More methods for planning a safety upgrade

April 4, 2018
Seven industry experts on how to consider design, integration, testing and operation

A Control Design reader writes: I work at a packaging plant where safety upgrades to palletizing equipment excessively stopped the machine and confused multiple technicians, ultimately leading to some of the safety measures being bypassed, which resulted in an operator injury. This is unacceptable and a review of the plant found many safety concerns that must be fixed.

The plan is to upgrade several bottling lines, fillers, palletizers and wrappers to a standardized safety platform, likely safety controllers, and then carefully train all personnel on the safety system and procedures. The systems involved are various and have a wide range of safety devices to integrate. Can you suggest how to plan this out, design, integrate, test and operate the system? Quick installation, integration, configuration and testing are required. Can you help with this safety upgrade?

Part one has nine other industry experts answer and give their safety upgrade tips


Functional safety

The first step in implementing any safety plan is to confirm the appropriate standard. In the case of machine automation, the predominant standard would be ISO 13849-1 / ISO 13849-2. The first part is the general principles for design; the second part is validation. Before the design process of the safety system can take place, another process— the risk assessment—must be carried out. This is represented by another standard, ISO 14121, and is very important to determine the hazards that are present in the existing machinery—bottling lines, fillers, palletizers. This necessary function is typically carried out by the machine builder or the people most intimate with the machine and its functions or by a third party certified in the safety of machinery. Quite often the end user or the purchaser of the machinery will get involved, since they are the ones who will operate the machine day to day.

Once the risks have been identified, the design process can begin. Another standard, ISO 12100, can be used. This standard identifies the basic concepts and general principles for design, identifying the necessary steps for risk reduction. The design of the safety-related parts of the control system (SRP/CS) may require iterative steps to determine the appropriate safety function and the necessary SRP/CS to satisfy the safety function. For instance, it may be determined that simple gating can be used in particular areas of a machine to comply with appropriate safety standards, such as EN ISO 13857, to effectively mitigate the hazard inside the gating. If, however, it is required for a person to enter and exit a work area during the operation of the machine, other SRP/CS must be used to mitigate the hazard. This may require reiterative steps in the control design process.

Before any build or integration of the SRP/CS can take place, the decided-upon solutions must be validated to determine if they will achieve the required level of safety determined in the risk assessment/evaluation. This requires the designers of the safety system to calculate the performance level (PL) using such information as the component reliability data (MTTFd, B10d), common cause failures (CCFs) and diagnostic coverage (DC). The performance level is the “discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions.” Once calculated, the PL, along with the category, determines if the designed system can achieve the level of safety identified in the previously mentioned risk assessment/evaluation.

After the build and integration have been completed, the operating and testing (validation) of the safety system (SRP/CS) need to take place. ISO 13849-2 identifies the steps necessary to validate the safety process, including validation by analysis and validation by testing. The validation and testing also includes the determined safety function: the function of the machine whose failure can result in an immediate increase of the risks. To clarify, the safety function is the “safety state” that is initiated when a person breaches a safety input device, such as a safety light curtain or safety area scanner. The complete evaluation of all hardware and software SRP/CS need to be validated.

The efficiency of integration, installation, configuration and testing depends on:

  • utilization of existing components

  • delivery times of new SRP/CS

  • validation and testing requirements

  • category and PL required

  • knowledge base of staff.

If this type of upgrade to a safety system has never been done prior, it is recommended that a third party who is certified, such as a functional safety expert (FSE) or certified functional safety expert (CFSE), handle the project. They will be able to identify the hazards, what should be done and who can be used for SRP/CS. It is also possible to check in with your current controls supplier; most of them have an existing functional safety program and can provide complete service from beginning to end.

As a supplier of SRP/CS, we would be able to work with the third party and supply necessary pneumatic components/systems that would satisfy the required safety level.

If a specific safety standard will not be followed, the process outlined is still relevant and suggested.

Jeff Welker / project manager / Emerson Automation Solutions

United States and abroad

Your objective is to reduce risks to a value lower than acceptable risk. This is typically achieved by:

  • good machine design

  • safety-related systems and procedures

  • external risk reduction devices.

A well-designed system reduces the risk to an acceptable level. It does not make a machine completely safe.

These are the most common reference materials and standards used. Have these standards on-site and use them as references.

OSHA—Occupational Safety and Health Act of 1970: Mandatory and legally binding in the United States. It assures “safe and healthful working conditions,” and the focus is on work-related safety.

OSHA 1910 focuses on machine safety. Lock-out-tag-out is biggest impact. It recommends robots comply with ANSI/RIA R15.06.

