By Nikolaus Fecht
Connected automation is presenting companies with new challenges regarding machine safety. "Industrie 4.0 systems can reconfigure and optimize themselves autonomously. This means we continuously have to reassess safety during operation and guarantee that any gaps in security do not result in safety risks," says Christoph Baumeister, Product Manager at Pilz GmbH & Co. KG in Ostfildern.
Monitoring safety gate systems
In order to guarantee that deliberately or inadvertently opening access doors does not result in hazards, the company's machines have been equipped with a safety gate system that combines safety gate monitoring with safe locks in a single system. The monitoring system is also equipped with safety functions such as an escape release, emergency stop and a mechanical restart lock. In case of danger, anyone who inadvertently becomes trapped can exit the danger zone quickly and easily. The system can only be restarted if the integrated safety and acknowledgment functions determine with absolute certainty that nobody remains in the danger zone.
"This safety gate system guarantees personal safety, but the aspect of process safety, in other words operating safety, remains open," says Baumeister. According to him, protection against unauthorized access can be implemented through a safe operating mode selector switch. The user can use this switch for two functions: to select the operating mode and to regulate the access permissions for the machine.
Coding prevents manipulation
Operating mode selector switches allow the operator to switch between defined operating modes. The operator selects the operating mode by using a transponder key with the respective permissions and pressing the corresponding button. Each key is individually coded in order to verify the operator and to prevent manipulation. As these unique keys can be used on different machines and different permissions are stored on them, the user can combine multiple mechanical keys in a single transponder key, thus reducing administrative effort.
The coded keys give each operator access to the machine functions or operating modes for which he has permission. "Thanks to the RFID-based key, individual permission rights can be assigned for each operator," explains Baumeister. "The rights can be assigned via identification management in the machine control system."
Authorized persons can operate and control the different operating modes via the operating mode selector switch. "Every operator is given access to machines in line with their capabilities and qualifications. This provides comprehensive protection against unintended actions and manipulation, as well as ensuring the security of the information," says Baumeister.
The current state of the art comprises safety switches, sensors and locks that secure machine and system safety gates. "A cost-effective alternative is a key transfer system, which enables the position of movable protection systems to be monitored wirelessly," explains Michael Eckhardt, Product Manager of Command and Signalling Devices at K. A. Schmersal Holding GmbH & Co. KG from Wuppertal. The operating principle is simple: Each safety gate is assigned a key that fits the safe lock. During normal machine operation, the key is placed in a central unit, known as the key-operated selector switch interlocking device. The operator can only open the safety gate when the machine is stopped – only then does the standstill monitor send a signal to release the key, enabling the operator to unlock the safe lock with the key and open the safety gate. The machine can only be restarted when the safe lock is locked and the key is placed back in the unit lock.
Protection against unintended operation
Another series offers a model equipped with a second locking cylinder that can be used to block operation of the first locking cylinder. This feature is useful for situations in which the operator needs to enter a space and has to ensure that inadvertent operation by a third party is prevented. "The main advantage of this safety and safe lock system is that the safety gate does not require a power supply or a signal line," says Eckhardt. "The key transmits the information on whether a safety gate can be opened, or whether a machine can be started. This creates additional freedom and facilitates the assembly of safe lock systems, particularly in larger systems."
Most key transfer systems with a second locking cylinder are found in more complex manufacturing and machine systems. It is especially useful for securing maintenance and service doors which are rarely used by the staff. Other fields of use include potentially explosive systems in chemical plants and process technology, as well as systems that have been installed in tough environments and under high temperatures.
Activating the right protection
Companies still have to bypass, i.e. manipulate, the existing protection measures during maintenance and service work on many machines and plants as suitable operating modes are unavailable - not an ideal situation. A step in the right direction would be to enable the operator to select the required operating mode and activate the respective protective measures. "Our electronic key system is ideally suited to the implementation of an operating mode selector that is easy to use and complies with all legal regulations," says Jens Rothenburg, Product Manager of Safety Technology at Euchner GmbH + Co. KG from Leinfelden-Echterdingen.
