Safety is an aspect of a plant or machine that becomes prominent only when it is absent. It is the subject of several standards issued by various regulatory bodies, which define the relevant terms with legal precision. The ‘Machinery Directive 2006/42/EC’ of the European Union, or its equivalent in other jurisdictions, is the starting point for such a discussion. This matters because, for actual implementation questions, the legal text defers to the standards documents it references.
The objective of functional safety is freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly through damage to property or to the environment, achieved by the proper implementation of one or more automatic protection functions, often called safety functions. These statements contain several terms that have both an everyday meaning and a specialised meaning in the context of Functional Safety (FS); these are examined below.
What are hazard, risk and safety?
A hazard is a potential source of harm to humans, to machinery or to the environment. The harm may be injury or death of humans, loss of or damage to machinery, or pollution of the environment. A hazard, and the damage that follows from it, can arise from random hardware faults, systematic design mistakes or human error. Risk, on the other hand, is the combination of the probability of occurrence of harm due to the hazard and the potential severity of that harm. Functional safety is the part of overall safety that depends on a system operating correctly in response to its inputs: it reduces hazards, risks, accidents and near misses by means of active safety functions, as opposed to passive measures such as guards or insulation.
Traditionally, safety has been implemented using hard-wired cut-off relays. In a situation leading to a hazard, the relay must operate and bring the equipment to a safe condition.
A Safety Instrumented System (SIS) is also referred to as an Emergency Shutdown (ESD) system. In parallel to the regular control system, and largely independent of it, a safety system with its own controller and sensors is implemented to handle the reactions to safety violations. The SIS or ESD is specified for a higher integrity than the control system, so that the failure of any single component of the emergency system does not compromise the safety of the plant. This approach is favoured by process plants, for example in the oil & gas and nuclear industries.
Smart Safe Reaction
A standard way to react to an unsafe situation, referred to as a ‘Safety Event’, is to stop the machine or remove power from the dangerous parts. However, the safety reaction should be tailored to the requirements of the process and of the event, keeping the loss of production to a minimum. This kind of reaction is called a Smart Safe Reaction. For instance, when a safety door is opened, instead of coming to a stop the system can switch to Safe Direction of Rotation combined with Safe Limited Speed, so that the remaining motion cannot harm the person at the open door.
What is SIL?
Safety Integrity Level (SIL) is a relative level of risk reduction provided by a safety function, or the target level of risk reduction that a safety function must achieve. In IEC 61508 it is a standardised measure defined in terms of the probability of a dangerous failure of the safety function: the average frequency of dangerous failure per hour (PFH) for high-demand or continuous mode, or the average probability of failure on demand (PFD) for low-demand mode; SIL 1 is the lowest and SIL 4 the highest level. Machinery standards use comparable measures, namely the Performance Level (PL a to e) and the Category (Cat. B, 1 to 4) of ISO 13849-1. It is significant to note, however, that a higher safety level does not necessarily mean higher quality. The SIL levels indicate how robustly the system detects faults, meaning that it reacts to most faults appropriately and thereby ensures the safety of the machine and of the person.
When is a machine SIL-3 compliant?
It must be noted that a SIL is meaningful only for a complete safety function, that is, the whole chain from the sensor through the logic solver to the actuator, and not for a single component: a SIL 3 rated safety PLC on its own does not make the machine SIL 3 compliant. The SIL achieved by the machine or plant is derived from the SIL capability and the failure rates of the individual components, and from the relevant failure modes (single and combined) together with the associated risk.
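As an added illustration of the two preceding sections (this is example code written for this page, not B&R's), the following derives the SIL that a complete safety function achieves from its subsystems. It assumes the IEC 61508 high-demand PFH bands, the simple additive rule that the PFH of a loop is the sum of its subsystems' PFH, and the rule that no subsystem may be used above its own SIL claim limit. The subsystem names and figures are constructed for illustration and are not from the article.

```python
# Added example, not from the article: derive the SIL a complete safety
# function achieves from its subsystems.  Assumptions (not stated in the
# article): the IEC 61508 high-demand / continuous-mode PFH bands, the
# additive rule PFH(loop) = sum of subsystem PFH, and the rule that no
# subsystem may be used above its own SIL claim limit.  The subsystem
# names and figures below are constructed for illustration.

# IEC 61508-1, high demand / continuous mode: (SIL, PFH lower bound, upper bound)
# PFH = average frequency of a dangerous failure of the safety function, per hour.
PFH_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def sil_from_pfh(pfh):
    """Map a PFH value to the SIL band it falls in.

    Returns 0 when the failure rate is too high even for SIL 1.  SIL 4 is the
    highest level the standard defines, so a rate below its band still maps to 4.
    """
    if pfh < 1e-9:
        return 4
    for sil, lower, upper in PFH_BANDS:
        if lower <= pfh < upper:
            return sil
    return 0


def achieved_sil(subsystems):
    """SIL of a safety function built from (name, pfh, sil_claim_limit) subsystems.

    The function is limited both by the summed failure rate of the whole loop
    and by the weakest subsystem's claim limit: a SIL 3 logic solver cannot
    lift a SIL 2 sensor to SIL 3.
    """
    total_pfh = sum(pfh for _, pfh, _ in subsystems)
    by_rate = sil_from_pfh(total_pfh)
    by_claim = min(limit for _, _, limit in subsystems)
    return min(by_rate, by_claim)


# Constructed figures: a SIL 3 safety PLC and a SIL 3 contactor pair behind
# a single-channel guard switch that is only certified for SIL 2.
LOOP_SINGLE_CHANNEL_SENSOR = [
    ("single-channel guard switch", 2.0e-8, 2),
    ("safety PLC", 1.0e-9, 3),
    ("redundant contactors", 5.0e-9, 3),
]

# The same loop with a two-channel, SIL 3 capable guard switch.
LOOP_TWO_CHANNEL_SENSOR = [
    ("two-channel guard switch", 1.0e-8, 3),
    ("safety PLC", 1.0e-9, 3),
    ("redundant contactors", 5.0e-9, 3),
]

if __name__ == "__main__":
    for loop in (LOOP_SINGLE_CHANNEL_SENSOR, LOOP_TWO_CHANNEL_SENSOR):
        print([name for name, _, _ in loop], "-> SIL", achieved_sil(loop))
```

With the single-channel switch the summed PFH would allow SIL 3, yet the function is capped at SIL 2 by the sensor's claim limit; swapping in the two-channel switch yields SIL 3. Conversely, a slow sensor whose PFH pushes the loop total above 1e-7 drops the function to SIL 2 even though every component is individually SIL 3 capable.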
What are the applicable standards?
Safety concerns itself with the reduction of unacceptable risks to life and limb. It is therefore a topic of much regulation by the authorities. Voluminous standards define the terms, the parameters and the acceptable levels or limits. It is key to understand that these standards are continuously being revised and republished. In addition, there are several country- and industry-specific requirements.
In the case of production machinery, Integrated Safety is favoured because it brings many benefits. It provides an independent controller for safety with its own safety sensors for presence detection. It also avoids the double wiring of sensors, which is in itself a source of errors. Integrated safety is a strategy by which rigid safety reactions are replaced by flexible reactions that take into account machine modes such as start-up, maintenance or production. Integrated Safety is the state of the art and the way forward.
To avoid the painfully high cost of stopped production, availability must be designed into machinery from the start. Intelligent safety technology plays a critical role in preventing downtime and production outages.
The general approach taken with series-produced machinery is to equip it with a suite of customisation options. This places special demands on the safety technology that traditional safety solutions cannot meet. Smart Safe Reaction can be designed to provide the required safety level for every machine variant.
In a production line, machines from different vendors must interact. With integrated, network-based safety technology, the entire line can react to safety events in a coordinated way. Safe communication is provided by bus-independent safety protocols, which carry the safety data with their own integrity checks over whatever fieldbus or network is in use.
The next extension of the Integrated Safety approach is to move the safety intelligence into the I/O: the logic needed for a safety function can be integrated into the I/O module itself, or the I/O acquisition can be integrated into the safety CPU. This makes safety a viable option even for small machines and for the various add-on units of a machine.
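To make the phrase "bus-independent safety protocol" concrete, here is an added toy illustration (written for this page; it is not B&R's code and not any particular safety protocol) of the black-channel principle: the safety layer adds its own sequence counter, CRC and watchdog to each telegram, so that lost, repeated, corrupted or delayed frames are detected regardless of the transport underneath. The frame layout, the choice of CRC-32, the watchdog limits and the sample traffic are all assumptions constructed for the example.

```python
# Added example, not B&R's code and not any specific safety protocol: a toy
# illustration of the black-channel principle used by bus-independent safety
# protocols.  Frame layout, the use of CRC-32 and the limits are assumptions.
import struct
import zlib

SEQ_FMT = ">H"   # 16-bit running sequence counter
CRC_FMT = ">I"   # CRC-32 over counter + safe data.  A real protocol chooses its
                 # polynomial for a proven residual error rate; CRC-32 is a stand-in.
HEADER_LEN = struct.calcsize(SEQ_FMT)
TRAILER_LEN = struct.calcsize(CRC_FMT)


def build_frame(seq, safe_data):
    """Producer side: wrap the safety data with counter and CRC."""
    body = struct.pack(SEQ_FMT, seq & 0xFFFF) + safe_data
    return body + struct.pack(CRC_FMT, zlib.crc32(body) & 0xFFFFFFFF)


class SafeConsumer:
    """Consumer side.  Any doubt about the data is resolved towards the safe state."""

    def __init__(self, watchdog_cycles):
        self.expected_seq = 0
        self.cycles_without_data = 0
        self.watchdog_cycles = watchdog_cycles   # max cycles tolerated without valid data
        self.in_safe_state = False               # latched; a higher layer must reset

    def on_cycle(self, frame):
        """Called once per control cycle with the frame that arrived (None if none).

        Returns (safe_data or None, status).  A corrupted or missing frame is
        discarded and counted against the watchdog; a frame from the past
        (repeated, stale or replayed data) trips the safe state immediately.
        """
        if self.in_safe_state:
            return None, "safe_state"
        if frame is not None and len(frame) >= HEADER_LEN + TRAILER_LEN:
            body, crc_bytes = frame[:-TRAILER_LEN], frame[-TRAILER_LEN:]
            if struct.unpack(CRC_FMT, crc_bytes)[0] == zlib.crc32(body) & 0xFFFFFFFF:
                seq = struct.unpack(SEQ_FMT, body[:HEADER_LEN])[0]
                # How far ahead of the expected counter is this frame (mod 2^16)?
                # Gaps up to the watchdog length are losses already covered by the
                # watchdog; anything else is old data and must never be acted on.
                delta = (seq - self.expected_seq) & 0xFFFF
                if delta > self.watchdog_cycles:
                    self.in_safe_state = True
                    return None, "sequence_error"
                self.expected_seq = (seq + 1) & 0xFFFF
                self.cycles_without_data = 0
                return body[HEADER_LEN:], "ok"
            status = "crc_error"
        else:
            status = "no_data"
        self.cycles_without_data += 1
        if self.cycles_without_data > self.watchdog_cycles:
            self.in_safe_state = True
            return None, "watchdog_expired"
        return None, status


def run_traffic(frames, watchdog_cycles=2):
    """Feed a constructed sequence of received frames (None = nothing arrived)
    through one consumer and return the status of every cycle."""
    consumer = SafeConsumer(watchdog_cycles)
    return [consumer.on_cycle(f)[1] for f in frames]


# Constructed traffic: two good frames, a bit flip in the third, one lost
# frame, a good frame, then a replay of an old frame.
GOOD = [build_frame(i, b"RUN") for i in range(6)]
CORRUPTED = GOOD[2][:HEADER_LEN] + bytes([GOOD[2][HEADER_LEN] ^ 0x01]) + GOOD[2][HEADER_LEN + 1:]
SCENARIO_REPLAY = [GOOD[0], GOOD[1], CORRUPTED, None, GOOD[4], GOOD[1], GOOD[5]]
# Constructed traffic: one good frame, then silence beyond the watchdog.
SCENARIO_SILENCE = [GOOD[0], None, None, None]
```

Running `run_traffic(SCENARIO_REPLAY)` gives `ok, ok, crc_error, no_data, ok, sequence_error, safe_state`: the corrupted and lost frames are tolerated for as long as the watchdog allows, the frame with counter 4 is accepted because the gap is within that allowance, but the replayed frame 1 is old data and latches the safe state. `run_traffic(SCENARIO_SILENCE)` gives `ok, no_data, no_data, watchdog_expired`.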
How is safe PLC different from regular PLC?
Safety equipment needs to be rugged and highly available. The challenge for this equipment is that the probability of a wrong diagnosis or a wrong action must be minimal. Safety is definitely more important than commercial concerns, yet productivity cannot be thrown to the winds either.
There are several aspects to this, as discussed in the following:
Rugged HW design: The controllers are designed with two independent, redundant microprocessors that exchange and cross-check their data via shared memory, so that a single error or fault cannot lead to a dangerous situation.
Robust programming of the safety application: Safety programming is done in a team, generally of three people. The safety application engineer (SAE) creates the safety application according to the customer's Safety Requirement Specification (SRS). The safety test engineer (STE) writes the test specification and tests, verifies and validates the safety application created by the SAE. The functional application engineer programs the main controller to meet the functional requirements of the machine.
Rugged and controlled means of replacing I/O modules: Safe I/O modules come equipped with an electronic data sheet, so that each module can identify itself to the controller. If the controller program expects a different module type at that location, it flags a violation.
Robust check on updating programs on the controller: A safe PLC stores its program on a SafeKey, a removable memory device. The key has a locking mechanism, so inadvertent removal during running operation is not possible. Strict version and revision controls are implemented.
Programming platform to support all of the above: From the above it is clear that one should look for a programming platform that supports these activities; the highest level of safety cannot be achieved by administrative controls alone.
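The following added example (written for this page, not B&R's code) models two of the aspects just listed in one controller cycle: two independent channels that each evaluate the safety function and are cross-checked, and I/O modules that identify themselves through an electronic data sheet and are compared against the expected configuration before any output is enabled. The module types, data-sheet fields and input values are constructed for illustration.

```python
# Added example, not B&R's code: a toy safety-controller cycle showing
# (1) two independent channels with cross-check and (2) I/O module identity
# checking against the expected configuration.  Module types, data-sheet
# fields and input values are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleIdent:
    """What a module reports about itself (hypothetical data-sheet fields)."""
    slot: int
    module_type: str
    firmware: int


def check_io_configuration(expected, reported):
    """Compare the configured module list with what the modules report.

    Returns a list of violation strings; an empty list means the I/O layout is
    what the safety program was validated against.  A different module, a
    missing module, an extra module or an older firmware is each a violation.
    """
    violations = []
    reported_by_slot = {m.slot: m for m in reported}
    for exp in expected:
        got = reported_by_slot.pop(exp.slot, None)
        if got is None:
            violations.append(f"slot {exp.slot}: {exp.module_type} missing")
        elif got.module_type != exp.module_type:
            violations.append(f"slot {exp.slot}: expected {exp.module_type}, found {got.module_type}")
        elif got.firmware < exp.firmware:
            violations.append(f"slot {exp.slot}: firmware {got.firmware} older than validated {exp.firmware}")
    for slot, extra in sorted(reported_by_slot.items()):
        violations.append(f"slot {slot}: unexpected module {extra.module_type}")
    return violations


def channel_logic(estop_pressed, guard_closed):
    """The safety function, evaluated by each processor on its own copy of the
    inputs: the output may be enabled only if the E-stop is released AND the
    guard is closed."""
    return (not estop_pressed) and guard_closed


def two_channel_output(inputs_a, inputs_b):
    """1oo2 evaluation: both channels must agree to enable the output.

    Any disagreement (a stuck input, a processor fault) is treated as a fault
    and forces the safe, de-energised state.  Real controllers tolerate a short
    discrepancy time before declaring the fault; that refinement is omitted.
    """
    out_a = channel_logic(*inputs_a)
    out_b = channel_logic(*inputs_b)
    if out_a != out_b:
        return False, "discrepancy"
    return out_a, "ok"


def safety_cycle(expected_io, reported_io, inputs_a, inputs_b):
    """One controller cycle: configuration check first, then the cross-checked logic.
    Returns (output_enabled, status)."""
    violations = check_io_configuration(expected_io, reported_io)
    if violations:
        return False, "io_config: " + "; ".join(violations)
    return two_channel_output(inputs_a, inputs_b)


# Constructed configuration: a safe digital input module and a safe output module.
EXPECTED_IO = [ModuleIdent(1, "SafeDI-8", firmware=3), ModuleIdent(2, "SafeDO-4", firmware=2)]

if __name__ == "__main__":
    # Both channels see E-stop released and guard closed: output enabled.
    print(safety_cycle(EXPECTED_IO, EXPECTED_IO, (False, True), (False, True)))
    # Channel B reads the E-stop as pressed while A does not: discrepancy, safe state.
    print(safety_cycle(EXPECTED_IO, EXPECTED_IO, (False, True), (True, True)))
    # Modules swapped between slots: configuration violation, safe state.
    swapped = [ModuleIdent(1, "SafeDO-4", 2), ModuleIdent(2, "SafeDI-8", 3)]
    print(safety_cycle(EXPECTED_IO, swapped, (False, True), (False, True)))
```

The order of the checks is the point: the I/O configuration is verified before the logic is trusted, and a disagreement between the channels is never resolved in favour of the enabling channel.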
All machinery has moving parts, and motion is usually controlled by drives. These drives are nowadays intelligent, and many safety-related functions can be realised using the processors inside them. One important point is that simply switching off the drive is not always safe, because it leaves the motor uncontrolled and the drive without any means of monitoring. The preferred function is therefore STO, Safe Torque Off, in which the drive itself removes the torque-producing energy from the motor while remaining powered and able to supervise the stop. In systems with multiple drives it is also necessary to achieve a synchronised stop when the conditions permit. It is equally important to prevent an unwanted or premature restart.
Safety is a very important topic and needs to be taken seriously by all plant builders and owners. Since many a plant or line will contain controllers of different makes, it is recommended to insist on bus-independent safety protocols.
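As an added example (written for this page; not B&R's code) covering this paragraph and the earlier ‘Smart Safe Reaction’ section, the following toy model shows Safe Torque Off, Safe Limited Speed as the milder reaction to a guard opened in maintenance mode, a synchronised stop of every drive in a group, and a restart inhibit that releases only on an explicit acknowledge. The state names, the speed limit, the machine modes and the event names are assumptions.

```python
# Added example, not B&R's code: a toy model of drive-side safety behaviour.
# STO, SLS, the machine modes, the event names and the limits are assumptions.
from enum import Enum


class DriveState(Enum):
    RUN = "run"                   # normal operation
    SLS = "safe_limited_speed"    # running, speed monitored against a limit
    STO = "safe_torque_off"       # torque-producing energy removed, drive still powered


class SafeDrive:
    def __init__(self, name, sls_limit_rpm):
        self.name = name
        self.sls_limit_rpm = sls_limit_rpm
        self.state = DriveState.RUN

    def request_sls(self):
        if self.state == DriveState.RUN:
            self.state = DriveState.SLS

    def request_sto(self):
        self.state = DriveState.STO

    def monitor(self, speed_rpm):
        """Called every cycle with the measured speed.  In SLS, exceeding the
        limit is a safety violation and the drive escalates to STO by itself
        (in a coupled group this would also be raised as a group event)."""
        if self.state == DriveState.SLS and abs(speed_rpm) > self.sls_limit_rpm:
            self.request_sto()
            return "sls_violation"
        return "ok"


class DriveGroup:
    def __init__(self, drives):
        self.drives = list(drives)

    def safety_event(self, event, machine_mode):
        """Smart safe reaction: choose the reaction from the event and the mode.

        An E-stop, or a guard opened in production, removes torque from every
        drive in the same cycle so that coupled axes stop together (synchronised
        stop).  A guard opened in maintenance mode only limits the speed.
        """
        if event == "estop" or (event == "guard_open" and machine_mode != "maintenance"):
            for d in self.drives:
                d.request_sto()
            return "sto_all"
        if event == "guard_open":
            for d in self.drives:
                d.request_sls()
            return "sls_all"
        raise ValueError(f"unknown safety event {event!r}")

    def guard_closed(self):
        """Closing the guard ends SLS; drives that went to STO stay there."""
        for d in self.drives:
            if d.state == DriveState.SLS:
                d.state = DriveState.RUN

    def reset(self, demand_present, acknowledge):
        """Restart inhibit: drives leave STO only when the demand that caused it
        has cleared AND an operator acknowledges.  Clearing the demand alone
        (closing the door, releasing the E-stop) never restarts the motors."""
        if demand_present or not acknowledge:
            return False
        for d in self.drives:
            if d.state == DriveState.STO:
                d.state = DriveState.RUN
        return True

    def states(self):
        return [d.state for d in self.drives]


if __name__ == "__main__":
    group = DriveGroup([SafeDrive("axis_x", 100), SafeDrive("axis_y", 100)])
    print(group.safety_event("guard_open", "maintenance"), group.states())
    print(group.drives[0].monitor(150), group.states())       # SLS violated on axis_x
    print(group.reset(demand_present=False, acknowledge=False), group.states())
    print(group.reset(demand_present=False, acknowledge=True), group.states())
```

The reset rule is the one worth copying: a restart needs both the absence of the demand and a deliberate acknowledge, so a door swinging shut or a released E-stop button on its own never sets the motors in motion again.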
Courtesy: B&R Industrial Automation