Taking a long term view of machinery safety

David Collier, business development manager at Pilz Automation Technology, explains why machine builders should resist the temptation to save money in the short term by using Category 2 architecture on machine guard safety circuits that require Performance Level d (PLd)

Users of electromechanical safety components on machine guards should carefully consider the onerous test requirements of Category 2 in EN ISO 13849-1 at the design stage, particularly when seeking to achieve Performance Level d (PLd). Incorporating Category 2 architectures into PLd systems without taking these test requirements into due consideration may introduce systematic failures and associated loss of production or additional expense once the machine has been installed.

If, after a machine has been designed, built, supplied and commissioned, it is then decided to convert from a Category 2 architecture to Category 3 or 4, this may prove difficult or impossible: additional components must be fitted to the machine, and new in-panel devices must be mounted to step from single- to dual-channel architecture.

Under EN 954-1 (withdrawn at the end of 2011) the ‘Category’ of the control system was used as the basis for constructing the safety-related control functions. With the increasing uptake of EN ISO 13849-1, however, the term ‘Category’ has been superseded by ‘Performance Level’ (PL).

In addition to the factors taken into account by Categories, Performance Levels also consider the reliability of the individual components and of the combination of components in a safety-related control system (expressed as the ‘mean time to dangerous failure’, MTTFd, or the ‘probability of failures per hour’, PFH). These reliability data are used to evaluate the availability of a safety function over time. The behaviour of the safety function in the presence of faults is still dictated by the Category, which is now also referred to as the architecture or structure.

In EN ISO 13849-1, PL is achieved by a combination of Category, MTTFd and diagnostic coverage (DC). According to Figure 5 in the standard, PLd is still achievable using Category 3 architecture, but also by using Category 2 (so long as the MTTFd is high and there is at least a low level of diagnostic coverage). It may be very tempting to try to use Category 2, single-channel architecture to achieve PLd to save component cost and panel space.

A central factor in Category 2 is checking the safety function (not increased reliability): an increased check frequency decreases the probability of a dangerous situation - in other words, testing reduces the probability of continued operation in the presence of a fault. Within the simplified procedure in EN ISO 13849-1, the check in Category 2 must occur at start-up and then periodically, and it is assumed that the check frequency equates to at least 100 tests for every demand on the safety function (clause 4.5.4 of EN ISO 13849-1, where for Category 2 ‘demand rate <1/100 test rate’). This test rate is a quantitative factor additional to anything given in EN 954-1. It means that designers who claim PLd using Category 2 architecture are assuming that the safety function will be tested at least 100 times between demands upon it.

Practical considerations

It is difficult to see how users are going to manage this test frequency in machine applications on anything other than a dynamically self-tested OSSD (Output Signal Switching Device, i.e. a solid-state safety output) on a Type 4 light curtain, or in very low demand applications such as infrequently used emergency stops. For electromechanical devices on guards (such as tongue-actuated interlock switches, limit switches and magnetic safety switches), testing means actuation (i.e. opening and closing the guard) at least 100 times between each functional need to open the guard. At best this is inconvenient because it impedes productivity; at worst it is impossible because of the high demand already placed upon the safety function. Imagine having to test a guard door 100 times within a two-minute production cycle - it simply isn’t practical!

Lastly, consider the implication of frequent testing of electromechanical devices in terms of component wear and tear. MTTFd for an electromechanical component such as a safety interlock switch or contactor is dependent upon the number of operations per year (nop) and the component’s B10d (the expected number of cycles until 10 per cent of the components have failed dangerously). Component-specific B10d data are normally available from the manufacturer; generic data can be found in table C.1 of EN ISO 13849-1.

The stress placed upon the components through testing would be 100 times greater than that placed upon them due to the demand of the safety function, and the increased number of operations would at least reduce MTTFd (and potentially the PL). Moreover, the components might fail very early in the guard’s life, resulting in lost production and additional expense resulting from the need to replace the safety components repeatedly.
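The following is an added worked example, not from the article or from Pilz, putting numbers on the two points above: the Category 2 test-rate assumption and the effect of the extra actuations on MTTFd. It uses the Annex C formulas of EN ISO 13849-1 (nop = dop × hop × 3600 / tcycle and MTTFd = B10d / (0.1 × nop)); the 100-year per-channel cap, the MTTFd bands, and all input values (cycle time, operating hours, B10d) are constructed sample assumptions, not manufacturer data.

```python
# Added illustration (not from the article): how the Category 2 test-rate
# assumption of EN ISO 13849-1 feeds into the MTTFd of an electromechanical
# guard interlock. Formulas follow Annex C of the standard:
#   n_op  = d_op * h_op * 3600 / t_cycle
#   MTTFd = B10d / (0.1 * n_op)
# All input values below are constructed sample values, not manufacturer data.

TESTS_PER_DEMAND = 100   # clause 4.5.4: demand rate < 1/100 test rate for Cat 2
MTTFD_CAP_YEARS = 100    # assumed per-channel cap of the simplified procedure


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Annual operations: days/year * hours/day * 3600 / cycle time in seconds."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_years(b10d: float, n_op_per_year: float) -> float:
    """MTTFd of one component from its B10d and annual operation count, capped."""
    return min(b10d / (0.1 * n_op_per_year), MTTFD_CAP_YEARS)


def mttfd_band(mttfd: float) -> str:
    """Classify MTTFd into the standard's bands (below 3 years is not permitted)."""
    if mttfd < 3:
        return "not permitted"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def cat2_test_rate_ok(demands_per_hour: float, tests_per_hour: float) -> bool:
    """True when the Category 2 simplified-procedure assumption holds."""
    return tests_per_hour >= TESTS_PER_DEMAND * demands_per_hour


def guard_interlock_comparison(b10d: float, d_op: float, h_op: float, t_cycle_s: float) -> dict:
    """Compare MTTFd when the guard is opened only on demand versus when every
    demand is preceded by TESTS_PER_DEMAND test actuations of the same switch."""
    demands = n_op(d_op, h_op, t_cycle_s)
    with_tests = demands * (1 + TESTS_PER_DEMAND)
    m_plain, m_tested = mttfd_years(b10d, demands), mttfd_years(b10d, with_tests)
    return {"n_op_demand_only": demands, "n_op_with_tests": with_tests,
            "mttfd_demand_only": m_plain, "band_demand_only": mttfd_band(m_plain),
            "mttfd_with_tests": m_tested, "band_with_tests": mttfd_band(m_tested)}


if __name__ == "__main__":
    # Constructed scenario: guard opened once per 120 s cycle, 16 h/day, 220 days/year,
    # tongue interlock with an assumed B10d of 2,000,000 cycles.
    for k, v in guard_interlock_comparison(2_000_000, 220, 16, 120).items():
        print(f"{k}: {v}")
```

With these assumed figures the switch sits comfortably in the ‘high’ MTTFd band when it only sees the production demands, but the 100 test actuations per cycle push its MTTFd below the 3-year floor, so no PL could be claimed for it at all.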

It is therefore more practical and commonplace to achieve PLd using Category 3 or 4, dual-channel architectures, because these will improve reliability through hardware fault tolerance (without a highly frequent periodic test cycle) as well as ‘automatic’ diagnostic coverage within the system.
