The Provision and Use of Work Equipment Regulations (PUWER) came into force on 5 December 1998 and were formerly known as PUWER98.
The main objective of PUWER is to ensure the provision of safe work equipment throughout the lifetime of its use, regardless of its condition, age or origin.
The regulations require that machinery provided for use at work is:
- Suitable for its intended use
- Safe for use – including keeping it maintained in a safe condition with regular inspections to ensure it is installed correctly and that its level of safety doesn’t subsequently decline
- Used only by people who have received adequate training, instruction and information
- Accompanied by suitable health and safety measures, such as protective controls and devices
- Used in accordance with specific requirements – mobile work equipment and power presses
PUWER comprises 37 regulations and is split into 6 parts; within this article we will explore Part 2 – Regulation 18 Control Systems in detail, covering the changes made to the ACOP in November 2014 and how it can be applied.
Regulation 18 deals with three points:
- taking realistic and practical allowances into account when choosing or specifying control systems;
- not increasing risk when the control system is operating, whether directly or indirectly by impeding the operation of other safety measures;
- not increasing risk if a control system fails or loses its power supply.
This regulation states that every employer shall ensure, so far as is reasonably practicable, that all control systems of work equipment are safe, and are chosen making due allowance for the failures, faults and constraints to be expected in the planned circumstances of use.
Failure of any part of the control system or its power supply should lead to a ‘fail-safe’ condition. Fail-safe can be more correctly and realistically called ‘minimised failure to danger’ where the minimisation can actually be quantified as a “probability of dangerous failure per hour”, or PFH.
This should not impede the operation of the ‘stop’ or ‘emergency stop’ controls. The greater the risk, the more resistant the control system should be to the effects of failure. Bringing a machine to a safe halt may achieve the objective. Halting a chemical process, however, could create further hazards. Care should be taken to fully assess the consequences of such events and provide further protection, for example standby power plant or diverting chemicals to a place of safety. It should always be possible to recover to a safe condition.
Regulation 18 mentions the standards BS EN 60204-1, BS EN ISO 13849-1 and BS EN 62061, which provide guidance on the design of control systems so as to achieve high levels of safety-related performance. Importantly, although they are aimed at new machinery, they may be used as “state of the art” guidance for existing work equipment.
What’s new?
What is new here is that both functional safety standards, BS EN ISO 13849-1 (first published in 2006) and BS EN 62061 (first published in 2005), are now available; when the previous version of PUWER was released in 1998, both standards were only in preparation. EN 60204-1 was already around in 1998. So what are these standards and when would you apply them?
BS EN 60204-1 is a standard harmonised to the Machinery Directive and the Low Voltage Directive, and is titled: “Safety of machinery. Electrical equipment of machines. General requirements”. It is intended to cover the electrical safety aspects of machines. This includes safety requirements for electrical, electronic and computer controlled equipment and systems for machines. It gives specific instructions for the safe maintenance of the point where electrical or electronic equipment connects to the machine, i.e. at the main machine isolator connecting the machine to the electrical supply; it refers to machinery that operates with nominal supply voltages below 1,000 Vac or 1,500 Vdc, or with nominal supply frequencies below 200 Hz.
When it comes to the safety-related controls on machines (systems containing safety relays/controllers, interlocked guards, two-hand controllers, safety mats, light curtains, emergency stops and the like) there is a choice between BS EN ISO 13849-1 (with Part 2 for validation) and BS EN 62061. Which you use will depend upon the application.
BS EN ISO 13849-1 is harmonised to the Machinery Directive, and is titled: “Safety of machinery. Safety-related parts of control systems. General principles for design”. It provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. It was developed as the direct replacement for its predecessor EN 954-1 (with its attendant categories B, 1, 2, 3 and 4 for SRP/CS). For these parts of SRP/CS, it specifies characteristics that include the Performance Level (PL a – e) required for carrying out safety functions.
The PL is based not only upon the old categories of EN 954-1 but also upon parameters including Diagnostic Coverage (DC), failure rates expressed as Mean Time to Dangerous Failure (MTTFd) and steps taken to reduce Common Cause Failures (CCF). These four factors combine via look-up tables (such as the one found in Annex K of the standard) to form a Probability of Dangerous Failure per Hour (PFH), the order of magnitude of which corresponds to a particular Performance Level (e.g. a PFH between 10^-7 and 10^-8 corresponds to PL e). It applies to SRP/CS regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery. It is recommended that EN ISO 13849-1 is used primarily for the design of low-complexity SRP/CS.
BS EN 62061 (also harmonised to the Machinery Directive) is titled: “Safety of machinery. Functional safety of safety-related electrical, electronic and programmable electronic control systems”. It gives best-practice recommendations for the design, integration and validation of safety related electronic control equipment for machines – just like EN ISO 13849-1/-2. Rather than specifying Performance Levels it specifies a range of Safety Integrity Levels (SIL 1 – 3) for carrying out safety functions.
The SIL for a safety-related control function comprises the architecture (A, C, B, D, which are almost equivalent to categories 1, 2, 3 and 4 of BS EN ISO 13849-1), Hardware Fault Tolerance (HFT), Safe Failure Fraction (SFF), Diagnostic Coverage (DC), steps taken against Common Cause Failure (CCF and a beta-factor), test intervals (T1 and T2) and failure rates (expressed as lambda); when these factors are combined in specific equations the result is a Probability of Dangerous Failure per Hour (PFH), the order of magnitude of which correlates with a particular SIL (e.g. a PFH between 10^-7 and 10^-8 corresponds to SIL 3). It applies to safety-related control functions (SRCF) which are electrical, electronic and programmable electronic only – it cannot be applied to non-electrical/electronic systems, and this is perhaps the key difference in scope between EN ISO 13849-1 and EN 62061.
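As an added worked example (not the article's or Pilz's code), the Python below implements the PL estimation described in the two paragraphs above and the PFH-to-PL/SIL banding they both quote: it goes slightly beyond the text by using the channel MTTFd and DCavg formulas of ISO 13849-1 Annexes D and E and the simplified Table 7 look-up, as the editor knows them from the standard; the component values used in the assertions are constructed.

```python
# Simplified PL estimation per BS EN ISO 13849-1 (Tables 3, 5, 6, 7; Annexes D, E)
# and the PFH bands of BS EN 62061. Constructed example, not the article's code.

def mttfd_band(years: float) -> str:
    """Table 6 channel MTTFd bands; below 3 years is outside the standard."""
    if years < 3:
        raise ValueError("channel MTTFd below 3 years is not permitted")
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(dc: float) -> str:
    """Table 5 diagnostic coverage bands (dc as a fraction 0.0 to 1.0)."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

# Table 7: (category, DCavg band) -> PL per MTTFd band (low, medium, high); None = not allowed.
_TABLE7 = {
    ("B", "none"): ("a", "b", "b"),
    ("1", "none"): (None, None, "c"),
    ("2", "low"): ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"): ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"): (None, None, "e"),
}

def channel_mttfd(component_mttfd: list) -> float:
    """Annex D parts count: 1/MTTFd = sum(1/MTTFd_i) over the channel's components."""
    return 1.0 / sum(1.0 / m for m in component_mttfd)

def dc_avg(component_mttfd: list, component_dc: list) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(d / m for d, m in zip(component_dc, component_mttfd)) / sum(1.0 / m for m in component_mttfd)

def performance_level(category: str, mttfd_years: float, dc: float) -> str:
    """Table 7 look-up: the PL reachable by a category, channel MTTFd and DCavg."""
    row = _TABLE7.get((category, dc_band(dc)))
    pl = row[("low", "medium", "high").index(mttfd_band(mttfd_years))] if row else None
    if pl is None:
        raise ValueError(f"Cat {category}, DC {dc:.2f}, MTTFd {mttfd_years:.1f}y is not a Table 7 combination")
    return pl

# ISO 13849-1 Table 3 and the EN 62061 SIL bands: [lo, hi) PFH per hour -> (PL, SIL).
_PFH_BANDS = ((1e-8, 1e-7, "e", 3), (1e-7, 1e-6, "d", 2), (1e-6, 3e-6, "c", 1),
              (3e-6, 1e-5, "b", 1), (1e-5, 1e-4, "a", None))

def levels_from_pfh(pfh: float) -> tuple:
    """Order of magnitude of PFH -> (PL, SIL); SIL is None where EN 62061 assigns no level."""
    for lo, hi, pl, sil in _PFH_BANDS:
        if lo <= pfh < hi:
            return pl, sil
    raise ValueError("PFH outside the PL a to e range")
```

A two-component channel of 100-year MTTFd parts with 99% and 90% DC gives MTTFd 50 years (high) and DCavg 94.5% (medium), which in Category 3 reaches PL d; a Category 4 design needs DC high and MTTFd high to claim PL e.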
The term SIL actually comes from a much broader functional safety standard, BS EN 61508, which describes in detail the entire lifecycle for managing safety-related controls from cradle to grave of any system, be it a device, a software tool, a petrochemical plant, a rail traffic management system and so on; it is so big that sectorial versions exist for particular branches of industry. BS EN 62061 is such a sectorial version. Other sectorial versions include BS EN 61511 for industrial processes (e.g. petrochemical plants) and EN 61513 for nuclear. Hence, in these particular sectors (and others which use SIL), from a Functional Safety Management point of view, it may be attractive to use EN 62061 for machines.
So the reasons for using EN ISO 13849 include the ease of migration from EN 954-1 and its applicability to all systems regardless of source of energy, especially where they’re not complex.
EN 62061 is a more rigorous standard; it lends itself to more complex applications (as long as they do not include non-electrical sources of energy), and it may appeal to those already using SIL-rated systems (for example in the process industries) who are familiar with the BS EN 61508 lifecycle.
Work is currently in hand within a standards working group to merge these two functional safety standards into a definitive single standard within the next few years.
David Collier CMSE®, is business development manager at Pilz Automation Technology