Machine Safety Update: Digital Safety Emerges

How a Growing Understanding of World Standards Has Enhanced the Value of Programmable Safety Systems

By Jason Christopher

The integration of enhanced safety systems by system integrators and machine builders is accelerating at an unprecedented pace—and with good reason. It’s estimated that $7.2 billion per year is lost in compensation payments for workplace injuries in the industrial sector alone.

And this figure is just the direct cost of workplace injuries, such as medical and insurance administration fees, and represents only 29% of the total expense associated with these injuries. The other 71% involves lost revenue and fringe benefits. The total amount lost by U.S. firms from avoidable injuries reaches a staggering $32 billion annually.

At the same time, machine control professionals are always under pressure to create designs that meet tighter budget requirements, while still providing better performance than ever before, especially in the domain of safe operation. Though these two forces might seem mutually exclusive, engineers and manufacturers now are capable of making their systems safer for all parties involved. This is largely possible because they’re using programmable safety systems in place of traditional, hardwired, relay-based solutions.

Just What They Needed
“We thoroughly evaluated a variety of safety approaches for our latest tandem-line installation, and, hands down, the best choice was a safety PLC system,” says Joe Quigg, corporate controls engineering manager for International Automation in Windsor, Ontario, Canada. “Start-up time, engineering time, material costs, and space considerations all pointed to the use of this technology. We could not have achieved the functionality we needed with a traditional hardwired system. The safety PLC was our only real option.”

This is one of those few, genuine paradigm shifts for many of us. The hard-and-fast rule of safety systems always has been that anything related to the safety system—even remotely—had to be hardwired with absolutely no exceptions. However, when today’s advantages are weighed against today’s disadvantages, perhaps we’ll be willing to reconsider what we’re comfortable implementing. Further, when the finance department catches wind of these advantages, they’ll help persuade you, too.

“More of the standard automation technology we have today will be adapted to also become safe automation,” believes Tina Hull, applications engineer with Pilz Automation Safety. Hull adds this means using programmable safety systems for controlling safety systems on industrial and skid-mounted machines. “Some designers will have to adjust their comfort zone. There usually is some resistance to change, but people find it easier to accept and use technology when it proves its robustness, and demonstrates its effectiveness in saving lives.”


The PLC revolutionized industrial automation when it first emerged, but it wasn’t adapted for safety applications until recently. The failure of solid-state devices is difficult to anticipate without some very sophisticated self-monitoring capabilities, and this presented problems for using them in safety systems. Also, the revision control and tiered authorization needed to govern edits to safety software traditionally weren’t mature enough to give safety applications the protection they require.

In 2002, however, a revised edition of National Fire Protection Association (NFPA) 79 standard was published. NFPA 79 is one of the most prominent standards covering industrial machinery safety in the U.S. This revision was the first for the standard since 1997. Just think of how much automation changed in those five years. The revision included a few key changes that helped push implementation of programmable safety systems. [See the sidebar below, “NFPA Revisions,” which includes the new standard’s key elements.]

More Endorsements
Other machine builders taking advantage of safety PLC technology include Heller Machine Tools, Troy, Mich. “With the latest drive and safety PLC technologies, we can bring safer, more functional machine tools to our customers without increasing costs,” says Vince Gunkle, Heller’s electrical engineering team leader. “We can help our customers safely manipulate the machine without the risk of it running away. In the past, the drive speed would need to be monitored by external systems, and it was very difficult to do. Now, it’s all done right in the CNC.”

Omron Electronics in Schaumburg, Ill., also is onboard with programmable safety systems. “Network safety revolutionizes the way safety is done,” says Gil Guajardo, Omron’s safety product marketing manager. “Unless the safety application is small-scale or trivial, system integrators, machine builders, and end users strongly consider network safety solutions, and most often conclude that a network safety device is the optimal safety solution.”

Similarly, fieldbuses and the whole concept of digital networking long ago modernized machine control design. It’s now rare to see anyone using “home-run” wiring to integrate a piece of equipment. The cost of a networked system is less than point-to-point, and it provides more diagnostic tools for easier installation and faster troubleshooting in the event of a failure.

Consequently, the opportunities that come from programmable safety are merging with the digital control network. “The newest versions of safety networks integrate the safety and control system as one common unit. There is no need for a separate safety bus or safety PLC,” says Joe Lazzara, president and CEO of Scientific Technologies Inc. “This saves more costs in design, materials, and installation.” Quite apart from eliminating the separate safety bus, Lazzara expects the control bus to be “a major force in the further integration of safety and the machine controls into one seamless control system.”

Can’t Do This With Hardwiring
Especially for manufacturers expecting machine availability approaching 100%, time is money. So time saved in a downtime event means dollars to the bottom line. Advanced diagnostics, the ability to zone-protect a piece of equipment, and safe orderly shutdowns that can be recovered from without technician intervention, all represent significant operating time recovery for manufacturers. Unfortunately, these features represent overwhelming challenges to the old hardwired systems.

“For example,” asks Lazzara, “how do you determine which mechanical guard isn’t fully latched? Like their non-safety brethren, the beauty of the safety-rated control network is that with less wiring a specific device can be identified and the problem diagnosed.”

International Automation’s Quigg says the simplicity introduced by the programmable safety system gave everyone from maintenance electricians to the plant manager a great degree of comfort. “They were all comfortable that, not only would the system work, but they would be able to keep it working for the long haul,” he says.

Looming Liability
Liability and legal issues represent a significant consideration for today’s machine builders, even as machines are expected to be more productive. Doing the same work in less time usually means more power and force, which makes the equipment harder to control or, at least, harder to bring to a controlled stop. By default, such machines have the potential to be more dangerous than before, and the risk an OEM takes on increases proportionally.

“Lawsuits against industrial OEMs who have been diligent in their efforts to build safe machines will decrease in number,” contends Tom Doyle of Industrial Safety Integration, Fergus, Ontario, Canada, speaking on the need for due diligence in safety system design. “This requires that OEMs ensure they’re in a defendable position prior to offering their equipment for sale.”

However, the most significant way that machine safety contributes directly to a corporate bottom line is through reduced workplace injuries. “To some degree large companies are recognizing that reduced profits due to workplace injuries is an area in which prevention can be an investment strategy,” adds Doyle.

Pilz’ Hull agrees, and explains, “Injuries cause an enormous expense due to downtime, work limitations, increased insurance and workers’ compensation costs, and machine shutdown for inspections. Injuries also are time consuming because they start a lengthy paperwork process for everyone from the injured worker to human resources personnel, and let’s not forget legal counsel.”

Doyle doesn’t entirely buy this. “Most employers fail to realize the true costs associated with workplace injuries,” he states. In spite of this, according to a recent Liberty Mutual poll, 95% of business executives report that workplace safety has a positive impact on a company's financial performance, with 61% believing their companies receive a return on investment of $3 or more for each $1 they invest in improving workplace safety.

Nothing Standard About Standards
Despite compelling reasons for enhancing safety on the equipment we build, there are other obstacles. Tom Tomack, electrical engineering manager for packaging machine builder Klockner-Bartelt, Sarasota, Fla., contends that the “different standards requirements for different parts of the world costs money. CE costs money. More importantly, people are getting sued when there’s an injury because there’s the perception that the OEM built a ‘safer’ machine for the other market.”

Varying standards make machines more expensive, agrees Gunkle. “Most people contend that CE marking costs them more, but, as a German company, we’ve found that altering our machines to meet U.S. requirements costs extra too,” he says.

Quigg tried to keep International Automation ahead of the curve. “One of our design objectives was to create a system that would need as little modification as possible to apply to other markets,” he says. “International Automation will save money in the long run because the design is very applicable to both the European and the North American markets.”

There are international standards, which many of us know aren’t so international, as well as national standards and local standards. Understanding when and where to apply each of the different requirements for machines under control can be a full-time job. This represents one of the greatest challenges facing safe system designers.

“Standards are more difficult for people to embrace since every industry and every nation has a different standard,” says Hull. “Many systems today use multiple industrial technologies and will be installed in different countries. The question usually is about which standard to use.”

The magnitude of the problem multiplies with the increasing complexity of safety systems. As a result, safety engineering becomes more fundamental to the design of the machine. “Clearly, the risk and safety considerations are being evaluated and mitigated ever earlier in the design cycle,” says Lazzara. “The days of ‘we’re almost finished, let’s throw the safety guards on,’ or, worse, leaving the safety issues for the customer to resolve, are over. Safety becomes an integral part of the machine control.” Because of this, the question of which standards to apply becomes a more significant issue when considering the impact on the overall design.

There is progress, albeit slow, toward harmonizing the major global standards. “We’ll continue to see the trend of globalization and the rapid pursuit of common, international standards for machine safety,” predicts Lazzara. “Clearly, Europe has been driving this effort. The U.S. still is lagging in the trend toward harmonization of U.S. and international, or should I say European, standards.”

David Fisher, manager of special projects for Rockwell Automation, is optimistic about harmonizing the standards. “Many of the current standards used in different countries are converging, which will help align requirements, and make it easier for global companies to comply with these standards,” he says. “It might require some positive thinking, and maybe even a leap of faith, but harmonization is possible and it has already begun.” Fisher points to recent success in standards such as IEC TC-44, “Standardization of User Guideline for Safety Related Field Networks,” which has members from a U.S. Technical Advisory Group working alongside the other members of the IEC.

As stated earlier, including programmable safety devices in NFPA 79 represented a significant advance. However, while the 2002 revision of NFPA 79 included provisions for programmable safety systems, it intentionally didn’t provide much detail about how to implement these systems. Instead, it included a brief, yet significant, reference that opened many doors for machine designers dealing with the U.S. market. Annex A of the standard contains the following clause:

“A.9.4.3 IEC 61508 provides requirements for the design of control systems incorporating the use of software and firmware-based controllers to perform safety-related functions.”

This, in effect, assigns the responsibility for governing software-based systems to international efforts of the IEC. Not only does this provide a venue for designing programmable safety systems for the U.S. market, it also provides a means for instant harmonization for safety systems, regardless of geography.

“The main enablers of change are the functional safety standards such as IEC 61508, IEC 62061, and their ilk,” says Fisher. “They enable the concepts and technology required to really implement these solutions.”

Show Me the Differences

The essence of a programmable safety system is different than its hardwired predecessor. “Hardwired safety systems are designed as monitoring systems with the sole purpose of shutting down an otherwise well-functioning system at the moment that a violation of the safety system occurs,” explains Pat Mosher, senior controls engineer at General Motors’ truck assembly plant in Detroit. “It actually is overlaid on top of the control system as a separate system. There is very little flexibility when restarting the system. Because of the complexity associated with hardwired redundancy on safety-rated devices, operations such as safe zoning, diagnostics, device monitoring, and system feedback all become a cumbersome burden that adds complexity and cost to the system. This often proves to be more burdensome than helpful.”

Consequently, because it’s difficult to generate just one safety-rated output in a hardwired system, a hazardous activity typically is stopped by cutting power to many or all devices simultaneously, even if they aren’t associated with the event. As a result, reverberations are felt in many different areas.

On the other hand, programmable systems have a distinctly different role than their hardwired brethren. Because of flexibility from its software origins and its tight integration with the main control system, often right in the same PLC and/or network, it actually becomes part of the control system.

Mosher says to consider a light curtain on an assembly machine. With a traditional hardwired system, if the light curtain is violated at an inopportune point in the cycle, then the safety system will halt the process, most likely similar to an E-stop condition. “Difficulty might then be experienced with homing the tooling, generating scrap, re-sequencing the machine, and just recovering from the fault in general under these circumstances,” says Mosher.

With a programmable system, it’s a different story. “In the same light curtain setting, when the programmable safety system is violated, only the necessary devices need to be powered down,” explains Mosher. “Power not only can be maintained to the rest of the operation, but unaffected manufacturing process can continue. This is where the real power of a programmable safety system comes from.”

Combine this advantage with inherent advanced diagnostics, and you can now give operators the information they need to keep their machine running. For maintenance and troubleshooting, the advanced diagnostics found in an intelligent, networked device provide facts about why the safety conditions aren’t met. Is the door switch key not fully inserted? Is the light curtain starting to come out of alignment? The diagnostic evidence from a single device can be very useful when troubleshooting.

Design Differences Defined
There are some design differences that need to be taken into account when considering programmable systems, warns Mosher. Many of us are familiar with Risk Categories B through 4 in the EN 954-1 standard. When designing a programmable safety system, this analysis isn’t used. Instead, Safety Integrity Levels (SILs) are used.

Safety integrity is defined in IEC 61508-4 as the probability of a safety-related system to satisfactorily perform the required safety functions under all stated conditions within a stated period of time. The higher the level of safety integrity, the lower the probability that the safety-related system will fail to carry out the required safety functions.

The standard defines a Safety Integrity Level (SIL) as a discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the safety-related systems, where Level 4 has the highest level of safety integrity and Level 1 has the lowest. Figure 1 below draws a loose correlation between SIL and EN 954-1 categories.

Figure 1: EN 954-1 Risk Category vs. SIL Level (loose correlation)

Still Need Redundancy
Depending on the risk category, redundancy might be required for many hardwired safety circuits. A switch to a programmable system doesn’t necessarily eliminate that need. Redundancy on the inputs is required as a result of the integrity of the input device (door switch, light curtain outputs, palm button, etc.). This requirement doesn’t go away.

However, redundancy on the outputs is handled differently. “When using non-safety-rated output modules, steps need to be taken to provide monitoring of the outputs to ensure proper operation,” says Mosher.

In Figure 2 below, only one output point is required to control the hazardous actuator shown. The output, however, is monitored by the system. First, the output module is wired to an input module for monitoring purposes. “If, under any circumstances, the output is turned off, but the input detects a voltage there, then a fault condition occurs,” says Mosher. “This is when an additional relay is used to cut off power to the entire module, and it’s wired in series with the power terminal of the output card.” This relay is controlled by the same programmable safety system as the output point and the monitoring input point. If a fault condition is detected, then power to the entire module is cut via this additional relay.

Figure 2: Redundant Differences

Redundancy on inputs is required as a result of the integrity of the input device in both home-run and networked solutions. Redundancy on the outputs, however, is handled differently. Only one output point is required to control the hazardous actuator shown. The output module is wired to an input module for monitoring purposes. If the output is turned off, but the input detects a voltage there, then a fault condition occurs, and an additional relay is used to cut off power to the entire module. Unlike the hardwired system, violations of the safety system result only in the shutdown of the affected actuator or device. The necessity to cut power to many (or all) devices is precipitated only when there is a failure in the hardware controlling the actuator, also known as the output card.

This sounds analogous to the hardwired system, in which a violation of the safety system cuts power to many devices, but there are significant differences. With the programmable safety system, violations of the safety system result only in shutting down the affected actuator or device. The necessity to cut power to many (or all) devices only is precipitated when there’s a failure in the hardware controlling the actuator, also known as the output card.

“It’s also necessary to conduct regular ‘proof tests’ of each safety-related output point at specified intervals,” Mosher adds. Proof tests are designed to regularly verify proper operation of the safety circuitry. They require the user to cycle the output on and then off, and verify that it functions as required. These proof tests can be automatic, with the logic written to sense the on/off status of the system, or they can be performed manually by a qualified technician with a voltmeter.

With safety-rated output modules, however, there’s a different way to ensure proper and safe operation. Monitoring of the output point by a separate input module, as in the above example, is taken care of internally to the output module. This eliminates the need for separate wiring to the input module. Using the external relay to cut power to the output card still is required.
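To make the output-monitoring scheme, the zone-only shutdown Mosher describes for the light curtain, and the proof test concrete, here is an added Python model of them. It is example code written for this page, not code from the article, from General Motors, or from any safety PLC vendor. `OutputModule`, `OutputPoint`, the zone names and the `stuck_on` flag are all constructed for illustration; `stuck_on` stands in for a hypothetical welded contact or shorted output driver. The model also exhibits the single-failure behaviour the 2002 NFPA 79 clauses quoted in the sidebar below require of a software-based controller: shutdown to a safe state, no further operation until the failure is corrected, and no restart on correction alone.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OutputPoint:
    """One non-safety-rated output point plus its feedback wire (Figure 2)."""
    name: str
    commanded: bool = False   # state the safety logic is asking for
    stuck_on: bool = False    # constructed fault: driver shorted / contact welded

    def terminal_live(self, module_powered: bool) -> bool:
        """Voltage the monitoring input sees: module power AND (commanded or stuck)."""
        return module_powered and (self.commanded or self.stuck_on)


class OutputModule:
    """Output card whose supply terminal passes through the monitoring relay."""

    def __init__(self, names):
        self.points: Dict[str, OutputPoint] = {n: OutputPoint(n) for n in names}
        self.relay_closed = True          # relay in series with the card's power
        self.fault: Optional[str] = None  # latched until a deliberate reset

    def actuator_live(self, name: str) -> bool:
        return self.points[name].terminal_live(self.relay_closed)

    def command(self, name: str, on: bool) -> None:
        """Zone-level action: only the named actuator is affected."""
        if self.fault is not None:
            return                        # no operation while a fault is latched
        self.points[name].commanded = on
        self.check_feedback(name)

    def check_feedback(self, name: str) -> None:
        """Mosher's rule: output commanded off but input reads voltage -> fault."""
        p = self.points[name]
        if not p.commanded and p.terminal_live(self.relay_closed):
            self.trip(f"{name}: commanded off, feedback input live")

    def trip(self, reason: str) -> None:
        """Single-failure response: drop power to the whole card and latch."""
        self.relay_closed = False
        self.fault = reason
        for p in self.points.values():
            p.commanded = False

    def proof_test(self) -> Dict[str, bool]:
        """Cycle each point on then off, verifying feedback both ways.
        Run at the specified interval with the machine in a safe state."""
        results = {}
        for name, p in self.points.items():
            if self.fault is not None:
                results[name] = False
                continue
            p.commanded = True
            on_ok = p.terminal_live(self.relay_closed)
            p.commanded = False
            self.check_feedback(name)     # a stuck-on point trips here
            results[name] = on_ok and self.fault is None
        return results

    def reset(self) -> bool:
        """Technician reset: re-closes the relay only if every point now reads off.
        Never re-energises an actuator (no unintended startup after correction)."""
        if self.fault is None:
            return True
        self.relay_closed = True
        for p in self.points.values():
            if p.terminal_live(True):
                self.relay_closed = False  # failure not corrected: stay de-energised
                return False
        self.fault = None
        return True


def light_curtain_violation() -> OutputModule:
    """Zone A's curtain is broken mid-cycle; zone B keeps running (constructed scenario)."""
    mod = OutputModule(["zone_a", "zone_b"])
    mod.command("zone_a", True)
    mod.command("zone_b", True)
    mod.command("zone_a", False)          # safety system violated in zone A only
    return mod


def stuck_output_then_reset():
    """Zone A's output driver fails short; the card is powered down, then repaired."""
    mod = OutputModule(["zone_a", "zone_b"])
    mod.command("zone_a", True)
    mod.command("zone_b", True)
    mod.points["zone_a"].stuck_on = True  # constructed hardware failure
    mod.command("zone_a", False)          # monitoring input still sees voltage
    first_reset = mod.reset()             # refused: failure not yet corrected
    mod.points["zone_a"].stuck_on = False # technician replaces the card
    second_reset = mod.reset()
    return mod, first_reset, second_reset
```

The feedback comparison runs on every command here; on a real controller it would run every scan, and `reset` would be tied to a physical reset input rather than a method call. The point the model makes is the asymmetry in the article: a safety violation drops one actuator, while a mismatch between what the output was told to do and what the monitoring input reads drops the whole card and stays dropped until someone fixes it.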

The NFPA Revisions

The main clauses of interest that changed in NFPA 79 2002 include:
Where a Category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. Exception: an electronic logic (hardware or software) system as well as the communication network or link that complies with both 9.4.3 and 11.3.4 and is listed for Category 0 emergency stop function shall be permitted. The final removal of power shall be accomplished by means of electromechanical components.

Control Systems Incorporating Software and Firmware Based Controllers. Control systems incorporating software and firmware based controllers performing safety-related functions shall conform to all of the following. In the event of any single failure, perform as follows:
• Lead to the shutdown of the system in a safe state
• Prevent subsequent operation until the component failure has been corrected
• Prevent unintended startup of equipment upon correction of the failure
• Provide protection equivalent to that of control systems incorporating hardwired/hardware components
• Be designed in conformance with an approved standard that provides requirements for such systems

Use in Safety-Related Functions. Software and firmware based controllers to be used in safety-related functions shall be listed for such use.
