Showing posts with label manipulation of safeguards. Show all posts

Wednesday, July 6, 2011

User-Friendly Guards

It's important to recognize that safeguards – even interlocked guards – are always willingly accepted and are not manipulated when they do not obstruct but actually support or even simplify the workflow. Faults in the safety concept which force operators to manipulate safeguards are genuine design faults, for which the machine manufacturer is liable in some circumstances. Safety-related solutions with an acceptable residual risk must be put in place, not just for fault-free normal operation, but also for setup, testing, fault removal and troubleshooting.

Simply to make manipulation attempts more difficult on a technical level, as laid out in the supplement to EN 1088 for example, only appears to solve the problem. For if there is enough pressure, a “solution” will be found. It's more important to eliminate the reason for manipulation. What's needed is not excessive functionality (even in terms of safety technology), but user friendliness. If there's any doubt as to whether the safety concept is adequate, it's recommended that you seek expert advice from the relevant employer's liability insurance association or from the safety component manufacturer.

Guards use physical barriers to stop people and hazardous situations coinciding in time and space. Their essential design requirements are stated in EN 953 and EN 1088. Safety-related and ergonomic aspects must be taken into account alongside questions regarding the choice of materials and consideration of mechanical aspects such as stability. These factors are decisive, not just in terms of the quality of the guard function but also in determining whether the safeguards, designed and constructed at considerable expense, will be used willingly by employees or be defeated and even manipulated.

Experience shows that despite all the protestations, almost every safeguard has to be removed or opened at some point over the course of time. When safeguards are opened, it's fundamentally important that hazards are avoided where possible and that employees are protected from danger. The reason for opening, the frequency of opening and the actual risk involved in carrying out activities behind open safeguards (see the following illustrations) will determine the procedures used to attach and monitor safeguards.

Where safeguards are opened as a condition of operation or more frequently (for example: at least once per shift), this must be possible without using tools. Where there are hazardous situations, use of an interlock or guard locking device must be guaranteed. Further protective measures must be adjusted to suit the resulting risk and the drive/technological conditions, to ensure that the activities which need to be carried out while the safeguards are open can be performed at an acceptable level of risk. This procedure conforms to the EC Machinery Directive. It allows work to be carried out while the safeguards are open as a special operating mode and gives this practice a legal basis.

Just some final words in conclusion for all designers: Designing interlocks so that absolutely no movement of the machine or subsections is possible once the safeguard has been opened actually encourages the type of conduct which is contrary to safety and, ultimately, leads to accidents. Nevertheless it is the causes you have to combat, not the people. If a machine does not operate as intended, users will feel they have no choice but to intervene. In all probability, the machine will “reciprocate” some time with an accident. Which is not actually what it was designed to do!

Tuesday, June 28, 2011

Manipulation of Safe Guards: What can designers do?

Designing safety-related machinery means more than simply complying with regulations and other legal stipulations. Consulting the relevant regulations and standards, dismissively asking “Where does it say that?!” – to ensure that only those safety measures that are strictly necessary are implemented – is no substitute for deep consideration of solutions that are not only right for safety and right for people, but are also fit for purpose.

Most of all, designers must be more sensitive to operators' demands for operability of machines and safety devices and provide a serious response, because their demands are based on practical experience. This does not make the safety-related design more difficult, but is the basis on which to build user-friendly, safety-related machinery. It's essential that the actual development and design is preceded by a detailed, candid analysis of the operational requirements, the results of which are recorded in a binding requirement specification. If not, the situation may arise in which the machine and its incorporated safety measures are not accepted. What's more, they could provoke users into creating "new ideas", which are mostly not in the spirit of health and safety. These in turn could conjure up a whole new set of hazards, which were far from the minds of the original designers.

Experience shows that the first part of this challenge can be met at reasonable cost and with a sufficient level of success through systematic troubleshooting, using function structures and signal flow paths. As for the second part of the task, counteracting manipulation attempts, designers must rely on their tried and trusted methods, as with any other design task. After all, safety-related design is hardly a dark art!

Nonetheless: Manipulation rarely occurs voluntarily; it usually indicates that machine and operating concepts are not at their optimum. Conduct contrary to safety should always be anticipated when:
  • Work practices demand actions which do not have a direct, positive impact on outcomes
  • Work practices enforce constant repetition of the same work steps, or fresh approaches are always required in order to achieve work targets
  • Safeguards restrict the line of vision and room for maneuvering required to perform the activity
  • Safeguards impede or even block the visual/auditory feedback required to work successfully
  • Troubleshooting and fault removal are impossible when the safeguards are open

In other words: Manipulations must always be anticipated when restricted machine functions or unacceptable difficulties tempt, even force, the machine user to “improve” safety concepts. Manufacturers must design protective measures so that the functionality and user friendliness of the machine are guaranteed at a tolerable, acceptable level of residual risk: predict future manipulation attempts, use design measures to counteract them and at the same time improve machine handling.

