MOTION DESIGN GUIDE

MACHINE SAFETY
IN AUTOMATION

Sponsored by: brought to you by:

Sponsored by:

1 www.schmersalusa.com
I www.designworldonline.com www.designworldonline.com
www.opto22.com
MACHINE SAFETY DESIGN GUIDE

Automation of discrete motion and process tasks is essential to modern

manufacturing and distribution. However, automation can pose numerous
dangers to nearby human personnel as well as equipment. The threats of
electrocutions, burns, amputations, crushed fingers and hands, and blindness
are most acute near slicing and sawing operations; spinning, reciprocating,
spooling, winding, pressing, and punching axes — as well as those transporting
heavy objects; and hot components as well as end effectors associated with
welding or sintering.

As we’ll detail in this Design Guide, any machine function, component, or

process posing the above risks (or the potential for damage to equipment) ▼
must be fitted with a safety system and in most cases safeguarded … and
LISA EITEL
hazards removed or controlled. In this exclusive Design Guide, the editors
Engineer Editor
of Design World review the approaches needed to fully assess a machine’s
required level of safety; the components needed for safe installations; and
the proper integration of such components in individual machines and
workcells. The role of controls and leading standards (for markets and general
automation) will also be covered.

TABLE OF CONTENTS
▼

▼
DANIELLE COLLINS
Engineer Editor
Introduction to industrial safety................................................................. 3

Assessing the need for (and designing) machine safety features.............. 6

Safety components using direct machine-operator contact.................... 10

Emergency stop switches — only in emergencies................................... 13

Basics of safe speed from Schmersal....................................................... 15

Machine-triggered sensors, switches, and perimeter components......... 16

Safety relays, signal processing, and controls.......................................... 24 Sponsored by:

© Copyright 2021 WTWH Media

www.wtwhmedia.com I marketing.wtwhmedia.com I www.designworldonline.com I www.motioncontroltips..com www.schmersalusa.com
@designworld /DesignWorldNetwork @motion_control
 INTRODUCTION TO
▼

INDUSTRIAL SAFETY

HMI WITH SAFETY

CONTROLS
NONCONTACT DOOR
SWITCH

EMERGENCY
STOP

SAFETY RELAY OR
SAFETY CONTROLLER

Some safety sensors can connect to servo

controls or VFDs and replace relay arrays
on machines involving motion control. Such
networked sensor installations can detect
errors that degrade the machine safety —
and keep machine zones on lockdown (or
moving very slowly) until the error is cleared.

Where standards allow it, such safety systems

often wire interlocks and the like in series to
boost reliability while minimizing cost and
complexity.

I
ndustrial threats to facility-personnel wellbeing include
radiation, hazardous-chemical exposure, lack of work-
cell ergonomics, biological hazards including harmful or
deadly viruses, fungi, or bacteria, environmental extremes
(including extreme temperatures), and physical harm from
mechanical threats.
near plant operators. Such conveyors can entangle personnel
— especially by fingers, loose shirt sleeves, and long hair.
That’s why (among other safety features) conspicuous stop
switches, strips, and cords must flank the conveyor at regular
intervals along its whole run — to let plant personnel stop the
entire conveyor during or just preceding an emergency.

In this Design Guide, we cover technologies to prevent harm
from the latter.
Basic mechanical safety systems prevent machines from
starting until it’s safe to start ... and stop the machine upon
detection of some hazardous condition.
Just consider industrial settings involving conveyors that run
Quantifying such safety risks and the potential severity of
personnel injury from machinery (as well as self-inflicted
machinery damage) is at the core of all industrial-safety design
work. European Standard (EN), International Electrotechnical
Commission (IEC), and International Organization for
Standardization (ISO) risk assessments and rules dominate
global regulations applying to most all industries.

Sponsored by:

www.schmersalusa.com
3 I www.designworldonline.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
introduction to industrial safety

Robotic work cells also necessitate specialty guards that accommodate the fact that personnel may occasionally enter the robot’s work cell. Here,
trapped-key safety circuits can ensure force personnel to clear out of the work cell before the robot is allowed to resume operations.

These lead consolidated guidelines to thoroughly define Even for older machines, safety retrofits are increasingly
the required safety systems, redundancies, precautions to viable and warranted where plant personnel include new hires
sufficiently minimize risk — whether on the part of machine and younger less experienced operators.
operators (as is customary in the U.S.) or on the part of
the machine builders (as is required by law in Europe). Outsourcing the design of machine safety features (either to
Complementary industry-specific regulations then complete suppliers or integrators) may be necessary where:
the suite of protections to keep personnel safe.
• A facility or organization’s engineering teams lacks safety-
Such protections are especially important near operations specific expertise
considered typical in the world of industrial automation …
such as material handling, transporting, forming, cutting, • A machine’s operations (and potential hazards) are exotic
laminating, and pressing as well as forms of electrical, thermal, … necessitating customized machine guarding
and optical processing, testing, and inspection.
• No previous risk assessment has been done
Of course, overly zealous safety protocols are the enemy of
• Nuanced safety implementation demands reliance on
productivity, and can even shorten machinery life should
qualitative knowledge of best practices
there be over-reliance on emergency stops (e-stops),
as these are jarring to mechanical and even electrical • Full design-team mastery of both governmental and
machine components. On the other hand, it’s increasingly industry safety standards
unacceptable to leave machine safety to other parties ... even
for OEM machine builders not explicitly asked by end users to
include safety features on new machines.

Sponsored by:

www.schmersalusa.com
4 I www.designworldonline.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
introduction to
industrial safety

All industrial-automation installations require careful

analysis to identify the most suitable safety guards and (if
applicable) safety control architecture. Simple machines
with straightforward safety requirements — for example,
necessitating only a light curtain and emergency stop button
— can successfully accept a wider array of solutions than
more complex installations. Where a machine requires a
more involved safety solution, today’s flexible safety controls,
architectures, and software can help simplify the setup of
key-locked work cells, safety interlocks, and even collaborative
workspaces that put machine operators near robotics,
conveyors, and other potentially dangerous equipment.

Case in point: Proliferation of collaborative robots or cobots

necessitate specialty safety systems that use sensor feedback
and specialty forms of actuation so any inadvertent contact
with human personnel is gentle.

The simplest form of safety equipment is fencing to keep personnel away

from dangerous areas.
Noise: The other physical threat to personnel
▼

Though beyond the focus of this Design Guide,
noise poses a real risk of stress, distraction, and
hearing loss in machine operators and other plant
personnel. That’s why providing a variety of hearing
protection is essential plant practice. Very loud and
sudden sounds from sirens, crashes, and explosions
can cause everything from tinnitus to temporary
hearing loss to permanent deafness at affected
frequencies. Just as harmful is long-term moderate
noise exposure — even at the modest levels of 70
to 80 dB. Many types of industrial equipment can
easily generate sounds at these levels at 4,000 to
8,000 Hz, the most critical frequencies for human
hearing. What’s more, the stress of unrelenting noise
can cause measurable harm to machine operators’
cardiovascular health.
Note that machine guarding or safeguarding is defined by
ISO standards as that which surrounds potentially dangerous
equipment axes or areas of action with fencing, gates, doors,
interlocks, sensors, light curtains, and other physical and
electronic components. Boundaries based on electronic actions
network with controls to trigger slowing or even stopping of
operations that could prove harmful to personnel or objects
entering the guarded area. Though some sources in industry
use safeguarding in the more general sense, many references
and formalized safety standards have begun using the more
exact phrases safety engineering controls and risk reduction
measures to respect the stricter ISO definition of safeguarding.
Other topics in industrial automation safety:
Machinery Directive and how it relates to motion safety
Functional safety standards for servo drives
Drive-based safety functions for controlled stops

Choosing a safety factor so a motor design lasts

Sponsored by:

www.schmersalusa.com
5 I www.designworldonline.com
 Assessing the need for (and designing)
▼

machine safety features

PLr LOW
RISK

P1 a FUNCTIONAL SAFETY RISK ESTIMATION

F1
P2 To calculate the performance level required (PLr) ...

