A Control Design reader writes: I work at a packaging plant where safety upgrades to palletizing equipment excessively stopped the machine and confused multiple technicians, ultimately leading to some of the safety measures being bypassed, which resulted in an operator injury. This is unacceptable and a review of the plant found many safety concerns that must be fixed.
The plan is to upgrade several bottling lines, fillers, palletizers and wrappers to a standardized safety platform, likely safety controllers, and then carefully train all personnel on the safety system and procedures. The systems involved are various and have a wide range of safety devices to integrate. Can you suggest how to plan this out, design, integrate, test and operate the system? Quick installation, integration, configuration and testing are required. Can you help with this safety upgrade?
ANSWERS
Assess the risk first
This is a tough one. There is so much we can do with a clean sheet of paper that you can't do with existing hardwired safety, and you can't do without a controls retrofit, which is typically not cost-effective. This user would be well-advised to attend a PMMI risk assessment workshop and work with their current machinery and controls supplier to achieve the safety levels prescribed by the risk assessment.
John Kowal / director, business development / B&R Industrial Automation
7 steps to safety
A plan for safety is a good thing. The first step of the plan is to have a risk assessment done by a trained and certified safety engineer or risk assessor. Many times this safety engineer or assessor can come from the company’s general liability insurance carrier. If the insurance company does not offer this service, then there are many companies that offer this service. There are “independent” organizations such as TUV and UL, or there are the manufacturers of the safety devices. They will assess each operating system—be it a simple machine or a complex system such as a palletizing line—and determine the level of protection that is required to meet the local and national requirements.
Once the assessment is complete, the level of protection will dictate the type of safety system that will be used—safety relays/controllers/PLCs in conjunction with e-stops/interlocks/area scanners. In fact, the large manufacturers and their distributors will provide a recommended list of components to be used and, in most cases, assist with integrating and training. However, you and your company are the only ones that know how you use the equipment, and you are the ones responsible for successfully implementing a safety program within your facility. The safety device providers, their distributors and their integrators can only provide so much.
In a numbered list form here are my suggested steps:
- Perform a risk assessment of each individual machine and complex system (multiple machines). Use existing records of injuries to determine the cause.
- Using the results of the risk assessment, determine the level of safety required for each machine and complex system. The level of safety is determined by assessed risk (severity) and probability of injury. The solution will be based on local and national requirements.
- Work with a qualified, reputable distributor that has a wide product breadth to meet the needs of the safety level.
- Obtain all of the electrical schematics of each machine, whether on its own or within a complex system. This will allow you to determine if and how you will integrate the necessary safety devices. Contact the manufacturer of the machines. They may have made upgrades to their offerings that you may retrofit into the existing equipment.
- For complex systems, develop a safety schematic to show how all of the safety devices interact with the system. This should include the “brains,” as well as all of the interlocking devices.
- If you don’t have a safety-trained electrician in-house, hire an integration company. This will be an additional cost, but they will guarantee their work and could assist with the above steps.
- Even though this is listed last, it should by no means happen last. Develop the training module. It should include all of the information gathered and developed along the way. It will be specific to your needs, and you can add it to your training matrix, if you keep training records.
Pat Klingberg / general manager / Global Controls
Independent systems
We have worked in this industry for three decades and have seen how safety has evolved.
Current practice for most OEMs is to provide relatively simple e-stop safety systems incorporating safety relays and switches that are safety-rated double-contact type, as well as safety-rated output devices. In contrast to traditional e-stop safety systems, these types of e-stop systems are inherently safe and prevent an operator from easily bypassing them.
This type of hardware is standard issue and readily available off-the-shelf from Allen-Bradley and others. It will not break the bank and can typically be installed in a few weeks, provided complete prints of the existing systems are available to be used for designing the new e-stop systems.
While it is possible to use PLCs with integrated safety, such as Allen-Bradley GuardLogix, we have not seen this approach used in this industry. This is largely because each of the systems you mentioned—bottling, filling, palletizing—is independent and each has its own safety system. You have to have one system with quite a few safety I/O to make the safety-controller route look economically attractive.
Stan Prutz, P. E. / systems engineering manager / QDS Systems / Control System Integrators Association member
Phased project management
Polytron's approach for any machine-safety remediation effort follows the same phased project management approach we use for capital projects. First, we utilize our TUV-certified machine-safety experts to develop a machine-safety risk assessment to identify all of the machine hazards associated with the operation and maintenance of the machine. If the owner has already obtained a machine-safety hazard assessment from the OEM or another entity, we'd review it and address any missing details. Then, we'd work with the owner's operations, maintenance and EHS resources to define the necessary safety category and performance level for each piece of equipment assessed. We'd identify the gaps between the current machine design and the target safety category/performance level and work with the owner to define acceptable mitigation designs. In this phase, it’s really important to evaluate the proposed mitigation design against the machine's current overall equipment effectiveness (OEE) to determine the impact. In many cases, an alternative machine safety design approach can limit or eliminate any negative effect on the equipment's OEE. And, in all cases, personnel training and standard-operating-procedure (SOP) development should be considered, based upon the level of change required by the safety mitigation design.
Once the proposed safety mitigation design has been reviewed and the machine hazards reduced to an acceptable risk level, the next step in our process is to develop a safety functional design specification (SFDS) that would detail the scope of the mechanical and electrical modifications required for each machine. This document would detail the bill of material, preliminary fabrication and/or installation drawings and a functional description of the safety mitigation changes. The SFDS is then utilized to generate equipment fabrication and installation costs and timelines. Most importantly, the SFDS is the basis for developing the safety validation plan that is the documentation utilized to validate the safety mitigation changes have been installed and verified upon the completion of the effort.
Once all of the equipment has been assessed and the execution cost and timelines have been identified, the execution phase of the safety mitigation project is managed like any other project. Equipment downtime is requested and coordinated for the installation, startup and validation of the mitigation changes on each piece of equipment. Strong project management acumen is required to coordinate the schedule of the safety mitigation execution efforts and the available operational downtime.
Damian Stahl / vice president / Polytron / Control System Integrators Association member
Close the safety gaps
The situations you describe are not unique to Optimation Technology and have been addressed during design-build and upgrades for our clients. When equipment and facilities are barriers to safe work, the flow of business can be impeded. Optimation uses a multifaceted approach to these types of concerns. Approaches include but are not limited to assessing hazard recognition, equipment functionality, operator interface, maintainability and desired production throughput. Assessing the following and closing any gaps discovered will be critical.
Hazard recognition: Determining the inherent risk factors for the entire process. Ensure machine and worker safeguards are adequate, compliant and not overkilling production and throughput.
Equipment functionality: Evaluate if the machine will operate as desired. Over- or under-engineered equipment can inhibit functionality.
Operator interface: Discover all the tasks and activities the operators will be involved in while operating the equipment. Knowledge of the what, where and how operators interface allows for effective and efficient design the first time.
Maintainability: Ensure maintenance personnel have ready access to all necessary pieces of equipment appropriate for the work. Knowledge of the what, where and how maintenance mechanics interface allows for effective and efficient design the first time.
Desired production throughput: Determine and deliver the appropriate quantity of product on time and at the highest level of quality. Without addressing the items listed above, desired production throughput will be extremely difficult if not impossible to attain.
Optimation’s multifaceted approach to these situations can improve not only the safety functionality of an equipment process; the cost, schedule, quality and worker satisfaction also will be byproducts of the enhancements.
Al Manzer / corporate safety engineering manager / Optimation / Control System Integrators Association member
Standards-based approach
This unfortunate scenario seems to play out repeatedly. In most cases, the root cause is failure to consider how people interact with the machine when selecting safeguarding. This is why we see some organizations dragged kicking and screaming into safeguarding projects. The belief is that safety upgrades will result in lower productivity, which often happens when using the wrong safeguarding approach.
The goal is to proactively engineer a safety system that complements the tasks operators and maintenance technicians need to perform on machinery and allows them to perform those tasks quickly and safely. To start, follow the functional safety lifecycle and consider modularization and reuse. If you have more than one copy of each machine, begin with the most complex example and then use the assessment, specification and design as a template for the others. You still need to look at each machine individually, but make it easy on yourself by reusing what you have already done.
The first step in the lifecycle is a good risk assessment. Hazard identification should be completed by looking at the tasks people are performing on the machine and the hazards they are exposed to while performing those tasks. This must be a team exercise. The input and buy-in of the people who are bypassing the current safeguards are very important. Anywhere you discover an unacceptable risk, consider the full range of safeguards. This includes many options: designing the hazard out; using fixed guarding, interlocking guards and/or presence sensing devices; building awareness; implementing training and procedures; and using personal protective equipment (PPE). When you examine all of the possibilities, you will likely end up with several options that will help to keep people safe. You are then free to choose the best options based on their effect on productivity. If you are unfamiliar with this process, get help.
Now, you’ll have a design concept that should either minimally affect productivity or improve it. Additionally, you should have buy-in from the people who will be working on the machine. At this point, you can focus on the things that we traditionally associate with a safety-system implementation, such as specification, safety-circuit design and safety-software development. Each one of these pieces of the project should be used as a template for other machines of the same type. This applies to the end of the process, as well. Perform a good validation, and use the validation plan as a template. The time and cost requirements for other machines should go down with each iteration.
Overall, it is important to remember that this process is not focused on safety components or technology. Rather, it is a standards-based approach to designing a safety system that makes all human-machine interactions more efficient, safer and in compliance with requirements.
Pat Barry / safety regional manager / Rockwell Automation
Safe and productive
We are sorry to hear that there was an operator injury, and we hope everyone is well.
For this opportunity at the packaging plant we would like to offer a solution to make the operations at the packaging plant safe and increase work ergonomics and productivity. The following plan will expedite the implementation of the required safety functions.
Risk assessment: To implement safety on a machine, first a risk assessment must be done to identify the risks of the machine and the process.
Identification of required safety functions: After the risk assessment is complete, the required safety functions have to be identified. What are the conditions that put a machine in safety state? For example, if Door A is opened, what happens to the machine? All of these scenarios must be documented.
Identification of safety equipment: Next, the proper equipment must be selected to accomplish the safety functions. The following questions have to be answered. Will it be drive-based safety or will a safety PLC be used? Will it be a combination of drive-based safety with a safety PLC? Is the safety PLC going to have remote safety I/O or local safety I/O? Will safety equipment be installed, or will older equipment be replaced with new safety equipment?
Testing: Once the equipment has been selected, it must be tested and validated to ensure it performs as expected.
Training: Training can be done after this last step. The machines perform as expected, and this information must be shared with the operators. Operators must understand the conditions that put the machine in safety state and how to use it for their safety and to reduce downtime.
The above plan will ensure a fast and efficient implementation of machine safety to increase protection of the operators and machines.
Joaquin Ocampo / product manager / Bosch Rexroth
Safe operation is not a given
What your company needs is an overall safety plan. Adding guarding to a machine is not enough, and in some cases guarding alone may never be able to stop a determined operator. On the other hand, an operator should never feel compelled to bypass safety controls to continue production. Regarding safety, the roles of operators, maintenance/engineering and management should be clearly defined by the safety plan. What that means in reference to your situation is that both the production manager and the operator should be trained to stop production and contact maintenance if there is an issue with the guarding causing excessive stopping on the equipment.
To implement a safety plan, it is best practice to follow accepted and up-to-date industry standards. We will restrict the discussion to safety of machinery and functional safety since your interest is to integrate a PLC-based safety system. In the United States, please refer to the ANSI B11 standards; however, there are also many EN/ISO (European standards) that apply.
To design the system properly, you will want to perform a risk assessment, for which EN ISO 12100:2010 is generally used. The risk assessment will help you to get a baseline idea of where, how severe and how frequent your hazards are present. Because you are integrating a system with existing machines, the machine manufacturers may already have some of this information available to you in their user manuals.
Once you understand these hazards, you will want to perform risk reduction analysis. This involves examining each hazard to come up with a mix of physical guarding, safety controls and personnel training to eliminate or reduce this risk to an acceptable, residual level. Remember, this is an iterative process, so it may take a few passes.
Finally, make sure you are paying attention to standards specific to your machines. The high-level standards will help to lay out the architecture and performance level of your safety functions, but the lower-level standards contain specific requirements that vary from machine to machine.
At this point, you should have a system designed that includes physical guarding, electronic safety functions and other measures of risk reduction, including signage and training for all employees. Each safety function has been assigned a performance level, as well as a reaction time, a known safe state and a restart acknowledgement procedure; your test cases are now done. These test cases should be carried out when commissioning the system, as well as periodically, according to your calculated proof test interval for each safety function.
Integration of the safety functions with safety PLCs allows you to build diagnostics into your functional safety system, and these diagnostics can then be used to troubleshoot issues that come up with the safety system, as well as perform continuous improvement efforts within the system.
If a door guard switch is false tripping periodically, it may be appropriate to add some debounce time and still fulfill the requirements of the safety function; otherwise, it may be necessary to move to a different guarding technology that is more immune to the disturbance. Remember that you always have the performance level and proof test requirements from your design phase to guide you on what is safe and what is not.
Remote safety I/O should also be able to provide diagnostics.
Operating the system in a safe manner is not a given unless everyone in the organization buys into the safety plan and plays their roles. Safety training and continuous improvement is always the most important step to operating a safe work environment.
Kyle Hall / product engineer—fieldbus technology / Turck
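Two of the answers above describe a safety function in concrete terms: Bosch Rexroth's "if Door A is opened, what happens to the machine?" and Turck's list of what each function carries (a performance level, a reaction time, a known safe state, a restart acknowledgement procedure, and the test cases that fall out of them), plus the warning about adding debounce time to a nuisance-tripping door switch. The Python model below is an added example written for this page. It is not code from Turck, Bosch Rexroth or any safety controller vendor, and it is not safety-rated logic; the real function belongs in a certified safety controller and is validated against the safety functional design specification. It assumes a dual-channel guard switch read as two inputs, a monitored reset button, a 10 ms scan, and illustrative timing values (20 ms filter, 500 ms discrepancy window, 250 ms reaction budget); none of those numbers come from the article. What it shows is that a debounce filter is part of the reaction-time budget, how a stuck or jumpered channel is told apart from a genuine door opening, and what the restart acknowledgement test cases look like once they are written down.

```python
from dataclasses import dataclass


@dataclass
class DoorInterlock:
    """Model of one safety function, 'guard door open -> safe stop', with a
    dual-channel guard switch. Timing values are illustrative assumptions, not
    figures from the article; real values come from the risk assessment."""
    filter_ms: int = 20              # debounce: ignore dropouts shorter than this
    discrepancy_ms: int = 500        # channels disagreeing this long is a fault
    logic_ms: int = 10               # safety controller processing time
    actuator_ms: int = 150           # contactor drop-out plus mechanical stop
    required_reaction_ms: int = 250  # limit from the stopping-distance calculation
    outputs_enabled: bool = False    # safe state at power-on until a valid reset
    fault: bool = False              # latched; cleared by maintenance, not by reset
    _open_ms: int = 0                # how long any channel has been open
    _disagree_ms: int = 0            # how long the two channels have disagreed
    _reset_armed: bool = False       # reset pressed under valid conditions

    def worst_case_reaction_ms(self) -> int:
        # The filter adds directly to reaction time: lengthening it to cure
        # nuisance trips can silently break the reaction-time budget.
        return self.filter_ms + self.logic_ms + self.actuator_ms

    def reaction_time_ok(self) -> bool:
        return self.worst_case_reaction_ms() <= self.required_reaction_ms

    def scan(self, ch1_closed: bool, ch2_closed: bool, reset_pressed: bool, dt_ms: int) -> bool:
        """One controller cycle of dt_ms milliseconds; returns the output enable."""
        both_closed = ch1_closed and ch2_closed
        # Discrepancy monitoring: one channel open on its own for too long is a
        # wiring/contact fault or a bypass attempt, not a door opening.
        if ch1_closed != ch2_closed:
            self._disagree_ms += dt_ms
            if self._disagree_ms >= self.discrepancy_ms:
                self.fault = True
        else:
            self._disagree_ms = 0
        # Demand detection: any open channel is a demand; the filter only
        # suppresses dropouts shorter than filter_ms.
        if not both_closed:
            self._open_ms += dt_ms
            if self._open_ms >= self.filter_ms:
                self.outputs_enabled = False
        else:
            self._open_ms = 0
        if self.fault:
            self.outputs_enabled = False
        # Monitored manual reset: outputs return only on release of the reset
        # button after it was pressed with the door closed and no fault. A jammed
        # or jumpered button never produces that press/release edge.
        if reset_pressed:
            self._reset_armed = both_closed and not self.outputs_enabled and not self.fault
        elif self._reset_armed and both_closed and not self.fault:
            self.outputs_enabled = True
            self._reset_armed = False
        else:
            self._reset_armed = False
        return self.outputs_enabled


def bring_to_run(sf: DoorInterlock, dt_ms: int = 10) -> bool:
    """Close the door, press and release reset; True if the machine is running."""
    sf.scan(True, True, False, dt_ms)
    sf.scan(True, True, True, dt_ms)
    return sf.scan(True, True, False, dt_ms)


def run_validation_cases() -> dict:
    """Commissioning test cases, run on constructed input sequences (not plant data)."""
    results = {}
    # Case 1: opening the door removes power within the filter window.
    sf = DoorInterlock()
    bring_to_run(sf)
    elapsed, running = 0, True
    while running and elapsed < 1000:
        elapsed += 10
        running = sf.scan(False, False, False, 10)
    results["door_open_stops_after_ms"] = elapsed
    results["reaction_budget_ok"] = sf.reaction_time_ok()
    # Case 2: a 10 ms single-channel bounce does not stop production.
    sf = DoorInterlock()
    bring_to_run(sf)
    sf.scan(False, True, False, 10)
    results["bounce_tolerated"] = sf.scan(True, True, False, 10)
    # Case 3: one channel stuck open (broken wire, bypassed contact) latches a fault.
    sf = DoorInterlock()
    bring_to_run(sf)
    for _ in range(60):
        sf.scan(True, False, False, 10)
    results["stuck_channel_faults"] = sf.fault
    results["fault_blocks_restart"] = not bring_to_run(sf)
    # Case 4: after a trip, a press made with the door open does not count,
    # holding reset does nothing, and releasing a valid press restarts.
    sf = DoorInterlock()
    bring_to_run(sf)
    sf.scan(False, False, False, 10)
    sf.scan(False, False, True, 10)  # second open scan trips; reset pressed while open
    results["reset_pressed_while_open_ignored"] = not sf.scan(True, True, False, 10)
    sf.scan(True, True, True, 10)
    results["held_reset_does_not_restart"] = not sf.scan(True, True, True, 10)
    results["release_edge_restarts"] = sf.scan(True, True, False, 10)
    # Design check: a 100 ms debounce would exceed the 250 ms reaction budget.
    results["long_filter_breaks_budget"] = not DoorInterlock(filter_ms=100).reaction_time_ok()
    return results
```

The dictionary returned by run_validation_cases() is the kind of pass/fail record a validation plan would file at commissioning and repeat at each proof test. The last entry is the check Turck's answer tells you to keep in hand: raising the filter to 100 ms to cure a nuisance trip pushes the worst-case reaction time to 260 ms, past the assumed 250 ms budget, so the cure would have to be a different guarding technology rather than more debounce.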
Efficiency improvement
Challenges like outdated safety components are hidden opportunities to improve overall plant efficiency. AS-Interface Safety at Work is the obvious choice to overhaul your safety systems. This PLC-independent technology allows safety devices such as door switches, e-stops and light curtains to coexist on standard AS-Interface networks. So your safety systems—and, in turn, your entire plant—can benefit from the advantages of AS-Interface: easier installation with piercing technology, drastically reduced cabling, flexible network topologies, and extensive diagnostics. Furthermore, AS-Interface Safety at Work systems satisfy the most stringent safety requirements of PL e/SIL 3. And don’t overlook integrating Safe Link, which gives you the ability to link multiple AS-Interface gateways and safety monitors via standard Ethernet—Profinet, EtherNet/IP and Modbus/TCP. AS-Interface Safety at Work provides flexibility and increased uptime and, most importantly, ensures staff and equipment are operating in a safe environment.
Danius Silgalis / product manager / Pepperl+Fuchs
Read part two of this series with even more methods for planning a safety upgrade.