3 Categories as defined in EN 954-1

Table 3:
Requirements for the categories of safety-related parts of machinery control systems

Category B
  Summary of requirements: Safety-related parts of control systems and/or their safety devices and their components must be designed, constructed, selected, assembled and combined in accordance with the relevant standards such that they can withstand the expected influence.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle to achieve safety: mainly characterised by the selection of components

Category 1
  Summary of requirements: The requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than in category B.
  Principle to achieve safety: mainly characterised by the selection of components

Category 2
  Summary of requirements: The requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machinery control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check.
  Principle to achieve safety: mainly characterised by the structure

Category 3
  Summary of requirements: The requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed such that:
    1. a single fault in any of these parts does not lead to the loss of the safety function, and
    2. the single fault is detected whenever reasonably practicable.
  System behaviour: If the single fault occurs, the safety function is still maintained. Some, but not all faults are detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle to achieve safety: mainly characterised by the structure

faults⁸. In category 4, diversity and the use of special test methods are mentioned as examples of measures used to counter systematic faults when validating the category. In principle, it can be said that many of the basic and well-tried safety principles do, of course, have the effect of preventing systematic faults (see tables 4 and 6, pages 32 and 39).

3.2 Category Specifications

3.2.1 Category B

Safety-related parts of control systems must be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using the basic safety principles for the specific application, such that they are able to withstand:

- the anticipated operating stresses (e.g. reliability with respect to breaking capacity and frequency)
- magnetic fields, interruptions or disruptions to the energy supply).

These general principles are illustrated in general terms and with reference to specific technologies in the basic safety principles specified in table 4. In this table, the general basic safety principles apply in full for all technologies, whilst the technology-specific principles are also necessary for the relevant technologies. As category B represents a basic category for each of the other categories (see table 3), the basic safety principles should be applied as a general rule to the design of safety-related parts of control systems (STS) and/or safety devices.

No further specific safety-related measures are necessary for the components which comply with category B⁹.

3.2.2 Category 1

⁸ Common mode faults are those faults which cause a multi-channel system to fail.
⁹ If a component failure occurs, it may lead to the loss of the safety function.
Table 4:
Basic safety principles for the design of safety-related parts of control systems, Part 1

Principle: Ensure adequate dimensioning for all components
Description: All components are selected such that they can withstand the anticipated operating stresses.
Remarks: breaking capacity, breaking frequency; withstand voltage-strength; pressure level, dynamic pressure behaviour, volume flow; temperature and viscosity of pressure fluid; type and condition of pressure fluid or compressed air

Principle: Resistance to relevant external influences
Description: Safety-related parts of control systems (STS) are designed such that they can fulfil their function even in the event of the external influences which are usual for the application in question.
Remarks: mechanical effects (shock, vibration); climatic effects (temperature, humidity); leak-tightness of the housing (protection provided by enclosure); electromagnetic compatibility (fields, conducted disturbances)

Principle: Closed circuit principle (positive signalling to start)
Description: The safety-related switching position of the STS is achieved by removing the control signal (electrical voltage, pressure), i.e. by switching off the energy supply.
Remarks: safe state in the event of an interruption; valves with working springs in the field of fluid technology

Principle: Control of fluctuations in the energy supply, failure and recovery of the energy supply
Description: In the event of fluctuations in the energy supply (voltage or pressure), the STS should not initiate any unexpected reactions.
Remarks: faults in the power supply; changes in pressure, pressure loss

Principle: Compliance with the applicable technical regulations
Description: The applicable technical regulations associated with the application should be observed.
Remarks: completeness; accuracy

Principle: Quality assurance measures during production
Description: General quality assurance measures, e.g. as defined in EN 45000, guarantee constant product quality for the STS.
Remarks: reproducibility during production

Principle: Comprehensible and complete installation, commissioning, operating and maintenance instructions
Description: Well-structured instructions which are generally comprehensible are available for the installation, commissioning, operation and maintenance of STS.
Remarks: completeness; comprehensibility; accuracy

Principle: Formalization of modification procedure
Description: All modifications to STS should be documented and the effects on the parts of the STS which have not been modified should be recorded. The modified STS will only be released following successful acceptance.
Remarks: accuracy of modifications; no effect on parts which have not been modified
Table 4:
Basic safety principles for the design of safety-related parts of control systems, Part 2

Fluid Technology

Principle: Pressure control in the system
Description: One or more pressure control valves usually prevent the pressure in a system or in parts of systems from rising beyond a specified level. Pressure control valves with secondary venting are used primarily for this purpose in pneumatic systems.
Remarks: check dimensioning; position in the system (number); design

Principle: Filtration of the pressure medium (hydraulic fluid, compressed air)
Description: The necessary purity class of the pressure medium during operation, as specified by the manufacturer with reference to the components used, is achieved by the use of a suitable device (usually a filter) after taking account of the application in question. Adequate drainage of the compressed air is also necessary for this to be achieved in the pneumatics sector.
Remarks: check dimensioning; type of hydraulic fluid/compressed air, state; component manufacturer's requirements; ambient conditions and conditions of usage; position in the fluid technology system

Principle: Prevention of dirt intake
Description: In open hydraulic systems, one particular way of preventing contamination from penetrating the fluid technology system is by using an active vent filter. In pneumatic systems, exhaust air filters (filter-silencer combinations) are used for this purpose (negative pressure).
Remarks: check dimensioning; component manufacturer's requirements; ambient conditions and conditions of usage; exhaust air discharge direction

Principle: Disconnection from the energy supply (if the energy supply is not required for the safety function, e.g. clamping devices)
Description: Disconnection from the energy supply and discharge of the residual energy (if necessary) is facilitated by suitable main control devices (e.g. isolating valves).
Remarks: reliable disconnection/safe discharge (also in the case of storages); switch position and operating state should be recognisable
Table 4:
Basic safety principles for the design of safety-related parts of control systems, Part 3

Principle: Simple functional tests
Description: Safety functions must be checked.
Remarks: normal functional and operating tests should be representative

Principle: Transmission protocols with timed sequence monitoring for data transmission via buses
Description: When transmitting usable data, compliance with a communication specification (e.g. parity bit) is monitored.
Remarks: accuracy of data communication

Principle: Timed monitoring via watchdog
Description: A timing element is periodically reset by the program. If the program no longer resets it within the expected time (i.e. the timing element runs out), the STS is switched to a defined state by the timing element.
Remarks: monitoring program sequence

Principle: Minimisation of real-time effects
Description: Real-time effects on the program make analysis more difficult and may cause certain properties of a program to become erratic. There should, therefore, be as few interrupts and multi-tasking areas as possible. Cyclic detection of process states should take place in a fixed sequence. Rules for approving interrupts should be drawn up.
Remarks: software should be able to be analysed; software should be easy to modify

Principle: Structured programming
Description: Control sequence flow in programs and data flow in these programs are designed to be transparent thanks to this method. This thus avoids non-systematic, complex and awkward program structures.
Remarks: ease of testing, comprehensibility; adaptability; ease of maintenance; portability
A component which is well-tried with respect to safety for a safety-related application is a component which

- has been widely and successfully used in the past with successful results in similar applications or
- has been manufactured and verified by applying principles which demonstrate its suitability and reliability for safety-related applications.

Table 5 provides an overview of known components which are well-tried with respect to safety in the field of electrical engineering and components from the fluid technology sector which may be components which are well-tried with respect to safety.

Requirements with respect to the design and construction of valves which are well-tried with respect to safety and requirements concerning the condition of the pressure medium involved have not yet been specified. For this reason, only valve manufacturers and/or users are usually in a position to nominate valves which are well-tried with respect to safety for defined applications on the basis of their practical experience. A valve which is well-tried with respect to safety is, in particular, a valve with a sufficiently high level of safety-related reliability in practical conditions. This reliability relates solely to switching function into the safety-related position. A valve of this type must fulfil the component-specific basic and well-tried safety principles in Tables 4 and 6. Filtration for a valve which is well-tried with respect to safety must be performed specifically. In the case of a low risk combined with simple installations, the system filter which is always present in the installation may be sufficient for the necessary filtration operation. In the case of a higher risk and in complex installations, filtration should be performed immediately in front of the relevant valve and/or the relevant valves by means of a full-flow pressure filter (referred to as DF in the examples in Chapter 4). The filter's contamination level should be monitored. In pneumatic installations, a full-flow pressure filter may also be necessary immediately in front of the relevant valves in the case of larger pipework systems, several users and in the case of valves which require a higher filtration grade than other components in the installation.

In order to protect the valve as much as possible from contamination in the pressure medium from the cylinder side, specific measures are necessary with respect to the piston rod in the hydraulic/pneumatic cylinders (e.g. working wiper rings). In pneumatic control systems, it should also be noted that contamination can be drawn into the system via exhaust air apertures. For this reason, exhaust air (vent) apertures (e.g. on valves) should be fitted with working filters, so-called filter-silencer combinations.

In the fields of electronics and computing, there are also no known components which are well-tried with respect to safety at the present time. As explained in [17], the method which is described in detail below to establish whether components are well-tried in operation is used to prove that the components used, e.g. including software, are sufficiently free of systematic design faults. However, being well-tried in operation does not yet in itself enable a hardware module to be classified as a well-tried component, as, quite apart from systematic faults, the random error rate for a component must also be very low [16]¹⁰. If a component is well-tried in operation, this tells us that no faults, or only insignificant faults, were established when using a considered unit, whereby this unit has been operated for the most part without any modifications over an adequate period of time in numerous different applications [17]. According to [17], a component is said to be well-tried in operation if, for an unaltered specification, the following conditions apply:

- 10 systems in different applications and
- 10⁴ operating hours and
- at least one year of operation and
- no faults or no safety-related faults have been observed.

There must be a statistical confidence level of 95%.

Proof must be provided by way of documentation from the manufacturer or user. The documentation must include the following at the very least: a precise description of the system and its components including the versions of the hardware and software used, the user and the usage period, operating hours, a method for selecting the systems and application cases used to provide this proof and a method to detect faults and to record and eliminate faults [17]. This is a particularly useful way of proving that software or complex electronic systems are well-tried in operation with respect to systematic faults. A correspondingly higher number of operating hours is required for higher categories [16].

Certain faults which are used for assessment purposes can also be ruled out for some well-tried components, because the fault rate for this failure mode is known to be very low (e.g. switches not opening when forcibly opened in category 3). Fault exclusions of this type are described for specific technologies in the fault lists in Appendix B to this Report.

The decision as to whether to accept a specific component as being well-tried with respect to safety is dependent on the application in question.

The following are examples of well-tried safety principles:

- avoiding specific faults (e.g. avoiding short-circuits by separation)
- reducing the probability of faults (e.g. by overdimensioning) or stress on the components below the design limit
- specifying the failure direction for a fault
- fault detection in good time (e.g. detecting earthing)
- limiting the consequences of a fault.

example, whilst touch operation, which is limited by time or distance, represents a principle which is dependent on the application in question. On the other hand, the principle of a control system with self-locking can be used for all categories on a very general basis. These reflections make it quite clear that, unlike the basic safety principles, well-tried principles cannot all be applied in all circumstances, but are specific to each technology, application or category.

In general terms, it can be said that there is a lower probability of a dangerous failure in category 1 than in category B. It follows that the loss of the safety function is less likely¹¹.

At present, there are no specified well-tried safety principles in the field of fluid technology. These safety principles relate to both the components and the pressure medium. Part 3 of Table 6 lists the major well-tried safety principles for fluid technology which, in our opinion, cannot all be achieved at the same time, depending on the application in question.

¹⁰ IEC Draft 1508 classifies the specified aims of a safety-related system in category 1 with a failure probability of 10⁻¹ to 10⁻² per demand for systems with a low demand rate and a probability of one dangerous failure per year of 10⁻¹ to 10⁻² for safety-related systems with a continuous or high demand rate. This probability limit is lower by one decimal power in each case for categories 3 and 4.
Table 5:
Components which are well-tried with respect to safety for the design of safety-related parts of control systems

Electrical Engineering

Component: Fuse/automatic switch
Function: Cut-off in the event of a short-circuit or

Component: Mechanical position switch with personal protection function with forcibly actuated normally closed contact (EN 60947-5-1, chapter 3)
Function: Control voltage interrupted when actuated

Component: Positive locking (see EN 1088)
Function: Preventing dangerous access

Component: Forcibly actuated camshaft switch
Function: Actuation of switching contacts

Component: Control circuit contactors⁵ as per EN 60947-4-1; power contactors⁵
Function: Release when de-energized

Component: Emergency Stop keys/cable control switch with forcibly actuated normally closed contact (EN 60947-5-1, chapter 3)
Function: Control voltage interrupted when actuated

Component: Wiring, installation in control cabinet; light plastic sheathed cable, protected installation in machinery frame
Function: Avoid short circuit of wires

Component: Touch controls; mechanically actuated compliance switch (see EN 292)
Function: Control voltage interrupted when released

Component: Terminals in switching cabinet/terminal box in the machinery (with adequate protection system)
Function: Avoid crosses (short circuits)

Fluid Technology⁶

Component: Directional control valves with discrete switching positions (slide and seat valves); continuous directional control valves
Function: Safety-related switching position is taken up by means of durable, working springs and the control energy is interrupted

Component: Stop valves (non-return valves, controlled non-return valves)
Function: Preventing the flow in the closed direction

Component: Flow control valves (throttles and restrictors) as a fixed resistance in fluid engineering systems
Function: Retention of the set volume flow

Component: Pressure valves in the safety-related part of the control system; pressure switches, pressure sensors
Function: Proposed function in the event of pressure values being exceeded or not attained

Component: Mechanically positively actuated valves (forcibly actuated); manual lever valves with spring return or spring centring
Function: Interruption of volume flow or control signal

Component: Pipework in the safety-related part of the control system and to consumer
Function: Leak-tightness, breaking strength

⁵ Whilst there is no doubt that control and power contactors do not respond if the control voltage is absent (fault exclusion), there is some controversy as to whether these contactors should be regarded as "well-tried components" with respect to the way in which they are released when de-energized. In the author's opinion, no fault exclusion can in fact be made for these switching devices, but it is possible and justifiable to classify them as "well-tried components". Otherwise, contrary to many years of practical experience, a position monitoring device for a movable safety guard with only one power contactor for switching off the potentially hazardous movement would have to be classified under category B.
⁶ This details components which may be components which are well-tried with respect to safety, as the current situation in the field of fluid technology is such that it is only possible to specify components which are well-tried with respect to safety in specific individual cases.
Table 6:
Well-tried safety principles for the design of safety-related parts of control systems, Part 1

Principle: Control system with self-lock
Description: This type of control system goes into a self-locking state after a brief command, e.g. by touch controls, and retains this state for as long as the control energy is provided (voltage, pressure).
Aim: Protection against unexpected restarting after energy failure and

Principle: Separation/insulation
Description: Adequate leakage distances and air gaps are ensured, and suitable insulating materials and thicknesses are used.
Aim: To avoid short-circuits

Principle: Earthing control circuits
Description: A one-sided connection is made between control circuits and the equipment earth (see EN 60204-1, Section 9.1.4).
Aim: Fault detection in the event of earthing

Principle: Torque/power limiting (reduced pressure)
Description: Forces which may lead to a hazard are limited by electrical, mechanical or fluid technology devices.
Aim: Risk reduction by improved hazard

Principle: Limited distance touch operation
Description: The distance of a movement is limited to an admissible value in touch operation.

Principle: Overdimensioning (underloading)
Description: All equipment is loaded to less than the nominal value.
Aim: Reduction of the failure probability

Principle: Start-up testing
Description: The protection function is compulsorily checked before initiating a potentially hazardous movement.
Aim: Fault detection before initiation

Principle: Self-actuated/automatic monitoring
Description: Faults in components are detected in good time by monitoring.
Aim: Pick up faults in good time

Principle: Hardware diversity
Description: Different types and designs of technical devices are used.
Aim: Avoid common mode faults

Principle: Use of standard circuits
Description: Standard circuits are circuits for special applications, which have been checked to determine their behaviour in the event of faults and which have been well-tried in operation.
Aim: Safety function by means of well-tried or tested devices
Table 6:
Well-tried safety principles for the design of safety-related parts of control systems, Part 2

Principle: Use of type-tested modules (e.g. control devices)
Description: Type-tested modules are factory-built devices which fulfil particular validated requirements.

Principle: Normally closed/normally open contact combination
Description: This is concerned with the arrangement of two mechanical position switches in a safety device with fundamentally different actuation modes. One switch is always actuated and the other is not actuated whatever the position of the safety device.
Aim: Maintain the safety function of mechanical position switches in the event of individual faults in the mechanism; detection if the safety device is removed

Electromechanical engineering

Principle: Forcible/positive actuation
Description: This is a reliable means of actuation by rigid, mechanical parts without non-positive and spring-actuated connections.
Aim: Safe actuation, e.g. for mechanical position switches

Principle: Dynamic techniques
Description: All safety-related signals change their state on a regular basis, with the result that static faults automatically initiate a safety-oriented function.
Aim: Static component faults can be picked up and dealt with in good time
Table 6:
Well-tried safety principles for the design of safety-related parts of control systems, Part 3

Principle: Non-equivalent signal control
Description: When processing redundant signals, one channel uses a logical 1 when the other uses a logical 0 and vice versa.
Aim: Increased resistance to interference with respect to common mode faults

Principle: Fault detection via the technical process
Description: Faults are picked up by means of specific expected events which are prescribed by the technical process. It is not usually possible to pinpoint the fault in this method.
Aim: Early fault detection

Principle: Plausibility checks
Description: Plausibility checks are used to achieve a defined reaction in the event of inadmissible or unusual inputs and states or those which are outside the specified values.
Aim: Defined reaction in the event of incorrect user specifications and in the event of component failures

Principle: Use of an external watchdog
Description: A watchdog is a timed program run monitoring system in which an external component expects signals from the microcomputer at regular time intervals.
Aim: Defined reaction in the event of defective program sequence

Fluid Technology

Principle: Positive overlap
Description: There must be an adequate positive overlap for contacts to be closed when using slide valves.
Aim: to stop potentially hazardous movements; to prevent unintentional starting up

Principle: Positive dynamic effect
Description: The actuating forces have a direct effect (forcible) on the moving parts, i.e. without frictional connections.
Aim: Reliable actuation of moving parts

Principle: Specific selection of materials and material pairing
Description: This selection takes place by considering the properties of the hydraulic fluid on the basis of corresponding experience and/or specific tests.
Aim: Reduction of failure probabilities

Principle: Definition of operating data
Description: The principal variables which are defined are the operating temperature range and the operating viscosity range for the hydraulic fluid.

Principle: Monitoring the hydraulic fluid
Description: The state of the hydraulic fluid is monitored on a regular basis, e.g. by sampling.
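The "Timed monitoring via watchdog" principle in Table 4 (Part 3) and the "Use of an external watchdog" principle in Table 6 (Part 3) describe the same mechanism: a timing element that the program must reset at regular intervals and that forces a defined state when the resets stop. The following C model is an added example written for this page, not code from the BIA report or from EN 954-1; the type and function names (watchdog_t, wd_init, wd_kick, wd_tick, simulate), the tick-based time base and the two states are assumptions made for the example.

```c
/* Added example, not from the BIA report: a model of the watchdog principle.
 * The watchdog is a separate component with its own time base (wd_tick); the
 * supervised program must reset it (wd_kick) within timeout_ticks, otherwise
 * the watchdog forces the STS into a defined safe state. All names here
 * (watchdog_t, wd_*, simulate) are assumptions made for this example. */
#include <stdio.h>

typedef enum { STATE_RUNNING = 0, STATE_SAFE = 1 } sts_state_t;

typedef struct {
    unsigned timeout_ticks;  /* longest gap between two kicks that is tolerated */
    unsigned elapsed_ticks;  /* ticks counted since the last kick */
    sts_state_t state;       /* state the watchdog currently imposes on the STS */
} watchdog_t;

void wd_init(watchdog_t *wd, unsigned timeout_ticks)
{
    wd->timeout_ticks = timeout_ticks;
    wd->elapsed_ticks = 0;
    wd->state = STATE_RUNNING;
}

/* Called by the supervised program at the end of each completed cycle.
 * Once the safe state has been forced, a kick no longer releases it: the
 * STS stays in the defined state until a deliberate restart (this mirrors
 * the "protection against unexpected restarting" aim in Table 6). */
void wd_kick(watchdog_t *wd)
{
    if (wd->state == STATE_RUNNING)
        wd->elapsed_ticks = 0;
}

/* Called from the watchdog's own clock, independently of the program.
 * Returns the state the STS must now be in. */
sts_state_t wd_tick(watchdog_t *wd)
{
    if (wd->state == STATE_RUNNING) {
        wd->elapsed_ticks++;
        if (wd->elapsed_ticks > wd->timeout_ticks)  /* program stopped responding */
            wd->state = STATE_SAFE;
    }
    return wd->state;
}

/* Simulation driver: the program kicks the watchdog every kick_period ticks
 * until tick hang_at (0 = never hangs), after which it is stuck and kicks no
 * more. Returns the tick at which the safe state was forced, 0 if never. */
unsigned simulate(unsigned timeout, unsigned kick_period,
                  unsigned hang_at, unsigned total_ticks)
{
    watchdog_t wd;
    wd_init(&wd, timeout);
    for (unsigned t = 1; t <= total_ticks; t++) {
        if ((hang_at == 0 || t < hang_at) && t % kick_period == 0)
            wd_kick(&wd);
        if (wd_tick(&wd) == STATE_SAFE)
            return t;
    }
    return 0;
}

int main(void)
{
    /* healthy program: kick every 3 ticks, window of 5 ticks, never trips */
    printf("healthy:          trip tick = %u\n", simulate(5, 3, 0, 100));
    /* program hangs from tick 10: last kick at tick 9, trip at tick 14 */
    printf("hung at 10:       trip tick = %u\n", simulate(5, 3, 10, 100));
    /* window shorter than the cycle time: a healthy program is stopped too */
    printf("window too short: trip tick = %u\n", simulate(1, 3, 0, 100));
    return 0;
}
```

Two design choices in the model are worth noting. The watchdog runs on its own tick, i.e. it is the external component of Table 6, so a hung program cannot stop it, and it must not be kicked from an interrupt handler that keeps running while the main loop is stuck. Once it has tripped, a later kick does not release the safe state, so recovery requires a deliberate restart. The third scenario shows that the window must exceed the worst-case cycle time, otherwise a healthy program is stopped as well.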
3.2.4 Category 3

The requirements of category B must be fulfilled. Well-tried safety principles must also be used. In addition, the safety-related parts in category 3 must be designed such that a single fault in one of these parts as defined by the fault list in Appendix B does not lead to the loss of the safety function (see table 3). Common mode faults must be taken into account if the probability of a fault occurring is high. The individual fault must be detected during or before the next demand on the safety function whenever reasonably practicable.

The requirement that individual faults should be detected does not mean that all faults are detected. This is why, in the case of certain types of machinery, an accumulation of unobserved faults can, in certain circumstances, lead to an unintentional output signal and to the machinery entering into a hazardous state. Typical examples of practicable measures for fault detection purposes are scanning the relay contacts with connected movement or monitoring redundant electrical outputs. If necessary as a result of the technology and application in question, the Type C standard maker should specify additional details with respect to fault detection. "Whenever reasonably practicable" means that the necessary measures for fault detection purposes and the extent to which these are incorporated are chiefly dependent on the consequences of a failure and on the probability of occurrence of an accident within the application. The technology which is used influences the possibilities for incorporating fault detection¹⁴.

3.2.5 Category 4

The requirements of category B must be fulfilled. Well-tried safety principles should also be used. In addition, safety-related parts of control systems in category 4 must be designed such that (see also table 3):

- a single fault (see Appendix B of this report) in any of these safety-related parts does not lead to the loss of the safety function and
- the individual fault is detected during or before the next demand on the safety function, e.g. immediately after switching on or at the end of a machine cycle. If this type of detection is not possible, an accumulation of faults should not lead to the loss of the safety function¹⁵.

If it is not even possible to detect certain faults due to the technology or circuit design in question during the next test, the occurrence of additional faults must be assumed. In this case, an accumulation of faults should not lead to the loss of the safety function.

If additional faults occur as a result of an initial individual fault, the initial fault and all resulting faults must be regarded as a single fault. Common mode faults must be taken into account, e.g. by applying diversity or special methods for detecting faults of this type.

Fault review can be restricted to two combined faults, if

- the components' fault rates are low and
- the combined faults mainly occur independently of each other and
- the safety function is only interrupted if the faults occur in a specific sequence.

Fault review should be suspended if the probability of further faults occurring can be regarded as being sufficiently low¹⁶.

In the case of complex circuit structures (e.g. microprocessors, complete redundant systems), fault review is generally performed at structural level, i.e. based on sub-assemblies.

¹⁴ This system behaviour accepts that
- the safety function is always retained if a single fault occurs,
- some, but not all faults are detected,
- an accumulation of undetected faults may lead to the loss of the safety function.

¹⁵ This system behaviour accepts that
- the safety function is always retained if faults occur,
- faults are detected in sufficient time to prevent the loss of the safety function.

¹⁶ According to the experience acquired by the BIA, fault accumulation can be suspended after the third fault, irrespective of the technology in question.
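The non-equivalent signal control and plausibility check principles of Table 6 (Part 3), together with the normally closed/normally open contact combination of Part 2, give a concrete way of meeting the category 3 and 4 requirement above that a single fault is detected during or before the next demand on the safety function. The following C program is an added example written for this page, not code from the BIA report or from EN 954-1; the monitor type and function names (antivalent_monitor_t, am_init, am_evaluate, evaluate_sequence, scenario_*), the two-sample discrepancy window and the sample sequences are all constructed for the example.

```c
/* Added example, not from the BIA report: evaluation of an antivalent
 * (non-equivalent) two-channel input with a plausibility check. The two
 * channels are modelled on the NC/NO contact combination of Table 6: channel A
 * reads 1 while the guard is closed, channel B reads 0 while it is closed, so
 * a plausible sample always has A != B. Equal channels are implausible and
 * are tolerated only for a short discrepancy window (contact skew); beyond
 * it the fault is latched and the output is held in the safe state. The
 * names (antivalent_monitor_t, am_*, scenario_*) and the sample sequences
 * are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { OUT_STOP = 0, OUT_RUN = 1, OUT_FAULT = 2 } output_t;

typedef struct {
    unsigned discrepancy_limit;  /* samples an implausible pattern may persist */
    unsigned discrepancy_count;  /* consecutive implausible samples seen so far */
    bool fault_latched;          /* once set, only a deliberate reset clears it */
} antivalent_monitor_t;

void am_init(antivalent_monitor_t *m, unsigned discrepancy_limit)
{
    m->discrepancy_limit = discrepancy_limit;
    m->discrepancy_count = 0;
    m->fault_latched = false;
}

/* Evaluate one sample of both channels and return the permitted output. */
output_t am_evaluate(antivalent_monitor_t *m, bool ch_a, bool ch_b)
{
    if (m->fault_latched)
        return OUT_FAULT;
    if (ch_a != ch_b) {                 /* plausible: channels are antivalent */
        m->discrepancy_count = 0;
        return ch_a ? OUT_RUN : OUT_STOP;
    }
    /* Implausible (0,0) or (1,1): a stuck channel, a short between the
     * channels or a short to the supply looks like this. Hold the safe
     * state while the window runs, then latch the fault. */
    m->discrepancy_count++;
    if (m->discrepancy_count > m->discrepancy_limit) {
        m->fault_latched = true;
        return OUT_FAULT;
    }
    return OUT_STOP;
}

typedef struct {
    output_t final_output;   /* output after the last sample */
    int first_fault_index;   /* sample index of the first OUT_FAULT, -1 if none */
} seq_result_t;

/* Feed a whole sample sequence through a fresh monitor. */
seq_result_t evaluate_sequence(const bool *a, const bool *b, size_t n,
                               unsigned discrepancy_limit)
{
    antivalent_monitor_t m;
    seq_result_t r = { OUT_STOP, -1 };
    am_init(&m, discrepancy_limit);
    for (size_t i = 0; i < n; i++) {
        r.final_output = am_evaluate(&m, a[i], b[i]);
        if (r.final_output == OUT_FAULT && r.first_fault_index < 0)
            r.first_fault_index = (int)i;
    }
    return r;
}

/* Constructed sequence: guard closed, opened with one sample of contact
 * skew, held open, closed again with one sample of skew. No fault. */
seq_result_t scenario_healthy(void)
{
    const bool a[] = { 1,1,1, 1, 0,0,0, 0, 1,1,1 };
    const bool b[] = { 0,0,0, 1, 1,1,1, 0, 0,0,0 };
    return evaluate_sequence(a, b, sizeof a / sizeof a[0], 2);
}

/* Constructed sequence: channel A stuck at 1 (welded contact or wire shorted
 * to the supply). Invisible while the guard is closed; detected at the next
 * demand, when the guard opens and B changes but A does not. */
seq_result_t scenario_stuck_channel_a(void)
{
    const bool a[] = { 1,1,1, 1,1,1,1,1 };
    const bool b[] = { 0,0,0, 1,1,1,1,1 };
    return evaluate_sequence(a, b, sizeof a / sizeof a[0], 2);
}

/* Constructed sequence: both channel wires shorted together, so they can
 * never be antivalent. Detected within the window even without a demand. */
seq_result_t scenario_channels_shorted(void)
{
    const bool a[] = { 1,1,1,1,1 };
    const bool b[] = { 1,1,1,1,1 };
    return evaluate_sequence(a, b, sizeof a / sizeof a[0], 2);
}

int main(void)
{
    seq_result_t r = scenario_healthy();
    printf("healthy:         final=%d first_fault=%d\n", r.final_output, r.first_fault_index);
    r = scenario_stuck_channel_a();
    printf("stuck channel A: final=%d first_fault=%d\n", r.final_output, r.first_fault_index);
    r = scenario_channels_shorted();
    printf("shorted:         final=%d first_fault=%d\n", r.final_output, r.first_fault_index);
    return 0;
}
```

The stuck-channel scenario illustrates the point made for category 3 above: the fault is invisible while the guard stays closed and only becomes detectable at the next demand, so the interval between demands bounds how long an undetected single fault can exist. The discrepancy window is the only tolerance in the check; it must cover the real switching skew of the contacts but no more, because every sample inside the window is one in which a fault goes unreported.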