How do I set up my Safety Control System? Five Questions Answered

This post focuses on how to set up a safety control system with regard to machine safety. This is part two. Part one was all about “Where Do I Start?” and can be found here. Before we get into the “How do I” topics, let’s quickly review the main points from part one:

  • Do not tackle a machine safety project alone. Form a safety committee and include many levels of the organization. Involve anyone who interacts with the machine in ANY way.
  • Perform a risk assessment on your machine, following an established set of guidelines.
  • Pick a standard to follow, and keep in mind that your industry may have its own specific standards. OSHA 1910 Subpart O (Machinery and Machinery Guarding) is a good resource.
  • Identify individual risks and evaluate them. This is when we quantify the risk.

Safety Control System Risk Flow Chart

Risk Reduction Measures

Once you have identified risks and quantified them, the next step is to make actionable changes toward risk reduction. Risk reduction can be accomplished in three ways: (1) eliminate the hazard from your system; (2) safeguard, by adding physical guards to or around the hazard; and (3) use PPE and train employees on best practices.

Safety Control System Effectiveness


Some methods are preferred over others. This chart, from ANSI RIA TR15.06.306, does a good job of listing risk reduction measures and correlating them to a scale of effectiveness. Obviously it’s best to eliminate the hazard, but if that is not possible, the next best option is working within your machine controls. This is called the “Safety Related Parts of the Control System”, referred to within the standards as the SRP/CS.

Safety Related Parts of the Control System

This post will focus on the controls side of the safety system, the SRP/CS. Depending on your level of familiarity with controls, you might be asking yourself:

  1. How do I know how to set up my controls?
  2. How do I calculate risk?
  3. What architecture should I use?
  4. What does a real-world application look like?
  5. What type of devices should I use?

These are five very common questions. Before we go any further, some quick background and terminology may be helpful. If you have a high level of familiarity with controls, you may already know some or all of this – but it can be a helpful refresher. We certainly encourage most users to let the standards guide you.

Many people have heard the terms Category 3 (Cat 3) or Category 4 (Cat 4) when talking about machine safety. The standard EN954-1 introduced category levels in 1997. This standard covered the fact that you could have a fault in your controls that might jeopardize safety. If there is a fault somewhere in the controls, how does one assure that the system will perform as designed? Fundamentally, a higher Category level adds two things to the circuit to create fault tolerance:

  1. Redundancy (dual channels): if one channel goes down, the other is available to perform the safety function.
  2. Circuit monitoring: confirmation that the circuit is up and ready when there is a demand for it.

In 2006, ISO 13849-1 superseded EN954 by building on it. What was added, and why? The additions address the scenario in which a user has a great circuit design but is using low-quality or unreliable components; such a system would not be reliable. ISO 13849 also covers how to assure, through monitoring, that the safety circuit is actually ready for a demand.

ISO 13849 and Performance Levels

Three things were added in ISO 13849:

  1. Rating the quality of components in the SRP/CS. This is done with a rating called “Mean Time to Dangerous Failure” (MTTFd). A serious manufacturer will give their components an MTTFd rating, and most do.
  2. Quantifying the level of circuit monitoring. This is called “Diagnostic Coverage” (DC), and it considers how well your circuit is monitoring itself.
  3. The consideration that a single fault event could compromise the duality of the safety circuit. By adding diversity in the type of components, the probability that similar components could be taken out by a single event is reduced. The term for this is “Common Cause Failure” (CCF).

The ISO 13849 standard uses the term “Performance Level” to rate the safety circuit, often abbreviated as “PL”. Performance Levels are rated ‘a’ through ‘e’, where ‘e’ is the highest level. If you already understand Category ratings, the following table may help you relate them to Performance Levels:

Safety Control System Performance Level Chart 2

You can see in the table that there is an approximate equivalency between Categories and Performance Levels. Also shown in the table are the ANSI term “Control Reliable” and the EN62061 term “SIL”. To avoid confusion, we will not introduce other standards here; we will stay focused on our subject of setting up your controls.

How do I calculate risk?

OK, we covered a lot of technical details above. Take a breath, it’s not as complicated as it sounds. What it boils down to is this:

The higher the calculated risk, the higher the Performance Level required of the controls.

Safety Control System Table 2 Risk

So how do we calculate risk, you may ask? You and your team need to quantify each hazard on the machine in a “Risk Evaluation”. ANSI RIA TR15.06.306-2016 is a very good resource for the quantification of risk. This chart is another helpful tool to get you started:

Risk evaluation is determined by considering three factors:

  1. How severe would an injury be?
  2. How frequently are people exposed to the hazard?
  3. How likely is it that the hazard can be avoided?

From these three factors the required Performance Level is then determined. Now that you know what PL you need for your circuit, what is your next step?

Safety Control System Risk Level 5

What architecture to use?

The next step is to put together an idea of what your controls might look like. A big part of this step is to review what the different architecture categories look like. What is your input device? What kind of monitoring will you have? What type of logic will the system be using? This diagram compares the different parts of an architecture across the different category levels:

Safety Control System Circuit Category Diagram

The above conceptual diagram comes from the standard. In the Cat 3 and Cat 4 structures, you can see that there are two channels: input device, through logic, to output device. Keep in mind that most quality components on the market incorporate the two channels in one device. Typically, machine safety control circuits are Cat 3 or Cat 4.

What does a real-world application look like?

Here is an example diagram. It shows two door interlocks wired in series. Note the dual channels from the input devices into the safety relay. Notice also that the safety relay is monitoring the status of the output contactors.

Safety Control System Device Architecture Cat 3

Contactors with mechanically linked contacts

Safety Control System Electrical Schematic


For comparison, here is a wiring diagram. It comes from Rockwell Automation’s pre-engineered safety functions webpage. This circuit meets the highest level, PLe/Cat 4. In the electrical schematic, the 440N is a door interlock that is tied into the 440R safety relay together with an e-stop. The circuit has dual channels on BOTH inputs, with monitoring on the channels for immediate notification if a fault occurs. The safety relay is self-monitoring. The circuit also has dual output contactors: if one welds closed, no restart is possible until the issue is fixed.


What type of devices should I use?

Let’s assume you have an application in mind that you are ready to tackle, and that you have read the above content and have a basic understanding of how to determine the required Performance Level. Now you need to select and specify components with an acceptable MTTFd rating and ensure you are monitoring the circuit correctly.

This can be done by manual calculation, following the methods described in the standards, or with software tools. These tools automate many of the longhand calculations and make the task relatively easy:

Tool #1) Safety Automation Builder Software

This is a free tool from Rockwell Automation, available for download. With this tool you can input the Performance Level you determined you need and put together a bill of materials (BOM) for your application. Additionally, it will give you an official report showing that your application meets the levels you require.

Tool #2) Pre-Engineered Safety Circuits

This is a free tool from Rockwell Automation, essentially a library of common applications. The work has already been done for you! You can look up a circuit based on the application and include the required Performance Level as a parameter. You will receive a complete document containing setup instructions, wiring, configuration, programming and more. Very handy.

Tool #3) Machine Safety Solutions Page

A resource for other resources, such as technical articles, application guides, hot topics and more. In general, a great place to learn more about safety and what other companies are doing.

Tool #4) RASWin Risk Assessment Software

If you are a safety professional, this will vastly enhance your effectiveness: import machine pictures, identify and rate hazards, create a mitigation strategy and more. This is not a free tool; there is a cost associated with it.
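The tools above automate the longhand calculation that the risk evaluation and component selection sections describe. As an added example (not from the original post, and not Rockwell's or RASWin's code), here is that calculation in Python: the ISO 13849-1 Annex A risk graph turns severity, frequency and avoidance into a required PL, and the simplified Category/DC/MTTFd table (Table 7 of the 2006 edition) gives the PL a proposed circuit actually reaches. The component MTTFd values in the test are constructed sample numbers, not vendor data.

```python
# Added example, not from the original post: ISO 13849-1's Annex A risk graph,
# its simplified Category/DC/MTTFd -> PL table (Table 7, 2006 ed.) and Annex D MTTFd formula.
PL_ORDER = "abcde"  # 'e' is the highest Performance Level
# Severity S (1 slight, 2 serious), frequency F (1 seldom, 2 frequent),
# possibility of avoidance P (1 possible, 2 scarcely possible) -> PLr.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# (Category, DC band) -> {MTTFd band: PL}; None means the combination is not permitted.
ACHIEVED_PL = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

def required_pl(severity, frequency, avoidance):
    """Required Performance Level (PLr) for one hazard from the risk graph."""
    return RISK_GRAPH[(severity, frequency, avoidance)]

def channel_mttfd(component_mttfd_years):
    """Channel MTTFd from its parts, 1/MTTFd = sum(1/MTTFd_i), capped at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in component_mttfd_years))

def mttfd_band(years):
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the standard's range")
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(dc):
    """Diagnostic Coverage as a fraction (0.0-1.0) -> DC band."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def achieved_pl(category, mttfd_years, dc):
    """PL reached by an SRP/CS of the given Category, channel MTTFd and DC."""
    row = ACHIEVED_PL.get((category, dc_band(dc)))
    return None if row is None else row[mttfd_band(mttfd_years)]

def check_design(s, f, p, category, component_mttfd_years, dc):
    """Returns (PLr, achieved PL, ok): ok when the circuit reaches at least PLr."""
    plr = required_pl(s, f, p)
    pl = achieved_pl(category, channel_mttfd(component_mttfd_years), dc)
    ok = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
    return plr, pl, ok
```

A `None` result from `achieved_pl` means the Category, DC and MTTFd combination is not one the table permits (for example Cat 4 without high DC), so the design needs better monitoring or components, not just a recheck of the arithmetic.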

Five Machine Safety Questions, Answered

Hopefully, this post answered a lot of your questions about how to set up your safety control system. I covered lots of ground in this post. There’s a bit to it, but it’s really not that hard when you dig in. Horizon Solutions and Rockwell Automation have many resources to guide you; don’t be afraid to ask. If you have a question, please ask in the comments section.
