February 2013

DIN EN ISO 13849-2

D
ICS 13.110 Supersedes
DIN EN ISO 13849-2:2008-09
and
DIN EN ISO 13849-2
Corrigendum 1:2009-01

Safety of machinery –
Safety-related parts of control systems –
Part 2: Validation (ISO 13849-2:2012);
English version EN ISO 13849-2:2012,
English translation of DIN EN ISO 13849-2:2013-02

Sicherheit von Maschinen –

Sicherheitsbezogene Teile von Steuerungen –
Teil 2: Validierung (ISO 13849-2:2012);
Englische Fassung EN ISO 13849-2:2012,
Englische Übersetzung von DIN EN ISO 13849-2:2013-02
Sécurité des machines –
Parties des systèmes de commande relatives à la sécurité –
Partie 2: Validation (ISO 13849-2:2012);
Version anglaise EN ISO 13849-2:2012,
Traduction anglaise de DIN EN ISO 13849-2:2013-02

Document comprises 90 pages

Translation by DIN-Sprachendienst.
In case of doubt, the German-language original shall be considered authoritative.

© No part of this translation may be reproduced without prior permission of

DIN Deutsches Institut für Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,
has the exclusive right of sale for German Standards (DIN-Normen).
English price group 31
www.din.de !$ÇR8"
www.beuth.de 02.13 1944721
DIN EN ISO 13849-2:2013-02

A comma is used as the decimal marker.

Start of application
The start of application of this standard is 2013-02-01.

National foreword
This standard includes safety requirements within the meaning of the Produktsicherheitsgesetz (ProdSG)
(German Product Safety Act).

This document (EN ISO 13849-2:2012) has been prepared by Technical Committee ISO/TC 199 “Safety of
machinery” in collaboration with Technical Committee CEN/TC 114 “Safety of machinery” in accordance with
the agreement on technical co-operation between ISO and CEN (Vienna Agreement). Both secretariats are
held by DIN, Germany.

The responsible German body involved in its preparation was the Normenausschuss Sicherheitstechnische
Grundsätze (Safety Design Principles Standards Committee), Joint Technical Committee NA 095-01-03 GA
Steuerungen.

The DIN Standards corresponding to the International Standards referred to in this document are as follows:
The European Standards have been published as German Standards with the same number.

Referred to in Clause 2:
ISO 12100 DIN EN ISO 12100
ISO 13849-1 DIN EN ISO 13849-1

Referred to in Bibliography:
ISO 4413 DIN EN ISO 4413
ISO 4414 DIN EN ISO 4414
ISO 4960 DIN EN 10140 (modified)
ISO 11161 DIN EN ISO 11161
ISO 13850 DIN EN ISO 13850
ISO 13851 DIN EN 574
ISO 13855 DIN EN ISO 13855
ISO 13856 series DIN EN 1760 series
ISO 14118 DIN EN 1037
ISO 14119 DIN EN 1088
IEC 60204-1 DIN EN 60204-1 (VDE 0113-1) (modified)
IEC 60269-1 DIN EN 60269-1 (VDE 0636-1)
IEC 60529 DIN EN 60529 (VDE 0470-1)
IEC 60664 series DIN EN 60664 series (VDE 0110 series)
IEC 60812 DIN EN 60812
IEC 60893-1 DIN EN 60893-1 (VDE 0318-1)
IEC 60947 series DIN EN 60947 series (VDE 0660 series)
IEC 61025 DIN EN 61025
IEC 61078 DIN EN 61078
IEC 61131-1 DIN EN 61131-1
IEC 61131-2 DIN EN 61131-2 (VDE 0411-500)
IEC 61165 DIN EN 61165
IEC 61249 series DIN EN 61249 series
IEC 61508 series DIN EN 61508 (VDE 0803 series)
IEC 61558 series DIN EN 61558 series (VDE 0570 series)
IEC 61800-5-2 DIN EN 61800-5-2 (VDE 0160-105-2)
IEC 61810 series DIN EN 61810 series (VDE 0435 series)

2
 DIN EN ISO 13849-2:2013-02

Amendments

This standard differs from DIN EN ISO 13849-2:2008-09 and DIN EN ISO 13849-2 Corrigendum 1:2009-01 as
follows:

a) requirements and terminology have been updated to be in line with ISO 13849-1:2006;

b) normative references have been updated;

c) analysis and testing of the performance level (PL) in accordance with ISO 13849-1:2006 have been
included;

d) a new Clause 3 “Terms and definitions” has been added and subsequent clauses have been renumbered
or restructured;

e) Table 2 “Documentation requirements for categories in respect of performance levels” has been updated;

f) Subclause 9.2 “Validation of category specifications” have been updated to be in line with ISO 13849-1:2006;

g) Subclause 9.3 “Validation of MTTFd , DCavg and CCF” has been added;

h) Subclause 9.4 “Validation of measures against systematic failures related to performance level and
category of SRP/CS” has been added;

i) Subclause 9.5 “Validation of safety-related software” has been added;

j) Subclause 9.6 “Validation and verification of performance level” has been added;

k) Clause 12 “Validation of technical documentation and information for use” has been added;

l) Annex E “Example of validation of fault behaviour and diagnostic means” has been added.

Previous editions

DIN EN ISO 13849-2: 2003-12, 2008-09

DIN EN ISO 13849-2 Corrigendum 1: 2009-01

3
DIN EN ISO 13849-2:2013-02

National Annex NA
(informative)

Bibliography

DIN EN 574, Safety of machinery — Two-hand control devices — Functional aspects — Principles for design

DIN EN 1037, Safety of machinery — Prevention of unexpected start-up

DIN EN 1088, Safety of machinery — Interlocking devices associated with guards — Principles for design and
selection

DIN EN 1760 (all parts), Safety of machinery — Pressure sensitive protective devices

DIN EN 10140, Cold rolled narrow steel strip — Tolerances on dimensions and shape

DIN EN 60204-1 (VDE 0113-1), Safety of machinery — Electrical equipment of machines — Part 1: General
requirements

DIN EN 60269-1 (VDE 0636-1), Low-voltage fuses — Part 1: General requirements

DIN EN 60529 (VDE 0470-1), Degrees of protection provided by enclosures (IP code)

DIN EN 60664 (all parts) (VDE 0110 series), Insulation coordination for equipment within low-voltage systems

DIN EN 60812, Analysis techniques for system reliability — Procedure for failure mode and effects analysis
(FMEA)

DIN EN 60893-1 (VDE 0318-1), Insulating materials — Industrial rigid laminated sheets based on thermo-
setting resins for electrical purposes — Part 1: Definitions, designations and general requirements

DIN EN 60947 (all parts) (VDE 0660 series), Low-voltage switchgear and controlgear

DIN EN 61025, Fault tree analysis (FTA)

DIN EN 61078, Analysis techniques for dependability — Reliability block diagram and boolean methods

DIN EN 61131-1, Programmable controllers — Part 1: General information

DIN EN 61131-2 (VDE 0411-500), Programmable controllers — Part 2: Equipment requirements and tests

DIN EN 61165, Application of Markov techniques

DIN EN 61249 (all parts), Materials for printed boards and other interconnecting structures

DIN EN 61508 (all parts (VDE 0803 series), Functional safety of electrical/electronic/programmable electronic
safety-related systems

DIN EN 61558 (all parts) (VDE 0570 series), Safety of power transformers, power supplies, reactors and
similar products

DIN EN 61800-5-2 (VDE 0160-105-2), Adjustable speed electrical power drive systems — Part 5-2: Safety
requirements — Functional safety

DIN EN 61810 (all parts), Electromechanical elementary relays

4
 DIN EN ISO 13849-2:2013-02

DIN EN ISO 4413, Hydraulic fluid power — General rules and safety requirements for systems and their
components

DIN EN ISO 4414, Pneumatic fluid power — General rules and safety requirements for systems and their
components

DIN EN ISO 11161, Safety of machinery — Integrated manufacturing systems — Basic requirements

DIN EN ISO 12100, Safety of machinery — General principles for design — Risk assessment and risk
reduction

DIN EN ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General
principles for design

DIN EN ISO 13850, Safety of machinery — Emergency stop — Principles for design

DIN EN ISO 13855, Safety of machinery — Positioning of safeguards with respect to the approach speeds of
parts of the human body

5
DIN EN ISO 13849-2:2013-02

— This page is intentionally blank —

6
EUROPEAN STANDARD EN ISO 13849-2
NORME EUROPÉENNE
EUROPÄISCHE NORM October 2012

ICS 13.110 Supersedes EN ISO 13849-2:2008

English Version

Safety of machinery - Safety-related parts of control systems -

Part 2: Validation (ISO 13849-2:2012)

Sécurité des machines - Parties des systèmes de Sicherheit von Maschinen - Sicherheitsbezogene Teile von
commande relatives à la sécurité - Partie 2: Validation Steuerungen - Teil 2: Validierung (ISO 13849-2:2012)
(ISO 13849-2:2012)

This European Standard was approved by CEN on 14 October 2012.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION

COMI TÉ EUROP ÉEN DE NORMALI S ATI ON
EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2012 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 13849-2:2012: E
worldwide for CEN national Members.
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Contents
Page

Foreword ............................................................................................................................................................. 3
Introduction ......................................................................................................................................................... 4
1 Scope ....................................................................................................................................................... 5
2 Normative references............................................................................................................................. 5
3 Terms and definitions ............................................................................................................................ 5
4 Validation process ................................................................................................................................. 5
4.1 Validation principles .............................................................................................................................. 5
4.2 Validation plan ........................................................................................................................................ 7
4.3 Generic fault lists ................................................................................................................................... 8
4.4 Specific fault lists ................................................................................................................................... 8
4.5 Information for validation ...................................................................................................................... 8
4.6 Validation record .................................................................................................................................. 10
5 Validation by analysis .......................................................................................................................... 10
5.1 General .................................................................................................................................................. 10
5.2 Analysis techniques............................................................................................................................. 11
6 Validation by testing ............................................................................................................................ 11
6.1 General .................................................................................................................................................. 11
6.2 Measurement accuracy ....................................................................................................................... 12
6.3 More stringent requirements .............................................................................................................. 12
6.4 Number of test samples ...................................................................................................................... 12
7 Validation of safety requirements specification for safety functions ............................................. 13
8 Validation of safety functions ............................................................................................................. 13
9 Validation of performance levels and categories ............................................................................. 14
9.1 Analysis and testing ............................................................................................................................ 14
9.2 Validation of category specifications................................................................................................. 14
9.3 Validation of MTTFd, DCavg and CCF................................................................................................ 16
9.4 Validation of measures against systematic failures related to performance level
and category of SRP/CS ...................................................................................................................... 17
9.5 Validation of safety-related software ................................................................................................. 17
9.6 Validation and verification of performance level .............................................................................. 18
9.7 Validation of combination of safety-related parts ............................................................................ 18
10 Validation of environmental requirements ........................................................................................ 19
11 Validation of maintenance requirements ........................................................................................... 19
12 Validation of technical documentation and information for use ..................................................... 20
Annex A (informative) Validation tools for mechanical systems ................................................................ 21
Annex B (informative) Validation tools for pneumatic systems .................................................................. 25
Annex C (informative) Validation tools for hydraulic systems .................................................................... 35
Annex D (informative) Validation tools for electrical systems .................................................................... 44
Annex E (informative) Example of validation of fault behaviour and diagnostic means ......................... 57
Bibliography ...................................................................................................................................................... 82
Annex ZA (informative) Relationship between this European Standard and the
Essential Requirements of EU Directive 2006/42/EC ........................................................................ 84

2
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Foreword
This document (EN ISO 13849-2:2012) has been prepared by Technical Committee ISO/TC 199 “Safety of
machinery” in collaboration with Technical Committee CEN/TC 114 “Safety of machinery” the secretariat of
which is held by DIN.

This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by April 2013, and conflicting national standards shall be withdrawn at the
latest by April 2013.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.

This document supersedes EN ISO 13849-2:2008.

This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association, and supports essential requirements of EU Directive.

For relationship with EU Directive, see informative Annex ZA, which is an integral part of this document.

EN ISO 13849 consists of the following parts, under the general title Safety of machinery — Safety-related
parts of control systems:

 Part 1: General principles for design;

 Part 2: Validation.

Annexes A to D, which are informative, are structured according to Table 1.

Table 1 — Structure of Annexes A to D of this part of ISO 13849

List of
List of basic safety List of well-tried Fault lists and fault
well-tried
Annex Technology principles safety principles exclusions
components
Table(s)
A Mechanical A.1 A.2 A.3 A.4, A.5
B Pneumatic B.1 B.2 — B.3 to B.18
C Hydraulic C.1 C.2 — C.3 to C.12
Electrical
D (includes D.1 D.2 D.3 D.4 to D.21
electronics)

According to the CEN/CENELEC Internal Regulations, the national standards organisations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 13849-2:2012 has been approved by CEN as a EN ISO 13849-2:2012 without any
modification.

3
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Introduction
The structure of safety standards in the field of machinery is as follows:
a) type-A standards (basic safety standards) giving basic concepts, principles for design and general
aspects that can be applied to machinery;
b) type-B standards (generic safety standards) dealing with one safety aspect or one type of safeguard
that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (for example safety distances, surface
temperature, noise);
— type-B2 standards on safeguards (for example two-hand controls, interlocking devices,
pressure-sensitive devices, guards);
c) type-C standards (machine safety standards) dealing with detailed safety requirements for a
particular machine or group of machines.
This document is a type-B standard as stated in ISO 12100.
The requirements of this document can be supplemented or modified by a type-C standard.
For machines which are covered by the scope of a type-C standard and which have been designed and built
according to the requirements of that standard, the requirements of that type-C standard take precedence.
This part of ISO 13849 specifies the validation process for the safety functions, categories and performance
levels for the safety-related parts of control systems. It recognizes that the validation of safety-related
parts of control systems can be achieved by a combination of analysis (see Clause 5) and testing (see
Clause 6), and specifies the particular circumstances in which testing ought to be carried out.
Most of the procedures and conditions in this part of ISO 13849 are based on the assumption that the
simplified procedure for estimating the performance level (PL) described in ISO 13849-1:2006, 4.5.4, is
used. This part of ISO 13849 does not provide guidance for situations when other procedures are used
to estimate PL (e.g. Markov modelling), in which case some of its provisions will not apply and additional
requirements can be necessary.
Guidance on the general principles for the design (see ISO 12100) of safety-related parts of control
systems, regardless of the type of technology used (electrical, hydraulic, pneumatic, mechanical, etc.),
is provided in ISO 13849-1. This includes descriptions of some typical safety functions, determination
of their required performance levels, and general requirements of categories and performance levels.
Within this part of ISO 13849, some of the validation requirements are general, whereas others are
specific to the type of technology used.

4
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

1 Scope
This part of ISO 13849 specifies the procedures and conditions to be followed for the validation by
analysis and testing of
— the specified safety functions,
— the category achieved, and
— the performance level achieved
by the safety-related parts of a control system (SRP/CS) designed in accordance with ISO 13849-1.
NOTE Additional requirements for programmable electronic systems, including embedded software, are
given in ISO 13849-1:2006, 4.6, and IEC 61508 .

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction
ISO 13849-1:2006, Safety of machinery — Safety-related parts of control systems — Part 1: General
principles for design

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 12100 and ISO 13849-1 apply.

4 Validation process

4.1 Validation principles

The purpose of the validation process is to confirm that the design of the SRP/CS supports the overall
safety requirements specification for the machinery.
The validation shall demonstrate that each SRP/CS meets the requirements of ISO 13849-1 and, in
particular, the following:
a) the specified safety characteristics of the safety functions provided by that part, as set out in the
design rationale;
b) the requirements of the specified performance level (see ISO 13849-1:2006, 4.5):
1) the requirements of the specified category (see ISO 13849-1:2006, 6.2),

5
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

2) the measures for control and avoidance of systematic failures (see ISO 13849-1:2006, Annex G),
3) if applicable, the requirements of the software (see ISO 13849-1:2006, 4.6), and
4) the ability to perform a safety function under expected environmental conditions;
c) the ergonomic design of the operator interface, e.g. so that the operator is not tempted to act in a
hazardous manner, such as defeating the SRP/CS (see ISO 13849-1:2006, 4.8).
Validation should be carried out by persons who are independent of the design of the SRP/CS.
NOTE “Independent person” does not necessarily mean that a third-party test is required.

Validation consists of applying analysis (see Clause 5) and executing functional tests (see Clause 6)
under foreseeable conditions in accordance with the validation plan. Figure 1 gives an overview of the
validation process. The balance between the analysis and testing depends on the technology used for
the safety-related parts and the required performance level. For Categories 2, 3 and 4 the validation of
the safety function shall also include testing under fault conditions.
The analysis should be started as early as possible in, and in parallel with, the design process. Problems
can then be corrected early while they are still relatively easy to correct, i.e. during steps “design and
technical realization of the safety function” and “evaluate the performance level PL” [the fourth and fifth
boxes down in in ISO 13849-1:2006, Figure 3]. It can be necessary for some parts of the analysis to be
delayed until the design is well developed.
Where necessary due to the system’s size, complexity or the effects of integrating it with the control
system (of the machinery), special arrangements should be made for
— validation of the SRP/CS separately before integration, including simulation of the appropriate input
and output signals, and
— validation of the effects of integrating safety-related parts into the remainder of the control system
within the context of its use in the machine.

6
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Figure 1 — Overview of the validation process

“Modification of the design” in Figure 1 refers to the design process. If the validation cannot be
successfully completed, changes in the design are necessary. The validation of the modified safety-
related parts should then be repeated. This process should be iterated until all safety-related parts of
the safety functions are successfully validated.

4.2 Validation plan

The validation plan shall identify and describe the requirements for carrying out the validation process
for the specified safety functions, their categories and performance levels.
The validation plan shall also identify the means to be employed to validate the specified safety functions,
categories and performance levels. It shall set out, where appropriate
a) the identity of the specification documents,
b) the operational and environmental conditions during testing,

7
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

c) the analyses and tests to be applied,

d) the reference to test standards to be applied, and
e) the persons or parties responsible for each step in the validation process.
Safety-related parts which have previously been validated to the same specification need only a
reference to that previous validation.

4.3 Generic fault lists

The validation process involves consideration of the behaviour of the SRP/CS for all faults to be
considered. A basis for fault consideration is given in the tables of fault lists in Annexes A to D, which are
based on experience and which contain
— the components/elements to be included, e.g. conductors/cables (see Annex D),
— the faults to be taken into account, e.g. short circuits between conductors,
— the permitted fault exclusions, taking into account environmental, operating and application
aspects, and
— a remarks section giving the reasons for the fault exclusions.
Only permanent faults are taken into account in the fault lists.

4.4 Specific fault lists

If necessary, a specific product-related fault list shall be generated as a reference document for the
validation process of the safety-related part(s). The list can be based on the appropriate generic list(s)
found in the annexes.
Where the specific product-related fault list is based on the generic list(s) it shall state
a) the faults taken from the generic list(s) to be included,
b) any other relevant faults to be included but not given in the generic list (e.g. common-cause failures),
c) the faults taken from the generic list(s) which may be excluded on the basis that the criteria given in
the generic list(s) (see ISO 13849-1:2006, 7.3) are satisfied, and
exceptionally
d) any other faults for which the generic list(s) do not permit an exclusion, but for which justification
and rationale for an exclusion is presented (see ISO 13849-1:2006, 7.3).
Where this list is not based on the generic list(s), the designer shall give the rationale for fault exclusions.

4.5 Information for validation

The information required for validation will vary with the technology used, the category or categories
and performance level(s) to be demonstrated, the design rationale of the system, and the contribution of
the SRP/CS to the reduction of the risk. Documents containing sufficient information from the following
list shall be included in the validation process to demonstrate that the safety-related parts perform the
specified safety functions to the required performance level or levels and category or categories:
a) specification of the required characteristics of each safety function, and its required category and
performance level;
b) drawings and specifications, e.g. for mechanical, hydraulic and pneumatic parts, printed circuit
boards, assembled boards, internal wiring, enclosure, materials, mounting;

8
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

c) block diagram(s) with a functional description of the blocks;

d) circuit diagram(s), including interfaces/connections;
e) functional description of the circuit diagram(s);
f) time sequence diagram(s) for switching components, signals relevant for safety;
g) description of the relevant characteristics of components previously validated;
h) for safety-related parts other than those listed in g), component lists with item designations, rated
values, tolerances, relevant operating stresses, type designation, failure-rate data and component
manufacturer, and any other data relevant to safety;
i) analysis of all relevant faults (see also 4.3 and 4.4), such as those listed in the tables of Annexes A to
D, including the justification of any excluded faults;
j) an analysis of the influence of processed materials;
k) information for use, e.g. installation and operation manual/instruction handbook.
Where software is relevant to the safety function(s), the software documentation shall include
— a specification which is clear and unambiguous and which states the safety performance the
software is required to achieve,
— evidence that the software is designed to achieve the required performance level (see 9.5), and
— details of tests (in particular test reports) carried out to prove that the required safety
performance is achieved.
NOTE See ISO 13849-1:2006, 4.6.2 and 4.6.3, for requirements.

