Double standards in safety

01 March 2010

Some back-pedalling on new safety standards has confused many engineers. Martin Payn finds the few simple truths that will define machine safety from now on

Towards the end of 2009, the European Commission’s Machinery Working Group suddenly decided to delay withdrawing an ageing standard even though its successor had already been introduced. Presumably this was meant to be helpful to companies that were not quite ready for the switchover. However, a major problem has arisen in that some companies now want to stick with the existing standard, others want to adopt the new one, while a third set don’t know what to do at all!

The reprieved standard is EN 954. This was more than ten years old and due to be discontinued at the end of 2009, but now has an extra three years. In simple terms its replacement was to be EN 13849, which is already in place. So until the end of 2012 engineers can choose to comply with either.
 
It is notable that some people were planning to adopt EN 62061 as the new standard instead of EN 13849. Based on Safety Integrity Levels (SILs), this is attractive because it is an established standard. But unlike EN 13849, EN 62061 is not appropriate for all applications: it covers only electrical, electronic and programmable electronic control systems, whereas EN 13849 also covers hydraulic, pneumatic and mechanical parts of a safety-related control system.

As ever, many companies had not decided which route to follow; instead they would ‘go with the flow’ as the trend became apparent. In theory, the extension means that engineers can carry on as they were until December 2012. But the reality is that those who were not ready three months ago won’t be ready in three years’ time either; they will wait until a consensus emerges.

The result is confusion in the marketplace with several standards vying for dominance. This is messy, frustrating, expensive and ultimately could lead to a reduction in overall safety levels until a single regime emerges.

The fact is that industry is only as ready as it wants to be, because most people were waiting to see what others do. Thus the fact that there is currently little enthusiasm for replacing EN 954 is simply to be expected. There was no real reason for delaying the matter. However, delayed it has been, so we must live with that.

Comparison
Introduced in 1997, EN 954 was written at a time when some technologies and engineering practices were significantly different from what they are today. A key issue is that it has become far more common to start and stop machines remotely. When the standard was drafted in the early 1990s there was nearly always a supervising operator present at the machine. Another issue is that component reliability has changed markedly.

But perhaps the biggest change has been driven by experience with EN 954 itself: new rigour has been brought to calculating the mean time between potentially dangerous failures, and this can now be done so much more reliably that it is affecting the way machines are designed. EN 954 concerns itself with the design of circuits, prescribing architectures (its categories) that imply safety. It does not consider component quality: there is a presumption that components will fail eventually, so failsafe behaviour or redundancy has to be designed in.

By contrast, EN 13849 concerns itself not with individual parts or design details, but with overall system safety. It defines the start and end points of systems and requires safety between the two over the lifetime of the system.

The start point of a system may be the on/off button; the end point the final mechanism. Between the two there could be a number of components including drive, motor, contactors, etc. It is the overall construct that will be certified under the new regime, not the individual components.

Under EN 954 end users and machine builders could pass a lot of responsibility and related workload for safety down to the component suppliers. But this is no longer the case. Legal responsibility is primarily positioned at the system builder level.

Significantly, something like the control system within a machine is defined under EN 13849 as a component part of the machine. This means the machine builder is responsible for its safe functioning: if there is a problem, they will be the first port of call. They may be able to prove misuse by the end user or an out-of-spec component. But passing the buck back to a parts supplier will be very much more difficult, because the system design should have been able to cope with an internal malfunction.

EN 13849 defines a new measure for systems, Mean Time to Dangerous Failure (MTTFd). Its critical point is the word ‘dangerous’. Safe failure is acceptable; dangerous failure isn’t. Thus the machine builder must involve their suppliers from the earliest design stages, obtain reliability data (MTTFd or B10d figures) for each component, and design the system accordingly. If components fail, they must do so in a safe manner.

New safety legislation is always worrying, but in this case there is a wonderful software tool available. SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications), developed by the BGIA (the Institute for Occupational Safety and Health of the German Social Accident Insurance, now the IFA), can be downloaded from http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp

This will do all the calculations automatically and simplify design procedures no end. Significantly, it includes a comprehensive library of safety-assessed products and components with manufacturer-supplied reliability data (MTTFd, B10d and diagnostic coverage). Using those figures removes the risk of keying in the wrong numbers, though the performance level actually achieved still depends on the architecture the machine builder chooses and on the correct application of each component.
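To make the MTTFd measure and the calculation SISTEMA automates concrete, here is an added worked example; it is not code from the article, from Parker SSD Drives or from SISTEMA. It applies the formulas of EN ISO 13849-1:2008 (B10d conversion and n_op from Annex C, the parts-count method from Annex D, the 100-year channel cap, and the simplified category/DCavg/MTTFd to PL mapping of Figure 5) to one channel of a constructed stop circuit: an emergency stop switch, a safety relay and a contactor. All component figures and duty-cycle assumptions are invented for illustration, not manufacturer data.

```python
"""Channel MTTFd by the parts-count method and the simplified PL lookup of
EN ISO 13849-1:2008. Constructed example; component figures are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MTTFD_CAP_YEARS = 100.0  # the 2008 edition caps each channel at 100 years


@dataclass(frozen=True)
class Component:
    name: str
    mttfd_years: Optional[float] = None  # MTTFd supplied directly by the maker
    b10d: Optional[float] = None         # or a B10d figure (cycles to 10 % dangerous failures)
    ops_per_year: Optional[float] = None  # n_op, needed only with B10d
    count: int = 1                       # identical parts in series on this channel


def n_op(days_per_year: float, hours_per_day: float, cycle_seconds: float) -> float:
    """Mean number of operations per year (Annex C)."""
    return days_per_year * hours_per_day * 3600.0 / cycle_seconds


def mttfd_from_b10d(b10d: float, ops_per_year: float) -> float:
    """MTTFd = B10d / (0.1 * n_op), in years (Annex C)."""
    return b10d / (0.1 * ops_per_year)


def component_mttfd(c: Component) -> float:
    if c.mttfd_years is not None:
        return c.mttfd_years
    if c.b10d is not None and c.ops_per_year is not None:
        return mttfd_from_b10d(c.b10d, c.ops_per_year)
    raise ValueError(f"{c.name}: need mttfd_years, or b10d with ops_per_year")


def channel_mttfd(components: List[Component]) -> float:
    """Parts-count method (Annex D): 1/MTTFd = sum(n_i / MTTFd_i), capped at 100 years."""
    inverse = sum(c.count / component_mttfd(c) for c in components)
    return min(1.0 / inverse, MTTFD_CAP_YEARS)


def mttfd_band(years: float) -> str:
    """Below 3 years a channel is not acceptable for any PL."""
    if years < 3:
        return "unacceptable"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


# Simplified mapping of Figure 5: (category, DCavg band) -> {MTTFd band: PL}.
# Categories B and 1 have no diagnostics ("none"); category 4 requires high DCavg.
PL_TABLE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("B", "none"):    {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):    {"high": "c"},
    ("2", "low"):     {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"):  {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):     {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"):  {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):    {"high": "e"},
}


def performance_level(category: str, dc_band: str, mttfd_years: float) -> Optional[str]:
    """PL reached by the architecture, or None if that combination is not allowed."""
    return PL_TABLE.get((category, dc_band), {}).get(mttfd_band(mttfd_years))


# Constructed stop circuit, one channel: 220 days/year, 16 h/day, one cycle every 30 s
# for the contactor; the emergency stop is assumed to be operated about once a day.
CHANNEL = [
    Component("S1 emergency stop switch", b10d=100_000.0, ops_per_year=220.0),
    Component("K1 safety relay", mttfd_years=100.0),
    Component("Q1 contactor", b10d=1_300_000.0, ops_per_year=n_op(220, 16, 30)),
]


def assess(category: str, dc_band: str) -> Tuple[float, str, Optional[str]]:
    years = channel_mttfd(CHANNEL)
    return years, mttfd_band(years), performance_level(category, dc_band, years)


if __name__ == "__main__":
    years, band, pl = assess("3", "medium")
    print(f"channel MTTFd = {years:.1f} years ({band}); category 3, DCavg medium -> PL {pl}")
```

The point the article makes shows up in the numbers: the switch and relay are each individually excellent, yet the one component with a high duty cycle (the contactor, about 30 years MTTFd at this cycle rate) pulls the whole channel down to the medium band, so with category 3 and medium diagnostic coverage the channel reaches PL d and no better. Raising the channel beyond 100 years buys nothing under this edition of the standard, and a category 4 architecture still needs the high MTTFd band to claim PL e.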

Dr Martin Payn is with Parker SSD Drives
© Copyright psbonthenet.net 2010 All rights reserved - Website design by IMA Electronic Media