Category: Control Functions

This cat­egory dis­cusses vari­ous aspects of con­trol func­tions.

Emergency Stop Failures

This entry is part of 12 in the series Emergency Stop

I am always look­ing for inter­est­ing examples of machinery safety prob­lems to share on MS101. Recently I was scrolling Reddit/​r/​OSHA and found these three real-​world examples.

Broken Emergency Stop Buttons

The first and most obvi­ous kinds of fail­ures are those res­ult­ing from either wear out or dam­age to emer­gency stop devices like e-​stop but­tons or pull cords. Here’s a great example:

Won’t be stop­ping this elev­at­or any­time soon. from OSHA

The oper­at­or device in this pic­ture has two prob­lems:

1) the but­ton oper­at­or has failed and

2) the e-​stop is incor­rectly marked.

The cor­rect mark­ing would be a yel­low back­ground in place of the red/​silver legend plate, like the example below. The yel­low back­ground could have the words “emer­gency stop” on them, but it is not neces­sary.

Yellow circular legend plate with the words "emergency stop" in black letters. Fits A-B 800T pushbutton operators.
Allen-​Bradley 800T Emergency Stop legend plate

There is an ISO/​IEC sym­bol for an emer­gency stop that could also be used [1].

Emergency stop symbol. A circle containing an equalateral triangle pointing downward, containing an exclamation mark.
Emergency Stop Symbol IEC 60417 – 5638 [1]
I won­der how the con­tact block(s) inside the enclos­ure are doing? Contact blocks have been known to fall off the back of emer­gency stop oper­at­or but­tons, leav­ing you with a but­ton that does noth­ing when pressed. Contact blocks secured with screws are most vul­ner­able to this kind of fail­ure. Losing a con­tact block like this hap­pens most often in high-​vibration con­di­tions. I have run across this in real life while doing inspec­tions on cli­ent sites.

There are con­tact blocks made to detect this kind of fail­ure, like Allen Bradley’s self-​monitoring con­tact block, 800TC-​XD4S, or the sim­il­ar Siemens product,3SB34. Most con­trols com­pon­ent man­u­fac­tur­ers will be likely to have sim­il­ar com­pon­ents.

Here’s anoth­er example from a machine inspec­tion I did a while ago. Note the wire “keep­er” that pre­vents the but­ton from get­ting lost!


Installation Failures

Here is an example of poor plan­ning when installing new bar­ri­er guards. The emer­gency stop but­ton is now out of reach. The ori­gin­al poster does not indic­ate a reas­on why the emer­gency stop for the machine he was oper­at­ing was moun­ted on a dif­fer­ent machine.

sure hope i nev­er need to hit that emer­gency stop but­ton. its for the machine on my side of the new fence. from OSHA

No Emergency Stop at all

Finally, and pos­sibly the worst example of all. Here is an impro­vised emer­gency stop using a set of wire cut­ters. No fur­ther com­ment required.

Emergency stop but­ton. from OSHA

If you have any examples you would like to share, feel free to add them in com­ments below. References to par­tic­u­lar employ­ers or man­u­fac­tur­ers will be deleted before posts are approved.

References

[1]     “IEC 60417 – 5638, Emergency Stop”, Iso​.org, 2017. [Online]. Available: https://​www​.iso​.org/​o​b​p​/​u​i​/​#​i​e​c​:​g​r​s​:​6​0​4​1​7​:​5​638. [Accessed: 27- Jun- 2017].

Safe Drive Control including STO

Ed. Note: This art­icle was revised 25-​Jul-​17 to include inform­a­tion on safe stand­still.

Safe Drive Control

Variable Frequency Drive for conveyor speed control
Variable Frequency Drive for con­vey­or speed con­trol [1]
Motor drives are every­where. From DC vari­able speed drives and index­ing drives, through AC Variable Frequency drives, servo drives and step­per motor drives, the cap­ab­il­it­ies and the flex­ib­il­ity of these elec­tron­ic sys­tems has giv­en machine design­ers unpre­ced­en­ted cap­ab­il­it­ies when com­pared to basic relay or contactor-​based motor starters. We now have the cap­ab­il­ity to con­trol mech­an­isms using motors in ways that would have been hard to ima­gine at the begin­ning of the indus­tri­al revolu­tion.

