Occupational Hazards Automation...

A

26 PROFESSIONAL SAFETY DECEMBER 2006 www.asse.org

Occupational HazardsOccupational Hazards

AutomationSafety

Assessing the risks and understanding safeguardsBy Yuvin Chinniah and Real Bourbonniere

AUTOMATED SYSTEMS are found in many indus-tries, including food processing, pulp and paper,petroleum, textile and automobile manufacturing. Inaddition to advantages such as greater productivity,reduced production costs, improved product qualityand greater manufacturing flexibility, these systemsoften eliminate the need for some repetitive, tediousand hazardous tasks.

Under normal operating conditions, workers donot access danger zones and are kept away frommany hazards since the automated machines, oftencontrolled by programmable logic controllers (PLCs),

are designed to operate with-out human intervention. Assuch, these automated systemsshould inherently improvesafety by eliminating the needfor workers to reach into dan-ger zones. Furthermore, sincefewer workers are needed inautomated factories, it couldbe argued that potentiallyfewer workers are at risk.

Despite this, automated sys-tems have caused many seriousinjuries. For various reasons,workers still need to intervenein automated systems. Thesesystems often use multipletechnologies (hydraulic, electri-cal, pneumatic and mechanical)and, as such, they presentnumerous hazards that are notalways easy to identify. Poten-tially dangerous tasks includemaintenance, setting, commis-sioning, training, material load-ing/unloading, tool changes oradjusts, adjustments duringproduction, removal of jammedmaterials, and repairs or inter-

ventions following malfunctions. Human error—suchas miscommunication between workers who mistak-enly energize or start a machine when a coworker is inthe danger zone; incorrect use of safeguards; bypass-ing of protective devices; removal of guards; orchanges in the program of electronic programmablesafety devices—is also a potential contributing factorfor incidents involving automated systems.

Recent Incidents in QuebecPaving Block Factory

In June 2006, the Quebec Occupational Health andSafety Commission (CSST) reported on its investiga-tion into the accidental death of a young worker in anautomated factory that made paving blocks. The inci-dent occurred when the worker accessed a dangerzone located under an automated grabber arm usedto stack (palletize) the paving blocks. While trying torearrange a row of blocks that had become mis-aligned following a disruption in the normal produc-tion flow, the worker, who was younger than 25years old and had limited experience with the auto-mated machine, was hit and crushed by the grabber,which was located directly above him and moveddownward suddenly and unexpectedly.

CCST identified several contributing factors:•The worker accidentally activated a limit switch

while rearranging the blocks. The switch sent an inputsignal to the PLC that started the palletizing cycle andinitiated the grabber’s downward movement.

•A light beam, wrongly used as a safeguardingdevice, had been bypassed. CSST reported that theguard had been circumvented because the “safety”beam frequently disrupted normal production; thiswas reportedly due to the dusty environmentaround the palletizing machine.

•The worker had received little or no trainingregarding the risks to which he was exposed orabout safe techniques to use when intervening onthe machine. The safe working methods that couldhave been used included 1) change from automatic

Yuvin Chinniah, Ph.D., is a researcher inmachine safety at the IRSST (Occupational

Health and Safety Research Institute Robert-Sauve) in Montreal, Quebec. He holds a Ph.D.in

Mechanical Engineering (with a specializationin mechatronics) from the University of Sas-

katchewan, and an undergraduate degree inelectrical and electronic engineering from the

University of Mauritius. Chinniah currentlyworks in the area of safety-related control

systems, predictive maintenance strategies forhydraulic systems, risk assessment and machine

safeguarding. Before joining IRSST, he was alecturer in the Mechanical Engineering

Department at the University of Saskatchewan.

Real Bourbonniere has worked at IRSST sinceApril 1991. He specializes in the area of safety-

related control systems, lockout procedures,risk assessment and the use of safeguards.

Bourbonniere was a member of the technicalcommittees responsible for CSA Z432-04 on

safeguarding of machinery and CSA Z460-05 onthe control of hazardous energy. He holds an

undergraduate degree in engineeringautomation from ETS Montreal, Quebec, andhas helped to train inspectors of the Quebec

Occupational Health and Safety Commission onmachine safety and risk assessment.