ANSI—American National Standards Institute (founding member of ISO): B11 technical reports provide guidelines and tools for risk assessment, risk reduction and safeguarding. ANSI does not develop standards. It acts as a facilitator in establishing voluntary consensus standards with various groups.

NFPA—National Fire Protection Agency: Covers all industrial machinery. NFPA 79 is the electrical standard for industrial machinery. E-stops and stop categories are the biggest impact.

RIA—Robotic Industries Association, recommended by OSHA: Several sections focus on safeguarding. A key thing to remember is that OSHA has incorporated ANSI and NFPA standards into its own, and OSHA1910.6 states: “Organizations which are not agencies of the U.S. government which are incorporated by reference in this part, have the same force and effect as other standards in this part.”

Key U.S. machine safety rules include due diligence. Due diligence in assessing and removing hazards is required to be performed by machine builders and machine users. At a minimum, this means compliance with OSHA standards.

Proving in a court of law that you did your due diligence requires documented evidence that a risk assessment has been performed and corrective actions taken when needed.

The document must demonstrate that all hazards have been addressed and removed using “state of the art” equipment, which is interpreted as compliance with globally accepted machine safety standards.

Your core proof is the “requirement” to perform and document the “risk assessment and hazard abatement means,” per IEC-62046 safety of machines.

To help you, Sistema Performance level (PL) software packets are available to document the risk assessment phase.

Before we start designing our safety circuit, let’s review some key U.S. rules.

Who is responsible? OSHA states, the user (employer) is responsible for ensuring the safeguarding equipment is installed and maintained correctly and that the various personnel are trained in the operation and maintenance of the safeguarding. U.S. rules focus on the safety of employees.

In Europe, the European Machinery Directive requires machine builders, not the employer, to make safe machines. It requires TUV certification for all components used in machine safety circuits.

Another key difference is that OSHA is legally binding in the United States, while the European Machinery Directive is a harmonized standard that has no legal ability to enforce the rules. Any legal action to enforce is the sole responsibility of each member state.

Who is responsible is a main difference between U.S. and European rules. If you only use machine safety hardware that has TUV certification, the devices have documented proof that they conform to internationally accepted machine safety standards. While they are like U.S. standards, the TUV rules tend to be better defined and have implementation plans that are easier to understand and execute.

TUV-certified machine safety hardware is the highest, well-defined, globally accepted standard you can use. Hardware that has this certification enables faster implementation and shows a great “due diligence” approach to selecting your machine safety hardware. This can help to protect your organization from frivolous lawsuits and excessive penalties.

Another advantage, the risk assessment on TUV-certified components is already done and well documented when it arrives at your plant. This can be a big-time saver.

ANSI B11.19 defines a user as:

  • an entity that utilizes machines, systems and related equipment
  • an individual, corporation, partnership or other legal entity or form of business that employs individuals to operate and maintain manufacturing systems/cells.

ANSI B11.19 states the user’s responsibilities:

  • The user shall be responsible for ensuring that safeguarding is provided, integrated, installed, maintained and used in accordance with the requirements of this standard.

The user shall be responsible for ensuring that supervisors, operators, maintenance and service personnel are trained in the proper installation, adjustment, operation and maintenance of the safeguarding, within the scope of their work activity.

Have a solid, well-documented trail for all training. OSHA and ANSI have also defined an “authorized (qualified) person” to perform tasks and that the authority is given by the employer to this person. This person has also received training on the hazards involved in the tasks they are to perform.

In another area, OSHA 1910.211 Definitions—Safety System (d)(60)(d)(62) “Safety system” means the integrated total system, including the pertinent elements of the press, the controls, the safeguarding and any required supplemental safeguarding, and their interfaces with the operator, and the environment, designed, constructed and arranged to operate together as a unit, such that a single failure or single operating error will not cause injury to personnel due to point of operation hazards.

This implies redundant electric circuits for high-risk machine-safety hazardous areas. OSHA 1910.211 Definitions—Authorized Person (d)(63) “Authorized person” means one to whom the authority and responsibility to perform a specific assignment has been given by the employer.

The NFPA 79 definition of a qualified person is one who has skills and knowledge related to the construction and operation of the electrical equipment and installations and has received safety training on the hazards involved. Do you have documented proof to back this up?

Many standards require conformance to NFPA 79 for electrical equipment. Two such standards are ANSI B11.19 and ANSI B11.20. NFPA 79 defines emergency-stop devices and stop categories.

