Machine Safety
In my experience one of the questions that arises the most is “when is interlocking permissible to protect the worker?”  Ideally, using interlocking to protect the worker would never be acceptable since, as stated in CSA Z460-05, lockout is always the preferred method of protecting a worker, as long as it is practicable. Practicable may mean, for example, that providing a guard completely over a grinder is not practicable, since no grinding would be possible. However it is practicable to allow the wheel to be exposed sufficiently so as to permit the grinding to take place. Another example would be that it may not be practicable economically to perform a full lockout, as would be the case on a CNC machine. In this case, requiring a worker to perform a full lockout each time a workpiece needs to be unloaded may make the operation so economically unviable that the work would be lost. In such a case, we would need to provide adequate protection to the worker so that the risk is as low as reasonably practical (ALARP). In essence, ALARP involves weighing a risk against the trouble, time and money needed to control the risk. This long-standing issue has been tackled by a technical committee that developed CSA Z460-05 (R2010) Controlling Hazardous Energy – Lockout and Other Methods.In this standard, the distinction is made between tasks that are integral to the production process and, by implication, tasks that are not integral to the production process. In short, the standard distinguishes that lockout is not always doable in an economic sense and there is a need to use “other methods” to control the hazardous energy.This “other method” of controlling hazardous energy is, for the purpose of this article, the use of interlocks. However, interlocks can only be used if – and only if – the task to be performed is integral to the production process.At this juncture it is worth reviewing the regulatory requirements of section 24 and 25, which can be surmised to state that where there is an exposed moving part or nip point that endangers the safety of a worker, the worker must be prevented from gaining access to the exposed moving part and/or nip point. It is to be noted that the emphasis is on the employer to prevent access and not on the worker not to gain access. We can hope and pray all we want that nobody will access the exposed dangerous parts, but at the end of the day, the regulations only require that a person have access to be non-compliant with the regulatory requirement. That is the point of interlocking – that with the interlocking, there are no exposed moving parts, thereby removing the source of the hazard that has the potential to cause harm to the worker. This reliability of the functioning of the interlock is not in itself absolute, as there is some risk of failure of the interlocking system. But the risk must be reduced to as low as reasonably practicable under the circumstances to protect the safety of the worker.As referenced earlier, the interlocking should be applied for specific tasks under specific circumstances and, by implication, not all tasks under all circumstances. It is clear therefore that one must be able to assess whether or not a task can be considered as integral to the production process or is part of some other activity.To be considered integral to the production process, the designed task will exhibit most of the following characteristics:1. It must be of short duration.2. It must be relatively minor in nature.3. It must occur frequently during the shift or production day.4. It is usually performed by operators or others functioning as operators.5. It represents pre-determined cyclical activities.6. It minimally interrupts the operation of the production process.7. It must exist even when optimum operating levels are achieved.8. It requires task-specific personnel training.Each of these tasks should be analyzed within the context of their application but the following analysis is useful:1. Duration: Of course, the question then becomes how short is short? This may depend on the nature of the activity, but one must recognize that if a machine needs to be fiddled with for a disproportionate period of time, that task is not part and parcel of the production process.2. Minor in nature: This is, once again, relative, but one could define minor as meaning that no tools, or perhaps a specific tool only (to keep parts of the body out of hazardous areas) only, are to be used.3. Occurrence: If the task needs to be performed infrequently or sporadically, then the task is required not because of production requirements but because of defects within the machine itself. Clearly the root cause of the required task needs to be addressed and not have a worker subject him or herself to a potentially hazardous event because of the machine deficiency.4. Operator skill level: If the task requires a person with specific skill sets not normally attributable to the operator, then the task itself is distinct from the production task. Clearly, such a task would not be integral to the production process.5. Pre-determined cyclical activities: As an example, we can look at a spot welder, whereby the operator is required to change the welding tip every 5,000 weld cycles. Changing the tip may be considered integral to the production process.6. Production interruption: If the task to be performed requires a lengthy amount of time, then that task cannot be said to be integral to the production process.7. Exists all the time: It sometimes happens that an operator needs to make some adjustment on the machine and that the adjustment is the result of a defect due to a defective or worn part. These things start slowly and the operator tolerates the deficiency. Over time, it is no longer deficiency but becomes part of the “normal” operation of the machine. Clearly the task necessary to overcome this deficiency cannot be considered to be integral to the production process and the worker should not be subject to undue risk because the machine is not operating within is normal operating specifications. 8. Personnel training: As was noted earlier, these tasks are designed tasks, not tasks merely performed at the whim of the operator. The task must be designed so as to minimize worker exposure in the course of performing a specific task.One method of conducting the assessment is to give specific quantitative (or qualitative) values to each of the characteristics. Then, you can draw conclusions to assess whether or not the task is integral to the production process. If it is, you may use an appropriate interlock. If it is not, you must redesign the task.The preceding is all fine and well, but please remember that if an incident with consequences occurs, labour officials in your province will need to look at any violation. If an injury has occurred, it becomes difficult to state that access to exposed moving parts or pinch points has been prevented. Franco Tomei, B.A.Sc. P.Eng, is a professional engineer with more than 40 years of industrial experience — 12 years of that directly in the safety field. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .This column originally appeared in the September 2012 issue of Manufacturing AUTOMATION.
