Wednesday, 30 June 2010

The Details of the Safety Standards

While changing safety standards are always part of the industry environment for plant machine manufacturers, the standards that take effect in Europe at the end of next year bring a shift in how safety is assessed.

The new standards, ISO 13849-1 and IEC 62061, add quantitative reliability calculations to machine safety design. They replace EN 954-1, which became the machine safety standard in Europe and throughout most of the world after its release in 1992.


Many in the industry view 954-1 as overly simplistic, because it does not require the assessment of safety components in relation to time or lifecycle. The new standards require machine builders to add quantitative calculations to the design. This will result in a more methodical assessment of the machine’s performance, reliability and availability.

EN 954-1. European Norm (EN) 954-1—titled “Safety of Machinery, Safety Related Parts of Control Systems”—was developed for safety of plant machinery. The standard has two parts: 1. General principles of design and 2. Validation, testing and fault lists. The standard sets out procedures for the selection and design of safety measures. It also provides a list of typical safety functions such as stops, manual re-sets, starts and re-starts and more. While appropriate for its day, 954-1 is now considered appropriate mostly for low-complexity systems.

ISO 13849-1. This standard, developed by the International Organization for Standardization, builds on EN 954-1. It rates the reliability of a safety function from the hardware structure (the designated architecture, or category), the calculated mean time to dangerous failure of each channel, the diagnostic coverage of the safety function and, for redundant architectures, the measures taken against common-cause failure. The standard applies beyond electric and electronic systems to include mechanical, hydraulic and pneumatic parts of the control system.

IEC 62061. The International Electrotechnical Commission developed this standard for the "functional safety of safety-related electrical, electronic and programmable electronic control systems" on machinery. It expresses the amount of risk reduction a safety function must deliver as a safety integrity level (SIL). Machinery uses three of the four IEC 61508 levels, SIL 1 through SIL 3. The standard assigns a SIL target to each safety function and apportions it to the subsystems that implement the function, with some flexibility in how that is done.

Thursday, 17 June 2010

Machine Safety Incorporates Relays, PLCs, Risk Assessment and Standards

What’s in your bottle? The SPF of your sunscreen lotion might protect your hide, but achieving appropriate safety integrity levels (SILs) will protect your operators and machines. This is especially true if you precede SILs with a hazard identification and risk assessment (RA) and follow them with performance requirements, consistent implementation, thorough training and continuous re-evaluation.

If you don’t apply protection, however, you could wake up at the metaphorical beach with a lobster-red sunburn. Likewise, most machine safety programs are inspired by a painful wake-up call. These events can be deadly serious destructions of life, limb and equipment, or only slightly less serious near misses that could turn tragic next time if changes aren’t made.

Enough Was Enough

After several years of poor safety performance, Goodyear Tire & Rubber's plant in Gadsden, Ala., had two major injuries, which occurred when employees were caught in the facility’s let-off shear machinery in 2006. In one event, a machine had been left in automatic mode, and it seized and injured an operator’s hands when he patted down the roll of rubber on it.

“We had a huge need for improved safety,” says Charles Skaggs, Goodyear’s health and safety manager. “We had 300 new staff this year, and for the past four or five years, we’ve had to tell them that Gadsden was at or near the bottom of all Goodyear plants in terms of safety. After 2006, our corporate management said it wasn’t going to put up with these incidents any more and asked us to study ways for our machines to achieve first-class safety ratings.”

Goodyear’s subsequent study included input from the Rubber Manufacturers Association (RMA), which reported that the most dangerous places in the Gadsden facility, and in most tire-making applications, are the wind-up and let-off areas of the fabric bias cutter and sheet calender machines. RMA recommended that Goodyear focus on improving wind-up and let-off safety at all its global facilities. Consequently, Goodyear’s management ordered mandatory safety release (MSR) capabilities, so its machines could attain a Level 1 safety rating, and budgeted $3 million for the project.

To help improve the safety of its machines, many of which were very old, Goodyear used a Rockwell Automation modular kit-based solution that could be implemented and reproduced among multiple machines. Goodyear began installing the presence-sensing equipment and light-activated barriers from August to December 2007. These devices prevent the wind-up and let-off machines from running if an operator puts his or her hand in it. The kit also includes new e-stop equipment, replacing the former safety cables and belly bars, as well as new safety interlocks and fencing.

“Because the kits are modular, we could implement them in 67 wind-up/let-off applications in 20 weeks,” says Skaggs. “The kits were so successful that Goodyear plans to spread them across all of our plants.” Besides completing its MSR project on time, Skaggs reports that Gadsden improved its safety performance and record by 61% in the approximately 12 months that it’s been in place. The plant had 34 fewer OSHA-reportable incidents during the same period, and its safety project also reduced downtime by 34%. The $885,000 worth of safety equipment that Goodyear has installed so far paid for itself in just four months. More specifically, Gadsden’s OSHA-reportable incidents dropped from 148 in 2004 to just 29 in 2007 and 27 as of October 2008.

Skaggs believes the main requirements for a successful safety improvement project include 100% commitment from management, sufficient training and awareness, thorough understanding of the production system and coming to realize that safety is not a technology problem, but is about educating people and overcoming traditional resistance to change.

To further encourage and ensure safety, last year Goodyear started a rapid improvement activity (RIA) program, in which company participants spend one day in a safety class and then go through their facilities and applications, seek out safety-related items that need to be improved and try to complete 80% of those fixes in three days. So far, Skaggs says Goodyear’s employees have found 262 items and have improved 219 of them.

“After doing so badly in 2003-04, Gadsden’s plant management and Goodyear’s corporate management said we just had to do safety differently,” adds Skaggs. “Before that, we just didn’t have enough of a focus on it. So, we revised our whole safety structure and also began to drive more safety responsibility to our safety teams on the plant floors. We also work very closely with our union’s safety representatives, and we have a very good relationship with them because we both have the same goal of no one getting hurt. I think this kind of relationship is something you must have to improve safety and maintain it.”

Friday, 11 June 2010

What is SIL?

The IEC 61508 standard provides a new approach to the reliability of electrical, electronic and programmable electronic (E/E/PE) safety-related systems. It assigns a safety integrity level to a programmable system using a statistical measure: the probability of a dangerous failure per hour, written PFHd.

Safety integrity is the probability that a safety-related system performs its required safety functions under all stated conditions within a stated period of time; the SIL is the discrete band, 1 through 4, into which that probability falls. The higher the SIL, the lower the probability that the safety system will fail to carry out its mission. IEC 61508 sets out the tools and formulas for calculating the probability that a safety function will fail, and then provides the SIL bands used to categorize these systems.

The four SIL levels identified by IEC 61508 correspond to PFHd bands in high-demand or continuous mode of operation. IEC 62061 is the machinery-sector application of IEC 61508 and defines how its statistical results are applied to machines. While IEC 62061 acknowledges both high- and low-demand modes, it does not consider low-demand mode relevant to safety functions on machinery.

Like the EN 954-1 risk assessment that yields a safety category, a SIL assessment considers the consequences of an accident, the frequency and duration of exposure to the hazard, the possibility of avoiding the hazard and the probability of an unwanted occurrence. The two assessments therefore look at machine safety in similar ways.

SIL, however, defines the result of an accident differently. It expands into four subclasses identified as minor injury; serious permanent injury to one or more people, or death to one person; death to several people; and death to many people.

Unlike an electromechanical risk assessment for safety categories, a SIL risk assessment includes an additional analysis criterion: the statistical probability of an unwanted occurrence or failure. This criterion is divided into three classes: a very slight probability that the unwanted occurrence will come to pass and only a few unwanted occurrences are likely; a slight probability that the unwanted occurrence will come to pass and a few unwanted occurrences are likely; and a relatively high probability that the unwanted occurrence will come to pass and frequent unwanted occurrences are likely.

EN/IEC 62061 states that SIL 4 is not considered relevant to risk-reduction requirements normally associated with industrial machinery. While not specifically stated in any of the standards, it is highly unlikely that industrial machinery would combine a possibility of many people killed with a relatively high probability that the unwanted occurrences will come to pass, plus a likelihood of frequent unwanted occurrences.

Electromechanical Devices Versus Solid State
While electromechanical systems are fairly simple to monitor and it is easy to detect failures, solid-state systems must be designed for redundancy and self-checking. Standard PLCs are typically not designed for safety and won’t qualify for a SIL rating. Safety PLCs have redundant, highly reliable processors and redundant circuitry to verify system integrity. The redundant circuitry continually checks the processors, internal components, inputs, and outputs to ensure everything is working properly.

Another new standard to emerge recently, EN/ISO 13849-1, will eventually replace EN 954-1. It updates EN 954-1 with a new way to categorize the risk level of a machine using performance levels (PL). Performance levels use the same criteria as safety categories, but the results are arranged differently and are assigned the letters a through e. Each performance level is also tied to a band of mean time to dangerous failure (MTTFd) and, ultimately, to a PFHd range, which allows a statistical look at electromechanical safety and at the safety categories themselves. The standard thus allows comparison among safety categories, performance levels and SIL ratings. For example, a category 4 architecture with high MTTFd and high diagnostic coverage achieves PL e, which corresponds to SIL 3.
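The category, MTTFd and diagnostic-coverage arithmetic sketched above, worked through as an added example. This is not code from the page or from any standards body: it follows the simplified procedure of ISO 13849-1:2006 as I know it (the B10d formula, parts-count combination into a channel MTTFd, DCavg weighting, the MTTFd and DC bands, the category/MTTFd/DC table, and the PL-to-PFHd and PL-to-SIL correspondence). The component figures in the sample are constructed, not vendor data, and the function names are mine.

```python
"""ISO 13849-1 simplified performance-level (PL) evaluation, added example.

Sample component values below are constructed for illustration.
"""


def operations_per_year(days_per_year, hours_per_day, cycle_seconds):
    """n_op = d_op * h_op * 3600 / t_cycle (operations of the part per year)."""
    return days_per_year * hours_per_day * 3600.0 / cycle_seconds


def mttfd_from_b10d(b10d, n_op):
    """MTTFd in years for an electromechanical part: B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)


def channel_mttfd(mttfd_values):
    """Parts-count method: 1/MTTFd_channel = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfd_values)


def dc_avg(pairs):
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i); pairs are (DC %, MTTFd years)."""
    num = sum(dc / m for dc, m in pairs)
    den = sum(1.0 / m for _, m in pairs)
    return num / den


def mttfd_band(mttfd):
    """Bands of the 2006 edition: low 3..10, medium 10..30, high 30..100 years."""
    if mttfd < 3:
        return None  # below the 3-year floor; the channel cannot be rated
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"  # values above 100 years are capped at 100, still "high"


def dc_band(dc):
    """none < 60 %, low 60..90 %, medium 90..99 %, high >= 99 %."""
    if dc < 60:
        return "none"
    if dc < 90:
        return "low"
    if dc < 99:
        return "medium"
    return "high"


# Simplified table: (category, DCavg band) -> {MTTFd band: PL}; None = not covered.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# PL -> [lower, upper) band of dangerous failures per hour, and PL -> SIL.
PFHD_RANGE = {
    "a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6), "e": (1e-8, 1e-7),
}
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def performance_level(category, mttfd, dc):
    """Look up the PL for a category with the given channel MTTFd and DCavg."""
    mb = mttfd_band(mttfd)
    if mb is None:
        return None
    row = PL_TABLE.get((str(category), dc_band(dc)))
    if row is None:
        return None  # e.g. category 3 with no diagnostics is not a valid combination
    return row[mb]


def evaluate_channel(category, components):
    """components: list of (name, MTTFd years, DC percent) for one channel."""
    mttfd = channel_mttfd([m for _, m, _ in components])
    dc = dc_avg([(d, m) for _, m, d in components])
    pl = performance_level(category, mttfd, dc)
    return {
        "mttfd_years": mttfd, "mttfd_band": mttfd_band(mttfd),
        "dc_avg": dc, "dc_band": dc_band(dc),
        "pl": pl, "sil": PL_TO_SIL.get(pl), "pfhd_range": PFHD_RANGE.get(pl),
    }


# Constructed sample channel: interlock switch plus contactor, 16 h/day, one cycle a minute.
SAMPLE_COMPONENTS = [
    ("guard interlock switch", 50.0, 90.0),
    ("contactor", mttfd_from_b10d(1.3e6, operations_per_year(365, 16, 60)), 99.0),
]


def sample_evaluation():
    """Category 3 channel built from SAMPLE_COMPONENTS; yields PL d, i.e. SIL 2."""
    return evaluate_channel(3, SAMPLE_COMPONENTS)


if __name__ == "__main__":
    for key, value in sample_evaluation().items():
        print(f"{key}: {value}")
```

Note that the table only covers the combinations the simplified procedure allows: a category 3 channel with DCavg below 60 % returns no PL at all, which is the point a reviewer should check before trusting any quoted "category 3" claim. The sample shows why the contactor's duty cycle matters: the same B10d at a ten-second cycle would push the channel MTTFd into the low band and drop the result to PL c.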

Determining a Machine’s SIL Level
EN/IEC 62061 provides tables and a worksheet to identify a machine’s SIL requirement. Numerical values are assigned to each of the criteria discussed previously: severity of harm (Se), frequency and duration of exposure (Fr), probability of the hazardous event (Pr) and the possibility of avoiding or limiting the harm (Av). The three exposure-related values are summed into a class, Cl = Fr + Pr + Av; the severity value and the class then index a matrix on the worksheet that yields the required SIL, or indicates that other measures are recommended or that no SIL is needed. Each of the levels is more precisely defined than the safety categories, which makes determining severity simpler and a bit less subjective.
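The worksheet procedure above as an added, runnable example. This is not code from the page or from the IEC; the parameter scales and the severity/class matrix are transcribed from my recollection of the 2005 edition’s Annex A and should be checked against the copy of the standard you are working to before any result is relied on. The sample hazard is constructed and the function names are mine.

```python
"""IEC 62061 risk estimation worksheet, added example.

Assumption: scales and matrix below follow IEC 62061:2005 Annex A as recalled;
verify against the standard before use.
"""

SEVERITY = {  # Se: consequence of the harm
    "death or irreversible loss of eye/arm": 4,
    "irreversible: broken limbs, lost fingers": 3,
    "reversible, needs medical attention": 2,
    "reversible, first aid only": 1,
}
FREQUENCY = {  # Fr: interval between exposures to the hazard
    "<= 1 h": 5, "> 1 h to <= 1 day": 5, "> 1 day to <= 2 weeks": 4,
    "> 2 weeks to <= 1 year": 3, "> 1 year": 2,
}
PROBABILITY = {  # Pr: probability of the hazardous event occurring
    "very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1,
}
AVOIDANCE = {  # Av: possibility of avoiding or limiting the harm
    "impossible": 5, "possible": 3, "likely": 1,
}

# Class bands (columns) against severity (rows). "OM": other measures recommended;
# None: no safety-related control function required.
CLASS_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}


def class_index(cl):
    """Map a class value Cl to its column in SIL_MATRIX."""
    for i, (lo, hi) in enumerate(CLASS_BANDS):
        if lo <= cl <= hi:
            return i
    raise ValueError(f"class {cl} outside the worksheet range 3..15")


def required_sil(se, fr, pr, av):
    """Return (Cl, required SIL) from numeric Se, Fr, Pr, Av scores.

    Only scores that the worksheet scales actually define are accepted, so a
    typo such as Fr = 1 is rejected rather than silently lowering the class.
    """
    if se not in SEVERITY.values():
        raise ValueError(f"Se must be one of 1..4, got {se}")
    if fr not in FREQUENCY.values():
        raise ValueError(f"Fr must be one of 2..5, got {fr}")
    if pr not in PROBABILITY.values():
        raise ValueError(f"Pr must be one of 1..5, got {pr}")
    if av not in AVOIDANCE.values():
        raise ValueError(f"Av must be 1, 3 or 5, got {av}")
    cl = fr + pr + av
    return cl, SIL_MATRIX[se][class_index(cl)]


def assess(consequence, exposure, probability, avoidance):
    """Score a hazard described with the worksheet's own wording."""
    se, fr = SEVERITY[consequence], FREQUENCY[exposure]
    pr, av = PROBABILITY[probability], AVOIDANCE[avoidance]
    cl, sil = required_sil(se, fr, pr, av)
    return {"Se": se, "Fr": fr, "Pr": pr, "Av": av, "Cl": cl, "sil": sil}


def assess_sample():
    """Constructed hazard: a hand drawn into a roller nip while patting down material.

    Operator is at the nip several times an hour, the event is judged likely and
    avoidance only possible: Se 4, Cl = 5 + 4 + 3 = 12, so SIL 3 is required.
    """
    return assess("death or irreversible loss of eye/arm", "<= 1 h", "likely", "possible")


if __name__ == "__main__":
    print(assess_sample())
```

The validation in `required_sil` is deliberate: the Fr and Av scales skip values, and a worksheet filled in with an out-of-scale number produces a lower class and therefore a lower SIL target than the hazard warrants.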

As machines become more complicated, so do their safety systems. The growing complexity makes programmable safety systems more attractive and economical. Programmable safety devices easily integrate into control systems while adding new function and diagnostics.

Wednesday, 09 June 2010

Programmable safety begets new standards

Hard-wired electromechanical components were the only option for machine-safety systems in the U.S. until 2002. Standards banned programmable logic controllers (PLCs) from use in safety systems because programmable electronic systems were complex, and it could be difficult to predict how a device would behave in the event of a failure.

But new safety standards have led safety PLCs and controllers to become more widely accepted in the U.S. In fact, many users are combining safety and automation components into the same system through use of safety PLCs and safety networks. A combined system can save money through a substantial reduction in wiring, wiring labor, and cabinet space.

Commonality in components for control and safety extends to software as well. Operators need learn only one programming architecture. Safety PLCs operating over safety-rated communications networks linked with machine-control systems provide higher levels of information and diagnostics. Not only can the safety system detect the fault, it can now query the control system about the specific machine operations under way at the time.


Many European and international safety standards, such as IEC 61508 and EN 954-1, are not enforceable in the U.S. But they are still used to verify machine safety levels both in the U.S. and globally. Many U.S. companies must conform to these standards to compete internationally, and much of the European wording is being incorporated into U.S. safety standards as they are rewritten and revised.

Each programmable safety device and the overall machine must be classified into an appropriate risk-assessment category known as a safety-integrity level (SIL). But that raises questions about what the SIL ratings actually mean and how they compare to the more familiar safety categories.


Most machine builders today think of risk assessment as detailed in the EU’s EN 954-1 standard. It created five risk categories in 1995, listed as B, 1, 2, 3 and 4. All machinery in the EU must undergo a formal risk assessment before it can be equipped with safety components. The risk assessment in EN 954-1 looks at the result of an accident, the frequency and duration of exposure to the hazard, and the possibility of avoiding the hazard.

From the results of each assessment, the machine or part is put into one of five safety categories. Each category identifies the system requirements and the behavior of the safety-related control system in the event of a fault. Category B is the basic category, used where the risk of injury is slight or the injuries that can occur are easily healed; it requires only that the system withstand the expected operating influences, with no fault tolerance. Category 1 applies where serious injury is possible and mitigates it through the use of well-tried components and principles, but no special tests are carried out to maintain the safety functions. Category 2 requires periodic checks of the safety functions, but a fault between checks may cause the safety function to fail. A single fault in the final two categories must not cause loss of the safety function, and in category 4 an accumulation of undetected faults must not either. That typically means categories 3 and 4 need redundancy from inputs through outputs.

It’s fairly simple to determine how an electromechanical system might fail. Therefore, to satisfy safety requirements, the machine is built so that it will shut down when a part fails or fault occurs. But modern, programmable equipment may fail in unexpected ways with consequences impossible to predict. Thus a new method of rating the safety of today’s machinery was required.

Monday, 07 June 2010

Small Control Systems

Technology has been blazing ahead with larger memory capacity and smaller, faster processors in less space. The volume of quality commercial off-the-shelf digital devices used in so many everyday applications is bringing down the price.

New Ethernet technologies have made that venerable communication technique practical for process control work. All of this has contributed to much more affordable, small control systems. This has in turn allowed inexpensive but sophisticated control for applications and industries, which previously were not possible or practical.

The new markets that opened up provided opportunities for the process control companies to offer smaller but complete systems. Because many of these systems had the capacity to scale up, they were equally attractive to traditionally larger companies to also “start small, grow large” and try different suppliers without much risk.

The flexibility of the five IEC 61131-3 languages and their relative ease of use was attractive to batch-based industries, which often consisted of small batch process units of operation with a packaging line "downstream." That packaging line was the province of the PLC world. There was pressure (and opportunity) to marry the process and discrete functions in the same control system. Those batch operations were among the earliest to struggle with the need for a hybrid of discrete and process control, which no doubt led to the designation "hybrid industries." Pressure on the pharmaceutical industry to expand production led "hybrid controls" to include large system networks as well.

Both PLC and DCS suppliers raced to fill the void. Today they can be integral to enterprise control systems, which encompass the business side of the operations, not just the manufacturing.

Further, systems include optimization at all levels, which include alarm management, predictive maintenance, cyber security, and the safety of people, product, and equipment.