Simplifying Functional Safety for Non-Road Vehicles
Functional safety for non-road vehicles can be a complex process. Many non-road vehicles also function as machines and therefore can fall under multiple safety standards. Thomas Kramer-Wolf, Norms/Standards Specialist with Pilz Automation Technology Germany, spoke with us to clarify some of the issues.
Functional Safety Interview PDF
What is your background and what role do you have at Pilz GmbH?
Thomas Kramer-Wolf: I’ve been with Pilz for almost 12 years and today I'm in charge of standards. This involves, naturally, understanding the world of standards, knowing the standards themselves and working in committees as well as dealing with people who write and read standards. This is my key objective. I have a second hat on as Product Manager for a product which is performing the safety validation of safety functions. We call it PAScal. This is mainly a product which allows you to validate safety functions according to ISO 13849 or IEC 62061. So due to the close correlation of the standards and the software, I think it's quite a good fit.
I understand there are quite a few standards in non-road vehicles?
T.K-W.: At Pilz, we are focussed on machinery safety which is mainly around these two standards: IEC 62061 or ISO 13849 but there is a close correlation with the non-road vehicles. The IEC 62061 has the same mother standard as the ISO 26262 which is the IEC 61508. My understanding is that we are facing some sort of two-faced situation for the non-road vehicles. The vehicle itself is something which is covered to a big degree by the ISO 26262 but any sort of machinery which is built into the vehicle is covered by the machinery directive and then we are suddenly in the world of machines. That's what I'm familiar with. The machine world is a bit different from the vehicle world and with the non-road vehicles, very often, we have some sort of hybrid - situations where both worlds can apply, do apply or you have the choice to decide which way to go.
I appreciate your clarifying that. A lot of these vehicles do drive somewhere but have a primary function as a machine.
T.K-W.: I think one of the typical scenarios is the differentiation between road vehicles. For example, a garbage collecting vehicle is a regular truck while it's driving but once it stops, it’s a machine subject to the machinery directive. These two functions are mutually exclusive. But there are other kinds, for
example, a road cleaning vehicle. You cannot clean the road while standing in a parking lot so it's somewhat a hybrid and you must find a way around the world of requirements and directives. I think those two examples show quite nicely what problems our users are facing. They have to argue each time that this is a machinery function, this is a vehicle function. Depending on what it is, it falls under one or the other directive and has to be handled completely differently.
Do you see that as one of the main challenges or are there several others that fit into that same scenario?
T.K-W.: From a perspective of classifying and dealing with safety, I think that is one of the major aspects because it's never quite certain what it is depending on which situation and on how you look at the situation. With a notified body, the approval agency will hold a completely different set of requirements for you. Like I said, I'm familiar with the set of requirements coming from the machinery directive so everything that is to be considered a machine adapted to a vehicle falls under the machinery directive and then we are in the situation that we need to treat it as a machine as it would be in a factory. I think some of the supplemental machine builders, especially for the agricultural or forest area, are not completely aware of the situation because it is somewhat hidden in the deep area of the directives.
Do you see that as a problem in that some of these companies don't focus enough on functional safety or don't have dedicated people for the task?
T.K-W.: In general very few companies have a big staff dedicated to functional safety for a simple reason. It's time-consuming. However, in the overall development process, it should be one of the minor tasks compared to the basic function. So it is very often difficult for a smaller or mid-sized machine builder or vehicle builder to have a real expert. I see quite a significant business model for companies just doing safety consultancy. Spending your whole life just researching standards and doing safety is something that is worthwhile but if you have to make the same amount of effort just for one single safety function in a year, you're in a bad situation.
I'm not really sure if the regulations are doing a favour to the market in general. I think from a user's perspective having safe machines is a good thing. From the machine builder's point of view it's sometimes quite an overhead to meet a requirement because you never know what they are unless you spend a lot of time on it.
Where do you see opportunities to reduce complexity and to streamline best practices and standards?
T.K-W.: I think it is important for most of the users to find a clear differentiation under which directive they want to fall. Spending some time making the differentiation is worthwhile. Maybe our congress will help them or workshops will help them to make their differentiations better and decide which way to go. I don't see any significant advantage or disadvantage of either of the two ways. They simply have completely different approaches. Vehicles usually say, safety is maintained best if the machine works as long as possible in the intended way. Typical procedure - if I drive a car the steering wheel should not stop its function while I'm driving.
We hope not.
T.K-W.: The same is true for braking. Even if the car detected that the steering wheel is not functioning well as initiating an emergency stop would not be a nice solution in many cases. While if I have a garbage collecting machine and it detects a problem, to stop collecting garbage is quite adequate. So
the reaction to a detected problem is quite different in the two worlds. I like the approach of the machinery world very much: to stop functioning if something of safety relevance has been detected. The scenario is quite simple to control and to evaluate.