Chinniah Feature Dec2006.qxp 11/7/2006 12:03 PM Page 26

www.asse.org DECEMBER 2006 PROFESSIONAL SAFETY 27

the mechanic was seriously injured. CSST found thatthe mechanic had been performing the interventionwhile the machine was still being controlled by thePLC. Furthermore, a danger zone was readily acces-sible. CSST concluded that guards were needed andthat a lockout procedure must be followed duringmaintenance or when removing material blocking orjamming the machine.

SawmillIn 2003, a sawmill worker was jammed between

the fork elevator of a stacker and the stand for a con-veyor of an automated wood piling system. Theworker was standing near the fork elevator, waitingfor it to stop before cleaning the floor. However, hewas in the trajectory of the fast-descending fork andwas killed.

Again, CSST found that a danger zone was read-ily accessible and that worker safety had beenignored when the automated stacking line wasdesigned. Clearly, a risk assessment involving alltasks that required access to the machine had notbeen performed.

Automation-Related Accidents:An Overview

Incidents involving automated systems havebeen studied in order to understand their causes.Some studies referred to in this article were con-ducted several years ago, but as the few examples ofrecent accidents involving automated systems indi-

mode to manual mode so that the grabber is nolonger controlled by the PLC when a worker inter-venes under it; 2) use the existing belt conveyor thatcarries paving blocks to the grabber to carry theblocks away from the danger zone in order to alignthem; 3) use a proper lockout procedure to shutdown electrical power supply to the grabber armbefore any intervention.

CSST also found that no risk assessments hadbeen conducted for the machine. According to CSST,a proper risk assessment would have identified sucha hazardous situation (a worker intervening underthe grabber) and that appropriate risk reductionmethods—such as the use of a safety light curtainrather than a single light beam (the worker couldaccess the danger zone simply by passing below thebeam), the use of interlocked guards or the use of anozzle to blow compressed air on the lens of thelight beam to remove dust—could have helped toprevent this fatal incident.

The report also revealed that a safety relay wasnot used and that the existing safety-related controlcircuit was not appropriate for the risk level to whichthe worker was exposed. Moreover, occupationalsafety and health regulations in Quebec mandatethat proper lockout procedures be implemented inplants whenever tasks such as maintenance, setupand removal of jammed materials are performed.CSST strongly suggested the need to implementsuch procedures (explained in greater detail in CSAZ460-05 and ANSI/ASSE Z244.1-2003).

Farm EquipmentA fatal accident in 2004 involved an automated

system on a farm. A farmer was strangled by hissweater, which had become entangled in the rotatingshaft of a screw conveyor while he was program-ming an automated feeding machine. The PLC wasfound close to the unguarded rotating shaft. CSSTfound that a danger zone (mechanical hazard) wasreadily accessible in the automated system and thatno safeguards were present.

Batten Packing FacilityIn another incident from 2004, a worker was

killed in a factory that made battens for woodenfloors. An employee was packing battens near a con-veyor that had its vertical displacements controlledby a PLC. When the worker tried to pick up a battenthat had fallen off the conveyor, the latter suddenlymoved downward and jammed the worker’s head,killing him. Again, CSST found that no risk assess-ment had been conducted on this automated systemand that several danger zones were readily accessi-ble. CSST concluded that use of an interlockedmobile guard or a safety light curtain could havehelped to prevent this fatality.

Paper MillAnother fatality involving an automated stopper

occurred in 2004 at a paper mill. A mechanic finishedrepairing the stopper controlled by a PLC. When heturned on the pneumatic system by opening a valvelocated behind the stopper, the latter retracted and

Abstract: Safety inautomated systems isan important issue.Several studies havebeen conducted toexamine reports ofautomation-relatedaccidents. This articlesummarizes some ofthese findings andidentifies contribut-ing factors to suchaccidents. In addition,safeguards and theirlimitations in pre-venting accidentsare discussed, as isthe need for properrisk assessment.

Chinniah Feature Dec2006.qxp 11/7/2006 11:39 AM 7


This can arise from inappropriate design of themachine’s control system; presence of a worker inthe danger zone who accidentally activates a sensor;human error at the control panel; software errors inthe PLC; or restoration of the energy supply afteran interruption.

•Insufficient or incorrect safeguarding.•Inadequate worker training.•Underestimation of risk. Workers may either be

unaware of or downplay the risks, often because oflimited training. Insufficient risk analysis during thedesign of a system also impacts the perception of risk.

•Workers tampering with existing safety devices.Often, this is done to reduce downtime caused by fre-quent disturbances to normal production.

