Fluid Power Safety Overview

Safety

Safety is the portion of a loss prevention program involved in reducing the chance of injury to not only machine operators but all persons, including maintenance (highest injury rate in the past), as well as damage to the machine, damage to other company assets, and harm to the environment. Standards now acknowledge that there is no such thing as zero risk.

Control Integrity

The important thing in control integrity is that the integrity of the entire system must be considered, not just the electrical control portion. The entire system is rated based on the weakest link in the system chain. The function of a control valve is equivalent to the function of an electrical control relay, and, therefore, is subject to the same rules for selection of safety integrity category. This means that a safety relay is equivalent to a control reliable-valve. To be control-reliable, a valve or system must be:

• Redundant in function,
• Monitored for a fault and, therefore, the loss of redundancy,
• Of fail-to-safe design (single failure does not inhibit the safety stopping function),
• Able to lock-out and inhibit further operation upon detection of a fault until corrected, and
• Be designed and manufactured, with safety in mind, specifically for critical applications.

Control reliability (safety category-3 or -4) is not simple to achieve. Fluid power is similar to, but also different from, electrical controls. Attaining just plain old redundancy in a safety circuit requires the function of four valves, not just two. Two valves are required for the inlet function and two for the stop function (release of the energy). Many self-designed systems have hidden, potential flaws, which can lead to unsafe conditions since they are unseen, unexpected, and, therefore, excluded from design and safety reviews. A good example is the spool cross-over conditions or ghost positions of a valve, which are usually not shown on schematics.

EN954-1 defines all of the types of circuit classifications (B, 1, 2, 3, and 4). New standards are introducing new types of safety circuits. As an example, B11-TR3 and Z244 now allow a redundant circuit that is manually checked at the time of machine start-up and then as frequently as indicated by a risk assessment. This redundant, person-monitored circuit would only apply for low risk applications.

With regard to safety, there are two general abnormal conditions that can occur in valves. The first condition is the equivalent of an electrical controls fault, which exists when a device does not achieve the required position at the time of checking, i.e. a limit switch not in the proper position at the time of a start cycle. Valves can also develop the condition of diminished performance, such as when a valve becomes sticky or sluggish. In these cases the valve will achieve the proper position, but the slower shifting of the valve will affect applications where safe stopping distances or timing is involved. A monitoring system that detects these conditions must be incorporated, for these applications, under the new B11.19 standard. An easy solution would be to use a self-monitoring, Category-3 or -4 valve, which is designed to detect both of these conditions.

LOTO - Lock-Out/Tag-Out - Energy Isolation

LOTO is the number two OSHA-cited topic. Under standard LOTO, before a worker can enter a protected area of a machine, all energy must be dissipated and verified. De-energized is defined, by the standards, as disconnected from all energy sources and not containing residual stored energy. This must be accomplished, for fluid power, with the use of a manually operated valve that meets certain standards or best safety practices. An energy isolation valve must:

1. Have a secure and tamper resistant method of lock attachment,
2. Be located outside the protected area in an easily accessible location,
3. Be (either the valve or system) provided with a method for the employee to verify the dissipation of the energy prior to entering the protected area,
4. Not be used in normal production,
5. Have a full-size exhaust port (required in Canada and is the best practice in the U.S.),
6. Be positive acting (only has 2 possible positions),
7. Be easily identifiable,
8. Only be able to be locked in the off position,
9. And, of course, a written policy must be available, and training must be provided to affected employees.

Alternative Lock Out

The new Z244 standard addresses non-standard lock-out techniques, called Alternative LOTO. These systems can offer several advantages resulting in cost savings and machine up time. But first, the applicability of alternative lock-out must be established. This requires that the task to be performed must be a routine, repetitive task that is integral to the production process. Once this is established, an alternative system can be evaluated, starting with a risk assessment to establish the necessary controls and protection level. The machine must still be provided with a standard lock-out system for repair and other tasks that do not qualify for alternative lock-out.

Using alternative LOTO has allowed many companies to incorporate two time-saving advantages into their LOTO program. The first is using a single lock-point system (a remote, low-voltage system), which reduces the time to perform the lock-out function as well as enhances safety by reducing the number of lock-out points to one, thus avoiding the chance of a point being missed. These systems place electrical lock-out switches on the machine at the points where access to the machine is required. These switches are connected to an appropriate control system (Category 3 or 4), which incorporates a valve of a correspondingly appropriate safety control category. The operator can immediately perform lock-out at the point nearest the task to be performed without need to travel all around the machine to access various lock-out points. After the task is completed, the operator can immediately unlock that single lock-out point and then only needs to travel to the operator’s station to restart the machine.

The second feature of alternative lock-out systems is that not all energy needs to be removed. In fact, sometimes removing all of the energy could create an even less safe condition. This can result in significant time and cost savings. Think of a system, which contains a large volume of air and the potential savings if, every time a lock-out is performed, it would not be necessary to waste the energy stored in the compressed air system. Well, under Z244 it is possible to design a system to do just that.

The last area where the Z244 standard is showing its usefulness is for tasks that are not routine, repetitive, or integral to production, but require that energy be present in order to be performed, such as troubleshooting a control circuit. The new standard recognizes that there is no such thing as zero risk and that some risk must be present in order to perform some tasks. In this case, the standard requires that the control system and the valve, used to control the non-isolated energy, be control-reliable (Category-3 or -4).

