ISO 13849–1 Analysis — Part 8: Fault Exclusion

This entry is part 9 of 9 in the series How to do a 13849–1 analysis

Fault Consideration & Fault Exclusion

ISO 13849–1, Clause 7 [1, 7] discusses the need for fault consideration and fault exclusion. Fault consideration is the process of examining the components and sub-systems used in the safety-related part of the control system (SRP/CS) and making a list of all the faults that could occur in each one. This is a definitely non-trivial exercise!

Thinking back to some of the earlier articles in this series where I mentioned the different types of faults, you may recall that there are detectable and undetectable faults, and there are safe and dangerous faults, leading us to four kinds of fault:

  • Safe undetectable faults
  • Dangerous undetectable faults
  • Safe detectable faults
  • Dangerous detectable faults

For systems where no diagnostics are used, Categories B and 1, nothing will detect a fault once it has occurred, so faults that could defeat the safety function have to be dealt with in the design itself: by inherently safe design, by applying basic and well-tried safety principles and well-tried components, or by fault exclusion. Care needs to be taken when classifying components as "well-tried" versus using a fault exclusion, as components that might normally be considered "well-tried" might not meet those requirements in every application. [2, Annex A], Validation tools for mechanical systems, discusses the concepts of "Basic Safety Principles", "Well-Tried Safety Principles", and "Well-tried components". [2, Annex A] also provides examples of faults and relevant fault exclusion criteria. There are similar Annexes that cover pneumatic systems [2, Annex B], hydraulic systems [2, Annex C], and electrical systems [2, Annex D].

For systems where diagnostics are part of the design, i.e., Categories 2, 3, and 4, the fault lists are used to evaluate the diagnostic coverage (DC) of the test systems. Depending on the architecture, certain levels of DC are required to meet the relevant PL, see [1, Fig. 5]. The fault lists are the starting point for the determination of DC, and are an input into the hardware and software designs. DC is the share of the dangerous failure rate that the diagnostics actually detect, so the diagnostics must cover enough of the dangerous faults that the resulting DC is high enough to meet the PLr for the safety function; every dangerous fault that nothing detects counts against you in that ratio.

The fault lists and fault exclusions are used in the Validation portion of this process as well. At the start of the Validation process flowchart [2, Fig. 1], you can see how the fault lists and the criteria used for fault exclusion are used as inputs to the validation plan.

The diagram shows the first few stages in the ISO 13849-2 Validation process. See ISO 13849-2, Figure 1.
Start of ISO 13849–2 Fig. 1

Faults that can be excluded do not need to be validated, saving time and effort during the system verification and validation (V & V). How is this done?

Fault Consideration

The first step is to develop a list of potential faults that could occur, based on the components and subsystems included in the SRP/CS. ISO 13849–2 [2] includes lists of typical faults for various technologies. For example, [2, Table A.4] is the fault list for mechanical components.

Mechanical fault list from ISO 13849-2
Table A.4 — Faults and fault exclusions — Mechanical devices, components and elements
(e.g. cam, follower, chain, clutch, brake, shaft, screw, pin, guide, bearing)

[2] contains tables similar to Table A.4 for:

  • Pressure-coil springs
  • Directional control valves
  • Stop (shut-off) valves/non-return (check) valves/quick-action venting valves/shuttle valves, etc.
  • Flow valves
  • Pressure valves
  • Pipework
  • Hose assemblies
  • Connectors
  • Pressure transmitters and pressure medium transducers
  • Compressed air treatment — Filters
  • Compressed-air treatment — Oilers
  • Compressed air treatment — Silencers
  • Accumulators and pressure vessels
  • Sensors
  • Fluidic Information processing — Logical elements
  • etc.

As you can see, there are many different types of faults that need to be considered. Keep in mind that I did not give you all of the different fault lists; this post would be a mile long if I did that! The point is that you need to develop a fault list for your system, and then consider the impact of each fault on the operation of the system. If you have components or subsystems that are not listed in the tables, then you need to develop your own fault lists for those items. Failure Modes and Effects Analysis (FMEA) is usually the best approach for developing fault lists for these components [23], [24].

When considering the faults to be included in the list, there are a few rules that apply [1, 7.2]:

  • if, after the first fault occurs, other faults develop as a consequence of the first fault, then those faults can be grouped together and counted as a single fault
  • two or more single faults with a common cause can be considered as a single fault
  • the simultaneous occurrence of two or more independent faults with different causes is considered improbable and does not need to be considered

Examples

#1 — Voltage Regulator

A voltage regulator fails in a system power supply so that the 24 Vdc output rises to an unregulated 36 Vdc (the internal power supply bus voltage), and after some time has passed, two sensors fail. All three failures can be grouped and considered as a single fault because they originate in a single failure in the voltage regulator.

#2 — Lightning Strike

If a lightning strike occurs on the power line and the resulting surge voltage on the 400 V mains causes an interposing contactor and the motor drive it controls to fail to danger, then these failures may be grouped and considered as one. Again, a single event causes all of the subsequent failures.

#3 — Pneumatic System Lubrication

3a — A pneumatic lubricator runs out of lubricant and is not refilled, depriving downstream pneumatic components of lubrication.

3b — The spool on the system dump valve sticks open because it is not cycled often enough.

These two failures have different causes, so there is no need to consider them as occurring simultaneously; the probability of both happening concurrently is extremely small. One caution: these two faults MAY have a common cause, poor maintenance. If that is the case and you decide to treat them as two faults with a common cause, they would then be grouped and counted as a single fault.

Fault Exclusion

Once you have your well-considered fault lists together, the next question is "Can any of the listed faults be excluded?" This is a tricky question! There are a few points to consider:

  • Does the system architecture allow for fault exclusion?
  • Is the fault technically improbable, even if it is possible?
  • Does experience show that the fault is unlikely to occur?*
  • Are there technical requirements related to the application and the hazard that might support fault exclusion?

BE CAREFUL with this one!

Whenever faults are excluded, a detailed justification for the exclusion needs to be included in the system design documentation. Simply deciding that the fault can be excluded is NOT ENOUGH! Consider the risk a person will be exposed to in the event the fault occurs. If the severity is very high, i.e., severe permanent injury or death, you may not want to exclude the fault even if you think you could. Careful consideration of the resulting injury scenario is needed.

Basing a fault exclusion on personal experience is seldom considered adequate, which is why I added the asterisk (*) above. Look for good statistical data to support any decision to use a fault exclusion.
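To make the bookkeeping concrete, here is an added example in Python (mine, not the article's and not from the standard) that carries a constructed fault list through the steps described above: classifying each fault as one of the four kinds, grouping faults that share a root cause so that they count as a single fault under the 7.2 rules, refusing a fault exclusion that has no written justification, and computing the diagnostic coverage DC = Σλ_DD / Σλ_D against the DC bands of ISO 13849-1 Table 5 (none below 60 %, low 60-90 %, medium 90-99 %, high 99 % and above). The component names, failure modes, FIT values, the "regulator" common cause and the exclusion text are all invented for the example and are not taken from any standard table or manufacturer data; the function names are my own.

```python
"""Fault-list bookkeeping for an ISO 13849-1 style fault consideration.

Added example, not from ISO 13849 or from the article. The faults, failure-rate
shares and the exclusion record below are constructed to mirror the page's
voltage-regulator and dump-valve examples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fault:
    component: str
    mode: str
    dangerous: bool          # True if the fault can defeat the safety function
    detectable: bool         # True if the diagnostics reveal it before it matters
    rate_fit: float          # share of the failure rate in FIT (1e-9/h); constructed values
    cause: Optional[str] = None   # shared root cause, used by the 7.2 grouping rules


def kind(f: Fault) -> str:
    """One of the four kinds of fault, e.g. 'dangerous undetectable'."""
    return f"{'dangerous' if f.dangerous else 'safe'} {'detectable' if f.detectable else 'undetectable'}"


def group_by_cause(faults: List[Fault]) -> List[List[Fault]]:
    """Faults that share one root cause (consequential or common-cause faults) are
    counted as a single fault; every other fault stays a separate single fault."""
    groups: Dict[object, List[Fault]] = {}
    for f in faults:
        key = f.cause if f.cause is not None else (f.component, f.mode)
        groups.setdefault(key, []).append(f)
    return list(groups.values())


def apply_exclusions(faults: List[Fault], exclusions: Dict[Tuple[str, str], str]) -> List[Fault]:
    """Drop excluded faults. An exclusion without a written justification is rejected,
    because that justification has to end up in the design documentation."""
    kept = []
    for f in faults:
        key = (f.component, f.mode)
        if key not in exclusions:
            kept.append(f)
        elif not exclusions[key].strip():
            raise ValueError(f"fault exclusion for {key} has no justification")
    return kept


def diagnostic_coverage(faults: List[Fault]) -> float:
    """DC = sum(lambda_DD) / sum(lambda_D): detected dangerous failure rate over the
    total dangerous failure rate. Safe faults do not enter the ratio at all."""
    dangerous = [f for f in faults if f.dangerous]
    total = sum(f.rate_fit for f in dangerous)
    if total == 0.0:
        raise ValueError("no dangerous faults in the list; DC is undefined")
    detected = sum(f.rate_fit for f in dangerous if f.detectable)
    return detected / total


def dc_band(dc: float) -> str:
    """DC bands of ISO 13849-1 Table 5: none < 60 %, low 60-90 %, medium 90-99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Constructed fault list (not a table from ISO 13849-2). The first three share a cause.
SAMPLE_FAULTS = [
    Fault("PSU regulator", "output rises to bus voltage", True, True, 50.0, cause="regulator"),
    Fault("sensor A", "output stuck high after overvoltage", True, True, 20.0, cause="regulator"),
    Fault("sensor B", "output stuck high after overvoltage", True, True, 20.0, cause="regulator"),
    Fault("dump valve", "spool sticks open", True, False, 10.0),
    Fault("contactor K1", "main contact welded", True, True, 30.0),
    Fault("contactor K1", "coil open circuit", False, True, 40.0),
    Fault("interlock cam", "fixing screw loosens", True, False, 5.0),
]

# Hypothetical exclusion record; the justification text is illustrative only.
SAMPLE_EXCLUSIONS = {
    ("interlock cam", "fixing screw loosens"):
        "positively locked fastener, torque-checked at assembly; justification filed in the design record",
}


def evaluate(faults: List[Fault], exclusions: Dict[Tuple[str, str], str], required_band: str) -> dict:
    """Whole flow: exclude (with justification), count single faults, compute DC, compare with the PLr need."""
    remaining = apply_exclusions(faults, exclusions)
    dc = diagnostic_coverage(remaining)
    band = dc_band(dc)
    order = ["none", "low", "medium", "high"]
    return {
        "single_faults": len(group_by_cause(remaining)),
        "dc": dc,
        "band": band,
        "meets_requirement": order.index(band) >= order.index(required_band),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_FAULTS, {}, "medium"))
    print(evaluate(SAMPLE_FAULTS, SAMPLE_EXCLUSIONS, "medium"))
```

Run as a script it prints the evaluation twice, before and after the exclusion. In the constructed data the single excluded undetectable fault is what moves the DC from the low band into the medium band, which is exactly why an exclusion has to be justified and recorded rather than assumed: drop the justification string and the code refuses to apply it.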

There is much more information available in IEC 61508–2 [14] on the subject of fault exclusion, and there is good information in some of the books mentioned below [0.1], [0.2], and [0.3]. If you know of additional resources you would like to share, please post the information in the comments!

Definitions

3.1.3 fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2 to entry: In this part of ISO 13849, "fault" means random fault. [SOURCE: IEC 60050-191:1990, 05-01.]

Book List

Here are some books that I think you may find helpful on this journey:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety Critical Systems Handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of Techniques and Measures Related to EMC for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2013.

References

Note: This reference list starts in Part 1 of the series, so "missing" references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849–1. 2015.

[2]     Safety of machinery — Safety-related parts of control systems — Part 2: Validation. 2nd Edition. ISO Standard 13849–2. 2012.

[3]     Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4]     Safeguarding of Machinery. 2nd Edition. CSA Standard Z432. 2004.

[5]     Risk Assessment and Risk Reduction: A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6]     Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

[7]     Functional safety of electrical/electronic/programmable electronic safety-related systems. 7 parts. IEC Standard 61508. Edition 2. 2010.

[8]     S. Jocelyn, J. Baudoin, Y. Chinniah, and P. Charpentier, "Feasibility study and uncertainties in the validation of an existing safety-related control circuit with the ISO 13849-1:2006 design standard," Reliab. Eng. Syst. Saf., vol. 121, pp. 104–112, Jan. 2014.

[9]     Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report TR 62061-1. 2010.

[10]    Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[11]    Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report 62061-1. 2010.

[12]    D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, "Linking Risk and Reliability—Mapping the output of risk assessment tools to functional safety requirements for safety related control systems," 2015.

[13]    Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954-1. 1996.

[14]    Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems. IEC Standard 61508-2. 2010.

[15]    Reliability Prediction of Electronic Equipment. Military Handbook MIL-HDBK-217F. 1991.

[16]    "IFA — Practical aids: Software-Assistent SISTEMA: Safety Integrity — Software Tool for the Evaluation of Machine Applications", Dguv.de, 2017. [Online]. Available: http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema/index.jsp. [Accessed: 30-Jan-2017].

[17]    "failure mode", 192-03-17, International Electrotechnical Vocabulary. IEC International Electrotechnical Commission, Geneva, 2015.

[18]    M. Gentile and A. E. Summers, "Common Cause Failure: How Do You Manage Them?," Process Saf. Prog., vol. 25, no. 4, pp. 331–338, 2006.

[19]    Out of Control—Why control systems go wrong and how to prevent failure, 2nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.

[20]    Safeguarding of Machinery. 3rd Edition. CSA Standard Z432. 2016.

[21]    O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Canada, 1990.

[22]    "Field-programmable gate array", En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23]    Analysis techniques for system reliability — Procedure for failure mode and effects analysis (FMEA). 2nd Ed. IEC Standard 60812. 2006.

[24]    "Failure mode and effects analysis", En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].

Interlocking Devices: The Good, The Bad and the Ugly

This entry is part 1 of 3 in the series Guards and Guarding

Note: A shorter version of this article was published in the May-2012 edition of Manufacturing Automation Magazine.

When designing safeguarding systems for machines, one of the basic building blocks is the movable guard. Movable guards can be doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine control system so that the hazards covered by the guards will be effectively controlled when the guard is opened.

There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

The Hierarchy of Controls

The Hierarchy of Controls as an inverted pyramid.
Figure 1 — The Hierarchy of Controls

This article assumes that a risk assessment has been done as part of the design process. If you haven't done a risk assessment first, start there, and then come back to this point in the process. You can find more information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks. The hierarchy is defined in [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Each level is applied until the available measures are exhausted, or cannot be applied without destroying the purpose of the machine, allowing the designer to move to the next lower level.

Engineering controls are subdivided into a number of different sub-groups. Only movable guards are required to have interlocks. There are a number of similar types of guards that can be mistaken for movable guards, so let's take a minute to look at a few important definitions.

Table 1 — Definitions (columns of the original table: International [1], Canadian [2], USA [10])

Guard

  International [1], 3.27 guard: physical barrier, designed as part of the machine to provide protection.
    NOTE 1 A guard may act either alone, in which case it is only effective when "closed" (for a movable guard) or "securely held in place" (for a fixed guard), or in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard.
    NOTE 2 Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard.
    NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements.
  Canadian [2]: Guard — a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc.
  USA [10], 3.22 guard: A barrier that prevents exposure to an identified hazard. E3.22 Sometimes referred to as barrier guard.

Interlocking guard

  International [1], 3.27.4 interlocking guard: guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed:
    • the hazardous machine functions "covered" by the guard cannot operate until the guard is closed,
    • if the guard is opened while hazardous machine functions are operating, a stop command is given, and
    • when the guard is closed, the hazardous machine functions "covered" by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions)
    NOTE ISO 14119 gives detailed provisions.
  Canadian [2]: Interlocked barrier guard — a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area.
  USA [10], 3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard.

Movable guard

  International [1], 3.27.2 movable guard: guard which can be opened without the use of tools
  Canadian [2]: Movable guard — a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered.
  USA [10], 3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated. E3.37 There are two types of movable barrier devices:
    • Type A, which encloses the hazard area during the complete machine cycle;
    • Type B, which encloses the hazard area during the hazardous portion of the machine cycle.

Interlocking device

  International [1], 3.28.1 interlocking device (interlock): mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed)
  Canadian [2]: Interlocking device (interlock) — a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed).
  USA [10]: No definition

Interlocking guard with guard locking

  International [1], 3.27.5 interlocking guard with guard locking: guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed:
    • the hazardous machine functions "covered" by the guard cannot operate until the guard is closed and locked,
    • the guard remains closed and locked until the risk due to the hazardous machine functions "covered" by the guard has disappeared, and
    • when the guard is closed and locked, the hazardous machine functions "covered" by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions)
    NOTE ISO 14119 gives detailed provisions.
  Canadian [2]: Guard locking device — a device that is designed to hold the guard closed and locked until the hazard has ceased.
  USA [10]: No definition

As you can see from the definitions, movable guards can be opened without the use of tools, and are generally fixed to the machine along one edge. Movable guards are always associated with an interlocking device. Guard selection is covered very well in ISO 14120 [11]. This standard contains a flowchart that is invaluable for selecting the appropriate style of guard for a given application.


Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical vs. Mechanical Interlocks

Mechanical Interlocking
Figure 2 — Mechanical Interlocking

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn't affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

Mechanical Interlocks

Figure 2, from ISO 14119 [7, Fig. H.1, H.2], shows one example of a mechanical interlock. In this case, when cam 2 is rotated into the position shown in a), the guard cannot be opened. Once the hazardous condition behind the guard is effectively controlled, cam 2 rotates to the position in b), and the guard can be opened.

Arrangements that use the open guard to physically block operation of the controls can also be used in this way. See Figure 3 [7, Fig. C.1, C.2].

Mechanical Interlocking using control devices
Figure 3 — Mechanical Interlocking using machine control devices

Fluid Power Interlocks

Figure 4, from [7, Fig. K.2], shows an example of two fluid-power valves used in complementary mode on a single sliding gate.

Hydraulic interlock from ISO 14119
Figure 4 — Example of a fluid power interlock

In this example, when the guard is closed (position 'a'), fluid can flow from the pressure supply (the circle with the dot in it at the bottom of the diagram) through the two valves to the prime mover, which could be a cylinder, a motor or some other device. There could be an additional control valve following the interlock that would provide the normal control mode for the device.

When the guard is opened (position 'b'), the two valve spools shift to the second position: the lower valve blocks the pressure supply, and the upper valve vents the pressure in the circuit, helping to prevent unexpected motion from trapped energy.

If the spring in the upper valve fails, the lower spool will still be driven by the gate into a position that blocks the pressure supply and vents the trapped energy in the circuit.


Electrical Interlocks

By far the majority of interlocks used on machinery are electrical. Electrical interlocks offer ease of installation, flexibility in the selection of interlocking devices, and anything from simple to extremely complex designs. The architectural categories cover any technology, whether mechanical, fluidic, or electrical, so let's have a look at architectures first.

Architecture Categories

Comparing ANSI, CSA, and ISO Control Reliability Categories
Figure 5 — Control Reliability Categories

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single-channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable (see RIA R15.06, 1999). In the EU, there are five levels of control reliability, defined as Performance Levels (PL) given in ISO 13849–1 [4]: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. Figure 5 shows how these architectures line up.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the PLs in [4], but they are similar. [5] is based on IEC 61508 [6], a well-respected control reliability standard used in the process industries. [5] is not well suited to applications involving hydraulic or pneumatic elements.

The orange arrow in Figure 5 highlights the fact that the definition in the CSA standards results in a more reliable system than the ANSI/RIA definition because the CSA definition requires TWO (2) separate physical switches on the guard to meet the requirement, while the ANSI/RIA definition only requires redundant circuits, but makes no requirement for redundant devices. Note that the arrow representing the ANSI/RIA Control Reliable category falls below the ISO Category 3 arrow due to this same detail in the definition.

Note that Figure 5 does not address the question of PLs or SILs and how they relate to each other. That is a topic for another article!

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single-channel-monitored or Category 2 level up, the systems are required to have testing built in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine's power and control systems. Interlocking systems can be purely mechanical, purely electrical or a combination of these.

Roller cam switch used as part of a complementary interlock
Photo 1 — Roller Cam Switch

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Images of interlocking devices used in this article are representative of some of the types and manufacturers available, but should not be taken as an endorsement of any particular make or type of device. There are lots of manufacturers and unique models that can fit any given application, and most manufacturers have similar devices available.

Photo 1 shows a safety-rated, direct-drive roller cam switch used as half of a complementary switch arrangement on a gate interlock. The integrator failed to cover the switches to prevent intentional defeat in this application.

Micro-Switch used for interlocking
Photo 2 — Micro-Switch used for interlocking

Photo 2 shows a 'microswitch' used for interlocking a machine cover panel that is normally held in place with fasteners, and so is a 'fixed guard' as long as the fasteners require a tool to remove. Fixed guards do not require interlocks under most circumstances. Some product family standards do require interlocks on fixed guards due to the nature of the hazards involved.

Microswitches are not safety-rated and are not recommended for use in this application. They are easily defeated and tend to fail to danger in my experience.

Requirements for interlocking devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7], CSA Z432 [2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.

Typical plastic-bodied interlocking device
Photo 3 — Schmersal AZ15 plastic interlock switch

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849–1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Categories 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 & 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI's "single-channel-monitored" and "control-reliable" categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

Guard Locking

Interlocking devices are often used in conjunction with guard locking. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. In some cases the guard may be locked closed to protect the process rather than the operator, or for other reasons.

Interlock Device with Guard Locking
Photo 4 — Interlocking Device with Guard Locking

Safety distance is the distance between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations given in [2] and ISO 13855 [9]. This calculation uses a 'hand-speed constant', called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward when standing in front of the opening. In North America, K is usually 63 inches/second, or 1600 mm/s. Internationally and in the EU, there are two speeds: 2000 mm/s, used for an approach perpendicular to the plane of the guard, or 1600 mm/s for approaches at 45 degrees or less [9]. 2000 mm/s is used with movable guards, and is approximately equivalent to 79 inches/second. Using the International approach, if the value of Ds is greater than 500 mm when calculated using K = 2000, then [9] permits the calculation to be done using K = 1600 instead.

Using the stopping time of the machinery and K, the minimum safety distance can be calculated.

Eq. 1              Ds = K × Ts

Using Equation 1 [2], assume you have a machine that takes 250 ms to stop when the interlock is opened. Inserting the values into the equation gives you a minimum safety distance of:

Example 1             Ds = 63 in/s × 0.250 s = 15.75 inches

Example 2             Ds = 2000 mm/s × 0.250 s = 500 mm

As you can see, the International value of K gives a more conservative value, since 500 mm is approximately 20 inches.

Note that I have not included the 'Penetration Factor', Dpf, in this calculation. This factor is used with presence-sensing safeguarding devices like light curtains, fences, mats, two-hand controls, etc. It is not applicable to movable, interlocked guards; for those, the reach through the opening at the point where the interlock trips is handled separately, using the opening-size tables discussed below.
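The safety distance rules above, as an added Python example that is not from the article or from ISO 13855: it applies Eq. 1 with the North American and International K values, implements the 500 mm / K = 1600 recalculation just described, and wraps both in a placement check that treats guard locking with standstill monitoring as the alternative when the distance is not available. Ts is taken as the overall stopping time from interlock actuation to the end of hazardous motion. The intrusion allowance and the opening-size reach tables are deliberately not modelled, the constants are the K values quoted in the text, and the function names are my own.

```python
"""Minimum safety distance for a movable interlocked guard, Ds = K x Ts.

Added example, not from the article or from ISO 13855. Constants are the K values
quoted on the page; the recalculation rule is the ISO 13855 rule as the page
describes it. Function names are the example author's own.
"""
from typing import Tuple

K_NA_IN_PER_S = 63.0          # North American hand-speed constant, inches per second
K_ISO_PERPENDICULAR = 2000.0  # mm/s, approach perpendicular to the plane of the guard
K_ISO_REDUCED = 1600.0        # mm/s, permitted once Ds computed at 2000 mm/s exceeds 500 mm
ISO_MIN_DS_MM = 500.0         # Ds never drops below this when the reduced K is used


def safety_distance_na_in(stop_time_s: float) -> float:
    """Eq. 1 with K = 63 in/s. stop_time_s is the overall stopping time, from the
    interlock being actuated until the hazardous motion has ended."""
    if stop_time_s <= 0:
        raise ValueError("stopping time must be positive")
    return K_NA_IN_PER_S * stop_time_s


def safety_distance_iso_mm(stop_time_s: float) -> Tuple[float, float]:
    """Eq. 1 with the International K values. Returns (Ds in mm, K actually used).

    Start at K = 2000 mm/s; if that gives more than 500 mm, K = 1600 mm/s may be used
    instead, but the result is then floored at 500 mm."""
    if stop_time_s <= 0:
        raise ValueError("stopping time must be positive")
    ds = K_ISO_PERPENDICULAR * stop_time_s
    if ds > ISO_MIN_DS_MM:
        return max(K_ISO_REDUCED * stop_time_s, ISO_MIN_DS_MM), K_ISO_REDUCED
    return ds, K_ISO_PERPENDICULAR


def guard_placement_ok(available_mm: float, stop_time_s: float,
                       locked_until_standstill: bool = False) -> bool:
    """True if the guard can sit where the layout allows.

    A guard closer than Ds is only acceptable when it is locked closed and the lock is
    released on monitored standstill, which is the guard-locking route described on this page."""
    if locked_until_standstill:
        return True
    ds, _ = safety_distance_iso_mm(stop_time_s)
    return available_mm >= ds


if __name__ == "__main__":
    for t in (0.250, 0.300, 0.500):
        ds, k = safety_distance_iso_mm(t)
        print(f"Ts = {t:.3f} s: Ds = {ds:.0f} mm (K = {k:.0f} mm/s), "
              f"NA: {safety_distance_na_in(t):.2f} in")
```

For the 250 ms machine in the text both functions reproduce the page's 15.75 in and 500 mm. At 300 ms the 2000 mm/s figure is 600 mm, the reduced K gives 480 mm, and the 500 mm floor wins; at 500 ms the reduced K gives 800 mm and that is what you get. Note that the reduced K never lets the distance fall below the 500 mm the unreduced calculation would have demanded at the 250 ms boundary.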

Also important to consider is the amount the guard can be opened before activating the interlock. This will depend on many factors, but for simplicity, consider a hinged gate on an access point. If the guard uses two hinge-pin style switches, you may be able to open the gate a few inches before the switches rotate enough to detect the opening of the guard. In order to determine the opening size, you would slowly open the gate just to the point where the interlock is tripped, and then measure the width of the opening. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then determine how far the guard must be from the hazards behind it. If that distance is greater than what is available, you could remove one hinge-pin switch, and replace it with another type mounted on the post opposite the hinges. This could be a keyed interlock like Photo 3, or a non-contact device like Photo 5. This would reduce the opening width at the point of detection, and thereby reduce the safety distance behind the guard. But what if that is still not good enough?

If you have to install the guard closer to the hazard than the minimum safety distance, locking the guard closed and monitoring the standstill of the machine allows you to ignore the safety distance requirement, because the guard cannot be opened until the machinery is at a standstill, or in a safe state.

Guard locking devices can be mechanical, electromagnetic, or any other type that prevents the guard from opening. The guard locking device is only released when the machine has been made safe.

There are many types of safety-rated standstill monitoring devices available now, and many variable-frequency drives and servo drive systems are available with safety-rated standstill monitoring.

Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration exposures in the application. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, damp, corrosive environment will also lead to premature failure.

Example of a non-contact interlocking device
Photo 5 — JOKAB EDEN Interlock System

Interlock device manufacturers have a variety of non-contact interlocking devices available today that use coded RF signals or RFID technologies to ensure that the interlock cannot be defeated by simple measures, like taping a magnet to a reed switch. The Jokab EDEN system is one example of a system like this that also exhibits IP65 level resistance to moisture and dust. Note that systems like this include a safety monitoring device, and the system as a whole can meet Control Reliable or Category 3 / 4 architectural requirements when a simple interlock switch could not.

The device standards do provide some guidance in making these selections, but it’s pretty general.

Fault Exclusion

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the International and EU standards can use fault exclusion, but be aware that significant documentation supporting the exclusion of each fault is needed.

Defeat resistance

Diagram showing one method of preventing interlock defeat.
Figure 6 — Preventing Defeat

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.

Figure 6 [7, Fig. 10] shows a key-operated switch, like the Schmersal AZ15, installed with a cover that is intended to further guard against defeat. The key, sometimes called a ‘tongue’, used with the switch prevents defeat using a flat piece of metal or a knife blade. The cover prevents direct access to the interlocking device itself. Use of tamper-resistant hardware will further reduce the likelihood that someone can remove the key and insert it into the switch, bypassing the guard.

Inner-Tite tamper resistance fasteners
Photo 6 — Tamper-resistant fasteners


The International and EU standards do not require the devices to be inherently defeat resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Photo 6 shows one type of tamper-resistant fastener made by Inner-Tite [13]. Photo 7 shows fasteners with uniquely keyed keyways made by Bryce Fastener [14], and Photo 8 shows more traditional tamperproof fasteners from the Tamperproof Screw Company [15]. Using fasteners like these will result in the highest level of security in a threaded fastener. There are many different designs available from a wide variety of manufacturers.

Bryce Key-Rex tamper-resistant fasteners
Photo 7 — Keyed Tamper-Resistant Fasteners
Tamper proof screws made by the Tamperproof Screw Company
Photo 8 — Tamperproof screws

Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.

How to select the right device

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry? Is it wet (i.e., with cutting fluid, oil, water, etc.)? Is it abrasive (dusty, sandy, chips, etc.)? Is it indoors or outdoors and subject to wide temperature variations?

Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 [4] for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance? What about device monitoring or annunciation?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.

The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject for a series of articles!

References


[1] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010

[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)


[3] Industrial Robots and Robot Systems — General Safety Requirements, CSA Standard Z434, 2003 (R2008)

[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849–1, 2006

[5] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005

[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X

[7] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO Standard 14119, 1998

[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11, 2008

[9] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855, 2010

[10] American National Standard for Machine Tools — Performance Criteria for Safeguarding, ANSI B11.19, 2003

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120, 2002

[12] Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857, 2008

[13] Inner-Tite Corp. home page. (2012). Available: http://www.inner-tite.com/

[14] Bryce Fastener, Inc. home page. (2012). Available: http://www.brycefastener.com/

[15] Tamperproof Screw Co., Inc. home page. (2013). Available: http://www.tamperproof.com

Five things most machine builders do incorrectly

Five things that most machine builders fail to do. With a sixth bonus failure!

The top five errors I see machine builders make on a depressingly regular basis:

1) Poor or Absent Risk Assessment

Risk assessments are fundamental to safe machine design and liability limitation, and are required by law in the EU. They are included in all of the modern North American machinery safety standards as well.

Machine builders frequently have trouble with the risk assessment process, usually because they fail to understand the process or because they fail to devote enough resources to getting it done.

If risk assessment is built into your design process, it becomes the norm for how you do business. Time and resources will automatically be devoted to the process, and since it’s part of how you do things it will become relatively painless. Where people go wrong is in making it a ‘big deal’ one-time event. Also, getting it done early in the design process and iterating as the design progresses means that you have time to react to the findings, and you can complete any necessary changes at more cost-effective points in the design and build process. The worst time to do risk assessment is at the point where the machine is on the shop floor ready to start production. Costs for modification are then exponentially higher than during design and construction.

Poorly done, risk assessments become a liability defense lawyer’s worst nightmare and a plaintiff’s lawyer’s dream. Shortchanging the risk assessment process ensures that you will lose, either now or later.

Fight this problem by: learning how to conduct a risk assessment, using quality risk assessment software tools, and building risk assessment into your standard design process/practice in your organization.

2) Failure to be Aware of Regulations & Use Design Standards

This one is a mystery to me.

Every market has product safety legislation, supported by regulations. Granted, the scope and quality of these regulations varies widely, but if you want to sell a product in a market, it doesn’t take a lot of effort to find out what regulations may apply.

Design standards have been in existence for a long time. Most purchase orders, at least for custom machinery, contain lists of standards that the equipment is required to meet at Factory Acceptance Testing (FAT).

Why machine builders fail to grasp that using these standards can actually give them a competitive edge, as well as helping them to meet regulatory requirements, I don’t know. If you do, please either comment on this story or send me an email. I’d love to hear your thoughts on this!

Fight this problem by: Doing some research. Understand the market environment in which you sell your products. If you aren’t sure how to do this, use a consultant to assist you. Buy the standards, especially if your client calls them out in their specifications. Read and apply them to your designs.

One great resource for information on regulatory environments and standards applications is the IEEE Product Safety Engineering Society and the EMC-PSTC Listserv that they maintain.

3) Fixed Guard Design

Fixed guarding design is driven by at least two factors: a) preventing people from accessing hazards, and b) allowing raw materials and products into and out of the machinery.

Designers frequently go wrong by selecting a fixed guard where a movable guard is necessary to permit frequent access (say more than once per shift). This is sometimes done in an effort to avoid having to add interlocks to the control systems. Frequently the guard will be removed and replaced a couple of times, and then the screws will be left off, and eventually the guard itself will be left off, leaving the user with an unguarded hazard.

The other common fault with fixed guards relates to the second factor I mentioned — getting raw materials and products in and out of the machine. There are limits on the size of openings that can be left in guards, dependent on the distance from the opening to the hazards behind the guard and the size of the opening itself. Often the only factor considered is the size of the item that needs to enter or exit the machinery.

Both of these faults often occur because the guarding is not designed, but is allowed to happen during machine build. The size and shape of the guards is then often driven by convenience in fabrication rather than by thoughtful design and application of the minimum code requirements.

Fight this problem by: Designing the guards on your product rather than allowing them to happen, based on the outcome of the risk assessment and the limits defined in the standards. Tables for guard openings and safety distances are available in North American, EU and International standards.

4) Movable Guard Interlocking

Movable guards themselves are usually reasonably well done. Note that I am not talking about self-adjusting guards like those found on a table saw, for instance. I am talking about guard doors, gates, and covers.

The problem usually comes with the design of the interlock that is required to go with the movable guard. The first part of the problem goes back to my #1 mistake: Risk Assessment. No risk assessment means that you cannot reasonably hope to get the reliability requirements right for the interlocking system. Next, there are small but significant differences in how the Canadian, US, EU and International standards handle control reliability, and the biggest differences occur in the higher reliability classifications.

In the USA, the standards speak of control reliable circuits (see ANSI RIA R15.06–1999, 4.5.5). This requirement is written in such a way that a single interlocking device, installed with dual channel electrical circuits and suitably selected components, will meet the requirements. No single ELECTRICAL component failure will lead to the loss of the safety function, but a single mechanical fault could.

In Canada, the machinery and robotics standards speak of control reliable systems (see CSA Z432, 8.2.5), not circuits as in the US standards. This requirement is written in such a way that TWO electromechanical interlocking devices are required, one in each electrical channel of the interlocking system. This permits the system to detect mechanical failures such as broken or missing keys, and if different types of interlocking devices are chosen, may also permit detection of efforts to bypass the interlock. Most single mechanical faults and electrical faults will be detected.

In the EU and Internationally, control reliability is much more highly developed. Here, the application of ISO 13849, IEC 62061 or IEC 61508 has taken control reliability to higher levels than anything seen to date in North America. Under these standards, the required Performance Level (PLr) or Safety Integrity Level (SIL) must be known. This is based on the outcome of, you guessed it, the Risk Assessment. No risk assessment, or a poor risk assessment, dooms the designer to likely failure. Significant skill is required to handle the analysis and design of safety-related parts of control systems under these standards.

Fight this problem by: Getting the training you need to properly apply these standards and then using them in your designs.

5) Safety Distances

Safety distances crop up anywhere you don’t have a physical barrier keeping the user away from the hazard. Whether it’s an opening in a fixed guard, a movable guard like a guard door or gate, or a presence-sensing safeguarding device like a light curtain, safety distances have to be considered in the machine design. The easier it is for the user to come in contact with the hazard, the more safety distance matters.

Stopping performance of the machinery must be tested to validate the safety distances used. Failure to get the safety distance right means that your guards will give your users a false sense of security, and will expose them to injury. This will also expose your company to significant liability when someone gets hurt, because they will. It’s only a matter of time.

Fight this problem by: Testing safeguarding devices.

6) Validation

OK, so this list should really be SIX things. Just consider this to be a bonus for reading this far!

Designs, and particularly safety-critical designs, must be tested. Let me say it again:

Safety-Critical Designs MUST Be Tested.

Whatever theory you are working under, whether it’s North American, European, International or something else, you cannot afford to miss the validation step. Without validation you have no evidence that your system worked at all, let alone whether it worked correctly.

Fight this problem by: TESTING YOUR DESIGNS.

A wise man once said: “If you think safety is expensive, try having an accident.” The gentleman was involved in investigating the crash of a Sikorsky S-92 helicopter off the coast of Newfoundland. 17 people died as a result of the failure of two titanium studs that held an oil filter onto the main gearbox, and the fact that the helicopter failed the ‘1/2-hour gearbox run-dry test’ that is required for all new helicopter designs. This was a clear case of failure in the risk assessment process complicated by failure in the test process.