of 50
8/8/2019 Machinery Protection Devices
1/50
Chapter 5
95Ma
chineryProtection
De
vices
Machinery Protection Devices
Contents
5.0 Guards
5.0.1 Fixed guards
5.0.2 Movable guards
5.0.2.1 Type A
5.0.2.2 Type B
5.0.3 Adjustable guards
5.0.4 Guard switches
5.0.4.1 Function of a guard monitoring relay
5.1 Locking systems
5.1.1 Mechanical trapped key interlocking
5.1.2 Electrical control interlocking
5.1.2.1 Typical connections
5.2 Electrosensitive and optoelectronic devices
5.2.1 Optoelectronic selection criteria
5.2.2 Types of approach
5.2.3 Examples of machine guarding
5.2.3.1 Area guarding on an assembly line
5.2.3.2 Access guarding
5.2.3.3 Guarding the interior of a large press
5.2.4 Connection to control circuit
5.2.4.1 Typical connection
5.2.5 Muting
5.2.5.1 Typical connections
5.2.6 Pressure-sensitive safety devices
5.2.6.1 Typical connection
8/8/2019 Machinery Protection Devices
2/50
96Ma
chineryProtection
De
vices
5.3 Emergency stop devices
5.3.1 Emergency stop switch
5.3.2 Emergency stop circuit
5.3.3 Final control element in a safety circuit
5.3.4 Typical connections
5.4 Two-hand controls
5.4.1 Typical connection
5.4.2 Programmable electronic systems (PES) for
two-hand control
8/8/2019 Machinery Protection Devices
3/50
97Ma
chineryProtection
De
vices
5.0 Guards
A guard is defined as part of a machine that is used specifically to
provide protection by means of a physical barrier (EN 292-1, Section
3.22). Section 1.4 of the Machinery Regulations concerns guards
and protection devices, and states that in general these must:
Be robustNot give rise to any additional risk
Not be easy to bypass or render non-operational
(fixed enclosing guard)
Be located an adequate distance away from the
danger zone (fixed distance guard)
Cause minimum obstruction, enabling essential
work to be carried out without dismantling the
guard.
A suitable risk assessment must be carried out on the specific
machine to ensure that the appropriate guard is selected and
designed.
5.0.1 Fixed guards
These guards are fixed in place, i.e. not welded or fastened, and can
only be removed with the aid of tools (i.e. not with a coin or nail file).Where possible, fixed guards should not be able to remain in place if
the fixings are removed (i.e. it should not be possible to lean the
guard in order to cover the danger zone). A fixed guard may be the
simplest of all the protection devices, but there are still some
important aspects to consider in their application. The best strategy
is to refer to the following specifications:
2
8/8/2019 Machinery Protection Devices
4/50
98Ma
chineryProtection
De
vices
EN 953 (Safety of machinery. Guards. General
requirements for the design and construction of fixed
and movable guards). This is the starting point. This
specification will describe such things as guard
height, mechanical requirements and fixings.
EN 294 (Safety of machinery. Safety distances to
prevent danger zones being reached by the upper
limbs).EN 349 (Safety of machinery. Minimum gaps to avoid
crushing of parts of the human body).
EN 811 (Safety of machinery. Safety distances to
prevent danger zones being reached by the lower limbs).
5.0.2 Movable guards
5.0.2.1 Type A
Where possible, these must remain fixed to the machine. When
these guards are open they must be combined with a locking device
to prevent moving parts starting up while the danger zone is being
accessed. A stop command must be given when the guard is open.
5.0.2.2 Type B
These must be designed and incorporated into the control system so
that moving parts cannot start up while they are within the operators
reach. The exposed person must not be able to reach moving parts
once these are in motion. These guards can only be adjusted with
the aid of a tool or key. If any of the components on the guard fail,
the machine will be prevented from starting. If the machine has
already started up, all moving parts will be stopped. The function of
the associated locking device may be more or less sophisticated,
depending on the type of hazard, frequency of opening, etc.
3
8/8/2019 Machinery Protection Devices
5/50
99Ma
chineryProtection
De
vices
4
This will be determined by the risk assessment. Guards that meet the
requirements of Type B must be regarded carefully. Does the
opening of the guard:
a) Stop the entire machine by disconnecting the power
b) Stop moving parts in the danger zone, guarded for the duration of
this opening period?
To comply with the requirements of a), the guard switch or switchescan be treated as an emergency stop function. A suitable and
sufficient risk assessment can be carried out using the criteria
explained in Chapter 4. This type of interlocking is called power
interlocking (EN 1088).
To comply with the requirements of b), the method and integrity of the
guarding control circuit has to be assessed as an individual item and
the relevant specifications consulted. A risk assessment will alsohave to be performed. This type of interlocking is called control
interlocking (EN 1088).
5.0.3 Adjustable guards
Adjustable guards are used to allow access only to those areas
where it is strictly necessary. It should be possible to adjust these
guards both manually and automatically, without the use of tools.
Where adjustable guards are required, operators should have accessto other protective devices such as jigs or push sticks, for example.
5.0.4 Guard switches
The criteria for guard switches are similar to those of the emergency
stop switch, i.e. the switch actuator moves the contacts along with
it to achieve separation of the contact element (EN 292-2,
EN 60947-5-1).
8/8/2019 Machinery Protection Devices
6/50
100Ma
chineryProtection
De
vices
Fig. 8: The guard switch
When a single actuator is used to drive the switch it must be of the
positive type, i.e. the actuator is held depressed by the open guard.
This is called positive mode actuation.
Fig. 9: Positive mode actuation
5.0.4.1 Function of a guard monitoring relay
The function of the guard monitoring relay is:
a) To monitor itself for functionality and integrity
b) To monitor the switches for functionality (opening and closing)
c) To monitor the switches for integrity (shorts etc.)
d) To monitor the switches for sequence (guard positioning).
