Overview of the main safety requirements and functional characteristics of the 5 categories

The categories reflect what is already happening in the industrial machinery world. Most of the controls implemented can be reduced to a limited number of safety control types. That means:

  • Untested single-channel systems based on component reliability (fault avoidance)
  • Single-channel systems with testing (the fault is detected by testing)
  • Dual-channel systems with self-diagnosis (the fault is detected by self-diagnosis)
  • Dual-channel systems with high-quality self-diagnosis (even multiple faults are detected)

NOTE: The lines and arrows in the following figures represent logical, functional, and diagnostic interconnections.

Category B

Fault tolerance = 0

  • PLmax = b
  • DC = 0
  • MTTFD = from low to medium
  • Use of basic safety principles (components must withstand the expected
    operating stresses)

Single channel without diagnostic

Category 1

Fault tolerance = 0

  • PLmax = c
  • DC = 0
  • MTTFD = high
  • Use of basic safety principles and “well tried” safety principles;
    use of “well tried” components; no complex components (PLC, ASIC).

Single channel without diagnostic

NOTE: A “well tried component” is a component that has been:
  • widely used in the past with positive results in similar applications;
  • built and verified using principles that demonstrate its suitability, reliability and robustness for safety-related applications.
Whether a component qualifies as well tried depends on its application. For example, a position switch with open contacts can be well tried for a machine tool and at the same time inappropriate for an application in the food industry.

Category 2

Fault tolerance = 0

  • PLmax = c
  • DC = from low to medium
  • MTTFD = from low to medium (functional channel components only)
  • The MTTFD of the test equipment (TE) must be at least half the MTTFD of the functional channel.
    If this is not the case, the MTTFD of the functional channel must be downgraded.
  • Use of basic safety principles
  • Use of “well tried” safety principles

Single channel with diagnostic

The test must not create a dangerous situation (e.g. an increase in the response time).
The safety function must be tested at least at start-up and before a dangerous condition can occur (starting a new cycle). The frequency of the functional channel test must be at least 100 times higher than the request rate of the safety function.

For ratios greater than 25 and less than 100 it is possible to use the PFHD values (shown in Table K.1 for Cat. 2) multiplied by a factor of 1.1.

The test can also be performed at the same time as the safety function request, but the overall time to detect the fault and to bring the machine to a safe condition (usually the machine is stopped) must be shorter than the time taken by a person to reach the dangerous point.

For PLr = a up to PLr = c, when it is not possible to initiate a safe state upon detection of the fault (for example because a contact in the output device has welded), it may be sufficient that the OTE (output of the test equipment) only provides a warning signal.
For PLr = d, the OTE must initiate a safe state which is maintained until the fault is cleared.
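The Category 2 rules above (test rate at least 100 times the request rate, the factor 1.1 for ratios between 25 and 100, TE MTTFD at least half the channel MTTFD, and detection plus stopping before a person can reach the dangerous point) lend themselves to a plausibility check at design time. The following is an added example, not part of the original text; it assumes rates per hour, MTTFD in years and PFHD per hour, and only flags the channel downgrade because the text gives no formula for it.

```python
# Added example: plausibility checks for a Category 2 design based on the
# rules stated above. Assumptions (not from the text): rates are per hour,
# MTTFD values in years, PFHD per hour; the downgrade of the channel MTTFD
# is only flagged, since no formula for it is given.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cat2Result:
    ratio: float                    # test rate divided by request rate
    pfhd_effective: Optional[float] # PFHD after any correction, None if not allowed
    test_rate_ok: bool              # ratio >= 100, or 25 < ratio < 100 with factor 1.1
    te_ok: bool                     # MTTFD of TE at least half the channel MTTFD
    notes: List[str] = field(default_factory=list)


def check_cat2(test_rate_per_h, request_rate_per_h, pfhd_table_k1,
               mttfd_channel_years, mttfd_te_years):
    """Apply the Category 2 test-rate and test-equipment rules."""
    if test_rate_per_h <= 0 or request_rate_per_h <= 0:
        raise ValueError("rates must be positive")
    notes = []
    ratio = test_rate_per_h / request_rate_per_h
    if ratio >= 100:
        pfhd, rate_ok = pfhd_table_k1, True          # Table K.1 value used as is
    elif ratio > 25:
        pfhd, rate_ok = pfhd_table_k1 * 1.1, True    # 25 < ratio < 100: factor 1.1
        notes.append("test/request ratio below 100: Table K.1 PFHD multiplied by 1.1")
    else:
        pfhd, rate_ok = None, False                  # test rate too low for Cat. 2
        notes.append("test/request ratio <= 25: test frequency requirement not met")
    te_ok = mttfd_te_years >= mttfd_channel_years / 2
    if not te_ok:
        notes.append("MTTFD of TE below half the channel MTTFD: downgrade channel MTTFD")
    return Cat2Result(ratio, pfhd, rate_ok, te_ok, notes)


def simultaneous_test_ok(detect_s, stop_s, approach_s):
    """Test performed together with the request: the fault must be detected and
    the machine stopped before a person can reach the dangerous point."""
    return detect_s + stop_s < approach_s


if __name__ == "__main__":
    # Constructed sample: 50 tests per request, Table K.1 PFHD 2e-7/h,
    # channel MTTFD 30 years, TE MTTFD 20 years.
    print(check_cat2(50.0, 1.0, 2e-7, 30.0, 20.0))
    print(simultaneous_test_ok(0.2, 0.5, 1.0))
```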

Category 3

Fault tolerance = 1

  • PLmax = e
  • DC = from low to medium
  • MTTFD = from low to medium
  • Use of basic safety principles
  • Use of “well tried” safety principles

A single fault does not lead to the loss of the safety function.

When reasonably practicable, the single fault must be detected during or before the next safety function request.

Not all faults can be detected. The accumulation of undetected faults leads to the loss of the safety function.

Dual channel with diagnostic

Category 4

Fault tolerance = 1

  • PLmax = e
  • DC = High
  • MTTFD = High
  • Use of basic safety principles
  • Use of “well tried” safety principles

A single fault does not lead to the loss of the safety function.

Faults must be detected in time, before the loss of the safety function: for example, immediately upon their occurrence, when the machine is turned on, or at the end of the operating cycle. If this detection is not possible, the combination of two faults must not lead to the loss of the safety function.

Dual channel with diagnostic