Machine Safety: Easy to Love, Hard to Understand

U.S. Safety Standards Continue to Be an Obscure Issue

By Joe Feeley

As Control Design celebrates its 15th anniversary, we bring you a look back at some of the topics we have covered and that have generated the most discussion among our machine builder and integrator audience. This article is part of our June 2012 cover story, "We Celebrate 15 Years."

Just as building machines for a global market has been something of an adventure, the evolution of machine safety has been an exciting, often confusing, period.

Here again, competing in the global economy meant better understanding of regional differences—safety standards in particular. But even in the U.S., standards were a thorny issue.

At What Cost, Safety?
In the January 2008 issue ("Why Is Safety Information So Pricey?"), Scott Gee, chief software architect at ISDTech, Canyon Country, Calif., lamented in the OEM Insight guest column, "Engineers are bombarded with mantras of Safety Compliance and Standards Conformity. If you are not following the latest safety decrees, you could jeopardize your company's ability to do business, not to mention liabilities you could incur. But no one wants to recognize a question of 'How much is this going to cost me?' I'm not referring to the costs of implementing these processes and procedures; rather, it's about the cost just to even learn the information in these standards."

Gee had replaced an old extrusion press controller system with a new PLC. The local inspector's report frequently referred to UL508 and UL508A as the authority for items that needed to be fixed.

"I asked the inspector if I could get more than just a reference number to this standard," Scott continued. "He politely chuckled. He wasn't trying to embarrass me, but he clearly was amused by my request. He said I would have to find and purchase these standards for myself. I did a web search for these standards and quickly understood the inspector's reaction. The least expensive price I was quoted for UL508 and UL508A was about $450 a piece, and other places wanted as much as $600 each."

When he finished reading them, Gee had one thought: "'Why am I paying so much for these documents?' There were about two dozen pages between both of these documents that actually pertained to my specific situation. I paid $900 to find the reference for not affixing the proper signage?"

Scott concluded by writing, "I have two issues with what happened to me and probably to countless other engineers trying to do the right thing. First, a significant amount of these standards don't contain information relevant to a particular application. Second, standards companies still charge as if you were getting an actual book, but they are delivering PDF files. It's fair for a company to recoup its research investment costs, but hasn't UL been able to amortize their initial costs for the 17th edition of a safety standards book over the decades since the first edition appeared? Spare me the, 'We have to charge that much because of continuing research' argument. The physics of electrical panel safety does not change every year or two."

Safe by Design
In our May 2008 cover story, "Proceed With Caution," we learned that many designers believe that most machines are initially safe but don't stay that way because of improper operation or end user modifications. "Most accidents occur due to lack of end user training or from purposeful bypassing or defeating of the safeties and alarms supplied by the manufacturer of the machine or robot," said Eric Wolfgang, who was then the quality assurance and safety standards manager at Engel Machinery, York, Pa. Engel makes horizontal and vertical injection molding machines and the robots and associated automation used with them.

Abstract discussions of safety are important, but nothing brings safety to life like a recounting of actual unsafe practices or machine accidents. "The most serious accident I know of occurred when one of my fellow programmers was pinned against a wall by a robot that he programmed at the customer site," said Shahvar Pirouznia, engineering manager and founder of Balance Automation Solutions, Longmont, Colo. "This was completely his fault as he attempted to fix a problem while the system was running. It was the wrong decision."

"Injury was minimal, but the situation is frightening. The incident would have been prevented had the programmer not defeated the safety circuit and entered the safety enclosure while the robots were running."

Technology Can Help With This
A feature in our February 2009 issue, "Safety Adds Complexity and Function," summarized recent growth in use of programmable safety controllers.

"As the complexity of machines and work cells advances, the use of midsized and larger safety PLCs has become a must," said Scott Bonnet, control engineer for Rockford Systems, a safety systems integrator in Rockford, Ill. "More and more companies find the benefits of these PLCs if they have multiple zones, multiple devices and the need for integrated controls. The percentage of our business using PLCs is increasing steadily."