Information is required on how the performance level and average probability of a dangerous failure per
hour is determined. The documentation of the quantifiable aspects shall include
— the safety-related block diagram (see ISO 13849-1:2006, Annex B) or designated architecture
(see ISO 13849-1:2006, 6.2),
— the determination of MTTFd, DCavg and CCF, and
— the determination of the category (see Table 2).
Information is required for documentation on systematic aspects of the SRP/CS.
Information is required as to how the combination of several SRP/CS achieves a performance level in
accordance with the performance level required.

Table 2 — Documentation requirements for categories in respect of performance levels

Category for which documentation

Documentation requirement is required
B 1 2 3 4
Basic safety principles X X X X X
Expected operating stresses X X X X X
Influences of processed material X X X X X
Performance during other relevant external influences X X X X X
Well-tried components — X — — —
Well-tried safety principles — X X X X

9
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table 2 (continued)
Category for which documentation
Documentation requirement is required
B 1 2 3 4
Mean time to dangerous failure (MTTFd) of each channel X X X X X
The check procedure of the safety function(s) — — X — —
Diagnostic measures performed, including fault reaction — — X X X
Checking intervals, when specified — — X X X
Diagnostic coverage (DCavg) — — X X X
Foreseeable single faults considered in the design and the detection — — X X X
method used
Common-cause failures (CCF) identified and how to prevent them — — X X X
Foreseeable single faults excluded — — — X X
Faults to be detected — — X X X
How the safety function is maintained in the case of each of the faults — — — X X
How the safety function is maintained for each of the combinations of — — — — X
faults
Measures against systematic faults X X X X X
Measures against software faults X — X X X
X documentation required
— documentation not required
NOTE The categories are those given in ISO 13849-1:2006.

4.6 Validation record

Validation by analysis and testing shall be recorded. The record shall demonstrate the validation process
for each of the safety requirements. Cross-reference may be made to previous validation records,
provided they are properly identified.
For any safety-related part which has failed an element of the validation process, the validation record
shall describe which elements in the validation analysis/testing have been failed. It shall be ensured that
all safety-related parts are successfully re-validated after modification.

5 Validation by analysis

5.1 General
Validation of the SRP/CS shall be carried out by analysis. Inputs to the analysis include the following:
— the safety function(s), their characteristics and the required performance level(s) identified during
the risk analysis (see ISO 13849-1:2006, Figures 1 and 3);
— the quantifiable aspects (MTTFd, DCavg and CCF);
— the system structure (e.g. designated architectures) (see ISO 13849-1:2006, Clause 6);
— the non-quantifiable, qualitative aspects which affect system behaviour (if applicable, software aspects);
— deterministic arguments.

10
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Validation of the safety functions by analysis rather than testing requires the formulation of
deterministic arguments.
NOTE 1 A deterministic argument is an argument based on qualitative aspects (e.g. quality of manufacture,
experience of use). This consideration depends on the application, which, together with other factors, can affect
the deterministic arguments.

NOTE 2 Deterministic arguments differ from other evidence in that they show that the required properties of
the system follow logically from a model of the system. Such arguments can be constructed on the basis of simple,
well-understood concepts.

5.2 Analysis techniques

The selection of an analysis technique depends upon the particular object. Two basic techniques
exist, as follows.
a) Top-down (deductive) techniques are suitable for determining the initiating events that can lead
to identified top events, and calculating the probability of top events from the probability of the
initiating events. They can also be used to investigate the consequences of identified multiple faults.
EXAMPLE Fault tree analysis (FTA, see IEC 61025), event tree analysis (ETA).

b) Bottom-up (inductive) techniques are suitable for investigating the consequence of identified
single faults.
EXAMPLE Failure modes and effects analysis (FMEA, see IEC 60812) and failure modes, effects and
criticality analysis (FMECA).

6 Validation by testing

6.1 General
When validation by analysis is not conclusive, testing shall be carried out to complete the validation.
Testing is always complementary to analysis and is often necessary.
Validation tests shall be planned and implemented in a logical manner. In particular:
a) a test plan shall be produced before testing begins that shall include
1) the test specifications,
2) the required outcome of the tests for compliance, and
3) the chronology of the tests;
b) test records shall be produced that include
1) the name of the person carrying out the test,
2) the environmental conditions (see Clause 10),
3) the test procedures and equipment used,
4) the date of the test, and
5) the results of the test;
c) the test records shall be compared with the test plan to ensure that the specified functional and
performance targets are achieved.
The test sample shall be operated as near as possible to its final operating configuration, i.e. with all
peripheral devices and covers attached.

11
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

This testing may be applied manually or automatically, e.g. by computer.

Where applied, validation of the safety functions by testing shall be carried out by applying input signals,
in various combinations, to the SRP/CS. The resultant response at the outputs shall be compared to the
appropriate specified outputs.
It is recommended that the combination of these input signals be applied systematically to the control
system and the machine. An example of this logic is power-on, start-up, operation, directional changes,
restart-up. Where necessary, an expanded range of input data shall be applied to take into account
anomalous or unusual situations, in order to see how the SRP/CS responds. Such combinations of input
data shall take into account foreseeable incorrect operation(s).
The objectives of the test will determine the environmental condition for that test, which can be one or
another of the following:
— the environmental conditions of intended use;
— the conditions at a particular rating;
— a given range of conditions if drift is expected.
The range of conditions which is considered stable and over which the tests are valid should be agreed
between the designer and the person(s) responsible for carrying out the tests and should be recorded.

6.2 Measurement accuracy

The accuracy of measurements during the validation by testing shall be appropriate for the test carried
out. In general, these measurement accuracies shall be within 5 K for temperature measurements and
5 % for the following:
a) time measurements;
b) pressure measurements;
c) force measurements;
d) electrical measurements;
e) relative humidity measurements;
f) linear measurements.
Deviations from these measurement accuracies shall be justified.

6.3 More stringent requirements

If, according to its accompanying documentation, the requirements for the SRP/CS exceed those within
this part of ISO 13849, the more stringent requirements shall apply.
NOTE More stringent requirements can apply if the control system has to withstand particularly adverse
service conditions, e.g. rough handling, humidity effects, hydrolysation, ambient temperature variations, effects
of chemical agents, corrosion, high strength of electromagnetic fields — for example, due to close proximity of
transmitters.

6.4 Number of test samples

Unless otherwise specified, the tests shall be made on a single production sample of the safety-related
part being tested.
Safety-related part(s) under test shall not be modified during the course of the tests.

12
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Certain tests can permanently change the performance of some components. Where a permanent change
in a component causes the safety-related part to be incapable of meeting the requirements of further
tests, a new sample or samples shall be used for subsequent tests.
Where a particular test is destructive and equivalent results can be obtained by testing part of the
SRP/CS in isolation, a sample of that safety-related part may be used instead of the whole safety-related
part(s) for the purpose of obtaining the results of the test. This approach shall only be applied where it
has been shown by analysis that testing of a safety-related part(s) is sufficient to demonstrate the safety
performance of the whole safety-related part that performs the safety function.

7 Validation of safety requirements specification for safety functions

Prior to the validation of the design of the SRP/CS, or the combination of SRP/CS providing the safety
function, the requirements specification for the safety function shall be verified to ensure consistency
and completeness for its intended use.
The safety requirements specification should be analysed before starting the design, since every other
activity is based on these requirements.
It shall be ensured that requirements for all safety functions of the machine control system are documented.
In order to validate the specification, appropriate measures to detect systematic faults (errors, omissions
or inconsistencies) shall be applied.
Validation may be performed by reviews and inspections of the SRP/CS safety requirements and design
specification(s), in particular to prove that all aspects of
— the intended application requirements and safety needs, and
— the operational and environmental conditions and possible human errors (e.g. misuse)
have been considered.
Where a product standard specifies the safety requirements for the design of a SRP/CS (e.g. ISO 11161
for integrated manufacturing systems or ISO 13851 for two-hand control devices), these shall be taken
into account.

8 Validation of safety functions

The validation of safety functions shall demonstrate that the SRP/CS, or combination of SRP/CSs,
provides the safety function(s) in accordance with their specified characteristics.
NOTE 1 A loss of the safety function in the absence of a hardware fault is due to a systematic fault, which can
be caused by errors made during the design and integration stages (a misinterpretation of the safety function
characteristics, an error in the logic design, an error in hardware assembly, an error in typing the code of software,
etc.). Some of these systematic faults will be revealed during the design process, while others will be revealed
during the validation process or will remain unnoticed. In addition, it is also possible for an error to be made (e.g.
failure to check a characteristic) during the validation process.

Validation of the specified characteristics of the safety functions shall be achieved by the application of
appropriate measures from the following list.
— Functional analysis of schematics, reviews of the software (see 9.5).
NOTE 2 Where a machine has complex or a large number of safety functions, an analysis can reduce the
number of functional tests required.

— Simulation.
— Check of the hardware components installed in the machine and details of the associated software
to confirm their correspondence with the documentation (e.g. manufacture, type, version).

13
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

— Functional testing of the safety functions in all operating modes of the machine, to establish
whether they meet the specified characteristics (see ISO 13849-1:2006, Clause 5, for specifications
of some typical safety functions). The functional tests shall ensure that all safety-related outputs
are realized over their complete ranges and respond to safety-related input signals in accordance
with the specification. The test cases are normally derived from the specifications but could also
include some cases derived from analysis of the schematics or software.
— Extended functional testing to check foreseeable abnormal signals or combinations of signals from
any input source, including power interruption and restoration, and incorrect operations.
— Check of the operator–SRP/CS interface for the meeting of ergonomic principles (see
ISO 13849‑1:2006, 4.8).
NOTE 3 Other measures against systematic failures mentioned in 9.4 (e.g. diversity, failure detection by
automatic tests) can also contribute in the detection of functional faults.

9 Validation of performance levels and categories

9.1 Analysis and testing

For the SRP/CS or combination of SRP/CSs that provides the safety function(s), validation shall
demonstrate that the required performance levels (PLr) and categories in the safety requirements
specification are fulfilled. Principally, this will require failure analysis using circuit diagrams (see
Clause 5) and, where the failure analysis is inconclusive:
— fault injection tests on the actual circuit and fault initiation on actual components, particularly in parts
of the system where there is doubt regarding the results obtained from failure analysis (see Clause 6);
— a simulation of control system behaviour in the event of a fault, e.g. by means of hardware and/or
software models.
In some applications it may be necessary to divide the connected safety-related parts into several
functional groups and to subject these groups and their interfaces to fault simulation tests.
When validating by testing, the tests should include, as appropriate,
— fault injection tests into a production sample,
— fault injection tests into a hardware model,
— software simulation of faults, and
— subsystem failure, e.g. power supplies.
The precise instant at which a fault is injected into a system can be critical. The worst-case effect of a
fault injection shall be determined by analysis and by injecting the fault at this appropriate critical time.

9.2 Validation of category specifications

9.2.1 Category B

SRP/CSs to Category B shall be validated in accordance with basic safety principles (see Tables A.1, B.1,
C.1 and D.1) by demonstrating that the specification, design, construction and choice of components are
in accordance with ISO 13849-1:2006, 6.2.3. The MTTFd of the channel shall be demonstrated to be at
least 3 years. This shall be achieved by checking that the SRP/CS is in accordance with its specification as
provided in the documents for validation (see 4.5). For the validation of environmental conditions, see 6.1.
NOTE In particular cases, higher values of MTTFd can be required — for example, when PLr = b.

14
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

9.2.2 Category 1

SRP/CSs to Category 1 shall be validated by demonstrating the following:

a) they meet the requirements of Category B;
b) components are well-tried (see Tables A.3 and D.3), meeting at least one of the following conditions:
1) they have been widely used in the past with successful results in similar applications;
2) they have been made and verified using principles which demonstrate their suitability and
reliability for safety-related applications;
c) well-tried safety principles (where applicable, see Tables A.2, B.2, C.2 and D.2) have been implemented
correctly, and, where newly developed principles have been used, validation has been made of
1) how the expected modes of failure have been avoided, and
2) how faults have been avoided or their probability reduced to a suitable level.
Relevant component standards may be used to demonstrate compliance with this subclause (see Tables
A.3 and D.3). The MTTFd of the channel shall be demonstrated to be at least 30 years.

9.2.3 Category 2

SRP/CSs to Category 2 shall be validated by demonstrating the following:

a) they meet the requirements of Category B;
b) the well-tried safety principles used (if applicable) are in accordance with 9.2.2 c);
c) the checking equipment detects all relevant faults applied, one at a time, during the checking process
and generates an appropriate control action which
1) initiates a safe state or, when this is not possible,
2) provides a warning of the hazard;
d) the check(s) provided by the checking equipment do not introduce an unsafe state;
e) the initiation of the check is carried out
1) at the machine start-up and prior to the initiation of a hazardous situation, and
2) periodically, during operation in accordance with the design specification and if the risk
assessment and kind of operations show that it is necessary;
NOTE 1 The need for, and extent of, checks during operation are determined by the designer’s risk
assessment and the kind of operation necessary.

f) the MTTFd of the functional channel (MTTFd,L) is at least 3 years;

g) the MTTFd,TE is larger than half of MTTFd,L;
h) the test rate ≥ 100 × expected demand rate;
i) the DCavg is at least 60 %;
j) common-cause failures are sufficiently reduced (see ISO 13849-1:2006, Annex F).
NOTE 2 In particular cases, higher values of MTTFd and/or DCavg can be required — for example, owing to high PLr.

15
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

9.2.4 Category 3

SRP/CSs to Category 3 shall be validated by demonstrating the following:

a) they meet the requirements of Category B;
b) the well-tried safety principles (if applicable) meet the requirements of 9.2.2 c);
c) a single fault does not lead to the loss of the safety function;
d) single faults (including common cause faults) are detected in accordance with the design rationale
and the technology applied;
e) the MTTFd of each channel is at least 3 years;
f) the DCavg is at least 60 %;
g) common-cause failures are sufficiently reduced (see ISO 13849-1:2006, Annex F).
NOTE In particular cases, higher values of MTTFd and/or DCavg can be required — for example, due to high PLr.

9.2.5 Category 4

SRP/CSs to Category 4 shall be validated by demonstrating the following:

a) they meet the requirements of Category B;
b) the well-tried safety principles (if applicable) are in accordance with 9.2.2 c);
c) a single fault (including common-mode faults) does not lead to the loss of the safety function;
d) single faults are detected at or before the next demand on the safety function, this being achieved
with a DCavg of at least 99 %;
e) if a single fault is not detected with a DCavg of at least 99 %, an accumulation of faults does not lead
to the loss of the safety function(s), and the extent of the accumulation of faults considered is in
accordance with the design rationale;
f) the MTTFd of each channel is at least 30 years;
g) common-cause failures are sufficiently reduced (see ISO 13849-1:2006, Annex F).

9.3 Validation of MTTFd, DCavg and CCF

The validation of MTTFd, DCavg and CCF is typically performed by analysis and visual inspection.
The MTTFd values for components (including B10d, T10d and nop values) shall be checked for plausibility
(e.g. against ISO 13849-1:2006, Annex C). For example, the value given on the supplier datasheet is to be
compared with ISO 13849-1:2006, Annex C. Where fault exclusion claims mean that particular components
do not contribute to the channel MTTFd, the plausibility of the fault exclusion shall be checked.
NOTE 1 A fault exclusion implies infinite MTTFd; therefore, the component will not contribute to the calculation
of channel MTTFd.

NOTE 2 For the determination of the B10d value, see e.g. IEC 60947-4-1:2010, Annex K.

The MTTFd of each channel of the SRP/CS, including application of the symmetrisation formula (see
ISO 13849-1:2006, Annex D) to dissimilar redundant channels, shall be checked for correct calculation. It
shall be ensured that the MTTFd of individual channels has been restricted to no greater than 100 years
before the symmetrisation formula is applied.
The DC values for components and/or logic blocks shall be checked for plausibility (e.g. against
measures in ISO 13849-1:2006, Annex E). The correct implementation (hardware and software) of

16
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

checks and diagnostics, including appropriate fault reaction, shall be validated by testing under typical
environmental conditions in use.
The DCavg of the SRP/CS shall be checked for correct calculation.
The correct implementation of sufficient measures against common-cause failures shall be validated
(e.g. against ISO 13849-1:2006, Annex F). Typical validation measures are static hardware analysis and
functional testing under environmental conditions.
NOTE 3 For the calculation of the MTTFd values of electronic components, an ambient temperature of +40 °C
is taken as a basis. During validation, it is important to ensure that, for MTTFd values, the environmental and
functional conditions (in particular temperature) taken as basis are met. Where a device, or component, is
operated significantly above (e.g. more than 15 °C) the specified temperature of +40 °C, it will be necessary to use
MTTFd values for the increased ambient temperature.

9.4 Validation of measures against systematic failures related to performance level and
category of SRP/CS
The validation of measures against systematic failures (defined in ISO 13849-1:2006, 3.1.7) related to
performance levels and categories of each SRP/CS can typically be provided by
a) inspections of design documents which confirm the application of
1) basic and well-tried safety principles (see Annexes A to D),
2) further measures for avoidance of systematic failures (see ISO 13849-1:2006, G.3), and
3) further measures for the control of systematic failures such as hardware diversity (see
ISO 13849‑1:2006, Annex G), modification protection or failure assertion programming;
b) failure analysis (e.g. FMEA);
c) fault injection tests/fault initiation;
d) inspection and testing of data communication, where used;
e) checking that a quality management system avoids the causes of systematic failures in the
manufacturing process.

9.5 Validation of safety-related software

The validation of both safety-related embedded software (SRESW) and safety-related application
software (SRASW) shall include
— the specified functional behaviour and performance criteria (e.g. timing performance) of the
software when executed on the target hardware,
— verification that the software measures are sufficient for the specified PLr of the safety function, and
— measures and activities taken during software development to avoid systematic software faults.
As a first step, check that there is documentation for the specification and design of the safety-
related software. This documentation shall be reviewed for completeness and absence of erroneous
interpretations, omissions or inconsistencies.
NOTE In the case of small programs, an analysis of the program by means of reviews or walk-through of
control flow, procedures, etc. using the software documentation (control flow chart, source code of modules or
blocks, I/O and variable allocation lists, cross-reference lists) can be sufficient.

In general, software can be considered a “black box” or “grey box” (see ISO 13849-1:2006, 4.6.2), and
validated by the black- or grey-box test, respectively.

17
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Depending on the PLr [ISO 13849-1:2006, 4.6.2 (for SRESW) and 4.6.3 (for SRASW)], the tests should include
— black-box testing of functional behaviour and performance (e.g. timing performance),
— additional extended test cases based upon limit value analyses, recommended for PL d or e,
— I/O tests to ensure that the safety-related input and output signals are used properly, and
— test cases which simulate faults determined analytically beforehand, together with the expected
response, in order to evaluate the adequacy of the software-based measures for control of failures.
Individual software functions which have already been validated do not need to be validated again.
Where a number of such safety function blocks are combined for a specific project, however, the resulting
total safety function shall be validated.
Software documentation shall be checked to confirm that sufficient measures and activities have
been implemented against systematic software faults in accordance with the simplified V-model
(ISO 13849-1:2006, Figure 6).
The measures for software implementation according to ISO 13849-1:2006, 4.6.2 (for SRESW) and 4.6.3
(for SRASW), which depend on the PL to be attained, shall be examined with regard to their proper
implementation.
Should the safety-related software be subsequently modified, it shall be revalidated on an appropriate scale.

9.6 Validation and verification of performance level

For the simplified procedure for estimating PL of the SRP/CS according to ISO 13849-1:2006, 4.5.4,
and ISO 13849-1:2006, Annexes B to F and Annex K, the following verification and validation steps
shall be performed:
— checking for correct evaluation of PL based on the category, DCavg and MTTFd (according to
ISO 13849‑1:2006, 4.5.4 and Annex K);
— verification that the PL achieved by the SRP/CS satisfies the required performance level PLr in the
safety requirements specification for the machinery: PL ≥ PLr.
Where other methods are used to evaluate the achieved PL, based on the estimated average probability
of a dangerous failure per hour, validation shall consider
— the MTTFd value for each component,
— the DC,
— the CCF,
— the structure, and
— the documentation, application and calculation, which shall be checked for correctness.

