Original Publish Date : 12/12/2007
Programmable safety begets new standards
Safety-integrity levels spelled out in European standards increasingly impact equipment designers in the U.S.

Dave Collins
Product Manager
Schneider Electric
Palatine, Ill.

Hard-wired electromechanical components were the only option for machine-safety systems in the U.S. until 2002. Standards banned programmable logic controllers (PLCs) from use in safety systems. The reason was that programmable electronic systems were complex. It could be difficult to predict how a device behaved in the event of a failure.

But new safety standards have led safety PLCs and controllers to become more widely accepted in the U.S. In fact, many users are combining safety and automation components into the same system through use of safety PLCs and safety networks. A combined system can save money through a substantial reduction in wiring, wiring labor, and cabinet space.

Commonality in components for control and safety extends to software as well. Operators need learn only one programming architecture. Safety PLCs operating over safety-rated communications networks linked with machine-control systems provide higher levels of information and diagnostics. Not only can the safety system detect the fault, it can now query the control system about specific machine operations at the time.

Many European safety standards, such as IEC 61508 and EN 954-1, are not enforceable in the U.S. But they are still used to verify machine safety levels in both the U.S. and globally. Many U.S. companies must conform to these standards to compete internationally. And much of the European verbiage is being incorporated into U.S. safety standards as they are rewritten and revised.

Each programmable safety device and the overall machine must be classified into an appropriate risk-assessment category known as a safety-integrity level (SIL). But that raises questions about what the SIL ratings actually mean and how they compare to the more familiar safety categories.

Most machine builders today think of risk assessment as detailed in the EU’s EN 954-1 standard. It created five risk categories in 1995 listed as B, 1, 2, 3, and 4. All machinery in the EU must undergo formal risk assessment before it can be equipped with safety components. The risk assessment in EN 954-1 looks at the result of an accident, the frequency and duration of exposure to the hazard, and the possibility of avoiding the hazard.

From the results of each assessment, the machine or part gets put into one of five safety categories. Each category identifies the system requirements and behavior in the event of a fault. Category B holds the safest machines, where risk of injury is slight or the types of injuries that can occur are easily healed. Category 1 machinery poses a risk of serious injury that is mitigated through the use of well tried and tested components and principles. But no special tests are carried out to maintain the safety functions. Category 2 forces periodic checks of the safety functions but a fault may cause the safety function to fail. Faults in the final two categories should not cause loss of the safety system. That typically means categories 3 and 4 need redundancy from inputs through outputs.

It’s fairly simple to determine how an electromechanical system might fail. Therefore, to satisfy safety requirements, the machine is built so that it will shut down when a part fails or fault occurs. But modern, programmable equipment may fail in unexpected ways with consequences impossible to predict. Thus a new method of rating the safety of today’s machinery was required.

What is SIL?
The IEC 61508 standard provides a new approach for considering the reliability of electrical, electronic, and programmable electronic (E/E/PE) safety-related systems. It creates a safety integrity level for programmable systems using a statistical approach by measuring the probability of dangerous failures per hour, denoted as the PFHd.

The SIL is defined as the probability of a safety system to perform its functions under all stated conditions within a stated period of time. The higher the SIL level, the lower the probability that the safety system will fail to carry out its mission. IEC 61508 outlines the tools and formulas to calculate probability that safety functions will fail and then provides a system of SIL levels to categorize these systems.

The four SIL levels identified by IEC 61508 correspond to the PFHd in high-demand or continuous-operation mode. IEC 62061 dictates how the statistical results obtained in IEC 61508 are applied to machinery. While IEC 62061 does look at both high- and low-demand listings, it does not consider low-demand relevant for safety applications on machinery.

Similar to an electromechanical risk assessment for safety categories, a SIL-level assessment also considers the consequences of an accident, the frequency and duration of exposure to a hazard, the possibility of avoiding the hazard, and the probability of an unwanted occurrence. So both assessments have similarities in how they look at machine safety.

SIL, however, defines the result of an accident differently. It expands into four subclasses identified as minor injury; serious permanent injury to one or more people, or death to one person; death to several people; and death to many people.

Unlike an electromechanical risk assessment for safety, a SIL-risk assessment includes an additional analysis criterion: the statistical probability of an unwanted occurrence or failure. This criterion is further divided into several subcategories: a slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely; a slight probability that the unwanted occurrences will come to pass and a few unwanted occurrences are likely; and a relatively high probability that unwanted occurrences will come to pass and frequent unwanted occurrences are likely.

EN/IEC 62061 states that SIL 4 is not considered relevant to risk-reduction requirements normally associated with industrial machinery. While not specifically stated in any of the standards, it is highly unlikely that industrial machinery would combine a possibility of many people killed with a relatively high probability that the unwanted occurrences will come to pass, plus a likelihood of frequent unwanted occurrences.

Electromechanical Devices Versus Solid State
While electromechanical systems are fairly simple to monitor and it is easy to detect failures, solid-state systems must be designed for redundancy and self-checking. Standard PLCs are typically not designed for safety and won’t qualify for a SIL rating. Safety PLCs have redundant, highly reliable processors and redundant circuitry to verify system integrity. The redundant circuitry continually checks the processors, internal components, inputs, and outputs to ensure everything is working properly.

Another new standard to recently emerge, EN/ISO 13849-1, will eventually replace EN 954-1. The new standard updates EN 954-1 with a new way to categorize the risk level of a machine using performance levels. These performance levels use the same criteria as safety categories, but the results are arranged differently and are assigned letter designators A through E. The performance levels also are assigned values for their related mean time to dangerous failure (MTTFd), allowing for a statistical look at electromechanical safety and safety categories. The standard thus allows comparisons between safety categories, performance levels, and SIL ratings. For example, category 4 is the same performance level as SIL 3, and vice versa.
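The comparison between SIL ratings and performance levels rests on both being defined as bands of PFHd, the probability of a dangerous failure per hour mentioned above. The following Python is an added example, not code from the article or from Schneider Electric: it places a measured PFHd into its IEC 61508 high-demand SIL band and its ISO 13849-1 PL band, and shows which PLs fall wholly inside a given SIL band. The band limits are IEC 61508-1 (high-demand / continuous mode) and ISO 13849-1 as recalled by the author of this example and are not printed in the article; verify them against the edition of the standards you work to.

```python
"""Classify a safety function's PFHd (dangerous failures per hour) into an
IEC 61508 SIL band and an ISO 13849-1 performance level (PL).

Added example, not the article's or Schneider Electric's code. Band limits
are the IEC 61508-1 high-demand limits and the ISO 13849-1 PL limits as the
author of this example recalls them (assumption; check the current edition).
"""

# IEC 61508 high-demand / continuous mode: SIL -> [lower, upper) PFHd per hour
SIL_BANDS = {
    1: (1e-6, 1e-5),
    2: (1e-7, 1e-6),
    3: (1e-8, 1e-7),
    4: (1e-9, 1e-8),
}

# ISO 13849-1: PL -> [lower, upper) PFHd per hour
PL_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def _lookup(bands, pfhd):
    """Return the level whose half-open band contains pfhd, or None."""
    if pfhd <= 0:
        raise ValueError("PFHd must be a positive rate per hour")
    for level, (lo, hi) in bands.items():
        if lo <= pfhd < hi:
            return level
    return None  # outside every band: better than the top level, or too poor for any


def sil_for_pfhd(pfhd):
    """SIL 1-4 for a high-demand safety function with this PFHd, or None."""
    return _lookup(SIL_BANDS, pfhd)


def pl_for_pfhd(pfhd):
    """PL 'a'-'e' for this PFHd, or None."""
    return _lookup(PL_BANDS, pfhd)


def pl_equivalent_to_sil(sil):
    """Performance levels whose PFHd band lies entirely inside the SIL band.

    Shows the article's point that PL e and SIL 3 cover the same band; SIL 1
    spans two PLs (b and c) because ISO 13849-1 splits that decade at 3e-6.
    """
    lo, hi = SIL_BANDS[sil]
    return [pl for pl, (plo, phi) in PL_BANDS.items() if plo >= lo and phi <= hi]


if __name__ == "__main__":
    for pfhd in (5e-8, 2e-6, 5e-5, 5e-10):  # constructed sample values
        print(f"PFHd {pfhd:.1e}/h -> SIL {sil_for_pfhd(pfhd)}, PL {pl_for_pfhd(pfhd)}")
    for sil in SIL_BANDS:
        print(f"SIL {sil} contains PL {pl_equivalent_to_sil(sil)}")
```

A PFHd that lands on no band returns None rather than a guessed level: a rate below 1e-9/h is better than SIL 4 (and better than any PL), and a rate of 1e-4/h or worse does not qualify for any level, which is why a standard PLC without redundancy and self-checking gets no SIL rating at all.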

Determining a Machine’s SIL Level
EN/IEC 62061 provides tables and a worksheet to identify a machine’s SIL-level requirements. There are numerical values for different levels of the criteria discussed previously: C (consequences), F (frequency), P (probability), and W (unwanted occurrences). The numerical values for each criterion are summed, and the SIL level is determined from a chart on the worksheet. Each of the levels is more precisely defined than the safety categories, making it simpler and a bit less subjective to determine severity.
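The worksheet procedure above, worked through in Python as an added example that is not code from the article or from Schneider Electric. The scoring tables and the severity/class matrix are IEC 62061 Annex A as the author of this example recalls them: the article names the criteria C, F, P and W, whereas the standard's worksheet labels them Se (severity), Fr (frequency), Pr (probability) and Av (avoidance), sums Fr + Pr + Av into a class Cl, and reads the required SIL from a matrix of Se against Cl. The two hazards scored at the bottom are constructed for illustration. Treat the numbers as an assumption to be checked against the edition of the standard you work to.

```python
"""Worked IEC 62061 (Annex A) risk-estimation worksheet for one hazard.

Added example, not the article's or Schneider Electric's code. Score tables
and matrix are IEC 62061 Annex A as recalled by the example's author
(assumption; verify against the current edition before relying on them).
"""

SEVERITY = {  # Se: consequence of the hazardous event (article's "C")
    "irreversible: death, loss of eye or arm": 4,
    "irreversible: broken limbs, loss of finger": 3,
    "reversible: requires medical attention": 2,
    "reversible: requires first aid": 1,
}

FREQUENCY = {  # Fr: how often a person is exposed, for exposures > 10 min (article's "F")
    "<= 1 h": 5,
    "> 1 h to <= 1 day": 5,
    "> 1 day to <= 2 weeks": 4,
    "> 2 weeks to <= 1 year": 3,
    "> 1 year": 2,
}

PROBABILITY = {  # Pr: probability of the hazardous event occurring (article's "P"/"W")
    "very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1,
}

AVOIDANCE = {  # Av: possibility of avoiding or limiting the harm
    "impossible": 5, "possible": 3, "likely": 1,
}

# Cl = Fr + Pr + Av (range 4..15) is binned into these columns; rows are Se.
# "OM" = other (non-SIL) risk-reduction measures recommended; None = no SIL needed.
CLASS_COLUMNS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: ["OM", "OM", "SIL 1", "SIL 2", "SIL 3"],
    2: [None, None, "OM", "SIL 1", "SIL 2"],
    1: [None, None, None, "OM", "SIL 1"],
}


def required_sil(severity, frequency, probability, avoidance):
    """Return (Se, Cl, result) for one hazard; result is 'SIL n', 'OM' or None."""
    se = SEVERITY[severity]
    cl = FREQUENCY[frequency] + PROBABILITY[probability] + AVOIDANCE[avoidance]
    for col, (lo, hi) in enumerate(CLASS_COLUMNS):
        if lo <= cl <= hi:
            return se, cl, MATRIX[se][col]
    raise ValueError(f"class {cl} outside the worksheet matrix")


# Constructed hazards, not taken from the article.
HAZARDS = {
    # Operator's hands at press tooling every cycle: severe, frequent, avoidance possible.
    "press tooling, operator hands": (
        "irreversible: death, loss of eye or arm", "<= 1 h", "likely", "possible"),
    # Monthly maintenance inside a guarded cell with slow-moving axes.
    "monthly maintenance in cell": (
        "irreversible: broken limbs, loss of finger", "> 2 weeks to <= 1 year",
        "rarely", "likely"),
}


def assess_all(hazards=HAZARDS):
    """Run the worksheet over every hazard; returns {name: (Se, Cl, result)}."""
    return {name: required_sil(*scores) for name, scores in hazards.items()}


if __name__ == "__main__":
    for name, (se, cl, result) in assess_all().items():
        print(f"{name}: Se={se} Cl={cl} -> {result}")
```

The press hazard scores Se 4 and Cl 12 (5 + 4 + 3), which the matrix reads as SIL 3, the highest level IEC 62061 considers relevant to machinery; the maintenance hazard scores Se 3 and Cl 6, where the matrix asks only for other measures rather than a SIL-rated function. Because every input is a discrete table entry, two assessors working from the same description land on the same cell, which is the reduced subjectivity the paragraph refers to.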

As machines become more complicated, so do their safety systems. The growing complexity makes programmable safety systems more attractive and economical. Programmable safety devices easily integrate into control systems while adding new function and diagnostics.
