Standards and Regulations

kapitel 1
1.1 General information
1.2 Regulations and Standards in the European Union (EU)
1.3 Legal requirements and Standards regarding safety
at work in the US
1.4 Safety requirements for machines in Japan
1.1 General information
Objectives
The goal of safety technology is to keep
the potential hazards for man and the
environment as low as possible by apply-
ing and utilizing the appropriate technol-
ogy. However, this should be achieved
without imposing unnecessary restric-
tions on industrial production, the use of
machines and the production of chemi-
cals. By applying internationally harmo-
nized regulations, man and the environ-
ment should be protected to the same
degree in every country. At the same
time, differences in competitive environ-
ments, due to different safety require-
ments, should be eliminated.
In the various regions and countries
around the globe, there are different con-
cepts and requirements when it comes
to guaranteeing safety. The legal con-
cepts and the requirements regarding
what has to be proven and how, as to
whether there is sufficient safety, are
just as different as the assignment of the
levels of responsibility.
For example, in the EC, there are require-
ments, placed both on the manufacturer
of a plant or system as well as the oper-
ating company which are regulated using
the appropriate European Directives,
Laws and Standards.
On the other hand, in the US, require-
ments differ both at a regional and even
at a local level. However, throughout
the US, there is a basic principle that an
employer must guarantee a safe place of
work. In the case of damage, as a result
of the product liability, the manufacturer
can be made liable due to the associa-
tion with his product. On the other hand,
in other countries and regions, other prin-
ciples apply.
What is important for the manufacturers
of machines and plant construction com-
panies is that the legislation and rules of
the location always apply in which the
machine or plant is being operated. For
instance, the control system of a
machine, which is operated and used in
the US, must fulfill US requirements,
1/2 Safety Integrated Application Manual Siemens AG
even if the machine manufacturer (i.e.
OEM) is based in Europe. Even though
the technical concepts with which safety
is to be achieved, are subject to clear
technical principles, it is still important to
observe as to whether legislation or spe-
cific restrictions apply.
Functional safety
From the perspective of the object to be
protected, safety cannot be segregated.
The causes of hazards and the technical
measures applied to avoid them can dif-
fer widely. This means that a differentia-
tion is now made between various types
of safety, e.g. by specifying the cause of
the potential hazard. For instance, the
term “electrical safety” is used if protec-
tion has to be provided against electrical
hazards, or the term “functional safety”
is used if the safety is dependent on the
correct function.
This differentiation is now reflected in
the most recent Standards, in so much
that there are special Standards which
are involved with functional safety. The
area of machinery safety EN 954 deals
specifically with safety-relevant parts of
control systems and therefore concen-
trates on the functional safety. The IEC
handles functional safety of electrical,
electronic and programmable electronic
systems, independent of any specific
application in the pilot Standard IEC
61508 .
In IEC 61508, functional safety is defined
as “part of the overall safety relating to
the EUC* and the EUC control system
which depends on the correct function-
ing of the E/E/PE** safety-related sys-
tems, other technology safety-related
systems and external risk reduction facili-
ties”. In order to achieve functional safety
of a machine or a plant, the safety-rele-
vant parts of the protective and control
devices must function correctly, and,
when a fault or failure occurs, the plant
or system must remain in a safe condi-
tion or be brought into a safe condition.
To realize this, proven technology is
required, which fulfills the demands
specified by the relevant Standards. The
requirements to achieve functional safety
are based on the following basic goals:
• Avoid systematic faults,
• Control systematic faults,
• Control random faults or failures.
The measure for the level of achieved
functional safety is the probability of the
occurrence of dangerous failures, the
fault tolerance and the quality which
should be guaranteed by avoiding sys-
tematic faults. In the Standards, this is
expressed using various terms. In IEC
61508: “Safety Integrity Level” (SIL), in
EN 954: “Categories” and in DIN V
19250 and DIN V VDE.
0801: “Requirement classes” (AK).
Standardization goals
The demand to make plant, machines
and other equipment as safe as possible
using state-of-the-art technology comes
from the responsibility of the manufac-
turers and users of equipment for their
safety. All safety-significant aspects of
using state-of-the-art technology are
described in the Standards. By maintain-
ing and fulfilling these standards, it can
be ensured that state-of-the-art technol-
ogy is applied therefore ensuring that the
company erecting a plant or the manu-
facturer producing a machine or a device
has fulfilled his responsibility for ensuring
safety.
Note: The Standards, Directives and
Laws, listed in this Manual are just a
selection to communicate the essential
goals and principles. We do not claim
that this list is complete.
* EUC: Equipment under control
** E/E/PE: Electrical, electronic,
programmable electronic
1.2 Regulations and Standards
in the European Union (EU)
1.2.1 Basic principles of
European legislation*
Legislation states that we must focus
our efforts “... on preserving and pro-
tecting the quality of the environment,
and protecting human health through
preventive actions” (Council Directive
96/82/EC “Seveso II”).
It also demands “Health and safety at
the workplace” (Machinery Directive,
workplace, health and safety legisla-
tion, ...).Legislation demands that this
and similar goals are achieved for vari-
ous areas (“Areas which are legis-
lated”) in the EC Directives. In order to
achieve these goals, legislation places
demands on the operators and users
of plant, and the manufacturers of
equipment and machines. It also
assigns the responsibility for possible
injury or damage.
The EC Directives
• Specify demands placed on plant
and systems and their
operators/users to protect the health
and safety of personnel and environ-
mental quality;
• Contain regulations about health and
safety at the workplace (minimum
requirements);
• Define product features and charac-
teristics to protect the health and
safety of users;
• Make a differentiation between
requirements placed on the realiza-
tion and implementation of products
to guarantee free trade and the
requirements regarding the use of
products.
* Note: The EFTA countries have
decided to adopt the EC concept.
1
The EC Directives, which are associ- The list of EC Directives with the asso-
ated with implementing new products, ciated lists of harmonized standards is
are based on a new global concept provided in the Internet under:
(“new approach” , “global approach”):
http://www.NewApproach.org/
• EC Directives only contain general
directiveList.asp
safety goals and define fundamental
safety requirements.
Low-Voltage Directive
• Standards Committees, which have
The Low-Voltage Directive (73/23/EC)
received an appropriate mandate
applies to electrical equipment with
from the EC Commission (CEN,
rated voltages in the range between
CENELEC), can define technical
50 and 1000 V AC or between 75 and
details in the Standards. These
1500 V DC (for the revision presently
Standards are harmonized under a
being carried-out, it is possible that the
specific Directive and are listed in the
lower voltage limits may be omitted).
Official Journal of the EC. When the
This is a New Approach Directive.
harmonized standards are fulfilled,
EN 60204-1 is listed under the Low-
then it is assumed that the associ-
Voltage Directive for “Electrical equip-
ated safety requirements of the
ment of machines” . This means, that if
directives are also fulfilled (for more
EN 60204-1 is fulfilled, then it can be
detailed information, refer to Section
reasonably assumed that the Directive
1.2.3 “Safety of Machinery”)
is fulfilled.
• Legislation no longer specifies that
(Note: The requirements to fulfill the
specific standards have to be met.
Low-Voltage Directive are not dis-
However, it can be “reasonably
cussed in any more detail in this Man-
assumed” that when specific stan-
ual.)
dards are observed, the associated
safety goals of the EC Directives are
fulfilled.
1.2.2 Health and safety
• EC Directives specify that Member at the workplace in the
States recognize each other's
national regulations and laws.
EC
The EC Directives have the same
The requirements placed on health and
degree of importance, i.e. if several
safety at the workplace are based on
Directives apply for a specify piece of
Article 137 (previously 118a) of the EC
equipment or device, then the require-
Contract. The Master Directive “Health
ments of all of the relevant Directives
and Safety of Personnel at the Work-
have to be met (e.g. for a machine
place” (89/391/EC) specifies minimum
with electrical equipment, the Machin-
requirements for safety at the work-
ery Directive, and Low-Voltage Direc-
place. The actual requirements are sub-
tive apply).
ject to domestic legislation and can
Other regulations apply to equipment exceed the requirements of these
where the EC Directives are not applic- Master Directives. The requirements
able. They include regulations and crite- involve the operation of products (e.g.
ria for voluntary tests and certifica- machines), and not with their imple-
tions. mentation.
Safety Integrated Application Manual Siemens AG 1/3
 1.2.3 Safety of Machinery Machinery Directive
in Europe Application area, sel- Certification CE marking, Coming into
ling, marketing, free- procedure protection against force, transitional
Machinery Directive (98/37/EC)* dom of movement, arbitrary regulations,
health and safety fulfillment cancellation of
With the introduction of a common requirements the regulations
European market, a decision was Art.1 – Art. 7 Art. 8 – Art. 9 Art. 10 – Art. 12 Art. 13 – Art. 14
made to harmonize the national stan- Annex Article
dards and regulations of all of the EC
Member States. This meant that the Essential health and safety requirements relating to the
Machinery Directive, as an internal design and construction of machinery, and 3
• interchangeable equipment 5
Directive, had to be implemented in • safety components 10
the domestic legislation of the individ-
ual Member States. In Germany, the Contents of
contents of the Machinery Directive II 1. EC Declaration of Conformity for 4
were implemented as the 9th Decree machinery, and 5
• interchangeable equipment 8
of the Equipment Safety law. For the • safety components
Machinery Directive, this was realized
with the goal of having unified protec- 2. Manufacturer's declaration for 4
tive goals and to reduce trading barri- – specific components of the machinery
– non-functioning machines
ers. The area of application of the
Machinery Directive corresponds to its III CE marking 10
definition “Machinery means an
IV Types of machinery and
assembly of linked parts or compo- safety components, where
nents, at least one of which moves...” the procedure acc. to Article 8
which encompasses a wide scope. must be applied.
With the Change Directives, the area
of application has been subsequently V EC Declaration of conformity for
machinery, and 8
extended to “safety components” and • interchangeable equipment
“interchangeable equipment.” The • safety components
Machinery Directive involves the
implementation of machines. VI EC type examination for
machinery and 8
“Machinery” is also defined as an • interchangeable equipment
assembly of machines which, in order • safety components
to achieve the same end, are arranged VII Minimum criteria for testing bodies 9
and controlled so that they function as
an integral whole".. Fig. 1/1
Overview of the Machinery Directive
The application area of the Machinery
Directive thus ranges from a basic In selecting the most appropriate b) "When selecting the appropriate
machine up to a complete plant. methods, the manufacturer must apply solutions, the manufacturer must apply
The Machinery Directive has 14 Arti- the following principles, in the order the following basic philosophy, and
cles and 7 Annexes. given (Annex I Paragraph 1.1.2): more specifically in the specified
sequence:
The basic health and safety require- a) “The machine design must guaran-
ments in Annex I of the Directive are tee that operation, equipping and • Eliminate or reduce the risks as far as
mandatory for the safety of machinery. maintenance, when the machine is possible (integrating the safety con-
correctly used, does not represent any cept into the development and the
potential danger to personnel.” construction of the machine);
“The measures must exclude any risk • Take the necessary protective mea-
of accident...” sures against risks that cannot be
eliminated;