9.7 Validation of combination of safety-related parts

Where the safety function is implemented by two or more safety-related parts, validation of the
combination — by analysis and, if necessary, by testing — shall be undertaken to establish that the
combination achieves the performance level specified in the design. Existing recorded validation results
of safety-related parts can be taken into account. The following validation steps shall be performed:
— inspection of design documents describing the overall safety function(s);
— a check that the overall PL of the SRP/CS combination has been correctly evaluated, based on the PL
of each individual safety-related part (according to ISO 13849-1:2006, 6.3);

18
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

NOTE A summation of the average probability of dangerous failures per hour of all combined SRP/CS
can be used as an alternative to ISO 13849-1:2006, Table 11. It is important to check the non-quantifiable
restrictions of systematic, architectural and CCF aspects which can limit the overall performance level to
lower values.

— consideration of the characteristics of the interfaces, e.g. voltage, current, pressure, data format of
information, signal level;
— failure analysis relating to combination/integration, e.g. by FMEA;
— for redundant systems, fault injection tests relating to combination/integration.

10 Validation of environmental requirements

The performance specified in the design of the SRP/CS shall be validated with respect to the environmental
conditions specified for the control system.
Validation shall be carried out by analysis and, if necessary, by testing. The extent of the analysis and
of the testing will depend upon the safety-related parts, the system in which they are installed, the
technology used, and the environmental condition(s) being validated. The use of operational reliability
data on the system or its components, or the confirmation of compliance to appropriate environmental
standards (e.g. for waterproofing, vibration protection) can assist this validation process.
Where applicable, validation shall address
— expected mechanical stresses from shock, vibration, ingress of contaminants,
— mechanical durability,
— electrical ratings and power supplies,
— climatic conditions (temperature and humidity), and
— electromagnetic compatibility (immunity).
When testing is needed to determine compliance with the environmental requirements, the procedures
outlined in the relevant standards shall be followed as far as required for the application.
After the completion of validation by testing, the safety functions shall continue to be in accordance
with the specifications for the safety requirements, or the SRP/CS shall provide output(s) for a safe state.

11 Validation of maintenance requirements

The validation process shall demonstrate that the provisions for maintenance requirements specified in
ISO 13849-1:2006, Clause 9, Paragraph 2, have been implemented.
Validation of maintenance requirements shall include the following, as applicable:
a) a review of the information for use confirming that
1) maintenance instructions are complete [including procedures, required tools, frequency
of inspections, time interval for changing components subjected to wear (T10d) etc.] and
understandable,
2) if appropriate, there are provisions for the maintenance to be performed only by skilled
maintenance personnel;
b) a check that measures for ease of maintainability (e.g. provision of diagnostic tools to aid fault-
finding and repair) have been applied.

19
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

In addition, the following measures shall be included when applied:

— measures against mistakes during maintenance (e.g. detection of wrong input data via
plausibility checks);
— measures against modification (e.g. password protection to prevent access to the program by
unauthorized persons).

12 Validation of technical documentation and information for use

The validation process shall demonstrate that the requirements for technical documentation specified
in ISO 13849-1:2006, Clause 10, and for information for use specified in ISO 13849-1:2006, Clause 11,
have been implemented.

20
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Annex A
(informative)

Validation tools for mechanical systems

When mechanical systems are used in conjunction with other technologies, Annex A should also be
taken into account.
Tables A.1 and A.2 list basic and well-tried safety principles.
Table A.3 lists well-tried components for a safety-related application based on the application of
well‑tried safety principles and/or a standard for their particular applications. A well-tried component
for some applications could be inappropriate for others.
Tables A.4 and A.5 list fault exclusions and their rationale. For further exclusions, see 4.4.
The precise instant at which the fault occurs can be critical (see 9.1).

Table A.1 — Basic safety principles

Basic safety principle Remarks

Use of suitable materials and adequate manufac- Selection of material, manufacturing methods and treat-
turing ment in relation to, e.g. stress, durability, elasticity, fric-
tion, wear, corrosion, temperature.
Correct dimensioning and shaping Consider, e.g. stress, strain, fatigue, surface roughness,
tolerances, sticking, manufacturing.
Proper selection, combination, arrangements, Apply manufacturer’s application notes, e.g. catalogue
assembly and installation of components/system sheets, installation instructions, specifications, and use of
good engineering practice in similar components/systems.
Use of de-energization principle The safe state is obtained by a release of energy. See pri-
mary action for stopping in ISO 12100:2010, 6.2.11.3.
Energy is supplied for starting the movement of a mecha-
nism. See primary action for starting in ISO 12100:2010,
6.2.11.3.
Consider different modes, e.g. operation mode, mainte-
nance mode.
IMPORTANT — This principle is not to be followed
when loss of energy would create a hazard, e.g. release
of workpiece caused by loss of clamping force.
Proper fastening For the application of screw locking, consider manufac-
turer’s application notes.
Overloading can be avoided and adequate resistance to
release can be achieved by applying adequate torque load-
ing technology.
Limitation of the generation and/or transmission Examples are break pin, break plate, and torque-limiting
of force and similar parameters clutch.
IMPORTANT — This principle is not to be followed
when the continued integrity of components is essen-
tial to maintain the required level of control.
Limitation of range of environmental parameters Examples are temperature, humidity and pollution at the
installation place. See Clause 10 and consider manufac-
turer’s application notes.

21
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table A.1 (continued)

Basic safety principle Remarks
Limitation of speed and similar parameters Consider, e.g. the speed, acceleration, deceleration
required by the application.
Proper reaction time Consider, e.g. spring tiredness, friction, lubrication, tem-
perature, inertia during acceleration and deceleration,
combination of tolerances.
Protection against unexpected start-up Consider unexpected start-up caused by stored energy and
after power supply restoration for different modes (opera-
tion mode, maintenance mode, etc.).
Special equipment for release of stored energy can be
necessary.
Special applications, e.g. to keep energy for clamping
devices or ensure a position, need to be considered sepa-
rately.
Simplification Avoid unnecessary components in the safety-related sys-
tem.
Separation Separation of safety-related functions from other func-
tions.
Proper lubrication Consider the need for lubrication devices, information on
lubricants and lubrication intervals.
Proper prevention of the ingress of fluids and dust Consider IP rating (see IEC 60529).

Table A.2 — Well-tried safety principles

Well-tried safety principle Remarks

Use of carefully selected materials and manufac- Selection of suitable material, adequate manufacturing
turing methods and treatments related to the application.
Use of components with oriented failure mode The predominant failure mode of a component is known
in advance and is always the same. See ISO 12100:2010,
6.2.12.3.
Overdimensioning/safety factor Safety factors are as given in standards or by good experi-
ence in safety-related applications.
Safe position The moving part of the component is held in a safe posi-
tion, by mechanical means (friction alone is not sufficient).
Force is required to move from the safe position.
Increased OFF force A safe position/state is obtained by an increased OFF force
in relation to the ON force.
Careful selection, combination, arrangement, —
assembly and installation of components/system
related to the application
Careful selection of fastening related to the appli- Avoid relying only on friction.
cation
Positive mechanical action To achieve positive mechanical action, all moving mechani-
cal components required to perform the safety function
shall inevitably move connected components, e.g. a cam
directly opens the contacts of an electrical switch rather
than relying on a spring. See ISO 12100:2010, 6.2.5.
Multiple parts Reducing the effect of faults by providing multiple parts
acting in parallel, e.g. where a failure of one of several
springs does not lead to a dangerous condition.

22
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table A.2 (continued)

Well-tried safety principle Remarks
Use of well-tried spring (see also Table A.3) A well-tried spring requires
— use of carefully selected materials, manufacturing meth-
ods (e.g. pre-setting and cycling before use) and treatments
(e.g. rolling and shot-peening),
— sufficient guidance of the spring, and
— sufficient safety factor for fatigue stress (i.e. with a high
probability that a fracture will not occur).
Well-tried compression coil springs may also be designed, by
— use of carefully selected materials, manufacturing meth-
ods (e.g. pre-setting and cycling before use) and treatments
(e.g. rolling and shot-peening),
— sufficient guidance of the spring,
— clearance between the turns less than the wire diameter
when unloaded, and
— sufficient force after a fracture(s) is maintained (i.e. a
fracture(s) will not lead to a dangerous condition).
NOTE Compression springs are preferred.
Limited range of force and similar parameters Determine the necessary limitation in relation to the
experience and application. Examples are break pin, break
plate, and torque-limiting clutch.
IMPORTANT — This principle is not to be followed
when the continued integrity of components is essen-
tial to maintaining the required level of control.
Limited range of speed and similar parameters Determine the necessary limitation in relation to the expe-
rience and application. Examples are centrifugal governor,
safe monitoring of speed, and limited displacement.
Limited range of environmental parameters Determine the necessary limitations. Examples are
temperature, humidity, pollution at the installation. See
Clause 10 and consider manufacturer’s application notes.
Limited range of reaction time, limited hysteresis Determine the necessary limitations.
Consider, e.g. spring tiredness, friction, lubrication, tem-
perature, inertia during acceleration and deceleration,
combination of tolerances.

Table A.3 — Well-tried components

Well-tried
Conditions for “well-tried” Standard or specification
component
Screw All factors influencing the screw connection Mechanical jointing such as screws, nuts,
and the application are to be considered. See washers, rivets, pins, bolts, etc. is stand-
Table A.2. ardized.
Spring See Table A.2, “Use of well-tried spring”. Technical specifications for spring steels
and other special applications are given in
ISO 4960.

23
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table A.3 (continued)

Well-tried
Conditions for “well-tried” Standard or specification
component
Cam All factors influencing the cam arrangement (e.g. See ISO 14119 (interlocking devices).
part of an interlocking device) are to be consid-
ered.
See Table A.2.
Break-pin All factors influencing the application are to be —
considered. See Table A.2.

Table A.4 — Faults and fault exclusions — Mechanical devices, components and elements
(e.g. cam, follower, chain, clutch, brake, shaft, screw, pin, guide, bearing)

Fault considered Fault exclusion Remarks

Wear/corrosion Yes, in the case of carefully selected material, (over)dimen- See ISO 13849-1:2006, 7.3.
sioning, manufacturing process, treatment and proper
lubrication, according to the specified lifetime (see also
Table A.2).
Untightening/ loos- Yes, in the case of carefully selected material, manufactur-
ening ing process, locking means and treatment, according to the
specified lifetime (see also Table A.2).
Fracture Yes, in the case of carefully selected material, (over)dimen-
sioning, manufacturing process, treatment and proper
lubrication, according to the specified lifetime (see also
Table A.2).
Deformation by Yes, in the case of carefully selected material, (over)dimen-
overstressing sioning, treatment and manufacturing process, according
to specified lifetime (see also Table A.2).
Stiffness/sticking Yes, in the case of carefully selected material, (over)
dimensioning, manufacturing process, treatment and
proper lubrication, according to specified lifetime (see also
Table A.2).

Table A.5 — Faults and fault exclusions — Pressure-coil springs

Fault considered Fault exclusion Remarks

Wear/corrosion Yes, in case of use of well-tried springs See ISO 13849-1:2006, 7.3.
and carefully selected fastenings (see
Force reduction by setting and frac-
Table A.2).
ture
Fracture
Stiffness/sticking
Loosening
Deformation by overstressing

24
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Annex B
(informative)

Validation tools for pneumatic systems

When pneumatic systems are used in conjunction with other technologies, Annex B should also be taken
into account. Where pneumatic components are electrically connected/controlled, the appropriate fault
lists in Annex D should be considered.
NOTE Additional requirements can exist in national legislation.

Tables B.1 and B.2 list basic and well-tried safety principles.
A list of well-tried components is not given in Annex B of this edition. The status of “well-tried” is
mainly application‑specific. Components can be described as “well-tried” if they are in accordance with
ISO 13849-1:2006, 6.2.2 and ISO 4414:2010, Clauses 5 to 7. A well-tried component for some applications
could be inappropriate for other applications.
Tables B.3 to B.18 list fault exclusions and their rationale. For further exclusions, see 4.4.
The precise instant at which the fault occurs can be critical (see 9.1).

Table B.1 — Basic safety principles

Basic safety principle Remarks

Use of suitable materials and adequate Selection of material, manufacturing methods and treatment in
manufacturing relation to, e.g. stress, durability, elasticity, friction, wear, corro-
sion, temperature.
Correct dimensioning and shaping Consider, e.g. stress, strain, fatigue, surface roughness, toler-
ances, and manufacturing.
Proper selection, combination, arrangement, Apply manufacturer’s application notes, e.g. catalogue sheets,
assembly and installation of components/ installation instructions, specifications and use of good engineer-
system ing practice in similar components/systems.
Use of de-energization principle The safe state is obtained by release of energy to all relevant
devices. See primary action for stopping in ISO 12100:2010,
6.2.11.3.
Energy is supplied for starting the movement of a mechanism.
See primary action for starting in ISO 12100:2010, 6.2.11.3.
Consider different modes, e.g. operation mode, maintenance
mode.
This principle shall not be used in some applications, e.g. where
the loss of pneumatic pressure will create an additional hazard.
Proper fastening For the application of, e.g. screw locking, fittings, gluing or clamp
ring, consider manufacturer’s application notes.
Overloading can be avoided by applying adequate torque loading
technology.
Pressure limitation Examples are pressure-relief valve, pressure-reducing/control
valve.
Speed limitation/ speed reduction An example is the speed limitation placed on a piston by a flow
valve or throttle.
Sufficient avoidance of contamination of the Consider filtration and separation of solid particles and water in
fluid the fluid.

25
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.1 (continued)

Basic safety principle Remarks
Proper range of switching time Consider, e.g. the length of pipework, pressure, exhaust capacity,
force, spring tiredness, friction, lubrication, temperature, inertia
during acceleration and deceleration, and combination of toler-
ances.
Withstanding environmental conditions Design the equipment so that it is capable of working in all
expected environments and in any foreseeable adverse con-
ditions, e.g. temperature, humidity, vibration, pollution. See
Clause 10 and consider manufacturer’s specification/application
notes.
Protection against unexpected start-up Consider unexpected start-up caused by stored energy and after
power supply restoration for different modes, e.g. operation
mode, maintenance mode.
Special equipment for the release of stored energy can be neces-
sary (see ISO 14118:2000, 5.3.1.3).
Special applications (e.g. to keep energy for clamping devices or
ensure a position) need to be considered separately.
Simplification Avoid unnecessary components in the safety-related system.
Proper temperature range To be considered throughout the whole system.
Separation Separation of the safety-related functions from other functions
(e.g. logical separation).

Table B.2 — Well-tried safety principles

Well-tried safety principle Remarks

Overdimensioning/safety factor Safety factors are as given in standards or by good experience in
safety-related applications.
Safe position The moving part of the component is held in one of the possible
positions by mechanical means (friction only is not enough).
Force is needed to change the position.
Increased OFF force One solution can be that the area ratio for moving a valve spool
to the safe position (OFF position) is significantly larger than for
moving the spool to ON position (a safety factor).
Valve closed by load pressure These are generally seat valves, e.g. poppet valves, ball valves.
Consider how to apply the load pressure in order to keep the
valve closed even if, for example, the spring closing the valve
breaks.
Positive mechanical action The positive mechanical action is used for moving parts inside
pneumatic components. See also Table A.2.
Multiple parts See Table A.2.
Use of well-tried spring See Table A.2.
Speed limitation/speed reduction by resist- Examples are fixed orifices and fixed throttles.
ance to defined flow
Force limitation/force reduction This can be achieved by a well-tried pressure relief valve which
is, e.g. equipped with a well-tried spring, correctly dimensioned
and selected.
Appropriate range of working conditions The limitation of working conditions, e.g. pressure range, flow
rate and temperature range, should be considered.
Proper avoidance of contamination of the Consider the need for a high degree of filtration and separation of
fluid solid particles and water in the fluid.

26
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.2 (continued)

Well-tried safety principle Remarks
Sufficient positive overlapping in spool The positive overlapping ensures the stopping function and pre-
valves vents movements that are not allowed.
Limited hysteresis For example, increased friction or a combination of tolerances
will increase the hysteresis.

Table B.3 — Faults and fault exclusions — Directional control valves

Fault considered Fault exclusion Remarks

Change of switching times Yes, in the case of positive mechanical —
action (see Table A.2) of the moving
components, as long as the actuating
force is sufficiently large.
Non-switching (sticking at the end Yes, in the case of positive mechanical
or zero position) or incomplete action (see Table A.2) of the moving
switching (sticking at a random components, as long as the actuating
intermediate position) force is sufficiently large.
Spontaneous change of the initial Yes, in the case of positive mechanical Normal installation and operating
switching position (without an action (see Table A.2) of the moving conditions apply when
input signal) components, as long as the holding
— the conditions laid down by the
force is sufficiently large, or if well-
manufacturer have been taken
tried springs are used (see Table A.2)
into account,
and normal installation and operating
conditions apply (see remark), or in the — the weight of the moving com-
case of spool valves with elastic sealing ponent is not acting unfavourably
and if normal installation and operat- in terms of safety
ing conditions apply (see remark). (e.g. horizontal installation),
— there are no inertia forces act-
ing adversely on moving compo-
nents (e.g. direction of valve com-
ponent motion takes into account
magnitude and direction of inertia
forces), and
— no extreme vibration and shock
stresses occur.
Leakage Yes, in the case of spool-type valves 1) In the case of spool-type valves
with elastic seal, in so far as a suffi- with elastic seal, the effects due to
cient positive overlap is present [see leakage can usually be excluded.
remark 1)], normal conditions of opera- However, a small amount of leak-
tion apply, and an adequate treatment age can occur over a long period
and filtration of the compressed air is of time.
provided; or, in the case of seat valves,
2) Normal conditions of operation
if normal conditions of operation apply
apply when the conditions laid
[see remark 2)], and adequate treat-
down by the manufacturer are
ment and filtration of the compressed
taken into account.
air is provided.
If the control functions are realized by a number of single-function valves, then a fault analysis should be car-
ried out for each valve. The same procedure should be carried out in the case of piloted valves.

27
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.3 (continued)

Fault considered Fault exclusion Remarks
Change in the leakage flow rate None. —
over a long period of use
Bursting of the valve hous- Yes, if construction, dimensioning and
ing or breakage of the moving installation are in accordance with
component(s) as well as breakage/ good engineering practice.
fracture of the mounting or hous-
ing screws
For servo and proportional valves: Yes, in the case of servo and propor- —
pneumatic faults which cause tional directional valves, if these can
uncontrolled behaviour be assessed in terms of technical safety
as conventional directional control
valves, owing to their design and con-
struction.
If the control functions are realized by a number of single-function valves, then a fault analysis should be car-
ried out for each valve. The same procedure should be carried out in the case of piloted valves.

Table B.4 — Faults and fault exclusions — Stop (shut-off) valves/non-return (check)
valves/quick‑action venting valves/shuttle valves, etc.

Fault considered Fault exclusion Remarks

Change of switching times None. —
Non-opening, incomplete opening, Yes, if the guidance system for the For a non-controlled ball seat
non-closure or incomplete closure moving component(s) is designed in valve without a damping system,
(sticking at an end position or at a manner similar to that for a non- the guidance system is generally
an arbitrary intermediate posi- controlled ball seat valve without a designed such that any sticking of
tion) damping system (see remark) and the moving component is unlikely.
if well-tried springs are used (see
Table A.2).
Spontaneous change of the initial Yes, for normal installation and operat- Normal installation and operating
switching position (without an ing conditions (see remark) and if there conditions are met when
input signal) is sufficient closing force on the basis
— the conditions laid down by the
of the pressures and areas provided.
manufacturer are being followed,
— no special inertial forces affect
the moving components, e.g. direc-
tion of motion takes into account
the orientation of the moving
machine parts, and
— no extreme vibration or shock
stresses occur.
For shuttle valves: simultaneous Yes, if, on the basis of the construction —
closing of both input connections and design of the moving component,
simultaneous closing is unlikely.
Leakage Yes, if normal conditions of opera- Normal conditions of operation
tion apply (see remark) and there is apply when the conditions laid
adequate treatment and filtration of down by the manufacturer are
the compressed air. taken into account.

