Catalogs > Safety Products Catalog > Principles, Standards and Implementation > Protective Measures and Complementary Equipment
Protective Measures and Complementary Equipment
| Protective Measures |  |
Preventing Access | |
Detection Devices | |
Safety Switches | |
Guard Locking Switches | |
| Non-Contact Interlock Switches | |
Hinge Switches | |
Position (Limit Switch) Interlocks | |
Trapped Key Interlocks | |
Operator Interface Devices | |
| Logic Devices | |
Integrated Safety Controllers | |
Safety Networks | |
Output Devices | |
Connection Systems | |
Logic devices play the central role of the safety related part of the control system. Logic devices perform the checking and monitoring of the safety system and either allow the machine to start or execute commands to stop the machine.
A range of logic devices are available to create a safety architecture that meets the complexity and the functionality required for the machine. Small hardwired monitoring safety relays are most economical for smaller machines where a dedicated logic device is needed to complete the safety function. Modular and configurable monitoring safety relays are preferred where a large and diverse number of safeguarding devices and minimal zone control are required. The medium to large and more complex machine will find programmable systems with distributed I/O to be preferable.
Monitoring Safety Relays
Monitoring safety relay (MSR) modules play a key role in many safety systems. These modules are usually comprised of two or more positively guided relays with additional circuitry to ensure the performance of the safety function.
Positive guided relays are specialized “ice-cube” relays. Positively guided relays must meet the performance requirements of EN50025. Essentially, they are designed to prevent the normally closed and normally open contacts from being closed simultaneously. Newer designs replace the electromechanical outputs with safety rated solid state outputs.
Monitoring safety relays perform many checks on the safety system. Upon power-up, they perform self-checks on their internal components. When the input devices are activated, the MSR compares the results of redundant inputs. If acceptable, the MSR checks external actuators. If okay, the MSR awaits a reset signal to energize its outputs.
The selection of the appropriate safety relay is dependent on a number of factors: type of device it monitors, the type of reset, the number and type of outputs.
Inputs Types
Safeguarding devices have different types of methods to indicate something has happened:
Contact Interlocks and E-stops:
- Mechanical contacts, single channel with one normally-closed contact or dual channel, both normally closed. The MSR must be able to accept single or dual channel and provide crossfault detection for the dual channel arrangement.
Non-Contacts Interlocks and E-Stops
- Mechanical contacts, may be dual channel, one normally-open and one normally-closed contact. The MSR must be able to process diverse inputs.
Output Solid-State Switching Devices
- Light curtains, laser scanners, solid-state non-contacts have two sourcing outputs and perform their own crossfault detection. The MSR must be able to ignore the devices’ crossfault detection method.
Mats:
- Mats create a short circuit between two channels. The MSR must be able to withstand the repeated short circuits.
Edges:
- Some edges are designed like four-wire mats. Some are two-wire devices that create a change in resistance. The MSR must be able to detect a short circuit or the change in resistance.
Voltage
- Measures the Back EMF of a motor during rundown. The MSR must be able to tolerate high voltages as well as detect low voltages as the motor spins down.
Stopped Motion
- The MSR must detect pulse streams from diverse, redundant sensors.
Two-Hand Control
- The MSR must detect normally-open and normally-closed diverse inputs as well as provide 0.5 sec. timing and sequencing logic.
MSRs must be designed specifically to interface with each of these types of devices, as they have different electrical characteristics. Some MSRs can connect to a few different types of inputs, but once the device is chosen, the MSR can only interface with that device. The system designer must select an MSR that is compatible with the input device.
Input Impedance
The input impedance of the monitoring safety relays determines how many input devices can be connected to the relay and how far away the input devices can be mounted. For example, a safety relay may have a maximum allowable input impedance of 500 ohms. When the input impedance is greater than 500 ohms, it will not switch on its outputs. Care must be taken by the user to ensure the input impedance remains below the maximum specification. The length, size, and type of wire used effects input impedance. Table 4 shows typical resistance of annealed copper wire at 25°C.
| ISO Cross Section mm2 | AWG Size | W per 1000 m | W per 1000 ft |
| 0.5 | 20 | 33.30 | 10.15 |
| 0.75 | 18 | 20.95 | 6.385 |
| 1.5 | 16 | 13.18 | 4.016 |
| 2.5 | 14 | 8.28 | 2.525 |
| 4 | 12 | 5.21 | 1.588 |
| Table 4: Wire Resistance | |||
Number of Input Devices
The risk assessment process should be used to help determine how many inputs devices should be connected to an MSR unit and how often the input devices should be checked. To assure that E-stops and gate interlocks are in an operational state, they should be checked for operation at regular intervals, as determined by the risk assessment. For example, a dual-channel input MSR connected to an interlocked gate that must be opened every machine cycle (e.g., several times per day) may not have to be checked. This is because opening the guard causes the MSR to check itself, its inputs, and its outputs (depending on configuration) for single faults. The more frequent the guard opening, the greater the integrity of the checking process.
