Electrical Review

Mon 05/21/2012

Last update 10:30:44 AM GMT

Panel builders determine levels of safety integrity


WEB EXCLUSIVE Under the new European Machinery Directive 2006/42/EC either of two standards can be followed to demonstrate sufficient reliability of the control system: BS EN ISO 13849-1 or BS EN 62061. Both introduce the notion of not only whether, but how likely, faults are to occur. This means there is a probabilistic element in compliance that must be quantified, and to do so panel builders must be able to determine levels of safety integrity or performance. There is therefore an increased onus on manufacturers to provide safety-relevant data for their products, but understanding the information given can be a minefield. Peter Still, Schneider Electric's standards manager, provides panel builders with the essential information they need.

From 29 December 2009 the European Machinery Directive 2006/42/EC supersedes the Machinery Directive 98/37/EC and in the UK, the Supply of Machinery (safety) Regulations 1992 as amended will be replaced by the Supply of Machinery (safety) Regulations 2008. 

The new Machinery Directive, like other new approach directives, does not demand the use of any standards. However, the simplest way for a designer to demonstrate that he has met the relevant requirements of the Directive is to comply with one or more harmonised European Standards that can give a presumption of conformity to those requirements.

One of the main changes relevant to the new Machinery Directive relates to the standards used when designing a safety related electrical control system (SRECS) to be fully compliant. Panel builders who currently use BS EN 954-1 to design safety related parts of electrical control circuits will be familiar with the ‘risk graph’. Here, severity of injury, frequency of exposure and possibility of avoidance are subjectively assessed, to arrive at a required category (B, 1, 2, 3 or 4) for each safety related part. This category then stipulates how the safety circuit must behave under fault conditions.

However, with modern systems more commonly incorporating electronics and programmable electronics, the categories are insufficient to define the performance of the safety-related parts, so a standard is required to provide information on the probability of failure - it is no longer a case of if faults are going to occur, but how likely it is. In addition, the safety functions needed by modern machines are too complex to be addressed simply by considering the behaviour of the individual components; it is necessary to consider the overall safety functions provided by the control system.

As a result, the new standards BS EN ISO 13849-1 and BS EN 62061 have been designed to address the weaknesses of the old BS EN 954-1. Either of these standards can be followed to comply with the relevant essential health and safety requirements of the Directive. The performance of each safety function is then specified as either a performance level (PL a, b, c, d or e) in the case of BS EN ISO 13849-1 or safety integrity level (SIL 1, 2 or 3) in the case of BS EN 62061. 

Although the circuit architecture is still a major consideration within them, these standards also take into account the reliability of the safety circuit components and their ability to detect/diagnose faults and prevent common cause failures. Therefore, to verify that their safety circuits meet the determined PL or SIL, panel builders must now be able to determine the integrity of the components used within them.

To assist panel builders in doing so, manufacturers should make the safety data relating to their components, including detection devices, logic solvers such as safety PLCs and output devices such as contactors, completely visible and panel builders should use this data to specify products.

However, the data relating to components can be complicated and there are some terms vital to compliance. Only when these are fully understood can panel builders meet either BS EN ISO 13849-1 or BS EN 62061.

There are four main terms that need to be understood to comply with BS EN ISO 13849-1. These are: mean time to dangerous failure (MTTFd), diagnostic coverage (DC), performance level (PL) and common cause failures (CCFs).

MTTFd (mean time to dangerous failure) is the average period before a failure of a component used in the safety circuit prevents a safety function from being performed. There are three classifications given to products: high (low risk, 30-100 years), medium (10-30 years) or low (high risk, 3-10 years). However, it is important to remember that if a component's MTTFd is 100 years, this does not mean it will last that long without a fault. This information is important because staff can be at risk if the product fails, so manufacturers of electronic safety devices (such as safety relays, safety controllers and safety PLCs) must make this data available to panel builders.

However, MTTFd is only an estimate of the likelihood that a product may fail, so a control system should also be able to detect/diagnose a fault within itself (e.g. a short circuit) to prevent a dangerous failure of the safety function. This is known as DC (diagnostic coverage): the higher the level of automatic diagnostic tests, the lower the probability of hazardous system failures. Typically, safety devices like safety relays and contactors with mirror contacts can be used in systems with high DC.

Together, the circuit's MTTFd, DC ratings and circuit architecture (category B, 1, 2, 3 or 4, as in BS EN 954-1) can be used to define a PL (performance level) for the system. This is a discrete level, rated from a to e, which specifies the safety-related control system's capability of performing a safety function under foreseeable conditions. PLa represents the lowest and PLe the highest probability of performing the function. If a manufacturer states a specific PL for a component (such as a safety relay) it means only that this is the highest PL a circuit incorporating that component can achieve. The important thing to remember here is that the PL applies ultimately to the channels and the whole safety circuit, not to each individual component.

Common cause failures (CCFs) also need to be considered. These are defined as ‘failures of different items, resulting from a single event, where these failures are not consequences of each other’. For example, if two identical components are operated at the same time in the same way, then the chances of both failing at the same time are higher than if they were driven differently or were of different design. Steps can be taken to prevent common cause failures, such as using different types of components in dual channel systems and driving them in different modes, and guidance is given in the standards.

For compliance with BS EN 62061 there are slightly different terms that are vital to compliance, including safety integrity level (SIL), SIL claim limit (SILCL), probability of dangerous failure per hour (PFHD) and safe failure fraction (SFF).

SIL (safety integrity level) is a discrete level used to determine the safety integrity requirements of the safety-related control system. These levels range from one to three; one is low and three is high. The risk assessment can be used to assign a target SIL to each safety-related function. As with the PL rating in BS EN ISO 13849-1, if a manufacturer states a specific SIL for a component (such as a safety PLC) it means only that this is the highest SIL which a function performed by that component could achieve. 

This target SIL is then used to determine the SILCL (SIL claim limit) that is needed for each of the subsystems within a safety system. A subsystem is defined as a part of a safety system/circuit, which, if it fails, will bring about a failure of the whole safety system/circuit and SILCL is the maximum SIL that can be claimed for a subsystem in relation to its architectural constraints and systematic safety integrity. 

To establish the SIL, the reliability of the entire safety system/circuit needs to be identified. In much the same way as MTTFd is in BS EN ISO 13849-1, PFHD (probability of dangerous failure per hour) is a measure of the probability of failure, which could result in failure to perform a safety function, so manufacturers of electronic safety devices (such as safety relays, safety controllers and safety PLCs) should make this figure available. 

However, dangerous failures are not the only failures that need to be considered. Manufacturers can choose to give panel builders information about the share of failures, within the total rate of failure, that does not lead to danger; this is known as SFF (safe failure fraction). However, what defines a safe failure is application-specific: for example, a contactor sticking closed on a motor driven saw is obviously dangerous, as it means the saw will not stop if the contactor is de-energised, but in a cooling system, failure to stop the cooling pump is not usually dangerous. Manufacturers can therefore find this difficult to establish without knowing how the component is going to be used.

The MTTFd and PFHD are both time-dependent estimates of reliability, and are not really applicable to electromechanical components, for which the probability of failure is related to the number of operating cycles. Because of this, for both BS EN ISO 13849-1 and BS EN 62061 it is necessary to know the B10 and B10d figures for the circuit's electromechanical components. B10 is the number of operations at which 10% of the ‘population’ of a component will have failed, and B10d is the number of cycles after which 10% of the population will have failed to a dangerous state. Since the frequency of operations is application specific, electromechanical components do not have published MTTFd or PFHD figures, so panel builders can use B10 or B10d together with known machine data to calculate the MTTFd or PFHD of subsystems containing these components.

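
The calculation described above, as an added worked example that is not part of the article or any manufacturer's data: it turns a contactor's B10d figure and the machine's duty cycle into an MTTFd (and its low/medium/high band), the T10d replacement interval and a channel-level MTTFd using the formulas recalled from BS EN ISO 13849-1, and also the per-hour dangerous failure rate that BS EN 62061 derives from B10d. The duty cycle and the B10d value are constructed sample inputs.

```python
"""Cycle-dependent reliability figures for an electromechanical safety component.
Added worked example, not from the article or any manufacturer: applies the
B10d-based formulas recalled from ISO 13849-1 (n_op, MTTFd, T10d, MTTFd bands,
series combination in a channel) and the per-hour dangerous failure rate IEC 62061
derives from B10d. All numeric inputs below are constructed sample values."""


def operations_per_year(days_per_year: float, hours_per_day: float, cycle_time_s: float) -> float:
    """n_op = d_op * h_op * 3600 / t_cycle: mean operations per year for this machine."""
    return days_per_year * hours_per_day * 3600.0 / cycle_time_s


def b10d_from_b10(b10: float) -> float:
    """Only B10 published? ISO 13849-1 allows assuming half of failures are dangerous: B10d = 2 * B10."""
    return 2.0 * b10


def mttfd_years(b10d: float, n_op: float) -> float:
    """MTTFd = B10d / (0.1 * n_op), in years."""
    return b10d / (0.1 * n_op)


def t10d_years(b10d: float, n_op: float) -> float:
    """T10d = B10d / n_op: mean years until 10 % of the population has failed dangerously;
    the component is expected to be replaced by then."""
    return b10d / n_op


def mttfd_band(mttfd: float) -> str:
    """ISO 13849-1 bands: low 3 to <10 y, medium 10 to <30 y, high 30 to 100 y.
    Below 3 y is not permitted; values above 100 y are capped at 100."""
    if mttfd < 3:
        return "not permitted"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def channel_mttfd(*component_mttfds: float) -> float:
    """Parts-count method for components in series in one channel: 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in component_mttfds)


def lambda_d_per_hour(b10d: float, cycles_per_hour: float) -> float:
    """IEC 62061: lambda_D = 0.1 * C / B10d (dangerous failures per operating hour);
    for a single-channel subsystem with no diagnostics this is also its PFHD."""
    return 0.1 * cycles_per_hour / b10d


if __name__ == "__main__":
    n_op = operations_per_year(220, 16, 60)  # constructed duty: 220 d/y, 16 h/d, one cycle per minute
    b10d = 1_300_000.0                        # constructed sample B10d for a contactor
    m = mttfd_years(b10d, n_op)
    print(f"n_op={n_op:.0f}/y MTTFd={m:.1f} y ({mttfd_band(m)}) T10d={t10d_years(b10d, n_op):.1f} y "
          f"lambda_D={lambda_d_per_hour(b10d, 60):.2e}/h")
```

The T10d figure is the practical consequence a panel builder should note: with this duty the contactor must be replaced after about six years even though its MTTFd band is "high".
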
Understanding all of this data relating to safety components can be confusing and, because some of the data is application specific, calculating failure rates for the safety circuit will require safety related knowledge. To overcome this, panel builders should look at partnering with a manufacturer to ensure their systems and subsystems comply with all relevant standards. They should select one that can confidently offer data on all safety related components. For example, Schneider Electric has a wide range of knowledge and understanding of panels and systems, thanks to a broad product offering and experience of working with panel builders to design and create entire processes. Because all of the products are manufactured by the company itself, there is full assurance they meet all relevant safety standards and data is accurate and visible.

To help panel builders further, Schneider Electric has also devised a Safe Machines Handbook, an unbiased and concise guide explaining the new directive, which can be downloaded by visiting: http://.schneider-electric.co.uk.