5
Guard open Guard closed
8/8/2019 Machinery Protection Devices
7/50
101Ma
chineryProtection
De
vices
Fig. 10: Two-channel control for Fig. 11: Two-channel control, highposition monitoring integrity
Fig. 12: Three-channel switches conforming to EN 422 and EN 201
NB. Please refer to Pilz Safety Catalogue (1) for relay details.
6
PNOZ X6PST 2
PNOZXM1
8/8/2019 Machinery Protection Devices
8/50
102Ma
chineryProtection
De
vices
5.1 Locking systems
Locking systems can be divided into two basic types: mechanical
trapped key interlocking and electrical control interlocking. Trapped
key interlocking is a proven high-integrity safety system that complies
with the design principles identified in EN 954-1, EN 1088, EN 292-1
and EN 1050. All energy sources (e.g. electrical, pneumatic,
hydraulic) can be reduced to zero, providing unrivalled operator
protection. Such a system is also very easy to retrofit and can be
customised to individual applications. Control interlocking offers rapid
access, machine diagnostics, ease of maintenance and the ability to
maintain power to the PLC.
5.1.1 Mechanical trapped key interlocking
In many applications, mechanical interlocking provides the only
practicable method of safeguarding a machine or suite of machines.
This system ensures that a prescribed sequence of actions is taken
when accessing a machine. It is of particular use where there are
multiple hazard types or where access is required to a number of
danger zones over a wide area. The principle behind mechanical key
exchange control is that all sources of power are isolated and all
stored energy dissipated before the hazardous area of the machine
can be accessed. This tried and tested methodology can be used on
all machine installation categories.
A number of products can be configured to safeguard a diverse range
of hazards. Interlocks can be used to lock gates and to spool valves
and isolators. They can also be used to ensure that sources of
stored energy are made safe. Locks are designed in such a way that
the key can only be removed when the hazard has been isolated and
can only be reinstated when the key is trapped in the lock. This
means that the key represents the hazard status associated with that
8/8/2019 Machinery Protection Devices
9/50
8/8/2019 Machinery Protection Devices
10/50
104Ma
chineryProtection
De
vices
Rotation sensor units operate in a similar way to time delay units, but
use measurements to prove that the rotating part of a machine has
stopped before access is granted. Key exchange boxes can be used
to ensure that certain actions are performed before others. They also
allow complex if/or sequences to be safely controlled. Solenoid
controlled locks ensure that a key is trapped until signalled by another
action. This could be a permission signal from a remote source or it
could be part of the machine shutdown system.
A safety key is an important feature of mechanical trapped key
systems. The key is removed and taken into the hazardous area,
ensuring that a machine cannot start up unexpectedly. This is
particularly important where personnel can move out of sight within a
guarded area. Maintenance personnel can therefore have uniquely
coded or sub-master keys, ensuring that only suitably trained staff
can instigate access.
The two systems can also be combined so that safety keys can be
used to protect individuals, while access keys are used to limit access
to authorised personnel. This is particularly useful when a robot
needs to be put into teach mode or a machine has to be reset.
5.1.2 Electrical control interlocking
Electrical control interlocks are common where rapid or frequent
access is required into a machine. Power to the machine control
system can be maintained while providing a safe method of entry.
Gate control is provided by means of solenoid controlled locks that
contain safety monitoring circuits. These circuits incorporate
positively-guided contacts that monitor the solenoid and the physical
position of the gate. Additional electrical contacts are provided to
help determine the machine status. Tongue entry products are typically
used on sliding doors, while handle-operated products can be used
for hinged gates, removing the need for additional door furniture.
8/8/2019 Machinery Protection Devices
11/50
105Ma
chineryProtection
De
vices
5.1.2.1 Typical connections
Fig. 14: AMSTOP from Fortress Interlocks connected to a Pilz PNOZ X1, complyingwith category 1/2, EN 954-1
Typically this would connect the two normally closed output terminals
on the AMSTOP directly to the supply terminal on the Pilz PNOZ X1
safety relay. The supply voltage for this relay is 24 VDC. Auto reset
is available with this connection.
INTERLOCKFORTRES FORTRES
INTERLOCKINTERLOCKFORTRES
AmStop4 AmStop4 AmStop4
1 5 3 7
+V/L
2 6
R
4
0V/N
R
1
2
1
2
3
4
0 V
24VDC
PNOZ X1
Reset
A 1 Y 1 Y2
13 23 33
14 24 34
41 42 A2
8/8/2019 Machinery Protection Devices
12/50
106Ma
chineryProtection
De
vices
Fig. 15: AMSTOP from Fortress Interlocks connected to a Pilz PNOZ X5, complying
with category 3, EN 954-1
Using the two normally closed outputs on the AMSTOP with a
reference point from the safety relay, this connection is single-fault
tolerant and therefore meets the requirements of category 3,
EN 954-1. This is because both outputs from the AMSTOP must
respond correctly. If a fault occurs in one channel (for example, the
output not breaking or closing, or a fault to earth), the PNOZ X5 will
not reset. Auto reset is available with this connection.
11
INTERLOCKFORTRES FORTRES
INTERLOCKINTERLOCKFORTRES
AmStop4 AmStop4 AmStop4
1 5 3 7
+V/L
2 6
R
4
0V/N
R
1
2
1
2
3
4
PNOZX5
Reset
A1 S33 S34
S11 S12 A2
14 S12 S22
13 23 24
8/8/2019 Machinery Protection Devices
13/50
107Ma
chineryProtection
De
vices
Fig. 16: AMSTOP from Fortress Interlocks connected to a Pilz PNOZ X2, complying
with category 4, EN 954-1
Using the two normally closed outputs on the AMSTOP connected to
two individual inputs on the safety relay, this connection is single-fault
tolerant and has some on-line fault detection, thereby meeting the
requirements of category 4, EN 954-1. The PNOZ X2 will react in the
same way as the PNOZ X5 in the previous example, but with the
additional feature that shorts across the input terminals will be
detected, causing the PNOZ X2 to de-energise. An additional option
with the PNOZ X2 range is for a monitored manual reset.