Another example might be E-stops. Since E-stops are typically used only for emergencies, they are rarely used. A program should therefore be established to exercise the E-stops and confirm their effectiveness on a scheduled basis. Exercising the safety system in this way is called performing a functional test, and the time between functional tests is called the functional test interval. A third example might be access doors for machine adjustments which, like E-stops, might be rarely used. Here again, a program should be established to exercise the checking function on a scheduled basis.
The risk assessment will help determine whether the input devices need to be checked and how often they should be checked. The higher the level of risk, the greater integrity required of the checking process. The less frequent the automatic checking, the more frequent should be the imposed manual check.
Input Crossfault Detection
In dual-channel systems, channel-to-channel short-circuit faults of the input devices, also known as crossfaults, must be detected by the safety system. This is accomplished by the sensing device or the MSR.
Microprocessor-based devices (e.g., MSRs, light curtains, laser scanners, and the advanced non-contact sensors) detect these shorts in a variety of ways. One common way of detecting crossfaults is by using diverse pulse testing shown in Figure 86. The output signals are pulsed very quickly. The channel 1 pulse is offset from the channel 2 pulse. If a short occurs, the pulses occur concurrently and are detected by the device.
|
| Figure 86: Pulse Testing to Detect Crossfaults |
Electromechanically-based MSRs employ a different diversity technique: one pull-up input and one pull-down input. This is shown in Figure 87. A short from Channel 1 to Channel 2 will make the over-current protection device active and the safety system will shut down.
|
| Figure 87: Diverse Inputs Detect Crossfaults |
Outputs
MSRs come with various numbers of outputs. The types of outputs help determine which MSR must be used in specific applications.
Most MSRs have at least two immediately operating safety outputs. MSR safety outputs are characterized as normally open. These are safety rated due to the redundancy and internal checking.
A second type of output is delayed outputs. Delayed outputs are typically used in Category 1 stops, where the machine requires time to execute the stopping function before allowing access to the hazard area. Figure 88 shows the symbols used for immediate and delayed contacts.
|
| Figure 88: Symbols for Contact Types |
MSRs also have auxiliary outputs. Generally these are considered normally closed and are used to signal the machine control system that the safety system is off. Figure 89 shows three arrangements of normally closed contacts. The circuit on the left only allows the normally closed contacts to be used as auxiliary circuits as a single fault in CH1 or CH2 will close the circuit. The middle arrangement can be auxiliary usage as shown or safety usage if connected in series. The circuit on the right shows the normally closed contacts in a redundant arrangement, so they can be used in safety-related circuits.
|
| Figure 89: NC Contact Usage |
Output Ratings
Output ratings describe the ability of the safeguarding device to switch loads. Typically, the ratings for industrial devices are described as resistive or electromagnetic. A resistive load may be a heater type element. Electromagnetic loads are typically relays, contactors, or solenoids; where there is a large inductive characteristic of the load. Annex A of standard IEC 60947-5-1, shown in Table 5 describes the ratings for loads.
Designation Letter: The designation is a letter followed by a number, for example A300,
The letter relates to the conventional enclosed thermal current and whether that current is direct or alternating. For example A represents 10 amps alternating current. The number stands for the rated insulation voltage. For example, 300 represents 300V.
