CSA Z1002 Public Review — Only 15 days left!

Only 15 days remain to get your thoughts sub­mit­ted on the draft of CSA Z1002. Do it now!

Today is Fri­day 4-Mar-2011, mark­ing 45 days into the pub­lic review peri­od for CSA Z1002Occu­pa­tion­al Health and Safe­ty Haz­ard Iden­ti­fi­ca­tion and Elim­i­na­tion and Risk Assess­ment and Con­trol.

If you down­loaded the draft from the CSA web site, remem­ber that the PDF will lock on 17-Mar, and you will no longer be able to do any­thing with it. If you haven’t looked at it yet, NOW IS THE TIME! Com­ments must also be sub­mit­ted by the 17th, so please sub­mit them as soon as pos­si­ble. No sub­mis­sions will be accept­ed after the 17th of March!

If you don’t have the draft already, get it here. Com­ments can be sub­mit­ted in the same place as you down­load the draft. DO NOT SUBMIT COMMENTS TO THIS BLOG.

If you need more infor­ma­tion on the draft or on sub­mis­sion of com­ments, please con­tact the CSA Project Man­ag­er, Ms. Eliz­a­beth Rankin, elizabeth.rankin’at’csa.ca, +1 (416) 747‑2011.

Reader Question: Multiple E-Stops and Resets

Control Panel with Emergency Stop Button.I had an inter­est­ing ques­tion come in from a read­er today that is rel­e­vant to many sit­u­a­tions:

When you have mul­ti­ple E-Stop but­tons I have often got­ten into an argu­ment that says you can have a reset beside each one. I was taught that you were required to have a sin­gle point of reset. Who is cor­rect?”

— Michael Barb, Sr. Elec­tri­cal Engi­neer

The Short Answer

There is noth­ing in the EU, US or Cana­di­an reg­u­la­tions that would for­bid hav­ing mul­ti­ple reset but­tons. How­ev­er, you must under­stand the over­lap­ping require­ments for emer­gency stop and pre­ven­tion of unex­pect­ed start-up.

The Long Answer:

First I need to define two dif­fer­ent types of reset for clar­i­ty:

  1. Emer­gency Stop Device Reset: Each e-stop device, i.e. but­ton, pull cord, foot switch, etc., is required to latch in the acti­vat­ed state and must be indi­vid­u­al­ly reset. Reset­ting the e-stop device is NOT per­mit­ted to re-start the machin­ery, only to per­mit restart­ing. (NFPA 79, CSA Z432, ISO 14118).
  2. Restart­ing the machine is a sep­a­rate delib­er­ate action from reset­ting the emer­gency stop device(s).

ANSI B11-2008 pro­vides some direct guid­ance on this top­ic:

7.2.2 Zones

A machine or an assem­bly of machines may be divid­ed into sev­er­al con­trol zones (e.g., for emer­gency stop­ping, stop­ping as a result of safe­guard­ing devices, start-up, iso­la­tion or ener­gy dis­si­pa­tion). The machine and con­trols in dif­fer­ent zones shall be defined and iden­ti­fied. Con­trols for machines in zones can be local for each machine, across sev­er­al machines in a zone, or glob­al­ly for machines across zones. The con­trol require­ments shall be based on the oper­a­tional require­ments and on the risk assessment.The inter­faces between zones, includ­ing syn­chro­niza­tion and inde­pen­dent oper­a­tion, shall be designed such that no func­tion in one zone cre­ates a hazard(s) / haz­ardous sit­u­a­tion in anoth­er zone.

CSA Z432-04 has sim­i­lar word­ing:

When zones can be deter­mined, their delim­i­ta­tions shall be evi­dent (includ­ing the effect of the asso­ci­at­ed emer­gency stop device). This shall also apply to the effect of iso­la­tion and ener­gy dis­si­pa­tion.

