HMS Networks
Forced to act
With almost double the scope, the new Machinery Regulation will become law with the same wording in all EU countries after a transitional period, meaning that compliance with it is mandatory. What challenges does this pose for machine manufacturers?
The 'EU Machinery Directive' (Directive 2006/42/EC) from 2006 is part of the national product safety legislation in the various EU countries and compliance with it is therefore legally binding for all machines sold or placed on the market within the European Union. The requirements set out therein form the basis for CE marking and certify to the user that the machine is mechanically and electrically safe at the time it is placed on the market. The basis for this is the declaration of conformity to be drawn up by the manufacturer, which is based, among other things, on a comprehensive risk analysis. Various harmonized standards, i.e. those explicitly referenced in the Machinery Directive, such as ISO 12100 on the safety of machinery or ISO 13849-1, which focuses on safety-related components of control systems, serve to support the machine manufacturer in preparing this declaration.
On December 15, 2022, a long-awaited agreement was reached on a new version of the EU Machinery Directive - which will be called the Machinery Regulation in future. It is expected to be published in July 2023. After a transition period of 42 months, this document will then become mandatory reading for anyone who wants to build, sell or commission a machine within the EU. It should be noted that, unlike the previous Machinery Directive, the new Machinery Regulation will become law in all EU member states after the end of the transition period with the same wording, meaning that compliance will be mandatory.
What challenges does this pose for manufacturers, integrators and end users of mobile machinery?
Becoming a manufacturer unexpectedly
One of the requirements of the supervisor function is to safely stop and restart a machine or to move it to a safe position in which no further danger emanates from the machine. The graphic shows how the necessary functionality of an external emergency stop switch for mobile robots can be implemented.
© HMS Networks
One issue that was not quite clearly defined in the previous Machinery Directive is that of "substantial modification": when does such a modification occur and what effect does it have on the CE conformity of an overall system?
The new Machinery Directive defines this more clearly and describes a 'substantial modification' as any change - whether electrical or mechanical - that can lead to the creation of a new hazardous situation or to an increase in an existing hazard. Each of these changes can have an impact on the CE conformity of the overall system. This in turn can lead to the person introducing the modification becoming the legal machine manufacturer and having to fulfill the corresponding requirements for the modified machine from the Machinery Regulation.
An example from the field of mobile robot systems: The trend towards interoperability of mobile robot systems with and among each other is obvious, as exemplified by the creation of uniform communication standards (VDA 5050 in Europe or MassRobotics in the USA). At first glance, it seems very convenient for the end user to operate several different robots and robot types in one and the same system. The user buys new robots, integrates them into their system themselves thanks to standardized communication interfaces and is therefore no longer dependent on individual manufacturers and integrators. However, it can quickly happen that the addition of a new machine type creates new hazardous situations, for example automated forklift trucks, where previously only underfloor vehicles were used. While the individual machine is sold by the manufacturer as inherently safe and CE-compliant, this does not necessarily apply to the overall system into which the machine is integrated.
The least that needs to be done before integrating the new machine type is a new risk analysis. If this analysis reveals new or extended hazards for the overall system, the end user himself becomes the manufacturer of the overall system and must comply with the requirements of the Machinery Directive. In this case, it makes sense to commission an appropriate independent expert, for example TÜV or VDI, to obtain an initial assessment before making any planned changes to an existing system.
The supervisor function
| Secure communication |
|---|
| With over 15 years of experience in the development of secure hardware and software, the Ixxat product brand from HMS Networks offers a comprehensive portfolio of solutions for various applications. With the Safe-IO module 'T100', for example, the company enables its customers to easily implement safety-relevant functions in their end application. The Safe-IO module is available as Profisafe, CIP Safety and, since 2023, also as FSoE version (Functional Safety over EtherCAT), each pre-certified by TÜV Rheinland up to SIL3 or Performance Level e Cat. 4. In addition to safety products under the Ixxat brand, HMS Networks also offers wireless products and gateways for industrial applications under the 'Anybus' brand. By combining these product areas, it is possible to offer customized, wireless safety solutions from a single source. |
A specific requirement that will be relevant for manufacturers of autonomous mobile machinery in the future can be found in Annex III of the Machinery Directive under 3.2.4 with the "supervisor function" described there. A mobile machine must enable a supervisor to receive information about the machine from outside. This information should enable the person to obtain a complete and accurate overview of the operation, movement and safe positioning of the machine in its travel and working area. At the same time, it should allow the supervisor to safely stop and restart the machine or move it to a safe position in which no further danger is posed by the machine.
The central problem in implementing this function is the transmission of safety-related signals via a wireless network, as mobile machines generally have no direct wired communication in order not to restrict their mobility. The use of safe fieldbus protocols, such as Profisafe or CIP Safety, is ideal for transmitting safety-related data in compliance with the requirements of the Machinery Directive and the standards based on it, for example ISO 3691-4. Although these protocols were not originally designed for wireless use, they can also be used without cables thanks to the black channel principle on which they are based. However, the individual protocols differ considerably in terms of performance in a wireless network due to their different architectures. What the protocols have in common is that a stable wireless network is essential for a functioning overall system. When designing the network and the data to be transmitted, care must be taken to avoid interference factors and keep the amount of data to be transmitted as low as possible. With fleets of sometimes several hundred mobile machines, problems can otherwise quickly arise if the individual safety messages no longer reach the relevant recipient reliably.
With the Ixxat Safe T100/FSoE from HMS Networks, users can implement safe I/Os for FSoE (Functional Safety over EtherCAT).
© HMS Networks
In response to unreliable communication, the system must automatically switch to a safe state. In most cases, this means that the system or at least parts of it are safely shut down. Unstable wireless connections can therefore lead to enormous downtimes in this context.
An additional challenge for manufacturers of mobile machines and systems is also the separation or combination of two different safety circuits: a 'slow' one coming from outside - such as for the aforementioned supervisor function - where longer cycle times of sometimes several hundred milliseconds can be tolerated, and the 'fast' one on the vehicle itself, for example for person detection, where a real-time reaction is required in an acute hazardous situation.
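The black channel principle and the fail-safe reaction described above, sketched as an added example (not HMS code and not the Profisafe, CIP Safety or FSoE frame format): the safety layer on the vehicle trusts nothing the wireless link delivers, checks integrity, source, order and timeliness itself, and latches a stop on any failure. The 9-byte PDU layout, the connection id and the 300 ms watchdog for the 'slow' external circuit are assumptions chosen for illustration.

```python
import struct
import zlib

RUN, STOP = 1, 0
HEADER = ">HHB"  # connection id, sequence number, command (constructed layout)

def build_pdu(conn_id: int, seq: int, command: int) -> bytes:
    """Sender-side safety layer: fields plus a CRC-32 over them."""
    body = struct.pack(HEADER, conn_id, seq & 0xFFFF, command)
    return body + struct.pack(">I", zlib.crc32(body))

class SafetyReceiver:
    """Vehicle-side safety layer; the wireless link below is the black channel."""
    def __init__(self, conn_id: int, watchdog_s: float, now: float):
        self.conn_id, self.watchdog_s = conn_id, watchdog_s
        self.last_valid, self.expected_seq = now, 0
        self.output = STOP   # stay stopped until a valid RUN arrives
        self.fault = None    # latched reason for entering the safe state

    def poll(self, now: float) -> int:
        """Call every cycle: silence longer than the watchdog time means stop."""
        if self.fault is None and now - self.last_valid > self.watchdog_s:
            self.fault = "watchdog timeout"
        return STOP if self.fault else self.output

    def _check(self, pdu: bytes):
        if len(pdu) != 9 or zlib.crc32(pdu[:5]) != struct.unpack(">I", pdu[5:])[0]:
            return "corrupted PDU"        # bit errors on the radio link
        conn_id, seq, _ = struct.unpack(HEADER, pdu[:5])
        if conn_id != self.conn_id:
            return "wrong connection"     # misrouted or foreign sender
        return None if seq == self.expected_seq else "sequence error"

    def receive(self, pdu: bytes, now: float) -> int:
        self.poll(now)
        self.fault = self.fault or self._check(pdu)
        if self.fault:       # latched: a later valid PDU does not restart motion
            return STOP
        _, seq, command = struct.unpack(HEADER, pdu[:5])
        self.expected_seq, self.last_valid = (seq + 1) & 0xFFFF, now
        self.output = RUN if command == RUN else STOP
        return self.output

def demo():  # constructed run: two good PDUs, then a 0.4 s radio dropout
    rx = SafetyReceiver(conn_id=0x0A01, watchdog_s=0.3, now=0.0)
    out = [rx.receive(build_pdu(0x0A01, 0, RUN), 0.1),
           rx.receive(build_pdu(0x0A01, 1, RUN), 0.2),
           rx.poll(0.6), rx.receive(build_pdu(0x0A01, 2, RUN), 0.7)]
    return out, rx.fault
```

A CRC only catches random corruption on the link; it does not stop deliberate manipulation, which needs a cryptographic message authentication code on top of or beneath the safety layer.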
Protection against manipulation
An important reason for the need to revise the current Machinery Directive was and is the topic of 'security' (often translated into German as 'IT security'). While the areas of safety (functional safety) and security used to be two separate areas, these two topics are converging more and more with the increasing networking of machines and their connection to global networks. In the broadest sense, safety describes the protection of people from machines, while security describes the protection of machines from people.
Back in 2010, Stuxnet showed the world the dangers of malicious manipulation of industrial systems. And almost every day there are new reports about companies and systems that have fallen victim to cyberattacks. It was therefore urgently necessary to take this aspect into account in the new Machinery Regulation. In future, it will no longer be sufficient to install a firewall between the machine and the global network.
Annex III of the forthcoming Machinery Directive deals with this in more detail in the sub-item "Protection Against Corruption". The manufacturer of a machine must ensure that the connection of a third-party device, for example a laptop, cannot lead to a hazardous situation. In addition, the machine should in future be able to detect lawful and unlawful changes to safety-relevant components - including software components - and collect data about them.
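One way to meet the detect-and-record requirement described above, as an added example (not taken from the regulation text or from HMS): each safety-relevant component is compared with a known digest, a change counts as authorized only with a valid approval tag, and every change is written to a hash-chained log. The component name, the HMAC-based approval and the key are assumptions for illustration; a fielded design would verify a vendor signature instead and anchor the log head off the machine.

```python
import hashlib
import hmac
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def approval_tag(key: bytes, name: str, new_digest: str) -> str:
    """Tag the (hypothetical) release process issues for an approved update."""
    return hmac.new(key, f"{name}:{new_digest}".encode(), hashlib.sha256).hexdigest()

class ChangeMonitor:
    def __init__(self, baseline: dict, key: bytes):
        self.known = {name: sha256(blob) for name, blob in baseline.items()}
        self.key, self.log, self.head = key, [], "0" * 64

    def _record(self, entry: dict) -> None:
        # Each record commits to the previous one, so edits break later hashes.
        entry["prev"] = self.head
        self.head = entry["hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)

    def check(self, name: str, blob: bytes, tag: str = "") -> str:
        new, old = sha256(blob), self.known.get(name)
        if new == old:
            return "unchanged"
        lawful = hmac.compare_digest(tag, approval_tag(self.key, name, new))
        verdict = "authorized" if lawful else "unauthorized"
        self._record({"component": name, "old": old, "new": new, "verdict": verdict})
        if lawful:
            self.known[name] = new   # an approved update becomes the baseline
        return verdict

def log_is_intact(log: list) -> bool:
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = sha256(json.dumps(body, sort_keys=True).encode())
        if body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def demo():  # constructed component name, contents and key
    key, name = b"constructed-demo-key", "safety_ctrl.bin"
    mon = ChangeMonitor({name: b"v1"}, key)
    ok = approval_tag(key, name, sha256(b"v2"))
    return [mon.check(name, b"v1"), mon.check(name, b"v2", ok),
            mon.check(name, b"v2 edited from a laptop")], mon.log
```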
The topics mentioned above are examples of the challenges that machine manufacturers will face in order to meet the legal requirements within the EU. The primary objective remains the protection of people, the environment and property from the dangers posed by machinery. Significant changes to the current Machinery Directive are particularly evident in the area of security, where the legal requirements have been significantly increased: In future, machines must be able to detect, log and prevent attacks in the best possible way. Manufacturers should therefore start thinking about this at an early stage and work with experienced partners to find solutions for the upcoming requirements.
The explicit inclusion of mobile machines in the new regulation now sets clear guidelines for them and takes them out of the current 'gray area', which can offer scope for interpretation and misunderstandings. In the future, standards will continue to significantly support the work of manufacturers in complying with the Machinery Directive. The use of pre-certified components simplifies the system structure.















