With their daily decisions, designers significantly influence the safety of machines and systems. This article gives an overview of the most important legal obligations that designers must at least fulfil in the product development process. It also offers pragmatic approaches for finding solutions during the design process and for organizing the cooperation with other departments and people as effectively as possible.
One of the most important activities in the safety-related planning process is the legally compliant implementation and documentation of the risk assessment. Behind this term is a legally prescribed process by which everyone involved in product development must determine which hazards and risks are associated with their machine, and with which measures these hazards can be eliminated or the risk of accidents reduced. The Machinery Directive describes a pragmatic approach in Annex I (see box). The last point of the list is particularly important for designers. Ultimately, every product development is about eliminating hazards or reducing risks adequately. For this to happen expediently, the preceding bullet points must be fulfilled:
2006/42/EC, Annex I, General Principles: The manufacturer of machinery […] must ensure that a risk assessment is carried out […] The machinery must then be designed and constructed taking into account the results of the risk assessment. By the iterative process of risk assessment and risk reduction referred to above, the manufacturer or his authorised representative shall:
Very often, however, risk assessments are only carried out after the machine has already been designed or even built. The first paragraph of the general principles of the Machinery Directive stipulates unequivocally that the risk assessment must be carried out beforehand and that the machine may only "be designed and constructed taking into account the results of the risk assessment". See Figure 1.
Another passage in the Machinery Directive that is particularly important for designers is section 1.1.2 b:
2006/42/EC, Annex I, 1.1.2.b:
In selecting the most appropriate methods, the manufacturer or his authorised representative must apply the following principles, in the following order:
This shows that safety-related solutions must be selected in a clearly defined order. It would therefore not be in accordance with the law if the instruction manual merely referred to residual risks where it would have been possible to avoid the hazard by design using economically justifiable means. The harmonized European standard EN ISO 12100 [1] requires a three-step concept for risk reduction, analogous to the requirements of the Machinery Directive:
Table 1: Sequence for selecting safety-related solutions
These legal and normative requirements result in a simple and logical approach for design practice: risk assessments have to start early in projects. This is the only way the results of the risk assessment can influence the design of machines or systems. A judgment by the Swiss Federal Administrative Court shows that non-compliance with this three-step procedure can be decisive for the outcome of court proceedings:
Judgment (C-5864/2009)
Situation: There was a serious hand injury on an automatic circular saw because trailing parts of the machine were accessible after switching off. The machine manufacturer argued that the accident would not have happened if the operator had followed the instructions in the manual. However, the court judged that the machine did not meet the requirements of the Machinery Directive. The reasons for the judgment state: "Accordingly, special warnings in the instructions manual or user instructions as a safety precaution are only adequate if other protective measures are not possible or if these would lead to disproportionate impairments when using the machine."
Please note that the translations are done by IBF.
Delayed risk assessments can lead to high costs for redesigns, changes and complete rebuilds. In general: the earlier hazards are identified, the better designers can react to them, and certain hazards can then be eliminated by the design itself. In other words, the ability to influence hazards decreases as the project progresses, while at the same time the effort and cost of changes increase:
In order to eliminate hazards discovered late in the project, or to reduce the risk of injury, expensive safety equipment (e.g. light curtains or similar) is used more often, because this is cheaper than a redesign. Please note: the safety standard originally set when evaluating the machine is always based on the three-step procedure. If the hazard could have been eliminated by a design measure (step 1), protective measures such as light curtains (step 2) most likely cannot be considered an adequate solution.
But how should a designer or engineer proceed? Section 6.2 of EN ISO 12100 lists a variety of aspects and solutions for an inherently safe design. Section 6.2.2, for example, mentions “the design of geometric factors and physical aspects”:
EN ISO 12100, 6.2.2 (Summary)
Geometrical factors
Physical aspects
In addition to these aspects, designers deal with a variety of other factors in their daily work. Table 2 shows which other requirements for inherently safe design are defined by EN ISO 12100.
Selection of suitable technologies e.g. when using machines in potentially explosive atmospheres
Table 2: Methods for inherently safe design according to EN ISO 12100
Relevant technical standards are helpful sources of knowledge for the technical implementation of the methods for inherently safe design defined above. For example, for components that exert an actuating force, the question arises up to which maximum force an operation can be regarded as inherently safe. Product-specific standards (so-called C-standards) often already contain specific solutions or refer to more general safety standards (B-standards) for the selection of parameters. When selecting standards, the designer must check whether a specific standard is suitable for his machine or its application. If, for example, it cannot be ensured that only adults have access to a particular machine, it must be checked whether the parameters specified by a standard are also suitable for children. In addition to checking the area of application, it must be checked before selecting a standard whether it is up to date. Likewise, solutions copied from previous projects must be checked to ensure they are still current.
If hazards cannot be eliminated or significantly reduced by inherently safe design, technical protective measures are used. Examples are fixed guards, such as safety fences or enclosures, and movable guards, such as panels or doors. Without further measures, hazardous areas would be accessible when the panels or doors are open. For this reason, movable guards are monitored by a controller, so that dangerous machine functions can only be started when the guard is closed, and a stop command is triggered when the guard is opened. The Machinery Directive calls this control measure “interlocking”. Machines in which hazard zones could still be reached even though opening the protective door triggered a stop command (= interlocking) must also be equipped with a so-called “guard locking device”. In the circular saw judgment discussed above, an interlock combined with a guard locking device would have been a possible solution that would have prevented the accident. In addition to guards, protective devices such as electro-sensitive protective equipment (ESPE) or two-hand controls are examples of step 2 measures.
For all measures that are monitored by control technology, there is an important interface between designers of different disciplines: depending on the risk covered by the control measure (e.g. monitoring the safety door), there are different requirements for the reliability and the diagnostic coverage of the safety function, i.e. the entire functional chain of position sensor, evaluation/control unit and actuator. This requirement, identified in the risk assessment, is then passed on to the control engineer, for example in the form of a required performance level (PLr), as an input parameter for the design of the safety function (e.g. in accordance with EN ISO 13849-1). As complementary protective measures, EN ISO 12100 names, for example, EMERGENCY STOP devices that may need to be fitted to machines.
EN ISO 12100, section 6.1 […] Where risks remain despite inherently safe design measures, safeguarding and the adoption of complementary protective measures, the residual risks shall be identified in the information for use. […]
Safety instructions in the information for use exist to draw attention to unavoidable hazards. To this end, it must be decided during the risk assessment which information channels are used.
Information and hints can be given at various points, e.g.:
With regard to the instruction manual, there is an important interface between designers and technical editors: if references to residual risks are documented during the risk assessment, the technical editors can formulate them in the instruction manual at a later date. Without this information, there is no guarantee that the technical editors will recognize all residual risks. Important safety information that is missing from the instruction manual increases the product liability risk. In addition to the types of information described so far, optical or acoustic signals can also be used to warn people of imminent danger. However, EN ISO 12100 warns against “sensorial saturation” when selecting such signals:
EN ISO 12100, section 6.4.3
[…] The attention of designers is drawn to the possibility of “sensorial saturation”, which can result from too many visual and/or acoustic signals and which can also lead to defeating the warning devices.
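As an added illustration (not code from the article or from IBF), the following Python sketch models the mandatory three-step order from section 1.1.2 b, the PLr hand-off to the control engineer and the residual-risk notes for the technical editors described above. The PLr risk graph follows EN ISO 13849-1 Annex A; the saw scenario parameters (S2, F2, P2) and the `Hazard`/`Measure` names are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Risk graph of EN ISO 13849-1, Annex A: severity S, frequency F and
# possibility of avoidance P give the required performance level PLr.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
STEP_NAMES = {1: "inherently safe design", 2: "safeguarding", 3: "information for use"}

@dataclass
class Measure:
    step: int          # 1, 2 or 3 in the order of 2006/42/EC Annex I, 1.1.2 b
    description: str

@dataclass
class Hazard:
    name: str
    severity: str      # "S1" slight/reversible or "S2" serious/irreversible injury
    frequency: str     # "F1" seldom/short or "F2" frequent/long exposure
    avoidance: str     # "P1" avoidance possible or "P2" scarcely possible
    not_feasible: dict = field(default_factory=dict)  # step -> documented reason
    measures: list = field(default_factory=list)

def check_order(h: Hazard) -> list:
    """Findings where a step was used although a lower step was neither applied
    nor documented as not feasible; empty means the mandatory order was kept."""
    applied = {m.step for m in h.measures}
    return [f"{h.name}: '{m.description}' (step {m.step}) used without step "
            f"{lower} ({STEP_NAMES[lower]})"
            for m in h.measures for lower in range(1, m.step)
            if lower not in applied and lower not in h.not_feasible]

def handoff(h: Hazard) -> dict:
    """What leaves the risk assessment: order findings, PLr for the control
    engineer's safety function, residual risks for the technical editors."""
    return {"findings": check_order(h),
            "PLr": RISK_GRAPH[(h.severity, h.frequency, h.avoidance)],
            "residual_risks_for_manual": [m.description for m in h.measures
                                          if m.step == 3]}

# Constructed scenario modelled on the circular-saw judgment: blade still
# moving after switch-off (S2, F2, P2 assumed here for illustration only).
MANUAL_ONLY = Hazard("trailing saw blade", "S2", "F2", "P2",
                     measures=[Measure(3, "warning in the instruction manual")])
COMPLIANT = Hazard("trailing saw blade", "S2", "F2", "P2",
                   not_feasible={1: "run-down of the blade cannot be designed out"},
                   measures=[Measure(2, "interlocked guard with guard locking"),
                             Measure(3, "residual risk note: wait for standstill")])
```

Running `handoff(MANUAL_ONLY)` reports two order findings (steps 1 and 2 were skipped without justification), while `handoff(COMPLIANT)` reports none and yields PLr "e" plus the residual-risk note for the manual.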
The Machinery Directive makes clear that machine manufacturers must have the necessary resources when developing and building machines or plants for the EEA:
2006/42/EC, Article 5 (3)
For the purposes of the procedures referred to in Article 12, the manufacturer or his authorised representative shall have, or shall have access to, the necessary means of ensuring that the machinery satisfies the essential health and safety requirements set out in Annex I.
In addition to qualified employees, necessary resources include access to the necessary information or equipment.
Designers play a particularly important role in safety engineering. In the risk assessment, they determine at an early stage which hazards and risks emanate from the machine. This enables the consistent application of the three-step iterative process for risk reduction, which is legally required on the one hand and, on the other, saves the effort of extensive redesigns and the cost of expensive safety equipment.
[1] EN ISO 12100 - Safety of machinery - General principles for design - Risk assessment and risk reduction
[2] W. Engeln, Methods of Product Development (title translated by IBF)
Posted on: 03.09.2018
Johannes Windeler-Frick, MSc ETH Member of the IBF management board. Specialist in CE marking and Safexpert. Presentations, podcasts and publications on various CE topics, in particular CE organisation and efficient CE management. Management of the further development of the Safexpert software system. Degree in electrical engineering from ETH Zurich (MSc) with a focus on energy technology and specialisation in the field of machine tools.
Email: johannes.windeler-frick@ibf-solutions.com | www.ibf-solutions.com