31-Dec-2011 — Are YOU ready?

This entry is part 8 of 8 in the series Circuit Architectures Explored

31-December-2011 marks a key milestone for machine builders marketing their products in the European Union, the EEA and many of the Candidate States. Functional Safety takes a positive step forward with the mandatory application of EN ISO 13849–1 and -2. As of 1-January-2012, the safety-related parts of the control systems on all machinery bearing a CE Mark will be required to meet these standards.

This change started six years ago, when these standards were first harmonized under the Machinery Directive. The EC Machinery Committee gave machine builders an additional three years to make the transition to these standards, after the original mandatory implementation date of 31-Dec-08 met with much opposition.

If you aren’t aware of these standards, or if you aren’t familiar with the concept of functional safety, you need to get up to speed, and fast.

Under EN 954–1:1995 and the 1st Edition of ISO 13849–1, published in 1999, a designer needed to select a design Category, or architecture, that would provide the degree of fault tolerance and reliability needed based on the outcome of the risk assessment for the machinery. The Categories, B, 1–4, remain unchanged in the 2nd Edition. I’ve talked about the Categories in detail in other posts, so I won’t spend any time on them here.

The 2nd Edition brings Mean Time to Failure into the picture, along with Diagnostic Coverage and Common Cause Failures. These new concepts require designers to use more analytical techniques in developing their designs, and also require additional documentation (as usual!).

One of the main failings with EN 954–1 was Validation. This topic was supposed to have been covered by EN 954–2, but this standard was never published. This has led machine builders to make design decisions without keeping the necessary design documentation trail, and furthermore, to skip the Validation step entirely in many cases.

The missing Validation standard was finally published in 2003 as ISO 13849–2:2003, and subsequently adopted and harmonized in 2009 as EN ISO 13849–2:2003. While no mandatory implementation date for this standard is given in the current list of standards harmonized under 2006/42/EC-Machinery, use of Part 1 of the standard mandates use of Part 2, so this standard is effectively mandatory at the same time.

Part 2 brings a number of key annexes that are necessary for the implementation of Part 1, and also outlines the complete documentation trail needed for validation, and coincidentally, audit. Notified bodies will be looking for this information when evaluating the content of Technical Files used in CE Marking.

From a North American perspective, these two standards gain access through ANSI’s adoption of ISO 10218 for Industrial Robots. Part 1 of this standard, covering the robot itself, was adopted last year. Part 2 of the standard will be adopted in 2012, and RIA R15.06 will be withdrawn. At the same time, CSA will be adopting the ISO standards and withdrawing CSA Z434.

These changes will finally bring North America, the International Community and the EU onto the same footing when it comes to Functional Safety in industrial machinery applications. The days of “SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED and CONTROL RELIABLE” are numbered.

Are you ready?

Compliance InSight Consulting will be offering a series of training events in 2012 on this topic. For more information, contact Doug Nix.

Inconsistencies in ISO 13849–1:2006

This entry is part 7 of 8 in the series Circuit Architectures Explored

I’ve written quite a bit recently on the topic of circuit architectures under ISO 13849–1, and one of my readers noticed an inconsistency between the text of the standard and Figure 5, the diagram that shows how the categories can span one or more Performance Levels.

ISO 13849–1, Figure 5: Relationship between Categories, DC, MTTFd and PL

If you look at Category 2 in Figure 5, you will notice that there are TWO bands, one for DCavg LOW and one for DCavg MED. However, reading the text of the definition for Category 2 gives (§6.2.5):

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This leaves some confusion, because it appears from the diagram that there are two options for this architecture. This is backed up by the data in Annex K that underlies the diagram.

The same confusion exists in the text describing Category 3, with Figure 5 showing two bands, one for DCavg LOW and one for DCavg MED.

I contacted the ISO TC199 Secretariat, the people responsible for the content of ISO 13849–1, and pointed out this apparent conflict. They responded that they would pass the comment on to the TC for resolution, and would contact me if they needed additional information. As of this writing, I have not heard more.

So what should you do if you are trying to design to this standard? My advice is to follow Figure 5. If you can achieve a DCavg MED in your design, it is completely reasonable to claim a higher PL. Refer to the data in Annex K to see where your design falls once you have completed the MTTFd calculations.

Thanks to Richard Harris and Douglas Florence, both members of the ISO 13849 and IEC 62061 Group on LinkedIn, for bringing this to my attention!

If you are interested in contacting the TC199 Secretariat, you can email the Secretary, Mr. Stephen Kennedy. More details on ISO TC199 can be found on the Technical Committee page on the ISO website.

Interlock Architectures Pt. 6 — Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849–1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories

Category B (see 6.2.3)
Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by selection of components
MTTFd of each channel: Low to medium
DCavg: None
CCF: Not relevant

Category 1 (see 6.2.4)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
Principle used to achieve safety: Mainly characterized by selection of components
MTTFd of each channel: High
DCavg: None
CCF: Not relevant

Category 2 (see 6.2.5)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
Principle used to achieve safety: Mainly characterized by structure
MTTFd of each channel: Low to high
DCavg: Low to medium
CCF: See Annex F

Category 3 (see 6.2.6)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
— a single fault in any of these parts does not lead to the loss of the safety function, and
— whenever reasonably practicable, the single fault is detected.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure
MTTFd of each channel: Low to high
DCavg: Low to medium
CCF: See Annex F

Category 4 (see 6.2.7)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
— a single fault in any of these parts does not lead to a loss of the safety function, and
— the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure
MTTFd of each channel: High
DCavg: High including accumulation of faults
CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R 15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06

Columns: Category; CSA Z432-04 / Z434-03 (summary of requirements, system behaviour, principle used to achieve safety); RIA R15.06 1999 (summary of requirements).

Category: All
CSA summary of requirements: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
RIA summary of requirements: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. [footnote 2]
Footnote 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849–1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954–1.) They are different. The committee believes that the criteria in 4.5.1–4.5.4 exceed the criteria of B — 3 respectively, and further believe the reverse is not true.

Category: SIMPLE
CSA summary of requirements: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable.
Note: This type of system should be used for signalling and annunciation purposes only.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA summary of requirements: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

Category: SINGLE CHANNEL
CSA summary of requirements: Single channel safety control systems shall
a) be hardware based or comply with Clause 6.5;
b) include components that should be safety rated; and
c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
Note: In this type of system a single component failure can lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA summary of requirements: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

Category: SINGLE CHANNEL WITH MONITORING
CSA summary of requirements: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
a) The check of the safety function(s) shall be performed
   i) at machine start-up; and
   ii) periodically during operation (preferably at each change in state).
b) The check shall either
   i) allow operation if no faults have been detected; or
   ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
c) The check itself shall not cause a hazardous situation.
d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Characterized by both component selection and structure.
RIA summary of requirements: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
a) The check of the safety function(s) shall be performed
   1) at machine start-up, and
   2) periodically during operation;
b) The check shall either:
   1) allow operation if no faults have been detected, or
   2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
c) The check itself shall not cause a hazardous situation;
d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

Category: CONTROL RELIABLE
CSA summary of requirements: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Characterized primarily by structure.
RIA summary of requirements: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
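
The control reliable behaviour summarized in the table above (a single fault must not prevent the stop, the fault is detected no later than the next demand, and the safe state is held until the fault is cleared) can be sketched as a two-channel scan routine. This is an added illustration, not code from the standards or from the original post; the function names, the discrepancy limit of three scans and the reset rule are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed value: consecutive scans the two channels may disagree (contact
 * bounce, mechanical skew) before the disagreement is treated as a fault. */
#define DISCREPANCY_LIMIT 3u

typedef struct {
    bool fault_latched;      /* set on detection, held until cleared */
    unsigned disagree_scans; /* consecutive scans with ch_a != ch_b  */
} dual_monitor;

void monitor_init(dual_monitor *m)
{
    m->fault_latched = false;
    m->disagree_scans = 0;
}

/* One scan. true = channel reports guard closed. Returns run permission. */
bool monitor_scan(dual_monitor *m, bool ch_a, bool ch_b)
{
    if (ch_a != ch_b) {
        if (m->disagree_scans < DISCREPANCY_LIMIT)
            m->disagree_scans++;
        if (m->disagree_scans >= DISCREPANCY_LIMIT)
            m->fault_latched = true;
    } else {
        m->disagree_scans = 0;
    }
    /* Either channel alone removes run permission, so one stuck channel
     * cannot prevent the stop. A latched fault also withholds it. */
    return ch_a && ch_b && !m->fault_latched;
}

/* Assumed reset rule: the fault clears only when both channels read open,
 * i.e. the stuck channel has been seen to change state again. */
bool monitor_clear_fault(dual_monitor *m, bool ch_a, bool ch_b)
{
    if (!ch_a && !ch_b) {
        m->fault_latched = false;
        m->disagree_scans = 0;
    }
    return !m->fault_latched;
}

int main(void)
{
    /* Constructed scenario: channel A contact welded closed, guard opens. */
    dual_monitor m;
    monitor_init(&m);
    bool run = monitor_scan(&m, true, true);
    printf("guard closed, healthy: run=%d\n", run);
    for (int i = 0; i < 3; i++) {
        run = monitor_scan(&m, true, false);
        printf("guard open, A stuck:   run=%d fault=%d\n", run, m.fault_latched);
    }
    run = monitor_scan(&m, true, true);
    printf("guard reclosed:        run=%d\n", run);
    bool cleared = monitor_clear_fault(&m, false, false);
    run = monitor_scan(&m, true, true);
    printf("after repair:          cleared=%d run=%d\n", cleared, run);
    return 0;
}
```

The stop is issued on the first scan where either channel opens; the latch is what keeps the machine stopped once the guard is closed again with the stuck channel still present.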

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note — ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218–1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to the robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218–1 as a replacement for Section 4 is significant for a couple of reasons: 1) It now means that the robot itself need only meet the ISO standard, instead of the ISO and the RIA standards; and 2) It brings in ISO 13849–1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954–1. These updates to the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” as referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954–1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849–1:2006 as a reference to EN ISO 10218–1 [6], replacing Section 4 of ANSI/RIA R15.06–1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849–1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1. General principles for design”, EN 954–1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment — Safety Requirements — Part 1 — Robot”, ANSI/RIA/ISO 10218–1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.
