ISO/DIS 12100 Draft 2024 available - 13 December 2024
ID 23112 | 14.12.2024 / Preview attached
ISO/DIS 12100(en) Safety of machinery - General principles for design - Risk assessment and risk reduction
ISO 12100:2010 specifies basic terminology, principles and a methodology for achieving safety in the design of machinery. It specifies principles of risk assessment and risk reduction to help designers in achieving this objective. These principles are based on knowledge and experience of the design, use, incidents, accidents and risks associated with machinery. Procedures are described for identifying hazards and estimating and evaluating risks during relevant phases of the machine life cycle, and for the elimination of hazards or sufficient risk reduction. Guidance is given on the documentation and verification of the risk assessment and risk reduction process.
ISO 12100:2010 is also intended to be used as a basis for the preparation of type-B or type-C safety standards.
It does not deal with risk and/or damage to domestic animals, property or the environment.
Under development
This Draft International Standard is in the enquiry phase with ISO members.
Will replace ISO 12100:2010 | ISO/TR 22100-1:2021 | ISO/TR 22100-2:2013
ISO/DIS 12100 Safety of machinery - General principles for design - Risk assessment and risk reduction
Introduction
The primary purpose of this document is to provide designers with an overall framework and guidance for decisions during the development of machinery to enable them to design machines that are adequately safe for their intended use. It also provides a strategy for standards developers and will assist in the preparation of consistent and appropriate type-B and type-C standards.
The concept of safety of machinery considers the ability of a machine to perform its intended function(s) during its life cycle where risk has been adequately reduced.
This document is the basis for a set of standards which has the following structure:
a) type-A standards (basic safety standards) giving basic concepts, principles for design, and general aspects that can be applied to all machinery;
b) type-B standards (generic safety standards) dealing with one safety aspect or one or more type(s) of safeguard that can be used across a wide range of machinery:
- type-B1 standards on particular safety aspects (e.g., safety distances, surface temperature, noise);
- type-B2 standards on safeguards (e.g., two-hand control devices, interlocking devices, pressure-sensitive devices, guards);
c) type-C standards (machine safety standards) dealing with detailed safety requirements for a particular machine or group of machines.
This document is a type-A standard.
This document is of relevance, in particular, for the following stakeholder groups representing the market players with regard to machinery safety:
- machine manufacturers (small, medium and large enterprises);
- health and safety bodies (regulators, accident prevention organisations, market surveillance).
Others can be affected by the level of machinery safety achieved with the means of the document by the above-mentioned stakeholder groups:
- machine users/employers (small, medium and large enterprises);
- machine users/employees (e.g. trade unions, organizations for people with special needs);
- service providers, e.g. for maintenance (small, medium and large enterprises);
- consumers (in case of machinery intended for use by consumers).
The above-mentioned stakeholder groups have been given the possibility to participate in the drafting process of this document. When a type-C standard deviates from one or more technical provisions dealt with by this document or by a type-B standard, the type-C standard takes precedence. It is desirable that this document be referred to in training courses and manuals to convey basic terminology and general design methods to designers. ISO/IEC Guide 51 has been taken into account as far as practicable at the time of drafting of this document.
1 Scope
This document specifies basic terminology, principles and a methodology for achieving safety in the design of machinery. It specifies principles of risk assessment and risk reduction to help designers in achieving this objective. These principles are based on knowledge and experience of the design, use, incidents, accidents and risks associated with machinery. Procedures are described for identifying hazards and estimating and evaluating risks during relevant phases of the machine life cycle, and for the elimination of hazards or the provision of adequate risk reduction. Guidance is given on the documentation and verification of the risk assessment and risk reduction process.
This document covers the principal implications for machinery safety of implementing artificial intelligence/machine learning, and of vulnerability to cybersecurity attacks or corruption, with regard to their impact on safety. It specifies generic measures to address both aspects. Safety of machinery includes hygiene aspects. This document is also intended to be used as a basis for the preparation of type-B or type-C safety standards. It does not cover risk and/or damage to domestic animals, property or the environment.
NOTE 1 While this document refers to risks of harm to persons, the risk assessment process set out in this document can be equally effective in assessing other types of risks such as damage to domestic animals, property or the environment.
NOTE 2 Annex B gives, in separate tables, examples of hazards, hazardous situations and hazardous events, in order to clarify these concepts and assist the designer in the process of hazard identification.
NOTE 3 The practical use of a number of methods for each stage of risk assessment is described in ISO/TR 14121-2.
NOTE 4 As used in this document the designer of a machine can include the manufacturer, integrator, supplier; or the user in case of safety-relevant modifications.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
- ISO 20607, Safety of machinery - Instruction handbook - General drafting principles
- IEC 60204-1:2021, Safety of machinery - Electrical equipment of machines - Part 1: General requirements
- IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
- IEC 62061, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia: available at https://www.electropedia.org/
3.1 machinery / machine
an assembly, fitted with or intended to be fitted with a drive system other than directly applied human or animal effort, consisting of linked parts or components, at least one of which moves, and which are joined together for a specific application
Note 1 to entry: The term “machinery” also covers an assembly of machines which, in order to achieve the same end, are arranged and controlled so that they function as an integral whole.
Note 2 to entry: Annex A provides a general schematic representation of a machine.

3.2 reliability
ability of a machine or its components or equipment to perform a required function under specified conditions and for a given period of time without failing

3.3 maintainability
ability of a machine to be maintained in a state which enables it to fulfil its function under conditions of intended use, or to be restored to such a state

3.4 usability
ability of a machine to be easily used, including properties or characteristics that enable its function(s) to be easily understood

3.5 harm
physical injury or damage to health

3.6 hazard
potential source of harm
Note 1 to entry: The term “hazard” can be qualified in order to define its origin (for example, mechanical hazard, electrical hazard) or the nature of the potential harm (for example, electric shock hazard, cutting hazard, toxic hazard, fire hazard).
Note 2 to entry: The hazard envisaged by this definition either
- is permanently present during the intended use of the machine (for example, motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature), or
- can appear unexpectedly (for example, explosion, crushing hazard as a consequence of an unintended/unexpected start-up, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).

3.7 significant hazard
hazard which has been identified as associated with the machine and which requires specific action by the designer to eliminate or to reduce the risk according to the risk assessment
Note 1 to entry: This term is included as basic terminology for type-B and type-C standards.
Note 2 to entry: The deprecated term ‘relevant’ is included as being a significant hazard.

3.8 hazardous event
event that can cause harm
Note 1 to entry: A hazardous event can occur over a short period of time or over an extended period of time.

3.9 hazardous situation
circumstance in which a person is exposed to at least one hazard
Note 1 to entry: The exposure can result in harm immediately or over a period of time.

3.10 hazard zone / danger zone
any space within and/or around machinery in which a person can be exposed to a hazard

3.11 risk
combination of the probability of occurrence of harm and the severity of that harm

3.12 residual risk
risk remaining after risk reduction measures have been implemented
Note 1 to entry: This document distinguishes
- the residual risk after risk reduction measures have been implemented by the designer,
- the residual risk remaining after all risk reduction measures by the designer and the user have been implemented.
Note 2 to entry: See also Figure 3.

3.13 risk estimation
defining likely severity of harm and probability of its occurrence

3.14 risk analysis
combination of the specification of the limits of the machine, hazard identification and risk estimation

3.15 risk evaluation
procedure based on the risk analysis to determine whether further risk reduction is required
[SOURCE: ISO/IEC Guide 51:2014, definition 3.12, modified – The wording “tolerable risk has been exceeded” has been replaced with “further risk reduction required”.]

3.16 risk assessment
overall process comprising a risk analysis and a risk evaluation
Note 1 to entry: See Figure 1.

3.17 adequate risk reduction
risk reduction that is at least in accordance with legal requirements, taking into consideration the current state of the art
Note 1 to entry: Criteria for determining when adequate risk reduction is achieved are given in 5.6.2.

3.18 risk reduction measure
DEPRECATED: protective measure
action or means to eliminate hazards or reduce risks
Note 1 to entry: See Figure 2.

3.19 tolerable risk / acceptable risk
level of risk that is accepted in a given context based on the current values of society
Note 1 to entry: Tolerable risk usually refers to the level at which further technologically, functionally and financially feasible risk reduction measures or additional expenditure(s) of resources will not result in significant reduction in risk.
Note 2 to entry: A similar phrase used in some ISO standards is “the risk has been adequately reduced”.

3.20 inherently safe design
risk reduction measure which either eliminates hazards or reduces the risks associated with hazards by changing the design or operating characteristics of the machine without the use of guards or protective devices
Note 1 to entry: See 6.2.

3.21 safeguarding
risk reduction measure using safeguards to protect persons from the hazards which cannot reasonably be eliminated or risks which cannot be sufficiently reduced by inherently safe design
Note 1 to entry: See 6.3.

3.22 information for use
risk reduction measure consisting of communication links (for example, text, words, signs, signals, symbols, diagrams) used separately or in combination, to convey information to the user
Note 1 to entry: See 6.4.
3.23 intended use
use of a machine in accordance with the information for use

3.24 reasonably foreseeable misuse
use of a machine in a way not intended by the designer, but which can result from readily predictable human behaviour

3.25 task
specific activity performed by one or more persons on, or in the vicinity of, the machine during its life cycle

3.26 safeguard
guard or protective device

3.27 guard
physical barrier, designed as part of the machine to provide protection
Note 1 to entry: A guard may act either
- alone, in which case it is only effective when “closed” (for a movable guard) or “securely held in place” (for a fixed guard), or
- in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard.
Note 2 to entry: Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard.
Note 3 to entry: The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements.

3.27.1 fixed guard
guard affixed in such a manner (for example, by screws, nuts, welding) that it can only be opened or removed by the use of tools or by destruction of the affixing means

3.27.2 movable guard
guard which can be opened without the use of tools

3.27.3 adjustable guard
fixed or movable guard which is adjustable as a whole or which incorporates adjustable part(s)

3.27.4 interlocking guard
guard associated with an interlocking device such that, together with the control system of the machine, it
- prevents the operation of the hazardous machine functions associated with the guard until the guard is closed, and
- if the guard is opened while hazardous machine functions are operating, gives a command to bring the machine to a safe state (a stop command)
Note 1 to entry: An interlocking guard can contain/be equipped with one or more interlocking devices. These interlocking devices can also be of different types.
Note 2 to entry: The generation of the (stop) command to bring the machine to a safe state when the guard is open does not apply to guards locked with a trapped key interlocking system.
Note 3 to entry: ISO 14119 gives detailed provisions.

3.27.5 interlocking guard with guard locking
guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed:
- the hazardous machine functions associated with the guard cannot operate until the guard is closed and locked,
- the guard remains closed and locked until the risk due to the hazardous machine functions associated with the guard has ceased, and
- when the guard is closed and locked, the hazardous machine functions associated with the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions)
Note 1 to entry: ISO 14119 gives detailed provisions.

3.27.6 interlocking guard with a start function / control guard
special form of interlocking guard which, once it has reached its closed position, gives a command to initiate the hazardous machine function(s) without the use of a separate start control
Note 1 to entry: See 6.3.3.2.5 for detailed provisions on the conditions of use.

3.28 protective device
safeguard other than a guard
Note 1 to entry: Examples of types of protective devices are 3.28.1 to 3.28.8.

3.28.1 interlocking device / interlock
mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed)

3.28.2 enabling device
additional manually operated device used in conjunction with a start control and which, when continuously actuated, allows a machine to function

3.28.3 hold-to-run control device
control device which initiates and maintains machine functions only as long as the manual control (actuator) is actuated

3.28.4 two-hand control device
control device which requires simultaneous actuation by both hands in order to initiate and to maintain hazardous machine functions, thus providing a risk reduction measure only for the person who actuates it
Note 1 to entry: ISO 13851 gives detailed provisions.

3.28.5 sensitive protective equipment / SPE
equipment for detecting persons or parts of persons which generates an appropriate signal to the control system to reduce risk to the persons detected
Note 1 to entry: The signal can be generated when a person or part of a person goes beyond a predetermined limit, for example, enters a hazard zone (tripping) or when a person is detected in a predetermined zone (presence sensing), or in both cases.

3.28.6 active optoelectronic protective device / AOPD
device whose sensing function is performed by optoelectronic emitting and receiving elements detecting the interruption of optical radiation, generated within the device, by an opaque object present in the specified detection zone
Note 1 to entry: The IEC 61496 series gives detailed provisions.

3.28.7 limiting device
device which prevents a machine or hazardous machine condition(s) from exceeding a designed limit (space limit, pressure limit, load moment limit, speed limit etc.)

3.28.8 mechanical restraint device
device which introduces into a mechanism a mechanical obstacle (for example, wedge, spindle, strut, slide locks, safety blocks, scotch (pin)) which, by virtue of its own strength, can prevent any hazardous movement

3.28.9 limited movement control device
control device, a single actuation of which, together with the control system of the machine, permits only a limited amount of travel of a machine element

3.29 impeding device
any physical obstacle (low barrier, rail, etc.) which, without totally preventing access to a hazard zone, reduces the probability of access to this zone by offering an obstruction to free access

3.30 safety function
function of a machine whose failure can result in an immediate increase of the risk(s)

3.31 unexpected start-up / unintended start-up
any start-up which, because of its unexpected nature, generates a risk to persons
Note 1 to entry: For example, this can be caused by
- a start command which is the result of a failure in or an external influence on the control system,
- a start command generated by inopportune action on a start control or other parts of the machine such as a sensor or a power control element,
- restoration of the power supply after an interruption,
- external/internal influences (gravity, wind, self-ignition in internal combustion engines, etc.) on parts of the machine.
Note 2 to entry: Machine start-up during the normal sequence of an automatic cycle is not unintended, but can be considered as being unexpected from the point of view of the operator. Prevention of hazardous situations in this case involves the use of safeguarding measures (see 6.3).
[SOURCE: ISO 14118:2017, definition 3.2, modified – The word “any” has been added at the beginning of the definition. In the second sentence of Note 2 to entry “hazardous events” has been replaced by “hazardous situations”.]
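The interlocking guard with guard locking (3.27.5), the stop command of 3.27.4 and the start-up causes listed in 3.31 together describe a small piece of control logic that is easy to get wrong in software: closing a guard, engaging the lock or restoring power must never by itself start a hazardous function, and the lock must not release while the hazard persists. The following Python model is an added example and is not text or code from ISO/DIS 12100 or ISO 14119; the event names, the single "hazard ceased" signal (standing in for a standstill monitor) and the treatment of a guard forced open while locked as a latched fault are assumptions made for illustration.

```python
"""Added example: fail-safe model of an interlocking guard with guard locking.

Not from ISO/DIS 12100 or ISO 14119. Event names, the single HAZARD_CEASED
signal and the latched fault on a forced opening are assumptions for
illustration; a real implementation follows ISO 14119 / IEC 62061.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Event(Enum):
    GUARD_CLOSED = auto()     # guard position switch reports closed
    GUARD_OPENED = auto()     # guard position switch reports open
    START_PRESSED = auto()    # deliberate operator start command
    OPEN_REQUESTED = auto()   # operator requests the guard be unlocked
    HAZARD_CEASED = auto()    # standstill monitor: hazardous motion has stopped
    POWER_RESTORED = auto()   # supply returns after an interruption (3.31)


@dataclass
class InterlockedGuard:
    closed: bool = False
    locked: bool = False
    running: bool = False          # hazardous machine function active
    hazard_present: bool = False   # hazard persists after stop (e.g. coasting)
    unlock_pending: bool = False   # unlock requested but hazard not yet ceased
    fault: bool = False            # latched: guard opened while it was locked
    log: list[str] = field(default_factory=list)

    def hazardous_function_allowed(self) -> bool:
        """3.27.5, first bullet: only a closed AND locked guard permits operation."""
        return self.closed and self.locked and not self.fault

    def handle(self, ev: Event) -> None:
        if ev is Event.GUARD_CLOSED:
            self.closed = True
            self.locked = True
            # 3.27.5, third bullet: closing/locking does NOT start anything.
        elif ev is Event.START_PRESSED:
            if self.hazardous_function_allowed() and not self.running:
                self.running = True
                self.hazard_present = True
            else:
                self.log.append("start refused: guard not closed and locked")
        elif ev is Event.OPEN_REQUESTED:
            self.running = False            # stop command first
            if self.hazard_present:
                self.unlock_pending = True  # 3.27.5, second bullet: stay locked
            else:
                self.locked = False
        elif ev is Event.HAZARD_CEASED:
            self.hazard_present = False
            if self.unlock_pending:
                self.locked = False
                self.unlock_pending = False
        elif ev is Event.GUARD_OPENED:
            if self.locked:
                # Assumption: a locked guard that opens has been forced or the
                # lock has failed; latch a fault that needs a manual reset.
                self.fault = True
                self.log.append("fault: guard opened while locked")
            self.closed = False
            self.locked = False
            self.running = False            # 3.27.4: stop command on opening
        elif ev is Event.POWER_RESTORED:
            # 3.31: restored power must not restart; a new start command is needed.
            self.running = False
            self.log.append("power restored: waiting for start command")


def run(events: list[Event]) -> InterlockedGuard:
    """Replay a sequence of events on a fresh guard and return its final state."""
    guard = InterlockedGuard()
    for ev in events:
        guard.handle(ev)
    return guard


if __name__ == "__main__":
    g = run([Event.GUARD_CLOSED, Event.START_PRESSED, Event.OPEN_REQUESTED])
    print(f"after open request: running={g.running} locked={g.locked}")
    g.handle(Event.HAZARD_CEASED)
    print(f"after hazard ceased: locked={g.locked}")
```

The state variables map directly onto the three bullets of 3.27.5, and every path that is not an explicit operator start leaves `running` false; that is the property to check in review or test before trusting any guard-locking implementation.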
3.32 fault / fault (of an item)
inability to perform as required, due to an internal state
Note 1 to entry: A fault of an item results from a failure, either of the item itself, or from a deficiency in an earlier stage of the life cycle, such as specification, design, manufacture or maintenance. See latent fault (192-04-08).
Note 2 to entry: Qualifiers, such as specification, design, manufacture, maintenance or misuse, may be used to indicate the cause of a fault.
Note 3 to entry: The type of fault may be associated with the type of associated failure, e.g. wear-out fault and wear-out failure.
Note 4 to entry: The adjective “faulty” designates an item having one or more faults.
[SOURCE: IEC 60050-192:2015, 192-04-01]

3.33 failure / failure (of an item)
loss of ability to perform as required
Note 1 to entry: A failure of an item is an event that results in a fault of that item: see fault (192-04-01).
Note 2 to entry: Qualifiers, such as catastrophic, critical, major, minor, marginal and insignificant, may be used to categorize failures according to the severity of consequences, the choice and definitions of severity criteria depending upon the field of application.
Note 3 to entry: Qualifiers, such as misuse, mishandling and weakness, may be used to categorize failures according to the cause of failure.
[SOURCE: IEC 60050-192:2015, 192-03-01]

3.34 common cause failures
failures of multiple items, which would otherwise be considered independent of one another, resulting from a single cause
Note 1 to entry: Common cause failures can also be common mode failures (192-03-19).
Note 2 to entry: The potential for common cause failures reduces the effectiveness of system redundancy.
[SOURCE: IEC 60050-192:2015, 192-03-18]

3.35 common mode failures / common mode failures (within a system), pl
failures of different items characterized by the same failure mode
Note 1 to entry: Common mode failures may have different causes.
Note 2 to entry: Common mode failures can also be common cause failures (192-03-18).
Note 3 to entry: The potential for common mode failures reduces the effectiveness of system redundancy.
[SOURCE: IEC 60050-192:2015, 192-03-19]

3.36 malfunction
failure of a machine to perform an intended function
Note 1 to entry: See 5.4, item b) 2) for examples.

3.37 emergency situation
hazardous situation needing to be urgently ended or averted
Note 1 to entry: An emergency situation can arise
- during normal operation of the machine (for example, due to human interaction, or as a result of external influences), or
- as a consequence of a malfunction or failure of any part of the machine.

3.38 emergency operation
all actions and functions intended to end or avert an emergency situation

3.39 emergency stop / emergency stop function
function which is intended to
- avert arising or reduce existing hazards to persons, damage to machinery or to work in progress, and
- be initiated by a single human action
Note 1 to entry: ISO 13850 gives detailed provisions.

3.40 emission value
numerical value quantifying an emission generated by a machine (for example, noise, vibration, hazardous substances, radiation)
Note 1 to entry: Emission values are part of the information on the properties of a machine and are used as a basis for risk assessment.
Note 2 to entry: The term “emission value” ought not to be confused with “exposure value”, which quantifies the exposure of persons to emissions when the machine is in use. Exposure values can be estimated using the emission values.
Note 3 to entry: Emission values are preferably measured and their associated uncertainties determined by means of standardized methods (for example, to allow comparison between similar machines).
3.41 cybersecurity
measures to protect a machine control system against unauthorized access or attack that can result in a hazardous situation
Note 1 to entry: The hazardous situation can arise from damage to or changes in the machine control system hardware, software or information, as well as from disruption or misdirection of the intended function.
Note 2 to entry: Cybersecurity covers both information technology security (IT security) and operational technology (OT) security. See also ISO 23806.
...
Source: ISO
Info and download
ISO 12100:2010 under revision: expected 2026 - Fact sheet
Related: ISO 12100:2010 under revision: expected 2026 | EN ISO 12100 correspondence table | EN ISO 12100 Annex B - Hazards, hazardous situations and hazardous events | EN ISO 12100:2010 - Presumption of conformity | EN ISO 12100 Definitions | EN ISO 12100 - Risk assessment p. 5-6