CE, Brexit, and Authorised Representatives

CE, Brexit and Authorised Representatives

We’re just pass­ing the T-1 year mark on the UK’s jour­ney towards leav­ing the EU. Some of my read­ers are “Leavers”, while oth­ers are “Remain­ers”, but for every­one liv­ing in the UK or doing busi­ness with the UK, there are many ques­tions that remain unclear. To be fair, some of the lack of clar­i­ty is due to the nego­ti­a­tion process that Prime Min­is­ter May’s gov­ern­ment is engaged in, and some of it is the result of the com­plex­i­ty in the EU-UK rela­tion­ship. I hope to add some clar­i­ty to this sit­u­a­tion, at least as far as the impact on third-coun­try man­u­fac­tur­ers and CE Mark­ing is con­cerned.

What is an Authorised Representative?

Whether or not a man­u­fac­tur­er is based in the EU, they may use an Autho­rised Rep­re­sen­ta­tive to car­ry out cer­tain tasks, such as [1, 3.2]:

  • keep­ing the EU dec­la­ra­tion of con­for­mi­ty and the tech­ni­cal doc­u­men­ta­tion at the dis­pos­al of nation­al sur­veil­lance author­i­ties and coop­er­ate with them at their request,
  • pro­vid­ing that Nation­al Author­i­ties with all the infor­ma­tion and doc­u­men­ta­tion nec­es­sary to demon­strate the con­for­mi­ty of a prod­uct,
  • tak­ing actions to elim­i­nate the risks posed by prod­ucts cov­ered by their man­date,
  • affix the CE mark­ing and noti­fied body’s num­ber to the prod­uct,
  • draw up and sign the EU dec­la­ra­tion of con­for­mi­ty.

Man­u­fac­tur­ers locat­ed out­side the EU may be oblig­ed to have an Autho­rised Rep­re­sen­ta­tive by the Direc­tives applic­a­ble to their prod­ucts. Com­mer­cial rep­re­sen­ta­tives such as autho­rised dis­trib­u­tors or agents, should not be con­fused with the “autho­rised rep­re­sen­ta­tive” in the mean­ing of Union har­mon­i­sa­tion leg­is­la­tion.

Hav­ing an Autho­rised Rep­re­sen­ta­tive entails spe­cif­ic con­trac­tu­al oblig­a­tions. The EU Blue Guide [1] can help you to under­stand those oblig­a­tions and the pro­vi­sions that are rel­e­vant to the agree­ment. Since I am not a lawyer, I can’t pro­vide you with spe­cif­ic legal advice on this top­ic but an EU con­tracts lawyer can help you with the nec­es­sary arrange­ments. Many of the orga­ni­za­tions that have been pro­vid­ing these ser­vices for many years have ready-made con­tracts that ful­fil the require­ments and can get you set-up quick­ly.

How will Brexit affect your CE Mark?

Since the UK joined the Euro­pean Eco­nom­ic Com­mu­ni­ty (EEC) on 1-Jan-1973 [2], [3], [4], the rela­tion­ship has become a com­plex one, and dis­en­tan­gling this rela­tion­ship is going to take some time.

On the sur­face, third-coun­try man­u­fac­tur­ers are not required to have an EU-based Autho­rised Rep­re­sen­ta­tive [1], how­ev­er, some CE Mark­ing Direc­tives include explic­it require­ments regard­ing Autho­rised Rep­re­sen­ta­tives, while oth­ers like the Machin­ery Direc­tive, have implic­it require­ments that result in third coun­try man­u­fac­tur­ers need to have an Autho­rised Rep­re­sen­ta­tive based in the EU.

If you have a con­tract with an Autho­rised Rep­re­sen­ta­tive cur­rent­ly based in the UK, your CE Mark will no longer be valid on 1-Apr-2019 unless you make oth­er arrange­ments [5].

How will Brexit affect my Authorised Representative?

Since the UK and North­ern Ire­land will be leav­ing the EU at the end of March, 2019, any orga­ni­za­tion that offers Autho­rised Rep­re­sen­ta­tive ser­vices will no longer be able to meet the require­ment for being based in the EU. Where an indi­vid­ual is act­ing as an Autho­rised Rep­re­sen­ta­tive, they have the option to move from the UK to any oth­er EU Mem­ber State before the UK offi­cial­ly exits the union. Where an orga­ni­za­tion is pro­vid­ing an Autho­rised Rep­re­sen­ta­tive ser­vice, they have the option to move their cor­po­rate head­quar­ters to any oth­er EU Mem­ber mem­ber state. Once they can show that they are based in an EU coun­try, then they can legit­i­mate­ly offer Autho­rised Rep­re­sen­ta­tive ser­vices again.

Need help with CE Mark­ing? I can help! Con­tact me at +1 (519) 650‑4753 or by email.


[1]     Euro­pean Com­mis­sion, “Com­mis­sion Notice — The ‘Blue Guide’ on the imple­men­ta­tion of EU prod­ucts rules 2016″, Pub­li­ca­tions Office of the Euro­pean Union, Lux­em­bourg, 2018.

[2]     “When did Britain decide to join the Euro­pean Union? – UK in a chang­ing Europe”, Ukandeu.ac.uk, 2018. [Online]. Avail­able: http://ukandeu.ac.uk/fact-figures/when-did-britain-decide-to-join-the-european-union/. [Accessed: 30- Mar- 2018].