Control reliability is very similar to the intent of Category 3 and 4 as defined in European Harmonized Standard EN/ISO 13849-1. In all cases, if a single component fails, it shall not prevent the normal stopping action of the machine, and it does prevent the machine from restarting.

It stands to reason that, if a single component fails, there must be a similar component available to complete the stopping action, and that there must be some type of checking circuit to acknowledge that single component failure and prevent a restart of the machine. This would suggest some type of redundancy of the various components and some type of additional self-checking circuitry would be required in order for a circuit is to be reliably controlled.

I really don’t like using suggestions and guidance as advice to build a system. There are too many gray areas that can come back to bite you. TUV certification has a major advantage in this area. TUV tends to use performance specifications with well-defined limits that make it easier to build a solid, reliable system. TUV certification also requires the hardware manufacturer to make a safe system and that it be well-documented. This can save a bunch of time during the documentation phase of the project.

The control system shall be constructed so that a failure within the system does not prevent the normal stopping action from being applied to the press when required, but does prevent initiation of a successive stroke until the failure is corrected. The failure shall be detectable by a simple test or indicated by the control system. This requirement does not apply to those elements of the control system that have no effect on the protection against point-of-operation injuries.

ANSI B11.19 and ANSI/RIA 15.06 both provide a definition of control reliability as:

The control system shall be designed, constructed and installed such that a single control component failure within the system does not prevent stopping action from taking place but will prevent successive system cycles until the failure has been corrected.

The first step is putting together a team of experienced people to identify the hazards. This team should be made up of line people, production, safety, quality engineering and other people that have extensive knowledge of the machine and how it is used and operated throughout the day.

Hazards must be identified before the machine safety hardware architecture can be designed. The team’s job will be to identify hazards.

The first corrective action used is good machine design. Ask yourself what can you change in the existing design to make it safer? Are all safety gates, panels and guards in place? Can more be added?

Next, try to improve safety-related systems and procedures used in the facility. Some common questions to ask: Have operators been trained on the hazards, and do they know how to operate the machine in a safe way? What procedures are in place to keep unskilled people from operating a dangerous machine?

If the above steps do not drive the risk down to an acceptable level, then machine safety monitoring equipment will need to be added to the equipment. The first step is risk assessment.

After a dangerous area is defined, you need to build a solution. A machine safety monitoring system requires the following three basic building blocks:

  • acquiring information

  • monitoring and processing

  • stopping the machine.

Sensors are needed to acquire information on the machines state. Is the door open or closed? This information on the state of the machine is fed back to the machine safety monitoring device.

Machine safety-rated monitoring hardware and processing software then process the sensor data. It has two primary functions.

  1. The first is to detect when the machine is in an unsafe condition. When this condition is detected, it sends a shutoff signal to the power circuit that is creating the dangerous energy in the system.
  2. Another critical function of the safety relay, PLC or controller is to do automatic, continuous self-checks. This is required by most standards.

Also, use machine-safety relays that are designed with universal inputs. These devices are very flexible and can handle a wide range of machine safety sensors such as mechanical door interlocks, e-stops, e-stop cable pulls and light curtains. Universal-input machine safety relays will simplify your system design.

In the United States, stop categories define the way we stop the machine. It explains approved ways to remove dangerous power from machines. Power can be generated by electricity, high-pressure air, hydraulic fluid, chemistry or high-temperature components that need to cool before allowing entry.

In the United States, stop categories are identified in EN 60204-1 and NFPA 79 2007 (9.2.2). There are three types of stop categories:

Stop Cat. 0 removes all power. It is typically used on simple machines such as a hand-operated drill press.

Stop Cat. 1 adds an interlock device to the circuit. This is used when operator access time is faster than the time it takes to remove the danger. The machine safety sensor will have a remote-controlled locking/unlocking solenoid. It is controlled by the machine safety analysis device. Its job is to “only allow operator entry after the danger has been removed and power disconnected.”

Stop Cat. 2 also removes high inertia/slow stop energy and is typically used when VFD or motion-control devices are in the system. The main difference is low-level power is left on to power the control system so it can retain control of the system.

Per EN/ISO 13849-1 there is a specific way that the power-disconnect device code must be implemented. In addition to Stop Category, OSHA 1910.147 Subpart J, General Environmental controls control of hazardous energy must be followed.

This is known as the lockout/tagout (LOTO) procedure. It was adopted to help to safeguard personnel from hazardous energy while maintaining or servicing equipment.