* replaces 89/392/EC, 91/368/EC,

93/44/EC, 93/68/EC.

1/4 Safety Integrated Application Manual Siemens AG

 1
• Inform users of the residual risks due
Types of machinery and safety components, for which the procedure
to any shortcomings of the protection
referred to in Article 8, Paragraph 2, Letters b) and c) must be applied.
measures adopted.
A. Machinery The protection goals must be responsi-
1. Circular saws (single or multi-blade) for working with wood and analogous materials bly implemented in order to fulfill the
or for working with meat and analogous materials demand for conformance with the
1.1. Swing machines with fixed tool during operation, having a fixed bed with Directive.
manual feed of the workpiece or with a demountable power feed.
1.2. Sawing machines with fixed tool during operation, having a manually The manufacturer of a machine must
operated reciprocating saw-bench carriage prove that the basic requirements have
1.3. Sawing machines with fixed tool during operation, having a built-in been fulfilled. This proof is made easier
mechanical feed device for the workpieces, with manual loading and/or unloading by applying harmonized standards.
1.4. Sawing machines with movable tool during operation, with a mechanical feed device
and manual loading and/or unloading A certification technique is required for
2. Hand-fed surface planing machines for woodworking machines listed in Annex IV of the
3. Thicknesses for one-side dressing with manual loading and/or Machinery Directive, which represent a
unloading for woodworking more significant hazard potential. (Rec-
4. Band-saws with fixed or mobile bed and band-saws with a mobile carriage, ommendation: Machinery, which is not
with manual loading and/or unloading, for working with wood and analogous materi- listed in Annex IV, can also represent a
als or for working with meat and analogous materials high potential hazard and should be
5. Combined machines of the types referred to in 1 to 4 and 7 for working with wood appropriately handled.) The precise
and analogous materials
“technique to define whether compli-
6. Hand-fed tenoning machine with several tool holders for woodworking
ance exists” with the goals, is defined
7. Hand-fed vertical spindle molding machines for working with wood in Chapter II of the Directive.
and analogous materials
8. Portable chain saws for woodworking
Standards
9. Presses, including press-brakes, for the cold working of metals, with manual loading
and/or unloading, whose movable working To sell, market or operate/use products,
parts may have a travel exceeding 6 mm and a speed exceeding 30 mm/s these products must fulfill the basic
10. Injection or compression plastic-molding machines with manual loading safety requirements of the EC Direc-
or unloading
tives. Standards can be extremely help-
11. Injection or compression rubber-molding machines with manual loading
or unloading ful when it involves fulfilling these
12. Machinery for underground working or the following types:
safety requirements. In this case, a dif-
– machinery or rails: Locomotives and brake-vans ferentiation must be made between
– hydraulic-powered roof supports harmonized European Standards and
– internal combustion engines to be fitted to machinery for underground working other Standards, which although are
13. Manually-loaded trucks for the collection of household refuse incorporating a com- ratified, they have still not been harmo-
pression mechanism nized under a specific Directive, as well
14. Guards and detachable transmission shafts with universal joints as described in Sec- as other technical rules and regulations
tion 3.4.7.. which are also known as “National
15. Vehicle-servicing lifts Standards” in the Directives.
16. Devices for the lifting of persons involving a risk of falling from a
vertical height of more than 3 meters Ratified Standards describe recognized
17. Machines for the manufacture of pyrotechnics state-of the-art technology. This means,
that by proving that he has applied
B. Safety components them, a manufacturer can prove that he
1. Sensor-controlled devices to detect persons has fulfilled what is a recognized state-
e.g. light barriers, sensor mats, electromagnetic detectors of-the-art technology.
2. Logic units which ensure the safety functions of bimanual
controls Generally, all Standards, which have
3. Automatic movable screens to protect the presses referred to been ratified as European standards,
in 9, 10 and 11 (Letter A) must be included, unchanged in the
4. Rollover protection structures (ROPS) domestic (national) Standards of the
5. Falling-object protective structures (FOPS)

Fig. 1/2
Annex IV of the Machinery Directive

Safety Integrated Application Manual Siemens AG 1/5

Basic safety standards Type
A Standards

Basic design principles

and terminology for machines

Group safety standards Type

B Standards

B1 Standards B2 Standards
General safety Reference to special
aspects protective devices

Specialist Type C Standards

Standards
Special safety features for
individual machine groups

Fig. 1/3
European Standards for Safety of Machinery

Member States. This is independent of
whether they are harmonized under a
particular Directive or not. Existing
National Standards, handling the same
subject, must then be withdrawn.
Thus, within a period of time in
Europe, a unified set of regulations will
be created (without any contradic-
tions).
Note: IEC 61508 is an important Stan-
dard which has not been harmonized
under a particular EC Directive - “Func-
tional safety of electrical/electronic/pro-
grammable electronic safety-related
systems”, as there is no appropriate
harmonized standard. It is ratified as
EN 61508. The German Draft Stan-
dards DIN V VDE 0801 and DIN V
19250 and 19251 will therefore be
withdrawn by August 2004.
Harmonized European Standards
These are drawn up by the two stan-
dards organizations CEN (Comité
Européen de Normalisation) and CEN-
ELEC (Comité Européen de Normalisa-
tion Électrotechnique) as mandate
from the EC Commission in order to
fulfill the requirements of the EU
Directives for a specific product, which
must be published in the official Coun-
cil Journal of the European communi-
ties. These Standards (EN Standards)
are then transferred into the national
standards unchanged.
They are used to fulfill the basic health
and safety requirements and the pro-
tective goals specified in Annex I of
the Machinery Directive.
DIN and DKE are the contact
partners for CEN / CENELEC .
By fulfilling such harmonized stan-
dards, there is an “automatic presump-
tion of conformity,” i.e. the manufac-
turer can be trusted to have fulfilled all
of the safety aspects of the Directive
as long as they are covered in the par-

1/6 Safety Integrated Application Manual Siemens AG

 1
Note for users:
If harmonized C Standards exist for the particular product, then
the associated B and if relevant, also the A Standards can be
EN 292 considered as secondary.
Safety of Machinery
Basic terminology, general Type A
design principles Basic safety
standards
EN 1050
Safety of Machinery
Principles of risk assessment

Minimum Safety- Safety clear- Electrical Safety of

Type B1
clearances relevant ances against equipment machines Higher-level
to prevent parts of accessing of inter-latching safety aspects
parts of the control dangerous machines devices with
body being systems locations with and without
crushed the upper limbs tumbler

EN 349 EN 954 EN 294 EN 60204-1 EN 1088

Type B2
Requirements for
Two-hand Emergency stop equipment, functional Light barriers,
circuit aspects – design guidelines – light curtains safety related devices
EN 574 EN 418 EN 61496-1

Elevators Injection molding machines Presses + sheers Numerically Type

Typ-CC
EN 692 controlled lathes -–Specialist
Fachnormenstan-
–
EN 81-3 EN 201 EN 693 EN 12415, EN 12418
dards – Specific
Spezifische
requirements
Anforderungen
etc. on
an specific
bestimmte
machines
Maschinen