Let’s take a case with a sin­gle e-stop but­ton first. The same require­ments apply for all e-stop devices. The require­ments include:

  1. But­ton must be in ‘easy-reach’ of the nor­mal oper­a­tor posi­tion. I con­sid­er ‘easy-reach’ to be the range I can touch while sit­ting or stand­ing at the nor­mal oper­a­tor posi­tion. This posi­tion is not nec­es­sar­i­ly in front of the con­trol pan­el. This is the posi­tion where the oper­a­tor is expect­ed to be while car­ry­ing out the tasks expect­ed of them when the machine is oper­at­ing. This is the require­ment that dri­ves hav­ing mul­ti­ple but­tons in most cas­es.
  2. E-stop devices can­not be locat­ed so that the oper­a­tor must reach over or past a haz­ard to acti­vate them.
  3. The but­ton must latch in the oper­at­ed posi­tion.
  4. The but­ton must be robust enough to han­dle the mechan­i­cal and elec­tri­cal stress­es that will be placed on it when used. i.e. rugged but­tons are required.
  5. When the e-stop device is reset — i.e returned to the ‘RUN’ posi­tion — the machine is NOT per­mit­ted to restart. It is only PERMITTED to restart. It must be restart­ed through anoth­er delib­er­ate action, like press­ing a ‘Pow­er On’ but­ton.

So what do you do with the ‘POWER ON’ or safe­ty cir­cuit reset but­ton? The first ques­tion to ask is: ‘What hap­pens when I reset this cir­cuit, apply­ing pow­er to the con­trol cir­cuits?”

Case A: If it is impos­si­ble to see the entire machine from the loca­tion of the reset but­ton, then I would rec­om­mend a sin­gle reset but­ton locat­ed at the HMI or main con­sole. The oper­a­tor must check to make sure the machine is clear before re-apply­ing pow­er. Where the machine is too big to be com­plete­ly vis­i­ble from the main oper­a­tor con­sole, then I would also rec­om­mend:

  • warn­ing horn,
  • warn­ing lights, and
  • a start-up delay that is long enough to allow a per­son to get clear of the machine before it starts mov­ing.

Case B: If the machine is sim­ply ‘enabled’ at this point, but no motion occurs, then mul­ti­ple ‘reset’ or ‘pow­er on’ but­tons may be accept­able, depend­ing on the out­come of the risk assess­ment and start/stop analy­sis. Hav­ing said that, the oper­a­tor will like­ly have to return to a main con­sole to reset the machine and restart oper­a­tion, and chances are there is only one HMI screen on the machine, so there may not be any advan­tage to hav­ing mul­ti­ple reset but­tons.

I would rec­om­mend doing two things to get a good han­dle on this: Con­duct a detailed risk assess­ment and include all nor­mal oper­a­tions and all main­te­nance oper­a­tions. Then con­duct a start/stop analy­sis to look at all of the start­ing and stop­ping con­di­tions that you can rea­son­ably fore­see. Com­bine the results of these two analy­ses to find the start­ing and stop­ping con­di­tions with the high­est risk, and then deter­mine if hav­ing mul­ti­ple reset but­tons will con­tribute to the risk or not. You may also want to look at the con­trol reli­a­bil­i­ty require­ments for the emer­gency stop sys­tem based on the out­come of the risk assess­ment and the start/stop analy­sis.

In a case where there are mul­ti­ple emer­gency stop devices, loca­tions are impor­tant. There must be one at each nor­mal work­sta­tion to meet the reg­u­la­to­ry require­ments in most juris­dic­tions, and with­in ‘easy reach’. You may also want some inside the machine if it is pos­si­ble to gain full body access inside the machin­ery. i.e. inside a robot work cell. Make sure that the but­tons or oth­er devices are locat­ed so that a per­son exposed to the hazard(s) inside the machine is not required to reach over or past the haz­ard to get to the but­ton.

Michael, I hope that set­tles the argu­ment!

Understanding Risk Assessment

When peo­ple dis­cuss ‘Risk’ there are a lot of dif­fer­ent assump­tions made about what that means. For me, the study of risk and risk assess­ment tech­niques start­ed in 1995. As a tech­nol­o­gist and con­trols design­er, I had to some­how wrap my head around the whole con­cept in ways I’d nev­er con­sid­ered. If you’re try­ing to fig­ure out risk and risk assess­ment this is a good place to get start­ed!

What is risk?

From a machin­ery per­spec­tive, ISO 12100:2010 defines risk as:

com­bi­na­tion of the prob­a­bil­i­ty of occur­rence of harm and the sever­i­ty of that harm”

Risk can have pos­i­tive or neg­a­tive out­comes, but when con­sid­er­ing safe­ty, we only con­sid­er neg­a­tive risk, or events that result in neg­a­tive health effects for the peo­ple exposed.

