Machine & Operator Safety
The perils of upgrading interlocking switches
May 24, 2016 by Danny C. Marmora
Mar. 15, 2016 – A question I get asked often comes from industrial clientele asking me how they can bring their existing equipment up to existing safety standards. Specifically, they ask about the cost effectiveness and technical requirements of upgrading/replacing/integrating new safety switches forming/part of an interlocked door/access panel/robot guarding perimeter, etc.
To achieve the ultimate deliverable — which is a regulatory compliant, non-defeatable, fail safe interlocked system — a number of variables need to be considered. It has been my personal experience that the methodology presented herein is a good pathway to evaluating and collecting the required information to make an informed decision regarding an upgraded or new safety interlocked system.
1. CAN THE EXISTING INTERLOCKED SYSTEM BE UPGRADED AT ALL?
This is really the starting point. As obvious as this may seem, more often than not I see that the existing machine's control and upgrade capabilities have not been examined or understood in any depth. Simply contacting your local supplier and replacing the non-compliant switch with one that is compliant normally does not aid in regaining/establishing compliance, and can actually make the condition worse. Depending on the age, control design and origin of the machine, trying to upgrade or integrate within the existing control architecture may not be possible. Machines that are PLC-control based can be burdensome as the interlocked switches may be run as input(s) to the PLC along with their associated outputs. Further, if the existing PLC is not a safety rated device, further complications and costs can ensue.
2. ARE ANY EXISTING SAFETY DEVICES PRESENT?
Tying into Point 1, having an existing safety system may not always equal a technical advantage or cost savings. The safety standards existing devices were built to may not comply with today’s standards. Specifically, the existing system may not have the ability to control long machine response times in a reliable manner (i.e. when stopping times are an issue), the required internal monitoring may not be present (i.e. internal fail safe capabilities), and circuit redundancy may not be possible (i.e. Category B-4), as required by the prescribed in force standards. Relying on such dubious components could compromise the integrity of the new safety system by trying to build upon those already present.
3. HAS A RECOGNIZED RISK ANALYSIS BEEN COMPLETED/DOCUMENTED?
This is another area where shortcomings commonly occur. Most of the responses I receive after I ask, “Have you completed and documented a risk analysis?” are, “Of course, it is a risk and that’s why we have to guard it!” While the latter is partially true, the level of circuitry sophistication required is a direct outcome of the documented recognized risk analysis. The reason I allude to “recognized” is that specific industries such as packaging, machine tools and robotics have well-defined risk analysis methodologies to be followed. Not completing the risk analysis begs the question, “What circuit reliability/performance level is required for the new interlock?”
In lieu of a machine specific risk analysis, one can use that within CSA Z432 – Safeguarding of Machinery. It is noted that with some machine specific standards (i.e. type “C” standards), the opportunity to evaluate safety functionality via a risk analysis is not permitted. These standards may define any number of known hazard types/classes, and establish the minimum safety circuitry performance level therein. Finally, when the risk analysis is properly completed and documented, not only has the organization exercised their required due diligence, the required minimum circuitry/device/safety system performance level is established. That information can then be used as part of the safety device selection process.
4. WHAT ARE THE RESTRICTIONS (IF ANY) REGARDING DEVICE SELECTION & MOUNTING?
Traditionally, interlock switches are mounted at the edge of a door, end of a travelling gate, or another configuration that allows the internal contact arrangement of the switch to change state when the interlock's mating components “break” (i.e. the switch comes apart/back together based on the guard's position). However, the concern with mounting switches at the edge of a door or end of a travelling gate is that the switch normally becomes part of the end stop. Hence the switch may be exposed to nuisance impact and experience premature wear. CSA Z432 and other machine standards discuss how interlocked switches should be mounted to prevent nuisance impact and premature wear.
Other critical considerations include the defeatability of the switch/its mounting arrangement. Depending on the switch selected (safety rated included), if it is not mounted properly, it may become defeatable. Another specific concern deals with solenoid locking switches. These switches are selected when a machine/device has a long/non-repeatable stopping time and are essentially interlocked switches with a solenoid locking pin/cylinder. The solenoid releases (allowing the switch to open). Two critical issues to consider when selecting solenoid locking switches are:
• The switch must only release the solenoid (hence unlocking the door/gate) when all hazardous motion has actually stopped, not when the signal to stop has been sent.
• The switch should be the “power to unlock” actuated solenoid vs. “power to lock.” While this doesn’t seem significantly different, the former fails to a safe condition but the latter doesn’t.
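The two selection criteria above can be compared in a small timing model. This is an added illustration, not part of the original column and not safety-rated logic; the function name, its parameters and the millisecond values are assumptions chosen for the example.

```python
from typing import Optional

def exposure_ms(solenoid: str, release_on: str, stop_cmd_at: int,
                rundown_ms: int, power_loss_at: Optional[int] = None,
                horizon_ms: int = 10_000) -> int:
    """Milliseconds during which the guard is unlocked while the hazard still moves.

    solenoid:   "power_to_unlock" (locked when de-energized) or
                "power_to_lock"   (locked only while energized)
    release_on: "stop_command" (unlock as soon as stop is requested) or
                "standstill"   (unlock only once motion has actually stopped)
    """
    if solenoid not in ("power_to_unlock", "power_to_lock"):
        raise ValueError("unknown solenoid type")
    if release_on not in ("stop_command", "standstill"):
        raise ValueError("unknown release policy")

    # Assumption: the machine starts coasting at the stop command or at loss
    # of power, whichever comes first, and needs rundown_ms to come to rest.
    coast_start = stop_cmd_at if power_loss_at is None else min(stop_cmd_at, power_loss_at)
    motion_end = coast_start + rundown_ms

    exposed = 0
    for t in range(horizon_ms):
        moving = t < motion_end
        powered = power_loss_at is None or t < power_loss_at
        if release_on == "stop_command":
            want_unlock = t >= stop_cmd_at
        else:
            want_unlock = not moving
        if solenoid == "power_to_unlock":
            # Spring holds the lock; the coil must be energized to release it.
            locked = not (powered and want_unlock)
        else:
            # The coil holds the lock; losing power releases the guard.
            locked = powered and not want_unlock
        if moving and not locked:
            exposed += 1
    return exposed

if __name__ == "__main__":
    # Constructed scenario: stop requested at 100 ms, 3 s run-down time.
    for sol in ("power_to_unlock", "power_to_lock"):
        for pol in ("stop_command", "standstill"):
            for loss in (None, 50):
                print(sol, pol, "power loss at", loss, "->",
                      exposure_ms(sol, pol, 100, 3000, loss), "ms exposed")
```

In this model only the power-to-unlock solenoid released on confirmed standstill yields zero exposure both with and without a power loss during run-down.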
5. ARE THE POTENTIAL DEVICES RATED & LISTED FOR SAFETY APPLICATIONS?
As obvious as this may seem, there are many non-rated devices — relays, contacts, contactors, tongue/key, capacitive and magnetic switches — being used in safety applications that should not be. The difference in price is what you cannot see, what is contained within the device itself. Any device rated for a safety application will normally undergo extensive testing meeting a number of internationally established and accepted safety related performance standards. These devices have known and published (via testing) design lives. They have established performance levels ensuring confidence in safety circuit design and integration. Depending on the device, they have internal monitoring and will fail to a safe condition should the device or the safety system fail (depending on the actual device arrangement and circuit design). All the required safety related channels are “positive break” — a term indicating that a change in device state will result in a change in position of all the required internal contacts. If you are going to take the time and invest the money, it may as well be done so properly.
6. WHAT DOWNSTREAM EQUIPMENT IS TO BE CONTROLLED VIA THE NEW DEVICES?
In many instances, when an interlocked switch, safety relay, etc., is replaced or upgraded, the integration is limited to the safety system only, not the overall machine control. Referring back to Point 1, simply replacing a switch may not necessarily make the machine any safer. Consideration of where those safety signals are going is part of the overall safety functionality. Does the safety device remove power to a PLC, is a valve being blocked, or is air pressure being diverted and exhausted? And what are the implications of the post safety signal scenario? Is the machine in a safe state to enter? Are there risks of cylinders falling or is a released brake causing an unexpected residual motion?
7. HAS THE INSTALLATION BEEN COMPLETED IN ACCORDANCE WITH CURRENT SAFETY STANDARDS & THE MANUFACTURER’S INSTRUCTIONS?
Installing the new safety system in accordance with current safety standards and the manufacturer’s instructions not only aids in complying with standards and safety legislation, but also allows for the opportunity to potentially establish an “exemption” under the Pre-Start Health & Safety Review (PSHSR) legislation. Refer to Ontario Regulation 851 – Industrial Establishments – Section 7. If an equipment owner can obtain the required signed letters stating the aforementioned (along with the required documentation establishing due diligence), an exemption can be sought.
8. HAS THE REQUIRED PSHSR BEEN COMPLETED?
In lieu of the exemption route, completing the PSHSR is the most traditional route the majority of equipment owners will undertake. Unlike the exemption which draws information from several sources, the PSHSR is specific in its review of the new installation. For those unfamiliar with the PSHSR process, this will normally include a site review, testing of the new system, a drawing review and a deficiency report preparation and submission. Depending on how much effort is placed into executing the aforementioned points prior to the PSHSR, these actions can drastically affect the number of potential issues presented in the PSHSR report of findings, and additional costs afterwards to undertake changes.
Here is what I can offer all the readers considering completing safety upgrades — have your PSHSR engineer involved as early as you can in the evaluation, risk analysis, device selection and implementation process. These engineers have your best interests in mind because, like myself, we are extending our liability to your organization.
Danny C. Marmora, B.Eng., P.Eng., CET, (firstname.lastname@example.org) is the principal at Marmora Consulting based in Stoney Creek, Ont. His firm specializes in Pre-Start Health & Safety Reviews, fire code consulting and forensic engineering.
This column was originally published in the March/April 2016 issue of Manufacturing AUTOMATION.