When designing safeguarding systems for machines, one of the basic building blocks is the movable guard — doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine so that the hazards covered by the guards are effectively controlled when the guard is opened. There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards. The hierarchy of controls This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment, start there, and then come back to this point in the process.The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks . Designers are required to apply every level of the hierarchy in order, starting at the top. Where a level cannot be applied, the designer moves to the next lower level.Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design. Electrical versus mechanical interlocksMost modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.CategoriesIn Canada, CSA Z432  and CSA Z434  provide four categories of control reliability: simple, single channel, single channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable. In the EU, there are five levels of control reliability, defined as Performance Levels (PL) in ISO 13849-1: PL a, b, c, d and e . Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. To add to the confusion, IEC 62061  is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the ISO 13849-1 PLs, but they are similar. IEC 62061 is based on IEC 61508 , a control reliability standard used in the process industries. IEC 62061 is not well suited to applications involving hydraulic or pneumatic elements.The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.From the single channel monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases. Interlocking devicesInterlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocks can be purely mechanical, purely electrical or a combination of these.Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.Requirements for these devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7, 2], and ANSI B11.0 . These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 and 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved. Environment, failure modes and fault exclusionEvery device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, corrosive environment will also lead to premature failure.The device standards do provide some guidance in making these selections, but it’s pretty general.Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the international and EU standards can use fault exclusions, but significant documentation supporting the exclusion of each fault is needed. Defeat resistanceThe North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.The International and EU standards do not require the devices to be inherently defeat-resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users. Device selectionWhen selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry, wet or abrasive? Is it indoors or outdoors and subject to temperature variations?Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1  for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance?Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject of another article!References Safety of machinery - General principles for design - Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010 Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009) Industrial Robots and Robot Systems - General Safety Requirements, CSA Standard Z434, 2003 (R2008) Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006 Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005 Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, ISO Standard 14119, 1998 American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11.0, 2008 Douglas Nix, A.Sc.T., is managing director at Compliance InSight Consulting, Inc. (www.complianceinsight.ca) in Kitchener, Ont. He produces a blog and podcast called Machinery Safety 101, exploring a wide variety of machine safety topics. Check out his blog at www.machinerysafety101.com.This column originally appeared in the May 2012 issue of Manufacturing AUTOMATION.
In North America, about five to 10 arc flash events occur each day. Arc flashes are responsible for as many as 80 percent of all electrical-related injuries.
An increased focus to comply with regulations and the need to reduce safety injuries are driving organizations to adopt new strategies and technologies to ensure the safety of people, processes and products. A recent Aberdeen Group study, "Integrated Safety Systems: Ensuring Safety and Operational Productivity," surveyed more than 120 executives last Fall about the current state of their safety program and the technologies they use to support their safety initiative. The report provides a roadmap for organizations attempting to better understand how an integrated safety system and other enabling technologies can best be deployed in a plant environment.
Bill 160 shifts the responsibility for injury and illness prevention activities from the Workplace Safety and Insurance Board (WSIB) to the Ministry of Labour. This will have the Ministry of Labour carry out health and safety inspections at Ontario workplaces, as well as oversee the delivery of workplace injury and illness prevention services by Ontario's health and safety associations. I had a chance to speak with the Ministry of Labour's John Vander Doelen, director of the Occupational Health and Safety System Review Project Secretariat, about how this shift will impact the readers of Manufacturing AUTOMATION (MA).
Note to readers: This article focuses on item 2 of the table in section 7 of the regulations titled Pre-Start Health and Safety Review that deals with machinery. The guidelines from the Ministry of Labour are available at http://www.labour.gov.on.ca/english/hs/pdf/gl_psr.pdf.
As a controls integrator, I have had the opportunity to work in different facilities across the globe. The majority of these facilities have one thing in common - the concept of arc flash is largely an unknown. This is no surprise, as arc flash standards and awareness have only recently become publicized and enforced.
When a company is convicted of an offence under Ontario's Occupational Health and Safety Act, the normal penalty imposed by the court is a fine. The courts in Ontario consider a wide range of factors when sentencing a corporation under the Act, although these factors are not of even weight.
