introduction to machine risk assessment and functional specification development

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

SF02 - Introduction to Machine Risk Assessment and Functional Specification Development

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 2

The Machine Safety Lifecycle

STEP 5 MAINTAIN & IMPROVE SAFETY SYSTEM

STEP 1 RISK OR HAZARD ASSESSMENT

STEP 4 SAFETY SYSTEM INSTALLATION & VALIDATION STEP 3

SAFETY SYSTEM DESIGN & VERIFICATION

STEP 2 SAFETY SYSTEM FUNCTIONAL REQUIREMENTS

Safety Life Cycle


The Purpose of Risk Assessment

Properly identifies and assesses the real hazards involved in operating a

particular machine.

Determines equivalent levels of protection for safeguards when stating

OSHA’s minor service exception.

Takes away guesswork when estimating risk and prescribing safety

system performance.

Serves as documented proof of your ―due diligence‖.

Establishes the foundation for the design and implementation of an

effective machine safety program.

3

The risk assessment process:


As Referenced in U.S. Standards

Risk assessment is often

referenced throughout mainstream

U.S. machinery safety standards:

ANSI ASSE Z244.1






ANSI B11.19






ANSI / RIA R15.06






NFPA 79


In Europe

Risk assessment is a requirement for machinery directive compliance (2006/42/EC). Applies to those delivering CE compliant machinery to Europe.


Getting Started

It is quite common for any group, whether it be a new equipment OEM or a facility End-user, to have a multitude of questions and concerns when starting at the beginning of the machine safety system lifecycle.

What does the word safety really mean, and how is it achieved?

What is risk? How is it measured? Do I need a PHD in mathematics to analyze probability

and risk? How safe do I need to make this machine? How do I go about identifying hazards?

The risk assessment process answers most of these questions for us!


Before we can understand what exactly we achieve through risk assessment, it will be important to provide an answer for the first few questions.

What does the word safety really mean, and how is it achieved?

Safety, with respect to machinery operation is defined in IEC 62061:2005

as:

This immediately gives us a definition for safety in terms of risk, so it now

starts to become more clear how risk assessment plays a part in achieving

safety!

…Safety is freedom from unacceptable risk

12

What is “safety” exactly?


What is risk?

Now we must define risk? Under the same standard, risk can be defined as: Risk is the combination of the Severity of harm, and the probability of

occurrence of that harm (Frequency of exposure + Avoidability).

What severity of harm would come to the skydiver if his parachute did not open?

+ What is the probability that the parachute(s) will

not open and the skydiver will experience this harm?

Probability factors might be: How frequent does the person skydive?

+ If the parachute(s) do not open, is the skydiver able

to avoid or limit the harm from the fall?


Defined Risk Scale

If we can then define risk in terms of parameters that can be easily selected and summed together, then we will have a simple method for estimating risk relative to machine hazards.

Risk assessment methodologies provided in machine standards provide this

method through risk graphs and matrices, as we will see later.

Risk = Severity of Harm + Probability of Occurrence of Harm

Negligible

Low

Medium

High


Acceptable Risk

15

Acceptable risk may differ from organization to organization, and therefore this value is not purely defined in any standard or methodology. The important thing is that your organization (and the risk assessment team) determine this threshold prior to starting the risk assessment.

Since safety is freedom from unacceptable risk, we will need to establish a value on our range that determines a threshold between acceptable, and unacceptable. Various standards will provide guidance on how to determine when acceptable risk has been achieved.

Negligible

Low

Medium

High

Acceptable Risk


How Standards Help With Risk Assessment

What is the risk associated

with this task?

RISK RATING CRITERIA



What should I do to reduce

risk?

SAFE GUARD SELECTION



What level of performance is

required?

CIRCUIT PERFORMANCE

CRITERIA


What is the risk associated

with this task?

19


What level of performance is

required?

CIRCUIT PERFORMANCE

CRITERIA

RISK RATING CRITERIA

What should I do to reduce

risk?