[3]     “BBC News — A time­line of the EU”, News.bbc.co.uk, 2018. [Online]. Avail­able: http://news.bbc.co.uk/2/hi/europe/3583801.stm. [Accessed: 30- Mar- 2018].

[4]     Euro­pean Com­mis­sion, “Com­mis­sion Notice — The ‘Blue Guide’ on the imple­men­ta­tion of EU prod­ucts rules 2016″, Pub­li­ca­tions Office of the Euro­pean Union, Lux­em­bourg, 2016.


New Directions in Plastics Machinery

Canada’s Participation in ISO TC 270

SCC Standards Council of Canada LogoIn Feb­ru­ary of 2016, Cana­da formed the SCC Mir­ror Com­mit­tee (SMC) to ISO TC 270, Rub­ber and Plas­tics Machin­ery. This inter­na­tion­al tech­ni­cal com­mit­tee is cur­rent­ly devel­op­ing ISO 20430, the first inter­na­tion­al plas­tic injec­tion mould­ing machine stan­dard. Until the pub­li­ca­tion of ISO 20430, two stan­dards have been fight­ing for dom­i­nance: EN 201, Plas­tics and rub­ber machines — Injec­tion mould­ing machines — Safe­ty require­ments, and ANSI B151.1, Amer­i­can Nation­al Stan­dard for Plas­tics Machin­ery — Hor­i­zon­tal Injec­tion Mould­ing Machines — Safe­ty Require­ments for man­u­fac­ture, Care and Use.

Cana­da has a strong plas­tic and rub­ber indus­try, with key equip­ment man­u­fac­tur­ers like Athena Automa­tion, Husky Injec­tion Mold­ing Sys­tems, Mold Mas­ters and GN Plas­tics among oth­ers pro­duc­ing world class machin­ery for the indus­try. The indus­try is rep­re­sent­ed nation­al­ly by the Cana­di­an Plas­tics Indus­try Asso­ci­a­tion. Despite this, Cana­da has nev­er had its own stan­dard for this type of machin­ery.

Involve­ment in ISO TC 270 allows Canada’s plas­tics indus­try to have a voice in devel­op­ing the inter­na­tion­al stan­dards for the machin­ery they design and build, and which ever more com­mon­ly, they buy and use.

The com­mit­tee needs your help to know which way Cana­di­an indus­try wants us to focus our efforts as the work on ISO 20430 wraps up in com­ing months. We have a short sur­vey, just three ques­tions long, where you can rank five pos­si­ble top­ics we can focus on. We will be sub­mit­ting our com­mit­tee vote in ear­ly August on the top­ic, so you have a month or so to answer the ques­tion­naire. Let us know your pref­er­ences.

Why now?

ISO LogoUntil the pub­li­ca­tion of ISO 20430, two stan­dards have been fight­ing for dom­i­nance: EN 201 in Europe, and ANSI B151.1 in North Amer­i­ca. Until the rel­a­tive­ly recent for­ma­tion of ISO TC 270 in 2012, there were NO inter­na­tion­al stan­dards for this type of machin­ery. While there have been some efforts to har­monise the Euro­pean and ANSI stan­dards, there are still some sig­nif­i­cant gaps between these stan­dards. In addi­tion, ANSI’s B151 com­mit­tee has a num­ber of addi­tion­al stan­dards for aux­il­iary equip­ment for items like robots designed to unload molds, that are not direct­ly addressed in EN stan­dards.

Cana­da was giv­en a chance to par­tic­i­pate through our ongo­ing friend­ship with ANSI and the USA, so between 2012 and 2015, Cana­di­an del­e­gates attend­ed ISO TC 270 work­ing group meet­ings infor­mal­ly, and put Canada’s per­spec­tive for­ward through the US ANSI TAG com­mit­tee, but in 2016 it became clear that we need­ed to form our own com­mit­tee. If you are involved in the indus­try and you are a mem­ber of one of these gen­er­al groups and would like to get involved with stan­dards devel­op­ment, please go to our recruit­ing page and join us!

Committee Membership Matrix

Matrix Cat­e­go­ry Min Max Cur­rent
Total  15  25  6
Pro­duc­er Inter­est (PI) 3 5 3
User Inter­est, Man­age­ment (UM) 3 5 1
User Inter­est, Labour (UL) 3 5 0
Reg­u­la­to­ry Author­i­ty (RA) 3 5 1
Gen­er­al Inter­est (GI) 3 5 1

As you can see from the table, we need mem­bers in every group except the pro­duc­ers to meet our intend­ed bal­ance.

Definitions of the Categories

Pro­duc­er Inter­est (PI) — Machine builders, Aux­il­iary Equip­ment Man­u­fac­tur­ers, Con­sul­tants, and Engi­neer­ing Com­pa­nies pro­vid­ing for-prof­it ser­vices relat­ed to plas­tics and rub­ber machin­ery.

User Inter­est, Labour (UL) — Cana­di­an labour unions, labour orga­ni­za­tions, and indi­vid­ual work­ers locat­ed at Cana­di­an work­places.

User Inter­est, Man­age­ment (UM) — Trade asso­ci­a­tions, com­pa­nies, con­trac­tors, and orga­ni­za­tions rep­re­sent­ing com­pa­nies engaged in work per­formed in Cana­da.

