The Machine Safety Alternative to Complete Shutdown

Follow the Machinery Safety Lifecycle to design integrated machine safety solutions that help protect employees, reduce costs, comply with regulations and improve productivity.

Machine builders and system integrators need expertise in current safety standards, a proven track record in building or integrating safety systems and knowledge of productivity-enhancing safety technologies.

“Working for Rockwell Automation for 37 years, the one thing I've recognized about safety is that it's ever-changing,” says David Rasmussen, TÜV-certified functional safety engineer, regional marketing lead safety, Rockwell Automation. “We're developing products that are technological advances in safety. Implementation might get simpler, but the advancements won't stop.”

Companies implement machinery safety solutions and programs to protect employees from unsafe conditions and known hazards; to reduce costs such as medical and insurance expenses; for regional or international regulatory compliance; to protect the brand from bad publicity and reduced sales; and to improve productivity and avoid complete machine shutdown or full system lockout/tagout (LOTO).

Developers are used to developing standard applications. “As safety becomes a bigger part of what developers do, we want to show what type of skill sets are needed to successfully implement machine safety,” explains Steven Ludwig, safety programs manager, Rockwell Automation.

Which OSHA standards apply to machine guarding of production equipment? CFR 1910.147, the LOTO standard, applies when employees perform maintenance and service on production equipment. It requires that unexpected energization of equipment be prevented by removing all energy from a machine and locking the energy sources in the off state whenever employees must place any part of their bodies in a potentially hazardous location.

CFR 1910 Subpart O, machine guarding standards, applies when employees operate and work around equipment that is in the production state, and requires that employers provide safeguarding of hazards that could cause injury or illness to employees.

The exception to LOTO applies when employees perform “minor servicing” to equipment, and requires that employers provide effective “alternative measures” to safeguard employees.

“Alternative measures are ways to help keep you running while you still protect the workers,” said Ludwig. “We're trying to lend some clarification around what they're permitted to do as an alternative measure because you're not allowed to decrease the protection of the worker.”

If machine access is required, the choices are LOTO or the alternative means—machine safety, such as integrated machine safety solutions.

“OSHA's pretty clear on lockout/tagout standards,” said Rasmussen. “Machinery safety exists in one tiny paragraph within the lockout/tagout exception. OSHA's given us an exception, but how do we implement it? With machinery safety, we have two choices — manual lockout/tagout or automatic alternative methods. Environmental, Health & Safety (EH&S) says to prove that it was designed properly and that it really works.”

The functional safety design process uses the Machinery Safety Lifecycle (see illustration), which is a defined process that is followed to ensure that proper safety practices have been implemented. The steps include assessment; functional requirements; selection, design and verification; installation, verification and validation; and operation, maintenance and improvement.

“The first step is to do an assessment,” Rasmussen says. “Risk assessment can mean a lot of different things to different people. In the lifecycle process, if you don't document it, then it didn't happen. The customer's going to feel the same way.”

Assessment

“Do the safety assessment early in the process,” explains Ludwig. “Average performers often do it after the functional specification, or even after machine delivery. Top performers perform a risk assessment as part of the design process, so they're designing safety into the machine, rather than adding it afterward.”

A risk assessment is done to properly identify and assess the real hazards involved in operating a particular machine. It determines equivalent levels of protection for safeguards when applying OSHA's minor servicing exception, takes the guesswork out of estimating risk and prescribing safety system performance, serves as documented proof of your due diligence and establishes the foundation for the design and implementation of an effective machine safety program.

“Identify the machine limits,” Rasmussen says. “Identify the hazards. Estimate the risk. If I haven't identified the risks or the hazards or the modes of operation, I probably haven't done a very good job of breaking that down. Risk is based on severity, frequency or duration of exposure and avoidance probability.”

There are numerous ways of assessing the risk associated with a hazard, one of which is the Hazard Rating Number (HRN) system. With this technique, numerical values are assigned to descriptive phrases relating to the likelihood of coming into contact with the hazard (LO), the frequency of exposure (FE), the degree of possible harm (DPH) and the number of persons at risk (NP). The hazard rating number is then calculated as LO × FE × DPH × NP = HRN.
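The calculation described above, worked through in code. This is an added example, not code from the article or from Rockwell Automation. The article supplies only the formula; the descriptive phrases, their numerical values and the HRN-to-risk-level bands below are assumed for illustration and would be replaced by the scales adopted in a site's own risk assessment procedure. The example also shows the comparison a risk assessment documents: the same hazard rated before and after a safeguard is applied.

```python
"""Hazard Rating Number (HRN) worked example.

Added illustration, not the article's or Rockwell Automation's code.
Factor scales and risk bands are ASSUMED values for demonstration only.
"""
from dataclasses import dataclass

# Assumed descriptive scales (illustrative values, not from the article).
LIKELIHOOD = {  # LO: likelihood of coming into contact with the hazard
    "almost impossible": 0.033, "highly unlikely": 1, "unlikely": 1.5,
    "possible": 2, "even chance": 5, "probable": 8, "likely": 10, "certain": 15,
}
FREQUENCY = {  # FE: frequency of exposure to the hazard
    "annually": 0.5, "monthly": 1, "weekly": 1.5, "daily": 2.5,
    "hourly": 4, "constantly": 5,
}
HARM = {  # DPH: degree of possible harm
    "scratch / bruise": 0.1, "laceration / mild ill effect": 0.5,
    "break minor bone": 2, "break major bone": 4, "loss of limb": 6,
    "loss of two limbs": 10, "fatality": 15,
}
PERSONS = {  # NP: number of persons at risk
    "1-2 persons": 1, "3-7 persons": 2, "8-15 persons": 4,
    "16-50 persons": 8, "more than 50 persons": 12,
}
# Assumed HRN bands: (exclusive upper bound, risk level), ascending.
RISK_BANDS = [
    (1, "negligible"), (5, "very low"), (10, "low"), (50, "significant"),
    (100, "high"), (500, "very high"), (1000, "extreme"),
]


@dataclass(frozen=True)
class Hazard:
    """One identified hazard, rated with a descriptive phrase per factor."""
    description: str
    lo: str
    fe: str
    dph: str
    np: str


def hazard_rating_number(h: Hazard) -> float:
    """HRN = LO x FE x DPH x NP, looking each phrase up on its scale.

    An unknown phrase is an error rather than a silent default: the whole
    point of the method is that every factor is rated and documented.
    """
    try:
        lo, fe, dph, np = (LIKELIHOOD[h.lo], FREQUENCY[h.fe],
                           HARM[h.dph], PERSONS[h.np])
    except KeyError as exc:
        raise ValueError(
            f"unknown rating phrase {exc} for hazard {h.description!r}") from exc
    return round(float(lo * fe * dph * np), 3)


def risk_level(hrn: float) -> str:
    """Map an HRN onto the assumed bands; anything above the top band is unacceptable."""
    for upper, label in RISK_BANDS:
        if hrn < upper:
            return label
    return "unacceptable"


def assess(h: Hazard) -> tuple[float, str]:
    hrn = hazard_rating_number(h)
    return hrn, risk_level(hrn)


def risk_reduction(before: Hazard, after: Hazard) -> dict:
    """Document the same hazard rated before and after a safeguard."""
    hrn_before, level_before = assess(before)
    hrn_after, level_after = assess(after)
    return {
        "hazard": before.description,
        "before": (hrn_before, level_before),
        "after": (hrn_after, level_after),
        "reduced": hrn_after < hrn_before,
    }


# Constructed sample hazard: an operator clearing jams at a press, first with
# open access, then with an interlocked guard that removes routine contact.
PRESS_UNGUARDED = Hazard("clearing jams at press die area",
                         "probable", "hourly", "loss of limb", "1-2 persons")
PRESS_INTERLOCKED = Hazard("clearing jams at press die area",
                           "highly unlikely", "hourly", "loss of limb", "1-2 persons")

if __name__ == "__main__":
    print(risk_reduction(PRESS_UNGUARDED, PRESS_INTERLOCKED))
```

The frequency and harm factors stay the same in both ratings because the safeguard changes neither how often the task is done nor what the press can do to a hand; what it changes is the likelihood of contact. Keeping that reasoning explicit in the documented assessment is what "if you don't document it, then it didn't happen" refers to.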

“The HRN number relates to a risk level,” explains Rasmussen. “A lot of these come from the EH&S folks. There's a divide between developers and EH&S because they don't understand procedures such as lockout/tagout, for example. LOTO is extremely safe, but the problem is that somebody has to actually do it.

“Failure to control hazardous energy has been in the top 10 citations on the OSHA website for the past 10 years,” he continues. “There is a misperception among users; they'll just put out an edict to the OEM or system integrator to set the bar very high, but it often increases the cost unnecessarily. This is often dictated by an EH&S professional.”

Selection, Design and Verification

For each safety function, the characteristics and the required performance level shall be specified and documented in the safety requirements specification (ISO 13849-1 4.2.2). The safety function is a function of the machine whose failure can result in an immediate increase of risk. System components include input, logic and output.

Design considerations include the following questions:

• What mitigation technique should I use?

• What circuit structure should I use?

• What safety products should I use?

• What type of control system should I use?

• What type of special operations do I need?

• Where are all of my safety devices?

• What kinds of interactions are needed for auxiliary machines?

• What kind of diagnostics do I need?

• Should I use hardwiring or networked systems?

“We developed another tool — Safety Automation Builder — as a tool after the risk assessment was completed,” Rasmussen notes. “In this software, you can build each of the safety functions, and it will build a bill of materials. When you're done building the safety function, it will export that to SISTEMA, which will take all of the components, model them and create the overall performance level of the safety function.”

Verification and Validation

Verification and validation play important roles in the avoidance of faults throughout the safety system design and development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a documented plan to confirm that all of the safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The performance level of the safety control system is calculated to confirm that the system meets the required performance level specified. The SISTEMA software is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.

Installation, Verification and Validation

Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test covers normal operating conditions as well as fault injection of the identified failure modes. A checklist is typically used to document the validation of the safety control system. ISO 13849-2 sets the requirements for verification and validation.

“A lot of people misinterpret what validation of a safety function is,” Rasmussen warns. “Unless I've tested it, how do I know if that circuit meets the design? Most people do not do it. Safety devices are designed to fail in a fail-safe manner. How many people have gone through failure injection in a safety system?”
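The kind of validation checklist described above, run against a simplified model of a safety function. This is an added example, not code from the article, from Rockwell Automation or from any safety controller; the two-channel guard interlock logic, the discrepancy limit and the checklist items are all constructed here for illustration. It shows what the text means by exercising both normal operation and injected failure modes (a welded contact on one channel, a broken wire on the other) and by recording expected versus observed output for each item.

```python
"""Functional validation with fault injection: an added example, not the article's code.

Constructed model of a safety function (input -> logic -> output):
  - input:  two channels from one guard-door switch, which should always agree
  - logic:  hazardous motion is enabled only when both channels read 'closed';
            a disagreement lasting longer than the discrepancy limit latches a fault
  - output: the enable flag; a fault or an open guard always de-energizes it
"""
from dataclasses import dataclass


@dataclass
class InterlockLogic:
    discrepancy_limit: int = 2  # scans the channels may disagree before a fault latches
    _disagree_cycles: int = 0
    fault: bool = False

    def scan(self, ch1_closed: bool, ch2_closed: bool) -> bool:
        """One logic scan. Returns True only when hazardous motion may be enabled."""
        if self.fault:
            return False  # latched fault: stays off until repaired and reset
        if ch1_closed != ch2_closed:
            self._disagree_cycles += 1
            if self._disagree_cycles > self.discrepancy_limit:
                self.fault = True
            return False  # channels disagree: safe state while the discrepancy persists
        self._disagree_cycles = 0
        return ch1_closed

    def reset(self) -> None:
        """Deliberate operator reset after the fault cause has been removed."""
        self.fault = False
        self._disagree_cycles = 0


def run_validation_checklist() -> list[dict]:
    """Execute each checklist item against a fresh logic instance and record the result."""
    results: list[dict] = []

    def record(item: str, expected, observed) -> None:
        results.append({"item": item, "expected": expected,
                        "observed": observed, "passed": expected == observed})

    # Normal operation: guard closed, both channels agree -> motion enabled.
    logic = InterlockLogic()
    record("guard closed, channels agree -> enable", True, logic.scan(True, True))

    # Normal operation: guard opened, both channels agree -> disabled on that scan.
    logic = InterlockLogic()
    logic.scan(True, True)
    record("guard opened, channels agree -> disable", False, logic.scan(False, False))

    # Fault injection: channel 1 contact welded closed while the guard opens.
    logic = InterlockLogic(discrepancy_limit=2)
    logic.scan(True, True)
    enables = [logic.scan(True, False) for _ in range(3)]  # three disagreeing scans
    record("ch1 welded closed while guard opens -> never enable",
           [False, False, False], enables)
    record("discrepancy beyond limit -> fault latched", True, logic.fault)
    # Guard closes again: channels agree, but the latched fault must keep the output off.
    record("latched fault survives guard re-close -> remain disabled",
           False, logic.scan(True, True))
    logic.reset()
    record("after reset with healthy channels -> enable", True, logic.scan(True, True))

    # Fault injection: broken wire on channel 2 reads open while the guard is closed.
    logic = InterlockLogic()
    record("ch2 wire break while guard closed -> disable", False, logic.scan(True, False))
    return results


def all_passed(results: list[dict]) -> bool:
    return all(r["passed"] for r in results)


if __name__ == "__main__":
    for r in run_validation_checklist():
        print("PASS" if r["passed"] else "FAIL", "-", r["item"])
```

Each checklist line pairs one input condition with the output the safety requirements specification demands, which is what makes the record usable as validation evidence rather than a note that "it worked". The two injected faults are the ones a two-channel input exists to detect; a real checklist would be derived from the failure modes identified for the actual components.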

Operation, Maintenance and Improvement

Periodic testing should be done to verify proper system functionality. Machine modifications that affect safety require revalidation of the safety function. These include program changes, changes in how the safety system is used, hardware or software changes and changes to the machinery itself. Should the safety-related software be subsequently modified, it shall be revalidated on an appropriate scale.

The functional safety design process uses the Machinery Safety Lifecycle, which includes several steps to help ensure proper safety practices have been implemented.