SAFE GUARD SELECTION

Different terms, same methodology and purpose


What is a Risk Assessment?

Copy

right

©

2011

Rock

well

Auto

matio

n,

Inc.

All

rights

reser

ved.

RA

CON

FIDE

NTIA

L

INFO

RMA

TION

20

ANSI B11.0


Fundamental Process

Risk Evaluation

Risk Reduction

Risk Reduction

Complete for particular hazard

OK

Unacceptable

Risk Estimation

Next hazard Hazard Identification

Define all known machine characteristics and limits


Assessment Tool / Worksheet

A typical risk assessment worksheet will allow each item of data that will be collected and/or determined to be recorded:


Fundamental Process

Risk Evaluation

Risk Reduction

Risk Reduction


OK

Unacceptable

Risk Estimation




Hazard Identification

The first pass of hazard identification is performed on the machine while

ignoring all current safeguards that may be in place

All risks must be identified and estimated

It needs to be determined whether or not the existing safeguard and

it’s performance are applicable and appropriate for the level of risk

All tasks are broken down into individual steps

Allows each step to be assessed more thoroughly for exposure to

hazards

Provides a flow and outline for the risk assessment process


With a task and hazard identified, we enter this data into our worksheet

Assessment Tool / Worksheet

Hazard Type

Hazard Description:

May include Event or Failure mode, hazardous energy source

Reference to supporting photo / drawing


Pallet Nailing Example

30


Pallet Nailing Example

31

Tasks – What did you see?

What was the operator doing?

What were the steps the operator had to go through to accomplish the

task?

Unseen tasks… What if everything didn’t go perfectly?

Break tasks into manageable chunks

Did you observe normal operation? Maintenance tasks? Other?

Let’s look at normal operation, loading raw materials


Assume No Guards Present!

32


Pallet Nailing - Hazard Identification

What hazard(s) does the operator encounter while loading raw materials?

What is the potential hazard?

Event or failure that leads to exposure?

Hazardous energy sources?

What if…

The robot traveled outside of the area intended?

The operator dropped a piece of wood?

The fixture started rotating while the operator was still working?



Unexpected start of fixture start while loading raw materials.

What is the potential hazard?

Event or failure that leads to exposure?

Hazardous energy sources?

Impact by rotating pallet fixture

Operator doesn’t finish task on time

Error - start command issued by control system

Electric motor

More detail is good! ―Fixture Turret Motor‖, ―Motor 117‖

Drive? Contactor? HP?



Task: Normal Operation

Step: Load raw materials into fixture

Affected personnel: Operators

Hazard: Impact by rotating table due to unexpected start

Hazardous energy source: ―Fixture Motor‖, 2HP, 480VAC


Fundamental Process

Risk Evaluation

Risk Reduction

Risk Reduction


OK

Unacceptable

Risk Estimation




Risk Graphs/Matrix/Chart

Depending on our objectives, we can use various other methods. We should consider that one objective is to define our safety performance, and that our process must provide a method for doing so…..


Risk Estimation - HRN

Two fundamental questions:

If something happens, how bad will it be? (Severity)

What are the chances it will happen? (Probability)

What is the Degree of Possible Harm (DPH)?

What is the Frequency of Exposure (FE)?

What is the Likelihood of Occurrence (LO)?

What is the Number of Persons at Risk (NP)?

HRN = DPH x FE x LO x NP


Pallet Nailing – Risk Estimation





Degree of Possible Harm (DPH) Value

Fatality 15

Amputation of two limbs,eyes or total loss of hearing or sight 10

Amputation of a limb, one eye or partial hearing loss 6

Fracture: major bone or major illness (temporary) 4

Fracture: minor bone or minor illness (temporary) 2

Burn, cut, short illness 0.5

Scratch / Bruise 0.1


Frequency of Exposure (FE) Value

Constantly 5

Hourly 4

Daily 2.5

Weekly 1.5

Monthly 1

Annually 0.5







Likelihood of Occurrence (LO) Value

Certain – No doubt 15

Probable – Can be expected 10

Probable – Not surprising 8

Although improbable, it may happen 5

Possible, but unusual 2

Improbable, but still possible 1.5

Highly improbable, but still possible 1

Little/low possibility, extreme circumstances 0.033







Number of Persons at Risk (NP) Value

More than 50 persons 12

16 - 50 persons 8

8 - 15 persons 4

3 - 7 persons 2

1- 2 persons 1












Degree of Possible Harm (DPH)


