"Whether it's a pull cord, scanner, or drive, we already have the code for it." Michelin's Kerry White discussed how the company's global effort to standardize safety processes helps "squeeze out potential errors."
Chris Brogli added that companies that practice safety have goals such as protecting their workers and the environment, as well as their brand image. "When you hear 'oil spill' or 'accelerator pedal,' which companies immediately come to mind? Firms want to be safe to help avoid tainting their brands."
Rockwell Automation also has designed a process it calls the Machine Safety Lifecycle, which firms can follow to ensure they have implemented proper safety practices. It is based on the ISO 12100 standard. Steps to follow include assessing risk, determining machines' functional requirements, design and verification, installation and validation and, importantly, maintaining and improving. "Users can then perform design-verification calculations using complex mathematical calculations or an easy-to-use Rockwell Automation tool based on the SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) methodology," said Brogli.
Michelin Tires is putting similar methods into practice. The company has been around since 1832, has 111,200 employees worldwide in 67 plants in 17 countries, and has made tires in the U.S. since 1971. "We approach safety in terms of reliability because in the final analysis, it's all about how reliable that machine is going to be at the safety level," said Kerry White. "We are part of what we call UTEs—united teams of engineering with a fourfold purpose of improving design safety, design quality through standardization, engineering efficiency and engineering professionalism."
This endeavor is a challenge because Michelin has many regions, zones and plants at many different skill levels. Further, there are different requirements in every country, continued White. "To ensure the level of safety in every plant is the same, we use ISO 13849 and IEC 60204, standards that apply to all governmental regulations and meet the requirements of every country."
A few years ago, safety standard EN 954-1 was replaced by ISO 13849, so Michelin now uses the latter. "EN 954-1 was mostly electromechanical and involved relays and contactors. The safety circuit was defined by the electrical diagram. The engineer drew it out, wired up the machine, started it and flagged the light curtain. If the machine stopped, we said 'we are good to go.' But you can't use a solid-state device in that safety system," explained White. "ISO 13849, though, includes EN 954-1 tenets and encompasses electrical, programmable, pneumatic, fluid and hydraulic technologies."
"Currently, we look at how reliable will a machine or switch be, what is the ability of a system to detect a fault or the state it is in, as well as common causes of failure," said White. "If we deconstruct the standard (ST-154), it can be seen that every risk has to be mitigated by a safety function. So if you have a machine with 10 risks, you have to have 10 safety functions. Inside each safety function are three components—inputs like light curtains, interlocks, floor mats and scanners; logic in the form of controllers, safety relays or safety PLCs; and outputs, which are the final switching elements such as valves. When you look at the whole system, you must look at multiple safety functions for different levels with the varying input, logic and output devices."
Instead of training all its engineers on becoming safety experts, "Michelin developed a several-step process. Following it ensures we apply ISO 13849 and meet our goals of safety, quality, efficiency and professionalism," White said.
The first is a risk analysis that defines what performance level to design to. It involves using a tool Michelin developed that walks through the interventions with the machine, then identifies hazards. "The tool tells us the risk level, how we need to protect it and documents every intervention. For example, if a worker is likely to get pinched by a robot, this is documented. In addition, every hazard is mitigated by, say, putting up a guard or implementing an electrical fix."
In another step, the company looks at the input, logic and output components one at a time. "For inputs, every plant has a choice of only three E-stop buttons, simplifying the process," said White. "The next step is to apply the input to a safety logic element—a safety relay, safety controller or other device. That way, the diagram is already done, and we don't have to guess whether the PLC or safety relay was wired up right. The method is the same from plant to plant or zone to zone. We do this for every one of our inputs and have only one safety relay and one safety controller to choose from, again simplifying the process. Output components are done the same way."
"Every safety device also has its implementation guide from the manufacturer that we must follow (for example, directions on how to best install a light curtain)," continued White. "The last part is to validate that the performance level required equals the performance level achieved, and again, this is all based on ISO 13849."
"The upshot is that following these instructions ensures safety," said White. "We apply the same kind of thinking to programmable safety by using a modular approach with locked bits of code that contain the HMI graphics and programming, as well as the implementation guides. Whether it's a pull cord, scanner or drive, we already have the code for it. Our approach standardizes our operations, which bolsters safety by helping squeeze out potential errors."