Control-technology-related protective measures are implemented using safety functions. These are functions of a machine which, if it fails, increases the risk, but does not have any immediate effects on the production process. Safety functions are made up of safety components and typically consist of a sensor, control logic and one or more actuators. Example: The opening of a safety door which is monitored by a position switch (sensor) generates a signal for switching off (logic) drives 1, 2 and 3 (actuators).
According to the current state of the art, the achieved safety performance level PL must be verified for each installed safety function and compared with the required PLr determined by the risk assessment. Whereas the basic data necessary to do this is easily obtainable for safety components today, it is usually unavailable for older controls, sensors and actuators. As soon as sensors with safety functionality are integrated in a standard PLC or a relay control (e.g. E-Stop in series with normal start/stop switching), it is no longer possible to assess them in terms of functional safety. A PL calculation can only be successful if all components of a safety function have a safe design and if the safety functions are clearly separated from the operating functions.
Safety technology uses various principles which are not necessarily applied in the "normal" design of a control, e.g.
- Measures for increasing the reliability of function channels such as
- Multi-channel capability of the function channels with comparison of the results
- Evaluation of multiple signals with sequence and/or time expectation
- Defined failure and shutdown behavior when faults are detected
- Application of proven safety principles (e.g. quiescent current principle)
- Measures for diagnosis through
- Comparison of the results from two function channels or
- Cyclical testing of a function channel with clear expectations
- Measures for minimizing design errors and errors with a common cause during development, such as consistent working according to the V-model with safety requirement specification, verification and validation.
Of course, the pure functionality of safety functions can also be implemented using standard technology, just as signals requiring safe processing can be erroneously generated by a standard control. These functions may remain intact over many years and their incorrect design may therefore not come to the fore, which all speaks in favor of the channel reliability. However, they can fail undetected at any time and cause dangerous situations ⟹ This interpretation of safety functions does not give rise to correct safety technology in accordance with the current state of the art. At best, PL a with Cat. B is achieved, which is inadequate for practically all safety functions used on machines.
Selection of operating modes
Machines are not permitted to pose significant risks during operation. This requirement of the machinery directive (for manufacturers) and the German Ordinance on Industrial Safety and Health (BetrSichV) (for operating companies) applies to all life and operating phases and uses. It is therefore not enough for protective devices to be effective only during normal operation (automatic operation). No unacceptably high risks are permitted to arise during setup, troubleshooting, maintenance, repair, etc. either.
Whereas manufacturers are not allowed to put unsafe machines into circulation in Europe, operating companies are obliged according to the BetrSichV to, where necessary, retrofit unsafe work equipment in their companies with (in this order) technical, organizational and personal measures until an acceptably low residual risk is achieved. The personal responsibility for this lies with the respective "employer" of the operating company in terms of the BetrSichV.
If machines cannot be developed with a sufficiently high level of safety or do not currently have a sufficiently high level of safety, the risk must be reduced by means of additional protective measures. One possible measure is manual operating mode changeover, by means of which
- either relevant characteristic parameters of the machine (e.g. speeds, torques) are safely adapted to the protective devices which are active or have limited functionality depending on the respective process
- or protective devices are adapted to the existing machine parameters, e.g. by changeover of the active protective field or other parameters of the protective devices.
Selection of operating modes is superordinate to all other control functions with the exception of E-Stop.
A distinction is usually made between the following operating modes:
Operating mode 1 – Automatic operation / normal operation:
This operating mode can pose particularly high risks for the operator. As a general rule, all guards and electro-sensitive protective devices available on the machine are active here. When dangerous movements are approached, the safety distance of the protective devices ensure that these movements cannot be reached or come to a standstill before the point of operation is reached. Alternatively, protective devices cannot be opened until the dangerous movements of the machine have stopped (locking device).
Risk reduction is achieved by limiting the risk parameters "E – Exposition" (guards) and "O – Occurrence" (electro-sensitive protective devices). Whereas the process control is not subject to any particular safety requirements, the evaluation and integration of the protective devices must take place safely in accordance with the safety performance level PLr determined from the risk assessment.
