## Understanding safety functions: Response time

This post deepens the discussion of safety-related parameters. Safety functions are control functions whose failure causes an immediate increase in risk. ISO 13849-1 [1] defines several common safety functions to develop safety-related control systems. In this post, I will discuss the response time safety-related parameter.

## Response time

To better understand the response time parameter, we need to look at the definition for the safety function and then at an example. [1. 5.2.6] gives the requirements related to the response time of a safety function.

5.2.6 Response time

The following applies in addition to the requirements of Table 9.

The response time of the SRP/CS shall be determined when the risk assessment of the SRP/CS indicates that this is necessary (see also Clause 11).

NOTE The response time of the control system is part of the overall response time of the machine. The required overall response time of the machine can influence the design of the safety-related part, e.g. the need to provide a braking system.

ISO 13849-1

## Safe distance requirements based on time

ISO 13855 [2] provides methods for calculating the minimum safety distance required for a safeguarding device. The calculations include a response time parameter for the machine control system.

The minimum distance from the safeguarding device to the hazard is determined by:

S=K \times \left(t_1+t_2 \right)+C

Where

S is the minimum distance in millimetres (mm)

K is a parameter, in mm/second, derived from data on the approach speeds of the body or parts of the body. K = 2 000 mm/s for S ≤ 500 mm, 1 600 mm/s for S > 500 mm.

t1 is the maximum time between the occurrence of the actuation of the safeguard and the output signal achieving the OFF state.

t2 is the stopping time in seconds, which is the maximum time required to terminate the hazardous machine function after the output signal from the safeguard achieves the OFF state. The response time of the control system of the machine is included in t2.

C is the intrusion distance in millimetres determined by the object resolution of the device or the minimum distance based on the opening size [3].

Various factors can influence t1 and t2; for example,

• the temperature,
• the switching time of valves,
• aging of components,
• braking performance,
• etc.

## Determining response time

In a very practical sense, determining the response time of a machine can pose some challenges for machine designers. For example, it may not be practical to take a prototype machine to a laboratory to do environmental tests to see what kinds of effects temperature, humidity, vibration, etc., on the machine.

Often machines are too large to fit in commercially available environmental and electromagnetic test chambers. You may be building a one-off machine with no time in the production schedule for engineering research tests. Many reasons can prevent doing in-depth testing.

Getting data to estimate the response time is very difficult in those situations. I recommend testing the system as new and then deciding on the maximum degradation of the stopping performance you want to allow or which is permitted by the relevant standards. You will need to develop a means to monitor the machine’s performance in operation so that suitable action can be taken when the degradation limit approaches.

An FMEA [7] can help. Understanding the failure modes, including the effects of aging on the various system components, will help develop the necessary understanding. It’s not incredibly difficult, but it takes care and a methodical approach.

It is impossible to standardize response times since many variables in component selections, and system design can affect how the equipment behaves. However, control systems engineers/designers must have data to support their decisions regarding selecting and setting appropriate response times for their safety functions.

### Stopping time

Some abbreviated testing is the quickest way to determine the machine’s initial response time, T. ISO 13855 [2, Eq. 1] breaks T down further into t1 and t2, where t1 is the response time of the safeguarding device, and t2 is the response time of the control system and the mechanical portion of the machine. The relationship is shown in the figure below [2, Fig. 2].

T=\left(t_1+t_2\right)

Other variations on the basic calculations exist where the T term is broken down even further [5, 10.11], but I don’t think that adds a lot.

#### Testing

If you test, you can directly measure T without fussing with breaking it down into constituent components. The only limitation in this is how fine the time resolution of your measuring device is. If you’re using an NTSC video camera, you are limited to a nominal 30 frames/second (fps), which in reality is 29.97 fps. This converts to 33 ms per frame resolution (1/29.97 frames/sec). If you can set your camera to 60/120/240 fps, you can reduce the resolution to as little as 4.2 ms. At 2 000 mm/s, the basic speed constant used in [2], each frame at 30 fps is 2000×0.033 = 66.7 mm, while at 240 fps its 8.33 mm. If available, you can do this testing with a mobile phone camera and a tripod or with more professional equipment.

You can do even better if you’ve got a truly high-speed camera, although 8.33 mm resolution is more than good enough for most applications. Even 66.7 mm is good enough for many applications, especially if you do several sequential tests and then take the mean value of the results. I add three standard deviations to the mean value to ensure that the safety device is located far enough from the hazard to take into account the worst-case stopping performance that can be expected.

In safety-critical systems, depending on the potential severity of the injury and other consequences, it might take some accelerated aging testing on a prototype to get a handle on the system’s performance. That might involve putting the critical components in an environmental chamber and exercising the system over days or weeks. It depends on what the application is and what the related risks are.

#### Effects of wear

The effects of wear on a machine are another thing. If you have the opportunity to gather data on the real-world effects of wear on the machines you build, certainly use that data. Most of the time, this kind of data is very hard to obtain.

