Machinery Safety 101

It all started with EN 954–1

In 1995 CEN pub­lished an impor­tant stan­dard for machine builders — EN 954–1, “Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design”. This stan­dard set the stage for defin­ing con­trol reli­a­bil­ity in machin­ery safe­guard­ing sys­tems, intro­duc­ing the Reliability cat­e­gories that have become ubiq­ui­tous. So what do these cat­e­gories mean, and how are they applied under the lat­est machin­ery stan­dard, ISO 13849–1?

Download ISO Standards

Circuit Categories

The cat­e­gories are used to describe sys­tem archi­tec­tures for safety related con­trol sys­tems. Each archi­tec­ture car­ries with it a range of reli­a­bil­ity per­for­mance that can be related to the degree of risk reduc­tion you are expect­ing to achieve with the sys­tem. These archi­tec­tures can be applied equally to elec­tri­cal, elec­tronic, pneu­matic, hydraulic or mechan­i­cal con­trol systems.

Historical Circuits

Early elec­tri­cal ‘master-​​control-​​relay’ cir­cuits used a sim­ple archi­tec­ture with a sin­gle con­tac­tor, or some­times two, and a sin­gle chan­nel style of archi­tec­ture to main­tain the con­tac­tor coil cir­cuit once the START or POWER ON but­ton (PB2 in Fig. 1) had been pressed. Power to the out­put ele­ments of the machine con­trols was sup­plied via con­tacts on the con­tac­tor, which is why it was called the Master Control Relay or ‘MCR’. The POWER OFF but­ton (PB1 in Fig. 1) could be labeled that way, or you could make the same cir­cuit into an Emergency Stop by sim­ply replac­ing the oper­a­tor with a red mushroom-​​head push but­ton. These devices were usu­ally spring-​​return, so to restore power, all that was needed was to push the POWER ON but­ton again (Fig.1).

Figure 1 — Basic Stop/​Start Circuit

Typically, the com­po­nents used in these cir­cuits were spec­i­fied to meet the cir­cuit con­di­tions, but not more. Controls man­u­fac­tur­ers brought out over-​​dimensioned ver­sions, such as Allen-Bradley’s Bulletin 700-​​PK con­tac­tor which had 20 A rated con­tacts instead of the stan­dard Bulletin 700’s 10 A contacts.

When inter­locked guards began to show up, they were inte­grated into the orig­i­nal MCR cir­cuit by adding a basic con­trol relay (CR1 in Fig. 2) whose coil was con­trolled by the inter­lock switch(es) (LS1 in Fig. 2), and whose out­put con­tacts were in series with the coil cir­cuit of the MCR con­tac­tor. Opening the guard inter­lock would open the MCR coil cir­cuit and drop power to the machine con­trols. Very simple.

Figure 2 — Old-​​School Start/​Stop Circuit with Guard Relay

‘Ice-​​cube’ style plug-​​in relays were often cho­sen for CR1. These devices did not have ‘force-​​guided’ con­tacts in them, so it was pos­si­ble to have one con­tact in the relay fail while the other con­tin­ued to oper­ate properly.

LS1 could be any kind of switch. Frequently a ‘micro-​​switch’ style of limit switch was cho­sen. These snap-​​action switches could fail shorted inter­nally, or weld closed and the actu­a­tor would con­tinue to work nor­mally even though the switch itself had failed. These switches are also ridicu­lously easy to bypass. All that is required is a piece of tape or an elas­tic band and the switch is no longer doing it’s job.

Photo 1 — Micro-​​Switch style limit switch used as a cover inter­lock switch in a piece of indus­trial laun­dry equipment

The prob­lem with these cir­cuits is that they can fail in a num­ber of ways that aren’t obvi­ous to the user, with the result being that the inter­lock might not work as expected, or the Emergency Stop might fail just when you need it most.

Modern Circuits

Category B

These orig­i­nal cir­cuits are the basis for what became known as ‘Category B’ (‘B’ for ‘Basic’) cir­cuits. Here’s the def­i­n­i­tion from the stan­dard. Note that I am tak­ing this excerpt from ISO 13849–1: 2007 (Edition 2). “SRP/​CS” stands for “Safety Related Parts of Control Systems”:

6.2.3 Category B
The SRP/​CS shall, as a min­i­mum, be designed, con­structed, selected, assem­bled and com­bined in accor­dance with the rel­e­vant stan­dards and using basic safety prin­ci­ples for the spe­cific appli­ca­tion to withstand

• the expected oper­at­ing stresses, e.g. the reli­a­bil­ity with respect to break­ing capac­ity and frequency,
• the influ­ence of the processed mate­r­ial, e.g. deter­gents in a wash­ing machine, and
• other rel­e­vant exter­nal influ­ences, e.g. mechan­i­cal vibra­tion, elec­tro­mag­netic inter­fer­ence, power sup­ply inter­rup­tions or disturbances.

