By Stephanie Neil, Editor-in-Chief
The last time Ron Bocian went on a site visit at a manufacturer’s facility to investigate a safety incident involving an Urschel slicer, he found that someone had miswired the machine so that it didn’t provide the level of protection required. And it certainly wasn’t the first time something like that had happened.
Bocian, the electrical engineer and risk manager at Urschel Laboratories, Inc., an Indiana-based OEM of food cutting technology, knows you can design a machine that is as safe as it can possibly be, but there will always be the fear of the unknown. It’s what Bocian calls reasonable foreseeable misuse. “What’s an operator going to do to get injured that you couldn’t foresee them doing?”
And that’s just one of the many things OEMs have to think about when they are designing a safe, yet flexible, machine. There are considerations around cost, competition, global markets and the ability to provide end users with more efficient systems that can evolve with new consumer demands. And all of this has to be done while meeting requirements from both the Occupational Safety and Health Administration (OSHA) and the U.S. Food and Drug Administration (FDA).
“Unfortunately, food safety is contradictory to machine safety,” Bocian says. “Machine safety is about adding interlocks that are creating crevices for bacteria to harbor. They are two competing safety issues. It’s a balancing act.”
On top of that, there are many safety standards and equipment requirements that can leave even savvy machine builders scratching their heads. For example, a robot integrated as part of a packaging machine used in a manufacturing facility will have to follow at least nine standards from the International Organization for Standardization (ISO), the American National Standards Institute (ANSI) and the National Fire Protection Association (NFPA).
Keeping up with these ever-evolving standards—which are refreshed every five years to keep up with technology changes and data requirements—can be a challenge. In addition, despite the fact that there are harmonizing efforts underway to align ANSI, ISO and the International Electrotechnical Commission (IEC), if an OEM is selling equipment in other countries, there may be additional legal requirements.
“You have to consider the difference between standards and regulations,” explains Fred Hayes, director of technical services at PMMI. “In the U.S., there is no regulation that tells an OEM how to build a machine. In Europe, there’s a different attitude. They have a machinery directive that tells a builder what he must comply with to meet the law.”
But, even when everything is done in compliance, there’s still the issue of operator error, which is uncontrollable. In fact, an ANSI standard states that “there is no such thing as being absolutely safe, that is, a complete absence of risk. Therefore, there is no machinery, including packaging and processing machinery, that is absolutely safe in the sense of being completely devoid of all conceivable risks.”
That means OEMs must build machines at their own risk. Because when that inevitable “something” happens, even if it’s not technically the OEM’s fault, the machine builder may still be held liable.
“Throughout the world everyone is struggling with the same issues,” says Bruce Main, president of design safety engineering, inc., a software and engineering services company that is focused on helping OEMs improve the safety of their equipment. “There is no magic solution of how to build a machine for the U.S. versus Europe or elsewhere. Fundamentally, you have to achieve acceptable risk. So, if an OEM starts with that, the standards become tools to help them as opposed to specific requirements that they have to chase down.”
Mitigating risk
In an effort to demystify what can be a confusing endeavor, industry experts recommend starting with a risk assessment comprising multiple steps: identifying hazards, assessing the risk, reducing risk to an acceptable level, documenting the results and following up to ensure the machine does what it’s supposed to do. This risk mitigation is not just an exercise to understand what standards to apply to the machine, but a way to pay attention to the application. For example, if a machine is to be used in the food industry, there are hygiene requirements to consider, too.
With that in mind, one of the first things an OEM should do is apply the ANSI/PMMI B155.1-2016 Safety Requirements for Packaging and Processing Machinery standard, a formal method for identifying hazards and hierarchy of control. The standard, which has evolved since it was first approved in 1972, specifies terminology, principles and methodology for achieving safety by design.
“The risk assessment helps to identify hazards and pick the appropriate risk reduction methods, which could be a guard, a light curtain or personal protective equipment,” says PMMI’s Hayes. “The other standards, like ANSI B11 or ISO 12100, tell you that if you do need a guard, what the specific requirements are.”
ANSI B11.19, for example, outlines the performance criteria for safeguarding as it relates to the design, construction, installation, operations and maintenance of the guard when applied to machines. It does not provide requirements for the selection of the safeguarding for a particular application.
To that end, functional requirements that define what happens to a machine in response to a person’s action are an important part of the risk assessment process.
“Probably 60 percent of failures of a design specification are not failures of the technology, but more foundational failures,” says George Schuster, TÜV-certified functional safety expert and certified functional safety engineer for Rockwell Automation. That means everything must be mapped out from design details to product selection to the engineering of circuitry to programming and then testing. “We call this design verification. How do we test our design in the early stages to make sure we’re on track to meet the requirements defined, as well as the risk assessment and the functional specifications? That’s where the standards give strong guidance to document and keep everything on track.”
But, the standards are just one piece of the puzzle, as they are only providing direction for compliance. The second important tool is the technology, Schuster says, including things such as safety PLCs, drives, servos and light screens.
“Standards by themselves don’t make a safe system. Components by themselves don’t make a safe system. They need to be considered together, and in the context of the safety plan,” he says.
And that requires a design conforming to principles that will create inherently safe systems.
Safety by design
Urschel uses IDEM safety switches, Rockwell’s Allen-Bradley guard locking switches, Pepperl+Fuchs non-contact switches and safety relays from Pepperl+Fuchs, IDEM and Pilz.
From there, Bocian will apply the ISO 13849 standard that provides guidance on the principles for the design and integration of safety-related parts as it pertains to the circuitry and the control system. His next step is to research standards that meet the category 3 performance level D.
Safety categories range from 1 to 4, with 4 having the highest level of safety achieved by the safety function. Categories are about architecture or how the components are put together for a safety function. The performance level (PL), on the other hand, is a technology-neutral concept that can be used for electrical, mechanical, pneumatic and hydraulic safety. PL is used as a measure of the reliability of the components that make up a safety function and is divided into five levels (A through E), with E giving the best reliability and required at the highest level of risk.
“There is a lot of confusion around these designations,” notes PMMI’s Hayes. “A lot of OEMs and end users spend time and money to come up with a control system solution that performs at category 3, level D. But then, I say, look past the end of the wire, because past that, the control system will control a brake on a shaft, which will never be better than category 2.”
The devil is in the details, Hayes says, and that requires that a machine builder use a risk assessment process—even before quoting a job.
“First, an OEM must understand what a customer wants and how the machine will be used in order to figure out hazards and define safety functions.”
Then, it’s time to design the machine. At Urschel, Bocian says they conduct a risk assessment before building. The engineering group will analyze safeguarding aspects and after the first prototype is built they will assemble a team to test the system and then go through a formal risk assessment using the designsafe software from design safety engineering.
The designsafe software is a tool that walks the user through the process by identifying hazards and then assessing and reducing risk. It identifies who the users are and comes up with built-in checklists. Next, the software looks at operator tasks and then the hazards associated with specific tasks, from mechanical and electrical to ergonomics, material handling, environmental and more. As builders work through the task list they can assess the severity of each hazard and how to reduce the risk. The risk reduction measures that will be used are documented, and the probability of risk is then assessed to provide a residual risk level.
“The software doesn’t tell you what to think, but it helps you on what to think about,” says design safety engineering’s Main, who created the software for general industry use. A PMMI co-branded version of the software, called PackSafe, is specifically tailored for packaging applications, he says.
Assessing competitive advantage
The safety assessment shouldn’t stop once the machine is built. That’s why Rockwell Automation offers a Safety Maturity Index (SMI) for machine builders. This self-guided online assessment tool measures performance as it relates to culture (behavior), compliance (procedure) and capital (investment in contemporary technology). These measurements can help in areas of minimizing costs, legal compliance, operator safety and customer value—which not only optimizes machine design, but can help differentiate machines from the competition, especially as it relates to safety and the connected enterprise via the Industrial Internet of Things (IIoT).
“The network investment that customers have made over the last couple of decades, putting in industrial Ethernet, for example, provides a pipeline for data flow,” says Rockwell Automation’s Schuster. “Now you can have access to data and have analytic tools to make sense of it. And safety is emerging as a perfectly crafted application space where the connected enterprise or Industry 4.0 can bring people real value.”
An operator in the plant may have found a better way to perform a task which was never anticipated, and that could improve productivity. Alternatively, the misuse of a safety system on the plant floor may be a compliance issue, as well. Collecting information from the machines allows a broader assessment of the situation as it relates to safety functions. Knowing that a door is actually being accessed 40 times per shift, when it was only designed for access four times per shift, may indicate that someone is using that door for something they are not supposed to, for example. This may represent a compliance issue, or an opportunity for continuous improvement.
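The door-access check described above, as an added example (not from the article or any vendor's tool): it counts guard-door OPEN events per shift from a constructed event log and flags doors opened more often than the design assumed. The log format, door names, shift boundaries and the four-opens-per-shift budget for both doors are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed design budget from the risk assessment: opens per shift per guard door.
DESIGN_OPENS_PER_SHIFT = {"GUARD_A": 4, "GUARD_B": 4}
SHIFT_START_HOUR = 6  # assumed: three 8-hour shifts starting at 06:00
SHIFT_NAMES = ("day", "evening", "night")

def shift_of(ts):
    """Map a timestamp to (date the shift started, shift name)."""
    shifted = ts - timedelta(hours=SHIFT_START_HOUR)
    return shifted.date().isoformat(), SHIFT_NAMES[shifted.hour // 8]

def opens_per_shift(lines):
    """Count OPEN events per (door, date, shift); skip malformed lines and other events."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "OPEN":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        counts[(parts[1],) + shift_of(ts)] += 1
    return counts

def flag_overuse(lines, budget=DESIGN_OPENS_PER_SHIFT):
    """Return (door, date, shift, count, ratio) for every shift over its design budget."""
    findings = []
    for (door, date, shift), n in sorted(opens_per_shift(lines).items()):
        allowed = budget.get(door)
        if allowed is None:
            findings.append((door, date, shift, n, None))  # door missing from the assessment
        elif n > allowed:
            findings.append((door, date, shift, n, n / allowed))
    return findings

def constructed_sample():
    """Constructed log: GUARD_A opened 40 times in one day shift, GUARD_B within budget."""
    start = datetime(2024, 3, 4, 6, 5)
    lines = [f"{(start + timedelta(minutes=10 * i)).isoformat()} GUARD_A OPEN" for i in range(40)]
    lines += [f"2024-03-04T{h:02d}:15:00 GUARD_B OPEN" for h in (7, 9, 12)]
    lines += ["2024-03-05T02:30:00 GUARD_B OPEN", "2024-03-04T08:00:00 GUARD_A CLOSE", "garbage"]
    return lines

if __name__ == "__main__":
    for finding in flag_overuse(constructed_sample()):
        print(finding)
```

The ratio in each finding (10.0 for the constructed GUARD_A shift) gives a reviewer a quick measure of how far actual use has drifted from the assumptions in the risk assessment.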
Similarly, Siemens offers its Safety Evaluation Tool for the IEC 62061 and ISO 13849-1 standards. Available free of charge, this TÜV-tested online tool supports the assessment of a machine’s safety functions and the performance level it is meeting, providing a standard-compliant report, which can be integrated in the documentation as a proof of safety. Because the tool lives online, Siemens is able to keep component information up to date.
“This tool does not just have all of the safety data in there, but it is the most current, so when someone uses it to do calculations the results are compliant to what is needed to be met,” says John D’Silva, the safety technology manager for Siemens Digital Factory Group.
The network advantage
It’s important to note that the ISO 13849 standard accommodates network safety and programmable safety functionalities. The reason is that there are new offerings that support “networked safety” which replaces hardwired safety, and creates new diagnostic capabilities and safe motion, enabling machinery to operate in “safe mode” vs. shutting down completely.
“It is a full set of functions for motion control and robotic kinematics,” explains John Kowal, business development director for B&R Industrial Automation. “When it goes into safe mode, it has safe direction, safe torque, safe position, safe velocity and all kinds of functions so that the machine does not have enough power, speed or force to cause injury.”
It’s realistic to leverage networked safety—which runs over the same network as machine control—due to redundant processors and deterministic networks. B&R’s openSAFETY communication protocol, which is an IEC standard, transmits information critical to the safe operation of machines. It can also enable remote diagnostics to avoid opening an electrical cabinet, for example. According to a B&R white paper, the NFPA and OSHA requirements for protecting workers from the hazard of electric arc flash mean that opening a cabinet with the power on is not a simple task. So, instead of opening an electrical cabinet to access and test safety relays, networked safety can diagnose a problem remotely using a machine configuration dashboard to show each safety function being controlled. The B&R white paper also makes a case that networked safety costs much less than the traditional hardwired approach.
The only obstacle to adoption is the machine builder’s mindset.
“There’s a sense that I can trust a screwdriver to tighten a wire, whereas you can’t see software,” Kowal says. “But in reality, you can see more with networked safety in the HMI, including diagnostics you don’t have with hardwired safety.”
The risk and the reward
Urschel’s Bocian sees the opportunity for networked safety technology on sophisticated equipment. But for their slicers, dicers and shredders, it makes sense to stick with hardwiring back to a safety relay, since many of the Urschel end users don’t have the capability to collect diagnostics and troubleshoot.
And, when it comes to understanding the many global standards out there, Bocian, who was once a member of the British Standards Institute—which produces some standards for food equipment that the U.S. doesn’t have—says he has a simple rule of thumb: “If you design a machine that meets the European standards, you will design a machine that can be used anywhere in the world.”