Frequency of Exposure (FE)

Constantly 5

Likelihood of Occurrence (LO)


Number of Persons at Risk (NP)

1- 2 persons 1

HRN = DPH x FE x LO x NP 160


We now enter the risk estimation parameter selections into our worksheet


Risk Parameters: NP, FE, LO, DPH


Fundamental Process

Risk Evaluation

Risk Reduction

Risk Reduction


OK

Unacceptable

Risk Estimation




Pallet Nailing – Risk Evaluation

We have measured the initial risk, is it acceptable?


Pallet Nailing – Risk Evaluation




Hazard: Impact by rotating table due to unexpected start: HRN = 160

HRN Risk Comment

0-5 Negligible Risk

Presents very little risk to health and safety. The residual risks are

to be controlled by awareness training and in some cases by

warning signs.

5 – 50 Low but significant riskThese are risks that need to be reduced by applying suitable

control measures but are not considered urgent

50 - 500 High riskHaving potentially dangerous hazards, which require control

measures to be implemented urgently

Above 500 Unacceptable RiskThese hazards are extreme and the equipment should not be

operated until the level has been reduced.


Fundamental Process

Risk Evaluation

Risk Reduction

Risk Reduction


OK

Unacceptable

Risk Estimation




HRN RiskSafeguard

PerformanceAbove 500 Unacceptable Risk Hazard elimination

0-5 Negligible RiskAwareness

means(8)a

5 – 50Low but significant

risk

Non-interlocked

barriers, clearance,

Performance Level ISO 13849-1

2006e / d

d

d / c

c

b

b

50 - 500 High risk Engineering controls

Pallet Nailing – Risk Reduction




Hazard: Impact by rotating table due to unexpected start: HRN = 160

Adapted from ANSI B11.0 Table D-4


HRN RiskSafeguard

PerformanceAbove 500 Unacceptable Risk Hazard elimination

0-5 Negligible RiskAwareness

means(8)a

5 – 50Low but significant

risk

Non-interlocked

barriers, clearance,

Performance Level ISO 13849-1

2006e / d

d

d / c

c

b

b

50 - 500 High risk Engineering controls

Pallet Nailing – Risk Reduction

Our risk measurement correlates with a Performance Level d circuit, so our

next step is to implement a PLd circuit, right?

Adapted from ANSI B11.0 Table D-4

WRONG! (but this is a good thing!)


What will we do?

Design it out

Fixed enclosing guard

Monitoring Access /

Interlocked Gates

Awareness Means, Training and Procedures

(Administrative)

Personal protective equipment

Most Effective

Least Effective

Hierarchy of Protective Measures


What will we do?

Design it out

Materials

Fixture

Completed

Pallets

Rack

Robot

Operator

Automate?

What Else?


What will we do?


Monitoring Access /

Interlocked Gates

Materials

Fixture

Completed

Pallets

Rack

Robot

Fixed Guard?

Interlocking Guard?


What will we do?


Monitoring Access /

Interlocked Gates

Materials

Fixture

Completed

Pallets

Rack

Robot

Light Curtain?

Scanner / Mat?


What will we do?