There is no diag­nos­tic cov­er­age (DC_avg = none) within cat­e­gory B sys­tems and the MTTF_d of each chan­nel can be low to medium. In such struc­tures (nor­mally single-​​channel sys­tems), the con­sid­er­a­tion of CCF is not relevant.

The max­i­mum PL achiev­able with cat­e­gory B is PL = b.

NOTE When a fault occurs it can lead to the loss of the safety function.

Specific require­ments for elec­tro­mag­netic com­pat­i­bil­ity are found in the rel­e­vant prod­uct stan­dards, e.g. IEC 61800–3 for power drive sys­tems. For func­tional safety of SRP/​CS in par­tic­u­lar, the immu­nity require­ments are rel­e­vant. If no prod­uct stan­dard exists, at least the immu­nity require­ments of IEC 61000−6−2 should be followed.

The stan­dard also pro­vides us with a nice block dia­gram of what a single-​​channel sys­tem might look like:

ISO 13849–1 Category B Designated Architecture

If you look at this block dia­gram and the Start/​Stop Circuit with Guard Relay above, you can see how this basic cir­cuit trans­lates into a sin­gle chan­nel archi­tec­ture, since from the con­trol inputs to the con­trolled load you have a sin­gle chan­nel. Even the guard loop is a sin­gle chan­nel. A fail­ure in any com­po­nent in the chan­nel can result in loss of con­trol of the load.

Lets look at each part of this require­ment in more detail, since each of the sub­se­quent Categories builds upon these BASIC requirements.

The SRP/​CS shall, as a min­i­mum, be designed, con­structed, selected, assem­bled and com­bined in accor­dance with the rel­e­vant stan­dards and using basic safety prin­ci­ples for the spe­cific application…

Basic Safety Principles

We have to go to ISO 13849–2 to get a def­i­n­i­tion of what Basic Safety Principles might include. Looking at Annex A.2 of the stan­dard we find:

Table A.1 — Basic Safety Principles

Download ISO Standards
As you can see, the basic safety prin­ci­ples are pretty basic — select com­po­nents appro­pri­ately for the appli­ca­tion, con­sider the oper­at­ing con­di­tions for the com­po­nents, fol­low manufacturer’s data, and use de-​​energization to cre­ate the stop func­tion. That way, a loss of power results in the sys­tem fail­ing into a safe state, as does an open relay coil or set of burnt contacts.

“…the expected oper­at­ing stresses, e.g. the reli­a­bil­ity with respect to break­ing capac­ity and frequency,”

Specify your com­po­nents cor­rectly with regard to volt­age, cur­rent, break­ing capac­ity, tem­per­a­ture, humid­ity, dust,…

“…other rel­e­vant exter­nal influ­ences, e.g. mechan­i­cal vibra­tion, elec­tro­mag­netic inter­fer­ence, power sup­ply inter­rup­tions or disturbances.”

“Specific require­ments for elec­tro­mag­netic com­pat­i­bil­ity are found in the rel­e­vant prod­uct stan­dards, e.g. IEC 61800–3 for power drive sys­tems. For func­tional safety of SRP/​CS in par­tic­u­lar, the immu­nity require­ments are rel­e­vant. If no prod­uct stan­dard exists, at least the immu­nity require­ments of IEC 61000−6−2 should be followed.”

Probably the biggest ‘gotcha’ in this point is “elec­tro­mag­netic inter­fer­ence”. This is impor­tant enough that the stan­dard devotes a para­graph to it specif­i­cally. I added the bold text to high­light the idea of ‘func­tional safety’. You can find other infor­ma­tion in other posts on this blog on that topic. If your prod­uct is des­tined for the European Union (EU), then you will almost cer­tainly be doing some EMC test­ing, unless your prod­uct is a ‘fixed instal­la­tion’. If it’s going to almost any other mar­ket, you prob­a­bly are not under­tak­ing this test­ing. So how do you know if your design meets this cri­te­ria? Unless you test, you don’t. You can make some edu­cated guesses based on using sound engi­neer­ing prac­tices , but after that you can only hope.

