Machine Safety

1

Functional Safety Shealy Energy Expo

November 6 Mark Madden Product Manager – Safety Detection, Pressure, and Mechanical Sensors

2 Confidential Property of Schneider Electric 2

Agenda Introduction

Safety Standards Risk Assessment Inputs Logic

3 Confidential Property of Schneider Electric

Invest in safety– WHY ?

> Health & safety for all personnel health & safety for all personnel >  Cut costs associated with:

> Physical injuries >  Insurance premiums >  Lost production, penalties

>  Increased productivity due to the prevention of accidents > Better failure detection > Higher worker confidences at work >  Improving maintenance efficiency


Why we need strong International Machine Safety Rules


Standards

> A few of the most important US Standards are: > OSHA 29 CFR1910 > NFPA 79, Electrical Standard for Industrial Machinery > ANSI B11.19, Performance Criteria for Safeguarding > ANSI/RIA R15.06, Industrial Robots and Robot Systems, Safety Requirements

> Locally > UL and CSA (in Canada) > UL is mandatory in most US cities in their codes and requirements. > Customers and users demand these approvals even if local codes do not require it.

> Canada > CSA is mandatory in Canada


US Standards Organizations

> Occupational Safety and Health Administration (OSHA) > American National Standards Institute (ANSI) > National Fire Prevention Association (NFPA) > Underwriters Laboratories Inc. (UL) > Factory Mutual Research Corporation (FM) > National Electrical Manufacturers Association (NEMA)


Occupational Safety and Health Act of 1970

> SEC. 5. Duties(a) Each employer >  (1) shall furnish to each of his employees employment and a place of employment which are

free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees; (2) shall comply with occupational safety and health standards promulgated under this Act.

> “The compliance with OSHA regulations is the responsibility of the employer (user), not the seller of equipment”.

> SEC. 6. Agencies. “organizations which are not agencies of the U.S. > Government which are incorporated by reference in this part, have the same force

and effect as other standards in this part”


Many Standardization Institutes

OSHA

ANSI

IEC (electrical standards)

ISO (other standards: mechanical parts)

CEN (mechanical standards) CENELEC (electrical standards)

JIS

BS DIN CEI

SAA

UNE

GOST NF

CSA

UL

SIS

(PCB making machines)

ISO: International Organization for Standardization IEC: International Electrotechnical Commission CEN: Comité Européen de Normalisation CENELEC: Comité Européen de Normalisation Electrotechnique


Many Standardization Bodies

All countries use IEC and ISO or adapt them locally. All the institutes work jointly with other international organizations


A, B, C Standards

1.  The functions that are regulated by type B2 standards, and served by dedicated safety products

2.  The functions that are specific to one type of machine, and derived from the requirements of type C standards. Those safety functions are solved by machine builders with specific mechanical and automation design

> A: Basic Standards (e.g risk assessment & reduction) > B: Generic Standards >  B1: Particular Safety aspects (e.g safety distance) >  B2: Safeguards (e.g interlocking devices) > C: Standards for particular machines


Safety - Acceptable Risk Level

>  Zero Risk does not exist but risk must be reduced to an acceptable level

> Safety is the absence of risks which could cause serve injury or damage the health of persons.

>  It’s the machine designer job to reduce all risks to a value lower than the acceptable risk.


Risk Reduction

Func%onal Safety PL & SIL Sector specific standards for the Process Industry and Machinery

Standards highlighted in red are Interna%onal standards

IEC/EN 61511 IEC/EN 61508-‐3 IEC/EN 62061 EN/ISO 13849-‐1

SoKware

Process Machines

Safety of Systems and Equipment

IEC/EN 61508 Func%onal safety of electrical / electronic /

programmable electronic safety-‐related systems

EN 954-‐1 Safety related parts of

control systems


New Machinery Directive

> EN ISO 13849-1:2006 Machinery safety – safety related parts of control system non electrical and simple electrical

> This standard is an evolution of EN 954-1 and provides safety requirements and guiding principles for design and integration of safety-related parts of control system; e.g. electrical, mechanical, pneumatic and hydraulics technologies

> EN IEC 62061:2003 Machine safety – functional safety of electrical, electronic and programmable electronic control systems.

