Why Category 2 is unsuitable for Performance Level d safety

David Collier, the Business Development Manager at Pilz Automation Technology, explains why machine builders should resist the temptation to save money by using Category 2 architecture on machine guard safety circuits requiring Performance Level d.

Under EN 954-1 (still scheduled for withdrawal at end 2011) the 'Category' of the control system has been used as the basis for constructing the safety-related control functions. With the increasing uptake of EN ISO 13849-1, however, the term 'Category' has been taken over by 'Performance Level' (PL). In addition to the factors taken into account by Categories, Performance Levels also consider the reliability of the individual components and combination of components in a safety-related control system (expressed as the mean time to dangerous failure, MTTFd, or probability of failures per hour, PFH); the reliability data is used to evaluate the availability of a safety function over time. The behaviour of the safety function in the presence of faults is still dictated by the Category, which is now also referred to as architecture or structure.

In the past, designers using the risk graph in EN 954-1 may have arrived at a Category 3 requirement based upon known factors for severity, frequency of exposure and possibility of avoidance. The designer would then have designed a dual-channel system, one with redundancy or hardware fault tolerance (HFT = 1), providing a behaviour such that a single fault in the system would not give rise to a loss of the safety function.

These same parameters used with the similar risk graph in EN ISO 13849-1 would most likely lead to PLd.


In EN ISO 13849-1, PL is achieved by a combination of Category, MTTFd and diagnostic coverage (DC). According to Figure 5 in the standard, PLd is still achievable using Category 3 architecture - but also by using Category 2 (so long as the MTTFd is high and there is at least a low level of diagnostic coverage). It may be very tempting to try to use Category 2, single-channel architecture to achieve PLd to save component cost and panel space. A central factor in Category 2 is checking the safety function (not increased reliability), where an increased check frequency will decrease the probability of a dangerous situation - in other words testing reduces the probability of continued operation in the presence of a fault. Within the simplified procedure in EN ISO 13849-1 the check in Category 2 must occur at start-up and then periodically, and there is an assumption that the frequency equates to at least 100 tests to every demand on the safety function (clause 4.5.4 of EN ISO 13849-1, where for Category 2 'demand rate <1/100 test rate'). This test rate is an additional quantitative factor to that given in EN 954-1. In other words, if you try to claim PLd using Category 2 architecture, you are assuming that the safety function will be tested at least 100 times between demands upon the safety function.

BGIA (now IFA) has worked out the Markov reliability model of EN ISO 13849-1 designated architecture category 2 as a single-channel circuit with this high test frequency, based on the findings of a European working group trying to map EN 954-1 categories to the SILs of IEC 61508/IEC 62061. This is a challenge within the machine industry where safety functions are considered to be high demand versus the process industry where the demand placed upon safety functions is low or continuous.

Practical considerations

It is difficult to see how users are going to manage this test frequency in machine applications on anything other than a dynamically self-tested OSSD (Output Signal Switching Device - ie a solid-state safety output) on a Type 4 light curtain, or in very low demand applications such as infrequently used emergency stops. For electromechanical devices on guards (such as tongue-actuated interlock switches, limit switches and magnetic safety switches) testing will mean actuation (ie opening and closing the guard) at least 100 times between the functional need to open the guard. This may at least prove inconvenient because it would impede productivity, or even impossible due to the high demand already placed upon the safety function. Imagine having to test a guard door 100 times within a two minute production cycle - not practical!

Lastly, consider the implication of frequent testing of electromechanical devices in terms of component wear and tear. MTTFd for an electromechanical component (like a safety interlock switch or contactor) is dependent upon the number of operations in a year (nop) and the component's B10d (the expected number of cycles until 10 per cent of the components fail dangerously, with component-specific data normally available from the manufacturer, or generic data can be found in table C.1 of EN ISO 13849-1). The stress placed upon the components through testing would be 100 times greater than that placed upon them due to the demand of the safety function, and the increased number of operations would at least reduce MTTFd (and potentially the PL). Moreover, the components might fail very early in the guard's life, resulting in lost production and additional expense through the need to replace the safety components repeatedly.
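The effect of test actuations on MTTFd can be put into numbers with the relation MTTFd = B10d / (0.1 x nop) from EN ISO 13849-1. The following is an added example, not part of the original article or any Pilz tool: the B10d value, the operating schedule and all function names are assumptions chosen for illustration, with a guard opened once per two-minute cycle.

```python
SECONDS_PER_HOUR = 3600

def nop_per_year(days_per_year, hours_per_day, cycle_time_s):
    """Mean operations per year: one actuation every cycle_time_s seconds."""
    return days_per_year * hours_per_day * SECONDS_PER_HOUR / cycle_time_s

def mttfd_years(b10d, nop):
    """MTTFd = B10d / (0.1 * nop), in years."""
    return b10d / (0.1 * nop)

def t10d_years(b10d, nop):
    """T10d = B10d / nop: time until 10% of components have failed dangerously."""
    return b10d / nop

def mttfd_band(mttfd):
    """MTTFd band per channel as denoted in EN ISO 13849-1 (years)."""
    if mttfd < 3:
        return "below low"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"

def assess(b10d, demands_per_year, tests_per_demand=0):
    """Evaluate a component actuated by demands plus any test actuations."""
    nop = demands_per_year * (1 + tests_per_demand)
    mttfd = mttfd_years(b10d, nop)
    return {"nop": nop, "mttfd": mttfd,
            "t10d": t10d_years(b10d, nop), "band": mttfd_band(mttfd)}

# Constructed inputs (assumptions, not manufacturer data):
B10D = 2_000_000                      # dangerous-failure cycles for the switch
DEMANDS = nop_per_year(240, 16, 120)  # 240 days, 16 h/day, guard opened every 120 s

if __name__ == "__main__":
    for label, tests in (("demand only", 0), ("100 tests per demand", 100)):
        r = assess(B10D, DEMANDS, tests)
        print(f"{label:22s} nop={r['nop']:>12,.0f} MTTFd={r['mttfd']:7.1f} y "
              f"T10d={r['t10d']:5.2f} y band={r['band']}")
```

With these figures the switch sits comfortably in the high MTTFd band when only demands are counted, but adding 100 test actuations per demand drops it below the low band and brings T10d down to a couple of months.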

It is, therefore, more practical and commonplace to achieve PLd using Category 3 or 4, dual-channel architectures, because they improve reliability through hardware fault tolerance (without a highly frequent periodic test cycle) as well as 'automatic' diagnostic coverage within the system.

Single failure point

On balance, there is an argument against Category 3 in PLd systems in the case where a single component, such as an interlock or limit switch containing two contacts, is employed to monitor a guard. Such a device has one potential point of failure: a failure of a limit switch plunger mechanism (say due to excessive force, contamination or corrosion) is a single failure point affecting both contacts and both channels. In this case, what is ostensibly a Category 3 architecture can be considered to be Category 1, because a single failure can cause a loss of the safety function. With a single device containing two channels needing to achieve PLd, it is necessary to declare a 'fault exclusion', which justifies why such a single point of failure in the switch body is unlikely. There is guidance in EN ISO 13849-2 on fault exclusions which considers, among various factors, the environment (dirt and corrosion affecting the device during its lifetime), safe positioning and mounting (such as a preference for actuation occurring on opening, and avoidance of using the device as a mechanical stop), and adequate dimensioning. Where a fault exclusion cannot be justified and PLd is required, the answer is to use two independent switches; this is more likely and is already common practice on monitored guards, and at this point measures taken to reduce Common Cause Failures can be quantified.

The use of fault exclusions in PLd and PLe will become a moot point when ISO 14119, Safety of machinery - Interlocking devices associated with guards - Principles for design and selection, is published, because in it reference is made to interlocking circuits providing PLd or PLe having to include at least two position switches, since fault exclusions of mechanical faults are not accepted in high-risk applications.


Users of electromechanical safety components on guards are urged to consider carefully the onerous test requirements of Category 2 in EN ISO 13849-1 at the design stage, especially when seeking to achieve PLd. Incorporating Category 2 architectures into PLd systems without taking these test requirements into due consideration may introduce systematic failures and an associated loss of production and additional expense. If after design, build, supply and commissioning the machine it is decided to convert from a Category 2 architecture to Category 3 or 4 it might be difficult or impossible in terms of fitting additional on-machine components, as well as in-panel devices required to step from single- to dual-channel architecture.

Contact Pilz to find out more about the consultancy and engineering services that Pilz offers companies designing machine guard safety circuits.

Pilz Automation Ltd

Pilz House
Little Collier's Field
NN18 8TJ

+44 (0)1536 460766


