Current 2014 Safety Standards
Gary Thrall – Bosch Rexroth
CMA/Flodyne/Hydradyne Drive for Technology Expo – April 15-16, 2014

04/15/2014 | DCUS/SPF11 Gary Thrall | © Bosch Rexroth AG 2014. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.



Functional Safety of Machines

Contents

Motivation, Basics, Scope

Safety Standards and Laws

10 Steps to Performance Level

Risk Assessment – the important FIRST STEP


Functional Safety of Machines

Laws and Standards Landscape

ISO 13849: guideline to fulfill the safety requirements in the design of control systems of machines.

Presumption principle: EU directives are fulfilled through the application of standards which are listed in the EU official journal.

Legal consequence: reversal of the obligation to prove in case of harm.


Functional Safety of Machines

Focus on safety-related parts of control system (SRP/CS)

Functional Safety: When the safety of a machine relies on the control system, then the control system has a safety function and should fulfil the requirements of the standard ISO 13849.



Functional Safety of Machines

Technology Laws and Standards Landscape

[Figure: timeline of laws and standards per technology, seen from the component manufacturer and from the machine industry; only the labels survive extraction.]

Technologies: Mechanics, Pneumatics, Hydraulics; Electrics, Electronics, Software (simple); Electric, Electronic, Software (complex)

Standards on the timeline:
IEC 61508: valid standard
IEC 61800-5-2: valid standard since Nov. 2007
EN 954-1: transition period until it was replaced; in some cases, the EN 954-1 could still be applied
ISO 13849-1: valid standard
IEC 62061: valid standard

Directives on the timeline: 98/37/EG Machinery Directive, replaced by 2006/42/EG

Dates marked: Jan. 2006, Nov. 2006, Jan. 2010, Jan. 2012


Functional Safety of Machines

Laws and Standards Landscape

On the horizon: ISO 13849 and IEC 62061 are to be merged into the new standard ISO 17305 (13849 + 62061 → 17305). Current target date is 2018.


Reliability and Safety Parameters

Bathtub Curve

[Figure: bathtub curve, failure rate over time, with three periods]
Infant mortality (early failures): minimized through quality tests
Useful life (random failures): constant failure rate
Wear-out period (wear-out failures): exponential increase of the failure rate


Reliability and Safety Parameters

Reliability Parameters (Machine Availability)

[Figure: timeline Start – Failure – Restart – Failure over time, showing MTTF, MTTR and MTBF]

Reliability parameters: MTTF: Mean Time To Failure (t: 63%), MTBF: Mean Time Between Failures, MTTR: Mean Time To Repair, B10: time until 10% of the products have failed. These are mean values over several time periods!

Availability: $A = \dfrac{MTTF}{MTTF + MTTR}$

Statistical expected value: no guarantee!


Reliability and Safety Parameters

Reliability Parameters: Example

Life expectancy of men in Germany:

Considering the whole population: mean life expectancy MTTF = 77 years (with constant failure rate).

Considering only the people who are not older than 50 years: mean life expectancy MTTF = 1 005 years (with constant failure rate).

[Figure: probability of death of men in Germany ("Sterbewahrscheinlichkeit Männer in Deutschland"); y-axis: percentage [%] from 0% to 40%; x-axis: age [years] from 0 to 100]
Source: Statistisches Bundesamt Deutschland 2005/2007


Reliability and Safety Parameters

States of the components of a control system

States:
No failure: $C_{OK}$
Safe failure: $C_{SAFE}$ (the control system has a failure but stays in a safe position: not dangerous!)
Dangerous failure: $C_D$
Detected dangerous failure: $C_{DD}$
Undetected dangerous failure: $C_{DU}$

Events (transition rates):
$\lambda_s$: component has failed, but not dangerously
$u$: component has been replaced
$\lambda_d$: component has failed dangerously (MTTFd: Mean Time to dangerous Failure)
$\lambda_{d,d}$: dangerous failure is detected (DC: failure is detected)
$t$: test rate
$\lambda_{d,u}$: dangerous failure is not detected

[Figure: state diagram with transitions OK → safe failure ($\lambda_s$), OK → dangerous failure ($\lambda_d$), dangerous failure → d.d. failure ($\lambda_{d,d}$) or d.u. failure ($\lambda_{d,u}$); a detected failure is found with the test rate $t$ and the component returns to OK after replacement ($u$)]

$\lambda_d = \lambda_{d,d} + \lambda_{d,u}$, $DC = \dfrac{\lambda_{d,d}}{\lambda_d}$, $\lambda = \dfrac{1}{MTTF}$, $\lambda_d = \dfrac{1}{MTTF_d}$

$\lambda$: failure rate. DC: diagnostic coverage, the percentage of dangerous failures which can be detected.


Reliability and Safety Parameters

Determination of Reliability (MTTFd, B10)

1. Preconditions
Basic and well-tried safety principles (ISO 13849-2)
Other standards (e.g. ISO 4413)
Appropriate operating conditions

2. Determination of the reliability
MTTFd from a database (e.g. hydraulics: MTTFd = 150 years); databases: HDBK 217 (MIL USA), Telcordia, SN 29500 (Siemens), ISO 13849 (Annex)
B10 from lifetime tests
MTTF from field data
If data is missing: MTTFd = 10 years!

3. Percentage of dangerous failures
General estimation (ISO 13849-1): 50% of failures are dangerous! Hence MTTFd = 2 x MTTF and B10d = 2 x B10
Estimation through an FMEA / FTA, e.g. for electronics

4. Calculation of the total MTTFd
Parts count method:

$\dfrac{1}{MTTF_d} = \sum_{i=1}^{N} \dfrac{1}{MTTF_{d,i}}$

Definition / range of MTTFd:
low: 3 years ≤ MTTFd < 10 years
medium: 10 years ≤ MTTFd < 30 years
high: 30 years ≤ MTTFd < 100 years

Reliability and Safety Parameters

Determination of Reliability: Calculation (Parts count)

Databases for electronic components: Telcordia, ISO 13849 (Appendix), SN 29500 (Siemens), HDBK 217 (MIL USA), own field data

Parts count (one stress level and the general 50% dangerous fraction for all parts):
Electronic component | stress (T) | dangerous | FIT
Part 1 | A | 50% | x
Part 2 | A | 50% | y
Part 3 | A | 50% | z

Parts stress (individual stress level and dangerous fraction per part):
Electronic component | stress (T) | dangerous | FIT
Part 1 | A | 50% | x
Part 2 | B | 0% | y
Part 3 | C | 100% | z

Results: MTTF, MTTFd, DC
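The parts count procedure of the last two slides, carried through in code (an added example, not Bosch Rexroth code): per-part FIT values and dangerous fractions are summed into MTTF, MTTFd and DC, the MTTFd of the blocks in a channel is combined with 1/MTTFd = Σ 1/MTTFd,i, a block without data falls back to the 10-year default, and the result is classified into the low/medium/high ranges. The part names, FIT values and fractions are constructed; the 100-year cap is the upper end of the ranges on the slide.

```python
"""Parts-count estimate of MTTF, MTTFd and DC for a safety-related subsystem.
Added example following the "Determination of Reliability" slides; all part data
below is constructed, not taken from a component database."""
from __future__ import annotations
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
MTTFD_DEFAULT_YEARS = 10.0   # slide: "If data is missing: MTTFd = 10 years!"
MTTFD_CAP_YEARS = 100.0      # the MTTFd ranges on the slide end at 100 years
DANGEROUS_DEFAULT = 0.5      # ISO 13849-1 general estimation: 50% of failures are dangerous


@dataclass(frozen=True)
class Part:
    name: str
    fit: float                            # failure rate in FIT = failures per 1e9 h (database value)
    dangerous: float = DANGEROUS_DEFAULT  # fraction of failures that are dangerous (FMEA / FTA)
    detected: float = 0.0                 # fraction of dangerous failures caught by diagnostics


def fit_to_years(fit: float) -> float:
    """Convert a failure rate in FIT to a mean time in years (lambda = 1/MTTF)."""
    return 1e9 / fit / HOURS_PER_YEAR


def parts_count(parts: list[Part]) -> dict:
    """Sum the part failure rates of one block (parts count method) and derive
    MTTF, MTTFd and DC = lambda_d,d / lambda_d."""
    lam = sum(p.fit for p in parts)                                  # total failure rate
    lam_d = sum(p.fit * p.dangerous for p in parts)                  # dangerous failure rate
    lam_dd = sum(p.fit * p.dangerous * p.detected for p in parts)    # detected dangerous rate
    return {
        "mttf_years": fit_to_years(lam),
        "mttfd_years": fit_to_years(lam_d),
        "dc": lam_dd / lam_d if lam_d else 1.0,
    }


def channel_mttfd(mttfd_years: list) -> float:
    """Combine the MTTFd values of the blocks in one channel:
    1/MTTFd = sum(1/MTTFd,i). None marks a block without data (10-year default).
    The result is capped at 100 years, the top of the ranges on the slide."""
    inverse = sum(1.0 / (v if v is not None else MTTFD_DEFAULT_YEARS) for v in mttfd_years)
    return min(1.0 / inverse, MTTFD_CAP_YEARS)


def mttfd_class(years: float) -> str:
    """Denotation of the MTTFd value with the ranges from the slide."""
    if years < 3:
        return "below range"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"   # 30 years <= MTTFd, up to the 100-year cap


if __name__ == "__main__":
    # Constructed electronic block: three parts with individual dangerous fractions.
    electronics = parts_count([
        Part("Part 1", fit=1000, dangerous=0.5, detected=0.9),
        Part("Part 2", fit=2000, dangerous=0.0),
        Part("Part 3", fit=500, dangerous=1.0, detected=0.99),
    ])
    # Channel: hydraulic valve from the database (150 years), the electronics
    # block above, and one block without data (defaults to 10 years).
    total = channel_mttfd([150.0, electronics["mttfd_years"], None])
    print(electronics, total, mttfd_class(total))
```

The block without data dominates the channel result (about 8.7 years, "low"), which is the slide's point about missing data; the three control-plate values on the Mobile Hydraulics slide later in the deck (160 a, 150 a, 150 a) combine to about 51 years, consistent with its MTTFd = 50 years.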

Reliability and Safety Parameters

Determination of Reliability: Lifetime Tests

[Figure: Weibull distribution (example of a pneumatic valve family); x-axis: number of cycles [in millions] from 10 to 100; y-axis: probability of failure F(t) from 1.00% to 99.00%; side scale for the Weibull form parameter b (0.9 to 6.0) and the characteristic life h]

Legend:
Performance in millions of cycles
Probability of failure: 10%
Target: B10 20 million cycles
Failed probes (1: 40 million; 2: 40 million; 8: 90 million)
Surviving probes (9 – 14: > 90 million)
Confidence interval (90%)
Result: B10 @ 24 million cycles in the confidence interval; MTTF in the confidence interval

Lifetime test of a pneumatic valve family: 14 probes under representative load (e.g., pressure = 10 bar). In applications with lower loads: longer lifetime.

Reliability and Safety Parameters

Determination of Reliability: Lifetime Tests

[Figure: Weibull distribution (example of a hydraulic valve family); x-axis: number of cycles [in millions] from 1 to 100; y-axis: probability of failure F(t) from 1.00% to 99.90%; side scale for the Weibull form parameter b (0.5 to 6.0) and the characteristic life h; plotted curve with b = 2.00]

Legend:
Performance in millions of cycles
Probability of failure: 10%
Target: B10 10 million cycles
Surviving probes (24: > 10 million)
Assumption (VDA vol. 3, part 2): Weibull form parameter b = 2
Determined Weibull curve with confidence interval (90%)
Result: B10 @ 10 million cycles in the confidence interval; MTTF in the confidence interval

Lifetime test of a hydraulic valve family: 24 probes under representative load (e.g., pressure, stroke). In applications with lower loads: longer lifetime.

Reliability and Safety Parameters

Determination of Reliability: Field Data

[Figure: Weibull distribution (evaluation of field data – hydraulic valve); x-axis: operating time [h] from 0.10 to 100 000; y-axis: probability of failure F(t) from 1.00E-3% to 99.00%; side scale for the Weibull form parameter b (0.5 to 6.0) and the characteristic life h]

Legend:
Performance in operating hours
Probability of failure: 10%
Failed probes (1: 250 h; 2: 450 h; n: 15 075 h); failures with time shift
Surviving probes (< 16 200 h)
Confidence interval (90%)
Result: B10 @ 15 500 h in the confidence interval; MTTF in the confidence interval

Evaluation of field data from a hydraulic component: observation of approx. 25 000 components from 2004 to 2009 under different loads. Applications with extremely high loads: lower lifetime.


Reliability and Safety Parameters

MTTFd from B10: application load (cycles / year)

Inputs:
B10: number of cycles until 10% of failures
hOP: mean working time [hours/day]
dOP: mean working time [days/year]
TCycle: mean cycle time [seconds]

Outputs:
nOP: mean number of cycles per year
B10d: number of cycles until 10% dangerous failures
T10d: mean time until 10% dangerous failures [years]
MTTFd: mean time to dangerous failure [years]
λd: dangerous failure rate

1. $B_{10d} = 2 \cdot B_{10}$

2. $n_{op} = \dfrac{d_{op} \cdot h_{op} \cdot 3600\,\mathrm{s/h}}{t_{cycle}}$

3. $MTTF_d = \dfrac{B_{10d}}{0.1 \cdot n_{op}}$

4. $T_{10d} = \dfrac{B_{10d}}{n_{op}}$

5. $\lambda_d = \dfrac{1}{MTTF_d} = \dfrac{0.1 \cdot n_{op}}{B_{10d}}$, and therefore $MTTF_d = \dfrac{T_{10d}}{0.1}$
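The five formulas above, applied to the hydraulic valve family from the lifetime-test slide (B10 = 10 million cycles) under a constructed application load; an added example, not Bosch Rexroth code. The working hours, working days and cycle time are assumptions, and the 20-year service time is the value the deck quotes from ISO 13849.

```python
"""MTTFd, T10d and lambda_d of a valve from its B10 value and the application
load (cycles per year). Added example following the slide's formulas; the
application inputs used below are constructed."""
from dataclasses import dataclass

SERVICE_TIME_YEARS = 20.0   # service time of the machine per ISO 13849 (as quoted on the deck)


@dataclass(frozen=True)
class B10Result:
    n_op: float      # mean number of cycles per year
    b10d: float      # cycles until 10% dangerous failures
    t10d: float      # years until 10% dangerous failures
    mttfd: float     # mean time to dangerous failure in years
    lambda_d: float  # dangerous failure rate in 1/year


def mttfd_from_b10(b10: float, h_op: float, d_op: float, t_cycle_s: float,
                   dangerous_fraction: float = 0.5) -> B10Result:
    """b10: cycles until 10% of the components have failed (lifetime test)
    h_op: mean working time in hours per day
    d_op: mean working time in days per year
    t_cycle_s: mean cycle time in seconds
    dangerous_fraction: share of dangerous failures; the slide's general
    estimation is 50%, which gives B10d = 2 x B10."""
    if min(b10, h_op, d_op, t_cycle_s) <= 0 or not 0 < dangerous_fraction <= 1:
        raise ValueError("all inputs must be positive and the dangerous fraction in (0, 1]")
    n_op = d_op * h_op * 3600.0 / t_cycle_s     # formula 2: cycles per year
    b10d = b10 / dangerous_fraction            # formula 1: B10d = 2 x B10 for 50%
    t10d = b10d / n_op                         # formula 4: years until 10% dangerous failures
    mttfd = b10d / (0.1 * n_op)                # formula 3, equal to T10d / 0.1
    return B10Result(n_op, b10d, t10d, mttfd, 1.0 / mttfd)   # formula 5: lambda_d = 1/MTTFd


def replacement_required(result: B10Result, service_time: float = SERVICE_TIME_YEARS) -> bool:
    """ISO 13849-1: if T10d is shorter than the service time of the machine, the
    component has to be replaced at T10d (preventive exchange)."""
    return result.t10d < service_time


if __name__ == "__main__":
    # Constructed load: 16 h/day, 220 days/year, one cycle every 10 s.
    valve = mttfd_from_b10(b10=10e6, h_op=16, d_op=220, t_cycle_s=10)
    print(valve, "replace at T10d:", replacement_required(valve))
```

With this load the valve reaches MTTFd of about 158 years, but T10d is below 16 years, so the component has to be exchanged before the 20-year service time ends.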

Reliability and Safety Parameters

MTTFd and the Availability of the Safety Function

[Figure: probability of dangerous failure [%] (0% to 100%) over the service time of the machine [years] (0 to 30), curves for MTTFd = 3 years, 10 years, 30 years and 100 years; MTTFd marks 63% probability of dangerous failure]

MTTFd @ 63% dangerous failure
MTTFd = 10 years: the safety function can fail dangerously in 63% of the machines within 10 years!
Service time of the machine: 20 years (ISO 13849)
MTTFd = 100 years: the safety function can fail dangerously in 18% of the machines within 20 years!
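The two percentages on this slide follow from the constant failure rate of the useful-life period (an added derivation, not part of the original deck). With a constant dangerous failure rate $\lambda_d = 1/MTTF_d$, the probability that the safety function has failed dangerously by time $t$ is

$$F(t) = 1 - e^{-\lambda_d t} = 1 - e^{-t/MTTF_d}$$

At $t = MTTF_d$ this is independent of the MTTFd value:

$$F(MTTF_d) = 1 - e^{-1} \approx 0.63, \qquad \text{so for } MTTF_d = 10\ \text{years:}\ F(10\ \text{years}) \approx 63\%$$

For the 20-year service time with $MTTF_d = 100$ years:

$$F(20\ \text{years}) = 1 - e^{-20/100} = 1 - e^{-0.2} \approx 0.181 \approx 18\%$$

and, for the other two curves of the figure, $MTTF_d = 30$ years gives $F(20) = 1 - e^{-2/3} \approx 49\%$ and $MTTF_d = 3$ years gives $F(20) = 1 - e^{-20/3} \approx 99.9\%$.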


Reliability and Safety Parameters

Performance Level (PL) means risk reduction

[Figure: risk scale from high risk (not acceptable risk) via medium risk down to low risk (e.g. 10^-8/h for a dangerous situation); the Performance Level is the risk reduction from the initial risk to the tolerated risk of a safe machine]

1st case: a life-threatening risk: PL = e risk reduction (e.g. press control systems)
2nd case: high risk of damage: PL = d risk reduction (e.g. common hydraulic applications)
3rd case: medium risk of damage: PL = c risk reduction (e.g. clamp circuits)


Reliability and Safety Parameters

Performance Level (PL)

Contribution of the control system to reduce the risk of an accident

Directly related to the probability of dangerous failure per hour (PFHd):

Safety Integrity Level SIL (IEC 61508 / IEC 62061) | Probability of dangerous failure per hour PFHd (1/h) | Performance Level PL (ISO 13849)
- | ≥ 10^-5 to < 10^-4 | a
1 | ≥ 3 x 10^-6 to < 10^-5 | b
1 | ≥ 10^-6 to < 3 x 10^-6 | c
2 | ≥ 10^-7 to < 10^-6 | d
3 | ≥ 10^-8 to < 10^-7 | e
4 | < 10^-8 | -

PL d or SIL 2 means that the safety function can fail dangerously within one working hour with a probability between 10^-7 and 10^-6.


Reliability and Safety Parameters

Performance Level (PL) depends on:


Reliability and Safety Parameters

The right parameters for different technologies

1: For the calculation of MTTFd from the B10 value see ISO 13849-1. 2: Calculation of PL by adding the PFHd values.


Functional Safety of Machines

Electric: Certified Safety Components

Safe Torque Off

Safe Stop 1

Safely Limited Speed

Safe Direction

Safely Monitored Position

Safely Limited Position

Safe Maximum Speed

Safe Braking and Holding System

Safe Door Locking

Safely Limited Increment

Safely Monitored Deceleration


Functional Safety of Machines

Electric: Safe Logic Compact

Compact electric control system with integrated safety functions

Properties:
Economical logic processing up to PL e / Category 4 / SIL 3 for compact machines
Modular system design to minimize the volume of the electrical cabinet
Safe connection of the individual stations for complex machines in reduced space
Efficient engineering tool with fast configuration by drag-and-drop
Simulation and report function for fast verification and complete documentation

[Figure: IndraDrive Cs with integrated safety function; drag & drop of function blocks]


Functional Safety of Machines

Hydraulics: Standard and Certified Components

[Figure: hydraulic circuit diagram with components numbered 1 to 5 and ports A1, A5]
Active Logic: special for safety applications
Certified Press Block

Functional Safety of Machines

Hydraulics: Standard and Certified Components

Standardized safety control system for press machines, for application to the safety functions:

1. Safety-related stop function / stop of a dangerous movement: PLr = e
2. Prevention of unexpected start-up from the stop position: PLr = e
3. Prevention of unexpected drop under own weight: PLr = e
4. Prevention of unexpected drop under own weight during the return: PLr = d
5. Speed reduction (< 10 mm/s) during the closing movement for the operating modes adjustment, start-up and maintenance: PLr = c

Functional Safety of Machines

Pneumatics: appropriate Standard Components

Directional valves

Check valves

Halt units

Proportional valve (pressure control valve)

Bus module

All components which can avoid a dangerous movement, or which have outputs that control a movement.


Functional Safety of Machines

Pneumatics: approved Safety Circuits

Safety functions prepared to be built up by yourself: 13 circuit examples from Bosch Rexroth have been evaluated by the "Institut für Arbeitsschutz" (IFA).

Functional Safety of Machines

Mobile Hydraulics: Control Blocks

1. Control plate: MTTFd = 50 years (PL = c)
Elect.: 160 a, P-valve: 150 a, M-valve: 150 a

Functional Safety of Machines

Mobile Hydraulics: Control Blocks

Safety functions? From the risk assessment.
Overlapping of hazards (movement)? Analysis of each moving system!



Functional Safety of Machines

10 Steps to Performance Level

1. Risk assessment and reduction
2. Identification of the safety functions
3. Specification of the required PLr
4. Choice of system architecture (Category)
5. Modeling the system with block diagram
6. Failure and diagnostics
7. Determination of PL
8. Evaluation of system robustness
9. Software requirements
10. Verification and validation


10 Steps to Performance Level

1. Risk assessment and reduction

Is there a C standard for this machine? If yes, use this as a model.

[Flowchart of the risk assessment (ISO 12100): Start → Determination of the limits of the machinery → Hazard identification → Risk estimation → Risk evaluation → Is the machinery safe? no: measures for risk reduction, then back to the start; yes: End. Determination of the limits, hazard identification and risk estimation form the risk analysis; risk analysis plus risk evaluation form the risk assessment.]


10 Steps to Performance Level

1. Risk assessment and reduction

Risk reduction process according to ISO 12100:
1. Avoidance by intrinsic design
2. Avoidance by safeguards (protective devices)
3. Avoidance by information for use

Does the measure depend on a control system? If yes: safety function (SRP/CS) based on ISO 13849.
Residual risks (new hazards)? Repeat the risk assessment. Everything done?

Example safety functions:
Safety Function 1: Emergency stop
Safety Function 2: Stop and avoidance of unexpected start-up (activated by protective door)


10 Steps to Performance Level

2. Identification of the Safety Function

Earlier: safety reaction: turn off
Today: safety condition: SafeMotion

SDL: Safe Door Locking
STO: Safe Torque Off / Stop Category 0
SLS: Safely Limited Speed
SLP: Safely Limited Position


10 Steps to Performance Level

3. Specification of the required Performance Level

Example: If the function fails, a deadly accident could occur. The user needs access to the machine less than once per work shift. In case of failure, he is not able to avoid the hazard.


10 Steps to Performance Level

4. Choice of System Architecture (Category): PL d


Which components are relevant for the safety function?
Which hazards (dangerous movement) are there? Cylinder!
Which elements avoid this (stop the movement)? Valve!
Who controls these elements? Safety PLC!
What activates this function? Sensor (laser scanner)!
Who tests this function, how and how often? Position monitoring!
Support elements / safety principles? Temperature, level, pressure, filter etc.!


10 Steps to Performance Level

5. Modeling the System with Block Diagram

Source: BGIA-Report 2/2008

BIA Report 02 2008 (Chapter 8.2.15): Protective area monitored by laser scanner with electro-hydraulic deactivation (stop) of the dangerous movement.


Connection of the blocks with each other (backward analysis):
What does this element depend on? → Serial connection (dependency)
Who takes over its function on a failure of this element? → Parallel connection (redundancy)


10 Steps to Performance Level

5. Modeling the System with Block Diagram

Source: BGIA-Report 2/2008

Option 1 (Channel 1) for safe stop: valve 1V5 stops, which is controlled by PLC K1, which is activated by sensor F1; with tests: monitored by 1S3 (S1)
or
Option 2 (Channel 2) for safe stop

[Block diagram with the labels: Channel 1: 1V5, tests 1S3 (S1); Channel 2: K1, F1, 1V3, 1V4; redundant elements F1a / F1b and K1a / K1b; subsystems SRP/CS1, SRP/CS2, SRP/CSc]


10 Steps to Performance Level

6. Failure and Diagnostics

Diagnostic Coverage (DC): percentage of dangerous failures which can be detected.

DC: measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures ($\lambda_{d,d}$) and the failure rate of total dangerous failures ($\lambda_d$; $\lambda_d = \lambda_{d,u} + \lambda_{d,d}$):

$DC = \dfrac{\lambda_{d,d}}{\lambda_d} = \dfrac{\lambda_{d,d}}{\lambda_{d,d} + \lambda_{d,u}}$

Denotation / DC range:
none: DC < 60%
low: 60% ≤ DC < 90%
medium: 90% ≤ DC < 99%
high: 99% ≤ DC

Example of design possibilities:
Measure | Technology | DC
Process (cyclic test) | Fluid technique | 0% ≤ DC < 99%
Cross monitoring between 2 channels | Electronic | DC = 99%
Indirect monitoring (e.g. pressure) | Fluid technique | 90% ≤ DC < 99%
Direct position monitoring | Fluid technique | DC = 99%
Integrated self-monitoring | Safety on Board | 90% ≤ DC ≤ 99%


10 Steps to Performance Level

7. Determination of Performance Level

Calculation of the Performance Level using the Software SISTEMA:


10 Steps to Performance Level

8. Evaluation of System Robustness

[Flowchart: Start → Category B? → Category 1? → Category 2, 3 or 4? (yes / no branches); depending on the category the following are required: basic safety principles, well-tried safety principles, well-tried components, measures against CCF; measures against systematic failures in every case → End. Manufacturer statement: applicability of the component for safety functions.]


10 Steps to Performance Level

8. Robustness: Common Cause Failure (CCF)

CCF: Failures of different items, resulting from a single event, where these failures are not consequences of each other.

Measure against CCF | Fluid technology | Electronic | Points | Fulfilled?
Separation between signal paths | Separation in piping (e.g. in control blocks) | Clearance and creepage distances between printed-circuit boards | 15 |
Diversity | e.g. different valves | e.g. different processors | 20 |
Protection against over-voltage, … | Design based on ISO 4413 or ISO 4414 (pressure limiter valve) | (e.g. air gap switch, power supply) | 15 |
Application of well-tried components | Application designer | | 5 |
FMEA in the development | FMEA by the system design | | 5 |
Competence / training | Qualification measures (training) | | 5 |
Protection against contamination and EMC | Fluid quality | EMC testing (product instructions, user) | 25 |
Other influences (e.g. temperature, shock) | Fulfillment of ISO 4413 or ISO 4414 and product specification | Environment conditions of product specification | 10 |
CCF total | Total of points (65 ≤ CCF ≤ 100) | | |


10 Steps to Performance Level

8. Robustness: Safety Principles

Extract from ISO 13849-2:

Measures for the design (component and machine) and the operation

Basic Safety Principles
□ Use of de-energization principle (e.g. central positioning by springs)
□ Pressure limitation
□ Speed limitation / speed reduction
□ Avoidance of fluid contamination
□ Proper range of switching time
□ Protection against unexpected start-up
□ Separation of the energy
□ …

Well-Tried Safety Principles
□ Overdesign / safety factor
□ Safe position
□ Use of well-tried spring
□ Speed limitation / speed reduction
□ Force limitation / force reduction
□ Monitoring of the condition of the fluid
□ Sufficient positive overlapping in piston valves
□ ...

Legend: red = consideration by the selection of the valves; blue = information for the machine user


10 Steps to Performance Level

9. Software Requirements

Safety-related application software? See requirements (Check-List)

[V-model figure: left branch: Specification → Safety-related software specification → System design → Module design → Coding; right branch: Module tests → Integration tests → Validation → Validated software (result); each test step on the right verifies the corresponding design step on the left]


10 Steps to Performance Level

9. Software Requirements

Safety-related application software? See requirements (Check-List)

Limited Variability Languages (like FBD or Ladder) simplify validation

Slide 49

10 Steps to Performance Level
10. Verification and Validation

10.a Verification of the reached Performance Level (PL ≥ PLr)
10.b Validation of the reached Performance Level (machine builder): validation procedure according to ISO 13849-2

Flow: Requirement PLr (Steps 1 to 3) -> Design of the control system (Steps 4 to 9) -> PL -> PL ≥ PLr? no: back to the design of the control system; yes: Check of implemented safety function -> Creation of technical documentation -> Safety Function “1” is ready! -> Next safety function

Slide 50

Further Information about Machine Safety

www.boschrexroth.com/SAFETY
264-page handbook in English since May 2012!
E-learning also available in English!
ISBN: 978-3-9814879-2-3
R961006998

Slide 51

Functional Safety of Machines
Contents

Motivation, Basics, Scope
Safety Standards and Laws
10 Steps to Performance Level
Risk Assessment – the important FIRST STEP

Slide 52

Functional Safety of Machines
Laws and Standards Landscape

ISO 12100: Safety of machinery – General principles for design – Risk assessment and risk reduction
New version since March 2011; it integrates the old versions: ISO 14121 + ISO 12100-1 + ISO 12100-2 -> ISO 12100

Slide 53

Risk Assessment
ISO 12100

Machine Safety: “The concept of safety of machinery considers the ability of a machine to perform its intended function during its life cycle where risk has been adequately reduced.”
Intended use: “use of a machine in accordance with the information for use provided in the instructions”
Reasonably foreseeable misuse: “use of a machine in a way not intended by the designer, but which can result from readily predictable human behavior”

Slide 54

Risk Assessment
Why documentation?

How do lawyers evaluate the quality of work done by engineers? As it would have been done by lawyers!
This means: what is not documented has not been done!
So in case of an accident you should be able to show that you have taken appropriate measures to reduce the risk of all main hazards.

Slide 55

Risk Assessment
Who should do it? When?

Multidisciplinary team!
Machine designers / development
Quality management
Sales
Service
Production

When? Before the machine design.

Slide 56

Risk Assessment
Regulations?

Which regulations apply to my product?
Directives
Laws
Standards
- Machine specific standard (type C)? If yes, use it as template.
- Norm-Master by Bosch: https://rb-normen.bosch.com/NormMaster/
Internal standards
- See intranet “Guidelines & Standards”

Which requirements do they impose? Document the requirements.

Slide 57

Risk Assessment

Process flow diagram, three columns: component producer, machine producer, machine user

Component producer:
Collecting of relevant information -> Developing functional requirements document -> Functional requirements document of component with specific safety requirements -> Conception of components -> Risk assessment -> Risk reduction -> Component production -> Component -> Product documentation for user (machine manufacturer) including specification of residual risks

Machine producer:
Type-C-Standard -> Developing functional requirements document -> Functional requirements document with safety requirements from user statement -> Machine conception -> Risk assessment -> Is the machine sufficiently safe? -> Risk reduction (•Inherent safety construction •Protection •User information) -> Machine production -> Instruction manual with specification of residual risks

Machine user:
Start: Need for a new machine with new risk; Provision of safety requirements; Protection measures for users (•Organisation •Risk protection equipment •Training); Machine; Collecting relevant information; End: New machine is safely installed

Slide 58

Functional Safety of Machines
10 Steps to Performance Level

1. Risk assessment and reduction
2. Identification of the Safety Functions
3. Specification of the required PLr
4. Choice of System Architecture (Category)
5. Modeling the System with Block Diagram
6. Failure and Diagnose
7. Determination of PL
8. Evaluation of System Robustness
9. Software Requirements
10. Verification and Validation

Slide 59

10 Steps to Performance Level
1. Risk assessment and reduction

Is there a C Standard for this machine? If yes, use this as a model.

Start -> Determination of the limits of the machinery -> Hazard identification -> Risk estimation -> Risk evaluation -> Is the machinery safe? no: Measures for risk reduction, then back to the determination of the limits; yes: End
Risk analysis = determination of the limits + hazard identification + risk estimation; Risk assessment = risk analysis + risk evaluation.

Slide 60

10 Steps to Performance Level
1. Risk assessment and reduction

Risk reduction process according to ISO 12100:
1. Avoidance by intrinsic design
2. Avoidance by safeguards (protective devices)
3. Avoidance by information for use

Does the measure depend on a control system? yes: Safety Function (SRP/CS) based on ISO 13849, e.g. Safety Function 1: Emergency Stop; Safety Function 2: Stop and avoidance of unexpected start-up (activated by protective door). no: Everything done? Remaining risks (new hazards)? Repeat risk assessment.

Slide 61

Risk Assessment
1.1 Determination of the limits of the machinery

Use limits
- different machine operating modes, use of the machinery: intended use, reasonably foreseeable misuse, misuse
- users (skills, behavior etc.)
- exposure of other persons to the hazards
Space limits
- dimensioning
Time limits (machine life cycle)
- transport, assembly and installation, set-up and start-up
- operation: normal, automatic => ISO 13849: machine lifetime = 20 years
- maintenance, recycling
Other limits
- materials to be processed …

Operating Manual

Slide 62

Risk Assessment
1.1 Determination of the limits of the machinery

Hazard zone / danger zone: “any space within and/or around machinery in which a person can be exposed to a hazard”

Figure: machine layout with Safety zone 1, Safety zone 2, Safety zone 3, Door 1, Door 2, Door 4, ES1, ES2, TC, MBA and the labels X, Y, Z, B, S (picture not in the text)

Slide 63

Risk Assessment
1.2 Hazard identification

Human interaction during the whole life cycle of the machine, examples:
- teaching / programming
- feeding
- cleaning and housekeeping
- maintenance
Possible states of the machine, examples:
- machine performs the intended function
- machine has malfunctions
Unintended behavior of the operator or reasonably foreseeable misuse of the machine, examples:
- reflex behavior of a person in case of malfunction,
- behavior resulting from pressures to keep the machine running in all circumstances

Slides 64 and 65

Risk Assessment
1.2 Hazard identification
Hazard tables, source: ISO 12100:2010 (figures only; not reproduced in the text)

Slide 66

Risk Assessment
1.3 Risk estimation

“Risk”: the risk related to the considered hazard is a function of
- Severity of harm (S) that can result from the considered hazard
&
- The probability of occurrence of that harm (K), made up of:
  - Exposure of a person / several persons to the hazard (F)
  - The probability of occurrence of the hazardous event (W)
  - The possibility to avoid or to limit the harm (P)

Risk index (R) = S • K = S • (F + W + P)

Slide 67

Risk Assessment
1.3 Risk estimation

Estimation of the probability of occurrence of given harm (Class K), from:
- the exposure of persons to the hazard (F): frequency and duration
- the probability of occurrence of a hazardous event (W), and
- the technical and human possibilities to avoid or limit the harm (P).

Class (K) = F + W + P

Scales:
W (probability of occurrence): negligible = 1, rare = 2, possible = 3, probable = 4, frequent = 5
P (possibility to avoid): probable = 1, possible = 3, impossible = 5
F (frequency of exposure, depending on the duration of one exposure): row headers of the two tables below

Class K for an exposure duration > 10 minutes (columns: W = 1..5, each with P = 1, 3, 5):

Frequency            F   W=1       W=2       W=3       W=4       W=5
> 1 year             2   4  6  8   5  7  9   6  8 10   7  9 11   8 10 12
> 2 weeks to 1 year  3   5  7  9   6  8 10   7  9 11   8 10 12   9 11 13
> 1 day to 2 weeks   4   6  8 10   7  9 11   8 10 12   9 11 13  10 12 14
> 1 hour to 1 day    5   7  9 11   8 10 12   9 11 13  10 12 14  11 13 15
<= 1 hour            5   7  9 11   8 10 12   9 11 13  10 12 14  11 13 15

Class K for an exposure duration <= 10 minutes:

Frequency            F   W=1       W=2       W=3       W=4       W=5
> 1 year             1   3  5  7   4  6  8   5  7  9   6  8 10   7  9 11
> 2 weeks to 1 year  2   4  6  8   5  7  9   6  8 10   7  9 11   8 10 12
> 1 day to 2 weeks   3   5  7  9   6  8 10   7  9 11   8 10 12   9 11 13
> 1 hour to 1 day    4   6  8 10   7  9 11   8 10 12   9 11 13  10 12 14
<= 1 hour            5   7  9 11   8 10 12   9 11 13  10 12 14  11 13 15

Slide 68

Risk Assessment
1.3 Risk estimation

Estimation of the severity of injuries or damage to health (Severity S)

Severity of injury (S):
4 = Death, injury of an eye or arm
3 = Permanent, injury of a finger
2 = Reversible, medical treatments
1 = Reversible, first aid

Class (K) = F + W + P; Risk index (R) = S * K

Risk index R = S * K (rows: S; columns: K):

Severity of injury                  S   K=3   4   5   7   8  10  11  13  14  15
Death, injury of an eye or arm      4    12  16  20  28  32  40  44  52  56  60
Permanent, injury of a finger       3     9  12  15  21  24  30  33  39  42  45
Reversible, medical treatments      2     6   8  10  14  16  20  22  26  28  30
Reversible, first aid               1     3   4   5   7   8  10  11  13  14  15
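The risk estimation of the three preceding slides, carried into code as an added example that is not part of the presentation and not Bosch Rexroth code: the F value is looked up from the frequency/duration tables, K = F + W + P, and R = S * K. The scale values and table entries are those on the slides as read from the extracted text; the function names, the dictionary layout and the sample hazard are my own assumptions. The example also regenerates the complete K matrices so the transcription can be checked cell by cell.

```python
"""Risk index R = S * K with K = F + W + P, as on the risk-estimation slides.

Added example: function names and the sample hazard are assumptions; the
scale values and the F table are transcribed from the slides.
"""
from dataclasses import dataclass

# W: probability of occurrence of the hazardous event (scale from the slide)
W_SCALE = {"negligible": 1, "rare": 2, "possible": 3, "probable": 4, "frequent": 5}

# P: possibility to avoid or limit the harm (note the 1 / 3 / 5 steps)
P_SCALE = {"probable": 1, "possible": 3, "impossible": 5}

# S: severity of harm
S_SCALE = {
    "reversible, first aid": 1,
    "reversible, medical treatments": 2,
    "permanent, injury of a finger": 3,
    "death, injury of an eye or arm": 4,
}

# F: frequency of exposure. Tuple = (F for an exposure > 10 minutes,
# F for an exposure <= 10 minutes); rows from rarest to most frequent.
F_TABLE = {
    "> 1 year": (2, 1),
    "> 2 weeks to 1 year": (3, 2),
    "> 1 day to 2 weeks": (4, 3),
    "> 1 hour to 1 day": (5, 4),
    "<= 1 hour": (5, 5),
}


def exposure_f(frequency: str, duration_over_10_min: bool) -> int:
    """F value for a frequency band and the duration of one exposure."""
    long_f, short_f = F_TABLE[frequency]
    return long_f if duration_over_10_min else short_f


def class_k(frequency: str, duration_over_10_min: bool, w: str, p: str) -> int:
    """Class K = F + W + P; with these scales K lies between 3 and 15."""
    k = exposure_f(frequency, duration_over_10_min) + W_SCALE[w] + P_SCALE[p]
    if not 3 <= k <= 15:
        raise ValueError(f"K out of range: {k}")
    return k


def risk_index(severity: str, k: int) -> int:
    """Risk index R = S * K (3 .. 60)."""
    if not 3 <= k <= 15:
        raise ValueError(f"K out of range: {k}")
    return S_SCALE[severity] * k


@dataclass(frozen=True)
class Hazard:
    """One hazard to be estimated; every field is a label from the scales above."""
    name: str
    severity: str
    frequency: str
    duration_over_10_min: bool
    w: str
    p: str

    def estimate(self) -> tuple[int, int]:
        """Return (K, R) for this hazard."""
        k = class_k(self.frequency, self.duration_over_10_min, self.w, self.p)
        return k, risk_index(self.severity, k)


def build_k_table(duration_over_10_min: bool) -> dict[str, list[int]]:
    """Regenerate one of the two K matrices: one row per frequency band with
    15 cells ordered by W = 1..5 and, within each W, by P = 1, 3, 5."""
    table = {}
    for frequency in F_TABLE:
        f = exposure_f(frequency, duration_over_10_min)
        table[frequency] = [f + w + p for w in W_SCALE.values() for p in P_SCALE.values()]
    return table


# Constructed sample hazard (not from the slides): a short manual intervention
# several times a day where a hand injury would be permanent.
SAMPLE = Hazard(
    name="manual part removal at a press",
    severity="permanent, injury of a finger",
    frequency="> 1 hour to 1 day",
    duration_over_10_min=False,
    w="possible",
    p="possible",
)

if __name__ == "__main__":
    k, r = SAMPLE.estimate()
    print(f"{SAMPLE.name}: K = {k}, R = {r}")
    for row, cells in build_k_table(True).items():
        print(f"{row:20s} {cells}")
```

For the sample hazard F = 4, W = 3 and P = 3 give K = 10, and with S = 3 the risk index is R = 30, which is the cell in the "Permanent" row under K = 10 of the severity table. Because every input is a labelled scale value, a typo in a label raises a KeyError instead of silently producing a wrong index.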

Slide 69

Risk Assessment
1.4 Risk evaluation

Risk evaluation with recommendation of measures for risk reduction, according to Severity (S) and Class (K): the R = S * K matrix of slide 68 is shown again, colour-coded; each colour stands for a measure for risk reduction.
The risk evaluation is a team decision!
Important is to achieve an “Adequate risk reduction”.

Colour legend (SIL / PLr: measure for risk reduction):
- SIL 3 / PLr e: needed, e.g. Safety Function (SF)
- SIL 2 / PLr d: needed, e.g. Safety Function (SF)
- SIL 1 / PLr c: needed, e.g. Safety Function (SF)
- – / PLr b: other measures or Safety Function
- – / PLr a: perhaps other measure or SF

Slide 70

Risk Assessment
1.4 Risk evaluation

Adequate risk reduction (criteria):
- all operating conditions and all intervention procedures have been considered,
- the hazards have been eliminated or risks reduced to the lowest practicable level,
- any new hazards introduced by the protective measures have been properly addressed,
- users are sufficiently informed and warned about the residual risks,
- protective measures are compatible with one another,
- sufficient consideration has been given to the consequences that can arise from the use in a non-professional/non-industrial context of a machine designed for professional/industrial use, and
- the protective measures do not adversely affect the operator's working conditions or the usability of the machine.

Comparison of risks: comparison with similar machines or other type-C standards…

Slide 71

Risk Assessment
1.5 Risk reduction

1st Priority: Avoidance by intrinsic design

Inherently safe design measure: protective measure which either eliminates hazards or reduces the risks associated with hazards by changing the design or operating characteristics of the machine without the use of guards or protective devices.
This is because protective measures inherent to the characteristics of the machine are likely to remain effective…

Examples (table with columns Object, Before, Risk, Measure; pictures not in the text)

Slide 72

Risk Assessment
1.5 Risk reduction

1st Priority: Avoidance by intrinsic design

Ergonomic principles: ergonomic principles shall be taken into account in designing machinery so as to reduce the mental or physical stress of, and strain on, the operator.

Pay attention! Manipulation (defeating) of the machine safety is quite often caused by machines where the ergonomic principles have not been appropriately implemented!

Slide 73

Risk Assessment
1.5 Risk reduction

2nd Priority: Avoidance by safeguards (protective devices)

Safeguard: “guard or protective device”
Guard: “physical barrier, designed as part of the machine to provide protection” (fixed, movable, adjustable, interlocking)
Protective device: “safeguard other than a guard“
Sensitive Protective Equipment (SPE): “equipment for detecting persons or parts of persons which generates an appropriate signal to the control system to reduce risk to the persons detected”
Safety function: “function of a machine whose failure can result in an immediate increase of the risks”
Enabling device: “additional manually operated device used in conjunction with a start control and which, when continuously actuated, allows a machine to function”

Slide 74

Risk Assessment
1.5 Risk reduction

3rd Priority: Avoidance by information for use

Where risks remain despite inherently safe design measures, safeguarding and the adoption of complementary protective measures, the residual risks shall be identified in the information for use:
- operating procedures for the use of the machinery…
- the recommended safe working practices…
- sufficient information, including warning of residual risks…
- recommended personal protective equipment…

Do not forget: Operating Manual!

Slide 75

Risk Assessment
1.5 Risk reduction

Risk reduction process according to ISO 12100:
1. Avoidance by intrinsic design
2. Avoidance by safeguards (protective devices)
3. Avoidance by information for use

Does the measure depend on a control system? yes: Safety Function (SRP/CS) based on ISO 13849, e.g. Safety Function 1: Emergency Stop; Safety Function 2: Stop and avoidance of unexpected start-up (activated by protective door). no: Everything done? Residual risks (new hazards)? Repeat risk assessment.

Slide 76

Functional Safety of Machines
Thank you for your attention!

Bosch Rexroth
Securing Your Future!