Safety of machine control systems: what is the current situation?

For about ten years now in the world of tissue, particularly in tissue making, we have been speaking about machine safety systems, invoking the phantom “level 3” as opposed to “level 2”.

There’s nothing magical about it and, indeed, for the sake of accuracy, we should not be speaking about levels but rather about categories. Furthermore, the issue is not limited to the tissue field: it concerns every machine placed on the European Union market (and on the markets of many other countries that use the European EN norms). Let’s try to shed some light on the topic, bearing in mind that the reference norm was radically changed between 2006 and 2007. We will examine the past and also speak about the new norm.


Alessandro Mazzeranghi


SAFETY CATEGORIES ACCORDING TO EN 954-1. The above-mentioned norm was published in 1996 at European level (in 1998 in Italy), with the title: “Safety of machinery – Safety related parts of control systems – General principles for design”.

This norm defines the requisites of “safety systems”, i.e., those sets of devices that, when a dangerous situation is detected, intervene to make the machine safe (or to prohibit access to dangerous areas until the dangerous situation is resolved). The requisites mainly concern the reliability level of the entire “chain” that performs the safety function (figure 1), and are expressed through the definition of the architecture of these systems. Let us briefly review some examples of safety systems:


• The micro-switch (in technical jargon “interlock”) on the guarding of a corewinder stops the machine if the guarding is opened. Evidently, it does not suffice to detect the opening reliably; the machine must also actually stop (by interrupting the electrical power supply to the motor);

• The vibration sensor of a cogeneration gas turbine stops the machine if it detects excessively high vibrations that could lead to the detachment of the turbine’s blades from the rotor (in technical jargon: blade failure). It is not only a risk for the machine, because in turbines used in the aeronautics field the stator is very thin and the blades easily perforate it, ending up “flying” around the facilities (did you know about the existence of this risk?);

• The electric lock (interlock with lock blocking device) on the perimeter guardings of a rewinder does not allow access before the unwinders come to a stop. If the zero speed of the unwinders is not detected reliably, the doors could open while the unwinders are running.


But let us look at the categories. In general terms, going from least reliable to most reliable, we move from systems of proven reliability (which, however, lose their function after a single failure without the person running the machine realizing it), to systems whose correct operation is checked periodically (category 2), to systems that add to the periodic check the requirement that a single failure does not entail loss of the safety function (category 3), up to systems that add to the requisites of category 3 a continuous check of correct operation (category 4).

In Box 1 the definitions of this norm are reported in their entirety.

At this point, two scenarios open up regarding the choice of the appropriate safety category for a given safety system:


1. there is a norm for the field (a norm for a specific machine category, called a type C norm) that indicates the “right” categories for the safety functions. This is the case of converting machines, for which EN 1010-1 “Safety requirements for the design and construction of printing and paper converting machines – common requirements” indicates category 3 for “electric” safety systems (with a relaxation for actuators, which need not be redundant), except where indicated otherwise in even more specific norms;

2. there is no specific norm (this is the case of packaging machines); hence, the choices listed in Annex B of EN 954-1 must be applied. The choice diagram, reported in Figure 2, requires the evaluation of three factors: accident severity, length of presence in the dangerous zone and chance to avoid the accident. On this basis it proposes the right category or categories, indicated by the big orange circle. It is useful to note that these assessment parameters are three of the four indicated by EN 1050 for the Risk Assessment of machines, which is actually the heart of the manufacturer’s technical file that must be created in order to obtain CE marking.


WHAT CHANGES WITH EN 13849-1: THE INTRODUCTION OF THE PERFORMANCE LEVEL. In November 2006 (at European level, February 2007 in Italy) the norm 13849-1 was published: “Safety-related parts of control systems - Part 1: General principles for design”, which replaces EN 954-1 (some legal quibbles have given rise to a transitional period of co-existence). The general wording is similar to the previous one, but an important factor changes: the categories are replaced by Performance Levels (PL) which (see Table 1) are true indicators of reliability (average probability of dangerous failure per hour); therefore, no direct correlation exists between the two “indices”.

What remains almost unchanged is the choice diagram that is based on the same risk assessment factors previously considered (Figure 3).

From a technical point of view, the change is correct. Among other things, it also opens the way for the use of PCs for the management of safety functions (as long as we know the reliability of the hardware and how to validate the software). A practical problem arose, however, because no manufacturer of components (or very few of them, at least) indicated the reliability of these components; hence, calculating the reliability of the chain in figure 1 was impossible.

Today, the issue is being resolved, at least as far as the electric and electronic part is concerned. Some manufacturers of components for industrial automation even support customers in PL calculation.
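The check described above, as an added example that is not part of the original article: the required PL is read from the three-factor choice diagram, the PFHd of the chain is obtained by summing the component values, and the two are compared. The PFHd bands and the diagram outcomes are those defined in EN ISO 13849-1; the component names and PFHd figures are constructed, and summing PFHd over the chain is a simplifying assumption.

```python
# Added illustration; not taken from the article or from any vendor tool.
# PFHd bands per Performance Level (EN ISO 13849-1), as [low, high) per hour.
PL_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
            ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]
ORDER = "abcde"  # least to most demanding


def required_pl(severity, frequency, avoidability):
    """Choice diagram: S1/S2, F1/F2, P1/P2 (each given as 1 or 2) -> PLr."""
    for name, v in (("severity", severity), ("frequency", frequency),
                    ("avoidability", avoidability)):
        if v not in (1, 2):
            raise ValueError(f"{name} must be 1 or 2, got {v!r}")
    # Severity S2 moves two steps up the scale; F2 and P2 one step each.
    return ORDER[2 * (severity - 1) + (frequency - 1) + (avoidability - 1)]


def achieved_pl(pfhd_values):
    """Sum PFHd over the chain (assumed series model) and classify it."""
    if not pfhd_values or any(v is None or v <= 0 for v in pfhd_values):
        return None, None  # a component without reliability data: no rating
    total = sum(pfhd_values)
    for pl, low, high in PL_BANDS:
        if low <= total < high:
            return total, pl
    # Better than the best band still counts as PL e; worse than 1e-4 is no PL.
    return total, ("e" if total < 1e-8 else None)


def verify(chain, severity, frequency, avoidability):
    """Compare the PL reached by the chain with the PLr the risk demands."""
    plr = required_pl(severity, frequency, avoidability)
    total, pl = achieved_pl(list(chain.values()))
    ok = pl is not None and ORDER.index(pl) >= ORDER.index(plr)
    return {"PLr": plr, "PL": pl, "PFHd": total, "ok": ok}


# Constructed sample chains: sensor -> logic -> actuator, PFHd in 1/h.
REDUNDANT = {"door interlock": 2.5e-8, "safety relay": 3.0e-8,
             "contactor pair": 4.0e-8}
SINGLE = {"door interlock": 2.5e-8, "safety relay": 3.0e-8,
          "single contactor": 9.0e-7}
NO_DATA = {"door interlock": 2.5e-8, "safety relay": None,
           "contactor pair": 4.0e-8}

if __name__ == "__main__":
    for label, chain in (("redundant", REDUNDANT), ("single", SINGLE),
                         ("no data", NO_DATA)):
        print(label, verify(chain, severity=2, frequency=2, avoidability=2))
```

The third chain reproduces the situation the article describes: one component without a declared reliability figure is enough to leave the whole chain unrated.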


TECHNICAL-LEGAL CONSIDERATIONS (WHAT’S THE BIG PROBLEM?). With the publication of EN 13849-1 all type C norms became obsolete. Hence the question: since there is no precise correspondence between categories and PLs, if norm EN 1010-1 speaks about category 3, which PL should I adopt? It is not possible to give an unambiguous answer (even though some considerations could be made). Therefore, builders of machines subject to type C norms will also have to go through Risk Assessment in order to choose the proper PL.

Fortunately, this is a problem that the European Committee for Standardization (CEN) knows very well, and it is for this reason, too (the other is the “upcoming” entry into force of the new 2006/42/CE machine directive on 29/12/2009), that it is pressing for a prompt revision of type C norms. But even with all the best intentions in the world, we are talking about years before it is done.

We would like to conclude with a note for the users. All this sounds like a problem that concerns only builders: nothing could be farther from the truth! Social directive 95/63/CE, concerning the safety of equipment used on the job (and the related obligations of the employer), establishes that when choosing equipment for a working environment (machines included) the employer must keep in mind that “control systems must be safe and must be chosen keeping in consideration possible failures, troubles and stresses in their designed use”. Therefore, the employer must ascertain that the machinery he/she makes available to his/her employees possesses safety systems of the proper category or PL (whatever the case may be).

This provision entered into force in all EU countries between 1997 (for example in Spain) and 1999 (in Italy), and was assimilated by all new member countries before admission to the EU (the assimilation of directives into national legislation is a prerequisite for admission). Therefore, at least in the EU, the issue of categories or PLs really concerns a wide range of parties. That’s why it is important to understand well what we are talking about!
