ISO 12100:2012 – Safety of machinery – General principles for design – Risk assessment and risk reduction
As a result of their functionality, machines and plants represent potential risks for workers. If a machine may present hazards, a risk assessment is required and, where relevant, risk reduction shall be undertaken to bring the risk down to an acceptable level.
ISO 12100 provides a methodology for the design of machines that shall be safe for their intended use. It gives provisions:
- For identification of the hazards
- For estimation and evaluation of the risks associated with the machine
- On how to remove hazards or provide sufficient risk reduction
ISO 12100 is a type-A standard.
For the USA, equivalent information is given in ANSI 12100.
Strategy for risk assessment and risk reduction
Risk assessment is a comprehensive method that enables the analysis and evaluation of risks in a systematic way. It must be carried out during the design, construction and commissioning of the machinery, and every time modifications are made. It can also be used to evaluate existing machinery if, for example, accidents or malfunctions have occurred.
To implement risk assessment and risk reduction, the following actions shall be taken:
- Risk analysis
To determine the limits of the machinery, which include the intended use and any reasonably foreseeable misuse, and to identify the hazards and the hazardous situations associated with the person’s activities (all safeguards should be ignored while hazard identification is performed).
- Risk evaluation
To evaluate the risk for each identified hazard and hazardous situation and take decisions about whether there is a need to reduce risk.
- Risk reduction
If the hazard cannot be removed, reduce the associated risk by implementing protective measures.
The process is iterative, and several successive applications can be necessary.
Fig. 1 – Strategy for risk assessment and risk reduction
The goal to be met is to reduce risk to an acceptable (tolerable) level, considering that the risk reduction achieved should be effective throughout all phases of the machine life cycle and should not impair machinery functions and usability.
When changes are made to the process or to the machine, or if protective measures are added, all steps of the risk assessment should be repeated to check whether:
Achieving the required risk reduction is only one of the inputs to the decision to stop the iterative risk reduction process. This decision should involve additional considerations such as regulations, national laws, and work organization.
A safety function typically starts with the detection and evaluation of an ‘initiation event’ and ends with an output that causes an action on a ‘machine actuator’.
A safety function is usually realised as a series combination of three sub-functions that perform, respectively, the tasks of Detection, Evaluation and Action.
Any of the technologies available (electric, hydraulic, pneumatic, mechanical) individually or in combination may be used.
The risk reduction provided by each safety function does not cover the overall risk of the machine, but only that part of the risk addressed by that safety function. This keeps the calculations from becoming unduly complex, because the reliability data of components of the safety-related control system that do not contribute to that safety function are not considered.
A hazardous movement is safeguarded by a fence fitted with five guards. The opening of any of the five guards stops the dangerous movement.
Four separate safety functions can be considered, one for each door, if it is assumed that only one door is opened at a time.
For the integration of a safety-related control system into the machine control system (MCS), the following principles shall be applied:
Fig. 3 – Example of integration of a safety-related control system with a PLC
A – A failure to open (e.g. due to welded contacts) of KM1 prevents stopping of the motor.
B – If the outputs of the SRP/CS are connected to the inputs of a standard (non-safety) PLC, hardware and software faults within the PLC, or the failure of KM1, can prevent stopping of the motor.
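The two wiring arrangements of Fig. 3 can be checked with a simple single-fault enumeration over the Detection → Evaluation → Action chain. The script below is an added illustration, not part of ISO 12100 or of the original page; the element names and the fault modes (welded contacts of KM1, PLC hardware and software faults) are taken from the figure text, while modelling the guard switch and the SRP/CS with no dangerous fault of their own is an assumption made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """One element in the series chain of a safety function."""
    name: str
    dangerous_faults: tuple  # fault modes that keep this element from passing on a stop


def motor_stops(chain, active_faults=frozenset()):
    """Simulate one demand: a guard is opened and the stop must travel the whole chain.

    active_faults holds (element name, fault) pairs currently present.  In a series
    chain a single element that cannot transmit the stop defeats the safety function.
    """
    stop_signal = True  # Detection: the guard has been opened
    for element in chain:
        faulty = any((element.name, f) in active_faults for f in element.dangerous_faults)
        stop_signal = stop_signal and not faulty  # a faulty element drops the stop
    return stop_signal


def single_fault_analysis(chain):
    """Return every single fault under which opening the guard does NOT stop the motor."""
    return [
        (element.name, fault)
        for element in chain
        for fault in element.dangerous_faults
        if not motor_stops(chain, frozenset({(element.name, fault)}))
    ]


# Constructed models of the two cases in Fig. 3 (assumed fault lists, see lead-in).
GUARD = Element("guard switch", ())      # assumption: no dangerous fault modelled
SRP_CS = Element("SRP/CS", ())           # assumption: no dangerous fault modelled
PLC = Element("PLC", ("hardware fault", "software fault"))  # standard, non-safety PLC
KM1 = Element("KM1", ("welded contacts",))

ARCHITECTURE_A = (GUARD, SRP_CS, KM1)        # SRP/CS drives KM1 directly
ARCHITECTURE_B = (GUARD, SRP_CS, PLC, KM1)   # SRP/CS output routed through the PLC

if __name__ == "__main__":
    for label, chain in (("A", ARCHITECTURE_A), ("B", ARCHITECTURE_B)):
        print(f"Case {label}: faults preventing the stop -> {single_fault_analysis(chain)}")
```

Running it lists only the welded KM1 for case A, while case B additionally reports the PLC hardware and software faults, which is why the stop path must not depend on a non-safety PLC.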