Machine head
For nearly 20 years, the Machinery Directive set out the EU’s rules on health-and-safety-compliance requirements for industrial machinery. Now it’s being updated. Bill Murphy takes a spanner to it
The Machinery Directive (2006/42/EC), which sets out the EU rules on health and safety compliance requirements for industrial machinery, will finally be repealed by the new Machinery Regulation (EU 2023/1230).
Published in the Official Journal in June 2023, the substantive provisions will come into force (after a transition period of 42 months) on 20 January 2027.
The first obvious legal change is that the old directive is being replaced as a new EU regulation and is, therefore, directly applicable across the member states and the EEA.
While an evaluation of the old directive by the EU Commission in 2018 concluded that the legislation was generally relevant, it needed substantial updating to address emerging technological advancements since its enactment.
These include increasing digitalisation, the ‘Internet of Things’, robotics, cybersecurity and, more recently, the use of AI in industrial machinery and control systems.
As the old directive required transposing into domestic law across the EU, a commission impact analysis indicated that a divergent approach by some of the member states led to compliance challenges for machine manufacturers putting their products on the market in multiple European countries.
And so, by elevating the directive to a regulation, the intent is to eliminate cross-jurisdictional ambiguity, lessen transposition complexity, and create immediate uniformity, which is a core aim of the union’s New Legislative Framework in the legal harmonisation of product-safety law.
Never before
The old directive’s catch-all term for ‘machinery’ resulted in wide and ambiguous interpretation of the core definition within the legislation.
Clearer definitions of ‘machinery’ and ‘related products’ in the new regulation now provide more certainty on whether machine-related elements are brought within the scope of conformity requirements.
Similarly, other terms such as ‘safety components’ and ‘partly completed machinery’ have been defined with more precision, enabling manufacturers to identify their obligations under the new regulation in accordance with more clearly defined technical parameters.
Under the directive, there was a considerable amount of doubt and confusion among machine users if a machine already in service, which was then subsequently upgraded or retrofitted, would require a new CE Mark.
The directive indicated that a substantial modification could require a new CE Mark but, without providing much guidance on what changes to a machine would amount to a ‘substantial modification’.
Various national representative bodies, machine manufacturers, system integrators, or third-party machine-safety experts across the member states were left to judge for themselves what modifications would trigger the need for a conformity assessment and new CE Mark.
As machine users seek to upgrade their machinery and production lines with new functional and safety features – both physical and digital – clarity in this aspect was badly needed to assess whether a new conformity assessment was required or not.
Article 3(16) of the new regulation sets out a more clearly delineated scope of what a ‘substantial modification’ entails and so gives a clearer, more consistent guide on the scope and obligations in relation to assessments and safety certification of modified machinery.
Smoke on the water
Article 18 now deems that those who carry out such substantial modifications may now be classified as a ‘manufacturer’ for the purposes of the regulation, and so assume the duties and obligations of a manufacturer for those modifications to the machinery.
This has implications for companies and sole traders that carry out machine upgrades or retrofits, who may now find themselves considered as ‘manufacturers’ for the purpose of the regulation and, therefore, need to be cognisant of their duties and responsibilities.
By way of not placing too much of a burden on these modifiers of machinery, their responsibilities as ‘manufacturers’ are related only to the modifications, or at least to the extent that the modifications affect the safety of the unmodified parts of the machinery or assembly of machines, or if the modifications compromise the overall safety of the machinery or assembly.
In the case of multiple upgrades on complex machinery, there can be a range of modifiers who are now responsible for their own part of the ‘substantial modification’. In such cases, differentiating the various responsibilities can be challenging, and a well-structured, overall risk-assessment approach will be needed.
Exception is made for non-professional users who make substantial modifications to machinery (or related products), who are not regarded as ‘manufacturers’ under the regulation.
Under the new regulation, the original manufacturer has more expanded requirements for its risk assessment to consider foreseeable user interactions with the machine, as well a reasonably foreseeable misuse – which may pose a challenge to foresee all interactions and misuse by the machine user, especially in the context of software use and AI-enabled systems.
Space truckin’
Perhaps the biggest factor in overhauling the directive was the increasing realisation that it did not adequately address the emergence of multiple technologies, such as AI-enabled safety functions, autonomous guided vehicles, robots and cobots, and the new threats to safety and security to machinery and users posed by increased digitalisation and connectivity.
The efficiency and cost-effectiveness of advanced automation controls with connected field devices, heralded by the so-called ‘Industrial Revolution 4.0’ and the ‘Internet of Things’, created new areas of vulnerability in safety in manufacturing environments for cybersecurity threats or safety gaps due to unsecure or malfunctioning software.
As part of the EU Commission’s 2020 work programme (under the strategic priority of ‘A Europe fit for the digital age’), a range of technology-focused legislation has been adopted, including the Data Act, the Data Governance Act, the Cyber-Resilience Act, the AI Act, and others.
A revision of the Machinery Directive would also be needed to respond to new technologies as part of this strategy.
While all laws tend to lag behind the times, such has been the increasing threat of security breaches or vulnerabilities in recent years that machine security is now included as part of machine safety in the new regulation, and requires machine manufacturers to design-in ‘protection against corruption’.