We learned here that relays remained a popular choice for many automation and control systems, however, particularly for smaller projects. But the potential troubleshooting benefits of safety controllers were a very compelling new feature for many builders, since a downside of safety relays can be the lack of diagnostics they provide. "When the machine stops," said J.B. Titus, who then was manager of business development and safety standards for Siemens Energy & Automation, "you still have to go out and do some troubleshooting; find and repair the problem to restart the machine. Sometimes the diagnostics issue drives the decision."

PLCs weren't considered sufficiently reliable for safety requirements when first introduced in factories in the 1970s, and standards for industry were written to exclude PLCs from any role in safety, Titus explained.

"That all changed in 2002 when NFPA 79 was republished and allowed safety PLC technology to do safety control," added Titus, now an independent safety systems consultant. "By then, safety PLCs had gone through several design changes and the reliability of PLC technology had achieved high marks."

Assessing Risk Is Everything
We examined the machine builders' approach to risk assessment in our May 2009 cover story, "Don't Get Burned," and learned how Goodyear Tire & Rubber's plant in Gadsden, Ala., after several years of poor safety performance, suffered two major injuries in 2006 when employees got caught in the facility's let-off shear machinery. In one event, a machine had been left in automatic mode, and it seized and injured an operator's hands when he patted down the roll of rubber on it.

"We had a huge need for improved safety," said Charles Skaggs, Goodyear's health and safety manager. "After 2006, our corporate management said it wasn't going to put up with these incidents anymore, and asked us to study ways for our machines to achieve first-class safety ratings."

As we all know, with the essential management support of a safety program, things can change. The main lesson in Goodyear's story was that machine builders and users can look ahead to solve safety problems before they become incidents or accidents, rather than look back after they've happened.

"We've progressed from the idea that there's a magic formula and that you'll be safe if you just use it," said Alan Metelsky, controls engineering manager at Gleason Works, Rochester, N.Y., which builds machine tools for gear-processing manufacturers. "This was the idea several years ago—that if you follow the right U.S. or European standard and use the right doodads, then you'll be safe. However, I say you won't necessarily be safe. You can't just blindly follow a cookbook and expect to do it perfectly enough to address all the different elements in each individual application."

So identifying hazards is still very important, but Metelsky added that they should be followed by task-based risk assessments that include what the operators and maintenance staff do during normal operations and during the whole life of the machine. "The tremendous advantage of a logical, well-thought-out RA is that it can provide tailored risk mitigation that fits each given hazard," he added. "If we need to change a machine's design, having an RA helps us justify and back up those decisions. This lets us avoid being overly redundant, reduce risk appropriately, apply risk assessment consistently, and spend less on safety while still being safe."

Risk assessment was important to Procter & Gamble (P&G). "Our people are our most important asset, and we have a moral obligation to them," said Mark Lewandowski, machine controls technology leader in P&G's Corporate Engineering Technologies division.

Despite many good reasons for doing risk assessments, Lewandowski said, there are reasons why machine OEMs resist doing them, including a lack of awareness about the regulations, fear of liability, confusion on how to do RAs, worry that sharing data on residual risk will scare away customers, and concerns that performing an RA will be too costly. However, he insisted that doing RAs is far better than avoiding them.

"Besides the fact that U.S. standards require machine suppliers to do RAs, it's useful for them to show this kind of due diligence in their design process and demonstrate that their machine is safe to use," Lewandowski said. "If you're sued, it's much better to have done a good RA. And it helps us create better partnerships with our builders. We want to work with builders that show they value safety as much as we do."

Standards Change, Cause Uncertainty

A year later in "Safe to Operate," we discussed the expected changeover of machine safety standards in Europe from the established, device-focused EN 954-1 standards to a performance-based ISO 13849-1 standard that relied more heavily on statistical analysis and mean-time-to-dangerous-failure (MTTFd) data.

As potential users noted that much of the needed data was as yet unavailable from suppliers, the effective date of the new standard was pushed back to the end of 2011. "When we look at using the ISO 13849 standard, we need specific data for each component in the safety circuit to determine the required performance level," said Mike Steele, safety team member and electrical controls engineer for Oystar Jones. "However, several suppliers like Rockwell, Siemens and Sick don't have all of the numbers needed to determine those performance levels yet, and that's why ISO 13849 was postponed for two years until December 2011. Consequently, our plan is to look at ISO 13849 again in the beginning of 2011, and see if there is better data available then. Hopefully, the suppliers will be more up to speed by then."