The "Big Red Button" concept…
T.K-W.: Yes indeed, the big red button is something which is actually the originator of that safety idea. Once you have a safe state it's easy to reach and everybody knows what to do, it's easy to implement and very often cost efficient to implement. Maintaining a safe function is a completely different aspect and sometimes requires some sort of bargain: what is the least critical situation? If I'm driving on a road and I realise something is going wrong and I initiate an emergency stop, it could be a good solution. It can also be a dangerous solution if I'm in a curve.
So I have to evaluate a far more complex decision. I have to compute a far more complex decision and this makes life a bigger challenge for those who want to treat things like safe functions – and vehicles are safe functions. I think in many cases if non-road vehicles builders are able to switch to the machinery side they make life relatively easy for them. They especially gain one big bonus; there is a huge, huge variety of equipment around. So you get safety PLCs, you get safety sensors and actors and you get all that equipment which is off-the-shelf and easy to use, while for vehicles it's very often custom-made.
We have established that the auto industry standard is not appropriate for the actual machinery side. Nevertheless, are there things that can be done to simplify things?
T.K-W.: What I like from the ISO 26262 standard, which is similar to the IEC 61508 perspective, is the management approach. Both worlds are focussed on managing the design of the safety products. Those who didn't do anything will benefit from either of the two approaches. While I believe the ISO 26262 approach is more focussed for the vehicle approach and in that respect it might be an appropriate solution. If somebody is more focused on making supplemental equipment for vehicles he definitely will find himself a better solution with the IEC 61508 approach. Like I said before, we are always in between two worlds. Both are applicable. For vehicles, the ISO 26262, certainly has a focus on series builders of cars. Even if we consider the fact that they have management requirements they are very often focused on huge set-ups of manufacturing companies. So a small machine builder might not be in a position to actually implement those requirements.
Within the Non-road Vehicle industry, the concept of an OEM is different from the automotive industry correct?
T.K-W.: Yes. The OEM itself does not really exist either. I assume the liability from my provider. I subcontract something, I buy it and by buying it I assume the responsibility for it unless I make some special contracts to pass liability through. Usually the small companies don't manage to do it.
But what we're doing in the machinery world is we provide certified products. So if you buy a safety controller from Pilz it's certified to SIL3 and it specifies under which conditions the SIL3 is maintained. I have a certificate and I don't need to ask how this certificate has been achieved. There is a stamp on the certificate which says "TÝV" or a BG or CE sign, and that's all I need to know as a user of that equipment. This makes the whole situation quite easy if I want to set up a safety scenario, I try to rely as much as possible on safety equipment which is ready off-the-shelf.
Sure, this makes sense, because then essentially each piece is "safe".
T.K-W.: Correct. So I need just to establish a good process to integrate those pieces together. On a much higher level of integration, my safety concept needs to be a functional requirement rather than a detailed requirement on how the electronics work together. I combine four components, five components at the most, instead of a building a box with 200 elementary elements like ICs or resistors in it.
For a smaller company this is one of the spots you would say maybe an outside consultancy might actually be a good business model.
T.K-W.: Definitely, yes. Even if you're driving that a step further, today, very often functions are realised through software. If I'm looking at either of the two standards, I'm far more familiar with IEC 61508 and there it is quite clear that the bigger the freedom you have in software, the more extensive the tests need to be to show that it's safe. The tests can be very, very extensive. Very often today we are seeing complex controllers around, which are certified controllers, but which offer the user a simplified programming model. This simplified programming model can go so far, that the user knows that when they implement it, it finally shows that the safety function is working as intended and doesn't need to show any correct implementations of the software. The IEC 61508 really knows everything from parameterised software, for example a specific drive may only go so and so far or a specific function is one or two-hand control or it's with one or two switches. By using software which allows me to select only a very limited number of choices it requires just one test at the end to ensure that the function is working as intended. For example, if I make a service door and I monitor the service door with some switches and if the door is open the drive must stop. It's a very simple function. If I do that with such parameterised equipment, all I need to do at the end is to put it in function, open the door and see if it's stopping.
If I'm using an embedded controller or my own PLC to do high-level programming, I usually need to run a white or black box test, a "walk-through test." I need to have automated test equipment which is checking all the possible variations of the software, timing issues, memory overflows, index overflows. With that equipment it is dimensions more complex to verify that safety is present.
Is there any group out there right now that's working either streamline or update standards?
T.K-W.: We have to differentiate between notified bodies and standards. In the standards world there are a lot of efforts. I know the forestry and the agricultural machines have a big set of standards just covering their specific equipment. They try to implement the safety aspects with respect to machinery safety. Very often they're even listed under the machinery directive so they clearly respect that their products fall under the scope of the machinery directive. The notified bodies usually take a simple approach: read the standards, read the directives and follow them.
Does that change very much market to market?
T.K-W.: It changes market to market but in a bigger scope. Within Europe it should be quite uniform because we have the framework of the directive and those are not very elastic, so they allow you a specific range but it's quite simple to stick to the directives and to follow them. I think notified bodies are usually very simply knitted. If you are lucky you find every now and then a notified body that's willing to push the borders and allow new approaches which are not yet reflected in standards. But this is usually a very difficult task for both the notified body and the company trying to do it.