The risk rela­tion­ship is illus­trat­ed in ISO 12100:2010 Fig­ure 3:

ISO 12100-2010 Figure 3
ISO 12100–2010 Fig­ure 3


R = Risk

S = Sever­i­ty of Harm

P = Prob­a­bil­i­ty of Occur­rence of Harm

The Prob­a­bil­i­ty of Occur­rence of Harm fac­tor is often fur­ther bro­ken down into three sub-fac­tors:

  • Prob­a­bil­i­ty of Expo­sure to the haz­ard
  • Prob­a­bil­i­ty of Occur­rence of the Haz­ardous Event
  • Prob­a­bil­i­ty of Lim­it­ing or Avoid­ing the Harm

How is risk measured?

In order to esti­mate risk a scor­ing tool is need­ed. There is no one ‘cor­rect’ scor­ing tool, and there are flaws in most scales that can result in blind-spots where risks may be over or under-esti­mat­ed.

At the sim­plest lev­el are ‘screen­ing’ tools. These tools use very sim­ple scales like ‘High, Medi­um, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspec­tion and are intend­ed to pro­vide a quick method of cap­tur­ing obser­va­tions and giv­ing a gut-feel assess­ment of the risk involved. These tools should be used as a way to iden­ti­fy risks that need addi­tion­al, detailed assess­ment. To get an idea of what a good screen­ing tool can look like, have a look at the SOBANE Déparis sys­tem.

Every scor­ing tool requires a scale for each risk para­me­ter includ­ed in the tool. For instance, con­sid­er the CSA tool described in CSA Z434:

CSA Z434-03 Table 1As you can see, each para­me­ter (Sever­i­ty, Expo­sure and Avoid­ance) has a scale, with two pos­si­ble selec­tions for each para­me­ter.

When con­sid­er­ing selec­tion of a scor­ing tool, it’s impor­tant to take some time to real­ly exam­ine the scales for each fac­tor. The scale shown above has a glar­ing hole in one scale. See if you can spot it and I’ll tell you what I think a bit lat­er in this post.

There are more than 350 dif­fer­ent scales and method­olo­gies avail­able for assess­ing risk. You can find a good review of some of them in Bruce Main’s text­book “Risk Assess­ment: Basics and Bench­marks” avail­able from DSE online.

A sim­i­lar, although dif­fer­ent, tool is found in Annex 1 of ISO 13849–1. Note that this tool is pro­vid­ed in an Infor­ma­tive Annex. This means that it is not part of the body of the stan­dard and is NOT manda­to­ry. In fact, this tool was pro­vid­ed as an exam­ple of how a user could link the out­put of a risk assess­ment tool to the Per­for­mance Lev­els described in the nor­ma­tive text (the manda­to­ry part) of the stan­dard.

Con­sid­er cre­at­ing your own scales. There is noth­ing wrong with deter­min­ing what char­ac­ter­is­tics (para­me­ters) you want to include in your risk assess­ment, and then assign­ing each para­me­ter a numer­ic scale that you think is suit­able; 1–10, 0–5, etc. Some scales may be invert­ed to oth­ers, for exam­ple: If the Sever­i­ty scale runs from 0–10, the Avoid­abil­i­ty scale might run from 10–0 (Unavoid­able to Entire­ly Avoid­able).

Once the scales in your tool have been defined, doc­u­ment the def­i­n­i­tions as part of your assess­ment.

Who should conduct risk assessments?

Lake YogaIn many orga­ni­za­tions, I find that risk assess­ment has been del­e­gat­ed to one per­son. This is a major mis­take for a num­ber of rea­sons. Risk assess­ment is not a solo activ­i­ty for a ‘guru’ in a lone­ly office some­where!

Risk assess­ment is not a lot of fun to do, and since risk assess­ments can get to be quite involved, it rep­re­sents a sig­nif­i­cant amount of work to put on one per­son. Also, leav­ing it to one per­son means that the assess­ment will nec­es­sar­i­ly be biased to what that per­son knows, and may miss sig­nif­i­cant haz­ards because the asses­sor doesn’t know enough about that haz­ard to spot it and assess it prop­er­ly.