28
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.4 (continued)

Fault considered Fault exclusion Remarks
Change in the leakage flow rate None. —
over a long period of use
Bursting of the valve hous- Yes, if construction, dimensioning and
ing or breakage of the moving installation are in accordance with
component(s) as well as breakage/ good engineering practice.
fracture of the mounting or hous-
ing screws

Table B.5 — Faults and fault exclusions — Flow valves

Fault considered Fault exclusion Remarks

Change in flow rate without any Yes, for flow control valves without 1) The setting device is not consid-
change in setting device moving parts [see remark 1)], e.g. ered to be a moving part. Changes
throttle valves, if normal operating in flow rate due to changes in
conditions apply [see remark 2)], and pressure differences are physi-
adequate treatment and filtration of cally limited in this type of valve
the compressed air is provided. and are not covered by this
assumed fault.
Change in the flow rate in the case Yes, if the diameter is ≥ 0,8 mm, nor-
of non-adjustable, circular orifices mal operating conditions apply [see 2) Normal operating conditions
and nozzles remark 2)], and if adequate treatment apply when the conditions laid
and filtration of the compressed air is down by the manufacturer are
provided. taken into account.
For proportional flow valves: None. —
change in the flow rate due to an
unintended change in the set value
Spontaneous change in the setting Yes, where there is an effective protec-
device tion of the setting device adapted to
the particular case, based upon techni-
cal safety specification(s).
Unintended loosening (unscrew- Yes, if an effective positive locking
ing) of the operating element(s) of device against loosening (unscrewing)
the setting device is provided.
Bursting of the valve hous- Yes, if construction, dimensioning and
ing or breakage of the moving installation are in accordance with
component(s) as well as the break- good engineering practice.
age/fracture of the mounting or
housing screws

29
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.6 — Faults and fault exclusions — Pressure valves

Fault considered Fault exclusion Remarks

Non-opening or insufficient Yes, if 1) This fault applies only when
opening when exceeding the set the pressure valve(s) is used for
— the guidance system for the moving
pressure (sticking or sluggish forced actions, e.g. clamping.
component(s) is similar to the case of
movement of the moving compo-
a non-controlled ball seat or mem- This fault does not apply to its
nent) [see remark 1)]
brane valve [see remark 2)], e.g. for a normal function in the pneumatic
Non-closing or insufficient closing pressure-reducing valve with second- systems, e.g. pressure limitation,
if pressure drops below the set ary pressure relief, and pressure decrease.
value (sticking or sluggish move-
ment of the moving component) — the installed springs are well-tried 2) For a non-controlled ball seat
[see remark 1)] springs (see Table A.2). valve or for a membrane valve,
the guidance system is generally
Change of the pressure control Yes, for directly actuated pressure- designed such that any sticking of
behaviour without changing the limiting valves and pressure-switching the moving component is unlikely.
setting device [see remark 1)] valves if the installed spring(s) are
well-tried (see Table A.2).
For proportional pressure valves: None.
change in the pressure control
behaviour due to unintended
change in the set value [see
remark 1)]
Spontaneous change in the setting Yes, where there is effective protec- —
device tion of the setting device within the
requirements of the application, e.g.
lead seals.
Unintended unscrewing of the Yes, if an effective positive locking
operating element of the setting device against unscrewing is provided.
device
Leakage Yes, for seat valves, membrane valves Normal operating conditions are
and spool valves with elastic sealing met when the conditions laid
in normal operating conditions (see down by the manufacturer are
remark) and if adequate treatment followed.
and filtration of the compressed air is
provided.
Change of the leakage flow rate, None. —
over a long period of use
Bursting of the valve hous- Yes, if construction, dimensioning and
ing or breakage of the moving installation are in accordance with
component(s) as well as breakage/ good engineering practice.
fracture of the mounting or hous-
ing screws

30
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.7 — Faults and fault exclusions — Pipework

Fault considered Fault exclusion Remarks

Bursting and leakage Yes, if the dimensioning, choice of materials When using plastic pipes, it is
and fixing are in accordance with good engi- necessary to consider the manu-
neering practice (see remark). facturer’s data, in particular with
respect to operational environ-
mental influences, e.g. thermal
influences, chemical influences or
influences due to radiation. When
using steel pipes that have not been
treated with a corrosion-resistant
medium, it is particularly important
to provide sufficient drying of the
compressed air.
Failure at the connector Yes, if using bite-type fittings or threaded —
(e.g. tearing off, leakage) pipes (i.e. steel fittings, steel pipes) and if
dimensioning, choice of materials, manufac-
ture, configuration and fixing are in accord-
ance with good engineering practice.
Clogging (blockage) Yes, for pipework in the power circuit.
Yes, for the control and measurement pipe-
work if the nominal diameter is ≥ 2 mm.
Kinking of plastic pipes Yes, if properly protected and installed, taking
with a small nominal into account the relevant manufacturer’s data,
diameter e.g. minimum bending radius.

Table B.8 — Faults and fault exclusions — Hose assemblies

Fault considered Fault exclusion Remarks

Bursting, tearing off at Yes, if hose assemblies use hoses manufac- Fault exclusion is not considered
the fitting attachment and tured to ISO 4079-1 or similar hoses (see when
leakage remark) with the corresponding hose fittings.
— the intended lifetime is expired,
— fatigue behaviour of reinforce-
ment can occur,
— external damage is unavoidable.
Clogging (blockage) Yes, for hose assemblies in the power circuit, —
and, in the case of the control and measure-
ment hose assemblies, if the nominal diameter
is ≥ 2 mm.

31
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.9 — Faults and fault exclusions — Connectors

Fault considered Fault exclusion Remarks
Bursting, breaking of Yes, if dimensioning, choice of material, manu- —
screws or stripping of facture, configuration and connection to the
threads piping and/or to the pipe/hose fittings are in
accordance with good engineering practice.
Leakage (loss of airtight- None. Due to wear, ageing, deterioration
ness) of elasticity, etc. it is not possible to
exclude faults over a long period. A
sudden major failure of the airtight-
ness is not assumed.
Clogging (blockage) Yes, for applications in the power circuit and, —
in the case of control and measurement con-
nectors, if the nominal diameter is ≥ 2 mm.

Table B.10 — Faults and fault exclusions — Pressure transmitters and pressure medium
transducers

Fault considered Fault exclusion Remarks

Loss or change of air/ None. —
oil‑tightness of pressure
chambers
Bursting of the pressure Yes, if dimensioning, choice of material, con-
chambers as well as frac- figuration and attachment are in accordance
ture of the attachment or with good engineering practice.
cover screws

Table B.11 — Faults and fault exclusions — Compressed air treatment — Filters

Fault considered Fault exclusion Remarks

Blockage of the filter ele- None. —
ment
Rupture or partial rup- Yes, if the filter element is sufficiently resist-
ture of the filter element ant to pressure.
Failure of the filter condi- None.
tion indicator or monitor
Bursting of the filter Yes, if dimensioning, choice of material,
housing or fracture of arrangement in the system and fixing are in
the cover or connecting accordance with good engineering practice.
elements

32
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.12 — Faults and fault exclusions — Compressed-air treatment — Oilers

Fault considered Fault exclusion Remarks

Change in the set value None. —
(oil volume per unit time)
without change to the set-
ting device
Spontaneous change in Yes, if effective protection of the setting device
the setting device is provided, adapted to the particular case.
Unintended unscrewing Yes, if an effective positive locking device
of the operating element against unscrewing is provided.
of the setting device
Bursting of the housing Yes, if the dimensioning, choice of materials,
or fracture of the cover, arrangement in the system and fixing are in
fixing or connecting ele- accordance with good engineering practice.
ments.

Table B.13 — Faults and fault exclusions — Compressed air treatment — Silencers
Fault considered Fault exclusion Remarks
Blockage (clogging) of the Yes, if the design and construction of the Clogging of the silencer element
silencer silencer element fulfils the remark. and/or an increase in the exhaust
air back-pressure above a certain
critical value is unlikely if the
silencer has a suitably large diam-
eter and is designed to meet the
operating conditions.

Table B.14 — Faults and fault exclusions — Accumulators and pressure vessels
Fault considered Fault exclusion Remarks
Fracture/bursting of the Yes, if construction, choice of equipment, —
accumulator/pressure choice of materials and arrangement in the
vessel or connectors or system are in accordance with good engineer-
stripping of the threads of ing practice.
the fixing screws

Table B.15 — Faults and fault exclusions — Sensors

Fault considered Fault exclusion Remarks
Faulty sensor (see None. Sensors in this table include signal
remark) capture, processing and output, in
particular for pressure, flow rate,
temperature, etc.
Change of the detection or None. —
output characteristics

33
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table B.16 — Faults and fault exclusions — Information processing — Logical elements
Fault considered Fault exclusion Remarks
Faulty logical element For corresponding fault assumptions and fault —
(e.g. AND element, OR exclusions, see Tables B.3, B.4 and B.5 and the
element, logic-storage- relevant related components.
element) due to, e.g.
change in the switching
time, failing to switch or
incomplete switching

Table B.17 — Faults and fault exclusions — Information processing — Time-delay devices
Fault considered Fault exclusion Remarks
Faulty time-delay device, Yes, for time-delay devices without moving Normal operating conditions are
e.g. pneumatic and pneu- components, e.g. fixed resistance, if normal met when the conditions laid down
matic/mechanical time operating conditions (see remark) apply and by the manufacturer are followed.
and counting elements adequate treatment and filtration of the com-
pressed air is provided.
Change of detection or
output characteristics
Bursting of the housing Yes, if construction, dimensioning and instal- —
or fracture of the cover or lation are in accordance with good engineer-
fixing elements ing practice.

Table B.18 — Faults and fault exclusions — Information processing — Converters

Fault considered Fault exclusion Remarks

Faulty converter [see Yes, for converters without moving compo- 1) This covers, for example, the
remark 1)] nents, e.g. reflex nozzle, if normal operating conversion of a pneumatic signal
conditions apply [see remark 2)] and adequate into an electrical one, the position
Change of the detection or
treatment and filtration of the compressed air detection (cylinder switch, reflex
output characteristics
is provided. nozzle), the amplification of pneu-
matic signals.
2) Normal operating conditions are
met when the conditions laid down
by the manufacturer are followed.
Bursting of the housing Yes, if construction, dimensioning and instal- —
or fracture of the cover or lation are in accordance with good engineer-
fixing elements ing practice.

34
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Annex C
(informative)

Validation tools for hydraulic systems

When hydraulic systems are used in conjunction with other technologies, Annex C should also be taken
into account. Where hydraulic components are electrically connected/controlled, the appropriate fault
lists in Annex D should be considered.
NOTE Additional requirements can exist in national legislation.

Tables C.1 and C.2 list basic and well-tried safety principles. Air bubbles and cavitation in the hydraulic
fluid should be avoided because they can create additional hazards, e.g. unintended movements.
A list of well-tried components is not given in Annex C of this edition. The status of “well-tried” is
mainly application‑specific. Components can be described as “well-tried” if they are in accordance with
ISO 13849-1:2006, 6.2.2 and ISO 4414:2010, Clauses 5 to 7. A well-tried component for some applications
could be inappropriate for other applications.
Tables C.3 to C.12 list fault exclusions and their rationale. For further exclusions, see 4.4.
The precise instant at which the fault occurs can be critical (see 9.1).

Table C.1 — Basic safety principles

Basic safety principle Remarks

Use of suitable materials and adequate Selection of material, manufacturing methods and treatment in
manufacturing relation to e.g. stress, durability, elasticity, friction, wear, corro-
sion, temperature, hydraulic fluid.
Correct dimensioning and shaping Consider, e.g. stress, strain, fatigue, surface roughness, toler-
ances, manufacturing.
Proper selection, combination, arrange- Apply manufacturer’s application notes, e.g. catalogue sheets,
ments, assembly and installation of compo- installation instructions, specifications, and use of good engi-
nents/system neering practice in similar components/systems.
Use of de-energization principle The safe state is obtained by release of energy to all relevant
devices. See primary action for stopping in ISO 12100:2010,
6.2.11.3.
Energy is supplied for starting the movement of a mechanism.
See primary action for starting in ISO 12100:2010, 6.2.11.3.
Consider different modes, e.g. operation mode, maintenance
mode.
This principle shall not be used in some applications, e.g. where
the loss of hydraulic pressure will create an additional hazard.
Proper fastening For the application of e.g. screw locking, fittings, gluing, clamp
ring, consider manufacturers application notes.
Overloading can be avoided by applying adequate torque loading
technology.
Pressure limitation Examples are pressure-relief valve, pressure-reducing/control
valve.
Speed limitation/speed reduction An example is the speed limitation of a piston by a flow valve or a
throttle.

35
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.1 (continued)

Basic safety principle Remarks
Sufficient avoidance of contamination of the Consider filtration/separation of solid particles/water in the
fluid fluid.
Consider also an indication of the need for a filter service.
Proper range of switching time Consider, e.g. the length of pipework, pressure, evacuation relief
capacity, spring tiredness, friction, lubrication, temperature/vis-
cosity, inertia during acceleration and deceleration, combination
of tolerances.
Withstanding environmental conditions Design the equipment so that it is capable of working in all
expected environments and in any foreseeable adverse con-
ditions, e.g. temperature, humidity, vibration, pollution. See
Clause 10 and consider the manufacturer’s specification and
application notes.
Protection against unexpected start-up Consider unexpected start-up caused by stored energy and after
power supply restoration for different modes, e.g. operation
mode, maintenance mode.
Special equipment for release of stored energy may be necessary.
Special applications (e.g. to keep energy for clamping devices or
ensure a position) need to be considered separately.
Simplification Avoid unnecessary components in the safety-related system.
Proper temperature range To be considered throughout the whole system.
Separation Separation of safety-related functions from other functions.

36
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.2 — Well-tried safety principles

Well-tried safety principle Remarks
Overdimensioning/safety factor Safety factors are as given in standards or by good experience in
safety-related applications.
Safe position The moving part of the component is held in one of the possible posi-
tions by mechanical means (friction only is not enough). Force is
needed to change the position.
Increased OFF force One solution can be that the area ratio for moving a valve spool to the
safe position (OFF position) is significantly larger than for moving the
spool to the ON position (a safety factor).
Valve closed by load pressure Examples are seat and cartridge valves.
Consider how to apply the load pressure in order to keep the valve
closed even if, e.g. the spring closing the valve breaks.
Positive mechanical action The positive mechanical action is used for moving parts inside hydrau-
lic components. See also Table A.2.
Multiple parts See Table A.2.
Use of well-tried spring See Table A.2.
Speed limitation/speed reduction by Examples are fixed orifices and fixed throttles.
resistance to defined flow
Force limitation/force reduction This can be achieved by a well-tried pressure-relief valve which is, e.g.
equipped with a well-tried spring, correctly dimensioned and selected.
Appropriate range of working condi- The limitation of working conditions, e.g. pressure range, flow rate
tions and temperature range, should be considered.
Monitoring of the condition of the fluid Consider a high degree of filtration/separation of solid particles/water
in the fluid. Consider also the chemical/physical conditions of the fluid.
Consider an indication of the need for a filter service.
Sufficient positive overlapping in pis- The positive overlapping ensures the stopping function and prevents
ton valves non-permitted movements.
Limited hysteresis For example increased friction will increase the hysteresis. A combina-
tion of tolerances will also influence the hysteresis.

37
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.3 — Faults and fault exclusions — Directional control valves

Fault considered Fault exclusion Remarks

Change of switching times Yes, in the case of positive mechanical action 1) A special type of cartridge seat
(see Table A.2) of the moving components as valve is obtained if
long as the actuating force is sufficiently large;
— the active area for initiating the
or, in respect of the non-opening of a special
safety-related switching movement
type of cartridge seat valve, when used with at
is at least 90 % of the total area of
least one other valve, to control the main flow
the moving component (poppet),
of the fluid [see remark 1)].
Non-switching (sticking Yes, in the case of positive mechanical action — the effective control pressure on
at an end or zero position) (see Table A.2) of the moving components as the active area can be increased up
or incomplete switch- long as the actuating force is sufficiently large; to the maximum working pressure
ing (sticking at a random or, in respect of the non-opening of a special (in accordance with ISO 5598:2008,
intermediate position) type of cartridge seat valve, when used with at 3.2.429) in line with the behaviour
least one other valve, to control the main flow of the seat valve in question,
of the fluid [see remark 1)]. — the effective control pressure on
the area opposite the active area of
the moving component is vented to
a very low value compared with the
maximum operating pressure, e.g.
return pressure in case of pressure
dump valves or supply pressure in
case of suction/fill valves,
— the moving component (poppet)
is provided with peripheral balanc-
ing grooves, and
— the pilot valve(s) to this seat
valve is designed together in a
manifold block (i.e. without hose
assemblies and pipes for the con-
nection of these valves).
Spontaneous change of Yes, in the case of positive mechanical action 2) Normal installation and operat-
the initial switching posi- (see Table A.2) of the moving components as ing conditions apply when
tion (without an input long as the holding force is sufficiently large;
— the conditions laid down by
signal) or if well-tried springs are used (see Table A.2)
the manufacturer are taken into
and normal installation and operating condi-
account,
tions apply [see remark 2)]; or, in respect of
the non-opening of a special type of cartridge — the weight of the moving com-
seat valve, when used with at least one other ponent does not act in an unfavour-
valve, to control the main flow of the fluid able sense in terms of safety, e.g.
[see remark 1)] and if normal installation and horizontal installation,
operating conditions apply [see remark 2)].
— no special inertial forces affect
the moving components, e.g. direc-
tion of motion takes into account
the orientation of the moving
machine parts, and
— no extreme vibration and shock
stresses occur.
Leakage Yes, in the case of seat valves, if normal instal- Normal installation and operating
lation and operating conditions apply (see conditions apply when the condi-
remark) and an adequate filtration system is tions laid down by the manufac-
provided. turer are taken into account.
If the control functions are realized by a number of single-function valves, then a fault analysis should be car-
ried out for each valve. The same procedure should be carried out in the case of piloted valves.

38
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.3 (continued)

Fault considered Fault exclusion Remarks
Change in the leakage None. —
flow rate over a long
period of use
Bursting of the valve Yes, if construction, dimensioning and instal-
housing or breakage of lation are in accordance with good engineer-
the moving component(s) ing practice.
as well as breakage/frac-
ture of the mounting or
housing screws
For servo and propor- Yes, in the case of servo and proportional
tional valves: hydraulic directional valves, if these can be assessed in
faults which cause uncon- terms of safety as conventional directional
trolled behaviour control valves, owing to their design and con-
struction.
If the control functions are realized by a number of single-function valves, then a fault analysis should be car-
ried out for each valve. The same procedure should be carried out in the case of piloted valves.

Table C.4 — Faults and fault exclusions — Stop (shut–off) valves/non-return (check)
valves/shuttle valves, etc.

Fault considered Fault exclusion Remarks

Change of switching times None. —
Non-opening, incomplete Yes, if the guidance system for the moving For a non-controlled ball seat valve
opening, non-closure or component(s) is designed in a manner similar without damping system, the guid-
incomplete closure (stick- to that for a non-controlled ball seat valve ance system is generally designed
ing at an end position or without a damping system (see remark) and if in such a manner that any stick-
at an arbitrary intermedi- well-tried springs are used (see Table A.2). ing of the moving component is
ate position) unlikely.
Spontaneous change of Yes, for normal installation and operating con- Normal installation and operating
the initial switching posi- ditions (see remark) and if there is sufficient conditions are met when
tion (without an input closing force on the basis of the pressures and
— the conditions laid down by the
signal) areas provided.
manufacturer are followed and
— no special inertial forces affect
the moving components, e.g. direc-
tion of motion takes into account
the orientation of the moving
machine parts, and
— no extreme vibration or shock
stresses occur.
For shuttle valves: simul- Yes, if, on the basis of the construction and —
taneous closing of both design of the moving component, this simulta-
input connections neous closing is unlikely.
Leakage Yes, if normal conditions of operation apply Normal conditions of operation
(see remark) and an adequate filtration sys- apply when the conditions laid
tem is provided. down by the manufacturer are
taken into account.