Since we are con­trolling machinery, safety is always a con­cern. In the 1990’s when I star­ted design­ing machinery with motor drives, deal­ing with safety con­cerns usu­ally meant adding a suit­ably rated con­tact­or upstream of the drive so that you could inter­rupt power to the drive in case some­thing went wrong. With early servo drives, inter­rupt­ing the sup­ply power often meant los­ing pos­i­tion data or worse, so con­tact­ors were placed between the drive and the motor. This occa­sion­ally caused the drive stage of the servo con­trol­ler to blow up if the switch-​off happened with the motor run­ning and under high load. Motor drive man­u­fac­tur­ers respon­ded by provid­ing con­tact­ors and oth­er com­pon­ents built into their drives, cre­at­ing a fea­ture called Safe Torque Off (STO).

STO describes a state where “The drive is reli­ably torque-​free” [2]. The func­tions dis­cussed in this art­icle are described in detail in IEC 61800−5−2 [3]. The func­tions are also lis­ted in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emer­gency stop func­tions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-​related stop func­tions ini­ti­ated by a safe­guard­ing device.

If you have been a read­er of this blog for a while, you may recall that I have dis­cussed stop cat­egor­ies before. This art­icle expands on those con­cepts in rela­tion to motor drives and their stop­ping func­tions spe­cific­ally. I’ve also talked about Emergency Stop extens­ively. You might be inter­ested in read­ing more about the e-​stop func­tion in the post “Emergency Stop – What’s so con­fus­ing about that?”

Safe Torque Off (STO)

According to Siemens, “The STO func­tion is the most com­mon and basic drive-​integrated safety func­tion. It ensures that no torque-​generating energy can con­tin­ue to act upon a motor and pre­vents unin­ten­tion­al start­ing.” Risk assess­ment of the machinery can identi­fy the need for an STO func­tion. The devices used for this applic­a­tion are described in IEC 60204 – 1 in clause 5.4 [4]. The design fea­tures for pre­ven­tion of unex­pec­ted start­ing are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are inter­ested in these stand­ards, ISO 14118 is in the pro­cess of being revised. A new ver­sion should be avail­able with­in 12 – 18 months.

The STO func­tion oper­ates as shown in Fig.1. The blue line rep­res­ents the drive speed/​velocity, V, on the y-​axis, with time, t, on the x-​axis.

Graph showing motor drive output over time when the STO function is activated.
Figure 1 – Safe Torque Off func­tion [1]
At the begin­ning of the stop­ping pro­cess (orange arrow and dot­ted line), the drive gate pulses are imme­di­ately shut off, remov­ing torque from the motor (i.e., zero torque). The speed of the driv­en equip­ment will drop at a rate determ­ined by the sys­tem fric­tion and iner­tia until stand­still is achieved. The zero torque con­di­tion is then main­tained until the safety func­tion per­mits restart­ing (area out­lined with yellow/​black zebra stripe). Note that drive stand­still may occur if the fric­tion and iner­tia of the sys­tem per­mit, but it is pos­sible that the driv­en equip­ment may coast for some time. You may be able to move the driv­en equip­ment by hand or grav­ity with drive in STO.STO is an uncon­trolled stop [4, 3.56]:

STO is an uncon­trolled stop [4, 3.56]:

uncon­trolled stop
stop­ping of machine motion by remov­ing elec­tric­al power to the machine actu­at­ors
NOTE This defin­i­tion does not imply any oth­er state of oth­er (for example, non-​electrical) stop­ping devices, for example, mech­an­ic­al or hydraul­ic brakes that are out­side the scope of this stand­ard.

The defin­i­tion above is import­ant. Uncontrolled stops are the most com­mon form of stop­ping used in machines of all types and is required as a basic func­tion for all machines. It can be achieved in a num­ber of ways, includ­ing the use of a dis­con­nect­ing device, emer­gency stop sys­tems, and gate inter­lock­ing sys­tems that remove power from machine actu­at­ors.

