Safe to Operate

Risk Assessments Are Simpler. Safety Standards Are Harmonizing. New Machine or Old, It's Emphatically Smart to Protect Operators

By Jim Montague, Executive Editor

Some of the biggest ideas and history-making events just need a little push to get rolling, take off and change the world. Machine safety's evolution from obstacle to opportunity is one of these.

However, despite lip service about its importance, machine safety still is viewed by management and operators at too many manufacturers as a costly drag on production.

As a result, it's often ignored or bypassed, and the tragic injuries and deaths that result are just seen as the cost of doing business. Fortunately, it's become increasingly obvious that a little investment in machine safety now can pay huge long-term dividends in reduced downtime and improved production.

Machine safety is a benefit rather than an expense, and this is shown by the fact that many safety features are becoming standard equipment or low-cost options on today's machinery and equipment. One device, the safety PLC, provides designed-in safety features ready for engineers to incorporate into their applications. "For instance, all the equipment in our assembly and components divisions has safety built in ahead of time by using safety PLCs," says Michael Douglas, senior manager and consultant for new technology and standards at General Motors (www.gm.com). Douglas also implemented GM's global health and safety designs and programs, such as its Safety 21 Process, throughout the entire lifecycle of its production systems. "In fact, we've been working with Fanuc for about 18 months to implement its Dual Check Safety software in the robots in our component and assembly divisions. This software defines an individually tailored and password-protected 3D space within which we can lock down and limit a robot's movement, so it can't travel outside of that 3D envelope and possibly injure someone. This feature also usually reduces the number of light curtains required between the operator and robot. The operators use a teaching pendant to lock the robot in its 3D space, which can be viewed on the pendant. This password feature really adds to the confidence level of the local plant's health and safety department."

Consequently, six months ago, GM began installing Dual Check Safety on several dozen of Fanuc's R30iA robots at its new Chevrolet Volt plant near Detroit. Besides protecting operators, Dual Check provides safety without the expense of traditional barriers, such as added safety mats or light curtains.

"The next phase will be to remove the external robot cell fencing by incorporating safety vision systems, such as Pilz' Safety Eye and other safe-motion robot capabilities. These safety features make our robots so safe that operators can walk right up and interface with them," explains Douglas. "This holds possible solutions for many industries' ergonomic part loading issues. For example, back in 2005 at our assembly plant in Spring Hill, Tennessee, we spent more than $100,000 in rework on our hood line resolving ergonomic issues. If technologies like Dual Check Safety had been available in 2005, we would have avoided those rework costs and provided a safe work space for our operators free of ergonomic risks. Technologies that allow for operator interface will also eliminate many hazards for our maintenance workers because they will no longer have to maintain interface equipment that was eliminated by adding these new technologies. Many of the safety features mentioned above can be applied to later-model robots. Users can check with their robot manufacturer for software upgrade details."

Preparing for Safety

Of course, good machine safety also means getting ready ahead of time. The staff at Oystar Jones (www.oystar.rajones.com) in Covington, Kentucky, always has been concerned with machine safety and proper due diligence. Consequently, even before ANSI/PMMI B155.1-2006, "Safety Requirements for Packaging Machinery and Packaging-Related Converting Machinery," was approved on April 25, 2006, with an effective date 30 months after, engineers at the packaging machine builder formerly known as R.A. Jones knew they would have to gear up to comply with it. They also needed to review their design to ensure compliance with the European Union's new Machinery Directive 2006/42/EC, which became effective on Dec. 29, 2009. As a result, Oystar Jones formed an in-house safety team to update its standards library, perform new risk assessments (RAs) of its machines and make sure it continues to conform to all applicable safety standards. Two members of its safety team are Electrical Controls Engineer Mike Steele and Mechanical Engineer Marc Koeppel.

"Whenever possible, we maintain a single design standard for both the U.S. and European markets," says Steele. "This isn't too difficult once the standards from both regions are understood. Usually, one is a bit more restrictive in some areas than the other. Therefore, if you comply with the more restrictive, you'll typically be in compliance with both standards. This is the general rule, though there are exceptions."

Assessing a Cartoner

For example, one of the Oystar Jones safety team's main projects was implementing a unified safety strategy for its now year-old Criterion 3 cartoning machine (Figure 1). "We first educated ourselves on all the relevant standards that applied to this type of machine," says Steele. "Any necessary standards not already in our possession were brought in-house for reference. Then, during the new machine development phase, we performed a design-phase RA. This allows us to identify potential safety and design issues early, which gives us the opportunity to solve problems before manufacturing begins. Obviously, once manufacturing begins, efforts to correct a potential problem are more time-consuming and costly."

Next, the machine builders constructed a Criterion 3 prototype and undertook a build-phase RA. "A risk assessment really means looking at a machine as if it had no guarding at all," explains Steele. "The object is to identify hazards, including pinch and shear points, impact locations, burn hazards, electrical shock hazards, possible entanglements and other potential hazards. Then, we use a risk-scoring system to determine the severity of each hazard and the probability the machine user will be exposed to this hazard during normal interaction, whether it's an operator or maintenance personnel. For instance, if a hazard with a potentially serious severity is present in the carton magazine region, where an operator interfaces frequently, then there is a greater probability an injury may occur there than in another section of the machine requiring less interaction. This situation would be considered a high risk on our RA, and we would take appropriate corrective action."

Once all the hazards on a machine or system have been identified and evaluated, the safety team and other Oystar Jones engineers work to eliminate or reduce the risk of each, reports Steele. "We first try to eliminate the hazard by design, so it is not an issue," he explains. "If we can't design it out, then we try to guard against it to prevent exposure. If we can't guard against it, we put in warning and caution signs to bring awareness. Once this is done, we do a final RA review to make sure all our risk-reduction capabilities are in place."
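
The risk-assessment sequence Steele describes (score each unguarded hazard, apply the design/guard/warn order, then run a final review) can be sketched as a small hazard register. This is an added example, not Oystar Jones' scoring system or anything from ANSI/PMMI B155.1-2006: the scales, thresholds, residual-risk rules and every register entry except the carton magazine are assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass

# Assumed scales and thresholds; the article gives no scoring system.
SEVERITY = ("minor", "moderate", "serious", "catastrophic")
PROBABILITY = ("remote", "unlikely", "likely", "very likely")
LEVELS = ("negligible", "low", "medium", "high")

def risk_level(severity, probability):
    """Score a hazard from its severity and the probability of exposure."""
    score = SEVERITY.index(severity) + PROBABILITY.index(probability)  # 0..6
    return LEVELS[bisect_right((2, 3, 5), score)]

@dataclass
class Hazard:
    name: str
    location: str
    severity: str
    probability: str      # exposure assessed as if no guarding were fitted
    can_design_out: bool
    can_guard: bool

def reduce_risk(h):
    """Order from the text: design the hazard out, else guard it, else warn."""
    if h.can_design_out:
        return "eliminate by design", "negligible"
    if h.can_guard:
        # Assumption: an effective guard makes exposure remote.
        return "guard", risk_level(h.severity, "remote")
    # Assumption: a sign lowers exposure by one step only.
    step = max(PROBABILITY.index(h.probability) - 1, 0)
    return "warning sign", risk_level(h.severity, PROBABILITY[step])

def assess(hazards):
    """One row per hazard: name, location, initial level, measure, residual."""
    return [(h.name, h.location, risk_level(h.severity, h.probability),
             *reduce_risk(h)) for h in hazards]

def final_review(rows, acceptable=("negligible", "low")):
    """Hazards whose residual risk is still above the accepted level."""
    return [(n, loc) for n, loc, _, _, res in rows if res not in acceptable]

# Constructed register; only the carton magazine comes from the article.
REGISTER = [
    Hazard("pinch point", "carton magazine", "serious", "very likely", False, True),
    Hazard("pinch point", "drive section", "serious", "unlikely", False, True),
    Hazard("shear point", "discharge", "serious", "likely", True, True),
    Hazard("burn hazard", "glue unit", "serious", "very likely", False, False),
]
```

Calling `final_review(assess(REGISTER))` lists the hazards that a warning sign alone leaves above the accepted level, which is where the register sends the design back for another pass.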

Finally, the latest Oystar Jones machine can be shipped to its customer, who also receives a letter stating that it has gone through a thorough RA process and that it complies with the interpreted relevant sections of ANSI/PMMI B155.1-2006.

Oystar Jones also stores an RA for each machine in its library, updates them as new functions are added and then uses them as a foundation/baseline for future machines. "An RA is really a living document," says Steele. "We've performed most of these same safety practices all along, and so the safety team was an effort to do even more formal documentation."

Standards—Harmonizing or Half-Baked?

To help builders and users implement machine safety consistently, several machine safety standards and their supporting organizations have been working to harmonize their North American and European counterpart standards with each other. This means builders will no longer have to design and construct different machines for different regions, but can instead follow one international safety standard.

ISO 10218 is an example of that. The robotics standard is on track to become the first genuinely international safety standard, according to the Robotic Industries Association (www.robotics.org). However, other efforts are struggling to resolve their differences and implement new procedures.

For example, EN 954-1 and its safety categories have been updated to become the ISO 13849-1 standard and its performance levels. Unfortunately, while the EN 954-1 device-focused categories are well understood and used, the ISO 13849-1 performance levels are more comprehensive, use statistical analyses and require mean time to dangerous failure (MTTFd) and other data from all the components on a safety circuit.

Though there are mathematical software tools to help negotiate ISO 13849-1's required calculations, several machine builders report that the numbers they require from their suppliers are still not available. This has prompted postponement of the ISO 13849-1 effective date until December 2011. Steele says Oystar Jones also was preparing to conform with requirements of the latest ISO 13849-1, which includes determining performance levels, MTTFd and diagnostic coverage, but is holding off until data needed to accurately determine these variables is made available to the public.

"We prefer to do the ISO 13849-1 calculations from scratch," explains Steele. "Software programs exist that are supposed to help users determine their performance levels and conform to the standard, but we prefer to use these programs as an additional level of assurance to our calculated results. As a result, when we look at using the ISO 13849-1 standard, we need specific data from different components to ensure we can meet the required performance level. However, several suppliers don't have all this data available to the public at this time, and that may have been a factor in why ISO 13849-1 taking the place of EN 954-1 was postponed. Consequently, our plan is to look at ISO 13849-1 again in the beginning of 2011 and see if better data is available. Hopefully, the component suppliers will be more up to speed by then."

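To show why one missing supplier figure stalls the ISO 13849-1 work described above, here is an added example (not from the article, Oystar Jones or any calculation tool) that computes a channel's MTTFd and average diagnostic coverage with the standard's parts-count and B10d formulas. The component names, B10d values, DC values and duty cycle are constructed, and the example stops at these two inputs rather than deriving a performance level.

```python
def mttfd_from_b10d(b10d_cycles, ops_per_year):
    """MTTFd in years for a wearing part: B10d / (0.1 * n_op)."""
    return b10d_cycles / (0.1 * ops_per_year)

def channel_mttfd(parts):
    """Parts-count method: 1/MTTFd = sum of 1/MTTFd_i over the channel."""
    missing = sorted(p["name"] for p in parts if p["mttfd"] is None)
    if missing:
        # One unpublished value blocks the whole channel calculation.
        raise ValueError("no supplier MTTFd data for: " + ", ".join(missing))
    return 1.0 / sum(1.0 / p["mttfd"] for p in parts)

def dc_avg(parts):
    """Average diagnostic coverage, weighted by each part's 1/MTTFd."""
    return (sum(p["dc"] / p["mttfd"] for p in parts)
            / sum(1.0 / p["mttfd"] for p in parts))

def band(value, limits, names):
    """Name of the first band whose upper limit exceeds value."""
    for limit, name in zip(limits, names):
        if value < limit:
            return name
    return names[-1]

def mttfd_band(years):
    # Per channel: low 3 to <10, medium 10 to <30, high 30 to 100 years.
    return band(years, (3, 10, 30), ("below range", "low", "medium", "high"))

def dc_band(dc):
    # none <60 %, low 60 to <90 %, medium 90 to <99 %, high >=99 %.
    return band(dc, (0.60, 0.90, 0.99), ("none", "low", "medium", "high"))

OPS_PER_YEAR = 100_000  # constructed duty cycle, operations per year

# Constructed component data, not supplier figures.
CHANNEL = [
    {"name": "interlock switch",
     "mttfd": mttfd_from_b10d(2_000_000, OPS_PER_YEAR), "dc": 0.99},
    {"name": "safety controller", "mttfd": 100.0, "dc": 0.99},
    {"name": "contactor",
     "mttfd": mttfd_from_b10d(1_000_000, OPS_PER_YEAR), "dc": 0.90},
]

# Same channel with one value the supplier has not published.
INCOMPLETE = CHANNEL[:2] + [{"name": "contactor", "mttfd": None, "dc": 0.90}]
```

With the constructed data, `channel_mttfd(CHANNEL)` gives 40 years, while `channel_mttfd(INCOMPLETE)` raises and names the component whose data is missing.
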
Production Line Tools

While it's not easy to evaluate and improve the safety of one machine, it can be even more complex to do it for an entire production line.

Italian bottling line builder Sipa Berchi (www.sipa.it) recently launched its Sincro Tribloc Isotronic molding, filling and packaging line at the Drinktec tradeshow in September 2009, but developers at the Parma-based builder decided they needed a PC-based solution to combine and more tightly integrate its PLCs and safety controls with its basic applications (Figure 2).

The machine initially used Siemens Industry's regular S7300 processor and HMI with Profibus protocol, as well as Pilz's PNOZmulti safety modules.

However, Sipa Berchi's engineers felt this arrangement was too cumbersome because Sincro Tribloc's operators would have to go through both Siemens' SCADA software and OPC Foundation's data access specification methods and software to reach from the plant floor to the enterprise level to perform track-and-trace tasks.

To reduce the number of cumbersome steps, Sipa Berchi's engineers installed a Siemens S7 modular embedded controller (MEC) with WinAC Real-Time eXtension Failsafe (RTX F) safety controller software on the Sincro Tribloc about six months ago.

"We can now program our safety controller with the same seven-step program we use for our standard controller, so no extra training or negotiation is needed," says Luca Tedeschi, Sipa Berchi's technical and manufacturing director. "We also can include our safety I/O points with the station I/O points and put them all on a standard I/O module. These advantages are valid for new and existing machines. Connecting the safety sensor to the PLC via the regular bus system is much easier and reduces wiring, which means we can improve performance and reduce costs at the same time."