Awareness Means, Training and Procedures

(Administrative)

Personal protective equipment

Materials

Fixture

Completed

Pallets

Rack

Robot


Safeguarding Concept

62

Application requirements:

Single zone with simple control scheme

Allow free operator access

Category 3 / PLd required

Leave existing motor / drive combo in place

Our conceptual design is a safety scanner that shuts down the fixture

motor


Risk Reduction

63


Fundamental Process

Risk Evaluation

Risk Reduction

Risk Reduction


OK

Unacceptable

Risk Estimation

The process of risk reduction may have to be implemented several times before the risk is mitigated to an acceptable value







Safeguard: Approaching fixture causes fixture to stop

Degree of Possible Harm (DPH) Value

Fatality 15

Amputation of two limbs,eyes or total loss of hearing or sight 10

Amputation of a limb, one eye or partial hearing loss 6


Fracture: minor bone or minor illness (temporary) 2

Burn, cut, short illness 0.5



Frequency of Exposure (FE) Value

Constantly 5

Hourly 4

Daily 2.5

Weekly 1.5

Monthly 1

Annually 0.5








Likelihood of Occurrence (LO) Value

Certain – No doubt 15

Probable – Can be expected 10


Although improbable, it may happen 5

Possible, but unusual 2

Improbable, but still possible 1.5

Highly improbable, but still possible 1









Number of Persons at Risk (NP) Value

More than 50 persons 12

16 - 50 persons 8

8 - 15 persons 4

3 - 7 persons 2

1- 2 persons 1








Pallet Nailing – With Safeguard In Place





Degree of Possible Harm (DPH)


Frequency of Exposure (FE)

Constantly 5

Likelihood of Occurrence (LO)


Number of Persons at Risk (NP)

1- 2 persons 1

HRN = DPH x FE x LO x NP 0.02


Residual Risk Rating

70


Risk Assessment Documentation

Risk assessment documentation should contain the following information:

Information relevant for the machinery being assessed (machine limits, specs)

Any relevant operational or design assumptions (loads, strengths, safety factors)

Identified hazard scenarios

The information on which the risk assessment was based; • The data used and the sources (accident histories, experience through

safeguarding similar machinery, etc.) • The uncertainty associated with the data used and its impact on the risk

assessment. • Photos, video, and other supporting data.

Risk reduction measures assessed and applied in the determination of risk reduction

Residual risks associated with the machinery


Next – Functional Specification

STEP 5 MAINTAIN & IMPROVE SAFETY SYSTEM

STEP 1 RISK OR HAZARD ASSESSMENT

STEP 4 SAFETY SYSTEM INSTALLATION & VALIDATION STEP 3

SAFETY SYSTEM DESIGN & VERIFICATION

STEP 2 SAFETY SYSTEM FUNCTIONAL REQUIREMENTS

Safety Life Cycle


Where are we now?

Risk Assessment Complete

Output of the assessment is a CONCEPTUAL Design

Concept should include:

Detail on the task being performed

Risk measurement for the hazard

Potential safeguard (usually the INPUT)

Detail on the hazard (what am I shutting off?)

Requirement for circuit performance (PLr, SIL, Control Reliable)

Next – fashion these details into HOW the system will work


How we got to concept

74

Measured risk level for the task

Used the mitigation hierarchy to choose an engineering safeguard and

specify a circuit performance requirement to match the risk level


Safeguarding Concept

Application requirements:

Single zone with simple control scheme

Allow free operator access

Category 3 / PLd required

Leave existing motor / drive combo in place

Our conceptual design is a safety scanner that shuts down the fixture

motor – a Safety Function

75

75


Next Step – Safety Function

76

A safety function is a control function that affects safety

Behaves like any other control function, but with higher integrity

Like any control function, has Input, Logic, Output subsystems

―High integrity‖ implies certain things aside from ―safety rated‖

Source of hazardous energy directly controlled (not removing an

enable signal)

Circuit performance maintained through I, L, O subsystems

I L O

76


Next Step – Safety Function

Safety function protects persons from a specific hazard

In our example, violation of scanned area stops fixture movement

Safety functions can be described with multipart requirements.

