Safety in the Automated World


By Dick Johnson November 1, 2004

AT A GLANCE

Know the law

Assess risks

Audit operations

Implement standards

Practice safety

Sidebars: EN Standard 1050: principles for risk assessment

The words industrial accident make everyone cringe. It is in the best interests of all workplaces to maintain safe working conditions. To further the cause of safety in the workplace, the U.S. Congress established the Occupational Safety and Health Administration (OSHA) in 1970. Its ‘prime directive’ requires U.S. employers provide a workplace free of recognized hazards. Safety-based automated control is often a critical part of meeting that mandate. It is also the first place investigators look when something goes awry.

The Bureau of Labor Statistics says that 5,500 deaths and 4,700,000 reportable injuries occurred on the job in 2003 (out of approximately 126,000,000 U.S. workers). Although the number of incidents has dropped dramatically over the past 30 years, the cost per incident has sky-rocketed, and the aggregate bill now runs into the tens of billions of dollars. Financial consequences of an injury can go well beyond immediate plant downtime and medical expenses.

Worker rehabilitation expenses, insurance premium increases, flagging worker morale and productivity, regulatory fines, costs to train an injured worker’s temporary or permanent replacement, and litigation costs all increase total incident costs 4 to 10 times beyond those actually assessed by the company’s insurance underwriter. But high as those costs may be, they pale in comparison to the physical pain and emotional suffering of injured workers and their families.

Role of law

According to Lewis Bass, attorney, safety engineer, and principal at Lewis Bass International Safety Consultants, ‘Current trends in regulatory and tort law interpretations make it increasingly likely that, in the event of an accident, anyone who owns, designs, installs, maintains, supervises, or operates the whole or any part of an industrial system will be evaluated for culpability. This is why proactive safety makes so much sense.’

In the U.S., there are essentially three levels of industrial safeguarding, oversight, and guidance:

OSHA and its state-level counterparts (such as IL-OSHA, CAL-OSHA, etc.). OSHA publishes its dictates in 29 CFR (Code of Federal Regulations) Part 1910 and can enforce them with fines as high as $75,000 per violation, criminal charges, and plant shutdowns. OSHA also publishes detailed standards, technical reports, and training programs to assist employers in complying with the law.

‘National Consensus Standards’ groups, such as the American National Standards Institute (ANSI). ANSI is a not-for-profit coalition of technical, trade, and professional organizations, corporations, labor, and government agencies that establishes national consensus standards in many areas, including safety. Participating member organizations include: The Association for Manufacturing Technology (AMT), Robotic Industries Association (RIA), American Society of Civil Engineers (ASCE), ISA-The Instrumentation, Systems, and Automation Society, and American Society of Mechanical Engineers (ASME). These organizations develop standards for their respective industries and are excellent sources of guidance on industry-specific safety issues.

Although ANSI standards do not in themselves have the force of regulations, OSHA often cites them as criteria for legal compliance, and those OSHA incorporates by reference into its regulations effectively carry the force of law. Because ANSI and its industry-specific member organizations include representatives from the industries the standards affect, the costs and technological feasibility of a directive or standard are always part of the safety-standards development process.

The employer. Companies using high-risk or rapidly developing technologies sometimes develop their own application-specific safety requirements that exceed those in the regulations. This is not only an ethical way to run a business, but can also provide proving grounds for evaluating locally devised standards and methodologies for possible adoption later by an industry standards group. Currently, OSHA does not require licensed professional engineers to certify safety systems. However, professional input into, and endorsement of, a company’s safety systems and programs increases the likelihood of a plant meeting applicable regulations.

Global input

The European Union (EU) is a world leader in addressing equipment and workplace safety issues. Its standards are published primarily by the European Committee for Standardization (CEN) as European Norms (EN). EU standards and directives (laws) are usually more rigorous and comprehensive than U.S. equivalents, and they are more unified and more likely to be stated in one place. The EU uses those standards to keep non-compliant imports out of Europe. Hence, U.S. safety oversight groups are increasing efforts to ‘harmonize’ U.S. standards with those of the EU.

These actions will eventually spell relief for many U.S. companies that serve both markets, allowing them to stop manufacturing two separate versions of the same product to remain cost-competitive here and product-compliant with EU standards. Bass also notes, ‘Because EU standards may be included in ANSI standards, and eventually adopted by OSHA, U.S. companies would be well advised to keep up with EU standards development.’ Doing so makes plants safer, Bass contends, and saves money by designing to the higher safety standard ahead of time, rather than retrofitting after a European standard or directive becomes a U.S. standard or law.

Similarly, the International Electrotechnical Commission (IEC) has been working toward unified global standards.

The fundamental building blocks of safety automation are essentially the same as those of factory automation, whether in a process/batch or discrete manufacturing environment. Yet historically, legally compliant safety systems largely involved only mechanical and electromechanical interlock devices. Regulatory concern about solid-state reliability prevented many advances in electronic devices from being implemented as safety-system components. Hard-wired safety circuitry was favored over program logic because software was assumed to be too easy for humans to intentionally or accidentally defeat. Today, however, color-coded versions of PLCs, solid-state relays, photo switches, network hardware, and I/O devices are routinely specified for, and are integral to, compliant safety systems. In addition, a plethora of safety-specific electronic ‘trip devices’ has been designed to detect human presence in potentially dangerous situations. Examples include safety mats, light curtains, proximity sensors, two-hand/no-tie-down controls, safety contact strips, and electronic safety bumpers.

What makes equipment ‘safety-grade’ instead of ‘production-grade’? The simple answer is more reliability, which standards groups achieve by specifying what a device must endure (physical construction) and how it must function (design). Examples of safety-specific functionality include:

Intrinsically safe—Device runs on power insufficient to ignite volatile gas in case of a spark caused by electrical malfunction.

Self-monitoring capability—Safety controllers (such as safety relays, certain interlock switch controllers, and safety mat controllers) detect their own faults, drive the process or machine to a safe state, and hold it there until the event is cleared and the device is reset. This function is present in the three fundamental operations of a safety controller—monitoring safety inputs, monitoring safety reset, and monitoring safety outputs—and in the timing of its actions. Safety inputs are monitored to verify that a change of state (from unsafe to safe) has occurred before a reset operation will be permitted.

When manual reset is required, monitoring the safety-reset function requires that the reset circuit change state (from off to reset) after the safety inputs have been satisfied. This action ensures that a safety controller reset is operator-initiated and that the reset circuit is not ‘jumpered’ (defeated manually). A self-monitoring feature also requires that the safety outputs respond to changes in the safety inputs (from unsafe to safe) and safety reset state (from off to reset), and that they occur in the correct sequence. That is, if the safety inputs are unsafe, then all safety outputs must turn OFF. Conversely, when the safety inputs are safe and the safety controller is reset, all safety outputs may turn back ON.

Dual-channel capability (redundancy) with voltage diversity—Voltage diversity enhances self-monitoring and simple redundancy by detecting when the safety input channels have crossed (or shorted together). Under these circumstances, the internal safety outputs are forced OFF and the safety relay goes into a fault (and safe) mode.
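To make the sequencing described in the self-monitoring and voltage-diversity points concrete, here is a small added simulation of a dual-channel, voltage-diverse safety relay with a monitored manual reset. It is illustration code written for this page, not code from the article or from any relay manufacturer. The rail voltages (+24 V on channel A, 0 V on channel B), the scan-cycle model, and the number of scans a channel discrepancy is tolerated before it is treated as a fault are assumptions; the scan sequences at the bottom are constructed.

```python
from enum import Enum
from typing import Optional

V_SOURCE = 24.0  # assumed: channel A is wired from the +24 V supply
V_RETURN = 0.0   # assumed: channel B is wired from the 0 V return (voltage diversity)


class State(Enum):
    UNSAFE = "unsafe"            # guard open or not yet proven: outputs OFF
    AWAIT_RESET = "await reset"  # inputs satisfied, waiting for operator reset
    RUN = "run"                  # outputs ON
    FAULT = "fault"              # latched: outputs OFF until the event is cleared


Reading = Optional[float]  # measured terminal potential; None = open / floating


def classify(ch_a: Reading, ch_b: Reading) -> str:
    """Interpret the two input terminals as closed, open, mismatch or cross fault."""
    # Voltage diversity: A may only ever read +24 V (closed) or float (open);
    # B may only ever read 0 V (closed) or float. A pulled to 0 V or B pulled
    # to +24 V can only happen if the channels are shorted to each other (or to
    # the wrong rail), so that reading is a cross fault, never a valid state.
    if ch_a == V_RETURN or ch_b == V_SOURCE:
        return "cross_fault"
    if ch_a == V_SOURCE and ch_b == V_RETURN:
        return "closed"
    if ch_a is None and ch_b is None:
        return "open"
    return "mismatch"  # one contact open, the other closed


class SafetyRelay:
    def __init__(self, discrepancy_limit: int = 3):
        self.state = State.UNSAFE
        self._prev_reset = False
        self._mismatch_cycles = 0
        # Assumed: a channel discrepancy is tolerated for a few scans (contact
        # bounce, cable slack) before it is declared a wiring or contact fault.
        self.discrepancy_limit = discrepancy_limit

    def step(self, ch_a: Reading, ch_b: Reading, reset: bool) -> bool:
        """One scan cycle. Returns True when the safety outputs are ON."""
        reading = classify(ch_a, ch_b)
        # Monitored reset: only an off->on transition counts, and it must occur
        # after the inputs are already satisfied. A reset that is jumpered
        # (held on permanently) never produces an edge, so it never restarts.
        reset_edge = reset and not self._prev_reset
        self._prev_reset = reset

        if reading == "cross_fault":
            self.state = State.FAULT
        elif reading == "mismatch":
            self._mismatch_cycles += 1
            if self._mismatch_cycles > self.discrepancy_limit:
                self.state = State.FAULT
            elif self.state != State.FAULT:
                self.state = State.UNSAFE
        else:
            self._mismatch_cycles = 0
            if self.state == State.FAULT:
                # Hold the fault until the event is cleared: both channels must
                # be seen validly open before a new unsafe->safe->reset sequence.
                if reading == "open":
                    self.state = State.UNSAFE
            elif reading == "open":
                self.state = State.UNSAFE          # any open input: outputs OFF
            elif self.state == State.UNSAFE:
                self.state = State.AWAIT_RESET     # unsafe->safe transition seen
            elif self.state == State.AWAIT_RESET and reset_edge:
                self.state = State.RUN             # operator-initiated restart
            # RUN with both inputs still closed: stay RUN

        return self.state == State.RUN


def run_scenario(frames):
    """Feed (ch_a, ch_b, reset) scans to a fresh relay; return output state per scan."""
    relay = SafetyRelay()
    return [relay.step(a, b, r) for a, b, r in frames]


# Constructed scan sequences (not from the article).
OPEN, CLOSED = (None, None), (V_SOURCE, V_RETURN)
NORMAL_CYCLE = [(*OPEN, False), (*CLOSED, False), (*CLOSED, True), (*CLOSED, False), (*OPEN, False)]
JUMPERED_RESET = [(*OPEN, True), (*CLOSED, True), (*CLOSED, True), (*CLOSED, True)]
CROSSED_CHANNELS = [(*OPEN, False), (*CLOSED, False), (*CLOSED, True),
                    (V_SOURCE, V_SOURCE, False),   # field wires shorted: B sees +24 V
                    (*CLOSED, True), (*OPEN, False), (*CLOSED, False), (*CLOSED, True)]

if __name__ == "__main__":
    print("normal   ", run_scenario(NORMAL_CYCLE))
    print("jumpered ", run_scenario(JUMPERED_RESET))
    print("crossed  ", run_scenario(CROSSED_CHANNELS))
```

The jumpered-reset sequence never turns the outputs on because the reset input is already high when the guard closes, so no off-to-reset edge is ever observed. In the crossed-channel sequence the relay drops out on the shorted scan, ignores a reset while still faulted, and restarts only after both channels have been seen validly open and then closed again.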

Use of these safety-rated components is critical to the ‘control-reliability’ of the safety systems they compose. ANSI standard B11.19-2003 defines control reliability as ‘The capability of the machine control system, the safeguarding, other control components, and related interfacing to achieve a safe state in the event of failure within their safety-related functions.’ Control-reliable circuitry and logic are especially important in highly hazardous situations.

Tools for compliance

Control engineers charged with installing or revamping systems to eliminate accident potential in their plants must first identify hazards through a safety-audit process known as risk assessment. Who should perform these critical discovery actions? Bill VanDervoort, director of safety integration at DST Controls, says, ‘Conscientious owners can perform a significant preliminary safety investigation themselves,’ but ‘first-timers’ conducting their own safety audits of record is akin to a do-it-yourself physical exam. ‘The technical and legal aspects of plant safety are—as in medicine—so voluminous, esoteric, and multi-sourced that it is virtually impossible for anyone but a full-time professional to stay current. This is especially true for equipment and system manufacturers who have to comply with as-yet unharmonized U.S. and European directives.’

Specific risk-assessment methodologies are not prescribed by law, but various versions are suggested by regulatory and standards organizations. One recommended safety audit standard is shown below.

Eliminating risk

When risk is ascertained, the OSHA/ANSI ‘Hierarchy for Safe Guarding Machinery’ may be followed. These principles, which apply to all machinery in process and discrete manufacturing situations, cover five levels of activity: eliminating hazards by design; controlling hazards by guarding (barriers, interlocks, automated protection, etc.); using warnings signs and alarms; using personal protective equipment (gloves, safety glasses, etc.); and providing worker training.

Risk assessment may be confusing. Flow chart illustrates a recommended process for a safety audit. (Illustration courtesy of STI, www.sti.com)

These points are listed according to priority. The first is considered optimum because any hazards were eliminated during original design. If a totally hazard-free situation is not practical—steel mills and chemical plants are good examples—the next-best option would be safeguarding against the hazard itself. If that doesn’t eliminate sufficient risk, the third level of action—use of warning devices—can be implemented, and so on.

Control engineers have the opportunity and responsibility to apply their skills primarily in the first two levels of the hierarchy. The following five steps provide direction (again preferably with professional help) for a control-based risk-reduction solution:

Assess risks during all operational modes of the system in light of acceptable risk reduction levels;

Adopt existing, or design new, control-based hazard-reduction schemes;

Specify safety requirements for the safety-related parts of the control system (such as the category of reliability required; see Standard EN 954-1);

Design safety related sub-systems of the control strategy according to the specifications developed in step 3 above.

Validate achieved safety functions against the specifications in step 3 and redesign if a shortfall is observed.

Documenting investigations and actions is critical to preventing the need to repeat time-consuming tasks, aiding investigators in case of an incident, and indicating due-diligence to regulators and/or courts.

The goal of process and machine safeguarding is to prevent access during dangerous conditions and to prevent dangerous conditions during access with minimal impact on the process or operation. Though well-meaning operators may find a way to bypass safety systems that seem to slow productivity, production efficiency and safety can and should go hand in hand. When activated, systems ensuring safety should leave a machine or process in good working order after the problem is cleared and the system is reset.

Control Engineering thanks DST Controls ( www.dstcontrols.com ), Joe Lazzara of STI ( www.sti.com ), and Lewis Bass International ( www.lewisbass.com ) for help with this article.

Online Extra: Risk-assessment structure follows EN 1050

As if continually making industrial processes run better, cheaper, and faster in a hyper-competitive world weren’t enough! Control engineers also must make those processes safer, and do it by innovatively eliminating hazards during design or implementing dedicated safety-system retrofits later. Failure to do so will generate increasingly harsh reminders from government agencies and from injured co-workers and their attorneys. Techniques and guidance are available to help prevent that failure.

The following information is based on EN Standard 1050, “Principles for Risk Assessment,” and is presented as an example risk-assessment structure:

Assuming that Risk = Severity + Probability + Frequency, these components can be thought of as discrete points on numeric scales, where:

Severity (of likely injuries)

1 = Minor (cuts or bruises addressable by first aid)

3 = Serious (non-permanent injuries: unconsciousness, broken bones)

6 = Major (permanent disabilities: blindness, loss of limbs)

10 = Death

Probability (of injury)

1 = Unlikely

2 = Possible

4 = Probable

6 = Certain

Frequency (number and duration of exposures)

1 = Seldom (weekly or less)

2 = Occasional (daily)

4 = Frequent (several times a day)

Once scores are assigned, their sum can be measured against a scale of 3-20 (the smallest possible sum is 1 + 1 + 1 = 3, the largest 10 + 6 + 4 = 20), where “3” would be low risk, “10” would be medium risk, and “20” would be high risk. Obviously, the assignment of these values, and those in between, is subjective and can vary significantly with the competence of the assessor. Therefore, it is important that experienced, and preferably licensed, safety professionals perform this activity and apply other assessment tools. Machines or processes being evaluated should be examined during normal production modes, start-up, shut-down, and maintenance. Even the possibility of intentional or accidental misuse must be considered.
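The scoring structure above is easy to apply once, but the point about examining every operating mode is where hand-scoring goes wrong: the mode that dominates a hazard is often not production. The following added example (written for this page, not from the article or from EN 1050 itself) scores a set of exposures per operating mode, rates each hazard by its worst mode, and ranks the result. The band edges between low, medium and high are an assumption, since the article anchors only 3, 10 and 20; the press-brake hazards in the sample are constructed; and integer values between the named scale points are accepted, as the text allows.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Scale points from the article's EN 1050-based structure.
SEVERITY = {"minor": 1, "serious": 3, "major": 6, "death": 10}
PROBABILITY = {"unlikely": 1, "possible": 2, "probable": 4, "certain": 6}
FREQUENCY = {"seldom": 1, "occasional": 2, "frequent": 4}

# Assumed band edges on the 3-20 scale: the article anchors only
# 3 = low, 10 = medium and 20 = high.
LOW_MAX, MEDIUM_MAX = 7, 14

Level = Union[str, int]


@dataclass(frozen=True)
class Exposure:
    hazard: str
    mode: str          # production, start-up, shut-down, maintenance, misuse ...
    severity: Level
    probability: Level
    frequency: Level


def _points(table: dict, value: Level, name: str) -> int:
    """Accept a named scale point, or an in-between integer within the scale."""
    if isinstance(value, str):
        if value not in table:
            raise ValueError(f"{name}: unknown level {value!r}")
        return table[value]
    top = max(table.values())
    if isinstance(value, int) and 1 <= value <= top:
        return value
    raise ValueError(f"{name}: {value!r} is outside 1..{top}")


def score(e: Exposure) -> int:
    """Risk = Severity + Probability + Frequency, as in the article."""
    return (_points(SEVERITY, e.severity, "severity")
            + _points(PROBABILITY, e.probability, "probability")
            + _points(FREQUENCY, e.frequency, "frequency"))


def band(total: int) -> str:
    if total <= LOW_MAX:
        return "low"
    if total <= MEDIUM_MAX:
        return "medium"
    return "high"


def assess(exposures: List[Exposure]) -> List[Tuple[str, str, int, str]]:
    """Rate each hazard by its worst operating mode and rank highest risk first.

    Returns (hazard, worst_mode, score, band) tuples."""
    worst = {}
    for e in exposures:
        total = score(e)
        if e.hazard not in worst or total > worst[e.hazard][1]:
            worst[e.hazard] = (e.mode, total)
    return sorted(((h, m, s, band(s)) for h, (m, s) in worst.items()),
                  key=lambda row: -row[2])


# Constructed sample for a hydraulic press brake (not data from the article).
SAMPLE = [
    Exposure("point of operation", "production", "major", "possible", "frequent"),
    Exposure("point of operation", "maintenance", "major", "probable", "seldom"),
    Exposure("unexpected restart while clearing jam", "production", "major", "possible", "occasional"),
    Exposure("unexpected restart while clearing jam", "maintenance", "death", "probable", "occasional"),
    Exposure("pinch point at back gauge", "production", "serious", "possible", "frequent"),
    Exposure("hydraulic fluid contact", "maintenance", "minor", "probable", "seldom"),
]

if __name__ == "__main__":
    for hazard, mode, total, level in assess(SAMPLE):
        print(f"{total:2d} {level:6s} {hazard} ({mode})")
```

In the sample, the jam-clearing restart hazard scores 10 (medium) in production but 16 (high) in maintenance, so it tops the list even though its production-mode rating looks unremarkable. That is the kind of shift a single-mode walk-through misses, and it is why the article insists that start-up, shut-down, maintenance and misuse be examined alongside normal production.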

Links to related Control Engineering coverage:

Fail-safe PLC secures rail, barge traffic

Reach for machine safety

Machine builders turn to PCs for control

A safe route through the European standards world

Selected safety standards and information sources

Safety information sources include the following.

Association for Manufacturing Technology

American National Standards Institute

American Society of Mechanical Engineers

Conveyor Equipment Manufacturers Association

Comité Européen de Normalisation (CEN)

International Electrotechnical Commission

Institute of Electrical & Electronics Engineers

ISA-The Instrumentation, Systems, and Automation Society

International Organization for Standardization (ISO)

National Electrical Manufacturers Association

National Fire Protection Association

Occupational Safety & Health Administration*

Precision Metalforming Association

Robotic Industries Association

Society of the Plastics Industry

Semiconductor Equipment and Materials International

Underwriters Laboratories Inc.

*OSHA provides free compliance assistance and on-site inspections to small business. Visit the OSHA website, click on “Compliance Assistance,” and then “Consultation” to see if your company qualifies for this service.