S1
P1 b S Severity of injury
F2 S1 slight (normally reversible injury) Nhẹ, chấn thương có thể hồi phục
S2 serious (normally irreversible injury or death) Nghiêm trọng, chấn thương không thể hồi
P2
c
phục
F Frequency and/or exposure to hazard
P1 F1 seldom to less often and/or exposure time is short Ít khi xảy ra
F2 frequent to continuous and/or exposure to time is long Thường xuyên xảy ra
F1
P2
S2
d P Possibility of avoiding hazard or limiting harm
P1 possible under specific conditions Có thể xảy ra dưới một số điều kiện nhất định
F2 P1 P2 scarcely possible Hiếm khi xảy ra

P2 e HIGH
RISK

All functional safety analyses begin with risk assessment to determine the required Safety Integrity Level or Performance Level.

M
achines should be rendered safe with minimal impact SIL PFH PFH (power) RRF
on operational efficiency and productivity. Fortunately, -5 -6
1 0.00001 to 0.000001 10 -10 100,000 to 1,000,000
functional safety features in machines and systems allow
-6 -7
both scenarios to be realized — mitigating the risk of injury without 2 0.000001 to 0.0000001 10 -10 1,000,000 to 10,000,000
needlessly affecting production. 10
-7 -8
-10
3 0.0000001 to 0.00000001 10,000,000 to 100,000,000
-8 -9
4 0.00000001 to 0.000000001 10 -10 100,000,000 to 1,000,000,000

MEAN TIME TO FAILURE AND SAFETY RATINGS

PL The four SIL levels of EN/IEC 62061 list values for the Probability
10 -4
of Dangerous Failure per Hour as well as a Risk Reduction Factor.
MTTFd
a low ISO and IEC standards have been shifting to standardizing
10 -5 more robust risk-mitigation techniques … with new standards
MTTFd iterations released every few years. Europe has traditionally led
b medium
in machinery safety, though the U.S. has reached comparable
3x10-6 MTTFd adoption levels in recent years.
high
c
10-6
d Designers of industrial machinery and equipment must account for
10-7 the fact that automated motion poses a significant risk of injury or
e damage. Automation’s dominant form of safety today — that of
10-8 functional safety — is a design approach that allows verification
DC DC DC DC DC DC DC that a machine’s safety-related components do in fact reliably
PFHD none none low medium low medium high
function as intended when given safety commands. In short, the
Cat. B Cat. 1 Cat. 2 Cat. 3 Cat. 4 aim of functional safety is to ensure equipment correctly operates
and responds to inputs. Diagnostics and validation routines today
can regularly certify that safety hardware in such designs maintain
EN/ISO 13849-1 values for Category, Diagnostic Coverage, and safety-system requirements for low risk of harm sans deterioration of
Mean Time to Dangerous Failure for PL levels are interrelated. that reliability over time

Sponsored by:

www.schmersalusa.com
6 I www.designworldonline.com

(continued)
ASSESSING THE NEED FOR (AND DESIGNING)
MACHINE SAFETY FEATURES
▼
Functional safety demands that systems detect
potentially dangerous conditions and activate protective
or corrective devices or commands to prevent (or reduce
the consequences of) hazardous events.
Standards abound to define the functional safety of a given
machine. Major ISO functional safety standards include ISO 12100,
ISO 13849, IEC 60204, ISO 61508, and ISO 62061. Relevant
to safety-component suppliers as well as design engineers
deploying these safety components, these detail the necessary
risk assessment, design, installation, and validation for designing
functional safety to obey ISO 61508 and 62061. Fortunately,
functional-safety ISO standards at least list other potentially
applicable standards for a given design in the standards’
normative references.
Just consider two of the most significant standards for automation
today — EN/IEC 62061 and EN/ISO 13849-1. Although the EU was
the first market to mandate integrated safety functions in machinery,
manufacturers around the world have begun to integrate functional
safety features in machines marketed and sold outside of the EU.
EN/IEC 62061 and EN/ISO 13849-1 govern safety requirements for
such industrial equipment.
According to the International Electrotechnical Commission
(IEC) the IEC 62061 standard specifies requirements and makes
recommendations for the design, integration, and validation of
safety-related electrical, electronic, and programmable electronic
control systems (SRECs) for machines. It is applicable to control
systems used, either singly or in combination, to carry out safety-
related control functions on machines that are not portable by hand
while working, including a group of machines working together in a
coordinated manner.
According to the International Standards Organization (ISO) the
EN/ISO 13849-1:2005 standard provides safety requirements
and guidance on the principles for the design and integration
of safety-related parts of control systems (SRP/CS) — including
the design of software. For these parts of SRP/CS, it specifies
characteristics that include the performance level required
for carrying out safety functions. It applies to SRP/CS for
high demand and continuous mode, regardless of the type
of technology and energy used (such as electrical, hydraulic,
pneumatic, or mechanical) for all kinds of machinery.
▼
Industrial-machinery SILs are now coordinated with ISO
13849-1 performance levels (PLs).
7 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
So why do some standards begin with the prefix EN? In short, the
EN prefix designates a harmonized standard. That means it is listed
under the EU Machinery Directive 2006/42/EC. The Machinery
Directive specifies essential safety and health requirements that
all machines in the EU must meet. Harmonized standards include
standards from ISO, IEC, and the European Union. These standards
provide the technical specifications and procedures to fulfill the
Machinery Directive requirements.
COMPARISON OF EN/IEC 62061 WITH EN/ISO 13849-1
EN/IEC 62061 uses the Safety Integrity Level (SIL) rating system to
indicate the level of functional safety and …
• Assigns a numeric score from 1 to 4, with 1 being the lowest
and 4 being the highest; example: SIL3 (note that only levels
1-3 apply to machine systems)
• Risk assessment for determining the required SIL level is based
on severity of injury (Se), frequency and duration of exposure
(Fr), probability of occurrence of a hazardous event (Pr), and
probability of avoiding or limiting harm (Av)
• SIL rating indicates the Probability of Dangerous Failure per
Hour (PFHD) and the Risk Reduction Factor (RRF)
• Considers both low-frequency demand (such as infrequent
machine processes or actions) and high-frequency demand.
• EN/ISO 13849-1 uses the Performance Level (PL) rating system
to indicate the level of functional safety and …
• Assigns an alphabetic score from a to e … with a being the
lowest and e being the highest — as expressed in Category 4
PLe, for example
• Risk assessment for determining the required PL is based on
severity of injury, frequency and exposure time to the hazard,
and possibility of avoiding the hazard or limiting harm
• PL rating indicates the system’s architecture (called its
Category), mean time to dangerous failure (MTTFd), diagnostic
coverage (DC), and Common Cause Failures (CCF)
• Considers only high-frequency demand
Note that the Performance Levels (PL) under ISO 13849-1
correspond to certain PFHD ranges so can be cross-referenced to
SIL levels from IEC 62061. When implementing functional safety,
machine builders, integrators, and users are free to choose either
standard — EN/IEC 62061 or EN/ISO 13849-1.
Sponsored by:
www.schmersalusa.com