Operating mode 2 – Setup mode:
In this operating mode, machines are prepared for subsequent automatic operation. The term "setup mode" therefore also covers possible "fault rectification" and "maintenance", "teach-in" and "retooling". If this operating mode requires the effect of protective devices to be reduced (e.g. smaller protective field) or to be completely canceled (overridden), then the affected machine functions must be safely limited accordingly. These measures include the following:
- all relevant movements must be triggered only in inching mode by means of manual, adequately safe actuators and, when the actuator is released, come to an immediate standstill (turning movements: after max. 2 revolutions),
- the speed of the relevant linear axes must not exceed 2 m/min = 33 mm/s,
- the operators have been specially trained for this operating mode and are therefore aware of the risks,
- Access similar to that for setup mode, to dangerous machine functions without risk reduction is not possible by manipulating safety-relevant sensors.
Risk reduction in setup mode is achieved through avoidance (risk parameter "A – Avoidance"). This requires limitation of machine functions to be implemented safely, i.e. with the safety performance level PLr determined from the risk assessment. Limitation of the rotational speed and linear speed of the drives must therefore be safely monitored, and control in inching mode must be safeguarded in compliance with PLr.
Operating mode 3 – Extended manual intervention:
This operating mode is used for processing under specific conditions, e.g. if the process needs to be controlled manually, but visibility is restricted. Here, manual intervention by the operator is necessary and allowed. Unlike automatic operation in Operating mode 1, the process can be controlled with limited or partially deactivated protective devices if
- the choice of machine functions compared to automatic operation is limited,
- automatically operating machine parts, e.g. feeds, are out of operation,
- operation in the working area is via a handheld operating unit,
- the operators have been trained accordingly for this operating mode and are aware of the risks,
- the handheld operating unit has an E-Stop device and enabling button, after the release of which all relevant movements stop immediately (turning movements: after max. 5 revolutions),
- the speed of linear axes does not exceed 5 m/min = 83 mm/s.
Risk reduction is achieved by limiting the risk parameter "E – Exposition" (one hand is on the enabling button of the handheld operating unit and the other hand is used for controlling), and avoidance (risk parameter "A – Avoidance") by limiting the speed. This requires the limitations to be implemented safely, i.e. with the safety performance level PLr determined from the risk assessment. Limitation of the rotational speed and linear speed of the drives must therefore be monitored safely; the selection of possible machine functions must be restricted safely ⟹ this necessitates safe control.
If every operating mode was in itself functionally safe in the sense of "safety", the changeover between the operating modes could take place without any special safety-related measures. However, because specific requirements are placed on the operators in the special operating modes 2 and 3, it must be ensured that only the operators intended for this task change over the operating mode. This is why security measures are additionally required. The choice of operating mode can be divided into the following:
- Access system, restricts access to a specific person group, e.g. as a key, electronic key system, password; has only an authorization function
- Selection system, e.g. control actuator, command device, selector switch for safe selection of an operating mode permitted for the person
- Activation system, e.g. enabling button, 2-hand operation via safe inputs of a control
If the access system has not been executed safely, the selection and activation system must be executed safely. The operating mode selector switch as an access system must be superordinate to all other control and operating functions, with the exception of E-Stop. The following also applies:
- It must be possible to operate the selector switch only with a key or comparable technology, e.g. encoded RFID transponder.
- It must be possible to lock, i.e. block, the selector switch in every, clearly identifiable, position such that a changeover without corresponding access authorization is not possible.
- From the location at which the selector switch is actuated, it is possible to control all machine parts operated in the selected operating mode.
- If multiple access systems exist for the same operating modes on one machine, they must be interlocked with respect to each other if impermissible changeover increases risks.
It must be possible to lock an electromechanical operating mode selector switch at any position.
It must be possible to control the machine parts to be moved depending on the operating mode, from the location at which the selector switch is actuated
The enabling function is a manually activated locking function specially intended for operating mode 3 "Extended manual intervention", which
- if actuated correctly, allows a machine cycle to be initiated with a separate start control
- and when actuation is ended, initiates a stop function
- and with no actuation, prevents initiation of a machine movement.
An enabling device must be set up such that the possibility of circumventing it is minimized, e.g. by the enabling device needing to be deactivated before a new machine cycle can be initiated. Enabling devices must be selected such that:
- they are designed in accordance with ergonomic principles,
- for a type with two positions:
- Position 1: OFF function of the switch (control element is not actuated);
- Position 2: Release function (control element is actuated);
- for a type with three positions:
- Position 1: OFF function of the switch (control element is not actuated);
- Position 2: Release function (control element is actuated and in its middle position);
- Position 3: OFF function (control element is moved out of its middle position);
- if the control element is moved back from position 3 to position 2, the release function is not activated.