12/02/2021
Machine Safety Training Course Module 2
Prevention of Machinery Hazards
TÜV Rheinland
Training Master
Method and Tools of Machinery Safety
Honda Prospect Motor Feb 2021
Trainer: Ivan Stevanus Chandra
Course Program
Machinery Safety Adopting ISO 12100
Morning Session 1, 08.30-10.30: Module 1 Definition and Introduction of Machinery Hazards
Morning Session 2, 10.45-12.00: Module 2 Method and Tools of Machinery Safety
Afternoon Session 1, 13.00-15.00: Module 3 Risk Estimation and Risk Reduction – Concept and Application
Afternoon Session 2, 15.00-17.00:
15.00-15.45 Module 4 Study Cases
16.00-17.00 Module 5 Workshop and Presentation
Module 2: Method and Tools of Machinery Safety
Welcome to TÜV Rheinland Academy
Introduction to Machinery Safety
2021
The aim of this course
is to understand and be able to apply:
Risk Assessment Methodology – ISO 12100:2010
Tools of ISO 13849-1 and IEC 62061
Methods for Risk Estimation – Common Risk Matrix, Risk Graph
Application of Risk Assessment – Quantitative Approach
Principles of Method of Risk Assessment of Machines
TÜV Rheinland Akademie GmbH
2020
Machinery Risk Assessment
Risk Assessment Methodology
General Methods
Method for Risk Assessment (Hazard Analysis)
Common Methods for Risk Assessment
• Risk Matrix
A matrix of Probability (likelihood) against Severity, with the scales of both axes determined by the company.
Semi-quantitative measurement.
• Risk Graph
Also known as a decision tree: nodes connected by branches to other nodes, one branch per risk parameter.
More qualitative measurement.
• FMEA
• HAZOP
• Numerical Scoring
Quantitative risk estimation: the frequency of the initiating event is combined with the probability of failure of each layer of protection to obtain the frequency of the defined unwanted event.
Risk Matrix
Common Method for Risk Assessment
• Risk Matrix
A conservative approach to determining the risk level.
A matrix combining failure frequency (probability) and consequences (severity) allows categories of risk level to be established.
Risk evaluation is then performed by selecting the appropriate failure management policy (risk reduction measure) for each failure mode.
Risk levels and action priorities:
High = Add at least two safety measures or change the design (design review)
Serious = Add at least one safety measure (technical/engineering control)
Medium = Administrative control is still acceptable
Low = Information for use or PPE is still acceptable
Eliminated = No further action
The ordering of the actions follows the ISO 12100 hierarchy: inherently safe design first, then safeguarding and complementary protective measures, then information for use.
Risk Graph
Another Method
• Risk Graph with four factors
Severity of the possible injury (E).
Frequency and duration of exposure of individuals to the considered hazardous situation (B).
Probability that the considered dangerous event takes place (W).
Lack of possibilities for hazard mitigation (G), i.e. lack of possibilities to avoid or minimize the injury.
Risk Graph (2)
Application
• Risk Graph Application
For each potential hazard or hazardous situation, the factors E, B, W and G are to be determined, possibly after extensive discussion, and to be recorded.
Aim: removing the latent danger (the hazard) or, where that is not possible, reducing the risk.
E = Degree of severity of the possible injury
B = Frequency and duration of exposure of individuals to the hazard
W = Probability that the hazardous event occurs
G = Possibility of avoiding the danger or of minimizing the injury
Numerical Scoring – Risk Graph
Risk Graph and Required Performance Level, ISO 13849-1
• Risk Graph with Risk Estimation
Severity of injury (S1 slight, reversible; S2 serious, irreversible, or death).
Frequency and/or exposure time to the hazard (F1 seldom to less often; F2 frequent to continuous).
Possibility of avoiding the hazard or limiting the harm (P1 possible under specific conditions; P2 scarcely possible).
The output of the ISO 13849-1 risk graph is a required Performance Level PLr (a to e), not a SIL; ISO 13849-1 Table 4 relates the two (PL c corresponds to SIL 1, PL d to SIL 2, PL e to SIL 3).
* ISO 13849-1, 2015 – Safety of machinery – Safety-related parts of control systems – Part 1:
General principles for design
FMEA
Design and Process FMEA
• FMEA
Failure Mode and Effects Analysis (FMEA) is a structured approach to discovering potential failures that may exist within the design of a product or process. Each failure mode is listed with its effects and rated for severity, occurrence and detection, which prioritises the failure modes that need a countermeasure.
Module 2
Application of Risk Assessment – Quantitative Approach (active optoelectronic protective device, interlocking movable guards)
Basic Principle in SIS
SIS, SIF and SIL
• Safety Instrumented System (SIS)
A SIS is a set of devices (sensors, logic solver, final elements) and software that perform one or more Safety Instrumented Functions (SIFs).
• Safety Instrumented Function (SIF)
An independent safety loop or interlock that automatically brings the process (or machine) to a safe state in response to specific initiating events.
• Safety Integrity Level (SIL)
A measure of the risk reduction required of a specific safety instrumented function implemented by a safety instrumented system.
SIL is expressed as a number from 1 to 4: SIL 4 provides the greatest risk reduction, SIL 1 the lowest.
Safe and dangerous failures of the SIS
Four groups of failures
Safe Failure: a failure of a safety instrumented function component that has no effect on the ability of the system to reach the safe state.
Dangerous Failure: a failure of a safety instrumented function component that has the potential to prevent the system from reaching the fail-safe state when requested to do so.
• Safe Detected failure (SD): a non-dangerous failure that is detected by the SIS diagnostics.
• Safe Undetected failure (SU): a non-dangerous failure that is not detected by the SIS diagnostics.
• Dangerous Detected failure (DD): a dangerous failure that is detected by the SIS diagnostics and which could lead to loss of the safety function if not repaired. Examples of detection: an analog signal going out of range, or a Partial Stroke Test (PST) on the safety valves.
• Dangerous Undetected failure (DU): a dangerous failure that is not detected by the SIS diagnostics and which could lead to loss of the safety function; it stays hidden until the next proof test.
Keep in mind that the proof tests we must perform periodically on all safety functions are never perfect.
Advanced Risk Graph
Risk Graph and SIL Calculation, IEC 62061
• Risk Graph with Calculation
IEC 62061 specifies requirements and makes recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machines.
The evaluation of the risk elements and the determination of the SIL requirement follow the approach of IEC 61508-5.
* IEC 62061, 2005 – Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
SIL Determination – Application IEC 62061
Example Study Case
Initiating events identified earlier:
Item | Initiating Event | Description
1 | Operator error | Operator opens protective hood while machine is running
2 | Control failure | Failure of control leads to unexpected start-up of machine
• For the operator error event (Item 1), determine the required SIL based on:
If an operator's hand(s) are near the work piece, it is likely that they will suffer a severe laceration or loss of finger(s).
From experience/incident data, it is known that an operator will open the machine several times per year while it is running.
Even if the protective hood (guard) is open, the operator does not always reach into the work area.
SIL Determination
Classify the Probable Harm
Item | Initiating Event | Description | Se | Fr | Pr | Av | Cl
1 | Operator error | Operator opens protective hood while machine is running | 3 | 3 | 3 | 5 | 11
2 | Control failure | Failure of control leads to unexpected start-up of machine | | | | |
Item 1 – Operator Error
Se = 3 (irreversible injury: loss of fingers), Fr = 3 (exposure several times per year), Pr = 3 (hazardous event possible: the operator does not always reach in), Av = 5 (avoidance impossible once the hand is in the work area).
Class of probability of harm: Cl = Fr + Pr + Av = 3 + 3 + 5 = 11.
For severity Se = 3 and class Cl = 11 the IEC 62061 SIL assignment matrix gives the required SIL as SIL 2.
Action to do:
Provide a Safety Instrumented Function meeting the SIL 2 requirement.
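As an added worked example (not from the slides or from TÜV Rheinland), the Python below encodes the two target-level procedures the deck refers to: the IEC 62061 classification of the last two slides (Se, Fr, Pr, Av scales, Cl = Fr + Pr + Av, and the SIL assignment matrix) beside the ISO 13849-1 risk graph of the earlier "Numerical Scoring – Risk Graph" slide. Only one cell of the matrix (Se 3, Cl 11 gives SIL 2) appears on the page; the full scales, the matrix, the PLr graph and the PL-to-SIL table are reproduced from my reading of IEC 62061:2005 Annex A and ISO 13849-1 and should be checked against the standards. The S2/F1/P2 classification of the same operator-error hazard is my assumption.

```python
"""Target safety level from risk parameters: IEC 62061 (SIL) and ISO 13849-1 (PLr).

Added example. Scales, matrix and graph are reproduced from memory of
IEC 62061:2005 Annex A and ISO 13849-1 (assumption: verify against the
standards). The page gives one data point, Se=3, Fr=3, Pr=3, Av=5 -> Cl=11
-> SIL 2, which this table reproduces.
"""

# --- IEC 62061:2005 Annex A -------------------------------------------------
FR_SCORE = {"<=1h": 5, ">1h..<=1day": 5, ">1day..<=2weeks": 4,
            ">2weeks..<=1year": 3, ">1year": 2}            # frequency of exposure
PR_SCORE = {"very high": 5, "likely": 4, "possible": 3,
            "rarely": 2, "negligible": 1}                   # probability of hazardous event
AV_SCORE = {"impossible": 5, "possible": 3, "likely": 1}    # possibility of avoidance

CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))  # columns of the matrix
# Rows: Se. Cells: required SIL, "OM" (other measures recommended, no SIL
# claimed) or None (no safety-related control function needed).
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None,    "OM",    "SIL 1", "SIL 2", "SIL 3"),
    2: (None,    None,    "OM",    "SIL 1", "SIL 2"),
    1: (None,    None,    None,    "OM",    "SIL 1"),
}


def iec62061_sil(se, fr, pr, av):
    """Return (Cl, target) with Cl = Fr + Pr + Av and target read off the matrix.

    Inputs are validated against the scale values the standard actually uses,
    so a mis-scored parameter (e.g. Fr = 1, which does not exist) is rejected
    instead of silently landing in a lower class."""
    if se not in SIL_MATRIX:
        raise ValueError(f"Se must be 1..4, got {se}")
    if fr not in (2, 3, 4, 5):
        raise ValueError(f"Fr must be 2..5, got {fr}")
    if pr not in (1, 2, 3, 4, 5):
        raise ValueError(f"Pr must be 1..5, got {pr}")
    if av not in (1, 3, 5):
        raise ValueError(f"Av must be 1, 3 or 5, got {av}")
    cl = fr + pr + av
    for (lo, hi), cell in zip(CL_BANDS, SIL_MATRIX[se]):
        if lo <= cl <= hi:
            return cl, cell
    raise AssertionError("unreachable: Cl always lies in 3..15")


# --- ISO 13849-1 risk graph ---------------------------------------------------
# S1/S2 severity, F1/F2 frequency/exposure, P1/P2 possibility of avoidance.
PLR_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}  # ISO 13849-1 Table 4


def iso13849_plr(s, f, p):
    """Required Performance Level for one branch of the risk graph."""
    return PLR_GRAPH[(s, f, p)]


def operator_error_case():
    """The page's Item 1: operator opens the hood while the machine runs.

    Returns (Cl, IEC 62061 target, ISO 13849-1 PLr, SIL equivalent of PLr)."""
    cl, sil = iec62061_sil(se=3,                               # loss of fingers
                           fr=FR_SCORE[">2weeks..<=1year"],    # several times a year
                           pr=PR_SCORE["possible"],            # does not always reach in
                           av=AV_SCORE["impossible"])          # hand already in work area
    # Assumed mapping of the same hazard onto the ISO 13849-1 graph:
    # irreversible injury -> S2, a few times a year -> F1, no avoidance -> P2.
    plr = iso13849_plr("S2", "F1", "P2")
    return cl, sil, plr, PL_TO_SIL[plr]


if __name__ == "__main__":
    print(operator_error_case())
    # Sensitivity: if avoidance were merely "possible" (Av = 3) the class drops
    # to 9 and the matrix gives SIL 1; with a fatal outcome (Se = 4) it gives SIL 3.
    print(iec62061_sil(3, 3, 3, 3), iec62061_sil(4, 3, 3, 5))
```

The two routes agree for this hazard (SIL 2 and PL d, which ISO 13849-1 maps to SIL 2), which is the cross-check a reviewer would want before the SIL 2 requirement is written into the specification. The sensitivity calls show why the Av and Se scores deserve the "extensive discussion" the earlier slide mentions: one step on either axis moves the target level.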
Advanced Safety Barriers Calculation
Example of Emergency Stop of Ballast System
• Description of function
An emergency stop mechanism of the ballast system, in addition to and separate from the programmed ballast control functions.
Purpose: to ensure a safe installation by closing all relevant equipment under control and stopping all relevant rotors/motors.
Sub-functions:
Emergency pushbutton
Safety relay
Isolation relay
MCC shutdown relay
Contactor to the motor
Equipment under control (EUC) assembly (solenoid/pilot/valve/protection hood)
RBD (Reliability Block Diagram), a series structure: every block must work for the function to succeed
Manual pushbutton -> Safety relay -> Isolation relay -> MCC shutdown relay -> Contactor -> EUC -> Solenoid/pilot
Numerical Scoring – Advanced Safety Barriers Calculation
Example of Emergency Stop of Ballast System – PFD result for Emergency Stop
No. | Component | No. of components | Total PFD | System PSF
1 | Emergency pushbutton | 1 | 4.4·10^-4 (Note 1) | 1·10^-5 (Note 1)
2 | Safety relay | 1 | 1.75·10^-3 (Note 2) | -
3 | Isolation relay | 1 | 1.75·10^-3 (Note 2) | -
4 | MCC shutdown relay | 1 | 1.75·10^-3 (Note 2) | -
5 | Contactor | 1 | 1.75·10^-3 (Note 2) | -
6 | Equipment Under Control (Gate) | 1 | 8.8·10^-3 (Note 3) | 0.5·10^-5
7 | Solenoid/pilot | 1 | 3.9·10^-3 (Note 3) | -
Total Function | | - | 0.020 | 1.5·10^-5
General: A two-year test interval has been assumed throughout for relays and contactors, except for the solenoid/pilot/valve, where a one-year test interval is assumed.
Note 1: Values taken from the PDS handbook (Reliability Prediction Method for Safety Instrumented Systems); λDU for the ESD pushbutton = 0.2·10^-6 per hour.
Note 2: A λDU of 0.2·10^-6 per hour has been applied throughout for relays and contactors.
Note 3: Standard failure data for shutdown valves and solenoids are applied (reliability values from OREDA).
Check: for a single (1oo1) element PFD ≈ λDU·τ/2, so 0.2·10^-6 per hour × 17 520 h / 2 = 1.75·10^-3 for each relay and contactor, and because the RBD is a series structure the PFD of the whole function is the sum of the component PFDs.
As seen from the above quantification, only a SIL 1 requirement (10^-2 ≤ PFD < 10^-1) is met with the given assumptions: the total PFD of 0.020 is above the 10^-2 limit for SIL 2.
However, by increasing the test frequency for relays and contactors (from 24 months) and for the valve assembly (from 12 months), and/or by introducing redundancy of the valves, a SIL 2 requirement seems achievable and is therefore stated.
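The roll-up of the table above, as an added example (my code, not the PDS handbook's or TÜV Rheinland's): each element is modelled as 1oo1 with PFD ≈ λDU·τ/2, the series RBD is summed, and the total is placed in the IEC 61508 low-demand SIL bands. The λDU values for the gate and the solenoid/pilot are not on the page, so they are backed out of the tabulated PFDs at the stated one-year interval (an assumption); the pushbutton value is kept as tabulated because its interval is not stated. The shorter test intervals tried at the end are hypothetical, chosen to show how much the "increase the test frequency" option alone buys.

```python
"""Series-RBD PFD roll-up for the ballast-system emergency stop (added example).

Component data from the slide's table and notes; lambda_DU for gate and
solenoid/pilot are back-computed from PFD = lambda_DU * tau / 2 (assumption).
"""

HOURS_PER_YEAR = 8760.0

LAMBDA_DU_RELAY = 0.2e-6                                # 1/h, Note 2 on the slide
LAMBDA_DU_GATE = 2 * 8.8e-3 / HOURS_PER_YEAR            # assumed: from 8.8e-3 at 1 year
LAMBDA_DU_SOLENOID = 2 * 3.9e-3 / HOURS_PER_YEAR        # assumed: from 3.9e-3 at 1 year
PFD_PUSHBUTTON = 4.4e-4                                 # tabulated PDS value, kept fixed


def pfd_1oo1(lambda_du, tau_hours):
    """Average PFD of a single element with dangerous undetected rate lambda_du
    [1/h] proof-tested every tau_hours: lambda_du * tau / 2 (first-order
    approximation, valid while lambda_du * tau << 1)."""
    return lambda_du * tau_hours / 2.0


def sil_from_pfd(pfd):
    """IEC 61508 low-demand bands: SIL n needs 10^-(n+1) <= PFDavg < 10^-n.
    Returns None above the SIL 1 band; 4 for anything in or below the SIL 4 band."""
    if pfd >= 1e-1:
        return None
    for sil in (1, 2, 3, 4):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return 4


def estop_pfd(relay_interval_years=2.0, valve_interval_years=1.0):
    """Total PFD of the series loop and the per-component contributions.

    Series RBD: the function fails if any element fails, so the component
    PFDs add (first-order). Defaults are the slide's assumptions."""
    relay_tau = relay_interval_years * HOURS_PER_YEAR
    valve_tau = valve_interval_years * HOURS_PER_YEAR
    contributions = {
        "Emergency pushbutton": PFD_PUSHBUTTON,
        "Safety relay": pfd_1oo1(LAMBDA_DU_RELAY, relay_tau),
        "Isolation relay": pfd_1oo1(LAMBDA_DU_RELAY, relay_tau),
        "MCC shutdown relay": pfd_1oo1(LAMBDA_DU_RELAY, relay_tau),
        "Contactor": pfd_1oo1(LAMBDA_DU_RELAY, relay_tau),
        "EUC (gate)": pfd_1oo1(LAMBDA_DU_GATE, valve_tau),
        "Solenoid/pilot": pfd_1oo1(LAMBDA_DU_SOLENOID, valve_tau),
    }
    return sum(contributions.values()), contributions


def test_interval_study():
    """Hypothetical shorter intervals versus the slide's 24/12-month baseline."""
    scenarios = {
        "baseline 24m relays / 12m valves": (2.0, 1.0),
        "12m relays / 6m valves": (1.0, 0.5),
        "12m relays / 3m valves": (1.0, 0.25),
    }
    result = {}
    for name, (relay_y, valve_y) in scenarios.items():
        total, _ = estop_pfd(relay_y, valve_y)
        result[name] = (total, sil_from_pfd(total))
    return result


if __name__ == "__main__":
    total, parts = estop_pfd()
    for name, pfd in parts.items():
        print(f"{name:22s} {pfd:.2e}")
    print(f"{'total':22s} {total:.2e}  -> SIL {sil_from_pfd(total)}")
    for name, (pfd, sil) in test_interval_study().items():
        print(f"{name:34s} PFD {pfd:.2e}  -> SIL {sil}")
```

Running it reproduces the slide's 0.020 total and SIL 1. The study shows the caveat the slide leaves implicit: halving every interval lands at about 0.0103, still just above the 10^-2 line, and only the valve assembly (the dominant 0.0127 of the budget) tested quarterly brings the loop into the SIL 2 band. That is why the slide pairs shorter intervals with valve redundancy rather than relying on test frequency alone.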
Fire Protection System as Safety Barriers
Example of Safety Deluge System
• PFD1oo2* = λDU(c)·T1/2 + [λDU(i)·T1]²/3,
where λDU(c) is the common-cause part of the dangerous undetected failure rate (the β-factor share, which behaves like a single element), λDU(i) the independent part (both channels must fail within the same test interval), and T1 the proof-test interval.
The above quantification indicates that only a quantitative SIL 1 level is obtained.
As seen from the above table, a SIL 2 function can be achieved by:
• better (verified) reliability data for the deluge valve and/or more frequent testing of the deluge valve;
• for the F&G logic, a failure rate (λDU) of 1·10^-6 per hour has been applied, i.e. corresponding to the failure rate of a single (non-redundant) system. Typically, the F&G system will have redundant CPUs and I/O, and based on the type of redundancy applied a lower failure rate for the overall F&G logic may be argued.
It is therefore concluded that the SIL 2 requirement is achievable, and this requirement is therefore given.
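To make the redundancy argument of the last bullet concrete, the following added example (my code, not from the slides or the PDS method) implements the PFD1oo2* formula shown on this slide with the usual β-factor split, λDU(c) = β·λDU and λDU(i) = (1 - β)·λDU, and compares a single F&G logic channel against a 1oo2 pair for the page's λDU of 1·10^-6 per hour. The one-year proof-test interval and the β values are assumptions for illustration; the page does not state them.

```python
"""1oo2 PFD with common-cause split, as on the deluge slide (added example).

PFD1oo2* = lambda_DU(c) * T1 / 2 + [lambda_DU(i) * T1]^2 / 3
with lambda_DU(c) = beta * lambda_DU and lambda_DU(i) = (1 - beta) * lambda_DU.
T1 (1 year) and beta are assumed; lambda_DU = 1e-6 /h is the slide's F&G value.
"""

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lambda_du, t1):
    """Single channel: lambda_DU * T1 / 2 (first-order, lambda_DU * T1 << 1)."""
    return lambda_du * t1 / 2.0


def pfd_1oo2(lambda_du, t1, beta):
    """Redundant pair per the slide's formula.

    The common-cause share beta*lambda_DU knocks out both channels at once and
    therefore contributes like a 1oo1 element; the independent share only
    fails the function if both channels fail within the same interval T1,
    giving the quadratic term."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError(f"beta must be in [0, 1], got {beta}")
    lam_c = beta * lambda_du
    lam_i = (1.0 - beta) * lambda_du
    return lam_c * t1 / 2.0 + (lam_i * t1) ** 2 / 3.0


def sil_from_pfd(pfd):
    """IEC 61508 low-demand bands: SIL n needs 10^-(n+1) <= PFDavg < 10^-n."""
    if pfd >= 1e-1:
        return None
    for sil in (1, 2, 3, 4):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return 4


def fg_logic_options(lambda_du=1e-6, t1_years=1.0, betas=(0.0, 0.02, 0.1, 1.0)):
    """PFD of the F&G logic as a single channel and as 1oo2 for several betas."""
    t1 = t1_years * HOURS_PER_YEAR
    out = {"1oo1": pfd_1oo1(lambda_du, t1)}
    for beta in betas:
        out[f"1oo2 beta={beta}"] = pfd_1oo2(lambda_du, t1, beta)
    return out


if __name__ == "__main__":
    for name, pfd in fg_logic_options().items():
        print(f"{name:16s} PFD {pfd:.2e}  -> SIL {sil_from_pfd(pfd)}")
```

With β = 0.1 the pair sits near 4.6·10^-4 against 4.4·10^-3 for one channel, a factor of ten, and almost all of that residual is the common-cause term: the quadratic independent term is only about 2·10^-5. Two points a reviewer should insist on before the lower rate for the F&G logic is "argued": the improvement stands or falls on the β value claimed for the redundant CPUs and I/O, and with β = 1 the formula collapses back to the single-channel value, which the code uses as its sanity check.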
Thank you for
your attention
Method and Tools for Machinery Safety
Compliance with ISO 12100, 2010
Ivan Stevanus Chandra
Jakarta, 17-18 February 2021
www.tuv.com
LEGAL DISCLAIMER
This document remains the property of TÜV Rheinland. It is supplied in confidence solely for information purposes for the recipient. Neither this
document nor any information or data contained therein may be used for any other purposes, or duplicated or disclosed in whole or in part, to any
third party, without the prior written authorization by TÜV Rheinland. This document is not complete without a verbal explanation (presentation)
of the content.
TÜV Rheinland AG