(continued)
ASSESSING THE NEED FOR (AND DESIGNING)
MACHINE SAFETY FEATURES
Remember that functional safety is applicable to the machine and
its control system — not to a specific component or device type.
For example, a servo drive may include features and functionality
that let system achieve a specific EN/IEC 62061 or EN/ISO 13849-1
safety category, but the use of the drive itself does not confer that
machine’s safety level.
Many motion-component manufacturers have published brochures or
white papers addressing functional safety, and for good reason. While
the concept of functional safety is relatively simple, the decision
regarding what safety level should be applied to a particular machine
or process is based on a complex mix of quantitative factors and
qualitative assessments. Some manufacturers have even developed
proprietary software to assist designers in determining what
functional safety level is required and in choosing the appropriate
components to achieve that safety level.
For more information on this topic, read: The difference between
PL and SIL machine safety standards
Notice that EN/IEC 62061 and EN/ISO 13849-1 as well as other
functional-safety standards (including ISO 12100-1) classify
machines as needing to satisfy Type A, B, and C requirements.
Foundational Type A standards (such as ISO 12100 itself) apply to
all machine types. Midrange Type B standards include B1 standards
such as ISO 13849-1 and ISO 62061 defining safety approaches and
B2 standards such as ISO 13850 and ISO 13851 defining specific
safe-system requirements. Very machine-specific Type C standards
are the most stringent and preferred for new machine designs.
Examples include:
• EN 201 covering safety requirements for injection molding
machines
• EN 692 covering safety requirements for mechanical presses
• EN 847-1 covering safety requirements for woodworking
machines involving milling and saw-blade axes
• EN 848-1 covering safety requirements for molding machines
with rotating vertical axes
• ISO 3691 covering safety requirements for industrial trucks
• ISO 11111 covering safety requirements for textile machinery
• ISO 10218-1 covering safety requirements for industrial robots
• ANSI/RIA R15.06 covering safety requirements for robot
starting and restarting
Related article: Encoders on robot joints for Functional Safety
WIDER UNIVERSE OF SAFETY STANDARDS
So far we’ve covered EN/IEC 62061 with EN/ISO 13849-1 —
two key standards for motion-control applications. In fact, other
standards apply to designs to varying degrees. Now consider other
standards that are common for automated equipment.
8 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
ISO 12100 • Safety of machinery general principles for design | Risk
assessment and risk reduction: This defines an approach often serving
as the initial process for identifying machine hazards. The standard
requires an inherently safe design and then the addition of safeguards
as well as safety information that must be shared with operators.
Control-based safety must be verified through iterative process
ensuring each safety feature satisfies a sufficiently safe performance
level or PLr until a given mean time to dangerous failure or MTTFd
as described earlier. The latest iteration of the ISO 12100 standard
has replaced portions of the former ISO 12100 and ISO 14121— and
informs Japanese Industrial Standards (JIS) standard JIS B9700. It also
consolidates Type A machinery standards so engineers can use one set
of requirements for all their related designs. The “practical guidance”
standard of ISO/TR 14121 remains to inform the actual analysis process.
ISO/TR 14121: This systematic risk-assessment standard is useful
during machine design, construction, retrofitting, and use. The
standard outlines five steps to that end.
Step 1 is to determine the machinery limits including:
• Requirements for all machine-life phases and the machine’s
intended use
• Potential modes of misuse and malfunction
• Operator’s age, strength, dominant hand, and abilities
relating to eyesight and hearing — as well as competence and
experience
Next ISO/TR 14121 requires the identification of all hazardous
conditions … largely through predicting situations that could cause
electrocution, severing of body parts, entanglement, and crushing,
and burning. Clarifying such hazards can be done using checklists,
what-if questionnaires, hazard and operability studies, and failure
mode and effect as well as fault-tree analyses.
Step 3 of ISO/TR 14121 includes quantification of the risk factors’
probability of occurring and magnitude of potential harm; this is
followed by evaluation of additional measures (including design
changes and safeguarding additions) to further reduce all risks.
Finally, the standard outlines ways to eliminate or reduce personnel
exposure to any remaining and unavoidable hazards.
DIN EN ISO/TR 11688-1 • Acoustics — Recommended
practice for the design of low-noise machinery and equipment
(Planning): This safety standard outlines basics of machinery noise
control and recommended mitigation tactics for all design stages.
ISO 13732-1 • Ergonomics of the thermal environment: This
standard (among other things) lists temperature thresholds (both
hot and cold) that can burn skin when an operator intentionally or
accidentally touches machine surfaces for a given duration. The
standard also details the expected burn severity for set values — as
well as unacceptable heat strain that could occur.
Sponsored by:
www.schmersalusa.com

(continued)
ASSESSING THE NEED FOR (AND DESIGNING)
MACHINE SAFETY FEATURES
ISO 13849 • Safety of machinery: This functional-safety
standard (detailed earlier) combines the IEC 62061 probabilistic
design approach (and models) with the straightforward EN 954-
1 categories (B, 1, 2, 3, 4) determinism. That yields architecture
models matching categories definitions for simplified risk
estimation.
Note that ISO 13849 Part 1 covers general principles for design
and part 2 covers the validation of safety-related parts of industrial
control systems.
Ultimately, ISO 13849 simplifies risk assessments for OEMs
implementing safety because it forces homogeneous and
specific risk estimations that are more relatable to end user risk
assessments. That’s especially helpful where an end user might not
fully understand the functional differences of different OEM safety
architectures, or the OEM might not recognize subtle end-user
requirements.
ISO 13857 — Safety distances to prevent danger zones
being reached by the upper and lower limbs: This industrial
safety standard lists values for distances to prevent danger zones
being reached by the limbs of an average 14 year old (and older
individuals) without additional aid. It recently superseded ISO
13852 (safety of machinery) which was a standard that included
protections for those three years old and older … and only defined
reachability distances for the arms (and not the legs).
ISO 14118 • Safety of machinery — Prevention of unexpected
startup: This recently superseded EN 1037 to define systems to
let operators safely enter a hazardous machine area. Central to ISO
14118 is energy isolation or dissipation — as in the disconnection of
electric power supplies, stopping of motors, release of pneumatic
valves, shutdown of any hydraulics, and spending of any moving
axes’ kinematic energy. Where zero-energy conditions are
impossible, electronic controls satisfying ISO 12100 should be used
to prevent unexpected startup. In some instances, key interlocks
may be in order — though to be clear, e-stops aren’t acceptable
startup preventors.
ISO 14119 • Safety of machinery | Interlocking devices
associated with guards: ISO 14119 covers machinery-guarding
interlock safety … while referencing other safety standards for risk
analysis. As covered in later in this Design Guide, guard interlocks
prevent hazardous machine operations until they’re closed. Of
course, even though machines with closed interlocks can run, their
closing shouldn’t trigger automation operation starts. The safest
machines usually include a dedicated start button — or a very
specialized control interlock that does double duty as an interlock
and machine-start mechanism. Machines that satisfy ISO 14119 also
render intentional and accidental safety-system defeats (as through
jamming a position switch or switch actuator) impossible.
9 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
ISO 14120 • Safety of machinery | Guards — General
requirements for the design and construction of fixed and
movable guards: This ISO Type-B standard superseded EN for
outlining the general design and integration of machine guards
to protect plant operators from mechanical hazards — both from
dangerous access to work cells and noise, projectiles, fires, and
even radiation emitted from the work cell.
EC 60947 • Low-voltage switchgear and controlgear (General
rules): This applies as required by relevant product standards to
low-voltage switchgear and controlgear to connect to circuits with
rated voltages at or below 1,000 Vac or 1,500 Vdc.
IEC 60204-1 • Electrical equipment of industrial machines Part
1 (general requirements): Updated in 2016 and aligned with EN
60204-1 in 2020, this standard covers the safe specification and
integration of electrical components such as circuit breakers.
IEC 61508 • Functional safety of electrical, electronic, and
programmable electronic safety-related systems: This seven-
part universal standard supports the development of uniform safety
designs employing electric operation … and outlines the approach
for thorough machine-risk analysis. In fact, IEC 61508 has been
key to promoting use of functional-safety concepts— and safety
design that emphasizes safety-systems performance and reliability
over outdated focus on component failure modes. The standard’s
wide applicability prompted the more specific IEC 62061 for
machine-control mechanical safety.
IEC 62061 • Safety of machinery — Functional safety of safety-
related electrical, electronic, and programmable electronic
control systems: IEC 62061 (covered earlier) derives from IEC
61508 so engineers can more easily specify safety hardware
and software for specific machinery. This standard may be more
appropriate than the deterministic EN 954-1 or probabilistic ISO
13849-1 for machines involving programmable controls and safety
buses. Two caveats are that IEC 62061 demands the calculation
of probabilities (of dangerous events) and can be complicated …
covering all details for even the most sophisticated safety control
architectures.
BS EN 614-1 • Safety of machinery | Ergonomic design
principles — Part 1 (Terminology and general principles):
ANSI B11.0 • Safety of machinery | General requirements and
risk assessment: This recently updated ISO Type-A (general)
standards series defines machine design, construction, installation,
reconstruction, modification, setup, operation, maintenance, and
safety-design documentation requirements. It’s meant to support
other more specific standards (especially Type C standards) while
specifying risk-assessment principles and procedures.
Sponsored by:
www.schmersalusa.com
SAFETY
COMPONENTS
USING
DIRECT
MACHINE-
OPERATOR
CONTACT
Light-curtain application example via Schmersal