> This is a machinery sector standard based on IEC 61508 primarily for electrical, electronic and programmable electronic systems.


En/IEC 62061, EN/ISO 13849-1

> Both EN/IEC 62061 and EN/ISO 13849-1 and 2 specify requirements for the design and implementation of safety-related control systems of machinery. The methods developed in both of these standards are different but, when correctly applied, can achieve the same risk reductions.

> These standards classify safety-related control systems that implement safety functions into levels that are defined in terms of their probability of dangerous failure per hour (PFHd).

>  EN/ISO 13849-1 has five Performance Levels (PLs): a, b, c, d and e > EN/IEC 62061 has three Safety Integrity Levels (SILs): 1, 2, and 3. > Machinery designers can choose to use either EN/IEC 62061 or EN/ISO13849-1 or a

combination of both.


Key Points – Control Reliability

> Both OSHA and ANSI refer to a term “control reliability”. > Control reliability described per ANSI B11.19 - Performance Criteria for

Safeguarding:

“When required by the performance requirements of safeguarding, the device, system or interface shall be designed, constructed and installed such that a single component failure within the device, interface or system shall not prevent normal stopping action from taking place but shall prevent a successive machine cycle. This requirement does not apply to those components whose function does not affect the safe operation of the machine tool.” OSHA has similar wording.

> To accomplish this, some sort of redundancy is needed to carry out the stop command if there is a failure of one of the components


Basic Safety Idea

18

Appendix 2: Category, structure and behavior!

Category B When a fault occurs it can lead to the loss of the safety function

Category 1 When a fault occurs it can lead to the loss of the safety function, but the MTTFd of each channel in category 1 is higher than in category B. Consequently the loss of the safety function is less likely.

Category 2 Category 2 system behavior allows that: the occurrence of a fault it can lead to the loss of the safety function between the checks; the loss of the safety function is detected by the check.

Category 3 SRP/CS to category 3 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function. Whenever reasonably possible the single fault shall be detected at or before the next demand upon the safety function.

Category 4 SRP/CS to category 4 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function, and the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, at end of a machine operation cycle. If this detection is not possible an accumulation of undetected faults shall not lead to the loss of the safety function.

Input Logic Outputim im

Testequipment

Testoutput

im

Input Logic Outputim im

Testequipment

Testoutput

im

Input Logic Outputim imInput Logic Outputim im

Input 1 Logic 1 Output 1im im

m


mcross monitoring


m


m


m


mcross monitoring


m


mcross monitoring


m


m


m


mcross monitoring

Input Logic Output i m i m Input Logic Output i m i m

! From EN/ISO 13849-1 Section 6.2 – Specifications of Categories


5 Pillars of Safety Control system

20

Message from our sponsor Use of suitable materials

Well-tried safety principles

Well-tried component

Prevent Common Cause Failures


Common types of danger


Machine Safety – Reduce Risks

>  Cage around danger >  Control access points

>  Door Safety Interlocks

> Light Curtains


Functional Safety – Where used

Control System

Functional Safety System

Output (motor / contractor / VFD)


Machine Safety Related Solutions

Inputs Output Logic E-Stop Guarding &

Positioning

A safety related machine solution would include the following:

Machine S

afety Products


Safety Inputs at a glance

XCSPA XCSA XCSDM Limit Switches XCSLE/LF

Safety cable pull switches

XY2CH XY2CE XY2CJ

Safety switches for machine gates

XUSL

Safety light curtains


Safety Interlock Switches - XCS

>  Safety interlock switches send a signal to the safety related control circuit when the gates and guards are closed and it is appropriate to start the machine

>  Safety interlock switches also send a stop signal to the safety related control circuit when the gates or guards are opened so the machine can be stopped

>  Many varieties of safety interlocks are available >  Locking with electromagnet >  Locking with key release >  Locking with push button release >  Rotary shaft >  Lever type >  Compact pre-wired >  Metal or plastic bodies

>  Most are available with connector options


Basic Guidelines

When designing a door or gate guarding system, these guidelines must be followed:

>  The actuating key alone must not be used as the sole means to hold the gate or guard closed. A separate locking or latching mechanism must be used to hold the door closed.

