Safety Standards

  • Functional Safety

    The safety of machines, plants and systems employed in industry depends more than ever before on the correct functioning of electronic control systems.

    Malfunctioning of control systems can lead to unaccaptable risk, jeopardising both capital investments and people. To eliminate such risks as far as possible, the relevant control systems must meet exacting requirements in terms of functional safety.

    For example we talk about "functional safety" when safety depends on the correct function of an electrical (E), electronic (E) and programmable electronic (PE) system (in short: E/E/PE systems). The following standards are used in this area.

    ...Read More
  • EN ISO 13849-1:2008 Safety of machinery - Safety related parts of control systems

    EN ISO 13849-1 uses the concept of determining Performance Levels (PL) to assess the type of safety control system that is required to satisfy a given risk (Pr)

    The required performance (Pr) for a given safety function is determined by risk assessment. Any safety system must meet
    or exceed this performance level. Safety systems may have many safety functions, so it is important to determine the required performance for each safety function.

    The level of performance (PL) of the safety system(a to e) is based upon the probability of a dangerous failure occurring, the ability of the system to monitor any such dangerous failures, which is a combination of the diagnostic coverage and the architecture of the safety system.

    The PL of the overall safety system (and each of the individual components) must at least match that of the required performance (Pr) level, in order to achieve a system that is balanced in terms of complexity and risk. The higher the risk to the user, the greater the measures required within the safety system to prevent dangerous failures from occurring. Low risk applications can use simpler / lower cost components and system architecture.

    During the analysis of systems and/or components, all likely failure modes are identified (typically by using FMEA techniques). The aim of this is to separate these failures into “safe” or “dangerous” failures, depending of the effect that the failure would have upon the safety function.

    Designing safety interlocks to achieve a high level of performance means making each product strong and robust and with a high level of reliability. In addition, any theoretical failures that cannot be detected by the control system should be either designed out, or proven to be highly
    unlikely to occur in use. This can be done by using a calculation, a proving test and/or using the fault exclusions in the standard that can be used under the specific circumstances advised in the standard.

    Potentially dangerous failures must either be detected by the safety system (by diagnostic monitoring) or be proven to be extremely unlikely (covered by a fault exclusion) if a high PL is required.

    The probability of a dangerous failure is calculated in the standard. The number of operations before 10% of the test batch of components fails dangerously is known as the B10d value. This is a measure of the number of operations to dangerous failure.  The B10d is one of the parameters used (along with several other measures) to determine the level.

    This has the effect that the possibility of an undetected dangerous fault occurring diminishes with higher performance levels.

    Techniques to further improve PL, include changing the design architecture, for example by using redundant switches (dual channel operation), preventing common cause failures (by diversity) and Including a monitoring system to provide a high diagnostic coverage. 

    Information from manufacturers relating to the individual components can be entered into a calculation to determine the overall PL for the safety function. This calculation can be performed manually, following the examples in the standard, but more often the use of proprietary software, such as SISTEMA is used. This allows the determination of Pr and the experimentation with different types of components and architecture to achieve the required PL

    EN ISO 13849-1 can be used in simple or complex systems, however does not cover complex electronics. It can however provide equivalent SIL levels so that components approved to EN13849-1 can be incorporated within systems designed to EN61508 or EN62061 that use safety integrity levels (SIL) instead of performance levels (PL).

    EN ISO 13849-1 can be used regardless of the technology and energy form used (electric, hydraulic, pneumatic, mechanical etc)

    As part of the assessment process, consideration is given to protection against common cause and systematic faults that could cause the system to fail dangerously. There would be little point in using for example duplicate switches, if the failure of the first switch could be hidden, or if the mode of failure brought about the failure of the second switch.

