STSARCES project - final report - part 2


2.1. Increasing use of CES for safety applications

At the end of the 70s/beginning of the 80s, electronic systems were introduced into mechanical engineering. At first, they were used only in functions not related to safety. However, attempts were made to use such technology for safety-critical applications. This intention met with the bitter resistance of practically all established safety experts. This was not surprising: the electronic techniques met none of the safety criteria and principles of classic control technology which had been successfully applied in the past. A comparison shows just how big the problem was:

  • Inherent safety, in other words, safety guaranteed by the design of individual components, cannot be achieved with electronic systems.
  • It is virtually impossible to exclude the possibility of failures with physical causes, as is possible with electromechanical circuits.
  • The nature of possible defects and their consequences are usually known in the case of electromechanical components; they are mostly unknown for complex integrated circuits.
  • Programmable systems are highly complex. We have to accept – and this is something new – that these systems are no longer fully testable.
  • If modifications are made, there is a relatively high risk – compared with conventional technology – that serious defects are integrated without being noticed.
  • Electro-Magnetic Compatibility (EMC) is no problem in electromechanical components; PES, however, are extremely sensitive to it.
  • Several other proven safety methods, such as grounding control circuits or starting up by logic "high", make little sense or are not practicable in electronic systems.

These problems were solved by national and international standardisation papers which introduced basic requirements especially during design and testing of CES to overcome these difficulties. All these papers are based on a safety life cycle. The following three examples will illustrate how the situation developed during the past ten years.

Presumably, paper-cutting machines were the first machines to use computers for safety functions at the beginning of the 80s. Paper-cutting machines, which are used in large numbers in paper-processing factories, are especially dangerous machines. Fingers and hands can be seriously injured by the press cross-head and blade if a cut unexpectedly occurs as a result of a malfunction or if integrated protective devices (electro-sensitive device and two-hand control) fail.

This posed a problem because there was a lack of practical experience in industrial applications and of suitable assessment methods. In cooperation with a German test house, the first machine manufacturer decided to develop the control in diverse redundancy, where one channel was the computer and the other was hard-wired in CMOS logic. Now, after more than 15 years and several generations of machines, almost all manufacturers of large paper-cutting machines use computer control systems. State-of-the-art technology for category 4 controls (according to EN 954-1) means: diverse or homogeneous redundancy with fail-safe comparator, two-hand control and light curtain.

The great need of industry forced the national standardisation body in Germany to create a general standard for safety-related computer control, see DIN V VDE 0801[i]. The technical content of this national standard was later carried over into European standardisation, see EN 954-1[ii], and international standardisation, see IEC 61508[iii].

Electro-sensitive protective equipment has been used to ensure the safety of machines and potentially dangerous areas for almost 30 years. So far, protective field geometry has always been unchangeable: computers were not used until around 1992. At the beginning of the 90s, several light curtains were manufactured which contained microcontrollers in homogeneous redundancy. The German draft DIN V VDE 0801 was used as the basis for certification. This standard is based on DIN V 19250[iv], which builds up a hierarchical system of eight risk reduction levels. These first light curtains using CES were certified according to level 5 of DIN V VDE 19250 and could be used as electro-sensitive protective devices for power presses.

Figure 1 : Laser scanner for area protection

In the last 2-3 years, there has been a real "quantum leap" in these systems. Not only microprocessors but also the applied physical principle are revolutionising the previous safety philosophy of electro-sensitive protective equipment. In the past, for example, the safety function of electro-sensitive protective devices was actuated exclusively through interruption of the beam of light.

In the illustrated example (Figure 1) of the "laser scanner", the human body in the danger area is detected through the reflection of an infrared beam of light. A rotating beam of light rapidly scans the danger area and transmits an image of the area to the computer. To determine the person's exact position, the running time of the light from the equipment to the person and back is measured. The protective field geometry can be adjusted via the software. This makes its use very flexible.
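The evaluation described above, sketched as an added example (not code from the report or from any scanner manufacturer): the round-trip time of each beam is converted to a position, which is then tested against a protective field polygon that software can replace. The field coordinates, the plausibility bound and the rule that an implausible sample forces a stop are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define C_M_PER_NS  0.299792458 /* speed of light in metres per nanosecond */
#define MAX_TRIP_NS 400.0       /* constructed plausibility bound (about 60 m) */

typedef struct { double x, y; } point_t;
/* Beam direction as a unit vector (fixed per scan step) and measured round trip. */
typedef struct { double dir_x, dir_y, round_trip_ns; } sample_t;

/* The light travels to the object and back, so the path is halved. */
double distance_m(double round_trip_ns) { return round_trip_ns * C_M_PER_NS / 2.0; }

/* Ray-casting test: does p lie inside the configured protective field? */
bool in_field(const point_t *f, size_t n, point_t p) {
    bool inside = false;
    for (size_t i = 0, j = n - 1; i < n; j = i++) {
        if ((f[i].y > p.y) != (f[j].y > p.y) &&
            p.x < (f[j].x - f[i].x) * (p.y - f[i].y) / (f[j].y - f[i].y) + f[i].x)
            inside = !inside;
    }
    return inside;
}

/* Returns true if the machine must stop: an object lies inside the field, or a
   sample is implausible (NaN fails the range test as well, so it also stops). */
bool scan_requires_stop(const point_t *field, size_t n,
                        const sample_t *scan, size_t count) {
    for (size_t i = 0; i < count; i++) {
        double t = scan[i].round_trip_ns;
        if (!(t > 0.0 && t <= MAX_TRIP_NS)) return true;
        double d = distance_m(t);
        point_t p = { d * scan[i].dir_x, d * scan[i].dir_y };
        if (in_field(field, n, p)) return true;
    }
    return false;
}

int main(void) {
    /* Constructed data: scanner at the origin, one object about 3 m straight ahead. */
    point_t field_2m[] = { {-1, 0}, {1, 0}, {1, 2}, {-1, 2} };
    point_t field_4m[] = { {-1, 0}, {1, 0}, {1, 4}, {-1, 4} };
    sample_t scan[] = { { 0.0, 1.0, 20.0 } };
    printf("2 m field: stop=%d\n", scan_requires_stop(field_2m, 4, scan, 1));
    printf("4 m field: stop=%d\n", scan_requires_stop(field_4m, 4, scan, 1));
    return 0;
}
```

The same measurement leads to a different decision once the field polygon is exchanged, which is why the field configuration itself has to be treated as safety-related data.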

The electro-sensitive scanner depicted here is implemented in Category 3 according to EN 954-1. The architecture of the system is single-channelled with numerous self-tests and additional monitoring devices[v].

The first company to introduce such a system on the market took 15 man-years in a development period of 3 years. Because of the many fundamental questions which had to be answered, the effort to validate the first system by the test house took 1.5 man-years. Today more than sixty thousand computer-controlled electro-sensitive devices are used in all kinds of applications. No accident caused by technical faults in the system has been reported so far.

Machining centres are numerically controlled and have facilities to enable tools to be changed automatically from a magazine or similar storage unit in accordance with the machining programme. The most dangerous situation is an unexpected movement, start or speed acceleration when the worker observes the process while the protective guards are still open. To avoid this risk, machining centres in the past required the protective guards to be opened and closed very often in the setting mode.

With a new safety concept, based on computers, the worker can operate in the setting mode with open protective guards and observe and estimate the machine's movements. In the new approach, safe monitoring was integrated in a diverse redundant computer. The computers primarily responsible for the non-safety functions of the machine are part of the diverse redundant architecture[vi].

If the automatic motion is controlled in this safe way the user can move inside defined areas. Any deviation in space or velocity is detected by the diverse redundant adjustable speed power drive system, realised by safe software. In a highly flexible way the machine can be adapted to the work of the user and not vice versa. The safety functions realised by the integrated monitoring are safely reduced speed, safe operational stop, safe standstill, safe limit switch (by software) and safe position switches (by software).
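The monitoring principle described above, and the redundancy with fail-safe comparator mentioned earlier for paper-cutting machines, as an added example (not code from the report or from any drive manufacturer). The two channels and the comparator are modelled as functions in one program, whereas a real system runs them on separate hardware; all limits, scalings and names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All limits and scalings below are constructed values for illustration. */
#define CYCLE_MS          10   /* monitoring cycle */
#define UM_PER_COUNT      5    /* channel A encoder resolution */
#define SLS_LIMIT_MM_MIN  2000 /* safely reduced speed: guards open, setting mode */
#define STANDSTILL_MM_MIN 30   /* tolerated creep for safe operational stop */
#define CROSS_TOL_MM_MIN  60   /* largest accepted disagreement between channels */

typedef struct { bool tripped; } monitor_t; /* a trip stays latched until reset */

static int64_t magnitude(int64_t v) { return v < 0 ? -v : v; }

/* Channel A: speed in mm/min from the encoder counts seen in one cycle. */
static int64_t speed_a(int32_t delta_counts) {
    return magnitude(delta_counts) * UM_PER_COUNT * 60 / CYCLE_MS;
}

/* Channel B: speed in mm/min from a second, independent position (micrometres). */
static int64_t speed_b(int64_t prev_um, int64_t now_um) {
    return magnitude(now_um - prev_um) * 60 / CYCLE_MS;
}

static int64_t limit_for(bool guard_open, bool setting_mode) {
    if (!guard_open) return INT64_MAX; /* guards closed: no speed limit applies */
    return setting_mode ? SLS_LIMIT_MM_MIN : STANDSTILL_MM_MIN;
}

/* Returns true only while motion may stay enabled. */
bool monitor_step(monitor_t *m, bool guard_open, bool setting_mode,
                  int32_t delta_counts, int64_t prev_um, int64_t now_um) {
    int64_t va = speed_a(delta_counts), vb = speed_b(prev_um, now_um);
    int64_t lim = limit_for(guard_open, setting_mode);
    /* Comparator: a limit violation seen by either channel, or the two
       channels disagreeing, forces the safe state. */
    if (va > lim || vb > lim || magnitude(va - vb) > CROSS_TOL_MM_MIN)
        m->tripped = true;
    return !m->tripped;
}

int main(void) {
    monitor_t m = { false };
    printf("1500 mm/min, guards open: %d\n", monitor_step(&m, true, true, 50, 0, 250));
    printf("channels disagree:        %d\n", monitor_step(&m, true, true, 50, 250, 350));
    printf("after trip, slow again:   %d\n", monitor_step(&m, true, true, 10, 350, 400));
    return 0;
}
```

A disagreement between the channels trips the monitor even when both speeds are below the limit, because a fault in one measuring path must not be able to mask an overspeed.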

2.2. Basis for the validation of CES

As mentioned in the previous paragraph, safety-related CES are today certified according to EN 954 in conjunction with national specifications such as DIN V VDE 0801. Some authorities have also used the draft international standard IEC 61508 for the certification of safety-related programmable logic controllers[vii]. In most cases a certificate mentions EN 954-1, national specifications and sometimes IEC 61508 as test requirements. Nevertheless, there is today no internationally used procedure for the validation of safety-related CES in the machinery sector, and no common practice between test houses in Europe. Some general remarks can be made on the basis of the procedures used today:

  • Validation at the end of development only, when the product is complete, is no longer possible. As the development process itself is an essential subject of the validation, it is advisable to involve the validating body in advance in order to agree on the documents to be submitted.
  • The specification of the safety-related CES is of key importance and needs to be inspected by the certifying authority. One of the important inputs of the specification is the required risk reduction of the CES when used in a specific safety function. If a CES is manufactured without a specific safety function in mind, the minimum achievable risk reduction of the CES, as a subsystem, has to be specified.
  • During all phases of the product life cycle analytical and testing measures are necessary to achieve a product which is robust against random and systematic failures. These measures have to be taken mainly by the CES manufacturer and they increase the effort of development dramatically.
  • Software is getting more and more important for the safety integrity of modern CES. A comprehensive understanding of the safety-related software is essential for the CES validation. The simpler the hardware looks, the more complex the integrated software can be.
  • The installer and user of the CES need sufficient information and also ergonomic software for a safe installation and use of safety-related CES. This documentation and the software are a very important part of the validation process.
  • The modification of CES is a very critical process and has to be planned during the first design. The certifying authorities have to be involved in the entire maintenance process of safety-related CES.

The following chapter will describe a harmonised procedure for the validation of safety-related CES while chapter 4 considers the applicability of EN 954 and IEC 61508 to the machinery sector.