Reg­u­la­to­ry Author­i­ties (RA)OHS provin­cial and fed­er­al reg­u­la­to­ry bod­ies (labour and elec­tri­cal).

Gen­er­al Inter­est (GI) — Safe­ty asso­ci­a­tions, research orga­ni­za­tions, insti­tu­tions, and non-com­mer­cial con­sul­tants who have exper­tise in the sub­ject area.

We need your help!

CAC ISO TC 270 needs your help!

Can you vol­un­teer some time? Sign up!

Can you help direct us? Answer our ques­tion­naire!

Need more infor­ma­tion? Con­tact Doug Nix!

Testing Emergency Stop Systems

This entry is part 11 of 13 in the series Emer­gency Stop

Emergency Stop on machine consoleI’ve had a num­ber of ques­tions from read­ers regard­ing test­ing of emer­gency stop sys­tems, and par­tic­u­lar­ly with the fre­quen­cy of test­ing. I addressed the types of tests that might be need­ed in anoth­er arti­cle cov­er­ing Check­ing Emer­gency Stop Sys­tems. This arti­cle will focus on the fre­quen­cy of test­ing rather than the types of tests.

The Problem

Emer­gency stop sys­tems are con­sid­ered to be “com­ple­men­tary pro­tec­tive mea­sures” in key machin­ery safe­ty stan­dards like ISO 12100 [1], and CSA Z432 [2]; this makes emer­gency stop sys­tems the back­up to the pri­ma­ry safe­guards. Com­ple­men­tary pro­tec­tive mea­sures are intend­ed to per­mit “avoid­ing or lim­it­ing the harm” that may result from an emer­gent sit­u­a­tion. By def­i­n­i­tion, this is a sit­u­a­tion that has not been fore­seen by the machine builder, or is the result of anoth­er fail­ure. This could be a fail­ure of anoth­er safe­guard­ing sys­tem, or a fail­ure in the machine that is not con­trolled by oth­er means., e.g., a work­piece shat­ters due to a mate­r­i­al flaw, and the bro­ken pieces dam­age the machine, cre­at­ing new, uncon­trolled, fail­ure con­di­tions in the machine.

Emer­gency stop sys­tems are man­u­al­ly trig­gered, and usu­al­ly infre­quent­ly used. The lack of use means that func­tion­al test­ing of the sys­tem doesn’t hap­pen in the nor­mal course of oper­a­tion of the machin­ery. Some types of faults may occur and remain unde­tect­ed until the sys­tem is actu­al­ly used, i.e., con­tact blocks falling off the back of the oper­a­tor device. Fail­ure at that point may be cat­a­stroph­ic, since by impli­ca­tion the pri­ma­ry safe­guards have already failed, and thus the fail­ure of the back­up elim­i­nates the pos­si­bil­i­ty of avoid­ing or lim­it­ing harm.

To under­stand the test­ing require­ments, it’s impor­tant to under­stand the risk and reli­a­bil­i­ty require­ments that dri­ve the design of emer­gency stop sys­tems, and then get into the test fre­quen­cy ques­tion.


In the past, there were no explic­it require­ments for emer­gency stop sys­tem reli­a­bil­i­ty. Details like the colour of the oper­a­tor device, or the way the stop func­tion worked were defined in ISO 13850 [3], NFPA 79 [4], and IEC 60204–1 [5]. In the soon-to-be pub­lished 3rd edi­tion of ISO 13850, a new pro­vi­sion requir­ing emer­gency stop sys­tems to meet at least PLc will be added [6], but until pub­li­ca­tion, it is up to the design­er to deter­mine the safe­ty integri­ty lev­el, either PL or SIL, required. To deter­mine the require­ments for any safe­ty func­tion, the key is to start at the risk assess­ment. The risk assess­ment process requires that the design­er under­stand the stage in the life cycle of the machine, the task(s) that will be done, and the spe­cif­ic haz­ards that a work­er may be exposed to while con­duct­ing the task. This can become quite com­plex when con­sid­er­ing main­te­nance and ser­vice tasks, and also applies to fore­see­able fail­ure modes of the machin­ery or the process. The scor­ing or rank­ing of risk can be accom­plished using any suit­able risk scor­ing tool that meets the min­i­mum require­ments in [1]. There are some good exam­ples giv­en in ISO/TR 14121–2 [7] if you are look­ing for some guid­ance. There are many good engi­neer­ing text­books avail­able as well. Have a look at our Book List for some sug­ges­tions if you want a deep­er dive.


Once the ini­tial unmit­i­gat­ed risk is under­stood, risk con­trol mea­sures can be spec­i­fied. Wher­ev­er the con­trol sys­tem is used as part of the risk con­trol mea­sure, a safe­ty func­tion must be spec­i­fied. Spec­i­fi­ca­tion of the safe­ty func­tion includes the Per­for­mance Lev­el (PL), archi­tec­tur­al cat­e­go­ry (B, 1–4), Mean Time to Dan­ger­ous Fail­ure (MTTFd), and Diag­nos­tic Cov­er­age (DC) [6], or Safe­ty Integri­ty Lev­el (SIL), and Hard­ware Fault Tol­er­ance (HFT), as described in IEC 62061 [8], as a min­i­mum. If you are unfa­mil­iar with these terms, see the def­i­n­i­tions at the end of the arti­cle.

