Choice of Safety Category
“A fault in the control circuit logic, or failure of or damage to the control circuit must not lead to dangerous situations.” This is the requirement of the EU Machinery Directive and of EN 292-2:1991 under heading 1.2.7, “Failure of the control circuit”. EN 954-1 terminates on November 1, 2009, to be replaced completely by EN ISO 13849-1. During the transition period it is possible to choose which of the two standards to apply. A further standard that can be applied to safety-related parts of control systems is EN 62061.
The significance of this statement is that a single fault, such as a jammed relay, a short-circuited transistor or a short circuit between two conductors, must not cause the safety function to fail with the risk of consequent personal injury. Note that “a fault” means the system is only expected to handle one fault at a time: two components failing simultaneously is not regarded as likely, as long as they cannot both be made to fail by the same external influence. This safety requirement was not newly introduced with the Machinery Directive; it has existed in other regulations for many years.
Choice of Category
It is above all a question of the technology available. Gate operation equipment can, for example, be fitted with a controlled interlocking switch (category 1). Interlocking circuits built with relays, transistors, etc. normally require solutions in categories 2 to 4 in order to achieve a higher safety level than standard control circuits. Appendix B of EN 954-1 shows an example of how a category is chosen; it gives some guidance but is quite inadequate on its own. The safety category is chosen on the basis of the risk presented by the machinery, which is estimated from the parameters S (severity of injury), F (frequency and/or exposure time to the hazard) and P (possibility of avoiding the hazard).
Creating a Control Reliable Safety System
Where required by the applicable ANSI standard (for example clause 4.5.4 of ANSI/RIA R15.06-1999), the following circuits show why safety relays are needed to achieve control reliable circuits. Control reliable systems must be designed “such that a single component failure within the system does not prevent the stopping action from taking place but will prevent successive system cycle until that failure has been corrected.”
Ladder Diagram of a Common Emergency Stop Circuit
In this typical emergency stop circuit the weakest link is relay CR1. Its contacts can weld closed or, since the relay relies on a spring to drop out, it can fail mechanically. If such a failure occurred, energy would continue to reach the load, resulting in an UNSAFE CONDITION that could cause machine damage and/or personnel injury. ANSI standards and OSHA regulations demand that such a condition be prevented.
Ladder Diagram using two Force-Guided Relays to Achieve Redundancy
According to the definition of control reliability we must guard against failure of CR1, since it is a single point of failure. Redundancy alone is not sufficient: if one of the two relays fails you are back to square one, because with the redundancy lost the second relay could fail on a subsequent machine cycle without anyone noticing. The condition of the redundant relays must therefore be monitored, and force-guided (positively guided) relays are the best way to accomplish this.
Ladder Diagram of a Circuit using three Force-Guided Relays
This circuit is approaching control reliability. Using positively guided relays provides redundancy and cross-monitoring of the relay contacts, but it does not detect short circuits across contacts or wiring, nor faults in the reset circuit.
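The three ladder diagrams above, exercised under single-fault injection as an added Python simulation (it is not code from this page or from any relay supplier). Relay names CR1 to CR3 follow the text; the fault kinds, the circuit descriptions in `CIRCUITS` and the function names are this example's own assumptions, and only faults in the output relays CR1 and CR2 are injected. It applies the control-reliability test literally: does the stop still happen after the fault, and is the next cycle refused until the fault is corrected?

```python
from dataclasses import dataclass


@dataclass
class Relay:
    """One relay with a NO contact (in the load path) and a NC contact (used for monitoring).
    With force-guided (positively guided) contacts a welded NO contact mechanically holds
    the NC contact open; for a plain relay we assume the worst case, a NC that still closes."""
    name: str
    force_guided: bool = False
    energized: bool = False
    welded_no: bool = False    # fault: NO contact welded closed
    shorted_no: bool = False   # fault: external wiring short across the NO contact
    stuck_out: bool = False    # fault: open coil or jammed armature, relay cannot pull in

    def energize(self, on: bool) -> None:
        self.energized = on and not self.stuck_out

    def no_closed(self) -> bool:
        return self.energized or self.welded_no or self.shorted_no

    def nc_closed(self) -> bool:
        if self.welded_no and self.force_guided:
            return False
        return not self.energized


# The three ladder diagrams: which relays carry the load and whether CR3 cross-monitors them.
# (Assumed description of the diagrams, not a vendor circuit.)
CIRCUITS = {
    "single relay CR1": dict(outputs=("CR1",), guided=False, monitored=False),
    "two redundant relays": dict(outputs=("CR1", "CR2"), guided=True, monitored=False),
    "three force-guided relays": dict(outputs=("CR1", "CR2"), guided=True, monitored=True),
}
FAULTS = ("welded_no", "shorted_no", "stuck_out")


def build(spec):
    relays = {n: Relay(n, spec["guided"]) for n in spec["outputs"]}
    if spec["monitored"]:
        relays["CR3"] = Relay("CR3", True)
    return relays


def load_powered(spec, relays) -> bool:
    """NO contacts of all output relays are in series with the load."""
    return all(relays[n].no_closed() for n in spec["outputs"])


def press_start(spec, relays) -> bool:
    """Operator presses start/reset with the e-stop released. Returns True if the load runs."""
    if spec["monitored"]:
        # CR3 pulls in only through the series NC contacts of CR1 and CR2, i.e. only when
        # both output relays have verifiably dropped out (cross-monitoring).
        relays["CR3"].energize(all(relays[n].nc_closed() for n in spec["outputs"]))
        if not relays["CR3"].energized:
            return False
    for n in spec["outputs"]:
        relays[n].energize(True)
    return load_powered(spec, relays)


def press_estop(spec, relays) -> bool:
    """E-stop opens every coil circuit. Returns True if the load is STILL powered (unsafe)."""
    for r in relays.values():
        r.energize(False)
    return load_powered(spec, relays)


def evaluate(circuit: str, relay: str, fault: str):
    """Inject one fault while the machine runs; report (stop succeeded, restart blocked)."""
    spec = CIRCUITS[circuit]
    relays = build(spec)
    assert press_start(spec, relays)          # healthy machine runs
    setattr(relays[relay], fault, True)       # fault occurs during the cycle
    stops = not press_estop(spec, relays)
    restart_blocked = not press_start(spec, relays)
    return stops, restart_blocked


def uncovered_faults(circuit: str):
    """Single faults that either defeat the stop or go undetected at the next start."""
    spec = CIRCUITS[circuit]
    return [(r, f) for r in spec["outputs"] for f in FAULTS if not all(evaluate(circuit, r, f))]


def second_fault_defeats_stop(circuit: str) -> bool:
    """CR1 welds, the machine is restarted, then CR2 welds. True if the stop is lost."""
    spec = CIRCUITS[circuit]
    relays = build(spec)
    press_start(spec, relays)
    relays["CR1"].welded_no = True
    press_estop(spec, relays)
    if not press_start(spec, relays):         # first fault caught: no further cycle happens
        return False
    if "CR2" in relays:
        relays["CR2"].welded_no = True
    return press_estop(spec, relays)


if __name__ == "__main__":
    for name in CIRCUITS:
        print(f"{name:28} uncovered={uncovered_faults(name)} "
              f"second fault unsafe={second_fault_defeats_stop(name)}")
```

The single-relay circuit fails the stop outright on a welded CR1; the two-relay circuit still stops but accepts the next start, so the second weld defeats it; the three-relay circuit refuses the restart because the welded NO contact holds CR1's NC contact open and CR3 cannot pull in. The remaining entries in its `uncovered_faults` list are the external shorts across a contact, which is exactly the gap the text notes.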
1. Examples of Control Circuits by Safety Category
This part provides control circuit (safety circuit) examples grouped by category. The circuits are electrical interlocking mechanisms built from protective door switches and safety switches.
Note 1:
These interlock mechanisms are only part of the safety system of a machine. An appropriate system suited to the safety of the overall machine must be designed, selected and constructed after evaluating the risks in the work environment and the hazardous conditions, such as the frequency of access to hazardous areas and the time required for the hazard to be removed.
Note 2:
Circuit Examples
Safety Components
The safety components used in these circuit examples are equipped with the functions required by the standards, such as a direct opening mechanism for switches and forcibly (positively) guided contacts for relays. These functions only deliver the intended safety when the component is applied correctly within the control system in which it is used; a safety-related control system cannot be constructed from the safety components alone.
Safety Category
(1) Category B applies basic safety rules, such as those regarding the operating environment, that are common to all other categories; it is not applied to interlocking devices for ordinary safety guards (safety doors).
(2) In the simple circuit examples for categories 1 to 4, the safety functions required for each category are included to show the circuit concepts. When designing a safety-related control system using safety components, refer to the Circuit Diagrams.
(1) Safety Category 1
● Circuit with a Single Limit Switch
Examples of Applicable Control Parts
SW1: Safety limit switch (direct opening mechanism)
K1: Relay
KM1: Magnetic contactor
Category 1: Main Safety Functions
Fully Proven Parts and Safety Principles
1. Basic safety circuit configuration that tolerates ground (earth) faults.
2. Control circuit opened directly (forced) by a safety switch in positive mode. (SW1)
3. Use of parts such as switches and relays that conform to EN and other standards.
(2) Safety Category 2
● Circuit with a Single Limit Switch
Examples of Applicable Control Parts
SW1: Safety limit switch (direct opening mechanism)
S1: Reset switch
K1 and K2: Safety relays
KM1: Magnetic contactor
Category 2: Main Safety Functions
<Fully Proven Parts and Safety Principles> (Refer to safety category 1.)
<Monitoring Operation>
1. Monitors operation at appropriate intervals using the control system.
2. Monitors contact welding using safety relays.
Note: The safety function will be lost by a single failure, such as a short circuit in the input wiring.
(3) Safety Category 3
● Circuit with two Limit Switches
Examples of Applicable Control Parts
SW1: Safety limit switch (direct opening mechanism)
SW2: Limit switch
S1: Reset switch
K1, K2, and K3: Safety relays
KM1 and KM2: Magnetic contactors
Category 3: Main Safety Functions
<Fully Proven Parts and Safety Principles> (Refer to safety category 1.)
<Redundancy>
1. Input redundancy using switches:
Improves reliability with duplicate input using safety switch SW1 in positive operation connected in parallel with safety switch SW2 in negative operation.
2. Circuit redundancy using relays:
Improves reliability with duplicate relay coil operating circuits K1 and K2 connected in parallel.
3. Output redundancy using relays:
Improves reliability with duplicate interface relay unit output circuits KM1 and KM2 connected in parallel.
<Automatic safety check at the start of operation>
This automatically checks all relay contacts for faults via the safety circuit interface relay and prevents the start of operation if any fault is found. (K3)
<Monitoring Operation>
1.Contact welding:
Detects whether the contacts of interface relays K1 and K2 are welded shut, and turns OFF the coil power supply for magnetic contactors KM1 and KM2 if welding has occurred. (K3)
2.Safety door:
Monitors whether the safety doors are open or closed via safety switch SW1 in positive operation and safety switch SW2 in negative operation.
<Diversity>
Reduces common faults by combining safety switch SW1 in positive operation with safety switch SW2 in negative operation.
(4) Safety Category 4
● Circuit with an Electromagnetic-locking Safety Door Switch and a Limit Switch
Examples of Applicable Control Parts
SW1: Electromagnetic lock safety door switch (direct opening mechanism)
SW2: Lock monitoring switch
SW3: Safety limit switch (direct opening mechanism)
S1: Reset switch
K1, K2, K3: Safety relays
KM1, KM2: Magnetic contactors
Category 4: Main Safety Functions
<Fully Proven Parts and Safety Principles> (1, 2, and 3: Refer to safety category 1.)
4.Fail-safe design keeps the safety door locked when power fails.
5.Foolproof design prevents incorrect operation.
<Redundancy>
1. Input redundancy using switches: Two-channel input with limit switches SW1 and SW3 in positive operation.
2. Circuit redundancy using relays: Improves reliability with duplicate relay coil operating circuits K1 and K2.
3. Output redundancy using relays: Improves reliability with duplicate interface relay unit output circuits KM1 and KM2 connected in parallel.
4. Feedback circuit: Improves reliability by feeding back the series-connected normally closed contacts of interface relay unit output circuits KM1 and KM2 to the interface relay unit.
<Diversity>
Reduces common faults by combining safety switch SW1 in positive operation with safety switch SW3 in negative operation.
<Short-circuit detection>
Applies a different electrical potential to each channel of the two-channel input, so that a short circuit between the two channels (or from a channel to the supply) changes what the relay unit sees and is detected instead of being read as a closed door.
<Automatic safety check at the start of operation>
This automatically checks all relay contacts for faults via the safety circuit interface relay and prevents the start of operation if any fault is found. (K3) The magnetic contactors have mirror contacts: their normally closed contacts maintain a gap of at least 0.5 mm even if a normally open contact is welded shut, which is what makes the feedback circuit a reliable check.
<Monitoring Operation>
1. Contact welding: Detects whether the contacts of interface relays K1 and K2 as well as magnetic contactors KM1 and KM2 are welded shut, and turns OFF the coil power supply for magnetic contactors KM1 and KM2 if welding has occurred. (K3)
2.Safety door: Monitors whether the safety doors are open or closed via safety switches SW1 and SW3, and whether they are locked via safety switch SW2.
Note: Construct the circuit so that operation of the lock release switch Sr is ANDed with the complete-standstill (rotation stopped) signal, i.e. the door lock can only be released once the hazardous motion has fully stopped.
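The category 4 input-side functions above (two-channel input, short-circuit detection by a distinct potential per channel, the KM1/KM2 feedback loop with mirror contacts, and the start-up check), as an added Python simulation. It is not the original circuit or any supplier's relay firmware: the 8-slot test-pulse patterns, the `Wiring` and `Contactor` classes and the function names are this example's own assumptions. It goes slightly beyond the text by also showing what a level-only two-channel input reports on the same wiring faults, which is where the difference between a detected single fault and a latent one becomes visible.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SLOTS = 8
ZEROS = (0,) * SLOTS
ONES = (1,) * SLOTS
# The relay unit sources each channel with its own test-pulse pattern: the channel supply is
# briefly switched off in a different slot per channel, so the two wires never carry the same
# potential in every slot. Slot positions are an assumption of this example.
PATTERNS = {1: (1, 1, 0, 1, 1, 1, 1, 1), 2: (1, 1, 1, 1, 1, 0, 1, 1)}


@dataclass
class Wiring:
    """Constructed state of the door-switch wiring (not measured data)."""
    sw1_closed: bool = True             # SW1 contact in channel 1 (closed = door shut)
    sw3_closed: bool = True             # SW3 contact in channel 2
    cross_short: bool = False           # channel 1 and channel 2 wires shorted together
    short_to_24v: Optional[int] = None  # channel whose wire is shorted to the +24 V supply


def wire_levels(w: Wiring) -> Tuple[tuple, tuple]:
    """Waveforms present on the two input wires, slot by slot, with wiring faults applied."""
    ch = {1: PATTERNS[1] if w.sw1_closed else ZEROS,
          2: PATTERNS[2] if w.sw3_closed else ZEROS}
    if w.short_to_24v in ch:
        ch[w.short_to_24v] = ONES        # tied to supply: permanently high, test gap gone
    if w.cross_short:                    # wires tied together: each sees the OR of both
        both = tuple(a | b for a, b in zip(ch[1], ch[2]))
        ch[1] = ch[2] = both
    return ch[1], ch[2]


def evaluate_pulsed(w: Wiring) -> str:
    """Relay-unit evaluation: each channel must echo exactly its own test pattern."""
    s1, s2 = wire_levels(w)
    if s1 == PATTERNS[1] and s2 == PATTERNS[2]:
        return "closed"
    if s1 == ZEROS and s2 == ZEROS:
        return "open"
    return "fault"   # discrepancy, cross short or short to supply: start is inhibited


def evaluate_level_only(w: Wiring) -> str:
    """The same wiring read by a two-channel input that compares levels but sends no pulses."""
    s1, s2 = wire_levels(w)
    high1, high2 = max(s1) == 1, max(s2) == 1
    if high1 and high2:
        return "closed"
    if not high1 and not high2:
        return "open"
    return "fault"


@dataclass
class Contactor:
    """Magnetic contactor with a mirror contact: the NC auxiliary cannot close while a main
    NO contact is welded (the 0.5 mm gap guarantee referred to in the text)."""
    energized: bool = False
    welded: bool = False

    def mirror_nc_closed(self) -> bool:
        return not (self.energized or self.welded)


def start_permitted(w: Wiring, km1: Contactor, km2: Contactor) -> bool:
    """Start/reset is accepted only when both door channels are healthy and closed and the
    feedback loop (KM1 and KM2 mirror contacts in series) proves both contactors dropped out."""
    return (evaluate_pulsed(w) == "closed"
            and km1.mirror_nc_closed() and km2.mirror_nc_closed())


if __name__ == "__main__":
    cases = {
        "door shut, healthy": Wiring(),
        "door open": Wiring(sw1_closed=False, sw3_closed=False),
        "latent cross short, door shut": Wiring(cross_short=True),
        "cross short + ch1 to 24 V, door open": Wiring(False, False, True, 1),
        "SW1 stuck closed, door open": Wiring(sw1_closed=True, sw3_closed=False),
    }
    for name, w in cases.items():
        print(f"{name:40} pulsed={evaluate_pulsed(w):7} level-only={evaluate_level_only(w)}")
    print("start with KM1 welded:", start_permitted(Wiring(), Contactor(welded=True), Contactor()))
```

The cross short on its own is the instructive case: with the door shut it does nothing harmful, so a level-only input reports "closed" and the fault stays latent until a second fault (here a short to +24 V) makes the open door look closed. The pulsed evaluation flags the cross short immediately because the gap in each channel's pattern has been filled by the other channel, which is the point of driving the two channels at different potentials.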