From Manual Working Machines to Remotely Controlled Machinery Systems – New challenges for safety risk management


Risto Tiusanen

VTT Industrial systems

P.O. Box 1307, FIN-33101 Tampere

Tel: 358 3 3163227 / risto.tiusanen@vtt.fi

ABSTRACT

Automated mobile machines are no longer stand-alone manual machines but parts of an automated production system. Distributed control systems and communication networks are also entering machine automation applications. In some cases, unmanned machines equipped with the latest navigation and control technologies move and work autonomously in mines, quarries and harbour terminals, and even on construction sites. These changes and development trends pose difficult safety challenges to machine manufacturers, system designers and end users.

VTT has been developing a system safety approach that combines base line risk assessment and task based risk assessment methods. The former is an application of Potential Hazard Analysis (PHA) and is structured to follow the system life cycle stages. The latter is an application of Work Safety Analysis (WSA) and HAZOP study, and it is based on Use-Case descriptions. Risk analysis of machinery typically results in proposals for technical improvements to the machinery and for instructions for use and maintenance. The applied system level approach forces the consideration of new issues related to the work process, such as production planning, maintenance planning, and work management.

Keywords

Mobile machine, autonomous operation, automation, safety, risk assessment

INTRODUCTION

The relation between the risk assessment procedure and conformity with the essential health and safety requirements is neither clear nor unambiguous when talking about machine systems. Present machinery safety standards give the basic principles and procedures for the risk assessment of a single machine. They do not, however, supply instructions on how to apply the principles at the machine system level.

To be sure that an automated machinery system is safe to use and maintain, we must know all the hazards and risks related to the different operation modes and all operating situations, the so-called use cases. Not all of these risks can be singled out in regulations or standards: the technologies are new and the applications are unique. Only a systematic analysis of safety-related factors and an assessment of the risks can fully ensure that all necessary safety measures have been taken.

VTT Industrial Systems has been developing and implementing safety analysis methods and tools in co-operation with Finnish machine manufacturers for several years. One of our latest research and development projects focuses on the safety risk management of automated and remotely controlled working machines.

Tele-operated and autonomously moving machines are no longer stand-alone machines but parts of automated production systems, which are controlled from a control room via a factory-wide communication network. In the mining industry, the biggest open pit mines use unmanned dumpers, and in some of the largest underground mines, loading machines, dumpers, and ore transporting trains are tele-operated via radio and video links. The control room can be far from the underground production area, even above ground. Machines are able to operate autonomously using their onboard navigation systems, which detect the environment and compare it with pre-programmed routes and maps.

In the most commonly used form of machine remote control, the operator stands beside the machine or at least in its vicinity. This is called line-of-sight remote control. The control commands are transmitted via a cable or a radio transmitter. In many cases, the operator's working conditions are improved by moving the remote control station into a separate vehicle or building. The distance from the machine can then be several hundred meters, and driving is done via a video link (Figure 1).

Figure 1. Remote control applications with mining machines. (Figure panels: Manual machine; Remote control from the machine; Remote control line of sight; Teleoperated and unmanned machinery.)

SYSTEM SAFETY MANAGEMENT PROCEDURE

The basic approach and the general principles for the risk assessment of a single machine are well known and are described in EN 1050 [1]. Generally, risk analysis and risk assessment are parts of the company's risk management process, which systematically applies management policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risks. The risk management process is specified in IEC 60300-3-9 (Figure 2) [2].

Figure 2. The risk management process for machinery [2]. (Flow chart: Start; System specification; Hazard identification; Risk estimation; Risk evaluation; Is the system safe? If yes: End. If no: Risk reduction and control, then back to the analysis. System specification, hazard identification and risk estimation form the risk analysis; together with risk evaluation they form the risk assessment; together with risk reduction and control they form risk management.)

Methodology for safety design and risk assessment of automatic robot systems has been studied at VTT for several years [3]. The risk assessment approach for single manual mobile machines has been developed and applied at VTT with mobile machine manufacturers since 1995. The focus of this development has been on stand-alone manual machinery and its remote control [4].

In complex machinery systems the risk assessment must be done at several levels in order to cover the entire machine system. One must consider the use of the machinery, the operators' actions, system level control functions, and machine onboard safety issues. The automated machine system must be divided into subsystems such as the local safeguarding system in the production area, the machine onboard systems, the factory-wide communication system, the production control system and the remote control stations.

This means more co-operation between machine manufacturers, their subcontractors and the end users.

This new system level risk assessment approach for mobile machinery was developed at VTT in co-operation with the mining company LKAB, the mining machine manufacturer Sandvik Tamrock Corp and their subcontractors. System safety management principles commonly used in the process industry were applied to the mobile machine system (Figure 3).

Figure 3. System safety management tasks [5]. (Life cycle stages along the time axis: System concept; System definition; System specification; System design and implementation; System manufacture; Installation and commissioning; System operation; Modifications. Safety tasks assigned to the stages: Safety plan; PHA; HAZOP studies; OHA; Validation; HAZOP / OHA during operation and modifications.)

LKAB's semiautomatic loading and transportation system in Kiruna was the first large-scale underground loading and transporting system in the world to use unmanned loading machines and a digital mine-wide communication network. The semiautomatic loading and transport system includes several autonomous and teleoperated loading machines. A simplified work cycle proceeds as follows: the operator fills the loader bucket in remote control mode. The loader trams automatically to the ore pass, dumps the ore into the ore pass, and trams automatically back to the draw point. One operator in the control room can handle several loaders and rock breakers from his control station.

HAZARD IDENTIFICATION AND RISK ESTIMATION

The aim of hazard identification is to define the automated system, its limits and interfaces, and to identify all the potential hazards related to the machinery in all foreseeable operating situations. The intended use, the related procedures and the regular maintenance of the machine, as well as foreseeable misuse of the machine, must be taken into consideration when identifying risk factors.

The system safety approach combines base line risk assessment and task based risk assessment methods. The former is an application of Potential Hazard Analysis (PHA) and is structured to follow the system life cycle stages. The latter is an application of Work Safety Analysis (WSA) and HAZOP study, and it is based on Use-Case descriptions. Use cases are descriptions and procedures of how the machinery system is used and maintained, describing the system operators' actions and the system functions.

In the PHA the following factors were used to help systematic hazard identification:

  • Geographical areas: production area, workshop area, fuel bay, etc.
  • Operation stages: area construction, HW installation, machinery and subsystem testing, system integration, system commissioning, training of operators, system configuration, operating manually, operating semi-automatically, operating autonomously, system extension, troubleshooting, repair work, system modification and system decommissioning.
  • Occupations: operator, driver, cleaner, service man, repairer, construction worker, manager, designer, subcontractor, etc.
  • Causes for hazards: conditions, environment, materials, machinery, equipment, human factors, ergonomics, failures, external systems, unexpected problems with utility systems, common causes, unusual events.
  • Consequences: death, injury, reportable injury, loss time injury, loss of production, damage to equipment.

For risk estimation the following 5 x 5 matrix was used instead of the simpler 3 x 3 matrix (Figure 4). With this matrix it is clearer to see the impact of severity and probability on the risk level: High risk (1-6), Medium risk (7-15) and Low risk (16-25).

Severity \ Probability      A Definitely   B Very possible   C Possible   D Remotely possible   E Not at all possible
1 Multi-fatalities          1              2                 4            7                     11
2 Fatality / paralysis      3              5                 8            12                    16
3 Reportable injury         6              9                 13           17                    20
4 Loss time injury          10             14                18           21                    23
5 Minor / no loss injury    15             19                22           24                    25

Figure 4. The risk matrix for person safety risks.
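The following Python program is an added illustration, not code from the paper or from VTT, LKAB or Sandvik Tamrock. It encodes the Figure 4 matrix and the High/Medium/Low bands stated above, checks the matrix for the consistency an analyst would expect before using it (each rank used once, risk never falling when severity or probability gets worse), and ranks a small PHA hazard register built from the identification factors listed earlier. The hazard entries are constructed for illustration; the names SAMPLE_HAZARDS, rank_register and matrix_is_consistent are this example's own.

```python
# Added example (not code from the paper): a PHA hazard register ranked with the
# 5 x 5 person-safety risk matrix of Figure 4. The severity rows, probability
# columns, rank numbers and High/Medium/Low bands are the paper's; the hazard
# entries below are constructed for illustration.
from dataclasses import dataclass

SEVERITY = {1: "Multi-fatalities", 2: "Fatality / paralysis", 3: "Reportable injury",
            4: "Loss time injury", 5: "Minor / no loss injury"}
PROBABILITY = {"A": "Definitely", "B": "Very possible", "C": "Possible",
               "D": "Remotely possible", "E": "Not at all possible"}

# Rank numbers from Figure 4, indexed MATRIX[severity][probability]; 1 is the highest risk.
MATRIX = {
    1: {"A": 1,  "B": 2,  "C": 4,  "D": 7,  "E": 11},
    2: {"A": 3,  "B": 5,  "C": 8,  "D": 12, "E": 16},
    3: {"A": 6,  "B": 9,  "C": 13, "D": 17, "E": 20},
    4: {"A": 10, "B": 14, "C": 18, "D": 21, "E": 23},
    5: {"A": 15, "B": 19, "C": 22, "D": 24, "E": 25},
}


def risk_rank(severity: int, probability: str) -> int:
    """Rank number (1-25) for a severity class 1-5 and a probability class A-E."""
    return MATRIX[severity][probability]


def risk_level(rank: int) -> str:
    """Risk band as stated in the paper: High 1-6, Medium 7-15, Low 16-25."""
    if rank <= 6:
        return "High"
    if rank <= 15:
        return "Medium"
    return "Low"


def matrix_is_consistent() -> bool:
    """Check to run before using a matrix: every rank 1..25 appears exactly once,
    and the rank number never drops (risk never falls) when either severity or
    probability gets worse."""
    ranks = [MATRIX[s][p] for s in MATRIX for p in MATRIX[s]]
    if sorted(ranks) != list(range(1, 26)):
        return False
    cols = list(PROBABILITY)  # "A" (most likely) .. "E" (least likely)
    for s in range(1, 6):
        for i, p in enumerate(cols):
            if s < 5 and MATRIX[s][p] > MATRIX[s + 1][p]:
                return False  # more severe row ranked lower than a less severe row
            if i < 4 and MATRIX[s][p] > MATRIX[s][cols[i + 1]]:
                return False  # more likely column ranked lower than a less likely one
    return True


@dataclass
class Hazard:
    """One PHA register line using the paper's identification factors."""
    area: str
    stage: str
    occupation: str
    cause: str
    consequence: str
    severity: int      # 1..5, see SEVERITY
    probability: str   # "A".."E", see PROBABILITY


# Constructed sample entries (not LKAB / Sandvik Tamrock analysis results).
SAMPLE_HAZARDS = [
    Hazard("production area", "Repair work", "repairer",
           "loader restarted from the control room while a repairer is inside the safeguarded area",
           "Fatality / paralysis", 2, "B"),
    Hazard("production area", "Operating autonomously", "service man",
           "person enters the autonomous route without the area being locked out",
           "Fatality / paralysis", 2, "C"),
    Hazard("workshop area", "Operating manually", "driver",
           "slipping on an oily floor when climbing onto the machine",
           "Loss time injury", 4, "C"),
]


def rank_register(hazards):
    """Return (rank, level, hazard) tuples with the highest risks first, i.e. the
    order in which risk reduction measures should be proposed."""
    ranked = []
    for h in hazards:
        r = risk_rank(h.severity, h.probability)
        ranked.append((r, risk_level(r), h))
    return sorted(ranked, key=lambda item: item[0])


if __name__ == "__main__":
    assert matrix_is_consistent()
    for rank, level, h in rank_register(SAMPLE_HAZARDS):
        print(f"{rank:2d} {level:6s} {h.stage:24s} {h.occupation:12s} {h.cause}")
```

The consistency check is the part worth keeping when a team adapts the matrix to its own scales: a hand-edited matrix in which a more severe or more likely cell gets a lower risk than its neighbour silently distorts every ranking built on it.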

The goal of the task based risk assessment was to determine the effects of possible functional and operational deviations and failures on the intended use of the system. It integrates the people and the procedures into the system and considers human factors and critical human errors, normal and emergency operations, and support tasks. For the task based risk assessment, the operating and support procedures must be defined at such a level that they can be analyzed as work tasks.

Hazards identified earlier in the base line risk assessment were updated and supplemented, the causes and consequences of possible new hazards were analyzed, and the possibilities for prevention were assessed.

The task based analysis was divided into the following phases:

  • daily routines carried out at the beginning of a work shift,
  • daily work with the system, and
  • daily maintenance and repair works.

All the main work tasks in the production areas were analysed. These tasks include, for example:

  • area preparation,
  • marking and teaching the routes for unmanned machines,
  • testing the control functions,
  • operation (manual drive, teleoperation, autonomous drive),
  • maintenance,
  • troubleshooting, repair works, etc.
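The following Python program is an added illustration, not code from the paper or from the analysis teams it describes. It shows the bookkeeping side of a task based, HAZOP-style study over use-case steps: the four steps of the Kiruna work cycle are taken from the text, while the guide words, deviations, causes, consequences and safeguards are constructed for illustration. The two functions report what a team lead most wants from such a worksheet, the (step, guide word) combinations not yet examined and the deviations with a consequence but no prevention or detection measure. The names WORKSHEET, unexamined and safeguard_gaps are this example's own.

```python
# Added example (not code from the paper): a HAZOP-style worksheet over the
# use-case steps of the Kiruna work cycle described in the text. The steps follow
# the paper; guide words, deviations, causes, consequences and safeguards are
# constructed for illustration, not LKAB or Sandvik Tamrock analysis results.
from dataclasses import dataclass, field
from itertools import product

USE_CASE_STEPS = [
    "Operator fills the loader bucket in remote control mode",
    "Loader trams automatically to the ore pass",
    "Loader dumps the ore into the ore pass",
    "Loader trams automatically back to the draw point",
]
# Classic HAZOP guide words applied to each use-case step.
GUIDE_WORDS = ["NO", "MORE", "LESS", "REVERSE", "OTHER THAN", "EARLY", "LATE"]


@dataclass
class Deviation:
    """One worksheet row: a guide word applied to a use-case step."""
    step: str
    guide_word: str
    deviation: str                       # "not applicable" records a considered, rejected pair
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)
    safeguards: list = field(default_factory=list)  # existing prevention or detection


def unexamined(worksheet, steps=USE_CASE_STEPS, guide_words=GUIDE_WORDS):
    """(step, guide word) pairs the team has not yet recorded a decision for."""
    examined = {(d.step, d.guide_word) for d in worksheet}
    return [pair for pair in product(steps, guide_words) if pair not in examined]


def safeguard_gaps(worksheet):
    """Deviations with a stated consequence but no prevention or detection measure;
    these become the proposals for technical improvements or procedure changes."""
    return [d for d in worksheet
            if d.deviation != "not applicable" and d.consequences and not d.safeguards]


# Constructed worksheet rows for illustration.
WORKSHEET = [
    Deviation(USE_CASE_STEPS[1], "NO", "loader does not start tramming",
              ["communication link lost"], ["loss of production"],
              ["watchdog stops the loader and raises an alarm in the control room"]),
    Deviation(USE_CASE_STEPS[1], "OTHER THAN", "loader leaves the taught route",
              ["navigation reference error"], ["collision with tunnel wall or with a person"]),
    Deviation(USE_CASE_STEPS[2], "LESS", "bucket only partly emptied",
              ["hydraulic fault"], ["spillage on the route, reduced production"],
              ["operator checks the dump on the video link"]),
    Deviation(USE_CASE_STEPS[3], "EARLY", "loader starts the return before the dump is completed",
              ["sequence timing error"], ["ore left on the route, obstacle for the next cycle"]),
    Deviation(USE_CASE_STEPS[0], "REVERSE", "not applicable"),
]


if __name__ == "__main__":
    print(f"{len(unexamined(WORKSHEET))} step/guide word pairs still to examine")
    for d in safeguard_gaps(WORKSHEET):
        print(f"GAP: [{d.guide_word}] {d.step}: {d.deviation}")
```

Recording a pair as "not applicable" is deliberate: it keeps the record of what the team considered and rejected, so that the unexamined list only contains real omissions when the worksheet is revisited after a system modification.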

It was important that the system operators and maintenance people participated in the analysis teams. They knew best the real work procedures and the practical problems in the mine tunnels. In this case, the team had representatives from the machine operators, production control, maintenance, automation system designers, and mine safety experts. The work included several analysis meetings, designers' interviews, and follow-ups relating to the operation of the system in the mine. VTT led the analysis meetings and the assessment process, and conducted the documentation and reporting (Figure 5).

Figure 5. Overall picture of system level risk assessment tasks, methods and results. (Analysis objects: control room, communication system, unmanned machinery. Analysis methods: PHA, HAZOP, WSA. Assessment references: MD 37/98/EC, EN 1050, EN 954-1. Results: list of hazards; safety related aspects for work planning, work management, cooperation inside the company, cooperation with subcontractors, user instructions and maintenance instructions; requirements for safety functions; safeguarding principles for automated production areas; documents for the technical file of the semiautomatic production system; proposals for actions to fulfill the EEC's essential safety requirements.)

CONCLUSIONS

In large-scale machine automation applications, the safety related remote control functions are complicated and difficult to analyze. They can be compared with the automation systems of the process industries. Safety related control functions in highly automated machine systems include multi-dimensional aspects such as the operator's actions, the user interface, the communication protocols, and the machine onboard control signals. In such a context, safety aspects must be understood to be an important part of systems engineering. The system operation and maintenance work tasks must be specified and designed taking into account the new automation related hazards and potential safety risks.

Risk analysis of machinery typically results in proposals for technical improvements to the machinery and for instructions for use and maintenance. The applied system level approach forced the consideration of new issues related to the work process, such as production planning, maintenance planning, and work management. It additionally introduced new safety related aspects for co-operation inside the company between production and maintenance people, and for co-operation with machine suppliers and other subcontractors working in the automated production areas, topics that are not normally discussed when the safety analysis is conducted only at the machine level.

REFERENCES

  • 1. EN 1050 1997 (ISO 14121:1999) Safety of machinery. Principles for risk assessment.
  • 2. IEC 60300-3-9 2000. Dependability management. Part 3: Application guide. Section 9: Risk analysis of technological systems.
  • 3. Kuivanen, R. 1995. Methodology for simultaneous robot system safety design. VTT Publications 219. 142 p.
  • 4. Tiusanen, R. 2000. Risk assessment of automated working machinery. Proceedings of the 7th International Conference on Human Aspects of Advanced Manufacturing: Agility