Refer­ring to Fig­ure 1, the “Risk Graph” [6, Annex A], we can rea­son­ably state that for most machin­ery, a fail­ure mode or emer­gent con­di­tion is like­ly to cre­ate con­di­tions where the sever­i­ty of injury is like­ly to require more than basic first aid, so select­ing “S2″ is the first step. In these sit­u­a­tions, and par­tic­u­lar­ly where the fail­ure modes are not well under­stood, the high­est lev­el of sever­i­ty of injury, S2, is select­ed because we don’t have enough infor­ma­tion to expect that the injuries would only be minor. As soon as we make this selec­tion, it is no longer pos­si­ble to select any com­bi­na­tion of Fre­quen­cy or Prob­a­bil­i­ty para­me­ters that will result in any­thing low­er than PLc.

It’s impor­tant to under­stand that Fig­ure 1 is not a risk assess­ment tool, but rather a deci­sion tree used to select an appro­pri­ate PL based on the rel­e­vant risk para­me­ters. Those para­me­ters are:

Table 1 — Risk Para­me­ters
Sever­i­ty of Injury fre­quen­cy and/or expo­sure to haz­ard pos­si­bil­i­ty of avoid­ing haz­ard or lim­it­ing harm
S1 — slight (nor­mal­ly reversible injury) F1 — sel­dom-to-less-often and/or expo­sure time is short P1 — pos­si­ble under spe­cif­ic con­di­tions
S2 — seri­ous (nor­mal­ly irre­versible injury or death) F2 — fre­quent-to-con­tin­u­ous and/or expo­sure time is long P2 — scarce­ly pos­si­ble
Decision tree used to determine PL based on risk parameters.
Fig­ure 1 — “Risk Graph” for deter­min­ing PL

PLc can be accom­plished using any of three archi­tec­tures: Cat­e­go­ry 1, 2, or 3. If you are unsure about what these archi­tec­tures rep­re­sent, have a look at my series cov­er­ing this top­ic.

Cat­e­go­ry 1 is sin­gle chan­nel, and does not include any diag­nos­tics. A sin­gle fault can cause the loss of the safe­ty func­tion (i.e., the machine still runs even though the e-stop but­ton is pressed). Using Cat­e­go­ry 1, the reli­a­bil­i­ty of the design is based on the use of high­ly reli­able com­po­nents and well-tried safe­ty prin­ci­ples. This approach can fail to dan­ger.

Cat­e­go­ry 2 adds some diag­nos­tic capa­bil­i­ty to the basic sin­gle chan­nel con­fig­u­ra­tion and does not require the use of “well-tried” com­po­nents. This approach can also fail to dan­ger.

Cat­e­go­ry 3 archi­tec­ture adds a redun­dant chan­nel, and includes diag­nos­tic cov­er­age. Cat­e­go­ry 3 is not sub­ject to fail­ure due to sin­gle faults and is called “sin­gle-fault tol­er­ant”. This approach is less like­ly to fail to dan­ger, but still can in the pres­ence of mul­ti­ple, unde­tect­ed, faults.

A key con­cept in reli­a­bil­i­ty is the “fault”. This can be any kind of defect in hard­ware or soft­ware that results in unwant­ed behav­iour or a fail­ure. Faults are fur­ther bro­ken down into dan­ger­ous and safe faults, mean­ing those that result in a dan­ger­ous out­come, and those that do not. Final­ly, each of these class­es is bro­ken down into detectable and unde­tectable faults. I’m not going to get into the math­e­mat­i­cal treat­ment of these class­es, but my point is this: there are unde­tectable dan­ger­ous faults. These are faults that can­not be detect­ed by built-in diag­nos­tics. As design­ers, we try to design the con­trol sys­tem so that the unde­tectable dan­ger­ous faults are extreme­ly rare, ide­al­ly the prob­a­bil­i­ty should be much less than once in the life­time of the machine.

What is the life­time of the machine? The stan­dards writ­ers have set­tled on a default life­time of 20 years, thus the answer is that unde­tectable dan­ger­ous fail­ures should hap­pen much less than once in twen­ty years of 24/7/365 oper­a­tion. So why does this mat­ter? Each archi­tec­tur­al cat­e­go­ry has dif­fer­ent require­ments for test­ing. The test rates are dri­ven by the “Demand Rate”. The Demand Rate is defined in [6]. “SRP/CS” stands for “Safe­ty Relat­ed Part of the Con­trol Sys­tem” in the def­i­n­i­tion:

demand rate (rd) — fre­quen­cy of demands for a safe­ty-relat­ed action of the SRP/CS

Each time the emer­gency stop but­ton is pressed, a “demand” is put on the sys­tem. Look­ing at the “Sim­pli­fied Pro­ce­dure for esti­mat­ing PL”, [6, 4.5.4], we find that the stan­dard makes the fol­low­ing assump­tions:

  • mis­sion time, 20 years (see Clause 10);
  • con­stant fail­ure rates with­in the mis­sion time;
  • for cat­e­go­ry 2, demand rate <= 1/100 test rate;
  • for cat­e­go­ry 2, MTTFDTE larg­er than half of MTTFDL.

NOTE When blocks of each chan­nel can­not be sep­a­rat­ed, the fol­low­ing can be applied: MTTFD of the sum­ma­rized test chan­nel (TE, OTE) larg­er than half MTTFD of the sum­ma­rized func­tion­al chan­nel (I, L, O).