•Evolution of automated systems. This can becaused by modifications in the PLC software; addi-tion or removal of sensors; or changes in safeguard-ing methods.

Consequences of Automation AccidentsAs revealed by Vautrin and Dei-Svaldi (1989),

automation-related accidents occur less frequentlythan other types of machine-related accidents, butthey often cause serious injuries, resulting in ampu-tations and death. Of the incidents they reviewed,26% of the injuries resulted in death; 23% resulted inamputation; 23% required hospitalization; and 28%required no hospitalization.

Of the tasks being performed during those inci-dents, the person involved was intervening after amalfunction (54%); performing a normal operation(16%); changing settings and making adjustments(20%); and conducting preventive maintenance andsupervision (10%).

The injuries reported involved the upper limbs(12%), head (22%), chest (40%) and lower limbs(12%). Those involved were operators (46%); main-tenance personnel (22%); adjustment and setup per-sonnel (24%); and supervisors (6%).

Similarly, Dei-Svaldi and Charpentier (2001)found that 27% of workers suffered amputationswhile 28% experienced fractures; in addition, 16% ofthe incidents studied were fatal. Edwards (2001)found that 42% of automation-related incidentsresulted in major injuries, including amputation andfractures other than fingers and toes.

Risk Management Process: Risk AssessmentAs the review of incident reports reveals, risk

assessment is an essential part of the overall processto ensure the safety of automated systems. Riskassessment is a series of steps to examine the hazardsassociated with machines. It can be divided into twophases: risk analysis and risk evaluation (ISO, 1999a).

Risk analysis consists of three stages: determiningmachine limits; identifying hazards; and estimatingrisk. The risk evaluation process allows decisions tobe made regarding a machine’s safety.

Machinery LimitsKnowing the limits of the automated system

includes considering all phases of the machine life—design, construction, transport, installation, commis-

cate, their findings can be used to identify potentialhazards associated with such systems.

The National Research Institute on Safety (INRS)in France has conducted two studies on the safety ofautomation systems. The first study analyzed 54automation-related incidents in France between 1983and 1987 (Vautrin & Dei-Svaldi, 1989). It showed thatinterventions following a malfunction of the auto-mated system during production were hazardousand that operators, as well as maintenance personnelwere the most frequent victims of those incidents.

INRS conducted another study based on 457automation-related accidents occurring during a 20-year period in France (Dei-Svaldi & Charpentier,2001). This study investigated the impact of auto-mated systems on worker safety. The results showedthat the accidents occurred mainly during use of theautomated system (36%) and during ancillary phas-es (42%), such as adjustment, supervision, repair,cleaning, inspection or testing. Nearly 25% of thevictims had fewer than 3 months’ experience. Thestudy confirmed results from the previous study inconcluding that many incidents occur during inter-ventions needed after the automated system mal-functions or during maintenance activities.

In another study, the U.K. Health and SafetyExecutive (HSE) analyzed 143 accidents involvingautomated systems that occurred between 1996 and2000 (Edwards, 2001). The analysis revealed thatactivities such as maintenance tasks, setting, faultfinding and rectification put workers at risk, andthat 69% of victims were operators and 13% weremaintenance staff. In addition, the injured workerwas performing one of the following activities whenthe incident occurred:

•normal production operations, such as feedingand unloading of the machine; quality control,including dealing with minor disturbances to nor-mal operation such as adjusting the position of theproduct being worked on; and clearing waste prod-uct from the work area (45% of the incidents);

•tasks to prepare the machine, including setting,adjusting, recalibrating, tool changing and cleaning(23% of the incidents);

•serious disturbances in normal machine opera-tion, including fault-finding and rectification (15% ofthe incidents);

•maintenance activities (10% of the incidents).Many accidents involving automated systems

occur when addressing production disruptions.During these malfunctions or disturbances, the auto-mated machine often operates in an abnormal mode.For example, machine movement may have beeninitiated but was interrupted and is ready to resumeonce the hindrance is removed. Another example iswhen an already received start signal stored in thePLC’s memory prompts a machine movement assoon as a wedged work piece is freed (Backstrom &Doos, 2000).

Based on the studies and accident reportsreviewed, several factors that contribute to automa-tion-related incidents can be identified.

•Unexpected start-up or machine movement.

Chinniah Feature Dec2006.qxp 11/7/2006 11:39 AM Page 28


event and the possibility of avoiding the harm. Thecombination of these four factors, including theseverity of the harm, is used to estimate risk valuesthat can then be used for comparison purposes.

