Part III: Safety Functions
1. Risk and Safety Category Assessments
(1) Ensure Safety
The responsible machine or process designer no longer considers the
production requirements and adds safety systems later, but addresses the
two issues as a whole. Legislation demands that the machine or process
design meets the necessary safety standards and regulations - it is a
legal requirement.
Different types of machines will have different levels of associated risk.
These risk levels need to be addressed for the whole machine life span. In
particular the requirements at commissioning, application/usage and
decommissioning of the machine must be considered.
Risk assessment according to ISO14121 is a series of logical steps that
enables designers and safety engineers to examine in a systematic way the
hazards arising from the use of machinery so that appropriate safety
measures can be selected.
(2) Risk Assessment
ISO14121 - Safety of Machinery - Principles for Risk Assessment
The main objective is to describe a systematic procedure for risk
assessment so that adequate and constant safety measures can be adopted.
These are appropriate during the design, construction, modification, use
and decommissioning of the machine. The safety of machines can be
determined in 5 steps. Documentation of the risk assessment process must
be kept.

● Step 1 Determination of the limits of machinery
Defining machine limits requires the following points to be considered
when assessing risk.
- Determining requirements for all phases of the machine's life
- Defining the intended use and operation and the foreseeable misuse and
malfunction
- Defining the machine's range of use as limited by factors such as the
operator's gender, age, dominant hand, and physical abilities (e.g.,
impaired eyesight or hearing, size, and strength)
- Expected user training, experience, and competence
- Possibility that people may be exposed to machine hazards
- Possibility that people may be exposed to machine hazards if a
foreseeable machine hazard occurs
● Step 2 Hazard Identification
Hazard identification means checking for all the hazardous conditions and
hazardous events associated with the machine. This involves predicting
hazards that may be caused by the machine, such as the following:
Mechanical hazards: Severing, entanglement, crushing, etc.
Electrical hazards: Contact with live parts, static electricity, etc.
Thermal hazards: Health disorders due to contact with high-temperature
parts or working in a high-temperature or low-temperature environment
Methods for identifying hazards include the following:
- Check lists
- Hazard and Operability Study (HAZOP)
- Failure Mode and Effect Analysis (FMEA)
- Fault Tree Analysis (FTA)
- "What-if" method
● Step 3 Risk Estimation
After checking for hazardous conditions and hazardous events, the risk
factors are determined and the risks are estimated from the degree of
possible harm and the probability of the hazard occurring.
● Step 4 Risk Evaluation
After estimating the risk, the risks are evaluated to determine whether
the level of risk must be reduced.
If the level of risk must be reduced, safety measures, such as changing
the design or providing safeguards, are taken.
● Step 5 Risk Reduction
The following actions are taken.
- Eliminate or reduce exposure to hazard as far as practical.
- Reduce the probability and severity.
- Use safeguards and safety devices.
- Determine that the performance and functional characteristics of the
safety measures are suitable for the machine and its use.
● Risk Reduction under ISO12100
ISO 12100 (-1/-2) has been formed into JIS standard JISB9700 (-1/-2). The
main purpose of this standard is to set out a framework and directions for
general machine safety, so that designers can design safe machines.
The introduction of ISO12100-1:2003 states that “The concept of safety of
machinery considers the ability of a machine to perform its intended
function(s) during its lifecycle where risk has been adequately reduced”.
The 3-step method, which is an expression of this risk reduction
methodology, has been further implemented into the “Risk Reduction
Process” illustrated on the following page, but it does not yet seem to
have been fully recognized in actual applications.
ISO12100-2 sets out examples of various measures, a sample of which are
shown below.
What is Inherently Safe Design? (ISO12100-1: 2003, para. 4)
- Remove dangers and reduce exposure frequency (4.1 General)
- Maintain visibility, and avoid dangerous projections and parts (4.2.1
Geometric Elements)
- Employ alternative materials with few dangers that reduce noise and
radiation levels (4.2.2 Physical Elements)
- Select appropriate materials (Material quality, stresses, corrosiveness
etc.) (4.3 General Technical Information on Machine Design)
- Employ inherently safe design measures in the control system (4.11)
- Perform automatic surveillance of safety functions implemented under
safeguarding measures (4.11.6)
- Employ diagnostic system to support fault detection (4.11.12)
- Employ redundant systems for components and sub systems (4.12.3)
- Automatically limit exposure to sources of danger (4.14)
What is Safeguarding? (ISO12100-2: 2003 para. 5)
- Employ Sensitive Protective Equipment (Light Curtain, Scanner etc.)
(5.2.5)
- Employ fixed guards (5.3.2.2)
- Employ movable guards (guards with interlocks) (5.3.2.3)
What are Complementary Protective Measures? (ISO12100-2: 2003 para. 5)
What is Information for use? (ISO12100-2: 2003 para. 6)
- Supplementary documentation or labels should notify of remaining risks,
and necessary training, protective equipment, and additional protective
devices (6.1.1)
- Emit an audiovisual warning (6.3)
- Display manufacturer, model, and specifications of the machine (6.4)
- Supplementary documentation to include storage conditions, mass,
dimensions, and installation and disposal methods (6.5.1)
Risk Reduction Processes from the Designer’s Perspective (figure)

(3) Safety Category Assessment
● Safety Categories Based on ISO 13849-1
The size of the machine risk is evaluated according to ISO 14121 and
measures are taken to reduce the risk. Measures to reduce risk, however,
include design measures and mounting safety devices. First, the measures
are taken in the design, and the category that should be selected is
determined by considering two factors: the degree of potential injury
(from slight to serious) according to the Category Assessment Table at the
right, and the probability of that injury occurring (from almost never to
always).
The safety category for safety-related parts of control systems is
sometimes assessed by assigning one category to the entire control
circuit of one machine, and in other cases the category is assessed for
each part.

ISO13849-1 : 1999 (EN954-1)
Note: EN954-1 in the table above is the old
version. This old version is expected to be valid until December 2009.
Selecting Parameter S: Severity of Injury
S1: Slight injury (e.g., bruising)
S2: Serious injury (e.g., limb amputation or death)
The risk caused by failures in safety-related parts of the control system
is assessed taking into account the worst degree of injury. S1 is selected
if the injury is slight and S2 is selected if it is serious.
Selecting Parameter F: Frequency and/or Exposure Time to the Hazard
F1: Occurs rarely or for a short time.
F2: Occurs frequently or for a long time.
For example, if a worker must periodically insert his hands between parts
of a machine while it is operating to mount and remove machine tool parts,
F2 is selected. If the machine is rarely approached, F1 is selected.
Selecting Parameter P: Possibility of Avoiding the Hazard
P1: Avoidable
P2: Unavoidable
Aspects that influence the selection of parameter P include the following:
- operation with or without supervision;
- operation by experts or non-professionals;
- speed with which the hazard arises, e.g., quickly or slowly;
- possibilities for hazard avoidance;
- practical safety experiences relating to the process.
When a hazardous situation occurs, P1 should only be selected if there is
a realistic chance of avoiding an accident or of significantly reducing
its effect. P2 should be selected if there is almost no chance of avoiding
the hazard.
(4) Categories
ISO 13849-1 Safety of Machinery — Safety-related Parts of Control Systems
Describes risk reduction, which is necessary when designing and
constructing safety-related parts of control systems and devices. The
categories represent a classification of the control system with respect
to their ability to withstand faults and their behavior in the event of a
fault.
Category B
Overview of requirements: The safety-related parts of control systems
shall, as a minimum, be designed, constructed, selected, assembled, and
combined, in accordance with the relevant standards, using basic safety
principles for the specific application so that they can withstand:
☆ The following are examples of resisting operating environment stress.
- Expected operation stress, such as the reliability of the breaking
capacity and the frequency of breaking
- Selecting materials that are resistant to the operating environment
- External factors, such as mechanical vibration, external magnetic
fields, power interruptions, and disturbances
- Compliance of components with relevant standards
Therefore, special safety standards do not apply to category B parts, and
safety functions may decrease when a failure occurs.
Basis for assuring safety: Depends mainly on the selection of components.

Category 1
Overview of requirements: The requirements of category B and of this
subclause shall apply. Safety-related parts of control systems to
category 1 shall be designed and constructed using well-tried components
and well-tried safety principles.
☆ The following are examples of well-tried parts.
☆ The following are examples of well-tried safety principles.
- Protection using fuses when a short circuit occurs
- Decreasing the probability of failure occurrence by providing a margin
in part dimensions and by lowering the ratings
- Defining the failure mode, such as by opening the circuit and turning
OFF the power supply when a failure occurs
- Early detection of failures
- Post-failure measures, such as grounding the device
Therefore, the probability of failure occurrence for category 1 is lower
than that for category B. Safety functionality may decrease, however, when
a failure occurs.

Category 2
Overview of requirements: The requirements of category B, the use of
well-tried safety principles and the requirements in this subclause shall
apply. Safety-related parts of control systems to category 2 shall be
designed so that their function(s) are checked at suitable intervals by
the machine control system. The check of the safety function(s) shall be
performed.
☆ The following are examples of designing for inspection at intervals
appropriate for the machine control system. Safety functions are
inspected as follows:
Inspection may be started automatically or manually, but inspection of
safety functions is one of the following.
- If no failure is detected, operation is possible.
- If a failure is detected, the output to start the appropriate control
operation is output, and the output produces a safe condition. If a safe
condition is not produced (e.g., contact fusing in the final switching
device), a hazard alarm is output. After a failure is detected, the
safety condition is maintained until there is no longer a failure.
Therefore, in category 2, safety functions may be lost between
inspections if a failure occurs.
Basis for assuring safety: Mainly depends on configuration.

Category 3
Overview of requirements: The requirements of category B, the use of
well-tried safety principles and the requirements in this subclause shall
apply.
Safety-related parts of control systems to category 3 shall be designed
so that a single fault in any of these parts does not lead to the loss of
the safety function. Common mode faults shall be taken into account when
the probability of such a fault occurring is significant. Whenever
reasonably practicable the single fault shall be detected at or before
the next demand upon the safety function.
☆ Designing to prevent single faults from lowering safety functions
means, for example, the following:
Therefore, safety functions may not operate if multiple failures overlap.

Category 4
Overview of requirements: The requirements of category B, the use of
well-tried safety principles and the requirements in this subclause shall
apply. Safety-related parts of control systems to category 4 shall be
designed so that:
- A single fault in any of these safety-related parts does not lead to a
loss of the safety function.
- The single fault is detected at or before the next demand upon the
safety functions, e.g. immediately, at switch on, at end of a machine
operating cycle.
- If this detection is not possible, then an accumulation of faults shall
not lead to a loss of the safety function.
Note: ISO13849-1:2006 follows the above
categories.
(5) Validation
The safety category of safety-related parts is selected based on ISO
13849-1 to attempt to check and reduce the occurrence of hazards
associated with the entire machine based on ISO 14121.
Next, analysis and testing are performed to confirm that the safety-related
parts conform to the requirements for the safety of the entire machine.
The analysis is performed using a list of foreseeable faults based on ISO
13849-2 and design criteria based on ISO 13849-1. The following faults,
for example, are excluded as ‘fault exception items’.
- The NC contact of a safety switch with a direct circuit-opening
mechanism does not open.
- The NC and NO contacts of a safety switch with forcibly guided contacts
are closed at the same time.
- A secured cable reliably protected with a cable duct or other means
causes a short circuit between wiring due to an external shock.
- A short circuit occurs in adjacent terminals whose connections are
reliably covered with an insulating tube or other means.

(6) Documentation
A technical file containing the following information should be recorded:
- Drawings, control circuit drawings, calculations, test results
- List of necessary safety requirements for ISO 12100, plus other relevant
standards and technical specifications used
- Details of the methods used to eliminate hazards, risk assessment data
- A test report/certificate from a competent body if required
- A copy of the instructions
- Series manufacture details of internal measures and QA systems
Items that are required to be documented are shown below, by category
(extracted from ISO 13849-2 Table 2)
Items Requiring Documentation                                          | B   | 1   | 2   | 3   | 4
-----------------------------------------------------------------------|-----|-----|-----|-----|-----
Basic safety principles                                                | ❍   | ❍   | ❍   | ❍   | ❍
Expected operating stresses                                            | ❍   | ❍   | ❍   | ❍   | ❍
Influences of processed material                                       | ❍   | ❍   | ❍   | ❍   | ❍
Performance during other relevant external influences                  | ❍   | ❍   | ❍   | ❍   | ❍
Well-tried components                                                  | --- | ❍   | --- | --- | ---
Well-tried safety principles                                           | --- | ❍   | ❍   | ❍   | ❍
The check procedure of the safety function(s)                          | --- | --- | ❍   | --- | ---
Checking intervals, when specified                                     | --- | --- | ❍   | --- | ---
Foreseeable single faults considered in the design and the detection
method used                                                            | --- | --- | ❍   | ❍   | ❍
The common mode failures identified and how prevented                  | --- | --- | --- | ❍   | ❍
The foreseeable single faults excluded                                 | --- | --- | --- | ❍   | ❍
The faults to be detected                                              | --- | --- | ❍   | ❍   | ❍
The variety of accumulations of faults considered in the design        | --- | --- | --- | --- | ❍
How the safety function is maintained in the case of each of the
fault(s)                                                               | --- | --- | --- | ❍   | ❍
How the safety function is maintained for each of the combination(s)
of faults                                                              | --- | --- | --- | --- | ❍
(7) What is ISO13849-1: 2006 (PL)
● Background of ISO 13849-1 Revision
Until now, the ‘category’, i.e. the classification of the architecture
(structure) of a safety control system, has been a deterministic theory
focused on the composition of hardware.
But as technology advances, electronic components such as transistors and
integrated circuits, and software-based components such as
microprocessors, were adopted as core elements of safety-related control
systems.
Since 2000, work has been underway to define the performance of machine
safety control systems in terms of function and reliability rather than
component failure modes. This is the concept of “functional safety.”
IEC61508, the international standard for safety-related electrical and
electronic control systems, provides definitions of safety for complicated
controls, down to the constituent component level, such as designing
reliability including life (until a loss of safety function) and programs
based upon probability theory.
IEC61508 has a very wide scope of application, so a new standard
specifically designed for machine control systems, IEC62061, was developed
to provide for mechanical safety. However, because this standard basically
assumes complicated controls, it assumes many safety control system
architectures, and each architecture requires complicated calculation of
probability. This is the reason why IEC62061 was not familiar among
machine designers who are accustomed to the relatively easy-to-follow
definitions of “Categories.”
The latest version of ISO13849-1: 2006 combines the straightforward
deterministic features of EN954-1’s Categories with IEC62061’s
probabilistic and systematic design considerations (a reliability model).
In other words, the revised version of ISO13849-1 selects the architecture
models in IEC62061 that match the definitions of the Categories, and
applies those reliability models. This version can be called a functional
safety standard in its simplified version.

● Main Changes
Changes in Risk Estimation Methods
Both methods require estimating the risk of hazards at the risk assessment
stage.
In estimating risks, EN954-1 evaluated and classified the results of its
risk estimations into the risk levels of I to IV.
But the evaluation process did not encompass any notion of the targeted
performance that safety measures to reduce risks should reach. As a
result, the safety control system’s structure (Categories B to 4) is
generally determined directly from the risk graph. When trying to
establish a common parameter between persons who perform risk assessment
(for example, users) and persons who implement risk reduction (for
example, machine designers), the users may not understand the functional
differences of safety control system structures from the designer’s
viewpoint, and the designer in turn finds it difficult to understand user
requirements. Also, the overwhelming majority of risks at actual working
sites are minor damage such as suspension of operation for several days,
while EN954-1’s risk graph gave more weight in risk estimation to serious
damage, and the previous standard did not accurately reflect this aspect.

The latest revision in ISO 13849-1: 2006 allows users to determine risk
estimations homogeneously and uniquely, and makes risk assessment easier
for persons responsible for implementing it.
Change in Definitions of Safety Control System's Performance
How should designers reduce risks?
If designers are required to satisfy Category requirements only, then
once the safety control system structure is determined it will maintain
the same level of safety performance.
The question is whether or not this is a correct concept considering that
every machine can fail at some future time.
The components comprising the safety control system also will deteriorate
and can fail at some future time. It is important to figure out in what
mode the system will encounter a failure at such times. When a machine
experiences a failure that causes the expected safety function to fail
during a period expected by its users, and if the failure is not detected,
it is equal to non-performance of the safety functions. But definitions
based only upon deterministic theory cannot cover such time-related
elements.
To improve this aspect, the latest revision adds to the previous structure
definitions a two-layer structure definition that enables users to
probabilistically evaluate a safety control system’s reliability,
including mean time to dangerous failure at the component level and the
level of detecting dangerous failure. This allows users to make a
quantitative evaluation according to how they actually use the machine.
This is the core component of the 2006 revision.

Common Indicator Criteria
The revised standard establishes indicators of a safety control system
performance level that can be clearly communicated between a person who
implements risk assessment and a person who designs a machine.
These indicators are called Performance Level (hereinafter abbreviated as
“PL”), and are evaluated using five levels from “a” to “e.” Required
performance levels as seen from the standpoint of a person who implements
risk assessment are specifically called PLr.
PL, the achieved performance level of a safety control system after risk
reduction has been implemented, must be equal to or greater than the
required Performance Level (PLr).

● How to Determine Performance Level
Required Performance Level: PLr
As with the risk graph in EN954-1, a required performance level is
evaluated in terms of severity of injury (S), frequency and/or exposure to
hazard (F) and possibility of avoiding hazard or limiting harm (P). As a
result, the required performance level (PLr) ranging from “a” to “e” is
determined depending on the scale of the risk.

<Meaning of Symbols>
S1: slight (normally reversible injury)
S2: serious (normally irreversible injury or death)
F1: seldom-to-less-often and/or exposure time is short
F2: frequent-to-continuous and/or exposure time is long
P1: possible under specific conditions
P2: scarcely possible
Method to Evaluate Performance Level (PL)
Four parameters are used to evaluate a safety related control system’s
performance level (PL).
1. Category
2. MTTFd (Mean Time To Dangerous Failure)
3. DCavg (Average Diagnostic Coverage)
4. CCF (Common Cause Failure)
The Categories refer to the architecture of a safety related control
system, and are classified into five categories as defined in the previous
version of EN954-1.
MTTFd refers to an average life before the dangerous failure of a
component. DC refers to the certainty of detecting failures in the entire
system including software. CCF refers to the protection of the entire
system from failing due to a common cause. As parameters for reliability,
MTTFd and DCavg are determined by formulas, and CCF is determined with a
checklist method.
Each of the parameters is classified into levels using standard values:
three levels for MTTFd, three levels for DC and two levels for CCF.
Performance Levels are evaluated comprehensively in terms of these four
parameters.
The following sections show how each of the parameters is calculated.
● How to Evaluate Performance Level
As described above, when the four parameters are calculated, the PL can be
determined from the following graph:
• Category (the five categories of B, 1, 2, 3, and 4)
• MTTFd (the three levels of High, Medium, and Low)
• DCavg (the four levels of High, Medium, Low, and None)
• CCF (the two levels of 65 or more points and less than 65 points)

For example, with “Category 4, MTTFd=High, DCavg=High, CCF of 65 points or
higher,” the PL is evaluated as “e”. However, the thresholds in the above
graph for MTTFd determination are not easy to locate, therefore the table
below is provided to give a more simplified view. Either the graph or the
table may be used.
Category              | B    | 1    | 2    | 2      | 3    | 3      | 4
DCavg                 | None | None | Low  | Medium | Low  | Medium | High
MTTFd on each channel |      |      |      |        |      |        |
  Low                 | a    | ---  | a    | b      | b    | c      | ---
  Medium              | b    | ---  | b    | c      | c    | d      | ---
  High                | ---  | c    | c    | d      | d    | d      | e
* Notice that in both the graph and the table methods some combinations of
parameters are not allowed. For example, combining Category 4 with medium
reliability and low diagnostic coverage is not considered.
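The following is an added worked example, not code from the original page or from OMRON: it encodes the simplified PL table above, rejects the combinations the note says are not allowed, and compares the achieved PL with the PLr from the S/F/P risk graph. The MTTFd and DCavg level thresholds and the risk-graph mapping are taken from ISO 13849-1:2006 itself (the page names the levels but does not reproduce the thresholds), and the CCF rule applied only to categories 2 to 4 is likewise from the standard.

```python
"""Added example (not from the original page): ISO 13849-1:2006 PL lookup and
PLr comparison.  Thresholds and the risk graph come from the standard, not
from the page, which only names the levels."""
from typing import Optional

PL_ORDER = "abcde"  # "a" is the lowest performance level, "e" the highest

# The simplified table printed above: (Category, DCavg) -> MTTFd level -> PL.
# None marks a combination the standard does not consider.
PL_TABLE = {
    ("B", "None"):   {"Low": "a",  "Medium": "b",  "High": None},
    ("1", "None"):   {"Low": None, "Medium": None, "High": "c"},
    ("2", "Low"):    {"Low": "a",  "Medium": "b",  "High": "c"},
    ("2", "Medium"): {"Low": "b",  "Medium": "c",  "High": "d"},
    ("3", "Low"):    {"Low": "b",  "Medium": "c",  "High": "d"},
    ("3", "Medium"): {"Low": "c",  "Medium": "d",  "High": "d"},
    ("4", "High"):   {"Low": None, "Medium": None, "High": "e"},
}


def mttfd_level(years: float) -> Optional[str]:
    """Classify MTTFd per channel (ISO 13849-1:2006: 3 to 100 years accepted)."""
    if years < 3 or years > 100:
        return None  # outside the range the 2006 edition accepts for a channel
    if years < 10:
        return "Low"
    if years < 30:
        return "Medium"
    return "High"


def dcavg_level(dc_percent: float) -> str:
    """Classify average diagnostic coverage (ISO 13849-1:2006 limits)."""
    if dc_percent < 60:
        return "None"
    if dc_percent < 90:
        return "Low"
    if dc_percent < 99:
        return "Medium"
    return "High"


def achieved_pl(category: str, mttfd_years: float, dc_percent: float,
                ccf_points: int) -> Optional[str]:
    """PL reached by a safety-related part, or None if the combination is not allowed."""
    # The page's table omits CCF.  Assumption taken from the standard: the
    # 65-point CCF score is required only for categories 2, 3 and 4.
    if category in ("2", "3", "4") and ccf_points < 65:
        return None
    mttfd = mttfd_level(mttfd_years)
    if mttfd is None:
        return None
    row = PL_TABLE.get((category, dcavg_level(dc_percent)))
    if row is None:
        return None  # e.g. Category 4 with Medium DCavg, as the note above says
    return row[mttfd]


def required_pl(s: int, f: int, p: int) -> str:
    """PLr from the S/F/P risk graph (ISO 13849-1:2006 Annex A).

    Each step towards S2, F2 or P2 moves one level up the a..e scale, with
    severity counting double: S1F1P1 -> a ... S2F2P2 -> e."""
    if not all(v in (1, 2) for v in (s, f, p)):
        raise ValueError("S, F and P must each be 1 or 2")
    return PL_ORDER[(s - 1) * 2 + (f - 1) + (p - 1)]


def meets_plr(pl: Optional[str], plr: str) -> bool:
    """The design is acceptable when the achieved PL is at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


if __name__ == "__main__":
    # Constructed sample: the worker from the F parameter example above reaches
    # between moving parts frequently (F2), serious injury is possible (S2) and
    # the hazard arises quickly (P2), so PLr is "e".
    plr = required_pl(s=2, f=2, p=2)
    pl = achieved_pl("4", mttfd_years=50, dc_percent=99, ccf_points=70)
    print(f"PLr={plr} PL={pl} acceptable={meets_plr(pl, plr)}")
```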
2. Interlocking Devices
An interlocking device is a mechanical or electrical device that can
prevent the machine from operating unless certain conditions are met, such
as closing a guard.
Provisions for interlocking are stipulated in ISO14120 for guards,
ISO14119 for interlocking devices associated with guards, and ISO13849-1
for the method that is used to process the signal from an interlocking
device and to stop machinery. This section describes interlocking parts
linked to guards like safety limit switches and safety door switches in
accordance with ISO14119 along with a description of each.
(1) The role of Interlocking Devices
Safety machinery and equipment consist of a control system and an
operative system as shown in Fig. 1 Interlocking device. The power control
element combines the roles of the control and operative systems, and
machine actuators are equipped with safeguards and interlocking devices.
Electricity is supplied to the power control elements only if a safety
check signal is sent from the interlock device and an operate command is
sent from the control system.
The interlock device is used to send safety check results to the power
control elements as shown in the figure below. A safety signal can be sent
from a PLC in some cases as long as the PLC does not have a negative
impact on the interlock device.
In other words, the interlock device (safety-related part) and the PLC
(non safety-related part) are completely independent of each other.
Control systems are divided into safety-related and non-safety-related
parts in international safety standards, and they must be constructed so
that non-safety-related parts do not have a negative impact on
safety-related parts during normal operation or when a malfunction occurs.

(2) Types of Interlocking Devices
Interlocking devices are classified by type.
● Interlocking Types
Control Interlock
This type of interlocking device inputs a stop command to a control
system, like an electromagnetic relay that interrupts or removes the
energy supplied to machine actuators.
Power Interlock
This type of interlocking device sends a
stop command that directly interrupts or removes the energy supplied to
machine actuators. Under the power interlock system, the control system
does not intervene between the interlock device and the power supply, but
instead the interlock device itself uses a safety switch or some similar
measure to control interlocking.
● Guard Locking Types
Non-locking Type
The guard can be opened or closed at any time and the interlocking device
sends a stop command only if the guard is open.
Locking Type
(1) Unconditional Unlocking:
An operator can unlock the guard at any time with this type of unlocking,
but it does have a precondition in that it must take longer to unlock the
guard than it does to clear the hazard.
(2) Conditional Unlocking:
The guard can be unlocked under certain conditions, such as when
confirming that the hazardous condition has been cleared (e.g. confirming
that rotation has stopped).
Example of non-locking type (figure)
Example of locking type (figure)
● Locking and Unlocking Types
Locking and unlocking types can be classified by the actuating mechanism
that is used to apply and release the lock.
Spring Applied, Power Released Type
OMRON uses a mechanical lock/solenoid release method.
Power Applied, Spring Released Type
OMRON uses a solenoid lock/mechanical release method.
Power Applied, Power Released Type
              | Mechanical lock and solenoid release | Solenoid lock and mechanical release
Guard (close) | Mechanical (Spring) Lock             | Solenoid (Power) Lock
Guard (open)  | Solenoid (Power) Lock Release        | Mechanical (Spring) Lock Release
Note: In a specific application, either a “power applied, spring released
type” or “power applied, power released type” may be used if they provide
an equivalent level of safety. In principle, however, the part (bolt)
intended to lock the guard must be the “spring applied, power released
type.”
(3) Designing Interlocking Devices
The following items must be considered in the design of interlocking
devices that use a safety limit switch or safety door switch.
● Using a Mechanically Actuated Position Detector Switch
(1) When designing an interlocking device that uses a single mechanically
actuated position detector switch, the switch must be actuated in positive
operation (positive opening mechanism).
(2) When designing an interlocking device that uses two mechanically
actuated position detector switches, one switch must be actuated in
positive operation (positive opening mechanism) and the other must be
activated in negative operation (negative opening mechanism) notably to
avoid common cause failures.
Note: See the section on Negative Operation and Positive Operation of
Safety Components for details on positive and negative actuation.
● Fixing Position Detector Switches
(1) Position detector switches must be tightened and loosened with a tool.
(2) The use of slots for mounting must be limited to initial adjustment and
provisions must be made so adjustment will not be needed after the switch
is replaced.
(3) Guard movement produced by switch activation must be within a range
that will not defeat the safeguard effectiveness.
(4) The mechanical operating range must remain within the specified
operating range of the switch.
(5) Switches must not be used as mechanical stops.
(6) Switches must be located, and if necessary protected, to avoid damage
from external causes.
(7) Easy access for switch maintenance and inspection must be afforded.
● Reducing Faults Due to Common Causes
Faults due to common causes must be avoided with redundant designs using
one positive-actuated and one negative-actuated switch.
(4) Selecting Interlocking Devices
When selecting an interlocking device it is necessary to consider all
phases of the interlocking device, including the conditions of use and
intended use of the machine, hazards present at the machine and their
evaluation, stopping time and access time to the machine, and frequency of
access.
● Stopping Time and Access Time
An interlocking device with a guard locking must be used when the stopping
time is greater than the time it takes a person to reach the danger zone
(access time).
● Frequency of Access (Frequency of Opening the Guard)
(1) For applications requiring frequent access, conduct a risk evaluation
and then select an interlocking device that provides the least possible
hindrance to the operation of the guard.
(2) For applications using interlocking devices with automatic monitoring,
the interlocking device should be used with additional measures, such as
conditional guard unlocking, because the frequency of function checks
decreases and the probability of an undetected fault occurring increases
as the opening frequency decreases.
(5) Control Requirements for Interlock Devices
The following control requirements must be satisfied for interlocking
devices for movable guards (ISO 12100-1).
(1) Closing the movable guard enables operation of the machine that was
covered by the guard. Closing the movable guard causes the operation to
start automatically. At actual startup, restarting can be performed by
pressing the start button after all other start conditions are met.
(2) The stop signal for the machine will be output if the guard is opened
during operation of a machine that is covered by a guard. In other words,
the machine will not be permitted to operate as long as it has not been
detected that the guard is closed.

3. Basic Safety Functions in the Event of a Fault
When a fault or disturbance in the electrical equipment can lead to a
hazardous condition, and possibly to damage to the machine or to the item
being processed, appropriate measures must be taken to minimize the
probability of the hazard. This section uses the measures listed in
EN 60204-1 (control functions in the event of failure) to describe and
illustrate the main procedures for minimizing risk in the event of a fault.
● Application of the Requirements of ISO13849-1 and IEC62061
The control circuit must achieve the performance level (PL, ISO13849-1) or
safety integrity level (SIL, IEC62061) determined in the risk assessment.
(1) Use of Proven Circuit Techniques and Components
(2) Functional Tests
(3) Provisions of Redundancy
(4) Use of Diversity
(5) Self-monitoring by Safety Relays in Application Circuits
(6) Single-fault Detection
(7) Short-circuit Detection
(8) Emergency Stop
(1) Use of Proven Circuit Techniques and Components
1. Basic Circuit Configuration for Ground Faults
The following examples are typical.
● Basic Circuit Configuration
The following must be taken into consideration when designing safety
circuits for a control system.
(1) The relay contacts must open when the coil is not energized
(de-energize-to-stop).
(2) One line on the secondary side of the isolating transformer must be
grounded.
(3) All coils in the safety circuit must be connected directly, and as
close as possible, to the grounded line, so that no contact lies between
a coil and ground.
(4) The safety circuit must be protected by a fuse.
The figure below shows the basic configuration of a safety circuit
containing all the preceding items.

If a ground fault occurs on line A (the ungrounded line), the fuse blows
and power to the circuit is cut off, so the fault leads to a stop rather
than to a bypassed contact.
A ground fault on line B has no effect because line B is already at
ground potential.
● Examples of Ground Faults
A: Safety Circuit Not Grounded

Two ground faults act as a bypass. As a result, the machine may start
abruptly or its operation may not be interrupted.
B: Safety Circuit Transformer Grounded from the Midpoint on the Secondary
Side

A single ground fault applies half the supply voltage to the relay coil,
which may be enough to hold the relay in. As a result, the machine in
operation may not be interrupted.
2. A means must be provided to cut off power instantly so that the control
and power circuits stop.
See (8) Emergency Stop for details.
3. Parts with safety standards approvals must be used.
Safety standards approval means approval by an independent body such as
TÜV. Approved parts display the approval mark of the certifying body.
4. Safety switches that operate reliably must be used.
5. Safety designs that include fail-safe or foolproof functions must be
used.
A fail-safe function ensures safety in the event of a fault, breakdown, or
incorrect operation. A foolproof function ensures safety despite human
error, fault, or incorrect operation.
(2) Functional Tests
Functional tests that confirm the safety function must be conducted at
regular intervals and whenever the electrical equipment is started. They
may be performed automatically by the control system of the equipment or
manually through inspection and testing. If faulty operation is found,
operation of the equipment must be suspended until troubleshooting has
been completed.
(3) Provision of Redundancy
All or part of the electrical circuit must be made redundant (duplicated)
to minimize the probability that a single malfunction in the circuit
results in a hazard.
The following are examples of redundant circuits that use two relays or
two switches in combination, so that the circuit still performs its
function if one of the relays or switches fails to operate.
● Circuit with Two Relays

● Circuit with Two Switches

(4) Use of Diversity
Common-cause failures, and the overall probability of failure, can be
reduced by using different control circuits and different types of
devices and components for the redundant channels, so that a single cause
is unlikely to disable both. The following are examples of diversity.
1. Safety door switches using a combination of NC and NO contacts.
2. Circuits using control components of different types.
3. Redundant combinations of electromechanical and electronic circuits.
● Examples of Safety Doors with Switches in Negative and Positive Operation

(5) Self-monitoring by Safety Relays in Application Circuits
When the reset switch is operated, the interface circuit containing the
safety relays automatically checks itself for faults. If a fault is found
in any circuit, the safety control circuit turns OFF power and stops
operation.
● Examples of Self-monitoring by Relay Units
G9S-301 (24 VDC) - Two Limit Switch Input Channels

Fault detection 1: Detects the state of the door switch channels (K1, K2)
Fault detection 2: Detects welded contacts in the interface relay and
contactor (K3)
● Normal Operation

● Failure

If the normally open contact (8) of the contactor is welded closed, the
normally closed contact (7) remains open (not conducting), so no voltage is
applied to the coil of safety relay K3. K3 does not operate, and the relay
sequence cannot be enabled even if the reset switch (2) is turned ON, so
power is not supplied to the load. For this check to work, the auxiliary
contacts of the contactor must be mirror contacts, i.e., mechanically
linked so that the NC contact cannot close while the NO contact is welded.
(6) Single-fault Detection
Programmable controllers are normally used only to monitor safety-related
functions, to test functions periodically, or to serve as a backup; the
protective function itself is provided by hardwired components. Any
programmable controller used must conform to IEC61131.
The following example shows a basic circuit with a programmable controller
for single-fault detection.
-
Switch S1 turns OFF the input signal to the programmable controller, which
shuts down the power supply when the door is open.
-
Switch S2 provides the safety protection function that prevents a hazard
from developing if a fault occurs (for example, if S1 or the programmable
controller fails). Switch S2 must therefore be a safety switch with a
positive opening mechanism.
-
Switching the power load requires a power contactor.
● Basic Circuit with a Programmable Controller for Single-fault Detection

(7) Short-circuit Detection
The lead wires of a safety control circuit may be bypassed or
short-circuited by damage from mechanical force, heat, shock, or acid.
Such damage can be detected if the safety control circuit incorporates a
short-circuit detecting function that satisfies the following criteria.
(1) The safety circuit must have two input channels, each using an NC
contact.
(2) The two channels must be at different potentials, so that a short
circuit between them produces a signal combination that the circuit can
recognize as a fault rather than as a valid input.
The following example shows a circuit with short-circuit detection.
● Safety Control Circuit with Two Input Channels and a Short-circuit
Detecting Function

(8) Emergency Stop
The following items are required for emergency stopping.
● Emergency Stop Equipment
(1) Emergency stop equipment must be located at each operator control
station and at any other location where initiating an emergency stop may
be required.
(2) When machinery is divided into several emergency stop zones, the
emergency stop equipment must be placed where operators can see and reach
it easily and operate it without being exposed to hazards.
(3) The emergency stop function must have priority over all other
functions and operations in every mode.
(4) The emergency stop function must operate as a stop category 0 or a
stop category 1 stop. The choice between category 0 and category 1 must
be based on the risk assessment.
Types of Stop Function
Stop Category 0: An uncontrolled stop, achieved by immediately removing
power from the machine actuators (e.g., directly cutting off the power
supply).
Stop Category 1: A controlled stop, achieved by sending a stop command
from the control circuit to stop (e.g., brake) the machine actuators and
then removing power from the actuators (e.g., cutting off control circuit
power) once the stop has been achieved.
Stop Category 2: A controlled stop in which power to the machine actuators
is left available after the stop.
(5) Where several emergency stop devices are provided in a circuit, it must
not be possible to restore that circuit until every emergency stop device
that has been triggered has been reset.
(6) Emergency stop equipment must not be used as an alternative to proper
safeguarding measures or to automatic safety devices; it may, however, be
used as a back-up measure.

● Emergency Stop Requirements
The functional and design principles of emergency stop buttons, pull-cord
switches, foot pedals, and other emergency stop devices are defined in
ISO 13850. Devices built in accordance with ISO 13850 are suitable for
emergency stop applications. Their general design is shown below.

The requirements for the emergency stop function as stipulated in IEC
60204-1 are as follows:
-
The emergency stop function must override all other functions and
operations in every mode.
-
Power to all machine actuators that can cause a hazardous condition must
be removed as quickly as possible without creating other hazards.
-
Resetting the emergency stop device must not restart the stopped machine;
it only permits a restart by a separate start action.
The relevant standards define the stop categories described above. The
appropriate category must be selected on the basis of the risk assessment
of the machine involved.
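The self-monitoring, single-fault detection and short-circuit detection measures in (5) to (7), together with the monitored-reset and no-restart rules for emergency stop in (8), can be written as one evaluation routine. The following Python model is an added example written for this page; it is not the logic of the G9S-301 or of any other Omron relay unit. The wiring (channel 1 fed from +24 V, channel 2 fed from 0 V on an input with a pull-up), the 500 ms discrepancy tolerance and the sample sequences are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DISCREPANCY_LIMIT_MS = 500   # assumed: both channels must agree within 0.5 s


@dataclass
class DualChannelMonitor:
    """Illustrative model of a two-channel safety relay unit (not real firmware).
    Wiring assumption (ours): channel 1 is an NC guard contact fed from +24 V,
    so a closed guard reads True at input 1; channel 2 is an NC guard contact
    fed from 0 V on a pulled-up input, so a closed guard reads False at input 2.
    The channels sit at different potentials, so a short between their wires
    shows up as an impossible input combination rather than a valid one."""
    output_on: bool = False
    fault: Optional[str] = None
    discrepancy_since: Optional[int] = None
    last_reset: bool = False
    log: List[str] = field(default_factory=list)

    def step(self, in1: bool, in2: bool, edm_closed: bool, reset: bool,
             t_ms: int) -> bool:
        """Evaluate one scan; returns True while the output contactor is enabled."""
        ch1_closed = in1          # +24 V present at input 1  -> guard closed
        ch2_closed = not in2      # input 2 pulled down to 0 V -> guard closed
        safe = ch1_closed and ch2_closed

        # Single-fault and cross-short detection: the channels may disagree only
        # briefly (contact bounce, mechanical offset).  A persistent disagreement
        # means a welded or stuck contact, a wire bypassed to +24 V or 0 V, or a
        # short between the channel wires that forces both to one potential.
        if ch1_closed != ch2_closed:
            if self.discrepancy_since is None:
                self.discrepancy_since = t_ms
            elif (t_ms - self.discrepancy_since > DISCREPANCY_LIMIT_MS
                  and self.fault is None):
                self.fault = "channel discrepancy (stuck contact or cross-short)"
                self.log.append(f"t={t_ms} ms: fault latched: {self.fault}")
        else:
            self.discrepancy_since = None

        # Either channel opening, or a latched fault, drops the output at once.
        # Closing the guard again never restarts the output by itself.
        if not safe or self.fault is not None:
            self.output_on = False

        # Monitored reset: acts on the release edge of the reset button, only
        # when both channels are closed, no fault is latched, and the NC mirror
        # contact of the contactor (EDM feedback) confirms it has dropped out.
        reset_released = self.last_reset and not reset
        self.last_reset = reset
        if reset_released and safe and self.fault is None:
            if edm_closed:
                self.output_on = True
            else:
                self.log.append(f"t={t_ms} ms: reset refused, contactor "
                                "feedback open (welded main contact?)")
        return self.output_on


def run(samples: List[Tuple[int, bool, bool, bool, bool]]):
    """Feed (t_ms, in1, in2, edm_closed, reset) samples; return outputs and model."""
    m = DualChannelMonitor()
    outputs = [m.step(in1, in2, edm, rst, t) for (t, in1, in2, edm, rst) in samples]
    return outputs, m


CLOSED, OPENED = (True, False), (False, True)    # constructed input levels


def scenario_normal():
    """Reset enables the output; opening the guard stops; re-closing does not restart."""
    return run([
        (0,   *CLOSED, True, False),
        (100, *CLOSED, True, True),     # reset pressed
        (200, *CLOSED, True, False),    # reset released -> output enabled
        (300, *OPENED, True, False),    # guard opened -> output off at once
        (400, *CLOSED, True, False),    # guard closed again -> still off
        (500, *CLOSED, True, True),
        (600, *CLOSED, True, False),    # monitored reset -> enabled again
    ])


def scenario_bypassed_channel():
    """Channel 1 wire shorted to +24 V: channel 2 alone still stops the machine,
    and the persistent discrepancy latches a fault that blocks every reset."""
    return run([
        (0,    True, False, True, False),
        (100,  True, False, True, True),
        (200,  True, False, True, False),   # enabled
        (300,  True, True,  True, False),   # guard opened; only channel 2 sees it
        (900,  True, True,  True, False),   # > 500 ms disagreement -> fault latched
        (1000, True, False, True, False),   # guard closed, channels agree again
        (1100, True, False, True, True),
        (1200, True, False, True, False),   # reset refused: fault is latched
    ])


def scenario_welded_contactor():
    """Contactor NO contact welded: its mirror NC contact stays open, so the
    reset is refused and the load is never powered."""
    return run([(0, *CLOSED, False, False), (100, *CLOSED, False, True),
                (200, *CLOSED, False, False)])
```

In the bypassed-channel scenario the hazard is still stopped by the surviving channel (the redundancy of (3)), while the discrepancy timer turns the otherwise silent single fault into a latched fault (the detection of (6) and (7)); a real relay unit would additionally keep that fault until power-cycled or explicitly acknowledged.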
4. Presence Detection
(1) Basic Safety
Basic safety is broadly classified into the following categories.
(1) Machines and equipment will not start until it is safe to do so.
(2) Machinery will be stopped whenever a hazardous condition is detected.
Maintaining a safe environment therefore requires measures at one level
to detect operators entering or present in a hazardous area, and at
another level to eliminate the hazardous condition.
(2) Safety Requirements
The safety requirements for presence detection, such as those shown below,
are defined by the standards and guidelines of each country.
-
Guidelines Related to the Comprehensive Safety Standards for Machinery
(Ministry of Health, Labor and Welfare, Japan), Attached Table 3:
Procedure for Safeguarding Against Mechanical Hazards
A device that will detect operators must be installed in a protected area
if an operator can pass through an opening and enter that protected area
to perform his job.
-
ANSI/RIA R15.06 (US robot safety standard), Article 10.4.7 Starting and
Restarting
When an operator is required to enter a protected area, the operator must
be protected from inadvertent starting or restarting of the robot and/or
robot system. (Part omitted) If the protected area is clearly marked and
the cell cannot start or restart, some means of detecting operators in
hidden areas must be provided. The ideal means would be automatic
detection. (Remainder omitted.)
-
EN201 (European safety standard for injection molding machines), Article
5.3.1
If an operator can fit between the movable guard and the mold, a device
that will detect the presence of the operator must be installed there.
(3) Presence Detection Sensor Functions
The sensor detects the presence of a worker in a hazardous area.
(4) Detection Methods
Presence detection methods are broadly classified into the following
categories.
● Reflective
Features: Relative freedom in defining protected areas.

● Pressure detection
Features: Excellent environmental resistance

(5) Safe Distance
When an operator enters a hazardous area, the machine in that area must
come to a complete stop before the operator can reach the hazardous part
of the machine. The safe distance is the minimum distance, calculated
according to ISO13855 from the approach speed and the total stopping
time, at which the protective device must be installed from the hazardous
part of the machine.
(6) Operating Principles
● Safety Mats (ISO13856-1)
As shown in Fig. 1, two conductive plates inside the Safety Mat make
contact when an operator steps on the Mat. A Controller detects the
contact and generates an output.

● Laser Scanner (IEC61496-3)
As shown in Fig. 2, the laser scanner emits a beam that is reflected by
surrounding objects. It calculates the distance to each object from the
time it takes to receive the reflected light (time of flight).

5. Two-hand Controller
One way to prevent operators from approaching hazardous areas too closely
when conditions are hazardous is to install two-hand controllers at
specified locations.
The guidelines for designing Two-hand Controllers are given in ISO13851.
The major safety requirements for Controller design are listed there under
Functional Aspects and Principles of Design for Two-hand Controllers.
Note: Conduct actual designing in compliance with the detailed
stipulations of ISO13851.
(1) Main Characteristics
The required characteristics are categorized into Type I, Type II, and
Type III. The major characteristics listed here are those of Type III,
which is used where the risk assessment calls for Category 3 or 4.
(1) Both hands must be used together to start the machine.
(2) Two input signals are required to produce an output signal.
(3) The output signal must turn OFF if either or both input signals turn
OFF.
(4) Both input signals must be turned OFF before the output signal can be
produced again.
(5) Both input signals must turn ON within 0.5 s of each other
(synchronous actuation) for the startup output to be produced.
(6) Prevention of inadvertent startup and of defeat: refer to (2) below.
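Requirements (2) to (5) above describe a small state machine: output only while both inputs are ON, loss of output on any release, a full release before the next start, and a 0.5 s synchronization window. The following Python model is an added example written for this page, not code from ISO13851 or from any Omron product; the scan times and input sequences are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYNC_LIMIT_MS = 500   # Type III C: both inputs must turn ON within 0.5 s


@dataclass
class TwoHandControl:
    """Illustrative model of the Type III C two-hand control logic (ours)."""
    output: bool = False
    first_press_at: Optional[int] = None   # scan time at which the first hand arrived
    both_released: bool = True             # both inputs seen OFF since the last cycle

    def step(self, left: bool, right: bool, t_ms: int) -> bool:
        if not left and not right:
            # Both inputs OFF: the only state from which a new start may begin.
            self.output = False
            self.first_press_at = None
            self.both_released = True
            return False
        if not (left and right):
            # One hand only: never an output.  If the machine was running, a
            # hand was released: stop, and insist on a full release before restart.
            if self.output:
                self.output = False
                self.both_released = False
            elif self.first_press_at is None:
                self.first_press_at = t_ms
            return False
        # Both hands pressed.
        if self.output:
            return True
        if self.first_press_at is None:
            self.first_press_at = t_ms        # both arrived in the same scan
        if self.both_released and t_ms - self.first_press_at <= SYNC_LIMIT_MS:
            self.output = True
        else:
            # Second hand too late (e.g. one actuator tied down), or the hands
            # were not both released since the last cycle: stay OFF until release.
            self.both_released = False
        return self.output


def run_two_hand(samples: List[Tuple[int, bool, bool]]) -> List[bool]:
    """Feed (t_ms, left, right) scans and return the output at each scan."""
    thc = TwoHandControl()
    return [thc.step(left, right, t) for (t, left, right) in samples]


def synchronous_press():      # second hand 300 ms after the first -> output
    return run_two_hand([(0, True, False), (300, True, True), (400, True, True)])


def late_second_hand():       # 700 ms late: no output until both released and retried
    return run_two_hand([(0, True, False), (700, True, True),
                         (800, False, False), (900, True, True)])


def release_while_running():  # releasing one hand stops; re-pressing it does not restart
    return run_two_hand([(0, True, True), (100, True, False), (200, True, True),
                         (300, False, False), (400, True, True)])
```

The `late_second_hand` case is the tie-down attack on a two-hand control: one actuator held down permanently turns the device into a one-hand start, and the synchronization window is what defeats it.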
(2) Preventing Inadvertent Startup and Defeat
1. Preventing Defeat with One Hand
The two startup switches must be at least 260 mm apart (inside dimension,
measured laterally).
Note: A shield must also be installed between the two startup switches,
except where defeat is already prevented by other means.
2. Preventing Defeat with the Hand and Elbow of the Same Arm
The two startup switches must be at least 550 mm apart (inside dimension,
measured laterally).
Note: A shield must also be installed between the two startup switches,
except where defeat is already prevented by other means.
3. Preventing Defeat with the Forearm and Elbow
Install a cover or enclosure over the startup switches.
4. Preventing Defeat with One Hand and Another Part of the Body
Install the startup switches at least 1,100 mm above the floor or the
operating level, so that an operator cannot press one switch with a hand
and the other with another part of the body (e.g., a knee or hip).
Note: Safe Distance
The safe distance from the startup switches to the hazardous area must be
calculated according to ISO13855 from factors such as hand and arm speed,
the response time of the startup switches, and the maximum time required
to eliminate the hazard.
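The safe-distance calculation referred to in this note and in (5) Safe Distance of the presence-detection section, together with the stopping-time versus access-time rule for guard locking in the interlocking section, can be worked through numerically. The following Python functions are an added example written for this page (not from the page's source or from any Omron product). They apply the ISO 13855 general formula S = K × T + C with the constants the standard publishes for a vertical light curtain (K = 2000 mm/s, C = 8(d − 14) mm, minimum 100 mm; K = 1600 mm/s with minimum 500 mm when the first result exceeds 500 mm) and for two-hand control (K = 1600 mm/s, C = 250 mm, minimum 100 mm). Estimating access time from a walking speed of 1600 mm/s, and the numerical inputs, are our assumptions.

```python
K_HAND = 2000.0   # mm/s: ISO 13855 approach speed used when S <= 500 mm
K_BODY = 1600.0   # mm/s: ISO 13855 approach speed for walking / S > 500 mm


def light_curtain_distance(stop_time_s: float, sensor_response_s: float,
                           resolution_mm: float) -> float:
    """Minimum distance S (mm) for a vertical light curtain approached at right
    angles, for detection capability d <= 40 mm (ISO 13855 form of S = K*T + C)."""
    if not 0 < resolution_mm <= 40:
        raise ValueError("this form of the formula applies to d <= 40 mm")
    t = stop_time_s + sensor_response_s            # total stopping performance
    c = max(8.0 * (resolution_mm - 14.0), 0.0)     # intrusion before detection
    s = K_HAND * t + c
    if s > 500.0:                                   # standard allows K = 1600 mm/s then
        s = max(K_BODY * t + c, 500.0)
    return round(max(s, 100.0), 1)


def two_hand_control_distance(stop_time_s: float, control_response_s: float) -> float:
    """Minimum distance S (mm) from the two-hand control to the hazard
    (ISO 13855: K = 1600 mm/s, C = 250 mm, minimum 100 mm)."""
    return round(max(K_BODY * (stop_time_s + control_response_s) + 250.0, 100.0), 1)


def guard_needs_locking(stop_time_s: float, guard_to_hazard_mm: float,
                        approach_speed_mm_s: float = K_BODY) -> bool:
    """Interlocked guard: guard locking is required when the hazard is still
    moving at the moment a person can reach it.  Access time is approximated as
    distance / approach speed (assumption: 1600 mm/s walking speed)."""
    access_time_s = guard_to_hazard_mm / approach_speed_mm_s
    return stop_time_s > access_time_s


if __name__ == "__main__":
    # Constructed figures: press stops in 0.2 s, protective device responds in 15 ms.
    print("curtain, d = 14 mm:", light_curtain_distance(0.2, 0.015, 14), "mm")
    print("curtain, d = 30 mm:", light_curtain_distance(0.2, 0.015, 30), "mm")
    print("two-hand control:  ", two_hand_control_distance(0.2, 0.015), "mm")
    print("guard 200 mm from hazard needs locking:", guard_needs_locking(0.2, 200))
    print("guard 800 mm from hazard needs locking:", guard_needs_locking(0.2, 800))
```

Note the asymmetry in the second curtain case: a coarser detection capability raises C, the first pass exceeds 500 mm, and the recalculation with K = 1600 mm/s is then clamped to the 500 mm floor, so a coarser curtain cannot be mounted closer than a fine one by picking the slower speed.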
5. Typical Example
Fig. 1 shows a typical example of a Two-hand Controller that satisfies
items 1 to 3 of (2) above.

(3) Connection Examples
1. Connection Circuit Example Using a Safety Relay Unit
The "Circuit Diagrams" section shows an example of a G9SA-TH301 Safety
Relay Unit connected to a Two-hand Controller.
2. Connection Circuit Example Using a Safety Controller
The "Circuit Diagrams" section shows an example of an F3SX Safety
Controller, F3SN-A Safety Light Curtain, and A22 Pushbutton Switch
connected to a Two-hand Controller for the caulking machine shown below.

6. Enabling Switches
An enabling switch is a safety component used so that workers can avoid
unexpected machine movement when performing non-scheduled maintenance work
or other non-scheduled operations in hazardous areas, such as those inside
safety fences.
When a worker is using a hand-held console with operation switches to
teach a robot, retool, or perform maintenance, unexpected movement of the
machine can create a hazardous state. It cannot be predicted whether the
operator will instinctively release the console or grip it tightly. A
normal switch does not turn OFF when excessive force is applied to it,
which may result in an accident.
With an Enabling Switch, machines or robots can be controlled only when
the switch is gripped lightly to the middle position. If the switch is
gripped with force past the middle position or if the switch is released,
the machine or robot will be shut OFF, disabling operation.
Enabling Switches are normally used built into teaching pendants, grip
switches, and other hand-held controls. They can be combined with safety
circuits built with Safety Relay Units and other devices to ensure safety.
(1) Structure of Enabling Switches
Enabling Switches operate through three positions: OFF - ON - OFF.
They are OFF when not pressed, ON when pressed to the middle position, and
then OFF again when pressed past the middle position.
● Three Positions: OFF - ON - OFF

7. Functional Safety Technology
Until recently there was no accepted means of demonstrating the safety of
complex electronic components or software, which made it difficult to use
them in safety applications. Demand from companies wanting greater safety
in the use of such devices has led to the concept of functional safety: a
method of establishing safety by demonstrating, with a stated reliability,
that the electronic equipment and programmable devices used in safety
equipment will perform their safety function when the safety-related
demand occurs. Reliability here means "reducing the risk to people to a
socially tolerable level" and includes the following factors:
-
Periodic proof tests are conducted to show that there are no latent
faults.
For example, a failure is detected by self-diagnosis and a safe state is
achieved.
-
Reliability with respect to deterioration and lifetime of the assembled
components.
For example, the probability of a dangerous failure is determined for
each part.
-
System reliability.
It is confirmed that protection against one type of hazard does not create
a different type of hazard.
IEC 61508, first issued in 1998, is the basic functional safety standard.
It consists of seven parts, and sector-specific standards for individual
fields of application are derived from it; the standard for industrial
machinery is IEC 62061. For detailed information, refer to these
standards.
In these standards the SIL (Safety Integrity Level) is defined as the
parameter that specifies the integrity required of a safety function. In
the machinery sector, the SIL has been correlated with the performance
level (PL) defined in ISO 13849-1:2006.
(Extracted from the NECA Safety Guide Handbook.)

The required SIL (Safety Integrity Level) is largely determined by whether
the safety function operates in low demand mode or in high/continuous
demand mode.
SIL Required of Safety-related Controls in Low Demand Mode (for example,
safety-related controls that act only briefly when a demand occurs, such
as ABS on cars)
Example: If the risk assessment determines that SIL2 is required, the TFM
to be achieved by the related safety controls is 10^-3 ≤ TFM < 10^-2.
Note: TFM (Target Failure Measure)

  SIL | Low demand mode
      | (average probability of a dangerous failure on demand)
  ----+-------------------------------------------------------
  4   | ≥ 10^-5 to < 10^-4
  3   | ≥ 10^-4 to < 10^-3
  2   | ≥ 10^-3 to < 10^-2
  1   | ≥ 10^-2 to < 10^-1

SIL Required of Safety-related Controls in High or Continuous Demand Mode
(for example, safety-related controls that operate continuously or
frequently over a long period, such as a pacemaker)
Example: If the risk assessment determines that SIL2 is required, the TFM
to be achieved by the related safety controls is 10^-7 ≤ TFM < 10^-6.
Note: TFM (Target Failure Measure)

  SIL | High or continuous demand mode
      | (dangerous failure rate per hour, 1/h)
  ----+-------------------------------------------------------
  4   | ≥ 10^-9 to < 10^-8
  3   | ≥ 10^-8 to < 10^-7
  2   | ≥ 10^-7 to < 10^-6
  1   | ≥ 10^-6 to < 10^-5