Also refer to Section 8 – List of harmonized standards

ticular Standard. However, not every
European Standard is harmonized in
this sense. The listing in the European
documentation is definitive The latest
versions can be found in the Internet
(address:
http:// www.NewApproach.org/
directiveList.asp).
The European Standards for the safety
of machinery are hierarchically struc-
tured as follows
• A Standards,
also known as Basic Standards.
• B Standards,
also known as Group Standards.
• C Standards,
also known as Product Standards.
The diagram above shows the struc-
ture.
Type A Standards/Basic Standards
Type A Standards contain basic termi-
nology and definitions for all machines.
This includes EN 292 “Safety of
machinery - Basic concepts, general
principles for design.”
Type A Standards primarily address
those parties setting B and C Stan-
dards. The techniques for minimizing
risks, specified there, can, however,
also be helpful for manufacturers if
there are no relevant C Standards.
Type B Standards/Group Standards
These include all Standards with
safety-related statements, which can
involve several types of machines.
Type B Standards also primarily
address those parties setting C Stan-
dards. However, they can also be help-
ful for manufacturers

Safety Integrated Application Manual Siemens AG 1/7

when designing and constructing
machinery if there are no relevant C
Standards.
For B Standards an additional subdivi-
sion was made:
Type B1 Standards for higher-level
safety aspects, e.g. ergonomic design
principles, safety distances from
potential sources of danger, minimum
clearances to prevent crushing of body
parts.
Type B2 Standards for safety equip-
ment are specified for various machine
types, e.g. EMERGENCY STOP equip-
ment, two-hand controls,
interlocking/latching, non-contact pro-
tective devices, safety-related parts of
controls.
Type C Standards/Product Stan-
dards
These involve the machinery-specific
Standards, e.g. for machine tools,
woodworking machines, elevators,
packaging machines, printing machines
etc.
The European Standards are structured
so that general statements which are
already included in type A or type B
standards are not repeated. Refer-
ences to these are made in type C
Standards
Product Standards include machinery-
specific requirements. These require-
ments, under certain circumstances,
deviate from the Basic and Group
Standards. For machinery OEMs, type
C Standard/Product standards have the
highest priority. They (the machinery
OEMs) can then assume that they ful-
fill the basic requirements of Annex I
of the Machinery Directive (automatic
presumption of conformity).
If there is no Product Standard for a
particular machine, then Type B Stan-
dards can be applied for orientation
purposes when constructing machin-
ery.
1/8 Safety Integrated Application Manual Siemens AG
In order to provide a method to harmo- Risk evaluation/assessment
nize the basic requirements of the
As a result of their general design and
Directive, with the mandate of the EC
functionality, machines and plants rep-
commission, harmonized standards
resent potential risks. Therefore, the
were drawn-up in the technical com-
Machinery Directive requires a risk
mittees of the CEN and CENELEC for
assessment for every machine and, if
machinery or machinery groups for
relevant, risk reduction, so that the
almost all areas. Drawing-up the stan-
remaining risk is less than the tolerable
dards essentially involves representa-
risk. The following Standards should be
tives of the manufacturer of the partic-
applied for the technique to assess
ular machinery, the regulatory bodies,
these risks:
such as Trade Associations as well as
users. An overview of the most impor- • EN 292 “Safety of machinery – Basic
tant type A, B and C standards is pro- concepts, general principles for
vided in Section 8. A complete list of design” and
all of the listed Standards as well as
• EN 1050 “Safety of machinery – Prin-
the activities associated with Stan-
ciples for risk assessment”
dards - with mandate - are provided in
the Internet under: EN 292 mainly handles the risks to be
evaluated and design principles to
http://www.NewApproach.org/ reduce risks. EN 1050 basically han-
directiveList.asp dles the iterative process with risk
assessment and risk reduction to
Recommendation: Technology is pro-
achieve safety.
gressing at a tremendous pace which
is also reflected in changes made to
Risk assessment
machine concepts. For this reason,
especially when using Type C Stan- Risk assessment is a sequence of
dards, they should be checked to steps, which allows hazards, which are
ensure that they are up-to-date. It caused by machines, to be systemati-
should also be noted that it is not cally investigated. Where necessary,
mandatory to apply the standard but the risk assessment phase is followed
instead, the safety objective must be by risk reduction. The interactive
achieved. process (refer to Graphic 1/5) is
obtained by repeating this procedure.
National Standards This allows potential hazards to be
removed as far as possible, and allows
If harmonized European Standards are
the appropriate protective measures to
not available, or they cannot be applied
be taken
for certain reasons, then the manufac-
turer can utilize “National Standards.”All The risk assessment includes:
of the other technical rules fall under
• Risk analysis
this term, e.g. also the accident pre-
a) Determining the limits of the ma-
vention regulations and standards,
chine (EN 292, EN 1050 Paragraph 5)
which are not listed in the European
b) Identification of hazards (EN 292,
Council Journal (also IEC or ISO Stan-
EN 1050 Paragraph 6)
dards which were ratified as EN). By
c) Techniques to estimate risks (EN
applying ratified standards, the manu-
1050 Paragraph 7)
facturer can prove that recognized
state-of-the-art technology was ful- • Risk evaluation (EN 1050 Paragraph 8)
filled. However, when such standards
After risks have been estimated, a risk
are applied, the above mentioned
evaluation is made as part of an itera-
“automatic presumption of confor-
tive process to achieve safety. In this
mity” does not apply.
case, a decision has to be made
 1
Risk is a Severity and Probability of OCCURRENCE of
function that harm
related to the of of the possible
considered hazard harm for the Frequency and duration of
considered hazard exposure

Probability of occurrence of
hazardous event

Possibility to avoid or limit

the harm

Fig. 1/4
Risk elements

START

Determine the machine limits

Identify the hazard Risk analysis Risk assessment

Risk estimation

Risk evaluation

YES
Is the machine safe? END

NO

Reduce risk

Risk reduction and the selection of appropriate safety measures are not part of the risk assessment
For a further explanation, refer to Section 5 of EN 292-1 (1991) and EN 292-2.

Fig. 1/5
Iterative process to achieve safety in accordance with EN 1050

Safety Integrated Application Manual Siemens AG 1/9

whether it is necessary to reduce a
risk. If the risk is to be further reduced,
suitable protective measures must be
selected and applied. The risk evalua-
tion must then be repeated.
If the required degree of safety has
still not been reached, measures are
required to further reduce the risk.
The risk must be reduced by suitably
designing and implementing the
machine. For instance, using suitable
control or protective measures for the
safety functions (also refer to the Sec-
tion “Requirements of the Machinery
Directive”). If the protective measures
involve interlocking or control func-
tions, then these must be configured
in accordance with EN 954. When
using electronic controls and bus sys-
tems to implement these protective
measures, then, in addition, IEC / EN
61508 must also be fulfilled.
Standard EN 1050 calls this operation
an iterative process to achieve safety
(refer to Fig. 1/5).
Risk elements are defined as a sup-
port tool to evaluate risks. Graphic 1/4
shows the inter-relationship between
these risks elements.
Residual risk (EN 1050)
Safety is a relative term in
our technical environment. Unfortu-
nately, it is not possible to implement
the so-called “zero risk guarantee”
where nothing can happen under any
circumstances. The residual risk is
defined as: Risk, which remains after
the protective measures have been
implemented.
In this case, protective measures rep-
resent all of the measures to reduce
risks.
Reducing risks
In addition to applying structural mea-
sures, risk reduction for a machine can
also be realized using safety-relevant
control functions. For these control
functions, special requirements must
be observed, which are classified
according to the level of risks. These
1/10 Safety Integrated Application Manual Siemens AG
Category
B 1 2 3 4
S1
Starting point for P1
estimating the risk F1
of the safety-related
part of the control P2
S2
P1
F2
P2
S Severity of the injury
S1 Slight (normally reversible) injury
S2 Severe (normally irreversible) injury including death
F Frequency and/or exposure time to the hazardous condition
F1 Seldom up to quite often and/or the exposure time is short
F2 Frequent up to continuous and/or the exposure time is long
P Possibility of avoiding the hazard
P1 Possible under specific conditions
P2 Scarcely possible
Selecting the category
B, 1 to 4 Categories for safety-related parts of control systems
Preferred categories for reference points
Possible categories requiring further steps
Measures which can be over-dimensioned for the relevant risk
Fig. 1/6
Possible selection of the Categories in accordance with EN 954-1
are described in EN 954-1 and, for whether the requirements of the
complex control systems with pro- selected Category have been fulfilled.
grammable electronics, in IEC 61508. The control must be validated. The
details of how this validation process
The requirements placed on safety-rel-
is actually carried-out and what has to
evant parts of control systems are
be taken into account is described in
classified in categories according to
Section 2 of EN 954. Presently, this
the level of risk. Techniques to select a
section is available as Draft prEN954-2.
suitable Category as reference point
for configuring the various safety- The adjacent table shows a brief sum-
related parts of a control system are mary of the requirements for the vari-
recommended in Annex B of EN 954-1 ous categories. The complete text of
(refer to Fig. 1/6). A detailed concept to the requirements is contained in EN
evaluate the risk and to determine the 954-1 “Safety-related parts of control
necessary requirements placed on the systems”, Section 6 “Categories”. Basic
control system are presently drawn-up requirements for configuring control
in the form of Draft IEC 62061. It is systems are defined in the various cat-
important that all of the parts and com- egories. These are intended to make
ponents of the controls, which are the systems tolerant to hardware fail-
involved in implementing the safety- ures.
relevant function fulfill these require-
Additional aspects must be taken into
ments.
consideration for more complex control
After the control has been imple- systems, especially programmable
mented, it is necessary to check electronic systems, so that
 1
• random hardware failures can be
Category1) Summary of requirements System behavior2) Principles to
controlled, achieve safety
• systematic errors/faults in the hard-
ware and software are avoided B Safety-related parts of control The occurrence of a fault
systems and/or their protective- can lead to the loss of
• systematic errors/faults in the hard- equipment, as well as their com- the safety function
ware and software can be controlled, ponents, shall be designed, con-
structed selected, assembled and
and sufficient functional safety is combined in accordance with rele-
achieved for safety-critical tasks. The vant standards so that they can
withstand the expected influence. Mainly
necessary requirements are described characterized by
in the International IEC 61508 Standard selection of
(the previous DIN V VDE 0801 will be components
1 Requirements of B shall The occurrence of a
withdrawn in August 2004 as part of apply.Well-tried components and fault can lead
the European harmonization of well-tried safety principles to the loss of
shall be used. the safety function
EN 61508) and for contactless protec- but the probability
tive devices such as light arrays or of occurrence is
laser scanners IEC / EN 61496-1. The lower than for
Category B.
scope of the required measures is also
graded corresponding to the risk 2 Requirements of B and the use – The occurrence of a
reduction required. of well-tried safety principles fault can lead to the
shall apply. loss of the safety
In order to support the implementation The safety function shall be function between
and application of these systems, checked at suitable intervals by the checks.
the machine control system.
presently, other standards are being – The loss of the
developed with IEC 62061 “Safety of safety function
Machinery – Functional safety of is detected by
the check.
safety-related electrical, electronic and
programmable electronic control sys- 3 Requirements of B and the use – When the single
tems ” and IEC 61800-5-2 of well-tried safety principles fault occurs, the
“Adjustable speed electrical power shall apply. safety function is
Safety-related parts shall be always performed.
drive systems - functional safety designed, so that: – Some but not Mainly
requirements.” – a single fault in any of these all faults will characterized by
parts does not lead to the loss be detected. structure
Validation of the safety function, and – Accumulation
– whenever reasonably of undetected faults
The subject of “validation” is handled practicable, the single can lead to the loss
fault is detected. of the safety function
in the Draft Standard prEN954-2
“Safety of Machinery – Safety-related
parts of control systems”. In this case, 4 Requirements of B and the use – When the faults
validation means that the safety func- of well-tried safety principles occur, the safety
shall apply. function is always
tionality to be achieved is checked and Safety-related parts shall be performed.
evaluated. This Standard corresponds designed so that: – The faults will be
to the status of a B1 safety group – a single fault in any of these detected in time to
parts does not lead to a loss prevent the loss of
Standard (general safety aspects). The of the safety function and the safety function.
purpose of the validation is to confirm – the single fault is detected at or
the definitions and level of conformity before the next demand upon
the safety function. If this is not
of the safety-related parts of the con- possible, then an accumulation of
trols within the overall definition of faults shall not lead to a loss
safety requirements on the machinery. of the safety function