The risk estimation process is usually completedusing a risk matrix or graph (Figure 1), where param-eter values are combined to produce a resulting risklevel. For example, the severity of the harm (S) couldbe defined as 1) S1, minor injury that is usuallyreversible (scratches, lacerations, bruises); or 2) S2,serious injury that is usually irreversible (broken orcrushed body parts, fractures, death).

The frequency and/or duration of exposure (F)could be defined as 1) F1, twice or less by work shift,or less than 15 minutes cumulative exposure byshift; or 2) F2, more than twice by work shift or morethan 15 minutes cumulative exposure by shift.

The probability of occurrence of the hazardousevent (O) could be defined as 1) O1, when a mature,tested, robust technology, proven and recognized insafety application, is being used; 2) O2, where tech-nical failure has been observed in the last 2 years orinappropriate human action has been taken by awell-trained employee, aware of the risks, with morethan 6 months’ experience at the workstation; and 3)O3, when technical failures occur regularly; when aninappropriate human action has been taken by anuntrained person with less than 6 months’ experi-

sioning, operation, start-up/shutdown, setting or processchangeover, cleaning and ad-justment. One must look be-yond the intended use andoperation of the machine toconsider the consequences ofreasonably foreseeable misuseor malfunction, as well as theanticipated level of workertraining and experience.

Hazard IdentificationFor each task that requires

access to a danger zone of theautomated systems, associatedhazardous conditions must beidentified (i.e., hazard, haz-ardous situation, hazardousevent and possible harm,as detailed in ISO 14121).According to Annex A of ISO14121, hazards in automatedsystems and for machinery ingeneral fall into two main cate-gories—mechanical and electri-cal hazards (ISO, 1999a).

Forms of mechanical haz-ards include crushing, shear-ing, cutting, entanglement,entrapment, impact and abra-sion. These hazards can beproduced by various machineparts depending on theirshapes, relative motions, mass-es, stabilities, velocities and strength. Workers can beinjured by mechanical hazards in an automated sys-tem as a result of being:

•trapped between a machine and a fixed structure;•struck by material ejected from the machine;•struck by ejected part of the machine;•struck by jet of fluid under pressure;•in contact/entangled with material in motion;•in contact or entangled with the machine.Workers can also be injured by electrical hazards,

which include situations such as contact with liveparts, contact with parts becoming live under faultconditions, approach to live parts carrying high volt-age and thermal radiation. Electrical hazards can leadto electrification (injuries), electrocution (death), heartattacks and burns. Thermal hazards, as well as haz-ards generated by noise, vibration, radiation and dan-gerous substances are examples of other dangers thatshould be considered at this stage.

Risk Estimation & EvaluationOnce hazards are identified, the risk of each iden-

tified hazard and hazardous situation must be esti-mated. Risk is a combination of the severity of theharm and the probability of occurrence of that harm.The probability of occurrence of harm can be esti-mated by considering exposure frequency and dura-tion, the probability of occurrence of a hazardous

Figure 1Figure 1

Risk Graph: 6 Indices

(S) = severity of the harm(F) = frequency and/or duration of exposure(O) = probability of occurrence of the hazardous event(A) = possibility of avoiding the harm


creo


It was concluded that a proper risk assessment,coupled with the use of fixed guards, interlockedmobile guards, safety mats, light curtains and safetyprocedures could have reduced the risks of accidents(Vautrin & Dei-Svaldi, 1989)

Dei-Svaldi and Charpentier (2001) suggest thatduring the design stage, engineers should use anappropriate risk assessment method to analyzeevery operating mode of the system—automatic,semiautomatic, adjustment, manual and degraded.These researchers found that 90% of all incidentsreviewed could have been prevented had appropri-ate safeguards been used.

Edwards (2001) notes that 44% of incidents whichoccurred during normal production involvedmachines in automatic mode and reported that thisfactor, along with the need for workers to gain accessto danger zones when the machine was in automaticmode, implied fundamental design problems whichshould have been identified by proper risk assess-ments. This study also revealed that existing safe-guards did not allow workers to intervene safely inthe production process when necessary. Maintenancestaff gained access to the machine by suspending theoperation of some safety devices and designers needto take that into consideration as well (Edwards, 2001).

