1. WELCOME TO SAFETY RELAYS 101 BASIC OPERATION AND FUNCTIONS

2. WPA SAFETY POSTERS FROM THE 1930’S

3. SAFETY LIFE CYCLE OF MACHINERY

4. Standards – EN, ISO and IEC 4 Type A applicable to all machinery –EN ISO 12100 Safety of machinery. Basic principles – Risk assessment and risk reduction Type B applicable to different aspects of machinery –EN ISO 13849-1 - Safety related parts of control systems –EN ISO 13850 - Emergency stop function –EN / IEC 62061 - Functional safety of electrical control systems –EN / IEC 60204-1 - Safety of machinery. Electrical Equipment –EN 574 / ISO 13851 – Two hand controls Type C applicable to specific types of machines –EN ISO 2860 - Earth Moving Machinery –EN ISO 8230 - Safety requirements for dry-cleaning machines

5. Universe Model of U.S. Machinery Standards OSHA Act A Level C Level B11.2 B65.1 HS-1738 B11.19 B11.20 R15.06 Electrical 1910.212 General 1910.213 Woodworking 1910.217 1910.214 Cooperage 1910.218 Forging B Level Safeguarding SAE Automotive Mechanical Presses Robots Hydraulic Presses Mfg Cells Printing B11.1 Z244.1 1910.147 NFPA79 B155.1 Packaging Machines B11.TR3 Risk Assessment 12100 Lockout/Tagout

6. Universe Model of EN Machinery Standards Machinery Directive “A” “C” EN1760 EN13814 EN415 EN574 Two Hand Control EN1088 Interlocks EN746 Thermo processing “B” Mats/Edges Packaging Amusement Rides EN1037 Start-Up EN954 Machine Safety EN999 Speed EN 60204 Electrical Safety EN418 E-Stop EN292 Principles of Safety EN1050 Risk Assessment EN1010 Printing Machinery

7. Universe Model of ISO Machinery Standards Machinery Directive “A” “C” ISO 10418 ISO 11161 ISO 12048 ISO 13851 Two Hand Control ISO 14119 Interlocks EN746 Thermo processing “B” Safeguarding Packaging Mfg. Cells ISO 14118 Start-Up ISO 13849 Machine Safety ISO 13857 Speed IEC 60204 Electrical Safety ISO 13850 E-Stop ISO 12100 Principles of Safety ISO 11111 Textile Machinery

8. Risk Assessment 8 1.Determine Machine Limits 2.Hazard Identification (all phases in the machine life cycle) 3.Elements of Risk Severity of harm Probability of occurrence (of that harm) RISK ASSESSMENT Machine Characteristics / Limits Hazard Identification Risk Estimation Risk Reduction Adequate Risk Reduction Risk Evaluation Too High OK

9. Risk Reduction Design it out Fixed enclosing guard Monitoring Access / Interlocked Gates Awareness Means, Training and Procedures (Administrative) Personal protective equipment Most Preferred Least Preferred Hierarchy of Protective Measures

10. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 10 S = Severity F = Frequency P = Probability Estimation of the Required Performance Level (PLr) Category B 1 2 3 4 PL Performance Level EN ISO 13849-1:2006

11. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 11 Then we choose the most suitable combination of Structure (Category), Reliability (MTTFd) and Diagnostics (DC) To achieve that Performance Level (PL) EN ISO 13849-1 Safety of machinery — Safety related parts of control systems

12. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 12 How do we meet these requirements? What else is required? We need to Satisfy the requirements for : Safety Function Specifications Structure and behaviour of the safety function under fault conditions (Designated Architecture Category) Reliability (MTTFd) Diagnostic coverage (DC) (see Annex E); Common cause failure (CCF) (see Annex F) Systematic failure and Environmental influences Safety-related Software EN ISO 13849-1:2006

13. Category – NFPA 79 2002/EN 60204-1 Categories Classify the Stopping Action of a Machine Stop Types –Category 0 Immediate Removal Of Power To Actuators (Motor). –Category 1 Controlled Stop, Then Removal Of Power To Actuators –Category 2 Controlled Stop, Maintain Power To Actuators Each Machine Must Have A Category 0 Stop. An Emergency Stop Must Be A Category 0 Or 1 Stop. The E-stop must be a Red Mushroom head, direct acting, latching, with a yellow background. –For A Cat 0 Or Cat 1 E-stop, The Final Removal Of Power Must Be By Electromechanical Components. –Drives Do Not Qualify As Electromechanical. –NFPA79 2002 Allows Electronic Safety Features in E-Stop String. Final Power Removal Still Requires Electromechanical Components Resetting Of Any Stop Should Not Start Machine.