| Designation | Utilization | Enclosed Thermal Current | Rated Operational Current le at the Rated Operational Voltage Ue | VA | ||||||
| 120V | 240V | 380V | 480V | 500V | 600V | Make | Break | |||
| A150 | AC-15 | 10 | 6 | — | — | — | — | — | 7200 | 720 |
| A300 | AC-15 | 10 | 6 | 3 | — | — | — | — | 7200 | 720 |
| A600 | AC-15 | 10 | 6 | 3 | 1.9 | 1.5 | 1.4 | 1.2 | 7200 | 720 |
| B150 | AC-15 | 5 | 3 | — | — | — | — | — | 3600 | 360 |
| B300 | AC-15 | 5 | 3 | 1.5 | — | — | — | — | 3600 | 360 |
| B600 | AC-15 | 5 | 3 | 1.5 | 0.95 | 0.92 | 0.75 | 0.6 | 3600 | 360 |
| C150 | AC-15 | 2.5 | 1.5 | — | — | — | — | — | 1800 | 180 |
| C300 | AC-15 | 2.5 | 1.5 | 0.75 | — | 1800 | 180 | |||
| C600 | AC-15 | 2.5 | 1.5 | 0.75 | 0.47 | 0.375 | 0.35 | 0.3 | 1800 | 180 |
| D150 | AC-14 | 1.0 | 0.6 | — | — | — | — | — | 432 | 72 |
| D300 | AC-14 | 1.0 | 0.6 | 0.3 | — | — | — | — | 432 | 72 |
| E150 | AC-14 | 0.5 | 0.3 | — | — | — | — | — | 216 | 36 |
| Direct Current | 125V | 250V | 400V | 500V | 600V | |||||
| N150 | DC-13 | 10 | 2.2 | — | — | — | — | 275 | 275 | |
| N300 | DC-13 | 10 | 2.2 | 1.1 | — | — | — | 275 | 275 | |
| N600 | DC-13 | 10 | 2.2 | 1.1 | 0.63 | 0.55 | 0.4 | 275 | 275 | |
| P150 | DC-13 | 5 | 1.1 | — | — | — | — | 138 | 138 | |
| P300 | DC-13 | 5 | 1.1 | 0.55 | — | — | — | 138 | 138 | |
| P600 | DC-13 | 5 | 1.1 | 0.55 | 0.31 | 0.27 | 0.2 | 138 | 138 | |
| Q150 | DC-13 | 2.5 | 0.55 | — | — | — | — | 69 | 69 | |
| Q300 | DC-13 | 2.5 | 0.55 | 0.27 | — | — | — | 69 | 69 | |
| Q600 | DC-13 | 2.5 | 0.55 | 0.27 | 0.15 | 0.13 | 0.1 | 69 | 69 | |
| R150 | DC-13 | 1.0 | 0.22 | — | — | — | — | 28 | 28 | |
| R300 | DC-13 | 1.0 | 0.22 | 0.1 | — | — | — | 28 | 28 | |
| Table 5: Contact Ratings for Inductive Load Switching | ||||||||||
Utilization: The Utilization describes the types of loads the device is designed to switch. The utilizations relevant to IEC 60947-5 are shown in Table 6.
| Utilization | Description of Load |
| AC-12 | Control of resistive loads and solid-state loads with isolation by opto-couplers |
| AC-13 | Control of solid-state loads with transformer isolation |
| AC-14 | Control of small electromagnetic loads (less than 72 VA) |
| AC-15 | Electromagnetic loads greater than 72 VA |
| DC-12 | Control of resistive loads and solid-state loads with isolation by opto-couplers |
| DC-13 | Control of electromagnets |
| DC-14 | Control of electromagnetic loads having economy resistors in circuit |
| Table 6: Utilization Categories | |
Thermal Current, Ith: The conventional enclosed thermal current is the value of current used for the temperature-rise tests of the equipment when mounted in a specified enclosure.
Rated Operational Voltage Ue and Current Ie: The rated operational current and voltage specify the making and breaking capacities of the switching elements under normal operating conditions. The Allen-Bradley Guardmaster products are specifically rated at 125V AC, 250V AC, and 24V DC. Consult the factory for usage at voltages other than these specified ratings.
VA: The VA (Voltage x Amperage) ratings indicate the ratings of the switching elements when making the circuit as well as breaking the circuit.
Example 1: An A150, AC-15 rating indicates that the contacts can make a 7200V A circuit. At 120V AC, the contacts can make a 60 amp inrush circuit. Since the AC-15 is an electromagnetic load, the 60 amp is only for a short duration; the inrush current of the electromagnetic load. The breaking of the circuit is only 720V A because the steady state current of the electromagnetic load is 6 A, which is the rated operational current.
Example 2: An N150, DC-13 rating indicates that the contacts can make a 275V A circuit. At 125V AC, the contacts can make a 2.2 amp circuit. DC electromagnetic loads do not have an inrush current like AC electromagnetic loads. The breaking of the circuit is also 275V A because the steady state current of the electromagnetic load is 2.2, which is the rated operational current.
