
29/7/2020 Safety Functions of Safety Components | Technical Guide | India | Omron IA

Safety Components


1. Risk and Safety Category Assessments

2. Interlocking Devices
3. Basic Safety Functions in the Event of a Fault

4. Presence Detection
5. Two-hand Controller

6. Enabling Switches

7. Functional Safety Technology

Safety Functions

1. Risk and Safety Category Assessments

(1) Ensure Safety

The responsible machine or process designer no longer considers the production requirements and adds safety systems later,
but addresses the two issues as a whole. Legislation demands that the machine or process design meets the necessary safety
standards and regulations - it is a legal requirement.
Different types of machines will have different levels of associated risk. These risk levels need to be addressed for the whole
machine life span. In particular the requirements at commissioning, application/usage and decommissioning of the machine
must be considered.
Risk assessment according to ISO14121 is a series of logical steps that enables designers and safety engineers to examine in
a systematic way the hazards arising from the use of machinery so that appropriate safety measures can be selected.

(2) Risk Assessment


ISO14121 - Safety of Machinery - Principles for Risk Assessment
The main objective is to describe a systematic procedure for
risk assessment so that adequate and constant safety measures can be adopted. These are appropriate during the design,
construction, modification, use and decommissioning of the machine.
The safety of machines can be determined in 5 steps.
Documentation of the risk assessment process must be kept.

● Step 1 Determination of the limits of machinery

Defining machine limits requires the following points to be considered when assessing risk.
Determining requirements for all phases of the machine's life

Defining the intended use and operation and the foreseeable misuse and malfunction
Defining the machine's range of use as limited by factors such as the operator's gender, age, dominant hand, and physical abilities (e.g., impaired eyesight or hearing, size, and strength)
Expected user training, experience, and competence
Possibility that people may be exposed to machine hazards
Possibility that people may be exposed to machine hazards if a foreseeable machine hazard occurs

● Step 2 Hazard Identification

Hazard identification means checking for all the hazardous conditions and hazardous events associated with the machine. This
involves predicting hazards that may be caused by the machine, such as the following:
Mechanical hazards: Severing, entanglement, crushing, etc.
Electrical hazards: Contact with live parts, static electricity, etc.
Thermal hazards: Health disorders due to contact with high-temperature parts or working in a high-temperature or low-temperature environment
Methods for clarifying hazards include the following:
Check lists
Hazard and Operability Study (HAZOP)
Failure Mode and Effect Analysis (FMEA)
Fault Tree Analysis (FTA)
"What-if" method

● Step 3 Risk Estimation

After checking for hazardous conditions and hazardous events, the risk factors are determined and the risks are estimated from
the degree of possible harm and the probability of the hazard occurring.

● Step 4 Risk Evaluation

After estimating the risk, the risks are evaluated to determine whether the level of risk must be reduced. If the level of risk must
be reduced, safety measures, such as changing the design or providing safeguards, are taken.

● Step 5 Risk Reduction

The following actions are taken.


Eliminate or reduce exposure to hazard as far as practical.
Reduce the probability and severity.
Use safeguards and safety devices.
Determine that the performance and functional characteristics of the safety measures are suitable for the machine and its
use.

● Risk Reduction under ISO12100

ISO 12100 (-1/-2) has been formed into JIS standard JISB9700 (-1/-2).
The main purpose of this standard is to set out a framework and directions for general machine safety, so that designers can
design safe machines.
The introduction of ISO12100-1:2003 states that "The concept of safety of machinery considers the ability of a machine to
perform its intended function(s) during its lifecycle where risk has been adequately reduced". The 3-step method, which is an
expression of this risk reduction methodology, has been further implemented into the "Risk Reduction Process" illustrated on
the following page, but it does not yet seem to have been fully recognized in actual applications. ISO12100-2 sets out examples
of various measures, a sample of which are shown below.

What is Inherently Safe Design? (ISO12100-1: 2003, para. 4)

Remove dangers and reduce exposure frequency (4.1 General)


Maintain visibility, and avoid dangerous projections and parts (4.2.1 Geometric Elements)
Employ alternative materials with few dangers that reduce noise and radiation levels (4.2.2 Physical Elements)
Select appropriate materials (Material quality, stresses, corrosiveness etc.) (4.3 General Technical Information on Machine
Design)
Employ inherently safe design measures in the below control system (4.11)
Perform automatic surveillance of safety functions implemented under safeguarding measures (4.11.6)
Employ diagnostic system to support fault detection (4.11.12)
Employ redundant systems for components and sub systems (4.12.3)
Automatically limit exposure to sources of danger (4.14)

What is Safeguarding? (ISO12100-2: 2003 para. 5)

Employ Sensitive Protective Equipment (Light Curtain, Scanner etc.) (5.2.5)


Employ fixed guards (5.3.2.2)
Employ movable guards (guards with interlocks) (5.3.2.3)

What are Complementary Protective Measures? (ISO12100-2: 2003 para. 5)


Emergency stop function designed to be clearly identified and quickly applied (5.5.2)
Employ an isolation device that can be locked (5.5.4)

What is Information for use? (ISO12100-2: 2003 para. 6)

Supplementary documentation or labels should notify of remaining risks, and necessary training, protective equipment, and
additional protective devices (6.1.1)
Emit an audiovisual warning (6.3)
Display manufacturer, model, and specifications of the machine (6.4)
Supplementary documentation to include storage conditions, mass, dimensions, and installation and disposal methods
(6.5.1)

Risk Reduction Processes from the Designer's Perspective

(3) Safety Category Assessment

● Safety Categories Based on ISO 13849-1

The size of the machine risk is evaluated according to ISO 14121 and measures are taken to reduce the risk. Measures to
reduce risk, however, include design measures and mounting safety devices. First, the measures are taken in the design and
the category that should be selected is determined by considering two factors: the degree of potential injury (from slight to
serious) according to the Category Assessment Table at the right, and the probability of that injury occurring (from almost never
to always). The safety category for safety-related parts of control systems is sometimes assessed by assigning one category for
the entire control circuit of one machine, and in other cases the category is assessed for each part.

Selecting Parameter S: Severity of Injury


S1: Slight injury (e.g., bruising)
S2: Serious injury (e.g., limb amputation or death)
The risk caused by failures in safety-related parts of the control system is assessed taking into account the worst degree of
injury. S1 is selected if the injury is slight and S2 is selected if it is serious.

Selecting Parameter F: Frequency and/or Exposure Time to the Hazard


F1: Occurs rarely or for a short time.
F2: Occurs frequently or for a long time.

For example, if a worker must periodically insert his hands between parts of a machine while it is operating to mount and
remove machine tool parts, F2 is selected. If the machine is rarely approached, F1 is selected.

Selecting Parameter P: Possibility of Avoiding the Hazard


P1: Avoidable
P2: Unavoidable

Aspects that influence the selection of parameter P include the following:


operation with or without supervision;
operation by experts or non-professionals;
speed with which the hazard arises, e.g., quickly or slowly,
possibilities for hazard avoidance,
practical safety experiences relating to the process.
When a hazardous situation occurs, P1 should only be selected if there is a realistic chance of avoiding an accident or of
significantly reducing its effect. P2 should be selected if there is almost no chance of avoiding the hazard.

ISO13849-1 : 1999 (EN954-1)

(4) Categories

ISO 13849-1 Safety of Machinery — Safety-related Parts of Control Systems

Describes risk reduction, which is necessary when designing and constructing safety-related parts of control systems and
devices. The categories represent a classification of the control system with respect to their ability to withstand faults and their
behavior in the event of a fault.
The table lists, for each category, an overview of requirements and the basis for assuring safety.

Categories B and 1 (basis for assuring safety: depends mainly on the selection of components)

Category B
The safety-related parts of control systems shall, as a minimum, be designed, constructed, selected,
assembled, and combined, in accordance with the relevant standards, using basic safety principles for the
specific application so that they can withstand:
☆ The following are examples of resisting operating environment stress.
・ Expected operation stress, such as the reliability of the breaking capacity and the frequency of breaking
・ Selecting materials that are resistant to the operating environment
・ External factors, such as mechanical vibration, external magnetic fields, power interruptions, and
disturbances
・ Compliance of components with relevant standards
Therefore, special safety standards do not apply to category B parts, and safety functions may decrease
when a failure occurs.

Category 1
The requirements of category B and of this subclause shall apply. Safety-related parts of control systems to
category 1 shall be designed and constructed using well-tried components and well-tried safety principles.
☆ The following are examples of well-tried parts.
・ Parts that have previously been used for a broad variety of applications
・ Parts that are suitable for safety-related applications and that have had their reliability validated
☆ The following are examples of well-tried safety principles.
・ Protection using fuses when a short circuit occurs
・ Decreasing the probability of failure occurrence by providing a margin in part dimensions and by lowering
the ratings
・ Defining the failure mode, such as by opening the circuit and turning OFF the power supply when a failure
occurs
・ Early detection of failures
・ Post-failure measures, such as grounding the device
Therefore, the probability of failure occurrence for category 1 is lower than that for category B. Safety
functionality may decrease, however, when a failure occurs.

Categories 2, 3 and 4 (basis for assuring safety: mainly depends on configuration)

Category 2
The requirements of category B, the use of well-tried safety principles and the requirements in this subclause
shall apply. Safety-related parts of control systems to category 2 shall be designed so that their function(s)
are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be
performed.
☆ The following are examples of designing for inspection at intervals appropriate for the machine control
system. Safety functions are inspected as follows:
・ Before starting the machine and before a hazardous condition occurs.
・ Inspection periodically during operation if risk assessment and operation category require inspection.
Inspection may be started automatically or manually, but inspection of safety functions is one of the following.
・ If no failure is detected, operation is possible.
・ If a failure is detected, the output to start the appropriate control operation is output, and the output
produces a safe condition. If a safe condition is not produced (e.g., contact fusing in the final switching
device), a hazard alarm is output. After a failure is detected, the safety condition is maintained until there is
no longer a failure.
Therefore, in category 2, safety functions may be lost between inspections if a failure occurs.

Category 3
The requirements of category B, the use of well-tried safety principles and the requirements in this subclause
shall apply. Safety-related parts of control systems to category 3 shall be designed so that a single fault in
any of these parts does not lead to the loss of the safety function. Common mode faults shall be taken into
account when the probability of such a fault occurring is significant. Whenever reasonably practicable the
single fault shall be detected at or before the next demand upon the safety function.
☆ Designing to prevent single faults from lowering safety functions, means, for example, the following:
・ Providing redundancy and diversity
・ Automatically checking safety functions
Therefore, safety functions may not operate if multiple failures overlap.

Category 4
The requirements of category B, the use of well-tried safety principles and the requirements in this subclause
shall apply. Safety-related parts of control systems to category 4 shall be designed so that:
・ A single fault in any of these safety-related parts does not lead to a loss of the safety function.
・ The single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at
switch on, at end of a machine operating cycle.
・ If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety
function.

Note: ISO13849-1: 2006 follows the above categories.

(5) Validation

The safety category of safety-related parts is selected based on ISO 13849-1 to attempt to check and reduce the occurrence of
hazards associated with the entire machine based on ISO 14121.
Next, analysis and testing are performed to confirm that the safety-related parts conform to the requirements for the safety of the
entire machine.
The analysis is performed using a list of foreseeable faults based on ISO 13849-2 and design criteria based on ISO
13849-1. The following faults, for example, are excluded as 'fault exception items'.
1. The NC contact of a safety switch with a direct opening/positive opening mechanism does not open.
2. The forcibly guided NC and NO contacts of a safety relay are closed at the same time.
3. A secured cable reliably protected with a cable duct or other means causes a short circuit between wiring due to an
external shock.
4. A short circuit occurs in adjacent terminals whose connections are reliably covered with an insulating tube or other means.


(6) Documentation

A technical file containing the following information should be recorded:


Drawings, control circuit drawings, calculations, test results
List of necessary safety requirements for ISO 12100, plus other relevant standards and technical specifications used
Details of the methods used to eliminate hazards, risk assessment data
A test report/certificate from a competent body if required
A copy of the instructions
Series manufacture details of internal measures and QA systems

Items that are required to be documented are shown below, by category (extracted from ISO 13849-2 Table 2)

| Items Requiring Documentation | B | 1 | 2 | 3 | 4 |
|---|---|---|---|---|---|
| Basic Safety Principles | ○ | ○ | ○ | ○ | ○ |
| Expected operating stresses | ○ | ○ | ○ | ○ | ○ |
| Influences of processed material | ○ | ○ | ○ | ○ | ○ |
| Performance during other relevant external influences | ○ | ○ | ○ | ○ | ○ |
| Well-tried Components | --- | ○ | --- | --- | --- |
| Well-tried Safety Principles | --- | ○ | ○ | ○ | ○ |
| The check procedure of the safety function(s) | --- | --- | ○ | --- | --- |
| Checking intervals, when specified | --- | --- | ○ | --- | --- |
| Foreseeable, single faults considered in the design and the detection method used | --- | --- | ○ | ○ | ○ |
| The common mode failures identified and how prevented | --- | --- | --- | ○ | ○ |
| The foreseeable, single faults excluded | --- | --- | --- | ○ | ○ |
| The faults to be detected | --- | --- | ○ | ○ | ○ |
| The variety of accumulations of faults considered in the design | --- | --- | --- | --- | ○ |
| How the safety function is maintained in the case of each of the fault(s) | --- | --- | --- | ○ | ○ |
| How the safety function is maintained for each of the combination(s) of faults | --- | --- | --- | --- | ○ |

(7) What is ISO13849-1: 2006 (PL)

● Background of ISO 13849-1 Revision


Until now, the 'category', i.e. the classification of the architecture (structure) of a safety control system, has been a deterministic
theory focused on the composition of hardware.
But as technology has advanced, electronic components such as transistors and integrated circuits, and software-based
components such as microprocessors, have been adopted as core elements of safety-related control systems.
Since 2000, work has been underway to define the performance of machine safety control systems in terms of function and
reliability rather than component failure modes. This is the concept of "functional safety." IEC61508, the international standard
for safety-related electrical and electronic control systems, provides definitions of the safety of complicated controls down to the
constituent component level, such as designing reliability, including life (until a loss of safety function), and programs based upon
probability theory.
IEC61508 has a very wide scope of application, so a new standard specifically designed for machine control systems,
IEC62061, was developed to provide for mechanical safety. However, because this standard basically assumes complicated
controls, it assumes many safety control system architectures, and each architecture requires complicated calculation of
probability. This is the reason why IEC62061 did not become familiar among machine designers, who are accustomed to the
relatively easy-to-follow definitions of "Categories."
The latest version, ISO13849-1: 2006, combines the straightforward deterministic features of EN954-1's Categories with
IEC62061's probabilistic and systematic design considerations (a reliability model). In other words, the revised version of
ISO13849-1 selects the architecture models in IEC62061 that match the definitions of the Categories, and applies those
reliability models.
This version can be called a functional safety standard in simplified form.


● Main Changes

Changes in Risk Estimation Methods


Both methods require estimating risk of hazards at the risk assessment stages.
In estimating risks, EN954-1 evaluated and classified the results of its risk estimations into the risk levels of I to IV.
But the evaluation process did not encompass any notion of targeted performance that safety measures to reduce risks should
reach. As a result, the safety control system's structure (Categories B to 4) is generally determined directly from the risk graph.
When trying to establish a common parameter between persons who perform risk assessment (for example, users) and persons
who implement risk reduction (for example, machine designers), the users may not understand the functional differences of
safety control system structures from the designer's viewpoint, and the designer in turn finds it difficult to understand user
requirements. Also, the overwhelming majority of risks at actual working sites are minor damage such as suspension of
operation for several days, while EN954-1's risk graph placed more stress on serious damage in risk estimation, and the
previous standard did not accurately reflect this aspect.


The latest revision in ISO 13849-1: 2006 allows users to determine risk estimations homogeneously and uniquely, and makes
risk assessment easier for persons responsible for implementing it.

Change in Definitions of Safety Control System's Performance


How should designers reduce risks?
If designers are required to satisfy Category requirements only, the safety control system structure, once determined, will maintain
the same level of safety performance.
The question is whether or not this is a correct concept, considering that every machine can fail at some future time. The
components comprising the safety control system also will deteriorate and can fail at some future time. It is important to figure
out in what mode the system will encounter a failure at such times. When a machine experiences a failure that causes the
expected safety function to fail during a period expected by its users, and the failure is not detected, it is equal to
non-performance of safety functions. But definitions based only upon deterministic theory cannot cover such time-related elements.
To improve this aspect, the latest revision includes additional features to the previous structure definitions with two-layer
structure definitions that enable users to probabilistically evaluate a safety control system's reliability, including mean time to
dangerous failure at the component level and the level of detecting dangerous failure. This allows users to make quantitative
evaluation according to how they actually use the machine. This is the core component of the 2006 revision.

Common Indicator Criteria


The revised standard establishes indicators of a safety control system performance level that can be clearly communicated
between a person who implements risk assessment and a person who designs a machine.
These indicators are called Performance Level (hereinafter abbreviated as "PL"), and are evaluated using five levels from "a" to
"e." Required performance levels as seen from the standpoint of a person who implements risk assessment are specifically
called PLr.
PL, the achieved performance level of a safety control system after risk reduction has been implemented, must be equal to or
greater than required Performance Level (PLr).

● How to Determine Performance Level

Required Performance Level: PLr

As with the risk graph in EN954-1, a required performance level is evaluated in terms of severity of injury (S), frequency and/or
exposure to hazard (F) and possibility of avoiding hazard or limiting harm (P). As a result, the required performance level (PLr)
ranging from "a" to "e" is determined depending on the scale of the risk.

<Meaning of Symbols>
S1: slight (normally reversible injury)
S2: serious (normally irreversible injury or death)
F1: seldom-to-less-often and/or exposure time is short
F2: frequent-to-continuous and/or exposure time is long
P1: possible under specific conditions
P2: scarcely possible

Method to Evaluate Performance Level (PL)


Four parameters are used to evaluate a safety related control system's performance level (PL).

1. Category
2. MTTFd (Mean Time To Dangerous Failure)
3. DCavg (Average Diagnostic Coverage)
4. CCF (Common Cause Failure)

The Categories refer to the architecture of a safety related control system, and are classified into five categories as defined in
the previous version of EN954-1.
MTTFd refers to an average life before the dangerous failure of a component. DC refers to the certainty of detecting failures in
the entire system including software. CCF refers to the protection of the entire system from failing due to a common cause. As
parameters for reliability, MTTFd and DCavg are determined by formulas, and CCF is determined with a checklist method.
Each of the parameters is classified into levels using standard values: three levels for MTTFd, three levels for DC and two levels
for CCF. Performance Levels are evaluated comprehensively in terms of these four parameters.
The following sections show how each of the parameters is calculated.

● How to Evaluate Performance Level


As described above, when the four parameters are calculated, the PL can be determined from the following graph:
Category (the five categories of B, 1, 2, 3, and 4)
MTTFd (the three levels of High, Medium, and Low)
DCavg (the four levels of High, Medium, Low, and None)
CCF (the two levels of 65 or more points and less than 65 points)

For example, with "Category 4, MTTFd=High, DCavg=High, CCF of 65 points or higher," the PL is evaluated as "e".
However, the thresholds in the above graph for MTTFd determination are not easy to locate, so the table below is
provided to give a simplified view. Either the graph or the table may be used.
| Category | B | 1 | 2 | 2 | 3 | 3 | 4 |
|---|---|---|---|---|---|---|---|
| DCavg | None | None | Low | Medium | Low | Medium | High |
| MTTFd of each channel: Low | a | --- | a | b | b | c | --- |
| MTTFd of each channel: Medium | b | --- | b | c | c | d | --- |
| MTTFd of each channel: High | --- | c | c | d | d | d | e |

*Notice that in both the graph and the table methods some combinations of parameters are not allowed. For example, combining Category 4
with medium reliability and low diagnostic coverage is not considered.
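
The PL evaluation described above, as an added example that is not Omron's code: it encodes the simplified table from this page, rejects combinations the table does not cover, and checks the achieved PL against PLr. Two things are assumptions taken from ISO 13849-1 rather than from this page: the S/F/P risk graph values in RISK_GRAPH, and that the 65-point CCF minimum applies to Categories 2, 3 and 4 only. All function and variable names are hypothetical.

```python
# Added example: PL verification following the ISO 13849-1:2006 method on this page.

PL_ORDER = "abcde"  # "a" is the lowest performance level, "e" the highest

# Assumption: risk graph of ISO 13849-1 (the graph itself is not reproduced on this page).
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Simplified table from this page: one entry per (Category, DCavg) column.
# None stands for "---", a combination the table does not cover.
PL_TABLE = {
    ("B", "None"):   {"Low": "a",  "Medium": "b",  "High": None},
    ("1", "None"):   {"Low": None, "Medium": None, "High": "c"},
    ("2", "Low"):    {"Low": "a",  "Medium": "b",  "High": "c"},
    ("2", "Medium"): {"Low": "b",  "Medium": "c",  "High": "d"},
    ("3", "Low"):    {"Low": "b",  "Medium": "c",  "High": "d"},
    ("3", "Medium"): {"Low": "c",  "Medium": "d",  "High": "d"},
    ("4", "High"):   {"Low": None, "Medium": None, "High": "e"},
}

CCF_MIN_POINTS = 65               # threshold stated on this page
CCF_CATEGORIES = {"2", "3", "4"}  # assumption: CCF is scored for these categories only


def required_pl(severity, frequency, avoidance):
    """Return PLr for the S/F/P parameters chosen in the risk assessment."""
    try:
        return RISK_GRAPH[(severity, frequency, avoidance)]
    except KeyError:
        raise ValueError(f"unknown risk parameters: {severity}, {frequency}, {avoidance}")


def achieved_pl(category, dc_avg, mttfd, ccf_points=0):
    """Return (pl, reason). pl is None when no PL can be claimed for the design."""
    column = PL_TABLE.get((category, dc_avg))
    if column is None:
        return None, f"Category {category} with DCavg={dc_avg} is not in the table"
    if mttfd not in column:
        raise ValueError(f"MTTFd level must be Low, Medium or High, got {mttfd!r}")
    pl = column[mttfd]
    if pl is None:
        return None, f"Category {category} with MTTFd={mttfd} is not covered"
    if category in CCF_CATEGORIES and ccf_points < CCF_MIN_POINTS:
        return None, f"CCF score {ccf_points} is below {CCF_MIN_POINTS} points"
    return pl, "ok"


def verify(hazard, design):
    """Check the rule PL >= PLr for one safety function."""
    plr = required_pl(*hazard)
    pl, reason = achieved_pl(**design)
    ok = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
    if pl is not None and not ok:
        reason = f"achieved PL {pl} is lower than required PLr {plr}"
    return {"PLr": plr, "PL": pl, "ok": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed sample designs, not taken from the page.
    guard_door = dict(category="3", dc_avg="Medium", mttfd="High", ccf_points=80)
    light_curtain = dict(category="4", dc_avg="High", mttfd="High", ccf_points=70)
    print(verify(("S2", "F2", "P2"), guard_door))
    print(verify(("S2", "F2", "P2"), light_curtain))
```
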

● How to Calculate PL Parameter

2. Interlocking Devices

An interlocking device is a mechanical or electrical device that can prevent the machine from operating unless certain
conditions are met, such as closing a guard.
Provisions for interlocking are stipulated in ISO14120 for guards, ISO14119 for interlocking devices associated with
guards, and ISO13849-1 for the method that is used to process the signal from an interlocking device and to stop
machinery. This section describes interlocking parts linked to guards like safety limit switches and safety door
switches in accordance with ISO14119 along with a description of each.

(1) The role of Interlocking Devices

Safety machinery and equipment consist of a control system and an operative system as shown in Fig. 1 Role of Interlocking
Devices. The power control element combines the roles of the control and operative systems, and machine actuators are
equipped with safeguards and interlocking devices.
Electricity is supplied to the power control elements only if a safety check signal is sent from the interlock device and an operate
command is sent from the control system.
The interlock device is used to send safety check results to the power control elements as shown in the figure below. A safety
signal can be sent from a PLC in some cases as long as the PLC does not have a negative impact on the interlock device.
In other words, the interlock device (safety-related part) and the PLC (non safety-related part) are completely independent of
each other.
Control systems are divided into safety-related and non-safety-related parts in international safety standards, and they must be
constructed so that non-safety-related parts do not have a negative impact on safety-related parts during normal operation or
when a malfunction occurs.

(2) Types of Interlocking Devices

Interlocking devices are classified by type.

● Interlocking Types

Control Interlock
This type of interlocking device inputs a stop command to a control system, like an electromagnetic relay that interrupts or
removes the energy supplied to machine actuators.

Power Interlock
This type of interlocking device sends a stop command that directly interrupts or removes the energy supplied to machine
actuators.
Under the power interlock system, the control system does not intervene between the interlock device and the power supply, but
instead the interlock device itself uses a safety switch or some similar measure to control interlocking.

● Guard Locking Types

Non-locking Type
The guard can be opened or closed at any time and the interlocking device sends a stop command only if the guard is open.

Locking Type
(1) Unconditional Unlocking
An operator can unlock the guard at any time with this type of unlocking, but it does have a precondition in that it must take
longer to unlock the guard than it does to clear the hazard.
(2) Conditional Unlocking
The guard can be unlocked under certain conditions, such as when confirming that the hazardous condition has been cleared
(e.g. confirming that rotation has stopped).

Example of non-locking type

Example of locking type

● Locking and Unlocking Types

Locking and unlocking types can be classified by the actuating mechanism that is used to apply and release the lock.

Spring Applied, Power Released Type

OMRON uses a mechanical lock/solenoid release method.
Power Applied, Spring Released Type
OMRON uses a solenoid lock/mechanical release method.

Power Applied, Power Released Type

[Figure: Mechanical lock and solenoid release / Solenoid lock and mechanical release. Guard (close): Solenoid (Power) Lock, Mechanical (Spring) Lock. Guard (open): Solenoid (Power) Lock Release, Mechanical (Spring) Lock Release.]

Note: In a specific application, either a "power applied, spring released type" or "power applied, power released type" may be used if they
provide an equivalent level of safety. In principle, however, the part (bolt) intended to lock the guard must be the "spring applied,
power released type."

(3) Designing Interlocking Devices

The following items must be considered in the design of interlocking devices that use a safety limit switch or safety door switch.

● Using a Mechanically Actuated Position Detector Switch


(1) When designing an interlocking device that uses a single mechanically actuated position detector switch, the switch must
be actuated in positive operation (positive opening mechanism).
(2) When designing an interlocking device that uses two mechanically actuated position detector switches, one switch must be
actuated in positive operation (positive opening mechanism) and the other must be activated in negative operation
(negative opening mechanism) notably to avoid common cause failures.
Note: See the section on Negative Operation and Positive Operation of Safety Components for details on positive and negative actuation.

● Fixing Position Detector Switches


(1) Position detector switches must be tightened and loosened with a tool.
(2) The use of slots for mounting must be limited to initial adjustment and provisions must be made so adjustment will not be
needed after the switch is replaced.
(3) Guard movement produced by switch activation must be within a range that will not defeat the safeguard effectiveness.
(4) The mechanical operating range must remain within the specified operating range of the switch.
(5) Switches must not be used as mechanical stops.
(6) Switches must be located, and if necessary protected, to avoid damage from external causes.
(7) Easy access for switch maintenance and inspection must be afforded.

● Reducing Faults Due to Common Causes


Faults due to common causes must be avoided with redundant designs using one positive-actuated and one negative-actuated
switch.

(4) Selecting Interlocking Devices

When selecting an interlocking device it is necessary to consider all phases of the interlocking device, including the conditions of
use and intended use of the machine, hazards present at the machine and their evaluation, stopping time and access time to
the machine, and frequency of access.

● Stopping Time and Access Time


An interlocking device with a guard locking must be used when the stopping time is greater than the time it takes a person to
reach the danger zone (access time).

● Frequency of Access (Frequency of Opening the Guard)

(1) For applications requiring frequent access, conduct a risk evaluation and then select an interlocking device that provides
the least possible hindrance to the operation of the guard.
(2) For applications using interlocking devices with automatic monitoring, the interlocking device should be used with additional
measures, such as conditional guard unlocking, because the frequency of function checks decreases and the probability of
an undetected fault occurring increases as the opening frequency decreases.

(5) Control Requirements for Interlock Devices

The following control requirements must be satisfied for interlocking devices for movable guards (ISO 12100-1).
(1) Closing the movable guard enables operation of the machine that was covered by the guard. Closing the movable guard
causes the operation to start automatically. At actual startup, restarting can be performed by pressing the start button after
all other start conditions are met.
(2) The stop signal for the machine will be output if the guard is opened during operation of a machine that is covered by a
guard. In other words, the machine will not be permitted to operate as long as it has not been detected that the guard is
closed.


3. Basic Safety Functions in the Event of a Fault

When a fault or disturbance in electrical equipment leads to a hazardous condition and the possibility that the machine
as well as the item being processed may be damaged, appropriate steps must be taken to minimize the probability of a
hazard. This section uses the safety principles found in EN 60204-1 to describe and illustrate the main procedures to
follow to minimize risk in the event of a fault.

● Application of the claims postulated by ISO13849-1 and IEC62061


The control circuit must comply with the appropriate safe performance level as determined in the risk assessment.

(1) Use of Proven Circuit Techniques and Components
(2) Functional Tests
(3) Provisions of Redundancy
(4) Use of Diversity
(5) Self-monitoring by Safety Relays in Application Circuits
(6) Single-fault Detection
(7) Short-circuit Detection
(8) Emergency Stop

(1) Use of Proven Circuit Techniques and Components

1. Basic Circuit Configuration for Ground Faults


The following examples are typical.

● Basic Circuit Configuration


The following must be taken into consideration when designing safety circuits for a control system.
(1) The relay contacts must open when a coil is not energized.
(2) One line must be grounded on the secondary side of the insulating transformer.
(3) All coils in the safety circuit must be connected directly and as close as possible to the line that connects to the ground line.
(4) The safety circuit must employ a fuse.
The figure below shows the basic configuration of a safety circuit containing all the preceding items.

The fuse will blow and power to the circuit will cut off if a ground fault occurs on line A.
A ground fault will not occur on line B because it is grounded.

● Examples of Ground Faults


A: Safety Circuit Not Grounded

Two ground faults act as a bypass. As a result, the machine may start abruptly or its operation may not be interrupted.
B: Safety Circuit Transformer Grounded from the Midpoint on the Secondary Side

A ground fault causes half the voltage to be applied to the relay coil. As a result, the machine in operation may not be
interrupted.

2. A procedure must be established to cut off power to stop control and power circuits instantly.
See (8) Emergency Stop for details.

3. Parts with safety standards approvals must be used.


Obtaining safety standards approval means obtaining approval from an independent body such as TÜV.

4. Safety switches that operate reliably must be used.

Parts with safety standards approval display the

5. Safety designs including fail-safe or foolproof functions must be used.


A fail-safe function ensures safety in the event of a fault, breakdown, or incorrect operation. A foolproof function ensures safety
despite human error, fault, or incorrect operation.

(2) Functional Tests


Functional tests that ensure safety must be conducted at regular intervals and whenever electric products are started, and they
must be conducted either automatically by the control systems of electric products or manually through inspections and tests. If
faulty operation occurs, product operation must be suspended until troubleshooting has been completed.

(3) Provisions of Redundancy


All or part of the electric circuits must be redundant (duplicated) to minimize the probability that a malfunction in the circuits will
result in a hazard.

The following are examples of redundant electric circuits that employ more than one relay or switch in combination so
the circuits will function even if one of the relays or switches fails to operate.

● Circuit with Two Relays

● Circuit with Two Switches

(4) Use of Diversity

Common malfunctions and the probability of failure in electric products can be reduced if each product uses a variety of control
circuits as well as various types of devices and components. The following are examples showing the use of diversity.
1. Safety door with safety components that use a combination of NC and NO contacts.
2. Circuits using control components that are different from each other in type.
3. Redundant combinations of electromechanical and electronic circuits.

● Examples of Safety Doors with Switches in Negative and Positive Operation

(5) Self-monitoring by Safety Relays in Application Circuits


When the reset switch is operated, the interface circuits containing safety relays automatically check to see if there are any
faults. If there are faults in any circuit, then this safety control circuit will turn OFF power to stop operation.

● Examples of Self Monitoring by Relay Units
G9S-301 (24 VDC) - Two Limit Switch Input Channels

Fault detection 1: Detect closed door switches (K1, K2)
Fault detection 2: Detect fused interface relay and contactor contacts (K3)

● Normal Operation ● Failure

If the normally open contact (8) of the contactor is welded, the normally closed contact (7) will be neutral (not conducting), and
no voltage will be applied to the coil of safety relay K3. K3 will not operate, in which case the relay sequence will not operate
even if the reset switch (2) is turned ON and power will not be supplied. The auxiliary contacts of the contactor must be mirror
contacts.

(6) Single-fault Detection


Programmable controllers are usually used only to monitor safety-related functions, to test functions periodically, or to
serve as a backup. Programmable controllers conforming to IEC61131 must be used.
The following example shows a basic circuit with a programmable controller for single-fault detection.
Switch S1 turns OFF the input signal to the programmable controller to shut down the power supply when the door is open.
Switch S2 has a safety protection function that prevents hazards from developing in the event of a fault. Therefore, switch
S2 must be a safety switch that incorporates a positive opening mechanism.
One power load switching requires a power contactor.

● Basic Circuit with a Programmable Controller for Single-fault Detection

(7) Short-circuit Detection


The lead wires of a safety control circuit may be bypassed or short-circuited due to damage caused by force, heat, shock, or
acid. Such damage can be detected if the safety control circuit incorporates a short-circuit detecting function that satisfies the
following criteria.
(1) The safety circuit must have two input channels that each employ an NC contact.

(2) There must be a potential difference between these channels.
The following example shows a circuit for short-circuit protection.

● Safety Control Circuit with Two Input Channels and a Short-circuit Detecting Function

(8) Emergency Stop


The following items are required for emergency stopping.

● Emergency Stop Equipment


(1) Emergency stop equipment must be located at each operator control station and at other locations where the initiation of an
emergency stop can be required.
(2) When machinery is divided into several emergency stop zones, emergency stop equipment must be placed where
operators can see and access them easily and can operate them without exposure to hazards.
(3) The emergency stop function must have priority over all other functions and operation in any mode.

(4) The emergency stop function must work so that it falls under category 0 or category 1. The choice of category 0 or category
1 must depend on the risk assessment.

Type of Stop Functions

Stop Category 0
Stop category 0 is an uncontrolled stop that is achieved by immediately removing power to the machine actuators (e.g., directly
cutting off the power supply).

Stop Category 1

Stop category 1 is a controlled stop that is achieved by sending a stop command from the control circuit to stop (e.g., brake) the
machine actuators and then removing power to the actuators (e.g., cutting off control circuit power) after the stop is achieved.

Stop Category 2
Stop category 2 stops machine actuators without cutting off the power.

(5) Where several emergency stop devices are provided in a circuit, it must not be possible to restore that circuit until all
triggered emergency stop devices have been reset.
(6) Emergency stop equipment must be used as neither an alternative to proper safeguarding measures nor as an alternative
for automatic safety devices, but they may be used as a back-up measure.


● Emergency Stop Requirements


The functional and design-related principles of emergency stop buttons, pull-cord switches, foot pedals, and other emergency
stop devices are defined in ISO 13850. Devices built in accordance with ISO 13850 are suitable for emergency stop
applications. Their general design is as shown below.

The requirements for the emergency stop function as stipulated in IEC 60204-1 are as follows:
The emergency stop function must deactivate all other functions and operation in any mode.
The power supply for all machines that are capable of inducing a dangerous condition must be removed as quickly as
possible without causing any other dangers.
The reset function must not restart the stopped machine.
The relevant standards divide applications into numerous stop categories. The selection of the appropriate category must be
made depending on a risk assessment of the machine involved.
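
The emergency stop requirements above (priority over all other functions, stop category 0 or 1, no restoring the circuit until every triggered device has been reset, and a reset that does not restart the machine) can be checked against a small model. The following Python sketch is an added example, not OMRON code or a circuit from this guide; the class, method and device names are assumptions made for illustration.

```python
class EmergencyStopCircuit:
    """Simplified model of one emergency stop zone (constructed for illustration)."""

    def __init__(self, device_names, stop_category=0):
        if stop_category not in (0, 1):
            # The guide allows only stop category 0 or 1 for emergency stop.
            raise ValueError("emergency stop must be stop category 0 or 1")
        self.stop_category = stop_category
        self.actuated = {name: False for name in device_names}
        self.tripped = False        # latched stop state of the whole circuit
        self.power_enabled = True   # safety circuit allows actuator power
        self.braking = False        # category 1 controlled stop in progress
        self.running = False

    def start(self):
        """Start command from the normal control system."""
        if self.tripped or any(self.actuated.values()):
            return False            # emergency stop has priority over start
        self.running = True
        return True

    def actuate(self, name):
        """An operator actuates one emergency stop device."""
        self.actuated[name] = True
        self.tripped = True
        if self.stop_category == 0 or not self.running:
            self._remove_power()    # category 0: power removed immediately
        else:
            self.braking = True     # category 1: brake first, then remove power

    def standstill_reached(self):
        """Category 1 only: the controlled stop has finished."""
        if self.braking:
            self._remove_power()

    def _remove_power(self):
        self.running = False
        self.braking = False
        self.power_enabled = False

    def release(self, name):
        """Releasing a device does not, by itself, restore the circuit."""
        self.actuated[name] = False

    def reset(self):
        """Restore the circuit; allowed only when every device is released."""
        if any(self.actuated.values()) or self.braking:
            return False
        self.tripped = False
        self.power_enabled = True   # power is available again ...
        return True                 # ... but the machine stays stopped


if __name__ == "__main__":
    zone = EmergencyStopCircuit(["operator_station", "rear_door"])
    zone.start()
    zone.actuate("operator_station")
    zone.actuate("rear_door")
    zone.release("operator_station")
    print("reset with one device still actuated:", zone.reset())
    zone.release("rear_door")
    print("reset after all devices released:", zone.reset())
    print("running after reset:", zone.running)
    print("start after reset:", zone.start())
```
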

4. Presence Detection

(1) Basic Safety


Basic safety is broadly classified into the following categories.
(1) Machines and equipment will not start until it is safe to do so.
(2) Machinery will be stopped whenever a hazardous condition is detected.
In order to maintain a safe environment, measures must be employed on one level to detect operators entering or present in a
hazardous area and on another level to eliminate hazardous conditions.

(2) Safety Requirements


The safety requirements for presence detection, such as those shown below, are defined by the standards and guidelines of
each country.
Guidelines Related to the Comprehensive Safety Standards for Machinery: Ministry of Health, Labor and Welfare
Attached Table 3: Procedure for Safeguarding Against Mechanical Hazards
A device that will detect operators must be installed in a protected area if an operator can pass through an opening and
enter that protected area to perform his job.
ANSI/RIA R15.06: US robot-related safety standards
Article 10.4.7 Starting and Restarting
When an operator is required to enter a protected area, the operator must be protected from inadvertent starting or
restarting of the robot and/or robot system. (Part omitted) If the protected area is clearly marked and the cell cannot start or
restart, some means of detecting operators in hidden areas must be provided. The ideal means would be automatic
detection. (Remainder omitted.)
EN201: European safety standards for injection molding machines
Article 5.3.1
If an operator can fit between the movable guard and the mold, a device that will detect the presence of the operator must
be installed there.

(3) Presence Detection Sensor Functions


The sensor detects the presence of a worker in dangerous environments.

(4) Detection Methods


Presence detection methods are broadly classified into the following categories.

● Reflective
Features: Relative freedom in defining protected areas.


● Pressure detection
Features: Excellent environmental resistance

(5) Safe Distance

When an operator enters a hazardous area, the machine in the area must come to a complete stop before that operator reaches
the hazardous part of the machine. Safe distance refers to the minimum calculated distance that the protective device must be
installed from the hazardous part of the machine.

(6) Operating Principles (ISO13856-1)

● Safety Mats (ISO13856-1)


As shown in Fig. 1, two plates inside the Safety Mat make contact when an operator steps on the Mat. A Controller detects the
contact and generates an output.

● Laser Scanner (IEC61496-3)


As shown in Fig. 2, the laser scanner emits a beam that is reflected by surrounding objects. It calculates the distance to the
object from the time that it takes to receive the reflected light.


5. Two-hand Controller

One way to prevent operators from approaching hazardous areas too closely when conditions are hazardous is to
install two-hand controllers at specified locations.
The guidelines for designing Two-hand Controllers are given in ISO13851. The major safety requirements for Controller
design are listed there under Functional Aspects and Principles of Design for Two-hand Controllers.
Note: Carry out the actual design in compliance with the detailed stipulations of ISO13851.

(1) Main Characteristics

The characteristics that must be provided are categorized by type into Type I, Type II, and Type III categories. The major
characteristics listed here are Type III characteristics used in Category 3 and 4, as determined by risk assessment.
(1) Two hands must be used together to start up the machine.
(2) Two input signals are required to produce an output signal.
(3) The output signal must turn OFF if either or both input signals turn OFF.
(4) Both input signals must be turned OFF before the output signal is restarted.
(5) Both input signals must turn ON within 0.5 s to enable synchronous startup output.
(6) Preventing inadvertent startup and disable prevention: Refer to Article 2.
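
Characteristics (2) to (5) above can be read as a small state machine. The following Python model is an added example, not OMRON code or the logic of any specific relay unit; the class name, state names and sample traces are constructed for illustration, and times are in milliseconds.

```python
from enum import Enum

SYNC_WINDOW_MS = 500  # characteristic (5): both inputs ON within 0.5 s


class State(Enum):
    IDLE = "both inputs OFF, ready for a new cycle"
    ONE_PRESSED = "one input ON, waiting for the other"
    ACTIVE = "both inputs ON in time, output ON"
    LOCKED = "output OFF until both inputs are OFF again"


class TwoHandMonitor:
    """Illustrative Type III two-hand logic (hypothetical, not a real relay unit)."""

    def __init__(self, sync_window_ms=SYNC_WINDOW_MS):
        self.sync_window_ms = sync_window_ms
        self.state = State.IDLE
        self.first_press_ms = None

    def update(self, t_ms, left, right):
        """Feed one sample of both inputs; return the output signal (True = ON)."""
        both = left and right
        neither = not left and not right

        if self.state is State.IDLE:
            if both:
                self.state = State.ACTIVE      # both pressed within one sample
            elif not neither:
                self.state = State.ONE_PRESSED
                self.first_press_ms = t_ms
        elif self.state is State.ONE_PRESSED:
            if neither:
                self.state = State.IDLE
            elif both:
                in_time = t_ms - self.first_press_ms <= self.sync_window_ms
                # (5): too slow gives no output, and per (4) both inputs
                # must turn OFF before another attempt is accepted.
                self.state = State.ACTIVE if in_time else State.LOCKED
        elif self.state is State.ACTIVE:
            if neither:
                self.state = State.IDLE
            elif not both:
                self.state = State.LOCKED      # (3): output OFF at once
        elif self.state is State.LOCKED:
            if neither:
                self.state = State.IDLE        # (4): re-armed

        return self.state is State.ACTIVE


def run_trace(trace):
    """Run a list of (time_ms, left, right) samples through a fresh monitor."""
    monitor = TwoHandMonitor()
    return [monitor.update(t, left, right) for t, left, right in trace]


# Constructed sample traces: (time in ms, left input, right input)
SYNCHRONOUS = [
    (0, False, False), (100, True, False), (300, True, True), (900, True, True),
    (1000, True, False),   # one hand lifted: output must drop
    (1100, True, True),    # pressed again without releasing both: no restart
    (1200, False, False), (1300, True, True),
]
TOO_SLOW = [
    (0, True, False), (700, True, True),   # second input 0.7 s after the first
    (800, False, False), (900, False, True), (1000, True, True),
]
TIED_DOWN = [  # one switch held ON permanently, the other operated alone
    (0, True, False), (5000, True, True), (5100, True, False), (5200, True, True),
]

if __name__ == "__main__":
    for name, trace in [("synchronous", SYNCHRONOUS), ("too slow", TOO_SLOW),
                        ("tied down", TIED_DOWN)]:
        print(name, run_trace(trace))
```

The tied-down trace shows why the synchronous window and the re-arm rule matter together: a switch that is held ON permanently never yields an output, however the other switch is operated.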

(2) Preventing Inadvertent Startup and Disable Prevention


1. One-hand Disable Prevention
The two startup switches must be at least 260 mm (inside dimensions laterally) apart.
Note: A shield must be installed between the two startup switches. This does not apply to applications where disable prevention is possible.
2. Disable Prevention with the Hand and Elbow of the Same Arm
The two startup switches must be at least 550 mm (inside dimensions laterally) apart.

Note: A shield must be installed between the two startup switches. This does not apply to applications where disable prevention is possible.
3. Disable Prevention with the Forearm and Elbow
Install a cover or enclosure.
4. Disable Prevention with One Hand and Another Part of the Body
Install the startup switches at least 1,100 mm off the floor or from the operating level to prevent operators from employing
disable prevention with one hand and another part of the body (e.g. knees, hips, etc.).
Note: Safe Distance
The safe distance from the startup switches to the hazardous area must be calculated using factors such as hand and arm speed, response
time of the startup switches, and maximum time required to eliminate a hazard according to ISO13855.
5. Typical Example
Fig. 1 shows a typical example of a Two-hand Controller according to Articles 2.1 to 2.3.

(3) Connection Examples

1. Connection Circuit Example Using a Safety Relay Unit


The "Circuit Diagrams" section shows an example of a G9SA-TH301 Safety Relay Unit connected to a Two-hand
Controller.
2. Connection Circuit Example Using a Safety Controller
The "Circuit Diagrams" section shows an example of an F3SX Safety Controller, F3SN-A Safety Light Curtain, and A22
Pushbutton Switch connected to a Two-hand Controller for the caulking machine shown below.


6. Enabling Switches

An enabling switch is a safety component used so that workers can avoid unexpected machine movement when
performing non-scheduled maintenance work or other non-scheduled operations in hazardous areas, such as those
inside safety fences.
When a worker is using a hand-held console with operation switches to teach a robot, retool, or perform maintenance,
unexpected movement of a hazard can result in a hazardous state. When this occurs, it's impossible to predict whether
the operator will instinctively release the console or will grip it with force. A normal switch thus does not turn OFF
when excessive force is applied, which may result in a worker accident.
With an Enabling Switch, machines or robots can be controlled only when the switch is gripped lightly to the middle
position. If the switch is gripped with force past the middle position or if the switch is released, the machine or robot
will be shut OFF, disabling operation.
Enabling Switches are normally used built into teaching pendants, grip switches, and other hand-held controls. They
can be combined with safety circuits built with Safety Relay Units and other devices to ensure safety.

(1) Structure of Enabling Switches


Enabling Switches operate through three positions: OFF - ON - OFF.
They are OFF when not pressed, ON when pressed to the middle position, and then OFF again when pressed past the middle
position.
● Three Positions: OFF - ON - OFF


7. Functional Safety Technology

Until recently, there were no means to confirm the safety of technologies such as complex electronic components or
software, which made it difficult to apply them safely. Demands have increased, however, by companies that want
greater safety in the use of various devices. This has led to the concept of functional safety, which is a method of
confirming safety by providing the reliability that electronic equipment and programmable devices used in safety
equipment will operate properly when the safety related demand is given. Reliability here refers to "lowering human
risk to the level of socially tolerable risk." This includes the following factors:

1. Periodic confirmation tests are conducted, showing that there are no latent hazards.
For example, a failure is detected in self-diagnosis and a safe state is achieved.
2. Reliability with respect to deterioration and lifetime of assembly components.
For example, the probability of a hazardous failure is determined for each part.
3. System reliability.
It is confirmed that protection against one type of hazard will not invite a different type of hazard.

IEC 61508, which was issued in 1998, is representative of common standards for functional safety. IEC 61508 is further divided
into seven detailed standards for individual fields of application. Standards for industrial machinery are stipulated in IEC 62061.
For detailed information, refer to these standards.
In the above standards, the SIL (Safety Integrity Level) is defined as the parameter that specifies the requirements of safety
functions. In the area of machinery, it has been decided to coordinate the SIL with the performance level (PL) defined by ISO
13849-1:2006.
(Extracted from the NECA Safety Guide Handbook.)

The required SIL (Safety Integrity Level) is greatly determined by whether the operation demand is low or high/continuous.

SIL Required of Safety-related Controls in Low Demand Mode (for Example, Safety-related Controls That Operate
Only for a Short Time When There Is Demand, Such as ABS on Cars)
Example: If risk assessment determined that SIL2 is suitable, the TFM that needs to be achieved by the related safety
controls would be 10^-3 ≤ TFM < 10^-2.
Note: TFM (Target Failure Measure)

SIL (Safety Integrity Level)    Low operation demand mode (average failure rate per operation demand)
4                               ≥ 10^-5 to < 10^-4
3                               ≥ 10^-4 to < 10^-3
2                               ≥ 10^-3 to < 10^-2
1                               ≥ 10^-2 to < 10^-1

SIL Required of Safety-related Controls in High or Continuous Demand Mode (for Example, Safety-related
Controls That Operate Continuously or Frequently over a Long Period of Time, Such as a Pacemaker)
Example: If risk assessment determined that SIL2 is suitable, the TFM that needs to be achieved by the related safety
controls would be 10^-7 ≤ TFM < 10^-6.
Note: TFM (Target Failure Measure)

SIL (Safety Integrity Level)    High or continuous operation demand mode (hazardous failure rate per unit time (1/h))
4                               ≥ 10^-9 to < 10^-8
3                               ≥ 10^-8 to < 10^-7
2                               ≥ 10^-7 to < 10^-6
1                               ≥ 10^-6 to < 10^-5

© Copyright OMRON Corporation 2000-2020. All Rights Reserved.
