Ref - Omron Safety Technology

Technical Guide

Fourth Edition
Warnings
Serious injury may possibly occur due to loss of required safety functions.
When building the system, observe the following warnings to ensure the integrity of the safety-related components.

Setting Up a Risk Assessment System


The process of selecting these products should include the development and execution of a risk assessment system early in the design
development stage to help identify potential dangers in your equipment and optimize safety product selection.
Related International Standards:
ISO 12100 General Principles for Design - Risk Assessment and Risk Reduction

Protective Measure
When developing a safety system for the equipment and devices that use safety products, make every effort to understand and
conform to the entire series of international and industry standards available, such as the examples given below.
Related International Standards:
ISO 12100 General Principles for Design - Risk Assessment and Risk Reduction
IEC 60204-1 Electrical Equipment of Machines - Part 1: General Requirements
ISO 13849-1, -2 Safety-related Parts of Control Systems
ISO 14119 Interlocking Devices Associated with Guards - Principles for Design and Selection
IEC/TS 62046 Application of Protective Equipment to Detect the Presence of Persons

Role of Safety Products


Safety products incorporate standardized safety functions and mechanisms, but the benefits of these functions and mechanisms are
designed to attain their full potential only within properly designed safety-related systems. Make sure you fully understand all
functions and mechanisms, and use that understanding to develop systems that will ensure optimal usage.
Related International Standards:
ISO 14119 Interlocking Devices Associated with Guards - Principles for Design and Selection
ISO 13857 Safety Distances to Prevent Hazard Zones being Reached by Upper and Lower Limbs

Installing Safety Products


Qualified engineers must develop your safety-related system and install safety products in devices and equipment. Prior to machine
commissioning, verify through testing that the safety products work as expected.
Related International Standards:
ISO 12100 General Principles for Design - Risk Assessment and Risk Reduction
IEC 60204-1 Electrical Equipment of Machines - Part 1: General Requirements
ISO 13849-1, -2 Safety-related Parts of Control Systems
ISO 14119 Interlocking Devices Associated with Guards - Principles for Design and Selection

Observing Laws and Regulations


Safety products must conform to pertinent laws, regulations, and standards. Make sure that they are installed and used in accordance
with the laws, regulations, and standards of the country where the devices and equipment incorporating these products are distributed.

Observing Usage Precautions


Carefully read the specifications and precautions as well as all items in the Instruction Manual for your safety product to learn
appropriate usage procedures. Any deviation from instructions will lead to unexpected device or equipment failure not anticipated by
the safety-related system.

Transferring Devices and Equipment


When transferring devices and equipment, be sure to retain one copy of the Instruction Manual and supply another copy with the
device or equipment so the person receiving it will have no problems with operation and maintenance.
Related International Standards:
ISO 12100 General Principles for Design - Risk Assessment and Risk Reduction
IEC 60204-1 Electrical Equipment of Machines - Part 1: General Requirements
ISO 13849-1, -2 Safety-related Parts of Control Systems
IEC 62061 Functional Safety of Safety-related Electrical, Electronic and Programmable Electronic Control Systems
IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems

Terms and Conditions Agreement
Read and understand this catalog.
Please read and understand this catalog before purchasing the products. Please consult your OMRON representative if you have
any questions or comments.

Warranties.
(a) Exclusive Warranty. Omron’s exclusive warranty is that the Products will be free from defects in materials and workmanship
for a period of twelve months from the date of sale by Omron (or such other period expressed in writing
by Omron). Omron disclaims all other warranties, express or implied.
(b) Limitations. OMRON MAKES NO WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, ABOUT
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OF THE
PRODUCTS. BUYER ACKNOWLEDGES THAT IT ALONE HAS DETERMINED THAT THE PRODUCTS WILL
SUITABLY MEET THE REQUIREMENTS OF THEIR INTENDED USE.
Omron further disclaims all warranties and responsibility of any type for claims or expenses based on infringement by the Products
or otherwise of any intellectual property right. (c) Buyer Remedy. Omron’s sole obligation hereunder shall be, at Omron’s election,
to (i) replace (in the form originally shipped with Buyer responsible for labor charges for removal or replacement thereof) the
non-complying Product, (ii) repair the non-complying Product, or (iii) repay or credit Buyer an amount equal to the purchase price
of the non-complying Product; provided that in no event shall Omron be responsible for warranty, repair, indemnity or any other
claims or expenses regarding the Products unless Omron’s analysis confirms that the Products were properly handled, stored,
installed and maintained and not subject to contamination, abuse, misuse or inappropriate modification. Return of any Products by
Buyer must be approved in writing by Omron before shipment. Omron Companies shall not be liable for the suitability or
unsuitability or the results from the use of Products in combination with any electrical or electronic components, circuits, system
assemblies or any other materials or substances or environments. Any advice, recommendations or information given orally or in
writing, are not to be construed as an amendment or addition to the above warranty.
See http://www.omron.com/global/ or contact your Omron representative for published information.

Limitation on Liability; Etc.


OMRON COMPANIES SHALL NOT BE LIABLE FOR SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES,
LOSS OF PROFITS OR PRODUCTION OR COMMERCIAL LOSS IN ANY WAY CONNECTED WITH THE PRODUCTS,
WHETHER SUCH CLAIM IS BASED IN CONTRACT, WARRANTY, NEGLIGENCE OR STRICT LIABILITY.
Further, in no event shall liability of Omron Companies exceed the individual price of the Product on which liability is asserted.

Suitability of Use.
Omron Companies shall not be responsible for conformity with any standards, codes or regulations which apply to the
combination of the Product in the Buyer’s application or use of the Product. At Buyer’s request, Omron will provide applicable
third party certification documents identifying ratings and limitations of use which apply to the Product. This information by itself is
not sufficient for a complete determination of the suitability of the Product in combination with the end product, machine, system,
or other application or use. Buyer shall be solely responsible for determining appropriateness of the particular Product with
respect to Buyer’s application, product or system. Buyer shall take application responsibility in all cases.
NEVER USE THE PRODUCT FOR AN APPLICATION INVOLVING SERIOUS RISK TO LIFE OR PROPERTY OR IN LARGE
QUANTITIES WITHOUT ENSURING THAT THE SYSTEM AS A WHOLE HAS BEEN DESIGNED TO ADDRESS THE RISKS,
AND THAT THE OMRON PRODUCT(S) IS PROPERLY RATED AND INSTALLED FOR THE INTENDED USE WITHIN THE
OVERALL EQUIPMENT OR SYSTEM.

Programmable Products.
Omron Companies shall not be responsible for the user’s programming of a programmable Product, or any consequence thereof.

Performance Data.
Data presented in Omron Company websites, catalogs and other materials is provided as a guide for the user in determining
suitability and does not constitute a warranty. It may represent the result of Omron’s test conditions, and the user must correlate it
to actual application requirements. Actual performance is subject to the Omron’s Warranty and Limitations of Liability.

Change in Specifications.
Product specifications and accessories may be changed at any time based on improvements and other reasons. It is our practice
to change part numbers when published ratings or features are changed, or when significant construction changes are made.
However, some specifications of the Product may be changed without any notice. When in doubt, special part numbers may be
assigned to fix or establish key specifications for your application. Please consult with your Omron’s representative at any time to
confirm actual specifications of purchased Product.

Errors and Omissions.


Information presented by Omron Companies has been checked and is believed to be accurate; however, no responsibility is
assumed for clerical, typographical or proofreading errors or omissions.

Table of Contents
Technical Guide

Chapter 1 What Is Safety? The Social Background................................ 5
1. The Social Background to Safety of Machinery.......................................................6
2. Safety of Machinery.................................................................................................8
3. Safety Requirements.............................................................................................10

Chapter 2 Risk Assessment and Risk Reduction.................................. 13
1. Risk Assessment...................................................................................................14
2. Risk Reduction Measures......................................................................................16
3. Achievement of Safeguarding Depending on Controlling......................................19

Chapter 3 Safety Components................................................................ 21
1. Interlocking movable guards..................................................................................23
2. Emergency Stop Device........................................................................................27
3. Safety Sensor........................................................................................................28
4. Safety Controller....................................................................................................34
5. Safety-related Operating Switches........................................................................38
6. Safety Relays........................................................................................................40
7. Drive Devices Equipped with the Safety Function.................................................41

Chapter 4 Safety Circuit Examples......................................................... 43
1. Index......................................................................................................................44
2. Precautions............................................................................................................45
3. Conditions for PL Evaluation.................................................................................46
4. Reliability Data for Safety of Machinery for OMRON Products.............................46

Chapter 5 Performance Level.................................................................. 67
1. What is a Performance Level (PL)?......................................................................68
2. Relationship between Risk Assessment and PL....................................................69
3. Organizing Safety Functions and Hazards............................................................71
4. PLr and PL.............................................................................................................72
5. Safety-related Parts PL Evaluation Procedure......................................................73
6. Subsystem Configured in Discrete Components...................................................78
7. Complex Subsystem..............................................................................................92
8. PL Evaluation.........................................................................................................93
9. Basic Safety Principles for Risk Reduction in the Failure......................................95
10. Validation for Programmable Devices..................................................................101
11. Safety-related Parts PL Evaluation in the Devices..............................................104

Chapter 6 Annex..................................................................................... 113
1. Regulations and Standards by Country............................................................... 114
2. Description of Safety Component-related Standards..........................................127

EtherCAT® is a registered trademark and patented technology, licensed by Beckhoff Automation GmbH, Germany.
Safety over EtherCAT® is a registered trademark and patented technology, licensed by Beckhoff Automation GmbH, Germany.
CIP SafetyTM is a registered trademark of ODVA.
Screen shots in this document are used under license from Microsoft.
Other company and product names in this document are trademarks or registered trademarks of their respective holders.

Chapter 1

What Is Safety? The Social Background

1. The Social Background to Safety of Machinery.................................6
(1) Changes in People.................................................................................................................. 6
(2) Changes in Machines and Production Facilities...................................................................... 6
(3) Changes in Production Locations............................................................................................ 7
(4) Changes in Social Consciousness.......................................................................................... 7

2. Safety of Machinery...............................................................................8
(1) Strategies for Selecting Safety Measures............................................................................... 8

3. Safety Requirements...........................................................................10
(1) System of Standards for Safety of Machinery....................................................................... 10
Accelerated international harmonization of safety standards................................................ 11
International Standards and Design of Machines and Devices............................................. 11
What Is Safety? The Social Background

In the manufacturing industry, production consists of processing, assembling, and transporting materials.
In modern times, machines use large amounts of energy to relieve workers of this burden and assist in
production. This has resulted in the wide range of machines that we see today. Workers trained through
experience in operating the machines create more stable quality, so the relationship between machines
and production has continued to evolve into the many forms seen today.

1. The Social Background to Safety of Machinery

(1) Changes in People

In some countries, changes in social structure have brought changes in the people who work at production sites. For example, many experienced
workers are retiring while the working population shrinks due to lower birth rates. At the same time, forms of employment continue to diversify,
such as the increasing number of temporary employees, and there is a continued increase in employees working overseas. Diversification also
continues to increase in other ways, such as age, sex, experience, language, and social habits.

(2) Changes in Machines and Production Facilities

Today's society is facing more diversification in consumer needs, driving demand for more variation in products. Production sites are required to
change between many different products at relatively short intervals, resulting in frequent changes to production facilities. Machines required for
production must support more functionality.
This and many other changes require workers to master new techniques and working procedures.

(3) Changes in Production Locations

Market globalization has moved production from fixed domestic sites to locations across national borders. Domestic production is faced with the need for more
competitive products and new markets, combined with demand for production sites in newly industrialized countries, such as the BRICs. Offshore
production means dealing with different laws, infrastructures, cultures, and values. The machines and production facilities resulting from the
know-how accumulated by domestic industry must now be used in different human environments.

(4) Changes in Social Consciousness

In mature civil societies, companies must take social responsibility for their activities. For example, they must assume product liability for the
products that they produce. Although conditions vary by country, all countries now have laws requiring product safety to protect the consumer.
(For example, Japan and the USA have product liability laws and the EU has the EC directives.) It is not necessary to provide examples of
product accidents to realize how strictly manufacturing liability for safety and peace of mind is monitored in societies that share a common
ideal of respect for human beings. Based on these ideals, the responsibility of companies for the safety of workers on production sites is
also strictly monitored. (For example, OSHA in the USA, the Revised Industrial Safety and Health Law in Japan, and EC directives in the EU.)
Companies face not only criminal, civil, and damage liability for any accidents that might occur, but their corporate image is greatly hurt as a
result. The social liability of companies for the safety of their workers has skyrocketed in recent years.

The relationship between workers and machines and the environment in which they operate has thus changed on a global scale. And yet,
manufacturing is not possible until a worker operates a machine. Across changes in the operating environment, society demands that machines
and production facilities can be used safely regardless of where they are used or who uses them. This is required not only of the workers, but
also of the machines and hardware technology. As a result, global standards for safety are required for today's production sites. This is the
concept of Safety of Machinery.

2. Safety of Machinery
Safety that cannot be sufficiently assured by relying on human behaviour alone is to be secured in the
machines themselves, by engineering means, to obtain a higher level of assurance. Safety standards define
the requirements for the safety of machinery.
ISO 12100 was officially issued in November 2003 as an international safety standard.
With the publication of ISO 12100:2010, ISO 12100-1, ISO 12100-2 and ISO 14121 were integrated into
"General principles for design - Risk assessment and risk reduction."

A typical standard for the safety of machinery is the European Standard (EN).

EN standards are established as the engineering criteria for meeting the basic safety requirements defined
in the Machinery Directive within the European Union, and conformity with the EN standards is a
prerequisite for the EC Declaration of Conformity, which is mandatory for distribution within the EU.
Thus, conformity with the directives or standards is carried out as part of the mechanical design or
engineering, and the technical files are treated as a complete set of documents for the machinery.

(1) Strategies for Selecting Safety Measures

1) Separation between human and machinery

Machinery hazards occur in hazard areas, where the human workspace overlaps the machine workspace.
Preventing machinery hazards begins by eliminating mechanisms that facilitate hazardous conditions.
The following strategies are generally used to achieve this goal.

1. Spatial separation between human and machine workspaces
(Isolation principle: Safeguarding with guards)

2. Temporal separation
(Stoppage principle: Safeguarding with interlocking devices *)
* An interlocking device refers to a mechanical or electrical device that is designed to prevent machines from operating
unless certain conditions are met, such as closing a guard, for example. (ISO 14119)

Figure: Human workspace / Hazard zone / Machine workspace. Captions: "Emergency stop ensures termination of the power source."
"The machine stops safely even if a failure occurs on light curtains." "Unauthorized personnel intrusion disables the restart."
"A door will not open until a machine stops."

2) Safety Measure Strategy

All machines fail and everyone makes mistakes.
Therefore, basic designs that take every precaution to ensure the safety of operators are required in the event of a fault.

Figure: "Humans make mistakes." - Ensuring safety irrespective of operating experience. "Machines fail." - Ensuring safety during
machine setup and maintenance.

3) Safety secured by de-energizing
Isolating the human and machine states of operation with respect to time by controlling the interlocking devices can be achieved in
principle by shutting down the machine power source and thus reducing the risk derived from the motion of the machine.
Note: If, however, de-energizing increases another risk (such as fall, scatter or overturn due to the loss of retention power), this does not apply.
IEC 60204-1 defines how the power is shut off with the stop categories 0 to 2, depending on the behavior from the request for an
emergency stop to the termination of machine operation. Take the optimum scheme for shutting down the energy from the selected risk
reduction measures.
Note: Depending on the risk reduction measures, there are some cases where the stop categories are specified by the standard's requirement.

Type of Stop Functions

Stop Category 0
Stop category 0 is an uncontrolled stop that is achieved by immediately removing power to the machine actuators (e.g., directly cutting
off the power supply).

Stop Category 1
Stop category 1 is a controlled stop that is achieved by sending a stop command from the control circuit to stop (e.g., brake) the
machine actuators and then removing power to the actuators (e.g., cutting off control circuit power) after the stop is achieved.

Stop Category 2
Stop category 2 stops machine actuators without cutting off the power.
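The three stop categories differ in the order of two actions: the controlled stop command and the removal of actuator power. The following Python simulation is an added example written for this page, not code from the Omron guide. The actuator model (a motor that loses speed slowly when coasting without power and quickly under a controlled braking command), its deceleration values, the tick-based timing and the time-out fall-back for a category 1 stop that fails to reach standstill are constructed assumptions, not requirements of IEC 60204-1.

```python
"""Simulation of the three IEC 60204-1 stop categories.

Added example, not code from the Omron guide. The actuator model, the numeric
deceleration values and the time-out fall-back for a category 1 stop are
constructed assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Actuator:
    """Toy model of one machine actuator, advanced in discrete time ticks."""
    speed: float                      # current speed, arbitrary units
    powered: bool = True              # actuator power present
    braking: bool = False             # controlled stop command active
    coast_decel: float = 1.0          # speed lost per tick when coasting (constructed)
    brake_decel: float = 4.0          # speed lost per tick under controlled braking (constructed)
    trace: list = field(default_factory=list)

    def tick(self) -> None:
        """Advance one time step. In this model controlled braking needs power;
        without power the actuator only coasts."""
        decel = self.brake_decel if (self.powered and self.braking) else self.coast_decel
        self.speed = max(0.0, self.speed - decel)


def stop(actuator: Actuator, category: int, fallback_ticks: Optional[int] = None,
         max_ticks: int = 100) -> dict:
    """Execute a stop request of the given category and return a summary.

    Category 0: remove actuator power immediately (uncontrolled stop).
    Category 1: controlled stop command, then remove power once stopped.
    Category 2: controlled stop, power remains available.
    fallback_ticks (category 1 only): if standstill is not reached within this
    many ticks, remove power anyway. This supervision is an added design choice
    of the example, not something IEC 60204-1 requires.
    """
    if category not in (0, 1, 2):
        raise ValueError("IEC 60204-1 defines stop categories 0, 1 and 2 only")
    log = actuator.trace
    fallback_used = False
    if category == 0:
        actuator.powered = False
        log.append("t=0 power removed from actuator")
    else:
        actuator.braking = True
        log.append("t=0 controlled stop command issued")
    ticks = 0
    while actuator.speed > 0 and ticks < max_ticks:
        if (category == 1 and fallback_ticks is not None
                and ticks >= fallback_ticks and actuator.powered):
            # Controlled stop did not achieve standstill in time: fall back to
            # removing power so the stop does not depend on the control circuit alone.
            actuator.powered = False
            fallback_used = True
            log.append(f"t={ticks} standstill not reached in time, power removed")
        actuator.tick()
        ticks += 1
    if actuator.speed > 0:
        raise RuntimeError("actuator did not stop within max_ticks")
    log.append(f"t={ticks} actuator at standstill")
    if category == 1 and actuator.powered:
        actuator.powered = False
        log.append(f"t={ticks} power removed after standstill")
    return {"category": category, "ticks_to_stop": ticks,
            "power_on_at_end": actuator.powered,
            "controlled": category != 0, "fallback_used": fallback_used}


if __name__ == "__main__":
    for cat in (0, 1, 2):
        a = Actuator(speed=10.0)
        summary = stop(a, cat)
        print(f"Stop category {cat}: {summary}")
        for line in a.trace:
            print("   ", line)
    # Degraded brake (constructed): the category 1 stop times out and falls back.
    a = Actuator(speed=10.0, brake_decel=1.0)
    print("Category 1 with degraded brake:", stop(a, 1, fallback_ticks=5))
```

Running the block shows why category 1 is the slower-to-de-energize but controlled option: power stays on until standstill, so the stop depends on the control circuit working. The degraded-brake run illustrates the point the guide makes about selecting the stop scheme from the risk reduction measures: if the controlled stop cannot be trusted to complete, the design has to remove power independently of it.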

3. Safety Requirements
(1) System of Standards for Safety of Machinery

The International Electrotechnical Commission (IEC) prepares international standards for all electrical,
electronic and related technologies, and the International Organization for Standardization (ISO)
prepares international standards for all technologies other than electrical and electronic technologies
(machinery and management). European countries often take the initiative in proposing the standards
and establishing them as ISO/IEC international standards. The standards referred to here relate to
safety aspects, and they are classified into the three tiers of A, B and C standards shown below, so as to
cover a wide variety of machinery as well as to fulfil specific purposes.

ISO/IEC Guide 51

ISO: Machinery | IEC: Electrical Technologies

Basic Safety Standards (A Standards)
Basic concepts, principles and standards including the requirements related to the general safety
aspects that can be applied to a wide range of products, processes and services.
• Safety of machinery - General principles for design - Risk assessment and risk reduction (ISO 12100)

Group Safety Standards (B Standards)
Safety-related standards that can be applied across a wide range of machinery, and are roughly divided into two types:
B-1 standards: standards on safeguards.
B-2 standards: standards on particular safety aspects.
ISO:
• Safety of machinery - Interlocking devices (ISO 14119)
• Safety of machinery - Guards (ISO 14120)
• Safety of machinery - Safety-related parts of control systems (ISO 13849-1, ISO 13849-2)
• Safety of machinery - Emergency stop (ISO 13850)
• Positioning of protective equipment in respect of approach speeds of parts of the human body (ISO 13855)
• Safety of machinery - Prevention of unexpected start-up (ISO 14118)
• Safety of machinery - Two-hand control devices (ISO 13851)
• Safety of machinery - Pressure-sensitive protective devices (ISO 13856)
• Safety of machinery - Permanent means of access to machinery (ISO 14122)
• Safety distances to prevent danger zones being reached by upper and lower limbs (ISO 13857)
• Minimum gaps to avoid crushing of parts of the human body (ISO 13854)
IEC:
• Safety of machinery - Electrical equipment of machines (IEC 60204)
• Safety of machinery - Electrosensitive protective equipment (IEC 61496)
• Low-voltage switchgear and controlgear (IEC 60947)
• Electro-magnetic compatibility - testing and measurement techniques (IEC 61000-4)
• Safety Transformers (IEC 60742)
• Electrical apparatus for explosive gas atmospheres (IEC 60079)
• Indication, marking and actuation (IEC 61310)
• Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061)
• Application of protective equipment to detect the presence of persons (IEC/TS 62046)

Individual Product Standards (C Standards)
Standards dealing with detailed safety requirements for a particular machine or group of machines.
Examples: Machine tools, Industrial robots, Forming machinery, Automatic guided vehicles, Transport machines,
Printing presses, Industrial sewing machines, Semiconductor manufacturing equipment

Accelerated international harmonisation of safety standards

The national standards that each country created in its own way are now being harmonised with the
ISO/IEC international standards through the WTO Standards Alliance.
WTO members are required to adopt this policy in their national safety regulations. With
technological advancement, the international standards are actively updated each year with new proposals and
amendments, and the move to integrated standards is now under way throughout the world.

Figure: IEC/ISO Standards at the center, linked to the national and regional standards: United States (ANSI), Europe (EN),
China (GB), Korea (KS), Japan (JIS), Australia (AS). Each country is affected by the standards; each country affects the standards.
International Standards and Design of Machines and Devices

Figure: Responding to Machine and Device Design Standards Today. International standards (ISO/IEC) alongside regional and
national standards (EN, ANSI, JIS).

(1) The newest information on international standards and industry standards must be collected, and the contents of
new and revised standards must be understood.
(2) The differences between EN, UL, JIS, and other standards must be understood.
(3) Global designs must be created that take these differences into account.

Chapter 2

Risk Assessment and Risk Reduction

1. Risk Assessment.................................................................................14
Risk Assessment........................................................................................................................... 14
Classifications and Examples....................................................................................................... 15

2. Risk Reduction Measures...................................................................16
(1) Step 1: What is Inherently Safe Design? .............................................................................. 17
(2) Step 2: What are Safeguarding and complementary protective measures?......................... 17
(3) Step 3: What is Information for use?..................................................................................... 18

3. Achievement of Safeguarding Depending on Controlling...............19
(1) What are Safety-related Parts of Control Systems?.............................................................. 19
1. Risk Assessment
To operate machines safely, risk must be reduced by analyzing and assessing machine hazards. ISO standards define the procedure to
achieve risk reduction.
The hazards and risk levels present at the machine are different for each phase of the machine lifecycle (construction, modification,
transportation and disassembling, decommissioning, etc.). Machines must be designed and produced so that they operate safely in every
phase of their lifecycle.
The risk assessment can be performed logically by applying ISO 12100:2010 as a design procedure, and the subsequent risk reduction
measures can then be correctly selected.
This chapter discusses how to assess the risk according to ISO 12100:2010 and then reduce the identified risks.

Risk Assessment

The risk assessment identifies machine hazards and specifies the measures to prevent the resulting accidents.
The safety of machines can be determined in 5 steps.
Documentation of the risk assessment process must be kept.

Figure (flowchart): Start → Step 1 Determination of the limits of machinery → Step 2 Hazard identification → Step 3 Risk estimation →
Step 4 Risk evaluation → "Risk correctly reduced?" NO: Step 5 Risk reduction, then back to Step 1; YES: Documentation → END.
Steps 1 to 4 form the Risk Assessment; Step 5 is the Risk Reduction.

• Step 1 Determination of the limits of machinery
Defining the limits of machinery requires the following points to be considered when assessing risk.
• Requirements for each phase of the lifecycle
• Defining the intended use and operation and the reasonably foreseeable misuse and malfunction
• Defining the machine's range of use as limited by factors such as the operator's gender, age, dominant hand, and physical
abilities (e.g., impaired eyesight or hearing, size, and strength)
• Expected user training, experience, and competence
• Possibility that people may be exposed to machine hazards
• Possibility that people may be exposed to machine hazards if a foreseeable machine hazard occurs

• Step 2 Hazard Identification
Hazard identification means checking for all the hazardous conditions and hazardous events associated with the machine. This
involves predicting hazards that may be caused by the machine, such as the following:
• Mechanical hazards: Severing, entanglement, crushing, etc.
• Electrical hazards: Contact with live parts, static electricity, etc.
• Thermal hazards: Health disorders due to contact with high temperature parts or working in a high temperature or low
temperature environment (refer to the figures on the next page)
Methods for clarifying hazards include the following:
• Check lists
• Hazard and Operability Study (HAZOP)
• Failure Mode and Effect Analysis (FMEA)
• Fault Tree Analysis (FTA)
• "What-if" method

• Step 3 Risk Estimation
The following set of operations is called "Risk Estimation": after checking for hazardous conditions and hazardous events, the risk
factors are determined and the risks are estimated from the severity of possible harm and the probability of the hazard occurring. During
the risk estimation, risks are estimated as quantitatively as possible for each hazard (including sources appearing unexpectedly as
well as lasting sources).

• Step 4 Risk Evaluation
After estimating the risk, the risks are evaluated to determine whether the level of risk must be reduced.
If the level of risk must be reduced, safety measures as described in Step 5, such as changing the design or providing safeguards, are
taken. Repeat Steps 1 to 5 to perform appropriate risk reduction measures for each risk.

• Step 5 Risk Reduction
Taking the following safety measures against each risk is called "Risk Reduction."
• Eliminate or reduce exposure to the hazard as far as practical.
• Reduce the probability and severity.
• Use safeguards and safety devices.
• Determine that the performance and functional characteristics of the safety measures are suitable for the machine and its use.
In the next section the measures to achieve the above actions are detailed.

Risk Assessment and Risk Reduction

Classifications and Examples


In ISO 12100:2010, Annex B, the following examples are listed as the typical hazards which machines can generally generate.

1) Mechanical Hazards
Crushing, entanglement, stabbing or puncturing, shearing, drawing-in or trapping, friction or abrasion, cutting or severing, high-pressure fluid ejection, etc.

2) Electrical Hazards
Contact by a person with live parts, i.e., parts that normally carry a voltage, or parts that have become live under faulty conditions, especially as a result of an insulation failure, etc.

3) Thermal Hazards
Burns and scalds from flames, explosions, radiation from heat sources, etc.

4) Noise Hazards
Hearing loss, tinnitus, etc.

5) Vibration Hazards
Serious damage to the entire body, particularly to the hands, arms, and lower back.

6) Radiation Hazards
Low frequencies, radio frequencies, ultraviolet, infrared, X-rays, etc.

7) Materials and Substances Hazards
Toxins, irritants, dust, explosions, etc.

8) Hazards generated by the neglect of ergonomic principles in the design of machinery
Unhealthy postures, human error, etc.

9) Hazards associated with the environment in which the machine is used

10) Combination Hazards


2. Risk Reduction Measures


Risk Reduction under ISO 12100:2010

ISO 12100:2010 is a standard into which ISO 12100-1, ISO 12100-2, and ISO 14121 are integrated.
This standard introduces the basic concept of the designing procedures required for designers to design safe machines.
The introduction of ISO 12100-1:2010 states that "The concept of safety of machinery considers the ability of a machine to perform its intended function(s) during its lifecycle where risk has been adequately reduced". The 3-step method, which is an expression of this methodology for making a work environment where risk has been adequately reduced, has been further implemented into the "Risk Reduction Process" illustrated in the following diagram.

ISO 12100:2010 sets out examples of various measures, a sample of which are shown below.

(Diagram: Risk Reduction Process)
Risk Assessment (based on defined limits and intended use of the machine) → Risk

Designer Input: Protective measures taken by the designer
<Step 1> Inherently safe design measures
<Step 2> Safeguarding and complementary protective measures
<Step 3> Information for use
  At the Machine: Warning Signs, Signals; Warning Devices
  In the instruction handbook
→ Residual risk after protective measures taken by the designer

User Input: Protective measures implemented by the user (including those based on the information for use provided by the designer)
  Organization: Safe Working Procedures; Supervision; Permit-to-Work Systems
  Provision and use of additional safeguards
  Use of personal protective equipment
  Training, etc.
→ Residual risk after all protective measures implemented


(1) Step 1: What is Inherently Safe Design? (ISO 12100:2010 6.2)
• Remove hazards and reduce exposure frequency (6.2.1 General)
• Maintain visibility, and avoid dangerous projections and parts (6.2.2.1 Geometric Elements)
• Use alternative materials with few dangers that reduce noise and radiation levels (6.2.2.2 Physical Elements)
• Select appropriate materials (material quality, stresses, corrosiveness, etc.) (6.2.3 General Technical Information on Machine Design)
• Use inherently safe design measures in the below control system (6.2.11)
• Perform automatic surveillance of safety functions implemented under safeguarding measures (6.2.11.6)
• Employ diagnostic system to support fault detection (6.2.11.12)
• Use measures listed below that minimize the failure probability of safety functions (6.2.12)
• Use reliable components (6.2.12.2)
• Use "oriented failure mode" components (6.2.12.3)
• Employ redundant systems for components and sub systems (6.2.12.4)
• Automatically limit exposure to hazards (6.2.14)
• Limit exposure to hazards through location of setting and maintenance points outside hazard zones (6.2.15)

Considerations under the inherently safe design (an example)
• Ability of robots, optimization of specifications (size, number of control axes, movable range)
• Positional relation between an operator and robot (mechanical hazards, thermal hazards)
• Considerations of workability (handling workpieces, repeated operations, manual operations)
• Optimization for air pressure circuits for jigs (behaviors at restart, residual pressure purge mechanism)
• Teaching operability for robots (operating procedure, operating position)
• Safe maintenance (visibility, lockout and tagout of main breaker)

(2) Step 2: What are Safeguarding and complementary protective measures? (ISO 12100:2010 6.3)
1 Safeguarding
• Employ Sensitive Protective Equipment (Safety Light Curtain, Safety Laser Scanner, Safety Mat, etc.) (5.2.5)
• Employ fixed guards (6.3.3.2.2)
• Employ movable guards (interlocking guard) (6.3.3.2.3)

Example 1: Protection with a fixed guard (Isolation principle)
(Figure: welding (assembly) robot; labels: control panel, jig, robot)
Example 2: Protection with a movable guard and interlock circuit (Stoppage principle)
The robot stops when the movable guard is opened.
Example 3: Protection with a safety light curtain and interlock circuit (Stoppage principle)
The robot stops when the light curtain is tripped.
Example 4: Protection with a safety mat and interlock circuit (Stoppage principle)
The robot stops while an operator exists in the safety mat area.


2 Complementary Protective Measures
• Emergency stop function designed to be clearly identified and quickly applied (6.3.5.2)
• Employ an isolation device that can be locked (6.3.5.4)

Example of emergency stop equipment
Pushbutton: Machine tool, packaging machine; paper making, corrugated board, woodworking machine; operation room of a chemical plant or food factory
Rope: When an emergency stop is required anywhere in a work area. Conveyer line, belt conveyer; testing
Pedal: An emergency stop by a specific operator or from a specific work position. Machine tool; woodworking, rubber-molding, plastics-molding machines; presses, etc.

Example of isolation device that can be locked
Main control panel: operating handle for power circuit breaker with a lockout mechanism

(3) Step 3: What is Information for use? (ISO 12100:2010 6.4)
• Supplementary documentation or labels should notify of residual risks, and necessary training, personal protective equipment, and additional protective devices (6.4.1.2)
• Emit an audiovisual warning (6.4.3)
• Display manufacturer, model, and specifications of the machine (6.4.4)
• Supplementary documentation to include storage conditions, mass, dimensions, and installation and disposal methods (6.4.5.1)
(Figures: warning sign (lamp, sound), indicator, alarm, warning label)


3. Achievement of Safeguarding Depending on Controlling


(1) What are Safety-related Parts of Control Systems?

(Diagram: Input → Control Logic → Output)
Input: safety input device (light curtain and/or emergency stop switch and so on, certified with the safety standards) → signal
Control Logic: safety control device (safety controller or safety relay unit certified with the safety standards); labels: PLC, operation approval, processing, safety check, EDM, state monitoring
Output: servo driver or inverter with a stop function certified with the safety standards (power supplying approval, safety drive, STO) driving the servo motor M

The Safety-related Parts of Control System (SRP/CS) implement the function of the safeguarding measures determined in the risk assessment. The Safety-related Parts transfer the operation demands of the safety functions (e.g. guard opening) to the actuator and execute the required operations (e.g. isolating hazardous energy). This transferring path consists of the detection function (I: input device), judging function (L: logical operation device), and power control function (O: output device) and forms a single channel. This is usually called a "Safety circuit." When the safeguarding measures determined by the risk assessment are implemented depending on controlling, the control circuit and all the components used within it are included in the range of safety-related parts.

Note: The following safety measures that do not depend on controlling are not discussed in this manual. Refer to individual safety standards.
• Purely mechanical inherently safe design (e.g. entanglement prevention by narrowing down opening)
• Physical safeguarding, such as fixed guard
• Risk reduction with administrative measures (e.g. lockout and tagout) and others

Chapter 3

Safety Components

The Definition of Safety Components........................................................................................... 22

1. Interlocking movable guards..............................................................23

(1) Basic elements of the safety switch....................................................................................... 23

(2) Guard Interlock Switch.......................................................................................................... 24

2. Emergency Stop Device......................................................................27
(1) Emergency Stop Switch........................................................................................................ 27

3. Safety Sensor.......................................................................................28
(1) Trip Function.......................................................................................................................... 28

(2) Presence Sensing................................................................................................................. 32

4. Safety Controller..................................................................................34
(1) Safety Relay Unit................................................................................................................... 34

(2) Flexible Safety Unit................................................................................................................ 35

(3) Safety Controller.................................................................................................................... 36

(4) Safety Network Controller...................................................................................................... 37

5. Safety-related Operating Switches....................................................38


(1) Mode Selector....................................................................................................................... 38

(2) Two-hand Controller.............................................................................................................. 38

(3) Enabling Switches................................................................................................................. 39

6. Safety Relays.......................................................................................40

7. Drive Devices Equipped with the Safety Function...........................41


The Definition of Safety Components


The need for safety components within safety-related control systems arises when devising basic principles to prevent mechanical accidents and attain safety in machines.

Definitions in the Machinery Directive
Safety components are defined in the broadest sense as shown below according to Article 2 of the Machinery Directive.
(1) Parts provided to ensure safety functions.
(2) Parts distributed independently within markets.
(3) A part that poses a threat to the safety of operators if damaged or functionally imperfect.
(4) A part that is unnecessary for the machine to work or its function can be achieved with a normal component.

Items Specified in the Machinery Directive
The following items are designated safety components in Annex V. Refer to the Machinery Directive for details.
• Protective devices to detect operators
• Power interlock guards related to Annex IV 9, 10, 11
• Logic units that ensure safety functions
• Emergency stop devices
• Two-hand control devices

OMRON's View of Safety Components
OMRON generically defines safety components as parts in the broadest meaning as previously mentioned as well as safety-related parts that are stipulated for use in safety circuits.

The Function of Safety Components
Control systems that affect safety must be designed to minimize the possibility of danger occurring even when there is a failure in an interlocking device. Safety devices are equipped with functions such as a direct opening action for switches and a forcibly guided mechanism for relays, as required by standards. These functions are designed to operate correctly within the control system in which they are used.
The following describes safety components that are commonly used to develop safety functions.

<Safety Components>
(Diagram: Input device → Control device → Output device. The safety input and the emergency stop input enter the safety circuit in the control device, the safety output drives the output device, feedback returns from the output device, and a start/restart switch is connected to the control device.)

<OMRON products>
Input: Detects state to ensure the safety. Safety Limit Switches, Safety Door Switches, Safety Light Curtains, Safety Mat, Safety Laser Scanner, Emergency Stop Switch, Enabling Switch
Logic: Receives signals from an input device and controls whether the machine should be started or not. Safety Relay Units, Safety Controllers, Safety Network Controllers, Safety Control Unit
Output: Receives signals from a safety controller and shuts off power. Safety Relays, Servo Motor/Driver, Compact Inverter


1. Interlocking movable guards


These devices prevent workers from entering hazardous machine areas.
They detect whether fences or doors are opened and, if opened, stop machines before operators are injured.

(1) Basic elements of the safety switch

The safety switch has the following functions and structures and ensures safe operation even when there is a failure.
The functions and structures required for the safety switch are as follows:

Direct Opening Action (IEC 60947-5-1)
This is a mechanism where contacts can be opened through the pressing operation even if a contact is welded.
(Figure: (1) Contact welded: fixed NC contact, movable contact, contact welded. (2) Opening welded contact: movable contact pressed with operational axis. (3) Completed positive opening (5 N, 5 N).)

Structure not easily defeated
"Defeating" means intentionally disabling the safety effects. The safety switch has a structure not easily defeated. For more details, see (2) Guard interlock switch.

Impulse withstand voltage: 2.5 kV
The contacts must withstand the impulse voltage specified by IEC 60947-5-1 after the contacts have been forcibly opened with the positive operating force (POF) and positive overtravel (POT) exceeding the contact welding force, which is equivalent to 10 N.

Formlock Mechanism of Safety Limit Switch
This is a mechanism that can prevent actuators from failing. The actuator for the safety limit switch must not be deformed or displaced by a strong force which may be applied on it when a contact is welded, so that the positive opening works correctly. Therefore the safety limit switch has a direct opening action that consists of inelastic, uneven parts engaged with one another. The following figure shows the example of the mechanism with the axis of rotation and the lever.
(Figure labels: axis of rotation: portion engaging the display panel; operating panel: protruding part for a 90° level setting; operation axis; lever lock groove; portion engaging the axis of rotation)
Note: The lever is secured with uneven parts so that the lever will not fail if a strong force is applied to it. The lever cannot be attached backwards.

Safety Door Switch D4NS, Safety Limit Switch D4N


(2) Guard Interlock Switch
The guard interlock switch detects that a fence and/or door provided for preventing operators from entering hazardous machine areas is opened, and stops the machine before operators are injured. Switches such as safety door switches and safety limit switches are classified as guard interlock switches.

1) Guard Monitoring and Interlocking
Guard monitoring and interlocking switches are one of the most important types of protective devices to prevent dangerous situations by shutting power off from the machine.
When it is decided to protect the machine with protective fences, we must be sure that the only way inside the dangerous area is through the guard. If the guard is opened, a mechanically actuated position detector stops the machine. Every guard in the protective fence must have position detector switches to ensure the safety of personnel. A basic requirement is that if the door is opened, the machine must stop before anyone can reach the hazardous moving parts of the machine.
The most important selection criteria of an interlocking device are:
• the conditions of use and intended use (ISO 12100)
• the hazard present at the machine (ISO 12100)
• the severity of the possible harm
• the probability of failure of the interlocking device
• stopping time and access time considerations
• the frequency of access
• the duration of person's exposure to the hazard
• performance considerations
The position switch shall be actuated in positive mode (for more details, refer to the section "Negative operation and Positive operation"). The break contact of the position switch shall be of the "direct opening action" type (IEC 60947-5-1).
The security of an interlock switch is dependent on its ability to withstand attempts to "cheat" or defeat the mechanism. An interlock switch should be designed so that it cannot be defeated in a simple manner. "Defeating in a simple manner" is an illegal nullification by measures other than the valid mode changing procedure using an operating switch, etc. For example, the following readily available objects can be used as a defeating tool:
• screws, needles, sheet-metal pieces;
• objects in daily use such as keys, coins, tools required for the intended use of the machine

2) Standards for guard interlock switches (ISO 14119)
ISO 14119 "Interlocking devices associated with guards" provides the designing standards for interlocking devices. To design interlocking switches and interlocking circuits, ISO 13849-1 must be conformed to.

3) Requirements for Guard Monitoring
Interlocking guards must ensure that the safety door protects the hazardous area as defined in ISO 12100.
The sensors and the signal processing must comply with all required norms and directives.
• Switches shall be designed to withstand all expected and foreseeable stresses
• Switches shall comply with safety standards; especially, direct opening action and safety door switches shall be completely equipped.
• The principles of redundancy and diversity shall be considered in the mechanical design of switches and signal processing, if necessary.
• Safety-related parts in the associated control circuit must meet at least the required level (PLr) defined in the risk assessment.

4) Requirements for Guard Locking
An interlocking device with a guard locking shall be used when the stopping time is greater than the access time taken by a person to reach the danger zone.
The interlocking device with a guard locking is intended to lock a guard in the closed position and is linked to a control system so that:
• the machine cannot operate until the guard is closed and locked;
• the guard remains locked until the risk has passed.
For applications requiring frequent access, the interlocking device shall be chosen to provide the least possible hindrance to the operation of the guard.
Because the guard might be defeated, requirements of intended use, conditions of use, risk assessment and stopping time and access time must be taken into account. In some cases, to reduce the frequency of guard opening/closing, the machine processes must be reviewed.


5) Interlocking devices

1. Cam operated actuation
When one single safety switch is used it shall be installed to actuate in positive mode to prevent the safety switch from being defeated in a simple manner. A higher level of safety protection against defeat can be achieved, e.g., by enclosing the cam and safety switch in the same housing.

2. Tongue-actuated operation
The tongue-actuated operation switch requires a dedicated tongue and can prevent easy cheating of the switch.
However, care should be taken because it can be defeated by using a spare tongue.

3. Hinge operated actuation
Hinged door switches have two features. One is that it is difficult to defeat the switch. The other is that it can be used for small size guards thanks to no limitation to tongue radius as opposed to operation key operated switches. Prior confirmation is required for very large wide guard doors because a significant gap may be generated when the opening of the door is detected.
Safety-door Hinge Switch D4NH

4. Actuation by non-contact method
Non-contact door switches require a dedicated actuator for sensor parts and can prevent the switches from being easily defeated. These switches do not utilize the mechanical operating method as opposed to the cam operated and/or tongue-actuated switches. As a result, they are unlikely to suffer from the mounting limitation compared to the other switches because of the easy positioning during installation.
Compact non-contact Door Switch D40Z/D40A


Direct and Non-direct Mechanical Action


(A) Non-direct mechanical action
Safety: In general, never use non-direct mechanical action switches alone in safety applications.
Category: B or 1 (using approved parts)
Operating status, normal operation: contacts closed (guard closed); contacts open (guard open). Negative operation.
Operating status, abnormal operation: a) no reset due to contact welding (guard open); b) no reset due to spring damage (guard open)
Contact opening method: Opened by built-in spring.
Applicable contact: NO contacts
Characteristics, pros: The negative operation is a fail-safe operation that ensures safety in case of cam abrasion, improper cam positioning or unexpected cam removal.
Characteristics, cons: The actuator may move accidentally with unexpected force and close the contacts. The result may be a relatively dangerous situation.

(B) Direct mechanical action
Safety: Direct mechanical action switches are recommended when used alone as the switches offer a higher level of safety than non-direct mechanical action switches.
Category: B, 1, 2, 3, 4
Operating status, normal operation: contacts closed (guard closed); contacts open (guard open). Positive operation.
Operating status, abnormal operation: a) contact not open due to cam abrasion (guard open); b) contact not open due to improper cam position (guard door open)
Contact opening method: Opened directly by externally operating unit like cam or dog.
Applicable contact: NC contacts
Characteristics, pros: The actuator forcibly opens contacts if a contact welds or a spring is broken.
Characteristics, cons: There is a danger that contacts may close due to cam abrasion, improper cam positioning or unexpected cam removal.

(C) Combined action
Safety: Switches in combined operation offer an even higher level of safety than direct mechanical action switches alone.
Category: B, 1, 2, 3, 4
Operating status, normal operation: contacts closed (guard closed); contacts open (guard open). S1 in negative operation and S2 in positive operation.
Contact opening method: Opened by a combined action.
Applicable contact: NO and NC contacts
Characteristics, pros: A combined action eliminates the disadvantages of both modes.
Characteristics, cons: The safety switch circuit may work normally for a while if one of the switches fails to operate.
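The failure cases in the table above, as an added Python model (not Omron's code): each contact function returns whether the contact is closed for a given guard state and fault, and the combined circuit permits "run" only while the negative-mode switch S1 and the positive-mode switch S2 agree. The function names, the Fault enum and the rule that a disagreement between S1 and S2 counts as a detected fault are assumptions of this example.

```python
"""Model of the three switch arrangements in the table above.

Added example, not Omron's own code.  Each contact function returns True
when the contact is CLOSED (the circuit reads 'guard closed / run').  The
faults are the ones the table lists; Fault.NONE is a healthy switch.
"""
from enum import Enum, auto


class Fault(Enum):
    NONE = auto()
    CONTACT_WELDED = auto()     # defeats the spring of a negative-mode switch
    SPRING_BROKEN = auto()      # defeats the spring of a negative-mode switch
    CAM_WORN = auto()           # cam no longer presses the actuator far enough
    CAM_MISPOSITIONED = auto()  # cam mounted so that it misses the actuator
    CAM_REMOVED = auto()        # cam or dog unexpectedly removed


CAM_FAULTS = {Fault.CAM_WORN, Fault.CAM_MISPOSITIONED, Fault.CAM_REMOVED}
SPRING_FAULTS = {Fault.CONTACT_WELDED, Fault.SPRING_BROKEN}


def negative_mode_contact(guard_closed: bool, fault: Fault) -> bool:
    """(A) NO contact, closed by the cam and opened by the built-in spring."""
    if fault in SPRING_FAULTS:
        return True          # 'no reset': the contact cannot open (table rows a/b)
    if fault in CAM_FAULTS:
        return False         # fail-safe: nothing presses the actuator, spring opens it
    return guard_closed


def positive_mode_contact(guard_closed: bool, fault: Fault) -> bool:
    """(B) NC contact with direct opening action, forced open by the cam."""
    if fault in CAM_FAULTS:
        return True          # 'contact not open': nothing forces it open
    # A welded contact or broken spring is overcome by the positive
    # opening force of the actuator, so the contact still follows the guard.
    return guard_closed


def combined_circuit(guard_closed: bool, fault_s1: Fault, fault_s2: Fault) -> dict:
    """(C) S1 in negative mode and S2 in positive mode read together.

    Run is permitted only while both contacts say 'guard closed'; any
    disagreement between the two is treated as a detected fault (assumption).
    """
    s1 = negative_mode_contact(guard_closed, fault_s1)
    s2 = positive_mode_contact(guard_closed, fault_s2)
    return {
        "s1_closed": s1,
        "s2_closed": s2,
        "run_permitted": s1 and s2,
        "fault_detected": s1 != s2,
    }


def dangerous_single_faults() -> dict:
    """For each fault: does arrangement (A) or (B) alone still read 'run' with
    the guard open (a dangerous failure), and does (C) catch it?  The same
    fault is applied to both S1 and S2; each model reacts only to the faults
    that can affect it."""
    report = {}
    for fault in Fault:
        if fault is Fault.NONE:
            continue
        c = combined_circuit(False, fault, fault)
        report[fault.name] = {
            "A_alone_unsafe": negative_mode_contact(False, fault),
            "B_alone_unsafe": positive_mode_contact(False, fault),
            "C_run_permitted": c["run_permitted"],
            "C_fault_detected": c["fault_detected"],
        }
    return report


if __name__ == "__main__":
    for name, row in dangerous_single_faults().items():
        print(f"{name:18s} {row}")
    # The table's 'con' for (C): a single failed switch is only noticed
    # once the guard is actually opened.
    print(combined_circuit(True, Fault.CONTACT_WELDED, Fault.NONE))
    print(combined_circuit(False, Fault.CONTACT_WELDED, Fault.NONE))
```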


2. Emergency Stop Device


This is a switch to interrupt machine operations in the event of an emergency.

(1) Emergency Stop Switch
An emergency stop switch is a switch which stops the machinery in the event of an emergency.

(Classification of safety switches)
Safety Switch
  Detecting door/cover
    Normal type: Door Switch, Limit Switch
    Lock type: Electromagnetic Guard Lock Safety-door Switch
  Stopping the hazard in the event of an emergency: Emergency Stop Switch, Enabling Switch

1) Types
The following are typical types of emergency stop devices:
• A pushbutton switch
• A pull-cord switch

2) Requirements
• Electric contacts must have a direct opening action.
• Emergency stop devices must have a holding function that will mechanically hold in the stop position until the device is manually reset.
• Actuators of an emergency stop device must be colored red and of a mushroom shape. The background immediately behind the actuator must be colored yellow.
• Consideration must be given to the following items when a wire is used as an actuator.
(1) The amount of deflection needed to generate the emergency stop signal
(2) The maximum deflection possible
(3) The minimum clearance between the wire and the nearest machine in the vicinity
(4) The amount of force required for operation
(5) The ease with which an operator can locate the device, by use of a marker flag or other method
(6) The automatic generation of an emergency stop signal in the event that the wire breaks or becomes detached

Emergency Stop Switch A22E


3. Safety Sensor
Safety sensors are used to stop the machinery when detecting an entry or presence of a person during the machine operation.

(Classification of safety sensors)
Safety Sensor: detecting a person
  Trip: Safety Light Curtain
  Presence detection: Safety Mat, Safety Laser Scanner

(1) Trip Function
This function stops the machine when detecting entry of a person.

1) Safety Light Curtain
The Safety Light Curtain detects operators entering the hazard zone by light beams and stops the machine before they are harmed.
Unlike ordinary sensors, safety area sensors use a combination of hardware and software to check constantly for internal faults to ensure safe operation.
The following section describes the faults and malfunctions the safety light curtain detects to ensure safety.
(Figure: emitter and receiver with the monitored fault locations)
Emitter side: emitter element failure; emitter circuit failure; power supply, circuit failure; runaway CPU; disconnected or shorted cord
Receiver side: receiver element failure; receiver circuit (amp.) failure; runaway CPU; extraneous incident light; output drive circuit failure; output failure; disconnected or shorted cord
Also equipped with an external relay monitor function.

F3SJ Series Safety Light Curtain


1. Diagnostic system
The safety standards for safety area sensors are the same essential health and safety requirements stipulated for safety in the Machinery Directive, and European standards like IEC 61496 ensure compliance with those requirements. IEC 61496-1 stipulates exactly how a type 4 sensor will ensure safety for an accumulation of up to three faults. In the safety light curtain, safety was designed in by using dual CPUs that check each other as well as by using redundant signal processing and output circuits. FMEA* was also used to demonstrate safe operation and thus maintain safety.
* FMEA: Failure Mode & Effects Analysis

Circuit Block Diagram
(Figure: emitter and receiver, each with two controllers monitoring each other; in the receiver both controllers drive the outputs, and the outputs are monitored in turn)

2. Effective Aperture Angle
The effective aperture angle is the angle to which area sensors must be rotated to switch the output from ON to OFF. A narrower effective aperture angle is required to minimize the influence of optical reflections.
For type 4: within ±2.5° for rotation following the axis formed by the light beams, and within ±2.5° for lateral rotation, at a distance of 3 m or more between emitter and receiver.

Effective aperture angle by distance
Sensor type   3.0 m   1.5 m   0.75 m   0.5 m
Type 2        5°      10°     19.3°    27.7°
Type 4        2.5°    5°      10°      14.7°


3. Safety Distances
When installing electro-sensitive protective equipment such as a Safety Light Curtain, the minimum distance required to stop the machine before a person who enters the detection zone reaches the machine is stipulated by ISO 13855 and other standards.

• Calculating the minimum distance based on ISO 13855

Minimum distance (S) = Person's approach speed × response time + additional distance due to the sensor's detection capability

A. Vertical approach
[Figure: S is measured from the sensor detection area to the hazardous area along the direction of entry]

Finger or hand detection (d ≤ 40)
• S = (K × T) + 8 (d − 14)
K = 2,000 mm/s (assumed approach speed of a finger or hand)
T = Machine's maximum stop time + Light Curtain response time
d = Light Curtain's minimum detectable object size
Note: If S ≤ 100 mm, S = 100 mm.
If S ≥ 500 mm, recalculate with K = 1,600 mm/s. If the recalculated result is S ≤ 500 mm, S = 500 mm.

Body detection (40 < d ≤ 70)
• S = (K × T) + 850
K = 1,600 mm/s (assumed walking speed of a person)
T = Machine's maximum stop time + Light Curtain response time
C = 850 mm (assuming entry with an outstretched arm)

B. Horizontal approach
[Figure: horizontal detection area installed at height H; S is measured along the direction of entry]
• S = (K × T) + (1,200 − 0.4 H)
K = 1,600 mm/s (assumed walking speed of a person)
T = Machine's maximum stop time + Light Curtain response time
H = Light Curtain installation height
Note 1: H ≥ 15 (d − 50). However, H must not exceed 1,000 mm and must not be below 0 mm.
Note 2: If H exceeds 300 mm (200 mm for non-industrial applications), there is a danger of someone slipping under. This must be considered in the risk assessment.
Note 3: When detecting entry with a Safety Mat: S = (1,600 × T) + 1,200

C. Entry at an angle
[Figure: detection field installed at angle θ to the direction of entry; the cases 30° < θ and 30° > θ are shown]
When the installation angle is more than 30°, the entry is generally considered normal and the vertical approach calculation is applied. When the installation angle is less than 30°, the entry is generally considered horizontal and the horizontal approach calculation is applied.

D. Two-point switching device
[Figure: the detection field is switched between two installation positions, each with its own S]
When the installation position is switched, the minimum distance is calculated according to the resulting conditions.

General formula: S = K × T + C

Detection capability     Range of S             Formula
d ≤ 40 mm                100 mm ≤ S ≤ 500 mm    S = (2,000 mm/s × T) + 8 (d − 14 mm)
d ≤ 40 mm                S > 500 mm             S = (1,600 mm/s × T) + 8 (d − 14 mm)
40 mm < d ≤ 70 mm                               S = (1,600 mm/s × T) + 850 mm
Single beam/Safety mat                          S = (1,600 mm/s × T) + 1,200 mm
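The ISO 13855 rules above, carried through as an added Python example (not code from the guide); the functions take T in seconds and d and H in mm, and implement only the cases, limits and notes stated on this page.

```python
"""ISO 13855 minimum distance S = K x T + C, as set out on this page.

Added illustration, not OMRON's code. Units: T in seconds, d and H in mm,
K in mm/s. Results are rounded to 0.1 mm to avoid float noise.
"""


def vertical_approach(t_s: float, d_mm: float) -> float:
    """S for a detection field perpendicular to the direction of entry.

    t_s: machine maximum stop time + light curtain response time
    d_mm: minimum detectable object size (detection capability)
    """
    if d_mm <= 40:
        # Finger/hand detection: K = 2,000 mm/s, C = 8 (d - 14)
        c = 8 * (d_mm - 14)
        s = 2000 * t_s + c
        if s > 500:
            # Beyond 500 mm the walking speed K = 1,600 mm/s may be used,
            # but the recalculated result is never taken below 500 mm.
            s = max(1600 * t_s + c, 500)
        return round(max(s, 100), 1)      # S is never less than 100 mm
    if d_mm <= 70:
        # Body detection: K = 1,600 mm/s, C = 850 mm (outstretched arm)
        return round(1600 * t_s + 850, 1)
    raise ValueError("d > 70 mm: use single_beam_or_mat() instead")


def horizontal_approach(t_s: float, d_mm: float, h_mm: float) -> float:
    """S for a detection field parallel to the floor at height H."""
    h_min = 15 * (d_mm - 50)                 # Note 1: H >= 15 (d - 50)
    if h_mm < max(h_min, 0) or h_mm > 1000:  # Note 1: 0 mm <= H <= 1,000 mm
        raise ValueError(f"H must be within [{max(h_min, 0)}, 1000] mm")
    return round(1600 * t_s + (1200 - 0.4 * h_mm), 1)


def slip_under_risk(h_mm: float, industrial: bool = True) -> bool:
    """Note 2: above 300 mm (200 mm non-industrial) a person may slip under
    the field; the risk assessment must address it."""
    return h_mm > (300 if industrial else 200)


def single_beam_or_mat(t_s: float) -> float:
    """Single beam or Safety Mat: K = 1,600 mm/s, C = 1,200 mm."""
    return round(1600 * t_s + 1200, 1)


def approach_for_angle(theta_deg: float) -> str:
    """Entry at an angle: more than 30 deg is treated as a vertical approach,
    less as horizontal (how exactly 30 deg is treated is an assumption here)."""
    return "vertical" if theta_deg > 30 else "horizontal"


if __name__ == "__main__":
    # Constructed values: 80 ms stop time + 20 ms curtain response, d = 14 mm
    print(vertical_approach(0.1, 14))          # 200.0
    # Slow machine, 30 mm resolution: first pass gives 728 mm > 500, so K = 1,600
    print(vertical_approach(0.3, 30))          # 608.0
    print(horizontal_approach(0.2, 70, 300))   # 1400.0
```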

4. Muting Function (IEC 61496-1)
The muting function temporarily stops the detection function of the Safety Light Curtain and automatically keeps the output ON regardless of whether the light is incident or tripped.
The muting function can be added to the Safety Light Curtain by connecting it with accessories (F3SJ + Muting Cap).
Conventionally, when objects such as AGVs or transport pallets passed through the detection area, the work process was stopped by the tripping of the Safety Light Curtain each time they passed. With the addition of the muting function, the safety output can be turned OFF only when a person enters the area, while the safety output is automatically maintained when a workpiece passes through. This makes it possible for work to continue without stopping the production line.
However, when muted, the safety detection function is deactivated, which means that it cannot output an OFF signal to the hazard when a person enters the detection area. Therefore various conditions exist for the methods to install and/or control muting sensors.

Partial muting
Only the beams of the Safety Light Curtain in the area where the workpieces pass through are muted.
[Figure: light beams are always effective, regardless of whether or not the workpiece passes through; only the beams in the area where the AGV passes through are defeated, and the safety output is turned OFF only when a person enters the area]

Position detection muting
Workpieces can be set without stopping the robot by ensuring that it is in a safe position through detection with a limit switch or other device.

5. Blanking function
The blanking function is a function to take out zones from the protection field.

Fixed Blanking
Example: Invalidating specific beams that are always tripped by the working table.
When the tripping object is fixed: can be introduced for machines where specific objects such as workpieces always trip the light curtain, by invalidating the specified beams.

Floating Blanking
Example: Invalidating beams by the width of the workpieces when the beams to be invalidated cannot be specified because the workpieces move up and down. If additional beams are tripped, the output will be turned OFF.
When the tripping object moves: can be introduced for machines where specific objects such as workpieces interrupt the light curtain, by invalidating the specified beams.
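A simplified model of how fixed blanking, floating blanking and partial muting change the output decision of a light curtain, added here as an example (not the behaviour of the F3SJ or any specific product); the beam numbering, the `CurtainConfig` fields and the scenarios in `demo()` are constructed assumptions.

```python
"""Output decision of a light curtain with blanking and partial muting.

Added illustration only; a simplified model, not the logic of any OMRON
product. Beams are numbered 0..beams-1; a set holds the tripped beams.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class CurtainConfig:
    beams: int                                          # number of beams (assumed)
    fixed_blanked: Set[int] = field(default_factory=set)  # beams the table always trips
    floating_allowance: int = 0                         # tripped beams tolerated anywhere
    muted_range: Optional[Tuple[int, int]] = None       # (first, last) beams the AGV crosses

    def __post_init__(self):
        # Configuration checks: an index outside the curtain would silently
        # shrink the protective field, so reject it up front.
        if any(b < 0 or b >= self.beams for b in self.fixed_blanked):
            raise ValueError("fixed blanking beam outside the curtain")
        if self.muted_range is not None:
            lo, hi = self.muted_range
            if not (0 <= lo <= hi < self.beams):
                raise ValueError("muted range outside the curtain")


def safety_output_on(cfg: CurtainConfig, tripped: Set[int],
                     muting_active: bool = False) -> bool:
    """True when the safety output stays ON, False when it must turn OFF."""
    unexpected = set(tripped)
    # Fixed blanking: the specified beams are invalidated permanently.
    unexpected -= cfg.fixed_blanked
    # Partial muting: only the beams in the workpiece path are muted, and
    # only while the muting condition holds; all other beams stay effective.
    if muting_active and cfg.muted_range is not None:
        lo, hi = cfg.muted_range
        unexpected -= set(range(lo, hi + 1))
    # Floating blanking: up to the allowance may be tripped anywhere (the
    # workpiece moves up/down); any additional beam turns the output OFF.
    return len(unexpected) <= cfg.floating_allowance


def demo() -> list:
    """Constructed scenarios; returns the output state for each."""
    table = CurtainConfig(beams=16, fixed_blanked={0, 1}, muted_range=(3, 7))
    moving = CurtainConfig(beams=16, floating_allowance=2)
    return [
        safety_output_on(table, {0, 1}),                             # table only: ON
        safety_output_on(table, {0, 1, 2}),                          # extra beam: OFF
        safety_output_on(table, {4, 5, 6}, muting_active=True),      # AGV in muted path: ON
        safety_output_on(table, {4, 5, 6, 12}, muting_active=True),  # person beside AGV: OFF
        safety_output_on(table, {4, 5, 6}),                          # no muting condition: OFF
        safety_output_on(moving, {9, 10}),                           # workpiece, 2 beams: ON
        safety_output_on(moving, {9, 10, 11}),                       # additional beam: OFF
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, True, False, False, True, False]
```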

(2) Presence Sensing
This function detects the presence of a person and stops the machine until the person leaves the hazardous area.

1. Basic Safety Detection Methods
Basic safety is broadly classified into the following categories.
(1) Machines and equipment will not start until it is safe to do so.
(2) Machinery will be stopped whenever a hazardous condition is detected.
In order to maintain a safe environment, measures must be employed on one level to detect operators entering or present in a hazardous area and on another level to eliminate hazardous conditions.

2. Safety Requirements
The safety requirements for presence sensing, such as those shown below, are defined by the standards and guidelines of each country.
•• Guidelines Related to the Comprehensive Safety Standards for Machinery: Ministry of Health, Labor and Welfare
Attached Table 3: Procedure for Safeguarding Against Mechanical Hazards
A device that will detect operators must be installed in a protected area if an operator can pass through an opening and enter that protected area to perform his job.
•• ANSI/RIA R15.06: US robot-related safety standards
Article 10.4.7 Starting and Restarting
When an operator is required to enter a protected area, the operator must be protected from inadvertent starting or restarting of the robot and/or robot system. (Part omitted) If the protected area is clearly marked and the cell cannot start or restart, some means of detecting operators in hidden areas must be provided. The ideal means would be automatic detection. (Remainder omitted.)
•• EN 201: European safety standards for injection molding machines
Article 5.3.1
If an operator can fit between the movable guard and the mold, a device that will detect the presence of the operator must be installed there.

3. Safety Distance
When an operator enters a hazardous area, the machine in the area must come to a complete stop before that operator reaches the hazard of the machine.
Safety distance refers to the minimum calculated distance that the protective device must be installed from the hazard of the machine.

1) Safety Laser Scanner
The sensor detects the presence of an operator in dangerous environments.
• Reflective
Features: Relative freedom in defining protected areas.
[Figure: hazard zone with the protected area defined by the scanner]
• Active Opto-electronic Protective Device responsive to Diffuse Reflection (IEC 61496-3)
As shown in the figure below, the laser scanner emits a beam that is reflected by surrounding objects. It calculates the distance to the object from the time that it takes to receive the reflected light.
[Figure: emitter, reflector, collecting lens and receiver on a rotating shaft driven by a motor; an angular encoder gives the beam direction, a stop watch started at light emission and stopped at reception gives the time T, and the distance to the sensing object is D = (T × V) / 2]
OS32C Safety Laser Scanner

2) Safety Mat
The sensor detects the presence of an operator in dangerous environments.
Detection Methods
• Pressure detection
Features: Excellent environmental resistance
[Figure: hazard zone; safeguarding device: pressure detecting-type protection device]
• Pressure detecting-type protection device (ISO 13856-1)
Two plates inside the Safety Mat make contact when an operator steps on the Mat. A Controller detects the contact and generates an output.
UM/MC3 Safety Mat/Mat Controller

4. Safety Controller
Safety Controllers receive signals from a safety input device, control whether the machine should be started or not, and notify each device of their determination. They can be broadly categorized into the following four types:

(1) Safety Relay Unit
A typical configuration for the operation control of machinery and equipment is shown in Fig. 1. This is a safety-relay-based control device suited to single input/single output applications.

• Non-safety-related Parts
The role of non-safety-related parts is to start and continue the operation of devices upon receiving an operate command signal from an automatic control system.

• Safety-related Parts
The role of safety-related parts is to enable operation only when the safety of the machinery and equipment is confirmed.

• Processing
The processing sends an operate signal to a power control element only when it has determined that both the above-mentioned operate command signal, which is sent from a non-safety-related part, and the safety check signal from a safety-related part, which confirms the safety of the machinery, allow operation.

[Fig. 1: the non-safety-related part (PLC) sends the operate command signal and the safety-related part (safety component: Safety Light Curtains, Safety Switches, etc.) sends the safety check signal; independent processing combines the two and drives the power control element]

• Processing Elements
The processing element cannot be created by simply combining multiple elements. Its circuit must incorporate elements that will minimize risks caused by a failure in machinery or equipment. These circuit configuration elements typically include items (1) to (5) shown below.

[Processing Circuit Configuration Example]
When configuring a processing circuit, it is necessary to consider mainly the following circuit configuration measures for minimizing risks caused by a failure in the system.
(1) The use of proven circuit technology and components
(2) Periodical implementation of functional tests
(3) Redundancy
(4) Single fault detection
(5) Short-circuit protection detection

• Necessity of Safety Relay Units
It is possible to configure a safety-verified circuit by incorporating safety relays with forcibly guided contacts. However, this requires a certain level of technology to configure the circuit and some expense for its certification. As a result, it has become general practice to use standard units that specialized manufacturers have developed by incorporating safety relays. These are provided as a series of Safety Relay Units with proven functional safety.

[Relay with Forcibly Guided Contacts]
It is possible to configure a safety-verified circuit by combining safety relays with circuit elements in consideration of the above circuit configuration measures. However, the following conditions must be satisfied.
(1) A certain level of know-how is required for creating a judging function circuit.
(2) There are expenses involved in obtaining circuit certification.

[Safety Relay Units]
The above problem can be easily solved by using Safety Relay Units because they already have the following.
(1) A safety-verified circuit with built-in safety relays
(2) Circuit certification

G9SA Safety Relay Unit

(2) Flexible Safety Unit
Electronic units are suited to simple relay sequence configurations for single input/single output applications. In addition, the following techniques have been used to handle complicated applications (with multiple inputs and outputs) that are difficult for simple relay sequences.

• Dual CPUs
We pursued safety to the limit to deliver safety and reliability backed by the highest level of safety design and FMEA. Two CPU Units perform mutual checking and diagnostic monitoring of each I/O section, and the safety of operations is further verified by FMEA and process-controlled design and production.
[Figure: Input section → two CPUs (control and monitoring) → Output section, with a control line and a monitoring line. Faults shown: damage to power or circuits, CPU runaway, broken or short-circuited cable, damage to circuit, damage to output, noise]
FMEA: Failure Mode & Effects Analysis
G9SX Flexible Safety Unit

• Effective Functions
1. Logic Connections
For example, when partially stopping each module of a device as well as stopping the entire device are required, they can be achieved by making the AND logic into a function. The logic connection function allows them to be easily achieved and enables flexible response to applications.
•• When the Emergency Stop Switch is pressed, the entire machine will stop.
•• When a door is open, the corresponding part will not activate.
[Figure: (1) Emergency Stop Switch → Basic Unit G9SX-BC; its logic connection feeds Advanced Units G9SX-AD for Segment A, Segment B and Segment C, each also wired to a Safety Door Switch on (2) Main door, (3) Pallet Changer Door and (4) Tool changer door]

(3) Safety Controller
By creating safety programs, the designer can more flexibly handle complex applications. There are, however, some requirements for safety in programming safety circuits.

(1) Preventing User Programming Errors
Safety functions (such as emergency stop buttons and two-hand operating buttons) are provided as verified function blocks to ensure safety at the function block level. Verification and validation are necessary, in addition to confirming the safety of the combination of function blocks, to demonstrate final safety as a machinery control system.

(2) Preventing Unintended Operation from Incorrect Wiring
External wiring faults are detected, including incorrect wiring, ground faults, short circuits, and disconnection. Internal circuit faults are also detected.

(3) Preventing Unintended Settings
Checks are performed to ensure that the parameters input by the user are correctly transferred to and set in the devices before starting is automatically enabled.

(4) Preventing System Access Except by Administrators
Passwords are set for devices to allow only administrators to change parameters, operating modes, or other aspects of operation.

When designing the safety-related parts, such as equipment and devices, with the programmable safety device, the safety validity of the software must also be checked. For more details, see "10. Validation for Programmable Devices" in Chapter 5.

[Connection example: Input device → Safety Controller → Output device; Programming tool connected to the Safety Controller by USB connection]
G9SP Safety Controller

(4) Safety Network Controller
Networking
Creating networks for safety circuits enables applications that require distributed safety devices, as well as expansion of I/O capacity. The following four measures are taken in implementing safety circuit networks.

(1) Checking Communications Data (System Redundancy)
Redundancy is implemented for safety data by sending inverted data together with the safety data and checking response messages sent from destinations to improve safety.

(2) Special Check Code for Safety Data (Safety-CRC)
Check codes called Safety-CRC are attached to the safety data to ensure that any message corruption and/or impersonation is detected.

(3) IDs for Transmitters and Receivers
Mutually monitoring the safety devices' unique ID codes and/or embedding a unique ID code in the transferred data prevents data communications between incorrect devices.

(4) Data Time Management
Reversed or late communications data are monitored by the safety devices attaching time stamps to the data they send and/or by destination nodes detecting the reception time of transferred data.

[Figure: CIP Safety on DeviceNet: Safety Network Controller (Master) connected over DeviceNet to Safety I/O Terminals (Slave). Safety over EtherCAT (FSoE): NJ Series controller with Safety CPU Unit and Safety I/O Units]
NE1A/DST1 Safety Network Controller
NX Series Safety Control Unit
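The four measures above, worked as an added Python example (not CIP Safety, FSoE or any OMRON protocol): a constructed telegram carrying an inverted copy of the safety data, a Safety-CRC computed over the IDs and data, and a receiver that checks IDs, sequence number, time stamp and arrival time; the frame layout, CRC polynomial and reason strings are assumptions.

```python
"""Constructed safety telegram with the four checks described on this page.

Added illustration only; not the CIP Safety or FSoE frame format. The layout,
the CRC-16/CCITT polynomial and the reason strings are assumptions.
Layout: src_id(2) dst_id(2) seq(2) time_ms(4) len(1) data(n) ~data(n) crc(2)
"""
import struct

HEADER = ">HHHI"                      # big-endian: src_id, dst_id, seq, time_ms
HEADER_LEN = struct.calcsize(HEADER)  # 10 bytes


def safety_crc(data: bytes) -> int:
    """CRC-16/CCITT (poly 0x1021, init 0xFFFF) used here as the Safety-CRC.
    It detects corruption and, because the IDs are covered, misdelivery; it
    is not a cryptographic authenticator, so deliberate impersonation on an
    open network needs authentication on top of it."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_telegram(src_id: int, dst_id: int, seq: int, time_ms: int, data: bytes) -> bytes:
    """(1) inverted copy of the safety data, (2) CRC over IDs + data,
    (3) transmitter and receiver IDs, (4) time stamp and sequence number."""
    inverted = bytes(b ^ 0xFF for b in data)
    body = (struct.pack(HEADER, src_id, dst_id, seq, time_ms)
            + bytes([len(data)]) + data + inverted)
    return body + struct.pack(">H", safety_crc(body))


class SafetyReceiver:
    """Destination node. On any failed check it returns (False, reason, None)
    and the consumer must treat the connection as faulted (safe state)."""

    def __init__(self, my_id: int, expected_src: int, watchdog_ms: int):
        self.my_id, self.expected_src, self.watchdog_ms = my_id, expected_src, watchdog_ms
        self.last_seq = None
        self.last_time = None

    def check(self, telegram: bytes, now_ms: int):
        if len(telegram) < HEADER_LEN + 3:
            return False, "length", None
        body, crc_rx = telegram[:-2], struct.unpack(">H", telegram[-2:])[0]
        if safety_crc(body) != crc_rx:                   # (2) corruption
            return False, "crc", None
        src, dst, seq, time_ms = struct.unpack(HEADER, body[:HEADER_LEN])
        n = body[HEADER_LEN]
        if len(body) != HEADER_LEN + 1 + 2 * n:
            return False, "length", None
        data = body[HEADER_LEN + 1:HEADER_LEN + 1 + n]
        inverted = body[HEADER_LEN + 1 + n:]
        if bytes(b ^ 0xFF for b in data) != inverted:    # (1) redundancy mismatch
            return False, "inverted copy", None
        if src != self.expected_src or dst != self.my_id:   # (3) wrong devices
            return False, "id", None
        if self.last_seq is not None and seq <= self.last_seq:   # (4) reversed/replayed
            return False, "sequence", None
        if self.last_time is not None and time_ms < self.last_time:
            return False, "timestamp reversed", None
        if now_ms - time_ms > self.watchdog_ms:          # (4) late data
            return False, "late", None
        self.last_seq, self.last_time = seq, time_ms
        return True, "ok", data


if __name__ == "__main__":
    rx = SafetyReceiver(my_id=0x0B, expected_src=0x0A, watchdog_ms=50)
    t1 = build_telegram(0x0A, 0x0B, 1, 1000, b"\x01\x00")   # constructed frame
    print(rx.check(t1, now_ms=1010))   # (True, 'ok', b'\x01\x00')
    print(rx.check(t1, now_ms=1020))   # (False, 'sequence', None): replayed frame
```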

5. Safety-related Operating Switches
These switches maintain safety areas and/or safe conditions by sending safety signals via controllers through manual operations.

(1) Mode Selector
These switches change the machines from operation mode to maintenance mode during machine maintenance, setup, cleaning and other work to ensure the safety of operators.
In IEC 60204-1 (JIS B9960-1), if the operation mode is explicitly changed and the safety function and/or safety measures are interrupted, a mode change is required. In this case, the safety of operators suitable for the operation mode is ensured by combining with the safety controller.
A22TK Safety Key Selector

(2) Two-hand Controller
One way to prevent operators from approaching hazardous areas too closely when conditions are hazardous is to install two-hand controllers at specified locations. In this case a controller supporting two-hand controllers shall be used.

1) Standards for the two-hand controllers: ISO 13851
The guidelines for designing Two-hand Controllers are given in ISO 13851. The major safety requirements for Controller design are listed there under Functional Aspects and Principles of Design for Two-hand Controllers.
Note: Conduct actual designing in compliance with the detailed stipulations of ISO 13851.

2) Main Characteristics
The characteristics that must be provided are categorized by type into Type I, Type II, and Type III categories. The major characteristics listed here are Type III characteristics used in Category 3 and 4, as determined by risk assessment.
(1) Two hands must be used together to start up the machine.
(2) Two input signals are required to produce an output signal.
(3) The output signal must turn OFF if either or both input signals turn OFF.
(4) The output signal cannot be restarted until both signals are turned OFF.
(5) Both input signals must turn ON within 0.5 s to enable synchronous startup output.
(6) Prevention of accidental actuation and of defeat: Refer to Article 3.

3) Preventing Accidental Actuation and Defeat
1. Prevention of defeat using one hand
The two startup switches must be at least 260 mm (inside dimensions laterally) apart.
Note: A shield must be installed between the two controllers. This does not apply to applications where inadvertent startup prevention is possible.
2. Prevention of defeat using the hand and elbow of the same arm
The two controllers must be at least 550 mm (inside dimensions laterally) apart.
Note: A shield must be installed between the two operation devices. This does not apply to applications where inadvertent startup prevention is possible.
3. Prevention of defeat using the forearm(s) or elbow(s)
Install a cover or enclosure.
4. Prevention of defeat using one hand and any other part of the body
Install the controllers at least 1,100 mm off the floor or from the operating level to prevent operators from defeating the inadvertent startup prevention with one hand and another part of the body (e.g. knees, hips, etc.).
Note: Safety Distance
The safety distance from the startup switches to the hazardous area must be calculated using factors such as hand and arm speed, response time of the startup switches, and maximum time required to eliminate a hazard, according to ISO 13855.
5. Typical Example
Fig. 1 shows a typical example of a Two-hand Controller according to Articles 2) and 3).

G9SA-TH Two-hand Controller
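Characteristics (2) to (5) above, modelled as an added Python state machine (not the G9SA-TH's logic); the scan-based `update()` interface and the handling of an actuation that misses the 0.5 s window (no output until both inputs are released) are assumptions.

```python
"""Two-hand control logic model: characteristics (2) to (5) of this page.

Added illustration only, not the logic of the G9SA-TH. The two inputs are
sampled by update(a, b, t) each scan; t is the scan time in seconds.
"""


class TwoHandControl:
    SYNC_WINDOW_S = 0.5      # (5) both inputs must turn ON within 0.5 s

    def __init__(self):
        self.output = False
        self.first_on = None         # time at which the first input turned ON
        self.release_needed = False  # (4) both inputs must go OFF before a restart

    def update(self, a: bool, b: bool, t: float) -> bool:
        """Return the output state after this scan."""
        if not a and not b:
            # Both released: a new start attempt is allowed again.
            self.output = False
            self.first_on = None
            self.release_needed = False
            return False
        if a != b:
            # Exactly one input ON.
            if self.output:
                # (3) either input OFF -> output OFF; (4) restart needs both OFF
                self.output = False
                self.release_needed = True
            elif self.first_on is None and not self.release_needed:
                self.first_on = t    # start of the synchronous-actuation window
            return False
        # Both inputs ON: (2) two input signals are required for an output.
        if self.output:
            return True
        if self.release_needed:
            return False
        if self.first_on is None:
            self.first_on = t        # both turned ON in the same scan
        if t - self.first_on <= self.SYNC_WINDOW_S:
            self.output = True
        else:
            # Asynchronous actuation: no output; the operator must release
            # both and try again (assumed handling, not stated on this page).
            self.release_needed = True
        return self.output


if __name__ == "__main__":
    th = TwoHandControl()
    print(th.update(True, False, 0.0))   # False: one hand only
    print(th.update(True, True, 0.3))    # True: second hand within 0.5 s
    print(th.update(False, True, 0.4))   # False: one hand released
    print(th.update(True, True, 0.5))    # False: no restart until both released
```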

(3) Enabling Switches
An enabling switch is a safety component used so that various hazards such as inadvertent entanglement can be avoided or reduced when performing non-scheduled maintenance work or other non-scheduled operations in hazardous areas, such as those inside safety fences.
When an operator is using a hand-held console with operation switches to teach a robot, retool, or perform maintenance, unexpected movement of a hazard and/or the operator's inadvertent behavior can result in a hazardous state. In such a situation, it is impossible to predict whether the operator will instinctively release the console or grip it with force.
A normal switch does not turn OFF when excessive force is applied, which may result in an operator accident. With an Enabling Switch, machines or robots can be controlled only when the switch is gripped lightly to the middle position. If the switch is gripped with force past the middle position or if the switch is released, the machine or robot will be shut OFF, disabling operation.
Enabling Switches are normally used built into teaching pendants, grip switches, and other hand-held controls. They can be combined with safety circuits built with Safety Relay Units and other devices to ensure safety.
A4EG Enabling Grip Switch

1) Structure of Enabling Switches
Enabling Switches operate through three positions: OFF - ON - OFF.
They are OFF when not pressed, ON when pressed to the middle position, and then OFF again when pressed past the middle position.
••Three Positions: OFF - ON - OFF

Position     Grip                          Output
Position 1   Not gripped (released)        OFF
Position 2   Gripped lightly to the middle position   ON
Position 3   Gripped farther, past the middle position   OFF

[Figure: moving contact and terminal contact in each of the three positions; releasing from Position 2 or Position 3 returns the switch to OFF]
6. Safety Relays
Unlike other relays, safety relays have forcibly guided (linked) contacts (EN 50205), which lets a welded state be detected and allows the control circuit to determine whether contacts are welded together.
Note: A welded contact cannot be pulled apart.

1) Main Safety Relay Requirements
The gap between contacts must be at least 0.5 mm during normal operation or when a fault occurs. For more details, see 3).
Contact load switching must conform to AC-15 and DC-13 (IEC 60947-5-1).
The mechanical service life must be at least 10 million operations.

2) Forcibly Guided (Linked) Contact Structure
[Figure: guide, NO contact, NC contact and coil of a relay with forcibly guided contacts]
If at least one normally open contact is welded, when the coil is de-energized all normally closed contacts maintain a gap of at least 0.5 mm.
Even if a normally closed contact is welded, all normally open contacts maintain a gap of at least 0.5 mm in the coil energized mode (in accordance with EN 50205).
Relays in which all the contacts are linked by the forced guide are called Type A and are indicated by the mark.

3) Structural Comparison of General Relays and Relays with Forcibly Guided Contacts
General Relay (G2R structure, coil not energized)
(a) When contact welding occurs: both the NO and NC contacts may close.
(b) When a movable spring is broken: a broken movable spring may cause a short-circuit between electrodes.
Relay with Forcibly Guided Contacts (G7SA structure, coil not energized)
(a) When contact welding occurs in the NO contacts: the NC contacts are held open by the forced guide with a gap of 0.5 mm or more. Likewise, the NO contacts will not close if contact welding occurs in the NC contacts.
(b) When a contact spring is broken (broken NC contacts): the shielded structure protects the other contacts from being affected by the failure.
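The linked-contact rules in 2) above, and the reason the "Necessity of Safety Relay Units" paragraph gives for using forcibly guided contacts, modelled as an added Python example (not code from the guide or the G7SA); the `Relay` class, the series wiring of two relays and the de-energized feedback check are assumptions.

```python
"""Forcibly guided (linked) contacts vs. a general relay: why welding is
detectable. Added illustration only; a model of the rules in 2) above, not
the G7SA's mechanics. A welded contact cannot open; with forced guidance a
weld on one kind of contact holds the other kind open by 0.5 mm or more.
"""
from dataclasses import dataclass


@dataclass
class Relay:
    forcibly_guided: bool       # True: linked contacts (G7SA type); False: general relay
    energized: bool = False
    no_welded: bool = False     # a normally open contact has welded closed
    nc_welded: bool = False     # a normally closed contact has welded closed

    def no_closed(self) -> bool:
        """State of the normally open (load) contact."""
        if self.no_welded:
            return True
        if self.nc_welded and self.forcibly_guided:
            return False    # welded NC contact keeps the NO contacts open >= 0.5 mm
        return self.energized

    def nc_closed(self) -> bool:
        """State of the normally closed (feedback/monitor) contact."""
        if self.nc_welded:
            return True
        if self.no_welded and self.forcibly_guided:
            return False    # welded NO contact keeps the NC contacts open >= 0.5 mm
        return not self.energized   # a general relay's NC contact ignores a NO weld


def start_permitted(relays) -> bool:
    """Feedback check before start: with every coil de-energized, every NC
    monitor contact must read closed. An open NC contact means a NO contact
    is welded, so the load could be driven although the command is OFF."""
    return all(not r.energized and r.nc_closed() for r in relays)


def load_powered(relays) -> bool:
    """Assumed wiring: the NO contacts of the relays are in series, so the
    load is cut off as soon as any one of them is open."""
    return all(r.no_closed() for r in relays)


if __name__ == "__main__":
    print(start_permitted([Relay(True, no_welded=True), Relay(True)]))    # False: weld detected
    print(start_permitted([Relay(False, no_welded=True), Relay(False)]))  # True: weld not detected
```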

7. Drive Devices Equipped with the Safety Function
The safety functions for drive devices are defined in IEC 61800-5-2. The following figure shows the range of the safety-related parts (PDS(SR)) of the electric-power drive systems.
[Block diagram for PDS(SR): the control system (with diagnostic function) comprises the external communication and I/O interface, signal and control, modulation and protection, and torque/speed/position control; the power supply feeds the power part, which drives the motor, and a sensor feeds back to the control system]
OMRON products implementing the STO function: G5 Series AC Servo Motor/Servo Drives, MX2 Series V1 Type Multi-function Compact Inverter

The STO (Safe Torque Off) function, which is a typical safety function, is explained here.
As shown in the following figure, STO cuts off, from the motor, the power that generates the turning force (thrust) of the motor.
With STO, additional measures such as mechanical brakes may be required because the stop state is not controlled. In addition, when a driver/motor must be accessed for maintenance or other work, disconnection from the power source using devices such as a breaker and contactor is required because STO does not have an electric-shock prevention function.
[Figure: Drive system: the CPU drives the power module, which powers the motor; the safety signal goes to the safety circuit, whose STO function acts on the power module; the motor returns a feedback signal]

Chapter 4
Safety Circuit Examples

1. Index .......................................................................... 44
2. Precautions .................................................................... 45
3. Conditions for PL Evaluation ................................................... 46
4. Reliability Data for Safety of Machinery for OMRON Products .................... 46
Connection Example 1: Emergency Stop Switch ....................................... 48
Connection Example 2: Emergency Stop Switch x 2 ................................... 50
Connection Example 3: Emergency Stop Switch x 2 ................................... 52
Connection Example 4: Safety Limit Switch x 2 ..................................... 54
Connection Example 5: Logical Connection of Emergency Stop Switch and Door Switch . 56
Connection Example 6: Safety Light Curtain (stand alone) .......................... 58
Connection Example 7: Mode Switching, STO ......................................... 60
Connection Example 8: Removing Energy Supply with Emergency Stop Switch after Deceleration Stop ... 62
Connection Example 9: Guard Lock Safety-door Switch ............................... 64

1. Index

Index No.  Safety functions                                  Models used                                  Page
1          Emergency Stop Switches                           A22E-M-02, G9SA-301                          48
2          Emergency Stop Switch x2                          A22E-M-02, G9SA-301                          50
3          Emergency Stop Switch x2                          A22E-M-02, G9SX-AD322-T15                    52
4          Safety Limit Switch x2                            D4N-□□20, G9SA-301                           54
5          Emergency Stop Switches (complete stop)           A22E-M-02, G9SX-BC202, G9SX-AD322-T15        56
           Guard Lock Safety-door Switches,                  D4NL-□□□A, D4N-□□20, G9SX-AD322-T15
           Safety Limit Switches (partial stop)
6          Safety Light Curtains (stand alone)               MS4800A-30-□                                 58
7          Emergency Stop Switches                           A22E-M-02, G9SP-N20S, R88D-KT                60
           Safety Limit Switches                             D4N-□□20, G9SP-N20S, R88D-KT
           Enabling Switches                                 A4EG-C000041, G9SP-N20S, R88D-KT
           Mode Selectors                                    A22TK-2□□-11, G9SP-N20S
8          Emergency Stop Switches                           A22E-M-02, NX Series, R88D-KT                62
           (stops by STO after slowing down)
9          Guard Lock Safety-door Switches                   D4SL-N2VFA, NX Series                        64

2. Precautions
1. Circuit Configurations for Safety-related Applications
A variety of connection examples for interlocking devices are presented here, divided into categories and PL combinations. These examples are only intended to show one type of configuration for securing the safety of control systems for machinery.
In actual circuit configurations, it is necessary to use protective grounding, wiring protection, and other methods to prevent problems like open circuits and short circuits. With respect to specific measures, it is recommended that you comply with the standards in the following table, and any related standards, when designing and implementing circuit configurations, while also receiving confirmation from a third-party verification organization for the safety of the overall system.

Standards Number   Title
ISO 12100          General principles for design -- Risk assessment and risk reduction
IEC 60204-1        Electrical equipment of machines -- Part 1: General requirements
ISO 13849-1        Safety-related parts of control systems -- Part 1: General principles for design
ISO 13849-2        Safety-related parts of control systems -- Part 2: Validation
Note: In some situations, it is also necessary to refer to other standards.

2. Determining PLr
PLr, which is a performance indicator of safety measures, is determined as a result of a risk assessment. To determine the actual PLr of safety-related parts, it is necessary to determine the PLr that is applicable to the entire machine by evaluating the machine specifications and the machine's equipment, usage, and operating environment for the duration of its service life.

3. About 2-channel Input
Applications in which the open/closed status of a guard is confirmed by the contact signals of position detection equipment such as Safety Door Switches need to be considered.
It is possible to provide 2-channel input of the open/closed confirmation signal to the Controller by using two contacts inside a single position detection unit. However, when this is done, an incorrectly inserted tongue or a certain degree of impact may damage the head of the position detection equipment, resulting in a common cause failure of both output signals. The method for selecting 2-channel input depends largely on the risk assessment results for the entire system, but it is recommended that two position detection units with a reciprocal mode be used for a single door to ensure correct confirmation of the open/closed status of guards. Parts selection as well as category selection are important, as ISO/TR 23849:2010, 7.2.2.5 describes that achieving PLe using two contacts inside a single position detection unit is in general impossible. For more details, see ISO/TR 23849, ISO 14119, each C standard, and others.

4. The Role of Safety Components
Safety-related control systems must minimize the possibility of danger occurring even when there is a failure in the interlocking device. As stipulated by standards, OMRON safety components are equipped with functions such as direct opening action for switches and forced guide contact mechanisms. These functions are designed to operate effectively within the control system in which they are contained.

5. How to use Safety Components
Refer to the precautions listed in this catalog and manual for the use of safety components.
In particular, you must use clamps, couplings, etc., to secure doors fitted with a guard lock safety-door switch. When a switch is used as a direct guard lock, errors in the guard lock safety-door switch functions can occur due to the weight of the guard itself, vibration from machinery, or impacts during erroneous door opening/closing in holding status.

6. Detecting Trip and Presence
The basic feature of the Safety Light Curtain is to detect the tripping of a person's finger, hand, or body. When it is necessary to have a presence-detecting function in a hazardous area in response to the overall system risk assessment, e.g., due to frequent entry into the hazardous area, it is recommended that the Safety Light Curtain be used together with a Safety Mat, Safety Laser Scanner, or similar device. Refer to Chapter 3-3 "(2) Presence Sensing" for information on presence sensing.

7. Reset Methods
These connection examples use manual resetting.
In order to use an auto reset method, the dimensions from the opening to the hazard must be such that they will not allow a person to reach the hazard. For information on the connection for a system using an auto reset method, refer to the connection circuit examples in the relevant product catalog. Refer to ISO 12100:2010 6.3.2.5.3 to use auto reset and/or auto restart methods.

8. Contactors
It is recommended that the auxiliary NC contacts used as monitors for main contact welding be equipped with a function to prevent the same failure.
Note: As of Jan., 2014. These cautions are subject to change if required due to various reasons such as improvements of the specifications of products or accessories described in this manual.

3. Conditions for PL Evaluation


Technical Guide

In the circuit diagram examples described in this manual, PL is assessed for the following requirements using the following models. However, the models and the PL assessment results are only an example. For production circuits you must assess PLs independently, based on the actual requirements.

Operating time is assumed to be 12 hours per day for 220 days per year.

Input devices
Device (safety component) | Assumed usage and frequency of operation demands | Number of operation demands per year (Nop)
Emergency stop switch | Operation for inspection at shift start time (approx. twice per day) | 500
Safety limit switch (when used for guard interlocking) | Slightly frequent taking out of workpieces (approx. 125 times per day) | 27,500
Safety door switch without guard lock function (including non-contact type door switches) | Taking out of workpieces (approx. 100 per day) | 22,000
Guard lock safety-door switch | Maintenance, inspection, cleaning or others (approx. 50 per day) | 11,000
Safety light curtain/multi-beam sensor/single-beam sensor | Slightly frequent taking out of workpieces (approx. 125 per day) | 27,500
Two-hand control device | Slightly frequent taking out of workpieces (approx. 125 per day) | 27,500
Safety laser scanner/safety mat | Maintenance, inspection, cleaning or others (approx. 50 per day) | 11,000
Enabling switch/enabling grip switch | Retool or others (approx. twice per day) | 500

Control devices
Device (safety component) | Assumed usage and frequency of operation demands | Number of operation demands per year (Nop)
Safety relay | Safety functions are performed when the operation demand from the input device is detected. | The total of the operation demands of the related input devices
Safety controller | Safety functions are performed when the operation demand from the input device is detected. | The total of the operation demands of the related input devices

Output devices
Device (safety component) | Assumed usage and frequency of operation demands | Number of operation demands per year (Nop)
Power shut off by servo/inverter (STO)** | Safety functions are performed when the operation demand from the input device is detected. | The total of the operation demands of the related input devices
Power shut off by contactor (stop category 0)** | Safety functions are performed when the operation demand from the input device is detected. | The total of the operation demands of the related input devices
** Assumes that this device has the EDM function.
** Assumes that this device has the mirror contactor.

Reliability data for safety of machinery: use the Reliability Data for Safety of Machinery for each product (see the following). If there is no applicable item, select one from ISO 13849-1:2006 Annex C, Table C1 (refer to "International Standards dealing with MTTFd or B10d for components (quoted from ISO 13849-1:2006 Annex C)").

4. Reliability Data for Safety of Machinery for OMRON Products


OMRON provides reliability data for safety of machinery for each product category by means of the parameter list (PDF file) and SISTEMA
dedicated library to help customers to calculate PL of their devices.
Refer to our web site (www.ia.omron.com).

Connection Example 1: Emergency Stop Switch


••Safety Functions
Safety function 1 (Stopping method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when Emergency Stop Switch S1 is pressed.
• The power to Motor M is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S2 is pressed.
[Circuit diagram: Emergency Stop Switch S1 (contacts S1-1, S1-2) wired to the safety inputs of Safety Relay Unit SB1 (G9SA-301; terminals A1/A2, T11/T12, T21/T22/T23, T31/T32, output terminals 13/14, 23/24, 33/34, 41/42); Reset Switch S2 and the NC contacts of contactors KM1 and KM2 in the feedback loop; SB1's output contacts drive KM1 and KM2, whose main contacts switch the 3-phase supply L1/L2/L3 to Motor M; 24 VDC supply through a fuse.]

••Timing Chart
[Timing chart traces: Emergency stop switch S1; Reset switch S2; K1 and K2 (NC) of G9SA; K1 and K2 (NO) of G9SA; KM1 and KM2 (NC); KM1 and KM2 (NO); Motor M rotation.]
Note 1. Refer to "2. Precautions" in Chapter 4 when actually configuring the circuit.
Note 2. Use manual resetting for the emergency stop circuit. (ISO 13850)

••Model used and machinery safety reliability data
Symbol | Model used | Machinery safety reliability data
S1-1/S1-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S2 | Push Button Switch (from Annex C of ISO 13849-1) | B10d: 100,000
SB1 | Safety Relay Unit G9SA-301 (PLe certified on ISO 13849-1) | Category 4, MTTFd: 100 years, DCavg: 99%
KM1/KM2 | Contactor with nominal load (from Annex C of ISO 13849-1) | B10d: 2,000,000

••Developed logical block diagram
[Electrical block diagram of safety-related parts: S1-1 and S1-2 → SB1 → KM1 and KM2. Developed logical block diagram, safety function 1, sub-system 1 and sub-system 2: channel 1 S1-1 → SB1 → KM1; channel 2 S1-2 → SB1 → KM2.]

••PL of Safety-related Part
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1 | 1 | S1-1, S1-2 (A22E-M-02): faults excluded | - | - | - | - | -
1 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
1 | 2 | SB1 (G9SA-301) | 4 | 100 | 99 | 2.47×10^-8 *2 | e
PFHd and PL for the entire safety-related parts: 4.94×10^-8, PL e

*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The point of CCF shall be at least 65.
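As an added worked example (not code from the Omron guide), the following Python reproduces the arithmetic behind the "PL of Safety-related Parts" tables: MTTFd from B10d and nop (ISO 13849-1 C.4.2, parts-count per channel), the 100-year sub-system cap of footnote *1, conversion to PFHd through Table K.1 (footnote *2), summation over sub-systems, PL from the PFHd bands of ISO 13849-1 Table 3, and the lowest-sub-system-PL limit that the later examples footnote as the SIL claim limit. The lookup TABLE_K1_SUBSET is an assumption of this example: it holds only the two Table K.1 entries this guide quotes (Category 4 / DCavg 99% / 100 years and Category 3 / DCavg 90% / 100 years) and refuses anything else; all function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Footnote *1 of the PL tables: MTTFd of a sub system is capped at 100 years.
MTTFD_CAP_YEARS = 100.0

# ISO 13849-1 Table 3: PL from PFHd (average probability of dangerous failure per hour).
PL_BANDS: List[Tuple[str, float, float]] = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]
PL_ORDER = "abcde"  # ascending; the lowest letter is the worst PL

# Assumption of this example: only the two Table K.1 entries quoted in this guide.
# Key = (Category, DCavg %, MTTFd years) -> PFHd.
TABLE_K1_SUBSET: Dict[Tuple[int, int, int], float] = {
    (4, 99, 100): 2.47e-8,
    (3, 90, 100): 4.29e-8,
}


def nop_per_year(demands_per_day: float, days_per_year: int = 220) -> float:
    """Operation demands per year under the guide's 220-day assumption (125/day -> 27,500)."""
    return demands_per_day * days_per_year


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """Per-component MTTFd in years (ISO 13849-1 C.4.2): MTTFd = B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def channel_mttfd(b10d_values: List[float], nop: float) -> float:
    """Parts-count method for one channel (1/MTTFd = sum of 1/MTTFd_i), then the 100-year cap."""
    inverse_sum = sum(1.0 / mttfd_from_b10d(b, nop) for b in b10d_values)
    return min(1.0 / inverse_sum, MTTFD_CAP_YEARS)


def pl_from_pfhd(pfhd: float) -> str:
    """PL band of ISO 13849-1 Table 3 for a PFHd value."""
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    raise ValueError(f"PFHd {pfhd:.3e} is outside the PL a..e bands")


@dataclass
class SubSystem:
    name: str
    pfhd: float
    pl: str  # PL the sub-system achieves on its own (for certified units, the PL/SIL it is rated for)


def electromechanical_subsystem(name: str, category: int, dc_avg: int,
                                channel_b10d: List[float], nop: float) -> SubSystem:
    """Sub-system built from B10d components (switches, contactors): channel MTTFd, then Table K.1."""
    mttfd_years = channel_mttfd(channel_b10d, nop)
    key = (category, dc_avg, int(round(mttfd_years)))
    if key not in TABLE_K1_SUBSET:
        raise KeyError(f"{key} is not among the Table K.1 entries quoted by the guide")
    pfhd = TABLE_K1_SUBSET[key]
    return SubSystem(name, pfhd, pl_from_pfhd(pfhd))


def combine(subsystems: List[SubSystem]) -> Tuple[float, str]:
    """Series combination: PFHd values add; the achieved PL is the lower of the band for the
    summed PFHd and the lowest sub-system PL (the 'SIL claim limit' footnote in the tables)."""
    total = sum(s.pfhd for s in subsystems)
    band_pl = pl_from_pfhd(total)
    lowest_subsystem_pl = min((s.pl for s in subsystems), key=PL_ORDER.index)
    return total, min(band_pl, lowest_subsystem_pl, key=PL_ORDER.index)


if __name__ == "__main__":
    # Connection Example 1: KM1/KM2 with nop = 500/year, then SB1 (G9SA-301) -> 4.94e-8, PL e
    km = electromechanical_subsystem("KM1/KM2", 4, 99, [2_000_000], nop=500)
    print(combine([km, SubSystem("SB1 (G9SA-301)", 2.47e-8, "e")]))
    # Connection Example 7, safety function 1: the sum sits in band e, but the servo
    # driver sub-system is PL d (SIL2), so the whole function is limited to PL d.
    print(combine([SubSystem("G9SP-N20S", 1.10e-10, "e"), SubSystem("R88D-KT", 2.80e-8, "d")]))
```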

Connection Example 2: Emergency Stop Switch x 2


••Safety Functions
Safety function 1 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when Emergency Stop Switch S1 is pressed.
• The power to Motor M is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S3 is pressed.
Safety function 2 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when Emergency Stop Switch S2 is pressed.
• The power to Motor M is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S3 is pressed.

[Circuit diagram: Emergency Stop Switches S1 (S1-1, S1-2) and S2 (S2-1, S2-2) wired to the safety inputs of Safety Relay Unit SB1 (G9SA-301; terminals A1/A2, T11/T12, T21/T22/T23, T31/T32, output terminals 13/14, 23/24, 33/34, 41/42); Reset Switch S3 and the NC contacts of contactors KM1 and KM2 in the feedback loop; SB1's output contacts drive KM1 and KM2, whose main contacts switch the 3-phase supply L1/L2/L3 to Motor M; 24 VDC supply through a fuse.]

••Timing Chart
[Timing chart traces: Emergency stop switch S1; Emergency stop switch S2; Reset switch S3; K1 and K2 (NC) of G9SA; K1 and K2 (NO) of G9SA; KM1 and KM2 (NC); KM1 and KM2 (NO); Motor M rotation.]
Note 1. Refer to "2. Precautions" in Chapter 4 when actually configuring the circuit.
Note 2. Use manual resetting for the emergency stop circuit. (ISO 13850)

••Model used and machinery safety reliability data
Symbol | Model used | Machinery safety reliability data
S1-1/S1-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S2-1/S2-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S3 | Push Button Switch (from Annex C of ISO 13849-1) | B10d: 100,000
SB1 | Safety Relay Unit G9SA-301 (PLe certified on ISO 13849-1) | Category 4, MTTFd: 100 years, DCavg: 99%
KM1/KM2 | Contactor with nominal load (from Annex C of ISO 13849-1) | B10d: 2,000,000

••Developed block diagram
[Electrical block diagram of safety-related parts: S1-1 and S2-1 → SB1 → KM1; S1-2 and S2-2 → SB1 → KM2. Developed logical block diagrams: safety function 1, sub system 1 and sub system 2: S1-1 → SB1 → KM1, S1-2 → SB1 → KM2; safety function 2, sub system 1 and sub system 2: S2-1 → SB1 → KM1, S2-2 → SB1 → KM2.]

••PL of safety-related parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1 | 1 | S1-1, S1-2 (A22E-M-02): faults excluded | - | - | - | - | -
1 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 11,000/year | 3 | 100 | 90 | 4.29×10^-8 *2 | e
1 | 2 | SB1 (G9SA-301) | 4 | 100 | 99 | 2.47×10^-8 *2 | e
PFHd and PL for the entire safety-related parts (safety function 1): 4.94×10^-8, PL e
2 | 1 | S2-1, S2-2 (A22E-M-02): faults excluded | - | - | - | - | -
2 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 1,000/year | 3 | 100 | 90 | 4.29×10^-8 *2 | e
2 | 2 | SB1 (G9SA-301) | 4 | 100 | 99 | 2.47×10^-8 *2 | e
PFHd and PL for the entire safety-related parts (safety function 2): 4.94×10^-8, PL e
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The point of CCF shall be at least 65.

Connection Example 3: Emergency Stop Switch x 2


••Safety function
Safety function 1 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when Emergency Stop Switch S1 is pressed, regardless of operation mode.
• The power to Motor M is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S3 is pressed.
Safety function 2 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when Emergency Stop Switch S2 is pressed.
• The power to Motor M is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S3 is pressed.


[Circuit diagram: Emergency Stop Switches S1 (S1-1, S1-2) and S2 (S2-1, S2-2) on safety input 1 (T11, T12) and safety input 2 (T21, T22) of Flexible Safety Unit SB1 (G9SX-AD322-T15); Reset Switch S3 with the KM1/KM2 feedback on the reset/feedback input (T31, T32, T33); cross fault detection input Y1; logical AND input (T41, T42) shown open; internal power supply circuit at A1/A2 (24 VDC); safety output control S14, S24, S34, S44, S54, auxiliary output control L1 and expansion unit output control X1, X2; safety outputs S14 and S24 drive contactors KM1 and KM2, whose main contacts switch L1/L2/L3 to Motor M.]

••Timing Chart
[Timing chart traces: Emergency stop switch S1; Emergency stop switch S2; Reset switch S3; G9SX S14 and S24 output; KM1 and KM2 (NC); KM1 and KM2 (NO); Motor M rotation.]
Note 1. Refer to "2. Precautions" in Chapter 4 when actually configuring the circuit.
Note 2. Use manual resetting for the emergency stop circuit.

••Model used and machinery safety reliability data
Symbol | Model used | Machinery safety reliability data
S1-1/S1-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S2-1/S2-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S3 | Push Button Switch (from Annex C of ISO 13849-1) | B10d: 100,000
SB1 | Flexible Safety Unit G9SX-AD322-T15 (IEC 61508 SIL3 certified) | PFHd: 5.70×10^-9
KM1/KM2 | Contactor with nominal load (from Annex C of ISO 13849-1) | B10d: 2,000,000

••Developed block diagram
[Electrical block diagram of safety-related parts: S1-1 and S2-1 → SB1 → KM1; S1-2 and S2-2 → SB1 → KM2. Developed logical block diagrams: safety function 1, sub system 1 and sub system 2: S1-1 → SB1 → KM1, S1-2 → SB1 → KM2; safety function 2, sub system 1 and sub system 2: S2-1 → SB1 → KM1, S2-2 → SB1 → KM2.]

••PL of Safety-related Parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1 | 1 | S1-1, S1-2 (A22E-M-02): faults excluded | - | - | - | - | -
1 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 1,000/year | 3 | 100 | 90 | 4.29×10^-8 *2 | e
1 | 2 | SB1 (G9SX-AD322-T15) | 4 | - | - | 5.70×10^-9 | e (SIL3)
PFHd and PL for the entire safety-related parts (safety function 1): 4.86×10^-8, PL e
2 | 1 | S2-1, S2-2 (A22E-M-02): faults excluded | - | - | - | - | -
2 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 1,000/year | 3 | 100 | 90 | 4.29×10^-8 *2 | e
2 | 2 | SB1 (G9SX-AD322-T15) | 4 | - | - | 5.70×10^-9 | e (SIL3)
PFHd and PL for the entire safety-related parts (safety function 2): 4.86×10^-8, PL e
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The point of CCF shall be at least 65.

Connection example 4: Safety Limit Switch x 2


••Safety functions
Safety function 1 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when Limit Switches S1 and S2 detect the opening of the Guard.
• The power to Motor M is kept removed until Reset Switch S3 is pressed.
[Circuit diagram: Safety Limit Switch S1 (NC contact) and General Limit Switch S2 (NO contact), both actuated by the Guard (shown OPEN), wired to the safety inputs of Safety Relay Unit SB1 (G9SA-301; terminals A1/A2, T11/T12, T21/T22/T23, T31/T32, output terminals 13/14, 23/24, 33/34, 41/42); Reset Switch S3 and the NC contacts of contactors KM1 and KM2 in the feedback loop; SB1's output contacts drive KM1 and KM2, whose main contacts switch the 3-phase supply L1/L2/L3 to Motor M; 24 VDC supply through a fuse.]

••Timing Chart
[Timing chart traces: Safety limit switch S1 (NC contact); Safety limit switch S2 (NO contact); Reset switch S3; K1 and K2 (NC) of G9SA; K1 and K2 (NO) of G9SA; KM1 and KM2 (NC); KM1 and KM2 (NO); Motor M rotation.]
Note: Refer to "2. Precautions" in Chapter 4 when actually configuring the circuit.

••Model used and machine safety reliability data
Symbol | Model used | Reliability data for safety of machinery
S1 | Safety Limit Switch: D4N-□□20 (NC contact, direct mechanical action) | B10d: 20,000,000
S2 | General limit switch (NO contact) | B10d: 10,000,000
S3 | Push Button Switch (from Annex C of ISO 13849-1) | B10d: 100,000
SB1 | Safety Relay Unit G9SA-301 (PLe certified on ISO 13849-1) | Category 4, MTTFd: 100 years, DCavg: 99%
KM1/KM2 | Contactor with nominal load (from Annex C of ISO 13849-1) | B10d: 2,000,000

••Developed block diagram
[Electrical block diagram of safety-related parts: S1 → SB1 → KM1; S2 → SB1 → KM2. Developed logical block diagram, safety function 1, sub system 1 and sub system 2: channel 1 S1 → SB1 → KM1; channel 2 S2 → SB1 → KM2.]
Chap. 5
••PL of Safety-related Parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1 | 1 | S1 (D4N-□□20, NC contact, direct mechanical action): B10d = 20,000,000, DC = 99%, nop = 27,500/year; S2 (General limit switch, NO contact): B10d = 10,000,000, DC = 99%, nop = 27,500/year; KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 27,500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
1 | 2 | SB1 (G9SA-301) | 4 | 100 | 99 | 2.47×10^-8 *2 | e
PFHd and PL for the entire safety-related parts: 4.94×10^-8, PL e
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The point of CCF shall be at least 65.

Connection Example 5: Logical Connection of Emergency Stop Switch and Door Switch


••Safety functions
Safety function 1 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motors M1 and M2 when Emergency Stop Switch S1 is pressed.
• The power to the motors is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S2 is pressed.
Safety function 2 (Stop method: Stop category 1; Restart method: Auto)
• S3 and S4 detect the opening of Guard 1 and the circuit removes power to Motor M1 only.
• Power supply to Motor M1 is restored after Guard 1 is closed and locked.
Safety function 3 (Stop method: Stop category 1; Restart method: Auto)
• S7 and S8 detect the opening of Guard 2 and the circuit removes power to Motor M2 only.
• Power supply to Motor M2 is restored after Guard 2 is closed and locked.
••Timing Chart
[Timing chart traces. G9SX-BC202 (SB1): Emergency stop switch S1; Reset switch S2; Logical AND output L1. G9SX-AD322-T15 (SB2, SB3): Logical AND input T41/T42; Limit switch S4/S8; Guard lock safety door switch S3/S7; Solenoid voltage S3; Lock release switch S6/S10; Stop signal 1/2; G9SX SB2 S34; G9SX SB2 S44, S54; G9SX SB3 S34; G9SX SB3 S44, S54; KM1 and KM2 (NC); KM1 and KM2 (NO); KM3 and KM4 (NC); KM3 and KM4 (NO); Motor M1 rotation; Motor M2 rotation. The off delay time is marked on the S44/S54 traces.]
Note: Refer to "2. Precautions" in Chapter 4 when actually configuring the circuit.

[Circuit diagram: Emergency Stop Switch S1 (S1-1, S1-2) on safety inputs 1 and 2 of Flexible Safety Unit SB1 (G9SX-BC202; terminals A1, A2, T11, T12, T21, T22, T31, T32, T33, Y1, S14, S24, L1, L2, X1, X2) and Reset Switch S2 on its reset/feedback input; SB1's logical AND output L1 feeds the logical AND input (T41, T42) of SB2 and SB3 (two G9SX-AD322-T15 units; terminals A1, A2, T11, T12, T21, T22, T31, T32, T33, Y1, T41, T42, S14, S24, S34, S44, S54, L1, X1, X2). Guard 1: guard lock safety-door switch S3, limit switch S4 and lock release switch S6 on SB2, with the feedback loop from KM1/KM2; SB2 drives contactors KM1 and KM2 and sends stop signal 1 to the motor controller of Motor M1. Guard 2: S7, S8 and S10 on SB3, with the feedback loop from KM3/KM4; SB3 drives KM3 and KM4 and sends stop signal 2 to the motor controller of Motor M2. Lock release signals and operation instructions come from a PLC etc.]

••Model used and machine safety reliability data
Symbol | Model used | Machine safety reliability data
S1-1/S1-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S2 | Push Button Switch (from Annex C of ISO 13849-1) | B10d: 100,000
S3, S7 | Guard Lock Safety-door Switch: D4NL | B10d: 2,000,000
S4, S8 | Safety Limit Switch: D4N-□□20 (NC contact, direct mechanical action) | B10d: 10,000,000
SB1 | Flexible Safety Unit: G9SX-BC202 (IEC 61508 SIL3 certified) | PFHd: 4.10×10^-9
SB2, SB3 | Flexible Safety Unit: G9SX-AD322-T15 (IEC 61508 SIL3 certified) | PFHd: 5.70×10^-9
KM1/KM2/KM3/KM4 | Contactor with nominal load (from Annex C of ISO 13849-1) | B10d: 2,000,000

••Developed block diagram
[Electrical block diagram of safety-related parts: S1-1/S1-2 → SB1 → SB2 → KM1/KM2 and SB1 → SB3 → KM3/KM4; S3/S4 → SB2 → KM1/KM2; S7/S8 → SB3 → KM3/KM4. Logical development: safety function 1-1, sub system 1 S1-1/S1-2, sub system 2 SB1, sub system 3 SB2 with KM1/KM2 (channel 1 S1-1 → SB1 → SB2 → KM1; channel 2 S1-2 → SB1 → SB2 → KM2). Safety function 2, sub system 1 S3/S4 with KM1/KM2, sub system 2 SB2 (channel 1 S3 → SB2 → KM1; channel 2 S4 → SB2 → KM2).]
Note: The block diagram of safety function 1-2 (S1-1, S1-2, KM3, KM4, SB1, SB3) is developed in the same way, as is the block diagram of safety function 3 (consisting of S7, S8, SB3, KM3 and KM4).

••PL of Safety-related Parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1-1 | 1 | S1-1, S1-2 (A22E-M-02): faults excluded | - | - | - | - | -
1-1 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 11,500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
1-1 | 2 | SB1 (G9SX-BC202) | 4 | - | - | 4.10×10^-9 | e (SIL3)
1-1 | 3 | SB2 (G9SX-AD322-T15) | 4 | - | - | 5.70×10^-9 | e (SIL3)
PFHd and PL for the entire safety-related parts (safety function 1-1): 3.45×10^-8, PL e
The same result applies to safety function 1-2, which goes through SB3, KM3 and KM4.
2 | 1 | S3 (D4NL): B10d = 2,000,000, DC = 99%, nop = 11,000/year; S4 (Safety Limit Switch D4N-□□20, NC contact, direct mechanical action): B10d = 10,000,000, DC = 99%, nop = 11,000/year; KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 11,500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
2 | 2 | SB2 (G9SX-AD322-T15) | 4 | - | - | 5.70×10^-9 | e (SIL3)
PFHd and PL for the entire safety-related parts (safety function 2): 3.04×10^-8, PL e
The same result applies to safety function 3, which consists of S7, S8, SB3, KM3 and KM4.
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The point of CCF shall be at least 65.

Connection Example 6: Safety Light Curtain (stand alone)


••Safety functions
Safety function 1 (Stop method: Stop category 0; Restart method: Manual)
• Immediately removes power to Motor M when the Safety Light Curtain detects a person entering the area.
• The power to Motor M is kept removed until Reset Switch S2 is pressed.
[Circuit diagram: Safety Light Curtain SB1 (emitter and receiver) with the following components:
SB1: Safety Light Curtain (emitter and receiver)
S1: External test switch
S2: Start input
KM1, KM2: Magnet contactor
KM3: Solid state contactor [G3J]
M: 3-phase motor
E1: 24 VDC power supply
PLC: Programmable controller (the PLC is not part of the safety system)
Receiver wiring: +24 V (brown), 0 V (blue), Start input (yellow), Auxiliary output (orange), Control output 1 (black), Control output 2 (white), External relay monitor input (red), Shield (green). Emitter wiring: +24 V (brown), 0 V (blue), Test input (white), Test input return (black). Control outputs 1 and 2 drive KM1 and KM2 (each fitted with a surge killer); the NC contacts of KM1 and KM2 return to the external relay monitor input; KM1, KM2 and KM3 are in the supply to Motor M; the auxiliary output goes to a PLC input; E1 supplies +24 VDC and 0 V with ground.]

••Timing Chart
Note: Refer to "2. Precautions" in Chapter 4 when actually configuring the circuit.
[Timing chart traces: Light incident / Light interrupted; External test switch (S1); Reset switch (S2); Control output; KM1, KM2 (NO); KM1, KM2 (NC); PLC input*; PLC output.]
* ON output when light is interrupted, for output operation mode of auxiliary output 1.

••Model used and machine safety reliability data
Symbol | Model used | Machine safety reliability data
SB1 | Safety Light Curtain MS4800A-30-□ (IEC 61508 SIL3 certified) | PFHd: 5.90×10^-8
KM1/KM2 | Contactor with nominal load (from Annex C of ISO 13849-1) | B10d: 2,000,000

••Developed block diagram
[Electrical block diagram of safety-related parts: SB1 → KM1 and KM2. Developed logical block diagram, safety function 1, sub system 1 and sub system 2 (numbered as in the PL table): channel 1 SB1 → KM1; channel 2 SB1 → KM2.]

••PL of Safety-related Parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1 | 1 | KM1, KM2 (Contactor with nominal load): B10d = 2,000,000, DC = 99%, nop = 27,500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
1 | 2 | SB1 (MS4800A-30-□) | 4 | - | - | 5.90×10^-8 | e (SIL3)
PFHd and PL for the entire safety-related parts: 8.37×10^-8, PL e
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The point of CCF shall be at least 65.

Connection Example 7: Mode Switching, STO


••Safety functions
Safety function 1 (Stop method: STO*; Restart method: Manual)
• Immediately removes power to Motor M when Emergency Stop Switch S1 is pressed, regardless of operation mode.
• The power to Motor M is kept removed until the latch of the Emergency Stop Switch is released and Reset Switch S6 is pressed.
Safety function 2 (Stop method: STO*; Restart method: Manual)
• When the Guard is opened during scheduled operation, Limit Switches S2 and S3 detect it and the circuit immediately removes power to Motor M.
• The power to Motor M is kept removed until the Guard is closed and Reset Switch S6 is pressed.
Safety function 3 (Stop method: STO*; Restart method: Manual)
• Immediately removes power to Motor M when Enabling Grip S5 is gripped or released during maintenance mode.
• The power to Motor M is kept removed until the Enabling Grip is held and Reset Switch S6 is pressed.
Safety function 4 (Stop method: -; Restart method: -)
• Interlocking by the Guard must be defeated during maintenance mode.
• Mode Selector S4 switches between scheduled operation mode and maintenance mode.
* Based on the definition of IEC 61800-5-2.
[Circuit diagram: Emergency Stop Switch S1 (S1-1, S1-2), Safety Limit Switch S2 and General Limit Switch S3 on the Guard (shown open), Mode Selector S4 (S4-1, S4-2), Enabling Grip S5 (S5-1, S5-2) and Reset Switch S6 wired to the safety inputs Si0 to Si9 and test outputs T0 to T2 of Safety Controller SB1 (G9SP-N20S; 24 VDC at V1/G1); safety outputs So0 and So1 drive the STO inputs SF1+/SF1- and SF2+/SF2- of AC Servo Driver SB2 (R88D-KT), which also provides the EDM+/EDM- output; SB2 is powered from L1/L2/L3 and drives Motor M.]
••Model used and machine safety reliability data
Symbol | Model used | Machinery safety reliability data
S1-1/S1-2 | Emergency Stop Switch: A22E-M-02 (2NC contact) | B10d: 100,000
S2 | Safety Limit Switch: D4N-□□20 (NC contact, direct mechanical action) | B10d: 20,000,000
S3 | General limit switch (NO contact) | B10d: 10,000,000
S4-1/S4-2 | Mode Selector: A22TK-2□□-11 (1NC/1NO contact) | B10d: 100,000
S5-1/S5-2 | Enabling Grip Switch: A4EG-C000041 (2NO contact) | B10d: 100,000
S6 | Push Button Switch (from Annex C of ISO 13849-1) | B10d: 100,000
SB1 | Safety Controller: G9SP-N20S (IEC 61508 SIL3 certified) | PFHd: 8.55×10^-11
SB2 | AC Servo Driver G5 Series: R88D-KT/KN (IEC 61508 SIL3 certified) | PFHd: 2.30×10^-8

••Developed block diagram
[Electrical block diagram of safety-related parts: S1-1/S1-2, S2/S3, S4-1/S4-2 and S5-1/S5-2 → SB1 → SB2. Developed logical block diagrams: Safety function 1 (Emergency Stop Switch): sub system 1 S1-1/S1-2, sub system 2 SB1, sub system 3 SB2. Safety function 2 (Guard): sub system 1 S2/S3, sub system 2 SB1, sub system 3 SB2. Safety function 3 (Enabling Grip): sub system 1 S5-1/S5-2, sub system 2 SB1, sub system 3 SB2. Safety function 4 (Mode Switching): sub system 1 S4-1/S4-2, sub system 2 SB1.]
Chap. 4
••PL of Safety-related Parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL (SIL)
1 | 1 | S1-1, S1-2 (A22E-M-02): faults excluded | - | - | - | - | -
1 | 2 | G9SP-N20S | 4 | - | - | 1.10×10^-10 | e (SIL3)
1 | 3 | R88D-KT | 3 | - | - | 2.80×10^-8 | d (SIL2)
PFHd and PL for the entire safety-related parts (safety function 1): 2.81×10^-8, PL d*3
2 | 1 | S2 (D4N-□□20, NC contact): B10d = 20,000,000, DC = 99%, nop = 27,500/year; S3 (General limit switch, NO contact): B10d = 10,000,000, DC = 99%, nop = 27,500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
2 | 2 | G9SP-N20S | 4 | - | - | 1.10×10^-10 | e (SIL3)
2 | 3 | R88D-KT | 3 | - | - | 2.80×10^-8 | d (SIL2)
PFHd and PL for the entire safety-related parts (safety function 2): 5.28×10^-8, PL d*3
3 | 1 | S5-1, S5-2 (A4EG-C000041, NO contact): B10d = 100,000, DC = 99%, nop = 500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
3 | 2 | G9SP-N20S | 4 | - | - | 1.10×10^-10 | e (SIL3)
3 | 3 | R88D-KT | 3 | - | - | 2.80×10^-8 | d (SIL2)
PFHd and PL for the entire safety-related parts (safety function 3): 5.28×10^-8, PL d*3
4 | 1 | S4-1, S4-2 (A22TK-2□□-11, NC/NO contact): B10d = 100,000, DC = 99%, nop = 500/year | 4 | 100 | 99 | 2.47×10^-8 *2 | e
4 | 2 | G9SP-N20S | 4 | - | - | 1.10×10^-10 | e (SIL3)
PFHd and PL for the entire safety-related parts (safety function 4): 2.48×10^-8, PL e
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.
*3. The SIL claim limit is applied.

Note: The point of CCF shall be at least 65.

Connection Example 8: Removing Energy Supply with Emergency Stop Switch after Deceleration Stop


••Safety functions
Safety function 1 (Stop method: STO*; Restart method: Manual)
• Decelerates Motor M gradually when Emergency Stop Switch S1 is pressed, and removes power to Motor M after it has stopped completely.
• The power to Motor M is kept removed until the latch of Emergency Stop Switch S1 is released and Reset Switch S2 is pressed.
• The power to Motor M is kept removed until STO is released and Restart Switch S3 is pressed.
* Based on the definition of IEC 61800-5-2.

[Circuit diagram: Emergency Stop Switch S1 (S1-1, S1-2) on safety inputs Si0/Si1 (test outputs T0/T1) of Safety Input Unit SB2 (NX-SID800), with Reset Switch S2 and Restart Switch S3 on its further safety inputs Si2 to Si4; Safety CPU Unit SB1 (NX-SL3300) and Safety Output Unit SB3 (NX-SOH200; outputs So0/So1) provide the STO signal to SF1+/SF1- and SF2+/SF2- of AC Servo Driver SB4 (R88D-KT), whose EDM+/EDM- output is fed back; Stop Switch S4 and Start Switch S5 are non-safety-related parts on Digital Input Unit U5 (IN0/IN1) of the general control side (Machine Controller U1, EtherCAT Coupler Unit U2, power supply units U3 and U4); SB4 is connected via EtherCAT, over which instructions such as servo ON, alarm release, acceleration/deceleration and stop, and speed monitoring, etc. are exchanged; SB4 is powered from L1/L2/L3 and drives Motor M.]

••Timing Chart
[Timing chart traces: Stop switch (S4); Start switch (S5); Emergency stop switch (S1-1, S1-2); Alarm reset switch (S2); Restart switch (S3); STO output; Motor M rotation. Steps (1) to (8) below are marked on the chart.]
(1) Press Stop Switch S4 in the operation state (servo ON) and give a deceleration stop instruction from the general control side to AC servo controller SB4.
(2) Press Start Switch S5 in the stop state (servo ON) and give an acceleration instruction from the general control side to AC servo controller SB4.
(3) When Emergency Stop Switch S1 is pressed in the operation state (servo ON), give a deceleration stop instruction from the general control side to AC servo controller SB4.
(4) Remove power to Motor M after a certain period of time has passed since Emergency Stop Switch S1 was pressed. (Safety function 1)
(5) The latch of the Emergency Stop Switch is released.
(6) After Reset Switch S2 is pressed, release the alarm state of the servo driver to turn the servo ON.
(7) Release STO when Restart Switch S3 is pressed.
(8) Press Start Switch S5 and give an acceleration instruction from the general control side to AC servo controller SB4.

••Model used and machine safety reliability data
Symbol | Model used | Machine safety reliability data
S1-1/S1-2 | Emergency Stop Switch: A22E-M-02 | B10d: 100,000
S2 | Reset Switch: General push button switch (NO contact, momentary) | B10d: 100,000*3
S3 | Restart Switch: General push button switch (NO contact, momentary) | B10d: 100,000*3
S4 | Stop Switch (for general control): General push button switch (NO contact, momentary) | Not evaluated as PL (non-safety-related parts)
S5 | Start Switch (for general control): General push button switch (NO contact, momentary) | Not evaluated as PL (non-safety-related parts)
SB1 | Safety CPU Unit: NX-SL3300*1 | PFHd: 3.10×10^-10, Category 4
SB2 | Safety Input Unit: NX-SID800*1 | PFHd: 4.30×10^-10, Category 4
SB3 | Safety Output Unit: NX-SOH200*1 | PFHd: 3.60×10^-10, Category 4
SB4 | AC Servo Driver G5 Series: R88D-KT*2 | PFHd: 2.30×10^-8, Category 3
U1 | Machine Controller (for general control): NJ301 | Not evaluated as PL (non-safety-related parts)
U2 | NX Series EtherCAT Coupler Unit (for general control): NX-ECC201 | Not evaluated as PL (non-safety-related parts)
U3 | Additional NX Unit Power Supply Unit (for general control): NX-PD1000 | Not evaluated as PL (non-safety-related parts)
U4 | Additional I/O Power Supply Unit (for general control): NX-PF0630 | Not evaluated as PL (non-safety-related parts)
U5 | Digital Input Unit (for general control): NX-ID4442 | Not evaluated as PL (non-safety-related parts)
*1. IEC 61508 SIL3 certified.
*2. IEC 61508 SIL2 certified.
*3. According to Table C.1 of Annex C of ISO 13849-1.

••Developed block diagram
[Pathway of safety functions: S1-1/S1-2 → SB2 → SB1 → SB3 → SB4. Block diagram of reliability, safety function 1: sub system 1 S1-1/S1-2, sub system 2 SB2, sub system 3 SB1, sub system 4 SB3, sub system 5 SB4.]

••PL of Safety-related Parts
Safety function | Sub system | Component | Category | MTTFd (year)*1 | DCavg (%) | PFHd | PL/SIL
1 | 1 | S1-1, S1-2 (A22E-M-02): faults excluded | - | - | - | - | -
1 | 2 | SB2 (Safety Input Unit: NX-SID800) | 4 | - | - | 4.30×10^-10 | e (SIL3)
1 | 3 | SB1 (Safety CPU Unit: NX-SL3300) | 4 | - | - | 3.10×10^-10 | e (SIL3)
1 | 4 | SB3 (Safety Output Unit: NX-SOH200) | 4 | - | - | 3.60×10^-10 | e (SIL3)
1 | 5 | SB4 (AC Servo Driver G5 Series: R88D-KT) | 3 | - | - | 2.80×10^-8 | d (SIL2)
PFHd and PL for the entire safety-related parts: 2.91×10^-8, PL d*2
*1. The upper limit of MTTFd as a sub system shall be 100 years.
*2. The SIL claim limit is applied.

Note: The point of CCF shall be at least 65.

Connection Example 9: Guard Lock Safety-door Switch


••Safety functions
Safety function 1 (Stop method: Stop category 1; Restart method: Manual)
• Immediately removes power to Motor M when Stop Switch S1 is pressed.
• Releases the solenoid lock of Guard Lock Safety-door Switch S5 after the period of time required for Motor M to stop.
• The power to Motor M is kept removed until the Guard is closed and locked, and Reset Switch S2 is pressed.

[Circuit diagram: Stop Switch S1, Guard Lock Release Switch S2 and Reset Switch S3 on safety inputs Si4 to Si7 (test outputs T0/T1) of Safety Input Unit SB2 (NX-SID800); Safety Limit Switch S4 and the contacts of Guard Lock Safety-door Switch S5 (S5-1 door opening/closing detection, S5-2 locking monitoring, S5-3 door opening/closing detection + locking monitoring) on safety inputs Si0 to Si3 (test outputs T0/T1); Safety CPU Unit SB1 (NX-SL3300) and Safety Output Unit SB3 (NX-SOD400; outputs So0 to So2) drive contactors KM1 and KM2 for Motor M and the guard lock release signal to S5; the general control side (Machine Controller U1, EtherCAT Coupler Unit U2, power supply units U3 and U4) is a non-safety-related sub system.]

••Timing Chart
[Timing chart traces: Stop switch (S1); Guard lock release switch (S2); Safety limit switch (S4); Guard lock safety-door switch: door opening/closing detection contact (S5-1), locking monitoring contact (S5-2), door opening/closing detection + locking monitoring contact (S5-3); Reset switch (S3); KM1 output; KM2 output; Motor M rotation. Steps (1) to (6) below are marked on the chart.]
(1) Remove power to Motor M when Stop Switch S1 is pressed.
(2) After Motor M has stopped, press Guard Lock Release Switch S2 to release the door lock.
(3) Open the guard.
(4) Move out of the hazard zone and close the guard.
(5) Lock the guard.
(6) Press Reset Switch S3 to restore the machine to the operating state.

••Model used and machine safety reliability data
Symbol | Model used | Machine safety reliability data
S1 | Stop Switch: General push button switch (NO contact, momentary) | B10d: 100,000*2
S2 | Guard Lock Release Switch: General push button switch (NO contact, alternate) | B10d: 100,000*2
S3 | Reset Switch: General push button switch (NO contact, momentary) | B10d: 100,000*2
S4 | Safety Limit Switch: D4N-□□20 | B10d: 20,000,000
S5-1 | Guard Lock Safety-door Switch (door opening/closing detection contact): D4SL-N2VFA | B10d: 2,000,000
S5-2 | Guard Lock Safety-door Switch (locking monitoring contact): D4SL-N2VFA | B10d: 2,000,000
S5-3 | Guard Lock Safety-door Switch (door opening/closing detection contact + locking monitoring contact): D4SL-N2VFA | B10d: 2,000,000
KM1, KM2 | Contactor with nominal load | B10d: 2,000,000*2
SB1 | Safety CPU Unit: NX-SL3300*1 | PFHd: 3.10×10^-10, Category 4
SB2 | Safety Input Unit: NX-SID800*1 | PFHd: 4.30×10^-10, Category 4
SB3 | Safety Output Unit: NX-SOD400*1 | PFHd: 5.50×10^-10, Category 4
U1 | Machine Controller (for general control): NJ301 | Not evaluated as PL (non-safety-related parts)
U2 | NX Series EtherCAT Coupler Unit (for general control): NX-ECC201 | Not evaluated as PL (non-safety-related parts)
U3 | Additional NX Unit Power Supply Unit (for general control): NX-PD1000 | Not evaluated as PL (non-safety-related parts)
U4 | Additional I/O Power Supply Unit (for general control): NX-PF0630 | Not evaluated as PL (non-safety-related parts)
*1. IEC 61508 SIL3 certified.
*2. According to Table C.1 of Annex C of ISO 13849-1.

•• Developed block diagram

Pathway of safety function 1: the input devices S4 and S5-1 feed the safety input unit SB2, which passes the demand to the safety CPU unit SB1 and on to the safety output unit SB3; SB3 drives the contactors KM1 and KM2.

Block diagram of reliability:
Subsystem 1 (designated architecture, two channels)
  Channel 1: S4 -> KM1
  Channel 2: S5-1 -> KM2
Subsystem 2: SB2
Subsystem 3: SB1
Subsystem 4: SB3

•• PL of Safety-related Parts

Safety function | Subsystem | Component                                            | Category | MTTFd (year) *1 | DCavg (%) | PFHd          | PL / SIL
1               | 1         | S4:   B10d = 20,000,000, nop = 11,000/year, DC = 99% | 4        | 100             | 99        | 2.47×10^-8 *2 | e
                |           | KM1:  B10d = 2,000,000, nop = 11,000/year, DC = 99%  |          |                 |           |               |
                |           | S5-1: B10d = 2,000,000, nop = 11,000/year, DC = 99%  |          |                 |           |               |
                |           | KM2:  B10d = 2,000,000, nop = 11,000/year, DC = 99%  |          |                 |           |               |
1               | 2         | SB2 (Safety input unit: NX-SID800)                   | 4        | -               | -         | 4.30×10^-10   | e (SIL3)
1               | 3         | SB1 (Safety CPU unit: NX-SL3300)                     | 4        | -               | -         | 3.10×10^-10   | e (SIL3)
1               | 4         | SB3 (Safety output unit: NX-SOD400)                  | 4        | -               | -         | 5.50×10^-10   | e (SIL3)
PFHd and PL for the entire safety-related parts (sum of the subsystem PFHd values)                                                      | 2.59×10^-8    | e
*1. The upper limit of MTTFd as a subsystem shall be 100 years.
*2. Converted to PFHd based on Table K.1 of Annex K of ISO 13849-1.

Note: The CCF score shall be at least 65.

Chapter 5

Performance Level

1. What is a Performance Level (PL)? ............................................ 68
   Roles of manufacturers of machines and control devices ........................ 68
2. Relationship between Risk Assessment and PL .................................. 69
   Risk Assessment Procedure ..................................................... 69
   Iterative Process of Risk Reduction ........................................... 69
3. Organizing Safety Functions and Hazards ...................................... 71
   Multiple safety functions in the same machine ................................. 71
4. PLr and PL ................................................................... 72
   Common Criteria ............................................................... 72
   How to Determine PLr .......................................................... 72
5. Safety-related Parts PL Evaluation Procedure ................................. 73
   Evaluating the Safety-related Parts by Path of Safety Function ................ 73
   PL Evaluation Procedure ....................................................... 76
6. Subsystem Configured in Discrete Components .................................. 78
   (1) Category .................................................................. 79
   (2) MTTFd (Mean Time to Dangerous Failure) .................................... 81
   (3) DC (Diagnostic Coverage) and DCavg ........................................ 84
   (4) CCF (Common Cause Failure) ................................................ 87
   (5) PFHd (Probability of Dangerous Failure per Hour) .......................... 89
7. Complex Subsystem ............................................................ 92
8. PL Evaluation ................................................................ 93
9. Basic Safety Principles for Risk Reduction in the Failure .................... 95
   (1) Description in IEC 60204-1 ................................................ 95
10. Validation for Programmable Devices ........................................ 101
   Design process for the safety-related parts software ......................... 101
11. Safety-related Parts PL Evaluation in the Devices .......................... 104
   (1) Sorting out safety functions ............................................. 104
   (2) Drawing up block diagram ................................................. 105
   (3) Points in composite hazard schematisation ................................ 107

1. What is a Performance Level (PL)?

If a risk reduction measure is based on the control system, a level of performance is required of both the hardware and the software of the safety-related parts of the control system, depending on the scale of the risk. This level is defined in ISO 13849-1 as the Performance Level (PL).
For machines exported to Europe, the safety function PL is required to be met and its validity shall be certified under the Machinery Directive. JIS B 9705-1 is the Japanese counterpart standard; it is harmonized with ISO 13849-1 and identical in content.
Regulations in each country are being standardized on the basis of ISO 13849-1, which is recognized as the standard method for evaluating the safety functions of machine control.

The following sections describe the relationship between a risk assessment and PL, and the specific PL evaluation procedures.
•• Relationship between Risk Assessment and PL
•• Organizing Safety Functions and Hazards
•• PLr and PL
•• PL Evaluation for the Safety-related Parts
•• Subsystem Configured in Singular Parts
   - Categories
   - MTTFd
   - DCavg
   - CCF
   - PFHd
•• Individual Subsystem
•• PL Determination

Roles of manufacturers of machines and control devices
PL is evaluated from the structure of the control circuit that carries the safety function and from the reliability of its components.
PL is evaluated by the device designers at the machine manufacturer. The evaluation applies the machine safety reliability data specific to each control device to the structural elements of the safety-related parts (such as the category, described later, or parameters such as CCF) and to the usage conditions (such as the nop or DCavg parameters), which are known only to the designers.
Control device manufacturers provide the device designers with the machine safety reliability data required for the PL evaluation.

2. Relationship between Risk Assessment and PL

Risk Assessment Procedure
This section describes the risk reduction measures and PL for the safety-related parts.
The ISO 12100:2010 machine design procedure follows a series of flows for risk reduction after the risk analysis.
The risk reduction measures consist of the following three steps, as described in Chapter 2:
1. Inherently safe design
2. Safeguarding and complementary protective measures
3. Information for use
Of the measures above, safeguarding and complementary protective measures feature many safety functions, such as the interlock mechanism of safety switches, safety light curtains or emergency stop devices. These devices do not usually work individually but are integrated in a safety-related part of the control system, followed by a processing function and a power control function.

Risk assessment and risk reduction flow (ISO 12100):
Start
  -> Decide limits of machinery (ISO 12100)
  -> Identify hazard (ISO 12100)
  -> Risk estimation (ISO 12100)                       [risk analysis]
  -> Level acceptable or not?
       Yes -> Complete
       No  -> Measures for risk reduction (ISO 12100)  [risk reduction]
              1. Inherently safe design
              2. Safeguarding and complementary protective measures
                 (in many cases based on control: interlock, light beam safety sensor, etc.)
              3. Information for use
              -> back to risk estimation

Iterative Process of Risk Reduction
Only control-based risk reduction measures are subject to PL evaluation. The risk reduction process of ISO 13849-1 is harmonized with ISO 12100 as shown in the flow below.

Start
  -> Decide limits of machinery (ISO 12100)
  -> Identify source of hazard (ISO 12100)
  -> Risk estimation (ISO 12100)
  -> Level acceptable or not?
       Yes -> Complete
       No  -> Decide measures
              When measures are based on control (ISO 13849-1):
                -> Determine PLr
                -> Design safety-related parts
                -> Evaluate PL (categories, MTTFd, DCavg, CCF)
                -> PL >= PLr?
                     No  -> back to design of safety-related parts
                     Yes -> back to risk estimation

Safety function and PL

Risk reduction measures that do not involve the control system are not subject to PL evaluation. Safety measures not implemented by control, such as mechanical protective structures (fixed safety fences) or operating procedures such as lockout/tagout, are not subject to PL evaluation. Safety measures which, although implemented by control, are positioned as information for use, such as an alarm function, are not subject to PL evaluation either.
Safety measures that are not subject to PL evaluation but are specified in other safety standards are still required to meet those standards. For example, an overcurrent protection device as referred to in IEC 60204-1 is applicable.
It is recommended to start by extracting the items subject to PL evaluation from the risk reduction measures while reviewing the machinery risk assessment sheet, as in the example below.

No. | Device name     | Hazard                   | Hazardous event                                                                                                  | Risk   | Allowance | Risk reduction measure                                | PL evaluation
1   | Press machine   | Crushing                 | During the press work, another operator puts a hand in to take out a workpiece, resulting in a hand being pinched. | High   | ×         | Protection by light beam safety device.               | Yes
2   | Control panel   | Contact with a live part | Electric shock by contact with a live part by mistake during a part replacement.                                 | Medium | ×         | Install a main power isolator.                        | -
3   | Conveyor        | Entanglement, trapping   | Work wear is entangled in a conveyor, bruising by being dragged along.                                           | Medium | ×         | Install emergency stop switches at certain intervals. | Yes
4   | Cables          | Trapping                 | An operator trips over an exposed cable on the floor and falls down.                                             | Medium | ×         | Lay floor cable covers.                               | -
5   | Workpiece table | Unnatural posture        | Back pain occurs due to working long hours using a workpiece table that is too low in height for the operator.   | Medium | ×         | Adjust the bench height.                              | -

3. Organizing Safety Functions and Hazards

The performance level of each of the multiple safety functions in a single machine is briefly explained.

Multiple safety functions in the same machine
There are generally multiple measures for risk reduction referred to in the risk assessment. Of these, a PL is required for the control-based risk reduction measures, that is, for the safety functions.
If a single risk reduction measure is shared among the measures against multiple hazards, each combination is handled as a separate system, and the PL evaluation is performed for each of these safety function systems.
That means the PL for a machine having multiple hazards and multiple risk reduction measures is not restricted to one. It is recommended to clarify the relationships between risk reduction measures and hazards before starting the PL evaluation, even when the safety functions of the actual machine are complicated. With the relationships summarized, each safety function system is evaluated in terms of its safety-related parts.

Consider the following device as an example. There are two hazards: the laser beam (risk of blindness) and the conveyor power (entanglement).
[Figure: laser beam, movable guard, conveyor power, workpiece, emergency stop switch, safety light curtain, control panel]

If the following risk reduction measures are taken against the hazards described above, the safety function systems are summarized as in the table below.
•• Shut down the laser beam if the emergency stop switch is pressed
•• Shut down the conveyor power as well if the emergency stop switch is pressed
•• Shut down the laser beam only if the movable guard is opened
•• Shut down the conveyor power if the safety light curtain is blocked

Risk reduction measure | Hazard: Laser beam | Hazard: Conveyor power
Emergency stop switch  | System 1           | System 2
Movable guard          | System 3           | -
Safety light curtain   | -                  | System 4

4. PLr and PL

Common Criteria
With the safety function systems in the machine summarized, the required performance level for each safety function system is evaluated.
PL is made up of the performance required of the safety-related parts according to the scale of the risk (PLr) and the result of evaluating the actual safety-related parts (PL).
Both are evaluated in five levels from "a" to "e".
•• Performance level required in the safety-related parts: PLr (Required Performance Level)
•• Validity evaluation result for the safety-related parts: PL (Performance Level)
[Figure: PLr is placed on a scale of risk from low (a) to high (e); PL is placed on a scale of reliability from low to high against the categories B, 1, 2, 3 and 4, also graded a to e.]

How to Determine PLr
Of the performance levels, what can be determined at the completion of the risk assessment is PLr. This is the target performance for the design of the safety-related parts.
PLr is evaluated using the risk graph below in terms of the Severity of injury (S), the Frequency and/or exposure time to the hazard (F) and the Possibility of avoiding the hazard (P). The result is one of the indexes a to e according to the size of the risk.

Risk graph (start at S, then F, then P; a = low risk, e = high risk):
S1 - F1 - P1 -> a
S1 - F1 - P2 -> b
S1 - F2 - P1 -> b
S1 - F2 - P2 -> c
S2 - F1 - P1 -> c
S2 - F1 - P2 -> d
S2 - F2 - P1 -> d
S2 - F2 - P2 -> e

<Meaning of Symbols>
S1: slight (normally reversible injury)
S2: serious (normally irreversible injury or death)
F1: seldom-to-less-often and/or exposure time is short
F2: frequent-to-continuous and/or exposure time is long
P1: possible under specific conditions
P2: scarcely possible

PL cannot be evaluated unless the safety-related parts design is specifically defined. The following section describes the PL evaluation procedure, assuming the safety-related parts design has been embodied.
The validity evaluation result (PL) for the safety-related parts is required to be equal to or higher than the required performance level (PLr).

5. Safety-related Parts PL Evaluation Procedure

This section describes the PL evaluation procedure for the safety-related parts that implement a safety function system.

Evaluating the Safety-related Parts by Path of Safety Function
A demand for operation of a safety function is transmitted over a path that differs for each system. For example, one safety function tells the actuator that the guard has been opened and shuts off the hazardous energy, and another safety function tells the actuator that the emergency stop switch is being pressed and shuts off the hazardous energy. Some of the phenomena are common, but they are transmitted over different paths.
Each transmission path is made up of the detection function I (input device), the judging function L (logic operation device) and the power control function O (output device), forming one path. This is a safety-related part.
Turning the sequence by which the safety function is transmitted through the control circuit into the block diagram shown below, and further into a pattern, facilitates the PL evaluation.

[Figure: control system]
Non-safety-related part: PLC, etc. -> operation preparation signal -> processing function -> power control function
Safety-related part: safety detection function (door switch, safety light curtain, etc.) -> safety check signal -> safety controller, etc. -> contactor, etc.

Path:  I (Input device) -> L (Logic operation device) -> O (Output device)

1) Extracting safety-related parts
Representing the safety-related parts of a given safety function in a block diagram starts with separating, in the control circuit diagrams, the parts related to implementing the safety function from those which are not. Parts that are not relevant to the safety function, or whose failure does not cause loss of the safety function, need not be incorporated in the PL evaluation even if they are on the transmission path.
Examples:
•• Overcurrent breaker, transformer, etc.: important parts for electrical safety (IEC 60204-1 (JIS B 9960-1)), but not within the scope of ISO 13849-1.
•• Cable, connector, or signal splitter/divider: these are not active parts and are least likely to cause loss of the safety function (if "fault exclusion" in ISO 13849-2 is applicable).
Assume the safety function control circuit below, in which the hazard is shut off by stop category 0 via the emergency stop switch.

[Circuit diagram]
3-phase power supply (200 VAC system): breaker -> contactor contacts 01, 02 -> motor M
Single-phase power supply (100 VAC system): fuse -> switching power supply (L, N, PE in; +V/-V out as +24 VDC / 0 V)
Control power supply (24 VDC): emergency stop switch contacts I1, I2 -> (connector) -> safety controller In1, In2 / Out1, Out2 -> (connector) -> contactor coils 01, 02

2) Assigning to the Block Diagram and Judging the Category
Assign each extracted safety-related part to the I, L and O blocks of the block diagram. It is important to note here how many paths are available to transmit each safety function. Each such path is called a channel, and the category is determined by the number of channels. Assign the safety-related parts to the block diagram of the designated architecture.
Input and output are provided with two channels each (the two contacts inside the emergency stop switch, each connected to one channel, are taken as two channels). The safety controller is assumed to be internally redundant. The block diagram in that case is category 3 or category 4.
NOTE: A block diagram shows how the probabilities of dangerous failure of the safety-related parts accumulate. It does not represent the electrical signal flow. The parts are expanded in series even if the power supply system differs.
Each category has specific requirements according to the PLr of the safety function. For further details, see (1) Category in Section 6. Subsystem Configured in Discrete Components in Chapter 5.

[Block diagram of the circuit above]
Channel 1: I1 (emergency stop switch, 1 NC contact) -> L (safety controller) -> O1 (contactor, interlock circuit)
Channel 2: I2 (emergency stop switch, 1 NC contact) -> L (safety controller) -> O2 (contactor, interlock circuit)
Demand for safeguarding operation -> risk reduction: power to M is shut OFF

3) Dividing the Entire Safety-related Parts into Subsystems
As a matter of fact, making a PL evaluation based on the ISO 13849-1:2006 scheme alone is complicated and difficult. So the subsequent description follows the scheme presented in the technical report ISO/TR 23849, an application guide to ISO 13849-1.
Dividing the safety-related parts block diagram into functional chunks (called subsystems, in the sense of system sublayers) makes the PL evaluation easier. For example, the safety controller in the diagram above contains safety-related parts in which two channels are formed within one device, and its PL is established for the device as a whole. Such a safety device is a subsystem in itself. To avoid duplicated evaluation, such subsystems are viewed separately from the block diagram. Consequently, what is assigned to the block diagram is restricted to the individual parts whose PL is not yet evaluated (such as switches, relays or contactors). These individual parts are called blocks.
Devices such as safety controllers whose PL is evaluated by the control device manufacturer are evaluated as independent subsystems. A group of discrete parts is handled as a subsystem assigned to the designated architecture formed by the combination of those parts.

[Block diagram divided into subsystems]
Subsystem of designated architecture (discrete parts):
  Channel 1: I1 (emergency stop switch, NC contact) -> O1 (contactor, interlock circuit)
  Channel 2: I2 (emergency stop switch, NC contact) -> O2 (contactor, interlock circuit)
Complex subsystem (safety controller, L): PFHd = 2.47×10^-8, category 4

Reference: Classification of Omron Safety Components

Classification | Discrete components (block)                                                                                                                      | Complex subsystem
Features       | No PL declaration per se; no diagnosis (passive)                                                                                                 | PL declared for the device; failure diagnosis self-contained (active)
Input device   | Safety limit switch: D4N series; emergency stop switch: A22E; safety door switch: D4NS; guard lock safety-door switch: D4NL, D4SL-N; etc.        | Non-contact door switch: D40A, D40Z; safety laser scanner: OS32C; safety light curtain: F3SJ series; etc.
Control device | Safety relay: G7SA; etc.                                                                                                                         | Safety relay unit: G9SA series; flexible safety unit: G9SX series; safety controller: G9SP; safety control unit: NX series; etc.
Output device  | Contactor, etc.                                                                                                                                  | AC servo motor/driver: G5 series; multi-function compact inverter: MX2 series V1 type; etc.

In a subsystem composed of discrete devices, the devices are assigned to a designated architecture, and from the following four parameters
•• Category
•• MTTFd
•• DCavg
•• CCF
the final parameter
•• PFHd
is derived for evaluation.
For further details, see Section 6. Subsystem Configured in Discrete Components in Chapter 5.
For an independent subsystem, the control device manufacturer provides the four parameters above or PFHd.
For further details, see Section 7. Complex Subsystem in Chapter 5.

4) Linking the Subsystems
The overall evaluation is made by combining the PL evaluation of the subsystems comprised of discrete components, obtained in 3), with the PL evaluations of the individual (complex) subsystems. PFHd is used for linking the subsystems.
For further details, see Section 8. PL Evaluation in Chapter 5.

PL Evaluation Procedure
The work flow up to this point is as follows. The diagram represents an overview of the evaluation procedure for the performance (PL) of the safety-related parts as indicated in ISO 13849-1:2006 and ISO/TR 23849.
Proceed to the detailed safety design along with the description in each chapter.

A. Enumerate the risks by the risk assessment.
   See Risk Assessment Procedure in 2. Relationship between Risk Assessment and PL in Chapter 5.
B. If the risk level is not acceptable, take measures for reducing the risk.
   See Risk Assessment Procedure in 2. Relationship between Risk Assessment and PL in Chapter 5.
   If a measure is control-based, determine the required performance level (PLr: a, b, c, d or e) to meet the measure (safety function).
   See How to Determine PLr in 4. PLr and PL in Chapter 5.
C. Design a control circuit to implement the required safety function.
   To achieve PLr in the safety-related parts, it is necessary to select parts having the circuit of the designated architecture (category) and the reliability to meet the requirements.
   Extract from the control circuit the safety-related parts that transmit the operating demands for the safety function and expand them into the logical block diagram.
   Of the safety-related parts, separate what is already evaluated with a PL per se or functionally evaluated for safety (SIL), i.e. the complex subsystems (b), from the discrete components (a).
   See 7. Complex Subsystem in Chapter 5.

b. Complex subsystem
   Complicated electronic circuits (including safety light curtains and safety controllers) made up of electronic parts are mainly evaluated by the parts manufacturers.
   - Products in conformity to IEC 62061/IEC 61508: PFHd is given by the manufacturer, or only SIL is declared and is converted into PL via the PL decision table on page 104.
   - Products in conformity to ISO 13849-1: PFHd is given by the manufacturer, or only PL is declared and is converted into PFHd via the PFHd conversion table on page 103.
a. Safety-related parts or subsystem comprised of a designated architecture
   Consumable mechanical parts (including switches, relays and contactors) are mainly evaluated by the machinery manufacturer.
   - B10d and DC are given by the manufacturer; nop is assumed by the designer.
   - Identify the category; calculate MTTFd; calculate DCavg; check CCF.
   - Category, MTTFd, DCavg and CCF are converted into PFHd via the PFHd conversion table on page 103, or into PL via the PL decision table on page 104.

Simplified evaluation: the lowest PL among the subsystems is the PL of the safety-related parts.
   Determine PL in 3) Simplified estimation in 8. PL Evaluation in Chapter 5.
Quantitative evaluation: the sum of PFHd over all subsystems gives the PL of the safety-related parts.
   Determine PL in 1) Combination of Subsystems in 8. PL Evaluation in Chapter 5.

PLr achieved?
   NO  -> Reconsider circuit configuration and parts (return to C).
   YES -> Risk reduced to an acceptable level?
            NO  -> Consider additional safety measures (return to B).
            YES -> All risks assessed?
                     NO  -> Continue risk enumeration (return to A).
                     YES -> Completed.

6. Subsystem Configured in Discrete Components

Singular (discrete) parts basically means consumable parts (such as switches, relays or contactors) or sensors which are not provided with active diagnostic functions. The reliability of subsystems configured from these discrete components is evaluated by the following parameters. The same is true if the entire safety-related parts are comprised of discrete parts. If the parts themselves are already certified to ISO 13849-1 or IEC 62061 (or IEC 61508) and their reliability values are known, those values are consolidated separately. Such certified parts are called subsystems. How they are consolidated into the entire safety-related parts is described in 8. PL Evaluation in Chapter 5.

PL parameter: Category
  Criteria for determination: the architecture of the safety control system, i.e. the configuration of I, L and O (the designated architectures are shown in (1) Category below).
    Categories B and 1: single channel, I -> L -> O.
    Category 2: single channel I -> L -> O, monitored (m) by test equipment TE with its output OTE.
    Categories 3 and 4: two channels, I1 -> L1 -> O1 and I2 -> L2 -> O2, with cross monitoring (m).
  Levels: 5 categories (B, 1, 2, 3, 4)

PL parameter: MTTFd
  Criteria for determination:
    (1) Component block:
        1. Use the MTTFd provided by the manufacturer.
        2. Use the MTTFd or B10d specified in Annex C.
        3. Use 10 years if no data is available.
        When B10d is provided, obtain MTTFd from the Annex C equation MTTFd = B10d / (0.1 × nop)*.
    (2) Channel: combine the blocks in the channel (1/MTTFd of the channel is the sum of 1/MTTFd of each block).
    (3) Entire subsystem: if the channel 1 and channel 2 MTTFd are equivalent, take the channel result of (2) as the MTTFd of the subsystem. The MTTFd of the subsystem is, however, limited to 100 years.
    * The machine designer himself/herself needs to know nop.
  Levels: High (30 or more years and less than 100 years), Medium (10 or more years and less than 30 years), Low (3 or more years and less than 10 years): 3 levels

PL parameter: DCavg
  Criteria for determination:
    (1) Component block: select the relevant DC from Table 1 in Annex E.
    (2) Entire subsystem: average the DC of the blocks, each weighted by 1/MTTFd of that block.
  Levels: High (99% or more), Medium (90% or more and less than 99%), Low (60% or more and less than 90%), N/A (less than 60%): 4 levels

PL parameter: CCF
  Criteria for determination: the score in the Annex F checklist must be 65 or over.
  Levels: Yes (65 or more), No (less than 65): 2 levels
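The following is an added worked example, not code from the Omron guide, that runs the parameters of the table above over subsystem 1 of the guard-lock circuit example (Safety Circuit Examples, safety function 1: S4/KM1 and S5-1/KM2, nop = 11,000/year, DC = 99%): MTTFd per block from B10d and nop, channel and subsystem MTTFd with the 100-year cap, DCavg, the CCF threshold, the simplified PL determination, and the quantitative PL from the summed PFHd of the four subsystems, checked against a PLr taken from the risk graph in section 4. The Annex C/D/E formulas, the Figure 5 matrix and the Table 3 PFHd bands are those of ISO 13849-1:2006; the subsystem 1 PFHd of 2.47×10^-8 is the Table K.1 value the page's table states; the CCF score of 70, the S2/F2/P2 risk-graph inputs and all helper names are this example's own assumptions.

```python
# Added worked example (not Omron's own tooling): ISO 13849-1 simplified procedure
# applied to subsystem 1 of the guard-lock circuit example (S4/KM1 and S5-1/KM2,
# nop = 11,000/year, DC = 99 %). Helper names and the CCF score are assumptions.
from dataclasses import dataclass

PL_ORDER = "abcde"

@dataclass
class Block:
    """A discrete component (switch, contactor) described by B10d, nop and DC."""
    name: str
    b10d: float  # cycles until 10 % of the lot has failed dangerously (Annex C)
    nop: float   # mean operations per year; only the machine designer knows it
    dc: float    # diagnostic coverage as a fraction (0.99 == 99 %)

    @property
    def mttfd(self) -> float:
        # Annex C: MTTFd = B10d / (0.1 * nop), in years
        return self.b10d / (0.1 * self.nop)

def nop_per_year(dop: float, hop: float, tcycle_s: float) -> float:
    """Annex C: nop = dop * hop * 3600 / tcycle (days/year, hours/day, seconds per cycle)."""
    return dop * hop * 3600.0 / tcycle_s

def channel_mttfd(blocks) -> float:
    """Blocks in series inside one channel: 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / b.mttfd for b in blocks)

def subsystem_mttfd(ch1, ch2) -> float:
    """Annex D symmetrisation of two channels, then the 100-year subsystem cap."""
    c1, c2 = channel_mttfd(ch1), channel_mttfd(ch2)
    sym = (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))
    return min(sym, 100.0)

def dc_avg(blocks) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(b.dc / b.mttfd for b in blocks) / sum(1.0 / b.mttfd for b in blocks)

def mttfd_level(years: float) -> str:
    if years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable")
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_level(dc: float) -> str:
    dc = round(dc, 6)  # keep float noise from pushing exactly 99 % below the 'high' edge
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

# Simplified PL determination (ISO 13849-1:2006 Figure 5), keyed by (category, DCavg level).
SIMPLIFIED_PL = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}
# ISO 13849-1 Table 3: PFHd band (dangerous failures per hour) for each PL.
PFHD_BANDS = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
              ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
# Risk graph (S, F, P) -> PLr, as drawn in section 4 of this chapter.
RISK_GRAPH = {("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b", ("S1", "F2", "P1"): "b",
              ("S1", "F2", "P2"): "c", ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
              ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e"}

def subsystem_pl(category: str, mttfd: float, dcavg: float, ccf_score: int) -> str:
    """PL of a designated-architecture subsystem; a CCF score of 65+ is required from category 2 up."""
    if category in ("2", "3", "4") and ccf_score < 65:
        raise ValueError("CCF checklist score must be at least 65")
    try:
        return SIMPLIFIED_PL[(category, dc_level(dcavg))][mttfd_level(mttfd)]
    except KeyError:
        raise ValueError("parameter combination is not an allowed designated architecture")

def pl_from_pfhd(pfhd: float) -> str:
    for pl, lo, hi in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl
    raise ValueError("PFHd outside the PL a..e range")

def evaluate_guard_lock_example() -> dict:
    nop = 11_000
    ch1 = [Block("S4 D4N limit switch", 20_000_000, nop, 0.99), Block("KM1 contactor", 2_000_000, nop, 0.99)]
    ch2 = [Block("S5-1 D4SL-N door contact", 2_000_000, nop, 0.99), Block("KM2 contactor", 2_000_000, nop, 0.99)]
    mttfd = subsystem_mttfd(ch1, ch2)  # about 1317 years before the cap, so 100.0
    dcavg = dc_avg(ch1 + ch2)          # every block is 99 %, so 0.99
    pl_sub1 = subsystem_pl("4", mttfd, dcavg, ccf_score=70)  # 70 is an assumed checklist score
    # Subsystem 1 PFHd is the Table K.1 value the page's table gives for category 4, DCavg 99 %,
    # MTTFd 100 years; SB2, SB1 and SB3 are declared by the manufacturer (PL e, SIL3).
    pfhd = [2.47e-8, 4.30e-10, 3.10e-10, 5.50e-10]
    pls = [pl_sub1, "e", "e", "e"]
    total = sum(pfhd)
    pl_q = pl_from_pfhd(total)
    return {"mttfd": mttfd, "dcavg": dcavg, "pl_sub1": pl_sub1,
            "pl_simplified": min(pls),          # lowest PL among the subsystems
            "pfhd_total": total, "pl_quantitative": pl_q,
            "meets_plr": PL_ORDER.index(pl_q) >= PL_ORDER.index(RISK_GRAPH[("S2", "F2", "P2")])}
```

Calling evaluate_guard_lock_example() reproduces the figures of the circuit example: subsystem 1 MTTFd capped at 100 years, DCavg 99%, PL e, and a summed PFHd of about 2.6×10^-8 (the page's table gives 2.59×10^-8), which stays inside the PL e band. Lowering nop, the DC of one block, or the CCF score shows how a category 4 subsystem drops out of its PL; the mttfd_level and subsystem_pl checks raise instead of silently returning a PL the standard does not allow.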


(1) Category
This section describes the types of category and their requirements as the framework of the safety-related parts.

Concept of category
The safety-related parts have different structures (architectures) depending on the purpose of the machine, the degree of hazard, the scale of the machinery and its frequency of use, in spite of the common purpose of securing safety. Take the example of a space for sheltering from rain and wind (Fig. 1): there are different types of spaces, such as tents, wooden houses or office buildings, with varying basic structures including foundations, skeletons, external walls or roofs. Such a basic structural pattern in the safety-related parts is called a designated architecture, which is the basic form for each category. Each category has its own structural requirements to be met.
The dangerous failure rate required of the safety-related parts differs between the categories.

Category B
General guideline of requirements:
What is required of the safety-related parts in category B is that the target safety function can be achieved. For this, the parts used must withstand the stresses of the usage environment, as follows:
• Expected operating stress, such as the reliability of the breaking capacity and the frequency of breaking
• Chemical influence (example: corrosion by chemicals)
• Other external factors (example: mechanical vibration, electromagnetic noise, interruption of or fluctuation in the control power supply)
Essentially, the parts are to be selected in conformity with the standard best suited to the purpose.
Note: Resistance to external factors is subject to the relevant standard.
It is necessary to design the circ uit and assemble it based on the basic safety principles, as exemplified by selecting an NC contact so that the output turns off when a wire is disconnected.
Category B is a single-channel system in nature, so the safety function is lost when a failure occurs. Category B has no diagnostic coverage (DCavg = 0%), and CCF is not applied. PL is determined by the channel MTTFd.
The maximum PL achievable in category B is PL = b.
Applicable designated architecture (categories B and 1):
  Input signal -> I -> L -> O -> Output signal
  I: input device (e.g., sensor); L: logical operation device; O: output device (e.g., contactor)
  Note: The block diagram represents a conceptual view of the channel flow; the number of blocks may differ from the actual electrical circuit diagram. For example, in category B and in category 1 there are cases where only an input device (I) and an output device (O) are used without a logical operation device (L). On the other hand, there are also cases where three or more blocks are used.

Category 1
General guideline of requirements:
What is required of the safety-related parts in category 1 is high reliability in addition to the achievable safety function. So the structure of the safety-related parts must be designed and assembled based on well-tried safety principles using well-tried components, in addition to the category B requirements.
Well-tried components are either of the following (see ISO 13849-2 for details):
a) Widely used in similar applications in the past with a proven track record. (Parts composed of complicated electronic components, such as a general-purpose PLC, are not eligible on the basis of track record.)
b) Conformity with the safety-related usage and the reliability have been verified.
In category 1, as in category B, the system is single-channel in nature and the safety function is lost when a failure occurs. There is no diagnostic coverage (DCavg = 0%), and CCF is not applied. However, since MTTFd is higher than in category B, the safety function is less likely to be lost than in category B.
The maximum PL achievable in category 1 is PL = c.
Note: "Well-tried components" and "fault exclusion" in Section 9. Basic Safety Principles for Risk Reduction in the Failure (in the event of a fault) in Chapter 5 should be clearly distinguished.

Category General guideline of requirements Applicable designated architecture


What is required in the safety-related parts in category 2 is to make
up for the possible impairment of the safety function caused by the
Technical Guide

dangerous failure with the supplementary checkup. To achieve this,


it is necessary to be able to perform design and assembly based
on the well-tried safety principles in addition to the requirements
in category B and the checkup function in the machinery control
system being capable of checking the safety function in appropriate
intervals.
Chap. 1

The checkup function is composed of the test equipment (TE) and


the output device (OTE). Following requirements are observed for
checking the safety function. Input signal Output signal
• Check shall be performed on the occasion of the following: I L O
- On starting up the machine
Chap. 2

- Before the occurrence of the hazardous situation (for example,


m
before a new cycle start or periodically if required during
2 operation)
• Result of a checkup TE OTE
Chap. 3

- Operation shall be approved when no failure is detected Output signal


- If the failure is found, feed the controlled output of the failure
m :Monitoring
safely. If the output is disabled (e.g., in case of dangerous failure TE :Test equipment
due to a welded contactor), the alarm shall be made to output.
Chap. 4

OTE :Check result output


The current status shall be retained until the failure is removed.
• Hazardous situation shall not be caused by the check itself
(such as increased response time for safety function)
Chap. 5

The safety function may be impaired by the failure between checks


in category 2.
Maximum PL achievable in the category 2 is PL = d.
Note: In ISO 13849-1: 2006, category 2 is handled as redundant system.
Chap. 6

MTTFd is, however, evaluated for the safety main channels of I, L and O
and the check device TE only and not for OTE. DCavg is evaluated only
for I, L and O only.
Category 3
What is required of the safety-related parts in category 3 is that a single fault in any part of the safety-related parts does not lead to loss of the safety function.
So, in addition to the requirements of category B, the parts must be designed and assembled according to well-tried safety principles and must have the means to detect faults in the safety function; whenever reasonably practicable, a single fault shall be detected at or before the next demand on the safety function.
The safety function is maintained by redundant safety channels (two channels), interlocking based on the feedback from each device, and cross-monitoring between the channels.
The safety function is not compromised by a single fault, but it could be lost by an accumulation of undetected faults.
Maximum PL achievable in category 3 is PL = e.
Designated architecture (category 3): two channels, input signal → I1 → L1 → O1 → output signal and input signal → I2 → L2 → O2 → output signal, each with monitoring (m) and with cross-monitoring (C) between L1 and L2.
  m: monitoring, C: cross-monitoring
Category 4
What is required of the safety-related parts in category 4 is that the safety function is not lost even by an accumulation of faults in the safety function.
So, in addition to the requirements of category B, the parts must be designed and assembled according to well-tried safety principles and must have the means to detect faults in the safety function; a single fault shall be detected at or before the next demand on the safety function.
The configuration of the safety function is the same as in category 3, but category 4 requires a higher level of fault detection. A higher DCavg makes loss of the safety function through an accumulation of faults less likely.
Achievable PL in category 4 is PL = e.
Designated architecture (category 4): the same two-channel structure as category 3 (I1 → L1 → O1 and I2 → L2 → O2, monitoring m, cross-monitoring C), with higher diagnostic coverage.
  m: monitoring, C: cross-monitoring
Note: Categories 3 and 4 are both redundant structures; the only differences are the DCavg and the MTTFd required for each channel.
** Complex structures that do not fit these block diagrams, such as three or more input channels combined by majority voting, cannot be handled by ISO 13849-1. In that case another standard such as IEC 62061 must be used.

(2) MTTFd (Mean Time to Dangerous Failure)

This section describes the mean time until the safety-related parts suffer a dangerous failure, expressed as "MTTFd".

1) Concept of MTTFd
For example ...
Fig. 2: Parts comprised in a building and failure expectancy period
  Tent: parts/materials aluminum pipe and pegs; frequency of use once or twice a year
  Wooden house: parts/materials wood; frequency of use 24 hrs, 365 days
  Office building: parts/materials H-shaped steel; frequency of use 8 hrs/day, 200 days/year
  (For each building type the figure shows durable years, frequency of use and the resulting failure expectancy period.)

Tents, wooden houses and office buildings serve the same function in terms of weatherproofness. Each building has its own life expectancy, which differs according to the type of building.
Each structural element of a building (see Fig. 2), e.g. a tent pole, a wooden house beam or the steel frame of an office building, has an inherent failure rate given by its material. Even when the element is replaced at a fixed interval, its weatherproof service time varies with how often it is used. The same is true of the control devices in the safety-related parts.
MTTFd is the expected time until a dangerous failure, not the service life of the part.

2) Layers of MTTFd
Take, for example, the block diagram used in Section 5, Safety-related Parts PL Evaluation Procedure, in Chapter 5. If a device has already been evaluated as a subsystem with its own PL, it is excluded from this calculation; for details see Section 8, PL Evaluation, in Chapter 5.
Each box in the block diagram represents a single part (block) with its own MTTFd. Where several blocks are in the same channel, their MTTFd values are combined into the MTTFd of the channel. Where two channels are used (category 3 and category 4), the two channel values are combined again to yield the MTTFd of the whole subsystem built from the single parts.
Block diagram (subsystem SB, channels CH, blocks BL):
  Channel 1: I1 emergency stop switch (NC contact) → O1 contactor
  Channel 2: I2 emergency stop switch (NC contact) → O2 contactor
3) Discrete component (block) MTTFd
Assign an MTTFd value to each box in the expanded block diagram.
MTTFd for a block (BL) is obtained with one of the following options, in this order of preference:
1. Use the data supplied by the part manufacturer.
2. If manufacturer data are not available, use the data given in Annex C of ISO 13849-1:2006.
3. If no data are available at all, assume MTTFd = 10 years.
For parts that operate only on demand, such as switches and relays, or parts that wear with each operation, the dangerous failure rate depends on the number of operations. For such parts the data are given as B10d.
B10d: the number of operations until 10% of the parts have failed dangerously.
The MTTFd of such a discrete component is obtained from B10d and the mean number of operations per year (nop):

(Formula 1)  $\mathrm{MTTF_d} = \dfrac{B_{10d}}{0.1 \times n_{op}}$

nop: total number of operations per year in the intended application (units: cycles/year), obtained as follows:

(Formula 2)  $n_{op} = \dfrac{d_{op} \times h_{op} \times 3600}{t_{cycle}}$

tcycle: average time between two successive cycles of operation (units: seconds/cycle)
hop: operating time per day (units: hours/day)
dop: operating days per year (units: days/year)
The machine designer must therefore know how often the safety function is demanded.

4) MTTFd of channel
Once MTTFd has been assigned to all blocks, MTTFd is calculated per channel (CH). The blocks in one channel are combined by the reciprocal-sum formula below (the "parts count" method; note that this is not an average: the channel value is always lower than the lowest block value):

(Formula 3)  $\dfrac{1}{\mathrm{MTTF_{d,CH}}} = \sum_{i=1}^{N} \dfrac{1}{\mathrm{MTTF_{d,BL}}_i}$

The designated architectures of category 3 and category 4 have two channels, and the calculation is required for each channel.

5) MTTFd of subsystem
If MTTFd differs between channel 1 and channel 2, the two values are combined at the subsystem (SB) level:

(Formula 4)  $\mathrm{MTTF_{d,SB}} = \dfrac{2}{3}\left[\mathrm{MTTF_{d,CH1}} + \mathrm{MTTF_{d,CH2}} - \dfrac{1}{\dfrac{1}{\mathrm{MTTF_{d,CH1}}} + \dfrac{1}{\mathrm{MTTF_{d,CH2}}}}\right]$

If, however, MTTFd is identical in channel 1 and channel 2, the channel value from Formula 3 is used directly as the MTTFd of the subsystem (Formula 4 gives the same result in that case). The subsystem MTTFd is limited to a maximum of 100 years.

Reference: What is Mission Time?
Parts have their own inherent failure rate, and the failure rate of a mechanical part rises steeply at some point because of fatigue or ageing. The same is true of the dangerous failure rate. The characteristics during that rapidly changing period cannot be used for the evaluation of MTTFd. The dangerous failure rate is therefore assumed to be constant, on the premise that the part is replaced with an identical part at the designated usage period used to determine its MTTFd. This period is called the mission time.
The machine designer shall consider the following with respect to mission time:
(1) The designer shall define the mission time (the intended operating years) of the control system of the machine, or of the machine as a whole.
(2) If T10d of any part used in the control system is shorter than the mission time of the machine, the user must be notified that the part has to be replaced at the T10d interval.
T10d is the time until 10% of the samples have failed dangerously, obtained from:

(Formula 5)  $T_{10d} = \dfrac{B_{10d}}{n_{op}}$
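The following Python script, added here as a worked example and not part of the Omron guide, carries Formulas 1 to 5 through for the two-channel emergency stop subsystem in the block diagram above. The B10d values (100,000 for an emergency stop device independent of the load, 2,000,000 for a contactor at nominal load) are the Annex C typical values quoted in this guide; the shift pattern (200 days/year, 8 hours/day), the cycle time (one actuation every 300 s), the 20-year mission time and all function names are constructed assumptions for the calculation.

```python
"""ISO 13849-1 MTTFd arithmetic for a subsystem of discrete parts (Formulas 1 to 5).

Added example; the B10d numbers are the Annex C values quoted in the guide,
every other value below is a constructed assumption.
"""
from typing import Dict, List, Optional, Sequence

MTTFD_CAP_YEARS = 100.0  # ISO 13849-1:2006 upper limit for a channel/subsystem MTTFd


def nop_per_year(d_op_days: float, h_op_hours: float, t_cycle_s: float) -> float:
    """Formula 2: mean number of operations per year."""
    if t_cycle_s <= 0:
        raise ValueError("t_cycle must be positive")
    return d_op_days * h_op_hours * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """Formula 1: MTTFd (years) of an electromechanical part from B10d and nop."""
    return b10d / (0.1 * nop)


def t10d_years(b10d: float, nop: float) -> float:
    """Formula 5: time until 10 % of the parts have failed dangerously."""
    return b10d / nop


def mttfd_channel(block_mttfds: Sequence[float]) -> float:
    """Formula 3: reciprocal sum over the blocks of one channel."""
    return 1.0 / sum(1.0 / m for m in block_mttfds)


def mttfd_subsystem(ch1: float, ch2: Optional[float] = None) -> float:
    """Formula 4 for two channels (a single-channel subsystem keeps its channel value).

    The result is capped at 100 years as required by ISO 13849-1:2006.
    """
    if ch2 is None:
        value = ch1
    else:
        value = (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))
    return min(value, MTTFD_CAP_YEARS)


def mttfd_class(years: float) -> str:
    """MTTFd bands of ISO 13849-1 (below 3 years is not acceptable)."""
    if years < 3.0:
        return "not acceptable"
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


def parts_due_before_mission_end(parts: Dict[str, float], nop: float,
                                 mission_years: float) -> List[str]:
    """Names of parts whose T10d is shorter than the mission time (user must replace them)."""
    return [name for name, b10d in parts.items() if t10d_years(b10d, nop) < mission_years]


def example_estop_subsystem() -> Dict[str, object]:
    """Two identical channels: e-stop NC contact -> contactor (block diagram above)."""
    # Constructed application profile (assumption, not from the guide):
    nop = nop_per_year(d_op_days=200, h_op_hours=8, t_cycle_s=300)  # 19,200 cycles/year
    # Annex C typical B10d values quoted in the guide:
    parts = {"e-stop device": 100_000.0, "contactor (nominal load)": 2_000_000.0}
    block = {name: mttfd_from_b10d(b10d, nop) for name, b10d in parts.items()}
    channel = mttfd_channel(list(block.values()))
    subsystem = mttfd_subsystem(channel, channel)  # identical channels: equals the channel value
    return {
        "nop": nop,
        "mttfd_estop": block["e-stop device"],
        "mttfd_contactor": block["contactor (nominal load)"],
        "mttfd_channel": channel,
        "mttfd_subsystem": subsystem,
        "class": mttfd_class(subsystem),
        "replace_within_mission": parts_due_before_mission_end(parts, nop, mission_years=20),
    }


if __name__ == "__main__":
    for key, value in example_estop_subsystem().items():
        print(f"{key}: {value}")
```

With this profile the e-stop block comes out at about 52 years and the contactor at about 1,042 years; the channel value of about 49.6 years is dominated by the less reliable block, and because both channels are identical the subsystem value is the same (Formula 4 reproduces it exactly). The mission-time check flags the e-stop device: its T10d of about 5.2 years is shorter than the assumed 20-year mission time, so the user must be told to replace it at that interval.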

Reference: MTTFd or B10d for parts referred to in international standards and their typical values (Source: ISO 13849-1:2006 Annex C)

Component | Well-tried basic safety principles in compliance with ISO 13849-2:2003 | Other related standards | Typical value: MTTFd (years) or B10d (cycles)
Mechanical components | Tables A.1 and A.2 | - | MTTFd = 150
Hydraulic components | Tables C.1 and C.2 | EN 982 | MTTFd = 150
Pneumatic components | Tables B.1 and B.2 | EN 983 | B10d = 20,000,000
Relays and contactor relays with small load (mechanical load) | Tables D.1 and D.2 | EN 50205, IEC 61810, IEC 60947 | B10d = 20,000,000
Relays and contactor relays with maximum load | Tables D.1 and D.2 | EN 50205, IEC 61810, IEC 60947 | B10d = 400,000
Proximity switches with small load (mechanical load) | Tables D.1 and D.2 | IEC 60947, EN 1088 | B10d = 20,000,000
Proximity switches with maximum load | Tables D.1 and D.2 | IEC 60947, EN 1088 | B10d = 400,000
Contactors with small load (mechanical load) | Tables D.1 and D.2 | IEC 60947 | B10d = 20,000,000
Contactors with nominal load | Tables D.1 and D.2 | IEC 60947 | B10d = 2,000,000
Position switches independent of load * | Tables D.1 and D.2 | IEC 60947, EN 1088 | B10d = 20,000,000
Position switches (with separate actuator, guard-locking) independent of load | Tables D.1 and D.2 | IEC 60947, EN 1088 | B10d = 2,000,000
Emergency stop devices independent of the load | Tables D.1 and D.2 | IEC 60947, ISO 13850 | B10d = 100,000
Emergency stop devices with maximum operational demands | Tables D.1 and D.2 | IEC 60947, ISO 13850 | B10d = 6,050
Push buttons (e.g. enabling switches) independent of the load | Tables D.1 and D.2 | IEC 60947 | B10d = 100,000

* Fault exclusion for the direct opening action applies only to the contact-welding failure; in that case the B10d value given refers to the mechanical failure of the switch actuator.

Note 1. For the definition and use of B10d, see Table C.4 in Annex C of ISO 13849-1:2006.
Note 2. B10d is estimated as twice B10 (50% dangerous failures).
Note 3. "Small load" means, for example, 20% of the rated value. (See ISO 13849-2 for details.)
(3) DC (Diagnostic Coverage) and DCavg

Diagnostic coverage (DC) represents the effectiveness of the monitoring of dangerous failures in the safety-related parts; DCavg is the value averaged over the safety-related parts or the whole subsystem.

1) Concept of DC
For example ...
Fig. 3: Effective measures for detecting troubles in advance for maintaining a building
  Tent: preparation before use
  Wooden house: measures as needed (termite extermination, leaking roof repair, etc.)
  Office building: monthly maintenance of the building

Failures of safety-related parts are of two kinds: safe failures and dangerous failures. If the safety-related parts meet their functional requirements and are used appropriately, a safe failure is not a problem. If, however, a dangerous failure occurs, there are two possible situations, depending on whether the failure can be detected (diagnostic function) and an effective measure taken (see Fig. 3) or not. The probability (%) of detecting a dangerous failure and taking an effective measure against it is represented by the DC.
A certain level of DC is required by each category for achieving the PLr needed for the safety function. In the building analogy, for a tent a repair once a year before use would be quite adequate. For a wooden house lived in every day, immediate action is required when termites or a leaking roof are found. For an office building, unless proactive action is taken against possible troubles through periodic maintenance, a serious disaster may occur. The required level of diagnostics therefore depends on the structure.
For further details, see (1) Category in Section 6, Subsystem Configured in Discrete Components, in Chapter 5.

2) Layers of DC
Take, for example, the block diagram used in Section 5, Safety-related Parts PL Evaluation Procedure, in Chapter 5. If a device has already been evaluated as a subsystem with its own PL, it is excluded from this calculation. For further details, see Section 8, PL Evaluation, in Chapter 5.
Each block in the block diagram has its own DC. The DC values of all blocks averaged at the subsystem level are called DCavg (average diagnostic coverage).
Block diagram (subsystem SB, blocks BL):
  Channel 1: I1 emergency stop switch (NC contact) → O1 contactor
  Channel 2: I2 emergency stop switch (NC contact) → O2 contactor
Note: DC and DCavg must be evaluated for the designated architectures of category 2 and above, which have a monitoring capability. The evaluation is not needed for the designated architectures of category B and category 1.

3) DC for a block
Discrete parts (such as switches or contactors) are not usually provided with diagnostic functions of their own. The state of these devices is, however, mostly monitored by the diagnostics of other devices (such as safety controllers). It is therefore necessary for the device designer to determine what constitutes the failure diagnostics of each block by comparing it with the functions of the controller.
Select the relevant DC from Table 1 in Annex E of ISO 13849-1 according to the safety design principles used for the failure diagnostics, and assign the value to each block.
(Figure: a failure of a safety-related part is either safe or dangerous; a dangerous failure is either detectable, i.e. effective measures are taken, or undetectable. DC (%) is the detectable share of the dangerous failures.)

Reference: Evaluating the diagnostic coverage (DC) (Source: ISO 13849-1:2006 Annex E)

Input device
Measure | DC
Cyclic test stimulus by dynamic change of the input signals | 90%
Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts | 99%
Cross monitoring of inputs without dynamic test | 0% to 99%, depending on how often a signal change is done by the application
Cross monitoring of input signals with dynamic test if short circuits are not detectable (for multiple I/O) | 90%
Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitoring of the program flow and detection of static faults and short circuits (for multiple I/O) | 99%
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99%, depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
Fault detection by the process | 0% to 99%, depending on the application; this measure alone is not sufficient for the required performance level "e"!
Monitoring some characteristics of the sensor (response time, range of analogue signals, e.g. electrical resistance, capacitance) | 60%

Logic
Measure | DC
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99%, depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
Simple temporal monitoring of the logic (e.g. timer as watchdog, where trigger points are within the program of the logic) | 60%
Temporal and logical monitoring of the logic by the watchdog, where the test equipment does plausibility checks of the behaviour of the logic | 90%
Start-up self-tests to detect latent faults in parts of the logic (e.g. program and data memories, input/output ports, interfaces) | 90% (depending on the testing technique)
Checking the monitoring device reaction capability (e.g. watchdog) by the main channel at start-up or whenever the safety function is demanded or whenever an external signal demands it, through an input facility | 90%
Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e.g. interlocking circuit implemented by relays | 99%
Invariable memory: signature of one word (8 bit) | 90%
Invariable memory: signature of double word (16 bit) | 99%
Variable memory: RAM test by use of redundant data, e.g. flags, markers, constants, timers and cross comparison of these data | 60%
Variable memory: check for readability and writeability of used data memory cells | 60%
Variable memory: RAM monitoring with modified Hamming code or RAM self-test (e.g. "galpat" or "Abraham") | 99%
Processing unit: self-test by software | 60% to 90%
Processing unit: coded processing | 90% to 99%
Fault detection by the process | 0% to 99%, depending on the application; this measure alone is not sufficient for the required performance level "e"!

Output device
Measure | DC
Monitoring of outputs by one channel without dynamic test | 0% to 99%, depending on how often a signal change is done by the application
Cross monitoring of outputs without dynamic test | 0% to 99%, depending on how often a signal change is done by the application
Cross monitoring of output signals with dynamic test without detection of short circuits (for multiple I/O) | 90%
Cross monitoring of output signals and intermediate results within the logic (L) and temporal and logical software monitoring of the program flow and detection of static faults and short circuits (for multiple I/O) | 99%
Redundant shut-off path with no monitoring of the actuator | 0%
Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | 90%
Redundant shut-off path with monitoring of the actuators by logic and test equipment | 99%
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99%, depending on the application
Fault detection by the process | 0% to 99%, depending on the application; this measure alone is not sufficient for the required performance level "e"!
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%

Note 1. For additional evaluation of the DC, see Tables A.2 to A.15 in IEC 61508-2:2000.
Note 2. If medium or high DC is required for the logic device, a measure with at least 60% DC must be applied to the variable memory, the invariable memory and the processing unit. Measures other than those described in this table are possible.


4) Examples of DC application to discrete parts
The following table shows typical discrete components of safety-related parts and the items of Table 1 in Annex E that apply to them.

Parts | DC (%) | Relevant item in Annex E | Preconditions
Combination of two switches | 99 | Plausibility check (input device) | • At least one of the switches has direct opening action. • Cross-monitoring between the channels is performed by the safety controller, the two switches being actuated by the same guard.* • The combination separately conforms to the requirements of ISO 14119 (interlocking devices associated with guards).
Relays | 99 | Direct monitoring (logic device): monitoring of electromechanical devices by mechanically linked contacts | • Provided with forcibly guided (mechanically linked) contacts. • Fed back to the safety controller and monitored.
Contactor | 99 | Direct monitoring (output device): monitoring of electromechanical devices by mechanically linked contacts | • Provided with a mirror contact. • Fed back to the safety controller and monitored.
* Since the diagnostic function differs from controller to controller, the DC achieved may also differ. For details, contact the manufacturer of the respective control device.
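The two diagnostics in the table above, cross-monitoring of the two switch channels and direct monitoring of the contactors through their mirror contacts (the feedback loop), can be written out as control logic. The Python model below is an added example of that logic and is not Omron code nor the firmware of any particular safety controller; the 500 ms discrepancy window, the 300 ms feedback time-out, the sampled contact states and the class and function names are constructed assumptions. It shows the two behaviours a practitioner relies on for the 99% DC: a fault in one channel is latched before the output can be re-enabled, and a contactor that does not drop out is caught at the next demand.

```python
"""Two-channel input cross-monitoring and contactor feedback (EDM) check.

Added example of the monitoring logic behind the 99 % DC entries above; not
Omron code. Timing limits and contact states are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DISCREPANCY_LIMIT_MS = 500  # assumption: max time the two NC contacts may disagree
EDM_TIMEOUT_MS = 300        # assumption: max time for the feedback loop to confirm drop-out


@dataclass(frozen=True)
class Sample:
    t_ms: int
    ch1_closed: bool       # NC contact of switch 1 (closed = safety function not demanded)
    ch2_closed: bool       # NC contact of switch 2
    feedback_closed: bool  # mirror contacts of both contactors in series: closed = both dropped out


class SafetyMonitor:
    """Models the part of a safety controller that diagnoses the I and O blocks."""

    def __init__(self) -> None:
        self.fault: Optional[str] = None   # latched until reset (reset not modelled)
        self.output_enabled = False
        self._discrepancy_since: Optional[int] = None
        self._feedback_open_since: Optional[int] = None

    def step(self, s: Sample) -> bool:
        """Process one input sample; return whether the output is enabled afterwards."""
        if self.fault is not None:
            return False

        # Cross-monitoring of the inputs: both NC contacts must change state together.
        # A welded contact or a broken wire in one channel shows up as a lasting discrepancy.
        if s.ch1_closed != s.ch2_closed:
            if self._discrepancy_since is None:
                self._discrepancy_since = s.t_ms
            elif s.t_ms - self._discrepancy_since > DISCREPANCY_LIMIT_MS:
                return self._latch("input channel discrepancy")
        else:
            self._discrepancy_since = None

        # Any open contact is a demand: switch the output off at once.
        demand = not (s.ch1_closed and s.ch2_closed)
        if demand:
            self.output_enabled = False

        if self.output_enabled:
            self._feedback_open_since = None   # contactors pulled in; an open loop is normal
            return True

        # Output is off: direct monitoring of the contactors through their mirror
        # contacts. The loop must close within the time-out, otherwise a contactor
        # has not dropped out (welded main contact) and a fault is latched.
        if s.feedback_closed:
            self._feedback_open_since = None
            if not demand:
                self.output_enabled = True   # re-enable only with proven drop-out
        else:
            if self._feedback_open_since is None:
                self._feedback_open_since = s.t_ms
            elif s.t_ms - self._feedback_open_since > EDM_TIMEOUT_MS:
                return self._latch("feedback loop open after drop-out: contactor welded?")
        return self.output_enabled

    def _latch(self, reason: str) -> bool:
        self.fault = reason
        self.output_enabled = False
        return False


def run(samples: Sequence[Sample]) -> Tuple[Optional[str], List[bool]]:
    """Feed a sample sequence through a fresh monitor; return (latched fault, enable trace)."""
    monitor = SafetyMonitor()
    trace = [monitor.step(s) for s in samples]
    return monitor.fault, trace


# Constructed sample sequences (time in ms, ch1, ch2, feedback loop).
NORMAL_CYCLE = [
    Sample(0, True, True, True),        # start-up: both contactors dropped out -> enable
    Sample(100, True, True, False),     # contactors pulled in; feedback loop opens (normal)
    Sample(1000, False, False, False),  # e-stop pressed: both channels open
    Sample(1100, False, False, True),   # both contactors dropped out within 100 ms
    Sample(3000, True, True, True),     # e-stop released: restart permitted
]
WELDED_CONTACTOR = [
    Sample(0, True, True, True),
    Sample(100, True, True, False),
    Sample(1000, False, False, False),  # e-stop pressed ...
    Sample(1200, False, False, False),  # ... but the feedback loop never closes
    Sample(1400, False, False, False),  # > 300 ms: fault latched
    Sample(3000, True, True, False),    # releasing the e-stop does not re-enable the output
]
SINGLE_CHANNEL_FAULT = [
    Sample(0, True, True, True),
    Sample(100, True, True, False),
    Sample(1000, False, True, False),   # only channel 1 opens (channel 2 welded or bridged)
    Sample(1200, False, True, True),    # output already off, contactors dropped out
    Sample(1600, False, True, True),    # discrepancy > 500 ms: fault latched
]

if __name__ == "__main__":
    for name, seq in [("normal", NORMAL_CYCLE), ("welded", WELDED_CONTACTOR),
                      ("single channel", SINGLE_CHANNEL_FAULT)]:
        print(name, run(seq))
```

Note that in the single-channel case the output is already off from the first discrepant sample: one open contact is enough to stop, and the discrepancy time-out only decides whether a restart is allowed. That ordering (safe reaction first, diagnosis second) is what keeps the check itself from creating a hazard.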

5) DCavg in subsystem
Average the DC values of all blocks (BL) comprising the subsystem (SB) to obtain DCavg:

(Formula 6)  $\mathrm{DC_{avg}} = \dfrac{\sum_{i=1}^{N} \dfrac{\mathrm{DC}_i}{\mathrm{MTTF_{d}}_i}}{\sum_{i=1}^{N} \dfrac{1}{\mathrm{MTTF_{d}}_i}}$

DCavg is thus weighted by the MTTFd of each block. This can be pictured as a bar chart in which each block BL1 ... BL4 is drawn with a height of 1/MTTFd,BL and split into a detectable and an undetectable part according to its DC (0% ... 60% ... 90% ... 100%); DCavg is the shaded (detectable) area divided by the total area. A block with a smaller MTTFd (less reliable) therefore has a larger influence on DCavg.

(4) CCF (Common Cause Failure)

Common cause failure (CCF), as a PL parameter, expresses the tolerance against simultaneous failure of the channels in a designated architecture of two or more channels (including category 2).

Concept of CCF
CCF is evaluated by the device designer using a score based on the design margins in the specifications, the placement of parts on the actual device, wiring practice and so on; it is not evaluated on the block diagram.
The score depends on how effectively the safety principles that eliminate common causes have been applied. The design items to consider are standardized in check-sheet form in Table F.1 of Annex F of ISO 13849-1. Tick the relevant items and add up the score, then check whether the total reaches 65 points. A CCF score of 65 points or more is required for the redundant designated architectures of category 2 and above. For details of the categories, see (1) Category in Section 6, Subsystem Configured in Discrete Components, in Chapter 5.
Common cause failure (CCF) is generally a term describing the failure mode in which several systems are impaired by one common cause, but as a PL parameter it is used to represent the level of tolerance against simultaneous failure of the channels.
CCF is, as it were, a reliability index of the engineering management applied to the design and construction of the safety-related parts. This is similar to the ground on which a building stands: even a strong building erected on weak ground is liable to collapse (Figure: solid ground versus loose ground).
Table F.1 in Annex F in ISO 13849-1 (Source: Annex F in ISO 13849-1:2006)

No. | Measures against common cause failures (CCF) | Score
1 | Separation/segregation: physical separation between the signal paths, for example separation of wiring/piping, sufficient creepage and clearance on printed circuit boards | 15
2 | Diversity: using different technologies/designs or physical principles, for example first channel programmable electronic and second channel hardwired; different type of initiation; pressure and temperature; measuring distance and pressure; digital and analogue; components supplied from different manufacturers | 20
3 | Design/application/experience |
3.1 | Protection against overvoltage, overpressure, overcurrent, etc. | 15
3.2 | Using well-tried components | 5
4 | Assessment/analysis: have the results of a failure mode and effects analysis been considered in order to avoid common cause failures in the design? | 5
5 | Competence/training: have designers/maintainers been trained to understand the causes and consequences of common cause failures? | 5
6 | Environment |
6.1 | Prevention of contamination and electromagnetic compatibility (EMC) against CCF in compliance with the respective standards. Fluid systems: filtering of the pressure medium, prevention of dirt intake, drainage of compressed air, for example in compliance with the requirements of the manufacturer responsible for the purity of the medium. Electrical systems: has the system been tested for electromagnetic compatibility, for example as specified against CCF in the respective standards? For combined fluid and electrical systems, both requirements should be considered. | 25
6.2 | Other influences: have all requirements for immunity against all relevant environmental factors such as temperature, shock, vibration, humidity (for example as stipulated in the respective standards) been considered? | 10
 | Total [maximum 100] |

Total score | Measures to prevent common cause failures
65 or more | Requirements fulfilled
Less than 65 | Process failed; choose additional measures

(5) PFHd (Probability of Dangerous Failure per Hour)

1) What is PFHd?
PFHd is a parameter derived from the functional-safety view. It is a very small number: the expected number of dangerous failures (probability of dangerous failure) per hour of a given device.
The reliability (dangerous failure rate) of the safety-related parts is obtained as the sum of the PFHd of all the subsystems they comprise. The technical report ISO/TR 23849, a guidance document for ISO 13849-1, confirms that the reliability data evaluated for dangerous failure under IEC 62061 (functional safety) may be used as PL assessment parameters, and the PFHd of a subsystem made of discrete parts can be obtained by conversion from the four parameters category, MTTFd, DCavg and CCF.

2) Conversion into PFHd
For conversion of category, MTTFd, DCavg and CCF into PFHd, Table K.1 in Annex K of ISO 13849-1 is used.
As shown in the table below, PFHd is given as a decimal number with mantissa and exponent (per hour).
Source: ISO 13849-1:2006, Annex K, Table K.1

Column conditions:
  Category B and 1: DCavg none, CCF not relevant.
  Category 2 and 3: DCavg low (60 ≤ DCavg < 90) or medium (90 ≤ DCavg < 99), CCF score 65 or more.
  Category 4: DCavg high (99 ≤ DCavg), CCF score 65 or more.
  A "-" cell means that the combination is not a valid designated architecture.

MTTFd class | MTTFd (years) | Cat. B | Cat. 1 | Cat. 2 Low | Cat. 2 Medium | Cat. 3 Low | Cat. 3 Medium | Cat. 4 High
Low | 3 ≤ MTTFd | 3.80×10^-5 | - | 2.58×10^-5 | 1.99×10^-5 | 1.26×10^-5 | 6.09×10^-6 | -
Low | 3.3 ≤ MTTFd | 3.46×10^-5 | - | 2.33×10^-5 | 1.79×10^-5 | 1.13×10^-5 | 5.41×10^-6 | -
Low | 3.6 ≤ MTTFd | 3.17×10^-5 | - | 2.13×10^-5 | 1.62×10^-5 | 1.03×10^-5 | 4.86×10^-6 | -
Low | 3.9 ≤ MTTFd | 2.93×10^-5 | - | 1.95×10^-5 | 1.48×10^-5 | 9.37×10^-6 | 4.40×10^-6 | -
Low | 4.3 ≤ MTTFd | 2.65×10^-5 | - | 1.76×10^-5 | 1.33×10^-5 | 8.39×10^-6 | 3.89×10^-6 | -
Low | 4.7 ≤ MTTFd | 2.43×10^-5 | - | 1.60×10^-5 | 1.20×10^-5 | 7.58×10^-6 | 3.48×10^-6 | -
Low | 5.1 ≤ MTTFd | 2.24×10^-5 | - | 1.47×10^-5 | 1.10×10^-5 | 6.91×10^-6 | 3.15×10^-6 | -
Low | 5.6 ≤ MTTFd | 2.04×10^-5 | - | 1.33×10^-5 | 9.87×10^-6 | 6.21×10^-6 | 2.80×10^-6 | -
Low | 6.2 ≤ MTTFd | 1.84×10^-5 | - | 1.19×10^-5 | 8.80×10^-6 | 5.53×10^-6 | 2.47×10^-6 | -
Low | 6.8 ≤ MTTFd | 1.68×10^-5 | - | 1.08×10^-5 | 7.93×10^-6 | 4.98×10^-6 | 2.20×10^-6 | -
Low | 7.5 ≤ MTTFd | 1.52×10^-5 | - | 9.75×10^-6 | 7.10×10^-6 | 4.45×10^-6 | 1.95×10^-6 | -
Low | 8.2 ≤ MTTFd | 1.39×10^-5 | - | 8.87×10^-6 | 6.43×10^-6 | 4.02×10^-6 | 1.74×10^-6 | -
Low | 9.1 ≤ MTTFd | 1.25×10^-5 | - | 7.94×10^-6 | 5.71×10^-6 | 3.57×10^-6 | 1.53×10^-6 | -
Medium | 10 ≤ MTTFd | 1.14×10^-5 | - | 7.18×10^-6 | 5.14×10^-6 | 3.21×10^-6 | 1.36×10^-6 | -
Medium | 11 ≤ MTTFd | 1.04×10^-5 | - | 6.44×10^-6 | 4.53×10^-6 | 2.81×10^-6 | 1.18×10^-6 | -
Medium | 12 ≤ MTTFd | 9.51×10^-6 | - | 5.84×10^-6 | 4.04×10^-6 | 2.49×10^-6 | 1.04×10^-6 | -
Medium | 13 ≤ MTTFd | 8.78×10^-6 | - | 5.33×10^-6 | 3.64×10^-6 | 2.23×10^-6 | 9.21×10^-7 | -
Medium | 15 ≤ MTTFd | 7.61×10^-6 | - | 4.53×10^-6 | 3.01×10^-6 | 1.82×10^-6 | 7.44×10^-7 | -
Medium | 16 ≤ MTTFd | 7.13×10^-6 | - | 4.21×10^-6 | 2.77×10^-6 | 1.67×10^-6 | 6.76×10^-7 | -
Medium | 18 ≤ MTTFd | 6.34×10^-6 | - | 3.68×10^-6 | 2.37×10^-6 | 1.41×10^-6 | 5.67×10^-7 | -
Medium | 20 ≤ MTTFd | 5.71×10^-6 | - | 3.26×10^-6 | 2.06×10^-6 | 1.22×10^-6 | 4.85×10^-7 | -
Medium | 22 ≤ MTTFd | 5.19×10^-6 | - | 2.93×10^-6 | 1.82×10^-6 | 1.07×10^-6 | 4.21×10^-7 | -
Medium | 24 ≤ MTTFd | 4.76×10^-6 | - | 2.65×10^-6 | 1.62×10^-6 | 9.47×10^-7 | 3.70×10^-7 | -
Medium | 27 ≤ MTTFd | 4.23×10^-6 | - | 2.32×10^-6 | 1.39×10^-6 | 8.04×10^-7 | 3.10×10^-7 | -
High | 30 ≤ MTTFd | - | 3.80×10^-6 | 2.06×10^-6 | 1.21×10^-6 | 6.94×10^-7 | 2.65×10^-7 | 9.54×10^-8
High | 33 ≤ MTTFd | - | 3.46×10^-6 | 1.85×10^-6 | 1.06×10^-6 | 5.94×10^-7 | 2.30×10^-7 | 8.57×10^-8
High | 36 ≤ MTTFd | - | 3.17×10^-6 | 1.67×10^-6 | 9.39×10^-7 | 5.16×10^-7 | 2.01×10^-7 | 7.77×10^-8
High | 39 ≤ MTTFd | - | 2.93×10^-6 | 1.53×10^-6 | 8.40×10^-7 | 4.53×10^-7 | 1.78×10^-7 | 7.11×10^-8
High | 43 ≤ MTTFd | - | 2.65×10^-6 | 1.37×10^-6 | 7.34×10^-7 | 3.87×10^-7 | 1.54×10^-7 | 6.37×10^-8
High | 47 ≤ MTTFd | - | 2.43×10^-6 | 1.24×10^-6 | 6.49×10^-7 | 3.35×10^-7 | 1.34×10^-7 | 5.76×10^-8
High | 51 ≤ MTTFd | - | 2.24×10^-6 | 1.13×10^-6 | 5.80×10^-7 | 2.93×10^-7 | 1.19×10^-7 | 5.26×10^-8
High | 56 ≤ MTTFd | - | 2.04×10^-6 | 1.02×10^-6 | 5.10×10^-7 | 2.52×10^-7 | 1.03×10^-7 | 4.73×10^-8
High | 62 ≤ MTTFd | - | 1.84×10^-6 | 9.06×10^-7 | 4.43×10^-7 | 2.13×10^-7 | 8.84×10^-8 | 4.22×10^-8
High | 68 ≤ MTTFd | - | 1.68×10^-6 | 8.17×10^-7 | 3.90×10^-7 | 1.84×10^-7 | 7.68×10^-8 | 3.80×10^-8
High | 75 ≤ MTTFd | - | 1.52×10^-6 | 7.31×10^-7 | 3.40×10^-7 | 1.57×10^-7 | 6.62×10^-8 | 3.41×10^-8
High | 82 ≤ MTTFd | - | 1.39×10^-6 | 6.61×10^-7 | 3.01×10^-7 | 1.35×10^-7 | 5.79×10^-8 | 3.08×10^-8
High | 91 ≤ MTTFd | - | 1.25×10^-6 | 5.88×10^-7 | 2.61×10^-7 | 1.14×10^-7 | 4.94×10^-8 | 2.74×10^-8
High | 100 ≤ MTTFd | - | 1.14×10^-6 | 5.28×10^-7 | 2.29×10^-7 | 1.01×10^-7 | 4.29×10^-8 | 2.47×10^-8

How to use Table K.1 in Annex K in ISO 13849-1

A conversion example into PFHd is shown below.

PL parameter | Usage (example)
Category | Determined by the designated architecture (configuration of I, L and O): category B/1 is a single channel I → L → O; category 2 adds the test equipment TE and its output OTE to that channel; category 3/4 is two channels I1 → L1 → O1 and I2 → L2 → O2 with monitoring (m) and cross-monitoring (C). In the example the designated architecture corresponds to category 3.
MTTFd | (1) Component block: 1. use the MTTFd provided by the manufacturer; 2. use the MTTFd specified in Annex C; 3. when B10d is provided, convert it to MTTFd with $\mathrm{MTTF_d} = B_{10d} / (0.1 \times n_{op})$ (the machine designer must know nop for the application). (2) Channel: combine the blocks of each channel. (3) Entire subsystem: if the channel 1 and channel 2 MTTFd are equal, use the channel value as the MTTFd of the subsystem; otherwise combine the two channel values with Formula 4. The MTTFd of the subsystem is limited to 100 years. In the example the subsystem calculation result is 40 years.
DCavg | (1) Component block: select the relevant DC from Table 1 in Annex E. (2) Subsystem: calculate DCavg from the block DC and MTTFd values. In the example the subsystem calculation result is 80%.
CCF | The score in the checklist of Annex F must be 65 or more. In the example the checklist score is 75.

Applying the example to Table K.1:
- Select the category 3 columns (the designated architecture corresponds to category 3).
- Within category 3, select the column for 60 ≤ DCavg < 90, since DCavg = 80% is in the "low" class.
- Confirm that the CCF requirement 65 ≤ CCF is met (score 75).
- Read the row for the subsystem MTTFd of 40 years (39 ≤ MTTFd): PFHd = 4.53×10^-7 per hour.
In the annotated copy of Table K.1 each PFHd cell is marked with the PL it corresponds to: a for 10^-5 ≤ PFHd < 10^-4, b for 3×10^-6 ≤ PFHd < 10^-5, c for 10^-6 ≤ PFHd < 3×10^-6, d for 10^-7 ≤ PFHd < 10^-6 and e for 10^-8 ≤ PFHd < 10^-7. The example value 4.53×10^-7 therefore corresponds to PL d.
10-77 d 2.30
2 30×10
10-77 e 8.57×10-8
36≤MTTFd b 3.17
3 17×10
10 -6
6
c 1
1.67
67×10
10 -6
6
d 9
9.39
39×10
10 -7
7
d 5.16
5 16×10
10 -7
7
d 2
2.01
01×10
10 -7
7
e 7
7.77
77×10-88
39≤MTTFd c 2.93
2 93×10
10-66 c 1.53
1 53×10
10-66 d 8.40
8 40×10
10-77 d 4.53×10-7 d 1.78
1 78×10
10-77 e 7.11×10-8
43≤MTTFd c 2.65
2 65×10
10 -6
6
c 1
1.37
37×10
10 -6
6
d 7
7.34
34×10
10 -7
7
d 3.87
3 87×10
10 -7
7
d 1
1.54
54×10
10 -7
7
e 6
6.37
37×10-8
47≤MTTFd c 2.43
2 43×10
10-66 c 1.24
1 24×10
10-66 d 6.49
6 49×10
10-77 d 3.35
3 35×10
10-77 d 1.34
1 34×10
10-77 e 5.76×10-8
51≤MTTFd c 2.24
2 24×10
Domain 10 -6
6
c 1.13
1 13×10
equivalent 10 -6
6
d 5.80
5 80×10
10 -7
7
d 2.93
2 93×10
10 -7
7 Crossed
d 1.19
1 19×10
10 portion
e 5.26×10
-7
7 -8

High
56≤MTTFd to
c 39
2 04≤×10
2.04 MTTFd
10 -6
6
c<1.02
143
02×10
10-66 d 5.10
5 10×10
10 -7
7
d 2.52
2 52×10
10 -7
7
represents
d 1.03
1 03×10
10 e 4.73×10
-7
7 -8

selected
62≤MTTFd c 1.84
1 84×10
10-66 d 9.06
9 06×10
10-77 d 4.43
4 43×10
10-77 d 2.13
2 13×10
10-77
PL and
e 8.84
8 84×10
10
PFHd
e 4.22×10
-8
8 -8

68≤MTTFd c 1.68
1 68×10
10 -6
6
d 8.17
8 17×10
10 -7
7
d 3.90
3 90×10
10 -7
7
d 1.84
1 84×10
10 -7
7
e 7.68
7 68×10
10 e 3.80×10
-8
8 -8

75≤MTTFd c 1.52
1 52×10
10-66 d 7.31
7 31×10
10-77 d 3.40
3 40×10
10-77 d 1.57
1 57×10
10-77
for this
e 6.62
6 62×10
10
channel
e 3.41×10
-8
8 -8

82≤MTTFd c 1.39
1 39×10
10 -6
6
d 6.61
6 61×10
10 -7
7
d 3.01
3 01×10
10 -7
7
d 1.35
1 35×10
10 -7
7
e 5.79
5 79×10
10 -8
8
e 3.08×10-8
91≤MTTFd c 1.25
1 25×10
10-66 d 5.88
5 88×10
10-77 d 2.61
2 61×10
10-77 d 1.14
1 14×10
10-77 e 4.94
4 94×10
10-88 e 2.74×10-8
100≤MTTFd c 1.14
1 14×10
10 -6
6
d 5.28
5 28×10
10 -7
7
d 2.29
2 29×10
10 -7
7
d 1.01
1 01×10
10 -7
7
e 4.29
4 29×10
10 -8
8
e 2.47×10-8

91
Performance Level

7. Complex Subsystem
The individual subsystem corresponds to the devices cited in 5. Safety-related Parts PL Evaluation Procedure in Chapter 5. The internal hardware structure is represented in the designated architecture. If the reliability of the devices themselves has already been evaluated by ISO 13849-1 and the subsystem category, MTTFd and DCavg data are provided by the control device manufacturer, they are converted into PFHd using Table K.1 in Annex K of ISO 13849-1.

Figure: Safety-related parts (entire system) composed of several subsystems, each with its own input (I), logic (L) and output (O) blocks; one subsystem is shown with TE and OTE blocks.

There are some safety devices with complex electronic circuits which are evaluated based on IEC 62061 or IEC 61508. In that case, the performance of the safety device is evaluated by Safety Integrity Level (SIL). PFHd is also used for SIL evaluation, and the level is subdivided by PFHd exponent as with PL evaluation. There is an equivalency relation between PL and SIL via PFHd. That indicates that the PFHd value data for safety devices certified to IEC 62061 or IEC 61508 can be used straightforwardly for PL evaluation once the data are supplied by the manufacturers.
It is, however, necessary to have met the overall requirements of ISO 13849-1 in addition to those for PFHd. Note that there are some cases where SIL is not compatible with the size of PFHd, depending on the hardware structure, because of the restriction called the SIL claim limit.

Relationship between PL, PFHd and SIL
PL   PFHd mantissa n   Exponent   SIL*
a    10 > n ≥ 1        ×10^-5     Not supported
b    10 > n ≥ 3        ×10^-6     1
c    3 > n ≥ 1         ×10^-6     1
d    10 > n ≥ 1        ×10^-7     2
e    10 > n ≥ 1        ×10^-8     3
* IEC 61508-1, evaluation by high-frequency operation mode

8. PL Evaluation
This section describes the final determination of PL for the safety-related parts by concatenating multiple subsystems.

1) Combination of Subsystems
PL for the entire safety-related parts is evaluated by summation of the dangerous failure rates of all the subsystems. Add the PFHd of the subsystems configured in discrete components and the PFHd of all other complex subsystems.

Figure (source: ISO 13849-1:2006): Entire safety-related parts made of a subsystem configured in discrete components and a complex subsystem. The discrete subsystem has two channels, each with an emergency stop switch (NC contact) as I1/I2, an interlock circuit as L and a contactor as O1/O2; the complex subsystem is a safety controller. Each subsystem is converted into its PFHd (PFHd_SB1, PFHd_SB2) and the values are summed:
PFHd_SRP/CS = PFHd_SB1 + PFHd_SB2

2) PL Estimation
PL for the overall safety-related parts is determined by the exponent of the floating-point value obtained by summing the PFHd of the subsystems.
If the sum of the PFHd is 1.50 × 10^-7, the exponent is the -7th power of 10, indicating that the PL for the entire safety-related parts is d according to the table below.
This completes the PL determination for one safety function system.
Return to 3. Organizing Safety Functions and Hazards in Chapter 5 and repeat the procedure of PL determination for all other safety function systems.
However, if SIL (and the corresponding PL) is found to be restricted by the SIL claim limit in a series of subsystems, there could be cases where the PL for the overall safety-related parts cannot be determined by PFHd alone.

PFHd mantissa n   Exponent   PL
10 > n ≥ 1        10^-5      a
10 > n ≥ 3        10^-6      b
3 > n ≥ 1         10^-6      c
10 > n ≥ 1        10^-7      d
10 > n ≥ 1        10^-8      e

Remark:
To achieve the PL determination, the average dangerous failure rate per hour and other measures are needed.

3) Simplified estimation
If only the PL of a subsystem is declared by the control device manufacturer and detailed PFHd data are not available, the following procedure allows a simplified evaluation of the PL for the entire safety-related parts from the subsystem PLs alone.
This method also allows the PL of the safety-related parts to be evaluated when there is nonconformity between the PL and PFHd values because of the SIL claim limit in the subsystems.

Figure: Demand on the safety function, then Subsystem 1 (PL1), Subsystem 2 (PL2), ..., Subsystem N (PLN), then the risk reduction action with the power control elements.

1. Identify the lowest PL (PLlow) among the subsystems.
2. Identify the number of subsystems (Nlow) having that PLlow.
3. Estimate according to the table below.

PLlow   Nlow        PL
a       4 or more   None
a       Up to 3     a
b       3 or more   a
b       Up to 2     b
c       3 or more   b
c       Up to 2     c
d       4 or more   c
d       Up to 3     d
e       4 or more   d
e       Up to 3     e

With the combination of the following subsystems, for example:
Subsystem1   Subsystem2   Subsystem3   Subsystem4   Subsystem5   Subsystem6
PLe          PLd          PLd          PLd          PLe          PLd

PL   Count (N)
e    2
d    4

PL for the safety-related parts as a whole is PLc.

Note: Calculation methods used
(1) Derive the overall PL from the summation of PFHd for the subsystems.
(2) Derive the overall PL from the count of PLlow for the subsystems.
The above methods do not show the compatibility between ISO 13849-1:2006 and IEC 62061.
The values of PFHd alone do not testify to conformity with ISO 13849-1:2006.
Moreover, the PL determination achieved does not validate conformity with IEC 62061 or IEC 61508.
In addition to PFHd or MTTFd values, confirmation or certification that the parts meet the ISO 13849-1:2006 requirements such as category or CCF is required.
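The two combination methods of this section, summation of the subsystem PFHd (1) and 2)) and the simplified PLlow/Nlow estimation (3)), as an added Python example that is not the guide's own code. It also applies the guide's remark about the SIL claim limit: when a subsystem's declared PL does not agree with the band of its PFHd, or no PFHd is available for it, the evaluation falls back to the simplified method. The subsystem lists, the PLr values and the function names are constructed for this example.

```python
"""PL of the entire safety-related parts from its subsystems (ISO 13849-1)."""

# PL bands of the table above: (PL, lower PFHd bound inclusive, upper bound exclusive)
PL_BANDS = (("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
            ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7))

def pl_from_pfhd(pfhd):
    """PL from the mantissa/exponent bands; None if the value is outside all bands."""
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None

def pl_by_summation(subsystem_pfhds):
    """Method (1): PFHd_SRP/CS = PFHd_SB1 + PFHd_SB2 + ..., then read the PL band."""
    total = sum(subsystem_pfhds)
    return total, pl_from_pfhd(total)

# Simplified estimation table: PLlow -> (Nlow limit, PL when Nlow <= limit, PL when it exceeds)
SIMPLIFIED = {"a": (3, "a", None), "b": (2, "b", "a"), "c": (2, "c", "b"),
              "d": (3, "d", "c"), "e": (3, "e", "d")}

def pl_simplified(subsystem_pls):
    """Method (2): (PLlow, Nlow, PL) from the declared subsystem PLs alone."""
    pl_low = min(subsystem_pls)                 # PL letters sort a < b < c < d < e
    n_low = subsystem_pls.count(pl_low)
    limit, within, over = SIMPLIFIED[pl_low]
    return pl_low, n_low, (within if n_low <= limit else over)

def evaluate(subsystems, pl_r):
    """Choose the applicable method and return the result as a dict.
    subsystems: [(name, PFHd or None, declared PL), ...]; pl_r: required PL.
    Summation is used only when every subsystem has a PFHd whose band agrees with its
    declared PL. A declared PL that differs from the PFHd band (SIL claim limit) or a
    missing PFHd sends the evaluation to the simplified PLlow/Nlow method instead."""
    notes = []
    for name, pfhd, pl in subsystems:
        if pfhd is None:
            notes.append(f"{name}: no PFHd declared")
        elif pl_from_pfhd(pfhd) != pl:
            notes.append(f"{name}: PFHd band {pl_from_pfhd(pfhd)} differs from declared PL {pl}")
    if notes:
        method, total = "simplified PLlow/Nlow estimation", None
        _, _, pl = pl_simplified([pl for _, _, pl in subsystems])
    else:
        method = "PFHd summation"
        total, pl = pl_by_summation([pfhd for _, pfhd, _ in subsystems])
    return {"method": method, "pfhd": total, "pl": pl,
            "meets_plr": pl is not None and pl >= pl_r, "notes": notes}
```

With the guide's six declared subsystems (e, d, d, d, e, d) and no PFHd data, `evaluate` reports the simplified method and PL c, as the text states; with two subsystems of 1.0×10^-7 (d) and 5.0×10^-8 (e) it sums to 1.5×10^-7 and reports PL d. The `notes` list records why the summation could not be used, which is the information a reviewer of the PL determination would ask for.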

9. Basic Safety Principles for Risk Reduction in the Failure
If electric device failures or disturbances cause a hazardous situation and the machines or the work in process are threatened with impairment, necessary actions shall be taken to minimize the jeopardy. This section describes the typical means for minimizing failure risks based on IEC 60204-1.

• Applying the ISO 13849-1 or IEC 62061 requirements
The control circuit should maintain the appropriate safety performance level determined by the risk assessment.
See 2. Relationship between Risk Assessment and PL in Chapter 5.

(1) Description in IEC 60204-1
1) Use of well-tried circuit principles and components
1. Basic circuit configuration in consideration of earth failure
Typical actions taken are shown below.

• Basic circuit configuration
Precautions on configuration for designing the safety circuit of the control system are shown below.
(1) The relay contact in the safety circuit is to be opened by de-energizing the coil.
(2) Connect one line of the safety circuit in the secondary winding of the isolation transformer to earth.
(3) Place all the coils in the safety circuit as close to the earth line as possible for direct connection.
(4) Be sure to attach a fuse to the safety circuit.
Shown below is a basic configuration of the safety circuit with items (1) to (4) included.
Figure: Basic safety circuit configuration (switch, fuse, relay contact, transformer, relay coil; switch line A and coil line B).
If an earth failure occurs on the switch line A, the fuse blows and the path is shut off.
Because the coil line B is earthed, there is no earth failure on it.

• Earth failure example
The safety circuit is not earthed:
Figure: Unearthed safety circuit (fuse, switch, relay contact, transformer, relay coil) with two earth failures.
A switch is bypassed by two earth failures, causing a sudden start or stop of the machine.
The circuit is earthed in the middle of the secondary winding of the transformer of the safety circuit:
Figure: Safety circuit earthed at the middle of the transformer secondary winding (switch, fuse, relay coil, ground failure, relay contact, transformer).
A single earth failure causes the relay coil to keep 50% of the voltage applied, with the possible inability to stop the machine.

2. Measures provided ready to shut off or stop the hazards based on the stoppage principle
For details, see Chapter 1. Safety Secured by De-energizing.

3. Safety regulation certified parts used
Safety regulation certification is one issued by a third-party certification authority such as TÜV.
The certified product is labeled with the certification mark.

4. Safety switch to be used for reliable opening operation

5. Safety-related parts function shall not be impaired by a single power failure
Isolate the power supplies of the power systems from the safety-related parts.
Figure: Power supply disruption causes damage to the entire safety-related parts: a single power supply feeds both the safety-related parts and the power circuit.
Figure: Divide the power supplies: one power supply feeds the safety-related parts and a separate power supply feeds the power circuit.

2) Periodical functional test
Perform the safety-related functional test either automatically via the control system or manually.
Start the test at the beginning of business hours and after a certain period of days. If a failure is detected, be sure not to restart the machine until the cause is clarified.

3) Having the redundancy
Providing partial or overall redundancy would minimize the risk caused by a single failure in the electric circuit.
For example, by combining two or more relays or switches, a circuit function is kept even if a single part encounters a failure, as shown below.
• Example of redundant outputs by using two relays
Figure: Emergency stop switch (ES) and activation switch (GS) in series driving two relay coils K1 and K2.
• Example of redundant inputs by using two contacts
Figure: Emergency stop switch (ES) with switch A and switch B wired from the power supply terminal T11 to input terminal A (T12) and input terminal B (T22) of the safety-related parts.

4) Use of diversity
The same type of devices in a redundant configuration could fail at the same time under the same conditions. Using control circuits of diversified principles or various types of devices or parts could reduce the failure rate due to identical, common causes.
Examples of diverse parts or devices in use are as follows.

1. Operating the movable guard with a combination of NC contact and NO contact
• Example of operating the movable guard with a combination of negative and positive operation switches
Figure: Movable guard monitored by S1 (non-direct mechanical action) and S2 (direct mechanical action) feeding the safety-related parts (I L O); contacts closed when the guard is closed, contacts open when the guard is open.

2. Using different types of control parts in a circuit
• Combination example of active high and active low operation sensors
Erroneous signals could be input into channel 1 and channel 2 by noise on the occasion of a surge. By reversing the logic and phase of the signals into channel 1 and channel 2, noise of the same phase can be eliminated.
Figure: Safety-related parts (I L O) with two input channels. Labels: Wrong start; Started active high; Not started; Started active low; Undetected; Active low start conditions detected (Example: NO contact switch).

3. Redundant configuration by combining electro-mechanical circuits and electronic circuits
• Example of sharing different types of switches
The open/closed state of the guard is detected by two different detection means. A single door switch of key-in type alone could cause an unlocked key to be a common cause failure. If this risk cannot be eliminated, a different type of switch such as a limit switch should be additionally used.
Figure: Tongue actuated interlock switch alone feeding the safety-related parts (I L O), where failure of the tongue affects the detection; tongue actuated interlock switch combined with a limit switch feeding the safety-related parts (I L O).
Note: It is necessary to determine the type of switches or their usage based on the risk assessment results or a Type C standard request.

5) Short circuit protection or its detection
Damage to the wires by crushing, heat, impact or acid could cause branches or short circuits in the wiring.
Providing the safety control circuit with short circuit protection allows these impacts to be detected. Short circuit protection can be achieved under the following conditions.
(1) The safety control circuit shall be provided with two-channel inputs, each with NC contacts.
(2) There shall be a potential difference between the channels.
A short-circuit detection circuit example is shown below.
• Example of short-circuit detection in the 2-channel switch inputs
Figure: Two-channel switch inputs S1 and S2 (NO/NC contacts) wired through fuses F1 and F2 at -VE and +VE potential to terminals T11/T12 and T21/T22 of the safety-related parts (I L O), with power supply (+) and (-) terminals and input terminals A and B; relays K1, K2, K3 and contactors KM1, KM2 switch the load.
Note: Operation is not verified with the circuit example for safety standard certification.

6) Electromagnetic compatibility (EMC)
The circuitry shall have appropriate immunity against electromagnetic interference for proper operation in the intended environment.
• Example for enhancing the EMC
•• Provide an appropriate shield to the path whose impedance is likely to be high (e.g., a cable connecting an external sensor and the controller in the control panel).
•• Change the cable routing to avoid induction. Change the two-channel cable routing to avoid interference from the same noise source.
•• Check the electromagnetic immunity with the EMC test based on IEC 62061 Annex E.
Figure: Noise caused by induction from a circuit producing induction noise (magnetic field, current, load, contactor) coupling into the cable of the safety-related parts (I L O); the countermeasures shown are a shield and a changed cable routing to avoid the induction.
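Conditions (1) and (2) of 5) as an added behavioural model in Python; it is not the guide's circuit and not an electrical simulation. Two NC channels are read with either the same potential on both wires or a potential difference between them, and a constructed sequence of events with a crushed cable shows which variant makes the short visible. The class and function names, the single-fuse model, the rule that a terminal is energized only by its own channel's potential and the event sequence are assumptions of this example.

```python
"""Effect of a potential difference between two NC input channels on short-circuit detection."""
from dataclasses import dataclass

@dataclass
class TwoChannelInput:
    """Two NC switch channels wired to input terminals A and B of the safety-related parts.
    Assumption: a terminal counts as energized only when it sees its own channel's
    potential, and the switch supply paths share one fuse (the short-circuit protection)."""
    potential_a: str            # "+VE" or "-VE"
    potential_b: str
    fuse_ok: bool = True

    def read(self, sw_a_closed, sw_b_closed, wires_shorted):
        """(terminal A energized, terminal B energized) for the given switch states,
        with or without the two channel wires being shorted together."""
        if not self.fuse_ok:
            return False, False
        if not wires_shorted:
            return sw_a_closed, sw_b_closed
        if self.potential_a != self.potential_b:
            if sw_a_closed and sw_b_closed:
                # +VE is tied to -VE through the short: the fault current blows the fuse,
                # both terminals drop out and the short is revealed at once.
                self.fuse_ok = False
                return False, False
            # The foreign potential reaching a terminal through the short does not
            # energize it, so each terminal still follows only its own switch.
            return sw_a_closed, sw_b_closed
        # Same potential on both wires: the short only ties them together, so either
        # closed switch energizes both terminals and nothing reveals the short.
        either = sw_a_closed or sw_b_closed
        return either, either

def evaluate(terminal_a, terminal_b):
    """Two-channel evaluation in the logic block: RUN only with both channels energized,
    STOP when both are de-energized, FAULT on a discrepancy between the channels."""
    if terminal_a and terminal_b:
        return "RUN"
    if not terminal_a and not terminal_b:
        return "STOP"
    return "FAULT"

# Constructed event sequence: (description, switch A closed, switch B closed, wires shorted)
SCENARIO = [
    ("guard closed, healthy wiring", True, True, False),
    ("guard closed, channel wires crushed together", True, True, True),
    ("guard opened while switch B is stuck closed", False, True, True),
]

def run_scenario(circuit):
    """[(description, logic state, fuse blown), ...] for the event sequence."""
    results = []
    for description, a, b, shorted in SCENARIO:
        ta, tb = circuit.read(a, b, shorted)
        results.append((description, evaluate(ta, tb), not circuit.fuse_ok))
    return results

if __name__ == "__main__":
    for label, circuit in (("same potential", TwoChannelInput("+VE", "+VE")),
                           ("potential difference", TwoChannelInput("+VE", "-VE"))):
        print(label)
        for row in run_scenario(circuit):
            print("  ", row)
```

With the same potential on both channels the short stays latent through all three events and the stuck switch B is masked: the logic keeps reporting RUN with the guard open, because the discrepancy that would normally expose a stuck switch is bridged by the short. With a potential difference the short blows the fuse at the moment it appears, the inputs drop to STOP, and the stuck switch later has nothing to mask.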

7) Operation in other intended environments
• Example of consideration for heat
For installing input devices such as switches in the designated area, the devices are designed to prevent part impairment or malfunction due to heat (high or low) or chemicals, so that a dangerous failure does not occur on installation or usage in an environment exceeding the parts' rating.
• Example of consideration for vibration
Do not install mechanical contact parts such as relays in a vibrating location.
• Example of consideration for mechanical stress
Avoid mounting the switches in a way that reduces the expected effectiveness due to mechanical stress.
For example:
•• Design and mount the limit switch dogs so as not to produce overtravel.
•• Provide a stopper to prevent impact from the guard against the head of the key-in type door switch.
•• Observe the design value of the key insertion radius for the key-in type door switch.

● Protection of switches
Figure: Stopper (for safety limit switches)
Mount a stopper to protect the switches from damage on operating an actuator or on overtravel.
Figure: Stopper (for safety door switches)
Do not use the switch itself as a stopper. Mount a stopper to protect the switch body and tongues. Adjust the setting position (a) so that it is within the tongue setup zone.

Fault exclusion
In a fault exclusion state, there is no dangerous failure because under a certain condition the parts do not break dangerously or the way of the failure is defined. Fault exclusion conditions are defined in the ISO 13849-2 series standard.

Figure: Two-channel designated architecture: input device (I1, I2), conductor, logic operation device (L1, L2), conductor, output device (O1, O2). Fault exclusion is defined for the input device and for the conductors and undefined for the logic operation device (labels: fault exclusion defined, fault exclusion defined, fault exclusion undefined).

Applicability of the fault exclusion in ISO 13849-1:2006 means that the MTTFd or DCavg of the relevant safety-related parts can be placed outside the scope of consideration.

Take a circuit composed of typical electric parts as an example. Of the designated architecture of input devices (I), logic operation devices (L), output devices (O) and the conductors as interfaces, what is defined in ISO 13849-2 is the switches and the conductors alone. For example, for a switch with a direct opening action mechanism in conformity with Annex K of IEC 60947-5-1, the failure mode "Not able to open the contact" can be applied to the failure exception. Short circuits between the terminals of IEC 60947-5-1 conformed switches can be excluded from failure. But it does not mean that they do not break dangerously under all conditions. The failure exception cannot be applied in some use cases. For example, a failure exception is not defined for the failure in which a switch does not close. That is, a failure exception cannot be applied if the safety function is made to work by closing the switch.
If the cables are appropriately protected and structured in conformity with IEC 60204-1, the failure exception can be applied to conductors such as cables.
The failure exception is not necessarily applied to all the safety components, and it is important to recognize that under some conditions the parts may break dangerously.

Failure exceptions of the position switches (limit switches) and operating switches (ISO 13849-2 Annex D)

Failure to be considered: Contact does not close
Fault exclusion: None

Failure to be considered: Contact does not open
Fault exclusion: A contact conforming with IEC 60947-5-1 Annex K is considered to open.
Remarks: Fault exclusion is only applicable to the opening defects of the electric contacts; opening defects due to mechanical factors in the overall switch components cannot be excluded from failure.

Failure to be considered: Short circuit between the adjacent, mutually isolated contacts
Fault exclusion: Short circuit of contacts conforming with IEC 60947-5-1 can be excluded from failure.
Remarks: A loosened conductor should not bridge the isolation between the contacts.

Failure to be considered: Simultaneous shorting between three terminals of the switching contacts
Fault exclusion: Simultaneous short circuit of contacts conforming with IEC 60947-5-1 can be excluded from failure.
Remarks: A loosened conductor should not bridge the isolation between the contacts.

Cable failure exception (ISO 13849-2 Annex D)

Failure to be considered: Short circuit of lines
Fault exclusion: A cable is properly protected and structured in conformity with IEC 60204-1.

• Switches
Mechanical impairment to door switches or interlock switches such as limit switches cannot be ignored because of the nature of switch operation by opening/closing of the guard. If two NC contacts (conforming with IEC 60947-5-1 Annex K) having the direct opening action built into one switch are used as the redundant input for the safety-related parts, this could involve a common cause failure (CCF) such as an actuator (e.g., a key) coming off or being damaged, so the fault exclusion is not applied. (See (3) DC (Diagnostic Coverage) and DCavg in 6. Subsystem Configured in Discrete Components in Chapter 5.)
Fault exclusion can be applied to emergency stop switches and enable switches, because they are manually operated switches and damage to the switch itself can usually be ignored.

10. Validation for Programmable Devices
Before designing the safety-related parts for facilities or equipment using programmable safety devices, it is necessary to check the safety of not only the hardware but also the software.
There are two types of software: the application software (SRASW) created by the device designer and the firmware (SRESW) embedded in the programmable device. This section describes the application software (see Figure 1).

Fig. 1: Programmable devices and programming tool
Hardware (CPU, storage media): a device evaluated by IEC 62061 (or IEC 61508) can achieve a safety level up to SIL3 (PLe).
Note: A device evaluated by ISO 13849-1:2006 can achieve a safety level up to PLd.
SRESW: basic software embedded in the device; mostly covered by IEC 61508 and IEC 62061.
SRASW (loaded in the device): application software which allows the user to externally define the safety function.
SRASW (in the programming tool, transmitted to the device): application software which allows the user to externally define the safety function.
Scope covered by ISO 13849-1:2006: the SRASW. If the SRASW meets the requirements, the above hardware PL and SIL are considered valid.

Design process for the safety-related parts software
The V model is referred to in ISO 13849-1 as the design process scheme for the safety-related parts software (SRASW). This is based on the quality management system concept of the ISO 9000 series and is generally used not only in safety-related design but in software development as well. The software design procedure assumes what is called the Plan-Do-Check-Act flow of quality control management.
Prepare the documents required at each phase of design and show the third party that the safety functions are appropriately configured by software. To configure the safety-related parts by software, it is recommended to streamline the procedure in advance of design, modification and documentation.
This section describes what is to be done in each phase based on the flow in Figure 2.

Fig. 2: V model for the safety-related parts software
1. Safety function spec: Define all the safety function requirements to be achieved by the control. (Validation against) 9. Validated software: Is the software used as intended? Is the product safely protected?
2. Safety-related software spec: Define all the safety function requirements to be achieved by software. (Validation against) 8. Validation: Confirm from a third-party point of view whether all the safety functions meet the requirements.
3. System design: Define the systematic functions for the design of the whole system. (Verification against) 7. Integration testing: Verify whether the system works as intended (including the predictable failures).
4. Module design*: Divide the functions into multiple modules by clarifying each function and design for the individual modules. (Verification against) 6. Module testing*: Verify whether each module works as intended.
5. Coding: Easy-to-understand programming.
* Depending on the scale of the system, the procedural layers could be deeper, or even removed and incorporated into the system design.

1. Safety function specification
Extract all the safety functions (described in ISO 13849-1) achievable with the control from the risk assessment sheet and define the operations, performance level (PLr) and frequency of operations (nop) as the requirements in the safety function specification.
Create a list of the parts comprising the control circuits and safety functions based on the safety function specification. Parts specifications and mechanical safety reliability data for the dangerous failure are obtained from the device manufacturers. Analyze the control circuits (e.g., by FMEA) and define the predictable failures or abuses of the parts.
<Documents example>
• Safety function specification
• Control circuits
• Operation list
• Parts list
• Parts specifications
• Mechanical safety reliability data for the dangerous failure, etc.

2. Safety-related software specification
Of the safety functions, define the requirements achieved by software.
From the operation list created based on "1. Safety function specification," extract only the safety functions which are related to the programmable safety controller. Create a list of the assignment of the I/O devices of the safety functions to the I/O of the programmable safety controller to determine the interface specifications.
Determine the safety function logic and operation specifications from the operation list.
<Documents example>
• Interface specifications
• Operating specifications, etc.

3. System design
Based on the interface specifications, define the variables which are subsequently used in the software design phase. Design the safety functions defined in the external requirements specifications determined by "1. Safety function specification." Create the system test procedure in advance to facilitate the verification of the whole system operation in the integration testing in the subsequent process.
<Documents example>
• System test procedure, etc.

4. Module design
Depending on the scale of the system, multiple hardware modules, that is, a combination of multiple programmable safety controllers, are used to achieve the safety function. In that case, the software is also divided into functional blocks for design. The functional blocks include function blocks which are created specifically by the designer.
For ease of verification in the later module test phase, create the test procedure for each module.
<Documents example>
• Test procedure for each module, etc.

9. Validated software
On completing the software validation, incorporate the software with the safety-related parts hardware in the control circuit for validation. With the software embedded in the device and incorporated with the mechanical parts, confirmation proceeds together with that of the risk reduction.
A validated program is handled as part of the hardware and is used for simplified management of the following items. If a program is required to be modified during the lifecycle of the device, security is provided so that only authorized personnel can change the program.
<Example of items for management>
• Device type or revision
• User (customer) of a device
• Control circuit design version
• Target module
• Device format and revision where a program is transferred
• Version of the program itself, etc.

8. Validation
Confirm whether the program is designed according to the safety function specification, based on the variation of the output, including the response performance, in compliance with the external specifications, with the input conditions created by implementing the program into the safety-related parts. Since this scheme of validation is focused on the external specifications, you do not need insight into the detailed structure of the software.
Record the result in the validation test confirmation. If any trouble is found, it could be derived from the software specification itself; regress to the safety-related software specification process for correction (see "Validation" in the Figure).
<Documents example>
• Validation record, etc.

7. Integration testing
Verify whether the total software operation is as intended, including the incorporated modules, based on the system test procedure. Execute all the operations of the program once on the development tool simulator, in some cases with the program loaded in the safety-related parts, to verify the response performance from the input given until the output reacts, or the operation on the predictable part failure or abuse defined in the safety function specification. Record the result in the integration testing result document. If any trouble is found, it could be derived from the design; regress to the system design process for correction (see "Verification" in the Figure). Re-verify whether there is another trouble due to the modification work.
<Documents example>
• Integration testing result documents, etc.

6. Module testing
Verify whether a module works as intended based on the test procedure per module. Verify either on the development tool simulator or, in some cases, on the actual device by feeding simulated input.
Record the result in the module test result document. If any trouble is found, it could be derived from the design; regress to the module design process for correction (see "Verification" in the Figure). Re-verify whether there is another trouble due to the modification work.
<Documents example>
• Module test result document
• Software correction procedure, etc.

5. Coding
Embody the system worked out by the module design in the program. Create the program by adding comment statements understandable by a third party.
If any bugs are found in the later phase of the module test or integration testing, a couple of regressions to coding could be encountered for correction. Program version management will tell you what type of bugs were corrected and reflected in the later phases of processing.
<Documents example>
• Program version management, etc.

103
Performance Level

11. Safety-related Parts PL Evaluation in the Devices


(1) Sorting out safety functions
This section explains how to sort out the hazards or safety functions in a system.
Note: The description is an explanatory example only. A different calculation is necessary to suit the device and the actual circuit.

It is often the case that a safety function is not alone in the actual device control system. In some cases more than one safety function is provided against the risks derived from the hazards in a machine. In other cases different safety functions are provided against each risk of multiple hazards in a machine. In such cases, too, PL is evaluated for each safety function.
This does not mean that all safety functions have their own independent control circuits; they often share the same control circuit.

Example: Laser marking equipment
[Figure: laser marking equipment with work piece, guard, conveyor and lifter. Hazard 1: Transport system (lifter, conveyor); risk: pinched or entangled. Hazard 2: Laser beam; risk: blindness due to sudden radiation.]

The devices above are assumed as an example. This equipment has two hazards. One is the laser beam, which, if the beam enters an eye, would in the worst case cause loss of eyesight, equivalent to PLr = d; the other is the transport system (lifter and conveyor), which would cause relatively light harm such as bruises or scraping, equivalent to PLr = b.
Against the laser beam, a movable guard is set up and an interlock system is provided. If a work piece is stuck in the equipment, an operator handles it manually; stopping the transport system as well would be an inconvenience to the work, so only the laser beam radiation is stopped. In an emergency, pressing the emergency stop switch shuts down both the laser beam and the transport power.

The relationship between the safety functions and the risk reduction actions is shown below in simplified form; this equipment has three lines of safety functions and each requires its own PL evaluation.

Safety function | Safety-related parts | Risk reduction
1 | Safety-related part 1-1 | Transport power (M)
1 | Safety-related part 1-2 | Laser beam
2 | Safety-related part 2 | Laser beam

Safety function 1: Emergency stop switch; stops both laser radiation and lifter.
Safety function 2: Guard 1; stops laser radiation only.

[Circuit example: +24 V supplies Controller 1 (manual reset, feedback), which drives contactors KM1 and KM2 switching the transport power motor M, and Controller 2 (auto-reset, feedback), which drives contactors KM3 and KM4 switching the laser beam. The emergency stop switch feeds Controller 1; Guard 1 (Switch 1 and Switch 2) feeds Controller 2; a logical connection links Controller 1 to Controller 2.]

These safety functions are achieved with the circuit above. Transport power is shut down by the logical operation device of Controller 1, while the laser beam is shut down by Controller 2.
Controller 1 and Controller 2 are logically connected by a redundantly configured interface, and the logical input of Controller 2 is ANDed with its physical input system (safety function 1 and safety function 2). A demand on the emergency stop switch shuts down both the transport power and the laser beam; a demand on Guard 1 shuts down the laser beam alone.
Controller 1 and Controller 2 are assumed to be individually evaluated in terms of PFHd.

104
(2) Drawing up block diagram

[Figure: Safety-related part 1-1. The emergency stop switch (input I) feeds Controller 1 (logic L), which drives contactors KM1 and KM2 (output O) switching the transport power motor M. Auto-reset, feedback and the +24 V supply are shown; a logical connection leads on to Controller 2.]

[Figure: Safety-related part 1-2. The emergency stop switch (I) feeds Controller 1, which passes the demand over the logical connection to Controller 2 (L); Controller 2 drives contactors KM3 and KM4 (O) switching the laser beam.]

Block diagram, safety-related part 1-1 (Subsystem 1, designated architecture, and Subsystem 2):
Channel 1: I1 (emergency stop switch NC contact 1) → Controller 1 → O1 (contactor KM1)
Channel 2: I2 (emergency stop switch NC contact 2) → Controller 1 → O2 (contactor KM2)

Block diagram, safety-related part 1-2 (Subsystem 3, designated architecture, Subsystem 2 and Subsystem 4):
Channel 1: I1 (emergency stop switch NC contact 1) → Controller 1 → Controller 2 → O1 (contactor KM3)
Channel 2: I2 (emergency stop switch NC contact 2) → Controller 1 → Controller 2 → O2 (contactor KM4)

Safety-related part 1-1 is comprised of the emergency stop switch NC contacts 1 and 2, the designated architecture (subsystem 1) of contactors KM1 and KM2, and Controller 1 (subsystem 2), where PL and PFHd are individually evaluated.
PFHd for subsystem 1 is evaluated using the parameters (category, MTTFd, DCavg and CCF).

Safety-related part 1-2 is comprised of the emergency stop switch NC contacts 1 and 2, the designated architecture (subsystem 3) of contactors KM3 and KM4, Controller 1 (subsystem 2) and Controller 2 (subsystem 4), where PL and PFHd are individually evaluated.
PFHd for subsystem 3 is evaluated using the parameters (category, MTTFd, DCavg and CCF).

Note: Since contactors KM3 and KM4 are shared components with safety-related part 2, MTTFd is calculated from the summation of nop over each safety function.
If, however, the operation demand on one block is extremely low and its impact on the other block is almost nil, this can be treated as within the margin of error and the summation is not applied. (Example: a guard is often operated daily, while the emergency stop is operated as rarely as once a year.)

105
[Figure: Safety-related part 2. The Guard 1 switches (input I) feed Controller 2 (a Flexible Safety Controller, logic L), which drives contactors KM3 and KM4 (output O) switching the laser beam. Controller 1 with KM1/KM2 and the transport power motor M are shown alongside with the logical connection; auto-reset, feedback and the +24 V supply are shown.]

Block diagram, safety-related part 2 (Subsystem 5, designated architecture, and Subsystem 4):
Channel 1: I1 (Switch 1) → Controller 2 → O1 (contactor KM3)
Channel 2: I2 (Switch 2) → Controller 2 → O2 (contactor KM4)

Safety-related part 2 is comprised of the designated architecture (subsystem 5) of contactors KM3 and KM4 and Controller 2 (subsystem 4), where PL and PFHd are individually evaluated.
PFHd for subsystem 5 is evaluated using the parameters (category, MTTFd, DCavg and CCF).

Note: Since contactors KM3 and KM4 are shared components with safety-related part 1-2, MTTFd is calculated from the summation of nop over each safety function.
If, however, the operation demand on one block is extremely low and its impact on the other block is almost nil, this can be treated as within the margin of error and the summation is not applied. (Example: a guard is often operated daily, while the emergency stop is operated as rarely as once a year.)

106
(3) Points in composite hazard schematisation

Device configuration: multiple hazards (robot)
[Figure: a robot operating along the X and Y axes inside a cell with a work piece. Safety function 1: Guard 1 with limit switch 1. Safety function 2: Guard 2 with limit switch 2. Safety function 3: Enabling switch.]

A block diagram is a logical, conceptual diagram representing the sum of the dangerous failure rates. It does not necessarily correspond to the electrical control circuit diagram.
Consider the machine in the diagram above as an example. The hazard of this machine is a robot operating along the X and Y axes. Contact with this movement is assumed to be the hazardous event, against which a safety measure is to be set up based on the risk assessment. Risk reduction is assumed not to be achieved unless both the X and Y axes are stopped simultaneously. As a measure, for example, configure an interlock circuit with two limit switches on movable guards that open to the right and left. The guards are assigned to safety functions 1 and 2: if either guard is opened, the hazard is shut down by the interlock. In some cases, however, the robot is required to operate with the guards open for maintenance or adjustment of the machine. An enabling switch is used as an alternative to the guards, and this works as safety function 3.
The required PL for these safety functions is assumed to be equivalent to PLr = c.

Example of the electric circuit diagram in the safety-related parts
[Figure: the control power supply feeds limit switches SW1 (guard 1) and SW2 (guard 2) in series, with the enabling switch SW3 (safety function 3) in parallel and a reset, to safety relay K1; K1 drives contactors KM1 and KM2 from the drive power supply to motors M1 (X axis) and M2 (Y axis) of the robot.]

Suppose the safety-related parts achieving safety functions 1, 2 and 3 are configured in a single system as in the diagram above. Assume that designated architecture category 1 is selected to meet PLr = c or its equivalent.

Note: This circuit diagram is intended only as a simplified explanation of the block diagram expansion and is not a recommended circuit for this application. (For example, for enabling, other safety functions are required, including mode switching by key switch and the accompanying restriction of the drive power, but these are skipped in this description.) If further information is needed, see the relevant standards.

Series connection of input devices
[Figure: control power supply, limit switch (SW1) and limit switch (SW2) connected in series to K1.]
Block diagrams:
Safety function 1: SW1 → K1
Safety function 2: SW2 → K1

The two limit switches (SW1 and SW2) for guard 1 and guard 2 in the input section of this circuit are electrically connected in series. Safety function 1 and safety function 2, however, are not affected by each other. When safety function 1 demands operation (that is, when guard 1 is opened), the interlock works regardless of the state of guard 2 to shut off the hazard. Even if SW2 is in a state of dangerous failure due to contact welding, safety function 1 is not affected by it. The opposite is also true.
That is, the two safety functions are independent of each other. PL is used to evaluate each safety function, so the block diagram is divided into two, one for each PL evaluation.
It is assumed, however, that there is no case where both safety functions are damaged at the same time by a short circuit of the conductors. A common cause failure (CCF) such as the one below is not assumed.
[Figure: a short circuit bridging the conductors across SW1 and SW2, so that detection of the opened guards is disabled.]

107
Input devices in parallel connection
[Figure: control power supply; limit switches (SW1) and (SW2) for guards 1 and 2 in series, with the enabling switch SW3 (safety function 3) wired in parallel with them, to safety relay K1.]
Block diagrams:
Safety function 1: SW1 → SW3 → K1
Safety function 2: SW2 → SW3 → K1
Safety function 3: SW3 → K1

The enabling switch is hard-wired in parallel with the limit switches (SW1 and SW2) for guard 1 and guard 2. A dangerous failure of the enabling switch could therefore affect safety functions 1 and 2. For example, even though detecting the open state of a guard is supposed to shut down the drive of the hazard, welding of the enabling switch output contact would leave the open state of the guard undetected, resulting in the impairment of the guard safety function.
If a dangerous failure in one part may impact the safety function of other parts, those dangerous failure rates are summed together, represented in the block diagram as a series connection.
From the reverse point of view, the enabling switch in safety function 3 is not exposed to a hazardous state unless a simultaneous dangerous failure occurs, such as the simultaneous welding of the limit switches (SW1 and SW2) of guards 1 and 2. With due consideration given to common cause failure, the probability of such a failure can be assumed to be negligibly small. Therefore, the only input device attributable to a dangerous failure of safety function 3 is the enabling switch (SW3), and the resulting block diagram is as shown above.

Output devices in parallel connection
[Figure: safety relay K1 drives contactors KM1 and KM2 in parallel from the drive power supply to motors M1 (X axis) and M2 (Y axis) of the robot.]
Block diagram (composite hazard): K1 → KM1 → KM2

In the output of the circuit of interest, two contactors (KM1 and KM2) are connected in parallel for controlling the X and Y axes of the robot. It is premised here that stopping only one axis cannot reduce the risk. If, for example, the robot's X-axis movement is brought to a stop, the Y-axis movement could still cause an accident, which impairs the safety function. If a real reduction of the risk can only be achieved by simultaneously stopping the X and Y axes, the dangerous failure rates of the two contactors must be summed together, resulting in a series connection in the block diagram.

Note: If, however, the risk assessment reveals that the X and Y axes are separate hazards, that consideration of composite risks is not needed, and that each PLr is different, the block diagram can also be separated.

108
PL Decision Table/PFHd Conversion Table (Source: ISO 13849-1, Annex K, Table K.1)

Each cell gives the PL letter followed by the PFHd value (in 1/h) of one channel. The first column holds Category B for MTTFd below 30 years and Category 1 for MTTFd of 30 years and above; Category 4 has entries only from 30 years upward ("-" marks no entry). MTTFd of each channel: Low (3 to <10 years), Medium (10 to <30 years), High (30 to 100 years).

Reading example marked in the original table: the Category 3 domain is selected and narrowed to the column for 60 ≤ DCavg < 90 with 65 ≤ CCF; the MTTFd range is confirmed and the row 39 ≤ MTTFd < 43 is selected; the crossed cell, PL d with PFHd 4.53×10^-7, gives the PL and PFHd for this channel.

Category   B / 1          2             2             3             3             4
DCavg      None           60≤DCavg<90   90≤DCavg<99   60≤DCavg<90   90≤DCavg<99   99≤DCavg
CCF        Not relevant   65≤CCF        65≤CCF        65≤CCF        65≤CCF        65≤CCF

Low      3≤MTTFd     a 3.80×10^-5  a 2.58×10^-5  a 1.99×10^-5  a 1.26×10^-5  b 6.09×10^-6  -
         3.3≤MTTFd   a 3.46×10^-5  a 2.33×10^-5  a 1.79×10^-5  a 1.13×10^-5  b 5.41×10^-6  -
         3.6≤MTTFd   a 3.17×10^-5  a 2.13×10^-5  a 1.62×10^-5  a 1.03×10^-5  b 4.86×10^-6  -
         3.9≤MTTFd   a 2.93×10^-5  a 1.95×10^-5  a 1.48×10^-5  b 9.37×10^-6  b 4.40×10^-6  -
         4.3≤MTTFd   a 2.65×10^-5  a 1.76×10^-5  a 1.33×10^-5  b 8.39×10^-6  b 3.89×10^-6  -
         4.7≤MTTFd   a 2.43×10^-5  a 1.60×10^-5  a 1.20×10^-5  b 7.58×10^-6  b 3.48×10^-6  -
         5.1≤MTTFd   a 2.24×10^-5  a 1.47×10^-5  a 1.10×10^-5  b 6.91×10^-6  b 3.15×10^-6  -
         5.6≤MTTFd   a 2.04×10^-5  a 1.33×10^-5  b 9.87×10^-6  b 6.21×10^-6  c 2.80×10^-6  -
         6.2≤MTTFd   a 1.84×10^-5  a 1.19×10^-5  b 8.80×10^-6  b 5.53×10^-6  c 2.47×10^-6  -
         6.8≤MTTFd   a 1.68×10^-5  a 1.08×10^-5  b 7.93×10^-6  b 4.98×10^-6  c 2.20×10^-6  -
         7.5≤MTTFd   a 1.52×10^-5  b 9.75×10^-6  b 7.10×10^-6  b 4.45×10^-6  c 1.95×10^-6  -
         8.2≤MTTFd   a 1.39×10^-5  b 8.87×10^-6  b 6.43×10^-6  b 4.02×10^-6  c 1.74×10^-6  -
         9.1≤MTTFd   a 1.25×10^-5  b 7.94×10^-6  b 5.71×10^-6  b 3.57×10^-6  c 1.53×10^-6  -
Medium   10≤MTTFd    a 1.14×10^-5  b 7.18×10^-6  b 5.14×10^-6  b 3.21×10^-6  c 1.36×10^-6  -
         11≤MTTFd    a 1.04×10^-5  b 6.44×10^-6  b 4.53×10^-6  c 2.81×10^-6  c 1.18×10^-6  -
         12≤MTTFd    b 9.51×10^-6  b 5.84×10^-6  b 4.04×10^-6  c 2.49×10^-6  c 1.04×10^-6  -
         13≤MTTFd    b 8.78×10^-6  b 5.33×10^-6  b 3.64×10^-6  c 2.23×10^-6  d 9.21×10^-7  -
         15≤MTTFd    b 7.61×10^-6  b 4.53×10^-6  b 3.01×10^-6  c 1.82×10^-6  d 7.44×10^-7  -
         16≤MTTFd    b 7.13×10^-6  b 4.21×10^-6  c 2.77×10^-6  c 1.67×10^-6  d 6.76×10^-7  -
         18≤MTTFd    b 6.34×10^-6  b 3.68×10^-6  c 2.37×10^-6  c 1.41×10^-6  d 5.67×10^-7  -
         20≤MTTFd    b 5.71×10^-6  b 3.26×10^-6  c 2.06×10^-6  c 1.22×10^-6  d 4.85×10^-7  -
         22≤MTTFd    b 5.19×10^-6  c 2.93×10^-6  c 1.82×10^-6  c 1.07×10^-6  d 4.21×10^-7  -
         24≤MTTFd    b 4.76×10^-6  c 2.65×10^-6  c 1.62×10^-6  d 9.47×10^-7  d 3.70×10^-7  -
         27≤MTTFd    b 4.23×10^-6  c 2.32×10^-6  c 1.39×10^-6  d 8.04×10^-7  d 3.10×10^-7  -
High     30≤MTTFd    b 3.80×10^-6  c 2.06×10^-6  c 1.21×10^-6  d 6.94×10^-7  d 2.65×10^-7  e 9.54×10^-8
         33≤MTTFd    b 3.46×10^-6  c 1.85×10^-6  c 1.06×10^-6  d 5.94×10^-7  d 2.30×10^-7  e 8.57×10^-8
         36≤MTTFd    b 3.17×10^-6  c 1.67×10^-6  d 9.39×10^-7  d 5.16×10^-7  d 2.01×10^-7  e 7.77×10^-8
         39≤MTTFd    c 2.93×10^-6  c 1.53×10^-6  d 8.40×10^-7  d 4.53×10^-7  d 1.78×10^-7  e 7.11×10^-8
         43≤MTTFd    c 2.65×10^-6  c 1.37×10^-6  d 7.34×10^-7  d 3.87×10^-7  d 1.54×10^-7  e 6.37×10^-8
         47≤MTTFd    c 2.43×10^-6  c 1.24×10^-6  d 6.49×10^-7  d 3.35×10^-7  d 1.34×10^-7  e 5.76×10^-8
         51≤MTTFd    c 2.24×10^-6  c 1.13×10^-6  d 5.80×10^-7  d 2.93×10^-7  d 1.19×10^-7  e 5.26×10^-8
         56≤MTTFd    c 2.04×10^-6  c 1.02×10^-6  d 5.10×10^-7  d 2.52×10^-7  d 1.03×10^-7  e 4.73×10^-8
         62≤MTTFd    c 1.84×10^-6  d 9.06×10^-7  d 4.43×10^-7  d 2.13×10^-7  e 8.84×10^-8  e 4.22×10^-8
         68≤MTTFd    c 1.68×10^-6  d 8.17×10^-7  d 3.90×10^-7  d 1.84×10^-7  e 7.68×10^-8  e 3.80×10^-8
         75≤MTTFd    c 1.52×10^-6  d 7.31×10^-7  d 3.40×10^-7  d 1.57×10^-7  e 6.62×10^-8  e 3.41×10^-8
         82≤MTTFd    c 1.39×10^-6  d 6.61×10^-7  d 3.01×10^-7  d 1.35×10^-7  e 5.79×10^-8  e 3.08×10^-8
         91≤MTTFd    c 1.25×10^-6  d 5.88×10^-7  d 2.61×10^-7  d 1.14×10^-7  e 4.94×10^-8  e 2.74×10^-8
         100≤MTTFd   c 1.14×10^-6  d 5.28×10^-7  d 2.29×10^-7  d 1.01×10^-7  e 4.29×10^-8  e 2.47×10^-8
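Worked example of the PL evaluation this section describes, added here and not part of the guide or of any Omron tool: it encodes Table K.1 as printed above, sums nop for the contactors KM3/KM4 shared between safety functions 1 and 2 as the note on safety-related part 1-2 requires, reads the table at Category 3, DCavg low, and sums the subsystem PFHd values connected in series in the block diagram. The B10d, nop and controller PFHd figures are constructed sample values; the MTTFd formula B10d/(0.1·nop), the 100-year cap and the PL bands come from ISO 13849-1 (Annex C and Table 3), not from this page, and Category 3 for subsystem 3 is assumed as in the reading example.

```python
"""Added example, not from the Omron guide: PL of safety-related part 1-2 by
reading ISO 13849-1 Table K.1 (as printed above), summing nop for the shared
contactors KM3/KM4 (the guide's note) and summing subsystem PFHd in series."""

# ISO 13849-1 Annex K, Table K.1, PFHd in 1/h, transcribed from the table above.
# Rows below 30 years: Category B, 2 (DC low), 2 (DC med), 3 (DC low), 3 (DC med).
# Rows from 30 years:  Category 1, 2 (DC low), 2 (DC med), 3 (DC low), 3 (DC med), 4.
COLS_UNDER_30 = ("B", "2L", "2M", "3L", "3M")
COLS_FROM_30 = ("1", "2L", "2M", "3L", "3M", "4")
TABLE_K1 = {
    3: (3.80e-5, 2.58e-5, 1.99e-5, 1.26e-5, 6.09e-6),
    3.3: (3.46e-5, 2.33e-5, 1.79e-5, 1.13e-5, 5.41e-6),
    3.6: (3.17e-5, 2.13e-5, 1.62e-5, 1.03e-5, 4.86e-6),
    3.9: (2.93e-5, 1.95e-5, 1.48e-5, 9.37e-6, 4.40e-6),
    4.3: (2.65e-5, 1.76e-5, 1.33e-5, 8.39e-6, 3.89e-6),
    4.7: (2.43e-5, 1.60e-5, 1.20e-5, 7.58e-6, 3.48e-6),
    5.1: (2.24e-5, 1.47e-5, 1.10e-5, 6.91e-6, 3.15e-6),
    5.6: (2.04e-5, 1.33e-5, 9.87e-6, 6.21e-6, 2.80e-6),
    6.2: (1.84e-5, 1.19e-5, 8.80e-6, 5.53e-6, 2.47e-6),
    6.8: (1.68e-5, 1.08e-5, 7.93e-6, 4.98e-6, 2.20e-6),
    7.5: (1.52e-5, 9.75e-6, 7.10e-6, 4.45e-6, 1.95e-6),
    8.2: (1.39e-5, 8.87e-6, 6.43e-6, 4.02e-6, 1.74e-6),
    9.1: (1.25e-5, 7.94e-6, 5.71e-6, 3.57e-6, 1.53e-6),
    10: (1.14e-5, 7.18e-6, 5.14e-6, 3.21e-6, 1.36e-6),
    11: (1.04e-5, 6.44e-6, 4.53e-6, 2.81e-6, 1.18e-6),
    12: (9.51e-6, 5.84e-6, 4.04e-6, 2.49e-6, 1.04e-6),
    13: (8.78e-6, 5.33e-6, 3.64e-6, 2.23e-6, 9.21e-7),
    15: (7.61e-6, 4.53e-6, 3.01e-6, 1.82e-6, 7.44e-7),
    16: (7.13e-6, 4.21e-6, 2.77e-6, 1.67e-6, 6.76e-7),
    18: (6.34e-6, 3.68e-6, 2.37e-6, 1.41e-6, 5.67e-7),
    20: (5.71e-6, 3.26e-6, 2.06e-6, 1.22e-6, 4.85e-7),
    22: (5.19e-6, 2.93e-6, 1.82e-6, 1.07e-6, 4.21e-7),
    24: (4.76e-6, 2.65e-6, 1.62e-6, 9.47e-7, 3.70e-7),
    27: (4.23e-6, 2.32e-6, 1.39e-6, 8.04e-7, 3.10e-7),
    30: (3.80e-6, 2.06e-6, 1.21e-6, 6.94e-7, 2.65e-7, 9.54e-8),
    33: (3.46e-6, 1.85e-6, 1.06e-6, 5.94e-7, 2.30e-7, 8.57e-8),
    36: (3.17e-6, 1.67e-6, 9.39e-7, 5.16e-7, 2.01e-7, 7.77e-8),
    39: (2.93e-6, 1.53e-6, 8.40e-7, 4.53e-7, 1.78e-7, 7.11e-8),
    43: (2.65e-6, 1.37e-6, 7.34e-7, 3.87e-7, 1.54e-7, 6.37e-8),
    47: (2.43e-6, 1.24e-6, 6.49e-7, 3.35e-7, 1.34e-7, 5.76e-8),
    51: (2.24e-6, 1.13e-6, 5.80e-7, 2.93e-7, 1.19e-7, 5.26e-8),
    56: (2.04e-6, 1.02e-6, 5.10e-7, 2.52e-7, 1.03e-7, 4.73e-8),
    62: (1.84e-6, 9.06e-7, 4.43e-7, 2.13e-7, 8.84e-8, 4.22e-8),
    68: (1.68e-6, 8.17e-7, 3.90e-7, 1.84e-7, 7.68e-8, 3.80e-8),
    75: (1.52e-6, 7.31e-7, 3.40e-7, 1.57e-7, 6.62e-8, 3.41e-8),
    82: (1.39e-6, 6.61e-7, 3.01e-7, 1.35e-7, 5.79e-8, 3.08e-8),
    91: (1.25e-6, 5.88e-7, 2.61e-7, 1.14e-7, 4.94e-8, 2.74e-8),
    100: (1.14e-6, 5.28e-7, 2.29e-7, 1.01e-7, 4.29e-8, 2.47e-8),
}


def pl_from_pfhd(pfhd):
    """PL band for a PFHd value in 1/h (ISO 13849-1 Table 3); None if outside a..e."""
    if not 1e-8 <= pfhd < 1e-4:
        return None
    for pl, lower in (("a", 1e-5), ("b", 3e-6), ("c", 1e-6), ("d", 1e-7), ("e", 1e-8)):
        if pfhd >= lower:
            return pl


def mttfd_from_b10d(b10d, nop_per_year, cap=100.0):
    """MTTFd in years of a wearing part: B10d / (0.1 * nop), capped at 100 years
    (ISO 13849-1 Annex C formula; the table above ends at 100 years)."""
    return min(b10d / (0.1 * nop_per_year), cap)


def lookup_k1(column, mttfd):
    """(PL, PFHd) of one channel; column is B, 1, 2L, 2M, 3L, 3M or 4
    (category plus DCavg low/medium)."""
    if mttfd < 3:
        raise ValueError("MTTFd below 3 years is not permitted")
    row = max(key for key in TABLE_K1 if key <= mttfd)
    cols = COLS_FROM_30 if row >= 30 else COLS_UNDER_30
    if column not in cols:
        raise ValueError(f"no Table K.1 entry for category {column} at MTTFd {mttfd}")
    pfhd = TABLE_K1[row][cols.index(column)]
    return pl_from_pfhd(pfhd), pfhd


def combine_series(pfhds):
    """Subsystems in series in the block diagram: their PFHd values are summed."""
    total = sum(pfhds)
    return pl_from_pfhd(total), total


def evaluate_part_1_2():
    """Safety-related part 1-2: e-stop contacts + KM3/KM4 as subsystem 3 (assumed
    Category 3, DCavg low) in series with Controller 1 (subsystem 2) and
    Controller 2 (subsystem 4). All figures below are constructed sample values."""
    nop_estop = 1           # constructed: e-stop demanded about once a year
    nop_guard = 320_000     # constructed: guard 1 opened ~1,300 times/day, 250 days
    b10d_contactor = 1.3e6  # hypothetical B10d of KM3/KM4
    # Shared contactors: nop is summed over safety functions 1 and 2.
    mttfd = mttfd_from_b10d(b10d_contactor, nop_estop + nop_guard)  # about 40.6 y
    pl3, pfhd3 = lookup_k1("3L", mttfd)  # row 39<=MTTFd<43: d, 4.53e-7
    ctrl1_pfhd = ctrl2_pfhd = 1.0e-8     # hypothetical manufacturer figures
    pl, total = combine_series([pfhd3, ctrl1_pfhd, ctrl2_pfhd])
    return {"mttfd": mttfd, "subsystem3": (pl3, pfhd3), "pl": pl, "pfhd": total}
```

The e-stop demand of once a year is what the note calls negligible; the example keeps it in the sum to show that it does not move the result off the 39-year row.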

109
PL Decision Table (Source: ISO 13849-1, Annex K, Table K.1)

Category   B / 1          2             2             3             3             4
DCavg      None           60≤DCavg<90   90≤DCavg<99   60≤DCavg<90   90≤DCavg<99   99≤DCavg
CCF        Not relevant   65≤CCF        65≤CCF        65≤CCF        65≤CCF        65≤CCF
(First column: Category B for MTTFd below 30 years, Category 1 for MTTFd of 30 years and above; Category 4 has entries only from 30 years upward, "-" marks no entry.)

Low      3≤MTTFd     a  a  a  a  b  -
         3.3≤MTTFd   a  a  a  a  b  -
         3.6≤MTTFd   a  a  a  a  b  -
         3.9≤MTTFd   a  a  a  b  b  -
         4.3≤MTTFd   a  a  a  b  b  -
         4.7≤MTTFd   a  a  a  b  b  -
         5.1≤MTTFd   a  a  a  b  b  -
         5.6≤MTTFd   a  a  b  b  c  -
         6.2≤MTTFd   a  a  b  b  c  -
         6.8≤MTTFd   a  a  b  b  c  -
         7.5≤MTTFd   a  b  b  b  c  -
         8.2≤MTTFd   a  b  b  b  c  -
         9.1≤MTTFd   a  b  b  b  c  -
Medium   10≤MTTFd    a  b  b  b  c  -
         11≤MTTFd    a  b  b  c  c  -
         12≤MTTFd    b  b  b  c  c  -
         13≤MTTFd    b  b  b  c  d  -
         15≤MTTFd    b  b  b  c  d  -
         16≤MTTFd    b  b  c  c  d  -
         18≤MTTFd    b  b  c  c  d  -
         20≤MTTFd    b  b  c  c  d  -
         22≤MTTFd    b  c  c  c  d  -
         24≤MTTFd    b  c  c  d  d  -
         27≤MTTFd    b  c  c  d  d  -
High     30≤MTTFd    b  c  c  d  d  e
         33≤MTTFd    b  c  c  d  d  e
         36≤MTTFd    b  c  d  d  d  e
         39≤MTTFd    c  c  d  d  d  e
         43≤MTTFd    c  c  d  d  d  e
         47≤MTTFd    c  c  d  d  d  e
         51≤MTTFd    c  c  d  d  d  e
         56≤MTTFd    c  c  d  d  d  e
         62≤MTTFd    c  d  d  d  e  e
         68≤MTTFd    c  d  d  d  e  e
         75≤MTTFd    c  d  d  d  e  e
         82≤MTTFd    c  d  d  d  e  e
         91≤MTTFd    c  d  d  d  e  e
         100≤MTTFd   c  d  d  d  e  e

110
PFHd Conversion Table (Source: ISO 13849-1, Annex K, Table K.1)

Category   B / 1          2             2             3             3             4
DCavg      None           60≤DCavg<90   90≤DCavg<99   60≤DCavg<90   90≤DCavg<99   99≤DCavg
CCF        Not relevant   65≤CCF        65≤CCF        65≤CCF        65≤CCF        65≤CCF
(PFHd in 1/h. First column: Category B for MTTFd below 30 years, Category 1 for MTTFd of 30 years and above; Category 4 has entries only from 30 years upward, "-" marks no entry.)

Low      3≤MTTFd     3.80×10^-5  2.58×10^-5  1.99×10^-5  1.26×10^-5  6.09×10^-6  -
         3.3≤MTTFd   3.46×10^-5  2.33×10^-5  1.79×10^-5  1.13×10^-5  5.41×10^-6  -
         3.6≤MTTFd   3.17×10^-5  2.13×10^-5  1.62×10^-5  1.03×10^-5  4.86×10^-6  -
         3.9≤MTTFd   2.93×10^-5  1.95×10^-5  1.48×10^-5  9.37×10^-6  4.40×10^-6  -
         4.3≤MTTFd   2.65×10^-5  1.76×10^-5  1.33×10^-5  8.39×10^-6  3.89×10^-6  -
         4.7≤MTTFd   2.43×10^-5  1.60×10^-5  1.20×10^-5  7.58×10^-6  3.48×10^-6  -
         5.1≤MTTFd   2.24×10^-5  1.47×10^-5  1.10×10^-5  6.91×10^-6  3.15×10^-6  -
         5.6≤MTTFd   2.04×10^-5  1.33×10^-5  9.87×10^-6  6.21×10^-6  2.80×10^-6  -
         6.2≤MTTFd   1.84×10^-5  1.19×10^-5  8.80×10^-6  5.53×10^-6  2.47×10^-6  -
         6.8≤MTTFd   1.68×10^-5  1.08×10^-5  7.93×10^-6  4.98×10^-6  2.20×10^-6  -
         7.5≤MTTFd   1.52×10^-5  9.75×10^-6  7.10×10^-6  4.45×10^-6  1.95×10^-6  -
         8.2≤MTTFd   1.39×10^-5  8.87×10^-6  6.43×10^-6  4.02×10^-6  1.74×10^-6  -
         9.1≤MTTFd   1.25×10^-5  7.94×10^-6  5.71×10^-6  3.57×10^-6  1.53×10^-6  -
Medium   10≤MTTFd    1.14×10^-5  7.18×10^-6  5.14×10^-6  3.21×10^-6  1.36×10^-6  -
         11≤MTTFd    1.04×10^-5  6.44×10^-6  4.53×10^-6  2.81×10^-6  1.18×10^-6  -
         12≤MTTFd    9.51×10^-6  5.84×10^-6  4.04×10^-6  2.49×10^-6  1.04×10^-6  -
         13≤MTTFd    8.78×10^-6  5.33×10^-6  3.64×10^-6  2.23×10^-6  9.21×10^-7  -
         15≤MTTFd    7.61×10^-6  4.53×10^-6  3.01×10^-6  1.82×10^-6  7.44×10^-7  -
         16≤MTTFd    7.13×10^-6  4.21×10^-6  2.77×10^-6  1.67×10^-6  6.76×10^-7  -
         18≤MTTFd    6.34×10^-6  3.68×10^-6  2.37×10^-6  1.41×10^-6  5.67×10^-7  -
         20≤MTTFd    5.71×10^-6  3.26×10^-6  2.06×10^-6  1.22×10^-6  4.85×10^-7  -
         22≤MTTFd    5.19×10^-6  2.93×10^-6  1.82×10^-6  1.07×10^-6  4.21×10^-7  -
         24≤MTTFd    4.76×10^-6  2.65×10^-6  1.62×10^-6  9.47×10^-7  3.70×10^-7  -
         27≤MTTFd    4.23×10^-6  2.32×10^-6  1.39×10^-6  8.04×10^-7  3.10×10^-7  -
High     30≤MTTFd    3.80×10^-6  2.06×10^-6  1.21×10^-6  6.94×10^-7  2.65×10^-7  9.54×10^-8
         33≤MTTFd    3.46×10^-6  1.85×10^-6  1.06×10^-6  5.94×10^-7  2.30×10^-7  8.57×10^-8
         36≤MTTFd    3.17×10^-6  1.67×10^-6  9.39×10^-7  5.16×10^-7  2.01×10^-7  7.77×10^-8
         39≤MTTFd    2.93×10^-6  1.53×10^-6  8.40×10^-7  4.53×10^-7  1.78×10^-7  7.11×10^-8
         43≤MTTFd    2.65×10^-6  1.37×10^-6  7.34×10^-7  3.87×10^-7  1.54×10^-7  6.37×10^-8
         47≤MTTFd    2.43×10^-6  1.24×10^-6  6.49×10^-7  3.35×10^-7  1.34×10^-7  5.76×10^-8
         51≤MTTFd    2.24×10^-6  1.13×10^-6  5.80×10^-7  2.93×10^-7  1.19×10^-7  5.26×10^-8
         56≤MTTFd    2.04×10^-6  1.02×10^-6  5.10×10^-7  2.52×10^-7  1.03×10^-7  4.73×10^-8
         62≤MTTFd    1.84×10^-6  9.06×10^-7  4.43×10^-7  2.13×10^-7  8.84×10^-8  4.22×10^-8
         68≤MTTFd    1.68×10^-6  8.17×10^-7  3.90×10^-7  1.84×10^-7  7.68×10^-8  3.80×10^-8
         75≤MTTFd    1.52×10^-6  7.31×10^-7  3.40×10^-7  1.57×10^-7  6.62×10^-8  3.41×10^-8
         82≤MTTFd    1.39×10^-6  6.61×10^-7  3.01×10^-7  1.35×10^-7  5.79×10^-8  3.08×10^-8
         91≤MTTFd    1.25×10^-6  5.88×10^-7  2.61×10^-7  1.14×10^-7  4.94×10^-8  2.74×10^-8
         100≤MTTFd   1.14×10^-6  5.28×10^-7  2.29×10^-7  1.01×10^-7  4.29×10^-8  2.47×10^-8

111
MEMO

112

Chapter 6
Annex

1. Regulations and Standards by Country..........................................114
(1) Europe..................................................................................................................................114
(2) The United States of America...............................................................................................117
(3) Canada.................................................................................................................................119
(4) Japan................................................................................................................................... 120
(5) China................................................................................................................................... 122
(6) South Korea......................................................................................................................... 123
(7) Australia............................................................................................................................... 124
(8) Relationships between Standard Numbers of Individual Countries and International Standards ........................................................................................................................... 125
(9) Industry Standards.............................................................................................................. 126
2. Description of Safety Component-related Standards....................127
(1) Description of Standard....................................................................................................... 127
(2) Terminology......................................................................................................................... 134
(3) Other Terminology (Markings)............................................................................................. 138

113
Annex

1. Regulations and Standards by Country


(1) Europe
• EC Directives and CE Marking
There are approximately 300 EC Directives issued for harmonisation in Europe. The EC Directives are equivalent to law in 27 countries in Europe. Twenty-one Directives under the New Approach and several other Directives require the CE Marking to indicate that products conform with these Directives. The CE Marking attached to products indicates that the products conform with the stipulated level of protection in all relevant EC Directives. Devices labeled with the CE Marking may be imported and exported to Europe without restriction.
You might call the CE Marking a "passport" to Europe. Therefore you must identify the corresponding Directive before attaching the CE Marking to products. For industrial machinery, the corresponding Directive is usually the Low Voltage Directive, the EMC Directive, or the Machinery Directive.
[Figure: three overlapping circles labelled Machinery Directive, Low Voltage Directive and EMC Directive.]

• Low-voltage Directive (LVD)
According to the EC Directive (EC Directive 2006/95/EC), low voltage devices are devices that operate at 50 to 1,000 VAC or 75 to 1,500 VDC. The LVD applies to almost all electrical devices, from electrical household appliances and office equipment to industrial electrical machinery. The LVD pertains to electrical safety in the Machinery Directive, along with the EMC Directive.

• EMC Directive
The EMC Directive (2004/108/EC) has been in force since July 20, 2007, and the old version of the EMC Directive (89/336/EEC) was revoked. EMC stands for "electromagnetic compatibility." When measures have been taken for both electromagnetic interference (EMI) and electromagnetic susceptibility/immunity (EMS), the device is called electromagnetically compatible, which means that EMC measures have been successfully applied.

• Machinery Directive (MD)
This Directive was issued as the new Machinery Directive 2006/42/EC in 2006, and has been implemented in place of 98/37/EC since 2009.

• Essential Health and Safety Requirements of the Machinery Directive
These basic requirements are listed in Machinery Directive Annex I. The Preliminary Observations of Annex I of the Machinery Directive are introduced below.
(1) The obligations laid down by the essential health and safety requirements apply only when the corresponding hazard exists for the machinery in question when it is used under the conditions foreseen by the manufacturer. In any event, requirements 1.1.2, 1.7.3 and 1.7.4 apply to all machinery covered by this directive.
(2) The essential health and safety requirements laid down in this Directive are mandatory. However, taking into account the state of the art, it may not be possible to meet the objectives set by them. In this case, the machinery must as far as possible be designed and constructed with the purpose of approaching those objectives.
(3) The essential health and safety requirements have been grouped according to the hazards which they cover. Machinery presents a series of hazards which may be indicated under more than one heading in this Annex. The manufacturer is under an obligation to assess the hazards in order to identify all of those which apply to his machine; he must then design and construct it taking account of this assessment.

• EN Standards and Harmonized Standards
Standards for countries in the European region are unified by CEN and CENELEC. The unified standards are called European Norms (EN), and "EN" is added to the front of the standard numbers. When new EN Standards are established, each country in the region must replace its relevant domestic standard with the EN Standard, normally within six months. In addition to official EN Standards, Drafts of European Standards (prEN), Harmonization Documents (HD), European Pre-standards (ENV), and CEN Reports (CR) are also published. Recently, IEC and ISO standards have also been adopted as EN standards under the WTO TBT Agreement.
Conformity with a Harmonized standard is used for many machines as a "presumption of conformity" to the EC Directives.
The applicable standards for a given product are not indicated in the individual EC Directives. The list of EN Standards that can apply to each directive is published separately in the Official Journal of the European Communities (OJEC). The EN standards listed in this Official Journal are called "Harmonized standards." Manufacturers therefore need to determine the design specifications based on the EN Standards published in the OJEC.

• Relation between the EC Directives, EN Standards, and CE Marking
[Figure: EC Directive and EN Standards together lead to the CE Marking.]
As explained above, all relevant EC Directives must be satisfied for a product to be labeled with the CE Marking. EN Standards complement the EC Directives. Satisfying the EN Standards alone, however, does not result in the EC Directives being satisfied.
Countermeasures for product liability are mainly required in instructions and catalogs.

• Product Liability
The General Product Safety Directive and the Product Liability Directive are complementary regulations, but their scope is not identical. The Product Liability Directive applies to virtually all products, while the General Product Safety Directive applies only to new, used, and reconditioned products intended for or used by consumers.
Both regulations, however, include areas of uncertainty. Therefore, to be especially careful, a manufacturer must compare the individual provisions of all directives that apply to its product.

114
• Structure of Standards Related to Machinery Safety

Type A Standards (Basic Safety Standards)
Standards related to basic concepts and design concepts that can be applied to all machinery.
EN ISO 12100 : Basic Concepts, General Principles for Design - Risk Assessment and Risk Reduction.

Type B Standards (Generic Safety Standards)
Standards related to safety and safety equipment that can be applied to different types of machinery.

B1: Standards on particular safety aspects, such as Safe Distances
EN ISO 13855 : The positioning of protective equipment in respect of approach speeds of parts of the human body
EN ISO 13849-1 : Safety-related parts of control systems Part 1: General principles for design
EN1127-1 : Explosive atmospheres - Explosion prevention and protection Part 1: Basic concepts and methodology
EN60204-1 : Electrical equipment of machines Part 1: Specification for general requirements

B2: Standards on safeguards
EN ISO 13850 : Emergency stop equipment - Principles for design
EN574 : Two-hand control devices, functional aspects - Principle for design
EN ISO 14119 : Interlocking Devices Associated with Guards - Principles for Design and Selection
EN ISO 13856-1 : General principles for the design and testing of pressure sensitive mats and pressure sensitive floors
EN61496-1 : Electro-sensitive protective equipment Part 1: General requirements and tests
EN61496-2 : Electro-sensitive protective equipment Part 2: Particular requirements for equipment using active opto-electronic devices
EN60947-1 : Low-voltage switchgear and controlgear Part 1: General rules

Type C Standards (Machine Safety Standards)
Standards that specify detailed safety requirements for specific machinery.
EN 81 Series : Safety rules for the Construction and Installation of Lifts
EN 115 Series : Safety rules for the construction and installation of escalators and passenger conveyors
EN 201 : Rubber and plastic machines - Injection Moulding machines - Safety requirements
EN 415 Series : Safety of packaging machines
EN 422 : Rubber and plastics - Machines - Safety
EN 692 : Mechanical presses - Safety
EN 693 : Hydraulic presses - Safety
EN ISO 10218 Series : Manipulating Industrial robots - Safety
EN 869 : Safety requirements for high pressure metal diecasting units
EN 1010 Series : Technical safety requirements for the design and construction of printing and paper converting machines
EN 1034 Series : Technical safety requirements for the design and construction of paper making and finishing machines (Section 3: winders, slitters, and plying machines)
EN 1114 Series : Extrusion molding machine safety
EN ISO 23125 : Safety of machine tools - turning machines
EN 12417 : Safety of machine tools - machining center
EN 13128 : Safety of machine tools - milling machines

••Main EC Directives for which the CE Marking is mandatory (as of November, 2013)

Directive No.  Directive Name
2006/42/EC  Machinery
2006/95/EC  Low Voltage devices
2004/108/EC  Electromagnetic compatibility (EMC)
2009/105/EC  Simple pressure vessels
94/9/EC  Equipment intended for use in Potentially Explosive Atmospheres (ATEX)
97/23/EC  Pressure Equipment
89/686/EEC  Personal Protective Equipment
95/16/EC  Lifts
99/5/EC  Radio and Telecommunications Terminal Equipment (R&TTE)
2004/22/EC  Measuring instruments
2009/48/EC  Toys
2009/142/EC  Appliances burning gaseous fuels
00/9/EC  Cableway installations designed to carry persons
2011/65/EU  Directive on the Restriction of the use of certain Hazardous Substances in electrical and electronic equipment (recast)
93/15/EEC  Explosives for Civil uses
90/385/EEC  Medical devices: Active implantable
93/42/EEC  Medical devices: General
98/79/EC  Medical devices: In vitro diagnostic
92/42/EEC  Hot-water boilers (efficiency requirement)
2009/23/EC  Non-automatic weighing instruments
94/62/EC  Packaging and packaging waste
94/25/EC  Recreational craft (boats)
••Example of conformity evaluation based on machinery directive

Machines other than Machinery Directive Addendum IV
  Module A (In-house checks)
    Machine specification conformity, ensured operator safety and technical files are checked in-house. (Must use qualified parts for electrical components relating to safety.)
    -> Technical Construction file (TCF)
    -> Declaration of Conformity: declaring machine conformity or incorporation completely at our own responsibility.
    -> Display of CE marking

Machines of the Machinery Directive Addendum IV
  When conforming with Harmonized Standards:
    Module A
      Checking at our own responsibility and implementing Declaration of conformity according to the procedure in Annex VIII (not including Declaration of incorporation).
      -> Certificate of conformity
      -> Technical Construction file (TCF)
      -> Declaration of Conformity: declaring conformity or incorporation based on a certificate of conformity from a third-party testing organization.
      -> Display of CE marking
    Module B
      EC Type-examination and certificate by notified body according to the procedure in Annex IX. In addition, implementing Article 3 of Annex VIII.
      -> EC Type-examination certificate
      -> Technical Construction file (TCF)
      -> Declaration of Conformity: declaring conformity through EC Type-examination certification of an EC notified body.
      -> Display of CE marking
    Module H
      Implementing the complete QA procedure stipulated in Annex X.
      -> Display of CE marking
  When not conforming or partly conforming with the harmonized standards, or when the harmonized standards do not completely include Annex I:
    Module B
      EC Type-examination and certificate by notified body according to the procedure in Annex IX. In addition, implementing Article 3 of Annex VIII.
      -> EC Type-examination certificate
      -> Technical Construction file (TCF)
      -> Declaration of Conformity: declaring conformity through EC Type-examination certificate of an EC notified body.
      -> Display of CE marking
    Module H
      Implementing the complete QA procedure stipulated in Annex X.
      -> Display of CE marking

••Machine requiring EC Type-examination by an EC notified body (Machines equivalent to


the Machinery Directive Addendum IV)
(A) Machines
(1) Circular saw machines for cutting wood (8) Portable chainsaws (17) Lifting device
materials and meat (Single blades/multi- (9) Presses (Have a travel exceeding 6 mm and (18) Portable impact machine
blade) a speed exceeding 30 mm/s) (19) Protective device for human body
(2) Hand-fed surface planing machines for (10) Injection or compression plastics-moulding detection
woodworking machines (20) Power interlock guard used as a protective
(3) Thicknessers for one-side dressing with (11) Injection or compression rubber-moulding measure of the machines (9), (10), and
manual loading and/or unloading for machines (11)
woodworking (12) Machines for underground working (21) Logic units for safety functions
(4) Band saw machines for cutting wood (13) Manually-loaded trucks for the collection (22) Roll-over protection structures
materials and meat of household refuse incorporating a (23) Falling-object protective structures
(5) Combined machines of the types referred compression mechanism
to in (1) to (4) and (7) (14) Transmissions
(6) Tenoning machines (15) Guard for transmissions
(7) Hand-fed vertical spindle moulding machines (16) Vehicles servicing lifts
for working with wood and analogous materials.

116
Annex

(2) The United States of America

••Occupational Safety and Health Administration (OSHA)
The Occupational Safety and Health Act (OSHA) was passed in 1970 to provide safe and healthy working conditions. Part 1910 of Title 29 of the Code of Federal Regulations (29 CFR 1910) gives specific standards. Subpart O of Part 1910 sets standards for machinery and machine guarding, and is divided into Part 1910.211 to Part 1910.219.

Standard No.  Title
1910.211  Definition
1910.212  General requirements for all machines
1910.213  Woodworking machinery requirements
1910.214  Cooperage machinery
1910.215  Abrasive wheel machinery
1910.216  Mills and calenders in the rubber and plastics industries
1910.217  Mechanical power presses
1910.218  Forging machines
1910.219  Mechanical power-transmission apparatus

Part 1910.212 covers general requirements for all machines. The main points in Part 1910.212 are given below.

Paragraph (a)(1)
One or more methods of machine guarding shall be provided to protect the operator and other employees in the machine area from hazards such as those created by point of operation, ingoing nip points, rotating parts, flying chips, and sparks. Examples of guarding methods are barrier guards, two-hand tripping devices, electronic safety devices, etc.

Paragraph (a)(3)(ii)
The point of operation of machines whose operation exposes an employee to injury shall be guarded. The guarding device shall be in conformity with any appropriate standards therefor, or, in the absence of applicable specific standards, shall be so designed and constructed as to prevent the operator from having any part of his body in the danger zone during the operating cycle.

••American National Standards Institute (ANSI)
ANSI is an independent standards organization in the USA. It does not create any standards by itself, but rather approves and registers US standards created in various fields. For example, in 1976 ANSI approved the Underwriters Laboratories (UL), which was established by the fire insurance industry.
Manufacturers of industrial robots in Japan and many other countries worldwide use the requirements for safety of industrial robots and robotic systems given in ANSI/RIA R15.06, which forms the basis of ISO 10218. The ANSI B11.19 safety standards for machine tools were established in 2003 and have become important standards.

1. Safety of Machine Tools
The American Society of Mechanical Engineers (ASME) collaborates in creating ANSI Standards, which are often adopted as ANSI B Standards.
The main safety standards for machine tools are stipulated by ANSI B11.

US Standards (B11 Standards)
Standard No.  Title
ANSI B11.1  Mechanical power presses
ANSI B11.2  Hydraulic power presses
ANSI B11.3  Power press brakes
ANSI B11.4  Shears
ANSI B11.5  Iron workers
ANSI B11.6  Turning machines
ANSI B11.7  Cold headers and cold formers
ANSI B11.8  Drilling, milling and boring machines
ANSI B11.9  Grinding machines
ANSI B11.10  Metal sawing machines
ANSI B11.11  Gear and spline cutting machines
ANSI B11.12  Roll forming and roll bending machines
ANSI B11.13  Automatic bar and chucking machines
ANSI B11.14  Coil slitting machines
ANSI B11.15  Pipe, tube and shape bending machines
ANSI B11.16  Metal powder compacting presses
ANSI B11.17  Horizontal hydraulic extrusion presses
ANSI B11.18  Machines processing or slitting coiled or non-coiled metal
ANSI B11.19  Performance requirements for safeguarding
ANSI B11.20  Integrated manufacturing systems

ANSI B11.19 (Safeguarding when Referenced by the Other B11 Machine Tool Safety Standards - Performance Criteria for the Design, Construction, Care, and Operation) sets standards for barrier guards and is often referenced by other ANSI B11 standards. The main points in B11.19 are given below.

Purposes for Using Safety Equipment
To ensure the safety of operators, safety and protective equipment is designed to prevent any hazardous machine motion or to stop the machine when the operator's hand or other body part enters the hazard zone. The following items are demanded of safety and protective equipment.

1. Interlocked Protective Device
A protective barrier must be installed that is equipped with an interlock function that prevents the machine from operating unless the hazard is eliminated.
Safety-related systems must be provided with a safety function that prevents the machine from starting due to a single fault.
Interlock equipment must be equipped with a tamper-resistant function.

2. Presence-sensing Device
A device equipped with a function that detects the operator's hand or other body part, and outputs a signal to prevent any hazardous machine motion or to stop the machine.
The device must have a single fault detection function.
When mounted in a location that requires adjustment of the operating conditions, a blanking function must be provided.

3. Safety Mat
•• The Safety Mat is a device that detects the presence of an operator who steps on it, and prevents any hazardous machine motion.
•• The device must have a single fault detection function.

2. Safety of Industrial Robots
Safety items demanded of industrial robots by U.S. standards (ANSI/RIA R15.06)

Applicable scope (Section 1)
•• Robot here refers to industrial robots and industrial robot systems.
•• Date of ANSI standard implementation
The standard has been implemented for industrial robots since June 2001.
The standard has been implemented for industrial robot systems since June 2002.

Robot production, modification, re-assembly (Section 4)
•• Electromagnetic compatibility (EMC) countermeasures for electrical devices
•• Safety circuit designs (according to risk categories)
•• Emergency stop buttons shall be shaped to fit the palm of the hand, or mushroom shaped, and shall be red on a yellow background.
•• Enabling devices: 3-position switches

Safety and protective device performance (Section 5)
•• Safeguarding devices: Light Curtains, Safety Mats, two-handed operating devices

Installation of robot and robot systems (Section 6)
•• Software or devices that are to be used with safety devices must be approved by an NRTL (U.S. Nationally Recognized Testing Laboratory).

Safeguarding of personnel (Sections 7, 8, 9, 10)
•• Requirements for reducing risk based on risk assessment
Requirements for robot risk reduction and design according to categories R1, R2 (A, B, C), R3 (A, B), and R4. (These categories differ from those of the ISO 13849-1 international standard.)

Safeguarding devices (Section 11)
•• The safeguarding devices (Section 5) must be installed so that an operator cannot bypass them and access the hazard.

Maintenance of robot and robot systems (Section 12)
•• Establishing continuous safe operation programs

Testing and start-up of robot and robot systems (Section 13)
•• Testing and start-up procedures

Safety training of personnel (Section 14)
•• Training programs

Annex (A to E)
•• B Safety distances and direct opening action switches
•• C Risk assessment

OMRON safety components can be used when constructing safety-related systems conforming with the requirements of ANSI B11.19 and ANSI/RIA R15.06.
••National Fire Protection Association (NFPA)
Some standards created by the NFPA, which was founded for protection from fire and/or fire prevention, are employed by ANSI.

Major standards related to industrial machinery
Standard No.  Title
ANSI/NFPA 70  National Electrical Code (NEC)
ANSI/NFPA 79  Electrical standard for Industrial machinery

(3) Canada

••CSA
Safety standards created by the Canadian Standards Association. These standards cover electrical products, medical devices, machines, appliances, etc.
These regulations on electrical product safety are mandatory standards for electrical products used in Canada, because in all the 10 provinces and 2 territories in Canada electrical machines and appliances used by connecting to a power source, regardless of their types and/or quantity, must conform with the CSA standards for electrical safety.

Major standards applying to machinery
Standard No.  Title
CSA Z431  Basic and Safety Principles for Man-Machine Interface, Marking and Identification-Coding Principles for Indicators and Actuators.
CSA Z432  Safeguarding of Machinery
CSA Z434  Industrial Robots and Robot Systems-General Safety Requirements

••Pre-Start Health And Safety Reviews (PSHSR)
Ontario's provincial law for safety and health, called "Occupational Health and Safety Act R.R.O. 1990, REGULATION 851", includes implementation provisions of a PSHSR review by professional technicians qualified by Employment and Social Development Canada for new machine installations.
(4) Japan

••Industrial Safety and Health Act
The amended Industrial Safety and Health Act went into effect in 2006, with the purpose of providing an environment for the promotion of independent safety and health activities in workplaces. For example, the Act includes requirements to investigate dangers and hazards in the workplace and take necessary measures against them.
The Act incorporates a framework to identify dangers and hazards, evaluate risks, and implement measures to reduce these risks.

••Ordinance on Industrial Safety and Health
Individual hazard prevention standards are stipulated for machine tools, woodworking machines, food processing machines, press machines and shearing machines, centrifugal machines, crushing machines and mixers, rolling mills, high-speed rotating bodies, industrial robots, etc. General standards are also stipulated for all types of machines. One of the articles revised in October 2013 requires that all machines be stopped during adjustment work, for example when clogging occurs.

••Guidelines for Comprehensive Machinery Safety Standards
In July 2007, the Ministry of Health, Labor and Welfare in Japan amended its Guidelines for Comprehensive Standards of Machinery, which were originally issued in June 2001 in response to the basic safety standards provided in ISO 12100. These Guidelines stipulate the procedure for manufacturers to use in reducing safety risks and achieving designs that take safety into consideration in the manufacture of production equipment and machinery, and also request that users provide safety measures when they introduce and use the equipment and machinery.
In other words, the measures that ensure safety in machinery include measures that manufacturers build in at the design stage and measures that users must take when using the machinery. However, the Guidelines also clarify that the measures that manufacturers build in at the design stage must naturally precede the measures taken by the users.
The following diagram shows the flow of achieving machinery safety based on the information in the Guidelines for Comprehensive Machinery Safety Standards.

Safety Procedure for Machinery

Machine Manufacturers etc.
  (1) Implementation of risk assessment *1
    1) Set specifications for machine usage limitations etc.
    2) Identify hazards and hazardous situations for operators when using machines *2
    3) Evaluate the risk associated with each of these hazards
    4) Determine whether appropriate risk reduction measures are in place
  (2) Implementation of Safety Measures
    1) Inherently safe design measures (Attached Table 2)
    2) Safeguarding and complementary protective measures (Attached Tables 3, 4)
    3) Information for use (Attached Table 5)

Transfer/Loan of Machinery (manufacturer to user): supply of information for use
Provision of conditions of order and transfer of information gained through usage (user to manufacturer)

Machine User Businesses
  (1) Implementation of risk assessment
    1) Confirmation of the content of information for use
    2) Identify hazards and hazardous situations for operators when using machines
    3) Evaluate the risk associated with each of these hazards
    4) Determine the priority of risk reduction and whether appropriate risk reduction measures are in place
  (2) Implementation of Safety Measures
    1) Implementation of inherently safe design measures where possible (Attached Table 2)
    2) Implementation of safeguarding and complementary protective measures (Attached Tables 3, 4)
    3) Maintaining work methods, implementing employee training, and using personal protective equipment etc.

Safe Use of Machinery

*1. In the Attachment, "risk assessment" is referred to as "assessment of hazards and dangers".
*2. In the Attachment, "hazards" is referred to as "hazards and dangers".
••JIS
The regulations and standards of individual countries must be brought in line with international standards to remove trade barriers and thus ensure free trade worldwide. To that end, Japan accepted the terms of the World Trade Organization (WTO), becoming a member and signatory to the WTO Agreement as well as the TBT Agreement (Technical Barrier Treatment). In 1995, Japan declared its commitment to a system of global cooperation. Growing pressure to adopt international standards triggered a complete overhaul of the JIS standards, which were enacted under the Industrial Standardization Law, to bring them in line with the framework of the international IEC and ISO standards. The new JIS standards will be shifted to the hierarchical system comprised of type A (basic safety standards), type B (generic safety standards) and type C (machine safety standards) standards so that Japanese standards will conform to international standards.

JIS Standards  Title  International Standards
B 9700: 2013  Safety of machinery - General principles for design - Risk assessment and risk reduction  ISO 12100: 2010
B 9703: 2011  Safety of machinery -- Emergency stop -- Principles for design  ISO 13850: 2006
B 9705-1: 2011  Safety of machinery -- Safety-related parts of control systems - Part 1: General principles for design  ISO 13849-1: 2006
B 9718: 2013  Safety of machinery -- Safety distances to prevent hazard zones being reached by the upper and lower limbs  ISO 13857: 2008
B 9709-1: 2001  Safety of machinery -- Reduction of risks to health from hazardous substances emitted by machinery - Part 1: Principles and specifications for machinery manufacturers  ISO 14123-1: 1998
B 9709-2: 2001  Safety of machinery -- Reduction of risks to health from hazardous substances emitted by machinery - Part 2: Methodology leading to verification procedures  ISO 14123-2: 1998
B 9710: 2006  Safety of machinery -- Interlocking devices associated with guards -- Principles for design and selection  ISO 14119: 1998
B 9711: 2002  Safety of machinery -- Minimum gaps to avoid crushing of parts of the human body  ISO 13854: 1996
B 9712: 2006  Safety of machinery -- Two-hand control devices -- Functional aspects and design principles  ISO 13851: 2002
B 9713-1: 2004  Safety of machinery -- Permanent means of access to machinery - Part 1: Choice of a fixed means of access between two levels  ISO 14122-1: 2001
B 9713-2: 2004  Safety of machinery -- Permanent means of access to machinery - Part 2: Working platforms and walkways  ISO 14122-2: 2001
B 9713-3: 2004  Safety of machinery -- Permanent means of access to machinery - Part 3: Stairs, stepladders and guard-rails  ISO 14122-3: 2001
B 9713-4: 2004  Safety of machinery -- Permanent means of access to machinery - Part 4: Fixed ladders  ISO/FDIS 14122-4: 2000
B 9714: 2006  Safety of machinery -- Prevention of unexpected start-up  ISO 14118: 2000
B 9715: 2013  Safety of machinery -- Positioning of safeguards with respect to the approach speeds of parts of the human body  ISO 13855: 2010
B 9716: 2006  Safety of machinery -- Positioning of protective equipment with respect to the approach of parts of the human body  ISO 14120: 2002
B 9960-1: 2008/A1: 2011  Safety of machinery -- Electrical equipment of machines - Part 1: General requirements  IEC 60204-1: 2005/A1: 2008
B 9961: 2008  Safety of machinery -- Functional safety of safety-related electrical, electronic and programmable electronic control systems  IEC 62061: 2005
B 9704-1: 2006/A1: 2011  Safety of machinery -- Electro-sensitive protective equipment - Part 1: General requirements and tests  IEC 61496-1: 2004/A1: 2007
B 9704-2: 2008  Safety of machinery -- Electro-sensitive protective equipment - Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPDs)  IEC 61496-2: 2006
B 9704-3: 2004  Safety of machinery -- Electro-sensitive protective equipment - Part 3: Particular requirements for Active Opto-electronic Protective Devices responsive to Diffuse Reflection (AOPDDR)  IEC 61496-3: 2001
B 9706-1: 2009  Safety of machinery -- Indication, marking and actuation - Part 1: Requirements for visual, acoustic and tactile signals  IEC 61310-1: 2007
B 9706-2: 2009  Safety of machinery -- Indication, marking and actuation - Part 2: Requirements for marking  IEC 61310-2: 2007
B 9706-3: 2009  Safety of machinery -- Indication, marking and actuation - Part 3: Requirements for the location and operation of actuators  IEC 61310-3: 2007
TS B 62046: 2010  Safety of machinery -- Application of protective equipment to detect the presence of persons  IEC/TS 62046: 2008
C 0508-1: 2012  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements  IEC 61508-1: 2010
C 0508-2: 2000  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems  IEC/CDV 61508-2: 1998
C 0508-3: 2000  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements  IEC/FDIS 61508-3: 1998
C 0508-4: 2012  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations  IEC 61508-4: 2010
C 0508-5: 1999  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels  IEC/FDIS 61508-5: 1998
C 0508-6: 2000  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of parts 2 and 3  IEC/CDV 61508-6: 1998
C 0508-7: 2000  Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 7: Overview of techniques and measures  IEC/CDV 61508-7: 1998
(As of November 2013)
(5) China

••GB
Chinese national standards (GB: Guojia Biaozhun)
Standards for electrical equipment are produced based on IEC standards.

Structure of National Standards
Standard  Administrator
GB  Mandatory National Standards  Standardization Administration of the People's Republic of China
GB/T  Voluntary National Standards  Standardization Administration of the People's Republic of China

Mandatory National Standards (GB: Guojia Biaozhun)  International Standards
GB 16754-2008  Safety of machinery -- Emergency stop -- Principles for design  ISO 13850 : 2006
GB 18209.1/2/3-2010  Safety of machinery -- Indication, marking and actuation  IEC 61310-1/2/3 : 2007
GB 23821-2009  Safety of machinery -- Safety distances to prevent hazard zones being reached by the upper and lower limbs  ISO 13857 : 2008
GB 12265.3-1997  Safety of machinery -- Minimum gaps to avoid crushing of parts of the human body  ISO 13854 : 1996
GB 17888.1/2/3/4-2008  Safety of machinery -- Permanent means of access to machinery  ISO 14122-1/2/3 : 2001, ISO 14122-4 : 2004
GB 5226.1-2008  Safety of Machinery -- Electrical equipment of machines - Part 1: General requirements  IEC 60204-1 : 2005
GB 19436.2-2013  Safety of Machinery -- Electro-sensitive protective equipment - Part 2: Particular requirements for equipment using active opto-electronic protective devices  IEC 61496-2 : 2006
GB 28526-2012  Safety of Machinery -- Functional safety of safety-related electrical, electronic and programmable electronic control systems  IEC 62061 : 2005

Voluntary National Standards (GB/T: Guojia Biaozhun/Tuijian)  International Standards
GB/T 15706-2012  Safety of machinery -- General principles for design - Risk assessment and risk reduction  ISO 12100 : 2010
GB/T 19436.1-2013  Safety of machinery -- Electro-sensitive protective equipment - Part 1: General requirements and tests  IEC 61496-1 : 2008
GB/T 16855.1-2008  Safety of machinery -- Safety-related parts of control systems - Part 1: General principles for design  ISO 13849-1 : 2006
GB/T 16855.2-2007  Safety of machinery -- Safety-related parts of control systems - Part 2: Validation  ISO 13849-2 : 2003
GB/T 18831-2010  Safety of machinery -- Interlocking devices associated with guards - Principles for design and selection  ISO 14119 : 1998/A1 : 2007
GB/T 19876-2012  Safety of machinery -- Positioning of safeguards with respect to the approach speeds of parts of the human body  ISO 13855 : 2010
GB/T 20438.1/2/3/4/5/6/7-2006  Functional safety of electrical/electronic/programmable electronic safety-related systems  IEC 61508-1/3/4/5 : 1998, IEC 61508-2/6/7 : 2000
(As of November 2013)
••CCC (6) South Korea


CCC: China Compulsory Certification mark system
••KS
Upon its entry into the World Trade Organization South Korea became a WTO member and signatory to the TBT

Technical Guide
(WTO) in 2001, China integrated its former Agreement (Technical Barrier Treatment) in 1995, the year the WTO
Product Safety Certification System for Imported was created, and declared its commitment to a system of global
Items (CCIB mark) and Product Safety cooperation. As a result, the Korean Industrial standards (KS) were
Certification System for Items Distributed within established by the Industrial Standardization Law as part of an
CCC mark China (CCEE mark), and issued the China overall obligation to employ international standards, and are in line
Compulsory Product Certification System

Chap. 1
with the framework of the international IEC and ISO standards.
(Abbreviated name: CCC mark) on December 3, 2001, which took
effect on May 1, 2002. ••KCs Marking System
On August 1, 2003 it became prohibited to sell, import, or use ISHL (Industrial Safety and Health Low), Article
products of the items subject to the compulsory certification 34 requires safety certification for harmful or

Chap. 2
system that do not meet either of the following conditions: having a hazardous machines, appliances, and
certificate from the specified verification organization and displaying equipment. Eleven machine/appliance items,
China Compulsory Certification mark (CCC mark). eight safeguard items, and twelve personal

Chap. 3
Products subject to the compulsory certification system: the "First protective equipment items are subject to
list of the compulsory certification products" is expanded from safety certification (as of March, 2013).
132 products in 19 groups (2003) to 157 products in 22 groups Also the Article 35 in force since March 1, 2013 stipulates the
(revised in December, 2012). You can view the detailed item list in Self-regulatory Safety Confirmation System. Manufacturers of

Chap. 4
the Certification and Accreditation Administration of the People's machines/appliances subject to this system are required to confirm
Republic of China web page (http://www.cnca.gov.cn/cnca/).
Products manufactured and certificated outside China must display the China Compulsory Certification mark (CCC mark) before being imported to China, while products manufactured and certificated within China must display it when being shipped from the factory.
For details of CCC-certificated models, refer to each catalog or contact an OMRON sales representative.

Electric wires and cables

Electric circuit switches, electronic equipment for protection or connection use
GB | International Standards
GB 14048.5-2008 | IEC 60947-5-1-2003
GB/T 14048.10-2008 | IEC 60947-5-2-2004
GB 14048.3-2008 | IEC 60947-3-2005
GB 14048.2-2008 | IEC 60947-2-2006
GB 14048.4-2010 | IEC 60947-4-1-2009

Low-voltage electrical equipment
GB | International Standards
GB 14048.5-2008 | IEC 60947-5-1-2003
GB 14048.6-2008 | IEC 60947-4-2-2002
and others

conformity and submit conformed document. Twenty-four machine/appliance product items, eight safeguard items, and four personal protective equipment items are subject to the Self-regulatory Safety Confirmation System (as of March, 2013).
Products that obtain a safety certification and products whose Self-regulatory Safety Confirmation System document is accepted must display a KCs mark.

••S-mark
The S-mark is a voluntary certification system established in November 1997 by the Korea Occupational Safety and Health Agency (KOSHA) to reduce the occurrence of work-related accidents. The S-mark is granted for products that have been examined by KOSHA and are deemed to satisfy standards based on the Industrial Safety Maintenance Law, Article 34, item 2, for product safety, product reliability, and the quality control capabilities of the manufacturer. Products that obtain S-mark certification are not required to submit a Self-regulatory Safety Confirmation System document, even if they are also subject to the Self-regulatory Safety Confirmation System.
The requirements are divided into Safety and EMC. In the case of OMRON, "Safety Components" have been certified for both safety and EMC, and basic sensors have received EMC certification.
For details of certified models, refer to each catalog or contact an OMRON sales representative.


(7) Australia
••AS (Australian standard)
Industrial standards created by the Standards Association of Australia

The AS 4024.1 series is used as the safety standards applied to machinery. These standards are divided into 26 parts and are created based on ISO standards and IEC standards.

Safety principles
AS 4024.1101 Terminology - General
AS 4024.1201 Basic terminology and methodology
AS 4024.1202 Technical principles

Risk assessment
AS 4024.1301 Principles of risk assessment
AS 4024.1302 Reduction of risks to health and safety from hazardous substances emitted by machinery - Principles and specification for machinery manufacturers

Ergonomic principles
AS 4024.1401 Design principles - Terminology and general principles

Design of safety related parts of control systems
AS 4024.1501 General principles
AS 4024.1502 Validation

Design of controls, interlocks and guarding
AS 4024.1601 Guards - General requirements for the design and construction of fixed and moveable guards
AS 4024.1602 Principles for design and selection
AS 4024.1603 Prevention of unexpected start-up
AS 4024.1604 Emergency stop - Principles for design

Human body measurements
AS 4024.1701 Basic human body measurements for technological design
AS 4024.1702 Principles for determining the dimensions required for openings for whole body access to machinery
AS 4024.1703 Principles for determining the dimensions required for access openings
AS 4024.1704 Anthropometric data

Safety distances and safety gaps
AS 4024.1801 Safety distances to prevent danger zones being reached by the upper limbs
AS 4024.1802 Safety distances to prevent danger zones being reached by the lower limbs
AS 4024.1803 Minimum gaps to prevent crushing of parts of the human body

Ergonomic requirements for the design of displays and control actuators
AS 4024.1901 General principles for human interaction with displays and control actuators
AS 4024.1902 Displays
AS 4024.1903 Control actuators

Indication, marking and actuation
AS 4024.1904 Requirements for visual, auditory and tactile signs
AS 4024.1905 Requirements for marking
AS 4024.1906 Requirements for the location and operation of actuators
AS 4024.1907 System of auditory and visual danger and information signals
(As of November 2013)


(8) Relationships between Standard Numbers of Individual Countries and International Standards

Versions are different for each country.

Item | Japan | Europe | U.S.A. | Canada | China | South Korea | Australia
TBT Agreement (WTO signatory) | ○ | ○ | ○ | ○ | ○ | ○ | ○

International standards | National standards
ISO 12100-1 | JIS B 9700-1 | EN ISO 12100-1 | ANSI/ISO 12100-1 | ── | GB/T 15706.1 | KS B ISO 12100-1 | AS 4024.1201
ISO 12100-2 | JIS B 9700-2 | EN ISO 12100-2 | ANSI/ISO 12100-2 | ── | GB/T 15706.2 | KS B ISO 12100-2 | AS 4024.1202
ISO 14121 | JIS B 9702 | EN ISO 14121 | ── | ── | GB/T 16856 | KS B ISO 14121 | AS 4024.1301
ISO 13849-1 | JIS B 9705-1 | EN ISO 13849-1 | ── | ── | GB/T 16855.1 | KS B ISO 13849-1 | AS 4024.1501
ISO 13850 | JIS B 9703 | EN ISO 13850 | ── | ── | GB 16754 | KS B ISO 13850 | AS 4024.1604
ISO 13852 | JIS B 9707 | EN ISO 13852 | ── | ── | GB 12265.1 | KS B ISO 13852 | AS 4024.1801
ISO 13853 | JIS B 9708 | EN ISO 13855 | ── | ── | GB 12265.2 | KS B ISO 13853 | AS 4024.1802
ISO 13857*1 | ── | EN ISO 13857*1 | ── | ── | ── | ── | ──
ISO 13854 | JIS B 9711 | EN 349 | ── | ── | GB 12265.3 | KS B ISO 13854 | AS 4024.1803
ISO 13855 | JIS B 9715 | EN ISO 13855 | ── | ── | ── | KS B ISO 13855 | AS 4024.2
IEC 60204-1 | JIS B 9960-1 | EN 60204-1 | ── | ── | GB 5226.1 | KS C IEC 60204-1 | AS 60204.1
IEC 61496-1 | JIS B 9704-1 | EN 61496-1 | UL 61496-1 | CSA-E61496-1 | GB/T 19436.1 | KS C IEC 61496-1 | AS 4024.2
IEC 61310-1 | JIS B 9706-1 | EN 61310-1 | ── | ── | GB 18209.1 | KS C IEC 61310-1 | AS 4024.1904
IEC 61310-2 | JIS B 9706-2 | EN 61310-2 | ── | ── | GB 18209.2 | KS C IEC 61310-2 | AS 4024.1906
IEC 61310-3 | JIS B 9706-3 | EN 61310-3 | ── | ── | GB 18209.3 | KS C IEC 61310-3 | AS 4024.1907
Certification mark | ── | CE-Mark *2 | UL *3 | CSA *3 | CCC *4 | S-Mark *5 | ──
(As of November 2013)

*1. A standard integrating ISO 13852 and ISO 13853
*2. Self-declaration is allowed for general machines in the Machinery Directive.
*3. UL and CSA are mutual certification systems.
*4. As of November 2013. Certification is not required for the field of industrial machinery.
*5. S-mark certification requires Labor Department approval of safety certification regulations in addition to standards conformity.


(9) Industry Standards

••Semiconductor Manufacturing Equipment Guideline SEMI Standards
SEMI, which is an abbreviation of Semiconductor Equipment and Materials International, was established in 1970 as an international industry association for semiconductor manufacturing equipment and materials manufacturers. SEMI standards have been established as independent industry standards. There are separate standards for materials (M Series), Facilities (F Series), Flat Panel Displays (D Series), and Traceability (T Series), and the S Series governs environment, health and safety (EHS). These standards have been employed by many equipment users, primarily in the United States. Their headquarters are in California, and there are 11 offices in 8 countries around the world, including in Tokyo.

Structure of SEMI S Series

Item | Content
SEMI S1 | Safety Guideline for Equipment Safety Labels
SEMI S2 | Environmental, Health, and Safety Guideline for Semiconductor Manufacturing Equipment
SEMI S3 | Safety Guidelines for Process Liquid Heating System
SEMI S4 | Safety Guideline for the Separation of Chemical Cylinders Contained in Dispensing Cabinets
SEMI S5 | Safety Guideline for Sizing and Identifying Flow Limiting Devices for Gas Cylinder Valves
SEMI S6 | EHS Guideline for Exhaust Ventilation of Semiconductor Manufacturing Equipment
SEMI S7 | Safety Guidelines for Environmental, Safety, and Health (ESH) Evaluation of Semiconductor Manufacturing Equipment
SEMI S8 | Safety Guidelines for Ergonomics Engineering of Semiconductor Manufacturing Equipment
SEMI S9 (revoked) | Guide to Electrical Design Verification Tests for Semiconductor Manufacturing Equipment
SEMI S10 | Safety Guideline for Risk Assessment and Risk Evaluation Process
SEMI S11 | Environmental, Safety, and Health Guidelines for Semiconductor Manufacturing Equipment Mini-environments
SEMI S12 | Guidelines for Equipment Decontamination
SEMI S13 | Environmental, Health and Safety Guideline for Documents Provided to the Equipment User for Use with Semiconductor Manufacturing Equipment
SEMI S14 | Safety Guidelines for Fire Risk Assessment and Mitigation for Semiconductor Manufacturing Equipment
SEMI S15 (revoked) | Safety Guideline for the Evaluation of Toxic and Flammable Gas Detection Systems
SEMI S16 | Guide for Semiconductor Manufacturing Equipment Design for Reduction of Environmental Impact at End of Life
SEMI S17 | Safety Guideline for Unmanned Transport Vehicle (UTV) Systems
SEMI S18 | Environmental, Health and Safety Guideline for Silane Family Gases Handling
SEMI S19 | Safety Guideline for Training of Semiconductor Manufacturing Equipment Installation, Maintenance and Service Personnel
SEMI S20 (revoked) | Safety Guideline for Identification and Documentation of Energy Isolation Devices for Hazardous Energy Control
SEMI S21 | Safety Guideline for Worker Protection
SEMI S22 | Safety Guideline for the Electrical Design of Semiconductor Manufacturing Equipment
SEMI S23 | Safety Guideline for Conservation of Energy, Utilities and Materials used by Semiconductor Manufacturing Equipment
SEMI S24 | Safety Guideline for Multi-Employer Work Areas
SEMI S25 | Safety Guideline for Hydrogen Peroxide Storage & Handling Systems
SEMI S26 | Environmental, Health, and Safety Guideline for FPD Manufacturing System
SEMI S27 | Safety Guideline for the Contents of Environmental, Safety, and Health (ESH) Evaluation Reports
SEMI S28 | Safety Guideline for Robots and Load Ports Intended for Use in Semiconductor Manufacturing Equipment
SEMI S29 | Safety Guideline for Fluorinated Greenhouse Gas (F-GHG) Emission Characterization and Reduction
(As of November 2013)


2. Description of Safety Component-related Standards

(1) Description of Standard

This section describes the international standards in the order of the standard number, and lists the corresponding European EN numbers and JIS standard numbers. (As of November 2013)

ISO 12100:2010
Safety of machinery - General principles for design - Risk assessment and risk reduction
EN standards: EN ISO 12100:2010
JIS standards: JIS B 9700
• Description
Standards integrating ISO 12100-1, ISO 12100-2, and ISO 14121.

ISO 12100-1
Basic concepts, general principles for design
Part 1: Basic terminology, methodology
EN standards: EN ISO 12100-1
JIS standards: JIS B 9700-1
• Description
This part of these standards defines the basic concepts of machinery safety and stipulates safety design procedures.
These standards were merged with ISO 12100-2 and ISO 14121 into ISO 12100 and revoked in 2010.
• Main Points
(1) Machinery hazards are classified as follows: mechanical hazards, electrical hazards, thermal hazards, hazards generated by noise, hazards generated by vibrations, hazards generated by radiation, hazards generated by materials and substances, and hazards generated by neglecting ergonomic principles in machine design.
(2) Identify the preceding hazards and apply safety design procedures to reduce risks.
Step 1: Specify the operating range of the machine.
Step 2: Identify the hazardous events and assess the risks.
Step 3: Use inherently safe design to remove hazards and reduce risks as much as possible.
Step 4: Design guards, safety equipment, and other safeguards against any residual risks.
Step 5: Inform and warn users about any residual risks.

ISO 12100-2
Basic concept, general principles for design
Part 2: Technical principles
EN standards: EN ISO 12100-2
JIS standards: JIS B 9700-2
• Description
This part of these standards describes the safety design procedures stipulated in part 1 in greater detail.
These standards were merged with ISO 12100-1 and ISO 14121 into ISO 12100 and revoked in 2010.
• Main Points
This part of these standards takes step 3 (Use inherently safe design to remove hazards and reduce risks as much as possible.), step 4 (Design guards, safety equipment and other safeguards against any residual risks.), and step 5 (Inform and warn users about any residual risks.) given in part 1 and describes them in greater detail.

ISO 13849-1
Safety-related parts of control systems
Part 1: General principles for design
EN standards: EN ISO 13849-1
JIS standards: JIS B 9705-1
• Description
These standards apply to control systems where safety is a concern.
• Main Points
(1) These standards consider the anticipated degree of injury (light to serious) and the probability of injury (rare to common) in determining the hazard level of machinery.
(2) These standards classify hazard levels in five categories and stipulate the safety functions that control systems should have in every category.


ISO 13849-2
Safety-related parts of control systems
Part 2: Validation
EN standards: EN ISO 13849-2
• Description
Regarding the verification of the conformity of claims in relation to ISO 13849-1 categories.
• Main Points
In order to verify conformity to the category claims, the following should be specified:
(1) Guidelines for validity testing and inspections
(2) General considerations at time of design
(3) List of failures and failure exclusion criteria
(4) Test and test results or report

ISO 13850
Emergency stop - Principles for design
EN standards: EN ISO 13850
JIS standards: JIS B 9703
• Description
These standards stipulate principles used to design emergency stop devices.
• Main Points
(1) Electrical emergency stop devices must conform with IEC 60947-5-5.
(2) Stop category must be 0 or 1.
(3) The emergency stop devices must be placed where operators can access them easily and can operate them without exposure to hazards.

ISO 13851
Two-hand control devices, Functional aspects and design principles
EN standards: EN 574
JIS standards: JIS B 9712
• Description
These standards stipulate safety requirements related to the design and selection of two-hand control devices.
• Main Points
(1) Stipulates dimensions for prevention of defeat.
(2) An output signal shall be generated only when both control actuating devices are actuated within 0.5 s of each other.
(3) Classifies devices by type (type I, II, IIIA, IIIB and IIIC), with the risk assessment results as the basis for selecting devices.

ISO 13855
Positioning of safeguards with respect to the approach speeds of parts of the human body
EN standards: EN ISO 13855
JIS standards: JIS B 9715
• Description
These standards stipulate the minimum distance that must be provided between hazardous parts of machinery and protective equipment. Referred to as the safe distance, this distance is calculated from the operator approaching direction, the protective equipment response time, the machine response time, and the minimum object size detectable by the protective equipment.
• Main Points
(1) These standards apply when individual machine standards do not prescribe the method used to calculate the minimum distance.
(2) Protective equipment must be selected with a detection performance level capable of maintaining a minimum distance so that machines can be stopped before they pose a hazard to operators.

ISO 13856-1
Pressure-sensitive protective devices
Part 1: General principles for design and testing of pressure-sensitive mats and pressure-sensitive floors
EN standards: EN 1760-1
JIS standards: JIS B 9717-1
• Description
These standards stipulate requirements for mats and floors that detect a hazardous condition as a safety device protecting operators from hazardous machines when an operator steps on them.
• Main Points
(1) These mats must detect operators with a weight of 35 kg or more.
(2) The controller units must be category 2 or higher.
(3) The enclosure rating of the mats must be IP54 or higher.

ISO 13856-2
Pressure-sensitive protective devices
Part 2: General principles for the design and testing of pressure-sensitive edges and pressure-sensitive bars
EN standards: EN 1760-2
• Description
These standards stipulate requirements for edges and bars that detect a hazardous condition as a safety device protecting operators from hazardous machines when an operator presses them.
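The safe-distance calculation that the ISO 13855 entry above describes, worked as an added example (this is not the guide's or OMRON's code): it applies the formula S = K × T + C from ISO 13855 for a light curtain approached perpendicular to its detection zone, where K is the assumed approach speed, T the sum of the protective equipment response time and the machine stopping time, and C an allowance derived from the curtain's resolution d. The constants (2000 mm/s, C = 8(d − 14), the 100 mm and 500 mm floors, and the 1600 mm/s recalculation) are taken from the standard as generally published; the timing and resolution values in the code are constructed samples.

```python
"""Safety (minimum) distance for a light curtain per ISO 13855, normal approach.

Added example, not OMRON's code. S = K * T + C, where T is the total stopping
time (protective equipment response + machine stopping time), K the assumed
approach speed and C the allowance for reaching through the detection zone
before it is interrupted. Constants follow ISO 13855 for electro-sensitive
protective equipment approached perpendicular to the detection zone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StoppingPerformance:
    """Response chain of protective device and machine, in seconds."""
    espe_response_s: float   # t1: light curtain response time (from its data sheet)
    machine_stop_s: float    # t2: machine stopping time incl. safety relay/controller

    @property
    def total_s(self) -> float:
        return self.espe_response_s + self.machine_stop_s


def intrusion_allowance_mm(resolution_mm: float) -> float:
    """C for normal approach: 8 * (d - 14) mm for d <= 40 mm, 850 mm for 40 < d <= 70 mm."""
    if resolution_mm <= 40:
        return max(8.0 * (resolution_mm - 14.0), 0.0)
    if resolution_mm <= 70:
        return 850.0
    raise ValueError("resolution above 70 mm needs a different ISO 13855 rule")


def safety_distance_mm(perf: StoppingPerformance, resolution_mm: float) -> float:
    """Minimum distance from the detection zone to the hazard zone, in mm."""
    t = perf.total_s
    c = intrusion_allowance_mm(resolution_mm)
    if resolution_mm > 40:
        # Coarse resolution (40 < d <= 70 mm): K = 1600 mm/s, C = 850 mm.
        return 1600.0 * t + c
    # Fine resolution (d <= 40 mm): first try K = 2000 mm/s, minimum 100 mm.
    s = max(2000.0 * t + c, 100.0)
    if s > 500.0:
        # Above 500 mm the standard allows K = 1600 mm/s, but S stays >= 500 mm.
        s = max(1600.0 * t + c, 500.0)
    return s


def placement_is_adequate(actual_mm: float, perf: StoppingPerformance,
                          resolution_mm: float) -> bool:
    """True if the installed distance meets or exceeds the required S."""
    return actual_mm >= safety_distance_mm(perf, resolution_mm)


if __name__ == "__main__":
    # Constructed sample values: 20 ms curtain response, 150 ms machine stop.
    perf = StoppingPerformance(espe_response_s=0.020, machine_stop_s=0.150)
    for d in (14, 30, 50):
        print(f"d={d} mm: S = {safety_distance_mm(perf, d):.0f} mm")
    # A curtain mounted 400 mm from the hazard passes with 14 mm resolution
    # (S = 340 mm) but not with a 30 mm resolution unit (S = 468 mm).
    print(placement_is_adequate(400, perf, 14))
    print(placement_is_adequate(400, perf, 30))
```

The same stopping time therefore needs a longer distance for a coarser curtain, which is the selection point made in Main Point (2) above.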
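The synchronous-actuation rule in the ISO 13851 entry above (output only when both control actuating devices are actuated within 0.5 s of each other), modelled as an added example that is not the guide's or OMRON's code. It goes beyond the text in one respect: it also applies the release and re-initiation rules of ISO 13851 (release of either device ends the output; both devices must be released before a new output can start), so a device held down permanently cannot be combined with repeated single presses. The sample sequence is constructed.

```python
"""Two-hand control output logic per ISO 13851 (synchronous actuation).

Added example, not OMRON's code. Rules modelled:
  - output only while both devices are held AND they were pressed within 0.5 s
    of each other;
  - releasing either device ends the output;
  - after any release, or an attempt that missed the window, both devices must
    be released before a new output can be initiated.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYNC_WINDOW_S = 0.5   # maximum delay between the two actuations


@dataclass
class TwoHandControl:
    a_pressed: bool = False
    b_pressed: bool = False
    a_edge_t: Optional[float] = None   # time of the latest press of device A
    b_edge_t: Optional[float] = None   # time of the latest press of device B
    armed: bool = True                  # both released since the last output/attempt
    output: bool = False

    def update(self, t: float, a: bool, b: bool) -> bool:
        """Feed the sampled actuator states at time t (seconds); return the output."""
        if a and not self.a_pressed:
            self.a_edge_t = t
        if b and not self.b_pressed:
            self.b_edge_t = t
        self.a_pressed, self.b_pressed = a, b

        if not a and not b:
            self.armed = True        # full release re-arms the device
            self.output = False
        elif not (a and b):
            self.output = False      # release of either device ends the output
        elif not self.output:
            if self.armed and abs(self.a_edge_t - self.b_edge_t) <= SYNC_WINDOW_S:
                self.output = True   # synchronous actuation: start the output
            # Any attempt, successful or not, consumes the arming, so a device
            # that is tied down cannot be paired with repeated single presses.
            self.armed = False
        return self.output


def run(samples: List[Tuple[float, bool, bool]]) -> List[bool]:
    """Apply a sequence of (time, A, B) samples; return the output after each."""
    thc = TwoHandControl()
    return [thc.update(t, a, b) for t, a, b in samples]


if __name__ == "__main__":
    # Constructed scenario: valid cycle, early release, defeat attempt, valid cycle.
    scenario = [
        (0.0, True, False), (0.3, True, True), (1.0, True, True),    # within 0.3 s: output
        (1.5, True, False), (1.6, True, True),                       # B released; re-press ignored
        (2.0, False, False),                                         # both released: re-armed
        (3.0, True, False), (3.8, True, True),                       # 0.8 s apart: no output
        (4.0, False, False), (5.0, True, False), (5.4, True, True),  # valid again
    ]
    for (t, a, b), out in zip(scenario, run(scenario)):
        print(f"t={t:.1f}s A={int(a)} B={int(b)} -> output={int(out)}")
```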


ISO 14119
Interlocking devices associated with guards - Principles for design and selection
EN standards: EN ISO 14119
JIS standards: JIS B 9710
• Description
These standards stipulate general design and selection principles for equipment that uses interlocking devices for safety.
• Main Points
(1) There are two types of interlocking devices: those with and those without a guard lock.
(2) The guard must not allow machinery to operate until it is closed, and it sends a stop command if it is open.

ISO 14121
Principle of risk assessment
EN standards: EN ISO 14121
JIS standards: JIS B 9702
• Description
These standards pertain to risk assessment in the safety design procedures described in ISO 12100-1. These standards were merged with ISO 12100-1 and ISO 12100-2 into ISO 12100 and revoked in 2010.
• Main Points
Risk assessment is performed using the following systematic methodology:
A) Determine how the machinery will be used.
B) Check foreseeable hazardous events.
C) Identify risk elements based on hazardous events.
D) Assess the risk and design accordingly to reduce the risk.

IEC 60204-1
Electrical equipment of machines
Part 1: General requirements
EN standards: EN 60204-1
JIS standards: JIS B 9960-1
• Description
This part of these standards applies to electrical equipment with a maximum rated power supply voltage of 1,000 VAC or 1,500 VDC between lines or a maximum rated frequency of 200 Hz.
• Main Points
This part of these standards stipulates all elements required in electrical equipment for machines, including the control circuits, functions, devices, safety measures, and technical documents related to the installation, operation, and maintenance of electrical and electronic equipment in machines.

IEC 60947-5-1
Low-voltage switchgear and controlgear
Part 5-1: Control circuit devices and switching elements - Section one: Electromechanical control circuit devices
EN standards: EN 60947-5-1
JIS standards: JIS C 8201-5-1
• Description
This part of these standards applies to control circuit devices and switching elements that are produced to control, signal, and interlock switching and control devices. It applies to control circuits with a maximum rated voltage of 600 VDC or 1,000 VAC (a maximum frequency of 1,000 Hz).
• Main Points
(1) This part of these standards consists of General Requirements, Special Requirements for Indicators, and Special Requirements for direct opening action.
(2) It contains provisions such as switching capacity, temperature rise, terminal strength, protective structures, and direct opening action.

IEC 60947-5-5
Low-voltage switchgear and controlgear
Part 5-5: Control circuit devices and switching elements - Electrical emergency stop device with mechanical latching function
EN standards: EN 60947-5-5
JIS standards: JIS C 8201-5-5
• Description
These standards stipulate the electrical/mechanical structure of emergency stop switches with a latching mechanism.
• Main Points
(1) Switches must have a direct opening action.
(2) Switches must have a latching mechanism.
(3) The operative parts must be structured to allow easy access to the mushroom-shaped pushbuttons, wires, and ropes.
(4) The operative parts must be red on a yellow background.


IEC 60947-5-8
Low-voltage switchgear and controlgear
Part 5-8: Control circuit devices and switching elements - Three-position enabling switches
EN standards: EN 60947-5-8
JIS standards: JIS C 8201-5-8
• Description
An IEC 60947-5 Series standard that stipulates 3-position enabling switches for enabling devices under the IEC 60204-1 standard.
It does not apply to the devices that employ them, such as teaching pendants or grip switches, but only to the built-in enabling switches themselves.
• Main Points
(1) Stipulates electrical properties such as withstand voltage and insulation, and operating characteristics such as operating stroke and load.
(2) The 3-position enabling switch verification mark has been changed.

IEC 61310-1
Indication, marking and actuation
Part 1: Requirements for visual, acoustic and tactile signals
EN standards: EN 61310-1
JIS standards: JIS B 9706-1
• Description
This standard sets out specific requirements regarding visual, audio and tactile methods for providing safety related information to operators and to those who may be placed in dangerous situations.
• Main Points
(1) Separate signals into passive and active
(2) Visual spectrum, brightness, and contrast ratio
(3) Meaning of colors and the shape of markings, and examples of forms that can be discerned by touch alone
(4) Operating switch symbols
(5) Shape, color and dimensions of safety markings (prohibitions, warnings, information etc.)

IEC 61310-2
Indication, marking and actuation
Part 2: Requirements for marking
EN standards: EN 61310-2
JIS standards: JIS B 9706-2
• Description
This standard sets out the identification of machines, and markings to ensure safe use and the reduction of danger from incorrect connections.
• Main Points
(1) Regulations regarding manufacturer information (manufacturer name, address etc.) and rating information (power supply range, maximum speed etc.)
(2) Regulations regarding necessary markings such as for AC, DC and earthing

IEC 61310-3
Indication, marking and actuation
Part 3: Requirements for the location and operation of actuators
EN standards: EN 61310-3
JIS standards: JIS B 9706-3
• Description
Specifies safety issues for actuators that are operated by hand or by human control.
• Main Points
(1) Set up away from dangers, and avoid ambiguous operations. Also, be sure that operation does not create alternative risks.
(2) Design so that clockwise rotation of handles and lifting action of levers increase the output, so that the operator is better aware of the resulting operation.
(3) Two-handed operating controls and enabling devices where necessary.


IEC 61496-1
Electro-sensitive protective equipment
Part 1: General requirements and tests
EN standards: EN 61496-1
JIS standards: JIS B 9704-1
• Description
These standards apply to devices, such as safety sensors and safety light curtains, that detect the presence of operators electrically and output a control signal for their protection. They stipulate items like fault detection performance, software design policy, heat resistance performance, EMC performance, vibration and shock performance, indicator colors, labeling details, and the content of instructions.
• Main Points
(1) Electro-sensitive protective equipment (ESPE) is classified as either type 4, which complies with category 4 requirements in ISO 13849-1, or type 2, which complies with category 2 requirements in that same standard.
(2) The provisions in these standards stipulate that equipment displays the fault mode for electronic components in the equipment, and they demonstrate that the safety characteristics for the type of equipment are maintained in all fault modes.

IEC 61496-2
Electro-sensitive protective equipment
Part 2: Particular requirements for equipment using active opto-electronic protective devices
EN standards: EN 61496-2
JIS standards: JIS B 9704-2
• Description
This part of these standards applies to the type of ESPE that in principle detects emitted or received light. It stipulates items such as detection performance for the minimum size of object detected, effective aperture angle, extraneous light resistance performance, and mutual interference resistance performance.
• Main Points
(1) Directional angles are stipulated separately for type 4 and type 2 according to the distance between the emitter and receiver.
(2) Conditions that maintain ordinary operation and conditions that permit incorrect operation safely are stipulated for all extraneous light sources.

IEC 61496-3
Electro-sensitive protective equipment
Part 3: Particular requirements for Active Optoelectronic Protective Devices responsive to Diffuse Reflection
EN standards: EN 61496-3
JIS standards: JIS B 9704-3
• Description
This part of these standards applies to electro-sensitive protective equipment that detects diffusely reflected light. It stipulates items such as detection performance for the detection range, allowable errors, response time, detection capacity, resistance to extraneous light, and reflective detection capability as well as the influence of background interference.
• Main Points
(1) Only stipulated for Type 3 (not specified for types 1, 2 and 4).
(2) Conditions that maintain ordinary operation and conditions that permit incorrect operation safely are stipulated for all extraneous light sources.

IEC 61800-5-2
Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional
EN standards: EN 61800-5-2
• Description
These standards are applied to the design and development of safety-related parts of power drive systems (PDS(SR)), and were created based on the IEC 61508 Series Functional Safety Standards.
• Main Points
(1) Fourteen types of safety functions, such as STO, are defined.
(2) The development procedure is the same as in IEC 61508.
(3) SIL is used as the indicator of safety functions.
(4) General failures and failure exclusion are explicitly indicated.


IEC/TS 62046
Application of protective equipment to detect the presence of persons
EN standards: CLC/TS 62046
JIS standards: JIS B 62046
• Description
These standards stipulate requirements for the selection and installation of light curtains and/or safety mats.
• Main Points
(1) Description of the types and characteristics of protective equipment and considerations for selection
(2) Description of considerations about added functions of light curtains and others, such as muting and overriding
(3) Regulations on inspection and testing
(4) Calculation examples

IEC 62061
Functional safety of safety-related electrical, electronic and programmable electronic control systems
EN standards: EN 62061
JIS standards: JIS B 9961
• Description
This standard specifies those matters applicable to the machinery portion of the industry as included in the IEC 61508 Series Functional Safety Standards.
This standard applies to the design and verification of safety related control systems that use electric, electronic, or programmable electronic control systems.
• Main Points
Standards, including the following, for the allotment of SIL (Safety Integrity Level), and for achieving the allotted SIL, for safety functions performed by safety control systems:
(1) Functional safety management
(2) Creating specifications for safety controls
(3) Control system design
(4) User information (manual)
(5) Validation

IEC/TR 62061-1, ISO/TR 23849
Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery
• Description
Guidance on the application of ISO 13849-1 and IEC 62061, jointly created by ISO and IEC. Although the two standards are not the same, an equivalent level of risk reduction is possible by applying either standard correctly. Machine designers can decide which of them should be used depending on the application.
• Main Points
(1) Both PL and SIL are categorized by PFH (Probability of Failure per Hour).
(2) Integration by combining safety-related parts with subsystems
(3) Explicit indication of considerations for applying failure exclusion

EN 50205
Relay with forcibly guided (mechanically linked) contacts
• Description
These standards apply to control circuit relays that are installed for safety, and their provisions are for self-monitoring relays that have a forcibly guided mechanism that prevents normally open and normally closed contacts from operating simultaneously.
• Main Points
(1) If a normally open contact of a relay with forcibly guided (linked) contacts is welded shut and the coil switches OFF, all normally closed contacts must maintain a gap of at least 0.5 mm. Even if a normally closed contact is welded shut and the coil switches ON, all normally open contacts must maintain a gap of at least 0.5 mm.
(2) Ideally, contact load switching must comply with the AC-15 (AC electromagnetic load) and DC-13 (DC electromagnetic load) utilization categories.
(3) The forcibly guided contact mark may be used on all class A relays (all relays with forcibly guided (linked) contacts).


GS-ET-15
Principles of testing and certification for direct opening action switches
• Description
These are German labor safety standards that were enacted to prevent industrial accidents. They apply to testing of direct opening action detector switches that are installed for safety.
• Main Points
(1) Limit and door switches are classified in two categories according to function.
B1
A safety switch falls under category 1 if the switch mechanism and actuator are of monoblock construction physically and functionally, and the safety function is activated by actuator operation.
B2
A safety switch falls under category 2 if the switch mechanism and actuator are not of monoblock construction and the safety function is activated when the actuator is separated from the switch mechanism.
(2) The switches must have a direct opening action, a mechanical service life of 1,000,000 operations, and an enclosure rating of IP54, and must not operate with any tool except a special tongue.

GS-ET-19
Principles of testing and certification for interlocking devices with solenoid guard-locking
• Description
These are also German labor safety standards. They apply only to devices that have a lock monitoring mechanism in door switches that use a key lock for safety.
• Main Points
(1) The switches must use a mechanism like a solenoid for locking and unlocking.
(2) They must have a locking strength and direct opening action, a mechanical service life of 1,000,000 operations, and an enclosure rating of IP54, and must not operate with a tool other than a special tongue.


(2) Terminology
1) General Terminology
• Pollution Degree (IEC 60664-1)

Pollution degree is the most important factor in deciding clearances (determined by the pollution degree and overvoltage category) as well as creepage (determined by the pollution degree and CTI value), and it is classified into four degrees depending on the pollution of the air at the place where the equipment is used.

Pollution Degree 1: There is no pollutant, or only a dry, non-conductive pollutant that has no effect on components.
Pollution degree 1 is possible in clean rooms or other places with clean air.
Pollution Degree 2: There is only a non-conductive pollutant. The non-conductive pollutant may become conductive on occasion due to unexpected condensation.
Pollution degree 2 is normal for electric products that are used inside control panels, electric household appliances, and business equipment.
Pollution Degree 3: There is a conductive pollutant, or a dry, non-conductive pollutant that becomes conductive due to expected condensation.
Pollution degree 3 is normal in ordinary factories.
Pollution Degree 4: There is a pollutant that is continuously conductive due to the presence of conductive dust, rainfall, or snowfall.
Pollution degree 4 is normal for outdoor areas.

• Overvoltage Category (IEC 60664)
The overvoltage category classifies overvoltages into categories I, II, III and IV depending on whether the rated voltage is the rated impulse voltage or the rated voltage of the equipment, as shown in the table below. Rated impulse voltage levels are set individually with respect to the rated voltages, as shown in the figure below. The overvoltage category is one of the factors that decide spacing (determined by the overvoltage category and pollution degree).

Overvoltage category | Equipment description | Example
I | Devices connected to circuits with measures that limit excessive overvoltage to a low level. | Electronic circuits protected from power supplies by isolating transformers
II | Energy-saving equipment supplied by hard-wired power supply installations (i.e., electrical outlets) | Data processing equipment, portable tools, and electric household appliances
III | Equipment in hard-wired facilities where equipment reliability and efficiency are particularly important | Switches in hard-wired power supply installations and industrial equipment permanently connected to hard-wired power supply installations
IV | Equipment used in power receiving installations | Primary side overcurrent protection equipment

[Figure: rated impulse voltage by overvoltage category. Power receiving installations (rated supply voltage 230 V/400 V): impulse voltage 6 kV, overvoltage category IV. Electric installations (230 V/400 V): 4 kV, overvoltage category III. Electric appliances and business machines (230 V): 2.5 kV, overvoltage category II. Secondary circuits (24 V): 330 V, overvoltage category I.]

• CTI Value (IEC 60112)
CTI (Comparative Tracking Index)

Measurement of CTI Value
(The value is measured using method A from the CTI/PTI value measurement methods stipulated in IEC 60112.)
The CTI value of an insulation material is the maximum voltage that does not cause tracking when 50 drops of 0.1% ammonium chloride solution are dripped onto the material at a rate of 30 seconds per drop.

[Figure: CTI test arrangement. A drop port applies 0.1% ammonium chloride solution at 30 s/drop between two electrodes on the test material (size 15 × 15 mm, thickness 3 mm) supplied at 100 to 600 V, 500 VA. Tracking has occurred if a current of 0.5 A flows for more than 2 s. The plot of number of drops (up to 100) against voltage (100 to 600 V) marks the CTI value as the maximum voltage under which no tracking occurs even after 50 drops have been applied.]

Materials Classified with CTI Value Range (IEC 60664-1)
Group I: CTI value greater than 600
Group II: CTI value greater than 400 but less than 600
Group IIIa: CTI value greater than 175 but less than 400
Group IIIb: CTI value greater than 100 but less than 175
Standard limit switches use group IIIa or better insulation material.

• PTI Value (IEC 60112)
PTI (Proof Tracking Index)
Materials that conform to CTI values of 175, 250, 300, 375 and 500 are called PTI-175, PTI-250, PTI-300, PTI-375 and PTI-500 respectively. IEC 60335 and IEC 60065 stipulate that electric household appliances and consumer electronic appliances such as TVs, VTRs and radios must use PTI-175 or PTI-250 materials.

134
Annex

Technical Guide

• Class 1 circuit (NFPA 70)
Class 1 remote-control, signaling, and power-limited circuits
A Class 1 circuit is further divided into two circuits:
(A) Class 1 power-limited circuit
This circuit is supplied from a power source of 30 V or less and 1000 VA or less.
(B) Class 1 remote-control and signaling circuit
This circuit must be 600 V or less. There is no regulation on current limitation.

• Class 2 circuit (NFPA 70)
Class 2 remote-control, signaling, and power-limited circuits
This circuit uses Class 2-certificated power supplies and/or transformers and utilizes Class 2 or Class 3-certificated conductors as wiring parts.

• Class 3 circuit (NFPA 70)
Class 3 remote-control, signaling, and power-limited circuits
This circuit uses Class 3-certificated power supplies and/or transformers and utilizes Class 3-certificated conductors as wiring parts. Class 2-certificated conductors cannot be used in Class 3 circuits.

• ELV (IEC 60364-4-41)
Extra-low voltage
A circuit that satisfies the following two criteria for protection from electrical shock caused by direct and indirect contacts: (1) AC 50 V or less or DC 120 V or less (the RMS of the ripple voltage must be 10 % or less of the DC component) and (2) isolation from hazardous voltage levels at least with basic insulation. ELV is categorized into FELV, PELV, and SELV.

• SELV (IEC 60364-4-41)
Safety extra-low voltage
A circuit that meets all the following criteria for protection from electrical shock caused by direct and indirect contacts:
(1) AC 50 V or less or DC 120 V or less (the RMS of the ripple voltage must be 10 % or less of the DC component)
(2) Basic insulation from other SELV or PELV circuits
(3) Double insulation or reinforced insulation from other non-SELV or non-PELV circuits
(4) Basic insulation from ground (earthing is not allowed)
(5) When using plugs and sockets:
- Plugs cannot be inserted into sockets of other power voltage systems.
- Sockets cannot accept plugs from other power voltage systems.
Note: these criteria may be different for other standards.

• PELV (IEC 60204-1)
Protective extra-low voltage
A circuit that meets all the following criteria for protection from electrical shock caused by direct and indirect contacts:
(1) In a usually dry place where human bodies are unlikely to come into extensive contact with live parts: AC 25 V or less or DC 60 V or less (the RMS of the ripple voltage must be 10 % or less of the DC component). Otherwise: AC 6 V or less or DC 15 V or less (the RMS of the ripple voltage must be 10 % or less of the DC component).
(2) Either side of the circuit or one point of the power source must be connected to a protective bonding circuit.
(3) Live parts of PELV circuits must be electrically isolated from other live circuits. This electrical isolation must satisfy the criteria required for the interface between the primary and secondary circuits of safety isolating transformers.
(4) Conductors for each PELV circuit must also be physically isolated from other circuits. When this cannot be implemented, use the insulation measures stipulated in IEC 60204-1, 13.1.3.
(5) When using plugs and sockets:
- Plugs cannot be inserted into sockets of other power voltage systems.
- Sockets cannot accept plugs from other power voltage systems.
Note: these criteria may be different for other standards.
• Protection degree by enclosure (IP code) (IEC 60529: 2001)
IEC (International Electrotechnical Commission) Standard (IEC 60529: 2001)
IP (International Protection Mark), followed by the first symbol and the second symbol described below.

First symbol: Degree of protection against solid materials
Degree | Protection
0 | No protection
1 | Protects against penetration of any solid object, such as a hand, that is 50 mm or more in diameter. (50 mm dia.)
2 | Protects against penetration of any solid object that is 12.5 mm or more in diameter. Any object with a diameter of 12 mm, such as a finger, will not reach a hazardous part even if it penetrates 80 mm. (12.5 mm dia.)
3 | Protects against penetration of any solid object, such as a wire, that is 2.5 mm or more in diameter. (2.5 mm dia.)
4 | Protects against penetration of any solid object, such as a wire, that is 1 mm or more in diameter. (1 mm dia.)
5 | Protects against penetration of dust in a quantity that may cause the product to malfunction or obstruct the safe operation of the product.
6 | Protects against penetration of all dust.

Second symbol: Degree of protection against water
Degree | Protection | Test method (with pure water)
0 | No protection: not protected against water. | No test
1 | Protection against water drops: protects against vertical drops of water towards the product. | Water is dropped vertically towards the product from the test machine for 10 min. (Height: 200 mm)
2 | Protection against water drops: protects against drops of water approaching at a maximum angle of 15° to the left, right, back, and front of vertical towards the product. | Water is dropped for 2.5 min each (i.e., 10 min in total) towards the product inclined 15° to the left, right, back, and front from the test machine. (Height: 200 mm, inclination: 15°)
3 | Protection against sprinkled water: protects against sprinkled water approaching at a maximum angle of 60° from vertical towards the product. | Water is sprinkled at a maximum angle of 60° to the left and right from vertical for 10 min from the test machine. Water rate is 0.07 liter/min per hole.
4 | Protection against water spray: protects against water spray approaching at any angle towards the product. | Water is sprayed at any angle towards the product for 10 min from the test machine.
5 | Protection against water jet spray: protects against water jet spray approaching at any angle towards the product. | Water is jet sprayed at any angle towards the product for 1 min per square meter for at least 3 min in total from the test machine. (12.5 l/min, distance 2.5 to 3 m, diameter of discharging nozzle: 6.3 mm)
6 | Protection against high-pressure water jet spray: protects against high-pressure water jet spray approaching at any angle towards the product. | Water is jet sprayed at any angle towards the product for 1 min per square meter for at least 3 min in total from the test machine. (100 l/min, distance 2.5 to 3 m, diameter of discharging nozzle: 12.5 mm)
7 (*1) | Protection underwater: resists the penetration of water when the product is placed underwater at a specified pressure for a specified time. | The product is placed 1 m deep in water (if the product is 850 mm max. in height) for 30 min.
8 (*2) | Protection underwater: can be used continuously underwater. | The test method is determined by the manufacturer and user.

*1. OMRON Test Methods
The Proximity Sensor's IP67 degree of protection was confirmed by performing the tests described in the table above and making sure that the sensing distance and insulation resistance satisfied the performance specifications after repeating a heat shock cycle 5 times, consisting of immersing the Sensor in cold water at 0°C for 1 hour followed by hot water at 70°C for 1 hour.

*2. Precautions on OMRON Testing
Operating conditions for E2F Proximity Sensors: underwater within 10 m.
(1) No penetration of water when immersed in water for 1 hour at a pressure of 2 atmospheres.
(2) Satisfies sensing distance and insulation resistance performance specifications after the heat shock cycle described in *1 is repeated 20 times.

In-house Standards for Oil Resistance
Degree of protection | Description
Oilproof | No harmful effect when subjected to oil drops or oil spraying from any direction.
Oil-resistant | No penetration into internal parts when subjected to oil drops or oil spraying from any direction.
Note: Oil resistance is confirmed using oils and cutting oils stipulated by OMRON (equivalent to previous JEM standards).
2) Switch/Relay Terminology

• Rated Operational Voltage (Ue) (IEC 60947-1)
The rated operational voltage (Ue) of equipment is the voltage applied to the equipment, and is combined with the rated operational current (Ie) as a reference for utilization categories (i.e., AC-15).

• Rated Operational Current (Ie) (IEC 60947-1)
The rated operational current (Ie) is the current applied to the equipment.

• Conventional Free Air Thermal Current (Ith) (IEC 60947-1)
The conventional free air thermal current (Ith) is the maximum value of test current used for temperature rise tests (in open air) of devices that are not enclosed, i.e., that are in free air.

• Conventional Enclosed Thermal Current (Ithe) (IEC 60947-1)
The conventional enclosed thermal current (Ithe) is the current value declared by the manufacturer for temperature rise tests of highly enclosed devices.

• Rated Impulse Withstand Voltage (Uimp) (IEC 60947-1)
The rated impulse withstand voltage (Uimp) is the peak value of an impulse voltage of prescribed form which the equipment is capable of withstanding without failure, and to which clearance values are referred.

• Rated Insulation Voltage (Ui) (IEC 60947-1)
The rated insulation voltage (Ui) is the maximum operating voltage that can be withstood without damage. It is the reference voltage for dielectric strength tests and creepage distance for insulation material. The maximum value of the rated insulation voltage (Ui) must be greater than that of the rated operational voltage.

• Switching Over Voltage (IEC 60947-1)
The switching overvoltage is the maximum reverse voltage generated during load switching. It must not exceed the Uimp value.

• Rated Conditional Short Circuit Current (IEC 60947-1)
The rated conditional short-circuit current is the current stated by the manufacturer that a product can withstand provided the product is protected by a device (10-A fuse model gI or gG/IEC 60269 for the D4BL) that is designated by the manufacturer under conditions specified by the related product standards.

• Name of contact rating (UL 508, IEC 60947-5-1)
The electrical rating of contacts based on load type is expressed with one alphabetic character and a three-digit numerical value. The following example is provided for A600.

Name | Load type | Closed thermoelectric current (Ithe) | Rated operational voltage (Ue) / rated operational current (Ie)
A600 | AC-15 | 10 A | 120 V: 6 A; 380 V: 1.9 A; 600 V: 1.2 A

• Utilization Category for Switching Capacity (IEC 60947-1)
Utilization Category for Switching Elements (classified by switching path and current)

Current | Category | Main application
AC | AC-12 | Control of resistive loads and solid-state loads with photocoupler isolation.
AC | AC-13 | Control of solid-state loads with transformer isolation.
AC | AC-14 | Control of small electromagnetic loads (≤72 VAC).
AC | AC-15 | Control of electromagnetic loads (>72 VAC).
DC | DC-12 | Control of resistive loads and solid-state loads with photocoupler isolation.
DC | DC-13 | Control of electromagnetic loads.
DC | DC-14 | Control of electromagnetic loads with economic resistors in the circuit.

3) Sensor Terminology

• Type4 (IEC 61496-1)
Type 4 safety devices satisfy the category 4 requirements prescribed in ISO 13849-1.

• ESPE (IEC 61496-1)
Electro-Sensitive Protective Equipment
ESPE electrically detects people and outputs a control signal for their protection.

• AOPD (IEC 61496-2)
Active Opto-electronic Protective Device
AOPDs are electro-sensitive protective devices that operate on the principle of detection by emitted and received light.

• Protective Height (IEC 61496-2)
The protective height is the range within which objects can be detected. The height is the length from the first optical beam to the last optical beam.
• Response Time (IEC 61496-1)
The response time is the maximum amount of time it takes from the moment someone is detected in the detection zone until the output turns OFF. The time it takes to turn the output ON again once it has gone OFF is also listed in catalog specifications, mainly for system design.

• Muting Function (IEC 61496-1)
The muting function temporarily disables the detection function. When the muting function is turned ON, the protective equipment remains ON regardless of whether someone enters the detection zone or not.
For F3SJ-A/B, the muting function can be added by attaching the F39-CN6 (Muting Cap). For more details, refer to the catalogue.

(3) Other Terminology (Markings)
Cautions are displayed with symbols on the nameplates of safety devices. The following are typical safety-related symbols.

Meaning | Mark
Arrow indicating direct opening action (displayed on products conforming to IEC 60947-5-1, Annex K) | [symbol]
Indicates type A forcibly guided (linked) contact marking (displayed on products conforming to EN 50205) | [symbol]
Indicates double insulation (displayed on products conforming to IEC 60204-1) | [symbol]
• Test Rod or Test Piece (IEC 61496-2)
A test rod is an opaque rod equivalent to the smallest detectable object. It is used to check the detection performance of area sensors.

• Minimum Distance from the Detection Zone to the Danger Zone (ISO 13855)
The safety zone is the minimum distance that must be allowed from hazardous parts of machinery to the protection equipment. It is prescribed so that machinery will turn OFF before someone entering the detection zone of the protection equipment reaches hazardous parts of the machinery.
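The calculation behind this term, as an added example that is not from the guide: ISO 13855's formula for perpendicular approach to a vertical light curtain, S = K * T + C, which combines the response time and the detection capability (test rod size) defined on this page with the machine's stopping time. The constants (K = 2000 mm/s, C = 8(d - 14) mm, the 100 mm floor and the 500 mm re-evaluation with K = 1600 mm/s) are those of ISO 13855; the installation figures used below are constructed.

```python
"""Minimum distance S from a vertical light curtain to the hazard (ISO 13855,
perpendicular approach): S = K * T + C.  Added example with constructed inputs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LightCurtainInstall:
    response_time_ms: int          # ESPE response time t1 (catalog "Response Time")
    stopping_time_ms: int          # machine stopping time t2, measured on the machine
    detection_capability_mm: int   # smallest detectable object d (the test rod size)


def intrusion_allowance_mm(d_mm: int) -> float:
    """C term: distance a finger/arm can reach past the beams before an object
    of size d is detected. ISO 13855: 8(d - 14) mm for d <= 40 mm (not negative),
    850 mm for 40 < d <= 70 mm (hand/arm detection only)."""
    if d_mm <= 40:
        return max(8.0 * (d_mm - 14), 0.0)
    if d_mm <= 70:
        return 850.0
    raise ValueError("d > 70 mm is outside the light-curtain formula")


def minimum_distance_mm(install: LightCurtainInstall) -> float:
    """Required minimum distance from the detection zone to the danger zone."""
    t_ms = install.response_time_ms + install.stopping_time_ms   # T = t1 + t2
    d = install.detection_capability_mm
    c = intrusion_allowance_mm(d)
    if d > 40:                                   # hand/arm detection: K = 1600 mm/s
        return 1600 * t_ms / 1000 + c
    s = 2000 * t_ms / 1000 + c                   # first pass with K = 2000 mm/s
    if s > 500:                                  # may be recomputed with K = 1600 mm/s,
        s = max(1600 * t_ms / 1000 + c, 500.0)   # but the result may not drop below 500 mm
    return max(s, 100.0)                         # absolute floor of 100 mm


def is_compliant(install: LightCurtainInstall, installed_mm: float) -> bool:
    """Check an actual mounting distance against the required minimum."""
    return installed_mm >= minimum_distance_mm(install)


if __name__ == "__main__":
    # Constructed case: 14 mm curtain, 10 ms response time, 90 ms machine stopping time
    fast_machine = LightCurtainInstall(10, 90, 14)
    print(minimum_distance_mm(fast_machine))     # 200.0
    print(is_compliant(fast_machine, 180.0))      # False: mounted too close to the hazard
```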

• Light Beam Axis (IEC 61496-2)
The imaginary line connecting the top beam and the bottom beam of the light curtain. It is the reference line used to measure the safety distance from hazardous parts of machinery to the light curtain.

• Effective Aperture Angle (IEC 61496-2)
The effective aperture angle is the angle through which area sensors must be rotated to switch the output from ON to OFF. Measurements can be taken in two directions with lateral rotation, as long as the rotation follows the axis formed by the light beams.

• Lock-out condition (IEC 61496-1)
A lock-out disables normal operation and occurs when the output is forced OFF. When a safety light curtain's control output remains OFF because the diagnostic system has determined that operation cannot be resumed as a result of a fault, this is called a lock-out.

OMRON Corporation, Industrial Automation Company
Tokyo, JAPAN
Contact: www.ia.omron.com

Regional Headquarters
OMRON EUROPE B.V.
Wegalaan 67-69, 2132 JD Hoofddorp, The Netherlands
Tel: (31)2356-81-300/Fax: (31)2356-81-388

OMRON SCIENTIFIC TECHNOLOGIES INC.
6550 Dumbarton Circle, Fremont, CA 94555, U.S.A.
Tel: (1) 510-608-3400/Fax: (1) 510-744-1442

OMRON ASIA PACIFIC PTE. LTD.
No. 438A Alexandra Road # 05-05/08 (Lobby 2), Alexandra Technopark, Singapore 119967
Tel: (65) 6835-3011/Fax: (65) 6835-2711

OMRON (CHINA) CO., LTD.
Room 2211, Bank of China Tower, 200 Yin Cheng Zhong Road, PuDong New Area, Shanghai, 200120, China
Tel: (86) 21-5037-2222/Fax: (86) 21-5037-2200

Authorized Distributor:

© OMRON Corporation 2007-2014 All Rights Reserved.
In the interest of product improvement, specifications are subject to change without notice.
Printed in Japan
Cat. No. Y107-E1-04 1214
