Safety Components

The Definition of Safety Components

The need for safety components within safety-related control systems arises when devising basic principles to prevent mechanical accidents and attain safety in machines.

● Definitions in the Machinery Directive

Safety components are defined in the broadest sense as shown below according to Article 1 of the Machinery Directive.

(1) Parts provided to ensure safety functions.

(2) A part that poses a threat to the health and safety of workers if damaged or functionally imperfect.

● Items Specified in the Machinery Directive

The following five items are designated safety components in Annex IV.

(1) Sensors that electronically detect workers

(2) Logic units (checks safety functions in two-handed control devices)

(3) Protective screens for presses

(4) Roll over protection structures (ROPS)

(5) Falling object protection structures (FOPS)

Note: Annex IV contains a safety component list. Refer to the Machinery Directive for details.

● OMRON's View of Safety Components

OMRON generically defines safety components as parts in the broadest meaning mentioned above as well as safety-related parts that are stipulated for use in safety circuits.

● The Function of Safety Components

Control systems that affect safety must be designed to minimize the possibility of danger occurring even when there is a malfunction in an interlock device. Safety devices are equipped with functions such as a direct opening mechanism for switches and a forcibly guided mechanism for relays, as required by standards. These functions are designed to operate correctly within the control system in which they are used.

The following describes safety components that are commonly used to develop safety functions.

1.Emergency Stop Switches

An emergency stop switch is a switch which is attached to a machine to interrupt operation in the event of an emergency.

● Standards for the Emergency Stop Function: ISO 13850 and IEC 60204-1

The most relevant standards for emergency stop applications are ISO 13850 and IEC 60204-1. ISO 13850 contains functional aspects and principles for design. IEC 60204-1 is about the safety of machinery and electrical equipment of machines.

● Emergency Stop Devices

1.Types

The following are typical types of emergency stop devices:

A pushbutton operated switch

A pull-cord operated switch

2.Requirements

Electric contacts must have a direct opening mechanism.

Emergency stop devices must have a holding function that will mechanically hold in the stop position until the device is manually reset.

Actuators of an emergency stop device must be colored red and of a mushroom shape. The background immediately behind the actuator must be colored yellow.

Consideration must be given to the following items when a wire is used as an actuator.

(1) The amount of deflection needed to generate the emergency stop signal

(2) The maximum deflection possible

(3) The minimum clearance between the wire and the nearest machine in the vicinity

(4) The amount of force required for operation

(5) The ease with which an operator can locate the device, by use of a marker flag or other method

(6) The automatic generation of an emergency stop signal in the event that the wire breaks or becomes detached

2.Safety Switches

Safety switches come in the form of safety door switches and safety limit switches.

The safety door switch can be a mechanical or electrical switch that is connected to the direct opening mechanism and does not allow the machine to operate unless certain conditions have been met, such as the door being closed. It also has functions that prevent it from being easily nullified.

A safety limit switch is a switch connected to the direct opening mechanism that is used for door monitoring and to ensure that objects are not pushed too far.

(1) Door Monitoring and Interlocking

Door monitoring and interlocking switches are among the most important types of protective devices; they prevent dangerous situations by taking power away from the machine.

When it is decided to protect the machine with protective fences, we must be sure that the only way inside the dangerous area is through the guard. If the guard is opened, a mechanically actuated position detector stops the machine. Every guard in the fence must have mechanically actuated position detectors to ensure the safety of personnel. A basic requirement is that if the door is opened, the machine must stop before anyone can reach the hazardous moving parts of the machine.

The most important selection criteria of an interlocking device are:

the conditions of use and intended use (ISO12100-1)

the hazard present at the machine (ISO12100-1)

the severity of the possible injury

the probability of failure of the interlocking device

stopping time and access time considerations

the frequency of access

the duration of a person's exposure to the hazard

performance considerations

The position switch shall be actuated in the positive mode. The break contact of the position switch shall be of the "positive opening operation" type. (IEC60947-5-1)

The security of an interlock switch is dependent on its ability to withstand attempts to "cheat" or defeat the mechanism. An interlock switch should be designed so that it cannot be defeated in a simple manner. Defeat in a simple manner means that the intended operation can be achieved manually or with a readily available object. Readily available objects may be:

screws, needles, sheet-metal pieces;

objects in daily use such as keys, coins, tools required for the intended use of the machine

(2) ISO14119

ISO14119 "interlocking devices associated with guards" provides guidance on interlocking devices and is intended to be used together with EN60947-5-1 for electromechanical switches.

(3) Requirements for Door Monitoring

Door monitoring must ensure that the safety door protects the hazardous area as defined in the risk assessment (ISO14121). The sensors and the signal processing must comply with all required norms and directives.

Switches must be designed to withstand all expected and foreseeable stresses.

Switches must comply with safety standards; in particular, direct opening contacts and safety door switches must be used.

The principles of redundancy and diversity must be considered in the mechanical design of switches and signal processing.

The signal processing must be designed to be in accordance with the categories of ISO13849-1 defined in the risk assessment.

(4) Requirements for Door Interlocking

An interlocking device with guard locking shall be used when the stopping time is greater than the access time taken by a person to reach the danger zone.
The device is intended to lock a guard in the closed position and is linked to a control system so that:

the machine cannot operate until the guard is closed and locked;

the guard remains locked until the risk has passed.

For applications requiring frequent access, the interlocking device shall be chosen to provide the least possible hindrance to the operation of the guard.
In that case, the requirements of intended use, conditions of use, risk assessment, and stopping time and access time must also be taken into account.

● Mechanically actuated devices:

There are three types of mechanical actuation. These are:

1.Cam operated actuation

When one single detector is used it shall be actuated in the positive mode since, among other characteristics, this mode of actuation prevents the detector from being defeated in a simple manner. A higher level of protection against defeat can be achieved, e.g., by enclosing the cam and detector in the same housing.

2.Operation key operated actuation

The operation key operated switch is designed to prevent easy cheating of the switch.
A dedicated operation key is needed every time.
These switches can be used on sliding, hinged and lift-off guards. Mainly they are used in interlocking switches.
A disadvantage of these switches is that they can be defeated by using an operation key which is not attached to the guard.
Preventing this kind of defeat is possible and it can be achieved by:

Physical obstruction or shielding preventing introduction of spare actuators

Permanent assembly (by welding, riveting, "one way" screw) of the operating key with the guard to render dismantling more difficult.

3.Hinge operated actuation

In hinged door switches it is very difficult to defeat the switch. That is a very good feature of hinged door switches. Another feature is easy use in small size guards, where key operated switches cannot be used due to operation key radius. Care must be taken for large wide guard doors because the opening angle results in a bigger movement of the door. That can result in a significant gap in the opening edge on very wide guard doors.

(5) Circuit Example

Below you will find some door monitoring application examples.

G9SB-3012-A 24V AC/DC

- category 4
- auto reset
S1: Safety limit switch with direct opening (D4N, D4B-[])
S2: Safety limit switch (D4N, D4BN)
KM1/KM2: Contactor
M: 3-phase motor

(6) Form Lock Mechanism

As shown in the following illustration, the safety limit switch has a positive opening mechanism that consists of inelastic, uneven parts engaged with one another so that the actuator will not be deformed or displaced by a strong force which may be applied on the actuator when a contact is welded.

Note:The lever is secured with uneven parts so that the lever will not fail if a strong force is applied to it. The lever cannot be attached backwards.

(7) Contact Positive Opening Mechanism

(1)Contact welded

(2)Positive Opening

(3)Completed Positive Opening

The contacts must withstand the impulse voltage specified by IEC60947-5-1 when the contacts have been forcibly opened with the positive operating force (POF) and positive overtravel (POT) exceeding the contact welding force, which is equivalent to 10 N.

(8) Contact Configuration

EN 60617 applies to diagram marks to be used when designing electrical circuits.
EN 60617 is harmonized with IEC 60617 and JIS C 0617. These diagram mark standards must be followed in the product design.
The following figure shows contact marks used in the user's guide as cited from EN 60617.

| Illustration | Mark | Contact type | Applicable models | Remarks |
|---|---|---|---|---|
| | | Y | A165E, A22E | Two contacts switched together |
| | | Za | D4B-N (snap action) | • Four contacts switched together: One movable contact blade opens and closes. • This type cannot use power with different voltages or polarities. |
| | | Zb | D4B-N (slow action), D4BS, D4BL, D4N, D4NS, D4N-R, D4NH, D4NL, D4GS-N, D4F, D4JL, D4GL | • Four contacts switched together: The two movable contact blades are insulated from each other. • This type can use power with different voltages or polarities. |

Terminals 11 and 12 in the illustration are the contacts forcibly opened.

(9) Negative Operation and Positive Operation

(10) Mounting Precautions

The following conditions must be observed to ensure safety.

Switch Mounting

Do not mount a safety switch where it can be easily operated while the safety door is open if a Safety Limit Switch is used to check the door for safety.

We recommend using an operation key operated switch like the D4BS to check a safety door or a removable safety cover for safety.

Dog Mounting

Make sure the angle, operating speed, and operating direction of the dog are correct or premature malfunction of the switch may occur.

Safety Switch Mounting

Install safety switches where they can be replaced and maintained without difficulty. Do not mount them inside machines. Always mount outside.

Switch Protection

Safety Limit Switch
Install a stopper to prevent actuator operation or overtravel from damaging the switch.

Cable Layout

Wrap sealing tape around the connector conduits of safety switches connected to cables. The bending radius (r) must be at least 5 times the cable diameter (d).

Safety Door Switch
Do not use the switch as a stopper. Install a stopper to protect both the switch and the operation key, and adjust placement position (a) within the set zone of the operation key.

Install an operation key operated switch in hazardous places where someone might reach in if the door is open.

3.Safety Light Curtains

Safety light curtains use blocked light to detect workers in hazardous machine areas and to stop machines before workers are injured. Unlike ordinary sensors, safety area sensors use a combination of hardware and software to check constantly for internal faults to ensure safe operation.
The following section describes the faults and malfunctions the F3SJ/F3SN detects to ensure safety.

(1) Compliance with Machinery Directive

The safety standards for safety area sensors are the same requirements stipulated for safety in the Machinery Directive, and European standards like IEC61496 ensure compliance with those requirements. IEC61496-1 stipulates exactly how type 4 ESPE will ensure safety for an accumulation of up to three faults. In the F3SJ, F3SN-A, F3SH-A, F3SL, F3SS and MS4800, safety was designed in by using dual CPUs that check each other as well as by using redundant signal processing and output circuits. FMEA* was also used to demonstrate safe operation and thus ensure complete safety.

*FMEA: Failure mode and effects analysis

(2) Applications

The F3SJ, F3SN-A, F3SH-A, F3SL and MS4800 Safety Light Curtains and F3SS Single-beam Safety Sensor can be used even with the most hazardous machines. (EC Machinery Directive Type 4)
These products can be used for all applications in categories B, 1, 2, 3, and 4 (ISO 13849-1) for safety-related parts produced for machine hazards. The F3SN-B and E3FS/E3ZS Single-beam Safety Sensors *, which are Type 2 Safety Area Sensors, can be used for applications in categories B, 1, and 2.

*Used as a set with the special Controller.

(3) Press Safety Standards

When safety area sensors are to be used with press equipment in Japan, they must pass the "model test" stipulated in Article 44, Item 2, of the Occupational Health and Safety Law. The F3SJ, F3SN, F3SH, F3SL and MS4800 have not been subjected to this model test, so they cannot be used in the applications described in Article 42 of the Occupational Health and Safety Law as "Safety devices for presses or shearing machines."

(4) Safety Distances

When installing a presence-sensing device, such as a Safety Light Curtain, the minimal distance that is required to stop the machine before a person who enters the detection zone will reach the machine is stipulated by EN999 and other standards.

● Calculating the safety distance based on ISO13855 (EN999)

Safety distance (S) = Person's approach speed × response time + additional distance due to the sensor's detection capability

● Finger or hand detection
• S = (K × T) + 8 (d − 14), for d ≤ 40

K = 2,000 mm/s (assuming entry speed of finger)
T = Machine's maximum stop time + Light Curtain response time
d = Light Curtain's minimum detection object value

Note:
If S ≤ 100 mm, S = 100 mm
If S ≥ 500 mm, recalculate with K = 1,600
If the result of the recalculation is S ≤ 500 mm, S = 500 mm

● Body detection
• S = (K × T) + 850, for 40 < d ≤ 70

K = 1,600 mm/s (assuming person's walking speed)
T = Machine's maximum stop time + Light Curtain response time
C = 850 mm (assuming entry with an outstretched arm)

● S = (K × T) + (1,200 − 0.4 H)

K = 1,600 mm/s (assuming person's walking speed)
T = Machine's maximum stop time + Light Curtain response time
H = Light Curtain installation height = 15 (d − 50)

Note: 1. H must not exceed 1,000 mm
Note: 2. If H exceeds 300 mm (200 mm for non-industrial applications), there is a danger of someone slipping under. This must be considered in the risk assessment.
Note: 3. When detecting entry with a Safety Mat: S = (1,600 × T) + 1,200

General formula: S = K × T + C
d ≤ 40 mm, 100 mm ≤ S ≤ 500 mm: S = (2,000 mm/s × T) + 8 (d − 14 mm)
d ≤ 40 mm, S > 500 mm: S = (1,600 mm/s × T) + 8 (d − 14 mm)
40 mm < d ≤ 70 mm: S = (1,600 mm/s × T) + 850 mm
Single beam: S = (1,600 mm/s × T) + 1,200 mm

(5) Muting Function (IEC 61496-1)

The muting function temporarily stops the detection function of the Safety Light Curtain and automatically keeps the safety output ON regardless of whether the light is incident or interrupted.
The muting function can be added to the Safety Light Curtain by connecting the F3SP-U2P Muting controller or by connecting the Safety Light Curtain with accessories (F3SJ + Muting Cap).
Conventionally when objects such as AGVs or transport pallets passed through the detection area, the work process was stopped by the light interruption of the Safety Light Curtain each time they passed. With the addition of the muting function, the safety output can be turned OFF only when a person enters the area, while automatically maintaining the safety output when a workpiece passes through. This makes it possible for work to continue without stopping the production line.
However, when muted, the safety detection function is deactivated, which means that it cannot output an OFF signal to the hazard source when a person enters the detection area.

● Installation

The following items are necessary to add the muting function.
(Example)
F3SN-A Safety Light Curtain: 1 set
F3SP-U2P Muting Controller: 1
E3Z-R81 Muting Sensors: 2
Muting Lamp (OMRON recommended product): 1

Note:
The F3SP-U2P Muting Controller distinguishes the difference between a workpiece and a person passing through by the difference in the detection timing of Muting Sensors A and B. Adjust the installation locations and detection directions of Muting Sensors A and B so that the light will not be interrupted in both when a person passes through.

Workpieces and persons are distinguished by multiple Muting Sensors. Because a dangerous situation may occur if the installation positions and other factors are not correct for the Muting Sensors, have a person with sufficient knowledge and experience perform a risk assessment when deciding the selection, installation locations, detection directions, and other factors for the Muting Sensors.
For more details, refer to the operation manual for the F3SP-U2P Muting Controller.

● Prior to Use

It is necessary to alert people in the vicinity when muting is being used. A Muting Lamp must be installed for this purpose. Also, the F3SP-U2P is equipped with an override function that forcibly applies muting. The safety output is explicitly disabled by this function, so ample safety considerations must be made in its use.

Example of Improper Use

No Muting Lamp installed.

Persons approach a hazard source during muting.

Example of Proper Use

A Muting Lamp is installed to inform people in the vicinity that muting is being used and the safety detection function is being disabled.

Persons do not approach a hazard source during muting.

(6) Blanking Application

Fixed Blanking:

Some applications have problems in mounting the light curtain. Therefore it is helpful to take out zones from the protection field. With the blanking function it is possible to specify beams whose interruption will be ignored by the light curtain. This is called fixed blanking.
The remaining field or zone has to be protected by mechanical guards.

Floating Blanking:

The floating blanking function allows the output to remain ON when beams of the sensor are interrupted anywhere in the protection field. In contrast with fixed blanking function, which invalidates the fixed detection area, the floating blanking function ignores objects smaller than a specified radius. This reduces the optical resolution.

(1): No detection

(2): Detection of 1 beam

(3): Moving of work piece
(Detection of 1 beam)

(4): Detection of 2 beams
(Detection of a value exceeding the set value)

Application Example: Wire or Tape Take-up Winder

When it is not possible to provide the entire take-up winder with a safety cover or other device.

For calculating the safety distance this reduced resolution has to be taken into account. (See table below.)

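Smallest detectable object diameter (mm)

| Beam pitch (mm) / Floating blanking gap | 0 | 1 | 2 | 3 | 4 * |
|---|---|---|---|---|---|
| 9 (F3SJ-A[]14, F3SN-A[]14) | 14 | 23 | 32 | 41 | 50 * |
| 15 (F3SJ-A[]20) | 20 | 35 | 50 | 65 | 80 |
| 15 (F3SN-A[]25) | 25 | 40 | 55 | 70 | --- |
| 25 (F3SJ-A[]30) | 30 | 55 | 80 | 105 | 130 |
| 30 (F3SN-A[]40) | 40 | 70 | 100 | 130 | --- |
| 60 (F3SN-A[]70) | 70 | 130 | 190 | 250 | --- |
| Number of interrupted beams to turn OFF the control output | 1 beam | 2 beams | 3 beams | 4 beams | 5 beams |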

*Can be set only with the F3SJ series
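The safety distance formulas in (4) and the reduced resolution from the floating blanking table can be worked through together. The following is an added example, not OMRON code: the function names are hypothetical, the stop and response times in the demo are constructed sample values, and times are passed as integer milliseconds.

```python
# Smallest detectable object diameter d (mm) for floating blanking
# settings 0..4, copied from three rows of the table on this page
# (None where the table shows "---").
DETECTION_CAPABILITY = {
    "F3SJ-A[]14": [14, 23, 32, 41, 50],
    "F3SN-A[]25": [25, 40, 55, 70, None],
    "F3SJ-A[]30": [30, 55, 80, 105, 130],
}


def ceil_div(a, b):
    """Integer division rounded up, so the distance is never rounded down."""
    return -(-a // b)


def safety_distance_mm(stop_ms, curtain_ms, d_mm):
    """Minimum distance S (mm) from the page's formulas, S = K x T + C.

    T = machine's maximum stop time + light curtain response time.
    """
    t_ms = stop_ms + curtain_ms
    if d_mm <= 40:  # finger or hand detection
        # The page's values start at d = 14; ISO 13855 does not let this
        # term go below 0 (added here, not stated on the page).
        c = max(0, 8 * (d_mm - 14))
        s = ceil_div(2000 * t_ms, 1000) + c
        if s >= 500:  # recalculate with K = 1,600, but never below 500 mm
            s = max(ceil_div(1600 * t_ms, 1000) + c, 500)
        return max(s, 100)  # never below 100 mm
    if d_mm <= 70:  # body detection
        return ceil_div(1600 * t_ms, 1000) + 850
    raise ValueError("d > 70 mm is not covered by the formulas on this page")


def distance_with_blanking(model, setting, stop_ms, curtain_ms):
    """Return (d, S) for a model and a floating blanking setting (table column)."""
    d = DETECTION_CAPABILITY[model][setting]
    if d is None:
        raise ValueError(f"{model}: setting {setting} is not available")
    return d, safety_distance_mm(stop_ms, curtain_ms, d)


if __name__ == "__main__":
    # Constructed sample: 100 ms machine stop time, 15 ms curtain response time.
    for setting in range(5):
        d, s = distance_with_blanking("F3SJ-A[]14", setting, 100, 15)
        print(f"setting {setting}: d = {d} mm, S = {s} mm")
```

With these sample times, going from two to three blanked beams on the 9 mm pitch model moves d past 40 mm, so the body detection formula applies and the required distance rises sharply.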

4.Safety Relays

Unlike other relays, safety relays ensure the safety function even if contacts are welded together because they have forcibly guided (linked) contacts (EN 50205).

Note: Welded contacts cannot be pulled apart.

(1) Main Safety Relay Requirements

The gap between contacts must be at least 0.5 mm during normal operation or when a fault occurs.

Contact load switching must conform to AC-15 and DC-13 (IEC 60947-5-1).

The mechanical service life must be at least 10 million operations.

(2) Forcibly Guided (Linked) Contact Structure (Type G7S Safety Relay)

If at least one normally open contact is welded, when the coil is de-energized, all normally closed contacts maintain a gap of at least 0.5 mm. Even if a normally closed contact is welded, all normally open contacts maintain a gap of at least 0.5 mm in the coil energized mode (in accordance with EN 50205).
Relays that use forcibly guided contacts for all of the contacts are called Class A and indicated by the

(3) Structural Comparison of General Relays and Relays with Forcibly Guided Contacts

5.Safety Application Controllers

The Safety Application Controller receives signals from a safety input device and controls whether the machine should be started or not.

(1) Safety Relay Units

A typical configuration for the operation control of machinery and equipment is shown in Fig. 1.

● Non-safety-related Parts

The role of non-safety-related parts is to start and continue the operation of devices upon receiving an operate command signal from an automatic control system.

● Safety-related Parts

The role of safety-related parts is to enable operation only when the safety of the machinery and equipment is confirmed.

● Judging Function

The judging function sends an operate signal to a power control element only when it has judged that both the above-mentioned operate command signal, which is sent from a non-safety-related part, and the safety check signal, which confirms the safety of the machinery, allow operation.

● Judging Function Elements

The judging function cannot be created by simply combining multiple elements.
Its circuit must incorporate elements that will minimize risks caused by a failure in machinery or equipment. These circuit configuration elements typically include items 1 to 5 shown below.

● Necessity of Safety Relay Units

It is possible to configure a safety-verified circuit by incorporating safety relays with forcibly guided contacts. However, this requires a certain level of technology to configure the circuit and some expense for its certification. As a result, it has become general practice to use standard units that specialized manufacturers have developed by incorporating safety relays. These are provided as a series of Safety Relay Units with proven functional safety.

(2) Safety Application Controllers

Safety Relay Units are suited to simple relay sequence configurations for single input/single output applications. Advanced units with electronic or programmable control have been developed to handle complicated applications (with multiple inputs and outputs) that are difficult for simple relay sequences. Even in these advanced units, the following technologies ensure sufficient safety.

● Dual CPUs

We pursued safety to the limit to deliver safety and reliability backed by the highest level of safety design and FMEA. Two CPU Units perform mutual checking and diagnostic monitoring of each I/O section, and the safety of operations is further verified by FMEA and process-controlled design and production.

● Effective Functions

1. Logic Connections

For example, an AND condition is required for both partially stopping each module of a device and stopping the entire device. By making this AND logic into a function, it can be used in combinations to enable flexible response to even complicated applications.

When the Emergency Stop Switch is pressed, the entire machine will stop.

When a door is open, the corresponding part will not activate.

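| Emergency stop / Doors | Main door: Open | Main door: Closed | Pallet changer door: Open | Pallet changer door: Closed | Tool changer door: Open | Tool changer door: Closed |
|---|---|---|---|---|---|---|
| System not operating | Power shut OFF | Power ON | Power shut OFF | Power ON | Power shut OFF | Power ON |
| System operating | Power shut OFF | Power shut OFF | Power shut OFF | Power shut OFF | Power shut OFF | Power shut OFF |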

2. Programmability

By creating safety programs, the designer can more flexibly handle complex applications. There are, however, four requirements for safety in programming safety circuits.

(1) Preventing User Programming Errors

Safety functions (such as emergency stop buttons and two-hand operating buttons) are provided as verified function blocks to ensure safety at the function block level.
(The safety of the combination of function blocks must be verified to ensure final safety.)

(2) Preventing Unexpected Operation from Incorrect Wiring

External wiring faults are detected, including incorrect wiring, ground faults, short circuits, and disconnection. Internal circuit faults are also detected.

(3) Preventing Unintentional Settings

Checks are performed to ensure that the parameters input by the user are correctly transferred to and set in the devices before automatically enabling starting.

(4) Preventing System Access Except by Administrators

Passwords are set for devices to allow only administrators to change parameters, operating modes, or other aspects of operation.

3. Networking

Creating networks for safety circuits enables applications that require distributing safety devices, as well as expansion of I/O capacity.
The following four measures are taken in implementing safety circuit networks.

(1) Cross-checking Communications Data (System Redundancy)

Redundancy is implemented for safety data by sending inverted data together with safety data to improve safety.

(2) Special Check Code for Safety Data (Safety-CRC)

Check codes called Safety-CRC are attached to both the safety data and inverted data to ensure that any message corruption is detected.

(3) IDs for Transmitters and Receivers

Safety devices have unique ID codes, which can be used by the devices to prevent incorrect data communications.

(4) Data Time Management

Safety devices attach time stamps to the data they send. These are managed by the devices to ensure that communications are handled in a suitable timeframe and a suitable order to monitor for reversed or late communications data.
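
The four network measures above can be sketched as a receiver that applies each check in turn. This is an added example, not OMRON's protocol or code: the frame layout, field sizes and reason strings are assumptions, and CRC-32 from Python's binascii stands in for the Safety-CRC, whose definition the page does not give.

```python
import binascii
import struct

# Constructed frame layout, for illustration only:
# header | data | CRC(header+data) | inverted data | CRC(header+inverted data)
HEADER = struct.Struct(">HHIB")  # sender ID, receiver ID, time stamp (ms), data length
CRC_LEN = 4


def check_code(header, body):
    # CRC-32 is a stand-in; the page does not define the Safety-CRC itself.
    return struct.pack(">I", binascii.crc32(header + body))


def build_frame(sender, receiver, stamp_ms, data, inverted=None):
    """Build a frame. Pass `inverted` only to simulate a faulty sender."""
    header = HEADER.pack(sender, receiver, stamp_ms, len(data))
    if inverted is None:
        inverted = bytes(b ^ 0xFF for b in data)
    return (header + data + check_code(header, data)
            + inverted + check_code(header, inverted))


class Receiver:
    def __init__(self, own_id, peer_id, max_age_ms):
        self.own_id = own_id
        self.peer_id = peer_id
        self.max_age_ms = max_age_ms
        self.last_stamp = None  # time stamp of the last accepted frame

    def accept(self, frame, now_ms):
        """Return (data, "ok"), or (None, reason) when a check fails."""
        if len(frame) < HEADER.size:
            return None, "length"
        header, body = frame[:HEADER.size], frame[HEADER.size:]
        sender, receiver, stamp, n = HEADER.unpack(header)
        if len(body) != 2 * (n + CRC_LEN):
            return None, "length"
        data, data_crc = body[:n], body[n:n + CRC_LEN]
        inv, inv_crc = body[n + CRC_LEN:2 * n + CRC_LEN], body[2 * n + CRC_LEN:]
        # (2) check codes on both copies catch corrupted messages
        if check_code(header, data) != data_crc or check_code(header, inv) != inv_crc:
            return None, "crc"
        # (1) the inverted copy must be the exact complement of the data
        if bytes(b ^ 0xFF for b in data) != inv:
            return None, "cross-check"
        # (3) only the configured transmitter/receiver pair is accepted
        if (sender, receiver) != (self.peer_id, self.own_id):
            return None, "id"
        # (4) time stamps must increase and must not be older than max_age_ms
        if self.last_stamp is not None and stamp <= self.last_stamp:
            return None, "order"
        if now_ms - stamp > self.max_age_ms:
            return None, "late"
        self.last_stamp = stamp
        return data, "ok"


if __name__ == "__main__":
    rx = Receiver(own_id=2, peer_id=1, max_age_ms=50)
    frame = build_frame(1, 2, 1000, b"\x01")  # constructed sample message
    print(rx.accept(frame, now_ms=1010))       # accepted
    print(rx.accept(frame, now_ms=1015))       # same frame again: rejected
```

The inverted copy and the check codes detect accidental corruption; they do not authenticate the sender, because any device that can transmit on the network can compute both.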