A

Mechanical

A.1

A.2

A.3

A.4, A.5

B

Pneumatic

B.1

B.2

B.3

B.4 to B.19

C

Hydraulic

C.1

C.2

C.3

C.4 to C.13

D

Electrical (includes electronics)

D.1

D.2

D.3

D.4 to D.22

NOTE 1   Several safety principles are relevant from component level up to the use of the machine, e.g., use of suitable materials and adequate manufacturing, correct dimensioning and shaping, proper selection, combination, arrangements, assembly, and installation of components/system. These principles typically are relevant for the design and manufacturing of components (e.g., correct dimensioning of housing), the design and integration of components into subsystems (e.g., correct dimensioning of component parameters with respect to the expected load) and the installation and use of components and subsystems (e.g., correct dimensioning of filters and maintenance intervals).

NOTE 2   For the design and manufacturing of components fulfilment of product standards can be helpful for the confirmation of some basic or well-tried safety principles. In most cases the fulfilment of product standards is necessary to fulfil the basic safety principle proper selection, combination, arrangement, assembly, and installation of components/system.

NOTE 3   The specification of operating conditions and limits of use, e.g., in data sheets and installation and operation instructions, usually show that the safety principles for the construction and design of a component for the specified application are applied. Further information on safety related values of components or parts of control systems can be found in ISO 13849-1:2023, Annex O.

Use of suitable materials and adequate manufacturing

Selection of material, manufacturing methods and treatment in relation to, e.g. stress, durability, elasticity, friction, wear, corrosion, temperature.

M, D

Correct dimensioning and shaping

Consider, e.g. stress, strain, fatigue, surface roughness, tolerances, sticking, manufacturing.

M, D

Correct selection, combination, arrangements, assembly and installation of components or systems related to the application

Apply the installation and operation instructions provided by the manufacturer, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice in similar components or systems.

M, D, U

Use of de-energization principle

This principle is not applicable when loss of energy creates a hazard, e.g. release of workpiece caused by loss of clamping or holding force.

The safe state is obtained by a release of energy. See primary action for stopping in ISO 12100:2010, 6.2.11.3.

Energy is supplied for starting the movement of a mechanism. See primary action for starting in ISO 12100:2010, 6.2.11.3.

Consider different modes, e.g. operation mode, maintenance mode.

Time-delay functions may be necessary to achieve a system safe state (see e.g. IEC 60204-1:2016 + AMD1:2021, 9.2.2).

M, D

Correct fastening

For screw locking apply the manufacturer's installation and operation instructions.

Fastening in the correct orientation and fastening to the correct torque is considered. Overloading can be avoided and adequate resistance to release can be achieved by applying adequate torque loading technology.

M, D, U

Withstanding environmental conditions

(see ISO 13849-1:2023, Clause 10, and follow manufacturer's installation and operation instructions)

Design the equipment so that it can work within the environmental limits of the intended use and in any reasonably foreseeable adverse conditions, e.g. temperature, humidity, vibration, pollution.

M, D, U

Prevention of the ingress of solid foreign objects and fluids

Apply appropriate protection against ingress of solid foreign objects and fluids.

M, D, U

Temperature range

External and internal temperature effects are considered throughout the whole system.

M, D, U

Limitation of speed, acceleration and jerk (to avoid or limit mechanical stress)

Consider, e.g. spring, damping device.

M, D

Reduction of response time

Minimize delay in de-energizing of switching components.

Consider, e.g. spring fatigue, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances.

M, D

Protection against unexpected start-up

(see ISO 12100:2010, 6.2.11.4, ISO 14118:2017)

Consider unexpected start-up caused by stored energy and after power supply restoration for different modes e.g. operation mode, maintenance mode.

M, D

Special equipment for release of stored energy can be necessary.

Special applications, e.g. to keep energy for clamping devices or ensure a position, need to be considered separately.

M, D, U

Simplification

Avoid unnecessary components in the safety-related system.

M, D

Separation

Separation of safety-related functions from other functions.

M, D

Limitation of the generation and/or transmission of force, torque (e.g. to prevent wear)

This principle is not applicable when the continued integrity of components is essential to maintain the necessary level of control.

Examples are break pin, break plate and torque-limiting clutch.

M, D

Lubrication

Consider the need for lubrication devices, information on lubricants and lubrication intervals.

M, D, U

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Use of carefully selected materials and manufacturing

Selection of suitable material, adequate manufacturing methods and treatments related to the application.

M, D

Use of components with oriented failure mode

(see ISO 12100:2010, 6.2.12.3)

Use oriented failure mode components or systems wherever practicable. A safe state is directly or indirectly (e.g. through fault detection) obtained by the predominant failure mode.

M, D

Over-dimensioning

De-rate components when used in safety circuits.

Safety factors are as given in standards or by good engineering practice in safety-related applications.

M, D

Safe position

The moving part of the component is held in one of the possible positions by mechanical means. Force is needed to change the position, especially to leave a safe position.

If the realization is based on the principle of frictional engagement, the frictional force is always greater than the disturbing forces for the entire mission time.

M, D

Increased OFF force

A safe position or state is obtained by an increased OFF force in relation to the ON force.

M, D

Careful selection of fastening related to the application

Avoid relying only on friction, use e.g. form-fitting connections like positive-locking fastening, material-related connections like glueing/welding/soldering/vulcanizing, locking nuts.

M, D

Positive mechanical action

(see ISO 12100:2010, 6.2.5.)

To achieve positive (or direct) mechanical action, mechanical components needed for the safety function are moved either by direct contact or via rigid elements, e.g. a cam directly opens the contacts of an electrical switch rather than relying on a spring.

M, D

Multiple parts

Reducing the effect of faults by providing multiple parts acting in parallel, e.g. where a failure of one of several springs does not lead to a dangerous condition.

M, D

Use of well-tried spring

See Table A.3

M, D

Limited range of force and similar parameters

This principle is not applicable when the continued integrity of components is essential to maintaining the necessary level of control.

Determination of the necessary limitation in relation to the experience and application. Examples are break pin, break plate, and torque-limiting clutch.

M, D

Limited range of speed and similar parameters

Determination of the necessary limitation in relation to the experience and application. Examples are centrifugal governor, safe monitoring of speed, and limited displacement.

M, D, U

Limited range of environmental parameters

See ISO 13849-1:2023, 10.7

Determination of the necessary limitations. Examples are temperature, humidity, pollution at the installation. Follow manufacturer's installation and operation instructions.

M, D, U

Limited range of reaction time, limited hysteresis

Determination of the necessary limitations.

For example, spring fatigue, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances.

M, D

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Screw

All factors influencing the screw connection and the application are to be considered. See Table A.2.

Mechanical jointing such as screws, nuts, washers, rivets, pins, bolts, etc. is standardized.

Spring

Well-tried springs are characterized by

Technical specifications for spring steels and other special applications are given in EN 13906‑1:2013.

— use of carefully selected materials, manufacturing methods (e.g. pre-setting and cycling before use) and treatments (e.g. rolling and shot-peening);

— sufficient guidance of the spring; and

— sufficient safety factor for fatigue stress (i.e. with a high probability that a fracture will not occur, which can be demonstrated by an endurance test of e.g. a valve with the built-in spring or using other ways).

Well-tried compression coil springs can also be designed by

— use of carefully selected materials, manufacturing methods (e.g. pre-setting and cycling before use) and treatments (e.g. rolling and shot-peening);

— sufficient guidance of the spring;

— clearance between the turns less than the wire diameter when unloaded; and

— sufficient force after a fracture(s) is maintained (i.e. a fracture(s) will not lead to a dangerous condition).

NOTE   Compression springs are preferred.

Cam

All factors influencing the cam arrangement (e.g. part of an interlocking device) are to be considered. See Table A.2.

See ISO 14119:2024

Break-pin Rupture disc, Shear pin

All factors influencing the application are to be considered. See Table A.2.

See ISO 4126-2:2018

Plunger

Guiding of the plunger in such a way that clamping/sticking can be excluded. The plunger is dimensioned in such a way that the forces can be transmitted reliably.

Wear/corrosion

Yes, in the case of carefully selected material, (over)dimensioning, manufacturing process, treatment and proper lubrication, according to the specified lifetime (see also Table A.2).

See ISO 13849‑1:2023, 6.1.10

Untightening/ loosening

Yes, in the case of carefully selected material, manufacturing process, locking means and treatment, according to the specified lifetime (see also Table A.2).

Fracture

Yes, in the case of carefully selected material, (over)dimensioning, manufacturing process, treatment and proper lubrication, according to the specified lifetime (see also Table A.2).

Deformation by overstressing

Yes, in the case of carefully selected material, (over)dimensioning, treatment and manufacturing process, according to specified lifetime (see also Table A.2).

Stiffness/sticking

Yes, in the case of carefully selected material, (over)dimensioning, manufacturing process, treatment and proper lubrication, according to specified lifetime (see also Table A.2).

