The night in question couldn't have been more normal at the baked goods plant. Throughout the day, sheets of dough wind through a twisting maze of machinery and conveyor belts, where they are manipulated into a variety of products. As usual, at the end of second shift, it was time to tear everything down and sanitize the line. One of the first machines to be cleaned was a dough extruder, a piece of equipment that uses powerful rollers to flatten out raw dough and deposit it onto a conveyor.
A maintenance worker was busy scrubbing and spraying down the extruder intake hopper when his glove became caught in the rotating rolling pins (Photo 1). The rollers slowly sucked in his glove, fingers, hand, and eventually his arm, up to the mid-bicep. The wound was so grave his arm was ultimately amputated.
Our firm was hired by the victim's attorney to determine how the accident occurred as well as what controls, safety devices, or procedures should have been in place to prevent it. Because we became involved in the case some years after the accident, the production line and sanitation procedures had already been altered to address various safety concerns.
Setting the scene
The third shift of maintenance and sanitation workers normally began their cleaning process on the lamination line, which was the first portion of the production line to finish for the day.
To prepare for the sanitization process, the workers first placed plastic bags over electrical junction boxes along the line while it was still operating. After the last of the product moved through, the line was shut down from one of the user-interface junction boxes. Workers removed the cutting blades from the machines and dislodged the larger pieces of leftover dough. While the lamination line was still de-energized, sanitation workers sprayed it down with hot water. Then, they restarted the line and rinsed it again while it was running. If workers needed to rinse out the inside of a machine, many times they would activate one of the pull-cord e-stops and shut down the line. They may have also opened one of the interlocked doors on a particular machine, activated the push-button e-stop on the user-interface junction box, or pulled the disconnect on the main control panel. Any of these methods would shut down the entire lamination line. In order to get the line running again, the safeties would have to be reset and the line restarted from the control panel.
After a thorough rinse, the lamination line was restarted and sprayed down with cleansing foam. Next, the workers began scrubbing down the exteriors of the machines using a handheld scratchpad. The line was then shut down by one of the methods mentioned above, and the interiors of the machines were scrubbed down. Finally, the line was turned back on, and the workers rinsed it once more.
Of particular note is the extruder/chunker interface (Photo 2). Because the extruder is mounted directly underneath the chunker, it needs to be wheeled away for cleaning or maintenance. As originally designed, the extruder included a short power and control cord that plugged into an outlet near the chunker. If the extruder was rolled away, a jumper was plugged into the outlet so that the rest of the lamination line could continue to operate. This also served as a safety feature. If the extruder was de-energized once it was pulled away from the line, then personnel couldn't come in contact with the rotating components.
However, if the extruder was de-energized, it made cleaning the interior more difficult. The unit had to be sprayed down from above, a process that would only clean the exposed surfaces of the rollers. Thus, the extruder would have to be plugged back in, restarted, and the rollers spun until the soiled surfaces were exposed. The unit would then have to be de-energized, pulled away from the line, and sprayed down again.
In the minds of the workers and plant management, it was easier to just spray down the rollers while they were running. Eventually, when the jumper plug began to fail due to water infiltrating the connection, they were able to solve two problems at once. The power and control cable connection was replaced with a long hardwired cable sometime before the accident. The extruder could now be operated while it was pulled far away from the lamination line.
The accident
On the night of the accident, the victim and a coworker were cleaning the lamination room. At some point, he pulled the extruder away from the line and sprayed down the rollers while the machine was running. He was standing on a stool and scrubbing the interior walls of the hopper when his glove became caught in the rotating rollers. The gloves were taped to his arm for protection from the hot water used in sanitizing, so he couldn't pull away. The rollers quickly pulled in his arm.
Hearing his screams, another coworker ran into the lamination room. After failing to find a way to shut down or unplug the extruder, he finally ran to the main control panel and operated the main electrical disconnect, shutting down the entire lamination line. To make matters worse, because there was no way to reverse the rotation of the motors, maintenance workers had to open up the machine and use wrenches to reverse them by hand — a process that took around 45 minutes.
To get a clear picture of the circumstances leading up to this accident, we had to take the investigation back in time. Our analysis included reviewing dozens of documents and depositions, analyzing schematics and programs, and inspecting the plant where the accident occurred.
The investigation
Approximately one year prior to the accident, plant management decided to replace the lamination section of the production line. The manufacturing company chosen to head the project designed an automated system to fit the same space taken up by the old line. The dough mixing equipment, including the chunker, was left in place for integration with the new lamination line.
Before shipment, the manufacturing firm assembled and test ran the entire line at its factory, at which time representatives from the baked goods plant were invited to observe the operation of the new line and suggest changes. The new lamination line was packaged and shipped to the baked goods plant roughly six months prior to the accident. In the meantime, the old line was removed, and plant management hired a local electrical contractor to run conduit and conductors from the main control panel to various junction boxes along the line.
According to the contract for the project, the manufacturer provided installation and startup supervision of the new line as an added service. The manufacturer sent engineers and technicians to the plant to assist with connection of the new lamination line machines to the electrical junction boxes along the line. They also helped install the main control panel on the north wall of the lamination room.
A programmable logic controller (PLC) housed in the main control panel controlled the new lamination line. The main electrical disconnect, PLC input/output wiring terminals, and various sets of contactor relays were also located in the main control panel. The PLC was programmed with custom-designed ladder logic written by the manufacturer.