Backstrom & Doos (2000) also report that prob-lems with safeguarding in automated systems couldcause accidents. This study examined problemsrelated to safety devices in 76 accidents involvingautomated production. Four common safeguardingproblems were reported:

1) not using safeguards, including removing, cir-cumventing, defeating decoupling and failure (54%);

2) failure to stop all machine movement, arisingfrom a) residual pressure in pneumatic andhydraulic systems; b) stalled pneumatic system as aresult of a jam and sudden movement when theequipment is freed; c) movement starting when aperson is correcting a malfunction in the dangerzone; d) time taken for all machine movement tocease not considered (20%);

3) limited range of safeguards, arising whenmaterial barriers and presence-sensing devices donot protect workers during work in the danger zoneand during work which requires that a machine beenergized (18%);

4) safeguard failures, including barrier failure,faulty interlock and a faulty component (5%).

Recommendations for Improving SafetyAutomated systems must be assessed, preferably

during the design phase, in order to identify all haz-ards that workers may potentially face. ANSIB11.TR3-2000 (ANSI, 2000) and ISO 14121 (ISO, 1999a)both provide guidance on performing such assess-ments. Workers should participate in both the riskassessment and in the evaluation of safeguards imple-mented. The experience of operators, mechanics,setup personnel, electricians and other workers whointervene on the automated machines is crucial.

Ideally, a small team consisting of at least one

ence at the workstation; or a similar accident hasbeen observed within the last 10 years.

The possibility of avoiding the harm (A) could bedefined as 1) A1, possible under certain conditions ifmechanical parts are moving at a low speed and theexposed worker is familiar with the risks and withindications of its apparition; and 2) A2, impossible.

At the last stage of the assessment process, a deci-sion is made about the safety of each situation. If therisk is deemed intolerable, the process continueswith the search for the proper risk reductionmethod. Risk estimation results are often used as atool in the evaluation process with the determina-tion of a risk hierarchy.

Risk ReductionIf the risk evaluation shows that risk reduction is

needed, the method used to reduce the risk to a tol-erable level should follow a hierarchical approach:

•Eliminate the hazard.•Substitute less-hazardous materials.•Use safeguarding.•Ensure that safe working procedures are used,

provide training and protective equipment.However, it is not always possible to eliminate haz-

ards, and certain tasks require access to danger zones.In such situations, the use of safeguards should beconsidered. The proposed safeguarding methods thenmust be assessed. In most cases, existing safeguardsshould not be considered when conducting a riskassessment. This helps to ensure that all possible haz-ards associated with a task are identified. It can alsoenable inherent prevention to be considered—that is,finding means to eliminate the hazard itself. In allcases, the risk reduction method selected must beassessed after its implementation.

Problems with SafeguardingThe machine safeguarding industry is expand-

ing, with an expected compounded annual growthrate of 8.4% over the next 5 years. The market repre-sents $1 billion in 2004 and is forecasted to surpass$1.5 billion by 2009 (Machine safeguarding, 2005).According to ISO 12100, safeguarding is “a protec-tive measure using physical barriers or protectivedevices to protect persons from the hazards whichcannot reasonably be eliminated or risks which can-not be sufficiently reduced by inherent design meas-ures” (ISO, 2003).

Without prior risk assessment, relying solely onsafeguarding to reduce risks associated with auto-mated systems is troublesome. The presence of safe-guards alone does not guarantee safety sinceincidents occur despite these protective measures. Infact, the need for workers to intervene into a dangerzone imposes additional demands on safeguards.

Vautrin and Dei-Svaldi (1989) highlight theimportance of safeguards in automated systems. Intheir study, the automated systems under investiga-tion had:

•no safeguards;•wrongly designed or deteriorated safeguards;•safeguards that had been bypassed or removed

during maintenance or repair.

Withoutprior risk

assessment,relying solelyon safeguard-ing to reducerisks associ-

ated withautomatedsystems is

troublesome.



•Have you ever bypassed or defeated safe-guards? If so, how easily was this achieved?

•What type of safeguards do you think would bemore appropriate?

•What kinds of interventions require entry into adanger zone, how often and for how long?

•Do you stop all machine movements beforeintervening in the danger zone? If not, why?

•Was the training you received sufficient to help

operator, maintenance personnel, safety engineer,technician and representative from plant manage-ment should conduct the risk assessment. A teamapproach is best since no one person will knowenough about the various tasks performed on theautomated systems and have the technical back-ground to conduct a proper risk assessment.

