“Working for Rockwell Automation for 37 years, the one thing I’ve recognized about safety is that it’s ever-changing,” said David Rasmussen, TÜV-certified functional safety engineer, regional marketing lead safety, Rockwell Automation, presenting at Rockwell Automation TechED in San Diego. “We’re developing products that are technological advances in safety. Implementation might get simpler, but the advancements won’t stop.”
Companies implement machinery safety solutions and programs to protect employees from unsafe conditions and known hazards; to reduce costs such as medical and insurance expenses; for regional or international regulatory compliance; to protect the brand from bad publicity and reduced sales; and to improve productivity and avoid complete machine shutdown or full system lockout/tagout.
“At an event like this where most attendees are developers, they’re used to developing standard applications,” explained Steven Ludwig, safety programs manager, Rockwell Automation. “As safety becomes a bigger part of what developers do, we want to show what type of skill sets are needed to successfully implement machine safety.”
David Rasmussen, TÜV-certified functional safety engineer, regional marketing lead safety, Rockwell Automation, describes the Machine Safety Lifecycle at Rockwell Automation TechED.
Which OSHA standards apply to machine guarding of production equipment? CFR 1910.147, the lockout/tagout (LOTO) standard, applies when employees perform maintenance and service to production equipment. It requires that unexpected energization of equipment be prevented by removing all energy from a machine and locking the energy sources in the off-state whenever employees must place any part of their bodies in a potentially hazardous location.
CFR 1910 Subpart O, machine guarding standards, applies when employees operate and work around equipment that is in the production state, and requires that employers provide safeguarding of hazards that could cause injury or illness to employees.
The exception to LOTO applies when employees perform “minor servicing” to equipment, and requires that employers provide effective “alternative measures” to safeguard employees.
“Alternative measures are ways to help keep you running while you still protect the workers,” said Ludwig. “We’re trying to lend some clarification around what they’re permitted to do as an alternative measure because you’re not allowed to decrease the protection of the worker.”
If machine access is required, the choices are LOTO or the alternative means—machine safety, such as integrated machine safety solutions.
“OSHA’s pretty clear on lockout/tagout standards,” said Rasmussen. “Machinery safety exists in one tiny paragraph within the lockout/tagout exception. OSHA’s given us an exception, but how do we implement it? With machinery safety, we have two choices—manual lockout/tagout or automatic alternative methods. Environmental, Health & Safety (EH&S) says to prove that it was designed properly and that it really works.”
The functional safety design process utilizes the Machinery Safety Lifecycle, which is a defined process that is followed to ensure that proper safety practices have been implemented. The steps include assessment; functional requirements; selection, design and verification; installation, verification and validation; and operation, maintenance and improvement.
“The first step is to do an assessment,” said Rasmussen. “Risk assessment can mean a lot of different things to different people. In the lifecycle process, if you don’t document it, then it didn’t happen. The customer’s going to feel the same way.”
“Do the safety assessment early in the process,” said Ludwig. “Average performers often do it after the functional specification, or even after machine delivery. Top performers perform a risk assessment as part of the design process, so they’re designing safety into the machine, rather than adding it afterward.”
A risk assessment is done to properly identify and assess the real hazards involved in operating a particular machine. It determines equivalent levels of protection for safeguards when stating OSHA’s minor service exception, takes away guesswork when estimating risk and prescribing safety system performance, serves as documented proof of your due diligence and establishes the foundation for the design and implementation of an effective machine safety program.
“Identify the machine limits,” explained Rasmussen. “Identify the hazards. Estimate the risk. If I haven’t identified the risks or the hazards or the modes of operation, I probably haven’t done a very good job of breaking that down. Risk is based on severity, frequency or duration of exposure and avoidance probability.”
There are numerous ways of assessing the risk involved with a hazard, one of which is the Hazard Rating Number (HRN) system. With this technique, numerical values are assigned to descriptive phrases relating to the likelihood of coming into contact with the hazard (LO), the frequency of exposure (FE), the degree of possible harm (DPH) and the number of persons at risk (NP). The hazard rating number is calculated as follows: HRN = LO × FE × DPH × NP.
“The HRN number relates to a risk level,” said Rasmussen. “A lot of these come from the EH&S folks. There’s a divide between developers and EH&S because they don’t understand procedures such as lockout/tagout, for example. LOTO is extremely safe, but the problem is that somebody has to actually do it. Failure to control hazardous energy has been in the top 10 citations on the OSHA website for the past 10 years. There is a misperception among users; they’ll just put out an edict to the OEM or system integrator to set the bar very high, but it often increases the cost unnecessarily. This is often dictated by an EH&S professional.”
Functional safety requirements
For each safety function, the characteristics and the required performance level shall be specified and documented in the safety requirements specification (ISO 13849-1 4.2.2). The safety function is a function of the machine whose failure can result in an immediate increase of risk. System components include input, logic and output.
“Most engineers who have to implement machine safety on equipment don’t feel entirely comfortable with it,” explained Rasmussen. “Rockwell Automation has the most complete offering of safety products available. In the past 14 months, we’ve tried to put together multiple types of tools to make it easier or more comfortable for them to put them together. We put together functional safety document sets available online at no charge. We have about 60 of them now. Most safety functions, when we’re talking about alternative measures, are high-use or high-demand functions.”
Selection, design and verification
Design considerations include the following questions:
- What mitigation technique should I use?
- What circuit structure should I use?
- What safety products should I use?
- What type of control system should I use?
- What type of special operations do I need?
- Where are all of my safety devices?
- What kinds of interactions are needed for auxiliary machines?
- What kind of diagnostics do I need?
- Should I use hardwiring or networked systems?
“We developed another tool—Safety Automation Builder—as a tool after the risk assessment was completed,” said Rasmussen. “In this software, you can build each of the safety functions, and it will build a bill of materials. When you’re done building the safety function, it will export that to SISTEMA, which will take all of the components, model them and create the overall performance level of the safety function.”
Verification and validation
Verification and validation play important roles in the avoidance of faults throughout the safety system design and development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a documented plan to confirm that all of the safety functional requirements have been met.
Verification is an analysis of the resulting safety control system. The performance level of the safety control system is calculated to confirm that the system meets the required performance level specified. The SISTEMA software is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
Installation, verification and validation
Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions in addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control system. ISO 13849-2 sets the requirements for verification and validation.
“A lot of people misinterpret what validation of a safety function is,” warned Rasmussen. “Unless I’ve tested it, how do I know if that circuit meets the design? Most people do not do it. Safety devices are designed to fail in a fail-safe manner. How many people have gone through failure injection in a safety system?”
Operation, maintenance and improvement
Periodic testing should be done to verify proper system functionality. Machine modifications that affect safety require validation of the safety function. These include program changes, safety system use, hardware or software changes and machinery changes. Should the safety-related software be subsequently modified, it shall be revalidated on an appropriate scale.