
Introduction to Safety

2007
2008
6 Introduction to Safety

1- Design in safety. The European standards structure.

In order to be freely marketed in the countries of the European Community every product or machinery must comply with Directives 2006/95/CE (“low voltage directive”) and 2006/42/CE (“machinery directive”) and subsequent modifications and completions; these directives determine the fundamental requirements that devices or machinery should guarantee to reach an adequate safety level for operators. The conformity is certified by the issue of the Conformity Declaration by the manufacturer and by the application of the CE marking on the machine itself.

For the assessment of the machine risks and the realization of safety systems to protect the operator from those risks, the European standardization organizations CEN and CENELEC have issued a series of standards which translate the contents of the directives into technical requirements.

The safety standards are divided into three groups: A, B and C.
Type A standards: contain the basic concepts and the general design guidelines for the realization of all machines.
Type B standards: deal particularly with one or more aspects concerning safety and are further divided into:
• Type B1 standards: concern some safety aspects (for example safety distances, temperatures, noise, etc.)
• Type B2 standards: concern safety devices (for example bimanual controls, devices for guard interlocking, etc.)
Type C standards: deal in detail with safety requirements for specific groups of machines (e.g. hydraulic presses, injection machinery, …).

The manufacturer of devices or machinery must first verify whether the product is covered by a type C standard. If so, that standard gives the safety requirements; otherwise type B standards for any specific aspect or device of the product are applied. Failing further requirements, the manufacturer follows the general guidelines stated in type A standards.

Examples of standards for each type:

TYPE A STANDARDS
EN 12100-1 and -2 (replace EN 292-1 and EN 292-2). Basic concepts, general design guidelines
EN 61508-1..-7. Functional safety of safety-related electrical, electronic and programmable electronic systems.
EN 1050:1996. Principles of risk assessment. (It will probably be replaced by ISO 14121)

TYPE B1 STANDARDS
EN 62061:2005. Functional safety of safety-related electrical, electronic and programmable electronic control systems
EN 13849-1:2006 and -2:2003 (replace EN 954-1). Safety-related parts of control systems

TYPE B2 STANDARDS
EN 574:1996. Two-hand control devices
EN 13850:2006 (replace EN 418:1992). Emergency stop
EN 1088:1995. Interlocking devices associated with guards
EN 60204-1:2006. Electrical equipment of machinery
EN 60947-5-1:2004. Electromechanical control devices

TYPE C STANDARDS
EN 201:1997. Machinery for rubber and plastic material - Injection machines
EN 415-1..-7:2000. Safety of wrapping machines
EN 692:2005. Mechanical presses
EN 693:2001. Hydraulic presses
EN 848-1:2007. Safety of wood-working machines – miller on one single side with rotating tool – single-shaft vertical miller (router)

2- Short introduction to the new machinery safety standard


After a long evolution and discussion inside different international standardization bodies, some new standards(1) have been issued and have definitively come into force in the machine safety sector; these standards will gradually replace the current ones and re-define many basic concepts to which the market was accustomed.

The approach taken by the new standards is probabilistic: briefly, their formulation extends the deterministic concepts introduced with EN 954-1 through new statistical variables, indicated by terms such as PL, MTTFd, SIL and others, to which we will have to get used one at a time.

Nowadays (2007) the course outlined by the new standards presents obstacles, because they are based on some assumptions that are not yet realized in the electromechanical sector. For example, these standards require manufacturers to have statistical data available, but without defining methodologies for the calculation of these values; this creates an uncertain situation in which every manufacturer could handle the matter in his own way. As these statistical data express the quality of products with a quantitative value, it is plain that, without any clear and common definition, we could have more or less flexible interpretations from manufacturers, with the risk of a lot of confusion, which is not desirable in the safety sector.
Furthermore, the new standards are not very easy to handle, and a possible overlap between EN 13849 and EN 62061 complicates the situation further.
But the path has been outlined, and we hope that in future all problems will be solved with the common aim of improving the safety of machines.

(1)
EN 954-1:1996. Machinery safety – safety related parts of control systems: Part 1: General design guidelines.
In the text, this standard will be indicated as EN 954-1, if not otherwise specified.

EN 61508-1:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 1: General requirements.
EN 61508-2:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
EN 61508-3:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 3: Software requirements.
EN 61508-4:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 4: Definitions and abbreviations.
EN 61508-5:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 5: Examples of methods for the determination of safety integrity levels.
EN 61508-6:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3.
EN 61508-7:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 7: Overview of techniques and measures.
In the text, these standards will be indicated as EN 61508, if not otherwise specified.

EN 62061:2005. Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.
In the text, this standard will be indicated as EN 62061, if not otherwise specified.

EN 13849-1:2006. Safety of machinery – Safety-related parts of control systems: Part 1: General design guidelines. (Note: ISO 13849-1:1999 is identical to EN 954-1:1996)
EN 13849-2:2003. Safety of machinery – Safety-related parts of control systems: Part 2: Validation.
In the text, these standards will be indicated as EN 13849, if not otherwise specified.

page 6/21 General Catalog 2007-2008



3- Current normative situation (2007)

Currently four very important standards are in force for machine safety.
EN 954-1:1996. It is a type B1 standard, which introduced the concept of safety categories. It covers applications for machine safety, but does not deal with safety devices containing electronic components.
EN 61508:2002. It is a type A standard, which introduced guidelines and calculation methods to evaluate and classify the safety level of machinery or devices containing electrical, electronic or programmable electronic components. This standard also introduces the concept of SIL (Safety Integrity Level).
EN 62061:2005. It is a type B1 standard which derives from EN 61508 and reports the same concepts and terminology, applying them to the machine safety sector. This standard also uses the concept of SIL.
EN 13849:2006. It is a type B1 standard which in some way links EN 954-1 and EN 62061, creating references to both standards and introducing the concept of PL (Performance Level). In detail, this standard covers electromechanical, hydraulic and “not complex” electronic devices, and some programmable electronic devices with predefined structures. In this standard a correlation between SIL and PL is indicated, concepts borrowed from EN 61508 (such as DC and CCF) are used, and a reference to the safety categories of EN 954-1 is established. In practice, this standard tries to help the manufacturer, already accustomed to the EN 954-1 concepts, to slide “softly” into the new statistical concepts.

The EN 954-1:1996 will be in force up to November 2009, when it will be replaced by EN 13849-1:2006. This last standard is already in force, so during the intermediate stage it will be possible to use both of them. Therefore, nowadays it is possible to classify machines according to both standards.

Important note.
The EN 13849 is a type B1 standard; therefore, if a machine is already classified by a type C standard, the latter prevails. All type C standards previously developed are based on the concepts of EN 954-1. For manufacturers of machinery covered by a type C standard, the introduction time of the new standards could differ according to the updating speed of the various technical commissions. It is possible that a machine could maintain the “old classification” according to EN 954-1 even after that standard has expired.

4-Normative evolution: reason of changes, new standards and some overlapping


The current EN 954-1 has had the great merit of giving evidence to, and classifying in an organic way, what a good engineer already knew.
This standard, with the introduction of safety categories and risk analysis methods, has helped to identify different degrees of machinery risk, has introduced a common analysis methodology among products of different sectors, and has proposed solutions (redundancy, self-check) for the most dangerous applications.
On the other hand it does not deal with programmable electronic devices, it does not analyze cases where several machines are interconnected and, even if it introduces the concept of periodic monitoring, it gives few instructions about how this has to be carried out.

The standard EN 61508 was issued initially to define the safety of electronic devices, particularly complex programmable electronic devices, so covering the “gap” left by EN 954-1. But during its development at the IEC, this standard gradually widened its field of application, becoming a very complex standard (an 800-page volume, divided into 7 parts) suitable for different application fields (process industry, industrial machinery, nuclear plants), so that it achieved the status of a type A standard.

Theoretically EN 62061, derived from EN 61508 for industrial machinery, should have covered only complex or programmable electronics, but owing to the widened approach of its ancestor, it has finally included all electrical, electronic and programmable electronic circuits. The approach of these two standards is fundamentally probabilistic, and new statistical variables are introduced which require a deep analysis (mathematical as well) of the machinery, an analysis that could require much time and is not simple to apply.

In the meantime the revision of EN 954-1, carried out by CEN under the aegis of ISO, was at the development stage, with the draft standard that then became EN 13849. The cross-references between the two standards show that the commissions have talked to each other, but in the end they preferred to create an overlap of application fields, so that the final version of EN 13849 also covers electronic and programmable electronic systems, even if only for some predefined structures and not for the highest safety levels. The field of application is clearly stated in EN 13849-1 (see table 1) and, as can be seen, for wide product categories both standards could be applied.

Table 1 — Recommended application of IEC 62061 and ISO 13849-1

Columns: technology implementing the safety-related control function(s); ISO 13849-1; IEC 62061.

A  Non-electrical, e.g. hydraulics
   ISO 13849-1: X
   IEC 62061: Not covered
B  Electromechanical, e.g. relays, and/or non-complex electronics
   ISO 13849-1: Restricted to designated architectures(a) and up to PL = e
   IEC 62061: All architectures and up to SIL 3
C  Complex electronics, e.g. programmable
   ISO 13849-1: Restricted to designated architectures(a) and up to PL = d
   IEC 62061: All architectures and up to SIL 3
D  A combined with B
   ISO 13849-1: Restricted to designated architectures(a) and up to PL = e
   IEC 62061: X(c)
E  C combined with B
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL = d
   IEC 62061: All architectures and up to SIL 3
F  C combined with A, or C combined with A and B
   ISO 13849-1: X(b)
   IEC 62061: X(c)

X indicates that this item is dealt with by the International Standard shown in the column heading.
a. Designated architectures are defined in 6.2 (EN 13849-1) in order to give a simplified approach for quantification of performance level.
b. For complex electronics: use designated architectures according to this part of ISO 13849 up to PL = d or any architecture according to IEC 62061.
c. For non-electrical technology, use parts in accordance with this part of ISO 13849 as subsystems.

Taken from table 1 of EN 13849-1:2006

The choice of the standard to use is up to the manufacturer and to the market, even if we believe that EN 13849, with its intermediate approach and its reuse of the EN 954-1 concepts (supplemented with some others introduced by EN 61508), is an easier standard to understand for small and medium machinery manufacturers.




5.0 - Risk analysis and assessment through EN 954-1 and EN 1050


These two standards define how to analyze (EN 1050) and consequently evaluate the potential risks of a machine, and give a methodology to reduce those risks through the adoption of suitable safety circuits (EN 954-1). The process is iterative: once a possible solution for risk reduction has been identified, this solution must be validated; if the validation fails, the risk analysis must be repeated.

5.1 - Procedure for the choice and the design of safety measures
The following 5 steps are quoted from the standard EN 954-1 par. 4.3 for the correct choice and design of safety measures.
Step 1 Danger analysis and risks computation on the machine.
Step 2 Arrangement of measures for the risk reduction by means of control devices.
Step 3 Specification of the safety requirements in terms of:
- selection of the safety category,
- realization of the safety functions
Step 4 Design and check of the relevant parts for the safety of a control system.
Step 5 Validation of the functions and of the achieved categories by their comparison with what previously defined in step 3.

5.2 - Risk assessment and safety categories


Some information regarding the choice of the proper safety category for the machine under evaluation is quoted below.

Risk graph in accordance with the standard EN 954-1, annex B (figure not reproduced): from the starting point, S1 leads directly to estimated risk level I, while S2 is further split by F1/F2 and P1/P2 into risk levels II to V. For each risk level the figure marks, among the safety categories B, 1, 2, 3 and 4, the preferential category (big circle) and the admissible choice of a higher or lower category (small circles).

Legend:

S Accident severity:
S1 = reversible (slight) injury (i.e. small cuts, burns, light abrasions, etc.)
S2 = irreversible (serious) injury or death (i.e. permanent disability, loss of limbs, breathing harm, etc.)
F Presence in the dangerous zone:
F1 = from rare to quite frequent (i.e. weekly or more, to once a day)
F2 = from often to continuous (i.e. from many times a day to continuous)
P Chance to avoid the accident or to reduce its effect significantly:
P1 = possible under certain conditions (i.e. the worker is able to realize the imminent danger)
P2 = almost impossible (i.e. the worker is unable to realize the imminent danger)
I-V Estimated risk level
B, 1-4 Safety categories of control systems
Big circle: preferential category foreseen for this risk level
Small circle: choice of a higher category, or choice of a lower category

It is possible to use categories different from the preferential ones (big circle in the figure), but the foreseen behaviour of the system in case of faults must be taken into consideration. Also, the reasons for the derogation must be indicated by the machine manufacturer. When categories indicated by a small circle are chosen, some additional measures can be required, as for example:
- over-sizing or use of techniques for fault elimination;
- use of dynamic monitoring.




5.3 - Table of requirements for each category according to the standard EN 954-1 par. 6.2

Safety category B
List of the requirements: Relevant parts for the safety in control systems and/or their protection devices, as well as their components, have to be designed, manufactured, chosen and combined in compliance with the pertaining standards, in order to resist the foreseen influences.
Behaviour of the system: An occurring error may cause the loss of the safety function.
Safety principles: Mainly marked by the choice of the components.

Safety category 1
List of the requirements: The requirements of category B are applied. Well-tested components and safety principles must be used.
Behaviour of the system: An occurring error may cause the loss of the safety function, but the probability of error occurrence is lower than in category B.
Safety principles: Mainly marked by the choice of the components.

Safety category 2
List of the requirements: The requirements of category B and the use of well-tested safety principles are applied. The safety function has to be checked by the control system from time to time, or at least on every machine start and before any dangerous situation.
Behaviour of the system: An occurring error may cause the loss of the safety function between the checks. The loss of the safety function is detected by the check.
Safety principles: Mainly marked by the structure.

Safety category 3
List of the requirements: The requirements of category B and the use of well-tested safety principles are applied. Relevant parts for the safety have to be designed so that:
- one single error in one of these parts doesn’t cause the loss of the safety function;
- where reasonably practicable, the single error is detected.
Behaviour of the system: When one single error occurs, the safety function is always performed. Not all the errors are detected. The accumulation of undetected errors may cause the loss of the safety function.
Safety principles: Mainly marked by the structure.

Safety category 4
List of the requirements: The requirements of category B and the use of well-tested safety principles are applied. Relevant parts for the safety have to be designed so that:
- one single error in one of these parts doesn’t cause the loss of the safety function;
- the single error is detected at the moment of, or before, the request of the next safety function. If this is not possible, then the accumulation of errors must not cause the loss of the safety function.
Behaviour of the system: When errors occur, the safety function is always performed. Errors are detected in time to avoid the loss of the safety function.
Safety principles: Mainly marked by the structure.




6.0 - Risk analysis and assessment through EN 13849 and ISO 14121
Also in the case of EN 13849 and ISO 14121 (mentioned in EN 13849 but still today not in force), the process for risk analysis, assessment and reduction is iterative and structurally similar to that of the pair EN 954-1 and EN 1050.

The following figure shows the iterative evaluation process as stated in EN 13849-1.

Iterative risk reduction process of EN 13849-1 (flowchart not reproduced; its boxes are transcribed below in order).

Risk assessment carried out in accordance with ISO 14121:
START
- Determination of the limits of the machine (see 5.2 a)
- Hazard identification (see clause 4 a and 5.3 a)
- Risk estimation (see 5.3 a)
- Risk evaluation (see 5.3 a)
- Has the risk been adequately reduced?
  Yes: Are other hazards generated? If no, END; if yes, return to hazard identification.
  No: Risk reduction process for the hazard: 1) by intrinsic design, 2) by safeguards, 3) by information for use (see ISO 12100-1:2003, Figure 4).
- For each selected protective measure: does the selected protective measure depend on a control system?
  No: return to risk estimation.
  Yes: verification of safety-related control systems according to ISO 13849-1 (below), then return to risk estimation.

Verification of safety-related control systems according to ISO 13849-1:
- Identify the safety functions to be performed by SRP/CSs
- For each safety function specify the required characteristics (see Clause 5 b)
- Determine the required performance level PLr (see 4.3 b and Annex A b)
- Design and technical realisation of the safety function: identify the safety-related parts which carry out the safety function (see 4.4 b)
- Evaluate the performance level PL (see 4.5 b) of the above safety-related parts considering:
  - category (see Clause 6 b)
  - MTTFd (see Annex C b and D b)
  - DC (see Annex E b)
  - CCF (see Annex F b)
  - if existing: software (see 4.6 b and Annex J b)
- Verification of PL for the safety function: is PL ≥ PLr (see 4.7 b)? If no, return to design and technical realisation.
- Validation (see Clause 8 b c): are all requirements met? If no, return to design and technical realisation.
- Have all safety functions been analysed? If no, return to the next safety function; if yes, continue with the risk assessment.

a Refers to ISO 12100-1:2003
b Refers to ISO 13849-1:2006
c ISO 13849-2 provides additional help for the validation

This iterative risk reduction process shall be carried out separately for each hazard under each condition of use (task).

Note: this figure has been obtained by the combination of figures 1 and 3 of EN 13849-1:2006.




6.1- New and old concepts: Safety categories, PL, MTTF, DC


As with EN 954-1, EN 13849 also uses a graph for the risk analysis of a machine function (see figure), but it determines, instead of a safety category, a required performance level (PLr) for the safety function that will protect that part of the machine. The manufacturer will have to build a system to protect the operator with a (calculated) performance level PL equal to or higher than the one required.

Risk graph for determining the required PLr for a safety function (taken from EN 13849-1, figure A.1; figure not reproduced)

Key
1 starting point for evaluation of the safety function’s contribution to risk reduction
L low contribution to risk reduction
H high contribution to risk reduction
PLr required performance level

Risk parameters
S severity of injury
S1 slight (normally reversible injury)
S2 serious (normally irreversible injury or death)
F frequency and/or exposure to hazard
F1 seldom-to-less-often and/or exposure time is short
F2 frequent-to-continuous and/or exposure time is long
P possibility of avoiding hazard or limiting harm
P1 possible under specific conditions
P2 scarcely possible

PLs are classified in 5 levels, from PL a to PL e with increasing risk, and each one of them identifies a numerical range of average probability of dangerous failure per hour. For example, PL d indicates that the average probability of a dangerous failure per hour lies between 1 × 10^-7 and 1 × 10^-6, that is about 1 dangerous failure every 100-1000 years.

PL   Average probability of a dangerous failure per hour (1/h)
a    ≥ 10^-5 and < 10^-4
b    ≥ 3 × 10^-6 and < 10^-5
c    ≥ 10^-6 and < 3 × 10^-6
d    ≥ 10^-7 and < 10^-6
e    ≥ 10^-8 and < 10^-7
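The two lookups described in this section, the risk graph of figure A.1 that gives PLr from S, F and P and the PFHd ranges that define each PL, written out as plain Python. This is an added example and not code from the catalogue or its publisher. The two PLr = c cases are the ones the text states; the other six cells of the risk graph are taken from figure A.1 of EN 13849-1, which is not reproduced on this page; the conversion to "years between dangerous failures" assumes 8760 operating hours per year, and the function names are my own.

```python
# Added example (not from the catalogue): EN 13849-1 risk graph and PL/PFHd table.

HOURS_PER_YEAR = 8760  # assumption: 24 h x 365 days of operation

# Required performance level PLr from the risk graph of EN 13849-1, figure A.1.
# Keys are (S, F, P) as in the key of the figure. The page states the two
# PLr = c cases (S1/F2/P2 and S2/F1/P1); the other cells are read from the figure.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}

# Average probability of a dangerous failure per hour for each PL,
# as (lower bound, inclusive; upper bound, exclusive), from the table above.
PFHD_RANGE = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def required_pl(severity, frequency, avoidance):
    """PLr for the risk parameters S, F, P, e.g. required_pl("S2", "F1", "P1") -> "c"."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"unknown risk parameters {key}: use S1/S2, F1/F2, P1/P2")
    return RISK_GRAPH[key]


def pl_from_pfhd(pfhd):
    """Classify a calculated PFHd (1/h) into PL a..e; None if it falls outside every range."""
    for pl, (low, high) in PFHD_RANGE.items():
        if low <= pfhd < high:
            return pl
    return None


def years_between_dangerous_failures(pl):
    """(min, max) mean years between dangerous failures implied by the PFHd bounds of a PL.
    For PL d this gives roughly 114 to 1142 years, the "100-1000 years" quoted in the text."""
    low, high = PFHD_RANGE[pl]
    return (1.0 / (high * HOURS_PER_YEAR), 1.0 / (low * HOURS_PER_YEAR))


def describe_risk(severity, frequency, avoidance):
    """Human-readable summary combining the two lookups."""
    plr = required_pl(severity, frequency, avoidance)
    low, high = PFHD_RANGE[plr]
    yrs_min, yrs_max = years_between_dangerous_failures(plr)
    return (f"{severity}/{frequency}/{avoidance} -> PLr = {plr}: "
            f"PFHd in [{low:.0e}, {high:.0e}) 1/h, "
            f"about one dangerous failure every {yrs_min:.0f}-{yrs_max:.0f} years")


if __name__ == "__main__":
    # Constructed inputs: the two cases the catalogue says both lead to PLr = c.
    print(describe_risk("S1", "F2", "P2"))
    print(describe_risk("S2", "F1", "P1"))
```

The half-open ranges matter at the boundaries: a calculated PFHd of exactly 10^-6 is PL c, not PL d, because the table's lower bound is inclusive and the upper bound exclusive.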

There is no direct correlation between PL and the Safety Categories of EN 954-1 (figure with axis “Safety category (from EN 954-1)” not reproduced).
The EN 13849 reuses the concept of safety categories as an aggregation of system topology (single channel, redundant, etc., using the term “Designated Architectures”) and of system resistance to failure, supplementing them with the calculation of further new numerical parameters such as:




MTTFd (Mean Time To Dangerous Failure)

This parameter is essentially a quality statement of the system, representing the expected average working time without a dangerous failure (not a generic failure), expressed in years. In practice, the calculation of the MTTFd is based on numerical values supplied by the manufacturers of the single components of the system. In the absence of data, the standard provides values in suitable reference tables. The calculation leads to a numerical value that falls into one of three classes: high, medium or low.

CCF (Common Cause Failures)

Only for category 2, 3 or 4 systems, the calculation of the MTTFd also requires the evaluation of possible common cause failures, or CCF, that could invalidate the redundancy of the system.

DC (Diagnostic Coverage)
This parameter indicates how far the system is able to “self-check” its own possible failures. The diagnostic coverage differs according to the percentage of dangerous failures detectable by the system thanks to its structure. Also in this case the parameter DC is divided into classes, namely high, medium, low and none. No diagnostic coverage is admitted only for systems of category B or 1.

Through these three parameters, Category, MTTFd and DC, the standard supplies a table (see figure or annex K of EN 13849-1) that shows which PL level it is possible to achieve.

Relationship between categories, DCavg, MTTFd of each channel and PL (taken from EN 13849-1, figure 5; figure not reproduced)

Key
PL performance level
1 MTTFd of each channel = low
2 MTTFd of each channel = medium
3 MTTFd of each channel = high

The manufacturer who wants to verify machine safety has to follow the iterative approach provided by the standards. In particular, after the first stage of risk assessment (according to EN 1050 or ISO 14121), if the protection is supplied by a control system, an iterative stage follows to verify that the system itself is able to supply the required protection level.

This second phase starts by determining the required performance level PLr that supplies the necessary degree of protection according to the risks found. During this phase, the risk graph seen above is used.

Then a protection system is assumed, identifying the safety category (according to the architecture and failure resistance), calculating the MTTFd and verifying DC and CCF as well. With these values it is possible to calculate the PL of the system and, if this is higher than or equal to PLr, the system is considered suitable. At this point a system validation stage (according to EN 13849-2) follows and, if this verification is also positive, the risk at issue can be considered sufficiently limited.




7- What will change in the risk analysis: two important variations


In the shift from the old to the new group of standards, the main novelties are the probabilistic approach and the introduction of all the new parameters pointed out in the previous paragraphs. It is clear that, in order to comply with the new standards, a higher level of skill and training will be required of all operators in the sector.

There are also two important differences introduced by the new standards concerning risk analysis and assessment with respect to what has been done so far:

1) The risk of a slight accident (no permanent injury) no longer necessarily leads to a low safety level (category B or 1), as in EN 954-1. Now a frequent and difficult-to-avoid risk of slight accident is considered equal to an infrequent and avoidable risk of permanent injury (level PLr = c).

Comparison of the two risk graphs (figures not reproduced): according to EN 954-1, S1 leads directly from the starting point to risk level I, while S2 is split by F1/F2 and P1/P2 into risk levels II to V, each matched to the safety categories B, 1, 2, 3, 4; according to EN 13849-1:2006, both the S1 and the S2 branch are split by F1/F2 and P1/P2 before reaching the required performance level.

2) Whereas in the EN 954-1 standard a system of a certain category had to have a specific structure, in the new standard many paths are possible to obtain an intermediate performance level. For instance, to obtain a system with a PL equal to level “c”, all the following solutions are correct:
1. A Category 3 system with low-reliability components (MTTFd = low) and medium DC.
2. A Category 3 system with reliable components (MTTFd = medium) and low DC.
3. A Category 2 system with reliable components (MTTFd = medium) and medium DC.
4. A Category 2 system with highly reliable components (MTTFd = high) and low DC.
5. A Category 1 system with highly reliable components (MTTFd = high).

Simplified procedure for evaluating PL achieved by SRP/CS (derived from EN 13849-1, figure 7)

MTTFd of each channel   Category B    Category 1    Category 2    Category 2     Category 3    Category 3     Category 4
                        DCavg none    DCavg none    DCavg low     DCavg medium   DCavg low     DCavg medium   DCavg high
low                     a             not covered   a             b              b             c              not covered
medium                  b             not covered   b             c              c              d             not covered
high                    not covered   c             c             d              d              d             e

The machine manufacturer has to consider which combination is the best for his machine for the ratio performance/price.
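Point 2 above and the figure-7 table can be checked mechanically. The following is an added example, not code from the catalogue or its publisher: it encodes the simplified table (Category, DCavg, MTTFd of each channel → PL) and the "is PL ≥ PLr" comparison from the procedure of section 6.1, and it lists every combination that reaches a given PL, which reproduces the five solutions for PL c. The class names (none/low/medium/high) are the page's own; the function names are my own.

```python
# Added example (not from the catalogue): simplified PL lookup of EN 13849-1
# figure 7 and the PL >= PLr verification step.

# Column headings of the figure-7 table: (category, DCavg).
_COLUMNS = [("B", "none"), ("1", "none"), ("2", "low"), ("2", "medium"),
            ("3", "low"), ("3", "medium"), ("4", "high")]

# Rows: MTTFd class of each channel -> PL per column; None = "not covered".
_ROWS = {
    "low":    ["a", None, "a", "b", "b", "c", None],
    "medium": ["b", None, "b", "c", "c", "d", None],
    "high":   [None, "c", "c", "d", "d", "d", "e"],
}

# Flattened lookup: (category, dcavg, mttfd) -> PL or None.
PL_TABLE = {
    (cat, dc, mttfd): pl
    for mttfd, cells in _ROWS.items()
    for (cat, dc), pl in zip(_COLUMNS, cells)
}

PL_ORDER = "abcde"  # PL a is the lowest, PL e the highest


def achieved_pl(category, dcavg, mttfd):
    """PL reached by an SRP/CS of the given category, DCavg class and MTTFd class.
    Returns None for combinations the simplified table marks "not covered"."""
    key = (str(category).upper(), dcavg.lower(), mttfd.lower())
    if key not in PL_TABLE:
        raise ValueError(f"no such column/row in the figure-7 table: {key}")
    return PL_TABLE[key]


def pl_meets(achieved, required):
    """Verification step: is the achieved PL >= PLr? A "not covered" result never passes."""
    if achieved is None:
        return False
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def verify_srpcs(category, dcavg, mttfd, plr):
    """Combine the lookup and the comparison as the procedure does; returns a small report."""
    pl = achieved_pl(category, dcavg, mttfd)
    return {"category": str(category).upper(), "dcavg": dcavg.lower(),
            "mttfd": mttfd.lower(), "pl": pl, "plr": plr,
            "suitable": pl_meets(pl, plr)}


def solutions_reaching(pl_target):
    """All (category, DCavg, MTTFd) combinations whose PL is exactly pl_target,
    i.e. the "many paths" of point 2; sorted for a stable, readable listing."""
    return sorted(key for key, pl in PL_TABLE.items() if pl == pl_target)


if __name__ == "__main__":
    for combo in solutions_reaching("c"):
        print("PL c via category %s, DCavg %s, MTTFd %s" % combo)
    print(verify_srpcs(3, "medium", "low", "c"))   # PL c, suitable for PLr = c
    print(verify_srpcs(4, "high", "low", "d"))     # not covered, never suitable
```

Note that the table only answers the PL question; CCF and, for categories 2 to 4, the MTTFd of each channel still have to be established as the text describes before a combination can be claimed.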




5 - Examples of connections according to the standard EN 954-1 (min. requirements)

Emergency stop push button and rope safety switches for emergency stop installation.

Safety category B-1 (wiring diagram and circuit structure not reproduced): single channel; E-stop1, E-stop2 and E-stop3 (push buttons CC 01AAB00AB or rope switches FD 1878) act on contactor KM1 together with the Stop and Start push buttons; KM1 switches the motor M.

Safety category 2 (wiring diagram and circuit structure not reproduced): E-stop1, E-stop2 and E-stop3 (push buttons CC 01AAB00AB or rope switches FD 1878) are connected to safety module CS AR-40 (terminals shown: A1, A2, S33, S34, 13, 14); the module drives contactor KM1, which switches the motor M; Start push button in the start circuit.

If an external contactor (KM1) is used to increase the load capacity of the contacts, this contactor should have forced guided contacts.




Emergency stop push button and rope safety switches for emergency stop installation.

Safety category 3 (wiring diagram and circuit structure not reproduced): E-stop1, E-stop2 and E-stop3 (push buttons CC 01AAB00AC or rope switches FD 978) are connected to safety module CS AR-20 (terminals shown: A1, A2, S33, S34, 13, 14, 23, 24); the module drives contactors KM1 and KM2, which switch the motor M; Start push button in the start circuit.

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.

Safety category 4 (wiring diagram and circuit structure not reproduced): E-stop1 … E-stopn (push buttons CC 01AAB00AC or rope switches FD 978) are connected to safety module CS AR-01 (terminals shown: A1, A2, S11, S12, S21, S22, S31, S33, S34, S35, 13, 14, 23, 24); the module drives contactors KM1 and KM2, which switch the motor M; Start push button in the start circuit.

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.

Attention: the examples mentioned above are purely descriptive and give only an indication about how to set up a safety circuit according to the categories foreseen by standard EN 954-1.
It is the manufacturer’s responsibility to check that correct circuits are applied on each specific machine.




5 - Examples of connections according to the standard EN 954-1 (min. requirements)

Applications with safety switches for gate monitoring.

Safety category B-1 (wiring diagram and circuit structure not reproduced): single channel; guard switches SS1, SS2 and SS3 (FX 693) act on contactor KM1 together with the Stop and Start push buttons; KM1 switches the motor M.

Safety category 2 (wiring diagram and circuit structure not reproduced): guard switches SS1, SS2 and SS3 (FX 693) are connected to safety module CS AR-40 (terminals shown: A1, A2, S33, S34, 13, 14); the module drives contactor KM1, which switches the motor M; Start push button in the start circuit.

If an external contactor (KM1) is used to increase the load capacity of the contacts, this contactor should have forced guided contacts.




Applications with safety switches for gate monitoring.

Safety category 3 (wiring diagram and circuit structure not reproduced): guard switches SS1, SS2 and SS3 (FX 993), one per guard, are connected to safety module CS AR-20 (terminals shown: A1, A2, S33, S34, 13, 14, 23, 24); the module drives contactors KM1 and KM2, which switch the motor M; Start push button in the start circuit.

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.

Attention: the utilisation of only one switch for each guard requires that in the risk analysis the mechanical breaking of the same can be excluded.

Safety category 4 (wiring diagram and circuit structure not reproduced): each guard is monitored by a pair of switches (SS1 and SS2, SS3 and SS4, … SSm and SSn; one FR 693 and one FR 1896 per pair) connected to safety module CS AR-01 (terminals shown: A1, A2, S11, S12, S21, S22, S31, S33, S34, S35, 13, 14, 23, 24); the module drives contactors KM1 and KM2, which switch the motor M; Start push button in the start circuit.

If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.

Attention: the examples mentioned above are purely descriptive and give only an indication about how to set up a safety circuit according to the categories foreseen by standard EN 954-1.
It is the manufacturer’s responsibility to check that correct circuits are applied on each specific machine.




6 - Positive opening, redundancy, diversification and self-control


Positive manner and negative manner.
According to the standard EN 292-2 point 3.5, if a mechanical component in motion directly drives another component, through physical contact or a rigid mechanical linkage, that connection is said to be in a positive manner. Instead, if the movement of a mechanical component simply allows another element to move freely, without using direct force (for example by gravity, spring effect, etc.), their connection is in a negative manner.

Figure (not reproduced): positive manner and negative manner, each shown with the machine working (door closed) and the machine stopped (door open). Dangerous failures, in which the machine keeps working: worn out roller and misaligned roller for the positive manner; welded contacts and broken spring for the negative manner.

The positive manner avoids, with preventive maintenance, the dangerous failures indicated above. On the contrary, the negative-manner failures occur inside the switch and are therefore difficult to detect.
With the positive manner, internal failures (welded contacts or broken springs) still allow the opening of the contacts and therefore the stop of the machine.

Figure (not reproduced): positive manner with a broken spring, machine stopped; positive manner with welded contacts, machine stopped.




Use of switches in safety applications


When a single switch is used in a safety function, it must be actuated in a positive manner. The opening contact (normally closed) must have “positive opening” in order to be used for safety applications. All switches marked with the positive-opening symbol (not reproduced here) are provided with NC contacts with positive opening.

Figure (not reproduced): rigid, non-flexible connection between the moving contacts and the actuator, where the actuating force is applied.

If the switches are two or more, it is suggested that they should operate in opposite manners, for example:
- One with a normally closed contact (opening contact) actuated by the guard in a positive manner.
- The other with a normally open contact (closing contact), actuated by the guard in a non positive manner.
This is a common practice, however, it does not exclude, if justified, the use of two switches actuated in a positive manner (see
diversification).

Diversification
Safety in a redundant system is increased by diversification. It is obtained by the application of two limit switches of different design and/or technology, in order to avoid failures caused by the same reasons. Some examples of diversification are: the use of a switch working in a positive manner together with one working in a non-positive manner; a switch with mechanical actuation and one with non-mechanical actuation (e.g. electronic sensor); two switches with mechanical actuator working in a positive manner but with different actuation principles (e.g. one actuator-operated FR 693 and one hinge-operated FR 1896 switch).

Redundancy
Redundancy is the use of more than one device or system in order to guarantee that, in case of a functional failure in one of them, another one is available to perform the safety functions. If the first failure is not detected, a possible second failure may cause the loss of the safety functions.

Self-monitoring
Self-monitoring consists in the automatic checking of the correct functioning of every device involved in the machine working cycle.
Consequently, the next working cycle can be either accepted or rejected.

Redundancy and self-monitoring


The combination of both, redundancy and self-monitoring, ensures that a first failure in the safety circuit does not cause the loss of the safety functions. This first failure will be detected at the next restart, or in any case before a second failure which could cause the loss of the safety functions.
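To make the interplay of redundancy and self-monitoring concrete, here is a toy model of a two-channel safety input with contactor feedback, written as an added example. It is not code from the catalogue, nor a model of the safety modules named in the wiring examples; the class, its inputs and the three scenarios (no fault, a contactor whose welded main contact is detected through the forced-guided feedback contacts, one switch contact stuck closed) are constructed for illustration, and timing, test pulses and start-up tests are deliberately left out.

```python
# Added example (not from the catalogue): toy model of redundancy plus
# self-monitoring in a two-channel safety circuit. Simplified on purpose:
# no timing, no test pulses, no start-up test.


class DualChannelMonitor:
    """Two input channels (e.g. two guard switches or two E-stop contacts)
    enable two contactors KM1/KM2. The NC auxiliary contacts of the forced
    guided contactors are wired in series as a feedback loop: closed only
    when both contactors are released."""

    def __init__(self):
        self.outputs_enabled = False
        self.fault = None                 # latched fault description, or None
        # A power-up counts as a full demand, so a first start is allowed.
        self._ch1_seen_open = True
        self._ch2_seen_open = True

    def update(self, ch1_closed, ch2_closed, feedback_closed, start_pressed):
        """One evaluation cycle; returns True if the outputs are enabled afterwards."""
        # Redundancy: a demand on EITHER channel removes the enable. One channel
        # failing to open (welded contact) therefore cannot keep the machine running.
        if not (ch1_closed and ch2_closed):
            self.outputs_enabled = False
        # Remember which channels actually opened during the demand.
        if not ch1_closed:
            self._ch1_seen_open = True
        if not ch2_closed:
            self._ch2_seen_open = True

        # Self-monitoring happens at the restart request.
        if start_pressed and not self.outputs_enabled:
            if not (ch1_closed and ch2_closed):
                return False              # demand still present, nothing to check yet
            if not feedback_closed:
                # A contactor did not release: with forced guided contacts its NC
                # auxiliary contact stays open, so the welded main contact is detected.
                self.fault = "contactor feedback open: KM1/KM2 not released"
            elif not (self._ch1_seen_open and self._ch2_seen_open):
                # Only one channel opened during the last demand: the first
                # failure is caught before a second one could defeat the redundancy.
                self.fault = "channel discrepancy: one channel did not open"
            elif self.fault is None:
                self.outputs_enabled = True
                self._ch1_seen_open = self._ch2_seen_open = False
        return self.outputs_enabled


def run_scenarios():
    """Three constructed sequences of input samples; returns the observed outcomes."""
    results = {}

    # 1) No faults: start, guard opened (both channels open), guard closed, restart.
    m = DualChannelMonitor()
    started = m.update(True, True, True, True)
    stopped = not m.update(False, False, True, False)
    restarted = m.update(True, True, True, True)
    results["normal"] = (started, stopped, restarted, m.fault)

    # 2) KM1 main contact welded: after the stop the feedback loop stays open.
    m = DualChannelMonitor()
    m.update(True, True, True, True)
    m.update(False, False, False, False)
    restarted = m.update(True, True, False, True)
    results["welded_contactor"] = (restarted, m.fault)

    # 3) Channel 1 switch contact welded closed: only channel 2 opens with the guard.
    m = DualChannelMonitor()
    m.update(True, True, True, True)
    stopped = not m.update(True, False, True, False)   # still stops: redundancy
    restarted = m.update(True, True, True, True)        # refused: self-monitoring
    results["welded_channel"] = (stopped, restarted, m.fault)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Scenario 3 is the point of the section: the stuck channel alone does not stop the machine from stopping (the other channel still opens), and the fault is caught at the next restart, before a second failure could remove the safety function. Scenario 2 shows why the wiring notes insist on forced guided contacts: without the mechanically linked NC feedback contact there would be nothing for the monitor to read.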