Wear/corrosion

Yes, in case of use of well-tried springs and carefully selected fastenings (see Table A.3).

See ISO 13849‑1:2023, 6.1.10

Force reduction by setting and fracture

Fracture

Stiffness/sticking

Loosening

Deformation by overstressing

Use of suitable materials and adequate manufacturing

Selection of material, manufacturing methods and treatment in relation to, e.g. stress, durability, elasticity, friction, wear, corrosion, temperature characteristics of compressed air.

M, D

Correct dimensioning and shaping

Consider, e.g. stress, strain, fatigue, surface roughness, tolerances, sticking, manufacturing.

M, D

Correct selection, combination, arrangements, assembly and installation of components or systems related to the application

Apply the installation and operation instructions provided by the manufacturer, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice in similar components or systems.

M, D, U

Use of de-energization principle

This principle is not applicable when loss of energy creates a hazard, e.g. release of workpiece caused by loss of clamping or holding force.

The safe state is obtained by release of energy to all relevant devices. See primary action for stopping in ISO 12100:2010, 6.2.11.3.

Energy is supplied for starting the movement of a mechanism. See primary action for starting in ISO 12100:2010, 6.2.11.3.

Consider different modes, e.g. operation mode, maintenance mode.

Time-delay functions may be necessary to achieve a system safe state (see e.g. IEC 60204-1:2016 + AMD1:2021, 9.2.2).

M, D

Correct fastening

For fasteners (e.g. screw locking, fittings, gluing or clamp ring) apply the manufacturer's installation and operation instructions.

Fastening in the correct orientation and fastening to the correct torque is considered. Overloading can be avoided by applying adequate torque loading technology.

M, D, U

Withstanding environmental conditions

(see ISO 13849-1:2023, Clause 10, and follow manufacturer's installation and operation instructions)

Design the equipment so that it can work within the environmental limits of the intended use and in any reasonably foreseeable adverse conditions, e.g. temperature, humidity, vibration, pollution, electromagnetic interference (EMI).

M, D, U

Prevention of the ingress of solid foreign objects and fluids

Apply appropriate protection against ingress of solid foreign objects and fluids.

M, D, U

Temperature range

External and internal temperature effects are considered throughout the whole system.

(see ISO 4414:2010)

M, D, U

Limitation of speed, acceleration and jerk (to avoid or limit mechanical stress)

An example is the speed limitation placed on a piston by a flow valve or throttle.

M, D

Reduction of response time

Minimize delay in de-energizing of switching components.

Suitable range of switching time, e.g. length of pipework, pressure, exhaust capacity, force, spring fatigue, friction, lubrication, temperature, inertia during acceleration and deceleration, frequencies, shock waves, combination of tolerances.

M, D

Simplification

Avoid unnecessary components in the safety-related system.

M, D

Protection against unexpected start-up

(see ISO 12100:2010, 6.2.11.4, ISO 14118:2017)

Consider unexpected start-up caused by stored energy and after power supply restoration for different modes, e.g. operation mode, maintenance mode.

M, D

Special equipment for the release of stored energy can be necessary.

Special applications, e.g. to maintain energy for clamping devices or ensure a position, need to be considered separately.

M, D, U

Separation

Separation of the safety-related functions from other functions.

M, D

Pressure limitation (e.g. to prevent wear)

Examples are pressure-relief valve, pressure-reducing/control valve.

M, D

Basic measures against contamination of the fluid

Consider filtration and separation of solid particles and water in the fluid. Prevent contamination of fluid by external sources during installation and handling of components.

Consider an indicator for when the filter needs service.

M, D, U

Correct use of pre-lubricated/self- lubricating/life-time lubrication valves

Use prepared oil-free air according to the manufacturer's installation and operation instructions, to prevent dissipation of the grease.

D, U

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Use of components with oriented failure mode

(see ISO 12100:2010, 6.2.12.3)

Use oriented failure mode components or systems wherever practicable. A safe state is directly or indirectly (e.g. through fault detection) obtained by the predominant failure mode.

M, D

Over-dimensioning

De-rate components when used in safety circuits, e.g. with respect to pressure level, temperature level, switching frequency.

Safety factors are as given in standards or by good engineering practice in safety-related applications.

M, D

Safe position

The moving part of the component is held in one of the possible positions by mechanical means. Force is needed to change the position.

If the realization is based on the principle of frictional engagement, the frictional force is always greater than the disturbing forces for the entire mission time.

M, D

Increased OFF force

A safe position or safe state is obtained by an increased OFF force in relation to the ON force.

One solution can be that the area ratio for moving a valve spool to the safe position (OFF position) is significantly larger than for moving the spool to ON position.

M, D

Valve closed by load pressure

These are generally, but not exclusively, seat valves, e.g. poppet valves, ball valves.

Consider how to apply the load pressure to keep the valve closed even if, e.g. the spring closing the valve breaks.

NOTE   High closing speeds can cause valve bounce.

M, D

Positive mechanical action

(see ISO 12100:2010, 6.2.5.)

The positive mechanical action is used for moving parts inside pneumatic components.

To achieve positive (or direct) mechanical action, mechanical components needed for the safety function are moved either by direct contact or via rigid elements.

M, D

Use of well-tried spring

See Table A.3.

M

Limited range of force and similar parameters to avoid or limit mechanical stress

This principle is not applicable when the continued integrity of components is essential to maintaining the necessary level of control.

Determination of the necessary limitation in relation to the experience and application.

This can be achieved by a well-tried pressure relief valve which is, e.g. equipped with a well-tried spring, correctly dimensioned and selected.

M, D

Limited range of speed and similar parameters

Determination of the necessary limitation in relation to the experience and application.

Examples are fixed orifices and fixed throttles to reduce the speed by resistance to a defined fluidic flow.

M, D, U

Limited range of environmental parameters

See ISO 13849-1:2023, 10.7

Determination of the necessary limitations. Examples are temperature, humidity, pollution at the installation. Follow manufacturer's installation and operation instructions.

M, D, U

Limited range of reaction time, limited hysteresis

Determination of the necessary limitations.

For example, increased friction will increase the hysteresis. A combination of tolerances will also influence the hysteresis.

M, D

Appropriate range of working conditions

The limitation of working conditions, e.g. pressure range, flow rate and temperature range, is considered.

M, D, U

Enhanced measures against contamination of the fluid

Consideration of the need for a finer filtration and separation of solid particles and water in the fluid.

M, D, U

Sufficient positive overlap in spool valves or piston valves

The positive overlap ensures the stopping function and prevents dangerous movements.

M

Sufficient underlap in spool valves

Exhaust applications in redundant systems.

M

Periodic evaluation of the fluid condition

Apply a high degree of filtration or separation of solid particles, water and contaminants in the fluid and an indication of the need for a filter service.

Evaluate the physical conditions of the fluid.

M, D, U

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Rupture disc

All factors influencing the application are to be considered. See Table B.1 and Table B.2

Technical specifications for bursting disk/flat bursting disk and other special applications are given in ISO 4126-2:2018.

Directional Valve

(electrically or remotely actuated or piloted)

Only well-tried if

ISO 13849‑1:2023, 6.1.3.2.3, 6.1.11

a) the component fulfils the basic and well-tried safety principles with regard to the intended application, including use of the component according to the specification of the manufacturer;

b) proven to be widely used in the past with documented successful results in similar applications or made, verified and validated using principles which demonstrate its suitability and reliability for safety-related applications according to relevant product and application standards;

c) either no electronics on-board or on-board electronics, if available, does not participate in executing the safety function (see NOTE 3);

d) the behavior of the component under all conditions is well defined and can be completely determined; and

e) the following construction characteristics are fulfilled:

— simple, robust design;

— positive connection;

— sufficient protection against loosening with detachable connection;

— sufficiently robust in relation to the use (application) and the ambient conditions (e.g. pressure fluctuations, vibration);

— return force provided by a spring to a safe position;

— use of well-tried springs (see Table A.3); and

— sufficient tightness in locking direction.

Pressure switches

Only well-tried if

ISO 13849‑1:2023, 6.1.3.2.3, 6.1.11

For the electrical part, see IEC 60947­5­1:2024

a) the component fulfils the basic and well-tried safety principles with regard to the intended application, including use of the component according to the specification of the manufacturer;

b) proven to be widely used in the past with documented successful results in similar applications or made, verified and validated using principles which demonstrate its suitability and reliability for safety-related applications according to relevant product and application standards;

c) either no electronics on-board or on-board electronics, if available, does not participate in executing the safety function;

d) the behavior of the component under all conditions is well defined and can be completely determined; and

e) the following construction characteristics are fulfilled:

— simple, robust design;

— positive connection;

— sufficient protection against loosening with detachable connection;

— sufficiently robust in relation to the use (application) and the ambient conditions (e.g. pressure fluctuations, vibration); and

— sufficient dimensioning of the spring.

