Sponsored By

Carefully Analyze Safeguard Benefits and Trade-offs

DN Staff

December 8, 2009

10 Min Read
Carefully Analyze Safeguard Benefits and Trade-offs

Most engineers can look at a machine such as a punch press, robot or web press and spot areas that could endanger operators. But they might not agree on what to do to protect those operators.
"Many participants in our classes just assume that an OEM provides a machine with the needed safeguards," says Chris Soranno, machine and process safety engineer at OMRON STI. "In North America, an equipment buyer must add the needed safeguarding devices to provide what the U.S. Occupational Safety and Health Administration (OSHA) calls a safe work environment. In Europe, it's just the opposite. The European Union requires equipment purchased in Europe to come equipped with all the safety and safeguarding devices installed and ready to use."
The North American approach can cause problems. "After a machine arrives, engineers must somehow attach safeguarding devices to it and connect those added devices to the machine-control circuits," explains Juergen Bukowski, SICK program manager for safety. "If the manufacturer did not prepare a machine for safeguarding devices and did not include a way for the devices to connect to the machine controls, the buyer faces an almost-impossible task to add the safeguarding devices. Thankfully, more OEMs have started to adopt the European approach or at least make provisions for added safety devices and electronics."
"OSHA has produced many standards that people can download for free," says Soranno. "In the machine-tool world, the ANSI B11 Machine Tools series of safety standards contains over 30 documents that provide safety standards and requirements for mechanical power presses, grinding machines and other equipment."
"In the robotics arena, the Robotic Industries Assn. standard ANSI/RIA R15.06-1999, Industrial Robots and Robot Systems; Safety Requirements covers installation and manufacture of industrial robots," says Soranno. "And you must follow the National Fire Protection Agency's Electrical Standard for Industrial Machinery (NFPA 79) for proper installation of industrial equipment."
Assess Risks First
Before you buy a lot of safeguarding devices, an assessment of the risks inherent in equipment will give you an informed start. "We always encourage people to do a risk assessment," says Bukowski. "During an assessment you evaluate the possibility of an injury and the severity of an injury that could occur. Suppose someone might get a scratch when they clear a jam from a machine about once a month. That risk differs greatly from the risk of a fatality from a press brake that operates once a minute." So the machine with the scratch risk might get a warning sign, while the press brake gets outfitted with guards and sensors to ensure it cannot injure people or operate with people too close.
Many consultants can provide risk-assessment services and engineers can buy risk-assessment software such as the DesignSafe package from Design Safety Engineering or risk-analysis software from Euchner-USA. Some safety-equipment vendors also offer assessment-consulting services, as well as informal reviews of machine-safety risks.
Vendors Help with Device Selection
Vendors also can help you choose safety devices based on the results of your assessment. Equipment includes interlock switches for doors and gates, light curtains that cover a planar area, laser scanners that monitor a work space, two-hand switches, wireless sensors, emergency switches and so on.
These types of active safeguarding devices are used with passive equipment such as physical guards and fences that keep people away from hazards created by machinery. "Many machines require movable guards, doors and screens that include an interlocking switch or sensor that lets the machine operate when they are in a safe position," says Mike Carlson, safety products marketing manager at Banner Engineering. "Protecting people often involves a balance between access to a work area and the means of safeguarding. If you have a loading station, for example, an operator must have access to it, so a physical guard probably won't be the best choice, but a light curtain might be. Or if you have a small area that only one individual can access, something as simple as a two-hand control that an operator must use might suffice. During the risk-assessment process, you work through these types of issues."
Physical or Electronic Safeguards?
In some cases, you might have to choose between a physical guard or a light screen for safeguarding. "A light curtain lets operators easily load or unload a machine," says SICK's Bukowski. "But if bits of metal could fly out of a machine or there is a high noise level, you need some mechanical guarding, interlocked with a safety door switch. So either the light curtain or the door switch could generate a stop signal to the machine."
Laser scanners can detect foreign objects - often people - within a work space. "Not only would this type of scanner stop a machine if someone entered a work area, it would also prevent the machine from operating if someone was still doing maintenance inside the machine," says Bukowski. A laser scanner transmits a beam and measures the time of flight, so you also get some distance information.
"Often we find that engineers have used the proper safety-rated light curtain but they mounted it too close to the hazardous area," says Soranno of OMRON STI. "So operators still can put their hands through the light curtain and get hurt. You must calculate the distance between the light curtain and the hazard based on how fast an operator can reach the equipment and how fast you can stop the hazard. Many times engineers overlook that aspect of safety. They use the proper safety equipment but they don't understand there's also a mounting distance to address. The physical location of safety devices will affect the overall safety of a system." Engineers also must consider the time it takes their safety electronics to respond to a signal from a safeguard device.
