The increasing role of functional safety in complex machine design

Mechatronics and safety: Proper application of safety standards is required to attain CE Marking, vital for machines placed in Europe. See the five steps to self certification.
By Mark Nehrkorn January 30, 2014

Figure 1: This chart shows the standards involved when making a risk assessment and the application of A, B, and C level standards. Courtesy: SickOne of the biggest challenges facing U.S. machine builders is the transition from the old safety standard EN954-1 to the new ISO 13849-1 or IEC 61061 safety standards. Proving conformity with these safety standards helps a machine builder obtain a CE Mark, required for placing machines in Europe. Achieving a CE Mark need not be difficult if the right steps are taken.

The new standards are used to demonstrate conformity to the European Machinery Directive 2006/42/EC for safety-related parts of a control system (SRP/CS). This functional safety approach to machine design is a necessary response to the changing complexity of automation and the increasing role of new software-based controllers in carrying out integrated safety functions. While the task of designing the safety control system has become a bit more complicated, functional safety offers a more flexible method to design the SRP/CS and to mitigate hazards with safety functions.

Although the use of functional safety concepts has its origins in the process control industry, this approach for machinery-specific implementation is gaining momentum with machine builders. But with two years of implementation now passed, there are still many machine and robot builder OEMs in the U.S. struggling to understand the Machinery Directive and how to implement the standard(s) to show conformity on the way to CE Marking.

Bottom line for U.S. manufacturers looking to place machines in the EU market: You have to build your machinery such that the essential health and safety requirements in the Machinery Directive are met. This overview of designing for the Machinery Directive includes references and suggestions for those requiring more detailed information, and provides best practices for others.

Applicable directives, standards

The safety of machinery depends to a large extent on the correct application of directives and standards. In Europe the national legal requirements are harmonized by European directives, such as the Machinery Directive. Such directives describe general requirements that are specified in more detail by standards.

The directives define basic objectives and requirements and are kept as technologically neutral as possible. In the area of health and safety at work and machine safety, the following directives have been published:

  • Machinery Directive 2006/42/EC – aimed at the manufacturers of machinery
  • Work Equipment Directive 2009/104/EC – aimed at organizations that operate machinery
  • EMC Directive 2004/108/EC
  • Low Voltage Directive 2006/95/EC

Manufacturers must take into account the integration of safety during the design process. In practice, this means that the designer makes a risk assessment as early as the machine’s development phase. The resulting measures can then flow directly into the design.

CE Marking Machinery and the conformity assessment procedure under the Directive can take several paths, depending on the type and risk level of the machine.

5 steps to self-certify a machine

Most machines are not listed in Annex IV of the Machinery Directive and can therefore take the self-certification route, which requires the manufacturer to complete these five steps:

  1. Perform a risk assessment
  2. Demonstrate conformity to the Essential Health and Safety Requirements (EHSRs) of Annex I, or against the requirements of applicable C-type harmonized standards.
  3. Compile all technical documentation into a Technical File
  4. Complete an EC Declaration of Conformity
  5. Affix the CE Mark 

This procedure does not involve the intervention of a Notified Body, but the manufacturer or an authorized representative may choose to seek independent advice or assistance as necessary to carry out the conformity assessment of the machinery. Any technical report(s) generated must be included in the Technical File.

Directives describe basic requirements, and A, B, and C level harmonized standards demonstrate conformity to the directives. A list of harmonized standards is available. Figure 1 shows the basic A, B, and C level harmonized standards typically applied.

If a C-type standard exists for a machine-such as ISO 10218-1:2011 Robots and Robotic Devices – Safety requirements for industrial robots-then this standard has priority over all other A and B-type standards and any information in these guidelines. In these cases, only the C-type standard applies.

While the use of standards is not mandatory, the selection of a standard and its correct application is the surest way to obtain conformance with the relevant EHSRs. The end user is still responsible for ensuring that the equipment complies with the directives and that the standards were applied correctly.

Performing risk assessment

The first step on the path to a CE Mark is a risk assessment. When designing a machine, analyze the possible risks and, where necessary, add protective measures to protect the operator from any hazards that may exist.

