After the safety-related stopping and the reset functions, the start/restart function is the next most common. Without a start/restart function, there is no way to make the machine do what it’s supposed to do. If you’re designing a machine control system, you need to understand this function.
Starting the machine initially is a manual function. Whatever pre-starting checks need to be made are made, and when all is ready, pressing the START button initiates the machine’s function. The documentation for the machine should include pre-starting checklists and instructions to help ensure that all the safety-related pre-starting conditions are met before the START button is pressed.
RE-starting the machine is another thing altogether. Restarts can be manual or automatic, depending on the type of machine, and the conditions of its use. Machines that are designed to be used unattended, like pumps, for example, may need to be able to restart automatically after a power loss or other condition that forces a stop.
Risk Assessment considerations
As with any control function, determining whether it’s a safety function or just a control function is the first step. When you are working on the risk assessment for the machine, do a start-stop analysis to better understand what is going on when you are stopping and starting the machine. You need to analyze what is going on at the moment that the start function is activated, including what movements will begin, the sequence (if any) that must occur for safe starting, and what hazards are present during starting. Think about the failure modes that could occur, for example, the starting sequence being broken for some reason, causing out-of-sequence starting. What happens then?
Once you have the starting process analyzed, you can decide if there are any hazards created by the starting of the machine, and therefore if it’s a safety function. If hazards are present, or if a failure mode in the starting process can create a hazard, it’s a safety function. If no hazards are present, and none can be created, it’s a control function.
Risk considerations for automatic restart
Go through the same process for restarting. If hazards are present, or if a failure mode in the restarting process can create a hazard, it’s a safety function. If no hazards are present, and none can be created, it’s a control function.
Let’s get back to the requirements in ISO 13849. When a decision is taken to use automatic restarting, the next considerations must include any hazards that could be created by the automatic restarting of the machine or the possibility that workers could be exposed to machine hazards unexpectedly if the machine were to attempt to restart automatically. Any hazards that are found must have appropriate mitigation measures applied, including rejecting the use of automatic restarting.
Interlock bypass or defeat
Where automatic restarting is used, the possibility of defeating or bypassing the interlocking device must be carefully considered. ISO 14119 [3] has a good tool in its annexes that can help determine how likely it is that a worker will attempt to bypass the interlocks.
If the design includes the provision of a guard muting/bypass mode, the design should include features that will interrupt the control guard or PSDI modes, and lock them out until the operation of the guarding is restored.
Once you have decided that the start/restart function is a safety function, the requirements in ISO 13849-1 [1] apply.
Here are the requirements from ISO 13849-1:
5.2.3 Start/restart function
The following applies in addition to the requirements of Table 8.
A restart shall take place automatically only if a hazardous situation cannot exist. In particular, for interlocking guards with a start function, ISO 12100:2010, 6.3.3.2.5, applies.
These requirements for start and restart shall also apply to machines which can be controlled remotely.
NOTE A sensor feedback signal to the control system can initiate an automatic restart.
EXAMPLE In automatic machine operations, sensor feedback signals to the control system are often used to control the process flow. If a work piece has come out of position, the process flow is stopped. If the monitoring of the interlocked safeguard is not superior to the automatic process control, there could be a danger of restarting the machine while the operator readjusts the work piece. Therefore the remotely controlled restart ought not to be allowed until the safeguard is closed again and the maintainer has left the hazardous area. The contribution of prevention of unexpected start-up provided by the control system is dependent on the result of the risk assessment.
(ISO 13849-1:2015 [1], 5.2.3)
ISO 13849-1 references the requirements for interlocking guards with a start function, also called a “control guard”, in ISO 12100 [2], clause 6.3.3.2.5. This type of guard is similar in function to the “presence-sensing device initiation (PSDI)” application that is sometimes used with light curtains on short-cycle machines. In a PSDI application, each time the worker breaks the light curtain field and then clears it, the machine starts the next cycle. A control guard is a physical, mechanical guard with an interlocking device. The guard must be opened to place parts or do whatever else the machine needs each cycle, and then closed again to start the machine cycle. Control guards generally can’t support the cycle rates that are achievable with a light curtain in PSDI mode, but they are still faster, and often ergonomically better, than requiring the operator to press a separate cycle start button for each cycle. Control guards aren’t used that often in my experience. Let’s look at [2, 6.3.3.2.5], since the ISO 13849-1 requirements build on those in [2].
6.3.3.2.5 Requirements for interlocking guards with a start function (control guards)
An interlocking guard with a start function may only be used provided that
- all requirements for interlocking guards are satisfied (see ISO 14119),
- the cycle time of the machine is short,
- the maximum opening time of the guard is preset to a low value (for example, equal to the cycle time) and, when this time is exceeded, the hazardous function(s) cannot be initiated by the closing of the interlocking guard with a start function and resetting is necessary before restarting the machine,
- the dimensions or shape of the machine do not allow a person, or part of a person, to stay in the hazard zone or between the hazard zone and the guard while the guard is closed (see ISO 14120),
- all other guards, whether fixed (removable type) or movable, are interlocking guards,
- the interlocking device associated with the interlocking guard with a start function is designed such that – for example, by duplication of position detectors and use of automatic monitoring (see 6.2.11.6) – its failure cannot lead to an unintended/unexpected start-up, and
- the guard is securely held open (for example, by a spring or counterweight) such that it cannot initiate a start while falling by its own weight.
It’s worthwhile knowing that there is no definition of what a “short cycle time” is. That is entirely up to the engineering experience of the designer(s) working on the project. The maximum opening time is also tied to the cycle time of the machine: the guard must be closed again within the normal cycle time, otherwise closing it must not start the machine and a reset is required first. This helps to protect workers who get distracted from the machine-tending activity for any reason.
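To make the control-guard conditions concrete, here is a small state machine that models the start-by-closing logic from the clause above together with the bypass/muting lockout described earlier: a preset maximum opening time, duplicated position detectors with discrepancy monitoring, lockout when the time is exceeded or a detector fault or bypass occurs, and a manual reset that re-enables the function but never starts a cycle. This is an added illustration written for this page; it is not code from the article, from ISO 12100 or ISO 13849-1, or from any safety PLC vendor. The class and function names, the 2 s preset, and the event trace are all constructed assumptions.

```python
"""Control-guard (interlocking guard with a start function) start logic.

Added illustration modelled on the ISO 12100:2010, 6.3.3.2.5 conditions quoted
above. Constructed example: names, timings and the sample trace are assumptions,
not the page's, the standard's, or any vendor's code.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Tuple


class State(Enum):
    READY = auto()    # guard closed, control-guard start enabled
    OPEN = auto()     # guard open, hazardous functions stopped, opening timer running
    LOCKOUT = auto()  # closing the guard must NOT start; manual reset required


@dataclass
class ControlGuard:
    max_open_s: float                     # preset maximum opening time (e.g. the cycle time)
    state: State = State.LOCKOUT          # power-up in lockout: a manual reset comes first
    opened_at: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def _note(self, t: float, msg: str) -> None:
        self.events.append((t, msg))

    def _go_lockout(self, t: float, reason: str) -> None:
        if self.state != State.LOCKOUT:
            self._note(t, f"lockout: {reason}")
        self.state = State.LOCKOUT
        self.opened_at = None

    def update(self, t: float, det_a: bool, det_b: bool,
               bypass: bool = False, reset: bool = False) -> bool:
        """One control scan at time t.

        det_a / det_b are the duplicated guard position detectors (True = guard
        closed). Returns True only on a scan where a machine cycle is started.
        Mechanical conditions of the clause (short cycle, no room for a person
        inside, guard held open by spring/counterweight) are outside this model.
        """
        closed = det_a and det_b
        # Duplicated detectors with monitoring: disagreement is a detector fault,
        # and a fault must never be able to produce a start.
        if det_a != det_b:
            self._go_lockout(t, "position detector discrepancy")
            return False
        # A guard muting/bypass mode interrupts control-guard mode and keeps it
        # interrupted until the guarding is restored and a reset is given.
        if bypass:
            self._go_lockout(t, "guard bypass/muting active")
            return False

        if self.state == State.LOCKOUT:
            # Reset only re-enables the function; it never starts a cycle, and it
            # is only accepted with the guard closed and the interlock healthy.
            if reset and closed:
                self.state = State.READY
                self._note(t, "reset accepted, control-guard start enabled")
            return False

        if self.state == State.READY:
            if not closed:
                self.state = State.OPEN
                self.opened_at = t
                self._note(t, "guard opened, hazardous functions stopped")
            return False

        # State.OPEN: the timer is checked before the closing edge, so a late
        # closing can never initiate the hazardous function.
        if t - self.opened_at > self.max_open_s:
            self._go_lockout(t, "maximum opening time exceeded")
            return False
        if closed:
            self.state = State.READY
            self.opened_at = None
            self._note(t, "guard closed within preset time, cycle started")
            return True
        return False


def run_trace(max_open_s: float, trace):
    """Replay a trace of (t, det_a, det_b, bypass, reset) scans.

    Returns the times at which cycles were started and the event log.
    """
    guard = ControlGuard(max_open_s=max_open_s)
    starts = []
    for t, a, b, bypass, reset in trace:
        if guard.update(t, a, b, bypass=bypass, reset=reset):
            starts.append(t)
    return starts, guard.events


# Constructed sample trace (assumption): preset opening time of 2 s.
SAMPLE_TRACE = [
    (0.0, True, True, False, True),     # power-up, guard closed, manual reset (no start)
    (1.0, False, False, False, False),  # operator opens the guard to load a part
    (2.5, True, True, False, False),    # closes after 1.5 s -> cycle starts
    (4.0, False, False, False, False),  # opens again
    (7.0, True, True, False, False),    # closes after 3.0 s -> too late, lockout
    (8.0, True, True, False, True),     # reset -> ready again, still no start
    (9.0, False, False, False, False),  # opens again
    (9.5, True, True, False, False),    # closes in time -> cycle starts
    (10.0, True, False, False, False),  # one detector fails -> lockout
    (11.0, True, True, False, True),    # detectors agree again, reset -> ready
    (12.0, True, True, True, False),    # bypass/muting engaged -> lockout
    (13.0, False, False, False, False), # guard opened while locked out
    (13.5, True, True, False, False),   # bypass gone, but closing still does NOT start
    (14.0, True, True, False, True),    # reset -> ready
]

if __name__ == "__main__":
    starts, events = run_trace(2.0, SAMPLE_TRACE)
    print("cycles started at:", starts)
    for t, msg in events:
        print(f"t={t:5.1f}  {msg}")
```

Running the trace starts exactly two cycles (at t = 2.5 and t = 9.5); the late closing, the detector fault and the bypass each drop the function into lockout, and the reset that follows re-enables start-by-closing without itself moving the machine. The timer is checked before the closing edge on purpose: the clause only requires that a late closing cannot start the hazardous function, but expiring the timer while the guard is still open also gives the operator an immediate indication that a reset will be needed.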
If the design of the machine includes the possibility for remote restarting, for example, a sewage pump located in a remote pumping station, then the risk assessment must address the hazards that could be created by remote starting. Hazardous energy control procedures, including lockout, are a starting point, but additional measures, e.g., CCTV, may be needed. Additional administrative controls, like permit-to-work procedures, may also be needed.
Start controls on an HMI
Unlike the safety-related stop and reset functions, there are no prohibitions in ISO 13849-1 [1] that would prevent using an HMI screen graphic as a start control. Depending on the hazards involved in the operations and the related risks, it may still not be advisable. The only way to answer this question is via a risk assessment.
If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:
- with a review of machinery risk assessment
- developing the Safety Requirement Specifications
- analyzing your design
- developing the validation documentation, and
- developing the validation test procedure
This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.
[1] Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO), Geneva. 2015.
[2] Safety of machinery – General principles for design – Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO), Geneva. 2010.
[3] Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, ISO 14119. International Organization for Standardization (ISO), Geneva.
© 2021 – 2022, Compliance inSight Consulting Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.