Many enterprises seem to accept the high risk generated by defeated protective devices placed on machinery. By “defeated,” I mean safety devices that have been altered so as to render their intended function ineffective. There are also safety integrators that install protective devices that render the machine unusable. While this may sound far fetched, I have, on at least two occasions, been called upon to review machinery that became unusable because of the protective devices. Use of protective devices on machinery is necessary to protect the worker. If the moral obligation isn’t enough to ensure their effectiveness, there are regulatory requirements that must be fulfilled. Yet, many workplaces end up with machinery whereby defeating the protective device is part of a company’s everyday life. Time and again, defeated protective equipment causes severe injuries and, in some cases, fatalities. From a realistic viewpoint, it must be stated that defeating protective devices could not happen if there was not some willingness on the part of the employer/supervisor to permit the defeating to happen. Rather than criticize these actions, we must refrain from placing blame and learn why such actions take place. If we can learn the why, we may be able to prevent the defeating of safeguards. Given that a worker is a rational, thinking person, defeating a protective device for no reason simply would not occur. Similarly, given that the employer is a rational, thinking person, he or she would also not permit the defeating of protective devices. To get to the root of the problem, it must be concluded that the defeating takes place because there is something to gain — whatever that gain may be perceived to be by either party. In a study conducted in Germany, it was found that 37 percent of protective elements were defeated. In presenting this study a few years ago in Mississauga, Dr. Friedrich Adams of Schmersal GmbH did not call for greater enforcement, nor did he place blame on the employer or worker. Rightfully, in my opinion, Dr. Adams stated that we as machine builders or safety integrators have failed in our mission to the worker and the employer. We have failed because we have created the conditions such that the performance of a task is so inconvenient or cumbersome that we are providing an incentive to the worker and/or employer to defeat the protective device.As a sidebar, it is worth noting the variance in the approach to safety of machinery in Canada compared to the European Free Trade Association (EFTA). In the EFTA, the machinery must be deemed to meet the Machinery Directive of the EU before it can be placed on the market. Successfully meeting the Machinery Directive causes the machine to be declared safe. As far as I am aware, in Canada, the responsibility for the safety of the machine is placed on the employer, who should ensure the safety of the machinery through commercial contracts. These two fundamental approaches on how machinery is placed on the market result in different methodologies in seeking solutions. If defeating the protective device is foreseeable, the manufacturer and/or safety integrator has to take this into account at the design stage or during the retrofit. Essentially, as designers/users, we know the tasks that are to be performed on the machine. Once the tasks are identified, we need to ensure the worker is protected in the course of performing each of those tasks, but we must do so without any significant “inconvenience” to the worker or process. If the protective device creates an “inconvenience,” then the first thing that will be done by the individual worker or in collusion with others and with the blessing of supervisors/employers, is the protective device will be defeated — and sooner or later this will result in an injury. In the machinery industry, the manufacturer of the machinery and the user of the machinery should have a collaborative program whereby information is exchanged to ensure there is no task whereby there is a significant incentive to defeat the protective device. This would assist the manufacturer in seeking solutions to prevent such events.How can one assess whether or not their own machinery’s protective devices are defeated? Several tools can be used, such as supervisory inspections of the protective devices, reports from the manufacturers (although not common), and asking the worker for input on the adequacy of the machine in performing their work. However, the better approach is to, at the design stage, assess whether or not there is a foreseeable significant enough incentive for a protective device to be defeated in performing a specific task.Assessing whether or not a safeguard will be defeated is not insurmountable. The steps necessary to do so are as follows:• Identify each activity required for the machine;• Break the activity down into the various tasks; and• For each task, assess whether or not the task needs to be performed with a protective device to protect the worker.Assess whether there is a significant enough incentive to defeat the safeguard by considering the following 11 common incentives:1) Will defeating the safeguard make the job easier or more convenient?2) Will defeating the safeguard result in faster and/or greater productivity?3) Will defeating the safeguard result in increasing the capacity of the machine?4) Will defeating the safeguard result in greater precision?5) Will defeating the safeguard result in better visibility?6) Will defeating the safeguard result in better audibility?7) Will defeating the safeguard result in less physical effort?8) Will defeating the safeguard result in reduced travel?9) Will defeating the safeguard result in greater freedom of movement of the worker?10)  Will defeating the safeguard result in material flow improvement?11)  Will defeating the safeguard result in avoidance of interruptions?The above questions could be answered with a straight yes or no, but life is never that simple as there are degrees of incentives. It is therefore recommended that a score be given to each of the questions, whereby an acceptable number is defined. In addition, one should also look at the greater picture since, while all of the answers may be low enough to be a no, the total may result in a yes.Where the answer is yes, action must be taken on the possible various fronts that will permit the worker to perform the task without having significant incentive to defeat the protective device.Franco Tomei, B.A.Sc. P.Eng, is a professional engineer with more than 40 years of industrial experience — 12 years of that directly in the safety field. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it . This column originally appeared in the June 2012 issue of Manufacturing AUTOMATION.
