Do We Future-Guard Machine Designs?

Sept. 10, 2013
Will Designing Redundant Switches Up Front Forgo Future Problems, Liabilities and Added Costs?

We install a number of different types of safety switches on our machines, all we believe in accordance with applicable standards that were in force at the time. We aren't called on to do regular upkeep or updating of the machines very often. We're a little concerned that, as time goes by and users change out components, the original safety design might be compromised. We're thinking about designing in redundant switches up front to forgo future, unforeseen problems, liabilities. We'd like some thoughts about whether the added costs provide more peace of mind for us as OEMs?

— From July '13 Control Design

Two's Better
The topic of redundant switches is a controversial issue in the view of many. However, the simple fact is that if the switch is not properly maintained, it can be damaged and fail in an undetermined condition. Some manufacturers suggest that their products will "fail-safe," but damage can be wide and varied, so there is no guarantee. Use of two switches in different operation modes or with different methods of actuation is the best and safest practice when monitored by a safety circuit for simultaneous operation; if the switches don't open or close together, the safety circuit will keep the machine from restarting until the fault is cleared. In this situation, the OEM can provide troubleshooting guidelines and guidance in the machine operation manuals on how to remedy the situation and keep machine operators safe.

Matt Dodds,
product marketing manager — safety,
Omron Automation and Safety

Identify and Mitigate
The peace of mind that comes from a well-designed safety system is indeed worth the upfront investment. The added time and cost in the design process is likely smaller than the potential financial burden associated with future questions or even litigation. More importantly, designing robust safety systems for machinery is an OEM's responsibility.


Conducting a risk assessment is the first step in any effective safety-system design process. OEMs should consider foreseeable use and misuse, as well as all individuals who might come in contact with the machine, including operators, engineers, maintenance and cleaning staff.

After completing a thorough risk assessment, OEMs should select and implement safety components that help mitigate the identified risks. Traditional electromechanical safety switches can be a cost-effective solution if installed properly and integrated to provide the required functional safety performance. If the system and its components are more robustly designed (which can include redundancy), then OEMs can expect longer life and higher diagnostics. If the safety switches are implemented such that they can be monitored and not easily defeated, then the suppliers can breathe easier.

The industry is moving toward safety switches that have a higher functional safety (safety integrity) within the switch itself, meaning Performance Level (PL) e per ISO 13849. This includes guard locking-type safety switches because folks are realizing that the locking part of the switch is also a safety-related function. Per the draft ISO 14119 standard, a single electromechanical safety switch can only achieve PL d when using fault exclusion. For new installations, this might or might not be appropriate.

Engineers and machine builders want to design and build once, and know that their machine is robust. This robust design includes more sophisticated and reliable safety components with diagnostics capabilities, all integrated in a way that allows users to easily monitor performance. By starting the design process with a risk assessment and adapting to changing standards and expectations, taking the next steps will be worth the potential added cost and effort.

Roberta Nelson Shea,
marketing manager,
Rockwell Automation

Built-In Redundancy
Industry continues to struggle with the cost and the possible loss of productivity in order to comply with the latest safety standards. In general, redundancy provides the highest level of safety, and this is very true when it comes to safety switch applications. A traditional design, to meet a SIL 3 rating, will use two safety-rated switches to monitor the position of a protective cover on a machine.

A relatively new concept for non-contact safety switches is to incorporate RFID coding and built-in redundancy. This new approach provides several benefits to the customer. First, by having built-in redundancy, it's no longer required to have two sets of switches to achieve the highest safety rating. The second benefit is that cross-circuit detection is built in as well, which allows multiple switches to be connected in series, and reduces the number of evaluation units (safety relays) required down to only one. Both of these benefits reduce the cost of the circuit.

John Burns,
product manager,
Siemens Industry


Upfront Effort Will Pay Off
Over the years, I've been brought to view a machine that had issues with a safety interlock. As these devices are in the heart of the safety circuit, any problems can lead to expensive machine downtime and, even worse, bypass. Often, the root of the switch problem is related to original switch selection. Door misalignment, vibration and environment are leading causes of safety switch issues. As a leading manufacturer of hundreds of safety interlock versions, I can say without question, there is not one safety interlock that can meet all applications. Recent changes in machine safety standards have prompted safety switch manufacturers to develop sophisticated safety switch systems that integrate RFID coding and internal diagnostics. These innovations can dramatically improve the level of safety on a machine, reduce downtime associated with the safety device, and by doing so, eliminate the possibilities of intentional bypass.

The emergence of ISO 13849 resulted in quality control for the machine safety system. Selection of components now is based, not only on deterministic methods (EN 954) that provide the generic architecture for machine safety system, but also on common cause failure and component reliability. Recent discussions at both OEMs and end users have ignited interest in finding better and more reliable components for use in machine safety. Based on these discussions, I would say that both the OEM and end user are heading in the right direction. Upfront investment is well worth the effort, and will ultimately lead to a safer machine.

Michael Ladd,
president and CEO,

Solidify the Design
Adding additional safety switches could help increase the integrity of the safety system, as long as it's wired appropriately, but unfortunately might not give you peace of mind when looking into the future use of the machine. This does not prevent users from changing out switches. In practical use, if parts get damaged or fail, users have the ability to change them out. The downside is in design and how easy it is to change, defeat or even wire incorrectly when replacing.

This doesn't mean you can't achieve what you're looking for. With standards such as ISO13849 and ISO14119, manufacturers and OEMs are taking a closer look at not only the components selected, but also the way they're installed and wired and the overall reliability of the safety system. The standards look for designs to reflect foreseeable misuse of the safety system, thus making it more difficult to manipulate or defeat. Ensuring a validation procedure is provided to properly test the safety system when a replacement is required will help check for proper installation and functionality.

Here are some thoughts that might help with the overall design. These are general concepts that may not be limited to the three written below.

1. Tamper Resistance

a. Selection of Hardware – Use hardware that requires a special tool that's not common to an operator. Many consider Socket Head screws that require hex keys. However, if a facility provides the operator with a set of hex keys for their normal adjustments and tool changes, then these become common as well, and that's where you start to consider more tamper-resistant hardware. Examples of more tamper-resistant hardware would be Pin In Torx or one-way screws, rivets, etc.

b. Selection of Components – Electronic safety switches provide more diagnostics on what is going on with the system. Get models that are a matched set, so the switch and the actuator are a pair, and need to be used together. They become harder to defeat. There are electronic systems now that can use serial communication for diagnostics to see if the switch is even in the circuit.

2. Location – Embed the safety devices in an area that is not easy to get to. "Out of Sight, Out of Mind."

3. Wiring Practices – When concerned about ease of use or the possibility of incorrect wiring, a plug and socket system might be beneficial, keeping in mind that you still need to install it so it's difficult to defeat. Having the wiring hidden, installed into a junction box, or using serial communications to determine if an interlock is missing or misused are all methods providing a more efficient safety system. This does not apply to other components such as safety controllers. They are installed in control enclosures and should be accessed only by authorized personnel. But when wiring needs to be done, there needs to be documentation to provide the proper configuration settings for the safety controller. In addition, ISO13849 requires having validation principles and a validation plan. You should have the directions to test the system in normal conditions, but also to introduce faults that the safety system is designed to detect, such as short circuits.

Mike DeRosier,
engineering services manager,

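Matt Dodds' monitored two-switch arrangement (two contacts in different operating modes checked for simultaneous operation, with a latched fault until it is cleared) and Mike DeRosier's validation step of deliberately introducing faults such as short circuits can be modelled together. The Python below is an added example, not code from any respondent or their company; the monitor, its two-tick transition window and the sample sequences are constructed assumptions.

```python
from dataclasses import dataclass

# Channel A is a normally-open contact (reads 1 with the guard closed); channel B
# is a normally-closed contact (reads 0 with the guard closed).  Two contacts in
# different operating modes should therefore never read the same value.
GUARD_CLOSED, GUARD_OPEN = (1, 0), (0, 1)


@dataclass
class DualChannelMonitor:
    """Safety circuit model: checks both switches for simultaneous operation and
    latches a fault if they disagree longer than the transition window."""
    window: int = 2            # ticks the channels may disagree while the guard moves
    faulted: bool = False
    disagree: int = 0

    def sample(self, a: int, b: int) -> bool:
        """Feed one sample of both channels; return whether the machine may run."""
        if a == b:  # mid-travel, a stuck contact, or a cross-circuit short
            self.disagree += 1
            self.faulted |= self.disagree > self.window
        else:
            self.disagree = 0
        # The guard alone never clears a latched fault: a manual reset is required.
        return (a, b) == GUARD_CLOSED and not self.faulted

    def reset(self, a: int, b: int) -> bool:
        """Manual reset after the fault is remedied; only a healthy closed guard clears it."""
        if (a, b) == GUARD_CLOSED:
            self.faulted, self.disagree = False, 0
        return not self.faulted


def run_scenario(samples, window=2):
    """Validation helper: feed a constructed sample sequence, return (enables, monitor)."""
    m = DualChannelMonitor(window=window)
    return [m.sample(a, b) for a, b in samples], m


# Constructed validation scenarios, as a validation plan would specify them.
SCENARIOS = {
    # guard opened and closed again; one mid-travel tick with both contacts open is tolerated
    "healthy": [GUARD_CLOSED, GUARD_CLOSED, (0, 0), GUARD_OPEN, GUARD_CLOSED],
    # cross-circuit short: channel B now mirrors channel A although the guard stays closed
    "short": [GUARD_CLOSED, (1, 1), (1, 1), (1, 1), GUARD_CLOSED],
    # channel B welded in its guard-closed state; the guard is then opened and closed
    "stuck_b": [GUARD_CLOSED, (0, 0), (0, 0), (0, 0), GUARD_CLOSED],
}
```

Running each entry of SCENARIOS through run_scenario shows the healthy sequence re-enabling the machine once the guard is closed again, while both injected faults leave the monitor latched until reset is called with a healthy closed guard.
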
When It's Gone, It's Gone
I understand and respect your OEM's concern. However, the reality is that once an OEM sells his machine, he has little or no control over what the user does to it. Providing redundant safety switches will not stop users, who are so inclined, from disconnecting these devices, finding creative ways to defeat or override the devices, or attempting other ways to compromise the safety devices' intended function.

A more constructive alternative for the OEM is consideration of the following:

1. Assure that the OEM has performed a diligent risk assessment on their equipment.

2. Fit their equipment, to the degree possible as an OEM, with suitable machine-guarding safety devices consistent with this risk assessment and current safety standards.

3. Where possible/practical, emphasize the importance of these safety devices in the users' manual, and on the equipment (with warning notes, et al).

4. Recommend that any safety device that has been damaged be replaced with the same device supplied by the OEM.

5. Recommend that the user perform regular inspections and maintenance on the safety devices to assure that they haven't been tampered with, damaged, or in any other way have had their function/performance compromised.

6. If appropriate, suggest that the user (depending on how they use the equipment), add appropriate safety devices consistent with their own risk assessment based on their in-plant use/installation of the OEM's equipment.

Peter Engstrom,
managing director,
Steute USA

[Editor's note: The following thread resulted from posting the question on LinkedIn's Business Industrial Network Group.]

Some People Don't Get It
My first concern was always to do what I could to keep our people as safe as possible and I'm sure you feel the same way. I recently witnessed a couple of things that I questioned. A drive panel was added to a line and contained a safety relay. They were going to wire it into their old e-stop string. Without safety-rated buttons and proper wiring the safety relay is just wasted money.

Another company I do automation work for gathered quotes on a light curtain system that had a couple of operating modes. This was in front of a calender nip. I mentioned the expense of the safety PLC and safety switches, and I was told the others had quoted normal micro PLCs. I told them "Thanks, but no thanks."

I think if you try to improve a safety system on a line, you should use safety-rated components and wiring throughout.

Sam Cox,
general manager, automation group,
Precision Electric

Do Your Part
I agree with Sam. As safety system designers and installers, you're responsible for the integrity of the total system that you install. The manufacturer is responsible for the equipment that they provide as long as it's installed per the manufacturer's instructions and applicable laws. As the manufacturer does not know how their equipment is installed, you're ultimately responsible for the system. You can't carry out half measures on safety systems.

If you're taken out of the loop as far as upkeep of the systems is concerned, you can't be held responsible for changes others have made to the installation as long as the original installation was in line with applicable regulations. Unfortunately, that doesn't help a person who is injured due to the failure of a safety system. That's the point to emphasize to management when they're looking to save a few dollars.

Allan Kitchingman,
industrial electrician,
Laminex Group

[Editor's note: These comments came from posting the question on LinkedIn's Controls and Automation Network Group.]

All About Risk Assessment
This seems to be a very typical question. My experience shows that everyone wants to provide a safe working environment, although not everyone always agrees on what they consider to be safe. Designers and engineers tend to be very conservative and usually will err on the side of caution. Cost seldom escapes the scrutiny of management. The best way to quantify cost and reduce your liability is to perform a risk assessment. The risk assessment will help you to evaluate the hazards and risks, and identify the appropriate level of safety required. It shows that you have done due diligence and why a certain level of safety is required or not. It's entirely possible that a risk assessment can reduce the cost of the safety solution. Regardless, it will allow you to justify the cost.

Risk assessment is essentially a requirement. In the U.S., it's more of an implicit requirement being referenced by many standards such as ANSI, NFPA and even OSHA. If you do business outside of the U.S., specifically Europe, it's an explicit requirement. If you're looking for peace of mind and want to know whether or not the cost adds up, start with a risk assessment.

Larry Asher,
engineering director,
TEC Systems Group

Can't Always Prevent Stupidity
I too have worked for an OEM, and gone back a couple years later to find safety switches modified — or in one case removed and the covers bolted down to prevent people from having access. Design in the safety and have a clear conscience — you can't prevent others from doing stupid things.

Chris Alexander,
PE, process control engineer,
Regional Engineering Group, Givaudan