12
INTERLOCKFORTRES FORTRES
INTERLOCKINTERLOCKFORTRES
AmStop4 AmStop4 AmStop4
1 5 3 7
+V/L
2 6
R
4
0V/N
R
1
2
1
2
3
4
PNOZX2
Reset
A1 S33 S34
S21 S22 A2
14 S11 S12
13 23 24
8/8/2019 Machinery Protection Devices
14/50
Fig. 17: AMLOK from Fortress Interlocks connected to a Pilz PNOZ X2, complying withcategory 4, EN 954-1
Features are the same as in the previous example. Here, the locking
feature on the AMLOK must be used.
108Ma
chineryProtection
De
vices
13
PNOZX2
Reset
A1 S33 S34
S21 S22 A2
14 S11 S12
13 23 24
AutoLok4
FORTRE S
I NTE RL OCK
F O R T R E S
I N T E R L O C K
AutoLok4
FORTRE S
I NTE RL OCK
F O R T R E S
I N T E R L O C K
I N T E R L O C K
F O R T R E S
I NTE RL OCK
FORTRE S
AutoLok4
+ -
1
2
1
2
1
2
1
2
3
4
3
4
R Y
1 2
2 14 75 126 131 3 4
+V/L
0V/N
8/8/2019 Machinery Protection Devices
15/50
109Ma
chineryProtection
De
vices
14
F ORT RE SS
I NT E RL OCKS
FORTRESS
INTERLOCKS
AmLok AmLok
F ORT RE SS
I NT E RL OCKS
INTERLOCKS
FORTRESS
AmLok
I NT E RL OCKS
F ORT RE SS
FORTRESS
INTERLOCKS
A1 17 25 35 Y1 Y2
18 26 36 A2
PZA
K1
K1
K1
Start
Unlock
Stop
PNOZX2.
A1 S33 S34
S21 S22 A2
14 S 11 S12
13 23 24
16
1
2
1
2
1
2
1
2
3
4
3
4
R YL
1 2
2 14 75 126 131 3 4
+ -+
V/L
0V/N
Fig. 18: AMLOK from Fortress Interlocks connected to a Pilz PNOZ X2 and PZA safetytimer, complying with category 4, EN 954-1
8/8/2019 Machinery Protection Devices
16/50
110Ma
chineryProtection
De
vices
15
AutoLok4
F ORT RE S
I NT E RL OCK
FORTRES
INTERLOCK
AutoLok4
F ORT RE S
I NT E RL OCK
FORTRES
INTERLOCK
INTERLOCK
FORTRES
I NT E RL OCK
F ORT RE S
AutoLok4
A1 13 23 L1 L3
14 24 Y30Y31 A2Y1
PSWZ
41 L2
42 Y32 Y2
1
L2
L3
K
24VDC
0V
0 V + 24 V out
K
K
K
S1 K2
S0 K
K K K K
PNOZX2.
A1 S33S34
S21S22 A2
14 S11S12
13 23 24
Unlock+ -
1
21
2
1
21
2
3
4
3
4
R Y
1 2
2 14 75 126 131 3 4
+V/L
0V/N
M
Fig. 19: AMLOK from Fortress Interlocks connected to a Pilz PNOZ X2 and PSWZstandstill monitor, complying with category 4, EN 954-1
8/8/2019 Machinery Protection Devices
17/50
111Ma
chineryProtection
De
vices
Fig. 18:
With the AMLOK normally closed output contacts closed, the PNOZ
X2 will energise, making its safety outputs 13 and 14. When the start
button is depressed, K1 will energise, opening its normally closed
contact. The PZA will then de-energise, opening its safety contacts
17 and 18. When the stop button is pressed, K1 will energise,
allowing the PZA to perform its delay time function. After the pre-set
time has elapsed, PZA will energise, closing its safety contacts 17
and 18. The optional release switch can now be pressed, allowing
the AMLOK solenoid to release the lock.
Fig. 19:
In some cases, for example, where the guarded machine has uneven
rundown times, it is not efficient to use a delay timer because it has to
be set permanently to the maximum rundown time. The PSWZ
standstill monitor uses the regenerated voltage on two separate coils
of the motor and compares this with a pre-defined set point. With the
AMLOK normally closed contacts closed, the PNOZ X2 energises,
making its safety contacts 13 and 14, allowing a star delta start by
depressing S1. When the PSWZ detects voltage at points L1, L2 and
L3, its safety contacts 23 and 24 will open. When the stop relay S0 is
pressed, K2 will de-energise and disconnect the motor from the
supply, allowing the PSWZ to monitor the regenerated voltage. When
the pre-determined voltage level is reached, safety contacts 23 and
24 on the PSWZ will close. This means the optional release switch
S3 can be pressed, energising the AMLOK solenoid and releasing
the lock.
16
8/8/2019 Machinery Protection Devices
18/50
112Ma
chineryProtection
De
vices
5.2 Electrosensitive and optoelectronic devices
Mechanical guarding, whether fixed or movable, may not always
provide the solution for certain types of machinery. If an operator
requires regular access to a hazardous area, an electrosensitive or
optoelectronic solution may be better. The advantages are higher
productivity, with protection for both the operator and any third party.
However, it is important to remember that this method of guarding
offers no protection against flying materials.
5.2.1 Optoelectronic selection criteria
The main criteria for specifying an optoelectronic guard are as
follows:
Define the zone to be guarded
This is based on the machines risk assessment, in which accessto the danger zone can be specified.
Define the safety function to be performed
Here you will need to define exactly what is to be detected within
the danger zone:
-A finger or hand (required when the operator is near to the
hazard). In all cases, the resolution of the active optoelectronic
protection device (AOPD) must be less than or equal to 14 mm.
