There comes a point in machine safety design when the designer needs to decide if it makes more sense to use multiple safety relays or to upgrade to a safety controller. This point typically occurs when the application requires three or more safety relays.
Last month, we discussed the new robot and robot systems safety standards ANSI/RIA15.06-2012, and the draft of CSA’s Z434-13. One of the changes in these new standards is the inclusion of definitions for shared workspaces. This is where a person and a robot can perform tasks at the same time within the safeguarded space. This is referred to as collaboration or a collaborative robot. Examples of these new robots include health care or personal robots used to help people with limited mobility, or service robots that can perform such duties as serving food and drinks. Typically, these are smaller robots with power and force limitations.
Recently the International Standards Organization and the Robotics Industry Association in the U.S. harmonized their robot safety standards. Now ISO10218 and ANSI/RIA15.06 are, for all intents and purposes, the same document with minor country-specific deviations.
Functional safety is a growing field in engineering, and one that is having increasing influence in most products that include active control systems. If you haven’t heard this term before, you can find one definition in an IEC Standard: “Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.” The full definition is a bit longer, but the idea is clear: Control systems with a safety function must operate correctly.

Since the mid-1990s, functional safety has been slowly creeping into the industrial machinery design field. Prior to that, most machines had a simple emergency stop circuit, one that often did double-duty as the main power control for the machine. In many cases, a simple interlock was added to that circuit, and voila! You had the safety-related parts of the control system. Figure 1 shows a simple master control relay circuit with interlock.

In this figure, the ‘MCR,’ or Master Control Relay, would typically be a fairly beefy contactor, usually with a DC contact rating so that both AC and DC control circuits could be directly switched.

‘PB2’ is the ‘Power On’ button, ‘PB1’ is the ‘Power Off’ button and, if fitted with a red mushroom-head operator, could also operate as the Emergency Stop button. ‘LS1’ is the guard interlock limit switch, and ‘CR1’ is the interlock relay. ‘M1’ represents the machine prime mover, like a conveyor motor or a hydraulic pump, for example.

Since 1994, there has been an increasing focus on functional safety in industrial machinery. This focus has been driven primarily by the European Union, but North America has recognized there is value in ensuring safety functions work properly. This has been accompanied by an increasing selection of safeguarding devices, beginning with two-hand controls and now including light curtains and fences, safety mats, area scanners and 3D-vision systems.
Failures in these systems result in injuries and fatalities, so reliable control systems make sense.

To really understand the problems we are facing, a little history is needed. The timeline shown in Figure 2 illustrates the development of the standards.

Functional safety was described in the first editions of both CSA Z432 and Z434, but little direction was given to designers about the appropriate use of these approaches. In 1995, EN 954-1 was introduced in Europe and was harmonized under the Machinery Directive of the day, introducing the reliability categories that have become familiar: Categories B, 1-4. EN 954-1 marked the first time that prescribed control circuit architectures were described, and also gave designers more specific guidance on when to use the different categories to achieve effective risk reduction. ISO would later take over responsibility for EN 954-1, renumbering it as ISO 13849-1 and publishing the first edition in 1999; this edition was virtually unchanged from EN 954-1.

In 1999, ANSI published the second edition of RIA R15.06 and detailed the prescribed control circuit architectures in a North American standard. The categories were not identical to those in EN 954-1 or ISO 13849-1, and were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories were quickly adopted with some changes by CSA and included in CSA’s Z432 and Z434 standards in 2003 and 2004 respectively.

In 2006, everything changed with the publication of ISO 13849-1, Edition 2. This edition expanded on the prescribed architectures from the first edition, introducing the ideas of Performance Level or PL, Mean Time to Failure (dangerous) or MTTFd, Diagnostic Coverage or DC, and Common Cause Failures or CCF. A big problem had been created: North America had the SIMPLE to CONTROL RELIABLE categories, but the U.S. and Canadian definitions were different. Internationally, ISO had PLa-e, and IEC had SILs (Safety Integrity Levels) SIL1-SIL4.
All of these standards were applicable to machinery, but there was no clear guidance on how to choose the most appropriate standard.

Since the second Edition of ISO 13849-1 was published in 2006, ANSI has adopted ISO 10218-1 for Industrial Robots, and this standard brings ISO 13849-1 in with it. This may spell the end of the SIMPLE-CONTROL RELIABLE definitions, since the coming adoption of ISO 10218-2 for Industrial Robot Systems will incorporate ISO 13849-1 into the requirements for the safeguarding systems on robot systems in the U.S. It is reasonable to expect that CSA will not be far behind in adopting these same standards.

ISO and IEC recognize that a problem exists for users. While ISO 13849-1 has been harmonized for machinery and has replaced EN 954-1, IEC has a competing standard. IEC 62061, which uses SILs, is also harmonized under the machinery directive, but doesn’t explicitly include pneumatics and hydraulics while ISO 13849-1 does. You can use the IEC standard to assess the reliability of fluid power systems; it just takes a bit more work. A Joint Working Group was formed under ISO TC199 - Safety of Machinery, called ‘JWG1.’ The sole task of this group is the merger of ISO 13849-1 and IEC 62061. Although the work started in 2011, publication of the merged document is unlikely to come soon. We may have to wait until 2018 to see the finished product.

