You can’t argue with Free Stuff! Last week we partnered with Schmersal Canada and Franklin Empire to put on three days of Free Safety Talks. We had full houses in all three locations, Windsor, London and Cambridge, with nearly 60 people participating.
We had two great presenters who helped people understand Pre-Start Health and Safety Reviews (PSRs) [1], CSAZ432-2016 [2], Interlocking Devices [3] and Fault Masking [4].
Mr Vashi at Franklin Empire Cambridge
Franklin Empire provided us with some great facilities and breakfast to keep our minds working. Thanks, Franklin Empire and Ben Reid who organized all of the registrations!
Mr Nix discussing injury rates in machine modes of operation
Reason #2 — Understanding Interlocking Devices
Mr Kartik Vashi, CFSE
Mr Kartik Vashi, CFSE, discussed the ISO Interlocking Device standard, ISO 14119. This standard provides readers with guidance in the selection and application of interlocking devices, including the four types of interlocking devices and the various coding options for each type. Did you know that ISO 14119 is also directly referenced in CSAZ432-16 [2]? That means this standard is applicable to machinery built and used in Canada as of 2016. If you don’t know what I’m talking about, you can contact Mr Vashi to get more information.
ISO 14119 Fig 2 showing some aspects of different types of interlocking devices [3]
Reason #3 — Understanding Fault Masking
Mr Vashi also talked about fault masking, an important and often misunderstood situation that can occur when interlocking devices or other electromechanical devices, like emergency stop buttons, are daisy-chained into a single safety relay or safety input on a safety PLC. Mr Vashi drew from ISO/TR 24119 to help explain this phenomenon. If you don’t understand the impact that daisy-chaining interlocking devices can have on the reliability of your interlocking systems, Mr Vashi can help you get a handle on this topic.
A part of ISO 24119 Fig 2 showing one common method of daisy-chaining interlocking devices [4]
Reason # 4 — Pre-Start Health and Safety Reviews
Mr Doug Nix, C.E.T.
Mr Nix opened his presentation with a discussion of some commonly asked questions about Pre-Start Health and Safety Reviews (PSRs). There are many ways that people become confused about the WHY, WHAT, WHEN, WHERE, WHO and HOW of PSRs, and Mr Nix covered them all. This unique-to-Ontario process requires an employer to have machines, equipment, racking and processes reviewed by a Professional Engineer or another Qualified Person when certain circumstances exist (see O. Reg. 851, Section 7 Table). If you are confused by the PSR requirements, contact Mr Nix for help with your questions.
Reason #5 — Understanding the changes to CSAZ432
CSAZ432 [2] was updated in 2016 with many changes. This much-needed update came after 12 years experience with the 2004 edition and many changes in machinery safety technology. Mr Nix briefly explored the many changes that were brought to Canadian machine builders in the new edition, including the many new references to ISO and IEC standards. These new references will help European machine builders get their products accepted in Canadian markets. Both Mr Vashi and Mr Nix sit on the CSA Technical Committee responsible for CSAZ432.
Reason #6 — Hot Questions
We like to over-deliver, so here’s the bonus reason!
We had some great questions posed by our attendees, two of which we are answering in video posts this week. If you have ever considered using a programmable safety system for lockout, our first video explains why this is not yet a possibility. Mr Nix gets into some of the reliability considerations behind the O.Reg. 851 Sections 75 and 76 and CSAZ460 requirements.
A case in the UK illustrates the dangers of bypassing interlocking systems. A worker was killed by a conveyor system in a pre-cast concrete plant when he was working in an area normally protected by a key-exchange system. Here’s the link to the article on OHSOnline.com. Allowing workers into the danger zone of a machine without other effective risk reduction measures may be a death sentence.
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
The third level of the Hierarchy of Controls is Information for Use. Safety Labels are a key part of the Information for Use provided by machine builders to users and are often the only information that many users get to see. This makes the design and placement of the safety labels critical to their effectiveness. There is as much risk in the under-use of safety labels as there is in the over-use of safety labels. Often, machine builders and users simply select generic labels that are easily available from catalogues, missing the opportunity to design labels that are specific to the machine and the hazards present.