NOTE 1   The confirmation of basic and well-tried safety principles, as well as proof of wide use in the past with documented successful results in similar applications, can be done by the component manufacturer or by the designer of the subsystem.

NOTE 2   Examples of directional valves can be valve types with discrete (specific) positions: stop (shut-off) valve, gate valve, AND-valve, shuttle valve, non-return (check) valve, blocking valve, exhaust valve, pressure relief valve.

NOTE 3   Digital communication units for valve manifolds or pressure switches are complex and do not fulfil the conditions to be well-tried. If shutting-off the power supply puts the valves into a safe state and if a fault exclusion for cross-circuit connections between the power supply and the control bus (see Annex D) can be made and if for the installed valves the conditions for “well-tried” are fulfilled, the manifold can be considered a well-tried component.

Change of switching times

Yes, in the case of positive mechanical action (see Table A.2) of the moving components, as long as the actuating force is sufficiently large.

—

Non-switching (sticking at the end or zero position) or incomplete switching (sticking at a random intermediate position)

Yes, in the case of positive mechanical action (see Table A.2) of the moving components, as long as the actuating force is sufficiently large.

Spontaneous change of the initial switching position (without an input signal)

Yes, in the case of positive mechanical action (see Table A.2) of the moving components, as long as the holding force is sufficiently large, or if well-tried springs are used (see Table A.3) and normal installation and operating conditions apply (see remark), or in the case of spool valves with elastic sealing and if normal installation and operating conditions apply (see remark).

Normal installation and operating conditions apply when

— the conditions laid down by the manufacturer have been considered;

— there are no inertia forces acting adversely on moving components (e.g. direction of valve component motion considers magnitude and direction of inertia forces); and

— the vibration and shock stresses are smaller than permissible, and no extreme vibration and shock stresses occur.

Leakage

Yes, in the case of spool-type valves with elastic seal, in so far as a sufficient positive overlap is present [see remark 1)], normal conditions of operation apply, and an adequate treatment and filtration of the compressed air is provided; or, in the case of seat valves, if normal conditions of operation apply [see remark 2)], and adequate treatment and filtration of the compressed air is provided.

1)   In the case of spool-type valves with elastic seal, the effects due to leakage can usually be excluded. However, a small amount of leakage can occur over a long period of time.

2)   Normal conditions of operation apply when the conditions laid down by the manufacturer are considered.

Change in the leakage flow rate over a long period of use

None.

—

Bursting of the valve housing or breakage of the moving component(s) as well as breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

For servo and proportional valves: pneumatic faults which cause uncontrolled behavior

Yes, in the case of servo and proportional directional valves, if these can be assessed in terms of technical safety as conventional directional control valves, owing to their design and construction.

—

NOTE If the control functions are realized by a number of single-function valves, then a fault analysis should be carried out for each valve. The same procedure should be carried out in the case of piloted valves.

Change of switching times

None.

—

Non-opening, incomplete opening, non-closure or incomplete closure (sticking at an end position or at an arbitrary intermediate position)

Yes, if the guidance system for the moving component(s) is designed in a manner similar to that for a non-controlled ball seat valve without a damping system (see remark) and if well-tried springs are used (see Table A.3).

For a non-controlled ball seat valve without a damping system, the guidance system is generally designed such that any sticking of the moving component is unlikely.

Spontaneous change of the initial switching position (without an input signal)

Yes, for normal installation and operating conditions (see remark) and if there is sufficient closing force on the basis of the pressures and areas provided.

Normal installation and operating conditions are met when

— the conditions laid down by the manufacturer are being followed;

— no special inertial forces affect the moving components, e.g. direction of motion considers the orientation of the moving machine parts; and

— the vibration and shock stresses are smaller than permissible, and no extreme vibration or shock stresses occur.

For shuttle valves: simultaneous closing of both input connections

Yes, if simultaneous closing is unlikely, based on the construction and design of the moving component.

—

Leakage

Yes, if normal conditions of operation apply (see remark) and there is adequate treatment and filtration of the compressed air.

Normal conditions of operation apply when the conditions laid down by the manufacturer are considered.

Change in the leakage flow rate over a long period of use

None.

—

Bursting of the valve housing or breakage of the moving component(s) as well as breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice and following the valve manufacturer’s specifications.

Change in flow rate without any change in setting device

Yes, for flow control valves containing components of metal without moving parts [see remark 1)], e.g. throttle valves, if normal operating conditions apply [see remark 2)], and adequate treatment and filtration of the compressed air is provided.

1)   The setting device is not considered to be a moving part. Changes in flow rate due to changes in pressure differences are physically limited in this type of valve and are not covered by this assumed fault.

2)   Normal operating conditions apply when the conditions laid down by the manufacturer are considered.

Change in the flow rate in the case of non-adjustable, circular orifices and nozzles

Yes, if the diameter is ≥ 0,8 mm, normal operating conditions apply [see remark 2)], and if adequate treatment and filtration of the compressed air is provided.

For proportional flow valves: change in the flow rate due to an unintended change in the set value

None.

—

Spontaneous change in the setting device

Yes, where there is an effective protection of the setting device adapted to the particular case, based upon technical safety specification(s).

Unintended loosening (unscrewing) of the operating element(s) of the setting device

Yes, if an effective positive locking device against loosening (unscrewing) is provided.

Bursting of the valve housing or breakage of the moving component(s) as well as the breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice and following the valve manufacturer’s specifications.

Change of the pressure control behavior without changing the setting device [see remark 1)]

Yes, for directly actuated pressure-limiting valves and pressure-switching valves if the installed spring(s) are well-tried (see Table A.3).

For proportional pressure valves: change in the pressure control behavior due to unintended change in the set value [see remark 1)]

None.

Spontaneous change in the setting device

Yes, where there is effective protection of the setting device within the requirements of the application, e.g. lead seals.

—

Unintended unscrewing of the operating element of the setting device

Yes, if an effective positive locking device against unscrewing is provided.

Leakage

Yes, for seat valves, membrane valves and spool valves with elastic sealing in normal operating conditions (see remark) and if adequate treatment and filtration of the compressed air is provided.

Normal operating conditions are met when the conditions laid down by the manufacturer are followed.

Change of the leakage flow rate, over a long period of use

None.

—

Bursting of the valve housing or breakage of the moving component(s) as well as breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice and following the valve manufacturer’s specifications.

Bursting and leakage

Yes, if the dimensioning, choice of materials and fixing are in accordance with good engineering practice (see remark) e.g. installation avoiding accumulation of water, regular draining.

When using plastic pipes, it is necessary to consider the manufacturer's data, in particular with respect to operational environmental influences, e.g. thermal influences, chemical influences or influences due to radiation. When using steel pipes that have not been treated with a corrosion-resistant medium, it is particularly important to provide sufficient drying of the compressed air. Consideration of the environmental dew point is also essential.

Failure at the connector (e.g. tearing off, leakage)

Yes, if using bite-type fittings or threaded pipes (i.e. steel fittings, steel pipes) and if dimensioning, choice of materials, manufacture, configuration and fixing are in accordance with good engineering practice.

—

Clogging (blockage)

Yes, for pipework in the power circuit.

Yes, for the control and measurement pipework if the nominal diameter is ≥ 2 mm.

Kinking of plastic pipes with a small nominal diameter

Yes, if properly protected and installed, considering the relevant manufacturer's data, e.g. minimum bending radius.

Bursting, tearing off at the fitting attachment and leakage

Yes, if hose assemblies use hoses manufactured in accordance with ISO 4079:2020, ISO 2398:2024, ISO 5774:2023 or similar hoses (see remark) with the corresponding hose fittings.

NOTE: ISO 4414:2010 does not include criteria regarding the manufacturing specifications of rubber hoses and hose assemblies.

Fault exclusion is not considered when

— the intended lifetime is expired;

— fatigue behavior of reinforcement can occur; or

— external damage is unavoidable.

Clogging (blockage)

Yes, for hose assemblies in the power circuit, and, in the case of the control and measurement hose assemblies, if the nominal diameter is ≥ 2 mm.

—

Bursting, breaking of screws or stripping of threads

Yes, if dimensioning, choice of material, manufacture, configuration and connection to the piping and/or to the pipe/hose fittings are in accordance with good engineering practice.

—

Leakage (loss of airtightness)

None.

Due to wear, ageing, deterioration of elasticity, etc. it is not possible to exclude faults over a long period.

Leakage (sudden major change of airtightness)

Yes, if measures to reduce the risk of leakage are applied that could lead to the loss of the intended component function.

Measures can include but are not limited to:

1)   If leakage (sudden major change of airtightness) can lead to a dangerous movement, particularly on gravity-loaded (e.g. vertical) axes, a fault exclusion is not recommended. A fault exclusion on this type of application is only possible with risk estimation and additional measures.

2)   Tubing push-to-connect fittings, also known as push-in fittings or push-fit fittings, are considered as appropriately rated push-lock fittings if over-dimensioning and installation and operation instructions provided by the manufacturer are adhered to, notably the push-to-connect fitting matches the tube type being used.

