The increasing role of functional safety in complex machine design
Mechatronics and safety: Proper application of safety standards is required to attain CE Marking, vital for machines placed in Europe. See the five steps to self-certification.
One of the biggest challenges facing U.S. machine builders is the transition from the old safety standard EN 954-1 to the new ISO 13849-1 or IEC 62061 safety standards. Proving conformity with these safety standards helps a machine builder obtain a CE Mark, required for placing machines in Europe. Achieving a CE Mark need not be difficult if the right steps are taken.
The new standards are used to demonstrate conformity to the European Machinery Directive 2006/42/EC for safety-related parts of a control system (SRP/CS). This functional safety approach to machine design is a necessary response to the changing complexity of automation and the increasing role of new software-based controllers in carrying out integrated safety functions. While the task of designing the safety control system has become a bit more complicated, functional safety offers a more flexible method to design the SRP/CS and to mitigate hazards with safety functions.
Although functional safety concepts have their origins in the process control industry, their machinery-specific implementation is gaining momentum with machine builders. But with two years of implementation now passed, there are still many machine and robot builder OEMs in the U.S. struggling to understand the Machinery Directive and how to implement the standard(s) to show conformity on the way to CE Marking.
Bottom line for U.S. manufacturers looking to place machines in the EU market: You have to build your machinery such that the essential health and safety requirements in the Machinery Directive are met. This overview of designing for the Machinery Directive includes references and suggestions for those requiring more detailed information, and provides best practices for others.
Applicable directives, standards
The safety of machinery depends to a large extent on the correct application of directives and standards. In Europe the national legal requirements are harmonized by European directives, such as the Machinery Directive. Such directives describe general requirements that are specified in more detail by standards.
The directives define basic objectives and requirements and are kept as technologically neutral as possible. In the area of health and safety at work and machine safety, the following directives have been published:
- Machinery Directive 2006/42/EC – aimed at the manufacturers of machinery
- Work Equipment Directive 2009/104/EC – aimed at organizations that operate machinery
- EMC Directive 2004/108/EC
- Low Voltage Directive 2006/95/EC
Manufacturers must take into account the integration of safety during the design process. In practice, this means that the designer makes a risk assessment as early as the machine’s development phase. The resulting measures can then flow directly into the design.
CE Marking of machinery and the conformity assessment procedure under the Directive can follow several paths, depending on the type and risk level of the machine.
5 steps to self-certify a machine
Most machines are not listed in Annex IV of the Machinery Directive and can therefore take the self-certification route, which requires the manufacturer to complete these five steps:
- Perform a risk assessment
- Demonstrate conformity to the Essential Health and Safety Requirements (EHSRs) of Annex I, or against the requirements of applicable C-type harmonized standards.
- Compile all technical documentation into a Technical File
- Complete an EC Declaration of Conformity
- Affix the CE Mark
This procedure does not involve the intervention of a Notified Body, but the manufacturer or an authorized representative may choose to seek independent advice or assistance as necessary to carry out the conformity assessment of the machinery. Any technical report(s) generated must be included in the Technical File.
Directives describe basic requirements, and A, B, and C level harmonized standards demonstrate conformity to the directives. A list of harmonized standards is available. Figure 1 shows the basic A, B, and C level harmonized standards typically applied.
If a C-type standard exists for a machine, such as ISO 10218-1:2011 Robots and Robotic Devices - Safety requirements for industrial robots, then this standard has priority over all other A- and B-type standards and any information in these guidelines. In these cases, only the C-type standard applies.
While the use of standards is not mandatory, the selection of a standard and its correct application is the surest way to obtain conformance with the relevant EHSRs. The end user is still responsible for ensuring that the equipment complies with the directives and that the standards were applied correctly.
Performing risk assessment
The first step on the path to a CE Mark is a risk assessment. When designing a machine, analyze the possible risks and, where necessary, add protective measures to protect the operator from any hazards that may exist.
To aid a machine manufacturer with this task, ISO 12100:2010 defines and describes the process of risk assessment, including risk estimation and risk evaluation. A risk assessment is a sequence of logical steps that permit systematic analysis and evaluation of risks.
The aim of the risk assessment is to:
- Identify hazards
- Identify tasks associated with each hazard
- Determine whether a risk reduction is necessary or not
- Determine how the required risk reduction shall be reached
- Identify safety functions
- Determine the Required Performance Level (PLr).
The documented outcome of the risk assessment is critical when risk reduction measures are implemented by devices that perform safety functions. The machine must be designed and built taking into account the results of the risk assessment.
Section 6 of ISO 12100:2010 outlines applying inherently safe design measures for control systems. It states that the design measures of the control system shall be chosen so that their safety-related performance provides a sufficient amount of risk reduction. To prevent hazardous machine motion and to achieve safety functions, the design of control systems shall comply with the principles and methods presented in subclause 6 and shall be applied as appropriate to the circumstances (see ISO 13849-1, IEC 60204-1, and IEC 62061).
Determining the PLr for each safety function sets the performance that control components and their integration into the SRP/CS must deliver. The performance level is defined in five discrete steps, from “a” to “e” (Figure 2), and is calculated via a complex formula. The PL a control system achieves, which must be at least the PLr, depends on the structure of the control system, the reliability of the components used, the ability to detect failures, and resistance to common cause failures in multiple-channel control systems. In addition, further measures to avoid design faults are required.
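To make the two halves of this step concrete, here is an added example (not from the article or from SISTEMA) that encodes the ISO 13849-1 risk graph for choosing a PLr and the standard's simplified table (category, DCavg, MTTFd) for estimating the PL an SRP/CS achieves, then checks one against the other; the table values and band limits are as the example's author reads the 2006 edition, and the function names are assumptions.

```python
# Added example (not from the article): ISO 13849-1 risk graph (Annex A) for
# choosing PLr, and the standard's simplified table (category, DCavg, MTTFd)
# for the PL an SRP/CS achieves; values as the example's author reads the
# 2006 edition. SISTEMA remains the tool of record for a Technical File.

PL_ORDER = "abcde"  # PL a (least risk reduction) .. e (most)

# Risk graph (S, F, P) -> PLr. S1 slight/reversible harm, S2 serious;
# F1 seldom/short exposure, F2 frequent/continuous; P1 avoidance possible, P2 not.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Simplified table: (category, DCavg band) -> PL for MTTFd (low, medium, high);
# None marks a combination the table does not permit.
SIMPLIFIED_PL = {
    ("B", "none"): ("a", "b", "c"),   ("1", "none"): (None, None, "c"),
    ("2", "low"): ("a", "b", "c"),    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"): ("b", "c", "d"),    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"): (None, None, "e"),
}

def required_pl(severity: int, frequency: int, possibility: int) -> str:
    """PLr from the risk graph; each parameter is 1 or 2."""
    return RISK_GRAPH[(severity, frequency, possibility)]

def mttfd_band(years: float) -> str:
    """Per-channel MTTFd: low 3..<10 y, medium 10..<30 y, high 30..100 y (capped)."""
    years = min(years, 100.0)  # 2006 edition caps MTTFd at 100 years
    if years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable")
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dcavg_band(percent: float) -> str:
    """DCavg: none <60 %, low 60..<90 %, medium 90..<99 %, high >=99 %."""
    return ("none" if percent < 60 else "low" if percent < 90
            else "medium" if percent < 99 else "high")

def achieved_pl(category: str, mttfd_years: float, dcavg_percent: float) -> str:
    """PL reached by the SRP/CS; ValueError if the table forbids the combination."""
    row = SIMPLIFIED_PL.get((category, dcavg_band(dcavg_percent)))
    pl = row[("low", "medium", "high").index(mttfd_band(mttfd_years))] if row else None
    if pl is None:
        raise ValueError(f"category {category} with that DCavg/MTTFd is not permitted")
    return pl

def meets_requirement(pl: str, plr: str) -> bool:
    """The design passes when its PL is at least the PLr from the risk assessment."""
    return PL_ORDER.index(pl) >= PL_ORDER.index(plr)
```

A serious, frequent hazard with avoidance possible (S2, F2, P1) yields PLr d; a category 3 circuit with DCavg 85 % and MTTFd 50 years reaches PL d and passes, whereas a category 2 circuit with DCavg 95 % and MTTFd 20 years reaches only PL c.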
Documenting calculations for the PLr is an essential part in building the Technical File for the machine. While these calculations can be a bit complex, there is a free software program (Safety Integrity Software Tool for the Evaluation of Machine Applications, or SISTEMA) from IFA, an institute for research and testing of the German Social Accident Insurance.
The IFA website includes information and examples on how to install and use the software. A critical step in the correct use of SISTEMA is the inclusion of component manufacturer libraries that list their devices for use with the software. This aids in the reliability calculations of safety devices used in performing safety functions. Current manufacturers’ device libraries can be found on the IFA website as well as on the manufacturers’ own web sites.
After the PLr is established for various machine functions, the designer must make sure the safety systems meet either ISO 13849-1 or IEC 62061 requirements. Table 1 from ISO 13849-1 summarizes the scope of applications for IEC 62061 and ISO 13849-1.
The functional safety methods in ISO 13849-1 guide the design decisions that determine what a safe control circuit is. ISO 13849-1 can be applied to all areas of the SRP/CS, including hydraulic and pneumatic components, when analyzing the complete safety system.
The advantage of using these standards is that they allow design engineers to adjust their safety circuit structure and the quality of the chosen safety or even non-safety devices according to the level of risk defined by the PLr. This eliminates over-engineering and ensures the proper application of both safety-rated and non-safety-rated devices.