Product Safety and Liability Limitation
If your company manufactures machinery that has potential hazards associated with its transportation, installation, use, maintenance, decommissioning and/or disposal, you likely have a very strong need to create effective product safety labels. This task must be done right: product safety labels play an integral role in your company’s product safety and liability prevention efforts. And that means that people’s lives and your company’s financial well-being are on the line. On that note, it’s important to keep in mind these two factors when it comes to effective safety labels:
If properly designed, they can dramatically reduce accidents. This not only improves a product’s overall safety record but adds to a company’s bottom line by reducing product liability litigation and insurance costs.
If poorly designed, needed safety communication does not take place and this can lead to accidents that cause injuries. With these accidents, companies face high costs settling or fighting lawsuits because their products lacked “adequate warnings.”
With the rise in product liability litigation based on “failure to warn” over the past several decades, product safety labels have become a leading focal point in lawsuits faced by capital equipment manufacturers. Let’s look at three best?practice tools for product safety label design. These tools can provide insight to help you create or improve your safety label strategy in order to better protect your product users from harm and your company from litigation-related losses.
TOOL #1: SAFETYLABELSTANDARDS
As a manufacturer, you know that your legal obligation is to meet or exceed the most recent versions of standards related to your product at the time it’s sold into the marketplace. Warning label standards are the first place to turn to when it comes to defining your product safety labels. Up until 1991, there was no overarching, multi-industry standard in the U.S., or in the rest of the world, which gave definitive guidance on the proper formatting and content for on-product warnings. In the U.S., that changed nationally with the publication of the ANSIZ535.4 Standard for Product Safety Signs and Labels in 1991, and internationally with the publication of ISO 3864–2 Design Principles for Product Safety Labels in 2004.
As of 2017, Canada does not have a warning label standard. Since Canada imports machinery from the U.S. and the EU, it is quite common to see either ANSIZ535 style labels or ISO 3864 style labels on products. Under Canadian law, neither is more correct. However, Québec has specific requirements for French language translations, and many CSA standards prescribe specific hazard warning labels that do not conform to either ANSI or ISO styles.
Following the design principles in ANSIZ535.4 or ISO 3864–2 will give you a starting place for both the content and format choices you have to make for your products’ safety labels, bearing in mind the language requirements of your jurisdiction. Note that both of these standards are revised regularly, every five years or so, and it’s important to be aware of the nuances that would make one format more appropriate for your product than another.
The ANSIZ535.4 product safety label standardThe ISO 3864–2 product safety label standard
TOOL #2: RISKASSESSMENT
From an engineering perspective, your job is to identify potential hazards and then determine if they need to be designed out, guarded, or warned about. From a legal perspective, your job is to define what hazards are “reasonably foreseeable” and “reasonable” ways to mitigate risks associated with hazards that cannot be designed out. This is where risk assessment comes into play.
In today’s world, a product is expected to be designed with safety in mind. The risk assessment process helps you to accomplish this task. At its most basic level, risk assessment involves considering the probability and severity of outcomes that can result from potentially hazardous situations. After identifying the potential hazards related to your product at every point in its lifecycle, you then consider various strategies to either eliminate or reduce the risk of people interacting with these hazards.
The best practice risk assessment standards that exist today (i.e. ANSIZ10, ANSIB11, CSAZ432, CSAZ1002, ISO 12100, ISO 31000, ISO 31010) give you a process to use to quantify and reduce risks. Using these standards as the basis for a formalized risk assessment process will not only help you to develop better safety labels and a safer product, but it will also provide you with documentation that will help you to show the world that you are a safety-conscious company who uses the latest standards-based technology to reduce risks. This will be highly important should you be involved in product liability litigation down the road.
From an engineering perspective, your job is to identify potential hazards and then determine if they need to be designed out, guarded, or warned about. From a legal perspective, your job is to define what hazards are “reasonably foreseeable” and “reasonable” ways to mitigate risks associated with hazards that cannot be designed out. This is where risk assessment comes into play.
