Comparison of Legal Requirements: The Machinery Directive vs. the Machinery Regulation

1.2.1. Safety and reliability of control systems

Changes

The Machinery Regulation introduces several new and more stringent requirements for control systems, with a particular focus on cybersecurity, traceability, and the role of software in safety. Control systems must now be resilient to both unintended and intended interference, including malicious attacks. The limits of the safety functions must be established as part of the risk assessment, and it must not be possible to change them, or the settings and rules behind them, in a way that could lead to a hazardous situation.

In addition, requirements are added for logging and retention of safety-related events and software changes so that conformity can be verified after the fact. For machinery with self-evolving behavior or autonomy, specific requirements are also introduced: its actions must stay within the defined task and operating envelope, its safety-related decisions must be recorded, and it must always be possible to correct it in order to maintain safety.

- New requirement: "it, where appropriate having regard to the circumstances and the risks, withstands the intended operating loads and intended and unintended external influences, including reasonably foreseeable malicious attempts by third parties that lead to hazardous situations,"

- New requirement: "the limits of the safety functions shall be established as part of the risk assessment carried out by the manufacturer, and no changes are permitted to the settings or rules generated by the machine or the related product or by operators, including during the learning phase of the machine or the related product, where such changes may lead to hazardous situations,"

- New requirement: "the trace log of the data generated in connection with an intervention and the versions of safety software uploaded after the machine or the related product has been placed on the market or put into service is enabled for five years after upload, exclusively for the purpose of demonstrating, upon a reasoned request by a competent national authority, that the machine or the related product complies with this Annex,"

- New requirement: "control systems for machinery or related products with wholly or partly self-developing behavior or logic, designed to operate with varying degrees of autonomy, shall be designed and manufactured in such a way that"

- New requirement: "the machine or the related product does not perform actions beyond its defined task and operating envelope,"

- New requirement: "recording of data concerning the safety-related decision-making process for software-based safety systems that ensure safety functions, including safety components, after the machine or the related product has been placed on the market or put into service, is possible and that such data are stored for one year after collection, exclusively for the purpose of demonstrating, upon a reasoned request by a competent national authority, that the machine or the related product complies with this Annex,"

- New requirement: "it is always possible to correct the machine or the related product in order to maintain its inherent safety."

- New requirement: "Changes to the settings or rules generated by the machine or the related product or by operators, including during the learning phase of the machine or the related product, shall be prevented if such changes may lead to hazardous situations."

- Requirement amended: "For wireless control, an automatic stop shall be performed when correct control signals are not received, including communication loss." is replaced by "With regard to wireless control, a fault in the communication or connection, or an incorrect connection, must not lead to a hazardous situation."

Proposed measures

- Ensure that the control system is also analyzed with respect to intentional interference (e.g., manipulation, cyberattacks)
- Verify that the control system is robust against both unintentional and intentional external influence, including communications and networks

- Ensure that the limits for all safety functions are defined and documented in the risk assessment
- Check that these limits cannot be changed by the operator, system, or learning functions in a way that could create risk

- Verify that changes to parameters, settings, and rules affecting safety are protected (e.g., access control, locking, validation)
- Ensure that changes during any learning phase cannot lead to hazardous situations

- Ensure that logging systems (traceability) are in place and activated
- Verify that logs contain:
  - interventions in the system
  - changes to safety software
  - version control
- Check that logs are retained for at least 5 years and can be provided upon request by the authorities

- If the machine exhibits self-evolving behavior or autonomy:
  - Verify that the machine cannot perform actions outside the defined task and operating area
  - Ensure that decisions affecting safety functions are recorded and stored (for at least 1 year)
  - Check that there is a possibility to correct or restore the system in order to maintain safety

- Ensure that the control system prevents unauthorized changes to safety-critical settings (including by operators)
- Verify that this also applies during operation, service, and any adaptive functions

- For wireless control:
  - Check that all types of communication failures (loss, interference, incorrect connection) are handled so that no risk arises
  - Verify that the system transitions to a safe state in the event of communication problems (not merely a stop, but a risk-free condition)
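The checklist above asks for protected safety settings, a trace log of interventions and safety-software versions kept for five years, decision records kept for one year, and a safe state on wireless loss. The following is an added illustration of how those measures fit together in code; it is not code from the original page, from the Regulation, or from any particular manufacturer. The roles (safety_engineer, operator, learning_function), the parameter max_speed_mm_s with its limit, the 200 ms wireless timeout, and the version and hash values are all constructed for the example.

```python
"""Added example, not code from the original page or any named project: a
safety-parameter guard with a tamper-evident trace log, illustrating the
checklist items above (limits fixed by the risk assessment, protected
changes, logged interventions and software versions with the Regulation's
5-year / 1-year retention, safe state on wireless loss). Roles, limits,
timeouts and sample values are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention periods named in 1.2.1 of the Regulation (trace log: five years;
# safety-related decision data of self-evolving logic: one year).
RETENTION_INTERVENTION = timedelta(days=5 * 365)
RETENTION_DECISION = timedelta(days=365)


@dataclass(frozen=True)
class Limit:
    """Bounds of one safety parameter, established by the risk assessment."""
    lo: float
    hi: float


class SafetyGuard:
    def __init__(self, limits, initial, authorised_roles=("safety_engineer",)):
        self.limits = dict(limits)          # fixed at design time; no setter on purpose
        self.params = dict(initial)
        self.authorised = frozenset(authorised_roles)
        self.log = []
        self._prev_hash = "0" * 64          # genesis link of the hash chain

    def _append(self, kind, payload, now):
        """Append one hash-chained entry with its own retention deadline."""
        retention = RETENTION_DECISION if kind == "decision" else RETENTION_INTERVENTION
        entry = {"seq": len(self.log), "ts": now.isoformat(), "kind": kind,
                 "payload": payload, "retain_until": (now + retention).isoformat(),
                 "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.log.append(entry)
        return entry

    def set_param(self, name, value, actor_role, now=None):
        """Accept a settings change only from an authorised role and only inside
        the risk-assessment limits. Every attempt is logged as an intervention.
        A learning function is just another actor here, so it faces the same gate."""
        now = now or datetime.now(timezone.utc)
        limit = self.limits.get(name)
        if limit is None:
            reason = "unknown parameter"
        elif actor_role not in self.authorised:
            reason = "actor not authorised"
        elif not (limit.lo <= value <= limit.hi):
            reason = f"outside risk-assessment limits [{limit.lo}, {limit.hi}]"
        else:
            reason = None
        self._append("intervention", {"param": name, "value": value, "actor": actor_role,
                                      "accepted": reason is None, "reason": reason}, now)
        if reason is None:
            self.params[name] = value
        return reason is None

    def record_software_version(self, version, sha256_hex, actor_role, now=None):
        now = now or datetime.now(timezone.utc)
        self._append("software_version", {"version": version, "sha256": sha256_hex,
                                          "actor": actor_role}, now)

    def record_decision(self, inputs, outcome, now=None):
        now = now or datetime.now(timezone.utc)
        self._append("decision", {"inputs": inputs, "outcome": outcome}, now)


def verify_log(log):
    """Recompute the hash chain; return the index of the first bad entry, or -1."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or body.get("seq") != i:
            return i
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def wireless_state(last_valid_rx, now, link_ok, timeout=timedelta(milliseconds=200)):
    """Loss, timeout or a faulty link all yield 'safe_state'; only a healthy,
    fresh link yields 'run'. The 200 ms timeout is a constructed value."""
    if not link_ok or now - last_valid_rx > timeout:
        return "safe_state"
    return "run"


def demo():
    """Constructed walkthrough; returns the outcomes so they can be checked."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    guard = SafetyGuard(limits={"max_speed_mm_s": Limit(0, 250)},
                        initial={"max_speed_mm_s": 100})
    r = {"engineer_in_range": guard.set_param("max_speed_mm_s", 200, "safety_engineer", t0),
         "engineer_out_of_range": guard.set_param("max_speed_mm_s", 400, "safety_engineer", t0),
         "operator_in_range": guard.set_param("max_speed_mm_s", 150, "operator", t0),
         "learning_fn_in_range": guard.set_param("max_speed_mm_s", 120, "learning_function", t0)}
    guard.record_software_version("2.1.0", "<constructed sha256>", "safety_engineer", t0)
    guard.record_decision({"obstacle_mm": 300}, "slow_down", t0)
    r["final_speed"] = guard.params["max_speed_mm_s"]
    r["intervention_retain_until"] = guard.log[0]["retain_until"][:10]
    r["decision_retain_until"] = guard.log[5]["retain_until"][:10]
    r["log_intact"] = verify_log(guard.log) == -1
    guard.log[1]["payload"]["accepted"] = True     # simulate tampering with a rejected entry
    r["tamper_index"] = verify_log(guard.log)
    r["comm_ok"] = wireless_state(t0, t0 + timedelta(milliseconds=50), True)
    r["comm_timeout"] = wireless_state(t0, t0 + timedelta(milliseconds=500), True)
    r["comm_fault"] = wireless_state(t0, t0 + timedelta(milliseconds=50), False)
    return r
```

In this design the limits dictionary has no setter, so the only place a limit can change is the design-time risk assessment; operators and the learning function pass through the same authorisation and range check, which is what "no modifications to the settings or rules generated by the machinery or by operators" amounts to in practice. The hash chain does not stop a log from being deleted, but it lets a later reviewer detect an edited or reordered entry, which is the property a reasoned request from an authority depends on.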

Machinery Directive legal text

1.2.1. Safety and reliability of control systems

Control systems must be designed and constructed in such a way as to prevent hazardous situations from arising. Above all, they must be designed and constructed in such a way that:

— they can withstand the intended operating stresses and external influences,

— a fault in the hardware or the software of the control system does not lead to hazardous situations,

— errors in the control system logic do not lead to hazardous situations,

— reasonably foreseeable human error during operation does not lead to hazardous situations.

Particular attention must be given to the following points:

— the machinery must not start unexpectedly,

— the parameters of the machinery must not change in an uncontrolled way, where such change may lead to hazardous situations,

— the machinery must not be prevented from stopping if the stop command has already been given,

— no moving part of the machinery or piece held by the machinery must fall or be ejected,

— automatic or manual stopping of the moving parts, whatever they may be, must be unimpeded,

— the protective devices must remain fully effective or give a stop command,

— the safety-related parts of the control system must apply in a coherent way to the whole of an assembly of machinery and/or partly completed machinery.

For cable-less control, an automatic stop must be activated when correct control signals are not received, including loss of communication.


Machinery Regulation legal text

1.2.1. Safety and reliability of control systems

Control systems shall be designed and constructed in such a way as to prevent hazardous situations from arising.

Control systems shall be designed and constructed in such a way that:

(a) they can withstand, where appropriate to the circumstances and the risks, the intended operating stresses and intended and unintended external influences, including reasonably foreseeable malicious attempts from third parties leading to a hazardous situation;

(b) a fault in the hardware or the logic of the control system shall not lead to hazardous situations;

(c) errors in the control system logic shall not lead to hazardous situations;

(d) the limits of the safety functions are to be established as part of the risk assessment performed by the manufacturer and no modifications are allowed to the settings or rules generated by the machinery or related product or by operators, including during the machinery or related product learning phase, where such modifications could lead to hazardous situations;

(e) reasonably foreseeable human errors during operation shall not lead to hazardous situations;

(f) the tracing log of the data generated in relation to an intervention and of the versions of safety software uploaded after the machinery or related product has been placed on the market or put into service is enabled for five years after such upload, exclusively to demonstrate the conformity of the machinery or related product with this Annex further to a reasoned request from a competent national authority.

Control systems of machinery or related products with fully or partially self-evolving behaviour or logic that are designed to operate with varying levels of autonomy shall be designed and constructed in such a way that:

(a) they shall not cause the machinery or related product to perform actions beyond its defined task and movement space;

(b) recording of data on the safety related decision-making process for software based safety systems ensuring safety function including safety components, after the machinery or related product has been placed on the market or put into service, is enabled and that such data is retained for one year after its collection, exclusively to demonstrate the conformity of the machinery or related product with this Annex further to a reasoned request from a competent national authority;

(c) it shall be possible at all times to correct the machinery or related product in order to maintain its inherent safety.

Particular attention shall be given to the following points:

(a) the machinery or related product shall not start unexpectedly;

(b) the parameters of the machinery or related product shall not change in an uncontrolled way, where such change could lead to hazardous situations;

(c) modifications to the settings or rules, generated by the machinery or related product or by operators, including during the machinery or related product learning phase, shall be prevented, where such modifications could lead to hazardous situations;

(d) the machinery or related product shall not be prevented from stopping if the stop command has already been given;

(e) no moving part of the machinery or related product or piece held by the machinery or related product shall fall or be ejected;

(f) automatic or manual stopping of the moving parts, whatever they may be, shall be unimpeded;

(g) the protective devices shall remain fully effective or give a stop command;

(h) the safety-related parts of the control system shall apply in a coherent way to the whole of an assembly of machinery or related products or partly completed machinery, or a combination thereof.

For wireless control, a failure of the communication or connection or a faulty connection shall not lead to a hazardous situation.
