Hard-wired electromechanical components were the only option for machine-safety systems in the U.S. until 2002. Standards banned programmable logic controllers (PLCs) from use in safety systems. The reason was that programmable electronic systems were complex: it could be difficult to predict how a device would behave in the event of a failure.
But new safety standards have led safety PLCs and controllers to become more widely accepted in the U.S. In fact, many users are combining safety and automation components into the same system through use of safety PLCs and safety networks. A combined system can save money through a substantial reduction in wiring, wiring labor, and cabinet space.
Commonality in components for control and safety extends to software as well. Operators need to learn only one programming architecture. Safety PLCs operating over safety-rated communications networks linked with machine-control systems provide higher levels of information and diagnostics. Not only can the safety system detect the fault, it can now query the control system about the specific machine operations under way at the time.
Many European safety standards, such as IEC 61508 and EN 954-1, are not enforceable in the U.S. But they are still used to verify machine safety levels both in the U.S. and globally. Many U.S. companies must conform to these standards to compete internationally. And much of the European language is being incorporated into U.S. safety standards as they are rewritten and revised.
Each programmable safety device and the overall machine must be classified into an appropriate risk-assessment category known as a safety integrity level (SIL). But that raises questions about what the SIL ratings actually mean and how they compare to the more familiar safety categories.
Most machine builders today think of risk assessment as detailed in the EU's EN 954-1 standard. It created five risk categories in 1995, listed as B, 1, 2, 3, and 4. All machinery in the EU must undergo formal risk assessment before it can be equipped with safety components. The risk assessment in EN 954-1 looks at the severity of the result of an accident, the frequency and duration of exposure to the hazard, and the possibility of avoiding the hazard.
From the results of each assessment, the machine or part is put into one of the five safety categories. Each category identifies the system requirements and the required behavior in the event of a fault. Category B holds the safest machines, where the risk of injury is slight or the injuries that can occur are easily healed. Category 1 machinery poses a risk of serious injury that is mitigated through the use of well-tried and tested components and principles, but no special tests are carried out to maintain the safety functions. Category 2 requires periodic checks of the safety functions, but a fault may still cause the safety function to fail. Faults in the final two categories must not cause loss of the safety function. That typically means categories 3 and 4 need redundancy from inputs through outputs.
It's fairly simple to determine how an electromechanical system might fail. Therefore, to satisfy safety requirements, the machine is built so that it shuts down when a part fails or a fault occurs. But modern, programmable equipment may fail in unexpected ways with consequences that are impossible to predict. Thus a new method of rating the safety of today's machinery was required.