Diagnostic Coverage

“…There is no diag­nos­tic cov­er­age (DC_avg = none) within cat­e­gory B systems…”

Category B sys­tems are fun­da­men­tally sin­gle chan­nel. A sin­gle fault in the sys­tem will lead to the loss of the safety func­tion. This sen­tence refers to the con­cept of “diag­nos­tic cov­er­age” that was intro­duced in ISO 13849–1:2007, but what this means in prac­tice is that there is no mon­i­tor­ing or feed­back from any crit­i­cal ele­ments. Remember our basic MCR cir­cuit? If the MCR con­tac­tor welded closed, the only diag­nos­tic was the fail­ure of the machine to stop when the emer­gency stop but­ton was pressed.

Component Failure Rates

“…the MTTF_d of each chan­nel can be low to medium.”

This part of the state­ment is refer­ring to another new con­cept from ISO 13849–1:2007, “MTTF_d”. Standing for “Mean Time to Failure Dangerous”, this con­cept looks at the expected fail­ure rates of the com­po­nent in hours. Calculating MTTF_d is a sig­nif­i­cant part of imple­ment­ing the new stan­dard. From the per­spec­tive of under­stand­ing Category B, what this means is that you do not need to use high-​​reliability com­po­nents in these systems.

Common Cause Failures

“In such struc­tures (nor­mally single-​​channel sys­tems), the con­sid­er­a­tion of CCF is not relevant.”

CCF is another new con­cept from ISO 13849–1:2007, and stands for “Common Cause Failure”. I’m not going to get into this in any detail here, but suf­fice to say that design tech­niques, as well as chan­nel sep­a­ra­tion (impos­si­ble in a sin­gle chan­nel archi­tec­ture) and other tech­niques are used to reduce the like­li­hood of CCF in higher reli­a­bil­ity systems.

Performance Levels

“The max­i­mum PL achiev­able with cat­e­gory B is PL = b.”

PL stands for “Performance Level”, divided into five degrees from ‘a’ to ‘e’. PL_a is equal to an aver­age prob­a­bil­ity of dan­ger­ous fail­ure per hour of >= 10^–5 to < 10^–4 fail­ures per hour. PL_b is equal to >= 3 × 10^–6 to < 10^–5 fail­ures per hour or once in 10,000 to 100,000 hours, to once in 3,000,000 hours of oper­a­tion. This sounds like a lot, but when deal­ing with prob­a­bil­i­ties, these num­bers are actu­ally pretty low.

If you con­sider an oper­a­tion run­ning a sin­gle shift in Canada where the nor­mal work­ing year is 50 weeks and the nor­mal work­day is 7.5 hours, a work­ing year is

7.5 h/​d x 5 d/​w x 50 w/​a = 1875 hours/​a

Taking the fail­ure rates per hour above, yields:

PL_a = one fail­ure in 5.3 years of oper­a­tion to one fail­ure in 53.3 years

PL_b = one fail­ure in 1600 years of operation

If we go to an oper­a­tion run­ning three shifts in Canada, a work­ing year is:

7.5 h/​shift x 3 shifts x 5 d/​w x 50 w/​a = 5625 hours/​a

Taking the fail­ure rates per hour above, yields:

PL_a = one fail­ure in 1.8 years of oper­a­tion to one fail­ure in 17 years

PL_b = one fail­ure in 533 years of operation

Now you should be start­ing to get an idea about where this is going. It’s impor­tant to remem­ber that prob­a­bil­i­ties are just that — the fail­ure could hap­pen in the first hour of oper­a­tion or at any time after that, or never. These fig­ures give you some way to gauge the rel­a­tive reli­a­bil­ity of the design, and ARE NOT any sort of guarantee.

Add to your Library

If you are work­ing on imple­ment­ing these design stan­dards in your prod­ucts, you need to buy copies of the stan­dards for your library.

• ISO 13849–1:2006 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design
• ISO 13849–2:2003 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 2: Validation
• ISO TR 13849–100:2000 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 100: Guidelines for the use and appli­ca­tion of ISO 13849–1

Download ISO Standards

If you are work­ing in the EU, or are work­ing on CE Marking your prod­uct, you should hold the har­mo­nized ver­sion of this stan­dard avail­able from one the the CEN resellers:

EN ISO 13849–1:2008 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design

Watch for the next post in this series where I will look at Category 1 requirements!

+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://​www​.com​pli​an​cein​sight​.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug’s work includes teach­ing machin­ery risk assess­ment tech­niques pri­vately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as pro­vid­ing tech­ni­cal ser­vices and train­ing pro­grams to clients related to risk assess­ment, indus­trial machin­ery safety, safety-​​related con­trol sys­tem inte­gra­tion and reli­a­bil­ity, laser safety and reg­u­la­tory conformity.

Connect me on Facebook | Twitter | Google + | LinkedIn | Website

Copyright secured by Digiprove © 2011–2012Some Rights Reserved