Machine Safety
Standards development is one of those activities that seems mysterious to many. The Technical Committees (TC) are made up of people from industry, academia, government, user associations and the general public for standards developed within a country, like the CSA standards we use in Canada. In the international arena, things are a bit different. ISO and IEC TCs are made up of delegations from member countries. The delegates come from the same sources within each country as the national standards TCs, and the work is generally organized by national standards bodies. In Canada’s case, this is the Standards Council of Canada. If you are qualified and there is space available, all you need to do is volunteer to participate, and then be ready to contribute by attending meetings, preparing submissions and traveling to meetings.

In September, a meeting of ISO TC199 - Safety of Machinery, Joint Working Group 1 (JWG1) was held in Paris, France. This group is working on merging two important machinery standards: ISO 13849-1 and IEC 62061. If you design machinery that uses electrical or electronic controls as part of the safety system, then one of these standards may apply to your designs. How do you know if you should be using one of these standards? Ask yourself a few questions:

1. Do we use interlocked guards or other safeguarding devices like light curtains, two-hand controls or presence-sensing mats to reduce risks from our designs?
2. Do we use complementary protective measures including emergency stop systems in our designs?
3. Where do we sell our machinery?
4. Do we foresee a time in the next few years where we may want to expand our market internationally?

If you answered ‘YES’ to either or both of the first two questions, these standards may be used to analyze the reliability of these systems. If you answered, ‘just Canada’ or ‘just North America,’ then these standards could be used to replace sections of the CSA or ANSI standards covering control reliability that apply to your machinery, but this is not required. If you sell outside of North America and the European Union, using ISO and IEC standards for your designs means that your products are much more likely to be ready for foreign markets, with few changes needed to meet local requirements.

If you sell in the European Union, both of these standards are harmonized under the Machinery Directive, so using these standards helps to open the door to a market of 27 countries. If you are selling only in Canada or North America, and you can foresee a time in the near future when you will want to branch out into international markets, supplementing the Canadian and U.S. National Standards with ISO and IEC standards will help get your product ready for these markets.

There is a problem, however, and JWG1 was assembled to deal with it. The two standards, while not in conflict, use different terminology and different methodology to assess control reliability. The results of the analysis are described as ‘Performance Levels’ or ‘PL’ by the ISO standard, or as ‘Safety Integrity Levels’ or ‘SIL’ by the IEC standard, and this is just the tip of the iceberg. Why are there two standards, and what are the advantages and disadvantages for each? These problems have to be resolved, and JWG1 is making plans to do just that.

JWG1 needs help from users of these standards. There is a short, on-line questionnaire available that you can use to contribute to the work of the committee. As a member of the Canadian committee working on this problem, I want to appeal to you to take a few minutes to contribute. The questionnaire closes on Nov. 30, 2012. If you have concerns about this work that you don’t feel were covered by the questionnaire, please write to me with your concerns. I will take your concerns to the committee for consideration along with all of the other concerns we are hearing from around the world. The next meetings are being planned now.

Doug Nix, A.Sc.T., is Managing Director & Principal Consultant, Compliance InSight Consulting Inc. This article originally appeared in the November/December issue of Manufacturing AUTOMATION.
Functional safety is a growing field in engineering, and one that is having increasing influence in most products that include active control systems. If you haven’t heard this term before, you can find one definition in an IEC Standard: “Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.” The full definition is a bit longer, but the idea is clear: Control systems with a safety function must operate correctly.

Since the mid-1990s, functional safety has been slowly creeping into the industrial machinery design field. Prior to that, most machines had a simple emergency stop circuit, one that often did double-duty as the main power control for the machine. In many cases, a simple interlock was added to that circuit, and voila! You had the safety-related parts of the control system. Figure 1 shows a simple master control relay circuit with interlock.

In this figure, the ‘MCR,’ or Master Control Relay, would typically be a fairly beefy contactor, usually with a DC contact rating so that both AC and DC control circuits could be directly switched. ‘PB2’ is the ‘Power On’ button, ‘PB1’ is the ‘Power Off’ button, and if it was fitted with a red mushroom-head operator, could also operate as the Emergency Stop button. ‘LS1’ is the guard interlock limit switch, and ‘CR1’ is the interlock relay. ‘M1’ represents the machine prime mover, like a conveyor motor or a hydraulic pump, for example.

Since 1994, there has been an increasing focus on functional safety in industrial machinery. This focus has been driven primarily by the European Union, but North America has recognized there is value in ensuring safety functions work properly. This has been accompanied by an increasing selection of safeguarding devices, beginning with two-hand controls and now including light curtains and fences, safety mats, area scanners and 3D-vision systems. Failures in these systems result in injuries and fatalities, so reliable control systems make sense.

To really understand the problems we are facing, a little history is needed. The timeline shown in Figure 2 illustrates the development of the standards.

Functional safety was described in the first editions of both CSA Z432 and Z434, but little direction was given to designers about the appropriate use of these approaches. In 1995, EN 954-1 was introduced in Europe and was harmonized under the Machinery Directive of the day, introducing the reliability categories that have become familiar: Categories B, 1-4. EN 954-1 marked the first time that prescribed control circuit architectures were described, and also gave designers more specific guidance on when to use the different categories to achieve effective risk reduction. ISO would later take over responsibility for EN 954-1, renumbering it as ISO 13849-1 and publishing the first edition in 1999; this edition was virtually unchanged from EN 954-1.

In 1999, ANSI published the second edition of RIA R15.06 and detailed the prescribed control circuit architectures in a North American standard. The categories were not identical to those in EN 954-1 or ISO 13849-1, and were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories were quickly adopted with some changes by CSA and included in CSA’s Z432 and Z434 standards in 2003 and 2004 respectively.

In 2006, everything changed with the publication of ISO 13849-1, Edition 2. This edition expanded on the prescribed architectures from the first edition, introducing the ideas of Performance Level or PL, Mean Time to Failure (dangerous) or MTTFd, Diagnostic Coverage or DC, and Common Cause Failures or CCF. A big problem had been created: North America had the SIMPLE to CONTROL RELIABLE categories, but the U.S. and Canadian definitions were different. Internationally, ISO had PLa-e, and IEC had SILs (Safety Integrity Levels) SIL1-SIL4. All of these standards were applicable to machinery, but there was no clear guidance on how to choose the most appropriate standard.

Since the second Edition of ISO 13849-1 was published in 2006, ANSI has adopted ISO 10218-1 for Industrial Robots, and this standard brings ISO 13849-1 in with it. This may spell the end of the SIMPLE-CONTROL RELIABLE definitions, since the coming adoption of ISO 10218-2 for Industrial Robot Systems will incorporate ISO 13849-1 into the requirements for the safeguarding systems on robot systems in the U.S. It is reasonable to expect that CSA will not be far behind in adopting these same standards.

ISO and IEC recognize that a problem exists for users. While ISO 13849-1 has been harmonized for machinery and has replaced EN 954-1, IEC has a competing standard. IEC 62061, which uses SILs, is also harmonized under the machinery directive, but doesn’t explicitly include pneumatics and hydraulics while ISO 13849-1 does. You can use the IEC standard to assess the reliability of fluid power systems; it just takes a bit more work. A Joint Working Group was formed under ISO TC199 - Safety of Machinery, called ‘JWG1.’ The sole task of this group is the merger of ISO 13849-1 and IEC 62061. Although the work started in 2011, publication of the merged document is unlikely to come soon. We may have to wait until 2018 to see the finished product.

Designers need to ensure that they have reduced the risks on their machinery following the hierarchy of controls, and that the safeguarding systems selected are appropriate for the application.

A presentation given by Heinrich Mödden of Germany’s VDW to ISO TC199 in 2012 showed injuries due to intentional bypassing of safeguarding systems, often for legitimate reasons, far outweighed injuries from control systems failing to danger. There is often insufficient motivation to return the safeguards to their original state, eliminating the protective function designed into the machinery by the manufacturer.

Are we wasting our time focusing so much effort on functional safety, if our efforts are often disabled in the field? I don’t think so, since even one injury is too many, but we may be putting more effort into figuring out how best to assess control reliability than is warranted. Machinery designers need to focus on the whole hierarchy of controls, and functional safety considerations should only receive attention when it makes sense.

If you are interested in learning more about machinery risk assessment and the application of ISO 13849-1, Compliance InSight Consulting is offering open enrollment workshops on risk assessment and the application of ISO 13849-1 starting this month. You can get more technical information on these topics at the Machinery Safety 101 blog.

Doug Nix, A.Sc.T., is Managing Director & Principal Consultant, Compliance InSight Consulting Inc.
In my experience one of the questions that arises the most is “when is interlocking permissible to protect the worker?” Ideally, using interlocking to protect the worker would never be acceptable since, as stated in CSA Z460-05, lockout is always the preferred method of protecting a worker, as long as it is practicable. Practicable may mean, for example, that providing a guard completely over a grinder is not practicable, since no grinding would be possible. However, it is practicable to allow the wheel to be exposed sufficiently so as to permit the grinding to take place. Another example would be that it may not be practicable economically to perform a full lockout, as would be the case on a CNC machine. In this case, requiring a worker to perform a full lockout each time a workpiece needs to be unloaded may make the operation so economically unviable that the work would be lost. In such a case, we would need to provide adequate protection to the worker so that the risk is as low as reasonably practical (ALARP). In essence, ALARP involves weighing a risk against the trouble, time and money needed to control the risk. This long-standing issue has been tackled by a technical committee that developed CSA Z460-05 (R2010) Controlling Hazardous Energy – Lockout and Other Methods.

In this standard, the distinction is made between tasks that are integral to the production process and, by implication, tasks that are not integral to the production process. In short, the standard distinguishes that lockout is not always doable in an economic sense and there is a need to use “other methods” to control the hazardous energy.

This “other method” of controlling hazardous energy is, for the purpose of this article, the use of interlocks. However, interlocks can only be used if – and only if – the task to be performed is integral to the production process.

At this juncture it is worth reviewing the regulatory requirements of sections 24 and 25, which can be surmised to state that where there is an exposed moving part or nip point that endangers the safety of a worker, the worker must be prevented from gaining access to the exposed moving part and/or nip point. It is to be noted that the emphasis is on the employer to prevent access and not on the worker not to gain access. We can hope and pray all we want that nobody will access the exposed dangerous parts, but at the end of the day, the regulations only require that a person have access to be non-compliant with the regulatory requirement. That is the point of interlocking – that with the interlocking, there are no exposed moving parts, thereby removing the source of the hazard that has the potential to cause harm to the worker. This reliability of the functioning of the interlock is not in itself absolute, as there is some risk of failure of the interlocking system. But the risk must be reduced to as low as reasonably practicable under the circumstances to protect the safety of the worker.

As referenced earlier, the interlocking should be applied for specific tasks under specific circumstances and, by implication, not all tasks under all circumstances. It is clear therefore that one must be able to assess whether or not a task can be considered as integral to the production process or is part of some other activity.

To be considered integral to the production process, the designed task will exhibit most of the following characteristics:

1. It must be of short duration.
2. It must be relatively minor in nature.
3. It must occur frequently during the shift or production day.
4. It is usually performed by operators or others functioning as operators.
5. It represents pre-determined cyclical activities.
6. It minimally interrupts the operation of the production process.
7. It must exist even when optimum operating levels are achieved.
8. It requires task-specific personnel training.

Each of these tasks should be analyzed within the context of their application but the following analysis is useful:

1. Duration: Of course, the question then becomes how short is short? This may depend on the nature of the activity, but one must recognize that if a machine needs to be fiddled with for a disproportionate period of time, that task is not part and parcel of the production process.
2. Minor in nature: This is, once again, relative, but one could define minor as meaning that no tools, or perhaps a specific tool only (to keep parts of the body out of hazardous areas), are to be used.
3. Occurrence: If the task needs to be performed infrequently or sporadically, then the task is required not because of production requirements but because of defects within the machine itself. Clearly the root cause of the required task needs to be addressed and not have a worker subject him or herself to a potentially hazardous event because of the machine deficiency.
4. Operator skill level: If the task requires a person with specific skill sets not normally attributable to the operator, then the task itself is distinct from the production task. Clearly, such a task would not be integral to the production process.
5. Pre-determined cyclical activities: As an example, we can look at a spot welder, whereby the operator is required to change the welding tip every 5,000 weld cycles. Changing the tip may be considered integral to the production process.
6. Production interruption: If the task to be performed requires a lengthy amount of time, then that task cannot be said to be integral to the production process.
7. Exists all the time: It sometimes happens that an operator needs to make some adjustment on the machine and that the adjustment is the result of a defect due to a defective or worn part. These things start slowly and the operator tolerates the deficiency. Over time, it is no longer a deficiency but becomes part of the “normal” operation of the machine. Clearly the task necessary to overcome this deficiency cannot be considered to be integral to the production process and the worker should not be subject to undue risk because the machine is not operating within its normal operating specifications.
8. Personnel training: As was noted earlier, these tasks are designed tasks, not tasks merely performed at the whim of the operator. The task must be designed so as to minimize worker exposure in the course of performing a specific task.

One method of conducting the assessment is to give specific quantitative (or qualitative) values to each of the characteristics. Then, you can draw conclusions to assess whether or not the task is integral to the production process. If it is, you may use an appropriate interlock. If it is not, you must redesign the task.

The preceding is all fine and well, but please remember that if an incident with consequences occurs, labour officials in your province will need to look at any violation. If an injury has occurred, it becomes difficult to state that access to exposed moving parts or pinch points has been prevented.

Franco Tomei, B.A.Sc. P.Eng, is a professional engineer with more than 40 years of industrial experience — 12 years of that directly in the safety field. This column originally appeared in the September 2012 issue of Manufacturing AUTOMATION.
Many enterprises seem to accept the high risk generated by defeated protective devices placed on machinery. By “defeated,” I mean safety devices that have been altered so as to render their intended function ineffective. There are also safety integrators that install protective devices that render the machine unusable. While this may sound far-fetched, I have, on at least two occasions, been called upon to review machinery that became unusable because of the protective devices.

Use of protective devices on machinery is necessary to protect the worker. If the moral obligation isn’t enough to ensure their effectiveness, there are regulatory requirements that must be fulfilled. Yet, many workplaces end up with machinery whereby defeating the protective device is part of a company’s everyday life. Time and again, defeated protective equipment causes severe injuries and, in some cases, fatalities.

From a realistic viewpoint, it must be stated that defeating protective devices could not happen if there was not some willingness on the part of the employer/supervisor to permit the defeating to happen. Rather than criticize these actions, we must refrain from placing blame and learn why such actions take place. If we can learn the why, we may be able to prevent the defeating of safeguards. Given that a worker is a rational, thinking person, defeating a protective device for no reason simply would not occur. Similarly, given that the employer is a rational, thinking person, he or she would also not permit the defeating of protective devices. To get to the root of the problem, it must be concluded that the defeating takes place because there is something to gain — whatever that gain may be perceived to be by either party.

In a study conducted in Germany, it was found that 37 percent of protective elements were defeated. In presenting this study a few years ago in Mississauga, Dr. Friedrich Adams of Schmersal GmbH did not call for greater enforcement, nor did he place blame on the employer or worker. Rightfully, in my opinion, Dr. Adams stated that we as machine builders or safety integrators have failed in our mission to the worker and the employer. We have failed because we have created the conditions such that the performance of a task is so inconvenient or cumbersome that we are providing an incentive to the worker and/or employer to defeat the protective device.

As a sidebar, it is worth noting the variance in the approach to safety of machinery in Canada compared to the European Free Trade Association (EFTA). In the EFTA, the machinery must be deemed to meet the Machinery Directive of the EU before it can be placed on the market. Successfully meeting the Machinery Directive causes the machine to be declared safe. As far as I am aware, in Canada, the responsibility for the safety of the machine is placed on the employer, who should ensure the safety of the machinery through commercial contracts. These two fundamental approaches on how machinery is placed on the market result in different methodologies in seeking solutions.

If defeating the protective device is foreseeable, the manufacturer and/or safety integrator has to take this into account at the design stage or during the retrofit. Essentially, as designers/users, we know the tasks that are to be performed on the machine. Once the tasks are identified, we need to ensure the worker is protected in the course of performing each of those tasks, but we must do so without any significant “inconvenience” to the worker or process. If the protective device creates an “inconvenience,” then the first thing that will be done by the individual worker or in collusion with others and with the blessing of supervisors/employers, is the protective device will be defeated — and sooner or later this will result in an injury. In the machinery industry, the manufacturer of the machinery and the user of the machinery should have a collaborative program whereby information is exchanged to ensure there is no task whereby there is a significant incentive to defeat the protective device. This would assist the manufacturer in seeking solutions to prevent such events.

How can one assess whether or not their own machinery’s protective devices are defeated? Several tools can be used, such as supervisory inspections of the protective devices, reports from the manufacturers (although not common), and asking the worker for input on the adequacy of the machine in performing their work. However, the better approach is to, at the design stage, assess whether or not there is a foreseeable significant enough incentive for a protective device to be defeated in performing a specific task.

Assessing whether or not a safeguard will be defeated is not insurmountable. The steps necessary to do so are as follows:

• Identify each activity required for the machine;
• Break the activity down into the various tasks; and
• For each task, assess whether or not the task needs to be performed with a protective device to protect the worker.

Assess whether there is a significant enough incentive to defeat the safeguard by considering the following 11 common incentives:

1) Will defeating the safeguard make the job easier or more convenient?
2) Will defeating the safeguard result in faster and/or greater productivity?
3) Will defeating the safeguard result in increasing the capacity of the machine?
4) Will defeating the safeguard result in greater precision?
5) Will defeating the safeguard result in better visibility?
6) Will defeating the safeguard result in better audibility?
7) Will defeating the safeguard result in less physical effort?
8) Will defeating the safeguard result in reduced travel?
9) Will defeating the safeguard result in greater freedom of movement of the worker?
10) Will defeating the safeguard result in material flow improvement?
11) Will defeating the safeguard result in avoidance of interruptions?

The above questions could be answered with a straight yes or no, but life is never that simple as there are degrees of incentives. It is therefore recommended that a score be given to each of the questions, whereby an acceptable number is defined. In addition, one should also look at the greater picture since, while all of the answers may be low enough to be a no, the total may result in a yes.

Where the answer is yes, action must be taken on the possible various fronts that will permit the worker to perform the task without having significant incentive to defeat the protective device.

Franco Tomei, B.A.Sc. P.Eng, is a professional engineer with more than 40 years of industrial experience — 12 years of that directly in the safety field. This column originally appeared in the June 2012 issue of Manufacturing AUTOMATION.
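The scoring approach recommended in the column above, as an added example that is not from the original column or its author: each task gets a score for every one of the 11 incentives, and defeat is treated as foreseeable when any single score or the total exceeds an acceptable number. The 0 to 5 scale, both limits and the spot-welder task data are assumptions chosen for illustration.

```python
"""Defeat-incentive screening for machine tasks (illustrative sketch)."""
from dataclasses import dataclass

# The 11 common incentives listed in the column, in the same order.
INCENTIVES = (
    "easier or more convenient",
    "faster and/or greater productivity",
    "increased machine capacity",
    "greater precision",
    "better visibility",
    "better audibility",
    "less physical effort",
    "reduced travel",
    "greater freedom of movement",
    "material flow improvement",
    "avoidance of interruptions",
)

# Assumptions, not values from the column: scores run from 0 (no incentive)
# to 5 (strong incentive); the limits are the "acceptable numbers".
MAX_SCORE = 5
ITEM_LIMIT = 3    # a single incentive scoring above this counts as a "yes"
TOTAL_LIMIT = 15  # a summed score above this counts as a "yes"


@dataclass
class Assessment:
    task: str
    total: int
    drivers: list      # incentives that individually exceed ITEM_LIMIT
    over_total: bool   # True when the sum alone exceeds TOTAL_LIMIT

    @property
    def defeat_foreseeable(self):
        return bool(self.drivers) or self.over_total


def assess_task(task, scores):
    """Score one task against all 11 incentives."""
    if len(scores) != len(INCENTIVES):
        raise ValueError(f"{task}: expected {len(INCENTIVES)} scores, got {len(scores)}")
    for s in scores:
        if not isinstance(s, int) or not 0 <= s <= MAX_SCORE:
            raise ValueError(f"{task}: score {s!r} is outside 0..{MAX_SCORE}")
    drivers = [name for name, s in zip(INCENTIVES, scores) if s > ITEM_LIMIT]
    total = sum(scores)
    return Assessment(task, total, drivers, total > TOTAL_LIMIT)


def screen(tasks):
    """Return the tasks where defeat is foreseeable, highest total first."""
    results = [assess_task(name, scores) for name, scores in tasks.items()]
    flagged = [a for a in results if a.defeat_foreseeable]
    return sorted(flagged, key=lambda a: a.total, reverse=True)


# Constructed sample data: tasks on a guarded spot welder.
SAMPLE_TASKS = {
    # Low everywhere: no single "yes" and a low total.
    "load workpiece": [1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1],
    # Every answer is low enough to be a "no", yet the total is a "yes".
    "change weld tip": [2, 2, 1, 2, 2, 1, 2, 1, 2, 1, 2],
    # Several strong individual incentives.
    "clear jammed part": [4, 3, 0, 1, 5, 0, 2, 0, 3, 0, 4],
}

if __name__ == "__main__":
    for a in screen(SAMPLE_TASKS):
        reason = ", ".join(a.drivers) if a.drivers else "total only"
        print(f"{a.task}: total {a.total} ({reason})")
```
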
When designing safeguarding systems for machines, one of the basic building blocks is the movable guard — doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine so that the hazards covered by the guards are effectively controlled when the guard is opened. There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

The hierarchy of controls

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment, start there, and then come back to this point in the process.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Where a level cannot be applied, the designer moves to the next lower level.

Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical versus mechanical interlocks

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

Categories

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable. In the EU, there are five levels of control reliability, defined as Performance Levels (PL) in ISO 13849-1: PL a, b, c, d and e [4]. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the ISO 13849-1 PLs, but they are similar. IEC 62061 is based on IEC 61508 [6], a control reliability standard used in the process industries. IEC 62061 is not well suited to applications involving hydraulic or pneumatic elements.

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single channel monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocks can be purely mechanical, purely electrical or a combination of these.

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Requirements for these devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7, 2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 and 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, corrosive environment will also lead to premature failure.

The device standards do provide some guidance in making these selections, but it’s pretty general.

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the international and EU standards can use fault exclusions, but significant documentation supporting the exclusion of each fault is needed.

Defeat resistance

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.

The International and EU standards do not require the devices to be inherently defeat-resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.

Device selection

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry, wet or abrasive? Is it indoors or outdoors and subject to temperature variations?

Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 [4] for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.

The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject of another article!

References

[1] Safety of machinery - General principles for design - Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010
[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)
[3] Industrial Robots and Robot Systems - General Safety Requirements, CSA Standard Z434, 2003 (R2008)
[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006
[5] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005
[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X
[7] Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, ISO Standard 14119, 1998
[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11.0, 2008

Douglas Nix, A.Sc.T., is managing director at Compliance InSight Consulting, Inc. in Kitchener, Ont. He produces a blog and podcast called Machinery Safety 101, exploring a wide variety of machine safety topics. This column originally appeared in the May 2012 issue of Manufacturing AUTOMATION.
In North America, about five to 10 arc flash events occur each day. Arc flashes are responsible for as many as 80 percent of all electrical-related injuries.
An increased focus to comply with regulations and the need to reduce safety injuries are driving organizations to adopt new strategies and technologies to ensure the safety of people, processes and products. A recent Aberdeen Group study, "Integrated Safety Systems: Ensuring Safety and Operational Productivity," surveyed more than 120 executives last Fall about the current state of their safety program and the technologies they use to support their safety initiative. The report provides a roadmap for organizations attempting to better understand how an integrated safety system and other enabling technologies can best be deployed in a plant environment.
Bill 160 shifts the responsibility for injury and illness prevention activities from the Workplace Safety and Insurance Board (WSIB) to the Ministry of Labour. This will have the Ministry of Labour carry out health and safety inspections at Ontario workplaces, as well as oversee the delivery of workplace injury and illness prevention services by Ontario's health and safety associations. I had a chance to speak with the Ministry of Labour's John Vander Doelen, director of the Occupational Health and Safety System Review Project Secretariat, about how this shift will impact the readers of Manufacturing AUTOMATION (MA).
Note to readers: This article focuses on item 2 of the table in section 7 of the regulations titled Pre-Start Health and Safety Review that deals with machinery. The guidelines from the Ministry of Labour are available at
Today, machines operate at considerably higher speeds than in the past. In the race to meet production deadlines and budgets, safety cannot be forgotten.
As a controls integrator, I have had the opportunity to work in different facilities across the globe. The majority of these facilities have one thing in common - the concept of arc flash is largely an unknown. This is no surprise, as arc flash standards and awareness have only recently become publicized and enforced.
When a company is convicted of an offence under Ontario's Occupational Health and Safety Act, the normal penalty imposed by the court is a fine. The courts in Ontario consider a wide range of factors when sentencing a corporation under the Act, although these factors are not of even weight.
Most offences under occupational health and safety legislation are "strict liability offences." This means that if a person or company is charged with such an offence, the Crown only has to prove that a workplace accident or injury took place due to a prohibited act or omission. The Crown does not have to prove that the defendant was at fault or negligent. However, the defendant — usually the employer — can defend itself against a strict liability offence by establishing the defence of due diligence.
There are a number of myths that have grown up around emergency stops over the years. These myths can lead to injury or death, so it's time for a little myth busting.
Manufacturers across many industries are placing increased emphasis on machine designs that support safety and sustainability initiatives, and drive economic prosperity. Machines that improve safety, minimize waste, consume less energy and deliver maximum return on investment are critical to the success of any sustainable production program. Building such a machine requires a holistic approach to analysing operational efficiency, safety, functionality, productivity, ease of operation and maintenance. By following these five best-practice design principles, machine builders can deliver safer, more cost-effective and sustainable machines.
1. Perform a safety audit after mechanical design, but before control system design: Performing a safety audit before control system design helps engineers chart the course for an effective safety solution, and evaluate and investigate risks early in the development process. This saves critical time and helps machine builders get their equipment to market faster. In addition, the machine's end users gain optimized production, thanks to an automation system that helps operate machinery and processes in the most efficient way. A safety audit identifies the required safety control system integrity level and helps guide the selection of the overall control architecture to achieve the optimum level of safety.
2. Guard or control access to moving parts: Where hazards cannot be removed through design, machine builders typically will install a fixed physical barrier that protects users from the hazard. When frequent access to the hazardous area is required, non-fixed guards are used, such as removable, swinging or sliding doors. In areas where non-fixed guards are impractical, guarding solutions that monitor the presence of the operator rather than the status of the gate can be used.
While relays and other devices prove effective, many safety applications require a level of programming or more sophisticated safety logic that is best met through a safety controller. Safety controllers offer significant benefits in multistep shutdown or ramp-down sequences, such as transfer line applications, because they provide the necessary logic through software rather than the hard-wired logic of relays. An integrated safety controller is an ideal solution for any application requiring advanced functionality, such as zone control. With properly designed safety controls and guarding, designers reduce access time and help to make machines safer and more efficient.
3. Use integrated safety systems to reduce control system complexity: The more designers integrate the standard and safety control functions of a system, the better the opportunity is to reduce equipment redundancies and improve productivity and economic factors. This integrated control functionality reduces the number of unique components in use on the factory floor, which in turn reduces crib inventory costs, as well as maintenance team training requirements. End users also benefit from less waste with fewer parts to maintain and replace throughout the machine life cycle. In addition, integrated control systems have broader intelligence regarding machine operation and status, and reduce nuisance shutdowns and prolonged restarts, further improving machine efficiency and productivity.
New safe-speed control solutions provide a great example of effective control integration. With safe-speed control, safety input devices, such as guard-locking switches, light curtains and emergency stops, connect directly to the speed-monitoring core of the control solution. This eliminates the need for a separate, dedicated safety controller. Providing use across multiple platforms, safe-speed control solutions help reduce overall system cost and improve flexibility because they allow operators to perform maintenance and other tasks while a machine is in motion. Safe-speed control also helps increase uptime and decrease energy costs because a machine does not need to be completely shut down and restarted.
Networking offers another way to integrate safety and standard controls. The introduction of networks to the plant floor brought many benefits to manufacturers, including increased productivity, reduced wiring and installation, improved diagnostics and easier access to plant-floor data. Using an existing network to include safety information extends those same benefits, allowing seamless communication of the complete automation process on one standard network with one set of hardware and wiring.
4. Make better use of diagnostics: With the ability to embed intelligence-gathering devices into machines without redesign or retooling, machine builders provide customers with self-diagnostic equipment capable of predicting and preventing failures, thereby boosting productivity and reducing repair costs. Moreover, this technology relays the machine condition information back to the machine builder for value-added monitoring and analysis services without compromising existing resources or hindering profitability. From the end user's perspective, turning the maintenance function over to the machine builder makes good business sense - it improves machine performance, maximizes capital investments and allows for more cost-efficient use of internal resources.
Machines designed with EtherNet/IP connectivity allow remote troubleshooting and thus provide end users with improved diagnostic benefits. The ability to remotely monitor equipment from a distant location helps reduce fuel usage and related emissions, as well as associated travel time and costs of maintenance personnel who otherwise would go to the machine's location.
5. Design IT connectivity into the machine: Building information-enabled machines capable of connecting into an end user's IT infrastructure provides them with critical operational insight, including energy efficiency and overall equipment effectiveness (OEE) calculations. This insight, in turn, helps plant managers reduce waste and optimize productivity.
A machine's IT connectivity also helps maximize the benefits of a machine's track-and-trace capabilities. Using advanced information software, manufacturers track and record relevant data at every step of the process to identify when and where resources were used. This visibility offers end users a wealth of data for waste reduction and other improvement programs. In addition, these systems also help automate track-and-trace procedures of product genealogy through the full chain of custody. In doing so, these systems help companies comply with regulations, document required data, identify potential product quality issues before they reach the market and, if necessary, respond to recalls faster and more efficiently.
CONCLUSION
Thanks to advancements in technology and best practices, machine builders can play an important role in helping companies implement safer machine designs that support sustainable production practices. By following the above core design principles and leveraging the best of today's advanced technologies, machine builders can create safer, more cost-effective and reliable equipment.
Steve Ludwig is program manager for Rockwell Automation. For more information, please contact Leanne Hanson.