Safety Integrated Ed4_e


  • 7/24/2019 Safety Integrated Ed4_e

    1/330

    Safety Integrated, 4th Edition

    Application Manual

    The Safety System for Industry

    The intelligent move for seamless safety technology


    The prevention of accidents should not be considered a question of legislation, but instead, our responsibility to fellow beings and economic sense.

    Werner von Siemens, Berlin in the year of 1880


    Foreword

    Standards and Regulations 1

    Fail-Safe Communications via Standard Fieldbuses 2

    Safety-Related Low-Voltage Switching Devices and Sensors (SIGUARD) 3

    Controllers: Fail-Safe Control Systems (SIMATIC) 4

    Motion Control Systems - Safe, Innovative Motion Control 5

    Applications 6

    Circuit Examples 7

    Appendix 8


    Content

    1 Standards and Regulations
    1.1 General information 1/2
    1.2 Regulations and Standards in the European Union (EU) 1/3
    1.2.1 Basic principles of European legislation 1/3
    1.2.2 Health and safety at the workplace in the EC 1/3
    1.2.3 Safety of Machinery in Europe 1/4
    1.2.4 Process technology in Europe 1/17
    1.2.5 Furnace systems in Europe 1/21
    1.3 Legal requirements and Standards regarding safety at work in the US 1/22
    1.3.1 Machine safety 1/23
    1.3.2 Process industry 1/24
    1.4 Safety requirements for machines in Japan 1/25

    2 Fail-Safe Communications via Standard Fieldbuses
    2.1 PROFIsafe 2/4
    2.2 AS-Interface Safety at Work 2/8
    2.2.1 Safety at Work Products 2/10
    2.2.2 Connecting examples 2/12
    2.2.3 Connection assignments 2/16
    2.2.4 Technical Data 2/17

    3 Safety-Related Low-Voltage Switching Devices and Sensors (SIGUARD)
    3.1 SIGUARD Control and Signaling Devices 3/2
    3.1.1 EMERGENCY STOP control devices 3/4
    3.1.2 SIGUARD cable-operated switches 3/6
    3.1.3 SIGUARD Two-hand operation consoles and foot switches 3/9
    3.1.4 SIGUARD position switches 3/12
    3.1.5 SIGUARD magnetically operated position switches 3/23
    3.1.6 SIGUARD safety switch strips 3/25
    3.1.7 SIGUARD light curtains and light grids 3/27
    3.1.8 SIGUARD light barriers 3/52
    3.1.9 SIGUARD 3RG78 3 laser scanner 3/56
    3.1.10 SIGUARD signaling devices 3/64
    3.2 SIGUARD 3TK28 Safety Combinations 3/66
    3.2.1 Safety relays 3/66
    3.2.2 Safety electronics 3/70
    3.2.3 Safety electronics with integrated contactors 3/71
    3.3 3RA7 Load Feeders with Integrated Safety Technology 3/76
    3.4 SIRIUS NET Motor Starter for AS-Interface and PROFIBUS-DP 3/81
    3.4.1 SIMATIC ET 200S SIGUARD 3/82

    4 Controllers: Fail-Safe Control Systems (SIMATIC)
    4.1 Introduction 4/2
    4.2 SIMATIC S7-400F/FH 4/4
    4.2.1 Introduction 4/4
    4.2.2 Hardware 4/4
    4.2.3 Programming 4/5
    4.2.4 Configuration 4/5
    4.2.5 Technical Data 4/7
    4.3 SIMATIC S7-300F 4/9
    4.3.1 Introduction 4/9
    4.3.2 Typical configurations 4/10
    4.3.3 Fail-safe I/O ET 200S / ET 200M 4/11
    4.3.4 Programming 4/12
    4.3.5 ET 200S fail-safe motor starter 4/13
    4.3.6 Technical Data 4/15

    5 Motion Control Systems - Safe, Innovative Motion Control
    5.1 SINUMERIK Safety Integrated: The Safety Package for Machine Tools 5/3
    5.1.1 Brief description 5/4
    5.1.2 Equipment components 5/5
    5.1.3 System requirements 5/8
    5.1.4 Safe stopping process 5/9
    5.1.5 Monitoring speed and position 5/12
    5.1.6 Logically combining safety-related process signals 5/14
    5.1.7 Integrating sensors/actuators - basics 5/15
    5.1.8 Sensor-actuator integration via separate hardware I/O from the PLC and NC 5/17
    5.1.9 Sensor/actuator integration through the fail-safe ET 200S PROFIsafe modules 5/23
    5.1.10 Protection against vertical axes dropping 5/28
    5.1.11 Basic application principles 5/31
    5.1.12 Ordering data and documentation 5/33
    5.2 Safely Operating Universal Drives 5/34
    5.3 SIMOTION Safety Unit: The safety package for metal forming technology 5/35
    5.4 Technical Support & Engineering for Safety Integrated - Motion Control Systems 5/37


    6 Applications
    6.1 Fail-Safe Communications via Standard Fieldbuses 6/2
    6.1.1 Two birds with one stone 6/2
    6.2 Safety-Related Low-Voltage Switching Devices and Sensors 6/4
    6.2.1 SIGUARD light curtains - used in the automobile industry 6/4
    6.2.2 SIMATIC ET 200S SIGUARD in the Food Industry 6/6
    6.2.3 SIMATIC ET 200S innovative electrical cabinet construction 6/10
    6.2.4 Cost effectiveness in crane construction with Safety Integrated 6/12
    6.3 Controllers: Fail-Safe Controls 6/14
    6.3.1 SIMATIC S7-400F application on an oil/gas platform 6/14
    6.4 Motion Control Systems: Safe Motion Control 6/16
    6.4.1 More safety in the automobile industry 6/16
    6.4.2 New standard for machine tools 6/17
    6.4.3 Safety technology tests safety technology 6/19
    6.4.4 Safety and speed of operation 6/20
    6.4.5 Safe standstill in the printing industry 6/22

    7 Circuit Examples
    7.1 Safety-Related Low-Voltage Switchgear and Sensors 7/2
    7.1.1 Switch safely 7/2
    7.1.2 SIGUARD 3TK28 Safety Combinations 7/5
    7.1.3 Contactless Protective Devices 7/41
    7.1.4 SIGUARD Switching Strips 7/47
    7.1.5 Circuit examples, ET 200S SIGUARD 7/48
    7.2 Controllers: Fail-safe controls 7/55
    7.2.1 Circuit examples for S7-300F 7/55
    7.2.2 Function block for the S7-300F muting function 7/57
    7.3 Motion Control Systems: Safe Motion Control 7/59
    7.3.1 Application examples for EMERGENCY STOP, stop Category 0 7/59
    7.3.2 Application examples for EMERGENCY STOP, stop Category 1 7/60
    7.3.3 Application examples for EMERGENCY SWITCHING-OFF and EMERGENCY STOP, stop Category 1 7/61
    7.3.4 Application examples for EMERGENCY STOP, stop Category 1 for several drives 7/62

    8 Appendix
    8.1 Overview, Important Basic Safety, Group and Specialist Standards under the Machinery Directive 8/2
    8.2 Important Addresses 8/8
    8.3 Terminology and Abbreviations 8/10
    8.3.1 Terminology 8/10
    8.3.2 Abbreviations 8/12
    8.4 Contact Internet & Hotlines 8/13
    8.5 Seminars on Safety Technology, Standards and Directives 8/13
    8.6 Type Test Certificates 8/18
    8.6.1 Certificates for SIMATIC Safety Integrated 8/18
    8.6.2 Certificates for SINUMERIK Safety Integrated 8/20
    8.6.3 Certificate for SIMOVERT Masterdrive 8/23
    8.6.4 Certificate for SIMODRIVE 611 U 8/24
    8.7 List of contents 8/25


    2 Safety Integrated Application Manual Siemens AG

    Dear Readers,

    Helmut Gierse, A&D Group Board

    The founder of our company, Werner von Siemens, recognized back in 1880 that accident prevention should not just be considered a question of legislation, but it is also our responsibility to fellow beings and makes economic sense.

    Today, this is also the philosophy of automation technology from Siemens. In addition to increasing availability and cost-effectiveness, our focus is always on human beings and the benefits we can provide. This philosophy is especially important where human beings work directly at machines which can represent potential hazards, or where human beings can be indirectly involved as a result of subsequent damage, e.g. due to environmental stressing.

    The fourth Edition of the successful Safety Integrated Manual presents the ongoing development of the Siemens Automation and Drives Group (A&D) and the safety products and systems: SIGUARD, SIMATIC and SINUMERIK/SIMODRIVE. For years now, these have been setting the standard in safety technology in many applications.

    Current examples include both the consequential expansion of the fail-safe SIMATIC PLCs by Distributed Safety with the S7-300F and ET 200S PROFIsafe components with the focus on the production and the new electronic 3TK28 safety combinations.

    We as A&D are taking into account, with Safety Integrated, the tremendous pace of development in the safety technology market - a market which is enjoying above average growth. The harmonization of the safety Standards within the EC and the fact that these EC Standards are being applied worldwide are the main drivers for this growth.

    Using innovative, flexible solutions, Safety Integrated is increasing the safety and availability of automation tasks, whilst also increasing the productivity. With Safety Integrated, users have access to a unified, integrated complete solution. This means standard, integrated control and field technology. A combined safety system platform will obtain new impetus as drive and process technology continue to merge.

    Innovation and success have paved the way to today's standard of safety technology: As early as the 1960's, Siemens supplied the first pre-wired safety combinations. At the beginning of the 1980's, Siemens presented the compact SIGUARD 3TK combination using safety contactor technology. At the same time, the programmable SIMATIC safety logic controller was introduced - the SIMATIC S5-110F for press controls. The SIMATIC S5-115F, launched back in 1988, represented a milestone in process technology.


    The modular SIMATIC S5-95F compact PLC, introduced in 1994, created a worldwide standard in production technology, for press controls, in process technology and in personnel transportation systems. In 1996, SINUMERIK/SIMODRIVE continued this tradition with the world's first safety-related control system for machine tools.

    This means that our customers can simply and cost-effectively implement the requirements laid down in the EC Machinery Directive which came into force in 1995. The basis for a unified, Safety Integrated system is created as a result of the certification of the safety-related communications via the standard fieldbuses - PROFIBUS in 2000 and AS-Interface in 2001. Using the high-availability safety-related SIMATIC S7-400F/HF, since 2000, safety concepts have been directly integrated, in a unified fashion, into the Totally Integrated Automation (TIA) concept.

    In 2001, an optimized solution for the production industry was introduced in the form of the S7-300F and ET200S PROFIsafe components. In parallel, the safety portfolio was expanded, in the sensor area, using the contactlessly operating SIGUARD light curtains and laser scanners.

    For automation tasks which are less complex, in the area of evaluation, it is now possible to use innovative wiring and communication solutions. For instance, 3TK28 electronic safety combinations now optionally integrate the control and main circuits in a complete unit. The standard actuator sensor interface with the Safety Monitor as well as safe input modules and direct sensor connections can now be simply expanded by safety functions.

    Safety Integrated allows user-friendly machines to be created using simple intelligent safety technology which does not obstruct standard working procedures.

    Sincerely,

    Helmut Gierse


    Thomas Lei, A&D Project Manager Safety Integrated, Siemens AG, Erlangen

    Whether for applications in the area of machine safety or process technology - state-of-the-art technology used in the automation process demands the highest degree of safety for man, machine and the environment.

    The Safety Integrated Application Manual, which has now been updated several times, clearly shows how hazards, caused by functional faults, can be reduced or completely resolved using electrical and electronic equipment and devices.

    From sensor systems through evaluation units up to safe shutdown and in the future to the actuators, for example drives - Safety Integrated now provides maximum protection against functional faults using the SIGUARD, SIMATIC and SINUMERIK/SIMODRIVE product groups.

    These product groups have already proven themselves for many years in standard automation solutions and that worldwide. These components can now also be combined in an overall system since safety-related communications via PROFIBUS and via the Actuator-Sensor interface were certified in 2000 and 2001 respectively.

    In addition to conventional hard-wiring between the individual components, as an alternative, it is also possible to use standard fieldbus systems for the safety technology. This permits a unified, integrated system and in turn, cost-effective engineering, reduces the hardware costs by using common components and simultaneously increases the plant and system availability thanks to improved diagnostics.

    Open and integrated

    An automation system mainly comprises standard components such as PLCs, drives etc. The level of safety technology of a complete plant or system can differ depending on the particular application. However, irrespective of the particular application, the safety level always comprises a series of sensors, safety evaluation units and actuators for safe shutdown. Today, the two levels of a plant or system, standard and safety related technology, are strictly separated. Generally, different engineering techniques and tools are used for these two levels. This not only results in higher costs associated with personnel training, but also in many cases, these two levels can only be linked at considerable cost.

    The requirement to achieve cost savings can be fulfilled by selecting the correct installation technology. In standard technology, the move to distributed concepts and the use of modern fieldbuses has already resulted in significant cost savings. Further cost savings in the future will be achieved by transferring additional safety-related signals along existing standard fieldbuses. Safety Integrated is the practical implementation of this concept. Using this concept, both standard and safety components can be cost-effectively combined to form a completely unified and transparent system. Costly wiring for diagnostics and feedback signals can be eliminated. Standard engineering tools and methods as well as visualization concepts guarantee cost saving in the planning phase and also during installation and service.

    Sincerely,

    Thomas Lei

    [Figure: "Safety", covering protection against heat and fire, protection against electric shock, protection against dangerous radiation, and protection against danger due to functional faults and errors]


    [Figure labels: Controlling and Sensing; Monitoring and Evaluation; Control and Stopping]


    Dr. rer. nat. M. Schaefer, Head of Division: Machinery Safety, Control Techniques in the Institute of Occupational Safety and Health, Germany

    New technologies in the name of safety

    If you compare the safety controls from the eighties employing conventional devices, with contacts and the sophisticated products of today, the advantages of intelligent safety technology using computer-based systems become quite clear:

    - New sampling-type sensors allow a finely graduated safety technology optimally adapted to the particular application
    - Computer channels, operating with high clock frequencies, result in extremely short response times
    - Intelligent software allows aging processes to be identified before they can have a dangerous influence
    - Safety fieldbus systems significantly reduce the amount of wiring and therefore potential problems, especially when troubleshooting.

    However, new technologies can only have a positive influence on safety technology if the development takes into account measures, right from the very start, for fault tolerance and avoiding faults (refer to DIN V VDE 0801 and IEC 61508). Measures such as these not only have a significant impact on the complete development process, but generally enhance the availability above and beyond the pure safety technology. The experience gained from more than 150,000 customer systems in the field indicates that high technology, applied in this fashion, is also really safe.

    Safety technology through dialog instead of checking

    Since the middle of the eighties, the BIA and several other testing bodies have been developing testing methods for complex safety technology. The inspection no longer occurs at the end of product production, it now accompanies the development life cycle of a product from the initial concept through to final production. Only by using such simultaneous development and testing procedures is it possible to certify complex systems. The measures applied are checked during the safety life cycle at specific milestones to an agreed standard, whilst error-avoiding techniques are applied by the testing body itself as part of the validation process. Using techniques and standards as defined above, the testing body ensures that the development process of a product is perfect. This is the reason why complex safety technology should be considered more as a process rather than as a product.

    Increasing the acceptance of safety technology

    New technology allows safety functionality to be directly integrated into a machine or plant as a result of the functional control. In newly developed CNC control systems with integrated safety technology, reduced velocity required during setting up and the safe stop are guaranteed using additional software without any external monitoring devices. This means, for the user, that safety is incorporated in the control and the likelihood of faults occurring is significantly reduced. In the same way, using safety-related data communication concepts, standard hardware can be used to safely network various control systems or even complete production systems. This completely eliminates additional manual operations, for example, parameterizing safety devices. Safety-related data can be centrally managed and reported.

    This eliminates barriers for the use of safety technology and the level of acceptance is increased.

    Safety technology from a cost perspective

    Especially in the nineties, cost issues became increasingly important in safety technology. Although the development processes for complex safety technology are extremely cost-intensive, integrated safety, as a result of the software, can have an extremely positive impact on the overall product cost. Furthermore, downtimes are reduced as a result of a far more efficient diagnostics capability due to the use of safety computer systems.

    From our perspective as the Berufsgenossenschaften [German Trade Association], we also see that in the future, it will be important that we support and promote the development process discussed above. And of course, this Manual demonstrates that this is a safe route to take - and which is extremely promising.

    For the German Trade Association, innovation and prevention are important issues in working together. Our society requires ongoing innovation. This secures the competitiveness and facilitates a lifestyle and working methods to help humans generally. The German Trade Associations therefore promote such innovation which plays a role in reducing all types of risks and hazards or which improves working techniques and procedures.

    In order to present especially outstanding developments for enhanced health and safety at work to a larger trade public, for the first time, at the Hanover Fair 2003, the innovation prize of the German Trade Associations will be awarded.

    (For more detailed information, refer to www.hvbg.de/d/pages/presse/aktuell/foerder.htm).


    Heinz Gall, Head of the business sector Automation, Software and Information Technology, TÜV Anlagentechnik GmbH, Cologne, Company Group TÜV Rheinland/Berlin-Brandenburg

    Automation systems and components are responsible for safety-relevant tasks in many different application areas (machines and conveyor systems, the process industry, building technology etc.). This means that the health and safety of personnel as well as the protection of plant equipment and the environment are dependent on the correct functioning of these systems and components.

    Today, the correct functioning of systems and components is handled under the term of Functional Safety. This is documented in the IEC 61508 Standard "Functional safety of electrical, electronic and programmable electronic safety-related systems" which was passed in 2000.

    This Standard is, in the meantime, also recognized as EN 61508 and will be included in the German Standards. It is considered as a basis Standard, independent of the application and addresses developers of application-specific standards as well as the contents (description of measures for the safety concept, fault-avoidance and fault-controlling measures for hardware and software) essentially to the manufacturers of safety-related systems and components.

    This has already been accepted by the application-oriented Standards groups. The first examples include the Drafts of IEC 61511 for the process industry, EN 50156 for the electrical equipment of furnace systems as well as IEC 62061 for safety-relevant control systems for machines. It goes without saying that in the area of machine safety, application-specific Standards, for example EN 954, must be applied.

    In the future, it is hoped and also expected that other user groups will use the existing base standard for their work, to standardize the requirements placed on safety-related systems and components. This especially makes sense, because the principles involved with risk evaluation, risk reduction and the safety-related functions can be applied to the widest range of applications. From an application perspective, only a few aspects would have to be considered, e.g. the required response times or the safe condition for the process.

    This means that manufacturers will be able to develop systems and components which will be able to be used for safety tasks, with comparable degrees of risk, in various applications. To realize this, the following generally applicable data must be available for each particular component:

    - Maximum Safety Integrity Level (SIL) which can be achieved
    - Hardware fault tolerance in conjunction with the component of safety failures (sum of the failures in the direction of a safe condition plus the sum of the failures which are recognized and controlled as a result of the internal diagnostics) referred to the sum of all of the failures
    - Probability of failures where the system goes into a hazardous condition.

    The above mentioned criteria will then permit safety-related functions to be viewed across the complete application, which generally comprises the sensor system, logic (e.g. PLC) and actuators as well as communications between these components.

    Field devices, sensor systems and actuator systems are becoming increasingly intelligent. This means that communications between the components of a safety-related function will increasingly be realized via bus systems.

    In the last two years, considerable progress has been made in the area of standardized safety-related bus systems.

    This progress involves, on the one hand, the development of a basic philosophy to Test and certify bus systems for the transfer of safety-related data and, on the other hand, the successful completion of conceptual tests of such bus systems.

    This means that in the foreseeable future it can be expected that devices from various manufacturers will be able to be operated on standardized safety bus systems.

    In this case, manufacturers must accept the challenge to develop safety-related devices which can use the capability of safety-related communications via bus systems.

    The TÜV Rheinland/Berlin-Brandenburg, in conjunction with the Automation, Software and Information Technology business field, is supporting manufacturers, project engineers and users worldwide (Europe, USA, Japan) in the implementation of the above mentioned safety-related tasks.

    After a successful test, systems and components will be certified and will receive the FS test symbol "Functional Safety" of the TÜV Rheinland/Berlin-Brandenburg. This documents that they are in conformance with the requirements laid down in the relevant Standards.

    Engineers and users will be supported in achieving the functional safety for both the application and the implemented safety functions.


    Prof. Dr.-Ing. G. Reinhart, Head of the Institute for Machine Tools and Industrial Management (iwb), Technische Universitaet Muenchen

    The features and performance of state-of-the-art production systems are essentially determined by how the mechanical system and control interact. Only a harmonized complete system will be able to fulfill the requirements placed on the functionality, productivity and quality of today's production systems. A distributed installation technology which offers diagnostics capability across the board provides the essential basis to increase the availability of complex production systems. Beyond this, the integration of safety-related functions in control technology represents an innovative way to adapt safety technology to the requirements of the machine operator - but still reduce costs.

    Requirements placed on the safety technology of machine tools

    The safety-related devices and equipment on machine tools are of special significance within the control and installation systems of machine tools. On one hand, the legal and standards requirements which define, using hazard analysis, the scope and quality of the safety technology to avoid or reduce potential hazards. On the other hand, the continually increasing performance parameters of today's production systems. These include, for example, maximum axis velocity, acceleration and availability which is reflected in the Overall Machine Effectiveness (OME). In order to guarantee the effectiveness of safety technology in today's protection systems, i.e. to fulfill the requirements for personnel protection in line with that required in practice, innovative concepts are required. In this case, innovative safety technology should be considered to be a technology which does not lag behind the control and installation technology applied in the area of non-safety-relevant automation technology. For instance, features such as flexibility, diagnostics capability and standardization.

    Safety technology integrated in drives and control systems

    It becomes even more necessary to have flexible safety circuits, on and in machine tools, which take into account everyday operator situations, if the creative capabilities of the machine operator are to be fully utilized in a production environment. From the perspective of personnel protection, the performance parameters of the machine required in automated production facilities must be reduced to a safe level when operators have to intervene.

    When considering the performance of today's drives and production-related secondary conditions, safety drive functions and safely monitored drive statuses should be considered to be part of the basic functionality of modern variable-speed drives in production systems.

    Furthermore, the ability to emulate all of the safety-relevant logic operations in the software allows, on the one hand, a significantly stronger differentiation to be made regarding operator control, and on the other hand, costs to be significantly reduced over conventional solutions using devices with contacts. The requirements placed on safety and the ability to be integrated into existing control structures are fulfilled by using existing control sub-systems which can communicate with one another and redundant shutdown paths.

    Distributed and standardized installation technology in the machine environment

    Ongoing developments in the area of non-safety-relevant installation technology clearly show the way how to maximize cost-saving potential by using distributed concepts and standardized interfaces for installation in the machine environment. By using plug connections and pre-assembled cables in the field area and by reducing the number of versions of manufacturer-specific field-bus components, the machine OEM, the machine operator as well as the component manufacturers reap the benefits - from both a cost and functionality perspective. Simultaneously transferring safety-relevant and non-safety-relevant data along one bus system based on a standard fieldbus system significantly reduces the configuring/engineering, components, installation and commissioning costs.


    Fig. 1 Distributed and standardized installation technology in the machine environment

    [Diagram labels: cabinet and field installation; digital drives (FD, MSD, I/R), NC, MMC and PLC; non-safety-related I/O and safety-related I/O on a fieldbus interface; line contactor; spindle and servo drives; EMERGENCY OFF, tumbler mechanism and interlocking functions; cable colors for servo, measuring system, fieldbus, actuator/sensor and power; marking for safety-relevant components; additional terminal to safely shut down drives]

    The increasing number of DESINA components (DESINA = Distributed Standardized Installation technology on machine tools) in the market and the significant interest on the part of the machine OEMs and users confirms the efforts made by the Verein Deutscher Werkzeugmaschinenfabriken e.V. (VDW) and the Institute for Machine Tools and Business Sciences (iwb) to incorporate safety components in the standardization process in compliance with DESINA. The structure of a unified safety concept for machine tools, which encompasses the above mentioned issues relating to the integration into the drive and control system, including DESINA, is illustrated in the diagram.

    Summary

    Current research work at iwb indicates that, as a result of understanding the safety-relevant behavior of moving machine parts and their specific interaction early on, in the near future, it will be taken for granted that innovative safety systems will establish themselves in machine tools.

    Examples include bus-based data transfer and data processing integrated in the control. The advantages of being able to take into account the detailed operator requirements of machine tools operators, the improved effectiveness of safety technology and ongoing cost reduction will only become reality when component manufacturers and development engineers are ready to accept new concepts and solutions openly and without any preconceptions.


    D. Seibel
    Head of Electrical Engineering Department, Berufsgenossenschaft der Feinmechanik und Elektrotechnik (The Professional Association of Precision Mechanics and Electrical Industries, Cologne)

    International discussions relating to fault control/fault analysis were initiated using the main regulations from Section 5.7 of EN 60204-1, Electrical Equipment of Industrial Machines, status 1985. The safety considerations (protective goals), which are derived from the contents of the Standard, especially in the application field Electrical controls, lead inevitably and logically to different solutions. The goal of all of the basic solutions presented was, and still is, to create a unified, binding safety Standard within the European Community.

    Hazard potential

    A general control design (Graphic 2) must be the global starting point for practical safety philosophy. Depending on the potential hazard and the machine-specific operating conditions, it is necessary to have a graded level of safety for the switching logic (general control circuits). The risk evaluation is a mandatory prerequisite. Protective measures must be implemented, adapted to the hazard potential and orientated to the particular process.

    Personnel protection

    Protective devices must be provided everywhere, where plant and machinery can represent potential hazards. Moving protective devices, which mechanically isolate machine parts, i.e. protective doors, are some of the preferred ways of protecting personnel in the operating area of machines in industrial production plants, from hazardous motion or other dangers.

    In order to guarantee the specified personnel-protective function, moving protective devices must be implemented and electrically interlocked, so that personnel cannot enter the hazardous area before the dangerous conditions have been removed (e.g. rotational movement of a machine tool).

    Redundancy

    Conventional safety circuits, in conjunction with the interlocking systems, almost completely fulfill the required personnel-protective functions. The types of failures which can be expected along with the associated safety risks are generally known and the technical solutions used to overcome these problems are available and accepted (e.g. redundancy).

    The position switch is the core of every latching or interlocking function. This must at least include one positively opening contact (positively opening/positively isolating). If the protective device is opened, the NC contact in the position switch must safely interrupt the safety circuit.

    Application examples

    In order to make it easier to select and mount the different latching systems and to ensure the required circuit interlocking of the safety-relevant signal sensors with the downstream actuators (power contactors, relays), the German Trade Association [Berufsgenossenschaften] has drawn up and presented numerous application examples.

    The individual solutions are shown as examples in the following documents from the German Trade Association:

    BGI 575  Pamphlet to select and mount electro-mechanical latching/interlocking devices for safety functions

    and

    BGI 670  Pamphlet to select and mount proximity switches in latching/interlocking devices for safety functions

    A positively driven relay must be used if it is necessary to identify a fault (e.g. if a relay does not drop out).


    Fig. 2 General configuration of a machine control system (DIN VDE 0113/11.98)

    [Diagram labels: main control; control voltage ON/OFF; control circuits with safety functions; enable; latching systems with and without tumbler mechanism; control circuits with operating functions; load circuit with possible hazard; load circuit without hazard; components S1, S2, K1, M; N = n rated.]

    Standards

    The circuit versions which are presented and the associated necessary safety aspects (e.g. fault exclusion lists) have started to be included in European Standards. In this case, it is necessary to describe the two group Standards (type B Standards)

    EN 1088   Safety of Machinery: Latching systems in conjunction with isolating protective devices; guidelines for layout and selection

    and

    EN 954-1  Safety of Machinery: Safety-related parts of controls; Part 1: General layout guidelines

    which specify a uniform evaluation Standard, independent of the application, based on the rules and regulations of the German Trade Association.

    This means that these evaluation Standards can also be transferred to the downstream safety and monitoring circuits. This takes into account the now available European Standard EN 60204-1 (Status 11.1998).

    Typical applications include so-called relay safety combinations, which are used to transfer signals from safety trips (e.g. protective door monitoring functions, switching strips, two-hand control devices, actions under emergency situations, light barriers etc.), maintaining the required control category in compliance with EN 954-1.


    Chapter 1

    Standards and Regulations


    1.1 General information

    1.2 Regulations and Standards in the European Union (EU)

    1.3 Legal requirements and Standards regarding safety at work in the US

    1.4 Safety requirements for machines in Japan

    1.1 General information

    Objectives

    The goal of safety technology is to keep the potential hazards for man and the environment as low as possible by applying and utilizing the appropriate technology. However, this should be achieved without imposing unnecessary restrictions on industrial production, the use of machines and the production of chemicals. By applying internationally harmonized regulations, man and the environment should be protected to the same degree in every country. At the same time, differences in competitive environments, due to different safety requirements, should be eliminated.

    In the various regions and countries around the globe, there are different concepts and requirements when it comes to guaranteeing safety. The legal concepts and the requirements regarding what has to be proven and how, as to whether there is sufficient safety, are just as different as the assignment of the levels of responsibility.

    For example, in the EC, there are requirements, placed both on the manufacturer of a plant or system as well as the operating company, which are regulated using the appropriate European Directives, Laws and Standards.

    On the other hand, in the US, requirements differ both at a regional and even at a local level. However, throughout the US, there is a basic principle that an employer must guarantee a safe place of work. In the case of damage, as a result of the product liability, the manufacturer can be made liable due to the association with his product. On the other hand, in other countries and regions, other principles apply.

    What is important for the manufacturers of machines and plant construction companies is that the legislation and rules of the location always apply in which the machine or plant is being operated. For instance, the control system of a machine, which is operated and used in the US, must fulfill US requirements, even if the machine manufacturer (i.e. OEM) is based in Europe. Even though the technical concepts with which safety is to be achieved are subject to clear technical principles, it is still important to observe whether legislation or specific restrictions apply.

    Functional safety

    From the perspective of the object to be protected, safety cannot be segregated.

    The causes of hazards and the technical measures applied to avoid them can differ widely. This means that a differentiation is now made between various types of safety, e.g. by specifying the cause of the potential hazard. For instance, the term electrical safety is used if protection has to be provided against electrical hazards, or the term functional safety is used if the safety is dependent on the correct function.

    This differentiation is now reflected in the most recent Standards, in so much that there are special Standards which are involved with functional safety. The area of machinery safety EN 954 deals specifically with safety-relevant parts of control systems and therefore concentrates on the functional safety. The IEC handles functional safety of electrical, electronic and programmable electronic systems, independent of any specific application, in the pilot Standard IEC 61508.

    In IEC 61508, functional safety is defined as part of the overall safety relating to the EUC* and the EUC control system which depends on the correct functioning of the E/E/PE** safety-related systems, other technology safety-related systems and external risk reduction facilities. In order to achieve functional safety of a machine or a plant, the safety-relevant parts of the protective and control devices must function correctly, and, when a fault or failure occurs, the plant or system must remain in a safe condition or be brought into a safe condition.

    To realize this, proven technology is required, which fulfills the demands specified by the relevant Standards. The requirements to achieve functional safety are based on the following basic goals:

    Avoid systematic faults,

    Control systematic faults,

    Control random faults or failures.

    The measure for the level of achieved functional safety is the probability of the occurrence of dangerous failures, the fault tolerance and the quality which should be guaranteed by avoiding systematic faults. In the Standards, this is expressed using various terms: in IEC 61508, Safety Integrity Level (SIL); in EN 954, Categories; and in DIN V 19250 and DIN V VDE 0801, Requirement classes (AK).

    Standardization goals

    The demand to make plant, machines and other equipment as safe as possible using state-of-the-art technology comes from the responsibility of the manufacturers and users of equipment for their safety. All safety-significant aspects of using state-of-the-art technology are described in the Standards. By maintaining and fulfilling these standards, it can be ensured that state-of-the-art technology is applied, therefore ensuring that the company erecting a plant or the manufacturer producing a machine or a device has fulfilled his responsibility for ensuring safety.

    Note: The Standards, Directives and Laws listed in this Manual are just a selection to communicate the essential goals and principles. We do not claim that this list is complete.


    * EUC: Equipment under control
    ** E/E/PE: Electrical, electronic, programmable electronic


    1.2 Regulations and Standards in the European Union (EU)

    1.2.1 Basic principles of European legislation*

    * Note: The EFTA countries have decided to adopt the EC concept.

    Legislation states that we must focus our efforts ... on preserving and protecting the quality of the environment, and protecting human health through preventive actions (Council Directive 96/82/EC Seveso II).

    It also demands Health and safety at the workplace (Machinery Directive, workplace, health and safety legislation, ...). Legislation demands that this and similar goals are achieved for various areas (Areas which are legislated) in the EC Directives. In order to achieve these goals, legislation places demands on the operators and users of plant, and the manufacturers of equipment and machines. It also assigns the responsibility for possible injury or damage.

    The EC Directives

    Specify demands placed on plant and systems and their operators/users to protect the health and safety of personnel and environmental quality;

    Contain regulations about health and safety at the workplace (minimum requirements);

    Define product features and characteristics to protect the health and safety of users;

    Make a differentiation between requirements placed on the realization and implementation of products to guarantee free trade and the requirements regarding the use of products.

    The EC Directives, which are associated with implementing new products, are based on a new global concept (new approach, global approach):

    EC Directives only contain general safety goals and define fundamental safety requirements.

    Standards Committees, which have received an appropriate mandate from the EC Commission (CEN, CENELEC), can define technical details in the Standards. These Standards are harmonized under a specific Directive and are listed in the Official Journal of the EC. When the harmonized standards are fulfilled, then it is assumed that the associated safety requirements of the directives are also fulfilled (for more detailed information, refer to Section 1.2.3 Safety of Machinery).

    Legislation no longer specifies that specific standards have to be met. However, it can be reasonably assumed that when specific standards are observed, the associated safety goals of the EC Directives are fulfilled.

    EC Directives specify that Member States recognize each other's national regulations and laws.

    The EC Directives have the same degree of importance, i.e. if several Directives apply for a specific piece of equipment or device, then the requirements of all of the relevant Directives have to be met (e.g. for a machine with electrical equipment, the Machinery Directive and Low-Voltage Directive apply).

    Other regulations apply to equipment where the EC Directives are not applicable. They include regulations and criteria for voluntary tests and certifications.

    The list of EC Directives with the associated lists of harmonized standards is provided in the Internet under:

    http://www.NewApproach.org/directiveList.asp

    Low-Voltage Directive

    The Low-Voltage Directive (73/23/EC) applies to electrical equipment with rated voltages in the range between 50 and 1000 V AC or between 75 and 1500 V DC (for the revision presently being carried out, it is possible that the lower voltage limits may be omitted). This is a New Approach Directive. EN 60204-1 is listed under the Low-Voltage Directive for Electrical equipment of machines. This means that if EN 60204-1 is fulfilled, then it can be reasonably assumed that the Directive is fulfilled.

    (Note: The requirements to fulfill the Low-Voltage Directive are not discussed in any more detail in this Manual.)

    1.2.2 Health and safety at the workplace in the EC

    The requirements placed on health and safety at the workplace are based on Article 137 (previously 118a) of the EC Contract. The Master Directive Health and Safety of Personnel at the Workplace (89/391/EC) specifies minimum requirements for safety at the workplace. The actual requirements are subject to domestic legislation and can exceed the requirements of these Master Directives. The requirements involve the operation of products (e.g. machines), and not their implementation.


    1.2.3 Safety of Machinery in Europe

    Machinery Directive (98/37/EC)*

    With the introduction of a common European market, a decision was made to harmonize the national standards and regulations of all of the EC Member States. This meant that the Machinery Directive, as an internal Directive, had to be implemented in the domestic legislation of the individual Member States. In Germany, the contents of the Machinery Directive were implemented as the 9th Decree of the Equipment Safety law. For the Machinery Directive, this was realized with the goal of having unified protective goals and to reduce trading barriers. The area of application of the Machinery Directive corresponds to its definition "Machinery means an assembly of linked parts or components, at least one of which moves ...", which encompasses a wide scope. With the Change Directives, the area of application has been subsequently extended to safety components and interchangeable equipment. The Machinery Directive involves the implementation of machines.

    Machinery is also defined as "an assembly of machines which, in order to achieve the same end, are arranged and controlled so that they function as an integral whole".

    The application area of the Machinery Directive thus ranges from a basic machine up to a complete plant.

    The Machinery Directive has 14 Articles and 7 Annexes.

    The basic health and safety requirements in Annex I of the Directive are mandatory for the safety of machinery.

    Fig. 1/1 Overview of the Machinery Directive

    Articles:
      Art. 1 to Art. 7    Application area, selling, marketing, freedom of movement, health and safety requirements
      Art. 8 to Art. 9    Certification procedure
      Art. 10 to Art. 12  CE marking, protection against arbitrary fulfillment
      Art. 13 to Art. 14  Coming into force, transitional regulations, cancellation of the regulations

    Annexes (with the associated Articles):
      I    Essential health and safety requirements relating to the design and construction of machinery, interchangeable equipment and safety components (Articles 3, 5, 10)
      II   Contents of
           1. EC Declaration of Conformity for machinery, interchangeable equipment and safety components (Articles 4, 5, 8)
           2. Manufacturer's declaration for specific components of the machinery and non-functioning machines (Article 4)
      III  CE marking (Article 10)
      IV   Types of machinery and safety components, where the procedure acc. to Article 8 must be applied
      V    EC Declaration of conformity for machinery, interchangeable equipment and safety components (Article 8)
      VI   EC type examination for machinery, interchangeable equipment and safety components (Article 8)
      VII  Minimum criteria for testing bodies (Article 9)

    * replaces 89/392/EC, 91/368/EC,93/44/EC, 93/68/EC.

    In selecting the most appropriate methods, the manufacturer must apply the following principles, in the order given (Annex I Paragraph 1.1.2):

    a) The machine design must guarantee that operation, equipping and maintenance, when the machine is correctly used, does not represent any potential danger to personnel.

    The measures must exclude any risk of accident...

    b) When selecting the appropriate solutions, the manufacturer must apply the following basic philosophy, and more specifically in the specified sequence:

    Eliminate or reduce the risks as far as possible (integrating the safety concept into the development and the construction of the machine);

    Take the necessary protective measures against risks that cannot be eliminated;


    Fig. 1/2 Annex IV of the Machinery Directive

    Types of machinery and safety components, for which the procedure referred to in Article 8, Paragraph 2, Letters b) and c) must be applied.

    A. Machinery

    1. Circular saws (single or multi-blade) for working with wood and analogous materials or for working with meat and analogous materials
       1.1. Sawing machines with fixed tool during operation, having a fixed bed with manual feed of the workpiece or with a demountable power feed
       1.2. Sawing machines with fixed tool during operation, having a manually operated reciprocating saw-bench carriage
       1.3. Sawing machines with fixed tool during operation, having a built-in mechanical feed device for the workpieces, with manual loading and/or unloading
       1.4. Sawing machines with movable tool during operation, with a mechanical feed device and manual loading and/or unloading
    2. Hand-fed surface planing machines for woodworking
    3. Thicknessers for one-side dressing with manual loading and/or unloading for woodworking
    4. Band-saws with fixed or mobile bed and band-saws with a mobile carriage, with manual loading and/or unloading, for working with wood and analogous materials or for working with meat and analogous materials
    5. Combined machines of the types referred to in 1 to 4 and 7 for working with wood and analogous materials
    6. Hand-fed tenoning machines with several tool holders for woodworking
    7. Hand-fed vertical spindle molding machines for working with wood and analogous materials
    8. Portable chain saws for woodworking
    9. Presses, including press-brakes, for the cold working of metals, with manual loading and/or unloading, whose movable working parts may have a travel exceeding 6 mm and a speed exceeding 30 mm/s
    10. Injection or compression plastic-molding machines with manual loading or unloading
    11. Injection or compression rubber-molding machines with manual loading or unloading
    12. Machinery for underground working of the following types:
        machinery on rails: locomotives and brake-vans
        hydraulic-powered roof supports
        internal combustion engines to be fitted to machinery for underground working
    13. Manually-loaded trucks for the collection of household refuse incorporating a compression mechanism
    14. Guards and detachable transmission shafts with universal joints as described in Section 3.4.7.
    15. Vehicle-servicing lifts
    16. Devices for the lifting of persons involving a risk of falling from a vertical height of more than 3 meters
    17. Machines for the manufacture of pyrotechnics

    B. Safety components

    1. Sensor-controlled devices to detect persons, e.g. light barriers, sensor mats, electromagnetic detectors
    2. Logic units which ensure the safety functions of bimanual controls
    3. Automatic movable screens to protect the presses referred to in 9, 10 and 11 (Letter A)
    4. Rollover protection structures (ROPS)
    5. Falling-object protective structures (FOPS)

    Inform users of the residual risks due to any shortcomings of the protection measures adopted.

    The protection goals must be responsibly implemented in order to fulfill the demand for conformance with the Directive.

    The manufacturer of a machine must prove that the basic requirements have been fulfilled. This proof is made easier by applying harmonized standards.

    A certification technique is required for machines listed in Annex IV of the Machinery Directive, which represent a more significant hazard potential. (Recommendation: Machinery which is not listed in Annex IV can also represent a high potential hazard and should be appropriately handled.) The precise technique to define whether compliance exists with the goals is defined in Chapter II of the Directive.

    Standards

    To sell, market or operate/use products, these products must fulfill the basic safety requirements of the EC Directives. Standards can be extremely helpful when it involves fulfilling these safety requirements. In this case, a differentiation must be made between harmonized European Standards and other Standards which, although ratified, have still not been harmonized under a specific Directive, as well as other technical rules and regulations which are also known as National Standards in the Directives.

    Ratified Standards describe recognized state-of-the-art technology. This means that, by proving that he has applied them, a manufacturer can prove that he has fulfilled what is recognized state-of-the-art technology.

    Generally, all Standards, which have been ratified as European standards, must be included, unchanged, in the domestic (national) Standards of the Member States. This is independent of whether they are harmonized under a particular Directive or not. Existing National Standards, handling the same subject, must then be withdrawn. Thus, within a period of time in Europe, a unified set of regulations will be created (without any contradictions).

    Fig. 1/3 European Standards for Safety of Machinery

      Type A Standards (basic safety standards): basic design principles and terminology for machines
      Type B Standards (group safety standards): B1 Standards, general safety aspects; B2 Standards, reference to special protective devices
      Type C Standards (specialist Standards): special safety features for individual machine groups

    Note: IEC 61508 is an important Standard which has not been harmonized under a particular EC Directive - Functional safety of electrical/electronic/programmable electronic safety-related systems, as there is no appropriate harmonized standard. It is ratified as EN 61508. The German Draft Standards DIN V VDE 0801 and DIN V 19250 and 19251 will therefore be withdrawn by August 2004.

    Harmonized European Standards

    These are drawn up by the two standards organizations CEN (Comité Européen de Normalisation) and CENELEC (Comité Européen de Normalisation Électrotechnique) under mandate from the EC Commission in order to fulfill the requirements of the EU Directives for a specific product, and must be published in the official Council Journal of the European Communities. These Standards (EN Standards) are then transferred into the national standards unchanged.

    They are used to fulfill the basic health and safety requirements and the protective goals specified in Annex I of the Machinery Directive.

    DIN and DKE are the contact partners for CEN / CENELEC.

    By fulfilling such harmonized standards, there is an automatic presumption of conformity, i.e. the manufacturer can be trusted to have fulfilled all of the safety aspects of the Directive as long as they are covered in the particular Standard. However, not every European Standard is harmonized in this sense. The listing in the European documentation is definitive. The latest versions can be found in the Internet (address: http://www.NewApproach.org/directiveList.asp).

    [Diagram: structure of the European Standards with examples]

      Type A, Basic safety standards:
        EN 292   Safety of Machinery: Basic terminology, general design principles
        EN 1050  Safety of Machinery: Principles of risk assessment
        etc.

      Type B1 (higher-level safety aspects) and Type B2 (requirements for safety-related devices):
        EN 294      Safety clearances against accessing dangerous locations with the upper limbs
        EN 349      Minimum clearances to prevent parts of the body being crushed
        EN 1088     Safety of machines: inter-latching devices with and without tumbler
        EN 60204-1  Electrical equipment of machines
        EN 954      Safety-relevant parts of control systems
        EN 574      Two-hand circuit
        EN 418      Emergency stop equipment, functional aspects, design guidelines
        EN 61496-1  Light barriers, light curtains

      Type C, Specialist standards (specific requirements on specific machines):
        EN 81-3             Elevators
        EN 201              Injection molding machines
        EN 692, EN 693      Presses + shears
        EN 12415, EN 12418  Numerically controlled lathes

      Also refer to Section 8, List of harmonized standards.

    Note for users:

    If harmonized C Standards exist for the particular product, then the associated B and, if relevant, also the A Standards can be considered as secondary.

    The European Standards for the safety of machinery are hierarchically structured as follows:

    A Standards, also known as Basic Standards.

    B Standards, also known as Group Standards.

    C Standards, also known as Product Standards.

    The diagram above shows the structure.

    Type A Standards/Basic Standards

    Type A Standards contain basic terminology and definitions for all machines. This includes EN 292 Safety of machinery - Basic concepts, general principles for design.

    Type A Standards primarily address those parties setting B and C Standards. The techniques for minimizing risks, specified there, can, however, also be helpful for manufacturers if there are no relevant C Standards.

    Type B Standards/Group Standards

    These include all Standards with safety-related statements, which can involve several types of machines.

    Type B Standards also primarily address those parties setting C Standards. However, they can also be helpful for manufacturers when designing and constructing machinery if there are no relevant C Standards.

    For B Standards an additional subdivision was made:

    Type B1 Standards for higher-level safety aspects, e.g. ergonomic design principles, safety distances from potential sources of danger, minimum clearances to prevent crushing of body parts.

    Type B2 Standards for safety equipment are specified for various machine types, e.g. EMERGENCY STOP equipment, two-hand controls, interlocking/latching, non-contact protective devices, safety-related parts of controls.

    Type C Standards/Product Standards

    These involve the machinery-specific Standards, e.g. for machine tools, woodworking machines, elevators, packaging machines, printing machines etc.

    The European Standards are structured so that general statements which are already included in type A or type B standards are not repeated. References to these are made in type C Standards.

    Product Standards include machinery-specific requirements. These requirements, under certain circumstances, deviate from the Basic and Group Standards. For machinery OEMs, type C Standards/Product Standards have the highest priority. They (the machinery OEMs) can then assume that they fulfill the basic requirements of Annex I of the Machinery Directive (automatic presumption of conformity).

    If there is no Product Standard for a particular machine, then Type B Standards can be applied for orientation purposes when constructing machinery.

    In order to provide a method to harmonize the basic requirements of the Directive, with the mandate of the EC Commission, harmonized standards were drawn up in the technical committees of the CEN and CENELEC for machinery or machinery groups for almost all areas. Drawing up the standards essentially involves representatives of the manufacturer of the particular machinery, the regulatory bodies, such as Trade Associations, as well as users. An overview of the most important type A, B and C standards is provided in Section 8. A complete list of all of the listed Standards as well as the activities associated with Standards - with mandate - are provided in the Internet under:

    http://www.NewApproach.org/directiveList.asp

    Recommendation: Technology is progressing at a tremendous pace, which is also reflected in changes made to machine concepts. For this reason, especially when using Type C Standards, they should be checked to ensure that they are up-to-date. It should also be noted that it is not mandatory to apply the standard but instead, the safety objective must be achieved.

    National Standards

    If harmonized European Standards are not available, or they cannot be applied for certain reasons, then the manufacturer can utilize National Standards. All of the other technical rules fall under this term, e.g. also the accident prevention regulations and standards which are not listed in the European Council Journal (also IEC or ISO Standards which were ratified as EN). By applying ratified standards, the manufacturer can prove that recognized state-of-the-art technology was fulfilled. However, when such standards are applied, the above mentioned automatic presumption of conformity does not apply.

    Risk evaluation/assessment

    As a result of their general design and functionality, machines and plants represent potential risks. Therefore, the Machinery Directive requires a risk assessment for every machine and, if relevant, risk reduction, so that the remaining risk is less than the tolerable risk. The following Standards should be applied for the technique to assess these risks:

    - EN 292 "Safety of machinery - Basic concepts, general principles for design" and

    - EN 1050 "Safety of machinery - Principles for risk assessment"

    EN 292 mainly handles the risks to be evaluated and design principles to reduce risks. EN 1050 basically handles the iterative process with risk assessment and risk reduction to achieve safety.

    Risk assessment

    Risk assessment is a sequence of steps, which allows hazards, which are caused by machines, to be systematically investigated. Where necessary, the risk assessment phase is followed by risk reduction. The iterative process (refer to Graphic 1/5) is obtained by repeating this procedure. This allows potential hazards to be removed as far as possible, and allows the appropriate protective measures to be taken.

    The risk assessment includes:

    Risk analysis
    a) Determining the limits of the machine (EN 292, EN 1050 Paragraph 5)
    b) Identification of hazards (EN 292, EN 1050 Paragraph 6)
    c) Techniques to estimate risks (EN 1050 Paragraph 7)

    Risk evaluation (EN 1050 Paragraph 8)

    After risks have been estimated, a risk evaluation is made as part of an iterative process to achieve safety. In this case, a decision has to be made whether it is necessary to reduce a risk. If the risk is to be further reduced, suitable protective measures must be selected and applied. The risk evaluation must then be repeated.

    Fig. 1/4 Risk elements
    [Diagram: Risk related to the considered hazard is a function of Severity of the possible harm for the considered hazard and Probability of OCCURRENCE of that harm (Frequency and duration of exposure; Probability of occurrence of hazardous event; Possibility to avoid or limit the harm).]

    Fig. 1/5 Iterative process to achieve safety in accordance with EN 1050
    [Flowchart: START; Determine the machine limits; Identify the hazard; Risk estimation; Risk evaluation; Is the machine safe? YES: END. NO: Reduce risk. The steps up to Risk estimation form the Risk analysis; together with Risk evaluation they form the Risk assessment.]
    Risk reduction and the selection of appropriate safety measures are not part of the risk assessment. For a further explanation, refer to Section 5 of EN 292-1 (1991) and EN 292-2.

    If the required degree of safety has still not been reached, measures are required to further reduce the risk. The risk must be reduced by suitably designing and implementing the machine. For instance, using suitable control or protective measures for the safety functions (also refer to the Section Requirements of the Machinery Directive). If the protective measures involve interlocking or control functions, then these must be configured in accordance with EN 954. When using electronic controls and bus systems to implement these protective measures, then, in addition, IEC / EN 61508 must also be fulfilled.

    Standard EN 1050 calls this operation an iterative process to achieve safety (refer to Fig. 1/5).

    Risk elements are defined as a support tool to evaluate risks. Graphic 1/4 shows the inter-relationship between these risk elements.

    Residual risk (EN 1050)

    Safety is a relative term in our technical environment. Unfortunately, it is not possible to implement the so-called zero risk guarantee where nothing can happen under any circumstances. The residual risk is defined as: Risk, which remains after the protective measures have been implemented.

    In this case, protective measures represent all of the measures to reduce risks.

    Reducing risks

    In addition to applying structural measures, risk reduction for a machine can also be realized using safety-relevant control functions. For these control functions, special requirements must be observed, which are classified according to the level of risks. These are described in EN 954-1 and, for complex control systems with programmable electronics, in IEC 61508.

    Fig. 1/6 Possible selection of the Categories in accordance with EN 954-1
    [Risk graph: starting point for estimating the risk of the safety-related part of the control; branches S1, S2, F1, F2, P1, P2 lead to the Categories B, 1, 2, 3, 4.]

    S Severity of the injury
    S1 Slight (normally reversible) injury
    S2 Severe (normally irreversible) injury including death

    F Frequency and/or exposure time to the hazardous condition
    F1 Seldom up to quite often and/or the exposure time is short
    F2 Frequent up to continuous and/or the exposure time is long

    P Possibility of avoiding the hazard
    P1 Possible under specific conditions
    P2 Scarcely possible

    Selecting the category
    B, 1 to 4 Categories for safety-related parts of control systems

    - Preferred categories for reference points
    - Possible categories requiring further steps
    - Measures which can be over-dimensioned for the relevant risk

    The requirements placed on safety-relevant parts of control systems are classified in categories according to the level of risk. Techniques to select a suitable Category as reference point for configuring the various safety-related parts of a control system are recommended in Annex B of EN 954-1 (refer to Fig. 1/6). A detailed concept to evaluate the risk and to determine the necessary requirements placed on the control system is presently being drawn up in the form of Draft IEC 62061. It is important that all of the parts and components of the controls, which are involved in implementing the safety-relevant function, fulfill these requirements.

    After the control has been implemented, it is necessary to check whether the requirements of the selected Category have been fulfilled. The control must be validated. The details of how this validation process is actually carried out and what has to be taken into account is described in Section 2 of EN 954. Presently, this section is available as Draft prEN 954-2.

    The adjacent table shows a brief summary of the requirements for the various categories. The complete text of the requirements is contained in EN 954-1 "Safety-related parts of control systems", Section 6 "Categories". Basic requirements for configuring control systems are defined in the various categories. These are intended to make the systems tolerant to hardware failures.

    Additional aspects must be taken into consideration for more complex control systems, especially programmable electronic systems, so that

    - random hardware failures can be controlled,

    - systematic errors/faults in the hardware and software are avoided

    - systematic errors/faults in the hardware and software can be controlled,

    and sufficient functional safety is achieved for safety-critical tasks. The necessary requirements are described in the International IEC 61508 Standard (the previous DIN V VDE 0801 will be withdrawn in August 2004 as part of the European harmonization of EN 61508) and for contactless protective devices such as light arrays or laser scanners IEC / EN 61496-1. The scope of the required measures is also graded corresponding to the risk reduction required.

    In order to support the implementation and application of these systems, presently, other standards are being developed with IEC 62061 "Safety of Machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems" and IEC 61800-5-2 "Adjustable speed electrical power drive systems - functional safety requirements".

    Validation

    The subject of validation is handled in the Draft Standard prEN 954-2 "Safety of Machinery - Safety-related parts of control systems". In this case, validation means that the safety functionality to be achieved is checked and evaluated. This Standard corresponds to the status of a B1 safety group Standard (general safety aspects). The purpose of the validation is to confirm the definitions and level of conformity of the safety-related parts of the controls within the overall definition of safety requirements on the machinery.

    Fig. 1/7 Description of the requirements for the Categories in accordance with EN 954-1

    | Category 1) | Summary of requirements | System behavior 2) | Principles to achieve safety |
    |---|---|---|---|
    | B | Safety-related parts of control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by selection of components |
    | 1 | Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for Category B. | Mainly characterized by selection of components |
    | 2 | Requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machine control system. | The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check. | Mainly characterized by structure |
    | 3 | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that: a single fault in any of these parts does not lead to the loss of the safety function, and whenever reasonably practicable, the single fault is detected. | When the single fault occurs, the safety function is always performed. Some but not all faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Mainly characterized by structure |
    | 4 | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that: a single fault in any of these parts does not lead to a loss of the safety function and the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to a loss of the safety function. | When the faults occur, the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function. | Mainly characterized by structure |

    1) The categories are not intended to be used in any given order or in any given hierarchy in respect of safety requirements.

    2) The risk assessment will indicate whether the total or partial loss of the safety function(s) arising from faults is acceptable.


    The validation must show that every safety-related part or component fulfills the requirements laid down in EN 954-1. The following aspects are described:

    - Validation using analysis

    - Validation using testing

    - Fault lists

    - Validation of safety functions

    - Validation of categories

    - Validation of the environment requirements

    - Validation of the service/maintenance requirements

    An overview of the validation technique in compliance with EN 954-2 is shown in Fig. 1/8.

    The validation plan must identify and describe the requirements to carry out the validation technique for the defined safety functions and their categories. Where appropriate, it must also document these. Fig. 1/9 illustrates the requirements placed on the documentation corresponding to the various Categories.

    The requirements, described in EN 954-1, are not adequate for systems utilizing programmable electronic systems. This is the reason that EN 954-2 specifies that additional standards, e.g. IEC 61508 or, for contactless protective devices, IEC 61496, are used for validation.

    These extensive requirements refer to the development and implementation of controls, not to the application and parameterization of certified systems such as Simatic S7-300F, Sinumerik Safety Integrated, Siguard Laser Scanner and Light Curtains, PROFIsafe or AS-i Safety at Work.

    Fig. 1/8 Overview of the validation process (from prEN 954-2)
    [Flowchart elements: START; Considerations when designing; Validation plan; Validation principle; Documents; Criteria for excluding faults; Fault list; Analysis; Is the analysis adequate? (YES/NO); Test; Is the test complete? (YES/NO); Validation report; END]

    Fig. 1/9 Documentation requirements (from prEN 954-2)

    | Documentation requirements | B | 1 | 2 | 3 | 4 |
    |---|---|---|---|---|---|
    | Basic safety principles | X | X | X | X | X |
    | Stressing expected in operation | X | X | X | X | X |
    | Influence of the material being processed | X | X | X | X | X |
    | Performance during other relevant external influences | X | X | X | X | X |
    | Proven components | | X | | | |
    | Proven safety principles | | X | X | X | X |
    | The test technique for safety function(s) | | | X | | |
    | Defined test intervals | | | X | | |
    | Individual faults which can be predicted and have been taken into account in the design and the detection technique applied | | | X | X | X |
    | All identified faults with a common cause and how they can be prevented | | | | X | X |
    | How the safety function is maintained for each fault/error | | | | X | X |
    | Faults which are to be detected | | | X | X | X |
    | Various fault groups which must be taken into account in the design | | | | X | X |
    | How the safety function should be maintained for all combinations of faults | | | | | X |

    (Columns B to 4: Category for which documentation is required)


    Safety Integrated

    The measures which are required to make a complex control adequately and functionally safe for safety tasks are extremely extensive and involve the complete development and manufacturing process. Therefore, controls have to be specifically designed to fulfill safety functions. SIMATIC S7-300F / S7 400F/FH and SINUMERIK Safety Integrated are examples of such control systems. This also applies to the communication systems PROFIsafe and AS-i Safety at Work, PROFIBUS and AS-i which are used to transfer safety-related data.

    Safety-related functions

    The safety-related functions include, in addition to conventional functions

    - Stop

    - Actions in an emergency situation

    - Preventing accidental starting

    and, in the meantime, even complex functions, such as

    - State-dependent interlocking

    - Speed limiting

    - Position limiting

    - Speed deviation, to name just a few

    The classic functions are defined in EN 60204-1 and were, up until now, generally implemented using mechanical components. Electronic programmable systems can also be used to implement more complex functions, if they fulfill the relevant Standards (IEC 61508, EN 954). Complex functions, e.g. which involve the behavior of variable-speed drives, are described in draft IEC 61800-5-2.

    Stop

    Stop categories of EN 60204-1

    Three stop categories are defined in EN 60204-1 (VDE 0113 Part 1) which define the control sequence for stopping, independent of an emergency situation:

    Stop Category 0

    Uncontrolled stop by immediately removing the power to the machine drive elements.

    Stop Category 1

    Controlled stop; the power is only removed after the machine has come to a standstill.

    Stop Category 2

    Controlled stop, where power is still fed to the machine at standstill.

    Emergency operations and actions

    EN 60204-1/11.98 has, harmonized with HD 384 (IEC 60364; VDE 0100), defined the following possible actions for emergency situations (EN 60204-1 Annex D):

    Action in an emergency situation includes individually, or a combination of:

    - Stopping in an emergency situation (EMERGENCY STOP);

    - Starting in an emergency situation (EMERGENCY START);

    - Power-off in an emergency situation (EMERGENCY SWITCHING-OFF);

    - Power-on in an emergency situation (EMERGENCY SWITCHING-ON).

    According to EN 60204-1 and EN 418, these functions are exclusively initiated by a conscious manual intervention.

    In the following text, only Power-off in an emergency situation and stopping in an emergency situation will be discussed. The latter fully corresponds to the same terminology in the EC Machinery Directive. For reasons of simplicity, EMERGENCY SWITCHING-OFF and EMERGENCY STOP will be used in the following.

    EMERGENCY SWITCHING-OFF

    This is an intervention (action) in an emergency situation, which disconnects power to a complete system or installation or part of it, if there is a risk of electric shock or another risk caused by electricity (from EN 60204-1 Annex D).

    Functional aspects to disconnect the power in an emergency situation are defined in IEC 60364-4-46 (this is identical to HD 384-4-46 and VDE 0100 Part 460).

    Power must be disconnected in an emergency situation, where

    - Protection against direct contact (e.g. with contact cables, slip ring assemblies, switchgear in electrical rooms) is only achieved by maintaining a clearance or barrier;

    - Other hazards or damage could occur as a result of electric power.

    Further, the following is specified in 9.2.5.4.3 of EN 60204-1:

    In an emergency situation, the power supply is disconnected from the machine, which results in a Category 0 Stop.

    If a Category 0 Stop is not permissible for a machine, then it may be necessary to provide other protection, e.g. against direct contact, so that power does not have to be disconnected in an emergency situation.

    This means that EMERGENCY SWITCHING-OFF should be used where the risk analysis indicates a hazard due to electric voltage/power and therefore requires that the voltage is immediately disconnected from the complete machine.


    In the EC, EMERGENCY SWITCHING-OFF devices fall under the Low-Voltage Directive 73/23/EC if they are not used in conjunction with machines. If they are used in conjunction with machines, then they come under the Machinery Directive 98/37/EC as is true for all of the other electrical equipment associated with a machine.

    EMERGENCY STOP

    This is an action, in an emergency situation, which is defined to stop a process or movement which would otherwise have potentially hazardous consequences (from EN 60204-1 Annex D).

    Further, the following is defined in 9.2.5.4.2 of EN 60204-1:

    Stop

    In addition to the requirements for Stop (refer to 9.2.5.3), the following requirements apply for an emergency stop:

    - it must have priority over all other functions and actions in all operating modes;

    - the power to the machine actuators, which could cause a hazardous condition or conditions, must be disconnected as quickly as possible without creating other hazards (e.g. using mechanical stopping/braking devices, which do not require an external supply, by using counter-current braking for Stop Category 1);

    - resetting may not initiate a restart.

    Stopping in an emergency situation must either be effective as a Stop, Category 0 or Category 1 (refer to 9.2.2). The Stop Category in an emergency situation must be defined as the result of the risk evaluation for the particular machine.

    To technically implement EMERGENCY STOP corresponding to the recommended application in the Foreword of EN 60204-1, either the requirements specified in EN 60204-1 or in EN 954 and IEC 61508 can be applied. EN 60204-1 primarily requires that this is implemented using electromechanical components, as basic (programmable) electronic systems are not safe enough. By correctly applying EN 954 and, if required, IEC 61508, electronic and programmable electronic components become functionally safe enough that they can also be used to implement EMERGENCY STOP for all categories (German National Foreword: "... this therefore clearly states that electronic equipment can also be used for EMERGENCY STOP devices independent of the Stop Category ...").

    Devices for EMERGENCY SWITCHING-OFF and EMERGENCY STOP

    Devices which are used to stop equipment and machinery in an emergency situation must be provided at every operator control location and also at other locations where it may be necessary to initiate a stop in an emergency situation (exception: operator control stations which are not connected through cables). In order to fulfill the protective goals, specified in EN 60204-1 as well as EN 418, the following requirements apply for both functions (also refer to 10.7 in EN 60204-1):

    - When contacts switch even with just a brief actuation, the control device must positively latch.

    - It is not permissible that the machine can be restarted from a remote main operator control station without the hazard or danger first having been removed. The emergency off device must be consciously released again locally.

    - Operator control stations which are connected without using cables must have a dedicated and clearly identified possibility of initiating the Stop function of the machine. The operator section, which initiates this stop function, may not be marked or labeled as a device to shut down the machine in an emergency situation.
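
    The EMERGENCY STOP requirements quoted above from 9.2.5.4.2 and 10.7 of EN 60204-1 (priority over all other functions, Stop Category 0 or 1, latching on a brief actuation, local release, no restart on reset) can be traced in a small scan-based model. This is an added illustration, not code from the manual or from any Siemens product; it is a plain simulation, and all class, input and state names are assumptions.

```python
"""Scan-based model of EMERGENCY STOP handling (illustrative simulation)."""
from dataclasses import dataclass
from enum import Enum


class StopCategory(Enum):
    CAT0 = 0  # power removed immediately
    CAT1 = 1  # controlled stop, power removed at standstill


class State(Enum):
    IDLE = "idle"        # power off, waiting for a start command
    RUNNING = "running"  # power on, motion enabled
    BRAKING = "braking"  # Category 1 emergency stop in progress
    STOPPED = "stopped"  # emergency stop completed, power removed


@dataclass
class Inputs:  # one scan of hypothetical input signals
    estop: bool = False       # EMERGENCY STOP device actuated
    release: bool = False     # device unlatched locally, at the device
    reset: bool = False       # acknowledgement from the operator station
    start: bool = False       # START/ON pushbutton
    standstill: bool = False  # drive reports zero speed


class EStopController:
    def __init__(self, category: StopCategory):
        self.category = category
        self.state = State.IDLE
        self.latched = False
        self._prev_start = False

    @property
    def power(self) -> bool:
        return self.state in (State.RUNNING, State.BRAKING)

    @property
    def motion_enabled(self) -> bool:
        return self.state is State.RUNNING

    def scan(self, i: Inputs) -> State:
        start_edge = i.start and not self._prev_start
        self._prev_start = i.start

        # Emergency stop is evaluated before anything else (priority).
        if i.estop:
            self.latched = True       # even a one-scan actuation latches
        elif i.release:
            self.latched = False      # only a local release unlatches

        if self.latched and self.state in (State.IDLE, State.RUNNING):
            controlled = (self.state is State.RUNNING
                          and self.category is StopCategory.CAT1
                          and not i.standstill)
            self.state = State.BRAKING if controlled else State.STOPPED
        elif self.state is State.BRAKING:
            if i.standstill:          # Category 1: power off at standstill
                self.state = State.STOPPED
        elif self.state is State.STOPPED:
            # Reset only acknowledges the stop; it never starts the machine.
            if i.reset and not self.latched:
                self.state = State.IDLE
        elif self.state is State.IDLE and start_edge:
            self.state = State.RUNNING  # needs a fresh START actuation
        return self.state


def replay(category: StopCategory, scans):
    """Run a list of Inputs and return (state, power) after each scan."""
    ctrl = EStopController(category)
    return [(ctrl.scan(i).value, ctrl.power) for i in scans]
```

    A START pushbutton held down through the reset does not restart the machine in this model; the button has to be released and pressed again.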

    Implementing safety-related functions

    When implementing safety-related control functions using programmable electronic systems, the requirements of EN 954 and IEC 61508 must be fulfilled. When the requirements of these standards are taken into account, it is possible to even implement complex functions by using electronics and programmable electronic systems, for example, a fail-safe SIMATIC or SINUMERIK. These functions can then be implemented in a safety-related fashion.


    Man Machine

    In order to simplify the interaction between man and machine, reference is made to Standards EN 60073 and DIN EN 60204.

    Switches, pushbuttons and signaling lamps are predominantly used as machine components as the interface between man and the machine. These operator control elements are clearly and uniformly identified using color coding, which has a very specific significance. This guarantees that the safety of operating personnel is increased and it is easier to handle and maintain the operating resources/plants and systems.

    The colors of pushbuttons, the significance of these colors, explanations and application examples are shown in Fig. 1/10.

    According to DIN EN 60204-1 (VDE 0113 Part 1) the following information has to be observed:

    The preferred colors for START/ON operator devices should be WHITE, GREY or BLACK - preferably WHITE. GREEN may be used, RED may not be used.

    RED must be used for EMERGENCY STOP devices. The colors for STOP/OFF operator control devices should be BLACK, GREY or WHITE - preferably BLACK. RED is also permitted. It is not permissible to use GREEN.

    WHITE, GREY and BLACK are the preferred colors for pushbuttons, which can be used alternating as START/ON and STOP/OFF pushbuttons. It is not permissible to use RED, YELLOW or GREEN.

    WHITE, GREY and BLACK are the preferred colors for pushbutton control elements which initiate an operation while they are being pressed and end that operation when they are released (e.g. jogging). It is not permissible to use RED, YELLOW or GREEN.

    Fig. 1/10 Colors for pushbuttons and their significance in accordance with EN 60204-1 (VDE 0113 Part 1): 06.93

    | Color | Meaning | Explanation | Examples of application |
    |---|---|---|---|
    | RED | Emergency | Actuate in the event of a hazardous condition or emergency | EMERGENCY STOP, Initiation of EMERGENCY STOP functions, conditional for STOP/OFF |
    | YELLOW | Abnormal | Actuate in the event of an abnormal condition | Intervention to suppress an abnormal condition, Intervention to restart an interrupted automatic cycle |
    | GREEN | Normal | Actuate to initiate normal conditions or normal status | START/ON, however WHITE should be preferably used |

    BLUE Mandatory Actuate for a Reset functioncondition requi