Protective Measures and Complementary Equipment

Introduction

When the risk assessment shows that a machine or process carries a risk of injury, the hazard must be eliminated or contained. The manner in which this is achieved will depend on the nature of the machine and the hazard. Protective measures in conjunction with guarding either prevent access to a hazard or prevent dangerous motion at a hazard when access is available. Typical examples of protective measures are interlocked guards, light curtains, safety mats, two-hand controls and enabling switches.

Emergency stop devices and systems are associated with safety related control systems but they are not direct protective systems, they should only be regarded as complementary protective measures.


Preventing Access

Fixed Enclosing Guards

If the hazard is on a part of the machinery which does not require access, a guard should be permanently fixed to the machinery as shown in Figure 21. These types of guards must require tools for removal. The fixed guards must be able to 1) withstand their operating environment, 2) contain projectiles where necessary, and 3) not create hazards by having, for example, sharp edges. Fixed guards may have openings where the guard meets the machinery or openings due to the use of a wire mesh type enclosure.

Windows provide a convenient way to monitor machine performance without requiring access to that portion of the machine. Care must be taken in the selection of the material used, as chemical interactions with cutting fluids, ultra-violet rays and simple aging cause the window materials to degrade over time.


Figure 21: Fixed Guards

The size of the openings must prevent the operator from reaching the hazard. Table O-10 in U.S. OSHA 1910.217 (f) (4), ISO 13854, Table D-1 of ANSI B11.19, Table 3 in CSA Z432, and AS4024.1 provide guidance on the appropriate distance a specific opening must be from the hazard.

Detecting Access

Protective measures can be used to detect access to a hazard. When detection is selected as the method of risk reduction, the designer must understand that a complete safety system must be used; the safeguarding device, by itself, does not provide necessary risk reduction.

This safety system generally consists of three blocks: 1) an input device that senses the access to the hazard, 2) a logic device that processes the signals from the sensing device, checks the status of the safety system and turns output devices on or off, and 3) an output device that controls the actuator (for example, a motor). Figure 22 shows the block diagram of a simple safety system.


Figure 22: Simple Safety System Block Diagram

Detection Devices

Many alternative devices are available to detect the presence of a person entering or inside a hazard area. The best choice for a particular application is dependent on a number of factors.


Appropriately selected movable guards can be interlocked to provide protection against projectiles, fluids, mists and other types of hazards, and are often used when access to the hazard is infrequent. Interlocked guards can also be locked to prevent access while the machine is in the middle of the cycle and when the machine takes a long time to come to a stop.

Presence sensing devices, like light curtains, mats and scanners, provide quick and easy access to the hazard area and are often selected when operators must frequently access the hazard area. These types of devices do not provide protection against projectiles, mists, fluids, or other types of hazards.

The best choice of protective measure is a device or system that provides the maximum protection with the minimum hindrance to normal machine operation. All aspects of machine use must be considered, as experience shows that a system that is difficult to use is more liable to be removed or by-passed.


Presence Sensing Devices

When deciding how to protect a zone or area it is important to have a clear understanding of exactly what safety functions are required.

In general there will be at least two functions.


1. Switch off or disable power when a person enters the hazard area.
2. Prevent switching on or enabling of power when a person is in the hazard area.

At first thought these may seem to be one and the same thing, but although they are obviously linked, and are often achieved by the same equipment, they are actually two separate functions. To achieve the first point we need to use some form of trip device; in other words, a device which detects that a part of a person has gone beyond a certain point and gives a signal to trip off the power. If the person is then able to continue past this tripping point and their presence is no longer detected, then the second point (preventing switching on) may not be achieved.

Figure 23 shows a full body access example with a vertically mounted light curtain as the trip device. Interlocked guard doors may also be regarded as a trip only device when there is nothing to prevent the door being closed after entry.


Figure 23: Full Body Access

If whole body access is not possible, a person cannot continue past the tripping point; their presence is always detected and the second point (preventing switching on) is achieved.

For partial body applications, as shown in Figure 24, the same types of devices perform both tripping and presence sensing; the only difference is the type of application.

Presence sensing devices are used to detect the presence of people. The family of devices includes safety light curtains, single beam safety barriers, safety area scanners, safety mats and safety edges.


Figure 24: Partial Body Access

Safety Light Curtains

Safety light curtains are most simply described as photoelectric presence sensors specifically designed to protect personnel from injuries related to hazardous machine motion. Also known as AOPDs (Active Opto-electronic Protective Devices) or ESPE (Electro Sensitive Protective Equipment), light curtains offer optimal safety, yet they allow for greater productivity and are the more ergonomically sound solution when compared to mechanical guards. They are ideally suited for applications where personnel need frequent and easy access to a point of operation hazard.

Light curtains are designed and tested to meet IEC 61496-1 and -2. There is no harmonized EN version of part 2, so Annex IV of the European Machinery Directive requires third party certification of light curtains prior to placing them on the market in the European Community. Third parties test the light curtains against this international standard. Underwriters Laboratories has adopted IEC 61496-1 as a U.S. national standard.


Operation

Safety light curtains consist of an emitter and receiver pair that creates a multi-beam barrier of infrared light in front of, or around, a hazardous area. The emitter is synchronized with the receiver by the photoelectric beam nearest one end of the housing. To eliminate susceptibility to false tripping attributed to ambient light and interference (crosstalk) from other opto-electronic devices, the LEDs in the emitter are pulsed at a specific rate (frequency modulated), with each LED pulsed sequentially so that an emitter can only affect the specific receiver associated with it. When all the beams have been checked, the scan starts over again. An example of a basic light curtain system is shown in Figure 25.


Figure 25: Basic Light Curtain Safety System

When any of the beams are blocked by intrusion into the sensing field, the light curtain control circuit turns its output signals off. The output signal must be used to turn the hazard off. Most light curtains have OSSD (Output Signal Switching Devices) outputs. The OSSDs are PNP type transistors with short circuit protection, overload protection and cross fault (channel to channel) detection. They can switch DC powered devices, like safety contactors and safety control relays, usually up to 500 mA.

Start/Restart Interlock: Light curtains are designed to interface directly with either low power machine actuators or logic devices like monitoring safety relays or programmable safety controllers. When switching machine actuators directly, the Start/Restart interlocking input of the light curtain must be used. This prevents the light curtain from re-initiating the hazard when the light curtain is initially powered or when the light curtain is cleared.


EDM: Light curtains also have an input that allows them to monitor the machine actuators. This is known as EDM (external device monitoring). After the light curtain is cleared, the light curtain determines if the external actuator is off before enabling any restart.

The emitter and receiver can also be interfaced to a control unit that provides the necessary logic, outputs, system diagnostics and additional functions (muting, blanking, PSDI) to suit the application.

The light curtain system must be able to send a stop signal to the machine even in the event of a component failure(s). Light curtains have two cross monitored outputs that are designed to change state when the safety light curtain sensing field is broken. If one of the outputs fails, the other output responds and sends a stop signal to the controlled machine and as part of the cross monitored system detects that the other output did not change state or respond. The light curtain would then go to a lock out condition, which prevents the machine from being operated until the safety light curtain is repaired. Resetting the safety light curtains or cycling power will not clear the lock out condition.


Figure 26: Light Curtain Interfacing with MSR or Safety PLC

Light curtains are often integrated into the safety system by connecting them to a monitoring safety relay (MSR) or safety PLC, as shown in Figure 26. In this case, the MSR or safety PLC handles the switching of the loads, the start/restart interlock and the external device monitoring. This approach is used for complex safety functions, and large load switching requirements. This also minimizes the wiring to the light curtain.
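The start/restart interlock, EDM and cross-monitored OSSD behaviour described above, modelled as an added Python illustration (not Allen-Bradley code or any product's logic); the class and method names and the three-scan discrepancy limit are assumptions:

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class MonitoringSafetyRelay:
    """Simplified model of the logic device in Figure 26 (assumed behaviour)."""
    max_discrepancy_scans: int = 3   # scans the two OSSDs may disagree (assumed)
    output_on: bool = False          # energises the safety contactor coil
    locked_out: bool = False         # latched fault; cleared only by service_repair()
    discrepancy: int = 0

    def scan(self, ossd1: bool, ossd2: bool,
             contactor_dropped_out: bool, restart: bool = False) -> bool:
        """One evaluation cycle; returns the new state of the safety output."""
        if self.locked_out:
            self.output_on = False
            return False

        # Cross monitoring: both OSSDs must switch together.  A single failed
        # output shows up as a persistent mismatch and latches a lockout.
        if ossd1 != ossd2:
            self.discrepancy += 1
            self.output_on = False
            if self.discrepancy >= self.max_discrepancy_scans:
                self.locked_out = True
            return False
        self.discrepancy = 0

        if not (ossd1 and ossd2):
            self.output_on = False       # intrusion: stop the hazard
            return False

        if self.output_on:
            return True                  # running and the field is still clear

        # Field clear but output off: never re-initiate the hazard on our own
        # (start/restart interlock) ...
        if not restart:
            return False
        # ... and use EDM to confirm the contactor really dropped out before
        # re-energising it; a contactor still pulled in means a welded contact.
        if not contactor_dropped_out:
            self.locked_out = True
            return False
        self.output_on = True
        return True

    def reset(self) -> None:
        """Operator reset clears the discrepancy count, never a lockout."""
        self.discrepancy = 0

    def service_repair(self) -> None:
        """Lockout is cleared only after the fault has been repaired."""
        self.locked_out = False
        self.discrepancy = 0


def run_scenario() -> Tuple[List[bool], bool]:
    """Worked sequence: power-up, intrusion, restart, then one OSSD stuck on."""
    msr = MonitoringSafetyRelay()
    log = []
    log.append(msr.scan(True, True, contactor_dropped_out=True))               # off: no restart yet
    log.append(msr.scan(True, True, contactor_dropped_out=True, restart=True)) # on
    log.append(msr.scan(False, False, contactor_dropped_out=False))            # operator reaches in
    log.append(msr.scan(True, True, contactor_dropped_out=True, restart=True)) # restart after clearing
    for _ in range(3):                                                         # OSSD2 fails stuck on
        log.append(msr.scan(False, True, contactor_dropped_out=False))
    msr.reset()                                                                # reset does not help
    log.append(msr.scan(True, True, contactor_dropped_out=True, restart=True))
    return log, msr.locked_out


if __name__ == "__main__":
    print(run_scenario())  # ([False, True, False, True, False, False, False, False], True)
```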

Resolution

One of the important selection criteria for a light curtain is its resolution. Resolution is the smallest object size that is guaranteed to always trip the light curtain. Frequently used resolutions are 14 mm, which is commonly used for finger detection; 30 mm, which is commonly used for hand detection; and 50 mm, which is commonly used for ankle detection. Larger values are used for full body detection.

The resolution is one of the factors that determine how close the light curtain can be placed to the hazard. See Safety Distance Calculation for more information.


Vertical Applications

Light curtains are most often used in vertically mounted applications. The light curtains must be placed at such distance as to prevent the user from reaching the hazard before the hazard stops.

In reach-through applications, the breaking of the light curtain initiates a stop command to the hazard. While continuing to reach through, to load or unload parts for example, the operator is protected because some part of their body is blocking the light curtain and preventing a restart of the machine.

Fixed guards or additional safeguarding must prevent the operator from reaching over, under or around the light curtain. Figure 27 shows an example of a vertical application.


Figure 27: Vertical Application

Cascading

Cascading is a technique of connecting one set of light curtains directly to another set of light curtains like that shown in Figure 28. One set acts as the host, and the other set acts as a guest. A third light curtain can be added as the second guest. This approach saves cabling costs and input terminals at the logic device. The tradeoff is that the response time of the cascaded light curtains is increased as more beams have to be checked during each scan of the cascaded light curtain.


Figure 28: Cascaded Light Curtains

Fixed Blanking

Blanking allows portions of a light curtain's sensing field to be disabled to accommodate objects typically associated with the process. These objects must be ignored by the light curtain, while the light curtain still provides detection of the operator.

Figure 29 shows an example where the object is stationary. Mounting hardware, machine fixture, tooling, or conveyor are in the blanked portion of the light curtain. Known as monitored fixed blanking, this function requires that the object be in the specified area at all times. If any of the beams programmed as “blanked” are not blocked by the fixture or work piece, a stop signal is sent to the machine.


Figure 29: Light Curtain Is Blanked Where Conveyor Is Fixed

Floating Blanking

Floating blanking allows an object such as feed stock to penetrate the sensing field at any point without stopping the machine. This is accomplished by disabling up to two light beams anywhere within the sensing field. Instead of creating a fixed window, the blanked beams move up and down, or “float,” as needed.

The number of beams that can be blanked depends on the resolution. Two beams can be blanked with a resolution of 14 mm, whereas only one beam can be blanked when a resolution of 30 mm is used. This restriction maintains a smaller opening to help prevent the operator from reaching through the blanked beams.

The beam(s) can be blocked anywhere in the sensing field except the sync beam without the system sending a stop signal to the protected machinery. A press brake, shown in Figure 30, provides a good example. As the ram moves down, the sheet metal bends and moves through the light curtain, breaking only one or two contiguous beams at a time.


Figure 30: Floating Blanking

When using blanking, fixed or floating, the Safety Distance (the minimum distance the light curtain can be from the hazard such that an operator cannot reach the hazard before the machine stops) is affected. Since blanking increases the minimum object size that can be detected, the minimum safety distance must also increase based on the formula for calculating the minimum safety distance (see Safety Distance Calculation).
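One scan of a light curtain with monitored fixed blanking and floating blanking evaluated in Python, as an added illustration rather than any manufacturer's firmware; beam indexing, the contiguity rule for floating beams and the press-brake sweep are assumptions, while the two-beam (14 mm) and one-beam (30 mm) allowances come from the text:

```python
from typing import FrozenSet, List


def floating_allowance_for(resolution_mm: int) -> int:
    """Beams that may float, per the text: two at 14 mm, one at 30 mm.
    Other resolutions are assumed to permit no floating blanking."""
    return {14: 2, 30: 1}.get(resolution_mm, 0)


def evaluate_scan(beams_blocked: List[bool], sync_beam: int,
                  fixed_blanked: FrozenSet[int] = frozenset(),
                  floating_allowance: int = 0) -> bool:
    """Return True if the OSSDs may stay on after this scan, False for a stop.

    beams_blocked[i]   True when beam i is interrupted.
    sync_beam          index of the synchronising beam; it can never be blanked.
    fixed_blanked      beams covered by a fixture (monitored fixed blanking):
                       they must be blocked on every scan, or the curtain stops.
    floating_allowance beams that may be blocked anywhere else without a stop,
                       provided they are contiguous (one object passing through).
    """
    if sync_beam in fixed_blanked:
        raise ValueError("the sync beam cannot be blanked")
    # Monitored fixed blanking: the fixture must still be there.
    if any(not beams_blocked[i] for i in fixed_blanked):
        return False
    # Interrupting the sync beam always produces a stop.
    if beams_blocked[sync_beam]:
        return False
    others = [i for i, blocked in enumerate(beams_blocked)
              if blocked and i not in fixed_blanked]
    if not others:
        return True
    if len(others) > floating_allowance:
        return False                      # a hand blocks more beams than allowed
    # The floating beams must be adjacent; two separate intrusions stop.
    return others[-1] - others[0] + 1 == len(others)


def press_brake_cycle(n_beams: int, sync_beam: int, resolution_mm: int,
                      sheet_beams: int = 2) -> bool:
    """Sweep the sheet of Figure 30 through every non-sync beam, blocking
    `sheet_beams` adjacent beams per scan; True if no scan produces a stop.
    Assumes the sync beam sits at one end of the housing, so the sheet
    never crosses it."""
    allowance = floating_allowance_for(resolution_mm)
    travel = [i for i in range(n_beams) if i != sync_beam]
    for k in range(len(travel) - sheet_beams + 1):
        blocked = [False] * n_beams
        for i in travel[k:k + sheet_beams]:
            blocked[i] = True
        if not evaluate_scan(blocked, sync_beam, floating_allowance=allowance):
            return False
    return True
```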

Horizontal Applications

After calculating the safety distance, the designer might find that the machine operator can fit in the space between the light curtain and the hazard. If this space exceeds 300 mm (12 in.), additional precautions must be considered. One solution is to mount a second light curtain in a horizontal position. These can be two independent sets of light curtains or a cascaded pair of light curtains. Another alternative is to mount a longer light curtain on an angle to the machine. These alternatives are shown in Figure 31. In either alternative, the light curtains must be located a safe distance away from the hazard.


Figure 31: Alternative Solutions for Space between Light Curtain and Hazard

For longer safety distances or for area detection, light curtains can be mounted horizontally, as shown in Figure 32. The light curtains must not be mounted too close to the floor, to prevent them from getting dirty, nor too high, so as to allow someone to crawl under the light curtain. A distance of 300 mm (12 in.) off the floor is often used. Additionally, the light curtains must not be used as foot steps to gain access. The resolution of the light curtain must be selected to at least detect a person's ankle. No larger than 50 mm resolution is used for ankle detection. If the light curtain does not protect the whole cell, then a manual reset function must be used. The reset button must be located outside the cell with full view of the cell.

Figure 32: Horizontal Application of a Light Curtain

Perimeter or Area Access Control

Perimeter access control is often used to detect access along the outside edge of a hazard area. Light curtains used to detect perimeter access have resolutions that detect full bodies, as shown in Figure 33. This can be accomplished in a couple of different ways. Multi-beam light curtains consisting of two or three beams, or a single beam device that is reflected off mirrors to create a dual beam pattern, are regularly used. In either case, the lowest beam should be 300 mm (12 in.) off the ground, and the highest beam should prevent a person from simply climbing over the light curtain.

Mirrors can be used to deflect the light beam around a cell. The distance the light curtain can cover is reduced due to the losses in the mirror reflections. Alignment of the light curtain is more difficult and a visible laser alignment tool is often needed during installation.


Figure 33: Mirrors Create Perimeter

Figure 34: Single Beam Devices for a Low Risk Application

Some single beam devices have long sensing distances (up to 275 feet). This allows a single beam device to create a protective barrier around hazardous machines. Since only a single or dual beam arrangement can be made, and the beam spacing is therefore large, this approach is limited to low risk applications. The Safety Distance Calculation section discusses beam placement and spacing to achieve adequate protective fields. Figure 34 shows an example of a single beam application. Breakage of the beam is used to stop the hazardous machine motion.

Safety Laser Scanners

Safety laser scanners use a rotating mirror that deflects light pulses over an arc, creating a plane of detection. The location of the object is determined by the angle of rotation of the mirror. Using a “time-of-flight” technique of a reflected beam of invisible light, the scanner can also detect the distance the object is from the scanner. By taking the measured distance and the location of the object, the laser scanner determines the exact position of the object.

Laser scanners create two zones: 1) a warning zone and 2) a safety zone. The warning zone provides a signal that does not shut down the hazard and informs people that they are approaching the safety zone as shown in Figure 35. Objects entering or inside the safety zone cause the laser scanner to issue a stop command; the OSSD outputs turn off.

The shape and size of the protected area is configured by an accompanying software program and downloaded to the scanner. The safety distance calculation must be used to determine the appropriate size of the safety zone.

One advantage of the laser scanner over horizontal light curtains or mats is the ability to reconfigure the area. Figure 35 shows an example of the warning field configured to ignore structural objects.


Figure 35: Warning Field Configured Around Structural Objects

Developments in laser scanner technology allow a single scanner to cover multiple zones. In Figure 36, the laser scanner allows operator access to one side (shown as Case 1) while the robot is busy on the other side (Case 2).

Older scanners have electro-mechanical outputs. Newer scanners adopt the same principles as light curtains and provide OSSD outputs with cross checking, external device monitoring and restart interlock for standalone use. The OSSD outputs can also be connected to logic devices when needed as part of a larger system.


Figure 36: Multizone Application of Laser Scanner

Muting

Muting is characterized as the automatic, temporary suspension of a safety function. Sometimes the process requires that the machine stop when personnel enter the area, yet remain running when automatically fed material enters. In such a case, a muting function is necessary. Muting is permitted during the non-hazardous portion of the machine cycle, or otherwise only where it does not expose people to a hazard.

Sensors are used to initiate the muting function. The sensors may be safety rated or non-safety rated. The types, number and location of muting sensors must be selected to meet the safety requirements determined by the risk assessment.


Figure 37 shows a typical conveyor material handling muting arrangement using two sensors. The sensors are arranged in an X pattern. Some logic units require a specific order in which the sensors are blocked. When order is important, the X pattern must be asymmetrical. For those logic units that use the sensor inputs as pairs, the X pattern can be symmetrical. Polarized, retroreflective photosensors are often used to prevent spurious reflections from falsely initiating the muting function or causing nuisance trips. Other sensing technologies, such as inductive sensors and limit switches, may also be used.

Figure 37: Conveyor 2 Sensor Muting

Another commonly applied approach is to use four sensors, as shown in Figure 38. Two sensors are mounted on the hazard side and two on the non-hazard side. The sensors look directly across the conveyor. The shape and position of the object is less important in this approach. The length of the object is important as the object must block all four sensors.

Figure 38: Conveyor 4 Sensor Muting

A common application is for a fork truck to access a conveyor. In order to mute the light curtain, the fork truck must be detected by sensors. The challenge is to locate the sensors so they detect the fork truck and not a person. Figure 39 shows an example of this application.

Figure 39: Fork Truck 2 Sensor Muting

Access to robot cells is also accomplished by muting. As shown in Figure 40, limit switches, located on the base of the robot, indicate the position of the robot. The safeguarding devices (the light curtains and safety mats) are muted when the robot is not in a hazardous position.

Figure 40: Muting of a Robot Cell
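The ordered versus paired sensor sequencing of the two-sensor X pattern (Figure 37), written out as an added Python state machine; this is an illustration, not a logic unit's firmware, and the sensor naming, the gap and mute time limits (counted in scans) and the "mute ends when both sensors clear" rule are assumptions:

```python
from typing import Tuple


class TwoSensorMuting:
    """Muting logic for the two-sensor X pattern of Figure 37 (assumed model).

    Sensor A sits on the non-hazard side and sensor B on the hazard side.
    With ordered=True (asymmetrical X) material must block A before B;
    with ordered=False (symmetrical X, sensors used as a pair) either order
    is accepted.  Muting starts when both sensors are blocked and ends when
    they clear or a time limit expires.  Scan counts stand in for time.
    """
    IDLE, ARMED, MUTED = "idle", "armed", "muted"

    def __init__(self, ordered: bool = True, max_gap_scans: int = 5,
                 max_mute_scans: int = 50) -> None:
        self.ordered = ordered
        self.max_gap_scans = max_gap_scans    # A-to-B gap for a valid sequence
        self.max_mute_scans = max_mute_scans  # cap on how long a mute may last
        self.state = self.IDLE
        self.timer = 0

    def scan(self, a: bool, b: bool, curtain_blocked: bool) -> Tuple[bool, bool]:
        """Returns (muted, stop) for this scan."""
        if self.state == self.IDLE:
            if a and b:
                # Both at once: only acceptable when order does not matter.
                if not self.ordered:
                    self.state, self.timer = self.MUTED, 0
            elif a or b:
                if a or not self.ordered:
                    self.state, self.timer = self.ARMED, 0
                # else: B first on an ordered pattern, e.g. a person walking in
                # against the flow; the sequence is rejected and no mute starts
        elif self.state == self.ARMED:
            self.timer += 1
            if a and b:
                self.state, self.timer = self.MUTED, 0
            elif not (a or b) or self.timer > self.max_gap_scans:
                self.state = self.IDLE           # sequence abandoned
        else:  # MUTED
            self.timer += 1
            if not (a or b) or self.timer > self.max_mute_scans:
                self.state = self.IDLE           # material has passed, or timeout
        muted = self.state == self.MUTED
        # While muted the curtain may be broken; otherwise a break means stop.
        stop = curtain_blocked and not muted
        return muted, stop
```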

Presence Sensing Device Initiation (PSDI)

Also known as single break, double break, or stepping operating mode, PSDI involves the use of a light curtain not only as a safety device, but as the control for machine operation. PSDI initiates a machine cycle based on the number of times the sensing field is broken. For example, as an operator reaches toward the hazard to insert a work piece, breakage of the beams immediately stops the machine or prevents restart of the machine until the operator removes his hand from the area, at which time the machine automatically initiates its next cycle. This process can be accomplished by safety programmable logic devices or by monitoring relays specifically designed for this function.

Auto initiation allows the machine to start and stop based on the number of times the light curtain beams are broken and cleared. Illustrated in Figures 41 to 43 is an auto initiation double break mode (after initial start-up sequence).

In Step 1, the operator breaks the light curtain. The machine is stopped and the operator removes the processed material. The operator clears the light curtain, making the first break.


Figure 41: Step 1 of Double Break PSDI

Figure 42: Step 2 of Double Break PSDI

Figure 43: Step 3 of Double Break PSDI

In Step 2, the operator breaks the light curtain a second time and loads new material. The machine remains in stop mode.

In Step 3, the machine starts automatically after the second clearing of the light curtain.
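The three PSDI steps as an added Python state machine (not a product's or the author's logic): breaks are counted when the curtain is cleared, the cycle auto-initiates on the second clearing, and the assumption made here is that a break during machine motion stops it and demands a manual restart before counting resumes.

```python
class DoubleBreakPSDI:
    """Auto-initiation double-break mode of Figures 41 to 43 (assumed model),
    entered after the initial start-up sequence has been completed.

    Between cycles the machine is stopped; each break-and-clear of the light
    curtain counts once, and the cycle starts automatically on the second
    clearing.  A break while the machine is in motion stops it and, by
    assumption here, requires a manual restart before counting resumes.
    """

    def __init__(self, breaks_required: int = 2) -> None:
        self.breaks_required = breaks_required
        self.breaks = 0
        self.running = False
        self.needs_manual_restart = False
        self._prev_clear = True

    def scan(self, curtain_clear: bool, cycle_done: bool = False,
             restart: bool = False) -> bool:
        """Returns True when the machine is permitted to run in this scan."""
        try:
            if self.needs_manual_restart:
                if restart and curtain_clear:
                    self.needs_manual_restart = False
                    self.breaks = 0
                return False
            if self.running:
                if not curtain_clear:
                    self.running = False
                    self.needs_manual_restart = True   # intrusion mid-cycle
                elif cycle_done:
                    self.running = False               # wait for the operator
                    self.breaks = 0
                return self.running
            # Stopped between cycles: a break is counted when it is cleared
            # ("the operator clears the light curtain, making the first break").
            if not self._prev_clear and curtain_clear:
                self.breaks += 1
                if self.breaks >= self.breaks_required:
                    self.breaks = 0
                    self.running = True                # auto-initiate the cycle
            return self.running
        finally:
            self._prev_clear = curtain_clear
```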


Pressure Sensitive Safety Mats

These devices are used to provide guarding of a floor area around a machine, as shown in Figure 44. A matrix of interconnected mats is laid around the hazard area and pressure applied to the mat (e.g., an operator's footstep) will cause the mat controller unit to switch off power to the hazard.

There are a number of technologies used to create safety mats. One of the more popular technologies is using two parallel metal plates, as shown in Figure 45. The plates are separated by spacers. The metal plates and spacers are encapsulated in a nonconductive material with its surface designed to prevent slipping.


Figure 44: Safety Mats Surrounding a Robot

Figure 45: Safety Mat Interfacing

To ensure that the safety mat is available for use, an electrical current is passed through both plates. If an open-circuit wiring fault occurs, the safety system shuts down. To accommodate the parallel plates into a safety system, either two or four conductors are used. If two conductors are used, then a terminating resistor is used to differentiate the two plates. The more popular approach is to use four conductors. Two conductors, connected to the top plate are assigned one channel. Two conductors connected to the bottom plate are assigned to a second channel. When a person steps on the mat, the two plates create a short circuit from Channel 1 to Channel 2. The safety logic device must be designed to accommodate this short circuit. Figure 46 shows an example of how multiple 4-wire mats are connected in series to ensure the safety mats are available for use.

Figure 46: Typical Safety Mat Construction

Pressure sensitive mats are often used within an enclosed area containing several machines—flexible manufacturing or robotics cells, for example. When cell access is required (for setting or robot "teaching," for example), they prevent dangerous motion if the operator strays from the safe area, or must get behind a piece of equipment, as shown in Figure 47.

The size and positioning of the mat must take the safety distance into account (see Safety Distance Calculation).


Figure 47: Safety Mat Detects Operator Behind Equipment

Pressure Sensitive Edges

These devices are flexible edging strips that can be mounted to the edge of a moving part, such as a machine table or powered door that poses a risk of a crushing or shearing, as shown in Figure 48.

If the moving part strikes the operator (or vice versa), the flexible sensitive edge is depressed and will initiate a command to switch off the hazard power source. Sensitive edges can also be used to guard machinery where there is a risk of operator entanglement. If an operator becomes caught in the machine, contact with the sensitive edge will shut down machine power.

There are a number of technologies used to create safety edges. One popular technology is to insert what is essentially a long switch inside the edge. This approach provides straight edges and generally uses the four-wire connection technique.


Figure 48: Edge on Machine Table and Powered Door

The Allen-Bradley Guardmaster Safedge uses conductive rubber, with two wires running the length of the edge (Figure 49). At the end of the edge, a terminating resistor is used to complete the circuit. Depressing the rubber reduces the circuit resistance.

Figure 49: Conductive Rubber Safety Edge

Since a change in resistance must be detected, the monitoring safety relay must be designed to detect this change. An example wiring of this two-wire design with a terminating resistor is shown in Figure 50. One advantage of the conductive rubber technology is that it provides active corners.

Figure 50: Conductive Rubber Safety Edge Circuit
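The monitoring logic for both loop styles described above, as an added Python illustration covering the four-wire series-connected mats of Figure 46 and the two-wire terminated loop of the conductive-rubber edge in Figure 50 (which a two-wire mat with a terminating resistor shares); this is not Allen-Bradley or monitoring-relay code, and the 10 kΩ terminating resistor, the rubber contact resistance and the classification thresholds are assumed values:

```python
from dataclasses import dataclass
from typing import List

OPEN_CIRCUIT = float("inf")   # what the monitor reads on a broken loop


def loop_resistance(r_term: float, depressed: bool, wire_broken: bool = False,
                    contact_ohms: float = 200.0) -> float:
    """Resistance seen at the two wires of a conductive-rubber edge (Figure 50)
    or a two-wire mat.  Undisturbed, only the terminating resistor is in the
    loop; depressing the rubber adds a parallel path (contact_ohms is an
    assumed value), and a broken wire reads open."""
    if wire_broken:
        return OPEN_CIRCUIT
    if depressed:
        return 1.0 / (1.0 / r_term + 1.0 / contact_ohms)
    return r_term


def classify_loop(measured_ohms: float, r_term: float, tolerance: float = 0.10,
                  activation_ratio: float = 0.5) -> str:
    """Monitoring relay decision for a terminated two-wire loop.

    'clear'     : reading matches the terminating resistor (within tolerance)
    'activated' : resistance fell well below it (edge pressed / mat stepped on)
    'fault'     : open circuit, missing resistor, or an out-of-tolerance value
    A shorted loop reads as 'activated', never as 'clear', so neither a wire
    break nor a bridged loop can present the device as unoccupied.
    (Thresholds are assumptions, not figures from the page.)
    """
    if measured_ohms == OPEN_CIRCUIT or measured_ohms > r_term * (1 + tolerance):
        return "fault"
    if measured_ohms < r_term * activation_ratio:
        return "activated"
    if measured_ohms >= r_term * (1 - tolerance):
        return "clear"
    return "fault"


@dataclass
class FourWireMat:
    stepped_on: bool = False
    top_loop_broken: bool = False      # a channel 1 conductor is open
    bottom_loop_broken: bool = False   # a channel 2 conductor is open


def four_wire_chain_state(mats: List[FourWireMat]) -> str:
    """Four-wire mats wired in series (Figure 46): channel 1 passes through
    every top plate and channel 2 through every bottom plate, so a break
    anywhere is an open circuit.  A footstep shorts channel 1 to channel 2;
    the logic device must treat that particular cross-channel short as
    'occupied' rather than as a wiring cross fault."""
    if any(m.top_loop_broken or m.bottom_loop_broken for m in mats):
        return "fault"
    if any(m.stepped_on for m in mats):
        return "occupied"
    return "clear"
```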

Light curtains, scanners, floor mats and sensitive edges are classified as "trip devices." They do not actually restrict access but only "sense" it. They rely entirely on their ability to both sense and switch for the provision of safety. In general they are only suitable on machinery which stops reasonably quickly after switching off the power source. Because an operator can walk or reach directly into the hazard area it is obviously necessary that the time taken for the motion to stop is less than that required for the operator to reach the hazard after tripping the device.

Safety Switches

When access to the machine is infrequent, movable (operable) guards are preferred. The guard is interlocked with the power source of the hazard in a manner which ensures that whenever the guard door is not closed the hazard power will be switched off. This approach involves the use of an interlocking switch fitted to the guard door. The control of the power source of the hazard is routed through the switch section of the unit. The power source is usually electrical but it could also be pneumatic or hydraulic. When guard door movement (opening) is detected the interlocking switch will initiate a command to isolate the hazard power supply either directly or via a power contactor (or valve).

Some interlocking switches also incorporate a locking device that locks the guard door closed and will not release it until the machine is in a safe condition. For the majority of applications the combination of a movable guard and an interlock switch with or without guard locking is the most reliable and cost effective solution.


Tongue Interlock Switches

Tongue operated interlocks require a tongue-shaped actuator to be inserted and removed from the switch. When the tongue is inserted, the internal safety contacts close and allow the machine to run. When the tongue is removed, the internal safety contacts open and send a stop command to the safety related parts of the control system. Tongue operated interlocks are versatile as they can be used on sliding, hinged or removable guards as shown in Figure 51.


Figure 51: Tongues Interlocks on Sliding, Hinge or Removable Guards

Some of the latest functional safety standards focus on the need for complete fault tolerance in devices used at the higher risk levels (e.g. SIL 3 or PLe). In theory, mechanical tongue operated switches have single points of failure (e.g. the tongue actuator) even though they have two electrical switching channels. This means that non-contact switches may be preferred in these cases, because they do not generally have such single mechanical failure points.

Tongue interlocks have three basic features that allow them to have a safety rating: defeatability, galvanic isolation, and direct opening action.


Defeatability

The security of an interlock switch is dependent on its ability to withstand attempts to "cheat" or defeat the mechanism. An interlock switch should be designed so that it cannot be defeated by simple tools or materials which may be readily available (like screwdrivers, coins, tape, or wire).


Figure 52: Tongue Shaped Actuators with Dimensional Features to Help Prevent Defeatability

This is accomplished by making the actuator a special shape, as shown in Figure 52. When maintenance is required on the machine, the interlocks may have to be bypassed. If this is done, other safeguarding methods for protection must be provided. Access to spare actuators must be controlled by management operating procedures. Some actuators, like the one on the left in Figure 52, have a spring that prevents the tongue from fully entering and operating the interlock switch unless it is correctly fixed to the guard.

In some circumstances personnel may be tempted to override the switch in some way. Information concerning the use of the machine, gathered at the risk assessment stage, will help to decide whether this is more likely or less likely to happen. The more likely it is to happen, the more difficult it should be to override the switch or system. The level of estimated risk should also be a factor at this stage. Switches are available with various levels of security, ranging from resistance to impulsive tampering to being virtually impossible to defeat.

It should be noted at this stage that if a high degree of security is required, it is sometimes more practical to achieve this by the way in which the switch is mounted. For example, if the switch is mounted as in Figure 53 with a covering track, there is no access to the switch with the guard door open. The nature of any "cheating" prevention measures taken at the installation will depend on the operating principle of the switch.

Figure 53: Switch and Actuator Hidden

Direct Opening Action

ISO 12100-2 explains that if a moving mechanical component inevitably moves another component along with it, either by direct contact or via rigid elements, these components are said to be connected in the positive mode. IEC 60947-5-1 uses the term Direct Opening Action and defines it as achievement of contact separation as the direct result of a specified movement of the switch actuator through non-resilient members (for example, not dependent upon springs). This standard provides a set of tests that can be used to verify Direct Opening Action. Products that meet the requirements of Direct Opening Action display the symbol shown in Figure 54 on their enclosure.


Figure 54: Symbol of Direct Opening Action

Figure 55 shows an example of positive mode operation giving forced disconnection of the contacts. The contacts are considered normally-closed (N.C.) when the actuator is inserted into the switch (i.e., guard closed). This closes an electrical circuit and allows current to flow through the circuit when the machine is allowed to run. The closed circuit approach allows for the detection of a broken wire which will initiate a stop function. These switches are typically designed with double break contacts. When the guard is opened, the tongue is removed from the operating head and rotates an internal cam. The cam drives the plunger which forces the spanner to open both contacts, breaking potentially welded contacts.

Figure 55: Double-Break with Direct Opening Action

Click to enlarge - Fig 4.36 Daisy Chain 2NC Interlocks
 
Figure 56: Daisy Chain of Multiple 2 N.C. Interlocks

Most tongue interlocks also have a set of normally-open (N.O.) contacts. These contacts typically close by the force of the return spring. If the spring breaks, proper contact operation cannot be performed with a high enough degree of reliability. Therefore, they are typically used to signal the machine control system that the guard is open.

Normally-open spring-return contacts can be used as a secondary channel in a safety system. This approach provides diversity to the safety system to help prevent common cause failures. The monitoring safety relay or safety PLC must be designed to accommodate this diverse N.O. + N.C. approach.



Figure 57: Multiple Interlocks with N.C. and N.O. Contacts

One advantage of using two normally closed contacts with interlocks is reduction in the wiring when multiple gates must be monitored. Figure 56 shows how multiple gates can be daisy chained. This may be practical for a small number of gates, but becomes more challenging to troubleshoot when too many gates are connected in series.

Where the risk assessment calls for the use of diverse contacts, the N.C. contacts are connected in series (Channel 1) and the N.O. contacts are connected in parallel (Channel 2). Figure 57 shows a basic schematic of this approach when multiple interlocks are monitored by a monitoring safety relay.
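The following model of the two wiring schemes (N.C. contacts in series as in Figure 56, and the diverse N.C.-series plus N.O.-parallel arrangement of Figure 57) is an added example; it is not code from the original page or from any safety relay product. The interlock states and the fault scenarios (a welded N.C. contact, a broken return spring) are constructed. It shows why the single N.C. series chain alone cannot see a welded contact, while the diverse two-channel evaluation detects that first failure as a channel discrepancy.

```python
from dataclasses import dataclass


@dataclass
class Interlock:
    """One tongue interlock: guard position plus two constructed fault flags.

    welded_nc: a welded N.C. contact stays closed even though the guard opens.
    broken_spring: a broken return spring leaves the N.O. contact open.
    """
    guard_closed: bool
    welded_nc: bool = False
    broken_spring: bool = False

    @property
    def nc_closed(self) -> bool:
        # Direct opening action forces the N.C. contact open when the tongue
        # is withdrawn; only a weld (a fault) keeps it closed.
        return self.guard_closed or self.welded_nc

    @property
    def no_closed(self) -> bool:
        # The N.O. contact closes by spring force when the guard opens, so it
        # cannot close if the spring is broken.
        return (not self.guard_closed) and not self.broken_spring


def channel1_nc_series(interlocks) -> bool:
    """Channel 1 (Figures 56 and 57): N.C. contacts in series.

    Current flows (True) only when every contact is closed, i.e. when every
    guard is closed. A broken wire reads as 'open', which is the safe side.
    """
    return all(i.nc_closed for i in interlocks)


def channel2_no_parallel(interlocks) -> bool:
    """Channel 2 (Figure 57): N.O. contacts in parallel.

    Current flows (True) when any one contact is closed, i.e. when any guard
    is open. 'All guards closed' therefore reads as NO current.
    """
    return any(i.no_closed for i in interlocks)


def evaluate(interlocks):
    """Diverse dual-channel evaluation as a monitoring safety relay would do it.

    Returns (outputs_enabled, fault). Outputs are enabled only when both
    channels agree that all guards are closed. When the channels disagree,
    one of them has failed; the discrepancy is reported as a fault and the
    outputs stay off.
    """
    ch1_all_closed = channel1_nc_series(interlocks)
    ch2_all_closed = not channel2_no_parallel(interlocks)
    fault = ch1_all_closed != ch2_all_closed
    enabled = ch1_all_closed and ch2_all_closed and not fault
    return enabled, fault


if __name__ == "__main__":
    welded = [Interlock(True), Interlock(False, welded_nc=True), Interlock(True)]
    print("single N.C. chain with one welded contact:", channel1_nc_series(welded))
    print("diverse evaluation of the same chain:", evaluate(welded))
```

With the constructed welded contact on an open guard, the single N.C. chain still conducts, so a Figure 56 system on its own would keep running; the diverse evaluation sees Channel 1 reporting "closed" while Channel 2 reports "open" and drops the outputs with a fault.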


Duplication (also referred to as Redundancy)

If components which are not inherently safe are used in the design, and they are critical to the safety function, then an acceptable level of safety may be provided by duplication of those components or systems. In case of failure of one component, the other one can still perform the function. It is usually necessary to provide monitoring to detect the first failure so that, for example, a dual channel system does not become degraded to a single channel without anybody being aware of it. Attention also must be given to the issue of common cause failures.

Protection must be provided against a single failure that would cause all duplicated components (or channels) to fail at the same time. Suitable measures may include using diverse technologies for each channel or ensuring an oriented failure mode.


Galvanic Isolation

Figure 58 shows contact blocks with two sets of contacts. A galvanic isolation barrier is required if it is possible for the contacts to touch each other back to back in the event of contact weld or sticking.


Figure 58: Galvanic Isolation of Contacts

Mechanical Stops

Interlock switches are not designed to withstand the stopping of a gate. The machine designer must provide an adequate stop while also providing enough travel for the actuator to fully insert into the switch (Figure 59).


Figure 59: Mechanical Stops

The guard-mounted tongue needs to remain reasonably well aligned with the entry hole in the switch body. Over time, hinges may wear and guards may bend or twist. This adversely affects the alignment of the actuator to the head. The machine designer should consider metal bodied interfaces and flexible actuators, as shown in Figure 60.

Figure 60: Metal Interface with Flexible Actuator

Contact operation affects performance of the switch in the safety/control system and must be taken into account by the machine designer. This performance is only important when both the normally closed contacts are used by the safety system and the normally open contacts are used to indicate guard status to the PLC.

Contact operation is either slow-acting or snap-acting. In slow-acting operation, two types exist. Break before make (BBM) describes the operation where the normally closed contacts open before the normally open contacts close. Make before break (MBB) describes the operation where the normally closed contacts open after the normally open contacts close.



Figure 61: MBB and BBM Contacts—Conflicting Messages

Due to wear, damage, or other changes to the guarding over time, pressure may be applied to the door, forcing it open slightly. If the door moves to the point where the change-over occurs, the safety system and the machine control system receive conflicting messages, as shown in Figure 61.

Fixes for this include latching the door closed or using snap acting contacts. Selection of the appropriate tongue interlock involves many considerations: plastic or metal body, number of contacts, contact operation, size of guard, alignment of guard, movement of the guard, space available and washdown. Tongue operated switches can be difficult to clean thoroughly. Thus, food/beverage and pharmaceutical industries generally prefer non-contact interlocks.
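To make the BBM/MBB conflict of Figure 61 concrete, here is an added model (not from the original page or from any switch datasheet) of the two contacts as a function of actuator travel. The switching points are constructed assumptions in tenths of a millimetre. The safety system reads the N.C. contact and the PLC reads the N.O. contact, and the model reports the band of travel over which the two reach different conclusions about the guard.

```python
# Constructed switching points (tenths of a mm of actuator withdrawal).
# operation: (travel at which N.C. opens, travel at which N.O. closes)
SWITCH_POINTS_TENTHS_MM = {
    "BBM": (40, 60),   # break before make: N.C. opens, later N.O. closes
    "MBB": (60, 40),   # make before break: N.O. closes, later N.C. opens
    "snap": (50, 50),  # snap-acting: both change over together
}


def contact_states(travel_tenths_mm, operation):
    """Return (nc_closed, no_closed) for an actuator withdrawn by the given travel."""
    nc_open_at, no_close_at = SWITCH_POINTS_TENTHS_MM[operation]
    nc_closed = travel_tenths_mm < nc_open_at
    no_closed = travel_tenths_mm >= no_close_at
    return nc_closed, no_closed


def messages(travel_tenths_mm, operation):
    """What each consumer concludes about the guard at this travel.

    The safety system treats a closed N.C. contact as 'guard closed'.
    The PLC treats a closed N.O. contact as 'guard open'.
    Returns (safety_says_closed, plc_says_closed).
    """
    nc_closed, no_closed = contact_states(travel_tenths_mm, operation)
    return nc_closed, (not no_closed)


def conflict_window_mm(operation, max_travel_tenths_mm=100):
    """Travel range (mm) over which safety system and PLC disagree, or None.

    Sweeps the actuator from fully inserted to max_travel in 0.1 mm steps.
    """
    conflicting = [t for t in range(max_travel_tenths_mm + 1)
                   if len(set(messages(t, operation))) == 2]
    if not conflicting:
        return None
    return conflicting[0] / 10, conflicting[-1] / 10


if __name__ == "__main__":
    for op in SWITCH_POINTS_TENTHS_MM:
        print(op, "conflict window (mm):", conflict_window_mm(op))
```

For both slow-acting types the model shows a band of travel where the two systems disagree (the safety system says "open" while the PLC still says "closed" for BBM, the reverse for MBB); with the snap-acting points both contacts change over at the same travel and no such band exists, which is why the text offers snap-acting contacts, or latching the door so it never reaches that travel, as the fix.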


Guard Locking Switches

In some applications, locking the guard closed or delaying the opening of the guard is required. Devices suitable for this requirement are called guard locking interlock switches. They are suited to machines with run down characteristics but they can also provide a significant increase of protection level for most types of machines.

For most types of guard locking interlock switches, the unlocking action is conditional on the receipt of some form of electrical signal, for example an electrical voltage to energize a lock release solenoid. This principle of conditional release makes the solenoid controlled guard locking switch a very useful and adaptable device. Whereas with most devices the safety function is achieved by stopping the machine, guard locking switches also prevent access to the machine and prevent restart of the machine whenever the lock is released. Therefore these devices can perform two separate but inter-related safety functions: prevention of access and prevention of dangerous movement. This means that these switches are fundamentally important in the field of machinery safety. The following text describes some typical application based reasons why guard locking interlock switches are commonly used:


Protection of machine and people: In many situations tool or work piece damage can be caused or significant process disruption incurred if a machine is stopped suddenly at the wrong point in its operating sequence. A typical example of this would be the opening of an interlocked guard door of an automated machine tool in mid cycle. This situation can be avoided by using a solenoid controlled guard locking switch. If access through the guard door is required a lock release request signal is sent to the machine controller which will then wait for a properly sequenced stop before sending the release signal to the guard locking switch.

Figure 62: Simplified Basic Solenoid Guard Locking Switch Scheme

Figure 62 shows a very simplified schematic view of the principle. In practice, the start, stop and lock release functions of the push switches shown would typically be achieved by inputs and outputs of the machine’s PLC. The PLC would accept a lock release request input at any point in the machine cycle but would only action a release command at the end of that cycle. The release command would be the equivalent of pressing the stop and lock release push switches.

When the lock is released and the guard door is opened, the switch contacts open causing the isolation of power to the hazard.

This type of approach can be further developed by using a key operated switch or button as the lock release request. In this way it can be possible to control not only when the guard can be opened but also who can open it.


Figure 63: Timed Delay Controlled Solenoid Guard Locking Switch Scheme

Protection against machine run down: On many machines, removal of power to the motor or actuator will not necessarily cause a reliable and immediate stopping of the dangerous motion. This situation can be addressed by using a solenoid controlled guard locking switch with its release conditional on implementation of some form of delay that ensures that all dangerous motion has stopped before the lock is released.

Timed delay: The simplest method is to use a timed delay function configured so that the switch will not release the guard until the contactor is OFF and a preset time interval has elapsed. This is shown in Figure 63. The timed delay function can be provided by a Safety PLC or a dedicated controller. It is important that it is safety rated because failure that causes a shorter time delay than specified could result in exposure to dangerous moving parts.

The timed delay interval should be set to at least the worst case stopping time of the machine. This stopping time must be predictable, reliable and not dependent on braking methods that may degrade with use.

Stopped motion confirmation: It is also possible to make the lock release conditional on the confirmation that motion has stopped. The advantage of this approach is that even if the machine takes longer than expected to stop, the lock will never be released too early. It also provides better efficiency than a timed delay because the lock is released as soon as the motion has stopped, without always having to wait for the worst case stopping time. An example of this approach is shown in Figure 64.


Figure 64: Simplified Stopped Motion Controlled Solenoid Guard Locking Switch Scheme

This stopped motion monitoring function must be safety rated and is usually achieved by one of the following methods:

Proximity sensors or shaft encoders combined with a dedicated controller or safety PLC.

Back EMF detection using a dedicated control unit.

Future generations of variable speed drives and motion control systems will also provide this functionality as safety rated.

Slow speed safety: For some types of machinery it may be necessary to have access to some moving parts in order to perform certain tasks such as maintenance, setting, feeding or threading. This type of activity is only considered if adequate safety can be provided by other measures. Typically these other measures will take the form of at least both of the following:

a) Access is only allowed under conditions of a safe slow speed

b) Any person with access to the moving parts must have personal local control for stopping, or prevention of starting, of the motion. The local control must override any other control signals.


This should be taken as a minimum. Whether this is acceptable or not will depend on risk assessment and relevant safety standards and regulations. However where it is found to be acceptable this type of safety functionality is often implemented using a solenoid controlled guard locking interlock switch in combination with a slow speed monitoring unit and a three position enabling device.

The safe slow speed monitoring unit constantly checks the speed of the moving parts via its input sensors and will only allow the sending of the lock release signal when the speed is not greater than its preset threshold value. After the lock has been released the slow speed unit continues to monitor the speed. If its preset threshold is exceeded while access is allowed, power to the motor will be switched off immediately. Also, the safe slow speed can only continue while the enabling switch is held in the middle position (see Figure 70 for more information). It is clear that the guard locking switch, the safe slow speed unit and the enabling device must be connected to some form of safety rated logic solver in order to implement the required functionality for both safety and production. In its most simple form this can simply be the way that the units are hardwired together, typically switchable via a manual mode selector switch. This switch is often key operated to restrict the safe slow speed access mode to authorized people. Greater operating efficiency and flexibility can be gained by using a configurable or programmable device for the logic solving function. This could be anything from a modular configurable relay through to a Safety PLC.

This type of safe slow speed functionality is often required on complex integrated machinery systems where the equipment is divided into different operating zones each with different and interdependent operating modes. In these types of applications a Safety PLC or a dedicated configurable control unit such as the MSR57 is often a more suitable solution than individual relays and control units.
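The three release policies described above (timed delay as in Figure 63, stopped motion confirmation as in Figure 64, and safe slow speed access with an enabling device) are brought together in the following added example. It is not code from the original page or from the MSR57 or any Safety PLC; the input record, the threshold values and the class and method names are assumptions made for illustration. The one design rule applied throughout is that a condition which cannot be confirmed (for example, no valid speed reading) never results in a release.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Inputs:
    """One scan of the inputs the lock-release logic needs (constructed)."""
    contactor_on: bool
    seconds_since_contactor_off: float
    speed_rpm: Optional[float]      # None = no valid reading (sensor fault)
    enabling_middle: bool = False   # three-position enabling device held in centre


class LockReleaseLogic:
    """Decides when a solenoid guard lock may be released and, in safe slow
    speed mode, whether motor power may remain on."""

    def __init__(self, worst_case_stop_s: float, slow_speed_limit_rpm: float):
        self.worst_case_stop_s = worst_case_stop_s
        self.slow_speed_limit_rpm = slow_speed_limit_rpm
        self.release_requested = False

    def request_release(self) -> None:
        """A release request is accepted at any point in the machine cycle;
        acting on it is what the methods below gate."""
        self.release_requested = True

    def release_timed(self, i: Inputs) -> bool:
        """Figure 63: contactor OFF and the preset worst-case time elapsed."""
        return (self.release_requested and not i.contactor_on
                and i.seconds_since_contactor_off >= self.worst_case_stop_s)

    def release_stopped_motion(self, i: Inputs) -> bool:
        """Figure 64: contactor OFF and zero speed positively confirmed.
        A missing reading is not 'stopped', so it blocks the release."""
        return (self.release_requested and not i.contactor_on
                and i.speed_rpm is not None and i.speed_rpm == 0.0)

    def release_safe_slow_speed(self, i: Inputs) -> bool:
        """Safe slow speed access: release only while speed is at or below
        the preset threshold (motor may still be running)."""
        return (self.release_requested and i.speed_rpm is not None
                and i.speed_rpm <= self.slow_speed_limit_rpm)

    def slow_speed_power_permitted(self, i: Inputs) -> bool:
        """After release, power continues only while the threshold is not
        exceeded and the enabling device is held in its middle position.
        Any other state (threshold exceeded, device released or fully
        pressed, no speed reading) removes power immediately."""
        return (i.speed_rpm is not None
                and i.speed_rpm <= self.slow_speed_limit_rpm
                and i.enabling_middle)


if __name__ == "__main__":
    logic = LockReleaseLogic(worst_case_stop_s=8.0, slow_speed_limit_rpm=25.0)
    logic.request_release()
    scan = Inputs(contactor_on=False, seconds_since_contactor_off=3.0, speed_rpm=0.0)
    print("timed release:", logic.release_timed(scan))
    print("stopped-motion release:", logic.release_stopped_motion(scan))
```

Three seconds after the contactor drops out the timed scheme still waits (the constructed worst-case stopping time is 8 s), while the stopped-motion scheme, having confirmed zero speed, already releases; that is the efficiency gain the text describes, bought with a safety-rated speed monitor.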

Most guard locking switches are adaptations of tongue interlocks. A solenoid is added to the interlock. The solenoid locks the actuator in place. There are two types of solenoid locking:


  1. Power-to-unlock
  2. Power-to-lock

Power-to-unlock devices require power to the solenoid to unlock the actuator. As long as power is applied to the solenoid, the door can be opened. With power removed from the solenoid, the guard locks as soon as it is closed.

During a power loss, the gate remains closed and locked. If the guard locking device is used in full body access applications, a method of escape must be provided in case someone becomes locked in the hazard area. This is accomplished by providing a rotating lever, a pushbutton, or mechanical methods, as shown in Figure 65.


Figure 65: Escape Methods for Guard Locking

Power-to-lock devices require power to the solenoid to lock the guard. A risk assessment must consider the potential hazardous situations that may arise if power is lost and the gate becomes unlocked while the machine is running down.

An important criterion when selecting guard locking interlocks is the holding force. How much force is required to hold the guard locked? When the door is manually operated, holding force can be minimal. Depending on where the guard locking switch is installed, operating leverage may suggest higher holding forces. Motorized doors may require higher holding forces.


Figure 66: Inline and Offset Solenoid

Another important criterion for the selection process involves the relationship of the solenoid and the actuator. Two relationships exist: inline and offset, as shown in Figure 66. The solenoid is in the same axis as the actuator contacts or the solenoid is offset from the actuator contacts. The offset arrangement provides separate contacts that provide status of the solenoid.

The inline arrangement does not provide separate contacts for the solenoid. The inline arrangement is a little easier to apply. The offset arrangement provides more information on the operation of the switch. With the offset arrangement, the machine designer must ensure the solenoid status is monitored by the safety system. Selection of either arrangement is based on user preference.

A second type of guard locking device is manually operated and the guard can be opened at any time. A handle or knob that releases the guard lock also opens the control circuit contacts.


On a device such as the bolt switch, a time delay is imposed. The bolt which locks the guard in place operates the contacts and is withdrawn by turning the operating knob. The first few turns open the contacts but the locking bolt is not fully retracted until the knob is turned many more times (taking up to 20 seconds). These devices are simple to apply and they are extremely rugged and reliable. The time delay bolt switch is suitable mainly for sliding guards.

The stopping time of the hazard must be predictable and it must not be possible for the bolt to be withdrawn before the hazard has ceased. It must only be possible to extend the bolt into its locked position when the guard is fully closed. This means that it will be necessary to add stops to restrict the travel of the guard door, as shown in Figure 67.


Figure 67: Sliding Bolt Interlock

Non-Contact Interlock Switches

Some of the latest functional safety standards focus on the need for complete fault tolerance as part of the requirements for devices used at high risk levels (e.g. SIL 3 or PLe). In theory, mechanically actuated switches have single points of failure (e.g. the tongue actuator) even though they have two electrical switching channels. Dual channel non-contact switches may therefore be preferred in these cases because they generally do not have such single mechanical failure points.

For non-contact interlocks, no physical contact (under normal conditions) takes place between the switch and actuator. Therefore positive mode operation cannot be used as the way of ensuring the switching action, and we need to use other methods to achieve equivalent performance.


Redundancy

Just as described in the section on tongue interlock switches, a high level of safety can be provided by non-contact devices designed with component duplication (or redundancy). In case of a failure of one component there is another one ready to perform the safety function and also a monitoring function to detect that first failure. In some cases it can be an advantage to design devices with components that have the same function but different failure mechanisms. This is referred to as diverse redundancy. A typical example is the use of one normally open contact and one normally closed contact.


Oriented Failure Mode

With simple devices we can use components with an oriented failure mode as explained in ISO 12100-2. This means using components in which the predominant failure mode is known in advance and always the same. The device is designed so that anything likely to cause a failure will also cause the device to switch off.

An example of a device using this technique is a magnetically actuated non-contact interlock switch. The contacts are connected with an internal non-reset overcurrent protection device. Any overcurrent situation in the circuit being switched will result in an open circuit at the protection device that is designed to operate at a current well below that which could endanger the safety-related contacts.


Due to the use of special components, the safety-critical fault likely to occur would be a welding of the reed contacts due to excessive current being applied to the switch as illustrated in Figure 68. This is prevented by the non-reset overcurrent protection device. There is a large margin of safety between the rating of this device and the reed contacts. Because it is non-reset, the switch should be protected by a suitably rated external fuse. The Allen-Bradley Guardmaster Ferrogard interlocks use this technique.

Figure 68: Simple Magnetic Operated Noncontact Interlock

Non-contact devices are designed with smooth enclosures and are fully sealed, making them ideal for food and beverage applications as they have no dirt traps and can be pressure cleaned. They are extremely easy to apply and have a considerable operating tolerance so they can accept some guard wear or distortion and still function properly.

One important consideration when applying non-contact switches is their sensing range and tolerance to misalignment. Each product family has an operating curve showing sensing range and tolerance to misalignment, as shown in Figure 69.


Figure 69: Non-Contact Operating Curve

Another important consideration for applying non-contact switches is the direction of approach of the actuator, as shown in Figure 70. The coding techniques determine which approaches are acceptable.

Figure 70: Approach of Actuator Affects Performance

Defeatability—Non-Contact Interlock Switches

It is important that the switch is only operated by its intended actuator. This means that ordinary proximity devices which sense ferrous metal are not appropriate. The switch should be operated by an "active" actuator.

When protection against defeatability by simple tools (a screwdriver, pliers, wire, coin, or a single magnet) is deemed necessary by the risk assessment, the noncoded actuation types must be installed so that they cannot be accessed while the guard is open. An example of this is shown in Figure 71. They should also be installed where they are not subjected to extraneous interference by magnetic/electric fields.


Figure 71: Sliding Guard Protects Access to Sensor

A high level of security against defeat can be achieved by using a coded actuator and sensor. For magnetically actuated and coded devices the actuator incorporates multiple magnets arranged to create multiple specific magnetic fields. The sensor has multiple reed switches specifically arranged to operate only with the specific magnetic fields of the actuator. Unique coding, where an individual actuator is "tuned" to an individual sensor, is generally not feasible using magnetic coding techniques.

The reed switches used with magnetically coded switches are often small. To avoid the risk of welded contacts some switches use one normally open contact and one normally closed contact as outputs. This is based on the premise that you cannot weld an open contact. The logic device or control unit must be compatible with the N.C. + N.O. circuit arrangement and must also provide overcurrent protection. The Allen-Bradley Guardmaster Sipha interlocks use the coded magnetic technique.


RFID Non-Contact Interlock Switches

Non-contact interlock switches based on RFID (Radio Frequency Identification) technology can provide a very high level of security against defeat by “simple” tools. This technology can also be used to provide devices with unique coding for applications where security is paramount.

The use of RFID technique has many other important advantages. It is suitable for use with high integrity circuit architectures such as Category 4 or SIL 3.

It can be incorporated into devices with fully sealed IP69K enclosures manufactured from plastic or stainless steel.

When RFID technology is used for coding, and inductive technology for sensing, a large sensing range and tolerance to misalignment can be achieved, typically 15…25 mm. This means that these devices can provide very stable and reliable service combined with high levels of integrity and security over a wide range of industrial safety applications.

The Allen-Bradley Guardmaster SensaGuard interlocks use the RFID technique.


Hinge Switches

The device is mounted over the hinge-pin of a hinged guard as shown in Figure 72. The opening of the guard is transmitted via a positive mode operating mechanism to the control circuit contacts.

Figure 72: Hinge Switch Installation

When properly installed these types of switches are ideal for most hinged guard doors where there is access to the hinge center line. They can isolate the control circuit within 3° of guard movement and they are virtually impossible to defeat without dismantling the guard.

Care must be taken since an opening movement of only 3° can still result in a significant gap at the opening edge on very wide guard doors. It is also important to ensure that a heavy guard does not put excessive stress on the switch actuator shaft.


Position (Limit Switch) Interlocks

Cam operated actuation usually takes the form of a positive mode limit (or position) switch and a linear or rotary cam (as shown in Figure 73). It is generally used on sliding guards. When the guard is opened, the cam forces the plunger down to open the control circuit contacts. The simplicity of the system allows the switch to be both small and reliable.

Figure 73: Positive Mode Limit Switch

Position (limit) interlocks must not be used on lift-off or hinged guards.

It is extremely important that the switch plunger can only extend when the guard is fully closed. This means that it may be necessary to install additional stops to limit the guard movement in both directions.

It is necessary to fabricate a suitably profiled cam that will operate within defined tolerances. The guard-mounted cam must never become separated from the switch as this will cause the switch contacts to close. Such a system can be prone to failures due to wear, especially when badly profiled cams or the presence of abrasive materials is a factor.

It is often advisable to use two switches as shown in Figure 74. One operates in positive mode (direct action to open contact), and one operates in negative mode (spring return).


Figure 74: Diverse Redundant Position Switches

Trapped Key Interlocks

Trapped keys can perform control interlocking as well as power interlocking. With “control interlocking,” an interlock device initiates a stop command to an intermediate device, which turns off a subsequent device to disconnect the energy from the actuator. With “power interlocking,” the stop command directly interrupts the energy supply to the machine actuators.

The most practical method of power interlocking is a trapped key system (see Figure 75). The power isolation switch is operated by a key that is trapped in position while the switch is in the ON position. When the key is turned, the isolation switch contacts are locked open (isolating the power supply) and the key can be withdrawn.


Figure 75: Power Interlocking with Trapped Key System

The guard door is locked closed and the only way to unlock it is by using the key from the isolator. When turned to release the guard locking unit, the key is trapped in position and cannot be removed until the guard is closed and locked again.

Therefore it is impossible to open the guard without first isolating the power source and it is also impossible to switch on the power without closing and locking the guard.

This type of system is extremely reliable and has the advantage of not requiring electrical wiring to the guard. The main disadvantage is that because it requires the transfer of the key every time, it is not suitable if guard access is required frequently.

Whenever whole body access is required, the use of a personnel key is recommended. As shown in Figure 76, the “B” key is the personnel key. The “B” key is taken by the operator into the hazard area. The trapped key range is available in double, triple, and quad key versions for multiple access points. The use of a personnel key ensures that the operator cannot be locked in the guarded area. The key can also be taken into the cell and inserted into another switch to enable functions like robot teach and machine jog modes.


Figure 76: Full Body Access—Operator Takes "B" Key

In another example shown in Figure 77, rotate and remove Key "A" from the power isolator. Power is then OFF. To gain access through guard doors Key "A" is inserted and rotated in the Key Exchange Unit. Both "B" Keys are then released for guard locks. Key "A" is trapped preventing power from being switched on. Two "C" Keys are released from the guard door locks for use in the next sequence step or as personnel keys.

Figure 77: Multiple Doors Are Accessible

Figure 78 shows another example of a trapped key interlock application. By using both single and double key locking units and keys with different codes together with a key exchange unit, complex systems can be formed. Besides ensuring that the power is isolated before access can be gained, it is also possible to use the system to enforce a pre-defined sequence of operation.

Figure 78: Defined Sequence of Events
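The key transfer sequence of Figure 77 (isolator key "A", exchange unit releasing two "B" keys, guard locks each releasing a "C" personnel key) is modelled below as an added example; it is not code from the original page or from any trapped key product, and the key names, locations and method names are assumptions chosen to follow the figure. Each lock traps the key it holds, and a key can only be inserted if it is actually in hand, so the property the text relies on, that power cannot be restored while any guard is unlocked, falls out of the key accounting rather than from a separate check.

```python
class TrappedKeySystem:
    """Key-transfer model of Figure 77 (constructed, illustrative only)."""

    def __init__(self):
        self.power_on = True
        # Where each key currently is. A key in a lock is trapped there;
        # "free" means the key is in someone's hand.
        self.keys = {"A": "isolator",
                     "B1": "exchange", "B2": "exchange",
                     "C1": "door1", "C2": "door2"}
        self.door_locked = {"door1": True, "door2": True}
        self.b_for_door = {"door1": "B1", "door2": "B2"}
        self.c_for_door = {"door1": "C1", "door2": "C2"}

    def _take(self, key, from_loc):
        """A lock releases a key only from the position it traps it in."""
        if self.keys[key] != from_loc:
            raise PermissionError(f"{key} is not held at {from_loc}")
        self.keys[key] = "free"

    def _put(self, key, loc):
        """A key can be inserted only if it is in hand, i.e. not trapped elsewhere."""
        if self.keys[key] != "free":
            raise PermissionError(f"{key} is not in hand (it is at {self.keys[key]})")
        self.keys[key] = loc

    def isolate_power(self):
        """Turn A in the isolator: contacts lock open, A is released."""
        self.power_on = False
        self._take("A", "isolator")

    def restore_power(self):
        """A must go back into the isolator, where it is trapped while ON."""
        self._put("A", "isolator")
        self.power_on = True

    def exchange_a_for_bs(self):
        """Insert A in the exchange unit: A is trapped, both B keys are released."""
        self._put("A", "exchange")
        self._take("B1", "exchange")
        self._take("B2", "exchange")

    def exchange_bs_for_a(self):
        """Both B keys must be back in the exchange unit before A is released."""
        self._put("B1", "exchange")
        self._put("B2", "exchange")
        self._take("A", "exchange")

    def unlock_door(self, door):
        """Insert the door's B key: B trapped, guard unlocked, personnel key C released."""
        self._put(self.b_for_door[door], door)
        self.door_locked[door] = False
        self._take(self.c_for_door[door], door)

    def lock_door(self, door):
        """Return C to the door lock: guard locked again, B released."""
        self._put(self.c_for_door[door], door)
        self.door_locked[door] = True
        self._take(self.b_for_door[door], door)

    def invariant_holds(self) -> bool:
        """Power may only be ON while every guard is locked."""
        return (not self.power_on) or all(self.door_locked.values())


if __name__ == "__main__":
    s = TrappedKeySystem()
    s.isolate_power()
    s.exchange_a_for_bs()
    s.unlock_door("door1")
    print("C1 in hand:", s.keys["C1"] == "free", "| invariant:", s.invariant_holds())
```

With door1 open the operator holds C1 as a personnel key, B1 is trapped in the door lock, and A is trapped in the exchange unit; any attempt to restore power at that point fails because A is simply not available, which is the mechanical guarantee the text describes.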

Because the entire safety of this type of system depends on its mechanical operation it is critical that the principles and materials used are suitable for the expected demand made on them.

If an isolation switch is part of the system it should have positive mode operation and it should satisfy the requirements of the relevant parts of IEC 60947.

The integrity and security of the system revolves around the fact that under certain conditions the keys are trapped in place, therefore two basic features need to be ensured:

1. THE LOCK CAN ONLY BE OPERATED BY THE DEDICATED KEY.

This means that it should not be possible to "cheat" the lock by using screwdrivers, etc., or defeat the mechanism by mistreating it in any straightforward manner. Where there is more than one lock on the same site it also means that the specifying of key codes must in itself prevent any possibility of spurious operation.

2. IT IS NOT POSSIBLE TO OBTAIN THE KEY IN ANY WAY OTHER THAN THE INTENDED MANNER.

This means that, for example, once the key is trapped, any excessive force applied to it will result in a broken key as opposed to a broken lock.


Operator Interface Devices

Stop Function

In the U.S., Canada, Europe, and at the international level, harmonization of standards exists with regard to the descriptions of stop categories for machines or manufacturing systems.

NOTE: these categories are different from the categories of EN 954-1 (ISO 13849-1). See standards NFPA79 and IEC/EN60204-1 for further details. Stops fall into three categories:



These stop categories must be applied to each stop function, where the stop function is the action taken by the safety related parts of the control system in response to an input; category 0 or 1 should be used. Stop functions must override related start functions. The selection of the stop category for each stop function must be determined by a risk assessment.

Emergency Stop Function

The emergency stop function must operate as either a category 0 or category 1 stop, as determined by a risk assessment. It must be initiated by a single human action. When executed, it must override all other functions and machine operating modes. The objective is to remove power as quickly as possible without creating additional hazards.

Until recently, hardwired electro-mechanical components were required for e-stop circuits. Recent changes to standards such as IEC 60204-1 and NFPA 79 mean that safety PLCs and other forms of electronic logic meeting the requirements of standards like IEC 61508 can be used in the e-stop circuit.


Emergency Stop Devices

Wherever there is a danger of an operator getting into trouble on a machine there must be a facility for fast access to an emergency stop device. The e-stop device must be continuously operable and readily available. Operator panels should contain at least one e-stop device. Additional e-stop devices may be used at other locations as needed. E-Stop devices come in various forms. Pushbutton switches and cable pull switches are examples of the more popular type devices. When the e-stop device is actuated, it must latch in and it must not be possible to generate the stop command without latching in. The resetting of the emergency stop device must not cause a hazardous situation. A separate and deliberate action must be used to re-start the machine.

For further information on e-stop devices, read ISO/EN13850, IEC 60947-5-5, NFPA79 and IEC60204-1, AS4024.1, Z432-94.


Emergency Stop Buttons

Emergency stop devices are considered complementary safeguarding equipment. They are not considered primary safeguarding devices because they do not prevent access to a hazard nor do they detect access to a hazard.

The usual way of providing this is in the form of a red-colored mushroom-headed push button on a yellow background which the operator strikes in the event of an emergency (see Figure 79). They must be strategically placed in sufficient quantity around the machine to ensure that there is always one in reach at a hazard point.


Figure 79: E-Stop Push Button—Red Colored Mushroom Head on a Yellow Background

E-Stop buttons must be readily accessible and must be available in all modes of machine operation. When a pushbutton is used as an e-stop device, it must be a mushroom (or palm operated) shaped, red colored, with a yellow background. When the button is pressed, the contacts must change state at the same time the button latches in the depressed position.

One of the latest technologies to be applied to e-stops is a self-monitoring technique. An additional contact is added to the back of the e-stop that monitors whether the contact block on the rear of the panel is still present. This is known as a self-monitoring contact block. It consists of a spring actuated contact that closes when the contact block is snapped into place onto the panel. Figure 80 shows the self-monitoring contact connected in series with one of the direct opening safety contacts.


Figure 80: Self-Monitoring Contacts on E-Stop

Cable Pull Switches

For machinery such as conveyors, it is often more convenient and effective to use a cable pull device along the hazard area (as shown in Figure 81) as the emergency stop device. These devices use a steel wire rope connected to latching pull switches so that pulling on the rope in any direction at any point along its length will trip the switch and cut off the machine power.


Figure 81: Cable Pull Switches

The cable pull switches must detect both a pull on the cable as well as when the cable goes slack. Slack detection ensures that the cable is not cut and is ready for use.

Cable distance affects performance of the switch. For short distances, the safety switch is mounted on one end and a tension spring mounted at the other. For longer distances, a safety switch must be mounted at both ends of the cable to ensure that a single action by the operator initiates a stop command.

The required cable pull force should not exceed 200 N (45 lb) or a distance of 400 mm (15.75 in.) at a position centered between two cable supports.


Two-Hand Controls

The use of two-hand controls (also referred to as bi-manual controls) is a common method of preventing access while a machine is in a dangerous condition. Two controls must be operated concurrently (within 0.5 s of each other) to start the machine. This ensures that both hands of the operator are occupied in a safe position (i.e., at the controls) and therefore cannot be in the hazard area. The controls must be operated continuously during the hazardous conditions. Machine operation must cease when either of the controls is released; if one control is released, the other control must also be released before the machine can be restarted.

A two-hand control system depends heavily on the integrity of its control and monitoring system to detect any faults, so it is important that this aspect is designed to the correct specification. Performance of the two-hand safety system is characterized into Types by ISO 13851 (EN 574), and the Types are related to the Categories from ISO 13849-1. The types most commonly used for machinery safety are IIIB and IIIC. Table 3 shows the relationship of the types to the categories of safety performance.


Requirements                            Type I   Type II   Type IIIA   Type IIIB   Type IIIC
Synchronous actuation                                      X           X           X
Use of Category 1 (from ISO 13849-1)    X                  X
Use of Category 3 (from ISO 13849-1)             X                     X
Use of Category 4 (from ISO 13849-1)                                               X

Table 3: Two-Hand Control Types and Categories

The physical design spacing should prevent improper operation (e.g., by hand and elbow). This can be accomplished by distance or shields as the examples shown in Figure 82.

Figure 82: Separation of Two-Hand Controls

The machine should not go from one cycle to another without the releasing and pressing of both buttons. This prevents the possibility of both buttons being blocked, leaving the machine running continuously. Releasing of either button must cause the machine to stop.

The use of two-hand control should be considered with caution as it usually leaves some form of risk exposed. The two-hand control only protects the person using them. The protected operator must be able to observe all access to the hazard, as other personnel may not be protected.

ISO 13851 (EN574) provides additional guidance on two-hand control.
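The timing and release rules above (synchronous actuation within 0.5 s, output only while both actuators are held, release of either stops the machine, full release of both before a new cycle, and no cycle-to-cycle operation with blocked buttons) can be written down as a small state machine. The following Python model is an added example, not code from the original document or from any product; the actuator names, the `cycle_complete()` call and the sample event sequence are constructed for the illustration.

```python
class TwoHandControl:
    """Software model of the two-hand control rules described in the text.

    Events are (actuator, pressed, time_s). The run output is True only while
    both actuators are held and they were pressed within the sync window.
    """

    def __init__(self, sync_window_s=0.5):
        self.sync_window_s = sync_window_s
        # Press timestamp per actuator, or None while released.
        self.pressed_at = {"left": None, "right": None}
        self.run = False
        # Set when a cycle ends, an actuator is released, or a press is rejected:
        # both actuators must then be released before a new cycle is allowed.
        self.need_full_release = False

    def update(self, actuator, pressed, t):
        """Apply one actuator event at time t (seconds); return the run output."""
        if pressed:
            if self.pressed_at[actuator] is None:   # ignore repeated 'pressed' samples
                self.pressed_at[actuator] = t
        else:
            self.pressed_at[actuator] = None

        left, right = self.pressed_at["left"], self.pressed_at["right"]

        if left is None and right is None:
            # Both released: the control is re-armed for the next cycle.
            self.need_full_release = False
            self.run = False
        elif left is None or right is None:
            # Only one actuator held: output off, and the other must be released too.
            if self.run:
                self.need_full_release = True
            self.run = False
        elif not self.run and not self.need_full_release:
            if abs(left - right) <= self.sync_window_s:
                self.run = True          # synchronous actuation accepted
            else:
                self.need_full_release = True   # asynchronous press rejected
        return self.run

    def cycle_complete(self):
        """Machine cycle finished: blocked buttons must not start the next one."""
        self.run = False
        self.need_full_release = True
        return self.run


def simulate(events, control=None):
    """Run a list of (actuator, pressed, t) events and return the output after each."""
    control = control or TwoHandControl()
    return [control.update(a, p, t) for a, p, t in events]


# Constructed sample: run, release one hand, re-press it (refused), full release, run again.
SAMPLE_EVENTS = [
    ("left", True, 0.0), ("right", True, 0.2),
    ("right", False, 1.0), ("right", True, 1.1),
    ("right", False, 1.5), ("left", False, 1.6),
    ("left", True, 2.0), ("right", True, 2.4),
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

The model deliberately keeps the press timestamp of an actuator that is still held, so a single hand that was never released cannot be "re-synchronised" by the other hand alone; the fault detection of the Type III monitoring channel (redundant contacts, cross-fault checks) is outside this logic model.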


Enabling Devices

Enabling devices are controls that allow an operator to enter a hazard area with the hazard running only while the operator is holding the enabling device in the actuated position. Enabling devices use either two-position or three-position types of switches. Two-position types are off when the actuator is not operated, and are on when the actuator is operated. Three-position switches are off when not actuated (position 1), on when held in the center position (position 2) and off when the actuator is operated past the mid position (position 3). In addition, when returning from position 3 to 1, the output circuit must not close when passing through position 2. This concept is shown in Figure 83.


Figure 83: Three-Position Enabling Switch Operation

Enabling devices must be used in conjunction with other safety related functions. A typical example is placing the motion in a controlled slow mode. Once in slow mode, an operator can enter the hazard area holding the enabling device.

When using an enabling device, a signal must indicate that the enabling device is active.
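The three-position behaviour, including the rule that the output must stay open while passing back through position 2 after the actuator was pushed to position 3, is easy to get wrong in software if the switch is treated as a plain "is it in the middle" test. The following Python model is an added example (not code from the original document or any product); the `slow_mode_active` signal and the `enable_active()` helper are assumed names standing for the other safety related function the text says must accompany the enabling device.

```python
class EnablingSwitch:
    """Model of a three-position enabling switch.

    position 1: released, output off
    position 2: held in the centre, output on (unless blocked)
    position 3: pushed through, output off; returning through 2 keeps it off
    until the switch has been fully released to position 1.
    """

    def __init__(self):
        self.position = 1
        self.blocked = False   # True after position 3 until a full release

    def move_to(self, position):
        """Move the actuator to a position and return the new output state."""
        if position not in (1, 2, 3):
            raise ValueError("position must be 1, 2 or 3")
        if position == 3:
            self.blocked = True      # 'panic' position latches the block
        elif position == 1:
            self.blocked = False     # full release re-arms the switch
        self.position = position
        return self.output()

    def output(self):
        """Enabling contact: closed only in position 2 and only if not blocked."""
        return self.position == 2 and not self.blocked


def enable_active(switch, slow_mode_active):
    """Enable signal to the motion controller (assumed interface).

    Hold-to-run is granted only when the operator holds position 2 AND the
    other safety related function (here: reduced-speed mode) is in force.
    The returned value doubles as the indication that the device is active.
    """
    return switch.output() and bool(slow_mode_active)


def walk(positions, switch=None):
    """Apply a sequence of positions; return the output after each move."""
    switch = switch or EnablingSwitch()
    return [switch.move_to(p) for p in positions]


if __name__ == "__main__":
    # Constructed sequence: squeeze, panic, release back through the centre, re-squeeze.
    print(walk([2, 3, 2, 1, 2]))
```

The `blocked` flag is the whole point: without it, a switch released from position 3 would re-enable motion for the instant the actuator passed through the centre.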


Logic Devices

Logic devices play the central role of the safety related part of the control system. Logic devices perform the checking and monitoring of the safety system and either allow the machine to start or execute commands to stop the machine.

A range of logic devices are available to create a safety architecture that meets the complexity and the functionality required for the machine. Small hardwired monitoring safety relays are most economical for smaller machines where a dedicated logic device is needed to complete the safety function. Modular and configurable monitoring safety relays are preferred where a large and diverse number of safeguarding devices and minimal zone control are required. The medium to large and more complex machine will find programmable systems with distributed I/O to be preferable.

Monitoring Safety Relays

Monitoring safety relay (MSR) modules play a key role in many safety systems. These modules are usually comprised of two or more positively guided relays with additional circuitry to ensure the performance of the safety function.

Positively guided relays are specialized “ice-cube” relays. Positively guided relays must meet the performance requirements of EN50025. Essentially, they are designed to prevent the normally closed and normally open contacts from being closed simultaneously. Newer designs replace the electromechanical outputs with safety rated solid state outputs.

Monitoring safety relays perform many checks on the safety system. Upon power-up, they perform self-checks on their internal components. When the input devices are activated, the MSR compares the results of redundant inputs. If acceptable, the MSR checks external actuators. If okay, the MSR awaits a reset signal to energize its outputs.

The selection of the appropriate safety relay is dependent on a number of factors: type of device it monitors, the type of reset, the number and type of outputs.


Inputs Types

Safeguarding devices have different types of methods of indicating something has happened:



Input Impedance

The input impedance of the monitoring safety relay determines how many input devices can be connected to the relay and how far away the input devices can be mounted. For example, a safety relay may have a maximum allowable input impedance of 500 ohms (Ω). When the input impedance is greater than 500 Ω, it will not switch on its outputs. Care must be taken by the user to ensure that the input impedance remains below the maximum specification. The length, size and type of wire used affect input impedance. Table 4 shows typical resistance of annealed copper wire at 25°C.


ISO Cross Section (mm2)   AWG Size   Ω per 1000 m   Ω per 1000 ft
0.5                       20         33.30          10.15
0.75                      18         20.95          6.385
1.5                       16         13.18          4.016
2.5                       14         8.28           2.525
4                         12         5.21           1.588

Table 4: Wire Resistance Values
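The loop resistance seen by the relay is the round trip of the two conductors plus the series contacts, so the Table 4 figures translate directly into a maximum cable run for a given cross section. The following Python helper is an added example, not part of the original document: the 500 Ω limit is the example value quoted in the text (the actual relay's data sheet governs), and the 0.1 Ω per contact is an assumed allowance for each series device.

```python
# Annealed copper at 25 C, ohm per 1000 m, values copied from Table 4.
OHM_PER_KM = {0.5: 33.30, 0.75: 20.95, 1.5: 13.18, 2.5: 8.28, 4.0: 5.21}

def loop_resistance(distance_m, cross_section_mm2, contacts=1, contact_ohm=0.1):
    """Resistance of a two-wire input loop to a device `distance_m` away.

    Both conductors carry the loop current, hence 2 x distance. `contacts` is
    the number of series contacts (gate switches, e-stops) in the loop and
    `contact_ohm` an assumed per-contact allowance (not a value from the text).
    """
    per_m = OHM_PER_KM[cross_section_mm2] / 1000.0
    return 2 * distance_m * per_m + contacts * contact_ohm

def input_ok(distance_m, cross_section_mm2, max_ohm=500.0, contacts=1):
    """True if the loop stays within the relay's maximum input impedance."""
    return loop_resistance(distance_m, cross_section_mm2, contacts) <= max_ohm

def max_distance_m(cross_section_mm2, max_ohm=500.0, contacts=1, contact_ohm=0.1):
    """Longest one-way run (m) that keeps the loop under `max_ohm`."""
    per_m = OHM_PER_KM[cross_section_mm2] / 1000.0
    return (max_ohm - contacts * contact_ohm) / (2 * per_m)

if __name__ == "__main__":
    for mm2 in sorted(OHM_PER_KM):
        print(f"{mm2} mm2: {max_distance_m(mm2):.0f} m one-way at 500 ohm")
```

The round trip is the detail most often forgotten: a 0.5 mm2 run of 8 km one-way is already 533 Ω of copper and the relay will refuse to energise even though every contact is closed.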

Number of Input Devices

The risk assessment process should be used to help determine how many input devices should be connected to a monitoring safety relay (MSR) and how often the input devices should be checked. To assure that E-Stops and gate interlocks are in an operational state, they should be checked for operation at regular intervals, as determined by the risk assessment. For example, a dual channel input MSR connected to an interlocked gate that must be opened every machine cycle (e.g., several times per day) may not have to be checked. This is because opening the guard causes the MSR to check itself, its inputs and its outputs (depending on configuration) for single faults. The more frequent the guard opening, the greater the integrity of the checking process.


Another example might be E-Stops. Since E-Stops are typically used only for emergencies, they are likely to be rarely used. Therefore a program should be established to exercise the E-Stops and confirm their effectiveness on a scheduled basis. Exercising the safety system in this way is called performing a Proof Test, and the time in between Proof Tests is called the Proof Test Interval. A third example might be access doors for machine adjustments, which like E-Stops might be rarely used. Here again a program should be established to exercise the checking function on a scheduled basis.

The risk assessment will help determine whether the input devices need to be checked and how often they should be checked. The higher the level of risk, the greater integrity required of the checking process. And the less frequent the "automatic" checking, the more frequent should be the imposed "manual" check.


Input Crossfault Detection

In dual channel systems, channel-to-channel short circuit faults of the input devices, also known as cross faults, must be detected by the safety system. This is accomplished by the sensing device or the monitoring safety relay.

Microprocessor based devices, such as monitoring safety relays, light curtains, laser scanners and the advanced non-contact sensors, detect these shorts in a variety of ways. One common way of detecting cross faults is by using diverse pulse testing, shown in Figure 84. The output signals are pulsed very quickly. The channel 1 pulse is offset from the channel 2 pulse. If a short occurs, the pulses occur concurrently and are detected by the device.


Figure 84: Pulse Testing to Detect Crossfaults

Electro-mechanical based monitoring safety relays employ a different diversity technique: one pull-up input and one pull-down input. This is shown in Figure 85. A short from Channel 1 to Channel 2 will make the overcurrent protection device active and the safety system will shut down.

Figure 85: Diverse Inputs Detect Crossfaults

Outputs

MSRs come with various numbers of outputs. The types of outputs help determine which MSR must be used in specific applications.

Most MSRs have at least 2 immediately operating safety outputs. MSR safety outputs are characterized as normally-open. These are safety rated due to the redundancy and internal checking.

A second type of output is delayed outputs. Delayed outputs are typically used in Category 1 stops, where the machine requires time to execute the stopping function before allowing access to the hazard area. Figure 86 shows the symbols used for immediate and delayed contacts.


Figure 86: Symbols for Contact Types

MSRs also have auxiliary outputs. Generally these are considered normally closed. Figure 87 shows three arrangements of normally closed contacts. The circuit on the left only allows the normally closed contacts to be used as auxiliary circuits as a single fault in CH1 or CH2 will close the circuit. The middle arrangement can be auxiliary usage as shown or safety usage if connected in series. The circuit on the right shows the normally closed contacts in a redundant arrangement, so they can be used in safety related circuits.

Figure 87: NC Contact Usage

Output Ratings

Output ratings describe the ability of the safeguarding device to switch loads. Typically, the ratings for industrial devices are described as resistive or electromagnetic. A resistive load may be a heater type element. Electromagnetic loads are typically relays, contactors, or solenoids, where the load has a large inductive characteristic. Annex A of standard IEC 60947-5-1, shown in Table 5, describes the ratings for loads.

Designation Letter: The designation is a letter followed by a number, for example A300.

The letter relates to the conventional enclosed thermal current and whether that current is direct or alternating. For example A represents 10 amps alternating current. The number stands for the rated insulation voltage. For example, 300 represents 300V.


                                  Rated Operational Current Ie (A) at Rated Operational Voltage Ue      VA
Designation  Utilization  Ith (A)  120V   240V   380V   480V   500V   600V                      Make    Break
A150         AC-15        10       6      -      -      -      -      -                         7200    720
A300         AC-15        10       6      3      -      -      -      -                         7200    720
A600         AC-15        10       6      3      1.9    1.5    1.4    1.2                       7200    720
B150         AC-15        5        3      -      -      -      -      -                         3600    360
B300         AC-15        5        3      1.5    -      -      -      -                         3600    360
B600         AC-15        5        3      1.5    0.95   0.92   0.75   0.6                       3600    360
C150         AC-15        2.5      1.5    -      -      -      -      -                         1800    180
C300         AC-15        2.5      1.5    0.75   -      -      -      -                         1800    180
C600         AC-15        2.5      1.5    0.75   0.47   0.375  0.35   0.3                       1800    180
D150         AC-14        1.0      0.6    -      -      -      -      -                         432     72
D300         AC-14        1.0      0.6    0.3    -      -      -      -                         432     72
E150         AC-14        0.5      0.3    -      -      -      -      -                         216     36

Direct Current                     125V   250V   400V   500V   600V                             Make    Break
N150         DC-13        10       2.2    -      -      -      -                                275     275
N300         DC-13        10       2.2    1.1    -      -      -                                275     275
N600         DC-13        10       2.2    1.1    0.63   0.55   0.4                              275     275
P150         DC-13        5        1.1    -      -      -      -                                138     138
P300         DC-13        5        1.1    0.55   -      -      -                                138     138
P600         DC-13        5        1.1    0.55   0.31   0.27   0.2                              138     138
Q150         DC-13        2.5      0.55   -      -      -      -                                69      69
Q300         DC-13        2.5      0.55   0.27   -      -      -                                69      69
Q600         DC-13        2.5      0.55   0.27   0.15   0.13   0.1                              69      69
R150         DC-13        1.0      0.22   -      -      -      -                                28      28
R300         DC-13        1.0      0.22   0.1    -      -      -                                28      28
("-" : no rating given at that voltage. Ith = conventional enclosed thermal current.)

Table 5: Contact Ratings for Inductive Load Switching

Utilization: The Utilization describes the types of loads the device is designed to switch. The utilizations relevant to IEC 60947-5 are shown in Table 6.

Utilization Description of Load
AC-12 Control of resistive loads and solid-state loads with isolation by opto-couplers
AC-13 Control of solid-state loads with transformer isolation
AC-14 Control of small electromagnetic loads (less than 72 VA)
AC-15 Electromagnetic loads greater than 72 VA
DC-12 Control of resistive loads and solid-state loads with isolation by opto-couplers
DC-13 Control of electromagnets
DC-14 Control of electromagnetic loads having economy resistors in circuit
 
Table 6: Utilization Categories

Thermal Current, Ith: The conventional enclosed thermal current is the value of current used for the temperature-rise tests of the equipment when mounted in a specified enclosure.

Rated Operational Voltage Ue and Current Ie: The rated operational current and voltage specify the making and breaking capacities of the switching elements under normal operating conditions. The Allen-Bradley Guardmaster products are specifically rated at 125V AC, 250V AC and 24V DC. Consult the factory for usage at voltages other than these specified ratings.

VA: The VA (Voltage x Amperage) ratings indicate the ratings of the switching elements when making the circuit as well as breaking the circuit.


Example 1: An A150, AC-15 rating indicates that the contacts can make a 7200 VA circuit. At 120V AC, the contacts can make a 60 amp inrush circuit. Since the AC-15 is an electromagnetic load, the 60 amp is only for a short duration: the inrush current of the electromagnetic load. The breaking of the circuit is only 720 VA because the steady state current of the electromagnetic load is 6 A, which is the rated operational current.

Example 2: An N150, DC-13 rating indicates that the contacts can make a 275 VA circuit. At 125V DC, the contacts can make a 2.2 amp circuit. DC electromagnetic loads do not have an inrush current like AC electromagnetic loads. The breaking of the circuit is also 275 VA because the steady state current of the electromagnetic load is 2.2 A, which is the rated operational current.


Machine Restart

If, for example, an interlocked guard is opened on an operating machine, the safety interlock switch will stop that machine. In most circumstances it is imperative that the machine does not restart immediately when the guard is closed. A common way of achieving this is to rely on a latching contactor start arrangement as shown in Figure 88. An interlocked guard door is used as an example here but the requirements apply to other protection devices and emergency stop systems.


Figure 88: Simple Machine Start Stop Interlock Circuit

Pressing and releasing the start button momentarily energizes the contactor control coil which closes the power contacts. As long as power is flowing through the power contacts the control coil is kept energized (electrically latched) via the contactor's auxiliary contacts which are mechanically linked to the power contacts. Any interruption to the main power or control supply results in the de-energizing of the coil and opening of the main power and auxiliary contacts. The guard interlock is wired into the contactor control circuit. This means that restart can only be achieved by closing the guard and then switching "ON" at the normal start button which resets the contactor and starts the machine.

The requirement for normal interlocking situations is made clear in ISO 12100-1 Paragraph 3.22.4 (extract).


When the guard is closed, the hazardous machine functions covered by the guard can operate, but the closure of the guard does not by itself initiate their operation.

Many machines already have either single or double contactors which operate as described above (or have a system which achieves the same result). When fitting an interlock to existing machinery it is necessary to determine whether the power control arrangement meets this requirement and take additional measures if necessary.


Reset Functions

Allen-Bradley Guardmaster monitoring safety relays are designed with either monitored manual reset or automatic/manual reset.

Monitored Manual Reset

A monitored manual reset requires a change of state of the reset circuit after the gate is closed or the E-Stop is reset. Figure 89 shows a typical configuration of a reset switch connected in the output monitoring circuit of a safety relay with a monitored manual reset function. The mechanically linked normally closed auxiliary contacts of the power switching contactors are connected in series with a momentary push button. After the guard has been opened and closed again, the safety relay will not allow the machine to be restarted until there is a change of state at the reset button. This is in compliance with the intent of the requirements for additional manual reset as given in EN ISO 13849-1, i.e., the reset function ensures that both contactors are OFF and that both interlock circuits (and therefore the guards) are closed and also (because a change of state is required) that the reset actuator has not been bypassed or blocked in any way. If these checks are successful the machine can then be restarted from the normal controls. EN ISO 13849-1 cites the change of state from energized to de-energized, but the same protective principle can also be achieved by the opposite effect.


Figure 89: Monitored Manual Reset

The reset switch should be located in a place that provides a good view of the hazard so that the operator can check that the area is clear before operation.

Auto/Manual Reset

Some safety relays have automatic/manual reset. The manual reset mode is not monitored and reset occurs when the button is pressed. A short-circuited or jammed-in reset switch will not be detected. With this approach it may not be possible to achieve the requirements for additional manual reset as given in EN ISO 13849-1 unless additional means are used.

Alternatively the reset line can be jumpered allowing an automatic reset. The user must then provide another mechanism for preventing machine start-up when the gate closes.

An auto-reset device does not require a manual switching action but after de-actuation it will always conduct a system integrity check before resetting the system. An auto-reset system should not be confused with a device without reset facilities. In the latter the safety system will be enabled immediately after de-actuation but there will be no system integrity check.
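The three restart rules in the sections above (closing the guard must not restart the machine; a monitored manual reset needs a change of state at the reset input after the guard is closed, so a jammed or shorted reset is not accepted; the contactor feedback must show both contactors OFF before the outputs energise) fit into a few lines of scan logic. The following Python model is an added example, not the logic of the Guardmaster relays or of any product; the signal names (`guard_closed`, `reset_pressed`, `k1_off`, `k2_off`, `start_pressed`) are assumed for the illustration, and the latching start circuit reproduces the behaviour described for Figure 88.

```python
class SafetyRelay:
    """Scan-based model of a safety relay with monitored manual or automatic reset."""

    def __init__(self, monitored_reset=True):
        self.monitored_reset = monitored_reset
        self.outputs_on = False
        self.reset_was_high = False   # previous sample of the reset input (edge detection)
        self.reset_armed = False      # a press has been seen since the guard closed

    def scan(self, guard_closed, reset_pressed, k1_off, k2_off):
        """One logic scan; returns True while the safety outputs are enabled.

        k1_off / k2_off: the mechanically linked N.C. auxiliary contacts of the
        two power contactors, closed (True) only when the contactor is released.
        """
        if not guard_closed:
            self.outputs_on = False      # interlock open: drop out immediately
            self.reset_armed = False
        elif not self.outputs_on:
            feedback_ok = k1_off and k2_off
            if self.monitored_reset:
                rising = reset_pressed and not self.reset_was_high
                falling = (not reset_pressed) and self.reset_was_high
                if rising and feedback_ok:
                    self.reset_armed = True
                # Enable on the energised-to-de-energised change of state, as
                # EN ISO 13849-1 cites; a stuck-high reset never produces it.
                if falling and self.reset_armed and feedback_ok:
                    self.outputs_on = True
                    self.reset_armed = False
            elif feedback_ok:
                # Automatic reset: no manual action, but the integrity check
                # (contactor feedback) still gates the outputs.
                self.outputs_on = True
        self.reset_was_high = reset_pressed
        return self.outputs_on


class LatchingStart:
    """Contactor start circuit of Figure 88: the coil latches through its own
    auxiliary contact in series with the safety relay output. Loss of the
    safety output unlatches it and a fresh start press is required."""

    def __init__(self):
        self.running = False

    def scan(self, safety_ok, start_pressed):
        if not safety_ok:
            self.running = False
        elif start_pressed:
            self.running = True
        return self.running


def guard_cycle(relay, starter):
    """Constructed sequence: reset, start, open guard, close guard.
    Returns the machine-running state after each scan."""
    steps = [
        # (guard_closed, reset_pressed, k1_off, k2_off, start_pressed)
        (True, False, True, True, False),   # guard closed, nothing pressed
        (True, True, True, True, False),    # reset pressed
        (True, False, True, True, False),   # reset released -> outputs enabled
        (True, False, False, False, True),  # start pressed -> contactors pull in
        (True, False, False, False, False), # start released, machine latched
        (False, False, True, True, False),  # guard opened -> everything drops
        (True, False, True, True, False),   # guard closed again: must NOT restart
    ]
    out = []
    for g, r, k1, k2, s in steps:
        out.append(starter.scan(relay.scan(g, r, k1, k2), s))
    return out


if __name__ == "__main__":
    print(guard_cycle(SafetyRelay(), LatchingStart()))
```

Note that the welded-contactor case is handled by the feedback check at reset time rather than during running, which mirrors the MSR behaviour described earlier (external actuators are checked before the outputs are energised).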

Control Guards

A control guard stops a machine when the guard is opened and directly starts it again when the guard is closed. The use of control guards is only allowed under certain stringent conditions because any unexpected start-up or failure to stop would be extremely dangerous. The interlocking system must have the highest possible reliability (it is often advisable to use guard locking). The use of control guards can ONLY be considered on machinery where there is NO POSSIBILITY of an operator or part of his body staying in or reaching into the danger zone while the guard is closed. The control guard must be the only access to the hazard area.


Safety Programmable Logic Controls

The need for flexible and scalable safety applications drove the development of safety PLCs/controllers. Programmable safety controllers provide users the same level of control flexibility in a safety application that they are accustomed to with standard programmable controllers. However, there are extensive differences between standard and safety PLCs. Safety PLCs, shown in Figure 90, come in various platforms to accommodate the scalability, functional and integration requirements of the more complex safety systems.

Figure 90: Safety PLC Platforms

Hardware

Redundancy of CPUs, memory, I/O circuits, and internal diagnostics are enhancements that safety PLCs have that are not required in a standard PLC. A safety PLC spends significantly more time performing internal diagnostics on memory, communications and I/O. These additional operations are needed to reach the required safety certification. This additional redundancy and these diagnostics are handled in the controller’s operating system, making them transparent to the programmer, so that safety PLCs program very much like standard PLCs do.

The microprocessors controlling these devices perform extensive internal diagnostics to ensure the performance of the safety function. Figure 91 provides an example block diagram of a safety PLC. Although microprocessor based controllers differ slightly from one family to another, similar principles are applied to achieve a safety rating.


Figure 91: 1oo2D Architecture

Multiple microprocessors are used to process the I/O, memory, and safe communications. Watchdog circuits perform diagnostic analysis. This type of construction is known as 1oo2D, because either one of the two microprocessors can perform the safety function, and extensive diagnostics are performed to ensure that both microprocessors are operating in sync.

Also, each input circuit is internally tested many times each second to make sure that it is operating correctly. Figure 92 shows a block diagram of an input. You may only hit the E-Stop once a month; but when you do, the circuit has been continuously tested so that the E-Stop will be sensed correctly internal to the safety PLC.


Figure 92: Block Diagram of a Safety Input Module

Safety PLC outputs are electromechanical or safety rated solid state. Figure 93 shows multiple switches in every output circuit of a safety PLC. Like the input circuits, the output circuits are tested multiple times every second to make sure that they can turn the output off. If one of the three fails, the output is turned off by the other two, and the fault is reported by the internal monitoring circuit.

Figure 93: Safety Output Module Block Diagram

When using safety devices with mechanical contacts (E-stops, gate switches, etc.), the user can apply pulse test signals to detect cross faults. To avoid using up expensive safety outputs, many safety PLCs provide specific pulsing outputs that can be connected to mechanical contact devices. A wiring example is shown in Figure 94. In this example, outputs O1, O2, O3, and O4 are all pulsing at different rates. The safety PLC expects to see these different pulse rates reflected in the inputs. If identical pulse rates are detected, a cross fault has occurred and appropriate action is taken in the safety PLC.

Figure 94: Pulse Testing of 2 N.C. Mechanical Inputs
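Both the offset-pulse scheme of Figure 84 (monitoring safety relays) and the different-rate pulsing outputs of Figure 94 (safety PLCs) rely on the same check: each input channel must carry only the test pattern of its own output, and a short between the channel wires makes an input carry a pattern it should not. The Python simulation below is an added example covering both passages; it is not code from the original document or any product. The wiring model, the tick-based pulse patterns and the fault names are constructed for the illustration, and the pull-up/pull-down diversity of Figure 85 is not modelled.

```python
def pulse_pattern(period, pulse_width, offset, length):
    """Nominally high test output with a periodic low-going test pulse.

    One list element per sample tick: 1 = high, 0 = test pulse. Channel 1 and
    channel 2 use different offsets (or periods) so their pulses never coincide.
    """
    return [0 if t >= offset and (t - offset) % period < pulse_width else 1
            for t in range(length)]


def wire(outputs, contacts_closed, cross_fault):
    """Model of the field wiring from two test outputs through a 2 N.C. device.

    outputs         : (o1, o2) test output levels at this tick
    contacts_closed : (c1, c2) True while the N.C. contact of that channel is closed
    cross_fault     : True if the two channel conductors are shorted together
    Returns the two input samples. With a short, a low on either output pulls
    both conductors down, so both inputs see the combined pattern.
    """
    o1, o2 = outputs
    c1, c2 = contacts_closed
    if cross_fault:
        level = o1 and o2
        return (level if c1 else 0, level if c2 else 0)
    return (o1 if c1 else 0, o2 if c2 else 0)


def diagnose(in1, in2, exp1, exp2):
    """Compare the sampled inputs with the per-channel expected patterns."""
    if all(s == 0 for s in in1) and all(s == 0 for s in in2):
        return "STOP_REQUEST"      # both contacts open: the device was actuated
    if in1 == exp1 and in2 == exp2:
        return "OK"                # each channel mirrors only its own test output
    if in1 == in2 and in1 != exp1:
        return "CROSS_FAULT"       # both inputs carry the same combined pattern
    return "CHANNEL_FAULT"         # one channel open or otherwise inconsistent


def run_test(contacts_closed, cross_fault, length=40):
    """Drive both channels for `length` ticks and return the diagnosis."""
    exp1 = pulse_pattern(period=10, pulse_width=1, offset=0, length=length)
    exp2 = pulse_pattern(period=10, pulse_width=1, offset=5, length=length)
    in1, in2 = [], []
    for t in range(length):
        s1, s2 = wire((exp1[t], exp2[t]), contacts_closed, cross_fault)
        in1.append(s1)
        in2.append(s2)
    return diagnose(in1, in2, exp1, exp2)


if __name__ == "__main__":
    for closed, short in [((True, True), False), ((True, True), True),
                          ((False, False), False), ((False, True), False)]:
        print(closed, "short" if short else "no short", "->", run_test(closed, short))
```

The simulation also shows why the test pulses must be short relative to the input filter of the logic device: a pulse long enough to be read as "contact open" by the safety logic would itself trip the stop function.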

Software

Safety PLCs program very much like standard PLCs do. All of the additional diagnostics and error checking mentioned earlier is done by the operating system, so the programmer is not even aware that it is happening. Most safety PLCs will have special instructions used to write the program for the safety system, and these instructions tend to mimic the function of their safety relay counterparts. For example, the Emergency Stop instruction in Figure 95 operates very much like an MSR127. Though the logic behind each of these instructions is complex, the safety programs look relatively simple because the programmer simply connects these blocks together. These instructions, along with other logical, math, data manipulation, etc. instructions are certified by a third party to ensure their operation is consistent with the applicable standards.


Figure 95: E-Stop Function Block

Function blocks are the predominant method for programming safety functions. In addition to Function Blocks and Ladder Logic, safety PLCs also provide certified safety application instructions. Certified safety instructions provide application specific behavior. Figure 95 shows an emergency stop instruction. To accomplish the same function in ladder logic would require approximately 16 rungs of ladder logic. Since the logic behavior is embedded in the E-Stop instruction, the embedded logic does not have to be tested.

Certified function blocks are available to interface with almost all safety devices. One exception to this list is the safety edge that uses resistive technology. Here is a list of certified application instructions available in the GuardPLC.


1. Diverse (1 N.O. + 1 N.C.) Input with Auto Reset
2. Diverse (1 N.O. + 1 N.C.) Input with Manual Reset
3. Emergency Stop with Auto Reset
4. Emergency Stop with Manual Reset
5. Redundant (2 N.C.) Input with Auto Reset
6. Redundant (2 N.C.) Input with Manual Reset
7. Redundant Output with Positive Feedback
8. Redundant Output with Negative Feedback
9. Enable Pendant with Auto Reset
10. Enable Pendant with Manual Reset
11. Two Hand Run Station with Active Pin
12. Two Hand Run Station without Active Pin
13. Light Curtain with Auto Reset
14. Light Curtain with Manual Reset
15. Five Position Mode Selector
16. Single Pulse Test Output
17. Redundant Pulse Test Output

Safety PLCs generate a “signature” that provides the ability to track whether changes were made. This signature is usually a combination of the program, input/output configuration, and a time stamp. When the program is finalized and validated, the user should record this signature as part of the validation results for future reference. If the program needs modification, revalidation is required and a new signature must be recorded. The program can also be locked with a password to prevent unauthorized changes.
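A controller's safety signature is computed by its own firmware, but the principle of recording it in the validation file and comparing it later is easy to demonstrate. The following Python stand-in is an added example, not the algorithm used by any safety PLC: it hashes a canonical encoding of the safety program, the I/O configuration and the validation time stamp, and checks a recorded value with a constant-time comparison. The program text, I/O map and time stamp are constructed sample data.

```python
import hashlib
import hmac
import json


def safety_signature(program: str, io_config: dict, validated_at: str) -> str:
    """Signature over program + I/O configuration + validation time stamp.

    The JSON is emitted with sorted keys and no whitespace so that only the
    content, not dictionary ordering or formatting, influences the hash.
    """
    payload = json.dumps(
        {"program": program, "io": io_config, "validated_at": validated_at},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()[:16]   # short form for the record


def signature_matches(recorded: str, program: str, io_config: dict, validated_at: str) -> bool:
    """True if the controller's current contents still match the validation record."""
    current = safety_signature(program, io_config, validated_at)
    return hmac.compare_digest(recorded, current)


# Constructed sample contents of a validated safety task.
VALIDATED_PROGRAM = "ESTOP(ch_a, ch_b, reset) -> k1_enable\nGATE(door_a, door_b) -> k1_enable\n"
VALIDATED_IO = {"in": {"0": "estop_ch_a", "1": "estop_ch_b", "2": "door_a", "3": "door_b"},
                "out": {"0": "k1_enable"},
                "pulse": {"0": "test_out_1", "1": "test_out_2"}}
VALIDATED_TS = "2010-01-01T00:00:00Z"   # placeholder time stamp, not from the page

# The value written into the validation record when the program was finalised.
RECORDED_SIGNATURE = safety_signature(VALIDATED_PROGRAM, VALIDATED_IO, VALIDATED_TS)


def audit(program: str, io_config: dict, validated_at: str) -> str:
    """Maintenance check: has anything changed since validation?"""
    if signature_matches(RECORDED_SIGNATURE, program, io_config, validated_at):
        return "unchanged since validation"
    return "CHANGED: revalidate and record a new signature"


if __name__ == "__main__":
    print(RECORDED_SIGNATURE, audit(VALIDATED_PROGRAM, VALIDATED_IO, VALIDATED_TS))
    print(audit(VALIDATED_PROGRAM + "JUMPER(door_a)\n", VALIDATED_IO, VALIDATED_TS))
```

Because the I/O configuration is part of the hash, re-mapping a terminal through software (which the text notes is how safety PLC wiring is assigned) changes the signature just as a logic edit does, which is exactly the property that makes the recorded value useful as a tamper and change indicator.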

Wiring is simplified with programmable logic systems as compared to monitoring safety relays. Unlike wiring to specific terminals on monitoring safety relays, input devices are connected to any input terminals and output devices are connected to any output terminals. The terminals are then assigned through software.

Integrated Safety Controllers

Safety control solutions now provide complete integration within a single control architecture where safety and standard control functions reside and work together. The ability to perform motion, drive, process, batch, high speed sequential and SIL 3 safety control in one controller provides significant benefits. The integration of safety and standard control provides the opportunity to utilize common tools and technologies, which reduces the costs associated with design, installation, commissioning and maintenance. The ability to utilize common control hardware, distributed safety I/O or devices on safety networks, and common HMI devices reduces purchase and maintenance costs and also reduces development time. All of these features improve productivity, speed up troubleshooting and lower training costs through commonality.

Figure 96 shows an example of the integration of control and safety. The standard non-safety related control functions reside in the Main Task. The safety related functions reside in the Safety Task.


Figure 96: Integrated Safety and Nonsafety Tasks

All standard and safety related functions are isolated from each other. Figure 97 shows a block diagram of allowed interaction between the standard and safety portions of the application. For example, safety tags can be directly read by the standard logic. Safety tags can be exchanged between GuardLogix controllers over EtherNet, ControlNet or DeviceNet. Safety tag data can be directly read by external devices, Human Machine Interfaces (HMI), personal computers (PC) or other controllers.

Figure 97: Standard and Safety Task Interaction

1. Standard tags and logic behave the same as ControlLogix.
2. Standard tag data, program or controller scoped, is shared with external devices (HMIs, PCs, other controllers, etc.).
3. As an integrated controller, GuardLogix provides the ability to move (map) standard tag data into safety tags for use within the safety task. This gives users the ability to read status information from the standard side of GuardLogix. This data must not be used to directly control a safety output.
4. Safety tags can be directly read by standard logic.
5. Safety tags can be read or written by safety logic.
6. Safety tags can be exchanged between GuardLogix controllers over EtherNet.
7. Safety tag data, program or controller scoped, can be read by external devices, HMIs, PCs, other controllers, etc. Note that once this data is read, it is considered standard data, not safety data.
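Rule 3 above (mapped standard data must not control a safety output) is easy to break indirectly, by feeding a mapped tag into an intermediate safety tag that later drives an output. The following added example, which is not part of the original page or the GuardLogix product, is an offline design check over a constructed model of a safety task with hypothetical tag names: each safety tag is listed with the tags it is computed from, and the audit reports every safety output that a mapped standard tag can reach. It goes slightly beyond the page's wording in that it follows the dependency through intermediate tags, since an intermediate tag does not change the fact that standard data is deciding the output.

```python
# Constructed model of a GuardLogix-style application with hypothetical tag
# names. The safety task's logic is reduced to "tag <- tags it is computed
# from"; this is an added offline design check, not controller firmware.
SAFETY_INPUTS = {"ESTOP_OK", "GATE_CLOSED"}

# Standard tags that have been mapped into safety tags for status display.
MAPPED_STANDARD = {"LINE_SPEED_STD", "OPERATOR_PRESENT_STD"}

# Safety tags that drive safety outputs.
SAFETY_OUTPUTS = {"SAFE_OUT_1", "SAFE_OUT_2"}

SAFETY_LOGIC = {
    "ZONE_OK": ["ESTOP_OK", "GATE_CLOSED"],
    "SAFE_OUT_1": ["ZONE_OK"],                          # clean: safety inputs only
    "RUN_PERMIT": ["ZONE_OK", "OPERATOR_PRESENT_STD"],  # mixes in mapped standard data
    "SAFE_OUT_2": ["RUN_PERMIT"],                       # indirectly depends on it
    "HMI_STATUS": ["ZONE_OK", "LINE_SPEED_STD"],        # status only: allowed
    "LATCH": ["LATCH", "ZONE_OK"],                      # feedback loop, common in ladder
}


def mapped_sources(tag, logic, mapped):
    """Return the mapped standard tags that flow into `tag`, directly or
    through intermediate safety tags. Iterative DFS with a visited set
    terminates on the latches and feedback loops typical of ladder logic."""
    found, seen, stack = set(), set(), [tag]
    while stack:
        t = stack.pop()
        if t in seen:
            continue
        seen.add(t)
        if t in mapped:
            found.add(t)
            continue
        stack.extend(logic.get(t, []))
    return found


def audit(logic, outputs, mapped):
    """Map each offending safety output to the sorted list of mapped standard
    tags that can influence it; an empty report means the rule holds."""
    report = {}
    for out in sorted(outputs):
        srcs = mapped_sources(out, logic, mapped)
        if srcs:
            report[out] = sorted(srcs)
    return report


if __name__ == "__main__":
    for out, srcs in audit(SAFETY_LOGIC, SAFETY_OUTPUTS, MAPPED_STANDARD).items():
        print(f"{out}: controlled by mapped standard data {srcs}")
```

In the constructed model, SAFE_OUT_1 passes, HMI_STATUS is allowed to carry mapped data because it is read-only status, and SAFE_OUT_2 is flagged because OPERATOR_PRESENT_STD reaches it through RUN_PERMIT.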

Safety Networks

Plant floor communication networks have traditionally provided manufacturers the capability to improve flexibility, increase diagnostics, increase distance, reduce installation and wiring cost, ease maintainability and generally improve the productivity of their manufacturing operations. These same motivations are also driving the implementation of industrial safety networks. These safety networks allow manufacturers to distribute safety I/O and safety devices around their machinery using a single network cable, reducing installation costs while improving diagnostics and enabling safety systems of increased complexity. They also enable safe communications between safety PLCs/controllers, allowing users to distribute their safety control among several intelligent systems.

Safety networks do not prevent communication errors from occurring. Rather, they are designed to reliably detect transmission errors and then allow the safety devices to take the appropriate action. The communication errors that are detected include: message insertion, message loss, message corruption, message delay, message repeat, and incorrect message sequence.

For most applications, when an error is detected the device will go to a known de-energized state, typically called a “safety state.” The safety input or output device is responsible for detecting these communication errors and then going to the safe state if appropriate.
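To make the six error classes concrete, here is an added, constructed model of the consumer side of a safety connection (it is not the CIP Safety protocol and not any vendor's code; the frame layout, field names and limits are assumptions). Each message carries a producer id, a sequence number, a time stamp and a CRC, and the consumer checks, in order, for corruption (CRC or length mismatch), insertion (a frame from the wrong producer), repeat, incorrect sequence, loss (a gap in sequence numbers or a watchdog timeout) and delay (data older than the allowed age). Any failure latches the de-energized safe state until a deliberate reset, which is the behaviour the paragraph describes.

```python
import struct
import zlib

# Constructed wire format for a safety message (not the CIP Safety format):
# producer id, sequence number, time stamp in ms, payload length, payload,
# followed by a CRC-32 over everything before it.
HEADER = ">HIIH"
HEADER_LEN = struct.calcsize(HEADER)


def build_message(producer_id: int, seq: int, timestamp_ms: int, payload: bytes) -> bytes:
    body = struct.pack(HEADER, producer_id, seq, timestamp_ms, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyConsumer:
    """Consumer side of a safety connection. It starts de-energized and, on
    the first detected error, latches the safe (de-energized) state until a
    deliberate reset. Each check is annotated with the error class it catches."""

    def __init__(self, producer_id: int, max_age_ms: int, timeout_ms: int):
        self.producer_id = producer_id
        self.max_age_ms = max_age_ms      # oldest acceptable message age
        self.timeout_ms = timeout_ms      # watchdog: longest allowed silence
        self.expected_seq = 0
        self.last_rx_ms = None
        self.energized = False
        self.fault = None

    def _safe_state(self, reason: str) -> str:
        self.energized = False
        self.fault = reason
        return reason

    def receive(self, frame: bytes, now_ms: int) -> str:
        """Validate one frame; returns "ok" or the error class that tripped."""
        if self.fault:
            return self.fault                        # latched until reset()
        if len(frame) < HEADER_LEN + 4:
            return self._safe_state("corruption")
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._safe_state("corruption")
        pid, seq, ts, plen = struct.unpack(HEADER, body[:HEADER_LEN])
        payload = body[HEADER_LEN:]
        if plen != len(payload):
            return self._safe_state("corruption")
        if pid != self.producer_id:
            return self._safe_state("insertion")     # foreign frame on this connection
        if seq == self.expected_seq - 1:
            return self._safe_state("repeat")        # exact duplicate of the last frame
        if seq < self.expected_seq:
            return self._safe_state("sequence")      # older frame arrived out of order
        if seq > self.expected_seq:
            return self._safe_state("loss")          # gap: frames went missing
        if now_ms - ts > self.max_age_ms:
            return self._safe_state("delay")         # stale data, even if otherwise valid
        self.expected_seq = seq + 1
        self.last_rx_ms = now_ms
        self.energized = payload[:1] == b"\x01"    # 1 = all safety inputs healthy
        return "ok"

    def tick(self, now_ms: int) -> str:
        """Watchdog: silence longer than the timeout is treated as loss."""
        if self.fault:
            return self.fault
        if self.last_rx_ms is not None and now_ms - self.last_rx_ms > self.timeout_ms:
            return self._safe_state("loss")
        return "ok"

    def reset(self) -> None:
        """Operator reset after the cause is cleared; outputs stay off until
        the next good message energizes them."""
        self.fault = None
        self.energized = False
```

Two design points carry over to real safety networks: the consumer never energizes on silence or on a frame it cannot fully verify, and ordering the sequence checks before the age check means a replayed frame is reported as a repeat rather than as a delay, which is the more useful diagnostic.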


Early safety networks were tied to a particular media type or media access scheme, so manufacturers were required to use specific cables, network interface cards, routers, bridges, etc. that also became part of the safety function. These networks were limited in that they only supported communication between safety devices. This meant that manufacturers were required to use two or more networks for their machine control strategy (one network for standard control and another for safety related control) increasing installation, training and spare parts costs.

Modern safety networks allow a single network cable to communicate with safety and standard control devices. CIP (Common Industrial Protocol) Safety is an open standard protocol published by ODVA (Open DeviceNet Vendors Association) that allows for safety communications between safety devices on DeviceNet, ControlNet and EtherNet/IP networks. Because CIP Safety is an extension to the standard CIP protocol, safety devices and standard devices can all reside on the same network. Users can also bridge between networks containing safety devices, allowing them to subdivide safety devices to fine-tune safety response times, or to simply make distribution of safety devices easier. Because the safety protocol is solely the responsibility of the end devices (safety PLC/controller, safety I/O module, safety component), standard cables, network interface cards, bridges, and routers are used, eliminating any special networking hardware and removing these devices from the safety function.


Figure 98 shows a simplified example of a distributed I/O system. The operator opens the gate. The interlock switch, connected to the local Safety I/O block, sends its safety data over the DeviceNet network to the Safety PLC. The Safety PLC sends a signal back to the Safety I/O block to shut down the equipment inside the gate and sends a standard output to a stack light to annunciate that the gate is open. The HMI and the standard PLC monitor the safety data for display and additional control measures, such as performing a cycle stop of adjacent equipment.

Figure 98: Example of a Simple Distributed Safety Network

For larger manufacturing systems, where safety information and control must be shared, EtherNet/IP can also be used. Figure 99 shows an example of communications between two safety controllers, while DeviceNet is used for local distribution of I/O within a smaller subsystem.

Figure 99: Example of a Complex Distributed Safety Network

Output Devices

Safety Control Relays and Safety Contactors

Control Relays and Contactors are used to remove power from the actuator. Special features are added to control relays and contactors to provide the safety rating.

Mechanically linked normally closed contacts are used to feed back the status of the control relays and contactors to the logic device. The use of mechanically linked contacts helps ensure the safety function. To meet the requirements of mechanically linked contacts, the normally closed and the normally open contacts cannot be in the closed state at the same time. IEC 60947-5-1 defines the requirements for mechanically linked contacts. If the normally open contacts were to weld, the normally closed contacts remain open by at least 0.5 mm. Conversely, if the normally closed contacts were to weld, then the normally open contacts remain open. If the product meets this requirement, the symbol shown in Figure 100 is applied to the product.


Figure 100: Mechanically Linked Contact Symbol

Safety systems must only be started at specific locations. Standard rated control relays and contactors allow the armature to be depressed to close the normally open contacts. On safety rated devices, the armature is protected from manual override to mitigate unexpected startup.

On safety control relays, the normally closed contact is driven by the main spanner. Safety contactors use an adder deck to locate the mechanically linked contacts. If the contact block were to fall off the base, the mechanically linked contacts remain closed. The mechanically linked contacts are permanently affixed to the safety control relay or safety contactor.


On the larger contactors, an adder deck is insufficient to accurately reflect the status of the wider spanner. Instead, mirrored contacts, shown in Figure 101 and located on either side of the contactor, are used.

Figure 101: Mirrored Normally Closed Contacts

The dropout time of control relays or contactors plays a role in the safety distance calculation. Often, a surge suppressor is placed across the coil to improve the life of the contacts driving the coil. For AC powered coils, the dropout time is not affected. For DC powered coils, the dropout time is increased; the increase depends on the type of suppression selected.

Control relays and contactors are designed to switch large loads, anywhere from 0.5 A to over 100 A. The safety system operates on low currents. The feedback signal generated by the safety system logic device can be on the order of a few milliamps to tens of milliamps, usually at 24V DC. The safety control relays and safety contactors use gold plated bifurcated contacts to reliably switch this small current.

Overload Protection

Overload protection for motors is required by electrical standards. The diagnostics provided by the overload protection device enhance not only equipment safety but operator safety as well. Technologies available today can detect fault conditions such as overload, phase loss, ground fault, stall, jam, under-load, current imbalance and over-temperature. Detecting and communicating abnormal conditions prior to tripping helps to improve production uptime and helps protect operators and maintenance people from unforeseen hazardous conditions.

Figure 102 shows examples of overload protection devices. When dual contactors are used to ensure that a motor is switched off in a Category 3, Category 4 or control reliable solution, only one overload protection device is needed for each motor.


Figure 102: Contactor Overload Protection

Drives and Servos

Safety rated drives and servos can be used to prevent rotational energy from being delivered to achieve a safety stop as well as an emergency stop.

AC drives achieve the safety rating with redundant channels that remove power from the gate control circuitry. One channel is the Enable signal, a hardware signal that removes the input signal to the gate control circuitry. The second channel is a positive guided relay that removes the power supply from the gate control circuitry. The positive guided relay also provides a status signal back to the logic system. A block diagram of the implementation of the safe-off feature in the PowerFlex drive is shown in Figure 103.

This redundant approach allows the safety rated drive to be applied in emergency stop circuits without the need for a contactor.


Figure 103: Drive Safety Signals

Figure 104: Kinetix Drive Safety Signals

The servo achieves the same result in a manner similar to the AC drive. Figure 104 shows that redundant safety signals are used to achieve the safety function. One signal interrupts the drive signal to the gate control circuitry. A second signal interrupts power to the power supply of the gate control circuitry. Two positive guided relays are used to remove the signals and also provide feedback to the safety logic device.

Connection Systems

Connection systems add value by reducing the installation and maintenance costs of safety systems. Designs must take into account single channel, dual channel, dual channel with indication and multiple types of devices.

When a series connection of dual channel interlocks is needed, a distribution block can simplify installation. Figure 105 shows a simple example of a series of interlocks connected to one port. With an IP67 rating, these types of boxes can be mounted on the machine at remote locations.


Figure 105: Safety Distribution Block

When a diverse set of devices is required, an ArmorBlock Guard I/O box can be used. Figure 106 shows an eight port and four port block with an IP67 rating, which can be mounted directly on the machine without an enclosure. The inputs can be configured by software to accommodate various types of devices.

Figure 106: ArmorBlock Guard I/O