-Arm or body (mainly for perimeter guarding)
-Presence of an operator (especially where the guarded
machine is not visible from the control point). This is also
suitable for guarding the approach to danger zones, and where
vehicles are involved.
Comply with the category of the safety-related control
Please refer to Section 4.4.
8/8/2019 Machinery Protection Devices
19/50
113Ma
chineryProtection
De
vices
Calculate the safety distance
The safety distance for an AOPD can be calculated as described
in prEN 999 (Safety of machinery. Hand/arm speed. Approach
speed of parts of the body for the positioning of safety devices),
or as described in any relevant specification for the
corresponding machine (i.e. press). The minimum distance
calculated using prEN 999 must be acceptable from an
operational and ergonomic point of view. The type and locationof the device must also be assessed in order to give complete
detection and protection. If the minimum distance calculated is
not acceptable for operational reasons, other options will need to
be considered.
prEN 999 provides the following general formula for calculating the
minimum distance from the danger zone:
S = (K * T) + C,
where:
S is the minimum distance in mm from the hazardous zone to the
detection point
K is the approach speed of the body or parts of the body (in mm
per second)T is the overall stopping performance in seconds
C is the additional distance in mm, based on intrusion towards the
danger zone prior to actuation of the protective equipment.
Other factors should also be taken into account, such as the
resolution of the AOPD. Annex C of EN 692 (Mechanical presses.
Safety) provides the following table with regard to parameter C:
8/8/2019 Machinery Protection Devices
20/50
114Ma
chineryProtection
De
vices
Detection capability Additional distance C Cycle initiation by
in mm in mm the AOPD
14 0
>14 20 80 Permitted
> 20 30 130
> 30 40 240 Not permitted
> 40 850
Fig. 20: Additional distance parameter C from EN 692
5.2.2 Types of approach
Generally we can distinguish between three types of approach:
Perpendicular
Angular
Parallel.
Fig. 21: Types of approach
19
Direction of
penetration
AOPD
Limit ofprotected
field
Floor
Hazardouszone
H
S Direction ofpenetration
Limit of protected field
Floor
Hazardouszone
H
S
AOPD
Direction ofpenetration
Limit of protected field
Floor
Hazardouszone
H
S
AOPD
8/8/2019 Machinery Protection Devices
21/50
115Ma
chineryProtection
De
vices
The following table shows the formulae for calculating the safety distance S:
Perpendicular
approach
= 90 ( 5) S = 2000T + 8 * (d 14) NB. To prevent bypassing thed = 40 mm where S > 100 mm AOPD, use EN 294. In practice,
this standard is not alwaysapplicable because it regards
the hand as a deformable
element. In this case it isnecessary to seek the adviceof an accident prevention body.
where S > 500 mmtake S = 1600T + 8 * (d 14).In this case S cannot be< 500 mm.
40 < d 70 mm S = 1600T + 850 Height of lowest beam 300 mmHeight of highest beam 900 mm
d > 70 mm No. of Recommendedmulti-beam S = 1600T + 850 Beams heights
4 300, 600, 900, 1200 mm3 300, 700, 1100 mm2 400, 900 mm
single beam S = 1600T + 1200 1 750 mm
Parallel S = 1600T + (1200 0.4 * H) 15 * (d 50) H 1000 mm.approach where 1200 0.4 * H > 850 mm Where H 300 mm there is a
risk of undetected access under = 0 ( 5) the beam to be taken into account
for H where d
H/15 + 50
Angular Where > 30 C, cf. d H/15 + 50 applies to theapproach perpendicular approach; lowest beam.
Where < 30 C, cf. parallel5 < < 85 approach;
S then applies to the furthestbeam whose height 1000 mm
S: Minimum distance H: Height d: Resolution: Angle between plane of detection and direction of penetration T: Time
Fig. 22: Formulae for calculating the safety distance
20
8/8/2019 Machinery Protection Devices
22/50
116Ma
chineryProtection
De
vices
5.2.3 Examples of machine guarding
5.2.3.1 Area guarding on an assembly line
The diagrams below show two ways of installing an AOPD for the
same application (access guarding), taking into account both a
perpendicular and a parallel approach, as described above. It is
assumed that this is the only way in which the machine can be
accessed, that the risk is one of severe injury, and that the operator
has frequent access to the hazardous zone.
Fig. 23: Perpendicular approach: point of operation guarding combined with area guarding
The calculation shown in the diagram results in a safety distance of
320 mm. This safety distance will increase if the resolution is reduced.
In any case, the safety distance shall not be less than 100 mm. TwoAOPDs are used to avoid the risk of non-detection: one is vertical and
is positioned at the safety distance (perpendicular approach), and the
other is horizontal and is intended to prevent non-detection behind
the vertical AOPD.
According to EN 294 (Safety of machinery. Safety distances to prevent
danger zones being reached by the upper limbs), if height A of the
danger zone is 1000 mm, y equals 1800.
21
Floor
Hazardouszone
A
AOPD:resolution14mm
320 mm
Ymm
x = d (or refer to C Standard)
Stopping time withAOPD = 160 ms
S = 2000 * 0.16 + 8 (14 - 4)S = 320 mm
8/8/2019 Machinery Protection Devices
23/50
117Ma
chineryProtection
De
vices
Fig. 24: Parallel approach: area guarding
In this case a horizontal AOPD is used. The diagram above shows
the calculation of the safety distance S and the positioning of the
AOPD. If the installation height of the AOPD is increased beyond
300 mm the safety distance will be less, but you will need to allow for
the risk of a person entering the hazardous zone undetected bypassing under the AOPD. In such a case you would need to install
an additional device, based on the risk assessment.
Fig. 25 shows the results of both these methods. Operating constraints
will enable you to decide which is best for your application.