1)
The categories are not intended to be used in any given order or in any given hierarchy in respect of
safety requirements.
Fig. 1/7 2)
The risk assessment will indicate whether the total or partial loss of the safety function(s) arising from
Description of the requirements for the faults is acceptable.
Categories in accordance with EN 954-1

Safety Integrated Application Manual Siemens AG 1/11

The validation must show that every
safety-related part or component ful- START
fills the requirements laid down in
EN 954-1. The following aspects are
described: Fault list Considerations when designing Validation plan Validation principle

• Validation using analysis

• Validation using testing Documents Analysis

• Fault lists
Is the analysis
• Validation of safety functions Criteria for excluding faults
adequate?
NO NO
• Validation of categories
• Validation of the environment Test

requirements YES

• Validation of the service/maintenance Is the test

complete?
requirements
YES
An overview of the validation tech-
nique in compliance with EN 954-2 is Validation report

shown in Fig. 1/8.

The validation plan must identify and
END
describe the requirements to carry-out
the validation technique for the defined
safety functions and their categories. Fig. 1/8
Where appropriate, it must also docu- Overview of the validation process (from prEN 954-2)
ment these. Fig. 1/9 illustrates the
Documentation requirements Category for which
requirements placed on the documen- documentation is required
tation corresponding to the various
Categories. B 1 2 3 4

Basic safety principles X X X X X

The requirements, described in EN
954-1, are not adequate for systems Stressing expected in operation X X X X X
utilizing programmable electronic sys-
Influence of the material being processed X X X X X
tems. This is the reason that EN 954-2
specifies that additional standards, e.g. Performance during other relevant external influences X X X X X
the IEC 61508 or contactless protec- Proven components – X – – –
tive devices, IEC 61496 are used for
validation. Proven safety principles – X X X X

These extensive requirements refer to The test technique for safety function(s) – – X – –
the development and implementation Defined test internals – – X – –
of controls, not to the application and
Individual faults which can be predicted and have been taken – – X X X
parameterization of certified systems, into account in the design and the detection technique applied
Simatic S7-300F, Sinumerik Safety Inte-
grated, Siguard Laser Scanner and All identified faults with a common cause and how they can – – – X X
be prevented
Light Curtains, PROFIsafe or AS-i
Safety at Work. How the safety function is maintained for each fault/error – – – X X

Faults which are to be detected – – X X X

Various fault groups which must be taken into account – – – X X

in the design

How the safety function should be maintained for all – – – – X

combinations of faults

Fig. 1/9
Documentation requirements (from prEN 954-2)

