
www.cmafh.com

MACHINE SAFEGUARDING 101

For more information, email sales@cmafh.com
AGENDA
• Why Safeguard?
• What rules, laws, and regulations are there?
• Machine Safeguarding Process
• Safe Mounting Distance
• Understanding Safety Circuits
• Additional Considerations
Why CMA/Flodyne/Hydradyne?

• Engineering
– Electrical and Mechanical Design
– Design Review
– Software Design
– Documentation
• Preliminary Engineering
– Risk Assessment
– Site Review
• Commissioning
– Electrical Install Support
– Mechanical Install Support
– SAT
– Training
• Deliverables
– SAT and Certificate of Compliance
– Recommended Spare Parts
– Operator Manual
– Maintenance Manual
Why Safeguard?
Acceptable Maintenance Practices?
Why should you Safeguard?
Because it hurts if you don’t…

• There are MANY hidden costs:
– Compliance Fines
– Worker’s Comp
– Insurance Increases
– Downtime
– Mental Anguish
http://www.osha.gov/dcsp/smallbusiness/safetypays/estimator.html
Common Perception
Changing Perceptions….
Number 1 Rule of Safeguarding?

Don’t Provide the “Illusion of Safety”


Providing the “Illusion of Safeguarding”
• Press has a light curtain
• Appears to be in compliance
• No record of injuries on machine
• OSHA inspector has seen the machine
Providing the “Illusion of Safeguarding”
• Light Curtains are Type 2, not Type 4, Safety Rated Device
– ANSI B11.19‐2010 and OSHA 1910.217 (c)(3)(iii)(c)
• Light Curtains mounted too close to Point of Operation
– ANSI B11.19‐2010 and OSHA 1910.217 (c)(3)(iii)(e)
• Operators can reach around L/C into Point of Operation
– ANSI B11.19‐2010 and OSHA 1910.217 (c)(2)(i)(a)
• No Stopping Performance Monitor (Brake Monitor)
– OSHA 1910.217 (b)(14)(i)
• No Anti‐tie‐down, Anti‐repeat function in two‐hand control
– ANSI B11.19‐2010, NFPA 79‐2007 and OSHA 1910.217 (b)(7)(v)(c)
Providing the “Illusion of Safeguarding”
• Clutch control valve is single valve, dual monitoring valve required
– OSHA 1910.217 (b)(7)(xi)
• Can reach point of operation through back of machine
– ANSI B11.19‐2010, OSHA 1910.212 (a)(1) and OSHA 1910.217 (c)(2)(i)(a)
• Machine not anchored
– OSHA 1910.212 (b)
• Emergency stop pushbutton not “latching” type, no yellow background
– ANSI B11.19‐2010 and NFPA 79‐2007
• Non‐compliant main power disconnect (not lockable in the “OFF” position only)
– OSHA 1910.217 (b)(8)(i) and NFPA 79‐2007
Providing the “Illusion of Safeguarding”

Circuit Performance:
• Light Curtains wired into Machine Stop Circuit
– Category B per ISO 13849
• No Force‐Guided Relays (Safety Rated)
– Category B per ISO 13849
• No Redundancy
– Category B per ISO 13849
• No Monitoring of output circuit
– Category B per ISO 13849
What does this mean?
• Current Safeguards are providing the “illusion of safety”
• Current Safeguards are a waste of time and money
• Unable to claim compliance to any national or international safety standards.
In America, are employers REQUIRED to Safeguard?
What about Machine Builders?

• Do I need to apply safety to the machines I am building?

• The correct answer is… It Depends…
What does it depend on?
1. Where is the machine going?

2. What are the customer’s requests?


Common Machine Safeguarding Questions:

• Is an OSHA regulation the same thing as an ANSI standard?
• Are you required to follow ANSI?
• What happens if you don’t follow OSHA or ANSI?
Product Liability
• The responsibility of a manufacturer or vendor of goods to compensate for injury caused by defective merchandise that it has provided for sale.
• When individuals are harmed by an unsafe product, they may have a Cause of Action against the persons who designed, manufactured, sold, or furnished that product.
– In most jurisdictions, a plaintiff's cause of action may be based on one or more of four different theories: Negligence, breach of Warranty, Misrepresentation, and strict tort liability.
Negligence refers to the absence of, or failure to exercise, proper or ordinary care. It means that an individual who had a legal obligation either omitted to do what should have been done or did something that should not have been done.
• A new national policy was established on December 29, 1970, when President Richard Nixon signed into law the OSHAct
• For employers, the General Duty clause is used by OSHA when there are NO specific standards applicable to a hazard.
THE LAW

[Figure: overview of OSHA regulations in 29 CFR, including Part 24 (Procedures for the Handling of Retaliation Complaints), Part 70 (Production or Disclosure of Information or Materials), Part 70A (Protection of Individual Privacy in Records), Part 1900 (Reserved), Part 1901 (Procedures for State Agreements), Part 1902 (State Plans for the Development and Enforcement of State Standards), Part 1903 (Inspection, Citations, and Proposed Penalties), Part 1910 (Occupational Safety and Health Standards), Part 1919 (Gear Certification), and Part 2400 (Regulations Implementing the Privacy Act)]
THE LAW

Part 1910: Occupational Safety and Health Standards

Subpart A: General
Subpart B: Adoption and Extension of Established Federal Standards
Subpart C: Adoption and Extension of Established Federal Standards
Subpart D: Walking‐Working Surfaces
Subpart E: Means of Egress
Subpart F: Powered Platforms, Manlifts, and Vehicle‐Mounted Work Platforms
Subpart G: Occupational Health and Environmental Control
Subpart H: Hazardous Materials
Subpart I: Personal Protective Equipment
Subpart J: General Environmental Controls
Subpart K: Medical and First Aid
Subpart L: Fire Protection
Subpart M: Compressed Gas and Compressed Air Equipment
Subpart N: Materials Handling and Storage
Subpart O: Machinery and Machine Guarding
Subpart P: Hand and Portable Powered Tools
Subpart Q: Welding, Cutting, and Brazing
Subpart R: Special Industries
Subpart S: Electrical
Subpart T: Commercial Diving Operations
Subpart U: Reserved
Subpart V: Reserved
Subpart W: Reserved
Subpart X: Reserved
Subpart Y: Reserved
Subpart Z: Toxic and Hazardous Substances
Subpart O: Machinery and Machine Guarding, 1910.211‐1910.219

1910.211: Definitions
1910.212: General Requirements for all Machinery (Point of Operation is defined)
1910.213: Woodworking machinery requirements (“All cracked saws shall be removed from service.”)
1910.214: Cooperage Machinery ‐ Reserved
1910.215: Abrasive Wheel Machinery (“All abrasive wheels shall be mounted between flanges which shall not be less than one‐third the diameter of the wheel.”)
1910.216: Mills and Calenders in the rubber and plastics industries (“All trip and emergency switches shall not be of the automatically resetting type, but shall require manual resetting.”)
1910.217: Mechanical Power Presses
1910.218: Forging Machines (“A pad with a nonslip contact area shall be firmly attached to the pedal.”)
1910.219: Mechanical power‐transmission apparatus
For those hard of seeing: $19,064,338 in machine safeguarding fines, JUST manufacturing
OSHA General Duty Clause

1910.212 (a)(1):
One or more methods of machine guarding shall be provided to protect the operator and other employees in the machine area from hazards such as those created by point of operation, ingoing nip points, rotating parts, flying chips, and sparks.

1910.212 (a)(3):
The guarding device shall be in conformity with any appropriate standards therefor, or, in the absence of applicable specific standards, shall be so designed and constructed as to prevent the operator from having any part of his body in the danger zone during the operating cycle.
What happens if I don’t follow?
• Serious
– up to $7000 per violation
• Other than Serious
– discretionary but not more than $7000
• Repeat
– up to $70,000 per violation
• Willful
– up to $70,000 per violation
– Violations resulting in death: further penalties
• Failure to abate
– $7000/day
What actually happens?
The Problem with OSHA…

Open for interpretation…

Find X. A² + B² = C²
[Figure: right triangle with legs of 3cm and 4cm and hypotenuse X]
How do you PROVE you are Safe?

ANSI, NFPA, RIA, UL

Follow a recognized standard to demonstrate your compliance
ANSI Standards
• American National Standards Institute (ANSI) standards are voluntary standards developed by experts in the industry.
• ANSI standards are detailed, technical documents that provide rules, guidelines or characteristics for a product or process.
• ANSI standards explain the hazards involved in operating machinery.
Voluntary Standards with the General Duty Clause
• An ANSI standard is not a law, but can become mandatory!
– This happens through a process called “incorporation through reference” when an OSHA standard cites a specific ANSI standard.
• You can be cited for not following voluntary standards!
– OSHA may cite you for not following a standard like NFPA 70E even though it is not incorporated into OSHA.
(Callout: “That doesn’t seem to make sense!”)
Let’s see if we can Simplify…
Simplify
‐ OSHA establishes the general standards employers must meet without specifying how.
‐ OSHA gives the employer discretion to decide how best to achieve the standard’s goals.
‐ But OSHA does say how they EXPECT employers to use the discretion provided by the standard.

If OSHA determines that compliance with the voluntary standard would have prevented or lessened the severity of an injury, OSHA may cite the employer’s failure to follow the standard as a violation of the general duty clause.
Types of Voluntary Standards
– Horizontal standards – apply to ALL machine types
– Vertical standards – apply only to specific machine types
– Application Standards – apply to how to use a specific safeguarding device
– Construction Standards – apply to the design, construction, and testing information on presence sensing devices
Industrial Equipment
OSHA 1910.147, OSHA 1910.212, OSHA 1910.219, ANSI/ASSE Z244.1, ANSI B15.1, NFPA 79, IEC 60204‐1, CSA Z432, ANSI/ISO 12100, etc.

Mechanical Power Presses: OSHA 1910.217, ANSI B11.1, CSA Z142, EN 692, DR 04137
Industrial Robots: ANSI/RIA R15.06, CSA Z434, ISO 10218
Grinding Machines: OSHA 1910.215, ANSI B11.9, ANSI B7.1, ISO 13218
How does THE LAW Differ? Europe

European Union (EU) Machinery Directive

What’s the Biggest Difference?

LIABILITY: Employer vs. OEM

Machinery Directive 2006/42/EC

Harmonized Standards
A: Basic Standards. Example: EN ISO 14121 (Risk Assessments)
B: Safety Components. Example: EN ISO 13849-1 (Functional Safety)
C: Specific Machines. Example: EN 415-3 (Form, Fill, and Seal Machines)
www.newapproach.org
A Machine Builder’s Approach
Specifying Safety
What should OEMs and their customers negotiate?

Very common to see Manufacturers (Customers) specify a Product, as opposed to a Standard.
Understanding the Machine Safeguarding Process
• So… How do I safeguard this machine?
How should I guard this?
ANSWER: Review Applicable Standards and Conduct an Assessment
Risk Assessment
Risk Assessment Vs. Risk Reduction
• Risk Assessment
– The process by which the intended use
of the machine, the tasks and hazards,
and the level of risk are determined

• Risk Reduction
– The application of protective measures
to reduce the risk to a tolerable level
Why do a risk Assessment?
• To create a safer working environment for employees (as required by OSHA)
• To reduce costs
• To comply with national and international consensus standards, including:
ANSI B11.TR3‐2000 – Risk Assessment and Risk Reduction – A Guide to Estimate, Evaluate and Reduce Risks Associated with Machine Tools
ANSI/RIA R15.06‐1999 – For Industrial Robots and Robot Systems – Safety Requirements
ANSI/NFPA 79‐2007 – Electrical Standard for Industrial Machinery
ANSI/ASSE Z244.1‐2003 – Control of Hazardous Energy – Lockout/Tagout and Alternative Methods
ANSI/PMMI B155.1‐2006 – Standard for Packaging Machinery and Packaging‐Related Converting Machinery – Safety Requirements for Construction, Care, and Use
CSA Z432‐04 – Safeguarding of Machinery – Occupational Health and Safety
CSA Z434‐03 – Industrial Robots and Robot Systems – General Safety Requirements
CSA Z460‐05 – Control of Hazardous Energy – Lockout and Other Methods
EN 1050:1996 / ISO 14121:1999 – Safety of machinery – Principles of risk assessment
EN 954‐1:2000 / ISO 13849‐1:1999 – Safety of machinery – Safety‐related parts of control systems – Part 1: General principles of design
ISO 12100‐1:2003 – Safety of machinery – Basic Concepts, general principles for design – Part 1: Basic terminology, methodology
ISO 12100‐2:2003 – Safety of machinery – Basic Concepts, general principles for design – Part 2: Technical principles
How do I do it?
• Pick a standard to follow
– ANSI, CSA, ISO
• You can create your own process, as long as it’s based on industry best practices
• You can conduct the process in house, request it from your OEM, or contract an outside service provider
Gather the Proper Personnel

• EHS manager
• Operators
• Maintenance personnel
• Engineers
• Electricians
• Production managers
• Specialists
Risk Assessment Process Per ISO 12100‐1
Risk Assessment Matrix from ANSI/RIA R15.06‐1999, Table 2

Severity of Injury | Exposure | Avoidance | Risk Reduction Category
S2 Serious Injury (More than First-aid) | E2 Frequent Exposure | A2 Not Likely | R1
S2 Serious Injury | E2 Frequent Exposure | A1 Likely | R2A
S2 Serious Injury | E1 Infrequent Exposure | A2 Not Likely | R2B
S2 Serious Injury | E1 Infrequent Exposure | A1 Likely | R2B
S1 Slight Injury (First-aid) | E2 Frequent Exposure | A2 Not Likely | R2C
S1 Slight Injury | E2 Frequent Exposure | A1 Likely | R3A
S1 Slight Injury | E1 Infrequent Exposure | A2 Not Likely | R3B
S1 Slight Injury | E1 Infrequent Exposure | A1 Likely | R4
Table 2 - Risk reduction decision matrix prior to safeguard selection
Risk Reduction Measures from ANSI/RIA R15.06‐1999, Table 3

Category | Safeguard Performance | Circuit Performance
R1 | Hazard elimination or hazard substitution (9.5.1) | Control Reliable (4.5.4)
R2A | Engineering controls preventing access to the hazard, or stopping the hazard (9.5.2), e.g. interlocked barrier guards, light curtains, safety mats, or other presence sensing devices (10.4) | Control Reliable (4.5.4)
R2B | (as R2A) | Single Channel with monitoring (4.5.3)
R2C | (as R2A) | Single Channel (4.5.2)
R3A | Non interlocked barriers, clearance, procedures and equipment (9.5.3) | Simple (4.5.1)
R3B | (as R3A) | Simple (4.5.1)
R4 | Awareness means (9.5.4) | Simple (4.5.1)
Table 3 - Safeguard Selection Matrix
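The two RIA R15.06 tables above as a worked example (added here, not code from the presentation or from RIA): a hazard is classified by severity, exposure and avoidance, looked up in Table 2 for its risk reduction category and in Table 3 for the required circuit performance. The ranking of the circuit performance levels and the sample press-cell hazards are assumptions.

```python
"""ANSI/RIA R15.06-1999 risk reduction decision (Table 2) and safeguard
selection (Table 3) as reproduced on the slides above.

Added worked example, not code from the presentation or from RIA. The
S/E/A inputs and both lookup tables come from the slides; the ranking of
circuit performance levels is assumed from the order of Table 3, and the
sample hazards at the bottom are constructed.
"""
from dataclasses import dataclass

# Table 2 - Risk reduction decision matrix prior to safeguard selection.
# Key: (Severity, Exposure, Avoidance) -> Risk Reduction Category.
RISK_REDUCTION_CATEGORY = {
    ("S2", "E2", "A2"): "R1",   # serious injury, frequent exposure, avoidance not likely
    ("S2", "E2", "A1"): "R2A",
    ("S2", "E1", "A2"): "R2B",
    ("S2", "E1", "A1"): "R2B",
    ("S1", "E2", "A2"): "R2C",  # slight (first-aid) injury, frequent exposure
    ("S1", "E2", "A1"): "R3A",
    ("S1", "E1", "A2"): "R3B",
    ("S1", "E1", "A1"): "R4",
}

ENGINEERING = ("Engineering controls preventing access to the hazard, or stopping the "
               "hazard (9.5.2), e.g. interlocked barrier guards, light curtains, safety "
               "mats, or other presence sensing devices (10.4)")
NON_INTERLOCKED = "Non interlocked barriers, clearance, procedures and equipment (9.5.3)"

# Table 3 - Safeguard selection matrix: category -> (safeguard, circuit performance).
SAFEGUARD_SELECTION = {
    "R1":  ("Hazard elimination or hazard substitution (9.5.1)", "Control Reliable (4.5.4)"),
    "R2A": (ENGINEERING, "Control Reliable (4.5.4)"),
    "R2B": (ENGINEERING, "Single Channel with monitoring (4.5.3)"),
    "R2C": (ENGINEERING, "Single Channel (4.5.2)"),
    "R3A": (NON_INTERLOCKED, "Simple (4.5.1)"),
    "R3B": (NON_INTERLOCKED, "Simple (4.5.1)"),
    "R4":  ("Awareness means (9.5.4)", "Simple (4.5.1)"),
}

# Assumed ranking, least to most demanding, taken from the order in Table 3.
CIRCUIT_RANK = ["Simple (4.5.1)", "Single Channel (4.5.2)",
                "Single Channel with monitoring (4.5.3)", "Control Reliable (4.5.4)"]


@dataclass(frozen=True)
class Hazard:
    task: str
    more_than_first_aid: bool  # S2 if True, else S1
    frequent_exposure: bool    # E2 if True, else E1
    avoidance_likely: bool     # A1 if True, else A2


def classify(h: Hazard) -> tuple:
    """Map a hazard description to the S/E/A codes used by Table 2."""
    return ("S2" if h.more_than_first_aid else "S1",
            "E2" if h.frequent_exposure else "E1",
            "A1" if h.avoidance_likely else "A2")


def risk_reduction_category(h: Hazard) -> str:
    return RISK_REDUCTION_CATEGORY[classify(h)]


def required_circuit_performance(h: Hazard) -> str:
    return SAFEGUARD_SELECTION[risk_reduction_category(h)][1]


def meets_requirement(actual: str, required: str) -> bool:
    """True when the installed circuit performance is at least the required one."""
    return CIRCUIT_RANK.index(actual) >= CIRCUIT_RANK.index(required)


def worst_case_requirement(hazards) -> str:
    """A single safeguard (e.g. one light curtain) covering several hazards must
    satisfy the most demanding circuit performance among them."""
    return max((required_circuit_performance(h) for h in hazards), key=CIRCUIT_RANK.index)


# Constructed sample hazards for a press cell (not from the slides).
PRESS_CELL = [
    Hazard("Load/unload part at point of operation", True, True, False),  # -> R1
    Hazard("Clear jam at point of operation", True, False, False),        # -> R2B
    Hazard("Walk past conveyor pinch point", False, True, True),          # -> R3A
]

if __name__ == "__main__":
    for h in PRESS_CELL:
        cat = risk_reduction_category(h)
        safeguard, circuit = SAFEGUARD_SELECTION[cat]
        print(f"{h.task}: {classify(h)} -> {cat}\n  {safeguard}\n  {circuit}")
    required = worst_case_requirement(PRESS_CELL)
    # A light curtain wired into a Category B machine stop circuit (the
    # "illusion of safeguarding" slides) falls short of this requirement.
    print("Shared safeguard must provide:", required)
    print("Simple circuit acceptable?", meets_requirement("Simple (4.5.1)", required))
```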
Sample Risk Assessment per RIA 15.06
Sample Risk Assessment per ANSI B11.TR3
Hierarchy of Control
If there are hazards, there MUST be risk reduction

Protective Measure | Examples
Most Effective
Elimination or Substitution (this can only be done by the OEM) | Eliminate human interaction in the process; Eliminate pinch points (increase clearance); Automated material handling (robots, conveyors, etc.)
Engineering Controls (Safeguarding Technology / Protective Devices) | Barriers; Interlocks; Presence sensing devices (light curtains, safety mats, area scanners, etc.); Two hand control and two hand trip devices
Awareness Means | Lights, beacons, and strobes; Computer warnings; Signs and labels; Beepers, horns, and sirens
Training and Procedures (Administrative Controls) | Safe work procedures; Safety equipment inspections; Training; Lockout / Tagout / Tryout
Personal Protective Equipment (PPE) | Safety glasses and face shields; Ear plugs; Gloves; Protective footwear; Respirators
Least Effective

So what is the difference between these 3 sections? These 3 (Awareness Means, Training and Procedures, PPE) rely on human behavior!
If you don’t…….
Understanding the Machine Safeguarding Process
What methods for machine safety are there?
• Guards
– fixed
– interlocked
– adjustable
– self-adjusting
• Devices
– presence sensing
– pullback
– restraint
– safety controls (tripwire cable, two-hand control, etc.)
– gates
• Location/distance
• Feeding and ejection methods
– automatic and/or semi-automatic feed and ejection
– robots
• Miscellaneous aids
– awareness barriers
– protective shields
– hand-feeding tools
Robotic Work Cell Example
Understanding the Machine Safeguarding Process
Verification Vs. Validation
• Verification and validation are independent procedures that are used together to check that the safety function and protective measures meet the requirements and specifications and fulfill their intended purpose.
• An easy way to understand the difference between the two can be expressed by the following two questions:
– Validation: “Were the right safeguards selected to minimize the risk?”
– Verification: “Are the safeguards working correctly?”
• Validation typically requires a secondary risk assessment to be conducted to ensure the risks have indeed been minimized.
Sistema Tool for Verification
Understanding the Machine Safeguarding Process
Periodic Audits and Testing
• Define your testing criteria for each safety function
• Define your testing frequency
• Conduct periodic plant‐wide safety audits
Sample Machine Safeguarding Checklists
Training

Training Log Example per RIA 15.06‐1999
Understanding the Machine Safeguarding Process
Safe Mounting Distance
From ANSI/RIA R15.06-1999 Annex B

In an Ideal World…

Safe Mounting Distance Formula
Ds = K(Ts) + Dpf
Ds = Safe Mounting Distance
K = Hand Speed Constant, 63 in/sec
Ts = Total Stopping Time
Dpf = Depth Penetration Factor
ANSI B11.19‐2010

Depth Penetration Factors (Annex D, ANSI B11.19‐2010)
Stop Measurement Device
Safety Circuit History
• In the 60’s, 70’s and 80’s, machine control systems consisted primarily of hardwired electronic and electro‐mechanical components (e.g. relay logic)
• In America, the concept of Control Reliability became a
way of defining the quality of safety‐related machine
control systems
• In Europe, the standard EN954‐1 was created as a guide
for the design and classification of safety related machine
control systems.
What is Control Reliability? ANSI Definition

• 3.14 Control Reliability: The capability of the machine control system, the safeguarding, other control components and related interfacing to achieve a safe state in the event of a failure within their safety related functions.
ANSI B11.19-2010
What is a category?
• Section 3.2 “Classification of the safety‐related parts of a control system in respect of its resistance to faults and its subsequent behavior in the fault condition, and which is achieved by the structural arrangement of the parts and/or by their reliability.”
• Categories are rated B, 1, 2, 3, and 4
Why the confusion?
• The goal of all these standards is to define
what happens to the safety function of a
machine control system if a fault occurs.
• Customers and salespeople do not
understand the differences and how they
should be applied
What Standard should you follow?
Risk Assessment → Circuit Performance
Control Reliability / Categories + Reliability = Performance Levels (NEW!)
How do I know what safety level I need then?
• Doing a risk assessment determines what risks
exist and must be reduced.
• A risk reduction exercise then points at what
categories are appropriate for the risk
reduction task.
– In some C level Harmonized standards the levels
are prescribed
The Five Categories

EN 954‐1
Page 15
Five Categories are Defined
• Category B (Single Channel)
– The use of basic safety principles (i.e. expected operating stresses)
– Reliability should be taken into account for given application
– Measures in addition to safety related controls may be needed
• Category 1 (Single Channel)
– All requirements for Category B apply
– Higher Reliability components for Safety functions: Using well‐tried components and principles.
– Decrease likelihood of faults
• Category 2 (Single Channel with limited Testing)
– All requirements for Category B apply
– Higher Reliability components for Safety functions
– Safety function should be checked at suitable intervals by the machine control system
– The occurrence of a fault can lead to the loss of a safety function between checking intervals
• Category 3 (Dual Channel to tolerate Single Fault)
– All requirements for Category B apply
– A Single fault shall not cause the loss of the Safety Function (need for redundancy)
– When reasonably practical, safety critical faults detected at or before the next demand upon the Safety Function
– Accumulation of Faults may lead to loss of Safety Function
• Category 4 (Dual Channel with testing for multiple faults)
– All requirements for Category B apply
– Safety Critical Faults detected at or before the next demand upon the Safety Function
– Accumulation of Faults may not lead to loss of Safety Function
– Pulse Testing may be used to achieve this level of detection
Examples of products / Control system category
[Figure: example products by control system category 1 to 4, with features such as periodically tested, redundant inputs & outputs, monitoring, and self-monitoring circuits; callout: “Safety Relay required? Category 3+”]
How Safety Circuits Work (Category 3)
[Figure: Function Block Diagram (Category 3)]

SIMPLE CIRCUIT INTERFACE – EXAMPLE ONLY: the light curtain (or other safety device) OUTPUT 1 feeds the PLC, whose output (PLC OUT) drives MPCE 1; OUTPUT 2 feeds the PLC, whose second output drives MPCE 2. MPCE = Machine Primary Control Element.

CONTROL RELIABLE METHOD – EXAMPLE ONLY: the light curtain (or other safety device) safety OUTPUT 1 and OUTPUT 2 drive MPCE 1 and MPCE 2 directly; the PLC supplies an AUX. OUT and receives the MPCE monitoring (MPCE Mon) feedback.

ALTERNATE APPROACH: LC safety outputs are tied in series with the PLC outputs.
Things change
• Control systems became increasingly more
sophisticated utilizing complex integrated
circuits, microprocessors and firmware
• Control circuits became so complex that it was
no longer practical to define all possible
failure modes at the component level
• A more practical way to evaluate the safety related performance of control
systems was to analyze them at the black box or functional level
Elements of Functional Safety
[Figure: the elements of functional safety (software, electronic components, electromechanical components) mapped to the standards IEC 62061 (compliant with SIL3, based on IEC 61508), ISO 13849-1:2006 (defines category B to 4 + reliability, specified architecture) and EN 954-1 / ISO 13849-1:1999 (category B to 4 definition)]
Performance Level
PL: capability of delivering the expected level of performance in order to reduce risks.

PL | Average rate of dangerous failures per hour (1/h)
a | ≥ 10^-5 to < 10^-4
b | ≥ 3×10^-6 to < 10^-5
c | ≥ 10^-6 to < 3×10^-6
d | ≥ 10^-7 to < 10^-6
e | ≥ 10^-8 to < 10^-7
EN ISO 13849‐1
[Figure: determination of the required performance level PLr from the risk graph, and of the achieved PL from the category / MTTFd / DCavg bar chart]
Risk graph inputs: S: Severity of injury; F: Frequency and/or exposure to hazard; P: Possibility of avoiding hazard or limiting harm; each rated 1 or 2, giving PLr a to e.
Bar chart: Category (B, 1, 2, 3, 4), MTTFd (L, M, H), DCavg (n, L, M, H) and CCF (65 or higher) give the possible combinations for PL a to e.
n: none, L: Low, M: Medium, H: High
Let’s start with making Categories Simple
• Safety control systems have different architectures (structures) depending on a machine’s purpose, the degree of hazard, the machine's size, etc. Categories as referred to in safety control systems refer to basic classifications of architecture like this:
Architecture of Each Category
Making MTTFd simple
• MTTFd refers to an average amount of time that it takes the safety control system to encounter a dangerous failure.
(Dangerous failure means that the safety function is not performed because of a component's failure.)
How to Determine MTTFd
• The calculation results are classified into the three levels: Low, Medium and High.

MTTFd
Low: 3 years ≤ MTTFd < 10 years
Medium: 10 years ≤ MTTFd < 30 years
High: 30 years ≤ MTTFd < 100 years

Note: Results of more than 100 years are classified as High.
Making DCavg Simple
• DCavg is an indicator of the reliability of a safety control system as a whole. DCavg is determined by how frequently and accurately the system performs self‐diagnosis and by what measures the system takes to address the results of such diagnostics. (This concerns the reliability of not just the components but also of the functionality that affects the entire system, such as software.)
Method | DC
Input: Dynamic test, periodic test using input signals’ dynamic changes | 90%
Validity check (Ex: Use of mechanically linked NO and NC contacts) | 99%
Feedback loops using forcibly-guided contacts | 99%
Cross-monitoring of inputs (without a dynamic test) | 0% to 99%, depending on how much signal change occurs due to applications.
Cross-monitoring of input signals (with a dynamic test when short-circuits are undetectable) (for multi I/O) | 90%, depends on frequency of checking
Cross-monitoring of input signals and interim results within the Logic (L), temporal and logical software monitoring of program flows and detection of static failures and short-circuits (for multi I/O) | 99%
Indirect monitoring (Ex: Monitoring of a pressure switch, monitoring of an actuator’s electrical position) | 90% to 99%: Varies depending on applications.
Direct monitoring (Ex: Monitoring of a control valve’s electrical position, monitoring of an electromechanical device using mechanically linked contact elements) | 99%
Detection of failures through processes | 0% to 99%: Varies depending on applications. This method when used alone is insufficient for the required performance level of “e”.
Monitoring of a sensor’s characteristics (response times, range of analog signals, Ex: Electrical resistance, electrostatic capacitance) | 60%

Table E1 – Estimates of Diagnostic Coverage (DC)


How to Determine the DCavg
• The DC of the I, P and O are averaged to determine the DCavg
• Calculation results are classified into the four levels: None, Low, Medium, and High.

DCavg
None: DC < 60%
Low: 60% ≤ DC < 90%
Medium: 90% ≤ DC < 99%
High: 99% ≤ DC
Making CCF Simple

• CCF is an indicator of designing reliability to show whether a safety control system incorporates considerations to ensure that its overall functionality is not damaged by common causes. Thus CCF refers to the degrees of such designing considerations to provide for as many different kinds of external factors as can be predicted.
How to Determine the CCF

No. | Item | Maximum possible score
1 | Separation / isolation | 15
2 | Diversity | 20
3 | Designing/application/experience |
3.1 | Protection against overvoltage, overpressure, overcurrent, etc. | 15
3.2 | Components used have track records | 5
4 | Assessment/analysis: Whether the results of the failure mode and the effectiveness analysis are utilized to avert failures that frequently occur from the designing perspective | 5
5 | Ability/training: Whether the designer is trained to understand the cause and effect of failures that frequently occur | 5
6 | Environment |
6.1 | Electromagnetic compatibility (EMC) for CCF based on contamination prevention and appropriate standards | 25
6.2 | Other effects: Whether the system is designed to meet the requirements for resistance against all relevant environmental effects such as temperature, shock, vibration, humidity, etc, as specified in applicable standards | 10
Total | | 100 max (Must be > 65)
Table F.1 - Estimation of the measures against CCF
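A worked example (added here, not code from the presentation or from ISO) of classifying the three inputs discussed above, MTTFd, DCavg and CCF, into the bands the slides give. The simple mean for DCavg follows the slide text, while the all-or-nothing scoring of each Table F.1 item, the 65-point pass mark and the constructed subsystem values are assumptions.

```python
"""Classify the three ISO 13849-1 inputs the slides walk through: MTTFd
(Low / Medium / High), DCavg (None / Low / Medium / High) and the CCF
score from Table F.1.

Added worked example, not code from the presentation or the standard.
The band limits and the Table F.1 items and scores come from the slides;
the pass mark is taken as "65 or higher" (PL graph slide), the
all-or-nothing scoring per CCF item is an assumption, the DCavg is the
simple mean the slide describes, and the sample values are constructed.
"""
from dataclasses import dataclass, field


def mttfd_level(years: float) -> str:
    """MTTFd bands from the slide; results above 100 years are still 'High'."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the table")
    if years < 10:
        return "Low"
    if years < 30:
        return "Medium"
    return "High"


def dcavg(dc_input: float, dc_logic: float, dc_output: float) -> float:
    """Simple mean of the input, logic and output coverages, as the slide describes."""
    return (dc_input + dc_logic + dc_output) / 3


def dcavg_level(dc_percent: float) -> str:
    """DCavg bands: None < 60%, Low 60-90%, Medium 90-99%, High >= 99%."""
    if dc_percent < 60:
        return "None"
    if dc_percent < 90:
        return "Low"
    if dc_percent < 99:
        return "Medium"
    return "High"


# Table F.1 - Estimation of the measures against CCF: item -> maximum score.
CCF_ITEMS = {
    "1 Separation / isolation": 15,
    "2 Diversity": 20,
    "3.1 Protection against overvoltage, overpressure, overcurrent, etc.": 15,
    "3.2 Components used have track records": 5,
    "4 Assessment/analysis (failure mode and effects analysis used)": 5,
    "5 Ability/training of the designer": 5,
    "6.1 Electromagnetic compatibility (EMC)": 25,
    "6.2 Other environmental effects (temperature, shock, vibration, humidity)": 10,
}
CCF_PASS_MARK = 65  # "65 or higher" on the PL graph slide


def ccf_score(measures_met) -> int:
    """Full points for each Table F.1 item that is met, nothing otherwise (assumption)."""
    unknown = set(measures_met) - set(CCF_ITEMS)
    if unknown:
        raise KeyError(f"not a Table F.1 item: {sorted(unknown)}")
    return sum(CCF_ITEMS[item] for item in set(measures_met))


def ccf_ok(measures_met) -> bool:
    return ccf_score(measures_met) >= CCF_PASS_MARK


@dataclass
class SafetyFunctionInputs:
    mttfd_years: float
    dc_input: float
    dc_logic: float
    dc_output: float
    ccf_measures: set = field(default_factory=set)

    def summary(self) -> dict:
        """The three classified inputs needed before reading the PL graph."""
        return {
            "MTTFd": mttfd_level(self.mttfd_years),
            "DCavg": dcavg_level(dcavg(self.dc_input, self.dc_logic, self.dc_output)),
            "CCF ok": ccf_ok(self.ccf_measures),
        }


# Constructed example: dual-channel light curtain -> safety relay -> two contactors.
EXAMPLE = SafetyFunctionInputs(
    mttfd_years=45,                            # -> High
    dc_input=99, dc_logic=99, dc_output=90,    # mean 96% -> Medium
    ccf_measures={"1 Separation / isolation", "2 Diversity",
                  "3.1 Protection against overvoltage, overpressure, overcurrent, etc.",
                  "6.1 Electromagnetic compatibility (EMC)"},  # 75 points -> ok
)

if __name__ == "__main__":
    print(EXAMPLE.summary())
```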
What do you need to know?
• How to use ISO 13849 to determine the performance level of safety functions
• How to assess the safety integrity of a complete machine control system, and gather the reliability data for each of the safety components and subsystems that is required to do the calculations
Protective Stop Vs. Emergency Stop
Stop Basics (per NFPA‐79:2010)
• Stop Categories
– There are three categories of stop functions as follows:
• Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.
• Category 1 is a controlled stop with power to the machine actuators available to achieve the stop, then remove power when the stop is achieved.
• Category 2 is a controlled stop with power left available to the machine actuators.
Emergency Stop Actuators
• 10.7.3 Actuators for emergency stop devices shall be colored RED.
• The background immediately around pushbuttons and disconnect
switch actuators used as emergency stop devices shall be colored
YELLOW.
• The RED/YELLOW combination is reserved exclusively for the
emergency stop and emergency switching off applications.
Emergency Stop PUSHBUTTON Requirements (Hardware)
• The emergency stop pushbutton device shall remain unguarded.
– For pushbutton type devices with a diameter of 60mm or less, a clear area of 120mm (diameter centered on the actuator) is considered not to impede operation.
– Anything within the clear area cannot extend above a plane defined by the actuated (pressed) button.
– The 120mm dimension is considered to be the breadth of a hand by U.S. and EU anthropometric standards.
From current DRAFT of ANSI B11.19
Emergency Stop PUSHBUTTON Requirements
(Hardware)
Commercially available (and NON-COMPLIANT) components
Top 10 Most Common Machine Safeguarding Mistakes
• Risk Assessments and Risk Reduction plans do not take into account all interaction types with the use of machinery. Therefore safeguards are typically defeated to meet the needs of plant production.
• No specific safety standard references given to machine builders or integrators.
• Safety devices not mounted in accordance with the safe mounting distance formula (e.g. Light curtain mounted “too close”).
• A belief that meeting Category 3 circuit performance means your machine is “Safe”.
• Allowing maintenance to defeat safeguards to clear jams.
• Using a standard PLC to mute a safety function (e.g. Light Curtain).
• Misapplying and misusing Protective Stops, Cycle Stops, and Emergency Stops.
• Not including the pneumatic and hydraulic functions in the safety circuit.
• Relying on lockout/Tagout for tasks that are “routine, repetitive, and integral to the production process”.
• Rope‐Pull Emergency Stop devices not detecting “slack” in the line.
Safety and Motion: ISO 61800‐5‐2
A Few Safe Motion Examples
A Few More Safe Motion Examples
3 Big Takeaways
• Safeguarding is the LAW!
• The worst approach to safety is “Providing the illusion of safety.”
• Document, Document, Document!
Quiz Answers – Question 1
• Does OSHA require Risk Assessments?
a) Yes
b) No

OSHA does not require risk assessments; however, they do require a safe place of employment. The easiest way to demonstrate that an employer is providing a safe place of employment is to follow national and/or international consensus standards (such as ANSI or ISO). Most of these standards do require a risk assessment to determine the appropriate level of safeguarding and circuit performance. For example, if a company chooses to follow ANSI B11.19 Performance Criteria for Safeguarding to demonstrate compliance to OSHA, this standard requires that a Risk Assessment be performed. In short, it’s highly advised to conduct a risk assessment.
Quiz Answers – Question 2
Is OSHA a federal or state program?
a) Federal
b) State
c) Federal and each state has their own OSHA program
d) Federal and some of the states have their own OSHA programs

OSHA covers most private sector employers and their workers in all 50 states, the District of Columbia, and other U.S. jurisdictions either directly through Federal OSHA or through an OSHA‐approved state program.

Twenty‐five states, Puerto Rico and the Virgin Islands have OSHA‐approved State Plans
and have adopted their own standards and enforcement policies. For the most part,
these States adopt standards that are identical to Federal OSHA. However, some States
have adopted different standards applicable to this topic or may have different
enforcement policies.
Quiz Answers – Question 3
Are ANSI standards enforceable by OSHA?
a) Yes, all ANSI standards are enforceable.
b) Only ANSI B11.19 (Performance Criteria for Safeguarding)
c) Yes, only the ANSI B11 Group of Standards
d) Yes, but only the standards “incorporated through reference”
e) No

One area of confusion for safety professionals, design engineers, machine builders and
users involved with the implementation of the ANSI documents revolves around the
enforceability of these consensus standards. After all, these are just voluntary
standards, right? Well, the real answer is yes – and no. Technically, ANSI standards are
considered voluntary consensus standards and are not written as laws or regulations.
In fact, the subcommittees that create the standards have no enforcement authority,
much to the relief, I am sure, of the subcommittee members! Yet the standards
themselves are widely recognized in industry as an excellent source of reference
material, often with an easier‐to‐understand format than that of OSHA.
Quiz Answers – Question 3 Continued
• The voluntary status of the standards can change significantly when
OSHA adopts ANSI standards by reference. This is the case, for
example, with OSHA 1910.215, Abrasive Wheel Machinery. The
section, 1910.215(b)(12), requires abrasive wheel machinery guards
to conform to the ANSI B7.1‐1970 standard on abrasive wheels. By
specifically incorporating the B7.1 standard in its regulations, OSHA
has converted a voluntary standard into a federal requirement.
Various state safety agencies may follow the same process as OSHA,
and incorporate ANSI standard references in their respective state
regulations, especially when taking the lead from OSHA. For
example, California, Oregon and South Carolina all have similar
rulings on the abrasive wheel machinery.
Quiz Answers – Question 4
What safeguard technologies would be subject to the Safe Mounting Distance Calculation according to ANSI standards?
a) Hard Guards
b) Movable/Removable Guards (Interlocked)
c) Light Curtains
d) Laser Scanners
e) Two‐Hand Control
f) C+D
g) C+D+E
h) All of the above
In short, all safeguarding devices are subject to some form of a Safe Mounting Distance Calculation.
In order for presence sensing devices to be effective, they must either prevent the start of, or stop, hazardous motion (or a hazardous situation) when an individual is exposed to the hazard. For the devices to accomplish this requirement, they must be located at a distance from the hazard such that hazardous motion (or situation) is prevented, completed or stopped before the individual can be harmed. However, guards and movable barrier devices with various openings are located at a position away from the hazard zone based on the ability of the operator to reach through the opening.
Quiz Answers – Question 4 Continued
According to Annex D (Safety Distance) of ANSI B11.19:2010:

Devices that require location at a safety distance include, but are not limited to:
1. interlocked guards (non‐locking);
2. two hand control devices;
3. two hand trip devices;
4. single control safeguarding devices;
5. electro‐optical presence‐sensing devices;
6. RF presence‐sensing devices;
7. safety mat devices;
8. safety edge devices.
Quiz Answers – Question 5
What is a major difference between ISO standards and ANSI Standards?
a) ISO standards are enforceable as law
b) Anyone can volunteer to participate in an ANSI Standard
c) ISO Standards don’t include examples
d) ANSI Standards are generally written for the Employer and ISO standards are generally written for the Machine Builder
e) ANSI Standards can only be used in North America, while ISO standards can only be used in Europe
In short, ANSI and ISO standards are generally written for different audiences. In America, the requirements for safeguarding are placed on the employer; therefore, ANSI standards are generally written with the employer in mind. This is why ANSI standards include installation, operation, and maintenance. ISO standards are typically written for the manufacturer of safeguarding devices or the manufacturer or supplier of the machine.
Quiz Answers – Question 6
An Emergency stop is considered a safeguarding
device?
a) True
b) False

According to Section 12.9 of ANSI B11.19:2010, emergency stop devices are not safeguarding devices. They are complementary to the guards, safeguarding devices, awareness barriers, signals and signs, safeguarding methods and safeguarding procedures in clauses 7 through 11.

A safeguarding device detects or prevents inadvertent access to a hazard, typically without overt action by the individual or others. Since an individual must manually actuate an emergency stop device to issue the stop command, usually in reaction to an event or hazardous situation, it neither detects nor prevents exposure to a hazard.
Quiz Answers – Question 7
What would most likely happen if an employer were to mount a Light Curtain “too close” on a machine and an accident were to occur?
a) If the Light Curtain is mounted within 20% of required distance, the machine is considered compliant to ANSI standards.
b) If the Light Curtain is mounted greater than 20% of required distance, most likely a Willful Fine (according to OSHA)
c) The application wouldn’t be compliant with any national (ANSI) or International (ISO) Standards, therefore it would be very difficult to prove the employer provided a safe place of employment to OSHA
d) As long as the machine is considered a “Low Risk Machine” according to ISO 12100, the safe mounting distance is only considered a guideline.

One of the most important criteria for proper use of a safety light curtain for machine guarding involves the minimum safe distance. A light curtain must be mounted far enough away from the point of hazardous operation so the machine will stop before the operator’s hand or other body part can reach this hazardous point. If the safety light curtain is mounted too close to the point of operation hazard, the machine may not stop in time to prevent an operator injury.
Quiz Answers – Question 7 Continued
In America, the employer is the one responsible for providing a safe place of
employment. The employer typically will reference a well‐recognized
safety standard to demonstrate they are indeed providing a safe working
environment. A few examples of well recognized safety standards to
address Safe Mounting Distance of safety light curtains are ANSI B11.19‐2010, ISO 13855, and CSA 432‐04. The employer is not required to follow one of these standards; however, it would be highly inadvisable. In the event of an accident, the employer would need to justify how their safeguards did in fact provide a safe place of employment. Without following a well‐recognized standard this justification (to OSHA and/or a judge) can be quite difficult.

NOTE: Answers A, B, and D are simply false and do not exist as part of any consensus standard or OSHA regulation.
Quiz Answers – Question 8
Can a Safety Mat, used in a safety application, be used to initiate
machine motion by detecting the presence of an operator?
a) Yes
b) No

According to Section 8.5.2.9 of ANSI B11.19‐2010, a safety mat device shall not be used to allow or enable the initiation or continuation of hazardous machine motion by indicating that an individual is in a safe position related to the hazard.

NOTE: The safety mat device is designed to detect intrusion and to effect a safe shutdown. There are three primary reasons why it is not to be used as an enable signal:
Placement of a weighted object on the safety mat bypasses the intended safety function;
The failure of the safety mat controllers could result in a false enable signal;
Only one individual standing on the mat can enable hazardous motion. Other individuals may be exposed to the hazard.
Quiz Answers – Question 9
What is the highest category you can achieve by wiring
conventional safety “Reed Style” switches in series?
a) B
b) 1
c) 2
d) 3
e) 4

The series connection of mechanical contacts is limited to Category 3 as it may lead to the loss of the safety function due to an accumulation of faults.
Quiz Answers – Question 9 Continued
This figure shows a widely used approach for connecting multiple devices to a
monitoring safety relay. Each device contains two normally closed direct
opening action contacts. These devices can be a mix of interlocks or e‐stop
buttons. This approach saves wiring costs as the input devices are daisy‐
chained. Assume a short circuit fault occurs across one of the contacts at
Sw2 as shown. Can this fault be detected?
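As an added example (not from the slides), the Python model below reproduces the daisy‐chain above with a short circuit across one of Sw2's contacts and shows why the series chain is limited to Category 3: the fault is detected when Sw2 alone is opened, but is masked when Sw1 is cycled while Sw2 is open, and a second fault on Sw2 then removes the stop function altogether. The switches, the relay's discrepancy counter and the scan sequences are all constructed for the example.

```python
# Fault masking in series-wired dual-channel safety inputs (added example, not
# from the slides). Each switch has two normally closed contacts, one per channel
# (A, B). The monitoring relay enables its output only while both channels are
# closed and latches a fault when they disagree for more than DISCREPANCY_SCANS
# scans (real relays use a time window). The wiring fault is a short across
# Sw2's channel-B contact, as in the Question 9 figure.
DISCREPANCY_SCANS = 3

class Switch:
    def __init__(self, shorted=()):
        self.actuated = False        # True = guard opened / button pressed
        self.shorted = set(shorted)  # channels bridged by a wiring fault

    def closed(self, channel):
        # A bridged contact reads closed whatever the switch does.
        return channel in self.shorted or not self.actuated

class MonitoringRelay:
    def __init__(self, chain):
        self.chain, self.disagree, self.fault, self.output = chain, 0, False, False

    def scan(self):
        # Series wiring: a channel is closed only if every contact in it is closed.
        a = all(sw.closed("A") for sw in self.chain)
        b = all(sw.closed("B") for sw in self.chain)
        self.disagree = self.disagree + 1 if a != b else 0
        if self.disagree > DISCREPANCY_SCANS:
            self.fault = True        # a contact failed to open: detected
        self.output = a and b and not self.fault

    def run(self, events):
        """One scan per event; an event is (switch, actuated) or None to hold."""
        for ev in events:
            if ev is not None:
                ev[0].actuated = ev[1]
            self.scan()
        return self.output, self.fault

def series_chain_demo():
    sw1, sw2 = Switch(), Switch(shorted={"B"})
    # Case 1: Sw2 alone is opened and held. Channel A opens, B stays closed
    # through the short, the discrepancy persists and the relay latches a fault.
    _, fault1 = MonitoringRelay([sw1, sw2]).run([(sw2, True)] + [None] * 4)
    # Case 2: Sw1 is cycled while Sw2 is open. Both channels open via Sw1, the
    # disagreement counter resets and the relay re-enables: the short is masked.
    sw2.actuated = False
    relay = MonitoringRelay([sw1, sw2])
    out2, fault2 = relay.run([(sw2, True), (sw1, True), (sw2, False), (sw1, False)])
    # Case 3: a second undetected fault accumulates on Sw2's channel A. Opening
    # Sw2 no longer drops the output: the safety function is lost.
    sw2.shorted.add("A")
    out3, _ = relay.run([(sw2, True), None])
    return {"single_fault_detected": fault1,
            "fault_masked_by_sw1_cycle": out2 and not fault2,
            "safety_function_lost": out3}
```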
Quiz Answers – Question 10
What is the difference between wiring safeguarding devices in parallel or “OR‐ing” safeguards in a Safety controller?
a) There is no difference in functionality or safety performance
b) There is no difference in functionality, but parallel circuits have a lower circuit performance rating
c) Functionality is different, but safety performance is the same
d) Functionality is different and safety performance has a lower circuit rating

In short, wiring safety devices in parallel or using an OR Gate (“or‐ing”) is functionally the same. If either device is tripped, the output will be ON. However, their circuit performance is quite different.
Quiz Answers – Question 10 Continued
In a parallel circuit, each device is placed in a closed circuit in which the current divides into two or more paths before recombining to complete the circuit. This would arguably be a Category 1 circuit because the ability to monitor each device individually is lost. If interlock 1 is ON, certain faults in interlock 2 would not be detected.
Below is a sample representation of using parallel wiring with two separate safety interlocks:
Quiz Answers – Question 10 Continued
An OR gate (also referred to as “Or‐ing”) is a digital logic gate that implements logical disjunction; it behaves according to the truth table below. A HIGH output (1) results if one or both of the inputs to the gate are HIGH (1). If neither input is HIGH, a LOW output (0) results.
Using an OR Gate (assuming properly wired) could achieve Category 4. In this case, each interlock is individually monitored by a safety controller/safety relay, allowing for all possible faults to be identified.
Below is a sample representation of Hardware and Software “Or‐ing” two safety interlocks:
Quiz Answers – Question 11
Does achieving Category 3 or Category 4 mean your
machine is “Safe”?
a) Yes
b) No
The “Categories” of control systems originated in the outgoing EN 954‐1:1996 (ISO 13849‐1:1999). However, they are still often used to describe safety control systems and they remain an integral part of EN ISO 13849‐1.
The categories represent a classification of the safety‐related parts of a control system (STS) with respect to their ability to withstand faults and their behavior in the event of faults, this being achieved on the basis of reliability and/or the structural architecture of the parts.
Therefore, categories are NOT a measure of “Safety.” Theoretically you could have a Category 4 control system that is extremely unsafe (e.g. Light Curtains wired properly, but lying on the floor) or you could have a very safe system which is very unreliable (e.g. Light Curtains properly selected and mounted in accordance with the safe mounting distance, but wired into a PLC).
Quiz Answers – Question 12
If you install a Laser Scanner with a 70mm object resolution using the Safe Mounting Distance Calculation, what is the Depth Penetration Factor (Dpf) that should be used?
a) 24”
b) 36”
c) 48”
d) 48” when mounted horizontally, and up to 36” when mounted vertically if considered “reach through.”
e) Use the same “Dpf Chart” as light curtains

In short, Laser Scanners have different Depth Penetration factors depending on their orientation. The Depth Penetration factor also needs to consider the minimum object resolution.

Dpf = 1200mm (48 in) for horizontal sensing field applications without vertical sensing for ground level devices that can be reached over (30° or less).

Dpf = 900 mm (36 in) for reach through applications for object sensitivities greater than 64 mm (2.5 inches).
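The two Dpf rules above can be carried into the Safe Mounting Distance Calculation referenced in Questions 4, 7 and 12. The Python below is an added example, not from the slides: it encodes only the Dpf rules stated on this page and assumes the distance formula Ds = K × T + Dpf with the ANSI B11.19 / OSHA 1910.217 hand‐speed constant K = 1600 mm/s (63 in/s), neither of which appears on this page; the 70 mm scanner and 0.25 s total stopping time are constructed values.

```python
"""Depth penetration factor (Dpf) and safe mounting distance for a laser scanner.

Added example, not from the original slides. The Dpf rules are the two stated in
the Question 12 answer (ANSI B11.19:2010). The distance formula and the hand-speed
constant K = 1600 mm/s (63 in/s) are assumptions taken from ANSI B11.19 / OSHA
1910.217(c)(3)(iii)(e), not from this page: Ds = K * T + Dpf, where T is the total
stopping time (machine stop + control + device response + brake monitor allowance).
"""
K_MM_PER_S = 1600          # hand/arm approach speed, ANSI B11.19 (assumed constant)


def dpf_mm(orientation, object_sensitivity_mm, approach_angle_deg=0):
    """Dpf for a scanner sensing field; raises where the slide gives no rule."""
    if orientation == "horizontal":
        # Ground-level field that can be reached over; slide: 30 degrees or less.
        if approach_angle_deg > 30:
            raise ValueError("horizontal rule only covers fields inclined 30 degrees or less")
        return 1200
    if orientation == "vertical":
        # Reach-through application; slide: 900 mm for sensitivities above 64 mm.
        if object_sensitivity_mm > 64:
            return 900
        raise ValueError("no rule on this page for finer resolutions; consult ANSI B11.19 Annex D")
    raise ValueError(f"unknown orientation: {orientation}")


def safe_mounting_distance_mm(total_stop_time_s, orientation, object_sensitivity_mm, approach_angle_deg=0):
    """Minimum distance from the detection field to the hazard (Ds = K*T + Dpf)."""
    if total_stop_time_s <= 0:
        raise ValueError("total stopping time must be positive (measured, not assumed)")
    return K_MM_PER_S * total_stop_time_s + dpf_mm(orientation, object_sensitivity_mm, approach_angle_deg)


def mounting_is_compliant(actual_distance_mm, total_stop_time_s, orientation, object_sensitivity_mm):
    """'Too close' (Question 7) means the actual distance is below the calculated Ds."""
    return actual_distance_mm >= safe_mounting_distance_mm(total_stop_time_s, orientation, object_sensitivity_mm)


if __name__ == "__main__":
    # Constructed example: 70 mm scanner, measured total stopping time 0.25 s.
    for orient in ("horizontal", "vertical"):
        ds = safe_mounting_distance_mm(0.25, orient, 70)
        print(f"{orient:10s} Dpf={dpf_mm(orient, 70)} mm  Ds={ds:.0f} mm")
```

The same stopping time gives a larger required distance for the horizontal field, which is the point of answer d): orientation, not only resolution, sets the Dpf.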