Machine Restart
If, for example, an interlocked guard is opened on an operating machine, the safety interlock switch will stop that machine. In most circumstances it is imperative that the machine does not restart immediately when the guard is closed. A common way of achieving this is to rely on a latching contactor start arrangement as shown in Figure 90. An interlocked guard door is used as an example here but the requirements apply to other protection devices and emergency stop systems.
|
| Figure 90: Simple Machine Start Stop Interlock Circuit |
Pressing and releasing the start button momentarily energizes the contactor control coil, which closes the power contacts. As long as power is flowing through the power contacts, the control coil is kept energized (electrically latched) via the contactor's auxiliary contacts which are mechanically linked to the power contacts. Any interruption to the main power or control supply results in the de-energizing of the coil and opening of the main power and auxiliary contacts. The guard interlock is wired into the contactor control circuit. This means that restart can only be achieved by closing the guard and then switch the normal start button to ON, which resets the contactor and starts the machine.
The requirement for normal interlocking situations is made clear in ISO 12100-1 Paragraph 3.22.4 (extract).
When the guard is closed, the hazardous machine functions covered by the guard can operate, but the closure of the guard does not by itself initiate their operation.
Many machines already have either single or double contactors that operate as described above (or have a system that achieves the same result). When fitting an interlock to existing machinery, it is necessary to determine whether the power control arrangement meets this requirement and take additional measures if necessary.
Reset Functions
Allen-Bradley Guardmaster monitoring safety relays are designed with either monitored manual reset or automatic/manual reset.
Monitored Manual Reset
A monitored manual reset requires a closing and opening of a circuit after the gate is closed or the E-stop is reset. Figure 91 shows a typical configuration of a reset switch connected in the output monitoring circuit of a safety relay with a monitored manual reset function.
The mechanically-linked, normally-closed auxiliary contacts of power switching contactors are connected in series with a momentary pushbutton. After the guard has been opened and closed again, the safety relay will not allow the machine to be restarted until after the reset button has been pressed and released. When this is done, the safety relay verifies (e.g., monitors) both contactors are off and that both interlock circuits (and therefore the guards) are closed. If these verifications are successful, the machine can then be restarted from the normal controls.
|
| Figure 91: Monitored Manual Reset |
The reset switch should be located in a place that provides a good view of the hazard so that the operator can check the area is clear before operation.
Auto/Manual Reset
Some safety relays have automatic/manual reset. The manual reset mode is not monitored and reset occurs when the button is pressed. A shorted or jammed reset switch will not be detected.
Alternatively, the reset line can be jumpered, allowing an automatic reset. The user must then provide another mechanism for preventing machine startup when the gate closes.
An auto-reset device does not require a manual switching action but after de-actuation, it will always conduct a system integrity check before resetting the system. An auto-reset system should not be confused with a device without reset facilities. In the latter, the safety system will be enabled immediately after de-actuation but there will be no system integrity check.
Control Guards
A control guard stops a machine when the guard is opened and directly starts it again when the guard is closed. The use of control guards is only allowed under certain stringent conditions because any unexpected startup or failure to stop would be extremely dangerous. The interlocking system must have the highest possible reliability (it is often advisable to use guard locking). The use of control guards can ONLY be considered on machinery where there is NO POSSIBILITY of an operator or part of his/her body staying in or reaching into the danger zone while the guard is closed. The control guard must be the only access to the hazard area.
Safety Programmable Logic Controls
The need for flexible and scaleable safety applications drove the development of safety PLCs/controllers. Programmable safety controllers provide users the same level of control flexibility in a safety application that they are accustomed to with standard programmable controllers. However, there are extensive differences between standard and safety PLCs. Safety PLCs, shown in Figure 92, come in various platforms to accommodate the scalability, functional, and integration requirements of the more complex safety systems.
|
| Figure 92: Safety PLC Platforms |
Hardware
Redundancy of CPUs, memory, I/O circuits, and internal diagnostics are enhancements that safety PLCs have that are not required in a standard PLC. A Safety PLC spends significantly more time performing internal diagnostics on memory, communications, and I/O. These additional operations are necessary to reach the required safety certification. The additional redundancy and diagnostics are taken care of in the operating system of the controller, making it transparent to the programmer, so that the safety PLC program functions much like a standard PLC program.
The microprocessors controlling these devices perform extensive internal diagnostics to ensure the performance of the safety function. Figure 93 provides an example block diagram of a safety PLC. Although microprocessor-based controllers differ slightly from one family to another, similar principles are applied to achieve a safety rating.
