Monthly Archives: September 2010

Machinery Safety 101

Monthly Archives: September 2010

Emergency Stop Categories

Originating Standards

Category Definitions

Minimum Requirements

More Information

Manufacturing Automation Roundtable

Missing MTTFd data

What the heck is MTTF_d???

So how do you get this data?

Now what?

Safe designs for safe workplaces

Emergency Stop Categories

Categories

Originating Standards

Category Definitions

Selecting a Stop Function

Risk Assessment and Stop/Start Analysis

Control Reliability Requirements

Referenced Standards

This entry is part 5 of 9 in the series Emergency Stop

I’ve noticed a lot of people looking for information on Emergency Stop categories recently, so this post is aimed at those readers who want to understand this topic in more depth.

OK, so let’s talk about stop function categories. There are two standards that define these categories, and thankfully they are harmonized, meaning that the definitions for the categories are essentially the same in each document. They are:

IEC 60204–1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements (aka EN 60204–1)
NFPA 79, Electrical Standard for Industrial Machinery

Note that Canada does not have a standard at the moment that specifically describes these same categories, however CSA Z432 does make reference to NFPA 79, bringing the categories in that way, albeit indirectly.

Download ANSI standards

Download IEC standards

The categories are broken down into three general groups:

Category 0 — Equivalent to pulling the plug;
Category 1 — Bring things to a graceful stop, then pull the plug; and
Category 2 — Bring things to a stop and hold them there under power.

Let’s look at the definitions in more detail. For comparison, I’m going to show the definitions from the two standards side-by-side.

Table 1
Comparison of Stop Function Categories
Category	IEC 60204–1	NFPA 79
0	stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);	is an uncontrolled stop by immediately removing power to the machine actuators.
1	a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;	is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
2	a controlled stop with power left available to the machine actuators.	is a controlled stop with power left available to the machine actuators.

Definitions from IEC 60204–1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process
3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the two sets of Category descriptions are virtually identical, with the primary difference being the use of the definitions in the IEC standard instead of including that information in the description as in the NFPA standard.

Download ANSI standards

Download IEC standards

Both standards require that all machines have at least a Category 0 stop. This could be achieved by switching off (by using the disconnecting means for example), by physically “pulling the plug” from the power supply socket on the wall, through a ‘master-control relay’ circuit, or through an emergency stop circuit. Note that this does not require that all machines have an e-stop!!

To learn more about how to determine the need for emergency stop, see my earlier post Emergency Stop – What’s so confusing about that?

How do you decide on what category to use? First, a risk assessment is required. Second, a start/stop analysis should be conducted. This is quite simple, being a straightforward analysis of the starting and stopping conditions for the machinery. Next, ask these questions:

1) Will the machinery stop safely under an uncontrolled stop?

If the machinery does not have a significant amount of inertia, meaning it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery coasts, or if the machinery can be stopped more quickly under control than when power is simply removed, then a Category 1 stop is likely the best choice.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leaving power on the machinery leaves the user open to hazards related to having power on the machinery. Careful risk assessment is required in these cases especially.

Risk assessment is critical to the specification of all safety–related functions. While emergency stop is not a safeguard, it is considered to be a ‘complementary protective measure’. Understanding the hazards that need to be controlled and the degree of risk related to the hazards is basic design information that will provide specific direction on the stop category required and the degree of control reliability necessary to provide the expected risk reduction.

Stop/Start Analysis is quite simple. It amounts to considering all of the intended stop/start conditions for the machinery, and then including conditions that may result from reasonably foreseeable failure modes of the machinery and foreseeable misuses of the machinery. Create a table with three columns as a starting point, similar to Table 2.

Table 2
Example Start/Stop Analysis

Description	Start Condition	Stop Condition
Lubricant Pump	Lubricant Pump Start Button Pressed	Lubricant Pump Stop Button Pressed
		Low Lubricant Level in reservoir
		High pressure drop across lubricant filter
Main Spindle Motor	Start enabled and Start Button Pressed	Low Lubricant Pressure
		Stop button pressed
Feed Advance motor	Feed Advance button pressed	Feed Stop button pressed
		Feed end of travel limit reached
Emergency Stop		All motions stop, lubricant pump remains running

The above table is simply an example of what a start/stop analysis can look like. You can have as much detail as you like.

Both ISO 13849–1 and IEC 62061 base the initial requirements for reliability on the outcome of the risk assessment (PL_r or SIL_r). If the stopping condition is part of normal operation, then simple circuit requirements (i.e. PL_a, Category 1) are all that may be required. If the stopping condition is intended to be an Emergency Stop, then additional analysis is needed to determine exactly what may be required.

How have you typically implemented your stops and emergency stop systems?

Have you ever used the START/STOP analysis method?

I care about what you think as a reader, so please leave me comments and questions! If you would prefer to discuss your question privately, contact me directly.