3)   Hose push-lock fittings, e.g. featuring a barbed-end that is inserted into the hose, are considered as appropriately rated push-lock fittings only if high-pressure hose clamps are used.

— robust connection methods, i.e. compression fittings or appropriately rated push-lock fittings (see remarks 1 to 3);

— robust hoses, tubing and fittings;

— robust materials that are appropriate for the intended environment.

Clogging (blockage)

Yes, for applications in the power circuit and, in the case of control and measurement connectors, if the nominal diameter is ≥ 2 mm.

—

Blockage of the filter element

None.

—

Rupture or partial rupture of the filter element

Yes, if the filter element is sufficiently resistant to pressure.

Failure of the filter condition indicator or monitor

None.

Bursting of the filter housing or fracture of the cover or connecting elements

Yes, if dimensioning, choice of material, arrangement in the system and fixing are in accordance with good engineering practice.

Change in the set value (oil volume per unit time) without change to the setting device

None.

—

Spontaneous change in the setting device

Yes, if effective protection of the setting device is provided, adapted to the particular case.

Unintended unscrewing of the operating element of the setting device

Yes, if an effective positive locking device against unscrewing is provided.

Bursting of the housing or fracture of the cover, fixing or connecting elements.

Yes, if the dimensioning, choice of materials, arrangement in the system and fixing are in accordance with good engineering practice.

Blockage (clogging) of the silencer

Yes, if the design and construction of the silencer element fulfils the remark.

Clogging of the silencer element and/or an increase in the exhaust air back-pressure above a certain critical value is unlikely if the silencer has a suitably large diameter and is designed to meet the operating conditions.

Fracture/bursting of the accumulator/pressure vessel or connectors or stripping of the threads of the fixing screws

Yes, if construction, choice of equipment, choice of materials and arrangement in the system are in accordance with good engineering practice.

—

Faulty sensor (see remark)

None.

—

Change of the detection or output characteristics

None.

NOTE Sensors in this table are devices for signal capture, processing and output, in particular for, e.g. pressure, flow, temperature.

Faulty logical element (e.g. AND element, OR element, logic-storage-element) due to, e.g. change in the switching time, failing to switch or incomplete switching

For corresponding fault assumptions and fault exclusions, see Tables B.4, B.5 and B.6 and the relevant related components.

—

Faulty time-delay device, e.g. pneumatic and pneumatic/mechanical time and counting elements

Yes, for time-delay devices without moving components, e.g. fixed resistance, if normal operating conditions apply and adequate treatment and filtration of the compressed air is provided.

—

Change of detection or output characteristics

Bursting of the housing or fracture of the cover or fixing elements

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

—

Faulty converter (see remark)

Yes, for converters without moving components, e.g. reflex nozzle, if normal operating conditions apply and adequate treatment and filtration of the compressed air is provided.

—

Change of the detection or output characteristics

Bursting of the housing or fracture of the cover or fixing elements

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

NOTE Converters in this table are devices to e.g. detect that a position is reached or switch between binary states (position reached/not reached, pressure on/off). They are also used to amplify pneumatic signals.

Use of suitable materials and adequate manufacturing

Selection of material, manufacturing methods and treatment in relation to e.g. stress, durability, elasticity, friction, wear, corrosion, temperature, characteristics of hydraulic fluid.

M, D

Correct dimensioning and shaping

Consider, e.g. stress, strain, fatigue, surface roughness, tolerances, manufacturing.

M, D

Correct selection, combination, arrangements, assembly and installation of components or systems related to the application

Apply the installation and operation instructions provided by the manufacturer, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice in similar components or systems.

M, D, U

Use of de-energization principle

This principle is not applicable when loss of energy creates a hazard, e.g. release of workpiece caused by loss of clamping or holding force.

The safe state is obtained by release of energy to all relevant devices. See primary action for stopping in ISO 12100:2010, 6.2.11.3.

Energy is supplied for starting the movement of a mechanism. See primary action for starting in ISO 12100:2010, 6.2.11.3.

Consider different modes, e.g. operation mode, maintenance mode.

Time-delay functions may be necessary to achieve a system safe state (see e.g. IEC 60204-1:2016 + AMD1:2021, 9.2.2).

M, D

Correct fastening

For fasteners (e.g. screw locking, fittings, gluing, clamp ring) apply the manufacturer’s installation and operation instructions.

Fastening in the correct orientation and fastening to the correct torque is considered. Overloading can be avoided by applying adequate torque loading technology.

M, D, U

Withstanding environmental conditions

(see ISO 13849-1:2023, Clause 10, and follow manufacturer's installation and operation instructions)

Design the equipment so that it can work within the environmental limits of the intended use and in any reasonably foreseeable adverse conditions, e.g. temperature, humidity, vibration, pollution, electromagnetic interference (EMI).

M, D, U

Prevention of the ingress of solid foreign objects and fluids

Apply appropriate protection against ingress of solid foreign objects and fluids.

M, D, U

Temperature range

External and internal temperature effects are considered throughout the whole system.

(See ISO 4413:2010)

M, D, U

Limitation of speed, acceleration and jerk (to avoid or limit mechanical stress)

An example is the speed limitation of a piston by a flow valve or a throttle.

M, D

Reduction of response time

Minimize delay in de-energizing of switching components.

Suitable range of switching time, e.g. length of pipework, pressure, evacuation relief capacity, spring fatigue, friction, lubrication, temperature, viscosity, inertia during acceleration and deceleration, frequencies, shock waves, combination of tolerances.

M, D

Protection against unexpected start-up

(see ISO 12100:2010, 6.2.11.4, ISO 14118:2017)

Consider unexpected start-up caused by stored energy and after power supply restoration for different modes, e.g. operation mode, maintenance mode.

M, D

Special equipment for release of stored energy can be necessary.

Special applications, e.g. to maintain energy for clamping devices or ensure a position, need to be considered separately.

M, D, U

Simplification

Avoid unnecessary components in the safety-related system.

M, D

Separation

Separation of safety-related functions from other functions.

M, D

Pressure limitation (e.g. to prevent wear)

Examples are pressure-relief valve, pressure-reducing/control valve.

M, D

Basic measures against contamination of the fluid

Consider filtration of solid particles and separation and water and gas from the fluid. Prevent contamination of fluid by external sources during installation and handling of components.

Consider an indicator for when the filter needs service.

M, D, U

Correct fluid handling

Air bubbles and restrictions in the hydraulic fluid are avoided because they can create cavitation which can cause additional hazards, e.g. unintended movements.

M, D, U

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Use of components with oriented failure mode

(see ISO 12100:2010, 6.2.12.3)

Use oriented failure mode components or systems wherever practicable. A safe state is directly or indirectly (e.g. through fault detection) obtained by the predominant failure mode.

M, D

Over-dimensioning

De-rate components when used in safety circuits.

Safety factors are as given in standards or by good engineering practice in safety-related applications.

M, D

Safe position

The moving part of the component is held in one of the possible positions by mechanical means. Force is needed to change the position, especially to leave a safe position.

M, D

Increased OFF force

A safe position or safe state is obtained by an increased OFF force in relation to the ON force.

One solution can be that the area ratio for moving a valve spool to the safe position (OFF position) is significantly larger than for moving the spool to the ON position (a safety factor).

M, D

Valve closed by load pressure

Examples are seat and cartridge valves.

Consider how to apply the load pressure to keep the valve closed even if, e.g. the spring closing the valve breaks.

M, D

Positive mechanical action

(See ISO 12100:2010, 6.2.5.)

The positive mechanical action is used for moving parts inside hydraulic components.

To achieve positive (or direct) mechanical action, mechanical components needed for the safety function are moved either by direct contact or via rigid elements.

M, D

Use of well-tried spring

See Table A.3.

M

Limited range of force and similar parameters to avoid or limit mechanical stress

This principle is not applicable when the continued integrity of components is essential to maintaining the necessary level of control.

Determination of the necessary limitation in relation to the experience and application.

This can be achieved by a well-tried pressure-relief valve which is, e.g. equipped with a well-tried spring, correctly dimensioned and selected.

M, D

Limited range of speed and similar parameters

Determination of the necessary limitation in relation to the experience and application.

Examples are fixed orifices and fixed throttles to reduce the speed by resistance to a defined fluidic flow.

M, D, U

Limited range of environmental parameters

See ISO 13849-1:2023, 10.7

Determination of the necessary limitations. Examples are temperature, humidity, pollution at the installation. Follow manufacturer's installation and operation instructions.

M, D, U

Limited range of reaction time, limited hysteresis

Determination of the necessary limitations.

For example, increased friction will increase the hysteresis. A combination of tolerances will also influence the hysteresis.

M, D

Appropriate range of working conditions

The limitation of working conditions, e.g. pressure range, flow rate and temperature range, is considered.

