Machine tools and general engineering


Taking a long term view of machinery safety

David Collier, Business Development Manager at Pilz Automation Technology, explains why machine builders should resist the temptation to save money in the short term by using Category 2 architecture on machine guard safety circuits that require Performance Level d.

Users of electromechanical safety components on machine guards should carefully consider the onerous test requirements of Category 2 in EN ISO 13849-1 at the design stage, particularly when seeking to achieve Performance Level d (PLd). Incorporating Category 2 architectures into PLd systems without taking these test requirements into due consideration may introduce systematic failures and associated loss of production or additional expense once the machine has been installed.

If after design, build, supply and commissioning a machine, it is then decided to convert from a Category 2 architecture to Category 3 or 4, this may become difficult or impossible in terms of fitting additional components to the machine, as well as mounting new in-panel devices that are required to step from single- to dual-channel architecture.

Under EN 954-1 (still scheduled for withdrawal at the end of 2011) the 'Category' of the control system has been used as the basis for constructing the safety-related control functions. With the increasing uptake of EN ISO 13849-1, however, the term 'Category' has been taken over by 'Performance Level' (PL).

In addition to the factors taken into account by Categories, Performance Levels also consider the reliability of the individual components and combination of components in a safety-related control system (expressed as the 'mean time to dangerous failure', MTTFd, or the 'probability of failures per hour', PFH). The reliability data is used to evaluate the availability of a safety function over time. The behaviour of the safety function in the presence of faults is still dictated by the Category, which is now also referred to as architecture or structure.

In the past, designers who used the risk graph in EN 954-1 may have arrived at a Category 3 requirement based upon known factors for severity, frequency of exposure and possibility of avoidance. The designer would then have designed a dual-channel system, one with redundancy or hardware fault tolerance (HFT = 1), providing a behaviour such that a single fault in the system would not give rise to a loss of the safety function.

These same parameters used with the similar risk graph in EN ISO 13849-1 would most likely lead to PLd.

Testing

In EN ISO 13849-1, PL is achieved by a combination of Category, MTTFd and diagnostic coverage (DC). According to Figure 5 in the standard, PLd is still achievable using Category 3 architecture - but also by using Category 2 (so long as the MTTFd is high and there is at least a low level of diagnostic coverage). It may be very tempting to try to use Category 2, single-channel architecture to achieve PLd to save component cost and panel space.

A central factor in Category 2 is checking the safety function (not increased reliability), where an increased check frequency will decrease the probability of a dangerous situation - in other words, testing reduces the probability of continued operation in the presence of a fault. Within the simplified procedure in EN ISO 13849-1, the check in Category 2 must occur at start-up and then periodically, and there is an assumption that the frequency equates to at least 100 tests to every demand on the safety function (clause 4.5.4 of EN ISO 13849-1, where for Category 2 'demand rate <1/100 test rate'). This test rate is an additional quantitative factor to that given in EN 954-1. This means that if designers try to claim PLd using Category 2 architecture, they are assuming that the safety function will be tested at least 100 times between demands upon the safety function.

BGIA (now the Institute for Occupational Safety and Health of the German Social Accident Insurance or IFA) has worked out the Markov reliability model of EN ISO 13849-1 designated architecture category 2 as a single-channel circuit with this high test frequency, based on the findings of a European working group trying to map EN 954-1 categories to the SILs of IEC 61508/IEC 62061. This is a challenge within the machine building industry, where safety functions are considered to be high demand, versus the process industry, where the demand placed upon safety functions is low or continuous.

Practical considerations

It is difficult to see how users are going to manage this test frequency in machine applications on anything other than a dynamically self-tested OSSD (Output Signal Switching Device, i.e. a solid-state safety output) on a Type 4 light curtain, or in very low demand applications such as infrequently used emergency stops. For electromechanical devices on guards (such as tongue-actuated interlock switches, limit switches and magnetic safety switches) testing will mean actuation (i.e. opening and closing the guard) at least 100 times between the functional need to open the guard. This may at least prove inconvenient because it would impede productivity, or even impossible due to the high demand already placed upon the safety function. Imagine having to test a guard door 100 times within a two-minute production cycle - it simply isn't practical!

Lastly, consider the implication of frequent testing of electromechanical devices in terms of component wear and tear. The MTTFd of an electromechanical component, such as a safety interlock switch or contactor, depends on the number of operations in a year (nop) and the component's B10d (the expected number of cycles until 10% of the components fail dangerously; component-specific data is normally available from the manufacturer, and generic data can be found in table C.1 of EN ISO 13849-1).
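The wear effect described above, as an added worked example that is not part of the original article or any Pilz tool. It uses the EN ISO 13849-1 Annex C relation MTTFd = B10d / (0.1 × nop) and the standard's low/medium/high MTTFd bands. The B10d value, the operating schedule and all function names are constructed assumptions, and each test is assumed to be one full guard actuation.

```python
# Added example: effect of Category 2 test actuations on a guard switch's MTTFd.
# All input values below are constructed, not taken from a datasheet.

def demands_per_year(days_per_year, hours_per_day, cycle_time_s):
    """n_op from the operating schedule, assuming one guard opening per cycle."""
    return days_per_year * hours_per_day * 3600.0 / cycle_time_s

def mttfd_years(b10d_cycles, n_op):
    """EN ISO 13849-1 Annex C: MTTFd = B10d / (0.1 * n_op)."""
    return b10d_cycles / (0.1 * n_op)

def mttfd_band(years):
    """Denotation of MTTFd per channel used by the simplified procedure."""
    if years < 3:
        return "below low (not usable)"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"

def cat2_wear_comparison(b10d_cycles, days_per_year, hours_per_day,
                         cycle_time_s, tests_per_demand=100):
    """Compare MTTFd with demand-only actuation against demand plus tests."""
    demands = demands_per_year(days_per_year, hours_per_day, cycle_time_s)
    # Every test actuation wears the switch exactly like a real demand.
    n_op_with_tests = demands * (1 + tests_per_demand)
    demand_only = mttfd_years(b10d_cycles, demands)
    with_tests = mttfd_years(b10d_cycles, n_op_with_tests)
    return {
        "demands_per_year": demands,
        "test_interval_s": cycle_time_s / tests_per_demand,
        "demand_only": (demand_only, mttfd_band(demand_only)),
        "with_tests": (with_tests, mttfd_band(with_tests)),
    }

if __name__ == "__main__":
    # Constructed case: B10d of 2,000,000 cycles, 220 days/year, 16 h/day,
    # guard opened once per two-minute production cycle.
    result = cat2_wear_comparison(2_000_000, 220, 16, 120)
    for key, value in result.items():
        print(key, value)
```

With these constructed inputs the switch would need one test actuation every 1.2 seconds, and the extra cycles move its MTTFd out of the 'high' band that Category 2 needs for PLd.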

It is therefore more practical and commonplace to achieve PLd using Category 3 or 4, dual-channel architectures, because these will improve reliability through hardware fault tolerance (without a highly frequent periodic test cycle) as well as 'automatic' diagnostic coverage within the system.

Single failure point

On balance, there is an argument against Category 3 in PLd systems in the case where a single component, such as an interlock or limit switch containing two contacts, is employed to monitor a guard. Such a device has one potential point of failure: a failure of a limit switch plunger mechanism (say due to excessive force, contamination or corrosion) is a single failure point affecting both contacts and both channels. In this case, what is ostensibly a Category 3 architecture can be considered to be Category 1, because a single failure can cause a loss of the safety function.

With a single device containing two channels needing to achieve PLd, it is necessary to declare a 'fault exclusion', which justifies why such a single point of failure in the switch body is unlikely. There is guidance in EN ISO 13849-2 on fault exclusions, which considers, among various factors, the environment (dirt and corrosion affecting the device during its lifetime), safe positioning and mounting (such as a preference for actuation occurring on opening, and avoidance of using the device as a mechanical stop), and adequate dimensioning. Where a fault exclusion cannot be justified and PLd is required, the answer is to use two independent switches; this is more likely and is already common practice on monitored guards, and at this point measures taken to reduce Common Cause Failures can be quantified.

The use of fault exclusions in PLd and PLe will become a moot point when ISO 14119, Safety of machinery -- Interlocking devices associated with guards -- Principles for design and selection, is published. This is because reference is made to interlocking circuits providing PLd or PLe having to include at least two position switches, since fault exclusions of mechanical faults are not accepted in high-risk applications.

Pilz Automation Technology in profile

Pilz Automation Technology develops, manufactures and supplies process and automation control products for use wherever there is a requirement to ensure the safety of plant, personnel or the environment. Included in the range are: safety relays; configurable safety controllers; programmable safety systems (safety PLCs) for use with or without the SafetyBUS p safe, open industrial fieldbus network; mechanically actuated and non-contact guard switches; safety light curtains; 2D and 3D vision-based safety sensors; emergency stop switches; conventional and touchscreen operator interfaces; plus control and monitoring relays for non-safety applications.

In addition, Pilz provides safety-related services, such as training, engineering, consultancy and competence management. For 20 years Pilz has taken a leading role in educating the market with regard to safety legislation. This has been through seminars on legislation, software packages that assist with standards compliance and product selection, and publications. Pilz has produced six editions of the Guide to Machinery Safety, a Guide to Programmable Safety Systems, and publishes a free monthly email newsletter. For further information, e-mail: j.harris@pilz.co.uk or view website: www.pilz.co.uk  Refer to page 95

New Grade for highly productive steel machining

For the high speed production of holes, Tungaloy has now developed its exciting new Twisted Tungdrill series of indexable insert drills. In addition, this market leading range of drills for machining holes from 12 to 54mm diameter now has the new AH725 insert grade added to the series to deliver the highest possible productivity levels with maximum performance when machining steels and stainless steels.

Available with drills in 2XD, 3XD, 4XD and 5XD, the Twisted Tungdrill utilises Tungaloy's new TDX concept that allows stable and efficient machining by using four corners of the proven parallelogram shaped inserts. The drill body also incorporates the TDX concept that works in conjunction with the insert geometries to further enhance stable cutting. As a result, exceptional balance can be obtained and chatter can be constrained to deliver exceptional surface finishes inside the hole.

Enhancing swarf evacuation, the Twisted Tungdrill has a twisted coolant hole in the drill body to increase the fluid flow by 50%; this further improves surface finish and chip removal. The combination of innovative new insert and drill designs with the twisted coolant holes promotes swarf evacuation and improves surface finishes, tool life and productivity. The drill body also guarantees a long tool life, thanks to its specialised drill body coating that is hardened to improve rigidity.

The new AH725 insert for the Twisted Tungdrill is a PVD coated grade that incorporates Tungaloy's 'Triple Force Technology' that dramatically improves resistance to chip welding and insert edge chipping. The newly improved coating layer features great adhesion strength between the coating and substrate. This works in conjunction with a well balanced micro alloy substrate that is effective for plastic deformation resistance and improves toughness.

The AH725 insert improves wear resistance when high speed machining stainless steel. It also delivers excellent chip control and prevents burrs with the combination of a twisted drill design, high powered coolant flow and innovative insert geometries. For the Twisted Tungdrill with AH725 grade, Tungaloy has developed three insert types: the DJ, DW and DS types.

The DJ insert is a general purpose chipbreaker usable for almost all applications. It features low cutting forces and allows stable drilling with its deeply formed chip groove, which provides exceptionally free cutting action and effective chipbreaking. The DS type has an entirely new rake face design, strengthened corner and sharp cutting edges that permit excellent chip control for gummy materials such as stainless steels and low carbon steels. The DW type, by contrast, incorporates a new wiper design, extremely strong insert corner and chipbreaker for high feed machining. In comparison with conventional inserts, this chipbreaker allows higher feeds and produces superior surface finish.

For further information, view website: www.tungaloy.co.jp  Refer to page 373

EURO TECHNOLOGY PAGE 88