When designing safeguarding systems for machines, one of the basic building blocks is the movable guard — doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine so that the hazards covered by the guards are effectively controlled when the guard is opened. There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards. The hierarchy of controls This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment, start there, and then come back to this point in the process.The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Where a level cannot be applied, the designer moves to the next lower level.Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design. Electrical versus mechanical interlocksMost modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.CategoriesIn Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable. In the EU, there are five levels of control reliability, defined as Performance Levels (PL) in ISO 13849-1: PL a, b, c, d and e [4]. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the ISO 13849-1 PLs, but they are similar. IEC 62061 is based on IEC 61508 [6], a control reliability standard used in the process industries. IEC 62061 is not well suited to applications involving hydraulic or pneumatic elements.The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.From the single channel monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases. Interlocking devicesInterlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocks can be purely mechanical, purely electrical or a combination of these.Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.Requirements for these devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7, 2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 and 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved. Environment, failure modes and fault exclusionEvery device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, corrosive environment will also lead to premature failure.The device standards do provide some guidance in making these selections, but it’s pretty general.Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the international and EU standards can use fault exclusions, but significant documentation supporting the exclusion of each fault is needed. Defeat resistanceThe North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.The International and EU standards do not require the devices to be inherently defeat-resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users. Device selectionWhen selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry, wet or abrasive? Is it indoors or outdoors and subject to temperature variations?Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 [4] for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance?Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject of another article!References[1] Safety of machinery - General principles for design - Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)[3] Industrial Robots and Robot Systems - General Safety Requirements, CSA Standard Z434, 2003 (R2008)[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006[5] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X[7] Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, ISO Standard 14119, 1998[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11.0, 2008 Douglas Nix, A.Sc.T., is managing director at Compliance InSight Consulting, Inc. ( in Kitchener, Ont. He produces a blog and podcast called Machinery Safety 101, exploring a wide variety of machine safety topics. Check out his blog at column originally appeared in the May 2012 issue of Manufacturing AUTOMATION.
In North America, about five to 10 arc flash events occur each day. Arc flashes are responsible for as many as 80 percent of all electrical-related injuries.
An increased focus to comply with regulations and the need to reduce safety injuries are driving organizations to adopt new strategies and technologies to ensure the safety of people, processes and products. A recent Aberdeen Group study, "Integrated Safety Systems: Ensuring Safety and Operational Productivity," surveyed more than 120 executives last Fall about the current state of their safety program and the technologies they use to support their safety initiative. The report provides a roadmap for organizations attempting to better understand how an integrated safety system and other enabling technologies can best be deployed in a plant environment.
Bill 160 shifts the responsibility for injury and illness prevention activities from the Workplace Safety and Insurance Board (WSIB) to the Ministry of Labour. This will have the Ministry of Labour carry out health and safety inspections at Ontario workplaces, as well as oversee the delivery of workplace injury and illness prevention services by Ontario's health and safety associations. I had a chance to speak with the Ministry of Labour's John Vander Doelen, director of the Occupational Health and Safety System Review Project Secretariat, about how this shift will impact the readers of Manufacturing AUTOMATION (MA).
