DIRECTIVE 2006/42/EC, ANNEX I (EHSR)


1.2. CONTROL SYSTEMS
1.2.1. Safety and reliability of control systems
Control systems must be designed and constructed in such a way as to prevent hazardous situations from
arising. Above all, they must be designed and constructed in such a way that:
— they can withstand the intended operating stresses and external influences,
— a fault in the hardware or the software of the control system does not lead to hazardous situations,
— errors in the control system logic do not lead to hazardous situations,
— reasonably foreseeable human error during operation does not lead to hazardous situations.

Particular attention must be given to the following points:
— the machinery must not start unexpectedly,
— the parameters of the machinery must not change in an uncontrolled way, where such change may lead
to hazardous situations,
— the machinery must not be prevented from stopping if the stop command has already been given,
— no moving part of the machinery or piece held by the machinery must fall or be ejected,
— automatic or manual stopping of the moving parts, whatever they may be, must be unimpeded,
— the protective devices must remain fully effective or give a stop command,
— the safety-related parts of the control system must apply in a coherent way to the whole of an assembly
of machinery and/or partly completed machinery.
For cable-less control, an automatic stop must be activated when correct control signals are not received,
including loss of communication.

1.2.2. Control devices
Control devices must be:
— clearly visible and identifiable, using pictograms where appropriate,
— positioned in such a way as to be safely operated without hesitation or loss of time and without ambiguity,
— designed in such a way that the movement of the control device is consistent with its effect,
— located outside the danger zones, except where necessary for certain control devices such as an emergency
stop or a teach pendant,
— positioned in such a way that their operation cannot cause additional risk,
— designed or protected in such a way that the desired effect, where a hazard is involved, can only be
achieved by a deliberate action,
— made in such a way as to withstand foreseeable forces; particular attention must be paid to emergency
stop devices liable to be subjected to considerable forces.
Where a control device is designed and constructed to perform several different actions, namely where there
is no one-to-one correspondence, the action to be performed must be clearly displayed and subject to confirmation,
where necessary.
Control devices must be so arranged that their layout, travel and resistance to operation are compatible with
the action to be performed, taking account of ergonomic principles.
Machinery must be fitted with indicators as required for safe operation. The operator must be able to read
them from the control position.
From each control position, the operator must be able to ensure that no-one is in the danger zones, or the
control system must be designed and constructed in such a way that starting is prevented while someone is in
the danger zone.
If neither of these possibilities is applicable, before the machinery starts, an acoustic and/or visual warning
signal must be given. The exposed persons must have time to leave the danger zone or prevent the machinery
starting up.
If necessary, means must be provided to ensure that the machinery can be controlled only from control positions
located in one or more predetermined zones or locations.
Where there is more than one control position, the control system must be designed in such a way that the
use of one of them precludes the use of the others, except for stop controls and emergency stops.
When machinery has two or more operating positions, each position must be provided with all the required
control devices without the operators hindering or putting each other into a hazardous situation.

1.2.3. Starting
It must be possible to start machinery only by voluntary actuation of a control device provided for the
purpose.
The same requirement applies:
— when restarting the machinery after a stoppage, whatever the cause,
— when effecting a significant change in the operating conditions.
However, the restarting of the machinery or a change in operating conditions may be effected by voluntary
actuation of a device other than the control device provided for the purpose, on condition that this does not
lead to a hazardous situation.
For machinery functioning in automatic mode, the starting of the machinery, restarting after a stoppage, or a
change in operating conditions may be possible without intervention, provided this does not lead to a hazardous
situation.
Where machinery has several starting control devices and the operators can therefore put each other in
danger, additional devices must be fitted to rule out such risks. If safety requires that starting and/or stopping
must be performed in a specific sequence, there must be devices which ensure that these operations are
performed in the correct order.

1.2.4. Stopping
1.2.4.1. Normal stop
Machinery must be fitted with a control device whereby the machinery can be brought safely to a complete
stop.
Each workstation must be fitted with a control device to stop some or all of the functions of the machinery,
depending on the existing hazards, so that the machinery is rendered safe.
The machinery's stop control must have priority over the start controls.
Once the machinery or its hazardous functions have stopped, the energy supply to the actuators concerned
must be cut off.
1.2.4.2. Operational stop
Where, for operational reasons, a stop control that does not cut off the energy supply to the actuators is
required, the stop condition must be monitored and maintained.
1.2.4.3. Emergency stop
Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to
be averted.
The following exceptions apply:
— machinery in which an emergency stop device would not lessen the risk, either because it would not
reduce the stopping time or because it would not enable the special measures required to deal with the
risk to be taken,
— portable hand-held and/or hand-guided machinery.
The device must:
— have clearly identifiable, clearly visible and quickly accessible control devices,
— stop the hazardous process as quickly as possible, without creating additional risks,
— where necessary, trigger or permit the triggering of certain safeguard movements.

Once active operation of the emergency stop device has ceased following a stop command, that command
must be sustained by engagement of the emergency stop device until that engagement is specifically overridden;
it must not be possible to engage the device without triggering a stop command; it must be possible
to disengage the device only by an appropriate operation, and disengaging the device must not restart the
machinery but only permit restarting.
The emergency stop function must be available and operational at all times, regardless of the operating mode.
Emergency stop devices must be a back-up to other safeguarding measures and not a substitute for them.
1.2.4.4. Assembly of machinery
In the case of machinery or parts of machinery designed to work together, the machinery must be designed
and constructed in such a way that the stop controls, including the emergency stop devices, can stop not
only the machinery itself but also all related equipment, if its continued operation may be dangerous.

1.2.5. Selection of control or operating modes
The control or operating mode selected must override all other control or operating modes, with the exception
of the emergency stop.
If machinery has been designed and constructed to allow its use in several control or operating modes
requiring different protective measures and/or work procedures, it must be fitted with a mode selector which
can be locked in each position. Each position of the selector must be clearly identifiable and must correspond
to a single operating or control mode.
The selector may be replaced by another selection method which restricts the use of certain functions of the
machinery to certain categories of operator.
If, for certain operations, the machinery must be able to operate with a guard displaced or removed and/or a
protective device disabled, the control or operating mode selector must simultaneously:
— disable all other control or operating modes,
— permit operation of hazardous functions only by control devices requiring sustained action,
— permit the operation of hazardous functions only in reduced risk conditions while preventing hazards
from linked sequences,
— prevent any operation of hazardous functions by voluntary or involuntary action on the machine's
sensors.
If these four conditions cannot be fulfilled simultaneously, the control or operating mode selector must activate
other protective measures designed and constructed to ensure a safe intervention zone.
In addition, the operator must be able to control operation of the parts he is working on from the adjustment
point.

1.2.6. Failure of the power supply
The interruption, the re-establishment after an interruption or the fluctuation in whatever manner of the
power supply to the machinery must not lead to dangerous situations.
Particular attention must be given to the following points:
— the machinery must not start unexpectedly,
— the parameters of the machinery must not change in an uncontrolled way when such change can lead to
hazardous situations,
— the machinery must not be prevented from stopping if the command has already been given,
— no moving part of the machinery or piece held by the machinery must fall or be ejected,
— automatic or manual stopping of the moving parts, whatever they may be, must be unimpeded,
— the protective devices must remain fully effective or give a stop command.