Safety

Radio control – Machines – Equipment – People

Safe lifting

Preface
To everyone involved in the protection of people and equipment in the workplace…

- In recent years, many industrial machines have greatly improved their flexibility and productivity through the introduction of various electronic control systems. The introduction of advanced components and systems has required new methods to assess their safety performance. As a result, high standards of safety for machinery are also required, and we constantly follow the updated risk-based, quantitative standards issued by global organizations such as IEC and ISO. The methods set out in these standards contribute greatly to the implementation of state-of-the-art safety solutions and now enable a simplified selection of safety components and systems to achieve adequate risk reduction. This information is intended to be an objective and comprehensive reference for people involved in selecting wireless radio control systems for safety-critical applications.

We, as a manufacturer of safe radio control equipment within the group ("Autec safety remote control"), hope that the following information will help, and we appreciate your comments and suggestions, which enable us to continue to improve our work. To all our valued partners and friends - thank you for your passionate commitment!

Avoid work in dangerous zone
Full status feedback helps the operator

Have you ever wondered whether the remote control for your radio control equipment complies with the relevant standards, and how you can tell if a remote control is reliable and suitable for the machine?

In recent years, radio controls have become an increasingly common addition to machines of all kinds and sizes. With such broad acceptance from designers, customers and end users alike, the market has come to regard them as convenient, safe and reliable. But in today's global marketplace, it is not always that simple.

The most basic point is that the employer is responsible for providing a safe workplace, and that we as manufacturers of radio control equipment follow the regulations that exist around the world. As the requirements increase, the employer must also be able to show how this is achieved and how their checks are carried out.

When choosing any safety-related equipment, such as radio control equipment or other equipment to be added to a machine or to equipment being designed, the criteria and processes used in the feasibility study and needs analysis should be directly demonstrable.

You should therefore always ask yourself whether your radio control equipment complies with the relevant standards.

The first step should therefore be that the manufacturer of the selected radio control equipment can demonstrate that the system complies with all standards applicable in the market where the equipment will be used.

Depending on laws, rules and relevance, radio control equipment falls under several different categories of requirements:
➜ Radio emissions and immunity: these requirements address the risk of interference with other radio devices and the health risks associated with electromagnetic radiation. For example, the R&TTE Directive and its harmonized standards (EN 300220, EN 61000, EN301489), FCC Part 15/90, AS4268.
➜ Functional safety: these requirements are the most complex and directly address the risk that the unit may malfunction and cause dangerous machine behavior, e.g. EN ISO 13849-1, IEC62061, AS4024.
➜ Requirements specific to the lifting machine: these standards can impose special requirements on the system in a variety of ways, including safety, performance, physical parameters, marking, etc. Examples are EN IEC60204 1/32, EN13557, AS 1418, ANSI ECMA 15: 2010.
➜ Electrical safety: these requirements are intended to control the risk of electric shock and fire and are common to a wide range of electrical equipment. For example, the Low Voltage Directive (EU) or AS/NZS 3000 (Australia and New Zealand).

These rules can be complicated and can interact with each other. It is also important to recognize that they are minimum requirements. Meeting all of them is therefore not sufficient to demonstrate that a radio control is "Safe", in other words that it reduces the risk to the selected tolerable level. A second step is to ensure that the radio control also provides the level of protection that results from the evaluation of the risks (the "Risk Analysis", which is the correct procedure to use for this task); many good guidelines on how to perform a correct evaluation are available.

How can you see if a radio control is suitable or not? And what should you watch out for?
The appearance of a radio control is a very poor guide to whether the required safety level is met. Some brands marketed as "Safe" radio control systems are fundamentally deficient, despite looking very similar to radio control systems that do meet the requirements.

However, there are two things that can be examined with the naked eye:
➜ The Stop button must be of the mechanically latching (locking) type. As with all STOP buttons, the radio control must have positive-opening switches and normally closed contacts. Once Stop has been activated, the Stop button must always be reset before restarting. These buttons are usually red on a yellow background on the control unit and are marked with arrows showing the reset direction, with or without text. Reset must always be performed manually before the radio control can be used again. If the Stop button on a radio control system appears to be a standard push button, further questions are warranted.
➜ Does the radio control use rechargeable batteries? Most "Safe" radio controls use rechargeable batteries for one simple reason - they transmit continuously while the radio control is switched on, even when no function or command is active. This is necessary so that the radio control fails "safely" if communication between the transmitter and the receiver is interrupted. Radio control equipment without rechargeable batteries therefore cannot be claimed to meet the requirements, since it transmits only when a command is given. Although this results in much lower power consumption and longer battery life, safety decreases dramatically. Beyond these simple observations, the customer should ask the manufacturer whether they comply with the mandatory standards established for a radio control product to be considered "Safe".

The safety level / protection of your radio control equipment must include a level of fault detection, which should be determined early in the project, normally for both the Stop function and the movement functions, evaluated separately from each other. Manufacturers' self-assessments of safety performance are useful, and so are independent assessments by qualified laboratories, e.g. notified bodies authorized to analyze a system's different safety levels. That a manufacturer of radio control equipment can demonstrate such an independent assessment of its technology platform should be seen as high added value for the customer.

In summary, and well worth adding: the best defense for a customer of a radio control is to avoid choosing an inappropriate system for their machine. This can be avoided at an early stage by building up knowledge of the technology, so that the choice is not based only on price and appearance, and by not settling for the manufacturer's claim that the system complies with all applicable directives. The customer must first make sure that the manufacturer meets the requirements, which means that the customer should set the requirements and insist that sound principles are followed.

Reliability and Safety!
Many "unsafe" radio control systems can unfortunately be found in many different applications today, because many customers are not aware of the requirements or lack the knowledge to ask the right safety questions for their machine or equipment. In some cases the deficiency also stems from poor attention on the part of the radio control manufacturer, which means that the right safety issues are never raised; this can also affect the overall quality of the machine, something the end user only becomes aware of when something critical happens to the machine. In other cases, the end user may be quite satisfied with the daily use of "unsafe" radio control equipment. This is not surprising, since behavior under fault conditions is a very different matter from basic functionality. As with most safety issues, inattention to the machine's safety needs can go unpunished for a very long time - the shortcomings are only exposed when something goes wrong, sometimes with very tragic consequences…

As described above, "safety with radio control" covers the various aspects mentioned as basic.

The next topic, "Security in digital communication", explores concepts related to radio transmission. These are of great importance and directly safety-related.

Fail-safe radio control:
The primary safety feature of a radio control must be the ability to stop the machine safely. Protecting the Stop function against faults is therefore clearly critical. However, protecting the Stop system alone is not sufficient for a safe system, because it depends on the human operator being able to take appropriate and timely action in an emergency. The operator may not be present, may not be aware of the risk, may not react in time, or may even take measures that increase the risk, with serious consequences.

Some benefit can be gained by ensuring that an unused transmitter is switched off automatically by a built-in shut-off function (which then initiates a Stop) after the system has been unused for a longer period of time. But again, that alone is not enough. The radio control system must also be protected against faults that initiate unexpected movement, without relying on the operator to activate the Stop. Two fault classes must be covered:
➜ Failure of the Stop function.
➜ Unexpected movement from standstill caused by a fault (also called UMFS protection).

Dual Stop outputs:
One of the most predictable dangerous faults in a radio control is that the Stop output is not switched off when needed. This is handled by giving the system two Stop outputs, each of which can independently take the machine to a safe state. Although this is a definite improvement over systems with a single output, it is not a complete solution: reliable detection of the state of the Stop outputs is also required. Without such detection, the radio control could operate with one Stop output already failed, i.e. without the protection of the second output. A manual inspection of the outputs can reveal problems, but it is usually impractical to schedule manual inspections often enough to ensure that a first fault is detected before a second fault occurs. The control system must therefore be able to detect by itself that a failure has occurred and prevent the machine from operating while only one output is working. This duplication with fault detection can also be called "redundancy with self-monitoring", and it should be a given before a radio control is called "Safe" for use in lifting applications or other dangerous moving machines.

The Stop outputs of a radio control receiver / base station can use a special class of relay outputs called "Safety relays". Despite what the name implies about their design being safer than a regular relay, contact welding, coil failure and other mechanical faults can still occur. What makes them different is their "forcibly guided contacts", a name more indicative of their real function. If one set of contacts is stuck in the ON position, the other set cannot return to its normally closed position (which can happen with standard relays, especially those with a small contact gap). The control system can therefore know with some certainty whether the power-switching contacts are working, by continuously monitoring the second set.
This simplifies the design of a robust safety control circuit: one set of contacts is used for power switching and the other for monitoring. Another solution is to use solid-state outputs that are continuously monitored, deactivating the electronics if a fault is detected.
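To make the self-monitoring described above concrete, here is an added illustration in C (not Autec's firmware or any product's actual design): two Stop relays with forcibly guided contacts, each read back through its monitor contact, so that a single welded contact is detected at the next Stop and restart on the remaining channel is inhibited. The relay model, the fault injection and all names are the author's assumptions.

```c
#include <stdbool.h>

/* One Stop output: a relay whose power contact opens the machine's stop
 * circuit. Forcibly guided contacts mean the monitor contact is always the
 * mechanical opposite of the power contact, even if the power contact welds. */
typedef struct {
    bool coil_on;       /* what the receiver commands */
    bool power_closed;  /* actual state of the power (NO) contact */
    bool welded;        /* injected fault (constructed): contact stuck closed */
} relay_t;

static void relay_set(relay_t *r, bool on) {
    r->coil_on = on;
    r->power_closed = r->welded ? true : on;
}

/* Monitor (NC) contact as read back by the controller. */
static bool relay_monitor_closed(const relay_t *r) { return !r->power_closed; }

/* A channel is healthy when its monitor contact matches the coil command. */
static bool channel_healthy(const relay_t *r) {
    return relay_monitor_closed(r) == !r->coil_on;
}

typedef enum { ST_STOPPED, ST_RUNNING, ST_FAULT } stop_state_t;

typedef struct {
    relay_t a, b;        /* two independent Stop outputs wired in series */
    bool fault_latched;  /* restart inhibited until the fault is repaired */
} stop_ctl_t;

void stop_ctl_init(stop_ctl_t *c) {
    c->a = (relay_t){ false, false, false };
    c->b = (relay_t){ false, false, false };
    c->fault_latched = false;
}

/* The machine is powered only while both power contacts are closed. */
bool machine_powered(const stop_ctl_t *c) {
    return c->a.power_closed && c->b.power_closed;
}

/* One control cycle. Both channels follow the run request; a channel whose
 * monitor contact disagrees with its command is a detected fault, and the
 * system then refuses to run on the remaining single channel. */
stop_state_t stop_ctl_update(stop_ctl_t *c, bool run_request) {
    bool drive = run_request && !c->fault_latched;
    relay_set(&c->a, drive);
    relay_set(&c->b, drive);
    if (!channel_healthy(&c->a) || !channel_healthy(&c->b))
        c->fault_latched = true;
    if (c->fault_latched) {
        relay_set(&c->a, false);   /* the healthy channel opens the circuit */
        relay_set(&c->b, false);
        return ST_FAULT;
    }
    return drive ? ST_RUNNING : ST_STOPPED;
}
```

Note that a contact welded closed cannot be distinguished from a correctly closed one while the coil is commanded on; it is caught at the next Stop, which is why the second channel must exist at all.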

Dual inputs:
To protect against faults in the control unit's electronic circuits that could cause unexpected movement, remote controls can use dual function inputs. Some types use a single physical actuator (such as a button) that operates two separate channels to confirm the command. Others use two electrically and mechanically separate actuators operating the two control channels to confirm each command, which provides a higher level of safety because protection is also given against mechanical faults (e.g. broken springs, failed contacts or cable breakage).

Dual decoders:
As mentioned earlier, part of what qualifies a radio control to be called "Safe" is a passive Stop function: the receiver must receive a valid message from the transmitter within a certain period of time, otherwise it must enter a safe Stop mode. The parts of the receiver / base station that listen for incoming messages and decide whether they are valid are called decoders. If the Stop system is to be protected against faults, the decoder must be equally protected. This requires duplication of the decoder (a dual-channel architecture, in EN ISO 13849 terminology) and a mechanism whereby both decoders must accept that a valid message has been received; otherwise Stop is activated. Several radio control systems on the market are claimed to be "fault proof" but do not meet this criterion - they have single-decoder designs. If there is only one decoder and its decoding fails, the Stop circuit may not work properly. A system of this type is vulnerable to corrupt data, random hardware failure and systematic errors due to software and/or computer faults. The situation is similar for protection against unexpected movement: in a single-decoder system, nothing prevents a decoder fault from initiating unexpected movement. To protect against this, duplication is required not only of the decoder's Stop functionality but of all safety functions implemented in the system. Dual decoding protects against hardware failures: both decoders must agree on a command.

However, duplication alone does nothing against other causes such as common-cause failures and systematic errors, e.g. software errors. If both decoders have an undetected problem at a specific temperature, both will fail at that temperature. Likewise, if the same faulty program runs on both decoders, they will always agree - but they can both be wrong! Watchdog timers, program checksums and other techniques can reduce the risk in part, but are unlikely to bring it to the desired level. For higher levels of safety the decoders should be "diverse", which means that both the hardware and the software running on them must be different. This is one of the most important techniques used to achieve safety in a remote control system.
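The passive Stop watchdog and the dual-decoder agreement described in this section, as an added example in C that is not Autec's code or any real product's protocol. The 4-byte frame layout, the 500 ms timeout, the receiver address and the two deliberately different decoder implementations (the diversity the text calls for) are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RX_ADDR    0x5Au   /* constructed receiver address */
#define TIMEOUT_MS 500u    /* passive Stop: maximum silence before safe state */

enum { CMD_NONE = 0x00, CMD_HOIST = 0x11, CMD_STOP = 0xFF };

/* Constructed frame: address, command, bit-inverted command, checksum. */
typedef struct { uint8_t addr, cmd, cmd_inv, sum; } frame_t;

frame_t frame_build(uint8_t cmd) {
    frame_t f = { RX_ADDR, cmd, (uint8_t)~cmd, 0 };
    f.sum = (uint8_t)(f.addr + f.cmd + f.cmd_inv);
    return f;
}

/* Decoder A: verifies the arithmetic checksum, takes the command field. */
static bool decode_a(const frame_t *f, uint8_t *cmd) {
    if (f->addr != RX_ADDR) return false;
    if ((uint8_t)(f->addr + f->cmd + f->cmd_inv) != f->sum) return false;
    *cmd = f->cmd;
    return true;
}

/* Decoder B: deliberately different logic and data path (diversity): checks
 * the inverted copy bit by bit and recovers the command from that copy. */
static bool decode_b(const frame_t *f, uint8_t *cmd) {
    if (f->addr != RX_ADDR) return false;
    for (int i = 0; i < 8; i++)
        if (((f->cmd >> i) & 1u) == ((f->cmd_inv >> i) & 1u)) return false;
    *cmd = (uint8_t)~f->cmd_inv;
    return true;
}

typedef struct { uint32_t last_valid_ms; uint8_t output; bool stopped; } receiver_t;

void receiver_init(receiver_t *r, uint32_t now_ms) {
    r->last_valid_ms = now_ms; r->output = CMD_NONE; r->stopped = false;
}

/* One receiver cycle. f is NULL when nothing was received. Stop is latched
 * until a manual reset (not modelled), matching the manual reset required of
 * the Stop button. Returns the command passed on to the outputs. */
uint8_t receiver_step(receiver_t *r, const frame_t *f, uint32_t now_ms) {
    uint8_t a = CMD_NONE, b = CMD_NONE;
    if (f != NULL && decode_a(f, &a) && decode_b(f, &b) && a == b) {
        r->last_valid_ms = now_ms;              /* restart the watchdog */
        if (a == CMD_STOP) r->stopped = true;   /* active Stop */
        r->output = a;
    } else {
        r->output = CMD_NONE;  /* silence, corrupt frame or decoder disagreement */
    }
    if (now_ms - r->last_valid_ms > TIMEOUT_MS) r->stopped = true; /* passive Stop */
    if (r->stopped) r->output = CMD_NONE;
    return r->output;
}
```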

Duplicate encoders:
We have seen the importance of ensuring that a message is received and decoded correctly and how this can be achieved with dual decoders. This may seem sufficient, so that duplicating the encoder that sends the message appears unnecessary. There is indeed some justification for this argument: if we remove power from the transmitter using the power button or code key, the device stops transmitting, and with dual decoders in the receiver we know that at least one of them will detect the loss of communication and cause a passive Stop. In summary, dual decoders alone give a basic level of fault protection for the "passive" Stop system. The situation changes if we also want UMFS protection and active Stop protection. Suppose the received message was correctly structured and sent, but contained an incorrect command because of a fault in the encoding electronics of the transmitter; in that situation dual decoders are of no help. Some redundancy in the encoder of the transmitter unit is therefore required to protect the system from initiating unexpected movement due to a fault. The same considerations about common-cause failures and systematic errors apply here as well.

Dual outputs:
The outputs in the receiver / base station must be duplicated to ensure that at least one output opens in the event of a fault. If we are to protect against unexpected movement (UMFS), dual outputs are required for the movement commands on the machine as well. This can take the form of duplicating each command output individually, but there is a balance to be struck between reliability and safety: if we duplicate every output, we also double the complexity, and if the duplicated outputs are not monitored for faults, little has been gained. A compromise that achieves high safety with little added complexity is an additional output that removes power from all movements whenever no movement command is active. In this way the system is protected against certain output faults, such as short circuits, with a relatively simple design. If this additional output is duplicated and monitored, a high level of protection against unexpected movement is achieved.
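The enable-output compromise described above, as an added C example that is not Autec's code: a single extra output feeds all movements only while some movement is commanded, and a read-back check latches a fault if any movement output is closed without a command. The four movement outputs, the read-back and the injected short are constructed assumptions.

```c
#include <stdbool.h>

#define N_MOTION 4  /* constructed: hoist up, hoist down, trolley left, right */

typedef struct {
    bool cmd[N_MOTION];         /* validated movement commands from the decoders */
    bool out[N_MOTION];         /* read-back state of each movement output */
    bool out_shorted[N_MOTION]; /* injected fault: output contact stuck closed */
    bool enable;                /* the one extra output feeding all movements */
    bool fault_latched;         /* set when an output is closed with no command */
} outputs_t;

void outputs_init(outputs_t *o) { *o = (outputs_t){0}; }

static bool any_cmd(const outputs_t *o) {
    for (int i = 0; i < N_MOTION; i++) if (o->cmd[i]) return true;
    return false;
}

/* One output cycle: drive the movement outputs, read them back, and decide
 * whether the enable output may be closed. Returns true if any movement is
 * actually powered (enable closed AND that output closed). */
bool outputs_update(outputs_t *o, const bool cmd[N_MOTION]) {
    bool powered = false;
    for (int i = 0; i < N_MOTION; i++) {
        o->cmd[i] = cmd[i];
        o->out[i] = o->out_shorted[i] ? true : cmd[i];
        /* Read-back check: a closed output with no command is a fault. */
        if (o->out[i] && !o->cmd[i]) o->fault_latched = true;
    }
    /* Enable closes only while a movement is commanded and nothing is faulty,
     * so an idle machine with a shorted output cannot move, and a shorted
     * output cannot ride along when a different movement is commanded. */
    o->enable = any_cmd(o) && !o->fault_latched;
    for (int i = 0; i < N_MOTION; i++)
        if (o->enable && o->out[i]) powered = true;
    return powered;
}

bool motion_powered(const outputs_t *o, int i) { return o->enable && o->out[i]; }
```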

Functional safety: principles / references for Safety Electronics today!
Two major global trends have become apparent in recent years and still influence technical decisions. First, more electrical, electronic and programmable systems are now integrated into all types of machines. The trend started a few decades ago in the automotive industry with systems such as airbags, anti-lock brakes, traction control and stability control, which showed that high performance, reliability and safety can coexist. Since then, electronic systems have been included in the design of many other manufactured products. Their efficiency and proven value are undeniable, and they are now so widespread that they have also proven cost effective. The second trend is the focus on safety. International standards have consequently been enforced and are today stricter, with more precise requirements and restrictions, and with safety as the most important goal throughout the product's life cycle. As a result, the technology has at the same time been further developed with the intention of increasing safety, which can generally be described as "the reduction of risk to an acceptable level". Both trends have also affected the machinery sector, including lifting and material handling machines as well as manufacturing machines, where the mechanical aspects traditionally prevailed over others. Today it is a matter of course that electrical, electronic and programmable systems offering increased levels of safety are designed and integrated in the development and manufacture of machines. Manufacturers of industrial radio control equipment have followed the same path: the systems are increasingly integrated, as are their electronics and the improvement of their "Functional Safety". Functional safety is today defined as "the safety resulting from the correct functioning of a control system in response to input signals, thus reducing external risks to a tolerable level".

Want to know more? Do not hesitate to contact us for additional information or guidance, and for help right from the start of your project's feasibility study and needs analysis.

RadioControl SMD AB – Autec Sweden

www.autecsafety.com