14. Auto/Manual & Monitored Manual Reset RP =MONITORED RESET TP=AUTO/MANUAL RESET

15. Used For Benchmarking And Describing Safety Related Parts Of A Control System Cat. B –When A Fault Occurs It Can Lead To Loss Of Safety Function Cat. 1 –Cat. B Plus Use Of Well Tried Safety Components And Principles Cat. 2 –Single Channel, Loss Of Safety Function Is Detected By A Check At Start- up Cat. 3 –Dual Channel, Checking, & Monitoring. Fault exclusion allowed. –When A Single Fault Occurs The Safety Function Is Always Performed Cat. 4 –Dual Channel, Checking, Monitoring & Accumulation Of Faults –Fault Is Detected Before Loss Of Safety Function Or An Accumulation Of Faults Does Not Cause Loss Of Safety Function. No fault exclusion allowed. EN954 NOW REPLACED BY ISO13849-1

16. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 16 The structure and behaviour of the safety function under fault conditions Designated Architecture Category B Requirements Basic Safety principles Withstand expected influences Behaviour under fault conditions A fault can cause a loss of the safety function. Typical implementation Machine Control Contactor Motor Sensor Designed to product standards e.g. IEC 60947-5-2 (not specific safety standards) Designed for environment and electrical safety aspects e.g. IEC 60204-1 EN ISO 13849-1 Safety of machinery — Safety related parts of control systems Categories - same as they always were (well almost!) Categories

17. CATEGORY B SYSTEM EXAMPLE

18. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 18 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 1 Requirements Category B Well tried components Well tried safety principles Behaviour under fault conditions A fault can cause a loss of the safety function. Typical implementation Machine Control Contactor Motor Guard interlock switch EN ISO 13849-1 Safety of machinery — Safety related parts of control systems Categories

19. CATEGORY 1 SYSTEM EXAMPLE

20. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 20 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 2 Requirements Category B Well tried safety principles Functional check at start up and periodically (on/off check) Behaviour under fault conditions A fault occurring between the checks can cause a loss of the safety function. Typical implementation Machine Control Contactor Motor Guard interlock switch Safety monitoring relay with start up check Now requires a test to demand ratio of >100:1 EN ISO 13849-1 Safety of machinery — Safety related parts of control systems Categories

21. CATEGORY 2 SYSTEM EXAMPLE

22. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 22 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 3 Requirements Category B Well tried safety principles Single fault does not cause a loss of safety function Where practicable that fault should be detected Behaviour under fault conditions Accumulation of undetected faults can cause a loss of the safety function. Typical implementation Machine Control Contactors with mechanically linked contacts Motor Safety monitoring relay Contactor monitoring Guard interlock switches EN ISO 13849-1:2006

23. CATEGORY 3 SYSTEM EXAMPLE

24. Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 24 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 4 Requirements Category B Well tried safety principles An accumulation of faults does not cause a loss of safety function Behaviour under fault conditions Faults will be detected in time to prevent a loss of safety function Typical implementation Machine Control Contactors with mechanically linked contacts Motor Safety monitoring relays Contactor monitoring Guard interlock switches Fault Exclusion – under the microscope! EN ISO 13849-1 Safety of machinery — Safety related parts of control systems Categories

25. CATEGORY 4 SYSTEM EXAMPLE

26. Integrated safety solutions

27. Question: Do I have to use Safety products to be safe? The answer is NO But it’s costly, especially engineering effort (design, development, testing, maintenance) Chn A Chn B Safety Application Requirements

28. Chn A Chn B Safety PLCs and Components simplify the safety process Safety PLCs and Components

29. D D D 29 What Makes a Product Safe? Duality (Also known as Redundancy) –If one thing fails, there is another thing that can bring the system to a safe state –In parallel for Inputs or in series for Outputs Diversity –Protects against two things failing in exactly the same way at the same time Diagnostics –Safety products spend much of their time performing self-diagnostics –If a problem is detected, the system will go to its “safe state” and will not allow the system to be restarted until the problem is fixed

30. Chn A Chn B Diversity Duality Diagnostics Can you find the three D’s of Safety in this standard example? Three D’s of Safety

31. 31 What Makes a Safety Relay Safe? DiversityDuality Diagnostics

32. 32 Safety PLC Output Module Input Module How many D’s can you find ?? Duality Diagnostics Duality & Diagnostics What Makes a Safety PLC Safe?