So what does all that mean? The 20-year mis­sion time is the assumed life­time of the machin­ery. This num­ber under­pins the rest of the cal­cu­la­tions in the stan­dard and is based on the idea that few mod­ern con­trol sys­tems last longer than 20 years with­out being replaced or rebuilt. The con­stant fail­ure rate points at the idea that sys­tems used in the field will have com­po­nents and con­trols that are not sub­ject to infant mor­tal­i­ty, nor are they old enough to start to fail due to age, but rather that the sys­tem is oper­at­ing in the flat por­tion of the stan­dard­ized fail­ure rate “bath­tub curve”, [9]. See Fig­ure 2. Com­po­nents that are sub­ject to infant mor­tal­i­ty failed at the fac­to­ry and were removed from the sup­ply chain. Those fail­ing from “wear-out” are expect­ed to reach that point after 20 years. If this is not the case, then the main­te­nance instruc­tions for the sys­tem should include pre­ven­ta­tive main­te­nance tasks that require replac­ing crit­i­cal com­po­nents before they reach the pre­dict­ed MTTFd.

Diagram of a standardized bathtub-shaped failure rate curve.
Fig­ure 2 — Weibull Bath­tub Curve [9]
For sys­tems using Cat­e­go­ry 2 archi­tec­ture, the auto­mat­ic diag­nos­tic test rate must be at least 100x the demand rate. Keep in mind that this test rate is nor­mal­ly accom­plished auto­mat­i­cal­ly in the design of the con­trols, and is only relat­ed to the detectable safe or dan­ger­ous faults. Unde­tectable faults must have a prob­a­bil­i­ty of less than once in 20 years, and should be detect­ed by the “proof test”. More on that a bit lat­er.

Final­ly, the MTTFD of the func­tion­al chan­nel must be at least twice that of the diag­nos­tic sys­tem.

Cat­e­go­ry 1 has no diag­nos­tics, so there is no guid­ance in [6] to help us out with these sys­tems. Cat­e­go­ry 3 is sin­gle fault tol­er­ant, so as long as we don’t have mul­ti­ple unde­tect­ed faults we can count on the sys­tem to func­tion and to alert us when a sin­gle fault occurs; remem­ber that the auto­mat­ic tests may not be able to detect every fault. This is where the “proof test” comes in. What is a proof test? To find a def­i­n­i­tion for the proof test, we have to look at IEC 61508–4 [10]:

proof test
peri­od­ic test per­formed to detect fail­ures in a safe­ty-relat­ed sys­tem so that, if nec­es­sary, the sys­tem can be restored to an “as new” con­di­tion or as close as prac­ti­cal to this con­di­tion

NOTE — The effec­tive­ness of the proof test will be depen­dent upon how close to the “as new” con­di­tion the sys­tem is restored. For the proof test to be ful­ly effec­tive, it will be nec­es­sary to detect 100% of all dan­ger­ous fail­ures. Although in prac­tice 100% is not eas­i­ly achieved for oth­er than low-com­plex­i­ty E/E/PE safe­ty-relat­ed sys­tems, this should be the tar­get. As a min­i­mum, all the safe­ty func­tions which are exe­cut­ed are checked accord­ing to the E/E/PES safe­ty require­ments spec­i­fi­ca­tion. If sep­a­rate chan­nels are used, these tests are done for each chan­nel sep­a­rate­ly.

The 20-year life cycle assump­tion used in the stan­dards also applies to proof test­ing. Machine con­trols are assumed to get at least one proof test in their life­time. The proof test should be designed to detect faults that the auto­mat­ic diag­nos­tics can­not detect. Proof tests are also con­duct­ed after major rebuilds and repairs to ensure that the sys­tem oper­ates cor­rect­ly.

If you know the archi­tec­ture of the emer­gency stop con­trol sys­tem, you can deter­mine the test rate based on the demand rate. It would be con­sid­er­ably eas­i­er if the stan­dards just gave us some min­i­mum test rates for the var­i­ous archi­tec­tures. One stan­dard, ISO 14119 [11] on inter­locks does just that. Admit­ted­ly, this stan­dard does not include emer­gency stop func­tions with­in its scope, as its focus is on inter­locks, but since inter­lock­ing sys­tems are more crit­i­cal than the com­ple­men­tary pro­tec­tive mea­sures that back them up, it would be rea­son­able to apply these same rules. Look­ing at the clause on Assess­ment of Faults, [9, 8.2], we find this guid­ance:

For appli­ca­tions using inter­lock­ing devices with auto­mat­ic mon­i­tor­ing to achieve the nec­es­sary diag­nos­tic cov­er­age for the required safe­ty per­for­mance, a func­tion­al test (see IEC 60204–1:2005, can be car­ried out every time the device changes its state, e.g. at every access. If, in such a case, there is only infre­quent access, the inter­lock­ing device shall be used with addi­tion­al mea­sures, because between con­sec­u­tive func­tion­al tests the prob­a­bil­i­ty of occur­rence of an unde­tect­ed fault is increased.