B
ecause it’s easiest to picture the touchable (tactile) safety
mats, light curtains, consoles, and locks on industrial
machinery, we cover these peripheral safety components signal prompts a safety controller to halt the potentially dangerous
first. Switches and sensors that contact machine components are machine activity. A close cousin of safety bars are safety edges.
covered in the next section of this Design Guide. These components affix to the outermost reaches of machine axes to
detect when they bump into something or someone … and prompt
Presence-sensing safety mats integrate pressure-sensor arrays
a halt to dangerous motion capable of inflicting blunt-force injuries.
between rubber layers to detect when a machine operator steps
into a hazardous area. The sensor contacts come together, and a
safety controller registers that signal to generate some response
command. Though replaced by light curtains in many applications,
presence-sensing safety mats endure. Drawbacks are that it’s easy
to defeat safety mats by putting heavy objects on them; they’re also
vulnerable to being crushed or rendered inoperable by dirt ingress.
Light curtains are a type of active opto-electronic protective device
(or AOPD) and use communications between a pair of posts to
secure openings in machine fencing or housing. They can detect
the presence of a plant worker (which is why we include them in
this Design Guide section) as well as machine linkages and objects
being moved by the machine. The transmitter post sends an
infrared array of light beam to a receiver post; any interruption of
any of the beams causes a signal prompting the machine controls
to stop the potentially hazardous machine activity. For example,
light curtains can verify a sheet-metal cutting machine’s material-
insertion point and active slicing area are clear before any blades
move. Other related designs include light grids and light barriers Shown here is an example of a safety pressure mat application
that (like light curtains) allow machine operators an unobstructed around a robot arm.
view of the protected work volume they’re about to access.
Industrial safety bars are pressure-sensitive strips that affix to
the edges of machine housings, conveyors, and stages. When Sponsored by:
machine operators bump into or lean on the strips, the resulting

www.schmersalusa.com
10 I www.designworldonline.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
SAFETY COMPONENTS USING
DIRECT MACHINE-OPERATOR CONTACT
Laser scanners (another AOPD) are newer and costlier than light
curtains but can cover far bigger portals — such as the virtual “exit
doorway” of a large robotic box-stacking work cell — and more
accurately. They work by emitting a rotating beam that reflects off
surrounding objects and back to a receiver in the scanner body. Like
light curtains, they can detect the presence of a plant worker … as
well as machine linkages and objects being moved by machinery.
Two-hand machine safety control consoles prevent operators
from coming too close to hazardous machine areas. Depending
on the design, the latter may demand that both operator hands
activate inputs on the control (within 0.5 sec) for machine startup or
the generation of an output signal. That signal in turn must turn off
if either or both operator’s hands come off the control. Any reset or
machine restart requires release and then reengagement with the
control by both operator hands. A safety foot switch designed with a full
cover to prevent accidental actuation.
ISO 13851 dictates that such controllers satisfy Type I, Type II, or
Type III requirements.
A two-hand machine safety control can also serve to prevent These footswitches include waterproof and dustproof seals
accidental startups by separating its twin startup switches with a around their internal electric-switch subcomponents; the other
shield between them. Depending on the control’s exact dimensions, subcomponents are made of metal and high-impact plastic shaped
these can prevent accidental machine startups from both switches to maximize ergonomics. Many are also adjustable to protect
inadvertently being triggered by a single hand, forearm and hand, machine operators from the main risk of poor ergonomics — that of
or (if the control is low on a control panel) even hand and knee or repetitive strain injury. Such injuries can degrade productivity and
hip bump. The related standard of ISO 13855 details safe distances even force workers into medical leave.
and best practices for locating machine safety elements. This safe
Required footswitch force varies with the intended use; a
distance is the minimum distance from a stop-triggering safety
footswitch supplied for automated lab equipment (say, allowing
component to a hazardous machine section allowing a full stop of
a lab worker to control the grasping and moving of test tubes)
that section before the operator has time to get too close.
will be designed for low-force input. In contrast, a footswitch for
Maintenance enabling switches are squeezable safety switches installation on a harvester or other piece of agricultural off-highway
that let machine integrators or maintenance personnel perform equipment may take the form of a heavy-duty stomp switch — to
repair or troubleshooting work inside machine fencing (or near let operators more easily control equipment tools. Here, switches
hazardous machine axes) while preventing unexpected motion. requiring higher deliberate force input can help avoid nuisance
Often taking the form of a split-body squeeze joystick, these trips as well as unexpected shutdowns triggered by machine
switches usually complement other teach, control, and jog buttons impulses and vibrations.
on consoles or handheld pendants. The delicate nature of what
these switches recognize as an “on” position is their strength:
Squeezing the switch too hard or too softly or completely releasing FOOTSWITCH-INTEGRATION DESIGN
it (as an operator might do if startled by a machine action) turns CONSIDERATIONS
the switch off and disables the machine. Only a moderate and
controlled amount of grip force allows the machine to run. Some Footswitches have rated specifications — but these should be used
designs connect enabling switches to safety relays in safety circuits carefully. Consider a motor-driven drawing 12 A and controlled by
for top reliability. a footswitch. Simply assuming a switch rated for 15 A is sufficient
could spell trouble. A heavily loaded motor or one with a locked
shaft can draw tremendous current. Catastrophic failure of such a
DEEPER DIVE ON FOOTSWITCHES FOR machine’s footswitch would present an unacceptable risk to the
MACHINE SAFETY machine operator as well as downtime. Such machine arrangements
require a circuit breaker, overcurrent detection mechanism, and
Foot controls have complemented industrial machine designs some type of control to trigger an immediate shutdown … as well
since before the steam age. The earliest forms actually served as as a footswitch rated to withstand such extreme conditions.
a power input — especially for textile weaving and sewing as well
as wood and metal working. Today, modern automated equipment
incorporates ruggedized electric footswitches as a safe and
convenient way for machine operators to engage and disengage Sponsored by:

axes or even machine power.

www.schmersalusa.com
11 I www.designworldonline.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
SAFETY COMPONENTS USING
DIRECT MACHINE-OPERATOR CONTACT

Footswitches have been a

staple control device since
the very first mechanized
machines. The first
footswitches were simple
kinematic devices.
Today’s modern industrial
machinery uses electric
means of transmitting
foot-switch signals.

neous-switch arrangements have their uses but can introduce mo-

mentary short circuits … and even electrical sparks and discharges.
Of course, not all footswitches are on-off or three-setting con-
trols. Some allow for an infinitely variable analog control over an
axis’ power input — for a simple speed control, for example. Such
footswitches often pair with axes employing variable-speed motor
controls and trimmers for smooth operation sans sudden kick-on
and kick-off points.
Single-pole foot-switch wiring can be normally closed (top) or
normally open (middle) or normally open and closed (bottom).

On-off footswitches — what are called single-action footswitches

— are either engaged or disengaged. They can also allow momen-
tary stopping or starting (that lasts as long as an operator keeps his
or her foot on the pedal) or can latch. For momentary operation,
the pedal is spring loaded to return to its default position upon
release. Latching footswitches have a push-on push-off operation.
Both momentarily operating and latching footswitches can include
circuitry that’s normally open, normally closed, or both normally
open and normally closed. They can also include single-pole,
double-pole, or multi-pole wiring to allow gangs of footswitches to
connect in arrays.

In contrast with single-action footswitches are dual-action

footswitches. These trigger a stage-one condition when halfway
depressed and a stage-two condition when fully depressed.
Some industrial foot-switch manufacturers support modular safety
An example of a two stage footswitch topology. In this
designs with footswitches that can wire in cascading arrays … with
case both switches are normally open. This type can be
each footswitch having its own unique contacts. At their actual normally open, normally closed, or both. This topology
switching core, these footswitches can have a make-before-break, can also be used to implement a make-before-break or
break-before-make, or simultaneous-switch arrangement. The break-before-make configuration.
connected design being controlled will dictate which is most
suitable. A footswitch controlling a dc-motor-driven axis’ direc-
tion for example may necessitate a footswitch with break-before-
make wiring — to reliably disconnect the switches for forward Sponsored by:
polarity before applying the switches for reverse polarity. Simulta-

12 I www.designworldonline.com www.schmersalusa.com
emergency stop switches —
only in emergencies
EN ISO 13850 and NFPA 79 dictate that e-stop mushroom-head buttons must be bright red and flanked by a yellow element.
Note that resetting an e-stop should not restart the machine; that’s done through a separate reset power-on button.