To aid a machine manufacturer with this task, ISO 12100:2010 defines and describes the process of risk assessment, including risk estimation and risk evaluation. A risk assessment is a sequence of logical steps that permit systematic analysis and evaluation of risks.

The aim of the risk assessment is to:

  • Identify hazards
  • Identify tasks associated with each hazard
  • Determine whether a risk reduction is necessary or not
  • Determine how the required risk reduction shall be reached
  • Identify safety functions
  • Determine the Required Performance Level (PLr).

Figure 2: This diagram depicts paths for Risk Estimation & Associated Required Performance Level (PLr). Courtesy: SickThe documented outcome of the risk assessment is critical when risk reduction measures are implemented by devices that perform safety functions. The machine must be designed and built taking into account the results of the risk assessment.

Section 6 of ISO 12100:2010 outlines applying inherently safe design measures for control systems. It states that the design measures of the control system shall be chosen so that their safety-related performance provides a sufficient amount of risk reduction. To prevent hazardous machine motion and to achieve safety functions, the design of control systems shall comply with the principles and methods presented in subclause 6 and shall be applied as appropriate to the circumstances (see ISO 13849-1, IEC 60204-1, and IEC 62061).

Determining the PLr for the system defines the performance of control components and their integration into the control system for the SRP/CS. The performance level is defined in five discrete steps, from “a” to “e” (Figure 2), and is calculated via a complex formula. The PLr depends on the structure of the control system, the reliability of the components used, the ability to detect failures, and resistance to multiple common cause failures in multiple channel control systems. In addition, further measures to avoid design faults are required.

Documenting calculations for the PLr is an essential part in building the Technical File for the machine. While these calculations can be a bit complex, there is a free software program (Safety Integrity Software Tool for the Evaluation of Machine Applications, or SISTEMA) from IFA, an institute for research and testing of the German Social Accident Insurance.

The IFA website includes information and examples on how to install and use the software. A critical step in the correct use of SISTEMA is the inclusion of component manufacturer libraries that list their devices for use with the software. This aids in the reliability calculations of safety devices used in performing safety functions. Current manufacturers’ device libraries can be found on the IFA website as well as on the manufacturers’ own web sites.

After the PLr is established for various machine functions, the designer must make sure the safety systems meet either ISO 13849-1 or IEC 62061 requirements. Table 1 from ISO 13849-1 summarizes the scope of applications for IEC 62061 and ISO 13849-1.

Table shows the recommended application of IEC 62061 and ISO 13849-1 as they relate to the technologies implementing the safety-related control function(s). Courtesy: Sick

Functional safety methods found in ISO 13849-1 give guidance to design adjustments that define what a safe control circuit is. ISO13849-1 can be applied to all areas of the SRP/CS, including hydraulic and pneumatic components when analyzing the complete safety system.

The advantage of using these standards is that it allows design engineers to adjust their safety circuit structure and the quality of their chosen safety or even non-safety devices according to the level of risk defined by the PLr. This eliminates over-engineering and ensures the proper application of both safety and non-safety rated devices.

See next page for an application photo, diagram, and more about Declaration of Conformity and affixing a CE Mark.

Declaration of Conformity, affixing a CE Mark

When all the procedures listed above have been followed, it’s time to put all the relevant documentation into a “Technical File.”

According to Annex VII of the Machinery Directive, this technical documentation must:

  • Contain all diagrams, calculations, test reports, and documents that are relevant to conformity with the essential health and safety requirements of the Machinery Directive
  • Be archived for at least 10 years from the last day of manufacture of the machine (or the machine type)
  • Be submitted to the authorities on legitimate request.

Critical items for the Technical File can be documented integrated safety engineering software, for CE Marking in machine construction and engineering. Such workflow-oriented software supports the designer with an engineered solution for the demanding process of CE Marking, including the risk assessment, management of harmonized standards, and inclusion of SISTEMA and other documents derived from all design and testing.

Figure 3: Here are the paths to conformity for CE Marking. Courtesy: SickWith the technical documentation developed and placed into a Technical File, the manufacturer can now complete and issue the EC Declaration of Conformity.

As mentioned before, there are several paths to CE Marking (Figure 3).