The concept of an uncon­trolled stop is embod­ied in stop cat­egory 0 [4, 9.2.2]:

stop cat­egory 0 — stop­ping by imme­di­ate remov­al of power to the machine actu­at­ors (i.e., and uncon­trolled stop, see 3.56)

Stop cat­egory 0 is only appro­pri­ate where the machinery has little iner­tia, or where mech­an­ic­al fric­tion is high enough that the stop­ping time is short. It may also be used in cases where the machinery has very high iner­tia, but only for nor­mal stop­ping when coast­ing time is not a factor, not for safety stop­ping func­tions where the time to a no-​motion state is crit­ic­al.

There are a few oth­er stop­ping modes that are often con­fused with STO:

  • Safe Stop 1
  • Safe Stop 2
  • Safe Operating Stop
  • Safe Standstill

Let’s explore the dif­fer­ences.

Safe Stop 1 (SS1)

If a defined stop­ping time is needed, a con­trolled stop­ping func­tion will be required fol­lowed by entry into STO. This stop­ping func­tion is called “Safe Stop 1” (SS1).

SS1 is dir­ectly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 func­tions as fol­lows:

stop cat­egory 1 — a con­trolled stop (see 3.11) with power avail­able to the machine actu­at­ors to achieve the stop and then remov­al of power when the stop is achieved;

A “con­trolled stop” is defined in [4, 3.11]:

con­trolled stop
stop­ping of machine motion with elec­tric­al power to the machine actu­at­or main­tained dur­ing the stop­ping pro­cess

Once the con­trolled stop is com­pleted, i.e., machine motion has stopped, the drive may then be placed into STO (or cat­egory 0 stop). The stop­ping pro­cess is shown in Fig. 2 [7].

Graph showing the reduction of drive speed over time following the beginning of a controlled stopping process.
Figure 2 – Safe Stop 1

The stop­ping pro­cess starts where the orange arrow and dot­ted line are shown. As com­pared to Fig. 1 where the decel­er­a­tion curve is gentle and expo­nen­tial, the act­ive stop­ping peri­od in Fig. 2 is a lin­ear curve from oper­at­ing speed to zero speed. At the blue dot­ted line, the drive enters and stays in STO. The yellow/​black zebra striped area of the curve out­lines the com­plete stop­ping func­tion. This stop­ping meth­od is typ­ic­al of many types of machinery, par­tic­u­larly those with servo driv­en mech­an­isms.

Safe Stop 2 (SS2)

In some cases, the risk assess­ment may show that remov­ing power com­pletely from a mech­an­ism will increase the risk. An example might be a ver­tic­al axis where the motor drive is used to main­tain the pos­i­tion of the tool­ing. Removing power from the drive with the tool raised would res­ult in the tool­ing crash­ing to the bot­tom of the axis in an uncon­trolled way. Definitely NOT the desired way to achieve any kind of stop!

There are a num­ber of ways to pre­vent this kind of occur­rence, but I’m going to lim­it the dis­cus­sion here to the Safe Stop 2 func­tion.

Let’s start with the defin­i­tion [4, 3.11]:

con­trolled stop
stop­ping of machine motion with elec­tric­al power to the machine actu­at­or main­tained dur­ing the stop­ping pro­cess

Wait! This is exactly the same as a stop cat­egory 1, so what is the dif­fer­ence? For that we need to look to [4, 9.2.2]:

stop cat­egory 2 — a con­trolled stop with power left avail­able to the machine actu­at­ors.

The first thing to know about stop cat­egory 2 is that this cat­egory can­not be used for emer­gency stop [4, 9.2.5.4.2]. If you have tool­ing where stop cat­egory 2 is the most appro­pri­ate stop under nor­mal con­di­tions, you will have to add an anoth­er means to pre­vent the axis from fall­ing dur­ing the emer­gency stop. This could be a spring-​set brake that is held released by the emer­gency stop sys­tem and is applied when the e-​stop sys­tem removes power from the tool­ing. There are many ways to achieve auto­mat­ic load-​holding besides brakes, but remem­ber, whatever you choose it must be effect­ive in power loss con­di­tions.

