Product liability claims caused by an incomplete risk assessment can be avoided!

Risk Assessment as the principal element of the CE Conformity Assessment of Wind Turbines

Holger Berndt, Germanischer Lloyd Industrial Services GmbH, Competence Centre Renewables Certification

CE marking is becoming increasingly important, due to the progressing market development of wind energy in Europe and series production of wind turbines and their components. Market supervisory authorities no longer turn a blind eye when it comes to the safety aspects of wind turbines. Safety as an integral element of turbine design must therefore always be in the forefront.

In addition to the moral obligation for health protection, the issue of CE marking and compliance with the safety requirements for wind turbines is also a question of economic rationality for manufacturers and operators. Shutdowns, as well as a loss of reputation for the manufacturer, are typical consequences of an accident caused by an illegally CE marked wind turbine. For example, the German Equipment and Product Safety Act [12] incorporates the Product Safety Directive [11] into federal law, and stipulates a fine of up to €30,000 for an illegally applied CE mark. Other European countries inflict similar penalties.

A Passport for Europe

In order to guarantee free movement of goods in the single European market, more than 20 product guidelines have been issued since 1987 on the basis of Article 95 of the EC Treaty, based in turn on the New Approach principle. It is characterised by the fact that the product requirements formulated in the guidelines are limited to essential requirements that are kept general and are primarily concerned with health protection. Products may only be put into circulation if they satisfy the essential requirements. The essential requirements are specified by means of harmonised standards, as well as by a risk assessment.
Since the risk assessment describes all the risks associated with the machine as well as the measures implemented to protect against them, it must be conducted in sufficient detail and can be regarded as the principal element in the CE conformity assessment, because of its importance to machine safety.

Before a machine may be placed on the single European market or may be put into service, it must be subjected to a CE conformity assessment in accordance with the applicable EC guideline(s), after which the EC declaration of conformity is issued and the CE mark is applied. Together with the EC declaration of conformity, the CE mark is to be considered as a passport for the machine for the single European market, and is to be regarded as a declaration to the authorities and the general public that it meets the essential requirements.

Germanischer Lloyd Industrial Services GmbH, Renewables Certification Page 1
Risk Assessment and Machinery Directive

A wind turbine is a functional machine for which a conformity assessment must be conducted under the terms of Machinery Directive 98/37/EC [9] or Machinery Directive 2006/42/EC [10]. In this regard, the manufacturer is required to perform a risk assessment in order to identify all hazards associated with the wind turbine, to estimate and assess its risks, as well as to design and construct the wind turbine taking them into consideration.

Support for this can be found in harmonised basic standards (type-A standards) like EN ISO 14121-1 [8]. It describes the iterative process for risk assessment as shown in figure 1. EN ISO 12100-1 [5] provides further information. It provides support in the identification of hazards, describes risks that are to be taken into consideration by the designer, contains design guidelines and a strategy for risk minimisation as well as criteria for the existence of acceptable residual risk. The individual steps in the procedure are explained below.

Fig. 1: Risk assessment as per EN ISO 14121-1

Step 1: Boundary definition

As shown in figure 1, the limits of the machine must be defined in the first step. In accordance with EN ISO 12100-1, these are the following:

- Space limits: for example clearance, space required for installation and maintenance, man-machine interface, machine-power supply interface;
- Use limits: intended use of the system, including the modes of operation, application phases and different intervention phases by the users, as well as reasonably foreseeable misuse;
- Time limits: probable lifetime of the machine and its components, taking proper use into consideration.
Step 2: Hazard identification

When identifying the hazards, the following aspects are to be taken into consideration in particular:

- hazards during all life phases and modes of operation of the machine,
- interaction between machine and system personnel, other machines and their energy supply,
- possible malfunctions of the machine,
- proper use of the machine and its components,
- the physical characteristics of the system personnel and their level of training.

A list of hazardous events of machines can be found in EN ISO 14121-1, taking the essential requirements formulated in the Machinery Directive into consideration. It is recommended to assess the safety of the wind turbine based on the listing of hazardous events given in the standard and to document the identified hazards. Furthermore, it should be verified whether wind turbine-specific hazards exist that are not covered by the standard.

Step 3: Risk estimation

Risk estimation takes place after all hazards have been determined. In this regard, EN ISO 14121-1 mentions four risk elements that must be determined for each identified hazard (figure 2). Accordingly, the estimate of risk is dependent on the severity of harm that can result from the considered hazard and the probability of occurrence of that harm. The probability of the occurrence of a possible harm, in turn, is dependent on the exposure of person(s) to the hazard, the occurrence of the hazardous event and the possibility of avoiding or limiting the harm.

Fig. 2: Risk elements as per EN ISO 14121-1

Two frequently used methods for investigating hazards and estimating risks are the failure mode and effects analysis (FMEA) according to EN 60812 [2] as well as the Risk Graph according to EN 954-1 [1] and EN ISO 13849-1 [7].
Step 4: Risk evaluation

After risk estimation, a risk evaluation must be conducted in order to decide whether risk reduction is necessary or whether adequate safety or an acceptable residual risk has been attained. While the actual risk can be defined to a large extent by experts, the acceptable residual risk is a convention of socio-political responsibility; i.e. it is not determined, but rather greatly influenced by subjective and social viewpoints. Criteria that speak in favour of an acceptable risk are given in EN ISO 12100-1, among others.

