Get up to speed on functional safety standards and machinery design
By Doug Nix
By Doug Nix
Functional safety is a growing field in engineering, and one that is having increasing influence in most products that include active control systems. If you haven’t heard this term before, you can find one definition in an IEC Standard: “Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.” The full definition is a bit longer, but the idea is clear: Control systems with a safety function must operate correctly.
Since the mid-1990s, functional safety has been slowly creeping into the industrial machinery design field. Prior to that, most machines had a simple emergency stop circuit, one that often did double-duty as the main power control for the machine. In many cases, a simple interlock was added to that circuit, and voila! You had the safety-related parts of the control system. Figure 1 shows a simple master control relay circuit with interlock.
In this figure, the ‘MCR,’ or Master Control Relay, would typically be a fairly beefy contactor, usually with a DC contact rating so that both AC and DC control circuits could be directly switched.
‘PB2’ is the ‘Power On’ button, ‘PB1’ is the ‘Power Off’ button, and if it was fitted with a red mushroom-head operator, could also operate as the Emergency Stop button. ‘LS1’ is the guard interlock limit switch, and ‘CR1’ is the interlock relay. ‘M1’ represents the machine prime mover, like a conveyor motor or a hydraulic pump, for example.
Since 1994, there has been an increasing focus on functional safety in industrial machinery. This focus has been driven primarily by the European Union, but North America has recognized there is value in ensuring safety functions work properly. This has been accompanied by an increasing selection of safeguarding devices, beginning with two-hand controls and now including light curtains and fences, safety mats, area scanners and 3D-vision systems. Failures in these systems result in injuries and fatalities, so reliable control systems make sense.
To really understand the problems we are facing, a little history is needed. The timeline shown in Figure 2 illustrates the development of the standards.
Functional safety was described in the first editions of both CSA Z432 and Z434, but little direction was given to designers about the appropriate use of these approaches. In 1995, EN 954-1 was introduced in Europe and was harmonized under the Machinery Directive of the day, introducing the reliability categories that have become familiar: Categories B, 1-4. EN 954-1 marked the first time that prescribed control circuit architectures were described, and also gave designers more specific guidance on when to use the different categories to achieve effective risk reduction. ISO would later take over responsibility for EN 954-1, renumbering it as ISO 13849-1 and publishing the first edition in 1999; this edition was virtually unchanged from EN 954-1.
In 1999, ANSI published the second edition of RIA R15.06 and detailed the prescribed control circuit architectures in a North American standard. The categories were not identical to those in EN 954-1 or ISO 13849-1, and were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories were quickly adopted with some changes by CSA and included in CSA’s Z432 and Z434 standards in 2003 and 2004 respectively.
In 2006, everything changed with the publication of ISO 13849-1, Edition 2. This edition expanded on the prescribed architectures from the first edition, introducing the ideas of Performance Level or PL, Mean Time to Failure (dangerous) or MTTFd, Diagnostic Coverage or DC, and Common Cause Failures or CCF.
A big problem had been created: North America had the SIMPLE to CONTROL RELIABLE categories, but the U.S. and Canadian definitions were different. Internationally, ISO had PLa-e, and IEC had SILs (Safety Integrity Levels) SIL1-SIL4. All of these standards were applicable to machinery, but there was no clear guidance on how to choose the most appropriate standard.
Since the second Edition of ISO 13849-1 was published in 2006, ANSI has adopted ISO 10218-1 for Industrial Robots, and this standard brings ISO 13849-1 in with it. This may spell the end of the SIMPLE-CONTROL RELIABLE definitions, since the coming adoption of ISO 10218-2 for Industrial Robot Systems will incorporate ISO 13849-1 into the requirements for the safeguarding systems on robot systems in the U.S. It is reasonable to expect that CSA will not be far behind in adopting these same standards.
ISO and IEC recognize that a problem exists for users. While ISO 13849-1 has been harmonized for machinery and has replaced EN 954-1, IEC has a competing standard. IEC 62061, which uses SILs, is also harmonized under the machinery directive, but doesn’t explicitly include pneumatics and hydraulics while ISO 13849-1 does. You can use the IEC standard to assess the reliability of fluid power systems; it just takes a bit more work. A Joint Working Group was formed under ISO TC199 – Safety of Machinery, called ‘JWG1.’ The sole task of this group is the merger of ISO 13849-1 and IEC 62061. Although the work started in 2011, publication of the merged document is unlikely to come soon. We may have to wait until 2018 to see the finished product.
Designers need to ensure that they have reduced the risks on their machinery following the hierarchy of controls, and that the safeguarding systems selected are appropriate for the application.
A presentation given by Heinrich Mödden of Germany’s VDW to ISO TC199 in 2012, showed injuries due to intentional bypassing of safeguarding systems, often for legitimate reasons, far outweighed injuries from control systems failing to danger. There is often insufficient motivation to return the safeguards to their original state, eliminating the protective function designed into the machinery by the manufacturer.
Are we wasting our time focusing so much effort on functional safety, if our efforts are often disabled in the field? I don’t think so, since even one injury is too many, but we may be putting more effort into figuring out how best to assess control reliability than is warranted. Machinery designers need to focus on the whole hierarchy of controls, and functional safety considerations should only receive attention when it makes sense.
If you are interested in learning more about machinery risk assessment and the application of ISO 13849-1, Compliance InSight Consulting is offering open enrollment workshops on risk assessment and the application of ISO 13849-1 starting this month. Visit www.complianceinsight.ca/training/Seminars.html for more details and to register. You can get more technical information on these topics by visiting the Machinery Safety 101 blog at machinerysafety101.com.
Doug Nix, A.Sc.T., is Managing Director & Principal Consultant, Compliance InSight Consulting Inc.