Understanding safety functions: Local control

Local control panel

This post on the local control function is part of a series on the different safety-related control functions described in ISO 13849-1:2015 [1].

Not every control function is a safety-related control function. Understanding how to determine which control functions are safety functions is important.

The local control function is common in large and small machines and plants, where remote control from a central plant control room is needed or, for example, when transferring control from the main control panel to a robot teaching pendant. Because the risks related to allowing simultaneous remote and local control are so great, understanding the requirements for local and remote control of machinery is important.

What is a safety function?

As a reminder, the definition of a safety function is found in ISO 12100 [2] and in ISO 13849-1 [1]:

3.1.20

safety function

function of the machine whose failure can result in an immediate increase of the risk(s)

[SOURCE: ISO 12100:2010, 3.30.]

ISO 13849-1:2015

The key idea in the definition is that “failure can result in an immediate increase of the risk(s).” A local control function that fails can increase risk because the machine may revert to remote operation without indicating that this is the case. Note that remote operation, in this case, means “not using the local controls.” The remote location could be a plant control room in the same building or on the other side of the world, connected via the internet.

Is it a safety function?

The key to answering the question “What makes a safety function a safety function?” is found in the definition. As a machine designer, you need to analyze each control function to determine if there is an increase in safety-related risk if the function fails. You can make bad parts as long as you do it safely!

If unsure, drill down into the possible failure modes using a Failure Modes and Effects Analysis (FMEA). You do not necessarily need to go down to the individual component level in the analysis. You need to drill down deep enough into the control function to determine what kinds of failures are likely to occur and what effects they may have on the process. The idea is to segregate various failures into safe and dangerous failures. If the dangerous failures could create or permit access to a hazard, then you need to evaluate the risk posed by each one. If there are any that will increase the risk to workers using the machinery, then you have your answer: the control function is a safety function. Safety functions must be executed in the safety-related parts of the control system and are subject to the requirements in [1].

What is a local control function?

The image below shows a typical control system schematic. The controller can act on inputs from various sensors and provides outputs to actuators that make the process work. There is a local human-machine interface (HMI) that provides local control. The control room is connected to the controller via signals for status and alarms, equipment setpoints and process start/stop. There could be much more data than this, depending on the process. The signals, shown as discrete signal paths in the schematic, could be individually hardwired signals, or they could be connected via TCP/IP – the communication medium doesn’t matter for the purpose of this discussion.

image: instrumentationtools.com [3]

Example: A press line

Consider a large machine that has a master control panel in one location. The machine may be an integrated manufacturing line of several independent machines linked together to create a larger manufacturing system. An example might be a progressive press line, where the line starts with a flat sheet material feeder, followed by a robot that transfers the blank sheet into the first press, the first press, a robot that transfers to a second press, etc. There would be as many presses and transfer robots as needed for the complete process.

The feeder would have its own controls to allow for setup and troubleshooting.

Each press has its own controls. These controls would be used for a die change, set-up, and maintenance activities.

Each robot has its own controls that would be used for programming, teaching, troubleshooting, etc.

The complete transfer line can be operated from the master control station until a fault occurs on one of the individual pieces of equipment. The operators would need to be able to get, for example, to robot #2, place it into local control mode, correct the fault, place it back into automatic mode, and then return to the master control console to restart the production process.

The local control safety function applies where a line is built in this way since each machine has its own local control interface.

What is a safety-related local control function?

Remember that for a control function to be a safety function, the failure of the control function must lead to increased risk to the worker or the user. The definition for the local control safety function is found in [1]:

5.2.4 Local control function

The following applies in addition to the requirements of Table 8.

When a machine is controlled locally, e.g. by a portable control device or pendant, the following requirements shall apply:

— the means for selecting local control shall be situated outside the danger zone;

— it shall only be possible to initiate hazardous conditions by a local control in a zone defined by the risk assessment;

— switching between local and main control shall not create a hazardous situation.

ISO 13849-1:2015

Since Table 8 references IEC 60204-1 [4], we should have a quick look at what that standard requires. Clause 10.1.5 deals with portable and pendant-type control stations from the perspective of local control. Note that local control functions are not limited to portable or pendant-type control stations; see the photo at the top of this article.

10.1.5 Portable and pendant control stations
Portable and pendant operator control stations and their control devices shall be so selected and arranged as to minimize the possibility of machine operations caused by inadvertent actuation, shocks and vibrations (for example if the operator control station is dropped or strikes an obstruction) (see also 4.4.8).

IEC 60204-1:2016

As you can see from the requirements above, there are two key requirements:

  1. The selection and arrangement of the controls (i.e., the user interface design) should be such that the likelihood of inadvertent activation is minimized, and
  2. The control station, pendant, etc. must be designed to be rugged enough for the expected use. For example, if the control pendant is for a truck-mounted concrete pump, there is an expectation that the pendant will be dropped occasionally and that it will bounce around in a storage box on the truck when the truck is moving from site to site. The pendant must be rugged enough to tolerate that kind of expected abuse.

The details

The design execution should be easier now that we understand what is required. Notice that the first bullet in [1, clause 5.2.4] requires that the means for selecting local control be located outside the danger zone.

An example: Robot teach pendant

A typical robot teaching pendant, with the screen showing a 6-axis bot with surrounding control data. The pendant has a prominent emergency stop button, as well as control buttons.
Typical Robot Teach Pendant

Consider the way an industrial robot controller is built. The controller has a teach pendant used for local control of the robot. The robot controller and the teach pendant must be located outside the danger zone, i.e., the restricted space of the robot, so that inadvertent operation of a motion-related control on the pendant, which could conceivably cause unexpected movement of the robot, does not endanger the operator. Also, note in this example that the pendant is equipped with an enabling device, which is a safety device and therefore has a safety-related enabling function. The pendant also has an emergency stop device, which has a safety-related stopping function associated with it. There are also hold-to-run controls, typically implemented either as a physical button associated with an item on the screen or directly as a control on the screen. The hold-to-run function will also be a safety-related function.

Zone Control

The question of zone control is important; see the second bullet in 5.2.4. This zone could be a single machine, as in the press line example, or a single robot, as in the robot control example in the previous paragraph. A remote control room should not be able to manipulate a single robot, but it should be able to start and stop the integrated manufacturing system, or make setpoint changes or manufacturing recipe selections, where these changes are not likely to increase the risk to the workers on the shop floor.

Mode selection

Mode selection changes should never create a hazardous situation; see the third bullet in 5.2.4.

IEC 60204-1 adds some requirements for mode selection:

9.2.3.5 Operating modes
Each machine can have one or more operating modes (for example manual mode, automatic mode, setting mode, maintenance mode) determined by the type of machine and its application.

Where machinery has been designed and constructed to allow its use in several control or operating modes requiring different protective measures and having a different impact on safety, it shall be fitted with a mode selector which can be locked in each position (for example key operated switch). Each position of the selector shall be clearly identifiable and shall correspond to a single operating or control mode.

The selector may be replaced by another selection method which restricts the use of certain functions of the machinery to certain categories of operator (for example access code). Mode selection by itself shall not initiate machine operation. A separate actuation of the start control shall be required.

For each specific operating mode, the relevant safety functions and/or protective measures shall be implemented.

Indication of the selected operating mode shall be provided (for example the position of a mode selector, the provision of an indicating light, a visual display indication).

IEC 60204-1
An industrial 22 mm key-operated control switch with a single contact block mounted to it.
Key-operated selector switch

A key point in the above requirements: “Where machinery has been designed and constructed to allow its use in several control or operating modes requiring different protective measures and having a different impact on safety, it shall be fitted with a mode selector which can be locked in each position (for example key operated switch).” Where the risk is higher in some operating modes as compared to others on the same machine, the mode selection must be capable of being secured.
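To make the hand-over rules concrete, here is an added illustration (not code from the standard, from Pilz, or from any real controller) of a mode arbiter for one control zone that encodes the three bullets of 5.2.4 and the mode-selection requirements of IEC 60204-1 9.2.3.5: the selector must be unlocked (key present) to change mode, a mode change stops the zone and never starts it, a start must come from the currently selected control source, and local starts additionally need the enabling device held. The class, method names and the rule that a stop is accepted from any source are assumptions made for the example.

```python
"""Mode arbiter sketch for a local/main control hand-over on one zone.
Added illustration only; the structure and names are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MAIN = "main"    # controlled from the master console / control room
    LOCAL = "local"  # controlled from the pendant / local HMI


@dataclass
class ModeArbiter:
    """Enforces: lockable selector, no start on mode change, start only from
    the selected source, enabling device for local motion, mode indication."""
    mode: Mode = Mode.MAIN
    running: bool = False
    log: list = field(default_factory=list)   # what the HMI would display

    def select_mode(self, new_mode: Mode, key_present: bool) -> bool:
        """Mode change needs the key in the selector (9.2.3.5) and never
        initiates operation; the zone is driven to a stop first (5.2.4, bullet 3)."""
        if not key_present:
            self.log.append("mode change refused: selector is locked")
            return False
        self.running = False          # hand-over must not leave motion running
        self.mode = new_mode
        self.log.append(f"mode now {new_mode.value}; zone stopped; indicated on HMI")
        return True

    def start(self, source: Mode, enabling: bool = False) -> bool:
        """Separate start actuation, accepted only from the selected source.
        In LOCAL mode hazardous motion also requires the enabling device."""
        if source is not self.mode:
            self.log.append(f"start from {source.value} ignored in {self.mode.value} mode")
            return False
        if self.mode is Mode.LOCAL and not enabling:
            self.log.append("local start refused: enabling device not held")
            return False
        self.running = True
        return True

    def stop(self) -> None:
        """Assumption for this example: a stop command lowers risk, so it is
        honoured from any source regardless of the selected mode."""
        self.running = False
```

Walking the press-line scenario from the text through this class (main console running, fault on robot #2, key turned to local, fault corrected under enabling-device control, key turned back to main, restart from the console) shows that no path lets the remote console move the robot while local control is selected.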

The example given is a key-operated selector switch, but it could just as easily be a security fob, like the Pilz PITmode system, whose reader is shown below.

A Pilz PITmode reader. The device is shown in the yellow colour used by Pilz, with the PIT key inserted and the border of the key reader opening lit green to indicate that the key has been accepted.
PILZ PITmode reader [6]

Conclusions

That’s it. Once you have determined that the control function is a safety function, then you can go about selecting suitable components, gathering the supporting data needed for the functional safety analysis, developing the software and documenting the process used, doing the analysis and then validating the safety functions according to ISO 13849-2 [5].

Courses

If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:

  • with a review of machinery risk assessment
  • developing the Safety Requirement Specifications
  • analyzing your design
  • developing the validation documentation, and
  • developing the validation test procedure

This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.


References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. Geneva: International Organization for Standardization (ISO). 2015.

[2] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. Geneva: International Organization for Standardization (ISO). 2010.

[3] “Control System Architecture”, Instrumentationtools.com, 2022. [Online]. Available: https://instrumentationtools.com/control-system-architecture/. [Accessed: 27-Jun-2022].

[4] Safety of machinery — Electrical equipment of machines — Part 1: General requirements, IEC 60204-1. Geneva: International Electrotechnical Commission (IEC). 2016.

[5] Safety of machinery — Safety-related parts of control systems — Part 2: Validation, ISO 13849-2. Geneva: International Organization for Standardization (ISO). 2012.

[6] “Operating mode selection and access permission system PITmode – Pilz CA”, Pilz.com, 2022. [Online]. Available: https://www.pilz.com/en-CA/products/operating-and-monitoring/control-and-signal-devices/pitmode-operating-mode-selector-switch. [Accessed: 27-Jun-2022].

© 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