33. 33 What Makes Components Safe? Direct Driven Contacts –Actuating force drives contacts open (breaks welds). –Does not rely on a spring to open contacts such as a Limit switch. Mechanically Linked/Positively Guided –Linked means that if one contact welds, all contacts stay closed – for monitoring ! Redundant Contacts –A single failure can be tolerated Failure Mode Orientation –Device fails to the safe state Over-dimensioning/Over-design, factor of 2 times –If current is 4A; use a device rated to 8A Symbol Found on Front of Contactor Welded contact isforcedopen when actuator is removed Symbol Found on Switch

34. SAFETY CHALK TALK #1 MSR100 FAMILY STAND ALONE DEDICATED RELAY SYSTEM

35. Approvals cULus BG CE Inputs 1 NC 2 NC Light Curtain Input Resistance 110 ohms Reset Automatic/Manual or Monitored Manual Terminals Removable S. S. Outputs None Aux Outputs 1 NC Housing 22.5mm Safety Outputs 3 NO, 5A Supply 24/115/230V MSR127RTP SAFETY RELAY

36. Approvals CE Inputs 1 NC 2 NC Light Curtains Input Resistance 135 ohms Reset Automatic/Manual or Monitored Manual Terminals Removable S. S. Outputs 1 PNP Input Closed 1 PNP Outputs Active Delayed Outputs 2 NO Delay Time 3 Ranges 0.15-30s Housing 45mm Safety Outputs 2 NO, 6A Supply 24/115/230V MSR138DP SAFETY RELAY W/TIMED OUTPUTS

37. Approvals CE, cULus, TUV Inputs 1 NC or 2NC Delay 0 to 300s Reset Automatic Terminals Removable or Fixed S. S. Outputs None Aux Outputs 2 NC Housing 22.5mm Safety Outputs 4 NO, 6A Supply 24V MSR132EDP SAFETY EXPANSION RELAY

38. SWS Next Generation Safety Relays Concept & Innovations Scalable platform to address single- and multi-zone applications for a variety of standard and special functional requirements Single-Wire Safety Connection (Single Chanel Safety Input) TÜV approved concept of one-wire connection to expand and cascade safety functions to SIL3 Simplifies wiring Increases number of I/O on terminal Maintains PLe, SIL3 rating Universal Input A single catalog number to support all types of safety components e-stops switches mats light curtains 6 part numbers will cover a majority of safety applications with consistent wiring. Single Rotary Switch TÜV approved concept to eliminate double switches. Unique validation method. Expedite configuration Single device can address a broader range of reset modes, time delays, etc. Dual Input Dual Channel Modules Twice the functionality of a single input dual channel relay in a 22.5mm housing. Reduced wiring for commissioning and multiple inputs can have logic configured simply in a single relay.

39. Universal Inputs Universal Input All sensor types go to same terminals Automatic cross-loop monitoring – no configuration by switch setting or hardwired-jumper required Supports both single-channel and two dual-channel safety inputs Two dual-channel inputs on DI models configured by logic switch All Faults including Cross- Loop are detected by test outputs S11 and S21 S12 S22 S32 S42 A1 A2 S11 S21 IN1IN2 Safety Inputs PWR Test Out S11 (CH1) S21 (CH2) Cross fault Laser Scanners Safety Mats Contact Interlocks Grip Switches Hinge Switches Cable Pull Switches Non Contact Interlocks E-Stops Light Curtains CH1 CH2

40. Single wire safety connection L12 L11 Y32 S34 LogicFeedback/ Reset IN OUT L11 – dynamic test pattern & ≥ & ≥ +4 Logic/ ZoningExpansion A single wire safety connection is used to expand and cascade multiple relays while maintaining a PLe / SIL3 rating A dynamic signal with specific test patterns is transmitted through a single wire which is the only signal the input will recognize. (Any other signal will be a fault) – Terminal L11 – sends the Logic signal (output) – Terminal L12 – receives the Logic signal (input) Single Wire Safety input (L12) can be configured with safety inputs of device using AND/OR logic – Safety functions can be cascaded through multiple zones – Expansion modules are easily added to a base relay while leaving all safety outputs of base module available for use

41. Guardmaster 440C-CR30 Software Configurable Safety Relay Safety made Simple & Flexible Supports four to ten safety input circuits and up to five safety output zones Flexible configuration allows you to re-engineer and rapidly integrate application without having to incur high costs of rewiring Innovative safety logic editor reduces the effort involved in setting up a safety system by minimizing manual input for a “best-in-class” configuration experience Optimize Panel Space 22 Safety I/O in a compact 110mm wide housing Expand by up to 16 standard I/O using front mounted plug-in slots that allow you to maintain the 110mm horizontal footprint Part of the Connected Components Workbench™ Bundle Preferred compatibility within the bundle Reduced supply chain costs One software package supports Guardmaster 440C-CR30, Micro800 controllers, PowerFlex ® drives, Kinetix™ 3 servo drives and PanelView™ Component terminals Safety & Productivity Embedded serial port for direct diagnostic communications to PanelView Component terminals or Micro800™ controllers 16 user-configured status LEDs allow you to tailor indication to best suit your application

