Standards and Directives
Risk parameters and categories in accordance with EN 954-1/EN ISO 13849-1 1)

Risk parameters
S = Severity of injury:
  1 = Slight (normally reversible) injury
  2 = Serious (normally irreversible) injury, including death
F = Frequency and/or duration of exposure to the hazard:
  1 = Seldom to quite often and/or exposure time is short
  2 = Frequent to continuous and/or exposure time is long
P = Possibility of avoiding the hazard:
  1 = Possible under specific conditions
  2 = Scarcely possible

[Figure: Risk graph from EN 954-1. From the starting point for risk estimation, the graph branches on S, then F, then P, and each path ends at one of the Categories B, 1, 2, 3 or 4.]

Categories in accordance with EN 954-1
The control system requirements derived from the risk graph are specified as follows:
Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany, Telephone: +49 711 3409-0, Telefax: +49 711 3409-133, E-Mail: pilz.gmbh@pilz.de 2008-09
Category B
Basic category with no special requirements = "good industrial standard".
Category 1
Safety-related parts must be designed and constructed using well-tried components and well-tried safety principles.
Well-tried means: the components have been widely used in the past with successful results in similar applications, or they have been manufactured using principles that demonstrate their suitability and reliability for safety-related applications.
Example: safety switch with forced-opening contacts.
Well-tried safety principles are circuits constructed in such a way that certain faults are excluded by the appropriate arrangement or layout of components.
Examples: avoiding a short circuit through appropriate separation, avoiding component failures by overdimensioning (derating), using the failsafe principle (de-energisation leads to the safe state).
Note: In Category 1 the occurrence of a single fault can lead to the loss of the safety function; there is no fault detection.
Category 2
Safety-related parts of control systems must be designed so that their safety function(s) are checked at suitable intervals by the machine control system. The safety function(s) must be checked at machine start-up and prior to the initiation of any hazardous situation, and periodically during operation if the risk assessment and the kind of operation show that this is necessary.
This check may be initiated automatically or manually. Automatically, for example, the check may be initiated by a signal generated by a control system at suitable intervals. The automatic test should be provided by preference. The decision about the type of test depends on the risk assessment and the judgement of the end user or machine builder. If no fault is detected, operation may be approved as a result of the test. If a fault is detected, an output must be generated to initiate appropriate control action. A second, independent shutdown route is required for this, because the checked channel itself can no longer be relied on to remove power.
Notes: In some cases Category 2 is not applicable because the checking of the safety function cannot be applied to all components and devices. Moreover, the cost involved in implementing Category 2 correctly may be considerable, so that it may make better economic sense to implement a different category.
In general Category 2 can be realised with electronic techniques. The system behaviour allows the occurrence of a fault to lead to the loss of the safety function between checks; the loss of the safety function is detected by the next check, not at the moment the fault occurs.
Category 3
Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to the loss of the safety function.
Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
This does not mean that all faults will be detected. The accumulation of undetected faults can lead to an unintended output signal and a hazardous situation at the machine: the first fault is tolerated by the redundant part, but if it remains undetected, a second fault in the other part defeats the safety function.
Category 4
Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to a loss of the safety function, and the single fault must be detected at or before the next demand upon the safety function (e.g. immediately at switch-on, or at the end of a machine operating cycle).
If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
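The behaviours that distinguish Categories 1 to 4 above (loss of the function on a single fault, loss between checks, accumulation of undetected faults, detection at the next demand with restart inhibited) can be made concrete with a small fault-injection model. The following is an added example written for this page; it is not Pilz code and not taken from EN 954-1. It assumes a stop function implemented with power contactors whose main contacts are wired in series, the only fault modelled being a contact that welds closed (power stays applied although the coil is de-energised), and a feedback-loop check that reads all contacts back after each stop demand. The contactor names K1/K2 and all function names are constructed for the example.

```python
"""Fault-injection model of the EN 954-1 category behaviours (constructed example)."""
from dataclasses import dataclass


@dataclass
class Contactor:
    """Power contactor. `welded` models the fault 'contact stays closed'."""
    name: str
    energised: bool = True   # coil state commanded by the control system
    welded: bool = False     # injected fault

    def closed(self) -> bool:
        return self.energised or self.welded


class StopCircuit:
    """Main contacts of all contactors are in series: any one opening removes power.
    With `feedback=True` the contacts are read back after every stop demand, which is
    the 'detected at or before the next demand' test; a detected fault inhibits restart."""

    def __init__(self, contactors, feedback: bool):
        self.contactors = contactors
        self.feedback = feedback
        self.locked_out = False

    def power_on(self) -> bool:
        return all(c.closed() for c in self.contactors)

    def demand(self) -> bool:
        """Stop demand. Returns True if power was actually removed."""
        for c in self.contactors:
            c.energised = False
        if self.feedback and any(c.closed() for c in self.contactors):
            self.locked_out = True          # a contact did not open: fault detected
        return not self.power_on()

    def restart(self) -> bool:
        """Re-enable the machine; refused once a fault has been detected."""
        if self.locked_out:
            return False
        for c in self.contactors:
            c.energised = True
        return True


def category_1_single_fault() -> bool:
    """Cat 1: one well-tried contactor, no test. A single fault loses the function."""
    k1 = Contactor("K1")
    circ = StopCircuit([k1], feedback=False)
    k1.welded = True
    return circ.demand()                    # False: power stays applied


def category_2_between_checks():
    """Cat 2: single channel checked at intervals by the machine control.
    Returns (demand performed while faulted, fault detected by the next check)."""
    k1 = Contactor("K1")
    circ = StopCircuit([k1], feedback=False)

    def check() -> bool:                    # test: drop out, read back, re-energise
        k1.energised = False
        ok = not k1.closed()
        k1.energised = True
        return ok

    if not check():
        raise RuntimeError("start-up check must pass on a fault-free circuit")
    k1.welded = True                        # fault occurs between two checks
    performed = circ.demand()               # False: loss of the safety function
    circ.restart()
    detected = not check()                  # True: next check finds it; trigger the
    return performed, detected              # second, independent shutdown route here


def category_3_accumulation():
    """Cat 3 with a single fault that goes undetected: first demand is still met,
    but a second, accumulated fault defeats the function."""
    k1, k2 = Contactor("K1"), Contactor("K2")
    circ = StopCircuit([k1, k2], feedback=False)
    k1.welded = True
    first = circ.demand()                   # True: K2 still opens
    circ.restart()                          # nothing detected, machine runs on
    k2.welded = True                        # second fault accumulates
    second = circ.demand()                  # False: hazardous situation
    return first, second


def category_4_detected():
    """Cat 4: single fault tolerated AND detected at the next demand; restart is
    inhibited, so faults cannot accumulate. Returns (first demand met, locked out, restarted)."""
    k1, k2 = Contactor("K1"), Contactor("K2")
    circ = StopCircuit([k1, k2], feedback=True)
    k1.welded = True
    first = circ.demand()                   # True: K2 opens
    restarted = circ.restart()              # False: fault detected, no restart
    return first, circ.locked_out, restarted


if __name__ == "__main__":
    print("Cat 1 demand met with welded K1:", category_1_single_fault())
    print("Cat 2 (met while faulted, detected by check):", category_2_between_checks())
    print("Cat 3 (first demand, after accumulation):", category_3_accumulation())
    print("Cat 4 (first demand, locked out, restarted):", category_4_detected())
```

The model deliberately treats "detection" as the feedback read-back after a demand, which is what a contactor feedback loop gives you in practice; it says nothing about diagnostic coverage or about faults other than a welded contact, so it illustrates the category definitions rather than proving any real circuit meets them.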
1) Only applicable until November 2009; replaced by EN ISO 13849-1.