>  The safety interlock switch must not be used as a mechanical stop for the moving guard. A separate mechanical stop must be provided.

>  The actuating key must not be used as a gate guiding device. Install a guide for the guard to ensure proper alignment.

>  Actuating keys must be securely attached to gates, guards, and doors only. They should not be attached to cables, cords, or chains.

28

The Product Range Type Non-Contact Non-Contact Non-Contact Non-Contact

Family XCSDMC XCSDMP XCSDMR XCSDM3/4

Operating Zone

Sao: 0.20 in (5 mm) Sar: 0.59 in (15 mm)

Sao: 0.31 in (8 mm) Sar: 0.79 in (20 mm)

Sao: 0.31 in (8 mm) Sar: 0.79 in (20 mm)

Sao: 0.39 in (10 mm) Sar: 0.79 in (20 mm)

Wiring Cable or connector Cable or connector Cable or connector Cable or connector

Size 2.01 x 0.63 x 0.28 in 3.56 x 0.98 x 0.51 in 30 mm dia. 1.51 in 3.94 x 1.34 x 1.26 in


Non-Contact Safety Interlocks – Why ?

>  Food and beverage and pharmaceutical applications do not allow contaminants to be trapped in or around devices

>  Zero operating force is needed – such as lightweight or plexiglass doors where cracking or breakage is prevalent with standard safety interlocks. Non-contact devices have no inherent operating force.

>  Wash down applications where a standard mechanical safety interlock switch would be much more difficult to clean, especially in the actuating key receptacle.

>  Smallest size in the marketplace for Category 4 applications, .63” x 2” x .28”

>  Tolerates gate or guard alignment problems >  Wider temperature range for a plastic bodied device than any of the competition >  6 operating directions allows for maximum flexibility of mounting options >  Suitable for Category 4 safety circuits


Key Points Primary Selection Factor

The primary factor in the selection of safety interlock switches is the access time of personnel vs. the stopping time of the machine, if the:

>  Stopping time of the hazard is less than the access time of personnel to the hazardous area, then the door or guard does not need to locked

>  Stopping time of the hazard is greater than the access time of personnel to the hazardous area, then the door or guard must be locked until the hazard poses no threat to personnel

This question must be answered first, before any other criteria are considered

31

The Product Range Type Safety Limit Switch Safety Limit Switch Safety Limit Switch

Family XCSM XCSP XCSD

Enclosure Metal Plastic Metal

Wiring Cable Conduit Conduit


Why Safety Limit Switches?

>  US and European safety standards require that switches used in safety applications have positive opening contacts.

>  Safety limit switches are many times used in conjunction with safety interlocks for mechanical and electrical redundancy

>  Also used for end of travel and overtravel applications

>  XCS Safety Limit Switches have tamper resistant covers over mounting screws.

>  Red color allows easy visibility and identification of safety related limit switches


Light Curtains – Type 2 vs Type 4

> Type 2 light curtains > Generally used as a perimeter guard > These devices run a self-check when they are turned on or reset. A component anomaly could

cause loss of safety function and won't be detected until the next self-check.

> Type 4 Light Curtains > Required in point of operation applications - such as presses where serious injury could result > Point of operation - that point (pinch point) where material is actually positioned and work is

being performed during any process such as shearing, punching, forming, or assembling. > These devices continuously check themselves and will detect loss of function immediately.


Light Curtains – Where used?

