
Machinery Safety Audits

Risk Assessment and Hazard Analysis

Risk Assessments - Machinery Safety Analysis

Hazard Identification

A hazard is:
Anything that has the potential to do harm, a source of possible injury or damage to health.

A risk is:
The likelihood of someone coming into contact with a hazard and the degree of injury or damage to health that could be caused should contact occur.

A hazardous situation is:
Any situation where a person or persons are exposed to a hazard.

Examples

A moving belt on a conveyor would be a hazard. The risk would be the likelihood of someone coming into contact with an in-running nip or being drawn along the belt by a protrusion, and the severity of injury or damage to health that could be caused.

An electrical enclosure containing voltages above 50 V AC and 75 V DC that has uncovered terminations is a hazard, even though the enclosure may be kept locked and strict key control enforced. The reason is that an electrician carrying out diagnostic testing on the live enclosure could inadvertently touch an adjacent terminal with a tool. The risk would be the likelihood of that happening and the severity of injury or damage to health that could be caused.

Risk Assessment Definition
A comprehensive estimation of the probability and degree of possible injury or damage to health in a hazardous situation, in order to select appropriate safety measures.

EN ISO 14121-1 Objective
To achieve adequate safety according to the state of the art and technical and economic requirements.

There are numerous ways of assessing the risk associated with a hazard, one of which is the Hazard Rating Number (HRN) system.

The practical risk assessment method that is used by Laidler Associates is Preliminary Hazard Analysis, which uses the HRN system. A sample risk assessment form can be found in the appendices at the end of this guide.

Numerical values are assigned to descriptive phrases relating to:

  • The likelihood of occurrence (LO)
  • The frequency of exposure (FE)
  • The degree of possible harm (DPH)
  • The number of persons at risk (NP)

A key to the number system is detailed on the risk assessment form in the appendices.

The hazard description is vital to understanding each risk assessment. Unless otherwise stated, a risk assessment relates to the hazards present in the normal operation of the machine; where a specific risk is associated with particular equipment, a separate risk assessment will be provided.

Where there is no control over the frequency of exposure, a worst-case scenario must be assumed, and a constant frequency is assigned.

Risk Assessment Example

Injury due to access to dangerous parts of machinery. The present guarding, partially fitted, allows access to the moving parts.

LO × FE × DPH × NP = HRN
2 × 5 × 4 × 1 = 40
Degree of risk: Significant

Clearly from this example we can see that the existing guarding, whilst offering a certain amount of protection, is not adequate, and the degree of risk can be reduced further by fitting a guard that completely prevents contact with the hazard but does not affect production.

Control Measure:
Fit a tunnel guard that prevents all access to the moving parts in accordance with EN953 and EN294.

After control measures are fitted:

LO × FE × DPH × NP = HRN
0.1 × 0.1 × 4 × 1 = 0.04
Degree of risk: Negligible

The control measure states that the machinery needs additional guarding and names the Standards to which that guard should be constructed. EN Standards are used for the control measure wherever such Standards exist. The description of the control measure is deliberately non-specific, to allow the designer of the guard some flexibility in approach: if we set out an exact specification for a guard or control measure, we effectively tie your hands. Our assessments are one method of compliance; should you find an alternative way to achieve compliance, we would welcome your suggestions. Our engineers are available to give specific advice outside of these assessments should you require it.
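The HRN arithmetic from the two assessments above, carried through in code with a before/after comparison and the worst-case rule for uncontrolled exposure. This is an added example, not a form or tool from the guide or Laidler Associates; the band boundaries and the value used for "constant" exposure are assumptions, since the guide's own key is in its appendices and not on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed band boundaries: (upper limit, inclusive; label), ascending.
# The guide's own key lives in its appendices and is not reproduced here.
HRN_BANDS = [
    (1, "Negligible"), (5, "Very low"), (10, "Low"), (50, "Significant"),
    (100, "High"), (500, "Very high"), (1000, "Extreme"),
    (float("inf"), "Unacceptable"),
]

# Assumed FE value for "constant" exposure, applied as the worst case
# whenever the frequency of exposure cannot be controlled.
CONSTANT_FE = 5.0


@dataclass
class Assessment:
    hazard: str
    lo: float            # likelihood of occurrence
    fe: Optional[float]  # frequency of exposure; None = not controllable
    dph: float           # degree of possible harm
    np: float            # number of persons at risk

    def hrn(self) -> float:
        fe = CONSTANT_FE if self.fe is None else self.fe
        # round away floating-point noise (0.1 * 0.1 is not exactly 0.01)
        return round(self.lo * fe * self.dph * self.np, 4)

    def degree_of_risk(self) -> str:
        value = self.hrn()
        return next(label for limit, label in HRN_BANDS if value <= limit)


def compare(before: Assessment, after: Assessment) -> dict:
    """Summarise the effect of a control measure on one hazard."""
    return {
        "hazard": before.hazard,
        "before": (before.hrn(), before.degree_of_risk()),
        "after": (after.hrn(), after.degree_of_risk()),
        "reduced": after.hrn() < before.hrn(),
    }


# Constructed from the guide's worked example: partially fitted guarding,
# then a tunnel guard preventing all access to the moving parts.
GUARDING_BEFORE = Assessment("Access to moving parts", 2, 5, 4, 1)
GUARDING_AFTER = Assessment("Access to moving parts", 0.1, 0.1, 4, 1)
```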

As mentioned at the start of this section, EN ISO 14121-1 is the main standard for risk assessment of machinery and is harmonised to the Machinery Directive. It lays down principles for risk assessment and highlights a number of different methods, including the method that Laidler Associates use, documented on the previous pages.

Also included within the standard is a table giving examples of hazards, hazardous situations and hazardous events. A simplified version of this is included within the Appendices of this guide. The original table in the standard gives more detail about the kinds of hazards or hazardous situations that can occur. Anyone involved in a risk assessment project for machinery should refer to the Standard's list as a matter of course unless they are totally confident in their knowledge and ability to carry out the assessment.

In addition to the EN ISO 14121-1 hazard list, you will also find a PUWER checklist and a CE Marking checklist within the Appendices of this guide. By using the hazard list and the relevant Regulation checklist together, you will be able to complete an in-depth and accurate assessment of a particular machine.

Machinery Safety Audits for Control Systems

What is a control system?
A control system responds to input signals from the machine or from the operator and generates output signals. These make the machine operate in a desired manner. So if, for example, an operator presses a start button, the control system may respond by closing a contactor and energising a motor. Control systems can be implemented in a range of technologies, but this guidance is mostly concerned with electrotechnical systems employing electrical, electronic and programmable electronic technologies. Electrotechnical control systems can range from simple electromechanical relay-based systems to complex programmable systems with multiple analogue and digital inputs and outputs.

What is a safety related control system?
A control system in a machine should be regarded as safety-related if it contributes to reducing the occurrence of a hazardous situation or if it is required to function correctly to maintain or achieve safety. The functions carried out by a safety-related control system are termed safety functions. Generally, safety functions either prevent the initiation of a hazard or detect the onset of a hazard. Safety-related control systems should be designed and configured to be reliable enough (bearing in mind the consequences of any failure) and to perform the necessary functions to achieve or maintain a safe state or to mitigate the consequences of a hazard. To assist a designer or assessor in deciding which of the three main standards addressing the design of safety-related control systems to use (BS EN ISO 13849, BS EN 62061 or BS EN 954-1), a distinction is drawn between those electrotechnical safety-related systems that use programmable technologies and those that use electromechanical components.

EN 954-1
Designers may employ a range of techniques to reduce the level of risk, many of which will not involve the use of safety-related control systems. For example, the use of fixed guards will prevent access to dangerous parts, and the provision of platforms and walkways will reduce the risk of falls from height. However, in many cases risks cannot be reduced to acceptable levels without incorporating safety-related control systems. In this case, the designer needs to understand and assess the contribution that these systems make to the reduction of risk, and the consequential reliability and fault tolerance that the systems will need. The more critical the role played by the safety related part of the control system, the more reliable and resistant to faults it must be.

The transposed harmonised standard BS EN 954-1, Safety of Machinery: Safety-related parts of control systems, provides requirements by which the safety-related parts of control systems of all operating media can be categorised in a qualitative manner according to their reliability and performance under fault conditions. There are five main categories of control system performance in accordance with the standard, which are broadly:

  • Category B: Use of good engineering principles
  • Category 1: Use of well-tried components and principles (reducing the probability of failure)
  • Category 2: Incorporates a safety function check at machine start-up and may also be checked periodically (safety monitoring). A single fault may lead to the loss of the safety function
  • Category 3: A single fault will not cause the safety function to fail (redundancy of hardware)
  • Category 4: Two or more faults will not cause the safety function to fail (redundancy and monitoring)

The selection of components and the design of systems may not be as straightforward as some perceive, as some systems may not fit neatly into a single category, particularly if they use different energy sources: a control system can incorporate electrical, electronic, programmable electronic, pneumatic or hydraulic devices. In addition, system designers must draw a distinction between safety and reliability. A component manufactured in accordance with a published safety standard may itself meet the requirements of Category 1 but not the criteria for other categories; however, its level of safety performance may be considered at least as reliable as technologies that meet Categories 2 and 3. Therefore designers and assessors should use the entire standard when considering control systems and should not rely only on the chart for category selection.

An example of why the categories should not be regarded as hierarchical with regard to safety is as follows. A machine incorporates a control system with a dual-channel interlock circuit fed into a safety relay. The dual-channel circuit has one interlock and one emergency stop button in series, and the components are installed using good principles. The assessment for this machine is that it is a Category 3 machine in accordance with EN 954-1, where the performance criterion is 'A single fault will not cause the safety function to fail'. On face value, and according to many sources of advice, this would appear to be the case.

However, when the machine is in operation, the operator sees impending problems and activates the emergency stop. He then opens the guard to clear a fault, closes the guard and resets the emergency stop. From the point of view of the control circuit, the two channels went open circuit when the E-stop was pressed and no fault was found. During the time the two channels were open circuit, the guard door was opened and the switches failed. The safety relay did not see this fault, and when the E-stop was reset the two channels went closed circuit again and the machine was allowed to start.

So why does this machine still comply with the requirements of Category 3? It is impracticable to assess safety-related parts of control systems without assuming that certain faults can be excluded. The faults which can be excluded are a compromise between the technical requirements for safety and the theoretical possibility of their occurrence. Using this argument we can design our system to ensure that the occurrence of such faults is reduced to an acceptable level in respect of safety and reliability. Such nuances are the essence of the standard and give us great scope in specifying the construction of such circuits.

At the time of writing, EN 954-1 is still the current standard to be used. It has been superseded by EN ISO 13849-1 and is due to be withdrawn in October 2009.

BS EN ISO 13849-1:2006
Provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems, including the design of software. For these safety-related parts of control systems, it specifies characteristics that include the performance level required for carrying out safety functions. It applies to safety-related parts of control systems, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.


Part 1 of BS EN ISO 13849 provides specific requirements for safety-related parts of control systems using programmable electronic systems, with guidance on aspects such as the specification of categories or performance levels. This part of ISO 13849 is intended to give guidance to those involved in the design and assessment of control systems. As part of the overall risk reduction strategy at a machine, a designer will often choose to achieve some measure of risk reduction through the application of safeguards employing one or more safety functions.

Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems. These can consist of hardware and software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, safety-related parts of control systems can also provide operational functions (e.g. two-handed controls as a means of process initiation).

In order to assist the designer and help facilitate the assessment of the achieved performance level (PL), this document employs a methodology based on the categorisation of structures according to specific design criteria and specified behaviours under fault conditions.

BS EN 62061
Is a harmonised standard for the machinery sector and implements the principles of BS EN 61508. Significantly for control system designers and system integrators, BS EN 62061 provides the basis for the successful integration of sub-systems/parts that comply with BS EN 954-1 and IEC/EN 61508 into safety-related electrical control systems that satisfy the key requirements for functional safety.

One of the limitations of EN 954-1 is that it is too simplistic, and it does not provide for evaluating common-cause system failures. In general, EN 954-1 takes a qualitative approach, whereas IEC 62061 is a risk-based standard that describes quantitative methods for evaluating statistical data such as the mean time to a dangerous failure (MTTF) and the diagnostic coverage (DC: the ratio of the probability of detected dangerous failures to the probability of total dangerous failures).

When moving from EN 954-1 to IEC 62061 for more complex control systems it is inevitable that more calculations and documentation will be required to support conformity and the design process will inevitably take longer. However, the resultant safety related electrical control system will benefit from a more thorough design process, be better documented and perform more predictably.

Which standard now?
When evaluating which standard to use, it is important to take into consideration the complexity of the equipment and of its safety-related parts of control systems. The table below gives some indication of the technologies covered by each standard. A correct implementation of the safety-related parts of a control system may require the application of both standards.

Machinery Safety Standards Table