When a man­u­al func­tion­al test is nec­es­sary to detect a pos­si­ble accu­mu­la­tion of faults, it shall be made with­in the fol­low­ing test inter­vals:

  • at least every month for PLe with Cat­e­go­ry 3 or Cat­e­go­ry 4 (accord­ing to ISO 13849–1) or SIL 3 with HFT (hard­ware fault tol­er­ance) = 1 (accord­ing to IEC 62061);
  • at least every 12 months for PLd with Cat­e­go­ry 3 (accord­ing to ISO 13849–1) or SIL 2 with HFT (hard­ware fault tol­er­ance) = 1 (accord­ing to IEC 62061).

NOTE It is rec­om­mend­ed that the con­trol sys­tem of a machine demands these tests at the required inter­vals e.g. by visu­al dis­play unit or sig­nal lamp. The con­trol sys­tem should mon­i­tor the tests and stop the machine if the test is omit­ted or fails.

In the pre­ced­ing, HFT=1 is equiv­a­lent to say­ing that the sys­tem is sin­gle-fault tol­er­ant.

This leaves us then with rec­om­mend­ed test fre­quen­cies for Cat­e­go­ry 2 and 3 archi­tec­tures in PLc, PLd, and PLe, or for SIL 2 and 3 with HFT=1. We still don’t have a test fre­quen­cy for PLc, Cat­e­go­ry 1 sys­tems. There is no explic­it guid­ance for these sys­tems in the stan­dards. How can we deter­mine a test rate for these sys­tems?

My approach would be to start by exam­in­ing the MTTFd val­ues for all of the sub­sys­tems and com­po­nents. [6] requires that the sys­tem has HIGH MTTFd val­ue, mean­ing 30 years <= MTTFd <= 100 years [6, Table 5]. If this is the case, then the once-in-20-years proof test is the­o­ret­i­cal­ly enough. If the sys­tem is con­struct­ed, for exam­ple, as shown Fig­ure 2 below, then each com­po­nent would have to have an MTTFd > 120 years. See [6, Annex C] for this cal­cu­la­tion.

Basic Stop/Start Circuit
Fig­ure 2 — Basic Stop/Start Cir­cuit

PB1 — Emer­gency Stop But­ton

PB2 — Pow­er “ON” But­ton

MCR — Mas­ter Con­trol Relay

MOV — Surge Sup­pres­sor on MCR Coil

M1 — Machine prime mover (motor)

Note that the fus­es are not includ­ed, since they can only fail to safe­ty, and assum­ing that they were spec­i­fied cor­rect­ly in the orig­i­nal design, are not sub­ject to the same cycli­cal aging effects as the oth­er com­po­nents.

M1 is not includ­ed since it is the con­trolled por­tion of the machine and is not part of the con­trol sys­tem.

If a review of the com­po­nents of the sys­tem shows that any sin­gle com­po­nent falls below the tar­get MTTFD, then I would con­sid­er replac­ing the sys­tem with a high­er cat­e­go­ry design. Since most of these com­po­nents will be unlike­ly to have MTTFD val­ues on the spec sheet, you will like­ly have to con­vert from total life val­ues (B10). This is out­side the scope of this arti­cle, but you can find guid­ance in [6, Annex C]. More fre­quent test­ing, i.e., more than once in 20 years, is always accept­able.

Where man­u­al test­ing is required as part of the design for any cat­e­go­ry of sys­tem, and par­tic­u­lar­ly in Cat­e­go­ry 1 or 2 sys­tems, the con­trol sys­tem should alert the user to the require­ment and not per­mit the machine to oper­ate until the test is com­plet­ed. This will help to ensure that the req­ui­site tests are prop­er­ly com­plet­ed.

Need more infor­ma­tion? Leave a com­ment below, or send me an email with the details of your appli­ca­tion!


3.1.9 [8]
func­tion­al safe­ty
part of the over­all safe­ty relat­ing to the EUC and the EUC con­trol sys­tem which depends on the cor­rect func­tion­ing of the E/E/PE safe­ty-relat­ed sys­tems, oth­er tech­nol­o­gy safe­ty-relat­ed sys­tems and exter­nal risk reduc­tion facil­i­ties
3.2.6 [8]
electrical/electronic/programmable elec­tron­ic (E/E/PE)
based on elec­tri­cal (E) and/or elec­tron­ic (E) and/or pro­gram­ma­ble elec­tron­ic (PE) tech­nol­o­gy

NOTE — The term is intend­ed to cov­er any and all devices or sys­tems oper­at­ing on elec­tri­cal prin­ci­ples.