1/12 Safety Integrated Application Manual Siemens AG


Safety Integrated
The measures which are required to
make a complex control adequately
and functionally safe for safety tasks
are extremely extensive and involve
the complete development and manu-
facturing process. Therefore, controls
have to be specifically designed to ful-
fill safety functions. SIMATIC S7-300F /
S7 400F/FH and SINUMERIK “Safety
Integrated” are examples of such con-
trol systems. This also applies to the
communication systems PROFIsafe
and AS-i Safety at Work, PROFIBUS
and AS-i which are used to transfer
safety-related data.
Safety-related functions
The safety-related functions include,
in addition to conventional functions
• Stop
• Actions in an emergency situation
• Preventing accidental starting
and, in the meantime, even complex
functions, such as
• State-dependent interlocking
• Speed limiting
• Position limiting
• Speed deviation, to name just a few
The classic functions are defined
in EN 60204-1 and were, up until
now, generally implemented using
mechanical components. Electronic
programmable systems can also be
used to implement more complex
functions, if they fulfill the relevant
Standards (IEC 61508, EN 954). Com-
plex functions, e.g. which involve the
behavior of variable-speed drives, are
described in draft IEC 61800-5-2.
Stop
Stop categories of EN 60204-1
Three stop categories are defined in
EN 60204-1 (VDE 0113 Part 1) which
define the control sequence for stop-
ping, independent of an emergency
situation:
Stop category 0
Uncontrolled stop by immediately
removing the power to the machine
drive elements.
Stop Category 1
Controlled stop; the power is only
removed after the machine has come
to a standstill.
Stop Category 2
Controlled stop, where power is still
fed to the machine at standstill.
Emergency operations and actions
EN 60204-1/11.98 has, harmonized
with HD 384 (IEC 60364; VDE 0100)
defined the following possible actions
for emergency situations (EN 60204-1
Annex D):
Action in an emergency situation
includes
individually, or a combination of:
- Stopping in an emergency situation
(EMERGENCY STOP);
- Starting in an emergency situation
(EMERGENCY START);
- Power-off in an emergency situation
(EMERGENCY SWITCHING-OFF);
- Power-on in an emergency situation
(EMERGENCY SWITCHING-ON).
According to EN 60204-1 and EN 418,
these functions are exclusively initi-
ated by a conscious manual interven-
tion.
In the following text, only “Power-off in
an emergency situation” and “stopping
in an emergency situation” will be
discussed. The latter fully corresponds
to the same terminology in the EC
Machinery Directive. For reasons of
simplicity, EMERGENCY SWITCHING-
OFF and EMERGENCY STOP will be
used in the following.
1
EMERGENCY SWITCHING-OFF
This is an intervention (action) in an
emergency situation, which discon-
nects power to a complete
system or installation or part of it,
if there is a risk of electric shock or
another risk caused by electricity
(from EN 60204-1 Annex D).
Functional aspects to disconnect the
power in an emergency situation are
defined in IEC 60364-4-46 (this is
identical to HD 384-4-46 and VDE 0100
Part 460).
Power must be disconnected in an
emergency situation, where
- Protection against direct contact
(e.g. with contact cables, slip ring
assemblies, switchgear in electrical
rooms) is only achieved by maintain-
ing a clearance or barrier;
- Other hazards or damage could occur
as a result of electric power.
Further, the following is specified in
9.2.5.4.3 of EN 60204-1:
In an emergency situation, the power
supply is disconnected from the
machine, which results in a Category 0
Stop.
If a Category 0 Stop is not permissible
for a machine, then it may be neces-
sary to provide other protection,
e.g. against direct contact, so that
power does not have to be discon-
nected in an emergency situation.
This means that EMERGENCY
SWITCHING-OFF should be used
where the risk analysis indicates a
hazard due to electric voltage/power
and therefore requires that the voltage
is immediately disconnected from the
complete machine.
Safety Integrated Application Manual Siemens AG 1/13
In the EC, EMERGENCY SWITCHING-
OFF devices fall under the Low-Voltage
Directive 73/23/EC if they are not used
in conjunction with machines. If they
are used in conjunction with machines,
then they come under the Machinery
Directive 98/37/EC as is true for all of
the other electrical equipment associ-
ated with a machine.
EMERGENCY STOP
This is an action, in an emergency
situation, which is defined to stop a
process or movement which would
otherwise have potentially hazardous
consequences (from EN 60204-1
Annex D).
Further, the following is defined in
9.2.5.4.2 of EN 60204-1:
Stop
In addition to the requirements for
Stop (refer to 9.2.5.3), the following
requirements apply for an emergency
stop:
– it must have priority over all other
functions and actions in all operating
modes;
– the power to the machine actuators,
which could cause a hazardous con-
dition or conditions must be discon-
nected as quickly as possible without
creating other hazards (e. g. using
mechanical stopping/braking devices,
which do not require an external
supply, by using counter-current
braking for Stop Category 1);
– resetting may not initiate a restart.
1/14 Safety Integrated Application Manual Siemens AG
Stopping in an emergency situation
must either be effective as a Stop, Cat-
egory 0 or Category 1 (refer to 9.2.2).
The Stop Category in an emergency
situation must be defined as the result
of the risk evaluation for the particular
machine.
To technically implement EMER-
GENCY STOP corresponding to
the recommended application
in the Foreword of EN 60204-1,
either the requirements specified
in EN 60204-1 or in EN 954 and
IEC 61508 can be applied.
EN 60204-1 primarily requires
that this is implemented using
electromechanical components,
as “basic” (programmable) elec-
tronic systems are not safe
enough. By correctly applying
EN 954 and, if required, IEC
61508, electronic and program-
mable electronic components
become functionally safe enough
that they can also be used to
implement EMERGENCY STOP for
all categories (German National
Foreword: “... this therefore clearly
states that electronic equipment
can also be used for EMERGENCY
STOP devices independent of the
Stop Category ...”).
Devices for EMERGENCY SWITCH-
ING-OFF and EMERGENCY STOP
Devices which are used to stop equip-
ment and machinery in an emergency
situation must be provided at every
operator control location and also at
other locations where it may be neces-
sary to initiate a stop in an emergency
situation (exception: operator control
stations which are not connected
through cables). In order to fulfill the
protective goals, specified in
EN 60204-1 as well as EN 418, the
following requirements apply for both
functions (also refer to 10.7 in
EN 60204-1):
• When contacts switch even with just
a brief actuation, the control device
must positively latch.
• It is not permissible that the machine
can be restarted from a remote main
operator control station without the
hazard or danger first having been
removed. The emergency off device
must be consciously released again
“locally”.
Operator control stations which are
connected without using cables must
have a dedicated and clearly identified
possibility of initiating the Stop
function of the machine. The operator
section, which initiates this stop
function, may not be marked or labeled
as a device to shut down the machine
in an emergency situation.
Implementing safety-related
functions
When implementing safety-related
control functions using programmable
electronic systems, the requirements
of EN 954 and IEC 61508 must be
fulfilled. When the requirements of
these standards are taken into
account, it is possible, to even imple-
ment complex functions by using
electronics and programmable elec-
tronic systems, for example, a fail-safe
SIMATIC or SINUMERIK. These
functions can then be implemented in
a safety-related fashion.
 1
Man – Machine Color Meaning Explanation Examples of application
In order to simplify the interaction RED Emergency Actuate in the event EMERGENCY STOP,
between man and machine, reference of a hazardous condi- Initiation of EMERGENCY STOP functions,
is made to Standards EN 60073 and tion or emergency conditional for STOP/OFF
DIN EN 60204. YELLOW Abnormal Actuate in the Intervention to suppress an abnormal
event of an condition,
Switches, pushbuttons and signaling abnormal Intervention to restart an interrupted
lamps are predominantly used as condition automatic cycle
machine components as the interface
GREEN Normal Actuate to START/ON,
between man and the machine. These initiate normal however WHITE should be
operator control elements are clearly conditions or preferably used
and uniformly identified using color normal status
coding, which has a very specific sig- BLUE Mandatory Actuate for a Reset function
nificance. This guarantees that the condition requiring
mandatory action
safety of operating personnel is
increased and it is easier to handle and WHITE No specific For general START/ON (preferred),
maintain the operating meaning initiation of functions STOP/OFF
assigned except for
resources/plants and systems. GREY EMERGENCY STOP START/ON,
(see STOP/OFF
The colors of pushbuttons, the signifi- note)
cance of these colors, explanations BLACK START/ON,
and application examples are shown in STOP/OFF (preferred)
Fig. 1/10. Note: Where a supplemental means of coding (e. g. shape, position, texture) is used for the
identification of pushbutton actuators, then the same color WHITE, GREY or BLACK may be
According to DIN EN 60204-1 used for various functions , e. g. WHITE for START/ON and for STOP/OFF actuators.
(VDE 0113 Part 1) the following
Fig. 1/10
information has to be observed: Colors for pushbuttons and their significance in accordance with EN 60204-1
The preferred colors for START/ON (VDE 0113 Part 1): 06.93
operator devices should be WHITE, Color Meaning Explanation Action by operator Examples of
GREY or BLACK - preferably WHITE. application
GREEN may be used, RED may not RED Emergency Hazardous condition Immediate action to Pressure/temperature
be used. deal with a hazardous outside safe limits,
condition (e.g. by voltage drop, voltage
RED must be used for EMERGENCY operating emergency interruption, passing
STOP devices.The colors for stop) through a stop posi-
tion
STOP/OFF operator control devices
should be BLACK, GREY or WHITE -
preferably BLACK. RED is also permit- YELLOW Abnormal Abnormal condition Monitoring and/or Pressure/ temperature
ted. It is not permissible to use Impending critical con- intervention (e.g. by outside normal opera-
GREEN. dition re-establishing the ting ranges
intended function) Tripping a protective
WHITE, GREY and BLACK are the pre- device
ferred colors for pushbuttons, which
can be used alternating as START/ON GREEN Normal Normal condition Optional Pressure/temperature
and STOP/OFF pushbuttons. It is not within the normal ope-
rating ranges, permis-
permissible to use RED, YELLOW or sive signal to continue
GREEN.
BLUE Mandatory Indication of a condition Mandatory action Prompt to enter
WHITE, GREY and BLACK are the that requires action by specified values
preferred colors for pushbutton control the operator
elements which initiate an operation
while they are being pressed and end WHITE Neutral Other conditions; may Monitoring General information
that operation when they are released be used whenever
doubt exists about the
(e. g. jogging). It is not permissible to application of RED,
use RED, YELLOW or GREEN. YELLOW, GREEN,
BLUE

Fig.1/11
Colors for indicator lamps and their significance in accordance with EN 60204-1
(VDE 0113 Part 1): 06.93
Safety Integrated Application Manual Siemens AG 1/15
GREEN is reserved for functions which
display a safe or normal operating con-
dition.
YELLOW is reserved for functions
which display an alarm or a non-stan-
dard (abnormal) condition.
BLUE is reserved for functions which
require a specific action.
Reset pushbuttons must be BLUE,
WHITE, GREY or BLACK. If they also
act as STOP/OFF pushbuttons, WHITE,
GREY or BLACK are permissible - but
preferably BLACK. It is not permissible
to use GREEN.
The colors of the indicating lamps,
their significance with reference to the
status of the machine as well as their
handling and application examples are
listed in Fig. 1/11.
For illuminated pushbuttons, the infor-
mation in Figs. 1/10 and 1/11 applies.
If problems are encountered when
assigning suitable colors, WHITE must
be used. For EMERGENCY STOP
devices, the color RED may not be
dependent on the illumination state of
the device.
Coding cables
The color coding of switches, pushbut-
tons and indicator lamps has been
discussed in the previous Section.
EN 60204 offers a higher degree of
flexibility when coding cables.
It specifies that, “
... cables at every
connection must be able to be identi-
fied in conformance with the technical
documentation...” .
1/16 Safety Integrated Application Manual Siemens AG
It is sufficient if terminals are num-
bered, corresponding to the informa-
tion in the circuit diagram if the cable
can be visually traced. For complex
controls, we recommend that the
internal cables used for wiring as well
as the outgoing cables are coded so
that after the cable has been discon-
nected from the terminal, it can be
easily re-connected to the same termi-
nal. This is also recommended for ter-
minal locations which have to be dis-
connected when the equipment is
transported.
Using the formulation in IEC 60204-1
1997, Paragraph 14.2.1 conductor core
coding/identification, the Standards
Committee wanted to make the fol-
lowing statement:
1. Each individual cable must be able
to be identified, however, only in
conjunction with the documenta-
tion. It is not necessary that every
cable can be identified without
using the documentation.
2. The type of coding and also the
identification technique should be
agreed between the manufacturer
and the owner/operating company.
It is not the intention of the Standard
to specify a specific coding type world-
wide. For instance, for safety reasons,
factory-internal specifications may
have a higher priority in order to avoid
confusion in specific areas which are
handled by the same personnel.
These definitions cannot be general-
ized due to the wide application range
of the particular Standard - from small
individual machines (high unit volume
standard products) up to large, com-
plex plants (with unique equipment
and systems).
Primarily, appropriate testing should be
used to avoid installation/assembly
faults.
Instead of many different colors, a
single color can be used for the inter-
nal wiring. It should be color-coded as
follows:
• Black for
Main AC and DC circuits
• Red for
AC control circuits
• Blue for
DC control circuits
• Orange for
Interlocking circuits which are sup-
plied from an external power source.
The above color assignment is recom-
mended if a decision is made to just
use color coding. The only mandatory
specification is the color coding of the
protective conductor and the neutral
conductor. For all other cabling and
wiring, one of the methods listed in
14.2.4 can be selected (color, numbers
or letters; or a combination of colors
and numbers or colors and letters).
Protective conductor marking
The protective conductor must be able
to be uniquely identified as a result of
its shape, location, coding or color. If it
is only identified as a result of its color,
then a two color-combination of
green/yellow must be used along the
whole length of the cable. The
green/yellow color may only be used
for protective conductors.
Neutral conductor marking
If a circuit has a color-coded neutral
conductor, then light blue must be
used. Light blue may not be used to
code other cables if there is a danger
of accidentally interchanging them.
If a neutral conductor is not used, a
light-blue conductor may be used for
other purposes, but not as protective
conductor.

