Getting a complete picture from an optical illusion requires careful study and thoughtful examination — not a quick glance or cursory once-over. A machine safety audit requires this same depth and intensity of focus. If you don’t take time to analyze and study the entire picture, you’re likely to miss important details.
Auditing is the comparison of an existing condition to a desired condition. Health and safety standards set the minimum requirements for the desired condition. Numerous standards exist, but not all apply to every machine. This makes the auditing process challenging.
Machine safety auditors must, therefore, be familiar with the appropriate standards. But, which are appropriate? Certainly, the laws of each country set the basic requirements. In the United States, the Occupational Safety and Health Administration (OSHA) has set out the basic requirements for machine safety. These standards are found in Title 29 of the Code of Federal Regulations. Other countries have similar organizations and regulations. In addition to OSHA, many standards development organizations have developed consensus standards to help make industry a safer environment. For example, the National Fire Protection Association (NFPA) publishes NFPA 79, the electrical standard for industrial machinery. Machine auditors in the United States must use this standard. Another widely used standard in the United States is the American National Standards Institute (ANSI) ANSI Z535, which focuses on warning labels and signs. A few of the many standards that exist for specific machines are ANSI B11.1 for mechanical power presses, ANSI B155.1 for packaging machines and ANSI RIA R15.06 for robots. The challenge for a machine auditor is twofold: know which standards apply and understand what each standard requires.
A machine safety audit is a special type of audit. Its scope is limited to one machine rather than looking at a group of machines or a company’s safety program. One of the best ways to prepare for an audit is to have a checklist of questions. Many questions asked during a machine safety audit can be applied to many types of machines. Most, if not all, machines require electricity to operate; therefore, NFPA 79 (or its local equivalent) applies. For those machines built to specific standards, a machine-specific addendum should be attached to the checklist.
The depth of an audit is based on its objectives and the amount of information available. Typical safety system audits verify that the safety system is designed and installed to perform to some level of reliability and to meet functional performance requirements.
Governing bodies, consensus standards or the risk assessment that has been completed on the machine determine the level of safety system reliability needed. Consensus standards and the hazard control concepts selected from the results of the risk assessment are what define the functional performance requirements. A comprehensive audit evaluation of the safety system includes the evaluation of the safeguarding devices and the safety control logic.
The more common machine safety audit questions shown below aren’t intended to be a complete list for completing an audit satisfactorily. The audit process starts with gathering information. During the walk-through, the auditor needs a reference for comparison. Does the machine have a documented procedure that identifies the following:
- Warning symbols and signs
- Operating tasks
- Procedure for clearing jams
- Cleaning tasks
- Maintenance tasks
- Tasks requiring lockout/tagout
- The lockout/tagout procedure
Does a risk assessment document identify the following:
- The modes of operation
- A Task/Hazard Field Log
- Selected safeguarding techniques for each hazard
- Circuit performance requirement for each safeguard
If procedures exist, the auditor should become familiar with the steps and attempt to follow them during the machine walk-through. The documented risk assessment should identify the machine’s hazards as well as its safeguards and safety circuit architecture. The operating procedures for older machines might be missing or out of date, and risk assessments might not have been performed. In these cases, the operating procedures are communicated by word of mouth from worker to worker. This leaves much room for improvising, and workers will tend to streamline the process without necessarily following the requirements for safer machine operation.
The plant engineer and operators might find an audit to be stressful. Putting them at ease is critical because openness and trust make audits more effective. The auditor should make proper introductions and briefly explain the auditing process.
The machine walk-through can begin after the participants don appropriate personal protective equipment. Using a series of open-ended questions, the auditor encourages the machine operator to explain how the tasks are performed in practice, not necessarily how they should be performed. During the walk-through, the auditor must observe the ways in which the operator is protected during the tasks and ask questions regarding what could go wrong during the machine cycle. Some of the questions the auditor must ask include:
- Are the guards adequately secured to the floor or machine?
- Can the operator reach around, over, under or through the safeguards?
- Do the guards meet the appropriate spacing requirements?
- When accessing the machine through a safeguard (e.g., a door or light curtain), can the operator reach the hazard before it is neutralized?
- Are spare actuators available to bypass the interlocks? How are these controlled to prevent misuse?
- Are warning signs present and prominently displayed?
- Are controls, pushbuttons, switches and panels clearly marked?
- Is the span of control of e-stop buttons obvious or labeled?
One of the more challenging aspects of a machine safety audit is understanding the intricacies of the control system. This is why a pre-audit risk assessment serves as a vital tool by helping identify potential hazards and defining specific safety functional requirements. To audit the control system effectively, the auditor must be able to look at the risk assessment and answer core questions, such as:
- Are the safety functions clearly defined and understood?
- What are the energy sources associated with the hazard?
- What mode of operation is the machine in when the employee is exposed to the hazard?
- What risk-reduction techniques control the hazard?
- What safety circuit architecture was used for the safeguard?
Figure 1. The auditor started by examining possible problems that occur on the output side.
Let’s say, for example, the risk assessment determined that a specific safety function on the machine must meet Category 3 in accordance with EN 954-1 (also published as ISO 13849-1:1999). This means the control system’s safety-related parts must perform the safety function in the presence of a single fault. In addition, safety principles must be applied to the control system. The architectural block diagram for Category 3 is shown in Figure 1.
Path of error
The auditor’s checklist for Category 3 might look like this:
- Do the components meet the requirements of Category B (withstand their expected operating stresses)?
- Are well-tried safety principles used?
- Can a single fault lead to the loss of the safety function?
- Is detection of the fault at or before the next demand of the safety function reasonably practical?
- Have common mode faults been considered?
- Have excluded faults been justified?
To conform to Category 3, designers typically use redundant components. But knowledgeable designers and auditors know that simple redundancy might not be sufficient to meet Category 3 requirements. Fault detection at or before the next demand on the safety system often is reasonably practical. The selection and implementation of components that allow monitoring techniques to be applied often accomplishes this.
A closer look
In the simple schematic (Figure 2), opening either of the guards disables the motor. One tongue-operated interlock switch with a redundant set of contacts is the input device to detect the opening of the guard. The interlocks are connected to a monitoring safety relay, which serves as the logic and checking device (only one channel must open to initiate a stop, but both channels must open and close to restart the motor). Two contactors serve as the output devices. Contactor status is fed back into the monitoring device for fault detection. The monitoring safety relay performs internal fault detection.
Figure 2. The auditor will focus on the interlock switch limitations.
On paper, the circuit appears to meet the Category 3 requirements. Dual-channel signals from the tongue switch feed the monitoring safety relay. The safety relay turns off a redundant pair of contactors to remove power from the motor. The safety relay performs the reasonably practical monitoring. The discerning auditor, however, knows about tongue interlock switch limitations. The tongue switch has a single actuator and some single internal components that drive the contacts open. Use of a single interlock must derive from the principle of fault exclusion, and fault exclusion can be claimed only with a proper technical justification.
The auditor’s checklist might look like this:
- How does the design address misalignment during the life of the switch?
- What is the strength of the mounting hardware?
- What prevents the gate from opening and closing too fast?
- Have mechanical stops been used to prevent the gate from slamming into the interlock?
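The following sketch is an added example, not part of the original article and not any vendor's relay logic. It models the Figure 2 circuit as the text describes it and injects one fault at a time, showing that a stuck contact or a welded contactor is tolerated and detected while a failure of the shared tongue actuator is not. The channel and contactor names, the series wiring of the contactors and the fault flags are assumptions made for the illustration.

```python
# Added illustration: toy model of the Figure 2 guard circuit. Not vendor logic.
from dataclasses import dataclass, field

@dataclass
class GuardCircuit:
    stuck_closed: set = field(default_factory=set)  # contact channels that cannot open
    welded: set = field(default_factory=set)        # contactors that cannot drop out
    actuator_broken: bool = False   # shared tongue no longer drives either contact
    guard_closed: bool = True
    enabled: bool = False           # safety relay outputs energised
    saw_open: set = field(default_factory=set)      # channels seen open since last reset

    def channels(self):
        """Contact state per channel, True = closed."""
        held = self.guard_closed or self.actuator_broken
        return {ch: held or ch in self.stuck_closed for ch in ("ch1", "ch2")}

    def contactors(self):
        """Contactor state, True = main contacts closed."""
        return {k: self.enabled or k in self.welded for k in ("k1", "k2")}

    def motor_powered(self):
        return all(self.contactors().values())      # assumed: contactors wired in series

    def set_guard(self, closed):
        """Move the guard; one open channel is enough to drop the relay outputs."""
        self.guard_closed = closed
        opened = {ch for ch, is_closed in self.channels().items() if not is_closed}
        if opened:
            self.enabled = False
            self.saw_open |= opened
        return self.motor_powered()

    def reset(self):
        """Restart needs both channels cycled and feedback showing both contactors open."""
        ok = (self.saw_open == {"ch1", "ch2"} and all(self.channels().values())
              and not any(self.contactors().values()))
        if ok:
            self.enabled, self.saw_open = True, set()
        return ok

def demand_with_fault(**fault):
    """Start a healthy circuit, inject one fault, open the guard, then try to restart."""
    c = GuardCircuit()
    c.set_guard(False); c.set_guard(True); c.reset()
    for name, value in fault.items():
        setattr(c, name, value)
    stopped = not c.set_guard(False)
    c.set_guard(True)
    return stopped, c.reset()       # (motor stopped on demand?, restart permitted?)
```

Calling `demand_with_fault(actuator_broken=True)` is the case the checklist above targets: both channels stay closed together, so the redundancy and monitoring never see the guard open.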
Many types of energy sources
Energy takes many forms; it’s not limited to the electrical type. Many machines use pneumatic and hydraulic energy. Others might use lasers or mechanical energy in the form of springs, levers and gravity. There are two approaches to controlling the energy applied to a machine when a technician needs access to it. You can turn off and lock out the energy, but that’s not efficient when frequent access is needed. Under certain conditions, the second method allows access to the machine through safeguarding devices. The control of hazardous energy leads to another set of questions the auditor must ask:
- Is the access routine, repetitive and integral to the production process?
- Is the access short in duration?
- Does the access require disassembly and tools?
- Is the task performed for operation, set-up or maintenance?
Answers to these and similar questions help the auditor determine whether safeguarding can be used or whether the energy must be locked out.
A valuable resource
Safer machines are the ultimate goal, but designers sometimes don’t know which of the many standards might apply. They also might struggle to understand how to apply a specific standard. Many standards exist, and technological changes are driving complexity into them. Designers strive to keep up with technology, but an auditor must focus on keeping up with standards. A knowledgeable and experienced auditor can provide a valuable service by helping machine designers stay abreast of the latest changes in standards.
Like many things in life, focus is the key. Whether you’re studying an optical illusion or conducting a machine safety audit, you need to look for hidden, underlying elements before you can see the whole picture. And it’s the whole picture that makes all the difference.
Steve Dukich is senior application engineer and Mike Duta is manager of machine safety services at Rockwell Automation, Chelmsford, Mass. For more information, contact Tanja Bartulovic at (646) 440-4117.