Energy source can be electrical, mechanical, hydraulic, pneumatic, chemical, thermal or other forms of energy. Multiple energy sources may need to be locked out or tagged. Section (b) of this standard states, “Push buttons, selector switches and other control circuit type devices are not energy isolating devices.” This would include limit switches, safety interlock switches, cable pull switches and other types of control equipment. These devices can have power after a safety shutdown event. 1910.147 may be the most far-reaching standard OSHA has adopted and is similar in principle to the European Machinery Directive 98/37/EC, Annex 1, Isolation of Energy Sources.

Check to be sure you have the certifications and markings you need for your area. TUV, even though it is not required in the United States, is a very useful standard to incorporate. It has strict guidelines on the performance, system reliability, hardware performance and layout of the safety systems that are better defined and easier to implement and understand than the OSHA rules.

Allan D. Hottovy / TUV-FSCEM functional safety certified automation & machine safety sensor expert / Telemecanique Sensors

The ultimate goal

Ironically the only way to do a quick installation is to spend the time up front and perform a thorough risk assessment. It is critical that you analyze the current operations, identifying areas of risk to determine how critical they are based on frequency and consequence of failure. The ultimate goal is to ensure that each operation can carry out its intended function safely and reliably even if a failure were to occur. After this assessment, you will have selected the appropriate safety standard and performance level to comply with. We can then move on to reviewing the hardware and software requirements. For instance, you may want an integrated safety controller which can control both safe and non-safe devices over an Ethernet-based network. It is also important to make sure that this integrated safety system is designed with operator feedback to complement practical machine operation. The safest machine design may be pointless if your operators resort to bypassing safety functions in the name of efficiency. Once the specification and design has been validated, we will move on to create an installation and test plan. Some things to test for:

  • confirm that each safety input and output is in working condition and responsive to the controller logic

  • validate that safety devices are responding to every mode of operation

  • check that resets, e-stops and any zone controls are responsive

  • finally execute fault testing to ensure that we are in compliance with the selected safety standards.

Throughout this entire process it is imperative to create user instructions; document all revisions of prints, diagrams and bill of materials; and keep track of every component's lifecycle. Finally, safety upgrades are part of an ongoing process, and it is best practice to regularly validate and review the safety mechanisms and implement improvements.

Deana Fu / senior product manager / Mitsubishi Electric Automation

IEC 61511

It's difficult to give a complete answer without knowing the specifics of the application and the safety knowledge/capability of the organization. I'll try, however, to give some broad guidance based on industry common practices, standards and guidelines.

Without going too deeply into standards, many in the industry take a machine functional safety lifecycle approach. This considers various phases in the design, startup and operation of a machine, in general there are several steps to the process:

  1. analysis: this includes a risk assessment, which must always be conducted
  2. implementation
  3. operation
  4. ongoing functions.

These are the steps in the process defined by the IEC 61511 standard; it has multiple sub-steps. You can find similar processes from other organization and suppliers by searching the Internet. Since you are likely located in the United States, you'll be focused on meeting OSHA's requirements and any standards which are referenced by OSHA. In general, if you follow a well-organized process, such as the one referenced by IEC 61511, you'll create the basis for better compliance with OSHA regulations and other standards.

Once you have decided on a machine functional safety lifecycle approach, you can start working on the different elements of the process. In this case, there are a variety of machines to safeguard, and each may require a different strategy and solution. It also seems that machine-to-machine coordination and complete process integration is desired. A functional safety approach will allow use of safety PLCs and safety fieldbus communications tied into the standard control and networking platform. It may be beneficial to use a single supplier for the standard and safety controls and to choose a single Ethernet-based control network which can handle both standard and safety communications, such as Ethernet IP/CIP, ProfiNet/ProfiSafe or EtherCAT/FSoE. This will simplify programming, setup, integration and maintenance. It may also be possible to use a modular control, network, I/O and software design, allowing reuse of basic design elements and documentation across multiple machines.

These controllers and networks will also enable the use of local, remote and remote IP67 I/O, which simplifies wiring, startup and troubleshooting of the individual machines and complete process. If the I/O count is high enough and the process is spread out, such as a filling line, it can be advantageous to add a device-level network, such as IO-Link and Safety over IO-Link, below the Ethernet network. Using a networked remote I/O approach also allows integration of various safety and non-safety devices from multiple suppliers, including safety light curtains, door switches, e-stops and safety laser scanners. Users will often need to mix and match components for a variety of reasons.

If this seems daunting, there are several companies that can be hired to do everything from a just a risk assessment to the complete machine safety lifecycle, including integration and installation.

Tom Knauer / safety champion / Balluff

5 steps to safety

There are five steps to consider for your safety upgrade.

