Two main trends have become evident in recent years. On one hand, more and more electrical, electronic and programmable systems are being integrated into all types of machinery, including lifting machines. On the other hand, new worldwide standards treat safety as the most important objective to be achieved across the product lifecycle.

Safety may be defined as “the reduction of risk to a tolerable level.” When applied to radio remote controls for lifting machines, this can include such things as electrical safety (protection against electrical shock and fire), and electromagnetic radiation and immunity requirements. These are important aspects, and are the subject of mandatory requirements, for example, the EU Low Voltage and R&TTE directives and the associated standards. But we are primarily concerned here with functional safety, “the correct functioning of a control system in response to input signals thus reducing external risks to a tolerable level.”

Functional safety

Today, the evolution of national and international standards recognises the importance of functional safety. For many years there was only one descriptive standard on the safety of control systems, namely EN 954-1 (safety of machinery – safety-related parts of control systems), and it is still the basis for many test and certification regimes.

This standard describes safety requirements and provides guidance on principles for the design of safety-related parts of control systems, including programmable and electronic systems. It applies to all safety-related parts of control systems, regardless of the type of energy used, for example, electrical, hydraulic, pneumatic, mechanical, and applies to all machinery for professional and non-professional use.

EN 954-1 defines different levels of fault resistance as categories (Table 1). Each category is characterised by the behaviour of the safety function under fault conditions, and by whether that behaviour is achieved through the structural arrangement of the parts or through their reliability. It is important to note that truly fail-safe behaviour (categories 3 and 4) requires a structure that is redundant and monitored, not simply “reliable.”

Table 1

Risk analysis

The particular safety level required for a given application must be determined through a risk analysis that takes into account:

– the probability of a hazardous event

– the severity of the possible consequences of a failure

– the frequency and duration of exposure to the hazard

– the possibility of avoiding the hazard

This procedure must be performed not only by the machinery manufacturer but also by the end user or, more generally, by whoever has responsibility for overall safety. The reason is simple: only an analysis that considers both the machine and its working environment can be correct and complete.

As discussed in the previous article in this series, when analyzing a radio remote control system, we consider two separate safety functions:

– the STOP function

– unexpected motion from standstill

For each of these safety functions, we must use the risk-tree of Fig 1 to determine a suitable safety category.

Fig 1

We use here the example of an electric overhead travelling crane moving heavy loads in a typical factory environment. Consider first the risk that the STOP function is inoperable:

Starting from point A in Fig 1, the possible severity of injury is serious if, for example, a heavy load is dropped or is otherwise not controllable, hence select S2. The frequency and/or exposure time to the hazard is high if one considers that many persons are working nearby while the crane is in operation, hence select F2. Finally, the possibility of avoiding the hazard must be evaluated for the specific conditions on that site but in general should exist, hence select P1.

So the minimum category required for the STOP function is category 3.

Secondly, consider the risk that a fault may initiate unwanted crane motion. Again, we select the path S2-F2-P1, with a result of Category 3.

Given that most cranes and lifting machines face similar risks, it is not surprising that industry-specific standards such as EN IEC 60204-1/32, EN 13557 or the Australian AS 1418.1 mandate a minimum safety category of 3. (Note that category 4 may still be required if the risk assessment so determines.)
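The risk-graph walk described above, written out as an added example (this is not code from the original article or from any manufacturer). It reconstructs the EN 954-1 Annex B risk graph that Fig 1 depicts, goes beyond the single S2-F2-P1 path in the text by covering all branches, and then applies the category 3 floor that the lifting-machine standards impose. The category mapping, in particular the lower and higher categories shown beside each preferred one, is my reading of Annex B and should be checked against the figure in the standard before use.

```python
"""EN 954-1 Annex B risk graph for a safety function, plus the lifting-machine floor.

Added example, not the article's own code. The RISK_GRAPH table is my
reconstruction of Annex B (the article's Fig 1): S1 leads straight to
category B; only for S2 are the F and P branches evaluated.
"""
from collections import namedtuple

# Parameter meaning in the risk graph:
#   S1 slight (normally reversible) injury   S2 serious (irreversible) injury or death
#   F1 seldom / short exposure               F2 frequent / long exposure
#   P1 avoidance possible                    P2 avoidance scarcely possible
CATEGORY_ORDER = ["B", "1", "2", "3", "4"]

# preferred: the category the graph points to.
# with_additional_measures: the lower category the graph allows if extra measures are taken.
# over_dimensioned: the higher category, more than this risk requires.
Outcome = namedtuple("Outcome", "preferred with_additional_measures over_dimensioned")

RISK_GRAPH = {
    (1, None, None): Outcome("B", None, "1"),
    (2, 1, 1): Outcome("1", "B", "2"),
    (2, 1, 2): Outcome("2", "1", "3"),
    (2, 2, 1): Outcome("3", "2", "4"),   # the article's crane example
    (2, 2, 2): Outcome("4", "3", None),
}


def required_category(s, f=None, p=None):
    """Walk the risk graph for one safety function and return its Outcome.

    For S1 the F and P parameters are ignored, exactly as the graph does not
    branch on them; for S2 both must be given.
    """
    if s == 1:
        return RISK_GRAPH[(1, None, None)]
    if s == 2:
        if f not in (1, 2) or p not in (1, 2):
            raise ValueError("for S2 both F and P must be 1 or 2")
        return RISK_GRAPH[(2, f, p)]
    raise ValueError("S must be 1 or 2")


def category_for_lifting_machine(s, f=None, p=None, mandated_minimum="3"):
    """Apply the risk graph, then the floor that EN IEC 60204-1/32, EN 13557 and
    AS 1418.1 mandate for lifting machines (category 3 per the article).

    A higher graph result (category 4) is kept; a lower one is raised to the floor.
    """
    preferred = required_category(s, f, p).preferred
    if CATEGORY_ORDER.index(preferred) < CATEGORY_ORDER.index(mandated_minimum):
        return mandated_minimum
    return preferred


def assess_crane():
    """The article's overhead-crane example: both safety functions follow S2-F2-P1."""
    functions = {
        "STOP function inoperable": (2, 2, 1),
        "unexpected motion from standstill": (2, 2, 1),
    }
    return {name: category_for_lifting_machine(*path) for name, path in functions.items()}


if __name__ == "__main__":
    for name, cat in assess_crane().items():
        print(f"{name}: category {cat}")
    # A low-severity function would get category B from the graph alone,
    # but on a lifting machine the mandated floor still raises it to 3.
    print("S1 function on a lifting machine:", category_for_lifting_machine(1))
```

The floor is applied after the graph rather than instead of it so that an S2-F2-P2 path still yields category 4, which is the case the article flags as possible even though the standards only mandate 3.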

The evolution of functional safety standards

The increased use of microprocessor-based devices and sensors for safety functions has led organisations such as IEC and ISO to recognise the importance of functional safety. Unfortunately, EN 954-1 does not adequately address modern computer technology, while end users require certainty when using complex control systems. For this reason IEC and ISO have worked in recent years to establish a framework of standards that has now been defined and published.

The first new and fundamental standard for functional safety is IEC 61508 (functional safety of safety-related electrical, electronic, and programmable electronic systems). With IEC 61508, the requirements for safety systems in plant/machinery safety are defined independently of the application, and the level of risk reduction is quantitatively calculated by mathematical methods.

The standard focuses on risk-based design of safety-related systems, that is, implementing only the “right” level of protective measures, which should result in far more cost-effective safe solutions.

This standard is based on two fundamental concepts:

1 The Safety Life Cycle is defined as an engineering process that includes all of the steps necessary to achieve the required functional safety. The basic philosophy behind the safety life cycle is to develop and document a safety plan, execute that plan, document its execution (to show that the plan has been met) and continue to follow that safety plan through to decommissioning with further appropriate documentation throughout the life of the system. Changes along the way must similarly follow the pattern of planning, execution, validation, and documentation.

2 Safety Integrity Levels (SILs) are order-of-magnitude levels of risk reduction. There are four SILs defined in IEC 61508; SIL1 is the lowest level of risk reduction and SIL4 the highest. Each SIL corresponds to one decade of the target failure measure: in high-demand or continuous mode, which applies to most machinery control functions, this is the probability of a dangerous failure per hour, from 10^-6 to 10^-5 for SIL1 down to 10^-9 to 10^-8 for SIL4. In machinery applications only the first three levels are considered (that is, up to SIL3).
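To make the quantitative side concrete, and to show numerically why the earlier remark about fail-safe behaviour requiring a redundant and monitored structure rather than mere reliability holds, here is an added example (not code from the original article or from any manufacturer). It compares a single-channel design with a two-channel design, with and without cross-monitoring, using the simplified high-demand PFH approximations of IEC 61508-6 and maps each result onto the SIL bands. The per-channel failure rate, diagnostic coverage, common-cause factor and test interval are assumed illustrative values, not data from any real product, and the 1oo2 formula is the simplified form with repair time ignored.

```python
"""Quantitative comparison of STOP-function architectures under IEC 61508.

Added example, not the article's own code. All numeric inputs below are
assumed, illustrative values; the SIL bands are those of IEC 61508 for
high-demand / continuous mode (probability of dangerous failure per hour).
"""

# (sil, lower bound inclusive, upper bound exclusive). Each SIL is one decade.
SIL_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def sil_from_pfh(pfh):
    """Return the SIL a PFH value falls into, or 0 if it reaches no SIL band (PFH >= 1e-5)."""
    if pfh < 1e-9:
        raise ValueError("PFH below 1e-9/h is outside the IEC 61508 SIL table")
    for sil, low, high in SIL_BANDS:
        if low <= pfh < high:
            return sil
    return 0


def pfh_single_channel(lambda_d):
    """One channel, no diagnostics: every dangerous failure is undetected and dangerous."""
    return lambda_d


def pfh_1oo2(lambda_d, dc, beta, test_interval_h):
    """Two channels, either of which can force the safe state (1oo2).

    Simplified IEC 61508-6 high-demand form, with the channel equivalent down
    time taken as half the test interval and repair time ignored (assumption):
        PFH ~= (1 - beta)^2 * lambda_DU^2 * T + beta * lambda_DU
    lambda_DU is the dangerous *undetected* rate per channel. Failures the
    cross-monitoring detects (fraction dc) lead to a STOP and are therefore
    not dangerous; beta is the common-cause fraction hitting both channels.
    """
    if not (0.0 <= dc <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("dc and beta must be fractions in [0, 1]")
    lambda_du = (1.0 - dc) * lambda_d
    independent = (1.0 - beta) ** 2 * lambda_du ** 2 * test_interval_h
    common_cause = beta * lambda_du
    return independent + common_cause


def compare_architectures(lambda_d=2e-6, dc=0.90, beta=0.05, test_interval_h=8760.0):
    """Assumed figures: lambda_d = 2e-6/h per channel (MTTFd about 57 years),
    90 % diagnostic coverage from cross-monitoring, 5 % common cause, yearly test.

    Returns {design name: (PFH per hour, SIL)}.
    """
    designs = {
        "single channel": pfh_single_channel(lambda_d),
        "two channels, no monitoring": pfh_1oo2(lambda_d, 0.0, beta, test_interval_h),
        "two channels, cross-monitored": pfh_1oo2(lambda_d, dc, beta, test_interval_h),
    }
    return {name: (pfh, sil_from_pfh(pfh)) for name, pfh in designs.items()}


if __name__ == "__main__":
    for name, (pfh, sil) in compare_architectures().items():
        print(f"{name:32s} PFH = {pfh:.2e}/h -> SIL {sil}")
```

With these assumed inputs the same channel hardware lands in SIL1 on its own, SIL2 when duplicated without monitoring, and SIL3 once the two channels are duplicated and cross-monitored: the per-channel reliability never changed, only the structure did. Two caveats a practitioner will want: the common-cause term dominates the monitored design, so the quality of the separation between channels matters more than pushing the failure rate down further; and IEC 61508 also imposes architectural constraints (hardware fault tolerance), so a single channel cannot claim a high SIL on a favourable PFH figure alone.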

IEC 61508 has also spawned two industry-specific standards relevant to this discussion: IEC 62061:2005 (safety of machinery – functional safety of safety-related electrical, electronic and programmable electronic control systems) and ISO 13849-1:2006 (safety of machinery – safety-related parts of control systems – general principles for design). Electronic and programmable systems cannot be designed without taking the requirements of these standards into account.

EN/IEC 62061

This standard describes the implementation of safety-related electrical control systems on machinery. It examines the overall lifecycle from the concept phase through to decommissioning. Quantitative and qualitative examinations of the safety functions form the basis. It is addressed to planners, constructors and users of safety-related systems.

In Europe, for example, EN/IEC 62061 is listed as a harmonised standard under the EU Machinery Directive, so applying it gives the “presumption of conformity” with that directive.

EN ISO 13849-1 (2006)

This standard, the successor to EN 954-1, continues to cover electrical, electronic and programmable electronic systems as well as other control technologies such as fluid power. Unlike its predecessor, it can also be applied to programmable electronic systems implementing safety functions.

Certification of radio remote controls

Clearly, the standards governing the functional safety of radio remote controls are complex, and the analysis of the electronic and programmable systems that comprise them is exceptionally so. In fact, there are very few organisations in the world competent to assess and certify safety electronics, TUV SUD and TUV Rheinland of Germany probably being the most widely recognised.

With such complexity involved, a manufacturer’s self-declaration of a product’s conformity with functional safety standards should be examined with a very critical eye. It is highly unlikely that a manufacturer working in isolation from independent certification laboratories would even be competent to assess its own products.

For meaningful results, a manufacturer of safety remote controls must work very closely with these laboratories from the earliest stages of product design through to the production-line processes. As well as independent certification, such a relationship brings a major organisational advantage: it proves that the manufacturer has the ability to design, test and maintain this level of safety in its products, and to do so in a way that is transparent and accessible to independent experts.

Of course, this requires a commitment of the entire company culture, and would be a process more likely to span decades than months.

To the purchaser or end user of remote controls, the use of independently certified systems brings many advantages:

– certainty that they know what they are buying

– increased safety and the resulting savings in downtime, injuries, and equipment damage

– reduced administrative burden in documenting the selection and risk-assessment procedures

– reduction of exposure to litigation

Also, a company capable of producing independently certifiable remote controls will bring with it the highly refined design and quality systems that should result in a better user experience.

Summary

The four articles in this series have covered many aspects of radio remote control theory, design, standardisation, and certification. Armed with this knowledge, you should be in a better position to critically analyze various manufacturers’ claims, and choose an appropriate controller for an application. But let us end with a simple analogy: The safety features of a radio control system should be thought of as similar to those of a car. You may drive your car for years without needing the anti-lock brakes. In fact, you may not even know whether the car you bought has anti-lock brakes or not. They will only truly be appreciated on the day you need them.