Dr Martin Kidman, a Safety Specialist with Sick UK, presents the arguments for and against using standard sensors for machinery safety applications.
Functional safety standards EN ISO 13849-1 and EN 62061, in principle, permit the use of standard components in safety circuits. So, as standard sensors become smarter, with enhanced functionality and communications, machine designers are beginning to ask whether standard sensors can be used as adequately in a safety role as those with full safety designations. After all, sensor manufacturers quote Mean Time To Failure (MTTF) and Mean Time To Dangerous Failure (MTTFd), so would this be sufficient to put together a safety system that conforms to the standards?
Could standard sensors provide a safety role just as well as sensors with full safety designations, such as Performance Levels (PL a, b, c, d, e) and Safety Integrity Levels (SIL 1, 2, 3)? And would they be more cost-effective than choosing the most highly-designated safety-rated option?
The answer lies in understanding what the safety standards are looking for when designing a safety system. For example, what do terms like MTTFd actually mean in relation to safety requirements, and how do the design and electronics of different types of safety device, like safety light curtains, safety laser scanners or safe proximity switches, meet the requirements relating to redundancy and fail-safe?
Crucially, it should be understood that the design of the whole protective system and its components, including control and power supplies, must satisfy the safety criteria, ie the designated Performance Level (PL).
When designing safety functions, the following six interrelated criteria are essential:
- The hardware and software structure (system architecture category).
- The reliability of the components: are they well tried and tested as per the standards? MTTF covers failures of any kind; the dangerous-failure share of it, MTTFd, is the figure that matters for safety and is quoted in years.
- The effectiveness of integrated fault detection mechanisms (Diagnostic Coverage - DC).
- Combating Common Cause Failures (CCF), ie failures inherent to a specific component design: using two identical components in a safety circuit risks a single cause (such as a voltage surge) disabling both channels at once.
- Systematic failures resulting from faults in development, manufacture, operation or maintenance of the hardware and software.
- Application suitability.
Safety choices in practice
We will consider two typical guarding applications, monitoring a grinding mill guard door, and light curtain guarding of a hazardous batch collection point.
Application A – Monitoring a grinding mill guard door
The guard door is opened and closed about four times per hour. The safety function has to ensure immediate shutdown of the mill motor when the door is opened. The risk assessment for injury to an operative resulted in a required Performance Level PLr = d.
For the possible options considered, the designer has to determine the PL of each of three subsystems, namely the sensor, logic controller and power control unit, using data supplied by the manufacturer.
Option 1: For a single magnetic proximity switch unit rated as PLe, and with the controller and power supply components rated PLe, the whole safety system achieves PLe. This rating exceeds the required safety system Performance Level of PLd, so is acceptable.
Option 2: With a standard single inductive sensor, the sensor is equipped with complex electronics with no specified failure mode in the case of an internal fault. As a result, the sensor only rates at PLb, so the system as a whole can only be rated at PLb; the safety offered by the system is not acceptable as it is lower than the required PLd.
Option 3: With two identical inductive sensors (as in Option 2) in parallel as a dual-channel arrangement, the performance of the sensor subsystem can be improved because the control unit can perform diagnostic fault checks on each sensor separately whenever the door is operated. With this improved Diagnostic Coverage, the pair of sensors together could be rated as PLd, allowing possible compliance of the whole safety system with PLd.
However, Common Cause Failure could occur where each sensor had a common design fault (eg failure due to a voltage surge). Unless there is some provision to eliminate this possibility, the sensor subsystem has therefore to be rated as a single sensor, or PLb, so the complete system is not acceptable.
Option 4: Two different types of standard sensors are used, with different output levels and internal structure; the dual channels are monitored by the controller. This brings in the powerful principle of diverse redundancy, which allows the MTTFd values to be combined for a high total value. This counters the CCF values and allows a Performance Level of PLe, so the complete system can be rated at an acceptable PLe.
Application B - Light curtain guarding of a hazardous batch collection point
In this application, light curtains can be affected by 'optical noise' such as reflections and ambient light. The risk-assessed Performance Level required is PLr = c.
Option 1: A safety light curtain that can function reliably despite 'optical noise' interference is a type 4 device and can achieve PLe. The safety controller has a PLe rating. In this case, a single actuator power control element can be used because, despite only offering a single channel, it has a very high MTTFd of 30 years, so it qualifies as well tried and tested and is rated at PLc. The whole installation is therefore rated as PLc and is acceptable.
Option 2: A standard light grid does not meet a product standard or the required opto-electronic safety standard for personal protection devices. Additionally, without a specified internal fault failure mode, its complex electronics cannot be considered a well-tried safety component and so it has no PL rating. As a result, the safety system cannot be given a Performance Level rating and the safety system is not acceptable.
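The subsystem-by-subsystem reasoning used in both applications can be written down as a small calculation. The following script is an added example, not code from the article or from Sick: it applies the series-combination rule of EN ISO 13849-1 (the overall PL is limited by the lowest subsystem PL, and drops one level when too many subsystems share that lowest PL) to the subsystem ratings the article gives for each option. The option names, list structure and the treatment of an unrated subsystem as "no PL" are assumptions made for this illustration.

```python
# Added example: combine subsystem Performance Levels in series per
# EN ISO 13849-1 and check the result against the risk-assessed PLr.
# Subsystem ratings are the ones quoted in the article; names and
# structure are constructed for this illustration.

PL_ORDER = ["a", "b", "c", "d", "e"]

# How many subsystems may share the lowest PL before the overall PL is
# downgraded one step (EN ISO 13849-1, series alignment table).
MAX_AT_LOWEST = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def combine_series(subsystem_pls):
    """PL of sensor + logic + actuator in series; None if any subsystem has no PL."""
    if not subsystem_pls or any(pl is None for pl in subsystem_pls):
        return None  # e.g. a standard light grid with no PL leaves the chain unrated
    lowest = min(subsystem_pls, key=PL_ORDER.index)
    if subsystem_pls.count(lowest) <= MAX_AT_LOWEST[lowest]:
        return lowest
    idx = PL_ORDER.index(lowest)
    return PL_ORDER[idx - 1] if idx > 0 else None  # more than 3 at PL a: not covered


def meets_requirement(achieved_pl, required_pl):
    """True when the achieved PL is at least the required PLr."""
    return achieved_pl is not None and PL_ORDER.index(achieved_pl) >= PL_ORDER.index(required_pl)


def assess(name, subsystem_pls, required_pl):
    achieved = combine_series(subsystem_pls)
    return name, achieved, meets_requirement(achieved, required_pl)


# Application A (PLr = d): [sensor, logic controller, power control unit].
# Option 3's identical sensor pair is rated as a single PL b sensor because
# common cause failure is left unaddressed, as the article explains.
APPLICATION_A = [
    assess("A1 PLe magnetic proximity switch", ["e", "e", "e"], "d"),
    assess("A2 single standard inductive sensor", ["b", "e", "e"], "d"),
    assess("A3 two identical sensors, CCF unaddressed", ["b", "e", "e"], "d"),
    assess("A4 two diverse standard sensors", ["e", "e", "e"], "d"),
]

# Application B (PLr = c): [light curtain or grid, safety controller, single-channel actuator].
APPLICATION_B = [
    assess("B1 type 4 safety light curtain", ["e", "e", "c"], "c"),
    assess("B2 standard light grid, no PL", [None, "e", "c"], "c"),
]

if __name__ == "__main__":
    for name, achieved, ok in APPLICATION_A + APPLICATION_B:
        print(f"{name}: PL {achieved or 'none'} -> {'acceptable' if ok else 'not acceptable'}")
```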
Are standard sensors feasible?
These two examinations of some typical safety sensor applications show that standard sensors may be used in safety system design if the designer has a very good grasp of the principles involved and how these can be applied. However, designing a reliable solution could challenge the time and experience of a busy plant engineer.
In comparison, a world-class safety systems manufacturer has already invested in iterative product development and lengthy testing and offers experience gleaned with other manufacturers. So for some applications, seeking external support may turn out to be more cost-effective.