B
esides the operator-interfacing safety components already
described, industrial safety systems also include emergency stop
switches or e-stops. As explained earlier in this Design Guide,
these should be used rarely to never. Machine builders should resist
the temptation (heightened by their simple wiring and integration) to
include e-stops as a regular-use machine off switch. Neither should
e-stops be compared to safety machine-perimeter guard switches.
Defining specific e-stop installation requirements are:

• U.S. Occupational Safety and Health Administration (OSHA)

regulations

• IEC 60204-1 standards

• National Fire Protection Association (NFPA) 79 standards

To satisfy all three, emergency stops should be readily accessible at all

machine stations — and require no stooping or reaching to activate. All emergency stop buttons must
latch when depressed by an
Despite common misconceptions to the contrary, e-stops actually operator — and remain depressed
deliver lower EN ISO 13849 performance levels (in fact, only to PLd) (keeping power cut offfrom the
than safety switches designed for regular use. Compounding the controlled machine axes) until the
problem is how dangerous-failure probabilities for e-stops are based operator resets it.
on the assumption of infrequent use. So if a machine’s e-stop is used
a lot, its likelihood of dangerous failure rises. That could ultimately
mean an e-stop won’t work when needed most.

Sponsored by:

www.schmersalusa.com
13 I www.designworldonline.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
Emergency stop switches —
only in emergencies

An emergency stop via cable pull on a conveyor system can be

used to trigger a stop at any point along the entire conveyor.

IEC 60204-1 and NFPA 79 classify e-stops as Category 0, 1, or 2
e-stops (unrelated to ISO 13849 control Categories). A formal risk
assessment and determination of required stop time dictate which a
machine needs. Category 0 e-stops (mandatory on all machines) cut
power to the machine in an uncontrolled way. Category 1 (controlled)
e-stops allow some electric power supply to continue to select
machine sections involved in bring the machine to a gentle stop.
Category 2 e-stops continues powering all machine sections but
stops its use for movement or end-effector processes.
THREE COMMON FORMS OF EMERGENCY STOPS
Emergency stops based on foot-activated switches: These are
uncovered or covered stomp pedals that bolt to the floor near the
machine they control. They serve the same function as mushroom-
head e-stop buttons and are supplied with features to satisfy EN ISO
13850 requirements.
Emergency stops based on slack-wire, cable pull, or pull-wire
actuation: These like mushroom-head e-stop buttons are manually
activated switches that festoon alongside the un-guardable machines
they control. Their main strength is how plant personnel can pull
anywhere along the cable to trigger a machine stop.

Emergency stops based on mushroom-head button actuation: No matter the design, no e-stop can detect or prevent threats to
Also called e-stop palm buttons, these are always bright red (often machine-operator safety. Therefore, they shouldn’t wire into first-
with a yellow flange or neck behind the red element) and wire in defense safety-system circuitry — but should be separately wired
series with machine safety controls. Pressing or slapping these e-stop into a machine.
buttons immediately breaks the circuitry of the controlled axes’
power supplies. Once the hazard is cleared, e-stops are released and
returned to their default (closed-circuit) position by twisting, pulling
the button back out (if a design based on push-pull actuation), or
releasing with a key.

Sponsored by:

www.schmersalusa.com
14 I www.designworldonline.com
 Sponsored Content

■
■
■
■
■
■
■

■
■
■
■

■
■

■
■

■
DN3PS2 DN3PD1 DN3PD2 SRB-E...FWS PSC1
■
■
■
■
■
■
■
■
■

■
■
■
■
■
■
■

d Increment
MACHINE-TRIGGERED SENSORS, SWITCHES
AND PERIMETER COMPONENTS
This safety sensor mounted inside the machine verifies that a
housing section is closed before allowing machine operation.
W
e’ve already outlined the safety components with which
human machine operators make direct contact. Now
let’s review …
1. Several machine-activated sensors and switches supporting
safety functions
2. The safety components known as interlocks, which mount onto
machine perimeters and contact not plant personnel but other
machine parts. Note we include interlocks on manually opened
doors in this section as well.
Increased capabilities in recent years have rendered these safety (and
fail-safe) components capable of tasks constituting edge computing,
distributed control, IIoT connectivity, and reliability assurances
exceeding that of their non-safety sensor and switch equivalents.
Shown here is a roller-lever switch application example.
Click here to watch the Schmersal video.
16 I www.designworldonline.com
FIRST THINGS FIRST: SUMMARY OF SENSORS
AND SWITCHES
Sensors in the context of industrial safety are feedback components
that detect the presence or absence of workpiece objects or
machine sections … and distill that signal into actionable data for
the controller to command any number of machine responses.
Switches in the context of industrial safety have a more specific
function — of turning power supplies off and on. These feedback
components (often mechanical) detect the position of workpiece
objects or machine sections and (if conditions satisfy some preset)
immediately cause a disconnect or reconnect of some machine
power supply. That’s in contrast with electromechanical relays that
(often using a solenoid) make or break some mechanical contact
between electrical leads. In common designs, a small voltage into
to the solenoid prompts a relatively large current through relay
contacts.
These switches and sensors must be safety-rated variations
to satisfy current standards preventing bypasses, failures, and
defeats. Just consider how standard inductive proximity switches
were once sufficient to satisfy ISO 14119 interlock requirements.
Now, more stringent IEC 60947 requirements for switchgear
electromagnetic compatibility largely prevent such use.
Many newer designs included coded (uniquely mating)
subcomponents to prevent tampering or defeating with tape
or conductive objects so common in automated facilities. Or
safety-rated mechanical switches might include positive-opening
operation not found in comparable general-purpose switches.
Shown here is another switch
application — this one a true
safety example. Click here to
watch the Schmersal video.
Sponsored by:
www.schmersalusa.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
machine-triggered sensors, switches,
and perimeter components

MECHANICAL INTERLOCKS
These use direct-contact force for operation.

CAM PROFILE TONGUE • ACTUATOR KEY

LINAR CAM KEY TRANSFER

HINGE

Parts of an interlock include a ...

GUARD

ACTUATOR
INTERLOCK
ASSEMBLY

NONCONTACT INTERLOCKS
These use ultrasound and various forms of
POSITION
electromagnetic phenomena for operation. SWITCH

CAPACITIVE — via any object OUTPUT

MAGNETIC— via any magnetic object

INDUCTIVE — via some ferrous object

OPTICAL — via any object

ULTRASOUND — via any object

LIGHT SOURCE

INDUCTIVE COIL MAGNETIC — via an encoded magnet actuator

RFID — via an encoded RFID Transponder

OPTICAL — via an optically encoded transponder

OPTO-ASIC OR
OTHER PHOTOCELLS OBJECT MOVING
PAST SENSOR

Interlocks are classified by international safety standards. Switches in Sponsored by:

interlock applications allow various orientations.

