Safety of machinery


This page summarizes the steps, derived from the ISO 12100, ISO 13849-1/2, and EN 62061 standards, required to design machines with safety in mind.

To implement risk assessment and risk reduction, the designer should take the following steps:

  • Perform a risk assessment with a multi-disciplinary team
  • Carry out the risk reduction process for each hazard
  • Determine the required performance level (PLr)
  • Design the safety-related parts of the control system (SRP/CS)
  • Evaluate the achieved performance level (PL)
  • Validate the safety functions

Leerkes Consultancy has extensive experience in performing risk assessments, design, and risk evaluation to ensure machines are designed with safety in mind. We have years of experience in designing safe machines and working in multidisciplinary teams to perform risk assessments.

Risk assessment

A risk assessment consists of:

  • Risk analysis, comprising:
    • Determination of the limits of the machinery
    • Hazard identification
    • Risk estimation
  • Risk evaluation

Determination of limits of machinery

When performing a risk assessment, it is important to establish the limits of the machinery and to consider all phases of its life cycle. This involves identifying the characteristics and performance capabilities of the machine, or of a series of machines within an integrated process, together with the people, environmental factors, and products associated with it.

Hazard identification

An essential step in the risk assessment is the systematic identification of reasonably foreseeable hazards, hazardous situations and/or hazardous events during all phases of the machine life cycle. To identify hazards effectively, a team consisting of professionals from multiple disciplines should consider the following factors:

  • Human interaction during the whole life cycle of the machine
  • Possible states of the machine
  • Unintended behavior of the operator or reasonably foreseeable misuse of the machine

Risk estimation

The risk estimation shall be carried out for each hazardous situation by determining the elements of risk:

  • Severity of harm
  • Probability of occurrence of harm
    • Exposure of persons to the hazard
    • Occurrence of a hazardous event
    • Possibility of avoiding or limiting harm

Risk evaluation

After risk estimation has been completed, risk evaluation shall be carried out to determine if risk reduction is required. If risk reduction is required, then appropriate protective measures shall be selected and applied.

Leerkes Consultancy is highly proficient in the necessary standards, including ISO 12100, ISO 13849-1/2, and EN 62061.

Risk reduction process for the hazard

The hazard analysis and risk reduction process for a machine requires that hazards are eliminated or reduced through a hierarchy of measures:

  1. Applying inherently safe design measures to control systems
  2. Safeguarding and/or complementary protective measures
  3. Information for use

Applying inherently safe design measures to control systems

Determination of required performance level (PLr)

Guidance for selecting the risk parameters S, F and P used in the risk graph:

  • S: Severity of injury
    • S1: slight (normally reversible injury)
    • S2: serious (normally irreversible injury or death)
  • F: Frequency and/or exposure time to the hazard
    • F1: seldom to less often and/or the exposure time is short
    • F2: frequent to continuous and/or the exposure time is long
  • P: Possibility of avoiding the hazard or limiting the harm
    • P1: possible under specific conditions
    • P2: scarcely possible

The required performance level, ranging from low (performance level a) to high (performance level e), can be determined based on the chosen risk parameters in the following figure.

Design of Safety related parts of Control system

A typical safety function is shown diagrammatically in the following figure as a combination of safety-related parts of control systems (SRP/CS) for:

  • Input
  • Logic/processing
  • Output/power control elements
  • Interconnecting means

Evaluation of the achieved performance level (PL)

Determine the PL for each selected SRP/CS, or combination of SRP/CS, that performs a safety function by estimating the following factors:

  • The MTTFd (mean time to dangerous failure) value for single components
    • Using the classifications of Low, Medium, and High
  • The DC (diagnostic coverage)
    • Using the classifications of None, Low, Medium, and High
  • The CCF (Common cause failure)
    • The minimum score required to pass is 65%
  • The structure
    • Using the classifications of category B, 1, 2, 3, and 4
  • The behaviour of the safety function under fault condition(s)
  • Safety-related software
  • Systematic failure
  • The ability to perform a safety function under expected environmental conditions.

The performance level can be determined by reading the chosen parameters in the following figure:

Validation Process

Software safety requirements

The primary focus for all lifecycle activities of safety-related software should be on avoiding faults introduced during the software lifecycle (as shown in the figure below). The goal of the following requirements is to ensure software that is readable, understandable, testable, and maintainable.

Verification that achieved PL meets PLr

The PL (performance level) achieved by each individual safety function must be equal to or higher than the required performance level (PLr) of the related SRP/CS, as determined by Figure 3. If this is not achieved, the iterative process described in Figure 3 must be repeated until it is.
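The PLr determination from S, F and P, the PL evaluation from category, MTTFd, DC and CCF, and the final PL-versus-PLr check described above, written out as one worked example. This is added code, not part of the original page or of Leerkes Consultancy's material; the risk-graph mapping, the MTTFd/DC class boundaries and the simplified category/DC/MTTFd table are the author's recollection of ISO 13849-1 and should be checked against the standard before use.

```python
# Added example: PLr from the risk graph, PL from the simplified method,
# then verification that PL >= PLr. Values recalled from ISO 13849-1; verify
# against the standard's own figures and tables before relying on them.

PL_ORDER = "abcde"  # low (a) to high (e)

def required_pl(s: int, f: int, p: int) -> str:
    """Risk graph: S1/S2, F1/F2, P1/P2 -> PLr a..e."""
    if not all(x in (1, 2) for x in (s, f, p)):
        raise ValueError("S, F and P must each be 1 or 2")
    # Each step towards S2, F2 or P2 moves one level up the graph;
    # the S2 branch starts at c, so S2F2P2 reaches e.
    return PL_ORDER[(s - 1) * 2 + (f - 1) + (p - 1)]

def mttfd_class(years: float) -> str:
    """MTTFd per channel: low 3..10, medium 10..30, high 30..100 years."""
    if 3 <= years < 10:
        return "low"
    if 10 <= years < 30:
        return "medium"
    if 30 <= years <= 100:
        return "high"
    raise ValueError("MTTFd per channel must lie within 3..100 years")

def dc_class(dc_percent: float) -> str:
    """Average diagnostic coverage: none <60, low <90, medium <99, high >=99."""
    for limit, name in ((60, "none"), (90, "low"), (99, "medium")):
        if dc_percent < limit:
            return name
    return "high"

# Simplified table: (category, DCavg class) -> {MTTFd class: PL}.
# Combinations missing here are not covered by the simplified method.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}

def achieved_pl(category: str, mttfd_years: float, dc_percent: float, ccf_score: int):
    """PL of one SRP/CS, or None when the structure is not achieved/covered."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None  # CCF measures insufficient for a redundant/monitored category
    row = PL_TABLE.get((category, dc_class(dc_percent)))
    return None if row is None else row.get(mttfd_class(mttfd_years))

def pl_meets_plr(plr: str, pl) -> bool:
    """Verification step: achieved PL must be at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
```

A `None` result means the combination is either not covered by the simplified method or fails the CCF requirement, so the design must be revised rather than compared against PLr.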

If expert assistance is required in designing machines with safety as a top priority, Leerkes Consultancy can provide the support you need. With our vast experience in performing risk assessments, design, and risk evaluations, we can ensure that your machinery is designed with safety at the forefront.