The user interface consisted of two touch-screen panels mounted on separate legs of the lamination line. Using the touch-screen panels, the employees could start up machines, control motor speeds, and reset any tripped safeties.
Many sensors and safeties were included on the fully automated line, including speed, torque, and blockage sensors, as well as various push-button and pull-cable emergency stops (e-stops). Safety interlocks integrated into the machines were used to protect workers from the hazards of moving parts. One type of safety interlock installed contained a switch component and a magnetic component. Essentially, when the two components are in close proximity, the switch is closed, and the machine will operate normally. When the two components are pulled apart (i.e., when a door is opened), an internal switch opens, turning off the machine.
In this particular design, a magnetic safety interlock was specified to interface between the extruder and chunker. The switch component was supposed to be mounted on the extruder and the magnetic component to the base of chunker. The interlock specifications show that the switch would open if the two components were moved more than 23.0 mm apart. The switch would again close when the two components were moved back to within 17.0 mm.
The interlock switch component was connected to a terminal block inside a junction box mounted near the extruder. From there, wires ran back to a terminal block inside the main control panel, and then to a contactor relay. The main contact pads inside the contactor linked the extruder roller motors to electrical conductors supplying power from the main panel. In this case, if the extruder/chunker magnetic safety interlock switch were opened, it would disrupt a constant input signal normally supplied to the contactor. The contactor would then open, de-energizing the extruder roller motors and shutting down the machine.
Helping our team connect the dots, this background information was crucial in recreating the circumstances leading up to the accident; however, it also became apparent that installation factors played a significant role in the unfortunate events that unfolded that day.
Uncovering answers
Toward the end of the installation process, an engineer from the manufacturing firm arrived at the plant to assist with the installation and help debug the circuit during initial startup procedures.
Previously, the lamination line had been set up and tested by the manufacturer, so most of the e-stops and safety interlocks were installed prior to shipping. The extruder/chunker magnetic safety interlock could not be pre-installed because the chunker was still in use at the baked goods plant. The engineer brought the magnetic safety interlock with him for final installation. However, as it turned out, the magnetic safety interlock was never installed. Depositions taken of the plant management and manufacturing representatives revealed conflicting reports as to the reasons why this was not done — the most likely reason being that plant management thought it would interfere with the sanitation process if the extruder were shut down whenever it was pulled away from the line.
As designed, without the interlock in place, the contactor relay would be in the open position, and the extruder motors would not receive power. The internal ladder logic program would read an open switch, and the PLC would alert the operator of a tripped safety device. The interlock would have to be put back in place before the line could be restarted.
Therefore, in order to operate the line, the extruder/chunker magnetic safety interlock was bypassed with a short section of wire connected across the input and output terminals of the contactor back at the terminal block in the main panel. An electrical signal then passed directly between terminals, effectively negating the safety interlock. We concluded that this had to have been done during the installation process, during which time both the manufacturer and plant representatives were present.
In addition to the non-installation of the extruder/chunker safety interlock, we found that various other adjustments were made to the PLC program between installation and the time of the accident. Motor speeds were changed, the extruder/chunker magnetic safety interlock was deleted, and the user interface program output was changed. It did not become clear during legal discovery whom exactly made the changes in the ladder logic.
The verdict
The baked goods plant was cited and fined as a result of a separate investigation by OSHA. Many parties were involved in a personal injury lawsuit, including the equipment manufacturer, baked goods plant, and a temporary hiring firm that supplied workers to the plant. The case reached a confidential settlement during mediation, prior to coming to trial.
As in most cases, multiple failures of systems and procedures must take place before an accident of this magnitude can occur. The fact that the magnetic safety interlock was bypassed, the line cord lengthened, and the PLC program altered all allowed the extruder to be moved away from the line during sanitation. In addition, the extruder was not designed to be cleaned while operating. Thus, appropriate safety guards and trip sensors were neither designed nor installed. Furthermore, sanitation procedures at the plant did not reflect the altered design and dangers involved. Even though personal responsibility of the worker inevitably played a part, if the failures leading up to the accident had not occurred, the victim would not have lost his arm.
Paris is a forensic electrical engineer with Anderson Engineering, New Prague, Minn.
Sidebar: Safety Codes and Standards
To specify proper design and operation of machines and make for a safe working environment, there are many industry design standards equipment manufacturers should follow.
At the time the manufacturer was designing the lamination line, it stated that it complied with standards from the American National Standards Institute (ANSI Z50.1), the National Fire Protection Association (NFPA 79), and the Baking Industry Sanitation Standards Committee (BISSC).
ANSI Z50.1 specifies safety requirements for bakery equipment. NFPA 79 specifies the “Electrical Standard for Industrial Machinery.” Finally, the BISSC document specifies “Sanitation Standards for the Design and Construction of Bakery Equipment and Machinery.” A number of requirements within these standards were not followed in this case, including: ANSI Z50.1-1.2, 1.6, 5.1.1, 5.2.1, 5.2.4, 9.5.2, and 9.8.2; NFPA 79-4.1.1, 4.3.1, 4.3.2, 4.3.3, 4.3.5, 5.8, 6.5.1, 9.6.1, 9.6.2, 9.6.3, 9.15, and 14.1.3; and BISSC 1.6, 1.7, and 3.2.13.