If you consider brake wear, you can test the machine “as new” to determine the best-case stopping performance. The mechanical power press standards typically allow up to a 20% degradation in stopping performance before triggering an alarm and faulting the controller to prevent further cycles until the brake is adjusted/maintained/repaired. You can use the worst-case stopping time, i.e., 120% of the “as new” stopping performance, to position the safeguarding devices; that way, you can be certain that even when the brake is worn to the maximum allowable, the safeguarding devices are still far enough away to ensure that they can protect the user adequately.

Any other kinds of wear would have to be assessed case by case, looking specifically at how the wear affects the response time and/or other relevant safety functions.

#### Hydraulic systems

Hydraulic systems present a special case. Since most hydraulic systems use an oil-based fluid, viscosity changes in the fluid and increased stiction [6] due to changes in the characteristics of the fluid at lower temperatures. Differences in fluid viscosity, component friction and hose flexibility can make a significant difference, and this could be especially true for equipment used outdoors or in refrigerated environments. Elevated temperatures have the opposite effect on the fluid but may reduce clearances in valves and cylinders, increasing friction and slowing the system’s responsiveness.

Hydraulic systems can be tested in a thermal chamber if they are small enough or in the real world based on the normal operating temperatures that the designer expects. Depending on the results, it may be necessary to install hydraulic fluid temperature conditioning equipment to help ensure that the fluid, and therefore the rest of the hydraulic system, is kept at the optimal temperature. A temperature sensor could be used to prevent the operation of the machine until the oil was at a predetermined temperature.

The test data for a hydraulic system operating in the optimal design temperature range can then be gathered using some data logging and safeguarding devices located accordingly.

### Controlling response time

The design of the control system must be able to control the response time. Using an off-the-shelf component in a safety function, like a safety relay, gives a known response time with a margin because the component manufacturer determines the response of the relay. In most cases, the machine builder cannot adjust the response time unless the component is specifically designed to allow for adjustment, e.g., Category 1 stop delay time.

The same is true for safety functions created in safety PLCs. The PLC manufacturer predetermines the response time.

Suppose you are using components, like friction brakes, that are subject to wear. In that case, you may need to include devices that can monitor the braking performance and either initiate a safety-related stop when the braking performance exceeds a predetermined limit or set an alarm.

If you are developing bespoke safety systems, you must ensure that the finished system can either control the response time or respond to excessive response time as a fault condition.

As you can see, controlling the response time of the control system is critical to ensuring that the safeguarding device is located far enough away from the hazard that a stop command can be given. The danger is controlled before a person can reach the hazard. If the response time falls to a lower value, no increase in risk occurs, but if the response time increases about the value used in the design calculations, the risk is immediately increased. That risk increase qualifies the response time as a safety function.

ISO 13855 includes several application-specific calculations for different types of safeguarding devices and methods of using common safeguarding devices.

## Examples

For example, an interlocked guard door is fitted to a machine. The safety distance between the guard and the hazardous parts is based partly on the machine’s stopping performance; see Interlocking Devices: The Good, The Bad and the Ugly for more. Ensuring that the response time is correct and that a fault is generated if the time deviates significantly is very important. If the response time is too long, the safety distance used to determine the guard’s location will be incorrect. The user might be able to reach into the danger one before the interlocking safety function could execute a stop. This could happen if a Category 1 stop is used and the delay-off time is set incorrectly.

Another example is hinted at in the Note in clause 5.2.7. Machine hazards often take some time to coast to a stop. That time must be considered in the design of the guarding and the safety function. If the coasting time is too long and the guard cannot be placed at a safe distance, then a brake could be added to the design. The brake could then be activated to stop the machine more quickly.

Another option for the long-stopping-time problem is to use guard locking. The guards can be locked shut, and the unlock command is given only if the machine is stopped. More on that topic in Interlocking Devices: The Good, The Bad and the Ugly.

## Courses

If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:

• with a review of machinery risk assessment
• developing the Safety Requirement Specifications
• developing the validation documentation, and
• developing the validation test procedure

This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.

## References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO). 2015.

[2] Safety of machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855. International Organization for Standardization (ISO). 2010.

[3] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857. International Organization for Standardization (ISO). 2019.

[4] “Safety Response Time”, Product-help.schneider-electric.com, 2022. [Online]. Available: https://product-help.schneider-electric.com/Machine%20Expert/V1.1/en/mwt/topics/wp100881.htm. [Accessed: 02-Sep-2022].

[5] Safeguarding of machinery, CSA Z432. Canadian Standards Association (CSA). 2004.

[6] “Stiction – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Stiction. [Accessed: 09-Sep-2022].

[7] “Failure mode and effects analysis – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 09- Sep- 2022].

© 2022, Compliance inSight Consulting Inc.