DESIGN GUIDE: MACHINE SAFETY IN AUTOMATION
Sponsored by: www.bannerengineering.com
Brought to you by Design World

MACHINE SAFETY DESIGN GUIDE

Automation of discrete motion and process tasks is essential to modern manufacturing and distribution. However, automation can pose numerous dangers to nearby human personnel as well as equipment. The threats of electrocution, burns, amputations, crushed fingers and hands, and blindness are most acute near slicing and sawing operations; spinning, reciprocating, spooling, winding, pressing, and punching axes (as well as those transporting heavy objects); and hot components, including end effectors used for welding or sintering.

As we’ll detail in this Design Guide, any machine function, component, or process posing the above risks (or the potential for damage to equipment) must be fitted with a safety system and in most cases safeguarded … and its hazards removed or controlled.

In this Design Guide, the editors of Design World review the approaches needed to fully assess a machine’s required level of safety; the components needed for safe installations; and the proper integration of such components in individual machines and workcells. The role of controls and leading standards (for specific markets and for general automation) will also be covered.

LISA EITEL
Engineer Editor

TABLE OF CONTENTS
Introduction to industrial safety — 3
Assessing the need for (and designing) machine safety features — 6
Safety components using direct machine-operator contact — 11
Emergency stop switches — only in emergencies — 14
Machine-triggered sensors, switches, and perimeter components — 16
Safety relays, signal processing, and controls — 24

© Copyright 2023 WTWH Media | October 2023
www.wtwhmedia.com | marketing.wtwhmedia.com | www.designworldonline.com | www.motioncontroltips.com
@designworld | /DesignWorldNetwork | @motion_control

INTRODUCTION TO INDUSTRIAL SAFETY

Industrial threats to facility-personnel wellbeing include radiation, hazardous-chemical exposure, lack of work-cell ergonomics, biological hazards (including harmful or deadly viruses, fungi, or bacteria), environmental extremes (including extreme temperatures), and physical harm from mechanical threats. In this Design Guide, we cover technologies to prevent harm from the latter.

Basic mechanical safety systems prevent machines from starting until it’s safe to start ... and stop the machine upon detection of some hazardous condition. Just consider industrial settings involving conveyors that run near plant operators. Such conveyors can entangle personnel — especially by fingers, loose shirt sleeves, and long hair. That’s why (among other safety features) conspicuous stop switches, strips, and cords must flank the conveyor at regular intervals along its whole run — to let plant personnel stop the entire conveyor during or just preceding an emergency.

Quantifying such safety risks and the potential severity of personnel injury from machinery (as well as self-inflicted machinery damage) is at the core of all industrial-safety design work. European Standard (EN), International Electrotechnical Commission (IEC), and International Organization for Standardization (ISO) risk assessments and rules dominate global regulations applying to nearly all industries. These lead to consolidated guidelines that thoroughly define the safety systems, redundancies, and precautions required to sufficiently minimize risk — whether on the part of machine operators (as is customary in the U.S.) or on the part of the machine builders (as is required by law in Europe). Complementary industry-specific regulations then complete the suite of protections to keep personnel safe. Such protections are especially important near operations considered typical in the world of industrial automation … such as material handling, transporting, forming, cutting, laminating, and pressing as well as forms of electrical, thermal, and optical processing, testing, and inspection.

Of course, overly zealous safety protocols are the enemy of productivity, and can even shorten machinery life should there be over-reliance on emergency stops (e-stops), as these are jarring to mechanical and even electrical machine components. On the other hand, it’s increasingly unacceptable to leave machine safety to other parties ... even for OEM machine builders not explicitly asked by end users to include safety features on new machines. Even for older machines, safety retrofits are increasingly viable and warranted where plant personnel include new hires and younger, less experienced operators.

Protect personnel from entering a hazardous area with a shear point using the XS26 Safety Controller and light curtains. An illuminated E-stop provides indication as well as an input to stop the machine in case of an emergency. Image: Banner Engineering

Figure: an example safety circuit built from an HMI with safety controls, a noncontact door switch, an emergency stop, and a safety relay or safety controller.

Some safety sensors can connect to servo controls or VFDs and replace relay arrays on machines involving motion control.
Such networked sensor installations can detect errors that degrade machine safety — and keep machine zones on lockdown (or moving very slowly) until the error is cleared. Where standards allow it, such safety systems often wire interlocks and the like in series to boost reliability while minimizing cost and complexity.

Outsourcing the design of machine safety features (either to suppliers or integrators) may be necessary where:
• A facility or organization’s engineering teams lack safety-specific expertise
• A machine’s operations (and potential hazards) are exotic … necessitating customized machine guarding
• No previous risk assessment has been done
• Nuanced safety implementation demands reliance on qualitative knowledge of best practices
• Full design-team mastery of both governmental and industry safety standards is lacking

All industrial-automation installations require careful analysis to identify the most suitable safety guards and (if applicable) safety control architecture. Simple machines with straightforward safety requirements — for example, those needing only a light curtain and an emergency stop button — can accept a wider array of solutions than more complex installations. Where a machine requires a more involved safety solution, today’s flexible safety controls, architectures, and software can help simplify the setup of key-locked work cells, safety interlocks, and even collaborative workspaces that put machine operators near robotics, conveyors, and other potentially dangerous equipment.

Using two sets of EZ Screen light curtains to protect personnel from a robot. These curtains can be muted depending on where the robot is so parts can be placed or moved. Image: Banner Engineering

Case in point: The proliferation of collaborative robots (cobots) necessitates specialty safety systems that use sensor feedback and specialty forms of actuation so any inadvertent contact with human personnel is gentle.
Note that machine guarding or safeguarding is defined by ISO standards as that which surrounds potentially dangerous equipment axes or areas of action with fencing, gates, doors, interlocks, sensors, light curtains, and other physical and electronic components. Boundaries based on electronic actions network with controls to trigger slowing or even stopping of operations that could prove harmful to personnel or objects entering the guarded area. Though some sources in industry use safeguarding in the more general sense, many references and formalized safety standards have begun using the more exact phrases safety engineering controls and risk reduction measures to respect the stricter ISO definition of safeguarding.

Noise: The other physical threat to personnel

Though beyond the focus of this Design Guide, noise poses a real risk of stress, distraction, and hearing loss in machine operators and other plant personnel. That’s why providing a variety of hearing protection is essential plant practice. Very loud and sudden sounds from sirens, crashes, and explosions can cause everything from tinnitus to temporary hearing loss to permanent deafness at affected frequencies. Just as harmful is long-term moderate noise exposure — even at the modest levels of 70 to 80 dB. Many types of industrial equipment can easily generate sounds at these levels at 4,000 to 8,000 Hz, the most critical frequencies for human hearing. What’s more, the stress of unrelenting noise can cause measurable harm to machine operators’ cardiovascular health.
The simplest form of safety equipment is fencing to keep personnel away from dangerous areas.

Robotic work cells also necessitate specialty guards that accommodate the fact that personnel may occasionally enter the robot’s work cell. Here, trapped-key safety circuits can force personnel to clear out of the work cell before the robot is allowed to resume operations.

ASSESSING THE NEED FOR (AND DESIGNING) MACHINE SAFETY FEATURES

Figure: Functional safety risk estimation. To calculate the performance level required (PLr), the risk graph combines three parameters and arrives at an outcome from PLr a (low risk) to PLr e (high risk):
S — Severity of injury: S1 slight (normally reversible injury); S2 serious (normally irreversible injury or death)
F — Frequency and/or exposure to hazard: F1 seldom to less often and/or exposure time is short; F2 frequent to continuous and/or exposure time is long
P — Possibility of avoiding hazard or limiting harm: P1 possible under specific conditions; P2 scarcely possible
All functional safety analyses begin with risk assessment to determine the required Safety Integrity Level or Performance Level.

Machines should be rendered safe with minimal impact on operational efficiency and productivity. Fortunately, functional safety features in machines and systems allow both goals to be realized — mitigating the risk of injury without needlessly affecting production.

Figure: Mean time to failure and safety ratings. EN/ISO 13849-1 values for Category (B, 1, 2, 3, 4), Diagnostic Coverage (DC none, low, medium, high), and Mean Time to Dangerous Failure (MTTFd low, medium, high) for PL levels a to e are interrelated, and each PL corresponds to a PFHD band between 10^-4 and 10^-8 per hour (with the 3x10^-6 boundary separating PL b from PL c).

Designers of industrial machinery and equipment must account for the fact that automated motion poses a significant risk of injury or damage.
Automation’s dominant form of safety today — functional safety — is a design approach that allows verification that a machine’s safety-related components do in fact reliably function as intended when given safety commands. In short, the aim of functional safety is to ensure equipment correctly operates and responds to inputs. Diagnostics and validation routines can now regularly confirm that the safety hardware in such designs continues to meet the safety-system requirements for low risk of harm, without that reliability deteriorating over time.

The four SIL levels of EN/IEC 62061 list values for the Probability of Dangerous Failure per Hour (PFH) as well as a Risk Reduction Factor (RRF):

SIL    PFH (per hour)     RRF
1      10^-5 to 10^-6     100,000 to 1,000,000
2      10^-6 to 10^-7     1,000,000 to 10,000,000
3      10^-7 to 10^-8     10,000,000 to 100,000,000
4      10^-8 to 10^-9     100,000,000 to 1,000,000,000

ISO and IEC standards have been shifting toward standardizing more robust risk-mitigation techniques … with new standards iterations released every few years. Europe has traditionally led in machinery safety, though the U.S. has reached comparable adoption levels in recent years.

Functional safety demands that systems detect potentially dangerous conditions and activate protective or corrective devices or commands to prevent (or reduce the consequences of) hazardous events. Standards abound to define the functional safety of a given machine. Major ISO functional safety standards include ISO 12100, ISO 13849, IEC 60204, ISO 61508, and ISO 62061. Relevant to safety-component suppliers as well as design engineers deploying these safety components, these detail the necessary risk assessment, design, installation, and validation for designing functional safety that satisfies ISO 61508 and 62061.
Fortunately, functional-safety ISO standards at least list other potentially applicable standards for a given design in their normative references. Just consider two of the most significant standards for automation today — EN/IEC 62061 and EN/ISO 13849-1. Although the EU was the first market to mandate integrated safety functions in machinery, manufacturers around the world have begun to integrate functional safety features in machines marketed and sold outside of the EU. EN/IEC 62061 and EN/ISO 13849-1 govern safety requirements for such industrial equipment.

Manage the status of multiple doors with Banner’s RFID safety-rated switch. Get door-gap diagnostics as well as individual switch status with In-Series Diagnostics from Banner. Image: Banner Engineering

According to the International Electrotechnical Commission (IEC), the IEC 62061 standard specifies requirements and makes recommendations for the design, integration, and validation of safety-related electrical, electronic, and programmable electronic control systems (SRECs) for machines. It is applicable to control systems used, either singly or in combination, to carry out safety-related control functions on machines that are not portable by hand while working, including a group of machines working together in a coordinated manner. Industrial-machinery SILs are now coordinated with ISO 13849-1 performance levels (PLs).

According to the International Organization for Standardization (ISO), the EN/ISO 13849-1:2005 standard provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS) — including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions.
It applies to SRP/CS for high-demand and continuous mode, regardless of the type of technology and energy used (such as electrical, hydraulic, pneumatic, or mechanical) for all kinds of machinery.

So why do some standards begin with the prefix EN? In short, the EN prefix designates a harmonized standard. That means it is listed under the EU Machinery Directive 2006/42/EC. The Machinery Directive specifies essential safety and health requirements that all machines in the EU must meet. Harmonized standards include standards from ISO, IEC, and the European Union. These standards provide the technical specifications and procedures to fulfill the Machinery Directive requirements.

COMPARISON OF EN/IEC 62061 WITH EN/ISO 13849-1

EN/IEC 62061 uses the Safety Integrity Level (SIL) rating system to indicate the level of functional safety and …
• Assigns a numeric score from 1 to 4, with 1 being the lowest and 4 being the highest; example: SIL3 (note that only levels 1-3 apply to machine systems)
• Bases the risk assessment for determining the required SIL on severity of injury (Se), frequency and duration of exposure (Fr), probability of occurrence of a hazardous event (Pr), and probability of avoiding or limiting harm (Av)
• Uses the SIL rating to indicate the Probability of Dangerous Failure per Hour (PFHD) and the Risk Reduction Factor (RRF)
• Considers both low-frequency demand (such as infrequent machine processes or actions) and high-frequency demand

EN/ISO 13849-1 uses the Performance Level (PL) rating system to indicate the level of functional safety and …
• Assigns an alphabetic score from a to e … with a being the lowest and e being the highest — as expressed in Category 4 PLe, for example
• Bases the risk assessment for determining the required PL on severity of injury, frequency and exposure time to the hazard, and possibility of avoiding the hazard or limiting harm
• Uses the PL rating to indicate the system’s architecture (called its Category), mean time to dangerous failure (MTTFd), diagnostic coverage (DC), and common cause failures (CCF)
• Considers only high-frequency demand

Notice that EN/IEC 62061 and EN/ISO 13849-1 as well as other functional-safety standards (including ISO 12100-1) classify machines as needing to satisfy Type A, B, and C requirements. Foundational Type A standards (such as ISO 12100 itself) apply to all machine types. Midrange Type B standards include B1 standards such as ISO 13849-1 and ISO 62061 defining safety approaches, and B2 standards such as ISO 13850 and ISO 13851 defining specific safe-system requirements. Very machine-specific Type C standards are the most stringent and preferred for new machine designs. Examples include:
• EN 201 covering safety requirements for injection molding machines
• EN 692 covering safety requirements for mechanical presses
• EN 847-1 covering safety requirements for woodworking machines involving milling and saw-blade axes
• EN 848-1 covering safety requirements for molding machines with rotating vertical axes
• ISO 3691 covering safety requirements for industrial trucks
• ISO 11111 covering safety requirements for textile machinery
• ISO 10218-1 covering safety requirements for industrial robots
• ANSI/RIA R15.06 covering safety requirements for robot starting and restarting

Note that the Performance Levels (PL) under ISO 13849-1 correspond to certain PFHD ranges and so can be cross-referenced to SIL levels from IEC 62061. When implementing functional safety, machine builders, integrators, and users are free to choose either standard — EN/IEC 62061 or EN/ISO 13849-1.
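The risk-graph walk (S, F, P to PLr) and the PL/PFHD/SIL cross-reference described above, as an added Python example that is not part of this Design Guide or of any Banner Engineering tool. It assumes the S-F-P outcomes, the PFHD band per PL, and the PL-to-SIL correspondence as published in EN/ISO 13849-1 (risk graph in its Annex A); those values are not printed on this page and are taken from the standard.

```python
"""Required PL from the EN/ISO 13849-1 risk graph, achieved PL from a PFHd
value, and the SIL the achieved PL corresponds to.

Added example, not from the Design Guide. Parameter wording follows the
guide's risk-graph figure; the graph outcomes, PFHd bands and PL-to-SIL
table are assumed from EN/ISO 13849-1 (risk graph: Annex A)."""
from typing import Optional

# Risk-graph parameters, worded as in the guide's figure.
SEVERITY = {
    "S1": "slight (normally reversible injury)",
    "S2": "serious (normally irreversible injury or death)",
}
FREQUENCY = {
    "F1": "seldom to less often and/or exposure time is short",
    "F2": "frequent to continuous and/or exposure time is long",
}
AVOIDANCE = {
    "P1": "possible under specific conditions",
    "P2": "scarcely possible",
}

# Each S -> F -> P path through the risk graph ends at one required
# performance level, from PLr a (low risk) to PLr e (high risk).
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}

# Average probability of a dangerous failure per hour (PFHd) per PL:
# lower bound inclusive, upper bound exclusive (EN/ISO 13849-1 values).
PL_PFHD = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}

# PL-to-SIL correspondence: PL a has no SIL equivalent, PL e maps to
# SIL 3 (SIL 4 is not used for machinery, as the guide notes).
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}

PL_RANK = {pl: i for i, pl in enumerate("abcde")}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Walk the risk graph and return the PLr letter for one hazard."""
    if severity not in SEVERITY:
        raise ValueError(f"severity must be one of {sorted(SEVERITY)}")
    if frequency not in FREQUENCY:
        raise ValueError(f"frequency must be one of {sorted(FREQUENCY)}")
    if avoidance not in AVOIDANCE:
        raise ValueError(f"avoidance must be one of {sorted(AVOIDANCE)}")
    return RISK_GRAPH[(severity, frequency, avoidance)]


def pl_for_pfhd(pfhd: float) -> Optional[str]:
    """Return the PL whose PFHd band contains the value, or None when the
    failure rate is too high (>= 1e-4 per hour) to reach even PL a."""
    if pfhd <= 0:
        raise ValueError("PFHd must be a positive rate per hour")
    if pfhd < 1e-8:
        return "e"  # better than the PL e band still satisfies PL e
    for pl, (low, high) in PL_PFHD.items():
        if low <= pfhd < high:
            return pl
    return None


def assess(severity: str, frequency: str, avoidance: str, pfhd: float) -> dict:
    """Compare the PLr a hazard demands with the PL a safety function
    achieves (from its PFHd) and report the corresponding SIL."""
    plr = required_pl(severity, frequency, avoidance)
    pl = pl_for_pfhd(pfhd)
    meets = pl is not None and PL_RANK[pl] >= PL_RANK[plr]
    return {
        "PLr": plr,
        "PL": pl,
        "SIL": PL_TO_SIL[pl] if pl else None,
        "meets_plr": meets,
    }


if __name__ == "__main__":
    # Constructed scenario: a press hazard that can cause irreversible
    # injury, with frequent exposure and scarcely any chance of avoidance,
    # protected by a light-curtain circuit totalling PFHd = 2.5e-8 per hour.
    print(assess("S2", "F2", "P2", 2.5e-8))
```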
WIDER UNIVERSE OF SAFETY STANDARDS

Remember that functional safety is applicable to the machine and its control system — not to a specific component or device type. For example, a servo drive may include features and functionality that let a system achieve a specific EN/IEC 62061 or EN/ISO 13849-1 safety category, but the use of the drive itself does not confer that machine’s safety level.

Many motion-component manufacturers have published brochures or white papers addressing functional safety, and for good reason. While the concept of functional safety is relatively simple, the decision regarding what safety level should be applied to a particular machine or process is based on a complex mix of quantitative factors and qualitative assessments. Some manufacturers have even developed proprietary software to assist designers in determining what functional safety level is required and in choosing the appropriate components to achieve that safety level.

So far we’ve covered EN/IEC 62061 and EN/ISO 13849-1 — two key standards for motion-control applications. In fact, other standards apply to designs to varying degrees. Now consider other standards that are common for automated equipment.

ISO 12100 • Safety of machinery — General principles for design | Risk assessment and risk reduction: This defines an approach often serving as the initial process for identifying machine hazards. The standard requires an inherently safe design and then the addition of safeguards as well as safety information that must be shared with operators. Control-based safety must be verified through an iterative process ensuring each safety feature satisfies a sufficiently safe performance level (PLr) for a given mean time to dangerous failure (MTTFd), as described earlier. The latest iteration of the ISO 12100 standard has replaced portions of the former ISO 12100 and ISO 14121 — and informs the Japanese Industrial Standards (JIS) standard JIS B9700. It also consolidates Type A machinery standards so engineers can use one set of requirements for all their related designs. The “practical guidance” standard of ISO/TR 14121 remains to inform the actual analysis process.

ISO/TR 14121: This systematic risk-assessment standard is useful during machine design, construction, retrofitting, and use. The standard outlines five steps to that end.

Step 1 is to determine the machinery limits, including:
• Requirements for all machine-life phases and the machine’s intended use
• Potential modes of misuse and malfunction
• Operator’s age, strength, dominant hand, and abilities relating to eyesight and hearing — as well as competence and experience

Step 2 of ISO/TR 14121 requires the identification of all hazardous conditions … largely through predicting situations that could cause electrocution, severing of body parts, entanglement, crushing, and burning. Clarifying such hazards can be done using checklists, what-if questionnaires, hazard and operability studies, and failure mode and effect as well as fault-tree analyses.

Step 3 of ISO/TR 14121 includes quantification of the risk factors’ probability of occurring and magnitude of potential harm; this is followed by evaluation of additional measures (including design changes and safeguarding additions) to further reduce all risks. Finally, the standard outlines ways to eliminate or reduce personnel exposure to any remaining and unavoidable hazards.

DIN EN ISO/TR 11688-1 • Acoustics — Recommended practice for the design of low-noise machinery and equipment (Planning): This safety standard outlines the basics of machinery noise control and recommended mitigation tactics for all design stages.
ISO 13732-1 • Ergonomics of the thermal environment: This standard (among other things) lists temperature thresholds (both hot and cold) that can burn skin when an operator intentionally or accidentally touches machine surfaces for a given duration. The standard also details the expected burn severity for set values — as well as unacceptable heat strain that could occur.

ISO 13849 • Safety of machinery: This functional-safety standard (detailed earlier) combines the IEC 62061 probabilistic design approach (and models) with the determinism of the straightforward EN 954-1 categories (B, 1, 2, 3, 4). That yields architecture models matching the category definitions for simplified risk estimation. Note that ISO 13849 Part 1 covers general principles for design and Part 2 covers the validation of safety-related parts of industrial control systems. Ultimately, ISO 13849 simplifies risk assessments for OEMs implementing safety because it forces homogeneous and specific risk estimations that are more relatable to end-user risk assessments. That’s especially helpful where an end user might not fully understand the functional differences of different OEM safety architectures, or the OEM might not recognize subtle end-user requirements.

ISO 13857 • Safety distances to prevent danger zones being reached by the upper and lower limbs: This industrial safety standard lists values for distances to prevent danger zones being reached by the limbs of an average 14-year-old (and older individuals) without additional aid. It recently superseded ISO 13852 (safety of machinery), a standard that included protections for those three years old and older … and only defined reachability distances for the arms (and not the legs).

Use warning zones to alert personnel that they are too close to a danger zone. Use these warning zones to control the speed of the process and slow it down to a safer speed as a person enters the hazardous zone.
Image: Banner Engineering

ISO 14118 • Safety of machinery — Prevention of unexpected startup: This recently superseded EN 1037 to define systems that let operators safely enter a hazardous machine area. Central to ISO 14118 is energy isolation or dissipation — as in the disconnection of electric power supplies, stopping of motors, release of pneumatic valves, shutdown of any hydraulics, and spending of any moving axes’ kinetic energy. Where zero-energy conditions are impossible, electronic controls satisfying ISO 12100 should be used to prevent unexpected startup. In some instances, key interlocks may be in order — though to be clear, e-stops aren’t acceptable startup preventers.

ISO 14119 • Safety of machinery | Interlocking devices associated with guards: ISO 14119 covers machinery-guarding interlock safety … while referencing other safety standards for risk analysis. As covered later in this Design Guide, guard interlocks prevent hazardous machine operations until the guards are closed. Of course, even though machines with closed interlocks can run, closing a guard shouldn’t by itself trigger the start of automated operation. The safest machines usually include a dedicated start button — or a very specialized control interlock that does double duty as an interlock and machine-start mechanism. Machines that satisfy ISO 14119 also render intentional and accidental safety-system defeats (as through jamming a position switch or switch actuator) impossible.
ISO 14120 • Safety of machinery | Guards — General requirements for the design and construction of fixed and movable guards: This ISO Type-B standard superseded the earlier EN standard outlining the general design and integration of machine guards to protect plant operators from mechanical hazards — both from dangerous access to work cells and from noise, projectiles, fires, and even radiation emitted from the work cell.

IEC 60947 • Low-voltage switchgear and controlgear (General rules): This applies, as required by relevant product standards, to low-voltage switchgear and controlgear connecting to circuits with rated voltages at or below 1,000 Vac or 1,500 Vdc.

IEC 62061 • Safety of machinery — Functional safety of safety-related electrical, electronic, and programmable electronic control systems: IEC 62061 (covered earlier) derives from IEC 61508 so engineers can more easily specify safety hardware and software for specific machinery. This standard may be more appropriate than the deterministic EN 954-1 or the probabilistic ISO 13849-1 for machines involving programmable controls and safety buses. Two caveats are that IEC 62061 demands the calculation of probabilities (of dangerous events) and can be complicated … covering all details for even the most sophisticated safety control architectures.

BS EN 614-1 • Safety of machinery | Ergonomic design principles — Part 1 (Terminology and general principles):

ANSI B11.0 • Safety of machinery | General requirements and risk assessment: This recently updated ISO Type-A (general) standards series defines machine design, construction, installation, reconstruction, modification, setup, operation, maintenance, and safety-design documentation requirements. It’s meant to support other more specific standards (especially Type C standards) while specifying risk-assessment principles and procedures.
IEC 60204-1 • Electrical equipment of industrial machines — Part 1 (General requirements): Updated in 2016 and aligned with EN 60204-1 in 2020, this standard covers the safe specification and integration of electrical components such as circuit breakers.

IEC 61508 • Functional safety of electrical, electronic, and programmable electronic safety-related systems: This seven-part universal standard supports the development of uniform safety designs employing electric operation … and outlines the approach for thorough machine-risk analysis. In fact, IEC 61508 has been key to promoting the use of functional-safety concepts — and safety design that emphasizes safety-system performance and reliability over an outdated focus on component failure modes. The standard’s wide applicability prompted the more specific IEC 62061 for machine-control mechanical safety.

SAFETY COMPONENTS USING DIRECT MACHINE-OPERATOR CONTACT

Use Banner’s heavy-duty light curtains to safeguard personnel in press applications. Additionally, Banner offers safety controllers with “Press Control” function blocks to make implementation easier. Image: Banner Engineering

Because it’s easiest to picture the touchable (tactile) safety mats, light curtains, consoles, and locks on industrial machinery, we cover these peripheral safety components first. Switches and sensors that contact machine components are covered in the next section of this Design Guide.

Presence-sensing safety mats integrate pressure-sensor arrays between rubber layers to detect when a machine operator steps into a hazardous area. The sensor contacts come together, and a safety controller registers that signal to generate some response command. Though replaced by light curtains in many applications, presence-sensing safety mats endure.
Drawbacks are that it’s easy to defeat safety mats by putting heavy objects on them; they’re also vulnerable to being crushed or rendered inoperable by dirt ingress.

Light curtains are a type of active opto-electronic protective device (AOPD) and use communication between a pair of posts to secure openings in machine fencing or housing. They can detect the presence of a plant worker (which is why we include them in this Design Guide section) as well as machine linkages and objects being moved by the machine. The transmitter post sends an array of infrared light beams to a receiver post; interruption of any of the beams causes a signal prompting the machine controls to stop the potentially hazardous machine activity. For example, light curtains can verify that a sheet-metal cutting machine’s material-insertion point and active slicing area are clear before any blades move. Other related designs include light grids and light barriers that (like light curtains) allow machine operators an unobstructed view of the protected work volume they’re about to access.

Industrial safety bars are pressure-sensitive strips that affix to the edges of machine housings, conveyors, and stages. When machine operators bump into or lean on the strips, the resulting signal prompts a safety controller to halt the potentially dangerous machine activity. A close cousin of safety bars are safety edges. These components affix to the outermost reaches of machine axes to detect when they bump into something or someone … and prompt a halt to dangerous motion capable of inflicting blunt-force injuries.

Shown here is an example of a safety pressure mat application around a robot arm.

Laser scanners (another AOPD) are newer and costlier than light curtains but can cover far bigger portals — such as the virtual “exit doorway” of a large robotic box-stacking work cell — and more accurately.
They work by emitting a rotating beam that reflects off surrounding objects and back to a receiver in the scanner body. Like light curtains, they can detect the presence of a plant worker … as well as machine linkages and objects being moved by machinery.

Two-hand machine safety control consoles prevent operators from coming too close to hazardous machine areas. Depending on the design, the console may demand that both operator hands activate inputs on the control (within 0.5 sec of each other) for machine startup or the generation of an output signal. That signal in turn must turn off if either or both of the operator’s hands come off the control. Any reset or machine restart requires release and then reengagement with the control by both operator hands. ISO 13851 dictates that such controllers satisfy Type I, Type II, or Type III requirements.

A two-hand machine safety control can also serve to prevent accidental startups by separating its twin startup switches with a shield between them. Depending on the control’s exact dimensions, this can prevent accidental machine startups from both switches inadvertently being triggered by a single hand, by a forearm and hand, or (if the control is low on a control panel) even by a hand and a knee or hip bump.

The related standard ISO 13855 details safe distances and best practices for locating machine safety elements. This safe distance is the minimum distance from a stop-triggering safety component to a hazardous machine section that allows a full stop of that section before the operator has time to get too close.

Maintenance enabling switches are squeezable safety switches that let machine integrators or maintenance personnel perform repair or troubleshooting work inside machine fencing (or near hazardous machine axes) while preventing unexpected motion.
Often taking the form of a split-body squeeze joystick, these switches usually complement other teach, control, and jog buttons on consoles or handheld pendants. The delicate nature of what these switches recognize as an “on” position is their strength: Squeezing the switch too hard or too softly or completely releasing it (as an operator might do if startled by a machine action) turns the switch off and disables the machine. Only a moderate and controlled amount of grip force allows the machine to run. Some designs connect enabling switches to safety relays in safety circuits for top reliability.

DEEPER DIVE ON FOOTSWITCHES FOR MACHINE SAFETY

Foot controls have complemented industrial machine designs since before the steam age. The earliest forms actually served as a power input — especially for textile weaving and sewing as well as wood and metal working. Today, modern automated equipment incorporates ruggedized electric footswitches as a safe and convenient way for machine operators to engage and disengage axes or even machine power.

A safety foot switch designed with a full cover to prevent accidental actuation.

Required footswitch force varies with the intended use; a footswitch supplied for automated lab equipment (say, allowing a lab worker to control the grasping and moving of test tubes) will be designed for low-force input. In contrast, a footswitch for installation on a harvester or other piece of agricultural off-highway equipment may take the form of a heavy-duty stomp switch — to let operators more easily control equipment tools. Here, switches requiring higher deliberate force input can help avoid nuisance trips as well as unexpected shutdowns triggered by machine impulses and vibrations.

FOOTSWITCH-INTEGRATION DESIGN CONSIDERATIONS

Footswitches have rated specifications — but these should be used carefully. Consider a motor-driven machine drawing 12 A and controlled by a footswitch. Simply assuming a switch rated for 15 A is sufficient could spell trouble.
A heavily loaded motor or one with a locked shaft can draw tremendous current. Catastrophic failure of such a machine’s footswitch would present an unacceptable risk to the machine operator as well as downtime. Such machine arrangements require a circuit breaker, overcurrent detection mechanism, and some type of control to trigger an immediate shutdown … as well as a footswitch rated to withstand such extreme conditions. These footswitches include waterproof and dustproof seals around their internal electric-switch subcomponents; the other subcomponents are made of metal and high-impact plastic shaped to maximize ergonomics. Many are also adjustable to protect machine operators from the main risk of poor ergonomics — that of repetitive strain injury. Such injuries can degrade productivity and even force workers into medical leave.

Footswitches have been a staple control device since the very first mechanized machines. The first footswitches were simple kinematic devices. Today’s modern industrial machinery uses electric means of transmitting foot-switch signals.

Single-pole foot-switch wiring can be normally closed (top), normally open (middle), or normally open and closed (bottom).

On-off footswitches — what are called single-action footswitches — are either engaged or disengaged. They can also allow momentary stopping or starting (that lasts as long as an operator keeps his or her foot on the pedal) or can latch. For momentary operation, the pedal is spring loaded to return to its default position upon release. Latching footswitches have a push-on push-off operation. Both momentarily operating and latching footswitches can include circuitry that’s normally open, normally closed, or both normally open and normally closed. They can also include single-pole, double-pole, or multi-pole wiring to allow gangs of footswitches to connect in arrays.

In contrast with single-action footswitches are dual-action footswitches. These trigger a stage-one condition when halfway depressed and a stage-two condition when fully depressed. Some industrial foot-switch manufacturers support modular safety designs with footswitches that can wire in cascading arrays … with each footswitch having its own unique contacts.

At their actual switching core, these footswitches can have a make-before-break, break-before-make, or simultaneous-switch arrangement. The connected design being controlled will dictate which is most suitable. A footswitch controlling a dc-motor-driven axis’ direction, for example, may necessitate a footswitch with break-before-make wiring — to reliably disconnect the switches for forward polarity before applying the switches for reverse polarity. Simultaneous-switch arrangements have their uses but can introduce momentary short circuits … and even electrical sparks and discharges.

Of course, not all footswitches are on-off or three-setting controls. Some allow for an infinitely variable analog control over an axis’ power input — for a simple speed control, for example. Such footswitches often pair with axes employing variable-speed motor controls and trimmers for smooth operation sans sudden kick-on and kick-off points.

An example of a two-stage footswitch topology. In this case both switches are normally open. This type can be normally open, normally closed, or both. This topology can also be used to implement a make-before-break or break-before-make configuration.

EMERGENCY STOP SWITCHES — ONLY IN EMERGENCIES

EN ISO 13850 and NFPA 79 dictate that e-stop mushroom-head buttons must be bright red and flanked by a yellow element. Note that resetting an e-stop should not restart the machine; that’s done through a separate reset power-on button.
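The start and stop rules stated so far, as an added worked example that is not code from the Design Guide or from any vendor product: a two-hand control whose output is valid only when both hands are applied within the 0.5 s window, drops when either hand releases, and is re-armed only after both hands are released; and an e-stop that latches, is cleared by a separate reset, and never restarts the machine by itself. Class and function names, the event format and the sample operator sequence are my own constructions; times are plain seconds so the logic can be exercised without hardware.

```python
"""Start-permission logic of a small safety controller (added example, not
from the Design Guide or any vendor): a two-hand control with synchronous
actuation plus a latching e-stop with a separate reset. Class names, the
event format and the sample sequence are constructed for illustration."""

SYNC_WINDOW_S = 0.5  # both hands must be applied within this window (figure quoted in the guide)


class TwoHandControl:
    """Output is ON only while both buttons are held and they were pressed
    within SYNC_WINDOW_S of each other. After the output drops (a hand
    released, or the window missed) BOTH buttons must be released before a
    new start attempt is accepted."""

    def __init__(self):
        self.pressed_at = {"left": None, "right": None}  # time each button went down
        self.output = False
        self.rearm_needed = False

    def drop(self):
        """Force the output off and demand a fresh two-hand actuation."""
        self.output = False
        self.rearm_needed = True

    def update(self, left, right, now):
        for name, held in (("left", left), ("right", right)):
            if held and self.pressed_at[name] is None:
                self.pressed_at[name] = now
            elif not held:
                self.pressed_at[name] = None
        if not left and not right:
            self.rearm_needed = False          # both released: may start again
        if self.output and not (left and right):
            self.drop()                        # either hand off: output drops
        if not self.output and left and right and not self.rearm_needed:
            if abs(self.pressed_at["left"] - self.pressed_at["right"]) <= SYNC_WINDOW_S:
                self.output = True
            else:
                self.rearm_needed = True       # too slow: release both and retry
        return self.output


class EStopLatch:
    """A pressed e-stop latches the stop demand. Pulling the button back out
    does not clear it; a separate reset does, and reset alone never starts."""

    def __init__(self):
        self.stop_latched = False

    def update(self, estop_pressed, reset_pressed):
        if estop_pressed:
            self.stop_latched = True
        elif reset_pressed:
            self.stop_latched = False
        return self.stop_latched


class StartStopLogic:
    def __init__(self):
        self.two_hand = TwoHandControl()
        self.estop = EStopLatch()

    def update(self, left, right, estop, reset, now):
        """Returns True only while the machine is permitted to run."""
        stopped = self.estop.update(estop, reset)
        permit = self.two_hand.update(left, right, now)
        if stopped:
            self.two_hand.drop()   # after reset a fresh start action is needed
            permit = False
        return permit


def run_scenario(events):
    """events: (t, left, right, estop, reset) tuples; returns run permission per event."""
    logic = StartStopLogic()
    return [logic.update(lt, rt, es, rs, t) for (t, lt, rt, es, rs) in events]


# Constructed operator sequence exercising each rule.
DEMO_EVENTS = [
    (0.0, True, False, False, False),   # left hand only
    (0.3, True, True, False, False),    # right hand within 0.5 s: run
    (1.0, True, True, False, False),    # still held: run
    (1.2, True, False, False, False),   # right released: output drops
    (1.4, True, True, False, False),    # right re-applied, left never released: no run
    (1.6, False, False, False, False),  # both released: re-armed
    (2.0, True, True, False, False),    # both together: run
    (2.5, True, True, True, False),     # e-stop hit: stop
    (3.0, True, True, False, False),    # e-stop pulled out, still latched: stop
    (3.5, True, True, False, True),     # reset clears latch but does NOT restart
    (4.0, False, False, False, False),  # both released
    (4.2, True, True, False, False),    # fresh start action: run
]

if __name__ == "__main__":
    for ev, running in zip(DEMO_EVENTS, run_scenario(DEMO_EVENTS)):
        print(f"t={ev[0]:.1f}s  run={running}")
```

The same re-arm rule is applied after an e-stop: once the latch is cleared, the operator still has to release both buttons and make a fresh start action, which is what keeps the reset button from doubling as a start button.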
Besides the operator-interfacing safety components already described, industrial safety systems also include emergency stop switches or e-stops. As explained earlier in this Design Guide, these should be used rarely to never. Machine builders should resist the temptation (heightened by their simple wiring and integration) to include e-stops as a regular-use machine off switch. Neither should e-stops be compared to safety machine-perimeter guard switches.

Defining specific e-stop installation requirements are:

• U.S. Occupational Safety and Health Administration (OSHA) regulations
• IEC 60204-1 standards
• National Fire Protection Association (NFPA) 79 standards

To satisfy all three, emergency stops should be readily accessible at all machine stations — and require no stooping or reaching to activate.

Despite common misconceptions to the contrary, e-stops actually deliver lower EN ISO 13849 performance levels (in fact, only to PLd) than safety switches designed for regular use. Compounding the problem is how dangerous-failure probabilities for e-stops are based on the assumption of infrequent use. So if a machine’s e-stop is used a lot, its likelihood of dangerous failure rises. That could ultimately mean an e-stop won’t work when needed most.

All emergency stop buttons must latch when depressed by an operator — and remain depressed (keeping power cut off from the controlled machine axes) until the operator resets it.

An emergency stop via cable pull on a conveyor system can be used to trigger a stop at any point along the entire conveyor.

IEC 60204-1 and NFPA 79 classify e-stops as Category 0, 1, or 2 e-stops (unrelated to ISO 13849 control Categories). A formal risk assessment and determination of required stop time dictate which a machine needs.
Category 0 e-stops (mandatory on all machines) cut power to the machine in an uncontrolled way. Category 1 (controlled) e-stops allow some electric power supply to continue to select machine sections involved in bringing the machine to a gentle stop. Category 2 e-stops continue powering all machine sections but stop their use for movement or end-effector processes.

THREE COMMON FORMS OF EMERGENCY STOPS

Emergency stops based on mushroom-head button actuation: Also called e-stop palm buttons, these are always bright red (often with a yellow flange or neck behind the red element) and wire in series with machine safety controls. Pressing or slapping these e-stop buttons immediately breaks the circuitry of the controlled axes’ power supplies. Once the hazard is cleared, e-stops are released and returned to their default (closed-circuit) position by twisting, pulling the button back out (if a design based on push-pull actuation), or releasing with a key.

Emergency stops based on foot-activated switches: These are uncovered or covered stomp pedals that bolt to the floor near the machine they control. They serve the same function as mushroom-head e-stop buttons and are supplied with features to satisfy EN ISO 13850 requirements.

Emergency stops based on slack-wire, cable-pull, or pull-wire actuation: These, like mushroom-head e-stop buttons, are manually activated switches that festoon alongside the un-guardable machines they control. Their main strength is how plant personnel can pull anywhere along the cable to trigger a machine stop.

No matter the design, no e-stop can detect or prevent threats to machine-operator safety. Therefore, they shouldn’t wire into first-defense safety-system circuitry — but should be separately wired into a machine.

Use Banner’s full line of safety equipment to protect and indicate.
Create warning and start-inhibiting zones with our Safety Laser Scanners; protect personnel from unsafe areas with our light curtains. Control and monitor entry points with our locking door switches. Use our illuminated e-stops and tower lights to indicate the status of your process and safety equipment. Image: Banner Engineering

MACHINE-TRIGGERED SENSORS, SWITCHES, AND PERIMETER COMPONENTS

We’ve already outlined the safety components with which human machine operators make direct contact. Now let’s review …

1. Several machine-activated sensors and switches supporting safety functions
2. The safety components known as interlocks, which mount onto machine perimeters and contact not plant personnel but other machine parts. Note we include interlocks on manually opened doors in this section as well.

Increased capabilities in recent years have rendered these safety (and fail-safe) components capable of tasks constituting edge computing, distributed control, IIoT connectivity, and reliability assurances exceeding that of their non-safety sensor and switch equivalents.

FIRST THINGS FIRST: SUMMARY OF SENSORS AND SWITCHES

Sensors in the context of industrial safety are feedback components that detect the presence or absence of workpiece objects or machine sections … and distill that signal into actionable data for the controller to command any number of machine responses.

Control access to certain parts of the process with the built-in muting function in Banner’s Safety Laser scanner. Image: Banner Engineering

Figure: parts of an interlock include a guard, an actuator, and the interlock assembly. Mechanical interlocks (cam profile, tongue or actuator key, linear cam, key transfer, hinge) use direct-contact force for operation. Noncontact interlocks use ultrasound and various forms of electromagnetic phenomena for operation: capacitive (actuated by any object), magnetic (any magnetic object), inductive (a ferrous object), optical (any object), ultrasound (any object), magnetic (an encoded magnet actuator), RFID (an encoded RFID transponder), and optical (an optically encoded transponder). Interlocks are classified by international safety standards. Switches in interlock applications allow various orientations.

These switches and sensors must be safety-rated variations to satisfy current standards preventing bypasses, failures, and defeats. Just consider how standard inductive proximity switches were once sufficient to satisfy ISO 14119 interlock requirements. Now, more stringent IEC 60947 requirements for switchgear electromagnetic compatibility largely prevent such use. Many newer designs include coded (uniquely mating) subcomponents to prevent tampering or defeating with tape or conductive objects so common in automated facilities. Or safety-rated mechanical switches might include positive-opening operation not found in comparable general-purpose switches.

Limit switches: Direct-contact limit-switch registering (via an actuator) of an axis’ end of stroke prompts a breaking or making of a related electrical connection. The latter in turn connects to safety controls to prompt immediate neutralization of potentially hazardous motion. Consider one specific example — limit switches with rounded plungers. In these switches, the plunger serves as the actuator that registers forces at a right angle to their rounded-end spring-loaded rod. When forced inward, contacts are typically cut.
Roller plunger limit switches are a related design that tips the spring-loaded rod with a small wheel to roll on machine sections or objects that bump into it. The contacts in such mechanical switches are slow-breaking or snap-action contacts. The former accept direct actuator force to slide in their track and then …

• Break-before-make contacts open a normally closed contact and then close a normally open contact — for interruption of one function before continuation of another, or …
• Make-before-break contacts close a normally open contact and then open a normally closed contact — for overlapping functions.

Otherwise, spring-loaded snap-action contacts respond to actuator travel-direction force by accumulating spring pressure. Then moveable contacts snap from a default to a trigger set of contacts to close a circuit. Upon actuator retraction, the spring snaps the moveable contacts back to their default position. Such operation is reliable and useful for making and breaking power as well as control-signal circuits.

Position switches: These include mechanical position switches with roller levers and rod levers that register a machine axis position as an angular displacement. Rod levers have a simple metal antenna that contacts the monitored axis structure or handled objects; roller levers have a wheel-tipped lever arm that contacts and rolls on the monitored axis structure surface or handled objects. Other safety-rated proximity sensors (distinct from such sensors for non-safety applications) use non-contact photoelectric or inductive operation. Contrary to one common misperception, inductive proximity sensors detect when any metallic object has entered their monitored area … so they don’t need any additional coded target or magnet to work. Many directly connect to PLCs via basic unshielded four-pole wiring. Adding certain low-cost electronics can impart muting and e-stop functions satisfying industry safety standards.

Switches in the context of industrial safety have a more specific function — that of turning power supplies off and on. These feedback components (often mechanical) detect the position of workpiece objects or machine sections and (if conditions satisfy some preset) immediately cause a disconnect or reconnect of some machine power supply. That’s in contrast with electromechanical relays that (often using a solenoid) make or break some mechanical contact between electrical leads. In common designs, a small voltage into the solenoid prompts a relatively large current through relay contacts.

Interlocks are perimeter-monitoring safety components that stand guard at all the movable sections around a potentially dangerous machine.

MACHINE BOUNDARIES GUARDED BY SAFETY INTERLOCKS

The boundaries around dangerous machine sections are the first line of defense against threats to worker safety. The challenge is that machine operators must often interact with dangerous machines. So such boundaries take the form of housings, fencing, gates, and doors consisting of immovable sheet-metal panels as well as chain-link fencing — and movable chain-link doors, sliding glass panels, swinging windows, light curtains, and so much more. The safety components that mount onto machine perimeters and contact other machine parts are interlocks. Interlocks cause an interdependence between what the safety controller allows and the positions of all the movable machine-perimeter sections. In fact, interlocks are defined by ISO 12100 (and adopted in ISO 14119) as mechanical, electrical, or other devices that prevent hazardous machine operations if the guard (the machine boundary section it monitors) is open.
Such interlocks are at their core a position switch or proximity switch (or a latching design called a guard lock on some more featured assemblies) that can command a machine controller to react to a machinery-perimeter guard position.

While position switches and proximity switches can be located anywhere on or in a machine, those that are part of some interlock assembly are always on the movable parts of a machine’s safety-perimeter hardware. International standards dictate their design and integration — including ISO 14119 as well as the Conformité Européenne (CE) Machinery Directive 2006/42/EC.

Industrial safety systems often use guard (perimeter) elements called interlocks. As already explained, these are typically electromechanical components that render machine functions mutually reliant. For example, an open interlock on a machine door might prevent startup of a machining axis or (if closed) will stop the running axis should someone open the door during operation. Such interdependency renders machines extremely unlikely to injure personnel or sustain self-inflicted damage. These interlocks are a switch subtype in that they’re activated via some preset operation sequence. What makes a design qualify as an interlock is that it won’t release its locked state without the correct reversal process. Still more capable interlocks are those touted as guard locks — essentially position switches with separate actuators that can be restrained to render the entire assembly locked until the machine comes to a safe stop. One caveat here is that in everyday engineering parlance, it’s common for such doubly capable guard locks to be called interlocks instead of the more proper and exact guard locks.

Basic single- or dual-action solenoids have a direction of motion controlled by coil current.
Single-action solenoids use a spring-loaded return for the de-energized state, while dual-action solenoids have active engage and release circuits.

Figure: dual-action solenoid and single-action solenoid. Mechanical switches, optical detectors, and current-sense circuits can detect whether the solenoid movement has occurred. These can verify position, sequence the next step in the machine operation, and confirm the integrity of the coil itself.

In a solenoid, current through a coil generates an electromagnetic field that draws a plunger into a stack. The latter is often designed to optimize magnetic flux for maximum output force.

Figure: one detection function uses an LED and a photo interrupter. Current through the solenoid coil (here encased in black epoxy) induces a flux (magnetic field). The ferrous (steel or iron) solenoid housing along with steel plates capping the coil ends can help carry and concentrate this flux.

Figure: double-pole interlock circuit with detector circuit (normally closed double-pole switch, normally open solenoid signal, logic gate), and the switch forms single pole single throw, single pole double throw, double pole single throw, and double pole double throw. A variety of double-pole switches can be used to implement redundancy for solenoid interlock safety. Two approaches shown here use redundant series-wired switches that must both show activation (left), and the use of both normally open and normally closed contact-state detection to verify activation.

Interlock variations abound … and purely mechanical cammed interlocks do exist. In one version, such an interlock might mechanically register an unsafe condition by pivoting about an axis to catch (and lock) a dangerous machine axis. Such interlocks are rarer than electromechanical and even purely electrical and electronic variations using electronic circuits or safety microprocessors.
After all, electronics impart low-cost interlock-system flexibility, reliability, and reconfigurability. Consider one such electromechanical example — that of a hinged safety interlock. These attach to (or integrate into) the hinge of a machine’s access flap, door, or other guard. Then a mechanical lever arm or pin through the interlock registers when the hinged guard opens and (upon a set threshold switching angle) triggers some output to stop the hazardous operation inside the machine. In these designs, it’s usually a kinematic elbow or hinge linkage of the interlock that accepts externally applied force and prompts some solenoid action for contact.

DEEPER DIVE ON SOLENOID BASICS AND SOLENOID INTERLOCKS

Machine builders often leverage the reliability of solenoid-based interlocks in safety systems. Recall from basic circuits that solenoids are engineered electromagnetic plunger-and-copper-coil assemblies available in various configurations to trigger mechanical, electrical, and hydraulic actions. They do this by converting electrical input into linear (or less commonly rotary) mechanical output. The simplest configuration includes a conducting (ferrous) plunger functioning as an armature that (upon electrification) moves from its rest position within a multi-turn assembly coil. Then (in many cases) a spring retracts the plunger back to its rest position when current is switched off. In double-coil arrangements, the plunger moves through two open-center coils — typically to serve as a dual-action (active-pull and active-release) device. Solenoids in interlocks serve as the input source for guard-lock bolt or locking mechanisms.

Use the muting function in Banner’s Safety Laser scanners to protect personnel while allowing the process to flow.
Our easy-to-use software has a simple teach function in order to accommodate several different muting profiles. Image: Banner Engineering

Such solenoid interlocks can also protect machinery from the effects of mechanical malfunction. For example, some industrial conveyors use arrays of solenoid interlocks to ensure consistent belt conveyance … even if inline machines or conveyor-tending robots interact with items on the belt. Some solenoid arrangements in interlocks also protect against faulty signaling with redundancies. Double-pole position-verification switches wire poles in series to redundantly verify open or closed positions as well as solenoid activation … or two-pole switches with both normally open and normally closed circuits can monitor solenoid actuation.

Select contributions by Jon Gabay

ISO 14119 categorization of interlocking devices — and preventing defeat

ISO 14119 classifies interlocks by how they’re actuated and whether they’re encoded.

Type 1 interlocks: According to ISO 14119, these (unfortunately) easily defeatable interlocks include position switches using mechanical linear cam, rotary cam, or hinge actuation. Actuating physical contact is between uncoded (non-unique) subcomponents. Their benefits are that they lend themselves to end-user configurability and are cost effective.

Type 2 interlocks: These include position switches that are mechanically actuated by coded (specially machined) tongues or trapped keys, so are somewhat difficult to circumvent or defeat. In fact, the Type 2 moniker for such designs was adopted by ISO 14119 from its first use in DIN EN 1088. Trapped-key interlocks require all guards to be locked before the perimetered machine is allowed to turn on. Keys in each safety-guard lock can only be removed when that guard is latched. In some arrangements, those same keys do double duty to fit into a machine control-console keyhole to turn on the machine.
This keyhole holds the key captive unless the machine is turned off. A machine operator can then use them to open the guards again.

Type 3 interlocks: These use noncontact proximity or position switches with uncoded actuators. Switch actuators based on ultrasonic, capacitive, or optic action are defeatable by bringing various everyday items into range. Actuators based on induction or magnetism are more robust — defeatable by ferrous objects or actual magnets, respectively.

Type 4 interlocks: These use noncontact position switches and require matched actuators such as coded magnetic and optical tags or (inherently coded) RFID tags to work. These are essentially undefeatable because there’s a nearly infinite range of actuator-coding variations that are possible.

Besides the level of defeatability, interlocks should also be specified to satisfy …

• Required system-stopping ability — quantified as the time a machine needs to reach a safe state after receiving a stop command
• Accommodation of access time — how fast it’s feasibly possible for a machine operator to reach into or enter the hazardous area after the safety system issues a stop-axis command.

Stopping ability must be far faster than actions feasible within the calculated access time. As mentioned, machine sections and operations necessitating frequent tending by human plant personnel demand guard interlocks that aren’t bothersome. Automatic interlock functions can help here, though on heavily used doors and other guard sections they must be accompanied by conditional unlocking functions to address the increased probability of an undetected fault.

Image: Banner Engineering

EASY-TO-IMPLEMENT DIAGNOSTIC CAPABILITIES FOR SAFETY SYSTEMS

In-Series Diagnostics (ISD) makes it easy to access diagnostic data from devices in a safety system without special equipment or designated cabling.
Users can troubleshoot machine safety systems, prevent system faults, and reduce equipment downtime. This innovative, next-generation technology is exclusive to safety devices from Banner Engineering.

PREVENT AND REDUCE UNPLANNED DOWNTIME

In-Series Diagnostics gives machine owners and operators greater insight into the health and performance of their equipment, making them less reliant on outside experts to solve system problems.

SIMPLE, COST-EFFECTIVE, AND EASY TO IMPLEMENT

The technology that makes In-Series Diagnostics possible is embedded in the safety devices and communicated using the same cables, connectors, adaptors, and inputs that connect the devices to the safety controller. This eliminates the time, hassle, and expense of running designated cabling between each device and the control panel in order to access diagnostic data. Users can add, move, or remove safety devices as needed and then easily error-proof the entire safety system prior to deployment.

For movable-guard interlocks, ISO 12100 details how closing the door or movable panel can enable machine operation — and even cause an automatic start of operations. That’s in stark contrast with how using e-stop buttons necessitates pressing some other additional machine-restart button. But this makes sense — because after all, use of interlocks is supposed to be routine … so cannot hinder productivity by slowing everyday interactions operators have with their machines.

WIRING AND INTEGRATING INTERLOCKS

Typical safety logic for interlocks is built around a normally closed or NC arrangement that only lets machine axes run if the monitored interlock circuit is closed. For example, a machine’s fencing doors might be studded with various NC position switches.
If any perimeter section opens, it renders the affected position switch and in fact the whole safety circuit open — and machine startup blocked. Industrial safety standards often demand that the components in a safety circuit wire in series for foolproof event and error detection. The catch here is a limit to the sensor count allowed in series. Exceeding that count (and failing to leverage newer connectivity options) can risk fault masking and degrade machine PLr.

In addition, safety interlocks based on one mechanical (spring-actuated) NC position or limit switch should be set up so it actuates during a positive break or open — so upon opening, the door edge or other guard section works against the spring force and forces open the interlock’s electrical contacts. Interlocks using two mechanically actuated switches for redundancy should (for trouble-free operation) rely on one switch to actuate upon positive open (as just described) and the other designed for a negative opening — with its electrical contacts separated when the door closes. The latter require additional design features for top reliability. One such feature in some safety circuits is the self-reporting of electrical shorts — such as those occurring when lead wires to safety devices are cut by overheating, damage from shearing, acid corrosion, or tearing. Here, a short-circuit detector can work by relying on two safety-circuit input channels using NC contacts having a potential difference between them.

INTERLOCKS THAT CAN ALSO LOCK GUARD SECTIONS

So far in this Design Guide section, we’ve detailed how interlocks can prevent the motion of axes or execution of other dangerous tasks when a machine safety-perimeter section is open. Some interlocks go one step further with an additional capability — these can deadbolt or otherwise lock movable guards. Especially useful on very dangerous machines with high-inertia axes or otherwise slow-to-stop sections, these are properly called guard-locking interlocks. But because guard-locking interlocks are indeed door- and panel-locking devices, it begs the question: Might there ever be a situation where a machine operator becomes trapped inside the machine’s safety perimeter … and needs an emergency release?

If such emergency-release functions are warranted, their controls can be located within and outside the guarded area. Emergency releases allow manual tool-free guard-lock release from outside the perimetered zone — as for immediately life-threatening emergencies such as fires. Auxiliary releases allow manual tool-assisted guard-lock release from outside the perimetered zone — as for overriding a faulty lock that won’t unlatch. Escape releases (usually in the form of large lever door handles) allow tool-free manual guard-lock release from within the perimetered zone.

In many cases, the guard lock is integrated right into its associated interlock. If they’re separate, a reliable (typically series) connection between them is key … along with complementary controller-based interlock monitoring. We’ve already covered how traditional safety interlocks capable of guard locking can be released or actuated via various combinations of force from electrical power and mechanical spring power. Besides solenoid-actuated deadbolt or trapped-key designs, there is an ever-widening array of electromagnetic guard locks. As specified in ISO 14119, securement is via flux coupling of a passive magnet and the electromagnet actuator. Such locks mustn’t be integrated to trigger machine start upon release unless safety controls continually monitor their state. Top benefits of electromagnetic guard locks include cleanability, ruggedness, tolerance of slight misalignments, and wear-free operation. The caveat here is that electrically actuated spring-release guard locks will in fact unlock during a power outage.

Another consideration of industrial-safety interlocks is the potential for doors and other movable guard sections (if slammed closed — as by a busy machine operator) to bounce off their frames and swing back open. Such rebounding can be minimized by shock dampers that minimize the impact forces for softer fully latching closes.
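The ISO 13855 safe-distance rule mentioned with two-hand controls, and the stopping-ability versus access-time requirement listed above for interlocks, as an added worked calculation that is not from the Design Guide. The formula S = K × T + C and the constants used for light curtains, two-hand controls and pressure mats are taken from ISO 13855 as I know it; the page does not state them, so treat them as an assumption to check against the edition of the standard you design to. Function names and the sample response and stop times are constructed.

```python
"""ISO 13855 minimum distance S = K * T + C from a safety device to the
hazard, as an added worked calculation (not from the Design Guide).
Constants are those ISO 13855 gives for each device type as I know them;
assumption: verify against the edition of the standard you design to.
  K  approach speed of hand or body, mm/s
  T  overall stopping performance, s = device response + machine stop time
  C  intrusion distance, mm: how far a hand gets past the device before detection
All distances in millimetres, all times in seconds."""


def overall_stop_time(device_response_s, machine_stop_s):
    """T: the guide's 'required stop time' plus the protective device's own response."""
    return device_response_s + machine_stop_s


def light_curtain_distance(resolution_d_mm, device_response_s, machine_stop_s):
    """Vertical light curtain (AOPD) with detection capability d <= 40 mm:
    S = 2000*T + 8*(d - 14), not less than 100 mm. If that exceeds 500 mm the
    slower hand-approach speed applies: S = 1600*T + 8*(d - 14), not less than 500 mm."""
    if resolution_d_mm > 40:
        raise ValueError("formula applies to detection capability <= 40 mm")
    t = overall_stop_time(device_response_s, machine_stop_s)
    c = max(0.0, 8.0 * (resolution_d_mm - 14))
    s = max(2000.0 * t + c, 100.0)
    if s > 500.0:
        s = max(1600.0 * t + c, 500.0)
    return s


def two_hand_control_distance(device_response_s, machine_stop_s):
    """Two-hand control: K = 1600 mm/s, C = 250 mm, not less than 100 mm."""
    t = overall_stop_time(device_response_s, machine_stop_s)
    return max(1600.0 * t + 250.0, 100.0)


def pressure_mat_distance(device_response_s, machine_stop_s):
    """Pressure-sensitive mat (walking approach): K = 1600 mm/s, C = 1200 mm."""
    t = overall_stop_time(device_response_s, machine_stop_s)
    return 1600.0 * t + 1200.0


def stop_beats_access(distance_mm, approach_speed_mm_s, device_response_s, machine_stop_s):
    """The guide's rule for interlocks: the hazard must be safe before a person
    covering distance_mm at approach_speed_mm_s can reach it. Returns True when
    the overall stopping performance fits inside the access time."""
    access_time_s = distance_mm / approach_speed_mm_s
    return overall_stop_time(device_response_s, machine_stop_s) <= access_time_s


if __name__ == "__main__":
    # Constructed sample values: 30 ms curtain response, 170 ms machine stop, 14 mm resolution.
    print("light curtain S =", light_curtain_distance(14, 0.03, 0.17), "mm")
    print("two-hand S     =", two_hand_control_distance(0.03, 0.17), "mm")
    print("mat S          =", pressure_mat_distance(0.03, 0.17), "mm")
```

The two-step light-curtain rule is the one to remember: a long stop time pushes S past 500 mm, and the recalculation with the slower 1600 mm/s speed never brings it back below 500 mm, so reducing machine stop time is the only way to mount the curtain closer.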
So far in this Design Guide section, we've detailed how interlocks can prevent the motion of axes or execution of other dangerous tasks when a machine safety-perimeter section is open. Some interlocks go one step further with an additional capability, described in the sidebar above: locking the guard section itself.

SAFETY RELAYS, SIGNAL PROCESSING, AND CONTROLS

To satisfy the industrial safety standards listed earlier in this Design Guide and set reliably safe (yet maximally productive) operations, advanced safety functions today leverage the newest sensors, actuators, and application-specific safety components — as well as logic, I/O, relays, PLCs, and other control components. The architectures to connect these safety controls abound. Where general-automation systems assume safety functions, the involved components and software are the safety-related part of a control system — abbreviated SRP/CS — and detailed by ISO 13849 referencing ISO 14119. Such SRP/CSs are categorized by their fault resistance and response … and they can involve the help of system PLCs or distributed control systems (DCSs, common in process industries) if the solution satisfies SIL ratings and independence requirements for such use. Otherwise, dedicated systems dominate … and in fact, most automated facilities today include blended safety architectures representing right-sized solutions to meet safety requirements.

Hardwired safety systems and dedicated safety-relay systems: These are relay-based systems traditionally incorporating one relay serving each safety-related field device as well as application-specific controls. These hardwired safety systems are suitable for moderate- to high-risk applications. Recall that safety relays are essentially switches controlled by some other input.
In other words, these electronic devices accept current or voltage signals (including those from safety switches, for example) via their input circuit … and then, via their output circuit, translate that input to prompt a switch to open or close some other downstream circuit or pilot device.

Use Banner's advanced safety controllers and light curtains to protect personnel while still allowing the depalletizing process to flow. The advanced muting functions are easy to implement, giving you the widest range of capabilities. Image: Banner Engineering

Dedicated safety-relay installations execute monitoring, timing, muting, basic diagnostics, and status-reporting functions. (Here, data communications are via LEDs or auxiliary PLC connections.) Dedicated safety-relay installations are also capable of more advanced functions — including the execution of controlled sequential-shutdown routines, time-delayed functions and timed outputs, or accommodation of two-hand control consoles to ensure operator safety. Note that sometimes the simplest of these safety installations are called component safety systems because they consist of one to a few safety components, each connecting to some modest relay install — as in a setup with one emergency-stop button and a safety relay, for example. Where sufficient, such arrangements are quite cost-effective. To be clear, though, dedicated safety-relay installations are (besides safety PLCs) one of the two choices capable of the mid-range and more advanced safety-control functions listed above.

Modular safety-relay systems: Permutations of these abound, but the main feature of such hardware is how it allows architectures with the flexibility of PLC-based systems and the reliability of traditional relay systems.
Most feature simple setup (typically connecting each field module to a base relay module) and digital I/O as well as fieldbus connectivity. Where minimizing downtime is a top design objective, the powerful microprocessor-based diagnostics, HMI connectivity, and remote monitoring of modular-relay hardware are also useful.

In such modular systems, relay safety controllers (whether having positive-guided electromechanical or solid-state microprocessor technology) boost emergency-stop as well as machine-guarding reliability. They install between safety field devices (such as switches and light curtains) and relevant machine-power components such as control relays or motor contactors. Some use dual-channel logic circuits for redundant cross monitoring … and continuously scan for faults in system wiring and connected safety components. In this way, such relay safety controllers can detect open and short circuits, relay failures, electromagnetic interference (EMI), undervoltage conditions, and welded contacts in system interlocks, motors, controls, or e-stop switches. Automation demanding the most sophisticated diagnostics may benefit from relay-system components that allow I/O signals with device health and status data to be shared via industrial networks or fieldbuses. This data can then display on networked HMIs.

Safety-monitoring modules are another component type in modular relay systems. These are DIN-rail or control-cabinet components that monitor safety sensors and the positive-open (positive-break) position switches described earlier in this Design Guide — as well as interlocks and e-stops, and light curtains. Where safety primarily relies on a motor, shaft, or other axis element coming to a stop, standstill monitor modules and time relays can perform pulse evaluation to confirm underspeed or fully braked safe conditions. Elsewhere, output expansion modules (sometimes called extensions) increase how many signals a safety controller can handle.
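The pulse evaluation that standstill monitor modules perform is worth seeing in code, because the obvious implementation (look at the most recent pulse interval) gets the most important case wrong: an axis that has actually stopped produces no further pulses at all. The following Python model is an added example, not code from this Design Guide or from any standstill-monitor product; the pulse trains, the 10 Hz underspeed limit and the 0.5 s hold time are constructed assumptions, and the two-channel variant that compares two sensors is a simplification of what real modules do.

```python
"""Standstill / underspeed evaluation from encoder pulse timestamps (simulation).

Constructed example: pulse trains are lists of seconds at which an encoder
edge was seen. The monitor declares the axis SAFE only after its pulse
frequency has stayed at or below the underspeed limit for a hold time.
"""
from dataclasses import dataclass


@dataclass
class StandstillMonitor:
    underspeed_hz: float  # pulse frequency at or below which the axis counts as slow
    hold_time_s: float    # slow state must persist this long before SAFE
    t0: float = 0.0       # time monitoring started (used when no pulse has arrived)

    def evaluate(self, pulse_times, now):
        """Return "RUNNING", "UNDERSPEED" or "SAFE" for one pulse train at time `now`."""
        pulses = [t for t in pulse_times if t <= now]
        period = 1.0 / self.underspeed_hz
        slow_since = None
        for prev, cur in zip(pulses, pulses[1:]):
            if cur - prev >= period:      # long interval => frequency at/below the limit
                if slow_since is None:
                    slow_since = prev     # slow since the end of the last fast interval
            else:
                slow_since = None         # a fast interval restarts the hold-time clock
        # A stopped axis emits no further pulses, so the trailing silence must be
        # evaluated too: silence longer than one period is itself "slow".
        last = pulses[-1] if pulses else self.t0
        if now - last >= period and slow_since is None:
            slow_since = last
        if slow_since is None:
            return "RUNNING"
        return "SAFE" if now - slow_since >= self.hold_time_s else "UNDERSPEED"

    def evaluate_dual(self, train_a, train_b, now):
        """Two-sensor variant: the channels must agree, otherwise a FAULT is reported.
        A broken sensor wire looks exactly like standstill on a single channel."""
        a, b = self.evaluate(train_a, now), self.evaluate(train_b, now)
        return a if a == b else "FAULT"


# Constructed pulse train: 50 Hz (20 ms spacing) for 80 ms, then the axis decelerates.
DECEL = [0.00, 0.02, 0.04, 0.06, 0.08, 0.20, 0.35, 0.55, 0.80]
# Constructed pulse train: 50 Hz the whole time (axis keeps running).
FAST = [round(i * 0.02, 2) for i in range(16)]  # 0.00 .. 0.30 s

MONITOR = StandstillMonitor(underspeed_hz=10.0, hold_time_s=0.5)


def decelerating_axis_states():
    """State of the decelerating axis at three points in time."""
    return [MONITOR.evaluate(DECEL, now) for now in (0.09, 0.50, 1.00)]


def wire_break_on_channel_b():
    """Channel A still sees 50 Hz, channel B sees nothing: must not be reported SAFE."""
    return MONITOR.evaluate_dual(FAST, [], 0.30)


if __name__ == "__main__":
    print(decelerating_axis_states())      # ['RUNNING', 'UNDERSPEED', 'SAFE']
    print(wire_break_on_channel_b())       # FAULT
    print(MONITOR.evaluate_dual(DECEL, DECEL, 1.0))  # SAFE
```

Note the order of the two checks: at `now = 0.50` the last pulse was at 0.35 s, so the trailing silence alone would already count as slow, but the hold time is measured from 0.08 s (the end of the last fast interval), and the zone is still only UNDERSPEED. Only after the slow condition has persisted for the full hold time does the function report SAFE, which is the signal a guard-locking interlock would wait for before releasing the lock.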
In contrast, input expansion modules (sometimes called expanders) complement relay safety controllers that monitor one discrete safety component with two channels. These components aren't needed where series wiring of safety switches to a common safety controller is sufficient. But such daisy-chaining requires lots of wiring and doesn't support the communication of each field device's diagnostics. Adding input expanders lets a given safety controller accept connection of many field devices while supporting their diagnostics functions.

Safety instrumented systems (SISs): Most common in process industries (not discrete industries), SISs are safety installations that go beyond hazard alarms to include critical shutdown routines — with interlocks, sensors, and safety controls that can command machine motors, valves, and other actuators (and in fact, whole systems) to safer nonactive states. While beyond the scope of this Design Guide, it's worth noting that SISs are slightly different from the hardwired relay-based designs just described as well as the PLC-based systems covered next … in part because stopping or altering process operations is a specialized proposition.

PLC and safety PLC-based systems: All PLCs control machine functions such as timing, monitoring, and sequencing of actions — including turning motors and commanding pump valves on and off. In contrast, safety PLCs are dedicated controllers specifically built and certified to prevent machines from hurting personnel according to the functional safety standards IEC 62061, ISO 13849-1, and IEC 61508 that define SILs and the risk reductions imparted by specific safety functions. Safety PLCs satisfying IEC 61131 are often employed to track only safety-related events and occasionally test functions. In some contexts, safety-rated PLCs are differentiated from component PLCs — another name for the general-purpose version of these controllers just described.
Safety-rated PLCs are generally costlier than general-purpose PLCs — and their programming and hard wiring (to ensure reliable safety logic) are more specialized and involved. At the hardware level, safety PLCs also include redundancy and self-checking mechanisms that ordinary PLCs don't have. Safety PLCs continually monitor their inputs for failures and malfunctions ... and leverage extra safety circuitry between their outputs and every device to which they connect. Much of this circuitry limits damage to these devices if there's a fault or malfunction.

Typically, engineers define a machine's safety requirements (and its necessary PLC functions) by …
• Identifying the countries in which the machine will be used — and thus the locally applicable safety regulations
• Cataloging the industry-specific standards that will apply to the machine — whether food and beverage, machine tool, or oil and gas, just to give a few examples.

Including safety PLCs in a design's safety architecture renders the whole design more reconfigurable — necessitating only a quick connection to a safety programmer's laptop to upload new programming. In fact, safety PLCs are often the only option for safety-system controls. Note that the modular safety-relay systems described above are (like systems built around safety PLCs) designed for easy setup. But safety PLC installations also tend to offer more network and I/O-based expansion options as well as (as their name indicates) maximum re-programmability should a machine's safety functions change over time. Software-based logic allows use of new and evolving routines, including single-axis or other partial machine shutdowns. The latter (called zone control) uses and/or logic to let the machine halt one function while continuing others.
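The and/or logic behind zone control is easy to state and easy to get subtly wrong, so here is a small, added Python model of it; it is not code from this Design Guide, from Banner Engineering, or from any safety PLC vendor, and on a real safety PLC the same logic would be written with the vendor's certified function blocks. Within one zone the safety inputs are AND-ed (every guard must be closed), global inputs such as e-stops are OR-ed into every zone's stop condition, a device can belong to more than one zone, and a tripped zone stays stopped until a deliberate reset that succeeds only while the zone is safe (the restart interlock). The zone names, device names and scan sequence are constructed assumptions.

```python
"""Zone control with AND/OR logic and a per-zone restart interlock (simulation).

Constructed example: three zones of one machine, each guarded by its own
devices (AND logic within a zone); global devices such as e-stops are OR-ed
into every zone's stop condition. Inputs are True when the contact is closed.
"""


class ZoneController:
    def __init__(self, zones, global_inputs):
        self.zones = zones                  # zone name -> names of its own safety inputs
        self.global_inputs = global_inputs  # inputs that stop every zone (e.g. e-stops)
        self.inputs = {}
        self.enabled = {z: False for z in zones}  # everything stopped until reset

    def zone_safe(self, zone):
        """AND of the zone's own inputs AND of the global inputs (missing input = unsafe)."""
        own = all(self.inputs.get(n, False) for n in self.zones[zone])
        glob = all(self.inputs.get(g, False) for g in self.global_inputs)
        return own and glob

    def update(self, inputs):
        """New input scan: any unsafe zone trips and latches; nothing restarts by itself."""
        self.inputs = dict(inputs)
        for z in self.zones:
            if not self.zone_safe(z):
                self.enabled[z] = False
        return dict(self.enabled)

    def reset(self, zone):
        """Manual restart for one zone; only succeeds if that zone is currently safe."""
        if self.zone_safe(zone):
            self.enabled[zone] = True
        return self.enabled[zone]


def build_controller():
    zones = {
        "infeed": ["infeed_door", "infeed_curtain"],
        "press": ["press_door"],
        "outfeed": ["outfeed_door", "infeed_curtain"],  # shared device: in two zones
    }
    return ZoneController(zones, global_inputs=["estop_1"])


def all_closed():
    """Constructed scan in which every guard is closed and the e-stop is released."""
    return {"infeed_door": True, "infeed_curtain": True, "press_door": True,
            "outfeed_door": True, "estop_1": True}


def scenario():
    """Run a sequence of scans and return the enabled-map after each step."""
    c = build_controller()
    c.update(all_closed())
    for z in c.zones:
        c.reset(z)
    steps = {"running": dict(c.enabled)}
    # Infeed door opened: only the infeed zone stops, press and outfeed continue.
    steps["infeed_open"] = c.update({**all_closed(), "infeed_door": False})
    # Door closed again: the trip stays latched until someone presses reset.
    steps["infeed_closed"] = c.update(all_closed())
    c.reset("infeed")
    steps["infeed_reset"] = dict(c.enabled)
    # Shared light curtain broken: both zones that depend on it stop.
    steps["curtain_broken"] = c.update({**all_closed(), "infeed_curtain": False})
    # Reset attempt while the curtain is still broken must fail.
    steps["reset_refused"] = c.reset("infeed")
    # E-stop: every zone stops regardless of the state of its own guards.
    c.update(all_closed())
    c.reset("infeed")
    c.reset("outfeed")
    steps["estop"] = c.update({**all_closed(), "estop_1": False})
    return steps


if __name__ == "__main__":
    for step, state in scenario().items():
        print(f"{step:15s} {state}")
```

Two details carry the safety behaviour: `update()` only ever clears enables (the OR side of the logic), so a guard that closes again never restarts a zone by itself, and `reset()` re-evaluates the AND condition at the moment of the reset rather than trusting the last scan. Both are the kind of requirement the standards cited above impose on a restart interlock, and both are easy to lose when the logic is first sketched as a single boolean expression.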
Program modifications are possible even during machine operation … and are far faster than altering hardwired relay systems. A safety system's number and location of field devices dictate its required safety-architecture I/O count. If that could change over time, relay components allowing incremental system expansions are particularly useful. Safety PLCs are capable of all the mid-range safety-control functions possible with dedicated safety relays (including sequenced routines and timed functions, for example) as well as more sophisticated routines such as sequential (controlled) machine-shutdown routines. Advanced controls can allow zone control for more nuanced protection of plant personnel in different manufacturing sections of a facility. Some safety PLC suppliers offer application-specific instructions and prewritten function blocks to streamline code entry for reliable validation and operating machine safety.

Banner's line of washdown-rated safety equipment can be trusted to protect personnel from restricted areas in your production area. Image: Banner Engineering

Out of the various safety-control options available to OEMs, safety PLCs offer the most connectivity, including industrial-network and peer-to-peer data communications. Many allow hundreds of digital I/Os — and are unique in how they can also accept analog I/O. Machine installations using higher I/O counts (or needing to conserve panel space) benefit from distributed architectures based on networked safety PLCs. Of course, Ethernet-based connectivity has spurred new forms of networked safety less reliant on redundant wiring for failsafe functionality.

Banner's In-Series Diagnostics (ISD) ensures reliable fault detection, monitors safety networks, and reduces downtime for improved operational reliability.