Advantages Disadvantages
Solution no. 1 Higher productivity because Safety device is more
S = 320 mm the operator is closer. expensive.The short distance between thevertical barrier and the hazardouszone enables material to be storedclose to the machine.
Solution no. 2 Safety device is less expensive. Operator much further away.S = 1336 mm Enables access to be guarded, Difficult to store products on the
regardless of the height of ground because the barrier takes uphazardous zone A. a great deal of space.
Lower productivity.
Higher productivity cost.
Fig. 25: Advantages/disadvantages of perpendicular and parallel approach
22
Floor
Hazardous zone
AOPD: resolution 30 mm
1256 mm minimum
x = d < H / 15 + 50 (or refer to C Standard)
Stopping time withAOPD = 160 mswhere H = 500 mm
S = 1600 * 0.16 + (1200 - 0.4 * 500)S = 1256 mmC > 850 mm
H = 500 mm
8/8/2019 Machinery Protection Devices
24/50
118Ma
chineryProtection
De
vices
5.2.3.2 Access guarding
Perimeter guarding using 3 beams (at heights of 300, 700 and
1100 mm) allows for a perpendicular approach as described above.
This method must allow for the possibility of the operator becoming
undetected between the AOPD and the hazardous zone, so additional
precautions will need to be taken. For example, the local control
should be positioned in such a way that the whole of the hazardous
zone is visible; it should also be beyond the reach of the operator
while in the hazardous zone.
Fig. 26: Access guarding
5.2.3.3 Guarding the interior of a large press
This type of guarding is recommended for large presses that can be
accessed at ground level. In such a case it is necessary to stop thepress starting up while the operator is inside. It is important to note
that this is a secondary guarding system that should on no account
replace the main guarding system (consisting of an AOPD or two-
hand control). The safety distance must be calculated for the main
guarding system, whose function is to stop the press, and not for the
secondary guarding system, which detects the presence of an
operator inside the press and prevents the press from starting up.
23
Floor
Hazardous zone
1106 mm minimumon all sides with access
to the machine
Stopping time withAOPD = 160 mswhere H = 300 mm
S = 1600 * 0.16 + 850S = 1106 mm
1100
300
700
8/8/2019 Machinery Protection Devices
25/50
119Ma
chineryProtection
De
vices
5.2.4 Connection to control circuit
Each safety device must be incorporated into the machines control
system to form an integral part. This means that all parts of the
control system - the relevant part of the machines control circuit, its
connection to the safety device and the safety device itself must
take into account the category defined during the risk assessment (as
per EN 954-1 and EN 61496).
The diagrams overleaf explain the safety categories suitable for an
AOPD and control unit, in line with EN 954-1, taking into account the
whole system, including the stop valve. The diagrams also show how
safety devices of a particular category react in the event of a fault. If
a safety device is activated under normal operating conditions (e.g. a
hand enters the protected field), the machine will always stop,
regardless of the safety category. Fault tolerance in the respective
safety categories will differ.
For further reading on the application of electrosensitive and
optoelectronic devices, please refer to the guidance document
HSG180, available from the HSE.
24
8/8/2019 Machinery Protection Devices
26/50
120Ma
chineryProtection
De
vices
on
Category 2
onoffOSSD / FSD
T T T T T
RISK
External test cycle
Protection field
Normaloperation
Operationwith error
Safety function may be lostbetween checks. Faultsdetected at time of externaltest. Risk of accident in theperiod between the faultoccurring and the next test.
Category 3
T T T T T
Normaloperation
Operationwith error
A single fault assures thesafety function as an outputsignal for stopping can stillbe generated (e.g. if a handenters the protection field).The fault is detected eitherwhen the hand enters theprotection field or by internalchecking.
Accumulation of faults maylead to loss of the safetyfunction.The system shall be designedso that a single fault in anyof its parts does not lead tothe loss of safety functions.
Category 4 Normaloperation
Operationwith error
T T TT T T T T T T T T
A single fault still assures thesafety function. In additionto category 3 the safetyfunction must be assured incase of an accumulation offaults. Internal tests musttherefore be within theresponse time of the safetydevice.The single fault is detectedat or before the next demandon the safety function. If thedetection is not possible then
an accumulation of faultsshall not lead to a loss of thesafety function.
freeoccupied
off
OSSD / FSD
External test cycle
Protection fieldfree
occupied
on
off
1
2
off
OSSD / FSD
External test cycle
Protection fieldfree
occupied
onoff
1
2
on
T
Fig. 27: Suitable safety categories in line with EN 954-1
8/8/2019 Machinery Protection Devices
27/50
121Ma
chineryProtection
De
vices
25
5.2.4.1 Typical connection
S52A1 S12 S22 S21 13 23 33 41 Y36
Y1S11 Y2 A3 14 24 34 42 Y37 A2
PNOZ 8
3 1 3 2
2K1
K2
K3
K1M
K2M
K1M
K2M
Reset
13
14
K1 K2 K3
24V
Y32
Y35
0V
1 3
1
5 6 7 3 4 2
FGS
+ 24 VDC
M3
Fig. 28: Typical connection of a category 4 device (Pilz PNOZ 8) with a Sick FGS lightcurtain, manual reset
8/8/2019 Machinery Protection Devices
28/50
122Ma
chineryProtection
De
vices
5.2.5 Muting
The muting of protective devices raises the problem of an
installations safety. For example, EN 415-4 (Palletizers and
depalletizers) relates to packaging machinery on which all operations
on the palletised load are carried out entirely and automatically by
machine. Under normal operating conditions, there is a risk at both
the entrance and exit of the interior zone. The AOPD must be muted
at the moment the pallet passes through, but it must also be possible
to detect the presence of an operator. The muting system must
therefore be able to discriminate between the pallet and the operator.
