Frequently asked questions about what’s new in the updated ANSI B11.19 standard with regard to determining safety distances for devices
The American National Standards Institute (ANSI) recently updated the ANSI B11.19 standard to provide more details on the application of risk reduction measures. As the main source for national standards to achieve the safety of people working with industrial equipment, the ANSI B11 standards provide details on various aspects of machinery safety measures. The 2019 version is an effective complement to the risk assessment process by providing a near-complete list of risk reduction measures.
Watch our webinar to get more information on the ANSI B11.19 standard.
With this recent update to the ANSI B11.19 standard, we’re here to help with any questions you may have. Here are some frequently asked questions regarding the standard answered by Chris Soranno, SICK Safety Standards and Competence Manager, and Todd Dickey, Staff Engineer at Honda Engineering NA.
How do you determine the ‘hazard zone’ to measure the safety distance from?
Soranno: It is first important to recognize that engineering control devices may not reduce risk associated with all hazard types. For instance, a safety light curtain may effectively reduce risk to a tolerable level for hazards associated with moving equipment, but cannot feasibly reduce risk associated with ejected materials.
Once a practical engineering control device is selected, the “hazard zone” associated with the span of control of the device must be accurately identified. In some applications, the hazard zone is static and does not move or change, such as a rotating mechanical power transmission apparatus. However, other applications have more dynamic hazard zones. For instance, the moving die of a power press which opens and closes each cycle is somewhat dynamic in the fact that the hazard may only be present within the footprint of the die during the closing stroke.
A robot system, however, may have one or more very dynamic hazard zones. Typically, the “hazard zone” of a robot system is often equivalent to the “operating space”. This space is different than both the “maximum space” (space which can be swept by the moving parts of the robot as defined by the manufacturer plus the space which can be swept by the end-effector and the workpiece) and the “restricted space” (portion of the maximum space restricted by limiting devices that establish limits which will not be exceeded). While the “restricted space” includes areas where a robot system could move, the “operating space” more precisely identifies where the robot system will move.
The complexity of the system (including logic and sequencing) may determine that the “hazard zone” associated with one task may be a different shape/size/dimension than during a different task. In the example of the robot system, the task of teaching the robot with a teach pendant allows motion anywhere within the “restricted space,” whereas the task of loading/unloading should restrict motion to the “operating space” – or possibly even a subset of it. A thorough risk assessment which accounts for all task and hazard pairs should be used to accurately determine the appropriate “hazard zone” each engineering control device is associated with.
When a light curtain is mounted at around a 45-degree angle, is it vertical or horizontal? How should we calculate safety distance?
Soranno: The accepted limit to differentiate between vertical and horizontal orientation of a presence-sensing device has been ±30° from horizontal. Any value less than 30° is considered near horizontal, and therefore should be calculated as such. Values at or above 30°, on the other hand, must use the approaches for determining reaching distances associated with vertical orientation.
How does safety distance apply to hazards which can be ejected (e.g., broken tooling or parts)?
Soranno: This is more of a consideration during the risk assessment as opposed to the various safety distance calculations. When the potential for an ejection of a workpiece or broken tooling exists, a physical barrier guard is necessary. That barrier guard must be of sufficient size and strength to prevent the hazard from contacting a person standing on the opposite side of the barrier.
To identify total time to achieve a safe condition, how should we determine the safe speed?
Soranno: In the past, the concept of “safe speed” was traditionally equated to zero speed. The two default settings on most older equipment were “run” and “off”. In this binary paradigm, it is easy to understand how the opposite of full speed was safe speed. However, over the past few decades, advances in automation technology have resulted in many other operating conditions that fall somewhere between full and zero speed. Furthermore, the reliability of drive systems and introduction of safety-related monitoring functions (including safety functions for power drive systems) have expanded the concepts of residual risk.
The concept of “safe condition” is directly aligned with “acceptable risk” – both of which are a function of a risk assessment. Within the structure of the ANSI B11 standards, ANSI B11.0 addresses the general concept of risk assessment; this is comprised of the estimation, evaluation and reduction of risk. This process is also iterative, which means that subsequent estimation and evaluation must occur following each attempt at risk reduction until acceptable residual risk is achieved.
The risk tolerance level is subjective, however; what is acceptable to one individual (or organization) may not be acceptable to another. In these situations, a full stop is the least objectionable amount of speed. For such organizations, new approaches to safety may be too foreign to accept, such as collaborative robot applications which rely on reduced pressure or force as a risk reduction measure. Fortunately, a number of application-specific standards (so-called type-C standards) exist which define various levels of reduced energy which have been agreed upon by industry experts as a “safe condition.”
As guidance, ANSI B11.0-2020 includes an informative Annex Q which outlines a number of reduced energy limits (including speed, force, kinetic energy, pressure, and thermal energy) benchmarked from specific application standards. It is important to note, however, that the reduction of energy in and of itself is typically not sufficient to achieve a safe condition; additional measures are often necessary to further reduce risk as low as reasonably practicable (ALARP).
Once a safe condition (such as a reduced speed) is established, the time to achieve such a condition must be determined within an acceptable probabilistic tolerance. ANSI B11.19-2019 includes an informative Annex J which provides guidance for a statistical approach to identifying 99.7% of occurrences within a Gaussian distribution (the so-called “bell curve”). This statistical approach, however, must be applied to valid data points. Therefore, measurements should be taken with a calibrated system and documented as part of a formulated measurement service, such as through SICK Services.
How can I calculate safety distance for an enabling device?
Soranno: Safety distance calculations do not actually apply to an enabling device. By definition, an enabling device is “a manually operated control device, when continuously activated and used in conjunction with a separate actuating control, will allow the machine to function.” The key here is that it is used with a separate actuating control, often a hold-to-run control. It is important to differentiate between the risk reduction measure used to allow control of the hazardous motion (“enabling device”) and the risk reduction measure used to control the hazardous motion (“actuating control”).
Enabling devices require the use of only one actuating control to initiate machine function. Often, they are also used in conjunction with other risk reduction measures – such as incremental movement or monitored reduced speed (e.g., teach mode in robotic applications under manual reduced speed).
Hold-to-run controls represent a special case; when they are used with other engineering control – devices (e.g., an enabling device), they only serve the purpose of a logic device and do not fulfill the functional safety requirements of the safety-related part of the control systems. However, when used without other engineering control – devices, they effectively become the primary actuating control. According to the guidance of ANSI B11.19, actuating controls – including two-hand actuating controls and single (foot/hand) actuating controls – actually do require a safety distance to further reduce risk.
Do we need to consider stopping time for an emergency stop device?
Soranno: An emergency stop device must be manually actuated by an individual to initiate the stop command, usually in reaction to an unexpected event or hazardous situation. Since it is reactionary, rather than a proactive approach to detect or prevent exposure to a hazard, it is often viewed and applied as an option of last resort. As such, an emergency stop device must be used with other risk reduction measures – it is almost never a stand-alone solution.
Safety distance (as a function of time for the hazard to achieve a safe condition) only applies to risk reduction measures which can either detect or prevent exposure of a person to a hazard zone. Since an emergency stop can do neither of these, the concept of safety distance as a calculated location does not apply.
However, the category of stop initiated by an emergency stop – either Category 0 or Category 1 – must be chosen based on a risk assessment, and should consider how quickly the hazardous condition can achieve a stop safely.
How does the new edition of ANSI B11.19 compare to similar documents, such as ISO 13855 or RIA TR R15.406?
Soranno: ISO 13855 is the international equivalent of the content addressed in Annexes H & I of ANSI B11.19-2019. The current edition of ISO 13855 is dated 2010, although it is currently undergoing a significant revision. The previous edition of ANSI B11.19 had many differences from ISO 13855, but the 2019 changes have nearly eliminated these. In many cases, new content added to ANSI B11.19 was sourced from ISO 13855 (e.g., reaching over vertical sensing fields, arm length associated with reaching through presence-sensing devices, single-beam devices, and gap associated with horizontal sensing fields). In other cases, ANSI B11.19 has updated existing guidance based on current research and best practices, or is simply addressing considerations not included in the published version of ISO 13855 (e.g., reaching under vertical sensing fields, foot-actuated controls, interlocked guards and pressure-sensitive edges / bumpers). These updated and new factors from ANSI B11.19 are being reviewed for the ongoing revision of the ISO standard, with the anticipation that both standards will be in much closer alignment moving forward.
The technical report RIA TR R15.406 is intended as an informative supplement for robot and robot systems designed according to ANSI/RIA R15.06-2012 (an identical national adoption of the international standards ISO 10218-1 & -2). In the ISO structure, guidance for the application of safeguarding devices is in a number of other (external) type-B standards. Since these ISO standards are not nationally adopted in the USA, the TR R15.406 document was aimed to draw the most relevant content into a single American document. When RIA TR R15.406 was published in 2014, the content was based upon the international standards which were available at that time. However, many of the source standards have since been updated, including:
- ISO 13857 (safety distances for guards)
- ISO 14119 (interlocking devices for guards)
- ISO 14120 (design of fixed and movable guards)
- IEC 60204-1 (electrical equipment of machines)
- IEC 60947-5 (control circuit devices and switching elements)
Furthermore, many of the source documents are currently undergoing technical revisions, such as:
- ISO 11161 (integrated manufacturing systems)
- ISO 13855 (safety distances for devices) [as discussed previously],
- ISO 14119 (interlocking devices for guards) [undergoing another revision since the previous update listed above]
- IEC 60947-5 (control circuit devices and switching elements) [also undergoing a new revision since the previous update listed above]
Therefore, the guidance in RIA TR R15.406 no longer represents the current state of the art, whereas ANSI B11.19-2019 is much more aligned with current and future content of similar international standards. At the end of the day, the goal is to achieve acceptable risk for individuals exposed to hazards associated with industrial machinery. While differences still exist in the technical details (e.g. calculations and resulting distances) across standards, the overall methodologies and approaches of the various documents are still aligned. In other words, the newer standards and associated guidance are simply advancing the state of the art based on updated scientific studies and current best practices in industry.
Dickey: The only thing to add to Mr. Soranno’s comprehensive answer is that due to the aforementioned points regarding TR R15.406, plus the fact there were a couple of technical errors discovered, the R15.06 subcommittee has requested this technical report be withdrawn.
Are the tables available anywhere other than the ANSI Spec?
Soranno: At this time, ANSI B11.19 is the most current standard available with the information provided in our recent webinar. Some of the tables are harmonized with other standards already published and available, while other guidance addressed in the new edition of ANSI B11.19 is being considered for future editions of industry standards currently in development. The best place to find the information consolidated into a single place is the actual ANSI B11.19-2019 standard.
In your experience, is the 300 mm height to avoid reaching the hazard under light curtains enough?
Soranno: The 300 mm height to prevent reaching under a vertical presence-sensing device is a maximum value for the lowest edge of the sensing field; other (lower) values are also acceptable. The 300 mm value has been used effectively and proven in use, and has been cited in international standards for more than 20 years. However, as with any risk reduction measure, the overall effectiveness must be validated and verified before returning equipment to use to ensure the residual risk is acceptable.
What approach speed value (K) should be applied when reaching under a vertical light curtain?
Soranno: If a person is lying prone to reach under the sensing field (either on their back or stomach), the 1,600 mm/s (63 in/s) speed may be unrealistic and a slower speed may be appropriate. However, a person crouching to reach under may lose their balance and fall forward into the hazard zone, in which case the 1,600 mm/s speed may not be large enough.
The issue of approach speed is addressed in Annex H.3 of ANSI B11.19-2019. Here, the value of 1,600 mm/s is explained to be one accepted value which represents the hand and body movement of an individual approaching a hazard zone. Other body movements (or restrictions of body movement) may serve as justification for a different approach speed value for a given application. Additional guidance is also provided that any value less than 1,600 mm/s should be used only when:
- determined to be valid by a risk assessment;
- is clearly documented; AND
- is verified as acceptable through statistically valid modelling and experimentation.
Therefore, other values are still acceptable; however, values lower than the 1,600 mm/s speed require an additional effort by the integrator to justify such a value.
The response time of the safety controller Tc is really the actual “thru-put” not the average response time. One of the FlexiSoft manuals had a nice summary of how to calculate the “Thru-put”. Has anyone written a white paper or is there a presentation that addresses this concept?
Soranno: We must first clarify the difference between Tc (reaction time of the actuator control system) and Ti (reaction time of the interface). The variable Tc is assigned to the portion of the machine control system which controls the actuator (e.g., the redundant contacts controlling a motor or valve). When addressing the logic portion of the safety-related parts of the control system (SRP/CS), such as with SICK’s FlexiSoft software-programmable safety controller, we are actually addressing Ti in the safety distance formula.
Unfortunately, we did not have time in the webinar to specifically address all of the sub-parts of the time factor T. However, as a general rule, when a more complex interface device is selected to perform the logic function of the SRP/CS, the determination of the response or reaction time of the component also becomes more complex.
The worst credible delay must be considered when determining reaction time of the interface component(s) in order to obtain a sufficient value to plug into the formula. All signal paths must be taken into account when calculating the response times, as well as communication time for both input and output signals, as well as the time necessary to execute the logic. For programmable controllers, this execution time can be affected by the complexity of the logic program. In some cases, logic execution time can be optimized, depending on the logic component selected. In all cases, the component supplier should provide information and guidance to determine a suitable value for determining safety distances of all integrated engineering control – devices. For instance, the FlexiSoft operating instruction includes such guidance in chapter 12.2.1.
Your recommendation for a whitepaper on this topic will be considered; thank you for the idea!
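The following is an added example, not part of the interview or of ANSI B11.19: it combines the statistical stop-time bound discussed for Annex J with the worst-credible interface delay described above, then multiplies the summed time by the approach speed K. Assumptions: the 99.7% figure is read as mean + 3 standard deviations, the distance is taken as K × T plus a reaching-distance addend that the page does not give (so only the K × T term is computed), and all measurements, path names and the minimum sample count are constructed placeholders.

```python
import statistics

# Constructed stop-time measurements in ms (illustrative, not real data).
STOP_TIMES_MS = [182, 176, 190, 185, 179, 188, 181, 184, 177, 186]

# Constructed interface signal paths for one light curtain, times in ms.
SIGNAL_PATHS_MS = {
    "curtain->drive_A": {"input": 4.0, "logic": 8.0, "output": 4.5},
    "curtain->valve_B": {"input": 6.5, "logic": 8.0, "output": 12.0},
}

DEFAULT_K_MM_S = 1600.0  # approach speed quoted on the page


def three_sigma_stop_time(samples_ms, min_samples=10):
    """Mean + 3 sample standard deviations (assumed reading of the 99.7% rule)."""
    if len(samples_ms) < min_samples:  # min_samples is a placeholder threshold
        raise ValueError("too few measurements for a meaningful spread")
    if any(s <= 0 for s in samples_ms):
        raise ValueError("stop times must be positive")
    return statistics.fmean(samples_ms) + 3 * statistics.stdev(samples_ms)


def worst_credible_interface_delay(paths_ms):
    """Return (path name, delay) for the slowest input + logic + output path."""
    totals = {name: p["input"] + p["logic"] + p["output"]
              for name, p in paths_ms.items()}
    worst = max(totals, key=totals.get)
    return worst, totals[worst]


def time_term_distance_mm(times_ms, k_mm_s=DEFAULT_K_MM_S, justified=False):
    """K x T only; the reaching-distance addend is not given on the page."""
    if k_mm_s < DEFAULT_K_MM_S and not justified:
        raise ValueError("K below 1600 mm/s needs a documented, verified basis")
    return k_mm_s * sum(times_ms) / 1000.0


if __name__ == "__main__":
    stop = three_sigma_stop_time(STOP_TIMES_MS)
    path, ti = worst_credible_interface_delay(SIGNAL_PATHS_MS)
    print(f"stop time bound: {stop:.1f} ms, Ti: {ti:.1f} ms via {path}")
    print(f"K x T term: {time_term_distance_mm([stop, ti]):.0f} mm")
```

A real calculation must also include every other contribution to T (such as the sensing device's response time and Tc) and the reaching-distance term from the standard itself.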
If we don’t know if the reaching distance of an existing device meets the ANSI B11.19 requirements, how may such non-conformance issue impact the risk assessment information of the machine equipped with such engineering – devices?
Soranno: The risk assessment process should be performed multiple times throughout the lifecycle of a machine (see ANSI B11.0-2020, clause 4.14 for further guidance). Additionally, every risk reduction measure must be evaluated to ensure the residual risk for each unique application is acceptable. Simply applying engineering control – devices to a machine is not enough; each element of the risk reduction strategy must be validated and verified. Furthermore, periodic inspections should be performed to ensure the measures are in working order and are still appropriate – especially in cases where equipment usage or interaction may change over time.
NOTE: A new technical report – ANSI B11.TR8 – will be available soon to provide further guidance regarding periodic inspection of risk reduction measures throughout the machine lifecycle.
If existing measures on a machine have not been validated and verified for their effectiveness, the guidance in ANSI B11.19-2019 should be considered as a sort of ‘measuring stick’ which can be used to represent current best practices and state-of-the-art.