The first step is to conduct a risk assessment. Most North American and European machine safety standards call for mandatory risk assessment for the construction or modification of a machine or machine part. The risk assessment should be implemented and documented by qualified personnel.

Next, reduce the risks. The purpose of risk reduction is the attainment of an acceptable residual risk. For this purpose, suitable safety measures are defined on the basis of a three-step method by a team from the respective specialist departments. The architecture of the safety functions is defined and the overall safety concept is implemented and commissioned in future steps.

Third, implement technical protective measures. Components should be selected in accordance with the applied standard requirements.

Fourth, the manufacturer prepares the technical documents as proof of conformity.

And finally, validate and verify. Prepare a validation plan, theoretically examine and test all safety functions and finalize documentation as applicable. In case of damage, the manufacturer can verify that the machine’s design is compliant with the directive. Compliance verification provides better protection against liability claims and accusations of negligence, which may result in claims for damages.

John D’Silva / safety technology manager / Siemens Industry

Avoid the bypass

Where exactly does the confusion lie? Bypassing safety measures should never occur in a production environment, as this could lead to potential hazards, which seems to have happened in this case. Before any technological answer, plant safety standards must be understood by all team members and adhered to.

Given your plan to upgrade existing production lines using a standardized safety system, it would be beneficial to seamlessly integrate it into the existing machine design and control platform. Separate/standalone development tools for standard and safety signals should not be used because they are not necessary considering the system-integrated safety platforms available today. The most comprehensive solutions can be found with PC-based control architectures that integrate a programmable safety solution within the same programming environment used for PLC, motion control and all other control functions.

This makes it easier for controls engineers to support the system, and it’s easier to train operators because all control aspects reside on one software platform. Connections to the field safety devices are handled via standard I/O hardware. Distributed safety solutions offer great flexibility, without having to rely on separate safety controllers. Modern programmable safety technology promotes simpler handling of the safety functions and eliminates confusion. It also offers more effective diagnosis of the safety system for faster troubleshooting. As important as it is to safely shut down the machine, it is also important to pinpoint via diagnostics exactly where any problem is for the fastest possible resolution. EtherCAT and Safety over EtherCAT (FSoE) provide a wealth of diagnostic features that can identify errors and faults down to an individual field device or I/O terminal. Alternate industrial Ethernet solutions can only identify an entire I/O segment with an error or perhaps a cable break without much precision. Also, since EtherCAT can be directly integrated within the PC-based control software, all diagnostic information can be brought into the PLC or conveniently viewed on an HMI display.

More flexible expansion options mean vastly improved scalability; compliance with SIL and IEC 61508 standards; and independence from legacy protocols that may still be used on machines. Without having to change your existing fieldbus, an EtherCAT gateway can be added that will allow the addition of a safety logic controller right alongside the standard I/O hardware in the same rack. Once the safety platform is networked via EtherCAT, all the benefits of the protocol—real-time Ethernet technology; operation without requiring switches; virtually unlimited network expansion; flexible network topology; and no IP addressing in EtherCAT devices—are accessible to the user. An added benefit already described is the ability to mix safety and standard, non-safety I/O on one piece of DIN rail.

How to diagram safety

Figure 1: This integrated safety solution represents the consistent continuation of the open and PC-based control philosophy, demonstrated by the modularity and versatility.

(Source: Beckhoff)

Vendors offer digital I/O safety terminals and single-channel I/O terminals for analog signals, and, in cases where safety hardware needs to be machine-mounted, the scalability of EtherCAT permits simple connection of IP67-rated I/O boxes that are ideal for use outside of electrical cabinets (Figure 1). Using these inputs and outputs, you can connect standard safety devices such as e-stops, light curtains, interlocks and safety scanners. The programming environment is achieved via multipurpose PC-based control software and the resulting safe parameters are set and password-monitored by the safe logic controller. This prevents unwanted changes to the safety program and limits the possible areas where safety measures can be improperly bypassed.

Andy Garrido / I/O product marketing / Beckhoff Automation
Sree Potluri / I/O application specialist / Beckhoff Automation

About the author: Mike Bacidore
About the Author

Mike Bacidore | Editor in Chief

Mike Bacidore is chief editor of Control Design and has been an integral part of the Endeavor Business Media editorial team since 2007. Previously, he was editorial director at Hughes Communications and a portfolio manager of the human resources and labor law areas at Wolters Kluwer. Bacidore holds a BA from the University of Illinois and an MBA from Lake Forest Graduate School of Management. He is an award-winning columnist, earning multiple regional and national awards from the American Society of Business Publication Editors. He may be reached at [email protected]