In practice, the team will create a risk assessmenttable. Column headings may include tasks, hazards,hazardous situations, hazardous events, harm,severity of the harm, exposure duration and fre-quency, probability of occurrence of the hazardousevent, probability of avoiding the hazard, resultingrisk level, possible risk reduction methods, and riskreduction method selected.

The rows of the table are used to described differ-ent tasks involved with the automated systemthroughout its life cycle. These tasks could include,for example, feeding and unloading; dealing withminor disturbances to normal operation; clearingwaste product from the work area; serious distur-bances in normal operation, such as fault-findingand rectification; setting, adjusting, recalibrating,tool changing and cleaning; and maintenance. Ithelps to use a video camera and photographs tostudy interventions that require access to dangerzones. This way, tasks can be analyzed carefullyoffline, in a less-stressful environment.

Furthermore, risk reduction methods should beapplied in a hierarchical order, as explained in ISO12100. The first step is to seek ways to eliminate thehazard or to reduce its consequences through design(e.g., eliminate the need for the worker to intervene;reduce speed and force involved in danger zones;avoid danger zones where workers can be trappedor struck by material; use ergonomic principles).

The next step is to install fixed guards that arepermanent and that can only be removed with tools.When frequent access to the danger zones isrequired, an interlocked guard (installed with theproper safety-related control circuitry) should beused. Presence-sensing devices such as light cur-tains, safety mats, two-hand controls and laser scan-ners should then be considered. Use of warningsigns and alerting techniques, safety procedures,worker training and protective equipment are theleast-effective risk reduction methods.

In addition, existing safeguards should be evalu-ated. Safeguarding techniques such as interlockingof mobile guards, light barriers, pressure mats andtwo-hand controls often provide an effective level ofprotection when suitable to the specific tasks andwhen installed properly (Table 1).

However, their presence alone does not guaranteesafety. To identify problems with existing safeguard-ing, workers should be asked several questions:

•Have you experienced an unexpected move-ment of the machine or been in a situation where amachine movement occurred when you believedthat the machine had safely stopped?

•Do you have to perform tasks where it is impos-sible or impracticable to use existing safeguards?

ProgrammableLogic Controllers& SafetyIndustrial automation often involves the use ofPLCs. These digital electronic devices have pro-grammable memories to store instructions andto implement functions such as logic, sequenc-ing, timing, counting and arithmetic in order tocontrol machines and processes. PLCs can beprogrammed to control a wide range ofmachines and they come in different sizes, gen-erally designated according to the number ofinputs and outputs, and the memory capacity.PLCs are similar to microcomputers, with addi-tional features related to their use in industrialenvironments.

However, the use of the standard PLC forsafety functions—such as the interlocking ofmobile guards and the connection of emergencystop push buttons—is generally not recom-mended for three main reasons (Paques, 1990).

First, PLCs are more susceptible to failurethan electromechanical relays since environmen-tal conditions can interfere with their operation.PLCs may become sensitive to electromagneticinterference, temperature variation, vibrationand humidity if not properly enclosed.

Second, the failure mode for the electroniccomponents is not fully predictable and soft-ware problems can cause the program to gethung up in a loop or stopped, making the out-put erroneous.

Third, the ease of program modification,which is a main attraction of a PLC when it iscompared to bulky and expensive relay panels,can pose safety hazards if unauthorized person-nel modify the program without proper docu-mentation or verification. This is particularlyhazardous if the safety function is what hasbeen modified. Standard PLCs are not designedfor safety applications and they exhibit limitedfail-safe characteristics, limited redundancy intheir architecture and limited software reliabili-ty. Therefore, it is typically better to use hard-wired circuits involving safety relays to ensurecritical safety functions in a way that the safetycontrol circuits are kept independent of theprocess control circuits.



Safeguard Methods, Advantages & LimitationsSafeguard Advantages Limitations Problems in automationa

Table 1Table 1

Fixed guardA casing, cover, screen,door or enclosure prevent-ing access in the dangerzone. The guard is kept inplace by means of screwsand nuts, preferably by per-manent means such as riv-eting or welding. Tools areneeded to remove the fixedguard.Interlocking guardPrevent starting a machinewhen the mobile guard isopened. Mobile guards areusually connected by me-chanical means (hinges orslides) and need to be inter-locked with devices such ascam-activated switches,trapped-key systems, me-chanical systems and electri-cal controls.Two-hand controlRequires the use of bothhands simultaneously toinitiate and maintainoperation.Presence-sensing deviceUsed for detecting danger-zone intrusion or for useinside the danger zone.Sensor types include opticalbeam, ultrasonic, capaci-tance, infrared, tactile, pres-sure-sensitive mats andvision.