39
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.4 (continued)

Fault considered Fault exclusion Remarks
Change in the leakage None. —
flow rate over a long
period of use
Bursting of the valve Yes, if construction, dimensioning and instal-
housing or breakage of lation are in accordance with good engineer-
the moving component(s) ing practice.
as well as breakage/frac-
ture of the mounting or
housing screws

Table C.5 — Faults and fault exclusions — Flow valves

Fault considered Fault exclusion Remarks

Change in the flow rate Yes, in the case of flow valves without mov- 1) The setting device is not consid-
without change in the set- ing parts [see remark 1)], e.g. throttle valves, ered to be a moving part. Changes
ting device if normal operating conditions apply [see in flow rate due to changes in the
remark 2)] and an adequate filtration system pressure differences and viscosity
is provided [see remark 3)]. are physically limited in this type
of valve and are not covered by this
Change in the flow rate in Yes, if the diameter is > 0,8 mm, normal oper-
assumed fault.
the case of non-adjusta- ating conditions apply [see remark 2)] and an
ble, circular orifices and adequate filtration system is provided. 2) Normal operating conditions are
nozzles met when the conditions laid down
by the manufacturer are followed.
3) Where a non-return valve is inte-
grated into the flow valve, then, in
addition, the fault assumptions for
non-return valves have to be taken
into account.
For proportional flow None. —
valves: change in the flow
rate due to an unintended
change in the set value
Spontaneous change in Yes, where there is an effective protection
the setting device of the setting device adapted to the par-
ticular case, based upon technical safety
specification(s).
Unintended loosening Yes, if an effective positive locking device
(unscrewing) of the oper- against loosening (unscrewing) is provided.
ating element(s) of the
setting device
Bursting of the valve Yes, if construction, dimensioning and instal-
housing or breakage of lation are in accordance with good engineer-
the moving component(s) ing practice.
as well as the breakage/
fracture of the mounting
or housing screws

40
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.6 — Faults and fault exclusions — Pressure valves

Fault considered Fault exclusion Remarks

Non-opening or insuf- Yes, in respect of the non-opening of a special 1) This fault applies only when the
ficient opening (spatially type of cartridge seat valve, when used with pressure valve(s) is (are) used for
and temporarily) when at least one other valve, to control the main forced actions, e.g. clamping, and
exceeding the set pres- flow of the fluid [see remark 1)] of Table C.3); for the control of hazardous move-
sure (sticking or slug- or if the guidance system for the moving ment, e.g. suspension of loads. This
gish movement of the component(s) is similar to the case of a non- fault does not apply to its normal
moving component) [see controlled ball seat valve without a damping function in hydraulic systems,
remark 1)] device [see remark 2)] and if the installed e.g. pressure limitation, pressure
springs are well-tried (see Table A.2). decrease.
Non-closing or insuf-
ficient closing (spatially 2) For a non-controlled ball seat
and temporarily) if the valve without a damping device,
pressure drops below the guidance system is generally
the set value (sticking or designed in such a manner that any
sluggish movement of the sticking of the moving component is
moving component) [see unlikely.
remark 1)]
Change of the pressure Yes, in the case of directly actuated pressure-
control behaviour without relief valves, if the installed spring(s) are well-
changing the setting tried (see Table A.2).
device [see remark 1)]
For proportional pres- None.
sure valves: change in the
pressure control behav-
iour due to unintended
change in the set value
[see remark 1)]
Spontaneous change in Yes, where there is an effective protection of —
the setting device the setting device adapted to the particular
case in relation to technical safety specifica-
tions
(e.g. lead seals).
Unintended unscrewing Yes, if an effective positive locking device
of the operating element against unscrewing is provided.
of the setting device
Leakage Yes for seat valves if normal operating condi- Normal operating conditions apply
tions apply (see remark) and if an adequate when the conditions laid down by
filtration system is provided. the manufacturer are taken into
account.
Change of the leakage None. —
flow rate over a long
period of use
Bursting of the valve Yes, if construction, dimensioning and instal-
housing or breakage of lation are in accordance with good engineer-
the moving component(s) ing practice.
as well as breakage/frac-
ture of the mounting or
housing screws

41
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.7 — Faults and fault exclusions — Metal pipework

Fault considered Fault exclusion Remarks
Bursting and leakage Yes, if the dimensioning, choice of —
materials and fixing are in accord-
ance with good engineering practice.
Failure at the connector (e.g. tearing Yes, if welded fittings or welded —
off, leakage) flanges or flared fittings are used,
and dimensioning, choice of materi-
als, manufacture, configuration and
fixing are in accordance with good
engineering practice.
Clogging (blockage) Yes, for pipework in the power circuit,
and for control and measurement
pipework if the nominal diameter
is ≥ 3 mm.

Table C.8 — Faults and fault exclusions — Hose assemblies

Fault considered Fault exclusion Remarks
Bursting, tearing off at the fitting None. —
attachment and leakage
Clogging (blockage) Yes, for hose assemblies in the power
circuit, and for control and measure-
ment hose assemblies if the nominal
diameter is ≥ 3 mm.

Table C.9 — Faults and fault exclusions — Connectors

Fault considered Fault exclusion Remarks

Bursting, breaking of screws or strip- Yes, if dimensioning, choice of mate- —
ping of threads rial, manufacture, configuration and
connection to the piping and/or to
the fluid technology component are
in accordance with good engineering
practice.
Leakage (loss of the leak-tightness) None (see remark). Due to wear, ageing, deteriora-
tion of elasticity, etc., it is not
possible to exclude faults over
a long period. A sudden major
failure of the leak-tightness is
not assumed.
Clogging (blockage) Yes, for applications in the power —
circuit, and for control and meas-
urement connectors if the nominal
diameter is ≥ 3 mm.

42
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table C.10 — Faults and fault exclusions — Filters

Fault considered Fault exclusion Remarks

Blockage of the filter element None. —
Rupture of the filter element Yes, if the filter element is sufficiently
resistant to pressure and an effective
bypass valve or an effective monitor-
ing of dirt is provided.
Failure of the bypass valve Yes, if the guidance system of the
bypass valve is designed similarly
to that for a non-controlled ball seat
valve without a damping device (see
Table C.4) and if well-tried springs are
used (see Table A.2).
Failure of the dirt indicator or dirt None.
monitor
Bursting of the filter housing or Yes, if dimensioning, choice of mate-
fracture of the cover or connecting rial, arrangement in the system and
elements fixing are in accordance with good
engineering practice.

Table C.11 —Faults and fault exclusions — Energy storage

Fault considered Fault exclusion Remarks
Fracture/bursting of the energy Yes, if construction, choice of —
storage vessel or connectors or cover equipment, choice of materials and
screws as well as stripping of the arrangement in the system are in
screw threads accordance with good engineering
practice.
Leakage at the separating element None.
between the gas and the operating
fluid
Failure/breakage of the separating Yes, in the case of cylinder/piston A sudden major leakage is not to
element between the gas and the storage (see remark). be considered.
operating fluid
Failure of the filling valve on the gas Yes, if the filling valve is installed in —
side accordance with good engineering
practice and if adequate protection
against external influences is pro-
vided.

Table C.12 — Faults and fault exclusions — Sensors

Fault considered Fault exclusion Remarks
Faulty sensor (see remark) None. Types of sensors include signal
capture, processing and output,
in particular for pressure, flow
rate and temperature.
Change of the detection or output None. —
characteristics

43
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Annex D
(informative)

Validation tools for electrical systems

D.1 General
When electrical systems are used in conjunction with other technologies, Annex D should also be taken
into account.
The environmental conditions of IEC 60204-1 apply to the validation process. If other environmental
conditions are specified, they should also be taken into account.
Tables D.1 and D.2 list basic and well-tried safety principles.
The components listed in Table D.3 are considered to be “well-tried” when they comply with the
description given in ISO 13849-1:2006, 6.2.4. The standards listed in Table D.3 can be used to demonstrate
their suitability and reliability for a particular application. A well-tried component for some applications
could be inappropriate for other applications.
NOTE Complex electronic components, such as programmable logic controllers (PLCs), microprocessors and
application-specific integrated circuits, cannot be considered equivalent to the “well-tried” components.

Clause D.2 and Tables D.4 to D.18 list fault exclusions and their rationale. For further exclusions, see 4.4.
For validation, both permanent faults and transient disturbances should be considered.
The precise instant at which the fault occurs can be critical (see 9.1).

Table D.1 — Basic safety principles

Basic safety principle Remarks

Use of suitable materials and ade- Selection of material, manufacturing methods and treatment in relation
quate manufacturing to e.g. stress, durability, elasticity, friction, wear, corrosion, tempera-
ture, conductivity, dielectric rigidity.
Correct dimensioning and shaping Consider, e.g. stress, strain, fatigue, surface roughness, tolerances,
manufacturing.
Proper selection, combination, Apply manufacturer’s application notes, e.g. catalogue sheets, installa-
arrangements, assembly and installa- tion instructions, specifications, and use of good engineering practice.
tion of components/system
Correct protective bonding One side of the control circuit, one terminal of the operating coil of each
electromagnetic operated device, or one terminal of another electrical
device is connected to the protective bonding circuit (see IEC 60204-
1:2005, 9.4.3.1).
Insulation monitoring Use of an insulation monitoring device which either indicates an
earth fault or interrupts the circuit automatically after an earth fault
(see IEC 60204‑1:2005, 6.3.3).

44
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.1 (continued)

Basic safety principle Remarks
Use of de-energization A safe state is obtained by de-energizing all relevant devices, e.g. by
use of normally closed (NC) contact for inputs (push-buttons and
position switches) and normally open (NO) contact for relays (see also
ISO 12100:2010, 6.2.11.3).
Exceptions can exist in some applications, e.g. where the loss of the
electrical supply will create an additional hazard. Time-delay functions
may be necessary to achieve a system safe state (see IEC 60204-1:2005,
9.2.2).
Transient suppression Use of a suppression device (RC, diode, varistor) parallel to the load, but
not parallel to the contacts.
NOTE A diode increases the switch-off time.
Reduction of response time Minimize delay in de-energizing of switching components.
Compatibility Use components compatible with the voltages and currents used.
Withstanding environmental condi- Design the equipment so that it is capable of working in all expected
tions environments and in any foreseeable adverse conditions, e.g. tempera-
ture, humidity, vibration and electromagnetic interference (EMI) (see
Clause 10).
Secure fixing of input devices Secure input devices, e.g. interlocking switches, position switches, limit
switches, proximity switches, so that position, alignment and switching
tolerance is maintained under all expected conditions, e.g. vibration,
normal wear, ingress of foreign bodies, temperature.
See ISO 14119:1998, Clause 5.
Protection against unexpected start- Prevent unexpected start-up, e.g. after power supply restoration
up (see ISO 12100:2010, 6.2.11.4, ISO 14118, IEC 60204-1).
Protection of the control circuit The control circuit should be protected in accordance with
IEC 60204‑1:2005, 7.2 and 9.1.1.
Sequential switching for circuit of To avoid common mode failure by the welding of both contacts, switch-
serial contacts of redundant signals ing on and off does not happen simultaneously, so that one contact
always switches without current.

Table D.2 — Well-tried safety principles

Well-tried safety principle Remarks

Positively mechanically linked con- Use of positively mechanically linked contacts for, e.g. monitoring func-
tacts tion in Category 2, 3, and 4 systems (see EN 50205, IEC 60947-4-1:2001,
Annex F, IEC 60947-5-1:2003 + A1:2009, Annex L).
Fault avoidance in cables To avoid short circuits between two adjacent conductors, either
— use cable with shielding connected to the protective bonding circuit
on each separate conductor, or
— in flat cables, use one earthed conductor between each signal con-
ductor.
Separation distance Use of sufficient distance between position terminals, components and
wiring to avoid unintended connections.
Energy limitation Use of a capacitor for supplying a finite amount of energy, e.g. in a timer
application.
Limitation of electrical parameters Limiting voltage, current, energy or frequency to restrict movement,
e.g. torque limitation, hold-to-run with displacement/time limited,
reduced speed, to avoid an unsafe state.

45
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.2 (continued)

Well-tried safety principle Remarks
No undefined states Avoid undefined states in the control system. Design and construct the
control system so that, during normal operation and all expected oper-
ating conditions, its state, e.g. its output(s), can be predicted.
Positive mode actuation Direct action is transmitted by the shape (and not the strength) with
no elastic elements, e.g. spring between actuator and the contacts
(see ISO 14119:1998, 5.1, ISO 12100:2010, 6.2.5).
Failure mode orientation Wherever possible, the device/circuit should fail to the safe state or
condition.
Oriented failure mode Oriented failure mode components or systems should be used wherever
practicable (see ISO 12100:2010, 6.2.12.3).
Overdimensioning De-rate components when used in safety circuits, e.g. by the following means:
— the current passed through switched contacts should be less than half
their rated current;
— the switching frequency of components should be less than half their
rated value;
— the total number of expected switching operations should be no more
than 10 % of the device’s electrical durability.
NOTE De-rating can depend on the design rationale.
Minimizing possibility of faults Separate safety-related functions from the other functions.
Balance complexity/simplicity Balance should be made between
— complexity to reach a better control, and
— simplification in order to have better reliability.

Table D.3 — Well-tried components

Well-tried component Additional conditions for “well-tried” Standard or specification

Switch with positive mode actuation — IEC 60947-5-1:2003, Annex K
(direct opening action), e.g.:
— push-button;
— position switch;
— cam-operated selector switch, e.g.
for mode of operation
Emergency stop device — ISO 13850
IEC 60947-5-5
Fuse — IEC 60269-1
Circuit-breaker — IEC 60947-2
Switches, disconnectors — IEC 60947-3
Differential circuit-breaker/RCD — IEC 60947-2:2006, Annex B
(residual current device)

46
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.3 (continued)

Well-tried component Additional conditions for “well-tried” Standard or specification
Main contactor Only well-tried if IEC 60947-4-1
a) other influences are taken into account,
e.g. vibration,
b) failure is avoided by appropriate meth-
ods, e.g. overdimensioning (see Table D.2),
c) the current to the load is limited by the
thermal protection device, and
d) the circuits are protected by a protection
device against overload.
NOTE Fault exclusion is not possible.
Control and protective switching — IEC 60947-6-2
device or equipment (CPS)
Auxiliary contactor (e.g. contactor Only well-tried if EN 50205
relay)
a) other influences are taken into account, IEC 60947-5-1
e.g. vibration,
IEC 60947-4-1:2001, Annex F
b) there is positively energized action,
c) failure is avoided by appropriate meth-
ods, e.g. overdimensioning (see Table D.2),
d) the current in the contacts is limited by a
fuse or circuit-breaker to avoid the welding
of the contacts, and
e) contacts are positively mechanically
guided when used for monitoring.
NOTE Fault exclusion is not possible.
Relay Only well-tried if IEC 61810-1
a) other influences are taken into account, IEC 61810-2
e.g. vibration,
b) positively energized action,
c) failure avoided by appropriate methods,
e.g. overdimensioning (see Table D.2), and
d) the current in the contacts is limited by
fuse or circuit-breaker to avoid the welding
of the contacts.
NOTE Fault exclusion is not possible.
Transformer — IEC 61558
Cable Cabling external to enclosure should be IEC 60204-1:2005, Clause 12
protected against mechanical damage
(including, e.g. vibration or bending).
Plug and socket — According to an electrical
standard relevant for the
intended application.
For interlocking, see also
ISO 14119.
Temperature switch — For the electrical side,
see EN 60730‑1

47
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.3 (continued)

Well-tried component Additional conditions for “well-tried” Standard or specification
Pressure switch — For the electrical side,
see IEC 60947-5-1
For the pressure side, see
Annexes B and C.
Solenoid for valve — —

D.2 Fault exclusion

D.2.1 General
A fault exclusion is valid only if the parts operate within their specified ratings.

D.2.2 “Tin whiskers”

If lead-free processes and products are applied, electrical short circuits due to the growth of “tin
whiskers” can occur. This possibility should be evaluated and considered when applying the fault
exclusion “short circuit…” of any component. For example, if the risk of tin whisker growth is considered
high, the fault exclusion “short circuit of a resistor” is useless, since a short between the contacts of this
component has to be considered.
NOTE 1 Tin whisker growth is a phenomenon related mainly to pure bright tin finishes. The needle-like
protrusions can grow to several hundred micrometres in length and can cause electrical short circuits. The
prevailing theory is that the whiskers are caused by compressive stress build-up in tin plating.

NOTE 2 References [34] and [35] can be helpful for evaluation of the phenomenon.

NOTE 3 Whiskers on printed circuit boards have not so far been reported. Tracks usually consist of copper
without tin coating. Pads can be coated with tin alloy, but the production process seems not to stimulate the
susceptibility to whisker growing.

D.2.3 Short circuits on PCB-mounted parts

Short circuits for parts which are mounted on a printed circuit board (PCB) can only be excluded if the
fault exclusion “short circuit between two adjacent tracks/pads”, described in Table D.5, is made.

D.2.4 Fault exclusions and integrated circuits

As it is not possible to exclude faults that can cause the malfunction of an integrated circuit (see
Tables D.20 and D.21), a single fault can lead to loss of a safety function (including its check/test)
implemented in a single integrated circuit. Consequently, it is highly unlikely that the multi-channel
functionality necessary for the fault tolerance and/or detection requirements of category 2, 3 or 4 can
be achieved using a single integrated circuit, unless it satisfies the special architecture requirements of
IEC 61508-2:2010, Annex E.

48
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.4 — Faults and fault exclusions — Conductors/cables

Fault considered Fault exclusion Remarks

Short circuit between any Short circuits between conductors which are Provided both the conductors and
two conductors enclosure meet the appropriate
— permanently connected (fixed) and pro-
requirements (see IEC 60204-1).
tected against external damage, e.g. by cable
ducting, armouring,
— separate multicore cables,
— within an electrical enclosure (see remark),
or
— individually shielded with earth connec-
tion.
Short circuit of any con- Short circuits between conductor and any
ductor to an exposed con- exposed conductive part within an electrical
ductive part or to earth or enclosure (see remark).
to the protective bonding
conductor
Open circuit of any con- None. —
ductor

Table D.5 — Faults and fault exclusions — Printed circuit boards/assemblies

Fault considered Fault exclusion Remarks
Short circuit between two Short circuits between adja- As base material, EP GC according to IEC 60893-1 is
adjacent tracks/pads cent conductors in accordance used as a minimum.
with remarks.
The clearances and creepage distances are dimen-
sioned to at least IEC 60664-5 (IEC 60664-1 for dis-
tances greater than 2 mm) with pollution degree 2/
overvoltage category III; if both tracks are powered
by a SELV/PELV power supply, pollution degree 2/
overvoltage category II applies, with a minimum
clearance of 0,1 mm.
The assembled board is mounted in an enclosure
giving protection against conductive contamina-
tion, e.g. an enclosure with a protection of at least
IP54, and the printed side(s) is (are) coated with an
ageing-resistant varnish or protective layer covering
all conductor paths.
NOTE 1 Experience has shown that solder masks are
satisfactory as a protective layer.
NOTE 2 A further protective layer covering according
to IEC 60664-3 can reduce the creepage distances and
clearances dimensions.
Open circuit of any track None. —

49
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.6 — Faults and fault exclusions — Terminal block

Fault considered Fault exclusion Remarks
Short circuit between Short circuit between adjacent 1) The terminals and connections used are in
adjacent terminals terminals in accordance with accordance with IEC 60947-7-1 or IEC 60947-7-2
remarks 1) or 2). and the requirements of IEC 60204-1:2006, 13.1.1,
are satisfied.
2) The design in itself ensures that a short circuit
is avoided, e.g. by shaping shrink-down plastic tub-
ing over connection point.
Open circuit of individual None. —
terminals

Table D.7 — Faults and fault exclusions — Multi–pin connector

Fault considered Fault exclusion Remarks

Short circuit between any Short circuit between adja- By using ferrules or other suitable means for
two adjacent pins cent pins in accordance with multi-stranded wires. Creepage distances and
remark. clearances and all gaps should be dimensioned to
at least IEC 60664-1 with overvoltage category III.
If the connector is mounted on
a PCB, the fault exclusion con-
siderations of Table D.5 apply.
Interchanged or incor- None. —
rectly inserted connector
when not prevented by
mechanical means
Short circuit of any None. The core of the cable is considered a part of the
conductor (see remark) multi‑pin connector.
to earth or a conductive
part or to the protective
conductor
Open circuit of individual None. —
connector pins

Table D.8 — Faults and fault exclusions — Switches — Electromechanical position switches,
manually operated switches (e.g. push-button, reset actuator, DIP switch,
magnetically operated contacts, reed switch, pressure switch, temperature switch)

Fault considered Fault exclusion Remarks

Contact will not close Pressure-sensitive devices in accord- —
ance with ISO 13856
Contact will not open Contacts in accordance with —
IEC 60947-5-1:2003, Annex K, are
expected to open.
For PL e, a fault exclusion for mechanical (e.g. the mechanical link between an actuator and a contact element)
and electrical aspects is not allowed. In this case redundancy is necessary. For emergency stop devices in
accordance with IEC 60947-5-5, a fault exclusion for mechanical aspects is allowed if a maximum number of
operations is considered.
NOTE The fault lists for the mechanical aspects are considered in Annex A.

50
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.8 (continued)

Fault considered Fault exclusion Remarks
Short circuit between adjacent con- Short circuit can be excluded Conductive parts which become
tacts insulated from each other for switches in accordance with loose should not be able to
IEC 60947-5-1 (see remark). bridge the insulation between
contacts.
Simultaneous short circuit between Simultaneous short circuits can be
three terminals of change-over con- excluded for switches in accordance
tacts with IEC 60947-5-1 (see remark).
For PL e, a fault exclusion for mechanical (e.g. the mechanical link between an actuator and a contact element)
and electrical aspects is not allowed. In this case redundancy is necessary. For emergency stop devices in
accordance with IEC 60947-5-5, a fault exclusion for mechanical aspects is allowed if a maximum number of
operations is considered.
NOTE The fault lists for the mechanical aspects are considered in Annex A.