www.schmersalusa.com
17 I www.designworldonline.com

(continued)
machine-triggered sensors, switches,
and perimeter components
Limit switches: Direct-contact limit-switch registering (via an
actuator) an axis’ end of stroke prompts a breaking or making
of a related electrical connection. The latter in turn connects to
safety controls to prompt immediate neutralization of potentially
hazardous motion. Consider one specific example — limit switches
with rounded plungers. In these switches, the plunger serves as
the actuator that registers forces at a right angle to their rounded-
end spring-loaded rod. When forced inward, contacts are typically
cut. Roller plunger limit switches are a related design that tips the
spring-loaded rod with a small wheel to roll on machine sections or
objects that bump into it.
The contacts in such mechanical switches have slow-breaking or
snap-action contacts. The former accept direct actuator force to
slide in their track and then …
• Break-before-make contacts open a normally closed contact
and then close a normally open contact — for interruption of
one function before continuation of another or …
• Make-before-break contacts close a normally open contact
and then open a normally closed contact — for overlapping
functions
Otherwise, spring-loaded snap-action contacts respond to
actuator travel-direction force by accumulating spring pressure.
Then moveable contacts snap from a default to a trigger set of
contacts to close a circuit. Upon actuator retraction, the spring
snaps the moveable contacts back to their default position. Such
operation is reliable and useful for making and breaking power as
well as control-signal circuits.
Position switches: These include mechanical position switches
with roller levers and rod levers that register a machine axis
position as an angular displacement. Rod levers have a simple
metal antenna that contacts the monitored axis structure or
handled objects; roller levers have a wheel-tipped lever arm that
contacts and rolls on the monitored axis structure surface or
handled objects.
Other safety-rated proximity sensors (distinct from such sensors for
non-safety applications) use non-contact photoelectric or inductive
operation. Contrary to one common misperception, induction
proximity sensors detect when any metallic object has entered its
monitored area …so don’t need any additional coded target or
magnet to work. Many directly connect to PLCs via basic unshielded
four-pole wiring. Adding certain low-cost electronics can impart
muting and e-stop functions satisfying industry safety standards.
18 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
MACHINE BOUNDARIES GUARDED BY SAFETY
INTERLOCKS
The boundaries around dangerous machine sections are the first
line of defense against threats to worker safety. The challenge
is that machine operators must often interact with dangerous
machines. So such boundaries take the form of housings, fencing,
gates, and doors consisting of immovable sheet-metal panels as
well as chain-link fencing — and movable chain-link doors, sliding
glass panels, swinging windows, light curtains, and so much more.
The safety components that mount onto machine perimeters and
contact other machine parts are interlocks.
▼
Interlocks are perimeter-monitoring safety components
stand guard at all the movable sections around a potentially
dangerous machine.
Interlocks cause an interdependence between what the safety
controller allows and the positions of all the movable machine-
perimeter sections. In fact, interlocks are defined by ISO 12100 (and
adopted in ISO 14119) as mechanical, electrical, or other devices
that prevent hazardous machine operations if the guard (machine
boundary section it monitors) is open. Such interlocks are at their
core a position switch or proximity switch (or latching design called a
guard lock on some more featured assemblies) that can command a
machine controller to react to a machinery-perimeter guard position.
While position switches and proximity switches can be located
anywhere on or in a machine, those that are part of some interlock
assembly are always on the movable parts of a machine’s safety-
perimeter hardware. International standards dictate their design and
integration — including ISO 14119 as well as Conformitè Europëenne
(CE) Machinery Directive 2006/42/EC.
Industrial safety systems often use guard (perimeter) elements
called interlocks. As already explained, these are typically
electromechanical components that render machine functions
mutually reliant. For example, an open interlock on a machine door
might prevent startup of a machining axis or (if closed) will stop
the running axis should someone open the door during operation.
Such interdependency renders machines extremely unlikely to injure
personnel or sustain self-inflicted damage. These interlocks are a
switch subtype in that they’re activated via some preset operation
sequence. What makes a design qualify as an interlock is that they
won’t release their locked state without the correct reversal process.
Sponsored by:
www.schmersalusa.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
machine-triggered sensors, switches,
and perimeter components

Still more capable interlocks are those touted as guard locks
— essentially position switches with separate actuators that
can be restrained to render the entire assembly locked until the
machine comes to a safe stop. One caveat here is that in everyday
engineering parlance, it’s common for such doubly capable guard
locks to be called interlocks instead of the more proper and exact
guard locks.
Basic single or dual action solenoids have a direction of
motion controlled by coil current. Single action solenoids use
spring loaded return for de energized state while dual-action
solenoids have active engage and release circuits.
DUAL-ACTION SOLENOID

SINGLE-ACTION SOLENOID
Interlock variations abound … and purely mechanical cammed
interlocks do exist. In one version, such an interlock might
mechanically register an unsafe condition by pivoting about an
axis to catch (and lock) a dangerous machine axis. Such interlocks
are rarer than electromechanical and even purely electrical
and electronic variations using electronic circuits or safety
microprocessors. After all, electronics impart low-cost interlock-
system flexibility, reliability, and reconfigurability.

Consider one such electromechanical example — that of a hinged

safety interlock. These attach to (or integrate into) the hinge of a
machine’s access flap, door, or other guard. Then a mechanical
lever arm or pin through the interlock registers when the hinged
guards opens and (upon a set threshold switching angle) triggers
some output to stop the hazardous operation inside the machine. In
these designs, it’s usually a kinematic elbow or hinge linkage of the The use of mechanical switches, optical detectors, and current sense
interlock that accepts externally applied force and prompts some circuits can detect if the solenoid movement has occurred. These can
solenoid action for contact. verify position, sequence a next step in the machine operation, and
confirm the integrity of the coil itself.

SOLENOID

In a solenoid, current through a coil

generates an electromagnetic field that
draws a plunger into a stack.

The latter is often designed to optimize

mangetic flux for maximum output force.

LED ONE FUNCTION:

Current through the solenoid coil (here encased in black PHOTO INTERRUPTER
epoxy) induces a flux (magnetic field). The ferrous (steel or iron)
solenoid housing along with steel plates capping the coil ends
can help carry and concentrate this flux.

Sponsored by:

www.schmersalusa.com
19 I www.designworldonline.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
machine-triggered sensors, switches,
and perimeter components

DOUBLE-POLE INTERLOCK CIRCUIT

DOUBLE-POLE
SWITCH
NORMALLY CLOSED
DETECTOR
CIRCUIT

SINGLE POLE
SINGLE THROW DETECTOR
CIRCUIT
NORMALLY OPEN

SOLENOID SIGNAL
SINGLE POLE
DOUBLE THROW

LOGIC GATE

DOUBLE POLE DOUBLE POLE

SINGLE THROW DOUBLE THROW

A variety of double pole switches can be used to implement redundancy for solenoid interlock safety. Two approaches shown here
use redundant series wired switches that must both show activation (left), and the use of both normally open and normally closed
contact state detection to verify activation.

DEEPER DIVE ON SOLENOID BASICS

AND SOLENOID INTERLOCKS Not an industrial example but a good cutaway
(clearly showing its spring-loaded solenoid inside) this
Machine builders often leverage the reliability of solenoid Schmersal AV 15 door lock secures one-leaf doors on
based interlocks in safety systems. passenger elevators. It offers failsafe locking — with
manual release only via an M5 triangular key.
Recall from basic circuits that solenoids are engineered electromagnetic
plunger-and-copper-coil assemblies available in various configurations
to trigger mechanical, electrical, and hydraulic actions. They do this
by converting electrical input into linear (or less commonly rotary)
mechanical output. The simplest configuration includes a conducting
(ferrous) plunger functioning as an armature that (upon electrification)
moves from its rest position within a multi-turn assembly coil. Then (in
many cases) a spring retracts the plunger back to its rest position when
current is switched off. In double-coil arrangements, the plunger moves
through two open-center coils — typically to serve as a dual-action
(active-pull and active-release) device.

Solenoids in interlocks serve as the input source for guard-lock bolt or

locking mechanisms.

Such solenoid interlocks can also protect machinery from the effects of
mechanical malfunction. For example, some industrial conveyors use
arrays of solenoid interlocks to ensure consistent belt conveyance …
even if inline machines or conveyor-tending robots interact with items Sponsored by:
on the belt.