    EN13849-1 Basic elements of the standard

    Risk assessment to provide required performance level (Pr)
    An assessment of the architecture of the system. (Categories).
    A inclusion of the reliability data for the constituent parts of the system and the determination of the overall performance level (PL)
    The Diagnostic Coverage [DC] of the system (The ability to monitor faults).
    Specification of safety functions
    Fault consideration and fault exclusion
    Protection against common cause failure
    Protection against systematic faults
    Specific requirements for software where used.
    Ergonomic aspects of the design

     

    Table 1 - Overview of interlocking devices
    Actuation principle examples Actuator examples Type Examples:
    see Annex a
    Mechanical Physical contact / force Uncoded Rotary cam Type 1 A.1
    Linear cam A.2, A.4
    Hinge A.3
    Coded Tongue (shaped actuator) Type 2 B.1
    Trapped-key B.2
    Non-contact Inductive Uncoded Suitable ferric metal Type 3 C
    Magnetic Magnet, solenoid
    Capacative Any suitable object
    Ultrasonic Any suitable object
    Optic Any suitable object
    Magnetic Coded Coded magnet Type 4 D.1
    RFID Coded RFID tag D.2
    Optic Optically coded tag -
    Examples of other interlocking devices are given Annex E.

     

    ...Read More
  • EN ISO 14119  Interlocking devices associated with guard

    This standard provides guidance on the design and selection of safety interlocking devices.

    This standard was revised on 25/09/2013 and will replace the previous standard (EN 1088 / ISO 14119:1998) on 25/03/2015.

    This standard applies to the design of new machines. Existing installations are not affected.

    Principles of Guard Locking

    Unconditional locking – Can occur as unlocking takes place (used when hazard disappears as soon as the guard opened).
    Conditional locking – prevents unlocking until the hazard has disappeared (e.g. when the machine has a long run-down time).

    Fastening of position switches (and their actuators)

    Must be reliable and loosening then shall require a tool. Self-loosening shall be prevented.
    Type 1 position switches must have provision for permanent fixing the location after adjustment (e.g. by pins or dowels.
    Access to position switches for maintenance and checking must be possible
    Prevention of defeat in a reasonably foreseeable manner shall be considered.

    Series connected volt-free contacts.

    When multiple devices are connected in series with volt-free (electromechanical) contacts, faults can be hidden and so cannot be detected by the safety system fault diagnostics. The standard shows how contacts in series can influence the functional safety of the system. The Diagnostic coverage (DC) and performance level (PL), or safety integrity Level (SIL) are affected by series contacts when performing calculations in either (EN) ISO 13849 or IEC 62061.

    This issue is covered in more detail in Technical Report PD ISO/TR 24119.

    Assessment of faults

    Interlock devices that have a single point of failure in their mechanical linkage are, in general, limited to maximum PLd/SIL2 if it is found to be possible that these parts can break.
    This could be the actuator (tongue) or the mechanical linkage to the switching contacts.
    The PL/SIL for the guard locking function is not necessarily limited by the use of fault exclusion for breakage of a mechanical locking bolt if the holding force (FZh) is sufficient to with stand the expected static force and other dynamic forces due to guard movement, are prevented.

    Resistance to defeat

    All interlock devices can be subject to defeat. The standard contains information on the measures to remove the motivation to defeat and measures to make the system more difficult to defeat.
    Three levels of switch actuator coding are now defined: low level (< 10 codes), medium (10 to 1000 codes), and high level (>1000 codes).

    Infrequently used interlock devices

    Where the safety system requires that the guard door needs to be opened and closed to be able to test for faults, then infrequently use requires a functional test at least every month to achieve PLe and at least every 12 months for a PLd.

    Interlock devices with Guard Locking

    Power-to-Lock and Power-to-Release types are given equal status for applications where the locking function is safety related. The level of safety equivalent to Power-to-Release or bistable locking principles must be provided.

    Note: Power to lock functions are used extensively in certain parts of industry. Their characteristics is that they will unlock in the event of a power loss, so it is therefore important that if this method is employed, particularly with machines that have a long run down time that any remaining hazards are considered via a suitable risk assessment.  

    Auxiliary, Escape and Emergency Release.

    In certain applications the use of a supplementary release of guard locking (an over-ride function) can be necessary. It is important to ensure that methods do not introduce a way to bypass the interlock and allow access when the hazard is present. All methods of supplementary release of guard locking require that a stop command is generated when the guard is opened.

