Wednesday, June 29, 2011

Tipper Tie Chooses the PNOZ Multi for Safety

As the premier supplier of packaging, clipping, and clip machinery throughout the world, Tipper Tie is committed to sustaining a leading edge position in automation and safety for its customers. Recognizing the importance of safety for both customers and its employees, Tipper Tie has chosen to partner with Pilz Automation Safety, also a world leader in its field, to achieve a high level of safety integrity that Tipper Tie’s customers and employees have come to expect.

The challenges in meeting today’s safety standards are more difficult than ever. And meeting those standards in the most effective and efficient manner can be particularly complex. Rising to this challenge, Pilz Automation Safety’s PNOZ Multi safety controller was selected as the optimal safety solution for monitoring devices such as safety gate interlocks and emergency stop buttons. Pilz Automation Safety’s PNOZ Multi family provides the ultimate in flexibility and simplicity and facilitates a very powerful safety positioning for Tipper Tie’s target markets.

The flexibility and expandability of a programmable safety relay controller, such as the Pilz PNOZ Multi, translates into a common and scalable safety solution that is capable of meeting a variety of safety challenges on any machine design. It also affords a platform on which Tipper Tie could design changes to accommodate changing market requirements. Moreover, Pilz’s PNOZ Multi features usable diagnostic information which is unmatched by any other product offering. Thus, Tipper Tie is assured that its customers have the maximum safety flexibility and machine availability. Lastly, the PNOZ Multi’s ability to communicate over an Ethernet based network is a feature that helps Tipper Tie to distribute diagnostic information from the PNOZ Multi to a variety of HMIs and PLCs. This capability gives machinery operators the ability to easily determine machine safety status. It also optimizes troubleshooting processes to minimize engineering and technician resources.

Tipper Tie is the premier packaging, clipping, and clip machinery company throughout the world and it has chosen Pilz’s PNOZ multi as an important safety controller in its machine design. Attached are two photos highlighting Tipper Tie’s use of this controller in a panel and an HMI image.

Tuesday, June 28, 2011

Manipulation of Safe Guards: What can designers do?

Designing safety-related machinery means more than simply complying with regulations and other legal stipulations. Consulting the relevant regulations and standards, dismissively asking “Where does it say that?!” – to ensure that only those safety measures that are strictly necessary are implemented – is no substitute for deep consideration of solutions that are not only right for safety and right for people, but are also fit for purpose.

Most of all, designers must be more sensitive to operators' demands for operability of machines and safety devices and provide a serious response, because their demands are based on practical experience. This does not make the safety-related design more difficult, but is the basis on which to build user-friendly, safety-related machinery. It's essential that the actual development and design is preceded by a detailed, candid analysis of the operational requirements, the results of which are recorded in a binding requirement specification. If not, the situation may arise in which the machine and its incorporated safety measures are not accepted. What's more, they could provoke users into creating "new ideas", which are mostly not in the spirit of health and safety. These in turn could conjure up a whole new set of hazards, which were far from the minds of the original designers.

Experience shows that the first part of this challenge can be met at reasonable cost and with a sufficient level of success through systematic troubleshooting, using function structures and signal flow paths. As for the second part of the task, counteracting manipulation attempts, designers must rely on their tried and trusted methods, as with any other design task. After all, safety-related design is hardly a dark art!

Nonetheless: Manipulation rarely occurs voluntarily; it usually indicates that machine and operating concepts are not at their optimum. Conduct contrary to safety should always be anticipated when:
  • Work practices demand actions which do not have a direct, positive impact on outcomes
  • Work practices enforce constant repetition of the same work steps, or fresh approaches are always required in order to achieve work targets
  • Safeguards restrict the line of vision and room for maneuvering required to perform the activity
  • Safeguards impede or even block the visual/auditory feedback required to work successfully
  • Troubleshooting and fault removal are impossible when the safeguards are open

In other words: Manipulations must always be anticipated when restricted machine functions or unacceptable difficulties tempt, even force, the machine user to “improve” safety concepts. Manufacturers must design protective measures so that the functionality and user friendliness of the machine are guaranteed at a tolerable, acceptable level of residual risk: predict future manipulation attempts, use design measures to counteract them and at the same time improve machine handling.

The obligations of machine manufacturers are threefold:
  1. Anticipate reasons and incentives for manipulation, remove the temptation to defeat interlocks by creating well thought-out operating and safety concepts for machinery.
  2. Make manipulation difficult by design, e. g. by installing safety switches in accessible areas, using hinged switches, attaching safety switches and their actuators with non-removable screws, etc.
  3. Under the terms of the monitoring obligation specified in the Geräte- und Produktsicherheitsgesetz [German equipment and product safety law], systematically identify and rectify any deficiencies through rigorous product monitoring with all operators (reports from customer service engineers and spare part deliveries are sometimes very revealing in this respect!).
The client who places the order for a machine can also help to counteract manipulation by talking to the machine manufacturer and candidly listing the requirements in an implementation manual, binding to both parties, and by talking openly about the faults and deficiencies within the process, then documenting this information.

Friday, June 24, 2011

Conduct contrary to safety – What's behind it?

Terminology

Defeat in a simple manner
Render inoperative manually or with readily available objects (e. g. pencils, pieces of wire, bottle openers, cable ties, adhesive tape, metallized film, coins, nails, screwdrivers, penknives, door keys, pliers; but also with tools required for the intended use of the machine), without any great intellectual effort or manual dexterity.

Manipulation
In terms of safety technology: an intentional, unauthorized, targeted and concealed intervention into a machine's safety concept, using tools.

Sabotage
Secret, intentional and malicious intervention into a technical system, in order to harm employees or colleagues. Word's origin:
The wooden shoe (Fr.: sabot) of an agricultural worker or Luddite in the 19th century, which was thrown into a lathe.

When designing and constructing machinery, manufacturers specify what the machines can and should be able to achieve. At the same time they also specify how the user should handle the machine. A successful design involves much more than simply the machine fulfilling its technological function in terms of the output quantity documented in the implementation manual, and the quality and tolerances of the manufactured products. It must also have a coherent safety and operating concept to enable users to implement the machine functions in the first place. The two areas are interlinked, so they ought to be developed and realized in a joint, synchronous operation.

Numerous product safety standards (e. g. EN 1010 or EN 12 717) are now available, offering practical solutions. Nonetheless, planning and design deficiencies are still to be found, even on new machinery. For example:
  • Recurring disruptions in the workflow, brought about for example by deficiencies in the technological design or in the part accuracy (direct quote from a plant engineer: “The greatest contribution design engineers can make to active health and safety is to design the machines to work exactly in the way which was promised at the sale.”)
  • Opportunities for intervention or access, e. g. to remove the necessary random samples, are either difficult or non-existent 
  • Lack of segmented shutdowns with material buffers, so that subsections can be accessed safely in the event of a fault, without having to shut down the entire plant and lose valuable time starting it up again 
Ill-conceived safety concepts are still found in practice on a regular basis. Many errors are made with interlocked safeguards, for example, when:
  • Non-hazardous or frequently operated function elements, e. g. actuators, storage containers, filler holes are installed behind (interlocked) safeguards 
  • The interlock interrupts the hazardous situation quickly and positively when a safeguard is opened, but afterwards the machine or process is unable to continue or must be restarted
Nobody has any doubt that designers act to the best of their knowledge and belief when they design and implement technological functions as well as those functions relating to persons or operators. One can't really blame them for assuming that subsequent users will behave reasonably and correctly when using the machinery. But it's precisely here that caution is advised: Human behavior is mainly benefit-oriented, both in everyday and in working life. People strive to perform the tasks they are given or have set themselves as quickly and as well as necessary, with the least exertion possible.

People will also try to intervene actively in support of a process, if it isn't running quite as it should. They will make every effort to rectify troublesome faults as quickly and simply as possible. If they can't because of the design (and the fault rectification procedure set down in the operating manual), they will find a way out by defeating the interlock, for example. They will often regard the additional work as a personal misfortune for the smooth performance of their work function. By defeating the safety measures that have been provided the procedure is much less complex, and is therefore seen as a success. Successful behavior tends to be repeated until it is reinforced as a habit, which in this case is unfortunately contrary to safety and indeed dangerous.

The more such rule breaches are tolerated at management level and go unsanctioned, the greater the probability that the rules will continue to be breached without punishment. Incorrect conduct becomes the new, informal rule. For over the course of time, the awareness of the risks that are being taken will lessen and those involved become convinced that they have mastered the potential hazards through vigilance. But the risk is still there; it's just waiting for its chance to strike.

There's no question that the factors that trigger an accident seem initially to rest with the conduct of those affected. However, design errors on the machine encourage the misconduct that's so dangerous (even life threatening) to those involved. Such machines do not comply with the EC Machinery Directive. In other words: It is the manufacturer's responsibility to design protective measures in such a way that they provide a sufficient level of safety, in accordance with the determined risk, while still guaranteeing the functionality and user friendliness of the machine. Ultimately it is always better to accept a calculable, acceptable residual risk with a carefully thought out safety concept, tailored to the practical requirements, than to expose the machine operator to the full risk of insecure processes following successful manipulation.

Monday, June 20, 2011

Manipulation of safeguards

Dealing with safeguards and their manipulation is an issue in which the true causes have long been largely taboo. It's a situation that's difficult to understand, for without negative feedback, where can you start to make positive changes in the design of plant and machinery?
This situation has now changed: the confederation of commercial trade associations has published a study showing that safety equipment had been manipulated on almost 37 % of the metal processing machinery examined. In other words: in a good third of cases, manipulations have been detected and examined, although it's safe to assume that the unreported number may be somewhat higher.
One fact that hasn't changed, however, is the number of accidents recurring on machinery on which the safeguards are manipulated, as the BG bulletins regularly show. The report also reveals that in at least 50 % of all cases, the reasons for manipulation can be traced right back to the design departments.
The legal position is clear: European and domestic law (e. g. EC Machinery Directive, EN standards, Geräte- und Produktsicherheitsgesetz [German equipment and product safety law]) mean that it is the responsibility of machine manufacturers only to place on the market products that have an adequate level of safety. Manufacturers must establish all the potential hazards on all their machines in advance and assess the associated risks. They are responsible for developing a safety concept for the respective products, implementing that concept and providing the relevant documentation, based on the results of the hazard analysis and risk assessment. Potential hazards must not be allowed to impact negatively on subsequent users, third parties or the environment. Any reasonably foreseeable misuse must also be included. Operating instructions should also clearly define the products' intended use and prohibit any known improper uses.
Design engineers must therefore make reasoned decisions regarding situations in which events may be above and beyond what you would normally expect. This is a subject which is generally familiar and is considered these days, as CE marking clearly shows. Or is it? Despite the formal declarations from manufacturers that they themselves have taken responsibility for complying with all the essential health and safety requirements, behavior-based accidents continue to occur on machinery. Although the plant or machinery complies with the formal specifications, the design still failed to meet needs or satisfy safety requirements.
Design engineers should never underestimate the technical intelligence and creativity of machine users, and how dubious practices for defeating safeguards can be revealed: It begins with crude but effective access to the mechanical structure of the signal flow chain and extends to skillfully filed keys for type 2 safety switches. It includes loosened, positive-locking shaft/hub connections on switch cams, which are difficult to detect, as well as sophisticated short and cross circuits and disguised, carefully hidden but rapidly accessible override switches in N/C / N/O combinations, in the connection lead between the control system and the safety switch. This is only a small sample of the manipulations that are detected; it is by no means all.
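The short and cross circuits described above are exactly what a two-channel (antivalent N/C + N/O) interlock evaluation with a discrepancy time is meant to catch, and the resulting fault entry is the kind of diagnostic information the earlier PNOZ Multi post says operators and HMIs benefit from. The following simulation is an added example written for this page, not Pilz code and not the logic of any particular safety relay: the discrepancy window of 500 ms, the `GateMonitor` class and the two sample traces are all constructed assumptions. One trace is a healthy gate cycle; the other models a bridged N/C contact, which shows up as a channel discrepancy that outlives the window and latches the monitor into a fault requiring inspection.

```python
"""Two-channel antivalent safety-gate monitor with discrepancy-time check.

Constructed example (not Pilz code). Channel A is an N/C contact (circuit
closed = gate closed); channel B is an N/O contact (circuit open = gate
closed). In a healthy installation the two derived gate states agree except
for a brief window while the gate is moving. A bridged contact, a cross
circuit between the channels, or a stuck channel makes the derived states
disagree for longer than the window, which is latched as a fault and logged
as a diagnostic entry. A manipulation that forges BOTH channels consistently
cannot be distinguished from a closed gate by this monitor alone; that is
precisely why the post argues for removing the incentive at the design stage.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

DISCREPANCY_MS = 500  # assumed discrepancy time; real relays are configurable


class State(Enum):
    STOP = "stop"    # gate open or monitor just started: enable output off
    RUN = "run"      # gate closed on both channels: enable output on
    FAULT = "fault"  # channel discrepancy exceeded window: latched, needs reset


@dataclass(frozen=True)
class Sample:
    t_ms: int         # time stamp in milliseconds
    nc_closed: bool   # channel A (N/C contact) circuit closed?
    no_closed: bool   # channel B (N/O contact) circuit closed?


@dataclass
class GateMonitor:
    state: State = State.STOP
    discrepancy_since: Optional[int] = None
    diagnostics: List[str] = field(default_factory=list)

    def step(self, s: Sample) -> bool:
        """Evaluate one input sample; return the enable output (True = run)."""
        if self.state is State.FAULT:
            return False                      # latched until a manual reset
        closed_a = s.nc_closed                # N/C closed  -> gate closed
        closed_b = not s.no_closed            # N/O open    -> gate closed
        if closed_a != closed_b:
            # Channels disagree: the first channel reporting 'open' already
            # drops the enable; if the disagreement outlives the window it is
            # not a moving gate but a wiring fault or a defeated contact.
            if self.discrepancy_since is None:
                self.discrepancy_since = s.t_ms
            elif s.t_ms - self.discrepancy_since > DISCREPANCY_MS:
                self.state = State.FAULT
                self.diagnostics.append(
                    f"t={s.t_ms}ms: channel discrepancy > {DISCREPANCY_MS}ms "
                    f"(N/C channel says gate {'closed' if closed_a else 'open'}, "
                    f"N/O channel says gate {'closed' if closed_b else 'open'}); "
                    "inspect wiring and contacts before reset")
                return False
            self.state = State.STOP
            return False
        self.discrepancy_since = None
        self.state = State.RUN if closed_a else State.STOP
        return self.state is State.RUN

    def reset(self) -> None:
        """Manual reset after the cause of a fault has been inspected."""
        self.state = State.STOP
        self.discrepancy_since = None


def run_trace(samples: List[Sample]) -> Tuple[State, List[bool], List[str]]:
    """Feed a trace through a fresh monitor; return final state, enables, log."""
    monitor = GateMonitor()
    enables = [monitor.step(s) for s in samples]
    return monitor.state, enables, monitor.diagnostics


# Constructed traces (not captured from real equipment).
HEALTHY_CYCLE = [
    Sample(0, True, False),      # gate closed: N/C closed, N/O open
    Sample(100, True, False),
    Sample(200, False, False),   # opening: N/C opens first (100 ms skew)
    Sample(300, False, True),    # N/O now closed: both channels say 'open'
    Sample(1000, False, True),
    Sample(1100, False, False),  # closing: N/O opens first
    Sample(1200, True, False),   # gate closed again on both channels
]

BRIDGED_NC = [
    Sample(0, True, False),      # gate closed
    Sample(100, True, True),     # gate opened, but N/C is bridged: still 'closed'
    Sample(300, True, True),
    Sample(700, True, True),     # 600 ms of discrepancy -> fault latched
    Sample(900, True, False),    # gate physically closed again; still latched
]

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY_CYCLE), ("bridged N/C", BRIDGED_NC)):
        state, enables, diag = run_trace(trace)
        print(name, state.value, enables, diag)
```

In the healthy trace the enable output drops as soon as the first channel reports the gate open and returns once both channels agree the gate is closed; in the bridged trace the monitor never re-enables, and the diagnostic entry is what would be forwarded to the HMI so the cause can be inspected rather than guessed.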
Design engineers should also consider that machine workers generally have a fair level of technical understanding and manual dexterity and also have considerably more time to become annoyed at ill-conceived operating and safety concepts and consider effective “improvements” than the designers had in their development and implementation. Quite often the designers will have relied purely on the normative specifications, without being aware of the realistic, practical requirements.
The task of working out potential manipulations in advance is therefore contradictory: Design engineers with little experience in this area are supposed to simulate the imagination and drive of the machine operators, who may frequently work under pressure but still have enough time and energy to work out alternative solutions. They are supposed to incorporate their expertise into their designs and, under today's usual time constraints, convert this into safety measures which are manipulation-proof. A task that's not always easy to resolve.
BGIA has developed a check list of manipulation incentives, which performs a valuable service in predicting potential manipulations. From the author's point of view, however, enormous progress would be made if designers in future would increasingly put themselves in the user's position and honestly and candidly ask themselves what they would do with the available operating and safety concept.