42. Guardmaster 440C-CR30 Anatomy Block-style Safety Relay – 22 points Configurable LED Indicators RS232 Serial Port (non-isolated) USB Programming Port Verification ID Display Switch Two Plug-in Slots DIN Rail or Panel Mount 2 Single-Wire Safety or Safety N.C. Inputs 2 Single-Wire Safety or Safety Outputs 10 Dedicated N.C. Safety Inputs 6 Configurable Safety Terminals (N.C. Inputs, N.O. Inputs, Test Sources, or Outputs) 2 Safety Outputs

43. Guardmaster 440C-CR30 Key Features Keeps safety simple, separate and flexible Easy to Use: –Innovative rapid configuration editor 2080 Plug-in support: –Expansion of standard I/O Single Wire Safety support: –A single wire to expand safety I/O Serial Port for Diagnostics –PanelView Component or Micro800

44. Guardmaster 440C-CR30 Ease of Use 44 Assigned safety function via Drag ’n’ Drop Ease of configuration – No previous programming skills required DONE! Configure Safety Function Validate and Verify Configure Device Logic configured with Simple Drag and Drop Function Block Editor Checklist to walk through validation and verification process Configured in CCW

45. Guardmaster 440C-CR30 Function Blocks Auto Configuration of I/O based on Function block assignment –Rapid configuration with pre-configured function blocks 1. 2.

46. Guardmaster 440C-CR30 Function Blocks (cont’d) Diagnostic tool tips for application troubleshooting Online Monitoring Color-coded online monitoring helps troubleshoot code Diagnostic tooltips provide natural language fault descriptions

47. Single Wire Safety Support The 440C-CR30 Supports Single Wire Safety for easy integration/expansion with GSR relays: Add Safety Relay Outputs Add multiple dry contact outputs by utilizing GSR EM (Expansion module) while only consuming a single safety output configured for Single-Wire Safety Connect Upstream GSR Relays Expand inputs and functionality using GSR relays by connection through Single-Wire Safety

48. 2080 Plug-in Support Expansion I/O with no impact to panel footprint 2080-IQ4OB4 plug-in for expansion I/O: Reset Feedback Monitoring Mute Sensors Standard Input Expansion Use standard inputs for standard signals such as circuit resets, feedback monitoring or mute sensors Standard Diagnostics Land auxiliary contacts of series wired safety devices and share with PanelView Component terminals Use standard outputs to drive indicator LEDs or send gate unlock commands

49. Direct Serial Connection to PanelView Component or Micro800 Share diagnostics with HMI or controller: CR30 Direct PanelView Component Connectivity Embedded Serial Port on CR30 can be directly connected to a PanelView Component terminal Direct Micro800 Controller Connectivity Embedded Serial Port on CR30 can be directly connected to a Micro800 controller

50. Additional Resources 50 Category File names/hyperlink Documentatio n Guardmaster 440C-CR30 Safety Relay Product Profile http://literature.rockwellautomation.com/idc/groups/literature/documents/ pp/440c-pp001_-en-p.pdf Guardmaster 440C-CR30 Safety Relay User Manual http://literature.rockwellautomation.com/idc/groups/literature/documents/ um/440c-um001_-en-e.pdf Guardmaster 440C-CR30 Safety Relay Product Catalog http://www.ab.com/en/epub/catalogs/3377539/5866177/5985760/44442 81/12620950/12620952/Introduction.html Guardmaster 440C-CR30 Safety Relay Web Page Guardmaster 440C-CR30 Safety Relay Virtual Brochure Videos (YouTube) Guardmaster 440C-CR30 Safety Relay Videos Software Connected Components Workbench Web page http://ab.rockwellautomation.com/Programmable- Controllers/Connected-Components-Workbench-Software Connected Components Workbench R6.0 https://download.rockwellautomation.com/esd/ocx.aspx?sdrsid=S12387 https://download.rockwellautomation.com/esd/ocx.aspx?sdrsid=S12388 CCW R6.00 Release notes http://literature.rockwellautomation.com/idc/groups/literature/documents/ rn/cc-rn001_-en-p.pdf

51. TUV Technician Training Now Available from Rockwell Automation Who Should Attend Machine technicians, application engineers, safety specialists and those repairing and maintain safety aspects of machinery should attend this course. Length This is a three day course. Exam The exam consists of an examination with 25-30 multiple choice questions. Student Manual may be used during the exam. Eligibility Requirements FS Technician (TÜV Rheinland) – The following requirements have to be met in order to receive the FS Technician (TÜV Rheinland) certificate: – Minimum of 1 to 2 years of experience working on industrial machinery. – Experience in machinery maintenance and operation, certified by employer. – Attend three day course – Successfully pass the exam with 70% or better. Certification Exam participants will receive individual notification of results and the FS Technician Machinery (TÜV Rheinland) certificate (if exam has been passed and eligibility requirements are fulfilled) from TÜV Rheinland. Course Number The course number is SAF-TUV3. 51 A New and unique safety training and certification program available only from Rockwell Automation, from July 2013