Ensuring the operational safety of a machine requires the introduction of a series of safety measures in accordance with the essential requirements of the 2006/42/EC Directive. However, this action will not suffice for the whole machine’s life cycle. Monitoring whether minimum requirements have been met and quick response to any noticed irregularities are equally important.
In particular, it is important to monitor (check) guards and control-based safety measures, which form the main risk reduction measures against a variety of hazards, especially mechanical hazards, as these are the predominant cause of machine-related accidents.
The Regulation of the Minister of Economy of 30 October 2002 on the minimum requirements concerning occupational safety and health while operating machines and other technical equipment (implementing Directive 2009/104/EC) outlines requirements which shall be fulfilled by guards and control system components related to safety, installed on machines put into operation.
The minimum requirements pertaining to guards coincide with the essential requirements. It is crucial that all guards be in good working order, remain fitted as required and comply with safety requirements concerning the potential of accessing the hazard zone.
Section 15.4 specifies that guards and protective devices shall feature robust and durable construction, they shall not pose any risk, they shall not be easily detachable or disabled, they shall be situated at an appropriate distance from the hazard zone, they shall not limit the field of vision in the machine’s operating cycle, they shall allow for performance of tasks aimed at fixing or replacing parts as well as maintenance tasks, only limiting access to the area where works are to be performed and, if possible, without removal of guards and protective devices, and they shall limit access to the hazard zone only.
Section 11, in turn, requires that control systems in machines ensure safety and that their selection takes into account potential damage, defects and limitations that could have been predicted for the assumed conditions of machine use.
The above requirements define the minimum level for guards and protective devices when it comes to their technical condition. The Regulation also specifies in what circumstances and how the technical condition of machines (including guards and protective devices) shall be verified. Section 26.1 reads that in the cases where safe operation of machines depends on their installation conditions, the employer is obliged to carry out initial inspection of machines after their installation and before commissioning for the first time; such inspection is also obligatory after installation on another workstation or in a different place. The inspection shall be conducted by entities operating on the basis of separate regulations (if such regulations exist in a given area) or properly qualified persons authorised by the employer.
Section 27, in turn, states that the employer shall ensure that machines exposed to conditions harmful to their technical condition, which may lead to dangerous situations, are subjected to periodic inspections, including examinations performed by entities operating on the basis of separate regulations, and to special inspections whenever circumstances arise that can be indicative of deterioration of the safety level of a given machine. Such circumstances include but are not limited to the following: modifications (retrofits), occurrence of natural phenomena (e.g. lightning strike), prolonged periods of machine standstill, identification of hazardous damage, occurrence of an accident at work linked to a given machine.
Machines shall be inspected by an inspection team composed of properly qualified persons in accordance with the scope of the inspections conducted. Inspection tasks and results obtained shall be registered (inspection protocol), and such documentation shall be preserved for a minimum period of 5 years, counting from the day the inspection ended (unless otherwise provided for in separate regulations). The documentation shall be accessible for interested bodies, in particular supervisory agencies and bodies responsible for inspection of working conditions. If the machines are used outside the premises, a document confirming completion of the last inspection of the machine should be available at the place of their usage.
As far as control-based safety measures are concerned, requirements shall be more detailed due to the fact that not all safety aspects listed in the description of general rules can be intuitively named. When it comes to minimum requirements for safety-related elements of control systems, compliance with the following conditions shall be checked and ensured:
- Safety-related machine control devices are visible;
- Safety-related machine control devices are identifiable without the need to mark them or are marked with a comprehensible symbol or text in Polish;
- Safety-related machine control devices are located outside hazard zones in such a way that their use does not pose any additional hazards;
- Safety-related machine control devices used for stopping the machine are only red or black and there are no other red or black control devices present on-site;
- Safety-related machine control devices do not pose hazards related to their accidental tripping;
- Safety-related machine control devices that are buttons for starting operation do not protrude above the cover or are covered (unintentional start of the machine is prevented);
- Safety-related machine control devices differ from other buttons and starting elements (levers, handwheels, pedals), have resistance preventing their self-actuation (actuating force > 5 N, e.g. under the influence of vibrations or accidental contact) and are prevented from accidental actuation (e.g. press pedal cover);
- The machine operator can check from the location of control devices used for starting if there is anyone in the danger zone or, if this is not possible, an acoustic or visual warning signal is given before starting;
- An exposed employee has the time or means to avoid the hazard caused by starting or stopping the machine;
- The control system of the machine is selected taking into consideration the expected scope of risk reduction, the effect of the environmental factors and expected operating conditions of the machine;
- The machine can only be started by a deliberate operation of the control designed for this purpose, which appropriately activates the control system;
- The machine is equipped with a control system designed to stop it completely and safely;
- The control function designed to stop the machine has priority over the control function designed to start it;
- Restarting the machine after a stoppage due to a process situation (deliberate action by the operator, stopping automatically at the end of the process cycle) and safety-related stoppage (emergency stop, tripped protective device, failure, power supply failure) is possible only through a deliberate action on a control device designed for this purpose;
- The control system ensures that no significant changes in the parameters of the machine, in particular speed and pressure, can occur accidentally (they require deliberate impact on the respective control device or are carried out in automatic mode);
- Each workstation is fitted with a control device to stop the entire machine or its part, during normal operation or in an emergency, depending on the existing hazards, so that the machinery is rendered safe;
- The control system ensures disconnecting the machine drives from energy in the case of its stoppage;
- Safety function(s) of normal start is carried out as intended (confirmation by operation tests);
- Safety function(s) of normal stop is carried out as intended (confirmation by operation tests);
- Safety function(s) of emergency stop is carried out as intended (confirmation by operation tests);
- Safety function(s) of preventing unexpected start is carried out as intended (confirmation by operation tests);
- Safety function(s) of preventing start after power supply failure and reestablishment or following its fluctuation is carried out as intended (confirmation by operation tests);
- Safety function(s) of energy disconnection and dissipation of energy (e.g. braking, pressure discharge) is carried out as intended (confirmation by operation tests and measurements, as necessary);
- Safety function(s) related to the adjustment of operating modes and/or operating parameters is carried out as intended (confirmation by operation tests);
- Safety function(s) of the release of stored energy after stoppage is carried out as intended (confirmation by operation tests and, if required, measurements of energy release time);
- Safety function(s) of automatic stoppage due to activation (tripping) of detecting protective devices is carried out as intended (confirmation by operation tests and verifying the parameters of protection devices);
- Safety function(s) of automatic stoppage due to opening of an interlocking guard is carried out as intended (confirmation by operation tests);
- Safety function(s) of automatic stoppage due to the activation of the sensor of a machine parameter limit value is carried out as intended (confirmation by operation tests and verification of threshold values);
- Safety function(s) of automatic stoppage due to machine failure is carried out as intended (confirmation by tests using failure simulation techniques);
- Safety function(s) of start blocking in the activated state of detecting protective devices is carried out as intended (confirmation by operation tests and verifying the parameters of protective devices);
- Safety function(s) of start blocking in the condition of opening the interlocking guard is carried out as intended (confirmation by operation tests);
- Safety function(s) of start blocking in the condition of the activation of the sensor of a machine parameter limit value exceedance is carried out as intended (confirmation by operation tests and verification of threshold values);
- Safety function(s) of start blocking in the machine failure condition is carried out as intended (confirmation by tests using failure simulation techniques);
- Safety function(s) of preventing one-handed start by using a two-hand control device is carried out as intended (confirmation by operation tests);
- Safety function(s) of locking guard interlocking is carried out as intended (confirmation by operation tests);
- Safety function(s) of manual overriding (resetting) of the blocking function is carried out as intended (confirmation by operation tests);
- Safety function(s) of automatic suspension of a safety function (muting) is carried out as intended (confirmation by operation tests);
- Safety function(s) related to operating modes of the machine (set-up, release of trapped persons, etc.) is carried out as intended (confirmation by operation tests);
- Adequate safety distance is ensured in the case of safety function(s) of automatic stoppage detecting protective devices;
- All start and stop states of the machine are clearly and legibly represented by the state of the signalling elements;
- The protective devices used are properly fastened, their position is stable, it has not been changed and cannot be easily changed;
- Access to the hazard zone is only possible through the detection zone of detecting protective devices or after opening the interlocking guard;
- Measures have been used to prevent circumvention of protective devices and disabling (deactivating) of safety functions;
- Protective devices used do not impede the operation of the machine, e.g. by impeding access to work areas or excessively limiting the field of vision;
- Violation of the AOPD or AOPDDR detection zone with an appropriate test probe activates the appropriate automatic stop functions or start blocking function;
- Exerting adequate pressure with a test probe in the effective sensitivity area of the pressure-sensitive protective device activates the appropriate automatic stop functions or start blocking function;
- Opening an interlocking guard activates the appropriate automatic stop functions or start blocking function;
- Electrical circuits of safety-related parts of control systems are supplied from a power supply source ensuring sufficient galvanic isolation in relation to electrical power supply circuits of machine drives;
- One pole of each voltage source supplying the circuits of safety-related parts of control systems is effectively connected with the system of protective connections;
- Machine operating rules provide for checking of the most important safety functions each time before starting work on the machine by the employee on a working day and recording the checking activities in the relevant register;
- Periodic maintenance and functional checks of devices which make up the safety-related parts of control systems are provided by qualified personnel; these activities are recorded in the relevant register;
- Acquisition and use of original spare parts or replacement parts authorised by the manufacturer is ensured for the repair of safety-related parts of control systems and any repair work is recorded in the relevant register.
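As an added illustration (not part of the original article, the Regulation or any standard), the Python sketch below models several start/stop conditions from the checklist above: stop priority over start, restart only by a deliberate action after a stop or after power is re-established, and start blocking with an open interlocking guard. It then runs them as operation tests. All class, field and test names are hypothetical, and the input sequences are constructed.

```python
from dataclasses import dataclass


@dataclass
class Inputs:
    """Signals sampled in one controller scan (hypothetical names)."""
    start: bool = False        # start button held down
    stop: bool = False         # normal stop button held down
    estop: bool = False        # emergency stop actuated
    guard_closed: bool = True  # interlocking guard position
    power_ok: bool = True      # supply present


class StartStopLogic:
    """Toy model of the start/stop conditions, not a real safety controller."""

    def __init__(self):
        self.running = False
        # A start command is accepted only after the button has been seen
        # released while every safety condition was healthy.
        self._armed = False

    def scan(self, i: Inputs) -> bool:
        blocked = (not i.power_ok) or i.estop or (not i.guard_closed) or i.stop
        if blocked:
            # Stop has priority over start; a start button held through the
            # stop must be released before it counts as a deliberate action.
            self.running = False
            self._armed = False
        elif not i.start:
            self._armed = True
        elif self._armed and not self.running:
            self.running = True
            self._armed = False
        return self.running


def drive(steps):
    """Feed a sequence of scans to a fresh controller, return the final state."""
    logic = StartStopLogic()
    state = False
    for step in steps:
        state = logic.scan(step)
    return state


def run_operation_tests():
    """Return {test name: passed} for constructed operation-test sequences."""
    ok, press = Inputs(), Inputs(start=True)
    cases = {
        # name: (scan sequence, expected final running state)
        "normal_start": ([ok, press], True),
        "stop_has_priority": ([ok, Inputs(start=True, stop=True)], False),
        "held_start_after_stop_ignored":
            ([ok, Inputs(start=True, stop=True), press], False),
        "guard_open_stops_machine":
            ([ok, press, Inputs(guard_closed=False)], False),
        "no_auto_restart_when_guard_closes":
            ([ok, press, Inputs(guard_closed=False), ok], False),
        "start_blocked_with_guard_open":
            ([ok, Inputs(start=True, guard_closed=False)], False),
        "no_restart_on_power_return_with_stuck_start":
            ([ok, press, Inputs(power_ok=False), press], False),
        "stuck_start_at_power_up_ignored": ([press], False),
        "deliberate_restart_after_estop":
            ([ok, press, Inputs(estop=True), ok, press], True),
    }
    return {name: drive(seq) is want for name, (seq, want) in cases.items()}


if __name__ == "__main__":
    for name, passed in run_operation_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The stuck-start cases are the ones a simple "start AND healthy" expression gets wrong: without the release requirement, a jammed or bridged start button restarts the machine as soon as the guard closes or power returns.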
In practice, periodic inspections of guards and safety-related elements of control systems shall include the following:
- evaluation of technical condition, in particular for excessive wear and tear of parts,
- evaluation of correct implementation of safety functions, including performance of functional tests,
- evaluation of correct positioning, including in the context of maintaining correct safety distance,
- measurements of spin-up time (pertains mainly to automatic stop safety functions),
- check of progress of maintenance and repair works (as per the machine repair and maintenance log),
- check of whether operational limitations for particular safety-related elements have not been exceeded (i.e. service life),
- check for occurrence of non-injury incidents indicative of insufficient or faulty functioning of safety measures (interviews with employees and supervisors),
- analysis of accidents and non-injury incidents,
- analysis of the cases in which protective equipment was bypassed,
- check of qualifications of employees and validity of training in the scope of safety,
- check of safety equipment documentation for completeness (instructions, diagrams).
Methods for carrying out such checks shall include site inspection (place where the machine is installed), check of available documentation, interviews with employees, functional tests, and measurements of required parameters. Use of check lists is highly recommended here. They constitute a very useful supporting tool when prepared in advance.
When it comes to periodic inspections, evaluation of technical condition of safety measures and carrying out functional tests are not sufficient. The identified cases in which safety equipment was bypassed shall be analysed in detail in order to establish the causes of such incidents and to determine viable organisational and technical measures that could help eliminate the problem.
Moreover, analysis of accidents, if any, and non-injury incidents (hazardous situations in which an employee managed to avoid injuries) is also very important. Information on potential non-injury incidents can be obtained from employees and their direct supervisors. As a rule, non-injury incidents happen much more often than accidents. They show that hazardous situations occur which often have not been identified before, and they prove that the associated risk exceeds the level permitted by regulations. This calls for developing and implementing additional safety measures.
Periodic inspections shall be conducted based on a prepared timetable. When preparing the timetable, and in particular when it comes to inspection intervals for particular machine parts, the following factors shall be taken into account:
- guidelines of the machine’s manufacturer,
- level of risk reduction ensured by individual types of protective equipment,
- intensity of machine operation,
- environmental conditions in which the machine is operated,
- presence of wear parts within the machine and how they impact the level of risk,
- other, e.g. related to the type of material processed.
Results of periodic inspections, in particular the number of identified nonconformities with requirements and changes in the intensity of influence of the above factors shall be employed for the purpose of verification of current inspection intervals. It might be reasonable to appropriately coordinate periodic inspections for individual machines or machine groups in order to perform them faster and in a more organised manner.
In practice it turns out that designing and manufacturing safety-related elements of control systems in due manner and in accordance with the requirements, and their subsequent thorough maintenance and monitoring, are not sufficient to ensure safe operation of the machine. This is confirmed by accident-related statistics. Research conducted in the Central Institute for Labour Protection – National Research Institute shows that in the majority of cases machine-related accidents are caused by the activity of employees known as “bypassing of safety devices”. This constitutes intentional and deliberate behaviour leading to the limitation of functional efficiency of such devices, which in particular pertains to safety-related elements of control systems, especially safety sensors (including protective devices). Below are the most common examples of such bypassing: preventing the operation of limit switches, disconnection of interlocks and locking devices, moving in such a way that detection zones of electrosensitive protective devices and protective devices sensitive to pressure are avoided, or use of objects allowing for one-handed activation of two-hand control devices. There are also situations in which safety devices are disabled or even removed from the machine. Performance of works with removed or provisionally installed fixed guards shall also be added to the above examples of bypassing safety devices (this can be either an intentional employee action or it can be due to the fact that maintenance or repair works have not been finished).
Research conducted in Germany showed that approx. 14% of safety devices are constantly bypassed, and approx. 23% of them are bypassed from time to time. Nearly 75% of operators of machines in which safety functions were bypassed claimed that no effort was needed in order to disable the safety devices. Similar research was also carried out by the HSE (Health and Safety Executive) and the HSL (Health and Safety Laboratory) in the United Kingdom. The authors analysed over 100 reports concerning accidents that happened in the years 2002–2007. According to the research, the main cause in 12.4% of machine-related work accidents was bypassing of safety devices. Research conducted in Poland (Central Institute for Labour Protection – National Research Institute) and covering the years 2010–2011, in turn, showed that 18% of machine-related accidents that occurred in the processing industry could be attributed to bypassing of safety devices. Such results are confirmed by representatives from virtually all companies. Even the companies which implement the highest standards when it comes to safety management experience cases in which safety devices are bypassed. Both the research and random pieces of information obtained from companies confirm the large scale of occurrence of such cases.
Detailed investigation into situations related to bypassing of safety devices showed that there are two main causes as to why safety devices are bypassed:
- it is easy to bypass a safety device – the efficiency of control-based safety measures can be reduced quickly and with the use of basic tools (or even without any tools); the same pertains to the removal of fixed guards,
- it is convenient for an employee to bypass a safety device – here is the list of some gains that motivate the employee to bypass safety devices: less effort needs to be put into the work performed (this pertains to lower ergonomic load, easier operation consisting in bypassing of certain activities, cutting corners, increasing the freedom of movement), possibility to work faster and achieve higher salary (facilitation of work, better visibility and audibility, better precision when performing tasks, avoiding interruptions in order to work more smoothly and faster, piece work), possibility to perform work exceeding machine limitations (i.e. exceeding its intended use conditions).
The objective here is to evaluate periodically whether safety devices are susceptible to bypassing in the context of the above reasons.
Periodic inspections (detection of cases, use of technical and organisational measures limiting the susceptibility of safety devices to bypassing) and employee training activities (increasing the awareness that occupational risks are increased when safety devices are bypassed and informing on consequences resulting from the severity of potential damage and any possible financial losses) shall be employed as countermeasures for bypassing of safety devices.
Inspection of safety-related elements of control systems shall be particularly meticulous due to the fact that these technical safety measures are usually responsible for the most important tasks related to the limitation of risk of accidents.
Inspection of safety-related elements of control systems includes checking the technical condition of devices and their fixtures as well as checking their functionality, which in practice means confirming the compliance of assumptions concerning the implemented safety function with actual functioning of the control system components. Such inspection is also an opportunity to analyse the cases in which such safety measures are bypassed. This is particularly important from the perspective of general safety of machine operation.
Implementation of each and every safety function requires participation of all components of a safety-related control system, i.e. sensors, controllers, and actuators. All these elements are inspected conjointly. When it comes to safety functions in which a hazardous situation is detected by a protective device, it is generally said that the inspection pertains to protective devices. This is due to the fact that the methods for inspecting such safety functions are strictly adjusted to the properties of the protective devices in use.
Inspections of safety-related elements of control systems used in machines shall be conducted based on information obtained from the manufacturer. Instructions for machine operation shall contain information on the number and type of safety functions implemented in the machine’s control system, protective devices used, algorithms for implementation of safety functions, required parameters, environmental limitations pertaining to elements participating in implementation of a given safety function, and recommended inspection procedures. Such information is often not included in the machine instructions. The employer is responsible for obtaining all information necessary to ensure the correct use of safety-related elements of control systems and inspections related to their operation. When purchasing new machinery, it is essential to check whether the machine’s operating instructions contain all the required information pertaining to such elements.
Inspection of safety-related electronic and programmable electronic control systems as well as such systems in which data transmission subsystems are used is of particular interest here.
If there are safety-related data transmission subsystems within a machine, operation, maintenance, repairs and inspections pertaining to such subsystems require the following:
- appointing a person responsible,
- preparation of a maintenance schedule,
- implementation of inspections and periodic maintenance tasks,
- specification of scope of periodic works and checks,
- registering of performed works.
A person responsible for carrying out all safety-related works in the scope of maintenance and repairs of the data transmission subsystem shall be appointed. If possible, such person shall participate in the commissioning of the subsystem in order to acquire thorough knowledge concerning its configuration, properties, work parameters, testing techniques and software tools as well as diagnostic devices used for this purpose. During operation of the machine such person shall conduct or personally supervise works in the scope of the maintenance schedule, e.g. restarting of the subsystem after its stoppage, functional tests after its commissioning and all works performed periodically in accordance with the periodic inspection timetable. Periodic inspections in this area shall be delegated to persons with appropriate competences.
The maintenance schedule shall list all activities required for ensuring functional safety (maintenance of the required SIL level) by means of correct operation of the subsystem. It shall be prepared based on the manufacturer’s guidelines specified in the subsystem documentation and arising from the operating conditions. The schedule shall list the activities (procedures) essential for ensuring correct operation of the subsystem as well as the equipment (instrumentation and software tools) that shall be used to facilitate such activities. In particular, it shall cover the procedures for commissioning, testing, carrying out inspections, maintenance tasks and repairs. The procedures shall be documented, and in the case of procedures intended for periodic use an appropriate timetable shall be provided as well. The necessary measuring instruments shall be subjected to metrology supervision (calibration), and diagnostic software shall be checked for safety of use and correct functioning.
Periodic inspections in the scope of the safety-related data transmission subsystem shall be conducted throughout the whole service life. Periodic inspections shall be performed no less frequently than required by the functional test interval outlined in the safety specification and recorded in the maintenance schedule. Periodic inspections shall include all functional tests listed in the safety specification or recommended by the manufacturer. Periodic inspections shall be combined with replacement of those components that must be replaced periodically due to high working load.
Results of all procedures included in the scope of maintenance of the safety-related data transmission subsystem shall be registered and stored. The period for record keeping shall be defined as per the regulations in place and mentioned in the maintenance schedule.
To conduct the above evaluations as well as to design new safety measures, forms prepared for the purposes of designing new machines according to the essential requirements may be required, including the following:
- “Selection of a protective device” form, the algorithm of which is based on the guidelines from IEC/TS 62046:2014 Safety of machinery – Application of protective equipment to detect the presence of persons;
- “Safety distance assessment” form – the form outlines the possibilities to assess the correctness of determining safety distances with respect to the positioning of protective equipment and fixed guards – the form was prepared based on the guidelines from the following standards: PN-EN ISO 13855:2010 Safety of machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body and PN-EN ISO 13857:2010 Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs;
- “Emergency stop device assessment” form – the form contains essential requirements pertaining to design and operational characteristics of this auxiliary safety measure – the form was prepared based on the guidelines from PN‑EN ISO 13850:2012 Safety of machinery – Emergency stop – Principles for design;
- “Assessment of the measures preventing unexpected start-up” form – the form contains essential requirements pertaining to important aspects of machine’s design solutions helping to achieve high efficiency of machine stoppage functions with respect to normal, emergency and automatic (triggered by activation of protective equipment) stop – the form was prepared based on PN-EN 1037+A1:2010 Safety of machinery – Prevention of unexpected start-up;
- “Guard assessment” form – the form contains essential requirements pertaining to important design and functional solutions in fixed and movable guards – the form was prepared based on the guidelines from PN-EN 953+A1:2009 Safety of machinery – Guards – General requirements for the design and construction of fixed and movable guards.