Most machinery relies both on physical safety measures and on control system functions to ensure that it provides the safety features required to maintain the safety of the operator and others.
Examples of physical safety measures are guards and warning notices, examples of safety related control system functions are emergency stops and guard interlocks.
Machinery which has safety related control functions must operate in a way which ensures that the equipment functions in a safe manner under normal operating conditions and in the event of certain faults. The ability of the machine to correctly deliver these safety related functions is known as ‘functional safety’.
Control systems may be susceptible to failure as a result of component failure, poor system design or electrical interference. Where such failures could cause a dangerous situation to occur, the equipment must be adequately specified, designed and constructed to ensure an adequate level of safety is maintained.
SAFETY RELATED CONTROLS
Almost all machines require a control unit, commonly referred to as the 'control system', for starting, stopping and operating. The complexity of the control system reflects the features of the machine. Although control systems are commonly based on electrical or electronic technology, they can also rely on other technologies such as hydraulic or mechanical elements.
Control systems can be as simple as an electrical switch that connects a drive motor to an electrical supply or as sophisticated system designed to automatically control large, highly complex machines.
Control systems, in addition to operational functions, can be utilised to provide risk reducing protective measures for the safeguarding of personnel. Control functions which help to protect personnel are called 'Safety Related Control Functions' (SRCFs).
The key issue with SRCFs is the need to ensure they are sufficiently reliable that they will provide the safety function required when called on to do so. The level of reliability is called the 'Safety Integrity Level' (SIL) or 'Performance Level' (PL).
The basic standard which lays out the key principles for safety related control systems is IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems. There are then a number of subsidiary standards which deal with specific applications such as EN 61511 for process control, IEC 61513 for nuclear applications, ISO 15998 for earth moving machinery and ISO 26262 for road vehicles.
All these standards provide guidance on how to select the level of reliability required, based on the severity of injury which would result from failure of the control system, the frequency of exposure to the hazard and the possibility that the hazard can be avoided by other means. The standards also contain requirements which ensure that the desired level of reliability is achieved.
For machinery, there are two key standards. EN 62061 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems deals only with electronic controls, whereas EN ISO 13849 Safety of machinery - Safety-related parts of control systems deals with systems which include other technologies such as hydraulic and mechanical elements.
EN ISO 13849 has two parts:
Part 1: General principles for design (BS EN ISO 13849-1:2008) – This part of EN ISO 13849 gives guidance to those involved in the design and assessment of control systems.
Part 2: Validation (BS EN ISO 13849-2:2012) - This part of EN ISO 13849 specifies the validation process for the safety functions, categories and performance levels for the safety-related parts of control systems.
EN ISO 13849 is a harmonized standard under the Machinery Directive. Compliance with this standard, therefore, will provide a presumption of conformity for the safety and reliability of controls systems essential health and safety requirement (EHSR 1.2.1) in annex 1 of the Directive.
1. Safety Function: this is the action, process or operation of removing or reducing the risk from a given hazard. An example is the stopping of machine when a person enters a hazardous area to reduce the risk of entanglement, e.g. the breaking of a light curtain beam of a light which signals the power to be cut from a machine’s motor, thereby halting the dangerous movement. Safety functions may include emergency stop, guard interlock functions, personnel detection, limitation of speed or range, and many others.
2. Safety-Related Part of a Control System (SRP/CS) is that part of the control system which delivers the safety function. The part responds to safety-related input signals from parts of machine, operators, external control equipment or any combination of these and generates safety-related output signals which make the machine behave in the intended manner. It is important to note that the safety related parts are the hardware (and software) which delivers the safety function so they include emergency stop actuators, light curtains, safety relays and PLCs, contactors etc. Any given SRP/CS may be essential to the delivery of one or more safety function.
3. Performance Level: this specifies the ability, the reliability and the safety integrity of safety-related parts of control systems to perform a safety function under foreseeable conditions. It is defined in BS EN ISO 13849-1 in terms of the probability of dangerous failure per hour (PFH) and 5 levels (a to e) are set out, each with a defined range of PFH.
THE EN ISO 13849 PROCESS
ISO 13849 provides a methodology for identifying the required level of performance (PLr) for any given safety function, and for determining whether the performance level achieved (PLa) by the machine control system is adequate. At its simplest, the standard shows the user how to identify the PLr and gives methods for calculating the PLa. So long as the PLa is greater than or equal to the PLr then the design is adequate; if the PLa is less than the PLr then additional measures will be required.
The standard addresses this with the following procedure:
1. A risk assessment is performed to determine the required safety functions;
2. The safety functions are analysed in terms of the level of protection they are required to provide and how often they are likely to be needed to determine the performance level requirement (PLr).
3. A specification – the safety requirements specification - is developed that details the required functionality and performance level of each safety function. It's especially important to ensure that the specification carefully defines the requirements for any software which will be required.
4. A preliminary design for the control system is developed and the components which deliver each safety function are identified.
5. The arrangement of the components is described in terms of a block diagram which identifies the inputs, logic and outputs.
6. Using the guidance and rules in the standard, the performance level of the proposed design (PLa) is determined.
7. Compare PLa with PLr and if the PLa is too low, revise the design to give higher reliability.
8. Document the steps and the design, including collecting the required component information and ensuring it is stored securely.
9. Validate all aspects of the process to confirm the requirements of the standard have been met.
PARTICULAR REQUIREMENTS FOR SOFTWARE
There are essentially two types of software utilised in a SRP/CS: safety-related embedded software (SRESW) and safety-related application software (SRASW):
1. SRESW – this is proprietary software developed under the manufacturer’s management processes and provides the framework for the user configuration of application software.
2. SRASW – this is software or configuration –logic, calculations, sequences, etc. - that is specifically written for a particular SRP/CS.
EN ISO 13849 is a complex standard and many consider it to be a 'sledgehammer to crack a nut'. It is arguably overkill to have to apply the whole procedure for simple machinery with only basic safety functions such as an on/off control and a single emergency stop button. There is also a strong case for saying that 90% of the benefit of the standard can be gained simply from the initial identification of safety functions and the components that deliver them, and the additional 10% of the benefit which comes from calculating the PFH takes 90% of the effort. Overall, it is difficult to show that the focus on control system reliability has actually had an impact on accident statistics.
Nevertheless, safety related controls are now integral to the design of most machinery, from simple domestic appliances such as washing machines through to extensive robotic production lines. Unless the designers understand and apply the principles of functional safety it is far from certain that such systems will be provide an adequate and reliable level of safety. Clearly, a way of defining and measuring the reliability of controls is required so it can be shown that the legal requirements of the Machinery Directive (and other requirements) have been met.
Standards for general machine safety first started appearing 50+ years ago and by comparison, functional safety standards are still relatively new. Even so, the standards writers struggle to keep up with the speed with which advances in electronics come along, and users' expectations of the functionality of devices develops. Contact us at Conformance if you need help to get to grips with these complex requirements.