Incompatible safety systems and how to avoid them
Pilz Automation Technology
Posted to News on 4th Mar 2020, 10:05

Robin J Carver EurOSHM CMIOSH MIET MIntMC FIIRSM RSP explores the important topic of incompatible safety systems, which although mentioned in EN ISO 12100 has received little coverage elsewhere.

Machinery safety standard EN ISO 12100 'Safety of machinery - General principles for design - Risk assessment and risk reduction' makes reference to the requirement that protective measures are compatible with one another, [Clause 5.6.2 'Adequate Risk Reduction']. Other than this brief mention there is little if any further guidance in this or any other standard.

When are safety systems incompatible?

An example of incompatible safety systems may be found in a palletiser (or de-palletiser) cell enclosing a robot, or robots and associated mechanisms with hazardous movement. Such a cell is enclosed by guarding on three sides, and has maintenance access door(s). The remaining side of the cell has open access, permitting the movement of forklift trucks (FLT) for loading and unloading the cell. The safety systems in this example include two principal methods of controlling access:

1) Maintenance access door(s) - each controlled by a key exchange system reliant upon the transfer of keys between the safety controlling element and a lock fixed on the guard. In this case the operator/maintenance personnel (the user) may only gain safe access by following a three-step process:

  1. Removing a coded Master Key from the control panel, which disables the hazardous movements in the cell via the safety control system(s);
  2. Transferring and inserting the Master Key into the selected access door locking device which, when activated, releases a second key (the Access Key), whilst also locking (trapping) the Master Key in place so that it cannot be removed and used to reactivate the cell;
  3. The cell access door is then unlocked and, while in possession of the Access Key, the user may enter the hazardous cell area safe in the knowledge that they hold 'in their hand' the only key that ensures that the cell is disabled.

2) The cell loading access for the FLTs is controlled by a light curtain (AOPD) which, via a safety control system, disables the hazardous movements in the cell whenever the light curtain beams are interrupted. When the light curtain has been 'tripped' the system can only be reset by the operator using a reset button.

Here we have two proven and reliable safety interlocking systems; however, they have different safety principles.

  • Key exchange systems are proven and reliable, when correctly chosen for personnel safety, having a long and proven heritage, originally used by the French railway in the 1890s and can be found in many industrial settings including manufacturing, machine safety, warehouse and storage facilities, electrical systems, petroleum and chemical plants, etc. Key exchange systems are detailed in the standard EN 14119 and further guidance is given in the Technical Specification ISO/TS 19837. The 'safety principle' of a key exchange system is broadly mechanical (Type 2 as defined in EN 14119) and relies on secure transfer of keys and, finally, the holding of a key by the user exposed to the hazards.
  • Light curtains (electro-sensitive protective equipment) are also proven and reliable safety devices. They are designed specifically to detect persons passing through them by employing active opto-electronic protective devices (AOPDs) as the sensing function. Their installation requires correct positioning and integration into a suitable safety-related system designed such that appropriate safety-related performance is achieved. Light curtain (AOPD) devices are clearly detailed in the standard EN 61496 with their effective positioning detailed in EN 13855 and control functions detailed in EN ISO 13849. The 'safety principle' of a light curtain (AOPD) is that of detection of the user who is at risk of being exposed to the hazards, and a suitable control system response.

Look carefully at these two safety principles used in this common application example and it can be seen that they are fundamentally different. Safe access to the hazards in the cell via the maintenance access door(s) is provided by the holding of a key by the user, while safe access to the hazards in the cell via the cell loading access is by detection only - and the holding of a key by the user is NOT necessary. The safety principles are potentially incompatible.

Foreseeable risks

A person can gain access to the hazards in the cell via the cell loading access by walking through the light curtain without the need for a key. The safety-related control system will be tripped and the risks reduced by stopping the hazardous machinery. However, given that one of the safety principles is a key, a second person (operator) may see that the master key is secure in the control panel, conduct a cursory visual inspection of the cell, conclude that the area is free of personnel, and reset the safety control system, operating the machinery. This is a 'reasonably foreseeable risk' 'which may result from readily predictable human behaviour' as defined in the Essential Health and Safety Requirements of the Machinery Directive. One could argue that the visual inspection of the cell was insufficient, but in the author's experience, palletisers and de-palletisers can be large and/or crowded, with large visual blocks such as robots, pallet stacks, slip sheet stacks, product, structural objects, etc, and with personnel moving between them they can easily become obscured and missed.
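The foreseeable sequence above, modelled as an added example that is not part of the original article: a simplified state model of the cell's two interlocks (the three-step key exchange on the door, the light curtain with a button reset on the loading access) is run against two constructed traces, and any state in which hazards are enabled while someone is inside the cell is recorded. The entrant "A", the second operator "B" and the event names are assumptions of the model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Cell:
    """State of the palletiser cell's two interlocks (simplified, constructed model)."""
    master_key_in_panel: bool = True      # cell enabled while the master key is in the panel
    master_key_trapped: bool = False      # master key trapped in a door lock; cannot re-enable
    access_key_holder: str | None = None  # person holding the released access key
    curtain_tripped: bool = False         # light curtain trip latches until reset
    hazards_enabled: bool = True
    inside: set = field(default_factory=set)
    violations: list = field(default_factory=list)

def step(cell: Cell, actor: str, event: str) -> None:
    """Apply one user action, then check: hazards live while someone is inside?"""
    if event == "remove_master_key" and cell.master_key_in_panel:
        cell.master_key_in_panel = cell.hazards_enabled = False          # step 1
    elif event == "master_key_into_door" and not (cell.master_key_in_panel or cell.master_key_trapped):
        cell.master_key_trapped, cell.access_key_holder = True, actor    # step 2: exchange
    elif event == "enter_door" and cell.access_key_holder == actor:
        cell.inside.add(actor)                                           # step 3: key in hand
    elif event == "exit_door" and cell.access_key_holder == actor:
        cell.inside.discard(actor)
    elif event == "return_access_key" and cell.access_key_holder == actor:
        cell.access_key_holder, cell.master_key_trapped = None, False    # master key released
    elif event == "master_key_into_panel" and not (cell.master_key_in_panel or cell.master_key_trapped):
        cell.master_key_in_panel = cell.hazards_enabled = True
    elif event in ("cross_curtain_in", "cross_curtain_out"):
        if event == "cross_curtain_in":
            cell.inside.add(actor)                  # detection only: no key changes hands
        else:
            cell.inside.discard(actor)
        cell.curtain_tripped, cell.hazards_enabled = True, False
    elif event == "press_reset" and cell.curtain_tripped and cell.master_key_in_panel:
        cell.curtain_tripped, cell.hazards_enabled = False, True         # anyone may press this
    if cell.hazards_enabled and cell.inside:
        cell.violations.append((actor, event, sorted(cell.inside)))

def run(trace: list[tuple[str, str]]) -> Cell:
    cell = Cell()
    for actor, event in trace:
        step(cell, actor, event)
    return cell

# Constructed traces: "A" enters the cell; "B", a second operator, tries to restart it.
DOOR_TRACE = [("A", "remove_master_key"), ("A", "master_key_into_door"), ("A", "enter_door"),
              ("B", "press_reset"), ("B", "master_key_into_panel")]
CURTAIN_TRACE = [("A", "cross_curtain_in"), ("B", "press_reset")]

if __name__ == "__main__":
    print("door path violations:   ", run(DOOR_TRACE).violations)     # []
    print("curtain path violations:", run(CURTAIN_TRACE).violations)  # [('B', 'press_reset', ['A'])]
```

On the door path B's attempts fail because the master key is trapped in the door lock and only A, the key holder, can release it; on the loading-access path B's reset re-enables the cell with A still inside.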

What could reduce the risk of incompatible safety systems?

Training of the users in the use of the master key whenever and however they enter the cell is an option; but, taking into account 'reasonably foreseeable risks ... which may result from readily predictable human behaviour', I would argue that this precludes training alone as a practical option.

Preventing or warning of Start-up. The Machinery Directive requires that: 'From each control position, the operator must be able to ensure that no-one is in the danger zones, or the control system must be designed and constructed in such a way that starting is prevented while someone is in the danger zone. If neither of these possibilities is applicable, before the machinery starts, an acoustic and/or visual warning signal must be given. The exposed persons must have time to leave the danger zone or prevent the machinery starting up.'

The risk assessment and design process must include consideration of the safety principles and their compatibility (or, more importantly, their potential incompatibility). Considerations could include:

  • Resetting the light curtain safety system only by using the master key
  • Alternative door interlocking devices/systems
  • Alternative cell loading access methods
  • Etc.

Is this a 'real risk'?

YES - both published and anecdotal reporting of a fatality inside a de-palletiser in a factory in Halifax in 2008 may have been as a result of the employment of just such incompatible safety systems.

There are many palletisers and de-palletising cells, warehouse and storage facilities that employ combinations of key exchange and light curtain systems that, potentially, constitute incompatible safety systems.

Conclusion

There is, unfortunately, very little guidance on, or even mention of, incompatible safety systems in the standards or published guidance documents. It falls within the classification of Systematic Failure and Common Cause Failure (CCF) in the much-acclaimed standard EN ISO 13849 'Safety of machinery - Safety-related parts of control systems' but, strangely, is not mentioned specifically.

It is extremely important that the designers of any machinery systems and assemblies - but in particular, palletisers and de-palletising cells, warehouse and storage facilities - diligently review the safety principles they intend to employ. It is vitally important to consider their suitability and compatibility and, to quote the Machinery Directive, take into account 'reasonably foreseeable risks ... which may result from readily predictable human behaviour.'


Health & Safety Compliance Engineering

17 Bramley Drive
Hollywood
B47 5RD
UNITED KINGDOM

+44 (0)7860 231 287