M, D, U

Enhanced measures against contamination of the fluid

Consideration of the need for a finer filtration and separation of solid particles and water in the fluid.

M, D, U

Sufficient positive overlapping in spool valves or piston valves

The positive overlapping ensures the stopping function and prevents dangerous movements.

M

Periodic evaluation of the fluid condition

Apply a high degree of filtration or separation of solid particles, water and contaminants in the fluid and an indication of the need for a filter service.

Evaluate the physical and chemical conditions of the fluid.

M, D, U

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Pressure relief valve (spring loaded)

All factors influencing the application are to be considered. See Table C.2.

Technical specifications for bursting disk/flat bursting disk and other special applications are given in ISO 4126-1:2013.

Directional Valve

(electrically or remotely actuated or piloted)

Only well-tried if

ISO 13849‑1:2023, 6.1.3.2.3, 6.1.11

a) the component fulfils the basic and well-tried safety principles with regard to the intended application, including use of the component according to the specification of the manufacturer;

b) proven to be widely used in the past with documented successful results in similar applications or made, verified and validated using principles which demonstrate its suitability and reliability for safety-related applications according to relevant product and application standards;

c) either no electronics on-board or on-board electronics, if available, does not participate in executing the safety function (see NOTE 3);

d) the behavior of the component under all conditions is well defined and can be completely determined; and

e) the following construction characteristics are fulfilled:

— simple, robust design;

— positive connection;

— sufficient protection against loosening with detachable connection;

— sufficiently robust in relation to the use (application) and the ambient conditions (e.g. pressure fluctuations, vibration);

— return force provided by a spring to a safe position;

— use of well-tried springs, see Table A.3; and

— sufficient tightness in locking direction.

Pressure switches

Only well-tried if

ISO 13849‑1:2023, 6.1.3.2.3, 6.1.11

For the electrical part, see IEC 60947­5­1:2024

a) the component fulfils the basic and well-tried safety principles with regard to the intended application, including use of the component according to the specification of the manufacturer;

b) proven to be widely used in the past with documented successful results in similar applications or made, verified and validated using principles which demonstrate its suitability and reliability for safety-related applications according to relevant product and application standards;

c) either no electronics on-board or on-board electronics, if available, does not participate in executing the safety function;

d) the behavior of the component under all conditions is well defined and can be completely determined; and

e) the following construction characteristics are fulfilled:

— simple, robust design;

— positive connection;

— sufficient protection against loosening with detachable connection;

— sufficiently robust in relation to the use (application) and the ambient conditions (e.g. pressure fluctuations, vibration); and

— sufficient dimensioning of the spring.

NOTE 1   The confirmation of basic and well-tried safety principles as well as proof of wide use in the past with documented successful results in similar applications can be done by the component manufacturer or by the designer of the subsystem.

NOTE 2   Examples of directional valves can be valve types with discrete (specific) positions: stop (shut-off) valve, gate valve, AND-valve, shuttle valve, non-return (check) valve, blocking valve, exhaust valve, pressure relief valve.

NOTE 3 Digital communication units for valve manifolds or pressure switches are complex and do not fulfil the conditions to be well-tried. If shutting-off the energy supply puts the valves into a safe state and if a fault exclusion for cross-circuit connections between the power supply and the control bus (see Annex D) can be made and if for the installed valves the conditions for “well-tried” are fulfilled, the manifold can be considered a well-tried component.

Change of switching times

Yes, in the case of positive mechanical action (see Table A.2) of the moving components as long as the actuating force is sufficiently large; or, in respect of the non-opening of a special type of cartridge seat valve, when used with at least one other valve, to control the main flow of the fluid [see remark 1)].

1) A special type of cartridge seat valve is obtained if

— the active area for initiating the safety-related switching movement is at least 90 % of the total area of the moving component (poppet);

— the effective control pressure on the active area can be increased up to the maximum working pressure (in accordance with ISO 5598:2020, 3.2.429) in line with the behavior of the seat valve in question;

— the effective control pressure on the area opposite the active area of the moving component is vented to a very low value compared with the maximum operating pressure, e.g. return pressure in case of pressure dump valves or supply pressure in case of suction/fill valves;

— the moving component (poppet) is provided with peripheral balancing grooves; and

— the pilot valve(s) to this seat valve is designed together in a manifold block (i.e. without hose assemblies and pipes for the connection of these valves).

Non-switching (sticking at an end or zero position) or incomplete switching (sticking at a random intermediate position)

Yes, in the case of positive mechanical action (see Table A.2) of the moving components if the actuating force is sufficiently large; or, in respect of the non-opening of a special type of cartridge seat valve, when used with at least one other valve, to control the main flow of the fluid [see remark 1)].

Spontaneous change of the initial switching position (without an input signal)

Yes, in the case of positive mechanical action (see Table A.2) of the moving components as long as the holding force is sufficiently large; or if well-tried springs are used (see Table A.3) and normal installation and operating conditions apply [see remark 2)]; or, in respect of the non-opening of a special type of cartridge seat valve, when used with at least one other valve, to control the main flow of the fluid [see remark 1)] and if normal installation and operating conditions apply [see remark 2)].

2) Normal installation and operating conditions apply when

— the conditions laid down by the manufacturer are taken into account;

— the weight of the moving component does not act in an unfavorable sense in terms of safety, e.g. horizontal installation;

— no special inertial forces affect the moving components, e.g. direction of motion considers the orientation of the moving machine parts; and

— no extreme vibration and shock stresses occur.

Leakage

Yes, in the case of seat valves, if normal installation and operating conditions apply (see remark) and an adequate filtration system is provided.

Normal installation and operating conditions apply when the conditions laid down by the manufacturer are considered.

Change in the leakage flow rate over a long period of use

None.

—

Bursting of the valve housing or breakage of the moving component(s) as well as breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

For servo and proportional valves: hydraulic faults which cause uncontrolled behavior

Yes, in the case of servo and proportional directional valves, if these can be assessed in terms of safety as conventional directional control valves, owing to their design and construction.

NOTE If the control functions are realized by several single-function valves, then a fault analysis should be carried out for each valve. The same procedure should be carried out in the case of piloted valves.

Change of switching times

None.

—

Non-opening, incomplete opening, non-closure or incomplete closure (sticking at an end position or at an arbitrary intermediate position)

Yes, if the guidance system for the moving component(s) is designed in a manner similar to that for a non-controlled ball seat valve without a damping system (see remark) and if well-tried springs are used (see Table A.3).

For a non-controlled ball seat valve without damping system, the guidance system is generally designed in such a manner that any sticking of the moving component is unlikely.

Spontaneous change of the initial switching position (without an input signal)

Yes, for normal installation and operating conditions (see remark) and if there is sufficient closing force based on the pressures and areas provided.

Normal installation and operating conditions are met when

— the conditions laid down by the manufacturer are followed;

— no special inertial forces affect the moving components, e.g. direction of motion considers the orientation of the moving machine parts; and

— no extreme vibration or shock stresses occur.

For shuttle valves: simultaneous closing of both input connections

Yes, if this simultaneous closing is unlikely, based on the construction and design of the moving component.

—

Leakage

Yes, if normal conditions of operation apply (see remark) and an adequate filtration system is provided.

Normal conditions of operation apply when the conditions laid down by the manufacturer are considered.

Change in the leakage flow rate over a long period of use

None.

—

Bursting of the valve housing or breakage of the moving component(s) as well as breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

Change in the flow rate without change in the setting device

Yes, in the case of flow valves without moving parts [see remark 1)], e.g. throttle valves, if normal operating conditions apply [see remark 2)] and an adequate filtration system is provided [see remark 3)].

1)   The setting device is not considered to be a moving part. Changes in flow rate due to changes in the pressure differences and viscosity are physically limited in this type of valve and are not covered by this assumed fault.

2)   Normal operating conditions are met when the conditions laid down by the manufacturer are followed.

3)   Where a non-return valve is integrated into the flow valve, then, in addition, the fault assumptions for non-return valves have to be considered.

Change in the flow rate in the case of non-adjustable, circular orifices and nozzles

Yes, if the diameter is ≥ 0,8 mm, normal operating conditions apply [see remark 2)] and an adequate filtration system is provided.

For proportional flow valves: change in the flow rate due to an unintended change in the set value

None.

—

Spontaneous change in the setting device

Yes, where there is an effective protection of the setting device adapted to the particular case, based upon technical safety specification(s).

Unintended loosening (unscrewing) of the operating element(s) of the setting device

Yes, if an effective positive locking device against loosening (unscrewing) is provided.

Bursting of the valve housing or breakage of the moving component(s) as well as the breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

Non-opening or insufficient opening (spatially and temporarily) when exceeding the set pressure (sticking or sluggish movement of the moving component) [see remark 1)]

Yes, in respect of the non-opening of a special type of cartridge seat valve, when used with at least one other valve, to control the main flow of the fluid [see remark 1) of Table C.4]; or if the guidance system for the moving component(s) is similar to the case of a non-controlled ball seat valve without a damping device [see remark 2)] and if the installed springs are well-tried (see Table A.3).

