Electrical machine safety
Those who design new machinery, or who make electrical/control-system modifications to existing machines, need to be aware of the changes that have occurred in the Machinery Directive and in the standards that underpin AS 4024.1:2006.
Whilst not an AS/NZS standard, AS 4024.1:2006 is viewed by the Department of Labour (DOL) as “taking all practicable steps” as required by New Zealand law. Now let’s test that in court!
• AS 4024.1 is a derivative of BS 5108 and EN 954-1.
• EN 954-1 has now been replaced by EN ISO 13849-1.
• AS 4024.1:2006 contains information on hazard identification and details on carrying out risk assessment. It includes the category information and explanations of the principles of design, and is widely used by New Zealand industry as the benchmark for health and safety design.
Some of the most relevant, recognised standards for electrical machine safety are:
• EN 954-1, which has been replaced by EN ISO 13849-1. There was a transition period during which EN 954-1 remained current. That transition period was originally set to end on 28 December 2009, after which EN 954-1 would become obsolete, meaning that machine builders and system integrators would instead need to apply EN ISO 13849-1:2008 or, if more appropriate, the other functional safety standard for machinery, EN (IEC) 62061 “Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems”. Note that the European Commission subsequently extended the transition period, so EN 954-1 continued to give a presumption of conformity until 31 December 2011; designers starting new work should nevertheless apply EN ISO 13849-1 or EN 62061 now.
• EN ISO 13849-1 “Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design”, which has replaced EN 954-1.
EN ISO 13849-2 specifies the procedures and conditions to be followed for the validation, by analysis and testing, of the safety functions provided and of the category achieved for the safety-related parts of the control system (SRP/CS) in compliance with EN 954-1 (now EN ISO 13849-1), using the design rationale provided by the designer.
This International Standard does not give complete validation requirements for programmable electronic systems and therefore can require the use of other standards.
• EN/IEC 62061 “Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems”, which was proposed to be merged with EN ISO 13849-1 “Safety of machinery – Safety-related parts of control systems”. (That merger, pursued for a time as IEC/ISO 17305, was later abandoned, and both standards remain current; a designer may apply either, but must not mix the two methods within one safety function.)
• AS 61508 (parts 1-7) “Functional safety of electrical/electronic/programmable electronic safety-related systems”, the Australian adoption of IEC 61508.
• Machinery Directive 2006/42/EC, under which machines have to comply with the Essential Health and Safety Requirements (EHSRs) listed in Annex I of the directive.
What were the main reasons for revising EN 954-1?
EN 954-1 has described the design of safety-related control circuits in the machinery safety sector since 1996. It is still widely used, but it contains no adequate requirements for programmable electronic systems. A further criticism was that the relationship between risk level and category was not always plausible. Also, the general view was that probabilistic considerations ought to be included alongside the structural (category) requirements.
What has changed?
A significant revision in EN ISO 13849-1 is the probabilistic approach to the assessment of safety-related control systems. The aim of the revision was to add to the EN 954-1 approach the probabilistic techniques urgently needed in order to assess modern circuits. The key step was to continue to use the proven categories, but to also assess quantitative safety-related features.
Performance levels (PL) have come into use. A PL is a discrete level, “a” (lowest) to “e” (highest), each corresponding to a range of average probability of a dangerous failure per hour (PFHd): PL a ≥ 10⁻⁵ to < 10⁻⁴, PL b ≥ 3×10⁻⁶ to < 10⁻⁵, PL c ≥ 10⁻⁶ to < 3×10⁻⁶, PL d ≥ 10⁻⁷ to < 10⁻⁶ and PL e ≥ 10⁻⁸ to < 10⁻⁷. The PL achieved is based on the categories and is described by the following parameters:
• Category (structural requirement).
• Mean time to dangerous failure (MTTFd).
• Diagnostic coverage (DC).
• Common cause failure (CCF).
The six steps for the design of the safety-related parts of a control system
The introduction of EN ISO 13849-1 has also resulted in new procedural requirements for machine design. The design of the safety-related parts of a control system is an iterative process carried out in several steps; if the PL achieved at step 5 falls short of the PL required, the design is revised and steps 3 to 5 are repeated.
Step 1 – Define the safety function requirements
First, establish the features required of each safety function. This step is the most important and is sometimes the most difficult too. For safety gate guarding on a machine, for example, hazardous movements must be shut down when the safety gate is opened, and it must not be possible for the machine to restart while the safety gate is open.
