Safety-Related Control System Structure Considerations


This chapter looks at general structural considerations and principles that should be taken into account when designing a safety related control system to any standard. It uses much of the language of the Categories from the outgoing EN 954-1 because the Categories primarily address the structure of control systems.

Note: Shortly before the publication of this text, CEN (European Committee for Standardisation) announced that the final date for presumption of conformity of EN 954-1 would be extended to the end of 2011 to facilitate transition to the later standards. This replaces the original date of December 29, 2009.

For the latest information on the use and status of EN 954-1 visit:

In the meantime it is advised that the extension of the transition period is used to move over to the later standards (EN ISO 13849-1 or IEC/EN 62061) in a timely manner.

Categories of Control Systems

The “Categories” of control systems originated in the outgoing EN 954-1:1996 (ISO 13849-1:1999). However, they are still often used to describe safety control systems and they remain an integral part of EN ISO 13849-1, as discussed in the Introduction to Functional Safety of Control Systems section.

There are five categories describing the fault reaction performance of a safety related control system. See Table 19 for a summary of these categories. The following notes apply to the table.

Note 1: Category B in itself has no special measures for safety but it forms the base for the other categories.

Note 2: Multiple faults caused by a common cause or as inevitable consequences of the first fault shall be counted as a single fault.

Note 3: The fault review may be limited to two faults in combination if it can be justified but complex circuits (e.g. microprocessor circuits) may require more faults in combination to be considered.

Category 1 is aimed at the prevention of faults. It is achieved through the use of suitable design principles, components and materials. Simplicity of principle and design together with stable and predictable material characteristics are the keys to this category.

Categories 2, 3 and 4 require that if faults cannot be prevented they must be detected and appropriate action taken.

Redundancy, diversity and monitoring are the keys to these categories. Redundancy is the duplication of the same technique. Diversity is the use of two different techniques. Monitoring is checking the status of devices and then taking appropriate action based on the result. The usual, but not the only, method of monitoring is to duplicate the safety critical functions and compare their operation.

Category B (see Note 1)
Summary of requirements: Safety related parts of machine control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influences. Basic safety principles shall be applied.
System behavior: When a fault occurs, it can lead to a loss of the safety function.

Category 1
Summary of requirements: The requirements of Category B apply, together with the use of well-tried safety components and safety principles.
System behavior: As described for Category B, but with higher reliability of the safety related function (the higher the reliability, the less the likelihood of a fault).

Category 2
Summary of requirements: The requirements of Category B and the use of well-tried safety principles apply. The safety function(s) shall be checked at machine start-up and periodically by the machine control system. If a fault is detected, a safe state shall be initiated or, if this is not possible, a warning shall be given. EN ISO 13849-1 assumes that the test rate is at least 100 times more frequent than the demand rate, and that the MTTFd of the external test equipment is larger than half of the MTTFd of the functional equipment being tested.
System behavior: The loss of the safety function is detected by the check. The occurrence of a fault can lead to the loss of the safety function between the checking intervals.

Category 3 (see Notes 2 & 3)
Summary of requirements: The requirements of Category B and the use of well-tried safety principles apply. The system shall be designed so that a single fault in any of its parts does not lead to the loss of the safety function. Where practicable, a single fault shall be detected.
System behavior: When the single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. An accumulation of undetected faults can lead to the loss of the safety function.

Category 4 (see Notes 2 & 3)
Summary of requirements: The requirements of Category B and the use of well-tried safety principles apply. The system shall be designed so that a single fault in any of its parts does not lead to the loss of the safety function. The single fault is detected at or before the next demand on the safety function. If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
System behavior: When faults occur, the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function.

Table 19: Categories of Safety Performance (summary of requirements and system behavior)

Category B

Category B provides the basic requirements of any control system; whether it is a safety related control system or non-safety related. A control system must work in its expected environment. The concept of reliability provides a foundation for control systems, as reliability is defined as the probability that a device will perform its intended function for a specified interval under expected conditions.

Category B requires the application of basic safety principles. ISO 13849-2 tells us the basic safety principles for electrical, pneumatic, hydraulic and mechanical systems. The electrical principles are summarized as follows:

The designer must select, install, and assemble according to the manufacturer’s instructions. These devices must work within the expected voltage and current ratings. The expected environmental conditions, like electromagnetic compatibility, vibration, shock, contamination, washdown, must also be considered. The de-energization principle is used. Transient protection is installed across the contactor coils. The motor is protected against overloads. The wiring and grounding meets the appropriate electrical standards.

Category 1

Category 1 requires the system to meet the terms of Category B and, in addition, to use well-tried components. EN ISO 13849-2 gives information about well tried components for mechanical, hydraulic, pneumatic and electrical systems. Annex D addresses electrical components.

Components are considered to be well-tried if they have been successfully used in many similar applications. Newly designed safety components are considered to be well-tried if they are designed and verified in compliance to appropriate standards. Table 20 lists some electrical components and their respective standards.

Well-tried component: Standard
Switch with positive mode actuation (direct opening action): IEC 60947-5-1
Emergency stop device: ISO 13850, IEC 60947-5-5
Fuse: IEC 60269-1
Circuit breaker: IEC 60947-2
Contactors: IEC 60947-4-1, IEC 60947-5-1
Mechanically linked contacts: IEC 60947-5-1
Auxiliary contactor (e.g. contactor, control relay, positive guided relays): EN 50205, IEC 60204-1, IEC 60947-5-1
Transformer: IEC 60742
Cable: IEC 60204-1
Interlocks: ISO 14119
Temperature switch: IEC 60947-5-1
Pressure switch: IEC 60947-5-1 plus pneumatic or hydraulic requirements
Control and protective switching device or equipment (CPS): IEC 60947-6-2
Programmable logic controller: IEC 61508
Table 20: Standards for Well-Tried Components

Applying well-tried components to our Category B system, the limit switch would be replaced by a direct opening action tongue switch and the contactor would be over-dimensioned to further protect against welded contacts.

Figure 140 shows the changes to the simple Category B system to achieve Category 1. The interlock and the contactor play the key roles in removing energy from the actuator, when access to the hazard is needed. The tongue interlock meets the requirements of IEC 60947-5-1 for direct opening action contacts, which is shown by the symbol of the arrow within the circle. With the well-tried components, the probability of energy being removed is higher for Category 1 than it is for Category B. The use of well-tried components is intended to prevent a loss of the safety function. Even with these improvements, a single fault can still lead to the loss of the safety function.

Figure 140: Category 1 of Simple Safety System

Categories B and 1 are prevention based. The design is intended to prevent a hazardous situation. When prevention by itself does not provide enough reduction in the risk, fault detection must be used. Categories 2, 3 and 4 are fault detection based, with increasingly stringent requirements to achieve higher levels of risk reduction.

Category 2

In addition to meeting the requirements of Category B and using well tried safety principles, the safety system must undergo testing to meet Category 2. The tests must be designed to detect faults within the safety related parts of the control system. If faults are not detected, the machine is allowed to run. If faults are detected, the test must initiate a command to bring the machine to a safe state.

Figure 141 shows a block diagram of a Category 2 system. The equipment performing the test can be an integral part of the safety system or a separate piece of equipment.

Figure 141: Category 2 Block Diagram

The testing must be performed:
at machine start-up, and
prior to the initiation of any hazardous situation (e.g., the start of a new cycle), and
periodically during operation.

Note: EN ISO 13849-1 assumes a test to safety function demand ratio of 100:1. The example given here would not meet that requirement.

The words “whenever possible” and “reasonably practicable” indicate that not all faults are detectable. Since this is a single channel system (i.e., one wire connects input to logic to output), a single fault may lead to the loss of the safety function. In some cases, Category 2 cannot be fully applied to a safety system, because not all of the components can be checked.

Figure 142 shows the simple Category 1 system enhanced to meet Category 2. A monitoring safety relay (MSR) performs the testing. Upon power-up, the MSR checks its internal components. If no faults are detected, the MSR checks the tongue switch by monitoring the cycling of its contacts. If no faults are detected and the guard is closed, the MSR then checks the output device: the mechanically linked contacts of the contactor. If no faults are detected and the contactor is off, the MSR energizes its internal output and connects the coil of K1 to the Stop button. At this point, the non safety rated parts of the machine control system, the Start/Stop/Interlock circuit, can turn the machine on and off.

Figure 142: Category 2 Safety System

Opening the guard turns the outputs of the MSR off. When the guard is re-closed, the MSR repeats the safety system checks. If no faults are discovered, the MSR turns on its internal output. The MSR allows this circuit to meet Category 2 by performing tests on the input device, the logic device (itself) and the output device. The test is performed on initial power-up and before initiation of the hazard.

With its inherent logic capabilities, a Safety PLC (PLC safety-rated to IEC 61508) based safety system can be designed to meet category 2.

Figure 143: Complex Category 2 Safety System

Figure 143 shows an example of a complex system using a safety rated PLC. A safety rated PLC is considered well-tried because it is designed to an appropriate standard. The mechanically linked contacts of the contactors are fed into the inputs of the PLC for testing purposes. These contacts may be connected in series to one input terminal or to individual input terminals, depending on the program logic.

Although well-tried safety components are used, a single fault occurring between the checks can lead to the loss of the safety function. Therefore, Category 2 systems are used in lower risk applications. When higher levels of fault tolerance are needed, the safety system must meet Categories 3 or 4.

Category 3

In addition to meeting the requirements of Category B and well-tried safety principles, Category 3 requires successful performance of the safety function in the presence of a single fault. The fault must be detected at or before the next demand on the safety function, whenever reasonably practicable.

Here again we have the phrase “whenever reasonably practicable.” This covers those faults that may not be detected. As long as the undetectable fault does not lead to the loss of the safety function, the safety function can meet category 3. Consequently, an accumulation of undetected faults can lead to the loss of the safety function.

Figure 144: Category 3 Block Diagram

Figure 144 shows a block diagram to explain the principles of a Category 3 system. Redundancy, combined with reasonably practicable cross monitoring and output monitoring, is used to ensure the performance of the safety function.

Figure 145 shows an example of a Category 3 system. A redundant set of contacts are added to the tongue interlock switch. Internally, the monitoring safety relay (MSR) contains redundant circuits that cross monitor each other. A redundant set of contactors remove power from the motor. The contactors are monitored by the MSR through the “reasonably practicable” mechanically linked contacts.

Fault detection must be considered for each part of the safety system, as well as the connections (i.e., the system). What are the failure modes of a dual channel tongue switch? What are the failure modes of the MSR? What are the failure modes of the contactors K1 and K2? What are the failure modes of the wiring?

The tongue interlock switch is designed with direct opening contacts. Therefore we know that opening the guard is designed to open a welded contact. This resolves one failure mode. Do other failure modes exist?

Figure 145: Category 3 System

The direct opening action switch is usually designed with a spring return. If the head is removed or broken off, the safety contacts spring back to the closed (safe) state. Many interlock switches are designed with removable heads to accommodate the installation requirements of various applications. The head can be removed and rotated to two to four positions.

A failure could occur where the head mounting screws are not torqued properly. With this condition, the expected vibration of the machine may cause the head mounting screws to back out. The operating head, under spring pressure, removes the pressure from the safety contacts, and the safety contacts close. Subsequently, opening the guard does not open the safety contacts, and a failure to danger occurs.

Similarly, the operating mechanism within the switch must be reviewed. What is the probability that a failure of a single component will lead to the loss of the safety function? A common practice is to use tongue interlocks with dual contacts in Category 3 circuits. This usage must be based on excluding the single failure of the switch to open the safety contacts. This is considered “fault exclusion” and is discussed later in this chapter.

A monitoring safety relay (MSR) is often evaluated by a third party and assigned a category level (and/or a PL and SIL CL). The MSR often includes dual channel capability, cross channel monitoring, external device monitoring and short circuit protection. No specific standards are written to provide guidance on the design or usage of monitoring safety relays. MSRs are evaluated for their ability to perform the safety function per EN ISO 13849-1 or the outgoing EN 954-1. The rating of the MSR must be the same or higher than the required rating of the system in which it is used.

Two contactors help to ensure that the safety function is fulfilled by the output devices. With overload and short-circuit protection, the probability of a contactor failing with welded contacts is small but not zero. A contactor can also fail with its power switching contacts staying closed due to a stuck armature. If one contactor fails to a dangerous state, the second contactor will remove power from the hazard. The MSR will detect the faulted contactor upon the next machine cycle: when the gate is closed and the start button pressed, the mechanically linked contacts of the faulted contactor will remain open and the MSR will not be able to close its safety contacts, thereby revealing the fault.

Undetected Faults

With a Category 3 system structure there may be some faults that cannot be detected but they must not, by themselves, lead to the loss of the safety function.

Where faults can be detected we need to know if, under some circumstances, they could be either masked or unintentionally cleared by the operation of other devices within the system structure.

Figure 146 shows a widely used approach for connecting multiple devices to a monitoring safety relay. Each device contains two normally closed direct opening action contacts. These devices can be a mix of interlocks or e-stop buttons. This approach saves wiring costs as the input devices are daisy-chained. Assume a short circuit fault occurs across one of the contacts at Sw2 as shown. Can this fault be detected?

Figure 146: Series Connection of Inputs Devices

If switch Sw1 (or Sw3) is opened, both Ch1 and Ch2 are open circuit and the MSR removes power from the hazard. If Sw2 is then opened and closed again while Sw1 is still open, the fault across its contact will not be detected because there is no change of status at the MSR: both Ch1 and Ch2 remain open. If Sw1 (or Sw3) is then closed, the hazard can be restarted by pressing the start button. Under these circumstances the fault did not cause a loss of the safety function, but it was not detected; it remains in the system and a subsequent fault (a short circuit across the second contact of Sw2) could lead to the loss of the safety function.

If Sw2 alone was opened and closed, with no operation of the other switches, Ch1 opens and Ch2 remains closed. The MSR de-energizes the hazard because Ch1 opened. When Sw2 closes, the motor cannot be started when the Start button is pressed, because Ch2 did not open. The fault is detected. However if for any reason, Sw1 (or Sw3) is then opened and closed, both Ch1 and Ch2 will be open then closed circuit. This sequence simulates the clearing of the fault and will result in unintentional reset at the MSR.
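The two sequences above can be played through with a small model. The following is an added example, not code from the original text or from any safety relay manufacturer. It assumes a simplified two-channel MSR with automatic reset that only re-enables after both channels have opened and closed again, and that treats a cycle in which only one channel opened as a discrepancy; switch names, the `bridged` fault flag and the scan order are constructed for the illustration.

```python
# Added example (not from the original text): a model of the series-connected
# dual-channel switches of Figure 146 feeding a two-channel monitoring safety
# relay (MSR) with automatic reset. The MSR logic is an assumed, simplified
# plausibility check: it re-enables only when both channels have opened and
# closed again; if only one channel opened, it treats that as a discrepancy.
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    closed: bool = True                         # guard closed / e-stop released
    bridged: set = field(default_factory=set)   # contacts bypassed by a short-circuit fault

    def contact(self, ch: str) -> bool:
        """A bridged contact reads closed whatever the switch position is."""
        return self.closed or ch in self.bridged


class SeriesMSR:
    def __init__(self, switches):
        self.switches = switches
        self.enabled = True            # assume a healthy power-up with all guards closed
        self.seen_open = {"ch1": False, "ch2": False}
        self.detections = 0            # discrepancies on which the MSR refused to reset

    def channel(self, ch: str) -> bool:
        # Daisy chain: the channel is closed only if every switch's contact is closed.
        return all(sw.contact(ch) for sw in self.switches)

    def scan(self) -> bool:
        ch1, ch2 = self.channel("ch1"), self.channel("ch2")
        if not (ch1 and ch2):
            self.enabled = False                      # any open channel removes power
            self.seen_open["ch1"] |= not ch1
            self.seen_open["ch2"] |= not ch2
        elif not self.enabled:
            if self.seen_open["ch1"] != self.seen_open["ch2"]:
                self.detections += 1                  # only one channel opened: stay off
            else:
                self.enabled = True                   # both channels cycled: automatic reset
                self.seen_open = {"ch1": False, "ch2": False}
        return self.enabled


def build():
    """Sw2 carries the constructed fault: its Ch2 contact is bridged by a short circuit."""
    sw1, sw2, sw3 = Switch("Sw1"), Switch("Sw2", bridged={"ch2"}), Switch("Sw3")
    return sw1, sw2, sw3, SeriesMSR([sw1, sw2, sw3])


def cycle(msr, sw):
    """Open and re-close one switch, scanning the MSR after each change."""
    sw.closed = False
    msr.scan()
    sw.closed = True
    return msr.scan()


def masked_fault():
    """Sw2 is cycled while Sw1 is open: the MSR sees no change, the fault survives."""
    sw1, sw2, _, msr = build()
    sw1.closed = False
    msr.scan()
    cycle(msr, sw2)
    sw1.closed = True
    restarted = msr.scan()
    return restarted, msr.detections          # (True, 0): hazard restarts, fault undetected


def detected_then_cleared():
    """Sw2 cycled alone is caught; cycling Sw1 afterwards clears the lockout."""
    sw1, sw2, _, msr = build()
    after_sw2 = cycle(msr, sw2)               # only Ch1 opened: MSR refuses to reset
    detections = msr.detections
    after_sw1 = cycle(msr, sw1)               # both channels cycle: unintentional reset
    return after_sw2, detections, after_sw1   # (False, 1, True)


def no_fault():
    """Same chain without the bridged contact: a single cycle of Sw2 resets normally."""
    sw1, sw2, _, msr = build()
    sw2.bridged.clear()
    return cycle(msr, sw2), msr.detections    # (True, 0)
```

The model makes the practical point explicit: the MSR only ever observes the two chain signals, so a fault on one switch is revealed only if that switch is the one cycled while the others stay closed, which is why a DC claim for a switch in this structure depends on it being individually tested.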

This raises the question of what DC could be claimed for the individual switches within this structure when using EN ISO 13849-1 or IEC 62061. At the time of publication of this text there is no specific definitive guidance on this but it is usual and reasonable to assume a DC of 60% under the condition that the switches are individually tested at suitable periods to reveal faults. If it is foreseeable that one (or more) of the switches will never be individually tested then it can be argued that its DC should be described as zero. At the time of publication of this text EN ISO 13849-2 is undergoing revision. When it is published it may provide more guidance on this issue.

The series connection of mechanical contacts is limited to Category 3 as it may lead to the loss of the safety function due to an accumulation of faults. In practical terms, the reduction of the DC (and therefore SFF) would limit the maximum achievable PL and SIL to PLd and SIL2.

It is interesting to note that these characteristics of a Category 3 structure have always required consideration but they are brought into sharp focus by the newer functional safety standards.

Figure 147 shows a Category 3 circuit using a safety rated variable frequency drive. Recent developments in drive technology, coupled with the updating of the EN/IEC 60204-1 and NFPA 79 standards, allow safety rated drives to be used in e-stop circuits without the need for an electro-mechanical disconnect of the actuator (e.g., the motor).

Pressing the E-Stop opens the outputs of the MSR. This sends a stop signal to the drive, removes the enable signal and opens the gate control power. The drive executes a Category 0 Stop—immediate removal of power to the motor. This function is termed “Safe Torque Off.” The drive achieves category 3 because it has redundant signals to remove power to the motor: the enable and a positive guided relay. The positive guided relay provides reasonably practicable feedback to the actuator. The drive itself is analyzed to determine that a single fault does not lead to the loss of the safety function.

Figure 147: Safety Rated Drives with E-stop Rated to Category 3

Figure 148 shows an example of a wiring fault, a short circuit, from the MSR Channel 2 safety output to the coil of Contactor K1. All components are operating properly. This wiring fault can occur prior to machine commissioning or at some later date during maintenance or enhancements. Can this fault be detected?

Figure 148: Example 1 of Wiring Fault

This fault cannot be detected by the safety system as shown. Fortunately it does not, on its own, lead to the loss of the safety function. This fault, as well as the equivalent fault from Ch1 to K2, must be detected during commissioning or checks following maintenance work. The list of possible fault exclusions given in EN ISO 13849-2 Annex D, Table D.4, clarifies that these types of faults can be excluded if the equipment is contained within an electrical enclosure and both the enclosure and wiring comply with the requirements of IEC/EN 60204-1. The Joint Technical Report on EN ISO 13849-1 and IEC 62061 also clarifies that this fault exclusion can be considered up to and including PLe and SIL 3. It can also be used at Category 4.

Figure 149 shows another wiring fault example. This fault occurs from the mechanically linked contact of K2 to the monitoring input of the MSR. Can this fault be detected?

Figure 149: Wiring Fault on the EDM (Monitoring) Input

This fault cannot be detected by the safety system, as shown. The MSR monitoring circuit is a series circuit that must be closed prior to startup. As long as the circuit is closed, the MSR believes all monitored devices are in the off state and ready to go. In this example, a welded or stuck K1 contactor will not be detected; it will be masked by the short circuit fault. With two contactors, the safety function is performed by K2, if K1 is indeed faulted. An MSR with monitored manual reset could be substituted for the MSR with automatic reset to detect this type of fault. This type of MSR requires a change of state in terms of a rising or falling signal edge as discussed in the next example and also in the Protective Measures and Complementary Equipment section.

Figure 150 shows the same situation as Figure 149, except that the monitoring circuit of the MSR has changed function from automatic to monitored manual reset. This is accomplished in the MSR by wiring changes or model changes. The monitored manual reset can detect this type of fault because the relay requires a change of state on its monitoring circuit rather than a static level. After closing the guard, the reset button must be pressed. In many (but not all) relays, the MSR outputs energize when the reset button is released. This requirement for a change of state means that the relay cannot be “fooled” into resetting by a permanently blocked-down reset button or unintentionally reset by a short circuit fault.

Figure 150: Monitored Manual Reset to Detect Fault
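The difference between the two reset modes in Figures 149 and 150 is easier to see as behaviour than as wiring. The block below is an added example, not code from the original text or from any relay vendor. It models two contactors with mechanically linked NC auxiliary contacts feeding back to the MSR, a constructed short circuit that holds the monitoring loop permanently closed, and two assumed reset behaviours: automatic reset enables on the loop level, monitored manual reset enables only on the closed-to-open transition produced when the reset button is released.

```python
# Added example (not from the original text): a model of the monitoring (EDM)
# circuit of Figures 149 and 150. Two contactors with mechanically linked NC
# auxiliary contacts feed back to the MSR; a short circuit bridging that loop
# holds the monitoring input permanently closed. The MSR behaviour below is an
# assumption: automatic reset enables on the loop level, monitored manual reset
# enables only on the falling edge seen when the reset button is released.
from dataclasses import dataclass


@dataclass
class Contactor:
    stuck: bool = False      # welded contacts or stuck armature
    coil: bool = False

    @property
    def main_closed(self) -> bool:
        return self.coil or self.stuck

    @property
    def aux_closed(self) -> bool:
        # Mechanically linked NC contact: open whenever the main contacts are closed.
        return not self.main_closed


class MSR:
    def __init__(self, k1, k2, manual_reset, short_across_loop=False):
        self.k1, self.k2 = k1, k2
        self.manual = manual_reset
        self.short = short_across_loop
        self.enabled = False
        self.prev_loop = False

    def loop_level(self, button: bool) -> bool:
        if self.short:
            return True                        # fault: the loop reads closed regardless
        feedback = self.k1.aux_closed and self.k2.aux_closed
        return feedback and (button or not self.manual)

    def scan(self, guard_closed: bool, button: bool = False) -> bool:
        loop = self.loop_level(button)
        if not guard_closed:
            self.enabled = False
        elif self.manual:
            if self.prev_loop and not loop and not self.enabled:
                self.enabled = True            # falling edge: button released with feedback OK
        elif loop:
            self.enabled = True                # automatic reset: a static level is enough
        self.prev_loop = loop
        self.k1.coil = self.k2.coil = self.enabled
        return self.enabled


def reset_sequence(manual_reset, k1_stuck=False, short=False, button_held=False):
    """Guard opened, guard closed, reset pressed, reset released; returns the final output state."""
    k1, k2 = Contactor(stuck=k1_stuck), Contactor()
    msr = MSR(k1, k2, manual_reset, short)
    msr.scan(guard_closed=False)                            # guard open: outputs off
    msr.scan(guard_closed=True, button=button_held)         # guard closed, nothing pressed
    msr.scan(guard_closed=True, button=True)                # reset pressed
    return msr.scan(guard_closed=True, button=button_held)  # reset released (or still held)
```

With automatic reset, a stuck K1 is revealed (its auxiliary contact stays open and the loop never closes) only as long as no short bridges the loop; with the short present the outputs energize and the stuck contactor is masked. With monitored manual reset the permanently closed loop never produces the required edge, so the machine cannot be started and the fault comes to light; the same holds for a reset button that is held down.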

Figure 151 shows a cross channel input fault. A fault occurs from Channel 1 to Channel 2 at the input of the MSR. With eight connections for the two channels, there are numerous potential ways to create the cross channel fault. Can this fault be detected?

Detection of this fault depends on the type of MSR. Microprocessor based MSRs use pulse testing fault detection techniques (see the explanation below) and some MSRs use diverse inputs, where one input is pulled up to +V and the second input is pulled down to ground. In either case this wiring short will be detected immediately and the safety outputs of the MSR will turn off, removing energy from the hazard.

Figure 151: Cross Channel Input Fault

Pulse Testing Fault Detection

Safety circuits are designed to be carrying current when the safety system is active and the hazard is protected. Pulse testing is a technique where the circuit current drops to zero for a very short duration. The duration is too short for the safety circuit to respond and turn the hazard off, but is long enough for a microprocessor based system to detect. The pulses on the channels are offset from each other. If a cross fault short circuit occurs, the microprocessor detects the pulses on both channels and initiates a command to turn the hazard off.

Figure 152 illustrates this principle. This technique also detects shorts to the +V supply. Microprocessor based safety monitoring relays and safety PLC based systems use the pulse testing technique.

Figure 152: Cross Channel Fault with Pulse Testing

Figure 153 shows an arrangement where two outputs of the PLC are configured for pulse testing. Alternating pulses are connected to each channel operated by mechanical switches. This approach detects cross channel faults as well as faults to power and ground. This pulse testing is required by Category 3 because it is reasonably practicable to detect cross channel faults in this manner.

The faults described above are only a subset of all the faults that must be considered. Short circuits to +V, to Ground, shorts to other circuits, and open circuit conditions must be evaluated. In addition, the component ratings and performance must be considered.

Figure 153: Safety PLC using Pulse Testing for Fault Detection

Figure 154 shows a variation of a Safety PLC arrangement. In some cases, connecting a non-safety rated device to a safety system is needed and beneficial. If the outputs are of the sourcing type, they can be connected directly to the inputs of the safety PLC. If they are dual channel, they can be considered to meet the requirements of Category 3.

Another consideration for Safety PLC modules is the number of inputs. Occasionally, one or two additional inputs may be needed, but panel space does not allow for an additional block. In this case, input devices may be connected in series (e.g., SW1 and SW2) and still meet the requirements of Category 3. The tradeoff is the loss of information as to which switch is actuated, unless an additional contact is used and connected to the machine control system.

Figure 154: Complex Inputs Meeting Category 3 with a Safety PLC

Figure 155: Cross Channel Wiring Fault with Light Curtains

Figure 155 shows an example safety system with light curtains (solid state OSSD outputs).

In this example, the wiring fault is detected by the pulse testing at the light curtain. The detection of the fault is immediate, and the light curtain turns off its output.

Category 4

Like Category 3, Category 4 requires the safety system to meet Category B, use safety principles and perform the safety function in the presence of a single fault. Unlike Category 3 where an accumulation of faults can lead to the loss of the safety function, Category 4 requires performance of the safety function in the presence of an accumulation of faults. In practice the consideration of two accumulated faults may be sufficient, although 3 faults may be necessary for some designs due to complexity.

Figure 156 shows the block diagram for Category 4. Monitoring of both output devices and cross monitoring is essentially required, not just when reasonably practicable. This helps differentiate Category 4 from Category 3.

Figure 156: Category 4 Block Diagram

Figure 157 shows an example Category 4 circuit using a two channel non-contact interlock switch.

Figure 157: Non-contact Interlock Category 4 System

Up until relatively recently, tongue actuated interlock switches have sometimes been used for Category 4 circuits. In order to use a tongue interlock in a dual channel circuit it is necessary to exclude the possible single fault failure points on the mechanical actuation tongue and switch linkage. However, the Joint Technical Report on EN ISO 13849-1 and IEC 62061 has clarified that this type of fault exclusion should not be used in PLe or SIL 3 systems.

If the safety system designer prefers using tongue style interlocks, then two switches can be used to meet Category 4. Figure 158 shows an example with two tongue interlock switches with direct opening action contacts.

Figure 158: Category 4 with Redundant Tongue Interlocks

The Monitoring safety relay itself must be rated to meet Category 4, and both output contactors, using mechanically linked contacts, must be monitored.

Figure 159 shows a modular monitoring safety relay with one non-contact switch device connected to each input module. If the safety relay is rated for category 4, this arrangement of input devices meets Category 4. Notice that with the modular approach, the safety relay is microprocessor based and utilizes pulse checking to detect cross faults.

Figure 159: Modular Safety Relay Category 4 System

Component and System Ratings

Categories can be used as part of safety component (device) ratings as well as system ratings. This generates some confusion that can be cleared up by understanding the components and their capabilities. By studying the preceding examples we find that a component such as an interlock switch rated to Category 1 can be used on its own in a Category 1 system, and it can be used in a Category 2 system if additional function monitoring is provided. It can also form part of a Category 3 or 4 system if two of the components are used together with a diagnostic function provided by a monitoring safety relay.

Some components such as monitoring safety relays and programmable safety controllers have their own internal diagnostics and they check themselves to ensure proper performance. Therefore they can be rated as safety components to meet Categories 2, 3 or 4 without any additional measures.

Fault Considerations

Safety analysis requires extensive analysis of faults, and a thorough understanding of the performance of the safety system in the presence of faults is needed. ISO 13849-1 and ISO 13849-2 provide details on fault considerations and fault exclusions.

If a fault results in a failure of a subsequent component, the first fault and all the subsequent faults shall be considered one fault.

If two or more faults occur as a result of a single cause, the faults shall be considered a single fault. This is known as a common cause fault.

The occurrence of two or more independent faults at the same time is considered to be highly unlikely and is not considered in this analysis. There is a basic assumption that only one fault will occur between demands placed on the safety function, provided that the periods between uses of the function are not excessively long.

Fault Exclusions

The outgoing EN 954-1, and the more recent EN ISO 13849-1 and IEC 62061, all permit the use of fault exclusions when determining a safety system classification if it can be shown that the occurrence of the fault is extremely unlikely. Where fault exclusions are used they must be properly justified and remain valid for the intended lifetime of the safety system. The greater the level of risk protected by the safety system, the more stringent the justification required for the fault exclusion. This has always caused some confusion about when certain types of fault exclusion can or cannot be used. As we have seen already in this chapter, recent standards and guidance documents have clarified some aspects of this issue.

In general, where PLe or SIL3 is specified for a safety function, it is not normal to rely on fault exclusions alone to achieve this level of performance. Whether a fault exclusion is justifiable depends on the technology used and the intended operating environment, so the designer must take additional care over the use of fault exclusions as the PL or SIL increases. For example, fault exclusion is not applicable to the mechanical aspects of electromechanical position switches and manually operated switches (e.g. an emergency stop device) when a PLe or SIL3 system is required. The fault exclusions that can be applied to specific mechanical fault conditions (e.g. wear/corrosion, fracture) are described in Table A.4 of ISO 13849-2. A guard interlocking system that has to achieve PLe or SIL3 will therefore need a minimum fault tolerance of 1 (e.g. two conventional mechanical position switches), since it is not normally justifiable to exclude faults such as a broken switch actuator. It may, however, be acceptable to exclude faults such as a short circuit of wiring within a control panel designed in accordance with the relevant standards.

Further information on the use of fault exclusions will be provided in the forthcoming revision of EN ISO 13849-2.

Stop Categories according to IEC/EN 60204-1 and NFPA 79

It is both unfortunate and confusing that the term “Category” in relation to safety related control systems has two different meanings. So far we have discussed the categories that originated in EN 954-1. They are a classification of the performance of a safety system under fault conditions.

There is also a classification known as “Stop Categories” that originated in IEC/EN 60204-1 and NFPA 79. There are three Stop Categories.

Stop Category 0 requires immediate removal of power to the machine actuators. This is an uncontrolled stop: in some circumstances motion can take some time to cease because the motor may be free to coast to a stop.

Stop Category 1 is a controlled stop: power is retained at the actuators (e.g. to apply braking) until the stop is achieved, and is then removed.

Stop Category 2 is a controlled stop in which power is left available to the actuators.

Note that only Stop Categories 0 or 1 can be used as emergency stops. The choice of which of the two Categories to use should be dictated by a risk assessment.

All the circuit examples shown so far in this chapter have used a Stop Category 0. A Stop Category 1 is achieved with a time-delayed output for the final removal of power. An interlocked guard with guardlocking often accompanies a Category 1 stop system. This keeps the guard locked in a closed position until the machine has reached a safe (i.e., stopped) state.

Stopping a machine without taking proper account of the programmable controller may affect restarting and could result in severe tool and machine damage. A standard (non-safety) PLC alone cannot be relied on for a safety related stopping task; therefore, other approaches need to be considered.

Two possible solutions are given below:

1. Safety Relay with Time Delayed Override Command

Figure 160 shows a hard wired system that allows a correctly sequenced shut-down, protecting the machine and its program.

A safety relay with both immediate acting and delayed action outputs is used (e.g. MSR138DP). The immediate acting outputs are connected to inputs at the programmable device (e.g. PLC) and the delayed acting outputs are connected to the contactor. When the guard interlock switch is actuated, the immediate outputs on the safety relay switch. This signals the programmable system to carry out a correctly sequenced stop. After a short but sufficient time has elapsed for this process to complete, the delayed output on the safety relay switches and isolates the main contactor.

Note: Any calculations to determine the overall stopping time must take the safety relay output delay period into account. This is particularly important when using this factor to determine the positioning of devices in accordance with the safety distance calculation.

Figure 160: Delayed Outputs for Orderly Shutdown
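As an added example (not code from the original text or from any safety relay vendor), the following Python model works through the delayed-output sequence described above together with the note on stopping time. It assumes the relay delay is measured from the moment the interlock input opens, that the delayed outputs drop at the end of the delay whether or not the PLC has finished its sequenced stop, and it uses the ISO 13855 light curtain distance rule (S = K·T + C) as an assumption of this example, since the page only refers to "the safety distance calculation" without giving it. All timing values are constructed.

```python
"""Stop Category 1 timing with a delayed-output safety relay.

Added example; not from the original text or any product manual. It models
the arrangement in which the immediate outputs signal the PLC to run its
sequenced stop and the delayed outputs drop the main contactor after a fixed
delay measured from the input demand (assumption). Timing values are
constructed for the demonstration.
"""


def shutdown_timeline(delay_ms, immediate_response_ms, plc_sequence_ms,
                      contactor_dropout_ms, coast_ms):
    """Return (timeline, delay_sufficient).

    timeline: event times in ms after the guard interlock opens.
    delay_sufficient: True if the PLC sequenced stop completes before the
    delayed outputs remove power. The delayed outputs drop at delay_ms
    regardless, so an insufficient delay costs an orderly stop, not safety.
    """
    plc_done = immediate_response_ms + plc_sequence_ms
    contactor_open = delay_ms + contactor_dropout_ms
    timeline = {
        "immediate_outputs_off": immediate_response_ms,
        "plc_sequence_done": plc_done,
        "delayed_outputs_off": delay_ms,
        "contactor_open": contactor_open,
        # overall stopping time T: the relay delay is part of it
        "motion_stopped": contactor_open + coast_ms,
    }
    return timeline, plc_done <= delay_ms


def light_curtain_distance_mm(t_ms, resolution_mm):
    """Minimum distance for a vertical light curtain with resolution <= 40 mm.

    Assumption of this example (ISO 13855 rule): S = K*T + C with
    C = 8*(d - 14) mm and K = 2000 mm/s; if S > 500 mm, recompute with
    K = 1600 mm/s subject to S >= 500 mm.
    """
    if resolution_mm > 40:
        raise ValueError("this rule applies to resolutions of 40 mm or less")
    c = 8 * (resolution_mm - 14)
    s = 2000 * t_ms / 1000 + c
    if s > 500:
        s = max(1600 * t_ms / 1000 + c, 500)
    return s


def distance_with_and_without_delay(delay_ms, contactor_dropout_ms, coast_ms,
                                    resolution_mm):
    """Return (correct, wrong) distances: 'wrong' leaves the relay delay out."""
    timeline, _ = shutdown_timeline(delay_ms, 20, 0, contactor_dropout_ms, coast_ms)
    t_correct = timeline["motion_stopped"]
    t_wrong = contactor_dropout_ms + coast_ms      # delay forgotten
    return (light_curtain_distance_mm(t_correct, resolution_mm),
            light_curtain_distance_mm(t_wrong, resolution_mm))


if __name__ == "__main__":
    tl, ok = shutdown_timeline(delay_ms=1000, immediate_response_ms=20,
                               plc_sequence_ms=600, contactor_dropout_ms=20,
                               coast_ms=300)
    print(tl, "delay sufficient:", ok)
    print("distance with/without delay (mm):",
          distance_with_and_without_delay(1000, 20, 300, 30))
```

With a 1 s relay delay, 20 ms contactor drop-out and 300 ms coast, the overall stopping time is 1320 ms; omitting the delay from the calculation would place a 30 mm resolution light curtain at 640 mm instead of the 2240 mm the full stopping time requires.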

2. Safety PLCs

The logic and timing functions required can be conveniently implemented by using a (safety) PLC with an appropriate safety integrity level. In practice this would be achieved by using a Safety PLC such as the SmartGuard or GuardLogix.

U.S. Safety Control System Requirements

In the U.S., safety related control system requirements can be found in a number of different standards but two documents stand out: ANSI B11.TR3 and ANSI R15.06.

The technical report ANSI B11.TR3 sets out four levels characterized by the expected amount of risk reduction that each can provide. The requirements for each level follow.

Lowest Degree of Risk Reduction

In ANSI B11.TR3, safeguards providing the lowest degree of risk reduction include electrical, electronic, hydraulic or pneumatic devices and associated control systems using a single-channel configuration. Implicit in the requirements is the requirement to use safety rated devices. This is closely aligned with Category 1 of ISO13849-1.

Low/Intermediate Risk Reduction

Safeguards providing low/intermediate risk reduction in ANSI B11.TR3 include control systems having redundancy that may be manually checked to verify the performance of the safety system. Looking at the pure requirements, the system employs simple redundancy; a checking function is not required. Without checking, one of the redundant safety components can fail without the safety system realizing it, leaving a single channel system. This level of risk reduction aligns best with Category 2 when checking is used.

High/Intermediate Risk Reduction

Safeguards providing high/intermediate risk reduction in ANSI B11.TR3 include control systems having redundancy with self-checking upon startup to confirm the performance of the safety system. For machines that are started every day, the self-checking provides a significant improvement in the safety integrity over the purely redundant system. For machines running 24/7, the self-checking is a marginal improvement, at best. Employing periodic monitoring of the safety system aligns the requirements with Category 3.

Highest Degree of Risk Reduction

The highest degree of risk reduction in ANSI B11.TR3 is provided by control systems having redundancy with continuous self-checking. The self-checking must verify the performance of the safety system. The challenge for the safety system designer is to determine what “continuous” means. Many safety systems perform their checks at startup and when a demand is placed on the safety system.

Some components, on the other hand, perform continuous self-checking. Light curtains, for example, sequentially turn on and off their LEDs. If a fault occurs, the light curtain turns off its outputs before a demand is placed on the safety system, because it continuously checks itself. Microprocessor based relays and safety PLCs are other components that perform continuous self-checking.

The control system requirement for “continuous” self checking is not intended to limit the selection of components to light curtains and microprocessor based logic units. The checking should be performed at startup and after every demand on the safety system. This level of risk reduction is intended to align with Category 4 of ISO13849-1.

Robot Standards: U.S. and Canada

The robot standards in the U.S. (ANSI RIA R15.06) and Canada (CSA Z434-03) are quite similar. Both have four levels, which are similar to the categories of EN954-1:1996 and which are described below.

Simple

At this lowest level, simple safety control systems must be designed and constructed with accepted single channel circuitry, and these systems may be programmable.

In Canada, this level is further restricted to signaling and annunciation purposes only.

The challenge for the safety system designer is to determine what is “accepted.” What is an accepted single channel circuit? To whom is the system acceptable?

The simple category is most closely aligned with Category B of EN954-1:1996.

Single Channel

The next level is a single channel safety control system that:

An example of a proven circuit design is a single channel electromechanical positive break device that signals a stop in a de-energized state.

Being a single channel system, a single component failure can lead to the loss of the safety function.

The Single Channel category most closely aligns with Category 1 of EN954-1:1996.

Safety Rated Software/Firmware Device

Although hardware based systems have been the preferred method providing safeguarding of robots, software/firmware devices are becoming a popular choice due to their ability to handle complex systems. Software/firmware devices (safety PLCs or safety controllers) are allowed provided these devices are safety rated. This rating requires that a single safety-related component or firmware failure does not lead to the loss of the safety function. When the fault is detected, subsequent automatic operation of the robot is prevented until the fault is cleared.

To achieve a safety rating, the software/firmware device must be tested to an approved standard by an approved lab. In the U.S., OSHA maintains a list of nationally recognized testing laboratories (NRTL). In Canada, the Standards Council of Canada (SCC) maintains a similar list.

Single Channel with Monitoring

Single channel safety control systems with monitoring must fulfill the requirements for single channel; be safety rated and utilize checking. The check of the safety function(s) must be performed at machine start-up, and periodically during operation. Automatic checking is preferred over manual checking.

The checking operation allows operation if no faults have been detected or generates a stop signal if a fault is detected. A warning must be provided if a hazard remains after cessation of motion. Of course, the check itself must not cause a hazardous situation. After detecting the fault, the robot must remain in a safe state until the fault is corrected.

Single Channel with Monitoring most closely aligns with Category 2 of EN954-1:1996.

Control Reliable

The highest level of risk reduction in the U.S. and Canadian robot standards is achieved by safety related control systems meeting the requirements of Control Reliable. Control reliable safety related control systems are dual channel architectures with monitoring. The stopping function of the robot must not be prevented by any single component failure, including the monitoring function.

The monitoring shall generate a stop command upon detection of a fault. If a hazard remains after motion stops, a warning signal must be provided. The safety system must remain in a safe state until the fault is corrected.

Preferably, the fault is detected at the time of the failure. If this cannot be achieved, then the failure must be detected at the next demand on the safety system.

Common mode failures must be taken into consideration if a significant probability of such a failure can occur.

The Canadian requirements differ from the U.S. requirements by adding two further requirements. First, the safety related control systems shall be independent of the normal program control systems. Second, the safety system must not be easily defeated or bypassed without detection.

Control reliable systems align with Category 3 and 4 of EN 954-1:1996.

Comments on Control Reliable

The most fundamental aspect of Control Reliable is single fault tolerance. The requirements state how the safety system must respond in the presence of “a single fault,” “any single fault,” or “any single component failure.”

Three very important concepts must be considered regarding faults: (1) not all faults are detected, (2) adding the word “component” raises questions about wiring, and (3) wiring is an integral part of the safety system. Wiring faults can result in the loss of a safety function.

The intent of Control Reliability is clearly the performance of the safety function in the presence of a fault. If the fault is detected, then the safety system must execute a safe action, provide notification of the fault, and prevent further operation of the machine until the fault is corrected. If the fault is not detected, then the safety function must still be performed upon demand.
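The following Python model is an added example, not code from the original text or from any safety relay or PLC product. It puts the single-fault tolerance discussed here, the single channel statement that one component failure can lose the safety function, and the earlier note that a microprocessor based safety relay uses pulse checking to detect cross faults into one runnable analysis: one or two interlock contacts fed from test-pulsed outputs are read by a monitoring function, a list of single faults is injected one at a time, and for each fault the model reports whether the stop is still performed on demand and whether the fault is detected before the demand, at the demand, or not at all. The fault names, the pulse patterns, the 8-sample window and the three monitoring schemes are constructed for the demonstration.

```python
"""Single-fault analysis of a guard interlock read by a monitoring function.

Added example; not from the original text or any product. It models one or
two interlock contacts fed from test-pulsed outputs and compares three
monitoring schemes against a list of single faults. Fault names, pulse
patterns and the 8-sample window are constructed for the demonstration.
"""

# Constructed test-pulse patterns: each channel output is briefly switched
# off at a different time (0 = test gap). A healthy closed contact passes its
# own pattern through unchanged.
PULSE_A = (1, 1, 1, 0, 1, 1, 1, 1)
PULSE_B = (1, 1, 1, 1, 1, 1, 1, 0)

# Hypothetical single faults considered in the analysis.
FAULTS = ("none", "a_welded", "a_short_24v", "a_open", "cross_short")


def sample_inputs(guard_closed, fault):
    """Return (in_a, in_b): what the monitoring inputs see over one window."""
    gate = 1 if guard_closed else 0
    in_a = tuple(p * gate for p in PULSE_A)
    in_b = tuple(p * gate for p in PULSE_B)
    if fault == "a_welded":        # contact A stuck closed: pulses pass regardless of guard
        in_a = PULSE_A
    elif fault == "a_short_24v":   # input A wire shorted to supply: high, no test gaps
        in_a = (1,) * len(PULSE_A)
    elif fault == "a_open":        # input A wire broken: permanently low
        in_a = (0,) * len(PULSE_A)
    elif fault == "cross_short":   # A and B wiring shorted together after the contacts:
        # whichever output is high at each instant drives both inputs
        joined = tuple(a | b for a, b in zip(in_a, in_b))
        in_a = in_b = joined
    return in_a, in_b


def monitor(in_a, in_b, scheme):
    """Return (outputs_enabled, fault_detected) for the chosen scheme.

    scheme: "single"       one channel, no diagnostics
            "dual"         two channels, discrepancy check only
            "dual_pulsed"  two channels, discrepancy check plus test pulses
    """
    a_closed = any(in_a)
    b_closed = any(in_b)
    if scheme == "single":
        return a_closed, False
    discrepancy = a_closed != b_closed
    pulse_fault = False
    if scheme == "dual_pulsed":
        # A closed channel must reproduce exactly its own pulse pattern; a
        # missing gap means a short to supply or to the other channel.
        pulse_fault = ((a_closed and in_a != PULSE_A) or
                       (b_closed and in_b != PULSE_B))
    detected = discrepancy or pulse_fault
    return a_closed and b_closed and not detected, detected


def analyse(fault, scheme):
    """Evaluate one single fault with the guard closed and then opened."""
    en_closed, det_closed = monitor(*sample_inputs(True, fault), scheme)
    en_open, det_open = monitor(*sample_inputs(False, fault), scheme)
    return {
        "runs_with_guard_closed": en_closed,
        "stops_on_demand": not en_open,
        "detected": det_closed or det_open,
        "detected_before_demand": det_closed,
    }


def single_fault_tolerant(scheme):
    """True if every listed single fault still leaves the stop function intact."""
    return all(analyse(f, scheme)["stops_on_demand"] for f in FAULTS)


if __name__ == "__main__":
    for scheme in ("single", "dual", "dual_pulsed"):
        print(scheme, "single-fault tolerant:", single_fault_tolerant(scheme))
        for f in FAULTS:
            print("  ", f, analyse(f, scheme))
```

Running it shows the three points made above. The single channel scheme loses the stop function when contact A welds or its wire shorts to supply, and never detects either fault. The dual channel scheme with only a discrepancy check keeps the stop function for every listed fault, detects the welded contact at the next demand rather than when it occurs, and never sees the cross short between the channel wires, which is exactly the kind of undetected fault that can accumulate until a second one removes the redundancy. Adding test pulses detects the cross short and the short to supply before any demand is made; the welded contact still shows up only at the next demand, which is the behaviour Control Reliable permits when detection at the time of failure cannot be achieved.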