New Standard Shifts Focus for Safety
Over the past few years, safety has become one of the dominant factors that impact product design processes. European guidelines for machine safety, which have played a major role in reducing injuries, are changing this year, bringing new requirements for product and component developers.
At the end of 2011, EN ISO 13849-1:2006 “Safety of machinery, Safety-related parts of control systems, Part 1: General principles for design” took effect. It effectively replaces EN 954-1, a mainstay for years that is no longer a requirement.
The guideline was needed because technology has changed so dramatically that it’s no longer possible to use the parameters of EN 954-1 to determine the safety of programmable products. ISO 13849-1 directs users to perform risk assessments to determine the possibility that injuries can occur.
These risk assessments will help developers minimize the impact of hazardous conditions or eliminate them completely. This risk analysis helps product developers balance the level of protection and the possibility of serious injury or damage.
Risk assessment is an iterative process: developers estimate the likelihood and severity of risks, then they must take steps to reduce or eliminate these risks. If they’re eliminated, there’s no need to go further. If not, another iteration is necessary.
That task must take a broad view of the product, covering its entire lifespan. “Hazard identification must include the full lifetime of the machine, from transportation, assembly, installation and commissioning through use, decommissioning and dismantling,” says Andras Szende, Technical Manager Commercial, TUV Rheinland of North America, Inc.
One of the new factors in ISO 13849 is the inclusion of mean time to dangerous failure (MTTFd), a dangerous failure being one with the potential to put the control system into a hazardous state. Products need to have redundancy and other safeguards to ensure that the chance of a dangerous failure is extremely low.
The standard provides five levels of risk ranging from PLa to PLe. These levels describe the circumstances under which a single fault can lead to a loss of the safety function. PLa provides the lowest level of protection, so it can be used only when the possibility of serious injury is minimal. When the chances of serious injury are high, such as when a light curtain guarding a large press fails, developers need to use PLe. PLe provides the highest level of protection, with at least some redundancy to minimize the chance of a single point of failure.
Szende noted that engineers can provide redundancy even when some of the components needed in their design are not built with this type of fault protection in mind.
“If you’re looking for a PLd safety level device and there isn’t one available for PLd or PLe requirements of some redundancy, you may have the option to use two of these devices to add redundancy yourself,” Szende says.
Many engineers may think that the levels of ISO 13849 are the same thing as the safety integrity levels (SIL) specified in IEC 61508. However, there’s no harmonization between the two documents.
“SIL and ISO 13849 are two different standards. There’s no direct correlation between them, though they do correlate at some points,” Szende says.
The goal of any design should be to eliminate or reduce risks as far as is possible. But that’s not always possible. When developers can’t eliminate risks, they need to clearly explain the residual risks in their documentation.
“Companies must inform users of the residual risks, indicating whether any particular training is required and specifying whether there’s a need to provide personal protective equipment,” Szende says. He addressed the changes in a webinar entitled “Achieve Higher Safety Performance Level with EN ISO 13849-1.”
One way to avoid potential safety issues is to run extensive diagnostics. The standard addresses that with diagnostic coverage (DC), which measures the effectiveness of diagnostics. It is calculated as the ratio of the failure rate of detected dangerous failures to the failure rate of all dangerous failures.
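To make the quantities above concrete, here is an added worked example (not from the article, TUV Rheinland or the standard's own tooling) that computes diagnostic coverage, per-channel MTTFd, and the MTTFd of the doubled-up two-channel arrangement Szende describes. The formulas are those of ISO 13849-1:2006 Annexes D and E; the component failure data are constructed for illustration.

```python
"""Added worked example (not from the article or TUV Rheinland): ISO 13849-1 figures
for a constructed two-channel safety function. Formulas follow the 2006 edition,
Annexes D and E; every numeric input below is invented for illustration."""
from typing import Sequence, Tuple


def diagnostic_coverage(lambda_dd: float, lambda_d: float) -> float:
    """DC = rate of detected dangerous failures / rate of all dangerous failures."""
    if lambda_d <= 0 or not 0 <= lambda_dd <= lambda_d:
        raise ValueError("need 0 <= lambda_dd <= lambda_d and lambda_d > 0")
    return lambda_dd / lambda_d


def dc_band(dc: float) -> str:
    """The standard's DC bands: none < 60 %, low < 90 %, medium < 99 %, high >= 99 %."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def channel_mttfd(part_mttfd_years: Sequence[float]) -> float:
    """Parts-count method (Annex D): 1/MTTFd_channel = sum of 1/MTTFd over its parts.
    The 2006 edition caps any single channel at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in part_mttfd_years))


def mttfd_band(years: float) -> str:
    """The standard's MTTFd bands per channel: low 3..<10 y, medium 10..<30 y, high 30..100 y."""
    if years < 3:
        return "below 3 years: not usable for a safety channel"
    return "low" if years < 10 else "medium" if years < 30 else "high"


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Two redundant channels with unequal MTTFd (Annex D): the single figure used
    when a designer doubles up a non-redundant device to add redundancy."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def average_dc(channels: Sequence[Tuple[float, float]]) -> float:
    """DCavg (Annex E) over (DC, MTTFd) pairs: each channel's DC weighted by its failure rate."""
    return sum(dc / m for dc, m in channels) / sum(1.0 / m for _, m in channels)


if __name__ == "__main__":
    # Constructed data: channel 1 is a well-diagnosed device, channel 2 a plainer one.
    ch1, ch2 = channel_mttfd([60, 150, 300]), channel_mttfd([40, 200])
    dc1, dc2 = diagnostic_coverage(0.99, 1.0), diagnostic_coverage(0.60, 1.0)
    combined, dcavg = symmetrised_mttfd(ch1, ch2), average_dc([(dc1, ch1), (dc2, ch2)])
    print(f"channel MTTFd: {ch1:.1f} y ({mttfd_band(ch1)}), {ch2:.1f} y ({mttfd_band(ch2)})")
    print(f"two-channel MTTFd: {combined:.1f} y ({mttfd_band(combined)})")
    print(f"DCavg: {dcavg:.1%} ({dc_band(dcavg)})")
```

Note that a strong channel paired with a weakly diagnosed one is dragged down in DCavg, which is why adding a second device helps MTTFd more readily than it helps diagnostic coverage.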
Common cause failures are another factor that must be analyzed. These are failures of different items caused by a single event; they are not consequences of one another. They are often non-quantifiable, popping up under differing fault conditions. Safety systems should be able to account for them, ensuring that injuries won’t occur.
Separation and segregation are among the measures that can be taken to prevent common cause failures. Developers can separate signal paths and isolate wiring to prevent problems. They can also provide sufficient clearance to account for creep as printed circuit boards age.
Yet another way to reduce the impact of common cause failures is to use a diversity of products. Digital and analog parts may be used together to ensure reliability, and factors like distance and pressure may both be measured so failures occur less frequently. Buying components from different manufacturers also helps by reducing the chance that similar parts made in different facilities will fail at the same time.
Szende suggests that developers start designing products using EN ISO 13849-1:2006. It improves safety, and the experience of working with the new document will have much greater long-term benefits than continuing to use EN 954.
Join us for an upcoming live webinar, titled “Transitioning to ISO 13849-1: Changes Required and Helpful Tools,” that builds upon this topic.