1)   This fault applies only when the pressure valve(s) is (are) used for forced actions, e.g. clamping, and for the control of hazardous movement, e.g. suspension of loads. This fault does not apply to its normal function in hydraulic systems, e.g. pressure limitation, pressure decrease.

2)   For a non-controlled ball seat valve without a damping device, the guidance system is generally designed in such a manner that any sticking of the moving component is unlikely.

Non-closing or insufficient closing (spatially and temporarily) if the pressure drops below the set value (sticking or sluggish movement of the moving component) [see remark 1)]

Change of the pressure control behaviour without changing the setting device [see remark 1)]

Yes, in the case of directly actuated pressure-relief valves, if the installed spring(s) are well- tried (see Table A.3).

For proportional pressure valves: change in the pressure control behaviour due to unintended change in the set value [see remark 1)]

None.

Spontaneous change in the setting device

Yes, where there is an effective protection of the setting device adapted to the particular case in relation to technical safety specifications (e.g. lead seals).

—

Unintended unscrewing of the operating element of the setting device

Yes, if an effective positive locking device against unscrewing is provided.

Leakage

Yes, for seat valves if normal operating conditions apply (see remark) and if an adequate filtration system is provided.

Normal operating conditions apply when the conditions laid down by the manufacturer are considered.

Change of the leakage flow rate over a long period of use

None.

—

Bursting of the valve housing or breakage of the moving component(s) as well as breakage/fracture of the mounting or housing screws

Yes, if construction, dimensioning and installation are in accordance with good engineering practice.

Bursting and leakage

Yes, if the dimensioning, choice of materials and fixing are in accordance with good engineering practice.

Dimensioning, possible loads due to vibrations and pressure pulsations must be considered (e.g. due to gear pumps).

Failure at the connector (e.g. tearing off, leakage)

Yes, if welded fittings or welded flanges or flared fittings are used, and dimensioning, choice of materials, manufacture, configuration and fixing are in accordance with good engineering practice.

—

Clogging (blockage)

Yes, for pipework in the power circuit, and for control and measurement pipework if the nominal diameter is ≥ 3 mm.

Bursting, tearing off at the fitting attachment and leakage

None.

—

Clogging (blockage)

Yes, for hose assemblies in the power circuit, and for control and measurement hose assemblies if the nominal diameter is ≥ 3 mm.

Bursting, breaking of screws or stripping of threads

Yes, if dimensioning, choice of material, manufacture, configuration and connection to the piping and/or to the fluid technology component are in accordance with good engineering practice.

—

Leakage (loss of the leak-tightness)

None (see remark).

Due to wear, ageing, deterioration of elasticity, etc., it is not possible to exclude faults over a long period. A sudden major failure of the leak-tightness is not assumed.

Clogging (blockage)

Yes, for applications in the power circuit, and for control and measurement connectors if the nominal diameter is ≥ 3 mm.

—

Blockage of the filter element

None.

—

Rupture of the filter element

Yes, if the filter element is sufficiently resistant to pressure and an effective bypass valve or an effective monitoring of dirt is provided.

Failure of the bypass valve

Yes, if the guidance system of the bypass valve is designed similarly to that for a non-controlled ball seat valve without a damping device (see Table C.5) and if well-tried springs are used (see Table A.3).

Failure of the dirt indicator or dirt monitor

None.

Bursting of the filter housing or fracture of the cover or connecting elements

Yes, if dimensioning, choice of material, arrangement in the system and fixing are in accordance with good engineering practice.

Fracture/bursting of the energy storage vessel or connectors or cover screws as well as stripping of the screw threads

Yes, if construction, choice of equipment, choice of materials and arrangement in the system are in accordance with good engineering practice.

—

Leakage at the separating element between the gas and the operating fluid

None.

Failure/breakage of the separating element between the gas and the operating fluid

Yes, in the case of cylinder/piston storage (see remark).

A sudden major leakage is not to be considered.

Failure of the filling valve on the gas side

Yes, if the filling valve is installed in accordance with good engineering practice and if adequate protection against external influences is provided.

—

Faulty sensor (see remark)

None.

Types of sensors include signal capture, processing and output, in particular for pressure, flow rate and temperature.

Change of the detection or output characteristics

None.

—

Use of suitable materials and adequate manufacturing

Selection of material, manufacturing methods and treatment in relation to e.g. stress, durability, elasticity, friction, wear, corrosion, temperature, conductivity, dielectric rigidity.

M, D

Correct dimensioning and shaping

Consider, e.g. stress, strain, fatigue, surface roughness, tolerances, manufacturing.

M, D

Correct selection, combination, arrangements, assembly and installation of components or systems related to the application

Apply the installation and operation instructions provided by the manufacturer, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice in similar components or systems.

M, D, U

Use components compatible with the voltages and currents used.

M, D

Use of de-energization

This principle is not applicable when loss of energy creates a hazard, e.g. release of workpiece caused by loss of clamping or holding force.

The safe state is obtained by de-energizing all relevant devices, e.g. by use of normally closed (NC) contact for inputs (push-buttons and position switches) and normally open (NO) contact for relays (see also ISO 12100:2010, 6.2.11.3).

Time-delay functions may be necessary to achieve a system safe state (see e.g. IEC 60204-1:2016 + AMD1:2021, 9.2.2).

M, D

Correct fastening

For fastening of electrical conductors, e.g. DC busbars in frequency converters, apply the manufacturer's installation and operation instructions.

Fastening in the correct orientation and fastening to the correct torque is considered. Overloading can be avoided and adequate resistance to release can be achieved by applying adequate torque loading technology.

M, D, U

Withstanding environmental conditions

(see ISO 13849-1:2023, Clause 10, and follow manufacturer's installation and operation instructions)

Design the equipment so that it can work within the environmental limits of the intended use and in any reasonably foreseeable adverse conditions, e.g. temperature, humidity, vibration and electromagnetic interference (EMI).

M, D, U

Prevention of the ingress of solid foreign objects and fluids

Apply an appropriate degree of protection against ingress of solid foreign objects and fluids.

Consider IP rating (see IEC 60529:1989+AMD1:1999+AMD2:2013+Cor1:2019)

M, D, U

Limitation of speed, acceleration and jerk (to avoid or limit mechanical stress)

An example is the acceleration limitation of a motor by limitation of the motor current in a frequency converter.

M, D

Reduction of response time

Minimize delay in de-energizing of switching components.

Suitable range of switching time, e.g. response time of devices and components (e.g. solenoids, contactors, relays) and the effects of EMI measures to these elements (e.g. surge suppression diodes on contactors).

M, D

Protection against unexpected start-up

(see ISO 12100:2010, 6.2.11.4, ISO 14118:2017)

Consider unexpected start-up caused by stored energy and after power supply restoration for different modes, e.g. operation mode, maintenance mode.

(See IEC 60204-1:2016 + AMD1:2021).

M, D

Special equipment for release of stored energy can be necessary.

Special applications, e.g. to keep energy for clamping devices or ensure a position, need to be considered separately.

M, D, U

Simplification

Avoid unnecessary components in the safety-related system.

M, D

Separation

Separation of safety-related functions from other functions.

M, D

Current limitation (e.g. to prevent wear)

Example is a resistor (series resistor).

M, D

Correct protective bonding

One side of the control circuit, one terminal of the operating coil of each electromagnetic operated device, or one terminal of another electrical device is connected to the protective bonding circuit.

(See IEC 60204‑1:2016 + AMD1:2021, 9.4.3.1)

M, D, U

Insulation monitoring

Use of an insulation monitoring device which either indicates an earth fault or interrupts the circuit automatically after an earth fault.

(See IEC 60204‑1:2016 + AMD1:2021, 6.3.3)

M, D, U

Transient suppression

Use of a suppression device (RC, diode, varistor) parallel to the load, but not parallel to the contacts.

NOTE   A diode increases the switch-off time.

M, D

Temperature range

External and internal temperature effects are considered throughout the whole system.

M, D, U

Secure fixing of input devices

Secure input devices, e.g. interlocking switches, position switches, limit switches, proximity switches, so that position, alignment and switching tolerance is maintained under all expected conditions, e.g. vibration, normal wear, ingress of foreign bodies, temperature.

(See ISO 14119:2024, Clause 5)

M, D, U

Protection of the control circuit

Apply protection in accordance with IEC 60204‑1:2016 + AMD1:2021, 7.2 and 9.1.1.

M, D

Sequential switching for circuit of serial contacts of redundant signals

To avoid common mode failure by the welding of both contacts, switching on and off does not happen simultaneously, so that one contact always switches without load.

M, D

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Use of components with oriented failure mode

(see ISO 12100:2010, 6.2.12.3)

Use oriented failure mode components or systems wherever practicable. A safe state is directly or indirectly (e.g. through fault detection) obtained by the predominant failure mode.