Table D.9 — Faults and fault exclusions — Switches — Electromechanical devices

(e.g. relay, contactor relays)

Fault considered Fault exclusion Remarks

All contacts remain in the energized None. —
position when the coil is de-energized
(e.g. due to mechanical fault)
All contacts remain in the de-ener- None.
gized position when power is applied
(e.g. due to mechanical fault, open
circuit of coil)
Contact will not open None.
Contact will not close None.
Simultaneous short circuit between Simultaneous short circuit can be The creepage and clearance
the three terminals of a change-over excluded if remarks are taken into distances are dimensioned to at
contact account. least IEC 60664-1 with at least
pollution degree 2/overvoltage
Short circuit between two pairs of Short circuit can be excluded if
category III.
contacts and/or between contacts remarks are taken into account.
and coil terminal Conductive parts which become
loose cannot bridge the insula-
tion between contacts and the
coil.
Simultaneous closing of normally Simultaneous closing of contacts can Positively driven (or mechani-
open and normally closed contacts be excluded if remark is taken into cally linked) contacts are
account. used (see IEC 60947-5-1:2003,
Annex L).

51
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.10 — Faults and fault exclusions — Switches — Proximity switches

Fault considered Fault exclusion Remarks
Permanently low resistance at output None (see remark). See IEC 60947-5-3.
Permanently high resistance at out- None (see remark). Fault prevention measures
put should be described.
Interruption in power supply None. —
No operation of switch due to No operation due to mechanical All parts of the switch should
mechanical failure failure when remark is taken into be sufficiently well fixed.
account. For mechanical aspects, see
Annex A.
Short circuit between the three con- None. —
nections of a change-over switch

Table D.11 — Faults and fault exclusions — Switches — Solenoid valves

Fault considered Fault exclusion Remarks
Does not energize None. —
Does not de-energize None.
NOTE The fault lists for the mechanical aspects of pneumatic and hydraulic valves are considered in Annexes B and C
respectively.

52
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.12 — Faults and fault exclusions — Discrete electrical components — Transformers

Fault considered Fault exclusion Remarks

Open circuit of individual winding None. —
Short circuit between different wind- Short circuit between different wind- 1) The requirements of the rel-
ings ings can be excluded if remarks 1) evant parts of IEC 61558 should
and 2) are taken into account. be met.
Short circuit in one winding A short circuit in one winding can be 2) Between different wind-
excluded if remark 1) is taken into ings, doubled or reinforced
account. insulation or a protective
Change in effective turns ratio Change in effective turns ratio can screen applies. Testing accord-
be excluded if remark 1) is taken into ing to IEC 61558‑1:2005,
account. See also remark 3). Clause 18, applies. Appropri-
ate test voltages are given in
IEC 61558‑1:2005, Table 8 a).
Short circuits in coils and wind-
ings need to be avoided by tak-
ing appropriate steps, e.g.
— impregnating the coils so as
to fill all the cavities between
individual coils and the body of
the coil and the core, and
— using winding conductors
well within their insulation and
high-temperature ratings.
3) In the event of a secondary
short circuit, heating above a
specified operating temperature
should not occur.

Table D.13 — Faults and fault exclusions — Discrete electrical components — Inductances
Fault considered Fault exclusion Remarks
Open circuit None. —
Short circuit Short circuit can be excluded if Coil is single-layered, enamelled
remark is taken into account. or potted, with axial wire con-
nections and axial-mounted.
Random change of value None. Depending upon the type of
0,5 LN < L < LN + tolerance, where LN construction, other ranges can
is the nominal value of the inductors be considered.

53
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.14 — Faults and fault exclusions — Discrete electrical components — Resistors

Fault considered Fault exclusion Remarks

Open circuit None. —
Short circuit Short circuit can be excluded if 1) The resistor is of the film
remark 1) or 2) is taken into account. type, or wire-wound single-layer
type with protection to prevent
unwinding of wire in the event
of breakage, with axial wire
connections, axial-mounted and
varnished.
2) Resistors in surface-mount
technology must be of the thin
film metal type in package types
MELF, mini MELF or µMELF.
3) For example, if the risk of tin-
whisker growth is considered
high, the fault exclusion “short
circuit of a resistor” is useless,
since a short between the con-
tacts of this component has to be
considered.
Random change of value None. Depending upon the type of
0,5 RN < R < 2 RN, where RN is the construction, other ranges can
nominal value of resistance [see also be considered.
remark 3)]

Table D.15 — Faults and fault exclusions — Discrete electrical components — Resistor networks
Fault considered Fault exclusion Remarks
Open circuit None. —
Short circuit between any two con- None.
nections
Short circuit between any connec- None.
tions.
Random change of value None. Depending upon the type of
0,5 RN < R < 2 RN, where RN is the construction, other ranges can
nominal value of resistance be considered.

Table D.16 — Faults and fault exclusions — Discrete electrical components — Potentiometers
Fault considered Fault exclusion Remarks
Open circuit of individual connection None. —
Short circuit between all connections None.
Short circuit between any two con- None.
nections
Random change of value None. Depending upon the type of
0,5 Rp < R < 2 Rp, where Rp is the construction, other ranges can
nominal value of resistance be considered.

54
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.17 — Faults and fault exclusions — Discrete electrical components — Capacitors
Fault considered Fault exclusion Remarks
Open circuit None. —
Short circuit None.
Random change of value None. Depending upon the type of
0,5 CN < C < CN + tolerance, construction, other ranges can
where CN is the nominal value of be considered.
capacitance
Changing value tan, δ None. —

Table D.18 — Faults and fault exclusions — Electronic components — Discrete semiconductors
(e.g. diodes, Zener diodes, transistors, triacs, thyristors, voltage regulators, quartz crystal,
phototransistors, light-emitting diodes [LEDs])
Fault considered Fault exclusion Remarks
Open circuit of any connection None. —
Short circuit between any two con- None.
nections
Short circuit between all connections None.
Change in characteristics None.

Table D.19 — Faults and fault exclusions — Electronic components — Optocouplers

Fault considered Fault exclusion Remarks

Open circuit of individual connection None. —
Short circuit between any two input None.
connections
Short circuit between any two output None.
connections
Short circuit between any two con- Short circuit between input and out- The optocoupler is built in
nections of input and output put can be excluded if the remarks are accordance with overvolt-
taken into account. age category III according to
IEC 60664-1. If a SELV/PELV
power supply is used, pollution
degree 2/overvoltage category II
applies.
NOTE See Table D.5.
Measures are taken to ensure
that an internal failure of the
optocoupler cannot result in
excessive temperature of its
insulating material.

55
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table D.20 — Faults and fault exclusions — Electronic components — Non–programmable

integrated circuits
Fault considered Fault exclusions Remarks
Open circuit of each individual con- None. —
nection
Short circuit between any two con- None.
nections
Stuck-at-fault (i.e. short circuit to 1 None.
and 0 with isolated input or discon-
nected output). Static “0” and “1”
signal at all inputs and outputs, either
individually or simultaneously
Parasitic oscillation of outputs None.
Changing values (e.g. input/output None.
voltage of analogue devices)
NOTE In this part of ISO 13849, ICs with less than 1 000 gates and/or less than 24 pins, operational amplifiers, shift
registers and hybrid modules are considered non-complex. This definition is arbitrary.

Table D.21 — Faults and fault exclusions — Electronic components — Programmable and/or
complex integrated circuits

Fault considered Fault exclusions Remarks

Faults in all or part of the function None. —
including software faults
Open circuit of each individual con- None.
nection
Short circuit between any two con- None.
nections
Stuck-at-fault (i.e. short circuit to 1 None.
and 0 with isolated input or discon-
nected output). Static “0” and “1”
signal at all inputs and outputs, either
individually or simultaneously
Parasitic oscillation of outputs None.
Changing value, e.g. input/output None.
voltage of analogue devices
Undetected faults in the hardware None.
which go unnoticed because of the
complexity of the integrated circuit
The analysis should identify additional faults, which should be considered if they influence the operation of the
safety function.
NOTE In this part of ISO 13849, an IC is considered complex if it consists of more than 1 000 gates and/or more than
24 pins. This definition is arbitrary.

56
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Annex E
(informative)

Example of validation of fault behaviour and diagnostic means

E.1 General
This example considers the validation of the PL of a safety function (SF 1), with the exception of
requirements relating to the following aspects of the PL:
— MTTFd values;
— common-cause failures (CCFs);
— software analysis;
— systematic failures.
The example does not cover the validation of
— safety requirements specification (see Clause 7),
— characteristics of safety functions (see Clause 8),
— environmental requirements (see Clause 10),
— maintenance requirements (see Clause 11),
— documentation requirements (see Clause 12).
Three safety functions, SF 1, SF 2 and SF 3, are considered in the example.
SF 1 is a safety-related stopping function of four individual machine actuators initiated by the opening of one
interlocking guard, and this is treated as a separate safety function for each actuator (SF 1.0, SF 1.1, SF 1.2
and SF 1.3). In order to reduce the extent of the example, the validation has been limited to SF 1.0 and SF 1.3.
Annex A provides guidance on how to examine the fault behaviour and diagnostic coverage of a given
circuit is provided. The methods used for determination of the diagnostic coverage are based on failure
mode and effects analysis (FMEA), taking into account ISO 13849-1:2006, Annex E.
NOTE This example does not cover the complete validation process of SRP/CS. In particular, the necessary
validation of the PLC software has not been considered. For the validation of safety-related software, see 9.5.

E.2 Description of machine

The example is based upon an automatic assembly machine, with manual loading and unloading of
workpieces. The machine is intended to perform two sequential operations: ball insertion and screw
fixing on each workpiece.
There are four stations on the machine: the loading and unloading stations and two workstations (see
Figure E.1). The first workstation is the pneumatically driven ball-insertion stage, and the second the
pneumatically driven screw-fixing stage.
An electrically-driven rotary table moves workpieces around each of the four stations. The workpieces
are manually placed on, and removed from, workpiece holders mounted on the rotary table. An inverter-
controlled electric motor drives a planetary gear and drive-belt system which moves the rotary table.

57
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

At the first workstation a ball is inserted into the workpiece by a horizontally mounted pneumatic
cylinder, which is controlled by a monostable 5/2 port directional control valve (1V1, see Figure E.3). The
basic position (valve de-energized) of this cylinder is the retracted position. The depth of the inserted
ball is checked by monitoring a limit switch at the fully extended position of the cylinder, and the applied
pressing pressure is monitored by a pressure sensor in the air supply line for cylinder extension.
The screw-fixing workstation consists of a vertically mounted, rodless pneumatic cylinder carrying
a pneumatically driven rotary screwdriver unit. The screwdriver unit is raised and lowered by the
pneumatic cylinder, which is controlled by a monostable 5/2 port directional control valve (2V1). The
basic position (valve de-energized) of this cylinder is the upper position, with the screwdriver unit
raised. Additionally, a pilot-controlled check valve (2V2) is provided in the lower connection of the
pneumatic cylinder.
Rotary motion of the screwdriver unit is provided by a pneumatic motor, controlled by a monostable 5/2 port
directional control valve (3V1). The basic position (valve de-energized) of this pneumatic motor is the OFF
state. The torque provided by the screwdriver unit is monitored by a pressure sensor in its air supply line.
A single cycle of the machine in automatic mode of operation is initiated by actuating the start
push-button. At the beginning of a cycle, the rotary table holds three workpieces: (i) a newly loaded
workpiece, (ii) a partially finished workpiece (ball inserted), and (iii) a finished workpiece (ball
inserted and screw fixed). Each cycle of the machine consists of the rotary table moving through 90°,
followed by simultaneous ball-insertion and screw‑fixing operations on the newly loaded and partially
finished workpieces. The machine then comes to an operational stop, after which the operator opens
the interlocking guard to unload the finished workpiece and load a new workpiece. The completion of
a workpiece requires three machine cycles to rotate the workpiece by 270° from the loading station
through to the unloading station.
The following modes of operation are provided:
— automatic mode with manual loading and unloading (full motion of the machine with the interlocking
guard closed);
— set-up mode for the rotary table (motion of the rotary table with hold-to-run control and the
interlocking guard open).
The machine presents mechanical hazards arising out of movements of the pneumatically driven machine
actuators (at the ball-insertion and screw‑fixing workstations) and the electrically driven rotary table.
It is for this reason protected by mechanical guards, all of which are fixed, except for an interlocking
guard that provides access to the loading and unloading stations (the hazard zone).

58
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Key
1 loading station 8 workpiece
2 ball-insertion workstation 9 rotary table
3 ball‑insertion cylinder (A1) 10 pulse sensor (G2)
4 screw‑fixing workstation 11 drive belt
5 unloading station 12 planetary gear
6 screwdriver unit (A3) 13 electric motor (M1)
7 screw insertion (vertical-drive) cylinder (A2) 14 rotation sensor (G1)

Figure E.1 — Machine used in example: automatic assembly machine

E.3 Specification of safety function requirements

In the automatic mode of operation, protection against hazardous movements is provided by the
following safety function:
SF 1 safety-related stopping initiated by the opening of the interlocking guard and prevention
of unexpected start-up whenever the interlocking guard is open.
For the purposes of the example, this can be considered a separate safety function for each of the four
individual machine actuators:

59
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

SF 1.0 electric motor of the rotary table (M1);

SF 1.1 ball‑insertion cylinder (A1);
SF 1.2 screw‑insertion cylinder (A2);
SF 1.3 pneumatic motor of the screwdriver unit (A3).
NOTE 1 For the example, safety-related stop and protection against unexpected start-up are considered a
single safety function because they are implemented in the same combination of SRP/CS.

During the set-up mode for the rotary table with the interlocking guard open (pneumatically driven
machine actuators disabled by SF 1.1, SF 1.2 and SF 1.3), the safe condition of the rotary table movement
is achieved by a combination of the following safety functions:
SF 2: safely-limited speed;
SF 3: hold-to-run mode.

Table E.1 — Active safety functions according to mode of operation

Safety function
Mode of operation
SF 1.0 SF 1.1 SF 1.2 SF 1.3 SF 2 SF 3
Automatic mode (interlocking guard X X X X
closed)
Set-up mode (interlocking guard open) X X X X X
X: safety function active

After performing a risk assessment, the following values of PLr were assigned to the safety functions:
PLr d for SF 1 (safety-related stopping and prevention of unexpected start-up);
PLr d for SF 2 (safely-limited speed);
PLr c for SF 3 (hold-to-run mode).
NOTE 2 The selection of PLr c for SF 3 takes account of its use in combination with SF 2, for which PL d is achieved.

When SF 1 is demanded, it initiates the following actions:

— the rotary table performs a controlled stop in accordance with Stop Category 2 of IEC 60204-1;
— the horizontally mounted pneumatic cylinder (A1) of the ball-insertion workstation and the vertically
mounted pneumatic cylinder (A2) of the screw‑fixing workstation return to and/or remain in their
basic positions (i.e. retracted and upper respectively);
— the screwdriver unit (A3) stops immediately.
NOTE 3 For the example, the risk assessment determined that loss of controlled deceleration of the rotary
table as a result of an inverter malfunction was acceptable, and movement of pneumatic cylinders A1 and A2 to
their basic positions non-hazardous.

The minimum distance between the interlocking guard and these moving parts of the machine was
determined according to ISO 13855, based on the machine stopping performance.
The machine is provided with other safety functions, such as an emergency stop, restart interlock, reset,
and selection of modes for operation, but these are not considered in the example and, consequently,
relevant components are not shown in the circuit diagrams of Figures E.2 and E.3.

60
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Figure E.2 — Automatic assembly machine — Electrical circuit diagram

Figure E.3 — Automatic assembly machine — Pneumatic circuit diagram

E.4 Design of SRP/CS

E.4.1 General
The control system for the example has been implemented using a combination of electromechanical,
electronic and pneumatic technologies.

61
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

In order to achieve the PLr for SF 1 and SF 2, Category 3 has been selected. A diverse redundant and
monitored structure has therefore been adopted for all electrical and pneumatic parts associated with
these safety functions (see Figures E.2 and E.3).
To achieve the PLr for SF 3, a combination of Category 2 and Category 3 has been selected.
The signals from the sensors and control actuators (interlocking guard position switches, hold-to-run
push-button) have been duplicated and connected into two diverse PLCs (different types of hardware for
PLC A and PLC B), which process them using specific software function blocks (SRASW). Each PLC also
controls both the rotary table inverter and the pneumatically driven machine actuators via switching
paths that are independent of the other PLCs’ switching paths.
For diagnostic (cross-monitoring) and synchronization purposes, the two PLCs communicate with each
other via a standard data-bus.
The particular inverter in this example has an additional facility (internal relay) to disable its power
semiconductor control signals (pulse-blocking), which can be considered a second shutdown path [Safe
Torque Off (STO) according to IEC 61800-5-2].
This pulse-blocking feature will not bring a rotating motor to a rapid stop, because disabling the inverter
control of the motor causes an uncontrolled deceleration. However, in this example pulse-blocking would
still cause the rotary table to stop before an operator can access the hazard zone, and so the controlled
deceleration to a standstill that normally precedes pulse-blocking is not a required characteristic of SF 1.0.
In the pneumatic circuit, the supply of air to each of the machine actuators (A1, A2 and A3) is controlled
by a monostable 5/2 port directional control valve (1V1, 2V1 and 3V1) of the pilot-controlled solenoid
type. The control air for all three valves is switched by an additional valve (1V0) of the same type, which
provides a redundant channel of control. The status of this release valve is monitored by a pressure
switch (1S0).The air supply for A2 is taken from the main air supply, whereas for A1 and A3 it is taken
from the control air supply (1V0).
De-energizing of the driving chamber from moving cylinder A1 during penetration of the workspace is
provided by two channels too:
— air bleeding through 1V1 by switching in normal position, and
— de-energizing through 1V0 by switching in normal position.
The status of 1V1 is monitored by a limit switch (1S2).
A pilot-controlled check valve (2V2), which also takes its control air from 1V0, is provided in the lower
connection of A2 (vertically mounted rodless pneumatic cylinder). This provides a redundant channel
for stopping the downward motion and retaining the machine actuator in its basic (upper) position.
The status of 2V1 is monitored by a limit switch (2S2).
The air supply for pneumatic motor A3 (screwdriver unit) is taken from the control air supply (1V0)
rather than the main air supply. This use of 1V0 in addition to 3V1 to switch off the air supply to A3
provides a redundant channel of control, which ensures that A3 will not continue to rotate if 3V1 were
to fail in the energized position. The status of 3V1 is monitored by a pressure sensor (3S1) that provides
an analogue output signal.
In accordance with Category 3, basic and well-tried safety principles are taken into account, and the
requirements of Category B are also satisfied. In particular, the requirements of the standards IEC 60204-
1 and ISO 4414 have been applied.
The attributes of components implementing SRP/CS are explained in detail in Table E.2.

62
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.2 — Attributes of components implementing SRP/CS (parts list of Figures E.2 and E.3)

Component
Function Element Attribute Well-tried safety principlea Possible fault exclusion
label
B1 Monitoring position of Interlocking IEC 60947-5-1:2003, Positive mode actuation Failure of switch contacts to
interlocking guard switch including direct opening open when operated can be
action in accordance with excluded.
IEC 60947‑5‑1:2003, Annex K
Electrical faults because B1
possesses positive mode of
actuation.
B2 Monitoring position of Interlocking IEC 60947-5-1 None. None.
interlocking guard switch
S4 Generates hold-to-run Normally open — None. None.
motion during set-up push-button
mode
PLC A Processing safety-related Programmable IEC 61131-1 and IEC 61131-2 None. None.
and non safety-related logic controller
PLC B
signals (PLC)
K1 Generates redundant Relay contactor IEC 60947-5-1, including Mechanically-linked contacts None.
STOP signal for inverter mechanically linked contact
in case of failure in PLC A elements in accordance with
path IEC 60947-5-1:2003, Annex L,
and EN 50205
T1 Drives rotary table elec- Inverter Inverter has additional shut- Blocking relay with positively None.
tric motor down path using pulse block- mechanically linked contacts
ing.
G1 Measures speed of electric Rotation sensor — None. None.
motor for rotary table (cos/sin encoder)
G2 Monitors motion of rotary Pulse sensor — None. None.
table
1V0 Control of pilot air for Directional-control Spring-biased valve, 5/2-func- Table B.2 overdimensioning/ Pressure build-up at port 4
directional control valves solenoid valve tion, pilot-operated, internal safety factor, safe position (use with exhausted port 5 in nor-
1V1, 2V1, 3V1, and for pilot air supply, spool valve of well-tried spring), sufficient mal position, failure of the seal-
check valve 2V2 with overlap positive overlapping in piston ing through extrusion, moving
valves of valve spool without operat-
ing power.

