Pilz PNOZsigma Instructions for use

Application examples for project configuration –
safety relays PNOZsigma
Application Manual – October 2011 edition
Safety relays PNOZsigma

Why does Pilz offer more?
Because the integrality
of our business activities
is what sets us apart.
Pilz is a solution supplier for all automation functions, including standard control functions. Developments from Pilz protect man, machine and the environment. That’s why all our experience and knowledge goes into individual products as well as consistently sophisticated system solutions.
• Sensor technology
• Control technology
• Networks
• Drive technology
• Operator and visualisation systems
• Software
• Consulting and engineering
• Training
Appropriate services relating to individual
components and independent generic
services guarantee that our customers obtain
customised automation solutions, all from one
source.
You can find more details about Pilz and your products and services on the Internet:
• www.pilz.com
Pilz is a family business
that’s closer to its customers
Pilz has a tradition as a family-run company
stretching back 60 years. Real proximity to
customers is visible in all areas, instilling
confidence through individual consultation,
flexibility and reliable service.
We are your contact, guide and competency
leader en route to an optimum automation
solution.
Support –
Technical help round the clock!
Technical support is available from Pilz round
the clock. This service is provided free of
charge beyond standard business hours.
You can reach our
international hotline on:
• +49 711 3409-444
Exclusion of liability
Our application manual has been compiled with great care. It contains information about our company and our products. All statements are made in accordance with the current status of technology and to the best of our knowledge and belief. However, we cannot accept liability for the accuracy and entirety of the information provided, except in the case of gross negligence. In particular it should be noted that statements do not have the legal quality of assurances or assured properties. We are grateful for any feedback on the contents.
October 2011
All rights to this publication are reserved by
Pilz GmbH & Co. KG. We reserve the right to
amend specifications without prior notice.
Copies may be made for the user’s internal
purposes. The names of products, goods
and technologies used in this manual are
trademarks of the respective companies.

Safe Automation
Solution supplier for safety and standard
Pilz offers a universal concept for solutions
that can be applied right across industry.
Whether you need safety or standard control
functions, machine or plant, centralised or
decentralised, a single product or a total
solution: With Pilz you will definitely find a
solution for your automation function.
Are you looking for a flexible solution for
your automation functions?
• PMD: Electronic monitoring relays such
as voltage or true power monitors, for
example.
• PNOZ: Safety relays for simple plant and
machinery with up to 4 safety functions.
Safe monitoring of E-STOPs, safety gates
and light curtains/light grids, for example.
• PNOZmulti: The safety circuit is created
using a simple configuration tool.
Applicable from 4 safety functions.
• PSS: Programmable control systems for
use on complex machinery or distributed
plants, to monitor safety-related
functions and/or for complete machine
control.
• Industrial communication: Transfer input/
output signals and control data reliably
and safely.
Sensor technology, used in conjunction
with Pilz safe control technology, offers a
coordinated, complete solution that's
economical, approved and safe. The focus
is always on the protection of man and
machine, in compliance with the standards
and regulations.
Drive technology provides overall solutions
for automating your machinery. From
controller operation through to movement
of highly dynamic drives, including all safety
aspects.
Operator and visualisation systems
provide diagnostic and visualisation devices,
plus control and signal devices as part of
the Pilz solution. The focus is always on fast,
simple configuration. Machine downtimes
are clearly reduced thanks to the overall
diagnostic concept PVIS.
Software includes system software, user software and software tools. Here you'll find the right tool for every task. From product-related software to diagnostic software, through to the PAScal Safety Calculator.
Services in the field of machinery safety
are covered holistically by Pilz. From risk
assessment through to ESPE inspection.
Pilz also offers a comprehensive range of
training courses and seminars, covering
generic issues relating to machinery safety
as well as Pilz products.
Figure: Pilz product overview. Your requirements / Our solution: PMD electronic monitoring relays, PNOZ safety relays, PNOZmulti configurable control system, PSS programmable control systems, industrial communication networks. Supplementary product ranges: sensor technology, drive technology, operator and visualisation systems, software, services.

Contents
1.0 Standards and Directives
1.1 Standards and Directives
2.0 Application Examples
2.1 Emergency Stop Applications
2.2 Safety Gate Applications
2.3 ESPE Applications
2.4 Two-hand Applications
2.5 Further Applications
3.0 Service
3.1 Pre-sales, after sales, your partner for practical training, business terms and conditions

Standards and Directives
Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany, Telephone: +49 711 3409-0, Telefax: +49 711 3409-133, E-Mail: [email protected] 2008-09
Contents (with page numbers)
European directives and position of the standards in Europe: 1.1-2
Risk assessment: 1.1-4
Legal regulations outside Europe and standards for functional safety: 1.1-5
Safety-related parts of control systems – General principles for design in accordance with EN ISO 13849-1: 1.1-6
Functional safety and legal position of EN/IEC 61508: 1.1-8
Functional safety in accordance with EN/IEC 62061: 1.1-9
Risk parameters and categories in accordance with EN 954-1/EN ISO 13849-1: 1.1-11

Standards and Directives
European directives and position of the standards in Europe
Figure: Incorporation of the directives into domestic law (using Germany as an example)
European directives
The concept of a single European internal market in terms of the “New Approach” can be traced right back to the start of the 70s: The low voltage directive is the first piece of European legislation to take into account the approach towards harmonisation of a common single market.
Products that are covered by one or more of the following directives have to apply a CE-mark, i.e. the product must be accompanied by a declaration of conformity. With a declaration of conformity the manufacturer confirms that his product meets all the requirements of the European directives that relate to his product. This means he can launch and sell his product within the scope of the EU without consideration of any national regulations.
Key engineering directives:
• General product safety (2001/95/EC)
• Health and safety (89/391/EEC)
• Use of work equipment (89/655/EEC)
• Lifts (95/16/EC)
• Waste electrical and electronic equipment
(2002/96/EC)
• Electromagnetic compatibility (EMC)
(2004/108/EC)
• Devices for use in potentially explosive
areas (ATEX) (94/9/EC)
• Machinery (98/37/EC) / (2006/42/EC)
• Low voltage equipment (2006/95/EC)
• Personal protective equipment (89/686/EEC)
• Cable cars (2000/9/EC)
The directives are addressed to member states, who are obliged to incorporate the European directives into domestic law. In Germany this is normally achieved through the device safety law.

Position of the standards in Europe
The legal position of standards is discussed again and again. Inside Europe, i.e. within the scope of the European directives that are subject to the CE-marking obligation, a manufacturer is not bound by standards or other specifications. He simply needs to comply with the health and safety requirements of the directive(s). The associated benefits of a division between standards and legislation are obvious: It is easier for legislators to agree on the essential requirements than on technical details. Also, the directives do not regularly have to be adapted to the state of technology; member states can use their own legal system for incorporation and manufacturers are free to select the ways in which they implement the requirements of the directive.
So what are the benefits of applying the standards? With so-called harmonised standards with presumption of conformity, there is a shifting of the burden of proof, i.e. if manufacturers apply these standards, it is presumed that they will also comply with the specific requirements of the European directives. The regulatory authorities would therefore need to prove that a manufacturer did not meet the legal requirements. However, should a manufacturer deviate from the harmonised standards, he himself must prove how he has met the essential safety requirements. This is generally done via a hazard analysis. In practice one would endeavour to apply the harmonised standards, unless the products concerned are highly innovative and no harmonised standards yet exist. The standards for which this “presumption effect” applies can be researched in the Official Journal of the EU (e.g. on the Internet). Standards in Europe are subdivided into what are termed A, B and C standards.
Figure: Standards pyramid
A standards have priority over all others and deal with essential safety requirements for machinery:
• EN ISO 12100 Safety of machinery
• EN 1050 Risk assessment
B1 standards deal with aspects of safety; B2 standards deal with safety devices:
• EN 954-1 Safety-related parts
• EN 574 Two-hand controls
• EN 418 Emergency stop equipment
C standards deal with specific types or groups of machinery:
• EN 12415 Turning machines
• EN 422 Blow moulding machines
• EN 692 Mech. presses

Risk assessment
Under the terms of the machinery directive, a machine manufacturer must assess the hazards in order to identify all the hazards that apply to his machine. He must then design and construct the machine to take account of his assessment. This requirement also applies to operators who act as manufacturers under the terms of the machinery directive. For example, this may occur with machines that are interlinked or for machinery that has been upgraded and substantially modified.
EN ISO 14121-1 contains “Principles for risk assessment” on machinery. These approaches can be called upon as part of a comprehensive analysis. EN ISO 13849-1 expands on EN ISO 14121-1 with regard to the assessment of safety-related parts of control systems.
The hazards emanating from a machine may be many and varied, so for example, it is necessary to consider not just mechanical hazards through crushing and shearing, but also thermal and electrical hazards and hazards from radiation. Risk reduction is therefore an iterative process, i.e. it is carried out before and during the planning phase and after completion of the plant or machine.
Figure: Iterative process in accordance with EN ISO 14121-1 (flowchart)
Start → Risk analysis, consisting of:
1. Determination of the limits of the machine (lifecycles, limits of the application area, training level, other groups of people, etc.)
2. Hazard identification (Annex A of EN 1050, point 4 of EN 292-1, etc.)
3. Risk estimation (extent, probability, group of people, human factors, reliability of the safety function, possibility of defeat, etc.)
Risk evaluation: Is the machinery safe? (Hazard removed? Protective measures appropriate? User information sufficient?)
Yes → End. No → Risk reduction, then return to risk analysis.
Risk analysis and risk evaluation together form the risk assessment.

Legal regulations outside Europe
The situation is somewhat different in the USA: people there are mainly familiar with two types of standards: ANSI (American National Standards Institute) and OSHA (Occupational Safety and Health Administration).
OSHA standards are published by the state and compliance is mandatory. ANSI standards, on the other hand, are developed by private organisations and their application is generally not absolutely essential. However, ANSI standards can still be found included as part of a contract. Beyond that ANSI standards are being taken over by OSHA. You can also still come across the NFPA (National Fire Protection Association), which developed NFPA 79 as a counterpart to EN 60204-1, for example. The OSHA standards can be compared with the European directives. Unlike the European directives, OSHA standards are more involved with formulating technical specifications than abstract requirements.
The legal basis in the USA can be seen as a mix of product standards, fire codes (NFPA), electrical codes (NEC) and national laws. Local government bodies have the authority to monitor that these codes are being enforced and implemented.
Russia and the CIS states have implemented GOST-R certification for some years now, in other words, technical devices that fall within a specific product area must undergo a certain certification process. Machinery and any corresponding technical accessories undergo a type approval test through a European notified body, for example. This test is generally recognised by a Russian-based approvals body. From the point of view of safety, the same requirements apply as in Europe.
China, on the other hand, has introduced CCC certification. Similar to the position in Russia, technical products are subject to mandatory certification through a national approvals body in China. In addition, production sites are inspected. If a technical device falls within the scope of the product list, which is subdivided into 19 categories, certification is mandatory, otherwise it will be necessary to supply a type of “declaration of no objection” from a national notified body.
Japan is currently in a transition period: The plan is for Japan to adopt the European “new approach” – in other words, to keep standards and legislation separate. At the moment the international ISO and IEC standards are being directly incorporated into national legislation, which is why people are currently confronted with frequent amendments to laws and lengthy implementation periods.
Standards for functional safety
Different standards may be called upon to observe functional safety on control systems, depending on the application. In the area of machine safety, EN ISO 13849-1 is the main standard named for safety-related control systems. Irrespective of the technology, this applies for the whole chain from the sensor to the actuator. The risk graphs and corresponding risk parameters can be used to estimate the potential risk for danger zones on machinery. The category is then established without the use of risk-reducing measures.

Standards and Directives
Safety-related parts of control systems – General principles for design in accordance with EN ISO 13849-1
As the successor standard to EN 954-1, EN ISO 13849-1 is based on the familiar categories. Equally, it examines complete safety functions, including all the components involved in their design. EN ISO 13849-1 goes beyond the qualitative approach of EN 954-1 to include a quantitative assessment of the safety functions. A performance level (PL) is used for this, building upon the categories.
Components/devices require the following safety parameters:
• Category (structural requirement)
• PL: Performance level
• MTTFd: Mean time to dangerous failure
• DC: Diagnostic coverage
• CCF: Common cause failure
The standard describes how to calculate the performance level (PL) for safety-related parts of control systems, based on designated architectures. EN ISO 13849-1 refers any deviations to IEC 61508.
Parameters S, F and P are used on the risk graph to determine the required performance level (PLr) for a safety function. The selection of parameters is no different to the procedure used in EN 954-1 (1996). However, the result is no longer a category but a PL.
Risk assessment in accordance with EN ISO 13849-1
Risk assessment is an iterative process, i.e. it will need to be carried out more than once. The risk must be estimated and the performance level defined for each hazard on which the risk is to be reduced through control measures. The risk is estimated through consideration of the severity of injury (S), the frequency and duration of exposure to the hazard (F) and the possibility of avoiding or limiting the harm (P).
Figure: Determination of the required Performance Level (PLr), risk graph. The starting point for evaluation of the safety function's contribution to risk reduction leads through S, F and P to the required performance level PLr, from low risk to high risk.
S Severity of injury
S1 = Slight (normally reversible injury)
S2 = Serious (normally irreversible injury, including death)
F Frequency and/or exposure to a hazard
F1 = Seldom to less often and/or the exposure time is short
F2 = Frequent to continuous and/or the exposure time is long
P Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions
P2 = Scarcely possible

Performance Levels (PL) in accordance with EN ISO 13849-1
PL: Probability of a dangerous failure per hour [1/h]
a: 10^-5 ≤ PFH < 10^-4
b: 3×10^-6 ≤ PFH < 10^-5
c: 10^-6 ≤ PFH < 3×10^-6
d: 10^-7 ≤ PFH < 10^-6
e: 10^-8 ≤ PFH < 10^-7
Figure: Relationship between categories, DCavg, MTTFd and PL (bar chart). Vertical axis: PFH/h from 10^-4 down to 10^-8 with the corresponding performance levels a to e. Horizontal axis: the designated architectures Cat. B (DCavg = none), Cat. 1 (DCavg = none), Cat. 2 (DCavg = low), Cat. 2 (DCavg = med.), Cat. 3 (DCavg = low), Cat. 3 (DCavg = med.) and Cat. 4 (DCavg = high). Each bar is split by MTTFd of each channel: low, medium or high (scale 3, 10, 30 and 100 years).
Performance level
The performance level (PL) classifies 5 levels of probability of failure. The table shows the relationship between PL and the probability of dangerous failure per hour (PFHD).
Once the required PL has been established, the PL achieved by the safety function (SRP/CS) is calculated. To do this the SRP/CS can be divided into logical blocks, such as input, logic solving and output for example.
When using a designated architecture or an architecture of similar structure, the achieved PL can be calculated graphically using the bar chart. To do this the architecture of the SRP/CS is divided into categories. MTTFd and DCavg are also required. From Category 2 onwards, the CCF will also need to be examined. A component’s MTTFd value is usually provided by the manufacturer. The standard provides tables and check lists for calculating the other values.
It is also possible to calculate the achieved PL of an SRP/CS. The probability of dangerous failure of all the blocks that combine to form the safety function is added up:
PFH_System = PFH_Input + PFH_Logic + PFH_Output
The PL achieved by an SRP/CS must be at least as high as the PL required by the safety function. If this condition is not met, the safety function must be implemented differently.
Figure: block diagram of the safety function: Input → Logic solving → Output.

Standards and Directives
Functional safety and legal position of EN/IEC 61508
Figure: sector standards derived from IEC 61508 for the machinery (IEC 62061), medical (IEC 62304), transport, power station (IEC 61513) and process (IEC 61511) sectors.
Functional safety with EN/IEC 61508?
EN/IEC 61508 is regarded as a generic safety standard, which deals with the functional safety of electrical, electronic and programmable electronic systems, irrespective of the application.
One of the main tasks of EN/IEC 61508 is to serve as a basis for the development of application-oriented standards. Standards’ committees are currently busy in the areas of machine safety with EN/IEC 62061, and process safety with EN/IEC 61511. These sector-specific standards are intended to continue the principle approaches of EN/IEC 61508 and to implement the requirements for the relevant application area in a suitably practical manner.
Sector standards from EN/IEC 61508
What is the legal status of EN/IEC 61508?
As EN/IEC 61508 is not listed in the Official
Journal of the European Communities for im-
plementation as a European directive, it lacks
the so-called “effect of presumption”, so if the
standard is used on its own, a control system
designer cannot presume that the relevant re-
quirements of the specific European directive
have been met.

Standards and Directives
Functional safety in accordance with EN/IEC 62061
Functional safety of safety-related electrical, electronic and programmable electronic control systems in accordance with EN/IEC 62061
EN/IEC 62061 represents a sector-specific standard under EN/IEC 61508. It describes the implementation of safety-related electrical control systems on machinery and examines the overall lifecycle from the concept phase through to decommissioning. Quantitative and qualitative examinations of the safety functions form the basis.
Risk estimation is an iterative process, i.e. it will need to be carried out more than once. The risk must be estimated and the SIL defined for each hazard on which the risk is to be reduced through control measures. The risk is estimated through consideration of the severity of injury (Se), the frequency and duration of exposure to the hazard (Fr), the probability of occurrence of a hazardous event (Pr) and the possibility of avoiding or limiting the harm (Av).
Risk assessment and determination of the required Safety Integrity Level (SIL):
Severity (Se): 4 = Death, losing an eye or arm; 3 = Permanent, losing fingers; 2 = Reversible, medical attention; 1 = Reversible, first aid
Frequency and duration of exposure (Fr): ≤ 1 hour = 5; > 1 h to ≤ 1 day = 5; > 1 day to ≤ 2 wks = 4; > 2 wks to ≤ 1 year = 3; > 1 year = 2
Probability of hazardous event (Pr): Very high = 5; Likely = 4; Possible = 3; Rarely = 2; Negligible = 1
Avoidance (Av): Impossible = 5; Possible = 3; Likely = 1
SIL assignment by severity Se and class Cl:
Se    Cl 3-4    Cl 5-7    Cl 8-10   Cl 11-13   Cl 14-15
4     SIL 2     SIL 2     SIL 2     SIL 3      SIL 3
3     -         OM        SIL 1     SIL 2      SIL 3
2     -         -         OM        SIL 1      SIL 2
1     -         -         -         OM         SIL 1
OM = Other measures recommended
The required SIL is assigned using the table above, where Cl = Fr + Pr + Av.

Safety Integrity Level (SIL) in accordance with EN/IEC 62061
Architectural constraints: SIL achievable from the safe failure fraction (SFF) and the hardware fault tolerance (HFT)
SFF              HFT 0         HFT 1    HFT 2
< 60 %           Not allowed   SIL 1    SIL 2
60 % to < 90 %   SIL 1         SIL 2    SIL 3
90 % to < 99 %   SIL 2         SIL 3    SIL 3
≥ 99 %           SIL 3         SIL 3    SIL 3
Probability of a dangerous failure per hour [1/h]:
No special safety requirement: 10^-5 ≤ PFH < 10^-4
SIL 1 (1 failure in 100 000 h): 3×10^-6 ≤ PFH < 10^-5
SIL 1 (1 failure in 100 000 h): 10^-6 ≤ PFH < 3×10^-6
SIL 2 (1 failure in 1 000 000 h): 10^-7 ≤ PFH < 10^-6
SIL 3 (1 failure in 10 000 000 h): 10^-8 ≤ PFH < 10^-7
SIL assignment
The safety integrity level (SIL) classifies three levels of probability of failure. The table shows the relationship between SIL and the probability of dangerous failure per hour (PFHD).
The SRECS (safety-related electrical control system) is divided into subsystems. The subsystems are assigned to actual devices. The SIL must be defined for each subsystem. The probability of a dangerous failure is calculated by adding the probabilities of failure of all the subsystems of the SRECS:
PFHD = PFHD1 + ... + PFHDn
The selection or design of the SRECS must always meet the following minimum requirements:
Requirements for hardware safety integrity, comprising
• Architectural constraints for hardware safety integrity
• Requirements for the probability of dangerous random hardware failures
plus requirements for systematic safety integrity, comprising
• Requirements for avoidance of failures and
• Requirements for the control of systematic failures.
The following parameters are required in assessing hardware safety integrity:
λD: Dangerous failure rate
T1: Proof test interval
T2: Diagnostic test interval
DC: Diagnostic coverage
β: Common cause failure
The calculated probability of failure (PFHD) of each SRECS must be less than the probability of failure required by the safety function. The required probability of failure, depending on the SIL, can be taken from the table. If this condition is not met, the safety function must be implemented differently.
The achieved SIL can only be as high as the lowest SILCL (SIL Claim Limit) of a subsystem involved in performing the safety function.
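The PL bookkeeping from the EN ISO 13849-1 section above (PFH_System as the sum of the input, logic and output blocks, achieved PL checked against PLr) and the SIL bookkeeping from this section (Cl = Fr + Pr + Av, PFHD as the sum of the subsystems, SILCL from SFF and HFT, achieved SIL capped by the lowest SILCL), as an added example that is not Pilz software and not part of the original manual. The PFHD, SFF and HFT values for the hypothetical S1/K1/KM1/KM2 chain are constructed, and the S/F/P branch mapping of the risk graph is taken from EN ISO 13849-1 Annex A because the graph itself is not legible on this page.

```python
"""PL and SIL bookkeeping for the tables in this section.
Added example, not Pilz software; the device values below are constructed
for illustration and are not taken from any data sheet."""

# PFH bands shared by the EN ISO 13849-1 (PL) and EN/IEC 62061 (SIL) tables
# on this page: (lower bound inclusive, upper bound exclusive, PL, SIL).
# SIL 1 covers two PL bands (b and c); the top band carries no SIL requirement.
PFH_BANDS = [
    (1e-5, 1e-4, "a", None),
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
]
PL_ORDER = "abcde"

# Risk graph (S, F, P) -> PLr. The page lists the parameters, but the branches
# of the graph were lost in extraction; this mapping is EN ISO 13849-1 Annex A.
PLR_RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# EN/IEC 62061 SIL assignment: rows are Se, columns are class Cl = Fr + Pr + Av.
# None = no entry in the table, "OM" = other measures recommended.
CL_COLUMNS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_TABLE = {
    4: [2, 2, 2, 3, 3],
    3: [None, "OM", 1, 2, 3],
    2: [None, None, "OM", 1, 2],
    1: [None, None, None, "OM", 1],
}

# Architectural constraints: SILCL from the SFF band and the hardware fault
# tolerance (HFT). Columns: <60 %, 60-<90 %, 90-<99 %, >=99 %; None = not allowed.
SFF_EDGES = (0.60, 0.90, 0.99)
SILCL_TABLE = {0: [None, 1, 2, 3], 1: [1, 2, 3, 3], 2: [2, 3, 3, 3]}


def band_for(pfh):
    """Return (PL, SIL) for a PFH value, or (None, None) outside the table."""
    for lo, hi, pl, sil in PFH_BANDS:
        if lo <= pfh < hi:
            return pl, sil
    return None, None


def required_pl(s, f, p):
    """Required performance level PLr from the risk graph parameters S, F, P."""
    return PLR_RISK_GRAPH[(s, f, p)]


def assess_srp_cs(pfh_input, pfh_logic, pfh_output, plr):
    """PFH_System = PFH_Input + PFH_Logic + PFH_Output; achieved PL must be >= PLr."""
    pfh_system = pfh_input + pfh_logic + pfh_output
    pl, _ = band_for(pfh_system)
    ok = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
    return pfh_system, pl, ok


def required_sil(se, fr, pr, av):
    """Required SIL (int), "OM" (other measures recommended) or None from the table."""
    if se not in SIL_TABLE or fr not in (2, 3, 4, 5) or pr not in range(1, 6) or av not in (1, 3, 5):
        raise ValueError("parameter outside the Se/Fr/Pr/Av scales of the table")
    cl = fr + pr + av
    col = next(i for i, (lo, hi) in enumerate(CL_COLUMNS) if lo <= cl <= hi)
    return SIL_TABLE[se][col]


def silcl(sff, hft):
    """Highest SIL a subsystem may claim from its SFF and HFT (None = not allowed)."""
    col = sum(sff >= edge for edge in SFF_EDGES)
    return SILCL_TABLE[hft][col]


def assess_srecs(subsystems, sil_required):
    """subsystems: list of (name, PFHD, SFF, HFT). PFHD = PFHD1 + ... + PFHDn;
    the achieved SIL is capped by the lowest SILCL of any subsystem."""
    if not isinstance(sil_required, int):
        raise ValueError("a numeric SIL is required for the comparison")
    pfhd = sum(p for _, p, _, _ in subsystems)
    _, sil_from_pfh = band_for(pfhd)
    lowest_silcl = min(silcl(sff, hft) or 0 for _, _, sff, hft in subsystems)
    achieved = min(sil_from_pfh or 0, lowest_silcl)
    return pfhd, achieved, achieved >= sil_required


if __name__ == "__main__":
    # Constructed E-STOP chain: S1 (input), K1 (logic), KM1/KM2 (output).
    plr = required_pl(2, 2, 1)          # serious injury, frequent exposure, avoidable
    print("PLr =", plr, "->", assess_srp_cs(2e-8, 3e-8, 1.5e-7, plr))
    need = required_sil(4, 5, 3, 3)      # Cl = 11 -> SIL 3
    chain = [("S1", 1e-8, 0.95, 1), ("K1", 2e-8, 0.99, 1), ("KM1/KM2", 1.2e-7, 0.90, 1)]
    print("SIL required", need, "->", assess_srecs(chain, need))
```

In the constructed SIL case the summed PFHD lands in the SIL 2 band although every subsystem claims SILCL 3, which is exactly the "implement the safety function differently" outcome the text describes.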

Standards and Directives
Risk parameters and categories in accordance with EN 954-1/EN ISO 13849-1 1)
Risk parameters
S = Severity of injury:
1 = Slight (normally reversible) injury
2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure to the hazard:
1 = Seldom to quite often and/or exposure time is short
2 = Frequent to continuous and/or exposure time is long
P = Possibility of avoiding the hazard:
1 = Possible under specific conditions
2 = Scarcely possible
Figure: Risk graph from EN 954-1, leading from the starting point for risk estimation through S, F and P to the categories.
Categories in accordance with EN 954-1
The control system requirements derived from the risk graph are specified as follows:
Category B
Basic category with no special requirements
= “good industrial standard”
Category 1
Safety-related parts must be designed and
constructed using well-tried components and
well-tried safety principles.
Well-tried means: the components have been widely used in the past with successful results in similar applications, or they have been manufactured using principles that demonstrate their suitability and reliability for safety-related applications.
Example: safety switch with forced-opening contacts.
Well-tried safety principles are circuits that are constructed in such a way that certain faults can be avoided by the appropriate arrangement or layout of components.
Example: avoiding a short circuit through appropriate separation, avoiding component failures that result from overdimensioning, using the failsafe principle (on switching off).
Note: The occurrence of a fault can lead to
the loss of the safety function.
Category 2
Safety-related parts of control systems must
be designed so that their safety function(s) are
checked at suitable intervals by the machine
control system. The safety function(s) must
be checked: at the machine start-up and prior
to the initiation of any hazardous situation;
periodically during operation, if the risk as-
sessment and the kind of operation show that
it is necessary.
This check may be initiated automatically
or manually. Automatically, for example, the
check may be initiated by a signal generated
from a control system at suitable intervals.
The automatic test should be provided by
preference. The decision about the type of
test depends on the risk assessment and
the judgement of the end user or machine
builder. If no fault is detected, operation may
be approved as a result of the test. If a fault
is detected, an output must be generated to
initiate appropriate control action. A second,
independent shutdown route is required for
this.
Notes: In some cases Category 2 is not applicable because the checking of the safety function cannot be applied to all components and devices. Moreover, the cost involved in implementing Category 2 correctly may be considerable, so that it may make better economic sense to implement a different category.
In general Category 2 can be realised with electronic techniques. The system behaviour allows the occurrence of a fault to lead to the loss of the safety function between checks; the loss of the safety function is detected by the check.
Category 3
Safety-related parts of control systems must
be designed so that a single fault in any of
these parts does not lead to the loss of the
safety function.
Whenever reasonably practicable, the single
fault shall be detected at or before the next
demand upon the safety function.
This does not mean that all faults will be detected. The accumulation of undetected faults can lead to an unintended output signal and a hazardous situation at the machine.
Category 4
Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to a loss of the safety function; the single fault must be detected at or before the next demand upon the safety function (e.g. immediately at switch on, at the end of a machine operating cycle). If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
1) Only applicable until November 2009. Replaced by EN ISO 13849-1.

Emergency Stop Applications
Contents (with page numbers)
Emergency stop applications
PNOZ s3 – Dual-channel operation, contact expansion through contactor (PL d of EN ISO 13849-1, SIL 2 of EN 62061): 2.1-2
PNOZ s3 – Dual-channel operation, contact expansion through PZE X4.1P (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-5
PNOZ s4 – Dual-channel operation, contact expansion through contactor (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-8
PNOZ s5 – Safe standstill of one drive (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-11
PNOZ s5 – Safe standstill of two drives (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-14
PNOZ s5 – Combined with two PNOZ s7 (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-19
PNOZ s7 – Combined with PNOZ s4 (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-23
PNOZ s9 – Combined with PNOZ s4, safe standstill of one drive (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-26
PNOZ s10 – Combined with PNOZ s4 (PL e of EN ISO 13849-1, SIL 3 of EN 62061): 2.1-29

PL d of EN ISO 13849-1, SIL 2 of EN 62061
PNOZ s3 - Dual-channel operation, contact expansion through contactor
Features
• Dual-channel operation
• Monitored reset with falling edge
• Contact expansion through positive-guided contactors
• Feedback loop to monitor contact expansion
Description
E-STOP function
When the E-STOP pushbutton S1 is
operated, the input circuit on the safety
relay PNOZ s3 (K1) is interrupted, the safety
contacts on K1 open. Contactors KM1 and
KM2 de-energise.
Settings on the unit
The terminator on the PNOZ s3 (K1) must
be connected.
The operating mode selector switch
(mode) on the safety relay PNOZ s3 (K1)
must be set to “Monitored reset, falling
edge without detection of shorts across
contacts (In2+)”.
Start/reset
The safety relay PNOZ s3 (K1) can be
started by pressing reset button S2 if:
E-STOP pushbutton S1 has not been
operated and
Contactors KM1 and KM2 have de-
energised.
Feedback loop
The positive-guided N/C contacts on
contactors KM1 and KM2 are monitored in
feedback loop S12-S34 of safety relay
PNOZ s3 (K1).
Safety assessment
The safety relay K1 and contactors KM1
and KM2 must be installed in a single
mounting area (control cabinet) in order
to exclude a short across the output.
Earth fault in the input circuit is detected.
A fault on the device does not lead to the
loss of the safety function.
The safety relay PNOZ s3 (K1) can be
started when the input circuit at K1 is
closed first, followed by reset button S2.
This avoids an unwanted reset before the
input circuit is closed or as a result of the
reset button being overridden.
If the position of the operating mode
selector switch (mode) is changed during
operation, an error message will be
triggered; the safety contacts on K1
open. This fault condition can only be
rectified by switching the supply voltage
on the safety relay PNOZ s3 (K1) off and
then on again.
Pilz products
Number Designation Order number
1 PNOZ s3 750 103
1 PITestop Set1.1 400 410

Safety-related characteristics in accordance with EN ISO 13849-1
Prerequisites:
Common cause failure (CCF): Requirements are considered to be met (must be tested on implementation)
Mission time: 20 years
Operating interval (electromechanical components):
- Sensor: One operation per week
- Actuator: One operation per week
Characteristic data of contactors KM1/KM2:
B10d: 2,000,000
Safety-related characteristics in accordance with EN 62061
Prerequisites:
Common cause failure (CCF): β = 2 % (must be tested on implementation)
Proof test interval: 20 years
Operating interval (electromechanical components):
- Sensor: One operation per week
- Actuator: One operation per week
Characteristic data of contactors KM1/KM2:
B10d: 2,000,000
Dangerous failure rate: 65%
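As an added worked example (not part of the Pilz manual), the MTTFd and T10d of the contactor channel KM1/KM2 computed from the characteristic data above with the component-level formulas of EN ISO 13849-1:2008 Annex C; the second, higher-frequency case is a constructed comparison, not a value from the manual, showing when T10d drops below the 20-year mission time and the contactors would have to be replaced.

```python
"""Added example: MTTFd and T10d for the contactor channel KM1/KM2.

Formulas from EN ISO 13849-1:2008 Annex C:
  n_op  = d_op * h_op * 3600 / t_cycle      (operations per year)
  MTTFd = B10d / (0.1 * n_op)               (years)
  T10d  = B10d / n_op                       (years)
Inputs from the manual: B10d = 2,000,000, one operation per week,
mission time 20 years.  The one-operation-per-minute case is constructed.
"""

MTTFD_CAP_YEARS = 100.0  # per-channel cap, EN ISO 13849-1:2008 clause 4.5.2


def n_op_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean annual operations: d_op days/year, h_op hours/day,
    t_cycle_s seconds between two successive operations."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_class(mttfd_years: float) -> str:
    """EN ISO 13849-1 Table 5: low 3..10 a, medium 10..30 a, high 30..100 a."""
    if mttfd_years < 3.0:
        return "not acceptable"
    if mttfd_years < 10.0:
        return "low"
    if mttfd_years < 30.0:
        return "medium"
    return "high"


def assess_component(b10d: float, n_op: float, mission_time_years: float) -> dict:
    """Component-level figures for one electromechanical element."""
    mttfd_raw = b10d / (0.1 * n_op)
    t10d = b10d / n_op
    return {
        "n_op": n_op,
        "mttfd_years": min(mttfd_raw, MTTFD_CAP_YEARS),
        "mttfd_class": mttfd_class(mttfd_raw),
        "t10d_years": t10d,
        # If T10d is shorter than the mission time the contactor must be
        # replaced before T10d expires, otherwise the B10d estimate no longer holds.
        "replace_before_mission_end": t10d < mission_time_years,
    }


if __name__ == "__main__":
    # Case from the manual: one operation per week -> 52 operations a year.
    print(assess_component(2_000_000, 52.0, 20.0))
    # Constructed comparison: 220 days/year, 16 h/day, one operation per minute.
    print(assess_component(2_000_000, n_op_per_year(220, 16, 60), 20.0))
```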
Classification in accordance with EN 954-1
Depending on the application area and its
respective regulations, this connection example
is suitable for applications up to Category 3 of
EN 954-1.
EN ISO 13849-1
Safety function: Machine shut down via E-STOP
Performance Level: PL d
Safety-related parts of the control system: Sensor (PITestop S1), Logic (PNOZ s3), Actuator (contactors KM1, KM2)
EN 62061
Safety-related control function (SRCF): Machine shut down via E-STOP
Safety Integrity Level: SIL 2
Subsystems: Sensor (PITestop S1), Logic (PNOZ s3), Actuator (contactors KM1, KM2)
Please note the further requirements of EN ISO 13849-1, e.g. requirements for avoiding systematic faults.
Please note the further requirements of EN 62061, e.g. requirements for systematic safety integrity.
[Circuit diagram, not reproduced in this text extraction: emergency stop with extension contact by contactor and monitored start; PNOZ s3 (K1), E-STOP pushbutton S1, start/reset button S2, contactors KM1 and KM2; EN ISO 13849-1 PL d, EN 62061 SIL 2]
PL e of EN ISO 13849-1, SIL 3 of EN 62061
PNOZ s3 - Dual-channel operation, contact expansion through PZE X4.1P
Features
• Dual-channel operation with detection of shorts across contacts
• Monitored reset with falling edge
• Contact expansion through PZE X4.1P (contact expander module)
• Feedback loop to monitor contact expansion
Description
E-STOP function
When the E-STOP pushbutton S5 is
operated, the input circuit on the safety
relay PNOZ s3 (K5) is interrupted, the safety
contacts on K5 open. As a result the input
circuit on the contact expander module PZE
X4.1P (K6) is interrupted, the safety
contacts on K6 open.
Settings on the unit
The terminator on the PNOZ s3 (K5) must
be connected.
The operating mode selector switch
(mode) on the safety relay PNOZ s3 (K5)
must be set to “Monitored reset, falling
edge with detection of shorts across
contacts (In2-)”.
Start/reset
The safety relay PNOZ s3 (K5) can be
started by pressing reset button S6 if:
E-STOP pushbutton S5 has not been
operated and
Feedback loop Y1/Y2 on contact
expander module PZE X4.1P (K6) is
closed and
Contactors KM1 and KM2 have de-
energised.
Feedback loop
The feedback loop on the safety relay PNOZ
s3 (K5) is connected to the feedback loop
on the contact expander module
PZE X4.1P (K6).
The positive-guided N/C contacts on
contactors KM1 and KM2 are monitored in
feedback loop S12-S34 of safety relay
PNOZ s3 (K5).
Safety assessment
The safety relay K1 and the contactors
KM1 and KM2 must be installed in a
single mounting area (control cabinet) in
order to exclude a short across the
output.
Earth faults and shorts between contacts
in the input circuit are detected.
A fault on the device does not lead to the
loss of the safety function.
The safety relay PNOZ s3 (K5) can be
started when the input circuit at K5 is
closed first, followed by reset button S6.
This avoids an unwanted reset before the
input circuit is closed or as a result of the
reset button being overridden.
If the position of the operating mode
selector switch (mode) is changed during
operation, an error message will be
triggered; the safety contacts on K5
open. This fault condition can only be
rectified by switching the supply voltage
on the safety relay PNOZ s3 (K5) off and
then on again.
Pilz products
Number Designation Order number
1 PNOZ s3 750 103
1 PZE X4.1P 777 587
1 PITestop Set1.1 400 410