Machinery Safety Labels: 3 Top Tools for Effective Warnings

This entry is part 1 of 3 in the series Safety Labels

Machinery Safety Labels

The third level of the Hierarchy of Controls is Information for Use. Safety labels are a key part of the Information for Use provided by machine builders to users and are often the only information that many users get to see. This makes the design and placement of the safety labels critical to their effectiveness. There is as much risk in the under-use of safety labels as there is in their over-use. Often, machine builders and users simply select generic labels that are easily available from catalogues, missing the opportunity to design labels that are specific to the machine and the hazards present.

Product Safety and Liability Limitation

If your company manufactures machinery that has potential hazards associated with its transportation, installation, use, maintenance, decommissioning and/or disposal, you likely have a very strong need to create effective product safety labels. This task must be done right: product safety labels play an integral role in your company’s product safety and liability prevention efforts. That means that people’s lives and your company’s financial well-being are on the line. On that note, keep these two factors in mind when it comes to effective safety labels:

  1. If properly designed, they can dramatically reduce accidents. This not only improves a product’s overall safety record but adds to a company’s bottom line by reducing product liability litigation and insurance costs.
  2. If poorly designed, needed safety communication does not take place, and this can lead to accidents that cause injuries. With these accidents, companies face high costs settling or fighting lawsuits because their products lacked “adequate warnings.”

With the rise in product liability litigation based on “failure to warn” over the past several decades, product safety labels have become a leading focal point in lawsuits faced by capital equipment manufacturers. Let’s look at three best-practice tools for product safety label design. These tools can provide insight to help you create or improve your safety label strategy in order to better protect your product users from harm and your company from litigation-related losses.

TOOL #1: SAFETY LABEL STANDARDS

As a manufacturer, you know that your legal obligation is to meet or exceed the most recent versions of the standards related to your product at the time it is sold into the marketplace. Warning label standards are the first place to turn when defining your product safety labels. Until 1991, there was no overarching, multi-industry standard in the U.S., or in the rest of the world, that gave definitive guidance on the proper formatting and content for on-product warnings. In the U.S., that changed nationally with the publication of the ANSI Z535.4 Standard for Product Safety Signs and Labels in 1991, and internationally with the publication of ISO 3864-2 Design Principles for Product Safety Labels in 2004.

As of 2017, Canada does not have a warning label standard. Since Canada imports machinery from the U.S. and the EU, it is quite common to see either ANSI Z535 style labels or ISO 3864 style labels on products. Under Canadian law, neither is more correct. However, Québec has specific requirements for French language translations, and many CSA standards prescribe specific hazard warning labels that do not conform to either ANSI or ISO styles.

Following the design principles in ANSI Z535.4 or ISO 3864-2 will give you a starting place for both the content and format choices you have to make for your products’ safety labels, bearing in mind the language requirements of your jurisdiction. Note that both of these standards are revised regularly, every five years or so, and it is important to be aware of the nuances that would make one format more appropriate for your product than another.

Figure: The ANSI Z535.4 Product Safety Signs and Labels standard
Figure: The ISO 3864-2 Graphical symbols – Safety colours and safety signs – Part 2: Design principles for product safety labels standard

TOOL #2: RISK ASSESSMENT

From an engineering perspective, your job is to identify potential hazards and then determine whether they need to be designed out, guarded, or warned about. From a legal perspective, your job is to define which hazards are “reasonably foreseeable” and what “reasonable” ways exist to mitigate the risks associated with hazards that cannot be designed out. This is where risk assessment comes into play.

In today’s world, a product is expected to be designed with safety in mind. The risk assessment process helps you to accomplish this task. At its most basic level, risk assessment involves considering the probability and severity of outcomes that can result from potentially hazardous situations. After identifying the potential hazards related to your product at every point in its lifecycle, you then consider various strategies to either eliminate or reduce the risk of people interacting with these hazards.

The best-practice risk assessment standards that exist today (i.e., ANSI Z10, ANSI B11, CSA Z432, CSA Z1002, ISO 12100, ISO 31000, ISO 31010) give you a process to quantify and reduce risks. Using these standards as the basis for a formalized risk assessment process will not only help you develop better safety labels and a safer product, but it will also provide you with documentation that shows the world you are a safety-conscious company that uses the latest standards-based technology to reduce risks. This will be highly important should you be involved in product liability litigation down the road.

Figure: MIL-STD-882 risk assessment form
A typical risk assessment scoring matrix (based on MIL-STD-882 as defined in ANSI B11/ISO 12100 Safety of Machinery – Risk Assessment, Annex D)
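To make the scoring matrix concrete, here is an added example (editor’s code, not part of the article and not taken from any of the standards listed): a small Python risk register that rates hazards on the MIL-STD-882E severity and probability scales, applies a risk-reduction measure, and flags the hazards whose residual risk is still too high for a warning label to be the only measure. The matrix cells are those of MIL-STD-882E Table III; the “Medium” tolerable level, the conveyor hazards and the number of probability steps a guard buys are assumptions made for the illustration.

```python
"""Risk scoring on a MIL-STD-882 style severity x probability matrix, with a
risk-reduction pass that records which hazards still need more than a label.
Added example; not from the article. Category names and matrix cells follow
MIL-STD-882E Tables I-III; the tolerable level is an assumption."""
from dataclasses import dataclass, replace

SEVERITY = ("Catastrophic", "Critical", "Marginal", "Negligible")            # I..IV
PROBABILITY = ("Frequent", "Probable", "Occasional", "Remote", "Improbable")  # A..E

# Rows: probability level; columns: severity category, in the order above.
MATRIX = {
    "Frequent":   ("High",    "High",    "Serious", "Medium"),
    "Probable":   ("High",    "High",    "Serious", "Medium"),
    "Occasional": ("High",    "Serious", "Medium",  "Low"),
    "Remote":     ("Serious", "Medium",  "Medium",  "Low"),
    "Improbable": ("Medium",  "Medium",  "Medium",  "Low"),
}
RANK = {"High": 3, "Serious": 2, "Medium": 1, "Low": 0}


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: str
    probability: str
    measures: tuple = ()   # risk-reduction measures applied so far, in order


def risk_level(h: Hazard) -> str:
    """Look the hazard up in the matrix; reject ratings that are not on the scales."""
    if h.severity not in SEVERITY or h.probability not in PROBABILITY:
        raise ValueError(f"{h.name}: unknown rating {h.severity!r}/{h.probability!r}")
    return MATRIX[h.probability][SEVERITY.index(h.severity)]


def reduce_probability(h: Hazard, measure: str, steps: int) -> Hazard:
    """Apply a design or guarding measure that makes the harmful event `steps`
    levels less likely (clamped at Improbable). Severity is left unchanged:
    a guard makes contact with a nip point less likely, not less severe."""
    idx = min(PROBABILITY.index(h.probability) + steps, len(PROBABILITY) - 1)
    return replace(h, probability=PROBABILITY[idx], measures=h.measures + (measure,))


def label_only_is_enough(h: Hazard, tolerable: str = "Medium") -> bool:
    """Information for Use is the third level of the hierarchy of controls, so a
    warning label may be the *sole* measure only once the residual risk is at
    or below the tolerable level (assumed here to be "Medium")."""
    return RANK[risk_level(h)] <= RANK[tolerable]


def assess(hazards, tolerable: str = "Medium"):
    """Rank hazards worst-first and flag those that still need design-out or
    guarding before a label may be relied on. Returns (name, level, label_ok)."""
    rows = [(h.name, risk_level(h), label_only_is_enough(h, tolerable)) for h in hazards]
    return sorted(rows, key=lambda r: (-RANK[r[1]], r[0]))


# Constructed hazard register for a small conveyor (ratings are illustrative).
nip = Hazard("in-running nip at tail pulley", "Critical", "Probable")
hot = Hazard("hot gearbox housing", "Marginal", "Occasional")
shock = Hazard("contact with 400 V terminals", "Catastrophic", "Remote")

if __name__ == "__main__":
    print("before:", assess([nip, hot, shock]))
    guarded_nip = reduce_probability(nip, "fixed guard + interlock", 2)
    print("after: ", assess([guarded_nip, hot, shock]))
```

Run as a script, the nip point starts at High (Probable, Critical) and a label alone is not acceptable; after the guard moves its probability two levels to Remote the residual risk is Medium and the label becomes a legitimate residual-risk warning. The hot housing is Medium from the start, which is exactly the kind of hazard a well-designed label is for.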

TOOL #3: PICTOGRAPHIC SAFETY LABELS FOR GLOBAL MARKETS

A large number of machinery manufacturers sell their products around the globe, and when this is the case, compliance with global standards is a requirement. The ANSI Z535.4 and ISO 3864-2 product safety label standards, and the EU Machinery Directive, place an emphasis on using well-designed symbols on machinery safety labels so information can be conveyed across language barriers.

The EU Machinery Directive 2006/42/EC requires that all information for use be provided in the official language(s) of the country of use. Information for use includes hazard warning signs and labels that bear messages in text. Adding symbols also increases your labels’ noticeability. The use of symbols to convey safety is becoming commonplace worldwide, and not taking advantage of this visual language risks making your product’s safety labels obsolete and non-compliant with local, regional and international codes. In the 2016 update of ISO 3864-2, a major change in ISO label formats was made: a new “wordless” format that conveys risk severity was added to the standard. This label format uses what ISO calls a “hazard severity panel” but no signal word, communicating the level of risk through colour-coding of the hazard severity panel. This format option eliminates words, making translations unnecessary.

It should be noted that sometimes symbols alone cannot convey complex safety messages. In these cases, text is often still used. When shipping to non-English speaking countries, the trend today is to translate the text into the language of the country in which the machine is sold. Digital print technology makes this solution much more cost-effective and efficient than in the past.

Figure: A typical Clarion machine safety label that uses an internationally formatted graphical symbol and a format that meets both ANSI Z535.4 and ISO 3864-2 design principles (Design ©Clarion Safety Systems. All rights reserved.)

Concluding Thoughts

The safety labels that appear on your products are among their most visible components. If they don’t meet current standards, if they aren’t designed as the result of a risk assessment, and if they don’t incorporate well-designed graphical symbols, your company risks litigation and non-conformance with market requirements. Most importantly, you may be putting those who interact with your machinery at risk of harm. Making sure your product safety labels are up to date is an important task for every engineer responsible for a machine’s design.

For more information on effective product safety labelling and resources that you can put to use today, visit www.clarionsafety.com. Clarion also offers complimentary safety label assessments, where we use our experience with the latest standards and best practices to assess your labels and ensure that they are up to date in meeting today’s requirements.

Ed. note: Additional Canadian material contributed by Doug Nix.

Acknowledgements: Derek Eversdyke, Clarion Safety Systems, LLC

Safe Drive Control including Safe Torque Off (STO)

This entry is part 12 of 14 in the series Emergency Stop

Ed. Note: This article was revised 25-Jul-17 to include information on safe standstill.

Safe Drive Control including STO

Figure: Variable Frequency Drive for conveyor speed control [1]
Motor drives are everywhere. From DC variable speed drives and indexing drives, through AC variable frequency drives, servo drives and stepper motor drives, the capabilities and flexibility of these electronic systems have given machine designers unprecedented capabilities compared to basic relay or contactor-based motor starters. We now have the capability to control mechanisms using motors in ways that would have been hard to imagine at the beginning of the industrial revolution. Along with these control capabilities come safety-related functions like Safe Torque Off (STO).

Since we are controlling machinery, safety is always a concern. In the 1990s, when I started designing machinery with motor drives, dealing with safety concerns usually meant adding a suitably rated contactor upstream of the drive so that you could interrupt power to the drive in case something went wrong. With early servo drives, interrupting the supply power often meant losing position data or worse. Placing contactors between the drive and the motor solved this problem, but interrupting the supply power would sometimes cause the drive stage of the servo controller to blow up if the switch-off happened with the motor running and under high load. Motor drive manufacturers responded by providing contactors and other components built into their drives, creating a feature called Safe Torque Off (STO).

STO describes a state where “The drive is reliably torque-free” [2]. The functions discussed in this article are described in detail in IEC 61800-5-2 [3]. The functions are also listed in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emergency stop functions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-related stop functions initiated by a safeguarding device. This distinction, between emergency stop functions and safeguarding functions, is an important one.

If you have been a reader of this blog for a while, you may recall that I have discussed stop categories before. This article expands on those concepts with a focus on motor drives and their stopping functions specifically. I have also talked about Emergency Stop extensively. You might be interested in reading more about the e-stop function, starting with the post “Emergency Stop – What’s so confusing about that?”

Safe Torque Off (STO)

According to Siemens, “The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to act upon a motor and prevents unintentional starting.” [2] Risk assessment of the machinery can identify the need for an STO function. The devices used for this application are described in IEC 60204-1, clause 5.4 [4]. The design features for prevention of unexpected starting are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are interested in these standards, ISO 14118 is in the process of being revised; a new version should be available within 12 to 18 months.

The STO function operates as shown in Fig. 1. The blue line represents the drive speed/velocity, V, on the y-axis, with time, t, on the x-axis. The orange arrow and the dotted line show the initiation of the stopping function.

Figure 1 – Safe Torque Off function [1] (graph showing motor drive output over time when the STO function is activated)
At the beginning of the stopping process (orange arrow and dotted line), the drive gate pulses are immediately shut off, removing torque from the motor (i.e., zero torque). The speed of the driven equipment will drop at a rate determined by the system friction and inertia until standstill is achieved. The zero-torque condition is maintained until the safety function permits restarting (area outlined with the yellow/black zebra stripe). Note that drive standstill may occur if the friction and inertia of the system permit, but it is possible that the driven equipment may coast for some time. You may be able to move the driven equipment by hand or by gravity with the drive in STO mode.

STO is an uncontrolled stopping mode [4, 3.56]:

uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any other state of other (for example, non-electrical) stopping devices, for example, mechanical or hydraulic brakes that are outside the scope of this standard.

The definition above is important. Uncontrolled stops are the most common form of stopping used in machines of all types, and an uncontrolled stop is required as a basic function for all machines. There are various ways of achieving STO, including the use of a disconnecting device, emergency stop systems, and gate interlocking systems that remove power from machine actuators.

The embodiment of the uncontrolled stop concept is Stop Category 0 [4, 9.2.2]:

stop category 0 — stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop, see 3.56)

Stop category 0 is only appropriate for safety stopping where the machinery has little inertia, or where mechanical friction is high enough that the stopping time is short. It may also be used where the machinery has very high inertia, but only for normal stopping when coasting time is not a factor, not for safety stopping functions where the time to a no-motion state is critical.

There are a few other stopping modes that are often confused with STO:

  • Safe Stop 1
  • Safe Stop 2
  • Safe Operating Stop
  • Safe Standstill

Let’s explore the differences.

Safe Stop 1 (SS1)

If a defined stopping time is needed, a controlled stopping function is required, followed by entry into STO. This stopping function is called “Safe Stop 1” (SS1).

SS1 is directly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 functions as follows:

stop category 1 — a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

A “controlled stop” is defined in [4, 3.11]:

controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process

Once the controlled stop is completed, i.e., machine motion has stopped, the drive may then be placed into STO (or a category 0 stop). The stopping process is shown in Fig. 2 [7].

Figure 2 – Safe Stop 1 (graph showing the reduction of drive speed over time following the beginning of a controlled stopping process)

The stopping process starts where the orange arrow and dotted line are shown. Compared with Fig. 1, where the deceleration curve is gentle and exponential, the active stopping period in Fig. 2 is a linear ramp from operating speed to zero speed. At the blue dotted line, the drive enters and stays in STO. The yellow/black zebra-striped area of the curve outlines the complete stopping function. This stopping method is typical of many types of machinery, particularly those with servo-driven mechanisms.

Safe Stop 2 (SS2)

In some cases, the risk assessment may show that removing power completely from a mechanism will increase the risk. An example might be a vertical axis where the motor drive is used to maintain the position of the tooling. Removing power from the drive with the tool raised would result in the tooling crashing to the bottom of the axis in an uncontrolled way. Not the desired way to achieve any type of stop!

There are various ways to prevent this kind of occurrence, but I’m going to limit the discussion here to the Safe Stop 2 function.

Let’s start with the definition [4, 3.11]:

controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process

Wait! This is the same controlled stop definition that Stop Category 1 is built on, so what is the difference? For that we need to look to [4, 9.2.2]:

stop category 2 — a controlled stop with power left available to the machine actuators.

Emergency stop functions cannot use Stop Category 2 [4, 9.2.5.4.2]. If you have tooling where Stop Category 2 is the most appropriate stopping function under normal conditions, you will have to add another means to prevent the axis from falling during the emergency stop. The additional means could be a spring-set brake that is held released by the emergency stop system and is applied when the e-stop system removes power from the tooling. There are many ways to achieve automatic load-holding besides brakes, but remember, whatever you choose must be effective under power loss conditions.

As shown in Fig. 3, the operation of Safe Stop 2 differs from Safe Stop 1 in that, instead of entering STO when motion stops, the system enters Safe Operating Stop (SOS) [8]. SOS is a Stop Category 2 function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or by other means.

Figure 3 — Safe Stop 2 (graph showing speed reduction to zero, followed by entry into stop category 2)
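The three stopping functions above (STO in Fig. 1, SS1 in Fig. 2, SS2 in Fig. 3) differ in what the drive does during the stop and in the state it is left in afterwards. The following is an added example, written for this page and not taken from the article, IEC 61800-5-2 or any drive vendor’s documentation: a Python model of one axis that computes the stopping time and the angle travelled for each function, and records whether torque is still available at the end. The axis is modelled as a pure inertia with viscous friction (constructed constants); a real machine needs measured coast-down data, but the model shows why a high-inertia axis stopped with STO alone coasts for a long time while SS1 and SS2 give a defined stopping time.

```python
"""Stopping-time and travel model for STO, SS1 and SS2 on one axis.
Added example, not from the article or a drive vendor. The axis is a simple
inertia with viscous friction (constructed constants); real machines need
measured coast-down data."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Axis:
    inertia: float           # J [kg*m^2]
    friction: float          # b [N*m*s/rad]: drag torque = b * omega
    standstill: float = 1.0  # speed below which the axis is taken as at rest [rad/s]


def coast_time(axis: Axis, omega0: float) -> float:
    """STO: gate pulses off, motor torque zero. With J*domega/dt = -b*omega the
    speed decays as omega(t) = omega0*exp(-t/tau), tau = J/b, so the time to fall
    below the standstill threshold depends only on the machine, not the drive."""
    if omega0 <= axis.standstill:
        return 0.0
    return (axis.inertia / axis.friction) * math.log(omega0 / axis.standstill)


def coast_angle(axis: Axis, omega0: float, t: float) -> float:
    """Angle travelled while coasting for t seconds (integral of omega(t))."""
    tau = axis.inertia / axis.friction
    return tau * omega0 * (1.0 - math.exp(-t / tau))


def ramp_time(omega0: float, decel: float) -> float:
    """Controlled stop: linear ramp at a commanded deceleration [rad/s^2]."""
    return omega0 / decel


def ramp_angle(omega0: float, decel: float) -> float:
    return omega0 * omega0 / (2.0 * decel)


def safe_stop(function: str, axis: Axis, omega0: float, decel: float = None) -> dict:
    """Describe the outcome of an IEC 61800-5-2 stop function from speed omega0:
    stop time, angle travelled and the state the drive is left in."""
    if function == "STO":                       # stop category 0: uncontrolled
        t = coast_time(axis, omega0)
        return {"function": "STO", "stop_time": t, "angle": coast_angle(axis, omega0, t),
                "final_state": "STO", "torque_available": False, "defined_time": False}
    if decel is None or decel <= 0.0:
        raise ValueError("SS1 and SS2 need a positive deceleration")
    t, angle = ramp_time(omega0, decel), ramp_angle(omega0, decel)
    if function == "SS1":                       # stop category 1: ramp, then STO
        return {"function": "SS1", "stop_time": t, "angle": angle,
                "final_state": "STO", "torque_available": False, "defined_time": True}
    if function == "SS2":                       # stop category 2: ramp, then SOS (hold)
        return {"function": "SS2", "stop_time": t, "angle": angle,
                "final_state": "SOS", "torque_available": True, "defined_time": True}
    raise ValueError(f"unknown stop function {function!r}")


def emergency_stop_allowed(function: str) -> bool:
    """Only category 0 and 1 stops may implement an emergency stop (IEC 60204-1)."""
    return function in ("STO", "SS1")


# Constructed axis: a heavy conveyor drum with little friction, turning at 100 rad/s.
DRUM = Axis(inertia=2.0, friction=0.5)

if __name__ == "__main__":
    for fn in ("STO", "SS1", "SS2"):
        r = safe_stop(fn, DRUM, 100.0, decel=50.0)
        print(f"{fn}: {r['stop_time']:.2f} s, {r['angle']:.0f} rad, "
              f"ends in {r['final_state']}, e-stop ok: {emergency_stop_allowed(fn)}")
```

With these constants STO leaves the drum coasting for about 18 s and nearly 400 rad (some 63 turns) before it drops below the standstill threshold, while SS1 and SS2 bring it to rest in 2 s and 100 rad. SS1 and SS2 share the same ramp; the difference is only what happens at the end: SS1 drops into STO (no torque, the load may be moved by hand or gravity), SS2 stays in SOS with full holding torque, which is why SS2 is not available for the emergency stop function.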

Depending on the ISO 13849-1 PLr or the IEC 62061 SILr needed for the application, the drive may not have high enough reliability on its own. In this case, a second channel may be required to ensure that safe standstill monitoring is adequately reliable. This can be achieved by adding another means of standstill detection, like a second encoder or a standstill monitoring device. An example circuit diagram showing this type of monitoring can be found in Fig. 4 [10, Fig. 8.37], showing a safety PLC and drive used to provide an “inching” or “jog” function.

Figure 4 — Safely limited speed for inching mode – PLd, Cat. 3 [10] (circuit diagram for a safe inching mode using a motor drive, taken from Fig. 8.37 in BGIA Report 2/2008e)
In Fig. 4, the encoders are labelled G1 and G2. Both encoders are connected to the safety PLC to provide the two-channel feedback required for Category 3 architecture. G1 is also connected to the motor drive for position and velocity feedback as needed for the application. Note that this particular drive also has a contactor upstream, Q1, to provide one of the two channels required for Category 3. The second channel is provided by the pulse-blocking input on the drive. For more on how this circuit functions and how the functional safety analysis is completed, see [10].

Safe Operating Stop (SOS)

During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop is monitored safely by the drive. The function is shown in Fig. 5 [9].

Figure 5 — Safe Operating Stop (graph showing a drive maintaining position following a stop)

In Fig. 5, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position-holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.

SOS cannot be used for the emergency stop function. Under certain conditions it may be used when guard interlocks are opened, e.g., when the guard door on a CNC lathe is opened so that the operator can place a new workpiece.

There are quite a few additional “safe” drive functions. For more on these functions and how to implement them, see [2] and application data from your favourite drive manufacturer. A reference list is also provided in [10, Table 5.2].

Safe Standstill

Safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals are used to control the release of guard locking devices. Safe standstill is not the same as zero speed: zero speed can be achieved without the use of safety-rated control components and design, while safe standstill requires both suitable components and suitable design.

There are various ways to achieve safe standstill. Here are three approaches [12]:

  1. Rotation sensors
    Sensors including proximity sensors, resolvers, and encoders can be used to monitor the motion of the drive components. A safe standstill monitoring device is used to determine when standstill has occurred. When a machine has an unstable rest position, a proximity sensor should be used to ensure the machine is in a safe condition before the guard locking devices are released.
  2. Back EMF monitoring
    Back electromotive force, or back EMF, is the voltage created in an electric motor by the rotation of the armature in the motor’s magnetic field. This voltage opposes the applied voltage and is approximately proportional to the rotational speed of the motor. Back EMF remains present after the supply voltage has been removed, for as long as the motor is turning, allowing monitoring devices to indirectly measure motor speed and standstill.
  3. Failsafe timer
    Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
    Following removal of power from the drive motor, the time delay starts. At the end of the time delay, the relay releases the guard locking devices.
    Regular time delay relays cannot be used for this purpose; only fail-safe relays designed for use in safety functions can be used, together with suitable safety system design techniques like those in ISO 13849 or IEC 62061.
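To show what “monitored by a safety-rated device” amounts to in logic, here is an added example covering both the two-encoder arrangement of Fig. 4 and approaches 1 and 3 above. It is the editor’s code, not from the article, the BGIA report or any safety PLC vendor: a two-channel standstill monitor that only releases the guard lock when both encoders have reported no motion for a hold time and that latches a fault when the channels disagree, plus a failsafe timer for the case where the coast-down time is known. The sample rate, thresholds and the encoder traces are constructed values.

```python
"""Two-channel safe-standstill evaluation and a failsafe release timer.
Added example, not from the article, the BGIA report or any vendor's firmware;
it mirrors the Fig. 4 arrangement where encoders G1 and G2 both feed a safety
PLC. Sample rate, thresholds and encoder traces are constructed values."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TwoChannelStandstillMonitor:
    counts_per_rev: int
    sample_dt: float         # s between encoder samples
    threshold_rpm: float     # below this a channel reports "no motion"
    discrepancy_rpm: float   # max tolerated difference between G1 and G2
    hold_time_s: float       # standstill must persist this long before release
    fault: bool = False      # latched channel disagreement
    release: bool = False    # guard lock may be released
    _prev: Optional[Tuple[int, int]] = None
    _quiet_samples: int = 0

    def _rpm(self, prev: int, now: int) -> float:
        return abs(now - prev) / self.counts_per_rev / self.sample_dt * 60.0

    def update(self, g1: int, g2: int) -> bool:
        """Feed one sample from each encoder; returns the release output."""
        if self.fault:                      # stays locked until a deliberate reset
            self.release = False
            return False
        if self._prev is None:
            self._prev = (g1, g2)
            return False
        v1, v2 = self._rpm(self._prev[0], g1), self._rpm(self._prev[1], g2)
        self._prev = (g1, g2)
        if abs(v1 - v2) > self.discrepancy_rpm:   # one channel lying or broken
            self.fault, self.release = True, False
            return False
        if v1 < self.threshold_rpm and v2 < self.threshold_rpm:
            self._quiet_samples += 1
        else:
            self._quiet_samples = 0         # any motion restarts the hold time
        needed = round(self.hold_time_s / self.sample_dt)
        self.release = self._quiet_samples >= needed
        return self.release

    def reset(self) -> None:
        """Acknowledge a latched fault; requires a fresh pair of samples to restart."""
        self.fault, self.release, self._prev, self._quiet_samples = False, False, None, 0


class FailsafeTimer:
    """Release a fixed delay after power removal; only acceptable where the
    worst-case coast-down time is known and consistent."""
    def __init__(self, delay_s: float) -> None:
        self.delay_s, self.t_off = delay_s, None

    def power_removed(self, t: float) -> None:
        self.t_off = t

    def may_release(self, t: float) -> bool:
        return self.t_off is not None and t - self.t_off >= self.delay_s


def make_monitor() -> TwoChannelStandstillMonitor:
    return TwoChannelStandstillMonitor(counts_per_rev=1000, sample_dt=0.01,
                                       threshold_rpm=10.0, discrepancy_rpm=30.0,
                                       hold_time_s=0.1)


def scenario_ramp_to_rest():
    """Both encoders follow a genuine ramp-down (50 counts/10 ms = 300 rpm) to rest.
    Returns (released during the ramp, released after the hold time, fault)."""
    m, pos = make_monitor(), 0
    for step in (50, 40, 30, 20, 10, 0):
        pos += step
        m.update(pos, pos)
    early = m.release
    for _ in range(10):                     # 10 x 10 ms at rest >= hold_time_s
        m.update(pos, pos)
    return early, m.release, m.fault


def scenario_stuck_encoder():
    """G2 stops counting (broken coupling) while G1 still sees motion: the
    channels disagree, so the monitor latches a fault and must not release."""
    m = make_monitor()
    m.update(0, 0)
    m.update(50, 0)
    released_after_fault = m.update(50, 0)  # both now read "still", but fault is latched
    return m.fault, released_after_fault
```

Two design points carry over to real hardware. First, release is only asserted after a hold time, not on the first sample below threshold, because a single zero-delta sample is also what a stalled encoder produces. Second, cross-comparison catches a channel that fails on its own but not a common-cause failure of both (for example both encoders on one coupling that shears), which is why ISO 13849-1 also scores common-cause-failure measures for Category 2 and above and why the failsafe timer is only defensible when the coast-down time has been measured and does not drift.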

Conclusions

As you can see, there are significant differences between STO, SS1, SS2, SOS and safe standstill. While these functions may be used together to achieve a particular safety function, some depend on how the motor drive is applied in the machine, e.g., STO achieved with an upstream disconnecting device, some are built into the design of the motor drive itself, e.g., STO, SS1, SS2, and SOS, and some are realised in controls external to the motor drive, e.g., safe standstill. The similarities between these functions can make it easy to confuse them. Care needs to be taken to ensure that the correct technical approach is used when realising the safety function required by the risk assessment.

References

[1] “Variable Frequency Drives – Industrial Wiki – odesie by Tech Transfer”, Myodesie.com, 2017. [Online]. Available: https://www.myodesie.com/wiki/index/returnEntry/id/3040. [Accessed: 19-Jun-2017].

[2] “Safe Torque Off (STO) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/pages/safe-torque-off.aspx. [Accessed: 19-Jun-2017].

[3] Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional. IEC Standard 61800-5-2, 2nd Ed., 2016.

[4] Safety of machinery — Electrical equipment of machines — Part 1: General requirements. IEC Standard 60204-1, 2006.

[5] Safety of machinery — Prevention of unexpected start-up. EN Standard 1037+A1, 2008.

[6] Safety of machinery — Prevention of unexpected start-up. ISO Standard 14118, 2000.

[7] “Safe Stop 1 (SS1) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop1.aspx. [Accessed: 19-Jun-2017].

[8] “Safe Stop 2 (SS2) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop2.aspx. [Accessed: 19-Jun-2017].

[9] “Safe Operating Stop (SOS) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-operating-stop.aspx. [Accessed: 19-Jun-2017].

[10] M. Hauke, M. Schaefer, R. Apfeld, T. Boemer, M. Huelke, T. Borowski, K. Büllesbach, M. Dorra, H. Foermer-Schaefer, W. Grigulewitsch, K. Heimann, B. Köhler, M. Krauß, W. Kühlem, O. Lohmaier, K. Meffert, J. Pilger, G. Reuß, U. Schuster, T. Seifen and H. Zilligen, “Functional safety of machine controls – Application of EN ISO 13849 – Report 2/2008e”, BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, 2017.

[11] “Glossary”, Schmersalusa.com, 2017. [Online]. Available: http://www.schmersalusa.com/service/glossary/#c3616. [Accessed: 10-Jan-2018].

[12] Schmersal Tech Briefs: Safe Speed & Standstill Monitoring. Schmersal USA, 2017.

Acknowledgements

Special thanks go out to two of my regular readers for suggesting this post: Matt Ernst and controlsgirl, who comments frequently. Thanks for the ideas and the questions that sparked this post!

ISO 13849-1 Analysis — Part 8: Fault Exclusion

This entry is part 9 of 9 in the series How to do a 13849-1 analysis

Fault Consideration & Fault Exclusion

ISO 13849-1, Chapter 7 [1, 7] discusses the need for fault consideration and fault exclusion. Fault consideration is the process of examining the components and subsystems used in the safety-related part of the control system (SRP/CS) and making a list of all the faults that could occur in each one. This is definitely a non-trivial exercise!

Thinking back to some of the earlier articles in this series where I mentioned the different types of faults, you may recall that there are detectable and undetectable faults, and there are safe and dangerous faults, leading us to four kinds of fault:

  • Safe undetectable faults
  • Dangerous undetectable faults
  • Safe detectable faults
  • Dangerous detectable faults

For systems where no diagnostics are used, Category B and 1, faults need to be eliminated using inherently safe design techniques. Care needs to be taken when classifying components as “well-tried” versus using a fault exclusion, as components that might normally be considered “well-tried” might not meet those requirements in every application. [2, Annex A], Validation tools for mechanical systems, discusses the concepts of “Basic Safety Principles”, “Well-Tried Safety Principles”, and “Well-tried components”. [2, Annex A] also provides examples of faults and relevant fault exclusion criteria. There are similar Annexes that cover pneumatic systems [2, Annex B], hydraulic systems [2, Annex C], and electrical systems [2, Annex D].

For systems where diagnostics are part of the design, i.e., Category 2, 3, and 4, the fault lists are used to evaluate the diagnostic coverage (DC) of the test systems. Depending on the architecture, certain levels of DC are required to meet the relevant PL, see [1, Fig. 5]. The fault lists are the starting point for the determination of DC, and are an input into the hardware and software designs. All of the dangerous detectable faults must be covered by the diagnostics, and the DC must be high enough to meet the PLr for the safety function.

The fault lists and fault exclusions are used in the validation portion of this process as well. At the start of the validation process flowchart [2, Fig. 1], you can see how the fault lists and the criteria used for fault exclusion are used as inputs to the validation plan.

Figure: Start of ISO 13849-2 Fig. 1 (the first few stages in the ISO 13849-2 validation process; see ISO 13849-2, Figure 1)

Faults that can be excluded do not need to be validated, saving time and effort during system verification and validation (V&V). How is this done?

Fault Consideration

The first step is to develop a list of potential faults that could occur, based on the components and subsystems included in the SRP/CS. ISO 13849-2 [2] includes lists of typical faults for various technologies. For example, [2, Table A.4] is the fault list for mechanical components.

Figure: Table A.4 — Faults and fault exclusions — Mechanical devices, components and elements (e.g. cam, follower, chain, clutch, brake, shaft, screw, pin, guide, bearing), from ISO 13849-2

[2] contains tables similar to Table A.4 for:

  • Pressure-coil springs
  • Directional control valves
  • Stop (shut-off) valves/non-return (check) valves/quick-action venting valves/shuttle valves, etc.
  • Flow valves
  • Pressure valves
  • Pipework
  • Hose assemblies
  • Connectors
  • Pressure transmitters and pressure medium transducers
  • Compressed air treatment — Filters
  • Compressed-air treatment — Oilers
  • Compressed air treatment — Silencers
  • Accumulators and pressure vessels
  • Sensors
  • Fluidic information processing — Logical elements
  • etc.

As you can see, there are many different types of faults that need to be considered. Keep in mind that I did not give you all of the different fault lists – this post would be a mile long if I did that! The point is that you need to develop a fault list for your system, and then consider the impact of each fault on the operation of the system. If you have components or subsystems that are not listed in the tables, then you need to develop your own fault lists for those items. Failure Modes and Effects Analysis (FMEA) is usually the best approach for developing fault lists for these components [23], [24].

When considering the faults to be included in the list, there are a few things that should be considered [1, 7.2]:

  • if, after the first fault occurs, other faults develop because of the first fault, then you can group those faults together as a single fault
  • two or more single faults with a common cause can be considered as a single fault
  • multiple faults with different causes occurring simultaneously are considered improbable and do not need to be considered

Examples

#1 – Voltage Regulator

A voltage regulator fails in a system power supply so that the 24 Vdc output rises to an unregulated 36 Vdc (the internal power supply bus voltage), and after some time has passed, two sensors fail. All three failures can be grouped and considered as a single fault because they originate in a single failure in the voltage regulator.

#2 – Lightning Strike

If a lightning strike occurs on the power line and the resulting surge voltage on the 400 V mains causes an interposing contactor and the motor drive it controls to fail to danger, then these failures may be grouped and considered as one. Again, a single event causes all of the subsequent failures.

#3 – Pneumatic System Lubrication

3a – A pneumatic lubricator runs out of lubricant and is not refilled, depriving downstream pneumatic components of lubrication.

3b – The spool on the system dump valve sticks open because it is not cycled often enough.

These two failures do not share a cause, so there is no need to consider them as occurring simultaneously, because the probability of both happening concurrently is extremely small. One caution: these two faults MAY have a common cause – poor maintenance. If this is true and you decide to treat them as two faults with a common cause, they could then be grouped as a single fault.

Fault Exclusion

Once you have your well-considered fault lists together, the next question is “Can any of the listed faults be excluded?” This is a tricky question! There are a few points to consider:

  • Does the system architecture allow for fault exclusion?
  • Is the fault technically improbable, even if it is possible?
  • Does experience show that the fault is unlikely to occur?*
  • Are there technical requirements related to the application and the hazard that might support fault exclusion?

BE CAREFUL with this one!

Whenever faults are excluded, a detailed justification for the exclusion needs to be included in the system design documentation. Simply deciding that the fault can be excluded is NOT ENOUGH! Consider the risk a person will be exposed to in the event the fault occurs. If the severity is very high, i.e., severe permanent injury or death, you may not want to exclude the fault even if you think you could. Careful consideration of the resulting injury scenario is needed.

Basing a fault exclusion on personal experience is seldom considered adequate, which is why I added the asterisk (*) above. Look for good statistical data to support any decision to use a fault exclusion.
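The grouping rules from [1, 7.2] and the exclusion cautions above, applied to the three examples in this post, as an added illustration (this is not code from the original post or from ISO 13849). The `Fault` fields, the `single_faults` and `review_exclusion` functions and their review rules are assumptions made for this example; the fault list is constructed from examples #1 to #3.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Fault:
    name: str
    root_cause: str                 # initiating event as first listed
    caused_by: str | None = None    # earlier fault that produced this one
    severe: bool = False            # outcome: severe permanent injury or death


def single_faults(faults: list[Fault]) -> dict[str, list[str]]:
    """Collapse the raw list into single faults (ISO 13849-1, 7.2 rules).
    Rule 1: a fault caused by an earlier fault is grouped with it; rule 2:
    faults with a common cause form one fault; rule 3: independent faults
    stay separate (their simultaneous occurrence is treated as improbable)."""
    by_name = {f.name: f for f in faults}
    groups: dict[str, list[str]] = {}
    for f in faults:
        origin = f
        while origin.caused_by:          # walk back to the first fault (rule 1)
            origin = by_name[origin.caused_by]
        groups.setdefault(origin.root_cause, []).append(f.name)  # rules 2 and 3
    return groups


def review_exclusion(group: list[str], faults: list[Fault], justification: str,
                     statistical_evidence: bool) -> tuple[bool, str]:
    """Gate a proposed fault exclusion before it enters the design file (assumed rules)."""
    if not justification.strip():
        return False, "rejected: no documented justification"
    if not statistical_evidence:
        return False, "rejected: justification rests on experience alone"
    if any(f.severe for f in faults if f.name in group):
        return False, "rejected: outcome is severe permanent injury or death"
    return True, "accepted: " + justification


# Constructed fault list built from the post's three examples (not real data).
EXAMPLE_FAULTS = [
    Fault("regulator output rises to 36 Vdc", "voltage regulator failure", severe=True),
    Fault("sensor 1 fails", "sensor failure", caused_by="regulator output rises to 36 Vdc"),
    Fault("sensor 2 fails", "sensor failure", caused_by="regulator output rises to 36 Vdc"),
    Fault("interposing contactor fails to danger", "lightning surge on 400 V mains", severe=True),
    Fault("motor drive fails to danger", "lightning surge on 400 V mains", severe=True),
    Fault("lubricator runs dry", "lubricator not refilled"),
    Fault("dump valve spool sticks open", "dump valve cycled too rarely"),
]
```

Giving faults 3a and 3b the same `root_cause` ("poor maintenance") is all it takes to merge them into one fault, which is the judgement call the caution in example #3 describes.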

There is much more information available in IEC 61508-2 on the subject of fault exclusion, and there is good information in some of the books mentioned below [0.1], [0.2], and [0.3]. If you know of additional resources you would like to share, please post the information in the comments!

Definitions

3.1.3 fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2 to entry: In this part of ISO 13849, “fault” means random fault. [SOURCE: IEC 60050-191:1990, 05-01.]

Book List

Here are some books that I think you may find helpful on this journey:

[0]    B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI, USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety Critical Systems Handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of Techniques and Measures Related to EMC for Functional Safety, 1st ed. Stevenage, UK, 2013.

References

Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1]    Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[2]    Safety of machinery — Safety-related parts of control systems — Part 2: Validation. 2nd Edition. ISO Standard 13849-2. 2012.

[3]    Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4]    Safeguarding of Machinery. 2nd Edition. CSA Standard Z432. 2004.

[5]    Risk Assessment and Risk Reduction — A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6]    Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[7]    Functional safety of electrical/electronic/programmable electronic safety-related systems. 7 parts. IEC Standard 61508. Edition 2. 2010.

[8]    S. Jocelyn, J. Baudoin, Y. Chinniah, and P. Charpentier, “Feasibility study and uncertainties in the validation of an existing safety-related control circuit with the ISO 13849-1:2006 design standard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104–112, Jan. 2014.

[9]    Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report TR 62061-1. 2010.

[10]   Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[11]   Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report 62061-1. 2010.

[12]   D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability — Mapping the output of risk assessment tools to functional safety requirements for safety related control systems,” 2015.

[13]   Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954-1. 1996.

[14]   Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems. IEC Standard 61508-2. 2010.

[15]   Reliability Prediction of Electronic Equipment. Military Handbook MIL-HDBK-217F. 1991.

[16]   “IFA – Practical aids: Software-Assistent SISTEMA: Safety Integrity – Software Tool for the Evaluation of Machine Applications”, Dguv.de, 2017. [Online]. Available: http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema/index.jsp. [Accessed: 30-Jan-2017].

[17]   “failure mode”, 192-03-17, International Electrotechnical Vocabulary. IEC International Electrotechnical Commission, Geneva, 2015.

[18]   M. Gentile and A. E. Summers, “Common Cause Failure: How Do You Manage Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331–338, 2006.

[19]   Out of Control — Why control systems go wrong and how to prevent failure, 2nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.

[20]   Safeguarding of Machinery. 3rd Edition. CSA Standard Z432. 2016.

[21]   O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Canada, 1990.

[22]   “Field-programmable gate array”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23]   Analysis techniques for system reliability — Procedure for failure mode and effects analysis (FMEA). 2nd Ed. IEC Standard 60812. 2006.

[24]   “Failure mode and effects analysis”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].