Machinery safety control systems and fluid power - part 2

This article is the second of a six-part series providing an overview of requirements, principles, applications and technology for pneumatic and hydraulic safety systems of machinery. In the last issue we gave an overview of the hierarchy of control and the categories of safety-related parts of control systems as per AS4024.1 Safeguarding of Machinery. Our second topic is an introduction to failure mode considerations for fluid power control systems.


In order to design a safety solution where an engineering control or isolation process is to be used, the failure modes of the control circuit and any potential for stored energy need to be understood and identified.


Could faults such as sticky valves, hose failure, stored energy or blocked flow paths lead to a failure or exposure to danger? The answer is often yes and the hazards these create should not be overlooked in the hazard identification process required by legislation. Contamination, lack of lubrication, condensation, silting, cavitation, aeration, rupture, leakage, blockage, intensification, wear, mechanical failure, poor maintenance or circuit design are just some of the potential causes for a failure to danger within a fluid power circuit.


For example, we can identify a hazard inherent to circuit design, one which has led to accidents, if we analyse a typical pneumatic circuit where a cylinder is controlled by a 5/2 single-solenoid spring return valve. When the valve solenoid is de-energised upon a guard opening, air is supplied to one end of the cylinder. The principle is for the actuator to retract before the operator is in harm's way, but does it? When the operator opens the guard they believe nothing will move. However, if the cylinder has jammed in an extended position from fouled tooling, it is foreseeable that the operator is likely to try to free it. An obvious crushing hazard could then exist to the rear of the tooling when the cylinder unexpectedly returns.



If the potential crushing hazard could only cause minor bruising and was assessed as requiring a category 1 solution, then alternatively using a double-solenoid 5/3 valve would provide for the air to be exhausted in the de-energised state. If a serious or irreversible injury could occur, the required fault detection of categories 2, 3 and 4 could be met by correctly interlocking 3/2 monitored safety valving prior to the directional control valve, resulting in safe block and bleed of the system. This would be suitable for horizontal cylinders, but gravity loads require further analysis and measures.



As we know, gravity dictates that vertical loads fall if there is nothing holding them up. Rupture of hoses or single component failures in control valves, check valves or counter-balance valves typically used in fluid power gravity load applications could lead to a failure to danger. Whilst undertaking failure modes and effects analysis of systems we often note clients assessing their slow-moving gravity loads as category 3, because they have a risk of serious injury and a high frequency of exposure. Their justification for selecting category 3 over category 4 is that they believe there is a good possibility of avoidance due to the speed of operation under normal control. If a failure occurred, would the load move slowly? Consider a press where a flexible line runs from the bottom of the cylinder back to a counter-balance valve. If the hose ruptures, the tooling could descend rapidly. This is where solutions including monitored valving fitted directly to the cylinder port and/or monitored rod-locking devices might become part of the safety solution. By interlocking these safety devices with electromechanical locked guarding, operator access can be easily prevented until safe valve and/or rod lock position has been confirmed.


Even safety components need to be carefully considered for their suitability to a circuit. For example, if you had an application for a pneumatic safety valve, would you require only one exhaust path, or would it be two to ensure a single silencer blockage would not lead to the loss of the safety function? What type of monitoring does it offer? Do you wish to confirm that both valves have returned to the safe state before allowing access? Do you need the ability to continuously monitor valve stop time for maintaining light curtain safe distances? Is the safety certification relevant to the complete valve system, or just in part?


Just because a product is certified to a specific category does not mean that the system will meet the category just by placing it in circuit.  Additional measures may be required and the performance of the safety control system as a whole needs to be assessed.  


The revision of AS4024.1 Safeguarding of Machinery due for release mid-2006 will provide additional guidance to current standards. Part 1502, Design of safety related parts of control systems – validation, will be of further assistance to designers with basic safety principles, well-tried safety principles, fault considerations and exclusions for pneumatic and hydraulic systems.

Jason Hodges