Failure modes of control circuits and any potential for stored energy must be understood and identified before safety functions using a control or isolation process can be properly designed into a machine. Could faults, such as sticky valves, hose failure, stored energy, or blocked flow paths, lead to a failure or exposure to danger?
The answer often is yes, and the potential danger these create should not be overlooked in the hazard identification process required by law. Contamination, lack of lubrication, condensation, silting, cavitation, aeration, rupture, leakage, blockage, intensification, wear, mechanical failure, poor maintenance, or circuit design are just some of the potential causes for a failure to danger within a fluid power circuit.
For example, we can identify a hazard inherent to circuit design which has led to accidents if we analyze a typical pneumatic circuit where a cylinder is controlled by a 5-port, 2-position single-solenoid spring return valve, shown in the illustration. Consider that the valve’s solenoid is de-energized when the machine’s protective guard is open. With no electrical power to the solenoid, compressed air flows into the rod-end of the cylinder.
The intent here is to retract the cylinder’s piston rod to protect the operator’s hand or arm. But does it? When the operator opens the machine guard, they believe nothing will move. However, if the cylinder has jammed in an extended position from fouled tooling, the operator may try to free it. An obvious crushing hazard would exist to the rear of the tooling when the cylinder unexpectedly retracts.
Even when the solenoid of a 5-port, 2-position valve is not energized, pressure most likely remains in one of the lines feeding the cylinder, posing a potentially unsafe condition.
If the potential crushing hazard could only cause minor bruising and was assessed as requiring a Category 1 solution, then using a double-solenoid 3-position valve instead would exhaust air to a de-energized state. If a serious or irreversible injury could occur, the required fault detection of Categories 2, 3, and 4 could be met by providing 3/2 monitored safety interlock valves upstream of the directional control valve. Doing so would safely block incoming compressed air and bleed residual pressure from both air lines to the cylinder. This would be suitable for cylinders mounted horizontally, but gravity loads require additional analysis and measures.
What Goes Up Must Come Down
As we know, gravity dictates that vertical loads fall if there is nothing holding them up. Rupture of hoses or single component failures in control valves, check valves, or counterbalance valves typically used in fluid power gravity load applications could lead to a hazardous condition. While undertaking failure modes and effects analysis of systems, we often observe clients assessing their slow-moving gravity loads as Category 3.
This is because they have a risk of serious injury and a high frequency of exposure. Their justification for selecting Category 3 over Category 4 is that they believe a good possibility of avoidance exists due to the slow speed of operation under normal control. If a failure occurred, would the load move slowly?
Consider a press where a flexible line runs from the bottom (cap end) of the cylinder back to a counterbalance valve. If the hose ruptures, the tooling could descend rapidly. This is where monitored valves fitted directly to the cylinder port or monitored rod-locking devices might become part of the safety solution—in some cases, both. By interlocking these safety devices with electromechanical locked guarding, operator access can easily be prevented until safe valve or rod lock position has been confirmed.
Counterbalance and pilot-operated check valves are often used as load-holding valves. An alternative, or means of redundant protection, is a rod lock. Rod locks brake and hold a cylinder’s piston rod and release it only when pressurized. Therefore, loss of system pressure automatically engages the rod lock.
Even safety components need to be carefully considered for their suitability to a circuit. For example, if you had an application for a pneumatic safety valve, would you use only one exhaust path, or two? Providing two (as shown in the illustration) ensures that blocking of a single silencer (muffler) would not lead to the loss of the safety function. What type of monitoring does it offer? Do you wish to confirm that both valves have returned to the safe state before allowing access? Do you need the ability to continuously monitor valve stop time for maintaining light curtain safe distances? Is the safety certification relevant to the complete valve system, or just in part?
Just because a product is certified to a specific category does not mean that the system will meet the category just by placing it in the circuit. Additional measures may be required, and the performance of the safety control system, as a whole, needs to be assessed.
The 2014 revision of AS4024.1—Safeguarding of Machinery provides additional guidance to current standards. Another resource, AS 4024.1502, is especially useful in summarizing basic safety principles, well-tried safety principles, fault considerations, and exclusions for pneumatic and hydraulic systems.
This material was submitted by Murray Hodges, director of Fluidsentry Pty Ltd., Carrum Downs, Victoria, Australia. Fluidsentry is a fluid power design representative for the Safety & Environmental Risk Consultants of Australia and member of the SF-041 Technical Committee for AS4024.1—Safeguarding of Machinery. Part 1 of this series appears in our January-February 2018 issue. Part 3 will appear in our May 2018 issue and also be posted to our website.