Note to readers: This article focuses on item 2 of the table in section 7 of the regulations titled Pre-Start Health and Safety Review that deals with machinery. The guidelines from the Ministry of Labour are available at
Today, machines operate at considerably higher speeds than in the past. In the race to meet production deadlines and budgets, safety cannot be forgotten.
As a controls integrator, I have had the opportunity to work in different facilities across the globe. The majority of these facilities have one thing in common - the concept of arc flash is largely an unknown. This is no surprise, as arc flash standards and awareness have only recently become publicized and enforced.
When a company is convicted of an offence under Ontario's Occupational Health and Safety Act, the normal penalty imposed by the court is a fine. The courts in Ontario consider a wide range of factors when sentencing a corporation under the Act, although these factors are not of even weight.
Most offences under occupational health and safety legislation are "strict liability offences." This means that if a person or company is charged with such an offence, the Crown only has to prove that a workplace accident or injury took place due to a prohibited act or omission. The Crown does not have to prove that the defendant was at fault or negligent. However, the defendant — usually the employer — can defend itself against a strict liability offence by establishing the defence of due diligence.
There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it's time for a little myth busting.
Manufacturers across many industries are placing increased emphasis on machine designs that support safety and sustainability initiatives, and drive economic prosperity. Machines that improve safety, minimize waste, consume less energy and deliver maximum return on investment are critical to the success of any sustainable production program. Building such a machine requires a holistic approach to analysing operational efficiency, safety, functionality, productivity, ease of operation and maintenance. By following these five best-practice design principles, machine builders can deliver safer, more cost-effective and sustainable machines. 1. Perform a safety audit after mechanical design, but before control system design: Performing a safety audit before control system design helps engineers chart the course for an effective safety solution, and evaluate and investigate risks early in the development process. This saves critical time and helps machine builders get their equipment to market faster. In addition, the machine's end users gain optimized production, thanks to an automation system that helps operate machinery and processes in the most efficient way. A safety audit identifies the required safety control system integrity level and helps guide the selection of the overall control architecture to achieve the optimum level of safety. 2. Guard or control access to moving parts: Where hazards cannot be removed through design, machine builders typically will install a fixed physical barrier that protects users from the hazard. When frequent access to the hazardous area is required, non-fixed guards are used, such as removable, swinging or sliding doors. In areas where non-fixed guards are impractical, guarding solutions that monitor the presence of the operator rather than the status of the gate can be used.   While relays and other devices prove effective, many safety applications require a level of programming or more sophisticated safety logic that is best met through a safety controller. Safety controllers offer significant benefits in multistep shutdown or ramp-down sequences, such as transfer line applications, because they provide the necessary logic through software rather than the hard-wired logic of relays. An integrated safety controller is an ideal solution for any application requiring advanced functionality, such as zone control. With properly designed safety controls and guarding, designers reduce access time and help to make machines safer and more efficient. 3. Use integrated safety systems to reduce control system complexity: The more designers integrate the standard and safety control functions of a system, the better the opportunity is to reduce equipment redundancies and improve productivity and economic factors. This integrated control functionality reduces the number of unique components in use on the factory floor, which in turn reduces crib inventory costs, as well as maintenance team training requirements. End users also benefit from less waste with fewer parts to maintain and replace throughout the machine life cycle. In addition, integrated control systems have broader intelligence regarding machine operation and status, and reduce nuisance shutdowns and prolonged restarts, further improving machine efficiency and productivity. New safe-speed control solutions provide a great example of effective control integration. With safe-speed control, safety input devices, such as guard-locking switches, light curtains and emergency stops, connect directly to the speed-monitoring core of the control solution. This eliminates the need for a separate, dedicated safety controller. Providing use across multiple platforms, safe-speed control solutions help reduce overall system cost and improve flexibility because they allow operators to perform maintenance and other tasks while a machine is in motion. Safe-speed control also helps increase uptime and decrease energy costs because a machine does not need to be completely shut down and restarted. Networking offers another way to integrate safety and standard controls. The introduction of networks to the plant floor brought many benefits to manufacturers, including increased productivity, reduced wiring and installation, improved diagnostics and easier access to plant-floor data. Using an existing network to include safety information extends those same benefits, allowing seamless communication of the complete automation process on one standard network with one set of hardware and wiring. 4. Make better use of diagnostics: With the ability to embed intelligence-gathering devices into machines without redesign or retooling, machine builders provide customers with self-diagnostic equipment capable of predicting and preventing failures, thereby boosting productivity and reducing repair costs. Moreover, this technology relays the machine condition information back to the machine builder for value-added monitoring and analysis services without compromising existing resources or hindering profitability. From the end user's perspective, turning the maintenance function over to the machine builder makes good business sense - it improves machine performance, maximizes capital investments and allows for more cost-efficient use of internal resources.  