Protective Measures and Complementary Equipment
Logic devices play the central role in the safety related part of the control system. They perform the checking and monitoring of the safety system and either allow the machine to start or execute commands to stop it.
A range of logic devices is available to create a safety architecture that meets the complexity and the functionality required for the machine. Small hardwired monitoring safety relays are most economical for smaller machines where a dedicated logic device is needed to complete the safety function. Modular and configurable monitoring safety relays are preferred where a large and diverse number of safeguarding devices and minimal zone control are required. For medium to large and more complex machines, programmable systems with distributed I/O are preferable.
Monitoring Safety Relays
Monitoring safety relay (MSR) modules play a key role in many safety systems. These modules usually consist of two or more positively guided relays with additional circuitry to ensure the performance of the safety function.
Positively guided relays are specialized ice-cube relays. Positively guided relays must meet the performance requirements of EN50025. Essentially, they are designed to prevent the normally closed and normally open contacts from being closed simultaneously. Newer designs replace the electromechanical outputs with safety rated solid state outputs.
Monitoring safety relays perform many checks on the safety system. Upon power-up, they perform self-checks on their internal components. When the input devices are activated, the MSR compares the results of redundant inputs. If acceptable, the MSR checks external actuators. If okay, the MSR awaits a reset signal to energize its outputs.
The selection of the appropriate safety relay is dependent on a number of factors: type of device it monitors, the type of reset, the number and type of outputs.
Input Types
Safeguarding devices indicate that something has happened in different ways, and the MSR must be matched to the signalling method:
- Contact Interlocks and E-stops: mechanical contacts, single channel with one normally closed contact or dual channel with both normally closed. The MSR must be able to accept single or dual channel and provide cross fault detection for the dual channel arrangement.
- Non-Contact Interlocks and E-stops: mechanical contacts, dual channel, one normally open and one normally closed contact. The MSR must be able to process diverse inputs.
- Output Solid State Switching Devices: light curtains, laser scanners and solid-state non-contact switches have two sourcing outputs and perform their own cross fault detection. The MSR must be able to ignore the device's cross fault detection method.
- Mats: mats create a short circuit between two channels. The MSR must be able to withstand the repeated short circuits.
- Edges: some edges are designed like 4-wire mats; others are two-wire devices that create a change in resistance. The MSR must be able to detect a short circuit or the change in resistance.
- Voltage: measures the back EMF of a motor during rundown. The MSR must be able to tolerate high voltages as well as detect low voltages as the motor spins down.
- Stopped Motion: the MSR must detect pulse streams from diverse, redundant sensors.
- Two-hand Control: the MSR must detect normally open and normally closed diverse inputs as well as provide 0.5 s timing and sequencing logic.
Input Impedance
The input impedance of the monitoring safety relay determines how many input devices can be connected to the relay and how far away the input devices can be mounted. For example, a safety relay may have a maximum allowable input impedance of 500 ohms (Ω). When the input impedance is greater than 500 Ω, it will not switch on its outputs. Care must be taken by the user to ensure that the input impedance remains below the maximum specification. The length, size and type of wire used affect input impedance. Table 4 shows typical resistance of annealed copper wire at 25 °C.
| ISO Cross Section (mm²) | AWG Size | Ω per 1000 m | Ω per 1000 ft |
| 0.5 | 20 | 33.30 | 10.15 |
| 0.75 | 18 | 20.95 | 6.385 |
| 1.5 | 16 | 13.18 | 4.016 |
| 2.5 | 14 | 8.28 | 2.525 |
| 4 | 12 | 5.21 | 1.588 |
Table 4: Wire Resistance Values
Number of Input Devices
The risk assessment process should be used to help determine how many input devices should be connected to a monitoring safety relay (MSR) and how often the input devices should be checked. To assure that E-Stops and gate interlocks are in an operational state, they should be checked for operation at regular intervals, as determined by the risk assessment. For example, a dual channel input MSR connected to an interlocked gate that must be opened every machine cycle (e.g., several times per day) may not have to be checked. This is because opening the guard causes the MSR to check itself, its inputs and its outputs (depending on configuration) for single faults. The more frequent the guard opening, the greater the integrity of the checking process.
Another example might be E-Stops. Since E-Stops are typically used only for emergencies, they are likely to be rarely used. Therefore a program should be established to exercise the E-Stops and confirm their effectiveness on a scheduled basis. Exercising the safety system in this way is called performing a Proof Test, and the time between Proof Tests is called the Proof Test Interval. A third example might be access doors for machine adjustments, which like E-Stops might be rarely used. Here again a program should be established to exercise the checking function on a scheduled basis.
The risk assessment will help determine whether the input devices need to be checked and how often they should be checked. The higher the level of risk, the greater integrity required of the checking process. And the less frequent the "automatic" checking, the more frequent should be the imposed "manual" check.
Input Crossfault Detection
In dual channel systems, channel-to-channel short circuit faults of the input devices, also known as cross faults, must be detected by the safety system. This is accomplished by the sensing device or the monitoring safety relay.
Microprocessor-based monitoring safety relays, like light curtains, laser scanners and advanced non-contact sensors, detect these shorts in a variety of ways. One common way of detecting cross faults is diverse pulse testing, shown in Figure 84. The output signals are pulsed very quickly, and the channel 1 pulse is offset from the channel 2 pulse. If a short occurs, the pulses occur concurrently and are detected by the device.
Figure 84: Pulse Testing to Detect Crossfaults
Electro-mechanical based monitoring safety relays employ a different diversity technique: one pull-up input and one pull-down input. This is shown in Figure 85. A short from Channel 1 to Channel 2 will make the overcurrent protection device active and the safety system will shut down.
Figure 85: Diverse Inputs Detect Crossfaults
Outputs
MSRs come with various numbers of outputs. The types of outputs help determine which MSR must be used in specific applications.
Most MSRs have at least 2 immediately operating safety outputs. MSR safety outputs are characterized as normally-open. These are safety rated due to the redundancy and internal checking.
A second type of output is the delayed output. Delayed outputs are typically used in Category 1 stops, where the machine requires time to execute the stopping function before allowing access to the hazard area. Figure 86 shows the symbols used for immediate and delayed contacts.
Figure 86: Symbols for Contact Types
MSRs also have auxiliary outputs. Generally these are considered normally closed. Figure 87 shows three arrangements of normally closed contacts. The circuit on the left only allows the normally closed contacts to be used as auxiliary circuits as a single fault in CH1 or CH2 will close the circuit. The middle arrangement can be auxiliary usage as shown or safety usage if connected in series. The circuit on the right shows the normally closed contacts in a redundant arrangement, so they can be used in safety related circuits.
Figure 87: NC Contact Usage
Output Ratings
Output ratings describe the ability of the safeguarding device to switch loads. Typically, the ratings for industrial devices are described as resistive or electromagnetic. A resistive load may be a heater type element. Electromagnetic loads are typically relays, contactors, or solenoids, where the load has a large inductive characteristic. Annex A of IEC 60947-5-1, summarized in Table 5, describes the ratings for loads.
Designation Letter: The designation is a letter followed by a number, for example A300.
The letter relates to the conventional enclosed thermal current and whether that current is direct or alternating. For example A represents 10 amps alternating current. The number stands for the rated insulation voltage. For example, 300 represents 300V.
| Designation | Utilization | Enclosed Thermal Current Ith (A) | Rated Operational Current Ie (A) at Ue = 120 V | 240 V | 380 V | 480 V | 500 V | 600 V | VA Make | VA Break |
| A150 | AC-15 | 10 | 6 | — | — | — | — | — | 7200 | 720 |
| A300 | AC-15 | 10 | 6 | 3 | — | — | — | — | 7200 | 720 |
| A600 | AC-15 | 10 | 6 | 3 | 1.9 | 1.5 | 1.4 | 1.2 | 7200 | 720 |
| B150 | AC-15 | 5 | 3 | — | — | — | — | — | 3600 | 360 |
| B300 | AC-15 | 5 | 3 | 1.5 | — | — | — | — | 3600 | 360 |
| B600 | AC-15 | 5 | 3 | 1.5 | 0.95 | 0.92 | 0.75 | 0.6 | 3600 | 360 |
| C150 | AC-15 | 2.5 | 1.5 | — | — | — | — | — | 1800 | 180 |
| C300 | AC-15 | 2.5 | 1.5 | 0.75 | — | — | — | — | 1800 | 180 |
| C600 | AC-15 | 2.5 | 1.5 | 0.75 | 0.47 | 0.375 | 0.35 | 0.3 | 1800 | 180 |
| D150 | AC-14 | 1.0 | 0.6 | — | — | — | — | — | 432 | 72 |
| D300 | AC-14 | 1.0 | 0.6 | 0.3 | — | — | — | — | 432 | 72 |
| E150 | AC-14 | 0.5 | 0.3 | — | — | — | — | — | 216 | 36 |
| Designation (Direct Current) | Utilization | Enclosed Thermal Current Ith (A) | Rated Operational Current Ie (A) at Ue = 125 V | 250 V | 400 V | 500 V | 600 V | VA Make | VA Break |
| N150 | DC-13 | 10 | 2.2 | — | — | — | — | 275 | 275 |
| N300 | DC-13 | 10 | 2.2 | 1.1 | — | — | — | 275 | 275 |
| N600 | DC-13 | 10 | 2.2 | 1.1 | 0.63 | 0.55 | 0.4 | 275 | 275 |
| P150 | DC-13 | 5 | 1.1 | — | — | — | — | 138 | 138 |
| P300 | DC-13 | 5 | 1.1 | 0.55 | — | — | — | 138 | 138 |
| P600 | DC-13 | 5 | 1.1 | 0.55 | 0.31 | 0.27 | 0.2 | 138 | 138 |
| Q150 | DC-13 | 2.5 | 0.55 | — | — | — | — | 69 | 69 |
| Q300 | DC-13 | 2.5 | 0.55 | 0.27 | — | — | — | 69 | 69 |
| Q600 | DC-13 | 2.5 | 0.55 | 0.27 | 0.15 | 0.13 | 0.1 | 69 | 69 |
| R150 | DC-13 | 1.0 | 0.22 | — | — | — | — | 28 | 28 |
| R300 | DC-13 | 1.0 | 0.22 | 0.1 | — | — | — | 28 | 28 |
Table 5: Contact Ratings for Inductive Load Switching
Utilization: The Utilization describes the types of loads the device is designed to switch. The utilizations relevant to IEC 60947-5 are shown in Table 6.
| Utilization | Description of Load |
| AC-12 | Control of resistive loads and solid-state loads with isolation by opto-couplers |
| AC-13 | Control of solid-state loads with transformer isolation |
| AC-14 | Control of small electromagnetic loads (less than 72 VA) |
| AC-15 | Electromagnetic loads greater than 72 VA |
| DC-12 | Control of resistive loads and solid-state loads with isolation by opto-couplers |
| DC-13 | Control of electromagnets |
| DC-14 | Control of electromagnetic loads having economy resistors in circuit |
Table 6: Utilization Categories
Thermal Current, Ith: The conventional enclosed thermal current is the value of current used for the temperature-rise tests of the equipment when mounted in a specified enclosure.
Rated Operational Voltage Ue and Current Ie: The rated operational current and voltage specify the making and breaking capacities of the switching elements under normal operating conditions. The Allen-Bradley Guardmaster products are specifically rated at 125V AC, 250V AC and 24V DC. Consult the factory for usage at voltages other than these specified ratings.
VA: The VA (Voltage x Amperage) ratings indicate the ratings of the switching elements when making the circuit as well as breaking the circuit.
Example 1: An A150, AC-15 rating indicates that the contacts can make a 7200 VA circuit. At 120V AC, the contacts can make a 60 amp inrush circuit. Since the AC-15 is an electromagnetic load, the 60 amp applies only for a short duration: the inrush current of the electromagnetic load. The breaking capacity is only 720 VA because the steady state current of the electromagnetic load is 6 A, which is the rated operational current.
Example 2: An N150, DC-13 rating indicates that the contacts can make a 275 VA circuit. At 125V AC, the contacts can make a 2.2 amp circuit. DC electromagnetic loads do not have an inrush current like AC electromagnetic loads. The breaking capacity is also 275 VA because the steady state current of the electromagnetic load is 2.2 A, which is the rated operational current.
Machine Restart
If, for example, an interlocked guard is opened on an operating machine, the safety interlock switch will stop that machine. In most circumstances it is imperative that the machine does not restart immediately when the guard is closed. A common way of achieving this is to rely on a latching contactor start arrangement as shown in Figure 88. An interlocked guard door is used as an example here but the requirements apply to other protection devices and emergency stop systems.
Figure 88: Simple Machine Start Stop Interlock Circuit
Pressing and releasing the start button momentarily energizes the contactor control coil which closes the power contacts. As long as power is flowing through the power contacts the control coil is kept energized (electrically latched) via the contactor's auxiliary contacts which are mechanically linked to the power contacts. Any interruption to the main power or control supply results in the de-energizing of the coil and opening of the main power and auxiliary contacts. The guard interlock is wired into the contactor control circuit. This means that restart can only be achieved by closing the guard and then switching "ON" at the normal start button which resets the contactor and starts the machine.
The requirement for normal interlocking situations is made clear in ISO 12100-1 Paragraph 3.22.4 (extract).
When the guard is closed, the hazardous machine functions covered by the guard can operate, but the closure of the guard does not by itself initiate their operation.
Many machines already have either single or double contactors which operate as described above (or have a system which achieves the same result). When fitting an interlock to existing machinery it is necessary to determine whether the power control arrangement meets this requirement and take additional measures if necessary.
Reset Functions
Allen-Bradley Guardmaster monitoring safety relays are designed with either monitored manual reset or automatic/manual reset.
Monitored Manual Reset
A monitored manual reset requires a change of state of the reset circuit after the gate is closed or the E-Stop is reset. Figure 89 shows a typical configuration of a reset switch connected in the output monitoring circuit of a safety relay with a monitored manual reset function. The mechanically linked normally closed auxiliary contacts of the power switching contactors are connected in series with a momentary push button. After the guard has been opened and closed again, the safety relay will not allow the machine to be restarted until there is a change of state at the reset button. This is in compliance with the intent of the requirements for additional manual reset as given in EN ISO 13849-1, i.e., the reset function ensures that both contactors are OFF and that both interlock circuits (and therefore the guards) are closed and also (because a change of state is required) that the reset actuator has not been bypassed or blocked in any way. If these checks are successful the machine can then be restarted from the normal controls. EN ISO 13849-1 cites the change of state from energized to de-energized, but the same protective principle can also be achieved by the opposite effect.
Figure 89: Monitored Manual Reset
The reset switch should be located in a place that provides a good view of the hazard so that the operator can check that the area is clear before operation.
Auto/Manual Reset
Some safety relays have automatic/manual reset. The manual reset mode is not monitored, and reset occurs as soon as the button is pressed. A short-circuited or jammed-in reset switch will not be detected. With this approach it may not be possible to achieve the requirements for additional manual reset as given in EN ISO 13849-1 unless additional means are used.
Alternatively the reset line can be jumpered allowing an automatic reset. The user must then provide another mechanism for preventing machine start-up when the gate closes.
An auto-reset device does not require a manual switching action but after de-actuation it will always conduct a system integrity check before resetting the system. An auto-reset system should not be confused with a device without reset facilities. In the latter the safety system will be enabled immediately after de-actuation but there will be no system integrity check.
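The three reset behaviours described above, as an added example in Python (not Allen-Bradley product code): a dual-channel N.C. input block whose reset circuit is the push button in series with the contactors' N.C. auxiliary contacts, as in Figure 89. The scan-by-scan model, the discrepancy limit and the state names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from enum import Enum


class ResetMode(Enum):
    MONITORED_MANUAL = "monitored manual"  # press and release required
    AUTO_MANUAL = "auto/manual"            # level-sensitive, button unmonitored
    AUTOMATIC = "automatic"                # reset line jumpered


@dataclass
class DualChannelBlock:
    """Dual-channel N.C. input block using the reset circuit of Figure 89."""
    mode: ResetMode
    discrepancy_limit: int = 3   # scans the channels may disagree (assumed)
    outputs_on: bool = False
    faulted: bool = False
    _mismatch: int = 0
    _reset_prev: bool = False
    _rise_seen: bool = False

    def scan(self, ch1: bool, ch2: bool, button: bool, contactors_off: bool) -> bool:
        """One logic scan. ch1/ch2: N.C. channel closed (True = not actuated).
        button: reset push button pressed. contactors_off: both mechanically
        linked N.C. aux contacts closed, i.e. both contactors de-energized."""
        # The button is in series with the N.C. aux contacts, so the reset
        # circuit can only conduct while both contactors are OFF.
        reset_circuit = button and contactors_off

        # Redundant channels must agree; a persistent mismatch latches a fault.
        if ch1 != ch2:
            self._mismatch += 1
            if self._mismatch > self.discrepancy_limit:
                self.faulted = True
        else:
            self._mismatch = 0

        healthy = ch1 and ch2 and not self.faulted
        if not healthy:
            # Open channel or latched fault: outputs off, and any reset edge
            # seen before the inputs became healthy again is discarded.
            self.outputs_on = False
            self._rise_seen = False
        elif not self.outputs_on:
            if self.mode is ResetMode.AUTOMATIC:
                # Jumpered reset line: integrity check only, no operator action.
                self.outputs_on = contactors_off
            elif self.mode is ResetMode.AUTO_MANUAL:
                # Level-sensitive: a jammed or shorted button is not detected.
                self.outputs_on = reset_circuit
            else:
                # Monitored manual: a rising edge and then a falling edge of the
                # reset circuit, both observed after the inputs became healthy.
                if reset_circuit and not self._reset_prev:
                    self._rise_seen = True
                elif self._rise_seen and self._reset_prev and not reset_circuit:
                    self.outputs_on = True
                    self._rise_seen = False
        self._reset_prev = reset_circuit
        return self.outputs_on


def run(block: DualChannelBlock, steps) -> list:
    """Apply (ch1, ch2, button, contactors_off) tuples scan by scan."""
    return [block.scan(*step) for step in steps]


def demo_monitored_reset() -> list:
    """Normal cycle: guard open, guard closed, button pressed, button released."""
    seq = [(False, False, False, True), (True, True, False, True),
           (True, True, True, True), (True, True, False, True)]
    return run(DualChannelBlock(ResetMode.MONITORED_MANUAL), seq)


def demo_jammed_button(mode: ResetMode) -> bool:
    """Guard opened then closed while the reset button is stuck pressed.
    Returns True if the machine restarts, which is the hazard to avoid."""
    seq = [(False, False, True, True)] * 2 + [(True, True, True, True)] * 3
    return run(DualChannelBlock(mode), seq)[-1]
```

Because the aux contacts sit in series with the button, a welded contactor keeps the reset circuit open and the monitored mode never re-enables the outputs; the jammed-button case shows why the level-sensitive auto/manual mode cannot meet the additional manual reset requirement on its own.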
Control Guards
A control guard stops a machine when the guard is opened and directly starts it again when the guard is closed. The use of control guards is only allowed under certain stringent conditions because any unexpected start-up or failure to stop would be extremely dangerous. The interlocking system must have the highest possible reliability (it is often advisable to use guard locking). The use of control guards can ONLY be considered on machinery where there is NO POSSIBILITY of an operator or part of his body staying in or reaching into the danger zone while the guard is closed. The control guard must be the only access to the hazard area.
Safety Programmable Logic Controls
The need for flexible and scalable safety applications drove the development of safety PLCs/controllers. Programmable safety controllers provide users the same level of control flexibility in a safety application that they are accustomed to with standard programmable controllers. However, there are extensive differences between standard and safety PLCs. Safety PLCs, shown in Figure 90, come in various platforms to accommodate the scalability, functional and integration requirements of the more complex safety systems.
Figure 90: Safety PLC Platforms
Hardware
Redundancy of CPUs, memory, I/O circuits, and internal diagnostics are enhancements that safety PLCs have that are not required in a standard PLC. A safety PLC spends significantly more time performing internal diagnostics on memory, communications and I/O. These additional operations are needed to reach the required safety certification. This additional redundancy and diagnostics is taken care of in the controller's operating system, making it transparent to the programmer, so that safety PLCs program very much like standard PLCs do.
The microprocessors controlling these devices perform extensive internal diagnostics to ensure the performance of the safety function. Figure 91 provides an example block diagram of a safety PLC. Although microprocessor based controllers differ slightly from one family to another, similar principles are applied to achieve a safety rating.
Figure 91: 1oo2D Architecture
Multiple microprocessors are used to process the I/O, memory, and safe communications. Watchdog circuits perform diagnostic analysis. This type of construction is known as 1oo2D, because either one of the two microprocessors can perform the safety function, and extensive diagnostics are performed to ensure that both microprocessors are operating in sync.
Also, each input circuit is internally tested many times each second to make sure that it is operating correctly. Figure 92 shows a block diagram of an input. You may only hit the E-Stop once a month; but when you do, the circuit has been continuously tested so that the E-Stop will be sensed correctly internal to the safety PLC.
Figure 92: Block Diagram of a Safety Input Module
Safety PLC outputs are electromechanical or safety rated solid state. Figure 93 shows multiple switches in every output circuit of a safety PLC. Like the input circuits, the output circuits are tested multiple times every second to make sure that they can turn the output off. If one of the three fails, the output is turned off by the other two, and the fault is reported by the internal monitoring circuit.
Figure 93: Safety Output Module Block Diagram
When using safety devices with mechanical contacts (E-stops, gate switches, etc.), the user can apply pulse test signals to detect cross faults. To avoid consuming expensive safety outputs, many safety PLCs provide specific pulsing outputs that can be connected to mechanical contact devices. A wiring example is shown in Figure 94. In this example, outputs O1, O2, O3, and O4 are all pulsing at different rates. The safety PLC expects to see these different pulse rates reflected in the inputs. If identical pulse rates are detected, a cross fault has occurred and appropriate action is taken in the safety PLC.
Figure 94: Pulse Testing of 2 N.C. Mechanical Inputs
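A simulation of the diverse pulse testing of Figures 84 and 94, added here as an example and not taken from any Rockwell product: two pulse outputs with offset patterns feed two N.C. contacts, and a channel is flagged faulted whenever it reflects a pulse its own output never sent. The pulse patterns, the two-channel wiring model and the fault names are assumptions.

```python
from typing import List, Optional, Tuple

# Constructed test pulse patterns, one bit per scan over one test period. The
# channel 2 pulse is offset from the channel 1 pulse, so the two pulsing outputs
# are never high in the same scan (Figure 84).
PULSE_O1 = [1, 0, 0, 0, 1, 0, 0, 0]
PULSE_O2 = [0, 0, 1, 0, 0, 0, 1, 0]


def field_wiring(o1: int, o2: int, c1: bool, c2: bool,
                 fault: Optional[str]) -> Tuple[int, int]:
    """Return the levels at inputs I1 and I2 for one scan, given the pulse
    outputs O1/O2, the two N.C. contacts (True = closed) and an optional
    wiring fault. Hypothetical model of the field wiring in Figure 94."""
    i1 = o1 if c1 else 0
    i2 = o2 if c2 else 0
    if fault == "cross":         # channel-to-channel short on the input wires
        i1 = i2 = i1 | i2
    elif fault == "ch1_to_24v":  # channel 1 wire shorted to the supply
        i1 = 1
    return i1, i2


def classify(pulse: List[int], seen: List[int]) -> str:
    """Judge one channel over a full period against the pulse it should mirror."""
    if any(s and not p for p, s in zip(pulse, seen)):
        return "fault"    # a pulse arrived that this channel's output never sent
    if seen == pulse:
        return "closed"   # contact closed: own pulse faithfully reflected
    if not any(seen):
        return "open"     # contact open: device actuated
    return "fault"        # partial reflection: intermittent contact or wiring


def evaluate(c1: bool, c2: bool, fault: Optional[str] = None) -> Tuple[str, str, bool]:
    """Run one test period and return (channel 1 status, channel 2 status,
    outputs enabled). Outputs are enabled only when both channels are closed
    and neither shows a cross fault."""
    seen1, seen2 = [], []
    for o1, o2 in zip(PULSE_O1, PULSE_O2):
        i1, i2 = field_wiring(o1, o2, c1, c2, fault)
        seen1.append(i1)
        seen2.append(i2)
    s1, s2 = classify(PULSE_O1, seen1), classify(PULSE_O2, seen2)
    return s1, s2, s1 == "closed" and s2 == "closed"


if __name__ == "__main__":
    print("healthy:        ", evaluate(True, True))
    print("E-stop pressed: ", evaluate(False, False))
    print("cross fault:    ", evaluate(True, True, "cross"))
    # A cross fault on an actuated device is masked until the contacts close.
    print("cross, actuated:", evaluate(False, False, "cross"))
    print("ch1 to 24 V:    ", evaluate(True, True, "ch1_to_24v"))
```

Note that the short is only observable while pulses can propagate through closed contacts, which is why the page's advice to exercise rarely used devices on a scheduled basis also matters for cross fault coverage.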
Software
Safety PLCs program very much like standard PLCs do. All of the additional diagnostics and error checking mentioned earlier are done by the operating system, so the programmer is not even aware that it is happening. Most safety PLCs will have special instructions used to write the program for the safety system, and these instructions tend to mimic the function of their safety relay counterparts. For example, the Emergency Stop instruction in Figure 95 operates very much like an MSR127. Though the logic behind each of these instructions is complex, the safety programs look relatively simple because the programmer simply connects these blocks together. These instructions, along with other logical, math, data manipulation, etc. instructions, are certified by a third party to ensure their operation is consistent with the applicable standards.
Figure 95: E-Stop Function Block
Function blocks are the predominant method for programming safety functions. In addition to Function Blocks and Ladder Logic, safety PLCs also provide certified safety application instructions. Certified safety instructions provide application specific behavior. Figure 95 shows an emergency stop instruction. To accomplish the same function in ladder logic would require approximately 16 rungs of ladder logic. Since the logic behavior is embedded in the E-Stop instruction, the embedded logic does not have to be tested.
Certified function blocks are available to interface with almost all safety devices. One exception to this list is the safety edge that uses resistive technology. Here is a list of certified application instructions available in the GuardPLC.
1. Diverse (1 N.O. + 1 N.C.) Input with Auto Reset
2. Diverse (1 N.O. + 1 N.C.) Input with Manual Reset
3. Emergency Stop with Auto Reset
4. Emergency Stop with Manual Reset
5. Redundant (2 N.C.) Input with Auto Reset
6. Redundant (2 N.C.) Input with Manual Reset
7. Redundant Output with Positive Feedback
8. Redundant Output with Negative Feedback
9. Enable Pendant with Auto Reset
10. Enable Pendant with Manual Reset
11. Two Hand Run Station with Active Pin
12. Two Hand Run Station without Active Pin
13. Light Curtain with Auto Reset
14. Light Curtain with Manual Reset
15. Five Position Mode Selector
16. Single Pulse Test Output
17. Redundant Pulse Test Output
Safety PLCs generate a signature that provides the ability to track whether changes were made. This signature is usually a combination of the program, input/output configuration, and a time stamp. When the program is finalized and validated, the user should record this signature as part of the validation results for future reference. If the program needs modification, revalidation is required and a new signature must be recorded. The program can also be locked with a password to prevent unauthorized changes.
Wiring is simplified with programmable logic systems as compared to monitoring safety relays. Unlike wiring to specific terminals on monitoring safety relays, input devices are connected to any input terminals and output devices are connected to any output terminals. The terminals are then assigned through software.