Most offences under occupational health and safety legislation are "strict liability offences." This means that if a person or company is charged with such an offence, the Crown only has to prove that a workplace accident or injury took place due to a prohibited act or omission. The Crown does not have to prove that the defendant was at fault or negligent. However, the defendant — usually the employer — can defend itself against a strict liability offence by establishing the defence of due diligence.
There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it's time for a little myth busting.
Ask any production line manager about the importance of safety, and they will likely tell you about the critical role it plays in helping to protect personnel, reduce injuries and meet compliance demands. These are all valid objectives, but manufacturers and machine builders are missing opportunities if they only focus on avoiding negative consequences, rather than striving for increased productivity, improved competitiveness and overall profitability as well. Historically, the industry has viewed safety practices as punitive actions or compliance activities, not as opportunities to deliver real value or gain a competitive edge. These days, however, manufacturers understand that a well-designed safety system can help improve their efficiency and productivity, and machine builders increasingly recognize how safety systems can improve both business and machine performance, helping differentiate themselves to potential customers. The combination of functional safety standards, new safety technologies and innovative design approaches are positioning safety as a core system function that can deliver significant business and economic value. This includes financial returns beyond the benefits of reducing costs associated with accidents and medical expenses. A systematic approach To achieve a higher level of functional safety and experience the resulting benefits, system designers must have an in-depth understanding of the manufacturing process and a clear determination of machinery limits and functions, as well as a thorough knowledge of the various ways that people interact with the machinery. They also need to take a practical, rigorous approach to safety system design and be willing to implement and apply new safety technologies and techniques. The functional safety life cycle, as defined in standards IEC 61508 and IEC 62061, provides the foundation for this detailed, more systematic design process for machinery applications. A key objective of the safety life cycle is addressing the cause of accidents. To do this, designers must aim to create a system that helps to reduce and minimize risks, meets appropriate technical requirements and helps assure personnel competency. Previous standards have relied on prescriptive measures defining specific safeguarding. The new functional standards are performance-based, which makes it easier for designers to quantify and justify the value of safety. This approach uses a more methodical, deterministic approach, and offers the ability to tailor the specific safety functions to the application. It helps to reduce cost and complexity, improve machine sustainability, and achieve a more optimum level of safety for each defined safety circuit or function to improve the return on investment. Safety life cycle phases Conducting a risk assessment is the first phase of the safety life cycle. A risk assessment provides the basis for the overall risk reduction process, which involves the following steps: * Eliminating hazards by design using inherently safe design concepts; * Employing safeguarding and protective measures with hard guarding and safety devices; * Implementing complementary safety measures, including personal protective equipment (PPE); and * Achieving safer working practice with procedures, training and supervision. When designing a safety system, a risk assessment helps to determine what potential hazards exist, and which safety mechanisms should be implemented to help ensure adequate protection against them. The functional life cycle provides the framework for several highly effective "design-in" safety concepts. These include passive, configurable and lockable system designs. Easier and more intuitive A passive approach aligns with the design philosophy that safety systems should be easy to use and not hinder production. The reason that operators might elect to bypass safety systems is that the systems are cumbersome or impractical or do not easily accommodate maintenance and operating procedures. An effective passive system design performs its function automatically, with little if any effort required on the part of the user. Moreover, when intelligently applied, a passive design can help boost productivity. For example, in many production operations, manufacturers often use a light curtain to help prevent machine motion when an operator enters a hazardous area. Other approaches, such as a safety interlock gate, require operators to perform a task to initiate the safety function. Even if it only takes 10 seconds to open and close the gate for each cycle, that time accumulates over the course of a 200-cycle day. With a light curtain, the operator simply breaks the infrared barrier when entering hazardous areas, and the operation comes to a safe stop. Over time, this passive design helps to increase productivity and creates a positive return. Another approach that helps limit exposure to hazards and reduces the incentive to bypass the safety system is a configurable design, which allows operators to alter the behaviour of the safety system based on the task