The obligations of machine manufacturers are threefold:
  1. Anticipate reasons and incentives for manipulation, remove the temptation to defeat interlocks by creating well thought-out operating and safety concepts for machinery.
  2. Make manipulation difficult by design, e. g. by installing safety switches in accessible areas, using hinged switches, attaching safety switches and their actuators with non-removable screws, etc.
  3. Under the terms of the monitoring obligation specified in the Geräte- und Produktsicherheitsgesetz [German equipment and product safety law], systematically identify and rectify any deficiencies through rigorous product monitoring with all operators (reports from customer service engineers and spare part deliveries are sometimes very revealing in this respect!).

The client who places the order for a machine can also help to counteract manipulation by talking to the machine manufacturer and candidly listing the requirements in an implementation manual, binding to both parties, and by talking openly about the faults and deficiencies within the process, then documenting this information.

Friday, June 24, 2011

Conduct contrary to safety – What's behind it?

Terminology

Defeat in a simple manner
Render inoperative manually or with readily available objects (e. g. pencils, pieces of wire, bottle openers, cable ties, adhesive tape, metallized film, coins, nails, screwdrivers, penknives, door keys, pliers; but also with tools required for the intended use of the machine), without any great intellectual effort or manual dexterity.

Manipulation
In terms of safety technology: an intentional, unauthorized, targeted and concealed intervention into a machine's safety concept, using tools.

Sabotage
Secret, intentional and malicious intervention into a technical system, in order to harm employees or colleagues. Word's origin: The wooden shoe (Fr.: sabot) of an agricultural worker or Luddite in the 19th century, which was thrown into a lathe.

When designing and constructing machinery, manufacturers specify what the machines can and should be able to achieve. At the same time they also specify how the user should handle the machine. A successful design involves much more than simply the machine fulfilling its technological function in terms of the output quantity documented in the implementation manual, and the quality and tolerances of the manufactured products. It must also have a coherent safety and operating concept to enable users to implement the machine functions in the first place. The two areas are interlinked, so they ought to be developed and realized in a joint, synchronous operation.

Numerous product safety standards (e. g. EN 1010 or EN 12 717) are now available, offering practical solutions. Nonetheless, planning and design deficiencies are still to be found, even on new machinery. For example:
  • Recurring disruptions in the workflow, brought about for example by deficiencies in the technological design or in the part accuracy (direct quote from a plant engineer: “The greatest contribution design engineers can make to active health and safety is to design the machines to work exactly in the way which was promised at the sale.”)
  • Opportunities for intervention or access, e. g. to remove the necessary random samples, are either difficult or non-existent 
  • Lack of segmented shutdowns with material buffers, so that subsections can be accessed safely in the event of a fault, without having to shut down the entire plant and lose valuable time starting it up again 

Ill-conceived safety concepts are still found in practice on a regular basis. Many errors are made with interlocked safeguards, for example, when:
  • Non-hazardous or frequently operated function elements, e. g. actuators, storage containers, filler holes are installed behind (interlocked) safeguards 
  • The interlock interrupts the hazardous situation quickly and positively when a safeguard is opened, but afterwards the machine or process is unable to continue or must be restarted

Nobody has any doubt that designers act to the best of their knowledge and belief when they design and implement technological functions as well as those functions relating to persons or operators. One can't really blame them for assuming that subsequent users will behave reasonably and correctly when using the machinery. But it's precisely here that caution is advised: Human behavior is mainly benefit-oriented, both in everyday and in working life. People strive to perform the tasks they are given or have set themselves as quickly and as well as necessary, with the least exertion possible.

People will also try to intervene actively in support of a process, if it isn't running quite as it should. They will make every effort to rectify troublesome faults as quickly and simply as possible. If they can't because of the design (and the fault rectification procedure set down in the operating manual), they will find a way out by defeating the interlock, for example. They will often regard the additional work as a personal misfortune for the smooth performance of their work function. By defeating the safety measures that have been provided the procedure is much less complex, and is therefore seen as a success. Successful behavior tends to be repeated until it is reinforced as a habit, which in this case is unfortunately contrary to safety and indeed dangerous.

The more such rule breaches are tolerated at management level and go unsanctioned, the greater the probability that the rules will continue to be breached without punishment. Incorrect conduct becomes the new, informal rule. For over the course of time, the awareness of the risks that are being taken will lessen and those involved become convinced that they have mastered the potential hazards through vigilance. But the risk is still there; it's just waiting for its chance to strike.

There's no question that the factors that trigger an accident seem initially to rest with the conduct of those affected. However, design errors on the machine encourage the misconduct that's so dangerous (even life threatening) to those involved. Such machines do not comply with the EC Machinery Directive. In other words: It is the manufacturer's responsibility to design protective measures in such a way that they provide a sufficient level of safety, in accordance with the determined risk, while still guaranteeing the functionality and user friendliness of the machine. Ultimately it is always better to accept a calculable, acceptable residual risk with a carefully thought out safety concept, tailored to the practical requirements, than to expose the machine operator to the full risk of insecure processes following successful manipulation.

