This article by Jamie Walton, Head of Consulting at Pilz Automation Technology, explains what you need to know about PUWER Regulation 18, relating to control systems, and the applicable standards.
The Provision and Use of Work Equipment Regulations (PUWER) came into force on 5 December 1998 and was formerly known as PUWER98. The main objective of PUWER is to ensure work equipment is safe throughout the lifetime of its use, regardless of its condition, age or origin.
The regulations require that machinery provided for use at work is:
- Suitable for its intended use
- Safe for use - including keeping it maintained in a safe condition with regular inspections to ensure it is installed correctly and that its level of safety does not subsequently decline
- Used only by people who have received adequate training, instruction and information
- Accompanied by suitable health and safety measures such as protective controls and devices
- Used in accordance with the additional specific requirements that apply to certain types of equipment, such as mobile work equipment and power presses
PUWER is comprised of 37 regulations and is divided into six parts; within this article we will explore Part 2 – Regulation 18 Control Systems in detail, covering the changes made to the ACOP (approved code of practice) in November 2014 and how it can be applied.
PUWER Regulation 18
Regulation 18 deals with three things:
- Taking realistic and practical allowances into account when choosing or specifying control systems
- Not increasing risk while the control system is operating, either directly or indirectly, for example by impeding the operation of other safety measures
- Not increasing risk if the control system fails or loses its power supply
This regulation states that every employer shall ensure, so far as is reasonably practicable, that all control systems of work equipment are safe, and are chosen making due allowance for the failures, faults and constraints to be expected in the planned circumstances of use.
Failure of any part of the control system or its power supply should lead to a 'fail-safe' condition. Fail-safe can be more correctly and realistically called 'minimised failure to danger' where the minimisation can actually be quantified as a 'probability of dangerous failure per hour' (PFHd). This should not impede the operation of the 'stop' or 'emergency stop' controls. The greater the risk, the more resistant the control system should be to the effects of failure. Bringing a machine to a safe halt may achieve the objective. Halting a chemical process, however, could create further hazards. Care should be taken to fully assess the consequences of such events and provide further protection - for example, standby power plant or diverting chemicals to a place of safety. It should always be possible to recover to a safe condition.
Regulation 18 mentions the standards BS EN 60204-1, BS EN ISO 13849-1 and BS EN 62061, which provide guidance on design of control systems so as to achieve high levels of performance related to safety. Importantly, though they are aimed at new machinery, they may be used as guidance for existing work equipment as 'state of the art' guidance.
What is new here is that both functional safety standards, BS EN ISO 13849-1 (first published in 2006) and BS EN 62061 (first published in 2005), are now available; when the previous version of PUWER was released in 1998 both were still in preparation, although EN 60204-1 already existed at that time. So what are these standards and when would you apply them?
BS EN 60204-1
BS EN 60204-1 is a standard harmonised to the Machinery Directive and the Low Voltage Directive, and is titled Safety of machinery. Electrical equipment of machines. General requirements. It covers the electrical safety aspects of machines, including safety requirements for electrical, electronic and computer-controlled equipment and systems for machines. It gives specific instructions for the safe maintenance of the point where the electrical or electronic equipment connects to the machine (the main machine isolator connecting the machine to the electrical supply). The standard applies to machinery operating with nominal supply voltages not exceeding 1000V AC or 1500V DC, and with nominal supply frequencies not exceeding 200Hz.
When it comes to the safety-related controls on machines (systems containing safety relays/controllers, interlocked guards, two-hand controls, safety mats, light curtains, emergency stops and the like) there is a choice between BS EN ISO 13849-1 (with part 2 covering validation) and BS EN 62061. Which you use will depend upon the application.
BS EN ISO 13849-1
BS EN ISO 13849-1 is harmonised to the Machinery Directive and is titled Safety of machinery. Safety-related parts of control systems. General principles for design. It provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. It was developed as a direct replacement for its predecessor EN 954-1 (with its attendant categories B, 1, 2, 3 and 4 for SRP/CS). For an SRP/CS it specifies characteristics, including the Performance Level (PL a to e) required for carrying out each safety function.
The PL is based not only upon the old categories of EN 954-1 but also on further parameters: Diagnostic Coverage (DC), failure rates expressed as Mean Time to Dangerous Failure (MTTFd), and the measures taken against Common Cause Failures (CCF). These four factors (category, DC, MTTFd and CCF) combine via lookup tables (such as the one in Annex K of the standard) to give a Probability of Dangerous Failure per Hour (PFHd), the order of magnitude of which corresponds to a particular Performance Level (eg a PFHd of at least 10^-8 but below 10^-7 per hour = PL e).
BS EN ISO 13849-1 applies to SRP/CS regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc) for all kinds of machinery. It is recommended that EN ISO 13849-1 is used primarily for the design of low-complexity SRP/CS.
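The following Python script is an added worked example of the simplified ISO 13849-1 procedure described above; it is not code from the original article or from Pilz. It converts B10d figures to MTTFd using the annual number of operations, combines the parts of a channel with the parts-count method, averages the diagnostic coverage, checks the CCF score, and reads the Performance Level from the category/DC/MTTFd table of the standard. It also maps a PFHd figure (for example one quoted on a safety controller data sheet) to a PL, and to the SIL bands used by BS EN 62061, which the article discusses further down. Every component value, the operating profile and the CCF score are constructed for illustration, and the table and annex references are to the 2006 edition of the standard as recalled here.

```python
"""Worked example of the ISO 13849-1 simplified procedure for one safety function.
Added illustration for this article, not Pilz code; all component data are constructed."""

# PL bands as PFHd ranges in 1/h (lower bound inclusive, upper bound exclusive).
PL_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
            ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]
# SIL bands for high-demand/continuous mode as used by IEC 62061.
SIL_BANDS = [(1, 1e-6, 1e-5), (2, 1e-7, 1e-6), (3, 1e-8, 1e-7)]


def band_from_pfhd(pfhd, bands):
    """Map a PFHd figure (e.g. from a safety controller data sheet) to a PL or SIL."""
    for label, lo, hi in bands:
        if lo <= pfhd < hi:
            return label
    return None  # worse than PL a / SIL 1, or better than the standards quantify


def nop_per_year(dop_days, hop_hours, tcycle_s):
    """Mean number of operations per year (ISO 13849-1 Annex C)."""
    return dop_days * hop_hours * 3600.0 / tcycle_s


def mttfd_from_b10d(b10d, nop):
    """MTTFd in years for an electromechanical part quoted as B10d (Annex C)."""
    return b10d / (0.1 * nop)


def channel_mttfd(parts):
    """Parts-count method (Annex D): 1/MTTFd = sum of 1/MTTFd_i over the channel.
    parts: list of (mttfd_years, dc). Capped at 100 years as in the 2006 edition."""
    return min(1.0 / sum(1.0 / m for m, _ in parts), 100.0)


def channel_dcavg(parts):
    """Average diagnostic coverage, weighted by each part's failure rate (Annex E)."""
    return sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts)


def symmetrise_mttfd(m1, m2):
    """Combine two redundant channels of unequal MTTFd into one figure (Annex D)."""
    return (2.0 / 3.0) * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))


def mttfd_band(m):
    if 3 <= m < 10:
        return "low"
    if 10 <= m < 30:
        return "medium"
    if 30 <= m <= 100:
        return "high"
    return None  # below 3 years is not acceptable for any category


def dc_band(dc):
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Simplified procedure table: (category, DC band) -> MTTFd band -> PL.
SIMPLIFIED_TABLE = {
    ("B", "none"): {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


def achieved_pl(category, mttfd_years, dcavg, ccf_score):
    """PL reached by an SRP/CS, or None if the combination lies outside the table
    or the CCF score (Annex F) is below the 65 points required for categories 2 to 4."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None
    row = SIMPLIFIED_TABLE.get((category, dc_band(dcavg)), {})
    return row.get(mttfd_band(mttfd_years))


def guard_interlock_example():
    """Constructed Category 3 guard interlock: two identical channels, each an interlock
    switch (B10d 2e6 cycles, DC 90% from cross-monitoring) driving a contactor (B10d 1.3e6,
    DC 99% via mirror-contact readback); 220 days/year, 16 h/day, one cycle per minute.
    Returns (MTTFd per channel in years, DCavg, PL)."""
    nop = nop_per_year(220, 16, 60)
    parts = [(mttfd_from_b10d(2_000_000, nop), 0.90),
             (mttfd_from_b10d(1_300_000, nop), 0.99)]
    m_channel = symmetrise_mttfd(channel_mttfd(parts), channel_mttfd(parts))
    dcavg = channel_dcavg(parts)
    return m_channel, dcavg, achieved_pl("3", m_channel, dcavg, ccf_score=70)


if __name__ == "__main__":
    m, dc, pl = guard_interlock_example()
    print(f"MTTFd per channel {m:.1f} years ({mttfd_band(m)}), "
          f"DCavg {dc:.1%} ({dc_band(dc)}), PL {pl}")
    print("Controller with PFHd 2.3e-8/h:",
          band_from_pfhd(2.3e-8, PL_BANDS), band_from_pfhd(2.3e-8, SIL_BANDS))
```

The interesting behaviour is in the failure paths: a Category 3 design with a CCF score under 65, or a channel whose MTTFd falls below three years, returns no PL at all rather than a lower one, which is what the standard intends. Note that the later 2015 edition raises the MTTFd cap for Category 4 to 2500 years, so the cap in channel_mttfd would need adjusting for that edition.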
BS EN 62061
BS EN 62061 (also harmonised to the Machinery Directive) is titled Safety of machinery. Functional safety of safety-related electrical, electronic and programmable electronic control systems. It gives best-practice recommendations for the design, integration and validation of safety-related electronic control equipment for machines - just like BS EN ISO 13849-1 and BS EN ISO 13849-2. Rather than specifying Performance Levels it specifies a range of Safety Integrity Levels (SIL 1 - 3) for carrying out safety functions.
The SIL for a safety-related control function is determined from the architecture (A, B, C and D, which are almost equivalent to categories 1, 2, 3 and 4 of BS EN ISO 13849-1), Hardware Fault Tolerance (HFT), Safe Failure Fraction (SFF), Diagnostic Coverage (DC), the measures taken against Common Cause Failure (CCF, expressed as a beta factor), test intervals (T1 and T2) and failure rates (expressed as lambda); when these factors are combined in the standard's equations the result is a Probability of Dangerous Failure per Hour (PFHd), the order of magnitude of which corresponds to a particular SIL (eg a PFHd of at least 10^-8 but below 10^-7 per hour = SIL 3). It applies only to safety-related control functions (SRCF) that are electrical, electronic or programmable electronic; it cannot be applied to non-electrical/electronic systems, and this is perhaps the key difference in scope between EN ISO 13849-1 and EN 62061.
The term SIL actually comes from the much broader functional safety standard BS EN 61508, which describes in detail the entire lifecycle for managing safety-related controls 'from cradle to grave' for any system, be it a device, a software tool, a petrochemical plant, a rail traffic management system and so on; it is so broad that sector-specific versions exist for particular branches of industry. BS EN 62061 is the version for machine control systems. Other versions include BS EN 61511 for industrial processes (eg petrochemical plants) and EN 61513 for nuclear. Hence, in these sectors (and others already using SIL), from a functional safety management point of view it may be attractive to use EN 62061 for machines as well.
In summary, the reasons for using EN ISO 13849-1 include the ease of migration from EN 954-1 and its applicability to all systems regardless of the source of energy, especially where they are not complex.
EN 62061 is a more rigorous standard that lends itself to more complex applications (as long as they do not include non-electrical sources of energy), and it may appeal to those already using SIL-rated systems (for example in the process industries) who are familiar with the BS EN 61508 lifecycle.