As managing director of a firm that specializes in risk assessment, industrial machinery safety and regulatory compliance, I have seen an unfortunate amount of poorly designed and built machinery. As a result, I have compiled a list of the top six errors I see machine builders make on a regular basis.
1. Poor or absent risk assessment
Risk assessments are fundamental to safe machine design and liability limitation, and are required by law in the European Union (EU). They are also included in all of the modern North American machinery safety standards.
Machine builders frequently have trouble with the risk assessment process, usually because they fail to understand the process or to devote enough resources to getting it done. If risk assessment is built into your design process, it becomes the norm for how you do business. Time and resources will automatically be devoted to the process, and since it's part of how you do things, it will become relatively painless. Where people go wrong is in making it a one-time event. Also, getting it done early in the design process and updating it as the design progresses means that you have time to react to the findings, and you can complete any necessary changes at more cost-effective points in the design and build process.
The worst time to do risk assessment is at the point where the machine is on the shop floor ready to start production. At this point, costs for modification are exponentially higher than during design and construction.
Poorly done, risk assessments become a liability defence lawyer's worst nightmare and a plaintiff lawyer's dream. Shortchanging the risk assessment process ensures that you will lose, either now or later.
Fight this problem by: Learning how to conduct a risk assessment using quality risk assessment software tools, and building risk assessment into your organization's standard design process/practice.
2. Failure to be aware of regulations and use design standards
Every market has product safety legislation supported by regulations. Granted, the scope and quality of these regulations vary widely, but if you want to sell a product in a market, it doesn't take a lot of effort to find out what regulations may apply.
Design standards have been in existence for a long time. Most purchase orders, at least for custom machinery, contain lists of standards that the equipment is required to meet at Factory Acceptance Testing (FAT). Using these standards can actually give machine builders a competitive edge, as well as help them to meet regulatory requirements.
Fight this problem by: Doing some research. Understand the market environment in which you sell your products. If you aren't sure how to do this, use a consultant to assist you. Buy the standards, especially if your client calls them out in their specifications. Read and apply them to your designs. One great resource for information on regulatory environments and standards applications is the IEEE Product Safety Engineering Society (http://www.ieee-pses.org).
3. Fixed guard design
Fixed guarding design is driven by at least two factors. The first is preventing people from accessing hazards. Designers frequently go wrong by selecting a fixed guard where a movable guard is necessary to permit frequent access (e.g. more than once per shift). This is sometimes done in an effort to avoid having to add interlocks to the control system. Frequently, the guard will be removed and replaced a couple of times, and then the screws will be left off, and eventually the guard itself will be left off, leaving the user with an unguarded hazard.
The other common fault with fixed guards is getting raw materials and products in and out of the machine. There are limits on the size of the openings that can be left in guards, dependent on the distance from the opening to the hazards behind the guard and the size of the opening itself. Often the only factor considered is the size of the item that needs to enter or exit the machinery.
Both of these faults often occur because the guarding is not designed, but is allowed to happen during machine build. The size and shape of the guard is then often driven by convenience in fabrication, rather than by thoughtful design and application of the minimum code requirements.
Fight this problem by: Designing the guards on your product, rather than allowing them to happen. The design must be based on the outcome of the risk assessment and the limits defined in the standards. Tables for guard openings and safety distances are available in North American, EU and international standards.
4. Movable guard interlocking
Movable guards themselves are usually reasonably well done. (Note that I am not talking about self-adjusting guards like those found on a table saw, for instance. I am talking about guard doors, gates and covers.) The problem usually comes with the design of the interlock that is required to go with the movable guard.
The first part of the problem goes back to my number one mistake: risk assessment. No risk assessment means that you cannot reasonably hope to get the reliability requirements right for the interlocking system. Next, there are small but significant differences in how the Canadian, U.S., EU and international standards handle control reliability, and the biggest differences occur in the higher reliability classifications.
In the U.S., the standards speak of control reliable circuits (see ANSI RIA R15.06-1999, 4.5.5). This requirement is written in such a way that a single interlocking device, installed with dual-channel electrical circuits and suitably selected components, will meet the requirements. No single electrical component failure will lead to the loss of the safety function, but a single mechanical fault could.
In Canada, the machinery and robotics standards speak of control reliable systems (see CSA Z432, 8.2.5), not circuits. This requirement is written in such a way that two electromechanical interlocking devices are required, one in each electrical channel of the interlocking system. This permits the system to detect mechanical failures, such as broken or missing keys, and if different types of interlocking devices are chosen, may also permit detection of efforts to bypass the interlock. Most single mechanical faults and electrical faults will be detected. The use of different types of interlocking devices will also increase reliability by adding diversity to the system.
In the EU and internationally, control reliability requirements are much more highly developed. The application of ISO 13849, IEC 62061 or IEC 61508 has taken control reliability to higher levels than anything seen to date in North America. Under these standards, the required Performance Level (PL) or Safety Integrity Level (SIL) must be known. This is based on the outcome of the risk assessment. No risk assessment, or a poor risk assessment, dooms the designer to failure. Significant skill is required to handle the analysis and design of safety-related parts of control systems under these standards.
Fight this problem by: Getting the training you need to properly apply these standards and use them in your designs.
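The difference between a single interlocking device on dual-channel wiring and one device per channel, as an added toy model (not from the article or any standard): the class and fault cases are constructed to show which single faults a two-channel monitor can see.

```python
# Added illustration, not the article's own material. A simplified model of
# one interlocking switch whose two contact channels are read by a monitor.
from dataclasses import dataclass


@dataclass
class InterlockSwitch:
    """One electromechanical interlocking device with two contact channels."""
    key_broken: bool = False   # mechanical fault: actuator sheared off in the head
    ch1_welded: bool = False   # electrical fault: channel 1 contact stuck closed
    ch2_welded: bool = False   # electrical fault: channel 2 contact stuck closed

    def read(self, guard_closed: bool) -> tuple[bool, bool]:
        # A sheared key stays in the switch head, so both contacts keep
        # reporting "closed" no matter what the guard does.
        seen_closed = guard_closed or self.key_broken
        return (seen_closed or self.ch1_welded, seen_closed or self.ch2_welded)


def monitor(channels: tuple[bool, bool]) -> str:
    """Dual-channel monitoring logic: RUN only when both channels agree 'closed'."""
    ch1, ch2 = channels
    if ch1 != ch2:
        return "FAULT"   # discrepancy between channels is detected and latched
    return "RUN" if ch1 else "STOP"


def single_device(sw: InterlockSwitch, guard_closed: bool) -> tuple[bool, bool]:
    """U.S.-style arrangement: one device feeding both electrical channels."""
    return sw.read(guard_closed)


def two_devices(sw_a: InterlockSwitch, sw_b: InterlockSwitch,
                guard_closed: bool) -> tuple[bool, bool]:
    """Canadian-style arrangement: a separate device on each channel."""
    return (sw_a.read(guard_closed)[0], sw_b.read(guard_closed)[1])


def safety_function_lost(channels: tuple[bool, bool], guard_closed: bool) -> bool:
    """True when the monitor would allow RUN although the guard is open."""
    return monitor(channels) == "RUN" and not guard_closed


if __name__ == "__main__":
    # Constructed fault cases: a welded contact is caught either way, but a
    # broken key on a single device lets the machine run with the guard open.
    print(monitor(single_device(InterlockSwitch(ch1_welded=True), False)))  # FAULT
    print(safety_function_lost(single_device(InterlockSwitch(key_broken=True), False), False))  # True
    print(monitor(two_devices(InterlockSwitch(key_broken=True), InterlockSwitch(), False)))  # FAULT
```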
5. Safety distances
Safety distances crop up anywhere you don't have a physical barrier keeping the user away from the hazard. Whether it's an opening in a fixed guard, a movable guard like a guard door or gate, or a presence-sensing safeguarding device like a light curtain, safety distances have to be considered in the machine design. The easier it is for the user to come in contact with the hazard, the more safety distance matters.
Stopping performance of the machinery must be tested to validate the safety distances used. Failure to get the safety distance right means that your guards will give your users a false sense of security, and will expose them to injury. This will also expose your company to significant liability when someone gets hurt.
Fight this problem by: Designing safeguarding device applications based on current standards, like ISO 13855, and testing the stopping capability of the machinery.
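How measured stopping performance feeds the safety distance, as an added example that is not from the article: it applies the ISO 13855 light-curtain relation S = K × T + C (K in mm/s, T the measured overall stopping time, C = 8(d − 14) mm for detection capability d ≤ 40 mm); the function names and the stopping-time figures are constructed.

```python
# Added example, not the article's own code. Minimum distance from a vertical
# light curtain's sensing field to the hazard, per the ISO 13855 relation
# S = K*T + C for approach perpendicular to the field.

def light_curtain_min_distance(t_stop_s: float, resolution_mm: float) -> float:
    """Return the minimum safety distance S in mm.

    t_stop_s: overall system stopping performance T in seconds (device
              response time plus measured machine stopping time).
    resolution_mm: detection capability d of the curtain, e.g. 14 or 30 mm.
    """
    if resolution_mm > 40:
        raise ValueError("this relation applies to detection capability <= 40 mm")
    # Intrusion allowance C = 8 * (d - 14), never below zero.
    c = max(0.0, 8.0 * (resolution_mm - 14.0))
    # First pass with hand approach speed K = 2000 mm/s; S is at least 100 mm.
    s = max(2000.0 * t_stop_s + c, 100.0)
    if s > 500.0:
        # Beyond 500 mm the body approach speed K = 1600 mm/s may be used,
        # but S may then not drop below 500 mm.
        s = max(1600.0 * t_stop_s + c, 500.0)
    return s


def installed_distance_is_adequate(installed_mm: float, measured_t_stop_s: float,
                                   resolution_mm: float) -> bool:
    """Validation check: compare the as-built distance with the distance the
    measured stopping performance actually requires."""
    return installed_mm >= light_curtain_min_distance(measured_t_stop_s, resolution_mm)


if __name__ == "__main__":
    # Constructed values: the design assumed T = 0.10 s, the stop-time test
    # measured 0.25 s, and the curtain was mounted 250 mm from the hazard.
    print(light_curtain_min_distance(0.10, 14))           # 200.0
    print(light_curtain_min_distance(0.25, 14))           # 500.0
    print(installed_distance_is_adequate(250, 0.10, 14))  # True  (as designed)
    print(installed_distance_is_adequate(250, 0.25, 14))  # False (as measured)
```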
6. Validation
Designs, and particularly safety critical designs, must be tested. Whatever theory you are working under, whether it's North American, European, international or something else, you cannot afford to miss the validation step. Without it, you have no evidence that your system worked at all, let alone whether it worked correctly.
Fight this problem by: Developing a validation plan and testing your designs.
A wise man once said: "If you think safety is expensive, try having an accident." This gentleman was involved in investigating the crash of a Sikorsky S-92 helicopter off the coast of Newfoundland. Seventeen people died as a result of the failure of two titanium studs that held an oil filter onto the main gearbox, and the fact that the helicopter failed the half-hour gearbox run-dry test that is required for all new helicopter designs. This was a clear case of failure in the risk assessment process, complicated by failure in the test process.
If we don't learn from our mistakes, we are destined to repeat them.
(This article was originally published in Manufacturing Automation, www.automationmag.com)
--------------------------
Doug Nix is managing director with Compliance InSight Consulting Inc., a firm specializing in risk assessment, industrial machinery safety and regulatory compliance. A version of this article was originally posted on August 6, 2010, on Doug's blog, Machinery Safety 101. To view this and more of Doug's blog posts, visit http://machinerysafety101.com.