A typical risk assessment scoring matrix (based on MILSTD 882 as defined in ANSIB11/ISO 12100 Safety of Machinery – Risk Assessment Annex D)
TOOL #3: PICTOGRAPHICSAFETYLABELSFORGLOBALMARKETS
A large number of machinery manufacturers sell their products around the globe and when this is the case, compliance with global standards is a requirement. The ANSIZ535.4 and ISO 3864–2 product safety label standards, and the EU machinery directive place an emphasis on using well-designed symbols on machinery safety labels so information can be conveyed across language barriers.
The EU Machinery Directive 2006/42/EC requires that all information for use be provided in the official languages of the country of use. Information for use includes hazard warning signs and labels that bear messages in text. Adding symbols also increases your labels’ noticeability. The use of symbols to convey safety is becoming commonplace worldwide and not taking advantage of this new visual language risks making your product’s safety labels obsolete and non-compliant with local, regional and international codes. In ISO 3864–2’s latest, 2016 update, a major change in ISO label formats was made: a new “wordless” format that conveys risk severity was added to the standard. This new label format uses what ISO calls a “hazard severity panel” but no signal word. It communicates the level of risk through colour-coding of the hazard severity panel. This format option eliminates words – making translations unnecessary.
It should be noted that sometimes symbols alone cannot convey complex safety messages. In these cases, text is often still used. When shipping to non-English speaking countries, the trend today is to translate the text into the language of the country in which the machine is sold. Digital print technology makes this solution much more cost effective and efficient than in the past.
The safety labels that appear on your products are one of its most visible components. If they don’t meet current standards, if they aren’t designed as the result of a risk assessment, and if they don’t incorporate well-designed graphical symbols, your company risks litigation and non-conformance with market requirements. Most importantly, you may be putting those who interact with your machinery at risk of harm. Making sure your product safety labels are up-to-date is an important task for every engineer responsible for a machine’s design.
For more information on effective product safety labelling and resources that you can put to use today, visit www.clarionsafety.com. Clarion also offers complimentary safety label assessments, where we use our experience with the latest standards and best practices to assess your labels and ensure that they’re up-to-date in meeting today’s requirements.
Ed. note: Additional Canadian material contributed by Doug Nix.
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
ISO 13849–1, Chapter 7 [1, 7] discusses the need for fault consideration and fault exclusion. Fault consideration is the process of examining the components and sub-systems used in the safety-related part of the control system (SRP/CS) and making a list of all the faults that could occur in each one. This a definitely non-trivial exercise!
Thinking back to some of the earlier articles in this series where I mentioned the different types of faults, you may recall that there are detectable and undetectable faults, and there are safe and dangerous faults, leading us to four kinds of fault:
Safe undetectable faults
Dangerous undetectable faults
Safe detectable faults
Dangerous detectable faults
For systems where no diagnostics are used, Category B and 1, faults need to be eliminated using inherently safe design techniques. Care needs to be taken when classifying components as “well-tried” versus using a fault exclusion, as components that might normally be considered “well-tried” might not meet those requirements in every application. [2, Annex A], Validation tools for mechanical systems, discusses the concepts of “Basic Safety Principles”, “Well-Tried Safety Principles”, and “Well-tried components”. [2, Annex A] also provides examples of faults and relevant fault exclusion criteria. There are similar Annexes that cover pneumatic systems [2, Annex B], hydraulic systems [2, Annex C], and electrical systems [2, Annex D].
For systems where diagnostics are part of the design, i.e., Category 2, 3, and 4, the fault lists are used to evaluate the diagnostic coverage (DC) of the test systems. Depending on the architecture, certain levels of DC are required to meet the relevant PL, see [1, Fig. 5]. The fault lists are starting point for the determination of DC, and are an input into the hardware and software designs. All of the dangerous detectable faults must be covered by the diagnostics, and the DC must be high enough to meet the PLr for the safety function.
The fault lists and fault exclusions are used in the Validation portion of this process as well. At the start of the Validation process flowchart [2, Fig. 1], you can see how the fault lists and the criteria used for fault exclusion are used as inputs to the validation plan.