The muting conditions defined in standard EN 415-4 state that:
Muting may only occur during the operating cycle when the
loaded pallet obstructs access to the hazardous zone
Muting shall be automatic
Muting shall not depend on a single electrical signal
Muting shall not depend entirely on software signals
If muting signals occur as part of an invalid combination,
they shall not allow a state of muting, or they shall ensure
that the machine is locked out
The state of muting must be deactivated as soon as the
pallet has passed through the detection zone.
The diagrams below show how a light curtain can be used to meet all
these requirements. The device incorporates a system of temporary
muting by automatic discrimination. The AOPD is muted by the
sensor pairs A1/A2 and B1/2. In this case the distance between A1
and B2 must be less than the length of the pallet. The light curtain
can also be used to define the maximum duration of the muting
period, in stages of 1 second.
26
8/8/2019 Machinery Protection Devices
29/50
123Ma
chineryProtection
De
vices
Fig. 29: Muting: pulse diagram
Figs. 30 and 31 give a schematic overview of the muting process.
Fig. 30: Muting: the conveyed material is identified; no muting signal is emitted
Fig. 31: Muting: the operator is identified; the light curtain initiates an (emergency) stop
27
LCU-P outputin ON state
AOPD output
A1
A2
B1
B2
Muting
< 50 ms > 50 ms
A1 A2 B1 B2 LCU
A1 A2 B1 B2 LCU
8/8/2019 Machinery Protection Devices
30/50
124Ma
chineryProtection
De
vices
5.2.5.1 Typical connections
Fig. 32: Typical muting circuit using Pilz safety relays
NB. Please refer to Pilz Safety Catalogue (1) for relay details.
28
X1
X2
S24 S12
S23 S11 S1 K1
K2
Y36 Y37 Y2
PNOZ 8
S12 S52 S21S22
K1 K2
PST 1
LC
Reset
8/8/2019 Machinery Protection Devices
31/50
125Ma
chineryProtection
De
vices
Fig. 33: Typical muting circuit using Pilz safety relays
NB. Please refer to Pilz Safety Catalogue (1) for relay details.
29
3 4
2B SERIES
RECEIVER
24VDC
1
3
B SERIES
EMITTER 24VDC
4
2
1
PILZ
PNOZ X5
A2
S12
S22
S33
S34
24
23
14
13
L N E
F1 1A
24VDC
POWER SUPPLY
eg. LUTZ 722-930
0V
24VF2 2A
MUTE 1
A1 A2 S33 S34
S11
PILZPNOZ X2.1
13
14
S12
S21
S22
23
24
B1 B2 S11 S12
S21 13
14
23
24
33
34
S22
S31
S32
PILZ
PNOZ X3
SAFETY O/P 1
SAFETY O/P 2
SAFETY O/P 3
S33 S34
FEEDBACK FROM
EXTERNAL
CONTACTORSMONITORED
MAN. RESET.
NOTES
1) MUTE 1 & 2 INPUTS SHOULD BE FORCED
BREAK LIMIT SWITCHES
2) IF THE APPLICATION REQUIRES A FAILSAFE
MUTE INDICATOR, A UNIT WITH FAILSAFE
MONITORING OF THE MUTE DEVICE
SHOULD BE USED
A1
MUTE 2
8/8/2019 Machinery Protection Devices
32/50
126Ma
chineryProtection
De
vices
5.2.6 Pressure-sensitive safety devices
Another alternative to mechanical guarding is to use a device that will
sense presence by contact, i.e. a pressure-sensitive device. The two
most common types are contact-sensing bumpers and pressure mats.
These devices are manufactured following the guidance of EN 1760-1
(Safety of machinery. Pressure-sensitive protective devices).
The technology used in these devices may consist of wires or optical
fibres, wire being the most common type at the moment. They are
installed in accordance with prEN 999 (Safety of machinery.
Hand/arm speed. Approach speed of parts of the body for the
positioning of safety devices). Such devices will allow access where
required, without the constraints of mechanical interlocked guards. For
example, in robot cells where access is required in order to teach the
robot, pressure mats on the floor are interlocked into the safety system
to prevent the operator straying into the hazardous area. Contact
sensing bumpers can be used on safe edges on numerous machine
applications or as bumpers on automatic guided vehicles (AGVs).
5.2.6.1 Typical connection
Fig. 34: Typical pressure mat connection with Pilz PNOZ 16
NB. Please refer to Pilz Safety Catalogue (1) for relay details.
30
Reset
Final control element
8/8/2019 Machinery Protection Devices
33/50
127Ma
chineryProtection
De
vices
5.3 Emergency stop devices
Every machine must be fitted with a control to bring it to a complete
stop safely. On a complex machine, each workstation must be fitted
with a stop so that all or some of the moving parts can be rendered
safe. Where machinery has complex movements or high inertias, the
stop function must not cause damage to the machine or create a
dangerous situation. This means it is vital to consider the way in
which the machine is brought to a safe condition. The energy supply
to the machines actuators must be removed once the stop has been
achieved.
Section 9 of EN 60204-1 categorises stop functions as follows:
Category 0: Stopping by immediate removal of power to the
machine actuators, all brakes or mechanical devices
being activated (i.e. an uncontrolled stop).
Category 1: Stopping by means of the machine actuators (i.e. a
controlled stop). Power is finally removed once the stop
has been achieved.
Category 2: A controlled stop with the power left available to the
machine actuators.
In reality, all machinery should be fitted with a category 0 stop
function, but where safety or functional requirements demand it,
category 1 or 2 should be provided. Category 0 and 1 stops have
priority over all machine functions.
31
8/8/2019 Machinery Protection Devices
34/50
128Ma
chineryProtection
De
vices
5.3.1 Emergency stop switch
The switch is the device that initiates the emergency stop. It must
sustain this signal until disengaged by the appropriate action.
EN 418 is the consultative document for emergency stopping,
explaining the differences between the design of a normal stop and
an emergency stop. It defines the safety requirements of the device
as having the principle of positive actuation to achieve contact
separation that is not dependent on springs Any action on the
actuator which generates the signal for an emergency stop must
result in a latching of that actuator. The resetting of the actuator shall
be only by a manual action.