Monday, June 20, 2011

Manipulation of safeguards

Dealing with safeguards and their manipulation is an issue in which the true causes have long been largely taboo. It's a situation that's difficult to understand, for without negative feedback, where can you start to make positive changes in the design of plant and machinery?
This situation has now changed: the confederation of commercial trade associations has published a study showing that safety equipment had been manipulated on almost 37 % of the metal processing machinery examined. In other words: in a good third of cases, manipulations have been detected and examined, although it's safe to assume that the unreported number may be somewhat higher.
One fact that hasn't changed, however, is the number of accidents recurring on machinery on which the safeguards are manipulated, as the BG bulletins regularly show. The report also reveals that in at least 50 % of all cases, the reasons for manipulation can be traced right back to the design departments.
The legal position is clear: European and domestic law (e. g. EC Machinery Directive, EN standards, Geräte- und Produktsicherheitsgesetz [German equipment and product safety law]) mean that it is the responsibility of machine manufacturers only to place on the market products that have an adequate level of safety. Manufacturers must establish all the potential hazards on all their machines in advance and assess the associated risks. They are responsible for developing a safety concept for the respective products, implementing that concept and providing the relevant documentation, based on the results of the hazard analysis and risk assessment. Potential hazards must not be allowed to impact negatively on subsequent users, third parties or the environment. Any reasonably foreseeable misuse must also be included. Operating instructions should also clearly define the products' intended use and prohibit any known improper uses.
Design engineers must therefore make reasoned decisions regarding situations in which events may be above and beyond what you would normally expect. This is a subject which is generally familiar and is considered these days, as CE marking clearly shows. Or is it? Despite the formal declarations from manufacturers that they themselves have taken responsibility for complying with all the essential health and safety requirements, behavior-based accidents continue to occur on machinery. Although the plant or machinery complies with the formal specifications, the design still failed to meet needs or satisfy safety requirements.
Design engineers should never underestimate the technical intelligence and creativity of machine users, and how dubious practices for defeating safeguards can be revealed: It begins with crude but effective access to the mechanical structure of the signal flow chain and extends to skillfully filed keys for type 2 safety switches. It includes loosened, positive-locking shaft/hub connections on switch cams, which are difficult to detect, as well as sophisticated short and cross circuits and disguised, carefully hidden but rapidly accessible override switches in N/C / N/O combinations, in the connection lead between the control system and the safety switch. This is only a small sample of the manipulations that are detected; it is by no means all.
Design engineers should also consider that machine workers generally have a fair level of technical understanding and manual dexterity and also have considerably more time to become annoyed at ill-conceived operating and safety concepts and consider effective “improvements” than the designers had in their development and implementation. Quite often they will have been reliant purely on the normative specifications, without being aware of the realistic, practical requirements.
The task of working out potential manipulations in advance is therefore contradictory: Design engineers with little experience in this area are supposed to simulate the imagination and drive of the machine operators, who may frequently work under pressure but still have enough time and energy to work out alternative solutions. They are supposed to incorporate their expertise into their designs and, under today's usual time constraints, convert this into safety measures which are manipulation-proof. A task that's not always easy to resolve.
BGIA has developed a check list of manipulation incentives, which performs a valuable service in predicting potential manipulations. From the author's point of view, however, enormous progress would be made if designers in future would increasingly put themselves in the user's position and honestly and candidly ask themselves what they would do with the available operating and safety concept.

Wednesday, January 20, 2010

The must have book to keep manufacturing employees safe, profits up and compliance with OSHA


Due to the downsizing many manufacturers have experienced, engineering responsibilities have increased into areas like controls and safety; this free book will help them understand how to make their plants and machines safe and compliant.

Machine safety encompasses everything from incorporating guards to designing safe motion into machines. Topics include: standards, directives and laws; safeguards; safe control technology; safe communication; and safe motion. Inside you will find diagrams, charts and examples as well as equations that will aid in ensuring employee safety.

The book has been authored by eleven leading practitioners in the safety field. They include Pilz engineers, international academic lecturers and lawyers from manufacturing law firms.

This compendium answers questions such as what you must know in order to export machines to Europe; it addresses the Machinery Directive changes and CE Marking.


Topics like guarding, protective devices, fixed guards, movable guards, optoelectronic protective devices and design of safeguards are discussed. Pictures of undetected faults in safety circuits and how to connect safety gates are also reviewed. The Compendium contains diagrams of wiring, discussions of items like light curtains and formulas engineers need to know when making machines safe. Concepts such as functional safeguards are also reviewed. Review and understand the terminology related to ‘manipulation of safeguards’, how and why it is done and what you can do to prevent it.

Other topics include safety relays; configurable safety relays and how safety is an integral part of the overall plant and machine function. Basic principles of safety-related communication are given as well as safe fieldbus communication principles and safe Ethernet communication definitions. Principles of safe motion are also reviewed.

To receive a free copy of The New Safety Compendium visit pilz.us, enter webcode 3000.