Safety Integrity Level, ConveyStop, and Acronym Soup

Pat's Corner

Safety for industrial equipment, which includes automated material handling equipment in general and conveyors in particular, can be a confusing and rather daunting topic. Not complying with safety standards generally provokes word associations in our brains such as “bad”, “dangerous”, and “liability”. This last one often gets the attention of the folks within our organizations who control the checkbook and those who have the company's attorneys on speed dial.

Understanding Safety Standards: Decoding the Jargon

When discussing safety, industrial equipment, and workers around said equipment, the conversation nearly always funnels to safety standards, which ones apply, and how to properly interpret them. “Functional Safety” is a common term used for industrial equipment, and one of the measures used in Functional Safety is called Safety Integrity Level, or SIL. There are 4 levels of SIL, numbered 1 through 4. You can Google such terms and be pointed to a myriad of pages and documents filled with charts, values, and terms.

The challenge with this 'acronym soup' lies in its broad application across industries, often leaving conveyor professionals wondering, 'What does this mean for us?'

What is SIL, and Why Does It Matter?

A few years ago, I was tasked with getting a better understanding of Functional Safety. I eventually came across a testing lab that provided answers to my questions. On one particular conference call I inquired about SIL and they gave me a layman’s explanation of each of the 4 SIL values. In essence, a SIL value is based upon answering the question “What can happen to the people around the equipment if the safety system fails when activated?” Paraphrasing what they told me:

SIL 1 - Minor or superficial injury resulting in minimal or no medical treatment or lost work time. Think “Band-Aid”.

SIL 2 - Non-superficial injury that could result in medical treatment and lost work time. Think “broken foot, toe, arm or finger” or maybe “a cut that needs stitches”.

SIL 3 - Major injury such as loss of limb, becoming permanently disabled, or death. Probably do not need to elaborate with a “Think” on this one.

SIL 4 - Catastrophic disaster affecting an entire building or geographic area - Think exploding building or huge chemical spill.

Disclaimer #1: These definitions for SIL are paraphrased interpretations from my experience.  These are not “official” definitions.

The primary metric used for quantifying a safety system is the expected number of failures per hour (FPH) for the devices that make up the safety system. To translate into conveyor language: each safety system device (E-Stop button, safety relay, pull-cord switch) has an expected FPH, and the component or components with the highest FPH determine the FPH for the overall safety system (think “weakest link in the chain”). The manufacturers of E-Stop buttons and safety relays have their products evaluated by third-party labs to come up with these values. Although not necessarily accurate in all applications, you can generally say that the lower the FPH, the “safer” the device.

For each SIL value there is a corresponding min - max range of allowable FPH. 

The required SIL for a safety system is wholly dependent upon a risk analysis of the equipment, how it is used, how many times per year the safety system needs to engage, proximity to personnel, etc.  The question that needs to be asked is “out of the 4 levels, which one applies if the safety system is actuated and it fails to put the equipment in a safe state?”
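An added example, not from the original article or from Pulseroller: it rates a chain of safety devices by the article's weakest-link rule and, as a more conservative cross-check that the article does not describe, by the sum of the device rates. The band limits are the IEC 61508 high-demand figures, the device values are constructed, and the function names are hypothetical; it checks only the failures-per-hour band, not the other requirements of a SIL claim.

```python
# IEC 61508 high-demand / continuous-mode bands, in dangerous failures
# per hour. These limits are supplied here; the page does not list them.
SIL_BANDS = [  # (SIL, lower bound inclusive, upper bound exclusive)
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]

# Constructed sample values, not taken from any vendor datasheet.
SAMPLE_DEVICES = {
    "E-Stop button": 2.0e-8,
    "safety relay": 4.5e-8,
    "pull-cord switch": 6.0e-8,
}


def sil_for_fph(fph):
    """Return the SIL whose band contains fph, or 0 if it is too high for SIL 1."""
    if fph <= 0:
        raise ValueError("failures per hour must be positive")
    if fph < 1e-9:
        return 4  # better than the SIL 4 band; 4 is the highest level
    for sil, low, high in SIL_BANDS:
        if low <= fph < high:
            return sil
    return 0


def evaluate_chain(devices, required_sil):
    """Rate a safety chain by its worst device and by the sum of all devices."""
    worst_name, worst_fph = max(devices.items(), key=lambda item: item[1])
    series_fph = sum(devices.values())  # every device must work for a stop
    by_sum = sil_for_fph(series_fph)
    return {
        "weakest_link": worst_name,
        "sil_weakest_link": sil_for_fph(worst_fph),
        "sil_series_sum": by_sum,
        "meets_required": by_sum >= required_sil,
    }


if __name__ == "__main__":
    for target in (2, 3):
        print(target, evaluate_chain(SAMPLE_DEVICES, target))
```

With the sample values the worst device alone falls in the SIL 3 band, while the summed rate of 1.25e-7 per hour falls in the SIL 2 band.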

The Evolution of MDR Technology and Its Safety Implications

Those of us on the engineering side of things in the MDR world have often had to temper the excitement of our salesmen and customers who have been told that MDR conveyor is “safe” and “does not need an E-Stop”. When MDR technology first appeared a couple of decades ago, the mechanical performance was such that a given system probably did not have to have an E-Stop because the drive trains could easily be stopped by hand. As the technology has progressed, the torque and power capabilities of our MDRs have greatly increased. The “No E-stop required” mantra is no longer valid in a lot of cases. We have MDRs that can drive pallet loads weighing a few thousand pounds. If the E-stop system failed, a person in the path of a couple-thousand-pound load moving on a conveyor could certainly be severely injured or even killed.

There are quantitative numbers for the failures per hour ranges required to reach a given SIL designation. This satisfies us engineering folks because we like numbers. Where it gets hazy and subjective is the risk analysis. Trying to glean this out of the specifications filled with general statements and acronym soup is more of a challenge. And to top it off, hired third parties are sometimes needed to perform a risk analysis for larger systems. Because we are human and the specifications can be left open to interpretation in some cases, you cannot count on the same result at every installation site.

Practical Insights for Conveyor Professionals

The question on the table still remains: “What does all of this mean for us conveyor dudes?”

Disclaimer #2: The following is my opinion. This opinion and the change in your pocket may get you a bad cup of coffee. This opinion on its own has little or no value in a court of law (insert your own Law and Order “cha dong” sound here).

For a conveyor system consisting of only carton handling with all of the drives being MDRs with a nominal amount of the conveyors requiring operator access, a safety system meeting SIL 2 should be acceptable. A reasonable risk analysis evaluation should agree.

A conveyor system that contains a mixture of MDR and fractional HP AC motors would more than likely require a SIL 3 because fractional HP AC motor drive trains can cause severe injury. Depending on the location of the AC motors and their proximity to operators and personnel, one could argue that a SIL 2 system would be acceptable, but it may be a hard sell.

The main differences between a SIL 2 and SIL 3 safety system are cost and complexity. Often this is driven by extra components and wiring required to properly stop non-SIL 3 components in order to make the overall system SIL 3.

Now for the drum roll moment……..

Pulseroller’s ConveyLinx-Ai Family of controllers coupled with ConveyStop functionality included with EasyRoll+ is certified as EN ISO 13850 compliant for Emergency Stop Function.  This means that you can leave the modules powered on and issue a stop command from your PLC over the Ethernet network and this will meet SIL 2 requirements for a safe stop of our modules.  So, if your overall conveyor system’s risk analysis concludes that SIL 2 is acceptable, you do not need to have a separate E-Stop circuit to remove power from your ConveyLinx modules in order to have a safe system stop.

Although I have not performed an exhaustive search of the global market of networked MDR controllers, we believe the ConveyLinx-Ai Family controllers are the first and only that can boast compliance with the ISO 13850 specification and offer a built-in configurator for E-Stop zones.

As always, the Pulseroller technical support team is available via our online chat, email, or phone to answer any questions you may have.

Safely Yours,