NHP SAFETY REFERENCE GUIDE AS 4024 Whitepaper 1. WHITEPAPER

Post on 05-Jul-2020



Safety White Paper AS 4024

5 Step Process

The process takes you through five general steps:

Step 1 Risk Assessment: the process of identifying hazards and assessing the risk from those hazards.

Step 2 Deciding what risk reduction measures will be implemented to eliminate the hazards or reduce the risk.

Step 3 Specify the safety requirements, which consist of the safety functions and the safety category to which these safety systems will be designed.

Step 4 Design the safety system according to the specifications from step 3, and verify at each stage that the design meets the requirements.

Step 5 Validate the system against the requirements developed.

Risk Assessment

Risk Assessment is the first step in the process of achieving safety for machinery. Risk assessment is the task of identifying what hazards exist and what risk those hazards present. From this point it can be decided whether risk reduction is needed to minimise the risk.

Information required to carry out the risk assessment should include:

a) Design drawings and other information to establish the nature of the machinery.

b) Information concerning the power supply.

c) Any accident history.

d) Any information on the damage to health.

The absence of accident history, a small number of accidents or a low severity of accidents shall not be taken as an automatic presumption of a low risk.

Risk Assessment is a process that includes the following steps:

a) Risk Analysis:

i. Determination of Limits of Machine

ii. Hazard Identification

iii. Risk Estimation.

b) Risk Evaluation: Whenever necessary the process of risk assessment is followed by risk reduction, see Figure 2 – Risk Assessment Process.

Figure 1: Iterative process for the design of safety systems (flow chart). Step 1: hazard analysis and risk assessment at the machine. Step 2: decide measures for risk reduction, by design, by safeguarding (protective devices, control system, other measures) or by control means. Step 3: specify safety requirements in terms of characteristics of safety functions, realisation of safety functions and selection of categories. Step 4: design SRCS, with verification at each stage. Step 5: validation.

NHP Safety Reference Guide > NON APR > 1. Safety Whitepapers 1-3


Risk Assessment (cont)

Determination of Machine Limits

The following information should be considered for the risk assessment process:

a) Phases of the machinery, examples of phases of the machine life cycle include:

i. Construction

ii. Transport

iii. Assembly

iv. Normal operation

v. Maintenance

vi. De-commissioning

b) Limits of the machine, areas of consideration are:

i. Use limits, this includes all operating modes of the machine including reasonably foreseeable misuse

ii. Space limits, this includes the range of movements of the machine and the space requirements for installation

iii. Time limit, this considers the life limit for the machine and its components

c) Identify the user characteristics, this includes the sex, age, limiting physical abilities, level of expertise, etc.

d) Determine hazard exposure to other people, e.g. is the machine exposed to the public or near a common walkway

(AS 4024.1301 2006 Section 6)

Hazard Identification

The second step in the Risk Assessment process is identifying the hazards that exist from the machinery. Only when the hazards have been identified can the risk be estimated and then reduced to an acceptable level. When identifying hazards the following should be considered:

a) Human interaction during the complete lifecycle of the machine.

b) Possible states of the machine, which include malfunction.

c) Unintended behaviour of operator or reasonably foreseeable misuse.

(AS 4024.1201 2006 Section 6.3)

What is a Hazard?

The simple description for a hazard is a “potential source of harm” (AS 4024.1201 2006 Section 4.13), examples of typical hazards are:

a) Mechanical hazards, these hazards are associated with the machine’s parts, surfaces, tools or projected materials. Some common types are:

i. Crushing

ii. Cutting

iii. Entanglement

iv. Impact

b) Electrical hazards, these hazards cause injury by electrical shock or burn resulting from electrical phenomena that may include:

i. Contact of person to live parts of machine

ii. Insulation not suitable for application

iii. Thermal radiation

iv. Projected molten particles or chemical effects from short-circuits or overloads

Consideration must also be given to potential sources of harm that result from the surprise of electrical shock, e.g. an employee dropping a heavy object when shocked.

c) Thermal hazards, these hazards are burns and scalds from contact with materials of extreme temperature or any health effects from working in a hot or cold environment.

d) Noise hazards, these can result in hearing loss, tinnitus, loss of balance.

Figure 2: Risk Assessment Process (flow chart). Start → Risk analysis (determination of machine limits, hazard identification, risk estimation) → Risk evaluation → "Is the machine safe?": if not, risk reduction and the assessment is repeated; if yes, End. Risk analysis and risk evaluation together make up the risk assessment.


e) Vibration hazards, these hazards can occur when vibrations are transferred to the body through use of machinery and equipment. These vibrations can result in serious disorders and discomfort to the body.

f) Radiation hazards, these hazards can cause injury, some common sources are listed below:

i. Electromagnetic fields

ii. Infra-red light

iii. Laser radiation

iv. X-rays, etc.

g) Substance hazards, these hazards are associated with substances processed, used, produced or exhausted by the machinery, some common types are:

i. Substance ingestion, contact with the skin or inhalation

ii. Combustion of substance

h) Ergonomic hazards, these hazards occur when there is a mismatch of machinery with human characteristics or abilities.

For a more detailed list of common hazards reference AS 4024.1301 2006 Appendix B.

Consideration should be paid to combinations of hazards that may occur at the same time, individually the hazards may seem minor, but when combined their result may be significant.

Hazard Identification Methods:

There are many methods used for hazard identification some common methods are:

a) “What-If Method”

This method is carried out by asking “what-if” questions about the effects of component failures or procedural errors and analysing the results. Involvement of many people, with different experience, is encouraged to achieve the best results.

b) Failure Mode and Effect Analysis

In this method the failure modes of each component are analysed. If a failure has a very low probability of occurrence it may not be analysed in depth; these decisions should be documented.

c) Fault Tree Analysis

Hazardous events are identified, and then all the combinations of failures that lead to each event are shown in a fault tree format. The probability of the individual failures can be calculated, giving the probability of the hazardous event occurring. This method is very useful because it can evaluate the impact of safety measures on the probability of the hazardous event occurring.

For a more detailed description of these and more hazard identification methods reference AS 4024.1301 2006 Appendix A.

(AS 4024.1201 2006 Section 5)
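The fault tree calculation described under c) can be shown on a small tree. The following is an added example, not code or data from the whitepaper or from AS 4024: the tree, the event names and every probability in it are constructed for illustration, and basic events are assumed independent. It evaluates AND gates as the product of their inputs and OR gates as one minus the product of the complements, then shows how adding a second, independent interlock channel changes the probability of the top event, which is the "impact of safety measures" the text refers to.

```python
"""Fault tree evaluation with AND/OR gates, as sketched under 'Fault Tree Analysis'.

Added example (not from the whitepaper or AS 4024). The tree below and all of its
probabilities are constructed for illustration only; they are not data from any
machine or standard. Basic events are assumed independent.
"""
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional


@dataclass
class Event:
    name: str
    prob: Optional[float] = None          # set for basic events only
    gate: Optional[str] = None            # "AND" / "OR" for intermediate events
    inputs: List["Event"] = field(default_factory=list)


def probability(e: Event) -> float:
    """Probability of the event, evaluated bottom-up through the gates."""
    if e.gate is None:
        return e.prob
    ps = [probability(i) for i in e.inputs]
    if e.gate == "AND":          # every input must fail
        return prod(ps)
    if e.gate == "OR":           # any one input failing is enough
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {e.gate!r}")


def build_tree(dual_channel_interlock: bool) -> Event:
    """Constructed tree for the hazardous event 'person contacts running drive'.

    With one interlock channel, 'interlock fails to signal' is a single basic
    event. The safety measure under study adds a second, independent channel,
    so both channels must fail (AND gate) before the stop signal is lost.
    """
    channel1 = Event("interlock channel 1 fails to signal", prob=1e-3)
    if dual_channel_interlock:
        channel2 = Event("interlock channel 2 fails to signal", prob=1e-3)
        interlock = Event("interlock fails to signal", gate="AND",
                          inputs=[channel1, channel2])
    else:
        interlock = channel1
    contactor = Event("contactor fails to drop out", prob=1e-4)
    drive_running = Event("drive still running with guard open", gate="OR",
                          inputs=[interlock, contactor])
    person = Event("person reaches into danger zone while guard open", prob=0.1)
    return Event("person contacts running drive", gate="AND",
                 inputs=[person, drive_running])


def risk_reduction_factor() -> float:
    """How many times less likely the top event is after adding the second channel."""
    return probability(build_tree(False)) / probability(build_tree(True))


if __name__ == "__main__":
    for dual in (False, True):
        top = build_tree(dual)
        label = "dual" if dual else "single"
        print(f"{top.name} ({label} channel): {probability(top):.3e}")
    print(f"reduction factor: {risk_reduction_factor():.1f}")
```

With these constructed figures the second channel improves the top event by roughly an order of magnitude, after which the contactor failure dominates the tree; that is exactly the kind of observation a fault tree is meant to surface before a safety measure is chosen.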

Risk Estimation

After the hazards have been identified the next step is to estimate the risk that each hazard poses. Risk is made up of the following elements:

a) Severity of harm

b) Probability of harm, based on the following criteria:

i. Frequency and duration of exposure to hazard

ii. Probability of event occurring

iii. Possibility of avoiding the hazard

Severity of harm:

Severity of harm considers who or what will be harmed by the hazard e.g. persons, property or environment and the extent of the harm caused e.g. slight, serious, death.

No risk estimation model is specified in AS 4024, thus the Risk Estimation model from IEC 62061 can be used to quantify the severity of harm.

Consequences and Severity (Se):

Irreversible injury: death, losing an eye or limb: Se = 4

Irreversible injury: broken limb(s), losing finger(s): Se = 3

Reversible injury: requiring attention from medical practitioner: Se = 2

Reversible injury: requiring first aid: Se = 1

Table 1: Severity of injury (IEC 62061 risk estimation)

Frequency and duration of exposure:

This element considers the following:

a) Need for access to the danger zone, e.g. repair, maintenance, normal operation

b) Time spent in the danger zone

c) Number of people accessing the danger zone

d) Frequency of access to danger zone

Once again the IEC 62061 model can be used to quantify the frequency and duration. If the duration of exposure is less than 10 minutes, the value of Fr can be decreased one level.


Frequency of Exposure (Fr), for exposure duration > 10 min:

≤ 1 hr: Fr = 5

> 1 hr to ≤ 1 day: Fr = 5

> 1 day to ≤ 2 weeks: Fr = 4

> 2 weeks to ≤ 1 year: Fr = 3

> 1 year: Fr = 2

Table 2: Frequency and duration of exposure (IEC 62061 risk estimation)

Probability of event occurrence:

Probability can be based on accident histories and on comparing the machine with similar machines that may already exist.

The IEC 62061 method classifies the probability of the event occurring in the following way.

Probability of occurrence and Probability (Pr):

Very High: Pr = 5

Likely: Pr = 4

Possible: Pr = 3

Rarely: Pr = 2

Negligible: Pr = 1

Table 3: Probability of occurrence (IEC 62061 risk estimation)

Possibility of avoiding harm:

The possibility can be gauged by considering the following aspects:

a) Ability of the machine user, e.g. skilled person, inexperienced person, etc.

b) Speed of the hazard.

c) Risk awareness, how aware of the risk and possible warning signs is the user.

d) Possibility of the user avoiding the harm, e.g. reflex movement, escape

The IEC 62061 method classifies the possibility of avoiding the hazard in the following way.

Possibility of avoiding the harm (Av):

Impossible: Av = 5

Rarely: Av = 3

Probable: Av = 1

Table 4: Possibility of avoiding the hazard (IEC 62061 risk estimation)

Once all the elements of risk have been classified they can be combined to measure the risk, see Table 5. This tool can be used in the Risk Evaluation step (refer Risk Evaluation section on page 11.). It may also be used to compare the risk after safety measures have been implemented to the initial risk, thus demonstrating what risk reduction has been achieved.

Table 5: Risk Estimation matrix. Rows: Severity (Se) 4, 3, 2, 1. Columns: Class (Cl) 3-4, 5-7, 8-10, 11-13, 14-15. Each cell gives a colour-coded risk level; the cell contents of the printed matrix are not reproduced in this transcript.

The Class (Cl) is calculated by adding the Fr, Pr and Av values together; the risk is then evaluated using the matrix in Table 5. The cell where the Class value and the Severity value intersect represents the amount of risk of the application. It can be seen that a combination of high Severity and high Class results in a “Very High” risk level.

Example: For a specific hazard, the possible injury is a broken arm, the operator must expose himself to the hazard once a week for 15 minutes, the probability of the event occurring is very high and the possibility of the operator avoiding the hazard is extremely low.

Thus;

a) Severity of injury (Se) = 3

b) Frequency and duration (Fr) = 4

c) Probability of event occurring (Pr) = 5

d) Possibility of avoidance (Av) = 5

The Class (Cl) can now be calculated: Cl = Fr + Pr + Av = 14

The intersection of Cl = 14-15 and Se = 3 in Table 5 places the risk in the “Very High” (orange in colour) region.

After risk reduction, safety measures have been put in place to reduce the probability of the event occurring to negligible, thus Pr = 1, and the possible injury has been reduced, through the use of safe design principles, to severe bruising, thus Se = 2. The Class (Cl) is now calculated as Cl = 10. The intersection of Cl = 8-10 and Se = 2 in Table 5 places the risk in the “Low” (light green in colour) region.

Using the Risk Estimation model we have indicated the reduction of the risk by implementing safety measures. The next step is to evaluate if the level of risk is acceptable or if more safety measures are required.
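The risk estimation model above (Tables 1 to 5 and the worked example) can be encoded so that the same classification is applied consistently to every hazard on a machine and the before/after comparison is reproducible. The following is an added example, not NHP's code: Tables 1 to 4 and the Class bands of Table 5 are taken from the text, while the coloured cells of Table 5 are not reproduced in this transcript, so the lookup `TABLE5_KNOWN` is a constructed, partial table holding only the two cells the worked example states (Se = 3 with Cl = 14 is "Very High", Se = 2 with Cl = 10 is "Low") and returns None for every other cell. The clamp of Fr at 1 after the 10-minute reduction is also this example's assumption; the text only says the value "can be decreased one level".

```python
"""Risk estimation in the IEC 62061 style described in the whitepaper.

Added example (not NHP's code). Tables 1 to 4 and the Class bands of Table 5
are taken from the text. The coloured cells of Table 5 are not reproduced in
the transcript, so only the two cells quoted in the worked example are filled
in here (a constructed, partial lookup); every other cell returns None.
"""
from typing import Optional

# Table 1: Severity of injury (Se), keyed by consequence category.
SEVERITY = {
    "irreversible: death, loss of eye or limb": 4,
    "irreversible: broken limb(s), loss of finger(s)": 3,
    "reversible: medical practitioner": 2,
    "reversible: first aid": 1,
}

# Table 3: Probability of occurrence (Pr).
PROBABILITY = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}

# Table 4: Possibility of avoiding the harm (Av).
AVOIDANCE = {"impossible": 5, "rarely": 3, "probable": 1}

HOUR, DAY, WEEK, YEAR = 1.0, 24.0, 24.0 * 7, 24.0 * 365


def frequency(interval_hours: float, duration_minutes: float) -> int:
    """Table 2: Fr from the interval between exposures, for exposures > 10 min.

    When an exposure lasts less than 10 minutes the text lowers Fr one level;
    clamping at 1 is this example's assumption.
    """
    if interval_hours <= HOUR:
        fr = 5
    elif interval_hours <= DAY:
        fr = 5
    elif interval_hours <= 2 * WEEK:
        fr = 4
    elif interval_hours <= YEAR:
        fr = 3
    else:
        fr = 2
    if duration_minutes < 10:
        fr = max(fr - 1, 1)
    return fr


def risk_class(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av, as stated under Table 5."""
    return fr + pr + av


CLASS_BANDS = ((3, 4, "3-4"), (5, 7, "5-7"), (8, 10, "8-10"),
               (11, 13, "11-13"), (14, 15, "14-15"))


def class_band(cl: int) -> str:
    """Column of Table 5 that a Class value falls in."""
    for lo, hi, label in CLASS_BANDS:
        if lo <= cl <= hi:
            return label
    raise ValueError(f"Cl={cl} outside the Table 5 range 3..15")


# Constructed partial Table 5: (Se, Cl band) -> risk level. Only the two cells
# the worked example states are present; fill the rest from the printed matrix.
TABLE5_KNOWN = {(3, "14-15"): "Very High", (2, "8-10"): "Low"}


def risk_level(se: int, cl: int) -> Optional[str]:
    """Risk level from Table 5, or None where the cell is not on the page."""
    return TABLE5_KNOWN.get((se, class_band(cl)))


def assess(consequence: str, interval_hours: float, duration_minutes: float,
           probability: str, avoidance: str) -> dict:
    """Classify one hazard; returns the element scores, Cl, band and risk level."""
    se = SEVERITY[consequence]
    fr = frequency(interval_hours, duration_minutes)
    pr = PROBABILITY[probability]
    av = AVOIDANCE[avoidance]
    cl = risk_class(fr, pr, av)
    return {"Se": se, "Fr": fr, "Pr": pr, "Av": av, "Cl": cl,
            "band": class_band(cl), "risk": risk_level(se, cl)}


if __name__ == "__main__":
    # The whitepaper's worked example: broken arm, exposure once a week for
    # 15 minutes, event very likely, avoidance extremely unlikely.
    before = assess("irreversible: broken limb(s), loss of finger(s)", WEEK, 15,
                    "very high", "impossible")
    # After risk reduction: Pr negligible, injury reduced to severe bruising.
    after = assess("reversible: medical practitioner", WEEK, 15,
                   "negligible", "impossible")
    print(before)  # Cl = 14, risk Very High
    print(after)   # Cl = 10, risk Low
```

Keeping the tables as data rather than as reasoning in a spreadsheet cell makes the estimation auditable: the documentation step later in the paper asks for the assumptions behind each score, and every value here traces back to one named table entry.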

Risk levels used in Table 5: Very High, High, Moderate, Low, Negligible.


Risk Evaluation

Once the risks have been estimated, they must be evaluated to determine if further risk reduction is required. If risk reduction is required then the appropriate safety measure shall be selected and applied and then the risk assessment process repeated. Special attention should be paid to any new hazards created by the introduction of the safety measures.

Documentation

The process of risk assessment must be documented, the following information should be included when relevant:

a) Machinery for which the assessment has been made, e.g. specifications, limits, intended use, etc.

b) Any assumptions which have been made, e.g. loads, strengths, safety factors, etc.

c) Hazards identified; hazardous situations identified and hazardous events considered.

d) Information on which the risk assessment was based, e.g. accident histories, experiences gained from risk reduction applied to similar machinery, etc, and the uncertainty associated with the data.

e) Objectives to be achieved by safety measures.

f) Safety measures implemented to eliminate identified hazards or to reduce the risk.

g) Residual risk associated with the machinery.

h) The result of the final risk evaluation.

Measures for Risk Reduction

By using a combination of safety measures the risk of a particular hazard can be minimised. It must be remembered that the safety measures must allow easy use and must not hinder the machine’s intended use. Refer to Figure 3.

The objective is to eliminate the hazard or reduce the two elements that determine the risk:

a) The severity of harm caused by the hazard.

b) The probability of harm occurring.

Safety measures should be applied according to the following sequence:

a) Inherently safe design.

b) Safeguarding and complementary measures.

c) Information for use about the residual risk. (AS 4024.1201 2006 Section 6).

Figure 3: Risk Reduction Process (flow chart). Risk assessment establishes the risk. Safety measures by the designer (inherently safe design measures, safeguarding and complementary measures, information for use) leave the residual risk after designer protective measures. Protective measures by the user (administrative means, personal protective equipment) leave the residual risk after all protective measures.


Inherently Safe Design Measures

Safe design is achieved by avoiding hazards or reducing risks through a suitable choice of design features, and it should be the first step in risk reduction. Some design considerations include:

Geometrical Factors:

a) Design the shape of the machinery to maximise visibility of working areas and hazard zones from the control position, e.g. minimise blind spots.

b) Design large enough gaps between moving surfaces to allow body parts to move freely without crushing or design the gaps small enough not to allow body parts to enter them, reference AS 4024.1803 for more detail.

c) Avoid sharp edges, corners, angles or rough surfaces likely to cause injury.

Physical Factors:

a) Minimise actuating forces of machinery, to avoid/reduce mechanical hazards wherever possible.

b) Minimise the mass or velocity of movable parts, to avoid/reduce mechanical hazards wherever possible.

c) Minimise noise, vibration, emission of hazardous substances and radiation generated by machinery.

General Technicalities of Machine Design

a) Correct mechanical stress calculations for the machine structure, to avoid mechanical failures of the machine parts.

b) Correct selection of materials, considering corrosion, hardness, flammability.

Appropriate Technology:

a) For machines used in explosive environments, technologies of choice include:

i. Pneumatic or hydraulic actuation.

ii. Intrinsically safe electrical equipment, reference AS/NZS 60079 for more detail.

Apply Positive Break Principle:

a) Switching elements should be designed to use positive break theory, thus not relying on gravity or springs to break the circuit.

Ergonomic Factors:

a) Machine should be designed to avoid stressful postures or movements of the operator.

b) Machine should be designed to be operated easily, taking into account effort required.

c) Lighting of work area should be acceptable.

d) Ergonomically designed manual controls, taking into account visibility, layout, selection of control.

e) Displays should be ergonomically designed to maximise effectiveness.

For more detailed information on ergonomic factors, reference AS 4024.1401 2006.

Electrical Design:

a) Machine should be designed to protect against electric shock, reference AS 60204.1 for more detail.

Pneumatic and Hydraulic Factors:

a) Pressure limiting devices should be used to ensure the maximum rated pressure of the system is not exceeded.

b) Machine should be designed so hazards do not result from pressure surges, or losses of vacuum.

c) Failure of components should not cause hazardous fluid jets or movements of the hose.

d) All air reservoirs or similar vessels should comply with relevant design rules.

e) Reservoirs and similar vessels should automatically depressurise when the machine is isolated from the power supply, reference AS 4024.1603 for more detail.

Safe Design of Control System:

a) Control system should allow the operator to interact with the machine safely, i.e. clearly display faults, prevent unintended start-ups.

b) Starting an internal power supply or switching on an external power supply should not result in the immediate operation of working parts.

c) The starting action should be performed by increasing voltage, fluid pressure or changing a binary value from 0 to 1. The stopping action should be performed by decreasing voltage, fluid pressure or changing a binary value from 1 to 0.

d) Machine should be designed to prevent hazardous situations resulting from interruptions or excessive fluctuations of power supply.

e) Control system can use automatic monitoring to detect faults in the components that carry out the safety function of the machine.

Safety Functions Implemented by Programmable Electronic Control System:

a) The programmable electronic control system should be installed and validated to ensure the specified performance is met, i.e. safety integrity level (SIL) reference AS 61508.

b) Hardware such as sensors, actuators should be selected and installed to meet functional and performance requirements.

c) The software should achieve the performance requirements, reference AS 61508.3 for more detail.

d) Software should be stored in non re-programmable memory or be securely locked/password protected. (AS 4024.1202 2006 Section 5).


Safeguarding & Complementary Measures

Safeguarding can be used whenever inherently safe design doesn’t reduce the risk of a machine to an acceptable level.

Types of Guards:

Guards are physical barriers that provide protection from the hazards on the machine. The types of guards mentioned in AS 4024.1601 are:

a) Adjustable guard, this is a fixed or movable guard that is adjustable, however the adjustment remains fixed during machine operation. These guards are only used when the hazard can’t be completely protected by the guard e.g. a saw blade needs to be exposed to perform its operation, it can’t be completely enclosed in a guard.

b) Fixed guard, this guard is kept in place either permanently (by welding) or by means of fasteners that can only be removed with a tool. One type of fixed guard is:

i. Distance Guard, this guard doesn’t completely enclose the danger, but prevents access due to its dimensions and distance from the danger e.g. perimeter fence.

c) Interlocking guard, this guard is associated with an interlocking device so that the hazardous machine functions only operate when the guard is closed, however closing the guard doesn’t initiate machine operation.

d) Interlocking guard with locking, this guard will only allow operation of the machine when the guard is closed and locked, however the closing and locking of the guard doesn’t initiate machine operation. The guard will only unlock when the hazard presented by the machine has subsided.

e) Movable guard, this guard can be opened without the use of a tool, typical variations are:

i. Control Guard, this is a movable guard with an interlocking device where the machine will only operate when the guard is closed and closing the guard will initiate machine operation.

ii. Power-operated Guard, this guard operates with assistance of power other than gravity or persons.

Figure 4: Selection of guard (decision flow chart; the YES/NO routing between questions is not recoverable from this transcript). Questions asked: Are hazards present? Is access required during use? Can the hazard be totally protected by a guard? Is access only needed for set-up or maintenance? Is access required more than once per shift? Does the hazard cease immediately when the guard is opened? Is access required during the work cycle? Outcomes: Guards not required; Fixed guard; Movable guard with interlocking device or control guard; Movable guard with interlocking device, optional guard locking, or fixed guard; Movable guard with interlocking device with guard locking; Self-closing guard or adjustable guard.


Generally, Figure 4 can be used as a guideline when selecting a guard based on the nature and the frequency of the access. When access is not required a fixed guard is specified because of its simplicity and reliability.

When access is only required for maintenance or process set-up, a movable guard with interlocking device can be used, if frequency of access is high or removal of a fixed guard would be difficult. A fixed guard may be used if the frequency is low, however the removal and replacement of the guard must be done under a safe system of work.

If the hazard can’t be totally protected by a guard e.g. a saw blade needs to be partially exposed to operate, the user may incorporate a self-closing or adjustable guard.
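The guard selection rules in the three paragraphs above can be written as a decision procedure so that the same answer is reached for every access point on a machine. The following is an added example, not the whitepaper's own flow chart: it encodes only what the prose states (no access required means a fixed guard; access only for set-up or maintenance means an interlocked movable guard when access is frequent or removing a fixed guard would be difficult, otherwise a fixed guard under a safe system of work; a hazard that cannot be totally protected means a self-closing or adjustable guard) plus the guard-locking rule from the "Design of Interlocking Guards" section, that guard locking is used when the hazard does not cease immediately on opening. The order of the questions, the reading of "frequency of access is high" as more than once per shift, and the "or control guard" option offered for access during the work cycle are this example's reading of Figure 4's outcome labels, not its exact routing; the field names of `Access` are hypothetical.

```python
"""Guard selection following the prose around Figure 4.

Added example (not from the whitepaper). Only what the text states is encoded;
question order, the 'more than once per shift' reading of 'frequent access'
and the control-guard option for work-cycle access are this example's reading
of the figure's outcome labels. Field names are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Access:
    hazards_present: bool
    hazard_totally_protectable: bool = True
    access_required: bool = False
    only_for_setup_or_maintenance: bool = False
    more_than_once_per_shift: bool = False
    fixed_guard_removal_difficult: bool = False
    hazard_ceases_immediately_on_opening: bool = True


def interlocked(a: Access) -> str:
    """Movable guard with interlocking device, locked while the hazard persists."""
    base = "Movable guard with interlocking device"
    if not a.hazard_ceases_immediately_on_opening:
        return base + " with guard locking"
    return base


def select_guard(a: Access) -> str:
    """Walk the questions of Figure 4 as the surrounding prose describes them."""
    if not a.hazards_present:
        return "Guards not required"
    if not a.hazard_totally_protectable:
        # e.g. a saw blade that must stay partly exposed to do its work
        return "Self-closing guard or adjustable guard"
    if not a.access_required:
        return "Fixed guard"
    if a.only_for_setup_or_maintenance:
        if a.more_than_once_per_shift or a.fixed_guard_removal_difficult:
            return interlocked(a)
        return "Fixed guard (removal and replacement under a safe system of work)"
    # Access is needed during the work cycle: an interlocked movable guard; a
    # control guard (closing starts the cycle) is the figure's alternative when
    # the hazard stops as soon as the guard opens.
    if a.hazard_ceases_immediately_on_opening:
        return interlocked(a) + " or control guard"
    return interlocked(a)


if __name__ == "__main__":
    cases = {
        "no hazard": Access(hazards_present=False),
        "enclosed, no access": Access(hazards_present=True),
        "partly exposed blade": Access(hazards_present=True, hazard_totally_protectable=False),
        "weekly maintenance only": Access(True, access_required=True,
                                          only_for_setup_or_maintenance=True),
        "high-inertia, frequent set-up": Access(True, access_required=True,
                                                only_for_setup_or_maintenance=True,
                                                more_than_once_per_shift=True,
                                                hazard_ceases_immediately_on_opening=False),
    }
    for label, access in cases.items():
        print(f"{label:30} -> {select_guard(access)}")
```

The value of writing the rules down is that each branch can be tied to the sentence of the standard (or of this paper) that justifies it, which is what the documentation step of the risk assessment later asks for.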

The following aspects should be considered when selecting a guard:

a) The material of the guard should be:

i. Able to withstand expected impacts

ii. Of acceptable rigidity

iii. Securely fixed in place

iv. Resistant to corrosion

v. Non-toxic

vi. Considered for properties such as transparency, stroboscopic effect, electrostatic behaviour, thermal stability and flammability, depending on the application of the guard.

b) Harmful substances should be contained by the guard e.g. fluids, dust, fumes.

c) The guard should be designed to inhibit bacterial or fungal growth especially in food or pharmaceutical industries.

d) The guard should be designed to maximise visibility of the machine.

e) Where required, the guard should absorb excess noise of the machinery.

f) The guard should be designed to give radiation protection in relevant applications.

(AS 4024.1601 2006)

Design of Interlocking Guards:

There are two types of interlocking principles for a guard:

a) Control interlocking – The stop command from interlocking device is introduced into the control system, so the interruption of energy supply to the machine’s actuators is triggered by the control system.

b) Power interlocking – The stop command from the interlocking device directly interrupts the energy supply to the machine’s actuators, so the control system does not play a part in this operation.

The interlocking device can be provided with or without guard locking. If the hazard does not cease immediately when the guard is opened (e.g. the machine has high inertia), or the user wants to control access to the machinery, then a guard locking device would be used.

The unlocking of the guard can occur in two ways:

a) Unconditional unlocking – The operator can initiate the unlocking process at any time.

b) Conditional unlocking – Unlocking is only possible once a condition has been fulfilled that ensures the hazard has disappeared (using a safe timer or zero speed monitor).

The following provisions are taken when selecting and installing the interlocking device:

a) Actuation of modes of mechanical position switches – If a single detector is used to generate the stop signal it must be actuated in the positive mode. Non-positive mode actuation is only allowed in conjunction with a positive mode actuating detector, to avoid common-cause failures.

Positive mode: Guard open – the detector stem (actuator) is held depressed by a cam as long as the guard is open. Guard closed – the detector changes its state as the result of the action of a return spring.

Non-positive mode: Guard closed – the detector stem (actuator) is held depressed by a cam as long as the guard is closed. Guard open – the detector changes its state as the result of the action of a return spring.

Table 6: Positive mode actuation explanation


b) Arrangement of fasteners of switches – The switch should be mounted to avoid any change in position, thus the fasteners must be reliable and difficult to defeat (e.g. coded screws).

c) The position detector mustn’t be used as a mechanical stop.

d) Reduce the possibility of common-cause failure by:

i. Mounting position detectors in positive and non-positive mode combination.

ii. Using two independent interlocking devices, which interrupt supply from different energy sources e.g. hydraulic, electrical.

e) Guard locking devices – The bolt that locks the guard should be engaged (locking the guard) by a spring, and power must be applied to unlock the guard. Other forms of operation (power-to-lock guard devices) can be used in specific applications if an equivalent level of safety is achieved. A common application where power-to-lock is applicable is where the guard is locked to control what state the machinery is in when the power supply is interrupted. If the guard is locked because the machine has a substantial run-down time, a power-to-unlock device should be used. A manual unlocking function, requiring a tool, may be provided to unlock the guard in the event of power loss. The state of the guard (locked or unlocked) must be monitored.

f ) Delay Device – If the delay device fails, it should not result in a decrease of the delay.

g) Design to minimise defeat possibilities – Devices shall be installed in a way so that they can’t be defeated easily. The operator must not be able to defeat the device with readily available tools (sheet-metal pieces, screws, equipment the operator needs for their job). The fasteners used for the device should be designed to be tamper resistant (coded screws). The device operation should be coded where possible e.g. mechanical coding (shape of tongue switch actuator), magnetic coding, optical coding. Device should be mounted to reduce access when the guard is open.
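Why provision a) insists on positive mode for a single detector, and why d) i. pairs a positive with a non-positive detector, is easiest to see by simulating the two arrangements of Table 6 under one fault. The following is an added example, not from the whitepaper: the detector is modelled as a stem that is either pushed by the guard's cam or returned by its spring, exactly as Table 6 describes, and one constructed fault is injected, a stem stuck in the depressed position (for instance a broken return spring). In positive mode the cam is what holds the stem depressed while the guard is open, so a stuck stem can only ever look like an open guard, which stops the machine; in non-positive mode a stuck stem looks like a closed guard even when the guard is open. The `dual_channel` function shows how the mixed pair of d) i. both blocks running and flags the disagreement as a detected fault. Function names here are hypothetical.

```python
"""Positive vs non-positive mode actuation of a guard position detector (Table 6).

Added example, not from the whitepaper. The fault model is constructed: the
detector stem sticks in the depressed position (e.g. a broken return spring),
which is the failure a positive-mode arrangement is meant to survive.
'Reports closed' means the control system would permit hazardous motion.
"""
from typing import Tuple

POSITIVE, NON_POSITIVE = "positive", "non-positive"


def stem_depressed(mode: str, guard_closed: bool, stem_stuck: bool) -> bool:
    """Table 6: in positive mode the cam holds the stem depressed while the
    guard is open; in non-positive mode while the guard is closed. A stuck
    stem stays depressed whatever the cam does."""
    if stem_stuck:
        return True
    return (not guard_closed) if mode == POSITIVE else guard_closed


def reports_closed(mode: str, guard_closed: bool, stem_stuck: bool = False) -> bool:
    """What the control system infers from the detector contact.

    The spring-returned (released) stem means 'guard closed' in positive mode
    and 'guard open' in non-positive mode."""
    depressed = stem_depressed(mode, guard_closed, stem_stuck)
    return (not depressed) if mode == POSITIVE else depressed


def single_detector_unsafe(mode: str) -> bool:
    """True if a stuck stem can make an OPEN guard look closed (hazard enabled)."""
    return reports_closed(mode, guard_closed=False, stem_stuck=True)


def dual_channel(guard_closed: bool, stuck_positive: bool,
                 stuck_non_positive: bool) -> Tuple[bool, bool]:
    """Provision d) i.: one positive-mode and one non-positive-mode detector.

    Returns (run_permitted, discrepancy). Running is permitted only when both
    channels agree the guard is closed; disagreement is a detected fault that
    should latch the machine stopped until the detectors are checked."""
    a = reports_closed(POSITIVE, guard_closed, stuck_positive)
    b = reports_closed(NON_POSITIVE, guard_closed, stuck_non_positive)
    return (a and b), (a != b)


if __name__ == "__main__":
    for mode in (POSITIVE, NON_POSITIVE):
        print(f"{mode:13}: open guard + stuck stem reads closed? "
              f"{single_detector_unsafe(mode)}")
    print("dual channel, guard open, non-positive stuck (permit, discrepancy):",
          dual_channel(guard_closed=False, stuck_positive=False, stuck_non_positive=True))
    print("dual channel, guard closed, healthy (permit, discrepancy):",
          dual_channel(guard_closed=True, stuck_positive=False, stuck_non_positive=False))
```

A stuck stem in the positive-mode channel with the guard closed produces a nuisance stop rather than a hazard, which is the intended direction of failure; the discrepancy output is what the control system should monitor so that a defeated or failed detector is noticed rather than silently tolerated.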

Sensitive Protective Equipment:

Typical examples of sensitive protective equipment are:

a) Light curtains

b) Laser scanners

c) Safety mats, etc.

Typical reasons why an application will not suit the use of sensitive protective equipment are:

a) Machine has a tendency to eject materials.

b) Guard also needs to protect against noise, radiation, etc.

c) Inconsistent or very long machine stopping time.

Requirements for placement, size and characteristics of device can be found in ISO 13855.

Complementary Measures:

These are safety measures that are neither inherently safe design nor safeguarding, some typical examples are:

a) Emergency stop function, this measure is used to achieve a stop function to avert actual or impending emergency situations. The emergency stop function must be initiated by a single human action.

i. The actuator must be clearly identifiable and readily accessible.

ii. The hazardous process should be stopped as quickly as possible, without creating additional hazards.

iii. The effect of the command must be sustained until it is reset, the reset should only be possible at the location of the emergency stop command.

iv. The emergency stop device should allow easy actuation, use a mushroom type push button actuated by the palm, wire (rope), bars or for specific applications a foot pedal without a cover.

v. Emergency stops should be located at each operator control station and other relevant areas.

vi. An emergency stop device should apply positive mechanical action.

vii. The emergency stop device should be coloured red and have a yellow background, if using a rope, attaching marker flags may improve the visibility.

An emergency stop command is not a substitute for safeguarding; it should be designed as a back-up measure (in case of failure). For more information reference IEC 60204.

b) Measures for the escape and rescue of trapped persons, the following measures may be considered:

i. Escape routes if installation can generate operator-trapping hazard.

ii. Ability to manually move and/or reverse elements after emergency stop.

iii. Means of communication to allow trapped operators to call for help.

c) Measures for isolation and energy dissipation. (AS 4024.1202 2006 Section 6)


Information for Use

These measures are different ways to communicate information to the user of the machinery. Information about the intended use of the machine should be provided to the user, this information should indicate if training is required, if personal protective equipment is required or if additional guards are required.

Some examples of information for use are:

a) Signals and warning devices, these mechanisms are used at the machine to warn the user of an impending hazard, e.g. flashing lights, sirens.

b) Marking, signs and written warnings, these instructions should be on the machine to indicate machine identification, machine compliance and working specifications.

c) Accompanying documents, these include documents such as instruction handbooks.

(AS 4024.1202 2006 Section 7)

Safety System Requirements

When specifying the safety requirements of the system, the following must be considered:

a) Specify the safety requirements of the safety system: the safety functions to be provided by the system, how those safety functions will be met, and the category selected for the system.

Safety Functions

The following is a list of some common safety functions and the characteristics of those functions that the safety system should be designed to achieve:

a) Stop function – The stopping action should be performed by decreasing voltage, fluid pressure or changing a binary value from 1 to 0. The stop function should put the machine into a safe state as soon as possible.

b) Emergency stop function, this measure is used to achieve a stop function to avert actual or impending emergency situations. The emergency stop function must be initiated by a single human action.

i. The actuator must be clearly identifiable and readily accessible.

ii. The hazardous process should be stopped as quickly as possible, without creating additional hazards.

iii. The effect of the command must be sustained until it is reset, the reset should only be possible at the location of the emergency stop command.

iv. The emergency stop device should allow easy actuation, use a mushroom type push button actuated by the palm, wire (rope), bars or for specific applications a foot pedal without a cover.

v. Emergency stops should be located at each operator control station and other relevant areas.

vi. An emergency stop device should apply positive mechanical action (the contacts of the device will be forced open through a non-resilient member when actuated).

vii. The emergency stop device should be coloured red and have a yellow background, if using a rope, attaching marker flags may improve the visibility.

An emergency stop command is not a substitute for safeguarding, it should be designed as a back-up measure (in case of failure).

c) Manual reset – after the stop command has been initiated, the stop condition shall be maintained until the manual reset device is actuated and safe conditions are reached. The manual reset function:

i. Shall be provided by a separate manually operated device

ii. Shall only be achieved when a safe state has been reached

iii. Shall not initiate motion or a hazardous situation

The category of the parts providing the manual reset shall not diminish the required safety of the relevant safety function. The reset actuator is to be placed outside the danger zone and allow for good visibility of the danger area.

d) Start and restart - starting an internal power supply or switching on an external power supply should not result in the immediate operation of working parts. The starting action should be performed by increasing voltage, fluid pressure or changing a binary value from 0 to 1. The stopping action should be performed by decreasing voltage, fluid pressure or changing a binary value from 1 to 0. An automatic restart can be used when a hazardous situation can’t exist.

e) Response time – the designer must declare the response time of the system when the risk assessment indicates it is necessary.

f) Local control functions – where the machine can be controlled locally, e.g. by a portable pendant, the following requirements must be met:

i. The selection for the local control must be outside the danger zone.

ii. It must be impossible to initiate hazardous conditions outside the local control zone.

iii. Switching from local control to external control must not create a hazardous situation.

g) Muting – muting must not lead to a hazardous situation, at the end of muting all safety systems must be re-instated. In some applications a muting indication signal is required.

(AS 4024.1501 2006 Section 6)
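The stop, emergency stop, manual reset and start functions above interact in a fixed order: a stop is latched, releasing the emergency stop actuator is a local action that restarts nothing, the manual reset only takes effect once the safe state is reached and itself produces no motion, and a separate start action is needed afterwards. The Python model below is an added illustration of that sequence, not a circuit or code from NHP or AS 4024; the station names and the guard-door input are constructed for the walk-through.

```python
from enum import Enum, auto


class State(Enum):
    """Constructed model of the stop / reset / start functions (added example)."""
    STOPPED = auto()   # stop condition latched: outputs de-energised (binary value 0)
    READY = auto()     # manual reset accepted; safe, but no motion yet
    RUNNING = auto()   # outputs energised (binary value 1)


class SafetyController:
    def __init__(self):
        self.state = State.STOPPED      # power-on must never start working parts
        self.estop_station = None       # where an emergency stop was commanded, if any
        self.guard_closed = True

    def output_enabled(self):
        return self.state is State.RUNNING

    # --- emergency stop function (b): single human action, sustained until reset ---
    def emergency_stop(self, station):
        self.estop_station = station
        self.state = State.STOPPED

    def release_emergency_stop(self, station):
        """Release is only possible at the location of the command and never restarts motion."""
        if self.estop_station is None or station != self.estop_station:
            return False
        self.estop_station = None
        return True

    # --- guard door used as a second stop source (constructed input) ---
    def set_guard(self, closed):
        self.guard_closed = closed
        if not closed:
            self.state = State.STOPPED

    def safe_state_reached(self):
        return self.estop_station is None and self.guard_closed

    # --- manual reset (c): separate device, only when safe, never starts motion ---
    def manual_reset(self):
        if self.state is State.STOPPED and self.safe_state_reached():
            self.state = State.READY
            return True
        return False

    # --- start (d): a separate action, valid only after a reset ---
    def start(self):
        if self.state is State.READY:
            self.state = State.RUNNING
            return True
        return False


def demo():
    """Walk through: press e-stop, wrong-station release, local release, reset, start."""
    c = SafetyController()
    c.manual_reset()
    c.start()
    c.emergency_stop(station="console")
    return [
        c.output_enabled(),                           # False: stop latched
        c.release_emergency_stop("remote pendant"),   # False: not at the e-stop location
        c.manual_reset(),                             # False: safe state not yet reached
        c.release_emergency_stop("console"),          # True
        c.output_enabled(),                           # False: release alone does not restart
        c.manual_reset(),                             # True
        c.output_enabled(),                           # False: reset does not initiate motion
        c.start(),                                    # True
        c.output_enabled(),                           # True
    ]
```

The point of keeping READY and RUNNING as separate states is item iii of the manual reset function: a reset that also energised the outputs would itself initiate motion.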


Safety Categories

The safety categories state the required behaviour of the safety-related parts in respect to resistance to faults. The requirements of the categories are as follows:

a) Category B – the safety system should be designed, as a minimum, in accordance with the relevant standards so that it can withstand expected operating stresses, influences of processed material and other influences e.g. vibration, power interruptions, etc. No special measures for safety are applied to components in category B systems. When a fault occurs it can lead to loss of safety function. Refer to Figure 5.

Figure 5: example category B system

In Figure 5, when the washing machine lid is open, contact S1 will open and remove power from the relay (K1) coil in the control circuit. This will open the relay contact in the power circuit, thus the washing machine motor is isolated.

The only requirements for the system are that the components are designed and selected correctly for the application and environment.

If either the door switch contact (S1) or the relay contact (K1) fails, the system will lose safety function (the washing machine motor will not be isolated when the lid is open). Neither of these component failures is detected by the system.

b) Category 1 – the requirements of category B apply and the system should be designed and constructed using well-tried components and well-tried safety principles.

i. Well-tried components are components that have been widely used in the past with success for similar applications, or made and verified using principles that demonstrate their reliability for safety applications. Refer to AS 4024.1502 Appendix D4.

ii. Well-tried safety principles may include some of the below (reference AS 4024.1502 Appendix D2 and D3):

• Avoidance of fault e.g. avoiding short circuit by separation

• Reduction of probability of fault e.g. over-dimensioning of components

• Orientation of the mode of fault e.g. using an open circuit to remove power

• Early detection of faults

New components and principles can be considered if they fulfil the above conditions. Due to the use of well-tried components and principles the probability of failure is reduced in category 1. When a fault occurs it can lead to loss of safety function. Refer to Figure 6.

Figure 6: example category 1 circuit

In Figure 6 the structure of the circuit is exactly the same as the category B system. The system depends on the door switch contact (S1) and the contactor (K1) operating correctly, or else the system loses safety function. As with category B, none of the component failures are detected.

However, unlike category B, the door switch and contactor must be well-tried components and the system must use well-tried safety principles (e.g. the contactor may be over-dimensioned to reduce the chance of welding). These two factors reduce the probability of losing safety function compared to a category B system.

c) Category 2 – the requirements of category B apply and the system should be designed using well-tried safety principles.

i. Safety-related parts are designed so their functions are checked at suitable intervals by the machine control system. The check shall be performed at machine start-up and prior to the initiation of a hazardous situation, or periodically during operation.

ii. The check may be initiated automatically or manually and shall either:

• Allow operation if no faults detected; or


• Generate an output that, when possible, generates a safe state. When not possible to initiate a safe state (e.g. welding of final switching device) the output shall provide a warning of the hazard.

iii. The check must not itself lead to a hazardous situation. The checking equipment may be integral to or separate from the safety-related parts providing the safety function.

iv. After a fault has been detected a safe state should be maintained until the fault is cleared.

v. The occurrence of a fault can lead to the loss of safety function and the loss of safety function shall be detected.

Figure 7: Example of category 2 system

In Figure 7 the control circuit and power circuit are the same structure as category 1. If a failure was to occur in the door switch (S1) or the contactor (K1) safety function would be lost. However unlike category 1 the components of the system are monitored.

In this example a second door switch (S2) is used to detect any faults with S1. A second switch is used because it will be independent of faults that occur in S1 (e.g. if the tongue actuator were to snap off inside S1, this would not affect S2).

Feedback from the safety contactor is also wired to an evaluation device (e.g. PLC) to determine if the machine has been isolated.

If a failure in the system occurs, e.g. welded contactor, the PLC will detect this because S2 will indicate the guard door is open but the contactor feedback will indicate the machine isn’t isolated. The system has lost safety function because without a redundant contactor the machine can’t be isolated, however the PLC can give a warning of this unsafe state. In Figure 7 the PLC can indicate the unsafe state by turning the green lamp, which is mounted next to the guard door, off.
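To make the monitoring logic of Figure 7 concrete, here is a small Python model of the circuit as the text describes it. It is an added example, not a drawing or code from NHP; the fault flags (S1 stuck closed, K1 welded) and the simplification that the motor runs whenever K1 is closed are my assumptions. It shows the two limits of a category 2 check: a welded K1 is only revealed at the next demand (when the guard is opened), and the PLC can warn about it but cannot isolate the machine.

```python
from dataclasses import dataclass


@dataclass
class Cat2Circuit:
    """Constructed model of the Figure 7 arrangement (added example).

    S1 is the door switch in the relay control circuit, S2 an independent door
    switch read by the PLC, and K1 the contactor whose auxiliary contact feeds
    back to the PLC. The two fault flags are constructed faults for the walk-through.
    """
    lid_open: bool
    s1_stuck_closed: bool = False   # e.g. actuator broken off inside S1: S1 no longer opens
    k1_welded: bool = False         # K1 main contact welded: K1 cannot isolate the motor

    def s1_closed(self):
        return (not self.lid_open) or self.s1_stuck_closed

    def s2_closed(self):
        # S2 is a separate switch, so it is independent of faults inside S1
        return not self.lid_open

    def motor_energised(self):
        # Power circuit (simplified): K1 is held in by S1; a welded contact stays closed
        return self.s1_closed() or self.k1_welded

    def k1_feedback_isolated(self):
        # Mechanically linked auxiliary contact: reports isolation only when the main contact opened
        return not self.motor_energised()


def plc_check(c):
    """Category 2 check by the evaluation device. Returns (green_lamp_on, diagnosis).

    The PLC cannot force a safe state (there is no redundant contactor); all it can
    do is compare S2 with the K1 feedback and warn by turning the lamp off."""
    door_open = not c.s2_closed()
    isolated = c.k1_feedback_isolated()
    if door_open and not isolated:
        return False, "unsafe: guard open but K1 feedback shows motor still energised"
    if not door_open and isolated:
        return False, "discrepancy: guard closed but motor isolated (S1 or K1 open-circuit)"
    return True, "ok"


def detect_on_next_demand(k1_welded):
    """A welded K1 is invisible while the lid is shut; it only shows when the guard
    is opened. Returns (lamp_on with lid shut, lamp_on with lid open)."""
    before = plc_check(Cat2Circuit(lid_open=False, k1_welded=k1_welded))[0]
    after = plc_check(Cat2Circuit(lid_open=True, k1_welded=k1_welded))[0]
    return before, after
```

With the lid shut a welded K1 looks exactly like normal running, which is why the text says loss of safety function in category 2 is detected rather than prevented: the check reports the problem, but the motor is still turning when the lid is opened.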

d) Category 3 – the requirements of category B apply and the system should be designed using well-tried safety principles.

i. The system is designed so that a single fault does not lead to the loss of safety function.

ii. Common-mode faults shall be taken into consideration.

iii. Whenever reasonably practicable the single fault shall be detected at or before the next demand on the safety function, e.g. by monitoring of contactor auxiliary contacts.

iv. Accumulation of undetected faults can lead to loss of safety function.

Refer to Figure 8 for an example category 3 system.

Figure 8: Example of category 3 system

In Figure 8 it is seen that category 3 has dual redundant channels, this allows the system to maintain safety function if a single fault occurs.

Each door has two door switches, so if one switch fails the safe controller will detect this fault on demand (when the guard door is opened) and bring the system to a safe state.

The power circuit also has two contactors in series, thus if one contactor fails the other contactor is still able to isolate the machine on demand. The feedback circuit from the contactors to the safe controller won’t allow the system to restart until the faulted contactor is replaced.

In category 3 it is possible to wire guard doors in series to the safe controller, as seen in Figure 8. This means that faults may be undetected:

Example: If the left guard door is open, the S1 and S2 contacts open the input channels of the safe controller. If, during this state, the right guard door is opened, the state of the S3 and S4 contacts can’t be seen by the controller because S1 and S2 have already broken the input channels. Thus if one of S3 or S4 fails to open the controller will not detect this fault; this is called “masking” a fault. However, the undetected fault alone has not led to loss of safety function.


e) Category 4 – the requirements of category B apply and the system should be designed using well-tried safety principles.

i. The system is designed so that a single fault does not lead to the loss of safety function and a single fault is detected at or before the next demand on the safety function. If this detection is not possible then the accumulation of faults shall not lead to a loss of safety function.

ii. If further faults occur as a result of the first fault, the combination will be counted as one fault.

Figure 9: Example of category 4 system

In Figure 9 the input circuitry has changed, each of the contacts (S1-S4) enter the controller system on an individual channel. This allows the system to detect all faults that may occur with the contacts, unlike the masking situation that may occur in category 3.

Apart from the above difference, category 4 is similar to category 3 because a single fault doesn’t cause loss of safety function, due to redundancy. (AS 4024.1501 2006 Section 7)
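The masking behaviour in the category 3 example, and the reason the individual input channels of Figure 9 remove it, can be checked by simulation. The Python below is an added example, not NHP's or the standard's. It assumes the series wiring of Figure 8 puts S1 and S3 on one channel and S2 and S4 on the other (the figure is not reproduced here, so treat that as an assumption), models a "stuck closed" switch as the single fault, and runs the constructed door sequence from the example. It goes a little beyond the text by running that sequence as a single-fault list over every switch, reporting for each one whether the fault is masked and whether the safety function is ever lost.

```python
SWITCHES = ("S1", "S2", "S3", "S4")
DOOR_OF = {"S1": "left", "S2": "left", "S3": "right", "S4": "right"}


def switch_states(doors_open, stuck_closed=()):
    """Contact state of each switch (True = closed). A switch is closed when its
    door is shut, and stays closed if it carries the constructed 'stuck closed'
    fault (e.g. a snapped tongue actuator left inside it)."""
    return {s: DOOR_OF[s] not in doors_open or s in stuck_closed for s in SWITCHES}


def series_wired_controller(sw):
    """Assumed category 3 wiring of Figure 8: S1 and S3 in series on channel A,
    S2 and S4 in series on channel B. Returns (hazard_enabled, fault_detected):
    the hazard is released only when both channels are closed, and a fault is
    flagged when the two channels disagree."""
    ch_a = sw["S1"] and sw["S3"]
    ch_b = sw["S2"] and sw["S4"]
    return ch_a and ch_b, ch_a != ch_b


def individual_channel_controller(sw):
    """Category 4 wiring of Figure 9: every contact on its own input, so the
    controller can compare the two switches of the same door directly."""
    hazard = all(sw.values())
    fault = sw["S1"] != sw["S2"] or sw["S3"] != sw["S4"]
    return hazard, fault


def run_sequence(controller, sequence, stuck_closed=()):
    """Apply a sequence of door states. Returns (fault_detected_at_any_step,
    hazard_ever_enabled_while_a_door_was_open)."""
    detected = unsafe = False
    for doors_open in sequence:
        hazard, fault = controller(switch_states(doors_open, stuck_closed))
        detected = detected or fault
        unsafe = unsafe or (hazard and bool(doors_open))
    return detected, unsafe


# Constructed sequence from the example: open left, open right, close right, close left
MASKING_SEQUENCE = [{"left"}, {"left", "right"}, {"left"}, set()]


def single_fault_survey(controller, sequence=MASKING_SEQUENCE):
    """Fault-list analysis: inject each stuck-closed switch on its own and run
    the sequence. Returns {switch: (detected, unsafe)}."""
    return {s: run_sequence(controller, sequence, (s,)) for s in SWITCHES}


def masked_faults(controller, sequence=MASKING_SEQUENCE):
    """Switches whose stuck-closed fault the controller never sees in this sequence."""
    return [s for s, (detected, _) in single_fault_survey(controller, sequence).items()
            if not detected]
```

For the series wiring, `masked_faults` returns S3 and S4: their fault is hidden by the already-open left door, while a stuck S1 or S2 is seen as soon as the left door opens. The individual-channel wiring masks nothing. In both wirings `single_fault_survey` reports that the hazard is never enabled while a door is open, which is the point made above that the masked fault alone does not lose the safety function; only the detection differs, and opening the right door on its own (sequence `[{"right"}]`) does reveal the stuck S3 even in the series wiring.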

Category selection:

Selection of the category for a safety system must be done using the information from the Risk Assessment. The method presented in AS 4024 provides an estimation of risk reduction based on the system’s behaviour in case of a fault. However, the user must also consider other factors such as component reliability and the technology used. The method is shown in Figure 10.

The criteria for the method are explained:

a) Severity of injury S1 or S2 - commonly S1 for reversible and S2 for irreversible, taking the normal healing process into account. Thus:

i. S1 would be bruising or lacerations.

ii. S2 would be more serious injuries including amputations or death.

b) Frequency or duration of exposure F1 or F2 – Commonly if access is required frequently or as part of the machine cycle then F2 shall be used, or else use F1. If the duration of exposure is high in relation to the period of usage time then F2 should be used.

c) Possibility of avoiding the hazard P1 or P2 – Considers whether the hazard can be identified and avoided before the accident occurs. P1 should be selected if there is a realistic chance of avoiding an accident. P2 should be selected if there is almost no chance of avoiding the hazard.

Figure 10: category selection method

The large filled circles in Figure 10 indicate the preferred category, the smaller circles indicate the category allowed with additional safety measures taken (AS 4024.1501 2006 Appendix C).

Fault Consideration

The following fault criteria should be considered:

a) If failures occur as a result of a previous fault, the first fault and all other faults will be counted as a single fault.

b) Common-mode faults are counted as a single fault.

c) The occurrence of two independent faults at the same time is not considered.

Some common faults that occur in a system are:

a) Electrical component faults include:

i. Short circuit or open circuit e.g. earth faults, open circuit of a conductor.

ii. Short circuit or open circuit occurring in a component e.g. position switch.

iii. Non-drop-out or non-pick-up of electromagnetic elements e.g. contactors.

iv. Non-starting or non-stopping of motors.

v. Drift beyond tolerance values for analogue elements e.g. resistors.

vi. Loss of partial or entire function of integrated component e.g. microprocessor.


b) Hydraulic and Pneumatic component faults include:

i. Incomplete switching of moving element e.g. sticking of valve position.

ii. Drift in original control position of moving element.

iii. Change of leakage volume flow.

iv. Bursting of lines.

v. Clogging of filters.

vi. Abnormal pressure.

vii. Failure of an input signal e.g. pressure switch.

c) Mechanical component faults include:

i. Spring fracture.

ii. Sticking of moving components.

iii. Loosening of fixtures.

iv. Wear.

v. Misalignment.

vi. Environmental effects e.g. corrosion, temperature.

Safety-related parts shall be selected for their ability to resist faults, in accordance with their required safety category. Certain faults may be excluded if the probability of occurrence is negligible; to do so the designer must declare the following:

a) The improbability of occurrence of the fault.

b) Generally accepted technical experience.

c) Technical requirements deriving from the application.

d) The harshness of the environment.

Refer to AS 4024.1502 2006 Appendix D5 for common electrical faults and accepted reasons for fault exclusion. (AS 4024.1501 2006 Section 8)

Safety System Validation

Validation is used to determine if the safety system conforms to the requirements set out. The validation process should be carried out by persons who are independent of the design of the system. Validation consists of executing tests and analysing the system’s design; the validation should demonstrate:

a) The requirements of the specified category are met.

b) The specified requirements of the part are met.

A validation plan must be created; this document will include a description of the following:

a) Validation by analysis, examples of analysis tools are fault lists, fault tree analysis. The analysis should be carried out in parallel with the design process so problems can be fixed easily.

b) Validation by testing

i. Test of the specified safety function: the test must show that the system achieves the requirements of the safety function (refer to the Safety Functions section on page 20).

ii. Test of the specified category.

iii. Test of dimensioning and compliance to environment parameters.

Validation for the specified category is carried out using the following criteria:

a) Category B – the components of the system must demonstrate that their specification, design and construction are relevant to the expected environmental and structural requirements of the application.

b) Category 1 – the components of the system must demonstrate:

i. They meet the requirements of category B.

ii. Components are well-tried because they have been widely used with success in similar applications or they have been made using suitable safety principles.

iii. Well-tried safety principles have been used.

iv. When using new safety principles the user must demonstrate how faults are avoided or reduced in probability.

Relevant component standards are a common way to demonstrate compliance with category 1.

c) Category 2 – the components of the system must demonstrate:

i. They meet the requirements of category B and use well-tried safety principles.

ii. The checking equipment detects relevant faults when applied one at a time and initiates a safe state or when this is not possible provides a warning of the hazard.

iii. The check doesn’t introduce an unsafe state.

iv. The initiation of the check occurs at machine start-up and prior to the initiation of a hazardous situation or periodically during the operation.

d) Category 3 – the components of the system must demonstrate:

i. They meet the requirements of category B and use well-tried safety principles.

ii. A single fault doesn’t lead to loss of the safety function.

iii. Single faults are detected in accordance with the design rationale.

e) Category 4 – the components of the system must demonstrate:

i. They meet the requirements of category B and use well-tried safety principles.

ii. A single fault doesn’t lead to loss of the safety function.

iii. The single faults are detected at or before the next demand on the safety function.

iv. If it is not possible to detect the fault, an accumulation of faults will not lead to a loss of safety function (AS 4024.1502 2006).


DISCLAIMER: The information contained in this and any related publications is intended as a guide only. Every care has been taken to ensure that the information given is accurate at time of publication. Neither NHP nor any of the manufacturers portrayed in this and any related publications accept responsibility for any errors or omissions contained therein nor any misapplication resulting from such errors or omissions. Risk assessments should be conducted by authorised persons. The purchaser and installer are responsible for ensuring the any safety system(s) incorporating these products complies with all current regulations and applicable standards. Products are subject to change without notice and may differ from any illustration(s) provided. All products offered for sale are subject to NHP standard Conditions of Sale, a copy of which is available on application.
