Risk Assessment: Important when Assessing Risks on Older Machines or Constructing a New Machine
A well thought-out risk assessment helps both manufacturers and users of machines develop production-friendly safety solutions. One result of this is that the safety components will not be a hindrance. This minimizes the risk of the safety system being defeated.
New Machines
The following requirement is given by the Machinery Directive: The manufacturer is under an obligation to assess the hazards in order to identify all of those which apply to his machine; he must then design and construct it taking account of his assessment.
The standard EN ISO 14121-1 gives guidance on the information required to allow risk assessment to be carried out. The standard does not prescribe a specific method. It is the responsibility of the manufacturer to select a suitable method.
Machines in Use
Risk assessment must be carried out on all machines that are in use, CE-marked as well as not CE-marked. To fulfill the requirements of Directive 89/655/EEC (concerning the minimum safety and health requirements for the use of work equipment by workers at work), a risk assessment has to be made.
Documentation of Risk Assessment
The risk assessment should be documented. In the assessment the actual risks should be analyzed as well as the level of seriousness.
Protection or Warning?
How is it possible to choose safety measures that are production friendly and in every way well balanced? The Machinery Directive gives an order of priority for the choice of appropriate methods to remove the risks. Here it is further developed in a 5-step method. The further from the middle of the circle, the more responsibility for safety is placed on the user of the machine. If full protection is not effectively achieved in one step, one has to go to the next step and find complementary measures.
Example of Prioritizing according to the 5-Step Method
| Priority | Hazard | Safety Measures |
| 1. Eliminate or reduce risks by design and construction | Cuts and wounds from sharp edges and corners on machinery | Round off sharp edges and corners. |
| 2. Move the work tasks outside the risk area | Crushing of fingers from machine movements during inspection of the production inside the risk area | Install a camera |
| 3. Use guards and safety devices | Crushing injuries because of unintended start during loading of work pieces in a mechanical press | Install a light curtain to detect operator and provide safe stop of the machinery |
| 4. Develop safe working routines, information, education | Crushing injuries because the machine can tip during installation and normal use | Make instructions on how the machine is to be installed to avoid the risks. This can include requirements on the type of fastening, ground, screw retention, etc. |
| 5. Use warnings as pictograms, light, sound, etc. | Burns because of hot surfaces in reach | Post warning signs. |
Handling each risk according to the described order of priority increases the chances of achieving a well-planned safety system. The 5-step method, combined with production-friendly thinking, can give you:
- fast and easy restart of machines after a stop from a safety device
- enough space to safely program a robot
- areas outside the risk area to observe the production
- electrically interlocked doors, instead of guards attached with screws, to be able to take the necessary measures for removing production disturbances
- a safety system that is practical for all types of work tasks, even when removing production disturbances
New Standards for Safety-Related Parts of Control Systems
Since November 10, 2006, the revised version of the standard EN 954-1 has been in force; it is called EN ISO 13849-1. During a transition period extending until November 1, 2009, both standards were valid. It is, however, worth remembering that this only applies within the EU. At the international (ISO) level the transition period does not apply, as ISO 13849-1 has completely replaced EN 954-1.
The IEC has also produced a standard for safety in control systems. IEC 62061 — Safety of Machinery (functional safety of safety-related electrical, electronic and programmable electronic control systems) has been in force since May 23, 2005.
In addition, a more general standard for functional safety has existed for several years: EN 61508 (parts 1-7), which covers functional safety of safety-critical electrical, electronic and programmable electronic control systems.
When should each standard be applied?
EN ISO 13849-1 and EN 954-1 can both be applied to all protective functions — including mechanical, electrical, hydraulic and pneumatic — up to the highest level where PL = e.
EN 62061 can be used up to the highest level, SIL 3. This applies to protective functions that are electrical, electronic and programmable. Where all or part of the protective functions are mechanical, hydraulic or pneumatic, EN ISO 13849-1 should be applied.
EN 61508 should be used by designers of safety PLCs, while those who integrate a safety PLC into a machine control system and prepare applications program software can use EN 62061.
Applying EN ISO 13849-1
Risk Graph for making a decision of performance level (PL)
Key
1 The starting point for evaluating the contribution of the protective function to risk reduction
L A low contribution to risk reduction
H A high contribution to risk reduction
PLr The required performance level
Risk Parameters
S Seriousness of the injury
S1 Light (usually temporary) injury
S2 Severe (usually permanent) injury including fatality
F Frequency and/or exposure time to the source of risk
F1 Seldom or less often and/or a brief exposure time
F2 Frequent or continuous and/or a long exposure time
P Possibility to avoid or limit injury
P1 Possible under special conditions
P2 Hardly possible
In a risk assessment of a machine or type of machine, one determines which protective measures are necessary to ensure that the safety of the machinery complies with the Machinery Directive and the standards that are to be applied. For the safety measures that involve the control systems of machines, one must decide "how safe" the safety must be: the higher the risk, the more reliability is demanded of the safety function.
In EN 954-1, categories (B, 1, 2, 3 or 4) are selected for these parts. Here it is not always possible (nor desirable) to assign a category to the entire safety function. With the method in EN ISO 13849-1, one instead selects a performance level (PL), and this applies to the entire safety function. The choice of performance level (PL) takes place in a similar way to the selection of a category (see Risk Graph).
| PL | PFHD |
| a | ≥ 10⁻⁵ to < 10⁻⁴ |
| b | ≥ 3×10⁻⁶ to < 10⁻⁵ |
| c | ≥ 10⁻⁶ to < 3×10⁻⁶ |
| d | ≥ 10⁻⁷ to < 10⁻⁶ |
| e | ≥ 10⁻⁸ to < 10⁻⁷ |
There are a number of parameters to consider when designing a certain protection function including:
- MTTFd (for each individual component), Mean Time To Failure — dangerous
- DC, Diagnostic Coverage — to what extent dangerous faults are detected
- CCF, Common Cause Failure — measures that will be relevant when working with some form of redundancy (for categories 2, 3 and 4)
- How the function acts in a fault condition (also given by the selected category)
- Systematic Fault — measures to avoid these in the design
The Performance Level (PL) is expressed as the Probability of Dangerous Failure Per Hour (PFHD) within certain ranges, as shown on the chart below:

The standard gives the designer several choices for achieving a certain PL. The illustration above shows how this is possible, depending on which levels the parameters achieve.
The values of MTTFd, DC and the categories of our products will be given to you when you contact us. In some cases we can state a PL immediately for a protective function or part of a protective function.
Simplified Assessment of Performance Level (PL)
Note: The calculated values in the table are based on the center point of each interval for the respective PL.
A safety function most often consists of the following parts:
- Input—light beam, interlocked gate, etc.
- Logic—monitoring of the input, control and supervision of components for switching off energy
- Output—switches, valves, etc. for switching off energy
A safety function can be said to consist of N parts. One way of verifying that the PL required by the Risk Graph has been achieved is to calculate all the parameters (MTTFd, DCavg, etc.). If, on the other hand, the Performance Levels (PL) of the three parts (input, logic and output) of the safety function are known, the estimation of achieved PL becomes much simpler.
The method is as follows:
1. Identify the part of the safety function that has the lowest PL; this will be PLlow
2. Identify the number of parts, Nlow ≤ N, in the safety function that have PLlow
3. Find the achieved PL in the table.
As an example, a common solution is to consider an interlocked gate (safety interlock), a safety relay and two monitored contactors with positive output contacts.
Example

PLlow is PL = c and Nlow is 1. With the aid of the table one can see that PL for the entire safety function will be PL = c.
The safety interlock is inherently in category 1 and can never be more than this even if both its contacts are used to obtain short-circuit supervision of a connection to the safety relay.
Designers of safety systems can use this simple method. Contact us so that we can give you the Performance Levels (PL) of our products. We can also guide you as to how the Performance Levels (PL) are to be calculated for the components that will be connected in order to remove the energy to moving parts.
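The Risk Graph and the three-step simplified method above, combined into one check that the achieved PL meets the required PLr. This is an added example, not code from the original page; the risk-graph outcomes and the step 3 thresholds are taken from ISO 13849-1 (the page's own figure and table are not reproduced here), and the PL values for the relay and contactors are assumed.

```python
PL_ORDER = "abcde"  # a = lowest, e = highest

# Risk graph of ISO 13849-1 (the figure is not reproduced on this page):
# (S, F, P) -> required performance level PLr.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Step 3 lookup, from ISO 13849-1 Table 11: largest Nlow for which the
# function keeps PLlow; above it the achieved PL drops one level.
MAX_NLOW = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}

# Constructed sample: the interlocked-gate function from the text. PL c for
# the interlock follows the page; PL e for the other parts is assumed.
GATE_FUNCTION = {"safety interlock": "c", "safety relay": "e",
                 "monitored contactors": "e"}


def required_pl(s, f, p):
    """PLr for S1/S2, F1/F2, P1/P2 given as the integers 1 or 2."""
    if (s, f, p) not in RISK_GRAPH:
        raise ValueError(f"S, F and P must each be 1 or 2, got {(s, f, p)}")
    return RISK_GRAPH[(s, f, p)]


def achieved_pl(parts):
    """Simplified method; parts maps part name -> PL letter."""
    pls = [pl.lower() for pl in parts.values()]
    if not pls or set(pls) - set(PL_ORDER):
        raise ValueError("need at least one part, each with PL a..e")
    pl_low = min(pls, key=PL_ORDER.index)        # step 1: lowest PL
    n_low = pls.count(pl_low)                    # step 2: parts at PLlow
    if n_low <= MAX_NLOW[pl_low]:                # step 3: table lookup
        return pl_low
    below = PL_ORDER.index(pl_low) - 1
    return PL_ORDER[below] if below >= 0 else None  # None: below PL a


def verify(s, f, p, parts):
    """Return (PLr, achieved PL, True if achieved PL >= PLr)."""
    plr, pl = required_pl(s, f, p), achieved_pl(parts)
    ok = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
    return plr, pl, ok


if __name__ == "__main__":
    print(verify(2, 1, 1, GATE_FUNCTION))
    print(verify(2, 2, 2, GATE_FUNCTION))
```

With several parts at the lowest level the result drops below PLlow: three parts at PL c give an achieved PL of b.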
Applying SS-EN 62061
| SIL | PFHD |
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ |
If you choose to design a safety function in accordance with EN 62061, the level of reliability is expressed as the Safety Integrity Level (SIL). There are a total of 4 levels, but in the EN 62061 standard SIL 3 is the highest level. SIL is also expressed as the Probability of Dangerous Failure Per Hour (PFHD), similar to the Performance Level (PL).
Method in EN 62061 for assigning the Safety Integrity Level (SIL)
| Severity (Se) | Class (Cl) |||||
| | 3-4 | 5-7 | 8-10 | 11-13 | 14-15 |
| 4 | SIL2 | SIL2 | SIL2 | SIL3 | SIL3 |
| 3 | | (OM) | SIL1 | SIL2 | SIL3 |
| 2 | | | (OM) | SIL1 | SIL2 |
| 1 | | | | (OM) | SIL1 |
Note: OM = Other Measures
Definition of protective safety in accordance with EN 62061:
“Function of a machine whose failure can result in an immediate increase of the risk(s)”
The seriousness of injury that can occur is defined at one of the four levels. Class is the addition of the values of frequency (Fr, stated as a value between 1 and 5, where 5 represents the highest frequency), probability that a dangerous event will occur (Pr, stated as a value between 1 and 5, where 5 represents the highest probability) and the possibility of avoiding or limiting injury (Av, stated as a value of 1, 3 or 5, where 5 represents the least chance of avoiding or limiting an injury).
The safety function that is to be designed must at least fulfill the SIL that has been assigned to it in the analysis. The safety function consists of a number of sub-elements.
Example: A door is interlocked by a non-contact sensor which is, in turn, monitored by a Pluto Safety PLC, with outputs that break the power to two supervised contactors. The sensor is sub-element 1, Pluto is sub-element 2 and the two supervised contactors are sub-element 3. If in the analysis it has been established that SIL2 should be used, every individual sub-element in the safety function must fulfill the SIL 2 requirements. The safety function must then, in its entirety, fulfill the SIL2 requirements.
If the SIL requirements are not fulfilled in any of the sub-elements or by the safety function in its entirety, there must be a redesign.
You will get the PFHD values of our products when you contact us.
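The SIL assignment described above (Class as the sum of Fr, Pr and Av, looked up against severity) followed by the per-sub-element check, as an added example that is not part of the original page. The parameter ranges and matrix follow the page; the sub-element SIL claims are constructed sample values, not product data.

```python
# Class (Cl) column bands, in the order of the matrix header on the page.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]

# Rows keyed by severity Se. None is a blank cell (no SIL assigned),
# "OM" means Other Measures.
SIL_MATRIX = {
    4: [2, 2, 2, 3, 3],
    3: [None, "OM", 1, 2, 3],
    2: [None, None, "OM", 1, 2],
    1: [None, None, None, "OM", 1],
}

# Constructed sample claims for the interlocked-door example in the text.
DOOR_FUNCTION = {"non-contact sensor": 2, "safety PLC": 3,
                 "supervised contactors": 1}


def assign_sil(se, fr, pr, av):
    """Return 1, 2 or 3, "OM", or None for the given risk parameters."""
    if se not in SIL_MATRIX:
        raise ValueError("Se must be 1..4")
    if fr not in range(1, 6) or pr not in range(1, 6):
        raise ValueError("Fr and Pr must be 1..5")
    if av not in (1, 3, 5):
        raise ValueError("Av must be 1, 3 or 5")
    cl = fr + pr + av  # Class is the sum of the three values (3..15)
    for col, (lo, hi) in enumerate(CLASS_BANDS):
        if lo <= cl <= hi:
            return SIL_MATRIX[se][col]
    raise AssertionError("Class outside 3..15")  # unreachable after checks


def failing_sub_elements(required_sil, claims):
    """Names of sub-elements whose SIL claim is below the requirement."""
    if required_sil in (None, "OM"):
        return []  # no numeric SIL to check against
    return [name for name, sil in claims.items() if sil < required_sil]


if __name__ == "__main__":
    sil = assign_sil(se=3, fr=5, pr=3, av=3)   # Class 11, severity 3
    print(sil, failing_sub_elements(sil, DOOR_FUNCTION))
```

Any name returned by `failing_sub_elements` marks a sub-element that forces the redesign the text calls for.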
In conclusion...
This is just a brief introduction to the EN ISO 13849-1 and EN 62061 standards. You are welcome to contact us so that we can prepare suitable training and guide you in how to apply the standards to our products.

