Functional safety
The special features of pneumatics
Contactors are often used to control pneumatic valves that also perform safety functions in accordance with EN ISO 13849. In the course of the risk assessment, pitfalls can lurk in terms of functional safety that are not known from the electrical side.
The Machinery Directive 2006/42/EC is the basis for a uniform level of protection for accident prevention for machinery in Europe. As such, it requires the risk assessment of a machine in accordance with EN ISO 12100 for the evaluation and reduction of risks. The harmonized standard EN ISO 13849 describes a probabilistic method to reduce the risks of control systems. As the standard applies equally to mechanical, pneumatic, hydraulic and electrical control systems, the requirements for electrical and pneumatic control systems are basically similar. Nevertheless, there are a few differences to be noted, which are based more on the characteristics of the different forms of energy and actuators than on the structural design of the control technology. Specifically, ISO 13849-1 (general design principles) deals with the following aspects for safe control systems:
- Architecture of the system: this covers the designated architectures commonly referred to as categories B, 1, 2, 3 and 4.
- Reliability data (MTTFd, B10d) required for the individual parts of the system.
- Diagnostic Coverage (DC) of the system: This effectively represents the extent of fault monitoring in the system.
- Protection against common cause failures (CCF).
- Protection against systematic faults.
Many cases in mechanical and plant engineering require a structure in accordance with category 3. The architecture provided for this must use basic and well-tried safety principles (see annex to standard EN ISO 13849-2). It is also stipulated that safety must continue to be guaranteed in the event of a component failure. With regard to the safety function, the system or subsystem must therefore be single-fault tolerant. As a rule, a two-channel architecture (see Fig. 1) is used to fulfill this requirement. An additional requirement is the detection of individual faults, as far as this is practicable. The proportion of dangerous failures that are detected determines the DC value (diagnostic coverage) assigned to the system. In addition, measures must be taken against common cause failures (CCF). What this means in individual cases is illustrated below using a specific case study.

Drives stop at emergency stop
In principle, a category 4 structure is similar to category 3; the difference is that in category 4 every fault must be detected and an accumulation of faults must not lead to a loss of the safety function. This requires better diagnostics (DC ≥ 99 %). For a purely electrical function, for example, two positively driven NC contacts of the emergency stop button are wired to a safety relay in a category 4 setup. The relay controls two contactors, which in turn interrupt the energy supply to the drives. The safety relay regularly checks the two input signals for consistency. The two contactors, in turn, are read back into the relay via positively driven auxiliary or mirror contacts. In this way, a malfunction of the emergency stop button as well as of the contactors is detected.
If a malfunction is detected, the entire function is switched off and can only be restarted once the fault has been rectified. The drive is immediately disconnected from the power supply and coasts to a halt. In accordance with EN 60204-1, this immediate removal of power with uncontrolled stopping is called a 'Stop-0'. If the drive is first braked in a controlled manner when the emergency stop is activated and only then disconnected from the power supply, this is referred to as a 'Stop-1'. Positively driven (mechanically linked) contacts, for example, are used as a well-tried safety principle. Adequate measures must also be taken against common cause failures (CCF); the list of possible measures can be found in ISO 13849-2.
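The two-channel category 4 emergency-stop circuit just described (cross-monitoring of the two NC input channels, readback of the contactors via mirror contacts, latching of the detected fault until it is rectified) can be modelled as a small state machine. The following Python is an added illustrative model written for this article, not the firmware of any real safety relay and not a certified design; the signal conventions, the discrepancy limit and the scan sequences are constructed assumptions. It shows why each element is there: a single open channel already removes the enable (fail-safe direction), the discrepancy timer turns a persistent single-channel fault into a detected fault, and the feedback loop catches a contactor that did not drop out before the next restart.

```python
from dataclasses import dataclass

# Signal conventions (constructed for this model):
#   ch1_closed / ch2_closed  -> NC e-stop contact reads True while closed (button not pressed)
#   k1_mirror_closed / k2_mirror_closed -> mirror contact reads True while the contactor is
#       dropped out (mirror contacts are NC and open when the contactor pulls in)


@dataclass
class TwoChannelEStopMonitor:
    discrepancy_limit: int = 3      # scans the two channels may disagree (constructed value)
    outputs_enabled: bool = False   # True = contactor coils energized
    faulted: bool = False
    fault_reason: str = ""
    discrepancy_scans: int = 0

    def scan(self, ch1_closed: bool, ch2_closed: bool,
             k1_mirror_closed: bool, k2_mirror_closed: bool) -> bool:
        """One evaluation cycle; returns whether the contactors are energized."""
        if self.faulted:
            self.outputs_enabled = False
            return False
        # Consistency check of the two input channels (cross-monitoring).
        if ch1_closed != ch2_closed:
            self.discrepancy_scans += 1
            if self.discrepancy_scans > self.discrepancy_limit:
                self._latch_fault("e-stop channel discrepancy")
                return False
        else:
            self.discrepancy_scans = 0
        # Any open channel removes the enable immediately (fail-safe direction).
        if not (ch1_closed and ch2_closed):
            self.outputs_enabled = False
            return False
        # Readback before (re)energizing: both mirror contacts must confirm that both
        # contactors had dropped out. A welded main contact keeps its mirror contact open.
        if not self.outputs_enabled:
            stuck = [name for name, closed in (("K1", k1_mirror_closed),
                                               ("K2", k2_mirror_closed)) if not closed]
            if stuck:
                self._latch_fault("contactor readback: " + ", ".join(stuck) + " did not drop out")
                return False
            self.outputs_enabled = True
        return self.outputs_enabled

    def _latch_fault(self, reason: str) -> None:
        self.faulted = True
        self.fault_reason = reason
        self.outputs_enabled = False

    def reset(self, ch1_closed: bool, ch2_closed: bool,
              k1_mirror_closed: bool, k2_mirror_closed: bool) -> bool:
        """Restart only after the fault is rectified: channels consistent, both contactors open."""
        if ch1_closed == ch2_closed and k1_mirror_closed and k2_mirror_closed:
            self.faulted, self.fault_reason, self.discrepancy_scans = False, "", 0
            return True
        return False


def run_scans(monitor: TwoChannelEStopMonitor, scans) -> list:
    """Feed (ch1, ch2, k1_mirror, k2_mirror) tuples; return the enable state after each scan."""
    return [monitor.scan(*s) for s in scans]


def scenario_normal_stop_and_restart():
    m = TwoChannelEStopMonitor()
    scans = [
        (True, True, True, True),      # run request, both contactors confirmed open -> enable
        (True, True, False, False),    # running, contactors pulled in (mirrors open)
        (False, False, False, False),  # e-stop pressed on both channels -> off
        (False, False, True, True),    # contactors have dropped out
        (True, True, True, True),      # e-stop released -> restart permitted
    ]
    return run_scans(m, scans), m.fault_reason


def scenario_welded_contactor():
    m = TwoChannelEStopMonitor()
    scans = [
        (True, True, True, True),
        (True, True, False, False),
        (False, False, False, False),
        (False, False, False, True),   # K1 mirror stays open: K1 did not drop out
        (True, True, False, True),     # restart attempt -> readback fault latches
        (True, True, True, True),      # stays off even after K1 releases, until reset()
    ]
    return run_scans(m, scans), m.fault_reason


def scenario_channel_discrepancy():
    m = TwoChannelEStopMonitor(discrepancy_limit=2)
    scans = [(True, True, True, True)] + [(False, True, True, True)] * 4  # one channel stuck closed
    return run_scans(m, scans), m.fault_reason
```

In the discrepancy scenario the drive is already off from the second scan on, because one open channel is enough to remove the enable; the fault latch only adds the diagnosis that makes the defect visible and blocks an automatic restart.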
In the event of an electrically triggered emergency stop, there are several ways to stop a pneumatic drive. An STO (Safe Torque Off) ensures that the actuator is depressurized; depending on the installation position, speed, load and friction, the kinetic energy is then not dissipated quickly. As a rule, the drive continues to run to the end of its stroke due to inertia. The machine manufacturer must assess this risk and reduce it accordingly; this destructive energy often leads to machine damage. According to EN 60204-1, this is a Stop-0.
Figure 2: Unlockable non-return valve with status query: The built-in sensor detects the safe position of the non-return valve and reports this to the control unit.
© SMC Pneumatics
Single-channel stop
Where necessary, the drive can be stopped by shutting off the pressure. In single-channel systems, this is achieved by switching off the drive with a 5/3 directional control valve, center position closed, or via pilot-operated check valves that are screwed directly into the compressed air inlets of the drive. The machine manufacturer must validate the overrun by testing and take appropriate measures to ensure that, in the event of manual intervention, the danger zone of the actuator is only reached after it has come to a standstill.
Directional control valves are often installed some distance from the actuator. The hose length increases the air volume, which causes the actuator to overrun for longer and thus delays the standstill. This is where pilot-operated check valves screwed directly into the actuator come into their own. In a single-channel system, these can be controlled using the pilot air by means of crossover unlocking.
Dual-channel stopping with diagnostics
Dual-channel systems with diagnostics should also be used in pneumatics where there is a higher risk. Such a two-channel control system can be set up with a 5/3 directional control valve, which is also the directional valve of the actuator, as the first channel. The second channel is then a pilot-operated check valve screwed directly into the actuator. Its pilot air is to be controlled with a separate monostable 5/2-way valve.
As pilot-operated check valves previously had no status query, the only way to check whether they were fulfilling their safety-related function, i.e. blocking the compressed air in the actuator chamber, was a test routine. To do this, the pilot air of the valves had to be vented and the 5/3 directional control valve had to move the actuator. For diagnostic purposes, the actuator had position sensors at the stroke ends. If the pilot-operated non-return valve blocked the compressed air correctly, the actuator did not reach the end position. This had to be checked in both actuator directions.
It is certainly understandable that such test routines are undesirable, as they reduce the time available for the production process and increase the programming effort. Furthermore, with each drive stroke, the non-return valve is moved out of the safe position again with the compressed air flowing into the drive chamber. Ultimately, you could never be sure that both non-return valves were diagnosed in the safe position at the same time.
For this reason, SMC developed an unlockable non-return valve with status query to diagnose the safe position of the non-return function. The time-consuming test routine can therefore be omitted. The status query can also be used to diagnose the safe position of the monostable 5/2-way valve, which controls the pilot air of the non-return valves. If neither non-return valve is in its safe position, this indicates that the 5/2-way valve has switched: the non-return valves are unlocked and not closed.
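The two diagnostic approaches from the preceding paragraphs, the former test routine (vent the pilot air, command a stroke, check that the end position is not reached, repeat in the other direction) and the status query (each check valve reports its locked position, and two simultaneous deviations point at the shared 5/2-way valve), are contrasted in the added Python model below. It is illustrative code written for this article, not SMC's product logic or a validated design; the plant simulation, the assignment of check valve A to the extend-side chamber and B to the retract-side chamber, and the sensor conventions are constructed assumptions. The model also makes explicit why the old routine had to run in both directions: extending can only exhaust the retract-side chamber through B, retracting only the extend-side chamber through A, so each direction proves exactly one valve.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed plant: actuator with two pilot-operated check valves, A on the extend-side
# chamber port and B on the retract-side port, both unlocked by pilot air from one
# monostable 5/2-way valve (de-energized -> pilot air vented -> valves lock).


@dataclass
class PneumaticPlantSim:
    a_blocks: bool = True          # check valve A holds pressure when its pilot is vented (healthy)
    b_blocks: bool = True
    pilot_energized: bool = False
    position: str = "retracted"

    def set_pilot(self, energized: bool) -> None:
        self.pilot_energized = energized

    def command_53(self, direction: str) -> bool:
        """Switch the 5/3 valve and return the end-position sensor of the commanded end.
        A locked, healthy check valve blocks the exhausting chamber, so the actuator stays put."""
        if direction == "extend":
            if not ((not self.pilot_energized) and self.b_blocks):
                self.position = "extended"
            return self.position == "extended"
        if not ((not self.pilot_energized) and self.a_blocks):
            self.position = "retracted"
        return self.position == "retracted"


def legacy_test_routine(plant: PneumaticPlantSim) -> dict:
    """Former approach: with pilot air vented, a commanded stroke must NOT reach the end position.
    Extend direction proves valve B, retract direction proves valve A."""
    result = {}
    plant.set_pilot(True)            # unlock, bring the actuator to a known retracted position
    plant.command_53("retract")
    plant.set_pilot(False)           # valves should now lock
    result["B"] = "fault" if plant.command_53("extend") else "ok"
    plant.set_pilot(True)            # unlock, known extended position
    plant.command_53("extend")
    plant.set_pilot(False)
    result["A"] = "fault" if plant.command_53("retract") else "ok"
    plant.set_pilot(True)            # back to the home position for production
    plant.command_53("retract")
    plant.set_pilot(False)
    return result


class StatusDiag(Enum):
    OK = "ok"
    CHECK_VALVE_A = "check valve A not in expected position"
    CHECK_VALVE_B = "check valve B not in expected position"
    PILOT_VALVE = "5/2-way pilot valve not in commanded position"


def diagnose_status_query(pilot_energized: bool, a_safe: bool, b_safe: bool) -> StatusDiag:
    """Current approach: each check valve reports its safe (locked) position via its sensor.
    Both sensors deviating from the commanded state points at the shared 5/2-way valve;
    a single deviation points at that check valve."""
    expected_safe = not pilot_energized
    a_ok = a_safe == expected_safe
    b_ok = b_safe == expected_safe
    if a_ok and b_ok:
        return StatusDiag.OK
    if not a_ok and not b_ok:
        return StatusDiag.PILOT_VALVE
    return StatusDiag.CHECK_VALVE_B if a_ok else StatusDiag.CHECK_VALVE_A


if __name__ == "__main__":
    print(legacy_test_routine(PneumaticPlantSim()))                 # healthy plant
    print(legacy_test_routine(PneumaticPlantSim(b_blocks=False)))   # valve B does not hold
    print(diagnose_status_query(False, False, False))               # both unlocked while pilot vented
```

Note that the status query evaluates a single reading of the current state, whereas the test routine consumes a full stroke in each direction, which is the production-time and programming cost the article refers to.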
Increased caution with held loads
Drives must not only be stopped in the event of an emergency stop. For example, if an employee enters the hazardous machine area through a door secured with an interlock switch, all movements that could endanger them must be stopped.
Nowadays, modern electric drives often have STO inputs that allow the drives to be stopped electronically. STO functions in frequency inverters and servo drives increase the service life of the devices and allow them to be restarted more quickly, as the internal capacitors do not have to be discharged and therefore do not have to be recharged, which is time-consuming. The use of such technologies often makes contactors superfluous in such applications and control cabinets more manageable. But even with modern drives, other dangers can lurk that are caused by switching them off, for example vertical axes, which can slide downwards under their own weight and thus endanger the operator. In this case, an additional mechanical holding brake is required.
Figure 3: Doors are usually interrogated for their status using safe interlock switches in accordance with ISO 14119. For subsequent movements, it may be necessary to use an interlocking device with guard locking.
© Rockwell Automation
There are similar consequential hazards in pneumatics: the greatest danger usually comes from trapped compressed air in drives or from loads held in a raised position. Trapped compressed air, and thus stored energy, exerts an enormous force when suddenly released, which is often underestimated. If the drive remains in an intermediate position because the tool has jammed, there is a risk that employees will shake the tool to clear the fault. The jam can then suddenly release and the stored energy triggers a sudden movement. Products for residual pressure venting are available for this purpose. An important decision for the machine manufacturer is whether venting should be carried out manually at the actuator or at a sufficient distance outside the danger zone.
Loads held high by pneumatic drives result in further risks that must be reduced by taking appropriate measures. According to DIN EN ISO 13849-2, fault exclusion is permitted for pressurized hoses for holding up a load when using hoses according to ISO 4079-1. Otherwise, fixed piping must be provided. DIN EN ISO 4414, the harmonized safety standard for pneumatics, stipulates that the mechanical load must be released, supported or held when the pressure is relieved.
What to do in the event of faults?
In the event of minor faults without electrical work, it may be sufficient to block the door switches with padlocks in the open position and thus prevent an unexpected restart. Depending on the required performance level, one or two channels must be switched off on the output side. During maintenance work involving electrical work, however, all hazardous energies must be switched off. This isolation must be carried out electromechanically. The following five safety rules (DIN VDE 0105) must be observed:
- Disconnect
- Secure against reconnection
- Ensure that there is no voltage
- Earth and short-circuit
- Cover or isolate neighboring live parts.
In pneumatics, this is done as follows: Residual pressure venting can be carried out using manually operated residual pressure venting valves, for example. These are available with a plug-in connection for hoses and with a thread for fixed piping. For actuation outside the danger zone, there are both electric-pneumatic and purely pneumatic alternatives.
Figure 4: Trapped air in pneumatic actuators poses a potential hazard that can be reduced with residual pressure bleed valves.
© SMC Pneumatics
In larger complex systems with many energy sources, it can make sense to combine the energy isolation of the different sources for small maintenance work without electrical activities. A single maintenance switch can be used to switch partial areas or the entire system to a safe state. The maintenance switch is connected to safety electronics (relay or PLC) for this purpose, which then control the contactors and valves and thus switch off all energy supplies. A two-channel system with a high degree of diagnostic coverage is again recommended. Such a solution is often more practical for the operator, who only has to operate one switch and secure it against being switched on again. More detailed information on this can be found in EN 60204-1 (chapter 5.4).
Very often, only the structural design, i.e. the control category, is taken into account when setting up safety functions, and it is merely checked whether the corresponding B10d or MTTFd values are available. However, when setting up the functions, additional requirements specified in ISO 13849-2 are important. These include basic and well-tried safety principles (in Cat. 1, for example, the use of well-tried components), DC values and measures against CCF and systematic faults. These requirements must be met by the system and/or the components used. However, the user is often unable to recognize this from the outside of the components. It is therefore advisable to contact the manufacturer and ask for confirmation if anything is unclear.
Authors:
Christof Dörge is a TÜV-certified FS expert at Rockwell Automation;
Ferdinand Rein is Manager Actuators & Air Equipment Section at SMC Pneumatik.