## Presence Sensing Devices – Reaching over sensing fields

This entry is part 2 of 2 in the series Guards and Guarding

I recently heard about an application question related to a light curtain where a small gap existed at the top of the sensing field, between the last beam in the field and the surrounding structure of the machine. There was some concern raised about the gap, and whether or not additional guarding might be needed to close the gap. To answer this question, we need to split it into a few smaller pieces that we can deal with using the tools in the standards.

The first piece to consider is the gap at the top of the sensing field. For this part of the analysis, I’m going to assume that the light curtain is a fixed barrier guard, and we’ll analyse the gap based on that idea.

The second piece of the puzzle is the placement of the light curtain, and we’ll look at that separately. Once we understand the two pieces, we’ll put them together to see if there are any other issues that may need to be addressed.

## The Application

For the purpose of this article, I’ve sketched up the following figures to illustrate the ideas in the article. These drawings don’t represent any actual robot cell or application. Note that the light curtain in the sketch is shown with zero safety distance to the robot envelope. This is NEVER permitted.

## Analyzing The Gap

Light curtains are treated the same way that movable guards are treated, so the answer to this question starts with determining the size of the gap. I’m going to reference two sets of standards in answering this question: CSA and ISO.

Referenced Standards

CSA Z432 2004 [1]: Table 3 – Minimum distance from hazard as a function of barrier opening size

ISO 13857 2008 [2]: Table 4 – Reaching through Regular openings

| CSA Opening Size (e) | CSA Safety Distance (sr) | ISO Opening Size (e) | ISO Safety Distance (sr) |
|---|---|---|---|
| 11.1–16.0 mm [0.376″–0.625″] | Slotted >= 89.0 mm [3.5″]; Square >= 66 mm [2.6″] | Slot 10 < e <= 12; Square/Round 10 < e <= 12 | >= 100 mm; >= 80 mm |
| 49.1–132.0 mm [1.876–5.000″] | Slotted/Square <= 915.0 mm [36.0″] | Slot/Square/Round 40 < e <= 120 mm | <= 850 mm |

The first thing to notice is that CSA and ISO use slightly different opening sizes (e) and safety distances (sr). These differences have their origin in slightly different anthropometric data used to develop the tables. In both cases, the maximum value for e defines the largest opening permitted without additional guarding.

Let’s look at the application to see if the gap between the top-most beam and the edge of the physical guard falls into the bands defined for e.

Based on the sketches of the application, we have a problem: The gap shown above the light curtain is right at the edge of the robot envelope, i.e., the danger zone. We are going to have to either a) move the fence back 915 mm to get the necessary safety distance, or b) close the gap off completely, either with hard guarding or by extending the light curtain to close the gap.

Knowing the size of the gap, we can now decide if the gap should be reduced, or the light curtain moved or enlarged. Since light curtains run about \$125/linear inch, adding an additional plate to reduce the size of the gap is likely the most cost effective choice. We also need to know the distance from the top-most beam of the light curtain to the hazard behind the guard. If that distance is less than 915/850 mm, then we have another problem, since the guarding is already too close to the hazard.

## Analyzing the Light Curtain

The light curtain positioning is driven by the stopping performance of the machine. Again, let’s reference both CSA and ISO for the relevant calculations.

Referenced Standards: CSA Z432 2004 and ISO 13855 2005 [3]

ISO 13855, 5.1 Overall system stopping performance

The overall system stopping performance comprises at least two phases. The two phases are linked by Equation (1):

T = t1 + t2                             (1)

where
T is the overall system stopping performance;
t1 is the maximum time between the occurrence of the actuation of the safeguard and the output signal achieving the OFF-state;
t2 is the stopping time, which is the maximum time required to terminate the hazardous machine function after the output signal from the safeguard achieves the OFF-state. The response time of the control system of the machine shall be included in t2.

t1 and t2 are influenced by various factors, e.g. temperature, switching time of valves, ageing of components.

t1 and t2 are functions of the safeguard and the machine, respectively, and are determined by design and evaluated by measurement. The evaluation of these two values shall include the uncertainties resulting from the measurements, calculations and/or construction.

CSA Z432, Clause 10.11 – Safeguarding device safety distance

The calculation for minimum safe distance between a safeguarding device and the danger zone of a machine shall be as follows:

Ds = [K (Ts + Tc + Tr + Tbm)] + Dpf

where
Ds = minimum safe distance between the safeguarding device and the hazard

K = speed constant: 1.6 m/s (63 in/s) minimum, based on the movement being the hand/arm only and the body being stationary.
Note: A greater value may be required in specific applications and when body motion must also be considered.
Ts = worst stopping time of the machine/equipment

Tc = worst stopping time of the control system

Tr = response time of the safeguarding device, including its interface
Note: Tr for interlocked barrier may include a delay due to actuation. This delay may result in Tr being a deduct (negative value).

Note: Ts + Tc + Tr are usually measured by a stop-time measuring device if unknown.

Tbm = additional stopping time allowed by the brake monitor before it detects stop-time deterioration beyond the end users’ predetermined limits. (For part revolution presses only.)

Dpf = maximum travel towards the hazard within the presence-sensing safeguarding device’s (PSSD) field that may occur before a stop is signaled. Depth penetration factors will change depending on the type of device and application. See Figure 5 for specific values. (If applicable, based on the style of safety device.)

ISO 13855, Clause 6.2.3 – Electro-sensitive protective equipment employing active opto-electronic protective devices with a sensor detection capability of ≤ 40 mm in diameter

6.2.3.1 Calculation

The minimum distance, S, in millimetres, from the detection zone to the hazard zone shall not be less than that calculated using Equation (2):

S = (K x T ) + C                             (2)

where

K = 2 000 mm/s;

C = 8 (d – 14), but not less than 0;

d is the sensor detection capability of the device, in millimetres (mm).

[Author’s Note – T comes from 5.1, above]

Then

S = (2 000 x T ) + 8(d-14)               (3)

Equation (3) applies to all minimum distances of S up to and including 500 mm. The minimum value of S shall be 100 mm.

Where the values for S, calculated using Equation (3), exceed 500 mm, Equation (4) can be used. In this case, the minimum value of S shall be 500 mm.

S = (K x T ) + C                          (2)

where

K = 1 600 mm/s;

C = 8 (d – 14), but not less than 0;

d is the sensor detection capability of the device, in millimetres (mm).

Then

S = (1 600 x T ) + 8(d – 14)               (4)

Key to the accompanying figure: 1 hazard zone; 2 detection zone; 3 fixed guard; S minimum distance; a direction of approach.

The two calculation methods shown above are essentially the same, with the primary difference being the value of K, the “hand-speed constant”. ISO uses a higher value of K for light curtain installations where the field is vertical, or angled as low as 45º. If the calculated value of S is >500 mm, then the value of K is reduced to 1 600 mm/s. Using the higher value of K for a North American installation is not wrong, and will result in a more conservative installation. Use of 1 600 mm/s for machines going into international markets is wrong if S is <500 mm when calculated using 2 000 mm/s.

Let’s assume some values so we can do a representative calculation:

Stopping Time of the system (T) = 265 ms [0.265 s]

Light curtain resolution (d) = 30 mm [1.2″]

Calculating Dpf

Dpf = 8 x (d – 14) = 8 x (30 – 14) = 128

Using K = 2 000 mm/s

S = (2000 x 0.265) + 128 = 658 mm

Since applications where S > 500 mm can be recalculated using K = 1600 mm/s

S = (1 600 x 0.265) + 128 = 552 mm

So, from the above calculation we can see that the distance from the plane of the light curtain to the edge of the robot envelope (i.e., the danger zone) must be at least 552 mm [21.75″]. That distance is enough that some people might be able to stand between the light curtain field and the fixture in the cell, so we should probably add a horizontal light curtain to protect against that possibility. See Figure 7.

Another alternative to adding a horizontal section is to slope the light curtain field, so that the plane of the light curtain is at 45 degrees above the horizontal, with the highest beam as far away from the hazard as possible. See Figure 8.

This type of installation avoids the need to replace the existing light curtain, as long as the field depth is enough to meet the calculated Ds.

The field could also be laid horizontally, with no vertical component. This will change the Dpf calculation as highlighted by the note in Figure 8. Dpf for a horizontal field is calculated using the following equation:

Dpf = 1 200 mm [48″]

therefore

S = (1 600 x 0.265) + 1200 = 1 624 mm

Note also that there is a height restriction placed on horizontal devices based on the object resolution as well, so the 0.3 m maximum height may not apply to an exclusively horizontal application. Note that ISO 13855 allows H a maximum value of 1 000 mm, rather than cutting the value off at 990 mm as done in CSA Z432. Using either the 14 mm or the 30 mm resolution curtains yields a minimum height of 0 mm and a maximum of 990 mm (CSA) or 1 000 mm (ISO). Note that the 3rd Edition of CSA Z432 is likely to harmonize these distances with the ISO calculations, eliminating these differences.

Also note that field heights where H > 300 mm may require additional safeguards in conjunction with the Presence-Sensing Safeguarding Device (PSSD) field.

Going back to our original vertical field installation, there is one more option that could be considered: Reduce the object resolution of the light curtain. If we go down to the smallest object resolution typically available, 14 mm, the calculation looks like this:

Dpf = 8 x (14-14) = 0

S = (2 000 x 0.265) + 0 = 530 mm

Since S > 500,

S = (1 600 x 0.265) + 0 = 424 mm [16.7″]

While we have substantially reduced the safety distance, it looks like we will still need the horizontal light curtain to ensure that no one can stand behind the curtain without being detected.

If the design of the machinery allows, it might be possible to reduce the stopping time of the machine. If you can reduce the stopping time, you will be able to shorten the safety distance required. Note that the safety distance can never go to zero, and can never be less than that determined by the object resolution applied to the reaching-through tables. In this case, a 14 mm opening results in an 89 mm [3.5″] minimum safety distance (CSA). Since the stopping time of the machine can never be zero, 89 mm works out to a stopping time of 44.5 ms using K=2 000 mm/s, or 55.6 ms if K= 1 600 mm/s. Very few machines can stop this quickly.

The calculated safety distance is about half of the safety distance required for the gap, at 915 mm. Clearly, closing the gap with the light curtain or hard guarding will be preferable to moving the fence away from the danger zone by 915 mm.
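The ISO 13855 and CSA Z432 calculations worked through above, collected into one added Python example (it is not code from the standards or from the original article; all function and field names are assumptions of this example). It applies the 100 mm and 500 mm minimum values quoted from Clause 6.2.3.1, so for the 14 mm curtain it reports S = 500 mm and keeps the unfloored 424 mm alongside.

```python
"""Minimum distance for a vertical light curtain, per the clauses quoted above."""
from dataclasses import dataclass

K_FAST = 2000.0  # mm/s, ISO 13855 Equation (3)
K_SLOW = 1600.0  # mm/s, ISO 13855 Equation (4) and the CSA Z432 minimum for K


@dataclass(frozen=True)
class IsoResult:
    k_mm_s: float        # hand-speed constant that ended up being used
    unfloored_mm: float  # (K x T) + C before the clause's minimum is applied
    s_mm: float          # minimum distance S after the 100 mm / 500 mm floor


def intrusion_distance_mm(d_mm):
    """C = 8 (d - 14), but not less than 0. Clause 6.2.3 covers d <= 40 mm only."""
    if not 0 < d_mm <= 40:
        raise ValueError("Clause 6.2.3 applies to detection capability d <= 40 mm")
    return max(0.0, 8.0 * (d_mm - 14.0))


def iso_13855_distance(t_ms, d_mm):
    """Equations (3) and (4): try K = 2 000 mm/s first, fall back to 1 600 mm/s."""
    if t_ms <= 0:
        raise ValueError("overall stopping performance T must be positive")
    c = intrusion_distance_mm(d_mm)
    s3 = K_FAST * t_ms / 1000.0 + c
    if s3 <= 500.0:
        # Equation (3) holds up to and including 500 mm; S is never below 100 mm.
        return IsoResult(K_FAST, s3, max(s3, 100.0))
    # Equation (3) exceeded 500 mm, so Equation (4) may be used, with S >= 500 mm.
    s4 = K_SLOW * t_ms / 1000.0 + c
    return IsoResult(K_SLOW, s4, max(s4, 500.0))


def csa_z432_distance(ts_ms, tc_ms=0.0, tr_ms=0.0, tbm_ms=0.0,
                      dpf_mm=0.0, k_mm_s=K_SLOW):
    """Ds = [K (Ts + Tc + Tr + Tbm)] + Dpf, with K no lower than 1.6 m/s.

    Tr may be negative (a deduct) for an interlocked barrier, per the clause note.
    """
    if k_mm_s < K_SLOW:
        raise ValueError("CSA Z432 gives 1.6 m/s as the minimum speed constant")
    return k_mm_s * (ts_ms + tc_ms + tr_ms + tbm_ms) / 1000.0 + dpf_mm


def max_stopping_time_ms(distance_mm, k_mm_s, c_mm=0.0):
    """Invert S = (K x T) + C: the longest T that a given distance can tolerate."""
    if distance_mm <= c_mm:
        raise ValueError("distance does not even cover the intrusion allowance C")
    return (distance_mm - c_mm) * 1000.0 / k_mm_s


if __name__ == "__main__":
    # Values from the article: T = 265 ms, d = 30 mm and d = 14 mm.
    for d in (30, 14):
        r = iso_13855_distance(265, d)
        print(f"d={d} mm: K={r.k_mm_s:.0f} mm/s, "
              f"unfloored={r.unfloored_mm:.0f} mm, S={r.s_mm:.0f} mm")
    # Horizontal field per the article: Dpf = 1 200 mm.
    print("CSA horizontal:", csa_z432_distance(265, dpf_mm=1200), "mm")
    # Stopping time that an 89 mm distance would demand.
    print("T for 89 mm:", max_stopping_time_ms(89, K_FAST), "ms /",
          max_stopping_time_ms(89, K_SLOW), "ms")
```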

Here’s one more figure to help illustrate these ideas.

Figure 9 shows the difference between the reaching-through or reaching-over light curtain applications. Notice that without a restricting guard above the curtain as we have in our example, the Dpf value goes out to 1 200 mm [48″], rather than the 915 mm value used in our example.

The lower figures show light fence applications, where two or three beams are used, rather than a full coverage light curtain.

## Summary

Here are some of the more important considerations:
1) Is the field of the light curtain placed correctly, based on the stopping performance of the machine?
2) What is the object resolution of the sensing field? This dimension may be used to assess the size of the “openings” in the field if this becomes relevant.
3) What is the height of the lowest and highest beams or the edges of the sensing field?
4) What are the dimensions of the gap above the field of the curtain, and the distance from the opening to the closest hazard?

## Acknowledgements

I’d like to acknowledge my colleague, Christian Bidner, who suggested the idea for this article based on a real-world application he had seen. Christian works for OMRON/STI in their Toronto office.

## References

[1]     Safeguarding of Machinery. CSA Z432. Canadian Standards Association (CSA).  Toronto. 2004.

[2]     Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs. ISO 13857. International Organization for Standardization (ISO). Geneva. 2008.

[3]     Safety of machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body. ISO 13855. International Organization for Standardization (ISO). Geneva. 2010.

Acknowledgements: Figures from CSA Z432, Calculations f more...

## Interlocking Devices: The Good, The Bad and the Ugly

This entry is part 1 of 2 in the series Guards and Guarding

Note: A shorter version of this article was published in the May-2012 edition of  Manufacturing Automation Magazine.

When designing safeguarding systems for machines, one of the basic building blocks is the movable guard. Movable guards can be doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine control system so that the hazards covered by the guards will be effectively controlled when the guard is opened.

There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

## The Hierarchy of Controls

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment first, start there, and then come back to this point in the process. You can find more  information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks. The hierarchy is defined in [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Each level is applied until the available measures are exhausted, or cannot be applied without destroying the purpose of the machine, allowing the designer to move to the next lower level.

Engineering controls are subdivided into a number of different sub-groups. Only movable guards are required to have interlocks. There are a number of similar types of guards that can be mistaken for movable guards, so let’s take a minute to look at a few important definitions.

Table 1 – Definitions

| International [1] | Canadian [2] | USA [10] |
|---|---|---|
| 3.27 guard: physical barrier, designed as part of the machine to provide protection. NOTE 1 A guard may act either alone, in which case it is only effective when “closed” (for a movable guard) or “securely held in place” (for a fixed guard), or in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard. NOTE 2 Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard. NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements. | Guard — a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc. | 3.22 guard: A barrier that prevents exposure to an identified hazard. E3.22 Sometimes referred to as “barrier guard.” |
| 3.27.4 interlocking guard: guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed: the hazardous machine functions “covered” by the guard cannot operate until the guard is closed; if the guard is opened while hazardous machine functions are operating, a stop command is given; and when the guard is closed, the hazardous machine functions “covered” by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions). NOTE ISO 14119 gives detailed provisions. | Interlocked barrier guard — a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area. | 3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard. |
| 3.27.2 movable guard: guard which can be opened without the use of tools | Movable guard — a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered. | 3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated. E3.37 There are two types of movable barrier devices: Type A, which encloses the hazard area during the complete machine cycle; Type B, which encloses the hazard area during the hazardous portion of the machine cycle. |
| 3.28.1 interlocking device (interlock): mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed) | Interlocking device (interlock) — a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed). | No definition |
| 3.27.5 interlocking guard with guard locking: guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed: the hazardous machine functions “covered” by the guard cannot operate until the guard is closed and locked; the guard remains closed and locked until the risk due to the hazardous machine functions “covered” by the guard has disappeared; and when the guard is closed and locked, the hazardous machine functions “covered” by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions). NOTE ISO 14119 gives detailed provisions. | Guard locking device — a device that is designed to hold the guard closed and locked until the hazard has ceased. | No definition |

As you can see from the definitions, movable guards can be opened without the use of tools, and are generally fixed to the machine along one edge. Movable guards are always associated with an interlocking device. Guard selection is covered very well in ISO 14120 [11]. This standard contains a flowchart that is invaluable for selecting the appropriate style of guard for a given application.

Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

## Electrical vs. Mechanical Interlocks

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

### Mechanical Interlocks

Figure 2, from ISO 14119 [7, Fig. H.1, H.2 ], shows one example of a mechanical interlock.  In this case, when cam 2 is rotated into the position shown in a), the guard cannot be opened. Once the hazardous condition behind the guard is effectively controlled, cam 2 rotates to the position in b), and the guard can be opened.

Arrangements that use the open guard to physically block operation of the controls can also be used in this way. See Figure 3 [7, Fig. C.1, C.2].

### Fluid Power Interlocks

Figure 4, from [7, Fig. K.2], shows an example of two fluid-power valves used in complementary mode on a single sliding gate.

In this example, fluid can flow from the pressure supply (the circle with the dot in it at the bottom of the diagram) through the two valves to the prime-mover, which could be a cylinder, or a motor or some other device when the guard is closed (position ‘a’). There could be an additional control valve following the interlock that would provide the normal control mode for the device.

When the guard is opened (position ‘b’), the two valve spools shift to the second position, the lower valve blocks the pressure supply, and the upper valve vents the pressure in the circuit, helping to prevent unexpected motion from trapped energy.

If the spring in the upper valve fails, the lower spool will be driven by the gate into a position that will still block the pressure supply and vent the trapped energy in the circuit.

### Electrical Interlocks

By far the majority of interlocks used on machinery are electrical. Electrical interlocks offer ease of installation, flexibility in selection of interlocking devices, and a range of complexity from simple to extremely complex. The architectural categories cover any technology, whether it is mechanical, fluidic, or electrical, so let’s have a look at architectures first.

### Architecture Categories

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single-channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable (see RIA R15.06, 1999). In the EU, there are five levels of control reliability, defined as Performance Levels (PL) given in ISO 13849-1 [4]: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. Figure 5 shows how these architectures line up.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the PLs in [4], but they are similar. [5] is based on IEC 61508 [6], a well-respected control reliability standard used in the process industries. [5] is not well suited to applications involving hydraulic or pneumatic elements.

The orange arrow in Figure 5 highlights the fact that the definition in the CSA standards results in a more reliable system than the ANSI/RIA definition because the CSA definition requires TWO (2) separate physical switches on the guard to meet the requirement, while the ANSI/RIA definition only requires redundant circuits, but makes no requirement for redundant devices. Note that the arrow representing the ANSI/RIA Control reliability category falls below the ISO Category 3 arrow due to this same detail in the definition.

Note that Figure 5 does not address the question of PL’s or SIL’s and how they relate to each other. That is a topic for another article!

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single-channel-monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

## Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocking systems can be purely mechanical, purely electrical or a combination of these.

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Images of interlocking devices used in this article are representative of some of the types and manufacturers available, but should not be taken as an endorsement of any particular make or type of device. There are lots of manufacturers and unique models that can fit any given application, and most manufacturers have similar devices available.

Photo 1 shows a safety-rated, direct-drive roller cam switch used as half of a complementary switch arrangement on a gate interlock. The integrator failed to cover the switches to prevent intentional defeat in this application.

Photo 2 shows a ‘microswitch’ used for interlocking a machine cover panel that is normally held in place with fasteners, and so is a ‘fixed guard’ as long as the fasteners require a tool to remove. Fixed guards do not require interlocks under most circumstances. Some product family standards do require interlocks on fixed guards due to the nature of the hazards involved.

Microswitches are not safety-rated and are not recommended for use in this application. They are easily defeated and tend to fail to danger in my experience.

Requirements for interlocking devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7], [2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 & 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

## Guard Locking

Interlocking devices are often used in conjunction with  guard locking. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. In some cases the guard may be locked closed to protect the process rather than the operator, or for other reasons.

Safety distance is the distance between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations given in [2] and ISO 13855 [9]. This calculation uses a ‘hand-speed constant’, called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward when standing in front of the opening. In North America, K is usually 63 inches/second, or 1600 mm/s. Internationally and in the EU, there are two speeds, 2000 mm/s, used for an approach perpendicular to the plane of the guard, or 1600 mm/second for approaches at 45 degrees or less [9]. 2000 mm/s is used with movable guards, and is approximately equivalent to 79 inches/second. Using the International approach, if the value of Ds is greater than 500 mm when calculated using K = 2 000, then [9] permits the calculation to be done using K = 1 600 instead.

Using the stopping time of the machinery and K, the minimum safety distance can be calculated.

Eq. 1              Ds = K x Ts

Using Equation 1 [2], assume you have a machine that takes 250 ms to stop when the interlock is opened. Inserting the values into the equation gives you a minimum safety distance of:

Example 1             Ds = 63 in/s x 0.250 s = 15.75 inches

Example 2             Ds = 2000 mm/s x 0.250 s = 500 mm

As you can see, the International value of K gives a more conservative value, since 500 mm is approximately 20 inches.

Note that I have not included the ‘Penetration Factor’, Dpf in this calculation. This factor is used with presence sensing safeguarding devices like light curtains, fences, mats, two-hand controls, etc. This factor is not applicable to movable, interlocked guards.

Also important to consider is the amount the guard can be opened before activating the interlock. This will depend on many factors, but for simplicity, consider a hinged gate on an access point. If the guard uses two hinge-pin style switches, you may be able to open the gate a few inches before the switches rotate enough to detect the opening of the guard. In order to determine the opening size, you would slowly open the gate just to the point where the interlock is tripped, and then measure the width of the opening. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then determine how far the guard must be from the hazards behind it. If that distance is greater than what is available, you could remove one hinge-pin switch, and replace it with another type mounted on the post opposite the hinges. This could be a keyed interlock like Photo 3, or a non-contact device like Photo 5. This would reduce the opening width at the point of detection, and thereby reduce the safety distance behind the guard. But what if that is still not good enough?

If you have to install the guard closer to the hazard than the minimum safety distance, locking the guard closed and monitoring the stand-still of the machine allows you to ignore the safety distance requirement because the guard cannot be opened until the machinery is at a standstill, or in a safe state.

Guard locking devices can be mechanical, electromagnetic, or any other type that prevents the guard from opening. The guard locking device is only released when the machine has been made safe.

There are many types of safety-rated stand-still monitoring devices available now, and many variable-frequency drives and servo drive systems are available with safety-rated stand-still monitoring.

## Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration exposures in the application. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, damp, corrosive environment will also lead to premature failure.

Interlock device manufacturers have a variety of non-contact interlocking devices available today that use coded RF signals or RF ID technologies to ensure that the interlock cannot be defeated by simple measures, like taping a magnet to a reed switch. The Jokab EDEN system is one example of a system like this that also exhibits IP65 level resistance to moisture and dust. Note that systems like this include a safety monitoring device and the system as a whole can meet Control Reliable or Category 3 / 4 architectural requirements when a simple interlock switch could not.

The device standards do provide some guidance in making these selections, but it’s pretty general.

### Fault Exclusion

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the International and EU standards can use fault exclusion, but be aware that significant documentation supporting the exclusion of each fault is needed.

## Defeat resistance

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.

Figure 6 [7, Fig. 10] shows a key-operated switch, like the Schmersal AZ15, installed with a cover that is intended to further guard against defeat. The key, sometimes called a ‘tongue’, used with the switch prevents defeat using a flat piece of metal or a knife blade. The cover prevents direct access to the interlocking device itself. Use of tamper-resistant hardware will further reduce the likelihood that someone can remove the key and insert it into the switch, bypassing the guard.

The International and EU standards do not require the devices to be inherently defeat resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Photo 6 shows one type of tamper-resistant fastener made by Inner-Tite [13]. Photo 7 shows fasteners with uniquely keyed keyways made by Bryce Fastener [14], and Photo 8 shows more traditional tamperproof fasteners from the Tamperproof Screw Company [15]. Using fasteners like these will result in the highest level of security in a threaded fastener. There are many different designs available from a wide variety of manufacturers.

Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.

## How to select the right device

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry? Is it wet (i.e., with cutting fluid, oil, water, etc.)? Is it abrasive (dusty, sandy, chips, etc.)? Is it indoors or outdoors and subject to wide temperature variations?

Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 [4] for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance? What about device monitoring or annunciation?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.

The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject for a series of articles!

## References

[1] Safety of machinery – General principles for design – Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010

[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)

[3] Industrial Robots and Robot Systems – General Safety Requirements, CSA Standard Z434, 2003 (R2008)

[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006

[5] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005

[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X

[7] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO Standard 14119, 1998

[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11, 2008

[9] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO Standard 13855, 2010

[10] American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI Standard B11.19, 2003

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO Standard 14120, 2002

[12] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO Standard 13857, 2008

## Hockey Teams and Risk Reduction or What Makes Roberto Luongo = PPE

This entry is part 1 of 3 in the series Hierarchy of Controls

Special Co-Author, Tom Doyle

Last week we saw the Boston Bruins earn the Stanley Cup. I was rooting for the green, blue and white, and the ruin of my voice on Thursday was ample evidence that no amount of cheering helped. While I was watching the game with friends and colleagues, I realized that Roberto Luongo and Tim Thomas were their respective team’s PPE*. Sound odd? Let me explain.

## Risk Assessment and the Hierarchy of Controls

Equipment designers need to understand OHS* risk. The only proven method for understanding risk is risk assessment. Once that is done, the next play in the game is the reduction of risks by eliminating hazards wherever possible and controlling those that remain.

Control comes in a couple of flavours:

• Hazard modification to reduce the severity of injury, or
• probability modification to reduce the probability of a worker coming together with the hazard.

These ideas have been formalized in the Hierarchy of Controls. Briefly, the Hierarchy starts with hazard elimination or substitution, and flows down through engineering controls, information for use, administrative controls and finally PPE. As you move down through the Hierarchy, the effectiveness and the reliability of the measures declines.

It’s important to recognize that we haven’t done a risk assessment in writing this post. This step was skipped for the purpose of this example—to apply the hierarchy correctly, you MUST start with a risk assessment!

So how does this relate to Hockey?

## Hockey and the Hierarchy of Controls

### Hazard Identification and Exposure to Risk

If we consider the goal as the worker (the thing we don’t want “injured”), the puck as the hazard, and the act of scoring a goal as the act of injuring a person, then the rest quickly becomes clear.

### Level 1: Hazard Elimination

By definition, if we eliminate the puck, we no longer have a game. We just have a bunch of big guys skating around in cool jerseys with sticks, maybe having a fight or two, because they’re bored or just don’t know what else to do. Since we want to have a game, either to play or to watch, we have to allow the risk of injury to exist. We could call this the “intrinsic risk”, as it is the risk that exists before we add any controls.

### Level 2: Hazard Substitution

The Center and the Wingers (collectively the “Forwards” or the “Offensive Line”), act as hazard “substitution”. We’ve already established that elimination of the hazard results in the loss of the intended function—no puck, no game. The forwards only let the other team have the puck on rare occasion, if they’re playing well. This is a great idea, but still a little too optimistic after all. Both teams are trying to get the puck in the opposing net and both teams have qualified to play the final game. If they fail to keep the puck beyond the other team’s blue line, or at least beyond the center line, then the next layer of protection kicks in, with the Defensive Line.

### Level 3: Engineering Controls

As the puck moves down the ice, the Defensive Line engages the approaching puck, attempting to block access to the area closer to the goal. They act as a movable barrier between the net and the puck. They will do whatever is necessary to keep the hazard from coming in contact with the net. As engineering controls, their coordination and positioning are critical in ensuring success.

The system will fail if the controls have poor:

• positioning,
• choice of materials (players),
• timing, etc.

These risk controls fail regularly, so are less desirable than having the Forward Line handle Risk Control.

### Level 4: Information for Use and Awareness Means

In a hockey game, the information for use is the rule book. This information tells players, coaches, and officials how the game is to be played, and what the intended use of the game should be. Activities like spearing, tripping, and blind-side checks are not permitted.

The awareness means are provided by the roar of the fans. As the puck heads for the home-team’s goal, the home fans will roar, letting the team know, if they don’t know already, that the goal is at risk from the puck. Hopefully the defensive line can react in time and get between the puck and the net.

### Level 5: Administrative Controls

Information for use from the previous step is the basis for all the following controls. The team’s coaches, or “supervisors”, use this information to give training in the form of hockey practice. The Forward Line and Defensive Line could be considered the Suppliers and Users. They all need to know what to do to avoid hazardous situations, and what to do when one arises, to reduce the number of potential failures.

A “Permit to Work” is given to the players by the coach when they form the lines. The coach ensures that the right people are on the ice for each set of circumstances, deciding when line changes happen as the game progresses, adapting the people permitted to work to the specific conditions on the ice.

### Level 6: Personal Protective Equipment (PPE)

All of this brings me to Roberto Luongo and Tim Thomas. So how is a Goalie like PPE?

Goalies are the “last-ditch” protection. It’s clear that the first 5 levels of the hierarchy don’t always work, since every type of control, even hazard elimination, has failure modes. To give a bit of backup, we should make sure that we add extra protection in the form of PPE.

The puck wasn’t eliminated, since having a hockey game is the point, after all. The puck wasn’t kept distant by the Forward Line. The Defensive Line failed to maintain safe distance between the goal and the puck, and now all that is left is the goalie (or your protective eyewear, boots, hardhat, or whatever). In the 2011 Stanley Cup Final game, Luongo equaled long pants and long sleeves, while Thomas equaled a suit of armour. The Bruins’ “PPE” afforded superior protection in this case.

As anyone who has used protective eyewear knows, particles can get by your eyewear. There are lots of factors, including how well they fit, if you’re wearing them (properly or at all!), etc. If the gear is fitted and used properly by a person who understands WHY and HOW to use the equipment, then the PPE is more like Tim Thomas, and you may be able to “shut out” injury. Most of the time. Remember that even Tim Thomas misses stopping some shots on goal and the other guys can still score.

When your PPE doesn’t fit properly, isn’t selected properly, is worn out (or psyched out as the case may be), or isn’t used properly, then it’s more like Roberto Luongo. Sometimes it works perfectly, and life is good. Sometimes it fails completely and you end up injured or worse.

Goalies are also like PPE because they are RIGHT THERE. Right before injury will occur. PPE is RIGHT THERE, protecting you—5 mm from the surface of your eye, or in your ear, 2 mm from your ear drum. By this point the harmful energy is RIGHT THERE, ready to hurt you, and injury is imminent. A simple misplacement or bad fit condition and you’re blinded or deaf or… well you get the idea!

On Wednesday night, 15-Jun-2011, everything failed for the Vancouver Canucks. The team’s spirit was down, and they went into the game thinking “We just don’t want to lose!” instead of Boston’s “We’re taking that Cup home!”. Even the touted Home Ice Advantage wasn’t enough to psych out the Bruins, and in the end I think it turned on the Canucks as the fans realized that the game was lost. The warnings failed, the guards failed, and the PPE failed. Somebody got hurt, and unfortunately for Canadian fans, it was the Canucks. Luckily it wasn’t a fatality! Even being #2 in the NHL is a long stretch better than filling a cooler drawer in the morgue.

So the next time you’re setting up a job, an assembly line, a new machine, or a new workplace, check out your team and make sure that you’ve got the right players on the ice. You only get one chance to get it right. Sure, you can change the lines and upgrade when you need to, but once someone scores a goal, you have an injured person and bigger problems to deal with.

Special thanks to Tom Doyle for his contributions to this post!

*PPE: Personal Protective Equipment; OHS: Occupational Health and Safety