www.schmersalusa.com
20 I www.designworldonline.com

(continued)
machine-triggered sensors, switches,
and perimeter components
Most electromechanical interlocks have a low coded tongue
or key actuator, where every switch is able to use the same
actuator. Some, like this Type 2 interlock, employ several
separate cams to have a more unique combination The
unique actuator will only work with the matched switch and
on no other. If there are over 1000 combinations, then the
coding level is considered “high.”
AZM150 solenoid interlock video still courtesy of Schmersal
Some solenoid arrangements in interlocks also protect against
faulty signaling with redundancies. Double-pole position-
verification switches wire poles in series to redundantly verify open
or closed positions and as well as solenoid activation … or two-
pole switches with both normally open and normally closed circuits
can monitor solenoid actuation. Select contributions by Jon Gabay
ISO 14119 categorization of interlocking devices — and
preventing defeat
ISO 14119 classifies interlocks by how they’re actuated and whether
they’re encoded.
Type 1 interlocks: According to ISO 14119, these (unfortunately)
easily defeatable interlocks include position switches using
mechanical linear cam, rotary cam, or hinge actuation.
Actuating physical contact is between uncoded (non-unique)
subcomponents. Their benefits are that they lend themselves to
end-user configurability and are cost effective.
Type 2 interlocks: These include position switches that are
mechanically actuated by coded (specially machined) tongues or
trapped keys, so are somewhat difficult to circumvent or defeat.
In fact, the Type 2 moniker for such designs was adopted by ISO
14119 from its first use in DIN EN 1088. Trapped-key interlocks
require all guards be locked the perimetered machine is allowed to
turn on. Keys in each safety-guard lock can only be removed when
that guard is latched. In some arrangements, those same keys do
21 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
This electronic solenoid interlock has a secondary RFID sensor,
making it a Type 4 interlock. A standard model may be “low”
coded - accepting any actuator in its series. The sensor could
be taught to recognize only one actuator code, thereby making
it “high” level coded, and more difficult to defeat.
AZM40 solenoid interlock video still courtesy of Schmersal
double duty to fit into a machine control-console keyhole to turn on
the machine. This keyhole holds the key captive unless the machine
is machine is turned off. A machine operator can then use them to
open the guards again.
Type 3 interlocks: These use noncontact proximity or position
switches with uncoded actuators. Switch actuators based on
ultrasonic, capacitive, or optic action are defeatable by bringing
various everyday items into range. Actuators based on induction
or magnetism are more robust — defeatable by ferrous objects or
actual magnets respectively.
Type 4 interlocks: These use noncontact position switches and
require matched actuators such as coded magnetic and optical
tags or (inherently coded) RFID tags to work. These are essentially
undefeatable because there’s a nearly infinite range of actuator-
coding variations that are possible.
Besides the level of defeatability, interlocks should also be
specified to satisfy …
• Required system-stopping ability — quantified as the time
a machine needs to reach a safe state after receiving a stop
command
• Accommodation of access time — how fast it’s feasibly possible
for a machine operator to reach into or enter the hazardous area
after the safety system issues a stop-axis command.
Sponsored by:
www.schmersalusa.com
 MACHINE SAFETY DESIGN GUIDE
(continued)
machine-triggered sensors, switches,
and perimeter components

Stopping ability must be far faster than actions feasible within the
calculated access time.
As mentioned, machine sections and operations necessitating
frequent tending by human plant personnel demand guard
interlocks that aren’t bothersome. Automatic interlock functions
can help here, though on heavily used doors and other guard
sections must be accompanied by conditional unlocking functions
to address the increased probability of an undetected fault.
For movable-guard interlocks, ISO 12100 details how closing the
door or movable panel can enable machine operation — and even
cause an automatic start of operations. That’s in stark contrast
with how using e-stop buttons necessitates pressing some other
additional machine-restart button. But this makes sense —
because after all, use of interlocks is supposed to be routine … so
cannot hinder the productivity by slowing everyday interactions
operators have with their machines.

CONTROL
CABINET

HMI WITH SAFETY

CONTROLS

EMERGENCY TERMINAL
STOP BOX

NONCONTACT DOOR
SWITCH

FAULT-MASKING SOLUTION ONE:

INCLUSION OF SAFETY CONTROLLER RELAYS WITH
MICROPROCCESORS

In a traditional series arrangement,

two faults (from a short on each
channel) will definitely not register.
FAULT-MASKING SOLUTION TWO:
USE OF AS-INTERFACE with AS INTERFACE SAFETY AT WORK (ASI SAW)
Example solution courtesy Schmersal

A single-channel fault across a NC

contact may or may not register.

Fault masking can happen where a circuit includes components that are
unpowered beyond some switch connections. Slightly more sophisticated
wiring and connections can prevent this problem.

Sponsored by:

22 I www.designworldonline.com www.schmersalusa.com

(continued)
machine-triggered sensors, switches,
and perimeter components
WIRING AND INTEGRATING INTERLOCKS
Typical safety logic for interlocks is built around a normally
closed or NC arrangement that only lets machine axes run if the
monitored interlock circuit is closed. For example, a machine’s
fencing doors might be studded with various NC position
switches. If any perimeter section opens, it renders the affected
position switch and in fact the whole safety circuit open — and
machine startup blocked. Industrial safety standards often
demand that the components in a safety circuit wire in series for
foolproof event and error detection. The catch here is a limit to the
sensor count allowed in series. Exceeding that count (and failing
to leverage newer connectivity options) can risk fault masking and
degrade machine PLr.
In addition, safety interlocks based on one mechanical (spring-
actuated) NC position or limit switch should be setup so it
actuates during a positive break or open — so upon opening, the
door edge or other guard section works against the spring force
and forces open the interlock’s electrical contacts. Interlocks
using two mechanically actuated switches for redundancy should
(for trouble-free operation) rely on one switch to actuate upon
positive open (as just described) and the other designed for a
negative opening — with its electrical contacts separated when
the door closes. The latter require additional design features for
top reliability. One such feature in some safety circuits is the self-
reporting electrical shorts — as those occurring when lead wires
to safety devices are cut by overheating, damage from shearing,
acid corrosion, or tearing. Here, a short-circuit detector can work
by relying on two safety-circuit input channels using NC contact
having a potential difference between them.
MACHINE SAFETY DESIGN GUIDE
(usually in the form of large lever door handles) allow tool-free
manual guard-lock release from within the perimetered zone.
In many cases, the guard lock is integrated right into its associated
interlock. If they’re separate, a reliable (typically series) connection
between them is key … along with complementary controller-
based interlock monitoring.
We’ve already covered how traditional safety interlocks capable
of guard locking can be released or actuated via various force
combinations of force from electrical power and mechanical
spring power. Besides solenoid-actuated deadbolt or trapped-
key designs, there are an ever-widening array of electromagnetic
guard locks. As specificized in ISO 14119, securement is via flux
coupling of a passive magnet and the electromagnet actuator.
Such locks mustn’t be integrated to trigger machine start upon
release unless safety controls continually monitor their state.
Top benefits of electromagnetic guard locks include cleanability,
ruggedness, tolerant of slight misalignments, and wear-free
operation. The caveat here is that electrically actuated spring-
release guard locks will in fact unlock during a power outage.
Another consideration of industrial-safety interlocks is the
potential for doors and other movable guard sections (if slammed
closed — as by a busy machine operator) to bounce off their
frames and swing back open. Such rebounding can be minimized
by shock dampers that minimize the impact forces for softer fully
latching closes.

INTERLOCKS THAT CAN

ALSO LOCK GUARD SECTIONS

So far in this Design Guide section, we’ve detailed how interlocks

can prevent the motion of axes or execution of other dangerous
tasks when a machine safety-perimeter section is open. Some
interlocks go one step further with an additional capability — and
these can deadbolt or otherwise lock movable guards. Especially
useful on very dangerous machines with high-inertia axes or
otherwise slow-to-slow sections, these are properly called guard-
locking interlocks.

But because guard-locking interlocks are indeed door and

panel-locking devices, it begs the question: Might there ever be
a situation where a machine operator become trapped inside the
machine’s safety perimeter … and need an emergency release?
If such emergency-release functions are warranted, their controls If an operator can be trapped within
can be located within and outside the guarded area. Emergency the guard, an emergency exit release is
releases allow manual tool-free guard-lock release from outside necessary. Here is a door handle system
the perimetered zone — as for immediately life-threatening which features an inside exit handle.
emergencies such as fires. Auxiliary releases allow manual tool-
Sponsored by:
assisted guard-lock release from outside the perimetered zone —
as for overriding a faulty lock that won’t unlatch. Escape releases