EXAMPLE Electrical/electronic/programmable elec­tron­ic devices include

  • electro­mechan­i­cal devices (elec­tri­cal);
  • sol­id-state non-pro­gram­ma­ble elec­tron­ic devices (elec­tron­ic);
  • elec­tron­ic devices based on com­put­er tech­nol­o­gy (pro­gram­ma­ble elec­tron­ic); see 3.2.5
3.5.1 [8]
safe­ty func­tion
func­tion to be imple­ment­ed by an E/E/PE safe­ty-relat­ed sys­tem, oth­er tech­nol­o­gy safe­ty-relat­ed sys­tem or exter­nal risk reduc­tion facil­i­ties, which is intend­ed to achieve or main­tain a safe state for the EUC, in respect of a spe­cif­ic haz­ardous event (see 3.4.1)
3.5.2 [8]
safe­ty integri­ty
prob­a­bil­i­ty of a safe­ty-relat­ed sys­tem sat­is­fac­to­ri­ly per­form­ing the required safe­ty func­tions under all the stat­ed con­di­tions with­in a stat­ed peri­od of time
NOTE 1 — The high­er the lev­el of safe­ty integri­ty of the safe­ty-relat­ed sys­tems, the low­er the prob­a­bil­i­ty that the safe­ty-relat­ed sys­tems will fail to car­ry out the required safe­ty func­tions.
NOTE 2 — There are four lev­els of safe­ty integri­ty for sys­tems (see 3.5.6).
3.5.6 [8]
safe­ty integri­ty lev­el (SIL)
dis­crete lev­el (one out of a pos­si­ble four) for spec­i­fy­ing the safe­ty integri­ty require­ments of the safe­ty func­tions to be allo­cat­ed to the E/E/PE safe­ty-relat­ed sys­tems, where safe­ty integri­ty lev­el 4 has the high­est lev­el of safe­ty integri­ty and safe­ty integri­ty lev­el 1 has the low­est
NOTE — The tar­get fail­ure mea­sures (see 3.5.13) for the four safe­ty integri­ty lev­els are spec­i­fied in tables 2 and 3 of IEC 61508–1.
3.6.3 [8]
fault tol­er­ance
abil­i­ty of a func­tion­al unit to con­tin­ue to per­form a required func­tion in the pres­ence of faults or errors
NOTE — The def­i­n­i­tion in IEV 191–15-05 refers only to sub-item faults. See the note for the term fault in 3.6.1.
[ISO/IEC 2382–14-04–061]
3.1.1 [6]
safety–related part of a con­trol sys­tem (SRP/CS)
part of a con­trol sys­tem that responds to safe­ty-relat­ed input sig­nals and gen­er­ates safe­ty-relat­ed out­put sig­nals
NOTE 1 The com­bined safe­ty-relat­ed parts of a con­trol sys­tem start at the point where the safe­ty-relat­ed input sig­nals are ini­ti­at­ed (includ­ing, for exam­ple, the actu­at­ing cam and the roller of the posi­tion switch) and end at the out­put of the pow­er con­trol ele­ments (includ­ing, for exam­ple, the main con­tacts of a con­tac­tor).
NOTE 2 If mon­i­tor­ing sys­tems are used for diag­nos­tics, they are also con­sid­ered as SRP/CS.
3.1.2 [6]
clas­si­fi­ca­tion of the safe­ty-relat­ed parts of a con­trol sys­tem in respect of their resis­tance to faults and their sub­se­quent behav­iour in the fault con­di­tion, and which is achieved by the struc­tur­al arrange­ment of the parts, fault detec­tion and/or by their reli­a­bil­i­ty
3.1.3 [6]
state of an item char­ac­ter­ized by the inabil­i­ty to per­form a required func­tion, exclud­ing the inabil­i­ty dur­ing pre­ven­tive main­te­nance or oth­er planned actions, or due to lack of exter­nal resources

NOTE 1 A fault is often the result of a fail­ure of the item itself, but may exist with­out pri­or fail­ure.
[IEC 60050–191:1990, 05–01]

NOTE 2 In this part of ISO 13849, “fault” means ran­dom fault.

3.1.4 [6]
ter­mi­na­tion of the abil­i­ty of an item to per­form a required func­tion

NOTE 1 After a fail­ure, the item has a fault.

NOTE 2 “Fail­ure” is an event, as dis­tin­guished from “fault”, which is a state.

NOTE 3 The con­cept as defined does not apply to items con­sist­ing of soft­ware only.
[IEC 60050–191:1990, 04–01]

NOTE 4 Fail­ures which only affect the avail­abil­i­ty of the process under con­trol are out­side of the scope of this part of ISO 13849.

3.1.5 [6]
dan­ger­ous fail­ure
fail­ure which has the poten­tial to put the SRP/CS in a haz­ardous or fail-to-func­tion state

NOTE 1 Whether or not the poten­tial is real­ized can depend on the chan­nel archi­tec­ture of the sys­tem; in redun­dant sys­tems, a dan­ger­ous hard­ware fail­ure is less like­ly to lead to the over­all dan­ger­ous or fail-to-func­tion state.

NOTE 2 Adapt­ed from IEC 61508–4:1998, def­i­n­i­tion 3.6.7.

3.1.20 [6]
safe­ty func­tion
func­tion of the machine whose fail­ure can result in an imme­di­ate increase of the risk(s)
[ISO 12100–1:2003, 3.28]
3.1.21 [6]
safe­ty func­tion which ensures that a pro­tec­tive mea­sure is ini­ti­at­ed if the abil­i­ty of a com­po­nent or an ele­ment to per­form its func­tion is dimin­ished or if the process con­di­tions are changed in such a way that a decrease of the amount of risk reduc­tion is gen­er­at­ed
3.1.22 [6]
pro­gram­ma­ble elec­tron­ic sys­tem (PES)
sys­tem for con­trol, pro­tec­tion or mon­i­tor­ing depen­dent for its oper­a­tion on one or more pro­gram­ma­ble elec­tron­ic devices, includ­ing all ele­ments of the sys­tem such as pow­er sup­plies, sen­sors and oth­er input devices, con­tac­tors and oth­er out­put devices

NOTE Adapt­ed from IEC 61508–4:1998, def­i­n­i­tion 3.3.2.