M, D

Over-dimensioning

De-rate components when used in safety circuits, e.g. by the following means:

M, D

— the current passed through switched contacts should be less than half their rated current;

— the switching frequency of components should be less than half their rated value;

— the total number of expected switching operations should be no more than 10 % of the device’s electrical durability.

NOTE   De-rating can depend on the design rationale.

Safety factors are as given in standards or by good engineering practice in safety-related applications.

Separation distance

Use of sufficient distance between position terminals, components and wiring to avoid unintended connections.

M, D

Minimizing possibility of faults

Separate safety-related functions from the other functions.

M, D

Positive mechanical action

(see ISO 12100:2010, 6.2.5.)

Direct action is transmitted by the shape (and not the strength) with no elastic elements, e.g. spring between actuator and the contacts (see ISO 14119:2024, 5.1).

To achieve positive (or direct) mechanical action, mechanical components needed for the safety function are moved either by direct contact or via rigid elements.

M, D

Multiple parts

Reducing the effect of faults by providing multiple parts acting in parallel, e.g. where a failure of one of several resistors does not lead to a dangerous condition.

M, D

Use of well-tried spring

See Table A.3

M

Limited range of force and similar parameters to avoid or limit mechanical stress

This principle is not applicable when the continued integrity of components is essential to maintaining the necessary level of control.

Determination of the necessary limitation in relation to the experience and application.

M, D

Limited range of environmental parameters

See ISO 13849-1:2023, 10.7

Determination of the necessary limitations. Examples are temperature, humidity, pollution at the installation. Follow manufacturer's installation and operation instructions.

M, D, U

Limited range of reaction time, limited hysteresis

Determination of the necessary limitations.

For example, proper selection of protective devices.

M, D

Positively mechanically linked contacts

Use of positively mechanically linked contacts for, e.g. monitoring function in Category 2, 3, and 4 systems (IEC 61810-3:2015, IEC 60947‑4-1:2023, Annex F, IEC 60947‑5‑1:2024, Annex L).

M, D

Fault avoidance or detection in cables

To avoid or detect short circuits between two adjacent conductors,

M, D

— use cable with shielding connected to the protective bonding circuit on each separate conductor;

— in flat cables, use one earthed conductor between each signal conductor; or

— use cross-circuit monitoring, e.g. by test pulses.

Energy limitation

Use of a capacitor for supplying a finite amount of energy, e.g. in a timer application.

M, D

Limitation of electrical parameters

Limiting voltage, current, energy or frequency to restrict movement, e.g. torque limitation, hold-to-run with displacement/time limited, reduced speed, to avoid an unsafe state.

M, D

No undefined states

Avoid undefined states in the control system. Design and construct the control system so that, during normal operation and all expected operating conditions, its state, e.g. its output(s), can be predicted.

M, D

Failure mode orientation

Wherever possible, the device/circuit should fail to the safe state or condition.

M, D

Balance complexity and simplicity

Balance between complexity to reach better control and simplification to have better reliability.

M, D

Abbreviations

M – Design and manufacturing of components

D – Design of subsystems

U – Use of the machine

Switch with positive mode actuation (direct opening action), e.g.:

—

IEC 60947‑5‑1:2024, Annex K

— push-button;

— position switch;

— cam-operated selector switch, e.g. for mode of operation

Emergency stop device

—

ISO 13850:2015

IEC 60947‑5‑5:1997+AMD1:2005+AMD2:2016

Fuse

—

IEC 60269‑1:2024

Circuit-breaker

—

IEC 60947‑2:2024

Switches, disconnectors

—

IEC 60947‑3:2025

Differential circuit-breaker or RCD (residual current device)

—

IEC 60947‑2:2024

Main contactor

Only well-tried if

IEC 60947‑4‑1:2023

a) other influences are considered, e.g. vibration;

b) failure is avoided by appropriate methods, e.g. over-dimensioning (see Table D.2);

c) the short-circuit current to the load is limited by a protection device, e.g. thermal fuse; and

d) the circuits are protected by a protection device against overload.

Control and protective switching device or equipment (CPS)

—

IEC 60947‑6‑2:2020

Force Guided Relays (e.g. Auxiliary contactor, contactor relay)

Only well-tried if

IEC 61810-1:2015/AMD1:2019

IEC 61810-2:2017

IEC 61810-3:2015

IEC 60947‑5‑1:2024

IEC 60947‑4‑1:2023, Annex F

a) other influences are considered, e.g. vibration;

b) there is positive opening;

c) failure is avoided by appropriate methods, e.g. over-dimensioning (see Table D.2);

d) the current in the contacts is limited by a fuse or circuit-breaker to avoid the welding of the contacts; and

e) contacts are positively mechanically guided when used for monitoring.

Relay

Only well-tried if

IEC 61810-1:2015+AMD1:2019

IEC 61810-2:2017

IEC 61810-3:2015

a) other influences are considered, e.g. vibration;

b) positive opening action;

c) failure avoided by appropriate methods, e.g. over-dimensioning (see Table D.2); and

d) the current in the contacts is limited by fuse or circuit-breaker to avoid the welding of the contacts.

Transformer

—

IEC 61558 (all parts)

Cable

Protection of cabling external to enclosure against mechanical damage (including, e.g. vibration or bending) is considered.

IEC 60204‑1:2016 + AMD1:2021, Clause 12

Plug and socket

—

According to an electrical standard relevant for the intended application.

For interlocking, see also ISO 14119:2024.

Temperature switch

Only well-tried if

ISO 13849‑1:2023, 6.1.11

For the electrical part, see IEC 60730­1:2022

a) the component fulfils the basic and well-tried safety principles regarding the intended application (see NOTE), including use of the component according to the specification of the manufacturer;

b) proven to be widely used in the past with documented successful results in similar applications or made, verified and validated using principles which demonstrate its suitability and reliability for safety-related applications according to relevant product and application standards;

c) either no electronics on-board or on-board electronics, if available, does not participate in executing the safety function;

d) the behavior of the component under all conditions is well defined and can be completely determined; and

e) the following construction characteristics are fulfilled:

— simple, robust design;

— positive connection;

— sufficient protection against loosening with detachable connection; and

— sufficiently robust in relation to the use (application) and the ambient conditions (e.g. humidity, vibration).

NOTE The confirmation of basic and well-tried safety principles as well as proof of wide use in the past with documented successful results in similar applications can be done by the component manufacturer or by the designer of the subsystem.

Short circuit between any two conductors

Short circuits between conductors which are

Provided both the conductors and enclosure meet the appropriate requirements (see IEC 60204-1:2016 + AMD1:2021).

— permanently connected (fixed) and protected against external damage, e.g. by cable ducting, armoring;

— separate multicore cables;

— within an electrical enclosure (see remark); or

— individually shielded with earth connection.

Short circuit of any conductor to an exposed conductive part or to earth or to the protective bonding conductor

Short circuits between conductor and any exposed conductive part within an electrical enclosure (see remark).

Open circuit of any conductor

None.

—

Short circuit between two adjacent tracks/pads

Short circuits between adjacent conductors in accordance with remarks.

As base material, EP GC according to IEC 60893-1:2004 is used as a minimum.

The clearances and creepage distances are dimensioned to at least IEC 60664‑1:2025, for pollution degree 2/overvoltage category III. If both tracks are powered by a SELV/PELV power supply, pollution degree 2/overvoltage category II applies, with a minimum clearance of 0,1 mm.

The assembled board is mounted in an enclosure giving protection against conductive contamination, e.g. an enclosure with a protection of at least IP54, and the printed side(s) is (are) coated with an ageing-resistant varnish or protective layer covering all conductor paths.

NOTE 1   Experience has shown that solder masks are satisfactory as a protective layer.

NOTE 2   A further protective layer covering according to IEC 60664‑3:2016 can reduce the creepage distances and clearances dimensions.

Open circuit of any track

None.

—

Short circuit between adjacent terminals

Short circuit between adjacent terminals in accordance with remarks 1) or 2).

1)   The terminals and connections used are in accordance with IEC 60947‑7-1:2025 or IEC 60947‑7-2:2009 and the requirements of IEC 60204‑1:2016 + AMD1:2021, 13.1.1, are satisfied.

2)   The design in itself ensures that a short circuit is avoided, e.g. by shaping shrink-down plastic tubing over connection point.

Open circuit of individual terminals

None.

—

Short circuit between any two adjacent pins

Short circuit between adjacent pins in accordance with remark.

If the connector is mounted on a PCB, the fault exclusion considerations of Table D.5 apply.

By using ferrules or other suitable means for multi-stranded wires. Creepage distances and clearances and all gaps should be dimensioned to at least IEC 60664‑1:2025 with overvoltage category III.

Interchanged or incorrectly inserted connector when not prevented by mechanical means

None.

—

Short circuit of any conductor (see remark) to earth or a conductive part or to the protective conductor

None.

The core of the cable is considered a part of the multi‑pin connector.