1.2.4 Process technology
in Europe
Legislative
requirements in Europe
For process technology, essentially the
following EC Directives must be
applied:
• Council Directive 96/82/EC from the
9th of December 1996 on the control
of major accident hazards involving
dangerous substances (“Seveso
Directive” II).
• Low-Voltage Directive
• Machinery Directive (98/37/EC)
• Pressure Equipment Directive
(97/23/EC). The latter is only relevant
in so much that the devices used
must fulfill this directive. “The Direc-
tive on the other hand does not apply
for assembling devices at the user's
plant, for example, in industrial sys-
tems under his responsibility.”
At the same time, the Health and
Safety at Work and Accident Preven-
tion Regulations must always be care-
fully observed and adhered to.
“Seveso Directive”
This EC Directive specifies, corre-
sponding to the principles explained in
the introduction, the safety goal,
⇒“
... preserving and protecting the
quality of the environment, and pro-
tecting human health through pre-
ventive action.”
In order to achieve this goal, the follow-
ing basic requirements have been
drawn-up, which the Member States
must ensure are fulfilled.
1
⇒ Concept to prevent ⇒ Inspection
severe accidents
The regulatory bodies must set
The owner/operating company is up a system of inspections to system-
responsible for “… drawing-up a docu- atically check the operational, organiza-
ment setting-out his major accident tional and management-specific sys-
prevention policy and appropriate steps tems of the operation which will allow
to ensure that it is properly imple- these regulatory bodes to confirm that
mented. The major accident prevention the user/operating company can prove
policy established by the owner/operat-
• that he has undertake measures to
ing company shall be designed to guar-
prevent severe accidents,
antee a high level of protection for man
and the environment by applying appro- • he has provided adequate measures
priate means, structures and manage- to limit the results of any accidents.
ment systems” (Article 7 Paragraph 1).
This EC Directive must be nationally
The document must also take into implemented.
account . the following basic principles: In Germany, this is realized using
the fault case regulations.
• The concept to prevent severe
accidents must be in written form. Note: The “Seveso Directive” is not a
Directive of the “New Approach." This
• A safety management system in
means that it cannot be automatically
which, among others, the following
assumed that the goals of the Direc-
issues are regulated:
tive are fulfilled if the harmonized Stan-
– determining an evaluating the risks dards are applied. The exact require-
– defining and applying techniques ments are regulated at a national level.
to systematically determine haz-
ards.
– operation monitoring – defining and
applying techniques for safe opera-
tion, including the maintenance and
service of the plants and systems.
– quality assurance – defining and
applying techniques to continu-
ously ensure that the goals are
achieved.
⇒ Safety report
The owner/operating company is
responsible in generating a safety
report, in which the following is
defined,
• that a concept.... has been imple-
mented,
• that the hazards have been identified
and all of the required measures to
prevent these types of accidents and
limit the impact for man and the envi-
ronment have been put in place, and
• the implementation, building/con-
struction, installation and operation
of all plant and systems, ... is ade-
quately safe and reliable.
Safety Integrated Application Manual Siemens AG 1/17
Technical measures to ful- These standards will lose their validity
in 08.2004 due to the ratification of
fill legislative goals EN 61508. EN 61508 should then be
The first priority is to design the applied. The specific standard for the
process so that it is inherently safe. process industry is IEC 61511 “Func-
Where this is not possible, as a result tional safety: Safety instrumented sys-
of the process, then additional mea- tems for the process industry sector”
sures are required in order to reduce which was finally decided by vote in
the remaining risk to a tolerable level. 2002. IEC 61511 defines the require-
This can be realized using electronic ments of EN/IEC 61508, specifically
controllers if these are suitable for the for the process industry.
particular task. Electronic controllers
Beyond this, additional Standards
are suitable for securing the safety of
apply for the devices and equipment
the plant, if they have been specifically
used. These Standards involve the spe-
designed for this purpose. The require-
cific safety requirements. Also refer to
ments are described in the Standards.
Chapter Safety of Machinery (refer to
Chapter 1.2).
Relevant Standards for safety
measures using process control
technology
For safety measures using process
control technology, for example in
Germany, the following national
standards have been applied, so far.
• DIN V 19250 “Basic safety
issues for control and
instrumentation protective devices”
• DIN V 19251 “Instrumentation and
control protective devices - require-
ments and measures for safety-
related functioning”
• DIN V VDE 0801 “Basic rules for com-
puters in systems with safety-related
tasks”.

1/18 Safety Integrated Application Manual Siemens AG

 1
Reducing risks when using process
control technology
Prevention Mitigation
Measures are required to reduce risks,
if faults or disturbances in the basic
Safety instrumented Safety instrumented
prevention system mitigation system process control system and monitoring
devices can lead to a dangerous event
or can cause the plant or system to go
Safety-related into a hazardous condition and if the
resulting risk is unacceptably high.
Non-safety-relevant In this case, suitable protective mea-
sures must be taken, either to suffi-
Basic Process ciently reduce the probability of a haz-
Monitoring systems ardous event occurring, or to reduce
the extent of the damage. This can be
achieved using process control protec-
Basic Process tive equipment and systems if these
Control systems
fulfill the safety requirements.

Risk reduction
Fig. 1/12
Arrangement of process control systems in safety-related/non-safety-related configurations As it is not possible to completely
exclude certain risks - both from a
technical and cost-effective standpoint
- it is necessary not only to determine
the existing risk, but also to define and
Residual Tolerable EUC*
risk risk risk specify a risk which can be tolerated.
The measure for the safety integrity of
the risk-reducing functions is then
derived from the difference between
these two factors. EN 61508 defines
Increasing
Necessary risk reduction “Safety Integrity Level” (SIL) as a tar-
risk
get measure for the probability of fail-
ure when executing risk-reducing func-
Actual risk reduction
tions.

Risk reduction achieved by all safety-related systems

and e.g. organizational measures

Partial risk Partial risk Partial risk

covered by covered by covered by
other technol- electronic external risk
ogies and electrical reduction
(mechanical, safety-related facilities
optical etc.) systems

* Equipment under control

Fig. 1/13
Principle of risk reduction (acc. to IEC 61508)