Most machines are not listed explicitly in annex IV of the Machinery Directive, and are thus subject to the standard process. In these cases, it is the responsibility of the manufacturer to apply the CE Marking, without involving a body or the authorities (“self-certification”). However, the manufacturer must compile a Technical File so that the documentation can be submitted to national authorities on request.

Machines that are particularly hazardous are subject to special procedures. Annex IV of the Machinery Directive contains a list of categories of machinery that may be subject to one of the two conformity assessment procedures involving a Notified Body: EC type examination or full quality assurance in accordance with Annex X.

If harmonized standards exist for the machine or safety components, and these standards cover the entire range of requirements, the declaration of conformity can be obtained in one of three ways:

  • Self-certification (most common method)
  • EC type-examination by a Notified Body
  • Usage of a full quality management system that has been assessed.

If no harmonized standards exist for the machine or if the machine or parts of the machine cannot be built to harmonized standards, the declaration of conformity can only be achieved as follows:

  • EC type-examination by a Notified Body where the manufacturer shall make available his machine and the related technical documentation so that it can be determined by means of a type-examination whether or not the machine meets the essential health and safety requirements. The Notified Body tests for compliance with the directive and prepares an EC type-examination certificate that contains the results of the tests.
  • Usage of a full quality management system (QMS) that has been assessed: The full QMS shall ensure conformity with the requirements of the Machinery Directive and be assessed by a Notified Body. The manufacturer is always responsible for the effective and appropriate usage of the QMS as outlined in Annex X of the Machinery Directive.

Once all the requirements have been met, the CE Mark can be applied to the machine and the manufacturer is permitted to place the machine on the market in the European Union.

Applying standards, getting the CE Mark

Figure 4: When a robot is added to an existing injection molding machine to unload parts, although each has a CE Mark, the combined system needs a new risk assessment. In this case, the U.S. manufacturer called upon Sick to assist in the risk assessment,Consider the following complex machine consisting of several pieces of existing equipment combined into a single machine. Here, a robot (Figure 4) is unloading finished parts from an injection molding machine. 

The U.S. manufacturer designed and built the molding machine but chose to purchase the robot as an off-the-shelf component and integrated it accordingly. Each machine is complex in its own right, and each machine has a completed Technical File and CE Mark, in accordance with the applicable type C standard: EN ISO 10218-1:2011 for the robot, and EN 201:2009 for the injection molding machine.

Combined, they make a complete machine that requires a new risk assessment to consider all the new hazards and tasks associated with its operation and integration. This may include the application of EN ISO 10218-2:2011 for robot systems and integration.

While injection or compression plastics-molding machinery with manual unloading is listed in Annex IV, the resulting manufacturing system with robot unloading is not listed in Annex IV. In this case, the manufacturer can proceed with the conformity assessment by self-certification, in accordance with Annex VIII. However, a machine of this complexity may influence the manufacturer to contract with a third party to help with the resulting risk assessment and Technical File preparation. Due to liability concerns or lack of expertise, the manufacturer may have the equipment assessed by a Notified Body for Type Examination to ensure compliance to the directives.

Conforming to the directives and preparing the Technical File to support CE Marking can be a very difficult process, especially for U.S. machine builders going through the process for the first time. While this article touched on the main procedures, it is by no means a comprehensive, detailed analysis. A machine builder needs a deep, thorough knowledge of the directives, procedures, and standards involved to demonstrate conformance, or it needs to ask for outside help from an experienced consultant or a safety systems vendor.

– Mark Nehrkorn is manager of safety services and solutions, Sick Inc. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.

ONLINE

Control Engineering Machine Safety blog 

Harmonized standards list 

German Social Accident Insurance 

Annex IV of the Machinery Directive 

Key concepts

  • Machine Directive integrates functional safety into machine design.
  • Evaluate safety standards properly to get CE Marking for machines placed in Europe.
  • Some U.S. machine builders remain challenged by the transition from the old safety standard EN954-1 to the new ISO 13849-1 or IEC 61061 safety standards.

Consider this

Even if you’re not designing a machine for the European market, considering and documenting safety during machine design can be a best practice.