> Type 2 Light Curtain Applications: >  Packaging and assembly plants >  Conveyor and mechanical handling systems >  Warehousing and storage systems >  Waste disposal skips >  Robot areas

> Type 4 Light Curtain Typical Applications: >  Presses (all types), shears and trimmers Machine Tools >  Hoisting equipment Woodworking machines >  Saws (all types) Assembly machines


Different Styles of light curtains

> Finger, hand, and body detection Light Curtain Typical Applications:

>  Protected height 160 – 1810 mm (6” – 72”)

>  2 PNP outputs > Operating temperature range: -10 °C -

+55 °C (14 - +131 F) >  Cascadable (master / slave) > Sensing distance from 0 – 20 meters (0 –

65 feet)


Different Styles of light curtains

>  IP69K Light Curtains >  Protected height 310 – 1060 mm (12” –

42”) >  2 PNP outputs > Operating temperature range: -25 °C -

+55 °C (-13 - +131 F) > Resistance to acidic and alkaline

cleaning agents, and aliphatic hydrocarbons

> Sensing distance from 0 – 17 meters (0 – 55 feet)


XUSL 2/4 Light Curtain

> No External >  Safety Relay >  Required > Lowest installation costs

XUSL2E and XUSL4E compliant with: Type 2, SIL2 – SILCL2 and PLd- Cat.2 Type 4, SIL3, SILCL3 and PLe- Cat.4


Taut Cable vs. Slack Cable

> Taut Cable > Cable is tight (taut) with a specified tension applied to set switch > Device trips if either the cable is pulled or if the cable is loose or cut > The distance the operator has to pull on the cable is constant throughout the cable run > The force the operator has to place on the cable is constant throughout the cable run

> Slack Cable > Cable is slack, and rests on eyelets placed around machine > Device trips only if the cable is pulled >  If the cable is loose or cut, the operator can pull on the cable until they reach the end of their

rope > The distance the operator has to pull on cable is directly related to the overall cable length,

how loose the cable was, and how far the operator was away from the switch.


Requirements for E-Stops (EMO for SEMI)

> E-Stop must have absolute priority over all other functions > Must have e-stop capability at each workstation and other locations where e-stop is required > Every machine must have a category 0 or category 1 emergency stop > Must be mushroom push button, cable pull or foot switch (without cover) – Cannot be flat panel

types of operators or graphical displays > Must have mechanical latch means (pull to release or rotate) > Shall be initiated by a single human action > Reset of e-stop command shall not restart machinery – only permit restarting > Must (shall) have positive opening contacts > RED actuator with a YELLOW background required > The emergency stop devices must be continuously operable, clearly identifiable, clearly visible

and readily accessible


Stop Categories

> Three categories of emergency stop function: > Category 0: Immediate removal of power (all machines must have a category 0 or 1

emergency stop) > Category 1: Power to machine actuators to achieve the stop, then the removal of

power (all machines must have a Category 0 or 1 emergency stop) > Category 2: Power to machine actuators to achieve the stop; power remains on the

circuit


Key Points

> No teasing

> Red mushroom actuator

> Positive opening contact


Cable Pull Vs. E- Stop Buttons

> A machine can be stopped by either an e-stop button or cable pull switch. Which should you use?

>  An E-Stop button > Designed for an individual’s protection at a single workstation > May be more expensive to use if many operators are in close proximity and each require

their own e-stop > Best choice if operators are far apart or if cable pull’s cable would be difficult to run (e.g.:

many turns or just physically challenging to mount)

>  A Cable Pull Switch > Designed for use by several personnel over a longer distance, up to 230feet > One operating cable needs to be run, fewer electrical connections > Can be used in place of many e-stop buttons, reducing installation costs


Safety Interlocks vs. Light Curtains

Light Curtains can be used where: >  Operators need easy physical access to hazardous areas >  Clear visibility of the operation is desired >  Gates and guards may not be practical >  They cannot be used where there is potential for flying debris that could harm personnel

There are a lot of questions on when to use light curtains and when to use guards with safety interlocks

Safety Interlocks can be used where: ●  Access is not desired or where access needs to be limited ●  Large areas of a machine need to be protected, where there are multiple points of access ●  There may be flying debris, fluids or coolants, or other materials you want to keep away from personnel ●  Lower cost is a primary concern


