Proceed with Caution: Discussing thoughtful safety design

Good and Thoughtful Safety Design Yields Productive Machines That Are Easy to Operate and Maintain

By Dan Hebert, PE, technical editor

A machine can be designed to be safe in all instances but virtually unusable in day-to-day plant operations. If it’s at all possible, such a machine inevitably will have some or all of its safety features disabled by plant operations and maintenance personnel. A machine also can be designed to leave all shutdown decisions in the hands of operators, unfairly and unwisely burdening them with split-second, life-or-death decisions.

Machine builders can avoid these situations by making sure that their machines are not only safe, but also designed for ease-of-use and maintenance. This means making realistic assumptions about how an operator will respond to potential hazardous situations.

You’ll hear experienced builders say the best way to make a machine safe is to identify and understand applicable safety standards prior to machine design and incorporate these standards into the machine design. Testing the completed machine in various failure modes and modifying the design as required is the final and necessary step.

Failure to follow these procedures certainly will produce an unsafe machine, either initially or eventually, as plant personnel redesign the machine for more-convenient, but often unsafe, operations and maintenance.


Abstract discussions of safety are important, but nothing brings safety to life like a recounting of actual unsafe practices or machine accidents. Reviewing these incidents can illuminate hazardous issues and show a path toward improvement.

I, Robot

“The most serious accident I know of occurred when one of my fellow programmers was pinned against a wall by a robot that he programmed at the customer site,” says Shahvar Pirouznia, engineering manager and founder of Balance Automation Solutions, Longmont, Colo.

Balance Automation makes automated material handling systems for semiconductor and general-industry applications. Its systems are divided equally between fully automated robotics-based systems and semi-automated, pneumatic pick-and-place mechanisms. This incident didn’t involve Balance Automation, says Pirouznia, but he doesn’t identify the company in question.

Injury was minimal in this case, but the situation is frightening to contemplate and could have been avoided easily. “The incident would have been prevented had the programmer not defeated the safety circuit and entered the safety enclosure while the robots were running,” recounts Pirouznia. “This was completely his fault as he was attempting to fix a problem while the system was running. It was the wrong decision.”

As a result, it was mandated that everyone in the company be trained to prevent similar incidents. “Unfortunately, this effort was weak and infractions continued without additional injuries to personnel,” chides Pirouznia.


Why Machine Accidents Happen
1. Machines are not built and tested with proper safety systems, interlocks and alarms
2. Safety features are too cumbersome and are removed by end users
3. End users are not properly trained
4. Plant production needs take precedence over safety
5. Plant operators are unfairly expected to make split-second shutdown decisions

Injury to personnel is the most serious outcome, but damage to equipment can be costly. “Years ago I worked at a company where we designed automated hard-disk-certification work cells,” continues Pirouznia. “One of our robots hit a spinning disk spindle and destroyed it. The problem was a bug in the robot’s path that caused it to swing too wide and hit the customer’s equipment. The bug was determined to be a problem with the vendor’s motion servo algorithm. The robot’s paths were calculated dynamically so it would have been very time-consuming to test all possible paths prior to shipping the work cell.”

Testing all possible robot paths or machine operating modes is not practical in many situations, so perhaps the best we can hope for is testing of all instances for which injury is possible. These types of safety risk-reward decisions are an inevitable and difficult part of the machine designer’s job.

Incidents Presage Accidents

Unsafe practices don’t always lead to accidents, but it’s easy to see how they could. “In one instance, I found two oven gas-pressure switches that were bypassed by the end user,” says Niels Bogh, owner of Bogh Industries, Puyallup, Wash. Bogh Industries is a consulting company for the heat-treat industry, and a large part of its business is combustion-hazard assessment and combustion safety checks on gas-fired equipment.

“The gas pressure switches had been tripping for an unknown reason and shutting off the oven. Instead of investigating and fixing the problem, the two switches were bypassed,” recounts Bogh (Figure 1). “This created a ticking time bomb and disregarded personnel safety.”

Bogh recounts a second incident in which disaster narrowly was avoided. “During an inspection of a large oven, we discovered the hoist cables in extreme danger of breaking,” recalls Bogh (Figure 2). “The problem was reported to shop management and safety personnel. The initial decision made was to run the machine for an additional three days and replace the cables on the weekend.” Fortunately, explains Bogh, upper management intervened. The machine was shut down immediately and repaired. “Failure of the cable would have brought production to a standstill for quite some time, not to mention cause possible injuries or loss of life,” he says.


Figure 1
Bypassing this high gas pressure switch created a ticking time bomb on an industrial oven.

These two incidents are blatant instances of failure by end users to operate machines as designed. But in many cases, machine builders must share the blame for incidents with their customers.

Are Standards Correct?

Before we try to apply safety standards, we must ask if existing standards are correct and sufficient. “The basic theories and standards of machine safety that exist today provide a strong foundation on which to design and build safety systems that allow for the safe operation of machines and equipment,” states Mark Lewandowski, machine controls technology leader for corporate engineering at Procter & Gamble.

Others agree. “Machine safety theories and standards are correct and accurate,” observes Gene Niewoehner, director of environmental, health and safety at systems integrator Maverick Technologies, Columbia, Ill. “The theories are based on physics, physical attributes, mechanics and available technologies. Theories and standards combine to control conditions and series of sometimes unrelated events that can result in catastrophic failure. Current safety standards and methodologies build layers of protection that guard against potentially harmful events.”

Although the standards and theories are substantially correct, there still are the issues of selection and application. “We see the major cause of accidents as a breakdown in defining the correct scope and specification,” says Craig Torrance, national sales manager for Pilz Automation Safety in the U.S. and Canada.

Torrance reports that the U.K.'s Health and Safety Executive (HSE), the U.K. counterpart of OSHA, studied 34 control system incidents and concluded that 44% had inadequate specification as their primary cause.


Figure 2
One end user wanted to leave this frayed hoist cable in place until a more convenient, and less costly, shutdown time was available. Fortunately, wiser heads prevailed.

“Defining the correct specifications is the most important step in machine safety,” concludes Torrance. “Poor comprehension of standards and theories is not the main issue. The main problem is instead a lack of understanding that the correct theories need to be applied at the specification stage and not the design stage.”

A good idea for sure, but a machine builder explains why applying safety specs early can be difficult. “It can be very hard to get mechanical engineers to understand they must design safety features into the machines instead of slapping them on at the end of the project,” argues Phillip Hillard, electrical engineer at Rennco, Homer, Mich., which makes vertical plastic film bagging machines, cup and lid trim press interfaces and cup and lid counters.

Safe by Design

Many designers believe that most machines are initially safe but don’t remain that way due to improper operation or end user modifications. “Most accidents occur due to lack of end user training or from purposeful bypassing or defeating of the safeties and alarms supplied by the manufacturer of the machine or robot,” says Eric Wolfgang, quality assurance and safety standards manager at Engel Machinery, York, Pa.

Engel makes horizontal and vertical injection molding machines (Figure 3). It also manufactures robots and associated automation used with injection molding machines.

A leading supplier of motion control systems agrees with Engel. “To achieve production numbers and keep machines running, many operators innovate new ways to bypass safety equipment and safety processes,” says Rami Al-Ashqar, motion control product manager at Bosch Rexroth Electric Drives & Controls.

It is easy to blame operations and maintenance personnel, and they often are the main culprit in safety violations. But, machine builders can help their customers by making sure machines can be operated and maintained easily with all safety features kept in place.

The best way to do this is to select the right specifications up front, and to design safety into the machine from the initial specifications stage instead of as an afterthought. “Machines must be designed for use,” says Bogh. “The controls must support the use of the machine in the intended fashion, and the operators must be well-trained and alert to subtle changes that can make the machine dangerous to work on or with.”


Bogh’s point is well-taken. A machine and its safety systems must be designed with the end user in mind. The safest machine will become dangerous quickly if safety features make the machine cumbersome to operate and maintain. Safety system vendors recognize this and strive to provide components that are safe, easy-to-use and simple to maintain.

Figure 3

This tiebarless injection molding machine from Engel is used for processing thermoplastic and thermoset materials. This machine line has more than 360 equipment packages that provide molding flexibility for medical, automotive, consumer products, electronics and technical molding applications.

Making Safety Systems Better

Designing a machine that lets operators handle mechanical jams and other common problems safely without severe impact on production is a key component of smart safety. “Our Safety on Board technology allows the operator to keep the machine in production during abnormal operations or maintenance,” explains Al-Ashqar of Bosch Rexroth. “An operator can stop all or part of a machine, go into the machine and remove a mechanical jam. He or she then steps out of a specific safety zone, hits a reset button, and the machine is up and running from the last point of stoppage. In the past, operators often had to bypass a safety switch in order to achieve quick recovery. Safety on Board technology removes that temptation and makes safe operations more likely.”

Rockwell Automation notes the improvements to safety systems over the years. “Although most accidents occur because of human error, mistakes can be exacerbated by poorly designed safety systems,” observes Dan Hornbeck, manager of safety business development at Rockwell Automation. “Historically, safety systems were designed as a black box add-on to the automation system and typically would shut the system down completely. To avoid losing productivity, operators and maintenance personnel would often bypass safety systems.” 


Steps to a Safe Machine
1. Find the right safety standards for your machines
2. Apply the standards to the initial machine
3. Make the machine easy to use and
4. Test the machine’s safety systems and interlocks
5. Consider making certain alarms auto-trip instead of operator-action-dependent

Advances in safety technology have led to more flexible and integrated safety system designs, argues Hornbeck. “These contemporary safety systems let operators and maintenance personnel perform certain procedures on machines in a safe mode, and not completely shut down,” he says. “This helps reduce downtime and improve productivity.”

We all clearly have a role to play in machine safety. Suppliers can provide systems that make safety easy to implement. End users must put safety first, even before production.

Finally, machine builders must design safety into machines up front by following the correct safety specifications. Realistic assumptions about operator capabilities and actions must be taken into account. Safety must be incorporated into machines with operations and maintenance personnel in mind, lest they be tempted to override safety in the interest of uptime.


Paying the Ultimate Price

Death is the ultimate price for poor safety design, but the victim will not have died in vain if lessons are learned.

“I was peripherally involved in a compressor accident in Canada a number of years ago that resulted in a fatality,” recalls Steve Sabin, editor of ORBIT magazine for GE Energy Optimization and Control. “The compressor didn’t have instrumentation installed for detecting a thrust bearing failure. This particular type of failure is very catastrophic because the rotor moves axially and rotating parts contact non-rotating parts, seals fail, and other damage follows. In this case, the damage was serious enough to fatally injure an operator who approached the compressor.”

Following the accident, Sabin became involved with the installation of an API 670 machine monitoring system that included a thrust bearing failure alarm. Shortly thereafter, the axial bearing failed again and the alarm was activated. Because the alarm was not configured to shut down the machine automatically, there was almost a recurrence of the same conditions that led to the earlier fatality.

In both incidents, operators mistakenly believed that a thrust bearing failure would generate high bearing temperatures. The lack of high bearing temperatures led the operators to believe that the compressor was safe. That belief cost one operator his life.

“After the second incident, the plant realized that it needed to take this particular shutdown decision out of the hands of the operators,” reports Sabin. “In this and other cases, operators often are timid when it comes to shutting down a machine that will interrupt a multi-million dollar process. They don't want to be the one who pulled the plug for a false alarm.”

Because of this and other related incidents, the API 670 task force is looking at making certain machine alarms auto-shutdown. “API 670 is an industry standard dealing with machinery protection instrumentation such as overspeed, bearing temperatures and vibration,” explains Sabin. “The task force is composed of machinery manufacturers, machinery end users, engineering and procurement companies and instrument vendors such as GE Energy.”

Sabin believes machinery manufacturers would prefer to force end users to shut machines down when certain critical alarms occur, such as overspeed, thrust bearing movement, loss of lube oil and perhaps seal gas leakage. In some plants these measurements are connected to automatic trips, but in many others the operator is expected to make a judgment call and manually intervene.

“Machinery OEMs historically have made strong recommendations [about machine safety], but end users have been left to decide whether to connect a machine to auto-trip on certain parameters,” states Sabin. “Because industrial accidents and liability concerns can impact the machinery OEM, the topic of mandatory auto-shutdown parameters is being actively discussed now with more interest.”

Certain parameters on any machine fall outside the realm of human interpretation because they are so basic, can occur so quickly and can be so catastrophic. It seems logical and imperative that alarms on these parameters should be auto-shutdown, removing the burden from the operator and possibly saving a life.
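A minimal illustration of the alarm-only versus auto-trip distinction Sabin describes, added here as example code that is not part of the article, of API 670, or of any vendor's protection system. The channel names, limits and scan values are constructed, and a real protection system adds vendor-specific setpoints, time delays and voting that this sketch omits.

```python
# Added example: a toy machinery-protection evaluator contrasting an
# operator-dependent (alarm-only) thrust channel with an auto-trip one.
# Channel names, limits and readings are constructed, not API 670 values.
from dataclasses import dataclass, field


@dataclass
class Channel:
    name: str
    danger_limit: float   # reading at or beyond this is a danger condition
    auto_trip: bool       # True: the protection system trips the machine
                          # False: an alarm is raised and the operator decides


@dataclass
class ProtectionSystem:
    channels: list
    tripped: bool = False                     # latched until a deliberate reset
    alarms: list = field(default_factory=list)

    def evaluate(self, readings):
        """Evaluate one scan of readings. Returns (tripped, active alarms)."""
        self.alarms = []
        for ch in self.channels:
            if abs(readings.get(ch.name, 0.0)) >= ch.danger_limit:
                self.alarms.append(ch.name)
                if ch.auto_trip:
                    self.tripped = True      # trip does not wait for a person
        return self.tripped, list(self.alarms)

    def reset(self):
        self.tripped = False


# Constructed scan: the rotor has moved axially past the thrust limit while
# bearing metal temperature is still normal, the condition the operators in
# the article misread as "safe" because they were watching temperature.
THRUST_FAILURE_SCAN = {"thrust_position_mils": 30.0, "bearing_temp_c": 72.0}
NORMAL_SCAN = {"thrust_position_mils": 5.0, "bearing_temp_c": 70.0}


def build(thrust_auto_trip):
    return ProtectionSystem([Channel("thrust_position_mils", 25.0, thrust_auto_trip),
                             Channel("bearing_temp_c", 110.0, False)])


def operator_dependent():
    return build(False).evaluate(THRUST_FAILURE_SCAN)   # alarm only, no trip


def auto_trip():
    return build(True).evaluate(THRUST_FAILURE_SCAN)    # alarm and latched trip


def trip_stays_latched():
    ps = build(True)
    ps.evaluate(THRUST_FAILURE_SCAN)
    return ps.evaluate(NORMAL_SCAN)[0]    # readings recovered, trip still latched
```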