You need a Safety-Rated PLC, Too
"When we look at equipment that in-house or third-party engineers have safeguarded, often we discover they haven't connected the safety-rated component to a safety-rated control system commensurate with the level of risk," says Soranno. Typically, a lot of safety-control designs use either electromechanical relays or off-the-shelf safety-rated monitoring relays. Engineers connect all of their safeguarding electronics to the relay and then use the relay to turn off a machine if someone "trips" a safeguard device. Many manufacturers now sell programmable safety controllers, or safety-rated programmable logic controllers, that give engineers a lot of design flexibility. A safety-rated PLC can include its own logic that monitors and controls different safeguarding devices depending on phase of a machine cycle.
"But many people still connect safeguarding devices to their off-the-shelf PLCs," says Soranno. "We all know a standard PLC will eventually fail, but you can't predict whether its outputs fail in an open or closed mode. And in a standard PLC, someone could inadvertently change a line of code that now affects the PLC's response to a safeguard input. Engineers know they need logic for their safety system but they incorrectly try to merge safety and machine logic into one PLC." When it comes to safety, you want to ensure any component of a system is rated for its intended use. If a safety-rated PLC fails, you know it will "fail to safe" and leave your machine in a safe condition.
Two Channels Prove Better than One
Redundancy can extend to the outputs on a safety-rated PLC, too. "A safety-rated PLC often provides two redundant outputs," says Bukowski. "If one output channel fails, you always have the second channel to stop a machine's movement. Even if a safety-rated PLC experiences a single-point failure it can still turn off a machine in a safe state."
Engineers also want redundancy in the safeguarding devices. "Depending on your risk assessment, you might need a light curtain with redundant outputs," says Carlson. "But in an emergency-stop button, a single output might suffice. With that said, though, e-stop buttons with multiple contacts have started to gain popularity because that e-stop button must work when you hit it."
Stop Buttons are Not Safeguards
"But engineers must not regard e-stop buttons as safeguarding devices," emphasizes Carlson. "They form part of what I call the umbrella of safety." As stated in the ANSI B11.19 document, "A safeguarding device detects or prevents inadvertent access to a hazard, typically without overt action by the individual or others. Since an individual must manually actuate an emergency stop device to issue the stop command, usually in reaction to an event or hazardous situation, it neither detects nor prevents exposure to a hazard."
"In several instances where people have been killed, an e-stop button has been a short distance from an outstretched hand. An e-stop button augments safeguarding devices," says Carlson.
When you plan to buy a safety-rated PLC, look for one with a safety-integrity level of 3, or SIL3. In continuous use, a SIL3 device has a probability of a dangerous failure between 10-8 and 10-7 per hour. That becomes one failure in 10 million hours of operation. The safety-equipment industry also relies on the ISO-13849-1:2006 standard (in full effect as of November 2009) that gives safety products a "performance level" rating where lowercase letters indicate each level, from PLa to PLe. The latter corresponds exactly to a SIL3 rating.
Implement Flexible Safeguards
In some industrial situations, engineers might need to control safety levels so humans can access equipment or parts can enter equipment during operation. So, safety engineers talk about muting, bypass and blanking conditions.
If you have parts on a conveyor belt that goes into a machine, a safety-rated controller must let parts pass through a light curtain, but must detect an arm or hand. "Muting refers to the automatic suspension of safeguarding functions at non-hazardous times during machine cycles," says Carlson. "If there's no hazard, you can turn off, say, a light curtain so an operator can place a part on the conveyor belt."
"People often confuse muting with bypassing," continues Carlson. "In the latter, someone purposely overrides the safeguards. If you have a web process that coats paper, for example, you might have to adjust something but cannot turn off the machinery. So, a highly trained operator can insert a key and bypass the safeguards and adjust the web equipment. Part of your safety plan for this equipment involves training that lets operators know if they put their hand in the wrong place, they'll lose it." That's one reason why only highly trained individuals should have the ability to bypass safeguards.
A third function, blanking, also can confuse people. You might need to desensitize a light-curtain's monitored "field," so small objects, but not a hand or arm, can pass through, or you could program the light curtain to ignore beams in given locations so a tool or jig can stick out.
When you must implement safeguarding on brand-new equipment or retrofit older machines, you'll find safety-equipment vendors available to help. They can provide some assessment and risk-analysis services, offer consulting services or help you find third parties that offer a wide range of services. An Internet search will also turn up seminars on machine safety and vendors also have helpful tutorials and documents on their websites. They want to give you a hand and help ensure you and your employees don't lose one.
For an overview of IEC 61508, Standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, click here.
For more information about EN ISO 13849-1:2006, see "A New Approach to Machine Safety: EN ISO 13 849-1:2006 - Safety-Related Parts of Control Systems."
For more on machine safety, see "Software Safety: System Software Safety Demands Attention."

Sign up for the Design News Daily newsletter.

You May Also Like