1          Methods of selection of guards and protective devices

1.1      Introduction

Ensuring the operational safety of the machine requires the introduction of a series of safety measures in accordance with the principal requirements of directive 2006/42/EC. The basic safety measures which decrease the risk related to hazards, mainly mechanical ones, include:

-          permanent guards and enclosures and

-          safety measures based on control methods.

Permanent guards and enclosures form partitions intended to effectively separate the employee from the hazardous zone, which should be achieved through appropriate construction and effective mounting. The dimensions and placement of the guards and enclosures should prevent them from being bypassed and should prevent direct access to the hazard zone through openings in such guards and enclosures.

The use of control methods is an integral part of a set of measures necessary to provide operational safety of each machine. This results from the basic requirements of the Machinery Directive referring e.g. to safe start-up and shut-down, which implies the use of specific control technology solutions. Thus, the control methods which ensure safety, and technical measures related thereto, are included in the scope of design of all machinery, and should be also subjected to special supervision as significant elements of maintaining safety during the period of machine operation.

Restricting the possibility of accessing the hazard zones through the use of control-based safety measures requires the use of human detection or body part detection protective devices.

The control methods used to ensure machinery operation safety are implemented in the machine’s control system mainly as safety-related control system elements (SRCSE). The standards concerning the SRCSE requirements define SRCSE as: “the control system element(s) or component(s) which in response to safety-related input signals generate safety-related output signals”, or as “a part of the machine control system which, when defective, immediately increases risk”. The SRCSE implements so-called “safety functions” and usually is not used to implement process functions, but due to system reasons a strict separation is not always possible. When designing the machinery control systems as a whole, various types of safety requirements have also to be taken into account, as provided for in regulations (European Union directives, national regulations, industry rules) and technical documents (standards harmonised with the directives, other standards and technical specifications, including national ones, recommendations made by recognised technical organisations and notified bodies).

Due to the SRCSE design requirements, a specific design procedure composed of strictly specified stages has to be followed. It starts with risk identification, risk assessment, the decision on the selection of a control method-based safety measure and the establishment of a safety function, continues with the requirements concerning their implementation through the relevant stages of design, and ends with the validation of the final solution and completion of the required documentation. A design which takes into account the requirements of harmonised standards and other widely recognised technical documents is recommended. The high level of requirements for the SRCSE creation process stems from the requirement to ensure an appropriate level of damage resistance: a defect which causes the SRCSE to lose the ability to implement the assumed safety functions results in an immediate increase of the risk related to the operation of the device. Similarly high requirements apply to SRCSE operation methods, which should ensure full functionality over the entire life cycle of the machine.

1.2      Basic requirements

In order to establish the scope of regulations which concern control systems, the type of energy used to implement the safety functions should be taken into account, as well as the technology used to implement them. This leads to the following division of SRCSE types:

-          mechanical,

-          pneumatic,

-          hydraulic,

-          electric/electronic/electronic programmable,

-          combinations of the aforementioned implementation methods.

Control-related safety measures (safety functions implemented by the SRCSE) should only be used when it is not possible to rationally eliminate hazards through appropriate construction of the machine and design of the process. When using the SRCSE, the remaining residual risk should also be estimated, the users should be notified about it, and other safety measures which enable its decrease should be indicated (e.g. wearing personal protective equipment, training, procedures for verification of correct operation, regular maintenance activities, etc.).

Not only the SRCSE implementing safety functions, but the entire machine control system should operate in a manner which minimises the risk of accident. For this reason the implemented logic, control elements, switching elements, logic and control functions and the method of construction should be carefully thought out. A series of related requirements applies to:

-          designing and constructing control systems in a manner ensuring their safety and reliability, preventing hazardous situations, enabling them to stand up to loads resulting from normal operation and from external factors, and preventing errors in logical systems which would lead to hazardous situations;

-          using control elements, which should be: clearly visible, recognisable, appropriately marked (in necessary cases), placed in a manner ensuring their safe, immediate, unequivocal use, designed and placed in such a manner as to ensure that the direction of their movement is in accordance with the intended control effect, placed outside of hazardous zones (with the exception of emergency stop switches and robot programming panels), placed in such a manner as to prevent their operation from causing additional risk, designed or protected in such a manner as to ensure that the intended effect, if it entails risk, could not occur without an intentional action, adapted to foreseeable loads, adapted to foreseeable use of personal protective equipment (gloves, shoes);

-          using indicators and signalling devices necessary to ensure the safety of the operating personnel, which should be visible and legible from the operator station,

-          placing an operator station in a manner ensuring that in hazardous zones no exposed persons are present, and when this is impossible, preceding each start of the machine with an acoustic or optical warning signal;

-          placing of devices (measures) which enable rapid action preventing the start of the machine in the locations hazardous to personnel;

-          starting the machine only through intentional activation of a control element planned for this purpose (with the exception of an automatic operation mode);

-          equipping the machine with a control element enabling complete, safe stop in a normal operation mode with functional priority over the starting elements;

-          disconnecting power supply from the drives the moment the machine is stopped;

-          using emergency stop devices with appropriate features and functional properties;

-          priority of control in the selected mode over other control modes with the exception of emergency stop;

-          special conditions of control in modes related to the switching off of protective devices;

-          preventing dangerous situations related to the loss and return of power supply;

-          preventing automatic, unexpected start-up;

-          preventing the negative effects of control system defects;

-          developing dialogue software which is easy to operate;

1.3      General strategy of ensuring machinery operation safety

Ensuring machinery operation safety with control methods should be performed in accordance with the general risk decrease strategy presented in standard [5]. This strategy assumes that the hazards existing in the machine will sooner or later lead to harm unless an appropriate safety measure is used. The safety measures are a combination of methods used by the designer and user, whereas measures implemented at the design stage are considered more effective than the means which have to be implemented by the user.

The machine designer, when commencing work on the design, should acquaint himself with the experiences of users of similar machinery and, if possible, obtain opinions of potential users of the new design, and then commence actions in the following order:

-          establish the limitations and usage in accordance with the intended use;

-          identify the hazards and hazardous situations related thereto;

-          estimate the risk for each identified hazard and potentially hazardous situations;

-          assess the risk and decide whether it has to be decreased;

-          eliminate the hazard or decrease the risk related to the hazard through the use of appropriate safety measures.

The aforementioned actions form an iterative risk assessment and reduction process. After the risk is eliminated, e.g. by changing the manufacturing process, the hazards and potentially hazardous situations should be reassessed, to make sure that actions eliminating one type of a hazard did not cause the occurrence of different hazards. After the use of the safety measure, the risk related to the given hazard should be assessed again, to check whether it has been decreased to a socially acceptable level. If the acceptable level has not been reached, then the use of additional safety measures or change of the solutions proposed so far to different ones should be decided upon. In each of these cases repeated risk assessment should be performed, then these steps should be repeated iteratively using state-of-the-art technology, until for all the identified hazards and hazardous situations solutions are found which decrease the risk to an acceptable level.

It should be noted that the socially acceptable level of risk results on the one hand from social expectations concerning the working conditions, and on the other hand from technical and organisational possibilities and costs of introduction of new or more advanced and complex safety measures. The socially acceptable level of risk is systematically decreasing, leading to a continuously safer work environment. This has been made possible through continuous technical progress and introduction of new work organisation methods.

In the iterative machinery safety assurance process, the following order of goals has to be kept when selecting appropriate safety measures:

-          safety of machinery operation at all stages of its life;

-          the capacity of the machine to implement its functions;

-          the usefulness of the machine in manufacturing processes;

-          the costs of constructing, operating and dismantling (scrapping) the machine.

In order to ensure permanent machine operation safety, it is important to use such safety measures which do not hinder and do not interfere with the operation of the machine in accordance with its intended use.

1.4      The use of permanent and movable guards

Guards, in order to be able to efficiently act as a safety measure decreasing the risk related to machine operation, should fulfil a series of requirements. The enclosures have to meet the same requirements as guards. The guard should be suitable for its intended use, that is to stop e.g. the parts which could be ejected from the machine, stop the emission of substances, decrease the noise emissions, decrease the radiation emissions, reduce the effects of explosion of materials present in the machine.

The guard should prevent access to the hazardous zone and ensure appropriate safety distance from this zone. The guard should not be removed or opened to perform adjustment, lubrication or maintenance actions. It should be designed and placed in a manner which prevents a person from being left in the hazard zone, should take into account the principles of ergonomics and should enable correct observation of the machinery process. Climbing on the guard should also be made difficult.

Detachable parts of the guard may be removed only with the use of a tool. Supporting elements of the guards, guard frames and filling materials should form a rigid and stable structure, and be resistant to deformation. Guards and their parts should be well fixed at anchoring points with appropriate durability, spacing and number, adequately to the expected load. Movable parts of the guards, such as hinges, guide bars, handles, hooks should be selected in a manner ensuring their reliable performance.

The guard itself should not create any hazards, its removable parts should have the dimensions and weight enabling their easy handling without excessive effort. It should not have any sharp edges or corners. Parts of the guard that cannot be moved or transported manually should be equipped or should have the ability to be equipped with appropriate lifting measures.

The guard should be durable over the entire life cycle, ensure appropriate level of hygiene and enable easy cleaning. Guard material should be resistant to predictable corrosive or oxidising agents from the product, process or environment, not be toxic in predictable conditions of use and be compatible with the process for which it is used and ensure electrostatic properties when required.

An electrically driven movable guard should not present a risk of injury as a result of pressure, force, speed or sharp edges. It should be designed in a manner which does not create crushing or gripping points. The closed position (not causing the stop) of the movable guard should be forced by gravity, a spring, a hook, a locking device or in another manner. Self-closing guards should not open wider than is required for the movement of the workpiece and should not be lockable in the open position.

The permanent guards (and enclosures) are used to restrict access to hazardous zones which do not require regular maintenance activities. Movable guards are usually connected with the function of machine start interlock or with the function of interlocking and locking in the open position.

Movable guards are used in the case of hazardous zones which require relatively rare operation, or in cases of problems with ensuring correct safety distance (locking guards, applies to cases of significant safety distance values resulting, for instance, from long machine after-running time), and also when other protective devices prove to be unsuitable for a given hazardous zone.

1.5      The use of protective devices for the implementation of safety functions

The implementation of a series of safety functions requires the use of protective devices, which are elements of equipment that detect hazards to human life and health. Currently, it is possible to use multiple types of protective devices which meet the requirements established for them and which are placed on the market. This chapter will present detecting protective devices, interlocking and locking devices associated with movable guards and two-hand control devices. Their tasks resulting from control-based machine safety assurance and the general principles of selection and installation will be discussed.

Protective devices are used in the implementation of safety functions as sensors which actively generate a signal showing that nothing has entered their detection zone, which equals the lack of hazard. The lack of this signal may be caused by the detection of a hazardous situation or other reasons, such as loss of power or the occurrence and detection of damage (the damage is not dangerous). In both these situations the SRCSE in which a protective device was used may implement the assumed safety function and maintain the machine in a safe state or make it enter a safe state.

1.6      Basic definitions of protective devices

Detecting protective devices — machinery equipment providing human detection or human body part detection, which generates an appropriate signal for the control system in order to reduce the risk of injury.

Electro-sensitive protective equipment — a set of devices and/or elements which operate jointly in order to ensure automatic protective shut-down or to ensure presence detection, containing at least: a (contactless) detection device, control and monitoring devices and output signal switching devices.

AOPD — a device where the detection function is performed by emitting and receiving optoelectronic elements which detect the interruption of a light beam generated inside the device by an opaque item present in a specific detection zone.

AOPDDR — a device where the detection function is performed by emitting and receiving optoelectronic elements which detect the reflection of diffused optical radiation generated by the device, caused by the presence of some item in a two-dimensional detection zone.

Pressure-sensitive protective equipment — a set of devices and/or elements which operate jointly in order to ensure automatic protective shut-down or to ensure presence detection, containing at least: a pressure reacting device, a control unit and one or more output signal switching devices.

Locking device (interlock) — a mechanical, electrical or other device intended to prevent the operation of elements of machinery in specific conditions (usually when the guard is not closed).

Guard locking device — the device intended for locking the guard in a closed position, connected to the machine control system in a manner ensuring that:

-          hazardous operation of the machine may not start earlier than after closing and locking the guard;

-          the guard remains closed (and locked) until the hazard-related risk stops;

Two-hand control device — a device which requires at least simultaneous activation with both hands in order to start any operation of the machine and to supervise it during the occurrence of a hazardous condition, protecting the activating person.

One-hand hold-to-run device — a device which requires one-hand activation and holding in order to start any operation of the machine — stopping the activation will result in immediately stopping machine operation.

1.7      Types of protective devices

The following basic types of protective devices can be distinguished:

-          detecting protective devices (e.g. light curtains, pressure-sensitive mats);

-          interlocking devices, and interlocking and locking devices (associated with movable guards);

-          safe activation devices (used to initiate hazard-causing machine movement);

Protective devices are usually present on the market as devices offered on their own. Machine designers, when designing the required safety functions, should appropriately select the devices, taking into account multiple factors, anticipate the possibilities of their installation within machinery and connect them appropriately to SRCSE circuits. Due to the special role of these devices in the implementation of safety goals, they are subject to the requirements of directive 2006/42/EC.

1.7.1    Detecting protective devices and their basic parameters

Detecting protective devices encompass machinery equipment with human detection or human body part detection, which generates an appropriate signal for the control system in order to reduce the risk of injury. The signal for the control system may be generated when a human or a human body part passes through a previously defined border of the hazard zone, or is present within, or in both cases.

There are two groups of detecting protective devices available currently:

-          electro-sensitive protective devices,

-          pressure-sensitive protective devices.

1.7.1.1    Electro-sensitive protective devices (ESPE)

Electro-sensitive protective devices (ESPE) are a very advanced and currently frequently used group of protective devices. This term covers a set of devices and/or elements which operate jointly in order to ensure automatic protective shut-down or to ensure presence detection, containing at least: a (contactless) detection device; control and monitoring devices and output signal switching devices, and optionally an auxiliary switching device. These devices may use various physical phenomena (e.g. electromagnetic microwave, infrared or visible light radiation, sound waves, including ultrasound, capacitance and inductance changes, etc.) in order to detect humans or human body parts. In current practice only active optoelectronic protective devices which use infrared radiation are permitted for use. Research is being conducted on other methods of human detection and the introduction of other types of protective devices to the market may be expected.

The basic standard containing requirements for the ESPE is PN-EN 61496-1:2014-02 Safety of machinery. Electro-sensitive protective equipment. Part 1: General requirements and tests. This group of devices contains:

-          active optoelectronic protective devices, which include light (safety) curtains (barriers) and light beam devices. The requirements for these devices are contained in the PN-EN 61496-2:2014-02 Safety of machinery. Electro-sensitive protective equipment. Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPD) standard;

-          active optoelectronic protective device responsive to diffuse reflection, which include laser scanners. The requirements for these devices are contained in the PN-EN 61496-3:2004 Safety of machinery. Electro-sensitive protective equipment. Part 3: Particular requirements for Active Opto-electronic Protective Devices responsive to Diffuse Reflection (AOPDDR) standard.

In the Active Opto-electronic Protective Devices (AOPD), the technical implementations of which include light curtains and beams, the detection function is implemented using emitting and photo-sensitive opto-electronic elements operating within the infrared radiation band (invisible to human eye). Interruption of the light beam between the transmitter and receiver by an opaque object is an event which generates the detection signal. In a light beam device one emitting and one photosensitive element is used, forming a light beam line, the section of which forms the detection zone. In a light curtain, units of emitting (transmitter) and photosensitive (receiver) elements are placed within the lines of enclosures. Parallel placement of the enclosures establishes the plane of the light curtain, over which a two-dimensional detection zone is present. The use of appropriate mirrors enables bending the light beam line or light curtain plane and creating folded detection zones. Figure 2.1 presents examples of AOPD (light curtain and beam), which are manufactured as a set of two elements: transmitter and receiver.

Figure 2.2 presents the principle of creating a light curtain detection zone through the use of multiple single infrared radiation transmitter-receiver lines. The possibility of bending the light curtain detection zone using mirrors is presented in figure 2.3.

Fig. 1 Examples of active opto-electronic protection devices (AOPD):
a) light curtain, b) light beam

Fig. 2 Principle of creating a light curtain detection zone

Fig. 3 Bending the light curtain detection zone using mirrors

In active opto-electronic protective devices responsive to diffuse reflection (AOPDDR), the technical implementation of which is a laser scanner, the detection function is implemented in an integrated opto-electronic transceiver module. The emitted infrared radiation pulses reflect from the objects in the vicinity and return to the receiver in the form of diffuse radiation. The distance to the surrounding items is calculated from the time required for the radiation to return. The rotation of a special prism which sends out radiation pulses and collects returning diffuse radiation enables the measurement of distance in various directions (scanning method). The measured distances are compared to the distance to the end of the detection zone, independently for each direction in which the measurement is made. When the distance measurement result in any direction is lower than the distance to the detection zone border, a detection signal is generated. An example of an AOPDDR protective device is a laser scanner constructed in the form of a single head, which integrates the transmitter and receiver sub-assemblies (fig. 4).

Fig. 4 An example of active optoelectronic protective device responsive to diffuse reflection AOPDDR (laser scanner)

The AOPDDR detection zone is a fragment of the scanning plane. It may have various shapes (e.g. rectangle, fragment of a circle, figure bounded by a broken curve and various combinations of these figures). The AOPDDR detection zone may be shaped (programmed using special software) within the range of the device, keeping to the required rule of a single boundary point for every scanning direction. Due to the lack of a visible limit of the programmed detection zone, an additional warning zone is usually programmed around the detection zone proper. Entering the warning zone triggers a warning signal which notifies of the proximity of the detection zone, which frequently prevents accidental stopping of the machine. The principle of establishing the detection and warning zones is presented in fig. 5.

Fig. 5 The principle of establishing the detection and warning zones in AOPDDR
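The per-direction comparison and the warning zone described above, as an added Python example (not code from the original text or from any scanner manufacturer). The rectangular zone shape, the 15-degree scan step, the zone dimensions, the function names and the treatment of a missing reading as a detection are assumptions made for the illustration.

```python
import math

CLEAR, WARNING, DETECTION = "CLEAR", "WARNING", "DETECTION"


def rect_boundary_mm(angle_deg, half_width_mm, depth_mm):
    """Distance from the scanner to the edge of a rectangular zone along one
    scanning direction (0 deg = straight ahead, +/-90 deg = along the wall).
    The scanner is assumed to sit in the middle of the rectangle's near edge,
    so every direction has exactly one boundary point."""
    theta = math.radians(angle_deg)
    c, s = math.cos(theta), abs(math.sin(theta))
    candidates = []
    if c > 1e-9:                      # ray can reach the far edge
        candidates.append(depth_mm / c)
    if s > 1e-9:                      # ray can reach a side edge
        candidates.append(half_width_mm / s)
    return min(candidates)


def build_zone(angles_deg, half_width_mm, depth_mm):
    """One boundary distance per scanning direction."""
    return {a: rect_boundary_mm(a, half_width_mm, depth_mm) for a in angles_deg}


def evaluate_scan(scan_mm, detection_zone, warning_zone):
    """Compare each measured distance with the zone border for its direction.

    Any direction closer than the detection border gives DETECTION.
    A direction with no reading is treated as DETECTION as well (assumption:
    a measurement that cannot be trusted must not keep the output ON).
    Otherwise any direction inside the warning border gives WARNING."""
    state = CLEAR
    for angle, limit in detection_zone.items():
        measured = scan_mm.get(angle)
        if measured is None or measured < limit:
            return DETECTION
        if measured < warning_zone[angle]:
            state = WARNING
    return state


# Constructed configuration: 2 m x 2 m detection zone, 0.5 m warning margin.
ANGLES = range(-90, 91, 15)
DETECTION_ZONE = build_zone(ANGLES, half_width_mm=1000, depth_mm=2000)
WARNING_ZONE = build_zone(ANGLES, half_width_mm=1500, depth_mm=2500)


def constructed_scan(objects=None, background_mm=8000.0):
    """Constructed sample scan: far background plus optional nearer objects,
    given as {angle_deg: distance_mm}."""
    scan = {a: background_mm for a in ANGLES}
    scan.update(objects or {})
    return scan


if __name__ == "__main__":
    for objects in (None, {0: 2200.0}, {45: 1800.0}, {45: 1300.0}, {30: None}):
        result = evaluate_scan(constructed_scan(objects), DETECTION_ZONE, WARNING_ZONE)
        print(objects, "->", result)
```

Note that an object at 45 degrees and 1300 mm is inside the detection zone although it is nearer than the 2000 mm depth would suggest only straight ahead: the border distance differs for every direction.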

The basic ESPE elements include:

-          detection device — the ESPE part which uses electro-sensitive methods to establish an event or condition which is supposed to be detected by the ESPE, e.g. in an opto-electronic device, the detection function may detect an opaque object entering the detection zone;

-          control/monitoring device — the ESPE part which receives and transforms information from the detection device, and then supplies signals to the output signal switching devices (OSSD) and monitors the detection device and the OSSD;

-          output signal switching device (OSSD) — the ESPE part connected to the control system which, when the detection device is activated, during normal operation reacts by switching to an OFF state;

-          auxiliary signal switching device (SSD) — optional device, which in the locked state performs an auxiliary safety function by going into the switched-off state and initiating an appropriate machine control action, e.g. disconnection of an auxiliary control element of the machine from power supply.

Characteristic ESPE parameters include:

-          detection threshold — the limit value of the sensitivity function parameter which will activate the ESPE, as provided by the manufacturer. For the AOPD and AOPDDR, the detection threshold is equal to the diameter of an opaque cylinder (tester) which will activate the detection device after it is placed in the detection zone;

-          detection zone — an area, within which the tester is detected by the ESPE;

-          activation time — the maximum time between an event which activates the detection device and the OSSD achieving a deactivation state;

-          effective aperture angle (EAA) — maximum angle of deflection from the optical alignment of the emitting and receiving element(s) at which AOPD will continue normal operation (applies only to AOPD);

-          tolerance zone — zone outside of the detection zone necessary to reach the required probability of detection of a specific tester inside an appropriate detection zone (applies only to the AOPDDR);

Another important parameter is also the ESPE type, which determines its behaviour in case of a defect. Four various types of ESPE have been established, marked by digits from 1 (lowest resistance to defects) to 4 (highest resistance to defects). The AOPD is usually constructed as type 2 or type 4 devices. For the AOPDDR a type 3 device is required. In the PN-EN 61496 standard series, requirements for type 1 were not formulated. Type 1 is planned for electro-sensitive protective devices with relatively low resistance to defects, for which the requirements will be established in the future.

The basic function of the electro-sensitive protective equipment is the detection of a situation where an object with dimensions larger than the detection threshold is found within the detection zone. When this occurs, the OSSD should switch to an OFF state (interruption of the output circuit), as signalled by a red indicator switching on. The occurrence and detection of an internal defect and lack of power should also lead to an OFF state. When no intrusion into the detection zone occurs, there are no internal defects and the supply voltage is switched on, the OSSD can switch to an ON state (output circuit closed, signalled by a green indicator).

ESPE may also perform additional functions, such as:

-          start interlock — a function which prevents automatic start of the machine after power supply to the ESPE is switched on or interrupted and restarted;

-          restart interlock — a function which prevents repeated automatic restart of the machine after the detection device activates during a dangerous phase of the machine operational cycle, after the machine operation mode changes, and after the machine start control measures change;

-          temporary muting of the detection function — temporary automatic muting of the safety function by the safety-related parts of the control system;

-          external device monitoring (EDM) — the means for ESPE to monitor the condition of control devices external to it;

-          stopping performance monitor (SPM) — the means for monitoring whether a total stop may or may not be performed within a previously established limit(s);

-          initial test — a manual or automatic test function which is performed after the ESPE power supply is switched on, and before normal operation of the machine is initiated, in order to test its entire safety-related control system;

-          local blanking of the detection function — applies only to light curtains and means establishing a fragment of a detection zone, in which the detection function may be temporarily inactive (e.g. during the transportation of material through the detection zone).
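The OSSD behaviour and the start and restart interlock functions described above, as an added Python model (not code from the original text or from any ESPE manufacturer). The manual reset input, its rising-edge handling, the release of the interlock only while the zone is clear, and all class and field names are assumptions made for the illustration.

```python
from dataclasses import dataclass

OFF, ON = "OFF", "ON"


@dataclass
class Inputs:
    """Constructed input sample for one evaluation cycle."""
    powered: bool = True
    zone_clear: bool = True
    internal_fault: bool = False
    reset_pressed: bool = False


class EspeModel:
    """Simplified ESPE output logic.

    OSSD is ON only when the supply is present, the detection zone is clear
    and no internal defect is detected. With the interlocks enabled, the
    OSSD additionally stays OFF after power-up (start interlock) or after a
    detection (restart interlock) until a manual reset is given."""

    def __init__(self, start_interlock=True, restart_interlock=True):
        self.start_interlock = start_interlock
        self.restart_interlock = restart_interlock
        self._was_powered = False
        self._locked = False        # interlock latched, waiting for reset
        self._prev_reset = False
        self.ossd = OFF

    def step(self, inp):
        # Accept a reset only on a rising edge, so a held or stuck
        # reset button cannot release the interlock by itself.
        reset_edge = inp.reset_pressed and not self._prev_reset
        self._prev_reset = inp.reset_pressed

        if not inp.powered:
            self._was_powered = False
            self._locked = False
            self.ossd = OFF
            return self.ossd

        if not self._was_powered:   # supply switched on or restored
            self._was_powered = True
            self._locked = self.start_interlock

        if not inp.zone_clear or inp.internal_fault:
            self._locked = self._locked or self.restart_interlock
            self.ossd = OFF
            return self.ossd

        if self._locked and reset_edge:
            self._locked = False
        self.ossd = OFF if self._locked else ON
        return self.ossd


def run(model, sequence):
    """Feed a sequence of Inputs and return the OSSD state after each cycle."""
    return [model.step(i) for i in sequence]


# Constructed scenario: power-up, reset, intrusion, zone cleared, reset,
# power loss, power return, reset, internal defect.
SCENARIO = [
    Inputs(),
    Inputs(reset_pressed=True),
    Inputs(zone_clear=False),
    Inputs(),
    Inputs(reset_pressed=True),
    Inputs(powered=False),
    Inputs(),
    Inputs(reset_pressed=True),
    Inputs(internal_fault=True),
]

if __name__ == "__main__":
    print("with interlocks:   ", run(EspeModel(), SCENARIO))
    print("without interlocks:", run(EspeModel(False, False), SCENARIO))
```

Running the same scenario with both interlocks disabled shows the automatic return to ON after the zone clears and after power returns, which is exactly what the two functions exist to prevent.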

1.7.1.2    Pressure-sensitive protective devices (PSPE)

There are the following three groups of pressure-sensitive protective devices:

-          pressure-sensitive mats and floors — covered by the PN-EN ISO 13856-1:2013-08 Safety of machinery. Pressure-sensitive protective devices. Part 1: General principles for design and testing of pressure-sensitive mats and pressure-sensitive floors standard;

-          pressure-sensitive edges and bars — covered by the PN-EN ISO 13856-2:2013-08 Safety of machinery. Pressure-sensitive protective devices. Part 2: General principles for design and testing of pressure-sensitive edges and pressure-sensitive bars standard;

-          pressure-sensitive bumpers, plates, wires and similar devices — covered by the PN-EN ISO 13856-3:2013-11 Safety of machinery. Pressure-sensitive protective devices. Part 3: General principles for design and testing of pressure-sensitive bumpers, plates, wires and similar devices standard;

Pressure-sensitive devices are used within a wide scope of applications and in various conditions, for example under extreme loads or exposure to the impact of adverse weather, electric, mechanical and chemical environmental conditions. They are connected to the machinery control systems in a manner which ensures the switch-over (return) of the machine to a safe state after the device activates. The protective action of pressure-sensitive devices consists of detecting pressure (force), which may indicate a presence of a human or a human body part in the zone under supervision. In these devices two basic functional elements can be distinguished (which may be a single united element or may be composed of multiple parts):

-          sensor — a part of the protective device which contains an effective sensitivity area, which after applying an initiating force will result in a signal sent to a control unit, and

-          control unit — a device which reacts to the condition of the sensor (sensors) and controls the condition of the device (devices) which switches the output signal (OSSD). The control unit may also supervise the operation of the sensor, may contain elements for the processing of the reset signal (restoring the OSSD switched on condition after specific conditions are met), and in some cases may be integrated with the machine’s control system.

The pressure-sensitive protective devices may be electronic, electromechanical, hydraulic, pneumatic, fibre optic-based or of another construction.

Individual types of pressure-sensitive devices are defined as follows:

-          pressure-sensitive mat — a protective device which detects a person standing on or walking onto it. In this device, an effective sensitivity area will undergo local deformation, which will activate the sensor (sensors);

-          pressure-sensitive floor — a protective device which detects a person standing on or walking onto it. In this device, an effective sensitivity area moves as a whole (unlike a mat, which undergoes local deformation), which will activate the sensor (sensors);

-          pressure-sensitive edge — a protective device which detects a human or a human body part, the sensor of which has the following characteristics: the length is greater than width, the effective sensitivity area cross-section is constant, the cross-section width exceeds 8 mm, the effective sensitivity area is locally deformed in order to activate the sensor;

-          pressure-sensitive bar — a protective device which detects a human or a human body part, the sensor of which has the same size characteristics as the edge, but for which the effective sensitivity area moves as a whole in order to activate it;

-          pressure-sensitive bumper — a protective device, the sensor of which has the following characteristics: the cross-section through the effective sensitivity area may be regular or irregular, the cross-section width usually exceeds 80 mm, the effective sensitivity area may be locally deformed or may move as a whole;

-          pressure-sensitive plate — a protective device, the sensor of which has the following characteristics: the area of the effective sensitivity is usually, but not necessarily flat, the width of this area usually exceeds 80 mm, the area moves as a whole;

-          pressure-sensitive wire — a protective device, the sensor of which has the following characteristics: the wire, line, cord or cable is under tension, a change in the line tension is detected (based on deflection) and on this basis an output signal is generated.

The following definitions and characteristic parameters are associated with pressure-sensitive protective devices:

-          initiating force — the force acting on the effective sensitivity area, which causes the OSSD to switch to an OFF state when specific conditions are met;

-          effective sensitivity area — a part of the upper surface of the sensor or set of sensors, specified by the manufacturer, where the use of the initiating force results in the OSSD switching to an OFF state (for pressure-sensitive edges and bars the length of the effective sensitivity area is also established);

-          effective operation direction (angle) — the direction (angle) of application of the initiating force, which results in sensor activation;

-          activation path — the distance taken by an object acting on the sensor, measured in the direction the initiating force is applied, from the effective sensor surface contact point to the point where the OSSD switches to an OFF state;

-          activation time — time between the beginning of force application to the effective sensitivity area and the beginning of the OSSD being in an OFF state;

-          dead zone — the part of the upper sensor zone located outside of the effective sensitivity area;

-          reset — a function which enables the OSSD ON state being restored when specific conditions are met.

The activation time of a pressure-sensitive mat or floor should be specified by the manufacturer and should not exceed 200 ms. In the case of a pressure-sensitive mat or floor equipped with a reset capability, the reset signal should be entered manually to the protective device control unit, or alternatively through the machine control system. Resetting should fulfil two functions: start interlock and restart interlock. In the case of pressure-sensitive mats and floors, the possibility of the sensor being locked by dirt or production waste should be taken into account. Similar requirements apply to the remaining pressure-sensitive protective devices.

With regard to defect resistance, the pressure-sensitive protective devices should meet the requirements of the category for which they were specified and marked (acc. to the PN-EN ISO 13849-1:2008 standard). The requirements of category 1 should be met as a minimum.

Examples of pressure-sensitive protective devices are presented in figure 2.6.

Fig. 6 Examples of pressure-sensitive protective devices: a) mat b) edge c) bumper

1.8      Safety distance

Detecting protective devices are frequently used to implement an automatic stop (switching off) safety function. This function is activated while a hazard is present (the machine is operating): entering the detection zone activates the protective device and triggers actions which lead to the cessation of the hazard (the machine is stopped). The cessation of the hazard is never immediate — it is accompanied by a time delay, called the after-running time, which is the maximum time elapsed from the activation of the protective device until the hazard is completely eliminated. This time is a sum of two values:

T = t1 + t2

where:   t1 — maximum machine reaction (after-running) time

              t2 — detecting protective device activation time

Due to the after-running time, the protective device may not be located at the edge of the actual hazard zone, since the protective action of the safety function would always be late by the after-running time. For this reason the activation of the detecting protective device should occur in advance of the actual ingress into the hazard zone. This is achieved through the placement of protective devices at a certain minimum distance from the actual hazard zone, referred to as the safety distance (fig. 7). This distance is established according to the general formula:

S = (K x T) + C

where:  S — safety distance

              K — approach speed

              T — machine after-running time

              C — additional distance

Fig. 7 Safety distance

The approach speed is the maximum speed of a human or human body part which can be achieved in some specific conditions, in the direction of the shortest path towards the hazard zone. It is assumed to be 1.6 m/s for a walking human and 2.0 m/s for a hand movement. If the analysis of the hazard situation indicates the possibility of an employee running or moving on another device (e.g. riding a bicycle), then appropriately higher approach speeds should be used to calculate the safety distances.

The value of the additional distance is related to the detection threshold of the detecting protective device. The detection threshold of the protective device establishes the minimum physical conditions (e.g. the size of the object entering the detection zone) required to achieve its reliable activation. This raises, depending on the method of detection, the possibility of partial ingress into the protective device detection zone without it being activated. The maximum possible distance of such an ingress which may occur in specific conditions is assumed as the additional distance.

When calculating the safety distance, the type of detecting protective device, its location and placement above the floor level, detection threshold and other factors depending on the hazardous situation should be taken into account. A series of detailed indications concerning this issue and of tested calculation formulae are available in the PN-EN ISO 13855:2010 Safety of machinery. Positioning of safeguards with respect to the approach speeds of parts of the human body standard.
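The calculation above can be turned into an installation check, shown here as an added example that is not part of the original text. It applies S = (K x T) + C with T = t1 + t2 and also inverts the formula to give the longest machine reaction time t1 that an already installed distance still tolerates, which is the figure to compare against periodic stop-time measurements. The device labels, field names and sample values are constructed for illustration; C is treated as an input to be taken from PN-EN ISO 13855.

```python
from dataclasses import dataclass

K_WALKING_MM_S = 1600        # page: 1.6 m/s for a walking human
K_HAND_MM_S = 2000           # page: 2.0 m/s for a hand movement
MAT_MAX_ACTIVATION_MS = 200  # page: mat/floor activation time should not exceed 200 ms


@dataclass
class Installation:
    name: str
    device: str        # "mat" or "light_curtain" (labels assumed for this example)
    k_mm_s: int        # K, approach speed
    t1_ms: int         # t1, maximum machine reaction (after-running) time
    t2_ms: int         # t2, detecting protective device activation time
    c_mm: int          # C, additional distance (input, see PN-EN ISO 13855)
    installed_mm: int  # measured distance from detection zone to hazard zone


def required_distance_mm(inst):
    """S = (K x T) + C, with T = t1 + t2 converted from ms to s."""
    t_ms = inst.t1_ms + inst.t2_ms
    return inst.k_mm_s * t_ms / 1000 + inst.c_mm


def max_reaction_time_ms(inst):
    """Largest t1 for which the installed distance is still sufficient."""
    return (inst.installed_mm - inst.c_mm) * 1000 / inst.k_mm_s - inst.t2_ms


def assess(inst):
    """Return S, the margin, the tolerated t1 and a list of findings."""
    s_mm = required_distance_mm(inst)
    findings = []
    if inst.installed_mm < s_mm:
        findings.append("installed distance below S")
    if inst.device == "mat" and inst.t2_ms > MAT_MAX_ACTIVATION_MS:
        findings.append("mat activation time above 200 ms")
    return {
        "S_mm": s_mm,
        "margin_mm": inst.installed_mm - s_mm,
        "t1_max_ms": max_reaction_time_ms(inst),
        "findings": findings,
    }


# Constructed sample installations (not measurements from a real machine).
SAMPLES = [
    Installation("mat-ok", "mat", K_WALKING_MM_S, 300, 150, 1200, 2000),
    Installation("curtain-close", "light_curtain", K_HAND_MM_S, 120, 20, 128, 350),
    Installation("mat-slow", "mat", K_WALKING_MM_S, 200, 250, 1200, 2000),
]


def report():
    return {inst.name: assess(inst) for inst in SAMPLES}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

A negative margin means the hazard can be reached before the machine has stopped; a measured t1 above `t1_max_ms` means the same installation has drifted out of its safe range.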

1.9      Interlocking devices and interlocking and locking devices associated with movable guards

The interlocking devices and interlocking and locking devices associated with movable guards should fulfil the requirements of the PN-EN ISO 14119:2014-03 Safety of machinery. Interlocking devices associated with guards. Principles for design and selection standard. The PN-EN 953+A1:2009 Safety of machinery. Guards. General requirements for the design and construction of fixed and movable guards standard is also useful for those devices.

The interlocking device (without locking) always enables opening of the movable guard. When the guard is closed, the interlocking device generates an active signal which permits the dangerous movements of the machinery. The guard equipped with an interlocking device should implement the following safety functions:

-                the hazardous machinery functions which are “supervised” by the guard may not be started before the guard is closed (start interlock);

-                opening the guard during a hazardous machinery function will result in the generation of a signal which commences the stop procedure (automatic stop);

-                the hazardous machinery functions which are “supervised” by the guard may be performed when the guard is closed, but the closing of the guard itself will not start them;

The interlocking device with a lock keeps the guard closed. There are two types of such devices, where the unlocking:

-                may be initiated by an operator at any time (unconditional unlocking);

-                is possible only when the condition of hazard cessation is met (conditional unlocking);

In case of conditional unlocking, the guard equipped with an interlocking and locking device should implement the following safety functions:

-                the hazardous machinery functions which are “supervised” by the guard may not be started before the guard is closed and locked (start interlock);

-                the guard remains closed (and locked) until the hazard stops;

-                the hazardous machinery functions which are “supervised” by the guard may be performed when the guard is closed and locked, but the closing and locking of the guard itself will not start them;
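The safety functions listed above for a guard with an interlocking device, and for a guard with an interlocking and locking device with conditional unlocking, can be modelled as a small state machine. This is an added example, not part of the original text and not certified safety logic; the class, method and attribute names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class InterlockedGuard:
    has_lock: bool                 # True: interlocking and locking device
    closed: bool = False
    locked: bool = False
    run_cmd: bool = False          # hazardous function is commanded to run
    hazard_present: bool = False   # hazard persists during after-running

    def close(self):
        # Closing the guard never starts the hazardous function by itself.
        self.closed = True

    def lock(self):
        if self.has_lock and self.closed:
            self.locked = True
        return self.locked

    def start(self):
        # Start interlock: guard closed, and locked where a lock is fitted.
        permitted = self.closed and (self.locked or not self.has_lock)
        if permitted:
            self.run_cmd = True
            self.hazard_present = True
        return permitted

    def stop(self):
        # Stop command; the hazard remains until standstill is reported.
        self.run_cmd = False

    def standstill(self):
        # Called when standstill is detected (e.g. by a zero speed sensor).
        if not self.run_cmd:
            self.hazard_present = False

    def unlock(self):
        # Conditional unlocking: only after the hazard has ceased.
        if self.locked and self.hazard_present:
            return False
        self.locked = False
        return True

    def open(self):
        if self.locked:
            return False
        self.closed = False
        if self.run_cmd:
            self.run_cmd = False   # automatic stop on opening
        return True


if __name__ == "__main__":
    guard = InterlockedGuard(has_lock=True)
    guard.close()
    guard.lock()
    print("start:", guard.start())                    # True
    print("unlock while running:", guard.unlock())    # False
    guard.stop()
    guard.standstill()
    print("unlock after standstill:", guard.unlock()) # True
```

Without a lock, opening the guard only commands the stop and `hazard_present` stays true until standstill, which is why such a guard has to be placed with the after-running time in mind.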

If the stop signal is generated by a single sensor (switch), a sensor switched in a forced mode should be used. Switching in a non-forced mode is allowed only in combination with a sensor switched in a forced mode.

In electronic interlocking devices and interlocking and locking devices, position switches (limit switches, roller switches) are used, as well as keyed devices (interlocking, interlocking with locking) which may contain a single forced mode NC contact, or two contacts: forced NC and non-forced NO contact. The use of non-mechanically switched contacts (proximity, magnetic contacts) requires the use of additional measures to increase resistance to defects (special systems for monitoring the functionality). The manufacturers of these devices usually provide solutions which enable obtaining systems with a specific category of resistance to defects.

Examples of interlocking devices, and interlocking and locking devices associated with movable guards are presented in figure 2.8.

Fig. 8 Interlocking devices, and interlocking and locking devices associated with guards:
a) limit position switch, b) roller position switch, c) keyed interlocking device, d) keyed interlocking and locking device

 

1.10   Safe activation devices

The safe activation devices force the operator to assume a position where the risk of injury is minimised. For safe operation, the following are used:

-                two-hand control devices,

-                one-hand hold-to-run devices.

1.11   Two-hand control devices

Two-hand control devices are commonly used to start the operating movements of particularly dangerous machinery (e.g. presses, cutters). The requirements for such devices are established in the PN-EN 574+A1:2010 Safety of machinery. Two-hand control devices. Functional aspects. Principles for design standard. These devices supplement the implementation of presence-establishing safety functions, but the essence of their operation is opposite to the typical use of electro-sensitive or pressure-sensitive protective devices. The simultaneous activation of control elements with both hands is a positive signal for commencing the dangerous movement of the machine.

The two-hand control device is defined as a device which requires at least simultaneous activation with both hands in order to start any operation of the machine and to supervise it during the occurrence of a hazardous condition, protecting the activating person. In this device, external input signals are initiated by hands acting on control elements (e.g. buttons) connected to signal transducers (e.g. contact elements). Signals from the transducers are sent to a logic signal processing system which implements the two-hand control function and related safety functions and generates the signal sent further on to the machine control system.

The following safety functions are connected with the two-hand control device (implemented within the device):

-                use of both hands — the operator should use both hands simultaneously to activate the two-hand control device, one hand for one control element;

-                interdependence between the input signals and the output signal — sending the input signal simultaneously to each of the two control elements should initiate and maintain the output signal from the two-hand control device only while both input signals are maintained;

-                cancellation of the output signal — releasing of one or both control elements should initiate the cancellation of the output signal;

-                prevention of accidental operation — through appropriate design solutions of the two-hand control device, minimum force and travel required to activate the control devices;

-                prevention of circumvention — through the appropriate placement of control elements and through additional measures;

-                repeated initiation of the input signal — it should be possible only after both control devices are released, which prevents the attempts of using the device as a one-hand device;

-                activation method — simultaneous or synchronous;

Prevention of circumvention requires analysing the possibility of the device being activated with one hand, with a hand and/or another body part and/or simple measures like bridges, cords, adhesive tape. Prevention measures include: appropriate spacing of the control elements, the use of one or more barriers between the control elements, control element shielding (collars), control elements with different methods and directions of activation.

There are two methods of activation used in two-hand control devices: simultaneous or synchronous. In simultaneous activation, the activating output signal appears after both control elements are activated at the same time, regardless of the value of the delay between the activation of the first and the second input signal. Synchronous activation is a special case of simultaneous activation, where the delay between the activation of the first and the second input signal is lower than 0.5 s. Synchronous activation provides better protection, since it prevents an activation attempt by two different persons.
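The logic described above (interdependence of inputs and output, cancellation on release, repeated initiation only after both control elements are released, and simultaneous versus synchronous activation) is sketched below as an added example that is not part of the original text and is not certified safety logic. The class, method and element names and the event traces are constructed for illustration.

```python
from dataclasses import dataclass, field

SYNC_WINDOW_S = 0.5  # page: synchronous activation needs a delay lower than 0.5 s


@dataclass
class TwoHandControl:
    synchronous: bool = True
    pressed: dict = field(default_factory=lambda: {"left": False, "right": False})
    press_time: dict = field(default_factory=lambda: {"left": None, "right": None})
    output: bool = False
    armed: bool = True  # True only after both control elements were released

    def step(self, t, element, is_pressed):
        """Feed one input change (t in seconds) and return the output signal."""
        if element not in self.pressed:
            raise ValueError(f"unknown control element: {element}")
        if self.pressed[element] == is_pressed:
            return self.output  # no state change, nothing to evaluate
        self.pressed[element] = is_pressed
        self.press_time[element] = t if is_pressed else None

        if not all(self.pressed.values()):
            # Cancellation: releasing one or both elements removes the output.
            self.output = False
            if not any(self.pressed.values()):
                self.armed = True  # both released, a new initiation is allowed
            return self.output

        # Both elements are now pressed.
        if self.armed:
            delay = abs(self.press_time["left"] - self.press_time["right"])
            self.output = (not self.synchronous) or delay < SYNC_WINDOW_S
        self.armed = False  # a failed or used attempt needs a full release
        return self.output


def run(events, synchronous):
    """Replay (time, element, pressed) events and collect the output after each."""
    device = TwoHandControl(synchronous=synchronous)
    return [device.step(t, element, state) for t, element, state in events]


# Constructed trace: normal cycle, re-press of one element, full release, new cycle.
NORMAL = [(0.0, "left", True), (0.2, "right", True), (3.0, "right", False),
          (3.5, "right", True), (4.0, "left", False), (4.1, "right", False),
          (5.0, "right", True), (5.3, "left", True)]

# Constructed trace: one element held down permanently (the circumvention case
# the text lists), the other one operated normally.
HELD_DOWN = [(0.0, "left", True), (5.0, "right", True),
             (6.0, "right", False), (7.0, "right", True)]

if __name__ == "__main__":
    print(run(NORMAL, synchronous=True))
    print(run(HELD_DOWN, synchronous=False))
    print(run(HELD_DOWN, synchronous=True))
```

With simultaneous activation the held-down element still yields one cycle before the repeated-initiation rule blocks it; with synchronous activation it yields none.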

The behaviour of individual components of a two-hand control device in case of a defect should be in accordance with the selected defect resistance category according to the PN-EN ISO 13849-1:2008 standard.

The types of two-hand control devices and minimum requirements concerning the implemented safety functions and the provided categories are listed in table 2.1.

Table 2.1. Types of two-hand control devices.

| Minimum requirements concerning the implemented safety functions | Type I | Type II | Type IIIA | Type IIIB | Type IIIC |
|---|---|---|---|---|---|
| Use of two hands (simultaneous activation) | x | x | x | x | x |
| Dependency between the input signals and the output signal | x | x | x | x | x |
| Input signal cancellation | x | x | x | x | x |
| Prevention of accidental activation | x | x | x | x | x |
| Circumvention prevention | x | x | x | x | x |
| Repeated initiation of the input signal | x | x | x | x | x |
| Synchronous activation | *) | x | x | x | x |
| Applying the requirements of category 1 (PN-EN 954-1) | x |  | x |  |  |
| Applying the requirements of category 3 (PN-EN 954-1) |  | x |  | x |  |
| Applying the requirements of category 4 (PN-EN 954-1) |  |  |  |  | x |

*) Depending on the risk assessment result


The two-hand control device is a protective device only for one person, since only the activating person is in a position which guarantees safety as a result of its location. The remaining personnel in the vicinity of the machine are not protected by the use of a two-hand control device. That is why two-hand control devices should not be the only protective device in high-risk machinery.

An example of a two-hand control device is presented in figure 2.9.

Fig. 9 Two-hand control device: a) control elements, b) logic system

1.12   One-hand hold-to-run devices

A one-hand hold-to-run device is implemented using typical control elements, as a safety-related control function. The one-hand activation control function should ensure:

-                start and operation of the accident risk-related machine only after activation and after one hand is used to hold the activation element,

-                immediate stop of machine operation after actuation of the control element is stopped.

1.13   The general principles of protective devices selection and installation

Ensuring machine operation safety using measures associated with the application of control and protective devices should result from risk assessment and be a part of an iterative risk reduction process. The use of protective devices is justified and appropriate in machinery which requires the operator to have frequent access to a hazardous zone (e.g. to an operating zone) or to cooperate with the machine during process-related operations, where it is necessary to be able to observe the machine and technological process, or where it is difficult to install permanent guards. Some characteristic features of the machine may prevent the use of protective devices as the only safety measure; the use of additional safety measures may thus be required.

The process of selection of protective devices should be conducted in order to select the most appropriate protective device and accompanying safety measures and should take into account:

-                machine features,

-                environmental features,

-                safety functions,

-                human characteristics,

-                characteristic parameters of electronic protective devices.

The machine features may exclude the possibility of using some types of protective devices, e.g. due to:

-                the possibility of ejection of the processed material, cuttings or element parts,

-                presence of a thermal radiation or other type of radiation,

-                exceeding the allowable noise level,

-                the possibility of adverse environmental impact on their operation,

-                lack of possibility of ensuring machine safety during the process cycle, caused by: the nature of the process (e.g. stopping it could result in an additional hazard), the method used to power the machine (e.g. a rotating spline clutch is used, which may be decoupled only after the operational cycle is finished), or due to the energy stored (e.g. in the form of pneumatic or hydraulic pressure in tanks),

-                the machine stop time (required to achieve a safe state) which does not meet the conditions for the installation of protective devices, as a result of its design solutions (this may be related to: the construction of a stop system in a technology which is not adapted to operation with the protective device or with significant delays, and also with insufficient braking of operational movements resulting from variable speed, load or inertia).

Environmental factors may restrict the functionality of some types of protective devices. For example strong visible radiation may exclude the use of electro-sensitive protective devices. When selecting protective devices, the following environmental factors (and others) should be taken into account:

-                electromagnetic fields, including: electrostatic discharges, radio frequencies (e.g. mobile phone radiation);

-                vibrations and impacts;

-                local lighting, including: daylight, infrared radiation (for example from remote control devices), reflective surfaces;

-                pollution, including: water, dust, corrosive chemicals;

-                temperature;

-                humidity;

-                weather conditions;

-                ionizing radiation.

Special and additional requirements related to the environmental features should also be taken into account, for example ones resulting from:

-                operating machinery outdoors (e.g. outside of buildings or other structures which may protect against the environment);

-                using, processing or manufacturing potentially explosive materials (e.g. paints or dusts which occur as a side effect of sawing);

-                operating machinery in a potentially explosive or flammable atmosphere;

-                special risk of accidents occurring during the manufacture or use of specific materials;

-                using machines in mines.

Detecting protective devices may be used to implement automatic shut-down safety functions, start interlock safety functions or both at the same time.

When selecting protective devices, the features of the human body have to be taken into account with regard to:

-                speed and direction of approach to the hazard zone;

-                detected body part (e.g. finger, hand, upper extremity, lower extremity, entire body detection);

-                human-machine cooperation;

Moreover the positioning of protective devices depends significantly on the listed factors. These devices should be also selected and placed in a manner which minimises the possibility of exposure to hazards by bypassing them, for example:

-                access to the hazard zone above, under or around the detection zone;

-                bending above the detection zone;

-                walking above the detection zone;

-                standing astride the detection zone;

-                changing the position of the sensor elements of the protective equipment;

-                reflection of light beams using reflective surfaces, which modifies the detection zone of electro-sensitive protective devices;

-                remaining in the hazard zone outside of the detection zone.

The expected degree of risk reduction related to the safety functions and protective devices used should be adequate to the obtained defect resistance of the system (category, type).

The selection of protective devices should also be preceded by the analysis of accidents which have occurred on similar machinery or in similar hazardous situations.

1.14   Safety functions

The elements of the control system which participate in the implementation of at least one safety function are included in the SRCSE category. The SRCSE may be constructed using various technologies of implementation and may operate using various types of energy (mechanical, pneumatic, hydraulic, and electric, electronic and programmable electronic (E/E/PE) systems). In the SRCSE structure, just like in typical control systems, the following elements may be distinguished: sensors, logic systems and actuator elements (fig. 10).

Fig. 10 General SRCSE structure

The elements which are used as sensors in SRCSE (sources of safety signals) include:

-                detecting protective devices (electro-sensitive and pressure-sensitive);

-                interlocking devices (associated with guards);

-                two-hand control devices (used to initiate dangerous movements of the machine);

-                emergency stop devices;

-                power supply parameter sensors;

-                physical parameter sensors;

-                limit sensors (switches);

-                zero speed sensors;

-                control elements used to start, stop, select the mode of operation, manually cancel (reset) the interlock function;

The SRCSE logic systems may be implemented using relays, semiconductor logic modules and programmable logic controller (PLC) modules, or using pneumatic or hydraulic logical blocks, switching blocks and check valves. The actuator elements may include power consumer contactors, electro-valves, servo-motors.

The requirements of directive 2006/42/EC mean that the following functions of the machine control system should be treated as safety functions:

-                normal start;

-                normal stop;

-                emergency stop (additional safety function);

-                preventing unexpected start;

-                preventing start after power supply failure and re-establishment or following its fluctuation;

-                setting operating modes and/or operating parameters;

-                disconnecting and dispersing of power (e.g. braking rotating elements, letting off compressed air or discharging hydraulic power);

-                automatic stop caused by activation of detecting protective devices;

-                automatic stop due to the opening of an interlocking guard;

-                automatic stop due to the activation of a machine parameter limit value sensor;

-                automatic stop due to machine failure;

-                start interlock caused by activation of detecting protective devices;

-                start interlock due to the opening of an interlocking guard;

-                start interlock due to the activation of a machine parameter limit value sensor;

-                start interlock due to machine failure;

-                preventing one-handed start by using a two-hand control device;

-                locking the movable guard;

-                manual cancellation (resetting) of the interlock function;

-                automatic muting of safety functions — related to the optional function of detection muting in detecting protective devices;

-                special operation modes (setting, releasing trapped personnel, etc.);

The start and stop specifications on the list of functions provided above refer both to activities related to the operational movements of the machine and to switching the entire machine or its separate circuits on/off, which do not necessarily correspond to starting/stopping the operational movements.

In addition to the safety functions provided by the SRCSE there is a series of safety requirements used when designing the entire control system of the machine. These apply to:

-                avoiding connecting the operator’s work rhythm with the automatic machine operation cycles;

-                appropriate selection, placement and recognition of control elements;

-                selection, design and placement of indicators, scales and visual displays;

-                preventing electrical hazards;

-                preventing hazards arising from the use of pneumatic and electrical equipment;

-                using intrinsically safe solutions in the control systems;

-                starting internal energy sources and switching on external power;

-                logical principles used to start/stop the mechanisms;

-                maintaining an action for reasons of safety in conditions of loss of power;

-                restarting after a break in the power supply;

-                using automatic supervision;

-                conditions of using programmable devices to implement control, including also safety functions;

-                application and utility software for programmable devices;

-                manual control principles;

-                methods of control for setting, programming, changing the process, detecting defects, cleaning, maintenance and repairs;

-                selecting methods of control and types of operation;

-                using diagnostic methods supporting the detection of defects;

-                decreasing the probability of a safety function not being implemented through the use of reliable parts with a known failure frequency, the use of redundant parts and subsystems;

-                signals and warning devices;

-                markings, symbols and warning inscriptions on control elements.

Additional information and requirements may be found in the following standards:

-                PN-EN ISO 4413:2011 Hydraulic fluid power. General rules and safety requirements for systems and their components;

-                PN-EN ISO 4414:2011 Pneumatic fluid power. General rules and safety requirements for systems and their components;

-                PN-EN 1037+A1:2010 Safety of machinery. Prevention of unexpected start-up;

-                PN-EN ISO 13850:2012 Safety of machinery. Emergency stop. Principles for design;

-                PN-EN 894-1+A1:2010 Safety of machinery. Ergonomics requirements for the design of displays and control actuators. Part 1: General principles for human interactions with displays and control actuators;

-                PN-EN 894-2+A1:2010 Safety of machinery. Ergonomics requirements for the design of displays and control actuators. Part 2: Displays;

-                PN-EN 894-3+A1:2010 Safety of machinery. Ergonomics requirements for the design of displays and control actuators. Part 3: Control actuators.

Fig. 11 Emergency stop device mushroom-type button

1.15   Methodology of assessment of meeting the basic requirements for machinery

The design decisions concerning the use of control method-based safety measures in most cases require establishing whether the given machinery hazard zone requires a safety measure in the form of a permanent guard, or whether necessary protective equipment and related safety function are required. For this reason a combined algorithm of selection of a permanent guard or control-based safety measure has been used, as provided in the “Selection of a protective device” form. The algorithm is based on the guidelines from IEC/TS 62046:2014 Safety of machinery – Application of protective equipment to detect the presence of persons.

Meeting various detailed requirements must be checked using additional forms. Some examples include:

-                “Safety distance assessment” form — the form outlines the possibilities to assess the correctness of determining safety distances with respect to the positioning of protective equipment and fixed guards — the form was prepared based on the guidelines from the following standards: PN-EN ISO 13855:2010 Safety of machinery. Positioning of safeguards with respect to the approach speeds of parts of the human body and PN-EN ISO 13857:2010 Safety of machinery. Safety distances to prevent hazard zones being reached by upper and lower limbs;

-                “Emergency stop device assessment” form — the form contains essential requirements pertaining to design and operational characteristics of this auxiliary safety measure — the form was prepared based on the guidelines from PN-EN ISO 13850:2012 Safety of machinery. Emergency stop. Principles for design;

-                “Assessment of the measures preventing unexpected start-up” form — the form contains essential requirements pertaining to important aspects of machine’s design solutions helping to achieve high efficiency of machine stoppage functions with respect to normal, emergency and automatic (triggered by activation of protective equipment) stop — the form was prepared based on PN-EN 1037+A1:2010 Safety of machinery. Prevention of unexpected start-up;

-                “Guard assessment” form — the form contains essential requirements pertaining to important design and functional solutions in fixed and movable guards — the form was prepared based on the guidelines from PN-EN 953+A1:2009 Safety of machinery. Guards. General requirements for the design and construction of fixed and movable guards.