    If Auxiliary Release is provided the release must require use of a tool. Reset must also require the use of a tool or alternatively can be reset by the appropriate control system command.

    If Escape Release is provided (to escape from inside of the guard) then the release must be possible without tools.

    If Emergency Release is provided (to gain access to the inside of the guard from outside), then the interlock release must be possible without tools and the resetting of the interlock must also use a tool, or alternatively it can be reset by the appropriate control system command.

    Classification of Interlock Devices

    A new classification system for interlock devices is provided in table 1 of the standard shown below.  The types 1 to 4 shown are not to be considered hierarchical.

    *See Table 1
     
    Trapped key systems

    An explanation of trapped key devices is shown in annex B which includes the principles and characteristics of these devices and the importance of ensuring individual coding for key access systems. The scope of the standard explains that its requirements do not necessarily provide all
    the requirements for trapped key devices and systems.

    Holding Force.

    Interlocking devices must have a declared locking holding force (FZh).
    The standard requires that a force test (F1max) be carried out to 1.3 times the manufacturers declared value.

    Maximum Guard Door Force.

    Annex I provides guidance on the maximum static action forces that a person can exert at a guard door. This is used for specifying holding force (FZh) is required for an application

    ...Read More
  • EN/IEC 62061 Safety of machinery

    The recent move towards functional safety has been recognised in EN 61508 (a basic safety publication in IEC) that has a 'systems' based approach where greater emphasis is placed upon the correct specification and implementation of safety functions, using a reliability-based methodology.

    The integrity of safety functions is classified into one of four safety integrity levels (SILs). These SILs can be considered to define a performance target for electrical, electronic and/or programmable electronic systems that perform safety functions.

    EN 62061 is a harmonised standard for the machinery sector and implements the principles of EN 61508. Significantly for control systems designers and systems integrators, EN 62061 provides the basis for the successful integration of systems/parts that comply with EN 13849-1 and IEC/EN 61508 into safety-related electrical control systems (SRECS) in a logical manner that satisfies key requirements for functional safety.

    What is risk assessment like in accordance with EN 62061? Risk estimation is an iterative process. This means it may be necessary to go through the process more than once. The risk must be estimated and the SIL defined for each hazard on which the risk is to be reduced through control measures.

    The risk is estimated through consideration

    Se   The severity of the injury

    Fr   The frequency and duration of exposure to the hazard

    Pr   The probability of occurrence of a hazardous event

    Av   The probability of avoiding or limiting harm


    1) Severity (Se) classification:

    Consequence Severity (Se)
    Irreversible: death, losing an eye or arm 4
    Irreversible: broken limb(s), losing a finger(s) 3
    Reversible: requiring attention from a medical practitioner 2
    Reversible: requiring first aid 1

     

    2) Frequency and duration of exposure classification:

    Frequency of exposure Duration (Fr) > 10 m
    <= 1 h 5
    > 1 h to <= 1 day 5
    > 1 day to <= 2 weeks 4
    > 2 weeks to <= 1 year 3
    > 1 year 2

     

    3)Probability classification:

    Probability of occurrence Probability (Pr)
    Very high 5
    Likely 4
    Possible 3
    Rarely 2
    Negligble 1

     

    4) Probability of avoiding or limiting harm classification:

    Probability of avoiding or limiting harm Avoidance and limitation
    Impossible 5
    Rarely 3
    Probable 1

    SIL assignment matrix

    Severity (Se) Class 3 - 4 Class 5 - 7 Class 8 - 10 Class 11 - 13 Class 14 - 15
    4 SIL 2 SIL 2 SIL 2 SIL 3 SIL 3
    3   (OM) SIL 1 SIL 2 SIL 3
    2     (OM) SIL 1 SIL 2
    1       (OM) SIL 1

    The following minimum requirements need to considered.The selection or design of the relevant safety function must always meet the following minimum requirements:

     

