Implementing a hierarchy of automation safety

A layered approach for addressing industrial automation safety provides optimal results.

By Joshua Draa July 20, 2022
Courtesy: AutomationDirect

Safety Insights

  • Safety comes in many forms and is a critical aspect of manufacturing operations. It starts with fundamentals like awareness and having the right equipment on-hand. While a good starting point, it is really the first step in the journey and can go in much greater detail.
  • A hierarchy of controls is a good way to build an effective safety program and a culture that emphasizes worker safety and wellness.
  • There are many safety solutions ranging from personal protective equipment (PPE) to alarms and sensors. Many advanced tools can be managed on a tablet or smartphone and users can tailor them to fit the company’s specific needs.

The considerations surrounding design and implementation of industrial automation safety are extensive, with specialized training required to fully address each potential issue. In fact, before planning for any safety-related systems, it is important that certified experts perform a safety audit to assess the conditions and determine the proper design path. In part this is because safety standards and regulations evolve over time, so the concept “we’ve always done it this way” doesn’t hold up.

On the other hand, good industrial automation safety design almost always involves a multi-layered approach combining the right products, design practices, and operational training. The first step in achieving a safe workplace is to perform a risk assessment to identify potential issues; the goal then shifts to lowering those risks through mitigation. A hierarchy of engineering and administrative controls guides the selection of the most effective methods for protecting workers.

All personnel on the project and operation teams benefit from an understanding of the relevant safety concepts, even if their core task isn’t creating the actual detailed design of safety systems. The most common topics involved with safety design are outlined here to provide the overview information staff need.

Hierarchy of controls

Two of the most prominent safety organizations in North America are the Occupational Safety and Health Administration (OSHA) and the National Institute for Occupational Safety and Health (NIOSH). OSHA creates and enforces regulations, while NIOSH is involved with research and investigation. In addition, there are many other regulatory agencies, codes, and standards associated with industrial safety.

For any equipment using industrial automation, the design of the automation systems certainly plays a role with regards to safety. However, safe design that protects workers is a much larger concept extending to the physical properties and usage of any equipment under consideration. 

A traditional approach for personnel executing safe design is to consider several layers in a hierarchy of controls to provide a complete safety solution (Figure 1). 


Figure 1: A hierarchy of controls approach to safe design prompts the consideration of the most effective methods first. Courtesy: AutomationDirect

Figure 1: A hierarchy of controls approach to safe design prompts the consideration of the most effective methods first. Courtesy: AutomationDirect

The term “hierarchy of controls” does not refer to real-time controls, but instead defines what steps users should take to control and limit the hazards presented by any equipment or installation. There are often many potential steps which can be applied, in conjunction with each other to some extent. There are five layers involved in this process. 

1. Elimination of the hazard to reduce risk

The best and most effective risk mitigation step is elimination, which means removing or deleting the potential hazard. Unfortunately, this is not a viable option most of the time because most machines and processes cannot be designed in a way to remove all possible hazards. However, designers should always consider elimination as an option. 

For instance, a machine may have an easily opened inspection hatch, exposing users to potentially hazardous access. The hatch could be replaced by non-movable sheet metal, but that would be a problem for maintenance teams. Perhaps installing an interlocking safety switch and making the hatch openable only with tools is a better approach. 

2. Substitution of the hazard to decrease risk

Even if a hazard can’t be eliminated, it may be possible to perform a substitution, replacing the hazard with something less severe or requiring less frequent access. Sometimes this isn’t possible. For example, when it comes to equipment using chemicals, perhaps a safer chemical — from the standpoint of flammability or toxicity — could be available. Even if the safer chemical costs more, it would often be worth it to realize benefits, such as more efficient work practices and fewer potential incidents. 

Figure 2: This warehousing installation shows physical fencing to guard users from the moving equipment, and an e-stop button (lower left) so users can rapidly force all equipment to a safe state. Courtesy: AutomationDirect

Figure 2: This warehousing installation shows physical fencing to guard users from the moving equipment, and an e-stop button (lower left) so users can rapidly force all equipment to a safe state. Courtesy: AutomationDirect

Continuing with the previous access hatch example, maybe a shatter-resistant fixed window could be installed instead of a hatch so that users could inspect the equipment without being exposed to the mechanism. 

3. Engineering controls to reduce risk

While it is always important to investigate the first two steps, the reality is that for modern automated equipment the next step of applying engineering controls is often where most risk mitigation will be accomplished. Engineering controls can be simple or complex, and they may take many forms.  

  • Physical: Adding gates, guards, walls, cages, and bollards are a simple yet important way to safeguard users (Figure 2). 
  • Sensors: Many types of sensors can detect dangerous conditions, or can be triggered by users to indicate and mitigate a hazard. These include emergency stop (e-stop) buttons, e-stop pullcords, light curtains, limit switches, and others. Any one of multiple sensors wired or programmed in series may be used to initiate an e-stop (Figure 3).
  • Interlocks: Some safety sensors are interlocking, which means they can be locked closed to prevent users from opening the associated equipment unless it is safe to do so. 
  • Removing energy: Sensors and interlocks can be wired via safety relays or safety controllers to disconnect energy to motors, actuators, and any other devices which could otherwise harm users. Energy can take several forms: electrical mains power, electrical device power and, most often missed, pneumatic and even hydraulic energy. Sensors may be wired to remove energy directly, or they may be designed as part of more capable hardwired relay or digital safety controller circuits. Safety controllers are advanced digital devices; they are very configurable via software and can communicate with higher-level systems.
  • Stop kinetic motion: Certain physical systems require additional attention to prevent motion even after energy is removed in the event of an e-stop. Pneumatic circuits may need a quick-dump valve to remove pressure from cylinders that might otherwise move. Equipment like vertical presses or shears may need mechanical stoppers to prevent movement due to gravity after an e-stop. Motor-driven mechanicals may call for brakes to stop rotational motion after an e-stop. 
  • Software: When all preceding methods have been applied, another good enhancement for programmable systems is to add permissive programming which checks sensors and system parameters as appropriate, and then prevents users from enabling an e-stop circuit until all conditions are safe.
  • Wiring: For the preceding methods involving safety sensors, interlocks, relays and controllers, these devices have specialized designs with dual electrical contacts and other failsafe provisions. Standard non-safety devices often are not acceptable.

For the access hatch example, engineering controls could include installing an interlock switch, which only allows the inspection door to open if the machine is safe and prevents the machine from running if the door is open. 
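As an added illustration (not code from the article or from AutomationDirect), the following Python model shows how the sensors, interlocks and permissive programming above fit together in one scan-based safety-controller routine: every device has dual channels, the devices form a series chain, a channel discrepancy latches a fault, and outputs return only on a monitored reset edge after everything is safe. The device names and the two-channel representation are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SafetyDevice:
    """One dual-channel safety input (e-stop, hatch interlock, light curtain).
    A channel reads True when its contact is closed, i.e. the device is in its safe state."""
    name: str
    ch_a: bool = True
    ch_b: bool = True

    def is_safe(self) -> bool:
        return self.ch_a and self.ch_b

    def is_discrepant(self) -> bool:
        # Only one channel open: a wiring or welded-contact fault, not a normal actuation
        return self.ch_a != self.ch_b


class SafetyCircuit:
    """Devices are evaluated as a series chain: any open channel drops the outputs.
    Outputs return only on a rising edge of the reset input (a tied-down reset button
    never restarts the machine) while every device is safe and no fault is latched."""

    def __init__(self, devices: List[SafetyDevice]):
        self.devices = devices
        self.outputs_enabled = False       # de-energised until a valid reset
        self.faulted: Dict[str, bool] = {}  # latched discrepancy faults by device name
        self._last_reset = False

    def scan(self, reset_pressed: bool) -> bool:
        for d in self.devices:
            if d.is_discrepant():
                self.faulted[d.name] = True                       # latch the fault
            elif self.faulted.get(d.name) and not d.ch_a and not d.ch_b:
                del self.faulted[d.name]   # cleared only once the device is fully actuated
        all_safe = all(d.is_safe() for d in self.devices)
        if not all_safe:
            self.outputs_enabled = False   # series chain broken: stop immediately
        reset_edge = reset_pressed and not self._last_reset
        self._last_reset = reset_pressed
        if reset_edge and all_safe and not self.faulted:
            self.outputs_enabled = True    # permissive satisfied: allow the restart
        return self.outputs_enabled
```

The model deliberately never re-enables outputs on its own when a hatch is closed or an e-stop is pulled back out; a human must acknowledge the restart.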

Figure 3: Although some other methods are preferable, there is still a need for administrative controls, like clear warning lights and labels. Courtesy: AutomationDirect

Figure 3: Although some other methods are preferable, there is still a need for administrative controls, like clear warning lights and labels. Courtesy: AutomationDirect

4. Administrative controls to lower risk

After the preceding steps have been incorporated, it is important to address the human element. This includes any design, engineering, maintenance, contractor, visitor or other personnel who will work with the equipment, or could potentially be in the area.  

A training program is important for making users aware of safety concerns, work practices and proper procedures. Rigorous lockout/tagout (LOTO) procedures are essential for protecting workers who need direct access to equipment. In addition, clear warning labels, signage, and indicator lights provide an additional layer of protection. 

5. Personal protective equipment (PPE) to decrease risk

In most industrial settings, PPE such as safety glasses, earplugs, respirators, safety toe boots, gloves, and the like are standard. Some situations call for more complex fall protection systems, along with associated training. Even though these items are indispensable for worker protection, they are at the bottom of the hierarchy of controls and should not be viewed as mitigating identified risks, as they are a method of last resort. PPE also requires ongoing worker effort to use correctly.

Mitigate, but validate

After a safety design has been created, the results must be validated in conformance with ISO 13849-2 to ensure that the target hazards identified in the risk assessment are truly mitigated. Sometimes the process can be a bit iterative, requiring some repeated steps. 

For instance, mitigation efforts in the elimination and substitution steps tend to also create new risks. After a validation is completed, a new risk assessment needs to be performed. It is not enough to use the risk assessment as a checklist.

Also, some standards in the US state a risk assessment needs to be performed periodically (ANSI/RIA R15.06). This prompts the end user to reevaluate industrial equipment to see if any changes to the area have created new hazards. Also, each year new products and ideas can provide improved safety. 

A spectrum of safety solutions

Creating safe industrial equipment, systems, and automation is never a one-time task. Instead, it is an ongoing life cycle. In addition, safety is not only the responsibility of one environmental health and safety (EHS) officer. All team members have a stake in safe designs and operation. Each task from risk assessment to mitigation to validation should be completed by a team. Another recommendation is introducing a degree of checks and balances, such as having different personnel perform the safety engineering and the validation. This provides more awareness to the team and allows things to be viewed from a different perspective. 

Many engineering considerations and products are required for creating safe industrial designs. To assist in these projects, team members in all company roles can access industrial automation supplier websites to see a wide range of products that can be implemented for providing layers of safety. 

Original content can be found at Control Engineering.

Author Bio: Joshua Draa is a product engineer at AutomationDirect. Over his 14-year career he has held controls/safety engineering positions for system integrators working in consumer product goods, pharma, and the food and beverage industries where he estimated, designed, assessed, validated, commissioned, and started up systems. Joshua holds a bachelor’s degree in Electrical Engineering from Georgia Institute of Technology and an associate’s degree in Engineering from University of North Georgia.