7/24/2019 Safety Integrated Ed4_e
1/330
4th Edition
Safety Integrated
Application Manual
The Safety System for Industry
The intelligent move to seamless safety technology
The prevention of accidents
should not be considered a
question of legislation, but
instead, our responsibility to
fellow beings and economic
sense.
Werner von Siemens, Berlin, in the year 1880
Foreword
1 Standards and Regulations
2 Fail-Safe Communications via Standard Fieldbuses
3 Safety-Related Low-Voltage Switching Devices and Sensors (SIGUARD)
4 Controllers: Fail-Safe Control Systems (SIMATIC)
5 Motion Control Systems - Safe, Innovative Motion Control
6 Applications
7 Circuit Examples
8 Appendix
Content
1 Standards and Regulations
1.1 General information 1/2
1.2 Regulations and Standards in the European Union (EU) 1/3
1.2.1 Basic principles of European legislation 1/3
1.2.2 Health and safety at the workplace in the EC 1/3
1.2.3 Safety of Machinery in Europe 1/4
1.2.4 Process technology in Europe 1/17
1.2.5 Furnace systems in Europe 1/21
1.3 Legal requirements and Standards regarding safety at work in the US 1/22
1.3.1 Machine safety 1/23
1.3.2 Process industry 1/24
1.4 Safety requirements for machines in Japan 1/25
2 Fail-Safe Communications via Standard Fieldbuses
2.1 PROFIsafe 2/4
2.2 AS-Interface Safety at Work 2/8
2.2.1 Safety at Work Products 2/10
2.2.2 Connecting examples 2/12
2.2.3 Connection assignments 2/16
2.2.4 Technical Data 2/17
3 Safety-Related Low-Voltage Switching Devices and Sensors (SIGUARD)
3.1 SIGUARD Control and Signaling Devices 3/2
3.1.1 EMERGENCY STOP control devices 3/4
3.1.2 SIGUARD cable-operated switches 3/6
3.1.3 SIGUARD Two-hand operation consoles and foot switches 3/9
3.1.4 SIGUARD position switches 3/12
3.1.5 SIGUARD magnetically operated position switches 3/23
3.1.6 SIGUARD safety switch strips 3/25
3.1.7 SIGUARD light curtains and light grids 3/27
3.1.8 SIGUARD light barriers 3/52
3.1.9 SIGUARD 3RG78 3 laser scanner 3/56
3.1.10 SIGUARD signaling devices 3/64
3.2 SIGUARD 3TK28 Safety Combinations 3/66
3.2.1 Safety relays 3/66
3.2.2 Safety electronics 3/70
3.2.3 Safety electronics with integrated contactors 3/71
3.3 3RA7 Load Feeders with Integrated Safety Technology 3/76
3.4 SIRIUS NET Motor Starter for AS-Interface and PROFIBUS-DP 3/81
3.4.1 SIMATIC ET 200S SIGUARD 3/82
4 Controllers: Fail-Safe Control Systems (SIMATIC)
4.1 Introduction 4/2
4.2 SIMATIC S7-400F/FH 4/4
4.2.1 Introduction 4/4
4.2.2 Hardware 4/4
4.2.3 Programming 4/5
4.2.4 Configuration 4/5
4.2.5 Technical Data 4/7
4.3 SIMATIC S7-300F 4/9
4.3.1 Introduction 4/9
4.3.2 Typical configurations 4/10
4.3.3 Fail-safe I/O ET 200S / ET 200M 4/11
4.3.4 Programming 4/12
4.3.5 ET 200S fail-safe motor starter 4/13
4.3.6 Technical Data 4/15
5 Motion Control Systems - Safe, Innovative Motion Control
5.1 SINUMERIK Safety Integrated - The Safety Package for Machine Tools 5/3
5.1.1 Brief description 5/4
5.1.2 Equipment components 5/5
5.1.3 System requirements 5/8
5.1.4 Safe stopping process 5/9
5.1.5 Monitoring speed and position 5/12
5.1.6 Logically combining safety-related process signals 5/14
5.1.7 Integrating sensors/actuators - basics 5/15
5.1.8 Sensor-actuator integration via separate hardware I/O from the PLC and NC 5/17
5.1.9 Sensor/actuator integration through the fail-safe ET 200S PROFIsafe modules 5/23
5.1.10 Protection against vertical axes dropping 5/28
5.1.11 Basic application principles 5/31
5.1.12 Ordering data and documentation 5/33
5.2 Safely Operating Universal Drives 5/34
5.3 SIMOTION Safety Unit - The safety package for metal forming technology 5/35
5.4 Technical Support & Engineering for Safety Integrated - Motion Control Systems 5/37
6 Applications
6.1 Fail-Safe Communications via Standard Fieldbuses 6/2
6.1.1 Two birds with one stone 6/2
6.2 Safety-Related Low-Voltage Switching Devices and Sensors 6/4
6.2.1 SIGUARD light curtains - used in the automobile industry 6/4
6.2.2 SIMATIC ET 200S SIGUARD in the Food Industry 6/6
6.2.3 SIMATIC ET 200S - innovative electrical cabinet construction 6/10
6.2.4 Cost effectiveness in crane construction with Safety Integrated 6/12
6.3 Controllers: Fail-Safe Controls 6/14
6.3.1 SIMATIC S7-400F application on an oil/gas platform 6/14
6.4 Motion Control Systems - Safe Motion Control 6/16
6.4.1 More safety in the automobile industry 6/16
6.4.2 New standard for machine tools 6/17
6.4.3 Safety technology tests safety technology 6/19
6.4.4 Safety and speed of operation 6/20
6.4.5 Safe standstill in the printing industry 6/22
7 Circuit Examples
7.1 Safety-Related Low-Voltage Switchgear and Sensors 7/2
7.1.1 Switch safely 7/2
7.1.2 SIGUARD 3TK28 Safety Combinations 7/5
7.1.3 Contactless Protective Devices 7/41
7.1.4 SIGUARD Switching Strips 7/47
7.1.5 Circuit examples, ET 200S SIGUARD 7/48
7.2 Controllers: Fail-safe controls 7/55
7.2.1 Circuit examples for S7-300F 7/55
7.2.2 Function block for the S7-300F muting function 7/57
7.3 Motion Control Systems: Safe Motion Control 7/59
7.3.1 Application examples for EMERGENCY STOP, stop Category 0 7/59
7.3.2 Application examples for EMERGENCY STOP, stop Category 1 7/60
7.3.3 Application examples for EMERGENCY SWITCHING-OFF and EMERGENCY STOP, stop Category 1 7/61
7.3.4 Application examples for EMERGENCY STOP, stop Category 1 for several drives 7/62
8 Appendix
8.1 Overview, Important Basic Safety, Group and Specialist Standards under the Machinery Directive 8/2
8.2 Important Addresses 8/8
8.3 Terminology and Abbreviations 8/10
8.3.1 Terminology 8/10
8.3.2 Abbreviations 8/12
8.4 Contact Internet & Hotlines 8/13
8.5 Seminars on Safety Technology, Standards and Directives 8/13
8.6 Type Test Certificates 8/18
8.6.1 Certificates for SIMATIC Safety Integrated 8/18
8.6.2 Certificates for SINUMERIK Safety Integrated 8/20
8.6.3 Certificate for SIMOVERT Masterdrive 8/23
8.6.4 Certificate for SIMODRIVE 611 U 8/24
8.7 List of contents 8/25
2 Safety Integrated Application Manual Siemens AG
Dear Readers,
Helmut Gierse, A&D Group Board
The founder of our company, Werner von Siemens, recognized back in 1880 that accident prevention should not just be considered a question of legislation, but it is also our responsibility to fellow beings and makes economic sense.
Today, this is also the philosophy of automation technology from Siemens. In addition to increasing availability and cost-effectiveness, our focus is always on human beings and the benefits we can provide. This philosophy is especially important where human beings work directly at machines which can represent potential hazards, or where human beings can be indirectly involved as a result of subsequent damage, e.g. due to environmental stressing.
The fourth Edition of the successful Safety Integrated Manual presents the ongoing development of the Siemens Automation and Drives Group (A&D) and the safety products and systems: SIGUARD, SIMATIC and SINUMERIK/SIMODRIVE. For years now, these have been setting the standard in safety technology in many applications.
Current examples include both the consequential expansion of the fail-safe SIMATIC PLCs by Distributed Safety with the S7-300F and ET 200S PROFIsafe components with the focus on the production and the new electronic 3TK28 safety combinations.
We as A&D are taking into account, with Safety Integrated, the tremendous pace of development in the safety technology market - a market which is enjoying above average growth. The harmonization of the safety Standards within the EC and the fact that these EC Standards are being applied worldwide are the main drivers for this growth.
Using innovative, flexible solutions, Safety Integrated is increasing the safety and availability of automation tasks, whilst also increasing the productivity. With Safety Integrated, users have access to a unified, integrated complete solution. This means standard, integrated control and field technology. A combined safety system platform will obtain new impetus as drive and process technology continue to merge.
Innovation and success have paved the way to today's standard of safety technology: As early as the 1960's, Siemens supplied the first pre-wired safety combinations. At the beginning of the 1980's, Siemens presented the compact SIGUARD 3TK combination using safety contactor technology. At the same time, the programmable SIMATIC safety logic controller was introduced - the SIMATIC S5-110F for press controls. The SIMATIC S5-115F, launched back in 1988, represented a milestone in process technology.
The modular SIMATIC S5-95F compact PLC, introduced in 1994, created a worldwide standard in production technology, for press controls, in process technology and in personnel transportation systems. In 1996, SINUMERIK/SIMODRIVE continued this tradition with the world's first safety-related control system for machine tools.
This means that our customers can simply and cost-effectively implement the requirements laid down in the EC Machinery Directive which came into force in 1995. The basis for a unified, Safety Integrated system is created as a result of the certification of the safety-related communications via the standard fieldbuses - PROFIBUS in 2000 and AS-Interface in 2001. Using the high-availability safety-related SIMATIC S7-400F/FH, since 2000, safety concepts have been directly integrated, in a unified fashion, into the Totally Integrated Automation (TIA) concept. In 2001, an optimized solution for the production industry was introduced in the form of the S7-300F and ET 200S PROFIsafe components. In parallel, the safety portfolio was expanded, in the sensor area, using the contactlessly operating SIGUARD light curtains and laser scanners.
For automation tasks which are less complex, in the area of evaluation, it is now possible to use innovative wiring and communication solutions. For instance, 3TK28 electronic safety combinations now optionally integrate the control and main circuits in a complete unit. The standard actuator sensor interface with the Safety Monitor as well as safe input modules and direct sensor connections can now be simply expanded by safety functions. Safety Integrated allows user-friendly machines to be created using simple intelligent safety technology which does not obstruct standard working procedures.
Sincerely,
Helmut Gierse
Thomas Lei, A&D Project Manager Safety Integrated, Siemens AG, Erlangen
Whether for applications in the area of machine safety or process technology - state-of-the-art technology used in the automation process demands the highest degree of safety for man, machine and the environment.
The Safety Integrated Application Manual, which has now been updated several times, clearly shows how hazards, caused by functional faults, can be reduced or completely resolved using electrical and electronic equipment and devices.
From sensor systems through evaluation units up to safe shutdown and in the future to the actuators, for example drives, Safety Integrated now provides maximum protection against functional faults using the SIGUARD, SIMATIC and SINUMERIK/SIMODRIVE product groups.
These product groups have already proven themselves for many years in standard automation solutions, and that worldwide. These components can now also be combined in an overall system since safety-related communications via PROFIBUS and via the Actuator-Sensor interface were certified in 2000 and 2001 respectively.
In addition to conventional hard-wiring between the individual components, as an alternative, it is also possible to use standard fieldbus systems for the safety technology. This permits a unified, integrated system and in turn, cost-effective engineering, reduces the hardware costs by using common components and simultaneously increases the plant and system availability thanks to improved diagnostics.
Open and integrated
An automation system mainly comprises standard components such as PLCs, drives etc. The level of safety technology of a complete plant or system can differ depending on the particular application. However, irrespective of the particular application, the safety level always comprises a series of sensors, safety evaluation units and actuators for safe shutdown. Today, the two levels of a plant or system, standard and safety related technology, are strictly separated. Generally, different engineering techniques and tools are used for these two levels. This not only results in higher costs associated with personnel training, but also in many cases, these two levels can only be linked at considerable cost.
The requirement to achieve cost savings can be fulfilled by selecting the correct installation technology. In standard technology, the move to distributed concepts and the use of modern fieldbuses has already resulted in significant cost savings. Further cost savings in the future will be achieved by transferring additional safety-related signals along existing standard fieldbuses. Safety Integrated is the practical implementation of this concept. Using this concept, both standard and safety components can be cost-effectively combined to form a completely unified and transparent system. Costly wiring for diagnostics and feedback signals can be eliminated. Standard engineering tools and methods as well as visualization concepts guarantee cost saving in the planning phase and also during installation and service.
Sincerely,
Thomas Lei
Figure (diagram): Safety - protection against heat and fire; protection against electric shock; protection against dangerous radiation; protection against danger due to functional faults and errors.
Figure (diagram): Controlling and Sensing - Monitoring and Evaluation - Control and Stopping.
Dr. rer. nat. M. Schaefer, Head of Division: Machinery Safety, Control Techniques in the Institute of Occupational Safety and Health, Germany
New technologies in the name of safety
If you compare the safety controls from the eighties employing conventional devices, with contacts and the sophisticated products of today, the advantages of intelligent safety technology using computer-based systems becomes quite clear:
- New sampling-type sensors allow a finely graduated safety technology optimally adapted to the particular application
- Computer channels, operating with high clock frequencies, result in extremely short response times
- Intelligent software allows aging processes to be identified before they can have a dangerous influence
- Safety fieldbus systems significantly reduce the amount of wiring and therefore potential problems, especially when troubleshooting.
However, new technologies can only have a positive influence on safety technology if the development takes into account measures, right from the very start, for fault tolerance and avoiding faults (refer to DIN V VDE 0801 and IEC 61508). Measures such as these not only have a significant impact on the complete development process, but generally enhance the availability above and beyond the pure safety technology. The experience gained from more than 150,000 customer systems in the field indicates that high technology, applied in this fashion, is also really safe.
Safety technology through dialog instead of checking
Since the middle of the eighties, the BIA and several other testing bodies have been developing testing methods for complex safety technology. The inspection no longer occurs at the end of product production, it now accompanies the development life cycle of a product from the initial concept through to final production. Only by using such simultaneous development and testing procedures is it possible to certify complex systems. The measures applied are checked during the safety life cycle at specific milestones to an agreed standard, whilst error-avoiding techniques are applied by the testing body itself as part of the validation process. Using techniques and standards as defined above, the testing body ensures that the development process of a product is perfect. This is the reason why complex safety technology should be considered more as a process rather than as a product.
Increasing the acceptance of safety technology
New technology allows safety functionality to be directly integrated into a machine or plant as a result of the functional control. In newly developed CNC control systems with integrated safety technology, reduced velocity required during setting up and the safe stop are guaranteed using additional software without any external monitoring devices. This means, for the user, that safety is incorporated in the control and the likelihood of faults occurring is significantly reduced. In the same way, using safety-related data communication concepts, standard hardware can be used to safely network various control systems or even complete production systems. This completely eliminates additional manual operations, for example, parameterizing safety devices. Safety-related data can be centrally managed and reported.
This eliminates barriers for the use of safety technology and the level of acceptance is increased.
Safety technology from a cost perspective
Especially in the nineties, cost issues became increasingly important in safety technology. Although the development processes for complex safety technology are extremely cost-intensive, integrated safety, as a result of the software, can have an extremely positive impact on the overall product cost. Furthermore, downtimes are reduced as a result of a far more efficient diagnostics capability due to the use of safety computer systems.
From our perspective as the Berufsgenossenschaften [German Trade Association], we also see that in the future, it will be important that we support and promote the development process discussed above. And of course, this Manual demonstrates that this is a safe route to take - and which is extremely promising.
For the German Trade Association, innovation and prevention are important issues in working together. Our society requires ongoing innovation. This secures the competitiveness and facilitates a lifestyle and working methods to help humans generally. The German Trade Associations therefore promote such innovation which plays a role in reducing all types of risks and hazards or which improves working techniques and procedures.
In order to present especially outstanding developments for enhanced health and safety at work to a larger trade public, for the first time, at the Hanover Fair 2003, the innovation prize of the German Trade Associations will be awarded.
(For more detailed information, refer to www.hvbg.de/d/pages/presse/aktuell/foerder.htm).
Heinz Gall, Head of the business sector Automation, Software and Information Technology, TÜV Anlagentechnik GmbH, Cologne, Company Group TÜV Rheinland/Berlin-Brandenburg
Automation systems and components are responsible for safety-relevant tasks in many different application areas (machines and conveyor systems, the process industry, building technology etc.). This means that the health and safety of personnel as well as the protection of plant equipment and the environment are dependent on the correct functioning of these systems and components.
Today, the correct functioning of systems and components is handled under the term of Functional Safety. This is documented in the IEC 61508 Standard "Functional safety of electrical, electronic and programmable electronic safety-related systems" which was passed in 2000.
This Standard is, in the meantime, also recognized as EN 61508 and will be included in the German Standards. It is considered as a basis Standard, independent of the application and addresses developers of application-specific standards as well as the contents (description of measures for the safety concept, fault-avoidance and fault-controlling measures for hardware and software) essentially to the manufacturers of safety-related systems and components.
This has already been accepted by the application-oriented Standards groups. The first examples include the Drafts of IEC 61511 for the process industry, EN 50156 for the electrical equipment of furnace systems as well as IEC 62061 for safety-relevant control systems for machines. It goes without saying that in the area of machine safety, application-specific Standards, for example EN 954, must be applied.
In the future, it is hoped and also expected that other user groups will use the existing base standard for their work, to standardize the requirements placed on safety-related systems and components. This especially makes sense, because the principles involved with risk evaluation, risk reduction and the safety-related functions can be applied to the widest range of applications. From an application perspective, only a few aspects would have to be considered, e.g. the required response times or the safe condition for the process.
This means that manufacturers will be able to develop systems and components which will be able to be used for safety tasks, with comparable degrees of risk, in various applications. To realize this, the following generally applicable data must be available for each particular component:
- Maximum Safety Integrity Level (SIL) which can be achieved
- Hardware fault tolerance in conjunction with the component of safety failures (sum of the failures in the direction of a safe condition plus the sum of the failures which are recognized and controlled as a result of the internal diagnostics) referred to the sum of all of the failures
- Probability of failures where the system goes into a hazardous condition.
The above mentioned criteria will then permit safety-related functions to be viewed across the complete application, which generally comprises the sensor system, logic (e.g. PLC) and actuators as well as communications between these components.
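The three per-component figures listed above can be put into numbers. The following is an added worked example (not code from the manual, from Siemens or from TÜV): it computes the safe failure fraction (SFF) exactly as the foreword describes it (safe failures plus dangerous failures detected by internal diagnostics, referred to all failures), looks up the SIL that the hardware fault tolerance (HFT) permits using the architectural-constraint tables of IEC 61508-2 (Tables 2 and 3 of the 2000 edition, which the page does not reproduce), and bands the average probability of a dangerous failure on demand per IEC 61508-1 Table 2. All failure-rate inputs are constructed sample values, not data for any real product; the function and variable names are this example's own.

```python
"""Added worked example: the per-component IEC 61508 figures named in the
foreword (max SIL, HFT with SFF, probability of dangerous failure), computed
from constructed failure rates. Not from the manual or any product data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT (failures per 1e9 h). Constructed sample inputs;
    integer FIT keeps the SFF arithmetic exact."""
    lambda_sd: int  # safe, detected by internal diagnostics
    lambda_su: int  # safe, undetected
    lambda_dd: int  # dangerous, detected by internal diagnostics
    lambda_du: int  # dangerous, undetected

    @property
    def total(self) -> int:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU):
    the foreword's 'safe plus detected-and-controlled failures, referred to
    the sum of all failures'."""
    if r.total == 0:
        raise ValueError("no failure rate data")
    return (r.lambda_sd + r.lambda_su + r.lambda_dd) / r.total


# IEC 61508-2 (2000) Tables 2 and 3. Rows: SFF bands <60%, 60-<90%,
# 90-<99%, >=99%. Columns: HFT 0, 1, 2. A 0 entry means "not allowed".
_SFF_BAND_LIMITS = (0.60, 0.90, 0.99)
_TYPE_A_TABLE = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_TYPE_B_TABLE = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil_architectural(sff: float, hft: int, complex_type_b: bool) -> int:
    """Highest SIL the hardware architecture permits. Type B = complex
    components (e.g. microprocessor based) whose failure modes are not all
    well defined; type A = simple components with well-defined modes."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must lie in [0, 1]")
    band = sum(1 for limit in _SFF_BAND_LIMITS if sff >= limit)
    table = _TYPE_B_TABLE if complex_type_b else _TYPE_A_TABLE
    return table[band][hft]


def pfd_average_1oo1(lambda_du_fit: float, proof_test_interval_h: float) -> float:
    """Simplified single-channel (1oo1) PFDavg for low demand mode:
    lambda_DU * T1 / 2, with lambda_DU converted from FIT to 1/h. For a
    redundant channel pair the true PFDavg is lower, so this is an upper
    bound when reused for HFT > 0."""
    return (lambda_du_fit * 1e-9) * proof_test_interval_h / 2.0


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508-1 Table 2 (low demand): SIL 1 [1e-2, 1e-1), SIL 2 [1e-3, 1e-2),
    SIL 3 [1e-4, 1e-3), SIL 4 [1e-5, 1e-4). 0 = worse than SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def assess_component(r: FailureRates, hft: int, complex_type_b: bool,
                     proof_test_interval_h: float) -> dict:
    """Combine the criteria: the SIL a component may claim is bounded by
    both the architectural constraint and the PFDavg band."""
    sff = safe_failure_fraction(r)
    sil_arch = max_sil_architectural(sff, hft, complex_type_b)
    pfd = pfd_average_1oo1(r.lambda_du, proof_test_interval_h)
    sil_pfd = sil_from_pfd(pfd)
    return {"sff": sff, "sil_architectural": sil_arch,
            "pfd_avg": pfd, "sil_pfd": sil_pfd,
            "max_sil": min(sil_arch, sil_pfd)}


if __name__ == "__main__":
    # Constructed sample: a complex (type B) evaluation unit, yearly proof test.
    rates = FailureRates(lambda_sd=200, lambda_su=100, lambda_dd=600, lambda_du=100)
    for hft in (0, 1):
        print(f"HFT {hft}:", assess_component(rates, hft, True, 8760))
```

With the constructed rates the SFF is 0.9; a type B component without redundancy (HFT 0) is then architecturally limited to SIL 2 even though its PFDavg of 4.38e-4 would allow SIL 3, and adding one fault-tolerant channel (HFT 1) lifts the architectural limit to SIL 3. That is the point of publishing HFT and SFF together, as the foreword asks.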
Field devices, sensor systems and actuator systems are becoming increasingly intelligent. This means that communications between the components of a safety-related function will increasingly be realized via bus systems.
In the last two years, considerable progress has been made in the area of standardized safety-related bus systems.
This progress involves, on the one hand, the development of a basic philosophy to test and certify bus systems for the transfer of safety-related data and, on the other hand, the successful completion of conceptual tests of such bus systems.
This means that in the foreseeable future it can be expected that devices from various manufacturers will be able to be operated on standardized safety bus systems.
In this case, manufacturers must accept the challenge to develop safety-related devices which can use the capability of safety-related communications via bus systems.
The TÜV Rheinland/Berlin-Brandenburg, in conjunction with the Automation, Software and Information Technology business field, is supporting manufacturers, project engineers and users worldwide (Europe, USA, Japan) in the implementation of the above mentioned safety-related tasks.
After a successful test, systems and components will be certified and will receive the FS test symbol "Functional Safety" of the TÜV Rheinland/Berlin-Brandenburg. This documents that they are in conformance with the requirements laid down in the relevant Standards.
Engineers and users will be supported in achieving the functional safety for both the application and the implemented safety functions.
Prof. Dr.-Ing. G. Reinhart, Head of the Institute for Machine Tools and Industrial Management (iwb), Technische Universitaet Muenchen
The features and performance of state-of-the-art production systems are essentially determined by how the mechanical system and control interact. Only a harmonized complete system will be able to fulfill the requirements placed on the functionality, productivity and quality of today's production systems. A distributed installation technology which offers diagnostics capability across the board provides the essential basis to increase the availability of complex production systems. Beyond this, the integration of safety-related functions in control technology represents an innovative way to adapt safety technology to the requirements of the machine operator - but still reduce costs.
Requirements placed on the safety technology of machine tools
The safety-related devices and equipment on machine tools are of special significance within the control and installation systems of machine tools. On one hand, the legal and standards requirements which define, using hazard analysis, the scope and quality of the safety technology to avoid or reduce potential hazards. On the other hand, the continually increasing performance parameters of today's production systems. These include, for example, maximum axis velocity, acceleration and availability which is reflected in the Overall Machine Effectiveness (OME). In order to guarantee the effectiveness of safety technology in today's protection systems, i.e. to fulfill the requirements for personnel protection in line with that required in practice, innovative concepts are required. In this case, innovative safety technology should be considered to be a technology which does not lag behind the control and installation technology applied in the area of non-safety-relevant automation technology. For instance, features such as flexibility, diagnostics capability and standardization.
Safety technology integrated in drives and control systems
It becomes even more necessary to have flexible safety circuits, on and in machine tools, which take into account everyday operator situations, if the creative capabilities of the machine operator are to be fully utilized in a production environment. From the perspective of personnel protection, the performance parameters of the machine required in automated production facilities must be reduced to a safe level when operators have to intervene.
When considering the performance of today's drives and production-related secondary conditions, safety drive functions and safely monitored drive statuses should be considered to be part of the basic functionality of modern variable-speed drives in production systems.
Furthermore, the ability to emulate all of the safety-relevant logic operations in the software allows, on the one hand, a significantly stronger differentiation to be made regarding operator control, and on the other hand, costs to be significantly reduced over conventional solutions using devices with contacts. The requirements placed on safety and the ability to be integrated into existing control structures are fulfilled by using existing control sub-systems which can communicate with one another and redundant shutdown paths.
Distributed and standardized installation technology in the machine environment
Ongoing developments in the area of non-safety-relevant installation technology clearly show the way how to maximize cost-saving potential by using distributed concepts and standardized interfaces for installation in the machine environment. By using plug connections and pre-assembled cables in the field area and by reducing the number of versions of manufacturer-specific field-bus components, the machine OEM, the machine operator as well as the component manufacturers reap the benefits - from both a cost and functionality perspective. Simultaneously transferring safety-relevant and non-safety-relevant data along one bus system based on a standard fieldbus system significantly reduces the configuring/engineering, components, installation and commissioning costs.
Fig. 1 Distributed and standardized installation technology in the machine environment (diagram). Labels: digital drives (FD, MSD, I/R), NC, MMC, PLC; non-safety-related and safety-related I/O; fieldbus interface; safety I/O; line contactor; cabinet, communications and field installation; axis motors (M x) and spindle motor (M Spindle, M3~); EMERGENCY OFF; tumbler mechanism; interlocking functions; servo drives, I/O and safety-relevant I/O; cable colors for servo, measuring system, fieldbus, actuator/sensor and power; components marked as safety-relevant; additional terminal to safely shut down drives.
The increasing number of DESINA components (DESINA = Distributed Standardized Installation technology on machine tools) in the market and the significant interest on the part of the machine OEMs and users confirms the efforts made by the Verein Deutscher Werkzeugmaschinenfabriken e.V. (VDW) and the Institute for Machine Tools and Business Sciences (iwb) to incorporate safety components in the standardization process in compliance with DESINA. The structure of a unified safety concept for machine tools, which encompasses the above mentioned issues relating to the integration into the drive and control system, including DESINA, is illustrated in the diagram.
Summary
Current research work at iwb indicates that, as a result of understanding the safety-relevant behavior of moving machine parts and their specific interaction early on, in the near future, it will be taken for granted that innovative safety systems will establish themselves in machine tools.
Examples include bus-based data transfer and data processing integrated in the control. The advantages of being able to take into account the detailed operator requirements of machine tool operators, the improved effectiveness of safety technology and ongoing cost reduction will only become reality when component manufacturers and development engineers are ready to accept new concepts and solutions openly and without any preconceptions.
D. Seibel, Head of Electrical Engineering Department, Berufsgenossenschaft der Feinmechanik und Elektrotechnik (The professional Association of Precision Mechanics and Electrical Industries, Cologne)
International discussions relating to fault control/fault analysis were initiated using the main regulations from Section 5.7 of EN 60204-1, Electrical Equipment of Industrial Machines, status 1985. The safety considerations (protective goals), which are derived from the contents of the Standard, especially in the application field Electrical controls, automatically lead inevitably and logically to different solutions. The goal of all of the basic solutions presented was, and still is, to create a unified, binding safety Standard within the European Community.
Hazard potential
A general control design (Graphic 2) must be the global starting point for practical safety philosophy. Depending on the potential hazard and the machine-specific operating conditions, it is necessary to have a graded level of safety for the switching logic (general control circuits). The risk evaluation is a mandatory prerequisite. Protective measures must be implemented, adapted to the hazard potential and orientated to the particular process.
Personnel protection
Protective devices must be provided everywhere, where plant and machinery can represent potential hazards. Moving protective devices, which mechanically isolate machine parts, i.e. protective doors, are some of the preferred ways of protecting personnel in the operating area of machines in industrial production plants, from hazardous motion or other dangers. In order to guarantee the specified personnel-protective function, moving protective devices must be implemented and electrically interlocked, so that personnel cannot enter the hazardous area before the dangerous conditions have been removed (e.g. rotational movement of a machine tool).
Redundancy
Conventional safety circuits, in conjunction with the interlocking systems, almost completely fulfill the required personnel-protective functions. The types of failures which can be expected along with the associated safety risks are generally known and the technical solutions used to overcome these problems are available and accepted (e.g. redundancy).
The position switch is the core of every latching or interlocking function. This must at least include one positively opening contact (positively opening/positively isolating). If the protective device is opened, the NC contact in the position switch must safely interrupt the safety circuit.
Application examples
In order to make it easier to select and mount the different latching systems and to ensure the required circuit interlocking of the safety-relevant signal sensors with the downstream actuators (power contactors, relays), the German Trade Association [Berufsgenossenschaften] has drawn up and presented numerous application examples. The individual solutions are shown as examples in the following documents from the German Trade Association:
BGI 575 Pamphlet to select and mount electro-mechanical latching-interlocking devices for safety functions
and
BGI 670 Pamphlet to select and mount proximity switches in latching/interlocking devices for safety functions
A positively driven relay must be used if it is necessary to identify a fault (e.g. if a relay does not drop out).
Fig. 2 General configuration of a machine control system (DIN VDE 0113/11.98). Elements shown: main control; control voltage ON/OFF; control circuits with safety functions (enable; latching systems with and without tumbler mechanism); control circuits with operating functions; load circuit with possible hazard and load circuit without hazard (each with contactor K1, motor M, n = n_rated); switches S1, S2.
Standards

The circuit versions which are presented and the associated necessary safety aspects (e.g. fault exclusion lists) have started to be included in European Standards. In this case, it is necessary to describe the two group Standards (type B Standards)

EN 1088 Safety of Machinery; Latching systems in conjunction with isolating protective devices; Guidelines for layout and selection

and

EN 954-1 Safety of Machinery; Safety-related parts of controls; Part 1: General layout guidelines

which specify a uniform evaluation Standard, independent of the application, based on the rules and regulations of the German Trade Association. This means that these evaluation Standards can also be transferred to the downstream safety and monitoring circuits. This takes into account the now available European Standard EN 60204-1 (Status 11.1998).

Typical applications include so-called relay safety combinations, which are used to transfer signals from safety trips (e.g. protective door monitoring functions, switching strips, two-hand control devices, actions under emergency situations, light barriers etc.), maintaining the required control category in compliance with EN 954-1.
Chapter 1
Standards and Regulations

1.1 General information
1.2 Regulations and Standards in the European Union (EU)
1.3 Legal requirements and Standards regarding safety at work in the US
1.4 Safety requirements for machines in Japan

1.1 General information
Objectives

The goal of safety technology is to keep the potential hazards for man and the environment as low as possible by applying and utilizing the appropriate technology. However, this should be achieved without imposing unnecessary restrictions on industrial production, the use of machines and the production of chemicals. By applying internationally harmonized regulations, man and the environment should be protected to the same degree in every country. At the same time, differences in competitive environments, due to different safety requirements, should be eliminated.

In the various regions and countries around the globe, there are different concepts and requirements when it comes to guaranteeing safety. The legal concepts and the requirements regarding what has to be proven and how, as to whether there is sufficient safety, are just as different as the assignment of the levels of responsibility. For example, in the EC, there are requirements placed both on the manufacturer of a plant or system as well as the operating company, which are regulated using the appropriate European Directives, Laws and Standards. On the other hand, in the US, requirements differ both at a regional and even at a local level. However, throughout the US, there is a basic principle that an employer must guarantee a safe place of work. In the case of damage, as a result of the product liability, the manufacturer can be made liable due to the association with his product. In other countries and regions, other principles apply.

What is important for the manufacturers of machines and plant construction companies is that the legislation and rules of the location in which the machine or plant is being operated always apply. For instance, the control system of a machine which is operated and used in the US must fulfill US requirements, even if the machine manufacturer (i.e. OEM) is based in Europe. Even though the technical concepts with which safety is to be achieved are subject to clear technical principles, it is still important to observe whether legislation or specific restrictions apply.

Functional safety

From the perspective of the object to be protected, safety cannot be segregated. The causes of hazards and the technical measures applied to avoid them can differ widely. This means that a differentiation is now made between various types of safety, e.g. by specifying the cause of the potential hazard. For instance, the term electrical safety is used if protection has to be provided against electrical hazards, or the term functional safety is used if the safety is dependent on the correct function.

This differentiation is now reflected in the most recent Standards, in so much that there are special Standards which are involved with functional safety. In the area of machinery safety, EN 954 deals specifically with safety-relevant parts of control systems and therefore concentrates on functional safety. The IEC handles functional safety of electrical, electronic and programmable electronic systems, independent of any specific application, in the pilot Standard IEC 61508.

In IEC 61508, functional safety is defined as part of the overall safety relating to the EUC* and the EUC control system which depends on the correct functioning of the E/E/PE** safety-related systems, other technology safety-related systems and external risk reduction facilities. In order to achieve functional safety of a machine or a plant, the safety-relevant parts of the protective and control devices must function correctly, and, when a fault or failure occurs, the plant or system must remain in a safe condition or be brought into a safe condition.

To realize this, proven technology is required, which fulfills the demands specified by the relevant Standards. The requirements to achieve functional safety are based on the following basic goals:

Avoid systematic faults,
Control systematic faults,
Control random faults or failures.

The measure for the level of achieved functional safety is the probability of the occurrence of dangerous failures, the fault tolerance and the quality which should be guaranteed by avoiding systematic faults. In the Standards, this is expressed using various terms. In IEC 61508: Safety Integrity Level (SIL), in EN 954: Categories, and in DIN V 19250 and DIN V VDE 0801: Requirement classes (AK).

Standardization goals

The demand to make plant, machines and other equipment as safe as possible using state-of-the-art technology comes from the responsibility of the manufacturers and users of equipment for their safety. All safety-significant aspects of using state-of-the-art technology are described in the Standards. By maintaining and fulfilling these standards, it can be ensured that state-of-the-art technology is applied, therefore ensuring that the company erecting a plant or the manufacturer producing a machine or a device has fulfilled his responsibility for ensuring safety.

Note: The Standards, Directives and Laws listed in this Manual are just a selection to communicate the essential goals and principles. We do not claim that this list is complete.
* EUC: Equipment under control
** E/E/PE: Electrical, electronic, programmable electronic
1.2 Regulations and Standards in the European Union (EU)

1.2.1 Basic principles of European legislation*

Legislation states that we must focus our efforts "... on preserving and protecting the quality of the environment, and protecting human health through preventive actions" (Council Directive 96/82/EC, Seveso II).

It also demands "Health and safety at the workplace" (Machinery Directive, workplace health and safety legislation, ...). Legislation demands that this and similar goals are achieved for various areas (areas which are legislated) in the EC Directives. In order to achieve these goals, legislation places demands on the operators and users of plant, and the manufacturers of equipment and machines. It also assigns the responsibility for possible injury or damage.

The EC Directives

Specify demands placed on plant and systems and their operators/users to protect the health and safety of personnel and environmental quality;
Contain regulations about health and safety at the workplace (minimum requirements);
Define product features and characteristics to protect the health and safety of users;
Make a differentiation between requirements placed on the realization and implementation of products to guarantee free trade and the requirements regarding the use of products.

The EC Directives which are associated with implementing new products are based on a new global concept (new approach, global approach):

EC Directives only contain general safety goals and define fundamental safety requirements.
Standards Committees which have received an appropriate mandate from the EC Commission (CEN, CENELEC) can define technical details in the Standards. These Standards are harmonized under a specific Directive and are listed in the Official Journal of the EC. When the harmonized standards are fulfilled, then it is assumed that the associated safety requirements of the directives are also fulfilled (for more detailed information, refer to Section 1.2.3 Safety of Machinery).
Legislation no longer specifies that specific standards have to be met. However, it can be reasonably assumed that when specific standards are observed, the associated safety goals of the EC Directives are fulfilled.
EC Directives specify that Member States recognize each other's national regulations and laws.

The EC Directives have the same degree of importance, i.e. if several Directives apply for a specific piece of equipment or device, then the requirements of all of the relevant Directives have to be met (e.g. for a machine with electrical equipment, the Machinery Directive and the Low-Voltage Directive apply).

Other regulations apply to equipment where the EC Directives are not applicable. They include regulations and criteria for voluntary tests and certifications.

The list of EC Directives with the associated lists of harmonized standards is provided on the Internet under:

http://www.NewApproach.org/directiveList.asp

Low-Voltage Directive

The Low-Voltage Directive (73/23/EC) applies to electrical equipment with rated voltages in the range between 50 and 1000 V AC or between 75 and 1500 V DC (for the revision presently being carried out, it is possible that the lower voltage limits may be omitted). This is a New Approach Directive. EN 60204-1 is listed under the Low-Voltage Directive for Electrical equipment of machines. This means that if EN 60204-1 is fulfilled, then it can be reasonably assumed that the Directive is fulfilled.

(Note: The requirements to fulfill the Low-Voltage Directive are not discussed in any more detail in this Manual.)

* Note: The EFTA countries have decided to adopt the EC concept.

1.2.2 Health and safety at the workplace in the EC

The requirements placed on health and safety at the workplace are based on Article 137 (previously 118a) of the EC Treaty. The Master Directive "Health and Safety of Personnel at the Workplace" (89/391/EC) specifies minimum requirements for safety at the workplace. The actual requirements are subject to domestic legislation and can exceed the requirements of these Master Directives. The requirements involve the operation of products (e.g. machines), and not their implementation.
1.2.3 Safety of Machinery in Europe

Machinery Directive (98/37/EC)*

With the introduction of a common European market, a decision was made to harmonize the national standards and regulations of all of the EC Member States. This meant that the Machinery Directive, as an internal Directive, had to be implemented in the domestic legislation of the individual Member States. In Germany, the contents of the Machinery Directive were implemented as the 9th Decree of the Equipment Safety Law. For the Machinery Directive, this was realized with the goal of having unified protective goals and to reduce trading barriers. The area of application of the Machinery Directive corresponds to its definition "Machinery means an assembly of linked parts or components, at least one of which moves ...", which encompasses a wide scope. With the Change Directives, the area of application has been subsequently extended to safety components and interchangeable equipment. The Machinery Directive involves the implementation of machines.

Machinery is also defined as "an assembly of machines which, in order to achieve the same end, are arranged and controlled so that they function as an integral whole".

The application area of the Machinery Directive thus ranges from a basic machine up to a complete plant.

The Machinery Directive has 14 Articles and 7 Annexes.

The basic health and safety requirements in Annex I of the Directive are mandatory for the safety of machinery.

Fig. 1/1 Overview of the Machinery Directive

Articles:
Art. 1 to Art. 7: Application area, selling, marketing, freedom of movement, health and safety requirements
Art. 8 to Art. 9: Certification procedure
Art. 10 to Art. 12: CE marking, protection against arbitrary fulfillment
Art. 13 to Art. 14: Coming into force, transitional regulations, cancellation of the regulations

Annexes (with the Articles they refer to):
I: Essential health and safety requirements relating to the design and construction of machinery, interchangeable equipment and safety components (Art. 3, 5, 10)
II: 1. EC Declaration of Conformity for machinery, interchangeable equipment and safety components (Art. 4, 5, 8); 2. Manufacturer's declaration for specific components of the machinery / non-functioning machines (Art. 4)
III: CE marking (Art. 10)
IV: Types of machinery and safety components where the procedure acc. to Article 8 must be applied
V: EC Declaration of conformity for machinery, interchangeable equipment and safety components (Art. 8)
VI: EC type examination for machinery, interchangeable equipment and safety components (Art. 8)
VII: Minimum criteria for testing bodies (Art. 9)

* replaces 89/392/EC, 91/368/EC, 93/44/EC, 93/68/EC.

In selecting the most appropriate methods, the manufacturer must apply the following principles, in the order given (Annex I, Paragraph 1.1.2):

a) The machine design must guarantee that operation, equipping and maintenance, when the machine is correctly used, does not represent any potential danger to personnel. The measures must exclude any risk of accident ...

b) "When selecting the appropriate solutions, the manufacturer must apply the following basic philosophy, and more specifically in the specified sequence:

Eliminate or reduce the risks as far as possible (integrating the safety concept into the development and the construction of the machine);
Take the necessary protective measures against risks that cannot be eliminated;
Inform users of the residual risks due to any shortcomings of the protection measures adopted."

The protection goals must be responsibly implemented in order to fulfill the demand for conformance with the Directive.

The manufacturer of a machine must prove that the basic requirements have been fulfilled. This proof is made easier by applying harmonized standards. A certification technique is required for machines listed in Annex IV of the Machinery Directive, which represent a more significant hazard potential. (Recommendation: Machinery which is not listed in Annex IV can also represent a high potential hazard and should be appropriately handled.) The precise technique to define whether compliance with the goals exists is defined in Chapter II of the Directive.

Fig. 1/2 Annex IV of the Machinery Directive: Types of machinery and safety components for which the procedure referred to in Article 8, Paragraph 2, Letters b) and c) must be applied.

A. Machinery
1. Circular saws (single or multi-blade) for working with wood and analogous materials or for working with meat and analogous materials
1.1. Sawing machines with fixed tool during operation, having a fixed bed with manual feed of the workpiece or with a demountable power feed
1.2. Sawing machines with fixed tool during operation, having a manually operated reciprocating saw-bench carriage
1.3. Sawing machines with fixed tool during operation, having a built-in mechanical feed device for the workpieces, with manual loading and/or unloading
1.4. Sawing machines with movable tool during operation, with a mechanical feed device and manual loading and/or unloading
2. Hand-fed surface planing machines for woodworking
3. Thicknessers for one-side dressing with manual loading and/or unloading for woodworking
4. Band-saws with fixed or mobile bed and band-saws with a mobile carriage, with manual loading and/or unloading, for working with wood and analogous materials or for working with meat and analogous materials
5. Combined machines of the types referred to in 1 to 4 and 7 for working with wood and analogous materials
6. Hand-fed tenoning machines with several tool holders for woodworking
7. Hand-fed vertical spindle molding machines for working with wood and analogous materials
8. Portable chain saws for woodworking
9. Presses, including press-brakes, for the cold working of metals, with manual loading and/or unloading, whose movable working parts may have a travel exceeding 6 mm and a speed exceeding 30 mm/s
10. Injection or compression plastic-molding machines with manual loading or unloading
11. Injection or compression rubber-molding machines with manual loading or unloading
12. Machinery for underground working of the following types: machinery on rails: locomotives and brake-vans; hydraulic-powered roof supports; internal combustion engines to be fitted to machinery for underground working
13. Manually-loaded trucks for the collection of household refuse incorporating a compression mechanism
14. Guards and detachable transmission shafts with universal joints as described in Section 3.4.7
15. Vehicle-servicing lifts
16. Devices for the lifting of persons involving a risk of falling from a vertical height of more than 3 meters
17. Machines for the manufacture of pyrotechnics

B. Safety components
1. Sensor-controlled devices to detect persons, e.g. light barriers, sensor mats, electromagnetic detectors
2. Logic units which ensure the safety functions of bimanual controls
3. Automatic movable screens to protect the presses referred to in 9, 10 and 11 (Letter A)
4. Rollover protection structures (ROPS)
5. Falling-object protective structures (FOPS)
Standards

To sell, market or operate/use products, these products must fulfill the basic safety requirements of the EC Directives. Standards can be extremely helpful when it involves fulfilling these safety requirements. In this case, a differentiation must be made between harmonized European Standards and other Standards which, although they are ratified, have still not been harmonized under a specific Directive, as well as other technical rules and regulations, which are also known as National Standards in the Directives.

Ratified Standards describe recognized state-of-the-art technology. This means that, by proving that he has applied them, a manufacturer can prove that he has fulfilled what is recognized state-of-the-art technology.

Generally, all Standards which have been ratified as European standards must be included, unchanged, in the domestic (national) Standards of the Member States. This is independent of whether they are harmonized under a particular Directive or not. Existing National Standards handling the same subject must then be withdrawn. Thus, within a period of time in Europe, a unified set of regulations will be created (without any contradictions).

Note: IEC 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems" is an important Standard which has not been harmonized under a particular EC Directive, as there is no appropriate harmonized standard. It is ratified as EN 61508. The German Draft Standards DIN V VDE 0801 and DIN V 19250 and 19251 will therefore be withdrawn by August 2004.

Harmonized European Standards

These are drawn up by the two standards organizations CEN (Comité Européen de Normalisation) and CENELEC (Comité Européen de Normalisation Électrotechnique) as mandated by the EC Commission in order to fulfill the requirements of the EU Directives for a specific product, and must be published in the Official Journal of the European Communities. These Standards (EN Standards) are then transferred into the national standards unchanged.

They are used to fulfill the basic health and safety requirements and the protective goals specified in Annex I of the Machinery Directive.

DIN and DKE are the contact partners for CEN / CENELEC.

By fulfilling such harmonized standards, there is an automatic presumption of conformity, i.e. the manufacturer can be trusted to have fulfilled all of the safety aspects of the Directive as long as they are covered in the particular Standard. However, not every European Standard is harmonized in this sense. The listing in the European documentation is definitive. The latest versions can be found on the Internet (address: http://www.NewApproach.org/directiveList.asp).

Fig. 1/3 European Standards for Safety of Machinery (also refer to Section 8, List of harmonized standards)

Type A Standards (basic safety standards): basic design principles and terminology for machines
  EN 292 Safety of Machinery, Basic terminology, general design principles
  EN 1050 Safety of Machinery, Principles of risk assessment
  etc.

Type B Standards (group safety standards; B1 Standards: general safety aspects, B2 Standards: reference to special protective devices)
  EN 294 Safety clearances against accessing dangerous locations with the upper limbs
  EN 349 Minimum clearances to prevent parts of the body being crushed
  EN 1088 Safety of machines, inter-latching devices with and without tumbler
  EN 60204-1 Electrical equipment of machines
  EN 954 Safety-relevant parts of control systems
  EN 574 Two-hand circuit
  EN 418 Emergency stop equipment, functional aspects, design guidelines
  EN 61496-1 Light barriers, light curtains

Type C Standards (specialist standards): special safety features for individual machine groups, specific requirements on specific machines
  EN 81-3 Elevators
  EN 201 Injection molding machines
  EN 692, EN 693 Presses and shears
  EN 12415, EN 12418 Numerically controlled lathes

Note for users: If harmonized C Standards exist for the particular product, then the associated B and, if relevant, also the A Standards can be considered as secondary.
The European Standards for the safety of machinery are hierarchically structured as follows:

A Standards, also known as Basic Standards.
B Standards, also known as Group Standards.
C Standards, also known as Product Standards.

The diagram above shows the structure.

Type A Standards/Basic Standards

Type A Standards contain basic terminology and definitions for all machines. This includes EN 292 "Safety of machinery - Basic concepts, general principles for design".

Type A Standards primarily address those parties setting B and C Standards. The techniques for minimizing risks specified there can, however, also be helpful for manufacturers if there are no relevant C Standards.

Type B Standards/Group Standards

These include all Standards with safety-related statements which can involve several types of machines.

Type B Standards also primarily address those parties setting C Standards. However, they can also be helpful for manufacturers when designing and constructing machinery if there are no relevant C Standards.

For B Standards an additional subdivision was made:

Type B1 Standards for higher-level safety aspects, e.g. ergonomic design principles, safety distances from potential sources of danger, minimum clearances to prevent crushing of body parts.
Type B2 Standards for safety equipment are specified for various machine types, e.g. EMERGENCY STOP equipment, two-hand controls, interlocking/latching, non-contact protective devices, safety-related parts of controls.

Type C Standards/Product Standards

These involve the machinery-specific Standards, e.g. for machine tools, woodworking machines, elevators, packaging machines, printing machines etc.

The European Standards are structured so that general statements which are already included in type A or type B standards are not repeated. References to these are made in type C Standards.

Product Standards include machinery-specific requirements. These requirements, under certain circumstances, deviate from the Basic and Group Standards. For machinery OEMs, type C Standards/Product Standards have the highest priority. They (the machinery OEMs) can then assume that they fulfill the basic requirements of Annex I of the Machinery Directive (automatic presumption of conformity). If there is no Product Standard for a particular machine, then Type B Standards can be applied for orientation purposes when constructing machinery.

In order to provide a method to harmonize the basic requirements of the Directive, with the mandate of the EC Commission, harmonized standards were drawn up in the technical committees of CEN and CENELEC for machinery or machinery groups for almost all areas. Drawing up the standards essentially involves representatives of the manufacturers of the particular machinery, the regulatory bodies such as Trade Associations, as well as users. An overview of the most important type A, B and C standards is provided in Section 8. A complete list of all of the listed Standards as well as the activities associated with Standards - with mandate - is provided on the Internet under:

http://www.NewApproach.org/directiveList.asp

Recommendation: Technology is progressing at a tremendous pace, which is also reflected in changes made to machine concepts. For this reason, especially when using Type C Standards, they should be checked to ensure that they are up-to-date. It should also be noted that it is not mandatory to apply the standard; instead, the safety objective must be achieved.

National Standards

If harmonized European Standards are not available, or they cannot be applied for certain reasons, then the manufacturer can utilize National Standards. All of the other technical rules fall under this term, e.g. also the accident prevention regulations and standards which are not listed in the European Council Journal (also IEC or ISO Standards which were ratified as EN). By applying ratified standards, the manufacturer can prove that recognized state-of-the-art technology was fulfilled. However, when such standards are applied, the above-mentioned automatic presumption of conformity does not apply.
Risk evaluation/assessment

As a result of their general design and functionality, machines and plants represent potential risks. Therefore, the Machinery Directive requires a risk assessment for every machine and, if relevant, risk reduction, so that the remaining risk is less than the tolerable risk. The following Standards should be applied for the technique to assess these risks:

EN 292 Safety of machinery, Basic concepts, general principles for design, and
EN 1050 Safety of machinery, Principles for risk assessment

EN 292 mainly handles the risks to be evaluated and design principles to reduce risks. EN 1050 basically handles the iterative process with risk assessment and risk reduction to achieve safety.

Risk assessment

Risk assessment is a sequence of steps which allows hazards caused by machines to be systematically investigated. Where necessary, the risk assessment phase is followed by risk reduction. The iterative process (refer to Graphic 1/5) is obtained by repeating this procedure. This allows potential hazards to be removed as far as possible, and allows the appropriate protective measures to be taken.

The risk assessment includes:

Risk analysis
a) Determining the limits of the machine (EN 292, EN 1050 Paragraph 5)
b) Identification of hazards (EN 292, EN 1050 Paragraph 6)
c) Techniques to estimate risks (EN 1050 Paragraph 7)

Risk evaluation (EN 1050 Paragraph 8)

After risks have been estimated, a risk evaluation is made as part of an iterative process to achieve safety. In this case, a decision has to be made whether it is necessary to reduce a risk. If the risk is to be further reduced, suitable protective measures must be selected and applied. The risk evaluation must then be repeated.

If the required degree of safety has still not been reached, measures are required to further reduce the risk. The risk must be reduced by suitably designing and implementing the machine, for instance using suitable control or protective measures for the safety functions (also refer to the Section Requirements of the Machinery Directive). If the protective measures involve interlocking or control functions, then these must be configured in accordance with EN 954. When using electronic controls and bus systems to implement these protective measures, then, in addition, IEC / EN 61508 must also be fulfilled.

Standard EN 1050 calls this operation an iterative process to achieve safety (refer to Fig. 1/5). Risk elements are defined as a support tool to evaluate risks. Graphic 1/4 shows the inter-relationship between these risk elements.

Fig. 1/4 Risk elements: the risk related to the considered hazard is a function of the severity of the possible harm for the considered hazard and the probability of occurrence of that harm; the latter is composed of the frequency and duration of exposure, the probability of occurrence of the hazardous event and the possibility to avoid or limit the harm.

Fig. 1/5 Iterative process to achieve safety in accordance with EN 1050: START; determine the machine limits; identify the hazard; risk estimation (these three steps form the risk analysis); risk evaluation (risk analysis plus risk evaluation form the risk assessment); is the machine safe? If YES: END; if NO: reduce risk and repeat from the beginning. Risk reduction and the selection of appropriate safety measures are not part of the risk assessment. For a further explanation, refer to Section 5 of EN 292-1 (1991) and EN 292-2.
Residual risk (EN 1050)
Safety is a relative term in our technical environment. Unfortunately, it is not possible to implement the so-called zero risk guarantee where nothing can happen under any circumstances. The residual risk is defined as: risk which remains after the protective measures have been implemented. In this case, protective measures represent all of the measures to reduce risks.
Reducing risks
In addition to applying structural measures, risk reduction for a machine can also be realized using safety-relevant control functions. For these control functions, special requirements must be observed, which are classified according to the level of risk. These are described in EN 954-1 and, for complex control systems with programmable electronics, in IEC 61508.

Fig. 1/6 Possible selection of the Categories in accordance with EN 954-1
Starting point for estimating the risk of the safety-related part of the control (risk graph):
S Severity of the injury: S1 slight (normally reversible) injury; S2 severe (normally irreversible) injury including death.
F Frequency and/or exposure time to the hazardous condition: F1 seldom up to quite often and/or the exposure time is short; F2 frequent up to continuous and/or the exposure time is long.
P Possibility of avoiding the hazard: P1 possible under specific conditions; P2 scarcely possible.
Selecting the category: the branches of the graph (S1; S2-F1-P1; S2-F1-P2; S2-F2-P1; S2-F2-P2) lead to the Categories B, 1 to 4 for safety-related parts of control systems. For each branch the figure distinguishes the preferred category for the reference point, possible categories requiring further steps, and measures which can be over-dimensioned for the relevant risk.
The requirements placed on safety-relevant parts of control systems are classified in categories according to the level of risk. Techniques to select a suitable Category as reference point for configuring the various safety-related parts of a control system are recommended in Annex B of EN 954-1 (refer to Fig. 1/6). A detailed concept to evaluate the risk and to determine the necessary requirements placed on the control system is presently being drawn up in the form of Draft IEC 62061. It is important that all of the parts and components of the controls which are involved in implementing the safety-relevant function fulfill these requirements.
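The risk graph of EN 954-1 Annex B (Fig. 1/6) and the iterative loop of EN 1050 (Fig. 1/5) can be written down as a small decision procedure. The following is an added example written for this edition of the text, not code from the manual or from Siemens. Two things in it are assumptions: the mapping of the five graph paths S1, S2-F1-P1, S2-F1-P2, S2-F2-P1 and S2-F2-P2 onto the reference Categories B, 1, 2, 3 and 4 in that order (the usual reading of the Annex B figure), and the rule that one category below the reference point counts as "possible, requiring further steps" while anything above it is "over-dimensioned". The sample hazard and the two protective measures are constructed for illustration.

```python
"""Risk graph (EN 954-1 Annex B) and iterative risk reduction (EN 1050).

Added example, not code from the manual. Assumptions (also in the lead-in):
- PREFERRED maps the five graph paths onto Categories B, 1, 2, 3, 4 in order.
- One category below the reference point is "possible, requires further
  steps"; categories above it are "over-dimensioned". Take the exact bands
  from Fig. 1/6 or the standard before relying on them.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class S(Enum):  # severity of the injury
    S1 = "slight, normally reversible injury"
    S2 = "severe, normally irreversible injury including death"


class F(Enum):  # frequency and/or exposure time
    F1 = "seldom up to quite often and/or short exposure"
    F2 = "frequent up to continuous and/or long exposure"


class P(Enum):  # possibility of avoiding the hazard
    P1 = "possible under specific conditions"
    P2 = "scarcely possible"


CATEGORIES = ("B", "1", "2", "3", "4")

# Assumption: diagonal reading of the Annex B risk graph.
PREFERRED = {
    (S.S1, None, None): "B",
    (S.S2, F.F1, P.P1): "1",
    (S.S2, F.F1, P.P2): "2",
    (S.S2, F.F2, P.P1): "3",
    (S.S2, F.F2, P.P2): "4",
}


def reference_category(s: S, f: Optional[F] = None, p: Optional[P] = None) -> str:
    """Walk the graph: S1 reaches a category at once, S2 asks F and then P."""
    if s is S.S1:
        return PREFERRED[(S.S1, None, None)]
    if f is None or p is None:
        raise ValueError("an S2 hazard needs F and P to reach a category")
    return PREFERRED[(s, f, p)]


def classify_choice(chosen: str, reference: str) -> str:
    """Relate a chosen Category to the reference point (assumed bands)."""
    delta = CATEGORIES.index(chosen) - CATEGORIES.index(reference)
    if delta == 0:
        return "preferred"
    if delta == -1:
        return "possible, requires further steps"
    if delta < -1:
        return "insufficient for this risk"
    return "over-dimensioned for this risk"


@dataclass
class Hazard:
    name: str
    s: S
    f: Optional[F] = None
    p: Optional[P] = None


# A protective measure changes the risk elements of Fig. 1/4 (severity,
# exposure, avoidability) and so moves the hazard onto another graph path.
Measure = Tuple[str, Callable[[S, Optional[F], Optional[P]], tuple]]


def iterate_to_safety(hazard: Hazard, measures: List[Measure],
                      is_acceptable: Callable[[str], bool]):
    """Fig. 1/5 loop: estimate, evaluate, reduce, repeat until judged safe.

    Returns (final reference category, names of measures applied). Raises
    RuntimeError when the measures are exhausted while the residual risk is
    still unacceptable, i.e. further measures are required."""
    s, f, p = hazard.s, hazard.f, hazard.p
    applied: List[str] = []
    queue = list(measures)
    while True:
        category = reference_category(s, f, p)      # risk estimation
        if is_acceptable(category):                  # risk evaluation
            return category, applied
        if not queue:
            raise RuntimeError(f"{hazard.name}: residual risk still at Category {category}")
        name, apply = queue.pop(0)                   # risk reduction
        s, f, p = apply(s, f, p)
        applied.append(name)


# Constructed sample measures (illustrative only, not from the manual).
def fixed_guard(s, f, p):        # reduces exposure: F2 -> F1
    return s, (F.F1 if f is F.F2 else f), p


def limited_force(s, f, p):      # lowers severity: S2 -> S1
    return S.S1, f, p


if __name__ == "__main__":
    hazard = Hazard("crushing point at tool (constructed)", S.S2, F.F2, P.P2)
    print("reference point:", reference_category(hazard.s, hazard.f, hazard.p))
    print(iterate_to_safety(hazard,
                            [("fixed guard", fixed_guard), ("limited force", limited_force)],
                            is_acceptable=lambda c: c in ("B", "1", "2")))
```

The `is_acceptable` callback stands for the "Is the machine safe?" decision of Fig. 1/5: it is deliberately left to the caller, because the acceptable residual risk is a result of the risk evaluation for the particular machine, not a property of the graph.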
After the control has been implemented, it is necessary to check whether the requirements of the selected Category have been fulfilled. The control must be validated. The details of how this validation process is actually carried out and what has to be taken into account are described in Section 2 of EN 954. Presently, this section is available as Draft prEN 954-2.
The adjacent table (Fig. 1/7) shows a brief summary of the requirements for the various categories. The complete text of the requirements is contained in EN 954-1 Safety-related parts of control systems, Section 6 Categories. Basic requirements for configuring control systems are defined in the various categories. These are intended to make the systems tolerant to hardware failures.
Additional aspects must be taken into consideration for more complex control systems, especially programmable electronic systems, so that
- random hardware failures can be controlled,
- systematic errors/faults in the hardware and software are avoided,
- systematic errors/faults in the hardware and software can be controlled,
and sufficient functional safety is achieved for safety-critical tasks. The necessary requirements are described in the International IEC 61508 Standard (the previous DIN V VDE 0801 will be withdrawn in August 2004 as part of the European harmonization of EN 61508) and, for contactless protective devices such as light arrays or laser scanners, in IEC / EN 61496-1. The scope of the required measures is also graded corresponding to the risk reduction required.
In order to support the implementation and application of these systems, other standards are presently being developed: IEC 62061 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems, and IEC 61800-5-2 Adjustable speed electrical power drive systems - Functional safety requirements.
Validation
The subject of validation is handled in the Draft Standard prEN 954-2 Safety of machinery - Safety-related parts of control systems. In this case, validation means that the safety functionality to be achieved is checked and evaluated. This Standard corresponds to the status of a B1 safety group Standard (general safety aspects). The purpose of the validation is to confirm the definitions and level of conformity of the safety-related parts of the controls within the overall definition of safety requirements on the machinery.
Fig. 1/7 Description of the requirements for the Categories in accordance with EN 954-1
Columns of the original table: Category 1), Summary of requirements, System behavior 2), Principles to achieve safety.

Category B (principles to achieve safety: mainly characterized by selection of components)
Summary of requirements: Safety-related parts of control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence.
System behavior: The occurrence of a fault can lead to the loss of the safety function.

Category 1 (mainly characterized by selection of components)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behavior: The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than for Category B.

Category 2 (mainly characterized by structure)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machine control system.
System behavior: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check.

Category 3 (mainly characterized by structure)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function, and, whenever reasonably practicable, the single fault is detected.
System behavior: When the single fault occurs, the safety function is always performed. Some but not all faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.

Category 4 (mainly characterized by structure)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
System behavior: When the faults occur, the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function.

1) The categories are not intended to be used in any given order or in any given hierarchy in respect of safety requirements.
2) The risk assessment will indicate whether the total or partial loss of the safety function(s) arising from faults is acceptable.
The validation must show that every safety-related part or component fulfills the requirements laid down in EN 954-1. The following aspects are described:
- Validation using analysis
- Validation using testing
- Fault lists
- Validation of safety functions
- Validation of categories
- Validation of the environment requirements
- Validation of the service/maintenance requirements
An overview of the validation technique in compliance with EN 954-2 is shown in Fig. 1/8.
The validation plan must identify and describe the requirements to carry out the validation technique for the defined safety functions and their categories. Where appropriate, it must also document these. Fig. 1/9 illustrates the requirements placed on the documentation corresponding to the various Categories.
The requirements described in EN 954-1 are not adequate for systems utilizing programmable electronic systems. This is the reason that EN 954-2 specifies that additional standards, e.g. IEC 61508 or, for contactless protective devices, IEC 61496, are used for validation.
These extensive requirements refer to the development and implementation of controls, not to the application and parameterization of certified systems such as SIMATIC S7-300F, SINUMERIK Safety Integrated, SIGUARD Laser Scanner and Light Curtains, PROFIsafe or AS-i Safety at Work.
Fig. 1/8 Overview of the validation process (from prEN 954-2)
Considerations when designing: START -> Documents, Criteria for excluding faults, Fault list.
Validation plan.
Validation principle: Analysis -> Is the analysis adequate? If NO, the analysis is repeated; if YES, Test -> Is the test complete? If NO, the test is repeated; if YES, Validation report -> END.
Fig. 1/9 Documentation requirements (from prEN 954-2)

Documentation requirements                                                   Category for which documentation is required
                                                                             B   1   2   3   4
Basic safety principles                                                      X   X   X   X   X
Stressing expected in operation                                              X   X   X   X   X
Influence of the material being processed                                    X   X   X   X   X
Performance during other relevant external influences                        X   X   X   X   X
Proven components                                                                X
Proven safety principles                                                         X   X   X   X
The test technique for safety function(s)                                            X
Defined test intervals                                                               X
Individual faults which can be predicted and have been taken into account
in the design, and the detection technique applied                                   X   X   X
All identified faults with a common cause and how they can be prevented                  X   X
How the safety function is maintained for each fault/error                               X   X
Faults which are to be detected                                                      X   X   X
Various fault groups which must be taken into account in the design                      X   X
How the safety function should be maintained for all combinations of faults                  X
Safety Integrated
The measures which are required to make a complex control adequately and functionally safe for safety tasks are extremely extensive and involve the complete development and manufacturing process. Therefore, controls have to be specifically designed to fulfill safety functions. SIMATIC S7-300F / S7-400F/FH and SINUMERIK Safety Integrated are examples of such control systems. This also applies to the communication systems PROFIsafe and AS-i Safety at Work, PROFIBUS and AS-i, which are used to transfer safety-related data.
Safety-related functions
The safety-related functions include, in addition to conventional functions such as
- Stop
- Actions in an emergency situation
- Preventing accidental starting
and, in the meantime, even complex functions, such as
- State-dependent interlocking
- Speed limiting
- Position limiting
- Speed deviation,
to name just a few.
The classic functions are defined in EN 60204-1 and were, up until now, generally implemented using mechanical components. Electronic programmable systems can also be used to implement more complex functions, if they fulfill the relevant Standards (IEC 61508, EN 954). Complex functions, e.g. which involve the behavior of variable-speed drives, are described in draft IEC 61800-5-2.
Stop
Stop categories of EN 60204-1
Three stop categories are defined in EN 60204-1 (VDE 0113 Part 1) which define the control sequence for stopping, independent of an emergency situation:
Stop Category 0: Uncontrolled stop by immediately removing the power to the machine drive elements.
Stop Category 1: Controlled stop; the power is only removed after the machine has come to a standstill.
Stop Category 2: Controlled stop, where power is still fed to the machine at standstill.
Emergency operations and actions
EN 60204-1/11.98 has, harmonized with HD 384 (IEC 60364; VDE 0100), defined the following possible actions for emergency situations (EN 60204-1 Annex D):
Action in an emergency situation includes, individually or in combination:
- Stopping in an emergency situation (EMERGENCY STOP);
- Starting in an emergency situation (EMERGENCY START);
- Power-off in an emergency situation (EMERGENCY SWITCHING-OFF);
- Power-on in an emergency situation (EMERGENCY SWITCHING-ON).
According to EN 60204-1 and EN 418, these functions are exclusively initiated by a conscious manual intervention. In the following text, only power-off in an emergency situation and stopping in an emergency situation will be discussed. The latter fully corresponds to the same terminology in the EC Machinery Directive. For reasons of simplicity, EMERGENCY SWITCHING-OFF and EMERGENCY STOP will be used in the following.
EMERGENCY SWITCHING-OFF
This is an intervention (action) in an emergency situation, which disconnects power to a complete system or installation or part of it, if there is a risk of electric shock or another risk caused by electricity (from EN 60204-1 Annex D).
Functional aspects to disconnect the power in an emergency situation are defined in IEC 60364-4-46 (this is identical to HD 384-4-46 and VDE 0100 Part 460).
Power must be disconnected in an emergency situation, where
- Protection against direct contact (e.g. with contact cables, slip ring assemblies, switchgear in electrical rooms) is only achieved by maintaining a clearance or barrier;
- Other hazards or damage could occur as a result of electric power.
Further, the following is specified in 9.2.5.4.3 of EN 60204-1:
In an emergency situation, the power supply is disconnected from the machine, which results in a Category 0 Stop.
If a Category 0 Stop is not permissible for a machine, then it may be necessary to provide other protection, e.g. against direct contact, so that power does not have to be disconnected in an emergency situation.
This means that EMERGENCY SWITCHING-OFF should be used where the risk analysis indicates a hazard due to electric voltage/power and therefore requires that the voltage is immediately disconnected from the complete machine.
In the EC, EMERGENCY SWITCHING-OFF devices fall under the Low-Voltage Directive 73/23/EC if they are not used in conjunction with machines. If they are used in conjunction with machines, then they come under the Machinery Directive 98/37/EC, as is true for all of the other electrical equipment associated with a machine.
EMERGENCY STOP
This is an action, in an emergency situation, which is defined to stop a process or movement which would otherwise have potentially hazardous consequences (from EN 60204-1 Annex D).
Further, the following is defined in 9.2.5.4.2 of EN 60204-1:
Stop
In addition to the requirements for Stop (refer to 9.2.5.3), the following requirements apply for an emergency stop:
- it must have priority over all other functions and actions in all operating modes;
- the power to the machine actuators, which could cause a hazardous condition or conditions, must be disconnected as quickly as possible without creating other hazards (e.g. using mechanical stopping/braking devices which do not require an external supply, or by using counter-current braking for Stop Category 1);
- resetting may not initiate a restart.
Stopping in an emergency situation must either be effective as a Stop Category 0 or Category 1 (refer to 9.2.2). The Stop Category in an emergency situation must be defined as the result of the risk evaluation for the particular machine.
To technically implement EMERGENCY STOP corresponding to the recommended application in the Foreword of EN 60204-1, either the requirements specified in EN 60204-1 or in EN 954 and IEC 61508 can be applied. EN 60204-1 primarily requires that this is implemented using electromechanical components, as basic (programmable) electronic systems are not safe enough. By correctly applying EN 954 and, if required, IEC 61508, electronic and programmable electronic components become functionally safe enough that they can also be used to implement EMERGENCY STOP for all categories (German National Foreword: "... this therefore clearly states that electronic equipment can also be used for EMERGENCY STOP devices independent of the Stop Category ...").
Devices for EMERGENCY SWITCHING-OFF and EMERGENCY STOP
Devices which are used to stop equipment and machinery in an emergency situation must be provided at every operator control location and also at other locations where it may be necessary to initiate a stop in an emergency situation (exception: operator control stations which are not connected through cables). In order to fulfill the protective goals specified in EN 60204-1 as well as EN 418, the following requirements apply for both functions (also refer to 10.7 in EN 60204-1):
- When contacts switch even with just a brief actuation, the control device must positively latch.
- It is not permissible that the machine can be restarted from a remote main operator control station without the hazard or danger first having been removed. The emergency off device must be consciously released again locally.
- Operator control stations which are connected without using cables must have a dedicated and clearly identified possibility of initiating the Stop function of the machine. The operator section which initiates this stop function may not be marked or labeled as a device to shut down the machine in an emergency situation.
Implementing safety-related functions
When implementing safety-related control functions using programmable electronic systems, the requirements of EN 954 and IEC 61508 must be fulfilled. When the requirements of these standards are taken into account, it is possible to implement even complex functions by using electronics and programmable electronic systems, for example a fail-safe SIMATIC or SINUMERIK. These functions can then be implemented in a safety-related fashion.
Fig. 1/10 Colors for pushbuttons and their significance in accordance with EN 60204-1 (VDE 0113 Part 1): 06.93
Man Machine
In order to simplify the interaction between man and machine, reference is made to Standards EN 60073 and DIN EN 60204.
Switches, pushbuttons and signaling lamps are predominantly used as machine components as the interface between man and the machine. These operator control elements are clearly and uniformly identified using color coding, which has a very specific significance. This guarantees that the safety of operating personnel is increased and it is easier to handle and maintain the operating resources/plants and systems.
The colors of pushbuttons, the significance of these colors, explanations and application examples are shown in Fig. 1/10.
According to DIN EN 60204-1 (VDE 0113 Part 1) the following information has to be observed:
The preferred colors for START/ON operator devices should be WHITE, GREY or BLACK, preferably WHITE. GREEN may be used, RED may not be used.
RED must be used for EMERGENCY STOP devices. The colors for STOP/OFF operator control devices should be BLACK, GREY or WHITE, preferably BLACK. RED is also permitted. It is not permissible to use GREEN.
WHITE, GREY and BLACK are the preferred colors for pushbuttons which can be used alternating as START/ON and STOP/OFF pushbuttons. It is not permissible to use RED, YELLOW or GREEN.
WHITE, GREY and BLACK are the preferred colors for pushbutton control elements which initiate an operation while they are being pressed and end that operation when they are released (e.g. jogging). It is not permissible to use RED, YELLOW or GREEN.
Color    Meaning    Explanation                                              Examples of application
RED      Emergency  Actuate in the event of a hazardous condition            EMERGENCY STOP; initiation of EMERGENCY STOP
                    or emergency                                             functions; conditional for STOP/OFF
YELLOW   Abnormal   Actuate in the event of an abnormal condition            Intervention to suppress an abnormal condition;
                                                                             intervention to restart an interrupted automatic cycle
GREEN    Normal     Actuate to initiate normal conditions or normal status   START/ON, however WHITE should preferably be used
BLUE     Mandatory  Actuate for a condition requi                            Reset function