Safety First! – Categories and Terms Part 1: Modern Machine Safety – Talk the Talk so you can Walk the Walk

You want to improve machine safety at your facility, but you don’t even know where to start.  Not only do you not know where to start, but you don’t even know what words to use to describe the things you want to do.  Hopefully, by the time you get done reading this, you’ll feel more comfortable talking about machine safety and confident in starting your safety journey.

What is machine safety?  You’ll hear a lot of terms thrown about – categories, performance levels, safety integrity levels, diversity, redundancy, diagnostics – and those are just some.  What it boils down to is this: machine safety (or functional safety) means using technology to prevent harm to people and equipment.  It can come in many forms and doesn’t have to follow just one philosophy.  It could mean fences around machines, or sensors and “safe” controls.  It could mean PPE like gloves, or it could mean signs that say “DANGER!”  Machine safety is an overarching concept, but in the end it’s all about making the machine as safe AND productive as possible.

First, let’s talk risk.  Specifically, risk assessments.  A risk assessment is a procedure you go through for a machine, a group of machines, or whatever else you want to assess: you observe the subject of the assessment and define every area where injury may occur.  The risk assessment is performed ignoring any existing safety measures, because you want to define the actual risk and then check that the in-place safety measures meet that risk.  There are several factors in assessing the risk, including frequency of interaction, probability of injury, severity of injury, and probability of avoidance.  There are several different methods of risk assessment, but all of them use these factors or similar ones.  The risk assessment is the foundation for defining your safety system, and it is where you should start.
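As an added example (not code from the original article), here is the kind of lookup a risk assessment ends in. It implements the three-parameter risk graph of ISO 13849-1 (severity S, frequency/exposure F, possibility of avoidance P), which is one of the "several different methods" the text refers to; the function and variable names are this example's own, and the hazard register at the bottom is constructed sample input, not a real assessment.

```python
"""Required Performance Level (PLr) from a risk graph.

Added example, not part of the original article. Implements the ISO 13849-1
risk graph (severity S, frequency F, avoidance P) as one assessment method;
the sample hazard list is constructed input.
"""
from typing import Dict, List, Tuple

PL_ORDER = "abcde"  # PL a is the lowest required level, PL e the highest

# ISO 13849-1 risk graph: (S, F, P) -> required PL
#   S1 slight (normally reversible) injury / S2 serious injury or death
#   F1 seldom to less often exposure       / F2 frequent to continuous exposure
#   P1 avoidance possible                  / P2 avoidance scarcely possible
RISK_GRAPH: Dict[Tuple[str, str, str], str] = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Look up the PLr for one hazard; reject anything outside the graph."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"not a valid risk-graph path: {key}")
    return RISK_GRAPH[key]


def assess(hazards: List[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """Map each (name, S, F, P) hazard to its PLr.

    Existing safeguards are deliberately NOT an input: the graph rates the
    unguarded hazard, exactly as the article says the assessment should.
    """
    return {name: required_pl(s, f, p) for name, s, f, p in hazards}


def highest_pl(plrs: Dict[str, str]) -> str:
    """The most demanding PLr in a set, using the a < b < c < d < e ordering."""
    return max(plrs.values(), key=PL_ORDER.index)


# Constructed sample hazard register (hypothetical values, for illustration).
SAMPLE_HAZARDS = [
    ("open door while burner lit", "S2", "F2", "P2"),
    ("open window while burner lit", "S2", "F1", "P2"),
    ("break window while burner lit", "S2", "F1", "P1"),
]

if __name__ == "__main__":
    plrs = assess(SAMPLE_HAZARDS)
    for name, pl in plrs.items():
        print(f"{name:32s} -> PL {pl}")
    print("worst case:", highest_pl(plrs))
```

Each safety function gets its own PLr; the worst case only matters if one safety system has to cover several hazards at once.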

Next, let’s talk categories.  The category of a safety system describes the physical layout of the system.  A safety system is defined by its inputs, logic, and outputs.  There are 5 categories: B, 1, 2, 3, and 4.  Categories B, 1, and 2 are single channel.  Categories 3 and 4 are dual channel.  Single and dual channel describe the number of inputs, logic channels, and outputs used for a safety function.  Single channel means one of each device, dual channel means two.

There are a lot of other safety terms in there that make this confusing, so let’s talk in examples.  Let’s say I have a room that gets full of fire, with a door and a window.  Opening the door or the window would cause immediate harm if the fire is present.  So opening the door and opening the window are both safety functions.  Each one is a separate function, and each one needs to show protection.  In addition to opening the window, breaking the window is a safety function, so we need to protect against that too.  But let’s concentrate on opening the door.

Based on our risk assessment, we decide we need Category 3 protection, so we need a dual channel system.  To create a dual channel system, we put two normally-closed door switches on the door to detect when it opens, and wire each switch separately to its own input on a safety relay.  We then take two output contactors and wire the power side of each in series with whatever power turns on the fire, and the control side of each contactor gets wired to a different output on the safety relay.  Sounds confusing, yes?  What it really does is set things up so that no single failure can cause a dangerous situation.  We use normally closed contacts on the sensors, so that if the power goes out or a wire gets cut, we detect that fault and shut the system down.  We wire the sensors in parallel circuits so that if one gets stuck in the “I’m safe” condition, the other one isn’t masked by it.  We wire the output contactors in series in the power circuit so that if one contactor sticks shut, the other will open and protect us.  And we wire each contactor to a separate output so that if any one logic channel fails, the safety system can still protect us.  A single channel system would use only one of each: one input, one logic channel, and one output.

The difference between the single channel and dual channel categories comes down to reliability.  A Category 2 system is similar to a Category B system in that both are single channel, but a Category 2 system has extensive in-use testing performed on it (think of it like the check engine light on your car), and if the testing fails (the check engine light comes on) the safety system puts itself in a safe state (the machine turns off).  A Category B system has none of that testing, so if a component in the circuit fails you won’t know until you go to use it.  The term you’ll hear for this is diagnostics: the safety circuit tests itself and its components to ensure that it’s still working correctly.
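To make the "any single failure won't cause a dangerous situation" claim concrete, here is an added example (not code from the original article) that models the door interlock described above as a tiny fault simulation: a single-channel circuit with no diagnostics (Category B), the same circuit with a self-test before each demand (Category 2), and the two-channel version with contactors in series (Category 3). The class and fault names are this example's own, and the Category 2 test coverage (it can detect a welded contactor or a dead logic channel, but not a mechanically stuck door switch) is an assumption chosen to show what diagnostics do and do not buy you.

```python
"""Single-fault behaviour of the fire-room door interlock.

Added example, not from the original article. Models the single-channel
(Category B / Category 2) and dual-channel (Category 3) interlocks the text
describes; names and the assumed Category 2 test coverage are this
example's own.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Channel:
    """One input -> logic -> output path. Each flag is a possible fault."""
    switch_stuck_closed: bool = False  # NC switch welded in the "I'm safe" state
    wire_cut: bool = False             # open circuit on the switch wiring
    logic_failed: bool = False         # relay logic channel stuck energised
    contactor_welded: bool = False     # output contactor contacts welded shut

    def demands_stop(self, door_open: bool) -> bool:
        """Does this channel's logic command its contactor to open?"""
        # A cut wire reads exactly like an opened NC switch: that is the point
        # of using normally-closed contacts (fail-safe on loss of signal).
        switch_open = (door_open and not self.switch_stuck_closed) or self.wire_cut
        return switch_open and not self.logic_failed

    def power_cut(self, door_open: bool) -> bool:
        """Does this channel's contactor actually interrupt the power circuit?"""
        return self.demands_stop(door_open) and not self.contactor_welded


DANGEROUS_FAULTS = ("switch_stuck_closed", "logic_failed", "contactor_welded")
SAFE_FAULTS = ("wire_cut",)


def single_channel(fault: Optional[str], diagnostics: bool) -> str:
    """Category B (diagnostics=False) or Category 2 (diagnostics=True)."""
    ch = Channel(**{fault: True}) if fault else Channel()
    # Category 2: the self-test runs before the demand. Assumed coverage: it
    # exercises the contactor (feedback contact) and the logic channel, but it
    # cannot see a door switch that is mechanically stuck closed.
    if diagnostics and (ch.contactor_welded or ch.logic_failed):
        return "safe (test detected fault, machine stopped)"
    return "safe" if ch.power_cut(door_open=True) else "DANGEROUS"


def dual_channel(fault: Optional[str], faulted_channel: int = 0) -> str:
    """Category 3: two independent channels, output contactors in series."""
    chans = [Channel(), Channel()]
    if fault:
        setattr(chans[faulted_channel], fault, True)
    # Contactors in series: power is cut if EITHER channel opens its contactor.
    return "safe" if any(c.power_cut(door_open=True) for c in chans) else "DANGEROUS"


def runs_when_door_closed() -> bool:
    """Sanity check: a healthy dual-channel system must not nuisance-trip."""
    return not any(c.power_cut(door_open=False) for c in (Channel(), Channel()))


def compare_categories() -> Dict[str, Dict[str, str]]:
    """Outcome of a demand (door opened) under each single fault, per category."""
    table = {}
    for fault in (None,) + SAFE_FAULTS + DANGEROUS_FAULTS:
        table[fault or "no fault"] = {
            "Cat B": single_channel(fault, diagnostics=False),
            "Cat 2": single_channel(fault, diagnostics=True),
            "Cat 3": dual_channel(fault),
        }
    return table


if __name__ == "__main__":
    for fault, row in compare_categories().items():
        print(f"{fault:20s} " + "  ".join(f"{k}: {v}" for k, v in row.items()))
```

Running it prints one row per fault. The cut wire is safe in every category because of the normally-closed contacts; the three dangerous faults are dangerous in Category B, partly caught by the Category 2 self-test, and tolerated outright by the second channel in Category 3. Real safety relays also cross-monitor the two inputs and check contactor feedback, which this model leaves out.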

Categories are only the infrastructure upon which a modern safety system is built, though.  They don’t really tell you how safe the system is, because you can have a Category 4 system built from junk components that will fail before a Category B system built from highly reliable components.  This is where Performance Levels and Safety Integrity Levels come in.  They take the reliability based on physical construction (the category) and add in the reliability based on component quality, giving you a statistical answer that quantifies your safety circuit rather than just qualifying it.  You’ll hear terms like “1×10⁻⁶ PFH” or “PL d” or “SIL 3”.  PL d and SIL 3 are similar; they denote a level of safety based on the “1×10⁻⁶ PFH” term.

“1×10⁻⁶ PFH” is a term that tells you the Probability of Failure per Hour.  Usually there’s a “d” after it (PFHd), which means the probability of failure per hour in a dangerous mode (components can fail either safely or dangerously – your car can either fail to start, or fail to stop).  What “1×10⁻⁶ PFH” means is that you can statistically expect the component not to fail for 10⁶ (1,000,000) hours, or about 114 years, of operation.  The smaller the PFH, the longer before it should fail.  When you add this probability on top of the category (physical construction) of the safety system, you can see how you now have a more quantifiable measurement of its performance.  A Category B system with a combined PFH of 1×10⁻⁹ can potentially outperform a Category 2 system with a PFH of 1×10⁻² (this is an extreme example – typically higher categories will be more reliable).
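The arithmetic behind these numbers is simple enough to script. The following is an added example (not code from the original article) that sums the PFHd of the input, logic and output subsystems of one safety function, converts the result to the expected years between dangerous failures, and maps it onto a Performance Level. The PL bands are the ISO 13849-1 Table 4 ranges (dangerous failures per hour); the subsystem PFHd values at the bottom are constructed sample numbers, the function names are this example's own, and the "required PL" is an input you would take from your risk assessment. It stops at PL and does not attempt the SIL mapping.

```python
"""PFH arithmetic for one safety function: from subsystem numbers to a PL.

Added example, not from the original article. PL bands are the ISO 13849-1
Table 4 ranges; the sample PFHd values are constructed, not measured.
"""
from typing import Optional

HOURS_PER_YEAR = 24 * 365  # 8760
PL_ORDER = "abcde"

# ISO 13849-1 Table 4: PL -> [lower, upper) band of average PFHd.
# Anything better than 1e-7 is still PL e, so the bottom bound is set to 0.
PL_BANDS = [
    ("e", 0.0, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]


def pl_from_pfh(pfh: float) -> Optional[str]:
    """PL letter whose band contains pfh; None if worse than PL a (>= 1e-4)."""
    for letter, lo, hi in PL_BANDS:
        if lo <= pfh < hi:
            return letter
    return None


def function_pfh(input_pfh: float, logic_pfh: float, output_pfh: float) -> float:
    """Series combination: the function fails dangerously if any subsystem does,
    so the PFHd values of input, logic and output are summed."""
    return input_pfh + logic_pfh + output_pfh


def mean_years_to_dangerous_failure(pfh: float) -> float:
    """1/PFH is the expected hours between dangerous failures; convert to years."""
    return 1.0 / pfh / HOURS_PER_YEAR


def meets_requirement(achieved: Optional[str], required: str) -> bool:
    """The achieved PL must be at least the required PL (a < b < c < d < e)."""
    if achieved is None:
        return False
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


if __name__ == "__main__":
    # Constructed sample: door switches (input), safety relay (logic), contactors (output).
    total = function_pfh(input_pfh=2.0e-7, logic_pfh=1.0e-8, output_pfh=1.5e-7)
    print(f"function PFHd = {total:.2e} -> PL {pl_from_pfh(total)}")
    print(f"about {mean_years_to_dangerous_failure(total):.0f} years between dangerous failures")
    print("meets PL d:", meets_requirement(pl_from_pfh(total), "d"))
    # The article's extreme comparison, expressed as PL bands:
    print("1e-9 ->", pl_from_pfh(1e-9), "| 1e-2 ->", pl_from_pfh(1e-2))
```

Note that the years figure is a statistical mean over a large population of identical systems, not a promise about any one unit, which is why the standards also require the structural category and diagnostics rather than a PFHd number alone.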

PL (Performance Level) and SIL (Safety Integrity Level) both try to make quantifying the safety system a little easier to understand and use by grouping the numbers into levels.  PL ranges from PL a to PL e, with PL a being the least safe and PL e the safest.  SIL ranges from SIL 1 to SIL 4, although most people will never go beyond SIL 3 (SIL 4 is typically reserved for catastrophic safety requirements – chemical or nuclear safety).  You might ask, why not just always use SIL 3 or PL e?  Based on your risk assessment, you might not need it, and those high levels of safety are more expensive than the lower levels.  You might be able to shift funding from an area that doesn’t require as much to upgrade an area that requires more.  The lower level of safety might also be less intrusive than the higher level, allowing the operator to perform their job more easily (and in turn, more safely).

In reality, an entire article could be written about each one of these terms and the terms that define them.  Hopefully this beginning lets you start understanding what the terms mean and raises questions.  In the end, the best way to learn how to best protect your people (the Right Safety at the Right Time) is to talk to an expert on the subject, either a Certified Safety Professional or a Functional Safety Engineer.  Take the questions you have from this, start the conversation with that expert, and see where your journey takes you.