The emergency stop switch actuator may take different forms,
depending on the application in which it is being used, for example:
Mushroom-headed buttons
Bars
Levers
Kick-plates
Pressure-sensitive cables.
The colour or the actuator must be red. Where used, the background
colour must be yellow.
5.3.2 Emergency stop circuit
The integrity of the circuit can be decided in conjunction with the risk
assessment. EN 954-1 outlines the requirements for safety-related
controls. In general, the stop circuit can be viewed along the
following lines.
32
8/8/2019 Machinery Protection Devices
35/50
129Ma
chineryProtection
De
vices
Fig. 35: Category B and 1 stop circuit
This is the type of circuit that meets the requirements of categories B
and 1, in accordance with EN 954-1. The emergency stop push
button has positive actuation and will always break the circuit. The
control relay is a spring-return device. As the failure mode is not
clearly defined, this could lead to failure to closed circuit. However,the aim of these categories is to achieve good design using well-tried
components and, if a failure does occur, the risk to the operator or
environment is low.
Fig. 36: Category 2 stop circuit using a safety relay
33
Final control element
E-Stop
Reset
Final control element
E-Stop
8/8/2019 Machinery Protection Devices
36/50
130Ma
chineryProtection
De
vices
The next category of EN 954-1 makes greater demands on the
components. Not only do they have to be good by design and
nature, but the safety function must also be checked and the loss of
the safety function must be detected by this check.
This can be achieved by duplicating the critical safety elements. The
normal method, as shown, is to use redundant relays whose
actuation is checked on start-up and reset. However, although the
emergency stop button is positively driven, if a wiring error or short
occurs across the switch terminals, the safety circuit will be rendered
inoperable. The fault will only be noticed when the button is
operated, so these circuits will require an off-line test, the frequency
of which should be decided by the circuits demand rate.
Fig. 37: Category 3 stop circuit using a safety relay
34
Reset
Final control element
E-Stop
8/8/2019 Machinery Protection Devices
37/50
131Ma
chineryProtection
De
vices
In accordance with EN 954-1, the demands of category 3 include all
those of the previous categories, with the additional requirement that
a single fault should not lead to the loss of the safety function andthat this fault, wherever practicable, should be detected.
As in the case of category 2, where the critical safety device was
considered to be the relay, the input devices must now be duplicated
so their movement can be checked. More switches could be added
to the input circuit, minimising the cost, but this would compromise
the spirit of category 3. For example, if multiple gate switches are
used and more than one gate is open, a single fault on one switchmight not be detected. Again, an off-line test may be required.
The final category of EN 954-1 has the highest demands on the
safety-critical circuit. These are very similar to those of category 3, in
that no single fault will lead to the loss of the safety function, but with
the additional requirement that the fault be detected at or before the
next call on the safety system. If this is impossible, an accumulation
of faults shall not lead to the loss of the safety function.
35
Reset
Final control element
E-Stop
Fig. 38: Category 4 stop circuit using a safety relay
8/8/2019 Machinery Protection Devices
38/50
132Ma
chineryProtection
De
vices
Electromechanical and hydraulic circuits work on three faults (for
more details please refer to Chapter 6, Programmable Safety
Systems).
The input device is duplicated, as in category 3. However, to conform
to the requirements, both input devices must have separate
monitored supplies. Multiple input devices are discouraged.
5.3.3 Final control element in a safety circuit
The old British standard BS 2771 established the protection criteria in
case of failure to a dangerous condition by recommending a
redundant proving system. It went on to suggest that this method be
used where intermediate relays are used in a safety circuit. This
effectively incorporated safety relays into the safety circuit and left the
final control element (i.e. the contactor) to good design principles.
The new specification EN 954-1 states that the combined safety-
related PARTS of a control system start at the point at which the
safety-related signals are initiated and end at the output power control
elements. Future specification EN 61508 will require even more care
to be taken over the whole safety-related control system and will lay
down some stringent criteria, so it is essential to deal with the final
control element as a relevant part of the safety system.
Referring to EN 954-1, the requirements for category 2 onwards are
looking for more than just well-tried components. Well-proven final
elements with a low demand rate on the system might be sufficient
for category 2 and 3, but this really depends on a suitable risk
assessment and appropriate design methods. Duplication is almost
unavoidable if you wish to meet the requirements of category 4.
