Integration challenges with the new robot safety standard

I attended the Robotic Industries Association’s 25th National Robot Safety Conference this past October in Indianapolis, Ind. Attending the conference proved very informative, leaving me with many questions regarding the impact the new ANSI/RIA R15.06-2012 robot safety standard will have on current integration methods and control system architecture given the current state of accepted safety control system design in North America.

The current 2012 revision of the ANSI/RIA R15.06 standard is a harmonization with its European counterpart — ISO 10218 Parts 1 and 2. I believe it carries significant weight that has yet to be fully understood in North America.

Our Canadian Standards Association harmonized the existing CSA Z434 standard in 2003 with the then in force ANSI/RIA R15.06-1999 edition of the standard. At that time, other than a few specific “Canadian” requirements in Z434 that differed from its U.S. counterpart, the two standards were aligned from a technical, safety and integration standpoint. By way of this North American harmonization, the transfer of robots, robot cells and integration was easier, and consumers of such equipment had an increased confidence that the robots and allied equipment were compliant to one robot standard.  

What further made this environment palatable from a safety control design and integration standpoint was that the accepted safety circuitry/control architecture platform that was being used across North America (for most industrial machinery and robots) was based on BS EN 954-1 “Safety of Machinery. Safety Related Parts of Control Systems – General Principles for Design.” This standard outlined the five basic safety circuit designs, their functional requirements, monitoring and failsafe reliability. Those categories were identified as B, 1, 2, 3 and 4 (B being the lowest and 4 being the highest).

In many instances, without a defined directive from an existing machine safety standard to rely on, the application’s safety devices and the overall safety control system were chosen via the use of well-tried and accepted risk analysis (such as those provided in CSA Z432, Z434 and many ANSI standards). The outcome of the risk analysis would ultimately decide the circuit category the safety system was to be built to.

Conversely, a number of years ago, the European Commission announced that EN 951-4 was to be withdrawn (circa 2011) and replaced with two new standards: EN 62061 and EN ISO 13849-1. These two new standards deal with the functional safety aspects of machinery and electrical/electronic control systems.

Briefly (and specific to robots and most industrial machinery), 13849-1 deals with safety-related parts of control systems and all types of machinery, regardless of the type of technology and prime energy source (i.e., electrical, hydraulic, pneumatic, mechanical, etc.). 13849-1 also lists special requirements for safety-related parts of control systems with programmable electronic systems. 13849-1 has the familiar category hierarchy of EN 954-1, but bases circuit performance not only on the physical wiring configuration (i.e., a single or dual channel), but also on a Performance Level (PL). This PL is the average probability of dangerous failures per hour. It is a statistical value, and each of the five PLs within 13849-1 has a defined value range. This method of establishing and measuring circuit performance is quantitative, unlike the qualitative aspects of EN 954-1. 13849-1 examines the complete safety function, including all of the components involved in their design.

Where 13849-1 is different and goes beyond the qualitative approach of EN 954-1 is that it includes an assessment of the various safety functions — be it electrical, hydraulic, pneumatic or mechanical. A PL is established for each safety sub-system/block.

The current version of the ANSI/RIA R15.06 robot safety standard is now reflective of that functional safety requirement given its harmonization with its European counterpart. And since safety control design in North America still primarily relies on EN 954-1, many machine builders, integrators, etc., still use the risk graph and category selection for safety system design.

Where I believe the immediate challenge lies with robot cell builders and integrators is that the functional safety requirements of the current ANSI/RIA R15.06 2012 standard do not coincide well with the existing BS EN 954-1 methodology. This is not to mean that the existing safety controllers, relays, contacts, etc., cannot satisfy the requirements of 13849-1. In fact, these devices are built and tested to satisfy functional safety requirements. The challenge is going to be integrating these new functional safety requirements within the existing framework of 954-1 applications, whether they are new or existing/older applications seeking robotic integration/upgrade.

When designing and implementing a functional safety system under the requirements of 13849-1, one needs to consider several variables, including safety system structure, reliability, diagnostics, resistance and process testing. Within these areas are the requirements to review and establish mean time to failure/dangerous failure and sub-system design.

What I find interesting about this new method is that the summation of PL systems could limit/change how current multi-device safety circuit chains are designed. Understanding that the functional safety method deals with the probabilistic life cycle of the devices physically connected to one another, one draws the conclusion that integrating an increasing number of devices in a series/parallel circuit could effectively reduce the overall probabilistic life of the circuit. This concept is not limited to safety design, but any connected system where those devices have a known reliability. Hence, under 13489-1, each increasing PL from a to e has an associated maximum number of physical components that can be allowed in that resulting PL circuit (PLa being the highest and PLe the lowest).

By way of example, the current ANSI/RIA R15.06 standard requires that safety related parts of a controls system shall be designed with a PLd. Therefore, the “traditional” method of building a robot cell with several interlocked doors tied electrically into one safety relay that is control reliable or Category 4 may not work under the requirements of the new standard because the number, arrangement and probabilistic life of each component becomes important in the overall circuit design and requires consideration. Further, many of the larger-scale integration projects I have reviewed have included the robot controllers integrated with machine tools, welding operations and/or other standalone process equipment. The current EN 954-1 and CSA Z434 (at this time), do not specifically preclude this type of integration so long as the required safety circuit reliability, monitoring and failsafes are maintained.

Considering this practice through the lens of functional safety, we need to ask the following questions: Can we rely on the machine tools controller for a contribution to overall safety?; What is the performance level of the welding operation?; What are the external process safety sub-systems and mean time to dangerous failure?; Does their integration into the robot cell allow us to maintain the prescribed PLd as per the standard?

What are the answers to these questions? Only time will tell.
 
Danny C. Marmora, B.Eng., P.Eng., CET, is the principal at Marmora Consulting, based in Stoney Creek, Ont. His engineering firm specializes in pre-start health & safety reviews, fire code consulting and forensic engineering. He can be reached at danny@marmoraconsulting.com.