Safety For Your Machine Operator
Introduction
Safety systems and methodologies for automated equipment are governed by industrial standards that have
been proven globally and only recently been fully implemented in North America. New ANSI safety
standards teach methodologies that have been in use in the European community for years. This
article teaches prevalent safeguarding methods used in the North American industrial automation
and assembly environment under today’s latest safety standards. As an introduction to these
safeguarding methods, we will first review the North American safety standards that teach us
safeguarding selection, criteria and implementation.
The New Standard for Safety
For the most up to date safety standard methodologies, we look to ANSI/RIA R15.06 “American
National Standard for Industrial Robots and Robot Systems – Safety Requirements.” These
safety techniques closely approximate the European and Japanese standards for implementation
of safety systems. ANSI/RIA R15.06 also teaches the global approach for safety systems.
Safety standards place the responsibility for safety of machine systems on the manufacturer,
integrators, installers, and the users of the machine system. It is the user’s responsibility to
ensure that machine operators have proper training and that all safeguards are implemented
properly and working as intended.
The Risk Assessment Process
Machinery poses various types of hazards. Hazards inherent in the machinery must be identified
well in advance during safety studies conducted at the design stage. This process of identifying
risk is called risk assessment. Safeguarding selection and criteria are taught in ANSI/RIA R15.06
Clause 9 while the risk assessment methodology itself is shown in Annex C of the standard. The
similarities between the risk assessment methodology used according to the European
standards, and the methodologies defined in the ANSI/RIA R15.06 standards are remarkable.
ANSI/RIA R15.06 first looks at risk estimation, then risk reduction determination, followed by
safeguard selection, and then finally selection validation.
ANSI/RIA R15.06 instructs designers to examine every task of the machine and to associate any
and all possible hazards that may be related to each given task. A machine task can have
multiple hazards associated with it. For each task-hazard combination, the designer must
evaluate the danger to the machine operator (or anyone else) that the task-hazard combination
poses. Severity of the resultant injury, the amount of exposure to the hazard, and the ability for
the operator to avoid the hazard are all taken into consideration.
Risk Reduction Categories
After such time, each task-hazard is considered for a risk reduction category. These categories
determine the type and level of safeguarding that is required to protect the operator from machine
hazards. Risk reduction categories are R1, R2, R3, and R4, with R1 being the most dangerous
category. Safeguarding selection then takes place based upon risk reduction category. For
example, R1, the most dangerous of risk reduction categories, requires a “control reliable” safety
system and either hazard elimination or substitution to lower the operator’s exposure.
Safety systems and circuitry designed to today’s safety standard for “Control Reliability” must be
designed, constructed and applied such that any single component failure will not prevent the
normal stopping action of the machine. This is achieved through the implementation of a dual
channel control system with a monitoring function. That is to say, the safety system is a two-channel,
redundant circuit. The circuit also has an interlock function and a provision for the ability
to self-check.
Control Reliability
What does this mean? If a control reliable safety system experiences a detectable fault, it will
immediately shut down the dangerous aspects of the machine. If the safety system does not
detect the fault in question, the safety system will still perform its intended function, that is, to stop
the machine on the next demand of the safety function. Think of it as one safety channel of the
dual channel failing and the other channel still performing its safety function. The self-checking or
monitoring function of the safety control circuitry prevents a successive machine cycle from
occurring under a fault condition. This means that the machine operator will not be allowed to run
the system unless the safety circuit is in complete working order. In a control reliable safety
system, the self-checking function of the circuit occurs on system start up and at each demand of
safety from the machine operator.
In the general sense, we find control reliable circuit performance is required in safety systems that
protect against hazards that could result in serious injuries to personnel. Serious injuries are
injuries that require hospitalization or are normally irreversible or could result in the death of the
operator.
Safety Rated Relays
It is also interesting to note that under the provisions of ANSI B11.1990 – 5.5.1, redundant
safety systems (for example, a control reliable system) that require the usage of relays must use
relays that have a positive relationship between the Normally Open (NO) contacts and the
Normally Closed (NC) contacts. Omron calls this feature force guided safety contacts.
Force guided safety relays work as follows: if at least one normally open contact becomes
welded, all normally closed contacts maintain a gap of at least 0.5 mm when the coil is
de-energized. Likewise, if a normally closed contact is welded, all normally open contacts
maintain a gap of at least 0.5 mm in the coil-energized mode. This is in accordance with the
European Norm safety standard EN50205. Relays that are safety rated will display this symbol.
Keep in mind that predictable performance of hardware under fault conditions is one way we can
reliably design safety circuits. This requirement created the interlock dual channel safety system.
An interlocked circuit ensures that under a fault condition, the safety circuit goes into a lock-out
condition until the fault is cleared or corrected.
Single Channel with Monitoring
Another circuit performance criterion worth examining is one aspect of the risk reduction
category R2. Risk reduction category R2 demands that engineering controls be implemented to
prevent operator access to the hazard or requires a stopping of the hazard before operator
exposure to such. We find that R2 has a provision within it called R2B which describes a “Single
Channel with Monitoring” circuit performance.
This is significant because, generally, single channel with monitoring circuitry is used to protect
personnel from hazards that might result in slight injuries. Slight injuries are injuries that do not
require hospitalization and can be treated with the plant’s first-aid kit. For actual safety circuit
performance requirements for risk reduction methodologies always consult the appropriate safety
standards first.
Safety circuits designed to meet today’s standards for the requirements of single channel with
monitoring must be hardware based, include components that have been safety rated, and shall
be checked preferably automatically at suitable intervals. Typically, suitable intervals are
considered at machine start-up and on each demand of the safety function.
Safeguard Selection
After risk assessment and risk reduction have been evaluated, it is time to choose the safeguard.
Some risk reductions require safeguarding through hazard elimination. This is an example where
the machine operator and hazard will never meet. Liken it to a man on a motorcycle on a street
that crosses paths with railroad tracks. To eliminate any potential hazard to the cyclist, a tunnel
under the tracks can be built for the road so that the cyclist could never encounter the train. The
hazard is still there, but the danger is eliminated.
A far more common scenario is to take protective measures in relationship to the risks that cannot
be eliminated entirely. That is to say, it may be impractical to dig tunnels at each railroad
crossing and therefore, it becomes necessary to implement a different protective measure. A
moving gate that blocks the road from the railroad tracks is possible. A proper implementation of
the safety circuitry for this physical safeguard uses a control reliable safety circuit, no doubt.
In machine design and automation, protective barriers can be fixed enclosed guards (perhaps
key-locked into position). Other examples are moveable interlocked guards, like slide or hinged
safety guard doors with safety switches that detect the door’s current position. Presence sensing
devices such as two-hand control systems and safety light curtains can be used to detect operator
position.
One of the lowest level safety implementations is the posting of signs, not unlike those on lonely
country roads that cross remote train tracks and that sport nothing more than a warning sign. It’s
dangerous, but if cyclists are properly trained, train accidents can be avoided. The same is true
in automation; the training of the proper operation of the machine usage and posted signs are
considered safety measures. Let’s take a look at prevalent safeguarding methods used in the
North American industrial automation and assembly.
Protective Devices
Safety Mats
In some industrial environments, you can find multiple machine operators and other open-air
hazards like those found in robotic work cells. Photo-eye detectors are often physically
obstructed from seeing the complete field of view in the hazardous area. Undetected machine
operators or maintenance personnel that work in automated cells can be exposed to the
articulated robot arm, which at times can move at high speeds. When these conditions appear,
safety system designers look towards the safety mat solution.
Safety mats are pressure sensing floor coverings that typically perform dual channel functionality
for personnel detection near hazardous equipment. A safety mat uses two conductive plates that
are separated by a non-conductive compressible insulator. The two conductive plates contact
each other when a specified pressure is applied to the separator. Safety mat standards use
minimum weight and size requirements to standardize mat behavior. Because of their limited
detection ability and slower response times, safety mats are typically used in conjunction with other
safety devices or protective measures.
The true advantages of safety mats are that they are not an obstruction to the operator, like a
protective hard guard, and so they do not slow down operator cycle times. Also, they offer
protection for multiple machine operators. If one operator is in the hazardous area of the
machine, an operator outside the hazardous area will not be able to restart the system due to the
safety mat overriding the machine actuators. Lastly, due to the various shapes and sizes of the
safety mats themselves, they can be placed side by side, linked up together for a complete safety
grid with no “dead” or non-detection areas.
Emergency stop circuits, called “e-stops,” are one of the most common safety systems found in
automation today. E-stop buttons should be found at each personnel station that handles
machine operations. Take for example, a chip-mounting machine with multiple user hard guard
and entry points. E-stops should be located within reach of any position where an operator is
exposed to a machine pinch point. E-stop circuitry must be fully compliant with the NFPA 79
code, which requires that all machine functions be overridden, all moving parts stopped, and
drive power removed from the machine’s actuators.
The safety requirements for e-stop pushbuttons are that they must be red in color with a yellow
background and be unguarded. Also, the pushbutton shape must be the palm or mushroom head
type. The e-stop button itself must be of the manual reset variety and must be installed such
that resetting the button will not initiate a restart of the machine. The restart must be achieved
through an independent start button located outside of the hazardous area.
The diagram shows a control reliable e-stop circuit. The red e-stop pushbutton has two
redundant safety outputs that feed into a safety relay unit with force-guided relays. The relay unit
performs an interlock function that ensures that successive demands upon the safety circuit are
not continued under fault conditions. The safety relay unit has multiple safety outputs that shut
down safety contactors that are wired in series that in turn, shut power down to the machine
motor. The circuit features a feedback loop wired through the external contacts of the safety
contactor into the safety relay unit’s third input channel. This is commonly known as the safety
circuit’s monitoring channel. The start/restart button is wired in series with the feedback loop.
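As an added illustration (not code from the article or from any safety relay vendor), the following Python model simulates the control-reliable e-stop circuit just described and the fault behaviour covered under Control Reliability: two e-stop channels, a safety relay unit whose third input reads the contactors' force-guided NC auxiliary contacts in series with the start button, and two contactors in series feeding the motor. The welded contactor and the channel discrepancy are constructed faults, and the response logic is a simplified model, not any specific product's.

```python
from dataclasses import dataclass, field

@dataclass
class Contactor:
    """Safety contactor with a force-guided NC auxiliary (mirror) contact."""
    energized: bool = False
    welded: bool = False  # constructed fault: main contacts stuck closed

    def main_closed(self) -> bool:
        return self.energized or self.welded

    def aux_nc_closed(self) -> bool:
        return not self.main_closed()  # closes only when mains are truly open


@dataclass
class SafetyRelayUnit:
    """Dual-channel safety relay unit with a third, monitoring channel."""
    k1: Contactor = field(default_factory=Contactor)
    k2: Contactor = field(default_factory=Contactor)
    locked_out: bool = False
    outputs_on: bool = False

    def feedback_loop_closed(self) -> bool:
        # Both NC aux contacts, in series with the start button, feed input 3.
        return self.k1.aux_nc_closed() and self.k2.aux_nc_closed()

    def motor_has_power(self) -> bool:
        # Contactors in series: one open contactor is enough to stop the motor.
        return self.k1.main_closed() and self.k2.main_closed()

    def evaluate(self, ch1: bool, ch2: bool, start_pressed: bool = False) -> bool:
        """One scan of the two e-stop contacts (True = closed); returns motor power."""
        if ch1 != ch2:
            self.locked_out = True   # channels disagree: detectable fault
        elif not ch1:
            self.locked_out = False  # both opened together: fault cleared
        if not (ch1 and ch2) or self.locked_out:
            self._set_outputs(False)  # demand or lock-out: drop out
        elif not self.outputs_on and start_pressed and self.feedback_loop_closed():
            # Restart needs the independent start button AND proof via the
            # feedback loop that both contactors really released.
            self._set_outputs(True)
        return self.motor_has_power()

    def _set_outputs(self, on: bool) -> None:
        self.outputs_on = self.k1.energized = self.k2.energized = on


def welded_contactor_scenario() -> list:
    """Constructed fault: K1 welds closed while running; K2 still stops the motor."""
    unit = SafetyRelayUnit()
    steps = [unit.evaluate(True, True, start_pressed=True)]    # normal start
    unit.k1.welded = True
    steps.append(unit.evaluate(False, False))                    # e-stop pressed
    steps.append(unit.evaluate(True, True, start_pressed=True))  # restart refused
    return steps  # [True, False, False]


def channel_discrepancy_scenario() -> list:
    """Constructed fault: channel 2 opens while channel 1 stays closed."""
    unit = SafetyRelayUnit()
    steps = [unit.evaluate(True, True, start_pressed=True)]    # normal start
    steps.append(unit.evaluate(True, False))                     # discrepancy
    steps.append(unit.evaluate(True, True, start_pressed=True))  # still locked out
    steps.append(unit.evaluate(False, False))                    # both open: cleared
    steps.append(unit.evaluate(True, True))                      # release alone: no restart
    steps.append(unit.evaluate(True, True, start_pressed=True))  # normal restart
    return steps  # [True, False, False, False, False, True]
```

In the welded case the motor still stops on demand because the second contactor opens, and the open feedback loop then refuses every restart until the fault is repaired.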
Safety door interlock switches physically monitor the position of hard barriers. For example,
at a consumer electronics company, we had an operator who had the misfortune of being on
the wrong end of a plastics screw during a sub-assembly operation involving an automated
screw gun and the product’s lower enclosure. Although she was all right after a brief trip to the
hospital, it became obvious that some thought should have been placed in this simple
but hazardous operation. The screw machine was enclosed and the sub-assembly operator was
required to engage a hard guard into the closed position before the screwing operation could take
place.
A safety door interlock switch was used for hard guard position detection. The hard guard is
affixed with a special tamper-proof actuation key while the safety door interlock switch features
the mating insertion head. Some safety door interlock switches feature a solenoid that can
capture the tamper-proof key so that the hard guard cannot be opened until a machine safety state
has been achieved. In any case, safety door interlock switches feature “positive opening” internal
switch mechanisms that ensure switch contacts open whenever the safety switch is actuated.
Safety standards require that physical barriers be constructed such that they can withstand the
operational and environmental conditions of the machine. Also, they must be free of sharp edges
and projections so that they themselves do not create further hazard. Safety door interlock
switches must have a plug or key that cannot be easily duplicated. They must be tamper
resistant to the point that they cannot be intentionally defeated without the use of tools.
The disadvantage to the hard guard and safety door interlock switch solution is the additional time
that is required for the operator to open and shut the door. In repetitive operations, this could
potentially add up to a lot of production time. On the other hand, a physical barrier that separates
the machine operator from the hazardous condition is a low cost and effective safety solution. It
is for these reasons that hard guarding is one of the most popular safety measures taken.
Two hand control systems operate under the principle that if a machine operator’s hands are
occupied during hazardous machine cycles, the machine operator will be free from the hazard.
For example, there is a pressing (forming) application in the manufacture of custom thin sheet
shields for printed circuit boards. The machine in question requires the operator to load the tool
with a small piece of shielding material and place his hands upon two separate safety palm
buttons. If the two palm buttons are depressed together, the operator’s hands are considered to
be free of the press, and the machine performs the forming of the shield.
Safety standards require that two hand control systems be designed such that they prevent
accidental or unintentional operation of the machine. Also, the operator’s hand controls must be
arranged by construction or separation to require the use of both hands within 500ms (1/2
second) to cycle the system. Furthermore, the system must be designed to require the release of
the operator’s hand controls and a re-activation of the operator’s hand controls before an
additional machine cycle can be initiated. Lastly, a stopping operation must be issued if one or
both of the operator’s hands are removed from the controls during the hazardous portion of the
machine cycle.
Two hand control systems have the advantage of typically increasing the machine cycle and
operator inaction time. The main disadvantage in these systems is that they present a stronger
urge for operator circumvention in order to achieve higher throughput. In either case, today’s two
hand control systems are fairly robust and at best difficult to defeat.
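An added example (not from the article) of the timing, anti-tie-down and release-before-repeat rules above, written as a small Python state machine fed with sampled button states. The 500 ms synchronous window is from the text; the 800 ms hazardous portion and the button event samples are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SYNC_WINDOW_MS = 500  # both hands must actuate within 1/2 second


@dataclass
class TwoHandControl:
    """Two-hand control with synchronous actuation, anti-tie-down and anti-repeat."""
    hazard_ms: int = 800               # constructed: hazardous part of the cycle
    left_down: Optional[int] = None    # time each button was pressed, if held
    right_down: Optional[int] = None
    cycle_start: Optional[int] = None
    rearmed: bool = True               # both buttons released since last cycle

    def update(self, t_ms: int, left: bool, right: bool) -> str:
        """Feed the button states at time t_ms; returns the machine state."""
        self.left_down = self._edge(self.left_down, left, t_ms)
        self.right_down = self._edge(self.right_down, right, t_ms)
        if self.cycle_start is not None:
            if not (left and right):
                self.cycle_start = None        # a hand left the controls during
                return "stopped"               # the hazardous portion: stop
            if t_ms - self.cycle_start >= self.hazard_ms:
                self.cycle_start = None
                return "complete"
            return "running"
        if not left and not right:
            self.rearmed = True                # anti-repeat: release both first
            return "idle"
        if (left and right and self.rearmed
                and abs(self.left_down - self.right_down) <= SYNC_WINDOW_MS):
            self.cycle_start = t_ms
            self.rearmed = False
            return "running"
        return "idle"  # one hand only, a tied-down button, or not re-armed

    @staticmethod
    def _edge(since: Optional[int], pressed: bool, t_ms: int) -> Optional[int]:
        if not pressed:
            return None
        return t_ms if since is None else since


def run(events) -> list:
    """events: constructed (time_ms, left_pressed, right_pressed) samples."""
    ctrl = TwoHandControl()
    return [ctrl.update(t, l, r) for t, l, r in events]


def concurrent_press() -> list:
    # Hands arrive 300 ms apart, inside the window: the cycle runs to completion.
    return run([(0, True, False), (300, True, True), (500, True, True),
                (1200, True, True), (1300, False, False)])


def tied_down_button() -> list:
    # Left button taped down at t=0, right pressed 2 s later: no cycle ever starts.
    return run([(0, True, False), (2000, True, True), (2100, True, True)])


def hand_removed_mid_cycle() -> list:
    # Releasing one hand during the hazardous portion stops the machine; a new
    # cycle needs both hands released and then re-applied together.
    return run([(0, True, True), (200, True, False), (300, True, True),
                (400, False, False), (500, True, True)])
```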
By far, the most popular method of safeguarding comes in the form of the safety light curtain.
Safety light curtains use photo-eye technology and control reliable internal circuitry to provide the
utmost in safety protection. Safety standards dictate that safety light curtains must only be of the
through-beam variety, which means that safety light curtains are available in emitter-receiver
pairs.
Let’s look at a pick and place machine that has open access to the internal arm mechanisms for
maintenance purposes. The machine designers included the expected e-stop circuitry at the
point of operation-machine interface. However, what should happen if maintenance personnel
were working to clear a jam on the other side of the machine? An accidental machine start
could cause the person to get caught by the articulated pick and place arm and he would be
unable to reach across the machine to activate the e-stop button.
The solution is a safety light curtain that monitors access to the machine’s internal and hazardous
area. As long as maintenance personnel are reaching into the machine through the safety light
curtain monitored area, the machine will act as if an e-stop has been initiated. Safety light
curtains are commonly used in a “restart” interlock mode which means once the safety light
curtain beams have been broken (i.e. object detection), a lock out is initiated and the machine
cannot be restarted until all obstructions have been removed from the sensing area. The
machine start button is located out of the hazardous area for machine restart.
Safety standards dictate that safety light curtains must be labeled with maximum response time
and maximum angle of divergence (that is, the emitter beam pattern). Also, protective height and
minimum object sensitivity must be labeled. Safety light curtain response times are a factor in
determining how close the curtain can be placed to the point of hazard. Minimum object
sensitivity tells the machine design and operator what the largest object is that can possibly pass
through the sensing field undetected.
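As an added example not from the article, the following Python function applies the safety distance formula from ANSI B11.19 / OSHA 1910.217, Ds = K(Ts + Tc + Tr + Tbm) + Dpf with K = 63 in/s and Dpf = 3.4 x (S - 0.276) in, which is where the curtain's labeled response time and minimum object sensitivity enter the placement calculation. The formula and constants are my assumption from those standards, not the article's; the press timings and the two candidate curtains are constructed.

```python
# Hand-speed constant (assumed from ANSI B11.19 / OSHA 1910.217), inch units.
HAND_SPEED_IN_PER_S = 63.0


def depth_penetration_factor(min_object_sensitivity_in: float) -> float:
    """Dpf = 3.4 x (S - 0.276): how far a finger or hand can already be past the
    sensing field before an object of size S is guaranteed to be detected."""
    return max(0.0, 3.4 * (min_object_sensitivity_in - 0.276))


def safety_distance_in(stop_time_s: float, control_time_s: float,
                       curtain_response_s: float, brake_monitor_s: float,
                       min_object_sensitivity_in: float) -> float:
    """Ds = K(Ts + Tc + Tr + Tbm) + Dpf: minimum distance from the curtain's
    sensing field to the nearest point of hazard (pinch point)."""
    total_stop_s = (stop_time_s + control_time_s
                    + curtain_response_s + brake_monitor_s)
    return (HAND_SPEED_IN_PER_S * total_stop_s
            + depth_penetration_factor(min_object_sensitivity_in))


def compare_curtains() -> dict:
    """Constructed press: Ts = 100 ms, Tc = 20 ms, Tbm = 10 ms, with two
    candidate curtains differing in labeled response time and sensitivity."""
    press = dict(stop_time_s=0.100, control_time_s=0.020, brake_monitor_s=0.010)
    return {
        # 14 mm (0.55 in) finger detection, 15 ms response
        "finger_14mm_fast": safety_distance_in(
            curtain_response_s=0.015, min_object_sensitivity_in=0.55, **press),
        # 30 mm (1.18 in) hand detection, 40 ms response
        "hand_30mm_slow": safety_distance_in(
            curtain_response_s=0.040, min_object_sensitivity_in=1.18, **press),
    }
```

The slower, coarser curtain must sit roughly 3.7 in further from the pinch point, which is exactly why the standards require both values to be on the label.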
Safety light curtains come in two varieties, Type 4 and Type 2. Type 4 safety light curtains are
used in control reliable safety systems. These safety light curtains feature dual redundant
microprocessors and, typically, a provision for monitoring the condition of the safety contactor’s
auxiliary contacts. Typically, these Type 4 safety light curtains are used to protect personnel from
hazards that can result in serious injuries. For example, in a mechanized point of operation
stamping application, the open area can expose the operator to large forces. A Type 4 safety
light curtain guarding the open area will stop the stamping before an operator’s fingers can be
caught in a pinch point.
Type 2 safety light curtains are used in single channel with monitoring safety systems. These
safety light curtains feature one microprocessor, two safety outputs, and a provision for
monitoring the condition of the safety contactor’s auxiliary contacts. Take for example an
enclosed articulated robotic arm that moves PCB material from a conveyor system into a curing
application. The enclosure has its own independent safety system that may be rated for control
reliability. The conveyor system only poses a hazard that might result in slight injury to
personnel.
In this case, one safeguard is a protective fence that surrounds the machine to prevent personnel
approach from the conveyor area. The open area of the fencing and the front of the enclosed
machine themselves do not present a great hazard to personnel, but detection is still desired due
to the hazard presented by the conveyor system. In this case a Type 2 safety light curtain is
placed at the point of operator entrance to detect whenever someone approaches the enclosed
machine and conveyor system combination.
After the safeguards have been put into place, the task-hazard combinations must undergo the
risk assessment process again and must be re-evaluated for residual risk. If the remaining risk is
at tolerable levels, the risk assessment process comes to an end. Tolerable risk is the amount of
risk that a normal person is said to accept. This concept is quantified in the safety standards and
is a combination of the type of injury, time of exposure, and possibility of avoidance of any given
hazard.
In this article, we covered the basic concepts of the risk assessment process and prevalent
safeguarding techniques. If you are interested in the safety process and the standards that are
specific to your machine design, feel free to contact the American National Standards Institute
(ANSI) at web.ansi.org for the appropriate machine safety standards.