The old directive had included annexes for categorising higher-risk machinery, but the new regulation reorders the annexes and, for example, Annex 1 (Part A Category) now includes within its scope both safety components and machinery with embedded safety systems (not independently placed on the market), with fully or partially self-evolving behaviour using machine learning.
While not expressly mentioning artificial intelligence, this terminology captures AIbased machine-safety systems within the Part A category of high-risk machinery, and requires that they undergo mandatory inspection by a third-party notified body rather than a self-assessment by the machine manufacturer.
Such categorisation clearly shows how the risk to safety and security posed by AI is perceived by the lawmakers when drafting the new regulation.
Pictures of home
Annex III in the new regulation also includes some important additions to essential health-and-safety requirements of machinery (and related components).
At Annex III 3.6.3.3, manufacturers now need to provide instructions for use of autonomous mobile machinery that specify the characteristics of the ‘intended travel, working area and danger zones’.
Annex III 1.1.9 also outlines cybersecurity requirements for both hardware and software to guard against intrusion, corruption, or manipulation of machinery safety-control systems.
And so, industrial security becomes an essential part of the new regulation, and shows a conceptual development of protecting the machine from security threats, rather than just protecting people from unsafe machinery – the sole emphasis of the old directive.
More detailed requirements in Annex III 1.1.9 now necessitate the recording of any ‘interventions’ or modifications of software installed in machinery, and this is supplemented by Annex III 1.2.1(f), in that such a ‘tracing log’ of interventions and updates is available for a period of five years after upload to demonstrate conformity.
This expansion of the regulation in the security space is aligned with other laws (such as the Cyber-Resilience Act and NIS 2) that cover different aspects of the industrial digital complex but are, in principle, part of a broad legislative initiative to protect machines, components, and industrial networks from attack and digital malfunction.
While it is difficult to guard against highly sophisticated cyberattacks, machine manufacturers will now have to consider how to design-in protection against corruption in machine operational technology so that security is built-in from the ground up, rather than as an afterthought or part of a costly retrofit.
There are also new requirements in relation to machine documentation (such as manuals and instructions), which can now be made available by the manufacturer in digital format.
This also modernises the approach in providing soft copies of essential technical and safety literature, which is more amenable to updates and access via digital platforms.
The documentation obligations of the old directive have also been expanded in regard to making available source code or programming logic for safety-control-related software, as part of the technical documentation that accompanies the EU declaration of conformity with the regulation.
Highway star
While Ireland is not, in comparison with Germany, Italy, France and others, a significant centre for industrial-machine manufacturing, the new regulation seeks to expand the role of machine importers and distributors under the term ‘economic operators,’ so as to apply explicit responsibilities to importers and distributors of machinery, for example, in the Irish market.
Importers, while not taking over the obligations of the machine manufacture, now need to ensure that the machinery they are placing on the market is compliant with the health-and-safety requirements of the new regulation, and that all the necessary conformity assessments have been conducted and the CE marking affixed by the manufacturer.
They need, also, to provide their contact details on machinery and related products when placing them on the market.
Distributors need to exercise ‘due care’ to ensure that the handling and storing of any machinery and related products is carried out in such a way as to not affect the safety compliance of the machines.
While, in nearly all cases, the manufacturer will provide technical documentation as required under the new regulation, any importers and/ or distributors in the supply chain now need to check and ensure that the documentation contains comprehensive technical and safety information available in a language easily understandable by the machine users in the local market, and that the compliance documentation is also available to the relevant national surveillance authorities.
In general, distributors are now under a duty, if they “consider or have reason to believe” that machinery is not in conformity, to take corrective actions to bring the machinery into conformity, or recall the non-conforming products and keep the relevant national safety authority informed.
Maybe I’m a Leo
While there are substantial changes introduced by the new regulation, many of the provisions from the old directive remained unchanged, indicating some satisfaction with the overall approach over the last 20 years.
The most noteworthy changes in the content of the legislation from the old directive to the new regulation relate to new technology.
Over the past few years, a raft of legislation for the digital economy, safety, and security has emanated from Brussels, with directives and regulations (such as the Data Act, the Digital Services Act, the AI Act, NIS 2, and the Cyber-Resilience Act) dealing with social-media platforms, cloud services, and cybersecurity for both domestic and industrial devices and everything in between.
This has resulted in a complex regulatory landscape for nearly all companies that have operations or customers in the single market.
While the consolidation of such laws through the Digital Omnibus may help in streamlining the regulatory environment, it will remain to be seen whether the new Machinery Regulation itself will continue to be fit for purpose or consistently responsive to the challenges for safety and security of such rapidly developing technology.
However, the regulation itself takes cognisance of this and includes a periodic EU Commission review of the scope of essential health-and-safety requirements, and the conformity assessment procedures for high-risk machinery.
This regular review will aid in ensuring that the Machinery Regulation, like the old directive, remains one of the leading regulatory instruments, not only in Europe but for global machinery safety where large international manufacturing companies who, as part of their corporate safety policy, require their machinery to be CE marked or assessed in accordance with the procedures of the regulation, even in jurisdictions outside Europe.
Bill Murphy is in-house lawyer with Pilz Ireland Industrial Automation.