•Can providemaximum protec-tion.•Requires littlemaintenance.•Less costly.

•Can providemaximum protec-tion.•Allows access tothe machine with-out removal offixed guards.

•Operator’s handsare at a predeter-mined location,away from thedanger zone.•Can allow freemovement of oper-ator.•Leaves operator’shand free to work.•Self-testing andfail-safe character-istics possible.

•May interfere with visibility.•Gaps and safety distances mayhave wrong dimensions.•Limited to specific operations.•Machine adjustment and repairmay require its removal.•Not suitable where frequentaccess to guarded zone isneeded.

•Requires careful adjustmentand maintenance.•May be easy to disengage.•Time required for movementto stop before worker reachesthe danger zone must beconsidered.•Safety interlocking switchesmay be damaged or misaligned.

•Protects only the operator.•Blocking the control andenabling one-hand operationmay be possible.•May be disconnected.•Does not protect againstmechanical failure and object ormachine parts being projectedtoward worker.•May require frequent alignmentand calibration.•Excessive vibration may causesensor damage (e.g., opticalbeams).•Environmental factors mayaffect the device and signals.Safety mats risk wear and tear, aswell as damage from chemicals.•Light beams are sensitive todust.•May be possible to work on thedangerous side of the intrusiondetection device. •May cause production distur-bances.•Time required for movement tostop before worker reaches thedanger zone must be considered.

•Guard had to be removed forsetup.•Guard was circumvented onthe ground since it disturbed thework.•Guard not suitable.

•Interlock did not stop all machinemovement in the danger zone.•Interlock was defeated.•The cam disk of the interlockswitch had become detached.•Interlocked gate was open whileworkers intervened on themachine on manual mode.

•The buttons on a two-hand con-trol were activated by mistake bythe operator’s body as he stretchedover the control.

•Ultrasound sensors deactivatedsince they gave false alarms.•Failure to stop all machinemovement.•One person started the machineafter the light curtain stopped allmovement, while the operatorremained inside the danger zone.

aFrom “Problems with Machine Safeguards in Automated Installations,” by T. Backstrom and M. Doos, 2000, International Journal of IndustrialErgonomics, 25(6), pp. 573-585.

Chinniah Feature Dec2006.qxp 11/7/2006 12:03 PM Page 32


costs to improved product quality and a reducedneed for employees to perform repetitive tasks.However, they bring with them additional hazardsthat must be identified, assessed and controlled.

All stakeholders play a role in this process. Designengineers must work to eliminate hazards by consid-ering worker interactions with the automated sys-tems—particularly in danger zones—during thedesign phase. Management must evaluate the sys-tems once installed to assess risks, develop andenforce safe work practices, and implement appro-priate safeguards. Management must also communi-cate hazards to workers and provide them with theproper tools and training to avoid those hazards.Finally, workers must recognize the hazards associat-ed with these machines, follow safe work practicesand understand the need for safeguards. �

ReferencesANSI. (2000). Risk assessment and risk reduction: A guide to

estimate, evaluate and reduce risks associated with machine tools.ANSI B11.TR3- 2000. New York: Author.

ANSI/ASSE. (2003). Control of hazardous energy: Lockout/tagout and alternative methods. ANSI/ASSE Z244.1-2003. DesPlaines, IL: ASSE.

Backstrom T. & Doos, M. (2000). Problems with machine safe-guards in automated installations. International Journal of IndustrialErgonomics, 25(6), 573-585.

Canadian Standards Association (CSA). (2005). Control ofhazardous energy: Lockout and other methods. CSA Z460-05.Mississauga, Ontario: Author.

Dei-Svaldi, D. & Charpentier, P. (2001). Study of automationaccidents based on the reports of accidents in the EPICEA database.Paris, France: National Research Institute for Safety (INRS).

Edwards, R. (2001). Learning from mistakes: Experiencegained from accidents associated with complex technology.Proceedings of Safety of Industrial Automated System, U.K., 39-44.

HVBG. (1997). Categories for safety-related control systems inaccordance with EN 954-1. BIA-Report 6/97e. Bonn, West Germany:Author. Retrieved March 20, 2006, from http://www.hvbg.de/e/bia/pub/rep/rep02/bia0697.html.