As shown in Fig. 3, the oper­a­tion of Safe Stop 2 dif­fers from Safe Stop 1 in that, instead of enter­ing into STO when motion stops, the sys­tem enters Safe Operating Stop (SOS) [8], not STO. SOS is a stop cat­egory 2 func­tion. Full torque remains avail­able from the motor to hold the tool­ing in pos­i­tion. Safe stand­still is mon­itored by the drive or oth­er means.

Graph showing speed reduction to zero, followed by entry into stop category 2.
Figure 3 — Safe Stop 2

Depending on the ISO 13849 – 1 PLr, or the IEC 62061 SILr needed for the applic­a­tion, the drive may not have high enough reli­ab­il­ity on its own. In this case, a second chan­nel may be required to ensure that safe stand­still mon­it­or­ing is adequately reli­able. This can be achieved by adding anoth­er means of stand­still detec­tion, like a second encoder, or a stand­still mon­it­or­ing device. An example cir­cuit dia­gram show­ing this type of mon­it­or­ing can be found in Fig. 4 [10, Fig. 8.37], show­ing a safety PLC and drive used to provide an “inch­ing” or “jog” func­tion.

Circuit diagram for a safe inching mode using a motor drive. Taken from Fig 8.37 in BGIA Report 2/2008e
Figure 4 — Safely lim­ited speed for inch­ing mode – PLd, Cat. 3 [10]
In Fig. 4, the encoders are labelled G1 and G2. Both encoders are con­nec­ted to the safety PLC to provide two-​channel feed­back required for Category 3 archi­tec­ture. G1 is also con­nec­ted to the motor drive for pos­i­tion and velo­city feed­back as needed for the applic­a­tion. Note that this par­tic­u­lar drive also has a con­tact­or upstream, Q1, to provide one chan­nel of the two required for Category 3. The second chan­nel would be provided by the pulse block­ing input on the drive. For more on how this cir­cuit func­tions and how the func­tion­al safety ana­lys­is is com­pleted, see [10].

Safe Operating Stop (SOS)

During a safe oper­at­ing stop (SOS), the motor is brought to a spe­cif­ic pos­i­tion and held there by the drive. Full torque is avail­able to keep the tool­ing in pos­i­tion. The stop is mon­itored safely by the drive. The func­tion is shown in Figure 4 [9].

A graph showing a drive maintaining position following a stop
Figure 5 — Safe Operating Stop

In Fig. 5, the y-​axis, s, rep­res­ents the pos­i­tion of the tool­ing, NOT the velo­city, while the x-​axis rep­res­ents time, t. The start of the pos­i­tion hold­ing func­tion is shown by the orange arrow and dashed line. The peri­od fol­low­ing the green dashed line is the SOS peri­od.

SOS can­not be used for the emer­gency stop func­tion. Under cer­tain con­di­tions it may be used when guard inter­locks are opened, i.e., the guard door on a CNC lathe is opened so that the oper­at­or can place a new work­piece.

There a quite a few addi­tion­al “safe” drive func­tions. For more on these func­tions and how to imple­ment them, see [2] and applic­a­tion data from your favour­ite drive man­u­fac­turer. Reference is also provided in [9, Table 5.2].

Safe Standstill

Safe stand­still is a con­di­tion where motion has stopped and is being mon­itored by a safety-​rated device whose out­put sig­nals are used to con­trol the release of guard lock­ing devices. Safe stand­still is not the same as zero-​speed because zero-​speed can be achieved without the use of safety rated con­trol com­pon­ents and design, while safe stand­still requires both suit­able com­pon­ents and design.

There are a num­ber of ways to achieve safe stand­still. Here are three com­mon approaches [12]:

  1. Rotation sensors
    Sensors includ­ing prox­im­ity sensors, resolv­ers, and encoders can be used to mon­it­or the motion of the drive com­pon­ents. A safe stand­still mon­it­or­ing device is used to when stand­still has occurred.  When a machine has an unstable rest pos­i­tion, a prox­im­ity sensor should be used to ensure the machine is in a safe con­di­tion before the guard lock­ing devices are released.
  2. Back EMF mon­it­or­ing
    Back elec­tro­mot­ive force or Back EMF is the voltage cre­ated in an elec­tric motor due to the rota­tion of the arma­ture in the mag­net­ic field in the motor. This voltage opposes the applied voltage and is approx­im­ately pro­por­tion­al to the rota­tion­al speed of the motor. Back EMF remains after the sup­ply voltage has been removed, allow­ing mon­it­or­ing devices to indir­ectly meas­ure motor speed and stand­still.
  3. Failsafe timer
    Failsafe timers are time delay relays designed for use in safety func­tions. Failsafe timers can be used when the stop­ping per­form­ance of the machinery is con­sist­ent and known.
    Following remov­al of power from the drive motor, the time delay starts. At the end of the time delay, the relay releases the guard lock­ing devices.
    Regular time delay relays can­not be used for this pur­pose, only fail-​safe relays designed to be used in safety func­tions can be used, along with suit­able safety sys­tems design tech­niques like ISO 13849 or IEC 62061.

Conclusions

As you can see, there are sig­ni­fic­ant dif­fer­ences between STO, SS1, SS2, SOS and Safe Standstill. While these func­tions may be used togeth­er to achieve a par­tic­u­lar safety func­tion, some are func­tions of the imple­ment­a­tion of the motor drive, e.g., STO, a func­tion of the design of the motor drive itself, e.g., STO, SS1, SS2, and SOS, or the design of con­trols extern­al to the motor drive, e.g., safe stand­still. The sim­il­ar­it­ies between these vari­ous func­tions can make it easy to con­fuse them. Care needs to be taken to ensure that the cor­rect tech­nic­al approach is used when real­ising the safety func­tion required by the risk assess­ment.

References

[1]    “Variable Frequency Drives – Industrial Wiki – odesie by Tech Transfer”, Myodesie​.com, 2017. [Online]. Available: https://​www​.myo​desie​.com/​w​i​k​i​/​i​n​d​e​x​/​r​e​t​u​r​n​E​n​t​r​y​/​i​d​/​3​040. [Accessed: 19- Jun- 2017]. 

[2] “Safe Torque Off (STO) – Safety Integrated – Siemens”, Industry​.siemens​.com, 2017. [Online]. Available: http://​www​.industry​.siemens​.com/​t​o​p​i​c​s​/​g​l​o​b​a​l​/​e​n​/​s​a​f​e​t​y​-​i​n​t​e​g​r​a​t​e​d​/​m​a​c​h​i​n​e​-​s​a​f​e​t​y​/​p​r​o​d​u​c​t​-​p​o​r​t​f​o​l​i​o​/​d​r​i​v​e​-​t​e​c​h​n​o​l​o​g​y​/​s​a​f​e​t​y​-​f​u​n​c​t​i​o​n​s​/​p​a​g​e​s​/​s​a​f​e​-​t​o​r​q​u​e​-​o​f​f​.​a​spx. [Accessed: 19- Jun- 2017].

[3]      Adjustable speed elec­tric­al power drive sys­tems – Part 5 – 2: Safety require­ments – Functional. IEC Standard 61800−5−2. 2nd Ed. 2016.

[4]     Safety of machinery — Electrical equip­ment of machines — Part 1: General require­ments. IEC Standard 60204 – 1. 2006.

[5]     Safety of machinery — Prevention of unex­pec­ted start-​up. EN Standard 1037+A1. 2008.

[6]     Safety of machinery — Prevention of unex­pec­ted start-​up. ISO Standard 14118. 2000.

[7]     “Safe Stop 1 (SS1) – Safety Integrated – Siemens”, Industry​.siemens​.com, 2017. [Online]. Available: http://​www​.industry​.siemens​.com/​t​o​p​i​c​s​/​g​l​o​b​a​l​/​e​n​/​s​a​f​e​t​y​-​i​n​t​e​g​r​a​t​e​d​/​m​a​c​h​i​n​e​-​s​a​f​e​t​y​/​p​r​o​d​u​c​t​-​p​o​r​t​f​o​l​i​o​/​d​r​i​v​e​-​t​e​c​h​n​o​l​o​g​y​/​s​a​f​e​t​y​-​f​u​n​c​t​i​o​n​s​/​P​a​g​e​s​/​s​a​f​e​-​s​t​o​p​1​.​a​spx. [Accessed: 19- Jun- 2017].