Risk assess­ment requires mul­ti­ple view­points from par­tic­i­pants with var­ied exper­tise. This includes users, design­ers, engi­neers, lawyers and those who may have spe­cial­ized knowl­edge of a par­tic­u­lar haz­ard, like a Laser Safe­ty Offi­cer or a Radi­a­tion Safe­ty Offi­cer. The var­ied exper­tise of the peo­ple involved will allow the com­mit­tee to bal­ance the opin­ion of each haz­ard, and devel­op a more rea­soned assess­ment of the risk.

I rec­om­mend that risk assess­ment com­mit­tees nev­er be less than three mem­bers. Five is fre­quent­ly a good num­ber. Once you get beyond five, it becomes increas­ing­ly dif­fi­cult to obtain con­sen­sus on each haz­ard. Also, con­sid­er the cost. As each com­mit­tee mem­ber is added to the team, the cost of the assess­ment can esca­late expo­nen­tial­ly.

Train­ing in risk assess­ment is cru­cial to suc­cess. Ensure that the indi­vid­u­als involved are trained, and that at least one has some pre­vi­ous expe­ri­ence in the prac­tice so that they may guide the com­mit­tee as need­ed.

When should a risk assessment be conducted?

Risk Assessment Lifetime Flow Chart
Risk Assess­ment in the Life­time of a Prod­uct

Risk assess­ment should begin at the begin­ning of a project, whether it’s the design of a prod­uct, the devel­op­ment of a process or ser­vice, or the design of a new build­ing. Under­stand­ing risk is crit­i­cal to the design process. Cost for changes made at the begin­ning of a project are min­i­mal com­pared to those that will be incurred to cor­rect prob­lems that might have been fore­seen at the start. Risk assess­ment should start at the con­cept stage and be includ­ed at each sub­se­quent stage in the devel­op­ment process. The accom­pa­ny­ing graph­ic illus­trates this idea.

Essen­tial­ly, risk assess­ment is nev­er fin­ished until the prod­uct, process or ser­vice ceas­es to exist.

What tools are available?

As men­tioned ear­li­er in this post, the book ‘Risk Assess­ment: Basics and Bench­marks” pro­vides an overview of rough­ly 350 dif­fer­ent scor­ing tools. You can search the Inter­net and turn up quite a few as well. The key thing with all of these sys­tems is that you will need to devel­op any soft­ware based tools your­self. Depend­ing on your com­fort with soft­ware, this might be a spread­sheet for­mat, a word pro­cess­ing doc­u­ment a data­base, or some oth­er for­mat that works for your appli­ca­tion.

There are a num­ber of risk assess­ment soft­ware tools avail­able as well, includ­ing ISI’s CIRSMA™ and DSE’s Design­Safe. As with the scor­ing tools, you need to be care­ful when eval­u­at­ing tools. Some have sig­nif­i­cant blind spots that may trip you up if you are not aware of their lim­i­ta­tions.

Remem­ber too that the out­put from the soft­ware can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assess­ment.

Where can you get training?

There are a few places to get train­ing. Com­pli­ance InSight Con­sult­ing pro­vides train­ing to cor­po­rate clients and will be launch­ing a series of web-based train­ing ser­vices in 2011 that will allow indi­vid­ual learn­ers to get train­ing too.

The IEEE PSES oper­ates a Risk Assess­ment Tech­ni­cal Com­mit­tee that is open to the pub­lic as well. See the RATC web site.

The Answer to the Scale Question

The Expo­sure Scale in the CSA tool has a gap between E1 and E2. Look­ing at the def­i­n­i­tions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Expo­sures that occur once per hour or less, but more than once per day can­not be scored effec­tive­ly using this scale.

Also, notice the Sever­i­ty scale: S1 encom­pass­es injuries requir­ing not more than basic first aid. One com­mon ques­tion I get is “Does that include CPR*?”. This ques­tion comes up because most basic first aid cours­es taught in Cana­da include CPR as part of the course. There is no clear answer for this in the stan­dard. The S2 fac­tor extends from injuries requir­ing more than basic first aid, like a bro­ken fin­ger for instance, all the way to a fatal­i­ty. Does it make sense to group this broad range of injuries togeth­er? This def­i­n­i­tion doesn’t quite match with the Province of Ontario’s def­i­n­i­tion of a Crit­i­cal Injury found in Reg­u­la­tion 834 either.

All of this points to the need to care­ful­ly assess the scales that you choose before you start the process. Choos­ing the wrong tool can skew your results in ways that you may not be very hap­py about.

*Car­dio-Pul­monary Resus­ci­ta­tion