In our example:

The fixture cannot start turning until the operator is clear

Approaching the fixture will cause the fixture to stop

Backing away will not restart the fixture

The circuit that issues the stop command is required to meet the

requirements of PLd / Cat 3 / Control Reliable

77

77


Specifying Safety Functions

Functional Safety Specifications outline how a safety system responds

to system inputs to control system outputs. Functional safety

specifications must at least consider the following:

a) results of the risk assessment for each specific hazard or hazardous situation;

b) machine operating characteristics, including

• intended use of the machine (including reasonable foreseeable misuse), modes of operation

(e.g. local mode, automatic mode, modes related to a zone or part of the machine), cycle time,

and response time;

c) emergency operation;

d) description of the interaction of different working processes and manual activities

(repairing, setting, cleaning, trouble shooting, etc.);

e) the behavior of the machine that a safety function is intended to achieve or to prevent;

f) condition(s) (e.g. operating mode) of the machine in which it is to be active or disabled;

g) the frequency of operation;

h) priority of those functions that can be simultaneously active and that can cause conflicting

action.



What is the triggering event?

What is the reaction?

What is the safe state?

What is the behaviour of the system in the presence of faults?

How does normal operation resume?

Standards to meet? Required circuit performance? Other

considerations?

Interruption of the sensing zone of the SafeZone scanner

Contactors (name? size?) opened, energy to motor (name?) removed

Electrical energy removed, motor at rest

Faults (which ones?) detected before / on demand, energy removed

On reset, contactors close / energy restored, motion does not resume

Shall be designed and constructed to meet requirements of ISO

13849-1 PLd, Safe distance according to ISO 13855, etc…



In all modes of operation, interruption of the configured sensing zone of the

Fixture Scanner (SCN_01) laser scanner is sensed by the Fixture Safety

Relay (MSR_01) and stops and prevents hazardous motion by opening

Fixture Motor Contactors 1 and 2 (K1, K2) removing power to the Fixture

Motor. The motor coasts to a stop (Stop Category 0). When the scanner is

reset, hazardous motion and power to the motor do not resume until a

secondary action occurs—the Start button depressed. A fault at the laser

scanner is detected before the next safety demand.. The safe distance

from the location of the laser scanner to the hazard must be established,

per EN ISO 13855, such that hazardous motion must be stopped before

the user can reach the hazard. The safety function shall be designed and

installed to meet the requirements of PLd, Cat. 3 per EN ISO 13849-1.


Specifying Safety Function

82

Safety Functions can be generalized for reuse

Two different interlocking guards on two different machines operate in

a similar fashion

Basis for many corporate standards

Some Common Safety Functions include:

E-stop Light Curtains – muting Light Curtains – non muting Two hand control Enabling Switch Guard-locking Tongue switch interlock

Safety Camera Area Scanner (Single & Multi) Pull-cord Hinge switch interlock Non contact interlock Safe Speed Control Safe Stop


Rockwell Safety Functions Library

83


Specifying Safety Function

84

Generalized Functional Specification


Summary: Risk Assessment

A good Risk Assessment

Takes a comprehensive view of the machine, including

The machine operating parameters and limits

Task / Hazard identification

Risk Estimation

Risk evaluation / risk reduction measures

Establishes the required safety performance for machine safeguards

Generates OPTIONS for safeguarding

Provides documentation of your due diligence

…Is the foundation for ALL Machine Safety Decisions


Summary: Specifying Safety Functions

Safety Functions

Are similar to other control functions, performed with higher integrity

Are developed with the results of the assessment in mind

Human interaction with machine

Ensure person is able to do their job

Careful not to give incentive to defeat safeguards

Can be generalized and applied to many machines

Safety Functions are ALWAYS specified, just not always in writing!


Example


We care what you think!

On the mobile app:

1. Locate session using

Schedule or Agenda Builder

2. Click on the thumbs up icon on

the lower right corner of the

session detail

3. Complete survey

4. Click the Submit Form button

107

Please take a couple minutes to complete a quick session survey to tell us how we’re doing.

2

3

4

1

Thank you!!


www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

PUBLIC INFORMATION

Thank you!

introduction to machine risk assessment and functional specification development

Technology

standards risk assessment

machine risk assessment

unacceptable risk

terms of risk

risk graphs

europe risk assessment

risk assessment team

risk assessment methodologies