Cable Pull Switches

Cable length

XY2CJS

XY2CH

XY2CE

XY2CJL/R

XY2CH Price

65 feet 230 feet 98 feet

45

Monitor and processing Type Safety Relay Safety Controller Safety PLC AS-i

Safety Card

Family XPS XPSMC XPSMF ASISAFE

Lexium 32

Function Solution for monitoring one

function

Solution for monitoring several functions simultaneously

Solution for monitoring many

functions simultaneously and communication over

Safe Ethernet

Solutions using a safety related

communications bus

Solutions using a motion controller


Key Points - Logic

> Different amount of inputs and different software solutions


Support resources


Telemecanique Safety Sensors

49

Whichever sensors or switches are used, machine builders need to demonstrate and document the functional safety of their machinery in front of regulatory agencies

Sistema has become the most popular tool to calculate the safety level of an automation safety chain

Need for quantification approach


Sistema

> Electronic sensors (component/block) > MTTFd, Mission Time, DC > Switches (component) > B10d > Safety related sensors (sub system) > PL, PFHd, category, Mission Time

> Available on demand from our specialist sales people, > and directly from www.tesensors.com web site or http://

www.schneider-electric.com/us/en/


Typical Customer Application Examples

Solutions driven sales will also need: Harmony XB4 - Emergency stop Phaseo ABL8 - Power supply Preventa XUSL - Safety light curtains OsiSense XU Photo-electric when Muting Relay Used Modicon TM3SAFL5R(G) - Safety Module Tesys D - Contactor Harmony XVB - Modular beacon and tower lights


Machine Safety Solutions for Doors, Gates, Panels

• Related Products • Switches, pushbuttons, emergency stop - Harmony XB4 • Switch mode Power supply - Phaseo ABL8 • Safety Module - Preventa XPSAC • Safety switches - Preventa XCS • Contactor - TeSys D • Modular beacon and tower light - Harmony XVB


Machine Safety Solutions for Doors, Gates, Panels


Key Points

> US standards are important to the development of safety related systems here in the US

> Many of the requirements are similar to the European (EN) and IEC standards > Many different products and solutions available for cost effective and safety related

solutions to meet your requirements

55 ©2015 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.

56

Glossary Appendix Functional Safety


Glossary *

>  Safety-Related Parts of Control Systems (SRP/CS) A part of a control system that responds to input signals and generates safety-related output signals.

>  Category The classification of safety-related parts of a control, respective their resistance against faults and their behaviour in the fault condition, which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability.

>  Performance Level (PL) The ability of safety-related parts to perform a safety function under foreseeable conditions (which should be taken into account) to fulfil the expected risk reduction. The performance level is indicated in five possible discrete levels from a to e according to Table 1.

>  Safety Integrity Level (SIL) One of three possible discrete levels for specifying the safety integrity requirements to be allocated to the safety-related electrical control system (SRECS), where the SIL 3 has the highest level of safety integrity for machinery and SIL 1 the lowest.

>  Mean Time To dangerous Failure (MTTFd) Expectation of the mean time to dangerous failure.

>  Diagnostic Coverage (DC) The DC is a measure for the effectivity of diagnostics, may be determined as the ratio between the rate of the detected dangerous failures (λDD) and the rate of total dangerous failures (λD): DC = ΣλDD / ΣλD total

>  Common Cause Failure (CCF) The CCF-factor b is a measure for a failure, which is the result of one or more events causing coincident failure of two or more separate channels in a multiple channel (redundant architecture) subsystem, leading to failure of a safety function.

* From EN/ISO 13849-1


Glossary

>  Risk Combination of the probability of the occurrence of a harm and severity of that harm.

>  Risk assessment Overall process comprising of risk analysis and risk evaluation.

>  Risk analysis Combination of the specification of the limits of the machine, hazard identification and risk estimation.

>  Risk evaluation Judgment, on the basis of risk analysis, of whether risk reduction objectives have been achieved.