[8]     “Safe Stop 2 (SS2) – Safety Integrated – Siemens”, Industry​.siemens​.com, 2017. [Online]. Available: http://​www​.industry​.siemens​.com/​t​o​p​i​c​s​/​g​l​o​b​a​l​/​e​n​/​s​a​f​e​t​y​-​i​n​t​e​g​r​a​t​e​d​/​m​a​c​h​i​n​e​-​s​a​f​e​t​y​/​p​r​o​d​u​c​t​-​p​o​r​t​f​o​l​i​o​/​d​r​i​v​e​-​t​e​c​h​n​o​l​o​g​y​/​s​a​f​e​t​y​-​f​u​n​c​t​i​o​n​s​/​P​a​g​e​s​/​s​a​f​e​-​s​t​o​p​2​.​a​spx. [Accessed: 19- Jun- 2017].

[9]     “Safe Operating Stop (SOS) – Safety Integrated – Siemens”, Industry​.siemens​.com, 2017. [Online]. Available: http://​www​.industry​.siemens​.com/​t​o​p​i​c​s​/​g​l​o​b​a​l​/​e​n​/​s​a​f​e​t​y​-​i​n​t​e​g​r​a​t​e​d​/​m​a​c​h​i​n​e​-​s​a​f​e​t​y​/​p​r​o​d​u​c​t​-​p​o​r​t​f​o​l​i​o​/​d​r​i​v​e​-​t​e​c​h​n​o​l​o​g​y​/​s​a​f​e​t​y​-​f​u​n​c​t​i​o​n​s​/​P​a​g​e​s​/​s​a​f​e​-​o​p​e​r​a​t​i​n​g​-​s​t​o​p​.​a​spx. [Accessed: 19- Jun- 2017].

[10]     M. Hauke, M. Schaefer, R. Apfeld, T. Boemer, M. Huelke, T. Borowski, K. Büllesbach, M. Dorra, H. Foermer-​Schaefer, W. Grigulewitsch, K. Heimann, B. Köhler, M. Krauß, W. Kühlem, O. Lohmaier, K. Meffert, J. Pilger, G. Reuß, U. Schuster, T. Seifen and H. Zilligen, “Functional safety of machine con­trols – Application of EN ISO 13849 – Report 2/​2008e”, BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, 2017.

[11]     “Glossary”, Schmersalusa​.com, 2017. [Online]. Available: http://​www​.schmersa​lusa​.com/​c​m​s​1​7​/​o​p​e​n​c​m​s​/​h​t​m​l​/​e​n​/​s​e​r​v​i​c​e​/​g​l​o​s​s​a​r​y​.​h​t​m​l#S. [Accessed: 25- Jul- 2017].

[12]     Schmersal Tech Briefs: Safe Speed & Standstill Monitoring. Schmersal USA, 2014.

Acknowledgements

Special thanks go out to two of my reg­u­lar read­ers for sug­gest­ing this post: Matt Ernst and con­trols­girl, who com­ments fre­quently. Thanks for the ideas and the ques­tions that sparked this post!

How to do a 13849 – 1 analysis: Complete Reference List

This entry is part 8 of 9 in the series How to do a 13849 – 1 ana­lys­is

An old book lying open with round eyeglasses lying on top.As prom­ised in pre­vi­ous posts, here is the com­plete ref­er­ence list for the series “How to do a 13849 – 1 ana­lys­is”! If you have any addi­tion­al resources you think read­ers would find help­ful, please add them in the com­ments.

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety crit­ic­al sys­tems hand­book. Amsterdam: Elsevier/​Butterworth-​Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of tech­niques and meas­ures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of tech­niques and meas­ures related to EMC for Functional Safety, 2013.

References

Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Included in the last post of the series is the com­plete ref­er­ence list.

[1]     Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design. 3rd Edition. ISO Standard 13849 – 1. 2015.

[2]     Safety of machinery – Safety-​related parts of con­trol sys­tems – Part 2: Validation. 2nd Edition. ISO Standard 13849 – 2. 2012.

[3]      Safety of machinery – General prin­ciples for design – Risk assess­ment and risk reduc­tion. ISO Standard 12100. 2010.

[4]     Safeguarding of Machinery. 2nd Edition. CSA Standard Z432. 2004.

