TUV SUD Product Service :: Choose certainty. Add value.

Machinery Safety Control Systems

What is a control system?

A control system responds to input signals from the machine or from the operator and generates output signals that make the machine operate in the desired manner. So if, for example, an operator presses a start button, the control system may respond by closing a contactor and energising a motor. Control systems can be implemented in a range of technologies, but this guidance is mostly concerned with electrotechnical systems employing electrical, electronic and programmable electronic technologies. Electrotechnical control systems range from simple electromechanical relay-based systems to complex programmable systems with multiple analogue and digital inputs and outputs.

What is a safety related control system?

A control system in a machine should be regarded as safety-related if it contributes to reducing the occurrence of a hazardous situation or if it is required to function correctly to maintain or achieve safety. The functions carried out by a safety-related control system are termed safety functions. Generally, safety functions either prevent the initiation of a hazard or detect the onset of a hazard. Safety-related control systems should be designed and configured to be reliable enough (bearing in mind the consequences of any failure) and to perform the necessary functions to achieve or maintain a safe state or to mitigate the consequences of a hazard. Three main standards address the design of safety-related control systems: BS EN ISO 13849, BS EN 62061 and BS EN 954-1. To assist a designer or assessor in deciding which of them to use, a distinction is drawn between those electrotechnical safety-related systems that use programmable technologies and those that use electromechanical components.

EN 954-1

Designers may employ a range of techniques to reduce the level of risk, many of which will not involve the use of safety-related control systems. For example, the use of fixed guards will prevent access to dangerous parts, and the provision of platforms and walkways will reduce the risk of falls from height. However, in many cases risks cannot be reduced to acceptable levels without incorporating safety-related control systems. In this case, the designer needs to understand and assess the contribution that these systems make to the reduction of risk, and the consequent reliability and fault tolerance that the systems will need. The more critical the role played by the safety-related part of the control system, the more reliable and resistant to faults it must be.

The transposed harmonised standard BS EN 954-1, Safety of Machinery: Safety-related parts of control systems, provides requirements by which the safety-related parts of control systems of all operating media can be categorised in a qualitative manner according to their reliability and performance under fault conditions. There are five main categories of performance of control systems in accordance with the standard, which are broadly:

  • Category B: Use of good engineering principles
  • Category 1: Use of well-tried components and principles (reducing the probability of failure)
  • Category 2: Incorporates a safety function check at machine start-up and may also be checked periodically (safety monitoring). A single fault may lead to the loss of the safety function.
  • Category 3: A single fault will not cause the safety function to fail (redundancy of hardware)
  • Category 4: Two or more faults will not cause the safety function to fail (redundancy and monitoring)

The selection of components and the design of systems may not be as straightforward as some perceive, as some systems may not neatly fit into a single category, particularly if they use different energy sources: a control system can incorporate electrical, electronic, programmable electronic, pneumatic or hydraulic devices. In addition, system designers must draw a distinction between safety and reliability. A component which is manufactured in accordance with a published safety standard may itself meet the requirements of Category 1 but not the criteria for other categories. However, its level of safety performance may be considered at least as reliable as technologies that meet Categories 2 and 3. Therefore designers and assessors should use the entire standard when considering control systems and should not only use the chart for category selection.

An example showing that the categories should not be regarded as hierarchical with regard to safety is as follows. A machine incorporates a control system with a dual-channel interlock circuit fed into a safety relay. The dual-channel circuit has one interlock and one emergency stop button in series, and the components are installed using good principles. The assessment for this machine is that it is a Category 3 machine in accordance with EN 954-1, where the performance criterion is 'a single fault will not cause the safety function to fail'. On face value, and according to many sources of advice, this would appear to be the case. However, when the machine is in operation, the operator sees impending problems and activates the emergency stop. He then opens the guard to clear a fault, closes the guard and resets the emergency stop. From the point of view of the control circuit, the two channels went open circuit when the E-stop was pressed and no fault was found; during the time the two channels were open circuit, the guard door was opened and the switches failed. The safety relay did not see this fault, and when the E-stop was reset the two channels went closed circuit again and the machine was allowed to start. So, why does this machine still comply with the requirements of Category 3? It is impracticable to assess safety-related parts of control systems without assuming that certain faults can be excluded. The faults which can be excluded are a compromise between the technical requirements for safety and the theoretical possibility of their occurrence. Using this argument we can design our system to ensure that the occurrence of such faults is reduced to an acceptable level in respect of safety and reliability. Such nuances are the essence of the standard and give us great scope in specifying the construction of such circuits.
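To make the sequence above concrete, the following is an added Python simulation; it is not part of the original guidance. It models a simplified two-channel safety relay with discrepancy monitoring, a guard interlock contact and an E-stop contact in series in each channel, and a constructed fault in which the guard contacts weld closed while the guard is open. The relay logic, the contact model and the fault are all assumptions made for the example. It replays the operator's sequence from the text and, going beyond the text, compares a single-channel fault with the common-cause failure of both channels.

```python
from dataclasses import dataclass


@dataclass
class Contact:
    """One contact in a series channel. A welded contact stays closed regardless
    of how its actuator (guard door or E-stop button) moves."""
    closed: bool = True
    welded: bool = False

    def actuate(self, make: bool) -> None:
        if not self.welded:
            self.closed = make


@dataclass
class Channel:
    guard: Contact   # guard interlock contact
    estop: Contact   # emergency-stop contact, in series with the guard contact

    @property
    def closed(self) -> bool:
        return self.guard.closed and self.estop.closed


class SafetyRelay:
    """Simplified two-channel safety relay (assumed model): outputs are enabled only
    when both channels are closed and no discrepancy between them has been latched."""

    def __init__(self, ch1: Channel, ch2: Channel) -> None:
        self.ch1, self.ch2 = ch1, ch2
        self.fault_latched = False
        self.outputs_enabled = False

    def evaluate(self) -> bool:
        a, b = self.ch1.closed, self.ch2.closed
        if a != b:                      # the channels disagree: latch a fault
            self.fault_latched = True
        self.outputs_enabled = a and b and not self.fault_latched
        return self.outputs_enabled


def run_scenario(welded_channels=()):
    """Replay the E-stop / guard sequence from the text. `welded_channels` names the
    guard contacts that weld while the guard is open: (1,) is a single fault,
    (1, 2) is the common-cause failure of both channels. Returns a trace of
    (event, outputs_enabled, fault_latched) tuples."""
    g = {1: Contact(), 2: Contact()}
    e = {1: Contact(), 2: Contact()}
    relay = SafetyRelay(Channel(g[1], e[1]), Channel(g[2], e[2]))
    trace = []

    def step(event: str) -> None:
        trace.append((event, relay.evaluate(), relay.fault_latched))

    step("running")
    for c in e.values():
        c.actuate(False)                # operator presses the E-stop: both channels open
    step("e-stop pressed")
    for n in welded_channels:
        g[n].welded = True              # constructed fault: contact welds while the guard is open
    for c in g.values():
        c.actuate(False)                # guard opened; welded contacts do not open
    step("guard opened")
    for c in g.values():
        c.actuate(True)                 # guard closed again
    step("guard closed")
    for c in e.values():
        c.actuate(True)                 # E-stop reset: both channels close together
    step("e-stop reset")
    for c in g.values():
        c.actuate(False)                # next demand: guard opened while the machine runs
    step("guard opened again")
    return trace


def machine_stops_on_next_demand(welded_channels=()) -> bool:
    """True if opening the guard after the restart disables the relay outputs."""
    return not run_scenario(welded_channels)[-1][1]


if __name__ == "__main__":
    for faults in ((), (1,), (1, 2)):
        for event, enabled, fault in run_scenario(faults):
            print(f"welded={faults}: {event:20s} outputs={enabled!s:5s} fault_latched={fault}")
```

With one guard contact welded, the next opening of the guard produces a discrepancy between the channels, the relay latches the fault and the outputs drop out: the single fault does not defeat the safety function, which is exactly the Category 3 criterion. When both contacts weld while the channels are already open, the reset closes both channels together, the relay sees nothing, and the guard no longer stops the machine. The category claim therefore rests on which faults the designer has justified excluding, as the text explains, and not on the channel count alone.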

At the time of writing, EN 954-1 is still the current standard to be used. It has been superseded by EN ISO 13849-1 and is due to be withdrawn in October 2009.

BS EN ISO 13849-1:2006

BS EN ISO 13849-1:2006 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems, including the design of software. For these parts it specifies characteristics that include the performance level required for carrying out safety functions. It applies to safety-related parts of control systems, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.

Part 1 of BS EN ISO 13849 provides specific requirements for safety-related parts of control systems using programmable electronic systems, with guidance on aspects such as the specification of categories and performance levels. This part of ISO 13849 is intended to give guidance to those involved in the design and assessment of control systems. As part of the overall risk reduction strategy for a machine, a designer will often choose to achieve some measure of risk reduction through the application of safeguards employing one or more safety functions.

Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems. These can consist of hardware and software and can be either separate from the machine control system or an integral part of it. In addition to providing safety functions, safety-related parts of control systems can also provide operational functions (e.g. two-handed controls as a means of process initiation).

In order to assist the designer and to facilitate the assessment of the performance level (PL) achieved, the standard employs a methodology based on the categorisation of structures according to specific design criteria and specified behaviours under fault conditions.

BS EN 62061

BS EN 62061 is a harmonised standard for the machinery sector and implements the principles of BS EN 61508. Significantly for control system designers and system integrators, BS EN 62061 provides the basis for the successful integration of sub-systems/parts that comply with BS EN 954-1 and IEC/EN 61508 into safety-related electrical control systems that satisfy the key requirements for functional safety.

One of the limitations of EN 954-1 is that it is too simplistic, and it does not provide for evaluating common-cause system failures. In general, EN 954-1 takes a qualitative approach, whereas IEC 62061 is a risk-based standard that describes quantitative methods for evaluating statistical data such as the mean time to dangerous failure (MTTF) and the diagnostic coverage (DC, the ratio of the probability of detected dangerous failures to the probability of all dangerous failures).

When moving from EN 954-1 to IEC 62061 for more complex control systems it is inevitable that more calculations and documentation will be required to support conformity, and the design process will inevitably take longer. However, the resultant safety-related electrical control system will benefit from a more thorough design process, be better documented and perform more predictably.
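As an added worked calculation, not taken from the original page, the Python below computes the two quantities just named from a small FMEA-style list of failure modes for a dual-channel guard interlock feeding a safety relay. The failure-mode list and its rates are constructed sample values, not data from any manufacturer or component catalogue. The DC and MTTFd bands used by the two classification helpers are an assumption taken from ISO 13849-1; this page does not state them.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA-style table for a component of the safety-related part."""
    component: str
    mode: str
    rate_per_hour: float   # failure rate (lambda) for this mode, per hour
    dangerous: bool        # can this mode lead to loss of the safety function?
    detected: bool         # is it revealed by the diagnostics (monitoring or test)?


# Constructed sample data: a dual-channel guard interlock feeding a safety relay.
# The rates are illustrative only and do not come from any real component data.
SAMPLE_MODES = [
    FailureMode("guard switch, channel 1", "contact welded closed", 1.5e-6, True, True),
    FailureMode("guard switch, channel 1", "contact fails open", 3.0e-6, False, True),
    FailureMode("guard switch, channel 2", "contact welded closed", 1.5e-6, True, True),
    FailureMode("guard switch, channel 2", "contact fails open", 3.0e-6, False, True),
    FailureMode("safety relay", "output contact welded", 1.0e-6, True, False),
    FailureMode("safety relay", "fails to energise", 2.0e-6, False, True),
]


def dangerous_failure_rate(modes):
    """lambda_D: total rate of dangerous failures."""
    return sum(m.rate_per_hour for m in modes if m.dangerous)


def detected_dangerous_failure_rate(modes):
    """lambda_DD: rate of dangerous failures that the diagnostics detect."""
    return sum(m.rate_per_hour for m in modes if m.dangerous and m.detected)


def diagnostic_coverage(modes):
    """DC = lambda_DD / lambda_D: the ratio of detected dangerous failures to all
    dangerous failures, as defined in the text."""
    lam_d = dangerous_failure_rate(modes)
    return 1.0 if lam_d == 0 else detected_dangerous_failure_rate(modes) / lam_d


def mttf_dangerous_years(modes):
    """Mean time to dangerous failure in years: 1 / lambda_D for a constant rate."""
    return 1.0 / (dangerous_failure_rate(modes) * HOURS_PER_YEAR)


# Assumed bands from ISO 13849-1 (not stated on this page).
def dc_band(dc):
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def mttfd_band(years):
    if years < 3:
        return "below the lowest band"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def summarise(modes):
    """Collect the quantitative figures an assessor would record for the design file."""
    dc = diagnostic_coverage(modes)
    mttfd = mttf_dangerous_years(modes)
    return {
        "lambda_D_per_hour": dangerous_failure_rate(modes),
        "lambda_DD_per_hour": detected_dangerous_failure_rate(modes),
        "DC": dc,
        "DC_band": dc_band(dc),
        "MTTFd_years": mttfd,
        "MTTFd_band": mttfd_band(mttfd),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_MODES).items():
        print(f"{key}: {value}")
```

Note where the coverage is lost in the sample: the welded guard contacts are detected by the channel comparison, but a welded output contact in the relay itself is not, so it alone pulls the DC down to 75% (the low band). Each undetected dangerous mode has to be either given a diagnostic or justified as a fault exclusion, which is precisely the bookkeeping EN 954-1 did not require and IEC 62061 does.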

Which standard now?

When evaluating which standard to use, it is important to take into consideration the complexity of the equipment and of its safety-related parts of the control system. The table below gives some indication of the technologies which are covered by each standard. A correct implementation of the safety-related parts of a control system may require the application of both standards.

Machinery Safety Standards Table

Contact Us

Laidler Associates
TÜV SÜD Product Service Ltd

Coxwold Way
Belasis Business Centre
Billingham
Cleveland
TS23 4EA

t: +44(0)333 123 7777
t: +44(0)1642 345637

f: +44(0)333 123 7788
f: +44(0)1642 345643