they need to perform. For example, in many cases, an operator may need to access a machine and still need some form of power enabled to perform a maintenance function, clear a jam or teach a robot. The initial risk assessment identifies and defines all the tasks, including these, that must be performed on the machine with or without power. The assessment offers insight to create a configurable design that meets global safety requirements, increases productivity and reduces the incentive to bypass the system. In most cases, inexpensive components, like push buttons, selector switches and lights, are all that is needed to achieve an acceptable level of safety. Turning safety into productivity Using a lockable system design to systematically reduce mean time to repair (MTTR) can help boost productivity. This approach allows operators to select a safety configuration, and then lock it in place at the point of entry. In addition to helping to protect configuration changes, a lockable design also helps to achieve higher productivity by using the safety system in lieu of lock-out/tag-out (LO/TO) for many routine maintenance and set-up procedures. For example, in a LO/TO situation, operators may need to use six locks to safely shut down a line, including electronic, pneumatic and robotic systems. Shutting down the entire machine can be time-consuming and inefficient, causing excessive downtime that hinders productivity. If the safety system meets the target safety level and complies with standard ANSI Z244-1, the safety system can be used to disable the hazards. In this case, LO/TO is not required. Instead of locking the disconnect switch, operators only lock the safety system. The potential cost savings associated with reducing the LO/TO downtime by even a few minutes often proves to be substantial. For example, let's say a manufacturer is able to reduce MTTR by two minutes using this lockable design approach. If the value of one minute of downtime is $10,000, and the plant averages 3,000 downtime events per year (eight per day), the value of the safety solution equates to roughly $60 million per year ($10,000 X two minutes X 3,000). The far-reaching economic benefits of a well-designed safety system are too significant to overlook. Using reliable safety technology and the rigorous approach defined in the safety life cycle, manufacturers and machine builders can harness the inherent value of intelligent safety system designs to help drive productivity, reduce labour costs and ultimately increase the bottom line. George Schuster is a senior industry consultant, Safety and Sustainability Solutions, with Rockwell Automation.
Proper machine guarding is a safety precaution that shouldn't be taken lightly. That was the underlying message at the Machine Automation Safety Congress, which was held from May 4 to 5 at the International Centre in Mississauga, Ont. The show was one of four safety-related conferences taking place under one roof and was accompanied by the IAPA's Partners in Prevention, Your Workplace 2010, and CANECT 2010. The MASC portion of the conference featured 11 machine automation safety and safe-guarding exhibitors, as well as a panel discussion on machine safety. The panel discussion, which was mediated by Andre Voshart, former editor of Manufacturing AUTOMATION, and Mari-Len De Guzman, editor of MA's sister publication, Canadian Occupational Safety, featured four panelists: Jeremy Warning of Heenan Blaikie, Wayne De L'Orme of the Ontario Ministry of Labour, Walter Veugen of Veugen Integrated Technologies, and John Murphy of Leuze Electronics. Each speaker addressed a different aspect of machine safety to a packed house, starting with Wayne De L'Orme who offered a unique insight into the severe ramifications of improper machine guarding. Of the 78,000 orders the Ministry of Labour filed in 2009, 4,000 were violations of sections 24 and 25 which are industrial regulations. "Machine guarding issues were the number one cause of fatalities in the industrial sector last year," he said. "They were also the number one source of prosecution." Jeremy Warning presented the legal motivation behind proper machine guarding. "For every $100,000 in fines, you'll end up paying $25,000 in payables," he said. To put that number into perspective, he presented a number of cases where companies not only lost employees due to a lack of proper machine guarding, but were hit hard by fines as well. The most notable was an October 2003 ruling that saw the Ontario Power Generation pay $350,000 in fines after a fatal accident that saw an employee get caught in a conveyor due to a guarding violation. John Murphy walked attendees through an effective safety audit. He suggested a five-step process - research, delegate, evaluate, plan and prepare. He also recommended getting everyone involved. "Who should be involved? The operator? Definitely. Otherwise they'll find a way to get around the safety guard," he said. "You need to get the operator's buy-in." Walter Veugen supported that notion and suggested getting companies like his, which offer guarding solutions, involved before the audit takes place. "Sure, we can come in after the audit and fix problems then and there, but what about the next one?" he said. "What we try to do is help companies identify what a guarding problem is so they can prevent an accident at an earlier stage." Vanessa Chris is the acting editor of Manufacturing AUTOMATION.
ABB Customer World
March 4-7, 2019
Hannover Messe 2019
April 1-5, 2019
RFID Journal LIVE!
April 2-4, 2019
April 8-11, 2019
Advanced Design & Manufacturing (ADM) Canada
June 4-6, 2019
Digital Industry USA
September 10-12, 2019