Since the risk evaluation is determined by subjective viewpoints, experts are needed to define an acceptable residual risk based on prior experience. As many expert opinions and accident statistics as possible should be included in the process. It is important for risk assessment that the decision on adequate risk minimisation is made with a thorough knowledge of the state of the art.

Step 5: Risk reduction

If the result of the risk evaluation is that the residual risk is estimated to be higher than the acceptable residual risk, then risk reduction measures must be taken. For this purpose, the Machinery Directive mentions three principles for the integration of safety, which must be followed in the given order:

1. elimination or reduction of hazards as far as possible through design and construction,
2. taking technical protective measures against hazards that cannot be eliminated,
3. informing users of the residual hazards and their avoidance.

A lower-ranking measure is applied only when the higher-ranking measure does not adequately reduce the risk. Accordingly, design measures always have priority. In cases in which this does not produce the desired results, consideration can be given to risk reduction by means of technical protective gear. EN ISO 12100-2 [6] provides support with regard to the selection of technical protective gear.
EN 954-1 or the successor standard EN ISO 13849-1 provide support for the execution and assessment of machine control systems. EN 954-1 remains valid, together with EN ISO 13849-1, during the transition period up to November 30, 2009 and will then be replaced.

If the hazards also cannot be completely prevented through technical protective measures, then the manufacturer is required to point out the residual risks in the operating manual, and to identify the respective hazards in the form of signs on the wind turbine.

Certification

With its Guideline for the Certification of Wind Turbines, Germanischer Lloyd takes the great importance of wind turbine safety into account. During certification in accordance with the GL guideline, compliance with a multitude of standards is assessed, some of which are published as harmonised standards in the Official Journal of the European Union and concern a variety of safety aspects. Central standards in this regard are the standards for the design and
safety of wind turbines, i.e. EN 61400-1 and EN 61400-2 [3, 4]. Furthermore, Germanischer Lloyd requires a systematic consideration of possible faults, including information on measures for limiting negative consequences. This ensures that hazards associated with the wind turbine are identified and reduced to a minimum in accordance with the state of the art. The content of this systematic fault consideration mainly corresponds to the content of the risk assessment described above, and is therefore transferable.

Technical protective measures or elements of machine control systems that incorporate protective measures are identified as safety-related parts of controls. Their operation and assessment are described in the harmonised standard EN 954-1. The objective is to implement the control elements in such a manner that the safety of the control function, as well as the behaviour of the controls in the event of a fault, corresponds to the degree of risk reduction determined in the risk assessment. For that purpose, EN 954-1 defines five safety categories, based on which the controls are to be implemented. As part of the certification, Germanischer Lloyd checks the respective safety categories established by the manufacturer and their implementation in the electrical installations. Thus, there are synergies between certification and CE marking.

In the hands of the manufacturer

The manufacturer of a wind turbine is responsible for ensuring that the wind turbine is designed and manufactured in accordance with the essential requirements of the applicable EC guidelines. The manufacturer himself is responsible for performing the conformity assessment and guaranteeing the conformity of the wind turbine. This assigns an active role in adherence to product safety to the manufacturer.
On the basis of the principle of liability regardless of negligence or fault, a claimant does not have to prove that the manufacturer was negligent, but only the connection between the turbine fault and the harm. This means that the manufacturer cannot be relieved of liability by claiming to have done everything in its power to place a safe turbine on the market. Conduct that complies with standards does indeed help to avoid legally liable safety deficits, but is not justification for release from liability.

Therefore, the best way to avoid liability claims is to improve product safety itself. A manufacturer who has a good safety strategy, and practically applies it, can prevent liability claims to a great extent. A principal element in this context is consistent implementation of the risk assessment as a design-accompanying process by experts from a variety of disciplines. Risk assessment is teamwork, and requires the examination of a variety of aspects. Independent experts in particular, with profound knowledge of safety standards and long-time professional experience, examine safety aspects from a perspective that provides turbine manufacturers with additional insight. The far-reaching consequences of nonconformity and illegal CE marking can thus be avoided.

Ultimately, it is in the hands of the manufacturers to live up to their responsibility and to initiate the correct measures.
Literature:

[1] EN 954-1 (1996): Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design.
[2] EN 60812 (2006): Analysis techniques for system reliability - procedures for failure mode and effects analysis (FMEA).
[3] EN 61400-1 (2005): Wind turbines - Part 1: Design requirements.
[4] EN 61400-2 (2006): Wind turbines - Part 2: Design requirements for small wind turbines.
[5] EN ISO 12100-1 (2003): Safety of machinery - Basic concepts, general principles for design - Part 1: Basic terminology, methodology.
[6] EN ISO 12100-2 (2003): Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles.
[7] EN ISO 13849-1 (2008): Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design.
[8] EN ISO 14121-1 (2007): Safety of machinery - Risk assessment - Part 1: Principles.
[9] European Parliament/European Council (1998): Directive 98/37/EC of the European Parliament and of the Council of 22 June 1998 on the approximation of the laws of the Member States relating to machinery. Official Journal of the European Union No. L 207/1 of July 23, 1998.
[10] European Parliament/European Council (2006): Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast). Official Journal of the European Union No. L 157/24 of June 9, 2006.
[11] European Parliament/European Council (2001): Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on General Product Safety. Official Journal of the European Union No. L 011/1 of January 15, 2002.
[12] Equipment and Product Safety Act (GPSG) from January 6, 2004 (BGBl. I S. 2 (219)).
[13] Germanischer Lloyd (2003/2004): Guideline for the Certification of Wind Turbines, Edition 2003 with Supplement 2004.