[5]     Risk Assessment and Risk Reduction- A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6]    Safety of machinery – Emergency stop func­tion – Principles for design. ISO Standard 13850. 2015.

[7]     Functional safety of electrical/​electronic/​programmable elec­tron­ic safety-​related sys­tems. 7 parts. IEC Standard 61508. Edition 2. 2010.

[8]     S. Jocelyn, J. Baudoin, Y. Chinniah, and P. Charpentier, “Feasibility study and uncer­tain­ties in the val­id­a­tion of an exist­ing safety-​related con­trol cir­cuit with the ISO 13849 – 1:2006 design stand­ard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104 – 112, Jan. 2014.

[9]    Guidance on the applic­a­tion of ISO 13849 – 1 and IEC 62061 in the design of safety-​related con­trol sys­tems for machinery. IEC Technical Report TR 62061 – 1. 2010.

[10]     Safety of machinery – Functional safety of safety-​related elec­tric­al, elec­tron­ic and pro­gram­mable elec­tron­ic con­trol sys­tems. IEC Standard 62061. 2005.

[11]    Guidance on the applic­a­tion of ISO 13849 – 1 and IEC 62061 in the design of safety-​related con­trol sys­tems for machinery. IEC Technical Report 62061 – 1. 2010.

[12]    D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability — Mapping the out­put of risk assess­ment tools to func­tion­al safety require­ments for safety related con­trol sys­tems,” 2015.

[13]    Safety of machinery. Safety related parts of con­trol sys­tems. General prin­ciples for design. CEN Standard EN 954 – 1. 1996.

[14]   Functional safety of electrical/​electronic/​programmable elec­tron­ic safety-​related sys­tems – Part 2: Requirements for electrical/​electronic/​programmable elec­tron­ic safety-​related sys­tems. IEC Standard 61508 – 2. 2010.

[15]     Reliability Prediction of Electronic Equipment. Military Handbook MIL-​HDBK-​217F. 1991.

[16]     “IFA – Practical aids: Software-​Assistent SISTEMA: Safety Integrity – Software Tool for the Evaluation of Machine Applications”, Dguv​.de, 2017. [Online]. Available: http://​www​.dguv​.de/​i​f​a​/​p​r​a​x​i​s​h​i​l​f​e​n​/​p​r​a​c​t​i​c​a​l​-​s​o​l​u​t​i​o​n​s​-​m​a​c​h​i​n​e​-​s​a​f​e​t​y​/​s​o​f​t​w​a​r​e​-​s​i​s​t​e​m​a​/​i​n​d​e​x​.​jsp. [Accessed: 30- Jan- 2017].

[17]      “fail­ure mode”, 192−03−17, International Electrotechnical Vocabulary. IEC International Electrotechnical Commission, Geneva, 2015.

[18]      M. Gentile and A. E. Summers, “Common Cause Failure: How Do You Manage Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331 – 338, 2006.

[19]     Out of Control — Why con­trol sys­tems go wrong and how to pre­vent fail­ure, 2nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.

[20]     Safeguarding of Machinery. 3rd Edition. CSA Standard Z432. 2016.

[21]     O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Canada, 1990.

[22]     “Field-​programmable gate array”, En​.wiki​pe​dia​.org, 2017. [Online]. Available: https://​en​.wiki​pe​dia​.org/​w​i​k​i​/​F​i​e​l​d​-​p​r​o​g​r​a​m​m​a​b​l​e​_​g​a​t​e​_​a​r​ray. [Accessed: 16-​Jun-​2017].

[23]     Analysis tech­niques for sys­tem reli­ab­il­ity – Procedure for fail­ure mode and effects ana­lys­is (FMEA). 2nd Ed. IEC Standard 60812. 2006.

[24]     “Failure mode and effects ana­lys­is”, En​.wiki​pe​dia​.org, 2017. [Online]. Available: https://​en​.wiki​pe​dia​.org/​w​i​k​i​/​F​a​i​l​u​r​e​_​m​o​d​e​_​a​n​d​_​e​f​f​e​c​t​s​_​a​n​a​l​y​sis. [Accessed: 16-​Jun-​2017].