>  Low Complexity Component component in which

>  failure modes are well-defined, and >  the behavior under fault conditions can be completely defined

>  Complex Component

component in which >  failure modes are not well-defined, or >  the behavior under fault conditions cannot be completely defined

* From EN/ISO 13849-1

59

Appendix 1:Use of suitable materials • correct dimensioning and shaping • proper selection, combination, arrangements, assembly and installation of components/system • correct protective bonding • proper fastening • insulation monitoring • use of de–energisation principle • transient suppression • energy limitation (pressure, speed) • reduction of response time • compatibility • withstanding environmental conditions • secure fixing of input devices • protection against unexpected start–up • protection of the control circuit • sequential switching for circuit of serial contacts of redundant signals • simplification (reduce the number of components in the safety–related system) • separation • proper temperature range • sufficient avoidance of contamination of the fluid • proper range of switching time • limitation of the generation and/or transmission of force and similar parameters • limitation of range of environmental parameters • proper lubrication • proper prevention of the ingress of fluids and dust [Summary of Table A.1, B.1, C.1 and D.1 in [ISO13849-2]

60

Appendix 2:Well-tried safety principles • positive mechanically linked contacts • fault avoidance in cables • separation distance • energy limitation • limitation of electrical parameters • no undefined states • failure mode orientation • over–dimensioning • minimise possibility of faults • balance complexity/simplicity • use of carefully selected materials and manufacturing • use of components with oriented failure mode • over–dimensioning/safety factor • safe position • increased OFF force • carefully selection, combination, arrangement, assembly and installation of components/system related to the application • carefully selection of fastening related to the application • positive mechanical action • multiple parts • use of well–tried spring • Proper avoidance of contamination of the fluid • Sufficient positive overlapping in piston valves • Limited hysteresis [Summary of Table A.2, B.2, C.2 and D.2 in [ISO13849-2]

61

Appendix 3: Well-tried component • A “well-tried component” for a safety-related application is a component which has been either a) widely used in the past with successful results in similar applications, or b) made and verified using principles which demonstrate its suitability and reliability for safety-related applications. • switch with positive mode actuation e.g.: push–button, position switch, cam-operated selector switch e.g. for mode of operation • emergency stop device • fuse, circuit breaker, or differential circuit breaker/ RCD (Residual current detection) • switches, disconnectors • main contactor • control and protective switching device or equipment (CPS) • auxiliary contactor (e. g. contactor relay) • relay • transformer • cables • plug and socket • temperature switch • pressure switch • solenoid for valve • Screw • Spring • Cam • Break–pin • [Summary of Table A.3, B.3, C.3 and D.3 in [ISO13849-2]

62

Appendix 4: Common Cause Failure (CCF)

●  The common cause failures (CCF) should also be taken into account (see Annex F of EN/ISO 13849-1).

●  In Category B and 1 the common cause failures (CCF) are not relevant.

●  Examples of measures against CCF: ●  prevention of contamination and electromagnetic compatibility (EMC)

●  separation

●  diversity


Appendix 5 Positive Opening Contacts

>  Traditionally, Positive Opening Contacts have been slow-make slow-break type. There are now snap action type contact units that have positive opening mechanisms which force the NC contacts open to meet EN 60947-5-1. Either type is suitable (and required) for use in safety related applications.

>  The actuator travel for snap acting contact opening is different than the actuator travel to the point of positive opening. If this difference is not designed into the application, the actuator may not be operated far enough to invoke the positive opening function in the event of a contact weld or anomaly.

>  Slow-make slow-break positive opening construction is overwhelmingly PREFEERED in safety related circuits.

Unactuated State

Snap Action Contact Change

of State

Approach Travel

Positive Opening


Appendix 6– Linked Contacts

> Mechanically linked contacts have: > A mechanical link between the contacts. > A minimum distance between the points of an open

contact in the event of a closed contact being welded.

> Linked Contacts are used on > Control Relays > Starters > Contactors/starters > Auxiliary contacts of starters/contactors > Safety Relays

If an anomaly occurs –i.e.: contact A becomes welded - then contact B stays open

Contact A - welded

Contact B Minimum

gap

Mechanical link Linked contacts

Mechanical guiding (forced guiding) does not allow the closing of the normally closed and normally open contact simultaneously.

Documents

Machine Safety