www.schmersalusa.com
23 I www.designworldonline.com
SAFETY RELAYS,
SIGNAL PROCESSING,
AND CONTROLS
Safety controllers increase the reliability of the machine
guarding safety system. Some form of a safety
controller is required to meet higher risk categories.
T
o satisfy the industrial safety standards listed earlier in
this Design Guide and set reliably safe (yet maximally
productive) operations, advanced safety functions today
leverage the newest sensors, actuators, and application-
specific safety components — as well as logic, I/O, relays, PLCs,
and other control components. The architectures to connect these
safety controls abound. Where general-automation systems assume
safety functions, the involved components and software are the
safety-related part of a control system — abbreviated SRP/CS —
and detailed by ISO 13849 referencing ISO 14119. Such SRP/CSs
are categorized by their fault resistance and response … and they
can involve the help of system PLCs or distributed control systems
or DCSs (common in process industries) if the solution satisfies SIL
ratings and independency requirements for such use.
Otherwise, dedicated systems dominate … and in fact, most
automated facilities today include blended safety architectures
representing right-sized solutions to meet safety requirements.
Hardwired safety systems and dedicated safety-relay systems:
These are relay-based systems traditionally incorporating one relay
serving each safety-related field device as well as application-
specific controls. These hardwired safety systems are suitable
for moderate to high-risk applications. Recall that safety relays
are essentially switches controlled by some other input. In other
words, these electronic devices accept current or voltage signals
(including those from safety switches, for example) via their input
circuit … and then via their output circuit, translate that input
to prompt a switch to open or close some other downstream
24 I www.designworldonline.com
circuit or pilot device. Dedicated safety-relay installations execute
monitoring, timing, muting, basic diagnostics, and status-reporting
functions. (Here, data communications are via LEDs or auxiliary PLC
connections.) Dedicated safety-relay installations are also capable
of more advanced functions — including the execution of controlled
sequential-shutdown routines, time-delayed functions and timed
outputs, or accommodation of two-hand control consoles to ensure
operator safety.
Note that sometimes the simplest of these safety installations are
called component safety systems because they consist of one to a few
safety components each connecting to some modest relay install —
as in a setup with one emergency-stop button and a safety relay, for
example. Where sufficient, such arrangements are quite cost-effective.
To be clear, though — dedicated safety-relay installations are (besides
safety PLCs) one of two choices capable of the mid-range and more
advanced safety-control functions listed above.
Modular safety-relay systems: Permutations of these abound, but
the main feature of such hardware is how it allows architectures with
the flexibility of PLC-based systems and reliability of traditional relay
systems. Most feature simple setup (typically connecting each field
module to a base relay module) and digital I/O as well as fieldbus
connectivity. Where minimizing downtime is a top design objective,
the powerful microprocessor-based diagnostics, HMI connectivity,
and remote monitoring of modular-relay hardware are also useful.
Sponsored by:
www.schmersalusa.com

(continued)
safety relays, signal
processing and controls
Safety networks such as AS-i Safety at Work, openSAFETY, CIP
Safety over EtherNet, PROFIsafe, and FailSafe over EtherCAT
(FSoE) are scalable high-speed industrial networks that support
the quick response needed for effective safety systems.
In such modular systems, relay safety controllers (whether having
positive-guided electromechanical or solid-state microprocessor
technology) boost emergency-stop as well as machine-guarding
reliability. They install between safety field devices (such as switches
and light curtains) and relevant machine-power components such
as control relays or motor contactors. Some use dual-channel logic
circuits for redundant cross monitoring … and continuously scan for
faults in system wiring and connected safety components. In this
way, such relay safety controllers can detect open and short circuits,
relay failures, electromagnetic interference (EMI), undervoltage
conditions, and welded contacts in system interlocks, motors,
controls, or e-stop switches.
25 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
▼
Automation demanding the most sophisticated diagnostics
may benefit from relay-system components that allow
I/O signals with device health and status data sharing via
industrial networks or fieldbuses. Then this data can display
on networked HMIs.
Safety-monitoring modules are another component type in modular
relay systems. These are DIN-rail or control-cabinet components
that monitor safety sensors and positive-open (positive-break)
position switches described earlier in this Design Guide — as
well as interlocks and e-stops such as light curtains. Where safety
primarily relies on a motor, shaft, or other axis element to come to a
stop, standstill monitor modules and time relays can serve in pulse
evaluation to confirm underspeed or fully braked safe conditions.
Elsewhere, output expansion modules (sometimes called
extensions) increase how many signals a safety controller can
handle. In contrast, input expansion modules (sometimes called
expanders) complement relay safety controllers that monitor one
discrete safety component with two channels. These components
aren’t needed where series wiring of safety switches to a common
safety controller is sufficient. But such daisy-chaining requires lots
of wiring and doesn’t support the communication of each field
device’s diagnostics. Adding input expanders lets a given safety
control accept connection of many field devices while supporting
their diagnostics functions.
Safety instrument systems (SISs): A system most common in
process industries (and not discrete industries) SISs are safety
installations that go beyond hazard alarms to include critical
shutdown routines — with interlocks, sensors, and safety controls
that can command machine motors, valves, and other actuators (and
in fact, whole systems) to safer nonactive states. While beyond the
scope of this Design Guide, it’s worth noting that SISs are slightly
different than the hardwired relay-based designs just described
as well as the PLC-based systems covered next … in part because
stopping or altering process operations is a specialized proposition.
PLC and safety PLC-based systems: All PLCs control machine
functions such as timing, monitoring, and sequencing of actions —
including the turning of motors and commanding pump valves to
turn on and off. In contrast, safety PLCs are dedicated controllers
specifically built and certified to prevent machines from hurting
personnel according to functional safety directives IEC 62061,
ISO 13849-1, and IEC 61508 that define SILs and the risk reductions
imparted by specific safety functions. Safety PLCs satisfying IEC
61131 are often employed to track only safety-related events and
occasionally test functions.
Sponsored by:
www.schmersalusa.com

(continued)
safety relays, signal
processing and controls
In some contexts, safety-rated PLCs are differentiated from
component PLCs — another name for the general-purpose version
of these controllers just described. Safety-rated PLCs are generally
costlier than general-purpose PLCs — and their programming and
hard wiring (to ensure reliable safety logic) more specialized and
involved. At the hardware level, safety PLCs also include redundancy
and self-checking mechanisms that ordinary PLCs don’t have. Safety
PLCs continually monitor their inputs for failures and malfunctions ...
and leverage extra safety circuitry between their outputs and every
device to which they connect. Much of this circuitry limits damage to
these devices if there’s a fault or malfunction.
Typically, engineers define a machine’s safety requirements (and its
necessary PLC functions) by …
• Identifying the countries in which the machine will be used —
and thus the locally applicable safety regulations
• Cataloging the industry-specific standards that will apply to the
machine — whether food and beverage, machine tool, or oil
and gas, just to give a few examples.
In fact, safety PLCs are often the only option for safety-system
controls. Note that modular safety relay systems described above
are (like systems built around safety PLCs) designed for easy setup.
But safety PLC installations also tend to offer more network and
I/O-based expansion options as well as (and their name indicates)
maximum re-programmability should a machine’s safety functions
change over time. Software-based logic allows use of new and
evolving routines, including single-axis or other partial machine
shutdowns. The latter (called zone control) uses and/or logic to let
the machine halt one function while continuing others. Program
modifications are possible even during machine operation … and
are far faster than altering hardwired relay systems.
26 I www.designworldonline.com
MACHINE SAFETY DESIGN GUIDE
▼
Including safety PLCs in a design’s safety architecture
renders the whole design more reconfigurable —
necessitating only a quick connection to a safety
programmer’s laptop to upload new programming.
A safety system’s number and location of field devices dictates its
required safety-architecture I/O count. If that could change over
time, relay components allowing incremental system expansions are
particularly useful. Safety PLCs are capable of all the mid-range safety-
control functions possible with dedicated safety relays (including
sequenced routines and timed functions, for example) as well as
more sophisticated routines such as sequential (controlled) machine
shutdown routines. Advanced controls can allow zone control for more
nuanced protection of plant personnel in different manufacturing
sections in a facility. Some safety PLC suppliers offer application-
specific instructions and prewritten function blocks to streamline code
entry for reliable validation and operating machine safety.
Out of the various safety-control options available to OEMs, safety
PLCs offer the most connectivity, including industrial-network
and peer-to-peer data communications. Many allow hundreds of
digital I/Os — and are unique in how they can also accept analog
I/O. Machine installations using higher I/O counts (or needing
to conserve panel space) benefit from distributed architectures
based on networked safety PLCs. Of course, Ethernet-based
connectivity has spurred new forms of networked safety less reliant
on redundant wiring for failsafe functionality.
Sponsored by:
www.schmersalusa.com