Can safety come as standard?
Dr Martin Kidman of Sick UK looks at the arguments for using standard sensors for machinery safety and the possible pitfalls.
The new safety standards EN ISO 13849-1 and EN 62061 are now in place and, in principle, permit the use of standard components in safety circuits. So, with standard sensors becoming smarter, machine systems designers are beginning to ask whether standard sensors can be used as adequately in a safety role as those with full safety designations.
Sensor manufacturers quote Mean Time To Failure (MTTF) and Mean Time To Dangerous Failure (MTTFd). So would this be sufficient to put together a safety system that conforms to the standards? The answer lies in understanding what the safety standards are looking for when designing a safety system. For example, what do terms like MTTFd actually mean in relation to safety requirements, and how do the design and electronics of different types of safety device, like safety light curtains, safety laser scanners or safe proximity switches, meet the requirements of redundancy and fail-safe?
Crucially, it should be understood that the design of the whole protective system and its components, including control and power supplies, must satisfy the safety criteria, ie the designated Performance Level (PL).
Consider two typical guarding applications. First is the monitoring of a grinding mill guard door. The guard door is opened and closed about four times per hour. The safety function has to ensure immediate shutdown of the mill motor when the door is opened. The risk assessment for injury to an operative resulted in a required Performance Level PLr = d.
Option 1: For a single magnetic proximity switch unit solution rated as PLe, and with the controller and power supply components rated PLe, the whole safety system achieves PLe. This rating exceeds the required safety system Performance Level of PLd, so is acceptable.
Option 2: With a standard single inductive sensor solution, the sensor is equipped with complex electronics with no specified failure mode in the case of an internal fault. As a result, the sensor only rates at PLb, so the system as a whole can only be rated at PLb, which falls short of the required PLd and is not acceptable as a solution.
Option 3: With two identical inductive sensors in parallel as a dual channel, the performance of the sensor subsystem can be improved, as the control unit can perform diagnostic fault checks on each sensor separately whenever the door is operated. With this improved Diagnostic Coverage, the sensors could be rated as PLd. However, Common Cause Failure (CCF) could occur where both sensors share a common design fault (for example failure due to a voltage surge). Unless there is some provision to eliminate this possibility, the sensor subsystem therefore has to be rated as a single sensor, or PLb, so the complete system is not acceptable.
Option 4: Two different types of standard sensor are used, with different output levels and internal structure, in dual channels monitored by the controller. This brings in the powerful principle of diverse redundancy, which allows the MTTFd values to be combined for a high total value. This counters the CCF values and allows a Performance Level of PLe.
In our second application, consider a light curtain guarding a hazardous batch collection point. Light curtains can be affected by 'optical noise' such as reflections and ambient light. The risk-assessed Performance Level required is PLr = c.
Option 1: A safety light curtain, which can function reliably despite 'optical noise' interference, is a type 4 device and can achieve PLe. The safety controller has a PLe rating. In this case, a single actuator power control element can be used because, despite only offering a single channel, it has a very high MTTFd of 30 years, so fulfils the well-tried and tested parameter and is rated at PLc. The whole installation is therefore rated as PLc.
Option 2: A standard light grid does not meet a product standard or the required opto-electronic safety standard for personal protection devices. Additionally, without a specified internal fault failure mode, its complex electronics cannot be considered a well-tried safety component and so it has no PL rating. As a result, the safety system cannot be given a PL rating.
These two examinations of some typical safety sensor applications show that standard sensors may be used in safety system design if the designer has a very good grasp of the principles involved and how these can be applied. However, designing a reliable solution could challenge the time and experience of a busy plant engineer.