There’s safety in machines

Of all the machine automation topics we're writing about in celebration of our 10-year anniversary, machine safety arguably has witnessed more change than any other subject we've covered.

By Joe Feeley, Editor in Chief

Of the machine automation topics we’re writing about in these “look back” articles celebrating Control Design’s 10-year anniversary, machine safety arguably has witnessed more change than any other subject we’ve covered in these past 10 years.

For certain, its importance to machine builders and their customers has changed. Safety has moved away from being considered a difficult-to-do afterthought once a machine was built or installed, or a costly necessity that adds complexity and limits machine operations. Most enlightened builders and manufacturers now see machine safety as a crucial element in building and operating equipment that runs longer, avoids damage from mishaps, and can be safely repaired and maintained, often without shutting down the whole machine.

Oh, and it’s had the marvelous trickle-down effect of better protecting operators and technicians. That might be a bit cynical, but it’s this emphasis on uptime and a recognition of global machine safety requirements that elevated machine safety to full-partner status.

10th Anniversary: Look back at how machine automation has changed since our inaugural issue in 1997.

Our second-ever issue in October 1997 pushed CE mark directives center stage as a “time-to-get-acquainted” alarm bell for many machine builders, who needed to understand the impact of newly mandatory European Union requirements for machinery. This directive carried a safety amendment regarding components and systems. This was how many machine builders began to understand what they had to do to compete in Europe. It began to change some notions about safety systems, too.

A machine safety article we published in June 1999 found many industrial OEMs still struggling with the effectiveness of safety systems. “In some cases, simple barriers or guards are sufficient to ensure safe machine operation,” said Dennis Donigan, manager of systems engineering, Kingsbury Machine Tool Co., Keene, N.H. “But you have to be alert to ways that operators can defeat the system. Then you have to design the guard, so it’s as foolproof or defeat-resistant as possible.”

In those days, safety still had a ways to go to be viewed as something other than a pain. Most everyone had a hardwired safety system, whether they’d moved on to digital communications for their machine I/O or not. Still, we saw better things ahead in that 1999 article. We concluded by stating that, “Corporate attitudes about safety are beginning to change. No longer is safety considered just another operating expense that has to be passed on to the marketplace.”

However, we also foresaw the burdens that corporate downsizing of factory-floor engineering skills among end users would put on machine builders and SIs to fill the expertise gap.

The following year, I met Thomas Pilz, who was running the North American operation of Pilz Automation Safety, for the first time at an IMTS 2000 luncheon. I recall him being a bit surprised and pleased that Control Design’s degree of interest and knowledge about machine safety was as strong as it was. The subject hadn’t been much more than a faint blip on the radar screen of many trade publications.

He lamented the difference—primarily from restrictions that NFPA 79 put on the use of programmable safety controllers in the U.S.—in the level of sophistication and interest here as compared to Europe. “People are used to the idea that when you build a machine, you build the safety system, too,” he said in an article we ran in 2001. We agreed it was in everyone’s interest to help raise awareness.

Even though everyone in our biz will now tell you they were absolutely, positively sure back then that Ethernet would become the fundamental data bus in machine control, there’s precious little evidence of them saying so. In fact, a safety bus was pretty much thought of as a second network running next to your control network, if you ever moved away from hardwiring.

Towards the end of 2001, ODVA’s then-president Dave Quebbemann wrote our guest column, telling us about ODVA’s initiative to develop DeviceNet Safety, an advanced safety network to meet the demanding requirements of machinery-shutdown and process-sector availability applications.

“Consisting of a safety protocol running on top of the traditional DeviceNet network, DeviceNet Safety will allow both standard and safety devices to operate on the same network,” he wrote. “In addition, DeviceNet Safety will provide communication between safety nodes, including smart input/output and programmable logic controllers.”

DeviceNet Safety and SafetyBUS p then began to vie for visibility. I remember thinking this was great. The more competition, the faster users will find real benefit.

In an October 2002 article, we wrote about how NFPA 79-1997 required that all Category 0 (uncontrolled) e-stops be hardwired electromechanical components and cause immediate removal of power to all machine actuators until the stop is achieved. Software- and firmware-based controllers could be used only in Category 1 and 2 (controlled) safe stops. Many Category 1 and 2 systems also are hardwired in parallel to a machine’s standard control system.

The reality of bigtime downtime was clear. “If a machine has 20 e-stops wired in series and a gate guard is tripped, then the machine immediately shuts down,” we wrote. “If it’s a large machine, figuring out the problem could take awhile.”

However, good news was coming. We reported in this same story that “efforts are under way to develop safety network solutions. A safety network will allow multiple e-stops and detection equipment to send machine stop signals to motor actuators along one wiring scheme.” Further, we reported that “NFPA 79-2002 will allow electronic products that are listed for Functional Safety to be used for all categories of safety systems.” It was interesting to note that, while machine control standards were just beginning to accept these technologies in the U.S., the process industry had been using electronic systems for years.

We’re headed, albeit still too slowly, in the right direction now. In a 2004 OEM Insight guest column, Bill Elrod of Hartness Int’l. wrote: “This leads me to using technology for safety. There are numerous fieldbus systems, and several have developed the technology to have both process-level control and safety in one network. AS-Interface has a safety bus that operates in conjunction with process-level control. This allows engineers to develop safety and non-safety data on one bus.” He saw the potential in the 2002 revision to NFPA 79. “One of our concerns was the approval of this type of system for use in the U.S. by NEC committees. With acceptance of this method in NFPA 79’s latest release, allowing use of ‘Control Systems Incorporating Software and Firmware Based Controllers,’ we OEMs have options for designing integral systems.”

More and more companies have begun to turn this same corner. The evidence is growing. We’ll revisit the 1997-2007 machine safety saga in our official 10th anniversary issue in June.

As a little teaser for our upcoming May cover story on the continuing convergence of safety systems and control systems, here’s how we previewed its inevitably strong emergence a while back. In a 2006 Control Design cover story on digital safety, Joe Lazzara, at that time president and CEO of Scientific Technologies Inc., now a part of Omron, stated: “The newest versions of safety networks have integrated the safety and control system as one common unit. There’s no need for a separate safety bus, or safety PLC. This saves costs in design, materials, and installation.” He added that not having a separate safety bus aside from the control bus will be “a major force in the further integration of safety and the machine controls into one seamless control system.”

All this, we wrote then, “is a paradigm shift for many of us. The hard and fast rule of safety systems always has been that everything even remotely related to the safety system had to be hardwired, with no exceptions. However, when advantages are weighed against disadvantages, perhaps we’ll reconsider what we’re comfortable with. If we aren’t, then you can be certain that when the guys in the finance group catch wind of the advantages, they’ll help persuade you.”

Most recently, in a February 2007 article on safety relays, contributing editor Loren Shaum closed with a telling fact about the results of consumer products manufacturing giant Johnson & Johnson’s embrace of a standards-based safety strategy. He wrote, “According to a report presented at a recent Packaging Machine and Manufacturing Institute (PMMI) conference, J&J reported 23 worker amputations worldwide in 1982. As of September, 2006, J&J has enjoyed more than 14 months of amputation-free machine operation.”

Despite my cynicism about motive in the opening of this article, the real winners in machine safety are the operators and technicians. That’s why we’ll keep writing about it for the next 10 years.

NFPA 79 2002 Revisions Changed U.S. Thinking About Digital Safety

The main clauses of interest that changed in NFPA 79 2002 include:

9.2.5.4.1.4—Where a Category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. Exception: an electronic logic (hardware or software) system, as well as the communication network or link that complies with both 9.4.3 and 11.3.4 and is listed for Category 0 emergency stop function shall be permitted. The final removal of power shall be accomplished by means of electromechanical components.

9.4.3—Control systems incorporating software and firmware based controllers performing safety-related functions shall conform to all of the following:

  • In the event of any single failure:
      • Lead to safe-state system shutdown
      • Prevent subsequent operation until the component failure has been corrected
      • Prevent unintended startup of equipment upon correction of the failure
  • Provide protection equivalent to that of control systems incorporating hardwired/hardware components
  • Be designed in conformance with an approved standard that provides requirements for such systems

11.3.4—Software and firmware based controllers to be used in safety-related functions shall be listed for such use.

From May 2006, Control Design
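The 9.4.3 clauses read as a behavioral specification, so here is a small Python model of a software-based safety controller that exhibits them, added as an illustration for this article (it is not NFPA text and not any vendor’s safety-PLC firmware). The dual-channel e-stop chain, the guard input, the fault names, the power-up-in-SAFE rule and the press-then-release (“monitored”) reset are assumptions of the model. The point it shows beyond the clause text: correcting the failure must not restart the machine, and neither must a reset button that was held down through the repair or is stuck closed.

```python
"""Illustrative model of a software-based safety controller for NFPA 79-2002
clause 9.4.3 behaviour: a single failure drives outputs to a safe state,
operation stays blocked until the failure is corrected, and correcting it
does not by itself restart the machine (a fresh monitored reset is required).

Added example for this article, not NFPA text and not any vendor's firmware.
The dual-channel e-stop, fault names and reset rule are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAFE, RUN = "SAFE", "RUN"


@dataclass(frozen=True)
class Inputs:
    """One scan of constructed inputs; a real controller reads listed safety I/O."""
    estop_ch1: bool     # True = channel 1 contacts closed (no stop demanded)
    estop_ch2: bool     # True = channel 2 contacts closed
    guard_closed: bool  # True = interlocked gate closed
    reset: bool         # momentary reset pushbutton, True while pressed


class SafetyController:
    def __init__(self) -> None:
        self.state = SAFE                     # power up in SAFE: no startup until reset
        self.cause: Optional[str] = "POWER_UP"
        self._reset_prev = False              # previous scan's reset input (edge detect)
        self._reset_armed = False             # saw a fresh press while the chain was healthy

    @staticmethod
    def stop_cause(inp: Inputs) -> Optional[str]:
        """Return why the machine must be in SAFE, or None if the chain is healthy."""
        if inp.estop_ch1 != inp.estop_ch2:
            return "CHANNEL_MISMATCH"         # single failure: welded contact, open wire, stuck input
        if not inp.estop_ch1:
            return "ESTOP_PRESSED"            # both channels open: legitimate stop demand
        if not inp.guard_closed:
            return "GUARD_OPEN"
        return None

    def scan(self, inp: Inputs) -> bool:
        """Run one scan and return the actuator-power enable (True only in RUN)."""
        cause = self.stop_cause(inp)
        if cause is not None:
            self.state = SAFE                 # any single failure -> safe-state shutdown
            self.cause = cause
            self._reset_armed = False         # a reset press during a fault never counts
        elif self.state == SAFE:
            rising = inp.reset and not self._reset_prev
            falling = self._reset_prev and not inp.reset
            if rising:
                self._reset_armed = True      # fresh press made after the chain is healthy
            elif falling and self._reset_armed:
                self.state = RUN              # release completes the monitored reset
                self.cause = None
                self._reset_armed = False
        self._reset_prev = inp.reset
        return self.state == RUN


def run_sequence(scans: List[Inputs]) -> List[Tuple[str, bool]]:
    """Feed a scan sequence through a fresh controller; return (state, enable) per scan."""
    ctrl = SafetyController()
    trace = []
    for s in scans:
        enable = ctrl.scan(s)
        trace.append((ctrl.state, enable))
    return trace


OK = dict(estop_ch1=True, estop_ch2=True, guard_closed=True, reset=False)


def demo_single_failure() -> List[Tuple[str, bool]]:
    """Constructed scenario: channel 2 fails open, reset is held through the repair,
    then a fresh reset is given. Only the fresh reset may restart the machine."""
    scans = [
        Inputs(**OK),                          # 0 power-up: SAFE, no output
        Inputs(**{**OK, "reset": True}),       # 1 press reset
        Inputs(**OK),                          # 2 release -> RUN
        Inputs(True, False, True, False),      # 3 ch2 opens alone -> SAFE (single failure)
        Inputs(True, False, True, True),       # 4 reset pressed while fault is still present
        Inputs(True, True, True, True),        # 5 wiring fixed, reset still held
        Inputs(**OK),                          # 6 reset released: must stay SAFE
        Inputs(**{**OK, "reset": True}),       # 7 fresh press
        Inputs(**OK),                          # 8 release -> RUN
    ]
    return run_sequence(scans)


if __name__ == "__main__":
    for i, (state, enable) in enumerate(demo_single_failure()):
        print(f"scan {i}: {state:4s} enable={enable}")
```

Scans 5 and 6 are the edge case the third bullet of 9.4.3 is about: the failure has been corrected, but because the reset was already held down when the chain became healthy there was no fresh press, so the controller stays in SAFE until scans 7 and 8 supply one.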