Machines designed with EtherNet/IP connectivity allow remote troubleshooting and thus provide end users with improved diagnostic benefits. The ability to remotely monitor equipment from a distant location helps reduce fuel usage and related emissions, as well as associated travel time and costs of maintenance personnel who otherwise would go to the machine's location. 5. Design IT connectivity into the machine: Building information-enabled machines capable of connecting into an end user's IT infrastructure provides them with critical operational insight, including energy efficiency and overall equipment effectiveness (OEE) calculations. This insight, in turn, helps plant managers reduce waste and optimize productivity. A machine's IT connectivity also helps maximize the benefits of a machine's track-and-trace capabilities. Using advanced information software, manufacturers track and record relevant data at every step of the process to identify when and where resources were used. This visibility offers end users a wealth of data for waste reduction and other improvement programs. In addition, these systems also help automate track-and-trace procedures of product genealogy through the full chain of custody. In doing so, these systems help companies comply with regulations, document required data, identify potential product quality issues before they reach the market and, if necessary, respond to recalls faster and more efficiently. CONCLUSION Thanks to advancements in technology and best practices, machine builders can play an important role in helping companies implement safer machine designs that support sustainable production practices. By following the above core design principles and leveraging the best of today's advanced technologies, machine builders can create safer, more cost-effective and reliable equipment. Steve Ludwig is program manager for Rockwell Automation. For more information, please contact Leanne Hanson at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .
The ISO 10218 international standard for industrial robot safety is entering its last stage of approval prior to publication. This decade-long effort by representatives from 10 countries over three continents will result in the first all-new and complete international robot safety standard since 1992. This milestone achievement will, in turn, put the effort to revise the current Z434 Canadian national standard for robot safety into high gear, and result in new published standards in 2011. Both ISO 10218-1 (the revision to ISO 10218-1:2006 for the robot only) and the completely new ISO 10218-2 for the robot system and integration, are being prepared for release as Final Draft International Standards (FDIS) and formal approval balloting. This process should be completed near the end of this year, with publication coming next year. The revision to the international standard draws heavily on the experience and success of the United States' robot safety standard, ANSI/RIA R15.06-1999 (r2009). Since the R15.06 and Z434 documents are very similar, the Canadian content in the international standard will also be recognized. The international standard has always been slanted towards instructions for the manufacturer. The Part 1 document that was revised and published in 2006 was dedicated solely to the robot manufacturer. It was basically the requirements that were contained in Clause 4 of the Z434, with some new features added. Important information for proper use of the robots was not included. Part 2 of the ISO document rounds out the necessary safety information for the robot system and the integration of robots into useful work cells. It essentially contains the rest of the Z434 information. The two documents together will give the international community the necessary information for proper robot safety. With the advent of a new international standard for robot safety, what is happening with the standards in North America? The simple answer is that both CSA- and RIA-sponsored standards development teams are preparing to revise the current standards (Z434 and R15.06). Canada has not made a change in its robot safety standard since publishing the Z434 in 2003. In 2007, the United States adopted the ISO 10218-1 as ANSI/RIA/ISO 10218-1-2007, but could not change R15.06 because the Part 2 ISO document was not complete at that time. The RIA team bridged the gap in user information relative to the new features in the ISO standard with a technical report - RIA TR R15.206-2008. The United States has the R15.06; the ISO 10218-1, which stands in for Clause 4; the technical report; and the other 13 clauses of R15.06. These make up a newer package of safety information. The same can be applied in Canada with the Z434, though the documents have not been formally adopted. Canada and the United States have spent a lot of time and resources supporting the revision to the international standard. We can now reap some of the rewards for that effort by adopting it as our standard. This means the ISO standard will represent one standard, valid worldwide, and recognize the global nature of industrial robot safety requirements and the industry itself. Robots and robot systems designed and built in other countries will be fully compliant with the North American requirements, and will be able to be used here in North America. This will correct a long-standing issue presented to a number of global companies with both North American and international operations. Likewise, robot systems designed in Canada will be compliant with the requirements in other countries if a company chooses to move a cell or wants common cell designs throughout its global corporate operations. How will this be achieved? For the United States, it will all be contained in one document - ANSI/RIA R15.06-2011. The R15.06 committee has been actively following the work of the international committee and making appropriate inputs and comments to their work as the standards develop. The R15.06 committee released the first draft of the next edition of R15.06 at the National Robot Safety Conference last month. The draft contains both parts of the ISO standards (Part 1 for the robot and Part 2 for robot systems and integration), and has additional U.S.-unique requirements directed to the user. The new standard thus will continue to address the three stakeholders that the current R15.06 standard addresses - the manufacturer, the integrator and the user. Similarly, the Z434 document will be revised to include the updated robot safety information. Work on that document is continuing and is expected for release in 2011. The new standards will represent the state-of-the-art for industrial robot safety and robot work cell efficiency and productivity. North America promises to stay at the leading edge of robot safety technology, while making our industry more efficient and competitive. Jeff Fryman is the director of Standards Development at the Robotic Industries Association. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .
In Canada, and North America as a whole, the standards surrounding machine safety - particularly from a mechanical focus - are rather muddy. While the Occupational Health and Safety Act (OSHA) ensures the protection of workers from injury while on the job, and the Canadian Standards Association (CSA) has established the Safeguarding of Machinery standard Z432-04, which assigns responsibilities for the proper safeguarding of machinery, there are currently no standards that address mechanical machine safety, such as forced control (including contours and cams), and pneumatics and hydraulics in an automated system. While Europe has its own set of standards, North American manufacturers are left only with a standard developed by the International Electrotechnical Commission (IEC), the IEC61496, which is an international standard for all electrical, electronic and related technologies that is accepted as the default standard by the Underwriters Laboratories. But just because there aren't defined Canadian standards doesn't mean owners of manufacturing equipment aren't responsible for malfunctioning or harmful machines. In the past decade, there has been increased regulation and enforcement by the Ministry of Labour on machine guarding and safety, particularly regarding machinery and operator interfaces. In many cases, it's the owners of these machines - not the designers or manufacturers - that face hefty fines and potential jail time if an employee becomes injured on the job as a result of them. Over the past few years, there has been a steady increase in the penalties available under provincial legislation relating to health and safety, and this trend seems to be on the rise. This has led to a push to ensure machines are safe before they're built - namely in the design stage. This trend appears to be driven by customers who will evidently be held responsible for any risks that could become a safety concern during a pre-start safety inspection or through the lifespan of a piece of automated equipment.  This is a good place to start. To prevent potential penalties down the road, it's wise for buyers of automation machinery to ensure that, during the design of new machinery and the upgrade of existing machinery, measures are implemented to protect the worker and machine from moving devices through security and interlocking principles.  The problem is, this stage of the process is identified through a thorough risk assessment, which is nothing more than a calculated forecast of possible recognized risks and severity of injury. The individual phases of a machine's life present different hazards, which would not be evident through a normal operating risk assessment. A thorough assessment should also consider the following factors: • Initial position standstill: What are the potential hazards when machinery is pressurized for the first time from a pre-exhausted state? • Set up and service operation: What are the associated risks when machinery needs to be set up and serviced? What are the potential hazards that may exist when compressed air and/or power have been shut off?  • Emergency: The emergency condition can present different hazards, such as losing control of motors and drives that continue to move under momentous forces when an emergency event has been triggered. How will your machinery respond to emergencies? Safe stopping, safe exhausting and protection against unexpected startup need to be considered when an emergency condition has been triggered.  In all of these phases, there is the need for risk assessment and the identification of hazards. This results in design measures that reduce risk, and technical protective measures that will ensure that the residual risk is at an acceptably low level.  The life expectancy of machinery also needs to be addressed, and mean time to failure calculations should be carried out to determine that the components that are used in critical applications will perform as required during the life cycle of machinery. Rick Sauer is a product manager with Festo Inc. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .
Page 3 of 5

Subscription Centre

New Subscription
Already a Subscriber
Customer Service
View Digital Magazine Renew

We are using cookies to give you the best experience on our website. By continuing to use the site, you agree to the use of cookies. To find out more, read our Privacy Policy.