Knowledge and Focus are Key for Effective Safety Audit
Getting a complete picture from an optical illusion requires careful study and thoughtful examination, not a quick glance or cursory once-over. A machine safety audit requires this same depth and intensity of focus. If you don’t take time to analyze and study the entire picture, you likely will miss important details.
Essentially, auditing is a comparison of an existing condition to a desired condition. Health and safety standards set minimal requirements for the desired condition. Numerous standards exist, but not all are applicable to every machine. This makes the auditing process challenging.
Figure: Architectural block diagram for Category 3 machine safety systems.
Machine safety auditors must, therefore, be familiar with the appropriate standards. But, which are appropriate?
Certainly, the laws of each country set the basic requirements. In the U.S., the Occupational Safety and Health Administration (OSHA) has set out basic requirements for machine safety. These standards are found in Title 29 of the Code of Federal Regulations (CFR 29). Other countries have similar organizations and regulations.
In addition to OSHA, many U.S. standards-development organizations have promulgated consensus machine-safety standards. For example, the National Fire Protection Association (NFPA) publishes NFPA79, the electrical standard for industrial machinery that machine auditors are also required to use. Warning labels and signs are regulated by ANSI Z535 (American National Standards Institute). Moreover, there are many standards that exist for specific machines such as ANSI B11.1 for mechanical power presses, ANSI B155.1 for packaging machines, and ANSI RIA R15.06 for robots.
The challenge for a machine auditor is twofold: to know which standards apply, and to understand what each standard requires.
A machine safety audit is a special type of audit; its scope is limited to one machine rather than a group of machines or a company’s safety program. One of the best ways to prepare for a machine safety audit is to have a checklist of questions. Many questions asked during a machine safety audit can be applied to many types of machines. Most, if not all, machines require electricity to operate; therefore, NFPA79 (or its local equivalent) applies. For machines built to applicable standards, a machine-specific addendum could be attached to the checklist.
The depth of the audit will need to be determined based on audit program objectives and the amount of information available. Typically, safety system audits seek to verify that the safety system is designed and installed to achieve some level of reliability, and to meet functional performance requirements. The level of safety system reliability is identified by the governing bodies, consensus standards, or by the risk assessment that has been completed on the machine. Functional performance requirements are defined by consensus standards and by hazard-control concepts selected from risk assessment results.
A comprehensive safety-system audit includes evaluation of the safeguarding devices and the safety control logic.
The questions shown in this article are some of the more common ones; they are not intended to be a complete list for conducting a machine safety audit satisfactorily.
The audit process starts with gathering information. During a walkthrough, the auditor needs a reference for comparison.
Does a documented procedure exist for the machine?
Does the procedure identify the warning symbols and signs, operating tasks, procedure for clearing jams, cleaning tasks, maintenance tasks, tasks requiring lockout/tagout, and the lockout/tagout process?
Does a risk assessment document exist?
Does it include the modes of operation, task/hazard field log, selected safeguarding techniques for each hazard, and circuit performance requirement for each safeguard?
If procedures exist, then the auditor should become familiar with the steps, and attempt to follow them during the machine walkthrough. The documented risk assessment provides valuable information. It should identify the hazards of the machine as well as the safeguards and safety circuit architecture that was applied.
For many older machines, the operating procedures may be missing or outdated, and risk assessments may not have been performed. In these cases, the operating procedures must be verbally communicated, leaving operators much room for improvising. Experience shows they will tend to streamline the process, but not necessarily follow requirements for safer machine operation.
Auditing can be a stressful process for the auditee. Putting the auditee at ease is critical, as openness and trust make the audit effective. The auditor should make proper introductions and briefly explain the auditing process.
Wearing appropriate personal protective equipment, the auditor can begin the machine walk-through. By asking open-ended questions, the auditor encourages the machine operator to explain how tasks are performed, not necessarily how they should be performed. During the walk-through, the auditor must do two things: observe how the operator is protected during the tasks, and ask questions regarding what could go wrong during the machine cycle.
Some of the questions the auditor must ask include:
• Are the guards adequately secured to the floor or machine;
• Can the operator reach around, over, under or through the safeguards;
• Do the guards meet appropriate spacing requirements;
• When accessing the machine through a safeguard (e.g., a door or light curtain), can the operator reach the hazard before it is neutralized;
• Are spare actuators available to bypass the interlocks;
• How are spare parts controlled to prevent misuse;
• Are warning signs present and prominently displayed;
• Are control buttons, switches and panels clearly marked; and,
• Is the span of control of e-stop buttons obvious or labeled.
One of the most challenging aspects of a machine safety audit is to understand the intricacies of the control system. This is where a risk assessment (conducted prior to the audit) serves as a vital tool by helping identify potential hazards and define specific safety functional requirements.
To audit the control system effectively, the auditor must be able to look at the risk assessment and answer core questions, such as:
• Are safety functions clearly defined and understood;
• What are the energy sources associated with the hazard;
• What mode of operation is the machine in when the employee is exposed to the hazard;
• What risk reduction techniques were implemented to control the hazard; and,
• What safety circuit architecture was utilized for the safeguard.
Let’s say, for example, the risk assessment of a given machine determined that a specific safety function needed to meet Category 3 per EN954-1 (also published as ISO13849-1:1999). This means the safety-related parts of the control system must perform the safety function in the presence of a single fault. In addition, safety principles must be applied to the control system.
The auditor’s checklist for Category 3 might look like this:
• Do the components meet the requirements of Category B (withstand their expected operating stresses);
• Are well-tried safety principles used;
• Can a single fault lead to loss of the safety function;
• Is detection of the fault at or before the next demand of the safety function reasonably practicable;
• Have common mode faults been considered; and,
• Have excluded faults been justified.
To satisfy Category 3 requirements, designers typically use redundant sets of components. But a knowledgeable designer and auditor will both know that simple redundancy may not be sufficient to meet Category 3. Detection of a fault at or before the next demand on the safety system is often reasonably practicable. Selecting and implementing components that allow monitoring techniques to be applied often accomplishes this.
Energy takes many forms; it is not limited to electricity. Many machines also use pneumatic and hydraulic energy. Others may use lasers. Still others may utilize mechanical energy by way of springs, levers, or gravity.
When access is needed to a machine for maintenance, adjustment, or repair, two approaches to control the energy driving it are available. One method is to turn off and lock out all energy sources. However, this method does not allow proficient use of a machine when frequent access is needed.
Under certain conditions, the second method allows access to the machine through safeguarding devices. Careful design using this method can make it possible to perform many operations safely on an energized machine. For example, the machine’s motions might be restricted to a slow speed, or access might be provided to only part of the machine while other parts keep operating.
The control of hazardous energy leads to another set of questions the auditor must ask:
• Is such access routine, repetitive, and integral to the production process;
• Is such access short in duration;
• Does access require disassembly and tools; and,
• Is the task performed for operation, set-up, or maintenance.
Answers to these and similar questions help the auditor determine whether safeguarding can be used or whether energy sources must be locked out.
A valuable resource
While designing safer machines is the ultimate goal, designers sometimes do not know which of the wide range of standards may apply. They may also struggle to understand how to apply a specific standard. A plethora of standards exist today, and changes in technologies are driving more complexity into standards. While designers strive to keep up with technologies, auditors must focus on keeping up with standards. A knowledgeable and experienced auditor can provide a unique and valuable service by helping machine designers stay abreast of the latest changes in standards.
Like many things in life, focus is the key. Whether you’re studying an optical illusion or conducting a machine safety audit, you must look for hidden, underlying elements before you can see the whole picture. And, seeing the whole picture makes all the difference.
Example of a Category 3 interlock system
In the simple schematic shown, opening either one of the guards causes the motor to stop. One tongue-operated interlock switch using a redundant set of contacts serves as input device to detect if the guard is open. Interlocks are connected to a monitoring safety relay, which serves as the logic and checking device (only one channel must open to initiate a stop, but both channels must open and close to restart the motor). Two contactors serve as output devices. The status of the contactors is fed back into the monitoring device for fault detection. The monitoring safety relay performs internal fault detection.
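The behaviour just described, and the earlier point that simple redundancy alone may not satisfy Category 3, can be exercised in a small simulation. This is an added example, not part of the original article or any vendor's relay logic; the names `SafetyRelay`, `Contactor` and `scan` are hypothetical, and it assumes that a contactor can only weld while carrying load and that power-up counts as both channels having opened.

```python
from dataclasses import dataclass

@dataclass
class Contactor:
    welded: bool = False   # injected fault: power contacts stuck closed
    closed: bool = False
    def drive(self, energize: bool) -> None:
        self.closed = energize or self.welded

class SafetyRelay:  # logic and checking device: two input channels, two contactors
    def __init__(self, monitored: bool = True):
        self.monitored = monitored        # False models plain redundancy, no checking
        self.k1, self.k2 = Contactor(), Contactor()
        self.on, self.fault = False, None
        self.saw_open = [True, True]      # assumption: power-up counts as "opened"

    def motor_powered(self) -> bool:
        return self.k1.closed and self.k2.closed   # series: one open contactor stops it

    def scan(self, ch1: bool, ch2: bool, reset: bool = False) -> bool:
        """One logic pass; ch1/ch2 True means interlock contact closed (guard shut)."""
        for i, closed in enumerate((ch1, ch2)):
            self.saw_open[i] = self.saw_open[i] or not closed
        if not (ch1 and ch2):
            self.on = False               # a single open channel initiates the stop
        elif reset and not self.on:
            if self.monitored and not all(self.saw_open):
                self.fault = "input channel did not open"
            elif self.monitored and (self.k1.closed or self.k2.closed):
                self.fault = "contactor feedback: contacts did not drop out"
            else:
                self.on, self.saw_open = True, [False, False]
        self.k1.drive(self.on)
        self.k2.drive(self.on)
        return self.motor_powered()

def weld_then_second_weld(monitored: bool):
    """K1 welds, the guard cycles, then K2 welds only if the motor restarted."""
    r = SafetyRelay(monitored)
    r.scan(True, True, reset=True)            # normal start
    r.k1.welded = True                        # first fault (constructed)
    first_stop_ok = not r.scan(False, False)  # guard opened: K2 alone stops the motor
    if r.scan(True, True, reset=True):        # guard shut, restart requested
        r.k2.welded = True                    # second fault can only form under load
    return first_stop_ok, r.scan(False, False), r.fault

def stuck_input_channel():  # channel 2 fails closed; channel 1 still opens
    r = SafetyRelay()
    r.scan(True, True, reset=True)
    stopped = not r.scan(False, True)
    return stopped, r.scan(True, True, reset=True), r.fault
```

Each function returns whether the first stop worked, whether the motor is powered afterwards, and the latched fault. With monitoring off, the first weld goes unnoticed and the second leaves the motor powered with the guard open.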
On paper, the circuit appears to meet the requirements of Category 3. Dual channel signals from the tongue switch feed the monitoring safety relay. The safety relay turns off a redundant pair of contactors to remove power to the motor. The safety relay performs reasonably practical monitoring. The discerning auditor will know the limitations of the tongue interlock switch. The tongue switch has a single actuator, and some single internal components that drive the contacts open. Use of a single interlock must be accomplished by using the principle of fault exclusion, and fault exclusion can only be claimed with a proper technical justification. The auditor’s checklist might look like this:
• How does the design address misalignment over the life of the switch;
• What is the strength of the mounting hardware;
• What prevents the gate from opening and closing too fast; and,
• Have mechanical stops been used to prevent the gate from slamming into the interlock.
Figure: Opening either of the guards protecting operators causes the motor to stop.
Steve Dukich is a senior commercial engineer, and Mike Duta, PE, is manager of machine safety services at Rockwell Automation. Contact them through Andrea Hazard at email@example.com.