Safety Integrated Application Manual Siemens AG 1/19

 Safety High demand or continuous
Integrity mode of operation
Level (probability of a
dangerous failure per hour)
4 ≥ 10-9 to < 10-8
3 ≥ 10-8 to < 10-7
2 ≥ 10-7 to < 10-6
1 ≥ 10-6 to < 10-5
Fig.1/14
Safety Integrity levels according to IEC 61508: Target failure measure for a safety function,
allocated to a safety-related system
Selecting the equipment
and basics of the required
features
Safety function
Risk reduction using electronic con-
trollers is realized by defining functions
for each possible hazardous event or
each possible dangerous condition of
the plant or system, which prevents
the dangerous event occurring. These
so-called “safety functions” are to
maintain the plant or system in a safe
state or to re-establish this safe state
if a dangerous event could occur due
to a failure or a disturbance in the
plant or system. This means that the
safety function can also be used to
reduce the extent of the damage due
to a hazardous event.
The definition of a safety function
always includes the specification of
the function itself (e. g. inhibiting the
feed to a container, if the level has
reached the upper limit), and the
“Safety Integrity (SIL)”, derived from
the risk analysis.
Implementing the safety functions
Every safety function always includes
the complete chain, from information
acquisition, through information evalua-
tion up to executing the required
action.
1/20 Safety Integrated Application Manual Siemens AG
Low demand mode of operation
(average probability of failure to perform
its design function on demand)
≥ 10-5 to < 10-4
≥ 10-4 to < 10-3
≥ 10-3 to < 10-2
≥ 10-2 to < 10-1
The equipment involved, for example,
fail-safe PLCs, sensors and actuators
etc. must fulfill, as a total, the deter-
mined SIL.
If a device is used at the same time for
various safety functions, it must fulfill
the highest SIL of the individual func-
tions.
Device characteristics and features
If PLCs are used for information pro-
cessing, these must fulfill as “safety
PLC”, the requirements of the relevant
Standards (i.e. IEC 61508), and fulfill
the specified SIL. They must also be
certified by an independent tester. The
essential characteristics and features
of a fail-safe PLC which are specified
by the standards are:
• When developing, manufacturing and
servicing, specific measures and
techniques must be applied so that
systematic faults can be avoided.
• The PLC must be able to control sys-
tematic failures which occur during
operation.
• The PLC must detect random hard-
ware failures during operation and
be able to control them.
Evaluation
Sensor Actuator
unit
Acquire Evaluate Execute
information information action
Safety function
Fig. 1/15
Evaluation unit, e.g. safety PLC
• To be able to control a failure means
that when the system detects a fault
or failure, the safety function, defined
for this particular case (e. g. shut
down the plant) is reliably executed.
Similar requirements also apply for
complex field devices. Details on this
are described in IEC 61511.
Application
When using a fail-safe PLC, only the
conditions defined in the associated
Safety Manual, and, if relevant, addi-
tional conditions of the certificate,
must be maintained.
In addition, for the peripheral devices
which are to be connected (e.g. sen-
sors and actuators), the requirements
in the Standards (IEC 61508 or IEC
61511) must also be taken into account
regarding the following aspects:
• Systematic faults must be avoided,
e. g. configuring, installation and
handling faults.
• Random faults or failures must be
detected and controlled.
• Necessary fault tolerance. This
depends on the proportion of faults
which go towards a safe condition.
• Required service/maintenance
(repeated tests).

“Safe”
failure fraction
0 (refer to Note 3)
< 60% not permissible
90% SIL 1
99% SIL 2
≥ 99% SIL 3
Note 2: Hardware fault tolerance is the maximum number of faults, as a result of random
hardware failures, which can occur without resulting in a hazardous failure.
Note 3: A hardware fault tolerance of zero means that a single fault can result in a haz-
ardous failure.
IEC 61508 defines the maximum per-
missible SIL as a function of its fault
tolerance and the safe failure fraction
(also refer to Fig. 1/17). (“Safe failure”
means all those failures where the sys-
tem remains in a safe condition). This
can be achieved using fault detection
and a defined response to the fault. A
required response must be performed
within a suitably short time. These
times are specified in IEC 61508-2.
In order to detect faults or failures in
peripheral devices, test and monitor
functions can be integrated into the
safety PLC.
When using complex peripheral
devices (e.g. transmitters with micro-
processor), it must be ensured that
these devices themselves fulfill the
relevant Standards (EN 61508 or IEC
61511).
The complete safety-instrumented sys-
tem must be configured so that it ful-
fills the relevant standards for all of the
safety-relevant functions. EN 61508 or
IEC 61511 are relevant regarding func-
tional safety.
Hardware fault tolerance
(refer to Note 2)
1 2
SIL 1 SIL 2
SIL 2 SIL 3
SIL 3 SIL 4
SIL 4 SIL 4
1.2.5 Furnace systems
in Europe
EC Directives
Furnaces and burners are subject to
the relevant Directives as a result of
their application and the devices and
equipment which are used (e.g. Machi-
nery Directive, Pressured Equipment
Directive (...), Directive for gas burners
(90/396/EEC)).There are no specific EC
Directives for furnace systems. Fur-
naces are subject, where relevant, to
application-specific Directives. Indus-
trial thermo-processing equipment is,
for example, classified as machinery
under the Machinery Directive.
Standards
Industrial thermo-processing equip-
ment and systems
There is a European draft standard for
these systems, which was drawn-up
under a mandate of the Machinery
Directive, and more precisely EN 746
“Industrial thermo-processing equip-
ment” with
Part 1: General safety requirements
of industrial thermo-processing
equipment
Part 2: Safety requirements for com-
bustion and fuel handling sys-
tems.
1
Fig. 1/16
Maximum permissible SIL for complex sub-
systems, dependent on their fault tolerance
and the “safe failure fraction” (acc. to IEC
61508-2)
EN 746 can be applied to industrial
thermal-processing equipment, for
example
• Metal producing and processing
plants,
• Glassworks,
• Ceramic plants,
• Cement, lime and gypsum plants,
• Chemical plants,
• Incinerators etc.
This refers to EN 60204-1 and
EN 954-1 and for safety-relevant elec-
tronic systems, also to IEC 61508.
Furnaces
For furnaces which do not belong to
industrial thermal-processing equip-
ment and are not used to heat process
liquids and gases in the chemical
industry, there are the following gen-
eral Standards for electrical equipment
- the European Draft Standard.
• EN 50156 “Electrical equipment for
furnaces Part 1: Requirements for
application design and installation”
And the German Standard
• DIN VDE 0116 “Electrical equipment
for furnaces.”
The following standards are presently
in force for burners
• EN 676 gas burners;
• EN 230 oil vapor burner in a
monoblock design;
• EN 267 oil burner;
• EN 298 automation equipment for
furnaces for gas burners and bas
units with and without blower.
Safety Integrated Application Manual Siemens AG 1/21
1.3 Legal Requirements and Standards
Regarding Safety at Work in the US
Note: The following information is only
intended to provide an overview of the
general principles and basic require-
ments. It may not be considered as a
complete description of the situation.
The reader of this document must, in
addition, inform himself about the pre-
cise requirements as well as the
domestic and local regulations for his
particular application.
A significant difference between the
legal requirements for Safety at Work
between the US and Europe is that in
the US there is no unified legislation,
across the US, which is applicable for
the safety of machines, and which fully
covers the responsibility of the manu-
facturer/supplier. In fact, there is a gen-
eral requirement that the employer
provides a safe place of work. This is
regulated with the Occupational Safety
and Health Act (OSHA) of 1970. The
core requirements of OSHA are listed
in Section 5 “Duties”:
(a) Each employer --
(1) shall furnish to each of his
employees employment and
a place of employment
which are free from recognized
hazards that are causing or are
likely to cause death or serious
physical harm to his employees;
(2) shall comply with occupational
safety and health standards
promulgated under this Act.
1/22 Safety Integrated Application Manual Siemens AG
The requirements from the OSH Act
are administered and managed by the
Occupational Safety and Health Admin-
istration (also called OSHA). OSHA
uses regional inspectors which check
whether the workplace (places of
employment) fulfill the applicable regu-
lations.
The regulations, relevant for safety at
work of the OSHA are defined and
described in OSHA 29 CFR 1910.xxx
(“OSHA Regulations (29 CFR) PART
1910 Occupational Safety and
Health”). (CFR: Code of Federal Regu-
lations).
Also refer to www.osha.gov.
The following is stated at the begin-
ning of the regulations for the Safety
and Health Program (29 CFR 1900.1):
“(b)(1)What are the employer's basic
obligations under the rule?
Each employer must set up a
safety and health program to
manage workplace safety and
health to reduce injuries, ill-
nesses and fatalities by syste-
matically achieving compliance
with OSHA standards and the
General Duty Clause.”
And later
"(e) Hazard prevention and control.
(e)(1) What is the employer's basic
obligation? The employer's
basic obligation is to systemati-
cally comply with the hazard
prevention and control require-
ments of the General Duty
Clause and OSHA standards.
(e)(2) If it is not possible for the
employer to comply immedia-
tely, what must the employer
do? The employer must develop
a plan for coming into compli-
ance as promptly as possible,
which includes setting priorities
and deadlines and tracking pro-
gress in controlling hazards.
Note: Any hazard identified by
the employer's hazard identifi-
cation and assessment process
that is covered by an OSHA
standard or the General Duty
Clause must be controlled as
required by that standard or
that clause, as appropriate."
The application and use of various
Standards is regulated in 29 CFR
1910.5 “Applicability of standards.” The
concept is similar to that in Europe.
Product-specific standards have prior-
ity over general standards as long as
the associated aspects are actually
handled there. When the standards are
fulfilled, the employer can assume that
he has fulfilled the core requirements
of the OSH Act regarding the aspects
actually handled in the standard.
1910.5 (f) “An employer who is in
compliance with any standard
in this part shall be deemed to
be in compliance with the
requirement of section 5(a)(1)
of the Act, but only to the
extent of the condition, prac-
tice, means, method, operation,
or process covered by the
standard.”