Multiple microprocessors are used to process the I/O, memory, and safe communications. Watchdog circuits perform diagnostic analysis. This type of construction is known as 1oo2D, because either of the two microprocessors can perform the safety function, and extensive diagnostics are performed to ensure that both microprocessors are operating in sync.
|
| Figure 93: 1oo2D Architecture |
Also, each input circuit is internally tested many times each second to make sure that it is operating correctly. Figure 94 shows a block diagram of an input. The E-Stop might only be hit once a month; but when it is, the circuit has been continuously tested so that the E-Stop will be sensed correctly internal to the safety PLC.
|
| Figure 94: Block Diagram of a Safety Input Module |
Safety PLC outputs are electromechanically or safety-rated solid-state outputs. Figure 95 shows multiple switches in every output circuit of a safety PLC. Like the input circuits, the output circuits are tested multiple times every second to make sure they can turn the output off. If any one of the three circuits fail, the output is turned off by the other two, and the fault is reported by the internal monitoring circuit.
|
| Figure 95: Safety Output Module Block Diagram |
When using safety devices with mechanical contacts (E-stops, gate switches, etc), the user can apply pulse test signals to detect crossfaults. To avoid using expensive safety outputs, many safety PLCs provide specific pulsing outputs that can be connected to mechanical contact devices. A wiring example is shown in Figure 96. In this example, outputs O1, O2, O3, and O4 are each pulsing at a different rate. The safety PLC expects to see these different pulse rates reflected at the inputs. If identical pulse rates are detected, a crossfault has occurred and appropriate action is taken in the safety PLC.
|
| Figure 96: Pulse Testing of 2 N.C. Mechanical Inputs |
Software
A safety PLC is programmed much like a standard PLC. All the additional diagnostics and error checking mentioned earlier are performed by the operating system. The programmer is not aware this is happening. Most safety PLCs will have special instructions used to write the program for the safety system and these instructions tend to mimic the function of their safety relay counterparts. For example, the Emergency Stop instruction in Figure 97 operates very much like an MSR127. Though the logic behind each of these instructions is complex, the safety program looks relatively simple because the programmer simply connects these blocks together. These instructions, along with other logic, math, data manipulation, etc. instructions are certified by a third party to ensure their operation is consistent with the applicable standards.
Function blocks are the predominant methods for programming safety functions. In addition to function blocks and ladder logic, safety PLCs also provide certified safety application instructions. Certified safety instructions provide application specific behavior. This example shows an emergency stop instruction. To accomplish the same function in ladder logic would require approximately 16 rungs of ladder logic. Since the logic behavior is embedded in the E-stop instruction, the embedded logic does not have to be tested.
|
| Figure 97: E-Stop Function Block |
Certified function blocks are available to interface with almost all safety devices. One exception to this list is the safety edge that uses resistive technology. Here is an example of certified application instructions available in the GuardPLC.
| 1. | Diverse (1 N.O. + 1 N.C.) Input with Auto Reset |
| 2. | Diverse (1 N.O. + 1 N.C.) Input with Manual Reset |
| 3. | Emergency Stop with Auto Reset |
| 4. | Emergency Stop with Manual Reset |
| 5. | Redundant (2 N.C.) Input with Auto Reset |
| 6. | Redundant (2 N.C.) Input with Manual Reset |
| 7. | Redundant Output with Positive Feedback |
| 8. | Redundant Output with Negative Feedback |
| 9. | Enable Pendant with Auto Reset |
| 10. | Enable Pendant with Manual Reset |
| 11. | Two Hand Run Station with Active Pin |
| 12. | Two Hand Run Station without Active Pin |
| 13. | Light Curtain with Auto Reset |
| 14. | Light Curtain with Manual Reset |
| 15. | Five Position Mode Selector |
| 16. | Single Pulse Test Output |
| 17. | Redundant Pulse Test Output |
A safety PLC generates a signature that provides the ability to track whether changes were made. This signature is usually a combination of the program, input/output configuration, and a time stamp. When the program is finalized and validated, the user should record this signature as part of the validation results for future reference. If the program needs modification, revalidation is required and a new signature must be recorded. The program can also be locked with a password to prevent unauthorized changes.
Wiring is simplified with programmable logic systems as compared to MSRs. Unlike wiring to specific terminals on MSRs, input devices are connected to any input terminals and output devices are connected to any output terminals. The terminals are then assigned through software.