Dr Frager, you are head of the standardization working group at VDMA Integrated Assembly Solutions. Over the past two years, the working group has been working on the VDMA standard sheet 66416. What is it about in detail?
■ We wanted to create a guideline that provides recommendations for the safety-oriented design of assembly and testing systems, taking into account the requirements of standards and the EC Machinery Directive. First of all, we defined the operating modes that are important for our industry and the so-called function types they contain, for example, idle or home position travel within the automatic operating mode. Then we described the relevant type representatives, i.e. the machine types in our industry.

Another focus of the standard sheet is the treatment of hazards arising from machine parts that are moved as intended. The latter refers to controlled moving axes or cylinders, whereby we consider drives with electrical, hydraulic or pneumatic energy supply. We have given examples of how risks can be reduced by incorporating safety functions.

What else does the standard sheet contain?
■ The risk graph, which is proposed in DIN EN ISO 13849 as a way of determining the required performance level, should be familiar by now. The only problem is that the information given there for determining the PLr is very general and far too unspecific for designers. This is exactly where our standard sheet comes in, by being more specific and giving values for the important parameters. To this end, we have consulted existing standards in order to relieve designers of the work of having to laboriously find all the values themselves.

We have also specified previously undefined limit values and agreed them with the employers' liability insurance association. Specifically, this involves parameters such as the duration of exposure to the hazard or the severity of the injury. We have compiled the guidelines, standards and information available on this subject, but it is clear that this topic will need to be developed further in the future. There is little or nothing on 'severity of injury' in particular. Although there is a publication for collaborative robots, it does not deal with the limit values between S1 and S2, as would be required in the risk graph, but with the values on the border to no injury at all - S0, so to speak. This is only of limited help, as the machine manufacturer would be unnecessarily imposing excessively strict limit values.

Doesn't the standard sheet then overlap thematically with other standards?
■ No, we have paid attention to this and taken the important standards into account or referred to them. For example, the industrial robot standard DIN EN ISO10218-1 and -2 or the standard for integrated manufacturing systems ISO 11161.

Dr. Oliver Frager, Teamtechnik Maschinen und Anlagen: "The VDMA standard sheet 66416 is intended to help increase understanding and efficiency in the implementation of functional safety."

© VDMA

What do you see as the greatest benefit of VDMA standard sheet 66416?
■ Let's start with understanding. Anyone who deals with the Machinery Directive, DIN EN ISO 12100 and DIN EN ISO 13849 Parts 1 and 2 will still have many questions when it comes to putting them into practice, even after thorough familiarization with these topics. For example: Am I doing unnecessarily much or too little with regard to a detailed aspect? This is where our standard sheet comes in - anyone who reads it will get answers to these questions.

However, our standard sheet also raises understanding, or perhaps better awareness, among those who are not yet so familiar with the subject. When do I need which safety function, how do I link this to my risk assessment, what is really required to implement functional safety appropriately? Although there is a definition of a safety function in DIN EN ISO 13849-1, it is not necessarily immediately understandable.

In addition, a typical machine has a large number of safety functions to sufficiently mitigate all risks. It is a misconception that you can always manage with one safety function per electric drive or cylinder. Take an electric or pneumatic axis: it is not enough to have a 'safe stop', you also have to prevent unexpected start-up or, in the case of gravity-loaded axes, falling - that's three safety functions in itself. In one operating mode, for example in automatic mode, the input is a safety gate switch or a light curtain. In set-up mode, on the other hand, the input is the enabling switch on the mobile manual control panel, for example. So you have up to six safety functions for a vertical axis in two operating modes!

When a machine manufacturer familiarizes himself with the subject, he quickly realizes that a huge number of safety functions are involved. This can lead to doubts as to whether you are really on the right track.

Was it so much easier under EN 954-1?
■ Not at all, realizing such a number of safety functions was already required in the earlier EN 954-1 and, strictly speaking, even in DIN EN ISO 12100. Regardless of the standards, this results from the pure necessity to achieve sufficient machine safety. Common sense dictates that a vertical axis must not suddenly fall when a person is standing underneath it, or that an axis must not suddenly start up unexpectedly when stationary.

The only new aspect of DIN EN ISO 13849 is that the robustness of the realized control of each safety function against failures must now be quantified in a numerical value. Using this numerical value, it must then be verified that the selected design measures have achieved a sufficiently high reliability of these safety functions. This verification is usually carried out with the aid of software tools such as Sistema using safety-related characteristic data from the component manufacturers.

Opinions may differ on the necessity and added value of the additional effort involved in this quantitative analysis; however, the harmonized standard DIN EN ISO 13849-1 specifies this and thus defines the state of the art in this respect. It is therefore binding for the machine manufacturer, which perhaps not everyone is aware of. However, what initially appears to be an unbelievable effort can be largely offset by efficient processes with increasing experience.

The large table A7 on the subject of control technology measures including safety functions is the core of the whole thing, but is only included in the appendix. Why is that?
■ We put it in the appendix because we followed the structure of C standards, the main part of which is normative and the appendices can be informative. As we list suggestions in this table using examples, it is informative.

What exactly can you find in this table?
■ In the first part, we look at fluidic movements, i.e. hydrau
hydraulic and pneumatic actuators, and then electric axes in the second part. We have taken the previously defined machine types as a basis, as the risk of continuous work in the hazardous area of a cyclically stationary but controlled moving axis at a manual workstation is significantly higher than if a worker only occasionally enters such hazardous areas in the set-up mode of a fully automated system.

We therefore subdivide the whole thing into the operating modes. After all, you should not treat automatic operation in the risk assessment in the same way as set-up operation, because in the latter you carry out completely different activities, namely entering the hazardous area to set up, for example - but you do this infrequently. We then list measures for all these cases in order to reduce the various hazards posed by a moving axis. For the safety functions, we make recommendations as to the required performance level at which they should be implemented and make suggestions as to when, for example, a safely reduced speed must be used and when an enabling switch is sufficient.

How binding are the recommendations of a standard sheet?
■ In other machine sectors, for example machine tools, there are so-called C standards. They are created to summarize the essential specifications for a specific type of machine and to concretize the specifications of the A and B standards for a specific type of machine, as these are deliberately kept general.

Our standard sheet VDMA 66416 can serve as a preliminary stage of a C standard and covers larger parts of what a C standard contains. As a C standard can apply throughout Europe or even worldwide, much larger groups are involved in its creation - and implementation takes a correspondingly long time. It takes many years before a C standard is ready. Until then, we now have the 66416 standard sheet, which we have based on existing C standards in order to make it as easy as possible to convert it into a C standard at a later date. Incidentally, a C standard can even take precedence over A and B standards in some areas.