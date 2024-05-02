The European Machinery Directive requires that a risk analysis be performed for every machine before it is placed on the market. The convergence of IT and OT and rapid technological development have made a revision of the Machinery Directive necessary. The result is the new Machinery Regulation, which will replace the Machinery Directive as the legal foundation and contains additional requirements for the risk analysis. The following sections describe the general procedure for the risk analysis, introduce several processes for risk assessment, and explain their properties.

Legal fundamentals

Under EU Machinery Directive 2006/42/EC, a machinery manufacturer may not place a machine on the market if it poses a danger. To document this, the manufacturer performs a CE conformity assessment, which includes preparing a risk analysis. A machine may bear the CE mark only if the assessment process has been completed in full and the risk analysis shows that the machine is safe.

The Machinery Directive describes the risk analysis process only in general terms, although it lists in an annex possible hazards that must be considered during the analysis. A more precise description of the process is given in ISO 12100 – Risk assessment and risk reduction (figure 1). It defines an iterative process in which the hazards are first identified and the associated risks are then estimated and evaluated. If the analysis shows risks that are not acceptable, they must be reduced. The risk-reduction procedure is divided into three levels, and the sequence of these levels must be followed.

The first level consists of constructive measures: the machine must be designed to be inherently safe. Only where this is not possible may the manufacturer use technical measures, such as guards (for example fences) or electro-sensitive protective equipment such as safety light curtains; both ensure that the operator can no longer reach the hazard. Organizational measures may be used only if neither constructive nor technical measures are possible; an example is instructing the employees.

Once the defined risk-reduction measures have been implemented, the iterative process starts again. This may identify hazards that the measures did not fully eliminate, as well as new hazards introduced by the measures themselves. The iteration ends only when all risks have been reduced sufficiently.

The new Machinery Regulation (EU) 2023/1230 replaces the Machinery Directive on January 20, 2027, without a transition period. The revision was necessary because of technical advances. The Machinery Regulation now details requirements for the safety of machines arising from:

Networking of machinery

Digitization and more complex control technology

New technologies, such as AI or collaborating robots

In Annex III – Safety Requirements for the Design and Construction of Machinery – the Machinery Regulation covers hazards that the Machinery Directive did not explicitly list. The following sections describe the main changes affecting the risk analysis.

For the networking of machines, the central requirement is protection against corruption. Connecting hardware or software to the machine must not lead to damage, unauthorized access to the machine must be prevented, and it must not be possible to tamper with its data. Likewise, neither the failure nor the restoration of a communication connection may result in a dangerous situation.

The control system of a machine must be protected against external influence so that neither intentional nor unintentional changes can be made to its software or configuration. An access log of changes to the hardware or software must be kept for five years, and both the software and the configuration must carry an identifier (ID).

The Machinery Regulation also addresses AI and self-learning systems. A machine must not execute actions beyond its defined task and range of movement. Data that lead to safety-relevant decisions must be retained for one year, and it must be possible to correct the machine to maintain safety. The Machinery Regulation also defines additional requirements for autonomous mobile machines: they must detect obstacles and persons, and in the event of a collision their batteries must not create a hazard.

Parameters for the risk assessment

There is no general unit of measurement for risk. Risk is typically described as low or high, using a risk indicator or a failure probability. A textual description of the risk is often easier to understand than a definition through risk indicators. If the actual risk is to be estimated with a risk indicator, the indicator's value range must be known.

The Machinery Directive specifies that two parameters must be considered to determine the risk of an identified hazard: the extent of damage and the probability of an injury (figure 2).

Depending on the process used for the risk assessment, these two parameters can be divided into further parameters. Some processes divide the extent of damage into:

Severity of the injury (S, Severity)

Number of injured persons (N, Number).

In automation technology, an event usually affects only one person, so parameter N carries little weight. In process technology, where many persons could be injured, parameter N is important for assessing the risk.

To define the probability of an injury more precisely, it is often divided into sub-parameters:

Duration of the exposure to the hazard (E, Exposure)

Frequency of the dangerous event (O, Occurrence)

Possibility of avoiding the dangerous event (A, Avoidance)

Not every dangerous event automatically results in harm. Harm occurs only if a person is in the hazard zone at the same time as the dangerous event and cannot avoid it. In practice, one therefore reduces either the exposure E with a fixed guard, or the frequency O of the dangerous event with a machine stop triggered by safe sensors, to obtain a safe system.

In summary, the risk can be expressed as: R = f(S, N) * f(E, O, A)

Process for risk assessment

The objective of the risk assessment is to estimate the risk from the specified parameters and to express it as a risk indicator with a numerical value. There are no normative requirements for how the risk is assessed; some standards do, however, specify a process in an informative annex, and further processes come from technical reports of standards organizations or from other publications. The choice of process is left to the machine manufacturer. To make the evaluation as objective as possible, the risk assessment should be performed by a team rather than by an individual.

The processes for the risk analysis can be divided into three classes:

Graphical processes

Tabular processes

Numerical processes

Graphical processes determine the risk by following a graph. Each node usually has only two branches, representing different values of one parameter, and the options are described in text form. Because of the limited number of options the risk is classified only coarsely, but the result is easy to understand.

An example of a graphical process is the risk graph in ISO/TR 14121-2 – Practical guidance and examples of methods (figure 3). It is often used to show the effect of risk-reducing measures and has four parameters, S, E, O and A. The resulting risk index is a number between 1 and 6, where 1 and 2 represent a low risk. The example also shows that graphs with more than two branches per node quickly become confusing.

Tabular processes usually offer more than two values per parameter, again described in text form, so there are more options than in graphical processes. The classification is still relatively coarse because the number of parameters is kept small to preserve clarity.

A simple example of a tabular process is described in ISO 14798 – Lifts (elevators), escalators and moving walks (figure 4). It has only two parameters, 'severity of the harm' and 'probability of a hazard'. This makes the process easy to follow, but, as with the graphical process, the classification is only coarse. The resulting risk index consists of a number and a letter that indicates a low, medium or high risk.

Numerical processes determine the risk indicator by adding or multiplying the parameter values. Many parameters with many different values are therefore possible, and the risk is assessed in greater detail. This can give a false impression of accuracy, since the parameter values are still chosen subjectively and depend on the assessor's experience. The greater level of detail does, however, make it possible to compare the risks of different hazards with one another and to identify the hazard with the greatest risk, which is important when prioritizing the steps of overhauling a machine. Because of the many parameters and options, numerical processes are not as simple to apply and understand as graphical or tabular processes.

An example of a numerical process is HRN, Hazard Rating Numbers (figure 5). It was published in 1990 by Chris Steel and exists in several variants. The large number of textually described parameter values does, however, make it harder to select the correct value. The original form has the four parameters S, N, E and O; parameter A, the possibility of avoidance, was omitted. The resulting risk is obtained by multiplication:

R=S*N*E*O

Because the parameters are multiplied, it is enough for one parameter to be small, or to be made small by a risk-reduction measure, for the overall risk to become small.
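The following is an added example, not code from Leuze or from Steel's HRN publication. It implements R = S * N * E * O over value scales modelled on commonly published HRN tables, and shows both the multiplicative effect just described and the ranking of hazards for prioritisation mentioned above. The scale values, band limits, hazards and measures are constructed assumptions; since HRN exists in several variants, substitute the scale your organisation actually uses.

```python
"""Numerical risk estimation in the style of HRN (Hazard Rating Numbers).

Added example; this is not code from Leuze or from Steel's publication.
The value scales and risk bands below are ASSUMPTIONS modelled on commonly
published HRN tables. HRN exists in several variants, so substitute the
scale your organisation actually uses.
"""
from dataclasses import dataclass, replace

# S: degree of possible harm, i.e. severity of the worst credible injury (assumed scale)
SEVERITY = {"scratch or bruise": 0.1, "laceration": 0.5, "minor fracture": 2,
            "major fracture": 4, "loss of one limb or eye": 6,
            "loss of two limbs or eyes": 10, "fatality": 15}
# N: number of persons exposed to the hazard (assumed scale)
PERSONS = {"1-2": 1, "3-7": 2, "8-15": 4, "16-50": 8, "50+": 12}
# E: frequency of exposure to the hazard (assumed scale)
EXPOSURE = {"annually": 0.5, "monthly": 1, "weekly": 1.5, "daily": 2.5,
            "hourly": 4, "constantly": 5}
# O: likelihood of the dangerous event occurring (assumed scale)
OCCURRENCE = {"almost impossible": 0.033, "highly unlikely": 1, "unlikely": 1.5,
              "possible": 2, "some chance": 5, "likely": 8, "probable": 10,
              "certain": 15}
# Risk bands as (upper bound, label); R falls into the first band it does not exceed.
BANDS = [(1, "negligible"), (5, "very low"), (10, "low"), (50, "significant"),
         (100, "high"), (500, "very high"), (1000, "extreme"),
         (float("inf"), "unacceptable")]
BAND_ORDER = [label for _, label in BANDS]


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: str     # key into SEVERITY
    persons: str      # key into PERSONS
    exposure: str     # key into EXPOSURE
    occurrence: str   # key into OCCURRENCE


def hrn(h: Hazard) -> float:
    """R = S * N * E * O. A value outside the scale raises KeyError."""
    return (SEVERITY[h.severity] * PERSONS[h.persons]
            * EXPOSURE[h.exposure] * OCCURRENCE[h.occurrence])


def band(r: float) -> str:
    """Map a risk number to its textual band."""
    return next(label for upper, label in BANDS if r <= upper)


def rank(hazards):
    """Highest risk first: the detail of a numerical index makes hazards
    comparable, which is what prioritising an overhaul needs."""
    return sorted(hazards, key=hrn, reverse=True)


def reduce_until(h: Hazard, measures, acceptable: str = "low"):
    """Apply risk-reduction measures in the given (hierarchy) order, re-estimate
    the risk after each one as the iterative ISO 12100 procedure requires, and
    stop as soon as the band is at or below `acceptable`.
    Each measure is (description, field, new scale value).
    Returns the final hazard and the list of measures actually applied."""
    applied = []
    for description, field, value in measures:
        if BAND_ORDER.index(band(hrn(h))) <= BAND_ORDER.index(acceptable):
            break
        h = replace(h, **{field: value})
        applied.append(description)
    return h, applied


if __name__ == "__main__":
    # Constructed examples, not data from a real assessment.
    robot = Hazard("crushing by robot arm", "fatality", "1-2", "daily", "possible")
    conveyor = Hazard("pinching at conveyor", "minor fracture", "1-2", "hourly", "likely")
    for h in rank([robot, conveyor]):
        print(f"{h.name}: R = {hrn(h)} ({band(hrn(h))})")

    # Because R is a product, making one factor small is enough to bring R down:
    guarded = replace(robot, exposure="annually")            # fixed guard: rarely inside
    stopped = replace(robot, occurrence="highly unlikely")   # light curtain + safe stop
    print(hrn(guarded), band(hrn(guarded)))
    print(hrn(stopped), band(hrn(stopped)))

    # Measures in hierarchy order; the loop stops once the residual risk is "low",
    # so the organisational measure is never needed here.
    measures = [("fixed guard", "exposure", "annually"),
                ("light curtain with safe stop", "occurrence", "highly unlikely"),
                ("operator instruction", "occurrence", "almost impossible")]
    final, applied = reduce_until(robot, measures)
    print(applied, hrn(final), band(hrn(final)))
```

Run it as a script to see the ranking and the residual risk after each step; note that the residual risk is recomputed after every measure rather than once at the end, which is the iteration ISO 12100 asks for.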

Risk reduction through technical measures

If the risk evaluation shows that the risk is too high, it must be reduced through appropriate measures, and the sequence of these measures is prescribed: technical measures may be used only where constructive measures are not possible.

Technical measures are often realized with safety-rated controls that form part of a safety function. A safety function consists of safety-rated components: safe sensors, a safe control and safe actuators. These components must achieve a defined reliability, expressed as the probability of a dangerous failure of the component. The greater the risk the function protects against, the higher the required reliability, because if a component fails the protection against the hazard is gone. This required reliability is also referred to as the safety level. To determine it, a risk assessment must therefore be performed; its result is not a value that describes the risk but the safety level that the function's components must achieve.

Standards for safety-related control systems define their own risk assessment process with which the required safety level is determined.

In automation technology, ISO 13849-1 – Safety-related parts of control systems – is usually used to define the safety system of a machine. It applies to electrical, electronic, mechanical, hydraulic and pneumatic systems. Its Annex A describes a risk graph for determining the required performance level PLr of the safety function (figure 6). The risk graph has three parameters: the extent of damage (S), the frequency and duration of the presence of persons in the hazard zone (E, labelled F in the standard) and the possibility of avoidance (A, labelled P in the standard). Like other graphical processes it is simple and easy to understand but works with a coarse classification. If users select the higher value whenever they are uncertain, the resulting requirement is too high and the safety technology becomes unnecessarily expensive.

An alternative for electrical and electronic control systems is IEC 62061 – Functional safety of safety-related control systems. Its Annex A describes a combination of a tabular and a numerical process for determining the required safety integrity level SILCL of the safety function (figure 7): the parameters frequency and duration of exposure (Fr), probability of the hazardous event (Pr) and possibility of avoidance (Av) are added to form a class Cl, and a table maps the class together with the severity (Se) to the SIL. The process is more complex than the risk graph of ISO 13849-1, but a finer classification is possible because more values are available for each of the four parameters.
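As an added example that is not code from Leuze or from either standard, the risk graph of ISO 13849-1 and the class/SIL table of IEC 62061 are written out below as lookup functions. The tables are reproduced from the standards' informative Annex A as recalled by the author of this example (IEC 62061 in its 2005 edition) and must be checked against the edition you apply. The `pl_if_uncertain` helper shows what the "pick the higher value when unsure" habit described above does to the requirement; all parameter values in the usage section are constructed.

```python
"""Required safety level of a safety function: ISO 13849-1 risk graph (PLr)
and IEC 62061 class/SIL assignment.

Added example, not code from Leuze or from the standards. The tables are
written down from the informative Annex A of ISO 13849-1 and of
IEC 62061:2005 as recalled by the author of this example; verify them
against the edition you actually apply before relying on a result.
"""
from itertools import product

# ISO 13849-1 risk graph. The standard labels the parameters S, F and P; the
# article calls them S, E and A. Each parameter is 1 (lower risk) or 2.
PL_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def required_pl(s: int, e: int, a: int) -> str:
    """s: 1 slight (reversible) injury, 2 serious (irreversible) injury or death
    e: 1 seldom to less often and/or short exposure, 2 frequent to continuous and/or long
    a: 1 avoidance possible under specific conditions, 2 scarcely possible"""
    try:
        return PL_GRAPH[(s, e, a)]
    except KeyError:
        raise ValueError("each ISO 13849-1 parameter must be 1 or 2") from None


def pl_if_uncertain(s: int, e_options, a_options) -> set:
    """PLr values reachable when the team cannot agree on E or A. The spread
    between min and max is the cost of always choosing the higher value."""
    return {required_pl(s, e, a) for e, a in product(e_options, a_options)}


# IEC 62061 (2005 edition, Annex A): severity Se in 1..4, class Cl = Fr + Pr + Av.
FR = {"<= 1 h": 5, "> 1 h to <= 1 day": 5, "> 1 day to <= 2 weeks": 4,
      "> 2 weeks to <= 1 year": 3, "> 1 year": 2}
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "possible": 3, "likely": 1}
# Rows: Se. Columns: Cl bands 3-4, 5-7, 8-10, 11-13, 14-15.
# "OM" = other measures recommended, "none" = no SIL requirement.
SIL_TABLE = {
    4: ["SIL2", "SIL2", "SIL2", "SIL3", "SIL3"],
    3: ["OM",   "SIL1", "SIL2", "SIL3", "SIL3"],
    2: ["none", "OM",   "SIL1", "SIL2", "SIL3"],
    1: ["none", "none", "OM",   "SIL1", "SIL2"],
}
CL_BANDS = [(4, 0), (7, 1), (10, 2), (13, 3), (15, 4)]  # (upper bound, column)


def sil_class(fr: int, pr: int, av: int) -> int:
    """Numerical part of the IEC 62061 process: Cl = Fr + Pr + Av."""
    if fr not in FR.values() or pr not in PR.values() or av not in AV.values():
        raise ValueError("parameter value outside the IEC 62061 scale")
    return fr + pr + av


def required_sil(se: int, fr: int, pr: int, av: int) -> str:
    """Tabular part of the IEC 62061 process: look up (Se, Cl) in SIL_TABLE."""
    if se not in SIL_TABLE:
        raise ValueError("Se must be 1..4")
    cl = sil_class(fr, pr, av)
    column = next(col for upper, col in CL_BANDS if cl <= upper)
    return SIL_TABLE[se][column]


if __name__ == "__main__":
    # Constructed example: serious injury, frequent access, avoidance scarcely possible.
    print("PLr:", required_pl(2, 2, 2))
    # Same hazard when the team cannot agree whether exposure is frequent:
    # the requirement swings between d and e, one PL step of extra cost.
    print("PLr under uncertainty:", sorted(pl_if_uncertain(2, (1, 2), (2,))))
    # IEC 62061 for a similar hazard: Se 3, Cl = 5 + 3 + 3 = 11.
    print("SIL:", required_sil(3, FR["<= 1 h"], PR["possible"], AV["possible"]))
```

Two things worth noticing: the PL graph has two values per parameter and eight outcomes, so a single uncertain parameter moves the result by a whole level, whereas the IEC 62061 class spreads 60 parameter combinations over five columns, which is the finer classification the text refers to.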

Risk estimation in accordance with HARMONY

The processes described guide the user through the risk assessment twice, with different procedures and different objectives: first with a process for assessing the initial and residual risk of a hazard, then with a second process for determining the safety level of the safety function.

This procedure is unnecessarily complex and burdensome. A considerable simplification is possible if the risk assessment process defines not only the risk indicator but, derived from it, also the safety level of the technical measures.

Leuze's HARMONY process was designed to do exactly this. HARMONY stands for HAzard Rating for Machinery and prOcess iNdustrY; the process can be used in both automation technology and process technology.

HARMONY is an adaptation of the HRN numerical process. It determines a risk indicator by multiplying the extent of damage (S), the duration of exposure to the hazard (E), the frequency of the dangerous event (O) and the possibility of avoidance (A):

R=S*E*O*A

The value ranges of the risk indicator R are defined so that each range can be assigned a required performance level PLr per ISO 13849-1 or a safety integrity level SILCL per IEC 62061. Figure 8 shows this assignment.

Summary

Under the Machinery Directive, and under the Machinery Regulation that replaces it, a risk analysis must be carried out for every machine before it is placed on the market, because the machine must not pose a danger at any time.

A systematic and careful procedure is needed to identify all hazards during the risk analysis; this is complex and time-consuming, but only a hazard that has been identified can be addressed by an appropriate risk-reduction measure. Various processes are available for the risk assessment, and there are no normative requirements for choosing among them; each organization must find the procedure that suits it. Selection criteria can include the complexity of the task and the specialist knowledge or preferences of the staff. The HARMONY process defined by Leuze simplifies the risk assessment and reduces the amount of work.
