Fault tolerance in machinery safety


People's willingness to take risks varies from individual to individual. What each person may decide for themselves in their private life, however, has to be assessed and regulated by standards in the field of machinery safety. What level of risk is still acceptable, which faults may be fatal and, from a standards perspective, under what conditions is an automation system with a safety-critical fault permitted to continue operating for a limited time?

These questions represent a new approach to safety: functional safety control systems should no longer simply shut down as soon as a fault occurs. Instead, they report the fault in good time and remain in operation for a "reasonable time from a safety perspective".

What does fault tolerance mean in machinery safety?

Fault tolerance means that a technical system can maintain its functionality even when fault states and failures compromise that function. A fault-tolerant system requires not just fault detection, but also qualified fault evaluation, so that a decision can be made as to whether the detected fault can be tolerated or is so serious that an immediate stop (shutdown) is unavoidable.

Fault tolerance increases a system's availability


This type of fault evaluation is not usual in current implementations of "classic factory automation systems". However, fault tolerance is impossible without fault evaluation, and a graduated fault reaction can only be decided on devices or systems designed for it. The developer, and also the user, of a fault-tolerant device or system must therefore define the length of the period Δtdeg for which continued operation in a degraded state is permitted. Where necessary, additional risk reduction measures must also be specified, which then become part of the information for use. To give a practical example, the degraded period may be used to bring a processing step to an orderly end.
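The graduated fault reaction described above, as an added example that is not part of the original page or of any Pilz or ZVEI product: a small controller model in which a detected fault is first evaluated, a tolerable fault starts the Δtdeg timer for degraded operation, and the safe state (de-energisation) is entered either immediately for a non-tolerable fault or once Δtdeg expires without the fault being cleared. The fault codes and the tolerable-fault list are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    NORMAL = "normal"          # full safety function available
    DEGRADED = "degraded"      # tolerable fault present, operation limited to dt_deg
    SAFE_STATE = "safe_state"  # de-energised: all hazardous movements stopped


@dataclass
class SafetyController:
    """Assumed fault-reaction policy (constructed for this example): every detected
    fault is evaluated against a tolerable-fault list before a stop decision is made."""
    dt_deg: float                      # Δtdeg: max. permitted degraded-operation period (s)
    tolerable: frozenset               # fault codes the evaluation classes as tolerable
    state: State = State.NORMAL
    degraded_since: Optional[float] = None
    log: list = field(default_factory=list)

    def report_fault(self, code: str, now: float) -> State:
        """Fault evaluation: tolerable -> degraded (timer starts), else immediate stop."""
        if self.state is State.SAFE_STATE:
            return self.state                       # a stop stays latched until reset
        if code in self.tolerable:
            if self.state is State.NORMAL:          # timer starts on the first tolerable fault
                self.state, self.degraded_since = State.DEGRADED, now
            self.log.append(f"t={now}: fault {code} tolerated, degraded operation")
        else:
            self.state = State.SAFE_STATE
            self.log.append(f"t={now}: fault {code} not tolerable, de-energising")
        return self.state

    def tick(self, now: float) -> State:
        """Cyclic check: degraded operation must not outlast Δtdeg."""
        if self.state is State.DEGRADED and now - self.degraded_since >= self.dt_deg:
            self.state = State.SAFE_STATE
            self.log.append(f"t={now}: Δtdeg expired, de-energising")
        return self.state

    def clear_fault(self, now: float) -> State:
        """Maintenance removed the fault within Δtdeg: return to normal operation."""
        if self.state is State.DEGRADED:
            self.state, self.degraded_since = State.NORMAL, None
            self.log.append(f"t={now}: fault cleared, normal operation")
        return self.state
```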

Machinery Directive – is degraded operation compliant with standards?

In mechanical engineering, functional safety control systems help to cover the requirements of health and safety protection in accordance with the Machinery Directive (2006/42/EC). The starting point here is the risk analysis and risk estimation based on EN ISO 12100. This standard describes fundamental hazards and helps the design engineer to identify relevant and significant hazards, which are reduced to an acceptable residual risk through risk-reducing measures.

Protective measures in accordance with EN ISO 13849-1 and/or IEC 62061

If control protection measures are used, manufacturers will design these in accordance with EN ISO 13849-1 and/or IEC 62061. Technical documentation will contain guidelines for constructing these measures, their safety-related reliability and intended use.

Safe state in functional safety

Today's functional safety control systems are designed so that their safe state is de-energisation. In other words: all hazardous movements are stopped. This is the right choice for all plant and machinery on which removal of power, and therefore a stop, is the safe state.
However, a growing number of plant and machinery require or demand increased availability, in the context of Industrie 4.0, for example. A "hard stop" may also lead to further hazards, which need to be considered in the risk analysis. So the dogma of removing power as the only possible reaction to a fault is no longer up to date.

ZVEI white paper - Fault tolerance in machinery safety

A working group within the ZVEI (German Electrical and Electronic Manufacturers' Association), working in collaboration with Pilz and the IFA (Institute for Occupational Safety and Health), has developed several white papers, which describe the basic principles of fault-tolerant devices and systems in functional safety on plant and machinery. They are intended to demonstrate that implementation of temporary operation with a degraded safety subfunction in safety-related sensors and power drives is in keeping with the protection objectives of the Machinery Directive and is not contrary to the harmonised standards EN ISO 13849 or EN 62061.
Operating in a degraded state breaks, in accordance with the standards, with the dogma of immediate removal of power in the case of a fault. This increases both the safety and the availability of plant and machinery:

  • Reduced incentive for tampering
  • No consequential damage from shutting down at an inopportune moment
  • Increased productivity
  • Event-based maintenance without downtimes

ZVEI's TASi working group calls on users and manufacturers to implement these benefits on machinery and so make them profitable for operators.
The white paper is aimed primarily at machine builders and system integrators, who design and implement safety functions and subsystems for the machine controller. This information can also be applied for the design of safety-related devices and systems in product development.


Download the ZVEI white paper free of charge!

Part 1 of the ZVEI white paper

The first part of the white paper describes the principles for operating in a degraded state. Part one must be considered before applying Part 2.


Part 2 of the ZVEI white paper

The second part describes how to implement fault-tolerant safety functions, which allow a plant or machine to continue operating in fault scenarios, without neglecting personal protection requirements.
