Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles (ISO 12100-2:2003)

ISO 12100-2:2003 defines technical principles to help designers in achieving safety in the design of machinery.
It does not deal with damage to domestic animals, property or the environment.

Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles (ISO 12100-2:2003)

This standard defines technical principles to help designers design safe machinery.
ISO 12100-2 is intended to be used together with ISO 12100-1 when considering the solution to a specific problem. The two parts of ISO 12100 can be used independently of other documents or as a basis for the preparation of other type-A, type-B or type-C standards.
This standard does not deal with damage to domestic animals, property or the environment.

Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles (ISO 12100-2:2003)

ISO 12100-2:2003 defines technical principles intended to help designers integrate safety into the design of machinery.
This standard does not deal with damage to domestic animals, property or the environment.

Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles (ISO 12100-2:2003)

This standard defines technical principles to help designers achieve safety in the design of machinery. ISO 12100-2 is intended to be used together with ISO 12100-1 when considering the solution to a specific problem. The two parts of ISO 12100 can be used separately from other documents or as a basis for the preparation of other type-A, type-B or type-C standards. This standard does not deal with damage to domestic animals, property or the environment.

General Information

Status: Withdrawn
Publication Date: 31-Oct-2003
Withdrawal Date: 31-Oct-2010
Current Stage: 9960 - Withdrawal effective - Withdrawal
Start Date: 01-Nov-2010
Completion Date: 01-Nov-2010

Relations

Effective Date: 22-Dec-2008
Effective Date: 22-Dec-2008
Effective Date: 13-Nov-2010
Effective Date: 08-Jun-2022

Frequently Asked Questions

EN ISO 12100-2:2003 is a standard published by the European Committee for Standardization (CEN). Its full title is "Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles (ISO 12100-2:2003)". This standard covers: ISO 12100-2:2003 defines technical principles to help designers in achieving safety in the design of machinery. It does not deal with damage to domestic animals, property or the environment.


EN ISO 12100-2:2003 is classified under the following ICS (International Classification for Standards) categories: 01.040.13 - Environment. Health protection. Safety (Vocabularies); 13.110 - Safety of machinery. The ICS classification helps identify the subject area and facilitates finding related standards.

EN ISO 12100-2:2003 has the following relationships with other standards: it has inter-standard links to EN 292-2:1991/A1:1995, EN 292-2:1991, EN ISO 12100:2010 and EN ISO 12100-2:2003/A1:2009. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

EN ISO 12100-2:2003 is associated with the following European legislation: EU Directives/Regulations: 2006/42/EC, 98/37/EC; Standardization Mandates: M/079, M/396. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.


Standards Content (Sample)


SLOVENIAN STANDARD SIST EN ISO 12100-2:2004
June 2004
Safety of machinery - Basic concepts, general principles for design - Part 2:
Technical principles (ISO 12100-2:2003)
ICS 01.040.13; 13.110
EUROPEAN STANDARD
EN ISO 12100-2
NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2003
ICS 01.040.13; 13.110
Supersedes EN 292-2:1991
English version
Safety of machinery - Basic concepts, general principles for
design - Part 2: Technical principles (ISO 12100-2:2003)
Sécurité des machines - Notions fondamentales, principes généraux de conception - Partie 2: Principes techniques (ISO 12100-2:2003)
Sicherheit von Machinen - Grundbegriffe, allgemeine Gestaltungsleitsätze - Teil 2: Technische Leitsätze (ISO 12100-2:2003)
This European Standard was approved by CEN on 9 June 2003.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the official
versions.
CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2003 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO 12100-2:2003 E

CORRECTED 2003-12-17
Foreword
This document (EN ISO 12100-2:2003) has been prepared by Technical Committee ISO/TC 199
"Safety of machinery" in collaboration with Technical Committee CEN/TC 114 "Safety of
machinery", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of
an identical text or by endorsement, at the latest by May 2004, and conflicting national standards
shall be withdrawn at the latest by May 2004.
This document supersedes EN 292-2:1991.
This document has been prepared under a mandate given to CEN by the European Commission
and the European Free Trade Association, and supports essential requirements of EU
Directive(s).
For relationship with EU Directive(s), see informative Annex ZB, which is an integral part of this
document.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of
the following countries are bound to implement this European Standard: Austria, Belgium, Czech
Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and
the United Kingdom.
Endorsement notice
The text of ISO 12100-2:2003 has been approved by CEN as EN ISO 12100-2:2003 without any
modifications.
NOTE Normative references to International Standards are listed in Annex ZA (normative).
Annex ZA
(normative)
Normative references to international publications
with their relevant European publications
This European Standard incorporates by dated or undated reference, provisions from other
publications. These normative references are cited at the appropriate places in the text and the
publications are listed hereafter. For dated references, subsequent amendments to or revisions of
any of these publications apply to this European Standard only when incorporated in it by
amendment or revision. For undated references the latest edition of the publication referred to
applies (including amendments).
NOTE Where an International Publication has been modified by common modifications, indicated
by (mod.), the relevant EN/HD applies.
Publication | Year | Title | EN | Year
ISO 12100-1 | 2003 | Safety of machinery - Basic concepts, general principles for design - Part 1: Basic terminology, methodology | EN ISO 12100-1 | 2003
Annex ZB
(informative)
Relationship of this document with EC Directives
This document has been prepared under a mandate given to CEN by the European Commission
and the European Free Trade Association and supports essential requirements of EC
Directive(s):
Machinery Directive 98/37/EC, amended by Directive 98/79/EC.
Compliance with this document provides one means of conforming with the specific essential
requirements of the Directive concerned and associated EFTA regulations.
WARNING: Other requirements and other EC Directives may be applicable to the product(s)
falling within the scope of this document.
INTERNATIONAL STANDARD ISO 12100-2
First edition
2003-11-01
Safety of machinery — Basic concepts,
general principles for design —
Part 2:
Technical principles
Sécurité des machines — Notions fondamentales, principes généraux
de conception —
Partie 2: Principes techniques

Reference number
ISO 12100-2:2003(E)
© ISO 2003

©  ISO 2003
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Inherently safe design measures
4.1 General
4.2 Consideration of geometrical factors and physical aspects
4.3 Taking into account the general technical knowledge regarding machine design
4.4 Choice of an appropriate technology
4.5 Applying the principle of the positive mechanical action of a component on another component
4.6 Provisions for stability
4.7 Provisions for maintainability
4.8 Observing ergonomic principles
4.9 Preventing electrical hazard
4.10 Preventing hazards from pneumatic and hydraulic equipment
4.11 Applying inherently safe design measures to control system
4.12 Minimizing the probability of failure of safety functions
4.13 Limiting exposure to hazards through reliability of equipment
4.14 Limiting exposure to hazards through mechanization or automation of loading (feeding) / unloading (removal) operations
4.15 Limiting exposure to hazards through location of the setting and maintenance points outside of danger zones
5 Safeguarding and complementary protective measures
5.1 General
5.2 Selection and implementation of guards and protective devices
5.3 Requirements for the design of guards and protective devices
5.4 Safeguarding for reducing emissions
5.5 Complementary protective measures
6 Information for use
6.1 General requirements
6.2 Location and nature of the information for use
6.3 Signals and warning devices
6.4 Markings, signs (pictograms), written warnings
6.5 Accompanying documents (in particular, instruction handbook)
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 12100-2 was prepared by Technical Committee ISO/TC 199, Safety of machinery.
This edition cancels and replaces ISO/TR 12100-2:1992, which has been technically revised.
ISO 12100 consists of the following parts, under the general title Safety of machinery — Basic concepts,
general principles for design:
- Part 1: Basic terminology, methodology, expressing the basic overall methodology to be followed when
  designing machinery and when producing safety standards for machinery, together with the basic
  terminology related to the philosophy underlying this work;
- Part 2: Technical principles, giving advice on how this philosophy can be applied using available
  techniques.
Introduction
The primary purpose of ISO 12100 is to provide designers with an overall framework and guidance to enable
them to produce machines that are safe for their intended use. It also provides a strategy for standard makers.
The concept of safety of machinery considers the ability of a machine to perform its intended function(s)
during its lifecycle where risk has been adequately reduced.
This standard is the basis for a set of standards which has the following structure:
- type-A standards (basic safety standards) giving basic concepts, principles for design, and general
  aspects that can be applied to all machinery;
- type-B standards (generic safety standards) dealing with one safety aspect or one type of safeguard that
  can be used across a wide range of machinery:
  - type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
  - type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive
    devices, guards);
- type-C standards (machine safety standards) dealing with detailed safety requirements for a particular
  machine or group of machines.
This standard is a type-A standard.
The subject of numerous clauses or subclauses of this standard is also dealt with, in a more detailed manner,
in other type-A or B standards.
When a type-C standard deviates from one or more provisions dealt with by Part 2 of this standard or by a
type-B standard, the type-C standard takes precedence.
It is recommended that this standard be incorporated in training courses and manuals to convey basic
terminology and general design methods to designers.
INTERNATIONAL STANDARD ISO 12100-2:2003(E)

Safety of machinery — Basic concepts, general principles for
design — Part 2: Technical principles
1 Scope
This standard defines technical principles to help designers in achieving safety in the design of machinery.
ISO 12100-2 is intended to be used together with ISO 12100-1 when considering the solution to a specific
problem. The two parts of ISO 12100 can be used independently of other documents or as a basis for the
preparation of other type-A standards or type-B or -C standards.
This standard does not deal with damage to domestic animals, property or the environment.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
IEC 60204-1:1997, Safety of machinery – Electrical equipment of machines – Part 1: General requirements.
ISO 12100-1:2003, Safety of machinery – Basic concepts, general principles for design – Basic terminology,
methodology.
3 Terms and definitions
For the purposes of this International Standard, the terms and definitions given in ISO 12100-1:2003 apply.
4 Inherently safe design measures
4.1 General
Inherently safe design measures are the first and most important step in the risk reduction process because
protective measures inherent to the characteristics of the machine are likely to remain effective, whereas
experience has shown that even well-designed safeguarding may fail or be violated and information for use
may not be followed.
Inherently safe design measures are achieved by avoiding hazards or reducing risks by a suitable choice of
design features of the machine itself and/or interaction between the exposed persons and the machine.
NOTE Clause 5 gives safeguarding and complementary measures to achieve the risk reduction objectives where
inherently safe design measures are not sufficient (see 3-step method in ISO 12100-1:2003, clause 5).
4.2 Consideration of geometrical factors and physical aspects
4.2.1 Geometrical factors
Such factors can be, e.g.:
- designing the shape of machinery to maximise direct visibility of the working areas and hazard zones
  from the control position, e.g. reducing blind spots, and choosing and locating means of indirect vision
  where necessary (e.g. mirrors) so as to take into account the characteristics of human vision, particularly
  when safe operation requires permanent direct control by the operator, e.g.:
  - the travelling and working area of mobile machines;
  - the zone of movement of lifted loads or of the carrier of machinery for lifting persons;
  - the area of contact of the tool of a hand-held or hand-guided machine with the material being worked;
  The design of the machine shall be such that, from the main control position, the operator is able to
  ensure that there are no exposed persons in the danger zones.
- the shape and the relative location of the mechanical component parts; for instance, crushing and
  shearing hazards are avoided by increasing the minimum gap between the moving parts, such that the
  part of the body under consideration can enter the gap safely, or by reducing the gap so that no part of
  the body can enter it (see ISO 13852, ISO 13853, ISO 13854);
- avoiding sharp edges and corners, protruding parts. In so far as their purpose allows, accessible parts of
  the machinery shall have no sharp edges, no sharp angles, no rough surfaces, no protruding parts likely to
  cause injury, and no openings which may "trap" parts of the body or clothing. In particular, sheet metal edges
  shall be deburred, flanged or trimmed, open ends of tubes which may cause a "trap" shall be capped;
- designing the shape of the machine to achieve a proper working position and accessibility of manual controls
  (actuators).
4.2.2 Physical aspects
Such aspects can be, e.g.:
- limiting the actuating force to a sufficiently low value so that the actuated part does not generate a
  mechanical hazard;
- limiting the mass and/or velocity of the movable elements, and hence their kinetic energy;
- limiting the emissions by acting on the characteristics of the source:
  - measures for reducing noise emission at source (see ISO/TR 11688-1);
  - measures for reducing the emission of vibration at source include e.g. redistribution or addition of
    mass and change of process parameters, e.g. frequency and/or amplitude of movements (for
    hand-held and hand-guided machinery, see CR 1030-1);
  - measures for reducing the emission of hazardous substances include e.g. use of less hazardous
    substances or use of dust reducing processes;
  - measures for reducing radiation emissions include e.g. avoiding the use of hazardous radiation
    sources, limiting the power of radiation to the lowest level sufficient for the proper functioning of the
    machine, designing the source so that the beam is concentrated on the target, increasing the
    distance between the source and the operator or providing for remote operation of the machinery.
  - measures for the reduction of emission of non-ionizing radiation are given in 5.4.5 (see also
    EN 12198-1 and –3).
4.3 Taking into account the general technical knowledge regarding machine design
This general technical knowledge can be derived from technical specifications for design (e.g. standards,
design codes, calculation rules). These should be used to cover:
a) mechanical stresses, e.g.:
  - stress limitation by implementation of correct calculation, construction and fastening methods as
    regards, e.g. bolted assemblies, welded assemblies;
  - stress limitation by overload prevention (e.g. "fusible" plugs, pressure-limiting valves, breakage
    points, torque-limiting devices);
  - avoiding fatigue in elements under variable stresses (notably cyclic stresses);
  - static and dynamic balancing of rotating elements;
b) materials and their properties, e.g.:
  - resistance to corrosion, ageing, abrasion and wear;
  - hardness, ductility, brittleness;
  - homogeneity;
  - toxicity;
  - flammability.
c) emission values for:
  - noise;
  - vibration;
  - hazardous substances;
  - radiation.
When the reliability of particular components or assemblies is critical for safety (e.g. ropes, chains, lifting
accessories for lifting loads or persons), stress values shall be multiplied by appropriate working coefficients.
4.4 Choice of an appropriate technology
One or more hazards can be eliminated or risks reduced by the choice of the technology to be used in certain
applications, e.g.:
a) on machines intended for use in explosive atmospheres:
  - fully pneumatic or hydraulic control system and machine actuators;
  - "intrinsically safe" electrical equipment (see EN 50020);
b) for particular products to be processed such as a solvent: equipment assuring that the temperature will
remain far below the flash point.
c) alternative equipment to avoid high noise level, e.g.:
  - electrical instead of pneumatic equipment;
  - in certain conditions, water cutting instead of mechanical equipment.
4.5 Applying the principle of the positive mechanical action of a component on another
component
If a moving mechanical component inevitably moves another component along with it, either by direct contact
or via rigid elements, these components are connected in the positive mode. An example of this is positive
opening operation of switching devices in an electrical circuit (see IEC 60947-5-1 and ISO 14119:1998, 5.7).
NOTE Where a mechanical component moves and thus allows another one to move freely (e.g. by gravity, by spring
force), there is no positive mechanical action of the first one on the other one.
4.6 Provisions for stability
Machines shall be designed to have sufficient stability to allow them to be used safely in their specified
conditions of use.
Factors to be taken into account include:
- geometry of the base;
- weight distribution, including loading;
- dynamic forces due to movements of parts of the machine, of the machine itself, or of elements held by
  the machine which may result in an overturning moment;
- vibration;
- oscillations of the centre of gravity;
- characteristics of the supporting surface in case of travelling or installation on different sites (e.g. ground
  conditions, slope);
- external forces (e.g. wind pressure, manual forces).
Stability shall be considered in all phases of the life of the machine, including handling, travelling, installation,
use, de-commissioning and dismantling.
Other protective measures for stability relevant to safeguarding are given in 5.2.6.
4.7 Provisions for maintainability
When designing a machine, the following maintainability factors shall be taken into account:
- accessibility, taking into account the environment and the human body measurements, including the
  dimensions of the working clothes and tools used;
- ease of handling, taking into account human capabilities;
- limitation of the number of special tools and equipment.
4.8 Observing ergonomic principles
4.8.1 Ergonomic principles shall be taken into account in designing machinery to reduce mental or physical
stress and strain of the operator. These principles shall be considered when allocating functions to operator
and machine (degree of automation) in the basic design.
NOTE It also improves the performance and reliability of the operation and hence it reduces the probability of errors
at all stages of machine use.
Account shall be taken of body sizes likely to be found in the intended user population, strengths and postures,
movement amplitudes, frequency of cyclic actions (see ISO 10075 and ISO 10075-2).
All elements of the "operator-machine" interface such as controls, signalling or data display elements, shall be
designed to be easily understood so that clear and unambiguous interaction between the operator and the
machine is possible.
(See EN 614-1, ISO 6385, EN 13861 and IEC 61310-1).
Designers' attention is especially drawn to the following ergonomic aspects of machine design:
4.8.2 Avoiding stressful postures and movements during use of the machine (e.g. by providing facilities to
adjust the machine to suit the various operators).
4.8.3 Designing machines, and more especially hand-held and mobile machines to enable them to be
operated easily taking into account human effort, actuation of controls and hand, arm and leg anatomy.
4.8.4 Avoiding as far as possible noise, vibration, thermal effects (e.g. extreme temperatures).
4.8.5 Avoiding linking the operator's working rhythm to an automatic succession of cycles.
4.8.6 Providing local lighting on or in the machine for the illumination of the working area and of adjusting,
setting-up, and frequent maintenance zones when the design features of the machine and/or its guards render
the ambient lighting inadequate. Flicker, dazzling, shadows and stroboscopic effects shall be avoided if they
can cause a risk. If the position of the lighting source has to be adjusted, its location shall be such that it does
not cause any risk to persons making the adjustment.
4.8.7 Selecting, locating and identifying manual controls (actuators) so that:
- they are clearly visible and identifiable and appropriately marked where necessary (see 5.4);
- they can be safely operated without hesitation or loss of time and without ambiguity (e.g. a standard
  layout of controls reduces the possibility of error when an operator changes from a machine to another
  one of similar type having the same pattern of operation);
- their location (for push-buttons) and their movement (for levers and handwheels) are consistent with their
  effect (see IEC 61310-3);
- their operation cannot cause additional risk.
See also EN 894-3.
Where a control is designed and constructed to perform several different actions, namely where there is no
one-to-one correspondence (e.g. keyboards), the action to be performed shall be clearly displayed and
subject to confirmation where necessary.
Controls shall be so arranged that their layout, travel and resistance to operation are compatible with the
action to be performed, taking account of ergonomic principles. Constraints due to the necessary or
foreseeable use of personal protective equipment (such as footwear, gloves) shall be taken into account.
4.8.8 Selecting, designing and locating indicators, dials and visual display units so that:
- they fit within the parameters and characteristics of human perception;
- information displayed can be detected, identified and interpreted conveniently, i.e. long lasting, distinct,
  unambiguous and understandable with respect to the operator’s requirements and the intended use;
- the operator is able to perceive them from the control position.
4.9 Preventing electrical hazard
For the design of the electrical equipment of machines IEC 60204-1:1997 gives general provisions, especially
in clause 6 for protection against electric shock. For requirements related to specific machines, see
corresponding IEC standards (e.g. series of IEC 61029, IEC 60745, IEC 60335).
4.10 Preventing hazards from pneumatic and hydraulic equipment
Pneumatic and hydraulic equipment of machinery shall be designed so that:
- the maximum rated pressure cannot be exceeded in the circuits (e.g. by means of pressure limiting
  devices);
- no hazard results from pressure surges or rises, pressure losses or drops or losses of vacuum;
- no hazardous fluid jet or sudden hazardous movement of the hose (whiplash) results from leakage or
  component failures;
- air receivers, air reservoirs or similar vessels (e.g. in gas loaded accumulators) comply with the design
  rules for these elements;
- all elements of the equipment, and especially pipes and hoses, be protected against harmful external
  effects;
- as far as possible, reservoirs and similar vessels (e.g. in gas loaded accumulators) are automatically
  depressurized when isolating the machine from its power supply (see 5.5.4) and, if it is not possible,
  means are provided for their isolation, local depressurizing and pressure indication (see also
  ISO 14118:2000, clause 5);
- all elements which remain under pressure after isolation of the machine from its power supply be
  provided with clearly identified exhaust devices, and a warning label drawing attention to the necessity of
  depressurizing those elements before any setting or maintenance activity on the machine.
See also ISO 4413 and ISO 4414.
4.11 Applying inherently safe design measures to control system
4.11.1 General
The design measures of the control system shall be chosen so that their safety-related performance provides
a sufficient amount of risk reduction (see ISO 13849-1).
The correct design of machine control systems can avoid unforeseen and potentially hazardous machine
behaviour.
Typical causes of hazardous machine behaviour are:
- an unsuitable design or modification (accidental or deliberate) of the control system logic;
- a temporary or permanent defect or a failure of one or several components of the control system;
- a variation or a failure in the power supply of the control system;
- inappropriate selection, design and location of the control devices.
Typical examples of hazardous machine behaviour are:
- unintended / unexpected start-up (see ISO 14118);
- uncontrolled speed change;
- failure to stop moving parts;
- dropping or ejection of a mobile part of the machine or of a workpiece clamped by the machine;
- machine action resulting from inhibition (defeating or failure) of protective devices.
In order to prevent hazardous machine behaviour and to achieve safety functions, the design of control
systems shall comply with the principles and methods presented in this subclause 4.11 and in 4.12. These
principles and methods shall be applied singly or in combination as appropriate to the circumstances (see
ISO 13849-1 and IEC 60204-1:1997, clauses 9 to 12).
Control systems shall be designed to enable the operator to interact with the machine safely and easily; this
requires one or several of the following solutions:
- systematic analysis of start and stop conditions;
- provision for specific operating modes (e.g. start-up after normal stop, restart after cycle interruption or
after emergency stop, removal of the workpieces contained in the machine, operation of a part of the
machine in case of a failure of a machine element);
- clear display of the faults;
- measures to prevent accidental generation of unexpected start commands (e.g. shrouded start device)
likely to cause dangerous machine behaviour (see ISO 14118:2000, figure 1);
- maintained stop commands (e.g. interlock) to prevent restarting that could result in dangerous machine
behaviour (see ISO 14118:2000, figure 1).
An assembly of machines may be divided into several zones for emergency stopping, for stopping as a result
of protective devices and/or for isolation and energy dissipation. The different zones shall be clearly defined
and it shall be obvious which parts of the machine belong to which zone. Likewise it shall be obvious which
control devices (e.g. emergency stop devices, supply disconnecting devices) and/or protective devices belong
to which zone. The interfaces between zones shall be designed such that no function in one zone creates
hazards in another zone which has been stopped for an intervention.
Control systems shall be designed to limit the movements of parts of the machinery, the machine itself, or
workpieces and/or loads held by the machinery, to the safe design parameters (e.g. range, speed,
acceleration, deceleration, load capacity). Allowance shall be made for dynamic effects (e.g. the swinging of
loads).
For example:
- the travelling speed of mobile pedestrian controlled machinery other than remote-controlled shall be
compatible with walking speed;
- the range, speed, acceleration and deceleration of movements of the person-carrier and carrying vehicle
for lifting persons shall be limited to non-hazardous values, taking into account the total reaction time of
the operator and the machine;
- the range of movements of parts of machinery for lifting loads shall be kept within specified limits.
When machinery is designed to use synchronously different elements which can also be used independently,
the control system shall be designed to prevent risks due to lack of synchronization.
4.11.2 Starting of an internal power source/switching on an external power supply
Starting of an internal power source or switching on an external power supply shall not result in starting of
working parts (e.g. starting the internal combustion engine shall not lead to movement of a mobile machine,
connection to mains electricity supply shall not result in starting of working parts of an electrical machine; see
IEC 60204-1:1997, 7.5).
4.11.3 Starting/stopping of a mechanism
The primary action for starting or accelerating the movement of a mechanism should be performed by
application or increase of voltage or fluid pressure, or, if binary logic elements are considered, by passage
from state 0 to state 1 (if state 1 represents the highest energy state).
The primary action for stopping or slowing down should be performed by removal or reduction of voltage or
fluid pressure, or, if binary logic elements are considered, by passage from state 1 to state 0 (if state 1
represents the highest energy state).
NOTE In certain applications (e.g. high-voltage switchgear) this principle cannot be used. Then, other measures
should be applied to achieve the same level of confidence for the stopping or slowing down.
When, in order for the operator to maintain permanent control of deceleration, this principle is not observed
(e.g. a hydraulic braking device of a self-propelled mobile machine), the machine shall be equipped with a
means of slowing and stopping in case of failure of the main braking system.
4.11.4 Restart after power interruption
If it may generate a hazard, the spontaneous restart of a machine when it is re-energized after power
interruption shall be prevented (e.g. by use of a self-maintained relay, contactor or valve).
4.11.5 Interruption of power supply
Machinery shall be designed to prevent hazardous situations resulting from interruption or excessive
fluctuation of the power supply. At least the following requirements shall be met:
- the stopping function of the machinery shall remain;
- all devices whose permanent operation is required for safety shall operate in an effective way to maintain
safety (e.g. locking, clamping devices, cooling or heating devices, power-assisted steering of
self-propelled mobile machinery);
- parts of machinery or workpieces and/or loads held by machinery which are liable to move as a result of
potential energy shall be retained for the time necessary to allow them to be safely lowered.
4.11.6 Use of automatic monitoring
Automatic monitoring is intended to ensure that a safety function(s) implemented by a protective measure
do(es) not fail to be performed if the ability of a component or an element to perform its function is diminished,
or if the process conditions are changed in such a way that hazards are generated.
Automatic monitoring either detects a fault immediately or carries out periodic checks so that a fault is
detected before the next demand upon the safety function. In either case, the protective measure can be
initiated immediately or delayed until a specific event occurs (e.g. the beginning of the machine cycle).
The protective measures may be, e.g.:
- the stopping of the hazardous process;
- preventing the re-start of this process after the first stop following the failure;
- the triggering of an alarm.
4.11.7 Safety functions implemented by programmable electronic control systems
4.11.7.1 General
A control system including programmable electronic equipment (e.g. programmable controllers) can be used
to implement safety functions at machinery. Where a programmable electronic control system is used it is
necessary to consider its performance requirements in relation to the requirements for the safety functions.
The design of the programmable electronic control system shall be such that the probability of random
hardware failures and the likelihood of systematic failures that can adversely affect the performance of the
safety-related control function(s) are sufficiently low. Where a programmable electronic control system
performs a monitoring function, the system behaviour on detection of a fault shall be considered (see also
IEC 61508 series for further guidance).
NOTE Both draft IEC 62061 and ISO 13849-1 rev., which are specific to machinery safety, provide guidance that is
applicable to programmable electronic control systems.
The programmable electronic control system should be installed and validated to ensure that the specified
performance (e.g. safety integrity level (SIL) in IEC 61508 series) for each safety function has been achieved.
Validation comprises testing and analysis (e.g. static, dynamic or failure analysis) to show that all parts
interact correctly to perform the safety function and that unintended functions do not occur.
4.11.7.2 Hardware aspects
The hardware (including e.g. sensors, actuators, logic solvers) shall be selected (and/or designed) and
installed to meet both the functional and performance requirements of the safety function(s) to be performed,
in particular, by means of:
- architectural constraints (e.g. the configuration of the system, its ability to tolerate faults, its behaviour on
detection of a fault);
- selecting (and/or designing) equipment and devices with an appropriate probability of dangerous random
hardware failure;
- incorporating measures and techniques within the hardware to avoid systematic failures and control
systematic faults.
4.11.7.3 Software aspects
The software (including internal operating software (or system software) and application software) shall be
designed so as to satisfy the performance specification for the safety functions (see also IEC 61508-3).
4.11.7.4 Application software
Application software should not be re-programmable by the user. This may be achieved by use of embedded
software in a non re-programmable memory (e.g. micro-controller, application specific integrated circuit
(ASIC)).
When the application requires reprogramming by the user, the access to the software dealing with safety
functions should be restricted e.g. by:
- locks;
- passwords for the authorized persons.
4.11.8 Principles relating to manual control
a) Manual control devices shall be designed and located according to the relevant ergonomic principles
given in 4.8.7.
b) A stop control device shall be placed near each start control device. Where the start/stop function is
performed by means of a hold-to-run control, a separate stop control device shall be provided when a risk
can result from the hold-to-run control device failing to deliver a stop command when released.
c) Manual controls shall be located out of reach of the danger zones (see IEC 61310-3:1999, clause 4),
except for certain controls where, of necessity, they are located within a danger zone, such as emergency
stop or teach pendant.
d) Whenever possible, control devices and control positions shall be located so that the operator is able to
observe the working area or hazard zone.
The driver of a ride-on mobile machine shall be able to actuate all control devices required to operate the
machine from the driving position, except for functions which can be controlled more safely from other
positions.
On machinery intended for lifting persons, controls for lifting and lowering and, if appropriate, for moving
the carrier, shall generally be located in the carrier. If safe operation requires controls to be situated
outside the carrier, the operator in the carrier shall be provided with the means of preventing hazardous
movements.
e) If it is possible to start the same hazardous element by means of several controls, the control circuit shall
be so arranged that only one control is effective at a given time. This applies especially to machines
which can be manually controlled by means among others of a portable control unit (teach pendant, for
instance), with which the operator may enter danger zones.
f) Control actuators shall be designed or guarded so that their effect, where a risk is involved, cannot occur
without intentional operation (see ISO 9355-1 and ISO 447).
g) For machine functions whose safe operation depends on permanent, direct control by the operator,
measures shall be taken to ensure the presence of the operator at the control position, e.g. by the design
and location of control devices.
h) For cableless control an automatic stop shall be performed when correct control signals are not received,
including loss of communication (see IEC 60204-1:1997, 9.2.7).
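The following C sketch is an added illustration and not part of ISO 12100-2: it models a run latch that combines 4.11.3 (stop by passage to state 0), 4.11.4 (no spontaneous restart when power returns) and 4.11.8 h) (automatic stop when correct cableless control signals are not received). All names, the 200 ms timeout and the scenario data are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define LINK_TIMEOUT_MS 200u  /* assumed value; the standard gives none */

typedef struct {
    bool run;               /* 1 = energized (high-energy state), 0 = stopped */
    bool start_prev;        /* last sampled start input, for edge detection */
    bool link_seen;         /* at least one valid cableless frame received */
    uint32_t last_valid_ms; /* timestamp of the last valid frame */
} ctrl_t;
typedef struct { bool power_ok, start_btn, stop_btn, frame_valid; uint32_t now_ms; } inputs_t;

/* One scan of the run latch. Stop conditions always dominate a start command. */
bool ctrl_scan(ctrl_t *c, const inputs_t *in)
{
    bool start_edge = in->start_btn && !c->start_prev;
    c->start_prev = in->start_btn;
    if (in->frame_valid) { c->link_seen = true; c->last_valid_ms = in->now_ms; }
    /* Unsigned subtraction stays correct across timer wrap-around. */
    bool link_ok = c->link_seen &&
        (uint32_t)(in->now_ms - c->last_valid_ms) <= LINK_TIMEOUT_MS;
    if (!in->power_ok || in->stop_btn || !link_ok)
        c->run = false;  /* power loss, stop or silent link: drop to state 0 */
    else if (start_edge)
        c->run = true;   /* only a fresh 0 -> 1 start command sets the latch */
    return c->run;
}

/* Constructed scenario: bit i of the result is the run state after scan i. */
unsigned scenario(void)
{
    static const inputs_t steps[] = {
        /* power  start  stop   frame  time_ms */
        { true,  true,  false, true,    0 },  /* deliberate start -> run      */
        { true,  true,  false, true,  100 },  /* latch holds                  */
        { false, true,  false, true,  200 },  /* power lost -> stop           */
        { true,  true,  false, true,  300 },  /* power back, start still held */
        { true,  false, false, true,  400 },  /* start released               */
        { true,  true,  false, true,  500 },  /* new start edge -> run        */
        { true,  true,  false, false, 600 },  /* frames stop arriving         */
        { true,  true,  false, false, 800 },  /* 300 ms of silence -> stop    */
    };
    ctrl_t c = {0};
    unsigned bits = 0;
    for (unsigned i = 0; i < sizeof steps / sizeof steps[0]; i++)
        if (ctrl_scan(&c, &steps[i])) bits |= 1u << i;
    return bits;
}
```

Because the latch is set only on a rising edge of the start input, a start button held or stuck closed while power returns does not restart the machine.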
4.11.9 Control mode for setting, teaching, process changeover, fault-finding, cleaning or maintenance
Where, for setting, teaching, process changeover, fault-finding, cleaning or maintenance of machinery, a
guard has to be displaced or removed and/or a protective
...