
NFPA 79: One Year Later

Oct. 17, 2003
Changes to the National Fire Protection Assn. standard for machine safety systems provide design choices...and create some confusion over implementation

It's been barely a year since NFPA 79, "Electrical Standard for Industrial Machinery," began allowing the use of Programmable Safety Systems (PSS). The new code allows the use of safety controllers and safety PLCs. The hardwired relays and electronics required by the old code meant relay logic, extra wiring, and safety relays. It was a parallel system that added purchase cost, maintenance cost, and points of failure.

The flexibility of PSS is one reason this is a welcome change to many industry experts. "It's much easier to make changes in a PLC than to rewire a complete work cell," says Vince Gunkel, electrical engineering team leader, Heller Machine Tools (www.heller-machinetools.com), Troy, Mich. He's hardly alone in his thinking. "PSS improves flexibility in design and function, while retaining the reliability of hard-wired systems," adds Tim Otchy, project design engineer with Factory Automation Systems (www.factoryautomation.com), an Atlanta-based engineering and integration company. "Diagnostic features can help our customers quickly identify and rectify problems."

A common complaint about the old code was the "unnecessary costs" of hard-wired safety systems. Many see the new code as welcome relief. Steve Musick, application support manager, Schneider Electric (www.schneiderautoamtion.com), says, "The Code is emerging from the Dark Ages." Tim Parmer, product marketing manager, Siemens Energy & Automation (www.sea.siemens.com), adds, "This alternative to the dual-system requirement can eliminate a significant amount of wiring that doesn't enhance safety."

Where's the Action?

Despite some sound reasons to start using it, there has been no upsurge in PSS implementation since the new code took effect. One big reason seems to be that many builders are not being pushed for programmable safety systems by customers. Roger Bates, controls engineer for custom machine builder DW Fritz (www.dwfritz.com), Portland, Ore., provides an observation shared by many others. "Most of what we do is customer-driven," says Bates. "And because Fritz has so many European customers, that work tends to be based on IEC standards."

U.S. customers tend to specify hard-wired safety controls, despite the new code. "It hasn't changed our project specifications," states Dave Shaeffer, electrical engineer for secondary packaging equipment builder Pearson Packaging (www.pearsonpkg.com), Spokane, Wash. "It's nice, but until our customers specify it, we aren't using it."

Contributing to the lack of customer interest is the difficulty of NFPA 79 conformance. Tammy Forman, an engineer in safety systems at Daimler Chrysler, Auburn Hills, Mich., works closely with machine builders. "Not many USA builders are using PSS per NFPA 79," she says. "Conformance requires careful attention to the details of NFPA 79, which is not as prescriptive as an IEC standard." Daimler Chrysler, successful in its PSS implementation, has a comprehensive program that few end-users can match.

Comparing Old and New

The old code required relay logic, extra wiring, and safety relays, all of which added purchase and maintenance costs, plus points of failure. The new code permits using an electronic logic hardware or software system, and a communication network or link, that complies with certain provisions and has the right listing.

Figure 1: Bring the Code to Your PLC

The new code allows users to bring the safety system control elements into the PLC. The system can have safety supervisory ability, reporting, and diagnostics. The wiring is simpler and cheaper, troubleshooting is quicker, there are fewer points of failure, and the system uses less space. (Source: Rockwell)

Because the new code allows you to bring the safety system control elements into the PLC (Figure 1), your system can have safety supervisory ability, reporting, and diagnostics. The wiring is simpler and cheaper, troubleshooting is quicker, you have fewer points of failure, and the system uses less space. Safety PLCs may offer several hundred I/O points, digital and analog.

Modifying an application is as easy as changing the program on your laptop and uploading it to the controller. "Our customers' needs are always changing," says Gunkel. "With hardwired relays, there's more cost to change over the equipment to a new configuration to meet changing production needs. PSS reduces downtime, wiring mistakes, and other problems in process reconfigurations."

Factory Automation has a prime example of a safety solution developed for a large metals processor. "The PSS had to comply with applicable codes, while maintaining the functionality of widely-varying existing equipment," says Otchy. "We devised a flexible safety package that strictly adhered to the NFPA-79 and RIA [Robotic Industry Assn.] safety requirements, while standardizing operating procedures. The system allows process/equipment modifications, without major redesign of the safety control system. It also means significant reductions in training time and parts inventories."

However, a PSS may cost more than a given application justifies, so it's not always the best choice. But at least there are alternatives to consider. "Now designers can choose the technology most suitable for their applications," says Thomas Pilz, CEO, Pilz Automation Safety L.P. (www.pilz.com), Canton, Mich. "Sometimes, this is the old hardwired circuit and other times it's a programmable safety system."

Issues With the New Approach

Contrary to some opinions of the new approach, a PSS doesn't self-design your safety system. Pilz cautions against bypassing the design process. "Whether you put safety devices in series does not depend on the technology, but on the design criteria for the Risk Category," he says. "The required steps are risk assessment to determine the risk category, device selection, circuitry design per category, and finally, the validation of the design to the specified category."

The mere presence of safety controllers does not inherently make a system safe. "It's critical to implement any safety system with great care and planning," adds Otchy. "We do a comprehensive safety evaluation of each project to determine the applicability of these technologies to the desires and requirements of our customers. Sometimes, the customer would best be served by a conventional relay-based safety package. For the more complex and flexible designs, we often recommend the integration of a PSS."

Normal PLC implementation issues have to be considered. These include the location of modules, NEC Chapter 3 wiring methods, and programming standards. You must select a PLC with the proper Listing for the purpose. Currently, modules are Listed but not Labeled, which could create confusion for installers and end-users.

Figure 2: Risk Analysis Defines Actions

Risk analysis according to EN 954-1 and IEC 61508 provides system-level validation guidelines that consider the specific application. Europeans and Americans want standards harmonization, so the reference to IEC 61508 in NFPA 79 signifies the convergence of these codes. (Source: Siemens)

A recognized weakness of NFPA 79 is that it just isn't very descriptive. Frank Watkins, safety controllers program manager, Rockwell Automation (www.rockwellautomation.com), says, "NFPA 79 provides guidelines and steps, but it doesn't provide the details that would help users determine what level of safety to apply. Our goal in the next revision is to add a more quantitative analysis." NFPA 79 partially fills this void by listing IEC 61508 as a reference in the appendix.

Security also is a major issue with PSS. "You must ensure your security measures are adequate," warns Forman. "Those measures can include special passwording, but don't stop there."

Tom Tomack, electrical engineering manager for packaging machine builder Klockner Bartelt (www.barteltinc.com), Sarasota, Fla., adds, "Isolated relay design rules are very clear, so we tend to stay with it. There is no external means of changing it, so security is fairly high. With a PLC, it's easier to modify and that means more chance of unauthorized modification."

Product Offering Changes

Some new products will emerge, but the main change will be in system design. "The standard does not create products," says Pilz. "End-user demands will drive product design changes. Certainly, EN 954-1 and EN 61508 will promote changes to the control cabinets of U.S. machines because end users will want systems that conform to these standards."

Under the new code, a designer can use risk analysis, looking at the severity of an alarm condition and at other aspects of the machine, in the design criteria, while providing a fail-safe machine with "no restart" built in.

The new code also frees designers and builders to provide more value-added features. "This allows for third party condition-based maintenance and inspection, which isn't possible with just relays," says Parmer.

Dedicated safety application instructions will continue to grow in popularity. These will ease the implementation of PSS by offering certified solutions for difficult safety applications. "Some customers are holding off to see where it settles," believes Schaeffer. "UL Listing is a problem, because some components required for a complete panel in some situations are not Listed."

European vs. U.S. Standards

Roughly speaking, the American philosophy holds the employer responsible for a safe work environment, while the European philosophy holds the machine builder responsible for a safe product. American standards are not prescriptive, while IEC standards are highly prescriptive. "This difference in approaches really does not drive different product designs, but results in different testing and installation," says David Collins, control products marketing specialist, Square D/Schneider Electric.

Some validation specifications, such as IEC 61508, provide system-level validation guidelines that consider the specific application. EN 954 (Figure 2) addresses the final step, validation. Europeans and Americans want standards harmonization, so the machine is safe regardless of the standard used. "The reference to IEC 61508 in NFPA 79 signifies the similarities and convergence of these codes," says Watkins. "This helps end-users with global operations to standardize on one control method for their safety applications."

This isn't the end of changes to NFPA 79. A future revision should include the missing Labeling requirements. Guidance for the circuitry designer is an issue. William Goble, a principal partner of safety consulting firm Exida (www.exida.com), says convergence between U.S. and IEC standards is "the next big thing in NFPA 79." He sees savings in design and implementation costs, once that occurs. Further, he says that process is already underway.

Collins agrees, "You can see this pattern in NFPA 79's adoption of entire IEC regulations."

Mark Lamendola is a freelance writer with many years of experience working in and writing about industrial automation issues.

Sidebar:

Device Differences

Relay vs. safety relay:

A standard control relay is usually a single device. It has a coil that moves contacts when energized or de-energized. The position of the contacts (open or closed) controls the motion of a machine. A safety relay is a circuit. The relay components of the circuit are positive-guided relays, meaning that in the case of a welded contact, the other contacts cannot fall back into their de-energized state. The device will stop the machine, even in the event of a component failure. This circuit monitors itself for failures and prevents restart after fault detection.

PLC vs. safety controller:

You can implement PSS with redundant PLCs or with a safety controller. Standard and safety PLCs differ in the design specification of the logic circuits. Each logic circuit of a safety PLC (SPLC) contains several test points. A typical SPLC output circuit contains multiple current-interrupting devices, often under microprocessor control. SPLC power supplies fail in a predictable mode, by design. Backplanes between the SPLC controller and local I/O modules provide redundant communication channels with logical switchover in the event of failure. Communication to remote I/O devices is via networks running sophisticated error detection/correction protocols.
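The behaviour the sidebar describes for a safety relay (stop on any component failure, self-monitoring, no restart after a fault) and the "no restart" requirement in the body of the article can be written out as control logic. The following is an added example, not code from the article or from any vendor named in it: a simplified Python simulation of a two-channel safety relay whose output is allowed to energize only on release of a monitored reset button, after a feedback loop through the output contactors' mirror contacts proves they all dropped out. The signal names, the discrepancy window of three scans, the fault strings and the scan sequences in the scenarios are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SafetyRelay:
    """Simplified model of a two-channel safety relay (example, not a product).

    Per-scan inputs, True = contact closed / signal present:
      ch1, ch2  - the two redundant E-stop or guard channels
      feedback  - series NC mirror contacts of the output contactors;
                  True means every contactor has dropped out
      reset     - the manual reset push-button
    """
    discrepancy_limit: int = 3            # scans the two channels may disagree (assumed)
    enabled: bool = False                 # safety output (contactor coils)
    fault: Optional[str] = None           # latched fault reason, None when healthy
    log: List[str] = field(default_factory=list)
    _discrepancy: int = 0
    _reset_was_pressed: bool = False

    def scan(self, ch1: bool, ch2: bool, feedback: bool, reset: bool) -> bool:
        # Monitored reset: act on *release* of the button, so a stuck or
        # jumpered reset input can never produce a start.
        reset_released = self._reset_was_pressed and not reset
        self._reset_was_pressed = reset

        if not (ch1 and ch2):
            # De-energize-to-trip: any open channel drops the output at once.
            if self.enabled:
                self.log.append("stop")
            self.enabled = False
            if ch1 != ch2:
                # One channel opened without the other. Beyond a short window
                # that is a wiring or contact fault, so latch it.
                self._discrepancy += 1
                if self._discrepancy > self.discrepancy_limit:
                    self._latch("channel discrepancy")
            return False

        self._discrepancy = 0
        if self.fault or self.enabled or not reset_released:
            return self.enabled

        # Both channels healthy, output off, operator released reset. Before
        # energizing, the feedback loop must prove every contactor dropped
        # out; a welded contactor holds its mirror contact open.
        if not feedback:
            self._latch("feedback open: contactor welded or stuck")
            return False
        self.enabled = True
        self.log.append("start")
        return True

    def _latch(self, reason: str) -> None:
        if self.fault is None:
            self.fault = reason
            self.log.append(f"fault: {reason}")

    def clear_fault(self, feedback: bool) -> bool:
        """Acknowledge a latched fault (stands in for a power cycle). Allowed
        only with the output off and the feedback loop healthy."""
        if not self.enabled and feedback:
            self.fault = None
            self._discrepancy = 0
            return True
        return False


# Constructed scan sequences for the three cases the sidebar has in mind.
def scenario_normal() -> SafetyRelay:
    """Power-up, reset, E-stop press and release; no automatic restart."""
    r = SafetyRelay()
    r.scan(True, True, True, False)        # power-up: healthy, but no start
    r.scan(True, True, True, True)         # reset pressed
    r.scan(True, True, True, False)        # reset released -> start
    r.scan(True, True, False, False)       # running: contactors pulled in
    r.scan(False, False, False, False)     # E-stop pressed, both channels open
    r.scan(True, True, True, False)        # E-stop released: output stays off
    return r


def scenario_welded_contactor() -> SafetyRelay:
    """After the stop one contactor stays pulled in, so feedback never closes."""
    r = scenario_normal()
    r.scan(True, True, False, True)        # reset pressed, feedback still open
    r.scan(True, True, False, False)       # release -> relay refuses and latches
    return r


def scenario_channel_discrepancy() -> SafetyRelay:
    """Channel 2 is jumpered out: it never opens when the E-stop is hit."""
    r = SafetyRelay()
    r.scan(True, True, True, True)
    r.scan(True, True, True, False)        # start
    for _ in range(5):                     # ch1 opens, ch2 stays closed
        r.scan(False, True, False, False)
    r.scan(True, True, True, True)         # looks healthy again, try a reset
    r.scan(True, True, True, False)        # blocked: the fault is latched
    return r


if __name__ == "__main__":
    for fn in (scenario_normal, scenario_welded_contactor, scenario_channel_discrepancy):
        r = fn()
        print(f"{fn.__name__}: enabled={r.enabled} fault={r.fault!r} log={r.log}")
```

This is a model of the behaviour, not a substitute for a Listed safety relay or safety PLC, which reaches the same result with redundant positive-guided hardware and is validated to the risk category chosen in the design steps Pilz lists. The welded-contactor and jumpered-channel cases are the component failures the sidebar refers to, and the jumpered reset is the kind of field modification the monitored-reset rule exists to defeat.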