Ethics of modifying PLC programs on unsafe machines

Scenario:
1. An employer has a machine that isn't up to code/standards: hydrogen gas torch systems without safety shutoff valves; an industrial robot with its gate and e-stop channels being run by non-safety PLC outputs; e-stops wired as single-channel PLC inputs; gate switches wired as single-channel PLC inputs; the HMI has an 'Emergency Stop' button; a 'bypass button' exists to circumvent the gate switch, allowing people to enter the machine while it's running; no safety switching devices exist in the control cabinet (not even relays).
2. Employer asks you to make changes to the PLC program for process reasons.

IME, the advice I've always gotten from previous managers is that 'once you touch it, you own it', so you don't modify a PLC program or make changes to a machine that you KNOW isn't safe. Arguably, the engineer should perform a risk assessment and lock the machine out until it can be completely revamped and considered 'safe'. Or (gray area, I know), we can leave the machine running while plans are made to fix its problems, while maintaining some plausible deniability... but the line that is not crossed is making any changes to that machine, especially in the program, because then if anything bad were to happen, "who was the last engineer to make changes to the program?" means fingers get pointed at that person. My attitude is if push comes to shove and I am told/forced to make changes to a machine that I know is unsafe, then I turn it off until I fix EVERYTHING, including the outstanding safety issues.

So what's your take on this, guys? Does the whole 'he who was last to change it owns it' standard sound right to you? Is leaving the machine running already too much of a professional ethical problem? What response would you give to the employer? Are there any legal/regulatory/code resources that address this situation specifically?
 
I can't speak to any legal questions, especially in the USA, but I can tell you this:

I like to sleep at night.

I wouldn't touch it with a 3.05m pole.
 
Yep that "you touch it, you own it" seems to be universal.
Don't touch it until all safety issues have been resolved ($$).


I wouldn't touch it with a 3.06m pole, just to be sure @ASF touches it first.
 
If anyone ever tried to force me to do something unsafe, I'd politely decline. If they pushed the issue or became threatening, I'd ask for it in writing... and then immediately contact the relevant safety regulator (Worksafe here) with this nice piece of evidence, and walk away while they tear that place apart.

In this day and age there are very few reasons to even consider something like you say. "We are going to lose money if this isn't running" is not ever one of those reasons.
 
My attitude is if push comes to shove and I am told/forced to make changes to a machine that I know is unsafe, then I turn it off until I fix EVERYTHING, including the outstanding safety issues.

That's the route I'd be taking. Tell them you make the changes, but it'll take several weeks due to the machine being capable of literally BBQing their staff at present.

I know the US is different, but in the UK there are protections against getting fired for refusing to work unsafely so I'd be choosing to die on that hill.
 
I was in a situation where a manager wanted me to replace a failed SSR without shutting the machine down (480 volts) I refused. He called another tech and asked him to do it, he also refused. Ultimately he had no choice but to shut it down.


Needless to say, I started looking for a different job after that incident and left a few months later.


Mike
 
Some years ago, I was working for an agency in between full-time jobs. I was given a job to do some work on an old engine valve profiling machine as their guy had to go on holiday; he had converted an old Siemens S5 program to the S7, and Siemens had installed some standard blocks for their servo drives. I got to site on the Saturday and the factory manager asked me, "It will be running by Monday, won't it?" I said I did not know, as I was only filling in for the guy who is on holiday. Over those two days I completely re-wrote the program, as the conversion did not have an equivalent of the Siemens standard sequencer logic: the S7 imported the FBs, but they were empty. I could not run the main drive as there was no lube. However, I noticed that the company who had re-jigged the panel had not upgraded the safeties for the grinding drive, and I felt this was a must. I removed the fuses (as I would have done anyway due to no lube) and e-mailed, plus left a phone message with, the boss of the contractor who called me in. I was called on the Monday by the boss; he was impressed with the work I had done that his guy could not do in two weeks, and offered me a full-time job. I mentioned the safety aspect and declined his offer. When asked why, I told him I would not work for a company that did not take safety seriously. I was aware that if I had carried on and got it running, both I and the company would be liable. I never knew what happened after that, but there was no way I was going to complete a job knowing that it was not up to the standard required by current legislation.
 
"...Is the whole 'he who was last to change it owns it' standard sounding right to you?..."

Absolutely! This industry is more "Fix the blame, not the problem." I've been asked to do some similar things in safety logic, cell gates and robots. One place said if I didn't do what they asked they would call my boss. I closed my laptop and put it in my backpack and on the way out told them they need not bother to call; I would inform him myself.
 
When I was a technician, I was once asked to bypass a light curtain so the operators could load components while the machine was running. The tooling for the automated loader hadn't arrived yet and they were in a hurry to run that product. When I was maintenance at a previous employer, I'd had to drive an operator to the ER because her hand got caught while standing inside the guarding and loading those same parts in an identical machine...so I refused. I proposed and implemented a "single cycle" mode so the machine would stop gracefully and automatically after each cycle so they could hand load. I then added a pushbutton on the end of a cable to restart the machine since the normal startup was several feet away from where they would stand while loading the parts. I think they may have used that mode maybe once in 4 years...



Don't really care about production schedules if it's at the cost of an injury.
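The 'single cycle' hand-load mode described in the post above, written out as an added example; this is not the poster's code and not logic from any real machine. It is a Python simulation of a PLC scan routine with assumed input names (curtain_clear, single_cycle, start_pb, cycle_done) and two constructed input sequences. The point it shows is the difference between bypassing the light curtain and keeping it in the stop path while the process is made to stop gracefully at the end of each cycle and wait for a deliberate restart from a pendant pushbutton. In a real machine the curtain must also break the run circuit through safety-rated hardware (safety relay or safety PLC, as later posts in this thread note); this routine only decides when the process restarts, it is not the safety function.

```python
"""Simulated PLC scan logic for a 'single cycle' hand-load mode.

Added illustration, not code from the thread. Assumed inputs: a light curtain
(curtain_clear), a mode selector (single_cycle), a momentary start/restart
pushbutton (start_pb) and an end-of-cycle flag (cycle_done). In a real machine
the light curtain must also break the run circuit through safety-rated
hardware; this logic only decides when the process restarts.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Inputs:
    curtain_clear: bool = True   # True = nobody in the light curtain
    single_cycle: bool = False   # mode selector: stop after every cycle
    start_pb: bool = False       # momentary start / remote restart pushbutton
    cycle_done: bool = False     # sequencer reports the cycle has finished


class SingleCycleLogic:
    """One call to scan() is one PLC scan; it returns the run output."""

    def __init__(self) -> None:
        self.run_output = False
        self.restart_required = False   # for the HMI: 'press start to continue'
        self._start_prev = False        # previous scan's pushbutton state
        self.trace: List[str] = []

    def scan(self, i: Inputs) -> bool:
        # One-shot on the pushbutton so a held or taped-down button cannot
        # auto-restart the machine after a stop.
        start_edge = i.start_pb and not self._start_prev
        self._start_prev = i.start_pb

        # Curtain intrusion always drops the run output and is never bypassed.
        if not i.curtain_clear:
            if self.run_output:
                self.trace.append("curtain interrupted: run output dropped")
            self.run_output = False
            self.restart_required = True
            return self.run_output

        if self.run_output:
            # Graceful stop: finish the cycle, then park and wait for a restart.
            if i.cycle_done and i.single_cycle:
                self.run_output = False
                self.restart_required = True
                self.trace.append("cycle complete in single-cycle mode: stopped for hand load")
        elif start_edge:
            self.run_output = True
            self.restart_required = False
            self.trace.append("start edge: run output set")
        return self.run_output


def simulate(steps: List[Inputs]) -> Tuple[List[bool], List[str]]:
    """Run a sequence of scans; return the run output per scan and the trace."""
    logic = SingleCycleLogic()
    outputs = [logic.scan(s) for s in steps]
    return outputs, logic.trace


# Constructed scenario: operator loads by hand between single cycles.
HAND_LOAD_SCENARIO = [
    Inputs(single_cycle=True, start_pb=True),                       # press start
    Inputs(single_cycle=True),                                      # cycle running
    Inputs(single_cycle=True, cycle_done=True),                     # end of cycle -> stop
    Inputs(single_cycle=True),                                      # parked, operator loading
    Inputs(single_cycle=True, curtain_clear=False),                 # hand in curtain while parked
    Inputs(single_cycle=True, start_pb=True),                       # restart from the pendant
    Inputs(single_cycle=True, curtain_clear=False),                 # intrusion mid-cycle -> stop
    Inputs(single_cycle=True, curtain_clear=False, start_pb=True),  # start refused while curtain broken
]

# Constructed scenario: continuous mode, cycle_done does not stop the machine.
CONTINUOUS_SCENARIO = [
    Inputs(start_pb=True),
    Inputs(cycle_done=True),
    Inputs(cycle_done=True),
]

if __name__ == "__main__":
    for name, scenario in (("hand load", HAND_LOAD_SCENARIO), ("continuous", CONTINUOUS_SCENARIO)):
        outputs, trace = simulate(scenario)
        print(name, outputs)
        for line in trace:
            print("  ", line)
```

The rising-edge check on the pushbutton is what makes the mode safe to hand to operators: a button taped down or held during loading cannot restart the machine by itself, and a restart is refused for as long as anything is in the curtain.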
 
Well then, playing devil's advocate... what would you all do if you were called in to help get a machine back running again, and you end up working on it and fixing the problems they have?

You can't do a solid safety evaluation in such a short amount of time; you have no idea how safe the entire system is. You were only called to help with a specific problem, and now you've worked on it, but it may not be up to safety standards.
 
"...Is the whole 'he who was last to change it owns it' standard sounding right to you?..."

Absolutely! This industry is more "Fix the blame, not the problem." I've been asked to do some similar things in safety logic, cell gates and robots. One place said if I didn't do what they asked they would call my boss. I closed my laptop and put it in my backpack and on the way out told them they need not bother to call; I would inform him myself.

There is also the case to be made that if I see that it is unsafe, then I am now at least partially responsible. The response above would seem to be the best option. Close your laptop, call your boss and tell them what you see. People in charge need to be notified so they can be made accountable for getting it fixed properly.
 
I think there are different scenarios, with different ways to tackle the situation.

1. Machine has safety functions made with a non-PLC. Like in this case.
Don't touch the PLC program, no matter that you don't change anything safety related.
Put in writing your concern, and post it to management, stating what you have observed and that you will take no responsibility for the machine.

2. Machine has safety functions made with safety relays, i.e. safety is not directly related to the PLC.
You can make modifications to the PLC program, but someone else has to verify that the program changes do not affect the safety.
Put in writing what you have done and that you take no responsibility for the safety of the machine.

3. Machine has safety functions made with a safety-PLC.
3a. You can make modifications to the non-safety PLC program, but someone else has to verify that the program changes do not affect the safety.
Put in writing what you have done and that you take no responsibility for the safety of the machine.
3b. You can make modifications to the safety PLC program, but only if you have access to the risk assessment, you are proficient in safety, and you are specifically tasked with updating the safety.
The risk assessment, risk evaluation, risk validation needs to be updated accordingly, and all documented and saved.
Put in writing what you have done and that you take responsibility for the safety of the machine as far as the safety program.

Notice, I would not mention any other safety aspects other than the ones mentioned above. If you say something like 'everything must be made safe' it implies that you are aware of safety issues. If the machine has an accident, someone can say you knew but did nothing.
Case 1 is special, because you have observed something clearly unsafe, and you need to cover your back. You need to document that you informed someone else who should take care of the issue.
 
The general rule for your situation is this: "you touch it, you own it".
It doesn't matter what change you made in the program; you touched it and KNEW of the safety concerns/violations. If anyone gets hurt, they will hire lawyers and they will go after anyone and everyone who touched it, including the one who sold the machine to your company. They will contend that you KNEW of the safety issues and did nothing.

I am going through the same thing at work with a press, and the new controls are not going to make production happy.

I would do the following.
Take pictures of the violations; if someone asks, you are documenting the needed changes.
Document everything.
Estimate as best you can the time, materials, and other items needed to correct the issues.
Present your documentation to management and plan accordingly.
KEEP a copy for your records at home and note who was there in the meeting. This will be proof of your concerns, and that you tried to get the machine fixed, should someone get hurt.
Regards,
James
 
Would it make a difference if you get it in writing, before accessing a machine which you did not originally supply, that the end-user is responsible for the safety?

The bit about documenting safety issues with photos etc.: what if there is an accident caused by a safety issue that you missed?
If you even begin providing safety advice, doesn't that just involve you deeper and deeper, and make you the expert in the machine?
 
I think there are different scenarios, with different ways to tackle the situation.

1. Machine has safety functions made with a non-PLC. Like in this case.
Don't touch the PLC program, no matter that you don't change anything safety related.
Put in writing your concern, and post it to management, stating what you have observed and that you will take no responsibility for the machine.

2. Machine has safety functions made with safety relays, i.e. safety is not directly related to the PLC.
You can make modifications to the PLC program, but someone else has to verify that the program changes do not affect the safety.
Put in writing what you have done and that you take no responsibility for the safety of the machine.

3. Machine has safety functions made with a safety-PLC.
3a. You can make modifications to the non-safety PLC program, but someone else has to verify that the program changes do not affect the safety.
Put in writing what you have done and that you take no responsibility for the safety of the machine.
3b. You can make modifications to the safety PLC program, but only if you have access to the risk assessment, you are proficient in safety, and you are specifically tasked with updating the safety.
The risk assessment, risk evaluation, risk validation needs to be updated accordingly, and all documented and saved.
Put in writing what you have done and that you take responsibility for the safety of the machine as far as the safety program.

Notice, I would not mention any other safety aspects other than the ones mentioned above. If you say something like 'everything must be made safe' it implies that you are aware of safety issues. If the machine has an accident, someone can say you knew but did nothing.
Case 1 is special, because you have observed something clearly unsafe, and you need to cover your back. You need to document that you informed someone else who should take care of the issue.


This all sounds good... But the reality is that most machines don't meet every safety standard, and it's impossible to be any kind of call-in service engineer while questioning every single job that comes up, to the point where a lot of places don't have original drawings or prints for a machine.

The catch-all would be that every single quote for work includes a blurb that your company takes no responsibility for the safety of the machine after work is completed. But how many have that?
 