63
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E) Table E.2 (continued)
Component
Function Element Attribute Well-tried safety principlea Possible fault exclusion
label
1V1 Control of ball‑insertion See 1V0. See 1V0. See 1V0. See 1V0.
cylinder A1
2V1
Control of screw‑insertion
3V1
cylinder A2
Control of screwdriver
unit (pneumatic motor)
A3
2V2 Anti-fall device for Check valve Pilot-operated non-return Table B.2 valve closed by load Opening without pilot air
vertically mounted valve, spring-loaded poppet pressure
screw‑insertion cylin- valve
der (A2) of the screw-
driver unit
1S0 Monitors status of Pressure switch Fixed switch point Basic safety principles are not None.
valve 1V0 required for monitoring (no
safety function).
1S1 Monitors pressure applied Pressure sensor Analogue output signal Basic safety principles are not None.
during ball insertion required for monitoring (no
process safety function).
3S1
Monitors torque (pres-
sure) applied during
screwdriving process
1S2, 1S3 Limit switches for Proximity sensor Magnetic measuring principle Basic safety principles are not None.
ball‑insertion cylinder A1 required for monitoring (no
safety function).
Limit switches for
2S1, 2S2
screw‑insertion cylin-
der A2
A1 Ball-insertion cylinder Pneumatic cylinder Not in scope of this standard according to ISO 13849-1:2006, 3.1.1.
A2 Screw-insertion cylinder Rodless pneumatic Not in scope of this standard according to ISO 13849-1:2006, 3.1.1.
cylinder with
external guide
A3 Screwdriver unit Pneumatic motor Not in scope of this standard according to ISO 13849-1:2006, 3.1.1.
a Basic safety principles have also been taken into account in the design of components (see Table D.1 for electrical components and Table B.1 for pneumatic components).

64
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

E.4.2 Safety function SF 1 — Safety-related stopping initiated by the opening of the

interlocking guard and prevention of unexpected start-up whenever the interlocking
guard is open
According to the machine specification, opening of the interlocking guard has to initiate the stopping of
four machine actuators: (i) the rotary table (driven by inverter-controlled motor), (ii) the ball-insertion
cylinder, (iii) the screw-insertion cylinder, and (iv) the screwdriver unit. This function can therefore be
represented as shown in Figure E.4.

Figure E.4 — Function blocks — SF 1.0, SF 1.1, SF 1.2 and SF 1.3

When the interlocking guard is opened, PLC A initiates a stop of the rotary table by providing a stop
signal to the inverter (T1a). PLC B monitors the resulting deceleration of the rotary table via G2, and
when it detects that this has reached a standstill it de-energizes K1 to initiate pulse-blocking at the
inverter (T1b). If the rotary table does not stop due to a fault in T1a or PLC A, then PLC B will detect this
fault and still provide its own stop signal to the inverter (T1b). This is the second independent channel
for the stopping function. The part of the safety function relating to prevention of unexpected start-up
is performed in the same way.
Opening the interlocking guard also causes PLC A to initiate a first stop of the ball-insertion cylinder, the
screw-insertion cylinder and the screwdriver unit by de-energizing 1V1, 2V1 and 3V1. PLC B initiates a
second stop of these three actuators by de-energizing 1V0.
If the rotary table is already stopped, but the ball-insertion and screw‑fixing workstations are in
operation when the interlocking guard is opened, then PLC A will immediately de-energize 1V1, 2V1 and
3V1, and PLC B will immediately de-energize K1. PLC B will also de-energize 1V0 after a delay, to allow
for the ball‑insertion cylinder (A1) to complete its travel to the retracted position.
While the interlocking guard is in the open position, it needs to be ensured that a fault in the enabling
path of PLC A does not lead to an uncontrolled start-up. This is achieved by the action of PLC B de-
energizing K1 as soon as the rotary table motor has reached a standstill, and also de-energizing 1V0 to
prevent a start-up of the ball‑insertion cylinder or the screw‑insertion cylinder.
The evaluation of the PL for the SRP/CS performing SF 1 has been carried out as follows:
a) Identification of safety-related parts
The safety-related parts of stopping function SF 1.0 and their division into channels can be illustrated
by the safety-related block diagram shown in Figure E.5.

65
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Figure E.5 — Safety-related block diagram — SF 1.0

Similarly, the safety-related parts of stopping functions SF 1.1, SF 1.2 and SF 1.3 and their division
into channels can be illustrated by the safety-related block diagram shown in Figure E.6.

* SF 1.1 ** SF 1.2 *** SF 1.3

Figure E.6 — Safety-related block diagram — SF 1.1, SF 1.2 and SF 1.3

The two parts of the diagrams in Figures E.5 and E.6 can each be mapped to the designated
architecture for Category 3, so the diagrams can be simplified as the two SRP/CS (input, logic/output)
shown in Figure E.7.

Figure E.7 — Combination of SRP/CS performing safety functions

For each SRP/CS, a PL has been estimated by applying the simplified procedure from
ISO 13849-1:2006, 4.5.4.
b) Estimation of MTTFd of each channel
For the estimation of component MTTFd values, reliability data provided by the manufacturers
has been used.
For the estimation of the MTTFd of a channel, the parts count method has been applied (see
ISO 13849‑1:2006; Annex D). The diverse redundant structure leads to dissimilar MTTFd values
for each channel, so that application of the symmetrisation equation provides an average result of
25 years (medium) for the MTTFd of each channel of both SRP/CSI and SRP/CSL/O of SF 1.0, SF 1.1,
SF 1.2, and SF 1.3 (see ISO 13849-1:2006, D.2).
c) Estimation of DCavg
The DCavg has been calculated for both SRP/CS from the DC of the internal test and monitoring
measures applied to the different components.
A plausibility check of the guard interlocking switches B1 and B2 by PLC A and PLC B according
to ISO 13849-1:2006, Annex E, results in a DCavg high (99 %) for the SRP/CSI of SF 1.0, SF 1.1,
SF 1.2 and SF 1.3.
The following diagnostic measures are provided in the SRP/CSL/O of SF 1.0, SF 1.1, SF 1.2 and SF 1.3:
— monitoring of the relay contactor, K1, by PLC A through the position of K1 contacts;

66
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

— cross-monitoring between PLC A and PLC B;

— indirect monitoring of T1a and PLC A by PLC B through G2;
— indirect monitoring of the PLC A output card by itself through 1S2, 2S2, 3S1 and G1;
— program sequence monitoring by an internal watchdog in PLC A and in PLC B;
— indirect monitoring of T1a by PLC A through G1;
— monitoring of T1b by PLC A through the position of pulse-blocking relay contact;
— indirect monitoring of the PLC B by PLC A through the position of K1 contacts;
— indirect monitoring of the PLC B output card by itself through 1S0;
— indirect monitoring of 1V1 by the PLC A through 1S2;
— indirect monitoring of 2V1 by the PLC A through 2S2;
— indirect monitoring of 3V1 by the PLC A through 3S1;
— indirect monitoring of 1V0 by the PLC B through 1S0;
— fault detection of PLC A, T1a and 1V1, 2V1 and 3V1 through process observation.
According to ISO 13849-1:2006, Annex E, these diagnostic measures provide a DCavg result of
medium (90 %) for the SRP/CSL/O of SF 1.0, SF 1.1, SF 1.2 and SF 1.3.
d) Estimation of measures against common-cause failure (CCF)
It is estimated that adequate measures against common-cause failure (separation, diversity, protection
against over-pressure, environmental) have been taken for both SRP/CS of SF 1.0, SF 1.1, SF 1.2 and
SF 1.3, which, according to ISO 13849-1:2006, Annex F, results in a score of 75 points for each SRP/CS.
e) Determination of PL for each SRP/CS
The PL for each SRP/CS is determined as follows:
— SRP/CSI of SF 1.0, SF 1.1, SF 1.2 and SF 1.3:
— Category 3;
— medium MTTFd of each channel;
— high DCavg ;
— 75 points for measures against CCF.
Applying these values to ISO 13849-1:2006, Figure 5, but with DCavg restricted to medium
(Category 3), gives a result of PL d.
— SRP/CSL/O of SF 1.0, SF 1.1, SF 1.2 and SF 1.3:
— Category 3;
— medium MTTFd of each channel;
— medium DCavg ;
— 75 points for measures against CCF.
Applying these values to ISO 13849-1:2006, Figure 5, gives a result of PL d.

67
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

f) Determination of the PL for the combination of SRP/CS performing SF 1.0, SF 1.1, SF 1.2 and SF 1.3
According to ISO 13849-1:2006, 6.3, and taking into account that the individual SRP/CS for SF 1.0,
SF 1.1, SF 1.2 and SF 1.3 have the same values of PL, the PL of the overall combination of SRP/CS for
SF 1.0, SF 1.1, SF 1.2 and SF 1.3 is determined as follows:
— PLlow = d
— Nlow = 2
The PL for the combination of SRP/CS for each of SF 1.0, SF 1.1, SF 1.2 and SF 1.3 is therefore PL d.
NOTE Calculation of the resulting PL by adding the PFH values of all subsystems will lead to a more
precise result.

g) Systematic failures
It is estimated that the adequate measures against systematic failure have been applied to the
SRP/CS for SF 1.0, SF 1.1, SF 1.2 and SF 1.3 according to ISO 13849-1:2006, Annex G.

E.4.3 Safety function SF 2 — Safely-limited speed (SLS)

When the machine is in the set-up mode and the interlocking guard is in the open position, the rotary
table can only move at a safely limited speed (SLS), which is measured by both G1 and G2. PLC A monitors
the signal from G1 and PLC B monitors the signal from G2, with both PLCs performing the desired/actual
speed comparisons independently. If the speed is not successfully reduced to the limited value by the
inverter T1a, then PLC A can react by providing a stop signal to the inverter (T1a), and PLC B can react
by activating a delayed pulse-blocking on the inverter (T1b) via K1.
a) Identification of safety-related parts
The safety-related parts of safety function SF 2 and its division into channels can be illustrated by
the safety-related block diagram shown in Figure E.8.

Figure E.8 — Safety-related block diagram — SF 2

For the SRP/CS, a PL has been estimated by applying the simplified procedure in ISO 13849-1:2006, 4.5.4.
The diagram can be mapped to the designated architecture for Category 3, so the safety function is
performed by one SRP/CS, as shown in Figure E.9.

Figure E.9 — SRP/CS performing the safety function SF 2

For the SRP/CS, a PL has been estimated by applying the simplified procedure in ISO 13849-1:2006, 4.5.4.

68
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

b) Estimation of MTTFd of each channel

For the estimation of component MTTFd values, reliability data provided by the manufacturers
has been used.
For the estimation of the MTTFd of a channel, the parts count method has been applied (see
ISO 13849‑1:2006; Annex D). The diverse redundant structure leads to dissimilar MTTFd values for
each channel, so application of the symmetrisation equation provides an average result of medium
MTTFd (more than 25 years) for each channel of the SRP/CS.
c) Estimation of DCavg
The DCavg has been calculated for the SRP/CS from the DC of the internal test and monitoring
measures applied to the different components.
The following diagnostic measures are provided:
— monitoring of the relay contactor, K1, by PLC A through the position of K1 contacts;
— cross-monitoring between PLC A and PLC B;
— indirect monitoring of G1, T1a and PLC A by PLC B through G2;
— monitoring of T1b by PLC A through the position of pulse-blocking relay contact;
— program sequence monitoring by an internal watchdog in PLC A and in PLC B;
— indirect monitoring of G2 and PLC B by PLC A through the position of K1 contacts;
— monitoring of G1 by PLC A;
— monitoring of G1 and T1a (plausibility of sin/cos information);
— monitoring of G2 by PLC B (after pushing S4, PLC B checks for pulses from G2; if there are none,
PLC B stops T1b).
According to ISO 13849-1:2006, Annex E, these diagnostic measures provide a DCavg result of
medium (90 %) for the SRP/CS.
d) Estimation of measures against common-cause failure (CCF)
It is estimated that the adequate measures against common-cause failure (separation, diversity,
protection against over-pressure, environmental) have been taken for the SRP/CS, which according
to ISO 13849-1:2006, Annex F, results in a score of 75 points for the SRP/CS.
e) Determination of the PL for the SRP/CS
The PL for the SRP/CS is determined as follows:
— Category 3;
— medium MTTFd of each channel;
— medium DCavg ;
— 75 points for measures against CCF.
Applying these values to ISO 13849-1:2006, Figure 5, but with DCavg restricted to medium
(Category 3), gives a result of PL d.
f) Systematic failures
It is estimated that adequate measures against systematic failures have been applied to the SRP/CS
according to ISO 13849-1:2006, Annex G.

69
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

E.4.4 Safety function SF 3 — Hold-to-run mode

Movement of the rotary table (at a safely limited speed) with the interlocking guard open is initiated and
continues while the push-button S4 is actuated, and stops when the push-button is released. When the
push-button is in the released position, unexpected start-up has to be prevented. The signal from the
push-button S4 is processed by both PLCs.
a) Identification of safety-related parts
The safety-related parts of safety function SF 3 and their division into channels can be illustrated
by the safety-related block diagram shown in Figure E.10.

Figure E.10 — Safety-related block diagram — SF 3

The two parts of the diagram can each be mapped to the designated architecture for Category 1 and
Category 3, so the diagram can be simplified as the two SRP/CS (input, logic/output) shown in Figure E.11.

Figure E.11 — Combination of SRP/CS performing the safety function SF 3

For each SRP/CS, a PL has been estimated by applying the simplified procedure in
ISO 13849-1:2006, 4.5.4.
b) Estimation of MTTFd of each channel
The MTTFd for the SRP/CSI (hold-to-run push-button) is calculated using the manufacturer’s B10d
value to give a result of high MTTFd.
The estimation of the MTTFd of SRP/CSL/O provides, as in SRP/CSL/O of SF 1.0, an average result of
25 years (medium) for the MTTFd (more than 25 years) of each channel.
c) Estimation of DCavg
The DCavg has been calculated for both SRP/CS from the DC of the internal test and monitoring
measures executed on the different components.
Time monitoring of hold-to-run push-button S4 (low-high alternation in a time frame window) by
PLC A and PLC B according to ISO 13849-1:2006, Annex E, results in a DCavg low (75 %) for the SRP/CSI.
The monitoring measures as per SRP/CSL/O of SF 1.0 are provided in the SRP/CSL/O of SF 3, resulting
in a DCavg medium (90 %) for the SRP/CSL/O.
d) Estimation of measures against common-cause failure (CCF)
It is estimated that adequate measures against common-cause failure (separation, diversity,
protection against over-voltage, environmental) have been taken for each SRP/CS, which, according
to ISO 13849-1:2006, Annex F, results in a score of 75 points for both SRP/CS.
e) Determination of PL for each SRP/CS
The PL for each SRP/CS is determined as follows.

70
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

— SRP/CSI:
— Category 1;
— High MTTFd of the channel.
Applying these values to ISO 13849-1:2006, Figure 5, gives a result of PL c.
— SRP/CSL/O:
— Category 3;
— Medium MTTFd of each channel;
— Medium DCavg ;
— 75 points for measures against CCF.
Applying these values to ISO 13849-1:2006, Figure 5, gives a result of PL d.
f) Determination of the PL of the combination of SRP/CS performing SF 3
According to ISO 13849-1:2006, 6.3, and taking into account both SRP/CS of SF 3, the PL of the
overall combination of SRP/CS is determined as follows:
— PLlow = c;
— Nlow = 1.
The PL for the combination of SRP/CS of SF 3 is therefore PL c.
g) Systematic failures
It is estimated that the adequate measures against systematic failures have been taken for both
SRP/CS of SF 3 according to ISO 13849-1:2006, Annex G.

E.5 Validation
E.5.1 General
As stated in E.1, the example has been reduced to the validation of fault behaviour and diagnostic means
of safety functions SF 1.0 and SF 1.3.
According to 9.2 and 9.3, validation of fault behaviour and diagnostic means are performed by a review
of design documentation, a failure analysis and complementary fault injection tests.
The following steps are carried out.
a) Identify the diagnostic measures and the units (components, blocks) that they test/monitor.
b) Verify the DC value assigned to each diagnostic measure (DC) for a particular unit.
c) Analyse the fault behaviour of the system and define the test cases.
d) Check for correct calculation of the DCavg for each SRP/CS.
e) Carry out required tests to confirm the DC values.

71
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

E.5.2 Validation of fault behaviour and DCavg

A check of the design documentation (safety-related block diagram and list of diagnostic measures for
the SRP/CS) confirms that
— blocks (components) related to each SRP/CS and the combination of SRP/CS, in the safety-related
block diagrams, and
— diagnostic measures and monitored units
assumed in the design rationale are correct for all safety functions.
A FMEA is used to check the values of DC assigned to each monitored unit of each SRP/CS, and also the
fault behaviour of the system.
As safety function SF 1 has to fulfil both safety-related stopping and subsequent prevention of unexpected
start-up, the failure analysis for each associated component is considered in a separate row for each of
these requirements.
For the analysis, the appropriate fault lists given in Annexes A, B, C and D have been used.
The FMEA for safety functions SF 1.0 and SF 1.3, including test cases, are now considered.

E.5.3 FMEA and DCavg for SF 1.0 and SF 1.3

E.5.3.1 SF 1.0

In order to facilitate the analysis of SF 1.0, its safety-related block diagram is reproduced in Figure E.12.

Figure E.12 — Safety-related block diagram — SF 1.0

See Tables E.3 and E.4.

72
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.3 — FMEA and estimation of DC for components of SRP/CSI of SF 1.0

Component/ Tests for con-

Potential fault Fault detection Effect/reaction
unit firmation
Contact does not open Fault is recognized Electric motor M1 is Apply a static
when the guard is independently by stopped via T1a by the high level at the
opened (mechanical PLC A and PLC B PLC A and via K1 and relevant input
faults). a through signal change T1b by the PLC B and of both PLCs
F1 in B2 when the safety re-start is prevented. before the guard
Interlocking function is demanded is opened.
switch B1 (opening of the safety
guard, plausibility
check).
No dangerous fault — — —
F2 while the guard is open
(fault exclusion).
A plausibility check of B1 and B2 by PLC A and PLC B gives a DC of 99 % for B1 (see ISO 13849-1:2006,
Table E.1).
Contact does not open Fault is recognized Electric motor M1 is Apply a static
when the guard is independently by stopped via T1a by the high level at the
opened (electrical or PLC A and PLC B PLC A and via K1 and relevant input
mechanical faults) through signal change T1b by the PLC B and of both PLCs
F3 in B1 when the safety re-start is prevented. before the guard
function is demanded is opened.
(opening of the safety
Interlocking guard, plausibility
switch B2 check).
Spontaneous contact Fault is recognized Electric motor M1 is Apply a static
closure while the guard independently and stopped via T1a by the high level at the
is open (mechanical immediately by PLC A PLC A and via K1 and relevant input of
F4 faults). and PLC B as a result T1b by the PLC B and both PLCs while
of there being no re-start is prevented. the guard is
corresponding signal open.
change in B1.
A plausibility check of B1 and B2 by PLC A and PLC B gives a DC of 99 % for B2 (see ISO 13849-1:2006,
Table E.1).
NOTE Conductors are not included in the fault analysis because it is considered that they only fail due to systematic
causes.
a Electrical faults can be excluded because B1 posses a direct mode of actuation (see IEC 60947‑5‑1:2003, Annex K).

From the analysis it can be deduced that any single faults in the SRP/CSI will be detected either
immediately, or at the next demand upon the safety function. When a single fault occurs, the safety
function is always performed and re-start is prevented.
As a result of the analysis, it is considered that the assumed values of DC (high) during the design for B1
and B2 are adequate. As the DC of both components is equal (99 %), the DCavg of SRP/CSI is high (99 %),
as was estimated during the design.
These characteristics are typical for Category 3, selected in the design (see E.4.1) in order to comply
with the safety requirement specification given in E.3 (PLr).
In order to check the correct implementation of the diagnostic measures, the tests described in the final
column of Table E.3 could be applied.

73
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.4 — FMEA and estimation of DC of components for SRP/CSL/O of SF 1.0

Component/ Tests for con-

Potential faults Fault detection Effect/reaction
unit firmation
F1 Stuck-at-fault at the Fault is recognized by Electric motor M1 is Apply a static
input/output cards, PLC B through reading stopped by PLC B via high level at the
or stuck-at or wrong of G2 to compare its K1 and T1b after a stop output of
coding or no execution time-related signal time delay when the PLC A before the
in the CPU, which pre- with the expected guard is opened, and guard is open.
vents PLC A from send- change in the number re-start is prevented.
ing a stop command to of revolutions.
In the case of faults
T1a before or when the
Some faults (e.g. detected by PLC A
guard is opened.
output cards) are through reading of G1
recognized by PLC A during the operational
through reading of G1 stop, PLC A informs
at an operational stop PLC B. As a result of
of the electric motor reporting PLC B, the
M1 or when the safety electric motor M1 is
function is demanded. stopped and re-start is
prevented by PLC B.
Other faults can be
detected early by the In the case of faults
internal watchdog detected by WD, PLC A
(WDa) function of tries to stop electric
PLC A. motor M1 and prevent
the re-start via T1a
before the safety func-
tion is demanded or
before electrical motor
M1 comes to an opera-
tional stop, and then to
PLC A inform PLC B.
F2 Stuck-at-fault at the Faults cannot be Electric motor M1 Transfer the
input/ output cards, recognized by PLC B remains stopped by start signal to
or stuck-at or wrong through reading of PLC B via K1 and T1b the inverter
coding or no execu- G2 because the motor while the guard is while the guard
tion in the CPU, which M1 remains stopped open. is open.
removes the PLC A by PLC B via K1 and
In the case of faults
stop command from T1b while the guard is
detected by PLC A
T1a while the guard is open.
through reading of G1
open.
Some faults (e.g. on closing the guard,
output cards) are PLC A informs PLC B.
recognized by PLC A As a result of reporting
through reading of G1 PLC B, the unintended
on closing the guard. start-up of electric
motor M1 is prevented
The above and
by PLC B.
additional faults are
detected by opera- In the case of faults
tor through process detected by WD, PLC A
observation on closing tries to keep electric
the guard, or by PLC B motor M1 stopped and
when the safety func- to prevent the re-start
tion is next demanded via T1a, and to inform
(opening of the guard). PLC B.
Other faults can be
detected early by WDa
function of PLC A.
a Some internal faults of PLCs that, a priori, do not cause a failure of the safety function (e.g. inability of PLCs to send a
stop command to the drive or to a valve, or inability to keep a stop command on the drive or on a valve) can be detected by
the WD function.