That lined up well with results from a Control Design Market Intelligence Report in 2010's October issue, which asked our audience about its biggest safety design headaches. Some 48% of the respondents said, "It's hard to know what standards/regulations to apply." Another 29% fretted about operator attempts to defeat the system. About 22% maintained that a safety system impeded productivity.

A Clear and Present Benefit
We've long argued that users and builders needed to look together at an intelligent machine safety design as a productivity enhancement, not an added cost. We reported in our April 2011 news section that an IMS Research study from early in 2011 stated, "It would appear that machine builders are beginning to agree." Machine builders and end users were also working to come into compliance with the latest safety legislation. "That's quite a big change going on," said Mark Watson, research manager at IMS and author of the report. "Machine builders are seeing this transition as something that's going to cost them money."

But they're beginning to realize that the trend toward more intelligent safety components (more likely than not networked, Watson noted) can limit downtime and improve efficiencies. Component companies are looking for more ways to integrate diagnostics, looking for failures before they happen, Watson said. "They're looking for anything where they can limit shutdowns by giving the components more intelligence."

Another attractive element, Watson said, is that EN ISO 13849-1 and EN IEC 62061 are both globally recognized international standards rather than just European. This makes it easier for machine builders to adhere to standards no matter where they sell, without having to make regional changes, he noted.

And safety is working to keep up with the speed of automation. "The speed's increasing, but it still needs to be safe," Watson reported, and one way to achieve this is to integrate safety with standard control components. "It's much more of a focus now, particularly from the larger automation component suppliers."

Indeed, integration of safety and machine control was the focus of our May 2011 cover story, "An Integrated Approach." We noted that until recently, machine and robot builder OEMs needed two automation systems. One of them controlled the machine or robot, while the second dealt specifically with machine safety. Typically, the machine safety system required a separate safety PLC and a dedicated hardwired I/O network.

Separate hardwired safety systems were required for several reasons. Many suppliers simply charged too much for their safety controllers and I/O, restricting use to safety functions. Also, safety-rated versions of many digital communication networks were still in the regulatory approval stages. In addition, many OEM customers were not quite ready for change in the sensitive area of safety.

That changed in the past few years, and integrated safety is becoming a viable solution in many machine automation applications. You now can put control and safety functions into the same automation system, and run machine and safety I/O signals over the same wired or wireless safety-rated network. The price difference between standard and safety-rated controllers narrowed, meaning that it's often cost-effective to use one automation system for both control and safety, especially in systems with a high percentage of safety I/O compared with standard I/O. Of equal importance, machine user acceptance was growing more widespread.

The article examined the implementation of a combined machine safety and automation system done by Toniolo R&D, an automation and robotics system integrator in Oxford Mills, Ontario. Brent Lekx-Toniolo, director of the Automation Division at Toniolo, had experience with old, separate safety systems and with the new, integrated alternatives. He preferred the new.

Toniolo built a control and safety system for a spot weld assembly cell with 11 robots. The safety system included e-stops, access control to safeguarded spaces, robot-to-human interference detection, and general detection of operators entering work stations via light curtains.

"This was a very large safety implementation that included fail-safe over EtherCAT (FSoE), 380 inputs, and 144 outputs across the welding system on 15 I/O stations," Lekx-Toniolo explained. "On top of the significant safety requirements of the cell, the systems also needed to control more than 600 standard I/O points, 12 pneumatic manifolds and two servo drives, while interfacing with 11 robot controllers."

Lekx-Toniolo found, to his surprise, that a TwinSafe system could perform both the control and safety functions, and it was faster than the old, dedicated safety system. "The typical deactivation time of a standard safety relay is 20 ms, and most safety relay systems require cascading of safety relays to build safety logic," he noted. "Many older safety networks have system response times that exceed 120 ms, and frequently exceed 200 ms. Currently, the PLC task, the entire EtherCAT network and all safety in the welding cell is updated every 20 ms, which is much faster than a traditional PLC and relay-based system."

Having one common automation platform with one network is not only simpler, it also consumes much less cabinet space than more traditional designs that use safety relays or multiple control platforms.