Machine Design

Programmable safety begets new standards

Safety-integrity levels spelled out in European standards increasingly impact equipment designers in the U.S.

Dave Collins
Product Manager
Schneider Electric
Palatine, Ill.

Hard-wired electromechanical components were the only option for machine-safety systems in the U.S. until 2002. Standards banned programmable logic controllers (PLCs) from use in safety systems. The reason was that programmable electronic systems were complex. It could be difficult to predict how a device behaved in the event of a failure,

But new safety standards have led safety PLCs and controllers to become more widely accepted in the U.S. In fact, many users are combining safety and automation components into the same system through use of safety PLCs and safety networks. A combined system can save money through a substantial reduction in wiring, wiring labor, and cabinet space.

Commonality in components for control and safety extends to software as well. Operators need learn only one programming architecture. Safety PLCs operating over safety-rated communications networks linked with machinecontrol systems provide higher levels of information and diagnostics. Not only can the safety system detect the fault, it can now query the control system about specific machine operations at the time.

Many European safety standards, such as IEC 61508 and EN 954-1, are not enforceable in the U.S. But they are still used to verify machine safety levels in both the U.S. and globally. Many U.S. companies must conform to these standards to compete internationally. And much of the European verbiage is being incorporated into U.S. safety standards as they are rewritten and revised.

Each programmable safety device and the overall machine must be classified into an appropriate risk-assessment categor y known as a safety- integri ty level (SIL). But that raises questions about what the SIL ratings actually mean and how they compare to the more familiar safety categories.

Most machine builders today think of risk assessment as detailed in the EU’s EN 954- 1 standard. It created five risk categories in 1995 listed as B, 1, 2, 3, and 4. All machinery in the EU must undergo formal risk assessment before they can be equipped with safety components. The risk assessment in EN 954-1 looks at the result of an accident, the frequency and duration of exposure to the hazard, and the possibility of avoiding the hazard.

From the results of each assessment, the machine or part gets put into one of five safety categories. Each category identifies the system requirements and behavior in the event of a fault. Category B holds the safest machines, where risk of injury is slight or the types of injuries that can occur are easily healed. Category 1 machinery poses a risk of serious injury that is mitigated through the use of well tried and tested components and principles. But no special tests are carried out to maintain the safety functions. Category 2 forces periodic checks of the safety functions but a fault may cause the safety function to fail. Faults in the final two categories should not cause loss of the safety system. That typically means categories 3 and 4 need redundancy from inputs through outputs.

It’s fairly simple to determine how an electromechanical system might fail. Therefore, to satisfy safety requirements, the machine is built so that it will shut down when a part fails or fault occurs. But modern, programmable equipment may fail in unexpected ways with consequences impossible to predict. Thus a new method of rating the safety of today’s machinery was required.

What is SIL?
The IEC 61508 standard provides a new approach for considering the reliability of electrical, electronic, and programmable electronic (E/E/PE) safety-related systems. It creates a safety integrity level for programmable systems using a statistical approach by measuring the probability of dangerous failures per hour, denoted as the PFHd.

The SIL is defined as the probability of a safety system to perform its functions under all stated conditions within a stated period of time. The higher the SIL level, the lower the probability that the safety system will fail to carry out its mission. IEC 61508 outlines the tools and formulas to calculate probability that safety functions will fail and then provides a system of SIL levels to categorize these systems.

The four SIL levels identified by IEC 61508 correspond to the PFHd in high-demand or continuous-operation mode. IEC 62061 dictates how the statistical results obtained in IEC 61508 are applied to machinery. While IEC 62061 does look at both high and low-demand listings, it does not consider lowdemand relevant for safety applications on machinery.

Similar to an electromechanical- risk assessment for safety categories, a SIL-level assessment also considers the consequences of an accident, the frequency and duration of exposure to a hazard, the possibility of avoiding the hazard, and the probability of an unwanted occurrence. So both assessments have similarities in how they look at machine safety.

SIL, however, defines the result of an accident differently. It expands into four subclasses identified as minor injury; serious permanent injury to one or more people, or death to one person; death to several people; and death to many people.

Unlike an electromechanical risk assessment for safety, a SIL-risk assessment includes an additional analysis criterion: The statistical probability of an unwanted occurrence or failure. This criterion is further divided into several subcategories: a slight probability that the unwanted occurrences will come to pass and a only a few unwanted occurrences are likely; a slight probability that the unwanted occurrences will come to pass and a few unwanted occurrences are likely; and a relatively high probability that unwanted occurrences will come to pass and frequent unwanted occurrences are likely.

EN/IEC 62061 states that SIL 4 is not considered relevant to risk-reduction requirements normally associated with industrial machinery. While not specifically stated in any of the standards, it is highly unlikely that industrial machinery would combine a possibility of many people killed with a relatively high probability that the unwanted occurrences will come to pass, plus a likelihood of frequent unwanted occurrences.

Electromechanical Devices Verses Solid State
While electromechanical systems are fairly simple to monitor and it is easy to detect failures, solid-state systems must be designed for redundancy and self-checking. Standard PLCs are typically not designed for safety and won’t qualify for a SIL rating. Safety PLCs have redundant, highly reliable processors and redundant circuitry to verify system integrity. The redundant circuitry continually checks the processors, internal components, inputs, and outputs to ensure everything is working properly.

Another new standard to recently emerge, EN/ISO 13849-1, will eventually replace EN 954-1. The new standard updates EN954-1 with a new way to categorize the risk level of a machine using performance levels. These performance levels use the same criteria as safety categories, but the results are arranged differently and are assigned letter designators A through E. The performance levels also are assigned values for their related mean time to dangerous failure (MTTFd), allowing for a statistical look at electromechanical safety and safety categories. The standard thus allows comparisons between safety categories, performance levels, and SIL ratings. For example, category 4 is the same performance level as SIL 3, and vice-versa.

Determining a Machine’s SIL Level
EN/IEC 62061 provides tables and a worksheet to identify a machine’s SIL-level requirements. There are numerical values for different levels of the criteria discussed previously: C (consequences), F (frequency), P (probability), and W (unwanted occurrences). The numerical values for each criteria are summed, and the SIL level determined from a chart on the worksheet. Each of the levels are more defined than the safety categories, making it simpler and a bit less subjective to determine severity.

As machines become more complicated, so do their safety systems. The growing complexity makes programmable safety systems more attractive and economical. Programmable safety devices easily integrate into control systems while adding new function and diagnostics.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.