    1)Architectural constraints for hardware safety integrity

    Safe failure fraction (SFF) HTF 0 HFT 1 HFT 2
    < 60 % Not permitted SIL 1 SIL 2
    60 % to < 90 % SIL 1 SIL 2 SIL 3
    90 % to < 99 % SIL 2 SIL 3 SIL 3
    >= 99 % SIL 3 SIL 3 SIL 3

     

    2) Requirements for the probability of dangerous random hardware failures

    SIL level PFHD
    SIL 3 >= 10 E-8 to < 10 E-7
    SIL 2 >= 10 E-7 to < 10 E-6
    SIL 1 >= 10 E-6 to < 10 E-5

     

    ...Read More
  • The ATEX directive and Fortress products

    This guide is intended to serve as an introduction to the main topics surrounding the ATEX Directive. It should not be considered as an alternative to obtaining the official European standards.

    Fortress interlocks are able to supply equipment suitable for environments where there is a risk of explosion due to a flammable atmosphere being present.

    In the European Union, the requirements for equipment and protective systems intended for use in potentially explosive atmospheres are covered by compliance with the essential health & safety requirements (EHSR’s) of the ATEX (94/9/EC) directive. (ATEX is derived from the French "ATmosphere Explosible)."

    Essential Health and Safety Requirements are specific with respect to:

    Potential ignition sources of equipment intended for use in potentially explosive atmospheres;
    Autonomous protective systems intended to come into operation following an explosion with the prime objective to halt the explosion immediately and/or limit the effects of explosion flames and pressures.
    Safety devices intended to contribute to the safe functioning of such equipment with respect to ignition source and to the safe functioning of autonomous protective systems;
    Components with no autonomous function essential to the safe functioning of such equipment or autonomous protective system(s).

    Relevant products can be placed on the market in the EU territory, freely moved and operated as designed and intended in the expected environment if they comply with Directive 94/9/EC (and any other relevant legislation).

    The ATEX Directive is based on Article 95 of the EC Treaty and provides for harmonised requirements and procedures to establish compliance (generally in the form of European harmonised standards). The intent is to provide free movement of goods within the European Union, based upon common regulatory requirements.

    Trapped key systems
    Fortress stainless steel trapped key systems are a highly reliable and robust method of interlocking. Because they have no electrical parts they do not generate heat or sparks. They are therefore an ideal choice for use in hazardous areas. The materials used in these trapped key systems are made of stable, non-sparking metals. These materials prevent the creation of sparks when moving parts (such as door lock actuators) strike each other in use.

    Electrical control and interlocking devices
    Electrical devices such as the Fortress heavy-duty explosion protection safety gate switch STOPTX incorporates an approved flameproof switching system. In addition, external parts that are liable to encounter mechanical impacts are made from the same robust and non-sparking materials found in the trapped key range.


    Ex Zones

    Zones are areas where equipment is installed that has a risk of a explosive atmosphere being present. They are divided into 3 main zones:

    Zone 0:- A location where an explosive atmosphere consisting of a mixture of with air or flammable substances in the form of a gas, vapour or mist is present continuously or for long periods. (Dust = zone 20).

    Zone 1:- A location where an explosive atmosphere consisting of a mixture of with air or flammable substances in the form of a gas, vapour or mist is likely to occur in normal operation occasionally. (Dust = zone 21).

    Zone 2:- A location where an explosive atmosphere consisting of a mixture of with air or flammable substances in the form of a gas, vapour or mist is not likely to occur in normal operation occasionally but if it does will occur will only persist for a short period only. (Dust = zone 22).

    Once the zones have been determined and the gasses or dusts that will be present are known, the process of selecting the correct equipment can be started.


    * See Figure 1.

    Standards and the ATEX directive
    The use of European harmonised standards offer a “presumption of compliance” with the their applicable directive. A wide variety of protection concepts are covered. The following chart explains the way the correct protection concept is matched to the zone.

    * See Figure 2.

    Further information:
    Please refer to the E.U. official website for the full text of the ATEX directive and details of the harmonised standards: http://ec.europa.eu/enterprise/atex/

    An update to ATEX directive (2014/34/EU) will be released on 20th April 2016.

    ...Read More