Do some notified bodies have more resources to employ technical experts and can therefore spend some time re-thinking the issues? What about the U.S.?
T.K-W.: In the US I see it more as an unclear situation. The US has far fewer safety regulations than we do in Europe. Most of the things in the US are abstract requirements. They say, "Do it safe and don't do any harm." But they do not have such a sophisticated set-up for standards and directives as we do in Europe.
There may be an issue for more education there but I think it has to do more with the legal background. In Europe we have strong insurance - business insurance - the BGIA. They insure companies and at the same time are supervising the market. They have a strong hold on the market as a whole and if you don't follow the requirements from the BGIA you're in a poor situation as a machine builder. Like that, they established far more solid groundwork. Safety is more accepted in Europe than it is somewhere else. In the rest of the world it's an issue. You sell a machine and if an accident happens you start to fight it in the court.
Here in Europe we have the convenient situation of the harmonised standards that due to the different approach of the insurances we have a set of standards which are considered "harmonised." If you follow those harmonised standards you may assume that you are following the legal requirements.
In any other country of the world the situation is more along the lines of you or your company having to prove to that you did everything right. This difference in approach makes a whole world of difference.
That's very interesting, but then as a global company, it helps to have to work with the Europeans standards because that also gives you best practice guidelines to follow for the other markets.
T.K-W.: That's actually my understanding that many markets try to follow the European approach. I see it especially in Asia. They are trying to adopt many of the European and international standards as their national standards. Not many markets are far enough to be implementing the legal background as we do, but I have seen just recently from Russia and from Brazil that they have the first legal documents which are similar to the European machinery directives.
So at least some of the BRIC countries are starting to go in that direction.
T.K-W.: Yes. Like that I think we are going in a good direction. It gives every manufacturer and the user a legal safety. If I buy a machine, does it have the proper certificates? Then I'm in a good situation and if I sell a machine and I follow the major standards and the major directives nobody can easily sue me. That’s a big relief.
Yes, in the long run that does reduce costs. Even if you had some up-front development costs to get yourselves to the point where the European regulations are being perfectly followed, once you get to that point then it's all benefit.
T.K-W.: Ultimately, you should follow it perfectly, but there are enough pragmatic people around in the standard bodies and in legal positions that there is an acceptable amount of leeway in the standards because otherwise even innovation would be difficult.
This is probably a good moment to look to the future. In your opinion what do you see as the greatest challenges for your industry over the next ten years?
T.K-W.: I think the big challenge is really to stabilise all the markets we see on a common safety approach. I see that the machinery market has been proposing a good safety method which was IEC 61508, and is actually following it. Now it’s a question of finding the right level of effort compared to the achieved safety. So some people believe it's too complex, some think it's not difficult at all. It always depends on who you look at. I think the market will get some sort of synchronisation among the different applications in the field and among the different technologies you find. If I say technologies, the electronic guys, for example, are good with mathematics. They can calculate and they have no problem with numbers while the mechanical guys or the climatic guys don't like it so much and they sometimes like other approaches. I think there will be some sort of synchronisation going on amongst the different markets just like the synchronisation as we discuss it right now between the ISO 26262 and IEC 61508 with some sort of statistical approach; what sort of acceptable level of risk is present. The machinery guys they have an absolute level. We say we have three questions to answer and I know which SIL level I've got. The automotive guys, they have a little bit more complexity and a more application-specific rating range. There will be some alterations and some synchronisations going on, on a big scale as well as on a small scale.
Do you predict any updates on any particular dates?
T.K-W.: We just got the second edition of IEC 61508 and I think that is something which we will have to digest first.
So the industry can take a deep breath for a little while?
T.K-W.: Yes. On the machinery market we have one challenge in front of us which is just coming up: The intended merger of IEC 13849 and the IEC 62061, two standards for the verification of functional safety. One comes from ISO, one from IEC and there is an intention to merge them. Two different worlds come together and there will be a learning curve and some political interactions. ISO and IEC are two different mentalities.
What we always like to see is a long-term stability. Even if we get new standards we are always looking for some migration paths or long-term stability because we know many of our customers are using machines for quite a long period. They're also building machines for a long period. We're discussing really not one or two years, rather 5, 10, 20 or 25 years of machinery usage or production. This means we need stability in the standards world as well for that long period.
In the end, the machinery directive is quite strong and quite universal so it doesn't matter if I'm using machines to build machines or if I'm building safety equipment. It's a directive with a really huge scope. Anything from a safety sensor up to one square kilometre machinery falls under that directive. It has a huge scope.
Mr. Kramer-Wolf this was a very insightful interview. Thank you for your time.
T.K-W.: I appreciate it.
This interview on Functional Safety is brought to you by Automotive IQ