Safety design - different questions

rQx (Lifetime Supporting Member; joined Oct 2010; location Trelleborg; 1,049 posts)
Hi,

I'm reading up on safety in control systems and have a few questions.
This is according to 13849-1.
I have never been involved with designing safety according to a risk analysis, so these are just theoretical questions.

I understand that the risk analysis is providing me with a PL and I must design the safety function according to this. For instance a magnetic switch on a door.

1. How about the emergency stop that is a complementary safety function? Do I get a PL for this or are emergency stops excluded from 13849-1 PL design?

2. I have heard and seen that some say that you have to design for at least PL c. Where can I read this in a standard?

3. In the machine directive EN 60204-1 10.7.3 it says:
"Where a stop category 0 is suitable, the supply disconnecting device may
serve the function of emergency stop where:
- it is readily accessible to the operator and
- it is of the type described in 5.3.2 a), b), c) or d)
Where intended for emergency use, the supply disconnecting device
shall meet the colour requirements of 10.2.1"

So this means that I can use the supply disconnecting device for emergency stop? How does this compare to 13849-1? There are plenty of machines (drills, sandpapers etc.) that have this solution, so it must be OK. But when and how do we document it when there is no PL? Is it this 60204-1 10.7.3 that I refer to?
 
This picture could help you to calculate the PL level needed according to your risk assessment.



[image: safety_pic-1024x642.png]

You can use the supply disconnecting device for an e-stop if it can be easily pushed and if it completely isolates the circuit.


But in most industrial machines or installations it will not be useful at all to switch off the cabinet.
 
This picture could help you to calculate the PL level needed according to your risk assessment.

You can use the supply disconnecting device for an e-stop if it can be easily pushed and if it completely isolates the circuit.


But in most industrial machines or installations it will not be useful at all to switch off the cabinet.

Thanks, I know about the graph but my questions are a little bit more than just that.

The disconnecting device I am thinking of is a regular main switch that I know fulfils the demands stated in the paragraph. And in small machines I can see it being useful and also cost effective if one could use this solution.

[image: s-l225.jpg]
 
A red and yellow handle should only be used if it can disconnect the stalled rotor current of the largest motor supplied from the cabinet plus the FLC of all others.

If it cannot, a grey and black one should be used.

One of the most common mistakes I see with panel builders in Europe.
 
Thanks, I know about the graph but my questions are a little bit more than just that.

Regarding this following question

"2. I have heard and seen that some say that you have to design for at least PL c. Where can I read this in a standard?"

There is no standard about it. It really depends on what you do. If your machine is completely protected mechanically, with no access and no reachable or dangerous movement, you can do PL a.

If you have robots, fast or dangerous cylindric or motorized movements, you have to do at least PL d. Or even PL e if the operators are often exposed in the area. The PL level is about the risk of failure of the electrical components of your safety system.
 
Hello rQx.

So this means that I can use the supply disconnecting device for emergency stop?
Usually no.
When you make a risk assessment, you will identify risks that are countered by active means (such as by an e-stop). For these risks a "required performance level" (PLr) will be calculated (e.g. by the graph that Iner showed in post #3). For any risk that requires a PL greater than "a", you need a safety system that involves a safety relay. The safety relay must usually be able to detect errors in the safety circuit. If you use a main supply switch as an emergency stop, it will cut all power and the safety relay cannot detect an error in the circuit.

2. I have heard and seen that some say that you have to design for atleast PL c. Where can I read this in a standard?
They probably refer to so-called "C" standards. "A" standards are relevant to everyone. "C" standards are relevant to certain industries or applications. If a C standard exists and it is relevant to you, then you must follow it. It is quite possible that there is a C standard that says that PL=c is the minimum acceptable. The good thing is that by following the C standard you are well covered and don't have to contemplate some hard-to-define situations.
Here is an explanation: https://www.pilz.com/en-INT/knowhow/faq/standards/articles/167667
 
A red and yellow handle should only be used if it can disconnect the stalled rotor current of the largest motor supplied from the cabinet plus the FLC of all others.

If it cannot, a grey and black one should be used.

One of the most common mistakes I see with panel builders in Europe.

I'm sure this is stated in the standard as well, yes; my question is not regarding where I cannot use it. It is regarding where I actually can use it.

Regarding this following question

"2. I have heard and seen that some say that you have to design for at least PL c. Where can I read this in a standard?"

There is no standard about it. It really depends on what you do. If your machine is completely protected mechanically, with no access and no reachable or dangerous movement, you can do PL a.

If you have robots, fast or dangerous cylindric or motorized movements, you have to do at least PL d. Or even PL e if the operators are often exposed in the area. The PL level is about the risk of failure of the electrical components of your safety system.

Then probably I have misunderstood some posts or it's a language thing :)

Hello rQx.

Usually no.
When you make a risk assessment, you will identify risks that are countered by active means (such as by an e-stop). For these risks a "required performance level" (PLr) will be calculated (e.g. by the graph that Iner showed in post #3). For any risk that requires a PL greater than "a", you need a safety system that involves a safety relay. The safety relay must usually be able to detect errors in the safety circuit. If you use a main supply switch as an emergency stop, it will cut all power and the safety relay cannot detect an error in the circuit.

I'm aware of this but my question is where I can use a supply disconnect as an emergency stop, because according to 60204-1 I can but I don't see how I should be able to unless it is excepted from the Performance Levels.

I mean, if you look at a stationary drill for example, this is still a pretty dangerous machine, but it is still made with a supply disconnect that is intended for emergency stop.

Also, the lowest architecture of a safety system is "B" and this has Input - Logic - Output. I don't see how it is legal to make a "PL a" with no safety relay?

They probably refer to so-called "C" standards. "A" standards are relevant to everyone. "C" standards are relevant to certain industries or applications. If a C standard exists and it is relevant to you, then you must follow it. It is quite possible that there is a C standard that says that PL=c is the minimum acceptable. The good thing is that by following the C standard you are well covered and don't have to contemplate some hard-to-define situations.
Here is an explanation: https://www.pilz.com/en-INT/knowhow/faq/standards/articles/167667

Maybe I have read the posts wrong or misinterpreted them.

------------------

Bottom line is, 60204-1 says I can use a supply disconnect as an emergency stop. In which cases, and how does that relate to 13849-1 and 12100-1? Has it something to do with an emergency stop being a complementary protective measure and not a safeguard?
 
I'm aware of this but my question is where I can use a supply disconnect as an emergency stop, because according to 60204-1 I can but I don't see how I should be able to unless it is excepted from the Performance Levels.

I mean, if you look at a stationary drill for example, this is still a pretty dangerous machine, but it is still made with a supply disconnect that is intended for emergency stop.

Also, the lowest architecture of a safety system is "B" and this has Input - Logic - Output. I don't see how it is legal to make a "PL a" with no safety relay?




Several things:

1) You can make a machine with no e-stop if there is no risk (manual workstations with a PLC often don't have an e-stop).

2) PL is a level of security reached for each of your electrical loops.

You can reach PL d for your e-stop loop and PL c for your gates loop, for example.
You can reach PL a if you use PL a components. It won't be a problem if there are no risks.

3) Your first paragraph is answering the question you are asking.

The main supply switch can be an e-stop if it is close enough to the operator and if you can do a category 0 e-stop, which is an immediate and uncontrolled switch-off of the power. I think your remaining question is "Do I need to calculate a PL level for my main switch?". I think the answer is no, as I have never seen a PL level given for these components and you have no safety in your control system, but you should seek the advice of a control organism.

Anyway, if a machine uses an e-stop and is to be installed in a factory, odds are that it will need light curtains, safe gates, or safe sensors and you will have to build a control system with safety (unless it's a simple pump or something like that).
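The risk graph that Iner pointed to in post #3 and the "one PL per loop" point in this post, carried through as an added example (not code from the thread, and not from any standards body): the risk-graph parameters S, F and P give the required PLr (ISO 13849-1 Annex A), the simplified category / DCavg / MTTFd lookup (Table 7 of the standard, reproduced here from memory as an assumption to be confirmed against the published text) gives the PL a loop achieves, and each loop is then checked against its own PLr. The loop names and their parameter values are constructed; the "enclosed conveyor" loop shows the Category B, PL a case discussed above.

```python
"""Added worked example (not code from the thread): determine the required
performance level PLr with the ISO 13849-1 Annex A risk graph, estimate the
PL a safety-related control loop achieves with the simplified
category / DCavg / MTTFd lookup, and check every loop against its own PLr."""

from dataclasses import dataclass
from typing import Optional

PL_ORDER = "abcde"  # PL a is the lowest level, PL e the highest

# Risk graph parameters (ISO 13849-1 Annex A):
#   S1 slight/reversible injury, S2 serious/irreversible injury or death
#   F1 seldom or short exposure, F2 frequent or continuous exposure
#   P1 avoidance possible, P2 avoidance scarcely possible
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """PLr for one hazard from the risk assessment parameters."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def mttfd_band(years: float) -> str:
    """MTTFd band of a channel: low 3-10 y, medium 10-30 y, high 30 y and up."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable for a channel")
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(percent: float) -> str:
    """Average diagnostic coverage band: none <60 %, low, medium, high >=99 %."""
    if percent < 60:
        return "none"
    if percent < 90:
        return "low"
    if percent < 99:
        return "medium"
    return "high"


# Simplified evaluation (ISO 13849-1 Table 7, reproduced from memory as an
# assumption to confirm against the standard): (category, DCavg band) ->
# PL achieved for MTTFd (low, medium, high); None = combination not covered.
SIMPLIFIED_TABLE = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}


def achieved_pl(category: str, dc_percent: float, mttfd_years: float) -> Optional[str]:
    """PL the loop reaches, or None if the combination is not covered."""
    row = SIMPLIFIED_TABLE.get((category, dc_band(dc_percent)))
    if row is None:
        return None
    return row[("low", "medium", "high").index(mttfd_band(mttfd_years))]


@dataclass
class SafetyLoop:
    name: str
    severity: str
    frequency: str
    avoidance: str
    category: str
    dc_percent: float
    mttfd_years: float


def evaluate(loops):
    """Map each loop name to (PLr, PL achieved, PL achieved >= PLr)."""
    results = {}
    for loop in loops:
        plr = required_pl(loop.severity, loop.frequency, loop.avoidance)
        pl = achieved_pl(loop.category, loop.dc_percent, loop.mttfd_years)
        ok = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
        results[loop.name] = (plr, pl, ok)
    return results


# Constructed sample loops, one per safety function of a fictitious machine.
SAMPLE_LOOPS = [
    SafetyLoop("e-stop loop", "S2", "F1", "P2", "3", 90.0, 50.0),
    SafetyLoop("gate loop", "S2", "F1", "P1", "2", 75.0, 40.0),
    SafetyLoop("enclosed conveyor", "S1", "F1", "P1", "B", 0.0, 5.0),
    SafetyLoop("robot cell gate", "S2", "F2", "P2", "3", 75.0, 40.0),
]

if __name__ == "__main__":
    for name, (plr, pl, ok) in evaluate(SAMPLE_LOOPS).items():
        print(f"{name:18} PLr={plr} achieved={pl} {'OK' if ok else 'NOT OK'}")
```

The last sample loop is the failure mode worth seeing: a robot cell gate with PLr e built as Category 3 with low diagnostic coverage only reaches PL d, so the loop is reported as not meeting its requirement even though its components are "good" on their own.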
 
Thank you for that input! :)

I also just now read an article that stated that an emergency stop isn't a safety function and it needed to be at least PL c (standard 13850). So this still confuses me a little bit, since that standard (13850) is again in conflict with 60204-1 and the supply disconnect which cannot meet a PL as far as we know. Sorry to draw this out further, but the standards are conflicting in my world :)
 
Thank you for that input! :)

I also just now read an article that stated that an emergency stop isn't a safety function and it needed to be at least PL c (standard 13850). So this still confuses me a little bit, since that standard (13850) is again in conflict with 60204-1 and the supply disconnect which cannot meet a PL as far as we know. Sorry to draw this out further, but the standards are conflicting in my world :)

To me emergency stop is just the act of removing the potential energy from the machine systems. It doesn't necessarily mean that the devices controlling these actions are trustworthy and designed to fail into a safe state. That's where the safety aspect comes in. If the emergency stop is meant to protect "life & limb" you need to be sure that the devices controlling these actions are robust, tested and fail-safe. The two ideas are conflated because the safety system devices are used to initiate & control the e-stop.
Cheers
 
My 2 cents.
An emergency stop is just that.
In an emergency condition, you press the e-stop to kill all machine power to the I/O, pneumatics, hydraulics. With the items mentioned, you have to do a lot of design work to ensure safety, e.g. hold the output on if it's more dangerous to kill the output. The risk assessment will determine this.

If someone gets caught in the machine, conveyor, workstation.
If a part gets hung and the machine continues to run.
If a part is about to get thrown out of the machine because it got hung.
A hydraulic hose breaks and oil is going everywhere.
The list goes on...

If you want to stop the machine, use a stop button and allow the machine to complete its current task and come to a safe stop.

Iner, I started my career in 1984 and cannot remember seeing a machine that didn't have an e-stop; I can be wrong.

james
 
My point was that the concept of putting the machine into a zero energy state isn't the same as the safety functions which verify the safe condition of the machine. In common usage the e-stop is a safety function. Safety devices are there to protect personnel from hazards, not to protect the machine, but the safety devices do often serve both purposes. Emergency stop means stop now, as soon as physically possible due to an abnormal condition in which you can't afford to complete a cycle or stop in a normal manner because doing so would be hazardous to the machine or personnel. This doesn't mean that the machine has been put into a zero-energy state or is in a safe condition. The safety system is tasked with the protection of personnel regardless of the energy state of the system.

Cheers
 
A lot of insightful inputs, it is much appreciated.

I think that for this discussion, which is concerning an actual emergency stop button, we have to be careful not to mix it up with actual safety functions. As stated in the standards, an emergency stop button isn't a safety function and the standard is separated from the safety of machinery standard 13849-1 and lies in 13850.

An emergency stop button is used when the other safety functions have failed; it doesn't need to kill all power, but it can be designed to.

There are a lot of insightful inputs, but the bottom line is still that we have to refer to the standards when answering the questions.

I think I might be calling the Swedish support for the standards and see what they have to say, to clear things up

/Tim
 
A lot of insightful inputs, it is much appreciated.

I think that for this discussion, which is concerning an actual emergency stop button, we have to be careful not to mix it up with actual safety functions. As stated in the standards, an emergency stop button isn't a safety function and the standard is separated from the safety of machinery standard 13849-1 and lies in 13850.

An emergency stop button is used when the other safety functions have failed; it doesn't need to kill all power, but it can be designed to.

There are a lot of insightful inputs, but the bottom line is still that we have to refer to the standards when answering the questions.

I think I might be calling the Swedish support for the standards and see what they have to say, to clear things up

/Tim


I would definitely encourage you to learn about the safety standards and requirements in your country.


I think the standards that Performance Levels come from were designed to line up with the requirements of the EU. A brief googling suggests that Sweden is semi-aligned with the European Union, so I don't know if you've adopted their safety requirements, or have your own.


I know for a fact that America has (at best) fuzzy safety standards that basically boil down to "don't let people get hurt". Where there are specific rules, most people haven't updated from how they did things in the 70's and 80's. Not a knock on my American colleagues, but take anything specific we say about safety with a big grain of salt. Put 4 random American controls engineers in a room, and you'll probably get 6 different ideas about what is the absolutely only correct way to do the safety on a machine.
 