Step 2 – Determine the required performance level PL
The greater the risk, the higher the requirements on the control system. The contribution of reliability and structure can vary depending on the technology used. The required contribution of each safety function to risk reduction is classified into five levels, from “a” to “e”. With PL “a” the control function’s contribution to risk reduction is low; with PL “e” it is high. The risk graph in Annex A of EN ISO 13849-1, which assesses the severity of injury (S1/S2), the frequency and/or duration of exposure to the hazard (F1/F2) and the possibility of avoiding the hazard (P1/P2), is used to determine the required performance level (PLr) for the safety function.
Step 3 – Design and technical realisation of the safety functions
The “safety gate interlock” safety function described in step 1 is realised through control measures. The safety gate interlock can be implemented using a coded proximity switch such as the PSEN code. This provides the option to connect several safety gates in series without reducing the effectiveness of the monitoring functions. Coding also provides extensive protection against manipulation (defeating) of the interlock. The sensors are evaluated using a multifunctional safety system such as the PNOZ multi. The drive is shut down via two contactors with positively guided contacts, whose feedback contacts are read back by the safety system so that a welded contactor is detected.
Step 4 – Determine and evaluate the performance level
To determine the performance level that has been achieved, the safety function is broken down into three parts: input, logic and output. Each of these subsystems contributes to the safety function, and the PL of the whole function is limited by the weakest subsystem. The necessary performance data (B10d or MTTFd, DC and, for electronic devices, PFHd) is available for hardware from reputable manufacturers such as Pilz, Sick, Allen-Bradley and Schneider, to name but a few.
Step 5 – Verification
This step determines the extent to which the achieved performance level matches the required performance level. The achieved PL must be greater than or equal to the PLr required by the risk assessment. Only then is there a “green light” for the machine design; otherwise the design must be revised and re-evaluated.
Step 6 – Validation
Alongside the purely quantitative requirements for the design of safety systems, it is also important to avoid systematic failures; validation (per EN ISO 13849-2) confirms by analysis and testing that each safety function behaves as specified and that the category and PL claimed are justified.
Steps 5 and 6 are too often not completed, yet they are an extremely important part of the process. In simple terms it could be said:
• Verification: Did we do what we meant to do? This involves a lot of paperwork and analysis.
• Validation: Did what we did work the way we wanted it to? This involves a test plan and testing.
Performance level safety software
Sistema is popular for performing EN ISO 13849-1 performance level calculations, but some engineers criticise the way its results can be open to interpretation. Some UK companies are now promoting Docufy Machine Safety to the UK market. While this is primarily a tool to aid compliance with the risk assessment aspects of EN ISO 12100:2010, it integrates with Sistema and is promoted as removing the ambiguity from Sistema’s results.
The Sistema software utility, published by the German IFA (Institut für Arbeitsschutz der DGUV), provides developers and testers of safety-related machine controls with comprehensive support in the evaluation of safety in the context of ISO 13849-1. The tool enables you to model the structure of the safety-related control components based upon the designated architectures, thereby permitting automated calculation of the reliability values at various levels of detail, including that of the attained performance level (PL). Sistema is available in English and may be downloaded and distributed to third parties free of charge. Relevant parameters, such as the risk parameters for determining the required performance level (PLr), the category of the SRP/CS, measures against common-cause failures (CCF) on multi-channel systems, the average component quality (MTTFd) and the average test quality (DCavg) of components and blocks, are entered step by step in input dialogs. Each parameter change is reflected immediately on the user interface, together with its impact upon the entire system. Users are spared time-consuming consultation of tables and calculation of formulae, since these tasks are performed by the software. The final results can be printed out in a summary document; keep that report with the design file, since it is the evidence for step 5 (verification).
Of course, if you are designing safety-related control systems to EN 62061 (IEC 62061) instead, then Sistema is of no help. However, the Pilz PAScal safety calculator can be used with this standard as well as with EN ISO 13849-1, and it can import data for other manufacturers’ products in Sistema format.
The Institute will be closely following the updating of AS 4024:2006 in relation to the implementation of EN ISO 13849-1 and the proposed integration of EN/IEC 62061 with EN ISO 13849-1.
Allan Hill
National secretary
New Zealand Electrical Institute (Inc).