Start of ISO 13849–2 Fig. 1
Faults that can be excluded do not need to validated, saving time and effort during the system verification and validation (V & V). How is this done?
Fault Consideration
The first step is to develop a list of potential faults that could occur, based on the components and subsystems included in SRP/CS. ISO 13849–2 [2] includes lists of typical faults for various technologies. For example, [2, Table A.4] is the fault list for mechanical components.
As you can see, there are many different types of faults that need to be considered. Keep in mind that I did not give you all of the different fault lists — this post would be a mile long if I did that! The point is that you need to develop a fault list for your system, and then consider the impact of each fault on the operation of the system. If you have components or subsystems that are not listed in the tables, then you need to develop your own fault lists for those items. Failure Modes and Effects Analysis (FMEA) is usually the best approach for developing fault lists for these components [23], [24].
When considering the faults to be included in the list there are a few things that should be considered [1, 7.2]:
if after the first fault occurs other faults develop due to the first fault, then you can group those faults together as a single fault
two or more single faults with a common cause can be considered as a single fault
multiple faults with different causes but occurring simultaneously is considered improbable and does not need to be considered
Examples
#1 — Voltage Regulator
A voltage regulator fails in a system power supply so that the 24 Vdc output rises to an unregulated 36 Vdc (the internal power supply bus voltage), and after some time has passed, two sensors fail. All three failures can be grouped and considered as a single fault because they originate in a single failure in the voltage regulator.
#2 — Lightning Strike
If a lightning strike occurs on the power line and the resulting surge voltage on the 400 V mains causes an interposing contactor and the motor drive it controls to fail to danger, then these failures may be grouped and considered as one. Again, a single event causes all of the subsequent failures.
#3 — Pneumatic System Lubrication
3a — A pneumatic lubricator runs out of lubricant and is not refilled, depriving downstream pneumatic components of lubrication.
3b — The spool on the system dump valve sticks open because it is not cycled often enough.
Neither of these failures has the same cause, so there is no need to consider them as occurring simultaneously because the probability of both happening concurrently is extremely small. One caution: These two faults MAY have a common cause — poor maintenance. If this is true and you decide to consider them to be two faults with a common cause, they could then be grouped as a single fault.
Fault Exclusion
Once you have your well-considered fault lists together, the next question is “Can any of the listed faults be excluded?” This is a tricky question! There are a few points to consider:
Does the system architecture allow for fault exclusion?
Is the fault technically improbable, even if it is possible?
Does experience show that the fault is unlikely to occur?*
Are there technical requirements related to the application and the hazard that might support fault exclusion?
* BECAREFUL with this one!
Whenever faults are excluded, a detailed justification for the exclusion needs to be included in the system design documentation. Simply deciding that the fault can be excluded is NOTENOUGH! Consider the risk a person will be exposed to in the event the fault occurs. If the severity is very high, i.e., severe permanent injury or death, you may not want to exclude the fault even if you think you could. Careful consideration of the resulting injury scenario is needed.
Basing a fault exclusion on personal experience is seldom considered adequate, which is why I added the asterisk (*) above. Look for good statistical data to support any decision to use a fault exclusion.
There is much more information available in IEC 61508–2 on the subject of fault exclusion, and there is good information in some of the books mentioned below [0.1], [0.2], and [0.3]. If you know of additional resources you would like to share, please post the information in the comments!
Definitions
3.1.3 fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2 to entry: In this part of ISO 13849, “fault” means random fault. [SOURCE: IEC 60050?191:1990, 05–01.]
Book List
Here are some books that I think you may find helpful on this journey:
[0.2] Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.
Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.
[18] M. Gentile and A. E. Summers, “Common Cause Failure: How Do You Manage Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331–338, 2006.
[19] Out of Control—Why control systems go wrong and how to prevent failure, 2nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
All original content on these pages is fingerprinted and certified by Digiprove
This website stores some user agent data. These data are used to provide a more personalized experience and to track your whereabouts around our website in compliance with the European General Data Protection Regulation. If you decide to opt-out of any future tracking, a cookie will be set up in your browser to remember this choice for one year. I Agree, Deny
