Safety Strategy

From a purely functional point of view the more efficiently a machine performs its task of processing material then the better it is. But, in order for a machine to be viable it must also be safe. Indeed safety must be regarded as a prime consideration.

In order to devise a proper safety strategy there must be two key steps, which work together as shown in Figure 11.


1. RISK ASSESSMENT based on a clear understanding of the machine limits and functions and the tasks that may be required to be performed at the machine throughout its life.
2. RISK REDUCTION is then performed if necessary and safety measures are selected based on the information derived from the risk assessment stage.

Figure 11: Safety Strategy

The manner in which this is done is the basis of the SAFETY STRATEGY for the machine.

We need a checklist to follow and ensure that all aspects are considered, and that the overriding principle does not become lost in the detail. The whole process should be documented. Not only will this ensure a more thorough job, but it will also make the results available for checking by other parties.


This section applies both to machine manufacturers and to machine users. The manufacturer needs to ensure that his machine is capable of being used safely. The risk assessment should be started at the machine design phase and it should take account of all the foreseeable tasks that will need to be performed on the machine. This task-based approach in the early iterations of the risk assessment is very important. For example, there may be a regular need for adjustment of moving parts at the machine. At the design phase it should be possible to design in measures that will allow this process to be carried out safely. If it is missed at the early stage it may be difficult or impossible to implement at a later stage. The result could be that the adjustment of moving parts still has to be performed but must be done in a manner that is either unsafe or inefficient (or both). A machine on which all tasks have been taken account of during the risk assessment will be a safer machine and a more efficient machine.

The user (or employer) needs to ensure that the machines in their working environment are safe. Even if a machine has been declared safe by the manufacturer, the machine user should still perform a risk assessment to determine whether the equipment is safe in their environment. Machines are often used in circumstances unforeseen by the manufacturer. For example, a milling machine used in a school workshop will need additional considerations compared with one that is used in an industrial tool room.

It should also be remembered that if a user company acquires two or more independent machines and integrates them into one process, it becomes the manufacturer of the resulting combined machine.

So now let us consider the essential steps on the route to a proper safety strategy. The following can be applied to an existing factory installation or a single new machine.


Risk Assessment

It is wrong to regard risk assessment as a burden. It is a helpful process that provides vital information and empowers the user or designer to take logical decisions about ways of achieving safety.

There are various standards that cover this subject. ISO 14121: “Principles for risk assessment” and ISO 12100: “Safety of machinery – Basic principles” contain the most globally applied guidance.

Whichever technique is used to carry out a risk assessment, a cross functional team of people will usually produce a result with wider coverage and better balance than one individual.

Risk assessment is an iterative process; it will be performed at different stages of the machine life cycle. The information available will vary according to the stage of the life cycle. For example, a risk assessment conducted by a machine builder will have access to every detail of the machine mechanisms and construction materials but probably only an approximate assumption of the machine’s ultimate working environment. A risk assessment conducted by the machine user would not necessarily have access to the in-depth technical details but will have access to every detail of the machine’s working environment. Ideally the output of one iteration will be the input for the next iteration.


Machine Limit Determination

This involves collecting and analyzing information regarding the parts, mechanisms and functions of a machine. It will also be necessary to consider all the types of human task interaction with the machine and the environment in which the machine will operate. The objective is to get a clear understanding of the machine and its usage.

Where separate machines are linked together, either mechanically or by control systems, they should be considered as a single machine, unless they are “zoned” by appropriate protective measures.

It is important to consider all limits and stages of the life of a machine including installation, commissioning, maintenance, decommissioning, correct use and operation as well as the consequences of reasonably foreseeable misuse or malfunction.


Task and Hazard Identification

All the hazards at the machine must be identified and listed in terms of their nature and location. Types of hazard include crushing, shearing, entanglement, part ejection, fumes, radiation, toxic substances, heat, noise, etc.

The results of the task analysis should be compared with the results of the hazard identification. This will show where there is a possibility for the convergence of a hazard and a person, i.e. a hazardous situation. All the hazardous situations should be listed. The same hazard may produce different types of hazardous situation depending on the nature of the person or the task. For example, the presence of a highly skilled and trained maintenance technician may have different implications than the presence of an unskilled cleaner who has no knowledge of the machine. In this situation, if each case is listed and addressed separately it may be possible to justify different protective measures for the maintenance technician than the ones for the cleaner. If the cases are not listed and addressed separately then the worst case should be used, and the maintenance technician and the cleaner will both be covered by the same protective measure.

Sometimes it will be necessary to carry out a general risk assessment on an existing machine that already has protective measures fitted (e.g., a machine with dangerous moving parts protected by an interlocked guard door). The dangerous moving parts are a potential hazard that may become an actual hazard in the event of failure of the interlocking system. Unless that interlock system has already been validated (e.g., by risk assessment or design to an appropriate standard), its presence should not be taken into account.


Risk Estimation

This is one of the most fundamental aspects of risk assessment. There are many ways of tackling this subject and the following pages illustrate the basic principles.

Any machinery that has potential for hazardous situations presents a risk of a hazardous event (i.e. of harm). The greater the amount of risk, the more important it becomes to do something about it. At one hazard the risk could be so small that we can tolerate and accept it but at another hazard the risk could be so large that we need to go to extreme measures to protect against it. Therefore in order to make a decision on “if and what to do about the risk,” we need to be able to quantify it.

Risk is often thought of solely in terms of the severity of injury at an accident. Both the severity of potential harm AND the probability of its occurrence have to be taken into account in order to estimate the amount of risk present.

The suggestion for risk estimation given on the following pages is not advocated as the definitive method as individual circumstances may dictate a different approach. IT IS INTENDED ONLY AS A GENERAL GUIDELINE TO ENCOURAGE A METHODICAL AND DOCUMENTED STRUCTURE.

The point system used has not been calibrated for any particular type of application therefore it may not be suitable for some applications. At the time of publication of this catalog, ISO TR (Technical Report) 14121-2 “Risk assessment – Practical guidance and examples of methods” is being prepared. Hopefully this document will be available in late 2007 and it will provide much needed practical guidance.

The following information is intended to explain and illustrate the risk estimation section of the existing standard ISO 14121 "Principles for Risk Assessment."

The following factors are taken into account:

THE SEVERITY OF POTENTIAL INJURY.

THE PROBABILITY OF ITS OCCURRENCE.

The probability of occurrence includes two factors:

FREQUENCY OF EXPOSURE.

PROBABILITY OF INJURY.

Dealing with each factor independently we will assign values to each of these factors.

Make use of any data and expertise available to you. You are dealing with all stages of machine life, so to avoid too much complexity base your decisions on the worst case for each factor.

It is also important to retain common sense. Decisions need to take account of what is feasible, realistic and plausible. This is where a cross functional team approach is valuable.

Remember, for the purposes of this exercise you should usually not take account of any existing protective system. If this risk estimation shows that a protective system is required there are some methodologies as shown later in this chapter that can be used to determine the characteristics required.

1. Severity of potential injury

For this consideration we are presuming that the accident or incident has occurred, perhaps as a result of the hazards shown in Figure 12. Careful study of the hazard will reveal what is the most severe injury possible.


Figure 12: Potential Injury

Remember: For this consideration we are presuming that an injury is inevitable and we are only concerned with its severity. You should assume that the operator is exposed to the hazardous motion or process.

The severity of injury should be assessed as:



Each description is assigned a points value shown in Figure 13.

Figure 13: Points Assigned to Severity

2. Frequency of exposure

Frequency of exposure answers the question of how often the operator or the maintenance person is exposed to the hazard (Figure 14).

Figure 14: Frequency of Exposure

The frequency of exposure to hazard can be classified as:


Each description is assigned a points value shown in Figure 15.

Figure 15: Points Assigned to Frequency of Exposure

3. Probability of injury

You should assume that the operator is exposed to the hazardous motion or process (Figure 16).

Figure 16: How Likely

By considering the manner in which the operator is involved with the machine and other factors (speed of start up, for example) the probability of injury can be classified as:


Each description is assigned a points value shown in Figure 17.

Figure 17: Points Assigned to Probability of Injury

All headings are assigned a value and these are now added together to give an initial estimate. Figure 18 shows the sum of the three components, which adds up to a value of 13. But we must consider a few more factors.

Figure 18: Initial Estimate

(Note: This is not based necessarily on the previous example pictures.)

The next step is to adjust the initial estimate by considering additional factors such as those shown in Table 2. Often they can only be properly considered when the machine is installed in its permanent location.


| Typical Factor | Suggested Action |
| --- | --- |
| More than one person exposed to the hazard | Multiply the severity by the number of people. |
| Protracted time in the danger zone without complete power isolation | If time spent per access is more than 15 minutes, add 1 point to the frequency factor. |
| Operator is unskilled or untrained | Add 2 points to the total. |
| Very long intervals (e.g., 1 year) between accesses. (There may be progressive and undetected failures, particularly in monitoring systems.) | Add points equivalent to the maximum frequency factor. |

Table 2: Additional Considerations for Risk Estimate

The results of any additional factors are then added to the previous total as shown in Figure 19.

Figure 19: Final Value with Adjustments
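The following is an added worked example, not part of the catalog, showing the estimation procedure as a documented calculation: the three factors are summed for the initial estimate, the Table 2 adjustments are applied, and several hazardous situations at one hazard (such as the technician and the cleaner discussed earlier) can be collapsed to a per-factor worst case when they are not addressed separately. The point scales are constructed placeholders; the real values belong to Figures 13, 15 and 17 and must be taken from there.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed placeholder point scales (assumption). The catalog's actual points
# are given in Figures 13, 15 and 17 and are not reproduced on this page.
SEVERITY_POINTS: Dict[str, int] = {"minor": 1, "serious": 3, "major": 6, "fatal": 10}
FREQUENCY_POINTS: Dict[str, int] = {"infrequent": 1, "frequent": 3, "continuous": 5}
PROBABILITY_POINTS: Dict[str, int] = {"unlikely": 1, "probable": 3, "certain": 5}


@dataclass
class HazardousSituation:
    """One hazard/person/task combination from the task and hazard lists."""
    hazard: str
    task: str
    severity: str                      # key into SEVERITY_POINTS
    frequency: str                     # key into FREQUENCY_POINTS
    probability: str                   # key into PROBABILITY_POINTS
    people_exposed: int = 1
    minutes_per_access: float = 0.0    # time in the danger zone without isolation
    untrained: bool = False            # operator is unskilled or untrained
    very_long_interval: bool = False   # e.g. yearly access; monitoring may have failed


def initial_estimate(s: HazardousSituation) -> int:
    """Sum of the three basic factors (as in Figure 18), before any adjustment."""
    return (SEVERITY_POINTS[s.severity]
            + FREQUENCY_POINTS[s.frequency]
            + PROBABILITY_POINTS[s.probability])


def adjusted_estimate(s: HazardousSituation) -> Dict[str, int]:
    """Apply the Table 2 adjustments; return each component and the final total."""
    severity = SEVERITY_POINTS[s.severity] * s.people_exposed   # Table 2, row 1
    frequency = FREQUENCY_POINTS[s.frequency]
    if s.minutes_per_access > 15:                               # row 2
        frequency += 1
    if s.very_long_interval:                                    # row 4
        frequency += max(FREQUENCY_POINTS.values())
    probability = PROBABILITY_POINTS[s.probability]
    total = severity + frequency + probability
    if s.untrained:                                             # row 3
        total += 2
    return {"severity": severity, "frequency": frequency,
            "probability": probability, "total": total}


def worst_case(situations: Iterable[HazardousSituation]) -> HazardousSituation:
    """Collapse several situations at one hazard into one worst case per factor,
    for when the cases are not listed and addressed separately."""
    sits = list(situations)

    def top(scale: Dict[str, int], attr: str) -> str:
        return max((getattr(x, attr) for x in sits), key=scale.__getitem__)

    return HazardousSituation(
        hazard=sits[0].hazard,
        task="worst case of: " + ", ".join(x.task for x in sits),
        severity=top(SEVERITY_POINTS, "severity"),
        frequency=top(FREQUENCY_POINTS, "frequency"),
        probability=top(PROBABILITY_POINTS, "probability"),
        people_exposed=max(x.people_exposed for x in sits),
        minutes_per_access=max(x.minutes_per_access for x in sits),
        untrained=any(x.untrained for x in sits),
        very_long_interval=any(x.very_long_interval for x in sits),
    )
```

Listing the technician and the cleaner as separate HazardousSituation records and also passing both to worst_case makes the cost of not separating them visible in the documented totals.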

Risk Reduction

Now we must consider each machine and its respective risks in turn and take measures to address all of its hazards.

The chart shown in Figure 20 is a suggestion for part of a documented process of accounting for all safety aspects of the machinery being used. It acts as a guide for machinery users, but machine manufacturers or suppliers can also use the same principle to confirm that all equipment has been evaluated. It will also act as an index to more detailed reports on risk assessment.


Figure 20: Risk Assessment Matrix

It shows that where a machine carries the CE mark the process is simplified, as the machine hazards have already been evaluated by the manufacturer and all the necessary measures have been taken. Even with CE marked equipment there may still be hazards due to the nature of its application or the material being processed which the manufacturer did not foresee.

Hierarchy of Measures for Risk Reduction

There are three basic methods to be considered and used in the following order:

1. Eliminate or reduce risks as far as possible (inherently safe machinery design and construction).
2. Install the necessary protective systems and measures (e.g. interlocked guards, light curtains etc.) in relation to risks that cannot be eliminated by design.
3. Inform users of the residual risks due to any shortcomings of the protection measures adopted, indicate whether any particular training is required and specify any need to provide personal protection equipment.

Each measure from the hierarchy should be considered starting from the top and used where possible. This will usually result in the use of a combination of measures.

Inherently Safe Design

At the machine design phase it will be possible to avoid many of the possible hazards simply by careful consideration of factors such as materials, access requirements, hot surfaces, transmission methods, trap points, voltage levels etc.

For example, if access is not required to a dangerous area, the solution is to safeguard it within the body of the machine or by some type of fixed enclosing guard.


Protective Systems and Measures

If access is required, then life becomes a little more difficult. It will be necessary to ensure that access can only be gained while the machine is safe. Protective measures such as interlocked guard doors and/or trip systems will be required. The choice of protective device or system should be heavily influenced by the operating characteristics of the machine. This is extremely important as a system that impairs machine efficiency will render itself liable to unauthorized removal or bypassing.

The safety of the machine in this case will depend on the proper application and correct operation of the protective system even under fault conditions.

The correct operation of the system must now be considered. Within each type there is likely to be a choice of technologies with varying degrees of performance of fault monitoring, detection or prevention.

In an ideal world every protective system would be perfect with absolutely no possibility of failing to a dangerous condition. In the real world, however, we are constrained by the current limits of knowledge and materials. Another very real constraint is cost. Based on these factors it becomes obvious that a sense of proportion is required. Common sense tells us that it would be ridiculous to insist that the integrity of a safety system on a machine that may, at the worst case, cause mild bruising should be the same as that required to keep a jumbo jet in the air. The consequences of failure are drastically different and therefore we need to have some way of relating the extent of the protective measures to the level of risk obtained at the risk estimation stage.


Whichever type of protective device is chosen it must be remembered that a "safety related system" may contain many elements including the protective device, wiring, power switching device and sometimes parts of the machine’s operational control system. All these elements of the system (including guards, mounting, wiring etc.) should have suitable performance characteristics relevant to their design principle and technology. The pre-revision version of the standard ISO 13849-1 outlines various categories for safety related parts of control systems and provides a risk graph in its Annex B. This is a very simplistic approach, but it can provide useful guidance in determining some of the requirements for a protective system.

The revised version of ISO 13849-1 and IEC 62061 both provide useful methods and guidance on how to specify a safety related control system that is providing a protective measure or safety function.

ISO 13849-1:2006 provides an enhanced risk graph in its Annex A. This graph is shown in Figure 21.


Figure 21: Risk Graph for Determining the Required Performance Level for a Safety Function—from ISO 13849-1:2006

IEC 62061 also provides a method in its Annex A; it takes the form shown in Figure 22.

The use of either of the above methods should provide equivalent results. Each method is intended to take account of the detailed content of the standard to which it belongs.

In both cases it is extremely important that the guidance provided in the text of the standard is used. The Risk Graph or Table must not be used in isolation or in an overly simplistic manner.


Figure 22: Table for Determining the Required Safety Integrity Level for a Safety Function—from IEC 62061

Evaluation

After the protective measure has been chosen and before it is implemented it is important to repeat the risk estimation. This is a procedure that is often missed. It may be that if we install a protective measure, the machine operator may feel that they are totally and completely protected against the original envisaged risk. Because they no longer have the original awareness of danger, they may intervene with the machine in a different way. They may be exposed to the hazard more often, or they may enter further into the machine for example. This means that if the protective measure fails they will be at a greater risk than envisaged before. This is the actual risk that we need to estimate. Therefore the risk estimation needs to be repeated taking into account any foreseeable changes in the way that people may intervene with the machine. The result of this activity is used to check whether the proposed protective measures are, in fact, suitable. For further information Annex A of IEC 62061 is recommended.

Training, Personal Protective Equipment, etc.

It is important that operators have the necessary training in the safe working methods for a machine. This does not mean that the other measures can be omitted. It is not acceptable to merely tell an operator that they must not go near dangerous areas (as an alternative to guarding them).

It may also be necessary for the operator to use equipment such as special gloves, goggles, respirators, etc. The machinery designer should specify what sort of equipment is required. The use of personal protective equipment will not usually form the primary safeguarding method but will complement the measures shown above.


Standards

Many standards and technical reports provide guidance on risk assessment. Some are written for wide applicability, and some are written for specific applications. The following is a list of standards that include information on risk assessment.

ANSI B11.TR3: Risk assessment and risk reduction – A guide to estimate, evaluate and reduce risks associated with machine tools

ANSI PMMI B155.1: Safety Requirements for Packaging Machinery and Packaging-Related Converting Machinery

ANSI RIA R15.06: Safety Requirements for Industrial Robots and Robot Systems

AS 4024.1301-2006: Principles of risk assessment

CSA Z432-04: Safeguarding of Machinery

CSA Z434-03: Industrial Robots and Robot Systems - General Safety Requirements

IEC/EN 61508: Functional safety of electrical, electronic and programmable electronic safety-related systems.

IEC/EN 62061: Functional safety of safety related electrical, electronic and programmable electronic control systems.

ISO 14121 (EN 1050): Principles for risk assessment.