
Integrating safety during the machine design stage

Hani Raafat and Perry Simpson

Health & Safety Unit, Aston University, Birmingham B4 7ET, UK


IBC Vehicles, P.O. Box 163, Kimpton Road, Luton, LU2 0TY, UK

Abstract:
The number of machinery accidents which occur regularly shows how difficult it is for machines
and systems to operate safely. This problem is compounded by the fact that issues relating to the
design are specific to particular situations: companies modernise in phases, which means that
technologies of different generations co-exist at different levels of sophistication. Work activities
are diverse and varying, and the demands on operators to be multi-functional have increased.
The European Union (EU) introduced a New Approach to Technical Harmonisation and
Standards aimed at integrating safety at the design stage. The Machinery Safety Directive is one
of these Directives and sets out Essential Health and Safety Requirements (EHSRs) for machinery
which must be met before machinery is placed on the market anywhere within the EU.
EHSRs are expressed in general terms and it is intended that the European Harmonised
Standards should fill in the detail so that machinery designers and suppliers have clear guidance
on how to achieve conformity with the Directive and to integrate safety at the design stage.
This has fundamentally changed the approach to the prevention of machinery accidents in the
workplace. In place of reactive and prescriptive legislation and standards, the EU Directives
represent a remarkable breakthrough in the risk-based approach to machinery and work equipment
safety. This approach is currently proposed by ANSI (B11-TR3, 2000) for machine tools in the
USA. Research carried out at Aston (Raafat and Robert, 1999) has shown that the majority of
machinery suppliers into the UK market have failed to demonstrate compliance with the risk-based
approach. This paper presents a model to assist machinery and system designers in
integrating health and safety into the design process, using the risk-based approach.

Keywords: EU Directives, EN Standards, risk assessment, task-based, automated press line

Corresponding author. Tel: +44-121-359 3611; Fax: +44-121-624 0188; e-mail: h.m.n.raafat@aston.ac.uk

1. Introduction

The mass introduction of new technologies in industrial production systems (more
automation, more information technology) has increased the performance of these systems in
terms of quality, productivity, flexibility and availability. However, it has introduced a number of
difficulties. These include:
1. The execution phase of these systems, notably in the process of installation, maintenance,
repair of breakdowns and deficiencies, and in logistics and safety; and
2. The design stage, where it is very difficult for the designer to take account of all the
relevant factors relating to health, safety and the integration of operator
activities/interventions.
Analysis of these industrial situations often uncovers large differences between the predicted
performance of systems and that observed in practice (including the management of deviations,
constraints of production, extending the life of equipment, evolution of production systems,
process variability, etc.). This gap is currently considered one of the main causes not only of
poor performance, but also of risk taking by operators, because they have to respond to situations
which have not been considered in the design phase (Fadier et al., 1999).
Integration of safety and human factors into the design phase is therefore essential if the
expected performance is to be translated into achieved results in industrial systems. It was found that
the vast majority of work carried out in the area of design relates to practical experience and is
not theoretically based (Wagner, 1988). Although different researchers have tackled a very
diverse range of problems, not many have tackled the problem of the integration of
health and safety in the design process. Many works have reviewed and analysed the various
tools, methods and approaches to design, or have offered new research or design methods (Fadier
et al., 1998).
The concept of a model for integrating health and safety into the machine/process design has
been developed around simple consumable products where the users themselves are the
consumers. However, if the product is a complex production system, modelling should be based
on foreseeable needs for human intervention and risk assessment.
Designers are faced with several problems during the design phase. These include the following:
1. The lack of adequate data relating to new innovation and creative design (and even in
routine design).
2. The inability to foresee differing needs for human intervention, and the hazards
associated with each activity.
3. Identification of intended use and foreseeable misuse by machine users, particularly in
tasks relating to maintenance and fault finding.
4. Bringing together several types of expertise, which makes both resolution of the
problem and communication between this expertise more complex.
5. Design conflicts between different disciplines: mechanical, electrical and control
systems. This leads to conflicts that must be managed.

To define a product, an information model must be considered (geometric, functional,
technological, physical, logistic, economic and social aspects, etc.) to ensure and to control
conformity with the initial specification after manufacture. This model must serve as the basis of
every information exchange about the product that has already been designed; it must also be
able to be integrated into a product engineering industrial environment. Several product models
are available in the literature (Bernard, 1999). Each model has a different objective depending on
the contexts envisaged during the development of these models (Belloy, 1994; Constant, 1996;
Chapa Kasusky, 1997; Harani, 1997; Sellini, 1999; Eynard, 1999). None has yet integrated safety
requirements. This paper considers integrating a system model using the principles of the generic
model presented in (Harani, 1997) and subsequently modified by Hasan (Hasan et al., 2000).
The model proposed by this paper is based on the model of Harani, who proposed a product
model aimed at capitalising on existing knowledge. It has recourse to the principle of meta-modelling to propose a machine/system model that represents and groups all the information
defining the product in the same knowledge base. This system model integrates the use of risk
assessment to assist the designer in integrating health and safety into the machine/system design.
The functional analysis in the proposed model considers the mode of intervention of the
operator on the system, the tasks carried out by the system and the operator, and both the tools
and materials used to ensure correct operation of the system. The model of the system, the
elements relative to the machine/system and their relationships are presented below.
The main concept of this model is to integrate health and safety during the machine design
stage, using the risk-based approach and consideration of relevant EU product safety Directives
and harmonised transposed machinery safety standards.

2. Modelling Machine/System Safety

The concept of integrating health and safety during the machine/system design is shown in
FIGURE 1. The machine/system model is made up of subsystems, foreseeable tasks involved,
danger zones, hazards, hazardous events, modes of intervention and risk assessment. Exposure to
work hazards may constitute a significant risk if the machine designers do not adequately
consider all foreseeable needs for interventions. The basic concepts behind this model were
defined by Harani (Harani, 1997), but further concepts relating to risk assessment and compliance
with the EU harmonised transposed standards are considered in this paper.
The attributes of the machine/system safety concept are:
Machine/system: this includes name, serial number, description, raw material and finished
product. It is important to identify the machine boundary and interfaces with other systems.

[FIGURE 1 General Machine/System safety model. Entity diagram centred on Machine/System (id, name, serial number, description, raw materials, finished product, boundary/interfaces) linked to: Sub-systems (id, name of system, description, functions, interfaces, layout, applied EN standards); Danger zone (id, name of the zone, description/boundary); Tasks involved (id, nature of the task, duration of task, personnel involved, task description/analysis); Environment (id, description); Workplace (id, description, layout); Hazards (id, hazard type e.g. mechanical, electrical, source of hazard, activity type, hazardous event, who is exposed to hazard, task involved, duration of exposure, possibility of avoidance, number exposed); Hazardous events (id, nature of the event, frequency of occurrence, cause); Risk assessment (cause, severity/consequences, risk level, risk evaluation, risk reduction strategy, review system); Mode of intervention (id, nature of intervention, cause, frequency of intervention, duration); Tools (id, name of tool, description); Consumable (id, name of consumable, description); Working team (id, number of members, tasks, experience).]


Subsystem: this identifies parts of the machine, their description, layout and functions. It is
important within this description to identify the relevant EU Directives and the applicable transposed
harmonised EN standards for each subsystem.
Mode of intervention: represents machine-user interactions, i.e. the modes allowing access
into danger zones to carry out foreseeable activities, e.g. tool setting, maintenance,
fault finding, programming, etc.
Working team: this concept represents all those responsible for installing, operating, setting,
maintaining, cleaning, repairing and fault-finding a machine (EN 292-1). It represents the users
who will work in the working situation, which is foreseeable at the design stage.
Dangerous zone: represents any zone inside and/or outside a machine in which a person is
exposed to a risk of injury or damage to health (EN 292-1), (EN 1050). One or several of the
technical design elements of the system that satisfy one or several of the required functions can create
this zone.
Hazards: represents any source of harm capable of causing an injury or damage to the health
(EN 292-1) of the user during his or her presence inside the danger zone.

Hazardous event: represents one of the events liable to occur, accidentally or otherwise, in the
working situation, caused by the users, the system or third parties. According to standard EN
1050 this concept is defined as an event likely to cause injury or damage.
Risk assessment: involves the probability (chance) of exposure to the harm inside the danger
zone coupled with the consequences (severity) of exposure. It also considers the evaluation of
risk and whether corrective/preventive measures are needed to reduce risk to a tolerable level.
Tools: this concept represents one of the tools that can be used to ensure the correct operation
of the system in the working situation that is the subject of the design.
Consumable: represents the consumable materials that are needed for the work activity.
Work Environment: this concept represents all the physical, chemical, biological,
organisational, social and cultural elements that surround a working situation inside its
working area.

3. Concept of Risk Assessment

The global impact of risk assessment on machinery safety standards is gaining momentum.
The role of risk assessment within the European New Approach Directives and harmonised
standards is fundamental in guiding the designer through hazard analysis and evaluation of risks
to the selection of appropriate levels of integrity of health and safety measures. This is essentially
a proactive approach based on a structured and systematic method for hazard identification,
evaluation of risks and the decision to reduce risks to a tolerable level. A general risk assessment
framework (Raafat, 1996) is shown in FIGURE 2.
The main elements of risk assessment are:
Define machine/system: This should include description, intended use, space and time limits
and boundaries/interfaces.
Identify hazards: These include hazards and hazardous situations, considering the various
aspects of the operator-system relationship, the possible states of the machine and foreseeable
misuse. Hazards can be classified as continuing hazards, which are inherent in the machine,
material or substance, and hazardous events, which can result from machine/system failures
and human error.
Analyse consequences: This primarily relates to the severity of injury and ill health as a result
of exposure to the hazard. It can also be described in terms of economic losses due to
interruption to production and asset damage, or in terms of environmental damage.
Estimate/measure risks: Risk is defined as the chance (probability) of the harm being
realised combined with the consequences (severity). Risk can therefore be described in
qualitative, semi-quantitative or quantified terms. For the vast majority of industrial
machinery hazards, a semi-quantified measurement of risk is recommended.

[FIGURE 2 Risk assessment framework. Flow chart: define system (machine/process, activity); identify hazards, split into continuing hazards and hazardous events; identify causes and analyse consequences; estimate/measure risks (together forming the risk analysis); evaluate risks: is the risk tolerable? (risk evaluation). If no, decide the risk control strategy and verify, looping back to the risk estimate; if yes, no change (monitor).]


Evaluation of risks: A criterion is selected to evaluate risks, that is, to decide whether the risk is
tolerable or should warrant some corrective or preventive measures.
Risk control strategy: If the risk is judged to be intolerable, a hierarchy of risk reduction options
is set out in the EU Machinery Directive. The first consideration is to design out hazards, then
to reduce risk by design. The design should minimise the need for access into the danger
zones and accommodate foreseeable misuse. The third option is to incorporate safeguards
and safety devices. The last option is to warn the user of any residual risks and to develop safe
systems of work.
Verification: There will be a need to review the system following modifications to ensure
that these measures will reduce risks to a tolerable level and that no new hazards are generated
as a result of design changes.

4. Modelling Risk Assessment

Modelling of risk assessment (FIGURE 3) involves the following:

Risk assessment: This procedure represents the methodology to identify potential hazards
associated with each danger zone or hazardous activity (or both).
The two basic risk assessment techniques which are considered most relevant to machinery
safety are the hazard-based approach (EN 1050, 1997) and the task-based approach (ANSI
B11-TR3, 2000). The task-based risk assessment is much more open-ended, as it analyses the
different hazards associated with each step of the task/subtask.
The machine/system based risk assessment considers the following:
Danger zone: this identifies all hazardous areas inside and outside the machine by name,
description of subsystems within each zone and boundary/interfaces with other danger zones.
[FIGURE 3 Risk assessment model. Danger zone (id, name of the zone, description/boundary) linked to Tasks involved (id, nature of the task, duration of task, personnel involved, task description/analysis), Hazards (id, hazard type e.g. mechanical, electrical, source of hazard, activity type, hazardous event, who is exposed to hazard, task involved, duration of exposure, possibility of avoidance, number exposed), Hazardous events (id, nature of the event, frequency of occurrence, cause) and Risk assessment (cause, severity/consequences, risk level, risk evaluation, risk reduction strategy, review system). Two evaluation routes are shown: EN 1050 risk evaluation (id, type, source, cause; hazard types mechanical, electrical, substance, toxic, flammable, explosive, ergonomic, environment) and ANSI B11.TR3 task-based evaluation (id, task, activity, hazardous event, effects, risk level, with ALARP levels B and C).]


Hazards: A list of hazards to be identified is presented by (EN 1050). This includes
mechanical, electrical and physio-chemical hazards, and hazards resulting from inadequate ergonomic
consideration in the machine design.

Tasks involved: this identifies all foreseeable tasks where an individual needs to enter a
danger zone. These tasks must include normal operation and the different needs for intervention,
such as maintenance, setting and fault finding. This is important, as some safety measures
may have to be overridden/defeated during the intervention (which is foreseeable at the design
stage). Task analysis, and particularly Hierarchical Task Analysis (HTA), is a very powerful
technique for the designer to identify and analyse what needs to be done and when.
Hazardous event: in this context, this attribute represents one of the events liable to occur on
the system (such as a technical malfunction), and how individuals may be exposed to harm. The
approach adopted by ANSI B11-TR3 (ANSI, 2000) considers both the task involved and
hazardous events in a structured way.
Risk evaluation: It should be remembered that not every hazard and hazardous event would
warrant risk reduction measures. It is only when the risk level is significant that the designer
would consider a hierarchy of risk reduction options. A number of tools have been developed,
based on semi-quantitative methods for the evaluation of risks, which may be suited to the task
of selecting the most appropriate category or safety integrity level, e.g. a risk matrix (ANSI,
2000) and the risk calculator (Raafat, 1996).
Evaluation of risks using the approach adopted by (EN 1050, 1997) is based on the hazards
identified in the danger zone, but the concept of risk evaluation is unclear. The task-based
approach adopted by (ANSI, 2000) is more suited to the evaluation of risks associated with
foreseeable modes of intervention.

5. Application of the Model

The example used to demonstrate the application of the model is based on the design of a
mechanical 1200/800-ton press line used in the body shop of an automotive manufacturer. Five
mechanical presses which did not comply with the EU machinery safety requirements were
imported from the Far East. As the machine suppliers are not represented in the UK, the
Company undertook the design, construction and assembly of an automated tandem press line.
A new approach, using the model shown in FIGURE 1, was applied to the design of the car
body panel handling system, based on a single line flow. The new E-Line included, in addition to
the five single-action presses, two destack trolleys, seven 6-axis robots, one tilt (centralising)
table, two offload conveyors and ten die-carts. The general layout for E-Line is shown in
FIGURE 4.

[FIGURE 4 General layout of E-Line: plan view of zones B, C, D, E, F, G, H, I, J, K and L with numbered equipment positions 01 to 08.]


The Company operates a three-shift system, and the core working team consists of 8 dedicated
persons per shift. Maintenance was introduced as part of the production schedule, so multi-tasking and cross-functioning were essential elements of personnel training to provide flexibility.
The line operation starts by loading panels onto the destack trolleys, using fork-lift trucks in zone
C. Loaded trolleys then automatically move into zone F, where one robot picks one panel at a
time and places it on the tilt table. A second robot picks up the panel and places it between the
dies of the first mechanical press. One robot located between the presses handles the semi-shaped panel until the final product is loaded on the offload conveyors.
FIGURE 5 demonstrates the application of the model to a selected mode of intervention. This
relates to a dropped panel inside danger zone F due to a robotic gripper fault. This fault could be
either the result of the gripper control or pneumatic system failure.
The task-based risk assessment approach (FIGURE 3) was used to evaluate the risks to the two maintenance crew members involved in fault finding. The risk level was found to lie within the ALARP (as low
as reasonably practicable) region, which would warrant reduction, taking costs into account.
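To make the model concrete, the following added Python example (not the authors' code) encodes the FIGURE 1/3 entities for the Zone F intervention of FIGURE 5, estimates its risk level, returns the section 3 risk reduction hierarchy to work through, and performs the FIGURE 2 verification step after the FIGURE 6 design change. The point scale, the A/B/C band limits, the severity numbers and all class and function names are assumptions: the paper reports the result (level B, ALARP) but not its calculator tables.

```python
"""Task-based machinery risk assessment built on the entities of FIGURE 1 and
FIGURE 3 and fed with the Zone F case study of FIGURE 5.  Added example, not
the authors' code: the point scale and the A/B/C band limits are constructed
assumptions, since the paper does not reproduce its risk-calculator tables."""
from dataclasses import dataclass, field

# Hierarchy of risk reduction options set out in the Machinery Directive, as
# listed in section 3 of the paper; the first option is always preferred.
HIERARCHY = [
    "design out the hazard",
    "reduce risk by design (minimise need for access, accommodate misuse)",
    "safeguards and safety devices",
    "warn of residual risk and develop safe systems of work",
]
RANK = {"A": 3, "B": 2, "C": 1}   # A intolerable, B ALARP, C broadly tolerable

@dataclass(frozen=True)
class Hazard:
    kind: str        # EN 1050 class: mechanical, electrical, substance, ...
    source: str      # subsystem creating the hazard, e.g. "robot"
    severity: int    # constructed scale: 1 minor, 2 serious, 3 major, 4 fatal

@dataclass
class Intervention:
    """One foreseeable mode of intervention into a danger zone."""
    zone: str
    nature: str
    per_year: float          # frequency of entry into the zone
    minutes: float           # duration of each entry
    exposed: int             # number of persons exposed
    avoidable: bool          # possibility of avoiding the hazardous event
    hazards: list = field(default_factory=list)

@dataclass
class Assessment:
    score: int
    level: str               # "A", "B" or "C"
    needs_reduction: bool
    options: list            # risk reduction hierarchy to work through

def exposure_points(per_year: float, minutes: float, exposed: int) -> int:
    """Constructed exposure scale from person-hours per year inside the zone."""
    person_hours = per_year * minutes / 60.0 * exposed
    if person_hours == 0:
        return 0
    return 1 if person_hours < 1 else 2 if person_hours < 24 else 3

def assess(task: Intervention) -> Assessment:
    """Risk = worst-case severity combined with the chance of exposure to harm."""
    worst = max((h.severity for h in task.hazards), default=0)
    points = exposure_points(task.per_year, task.minutes, task.exposed)
    points += 0 if task.avoidable else 1      # no possibility of avoidance
    score = worst * points
    level = "A" if score >= 16 else "B" if score >= 9 else "C"   # assumed bands
    reduce = level != "C"
    return Assessment(score, level, reduce, HIERARCHY if reduce else [])

def verify_change(before: Intervention, after: Intervention) -> bool:
    """Verification step of FIGURE 2: the redesign must not raise the risk
    level and must not introduce hazards absent from the original zone."""
    no_new_hazards = set(after.hazards) <= set(before.hazards)
    return no_new_hazards and RANK[assess(after).level] <= RANK[assess(before).level]

def zone_f_hazards() -> list:
    # Mechanical hazards listed for Zone F in FIGURE 5; severities are constructed.
    return [
        Hazard("mechanical", "robot", 4),        # impact/crushing, possible fatality
        Hazard("mechanical", "tilt table", 3),   # crushing/shearing
        Hazard("mechanical", "panels", 2),       # cutting/severing
        Hazard("mechanical", "gripper", 3),      # high-pressure fluid injection
        Hazard("mechanical", "trolleys", 3),     # crushing/impact
    ]

def case_study() -> Intervention:
    """FIGURE 5: gripper fault finding in Zone F, once a month, 45 min, 2 exposed."""
    return Intervention("F", "fault finding robotic gripper", 12, 45, 2, False,
                        zone_f_hazards())

def redesigned() -> Intervention:
    """After the FIGURE 6 change the gripper is changed automatically, so the
    task no longer needs entry into Zone F (per_year = 0); hazards unchanged."""
    return Intervention("F", "automatic gripper changeover", 0, 45, 2, False,
                        zone_f_hazards())
```

Running `assess(case_study())` reproduces the paper's level B (reduction warranted), and `verify_change(case_study(), redesigned())` confirms the redesign lowers the level to C without adding hazards.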

[FIGURE 5 General model application (the FIGURE 1 model filled in for the Zone F intervention):
Machine/System: Press Line E, 1200/800t press line, 5 mechanical presses; raw material galvanized sheets, finished product body panels.
Sub-systems: Line E loading cell (two robots, one tilt table and press 1, to load the panel in press 1); layout per drawing; applied EN standards EN 292-1 and -2, EN 692, EN 982, EN 577, EN 954, EN 1088, EN 1050.
Danger zone F: panel loading cell with two robots, 2 destack trolleys and one tilt table.
Task involved: fault finding on the robotic gripper after a panel slips; duration of task 45 min; maintenance personnel.
Environment/workplace: press shop, near the LTP press, noise level 78 dB.
Hazards (mechanical): impact/crushing by robots, crushing/shearing by tilt table, cutting/severing by panels, high-pressure fluid injection from robot grippers, crushing/impact by trolleys.
Hazardous event: impact/crushing by robot, once per month, control/pneumatics failure.
Mode of intervention: fault finding/setting, adjusting grippers; cause: panel slips from grippers; once per month; duration 45 min.
Risk assessment: entry to danger zone F; crushing/impact by robot; cause human error/electrical fault; possible fatality; expected exposure 30 min; number exposed 2; risk level = B; risk evaluation = ALARP; risk reduction strategy: reduce need for access.
Tools: diagnostic kit, control pendant, pressure gauge, electronic probes. Consumable: high-quality pneumatic seals. Working team: cross-functional production/maintenance team, eight per shift, 6 years experience.]


As a result of the risk assessment, an attempt was made to reduce the need for access into
zone F and to reduce the need for human intervention, in this case for fault finding while the
robot is powered and the pneumatic power is on. Consequently, a design change was made so that
the robotic gripper can be changed automatically without the need for access into the danger
zone for any of the robots. This concept is shown in FIGURE 6.

FIGURE 6 Automatic changeover of robotic gripper

Other safety measures resulting from the risk assessment included enhancements of the
diagnostic systems. FIGURE 7 shows the overall improvements in E-Line safety systems as a
result of application of the risk assessment model. The main guarding system is a mixture
of rising screen interlocking safeguards and photoelectric devices.
Specific design safety measures resulting from risk assessment include the following:

Modification of all 5 mechanical presses, taking account of (EN 692, 1998; EN 982, 1996).
Selection of Category 4 safety-related parts of the control system according to (EN 954-1,
1996; EN 60204-1, 1996).
Software design to Safety Integrity Level (SIL) 3 according to (IEC 61508, 2000). Part
handling is broken down into logic steps, using sequencers from process start to process
finish.
Fixed and rising screen safeguards around zones F and L, and rising screen guards between
presses. The rising screen guards are interlocked with the process control system, taking
account of (EN 1088, 1996), which is equivalent to type II protection according to (EN 201,
1997).
Design of the photoelectric devices in accordance with (EN 999, 1996; EN 50100-1, 1996).

[FIGURE 7 Safety systems design: the E-Line layout of FIGURE 4 with the free-standing posts and light beam posts of the photoelectric devices marked around the zones, including the loading zones C, E and F and zones B, G, H, I, J and K.]


The above example also shows that, in addition to the reduction of risks, significant
improvements in productivity have been achieved. These have included the following:

Average press strokes = 8 per minute
Average die changeover time < 3 minutes
Offline setting time < 30 minutes

The above productivity level is regarded as world class performance.

6. Conclusions

This paper proposes a tool and methodology to provide practical guidance to machine/system
designers on integrating health and safety at the design stage. A model based on risk assessment was
developed which takes into account relevant EU Product Directives and harmonised machinery
safety standards to assist the designer in selecting the most appropriate safety integrity levels for
safeguards, safety devices and control systems with safety-related functions.
A case study was used to demonstrate the methodology, which shows that, in addition to
demonstrating compliance with relevant health & safety legislation, improved productivity,
reduced downtime and world class performance can be achieved.

7. References

ANSI B11 Technical Report #3 (2000) Risk assessment - A guideline to estimate, evaluate and reduce risks
associated with machine tools. Draft.
Belloy, P., 1994. Intégration des connaissances métier dans la conception : un modèle pour les pièces mécaniques.
Application à l'usinage et à l'estampage. Ph.D. Report, Université Joseph Fourier Grenoble 1, France.
Bernard, A., 1999. Modèles de produit et de processus, PRIMECA, Université d'Automne, Nancy, 20-22 Oct.
1999, published in European Journal of Automatic Systems.
Chapa Kasusky, E.C., 1997. Outils et structure pour la coopération formelle et informelle dans un contexte de
conception holonique. Ph.D. Thesis. Institut National Polytechnique de Grenoble. Laboratoire des Sols, Solides,
Structures de Grenoble, France.
Constant, D., 1996. Contribution à la spécification d'un modèle fonctionnel de produits pour la conception intégrée
des systèmes mécaniques. Ph.D. Thesis. Université Joseph Fourier-Grenoble 1, France.
EN 292-1 (1991), European Standard, Safety of machinery, Basic concepts, general principles of design, Part 1:
Basic terminology, methodology. European Committee for Standardization, Brussels, December 1991.
EN 1050 (1997), European Standard, Safety of machinery, Principles for risk assessment. European Committee for
Standardization, Brussels, January 1997.
EN 954-1 (1996), European Standard, Safety of machinery, Control systems with safety-related functions.
European Committee for Standardization, Brussels, January 1996.
IEC 61508 (2000), Electrical, electronic and programmable electronic systems with safety-related functions.
Eynard, B., 1999. Modélisation du produit et des activités de conception : contribution à la conduite et à la
traçabilité du processus d'ingénierie. Ph.D. Report. Université Bordeaux I, Ecole Doctorale des Sciences
Physiques et de l'Ingénieur, Bordeaux, France.
Fadier, E., Ciccotelli, J., 1998. Integrating Safety into the Design of Industrial System: a General Overview. In
Proceedings of the 9th IFAC Symposium on Information Control in Manufacturing, Nancy, France, June 24-26,
1998, pp. 233-239.
Fadier, E., Ciccotelli, J., 1999. How to Integrate Safety in Design: Methods and Models. Journal of Human Factors
and Ergonomics in Manufacturing. Vol. 9 (4). John Wiley & Sons, Inc. pp. 367-380.
Harani, Y., 1997. Une approche Multi-Modèles pour la capitalisation des connaissances dans le domaine de la
conception. Ph.D. Thesis. Institut National Polytechnique de Grenoble, Laboratoire de Génie Industriel et de
Production Mécanique, Grenoble, France.
Hasan, R., Ciccotelli, J., Bernard, A., Martin, P., 2000. Representation and evaluation of risks during the design
phase of a complex system. In Proc. of ESREL 2000, Foresight and Precaution, Cottam, Harvey, Pape & Tate
(eds), Rotterdam, Netherlands, 2000, pp. 141-147, ISBN 90-5809-140-6.
Raafat, H. (1996), Machinery Safety: the risk-based approach. Technical Communications (Publishing) Ltd., 1996,
ISBN 1 85953 006.
Raafat, H. and Nicholas, R. (1999), Analysis of the Degree of Machinery Suppliers with EU Requirements.
Volume 3, Issue 1, J. Inst. of Occupational Safety and Health.
Sellini, F., 1999. Contribution à la représentation et à la vérification de modèles de connaissance produit en
ingénierie d'ensembles mécaniques. Ph.D. Report. Ecole Centrale Paris. Génie Industriel, Informatique,
laboratoire ISMCM GRIIEM, Paris, France.
Wagner, M., 1988. Controlling Risks at the Design Stage: Contribution of Human Factors. In Proc. of the Int. Conf.
on Safety of Industrial Automated System, IRSST Ed., Montreal, Canada, 5-7 Oct. 1999, pp. 96-112.