Designers need to ensure that they have reduced the risks on their machinery following the hierarchy of controls, and that the safeguarding systems selected are appropriate for the application.

A presentation given by Heinrich Mödden of Germany’s VDW to ISO TC199 in 2012 showed that injuries due to intentional bypassing of safeguarding systems, often for legitimate reasons, far outweighed injuries from control systems failing to danger.
There is often insufficient motivation to return the safeguards to their original state, eliminating the protective function designed into the machinery by the manufacturer.

Are we wasting our time focusing so much effort on functional safety, if our efforts are often disabled in the field? I don’t think so, since even one injury is too many, but we may be putting more effort into figuring out how best to assess control reliability than is warranted. Machinery designers need to focus on the whole hierarchy of controls, and functional safety considerations should only receive attention when it makes sense.

If you are interested in learning more about machinery risk assessment and the application of ISO 13849-1, Compliance InSight Consulting is offering open enrollment workshops on risk assessment and the application of ISO 13849-1 starting this month. Visit www.complianceinsight.ca/training/Seminars.html for more details and to register. You can get more technical information on these topics by visiting the Machinery Safety 101 blog at machinerysafety101.com.

Doug Nix, A.Sc.T., is Managing Director & Principal Consultant, Compliance InSight Consulting Inc.
When designing safeguarding systems for machines, one of the basic building blocks is the movable guard — doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine so that the hazards covered by the guards are effectively controlled when the guard is opened. There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

The hierarchy of controls

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment, start there, and then come back to this point in the process.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks. Designers are required to apply every level of the hierarchy in order, starting at the top. Where a level cannot be applied, the designer moves to the next lower level.

Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical versus mechanical interlocks

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

Categories

In Canada, CSA Z432 and CSA Z434 provide four categories of control reliability: simple, single channel, single channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable.
In the EU, there are five levels of control reliability, defined as Performance Levels (PL) in ISO 13849-1: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. To add to the confusion, IEC 62061 is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the ISO 13849-1 PLs, but they are similar. IEC 62061 is based on IEC 61508, a control reliability standard used in the process industries. IEC 62061 is not well suited to applications involving hydraulic or pneumatic elements.

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single channel monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocks can be purely mechanical, purely electrical or a combination of these.

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Requirements for these devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7, 2], and ANSI B11.0.
These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 and 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, corrosive environment will also lead to premature failure.

The device standards do provide some guidance in making these selections, but it’s pretty general.

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment.
Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the international and EU standards can use fault exclusions, but significant documentation supporting the exclusion of each fault is needed.

Defeat resistance

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.

The International and EU standards do not require the devices to be inherently defeat-resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.

Device selection

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry, wet or abrasive? Is it indoors or outdoors and subject to temperature variations?

Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability?
Do you require defeat resistance?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.

The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject of another article!

References

[1] Safety of machinery - General principles for design - Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010
[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)
[3] Industrial Robots and Robot Systems - General Safety Requirements, CSA Standard Z434, 2003 (R2008)
[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006
[5] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005
[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X
[7] Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, ISO Standard 14119, 1998
[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11.0, 2008

Douglas Nix, A.Sc.T., is managing director at Compliance InSight Consulting, Inc. (www.complianceinsight.ca) in Kitchener, Ont. He produces a blog and podcast called Machinery Safety 101, exploring a wide variety of machine safety topics. Check out his blog at www.machinerysafety101.com.

This column originally appeared in the May 2012 issue of Manufacturing AUTOMATION.
In North America, about five to 10 arc flash events occur each day. Arc flashes are responsible for as many as 80 percent of all electrical-related injuries.
An increased focus on complying with regulations and the need to reduce injuries are driving organizations to adopt new strategies and technologies to ensure the safety of people, processes and products. A recent Aberdeen Group study, "Integrated Safety Systems: Ensuring Safety and Operational Productivity," surveyed more than 120 executives last fall about the current state of their safety programs and the technologies they use to support their safety initiatives. The report provides a roadmap for organizations attempting to better understand how an integrated safety system and other enabling technologies can best be deployed in a plant environment.
Bill 160 shifts the responsibility for injury and illness prevention activities from the Workplace Safety and Insurance Board (WSIB) to the Ministry of Labour. This will have the Ministry of Labour carry out health and safety inspections at Ontario workplaces, as well as oversee the delivery of workplace injury and illness prevention services by Ontario's health and safety associations. I had a chance to speak with the Ministry of Labour's John Vander Doelen, director of the Occupational Health and Safety System Review Project Secretariat, about how this shift will impact the readers of Manufacturing AUTOMATION (MA).