Sunday, April 29, 2012

Product Liability Act (ProdHaftG): An Introduction

Strict liability for defective products was introduced universally throughout the whole of the EU through the European Directive 85/374/EEC of 25.06.1985 – the EC Product Liability Directive. This directive was implemented in Germany through the Product Liability Act, which has been in force since 01.01.1990.

§ 1 of the Product Liability Act states:
“If, as a result of a product defect, a person is killed, injured or suffers damage to his health, or an item is damaged, the producer of the product shall be liable to pay compensation to the other party for the resulting damage. In the case of material damage, this rule shall only apply if an item other than the defective product is damaged and this item is normally intended for private use or consumption and has been used by the injured party primarily for this purpose.”

Under the Product Liability Act, liability shall be accepted for any death, bodily injury, damage to health or material damage caused by the defective product. However, damage to an item used for corporate, business, commercial or professional purposes, cannot be compensated under the Product Liability Act.

Example: If a producer’s brass pipe nipples are built into commercially used water pipes and the small incorporated parts ultimately damage the water pipe as a whole, no compensation claims can be made on the basis of the Product Liability Act. As the water pipe is not an object which is normally intended for private use or consumption, the Product Liability Act does not apply.

Wednesday, April 25, 2012

An Introduction to Product Liability: Terminology

For decades, the German Producer Liability Act has recognized the obligations of (industrial) producers in the field of design, production, instruction and after-sales product monitoring. In 1990, this was joined by the German Product Liability Act, which stems from a Product Liability Directive from Brussels. Today, both systems apply in parallel.

From industry’s perspective, German law essentially distinguishes between contractual and statutory liability: Contractual liability is basically only considered between contractual partners, i.e. in genuine supply relationships. This issue is not dealt with any further here, although there are many pitfalls that await in contracts in cross-border business, which would make an early legal review of contracts seem a recommended course of action.

We generally talk of the risk from product or producer liability not when it concerns contracts and disputes between suppliers but when it concerns people who assert a claim for damages: Action is brought against a product’s producer due to personal injury or material damage that his product is supposed to have caused (whether or not this is the case is generally decided after a complex process, usually involving a variety of specialists). The injured party makes a claim against the producer for financial compensation; compensation for non-pecuniary damages may also be involved if there has been damage to health.

Two areas of statutory liability
Statutory liability is again subdivided into two categories: Liability resulting from unlawful acts, known as liability in tort, is based on an accusation or, in legal terms, on fault. In legal terminology, fault is expressed either as “accountability” or through the degrees of culpability “intent” and “negligence”. If the law allows the mere presence of a certain risk to be enough to justify the producer’s liability (with no interest in the question as to whether at least negligence was involved), we talk of strict liability. This comes into effect much earlier and is therefore particularly critical for producers.

The above-mentioned liability in tort of the producer is regulated in § 823 of the German Civil Code (BGB); strict liability for defective products comes from the Product Liability Act (ProdHaftG). It can only be applied if the accident or damage occurred in Germany. This is also called the “scene of crime principle”. If the accident or damage occurs in a different country, the local liability law will apply in most cases. This may be more flexible in a particular case, but may also be stricter than German law. In any case it is an unfamiliar law; in incidents abroad such as these, legal advice must be obtained quickly so that mistakes are not made out of pure ignorance.

The section that follows will look first at strict liability from the Product Liability Act and then outline liability in tort. Although in practice both liability principles can usually be applied in parallel, there may be some important differences, particularly with regard to the scope of liability. These will be dealt with separately.


Monday, April 23, 2012

Reaction Times of Safety Functions

[Figure: Block diagram of safety functions]
Several boundary conditions are involved in calculating a safety distance.

Determination of the reaction time in the case of external commands
If an E-STOP pushbutton acts upon an evaluation device, its reaction time is added to the reaction time of the drive-integrated safety function. It will also be necessary to add the time needed to bring an accelerated axis to standstill:
  • treac = tmulti + tPMC + tramp
  • tmulti = reaction time of the evaluation device, approx. 20 ms
  • tPMC = reaction time of the drive-integrated safety functions to external signals, 6 ms
  • tramp = ramp time to standstill; depends on the moved mass, speed and other application-dependent data
Determination of the reaction time when limit values are violated
If a monitoring circuit on a drive-integrated safety function is activated, it will be necessary to add the time needed to bring the accelerated axis to standstill:
  • treac = tPMC + tramp

Thursday, April 19, 2012

Examples of Safe Motion: Safeguarding Detection Zones with a Safe Camera-Based Solution

Until now, interaction between man and robot has largely been characterized by fixed safeguards. A modern camera-based solution offers a whole range of new options in this case. The detection zone covers all three dimensions; one single device meets every requirement when accessing a danger zone and also provides protection against climbing over and crawling under the detection zone. The detection zones can be individually configured and can also enable the speed of the active axes in the monitored zone to be reduced if anyone approaches.
Structure of the Safety Function
[Figure: Block diagram of the safety functions]
Determination of the performance level for the overall circuit:
The result is performance level d.

Tuesday, April 17, 2012

Examples of Safe Motion: Muting with Safe Direction (SDI)

Structure of the Safety Function
The block diagram shows the logical structure of the safety function, consisting of the series alignment of the safety-related subcircuits (SRP/CS).
In conjunction with light curtains and a muting circuit, the safe direction function (SDI) has a positive effect on safety because the respective direction of the drive axis is monitored during the muting phase and a safe shutdown occurs in the event of an error.

Determination of the performance level for the overall circuit

The performance level corresponds to the result from the example of the safe stop function.

Thursday, April 12, 2012

Examples of Safe Motion: Jog Function With Safely Limited Speed (SLS)

These days, jog functions can generally be carried out while guards are open thanks to the safely limited speed (SLS) function. The respective application will determine the type of increment that can be classified as non-hazardous. It may be helpful to consult EN 349 (Minimum gaps to avoid crushing of parts of the human body) and EN 999 (The positioning of protective equipment in respect of approach speeds of parts of the human body).

Structure of the Safety Function

The block diagram shows the logical structure of the safety function, consisting of the series alignment of the safety-related subcircuits.
Determination of the performance level for the overall circuit
In terms of structure, the jog function with safely limited speed is similar to the safe stop function. The key difference lies in the push buttons used for the jog function and the impact this has on the calculation of the performance level. In EN ISO 13849-1, push buttons (enable switches) are given a B10d of 100 000. The time between two operations (cycles) is the key factor in calculating the MTTFd.

Calculation formula for MTTFd:


The following assumptions are made, based on the application of the component:
  • hop is the mean operating time in hours per day
  • dop is the mean operating time in days per year
  • tcycle is the mean time between the start of two consecutive cycles of the component (e.g. switching a valve) in seconds per cycle
Assumptions:
B10d = 100 000
hop = 16 h/day
dop = 220 d/year

Calculation of MTTFd:
tcycle = 5 s ➔ MTTFd = 0.395 years
tcycle = 3 600 s ➔ MTTFd = 284.1 years

As shown in the example with cyclical operation in 5 s intervals, even in the best case it is only possible to achieve PL c with a B10d value of 100 000. This demonstrates very clearly that the application range for wearing components has a direct influence on the calculation of the performance level and therefore affects the achievable safety level. The design engineer must therefore look very closely at the application range of his components in the respective application. Even if EN ISO 13849-1 states 100 000 cycles for B10d, there may well be special components with a higher B10d value. If an application uses a push button as an E-STOP command device, it will certainly not be operated constantly at 5-second intervals. The situation is completely different if a push button is used as a command device for cyclic initiation of a machine cycle and has to trigger a safe stop once released. The values stated in the example may cause a problem if a higher performance level is required.
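The B10d calculation above, as an added example that is not from the original post: the EN ISO 13849-1 formulas nop = dop · hop · 3600 / tcycle and MTTFd = B10d / (0.1 · nop), which reproduce the page's 0.395 and 284.1 years, plus the standard's MTTFd classes and a helper that solves the formula for the shortest cycle time that still reaches a target MTTFd. Function names are this example's own.

```python
# Added example: EN ISO 13849-1 B10d method for wearing components
# (push buttons, valves, brakes), run with the page's push-button figures.
#   n_op  = d_op * h_op * 3600 / t_cycle   operations per year
#   MTTFd = B10d / (0.1 * n_op)            years
# Function names are this example's own, not taken from the standard.


def operations_per_year(h_op: float, d_op: float, t_cycle: float) -> float:
    """n_op from hours per day, days per year and seconds per cycle."""
    if h_op <= 0 or d_op <= 0 or t_cycle <= 0:
        raise ValueError("h_op, d_op and t_cycle must be positive")
    return d_op * h_op * 3600.0 / t_cycle


def mttfd_years(b10d: float, h_op: float, d_op: float, t_cycle: float) -> float:
    """Mean time to dangerous failure in years from B10d and the duty cycle."""
    if b10d <= 0:
        raise ValueError("B10d must be positive")
    return b10d / (0.1 * operations_per_year(h_op, d_op, t_cycle))


def mttfd_class(mttfd: float) -> str:
    """MTTFd classes of EN ISO 13849-1 (Table 5): low 3..10 years,
    medium 10..30 years, high 30..100 years. Values above 100 years are
    capped at 100 and still count as 'high'; below 3 years there is no class."""
    if mttfd < 3:
        return "not allowed"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def min_cycle_time_s(b10d: float, h_op: float, d_op: float,
                     target_mttfd: float) -> float:
    """Shortest mean cycle time (s) at which the component still reaches
    target_mttfd years: the B10d formula solved for t_cycle."""
    return 0.1 * d_op * h_op * 3600.0 * target_mttfd / b10d


if __name__ == "__main__":
    # Page assumptions: B10d = 100 000, 16 h/day, 220 d/year.
    for t_cycle in (5, 3600):
        m = mttfd_years(100_000, 16, 220, t_cycle)
        print(f"t_cycle = {t_cycle:>5} s -> MTTFd = {m:.3f} years ({mttfd_class(m)})")
    # Shortest cycle time that still gives an MTTFd class of 'high' (30 years).
    print(f"t_cycle for 'high': {min_cycle_time_s(100_000, 16, 220, 30):.1f} s")
```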


Tuesday, April 10, 2012

Examples of Safe Motion: Safe Stop Function on Vertical Axes

If you examine the potential risks on servo axes you'll see that a vertical axis is also a good example for increasing awareness of the mechatronic view. Removal of power is not enough to bring an axis to a safe condition. In many cases, the load's own weight is enough for the axis to fall. Mass and friction will determine the speed that occurs in the process. As part of the risk analysis, potential hazards are analyzed in the various machine operating modes and as operators carry out their work. The required measures will then be derived from this analysis. With vertical axes, the measures that need to be taken will essentially depend on whether the full body of the operator can pass below the vertical axis or whether just his arms and hands are positioned below the vertical axis. Another aspect is the frequency and duration of his stay in the danger zone. All these factors are added up to give the “performance level” that the safety functions must achieve.

Building on the “Safe stop function” example, a brake is added to the structure. Holding brakes and service brakes are both common.

Structure of Safety Function
The block diagram shows the logical structure of the safety function, consisting of the series alignment of the safety-related subcircuits.
Determination of the performance level for the holding brake
Here the user of EN ISO 13849-1 is confronted with one of the positive approaches of this standard. The standard not only enables examination of the electrical part of the safety function, but also of the mechanical, hydraulic and pneumatic section.
However, the holding brake used in this example does not have a performance level, as this is only available for intelligent components. The brake manufacturer can only provide a B10d value, as he does not know how exactly his components will be used in the application and so can only make a statement regarding the number of operations before a component failure. The design engineer constructing the safety-related part of the control system must now calculate the time to a dangerous failure of the component. The B10d value is not the only consideration in this calculation; the mean time between two consecutive cycles is also a key factor which influences the MTTFd value.

The following assumptions are made, based on the application of the component:

  • hop is the mean operating time in hours per day 
  • dop is the mean operating time in days per year
  • tcycle is the mean time between the start of two consecutive cycles of the component (e.g. switching a valve) in seconds per cycle
Assuming that the calculation of the MTTFd for the holding brake results in a value of > 100 years, this gives an MTTFd classification of “HIGH”. EN ISO 13849-1 provides a graph to make it easier to determine the performance level. To read the performance level from this graph, the diagnostic coverage DC is required. To determine the level of diagnostic coverage it is important to know whether every conceivable error can be detected through tests. Based on this consideration, a high classification will be possible if a safe converter is used to drive the motor and the holding brake is always tested automatically before the danger zone is accessed. To do this, a torque of 1.3 times the brake's rated holding torque is applied and held for at least one second. If the axis holds its position during the whole test, it can be assumed that the holding brake is in good working order. On this basis it is possible to define the diagnostic coverage at 99 %.

[Figure: Graph to determine the PL in accordance with EN ISO 13849-1]
So we now have the following data:
  • Category = 4
  • MTTFd = high
  • DC = high
If this data is applied to the graphic, PL e can be determined.

Determination of the performance level for the overall circuit
In the illustrated example of the safe stop function on a servo axis with holding brake, all four components involved have performance level e. As a result the lowest performance level of a subcircuit (SRP/CS) is also PL e. Using the standard's terminology, therefore, we have:

  • 4 x SRP/CS each with PL e
  • The lowest performance level of the 4 subcircuits (SRP/CS) = PL e and is assigned the parameter PLlow
  • The lowest performance level occurs in 4 subcircuits and so the parameter Nlow = 4

If this information is applied to Table 11 of EN ISO 13849-1 for a simplified calculation, the result for the example is an overall classification of PL d. Unlike the example for the safe stop function (without brake), a reduction factor now applies: In accordance with EN ISO 13849-1, the achieved performance level is reduced by one level if the overall circuit contains more than three subcircuits with PLlow. However, in this case a detailed calculation using the achieved PFHD values can certainly result in PL e. This is where software tools such as the PAScal Safety Calculator come into their own.
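The PL graph and the Table 11 combination used above, as an added example that is not from the original post: the simplified lookup of EN ISO 13849-1 (category, DC and MTTFd class to PL) and the series-alignment rule of Table 11, reproducing both the holding-brake subcircuit (Cat 4, DC high, MTTFd high gives PL e) and the reduction from PL e to PL d once more than three PL e subcircuits are in series. Table entries beyond the cases on this page are taken from the standard; function names are this example's own.

```python
from typing import Optional

PL_ORDER = "abcde"  # performance levels from lowest to highest

# Simplified PL determination of EN ISO 13849-1 (Table 7 / the PL graph):
# (category, diagnostic coverage) -> MTTFd class -> PL; None = not allowed.
TABLE_7 = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# Table 11: PL of a series alignment of SRP/CS. For the lowest PL in the
# chain (PL_low) the entry gives (largest N_low without reduction, reduced PL).
TABLE_11 = {
    "a": (3, None),  # more than three PL a subcircuits: not allowed
    "b": (2, "a"),
    "c": (2, "b"),
    "d": (3, "c"),
    "e": (3, "d"),
}


def subcircuit_pl(category: str, dc: str, mttfd: str) -> Optional[str]:
    """PL of one SRP/CS from its category, DC class and MTTFd class."""
    row = TABLE_7.get((category, dc))
    if row is None:
        raise ValueError(f"no Table 7 entry for category {category}, DC {dc}")
    return row[mttfd]


def series_pl(pls: list) -> Optional[str]:
    """Simplified overall PL of SRP/CS in series (Table 11)."""
    if not pls or any(pl not in PL_ORDER for pl in pls):
        raise ValueError("every subcircuit needs a PL a..e")
    pl_low = min(pls, key=PL_ORDER.index)   # weakest link in the chain
    n_low = pls.count(pl_low)               # how many subcircuits sit at it
    max_n, reduced = TABLE_11[pl_low]
    return pl_low if n_low <= max_n else reduced


if __name__ == "__main__":
    print("holding brake:", subcircuit_pl("4", "high", "high"))   # e
    print("3 x PL e in series:", series_pl(["e"] * 3))             # e
    print("4 x PL e in series:", series_pl(["e"] * 4))             # d
```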

Sunday, April 8, 2012

Examples of Safe Motion: Performance Level of Safety Functions

Normative Basis
Several standards (generic safety standards and technical safety standards; type A and type B standards) are available for determining the safety level achieved by the safety-related section of a control system. EN ISO 13849-1 is generally applied in the engineering sector. For many machines, the safety level to be achieved can be taken from the respective machinery safety standards (type C standards, e.g. presses ➔ EN 692, EN 693; robots ➔ EN ISO 10218-1, packaging machinery ➔ EN 415). If there are no C standards for a product, the requirements can be taken from the A and B standards.

Safe Stop Function
The safety function “E-STOP when light curtain is interrupted” is addressed here by the example below; it illustrates a safe stop function for a motor driven axis. The methodology described below is based on EN ISO 13849-1 and as such can only be applied if all the safety function sub-components have their own performance level. Using the terminology of the standard, it is a series alignment of safety-related parts of a control system (SRP/CS).

This example uses a light curtain, a configurable safety control system and a servo amplifier with integrated safety functions. A servo motor with feedback system is connected to the servo amplifier.

The risk analysis permits a stop category 1 for the axis.

Structure of Safety Function

The block diagram shows the logical structure of the safety function, comprising the series alignment of the safety-related sub-circuits.

Determination of the performance level for the overall circuit:

[Table: EN ISO 13849-1, Table 11 – Calculation of PL for series alignment of SRP/CS]

Note: The values calculated for this look-up table are based on reliability values at the mid-point for each PL.

In the example of the safe stop function, all three components involved have performance level e. As a result, the lowest performance level of a safety-related subcircuit (SRP/CS) is also PL e. Using the standard's terminology, therefore, we have:
  • 3 x SRP/CS each with PL e
  • The lowest performance level of the 3 subcircuits (SRP/CS) = PL e and is assigned the parameter PLlow
  • The lowest performance level occurs in 3 subcircuits and so the parameter Nlow = 3 

If you apply this information to Table 11 of the standard, the result for the example is an overall classification of PL e.

Tuesday, April 3, 2012

System Examination: Implementation Examples

Servo converters with drive-integrated motion monitoring and safe pulse disabler for shutdown
Implementation Example with Servo Amplifier
Sensor evaluation is undertaken, for example, by a small, safety-related control system, which activates the safety functions in the drive via a safe I/O interconnection. The servo motor has an integrated sine/cosine motor encoder for motor control and positioning. The reaction time before the safety function is activated is around 60 ms; the reaction time when limit values are violated is < 10 ms.

Safely monitored drive with frequency converter and asynchronous motor
Implementation Example with Frequency Converter
An incremental encoder is used to detect motion. A safety relay or a small, safety-related control system with motion monitoring evaluates the sensor signals and triggers an STO function in the event of an error.

Sunday, April 1, 2012

System Examination: Motion Control

With the current state-of-the-art technology, motion control is a non-safety-related drive component. Depending on the task, the functions are either drive-integrated or are performed by an external control system via fieldbus or drive bus. The classic allocation between the control systems depends on the required movement.