Basic Understanding of Safety Circuits

By Lisa Eitel

Contributed By Digi-Key's North American Editors

This article reviews the basics of safety circuits for automated machinery. The discussion will touch on standards that dictate required features; common setups; mechanisms for addressing faults and preventing tampering; and the functions of components often found in safety-circuit installations.

History and function of safety circuits

In the early industrial period, machinery was extremely dangerous. It was common for both factory and agricultural workers to lose fingers, limbs, and even their lives through entrapment in moving machinery. This led to the development of systems of guarding and other safety devices.

Interlocks — which make the state of two or more machine functions interdependent — are core to the function of today’s safety systems. These prevent machines from injuring operators or damaging their own components. For example, an interlock may prevent a machine from starting if its guard is open and stop the machine if a guard is opened during operation.

Many simple interlock systems are purely mechanical. For example, in some machine designs, the guard pivots about an axis with an interlock cam attached. When the guard is open, the cam engages with a matching cam on the machine’s drive shaft to prevent operation of the axis. That means it’s only possible for the machine to operate when the guard is closed.

Most modern machines use electronic safety circuits or even microprocessor control to implement interlock safety systems. Electronics give far greater flexibility in the arrangement of guards and the complexity of safety procedures than mechanical solutions.

Typical electrical safety circuits permit the machine to run only while the whole circuit is closed: the safety contacts are normally closed (NC), so the closed state is the run permission and any open contact removes it. Safety components are also wired in series, which keeps the circuit simple and inexpensive while guaranteeing that any single device can remove the run permission.

Consider a typical installation with a number of position switches whose contacts are closed (NC) while the corresponding section of guard is closed. The switches are wired in series, so if any section of the guard is not closed properly the whole circuit is open and the machine will not run. The same structure is what makes the circuit fail safe against the most likely wiring faults: a loosened terminal or a severed cable opens the circuit and therefore causes a stop rather than a silent loss of protection. The opposite fault, a short across a contact or between conductors, holds the circuit closed; a single-channel series circuit cannot detect it, which is why two-channel wiring with cross-monitoring is used where such faults must be caught.

One caveat related to the series wiring of safety circuits: when a chain contains more than four safety switches, or includes guards that are opened frequently, the achievable performance level of the design (PL, detailed in the next section) decreases and there is an increased risk of fault masking. Fault masking occurs when the routine opening and closing of one guard in the chain hides a fault, typically a short circuit across one contact, in another device in the same chain: the monitoring unit sees both channels open and close together, treats the chain as healthy, and the fault stays undetected until a second fault completes the loss of the safety function. Masking is most likely where the chain consists of volt-free (dry) contacts, that is, plain switch or relay contacts with no supply of their own and no self-monitoring, so the only diagnostics available are the cross-comparison performed by the downstream safety relay or controller. Where that risk is unacceptable, more sophisticated wiring (for example, switches with self-monitored electronic outputs, or a safety controller with a separate input pair for each guard) may be necessary.
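The fault-masking mechanism described above, as an added simulation that is not part of the original article: two guard switches with dual NC contacts are wired as two series chains into a simplified dual-channel safety relay that cross-checks its inputs. The relay model (a synchronisation window of two evaluation steps, and the rule that both channels must have been seen open together before the output is re-enabled) is an assumption chosen to resemble common relay behaviour, not any particular product; the guard names and fault timings are constructed. The three scenarios show the fault being detected when the faulty guard is opened alone, the same fault being masked when a second guard in the chain is opened within the window, and the loss of the safety function once a second fault accumulates.

```python
"""Constructed simulation of a series-wired, dual-channel guard interlock chain.

Each guard has two normally-closed (NC) contacts. All channel-A contacts are
wired in series to relay input A, all channel-B contacts to relay input B.
Nothing here models a specific product; the relay timing is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Guard:
    name: str
    closed: bool = True
    # Channels whose contact has a short across it: they read "closed" forever.
    shorted: set = field(default_factory=set)

    def contact(self, channel: str) -> bool:
        """True when this guard's NC contact on the channel conducts."""
        return self.closed or channel in self.shorted


def chain_conducts(guards: list, channel: str) -> bool:
    """A series chain conducts only if every contact in it conducts."""
    return all(g.contact(channel) for g in guards)


@dataclass
class DualChannelRelay:
    """Simplified two-channel safety relay with cross-monitoring.

    Assumed behaviour: the output is enabled only while both inputs are closed;
    if one input opens, the other must open within `sync_window` evaluation
    steps or a wiring fault is latched (output off until power cycle); and the
    output is only re-enabled after both inputs have been seen open together.
    """
    sync_window: int = 2
    output: bool = False
    fault: bool = False
    disagree_steps: int = 0
    ready: bool = True  # both channels opened together since last discrepancy

    def evaluate(self, a: bool, b: bool) -> bool:
        if self.fault:
            self.output = False
        elif a != b:                       # channels disagree
            self.disagree_steps += 1
            self.ready = False
            self.output = False
            if self.disagree_steps > self.sync_window:
                self.fault = True          # detected: discrepancy persisted
        elif not a and not b:              # both open: a valid stop
            self.disagree_steps = 0
            self.ready = True
            self.output = False
        else:                              # both closed
            self.disagree_steps = 0
            self.output = self.ready
        return self.output


def step(relay: DualChannelRelay, guards: list) -> bool:
    """One evaluation cycle: read both series chains, feed the relay."""
    return relay.evaluate(chain_conducts(guards, "A"), chain_conducts(guards, "B"))


def scenario_detected():
    """Gate 2 has a short on channel A and is opened alone and held open."""
    gates = [Guard("gate1"), Guard("gate2", shorted={"A"})]
    relay = DualChannelRelay()
    step(relay, gates)                     # all closed: machine enabled
    gates[1].closed = False
    outputs = [step(relay, gates) for _ in range(3)]
    return relay.fault, outputs            # (True, [False, False, False])


def scenario_masked():
    """Same fault, but gate 1 is opened right after gate 2, then both closed."""
    gates = [Guard("gate1"), Guard("gate2", shorted={"A"})]
    relay = DualChannelRelay()
    step(relay, gates)
    gates[1].closed = False
    step(relay, gates)                     # only channel B opens: discrepancy
    gates[0].closed = False
    step(relay, gates)                     # gate 1 opens both chains: looks valid
    gates[0].closed = gates[1].closed = True
    running = step(relay, gates)           # relay re-enables; short never seen
    return relay.fault, running, gates, relay   # (False, True, ...)


def scenario_accumulated():
    """After masking, a second short (channel B of gate 2) goes unnoticed."""
    _, _, gates, relay = scenario_masked()
    gates[1].shorted.add("B")
    gates[1].closed = False                # gate 2 opened with machine enabled
    return step(relay, gates)              # True: safety function lost


if __name__ == "__main__":
    print("detected:", scenario_detected())
    print("masked:", scenario_masked()[:2])
    print("accumulated (output while gate open):", scenario_accumulated())
```

The masked scenario is the one ISO/TR 24119 warns about: the relay's diagnostics are only as good as the information the dry contacts give it, and opening a healthy guard in the same chain supplies exactly the "both channels open" pattern the relay was waiting for.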

Figure 1: Shown here is a Banner Engineering SC10 Series safety controller designed to deliver the functionality of three safety relay modules. (Image source: Banner Engineering)

Trapped-key interlocks are often used to ensure that all guards are locked shut before a machine is operated. In these systems, the lock on each safety guard holds its key captive until the guard is closed and locked; only then can the key be removed. The keys are then taken to the control or power unit and used to enable the machinery. Conversely, the keys are held captive in the power unit while the machine is enabled and can only be removed after the machine has been shut down, at which point they can be used to unlock the guards again. Because a key can only be in one place at a time, the mechanical sequence itself enforces the interlock: no guard can be unlocked while its key is enabling the machine.

Risk assessments and the requirements of governing standards

ISO 14119 covers the safety of machinery with interlocking devices associated with guards and outlines design and selection principles to ensure machinery safety. It refers to other standards for general principles of risk assessment and risk reduction in the design of machinery.

The basic function of an interlocking guard is to prevent the execution of hazardous operations it covers until that guard closes. So, if something or someone forces the guard open during operation, the guarded operation should stop. In some cases, a guard-locking device may be fitted to prevent opening of the guard during machine operation.

It should be noted that although machines can operate when the guards are closed, the closure of a guard shouldn’t trigger the beginning of a hazardous operation. Instead, such operations should require a separate start command. One exception is something called a control guard — a special type of interlocking guard with a start function capable of starting a hazardous operation when the guard is closed, without a separate start command.
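The trapped-key sequence described earlier and the rule that closing a guard must not itself start a hazardous operation, as an added model that is not part of the original article: a small state machine for a cell with two guards, each with a lock whose key is captive until the guard is locked, and a power unit that holds the keys captive while the machine is enabled. The guard names, the operation names and the one-key-per-guard arrangement are constructed assumptions; real trapped-key systems are mechanical, and this code only makes their sequencing rules explicit and checkable.

```python
"""Constructed state-machine model of a trapped-key interlocked machine.

Rules modelled (from the article's description):
  * a guard's key is captive in the guard lock until the guard is locked shut;
  * the machine can be enabled only when every key is in the power unit;
  * keys are captive in the power unit while the machine is enabled;
  * closing or locking a guard never starts the machine; start() is separate.
Guard names and operation names are assumptions for illustration.
"""


class InterlockError(Exception):
    """An action the mechanism physically refuses."""


class TrappedKeyCell:
    def __init__(self, guards):
        self.closed = {g: False for g in guards}
        self.locked = {g: False for g in guards}
        # Where each guard's key is: "guard" (in its lock), "hand", "power_unit".
        self.key_at = {g: "guard" for g in guards}
        self.enabled = False

    # --- guard side ---------------------------------------------------------
    def close_guard(self, g):
        self.closed[g] = True            # closing alone never enables anything

    def open_guard(self, g):
        if self.locked[g]:
            raise InterlockError(f"{g} is locked")
        self.closed[g] = False

    def lock_guard(self, g):
        if not self.closed[g]:
            raise InterlockError(f"{g} must be closed before it can be locked")
        if self.key_at[g] != "guard":
            raise InterlockError(f"{g} cannot be locked without its key")
        self.locked[g] = True

    def unlock_guard(self, g):
        if self.key_at[g] != "guard":
            raise InterlockError(f"key for {g} is not in its lock")
        self.locked[g] = False

    def take_key(self, g):
        if not self.locked[g]:
            raise InterlockError(f"key for {g} is captive until {g} is locked")
        self.key_at[g] = "hand"

    def return_key_to_guard(self, g):
        if self.key_at[g] != "hand":
            raise InterlockError(f"key for {g} is not in hand")
        self.key_at[g] = "guard"

    # --- power unit side ----------------------------------------------------
    def insert_key(self, g):
        if self.key_at[g] != "hand":
            raise InterlockError(f"key for {g} is not in hand")
        self.key_at[g] = "power_unit"

    def remove_key(self, g):
        if self.enabled:
            raise InterlockError("keys are captive while the machine is enabled")
        if self.key_at[g] != "power_unit":
            raise InterlockError(f"key for {g} is not in the power unit")
        self.key_at[g] = "hand"

    def start(self):
        """Separate start command: only valid once every key is present."""
        missing = [g for g, where in self.key_at.items() if where != "power_unit"]
        if missing:
            raise InterlockError(f"cannot start, keys missing for {missing}")
        self.enabled = True

    def stop(self):
        self.enabled = False

    def is_safe(self):
        """Invariant: enabled implies every guard is locked shut."""
        return (not self.enabled) or all(self.locked.values())


def _hand_in_key(cell, g):
    """Normal operator sequence for one guard: close, lock, take key, insert."""
    cell.close_guard(g)
    cell.lock_guard(g)
    cell.take_key(g)
    cell.insert_key(g)


def _refuses(action):
    try:
        action()
    except InterlockError:
        return True
    return False


def full_cycle():
    """Normal operation; returns (enabled, invariant) observed at each step."""
    cell = TrappedKeyCell(["gate1", "gate2"])
    checks = []
    for g in ("gate1", "gate2"):
        _hand_in_key(cell, g)
        checks.append((cell.enabled, cell.is_safe()))   # still not running
    cell.start()
    checks.append((cell.enabled, cell.is_safe()))
    cell.stop()
    for g in ("gate1", "gate2"):
        cell.remove_key(g)
        cell.return_key_to_guard(g)
        cell.unlock_guard(g)
        cell.open_guard(g)
    return checks, cell.is_safe()


def refused_actions():
    """Shortcuts the mechanism refuses; every entry should be True."""
    cell = TrappedKeyCell(["gate1", "gate2"])
    refused = {}
    cell.close_guard("gate1")
    refused["key_before_lock"] = _refuses(lambda: cell.take_key("gate1"))
    cell.lock_guard("gate1")
    cell.take_key("gate1")
    cell.insert_key("gate1")
    refused["start_with_key_missing"] = _refuses(cell.start)
    _hand_in_key(cell, "gate2")
    cell.start()
    refused["key_out_while_enabled"] = _refuses(lambda: cell.remove_key("gate1"))
    refused["open_guard_while_enabled"] = _refuses(lambda: cell.open_guard("gate2"))
    return refused, cell.is_safe()
```

Note that `close_guard` and `lock_guard` change only the guard's state; the machine becomes enabled solely through `start()`, which is the separate start command the text requires.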

Also covered in ISO 14119 is the concept of defeating a safety system: any action that bypasses a machine’s interlocks. For example, an operator may accidentally or deliberately rest a heavy object on a position switch while the guard is open, which grants access to a workspace that is dangerous while the machine is in operation. A properly designed safety system makes it impossible to defeat interlocks in any reasonably foreseeable manner, whether by hand or with objects readily available nearby. This includes removing switches or actuators with tools that are used to operate the machine or are otherwise readily available, such as screwdrivers, hex keys, adhesive tape or wire. It also means that spare keys for trapped-key systems must not be accessible.

ISO 14119 puts interlocking devices into four categories:

  • Type 1 interlocking devices have mechanically actuated position switches with uncoded actuators such as a rotary cam, linear cam, or hinge. These are relatively easy to defeat by resting an object on the switch or holding it in position in some other way.
  • Type 2 interlocking devices have mechanically actuated position switches with coded actuators such as a shaped actuator (tongue) or trapped-key. These are considerably more difficult to defeat.
  • Type 3 interlocking devices have non-contact position switches with uncoded actuators such as proximity switches. How hard a Type 3 interlock is to defeat depends on the sensing principle. Capacitive, ultrasonic and optical sensors can be defeated by a wide range of objects. Inductive sensors may be defeated by any ferrous metal object. Magnetic sensors require a magnet to defeat them.
  • Type 4 interlocking devices have non-contact position switches with coded actuators, such as RFID tags, coded magnets or coded optical tags. These are extremely difficult to defeat if properly constructed so that the coded actuator cannot be removed.

When designing a safety circuit, interlocking devices should be selected to minimize the possibility of a defeat. Consideration should also be given to:

  • The overall system stopping performance, which is the amount of time required for the machine to become safe after a stop command is issued.
  • The access time, which is the time it takes a person to reach the hazard after the stop command has been initiated.

The overall system stopping performance must be comfortably shorter than the access time: the protective device must be positioned far enough from the hazard that the hazardous motion has stopped before a person reaching past the device can arrive at it. There should also be consideration of whether guards require an emergency release, to allow manual opening from outside, or an escape release, to allow manual opening from inside.
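The relation between stopping performance and access time, as an added worked calculation that is not part of the original article: ISO 13855 (which the article does not cite) expresses the access time as a distance, S = K × T + C, where T is the overall system stopping performance (the protective device's response time t1 plus the machine's stopping time t2), K is an assumed approach speed and C is an intrusion allowance that depends on the device. The functions below implement the ISO 13855 cases for a vertical light curtain approached perpendicularly and for a laser scanner with a horizontal detection plane; the numeric inputs (resolution, response times, plane height) are constructed for illustration, not measured values.

```python
"""Minimum safety distance S = K * T + C per ISO 13855, for two device types.

Added worked example; the article does not give these formulas. Inputs in the
demo are constructed, not measured. T = t1 (device response) + t2 (machine
stopping time, worst case from a stop-time measurement).
"""


def light_curtain_distance(d_mm: float, t1_s: float, t2_s: float) -> float:
    """Vertical light curtain, approach perpendicular to the detection plane.

    d_mm is the curtain's detection capability (resolution). For d <= 40 mm
    ISO 13855 uses K = 2000 mm/s and C = 8(d - 14); if that gives S > 500 mm
    the calculation may be repeated with K = 1600 mm/s, but S may not then
    drop below 500 mm. For 40 < d <= 70 mm, K = 1600 mm/s and C = 850 mm.
    S is never less than 100 mm.
    """
    t = t1_s + t2_s
    if d_mm <= 40:
        c = max(8 * (d_mm - 14), 0)
        s = 2000 * t + c
        if s > 500:
            s = max(1600 * t + c, 500)
    elif d_mm <= 70:
        s = 1600 * t + 850
    else:
        raise ValueError("resolution above 70 mm: use the single-beam rules instead")
    return max(s, 100)


def laser_scanner_distance(h_mm: float, t1_s: float, t2_s: float,
                           d_mm: float = 70) -> float:
    """Laser scanner with a horizontal detection plane at height h_mm.

    K = 1600 mm/s and C = 1200 - 0.4 H, but not less than 850 mm. The plane
    must be no higher than 1000 mm and at least 15(d - 50) mm for resolution d,
    so that the chosen resolution still reliably detects a person.
    """
    if not 0 <= h_mm <= 1000:
        raise ValueError("detection plane must be between 0 and 1000 mm")
    if h_mm < 15 * (d_mm - 50):
        raise ValueError("detection plane too low for this resolution")
    c = max(1200 - 0.4 * h_mm, 850)
    return 1600 * (t1_s + t2_s) + c


def access_time_s(s_mm: float, k_mm_per_s: float) -> float:
    """The article's 'access time' implied by a distance and an approach speed."""
    return s_mm / k_mm_per_s


def placement_ok(installed_mm: float, required_mm: float) -> bool:
    """The installed distance must be at least the calculated minimum."""
    return installed_mm >= required_mm


if __name__ == "__main__":
    # Constructed inputs: 14 mm curtain, 15 ms response, machine stops in 120 ms.
    s_lc = light_curtain_distance(14, 0.015, 0.120)
    # Constructed inputs: scanner plane at 300 mm, 62 ms response, same machine.
    s_ls = laser_scanner_distance(300, 0.062, 0.120)
    print(f"light curtain: S = {s_lc:.0f} mm, access time {access_time_s(s_lc, 2000):.3f} s")
    print(f"laser scanner: S = {s_ls:.0f} mm, placement at 1500 mm ok: {placement_ok(1500, s_ls)}")
```

For the same machine the scanner needs a much larger distance than the curtain, partly because of its longer response time and partly because its horizontal plane needs a larger intrusion allowance C; the minimum-height check is the edge case practitioners most often get wrong when a plane is mounted low to catch crawling access.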

ISO 13849, which ISO 14119 references, is in two parts: Part 1 covers the general principles for designing the safety-related parts of a control system (SRP/CS), and Part 2 covers their validation. According to this standard, the SRP/CS is classified according to its:

  • Resistance to faults
  • Behavior if a fault does occur

All design work on a machine incorporating safety should start with a risk assessment according to ISO 12100 to identify hazards and estimate risks. The risk-reduction process then involves first applying inherently safe design, then safeguards, and finally information for use. Any protective measure that depends on the control system must then be evaluated using an iterative process. For each safety function the risk assessment yields a required performance level (PLr); the designer then estimates the performance level (PL) the SRP/CS actually achieves from its architecture (category), the mean time to dangerous failure (MTTFD) of its components, its diagnostic coverage (DC) and its measures against common-cause failure, and must show that the achieved PL is at least PLr. Performance levels run from a through e, each corresponding to a band of average probability of dangerous failure per hour, with PLa having the highest probability of a dangerous failure and PLe the lowest. The ways in which the safety function can fail, including the defeat and fault considerations set out above for ISO 14119, feed into this evaluation.
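The reliability step of that evaluation, as an added worked calculation that is not part of the original article: ISO 13849-1 (Annex C) estimates the mean time to dangerous failure of an electromechanical component from its B10D value (the number of cycles at which 10 % of a sample has failed dangerously) and its number of operations per year, and (Annex D) combines the components of a channel with the parts-count method 1/MTTFD = Σ 1/MTTFD_i. The functions below implement those formulas together with the MTTFD bands and the PL probability bands from ISO 13849-1; the B10D figure, duty cycle and switch counts are constructed to show why the earlier caveat about frequently operated guards and long series chains lowers the achievable performance level.

```python
"""ISO 13849-1 reliability arithmetic for a series chain of guard switches.

Added worked example; the B10D value, duty cycle and switch counts are
constructed for illustration. Formulas (ISO 13849-1 Annexes C and D):
  n_op   = d_op * h_op * 3600 / t_cycle          operations per year
  MTTFD  = B10D / (0.1 * n_op)                    years, per component
  1/MTTFD_channel = sum(1/MTTFD_i)                parts-count method
Channel MTTFD is capped at 100 years (2500 years for category 4 only).
"""


def operations_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """d_op = operating days/year, h_op = hours/day, t_cycle_s = seconds per operation."""
    return d_op * h_op * 3600 / t_cycle_s


def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """Mean time to dangerous failure (years) of one electromechanical component."""
    return b10d / (0.1 * n_op)


def channel_mttfd(component_mttfds: list, category4: bool = False) -> float:
    """Parts-count combination of a channel's components, then the standard's cap."""
    total = 1 / sum(1 / m for m in component_mttfds)
    return min(total, 2500 if category4 else 100)


def mttfd_band(mttfd_years: float) -> str:
    """ISO 13849-1 MTTFD bands; below 3 years is not acceptable at all."""
    if mttfd_years < 3:
        return "unacceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def pl_from_pfhd(pfhd_per_hour: float) -> str:
    """Performance level from the average probability of dangerous failure per hour."""
    bands = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
             ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]
    for pl, low, high in bands:
        if low <= pfhd_per_hour < high:
            return pl
    raise ValueError("PFHd outside the PL a..e range")


def series_chain_report(b10d: float, t_cycle_s: float, n_switches: int,
                        d_op: float = 220, h_op: float = 16) -> dict:
    """MTTFD of a channel made of n identical switches, each operated every t_cycle_s."""
    n_op = operations_per_year(d_op, h_op, t_cycle_s)
    per_switch = mttfd_from_b10d(b10d, n_op)
    chain = channel_mttfd([per_switch] * n_switches)
    return {"n_op": n_op, "per_switch_years": per_switch,
            "chain_years": chain, "band": mttfd_band(chain)}


if __name__ == "__main__":
    # Constructed: B10D = 2,000,000 cycles, gate opened every 30 s, 220 d x 16 h.
    for n in (1, 4, 5):
        r = series_chain_report(2_000_000, 30, n)
        print(f"{n} switch(es): per switch {r['per_switch_years']:.1f} y, "
              f"chain {r['chain_years']:.1f} y -> MTTFD {r['band']}")
```

With the constructed duty cycle a single switch sits in the "high" band, four in series fall to "medium", and five fall to "low"; the same chain operated once an hour instead would be capped at 100 years regardless of length, which is why operation frequency matters as much as switch count.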

Variations on safety-circuits — and some example arrangements

For large enclosures such as gated robotic cells, safety arrangements are a little different. This is because guards are often closed with the operator inside the active workspace. So, in many instances, trapped-key systems are used to ensure that operators are outside the workspace upon the closing of gates; and only then can the robot begin its full-speed operation.

Of course, traditional robots can typically be operated in a low-speed teach mode with the operator in the cell, but when operating at full speed (unlike collaborative robots) they must not come into close proximity to humans. Even in teach mode, unless the robot is fitted with a force-feedback system, there is still a danger of the operator being crushed. The handheld teach pendant is therefore normally fitted with an enabling device (commonly called a dead man’s switch), usually a three-position switch: the robot may move only while the switch is held in its middle position, and it stops if the switch is released or, in a panic reaction, squeezed fully. Either way, an operator who becomes incapacitated stops the robot.

Figure 2: Safety circuits associated with robotics are particularly distinctive, especially for robots that employ teach pendants (as shown here) and for collaborative robots.

Another automation situation requiring specialized safety is personnel-tended conveyor systems. Here, it may be necessary for personnel to work alongside conveyors operating at speed. This carries a significant risk of entrapment resulting in serious injury, and so should be avoided wherever possible. But where such workspaces are essential to an operation’s productivity, as in Amazon Fulfillment Centers, for example, distributed stop switches in the form of pull-cords and stop strips must be installed. These give personnel a reliable means to stop the conveyor along its entire length. Such stops should be arranged so that an operator can easily grab or press them without having to hunt for them during an emergency.

The safety devices should also be positioned so that an injured or unconscious person falling or being pulled into the conveyor automatically triggers a stop. Multiple stop devices and redundant circuits may be required, and where conveyors are accessible from both sides, such safety devices must be present on both sides as well.

Common safety-circuit components

Mechanical switches include position switches, used to detect gate and guarding positions, and manually activated stop switches such as e-stop palm buttons and pull-cords. Non-contact switches, such as optical and inductive sensors, may also be used in a similar way. These types of interlock components tend to be used with physical guards and gates, and they are well covered by the standards discussed above. Other types of safety components that may be used within safety circuits include light curtains, laser scanners, and safety mats.

Safety mats use pressure sensors embedded in a rubber platform to provide a simple way of detecting when a person steps into a guarded area. These have, in recent years, been largely replaced by optical systems such as light curtains and laser scanners.

Light curtains can remove the need for physical guarding by creating a virtual guard to stop a machine axis if any of the curtain’s beams are broken. The light curtain consists of two parts — a transmitter and a receiver. The transmitter projects an array of parallel light beams. The receiver detects these beams and if any of them is broken, it triggers a machine stop. Benefits of light curtains include clear visibility of the working area as well as unrestricted access and rapid movement in and out of the protected area.

Laser scanners function much like light curtains, but instead of a separate transmitter and receiver defining a single plane, a scanner sweeps a beam across an area from a single unit and can therefore monitor an opening or an entire zone of floor. In other words, light curtains provide perimeter guarding whereas laser scanners protect larger portals and areas around conveyor and robotic cells. As with all protective devices, the use of a laser scanner requires calculation of the minimum safety distance. This value depends on the overall system stopping performance and on the approach speed that defines the access time. Note that a scanner’s own response time is considerably longer than a light curtain’s because of the additional processing involved, which lengthens the overall system stopping performance and therefore the required distance.

Figure 3: SX Series safety laser scanners from Banner Engineering can safeguard access points and areas in industrial applications. The device continuously scans 275° to protect personnel and machinery with warnings and safety zones customizable with free configuration software. Muting functions are also configurable in this software that, along with muting sensors networked to the SX Series scanner, eliminate the need for an additional module or controller. (Image source: Banner Engineering)

The electronic safety circuits and safety components of today afford plant and OEM design engineers flexible options for protecting personnel and equipment. Software and other supplier resources help simplify the specification of safety systems for traditional interlock arrangements, workspaces protected by trapped-key designs, and even flexible areas that require plant personnel or machine operators to work in close proximity to conveyors, robotics, and other moving equipment associated with industrial automation.

Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.

About this author

Lisa Eitel

Lisa Eitel has worked in the motion industry since 2001. Her areas of focus include motors, drives, motion control, power transmission, linear motion, and sensing and feedback technologies. She has a B.S. in Mechanical Engineering and is an inductee of Tau Beta Pi engineering honor society; a member of the Society of Women Engineers; and a judge for the FIRST Robotics Buckeye Regionals. Besides her contributions, Lisa also leads the production of the quarterly motion issues of Design World.

About this publisher

Digi-Key's North American Editors