Safety Functions

In machine control system design, the question of when to use safety-rated equipment is commonly asked, but this is often the wrong question. The defining question should be whether the specific machine control function is a safety function. Determining this is not always straightforward and requires a hazard assessment to identify safety functions (e.g., equipment, devices, or circuits) and the required performance level of the system's safety-related components. Without a thorough risk assessment, there simply is not enough information for a blanket answer on whether something is a safety function, and therefore it is not possible to dictate whether or not safety-rated equipment is required.

In general, a safety function protects from hazardous scenarios, reduces the risk of personnel exposure to a hazard, and/or maintains a safe state. Some obvious safety functions are emergency stops (e-stops), resets, and protective device integration such as light curtains or area scanners. However, to fully understand the purpose of a circuit or the function that it is performing, personnel involved must have an intimate knowledge of the facility and environment, as well as the specific machines integrated with upstream and downstream systems.

The risk assessment is the starting point to characterize tasks, hazards, and operational and control scenarios. It identifies the safety function requirements for the machinery and dictates the required performance level of the safety circuit. Lower performance levels are more commonly achieved with standard equipment, while higher performance levels commonly require safety-rated equipment. For high performance levels, the components involved in the control circuit need to be safety-rated (such as a safety relay or a safety-rated position switch), wired into a safety I/O, and programmed in the safety PLC. However, the use of safety-rated components or a safety PLC does not automatically produce a safe state – the Safety Requirements Specification (SRS) must be adhered to in its entirety to ensure the outcome of the operation being performed will actually reach a safe state. The risk assessment cannot be skipped since it is the critical building block for the SRS and required performance level of the safety functions.

An example that demonstrates these concepts is a stop control circuit that has the effect of removing power from a drive. It may be tempting to assume that this is a safety function, but without a risk assessment, there is not enough information to make that determination. For instance, if the drive controls a vacuum blower motor that produces low-volume suction to lift material and the operator exposure is low, then the resulting risk is very low. This may meet the organization's risk tolerance criteria, and no further action is required. Alternatively, if an acceptable level of risk is not achieved, the risk assessment may determine that the required performance level of the function is PLa or PLb, which can be achieved with standard control equipment.
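The two paragraphs above describe a procedure: the risk assessment characterizes each hazard, that characterization yields a required performance level (PLr), and the PLr decides whether standard control equipment is acceptable. The following is an added worked example, not code from the original article; it assumes the ISO 13849-1 Annex A risk graph (severity S, frequency/exposure F, possibility of avoidance P) as the method for deriving PLr, which the article does not name, and it encodes the article's own rule that PLa and PLb can be met with standard equipment while higher levels commonly call for safety-rated components. The hazard scenarios are constructed illustrations, including a version of the vacuum blower case.

```python
"""Derive a required performance level from risk-assessment parameters and
decide the class of control equipment, following the article's reasoning.

Assumption (not stated in the article): the risk graph below is the one in
ISO 13849-1 Annex A. The scenarios are constructed, not data from the article.
"""
from dataclasses import dataclass
from typing import Optional

# ISO 13849-1 Annex A risk graph: (S, F, P) -> required performance level.
#   S1 slight (normally reversible) injury    S2 serious (irreversible) injury or death
#   F1 seldom to less often / short exposure   F2 frequent to continuous / long exposure
#   P1 avoidance possible under specific conditions   P2 avoidance scarcely possible
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}

# Per the article: PLa/PLb are commonly achieved with standard control equipment;
# higher levels commonly require safety-rated components, safety I/O and a safety PLC.
STANDARD_EQUIPMENT_LEVELS = {"a", "b"}


@dataclass(frozen=True)
class Hazard:
    """One hazard/task pair recorded by the risk assessment (constructed data)."""
    name: str
    severity: str          # "S1" or "S2"
    frequency: str         # "F1" or "F2"
    avoidance: str         # "P1" or "P2"
    risk_tolerable: bool   # True when the residual risk already meets the organization's criteria


def required_performance_level(h: Hazard) -> str:
    """Look up PLr from the risk graph; reject malformed parameters loudly."""
    key = (h.severity, h.frequency, h.avoidance)
    if key not in RISK_GRAPH:
        raise ValueError(f"invalid risk graph parameters: {key}")
    return RISK_GRAPH[key]


@dataclass(frozen=True)
class Decision:
    hazard: str
    safety_function_required: bool
    plr: Optional[str]
    equipment: str


def classify(h: Hazard) -> Decision:
    """Apply the article's decision: tolerable risk -> no further action;
    otherwise derive PLr and pick the equipment class it implies."""
    if h.risk_tolerable:
        return Decision(h.name, False, None, "no further risk reduction required")
    plr = required_performance_level(h)
    if plr in STANDARD_EQUIPMENT_LEVELS:
        equipment = "standard control equipment"
    else:
        equipment = "safety-rated components, safety I/O and safety PLC"
    return Decision(h.name, True, plr, equipment)


# Constructed scenarios. The first two mirror the article's blower example:
# same low-severity, low-exposure hazard, with and without the organization
# accepting the residual risk. The third is a high-risk contrast case.
BLOWER_TOLERABLE = Hazard("vacuum blower stop, risk accepted", "S1", "F1", "P1", True)
BLOWER_NOT_TOLERABLE = Hazard("vacuum blower stop, risk not accepted", "S1", "F1", "P1", False)
ROBOT_CELL_ACCESS = Hazard("robot cell door interlock", "S2", "F2", "P2", False)

SCENARIOS = [BLOWER_TOLERABLE, BLOWER_NOT_TOLERABLE, ROBOT_CELL_ACCESS]


def assess_all(hazards=SCENARIOS) -> list:
    return [classify(h) for h in hazards]


if __name__ == "__main__":
    for d in assess_all():
        print(f"{d.hazard}: safety function={d.safety_function_required}, "
              f"PLr={d.plr or '-'}, equipment={d.equipment}")
```

Note that the script only decides the equipment class; as the article stresses, safety-rated hardware does not by itself produce a safe state, and the Safety Requirements Specification still governs how the function must actually behave.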

In summary, safety functions are not always obvious, and a thorough risk assessment is critical to determining whether standard control equipment or safety equipment is needed. Alarms, warning systems, holding brakes, and starting up a backup generator are all examples of safety functions. Understanding the risks associated with a particular scenario and determining the required performance level of the safety functions is necessary to ensure the safety of personnel and maintain a safe work environment.
