Implementing Functional Safety Requirements
November 11, 2024
The Safety Functional Requirements Specification (SFRS; sometimes referred to as SRS or Safety Requirements Specification) is the plan for the safety controls on a machine and is the second step of the safety lifecycle. The SFRS document serves as a framework for the safety control system design, is informed by prior work done in the risk assessment, and directly impacts the design and validation of the control system.
A critical step of the safety lifecycle, the SFRS defines how you should use guards or control elements to mitigate hazards that have been identified. Before working on machine design, the criteria for the control system must be documented and defined. In step one of the safety lifecycle, the risk assessment evaluated the relevant machine hazards and determined a Performance Level required (PLr) for any safety controls used to mitigate those hazards; this PLr is a direct input to the SFRS, which dictates the design of each relevant safety function.
What Goes Into an SFRS?
An SFRS may include any number of design elements that are used to reduce risk from the strategies defined in ISO 12100, Safety of Machinery:
- Inherently Safe Design Measures (“Design it out”)
- Safeguarding and Complementary Protective Measures (“Engineered Controls”: Guards, Safety Functions)
- Information for Use (“Administrative Controls”)
Inherently Safe Design Measures
Eliminating a hazard “by design” is always the safest option. When you apply risk reduction measures through the removal of a hazard or by changing the design of the machine, the SFRS captures the strategy used to accomplish this. Safe design is applied within the risk assessment and is often applied early in the design process. Early identification of machine hazards that can be mitigated through a design change is critical to avoid design changes later.
Otherwise, correcting unmitigated risks identified during validation could add to a project timeline. Identifying machine hazards early also lessens the demand for Safeguarding/Controls and Information for Use. As an example, replacing a chain and gear conveyor with a belt-top conveyor that prevents reach-through may be a path to “design out” the original hazard. Inherently Safe Design Measures should ALWAYS be considered first and are the highest priority risk-reduction measure you can take.
Safeguarding and Complementary Protective Measures
When a hazard cannot be “designed out,” the second-priority risk reduction measure includes Safeguarding and the use of safety control functions, or what some might consider “Engineered Controls.” Safety functions may be applied as risk reduction measures when it is appropriate for the machine and related operator interaction, as well as when it meets the constraints of the risk assessment.
The use of safety functions initiated by light curtains, interlocked guards, area scanners, and so forth is considered an “Alternative Protective Measure” (APM), which must be designed and applied to meet the PLr for the specific application. APM can only be applied as a risk reduction technique when users are exposed to machine hazards because of tasks that are routine, repetitive and integral to the process.
Safety Control Functions
The SFRS document shall make it clear what Safety Functions are in use for the machine control system and Risk Mitigation plan, and what Performance Level (or PLr) each Safety Function must meet. The details of each Safety Function spelled out within the SFRS should include at a minimum:
- Which specific input devices trigger the Safety Function?
- How is the Safety Function logic evaluated?
- Are there any special considerations or requirements for the safety device/function, machine type, or logic?
- Which specific output devices are used to put the related machine hazards in a safe state, and what is the “safe state” for each device?
- Are multiple output devices used (2-channel design)?
- How is the safety control system achieving the safe state, and what Stop Category applies?
- How is the Safety Function going to be reset by the user?
The definition of each Safety Function employed by the risk reduction measures of the machine shall clearly indicate the Safety-Related Parts of the Control System (SRP/CS), how they are to be used and how each hazardous output is controlled. Each Safety Function specified shall also document any specific requirements from the applicable consensus standards.
For example, when applying a light curtain as a safeguard, you must consider ISO 13855 to determine the appropriate placement of that input device to satisfy the stated requirements for safe distance based on the machine stopping performance. Each specific device type/function may have its own applicable standard (for example, ISO 13850 for Emergency Stop), and may also need to meet requirements stated by broader standards like ANSI B11.19.
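The following is an added example, not code from the original article or from any real SFRS: it records each Safety Function with the fields from the checklist above (inputs, logic, outputs and their safe state, stop category, reset), flags entries that leave a field undefined, and for light-curtain inputs checks the mounted distance against the ISO 13855 minimum safety distance S = K × T + C. The ISO 13855 formula is reproduced from memory and should be confirmed against the edition cited in your own SFRS; the device names, stopping times and distances are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration of the SFRS safety-function checklist and the ISO 13855
# placement check. All device names, times and distances are constructed samples.

VALID_PL = {"a", "b", "c", "d", "e"}          # ISO 13849-1 Performance Levels
VALID_STOP_CATEGORIES = {0, 1, 2}             # IEC 60204-1 stop categories


@dataclass
class OutputDevice:
    name: str
    safe_state: str                            # e.g. "de-energized", "brake applied"


@dataclass
class SafetyFunction:
    sf_id: str
    plr: str                                   # PLr taken from the risk assessment
    inputs: List[str]
    logic: str
    outputs: List[OutputDevice]
    stop_category: Optional[int] = None
    reset: Optional[str] = None
    special_requirements: str = ""
    # Filled in only for light-curtain inputs (ISO 13855 placement check)
    detection_capability_mm: Optional[float] = None
    stopping_time_s: Optional[float] = None    # overall stopping performance T
    mounted_distance_mm: Optional[float] = None


def iso13855_min_distance(d_mm: float, t_s: float) -> float:
    """Minimum safety distance S = K*T + C for orthogonal approach to a vertical
    light curtain, per ISO 13855 (formula reproduced from memory; confirm against
    the edition your SFRS cites). d_mm = detection capability, t_s = T."""
    if d_mm <= 40:
        c = max(8 * (d_mm - 14), 0)
        s = max(2000 * t_s + c, 100)           # K = 2000 mm/s, S never below 100 mm
        if s > 500:                            # may recalculate with K = 1600 mm/s,
            s = max(1600 * t_s + c, 500)       # but then S never below 500 mm
        return s
    if d_mm <= 70:
        return 1600 * t_s + 850                # C = 850 mm for 40 < d <= 70 mm
    raise ValueError("d > 70 mm: apply the ISO 13855 case for that detection capability")


def check_safety_function(sf: SafetyFunction) -> List[str]:
    """Return review findings for one SFRS entry, following the checklist above."""
    f = []
    if sf.plr not in VALID_PL:
        f.append("PLR: Performance Level required missing or not a-e")
    if not sf.inputs:
        f.append("INPUT: no triggering input device listed")
    if not sf.logic.strip():
        f.append("LOGIC: how the function is evaluated is not described")
    if not sf.outputs:
        f.append("OUTPUT: no output device listed")
    for o in sf.outputs:
        if not o.safe_state.strip():
            f.append(f"OUTPUT: safe state not defined for {o.name}")
    if len(sf.outputs) < 2 and sf.plr in ("d", "e"):
        f.append(f"OUTPUT: single output device; confirm whether PLr {sf.plr} "
                 "needs a 2-channel design")
    if sf.stop_category not in VALID_STOP_CATEGORIES:
        f.append("STOP: stop category (0/1/2) not specified")
    if not sf.reset:
        f.append("RESET: reset method not specified")
    if sf.detection_capability_mm is not None:
        if sf.stopping_time_s is None or sf.mounted_distance_mm is None:
            f.append("ISO13855: stopping time and mounted distance needed for placement check")
        else:
            s = iso13855_min_distance(sf.detection_capability_mm, sf.stopping_time_s)
            if sf.mounted_distance_mm < s:
                f.append(f"ISO13855: mounted at {sf.mounted_distance_mm:.0f} mm, "
                         f"minimum safety distance is {s:.0f} mm")
    return f


def review_sfrs(functions: List[SafetyFunction]) -> Dict[str, List[str]]:
    return {sf.sf_id: check_safety_function(sf) for sf in functions}


# Constructed sample entries (not taken from any real SFRS)
SAMPLE_SFRS = [
    SafetyFunction(
        sf_id="SF-01", plr="d",
        inputs=["LC1 light curtain, 30 mm detection capability"],
        logic="Safety PLC monitors the LC1 OSSD pair; any beam break commands a stop",
        outputs=[OutputDevice("K1 contactor", "de-energized"),
                 OutputDevice("K2 contactor", "de-energized")],
        stop_category=0,
        reset="Manual reset pushbutton mounted outside the hazard zone",
        detection_capability_mm=30, stopping_time_s=0.35, mounted_distance_mm=650,
    ),
    SafetyFunction(
        sf_id="SF-02", plr="d",
        inputs=["GS1 interlocked guard door switch"],
        logic="Safety relay drops out when the door opens",
        outputs=[OutputDevice("K3 contactor", "de-energized")],
        stop_category=1,
    ),
]

if __name__ == "__main__":
    for sf_id, findings in review_sfrs(SAMPLE_SFRS).items():
        print(sf_id, findings or ["OK"])
```

Running the script reports that SF-01 is complete but its light curtain is mounted 38 mm closer than the 688 mm ISO 13855 requires for a 30 mm curtain and 0.35 s stopping time, while SF-02 lacks a reset definition and lists a single output device for a PLr d function, which is exactly the kind of gap a validator would otherwise discover late.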
Fixed and Movable Guarding
When recommending fixed and/or movable guarding to reduce risk, the guards must be designed to adequately restrict or limit access to the related machine hazard. Within the SFRS, each guarding measure identified within the risk reduction process needs to be defined in some manner. Guarding may have specific design requirements to meet the intent of the risk assessment which we can discern from Safety Consensus Standards.
For example, when designing a guard to help prevent a user from reaching over, under or through the safeguard, the SFRS can refer to ANSI B11.19 or ISO 13857 for specific criteria around upper and lower limits of the physical guard, as well as the aperture sizing (or guarded tunnel lengths). Any specific design criteria for a fixed or movable guard shall be defined within the SFRS so it is clear what is required of the safeguards installed when it is time to perform a validation.
Information for Use
“Administrative Controls,” or Information for Use, may come in many forms. This could include but is not limited to: Operating instructions from the OEM, hazard warning signage to alert a user to a hazard, audio/visual warning beacons, floor markings, training and standard operating procedures (SOPs). Risk reduction by information for use is the least effective risk-reduction method and is the lowest priority as specified in ISO 12100.
Typically, hazards are not considered “fully mitigated” when only administrative measures are employed, as this measure fully relies on the user paying attention and always avoiding risk themselves. When called out by the risk assessment, the SFRS should identify which “Information for Use” measures are required and define the requirements for how they are used.
For example, when hazard warning signage is identified as a risk-reduction measure, the SFRS shall identify any specific signage placement criteria or requirements for the sign itself. Heated metal fixtures within a machine may be a relevant burn hazard to the operator. Adding the appropriate pictogram warning on or near the heated parts in visible locations may help alert the operator to the hazard, but it does not prevent harm from occurring.
Putting It All Together
The SFRS document can be treated as a framework for the safety control system design, be used to define requirements to a machine builder/integrator, and also serve as an input to future machine validation so that the tester knows exactly how the system is meant to perform. The SFRS shall identify the relationship between Input, Logic and Output devices that are used to perform Safety Functions, as well as define requirements for safeguards and other risk-reduction measures. The SFRS shall indicate how each relevant standard is being applied to appropriately meet the intent of the risk-reduction measures identified in the risk assessment process.
Again, it is critical that you prepare the SFRS thoughtfully and thoroughly so that the machine design is fully inclusive of the necessary safety controls before fabrication, and so that the validation is conducted in an informed manner. Hazardous components missing from the SFRS may not be accounted for in the final design or validation, resulting in an unidentified increase in risk. Additionally, missing items may be identified during the validation, requiring rework to change the machine controls and adequately mitigate risk.