Functional Safety Course Material (PDF)


Rockwell Automation

Functional Safety
Engineer
Introduction Program
SAF-TUV1 (rev. 10-14K)
Leonardo Sanchez
TUV Rheinland
Functional Safety Engineer

Copyright © 2010 Rockwell Automation, Inc. All rights reserved.


1
Scope of the Training: Functional Safety of
Machinery

• Everything that belongs to Functional Safety of Machinery:

• The safety of machinery is realized by using E/E/PE-controls,
safety equipment and protective devices.
– Calculation of the required measures to reduce risks
– Possibilities, methods and strategies for risk-reduction
– Selection of safety equipment, advantages and disadvantages
– Detailed examples for the protection of hazardous areas and hazardous movements
(position monitoring, light grids, scanner)
– Resulting requirements from A- and B-standards for selection, installation and
configuration of safety equipment (e. g. safety distance )
– Standards for Functional Safety of Machinery
– Requirements for the technical design and the selection of safety equipment,
organization, quality system, documentation, as well as for the verification.

2
Scope of the Training: Functional Safety on
Machinery

• This program does not cover:

– All aspects and details of the European Machinery Directive, OSHA or other
regional/national standards requirements
– Complete electrical equipment of machines (IEC 60204-1, NFPA 79, etc.)
– Resulting requirements from EMC-, Low voltage-, ATEX-Directive and others
– Requirements of C-Standards for a specific machine or industries

3
Legal Requirements
and regulations
North America

4
North America and European Examples

• All functional safety standards are used to
demonstrate compliance to global, regional
and sometimes national legal requirements
• Two examples we will discuss are:
– North America – OSHA
– European – Directives, specifically Machinery
Directive
• Three types of Standards
– “A” Standards
• basic concepts
• principles for design
• general aspects
– “B” Standards
• B1 - safety distances, surface temps,
noise
• B2 - components or devices
– “C” Standards
• vertical standards covering a single
type of machine or group of machines.
• Use A and B standards to create C
standards.

5
Rockwell Safety Product Catalog

6
North America, OSHA CFR 29

• Code of Federal Regulations Part 29

7
North America – OSHA CFR 29, 1910

• Part 1910….
– establishes standards that shall be used by industries and businesses to accomplish the
OSHA objective.
• OSHA Purpose Section 2
– (b) The Congress declares it to be its purpose and policy ... to assure so far as possible every
working man and woman in the Nation safe and healthful working conditions and to preserve
our human resources -
• (3) by authorizing the Secretary of Labor to set mandatory occupational safety and health standards applicable
to businesses affecting interstate commerce, and by creating an Occupational Safety and Health Review
Commission for carrying out adjudicatory functions under the Act;
• OSHA Applicability Section 4
– (a) This Act shall apply with respect to employment performed in a workplace in a…
• State,
• the District of Columbia,
• the Commonwealth of Puerto Rico,
• the Virgin Islands,
• American Samoa, Guam, the Trust Territory of the Pacific Islands, Wake Island, Outer
Continental Shelf Lands defined in the Outer Continental Shelf Lands Act, Johnston Island,
and the Canal Zone.

8
North America – OSHA CFR 29, 1910

• Article 5
– (a) Each employer -
• (1) shall furnish to each of his employees employment and a place of employment
which are free from recognized hazards that are causing or are likely to cause death or
serious physical harm to his employees;
• (2) shall comply with occupational safety and health standards promulgated under this
Act.
– (b) Each employee shall comply with occupational safety and health standards and all rules,
regulations, and orders issued pursuant to this Act which are applicable to his own actions
and conduct.

• Section 6
– (a) “...the Secretary shall...by rule promulgate as an occupational safety or health standard
• any national consensus standard, and
• any established Federal standard,
• unless he determines that the promulgation of such a standard would not result in
improved safety or health for specifically designated employees…”

9
North America – OSHA CFR 29, 1910

• Incorporation By Reference
– The legal effect of incorporation by reference is that the material is treated as if it
were published in full in the Federal Register (5 U.S.C. 552(a)).
– When a national consensus standard is incorporated by reference in one of the
subparts, that standard is considered the law.

• Internet site location: http://www.osha.gov

10
Part 1910 has 21 Subparts

• Most critical subparts
– A - General
– B - Adoption and Extension of Established Federal Standards
– C - General Safety and Health Provisions
– H - Hazardous Materials
– I - Personal Protective Equipment
– J - General Environmental Controls
• includes Lockout/Tagout
– O - Machinery and Machine Guarding
– R - Special Industries
– S - Electrical

11
1910.147, Subpart J
Control of hazardous energy

• Lockout/Tagout
– 1910.147(a)(1)(i) - this covers the servicing and maintenance of
machines and equipment in which the unexpected energization or
startup could cause injury to employees.
– 1910.147(a)(2)(i) - this standard applies to the control of energy during
servicing and/or maintenance of machines and equipment.
– 1910.147(a)(3)(i) - employers must establish a program and utilize
procedures for affixing appropriate lockout devices or tagout devices
to energy isolating devices, and to otherwise disable machines or
equipment to prevent unexpected energization, start up or release of
stored energy in order to prevent injury to employees.

12
Lockout Tagout Exception – Minor Servicing

• 1910.147(a)(2)(ii)(B)
– Note: Minor tool changes and adjustments, and other minor servicing
activities, which take place during normal production operations, are
not covered by this standard if they are routine, repetitive, and integral
to the use of the equipment for production, provided that the work is
performed using alternative measures which provide effective
protection.
• Alternative measures are safeguarding devices like light curtains, safety
mats, gate interlocks and other similar devices connected to a safety
system.
• See ANSI Z244.1 for the equivalent voluntary standard.

13
1910.147(b) - Definitions

• Energy Isolating Device
– is a mechanical device that
– physically prevents the transmission or release of energy
– is a manually operated device
– disconnects all ungrounded supply conductors
– allows no pole to be operated independently
– is capable of being locked out if it has a hasp or it has a locking
mechanism built into it.

14
1910.147(b) - Definitions

• Lockout Device
– utilizes a positive means such as a lock (key or combination type)
– to hold energy isolating device in a safe position
– and prevents energizing of machine or equipment

15
1910.147(c) General

• (c)(1) Where unexpected startup or release of stored energy could occur
and cause injury, the machine or equipment shall be isolated from the
energy source and rendered inoperative.
• (c)(2)(ii) If the energy isolating device is capable of being locked out, it shall be.
– Under exceptions, Tagout can be used.

16
1910.147(c)(5) hardware

• Lockout devices shall
– be singularly identified and shall not be used for other purposes.
– be durable enough to withstand the environment
– be standardized in color, shape or size
– be substantial enough to prevent removal

Solution: Trapped Key Interlocks

17
Subpart O
Machinery and Machine Guarding

– 1910.211 Definitions
– 1910.212 General Requirements for All Machines
– 1910.213 Woodworking machinery
– 1910.214 Cooperage machinery
– 1910.215 Abrasive wheel machinery
– 1910.216 Mills and calenders
– 1910.217 Mechanical power presses
– 1910.218 Forging Machines
– 1910.219 Mechanical power-transmission apparatus

18
Subpart O
Machinery and Machine Guarding

• Two types of Standards are applicable
– Horizontal - applies across all industries & machines (type A)
• These standards are relevant to machines that may be used in multiple
industries; e.g., conveyors, milling machines, etc.
– Vertical - applies to specific machines (type C)
• These standards are typically machine specific or even industry specific; e.g.,
Packaging/conveying, printing, etc.

19
Subpart O
Machinery and Machine Guarding

– 1910.211 Definitions
– 1910.212 General Requirements for All Machines *
– 1910.213 Woodworking machinery
– 1910.214 Cooperage machinery
– 1910.215 Abrasive wheel machinery
– 1910.216 Mills and calenders
– 1910.217 Mechanical power presses
– 1910.218 Forging Machines
– 1910.219 Mechanical power-transmission apparatus *

* Starred (green in the original slide) are horizontal standards.

20
OSHA Citings

– If a vertical standard cannot be applied, OSHA will cite a violation against…

• Article 5(a)(1)
– Each employer shall furnish to each of his employees employment and a
place of employment which are free from recognized hazards that are
causing or are likely to cause death or serious physical harm to his
employees.

• Subpart 212
– General requirements for all machines.

21
1910 Subpart O
Machinery and Machine Guarding

• 1910.212 General Requirements
– One or more methods of machine guarding shall be provided to protect the operator
and other employees in the machine area from hazards such as those created by…
• point of operation
• ingoing nip points
• rotating parts
• flying chips
• and sparks.

22
General Requirements

• 1910.212(a)(2)
– Guards shall be affixed to the machine where possible and secured elsewhere if for
any reason attachment to the machine is not possible.
– The guard shall be such that it does not offer an accident hazard in itself.

23
Point of Operation Guarding

• 1910.212 (a)(3)
– 1910.212 (a)(3)(i)
• Point of operation is the area on a machine where work is actually performed upon the
material being processed.
– 1910.212 (a)(3)(ii)
• The point of operation of machines whose operation exposes an employee to injury,
shall be guarded.
• The guarding device shall be in conformity with any appropriate standards therefor,
or, in the absence of applicable specific standards, shall be so designed and
constructed as to prevent the operator from having any part of his body in the danger
zone during the operating cycle.

24
Types of Safeguards

– Guards
• Fixed, Interlocked, Adjustable, Self-Adjusting
– Devices
• Presence Sensing, Two-hand, tripwire, interlocks
– Location/Distance
• Hazard located away from people
– Feeding and Ejection Methods
• Operator does not have to put hands in point of operation
– Miscellaneous Aids
• Awareness Barriers, Shields, Holding Tools

25
1910 Subpart R
Special Industries

– Subpart R, Special Industries (sections 1910.261-272)
• Pulp, Paper and paperboard mills
• Textiles
• Bakery Equipment
• Laundry machinery and operations
• Sawmills
• Logging Operations
• Telecommunications
• Electric Power Generation, transmission and distribution
• Grain handling facilities

26
1910 Subpart S
Design Safety for Electrical Systems

• 1910.301(a)
– Design safety standards for electrical systems. These regulations are contained in 1910.302
through 1910.330. Sections 1910.302 through 1910.308 contain design safety standards for
electric utilization systems. Included in this category are all electric equipment and
installations used to provide electric power and light for employee workplaces. Sections
1910.309 through 1910.330 are reserved for possible future design safety standards for other
electrical systems.
– Appendix A - Reference Documents
• NFPA 70-78 National Electric Code
• many other reference documents

27
ANSI/NFPA 79
Safety of Machinery

• NFPA 79 is an ANSI standard
– but it is not specifically referenced by OSHA.
• It is used as a source document to help
ensure machinery safety.

28
OSHA Standards Interpretation and Compliance
Letters - Excerpt

“The machines which are not covered by specific OSHA standards
are required under the Occupational Safety and Health Act (OSHA
Act) and Section 29 CFR 1910.303(b)(1) to be free of recognized
hazards which may cause death or serious injuries.”

“These machines must be designed and maintained to meet or
exceed the requirements of the applicable industry consensus
standards. In such situations OSHA may apply standards
published by the American National Standards Institute (ANSI),
such as standards contained in ANSI/NFPA 79, Electrical
Standard for Industrial Machinery, to cover hazards that are not
covered by specific OSHA standards.”

29
U.S. Standards

• Consensus standards are published by U.S. industry based on
committees representing industries like…
– AMT - The Association for Manufacturing Technology represents the metal forming
and metalworking industry manufacturers, suppliers and users.
– RIA - Robotics Industries Association representing the robotics industry
manufacturers, suppliers and users.
– PMMI – Packaging Machinery Manufacturers Institute represents companies that
manufacture packaging and packaging-related converting machinery, commercially
available packaging machinery components, containers and materials in the United
States and Canada.

30
Legal Requirements
and regulations
European Union

31
MACHINERY DIRECTIVE

The Directive
2006/42/EC

32
European Single Market

• European single market since 1 January 1993:
– Free passenger traffic, exchange of goods and services, capital flow
– Free exchange of goods within the member states
• Reduction of trade barriers
• No distortion of competition by different safety requirements
• All member states have to build products according to
standardized safety regulations
• Standardized European regulations for occupational health and
safety (European Directives)
– Harmonization of previously differing national requirements
• Member states have to transform the EU Directives into national
law

33
CE Marking Requirements in EU-Directives (abridged
version)

34
What is an EU – Directive?

• EU-Directives define:
– Basic product requirements for health and safety protection of end users.
– Basic requirements for safe operation of machines and thus for health and safety of
persons and quality of the environment.
– Minimum requirements for safety at work.
• The directives require compliance with basic safety goals and for that purpose state
basic and general safety requirements. It is not defined in detail how these safety goals
shall be achieved.
• Compliance with the standards is not mandatory; but it is a legal obligation to
keep to the EU-directives.

35
Main Groups of EN - Standards

• Safety standards are structured systematically and hierarchically in order to exclude
different requirements for comparable hazards or similar risks and to avoid recurrences:
– Type A: Safety – basic standards regarding guidelines and general aspects of
safety, concerning all machines in a same or similar way.
– Type B1: Safety – group standards regarding safety aspects, concerning several or
a series of machines (e. g. safe distances, electrical safety, approach / grasp
speed).
– Type B2: Safety – group standards regarding safety devices which can be used with
machines (e. g. emergency shutdown devices, light grids, two-hand control devices).
– Type C: Safety – product standards stating defined requirements and safety
measures for all significant hazards, which can result from a machine or from all
types of machines.

36
European Standards for Safety of Machinery

37
Universe Model of EN Machinery Standards

[Diagram: concentric rings around the Machinery Directive. “A” ring: EN1050 Risk
Assessment, EN282 Principles of Machinery Safety. “B” ring: EN954 Machine Safety,
EN1760 Mats/Edges, EN418 E-Stop, EN1037 Start-Up, EN1088 Interlocks, EN999 Speed,
EN 60204 Electrical Safety, EN574 Two Hand Control. “C” ring: EN746 Thermo processing,
EN14960 Inflatable Play Equipment, EN13814 Amusement Rides, EN415 Packaging.]

38
Universe Model of ISO Machinery Standards

[Diagram: concentric rings around the Machinery Directive. “A” ring: ISO 12100
Principles of Machinery Safety. “B” ring: ISO 13849 Machine Safety, ISO 10418
Safeguarding, ISO 13850 E-Stop, ISO 14118 Start-Up, ISO 14119 Interlocks, ISO 13857
Speed, IEC 60204 Electrical Safety, ISO 13851 Two Hand Control. “C” ring: EN746 Thermo
processing, ISO 11161 Mfg. Cells, ISO 10218 Robot.]
39
What is a “Harmonized Standard?”

• An EN standard is a harmonized standard as soon as its title is published in the EU
official register.
• All EU member states have accepted the standard.
• The requirements stated in the standard are accepted by the EU member states
and are considered sufficient to fulfill the basic safety and health
requirements of the corresponding EU directive.
• A valid standard is not necessarily a harmonized standard.

A list of directives and the harmonized standards can be found on the internet:
http://ec.europa.eu/enterprise/policies/european-standards/documents/harmonised-
standards-legislation/list-recent-publications/index_en.htm

Harmonized standard = presumption of conformity.

40
The New Machinery Directive: 2006/42/EG

• Basic definition of a “machine” (article 2)
– An assembly, fitted with or intended to be fitted with a drive system other than
directly applied human or animal effort, consisting of linked parts or components, at
least one of which moves, and which are joined together for a specific application,
– ... missing only the components to connect it on site or to sources of energy and
motion,
– ... ready to be installed and able to function as it stands only if mounted on a means
of transport, or installed in a building or a structure,
– ... or partly completed machinery which, in order to achieve the same end, are
arranged and controlled so that they function as an integral whole,
– ... which are joined together, intended for lifting loads and whose only power source
is directly applied human effort;

41
Machinery and Safety Components acc. to MD
98/37/EG

• “Machinery”
– an assembly of linked parts or components, at least one of which moves, with the
appropriate actuators, control and power circuits, etc., joined together for a specific
application, in particular for the processing, treatment, moving or packaging of a
material,
– an assembly of machines which, in order to achieve the same end, are arranged
and controlled so that they function as an integral whole,
– interchangeable equipment modifying the function of a machine, which is placed on
the market for the purpose of being assembled with a machine or a series of
different machines or with a tractor by the operator himself in so far as this
equipment is not a spare part or a tool;
• “Safety Components”
– means a component, provided that it is not interchangeable equipment, which the
manufacturer or his authorized representative established in the Community places
on the market to fulfill a safety function when in use and the failure or malfunctioning
of which endangers the safety or health of exposed persons.

42
Safety Components according to Annex IV
(2006/42/EG)

• 15. Guards for removable mechanical transmission devices
• 19. Protective devices designed to detect the presence of persons.
• 20. Power-operated interlocking movable guards designed to be used as safeguards in
machinery (presses, plastics-molding machinery, rubber-molding machinery, each with
manual loading or unloading)
• 21. Logic units to ensure safety functions.
• 22. Roll-over protective structures (ROPS).
• 23. Falling-object protective structures (FOPS).

What is a “logic unit for safety functions?”

43
Safety Components acc. to Annex IV (MD 98/37/EG)
(complete)

• Electro-sensitive devices designed specifically to detect persons in order to ensure their
safety (non-material barriers, sensor mats, electromagnetic detectors, etc.).
• Logic units which ensure the safety functions of bimanual controls.
• Automatic movable screens to protect the presses
• Roll-over protection structures (ROPS).
• Falling-object protective structures (FOPS).

44
What are “logic units to ensure safety functions”
acc. to Annex IV? (proposal to definition of VG 11)

Logic units to ensure safety functions are subsystems, which perform safety functions by
the interconnection of elements. They process input signals and generate
corresponding output signals.
• Logic units to ensure safety functions include e.g.
– safety relay combinations (ex MSR200/300)
– safety PLC (ex. GuardLogix)
– safety related interface modules (ex. MSR22LM)
– adjustable speed electrical power drive systems with safety functions (ex. PF753)
– two-hand control devices (ex. 800Z)
– safety monitoring devices (ex. MSR300)
• The logic unit can be
– hard wired (ex. Safety relay, MSR127)
– Programmable (ex. SG600)
– Configurable (ex. MSR 100)

45
A Safety Component

… according to MD (2006/42/EG) is a component which:
– serves to execute a safety function,
– is independently placed on the market,
– endangers the safety of persons if it fails and/or malfunctions, and
– is not necessary in order for the machinery to function, or for which normal
components may be substituted in order for the machinery to function.

46
List of the Safety Components referred to in ANNEX
V (2006/42/EG) (abridged)

– Guards for removable mechanical transmission devices.
– Protective devices designed to detect the presence of persons.
– Power-operated interlocking movable guards designed to be used as safeguards in
machinery
– Logic units to ensure safety functions.
– Valves with additional means for failure detection intended for the control of
dangerous movements on machinery.
– Extraction systems for machinery emissions.
– Guards and protective devices designed to protect persons against moving parts
involved in the process on the machinery.
– Monitoring devices for loading and movement control in lifting machinery.
– Restraint systems to keep persons on their seats.

47
List of safety components referred to in ANNEX V
(2006/42/EG)(abridged)

– Emergency stop devices.
– Discharging systems to prevent the build-up of potentially dangerous electrostatic
charges.
– Energy limiters and relief devices referred to in sections 1.5.7, 3.4.7 and 4.1.2.6 of
Annex I.
– Systems and devices to reduce the emission of noise and vibrations.
– Roll-over protective structures (ROPS).
– Falling-object protective structures (FOPS).
– Two-hand control devices.
– Components for machinery designed for lifting and/or lowering persons between
different landings ...

48
Safety of Machinery
Basic Concepts
ISO 12100:2010

49
Standards - EN, ISO and IEC
EXAMPLES:
Type A
ISO 12100 Safety of machinery. Basic terminology
and methodology
ISO TR14121-2 Safety of machinery — Risk
assessment — Part 2: Practical guidance and
examples of methods

Type B
ISO 13849-1 - Safety related parts of control systems
ISO 13850 - Emergency stop function
IEC 62061 - Functional safety of electrical control
systems
IEC 60204-1 - Safety of machinery. Electrical
Equipment
ISO 13851 – Two hand controls

Type C
ISO 10218 - Robots for industrial environments

ISO 11111 - Textile machinery - Safety requirements

50
ISO 12100:2010

• Safety of machinery — General principles for design — Risk assessment and risk
reduction (ISO 12100:2010)
– Scope: This International Standard specifies basic terminology, principles and a
methodology for achieving safety in the design of machinery. It specifies principles
of risk assessment and risk reduction to help designers in achieving this objective.
These principles are based on knowledge and experience of the design, use,
incidents, accidents and risks associated with machinery. Procedures are described
for identifying hazards and estimating and evaluating risks during relevant phases of
the machine life cycle, and for the elimination of hazards or the provision of sufficient
risk reduction. Guidance is given on the documentation and verification of the risk
assessment and risk reduction process.

51
Terms and Definitions ISO 12100:2010

• 3.1 Machinery – assembly, fitted with or intended to be fitted with a drive system
consisting of linked parts or components, at least one of which moves, and which are
joined together for a specific application.
• 3.2 Reliability – ability of a machine or its components or equipment, to perform a
required function under specified conditions and for a given period of time without
failing.
• 3.5 harm - physical injury or damage to health
• 3.6 hazard - potential source of harm
• 3.12 risk – combination of the probability of occurrence of harm and the severity of that
harm
• 3.13 residual risk – risk remaining after protective measures have been taken.
• 3.19 protective measure – measure intended to achieve risk reduction
• 3.21 safeguarding – protective measure using safeguards to protect persons from the
hazards which cannot reasonably be eliminated or from the risk which cannot be
sufficiently reduced by inherently
• 3.27 guard – physical barrier, designed as part of the machine, to provide protection
• 3.28 protective devices – safeguards other than guards
52
Terms and Definitions ISO 12100

• Definitions 3.28.1-3.28.9 are newly added definitions
• 3.30 safety function – function of a machine whose failure can result in an immediate
increase of the risk(s); i.e., harm
• 3.33 fault – the state of an item characterized by inability to perform a required function.
• 3.34 failure – the termination of the ability of an item to perform a required function
• 3.35 common cause failure – failures of different items, resulting from a single event,
where these failures are not consequences of each other
• 3.36 common mode failure – failures of items characterized by the same fault mode

53
Machinery Directive
2006/42/EC

ANNEX I
Essential health and safety requirements relating to the design and construction of machinery
GENERAL PRINCIPLES
1. The manufacturer of machinery or his authorized representative must ensure that a risk
assessment is carried out in order to determine the health and safety requirements which
apply to the machinery. The machinery must then be designed and constructed taking into
account the results of the risk assessment.
By the iterative process of risk assessment and risk reduction referred to above, the manufacturer or
his authorized representative shall:
– determine the limits of the machinery, which include the intended use and any reasonably foreseeable
misuse thereof,
– identify the hazards that can be generated by the machinery and the associated hazardous situations,
– estimate the risks, taking into account the severity of the possible injury or damage to health and the
probability of its occurrence,
– evaluate the risks, with a view to determining whether risk reduction is required, in accordance with the
objective of this Directive,
– eliminate the hazards or reduce the risks associated with these hazards by application of protective
measures, in the order of priority established in section 1.1.2(b).

54
Subclause 4 Strategy for risk assessment and risk
reduction

• To implement risk assessment and risk reduction the designer shall take the following
actions, in the order given (see Figure 1):
a) determine the limits of the machinery, which include the intended use and any
reasonably foreseeable misuse thereof;
b) identify the hazards and associated hazardous situations;
c) estimate the risk for each identified hazard and hazardous situation;
d) evaluate the risk and take decisions about the need for risk reduction;
e) eliminate the hazard or reduce the risk associated with the hazard by means of
protective measures.
• Actions (a) to (d) are related to risk assessment and (e) to risk reduction.
• Risk assessment is a series of logical steps to enable, in a systematic way, the
analysis and evaluation of the risks associated with machinery.

55
Schematic representation of risk reduction process
including iterative three-step method

56
Hierarchical Structure of the Measures for Risk
Reduction

[Figures: “Risk assessment process from the point of view of the designer” and
“Risk reduction process from the point of view of the designer”. Source: ISO 12100:2010]

57
Subclause 5 Risk Assessment

• 5.0 General requirements for Risk Assessment
• 5.1 General – this section specifies the general requirements for a risk assessment
and should be reviewed for general knowledge and understanding, because all three
standards (ISO 13849, IEC 62061 and IEC 61508) reference the requirements for
performing a risk assessment. The Machinery Directive and most US standards also
require that a risk assessment be performed.
• Risk assessment comprises (see Figure 1):
– risk analysis, comprising
1. determination of the limits of the machinery (see 5.3),
2. hazard identification (see 5.4 and Annex B), and
3. risk estimation (see 5.5); and
– risk evaluation (see 5.6).
• Risk analysis provides the information required for the risk evaluation, which in turn
allows judgments to be made about whether or not risk reduction is required.

58
Subclause 5 ISO 12100:2010

– 5.2 Information for risk assessment– the information for the risk assessment
should include:
• Related to machinery description:
1. user specifications;
2. anticipated machinery specifications, including
3. documentation on previous designs of similar machinery, if relevant;
4. information for use of the machinery, as available.
• Related to regulations, standards and other applicable documents:
1. applicable regulations;
2. relevant standards;
3. relevant technical specifications;
4. relevant safety data sheets.
• Related to experience of use:
1. any accident, incident or malfunction history
2. the history of damage to health resulting,
3. the experience of users of similar machines
• Relevant ergonomic principles.

59
Subclause 5 ISO 12100:2010

• Subclause 5.3 – Determination of limits of machinery
– 5.3.1 General - Risk assessment begins with the determination of the limits of the
machinery, taking into account all the phases of the machinery life. This means that
the characteristics and performances of the machine or a series of machines in an
integrated process, and the related people, environment and products, should be
identified in terms of the limits of machinery as given in 5.3.2 to 5.3.5.
– 5.3.2 Use limits - Use limits include the intended use and the reasonably
foreseeable misuse. Consider:
• the different machine operating modes and the different intervention
procedures involved in the use of the machinery
• the experience level of the users
• access control – is the machine on a high-traffic aisle, freely accessible?
• reasonably foreseeable hazards identified on the machine
• exposure of other persons to the hazards associated with the machinery,
where it can be reasonably foreseen.

60
Subclause 5 ISO 12100:2010

• Subclause 5.3 – Determination of limits of machinery
– 5.3.3 Space limits – aspects to consider; e.g., operator adjacent to machine,
operators locations, energy sources associated with machine
– 5.3.4 Time – mission time of the machine and associated service intervals
– 5.3.5 Other limits – consideration of limits such as; environmental, housekeeping,
quality assurance, etc.
– 5.4 Hazard identification - After determination of the limits of the machinery, the
essential step in any risk assessment of the machinery is the systematic
identification of reasonably foreseeable hazards (permanent hazards and those
which can appear unexpectedly), hazardous situations and/or hazardous events
during all phases of the machine life cycle
• Human interaction during the whole life cycle of the machine
• Possible states of the machine
• Unintended behavior of the operator or reasonably foreseeable misuse of the
machine

61
Subclause 5 ISO 12100:2010

• 5.5.2.1 – Elements of risk
– The elements of risk are shown in Figure 3. Additional details are given in 5.5.2.2, 5.5.2.3
and 5.5.3.

62
Subclause 5 ISO 12100:2010

• Subclause 5 – Risk assessment: 5.5 Risk estimation


– 5.5.1 After hazard identification, risk estimation shall be carried out for each hazardous
situation by determining the elements of risk given in 5.5.2. When determining these
elements, it is necessary to take into account the aspects given in 5.5.3.
– 5.5.2 Elements of risk
– 5.5.2.2 Severity of harm
• a) the severity of injuries or damage to health, for example,
– slight,
– serious, or
– death;
• b) the extent of harm, for example,
– one person,
– several persons.
– 5.5.2.3 Probability of occurrence of harm
• 5.5.2.3.1 Exposure of persons to the hazard
• 5.5.2.3.2 Occurrence of a hazardous event
• 5.5.2.3.3 Possibility of avoiding or limiting harm
63
Subclause 5 ISO 12100:2010

• Subclause 5 – Risk assessment: 5.5.3 Aspects to be considered during risk estimation


– 5.5.3.5 Suitability of protective measures
Risk estimation shall take into account the suitability of protective measures and shall
a) identify the circumstances which can result in harm,
b) whenever appropriate, be carried out using quantitative methods to compare
alternative protective measures (see ISO/TR 14121-2), and
c) provide information that can assist with the selection of appropriate protective
measures.
– 5.5.3.6 Possibility of defeating or circumventing protective measures
• Risk estimation shall take account of the possibility of defeating or circumventing
protective measures. It shall also take account of the incentive to defeat or circumvent
protective measures when, for example,
• a) the protective measure slows down production or interferes with another activity or
preference of the user,
• b) the protective measure is difficult to use,
• c) persons other than the operator are involved, or
• d) the protective measure is not recognized by the user or not accepted as being
suitable for its function.

64
Subclause 5 ISO 12100:2010

– 5.5.3.7 Ability to maintain protective measures


• Risk estimation shall consider whether the protective measures can be maintained in
the condition necessary to provide the required level of protection.
• 5.6 Risk evaluation
– After risk estimation has been completed, risk evaluation shall be carried out to
determine if risk reduction is required. If risk reduction is required, then appropriate
protective measures shall be selected and applied (see Clause 6). As shown in
Figure 1, the adequacy of the risk reduction shall be determined after applying each
of the three steps of risk reduction described in Clause 6.
– Adequate risk reduction is achieved by applying the three steps of Clause 6, in order:
• Inherently safe design measures
• Safeguarding and/or complementary protective measures
• Information for use
– Comparison of risks - As part of the process of risk evaluation, the risks associated
with the machinery or parts of machinery can be compared with those of similar
machinery or parts of machinery, provided the following criteria apply:

65
Hierarchical Structure of the Measures for Risk Reduction

• Measures for risk reduction by the construction of the machine (immediate safety)
– inherently safe design measures (ISO 12100:2010, 6.2; formerly ISO 12100-2, clause 4)

• Risk reduction by the use of technical safeguards and safety components (mediate safety)
– safeguarding and complementary protective measures (ISO 12100:2010, 6.3; formerly ISO 12100-2, clause 5)

• Provide information to the operator, indication of remaining risks (indicative safety)
– information for use (ISO 12100:2010, 6.4; formerly ISO 12100-2, clause 6)

66
Subclause 6.2 ISO 12100:2010

• 6.2 Inherently safe design measures


– Inherently safe design measures are the first and most important step in the risk
reduction process. This is because protective measures inherent to the
characteristics of the machine are likely to remain effective, whereas experience has
shown that even well-designed safeguarding can fail or be defeated and information
for use may not be followed. Designing out the hazard is the most effective method of
risk reduction.
– Methods include:
• Geometrical factors and physical aspects (6.2.2) – oversizing, overrating, safety
factors, limiting force, mass, velocity, acceleration, etc. are all effective methods
• “KISS” (keep it simple, stupid) (6.2.3 and 6.2.4) – applying general technical
knowledge and choosing the correct technology to mitigate the hazard
• Apply correct safety principles such as: positive mechanical action (6.2.5);
designing for stability (6.2.6); maintainability (6.2.7); applying appropriate
ergonomic principles (6.2.8); preventing electrical hazards (6.2.9) and
pneumatic and hydraulic hazards (6.2.10).
67
Subclause 6.2 ISO 12100:2010

• 6.2 Inherently safe design measures


– Methods include continued:
• Applying inherently safe design measures to control systems (6.2.11)
– The design measures of the control system shall be chosen so that their
safety-related performance provides a sufficient amount of risk reduction
(see ISO 13849-1 or IEC 62061).
– The correct design of machine control systems can avoid unforeseen
and potentially hazardous machine behavior.
• Review all the methods outlined in 6.2.11.1 – 6.2.11.12. These are all
effective methods to consider during the design of the safety related control
system.
• Minimizing probability of failure of safety functions (6.2.12)
– Safety of machinery is not only dependent on the reliability of the control
systems but also on the reliability of all parts of the machine.
– The continued operation of the safety functions is essential for the safe
use of the machine. This can be achieved by the measures given in
6.2.12.2 to 6.2.12.4.

68
Subclause 6.2 ISO 12100:2010

• 6.2 Inherently safe design measures


– Methods include continued:
• Limiting exposure to hazards through mechanization or automation of loading
(feeding)/unloading (removal) operations (6.2.14)
• Limiting exposure to hazards through location of setting and maintenance
points outside danger zones (6.2.15)
– All these methods are worthwhile and should be evaluated in reference to the
hazard being mitigated and are effective when properly chosen and utilized as safe
design measures.
– These are considered as “direct safety engineering” techniques.

69
Subclause 6.3 ISO 12100:2010

• 6.3 Safeguarding and/or complementary protective measures


– Guards and protective devices shall be used to protect persons whenever an
inherently safe design measure does not reasonably make it possible either to
remove hazards or to sufficiently reduce risks. Complementary protective measures
involving additional equipment (for example, emergency stop equipment) may have
to be implemented.
– This is considered “indirect safety engineering”
– Selection and implementation of guards and protective devices is covered in 6.3.2
• This subclause gives guidelines for the selection and the implementation of
guards and protective devices the primary purpose of which is to protect
persons against hazards generated by moving parts. Figure 4 gives guidance
on what are considered “separating” guards. (see next slide)

70
Subclause 6.3 ISO 12100:2010 (figure 4)

Guidelines for choosing safeguards against hazards generated by moving parts

71
Subclause 6.3 ISO 12100:2010

• Selection and implementation of guards and protective devices is covered in 6.3.2


– 6.3.2.2 Where access to the hazard zone is not required during normal operation
• Where access to the hazard zone is not required during normal operation of the
machinery, safeguards should be selected from the following:
a) fixed guards (see also ISO 14120);
b) interlocking guards with or without guard locking (see also 6.3.3.2.3, ISO 14119
and ISO 14120);
c) self-closing guards (see ISO 14120:2002, 3.3.2);
d) sensitive protective equipment, such as electrosensitive protective equipment
(see IEC 61496) or pressure-sensitive protective devices (see ISO 13856).
– 6.3.2.3 Where access to the hazard zone is required during normal operation
• Where access to the hazard zone is required during normal operation of the
machinery, safeguards should be selected from the following:
a) interlocking guards with or without guard locking (see also ISO 14119, ISO
14120 and 6.3.3.2.3 of this document);
b) sensitive protective equipment, such as electrosensitive protective equipment
(see IEC 61496);
c) adjustable guards;
d) self-closing guards (see ISO 14120:2002, 3.3.2);
e) two-hand control devices (see ISO 13851);
f) interlocking guards with a start function (control guard) (see 6.3.3.2.5).
72
Subclause 6.3 ISO 12100:2010

• Selection and implementation of guards and protective devices is covered in 6.3.2


• 6.3.2.4 Where access to the hazard zone is required for machine setting,
teaching, process changeover, fault-finding, cleaning or maintenance
• 6.3.2.5 Selection and implementation of sensitive protective equipment
– Care should be taken when selecting “sensitive protective equipment”
because this type of equipment is considered “non-separating”
– Types include:
• light curtains,
• scanning devices, for example, laser scanners,
• pressure-sensitive mats, and
• trip bars, trip wires
– The following characteristics of the machinery, among others, can
preclude the sole use of sensitive protective equipment:
• tendency for the machinery to eject materials or component parts;
• necessity to guard against emissions (noise, radiation, dust, etc.);
• erratic or excessive machine stopping time;
• inability of a machine to stop part-way through a cycle.
73
Subclause 6.3 ISO 12100:2010

• 6.3.3 Requirements for design of guards and protective devices – general statement
– Guards and protective devices shall be designed to be suitable for the intended
use, taking into account mechanical and other hazards involved. Guards and
protective devices shall be compatible with the working environment of the
machine and designed so that they cannot be easily defeated. They shall provide
the minimum possible interference with activities during operation and other
phases of machine life, in order to reduce any incentive to defeat them.
NOTE:
1. For additional information, see ISO 14120, ISO 13849-1, ISO 13851, ISO 14119,
ISO 13856, IEC 61496 and IEC 62061
2. For openings in the guards, see ISO 13857.

74
Subclause 6.3 ISO 12100:2010

• 6.3.3 Requirements for design of guards and protective devices – general statement
– Requirements for guards are covered in 6.3.3.2.1 through 6.3.3.2.6
• 6.3.3.2.1 Functions of guards
• 6.3.3.2.2 Requirements for fixed guards
• 6.3.3.2.3 Requirements for movable guards
• 6.3.3.2.4 Requirements for adjustable guards
• 6.3.3.2.5 Requirements for interlocking guards with a start function (control
guards)
• 6.3.3.2.6 Hazards from guards

Note: understand the differences between the different types of guards, and the pros and
cons of each type.

75
Subclause 6.3 ISO 12100:2010

• 6.3.3 Requirements for design of guards and protective devices – general statement
– Safeguarding to reduce emissions is covered in 6.3.4. Types of emissions are:
• Noise
• Vibration
• Hazardous substances
• Radiation
• Etc.

76
Subclause 6.3 ISO 12100:2010

• 6.3.3 Requirements for design of guards and protective devices – general statement
– Complementary protective measures are covered in 6.3.5
• Protective measures which are neither inherently safe design measures, nor
safeguarding (implementation of guards and/or protective devices), nor
information for use, could have to be implemented as required by the intended
use and the reasonably foreseeable misuse of the machine. Such measures
include, but are not limited to, those dealt with in 6.3.5.2 to 6.3.5.6.
– 6.3.5.2 Components and elements to achieve emergency stop function
– 6.3.5.3 Measures for the escape and rescue of trapped persons
– 6.3.5.4 Measures for isolation and energy dissipation
– 6.3.5.5 Provisions for easy and safe handling of machines and their
heavy component parts
– 6.3.5.6 Measures for safe access to machinery

Note: all of the above are considered to be “complementary in nature” to safeguarding.

77
Subclause 6.4 ISO 12100:2010

• 6.4 Information for use general requirements


– Information for use consists of communication links, such as texts, words, signs,
signals, symbols or diagrams, used separately or in combination to convey
information to the user.
– Information shall be provided to the user about the intended use of the machine,
taking into account, notably, all its operating modes
– Information for use shall cover, separately or in combination, transport, assembly
and installation, commissioning, use of the machine (setting, teaching/programming
or process changeover, operation, cleaning, fault-finding and maintenance) and, if
necessary, dismantling, disabling and scrapping.

78
Subclause 6.4 ISO 12100:2010

• 6.4 Information for use – other requirements


– 6.4.2 Location and nature of information for use
– 6.4.3 Signals and warning devices
– 6.4.4 Markings, signs (pictograms) and written warnings
– 6.4.5 Accompanying documents (refer to subsections 6.4.5.1 – 6.4.5.3 for more
detailed requirement of document)

While all this is worthwhile material, it really isn’t covered at all on the test. A general
awareness is required about the need for appropriate “information for use”, but no test
questions are based on any of this material.

79
Subclause 7 ISO 12100:2010

• 7 Documentation of risk assessment and risk reduction


– The documentation shall demonstrate the procedure that has been followed and the
results that have been achieved. This includes, when relevant, documentation of:
a) the machinery for which the risk assessment has been made (for example,
specifications, limits, intended use);
b) any relevant assumptions that have been made (loads, strengths, safety
factors, etc.);
c) the hazards and hazardous situations identified and the hazardous events
considered in the risk assessment;
d) the information on which risk assessment was based (see 5.2):
1) the data used and the sources (accident histories, experience gained
from risk reduction applied to similar machinery, etc.);
2) the uncertainty associated with the data used and its impact on the risk
assessment;

80
Subclause 7 ISO 12100:2010

• 7 Documentation of risk assessment and risk reduction


– The documentation shall demonstrate the procedure that has been followed and the
results that have been achieved. This includes, when relevant, documentation of
(cont):
e) the risk reduction objectives to be achieved by protective measures;
f) the protective measures implemented to eliminate identified hazards or to
reduce risk;
g) residual risks associated with the machinery;
h) the result of the risk assessment (see Figure 1);
i) any forms completed during the risk assessment.
– Standards or other specifications used to select protective measures referred to in f)
above should be referenced.

NOTE No requirement is given in this International Standard to deliver the risk
assessment documentation together with the machine. See ISO/TR 14121-2 for
information on documentation.

81
Annexes of ISO 12100:2010

All annexes are informative in nature: they are not required, but are used for
informational purposes only.
Clauses 1 to 7 are normative and are therefore required.

• Annex A – shows a schematic representation of a machine. This example shows where
indicators, guards, protective devices, and other parts of a machine generally reside
within the framework of a “typical” machine
• Annex B - Examples of hazards, hazardous situations and hazardous events - This
annex gives, in separate tables, examples of hazards (see Tables B.1 and B.2),
hazardous situations (see Table B.3), and hazardous events (see Table B.4), in order to
clarify these concepts and assist the persons performing risk assessment in the process
of hazard identification (see 5.4).
• The lists of hazards, hazardous situations and hazardous events given by this annex
are not exhaustive, nor are they prioritized. Therefore, the designer should also identify
and document any other hazard, hazardous situation or hazardous event existing in the
machine.

82
Annexes of ISO 12100:2010

• Annex B - Examples of hazards, hazardous situations and hazardous events

– Review Tables B.1 – B.4 for general awareness, but again, this is not on the
test because it is informative and not normative

83
Annexes of ISO 12100:2010

• Annex C - index of specific terms and expressions used in ISO 12100 – this is an
excellent cross reference for key words and phrases that are used in the document.
Comes in very handy when you want to see where a particular word or phrase is used
throughout the document.

84
Bibliography of ISO 12100:2010

• This is a very handy reference because it lists the standards that are used or
referenced in ISO 12100. This is a good point to begin to understand the interaction and
interdependence of the machine functional safety standards. At least be familiar with the
standards that are referenced in the bibliography.

85
ISO 12100:2010

• What I expect you to know about ISO 12100


– Its general makeup and what all is covered in the standard – this is the base standard for all
other machine functional safety standards. All machine type “C” standards are based on this
standard.
– Understand the phases and requirements of a risk assessment and its relationship to a
machine design.
– This is a type “A” standard
– I think the scope of this document best describes its intended use:
• This International Standard specifies basic terminology, principles and a methodology
for achieving safety in the design of machinery. It specifies principles of risk
assessment and risk reduction to help designers in achieving this objective. These
principles are based on knowledge and experience of the design, use, incidents,
accidents and risks associated with machinery. Procedures are described for
identifying hazards and estimating and evaluating risks during relevant phases of the
machine life cycle, and for the elimination of hazards or the provision of sufficient risk
reduction. Guidance is given on the documentation and verification of the risk
assessment and risk reduction process.
• This International Standard is also intended to be used as a basis for the preparation
of type-B or type-C safety standards.
• It does not deal with risk and/or damage to domestic animals, property or the
environment.

86
Various Risk Assessment Methodologies


87
Risks and Hazards of Technical Equipment

• Machines, technical installations and plants can endanger the life and health of human
beings. It is essential to hold off these hazards as far as possible.

• Environmental damage is no longer acceptable. Technical devices have to be designed in
such a manner that the impact on the environment is as low as possible.

88
Machinery Directive
2006/42/EC

ANNEX I
Essential health and safety requirements relating to the design and construction of machinery
GENERAL PRINCIPLES
1. The manufacturer of machinery or his authorised representative must ensure that a risk
assessment is carried out in order to determine the health and safety requirements which apply to
the machinery. The machinery must then be designed and constructed taking into account the
results of the risk assessment.
By the iterative process of risk assessment and risk reduction referred to above, the manufacturer or
his authorised representative shall:
– determine the limits of the machinery, which include the intended use and any reasonably foreseeable
misuse thereof,
– identify the hazards that can be generated by the machinery and the associated hazardous situations,
– estimate the risks, taking into account the severity of the possible injury or damage to health and the
probability of its occurrence,
– evaluate the risks, with a view to determining whether risk reduction is required, in accordance with the
objective of this Directive,
– eliminate the hazards or reduce the risks associated with these hazards by application of protective
measures, in the order of priority established in section 1.1.2(b).

89
Responsibilities

• Manufacturer (the one who places the machinery on the market):


– is responsible for safety of “product machinery”
– has to carry out a risk analysis and
– has to apply measures to eliminate the hazards or to reduce the risks
– (safeguards, suitable controllers, ergonomics, product-documentation, Information
and warning hints regarding remaining risks and hazards etc.)
• OEM:
– is responsible for safety of application
– has to carry out a risk analysis for the application
– is responsible for safe operation and protection of operating personnel (fencing,
organizational measures, instruction of the operating personnel etc.)

90
Risk Assessment

• Hazard identification
– Which hazards exist, who is endangered, types of injuries
• Risk estimation
– Probability of occurrence of hazardous event, avoiding or limiting of harm
• Risk reduction (down to a tolerable risk)
• Applying technical and organizational measures
• Risks completely eliminated (?)
– Information about remaining risks!

91
Stepwise Iterative Process for Risk Reduction (ISO 12100-1, now ISO 12100:2010)

• Determination of the intended use and service of the machine and of its space and time
limits; consideration of any reasonably foreseeable misuse and mis-operation by the
personnel.
• Identification of the possible hazards and hazardous situations
• Estimation of the risk of each identified hazard and hazardous situation
• Evaluation of the risks; decision whether risk reduction is necessary or not
• Elimination of the hazards or reduction of the risks by the following (hierarchical) measures:
– Constructive measures (inherently safe design)
– Use of technical safeguarding devices
– Information and warnings to the machine operator regarding the possible
remaining risks and hazards (pictograms, operating manual)

92
Hierarchical Structure of the Measures for Risk
Reduction

• Measures for risk reduction by the construction of the machine (immediate safety)

• Risk reduction by the use of technical safeguards and safety components (mediate safety)

• Provide information to the operator, indication of remaining risks (indicative safety)

93
Hierarchical Structure of the Measures for Risk
Reduction

Source: ISO 12100 (figure) – Risk reduction process from the point of view of the designer

94
Hierarchical Structure of the Measures for Risk
Reduction

Source: ISO 12100 (figure, continued) – Risk reduction process from the point of view of the designer

95
Example: 3-Steps Method of the Safety Technique

Prevention of hazard → Control of hazard → Indication of hazard

96
ISO 12100 Iterative Process to Achieve the
Necessary Safety

Source: ISO 12100 (figure) – Iterative process of risk reduction

97
Example, Hazards of Machines (ISO 12100)

• Mechanical hazards
– crushing, shearing, stabbing
– cutting, severing
– entanglement, drawing-in and trapping, clamping
– slipping, tripping, ...
• Electrical hazards
– contact with live parts (direct and indirect contact)
– ...
• Thermal hazards
– burning and scalding
– too cold or too warm environmental conditions
– ...
• Hazards from noise and vibration
• Hazards from radiation
– α, β, γ rays, microwaves, UV and IR light, etc.
• Hazards from materials and other substances
– contact with or inhalation of gases, vapours, powders, fluids, etc.
• Hazards from neglect of ergonomic principles in the design of machines
• and more

98
Risk Determination, assessment and reduction

99
Risk, Tolerable Risk, Residual Risk, Danger, Safety

100
Risk Elements

101
Examples of Risk Graphs

• Risk graph acc. to EN 954-1 (ISO 13849-1:1999)

– Severity of injury
• S1 slight (usually reversible) injury
• S2 serious (usually irreversible) injury, including death
– Frequency and/or exposure time to the hazard
• F1 seldom to quite often and/or short exposure time
• F2 frequent to continuous and/or long exposure time
– Possibility of avoiding the hazard
• P1 possible under specific conditions
• P2 scarcely possible
– Choice of category
• B, 1 to 4: categories for safety-related parts of control systems

102
Examples of Risk Graphs

• Risk analysis to determine the required performance level PLr (ISO 13849-1)

103
Examples of Risk Graphs

Risk parameters in the IEC 62061 risk analysis (ref. IEC 62061, Annex A)
A.2.2 Risk estimation
• Risk estimation should be carried out for each hazard by determining the risk parameters
which, as shown in Figure A.2, are derived from the following:
– the severity of harm, Se; and
– the probability of occurrence of that harm, which is a function of:
• the frequency and duration of the exposure of persons to the hazard, Fr;
• the probability of occurrence of a hazardous event, Pr; and
• the possibility to avoid or limit the harm, Av.

104
Risk parameters in the IEC 62061 risk analysis (figure)

105
Risk parameters in the IEC 62061 risk analysis (figure)

106
Risk parameters in the IEC 62061 risk analysis (figure)

107
Risk parameters in the IEC 62061 risk analysis (figure)

108
Determination of the Required SIL IEC 62061

109
Determination of the Required SIL IEC 62061

110
Example form for SIL assignment process

Hazard assessed: loss of a finger

Parameter                        Assessment                              Value
Consequence (Se)                 Permanent: loss of finger               3
Frequency and duration (Fr)      About 4 times a day, for < 10 minutes   5
Probability of event (Pr)        Likely                                  4
Probability of avoidance (Av)    Possible                                3
Class CL = Fr + Pr + Av                                                  12

Note: Se is not part of the sum; CL = Fr + Pr + Av = 5 + 4 + 3 = 12. Se = 3 with CL = 12
falls in the 11–13 column of the SIL assignment matrix (IEC 62061, Table A.6), so the
required SIL for this safety function is SIL 2.
111
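The ISO 13849-1 risk graph (slide 103) and the IEC 62061 SIL assignment form above map the same kind of risk parameters to a target integrity level. The following Python script is an added worked example, not part of the course slides or of any Rockwell or TÜV material: it encodes the ISO 13849-1 risk graph and the IEC 62061 Annex A parameter scales and SIL matrix, including the optional one-level Fr reduction for exposures shorter than 10 minutes, and classifies the form's finger-loss hazard both ways. The tables are transcribed from the standards as I recall them (Fr scale, Table A.6 matrix); verify them against your own copy before relying on the output. All function names are my own.

```python
"""Map machine-safety risk parameters to a target PLr (ISO 13849-1) or SIL (IEC 62061).

Added example; not part of the course slides. The tables transcribe the
ISO 13849-1 risk graph and IEC 62061:2005 Annex A (Fr scale and Table A.6);
check them against your own copy of the standards before relying on them.
"""
from typing import Dict, Optional, Tuple

# ISO 13849-1 risk graph (S severity, F frequency/exposure, P avoidance).
# S1 slight, usually reversible      S2 serious, usually irreversible, incl. death
# F1 seldom to quite often / short   F2 frequent to continuous / long exposure
# P1 avoidance possible under specific conditions   P2 scarcely possible
_RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def required_pl(s: str, f: str, p: str) -> str:
    """Return the required performance level PLr (a..e) from the risk graph."""
    key = (s.upper(), f.upper(), p.upper())
    if key not in _RISK_GRAPH:
        raise ValueError(f"invalid risk-graph parameters {key}")
    return _RISK_GRAPH[key]


# IEC 62061 Annex A scales.
# Se: 4 death / loss of eye or arm; 3 permanent (loss of fingers);
#     2 reversible, medical attention; 1 reversible, first aid
# Pr: 5 very high, 4 likely, 3 possible, 2 rarely, 1 negligible
# Av: 5 impossible, 3 possible, 1 likely
# Fr by interval between exposures (duration > 10 min): <= 1 h: 5;
#     > 1 h to <= 1 day: 5; > 1 day to <= 2 weeks: 4; > 2 weeks to <= 1 year: 3;
#     > 1 year: 2
_FR_BY_MAX_INTERVAL_HOURS = [(1, 5), (24, 5), (24 * 14, 4), (24 * 365, 3)]

# Table A.6: required SIL by Se (row) and class CL = Fr + Pr + Av (column).
# "OM" = other measures recommended; no entry = no SRCF needed for that hazard.
_SIL_MATRIX = {
    4: {(3, 4): "SIL 2", (5, 7): "SIL 2", (8, 10): "SIL 2",
        (11, 13): "SIL 3", (14, 15): "SIL 3"},
    3: {(5, 7): "OM", (8, 10): "SIL 1", (11, 13): "SIL 2", (14, 15): "SIL 3"},
    2: {(8, 10): "OM", (11, 13): "SIL 1", (14, 15): "SIL 2"},
    1: {(11, 13): "OM", (14, 15): "SIL 1"},
}


def frequency_fr(interval_hours: float, duration_min: float,
                 reduce_short_duration: bool = False) -> int:
    """Fr from the exposure interval. Annex A lets an exposure shorter than
    10 min drop one level, but never when the interval is 1 h or less."""
    fr = 2
    for max_hours, value in _FR_BY_MAX_INTERVAL_HOURS:
        if interval_hours <= max_hours:
            fr = value
            break
    if reduce_short_duration and duration_min < 10 and interval_hours > 1:
        fr = max(fr - 1, 2)  # 2 is the bottom of the Fr scale
    return fr


def required_sil(se: int, fr: int, pr: int, av: int) -> Tuple[int, Optional[str]]:
    """Return (CL, required SIL). Se selects the row; it is not a term of CL."""
    for name, value, allowed in (("Se", se, {1, 2, 3, 4}), ("Fr", fr, {2, 3, 4, 5}),
                                 ("Pr", pr, {1, 2, 3, 4, 5}), ("Av", av, {1, 3, 5})):
        if value not in allowed:
            raise ValueError(f"{name}={value} is not on the IEC 62061 scale")
    cl = fr + pr + av
    for (low, high), sil in _SIL_MATRIX[se].items():
        if low <= cl <= high:
            return cl, sil
    return cl, None


def slide_example() -> Dict[str, object]:
    """The form's hazard: loss of a finger, about 4 times a day for under
    10 min, hazardous event likely, avoidance possible, classified both ways."""
    fr = frequency_fr(interval_hours=24 / 4, duration_min=8)          # 5, no reduction
    cl, sil = required_sil(se=3, fr=fr, pr=4, av=3)                    # CL 12 -> SIL 2
    fr_red = frequency_fr(24 / 4, 8, reduce_short_duration=True)       # 4
    cl_red, sil_red = required_sil(se=3, fr=fr_red, pr=4, av=3)        # CL 11 -> SIL 2
    plr = required_pl("S2", "F2", "P1")  # irreversible, frequent, avoidable -> d
    return {"fr": fr, "cl": cl, "sil": sil,
            "cl_reduced": cl_red, "sil_reduced": sil_red, "plr": plr}


if __name__ == "__main__":
    for name, value in slide_example().items():
        print(f"{name:12} {value}")
```

Two things the script makes visible that the form alone does not: Se is the row of the matrix and never part of the CL sum, and taking the optional short-duration reduction (Fr 5 to 4) moves CL from 12 to 11 but stays inside the 11–13 band, so the required SIL is SIL 2 either way. Recording that sensitivity is exactly the kind of assumption Clause 7 of ISO 12100 expects in the risk assessment documentation.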
Examples of Risk Graphs

Risk Graph according to IEC 61508-5

112
Documentation of the Risk Analysis

• As required:
– The risk analysis shall be carried out systematically by a team of experts and
documented traceably.
– The manufacturer has the obligation to produce supporting documents showing that
everything possible has been done so that the machine is “safe.”
– Demonstration without documentation is almost impossible!
– If the documents cannot be presented (because they are not available), the proof of
conformity with the Directive is regarded as not provided.
• (Annex VII, A.3: failure to present the technical file may constitute sufficient
grounds for doubting the conformity with the Directive)
– Retention period for the technical file: at least 10 years after the date of manufacture
(for series manufacture, after the last unit produced)

113
What is a Safety Function?

• A function which is performed by a safety-related system for risk reduction with the aim
of achieving or maintaining a safe state of the machinery.
• Transition into the safe state (e.g. shut-off)
– Risk analysis with identification of hazards:
hazard → severity of harm × frequency of occurrence → risk
risk → risk graph → necessary risk reduction, expressed as a required category (SC), SIL or PL
• A safety function is assigned to the elimination/reduction of one risk.
• The safety function is executed by all components which are involved in it:
– a sensor for the detection of an event,
– evaluation of the sensor signal (logic) and
– execution of the appropriate action (actuator).

114
What is a Safety Function?

• The safety of machinery/plant is mainly determined by the “safe functioning” of the
control and monitoring system.
• Functional safety is achieved if each specified safety function is executed in accordance
with the applicable risk; i.e., the machinery can be considered as safe.
• Safety shall be ensured under normal/undisturbed conditions and shall not be
compromised under failure conditions.

– Not to be confused with “electrical (basic) safety,” i.e., protection against electric
shock

115
Steps to take to design a “safe” machine

• Execution of a risk estimation and risk evaluation; for example, according to ISO 12100

• Determine the necessary measures to reduce the risks (application of the risk graph)
– Example: PLr (performance level required)
– Example: required SIL (safety integrity level), achieved with subsystems whose SILCL
(SIL claim limit) is at least the required SIL

• Execution / design of the measures for risk reduction (constructive measures)

• Realization of the protective devices with IEC 62061 and/or ISO 13849-1
– For each safety function: assignment of the required SIL or PLr
– Functional and safety-related specification (SRS) for each safety function
– Design and technical realization of the safeguards
– Evaluation of the achieved SIL or PL
– Verification
– Validation

116
Steps to designing a “safe” machine using the “safety life cycle” approach
Notes:
• The steps are the same as on the previous slide (risk estimation and evaluation, e.g.
according to ISO 12100; determination of the risk reduction measures via the risk graph;
design of the constructive measures; realization of the protective devices using
IEC 62061 and/or ISO 13849-1, with assignment of the required SIL or PLr and a
safety requirements specification (SRS) for each safety function, design and
realization of the safeguards, evaluation of the achieved SIL or PL, verification and
validation), here arranged as the phases of the safety life cycle.

117
Risk Reduction by the Use of Electronic Safeguards
and Safety Components
Risk assessment:
• ISO 12100 – Machine safety – General principles for design – Risk assessment and risk reduction
• ANSI B11.0 – Machine safety – General safety requirements and principles for risk assessment

↓ Functional and safety requirements for the safety-related functions

Design and realization of electric/electronic safeguards:
• ISO 13849-1 – Machine safety – Safety-related parts of control systems (also non-electrical
and simple electrical technology)
• IEC 62061 – Machine safety – Functional safety of E/E/PE control systems
• ANSI B11.TR4 – Machine safety – Selection of programmable electronic systems (PES/PLC)
for machine tools

Electrical equipment of machines:
• IEC 60204-1 – Machine safety – Electrical equipment of machines
• ANSI/NFPA 79 – Electrical equipment of machines

118
IEC 60204 Electrical Safety


119
IEC 60204-1 Scope

• This part of IEC 60204 applies to the application of electrical, electronic and
programmable electronic equipment and systems to machines not portable by
hand while working, including a group of machines working together in a co-ordinated
manner.
• The equipment covered by this part of IEC 60204 commences at the point of
connection of the supply to the electrical equipment of the machine.
• This part of IEC 60204 does not cover all the requirements (for example guarding,
interlocking, or control) that are needed or required by other standards or regulations in
order to protect persons from hazards other than electrical hazards. Each type of
machine has unique requirements to be accommodated to provide adequate safety.

120
IEC 60204-1 Section 4

• Section 4 – General Requirements


– 4.1 General Considerations
– The risks associated with the electrical hazards of the machine shall be assessed as part
of the overall risk assessment of the machine, in order to determine the risk reduction
and protective measures to be implemented so that the machine performs acceptably.
– Electrical components and devices shall be suitable for their intended use and shall
conform to the relevant IEC standards where such exist.

• Guidelines are given for the following :


– AC/DC Supply, Voltage, Electromagnetic compatibility(EMC), Air Temp, Humidity,
Altitude, Contaminants, Ionizing & non-Ionizing radiation, Vibration, Shock & Bump,
Transportation & Storage, Provisions for Handling and Installation

121
IEC 60204-1 Section 9

• Section 9 - covers Control Circuits and Control Functions


– The following sections are all relevant and important
• Control circuits (9.1)
• Control functions (9.2)
• Protective interlocks (9.3)
• Control functions in the event of failure (9.4)
– Under control functions:
• Stop & Start Functions (9.2.1/9.2.2)
• Operating modes (9.2.3)
• Suspension of Safety Functions or protective measures (9.2.4)
• Emergency stop/Emergency switching off (9.2.5.4)
• Hold to run, Two-hand control and Enabling control (9.2.6)
• Cableless control (9.2.7)

122
IEC 60204-1 Sections 9

• Section 9 - covers Control Circuits and Control Functions (cont.)


– Protective interlocks (9.3)
– Measures to minimize risk in the event of failure (9.4)
• Proven techniques and components (9.4.2)
• Redundancy
• Diversity
• Functional testing

123
IEC 60204-1 Sections 9

• Start Function (9.2.5.2)

– Operates by energizing the relevant circuits
– Can only be operated when all safety functions and protective measures are in place and
operational (except where a suspension of the safety function has been applied, see 9.2.4)
• Stop Functions (9.2.5.3)
– There are three categories of stop function:
• Stop Category 0 – Stopping by immediate removal of power to the
machine actuators (i.e. an uncontrolled stop)
• Stop Category 1 – A controlled stop with power available to the
machine actuators to achieve the stop, and removal of power
once the stop is achieved
• Stop Category 2 – A controlled stop with power left available to the
machine actuators
• Emergency stop must be either a Category 0 or a Category 1 stop
• The stop category to be used is defined by the risk assessment
124
IEC 60204-1 Sections 9

• Stop Functions
– Measures shall be taken to prevent any unintended or unexpected movement of the machine
after it has stopped (e.g. after a power supply fault, battery replacement, or loss of the
signal from a cableless control station)
– When a machine has more than one control station steps should be taken to ensure
that a start command from any control station does not lead to a hazardous
condition.
– Where more than one control station is supplied a stop command from any control
station shall be effective when required by the risk assessment.

125
IEC 60204-1 Sections 9

• Emergency Stop
– Emergency stop must be either a Cat 0 or Cat 1 stop
– Shall override all other functions and operations
– Either: power shall be removed immediately from the parts which can cause a hazard
(Stop Cat 0)
– Or: a controlled stop, bringing the hazard to a halt as quickly as possible without creating
additional hazards (Stop Cat 1)
– Reset of the emergency stop device is only possible at the location of the stop command,
and the reset is not a restart of the machine: the restart is a separate command

126
IEC 60204-1 Sections 9

• Emergency switching off should be provided where:


– protection against direct contact (for example with conductor wires, conductor bars,
slipring assemblies, controlgear in electrical operating areas) is achieved only by
placing out of reach or by obstacles (see 6.2.6); or
– there is the possibility of other hazards or damage caused by electricity.
• Emergency switching off is accomplished by switching off the relevant incoming supply
by:
– electromechanical switching devices, effecting a stop category 0 of machine
actuators connected to this incoming supply.

Note: When a machine cannot tolerate this stop category 0 stop, it may be necessary
to provide other measures, for example protection against direct contact, so that
emergency switching off is not necessary.

127
IEC 60204-1 Sections 9 & 10

• Suspension of safety functions and/or protective measures

(i.e. bypass of safeguards is permitted only where necessary for setting or maintenance;
the following then applies)
– All other operating control modes are disabled
– In addition, one or more of the following:
• Initiation of operation only by a hold-to-run device
• Portable control station with emergency stop and enabling device, so that motion
can only be initiated from this device
• Limitation of the speed or the power of motion
• Limitation of the range of motion

128
IEC 60204-1 Sections 9 & 10

• Operating Modes
A machine can have one or more operating modes. Where persons can be exposed to a
hazard in a selected mode, unauthorized or inadvertent mode selection shall be
prevented (e.g. access code, key-operated switch)
• Mode selection by itself shall not start up the machine; a separate actuation of
the start control is required
• Each operating mode has its own relevant safety functions and
protective measures in place
• Indication of the selected mode shall be provided (e.g. selector switch position,
indicator lamp or visual display)

129
IEC 60204-1 Sections 9

• Other Control Functions (9.2.6)


– Hold to Run Control
• Hold-to-run controls shall require continuous actuation of the control
device(s) to achieve operation.
NOTE: Hold-to-run control can be accomplished by two-hand control
devices.

130
IEC 60204-1 Sections 9

• Two-Hand Control (three types)

– Type 1: the provision of two control devices and their concurrent actuation
by both hands
• Continuous concurrent actuation during the hazardous situation
• Machine will stop upon the release of either one or both of the
control devices
• A type 1 device is not suitable for hazardous operations
– Type 2: as type 1, but requires the release of both control
devices before machine operation can be restarted
– Type 3: as type 2, requiring release of both buttons, but additionally
requires
• both buttons to be actuated within a time period not exceeding 0.5 s
• where the time period has been exceeded, both devices to be
released before the machine can be restarted

131
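The three two-hand control types above differ only in their lock-out rules, which makes them a good candidate for a small state machine. The following is an added example written for this page, not code from the slides or from any Rockwell or TUV product; the (left, right, time) samples in SAMPLE are constructed, and the 0.5 s limit is the type 3 value quoted on the slide.

```python
"""Two-hand control types 1, 2 and 3 as a small state machine (added illustration).

The output enables hazardous motion only while both actuators are held; releasing
either one drops it. Type 2 additionally requires both actuators to be released
before a new enable; type 3 also requires the two actuations to occur within
0.5 s of each other. Times are in seconds and supplied by the caller.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYNC_LIMIT_S = 0.5   # type 3: maximum time between the two actuations


@dataclass
class TwoHandControl:
    thc_type: int = 3                 # 1, 2 or 3 as on the slide
    left: bool = False                # last seen actuator states
    right: bool = False
    left_t: Optional[float] = None    # time of the most recent rising edge per actuator
    right_t: Optional[float] = None
    output: bool = False              # True = hazardous motion enabled
    release_required: bool = False    # lock-out until both actuators are released

    def update(self, left: bool, right: bool, now: float) -> bool:
        """Feed the current actuator states; returns the output (enable) state."""
        if left and not self.left:
            self.left_t = now
        if right and not self.right:
            self.right_t = now
        self.left, self.right = left, right

        if not left and not right:
            # both released: lock-out cleared, a fresh concurrent actuation may start
            self.release_required = False
            self.left_t = self.right_t = None
            self.output = False
            return False

        if left and right:
            if self.release_required:
                self.output = False
                return False
            if self.thc_type == 3 and abs(self.left_t - self.right_t) > SYNC_LIMIT_S:
                # not concurrent within 0.5 s: no output until both are released
                self.release_required = True
                self.output = False
                return False
            self.output = True
            return True

        # exactly one actuator pressed: output off for every type; for types 2
        # and 3 a partial release after an enable forces a full release first
        if self.output and self.thc_type >= 2:
            self.release_required = True
        self.output = False
        return False


def run_sequence(thc_type: int, events: List[Tuple[bool, bool, float]]) -> List[bool]:
    """Replay (left, right, time) samples through a controller of the given type."""
    thc = TwoHandControl(thc_type=thc_type)
    return [thc.update(l, r, t) for l, r, t in events]


# constructed sample: left at 0 s, right at 0.3 s (ok), right released at 2 s,
# right pressed again at 2.1 s (types 2/3: refused), both released, then
# left at 4 s and right at 5 s (type 3: too slow), both released, both at 7 s
SAMPLE = [(True, False, 0.0), (True, True, 0.3), (True, False, 2.0), (True, True, 2.1),
          (False, False, 3.0), (True, False, 4.0), (True, True, 5.0),
          (False, False, 6.0), (True, True, 7.0)]

if __name__ == "__main__":
    for t in (1, 2, 3):
        print(f"type {t}:", run_sequence(t, SAMPLE))
```

Replaying SAMPLE shows the difference between the types on the same input: type 1 re-enables at 2.1 s and 5 s, type 2 refuses the 2.1 s re-press until both hands are off, and type 3 additionally refuses the 5 s actuation because the two presses were 1 s apart.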
IEC 60204-1 Sections 9

• Other Control Functions (9.2.6 cont.)


– Enabling control (see also 10.9) is a manually activated control function
interlock that:
• when activated allows a machine operation to be initiated by a
separate start control, and
• when de-activated
– initiates a stop function, and
– prevents initiation of machine operation.
– Enabling control shall be so arranged as to minimize the possibility of defeating,
for example by requiring the de-activation of the enabling control device
before machine operation may be reinitiated. It should not be possible to
defeat the enabling function by simple means.

132
IEC 60204-1 Sections 9

• Cableless control:
– This subclause deals with the functional requirements of control systems
employing cableless (for example radio, infra-red) techniques for
transmitting commands and signals between a machine control system
and operator control station(s).
– Measures shall be taken to prevent the machine from responding to
signals other than those from the intended operator control station(s).
– Where necessary, means shall be provided so that the machine can only
be controlled from operator control stations in one or more predetermined
zones or locations.
• Control limitation:
Measures shall be taken to ensure that control commands:
• affect only the intended machine;
• affect only the intended functions.

133
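IEC 60204-1 states the goals for cableless control (respond only to the intended operator control stations, limit control to predetermined zones, affect only the intended machine and functions) but not the mechanism. The receiver below is an added example for this page, not code from the slides or any vendor protocol: it pairs each station with its own HMAC key, rejects replayed frames with a per-station sequence number, refuses motion commands from outside a station's permitted zone, and treats loss of the heartbeat as a stop. The keys, station names, zones, machine identifier and timeout are all constructed.

```python
"""Cableless operator control station receiver (added illustration).

Accepts commands only from paired stations, only for this machine, only from
permitted zones, never twice, and stops on loss of signal. Keys and identifiers
below are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

MACHINE_ID = "press-7"                # constructed identifier of this machine
HEARTBEAT_TIMEOUT_S = 0.5             # constructed: silence longer than this is a signal loss
PAIRED_STATIONS: Dict[str, bytes] = {  # pairing keys, one per operator control station
    "OCS-1": b"constructed-pairing-key-1",
    "OCS-2": b"constructed-pairing-key-2",
}
PERMITTED_ZONES: Dict[str, Set[str]] = {  # zones from which each station may command motion
    "OCS-1": {"zone-A"},
    "OCS-2": {"zone-A", "zone-B"},
}


def _mac(key: bytes, payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_command(station: str, key: bytes, seq: int, zone: str, cmd: str,
                  machine: str = MACHINE_ID) -> dict:
    """What a control station transmits: the payload plus its MAC."""
    payload = {"station": station, "machine": machine, "seq": seq, "zone": zone, "cmd": cmd}
    return {"payload": payload, "mac": _mac(key, payload)}


class CablelessReceiver:
    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}   # highest sequence number accepted per station
        self.last_heard: Optional[float] = None
        self.running = False

    def accept(self, frame: dict, now: float) -> str:
        p = frame.get("payload", {})
        key = PAIRED_STATIONS.get(p.get("station"))
        if key is None:
            return "rejected: unknown station"
        if not hmac.compare_digest(_mac(key, p), frame.get("mac", "")):
            return "rejected: bad mac"           # forged, corrupted or wrongly keyed
        if p.get("machine") != MACHINE_ID:
            return "rejected: wrong machine"     # affect only the intended machine
        if p.get("seq", -1) <= self.last_seq.get(p["station"], -1):
            return "rejected: replay"
        self.last_seq[p["station"]] = p["seq"]
        self.last_heard = now                    # any authentic frame proves the link is alive
        if p.get("cmd") == "stop":
            self.running = False                 # a stop from any paired station is honoured
            return "stop"
        if p.get("zone") not in PERMITTED_ZONES.get(p["station"], set()):
            return "rejected: station outside permitted zone"
        if p.get("cmd") == "run":
            self.running = True
            return "run"
        return "rejected: unknown command"      # affect only the intended functions

    def tick(self, now: float) -> bool:
        """Periodic check: loss of the cableless signal must lead to a stop."""
        if self.running and (self.last_heard is None or now - self.last_heard > HEARTBEAT_TIMEOUT_S):
            self.running = False
        return self.running
```

Two design choices worth noting: a stop is honoured from any authenticated station regardless of zone, since a stop is the safe state, while run commands are zone-checked; and the heartbeat is refreshed by any authentic frame, so a station that is alive but sending rejected commands does not cause a spurious signal-loss stop.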
IEC 60204-1 Sections 9

• Control Functions in the event of Failure (9.4)


– Where failures in the electrical equipment can lead to a hazardous situation or to
damage to the machine or the work, measures shall be taken to reduce the probability
of such failures, as per IEC 62061 and ISO 13849-1 / ISO 13849-2
– Measures to reduce those risks include, but are not limited to:
– Protective devices on the machine (interlocks / trip devices)
– Protective interlocking of the electrical circuits
– Use of proven circuit techniques and components
– Provision of partial or complete redundancy
– Provision of functional tests

134
IEC 60204-1 Sections 10

• Section 10 Operator interface and machine mounted control devices


– Devices mounted outside or partially outside control enclosures
• Positioning and Mounting
– Not placed where they can be inadvertently operated
– Not exposed to damage from other machine operations
– Readily accessible for service and maintenance
– Easily accessible to the machine operator without leading to a hazardous
situation
– Hand-operated control devices should be not less than 0.6 m above the
servicing level and within easy reach
– Suitable IP rating for the environment
• Position Sensors (position switches, proximity switches)
– Shall be mounted so as not to be damaged by overtravel; safety-related
position switches shall have direct opening action

135
IEC 60204-1 Sections 10

• Push-Buttons
– Colours as per Table 2
• Red = Emergency (e.g. emergency stop)
• Yellow = Abnormal (intervention to suppress an abnormal condition)
• Blue = Mandatory (e.g. reset function)
• Green = Normal
• White / Grey / Black = No specific meaning (Start / Stop / Off)

136
IEC 60204-1 Sections 10

• Indicator Lights and Displays

– Colours as per Table 4
– Mounted and selected so as to be visible to the machine operator
– Indicator lights used as warning lights should be monitored for operability

137
IEC 60204-1 Sections 10

• Location of Emergency Stop Devices

– Should be readily accessible
– Located at each operator control station and at other locations where the
initiation of an emergency stop can be required (point of hazard)

• Types of Emergency Stop Devices

– Red mushroom-head push-button on a yellow background (ISO 13850)
– Pull-cord operated switch
– Pedal-operated switch without a mechanical guard

138
IEC 60204-1 Sections 17

• 17 Technical documentation - Information to be provided


– A main document (parts list or list of documents);
– Complementary documents including:
• a clear, comprehensive description of the equipment, installation
and mounting, and the connection to the electrical supply(ies);
• electrical supply(s) requirements
• information on the physical environment (for example lighting,
vibration, noise levels, atmospheric contaminants) where
appropriate;
• overview (block) diagram(s) where appropriate;
• circuit diagram(s)

139
IEC 60204-1 Sections 17

• 17 Technical documentation information to be provided


– Complementary documents including:
• information (as applicable) on:
– programming, as necessary for use of the equipment;
– sequence of operation(s);
– frequency of inspection;
– frequency and method of functional testing;
– guidance on the adjustment, maintenance, and repair, particularly of the protective
devices and circuits;
– recommended spare parts list; and list of tools supplied.
• a description (including interconnection diagrams) of the
safeguards, interlocking functions, and interlocking of guards
against hazards, particularly for machines operating in a co-
ordinated manner;

140
IEC 60204-1 Sections 17

• 17 Technical documentation information to be provided


– Complementary documents including:
• a description of the safeguarding and of the means provided
where it is necessary to suspend the safeguarding (for example
for setting or maintenance), (see 9.2.4);
• instructions on the procedures for securing the machine for
safe maintenance; (see also 17.8);
• information on handling, transportation and storage;
• information regarding load currents, peak starting currents and
permitted voltage drops, as applicable;
• information on the residual risks due to the protection measures
adopted, indication of whether any particular training is required
and specification of any necessary personal protective equipment.

141
IEC 60204-1 Sections 17

• Installation documents
– The installation documents shall give all information necessary for the
preliminary work of setting up the machine (including commissioning). In
complex cases, it may be necessary to refer to the assembly drawings for details.
• Circuit diagrams
– A circuit diagram(s) shall be provided. This diagram(s) shall show the electrical
circuits on the machine and its associated electrical equipment. Any graphical
symbol not shown in IEC 60617-DB:2001 shall be separately shown and
described on the diagrams or supporting documents. The symbols and
identification of components and devices shall be consistent throughout all
documents and on the machine.
• Operating manual
• Maintenance manual
• Parts list

142
IEC 60204-1 Sections 18

• 18 Verification
– General - this part of IEC 60204 gives general requirements for the electrical
equipment of machines.
– The extent of verification will be given in the dedicated product standard for
a particular machine. Where there is no dedicated product standard for the
machine, the verifications shall always include the items a, b and f and may include
one or more of the items c to e:
• a) verification that the electrical equipment complies with its technical
documentation;
• b) in case of protection against indirect contact by automatic disconnection, the
conditions for protection by automatic disconnection shall be verified according to 18.2;
• c) insulation resistance test (see 18.3);
• d) voltage test (see 18.4);
• e) protection against residual voltage (see 18.5);
• f) functional tests (see 18.6).
143
ISO 13849-1 Safety Functions

144
Safety Functions and
Devices for Machines


145
Safety Related Functions

Classic safety related functions (EN IEC 60204-1 etc.)


• … stop
• … emergency operation
• ... start and re-start, prevention of unexpected start
• ... hold-to-run function for instance for machine set-up

More complex functions


• … safely limited speed, safe speed range
• … safely limited position
• … muting
• ... etc.

146
Proximity Switches for Safety Functions

• Defined per IEC 60947-5-3:


– proximity switches with defined behaviour under fault conditions, which sense differences in
optical, magnetic, electrostatic, acoustic or other fields and as a result switch an output signal.
– Especially suitable for
• High-frequency or imprecise operation
• Hot and aggressive environments
• Strong vibration
• Applications with a high risk of manipulation (defeat)

147
Proximity Switch – Categorized according to
behavior

Classification / Designation / Requirements regarding the functionality

PDF-F / proximity switch with designed reliability / A PDF-F takes reasonably foreseeable
faults into account so that they cannot bring or hold the switch in the on-state.

PDF-T / proximity switch with test capability / A PDF-T must have a test input. A test signal
at the test input simulates a detected body in the detection area (an object nearer than the
safety off-state distance).

PDF-S / proximity switch with single-fault tolerance / If a single fault occurs:
a) the PDF-S continues to work correctly according to its defined behaviour; or
b) the OSSDs are switched to the off-state and kept there within a defined risk time,
independent of the position of the actuator; or
c) the OSSDs are switched to the off-state and kept there after the actuator has left the
detection area and a defined risk time has passed.

PDF-M / proximity switch with self-monitoring / In addition to the requirements for PDF-S, a
second fault (an accumulation of two faults) shall not lead to undefined behaviour
(two-fault tolerance).

Note: A PDF-S or PDF-M must have at least two OSSDs.
148
Muting

... is the temporary suspension of a safety function


• Muting functions are often used in conjunction with opto-electronic safety
sensing devices (ESPE).
• Muting is required for automated systems in which the machine or other
objects (e. g. pallets) are to be able to cross the detection zone, without
stopping the system.
• Typical examples are pallet handling devices:
– The pallet must be able to pass the detection zone without stopping the
process.
– However the detection of a person must lead to an immediate stop of the
process.

Muting functions must be able to distinguish between permitted objects and not
permitted objects (e. g. persons).
150
Muting - Standards

General standards
• ISO 13849-1: Safety of machinery – Safety-related parts of control systems
Detailed standards
• IEC 62046: Safety of machinery - Application of protective equipment to detect the
presence of persons
• IEC 61496: Safety of machinery - Electro-sensitive protective equipment, Part 1:
General requirements and tests

151
Muting - Definitions

ISO 13849-1:
• Muting: temporary automatic suspension of a safety function(s) by safety-related parts
of the control system
IEC 62046:
• Muting: temporary automatic suspension of a safety function(s) by safety-related parts
of the control system
• Mute dependent override function allows a manual operation of the machine when the
detection zone of the protective device is interrupted to allow the evacuation of the pallet
or of the material from the muting area.
IEC 61496
• Muting: temporary automatic suspension of a safety function(s) by safety-related parts
of the control system

152
IEC 60204-1 Sections 9 & 10

• Suspension of safety functions and/or protective measures

(i.e. bypass of safeguards is permitted only where necessary for setting or maintenance;
the following then applies)
– All other operating control modes are disabled
– In addition, one or more of the following:
• Initiation of operation only by a hold-to-run device
• Portable control station with emergency stop and enabling device, so that motion can only
be initiated from this device
• Limitation of the speed or the power of motion
• Limitation of the range of motion
• See also ISO 12100-2:2003, 4.11.9

153
Muting – General Requirements
(ISO 13849-1, 5.2.5)

• Muting shall not result in any person being exposed to hazardous situations.
• During muting safe conditions must be provided by other means.
• After termination of muting all safety functions of the safety-related parts of the control
system must be reinstated.
• The performance level of safety-related parts providing the muting function must be
selected in order that through the use of the muting function the required safety integrity
for the relevant safety functions is not reduced.

154
Muting - Principle

[Figure: muting principle - light grid across a conveyor belt carrying transport material,
four muting sensors, logic unit]

Muting lamp is on while muting is active

USA: monitoring of the lamp is required
(UL 61496)

155
Muting - Timing Diagram

[Figure: muting timing diagram - ESPE output in the on-state while the transport material
passes; muting sensors A1, A2, B1, B2 are actuated in sequence, with the time between the
two sensors of a pair limited to tmax]
156
Muting – Monitoring/Diagnosis

Standard sensing devices/switches can be used for muting, as there are multiple
diagnostic options available:
• time dependent behaviour
• sequence detection (also direction dependent )
• monitoring of the duration of the muting
• ....

The above measures can be combined.

157
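The monitoring measures listed above (time-dependent behaviour, sequence detection with direction, limiting the muting duration) are what turn plain sensors into an acceptable muting arrangement. The following is an added example for this page, not code from the slides, IEC 62046 or any product manual, implementing one common combination of those measures for the four-sensor layout of the principle figure: A1 and A2 on the approach side of the light curtain, B1 and B2 on the far side. The time limits, the sensor names and the conveyor scenario in the usage are constructed; the real limits come from the risk assessment and the device manual.

```python
"""Muting sequence monitor for four-sensor pallet muting (added illustration).

Muting starts only when A1 and A2 are covered within tmax of each other while
the curtain is still clear; a B sensor covered first is a sequence violation;
muting ends when the rear edge of the pallet has passed B1 (beyond the curtain);
muting that lasts longer than the limit is a fault. Faults latch the OSSDs off.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

T_PAIR_MAX_S = 4.0    # "< tmax": both sensors of a pair must activate within this time
T_MUTE_MAX_S = 60.0   # maximum permitted muting duration


def sensors(**active: bool) -> Dict[str, bool]:
    """Constructed sensor sample: named sensors are active, all others clear."""
    return {k: active.get(k, False) for k in ("A1", "A2", "B1", "B2")}


@dataclass
class MutingMonitor:
    muting: bool = False
    fault: Optional[str] = None          # latched until a manual reset after the cause is removed
    mute_start: Optional[float] = None
    first_a: Optional[float] = None      # time the first A sensor was covered
    b_pair_seen: bool = False            # pallet has reached the far-side pair
    exiting: bool = False                # pallet is leaving the B pair after muting ended
    log: List[str] = field(default_factory=list)

    def step(self, s: Dict[str, bool], curtain_clear: bool, now: float) -> Tuple[bool, bool]:
        """Returns (ossd_on, muting_lamp_on) for the current sensor states."""
        a1, a2, b1, b2 = s["A1"], s["A2"], s["B1"], s["B2"]
        if self.fault:
            return False, False

        if not self.muting:
            if self.exiting and not (b1 or b2):
                self.exiting = False
            if (b1 or b2) and not self.exiting:
                # far-side pair covered first: wrong direction, or someone standing there
                return self._trip("sequence violation: B sensors active before muting", now)
            if (a1 or a2) and self.first_a is None:
                self.first_a = now
            if not (a1 or a2):
                self.first_a = None
            if a1 and a2:
                if now - self.first_a > T_PAIR_MAX_S:
                    return self._trip("A1/A2 not activated within tmax", now)
                if not curtain_clear:
                    return self._trip("muting requested while protective field interrupted", now)
                self.muting, self.mute_start, self.b_pair_seen = True, now, False
                self.log.append(f"{now:.1f}s muting start")
            # no muting: the OSSDs simply follow the light curtain
            return curtain_clear, self.muting

        # muting active: the curtain may be interrupted by the pallet without a stop
        if now - self.mute_start > T_MUTE_MAX_S:
            return self._trip("muting duration exceeded", now)
        if b1 and b2:
            self.b_pair_seen = True
        if self.b_pair_seen and not b1:
            # rear edge has passed B1 (beyond the curtain): end muting, lamp off; if the
            # curtain is still interrupted at this point, someone followed the pallet
            self.muting, self.mute_start, self.first_a = False, None, None
            self.b_pair_seen, self.exiting = False, True
            self.log.append(f"{now:.1f}s muting end")
            return curtain_clear, False
        return True, True

    def _trip(self, reason: str, now: float) -> Tuple[bool, bool]:
        self.fault = reason
        self.muting = False
        self.log.append(f"{now:.1f}s fault: {reason}")
        return False, False
```

The end condition matters for tailgating: muting is dropped as soon as the pallet's rear edge clears B1, so a person walking in behind the pallet is already in a live detection zone when they reach the curtain, and the output goes off.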
Override – Requirements for the Activation
(IEC 62046)

Activation by either
• Use of a spring-return hold-to-run device
– located such that it is not possible to enter the hazardous area during actuation
– and such that the hazardous area can be observed during the action

Or activation by
• Use of a key-switch or an equally secure momentary-action push-button
– if the override mode ends automatically once a correct muting sequence is guaranteed
– and entry to the hazardous area is not possible during override mode
– and an emergency stop can be activated from the same location

158
Enabling Control Devices

• Required where a person has to intervene in machine
operation
– Programming, setting up a machine, teaching
– Service work, maintenance
– Repair

Note: IEC 60947-5-8, IEC 60947-5-1, IEC 60204-1, NFPA 79, ANSI B11.19, ANSI R15.06, ISO
10218, ISO 11161

159
Hold-To- Run Controls
(IEC 60204-1)

• Definition: Hold-to-run controls shall require continuous actuation of the control
device(s) to achieve operation (control with integrated resetting)

160
Enabling Control Devices (ref. standards)

• IEC 60204-1, Chapter 10.9 / IEC 60947-5-8 (three-position enabling device)


– 2-level enabling switch – off/on
– 3-level enabling switch – off/on/off

• Enabling control (IEC 60204-1, Chapter 9.2.6.3)


– Enabling control (see also 10.9) is a manually activated control function interlock
that:
– when activated allows a machine operation to be initiated by a separate start
control, and
– when de-activated
– initiates a stop function, and
– prevents initiation of machine operation.
– Enabling control shall be so arranged as to minimize the possibility of defeating, for
example by requiring the de-activation of the enabling control device before machine
operation may be reinitiated.

161
Hold-To-Run Control
Safely limited position and speed (EN 1010)

• With the safety guard open, the machine can be started only by means of the hold-to-run
button, with the movement limited to:
• vmax 1 m/min or smax 25 mm
• vmax 5 m/min or smax 75 mm, if the lower values are not practical for the application
and the higher velocity does not lead to a significantly higher hazard
• vmax in the range 5 to 10 m/min: two-hand control devices required for this higher
velocity
• In all cases the speed of movement shall be as low as possible

162
Blanking (1)

• Fixed Blanking (stationary blanking):


– The locations of the blanked (masked) areas
of the detection zone do not change during
operation. The detection capability of the
other parts of the detection zone remains unchanged.
– The blanked areas shall be covered completely by permanently installed obstacles;
they are monitored by dark signal
– If this cannot be ensured, it must be considered for the calculation of the safety
distance.

163
Blanking (2)

• Floating Blanking (non-stationary blanking):


– The blanked area of the detection zone follows the location of a moving object(s)
during operation. The detection capability of the other areas remains unchanged.
– The blanked areas shall be covered completely by the blanked objects; they are
monitored by dark signal
– If this cannot be ensured, it must be considered for the calculation of the safety
distance.

164
Blanking (3)

• A variant of Floating Blanking is without monitoring the masked areas, i. e. the object
might be present or not.
• In this case the optical resolution and therefore the safety distance for the complete
protective device is determined by the number of blanked/ignored beams.
• Equivalent to a reduced resolution at only one position of the detection zone.

165
Summary of Blanking and Reduced Resolution

• Manufacturers use different terminology for blanking and reduced resolution functions;
observe the definitions and descriptions in the manual.
• Selection, installation (teach-in), modification of the functions and commissioning only
by authorized persons (password, key switch).
• Possible hazard through reflections caused by the mechanical parts installed
in the protection field.
• After teach-in the user has to validate the effective areas of the protection field with the
help of a test piece.
• Depending on the results of the risk assessment it shall be clarified whether blanking/reduced
resolution is acceptable; additional protective equipment might be
necessary.

166
Cyclic Operation

Cyclic Operation is:


– the reinitiating of the operation of the machine by the protective equipment

– modes:
• single cycle: where an actuation and de-actuation of the sensing device
reinitiates machine operation
• double cycle: where two consecutive actuations and de-actuations of the
sensing device reinitiate machine operation.

Cyclic operation is merging a control function with a safety function.

167
Requirements to Safety Devices with Cyclic
Operation (IEC 62046, IEC 61496)

• Requires a start and restart interlock feature

• Limited to AOPD type 4 devices used for stop action (must have presence-sensing
functionality)
• If several AOPDs are used, only one may initiate the operation
• Only for machines with repetitive, short operating cycles, a single operator and manual
feeding
• Not allowed as the sole measure for initiating machine operation (e.g. after power-up)
• Sensor detection capability: 14 mm for fingers, 30 mm for hands or 70 mm for legs
• Persons must not be able to pass through the protection zone and subsequently reinitiate the
machine cycle
• Reinitiation of the machine cycle is to be time-limited

168
Operating Condition (IEC 62046)

• The first machine cycle is initiated by a normal start control

• For further machine operation, cyclic operation is allowed if:
– the operation is reinitiated within the cycle time of the machine, and
– the reinitiation occurs within the expected time (≤ 30 s);
– reinitiation only occurs if the protective device was actuated for at least 100 ms (i.e.
the light curtain must have been interrupted for at least 100 ms);
– no actuation of the protective device took place during the hazardous operation (if it
did, the restart interlock applies)

169
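The operating conditions above are timing rules on the light-curtain signal, so they can be checked in a small controller. The following is an added example for this page, not code from IEC 62046 or any product: it requires a normal start for the first cycle, counts an ESPE actuation only if it lasted at least 100 ms, allows reinitiation only within 30 s of the end of the previous cycle, and sets the restart interlock on any actuation during the hazardous movement. Single-cycle and double-cycle modes are both supported; the timestamps in the test scenario are constructed.

```python
"""Cyclic operation: reinitiation of the machine cycle by the ESPE (added illustration).

The machine control calls normal_start() for the first cycle and cycle_complete()
at the end of each hazardous movement; the light-curtain state is fed to espe().
"""
from dataclasses import dataclass
from typing import Optional

MIN_ACTUATION_S = 0.100   # the ESPE must have been interrupted for at least 100 ms
MAX_REINIT_S = 30.0       # reinitiation must follow the end of the previous cycle within 30 s


@dataclass
class CyclicOperation:
    mode: int = 1                    # 1 = single cycle, 2 = double cycle
    hazardous: bool = False          # True while the machine performs its hazardous movement
    interlocked: bool = True         # start/restart interlock: only a normal start releases it
    cycle_end_t: Optional[float] = None
    interrupt_start: Optional[float] = None
    actuations: int = 0              # completed valid actuations since the last cycle

    def normal_start(self, espe_clear: bool, now: float) -> bool:
        """Deliberate start from a start control; the only way out of the interlock."""
        if not espe_clear or self.hazardous:
            return False
        self.interlocked = False
        self._begin_cycle(now)
        return True

    def cycle_complete(self, now: float) -> None:
        """Called by the machine control when the hazardous movement has finished."""
        self.hazardous = False
        self.cycle_end_t = now

    def espe(self, clear: bool, now: float) -> Optional[str]:
        """Feed the light-curtain state. Returns 'start' when a cycle is reinitiated,
        'interlock' when the restart interlock is set, otherwise None."""
        if not clear:
            if self.hazardous:
                # actuation during the hazardous movement: stop and set the restart interlock
                self.hazardous = False
                self.interlocked = True
                self.interrupt_start = None
                self.actuations = 0
                return "interlock"
            if self.interrupt_start is None:
                self.interrupt_start = now      # falling edge: field interrupted
            return None
        if self.interrupt_start is None:
            return None                         # field was already clear
        duration = now - self.interrupt_start   # rising edge: field clear again
        self.interrupt_start = None
        if self.interlocked or duration < MIN_ACTUATION_S:
            return None                         # interlocked, or too brief to count
        self.actuations += 1
        if self.actuations < self.mode:
            return None                         # double cycle: wait for the second actuation
        if self.cycle_end_t is None or now - self.cycle_end_t > MAX_REINIT_S:
            self.interlocked = True             # too late: a normal start is required again
            self.actuations = 0
            return "interlock"
        self._begin_cycle(now)
        return "start"

    def _begin_cycle(self, now: float) -> None:
        self.hazardous = True
        self.actuations = 0
```

Note that a too-short interruption is silently ignored rather than treated as a fault: a brief flicker of the curtain is not a deliberate actuation, but it is also not a reason to interlock, whereas an interruption during the hazardous stroke is.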
Emergency Stop Function

• A special type of machine stop for the case in which other measures no longer function
or the user is not able to initiate a normal stop
• In the event of an existing or imminent danger, shut-down of the machine by a single action
of anybody present, without further deliberation
• Is not a replacement for other safeguards. Emergency stop is an additional safety
function, added to the other required safeguarding devices, for the elimination
of hazardous conditions at a machine.
• The Machinery Directive requires, besides the "normal stopping function", a "stopping
function in case of emergency".

174
Emergency Switching Off --- Emergency Stop

Both are actions in an emergency (IEC 60204-1, Annex E):


• Emergency stop
– An emergency operation intended to stop a process or a
movement that has become hazardous.
[Symbol: emergency stop]
• Emergency switching off
– An emergency operation intended to switch off the supply of
electrical energy to all or a part of an installation where a risk
of electric shock or another risk of electrical origin exists.

175
Emergency Switching Off --- Emergency Stop

• The following requirements apply to both functions, with one exception:
– Emergency stop does not require switching off by electromechanical switching devices
– The choice between emergency switching off and emergency stop depends on the result of
the risk assessment
• Emergency switching off should be provided where:
– there is the possibility of electric shock or other hazards caused by electricity, or
– protection against electrical hazards is achieved by placing out of reach or by obstacles only

177
Emergency Switching Off / Emergency Stop

• Emergency switching off / emergency stop shall not impair any facilities
designed to release trapped persons
(e.g. interlocking of guards)
• Stop functions shall override all other functions and operations in all modes!
• Stop functions shall be operable independent of the operating mode.
• The fail-safe behaviour shall comply with the safety level required of the control system.
• Requirements for emergency switching off / emergency stop are defined in IEC
60204-1 and ISO 13850.

178
Requirements of Emergency Stop/Switching Off
Devices

• Assignment: when subdividing into several emergency shut-down areas, it has to be
easily recognizable which emergency stop device is assigned to which area.
• Shut-down: for emergency switching off, shut-down only by electromechanical components
• Reset: a restart may not be initiated by the reset (restart interlock)
• Reaction: the reaction of the machine to the emergency stop / switching off signal may not
cause an additional danger.
• For machines and equipment which operate together (chained machines), not only the
machine but also all upstream and downstream equipment must be stopped (risk
analysis).

183
Manual reset function
(ISO 13849-1)

• After a stop command has been initiated by a safeguard, the stop condition
shall be maintained until safe conditions for restarting exist.
• The re-establishment of the safety function by resetting of the safeguard
cancels the stop command. If indicated by the risk assessment, this
cancellation of the stop command shall be confirmed by a manual, separate
and deliberate action (manual reset).
• The performance level of safety-related parts providing the manual reset
function shall be selected so that the provision of the manual reset function
does not diminish the safety required for the relevant safety function.

184
Manual reset function
(ISO 13849-1)

The manual reset function shall


• be provided through a separate and manually operated device within the
SRP/CS,
• only be possible if all safety functions and safeguards are operative,
• not initiate motion or a hazardous situation by itself,
• be a deliberate action,
• enable the control system for accepting a separate start command,
• only be accepted by releasing the actuator from its energized (on) position
(state change).

185
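The manual reset rules on the two preceding slides (stop latched until reset, reset accepted only on release of the actuator, reset only enables a separate start and never starts motion itself) and the "restoration of power" case on the next slide are easiest to check as a small scan-cycle state machine. The following is an added example written for this page, not code from the course material or from any Rockwell product; the scan-cycle model and the three input names (safeguards_ok, reset_pressed, start_pressed) are assumptions.

```python
"""Manual reset / restart interlock per ISO 13849-1 (added example).
Inputs are evaluated once per scan, as a safety PLC would do.
Signal names and the scan model are assumptions of this example."""
from dataclasses import dataclass, field


@dataclass
class ManualResetInterlock:
    # The stop condition is latched, and the controller starts in the
    # stopped state: restoration of power must not restart the machine
    # without a deliberate reset.
    stop_active: bool = True
    # Set only after a valid reset; only then is a separate start accepted.
    start_enabled: bool = False
    running: bool = False
    _reset_was_pressed: bool = field(default=False, repr=False)

    def scan(self, safeguards_ok: bool, reset_pressed: bool,
             start_pressed: bool) -> bool:
        """One control cycle; returns True if the hazardous motion may run."""
        # 1. Any safeguard demand (guard open, light curtain interrupted,
        #    e-stop actuated) stops the machine and latches the stop.
        if not safeguards_ok:
            self.stop_active = True
            self.start_enabled = False
            self.running = False

        # 2. The separate, deliberate start command is evaluated BEFORE the
        #    reset edge, so a start cannot ride on the reset release in the
        #    same cycle: the reset never initiates motion by itself.
        if start_pressed and self.start_enabled and not self.stop_active:
            self.running = True

        # 3. The reset is accepted only on the state change from the
        #    energized (pressed) position to released, and only while all
        #    safeguards are operative. A stuck or jumpered reset input
        #    therefore never produces a reset.
        released_edge = self._reset_was_pressed and not reset_pressed
        self._reset_was_pressed = reset_pressed
        if released_edge and safeguards_ok and self.stop_active:
            self.stop_active = False
            self.start_enabled = True   # enable a start; do not start

        return self.running


def run_sequence(steps):
    """Feed (safeguards_ok, reset_pressed, start_pressed) tuples through a
    fresh interlock and return the run state after each scan."""
    ctl = ManualResetInterlock()
    return [ctl.scan(*s) for s in steps]


# Constructed scenario (not from the course material):
SCENARIO = [
    (True, False, True),    # start alone after power restoration: ignored
    (True, True, False),    # reset pressed: nothing happens yet
    (True, False, True),    # reset released + start in same cycle: enabled, no motion
    (True, False, True),    # separate start in the next cycle: motion runs
    (False, False, False),  # guard opened: stop latched
    (True, False, True),    # guard closed, start without reset: still stopped
]

STUCK_RESET = [(True, True, True)] * 3   # reset input held high: never resets

if __name__ == "__main__":
    print(run_sequence(SCENARIO))
    print(run_sequence(STUCK_RESET))
```

Evaluating the start command before the reset edge within a scan is the detail that keeps "reset" and "start" two distinct deliberate actions even when an operator presses both buttons at once; requiring the falling edge of the reset input is what defeats a welded button or a wire bridged to the reset terminal.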
Sources of possible faults
which may lead to an unintended start of the machinery

• Faulty design of the machinery


(e. g. no restart interlock implemented)
• Wrong start command by a defective control system
(e. g. faults in software, hardware or sensors)
• Restoration of power after interruption
• Generation of a wrong start command by human error
(e. g. unintended actuation of a button)
• Faulty sensor value
• Fault in the power circuit of a frequency converter
• Environmental influences
• EMC Pulses (Surge) in the cabling used for the start command

186
ISO 13849-1:2006
General Scope and
overview

Copyright © 2010 Rockwell Automation, Inc. All rights reserved.

187
Functional Safety Standards

• IEC 61508: "generic" electrical control systems (SIL)
• IEC 61511: "process" electrical control systems (SIL)
• IEC 62061: "machinery" electrical control systems (SIL)
• ISO 13849-1: "machinery" control systems, all technologies (PL)
188
Restrictions concerning the Application Area of the
ISO 13849-1

• For electronic systems the standard is only applicable if at least one of the following criteria is met:
– the PLr is a or b
– the safety function is carried out by HW whose fault behaviour is clearly determined and assessable, i.e. all fault conditions are known
– the part of the programmable electronic system within the SRP/CS that carries out the safety function is small (e.g. monitoring only) and the PLr is from a to d
– the safety function is carried out by diverse programmable electronic systems and the PLr is from a to d; depending on the application, "diverse" means
• diverse application SW and/or
• diverse operating system and/or
• diverse HW
– the safety-related parts used (including SW) fulfil the requirements of the appropriate applicable standards.
Not applicable for safety products with complex programmable electronics for PL e!
189
Risk Graph → Performance Level

S = Severity of injury (S1 slight, S2 serious)
F = Frequency and/or duration of exposure to the hazard (F1 seldom / short, F2 frequent / long)
P = Possibility of avoiding the hazard (P1 possible, P2 scarcely possible)

Required performance level PLr (ISO 13849-1, Figure A.1), from low to high contribution to risk reduction:
S1 F1 P1 → a
S1 F1 P2 → b
S1 F2 P1 → b
S1 F2 P2 → c
S2 F1 P1 → c
S2 F1 P2 → d
S2 F2 P1 → d
S2 F2 P2 → e

Must be determined for each safety function!
190
Relationship between PL and SIL

Performance   Average probability of a dangerous   Safety Integrity Level (SIL)
level (PL)    failure per hour, PFH [1/h]          (risk level, least to greatest)
a             ≥ 10⁻⁵ to < 10⁻⁴                     no special safety requirements
b             ≥ 3 × 10⁻⁶ to < 10⁻⁵                 1
c             ≥ 10⁻⁶ to < 3 × 10⁻⁶                 1
d             ≥ 10⁻⁷ to < 10⁻⁶                     2
e             ≥ 10⁻⁸ to < 10⁻⁷                     3

Combining Table 3 and 4 from ISO 13849-1:2006

191
Performance level estimation

What is the PLr required? What does that mean?


Must choose the most suitable combination of Structure (Category), Reliability (MTTFd)
and Diagnostics (DC)

192
Performance Level overview

193
Procedure of the Design, Development and
Verification Process

• Risk analysis, determination of the safety functions
• For each safety function:
– Determination of the required Performance Level PLr
– Design of the SRP/CS
– Determination of the achieved PL:
• Category (similar to EN 954)
• Quality of the hardware: MTTFd (= 1/λd)
• Quality of the diagnostics: DC
• Measures against common cause failures: CCF
– Consideration of qualitative aspects:
• Safety-related software
• Systematic failures
– Is PL ≥ PLr?
– If yes, validation of the SRP/CS
This process is performed under the application of suitable QM measures.

194
Designated Architecture
Category B

195
Basic and well-tried Safety Principles
(ISO 13849-2:2003)

• Basic safety principles (selection):
– Correct dimensioning and construction
– Use of suitable materials and appropriate manufacturing processes
– Use of NC contacts at inputs (position switches, buttons, ...) and NO contacts at outputs
– Sufficient protection elements for immunity against transient interference
• Well-tried safety principles (selection):
– Use of mechanically linked contacts
– Limitation of energy
– Over-dimensioning (factor 2)
– No undefined states
– Separation of safety-relevant and non-safety-relevant functions
– Whenever possible the device should fail into the safe state

196
What is a "well-tried component"?
(ISO 13849-1 and -2)

• Well-tried components according to ISO 13849-2:
• Switches with positive opening contacts (e.g. emergency stop button, position switch)
• Fuses
• Relays, auxiliary and main contactors
• Transformers
• Cables
• Plugs, sockets
• ....
Important: the components have to meet the relevant product standard!
ISO 13849-1:2006 has a definition which deviates from ISO 13849-2:
– a component which has been widely used in the past with successful results in similar applications, or
– which has been made and verified using principles which demonstrate its suitability and reliability for safety-related applications (also applicable to new components).
– Whether a component can be regarded as "well-tried" depends on the application.

197
Deterministic Fault Consideration
(Safety of Machinery)

• In order to prove fail-safety (safe behaviour of a control / device in case of a fault) the following shall be considered:
– which faults (failures) have to be assumed
– which faults can be excluded
– under which conditions / constraints these faults can be excluded
– what the effects of the faults are
– when a fault is revealed (time until fault detection)
• Fault lists / fault models can be found in:
– ISO 13849-2 (various technologies)
– for detailed information see also EN 982, EN 983 and Annex B of IEC 61496-1 (electrical / electronic components)

All faults that are physically possible shall be considered as faults.

198
General requirements for the consideration of faults

• If, in consequence of a component failure, further components fail, this has to be regarded as one fault/failure.
– If for one reason 2 or more components fail, this has to be regarded as one fault/failure (common cause failure).
– The simultaneous failure of 2 or more components due to different causes need not be assumed.

• Fault exclusions are allowed, but must be justified:
– if due to technical conditions the failure is very, very unlikely,
– due to generally accepted technical experience,
– in special applications, if special technical characteristics exist.

199
Designated Architecture Category B

• Design according to relevant standards
• Withstand expected influences
• Fault tolerance of zero
• Mainly characterized by selection of components
MTTFd per channel: low or medium; DCavg: none; CCF measures: not required
[Figure: Category B circuit example]

Designated Architecture Category 1

• Requirements for category B apply
• Well-tried components and safety principles
• Fault tolerance of zero, but the probability of occurrence is lower than for category B
• Mainly characterized by selection of components
MTTFd per channel: high; DCavg: none; CCF measures: not required
[Figure: Category 1 circuit example]

Designated Architecture Category 2
(TE: test equipment; OTE: output of test equipment)

• Requirements for category B apply
• Well-tried safety principles
• The safety function has to be checked at suitable intervals
• Fault tolerance of zero, but the loss of the SF is detected
• Mainly characterized by structure
MTTFd per channel: low, medium or high; DCavg: low or medium; CCF measures: required
[Figure: Category 2 circuit example]

Designated Architecture Category 3

• Requirements for category B apply
• Well-tried safety principles
• Fault tolerance of one
• Some but not all faults are detected
• Accumulation of undetected faults can lead to the loss of the SF
• Mainly characterized by structure
MTTFd per channel: low, medium or high; DCavg: low or medium; CCF measures: required
[Figure: Category 3 circuit example]

Designated Architecture Category 4

• Requirements for category B apply
• Well-tried safety principles
• Fault tolerance of two
• All faults are detected, or
• Fault accumulation does not lead to the loss of the SF
• Mainly characterized by structure
MTTFd per channel: high; DCavg: high; CCF measures: required
[Figure: Category 4 circuit example]
Performance level relationship

[Figure: bar chart of achievable PL versus category and DCavg, with the MTTFd of each channel on the vertical axis at 3, 10, 30 and 100 years (the low / medium / high MTTFd bands)]

210
Quantification - MTTFd


211
MTTFd

• MTTFd = Mean Time to dangerous Failure


• Average value of the operating time without dangerous failure in one channel
• Statistical value, no guaranteed lifetime!

212
Simplified method for estimating MTTFd

Parts count method for each channel:
• Identify all single components which are part of the channel and contribute to the safety function
• Determine MTTFd for each component; worst-case values from the table in Annex C
• Sum the 1/MTTFd,i values of all components, counting identical components by their number; this is the sum of the dangerous failure rates $\sum \lambda_{d,i}$:
$\dfrac{1}{\mathrm{MTTF_d}} = \sum_i \dfrac{1}{\mathrm{MTTF_{d,i}}} = \sum_i \lambda_{d,i}$
• Classify MTTFd (low, medium, high) via Table 3
• If the MTTFd of the channels differ:
– worst case: take the lower value into account, or
– apply the symmetrization equation for MTTFd

This method is very conservative and always errs on the safe side!
213
Two Types of Failure Data

• Mechanical or electromechanical
– Failure depends on load and operating frequency
– B10d: number of operations at which 10 % of the sample has failed to danger
• Electronic
– Failure depends on temperature and time
– MTTFd or PFHd
• MTTFd: mean time to dangerous failure (in years)
• PFHd: average probability of a dangerous failure per hour
• For a single channel without diagnostics, PFHd ≈ λd = 1/MTTFd (MTTFd must be converted from years to hours)

• These need to be converted to one data type to complete the analysis:
– B10d is converted to MTTFd.

214
Determination of MTTFd (per channel)

• B10d = number of cycles until 10 % of the components have failed dangerously
• dop = number of days per year the machine is operational
• hop = number of hours per day the machine is operational
• tcycle = mean time in seconds between the beginning of two consecutive cycles of the component
• To be determined:
– Number of switching cycles per year:
$n_{op} = \dfrac{d_{op} \cdot h_{op} \cdot 3600\,\mathrm{s/h}}{t_{cycle}}$
– Operating time of the component until it fails dangerously:
$T_{10d} = \dfrac{B_{10d}}{n_{op}}$
– Mean time to dangerous failure (MTTFd):
$\mathrm{MTTF_d} = \dfrac{T_{10d}}{0.1} = \dfrac{B_{10d}}{0.1 \cdot n_{op}}$

215
Determination of MTTFd: Symmetrization

• Total MTTFd,tot:
• If both channels are equal: MTTFd,tot = MTTFd,Channel1 = MTTFd,Channel2
• If both channels are not equal: either take the smaller MTTFd of the 2 channels, or
• calculate MTTFd using the symmetrization formula for both channels (ISO 13849-1, Annex D)

216
Hierarchical Sequence for the Determination of the MTTFd values

• First: use values provided by the manufacturer
• Otherwise: use the methods defined in Annex C and D:
– the MTTF values in Annex C are taken from SN 29500
– these values are based on the application of methods of "good engineering practice" as well as basic and well-tried safety principles
• Otherwise: set MTTFd = 10 years

217
MTTFd and B10d Example from MTTFd values Annex
C

218
Considerations for B10d data

• For electro-mechanical devices, the deterioration or the life time is essentially


determined:
– by the mechanical stress for the mechanical parts,
– and the electrical stress due to loading effects
• The life time MTTFd is calculated via the interim value B10 (B10d) under consideration
of the stress rate (B10-method):
– B10: Number of operating cycles until 10 % of the components failed
– B10d: Number of operating cycles until 10 % of the components have failed
dangerously.
– If B10d is not known then:
• B10d = 2 B10 (assuming 50 % of all failures are dangerous and 50% of
failures are safe)

219
Calculations for MTTFd example

• MTTFd: The B10d value of 2,000,000 cycles [manufacturer's value] is stated for the mechanical part of LS1 and LS2. At 360 working days per year, 16 working hours per day and a cycle time of 300 seconds (5 minutes), nop is 69,120 cycles per year for these components.
Note: calculated using equations C.2 and C.7 of ISO 13849-1.

$n_{op} = \dfrac{360\,\mathrm{d/y} \cdot 16\,\mathrm{h/d} \cdot 3600\,\mathrm{s/h}}{300\,\mathrm{s/cycle}} = 69\,120\,\mathrm{cycles/y}$

$\mathrm{MTTF_{d,LS1-2}} = \dfrac{B_{10d}}{0.1 \cdot n_{op}} = \dfrac{2\,000\,000\,\mathrm{cycles}}{0.1 \cdot 69\,120\,\mathrm{cycles/y}} = 289\,\mathrm{y}$

$T_{10d,LS1-2} = \dfrac{B_{10d}}{n_{op}} = \dfrac{2\,000\,000\,\mathrm{cycles}}{69\,120\,\mathrm{cycles/y}} = 28.9\,\mathrm{y}$

(For the PL determination the MTTFd of a channel is limited to 100 years, so the 289 y above is capped at 100 y; T10d = 28.9 y is the time after which the component has to be replaced.)
220
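The B10d method, the parts count per channel, the 100-year cap, the symmetrization of dissimilar channels and the MTTFd classification of the preceding slides, carried through in Python as an added example (not code from the course material or from Rockwell). It uses the LS1/LS2 figures of the slide above; the second-channel contactor (B10d = 1,300,000 cycles) and the 100-year logic block are constructed, and the symmetrization formula is taken from ISO 13849-1:2006 Annex D, which the slides reference but do not print.

```python
"""MTTFd estimation per channel (ISO 13849-1:2006 Annex C/D), added example.
Only the LS1/LS2 data (B10d = 2,000,000; 360 d/y; 16 h/d; 300 s cycle)
come from the slides; the other component values are constructed."""
from dataclasses import dataclass

MTTFD_CAP_YEARS = 100.0   # ISO 13849-1 limits each channel's MTTFd to 100 years


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean number of operations per year: nop = dop * hop * 3600 s/h / tcycle."""
    return d_op * h_op * 3600.0 / t_cycle_s


def t10d_years(b10d: float, nop: float) -> float:
    """Operating time until 10 % of the components have failed dangerously."""
    return b10d / nop


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd = B10d / (0.1 * nop), in years."""
    return b10d / (0.1 * nop)


def mttfd_from_mttf(mttf_years: float, worst_case: bool = False) -> float:
    """Manufacturer quotes only MTTF (taken as MTBF): assume 50 % of failures
    are dangerous (MTTFd = 2 MTTF); the worst case of the course applies a
    further factor 0.1."""
    mttfd = 2.0 * mttf_years
    return 0.1 * mttfd if worst_case else mttfd


@dataclass
class Part:
    name: str
    count: int          # number of identical parts in the channel
    mttfd_years: float


def channel_mttfd(parts) -> float:
    """Parts count: 1/MTTFd,ch = sum(n_i / MTTFd,i) over the channel's parts."""
    lambda_d = sum(p.count / p.mttfd_years for p in parts)
    return 1.0 / lambda_d


def cap(mttfd: float) -> float:
    return min(mttfd, MTTFD_CAP_YEARS)


def symmetrize(c1: float, c2: float) -> float:
    """ISO 13849-1 Annex D symmetrization of two dissimilar channels. Each
    channel is capped at 100 years BEFORE the formula is applied, as the
    validation requirements demand."""
    c1, c2 = cap(c1), cap(c2)
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def classify_mttfd(mttfd: float) -> str:
    """MTTFd levels: low 3..10 y, medium 10..30 y, high 30..100 y;
    below 3 years the channel is not acceptable for an SRP/CS."""
    if mttfd < 3.0:
        return "not acceptable"
    if mttfd < 10.0:
        return "low"
    if mttfd < 30.0:
        return "medium"
    return "high"


def worked_example() -> dict:
    nop = n_op(360, 16, 300)                  # 69,120 cycles/year (slide)
    ls = mttfd_from_b10d(2_000_000, nop)      # 289.35 y for LS1 / LS2 (slide)
    k1 = mttfd_from_b10d(1_300_000, nop)      # constructed contactor, same nop
    ch1 = channel_mttfd([Part("LS1", 1, ls), Part("K1", 1, k1)])
    ch2 = channel_mttfd([Part("LS2", 1, ls), Part("logic", 1, 100.0)])  # constructed
    combined = symmetrize(ch1, ch2)
    return {
        "nop": nop,
        "T10d_LS": t10d_years(2_000_000, nop),
        "MTTFd_LS": ls,
        "channel1": ch1,
        "channel2": ch2,
        "symmetrized": combined,
        "level": classify_mttfd(combined),
    }


if __name__ == "__main__":
    for key, val in worked_example().items():
        print(f"{key:12s} {val:.2f}" if isinstance(val, float) else f"{key:12s} {val}")
```

Note how the 289-year limit switch is not what decides the channel: the parts count adds failure rates, so the constructed contactor (188 y) and the 100-year logic block pull each channel well below the individual switch value, and the cap then removes any credit above 100 years before symmetrization.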
What to do if the manufacturer provides MTTF or MTBF?

Situation: the manufacturer provides either MTTF or MTBF for a component / device

• MTTF ≈ MTBF (treated as equal)
– Calculation of MTTFd via MTTFd = 2 MTTF (assuming 50 % of the failures are dangerous)
– Worst case: MTTFd,wc = 0.1 MTTFd
Note: the method is an approximation that always errs on the safe side.
• If these MTTFd,wc values are too conservative (too low), more detailed and more complicated methods must be used:
– application of an FMEA to determine either λd or MTTFd
– classification of MTTFd as low, medium or high

Great care should be taken when using manufacturers' MTTFd data. These values are always based on assumptions, and those assumptions should be validated against the application.

221
Quantification - DC


222
Failure Categories

[Figure: failures divided into safe / dangerous and detected / undetected; the dangerous undetected (DU) share is the one to minimize]
223
Classification of the Quality of the Diagnostic
Measures (DC)

224
Estimation of the Quality of the Measures for Failure
Detection (DC)

• Identification of all online tests and diagnostics
• DC value for each test from the tables in Annex E
• If the diagnostic is not contained in Annex E, look in IEC 61508-2, Tables A.2 to A.15
• If the diagnostic is not contained in IEC 61508-2, estimate the diagnostic coverage DC
• Calculation of the average DC (DCavg) using the formula in E.2 (weighted by the dangerous failure rates 1/MTTFd of the blocks)
• Classification of the quality of the measures for failure detection (DC) via Table 4

225
Estimation of DC
Example: Output Device

Output:
• Redundant shut-off paths (K12/K22) with monitoring (feedback) and test (DC = ?)
• Use of mechanically linked contacts (relays with forcibly guided contacts, K11/K12); plausibility check whether the NC contact signals the right state (DC = ?)
• Cyclic test of the relay drive circuit (internal diagnostics) (DC = ?)
• Resulting DC for the output device: ?

[Circuit figure: NC contact signal K11/K12; redundant shut-off path K12/K22; mechanically linked contacts K12/K22; cyclic test of the relay drive circuit (internal diagnostics)]
226
Estimation of the DC
Example: Output Device

From ISO 13849-1:2006 table E.1


227
Determination of the Average DC

DCavg = 73.3%

228
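The DCavg formula of ISO 13849-1:2006 Annex E (E.2), which the two preceding slides apply to the output device, weights every block's DC by its dangerous failure rate 1/MTTFd. The following added example (not from the course material, and not reproducing the 73.3 % result above) computes DCavg for a constructed three-block SRP/CS, classifies it and identifies which block contributes most of the undetected dangerous failure rate; the block names, MTTFd values and DC values are constructed.

```python
"""Average diagnostic coverage DCavg per ISO 13849-1:2006 Annex E (added
example): DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i).
All block data below are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Block:
    name: str
    mttfd_years: float   # MTTFd of the block, years (> 0)
    dc: float            # diagnostic coverage of the block, 0.0 .. 1.0


def dc_avg(blocks) -> float:
    """Weighted by 1/MTTFd: a poorly diagnosed block with a low MTTFd drags
    the average down far more than its own DC alone would suggest."""
    for b in blocks:
        if not 0.0 <= b.dc <= 1.0 or b.mttfd_years <= 0.0:
            raise ValueError(f"invalid data for block {b.name!r}")
    numerator = sum(b.dc / b.mttfd_years for b in blocks)
    denominator = sum(1.0 / b.mttfd_years for b in blocks)
    return numerator / denominator


def classify_dc(dc: float) -> str:
    """DC levels of ISO 13849-1: none < 60 %, low 60..90 %,
    medium 90..99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def weakest_block(blocks) -> str:
    """Block contributing the largest undetected dangerous failure rate,
    (1 - DC) / MTTFd; this is where an added diagnostic pays off most."""
    return max(blocks, key=lambda b: (1.0 - b.dc) / b.mttfd_years).name


def with_dc(blocks, name: str, dc: float):
    """Return a copy of the block list with one block's DC changed."""
    return [replace(b, dc=dc) if b.name == name else b for b in blocks]


# Constructed example: well-diagnosed sensor and logic, but contactors
# monitored only by one channel without a dynamic test.
EXAMPLE = [
    Block("light curtain", 100.0, 0.99),
    Block("safety logic", 100.0, 0.99),
    Block("contactors K1/K2", 50.0, 0.60),
]


def improved_example():
    """Same SRP/CS after adding feedback monitoring of the contactors
    (DC 99 %); returns the new DCavg."""
    return dc_avg(with_dc(EXAMPLE, "contactors K1/K2", 0.99))


if __name__ == "__main__":
    base = dc_avg(EXAMPLE)
    print(f"DCavg = {base:.3f} ({classify_dc(base)}), weakest: {weakest_block(EXAMPLE)}")
    print(f"after contactor feedback: DCavg = {improved_example():.3f}")
```

With the constructed values the two 99 % blocks cannot lift the average above "low" (79.5 %) because the contactor block has twice their dangerous failure rate and only 60 % coverage; monitoring that one block takes DCavg to 99 %. This is the practical reason the output stage is where feedback contacts and tests are usually worth adding first.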
Assessment – Common Cause Failure (CCF)


229
Common Cause (CC) Effects
(only in multi-channel systems)

• Common cause failures (CCF) result from a single cause and affect more than one channel.
• Part of the failures in both channels shows up as CC failures; that means, due to one cause, a failure in one channel is followed by the same failure in the other channel, either at the same time or some time later.
• Common causes are:
– external stress, e.g. excessive temperature, high electromagnetic interference
– systematic design failures due to the high complexity of the product or missing experience with a new technology
– no spatial separation between channels, use of common cables, both channels on one PCB, etc.
– human errors during maintenance and repair

230
Assessment of the Measures against CCF

• For categories 2, 3 and 4 (structures with more than one path) measures against common cause failures (CCF) are required.
• From the total list of measures to reduce common cause effects in ISO 13849-1 Annex F, only the measures relevant for machinery applications are considered here.
• The total maximum score is 100.
– The achieved total score must be ≥ 65.
– This corresponds to a beta factor of 2 %.
• If the score is < 65, the allowance for CCF is not sufficient and additional measures must be realized.

231
Determination of CCF from
ISO 13849-1:2006 Table F.1

232
Quantification - MTTFd


233
Determination of the Achieved PL

234
Relation between Safety Categories (SC) and PL
(simplified)

235
Assessment of the Results of the PFH-calculations of
Designated Architectures

236
Determination of the Resulting PL for a Safety
Function

• Which subsystems belong to the safety function (SRP/CS) and have to be counted?
– Starting point: the subsystem in which the safety-related signal is generated (sensor)
– End point: the output of the power control element
[Figure: series alignment of N = 3 subsystems (sensor, logic, power control element); the resulting PL of the safety function follows from the lowest PL among the subsystems and the number N of subsystems with that PL]

237
Summary Assessment of a Safety Function acc. to
ISO 13849-1

• Alternative 1: use of certified components (usually electronic subsystems)
– Data from the manufacturer: PL, category, MTTFd, DCavg (or PL, PFH)
• Alternative 2: use of electro-mechanical components
– Data from the manufacturer: B10 or B10d
– User determines:
• MTTFd = B10d / (0.1 × nop), with the number of operations per year nop = dop × hop × 3600 s/h / tcycle
• Classification of MTTFd (limited to 100 years)
• Determination of the category (from the architecture in which the component is used)
• Determination of DC, classification of DC
• Determination of the PL via Figure 5 or from the table in Annex K

238
If the Architecture does not correspond to one of
the 5 Designated Architectures?

• In this case the simplified methods acc. to ISO 13849-1 cannot be applied for the
determination of the PL.
– Calculation/estimation of the safety related reliability has to be done based on the
methods acc. to IEC 61508 (Reliability Block Diagram, Markov Models, etc.).
– Clause 4.5.1: For a SRP/CS, which deviates from the designated architectures a
detailed calculation shall be provided to demonstrate the achievement of the
required performance level PLr.
– The methods of IEC 61508 can be applied at any design architecture.
• In applications, where the SRP/CS can be considered simple, and the required PLr is a
to c, a qualitative estimation of the PL may be justified in the design rationale.

239
Can I use standard components in a safety
application?

…in safety-related applications according to ISO 13849-1 and EN 62061.

These components are not approved according to these standards and not certified for a specific PL or SIL CL.
– ISO 13849-1 states for the use of these components in safety applications (Annex C):
• produced under application of basic and well-tried safety principles according to ISO 13849-2 or the relevant product standard of the component
• used in accordance with the manufacturer's specification
• consideration of basic and well-tried safety principles when applied in safety functions
– Good engineering practice
– Under these prerequisites such standard components can be used in safety applications up to PL e and SIL 3.
The required safety-related reliability data (MTTFd, PFH) may be determined via the B10 method or other methods, or be supplied by the manufacturer.

240
Requirements – Safety-related software


241
Requirements for Software development (section
4.6)

• Software safety requirements (per 4.6)


– All lifecycle activities of safety-related embedded or application software shall
primarily consider the avoidance of faults introduced during the software lifecycle
(see Figure 6). The main objective of the following requirements is to have readable,
understandable, testable and maintainable software.

242
Requirements for SW according to EN ISO 13849-1

• Requirements for safety-related
– embedded SW (SRESW)
– application SW (SRASW)
– software-based parameterization
• Requirements for measures for fault avoidance
• Considers that SW faults (bugs) are mainly introduced during specification and design
• Organization of design and development to reduce the possibilities of introducing faults as far as possible
• Requirements based on IEC 61508-3:
– easier to understand, easier to apply, more practical
– less complex and prescriptive than IEC 61508
• Measures for avoidance of faults:
– defensive programming
– application of programming guidelines
243
Measures – Systematic Failure


244
Measures against Systematic Failures

• Avoidance of systematic failures


– e. g. selection of appropriate material and dimensioning, simulation ...
– e.g. functional testing, black-box-testing, project management ...
(see EN ISO 13849-2, validation)
• Control of systematic failures:
– e. g. online-tests, redundancy, diversity, over-dimensioning ...

Note: systematic failures have deterministic, not probabilistic causes and can only be
eliminated by changes in design, production, organization etc.

245
Measures for avoidance of Systematic Failures
(Annex G.3)

• Measures that should be considered for the avoidance of systematic failures:


– Use of suitable materials and adequate manufacturing
– Correct dimensioning and shaping
– Proper selection, combination, arrangements, assembly and installation of
components, including cabling, wiring and any interconnections
– Compatibility
– Withstanding specified environmental conditions
– Use of components designed to an appropriate standard and having well-defined
failure modes.
– In addition, one or more of the following measures should be applied, taking into
account the complexity of the SRP/CS and its PL:
• Hardware design review (e. g. by inspection or walk-through)
• Computer-aided design tools capable of simulation or analysis
• Simulation

246
Additional measures for the control of Systematic
Failures (Annex G.2)

• Additional measures that should be considered for the control of systematic failures:


– Use of de-energization
– Measures for controlling the effects of voltage variation
– Measures for controlling the effects of the physical environment
– Program sequence monitoring (if software existing)
– Measures for controlling the effects arising from data communication processes
– In addition, one or more of the following measures should be applied, taking into
account the complexity of the SRP/CS and its PL:
• failure detection by automatic tests
• tests by redundant hardware
• diverse hardware
• operation in the positive mode
• mechanically linked contacts
• direct opening action
• oriented mode of failure
• over-dimensioning.
247
Measures during SRP/CS integration
(Annex G.4)

• functional testing
• project management
• documentation
• In addition, black-box testing should be applied, taking into account the complexity of
the SRP/CS and its PL.

248
Summary

• ISO 13849 deals with SRP/CS for machines regardless of the technology used (except highly complex electronics)
• ISO 13849-1:2006 integrates categories and probabilistic aspects (MTTFd, DC, CCF) to establish a performance level (PL)
• PL: ability to perform the safety function, i.e. the required risk reduction
• IEC 61508 is a flexible standard useful for any type of E/E/PES
• ISO 13849-1 can be considered a subset of the requirements of IEC 61508 with design restrictions (simplified methods relative to IEC 61508)
• The simplified methods to show that the required PLr is met are very conservative; they always end on the safe side.

249
Requirements - Validation


250
Functional Safety Management

• What is Functional Safety Management?
– The requirements that specify the management and technical activities during the overall, E/E/PES and software safety lifecycle phases which are necessary for achieving the required functional safety of the E/E/PE safety-related systems.
– Secondly, the requirements that specify the responsibilities of the persons, departments and organizations responsible for each overall, E/E/PES and software safety lifecycle phase, or for activities within each phase.

• So what is Functional Safety Management from your perspective?
– It is the processes, procedures and techniques required to design, manufacture, maintain and decommission (make obsolete) systems and machines.
Qualitative requirements (QM) over the Product Life Cycle

Functional Safety Management spans all phases:
ANALYSIS
– Concept / Scope
– Hazard Analysis & Risk Assessment
– Safety Requirement Specification
REALIZATION
– Conceptual Design
– Detailed Design
– Installation, Commissioning, Validation
OPERATION
– Operation & Maintenance
– Modifications
– Decommissioning
What are the key requirements of FSM?

• Management of functional safety is one of the most important lifecycle activities, because if management is handled incorrectly it negatively influences all aspects of the safety lifecycle defined on the previous slide.

• The requirements of FSM have been divided and grouped as follows:


• General requirements
• Organizational requirements
• Assessment
• Auditing and revision
• Configuration management
FSM Requirements

General Requirements
• The company needs to establish:
– Strategies, policies, procedures, techniques and documentation requirements for
achieving functional safety
– A means for evaluating its achievement, and the means by which these processes
are communicated within the organization to ensure a culture of safe working
Organizational Requirements
• The company needs to:
– Identify the persons, departments and organizations which are responsible for
carrying out and reviewing the applicable overall, E/E/PES or software safety
lifecycle phases (including, where relevant, licensing authorities or safety regulatory
bodies)
FSM according to ISO 13849-2

• Validation process
– The purpose of the validation process is to confirm that the design of the SRP/CS supports
the overall safety requirements specification for the machinery.
– The validation shall demonstrate that each SRP/CS meets the requirements of ISO 13849-1
and, in particular, the following:
• a) the specified safety characteristics of the safety functions provided by that part, as
set out in the design rationale;
• b) the requirements of the specified performance level (see ISO 13849-1:2006, 4.5):
– 1) the requirements of the specified category (see ISO 13849-1:2006, 6.2),
– 2) the measures for control and avoidance of systematic failures (see ISO
13849-1:2006, Annex G),
– 3) if applicable, the requirements of the software (see ISO 13849-1:2006, 4.6),
and
– 4) the ability to perform a safety function under expected environmental
conditions;
• c) the ergonomic design of the operator interface, e.g. so that the operator is not
tempted to act in a hazardous manner, such as defeating the SRP/CS (see ISO
13849-1:2006, 4.8).
Creating a Validation Plan

• The validation plan shall identify and describe the requirements for carrying out the
validation process for the specified safety functions, their categories and performance
levels.
• The validation plan shall also identify the means to be employed to validate the
specified safety functions, categories and performance levels. It shall set out, where
appropriate
– a) the identity of the specification documents,
– b) the operational and environmental conditions during testing,
– c) the analyses and tests to be applied,
– d) the reference to test standards to be applied, and
– e) the persons or parties responsible for each step in the validation process.
Two types of Validation required

Validation by analysis
• Validation of the SRP/CS shall be carried out by analysis. Inputs to the analysis include
the following:
– the safety function(s), their characteristics and the required performance level(s)
identified during the risk analysis (see ISO 13849-1:2006, Figures 1 and 3);
– the quantifiable aspects (MTTFd, DCavg and CCF);
– the system structure (e.g. designated architectures) (see ISO 13849-1:2006, Clause
6);
– the non-quantifiable, qualitative aspects which affect system behaviour (if
applicable, software aspects);
– deterministic arguments.
• Analysis techniques
Validation of performance levels and categories

Analysis and testing


• For the SRP/CS or combination of SRP/CSs that provides the safety function(s), validation shall demonstrate
that the required performance levels (PLr) and categories in the safety requirements specification are fulfilled.
This will require failure analysis using circuit diagrams (see ISO 13849-2, Clause 5) and, where the failure
analysis is inconclusive:
– fault injection tests on the actual circuit and fault initiation on actual components, particularly in parts of
the system where there is doubt regarding the results obtained from failure analysis (see Clause 6);
– a simulation of control system behavior in the event of a fault, e.g. by means of hardware and/or software
models.
• In some applications it may be necessary to divide the connected safety-related parts into several functional
groups and to subject these groups and their interfaces to fault simulation tests.
• When validating by testing, the tests should include, as appropriate,
– fault injection tests into a production sample,
– fault injection tests into a hardware model,
– software simulation of faults, and
– subsystem failure, e.g. power supplies.
• The precise instant at which a fault is injected into a system can be critical. The worst-case effect of a fault
injection shall be determined by analysis and by injecting the fault at this appropriate critical time.
Validation of category specifications

• Categories B through 4 must be validated according to ISO 13849-2, subclauses:


– 9.2.1 Category B
– 9.2.2 Category 1
– 9.2.3 Category 2
– 9.2.4 Category 3
– 9.2.5 Category 4
Validation of MTTFd, DCavg and CCF

• MTTFd
– The validation of MTTFd, DCavg and CCF is typically performed by analysis and
visual inspection.
– The MTTFd values for components (including B10d, T10d and nop values) shall be
checked for plausibility (e.g. against ISO 13849-1:2006, Annex C).
– Where fault exclusion claims mean that particular components do not contribute to
the channel MTTFd, the plausibility of the fault exclusion shall be checked.
– The MTTFd of each channel of the SRP/CS, including application of the
symmetrisation formula (see ISO 13849-1:2006, Annex D) to dissimilar redundant
channels, shall be checked for correct calculation. It shall be ensured that the
MTTFd of individual channels has been restricted to no greater than 100 years
before the symmetrisation formula is applied.
Validation of MTTFd, DCavg and CCF

• DC
– The DC values for components and/or logic blocks shall be checked for plausibility
(e.g. against measures in ISO 13849-1:2006, Annex E). The correct implementation
(hardware and software) of checks and diagnostics, including appropriate fault
reaction, shall be validated by testing under typical environmental conditions in use.
– The DCavg of the SRP/CS shall be checked for correct calculation.
Validation of MTTFd, DCavg and CCF

• CCF (common cause failure)


– The correct implementation of sufficient measures against common-cause failures
shall be validated (e.g. against ISO 13849-1:2006, Annex F). Typical validation
measures are static hardware analysis and functional testing under environmental
conditions.
Validation of measures against systematic failures

• The validation of measures against systematic failures (defined in ISO 13849-1:2006,


3.1.7) related to performance levels and categories of each SRP/CS can typically be
provided by
– inspections of design documents which confirm the application of
• basic and well-tried safety principles (see Annexes A to D),
• further measures for avoidance of systematic failures (see ISO 13849-1:2006,
G.3), and
• further measures for the control of systematic failures such as hardware
diversity (see ISO 13849-1:2006, Annex G), modification protection or failure
assertion programming;
– failure analysis (e.g. FMEA);
– fault injection tests/fault initiation;
– inspection and testing of data communication, where used;
– checking that a quality management system avoids the causes of systematic failures
in the manufacturing process.
Validation of safety-related software

• The validation of both safety-related embedded software (SRESW) and safety-related


application software (SRASW) shall include
– the specified functional behavior and performance criteria (e.g. timing performance)
of the software when executed on the target hardware,
– verification that the software measures are sufficient for the specified PLr of the
safety function, and
– measures and activities taken during software development to avoid systematic
software faults.
• As a first step, check that there is documentation for the specification and design of the
safety-related software. This documentation shall be reviewed for completeness and
absence of erroneous interpretations, omissions or inconsistencies.
• In general, software can be considered a “black box” or “grey box” (see ISO 13849-
1:2006, 4.6.2), and validated by the black- or grey-box test, respectively.
Validation and verification of performance level

• For the simplified procedure for estimating PL of the SRP/CS according to ISO 13849-
1:2006, 4.5.4, and ISO 13849-1:2006, Annexes B to F and Annex K, the following
verification and validation steps shall be performed:
– checking for correct evaluation of PL based on the category, DCavg and MTTFd
(according to ISO 13849-1:2006, 4.5.4 and Annex K);
– verification that the PL achieved by the SRP/CS satisfies the required performance
level PLr in the safety requirements specification for the machinery: PL ≥ PLr.
• Where other methods are used to evaluate the achieved PL, based on the estimated
average probability of a dangerous failure per hour, validation shall consider
– the MTTFd value for each component,
– the DC,
– the CCF,
– the structure, and
– the documentation, application and calculation, which shall be checked for
correctness.
Additional Validation Requirement

• Validation of combination of safety-related parts


– Where the safety function is implemented by two or more safety-related parts,
validation of the combination — by analysis and, if necessary, by testing — shall be
undertaken to establish that the combination achieves the performance level
specified in the design. Existing recorded validation results of safety-related parts
can be taken into account.
• Validation of environmental requirements
– Where applicable, validation shall address
• expected mechanical stresses from shock, vibration, ingress of contaminants,
• mechanical durability,
• electrical ratings and power supplies,
• climatic conditions (temperature and humidity), and
• electromagnetic compatibility (immunity).
Additional Validation Requirement

• Validation of maintenance requirements


– Validation of maintenance requirements shall include the following, as applicable:
• a review of the information for use confirming that
– maintenance instructions are complete [including procedures, required
tools, frequency of inspections, time interval for changing components
subjected to wear (T10d) etc.] and understandable,
– if appropriate, there are provisions for the maintenance to be performed
only by skilled maintenance personnel;
• a check that measures for ease of maintainability (e.g. provision of diagnostic
tools to aid faultfinding and repair) have been applied.
– In addition, the following measures shall be included when applied:
• measures against mistakes during maintenance (e.g. detection of wrong input
data via plausibility checks);
• measures against modification (e.g. password protection to prevent access to
the program by unauthorized persons).
Additional Validation Requirement

• Validation of technical documentation and information for use


– The validation process shall demonstrate that the requirements for technical
documentation specified in ISO 13849-1:2006, Clause 10, and for information for
use specified in ISO 13849-1:2006, Clause 11, have been implemented.
Additional reference material

Additional areas of knowledge

• These are subjects you should be aware of during your studies:


– Protective equipment for machinery
– Safety Distances – both NA and International
– Guards and guard types
– Interlocking devices and guard locking devices
– Position switches and proximity switches
– Circuit examples
– ESPE – Electro Sensitive Protection Equipment
– Pressure sensitive Mats and floors
– Pressure sensitive edges (PSE), pressure sensitive bars
– Enabling controlling devices
– Muting, blanking and differences

Additional areas of knowledge

• These are subjects you should be aware of during your studies:


– Emergency Stop, Emergency switching off, stop categories
– Start and restart interlocking
– Hold to run
– External device monitoring

Protective Device Overview

Safety Distances

Note: Key standards to review ISO 13857, EN 999, ANSI B11.19

Guards and Guard Types

• Specific requirements:
– Entry-restricting, adjustable safety devices must
• be adjusted manually or automatically, depending on the kind of operation
• be easily adjustable without tools
• reduce the danger of ejection of parts as far as practicable and suitable
– Moveable guards must be designed and integrated into the control unit in a way that:
• if possible, they remain connected to the machine when opened
• they are monitored and interlock the machine
• their adjustment is only possible intentionally
• if there is a danger of ejection of parts, they protect persons by appropriate
shielding

Note: reference EN953, ISO 13855, ISO 14120, ANSI B11.19

Interlocking Devices and Guard Locking devices

• Interlocking devices definition:


– Mechanical, electrical or other type of device, the purpose of which is to prevent the
operation of machine elements under specified conditions (generally as long as the guard is
not closed).
– Interlocking (moveable) guard
• Guard associated with an interlocking device so that:
– the hazardous machine functions cannot operate until the guard is closed;
– a stop command is initiated when the guard is opened during a hazardous machine
function;
– when the guard is closed, the hazardous machine functions can operate, but the closure
of the guard does not by itself initiate their operation.

Note: review EN 1088, ISO 14119, ANSI B11.19

Position Switches

• Two types of position switches:


– Type 1 (B1) – switch-contact element and actuator part form an attached functional unit for
switching (note: not for removable protective devices)
– Type 2 (B2) – switch-contact element and actuator part are not attached, but come together
as a functional unit for switching.

Positively driven, positive opening

• Definitions:
– Positively driven actuation (EN 1088)
• a moveable mechanical device forces a second device to move as well, by
direct connection to each other or with the use of inflexible parts
– Direct opening action (of a switch contact), IEC/EN 60947-5-1 (positive opening operation)
• assures the disconnection of the switch contacts by a defined movement of the
actuator, without elastic parts.

Symbol for direct opening per IEC 60947-5-1 (symbol image not reproduced)

Guard Locking Devices

• Guard locking devices prevent the opening of a guard.


– Unlocking is carried out
• time-controlled (time switch): a malfunction shall not reduce the time delay;
• automatically, if the machine is in no hazardous state (e. g. standstill monitoring);
• manually: the time between unlocking and opening of the guard, and switching off of the
machine by the safety equipment, shall be greater than the run-down time of the machine
(e. g. threaded bolt).

Installation of Position Switches and Guard Locking

• Secure against change of position


• Positive location
• Accessibility for repair and testing
• Must have positive mode of actuation
• Protection against easy by-passing of device required (Immunity against manipulation)
• Cannot be used as mechanical stop
• Depending on risk two switches are required
• Protection against over travel
• Displacement according to the travel required for positive mode of actuation, or to the
required safe switching distance (PDF)
• For guard locking:
– Bolt monitoring required
– Must be able to withstand expected forces

ESPE - Electro Sensitive Protective Equipment

• What are the differences between guards and ESPE?


– Guards (protective equipment with separation): Part of a machine specifically
used to provide protection by means of a physical barrier (e. g. fencing, enclosure).
Guards are also applicable when the machinery will eject materials, swarf or
component parts.
– Protective equipment without separation: when actuated they operate on the
process / machinery to cause a safe condition (lock-out).

Note: Each type of protective equipment has its own advantages and disadvantages.

ESPE, AOPD – Active Optoelectronic Protective Device

• Examples of AOPDs:
– Light barriers with one beam
– Light barriers with multiple separate beams (light array)
– Light curtain (continuous optical resolution)
– Not applicable when:
• the machinery will eject materials, swarf or component parts
• the risk of injury from thermal or other radiation exists
• unacceptable noise levels exist
• an environment is likely to adversely affect the function of the protective
equipment
• the stopping performance of the machine is unknown, inconsistent or
inadequate

Safety distance calculation (ISO/EN)

• Calculation of the separation distance: S = K × T + C

– S = minimum distance (mm)
– K = constant (mm/s), derived from data on approach speeds (1600 mm/s, i.e. 1.6 m/s)
– T = overall system stopping performance (s)
– C = additional distance (mm), based on reaching into the danger zone prior to
activation of the protective equipment: 8 × (object sensitivity − 14 mm), but not less
than 0

Note: reference ISO 13855 and EN 999

Safety distance calculation (US/CAN)

• Calculation of the separation distance:


Ds = K × (Ts + Tc + Tr + Tbm) + Dpf

– Ds = the minimum safe distance from the danger zone to the closest detection point.
– K = constant (in/s), derived from data of approach speeds (63 in/s)
– Ts = overall system stopping performance
– Tc = the worst stopping time of the control system.
– Tr = the response time of the safeguarding device, including its interface.
– Tbm = additional stopping time allowed by the brake monitor before it detects stop-
time deterioration beyond the end users’ predetermined limits. Tbm is used with part
revolution mechanical presses.
– Dpf = 3.4 × (Object Sensitivity − 6.875 mm), but not less than zero.

Note: reference ANSI B11.19, ANSI RIA R15.06 and CAN/CSA Z434-03

Pressure Sensitive Mats and Floors

• Working principle: entering the pressure sensitive area initiates shut down of dangerous
motion via control device
• Pressure sensitive mats and floors conform to ISO 13856-1 (EN 1760-1)
• Weight restrictions apply:
– > 35 kg assumed for industrial environments
– > 20 kg, if children are present
• For persons (small children) ≤ 20 kg, pressure sensitive mats and floors cannot be used
• Safety distance, same as for light grids with horizontal mounting, using H = 0:
S = K × T + C
S = 1600 mm/s × T + 1200 mm
Note:
– According to IEC 62046 pressure sensitive mats with normally open contacts can
only be used up to safety category 2.
– However, some devices are available on the market for use up to safety category 3
when used with suitable control devices (safety category 4 cannot be achieved as
mats are based on the working current principle).
– Safety mats in combination with a logic unit are safety components according to MD,
thus need to have an EC Type examination certificate.

Two-hand Control Devices

• Application:
• safety of persons who are exposed to the danger zone and need direct access to the
hazardous area, mainly at presses
• protects the operating person by binding both hands outside the danger zone; other
persons are not protected.
• Definition according to ISO 13851/EN 574:
– “A device which requires at least simultaneous actuation by the use of both hands in
order to initiate and to maintain, whilst a hazardous condition exists, any operation
of a machine thus affording a measure of protection only for the person who
actuates it.”
– Two-hand control devices are safety components according to Annex IV of the
Machinery Directive (Logic units which ensure the safety functions of bimanual
controls), thus must have an EC Type Examination Certificate.

Two-hand Control Devices – safety distance

• Safety distance according to the following formula (EN 999), in mm:

S = K × T + C
K in mm/s, depending on approach speed; T in s, machine stopping performance; C in mm,
additional distance to the danger zone
S = 1600 mm/s × T + 250 mm
• C can be 0 if it is ensured by shields and the arrangement of the control actuating devices
that hands, arms and other body parts cannot reach into the danger zone while the
actuators are pressed.
• S (min) = 100 mm
• With 2 or even more operators (e. g. at big presses ) it is not necessary to fulfill the
simultaneous actuation with all operators (0.5 sec).
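The four safety-distance formulas quoted on the preceding slides (ISO 13855/EN 999 for an AOPD, the US/CAN form, pressure-sensitive mats with H = 0, and two-hand control) carried through as an added Python example; this is not code from the training deck or from Rockwell Automation. The approach speeds and additional-distance terms are the slides' values; the conversion of Dpf from the slide's millimetre form into inches, the helper names, and the sample stopping times used in the demonstration are assumptions of this example.

```python
"""Minimum safety distances for protective devices, as quoted on the slides.

Added example (not from the training deck or Rockwell Automation). Formulas:
  ISO 13855 / EN 999 AOPD:       S  = K * T + C,  C = 8 * (d - 14 mm), C >= 0
  US/CAN (ANSI B11.19 form):     Ds = K * (Ts + Tc + Tr + Tbm) + Dpf
  Pressure-sensitive mat, H = 0: S  = 1600 mm/s * T + 1200 mm
  Two-hand control (EN 999):     S  = 1600 mm/s * T + C,  S >= 100 mm
Converting the slide's Dpf (given in mm) to inches is an assumption of this example.
"""

MM_PER_INCH = 25.4


def stopping_performance_s(machine_stop_s: float, device_response_s: float,
                           margin_s: float = 0.0) -> float:
    """T: overall stopping performance = machine stop time + device response (+ any monitoring margin)."""
    return machine_stop_s + device_response_s + margin_s


def iso_additional_distance_mm(object_sensitivity_mm: float) -> float:
    """C = 8 x (d - 14 mm), but not less than 0: allowance for reaching through before detection."""
    return max(8.0 * (object_sensitivity_mm - 14.0), 0.0)


def iso_safety_distance_mm(t_s: float, object_sensitivity_mm: float,
                           k_mm_s: float = 1600.0) -> float:
    """S = K x T + C with K = 1600 mm/s (the slides' 1.6 m/s approach speed)."""
    return k_mm_s * t_s + iso_additional_distance_mm(object_sensitivity_mm)


def ansi_penetration_factor_in(object_sensitivity_mm: float) -> float:
    """Dpf = 3.4 x (d - 6.875 mm), not less than zero, converted to inches (assumed conversion)."""
    return max(3.4 * (object_sensitivity_mm - 6.875), 0.0) / MM_PER_INCH


def ansi_safety_distance_in(ts_s: float, tc_s: float, tr_s: float,
                            object_sensitivity_mm: float, tbm_s: float = 0.0,
                            k_in_s: float = 63.0) -> float:
    """Ds = K x (Ts + Tc + Tr + Tbm) + Dpf with K = 63 in/s; Tbm only for part-revolution presses."""
    return k_in_s * (ts_s + tc_s + tr_s + tbm_s) + ansi_penetration_factor_in(object_sensitivity_mm)


def mat_safety_distance_mm(t_s: float) -> float:
    """Pressure-sensitive mat or floor, horizontal mounting with H = 0."""
    return 1600.0 * t_s + 1200.0


def two_hand_safety_distance_mm(t_s: float, c_mm: float = 250.0) -> float:
    """Two-hand control; C may be 0 if shielding prevents reaching in, and S is never below 100 mm."""
    return max(1600.0 * t_s + c_mm, 100.0)


def installed_distance_adequate(installed_mm: float, required_mm: float) -> bool:
    """Validation check: the measured mounting distance must be at least the calculated minimum."""
    return installed_mm >= required_mm


if __name__ == "__main__":
    # Constructed figures: 30 mm resolution light curtain, 150 ms machine stop, 20 ms device response.
    t = stopping_performance_s(0.150, 0.020)
    print(f"ISO 13855 S = {iso_safety_distance_mm(t, 30):.0f} mm")
    print(f"US/CAN Ds   = {ansi_safety_distance_in(0.150, 0.0, 0.020, 30):.2f} in")
    print(f"mat S       = {mat_safety_distance_mm(t):.0f} mm")
    print(f"two-hand S  = {two_hand_safety_distance_mm(t):.0f} mm")
    print("installed 500 mm adequate for the ISO case:",
          installed_distance_adequate(500, iso_safety_distance_mm(t, 30)))
```

T is the overall stopping performance, so the protective device's response time and the machine's measured stop time both belong in it; stopping_performance_s only makes that sum explicit. Every result is a minimum: the installed distance must be at least the calculated value, and it has to be re-checked whenever the stopping time is re-measured or the device resolution changes.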

Overview Standards for Safety Devices

(Overview diagram of A-, B- and C-standards for safety devices; figure not reproduced.)
Safety Related Functions

• Typical safety related functions (IEC 60204-1 etc.)


– stop
– emergency operation
– start and re-start, prevention of unexpected start
– hold-to-run function for instance for machine set-up
• More complex functions
– safely limited speed, safe speed range
– safely limited position
– muting
– etc.

Safety related function – Start and Restart Interlock

• ISO 13849-1
– Chapter 5.5: Start and restart
• A restart shall take place automatically only if a hazardous situation cannot
exist. In particular, for control guards [...].
• These requirements for start and restart shall also apply to machines which
can be controlled remotely.
– Chapter 5.11: Fluctuations, loss and restoration of power sources
• When fluctuations in energy levels […], the safety-related parts of the control
system shall continue to provide or initiate output signal(s) which will enable
other parts of the machine system to maintain a safe state.

Safety related function – Start and Restart Interlock

• ISO 13849-1 Manual reset function


– After a stop command has been initiated by a safeguard, the stop condition shall be
maintained until safe conditions for restarting exist.
– The re-establishment of the safety function by resetting of the safeguard cancels the
stop command. If indicated by the risk assessment, this cancellation of the stop
command shall be confirmed by a manual, separate and deliberate action (manual
reset).
– The performance level of safety-related parts providing the manual reset function
shall be selected so that the inclusion of the manual reset function does not diminish
the safety required of the relevant safety function.

Safety related function – Start and Restart Interlock

• ISO 13849-1 Manual reset function (cont.)


– The manual reset function shall
• be provided through a separate and manually operated device within the
SRP/CS,
• only be achieved if all safety functions and safeguards are operative,
• not initiate motion or a hazardous situation by itself,
• be by deliberate action,
• enable the control system for accepting a separate start command,
• only be accepted by disengaging the actuator from its energized (on) position.

Safety related function – Start and Restart Interlock

• According to IEC 60204-1, measures shall be taken to prevent movement of the
machine in an unintended or unexpected manner after any stopping of the machine
(for example due to a locked-off condition, power supply fault, switching off by
safeguards etc.) (Exceptions!)
• The machine shall only by a manual action be restarted, if all necessary
conditions are fulfilled.
• The start / restart interlock shall have the same safety level as the safeguards
at the machinery.
– The following faults shall be considered:
• Short circuit, open circuit of the cabling of the start button
• Permanent actuation of the button (e. g. clamping the button with a match)

Safety related function – Start and Restart Interlock requirements

• Start interlock – requirements (IEC 61496-1, chapter A.5)


– Prevention of going to the ON-state of the OSSD(s) when the electrical supply is
switched on/restored
– Continuing the OFF-state of the OSSD(s), until the start interlock is reset to its ON-
state manually (e. g. by switch operation or by actuation and de-actuation of the
sensing device)
– It shall not be possible for reset of a start interlock to reset the OSSD(s) to the ON-
state under a lock-out condition
– A failure of the start interlock (in permanent ON-state) shall cause the ESPE to lock-
out.

Safety related function – Start and Restart Interlock requirements

• Restart interlock – requirements (IEC 61496-1, chapter A.6)


– Prevention of going to the ON-state of the OSSD(s) when:
• the detection zone is interrupted while the machine operation is at a
hazardous part of its operating cycle
• the detection zone is interrupted while the machine is in automatic or
semiautomatic mode
• there is a change of the machine operating mode or type of operation.
– The interlock condition shall continue until the restart interlock is manually reset.
– It shall not be possible to reset the restart interlock whilst the sensing device is
actuated.
– A failure to meet the functional requirements shall cause the ESPE to go to the lock-
out condition.

Safety related function – External Device Monitoring (EDM)

• EDM: External Device Monitoring – Monitoring of external control devices


• EDM can be used in order to diagnose faults in the stop or the re-start circuit (e. g.
contactors, pneumatic valves, hydraulic valves)
• Definition according to IEC 62046 (IEC 61496):
– External device monitoring – EDM:
• means by which the electro-sensitive protective equipment monitors the state
of the control devices which are external to the electro-sensitive protective
equipment (ESPE)
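The manual reset, start/restart interlock and EDM requirements listed on the preceding slides, modelled together as a small scan-cycle state machine. This is an added Python illustration, not code from the training deck or Rockwell Automation, and not a certified safety implementation; the state names, the Inputs fields, the RESET_HOLD_MAX and EDM_TIMEOUT scan limits and the constructed input sequences are assumptions of this example.

```python
"""Restart interlock with manual reset and external device monitoring (EDM).

Added illustration: not code from the training deck or Rockwell Automation and
not a certified implementation. It models, per scan cycle, the behaviour the
slides list for the manual reset (ISO 13849-1), the start/restart interlock
(IEC 61496-1 Annex A) and EDM. The scan-count limits are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class State(Enum):
    OFF = "OFF"          # OSSDs off, interlock armed (also the power-up state)
    READY = "READY"      # reset accepted; a separate start command is still required
    RUN = "RUN"          # OSSDs on, hazardous motion enabled
    LOCKOUT = "LOCKOUT"  # fault detected; left only by a service action / power cycle


@dataclass(frozen=True)
class Inputs:
    zone_clear: bool    # sensing device (light curtain, guard switch) not actuated
    reset: bool         # manual reset actuator pressed
    start: bool         # separate start command
    edm_released: bool  # feedback loop closed: every monitored contactor has dropped out


class RestartInterlock:
    RESET_HOLD_MAX = 5  # assumed: a reset held longer than this is "permanent actuation"
    EDM_TIMEOUT = 2     # assumed: contactors must follow the OSSDs within this many scans

    def __init__(self) -> None:
        self.state = State.OFF  # supply switched on / restored: OSSDs stay OFF until reset
        self._reset_prev = False
        self._reset_held = 0
        self._edm_pending = 0

    def step(self, i: Inputs) -> State:
        if self.state is State.LOCKOUT:
            return self.state
        # Reset is accepted only on disengaging the actuator (falling edge), so a
        # clamped button or a shorted reset input can never arm the system.
        reset_edge = self._reset_prev and not i.reset
        self._reset_prev = i.reset
        self._reset_held = self._reset_held + 1 if i.reset else 0
        if self._reset_held > self.RESET_HOLD_MAX:
            return self._fault()
        # Actuating the sensing device always stops the machine and re-arms the interlock.
        if not i.zone_clear:
            if self.state is State.RUN:
                self._edm_pending = self.EDM_TIMEOUT
            self.state = State.OFF
            return self._check_edm(i, expect_released=True)
        if self.state is State.OFF:
            if self._check_edm(i, expect_released=True) is State.LOCKOUT:
                return self.state
            # Reset needs all safeguards operative and the outputs proven OFF by EDM;
            # it only enables the next start command and never starts motion itself.
            if reset_edge and i.edm_released:
                self.state = State.READY
        elif self.state is State.READY:
            if i.start:
                self.state = State.RUN
                self._edm_pending = self.EDM_TIMEOUT
        elif self.state is State.RUN:
            return self._check_edm(i, expect_released=False)
        return self.state

    def _check_edm(self, i: Inputs, expect_released: bool) -> State:
        """EDM: the feedback must match the commanded output state within EDM_TIMEOUT scans."""
        if i.edm_released == expect_released:
            self._edm_pending = 0
            return self.state
        if self._edm_pending > 0:
            self._edm_pending -= 1
            return self.state
        return self._fault()  # welded contactor, or one that failed to pull in

    def _fault(self) -> State:
        self.state = State.LOCKOUT
        return self.state


def run_scenario(sequence: List[Inputs]) -> List[str]:
    """Feed one scan per Inputs record and return the state after each scan."""
    fsm = RestartInterlock()
    return [fsm.step(i).value for i in sequence]


# Constructed scan sequence: power-up, a start attempt without reset, reset
# press and release, start, contactors pull in (feedback opens).
HEALTHY_START = [
    Inputs(True, False, False, True),
    Inputs(True, False, True, True),
    Inputs(True, True, False, True),
    Inputs(True, False, False, True),
    Inputs(True, False, True, True),
    Inputs(True, False, False, False),
]


def demo() -> List[str]:
    """Healthy start, then the zone is interrupted and cleared: the interlock holds OFF."""
    return run_scenario(HEALTHY_START + [Inputs(False, False, False, False),
                                         Inputs(True, False, False, True)])
```

Points to check against the slides: the OSSDs come up OFF after power-up or supply restoration; the reset is accepted only on releasing the actuator and only while the sensing device is not actuated; a reset only enables a separate start command; and a reset input that is held (clamped) or a contactor whose feedback does not follow the output within the timeout drives the machine into lock-out rather than back into operation.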

Review these areas of knowledge

• These are subjects you should be aware of during your studies:


– Protective equipment for machinery
– Safety Distances – both NA and International
– Guards and guard types
– Interlocking devices and guard locking devices
– Position switches and proximity switches
– Circuit examples
– ESPE – Electro Sensitive Protection Equipment
– Pressure sensitive Mats and floors
– Pressure sensitive edges (PSE), pressure sensitive bars
– Enabling controlling devices
– Muting, blanking and differences

Review these areas of knowledge

• These are subjects you should be aware of during your studies:


– Emergency Stop, Emergency switching off, stop categories
– Start and restart interlocking
– Hold to run
– External device monitoring

Examples using ISO 13849

Examples using ISO 13849

• Safety function -
– Safety-related stop function, initiated by a protective device: opening of the
moveable guard (protective grating) initiates the safety function STO (safe torque
off).

Examples using ISO 13849

• Functional description -
– Trapping hazards are safeguarded by means of a moveable guard (protective
grating). Opening of the protective grating is detected by two position switches
B1/B2, employing a break contact/make contact combination, and evaluation by a
central safety module K1. K1 actuates two contactors, Q1 and Q2, dropping out of
which interrupts or prevents hazardous movements or states.
– The position switches are monitored for plausibility in K1 for the purpose of fault
detection. Faults in Q1 and Q2 are detected by a start-up test in K1. A start
command is successful only if Q1 and Q2 had previously dropped out. Start-up
testing by opening and closing of the protective device is not required.
– The safety function remains intact in the event of a component failure. Faults are
detected during operation or at actuation (opening and closing) of the protective
device by the dropping out of Q1 and Q2 and operational disabling.
– An accumulation of more than two faults in the period between two successive
actuations may lead to loss of the safety function.

Examples using ISO 13849

• The following features should also be provided:


– Basic and well-tried safety principles are observed (e. g. the load current for the
contactors Q1 and Q2 is de-rated by a factor of 50 %) and the requirements of
Category B are met. Protective circuits (e. g. contact protection) are implemented;
– A stable arrangement of the protective devices is assured for actuation of the
position switches;
– Switch B1 is a position switch with direct opening action in accordance with IEC
60947-5- 1, Annex K;
– The supply conductors to position switches B1 and B2 are laid separately or with
protection.

Examples using ISO 13849

• The following information is available from the manufacturers for each part within the
design of SRP/CS:
– The safety module K1 is declared by the manufacturer as satisfying the
requirements for Category 4, PL e and SIL CL 3;
– The contactors Q1 and Q2 possess mechanically linked contact elements to IEC
60947-5-1, Annex L.
– The following observation can be made on the design of SRP/CS and/or SRECS:
– Category 4 can only be achieved where mechanical position switches for different
protective devices are not connected in a series arrangement (i. e. no cascading).
This is necessary as faults in the switches cannot otherwise be detected.

Class Example

Calculation of the probability of failure in accordance with ISO 13849-1

• Figure below shows a logic subsystem (safety module K1) to which two-channel input
and output elements are connected. Since an abstraction of the hardware level is
already performed in the safety-related block diagram, the sequence of the subsystems
is in principle interchangeable.

• It is recommended that subsystems sharing the same structure be grouped together, as


shown on the next slide. This makes calculation of the PL simpler by reducing the
number of times limitation of the MTTFd of a channel to 100 years is performed in the
estimation.

(Safety-related block diagram of the example with the subsystems grouped, as referenced on the previous slide; figure not reproduced.)

Calculation of the probability of failure in accordance with ISO 13849-1

Calculation formulas for ISO 13849-1, Annex C

(Table listing formulas C.1 to C.7 of ISO 13849-1, Annex C; the formula images are not reproduced.)

Calculation of the probability of failure in accordance with ISO 13849-1

• The probability of failure of the safety module K1 is declared by the manufacturer and is
added at the end of the calculation (2.31 × 10⁻⁹ per hour [manufacturer's value], suitable
for PL e).
• For the remaining subsystem, the probability of failure is calculated as follows:
– Input circuit MTTFd
• The B10d value of 1,000,000 cycles [manufacturer’s value] is stated for the
mechanical part of B1.
• For the position switch B2, the B10d value is 500,000 cycles [manufacturer’s
value].
• At 365 working days per year, 24 working hours per day and a demand cycle
time of 900 seconds (15 minutes),
• nop is 35,040 cycles per year for these components calculated by using
equations C.2 and C.7.

Calculation of the probability of failure in accordance with ISO 13849-1

(Formulas C.2, C.1 and C.3 applied to the input circuit B1/B2; the equation images are not reproduced.)

Calculation of the probability of failure in accordance with ISO 13849-1

• For the remaining subsystem, the probability of failure is calculated as follows:


– Output circuit
• For the contactors Q1 and Q2, the B10 value corresponds under inductive
load (AC 3) to an electrical lifetime of 1,000,000 cycles (manufacturer's
value). If 50 % of failures are assumed to be dangerous, the B10d value is
produced by doubling of the B10 value:
B10d = 2 × B10 = 2,000,000 cycles

(C.1)  $$MTTF_{d,\,Q1/Q2} = \frac{B_{10d}}{0.1 \cdot n_{op}} = \frac{2\,000\,000\ \text{cycles}}{0.1 \cdot 35\,040\ \text{cycles/y}} = 571\ \text{y}$$

(C.3)  $$T_{10d,\,Q1/Q2} = \frac{B_{10d}}{n_{op}} = \frac{2\,000\,000\ \text{cycles}}{35\,040\ \text{cycles/y}} = 57.1\ \text{y}$$


Calculation of the probability of failure in accordance with ISO 13849-1

• For both channels, the MTTFd is calculated by using the following formula:

$$\frac{1}{MTTF_d} = \sum_{i=1}^{N} \frac{1}{MTTF_{d,i}}$$

• Applying this to our previously derived values yields:

$$\frac{1}{MTTF_{d,\,Ch1}} = \frac{1}{285\ \text{y}} + \frac{1}{571\ \text{y}} = \frac{1}{190\ \text{y}}$$

$$\frac{1}{MTTF_{d,\,Ch2}} = \frac{1}{143\ \text{y}} + \frac{1}{571\ \text{y}} = \frac{1}{114\ \text{y}}$$

• This gives an MTTFd for channel 1 of 190 y and for channel 2 of 114 y. In accordance with
ISO 13849-1, the MTTFd of both channels is limited to 100 years, and because both
channels are equal after limiting, symmetrisation is not necessary.

Calculation of the probability of failure in accordance with ISO 13849-1
• DCavg: the DC of 99% for B1 and B2 is based upon plausibility monitoring of the
break/make contact combination in K1. The DC of 99% for contactors Q1 and Q2 is
derived from regular monitoring by K1 during start-up. The DC values stated correspond
to the DCavg for each subsystem. The DCavg will be calculated according to Equation
(E.1) of ISO 13849-1. Because each single DC is 99%, the DCavg is also 99%.
• Adequate measures against common-cause failure in the subsystems B1/B2 and
Q1/Q2 (70 points):
– separation (15),
– well-tried components (5),
– protection against overvoltage etc. (15), and
– environmental conditions (25 + 10).
• Mission time: for the simplified approach of ISO 13849-1 a mission time of 20 years is
assumed.
• The subsystem B1/B2/Q1/Q2 corresponds to Category 4 with a high MTTFd (100 years)
and high DCavg (99%).
• This results in an average probability of dangerous failure = 2.47 × 10⁻⁸ per hour (see
Table K.1 of ISO 13849-1).
Summary of ISO 13849-1 example calculation

• With the addition of the subsystem K1 (2.31 × 10⁻⁹ per hour) to the previously determined
subsystem (based on B1/B2 and Q1/Q2) with PFHd = 2.47 × 10⁻⁸ per hour, the average probability of
dangerous failure is:

2.31 × 10⁻⁹ + 2.47 × 10⁻⁸ = 2.70 × 10⁻⁸ per hour

• This corresponds to PL e:
– CAT 4,
– DC = high,
– MTTFd > 91 years
– (reference Table K.1, ISO 13849-1)
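The whole worked example from the preceding slides (nop via C.2, MTTFd via C.1, T10d via C.3, the per-channel combination, the 100-year cap and the Annex D symmetrisation formula, DCavg from Equation E.1, the Annex F common-cause score and the final PFHd sum) carried through in code, as an added Python example that is not from the training deck or Rockwell Automation. The Table K.1 result 2.47 × 10⁻⁸ per hour and the K1 value 2.31 × 10⁻⁹ per hour are taken from the slides rather than computed, since the table itself is not on the page; the PL bands, the 65-point CCF threshold and the MTTFd classes are from ISO 13849-1, and the function names are this example's own.

```python
"""ISO 13849-1 simplified PL estimation, worked through for the B1/B2/Q1/Q2/K1 example.

Added example, not from the training deck or Rockwell Automation. Formulas C.1,
C.2 and C.3 (Annex C), the parallel-channel combination, the 100-year cap, the
Annex D symmetrisation formula, the Annex E DCavg formula (E.1) and the Annex F
CCF threshold (65 points) are ISO 13849-1 material. The Table K.1 lookup result
(2.47e-8 /h) and the K1 manufacturer value (2.31e-9 /h) are the slides' numbers.
"""
from typing import Sequence, Tuple


def n_op(days_per_year: float, hours_per_day: float, t_cycle_s: float) -> float:
    """C.2: mean number of annual operations, nop = dop x hop x 3600 / tcycle."""
    return days_per_year * hours_per_day * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """C.1: MTTFd (years) of a wear-out component, MTTFd = B10d / (0.1 x nop)."""
    return b10d / (0.1 * nop)


def t10d(b10d: float, nop: float) -> float:
    """C.3: replacement interval (years), T10d = B10d / nop."""
    return b10d / nop


def channel_mttfd(component_mttfd: Sequence[float]) -> float:
    """Parts-count method: 1/MTTFd,ch = sum of 1/MTTFd,i over the channel's components."""
    return 1.0 / sum(1.0 / m for m in component_mttfd)


def cap_to_100_years(mttfd: float) -> float:
    """Each channel's MTTFd is limited to 100 years before symmetrisation."""
    return min(mttfd, 100.0)


def symmetrise(ch1: float, ch2: float) -> float:
    """Annex D: MTTFd = 2/3 x [C1 + C2 - 1/(1/C1 + 1/C2)] for dissimilar redundant channels."""
    return (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))


def mttfd_class(mttfd: float) -> str:
    """ISO 13849-1 classes: low 3..10 y, medium 10..30 y, high 30..100 y."""
    if mttfd < 3.0:
        raise ValueError("MTTFd below 3 years is not usable")
    if mttfd < 10.0:
        return "low"
    if mttfd < 30.0:
        return "medium"
    return "high"


def dc_avg(parts: Sequence[Tuple[float, float]]) -> float:
    """E.1: DCavg = sum(DCi / MTTFd,i) / sum(1 / MTTFd,i); parts are (MTTFd, DC) pairs."""
    return sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts)


def ccf_measures_sufficient(points: Sequence[int]) -> bool:
    """Annex F: the common-cause-failure score must reach at least 65 of 100 points."""
    return sum(points) >= 65


def performance_level(pfhd_per_hour: float) -> str:
    """ISO 13849-1 PFHd bands (per hour); anything below 1e-7 lies in PL e (its floor is 1e-8)."""
    if pfhd_per_hour >= 1e-4:
        raise ValueError("PFHd too high for any performance level")
    if pfhd_per_hour >= 1e-5:
        return "a"
    if pfhd_per_hour >= 3e-6:
        return "b"
    if pfhd_per_hour >= 1e-6:
        return "c"
    if pfhd_per_hour >= 1e-7:
        return "d"
    return "e"


def worked_example() -> dict:
    """The slides' numbers: B1 B10d 1e6, B2 B10d 5e5, Q1/Q2 B10d 2e6 (2 x B10, 50 % dangerous)."""
    nop = n_op(365, 24, 900)                                    # 35 040 cycles per year
    b1, b2 = mttfd_from_b10d(1_000_000, nop), mttfd_from_b10d(500_000, nop)
    q = mttfd_from_b10d(2_000_000, nop)                         # about 571 y
    ch1, ch2 = channel_mttfd([b1, q]), channel_mttfd([b2, q])   # about 190 y and 114 y
    c1, c2 = cap_to_100_years(ch1), cap_to_100_years(ch2)       # both 100 y
    subsystem_mttfd = c1 if c1 == c2 else symmetrise(c1, c2)    # equal: no symmetrisation
    dcavg = dc_avg([(c1, 0.99), (c2, 0.99)])
    ccf_ok = ccf_measures_sufficient([15, 5, 15, 25, 10])       # 70 points
    pfhd_subsystem = 2.47e-8   # Table K.1 row for Cat 4, DCavg high, MTTFd 100 y (from the slides)
    pfhd_k1 = 2.31e-9          # safety module K1, manufacturer's value (from the slides)
    return {
        "nop": nop, "mttfd_b1": b1, "mttfd_b2": b2, "mttfd_q": q,
        "t10d_q": t10d(2_000_000, nop), "ch1": ch1, "ch2": ch2,
        "subsystem_mttfd": subsystem_mttfd, "dcavg": dcavg, "ccf_ok": ccf_ok,
        "pfhd_total": pfhd_subsystem + pfhd_k1,
    }


if __name__ == "__main__":
    r = worked_example()
    for k, v in r.items():
        print(f"{k:16s} {v}")
    print("MTTFd class:", mttfd_class(r["subsystem_mttfd"]), " PL:", performance_level(r["pfhd_total"]))
```

performance_level reproduces the PFHd bands of ISO 13849-1 (PL e: 10⁻⁸ ≤ PFHd < 10⁻⁷ per hour), so the final PL ≥ PLr check from the validation slides can be made on the summed value. symmetrise is only called when the capped channel values differ, which is why the slides note that symmetrisation is not needed here; t10d is reported because the validation of maintenance requirements expects the replacement interval of wear components to appear in the information for use.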

DEVICE TYPES (NEW)

Device types defined by VDMA

Functional Safety – Universal data format for safety-related values of components or parts
of control systems - VDMA
• Devices can generally be distinguished by the following features:
– Device that can be used directly as a SRP/CS or subsystem (subelement) in a
safety function because the manufacturer has already developed the device for this
specific application (device type 1 and device type 4).
– Device that is only defined and assessed as a SRP/CS or subsystem (subelement)
through the user’s design process (device type 2 and device type 3).

NOTE 1 A safety function normally uses a variety of device types.


NOTE 2 The normative relationships are described in Clause 5.

Data required for safety applications

Device Type 1

• 4.1 Device type 1


– Device type 1 has the highest integration level. Pre-designed safety systems with
integrated diagnostics are typical.
– This type is SIL or PL-classified in line with the intended use. The classification is
specified by the device manufacturer.
– Devices of this type are developed in accordance with safety standards (e.g. IEC
61508).

NOTE 1 Examples for device type 1: Safety light curtain, safety light grid, safety-related control
system components, safe drives/drive functions, safety relays
NOTE 2 Parameters may depend on other application-specific data (e.g. limitation of the
maximum switching frequency).

Device Type 2

• 4.2 Device type 2


– Additional application data (circuit structure, diagnostic coverage (DC) and consideration of
common cause failure (CCF)) are needed in order for the user to assess a safety function.
– Devices of this type are not necessarily developed in accordance with safety standards;
however, this does not exclude application in accordance with ISO 13849-1 or IEC 62061.

NOTE Examples for device type 2: Non-safety-related electronics, e.g. operational amplifier,
proximity switch, pressure sensor, hydraulic valve

Device Type 3

• 4.3 Device type 3


– Type 3 devices are devices with a failure mode, which depends on the operating cycles.
– Additional application data (number of operations, number of activations, circuit structure,
diagnostic coverage (DC) and consideration of common cause failure (CCF)) are needed in
order for the user to assess a safety function.
– Devices of this type are not necessarily developed in accordance with safety standards;
however, this does not exclude application in accordance with ISO 13849-1 or IEC 62061.

NOTE Examples for device type 3: Electromechanical components that are subject to wear, e.g.
power contactors, switches, pneumatic valves, interlocking devices, control devices

Device Type 4

• 4.4 Device type 4


– Device type 4 is a special case of device type 1. This device type does not appear in Clause
5 because for this type there are no random failures which lead to a dangerous fault; this
means the probability of a dangerous fault occurring is PFHD = 0 (not just very low!). For
components of this type, one of the following applies for each potential fault, either:
• Fault exclusion is in accordance with IEC 62061 / ISO 13849-2 or
• Fault always leads to a safe condition.
• Where architectural requirements (see IEC 62061, Clause 6.7.7.2) or other
considerations impose a restriction on sole (single-channel) use, a maximum
achievable PL and SIL must be specified for single-channel use.
• In order to provide the above information, devices must be assessed in accordance
with safety standards (e.g. IEC 61508).

Questions?