Open circuit of individual connector pins

None.

—

Contact will not close

None.

—

Contact will not open

Contacts in accordance with IEC 60947‑5-1:2024, Annex K, are expected to open.

—

Short circuit between adjacent contacts insulated from each other

Short circuit can be excluded for switches in accordance with IEC 60947‑5-1:2024 (see remark).

Conductive parts which become loose should not be able to bridge the insulation between contacts.

Simultaneous short circuit between three terminals of change-over contacts

Simultaneous short circuits can be excluded for switches in accordance with IEC 60947‑5-1:2024 (see remark).

NOTE 1   For PL e, a fault exclusion for mechanical (e.g. the mechanical link between an actuator and a contact element) and electrical aspects is not allowed. In this case redundancy is necessary. For emergency stop devices in accordance with IEC 60947‑5-5:1997+AMD1:2005+AMD2:2016, a fault exclusion for mechanical aspects is allowed if a maximum number of operations is considered.

NOTE 2   The fault lists for the mechanical aspects are considered in Annex A.

All contacts remain in the energized position when the coil is de-energized (e.g. due to mechanical fault)

None.

—

All contacts remain in the de-energized position when power is applied (e.g. due to mechanical fault, open circuit of coil)

None.

Contact will not open

None.

Contact will not close

None.

Simultaneous short circuit between the three terminals of a change-over contact

Simultaneous short circuit can be excluded if remarks are considered.

The creepage and clearance distances are dimensioned to at least IEC 60664‑1:2025 with at least pollution degree 2/overvoltage category III.

Conductive parts which become loose cannot bridge the insulation between contacts and the coil.

Short circuit between two pairs of contacts and/or between contacts and coil terminal

Short circuit can be excluded if remarks are considered.

Simultaneous closing of normally open and normally closed contacts

Simultaneous closing of contacts can be excluded if remark is considered.

Positively driven (or mechanically linked) contacts are used (see IEC 60947‑5‑1:2024, Annex L).

Does not energize

None.

—

Does not de-energize

None.

NOTE   The fault lists for the mechanical aspects of pneumatic and hydraulic valves are considered in Annexes B and C respectively.

Open circuit of individual winding

None.

—

Short circuit between different windings

Short circuit between different windings can be excluded if remarks 1) and 2) are considered.

1)   The requirements of the relevant parts of IEC 61558 (all parts) should be met.

2)   Between different windings, doubled or reinforced insulation or a protective screen applies. Testing according to e.g. IEC 61558‑1:2017, Clause 18, applies. Appropriate test voltages are given in IEC 61558‑1:2017, Table 8 a) or other appropriate product standards.

Short circuits in coils and windings need to be avoided by taking appropriate steps; e.g.

Short circuit in one winding

A short circuit in one winding can be excluded if remark 1) is considered.

Change in effective turns ratio

Change in effective turns ratio can be excluded if remark 1) is considered. See also remark 3).

— impregnating the coils so as to fill all the cavities between individual coils and the body of the coil and the core;

— using winding conductors well within their insulation and high-temperature ratings.

3)   In the event of a secondary short circuit, heating above a specified operating temperature should not occur.

Open circuit

None.

—

Short circuit

Short circuit can be excluded if remark is considered.

Coil is single-layered, enamelled or potted, with axial wire connections and axial-mounted.

Random change of value 0,5 L_N < L < L_N + tolerance, where L_N is the nominal value of the inductors

None.

Depending upon the type of construction, other ranges can be considered.

Open circuit

None.

—

Short circuit

Short circuit can be excluded if remark 1) or 2) is considered.

1)   The resistor is of the film type, or wire-wound single-layer type with protection to prevent unwinding of wire in the event of breakage, with axial wire connections, axial-mounted and varnished.

2)   Resistors in surface-mount technology must be of the thin film metal type in package types MELF, mini MELF or µMELF.

3)   For example, if the risk of tin-whisker growth is considered high, the fault exclusion “short circuit of a resistor” is useless, since a short between the contacts of this component has to be considered.

Random change of value 0,5 R_N < R < 2 R_N, where R_N is the nominal value of resistance

None.

Depending upon the type of construction, other ranges can be considered.

Open circuit

None.

—

Short circuit between any two connections

None.

Short circuit between any connections

None.

Random change of value 0,5 R_N < R < 2 R_N, where R_N is the nominal value of resistance

None.

Depending upon the type of construction, other ranges can be considered.

Open circuit of individual connection

None.

—

Short circuit between all connections

None.

Short circuit between any two connections

None.

Random change of value 0,5 R_p < R < 2 R_p, where R_p is the nominal value of resistance

None.

Depending upon the type of construction, other ranges can be considered.

Open circuit

None.

—

Short circuit

None.

Random change of value 0,5 C_N < C < C_N + tolerance, where C_N is the nominal value of capacitance

None.

Depending upon the type of construction, other ranges can be considered.

Changing value tan δ

None.

—

Open circuit of any connection

None.

—

Short circuit between any two connections

None.

Short circuit between all connections

None.

Change in characteristics

None.

Open circuit of individual connection

None.

—

Short circuit between any two input connections

None.

Short circuit between any two output connections

None.

Short circuit between any two connections of input and output

Short circuit between input and output can be excluded if the remarks are considered.

The coupler is built in accordance with overvoltage category III according to IEC 60664‑1:2025. If a SELV/PELV power supply is used, pollution degree 2/overvoltage category II applies.

NOTE   See Table D.5.

Measures are taken to ensure that an internal failure of the coupler for galvanic isolation cannot result in excessive temperature of its insulating material.

Open circuit of each individual connection

None.

—

Short circuit between any two connections

None.

—

Stuck-at-fault (i.e. short circuit to 1 and 0 with isolated input or disconnected output). Static “0” and “1” signal at all inputs and outputs, either individually or simultaneously

None.

—

Parasitic oscillation of outputs

None.

—

Changing values (e.g. input/output voltage of analogue devices or change of information due to soft error if shown to be relevant)

None.

See Annex D.3.

NOTE   In this document, ICs with either less than 1 000 gates or less than 24 pins, or both; operational amplifiers; shift registers and hybrid modules are considered non-complex. This definition is arbitrary.

Faults in all or part of the function including software faults

None.

—

Open circuit of each individual connection

None.

—

Short circuit between any two connections

None.

—

Stuck-at-fault (i.e. short circuit to 1 and 0 with isolated input or disconnected output). Static “0” and “1” signal at all inputs and outputs, either individually or simultaneously

None.

—

Parasitic oscillation of outputs

None.

—

Changing value, e.g.

None.

See Annex D.3

— input/output voltage of analogue devices

— change of information due to soft error if shown to be relevant, e.g. for RAM, FPGA

Undetected faults in the hardware which go unnoticed because of the complexity of the integrated circuit

None.

—

NOTE 1 The analysis should identify additional faults, which should be considered if they influence the operation of the safety function.

NOTE 2 In this document, an IC is considered complex if it consists of either more than 1 000 gates or more than 24 pins, or both. This definition is arbitrary.

Communication errors (corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, addressing)

None

Measures to control the effects of errors and other effects arising from any data communication, including transmission errors (such as corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, addressing) should be applied.

NOTE  1   Further information can be found in IEC 61784-3:2021+AMD1:2024, 5.3, Table 1 and IEC 61508-2:2010, 7.4.11.2.

NOTE 2   The term ‘masquerade’ means that the true contents of a message are not correctly identified. For example, a message from a non-safety component is incorrectly identified as a message from a safety component.

The relevant Essential Requirements of Directive 2006/42/EC

Clause(s)/sub-clause(s) of this EN

Remarks/Notes

1.2.1.   Safety and reliability of control systems

4

Reference in Clause 2

International Standard Edition

Title

Corresponding European Standard Edition

ISO 12100:2010

ISO 12100:2010

Safety of machinery — General

principles for design — Risk

assessment and risk reduction

 EN ISO 12100:2010

ISO 13849-1:2023

ISO 13849-1:2023

Safety of machinery —

Safety-related parts of control systems

Part 1: General principles for design

EN ISO 13849-1:2023

The relevant Essential Requirements of Regulation (EU) 2023/1230

Clause(s)/sub-clause(s) of this EN

Remarks/Notes

1.2.1.   Safety and reliability of control systems

4

Exclusions:

2.   Paragraph: (a) second part: “... and intended and unintended external influences, including reasonably foreseeable malicious attempts from third parties leading to a hazardous situation”, (d), (f)

3.   Paragraph: (a), (b), (c)

4.   Paragraph: (c)

Reference in Clause 2

International Standard Edition

Title

Corresponding European Standard Edition

ISO 12100:2010

ISO 12100:2010

Safety of machinery — General

principles for design — Risk

assessment and risk reduction

EN ISO 12100:2010

ISO 13849-1:2023

ISO 13849-1:2023

Safety of machinery —

Safety-related parts of control systems

Part 1: General principles for design

EN ISO 13849-1:2023