3.1.23 [6]
per­for­mance lev­el (PL)
dis­crete lev­el used to spec­i­fy the abil­i­ty of safe­ty-relat­ed parts of con­trol sys­tems to per­form a safe­ty func­tion under fore­see­able con­di­tions

NOTE See 4.5.1.

3.1.25 [6]
mean time to dan­ger­ous fail­ure (MTTFd)
expec­ta­tion of the mean time to dan­ger­ous fail­ure

NOTE Adapt­ed from IEC 62061:2005, def­i­n­i­tion 3.2.34.

3.1.26 [6]
diag­nos­tic cov­er­age (DC)
mea­sure of the effec­tive­ness of diag­nos­tics, which may be deter­mined as the ratio between the fail­ure rate of detect­ed dan­ger­ous fail­ures and the fail­ure rate of total dan­ger­ous fail­ures

NOTE 1 Diag­nos­tic cov­er­age can exist for the whole or parts of a safe­ty-relat­ed sys­tem. For exam­ple, diag­nos­tic cov­er­age could exist for sen­sors and/or log­ic sys­tem and/or final ele­ments.

NOTE 2 Adapt­ed from IEC 61508–4:1998, def­i­n­i­tion 3.8.6.

3.1.33 [6]
safe­ty integri­ty lev­el (SIL)
dis­crete lev­el (one out of a pos­si­ble four) for spec­i­fy­ing the safe­ty integri­ty require­ments of the safe­ty func­tions to be allo­cat­ed to the E/E/PE safe­ty-relat­ed sys­tems, where safe­ty integri­ty lev­el 4 has the high­est lev­el of safe­ty integri­ty and safe­ty integri­ty lev­el 1 has the low­est
[IEC 61508–4:1998, 3.5.6]


Thanks to my col­leagues Derek Jones and Jonathan John­son, both from Rock­well Automa­tion, and mem­bers of ISO TC199. Their sug­ges­tion to ref­er­ence ISO 14119 clause 8.2 was the seed for this arti­cle.

I’d also like to acknowl­edge Ronald Sykes, Howard Tou­s­ki, Mirela Moga, Michael Roland, and Grant Rid­er for ask­ing the ques­tions that lead to this arti­cle.


[1]     Safe­ty of machin­ery — Gen­er­al prin­ci­ples for design — Risk assess­ment and risk reduc­tion. ISO 12100. Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion (ISO). Gene­va 2010.

[2]    Safe­guard­ing of Machin­ery. CSA Z432. Cana­di­an Stan­dards Asso­ci­a­tion. Toron­to. 2004.

[3]    Safe­ty of machin­ery – Emer­gency stop – Prin­ci­ples for design. ISO 13850. Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion (ISO). Gene­va 2006.

[4]    Elec­tri­cal Stan­dard for Indus­tri­al Machin­ery. NFPA 79. Nation­al Fire Pro­tec­tion Asso­ci­a­tion (NFPA). Bat­tery­march Park. 2015

[5]    Safe­ty of machin­ery – Elec­tri­cal equip­ment of machines – Part 1: Gen­er­al require­ments. IEC 60204–1. Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion (IEC). Gene­va. 2009.

[6]    Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design.  ISO 13849–1. Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion (ISO). Gene­va. 2006.

[7]    Safe­ty of machin­ery — Risk assess­ment — Part 2: Prac­ti­cal guid­ance and exam­ples of meth­ods. ISO/TR 14121–2. Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion (ISO). Gene­va. 2012.

[8]   Safe­ty of machin­ery – Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems. IEC 62061. Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion (IEC). Gene­va. 2005.

[9]    D. J. Wilkins (2002, Novem­ber). “The Bath­tub Curve and Prod­uct Fail­ure Behav­ior. Part One — The Bath­tub Curve, Infant Mor­tal­i­ty and Burn-in”. Reli­a­bil­i­ty Hot­line [Online]. Avail­able: http://www.weibull.com/hotwire/issue21/hottopics21.htm. [Accessed: 26-Apr-2015].

[10] Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems — Part 4: Def­i­n­i­tions and abbre­vi­a­tions. IEC 61508–4. Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion (IEC). Gene­va. 1998.

[11] Safe­ty of machin­ery — Inter­lock­ing devices asso­ci­at­ed with guards — Prin­ci­ples for design and selec­tion. ISO 14119. Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion (ISO). Gene­va. 2013.

Sources for Standards


Cana­di­an Stan­dards Asso­ci­a­tion sells CSA, ISO and IEC stan­dards to the Cana­di­an Mar­ket.


ANSI offers stan­dards from most US Stan­dards Devel­op­ment Orga­ni­za­tions. They also sell ISO and IEC stan­dards into the US mar­ket.


Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion (ISO).

Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion (IEC).


Each EU mem­ber state has their own stan­dards body. For rea­sons unknown to me, each stan­dards body can set their own pric­ing for the doc­u­ments they sell. All offer Eng­lish lan­guage copies, in addi­tion to copies in the offi­cial language(s) of the mem­ber state. My best advice is to shop around a bit. Prices can vary by as much as 10:1.

British Stan­dards Insti­tute (BSi) $$$

Dan­ish Stan­dards (DS) $

Eston­ian Stan­dards (EVS) $

Ger­man stan­dards (DIN) — Beuth Ver­lag GmbH