Legally-compliant operating mode selector
In order to use a legally-compliant and standard-compliant operating mode selector, users must guarantee the fulfillment of three requirements:
- The use of an operating mode selector switch must be limited to certain people, as the Machinery Directive demands this for dangerous machine functions. The operating mode selector switch must therefore be lockable. "Passwords or key switches are limited in their suitability, as passwords can be passed on, or a key left in the lock permanently," warns Rothenburg.
- The operating mode selector must comply with a performance level (PL). The PL indicates the reliability of a control unit's safety function. "Simply equipping a PL with a password is no longer acceptable, as there are better solutions," says Rothenburg.
- Suitable protection measures must be in place for all necessary work on a machine. "The protective measure must correspond to the risk assessment," explains Rothenburg, while companies must ensure that the staff deployed for special service tasks are protected as effectively as possible. Protective measures must never be circumvented. Mechanical engineers and users of the technology must comply not only with the Machinery Directive, but also with the Health and Safety Ordinance.
High performance level required
A practical example illustrates this: Each operating mode is equipped with one or more safety functions to help protect the operator during their work. A closed safety gate prevents the machine from putting the operator at risk during automatic operation. In the "Setup" operating mode, the user can work with the safety gate open. The safety function is therefore no longer "Safety gate closed". If the operating mode is changed, so too is the protection measure. However, as an incorrect and improper switchover can result in risks to the user, the operating mode selector must exhibit a high performance level as per ISO 13849-1.
Operating mode selection via button
If companies wish to add another operating mode such as the service operating mode to machines and systems with control panels, operating mode selection via buttons is a good option. "Technical implementation in this case is particularly simple," says Rothenburg. "Our electronic key system with data interface acts as an access system to securely restrict the number of users, as is laid out in the Machinery Directive."
Safety through key transfer system
"In this age of digitalization, technical procedures and production methods are becoming ever more complicated, presenting specific risks for operating staff," says Oliver Haake, Managing Director at Haake Technik GmbH in Vreden. "This is particularly true when a certain sequence of defined actions or process steps must be adhered to in order to avoid hazardous situations." A mechanical key transfer system can guarantee this. The system is a safety component in accordance with the Machinery Directive 2006/42 EC, which comprises individual components with a corresponding coded key. According to Haake, these key transfer systems are based on a simple yet effective principle: a coded key can only be in one location at once.
Mechanical key transfer systems are extremely robust and simple to install. Companies generally use them to secure applications in tough environments. "Be it on stone crushers, in steel mills, on mixers, or in the concrete or food industries, the applications are focused on safety gates, switchboards, valves and maintenance flaps," explains Haake. Transferring a coded key from one component to the next ensures compliance with a predetermined procedure. The user documents this process with the help of a 'key transfer plan'.
Coded keys for increased operator protection
In one real-life example, the user wanted to secure the maintenance flap of a machine. The operator must not enter the danger zone during this procedure and it should only be possible to open the maintenance flap when the machine is stopped. This safety function can be implemented with a locking mechanism, equipped with a switch element and a safe lock device, for example. A coded key links the components. The switch element contains a key turn-switch. If the operator wishes to remove the key, he first operates the turn-switch, which switches off the dangerous machine function. He can then remove the key.
"The responsible employee then uses the released key on the safe lock device on the maintenance flap," explains Haake. "The safe lock can be operated by inserting and turning the key, allowing the maintenance flap to be opened." The employee cannot remove the key from the safe lock while the flap is open, so the machine cannot be started. "Once the work is completed, the maintenance flap is locked using the safe lock and the key released," says Haake. "This key is then transferred back to the original switch element and used to restart the machine."
Retrofitting a key transfer system
Companies choose key transfer systems based on the risk assessment of an application. According to Haake, the decision must also take the environmental conditions and the machine's stopping time into account. It is also important to note whether the operator can enter the whole danger zone. A crucial advantage of key transfer systems is that they are easy to retrofit in existing plants. "They reduce costs, as the system does not require separate cables to the individual safety gates or maintenance flaps," emphasizes Haake. "Furthermore, they are particularly well-suited to machines that use different types of energy."