Industrial automation systems - Safety of integrated manufacturing systems - Basic requirements

Specifies the safety requirements for integrated manufacturing systems that incorporate two or more industrial machines interconnected with and operated by a controller(s) capable of being reprogrammed for the manufacturing of discrete parts or assemblies. Describes the requirements and recommendations for the safe installation, programming, operation, maintenance, or repair of such systems.

French title: Systèmes d'automatisation industrielle - Sécurité des systèmes de fabrication intégrés - Prescriptions fondamentales

General Information

Status
Withdrawn
Publication Date
23-Mar-1994
Withdrawal Date
23-Mar-1994
Current Stage
9599 - Withdrawal of International Standard
Start Date
07-May-2007
Completion Date
13-Dec-2025
Ref Project

Relations

Standard
ISO 11161:1994 - Industrial automation systems -- Safety of integrated manufacturing systems -- Basic requirements
English language
25 pages

Frequently Asked Questions

ISO 11161:1994 is a standard published by the International Organization for Standardization (ISO). Its full title is "Industrial automation systems - Safety of integrated manufacturing systems - Basic requirements". It specifies the safety requirements for integrated manufacturing systems that incorporate two or more industrial machines interconnected with and operated by one or more controllers capable of being reprogrammed for the manufacturing of discrete parts or assemblies, and describes the requirements and recommendations for the safe installation, programming, operation, maintenance, or repair of such systems.

ISO 11161:1994 is classified under the following ICS (International Classification for Standards) categories: 25.040.01 - Industrial automation systems in general. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 11161:1994 has the following relationship with other standards: it is linked to ISO 11161:2007, the second edition that superseded this withdrawn first edition. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO 11161:1994 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)

ISO INTERNATIONAL STANDARD 11161
First edition 1994-04-01
Industrial automation systems - Safety of integrated manufacturing systems - Basic requirements
French title: Systèmes d'automatisation industrielle - Sécurité des systèmes de fabrication intégrés - Prescriptions fondamentales
Reference number ISO 11161:1994(E)

Contents

1 Scope
2 Normative references
3 Definitions
4 Safety strategy
4.1 General
4.2 System specification
4.3 Application of a safety strategy
4.4 Hazard identification
4.5 Risk assessment
4.6 Ergonomic considerations
4.7 Marking
4.8 Requirements for documentation
5 Design requirements for safety functions of the control system
5.1 General
5.2 Interferences
5.3 Limitation of fault effects for safety functions
5.4 Safety measures
5.5 Manually-operated control devices
5.6 Status indicators
5.7 Selection of the operating modes of the system
5.8 Control measures for the suspension of safeguards
5.9 Local operation
5.10 Starting
5.11 Stopping
5.12 Emergency movement
5.13 Power interruption or fluctuation
5.14 Power disconnection
5.15 Stored energy
5.16 Safety related parameters
6 Design and safeguarding of the system
6.1 General
6.2 Safeguarding requirements
6.3 Guards
6.4 Interlocks and protective trip devices
6.5 Enabling devices
6.6 Warning devices
6.7 Safety markings
6.8 Safe working procedures
6.9 Openings for loading and unloading of material
6.10 Stopping time/distance
7 Training, installation, commissioning and functional testing
7.1 General
7.2 Training
7.3 Installation
7.4 Commissioning and functional testing
8 Use and care
8.1 General
8.2 Requirements for personnel
8.3 Normal operation
8.4 Manual operation
8.5 Programming
8.6 Program verification
8.7 Troubleshooting and observation of production cycle
8.8 Maintenance and repair
8.9 Fault elimination
8.10 System restart procedures after maintenance and repair
Annex A Examples of a typical integrated manufacturing system

© ISO 1994
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Organization for Standardization
Case Postale 56, CH-1211 Genève 20, Switzerland
Printed in Switzerland

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

International Standard ISO 11161 was prepared by Technical Committee ISO/TC 184, Industrial automation systems and integration.

Annex A of this International Standard is for information only.

Introduction

0.1 This International Standard is part of a series of standards dealing with safety of industrial machines. It has been harmonized with other relevant International Standards dealing with safety issues of industrial equipment.

The intent of this International Standard is to provide safety requirements and guidelines for the design, construction, installation, programming, operation, use, and maintenance of integrated manufacturing systems. It describes basic types of hazards associated with these systems and steps to be taken to assess the risks associated with these hazards and to eliminate or reduce the hazards to an acceptable level.

Where specific points in this International Standard are considered to be in conflict with the requirements of other International Standards (now or in the future), these requirements will be analysed to determine if they are to be included or deleted as system safety requirements.

0.2 This International Standard has been created in recognition of the particular hazards which exist in integrated manufacturing systems incorporating industrial machines and associated equipment.

The risks associated with these hazards vary with the types of industrial machines incorporated in the integrated manufacturing system and the application of such a system as to how it is installed, programmed, operated, maintained and repaired.

The requirements of this International Standard are aimed at minimizing the possibilities of injuries to personnel while working on or adjacent to an integrated manufacturing system. This International Standard contains definitions, measures or procedures, and devices which are not specific to systems but can also apply to safety requirements for individual machines and equipment. They are included in this International Standard to make it more understandable or because no relevant International Standards exist.

Figure 0.1 shows a typical system with the assumption that all of the hazards presented by the system are contained within the work zone. These hazards are suitably protected by safeguarding means determined by the risk assessment (see clause 4) and described in clauses 5 to 8 of this International Standard.

Where hazards are presented by equipment outside the work zone (e.g. electrical shock), it is intended that these hazards be suitably protected by means described in relevant International Standards (e.g. IEC 204-1) which can be integrated by the procedures developed by the system supplier or user.

Figure 0.1 - Basic integrated manufacturing system (diagram not reproduced in this extraction; its labels show a supervisory control connected to the machines over a local area network/data link)

INTERNATIONAL STANDARD

Industrial automation systems - Safety of integrated manufacturing systems - Basic requirements

1 Scope

This International Standard specifies the safety requirements for integrated manufacturing systems that incorporate two or more industrial machines interconnected with and operated by a controller(s) capable of being reprogrammed for the manufacturing of discrete parts or assemblies. It describes the requirements and recommendations for the safe installation, programming, operation, maintenance, or repair of such systems (see figure 0.1 for the basic configuration of an integrated manufacturing system).

This International Standard is not intended to cover safety aspects of individual machines and equipment which may be covered by standards specific to those machines and equipment. Where machines and equipment of an integrated manufacturing system are operated separately or individually and while the protective effects of the safeguards provided for automatic mode are muted or suspended, the relevant safety standards for these machines and equipment shall apply.

2 Normative references

The following standards contain provisions which, through reference in this text, constitute provisions of this International Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this International Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.

ISO 3864:1984, Safety colours and safety signs.
ISO 6385:1981, Ergonomic principles in the design of work systems.
ISO/TR 8373:1988, Manipulating industrial robots - Vocabulary.
ISO 10218:1992, Manipulating industrial robots - Safety.
IEC 204-1:1992, Electrical equipment of industrial machines - Part 1: General requirements.
EN 418:1992, Safety of machinery - Emergency stop equipment, functional aspects - Principles for design.

3 Definitions

For the purposes of this International Standard, the following definitions apply.

3.1 awareness barrier: Attachment or obstacle that by physical contact warns of an approaching or present hazard.

3.2 barrier: Physical boundary to a hazard.

3.3 controlled stop: The stopping of machine motion by reducing the command signal to 0 once the signal has been recognized by the control but retaining power to the machine actuators during the stopping process. [IEC 204-1:1992, 3.12]

3.4 enabling device: Manually-operated device which, when continuously activated in one position only, allows hazardous functions but does not initiate them. In any other position, hazardous functions are stopped safely.

3.5 guard: Machine element specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called casing, cover, screen, door, enclosing guard, etc.

3.6 hazard: Source of possible injury or damage to health.

3.7 hazard zone [area] [space]: Any zone within and/or around machinery in which a person is exposed to risk of injury or damage to health.

3.8 hazardous situation [condition] [motion]: Any situation in which a person is exposed to a hazard or hazards.

3.9 hold-to-run control device: Manually-actuated start and stop control device which initiates and maintains operation of machine elements only as long as the control is actuated in a set position. The control automatically returns to the stop position when released.

3.10 industrial machine; machine: Individual component machine and associated equipment of an integrated manufacturing system.

3.11 integrated manufacturing system; system: Group of two or more industrial machines working together in a coordinated manner, normally interconnected with and operated by a supervisory controller or controllers capable of being reprogrammed for the manufacturing of discrete parts or assemblies.

3.12 interlocking device (as used with a guard): Mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of system elements under specified conditions (generally as long as the guard is not closed).

3.13 limiting device: Device which prevents a system or system elements from exceeding a design limit.

3.14 local control: State of the system or portions of the system in which the system is operated from the control panel or pendant of the individual machines only.

3.15 lockout: Placement of a lock on the energy isolating device (e.g. disconnecting means) in the "OFF" or "OPEN" position, indicating that the energy isolating device or the equipment being controlled shall not be operated until the removal of the lock.

3.16 muting: Temporary automatic suspension of the protective function of a safeguarding device during normal operation.

3.17 operational stop: Stop which stops the production process at a natural point in the working process as soon as possible after its activation.

3.18 pendant: Unit linked to the control system with which the system or portions of the system can be programmed (or moved).

3.19 person: Any individual.

3.20 personnel: Persons specifically employed and trained in the use and care of a machine or manufacturing system.

3.21 protective device: Device (other than a guard) which reduces risk, alone or associated with a guard.

3.22 risk: Combination of the probability of injury occurring and the degree of the injury or damage to health in a definite hazardous situation.

3.23 safeguard: Guard or protective device used in a safety function to protect persons from a present or impending hazard.

3.24 safeguarded space: Space determined by the safeguards.

3.25 safeguarding: Those safety measures consisting of the use of safeguards to protect persons from the hazards which cannot reasonably be removed or sufficiently eliminated by design.

3.26 safe working procedure: Specified procedure intended to reduce the possibility of injury while performing an assigned task.

3.27 supplier: Entity (e.g. designer, manufacturer, contractor, installer, integrator) who provides equipment or services associated with the manufacturing system or portion of the system.
NOTE 1 The user may also act in the capacity of a supplier to himself.

3.28 task program: Set of motion and auxiliary function instructions which define the specific intended task of the manufacturing system.
NOTE 2 This type of program is normally generated by the user.

3.29 trip device: Device which causes a system or system element to stop when a person or a part of his or her body goes beyond a safe limit.

3.30 troubleshooting; fault finding: Act of methodically determining the reason that the system or portions of the system has failed to perform the task or function as intended.
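As an added illustration (not text or code from ISO 11161:1994), the following Python models how the control devices defined above interact when a controller decides whether hazardous motion may run: the enabling device (3.4) permits motion but never initiates it, the hold-to-run control (3.9) initiates and maintains it, an interlocking device (3.12) blocks motion while its guard is open, and muting (3.16) suspends one safeguarding device only during normal operation. The two operating modes (AUTOMATIC and LOCAL, after 3.14), the rule that local control always requires the enabling device, and the constructed cell layout are assumptions of this example; 4.3.2 and 4.5 below describe when safeguards may be suspended.

```python
"""Safety-function permission logic modelled on ISO 11161:1994 clause 3.

Added example, not the standard's own text or code.  Mode names, device
names and the rule that LOCAL control always needs the enabling device are
assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"   # normal production; safeguards fully effective (4.3.2)
    LOCAL = "local"           # 3.14: operated from the machine's own panel or pendant


class Enabling(Enum):
    """Three-position enabling device (3.4): only the middle position enables."""
    RELEASED = 0
    ENABLED = 1        # the one position that allows (but does not start) motion
    FULLY_PRESSED = 2  # any other position: hazardous functions are stopped safely


@dataclass
class Guard:
    name: str
    closed: bool
    muted: bool = False  # 3.16: temporary automatic suspension during normal operation


@dataclass
class Inputs:
    mode: Mode
    guards: list[Guard] = field(default_factory=list)
    enabling: Enabling = Enabling.RELEASED
    hold_to_run: bool = False   # 3.9: control actuated in its set position
    cycle_start: bool = False   # automatic-mode start command from the controller


def interlocks_satisfied(guards):
    """3.12: every interlocked guard must be closed unless its safeguarding
    device is currently muted (3.16).  Muting belongs to normal operation,
    so motion_permitted() only consults it in AUTOMATIC mode."""
    return all(g.closed or g.muted for g in guards)


def motion_permitted(inp: Inputs) -> bool:
    if inp.mode is Mode.AUTOMATIC:
        # Safeguards remain effective; motion is started by the controller's
        # cycle command, never by the operator's enabling device.
        return inp.cycle_start and interlocks_satisfied(inp.guards)

    # LOCAL mode: the safeguards provided for automatic mode are suspended
    # (see the scope and 4.5), so the operator devices govern motion.
    # Assumption: local control always requires the enabling device.
    if inp.enabling is not Enabling.ENABLED:
        return False           # 3.4: any other position stops hazardous functions
    return inp.hold_to_run     # 3.4: enabling allows but does not initiate; 3.9 does


def run_sequence(mode, guards, steps):
    """Replay (enabling, hold_to_run) operator actions and return the motion
    state after each one, showing that leaving the enabling position stops
    motion that was already running."""
    states = []
    for enabling, hold in steps:
        states.append(motion_permitted(
            Inputs(mode=mode, guards=guards, enabling=enabling, hold_to_run=hold)))
    return states


if __name__ == "__main__":
    # Constructed scenario: one interlocked access door plus a loading opening
    # whose protective device is muted while parts are fed in (3.16).
    door = Guard("access door", closed=True)
    opening = Guard("loading opening", closed=False, muted=True)
    print("auto, door closed, opening muted:",
          motion_permitted(Inputs(Mode.AUTOMATIC, [door, opening], cycle_start=True)))
    print("auto, door open:",
          motion_permitted(Inputs(Mode.AUTOMATIC, [Guard("access door", False), opening],
                                  cycle_start=True)))
    print("local teach sequence:",
          run_sequence(Mode.LOCAL, [Guard("access door", False)], [
              (Enabling.ENABLED, False),        # enabled but nothing started
              (Enabling.ENABLED, True),         # jog: motion runs
              (Enabling.FULLY_PRESSED, True),   # panic grip: stopped safely
              (Enabling.RELEASED, True),        # released: stopped
          ]))
```

The point the definitions make and the code enforces is the separation of "allow" from "start": in LOCAL mode the enabling device held in its middle position is necessary but not sufficient, and the hold-to-run control is ignored unless the enabling device is in that one position. In AUTOMATIC mode the operator devices play no part at all; only the interlocks (and any muting that is legitimately active) decide.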
3.31 uncontrolled stop: Stopping of machine motion by removing power to the machine actuators which cause hazardous conditions, all brakes or other mechanical stopping devices being activated (see IEC 204-1).

3.32 user: Entity who utilizes and maintains the manufacturing system.

4 Safety strategy

4.1 General

This clause deals with the overall strategy of determining the safety requirements for a system. This overall strategy is a combination of the measures incorporated at the design stage and those measures required to be implemented by the user.

The design of the system shall be the first consideration while still maintaining an acceptable level of performance. This phase of the safety strategy should:
- specify the limits or parameters of the system (see 4.2);
- apply a safety strategy (4.3);
- identify the hazards (4.4);
- assess the associated risks (4.5);
- remove the hazards or limit the risks as much as practicable.

Where it is not possible to reduce the risks to an acceptable level by the above measures, provisions for safeguarding in the design phase shall be considered in such a manner that the flexibility of the system in its application is retained without impairing its safety.

In addition, information (e.g. written instructions, warning signs) concerning hazards which are difficult to recognize shall be provided.

4.2 System specification

A system concept shall define the system specification. This includes or takes into account:
- description of functions;
- layout and/or model;
- survey about the interaction of different working processes and manual activities;
- analysis of process sequences including manual interaction;
- description of the interfaces with conveyor or transport lines;
- process flow charts;
- foundation plans;
- plans for supply and disposal devices;
- determination of the space required for supply and disposal of material;
- available accident records;
- study of similar system installations.

The designer shall have a specific and documented idea of the probable human activities on the site, and in particular:
- visits (presence of third parties not directly concerned by the operation);
- process control and monitoring;
- workpiece loading;
- takeover of manual control by the operator;
- brief interventions not requiring disassembly;
- setting;
- troubleshooting;
- maintenance.

This information will enable the designer to work out a coherent, purposeful programme of action based on the following elements:
- analysis of reference situations (old or more recent, on other sites);
- allowance for effects of industrial variability (equipment wear, dimensional variations of product, etc.);
- participation of personnel having to work on the system in the future.
4.2.1 System design criteria

Besides the description of functions, all necessary requirements to ensure safe operation should be considered in the design criteria list. This includes all protective measures to effectively reduce the hazards listed in 4.4 where they exist.

Such a design implies a coherent procedure which minimizes the effects of project fragmentation. This requires:
- integration of the man-machine interface;
- early definition of the position of those working on the system (in time and space);
- early consideration of ways of cutting down on isolated work;
- consideration of environmental aspects (e.g. quality of air, lighting conditions, noise).

A system shall not be designed exclusively in terms of its working functions; it shall also be considered from the viewpoints of its use and operation.

4.2.2 Project organization

During planning, design and construction of a manufacturing system, safety measures, especially those related to the interactions between individual machines, shall be coordinated. This applies also where a system consists of a combination of sections and/or single units from different suppliers.

The coordination of activities includes, for example:
- planning;
- procurement;
- delivery and assembly;
- installation procedure and stage of testing;
- partial acceptance/acceptance;
- delivery of the system in final working order;
- system verification (runoff) including correction of any faults or failures found;
- maintainability;
- ergonomic factors.

4.3 Application of a safety strategy

An integrated manufacturing system shall be designed and safeguarded to ensure orderly transport and installation as well as proper and safe use and maintenance in accordance with the risk assessment (see 4.5). To achieve these objectives the relationship between human factors, the work being carried out, the hazards arising and the production process should be taken into account.

The factors of noise, hazardous materials, heat, low temperature, radiation and similar influences of the physical operating environment shall be considered so as not to create health hazards.

The supplier(s) of the system (or parts of the system) shall state the expected conditions of the physical environment and the requirements of the external power sources and how they are to be connected to ensure proper operation. The user shall ensure that either these conditions are met or that alternative means are provided, and that the system operates under these conditions according to the specification.

4.3.1 Design and development

All available knowledge concerning safety should be considered during the development of single units, sections of system and complete systems so that, through its application, accident and health hazards shall be prevented or reduced to an acceptable level. This includes the clarity of the complete system, the sections of system and the single units. Particularly, the normal operating positions of personnel shall grant sufficient vision of the flow of production and the machining operations, which may require additional measures (e.g. video monitoring).

Normal positions for operating and maintenance personnel shall be easily accessible and located outside hazardous areas. Elements requiring routine maintenance (e.g. points of lubrication, setting mechanisms) shall be arranged, where practicable, outside the hazardous areas. It is preferable to achieve the desired levels of safety by the use of nonhazardous elements to remove or reduce hazards. Secondly, alternative process sequences or working processes giving a lower level of risk may be used.

Manually-operated start and stop controls shall be located in such a way that the hazard zone which is associated with that control facility is clearly identified.

4.3.2 Safeguarding

Where the measures in accordance with 4.3.1 are not or only partially applicable in reducing risks to an acceptable level, the safeguards given in clause 6 shall be provided. These safeguards shall not complicate operation and maintenance more than necessary. This includes the clear arrangement in conjunction with the complete system, the sections of system and the single units.

Depending upon the design and application of the system, the use of a single safeguard or a combination of several different safeguards may be necessary. The selection of the safeguards depends upon the identified hazards.

Safeguarding means shall remain effective for all operating modes (see IEC 204-1:1992, subclause 9.2.4 for suspension of safeguards under special conditions).

4.3.3 Warning signs and personal protective equipment

Where the measures given in 4.3.1 and 4.3.2 are not or only partially applicable, warning devices (see 6.6) and signs shall indicate the presence of the remaining hazards which are difficult to recognize.

The following hazards can be difficult to recognize:
- those due to unexpected movements;
- those due to unexpected effects of energy (e.g. by overpressure, tension, rotation, gravity, noise, heat, low temperature, radiation); or
- those due to unexpected escape of hazardous materials.

Where necessary, the use of personal protective equipment shall be specified.

4.4 Hazard identification

Hazards can arise from
- the system itself;
- the interaction of the system with other machinery or equipment outside the system;
- the physical environment in which the system is used; or
- interactions between personnel and the system.

Examples of sources of hazards are:

a) moving mechanical components in
   1) normal operation, either individually or in conjunction with other elements of the system or related equipment in the hazard zone,
   2) unexpected operation (e.g. falling of mechanical components, tipping of the machinery);

b) power sources;

c) stored energy;

d) interferences
   1) electrical [e.g. electromagnetic interference (EMI), electrostatic discharge (ESD), radio frequency interference (RFI)],
   2) mechanical (e.g. vibration, shock);

e) hazardous atmospheres or materials
   1) explosive or combustible,
   2) corrosive,
   3) radiation (e.g. ionization, thermal);

f) failure or fault of
   1) protective means, including removal, disassembly, or defeating,
   2) components, devices, or circuits,
   3) power sources or means of power distribution, including fluctuations or disturbances,
   4) information transmission;

g) human error in
   1) design, construction, or modification,
   2) operating systems, application software, and programming,
   3) application and implementation,
   4) setup, including work handling/holding and tooling,
   5) operation or use,
   6) maintenance and repair,
   7) documentation and training/instruction;

h) ergonomic considerations
   1) lighting,
   2) vibration,
   3) noise,
   4) climatic conditions,
   5) operator control station design/layout.

4.5 Risk assessment

A risk assessment shall be performed which shall serve as a basis for determining safety objectives and measures.

Risks shall be reduced to an acceptable level. To achieve this requirement, it is the intent of this subclause to provide guidance in the development of programs or plans to
- create a safe working environment, and
- ensure safety and health of personnel.

Each identified hazard shall be assessed for its risk, and appropriate safety measures shall be determined and implemented to minimize that risk.

Hazards shall be ascertained for the single units, the interaction between single units, the operating sections of the system, and operation of the complete system for all intended operating modes/conditions, including conditions where normal safeguarding means are suspended for such operations as programming, verification, troubleshooting, maintenance, or repair. This also applies where systems are modified.

Risks shall be evaluated for normal operation where conditions are clearly foreseeable, including the interaction of personnel as part of the production process. Where a hazard exists, normal production should avoid human intervention.

Risks shall also be considered for those parts of the process where it is foreseeable that there will be direct human intervention within the system (e.g. clearing blockages, setting, programming/teaching, troubleshooting, maintenance). It should be recognized that under these circumstances the normal control sequences and some or all of the normal process safeguards may be suspended. Where this is the case, special provisions should be made for local control and safeguarding together with dedicated safe systems of work (e.g. lockout).

The hazardous situations which can occur in each area of the system to which persons can have access shall be identified.

4.6 Ergonomic considerations

4.6.1 Man-machine interface

The following measures are designed to facilitate the activities of automated system monitoring and data processing.

4.6.1.1 Direct view of operations

The site shall be designed to facilitate the acquisition of information concerning sensitive points of the system; special attention shall be paid to the layout of observation points or areas (it may be useful to provide for viewing aids such as mirrors, video systems, etc.).

4.6.1.2 Information displayed

The user shall be able to obtain all necessary information concerning the actual state of the progress of the operating cycle. Comprehensive information concerning the state of the system should be available on the man-machine interfaces. Special attention shall be paid to the choice of information to be displayed on these interfaces and information which can be accessed by the system operator on request.

This information shall be presented in a language which takes into account the customary activity and technical culture of the system operators. For information display, the conditions listed below concerning its form and appearance shall be complied with:
- the physical characteristics of signals and controls shall be adapted to the viewing and manipulating capabilities of all operators;
- the controls and information relating to a given action and monitoring of its result shall be located close to one another;
- the grouping of information shall promote diagnosis (i.e. facilitate the identification of significant configurations of the technical system);
- information allowing verification of the reliability of an indicator shall be located close to that indicator;
Q ISO
ing, orientation of diagrams, etc.). Importante of 4.6.2 Human interventions
identifying Iabels (see also IEC 204-1);
4.6.2.1 Control and maintenance activities
the design of display Systems shall be such as to
allow detection of display-system malfunctions
Interventions areas shall be sized and arranged so as
and repair of the System;
to provide sufficient space for movement and for
performing the necessary tasks with minimum risk.
allowance shall be made for the capability of the
device to evolve with evolutions in production,
Provisions should be made, in particular, for
user population, etc,;
- areas for movement by those working on the sys-
duplication: it is often necessary for the same in-
tem, avoiding, insofar as practicable, changes of
formation to be displayed at several locations on
levels and lengthy movements, and with Provision
the site.
for crossover Points;
the site design Stage, consideration shall be given
- a working space or platform for all long, frequent,
to the possibility of the users storing in memory sig-
or high-elevation interventions which takes into
nificant events (settings, oil changes, drifts, contin-
account the aspects of posture, body dimensions,
gencies, incidents). Storage in memory should make
the environment, and task;
it possible for the user to trace the history of the
System.
- layout of interfaces, central and decentralized
consoles (stationaty or mobile) in such a way as to
In addition, the information conveyed via several
allow viewing of the part actuated, to limit time
interfaces shall be interconnected to ensure the co-
constraints and minimize risks related to faults in
herence of such information, especially when the
communication between Operators;
principle of redundancy is employed.
- a lighting Ievel in work areas and for Parts of the
site requiring special monitoring which is appro-
priate for the operations to be performed. Care
4.6.1.3 Manually-operated control devices
should also be taken that visibility is not disturbed
by phenomena such as glare or reflections. In
certain cases, provisions should be made for the
possibility of lighting adjustment (intensity, orien-
tation);
The design and location of manually-operated control
devices should:
- lifting bolts or other devices built into the equip-
ment and/or forming part of the site and the use
- ensure that the state of each power actuated de-
of special handling facilities to facilitate the
vice is visible from the Position of the manually-
assembly/disassembly of the System.
operated control device;
4.6.2.2 Predominantly manual activities
- ensure that functions and statuses are defined and
displayed explicitly for the Operator;
Application of ergonomic measures and data contrib-
- harmonize the manually-operated control devices utes to improvement of the safety level by making
(e.g. designation, positions) by ensuring consist- task completion easier and by decreasing the number
ency between the various control Parts of a given of human errors during interventions (e.g. repairing,
maintenance, checking, programming, operating). The
System;
design of System elements on which human inter-
- adapt the shapes and sizes of the actuators of the vention is intended shall take into account human
control devices to ensure that they tan be actu-
characteristics such as size, posture, strength, move-
ated without error by Workshop Operators.
ments, and physical ability (ISO 6385).
Care should be taken to ensure the Operators
The effects of the actuation of any manually-operated
control device shall be clearly defined. The state of
- maintain normal body Position;
the actuated control device shall be made clearly ap-
parent.
- tan communicate (visually and orally).

4.7 Marking

The system shall be provided with a specific identification with the following information (as a minimum):

- name and location of manufacturer/supplier;
- system identifier;
- appropriate certification (where required).

4.8 Requirements for documentation

The system documentation shall be written in the language(s) agreed between the user and the supplier prior to the acceptance of the order and contain (as a minimum) the following:

a) a clear, comprehensive description of the system and its installation including mounting and connection to external energy sources;
b) a repetition of the markings found on the system (see 4.7);
c) the system performance specifications;
d) external power source(s) specifications;
e) physical environment specifications (e.g. lighting, vibration, and noise levels, atmospheric contaminants);
f) a description of potentially hazardous conditions and how to avoid them (e.g. lockout, blocking, pinning);
g) how to recognize abnormal performance and how to correct it;
h) information on the
   1) programming,
   2) operation,
   3) frequency of inspection,
   4) frequency and method of functional testing, and
   5) guidance on the repair and maintenance of the system and its safeguards;
i) a recommended procedure for maintaining a record of the task program to assist personnel in operating or troubleshooting;
j) a description (including interconnecting diagrams) of the safeguards, interacting functions, and interlocking of guards with hazardous movements particularly with interacting installations;
k) a description of the safeguarding means and methods when the primary safeguards are suspended;
l) a description (including diagrams) for the interfaces for the connection of control and power circuits;
m) procedures for adjustment of the limiting devices.

The instruction manual for a system shall include the various specific manuals for its component parts.

5 Design requirements for safety functions of the control system

5.1 General

The following requirements apply to the control aspects (e.g. electrical, hydraulic, pneumatic, mechanical) of integrated manufacturing systems.

Control systems shall be designed and constructed in a manner that they cause no hazards to persons when they are used according to their specification during normal operation (see 8.3) or manual operation (see 8.4). This applies also to the interaction between a complete control system with separate unit control systems in addition to unit control systems in relation to each other.

The electrical equipment of a system shall be in accordance with IEC 204-1:1992 and in particular clause 9.

The electrical power supply and the connection of the earthing (grounding) conductor shall be in accordance with the supplier's recommendations.

5.2 Interferences

The design and installation of the system shall incorporate good engineering practices which protect controls and control systems from sources of interference. If risks may be foreseen as a result of interference, then separate safeguards are required to ensure that interference with control functions does not present risks whenever the machines are put to their intended tasks.

Examples of sources of interferences include:

- electromagnetic interference (EMI);

- electrostatic discharge (ESD);
- radio frequency interference (RFI);
- vibration/shock;
- airborne noise;
- light;
- radiation.

5.3 Limitation of fault effects for safety functions

The control system shall be designed, constructed, and installed or applied to ensure that a single control component failure within the system does not prevent stopping action from taking place but will prevent initiation or successive system cycles from occurring until the failure has been corrected.

This requirement does not apply to those components whose failure cannot cause hazardous conditions.

When analysing faults, the following shall be considered (see figure 1):

- a single fault shall not give rise to any situation hazardous to persons;
- a first fault which has not been recognized in conjunction with a further fault (second fault) shall not give rise to any situation hazardous to persons.

It is assumed that two independent faults do not appear at the same time, but the designer shall take into account common mode failures.
Figure 1 - Fault assessment (flowchart; only its labels survive extraction: 1st fault; A hazard?; No; 2nd fault; Undue, provide other measures; Cessation of fault assessment; No further fault assessment)
Failure consideration shall be made to maintain the safety-technical requirements in the case of failure and/or to ensure a detection of certain types of failures. Consequently, the development and assessment (fault analysis) shall be based upon assumption of the failure modes of the different components.

5.4 Safety measures

5.4.1 Safety measures by the control

In addition to the requirements of 5.3, proven circuit techniques and components (see IEC 204-1:1992, subclause 9.4.2.1) shall be used together with one or more of the following examples of safety measures:

a) Partial or complete redundancy (see IEC 204-1:1992, subclause 9.4.2.2).

Control component failure protection of electrical, electronic or fluidic systems frequently consists of multiple, independent parallel or series circuitry or components arranged to meet the requirements of this subclause. Protection against the consequences of failure of control components should not depend solely upon simple redundancy.

Component redundancy is the use of two or more control components in parallel or series circuits and is used to ensure reliable operation. However, failure of one of the redundant components can go undetected, allowing the appearance of safe operation. When the additional element(s) of the redundant circuit subsequently fails, an unsafe condition can occur. Monitoring and response to such single failures is essential;

b) Use of diversity (see IEC 204-1:1992, subclause 9.4.2.3).

...

The application of this measure (can also be carried out by simulation) assumes that monitoring carried out in a positive mode at fixed intervals determines how a consideration of the risk assessment will recognize an occurred fault and, in case of a recognized fault, will induce a safety signal (most of the time a shut-off signal);

Enabling device (see 6.5).

The application of this measure assumes that the person who uses the enabling device will recognize hazards in time to take immediate steps to avoid them;

Delockable non-return valves, cyclic switching of slide valves which are infrequently actuated, force actuated valves, impulse valves without spring actuation.

Considerable energies can be stored in hydraulic or pneumatic systems. It shall be assured that these do not lead to hazardous movements. Stored energies may be suited to induce safety functions (e.g. through restoring movements). If necessary, additional measures shall be provided against later hazardous movements (e.g. due to drop in pressure, mains isolation, leakages, line breaks) such as, for example, mechanical force locked or positively located supporting facilities or delockable non-return valves.

5.4.2 Additional safety measures

Where safety measures by the control alone are not sufficient to protect against hazardous fault effects, complementary measures such as mechanical safety precautions shall be taken.

5.4.3 Combination of safety measures

Usually, a combinati...
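The single-fault requirement of 5.3 (a failed control component must not prevent the stopping action, but must prevent further cycles until it is corrected) and the warning in 5.4.1 a) that simple redundancy can mask a first fault are easier to see in a runnable model. The following block is an added example and is not text or code from ISO 11161:1994 or from IEC 204-1; the two series channels K1 and K2, the "stuck closed" fault and the positive-mode stop check are constructed for the illustration. It runs the same first-fault/second-fault sequence of figure 1 against an unmonitored and a monitored circuit.

```python
# Added example (not part of ISO 11161:1994): a two-channel stop circuit with and
# without monitoring, to illustrate 5.3 and 5.4.1 a). Channel names, the fault
# type and the stop check are constructed for this illustration.

from dataclasses import dataclass, field
from enum import Enum


class Fault(Enum):
    NONE = "ok"
    STUCK_CLOSED = "stuck closed"  # e.g. welded contact: this channel can no longer open


@dataclass
class Channel:
    """One series contact in the stop path (e.g. one contactor)."""
    name: str
    fault: Fault = Fault.NONE
    commanded_open: bool = False  # True once a stop has been commanded

    def is_open(self) -> bool:
        if self.fault is Fault.STUCK_CLOSED:
            return False  # the fault overrides the command
        return self.commanded_open


@dataclass
class StopCircuit:
    """Two channels in series; the actuator is powered only when both are closed."""
    monitored: bool
    channels: list = field(default_factory=lambda: [Channel("K1"), Channel("K2")])
    running: bool = False   # a cycle is in progress
    latched: bool = False   # monitoring has recognized a fault; no further cycles
    fault_log: list = field(default_factory=list)

    def actuator_powered(self) -> bool:
        return all(not ch.is_open() for ch in self.channels)

    def stop(self) -> bool:
        """Command a stop. Returns True when the actuator is actually de-energized."""
        for ch in self.channels:
            ch.commanded_open = True
        if self.monitored:
            # Positive-mode check at a fixed point: each channel must be seen to open.
            # A channel that did not open is a recognized fault; latch the safe state
            # so that no further cycle can be initiated until it is corrected (5.3).
            failed = [ch.name for ch in self.channels if not ch.is_open()]
            if failed:
                self.latched = True
                self.fault_log.append("stop check failed on " + ", ".join(failed))
        stopped = not self.actuator_powered()
        if stopped:
            self.running = False
        return stopped

    def start_cycle(self) -> bool:
        """Attempt to initiate a new cycle. Refused while a fault is latched."""
        if self.latched:
            return False
        for ch in self.channels:
            ch.commanded_open = False
        self.running = True
        return True


def run_scenario(monitored: bool) -> dict:
    """First fault, then another cycle, then a second fault: the figure 1 sequence."""
    circuit = StopCircuit(monitored=monitored)
    result = {}
    circuit.start_cycle()
    circuit.channels[0].fault = Fault.STUCK_CLOSED            # first fault: K1 welds
    result["stop_after_first_fault"] = circuit.stop()         # K2 alone still stops it
    result["cycle_allowed_after_first_fault"] = circuit.start_cycle()
    circuit.channels[1].fault = Fault.STUCK_CLOSED            # second fault, later: K2 welds
    stopped = circuit.stop()
    # Hazard: motion was running, a stop was commanded, and the actuator stayed powered.
    result["hazard_after_second_fault"] = circuit.running and not stopped
    result["fault_log"] = list(circuit.fault_log)
    return result


if __name__ == "__main__":
    for monitored in (False, True):
        print("monitored" if monitored else "unmonitored", run_scenario(monitored))
```

Running the module prints both scenarios. The unmonitored circuit stops correctly after the first fault, allows the next cycle because nothing noticed the welded K1, and then loses the stop function when K2 also fails: the "first fault not recognized, in conjunction with a second fault" situation that 5.3 requires the design to exclude. The monitored circuit recognizes the first fault at the stop check, refuses the next cycle and therefore never reaches a hazardous state, which is the "prevent initiation of successive cycles until the failure has been corrected" half of the requirement. Common-mode failures, which 5.3 also asks the designer to consider, are outside what this model shows: both channels here fail independently.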
