Six Steps to Meet New Safety Standards

By Control Engineering Staff August 22, 2007

The advent of new standards isn’t often a cause for celebration, but what is typically seen as a negative can be changed into something positive by following the right approach. Careful implementation of new standards can be good for the bottom line, to the tune of millions of dollars.

An example of this can be seen in two machine and system safety standards, EN 62061:2005 and EN ISO 13849-1:2006. The latter is almost halfway through a two-year phase-in in Europe. Because of the effect of global end users, global harmonization of standards and OEMs exporting to Europe, these new standards will have an impact around the world. By following six steps, machine system manufacturers can meet these standards with a minimum of trouble and a maximum of gain.

The first step is to decide which of the two standards applies where in a given situation and should therefore be followed for particular systems and components within the setup. The second step involves hazard identification, the third hazard evaluation or risk analysis, and the fourth centers on defining the safety function against the identified risks.

In the fifth step components for the safety function are selected and the sixth and final action is implementing that safety function and validating the solution. A necessary part of the last two steps is that the component supplier has safety experience and provides products or tools that are certified appropriately, such as IEC 61508 certification. This is something Siemens has done with its offerings, for instance.

If done right, the result of implementing the new standards can be both safety and savings. For one example of how this works, consider KUKA Toledo Productions Operation (KTPO) LLC, which followed a similar philosophy to the standards in its plant. KTPO is a Tier 1 automotive supplier, producing various vehicle systems for DaimlerChrysler. By moving from a hardwired and traditional safety system to a Safety PLC-based approach, KTPO combined standard and safety I/O, with an 85 percent reduction in relays, local I/O, terminal blocks, cable connections, and other wiring. The savings totaled millions of dollars, with flexibility to expand and change the production line and its layout as needed. There was also a 20 percent reduction in the size of the footprint of a robotic production cell and a decrease in commissioning and debug time from several days to less than an hour.

As for the solution procedure outlined above, the first step seems obvious but is actually the source of some confusion. EN 62061:2005 applies to the functional safety of safety-related electrical, electronic and programmable electronic control systems as a whole. A Safety PLC, for instance, falls into this classification and the standard talks of the Safety Integrity Level (SIL) of the complete system. SIL is categorized as level 1, 2, or 3. On the other hand, EN ISO 13849-1:2006 concerns itself with individual safety-related components, deriving the safety-evaluated performance level (PL) of the whole from those parts. The system is assigned a PL ranging from a to e.

In the end, both standards arrive at a machine and system safety rating, and the two types of evaluation, SIL and PL, can be related to one another. The decision about which standard to follow is a function of the first step. EN 62061:2005 is a safety automation system standard while EN ISO 13849-1:2006 concerns itself with components. They are essentially followed in parallel, with one often applying where the other doesn’t. A given setup may have a Safety PLC in it and some switch, for example, which would mean EN 62061:2005 would be applied to the Safety PLC part of the setup and EN ISO 13849-1:2006 would be applied to the switch.

The need to consider two standards can be puzzling for machine builders and end users alike. This situation is complicated by the fact that governing bodies in some countries favor one over the other. The hope is that through education and harmonization efforts these difficulties will be smoothed out over the next few years.

The second step involves risk analysis of the machine. During this phase, everything that can be potentially dangerous has to be considered. The possibilities looked at could include such hazards as spindles that rotate, arms that move, belts that carry items, and places where electrically hot wire or physically hot motors could be or are exposed.

With the possibilities identified, the machine builder must then evaluate each hazard and assign a safety performance for it as either a SIL or PL. The risk elements of frequency, occurrence probability and prevention possibility go into the evaluation. For SIL, this is done by classifying the frequency into duration categories that range from more than hourly to less than yearly. The probability of occurrence stretches from frequent to negligible and the prevention possibilities are impossible, possible and probable. Combined into a score and mapped against the severity of injury, these yield the required SIL for the system.

A rotating spindle, for example, may need to be safely stopped when a protective hood is open. This may happen at an interval of more than an hour but less than a day, with a hazardous situation probable and prevention possible. Such information when combined with the severity effect of a permanent loss of fingers produces an assignment of SIL 2.

The same assessment done when determining the required PL involves the frequency of exposure, the possibility of hazard prevention and the severity of injury. For the spindle example, the injury is severe, the exposure frequent and the hazard can be prevented under certain conditions. The resulting PL is d.
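The two evaluations of the spindle hazard can be made mechanical. The following is an added example, not from the article, that scores the risk elements the way the preceding paragraphs describe and cross-checks the SIL and PL results against each other. The point values and matrix for EN 62061 are reproduced from memory of the standard's Annex A and should be verified against the published tables; the "probable" hazardous situation in the article is read as the "likely" row.

```python
# Point values for the EN 62061 risk elements (reproduced from memory of
# Annex A of the standard; verify against the published tables before use).
SEVERITY = {"death or loss of eye/arm": 4, "permanent, loss of fingers": 3,
            "reversible, medical attention": 2, "reversible, first aid": 1}
FREQUENCY = {"<= 1 hour": 5, "> 1 hour to <= 1 day": 5, "> 1 day to <= 2 weeks": 4,
             "> 2 weeks to <= 1 year": 3, "> 1 year": 2}
PROBABILITY = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AVOIDANCE = {"impossible": 5, "possible": 3, "probable": 1}
# SIL assignment matrix: one row per severity, one column per class band
# (class = Fr + Pr + Av). None = no requirement, "OM" = other measures.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
              3: [None, "OM", "SIL 1", "SIL 2", "SIL 3"],
              2: [None, None, "OM", "SIL 1", "SIL 2"],
              1: [None, None, None, "OM", "SIL 1"]}

def required_sil(severity, frequency, probability, avoidance):
    """EN 62061 route: sum the scored risk elements into a class and look it
    up against the severity row of the matrix."""
    cl = FREQUENCY[frequency] + PROBABILITY[probability] + AVOIDANCE[avoidance]
    for (lo, hi), result in zip(CLASS_BANDS, SIL_MATRIX[SEVERITY[severity]]):
        if lo <= cl <= hi:
            return result
    raise ValueError(f"class {cl} is outside the 3..15 range of the matrix")

# EN ISO 13849-1 risk graph. S1/S2: slight/serious injury; F1/F2: seldom/
# frequent exposure; P1/P2: avoidance possible under certain conditions/
# scarcely possible. Each path through the graph ends at a required PL.
PL_GRAPH = {("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
            ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
            ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
            ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e"}
# Correspondence between PL and SIL (ISO 13849-1 Table 4), used to cross-check.
PL_TO_SIL = {"a": None, "b": "SIL 1", "c": "SIL 1", "d": "SIL 2", "e": "SIL 3"}

def required_pl(severity, frequency, avoidance):
    """EN ISO 13849-1 route: walk the risk graph to the required PL."""
    return PL_GRAPH[(severity, frequency, avoidance)]

def assess_spindle():
    """The article's spindle-under-open-hood hazard, evaluated both ways.
    'Probable' hazardous situation is read as the 'likely' (4) row."""
    sil = required_sil("permanent, loss of fingers", "> 1 hour to <= 1 day",
                       "likely", "possible")   # class 5 + 4 + 3 = 12 -> SIL 2
    pl = required_pl("S2", "F2", "P1")          # serious, frequent, avoidable -> d
    return sil, pl, PL_TO_SIL[pl] == sil        # both routes agree on SIL 2 / PL d
```

A mismatch between the two routes for the same hazard is a signal to revisit the element scoring rather than to pick the more convenient result.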

Once the hazards have been evaluated and the appropriate SIL or PL assigned, the manufacturer then has to define the safety function against these risks. Examples of the safety functions that could be implemented include door monitoring through contacts or light curtains to determine when a rotating spindle, for instance, is accessible. When such a door is open, the safety function would be to stop motors so as to render the situation safe. This process of defining a safety function has to be followed for every assessed hazard.

The last two steps involve the actual implementation of the safety function in the machine. The first of these entails the selection of the components needed, with the choice ranging from among safety relays, Safety PLCs, safety-related numerical control, and others. This selection is driven by the function being sought and the established habits and customs of the particular manufacturer, as well as any end user requirements.

Part of the selection criteria has to be that the components are of the required safety performance level. Determining that can be a bit tricky, as some vendors supply the needed data and some don’t. In particular, the components or subsystems need to have mean-time-to-failure or probability-of-failure-per-hour data, which is something Siemens provides. Such information is necessary to determine if the component meets requirements and also may be needed if a probabilistic computation of the overall safety level is required.

For liability reasons, deriving safety level information via computation should be avoided, because this approach takes the liability burden off the part supplier and places it on the part user. It is far better—and perhaps in the end cheaper—to have the supplier provide the safety level information.

In the final step, it’s necessary to wire the components in, program and parameterize them if need be, and conduct a validation test of the system. Such validation ensures that the safety function is correctly achieved and also provides the basis for required documentation of the test. Documentation also has to be prepared for the machine itself.

While this six-step process is not absolutely necessary today, the odds are very good that it soon will be. Europe will complete the phase-in of the new standards by the fourth quarter of 2008 and governing bodies in North America are just beginning to consider the implementation of the new standards. Far from being a burden, though, the changeover can be an opportunity that leads to machines and systems that are safer, less expensive, and smaller. The new standards can also improve productivity, which is good news for the bottom line.