Retrofitting machines for safety

James C. Roberts, P.E., chief engineer at IS International Services, provides an overview of machine safeguarding.

Custom enclosures
IS International Services LLC.

Below are insights written by James C. Roberts, P.E., chief engineer at IS International Services LLC. He provides an overview of adding machine safety barriers and E-Stops on a variety of medical device manufacturing machines, optimized for operator usability and accessibility. 

 

  1. Why Retrofit Machines for Safety – Short History

    The medical device industry is constantly developing new products and processes.  This frequently leads to the development and deployment of new machinery to meet these needs.  New machines are manufactured to current standards and are either supplied with modern machine safeguarding already in place or at least designed for it to be easily added. 

    But what about cases where legacy machines have been in use for decades? Often these were built and installed before the widespread adoption of NEMA and ISO safeguarding standards and are not designed for the currently required levels of risk isolation. Retrofitting these machines to bring them into compliance while still maintaining their functionality and maintainability requires careful engineering and plenty of communication.

  2. Regulatory Standards to Comply With

    When it comes to machine safeguarding, the risks are identified and ranked through a series of steps including Risk and Hazard Assessments and Layers of Protection Analysis (LOPA), designed to determine what needs to be protected and how reliable and secure the protection should be.  A couple of the key outcomes from this process are the identification of items that can be passively protected with techniques such as barriers, non-slip surfaces and keylocks and items that require active protection using safety circuits or similar interlocking. 

    These outcomes are the starting point for designing the safeguarding requirements for the machine. It is likely that protection needs were identified and mitigation methods were prescribed during the analysis phase. 

  3. Distance, Energy, Procedures

    While the particulars will vary on a case-by-case basis, the primary tools typically boil down to these three concepts:

    • Guard the machinery in a manner that provides enough distance between personnel and hazards to allow additional safeguarding measures to take effect, preventing the personnel from being exposed to the hazard
    • Remove all energy that may constitute or enable the hazard (most typically electrical and pneumatic energy sources in the Medical Device Industry)
    • Develop and enforce access limitation policies to prevent people from bypassing the first two concepts

      Policies are usually the domain of Operations, but frequently the Controls Engineer is required to implement the first two.

      Many older machines are designed for direct operator interaction.  When retrofitting these machines, the original functionality needs to be understood, and when possible, fully enabled within a safer, better-guarded environment.

      Proper solutions must adequately address operability and maintainability because implementing the above three concepts without considering how the machine is used will often result in designs which interfere with day-to-day operations to an impractical degree, resulting in unnecessarily lost run time.

  4. Guarding

    A fundamental principle of machine protection is that it takes time for an operator to move from a safe location to a point exposed to risk (time-of-flight). A design is considered safe if the machine can be stopped and made safe during the time-of-flight and before an operator can reach the hazard. Fixed barriers, such as mechanical guards, cages and fences, create permanent blockages that completely prevent operators from reaching hazards while in place.

    The downside is that these barriers are often inflexible, making it extremely difficult for the operators and maintenance staff to access protected areas, even when their duties require it. Often, materials will need to pass through these boundaries while the machine is in operation. In both cases, openings in the barriers are required.

    The standard tool for determining how large these openings can be is based on human anatomy, typically fingers and arms, and allows larger gaps if the danger points are further from the barrier. A good example of this is the OSHA Guard Opening Scale. Only smaller holes are allowed if the distance is less than finger length, and larger holes are allowed if a hazard is further than arm length away.

    Non-fixed barriers, such as light curtains and scanners, provide more flexibility in both physical design and in the ability to modify the boundaries based on current conditions. These are typically more expensive, and the larger access windows they provide mean that proper consideration of time-of-flight is critical. A combination of fixed and non-fixed guards typically provides the best solution.

    With either type of guarding, it is important to consider not only how the operators work on the machine, but also how maintenance technicians will access it. Disassembly of bolt-in-place guard panels may be permissible for major maintenance, but areas of frequent maintenance need guards and protective panels that can be quickly removed, or frequently adjusted equipment and instruments need to be relocated to hazard-free locations. When used, quick-release panels will need proof that they are properly reinstalled before the protective circuits can be reset.

    A sound strategy to use when adding machine guarding is to work with operations and maintenance to develop potential approaches and then conduct a Management of Change (MOC) meeting with Safety, Operations and Maintenance team members to select the approach that meets the needs of all parties. These meetings are most successful when all concerned departments are present at the same time.  3D renderings showing the guards on the machine are often key to helping all team members visualize the restrictions and access paths being proposed.

  5. Energy Removal

    Once the access protection methods are established, energy removal can be addressed.

    It wasn’t long ago that local motor disconnects and simple standard relay latching circuits were considered best practice. This is no longer the case with the introduction of concepts such as Safety Categories and Performance Levels. Now, it is common to find requirements such as “CAT3/PLd” for machine protection. 

    “CAT3” refers to the ISO 13849-1 Category 3 fault reaction performance level, in which a single fault in the safety system will create a trip, but not all faults will be detected. Essentially this means simple redundancy at every level of the safety circuit.

    As defined in ISO 13849-1, the Performance Level or PL is a measure of the reliability of the overall safety system to function correctly and trip when it is required to. A PL of “d” would be expected to not function correctly in the range of once every 100,000 to 1,000,000 hours and is equivalent to SIL2 in the process industry.

    Designing safety circuits of this class requires special logic solvers (safety monitoring relays or safety logic solvers), redundant-contact detection devices (position switches and pushbuttons), use of redundant pairs of contactors specially designed with cage-guided proof contacts, and similar specialty devices.  Single-contact switches and standard relays cannot provide the level of protection this requires.

    Fortunately, vendors are developing new and unique standards-compliant detection and actuation devices that continually add to the arsenal of the controls engineer.  Now there are safety-rated area scanners, compressed air supply/dump valves, access gate locks and similar devices that provide flexibility and space saving solutions often necessary in retrofitting process machinery.

  6. Policy Development

    All of the guarding design and interlocking designs won’t help a bit unless they are accompanied by proper procedures that require the operating and maintenance personnel to respect the inherent dangers associated with the machines and to not tamper with the guards. Inflexible protection designs or loose policy application will inevitably lead to bypasses of the systems, resulting in exposure to the hazards and potentially loss of life or limb.

  7. Summary

Machine safety systems are often viewed as necessary evils, but with careful planning and execution, the protection can often be added in ways that both protect the people who need to work on the equipment and still allow them to perform their jobs correctly, efficiently and safely. It is up to the Controls Engineer to work with all the people and tools available to make sure the systems they deliver are safe and functional so that they are appreciated and respected.

 

 

About the company:

IS International Services, LLC (IS) is a global services and engineering company focused on clients with an emphasis on providing quick and quality deliverables. They are a member of Control System Integrators Association (CSIA).