5% Discount on All Standards with code: CC2011

American National Standards Institute (ANSI)

ANSI/NFPA 79, 2007 — Electrical Standard for Industrial Machinery

Download standards from ANSI

Canadian Standards Association (CSA)

CSA Z432, 2004 — Safeguarding of Machinery
CSA Store

International Electrotechnical Commission (IEC)

IEC 60204–1, 2009 — Electrical Equipment of Industrial Machines

Download IEC standards

International Standardization Organization (ISO)

ISO 13849–1, 2006 — Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design

ISO 13849–2, 2006 — Safety of Machinery — Safety Related Parts of Control Systems — Part 2: Validation

Download ISO Standards

5% Discount on All Standards with code: CC2011

Posted by Doug Nix on September 21, 2010 Comments Off

I had the great pleasure today of participating in a round table discussion that was held by Manufacturing Automation magazine at their headquarters in Aurora, Ontario.

Around the table were: Elizabeth Rankin — CSA, Wayne De L’Orme — Ontario Ministry of Labour, Dave Lawson — Advanced Motion & Controls, Jeff Mathyssen — Electro-Mag, Rick Sauer — Festo, Dan Fournier — Omron and Lisa Bolton — Sherrard Kuzz LLP.

The depth and breadth of the expertise was refreshing, and the discussion that ranged from standards and harmonization to the practice of safety, workplace OHS and education of engineers and users was stimulating.

CLB Media is planning to have a video of the discussions available on their web site, as well as an article in the magazine and on the web site.

For more information, contact Mary Del Ciancio at CLB Media.

Watch for the article in Manufacturing Automation in their Nov/Dec issue!

Posted by Doug Nix on September 13, 2010 Comments Off

When you first start to work through ISO 13849–1, the first thing that will smack you in the head is the plethora of new acronyms. The first one you’ll run into is ‘PL’, of course, since the entire purpose of the standard is to aid the designer in determining the reliability Performance Level of the control system. Shortly after that you’ll find yourself face to face with MTTF_d.

MTTF_d, or the Mean Time To Failure (dangerous), is the name given to the expected failure rate per year for a component used in a system that is being analyzed. This rate differs from the straight failure rate for the component because it’s limited to the failures that result in a dangerous failure mode, or that may lead to a hazard.

Obtaining MTTF_d data for a component should be easy for a designer. Component manufacturers who market components intended for safety applications should provide this data in the component specifications, but there are thousands, perhaps millions, of different components being marketed today for use in safety systems. Most of the major manufacturers are already providing this figure, or a figure that can be used to derive MTTF_d, B_10d, but for many components, this data is simply not available.

Here are some randomly chosen examples of manufacturer’s specification sheets that give this data:

Allen-Bradley Trojan™ T15 Interlock Switch

Pilz PNOZ X2 (pdf data sheet)

Telemecanique XPS MP Safety Controller (pdf data sheet)

B_10dis the number of cycles until 10% of the components being tested fail in a dangerous way. Using failure rate data from the component’s data sheet, it is possible to estimate B_10d from either B₁₀ or T (the application dependent lifetime of the component). Check out Annex C of the standard if you want to see how this can be done.

But what do you do if the manufacturer of your favourite contactor doesn’t provide ANY failure data? Some major manufacturers still don’t provide any failure rate data at all, some provide expected lifetimes under specific operation conditions. Some provide only EN 954–1:95 data. In the last case, I think this is one of the reasons for the EC Machinery Working Group’s decision late last year to extend the transition period to ISO 13849–1:07. Need to know more about that decision?

Unless you work for a large organization, instituting a life testing program is not likely to be an option, since you either need a protracted period of time with a few components in test, or thousands of samples for a short time.

The standard provides the option to use 10 years as a default where no other data is available. 10 years sounds like a long time at first blush, particularly if the planned lifetime of the system involved is 20 years. Typical MTTF_d values for high-reliability components are in the hundreds of years, so by comparison, 10 years is almost nothing. Tables are also provided for some kinds of components, but the tables are necessarily limited in size, so not every component will be listed.

Your only option is to use the data in the standard, or pick up some of the other publications that include component failure data, like MIL-HDBK-217F, IEC/TR 62380 (based on UTE 80810 & RDF 2000), NPRD 95 or IEC 61709 (based on Siemens SN 29500 documents). Some of these documents may be difficult or impossible to obtain.

The result of this lack of objective data from the component manufacturers is:

Conservative results based on the minimum default MTTF_d;
Potential over-design of safety related controls;
Increased manufacturing costs for machine builders;

The reasons for this situation vary by manufacturer, but ultimately it comes down to the cost of life testing components multiplied by number of components built by each manufacturer. Typical life tests require load simulators and switching for thousands of components, as well as data logging to trap failures and record relevant data. In the case of fluid power components (pneumatics and hydraulics), this becomes increasingly complex. For many component manufacturers, the cost of the life testing is prohibitive, even though this data is badly needed by their users.

Will we see an improvement in the future? The largest controls component manufacturers are very likely to provide this data as they have it available, meaning as they complete testing. New designs are much more likely to come with this data initially, while it may be a long time before some of the old standard components get time in the life test cell. Until then, lots of components will be assigned ’10 years’.

A big thank you to Wouter Leusden for the idea for this post!

Have a thought to share on this topic? Correct an error in the article? Sound off? Leave a comment!

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

17 Events on February 17, 2012 Toronto Engineering & Human Environment ExCom More details