With their daily decisions, designers have a major influence on the safety of machines and systems. This article gives an overview of the most important legal obligations that designers must fulfil, at a minimum, in the product development process. It also shows how pragmatic solutions can be found during the design process and how cooperation with other departments and people can best be organised.
Legally required risk assessment
One of the most important activities in safety-related planning is carrying out and documenting the risk assessment in a legally compliant way. Behind this term lies a legally prescribed process by which everyone involved in product development must determine which hazards and risks are associated with their machine, by which measures these hazards can be eliminated and how the risk of accidents can otherwise be reduced. The Machinery Directive describes a pragmatic approach in Annex I (see box). The last point of the list is particularly important for designers: ultimately, every product development is about eliminating hazards or reducing risks adequately. For this to happen purposefully, the preceding points must already have been worked through:
- Determine the limits of the machinery,
- Identify hazards,
- Estimate risks and, based on these parameters,
- "evaluate" whether measures for risk reduction are necessary or not.
2006/42/EC, Annex I, General Principles:
The manufacturer of machinery […] must ensure that a risk assessment is carried out […] The machinery must then be designed and constructed taking into account the results of the risk assessment. By the iterative process of risk assessment and risk reduction referred to above, the manufacturer or his authorised representative shall:
- determine the limits of the machinery, which include the intended use and any reasonably foreseeable misuse thereof,
- identify the hazards that can be generated by the machinery and the associated hazardous situations,
- estimate the risks, taking into account the severity of the possible injury or damage to health and the probability of its occurrence,
- evaluate the risks, with a view to determining whether risk reduction is required, in accordance with the objective of this Directive,
- eliminate the hazards or reduce the risks associated with these hazards by application of protective measures, in the order of priority established in section 1.1.2(b).
Risk assessment parallel to design?
Very often, however, risk assessments are only carried out after the machine has already been designed or even built. The first paragraph of the General Principles of the Machinery Directive stipulates unequivocally that the risk assessment has to be carried out beforehand and that the machine may only "be designed and constructed taking into account the results of the risk assessment" (see Figure 1).
Attention: Not only a recommendation!
Another passage in the Machinery Directive that is particularly important for designers is section 1.1.2 b:
2006/42/EC, Annex I, 1.1.2.b:
In selecting the most appropriate methods, the manufacturer or his authorised representative must apply the following principles, in the following order:
- eliminate or reduce risks as far as possible (inherently safe design and construction),
- take the necessary protective measures in relation to risks that cannot be eliminated,
- inform users of the residual risks (…)
This shows that safety-related solutions must be selected in a clearly defined order!
It would therefore not be in accordance with the law if the instruction manual merely warned of a residual risk where the hazard could have been avoided by design with economically justifiable means. The harmonised European standard EN ISO 12100 requires a three-step concept for risk reduction that mirrors the requirements of the Machinery Directive:
| Step | Machinery Directive 2006/42/EC | EN ISO 12100 |
|---|---|---|
| 1 | Safety integration | Inherently safe design measures |
| 2 | Protective measures | Safeguarding and complementary protective measures |
| 3 | Information for users | Information for users |
Table 1: Sequence for selecting safety-related solutions
These legal and normative requirements lead to a simple and logical approach for design practice:
Risk assessments have to start early in a project. Only then can the results of the risk assessment influence the design of the machine or system. A judgment by the Swiss Federal Administrative Court shows that non-compliance with this three-step procedure can decide the outcome of court proceedings:
A serious hand injury occurred on an automatic circular saw because parts of the machine that were still running down after switch-off (trailing parts) remained accessible.
The machine manufacturer argued that the accident would not have happened if the operator had followed the instructions in the manual.
However, the court held that the machine did not meet the requirements of the Machinery Directive. The reasons for the judgment state:
"Accordingly, special warnings in the instructions manual or user instructions as a safety precaution are only adequate if other protective measures are not possible or if these would lead to disproportionate impairments when using the machine."
Please note that the translations were made by IBF.
Consequences of delayed risk assessments
Delayed risk assessments can lead to high costs for redesign, changes and complete rebuilds. In general: the earlier hazards are identified, the better designers can react to them, and certain hazards can then be eliminated by the design itself. In other words, the ability to influence hazards decreases as the project progresses, while the effort and cost of changes increase:
To eliminate hazards discovered late in a project, or to reduce the risk of injury they pose, expensive safety equipment (e.g. light curtains or similar) is then often used because it is cheaper than a redesign. Please note, however, that the level of safety required for the machine, as established in the risk assessment, is always judged against the three-step procedure. If the hazard could have been eliminated by a design measure (step 1), a protective measure such as a light curtain (step 2) will most likely not be accepted as an adequate solution.
Risk reduction measures
Inherently safe design (step 1)
But how should a designer or engineer proceed? Section 6.2 of EN ISO 12100 lists a variety of aspects and solutions for an inherently safe design. Section 6.2.2, for example, deals with "geometrical factors and physical aspects":
EN ISO 12100, 6.2.2
- Visibility of the working areas and hazard zones
- The form and relative location of mechanical components (avoiding crushing and shearing hazards by increasing the minimum or reducing the maximum gap)
- Avoiding sharp edges and corners
- Limitation of the actuating force
- Limitation of the mass and/or velocity of the movable elements, and hence their kinetic energy
- Limitation of emissions (e.g. noise, vibrations, hazardous substances, radiation)
In addition to these aspects, designers deal with a variety of other factors in their daily work. Table 2 shows which other requirements for inherently safe design are defined by EN ISO 12100.
| Section | Method |
|---|---|
| 6.2 | Inherently safe design |
| 6.2.2 | Consideration of geometrical factors and physical aspects |
| 6.2.3 | Taking into account general technical knowledge of machine design, e.g. mechanical stress (strength, etc.) or choice of materials (wear, flammability, ...) |
| 6.2.4 | Choice of appropriate technology, e.g. for machines used in potentially explosive atmospheres |
| 6.2.5 | Applying the principle of positive mechanical action |
| 6.2.6 | Provisions for stability |
| 6.2.7 | Provisions for maintainability |
| 6.2.8 | Observing ergonomic principles |
| 6.2.10 | Pneumatic and hydraulic hazards |
| 6.2.11 | Applying inherently safe design measures to control systems |
| 6.2.12 | Minimizing the probability of failure of safety functions |
| 6.2.13 | Limiting exposure to hazards through reliability of equipment |
| 6.2.14 | Limiting exposure to hazards through mechanization or automation of loading (feeding)/unloading (removal) operations |
| 6.2.15 | Limiting exposure to hazards through location of setting and maintenance points outside danger zones |
Table 2: Methods for inherently safe design according to EN ISO 12100
Support by standards
Relevant technical standards provide helpful sources of knowledge for the technical design of the methods for inherently safe construction defined above. E.g. for components that trigger an actuating force, the question arises up to which maximum force an operation can be regarded as inherently safe. Product-specific standards (so-called C-standards) often already contain specific solutions or refer to more general safety standards (B-standards) regarding the selection of parameters.
When selecting standards, designers must check whether a specific standard is suitable for their machine or its application. If, for example, it cannot be ruled out that children have access to a particular machine, it must be checked whether the parameters specified by a standard, which may assume adult users, are also suitable for children.
In addition to checking its scope, before a standard is selected it must be checked that it is up to date! Likewise, solutions copied from previous projects must be checked to see whether they are still current.
Safeguarding and additional protective measures (step 2)
If hazards cannot be eliminated or sufficiently reduced by inherently safe design, technical protective measures are used, for example fixed guards such as safety fences or enclosures, or movable guards such as panels or doors. Without further measures, the hazardous area would be accessible while a panel or door is open. Movable guards are therefore monitored by the control system, so that hazardous machine functions can only be started when the guard is closed and a stop command is triggered when the guard is opened. The Machinery Directive calls this control measure "interlocking". Where the hazard zone could still be reached while a movement is running down, even though opening the guard has triggered a stop command (interlocking), the guard must additionally be fitted with a so-called "guard locking device" that keeps it closed until the hazardous condition has ended. For the circular saw in the judgment discussed above, an interlocking guard combined with guard locking would have been a possible solution that prevented the accident.
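The difference between interlocking alone and interlocking with guard locking is easiest to see in the run-down case from the judgment. The following is an added example, not code from the article or from IBF: a constructed state model of a movable guard in Python. It assumes that the machine control has a standstill monitor that reports when the run-down has ended (the sensor itself is not modelled), and all scenario timings are constructed.

```python
from dataclasses import dataclass


@dataclass
class MovableGuard:
    """Constructed model of a movable guard in front of a hazardous movement.

    guard_locking=False models plain interlocking: opening the guard issues a
    stop command and nothing more, so a run-down movement stays reachable.
    guard_locking=True additionally keeps the guard locked until a standstill
    monitor (assumed to exist in the machine control, not modelled here)
    reports that the run-down has ended.
    """
    guard_locking: bool
    closed: bool = True
    running: bool = False
    at_standstill: bool = True

    def start(self) -> bool:
        """Interlocking: the hazardous function starts only with the guard closed."""
        if not self.closed:
            return False
        self.running = True
        self.at_standstill = False  # blade accelerates; no longer safe to reach
        return True

    def stop(self) -> None:
        """Stop command: the drive is removed, but motion continues until standstill."""
        self.running = False

    def standstill_reached(self) -> None:
        """Signal from the (assumed) standstill monitor after the run-down time."""
        self.at_standstill = True

    def request_open(self) -> bool:
        """Operator tries to open the guard. Returns True if it actually opens."""
        self.stop()  # interlocking: opening (or trying to) triggers the stop
        if self.guard_locking and not self.at_standstill:
            return False  # guard locking holds the guard shut during run-down
        self.closed = False
        return True

    def close(self) -> None:
        self.closed = True

    def exposed(self) -> bool:
        """True if a person can reach parts that are still moving."""
        return not self.closed and not self.at_standstill


def operator_opens_during_rundown(guard_locking: bool) -> bool:
    """Constructed scenario: the machine is started and the operator opens the
    guard straight away, while the blade is still running down. Returns True
    if moving parts can be reached at that moment."""
    guard = MovableGuard(guard_locking=guard_locking)
    if not guard.start():
        raise RuntimeError("guard is closed, so the start must be accepted")
    guard.request_open()
    return guard.exposed()


if __name__ == "__main__":
    print("interlocking only, exposed during run-down:",
          operator_opens_during_rundown(False))  # True
    print("interlocking + guard locking, exposed during run-down:",
          operator_opens_during_rundown(True))   # False
```

With interlocking alone the stop command is issued but the guard opens immediately, which is exactly the situation in the judgment; with guard locking the guard stays shut until the standstill monitor releases it. In a real machine the standstill monitor and the locking device are themselves parts of the safety function and have to meet its required performance level.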
In addition to guards, protective devices such as electro-sensitive protective equipment (ESPE) or two-hand controls are further examples of step-2 measures. For all measures monitored by the control system there is an important interface between designers of different disciplines: depending on the risk that the safety function has to control (e.g. monitoring of the guard door), different requirements apply to the reliability and diagnostic coverage of the safety function, i.e. of the entire functional chain from position sensor through evaluation/control unit to actuator. This requirement, identified in the risk assessment, is passed to the control engineer, for example in the form of a required performance level (PLr), as an input parameter for the design of the safety function (e.g. in accordance with EN ISO 13849-1).
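To show how the iterative process of Annex I (limits, hazards, estimate, evaluate, reduce), the three-step order of 1.1.2(b) and the PLr handed to the control engineer fit together in one record, here is an added example in Python; it is not code from the article or from IBF. The PLr is derived with the risk graph of EN ISO 13849-1 (Annex A: S1/S2, F1/F2, P1/P2 give PL a to e). The hazard record, the chosen measures and the S/F/P ratings for the saw are constructed for illustration and are not the data of the court case.

```python
from dataclasses import dataclass, field

# Risk graph of EN ISO 13849-1 (Annex A): severity S1/S2, frequency and/or
# exposure F1/F2, possibility of avoiding the hazard P1/P2 -> PLr a..e.
_RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
PL_ORDER = "abcde"  # PL a is the lowest, PL e the highest


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """PLr of a safety function from the three risk-graph parameters."""
    key = (severity, frequency, avoidance)
    if key not in _RISK_GRAPH:
        raise ValueError(f"invalid risk graph parameters: {key}")
    return _RISK_GRAPH[key]


def pl_is_sufficient(achieved: str, required: str) -> bool:
    """Check the PL achieved by the control engineer's design against the PLr."""
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


@dataclass
class Measure:
    step: int          # 1 inherently safe design, 2 safeguarding, 3 information for use
    description: str
    feasible: bool = True   # achievable with economically justifiable means?
    applied: bool = False


@dataclass
class Hazard:
    name: str
    severity: str
    frequency: str
    avoidance: str
    measures: list = field(default_factory=list)

    def plr(self) -> str:
        return required_pl(self.severity, self.frequency, self.avoidance)

    def order_violations(self) -> list:
        """Measures applied while a feasible measure with a lower step number
        was left unapplied, i.e. the order of 1.1.2(b) was not respected."""
        found = []
        for chosen in self.measures:
            if not chosen.applied:
                continue
            for other in self.measures:
                if other.step < chosen.step and other.feasible and not other.applied:
                    found.append((chosen.description, other.description))
        return found


def example_assessment() -> Hazard:
    """Constructed hazard record for a trailing saw blade (not the court case data)."""
    hazard = Hazard("blade still running down after the stop is reachable",
                    severity="S2", frequency="F2", avoidance="P2")
    hazard.measures = [
        Measure(1, "change geometry so the run-down zone cannot be reached (EN ISO 12100, 6.2.2)"),
        Measure(2, "interlocked guard with guard locking until standstill", applied=True),
        Measure(3, "warning about run-down in the instruction manual", applied=True),
    ]
    return hazard


if __name__ == "__main__":
    h = example_assessment()
    print("PLr for the guard monitoring function:", h.plr())  # e
    for chosen, skipped in h.order_violations():
        print(f"'{chosen}' applied although '{skipped}' was feasible")
    print("PL d sufficient?", pl_is_sufficient("d", h.plr()))  # False
```

The record flags both applied measures because a feasible step-1 measure was left on the table, which is the situation the judgment criticises, and it tells the control engineer that a design reaching only PL d would not satisfy the PLr of e derived from the constructed ratings. Whether S2/F2/P2 are the right ratings for a given machine is a judgment the risk assessment team has to make and document; the code only makes the consequences of that judgment explicit.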
As complementary protective measures, EN ISO 12100 names, for example, EMERGENCY STOP devices that may need to be fitted to machines.
Risk reduction by information for use (step 3)
EN ISO 12100, section 6.1
[…] Where risks remain despite inherently safe design measures, safeguarding and the adoption of complementary protective measures, the residual risks shall be identified in the information for use. […]
Safety instructions in the information for use serve to make unavoidable (residual) hazards visible. For this, it has to be decided during the risk assessment which information channels are used.
Information and hints can be given at various points, e.g.:
- directly on the machine (e.g. in the form of pictograms)
- in the instruction manual
- on the packaging
With regard to the instruction manual, there is an important interface between designers and technical editors: if references to residual risks are documented during the risk assessment, the technical editors can later formulate them in the instruction manual. Without this information, there is no guarantee that the technical editors will recognise all residual risks, and important safety information missing from the instruction manual increases the product liability risk.
Besides the types of information described so far, optical or acoustic signals can also be used to warn people of imminent danger. However, EN ISO 12100 warns of "sensorial saturation" when selecting such signals:
EN ISO 12100, section 6.4.3
[…] The attention of designers is drawn to the possibility of “sensorial saturation”, which can result from too many visual and/or acoustic signals and which can also lead to defeating the warning devices.
Prerequisite: Necessary means
The Machinery Directive stipulates that machine manufacturers must have the necessary means when developing and building machines or plants for the EEA:
2006/42/EC, Article 5 (3)
For the purposes of the procedures referred to in Article 12, the manufacturer or his authorised representative shall have, or shall have access to, the necessary means of ensuring that the machinery satisfies the essential health and safety requirements set out in Annex I.
In addition to qualified employees, necessary resources include access to the necessary information or equipment.
Designers play a particularly important role in safety engineering. In the risk assessment they determine at an early stage which hazards and risks emanate from the machine. This enables the consistent application of the three-step iterative process for risk reduction, which is legally required and which, at the same time, saves the effort of extensive redesigns and the cost of expensive safety equipment.
EN ISO 12100 - Safety of machinery - General principles for design - Risk assessment and risk reduction
W. Engeln, Methods of Product Development (translated by IBF)
Posted on: 03.09.2018
Johannes Frick, MSc ETH
Managing Director of IBF Solutions AG, the Swiss subsidiary of IBF in Zürich. Johannes is a trainer for both the Machinery Directive (MD) as well as the Low Voltage Directive (LVD). He studied electrical engineering at ETH Zürich with a specialization in energy systems.