Safety requirements for mining systems controlled in automatic mode

For machines working in an integrated way, as is the case of automated mining systems, the challenge is to design the control system so that it implements all the functions required for the individual machines and ensures their proper interaction. While the requirements for machines of a given type are defined in relevant standards, the requirements for the linkage among them within mining systems controlled in an automatic mode are not always sufficiently specified in regulations and standard documents. Safety related to the control system of mining systems depends on the proper design of each machine and device, on the realisation of technological interlocks and interdependencies among them within the complex, and on the proper design of the master control system. Master control systems using digital transmission enable remote parameterisation of the control system, parameterisation of electrical circuit protection settings, and deactivation and activation of any input and output signals used in the control algorithm. On the basis of the experience gained during the evaluation of such systems, the principles that should be applied in order to avoid the occurrence of a hazard or an increase in risk associated with the use of master control systems are briefly discussed. This article reviews the currently binding technical requirements for machines and their control systems and indicates a number of issues that should be taken into account when designing control systems, in order to ensure the required level of safety while using machines operating in an integrated manner within automated mining systems.


Introduction
One of the elements of a technical safety management system is the risk analysis and assessment, positioned between the safety requirements defined by law and the established safety objectives, as well as the technical and organisational safety measures taken on its basis (see Fig. 1).

Fig. 1. Risk assessment as a part of the safety management system - prepared based on (Figiel and Tytko, 2004)

For several decades the Division of Attestation Tests, Certifying Body at the KOMAG Institute of Mining Technology has been dealing with issues related to the technical safety of individual machines as well as of machines working in an integrated way. Each machine, in all the phases of its life cycle, generates a number of hazards. One way to reduce the risk associated with a given hazard is to use a control system that, while performing the safety function, does not allow a dangerous event to occur (EN, 2018: EN 60204-1). When machines operate in an integrated way within an automated process line, the importance of the master control system increases (Stankiewicz, 2019), (Jasiulek, 2018), (Jasiulek, 2019), (Rogala-Rojek et al., 2019). Industrial automation solutions used today allow solving very advanced problems concerning the cooperation of many machines (robots) within a technological sequence (Dodok et al., 2017), (Sapietová et al., 2018), (Kuric, 2019). In practice, any process can be optimised using available software tools and numerical calculation methods (Elbakian, 2018). On the basis of the certification body's many years of experience in the conformity assessment of machines, this article indicates the issues whose inclusion in the process of designing mining systems controlled in an automatic mode, in particular master control systems, contributes to increasing the safety level of their use. Knowledge of the mechanical properties of the mined rock also affects their safety (Biały, 2013), (Biały, 2014), (Biały and Fries, 2019).

Material and Methods
The article is based on the author's experience gained during analytical studies of the technical documentation of mining machinery and equipment control systems operating in an automatic mode, and on a review of documents containing the requirements for control systems. Control in automatic mode is most often used in transport systems (horizontal transport by conveyors and vertical transport by hoisting machines) (Blatnický et al., 2020), integrated control systems of mining systems, integrated control systems of systems designed for tunnelling, and control systems of the machinery of technological lines in coal processing plants. Control systems are subject to evaluation, prior to their installation in underground mine workings, as a part of the procedures provided in technical regulations. With regard to control systems of particular importance for safety, the assessment is performed by an external body independent of the manufacturer and the user, usually an accredited certification body with relevant competencies. The criteria for assessing control systems are the requirements contained in the standards for individual machines, the functional safety requirements for control systems and the requirements of country-specific mining regulations. The assessment processes carried out as a part of the certification body's activities for integrated control systems of plow longwall systems, integrated control systems of shearer longwall systems, integrated control systems of machines designed for tunnelling, transport systems assembled from belt and armoured conveyors, mining shaft hoists and technological systems of coal preparation plants led to the thesis that the criteria for assessing such systems, included in available standards and regulations, are insufficient (primarily due to the capabilities of modern control systems).
On the basis of a critical analysis, a set of issues was identified whose fulfilment guarantees the safe use of mining complexes controlled in an automatic mode. The results of the work should be used primarily by the designers of the control systems in question.

Results
On the basis of a review of the technical requirements concerning control systems for mining machinery and equipment operating in an automatic mode, three levels of technical safety were identified and discussed: (1) safety of each individual machine; (2) safety of the machinery system due to functional links, interlocking, interaction between machines, etc.; (3) safety related to the master control system. While the requirements for individual types of machinery are well recognised, this is no longer the case for automatically controlled machinery systems. For this reason, the article presents aspects to be taken into account when designing and evaluating control systems for mining systems, with particular emphasis on the master system. The presented analysis results are important for the authors of standards, machine manufacturers, and designers of control systems of mining systems and of superior control and visualisation systems. According to the author, meeting the requirements presented in the article will contribute to the safety of control systems operating in an automatic mode.

Layers of technical safety of mining systems controlled in an automatic mode
The safety of automated mining systems is ensured in many layers. Basically, three main layers can be distinguished:
Layer I - Safety of a single machine, for which the manufacturer has the main responsibility.
Layer II - Safety of the mining system, composed of machines, partly completed machinery, power supply, control and safety devices, creating a functional system and realising the assumed process.
Layer III - Safety of the master control and visualisation system, monitoring the process carried out by the mining system.
In each layer, control systems are essential for safety, so they must be designed in accordance with the requirements of the functional safety standards. Functional safety is understood as the part of machinery safety which depends on the correct operation of the control system and its immunity to faults and external interference.

Safety of the machine
The main safety measures for each machine are:
− design and manufacture of the machine, taking into account the results of the risk analysis and assessment, so that:
  − all the identified hazards have been eliminated, or the risks associated with them have been reduced to an acceptable level,
  − the sources of hazards are monitored in a way that makes it possible to prevent a risk increase by initiating preventive measures,
− use of safe working methods and provision of appropriate means of collective protection and personal protective equipment.
The risk assessment results make it possible to determine whether the applied design concepts correspond to the current level of technical knowledge, reflected in the latest editions of the standards and technical regulations (directives) in force. Machinery shall be designed in such a way that the risks associated with any identified hazard are limited to an acceptable level (European Parliament and Council of the European Union, 2006) (DGUV, 2017). Decisions on how to reduce risks must be taken in accordance with the 'three steps' principle (EN ISO, 2010: 12100:2010), giving preference to inherently safe design measures (first step), followed by technical and complementary protective measures such as changing the design, monitoring potential sources of risk by implementing safeguarding and/or additional protective measures (second step), and organisational measures, such as planning safe working methods and providing personal protective equipment, taken on the basis of information provided by the manufacturer (third step). A risk reduction through the use of a control system (electrical, electronic, programmable electronic, hydraulic, pneumatic) makes it necessary to take into account the risks associated with its possible malfunction (Robinson, 2018) (Jocelyn et al., 2014) (Hietikko et al., 2011) (Krenicky, 2011) (Murcinkova and Krenicky, 2013) (Porras-Vázquez and Romero-Pérez, 2018) (Chinniah, 2015) (Missala, 2000). This approach results from the Machinery Directive 2006/42/EC, according to which control systems must be designed and constructed in such a way that:
− they prevent hazardous situations from arising,
− they can withstand the intended operating stresses and external impacts,
− a fault in the hardware or the software of the control system does not lead to hazardous situations,
− errors in the control system logic do not lead to hazardous situations,
− reasonably foreseeable human error during operation does not lead to hazardous situations.
Machinery control systems shall perform their designated control functions even under failure or interference conditions, in a predictable manner and with specified reliability, throughout the machinery's life cycle. The measures implemented to minimise the probability and scope of such failures or interferences depend on the level of risk associated with the specific control function (EN, 2018: 60204-1:2018). The important question is, however, who determines the reliability level (fault and interference tolerance) of the safety functions performed by machine control systems, and on what grounds? It happens that the required safety level of a given safety function is specified in the standard dedicated to a given type of machine, but this is a rare situation. It is usually the result of a risk assessment carried out by the machine manufacturer or control system designer, determining the required performance level PLr according to the EN ISO 13849-1:2015 Standard or the safety integrity level SIL according to the EN 62061 Standard.
Once the safety function has been identified, all the specific requirements that guarantee the performance of the function in the intended working environment must be specified. They shall specify the ambient and operating conditions (supply voltage range, electromagnetic environment (Šmelko et al., 2020), the possibility of occurrence of a hazardous explosive atmosphere, ambient temperature, degree of environmental pollution, humidity range, maximum vibration values, resistance to mechanical impact), the mode of operation, initiating requirements (measuring range, accuracy and response time), operating requirements and requirements for the individual components of the control system (sensors, control devices, test equipment, actuators).
When the machinery manufacturer does not provide power and control equipment, he shall supply the control system integrator with full information on the requirements for connecting the machinery to the power supply and the control system's requirements. It is particularly important to provide information which control functions are safety functions and which safety level the control system shall achieve. This allows the control system integrator to choose the right architecture and system components (Beugin et al., 2007) (Hietikko et al., 2015).

Safety of mining system
The machines which form a mining system are functionally linked and work in a dependent way. A correct selection of machines, power supply equipment and control system determines not only the efficiency and productivity of the mining system but also the safety associated with its use (Bluff, 2014) (Beugin et al., 2007).
Mining systems are created at the place of the target work. For this reason, they cannot be fully tried and tested before being delivered to the mine.
An assessment of the mining system, including the control system, with a view to meeting safety requirements, shall be carried out on the assumption that the individual machinery and equipment incorporated in the system are safe, i.e. that they meet the essential safety requirements set out in the EU technical harmonisation regulations (Akatov et al., 2019).
In addition, for machines working in an integrated way, an assessment of their compatibility and correct operation shall be performed. An assessment of the links among the machines, carried out by the master control system, is made on the basis of technical documentation (design assessment), in most cases developed by the control system integrator, usually a specialised engineering office or a supplier of control equipment, possibly the technical service of the user.
While the conformity assessment procedures for individual machines are very well described in technical regulations, this is no longer the case for a mining system. The designer of a compound technical object faces a difficult task regarding ensuring that the planned process is carried out by all the properly selected machines and equipment, meeting all the conditions of use specified by their manufacturers, including the safety requirements.
Based on the certification body's experience, a number of factors that should be taken into account in the design processes of automated mining systems have been formulated. These include:
1) a selection of the equipment included in the system according to the conditions of use specified in the instructions (intended use, restrictions of use), power supply conditions (requirements concerning the layout and parameters of the power supply network, back-up power supply, required protection of electrical circuits) and environmental conditions (presence of a potentially explosive atmosphere, ambient temperature, humidity, altitude),
2) performance of control functions in accordance with design assumptions and industry standards - due to the increased risk during automatic control, this type of work should be subject to detailed analysis; the control system should switch individual machines on and off without generating an additional hazard, and the persons in the zone where the hazard may occur should be warned of the potential hazard by a clear acoustic or optical signal, or both at the same time,
3) performance of safety functions with the required safety level,
4) a possibility of shutting down and interlocking the start-up of any machine; shutting down a machine should result in the shutdown of all the others if their continued operation results in a hazard; the operation of the safety devices should be effective (adequate stopping time, switch-off reliability, immunity to interference),
5) providing a reliable communication infrastructure among the system equipment (reliability and safety of electrical connections and data transmission, resistance to interference, protection against mechanical damage, fault detection) (Láryš and Koziorek, 2010),
6) equipping control workstations with control devices, devices signalling the realised mode of operation, warning about emergency states and interlocks, providing information about process parameters, the technical condition of machines and devices, parameters of media influencing their operation, environmental hazards, and stopping or blocking of a machine; equipping control workstations with means for emergency stopping of all the machines and blocking their activation - the operator should be warned in time about potential hazards and should have access to the means for restoring a safe condition,
7) providing instructions for the safe operation of each machine in the mining system in all the phases of operation (during normal operation, maintenance and service).

Safety of the master control system
Modern control systems enable remote parameterisation of the control system, parameterisation of electrical circuit protection settings and activation and deactivation of any input and output signals. This is a very helpful tool, but it creates the conditions for a hazard or an increase in risk when misused, since an operator can influence the process negatively from the master control system. The protection against such practices includes:
− a necessity to log in to the system as an unambiguously identified user (name and password),
− access to the system functions limited according to the rights held (range of rights: viewing the synoptic table, selection of the control mode, viewing the settings of electrical circuit protections, system parameterisation, changing the settings of electrical circuit protections, user management, service and administrative functions),
− recording in the system of all events, assigned to the logged-in person, who is aware of being responsible for the operations performed,
− no possibility to deactivate a safety function,
− deactivation of input or output signals only in special cases, i.e. when testing or diagnosing system malfunctions; during normal line operation all the control system components shall be active,
− separation of the data transmission network from all other networks, especially the external network, for example by using a "mirror" server with a one-way communication port, or other means that prevent unauthorised interference with the control system.
An example of a master control system meeting the requirements mentioned above is the visualisation system of the jig developed at the KOMAG Institute of Mining Technology (Stankiewicz and Jagoda, 2019). The following figures show the main application window (Fig. 3) and the main visualisation application window view (Fig. 4).

Example of a "layered" approach to safety
Horizontal transport systems of a jig (process line with master control system shown in chapter 2.4), consisting of belt conveyors, operating in an automatic mode, illustrate the "layered" way of ensuring the safety of compound technical objects.
(1) Layer I: A single belt conveyor is equipped with the following devices:
− head and tail drum,
− drive unit (electric motor and gearbox),
− brake unit,
− conveyor belt,
− switching equipment,
− control and warning devices.
The manufacturers of each of the assemblies mentioned above and devices have carried out the applicable conformity assessment procedures and declared that the safety requirements, applicable to the product, have been met. The requirements for safe use are specified in the operational manual. The conveyor, assembled from the above-mentioned equipment, has been designed taking into account the results of the risk assessment. All the hazards, associated with an operation of the conveyor belt, have been eliminated or the risk associated with them has been reduced to an acceptable level; some of them through a control system, for example, an ignition hazard caused by the belt slipping against the drive drum, which may occur if the belt tension is too low. The manufacturer has equipped the conveyor with speed sensors, and in the manual he specified the requirements for the function of stopping the conveyor after detecting the difference in speed between the drive drum and the belt, giving for this function the required safety integrity level SIL 2. As the conveyor manufacturer, in the example under consideration, is not the control system's supplier, it is the responsibility of the control system designer to design and implement the safety function with the required SIL level.
(2) Layer II: The system integrator has designed a realisation of all the control functions of the belt conveyor with the safety level specified by the manufacturer. The parameter determining the required safety level is primarily the severity of the injury that may occur as a result of a failure to perform the safety function once it has been demanded. The consequences of a failure to perform the sample safety function of the belt conveyor are serious regarding the health and life of the machine operators and those in its vicinity. Therefore, the required safety integrity level should not be less than SIL 2 according to the EN 62061 Standard. SIL 2 cannot be achieved with a simple control system architecture without any diagnostic coverage. It is relatively easy to ensure a high safety integrity level for the subsystem with input elements (sensors) and for the subsystem processing the signals (safety module). Ensuring a reliable realisation of safety functions by the executive devices usually requires a two-channel architecture of the executive subsystem (Fig. 5).
(3) Layer III: The operation of several conveyors, forming a conveyor line and operating in an automatic mode, is monitored by the master system. Many functions can be performed from this system, including deactivating input and output signals. In the event of a failure of the drive drum speed sensor at the correct belt tension, the system operator is under pressure to deactivate the input to which the sensor is connected, because if a single conveyor is stopped, the entire system is stopped and the process is interrupted. Although it is very easy to deactivate this input ("click") from the level of the master control system, the system operator must not do so, because it would mean operating the machine under conditions which the conveyor manufacturer and the safety rules exclude (Kuric, I. et al., 2019a), (Kuric, I. et al., 2019b).
The example, given above, shows that the measures taken in each "layer" are important for the safety of process lines. All the persons involved in the design and manufacture of machinery, process lines, superior control systems and their operation have a decisive impact on work safety.
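To make the protections listed for the master control system (login as an identified user, rights-dependent access, event recording against the logged-in person, no deactivation of safety functions, input deactivation only while diagnosing faults) concrete, the following is an added example model of that authorisation logic, run against the Layer III speed sensor case above. It is not KOMAG's code or the jig visualisation system; the role names, the minimum-role mapping, the diagnostic-mode flag and the conveyor name K3 are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Rights of a logged-in user, weakest to strongest (ordering is an assumption)."""
    VIEWER = 1      # viewing the synoptic table and protection settings
    OPERATOR = 2    # selection of the control mode
    ENGINEER = 3    # system parameterisation, changing protection settings
    ADMIN = 4       # user management, service and administrative functions


# Assumed minimum role per command; "deactivate_safety_function" has no entry on purpose.
REQUIRED_ROLE = {
    "view_synoptic": Role.VIEWER,
    "select_control_mode": Role.OPERATOR,
    "set_parameter": Role.ENGINEER,
    "change_protection_settings": Role.ENGINEER,
    "deactivate_input": Role.ENGINEER,
    "manage_users": Role.ADMIN,
}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class MasterControl:
    diagnostic_mode: bool = False                  # True only while testing/diagnosing
    users: dict = field(default_factory=dict)      # name -> (salt, digest, role)
    session: tuple = None                          # (name, role) of the logged-in person
    event_log: list = field(default_factory=list)  # (user, action, outcome) records

    def add_user(self, name: str, password: str, role: Role) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _digest(password, salt), role)

    def login(self, name: str, password: str) -> bool:
        """Unambiguous identification by name and password (constant-time compare)."""
        salt, stored, role = self.users.get(name, (b"", b"", None))
        ok = hmac.compare_digest(_digest(password, salt), stored) and role is not None
        self.session = (name, role) if ok else None
        self.event_log.append((name, "login", "ok" if ok else "refused"))
        return ok

    def execute(self, command: str, target: str = "") -> bool:
        """Authorise one command and record the outcome against the logged-in user."""
        if self.session is None:
            self.event_log.append(("<nobody>", command, "refused: not logged in"))
            return False
        name, role = self.session
        if command == "deactivate_safety_function":
            outcome = "refused: safety functions cannot be deactivated"
        elif command == "deactivate_input" and not self.diagnostic_mode:
            outcome = "refused: all inputs stay active during normal line operation"
        elif role < REQUIRED_ROLE.get(command, Role.ADMIN + 1):
            outcome = f"refused: insufficient rights for {command}"
        else:
            outcome = "ok"
        self.event_log.append((name, f"{command} {target}".strip(), outcome))
        return outcome == "ok"


def conveyor_line_scenario() -> dict:
    """Layer III case: the drive drum speed sensor of conveyor K3 (constructed) has failed."""
    mcs = MasterControl()
    mcs.add_user("operator1", "op-pass", Role.OPERATOR)    # constructed sample users
    mcs.add_user("engineer1", "eng-pass", Role.ENGINEER)
    mcs.login("operator1", "op-pass")
    operator_normal = mcs.execute("deactivate_input", "K3.drum_speed")
    mcs.login("engineer1", "eng-pass")
    engineer_normal = mcs.execute("deactivate_input", "K3.drum_speed")
    safety_function = mcs.execute("deactivate_safety_function", "K3.slip_stop")
    mcs.diagnostic_mode = True       # line stopped and put into diagnosis of the fault
    engineer_diag = mcs.execute("deactivate_input", "K3.drum_speed")
    return {"operator_normal": operator_normal, "engineer_normal": engineer_normal,
            "safety_function": safety_function, "engineer_diagnostic": engineer_diag,
            "events_logged": len(mcs.event_log)}
```

Every attempt, refused or not, lands in the event log under the user's name, which is what makes the "click" from the master system traceable to a responsible person.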

Conclusions
On the basis of the experience of the certification body, which assesses the conformity of machines with the safety requirements, the responsibility of business entities and persons participating in the design, manufacture, operation of machines intended to work within complex technical objects was reviewed. Three layers of safety assurance were distinguished and discussed: the first one, for which the manufacturer of each machine is responsible, the second one, for which the designer and supplier of the control system for machines forming an automated process line are responsible, and the third one, for which the designer and supplier of the master visualisation and monitoring systems are responsible. The safety, associated with the use of complex technical objects, requires the implementation of control functions with a high level of reliability, resistance to unauthorised external interference (cybersecurity) and elimination of the possibility of making mistakes by the operator.
The results of the analyses and tests presented in this article allow the following conclusions to be drawn for:
− standards' authors (technical standardisation committees) - in the standards dedicated to a given type of machinery, safety functions should, if possible, be identified and the required safety level should be determined for them,
− machinery manufacturers - control systems should be designed in accordance with functional safety standards; the control system architecture and the reliability parameters of its components should achieve the required level of safety; safety functions should be validated; if the manufacturer does not supply a complete control system, he should provide complete information on the control function requirements to the control system designer,
− designers of the mining complex control system - the control system should be designed in accordance with functional safety standards, taking into account the information obtained from the manufacturer of each machine,
− master control system designers - the master control system should be designed in such a way that the functions available from this level (remote parameterisation, system configuration, activation and deactivation of inputs and outputs) do not lead to a decrease in the safety level of machine operation and are protected against unauthorised external interference.
The principles of safety assessment of machinery operating in an integrated manner, presented in this article, have been implemented in relation to mining complexes. The design of the control system is subject to assessment based on the requirements of applicable regulations, standards and the certification body's own criteria. The use of modern control systems using digital technology definitely increases this system's functionality; on the other hand, it is a challenge to assess the level of safety associated with it effectively.
Future work should focus on establishing principles (standardisation) of the use of master control systems in terms of their ability to prevent erroneous and unauthorised interference.