Safety and risk minimization in the operator control of plant machinery

Machine and operator safety must be considered at all stages of a machine's service life and never become an afterthought
By Chuck Edwards, Lenze Americas October 21, 2013

(Image courtesy: Hasbro, CFE Media)

Modern machines are being produced with faster lead times—and designed to operate at considerably higher speeds than in the past. In the great race to meet production deadlines and budgets, safety must never be an afterthought. The least effective and most costly safety fixes are made after a machine has been commissioned and problems arise. Machine and operator safety must be considered at all stages of its service life, from design to commissioning to operation and maintenance.

Machine functional safety standards still a work in progress

Operating safely at higher performance dynamics calls for uniform safety concepts at the component, machine and system design levels. Mechanical engineers developing safe machines are bound by standards and need to know how these aggregate standards may affect their designs. Not only is it important to understand the application ranges, but also how standards differ and overlap.

Effective in 2010, the comprehensive Machinery Directive (MD) 2006/42/EC defines requirements to be met for machines intended for the European Economic Area (EEA). MD is universally applicable for machinery, replaceable equipment, safety components, load handling devices, chains, ropes and lifting straps, detachable cardan shafts, partial machines and service elevators.

When a machine is built, the mechanical engineer must confirm that the MD's requirements are met and then affix the CE mark, which indicates that the machine may be placed on the market in the EEA. While CSA Standard Z432-04 Safeguarding of Machinery includes basic concepts and general safety considerations for design, the European MD and the standards listed under it are intended to ensure that one consistent set of safety requirements applies throughout the EEA, which is commonly referred to as harmonization.

All machine safety standards are intended to ensure that safety doesn't get shortchanged. Until recently, the safe torque off (STO) and safe stop 1 (SS1) functions were sufficient for most applications. However, the trend towards increased functional safety in electrical drive and automation technology has gained traction. EN ISO 13849-1 and EN IEC 62061 both address the functional safety of machinery.

In the field of machine and systems engineering, the EN IEC 62061 standard addresses the functional safety of safety-related electrical, electronic and programmable electronic control systems. As such, the standard does not apply to hydraulic, pneumatic or purely electromechanical safety-related control elements. At the end of 2011, EN ISO 13849-1 fully replaced EN 954-1, whose presumption of conformity expired on December 31, 2011. For machine builders and plants this meant changes affecting product certification, specifically the requirement that probability calculations be taken into account when defining safety. EN ISO 13849-1 can be applied to the safety-related parts of control systems on all types of machines, regardless of the technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.).

Implementing safety at the product level can provide the best possible support to those responsible for machine safety and overall plant performance levels. Regardless of whether an engineer chooses to work in compliance with EN ISO 13849-1 or EN IEC 62061, probability calculations are now required to verify the reliability of the safety-related parts of machine controls. The safety-related parameters of the individual components, such as their mean time to dangerous failure (MTTFd), diagnostic coverage (DC) and B10d values, therefore come into play.

Understanding specification functions of safety-related parts

What risks does the machine pose? That should be among the first questions asked during the design phase. It can be fundamentally assumed that any hazard prevailing on a machine will sooner or later cause damage if protective measures are not taken. Therefore all potential hazards must be identified very early in development.

A comprehensive risk and hazard analysis can identify and assess risks posed by each potential hazard. Findings of the analysis can then be used to make decisions about the need to reduce risks. If these initial steps identify a need for risk minimization, each of the standards set out a hierarchy of measures to mitigate and minimize hazards to acceptable levels via design measures, protective devices and user information.

Like its predecessor standard, EN ISO 13849-1 uses a risk graph. The graph yields the required performance level (PLr) for each safety function; the PLr is the target against which the performance level (PL) actually achieved by the implemented safety components is measured. The PL refers to the ability of the safety-related parts of a control system (SRP/CS) to perform a safety function such that the expected reduction in risk is achieved. Both quantitative and qualitative aspects are taken into account. In short, the PL must be greater than or equal to the PLr.

The risk parameters, namely the severity of injury, the frequency and duration of exposure, and the possibility of avoiding the hazard, must now be evaluated for each hazard identified in the risk and hazard analysis. If design measures can be taken to minimize the risk, the risk graph process is repeated (iterative method), with the aim of achieving a lower PLr for hazards that were previously rated more serious. If this can be achieved, the risk will have been successfully minimized by design.

However, in many cases design measures are insufficient, so protective devices are needed to achieve adequate risk minimization. It is within this context that the safety functions executed by SRP/CS are defined. SRP/CS measures include the entire safety chain comprising sensors (detect), logic (process) and actuators (switch off). Safety functions are defined on the basis of both the application and the hazard. They are often specified in a Type C (product) standard, which sets out precise requirements for a particular class of machines. In the absence of a C standard, the safety functions are defined by the machine designer. Typical safety functions are described in more detail in EN ISO 13849-1 Section 5.1, Specification of safety functions. The safety functions for adjustable speed electrical power drive systems are not described in EN ISO 13849-1 but in the separate standard IEC 61800-5-2.

The EN ISO 13849-1 standard requires that a specification of functional safety requirements be drafted containing details about each safety function to be executed. To this end, the PLr must be determined as described above and documented in writing. Additionally, the necessary interfaces with other control functions and the required fault responses must be specified. The PL must then be estimated for each SRP/CS selected to execute a safety function. The parameters include the category of each structure, the mean time to dangerous failure (MTTFd) of the individual components, diagnostic coverage (DC), common cause failure (CCF), the behavior of the safety function under fault conditions, safety-related software, systematic failures, and the ability to execute the safety function under the foreseeable ambient conditions of plant operation. EN ISO 13849-1 uses a graph (the simplified procedure) to describe a straightforward way of estimating the PL. The graph illustrates the relationship between the familiar category from EN 954-1 and the new safety-related parameters MTTFd and DC.
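The estimation procedure described above, carried through end to end on a constructed scenario. This is an added illustration written for this article, not code from Lenze or an export from any safety tool; the component B10d values, operating times and diagnostic coverage are assumed, and the risk graph, band limits and simplified-procedure table are reproduced as they appear in the 2006/2008 edition of EN ISO 13849-1 that the article discusses (MTTFd capped at 100 years; Annex K holds the exact PFHd values of which the table is a conservative shortcut).

```python
"""EN ISO 13849-1 simplified procedure carried through end to end (added example).

Steps: risk graph -> PLr; B10d -> MTTFd for each part -> MTTFd per channel;
band MTTFd and DCavg; look up the PL reached in Table 7 (the graph the
article refers to); check PL >= PLr.  Tables follow the 2006/2008 edition
(MTTFd capped at 100 years).  Annex K gives exact PFHd values; Table 7 is
the conservative shortcut.  All component figures below are assumed."""
from typing import Iterable, Optional

PL_ORDER = "abcde"   # PL a is the lowest, PL e the highest

# Annex A risk graph: (S, F, P) -> PLr
#   S1 slight (normally reversible) injury / S2 serious or fatal injury
#   F1 seldom to less often / F2 frequent to continuous exposure
#   P1 avoidance possible under specific conditions / P2 scarcely possible
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Table 7: (category, DCavg band) -> PL reached for low / medium / high MTTFd.
# None: combination not covered by the simplified procedure.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def required_pl(s: int, f: int, p: int) -> str:
    return RISK_GRAPH[(s, f, p)]


def mttfd_from_b10d(b10d: float, d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Annex C: n_op = d_op * h_op * 3600 / t_cycle;  MTTFd = B10d / (0.1 * n_op)."""
    n_op = d_op * h_op * 3600.0 / t_cycle_s      # operations per year
    return b10d / (0.1 * n_op)


def channel_mttfd(part_mttfds: Iterable[float]) -> float:
    """Annex D parts-count method: 1/MTTFd = sum(1/MTTFd_i), capped at 100 years."""
    return min(1.0 / sum(1.0 / m for m in part_mttfds), 100.0)


def mttfd_band(years: float) -> Optional[str]:
    """Table 4; below 3 years is not acceptable."""
    if years < 3:
        return None
    return "low" if years < 10 else "medium" if years < 30 else "high"


def dc_band(dc: float) -> str:
    """Table 5; dc as a fraction (0.90 == 90 %)."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def achieved_pl(category: str, dc_avg: float, mttfd_years: float) -> Optional[str]:
    band = mttfd_band(mttfd_years)
    row = TABLE_7.get((category, dc_band(dc_avg)))
    return None if band is None or row is None else row[band]


def meets_requirement(pl: Optional[str], plr: str) -> bool:
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def worked_example() -> dict:
    """Constructed scenario: guard-door interlock on a press feed.
    Crushing hazard (S2), operator reaches in several times per shift (F2),
    slow approach leaves a chance to withdraw (P1) -> PLr d.
    One channel: interlock switch B10d 2e6 and contactor B10d 1.3e6 cycles,
    240 days/year, 16 h/day, one cycle per 60 s (all assumed figures).
    Design A: Cat 3, two channels, DCavg 90 %.  Design B: Cat 2, DCavg 60 %."""
    plr = required_pl(2, 2, 1)
    mttfd = channel_mttfd([mttfd_from_b10d(b10d, 240, 16, 60) for b10d in (2e6, 1.3e6)])
    pl_a = achieved_pl("3", 0.90, mttfd)
    pl_b = achieved_pl("2", 0.60, mttfd)
    return {"PLr": plr, "MTTFd_channel_years": round(mttfd, 1),
            "design_A": (pl_a, meets_requirement(pl_a, plr)),
            "design_B": (pl_b, meets_requirement(pl_b, plr))}


if __name__ == "__main__":
    print(worked_example())
```

Note how close the channel MTTFd (about 34 years) sits to the 30-year boundary: a slightly shorter cycle time would drop the channel into the medium band and design A to PL c, which is the kind of sensitivity a reviewer should look for before accepting a SISTEMA result at face value.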

Validation of specification functions of safety-related parts

Verification and validation are the quality assurance measures required to avoid errors during the design and implementation of the SRP/CS that execute safety functions. Part 2 of EN ISO 13849 in particular deals with this subject in depth. For each individual safety function, the PL of the SRP/CS involved must be at least the PLr: the performance levels of the various SRP/CS forming part of a safety function have to be greater than or equal to the PLr of that function. If multiple SRP/CS are connected in series, the overall PL can be determined using Table 11 of the standard (or, where PFHd values are available for every part, by summing them).
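The series combination described above, as an added example that is not part of the original article: both routes the standard offers are implemented, the PFHd summation of clause 6.3 mapped back to a PL with Table 3, and the Table 11 fallback based on the lowest PL present and the number of parts that share it. The component PL and PFHd values in the worked chain are constructed and stand in for what a supplier's data sheet would provide.

```python
"""Overall PL of several SRP/CS in series (EN ISO 13849-1 clause 6.3), added example.

Either sum the parts' PFHd and map the sum with Table 3, or, when no PFHd
values are available, apply Table 11 to the lowest PL present and the number
of parts that share it.  Component values below are constructed."""
from typing import List, Optional

PL_ORDER = "abcde"

# Table 3: PL -> [lower, upper) average probability of a dangerous failure per hour
TABLE_3 = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
           ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]

# Table 11: lowest PL -> (max. parts allowed at that PL, PL after downgrade)
TABLE_11 = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    for pl, lo, hi in TABLE_3:
        if lo <= pfhd < hi:
            return pl
    return None            # outside the defined range, no PL can be claimed


def combine_by_pfhd(pfhds: List[float]) -> Optional[str]:
    return pl_from_pfhd(sum(pfhds))


def combine_by_table_11(pls: List[str]) -> Optional[str]:
    lowest = min(pls, key=PL_ORDER.index)
    n_max, downgraded = TABLE_11[lowest]
    return lowest if pls.count(lowest) <= n_max else downgraded


def meets_requirement(pl: Optional[str], plr: str) -> bool:
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def worked_example() -> dict:
    """Constructed chain for one safety function (PLr d): light curtain ->
    safety PLC -> servo drive with STO -> mains contactor in the STO loop."""
    parts = [("light curtain", "e", 2.5e-8), ("safety PLC", "e", 3.0e-8),
             ("drive STO", "e", 1.5e-8), ("contactor", "d", 2.0e-7)]
    by_pfhd = combine_by_pfhd([pfhd for _, _, pfhd in parts])
    by_table = combine_by_table_11([pl for _, pl, _ in parts])
    return {"PFHd_sum": sum(p for _, _, p in parts), "PL_by_PFHd": by_pfhd,
            "PL_by_Table_11": by_table, "meets_PLr_d": meets_requirement(by_pfhd, "d")}


if __name__ == "__main__":
    print(worked_example())
```

The two routes agree here, but they need not: three PL c parts in series drop to PL b under Table 11 even though their summed PFHd might still sit inside the PL c band, so the PFHd route should be preferred whenever the supplier data exists.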

The design of a safety-relevant control function must be validated by showing that the combination of safety-relevant parts for each safety function indeed meets the applicable requirements. That's one important reason to select suppliers whose products requiring functional safety engineering are already certified to the new standards. For example, certified Lenze frequency inverters with the safe torque off (STO) safety function and servo inverters with high-grade functions, such as safely limited speed (SLS), are tested and certified to achieve the highest performance levels. Because such certified products come with their safety-related parameters and achievable performance levels already documented, using them makes standards compliance for the overall machine design vastly easier.

Today, there are also powerful software tools to support safety engineering and validation. SISTEMA is a tool provided free of charge by the Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA, Germany) for determining the performance level achieved in a machine. Dialog boxes guide mechanical engineers through the process of creating the individual safety functions of a project and entering the safety-relevant parameters for each channel of the shutdown path. Parameters for all components in the safety chain (sensor, logic, actuator) must be entered.

The tool then calculates respective and aggregate performance levels. Lenze takes the tool to the next level by providing a SISTEMA library of its components which have already been certified to the latest standards. The library can be integrated into a project and used, without having to determine and enter individual safety-related parameters for each drive component. This saves time and avoids erroneous entries.

Mechanical engineers who want machines certified in accordance with the new EN ISO 13849-1 are pushing hard for all manufacturers to provide relevant parameters for the components they supply. Towards that end, the entire industry sector is working to define and publish accurate parameters. Creation of a comprehensive global databank is already underway in a joint venture making available the relevant safety-related parameters of functional safety components as provided by suppliers and verified by the TÜV Rheinland. 

Drive-based safety engineering

From a design perspective, the moving parts of a machine pose the greatest risk to plant personnel. The primary purpose of all safety standards and functions is to safely limit the motion of the drive on demand or in the event of a fault. The most effective design approach is to intervene at the place in the machine where the dangerous movement originates, which is directly in the drive controller.

Drive-based safety is the integration of functional safety functions into the drive itself, specifically to guard against uncontrolled movement. In the event of anomalous movement, a drive with integrated safety can stop significantly faster than manual intervention or conventional solutions employing safety relays, speed monitors or contactors. Drive-based safety can also simplify machine control systems, thereby driving down cost and expediting risk and hazard assessments.

Integrated drive safety features generally fall into three categories: safe stop functions; safe motion monitoring functions, which trigger a stop function in the event of a fault; and means of activation, such as safe inputs or a safety bus system. The safety chain comprises sensor input (e.g., light curtain, emergency stop button, safe feedback), logic (e.g., safety PLC) and actuator or output (e.g., drive with integrated safety functions).

Obviously, the stop functions are among the most critical safety functions. Depending on the situation, the drive is shut down in a redundant, safe manner by means of STO, which prevents the inverter from generating the rotating field that would produce torque in the motor. Depending on the application, integrated safety functions might include any or all of the following: safe torque off, safe stop, safe maximum speed, safely limited speed, safe inching (jog) mode, safely limited increment, safe direction and safe speed monitoring. Building on this basic framework, the latest drive safety modules feature higher-order functions such as safely limited speed and safe direction, with variants including safe operating stop, as well as safe inputs and outputs.

Conventional solutions for drive safety typically required additional external components. That is no longer the case. Drive-based safety gives greater clarity to safety technology and its implementation, and simplifies the system structure. One of the positive cost aspects is the saving of external components (e.g., safety switches, speed monitors, guards or a second sensor system for safely limited speed). From a functional point of view, faster shutdown on command or in the event of a fault means an increase in safety. Because the safety technology makes its status information available in the servo inverter and, therefore, in the PLC, the diagnostic possibilities also improve.

The best-engineered safety designs reduce complexity rather than add to it. Drive-based safety reduces the space, wiring and hardware needed for external safety engineering. Moreover, the machine operator benefits from transparent safety parameters programmed right into the controller. These high-performance drive systems are available in small, modular packages, with safety functions integrated in the drive and even on optional pluggable modules.

Safety modules enable tailor-made scalability with different grades of safety depending on the application and validation standards. Using modular and scalable drive components also means the system is open to subsequent changes to accommodate future safety standards. 

Simplify compliance and certify at the product level

Modern machines are produced with faster lead times and designed to operate at considerably higher speeds than in the past. In the great race to meet production deadlines and budgets, safety must never be an afterthought. The overarching goal for the engineer must be to protect human operators, machines, materials and the plant environment, while maintaining ease of operation, and accomplishing these aggregate objectives at a competitive cost. Operating safely at higher performance dynamics calls for uniform safety concepts at the component, machine and system design levels.

As new machines are designed and built, the newer safety regulations that are only now coming into effect place responsibility for machine safety more squarely on the machine manufacturer rather than on the end user. The safety landscape, especially in the manufacturing industries, is set to change dramatically. For machine builders the more stringent standards mean design changes and an increased workload with regard to certification of their products. The new standards don't have to mean more complexity. But they do underscore the importance of using all of the design strategies and tools at one's disposal.

The right design strategies can incorporate certified drive components and advanced safety functions as integrated features. Effective safety measures ensure compliance with valid standards and help to future-proof plant machines and automation systems. Specifying certified components and designing in accordance with the more stringent requirements of international safety standards makes it easier for global customers to purchase products, knowing that safety has been designed into the product.

Chuck Edwards is president of Lenze Americas.