36
8/8/2019 Machinery Protection Devices
39/50
133Ma
chineryProtection
De
vices
Fig. 39: The normally closed contact of the final control element is monitored by thefeedback loop Y1/Y2
37
R1 R2
Reset
Y1
Y2
E-Stop
Y1
Y2
8/8/2019 Machinery Protection Devices
40/50
134Ma
chineryProtection
De
vices
Fig. 40: The normally closed contacts of the final control elements R1 and R2 are
monitored by the feedback loop Y1/Y2
38
Reset
E-StopY1
Y2
R2R1
Y1
Y2
8/8/2019 Machinery Protection Devices
41/50
135Ma
chineryProtection
De
vices
Fig. 41: The normally closed contacts of the final control elements R1 and R2 aremonitored by the feedback loop Y1/Y2
39
Reset
E-Stop Y1Y2
R1
Y1
Y2
R2
8/8/2019 Machinery Protection Devices
42/50
136Ma
chineryProtection
De
vices
5.3.4 Typical connections
Fig. 42: Simplified E-Stop circuit for category B & 1
40
F0Control Circuit
fuse
Direct-on-lineStarter
F21ThermalOverload
S1Emergency
Stop
S2Stop
S3Start
K1M
F0Control Circuit
Fuses
T1Control
Transformer
Q1Main
Isolator
Fuses F1
K1MMain Contactor
F2ThermalOverload
Relay
K1M
L 1
L 2
L 3
M
8/8/2019 Machinery Protection Devices
43/50
137Ma
chineryProtection
De
vices
Fig. 43: Simplified E-Stop circuit for category 2 (Pilz PNOZ X7)
41F0
Control Circuitfuse
Direct-on-lineStarter
F21ThermalOverload
S2Stop
S3Start
K1M
F0Control Circuit
Fuses
T1Control
Transformer
Q1Main
Isolator
Fuses F1
K1MMain Contactor
F2ThermalOverload
Relay
K1M
MS4Reset
K1M
PNOZ X7
S1EmergencyStop
Y1
Y2
A1
A2
13
14
L 1
L 2
L 3
8/8/2019 Machinery Protection Devices
44/50
138Ma
chineryProtection
De
vices
Fig. 44: Simplified E-Stop circuit for category 3 (Pilz PNOZ 1)
42
F0
Control CircuitFuses
T1Control
Transformer
Q1Main
Isolator
Fuses F1
K1MContactor
K2MContactor
F2ThermalOverload
Relay
K2MS3
Start
S2Stop
F2Thermal
Overload
S1Emergency
StopK1M
F0Control Circuit
fuse
Direct-on-lineStarter
T33
K2M
K2M
K1M
ResetPNOZ 1
M
T34
A2
A1 T11 T12 T22 13 33
14 34
L 1
L 2
L 3
K1M
8/8/2019 Machinery Protection Devices
45/50
139Ma
chineryProtection
De
vices
Fig. 45: Simplified E-Stop circuit for category 4 (Pilz PNOZ X3)
43
F0
Control CircuitFuses
T1Control
Transformer
Q1Main
Isolator
Fuses F1
K1MContactor
K2MContactor
F2ThermalOverload
Relay
K2MS3Start
S2Stop
F2Thermal
Overload
S1Emergency
StopK1M
F0Control Circuit
fuse
Direct-on-lineStarter
K1M K2M
K2M
K1M
ResetPNOZ X3
M
S33
S34
A2
A1 S21 S22 S31 S32 3313
3414
L 1
L 2
L 3
8/8/2019 Machinery Protection Devices
46/50
140Ma
chineryProtection
De
vices
Fig. 46: Pilz E-Stop relay used with Norgren monitored dump valves
44
V1
0V
24V
0V
P P
1
1
2
2
3
3 3 2
Pilz relay Start
E-Stop
V2 V3 V3
V1 V2
Monitored dump valves
24V
1 2 3
8/8/2019 Machinery Protection Devices
47/50
141Ma
chineryProtection
De
vices
5.4 Two-hand controls
Two-hand controls are mainly used to ensure that operators keep
their hands clear of the danger zone before any movement is
initiated. Applications vary from hedge trimmers to manually-operated
presses; machine setters can also use two-hand controls when other
safeguards have been locked out. As these controls are only of value
to one specific operator, other safeguards should be considered when
using more dangerous classes of machinery, either to prevent others
from entering the danger zone or to increase the level of protection
for that operator.
All types of two-hand controls must comply with the requirements of
EN 292-1 and, in the case of two-hand control relays, EN 60204. The
design and selection will depend upon:
The hazard present
The risk assessment
The experience of the technology used
Other factors, such as the prevention of accidental
actuation and wilful defeat.
45
8/8/2019 Machinery Protection Devices
48/50
142Ma
chineryProtection
De
vices
EN 574 (Safety of machinery. Two-hand controls) defines 3 types of
two-hand controls, setting out the minimum measures of safety for
each device, as shown in the table below:
Requirements Types
I II III
A B C
Use of both hands (simultaneous actuation) X X X X X
Relationship between input signals and output signal X X X X X
Cessation of the output signal X X X X X
Prevention of accidental operation X X X X X
Prevention of defeat X X X X X
Re-initiation of the output signal X X X X
Synchronous actuation X X X
Use of category 1 (EN 954-1: 1996) X X
Use of category 3 (EN 954-1: 1996) X X
Use of category 4 (EN 954-1: 1996) X
Fig. 47: Minimum safety measures for two-hand devices
The requirements are listed as follows:
Operators shall use both hands during the same time period;
this is simultaneous action and is independent of any time
lag between the two input signals
The two activating signals shall initiate and maintain the
output as long as both signals are present
The release of one or both activating signals will stop the
output
The risk of accidental operation shall be minimised
Prevention of accidental operation or prevention of defeat
shall be mainly achieved via mechanics and ergonomics
46
8/8/2019 Machinery Protection Devices
49/50
143Ma
chineryProtection
De
vices
It shall only be possible to reinitiate the output signal after
both inputs have been released
The output signal may only appear when both inputs are
activated within 0.5 seconds of each other. If the inputs are
not actuated synchronously, the output will be prevented
until the inputs are re-applied within this time scale. This is
called synchronous actuation.
In the case of failure, the parts of the two-hand control device shall
behave in accordance with EN 954-1.
5.4.1 Typical connection
Fig. 48: Typical two-hand circuit with Pilz P2HZ X1
NB. Please refer to Pilz Safety Catalogue (1) for relay details.
47
Inputs
PLC
OutputsOutput supply
Input supply
Y1
Y2
P2HZ X1
Enablemachinemovement
8/8/2019 Machinery Protection Devices
50/50
144Ma
chineryProtection
De
vices
5.4.2 Programmable electronic systems (PES) for two-hand
control
There is still a considerable amount of development to be done into
the ways in which programmable electronic systems can be validated
for use in safety systems. However, where such systems are being
used to achieve the functional characteristics of a two-hand control,
the hardware and software shall be validated in accordance with the
risk assessment and the PES guidelines from the HSE (please refer
to Chapter 6, Programmable Safety Systems).
It is clear, however, that EN 574 requires that the output signal for
Types IIIB and IIIC two-hand controls should not be generated solely
by a single-channel programmable electronic system.48