Is everything safe and sound?
The new EU Machinery Directive came into force at the end of 2009 and imposes new safety requirements. How should these regulations actually be implemented when designing machine controls? A guideline.
On December 29, 2009, the new 2006/42/EC Machinery Directive went into effect. In addition, a new standard on functional safety, ISO 13849-1, became binding earlier. Thus every manufacturer who wishes to market machinery within the European Economic Area will have to meet the applicable safety requirements. Given the complexity of the methods involved, small and medium-sized companies in particular will have to make use of the support offered by outside consultants.
Machine safety is a function of correct operation of the controls. The yardstick for the safe design and evaluation of controls as per ISO 13849-1 is the so-called Performance Level (PL). The ten steps enumerated below describe the path toward effectively attaining the required PL when designing controls.
1. Risk evaluation and risk reduction
When undertaking a risk assessment as per ISO 14121, the engineer must first determine the machine’s operating limits, such as its maximum permissible load. Then he will identify the hazards that might occur when the machine is used within these limits. If the assessment shows that relevant risks still exist, then safety measures will have to be adopted to eliminate or attenuate these risks.
2. Identifying safety-critical functions
If measures have to be adopted in order to reduce risk, then the basic sequence is:
1. Intrinsically safe design
2. Protective equipment
3. Informing users
If a safety feature depends on a control function, then that function is a safety-critical function that can be engineered in accordance with the ISO 13849 standard. This standard covers the design and integration of safety-critical parts of control systems regardless of the technology used, in contrast to IEC 62061. Consequently the engineer will have to identify all the safety-critical functions in the controls.
3. Determining the required performance level
The engineer will define the safety requirements and the required Performance Level (PLr) for every safety-critical function. To do this, it will be necessary to answer three questions about the hazards:
- How severe might the injury be: slight or serious?
- How often and how long will the person be exposed to the hazard: seldom and briefly, or frequently and for an extended period?
- Can the hazard be avoided: possible or impossible?
Based on the answers to these questions it is possible to categorize the PLr on a scale from “a” (minor risk) to “e” (serious risk).
4. Selecting the category
The engineer uses this PLr when selecting the system architecture for the controls. The five performance levels are associated with five control categories. The categories differ in whether they are single- or dual-channel designs, whether they incorporate monitoring, and in the reliability values and the ruggedness against systematic errors they require. Fundamentally ISO 13849-1 gives the engineer greater freedom in achieving the PL, but at the same time poses a new challenge: identifying the most economical solution in each case.
5. Modeling the circuitry
The engineer will now design a circuit complying with the category selected. Its components can be modeled in a block diagram in accordance with their safety-related functions. This diagram determines how the individual components enter into the calculation of the PL. Especially when designing complex systems in fluid technology applications this is an entirely new task, for which Rexroth offers specialized support.
6. Selecting suitable components
Important factors in calculating the PLr are not only the structure of the circuitry but also the selection of the components. Component suitability depends on the failure probability and on whether the safety principles are maintained. Depending on the technology used, the supplier will have to provide various characteristic values, e.g. MTTFd for hydraulic components, B10 for pneumatic mechanisms and PL for electronic subsystems. The values used are statistical estimates, and they are not always determined with the same degree of rigour. That is why a good relationship between the user and the supplier – one based on mutual trust – is important for eliminating exposure to product liability risks where unclear statements are made.
7. Assessing controls surveillance
The quality of the monitoring provided for the controls is a factor considered in the PL. The unit of measure here is Diagnostic Coverage (DC), indicating what percentage of the failures actually occurring will be detected. ISO 13849 suggests typical values for evaluating the monitoring concepts. If one uses a component with integrated self-monitoring, e.g. the IndraDrive with Safety on Board, or a valve with position monitoring, then a DC of up to 99% can be attained. Rexroth can provide support in selecting the most effective concepts.
8. Evaluating the controls’ ruggedness
When dealing with two-channel control concepts, it will be necessary to observe certain requirements for resistance to the so-called Common Cause Failure (CCF). CCF denotes the failure of multiple units in response to a single event, where the failures are not consequences of one another. The evaluation is undertaken using a table of anti-CCF measures, to which various point values are assigned. At least 65 of the 100 possible points will have to be achieved in the evaluation.
9. Examining the safety principles and software requirements
Here the engineer will have to determine whether measures designed to protect against systematic failures, and the unit’s behavior in the event of faults, have been taken into account. If custom software is written, it will also be necessary to check it against the requirements for application software. Finally the mechanical engineer will have to determine whether the relevant basic and well-tried safety principles – such as the fail-safe principle – have been implemented in the design.
10. Verification and validation
The overall control concept is evaluated in the final step. The engineer determines whether the actual PL corresponds to the PLr. Rexroth customers can rely on our expertise in many fields of technology, making it possible to optimize the interaction of the various components in a control system and thus to optimize safety. During validation, the engineer determines as per ISO 13849-2 whether the concept was actually implemented in the intended fashion.
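The ten steps above can be walked through numerically. The following Python script is an added example, not code from Rexroth or from the standard: it encodes the ISO 13849-1:2006 risk graph (step 3), the B10d-to-MTTFd conversion and parts-count aggregation (step 6), the DCavg formula (step 7), the CCF point table (step 8) and the simplified PL lookup table (steps 4, 5 and 10), then checks a constructed category 3 design against its PLr. The component figures (MTTFd, B10d, DC), the operating profile and the list of applied CCF measures are illustrative assumptions; the function names are this example's own.

```python
"""Constructed worked example of the ISO 13849-1:2006 simplified procedure
for a category 3 safety function. Component figures, operating profile and
CCF measures are illustrative assumptions, not supplier data."""

PL_ORDER = "abcde"

# Step 3, risk graph (Annex A): (S, F, P) -> PLr. S1 slight / S2 serious injury,
# F1 seldom / F2 frequent exposure, P1 avoidance possible / P2 scarcely possible.
RISK_GRAPH = {(1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
              (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e"}

def required_pl(s, f, p):
    return RISK_GRAPH[(s, f, p)]

# Step 6, component reliability. A wear-out part rated by B10d is converted to
# MTTFd (years) via its yearly number of operations nop.
def mttfd_from_b10d(b10d, dop_days, hop_hours, tcycle_s):
    nop = dop_days * hop_hours * 3600.0 / tcycle_s
    return b10d / (0.1 * nop)

def channel_mttfd(mttfds):
    """Parts-count method: 1/MTTFd_ch = sum(1/MTTFd_i), capped at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in mttfds))

def symmetrised_mttfd(c1, c2):
    """Two unequal channels are combined as 2/3 * (C1 + C2 - 1/(1/C1 + 1/C2))."""
    return min(100.0, 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2)))

# Step 7, diagnostic coverage averaged over all monitored parts.
def dc_avg(parts):
    """parts = [(dc, mttfd), ...]; DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    return sum(dc / m for dc, m in parts) / sum(1.0 / m for _, m in parts)

def mttfd_level(m):
    return None if m < 3 else "low" if m < 10 else "medium" if m < 30 else "high"

def dc_level(dc):
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

# Step 8, CCF scoring (Table F.1); 65 of 100 points are needed for categories 2 to 4.
CCF_POINTS = {"separation": 15, "diversity": 20, "overstress_protection": 15,
              "well_tried_components": 5, "fmea": 5, "training": 5,
              "contamination_emc": 25, "other_environment": 10}

def ccf_score(measures):
    return sum(CCF_POINTS[m] for m in measures)

# Steps 4/5/10, Table 7: (category, DC level) -> PL for (low, medium, high) MTTFd.
TABLE_7 = {("B", "none"): ("a", "b", None), ("1", "none"): (None, None, "c"),
           ("2", "low"): ("a", "b", "c"), ("2", "medium"): ("b", "c", "d"),
           ("3", "low"): ("b", "c", "d"), ("3", "medium"): ("c", "d", "d"),
           ("4", "high"): (None, None, "e")}

def achieved_pl(category, mttfd, dc, ccf_points):
    """Returns the PL reached, or None if the combination is not permitted."""
    if category in ("2", "3", "4") and ccf_points < 65:
        return None
    dcl = dc_level(dc)
    if category in ("2", "3") and dcl == "high":
        dcl = "medium"        # Table 7 has no DC 'high' column below category 4
    row = TABLE_7.get((category, dcl))
    ml = mttfd_level(mttfd)
    if row is None or ml is None:
        return None
    return row[("low", "medium", "high").index(ml)]

def verify(category, mttfd, dc, ccf_points, plr):
    """Step 10: the achieved PL must be at least the required PL."""
    pl = achieved_pl(category, mttfd, dc, ccf_points)
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)

def example():
    """Constructed category 3 design: channel 1 = hydraulic valve + safe output,
    channel 2 = pneumatic valve (B10d rated) + PLC. Returns the intermediate values."""
    plr = required_pl(2, 2, 1)                        # serious, frequent, avoidable
    valve2 = mttfd_from_b10d(2_000_000, 220, 16, 60)  # 220 d/a, 16 h/d, 60 s cycle
    parts = [(0.99, 150.0), (0.90, 50.0), (0.99, valve2), (0.60, 40.0)]
    c1 = channel_mttfd([150.0, 50.0])
    c2 = channel_mttfd([valve2, 40.0])
    mttfd = symmetrised_mttfd(c1, c2)
    dc = dc_avg(parts)
    ccf = ccf_score(["separation", "diversity", "overstress_protection",
                     "well_tried_components", "contamination_emc"])
    pl = achieved_pl("3", mttfd, dc, ccf)
    return {"plr": plr, "mttfd": mttfd, "dc": dc, "ccf": ccf, "pl": pl,
            "ok": verify("3", mttfd, dc, ccf, plr)}

if __name__ == "__main__":
    for k, v in example().items():
        print(f"{k}: {v}")
```

Running the script shows why the "a"-to-"e" scale is only the surface of the assessment: the constructed design lands at MTTFd ≈ 33 years, just above the "high" threshold, and at DCavg ≈ 80%, so it reaches PL d, which satisfies a PLr of d but not of e. Dropping the CCF score below 65 points, or a few more years of MTTFd lost to a weaker component, would change the result, which is the kind of sensitivity the block diagram of step 5 is meant to make visible.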
Rexroth offers functional safety at all automation levels, in all its technologies and products – from individual components to comprehensive systems, and that includes the software. Rexroth imparts this unique safety know-how, aligned with everyday needs, in the special training curricula offered by the Drive & Control Academy.