Decoding Ranking Systems Related To Industrial Safety: A User's Guide To Understanding Ranking Protocols


Decoding Ranking Systems Related to Industrial Safety

A user’s guide to understanding ranking protocols

Introduction
When EH&S personnel and controls engineers collaborate with suppliers to implement protective
measures for industrial equipment, the discussion can quickly run astray as various terminologies are
used – often with little to no true understanding of what the terms actually mean. For the uninitiated,
the jargon can (and often does) appear to be an entirely different language.

As is the case in many specific fields of study, one must first be acquainted with the basic expressions
that are often used in order to speak intelligently about a given topic – and industrial safety is no
different. In the safety marketplace, safety standards are heavily relied upon to present basic concepts
and specific definitions to establish common ground. For better or worse, many of the nomenclatures
used in these standards rely on seemingly simple ranking systems, but confusion is introduced
because many of the classifications utilize alphabetical or numerical designators, as shown in Figure 1.

Figure 1: Ranking Protocols Used Within the Safety Industry


NOTE: This image is not intended to imply any equivalency across standards or rating systems

Decoding Ranking Systems Related to Industrial Safety © 2014 SICK, Inc. All rights reserved. 1
Brief descriptions of the ranking systems are provided below, in no particular order. These can be
used as an aid to translate language that is already understood by industry insiders, but often
misapplied by newcomers.

Stratification of Safety Standards [Type-A, -B and -C]


The primary purpose of most safety standards is to provide the
audience (readers) with an overall framework and guidance for
decisions during the entire lifecycle of machinery to enable them to
maintain machines that are safe for their intended use. Many
standards developing organizations (SDOs) use the following structure,
which is also
represented in Figure 1:

• Type-A standards (basic safety standards) giving basic concepts, principles for design and
general aspects that can be applied to machinery;
• Type-B standards (generic safety standards) dealing with one safety aspect or one type of
safeguard that can be used across a wide range of machinery:
   o Type-B1 standards on particular safety aspects (e.g., safety distances, surface
   temperature, noise);
   o Type-B2 standards on safeguarding devices (e.g., two-hand controls, interlocking devices,
   pressure-sensitive devices, guards);
• Type-C standards (machine safety standards) dealing with detailed safety requirements for a
particular machine or group of machines.

Figure 1: Structural Organization of Standards

This stratification was first developed by ISO/IEC Guide 51 [i] and was implemented in Europe during the
development of European Norms (EN) standards. These EN documents were then elevated to
international (ISO or IEC) standards, and the interrelationships as laid out were maintained. Many
standards development organizations around the world follow the direction provided by ISO/IEC
Guide 51, which was recently updated in April 2014. The intent of the guide is to establish common
terminology and methodologies for standards writers when addressing key concepts of risk reduction.
As a practical application of this structure in use in North America, the ANSI B11 [ii] series of
standards for machine tools has implemented a similar organization as shown in Figure 2.

Figure 2: ANSI B11 Organization of Standards

Stop Functions [Category 0, 1 and 2]
When designing and implementing circuits to initiate a stop, there are
three classifications of stop functions as follows:

• Stop category 0: Stopping by immediate removal of power to the machine actuators (i.e., an
uncontrolled stop)
• Stop category 1: A controlled stop with power available to the machine actuators to achieve the
stop and then removal of power when the stop is achieved
• Stop category 2: A controlled stop with power left available to the machine actuators

These definitions of stop categories are harmonized in both international [iii] and domestic [iv] standards,
and form the basis for the functional requirements when discussing different types of stop circuits. As
a general primer to the typical types of stop circuits, the American standard ANSI B11.19 [v] provides a
clear differentiation between the common purposes for stop circuits as follows:
• Normal stop: The stopping of a machine, initiated by the control system, at the completion of a
cycle
• Emergency stop: The stopping of a machine, manually initiated, for emergency purposes
[requirements for emergency stop functions are clearly addressed in NFPA 79, ANSI B11.19, and
ISO 13850 [vi]]
• Protective stop: The stopping of a machine initiated by safeguarding for safeguarding purposes
[this was referred to in earlier standards as safety stop]

Table 1, on the following page, provides an expanded overview of the differences in requirements for
these types of stops.

| | Stop | Emergency Stop | Protective (Safety) Stop |
|---|---|---|---|
| Location | Personnel have quick, unobstructed access. Stop Category 0 required on every machine (other categories may be used as determined by a risk assessment). Required on all operator stations. | Personnel have quick, unobstructed access. Required on all operator stations and other locations as determined by a risk assessment. | Located such that an individual cannot access the hazard. Determined by the safety distance formula. |
| Initiation of stop signal | Manual or automatic | Manual only | Manual or automatic |
| Stop category (see above) | 0, 1 or 2 | 0 or 1 only | 0, 1, or 2 |
| Circuit performance (as determined by a documented risk assessment) | Typically single channel (non-safety-rated) | Minimum single channel safety rated controls. Greater performance may be required when interfaced with a safeguarding device(s). | Typically control reliable |
| Circuit reset | Manual only | Manual only | Manual or automatic (hardware or software) |
| Bypass and mute | Allowed (for cycle completion, etc.) | Not allowed | Allowed (for muting, modes of operation, set up, etc.) |
| Use frequency | Variable; frequent (every cycle) to infrequent | Infrequently; only in emergency | Variable; frequent (every cycle) to infrequent |
| Effect | De-energize the relevant circuit and override related start functions | Remove all energy sources to hazards and override all other functions and operations in all modes | Remove or control energy sources to the safeguarded hazard and override all other functions and operations in all modes associated with the safeguarded hazard |
| Final removal of power | Electromechanical or solid-state components | Electromechanical components or solid state output devices (drives) designed for safety related functions | Electromechanical or solid-state components |

Table 1: Comparison of Stop, Emergency Stop and Protective Stop Requirements

Circuit Performance and Reliability Requirements


Certain parts of machinery control systems are frequently assigned safety functions, and these parts
are referred to as the safety-related parts of the control system (SRP/CS). These parts can be
separate or integrated parts of the control system, consist of both hardware and software, and are
intended to provide the safety functions of control systems.

Safety functions define how risks are reduced by engineering controls, and must be defined for each
hazard that has not been eliminated through design measures. At its core, a “safety function” is any
element of the protective system whose failure leads to an immediate increase of risk.

In order to accurately design, implement and validate safety functions to achieve the required level of
risk reduction, it is necessary to provide a precise description of each safety function. The type and
number of components required for the function are derived from the definition of the safety function.
Many different safety functions are possible, and some applications may require more than one
function in order to adequately reduce risk. Likewise, it is also possible for a single protective measure
(safeguarding component) to play a part in more than one safety function simultaneously. Further
discussion of safety functions is provided in a previous White Paper, Functional Safety for Machine
Controls.

Circuit Architecture [Category B, 1, 2, 3 and 4]
The first predominant standard developed and used in Europe to
functionally describe circuit design requirements was EN 954-1 [vii]. This
document classified 5 categories (B, 1, 2, 3 and 4) of performance for
SRP/CS with respect to the occurrence of faults. The categories can be
applied to:
• control systems of all kinds of machinery, from simple (such as small
kitchen appliances) to complex manufacturing installations (such as
packaging machinery, printing machines, or presses);
• control systems of protective equipment (such as two-hand control
devices, interlocking devices, electro-sensitive protective devices and
pressure sensitive protective devices).

According to EN 954-1, the design of SRP/CS and the selection of categories was based on a risk
assessment methodology, as shown in Figure 3.

[Figure 3 image: risk graph leading from START through the branches S1/S2, F1/F2 and P1/P2 to a
selection among Categories B, 1, 2, 3 and 4]

Legend:
S   Severity of Injury
    S1  Slight (normally reversible) injury
    S2  Serious (normally irreversible) injury, including death
F   Frequency and/or Duration of Exposure to the Hazard
    F1  Slight (normally reversible) injury
    F2  Serious (normally irreversible) injury, including death
P   Possibility of Avoiding the Hazard
    P1  Possible under specific conditions
    P2  Nearly impossible

Selection of Categories – B, 1 to 4 (marker key):
    Preferred categories for reference points
    Possible categories which may require additional measures
    Measures which can be over-dimensioned for the relevant risk

Figure 3: EN 954-1 Selection of Categories for SRP/CS

The categories presented in EN 954-1 are summarized in Table 2 below. These definitions provided a
clear basis upon which the design and performance of any SRP/CS could be assessed. This
document was subsequently elevated to the status of an international standard [viii] with no changes to
the requirements.

   

| Category | Brief Summary of Requirements | System Behavior | Principles for Achieving Safety |
|---|---|---|---|
| B | The safety-related parts of control systems and/or their protective devices, as well as their components, must be designed, built, selected, assembled, and combined in compliance with applicable standards so that they are able to tolerate anticipated influencing factors. | The occurrence of a fault can result in the loss of the safety function. | Primarily characterized by component selection |
| 1 | The requirements of category B shall be met. Proven components and proven safety principles shall be used. | The occurrence of a fault can result in the loss of the safety function, but the probability of occurrence is lower than in category B. | Primarily characterized by component selection |
| 2 | The requirements of category B shall be met and proven safety principles used. The safety function must be checked by the machine controller at appropriate intervals (test rate 100 times higher than requirement rate). | The occurrence of a fault can result in the loss of the safety function between checks. The loss of the safety function is detected by the check. | Predominantly characterized by the structure |
| 3 | The requirements of category B shall be met and proven safety principles used. Safety-related parts shall be designed such that: a single fault in any of these parts will not lead to the loss of the safety function; wherever it is reasonably possible, the single fault is detected. | When the single fault occurs, the safety function is always retained. Some, but not all faults are detected. Accumulation of undetected faults may lead to loss of the safety function. | Predominantly characterized by the structure |
| 4 | The requirements of category B shall be met and proven safety principles used. Safety-related parts shall be designed such that: a single fault in any of these parts will not lead to the loss of the safety function and the single fault is detected on or before the next request for the safety function. If this is not possible, an accumulation of faults will not lead to the loss of the safety function. | The safety function is always retained when faults occur. The faults are detected in a timely manner to prevent the loss of the safety function. | Predominantly characterized by the structure |

Table 2: Categories of Safety-Related Parts of Control Systems (SRP/CS)

Performance Levels [PL a, b, c, d and e]


Building on the guidance initially provided by EN 954-1 (and the later
ISO 13849-1 in 1999), the concept of safety performance was explored
on an even deeper level with the release of a revised document in
2006 [ix]. While the architecture of the circuit design has a direct effect on
the overall performance of an SRP/CS, it was subsequently
acknowledged that other factors play an equally important role. The
updated (and still current) ISO 13849-1 document was revised to focus on a higher order concept of
control system performance and integrity, known as Performance Level.

Contrary to what some people may believe, the defined Categories first established in EN 954-1 did
not get replaced or supplanted by Performance Levels. Instead, Performance Level (PL) recognizes
that additional factors must be accounted for to determine the overall performance of a circuit. As
shown in Figure 4 below, these factors are:

1. Structure and behavior of the safety function under fault conditions (category)
These are the same circuit architecture concerns addressed previously in EN 954-1, utilizing the
same category ratings (B, 1, 2, 3 and 4) described above.

2. Reliability of individual components defined by mean time to a dangerous failure (MTTFd) values
This value represents a theoretical parameter expressing the probability of a dangerous failure
of a component (not the entire subsystem) within the service life of that component.

3. Diagnostic coverage (DC)
The level of safety can be increased if fault detection is implemented in the subsystem. The
diagnostic coverage (DC) is a measure of capability to detect dangerous faults.

4. Common cause failure (CCF)
External influencing factors (e.g., voltage level, over temperature) can render identical
components unusable regardless of how rarely they fail or how well they are tested. These
common cause failures must always be prevented.

5. Process
The process for the correct implementation of safety-relevant topics is a management task and
includes appropriate quality management, including thorough testing and counter checking, as
well as version and change history documentation.

Figure 4: Performance Level (PL) Considerations

As was the case in EN 954-1, the required Performance Level (PLr) of the SRP/CS must be based
upon an evaluation of the inherent risk associated with the hazard, as shown in Figure 5.

Figure 5: Risk Graph for Determining Required Performance Level (PLr) for Safety Functions

Based on the assessment of risk, the PLr determined can be achieved through a variety of
combinations of circuit architecture (utilizing Categories), diagnostic coverage (DC), and reliability of
components (based on Mean Time to Dangerous Failure, MTTFd), as long as Common Cause Failures
(CCF) and the overall process are accounted for. This concept is visually represented in Figure 6.

Figure 6: Determination of the Performance Level (PL) of a Subsystem

In North America, a new standard is currently in development to further address this topic. This
standard, ANSI B11.26 [x], builds upon the concepts of Performance Levels and provides detailed
explanation and examples of Categories applied to real world scenarios. It is expected to be published
by early 2015 and is intended to improve the understanding of electrical, pneumatic and hydraulic
control circuits used in safety-related functions.

Safety Integrity Levels [SIL 1, 2, 3 and 4]


A similar approach to determining system performance and reliability
uses terminology known as Safety Integrity Levels (SILs). The SIL
concept is very similar to the PL approach in that it looks at many
aspects of system design rather than simply concentrating on the
architecture of the individual components.

When safety systems are comprised of electrical, electronic, and/or programmable electronic (E/E/PE)
elements to perform safety functions, the applicable international standard is IEC 61508-1 [xi]. The
approach of this standard applies a rational and consistent technical development protocol for all
electrically-based safety-related systems.

The essential objective is to ensure that control elements with safety-related functions will perform to a
degree of reliability equivalent to the level of risk for the application. Table 3 identifies the average
probability of a dangerous failure (PFDavg) that is required to achieve each specified SIL level,
depending on the level of demand placed on the elements.

Average probability of a dangerous failure on demand of the safety function (PFDavg):

| Safety Integrity Level (SIL) | High Demand or Continuous Operation | Low Demand |
|---|---|---|
| 4 | ≥ 10⁻⁹ to < 10⁻⁸ | ≥ 10⁻⁵ to < 10⁻⁴ |
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ | ≥ 10⁻⁴ to < 10⁻³ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ | ≥ 10⁻³ to < 10⁻² |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ | ≥ 10⁻² to < 10⁻¹ |

Table 3: IEC 61508 Safety Integrity Levels (SILs) – Target Failure Measures for a Safety Function

Another standard that utilizes the SIL rating scale is IEC 62061 [xii]. As a result of automation and the
associated demand for increased production and reduced operator physical effort, this standard was
developed to address Safety-Related Electrical Control Systems (SRECS) of machines. Since
SRECS play an increasing role in the achievement of overall machine safety, they also increasingly
employ complex electronic technology. Prior to the development of such standards, there had been a
reluctance to accept SRECS in safety-related functions for significant machine hazards because of
uncertainty regarding the performance of such technology.

In conjunction with IEC 61508, this standard was developed specifically for the machine sector and is
intended to facilitate the performance specifications of the SRECS in relation to the significant hazards
of machines. Similar to IEC 61508, this standard also relates the performance reliability of safety-
related control functions (SRCF) to the probability of a dangerous failure per hour (PFHD). As shown in
Table 4, the performance requirements of Safety Integrity Levels 1 through 3 are identical to the IEC
61508 expectation for systems used in continuous operation or with high mode of demand. However,
SIL 4 is not considered in IEC 62061 because it is not relevant to the risk reduction requirements
normally associated with machinery, but rather those risks associated with the process industry (such
as chemical, oil and gas, etc.).

| Safety Integrity Level (SIL) | Probability of a dangerous Failure per Hour (PFHD) |
|---|---|
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ |

Table 4: IEC 62061 Safety Integrity Levels (SILs) – Target Failure Values for Safety-Related Control Functions (SRCFs)

In relation to industrial machine safety, the two primary methodologies to determine the likelihood of a
dangerous failure are Performance Levels in accordance with ISO 13849-1 and Safety Integrity Levels as
addressed in IEC 62061. Generally speaking, design engineers apply the SIL process to applications
with complicated electrical and electronic control systems, such as in process industries (e.g., oil and
gas, chemical, aerospace, etc.). However, the PL process is more common in the industrial machine
market which utilizes both electronic and electromechanical components. Figure 6 illustrates these
methodologies in terms of probability of a dangerous condition.

Figure 6: Scale of Functional Safety Levels

Subsystem (Product) Ratings


Additional standards exist to create classifications or tiers of specific product types. This type of
standard is known as a product family standard and may be used as a normative reference in a
dedicated product standard for the safety of machinery.

Electro-Sensitive Protective Equipment (ESPE) [Type 2, 3 and 4]


One of the most recognized – yet still misunderstood – product
classification systems applies to electro-sensitive protective equipment
(ESPE), or electro-optical devices. The primary standard for ESPE is
IEC 61496-1 [xiii] which defines both common and specific requirements
for the different component technologies which comprise ESPEs.

This standard also defines the specific performance requirements necessary to achieve a Type
qualification. Interestingly, there is no Type 1 designation; only Types 2, 3 and 4. Additionally, there
are subsequent parts to this standard which provide specific requirements for each product
technology. Table 5 identifies the various ESPE technologies considered, as well as the possible Type
achievable for each.

| Technology | Abbreviation | Applicable Standards | Possible Type Achievable | Examples |
|---|---|---|---|---|
| Active Opto-electronic Protective Devices | AOPD | IEC 61496-1; IEC 61496-2 [xiv] | 2 or 4 | Light curtains; single/multiple beam systems; Close Proximity Point of Operation AOPDs (also known as laser actuated AOPDs in Europe) |
| Active Opto-electronic Protective Devices Responsive to Diffuse Reflection | AOPDDR | IEC 61496-1; IEC 61496-3 [xv] | 3 | Laser (area) scanners |
| Vision-Based Protective Devices | VBPD | IEC 61496-1; IEC 61496-4 [xvi] | 3 | Camera systems |

Table 5: Types of ESPE Addressed by IEC 61496

As Table 5 indicates, Type 2 and Type 4 ratings are reserved for through-beam technologies, which
utilize distinct transmitting (sender) and receiving (receiver) elements to constantly monitor an optical
signal. Table 6 represents a comparison of the primary differences between these ratings.

Table 6: Main Differences of Type 2 and Type 4 Active Optoelectronic Protective Devices (AOPDs) according to IEC 61496

Since ESPEs contain logic components with self-checking and monitoring features performing safety
functions, they are also considered sub-systems. In turn, these sub-systems can achieve specific
Performance Levels and Safety Integrity Levels, as shown in Table 7.

[Table 7 graphic: ESPE Type per IEC 61496-1 (rows: 2, 3, 4) charted against Performance Level (PL)
a, b, c, d, e per ISO 13849-1 (top scale) and Safety Integrity Level (SIL) 1, 2, 3 per IEC 62061
(bottom scale)]

| ESPE Type per IEC 61496-1 | Device Examples |
|---|---|
| 2 | Safety light curtains, single-beam photoelectric safety switches, multiple light beam safety devices |
| 3 | Safety laser scanners, safety camera systems |
| 4 | Safety light curtains, single-beam photoelectric safety switches, multiple light beam safety devices |

Table 7: Achievable Reliability of Safety Functions with Active Optoelectronic Protective Devices (AOPDs)

It is important to point out a key difference between most North American and European/International
standards. Very few application standards in North America require ESPE to be certified by a third-
party testing organization to any of the Types defined above, whereas most EN and ISO type-C
standards set minimum Type requirements when ESPEs are utilized as part of the risk reduction
solution. For instance, when an ESPE is utilized for presence sensing device initiation (PSDI), not only
must the minimum object sensitivity be 30 mm, but the device must also be a Type 4 component per
IEC 61496. While the regulatory requirements and consensus standards in North America do not
stipulate that ESPEs meet a specific rating system (such as the Types defined by IEC 61496), many
proactive organizations – both suppliers and end users – have a higher degree of confidence in the
overall reliability of their safeguarding systems when such devices are used.

With that said, it is also interesting to point out that Underwriters Laboratories (UL) – one of the leading
third-party testing organizations in North America – has developed a series of test standards based
strongly on the IEC standards. At this time, they have a standard for general requirements [xvii] as well
as another for AOPDs [xviii].

Interlocking Devices [Type 1, 2, 3 and 4]


Another example where a standard identifies a product classification
system using ‘Types’ with numeric rankings is ISO 14119 [xix] for
interlocking devices. This standard describes the technology and
typical characteristics of the defined four types of interlocking devices.
The four types of interlocking devices are not presented in a
hierarchical order, and other solutions may be adopted as long as they
comply with the principles of the standard. The correct application of
each type of interlocking device must always be determined by a risk assessment for the specific
machine application.

Since interlocking methods involve a broad spectrum of technological aspects, interlocking devices
can be classified using many different criteria. This may include grouping according to the nature of
the link between the guard and the output system, or by the type of technology (electromechanical,
pneumatic, electronic, etc.) associated with the output system. Table 8 shows the actuation principles
and actuators for the defined interlocking device types, as well as examples of products available on
the market to fill many of the categories.

1) These sensors are not designed for safety applications. If they are used as interlocking devices, the
designer shall give very careful consideration to systematic and common cause failures and take
additional measures accordingly.

Table 8: Overview of Interlocking Devices and Product Examples

As a basic introduction to this technology, interlocking devices are utilized to perform a function of
monitoring the position of a guard to sense whether the guard is closed or open. The device is then
intended to produce a stop command when the guard is not in the closed position. Additionally,
interlocking devices can be used to control other functions (e.g., application of a brake to stop
hazardous machine functions before access is permitted).

Furthermore, some interlocking devices also have a guard locking function to keep the guard locked
while hazardous machine function is present or simply to prevent interruption of the machine process.
The guard locking device is often an integral part of an interlocking device, but it may also be a
separate unit. Monitoring the status of the guard locking device determines whether the device is
engaged or released and produces an appropriate output signal accordingly. The operating principles
and associated terminology for these devices are addressed in Table 9.
   

| Principle | By Shape | By Shape | By Shape | By Force |
|---|---|---|---|---|
| Principle of Operation: Actuation (locking) | Spring | Power ON | Power ON | Power ON |
| Principle of Operation: Release (unlocking) | Power ON | Spring | Power ON | Power OFF |
| Terminology | Mechanical locking device (preferred for safeguarding) | Electrical locking device (preferred for process protection) | Pneumatic / hydraulic locking device | Magnetic locking device |

Table 9: Principles of Operation and Terminology for Locking Interlock Devices

Two-Hand Controls [Type I, II, IIIA, IIIB and IIIC]


Two-hand control devices are another example where subcategories
are defined using terminology with alpha-numeric ‘Types.’ As used
within the industrial safety market, a two-hand control device is a
safety device which provides a measure of protection for the operator.
The level of risk reduction is gained by preventing the operator from
reaching danger zones during hazardous situations by locating the
control actuating devices at a specific position and distance.

The international standard ISO 13851 [xx] describes the main characteristics of two-hand control devices
used in safety applications and sets out combinations of functional characteristics for three types.
Short of a detailed review, Table 10 provides a brief overview of the functional requirements for each
device type as defined by the ISO standard.

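Columns "Type I" through "Type IIIC" are the Types per ISO 13851; the last three columns are the North American Requirements.

| Requirement | Type I | Type II | Type IIIA | Type IIIB | Type IIIC | OSHA 29 CFR 1910.217 | ANSI B11.19 | CSA Z432 |
|---|---|---|---|---|---|---|---|---|
| Use of both hands (simultaneous actuation) | x | x | x | x | x | x | x | x |
| Relationship between input and output signal | x | x | x | x | x | x | x | x |
| Cessation of the output signal | x | x | x | x | x | x | x | x |
| Prevention of accidental operation | x | x | x | x | x | x | x | x |
| Prevention of defeat | x | x | x | x | x | x | x | x |
| Re-initiation of the output signal | a | x | x | x | x | x | x | x |
| Synchronous actuation | | | x | x | x | x | x | x |
| Use of Category 1 circuit architecture | x | | x | | | | a | a |
| Use of Category 3 circuit architecture | | x | | x | | b | a | a |
| Use of Category 4 circuit architecture | | | | | x | | a | a |

a Dependent on a risk assessment
b OSHA refers to circuit architecture in terms of ‘control reliable’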

Table 10: Minimum Safety Requirements for Two-Hand Control Devices and Type Classifications

In some applications, enabling devices and hold-to-run devices may comply with the definition of a
two-hand control device, but the ISO standard is not intended to apply to these special control devices.

In contrast to the ISO standard, the North American market does not segment the requirements for
two-hand control devices into different classifications. Instead, the OSHA regulation [xxi] and the ANSI [xxii]
and CSA [xxiii] standards set forth a single group of requirements, as identified in the last column of Table
10.

Commonalities of Product Classifications


As we have seen with the international Type-B standards categorizing product segments, the
standards do not specify which machines require specific classifications of devices. They also do not
specify which types of device shall be used. Instead, the standards provide requirements and
guidance addressing the design and selection (based on a risk assessment) while also establishing
performance requirements for design and certification of devices used in safety functions.

Conclusion
As reviewed in the discussion presented above, it should hopefully now be apparent that the various
ranking systems used within the industrial safety marketplace are each unique. Some of these ranking
systems utilize common terminology (such as ‘Category’ or ‘Type’) or similar classification levels
(either with alphabetical or numerical identification systems). However, the context of the terminology
is the most important element to ensure that all parties understand the intended meaning of the
message being communicated.

Based upon this review, a safety professional should hopefully better understand their control
engineers when they hear the following:
“We’ve designed a functional safety system to exceed the requirements of the Type-C standard. This
system is comprised of an emergency stop device used in a Category 0 stop circuit with Category 2
architecture, as well as a separate protective stop circuit with a Category 2 stop function achieving PLd
with Category 3 architecture. The protective stop circuit has the following components compliant with the
applicable Type-B standards: a Type 4 light curtain rated as PLe and SIL 3, a Type 2 power to unlock
guard locking interlock device, and a Type IIIB two-hand control device.”

While many EH&S personnel may not be able to review the control schematics in order to confirm the
component selection and circuit design, the language used by control engineers should hopefully now
have clearer meaning – or at least it should be more understandable. As is the case in any type of
communication, misunderstanding is often the root of many disappointments. Conversely, proper use
of industry-specific language can only aid in achieving intended goals.

This white paper is meant as a guideline only and is accurate as of the time of publication. When
implementing any safety measures, we recommend consulting with a safety professional.

For more information about ranking protocols used within the industrial safety market visit our web
site at www.sickusa.com.

References
The following standards were referenced for the content of this white paper.

Each entry lists: Document, Revision, Title

[i] ISO/IEC Guide 51, 2014, Safety aspects – Guidelines for their inclusion in standards
[ii] ANSI B11.0, 2010, Safety of Machinery – General Requirements and Risk Assessment
[iii] IEC 60204-1, 2005, Safety of machinery – Electrical equipment of machines – Part 1: General requirements
[iv] NFPA 79, 2015, Electrical Standard for Industrial Machinery
[v] ANSI B11.19, 2010, Performance Criteria for Safeguarding
[vi] ISO 13850, 2006, Safety of machinery – Emergency stop – Principles for design
[vii] EN 954-1, 1996, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
[viii] ISO 13849-1, 1999, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
[ix] ISO 13849-1, 2006, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
[x] ANSI B11.26, 2015*, Functional Safety for Equipment (Electrical/Fluid Power Control Systems) – Application of ISO 13849 – General Principles for Design
[xi] IEC 61508-1, 2010, Functional safety of electrical, electronic, programmable electronic safety-related systems – Part 1: General requirements
[xii] IEC 62061, 2005, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
[xiii] IEC 61496-1, 2012, Safety of machinery – Electro-sensitive protective equipment – Part 1: General requirements and tests
[xiv] IEC 61496-2, 2013, Safety of machinery – Electro-sensitive protective equipment – Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPDs)
[xv] IEC 61496-3, 2008, Safety of machinery – Electro-sensitive protective equipment – Part 3: Particular requirements for active opto-electronic protective devices responsive to diffuse reflection (AOPDDR)
[xvi] IEC/TR 61496-4, 2007, Safety of machinery – Electro-sensitive protective equipment – Part 4: Particular requirements for equipment using vision based protective devices (VBPD)
[xvii] UL 61496-1, 2002, Standard for Electro-sensitive protective equipment, Part 1: General Requirements and Tests
[xviii] UL 61496-2, 2002, Standard for Electro-sensitive protective equipment, Part 2: Particular Requirements for Equipment Using Active Opto-Electronic Protective Devices (AOPDs)
[xix] ISO 14119, 2013, Safety of machinery – Interlocking devices associated with guards – Principles for design and selection
[xx] ISO 13851, 2002, Safety of machinery – Two-hand control devices – Functional aspects and design principles
[xxi] OSHA 1910.217, 1971, Mechanical power presses
[xxii] ANSI B11.19, 2010, Performance Criteria for Safeguarding
[xxiii] CSA Z432, 2004 (R14), Safeguarding of machinery

* Expected publication date; currently in final draft / ballot stage.