Risk Assessment/Reduction

Risk assessment can be used to determine what minimum level of safety products must be used for a specific application, and weighs the degree of harm (injury, damage to property, or harm to the environment) that may result from an accident and then prompts steps to be taken to determine if it is feasible to reduce these risks to a tolerable level. Risk assessment incorporates additional parameters such as the probability of such an accident occurring, the severity of the harm, the amount of exposure workers have, and the possible ways the worker has to avoid the risk. The risk assessment process also allows for the fact that not all risks can be eliminated or reduced within reasonable economic limits. In addition, risk assessment is a task based program and recognizes that some risks must be present to perform certain tasks.

The best approach to risk assessment is as a team. One big change that B11-TR3 brings about is that, now, both the machine manufacturers and the users are responsible for performing the assessment (for new or rebuilt machines). In the past it has been considered the user’s responsibility for the safety on a machine. If the basis of the risk assessment program is properly established initially, a machine risk assessment will result in the identification of hazards that were previously not considered or were permitted because they were not covered by any standard.

The most difficult part of starting the risk assessment process is defining the subjective words for the assessment. Without defining these terms, the team is left wondering such things as “What is a frequent exposure or a serious injury?” There are no precise answers for these questions, and even the standards differ. Even so, TR-3 is only a technical report - not a standard. Each user (company) needs to develop its own program and to set the limits for each term used (such as degree of injury). ROSS CONTROLS^® is of the opinion that there are two degrees of injury - minor and major. Minor injuries can be treated with a first aid kit and anything requiring more extensive care is considered to be a major injury for the purposes of risk assessment. When a company uses a risk matrix that leans toward the “better-to-be-safe” side, the first question is, of course, “Will it require expenditure of additional money to eliminate a rare possibility?” No, to error on the high side will just cause the assessment team to look at each hazard a little more carefully. In addition, safety can pay back in machine up time, reduced employee absenteeism, saving the time and cost to investigate an accident, insurance savings, and other hidden costs involved with accidents. Safety is part of a company’s loss prevention program. OSHA 29 CFR 1900.1 will be the new standard for risk assessment that follows TR-3. OSHA has set a time table giving employers 9 months to institute the first portions of the program and 18 months to have their program fully in place after the standard is passed into law.

Consider a simple pneumatic or hydraulic valve while doing a risk assessment of hazards for a new machine. It might be determined that if the valve does not shift, a dangerous situation would exist. But what could cause the valve to fail? How about a broken spring or a sticky spool? Using the wrong category valve is the biggest concern. TR-3 sets the recommended minimum level of control integrity as follows.

1. Highest degree of risk reduction - control systems having redundancy with continuous self-checking to ensure the continuance of performance
2. High/intermediate risk reduction - control systems having redundancy with self- checking upon startup
3. Low/intermediate risk reduction - control systems having redundancy that may be manually checked
4. Lowest degree of risk reduction - hydraulic or pneumatic devices and associated control system using single-channel configuration

In safety-critical applications, should a decision be made to not use a critical application (Category-3 or -4 control-reliable, redundant and monitored) valve, then the potential for component failure of the valves must be considered, and what can be done to correct each possible cause must be determined as well. This would include considering things such as, internal wear causing leakage, dirt, grit, or rust entering the valve, valve spool sticking, failure of mechanical shifting device (spring), failure of solenoid coil, the valve being subjected to excessive flow, and establishing what the unknown spool cross-over conditions might be.

In order to perform a true risk assessment, additional knowledge or new input is more than likely required. Do not be afraid to involve knowledgeable persons to help your assessment team detect these hazards.

Here are a few potential areas of concern for safety and risk reduction in fluid power.

1. Hydraulic accumulator dump valves, which must be monitored or manually operated,
2. Pilot-operated check valves (PO checks), which are designed to hold a load in place and inherently trap pressure (which must be released during lock-out procedures),
3. Use of 3-position all ports blocked valves, which trap pressure,
4. Hazard created when a hose- or plastic tube-fitting blows off,
5. Sudden surge of compressed air being reapplied after LOTO causing cylinders to move quickly, subjecting the machine to shock,
6. A complete analysis of the circuit to uncover potential hazards, even though the hazards have never occurred in the past. The standards say if it can happen, it must be considered.

A company knowledgeable in fluid power safety can help discover equipment hazards, and can offer safer, cost-justified solutions. Fluid power safety-related valves are available for every category in which electrical control devices are available. Hopefully this discussion has provided insight for a deeper examination of fluid powered machinery, how it functions, and, most importantly, how it can fail.

ROSS CONTROLS^® offers a technical reference book “Fluid Power Safety for Machine Guarding”, a “Risk Locator for Machinery with Pneumatic Power” CD ROM, and a course in Fluid Power Safety. These new products are available in two ways. The book can be purchased alone (form # A10264) or a book and CD ROM package can be purchased (form # A10264CD).

For more information, please contact the ROSS CONTROLS^® Safety Team at 248-764-1816 or
safety@rosscontrols.com.

This document is taken from ROSS CONTROLS^® form #: A10276