The design of any machine should begin with a careful risk assessment. The process involves the designers of all systems within a machine or process, from mechanical to electrical. The first step is to look at the project and identify any potential hazards and risks for injury. Next, conduct a risk estimation and evaluation of each hazard. Designers can then develop the appropriate preventive measures to minimize the risk to acceptable levels.
ISO 13849 outlines the process by which machine builders can develop their own standard for meeting the guidelines with the goal of making machines as safe as possible. The standard addresses the control of a machine and not the actual moving components, such as cylinders, motors, and other actuators. Pneumatic circuits are usually only one part of a machine that could pose potential hazards.
The risk assessment of pneumatic circuits examines each actuator and its movement to determine if potential hazards (such as pinch points) exist. The hazards may already be addressed in the original machine design, as guarding or other obstacles may already be present. The easiest way to avoid the hazard would be to prevent access to the area. However, the machine function may require access either when it is running or in a maintenance mode.
The design team works together to identify all areas where more control is required. The ISO standard focuses on the control aspect of the circuit. However, it would also be a good practice at this point to ensure that the actuators have been properly sized for the application. The proper sizing of the cylinders will also make the machine safer and more efficient. (Several pneumatic components suppliers offer comprehensive online sizing tools to make this easier.) Once all risks have been identified and listed, it will be time to move on to the risk estimation part of the process.
Risk Estimation and Conformance
Risk estimation allows the design engineer to determine the category and performance level required for the safety circuit. The first question is, “What is the severity of the possible injury? High or low?” The second question is, “How frequent is the exposure to the risk, and can the hazard be avoided if the safety circuit fails?” Can you add additional guarding? The lower the risk, the lower the category and performance level required.
The lowest category is “B” (basic), followed by categories 1 to 4, with increasing reliability requirements for each. As the category increases, so does the achievable performance level. The performance level ranges from a to e and is based on the components used in the circuit (see figure above). It is calculated based on statistical data from testing that the component manufacturer has done to determine the life, typically in cycles.
The reliability of air valves is described using a B10 value, which is the number of cycles until 10% of the tested components fail. The reliability of electrical components, such as cylinder limit switches, is measured by mean time to failure (MTTF). Not all failures may be dangerous, so other values reflect dangerous failures (i.e., B10d and MTTFd). The values will give you confidence in the reliability of the products you are selecting, and you will need more reliable products as the required performance level increases. Most pneumatic suppliers have this data available. AVENTICS has published data for many products with the IFA, a European occupational safety and health organization. IFA also has free software to help with the calculations needed. The software is called SISTEMA and is available at www.dguv.de/en/index.jsp.
Products and circuits meeting Category 3 and 4 architecture requirements are increasingly required. The basic requirement for each is redundancy and monitoring of both channels. The monitoring is quantified as diagnostic coverage (DC) and listed as a percentage ratio of the rate of detected dangerous failures compared to the rate of all dangerous failures. All monitoring components used in the circuit will have a DC value. The values are used to calculate the DC average, which is used to calculate the overall performance level (PL).
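The B10d, MTTFd and DC figures described above combine as follows under the simplified method of ISO 13849-1, shown for a two-channel circuit with one valve per channel. This is an added example, not from the original article or from AVENTICS; the B10d values, DC percentages and duty cycle are constructed for illustration and are not supplier data.

```python
from dataclasses import dataclass

@dataclass
class Component:
    name: str
    b10d: float  # cycles until 10% of units have failed dangerously
    dc: float    # diagnostic coverage of its monitoring, 0..1

def cycles_per_year(days, hours_per_day, seconds_per_cycle):
    return days * hours_per_day * 3600 / seconds_per_cycle

def mttfd_years(b10d, n_op):
    # ISO 13849-1: MTTFd = B10d / (0.1 * n_op)
    return b10d / (0.1 * n_op)

def dc_avg(parts, n_op):
    # Each DC is weighted by the part's dangerous failure rate, 1/MTTFd.
    rates = [1 / mttfd_years(p.b10d, n_op) for p in parts]
    return sum(p.dc * r for p, r in zip(parts, rates)) / sum(rates)

def symmetrized_mttfd(ch1, ch2, cap=100.0):
    # One figure for two unequal channels; each channel is capped at 100 years.
    a, b = min(ch1, cap), min(ch2, cap)
    return (2 / 3) * (a + b - 1 / (1 / a + 1 / b))

def band(value, limits):
    # limits: ascending (upper_bound, label) pairs; the last bound is infinity.
    return next(label for upper, label in limits if value < upper)

INF = float("inf")
MTTFD_BANDS = [(3, "below range"), (10, "low"), (30, "medium"), (INF, "high")]
DC_BANDS = [(0.60, "none"), (0.90, "low"), (0.99, "medium"), (INF, "high")]

# Constructed inputs, not supplier data: 240 days/year, 16 h/day, one cycle per 20 s.
N_OP = cycles_per_year(240, 16, 20)
VALVE_A = Component("3/2 valve, spool position sensor (direct)", 20_000_000, 0.99)
VALVE_B = Component("3/2 valve, pressure switch (indirect)", 2_000_000, 0.60)

def evaluate(ch1_part=VALVE_A, ch2_part=VALVE_B, n_op=N_OP):
    mttfd = symmetrized_mttfd(mttfd_years(ch1_part.b10d, n_op),
                              mttfd_years(ch2_part.b10d, n_op))
    dc = dc_avg([ch1_part, ch2_part], n_op)
    return {"mttfd": mttfd, "mttfd_band": band(mttfd, MTTFD_BANDS),
            "dc_avg": dc, "dc_band": band(dc, DC_BANDS)}

if __name__ == "__main__":
    print(evaluate())
```

With these inputs the shorter-lived, indirectly monitored valve dominates the average: DCavg comes out near 64% ("low") even though the other valve has 99% coverage.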
Meeting Safety Requirements
Monitoring can be done directly or indirectly. An example of direct monitoring is a sensor that detects the position of a spool on a pneumatic directional valve. An indirect example is a pressure switch downstream from the valve. Direct monitoring provides a higher diagnostic coverage value and helps increase the performance level of the circuit.
Another factor to consider is common cause failure (CCF), an observational analysis of how components fail. The designer looks for possible reasons why a component would fail. The environment could be at higher temperatures or the compressed air may not be properly filtered. The CCF is a point system based on several of these factors and, when totaled for a given circuit, will also be a factor in determining the PL. Category 4, which is the highest rating, requires a high DC value, high life cycle, and common cause failure observations with a performance level of e.
This is a circuit diagram for holding or braking, any cylinder mounting direction, with the valve normally closed in starting position.
Engineers at this point in the process know the category and performance level needed and can now design the circuit. The control circuit can be a single device developed to perform a given safety function. However, most circuits use several pneumatic components. AVENTICS has developed several IFA-approved circuits that can be used to simplify the design and product specification. The most common pneumatic circuits used are safe exhaust, safe holding, and protection against unexpected startup.
Safe exhaust is probably the most common pneumatic circuit used for machine safety. The circuit exhausts air from a cylinder or entire circuit to prevent trapping potential energy. Machine builders typically find that Category 3—which can cover a performance level a to d—is required. The function can be accomplished with an integrated device or by using standard off-the-shelf pneumatic components to ensure that machine safety has been optimized. Two 3-way valves in series exhaust compressed air from the circuit. Depending on the required performance level, the valves can be monitored directly with sensors that detect spool position or indirectly using downstream flow or pressure sensors.
Above is an example of safe dual-channel exhaust with 3/2 valves.
Safe holding and protection against unexpected startup circuits can be used to hold a load and ensure it does not move. Using pressure-operated check valves on cylinder ports can prevent air movement in a cylinder. The trapped pressure will keep the cylinder from moving, and diagnostic coverage could be obtained from a pressure switch in the circuit. Another solution would be to use a rod lock, which is typically a spring-applied, pneumatically released braking device installed on the cylinder’s piston rod. The lock will only allow the cylinder to move when air pressure is sent to the port on the lock. Some manufacturers have a sensor to directly detect that the rod lock is engaged to provide additional diagnostic coverage.
Here is a holding unit (rod lock) series LU6, holding force of 12,000 N.
Summarizing for Safety
Machine builders are asked to anticipate every scenario when a machine is running, not running, and being serviced. They need to develop a well-documented process for making the machines as safe as possible. Pneumatic circuits can be safe when carefully examined and implemented. The designers can use the appropriate level of reliability based on their assessment of the risk and frequency of the potential risk. They can increase guarding when the design allows or develop a circuit to reduce the risk.
The key to designing safe pneumatic circuits is to use proven and evaluated techniques, well-established components that have been tested for life cycle data, and properly sized components. Pneumatic component suppliers are continuing to develop products to help designers implement these and other solutions such as integrated safe exhaust, dynamic and static rod locks, and position transducers that can give feedback on a cylinder’s position throughout the full stroke. The goal is to make the machine safer, but added benefits include making the machine more reliable and increasing machine efficiency.
Erl Campbell is key account manager for AVENTICS Corp., Lexington, Ky. For more information, visit www.aventics.com/us/MachineSafety.