International Organization for Standardization (ISO). (1999a).Safety of machinery: Risk assessment. ISO 14121. Geneva, Switzer-land: Author.

ISO. (1999b). Safety of machinery: Safety-related control sys-tem parts. Part 1: General design principles. ISO 13849-1. Geneva,Switzerland: Author.

ISO. (2003). Safety of machinery: Basic concepts, general prin-ciples for design. Part 1: General terminology, methodology.ISO/FDIS 12100-1. Geneva, Switzerland: Author.

IEC. (2005). Safety of machinery: Functional safety of safety-related electrical, electronic and programmable electronic controlsystems. IEC 62061. Geneva, Switzerland: Author.

Machine safeguarding market to grow. (2005, Nov.) Automa-tion, 1-48.

McConnell, S. (2004, Jan.). Machine safeguarding: Building asuccessful program. Professional Safety, 49(1), 18-27.

Manuele, F. (2005, Nov.). Global harmonization of safety stan-dards: Examining the European influence on the practice of safety.Professional Safety, 50(11), 41-46.

Mitchell, C. & Williams, K. (1993). Failure experience of pro-grammable logic controllers used in emergency shutdown sys-tems. Reliability Engineering and System Safety, 39(3), 329-331.

Paques J.J. (1990, Feb.). Basic safety rules for using program-mable controller. ISA Transactions, 29.

Pilz Automation Technology. (1999). Guide to machinery safety.Northants, U.K.: Author. Retrieved March 20, 2006, from http://www.pilzsupport.co.uk/downloads_gms.htm.

Roudebush, C. (2005, Oct.). Machine safeguarding: A processfor determining tolerable risk. Professional Safety, 50(10), 20-24.

Vautrin J.P. & Dei-Svaldi, D. (1989). Work accidents in automatedplants: Evaluating a preventive method. Paris, France: INRS.

you perform tasks correctly and safely? If not, whatare some specific deficiencies?

•Are safeguards inspected? Are the inspectionseffective?

•Do maintenance activities require you toremove or bypass safeguards?

A routine check of safety devices could prove tobe an important action before each shift, betweenoperator changes and especially after maintenanceactivities. The cited studies revealed that mainte-nance personnel are particularly at risk when per-forming complex fault-finding and adjustment taskswhich require access to danger zones when machineparts are able to move. Therefore, having a post-maintenance testing and inspection program canensure that equipment is returned to service onlyafter it is verified to be ready.

Maintenance workers might also be expected toperform work when safeguards are removed orwhen machines are faulty. A proper risk assessmentwill identify these high-risk situations and will eval-uate existing safeguards during maintenance actions.In cases where the use of safeguard is not deemedsufficient, the use of a well-devised and executedlockout procedure (such as that detailed inANSI/ASSE Z244.1-2003 or CSA Z460-05) will benecessary. Furthermore, if possible, it is best to havea maintenance or setting mode in which the speed ofmoving parts and the forces involved are lower thanthose found during normal operating conditions.

Properly designed safety-related control systems,independent of the process control, are also highlyrecommended for some safeguards to be fully effec-tive (HVBG, 1997). ISO 13849-1:1999 provides guide-lines on how to design and implement correctsafety-related control systems (ISO, 1999b). Morecomplex systems, such as programmable electronicsystems, when used for safety applications, shouldcomply with IEC 62061 (2005).

As noted, use of standard PLCs for safety appli-cations is not recommended, nor is it advisable toconnect interlocked guards or light barriers to stan-dard PLCs. Instead, if deemed necessary, safetyPLCs should be used. They are certified to meetrigid safety and reliability requirements of interna-tional standards and emphasize internal diagnosticsthat allow the device to detect internal faults.

ConclusionSound working principles, such as proper training,

use of proper tools and equipment during interven-tions, use of PPE, and respect of ergonomic principlessuch as adequate location of control panels in terms ofvisibility of danger zones can reduce the risks ofinjury-producing incidents. Worker training shouldcover how to operate the automated system safely;how to identify and recognize (when possible) poten-tial hazards; existing safeguards and the reasons to notcircumvent them; risks associated with their tasks;and recommended safe working methods.

Automated systems offer many advantages—from greater productivity and reduced production


Occupational Hazards Automation...

Documents

Transcript of Occupational Hazards Automation...