74
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.4 (continued)

Component/ Tests for con-
Potential faults Fault detection Effect/reaction
unit firmation
As a result of the indirect monitoring of PLC A by PLC B through G2, PLC A’s indirect monitoring of its own
output card through G1, program sequence monitoring by the internal watchdog, and fault detection through
process observation, PLC A is considered to have a DC of 90 % (see ISO 13849-1:2006, Table E.1).
The above measures can be considered as being in relation to ISO 13849-1:2006, Table E.1, NOTE 2.
NOTE It is considered that most PLC faults occur at the input/output cards and are of the stuck-at type (90 % of all faults
in a PLC), but the WD function of a PLC can only detect some faults that affect program sequencing.
F3 Stuck-at-fault and other Fault is recognized by Electric motor M1 is Set the stop-
complex internal faults PLC B through reading stopped by PLC B via input of the
in control and power of G2 when the safety K1 and T1b after a inverter to high
electronics of the function is demanded. time delay when the before or when
inverter, which prevent guard is opened, and the guard is
Fault is recognized
T1a from stopping the re-start is prevented. opened.
also by PLC A through
motor before or when
reading of G1 at an PLC A informs PLC B
the guard is opened.
operational stop of the when a fault is rec-
electric motor M1 or ognized during the
when the safety func- operational stop. As
tion is demanded. a result of reporting
PLC B, the electric
motor M1 is stopped
and re-start is pre-
vented by PLC B.
F4 Stuck-at-fault and Fault cannot be Electric motor M1 Transfer the
Inverter T1a
other complex internal recognized by PLC B remains stopped by start signal to
faults in control and through reading of PLC B via K1 and T1b the inverter
power electronics of G2 because the motor while the guard is while the guard
the inverter, which M1 remains stopped open. is open.
provides gate signals to by PLC B via K1 and
On closing the guard,
power semiconductors T1b while the guard is
an unintended start-up
of T1a, while the guard open.
of the motor occurs
is open.
Fault will be detected (non-hazardous).
by the operator
PLC A informs PLC B
through process
when a fault is recog-
observation on closing
nized. As a result of
the guard.
reporting PLC B, the
Fault is also rec- unintended start-up
ognized by PLC A of electric motor M1 is
through reading of G1 prevented and re-start
on closing the guard. is prevented by PLC B.
As a result of the indirect monitoring of T1a by PLC B through G2, indirect monitoring of T1a by PLC A through
G1 and fault detection through process observation, T1a is considered to have a DC of 99 %.
a Some internal faults of PLCs that, a priori, do not cause a failure of the safety function (e.g. inability of PLCs to send a
stop command to the drive or to a valve, or inability to keep a stop command on the drive or on a valve) can be detected by
the WD function.

75
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.4 (continued)

Component/ Tests for con-
Potential faults Fault detection Effect/reaction
unit firmation
Stuck-at-fault at the Fault is recognized by Electric motor M1 is Keep K1 in the
input/output cards, PLC A monitoring of K1 immediately stopped energized posi-
or stuck-at or wrong mechanically linked by PLC A via T1a when tion when the
coding or no execu- feedback contact when the guard is opened guard is opened.
tion in the CPU, which the safety function is and re-start is pre-
prevents PLC B from demanded. vented.
switching off K1 before
Some faults can be In the case of faults
F5 or when the guard is
detected early by the detected by WD, PLC B
opened.
WDa function of PLC B. tries to inform PLC A
and then to stop the
electric motor M1 and
prevent the re-start
via T1b before the
PLC B safety function is
demanded.
Stuck-at-fault at the Fault is immediately Electric motor M1 is Switch K1 to its
input/output cards, recognized by PLC A kept stopped by PLC A energized posi-
or stuck-at or wrong monitoring of K1 via T1a while the tion while the
coding or no execu- mechanically linked guard is open, and re- guard is open.
tion in the CPU, which feedback contact. start is prevented.
removes the PLC B
F6 Some faults can be In the case of faults
stop command from
detected early by the detected by WD, PLC B
K1 while the guard is
WDa function of PLC B. tries to keep stopped
open.
the electric motor M1
and prevent the re-
start via T1b, and to
inform PLC A.
As a result of the indirect monitoring of PLC B by PLC A through the position of K1 feedback contact and pro-
gram sequence monitoring by the internal watchdog, PLC B is considered to have a DC of 90 %.
NOTE It is considered that most PLC faults occur at input/output cards and are of the stuck-at type (90 % of all faults in
a PLC), but the WD function of a PLC can only detect some faults that affect program sequencing.
The contact does not Fault is recognized by Electric motor M1 is Keep K1 contact
open when the guard is PLC A monitoring of K1 immediately stopped in the ON posi-
opened (electrical fault, mechanically linked by PLC A via T1a when tion when the
F7
e.g. welded contacts). feedback contact when the guard is opened guard is opened.
Relay contac- the safety function is and re-start is pre-
tor K1 demanded. vented.
No dangerous fault — — —
F8 while the guard is open
(fault exclusion).
Monitoring of relay contactor K1 by PLC A through the position of K1 mechanically linked feedback contact
gives a DC of 99 % for K1.
a Some internal faults of PLCs that, a priori, do not cause a failure of the safety function (e.g. inability of PLCs to send a
stop command to the drive or to a valve, or inability to keep a stop command on the drive or on a valve) can be detected by
the WD function.

76
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.4 (continued)

Component/ Tests for con-
Potential faults Fault detection Effect/reaction
unit firmation
Non-opening of inter- Fault is recognized by Electric motor M1 is Keep the input
nal relay contact when PLC A monitoring of immediately stopped of the coil of the
the guard is opened. mechanically linked by PLC A via T1a when blocking relay in
F9 feedback contact for the guard is opened T1b to high level
T1b internal relay and re-start is pre- when the guard
Inverter T1b when the safety func- vented. is opened.
tion is demanded.
No dangerous fault — — —
F10 while the guard is open
(fault exclusion).
Monitoring of the T1b internal (pulse-blocking) relay by PLC A gives a DC of 99 % for T1b.
a Some internal faults of PLCs that, a priori, do not cause a failure of the safety function (e.g. inability of PLCs to send a
stop command to the drive or to a valve, or inability to keep a stop command on the drive or on a valve) can be detected by
the WD function.

From the analysis, it can be deduced that single faults in the SRP/CS will be detected either immediately,
or at an operational stop of electric motor M1, or at the next demand upon the safety function. When a
single fault occurs, the safety function is always performed. Re-start is possible with only one channel
in the case of undetected faults in PLC A and PLC B.
The analysis determines that values of DC assumed during the design of the SRP/CSL/O are adequate.
Taking into account the estimated MTTFd values and the DC values for the various components used in
SRP/CSL/O, a DCavg result of medium (90 %) is achieved, as was estimated during the design.
These characteristics are typical for Category 3, selected in the design (see E.4.1) in order to comply
with the safety requirement specification given in E.3 (PLr).
To check the correct implementation of the diagnostic measures, the tests described in the final column
of Table E.4 could be applied.

E.5.3.2 SF 1.3

In order to facilitate the analysis of SF 1.3, its safety-related block diagram is reproduced in Figure E.13.

Figure E.13 — Safety-related block diagram for SF 1.3

For SRP/CSI of SF 1.3, the diagnostic measures and the tested/monitored units are identical to those for
SF 1.0 and therefore the DCavg of SRP/CSI is also high (99 %).
See Table E.5.

77
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.5 — FMEA of SRP/CSL/O of SF 1.3

Component/ Potential faults/ Tests for con-

Fault detection Effect/reaction
unit failure firmation
Stuck-at-fault at the Some faults (e.g. Pneumatic motor A3 Apply a static
input/output cards, output cards) are is stopped by PLC B high level at the
or stuck-at or wrong recognized by PLC A via 1V0 after a time 3V1 output of
coding or no execu- through reading of delay when the guard PLC A before the
tion in the CPU, which pressure sensor 3S1 at is opened. guard is opened.
prevents PLC A from an operational stop of
In the case of faults
switching off 3V1 the pneumatic motor
detected by PLC A
before or when the A3 or when the safety
through reading of 3S1
guard is opened. function is demanded.
during the operational
Other faults can be stop, PLC A informs
detected early by the PLC B. As a result of
WDa function of PLC A. reporting PLC B, the
pneumatic motor A3
is stopped via 3V1 and
F1
re-start is prevented
by PLC B.
For faults detected by
the WD, PLC A tries
to stop the pneumatic
motor A3 and to pre-
vent the re-start via
3V1 before the safety
function is demanded
or before the pneu-
matic motor A3 comes
to an operational stop
and then to inform
PLC B.
PLC A
Stuck-at-fault at the Some faults (e.g. Pneumatic motor A3 is Change the 3V1
input/output cards, output cards) are kept stopped by PLC B output of PLC A
or stuck-at or wrong recognized by PLC A via 1V0 while the to a high level
coding or no execu- through reading of guard is open. while the guard
tion in the CPU, which pressure sensor 3S1 is open.
On closing the guard,
causes PLC A to switch on closing the guard.
PLC B energizes 1V0
on 3V1 while the guard
Other faults can be and pneumatic motor
is open.
detected early by the A3 will restart-up (non
WDa function of the hazardous).
PLC A.
In the case of faults
detected by PLC A
through reading of 3S1
on closing the guard,
F2 PLC A informs PLC B.
As a result of reporting
PLC B, the unintended
start-up of pneumatic
motor A3 is prevented
and re-start is pre-
vented by PLC B.
For faults detected by
the WD, PLC A tries
to keep stopped the
pneumatic motor A3
and to prevent the
re-start via 3V1, and to
inform PLC B.

78
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.5 (continued)

Component/ Potential faults/ Tests for con-
Fault detection Effect/reaction
unit failure firmation
As a result of PLC A’s indirect monitoring of its own output card through 3S1 and program sequence monitor-
ing by the internal watchdog, PLC A is considered to have a DC of 90 %.
NOTE It is considered that most PLC faults occur at input/output cards and are of the stuck-at type (90 % of all faults in
a PLC), but the WD function of a PLC can only detect some faults that affect to program sequencing.
Non-switching (stick- Fault is recognized by Pneumatic motor A3 Keep the electri-
ing at the end posi- PLC A through reading is stopped by PLC B cal and pneu-
tion) or incomplete of pressure sensor via 1V0 after a time matic control
switching (sticking at 3S1 at an operational delay when the guard signals for 3V1
a random intermediate stop of the pneumatic is opened. at a high level
position) or change of motor A3 or when as the guard is
PLC A informs PLC B
F3 switching times, before the safety function is opened.
when a fault is rec-
or when the guard is demanded.
ognized. As a result
opened.
Faults are also of this reporting,
detected by the opera- PLC B stops via 1V0
Directional- tor through process the pneumatic motor
control sole- observation. A3 and any re-start is
noid valve prevented.
3V1
Spontaneous change of — — —
the initial switching posi-
tion (without an input
signal) while the guard
is open.
F4
NOTE This fault can be
excluded because 3V1 has
well-tried springs, and
normal installation and
operating conditions are
applied.
As a result of indirect monitoring of 3V1 by PLC A through 3S1 and fault detection through process observa-
tion, 3V1 is considered to have a DC of 99 %.

79
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.5 (continued)

Component/ Potential faults/ Tests for con-
Fault detection Effect/reaction
unit failure firmation
Stuck-at-fault at the Some faults (e.g. Pneumatic motor A3 is Apply a static
input/output cards, output cards) are immediately stopped high level at the
or stuck-at or wrong recognized by PLC B by PLC A via 3V1 when 1V0 output of
coding or no execu- through reading the the guard is opened. PLC B before the
tion in the CPU, which pressure switch 1S0 guard is opened.
In the case of faults
prevents PLC B from when the safety func-
detected by PLC B
switching off 1V0 tion is demanded.
through reading the
before or when the
Others can be detected pressure switch 1S0,
guard is opened.
early by WDa function PLC B informs PLC A
of PLC B. and keeps K1 deacti-
F5 vated. As a result of
reporting, PLC A pre-
vents the re-start.
For faults detected by
the WD, PLC B tries to
inform PLC A and then
to stop the pneumatic
motor A3 via 1V0 and
to prevent the re-start
before the safety func-
PLC B tion is demanded.
Stuck-at-fault at the Some faults (e.g. out- Pneumatic motor A3 is Change the 1V0
input/output cards, put cards) are imme- kept stopped by PLC A output of PLC B
or stuck-at or wrong diately recognized by via 3V1 while the to a high level
coding or no execu- PLC B through reading guard is open. while the guard
tion at the CPU, which the pressure switch is open.
In the case of faults
causes PLC B to switch 1S0.
detected by PLC B
on 1V0 while the guard
Others can be detected through reading the
is open.
early by WDa function pressure switch 1S0,
of PLC B. PLC B informs PLC A
and keeps K1 deacti-
F6
vated. As a result of
reporting, PLC A pre-
vents the re-start.
In the case of faults
detected by WD, PLC B
tries to inform PLC A
and then to keep
stopped the pneumatic
motor A3 via 1V0 and
prevent the re-start.
As a result of the indirect monitoring by PLC B of its own output card through 1S0, indirect monitoring of PLC B
by PLC A through the position of K1 feedback contact and program sequence monitoring by the internal watch-
dog, PLC B is considered to have a DC of 90 %.
NOTE It is considered that most PLC faults occur at input/output cards and are of the stuck-at type (90 % of all faults in
a PLC), but the WD function of a PLC can only detect some faults that affect program sequencing.

80
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Table E.5 (continued)

Component/ Potential faults/ Tests for con-
Fault detection Effect/reaction
unit failure firmation
F7 Directional- Non-switching (stick- Fault is recognized by Pneumatic motor A3 is Apply a static
control sole- ing at the end posi- PLC B through reading immediately stopped high level at the
noid valve tion) or incomplete of pressure switch 1S0 by PLC A via 3V1 when 1V0 output of
1V0 switching (sticking at when the safety func- the guard is opened. PLC B before the
a random intermediate tion is demanded. guard is opened.
In the case of faults
position) or change of
detected by PLC B
switching times, before
through reading the
or when the guard is
pressure switch 1S0,
opened.
PLC B informs PLC A
and keeps K1 de-
energized. As a result
of reporting, PLC A
prevents the re-start.
F8 Magnetic Spontaneous change — — —
valve 1V0 of the initial switching
position (without an
input signal) while the
guard is open.
NOTE This fault can
be excluded because
1V0 possesses well-
tried springs and
normal installation and
operating conditions
are applied.
Indirect monitoring of 1V0 by PLC B through 1S0 gives a DC of 99 % for 1V0.
a Some internal faults of PLCs that, a priori, do not cause a failure of the safety function (e.g. inability of PLCs to send a
stop command to the drive or to a valve, or inability to keep a stop command on the drive or on a valve) can be detected by
the WD function.

From the analysis, it can be deduced that most single faults in the SRP/CS will be detected either
immediately, or at an operational stop of the pneumatic motor, A3, or at the next demand upon the safety
function. When a single fault occurs, the safety function is always performed. Re-start is possible with
only one channel in the case of undetected faults in PLC A and PLC B.
The analysis determines that values of DC assumed during the design of the SRP/CSL/O are adequate.
Taking into account the estimated MTTFd values and the DC values for the various components used in
SRP/CSL/O, a DCavg result of medium (90 %) is achieved, as was estimated during the design.
These characteristics are typical for Category 3, selected in the design (see E.4.1) in order to comply
with the safety requirement specification given in E.3 (PLr).
To check the correct implementation of the diagnostic measures, the tests described in the final column
of Table E.5 could be applied.

81
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Bibliography

[1] ISO 4079-1, Rubber hoses and hose assemblies — Textile-reinforced hydraulic types — Specification
— Part 1: Oil-based fluid applications
[2] ISO 4413:2010, Hydraulic fluid power — General rules and safety requirements for systems and
their components
[3] ISO 4414:2010, Pneumatic fluid power — General rules and safety requirements for systems and
their components
[4] ISO 4960, Cold-reduced carbon steel strip with a mass fraction of carbon over 0,25 %
[5] ISO 5598:2008, Fluid power systems and components — Vocabulary
[6] ISO 11161, Safety of machinery — Integrated manufacturing systems — Basic requirements
[7] ISO 13850, Safety of machinery — Emergency stop — Principles for design
[8] ISO 13851, Safety of machinery — Two-hand control devices — Functional aspects and design principles
[9] ISO 13855, Safety of machinery — Positioning of safeguards with respect to the approach speeds of
parts of the human body
[10] ISO 13856 (all parts), Safety of machinery — Pressure-sensitive protective devices
[11] ISO 14118:2000, Safety of machinery — Prevention of unexpected start-up
[12] ISO 14119:1998, Safety of machinery — Interlocking devices associated with guards — Principles
for design and selection
[13] IEC 60204-1:2005, Safety of machinery — Electrical equipment of machines — Part 1: General
requirements
[14] IEC 60269-1, Low-voltage fuses — Part 1: General requirements
[15] IEC 60529, Degrees of protection provided by enclosures (IP code)
[16] IEC 60664 (all parts), Insulation coordination for equipment within low-voltage systems
[17] IEC 60812, Analysis techniques for system reliability — Procedure for failure mode and effects
analysis (FMEA)
[18] IEC 60893-1, Insulating materials — Industrial rigid laminated sheets based on thermosetting
resins for electrical purposes — Part 1: Definitions, designations and general requirements
[19] IEC 60947 (all parts), Low-voltage switchgear and controlgear
[20] IEC 61025, Fault tree analysis (FTA)
[21] IEC 61078, Analysis techniques for dependability — Reliability block diagram and boolean methods
[22] IEC 61131-1, Programmable controllers — Part 1: General information
[23] IEC 61131-2, Programmable controllers — Part 2: Equipment requirements and tests
[24] IEC 61165, Application of Markov techniques
[25] IEC 61249 (all parts), Materials for printed boards and other interconnecting structures
[26] IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems

82
 DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

[27] IEC 61558 (all parts), Safety of power transformers, power supplies, reactors and similar products
[28] IEC 61800-5-2, Adjustable speed electrical power drive systems — Part 5-2: Safety requirements —
Functional
[29] IEC 61810 (all parts), Electromechanical elementary relays
[30] EN 952:1996, Safety of machinery — Safety requirements for fluid power systems and their
components — Hydraulics
[31] EN 953:1996, Safety of machinery — Safety requirements for fluid power systems and their
components — Pneumatics
[32] EN 50205, Relays with forcibly guided (mechanically linked) contacts
[33] EN 60730 (all parts), Automatic electric controls for household and similar use
[34] JESD22A121.01,Test Method for Measuring Whisker Growth on Tin and Alloy Surfaces Finishes1)
[35] JESD201, Environmental Acceptance Requirements for Tin Whisker Susceptibility of Tin and Alloy
Surface Finishes1)

1) JEDEC Solid State Technology Association, 2500 Wilson Boulevard, Arlington, VA 22201-3834, www.jedec.
org/download/search/22a1121-01.pdf

83
DIN EN ISO 13849-2:2013-02
EN ISO 13849-2:2012 (E)

Annex ZA
(informative)
Relationship between this European Standard and the Essential
Requirements of EU Directive 2006/42/EC

This European Standard has been prepared under a mandate given to CEN by the European Commission
and the European Free Trade Association to provide a means of conforming to Essential Requirements of the
New Approach Directive Machinery, 2006/42/EC.

Once this standard is cited in the Official Journal of the European Union under that Directive and has been
implemented as a national standard in at least one Member State, compliance with the normative clauses of
this standard confers, within the limits of the scope of this standard, a presumption of conformity with the
relevant Essential Requirements 1.2.1 of that Directive and associated EFTA regulations.

WARNING — Other requirements and other EU Directives may be applicable to the product(s) falling
within the scope of this standard.

84