1.3.1 Machine safety
Minimum requirements of the
OSHA
The OSHA Regulations under 29 CFR
1910 include general requirements for
machines and machinery (1910.121)
and a series of specific requirements
for certain types of machines. The
requirements specified are extremely
specific but have little technical detail.
Excerpt from 29 CFR 1910.212 “Gen-
eral requirements for all machines”:
"(a)(1)
Types of guarding. One or more meth-
ods of machine guarding shall be pro-
vided to protect the operator and other
employees in the machine area from
hazards such as those created by point
of operation, ingoing nip points, rotat-
ing parts, flying chips and sparks.
Examples of guarding methods are
barrier guards, two-hand tripping
devices, electronic safety devices, etc."
An example for the requirements
placed on the control of presses is
the following excerpt from 29 CFR
1910.217 “Mechanical Power
Presses”:
"(b)(13)
Control reliability. When required by
paragraph (c)(5) of this section, the
control system shall be constructed so
that a failure within the system does
not prevent the normal stopping action
from being applied to the press when
required, but does prevent initiation of
a successive stroke until the failure is
corrected. The failure shall be
detectable by a simple test, or indi-
cated by the control system. This
requirement does not apply to those
elements of the control system which
have no effect on the protection
against point of operation injuries."
"(h)(6)(xvii)
Controls with internally stored pro-
grams (e.g., mechanical, electro-
mechanical, or electronic) shall meet
the requirements of paragraph (b)(13)
of this section, and shall default to a
predetermined safe condition in the
event of any single failure within the
system. Programmable controllers
which meet the requirements for con-
trols with internally stored programs
stated above shall be permitted only if
all logic elements affecting the safety
system and point of operation safety
are internally stored and protected in
such a manner that they cannot be
altered or manipulated by the user to
an unsafe condition."
The OSHA regulations define mini-
mum requirements to guarantee safe
places of employment. However, they
should not prevent employers from
applying innovative methods and tech-
niques, e.g. “state of the art” protec-
tive systems in order to maximize the
safety for employees.
(Refer to, for example: www.osha.gov/
...Standard Interpretations ...
06/05/2001 - Use of Electro Sensitive
Protection Equipment ...)
For specific applications, OSHA speci-
fies that all of the electrical devices
and equipment, which are used to pro-
tect the employee, are authorized for
the application by a nationally recog-
nized testing laboratory (NRTL) which
has been authorized by OSHA
(For example, refer to: www.osha.gov/
...Standard Interpretations ...
08/11/1994 - Presence sensing devices
(PSDs) for power presses.: “...OSHA
requires that all electrical products
used by employees must be treated
and approved for their intended use by
an OSHA Approved Nationally Recog-
nized Testing Laboratory (NRTL)....”).
Application and use of additional
standards
In addition to OSHA Regulations, it is
just as important to carefully observe
the current standards of organizations
such as NFPA and ANSI as well as the
extensive product liability legislation
which is in force in the US. As a result
of the product liability, it is in the inter-
ests of the manufacturers and operat-
1
ing companies to carefully observe and
maintain the regulations and are more
or less forced to fulfill the state-of-the-
art technology requirement".
Third-party insurance contracts gener-
ally demand that the parties fulfill the
applicable standards of the standard-
ization organizations. Companies who
are self-insured initially do not have
this requirement. However, in the case
of an accident, they must prove that
they had applied generally recognized
safety principles.
NPFA 70 (known as the National Elec-
tric Code (NEC)) and NFPA 79 (Electri-
cal Standard for Industrial Machinery)
are two especially important standards
regarding safety in industry. Both of
these describe the basic requirements
placed on the features and the imple-
mentation of electrical equipment. The
National Electric Code (NFPA 70) pre-
dominantly applies to buildings, but
also for the electrical connections from
machines and parts of machines.
NFPA 79 applies to machines. This
results in a grey area (somewhat unde-
fined) in the demarcation between
both standards for large machines and
machinery which comprise partial
machines. For instance, large conveyor
systems can be considered to be part
of the building so that NFPA 70 and/or
NFPA 79 should be applied.
NFPA 79
This standard is valid for the electrical
equipment of industrial machines with
rated voltages less than 600V. (A group
of machines, which operate together in
a coordinated fashion, is considered as
a machine.)
The new Edition of NFPA 79 - 2002
includes some basic requirements for
programmable electronics and buses if
these are used to execute safety-rele-
vant functions. If these requirements
are fulfilled, electronic controls and
buses can also be utilized for Emer-
gency Stop functions of Stop Cate-
gories 0 and 1 (refer to NFPA 79 - 2002
9.2.5.4.1.4). Contrary to EN 60204-1,
NFPA 79 specifies that, for Emergency
Stop functions, the electrical power
Safety Integrated Application Manual Siemens AG 1/23
must be disconnected using electro-
mechanical devices.
The core requirements placed on
programmable electronics and buses
include:
System requirements
(refer to NFPA 79 - 2002 9.4.3)
• Control systems, which must contain
software-based controllers,
(1) if a single fault/error occurs,
- the system must be shutdown and
brought into a safe state
- restart must be prevented until the
fault has been removed
- Unexpected starting must be
prevented
(2) must offer a comparable degree of
protection to hard-wired control
systems
(3) must be implemented in accord-
ance with a recognized Standard
which defines the requirements
for such systems.
In a Note, it is stated that
IEC 61508 is a suitable standard.
Requirements placed on programma-
ble equipment and devices (refer to
NFPA 79 - 2002 11.3.4)
• Software and firmware-based con-
trollers, which are used for safety-rel-
evant functions, must be listed for
such an application (this means, certi-
fied by an NRTL).
In a Note, a statement is made that
IEC 61508 specifies the requirements
to design such controllers.
ANSI B11
There is a series of additional stan-
dards on safety in industry, specified
under ANSI B11, which offer additional
instructions to achieve the required
degree of safety.
1/24 Siemens AG Safety Integrated Application Manual
OSHA provides guidelines on this
1.3.2 Process industry with: CPL 2-2.45A "Process Safety
Management of Highly Hazardous
Chemicals-- Compliance Guidelines
The basic safety requirements of the and Enforcement Procedures.
OSHA for the process industry are
OSHA demands that the process
defined in OSHA's Process Safety
instrumentation is implemented in
Management of Highly Hazardous
accordance with generally accepted
Chemicals, Explosives and Blasting
“good engineering practice.” With a
Agents Standard (PSM),
letter, dated March 2000, OSHA clari-
29 CFR 1910.119.
fied an inquiry from ISA, that
(Refer to www.osha.gov ).
ANSI/ISA 84.01 is a standard which
Excerpt from 29 CFR 1910.119: is applicable nationwide and which
OSHA recognizes as generally
Purpose. This section contains
accepted “good engineering prac-
requirements for preventing or mini-
tice.” However, in the same letter,
mizing the consequences of cata-
OSHA clearly stated that ISA 84.01
strophic releases of toxic, reactive,
is not the only standard which is
flammable, or explosive chemicals.
considered when fulfilling the
These releases may result in toxic,
requirements of 1910.119 (PSM).
fire or explosion hazards.
CFR 1910.119 doesn't clearly state
Section (d) with its sub-sections con-
whether the requirements refer to
tains the basic requirements placed
the complete instrumentation. Two
on process instrumentation.
types of instrumentation are gener-
1910.119(d) ally used in the process industry.
“Safety Instrumented Systems” (SIS)
Process safety information. ... the
and “Basic Process Control System”
employer shall complete a compila-
(BPCS). ANSI/ISA 91.01 defines that
tion of written process safety infor-
only the SIS is to be handled under
mation ... This process safety infor-
the OSHA regulations.
mation shall include information
pertaining to the hazards of the IEC 61511 “Functional safety: Safety
highly hazardous chemicals used or Instrumented Systems for the
produced by the process, information process industry sector” is the IEC
pertaining to the technology of the standard with the same scope as ISA
process, and information pertaining 84.01. It was developed with signifi-
to the equipment in the process. cant ISA participation and contains
the same principles as ISA 84.01.
1910.119(d)(3)
A large proportion of processes falls
Information pertaining to the
within the scope of ISA 84.01, but
equipment in the process.
does not formally fall under 29 CFR
1910.119(d)(3)(i)(F) 1910.119 (PSM). Also in this case, the
Standard should be applied in order
Design codes and standards
not to violate the basic requirements
employed;
of the “Duties” section of the Occu-
1910.119(d)(3)(ii) pational Safety and Health Act
(OSHA).
The employer shall document
that equipment complies
with recognized and generally
accepted good engineering
practices.
1.4 Safety Requirements for Machines in Japan
For applications in Japan
The situation in Japan is different than
in Europe and the US. Comparable
legal requirements regarding functional
safety, which exist in Europe, do not
apply here. The product liability does
not play such a role as in the US.
There is no legal requirement to apply
standards, however, an administrative
recommendation to apply JIS (Japan-
ese Industrial Standards):
Japan bases its standards on the Euro-
pean concept and has included basic
standards as national standards (refer
to the Table))
1
For machinery OEMs and users
operating worldwide
Machinery OEMs who do a lot of
export business are extremely inter-
ested in fulfilling European and Ameri-
can requirements, so that their prod-
ucts fulfill the requirements and
specifications of the various target
markets. Companies with globally dis-
tributed production facilities also align
themselves to the European and
American requirements in order to
have, as far as possible, standard
safety concepts in all of their plants.

ISO/IEC number JIS number Note

ISO12100-1 (EN292-1) TR B 0008 JIS number will be given after ISO12100-1 is

approved as IS
ISO12100-2 (EN292-2) TR B 0009 JIS number will be given after ISO12100-2 is
approved as IS
ISO14121 (EN1050) JIS B 9702
ISO13849-1 (EN954-1) JIS B 9705-1
IEC60204-1 JIS B 9960-1
IEC1508-1 to 7 JIS C 0508

Siemens AG Safety Integrated Application Manual 1/25