12.07.2015 Views

Safety Guide.pdf - Datasensor


Index

The meaning of safety in industrial environments

Safety Directives and Standards
- The European Community Directives. Machinery Directive, Social Directive, Low Voltage Directive, Electromagnetic Compatibility Directive
- The European Standards
- Vademecum for manufacturers and machine buyers
- Regulations and North American Standards

Safety optoelectronic protective devices
- Safety solutions and optoelectronic protective devices
- Guide to selecting an optoelectronic protective device
- Use examples of optoelectronic protective devices
- Optional functions

DATASENSOR optoelectronic safety devices
- Type 2 operating protection point
- Type 4 operating protection point
- Type 2 access protection and presence control
- Type 4 access protection
- Accessories
- Selection guide

How to safeguard a machine
- Type 2 operating protection point applications
- Type 4 operating protection point applications
- Type 2 access protection and presence control applications
- Type 4 access protection applications

Appendix: ISO EN 13849-1 / EN IEC 62061

Glossary

Bibliography


The meaning of safety in industrial environments

The safeguarding of a machine or a plant is not an easy operation and requires detailed reasoning and analysis.

PRODUCTIVITY AND SAFETY ARE OFTEN IN CONFLICT

A machine without risks does not exist, and so the machine manufacturer has to consider the different factors that affect the degree of risk present in the phases of the production process, as well as the obvious needs of production efficiency and cost reduction.

Safety and productivity are often in conflict. To solve this conflict whilst fully respecting the safety conditions, it is necessary to think in terms of 'intrinsic safety', that is, an approach which integrates performance and safety together in a concrete form, and not in terms of 'added safety'.

A machine with added safety, that is, safety applied without previous reasoning and planning, necessarily pushes the user to partially or totally circumvent the safety systems. The violation of the machine's safety systems is in fact one of the principal causes of injury.

'Intrinsic safety' is thus a synonym of improved productivity and of the optimisation of idle times such as equipping, adjustment, maintenance and diagnostics; everything in a safe machine context.

[Figure: 'INTRINSIC SAFETY' - integration between performances and safety - SAFE MACHINE]


Safety optoelectronic protective devices

Guide to selecting an optoelectronic protective device

The Machinery Directive is aimed at manufacturers of machines and safety systems (refer to Annex IV). As far as responsibility is concerned: 'the manufacturer is obliged to undertake a risk analysis to discover all the dangers linked to the machine and construct the machine respecting the risk analysis'.

The risk analysis can be conducted according to the following Standards:
- EN 1050 Safety of the machinery - Principles for risk estimation
- EN 292-1/2 (ISO 12100-1/2) General setting principles
- EN 954-1 (ISO 13849-1) Parts of control circuits with safety functions

If the risk present on a machine is higher than the tolerable risk, safety measures have to be adopted to reduce the risk, so as to obtain a configuration where the remaining risk is lower than the tolerable risk.

The estimation of the risks linked to machines and plants has to consider a series of aspects including:
- the machine complexity from the safety point of view, determining the design limits, also in the single machine life phases;
- the complexity and interaction between man and the machine, including a use of the machine that does not conform to the intended use;
- the identification of hazards, dangerous situations and the events that can cause damage;
- the probability and foreseeable severity of a damage.

The estimation follows a cyclic sequence of logical operation phases defined by EN 1050, enabling a systematic analysis of the existing hazards present on the machine; the result has to produce a risk reduction according to EN 292.

The risk referred to the hazard to be considered depends on:
- the damage entity possibly due to the hazard to consider;
- the probability of the damage occurring, considering:
  - frequency and duration of risk exposure
  - possibility of avoiding or limiting damages
  - occurrence probability of a hazardous event

[Figure: risk scale running from SAFETY to DANGER, marking the remaining risk, the tolerable risk and the risk without safety measures, with the minimum risk reduction and the real risk reduction]

Damage entity
Can be evaluated according to:
- Juridical entity to protect (people - objects - environment)
- Health damage entity (light, reversible - severe, irreversible - mortal)
- Number of people injured
All people that can possibly be exposed to the hazard have to be considered.

Frequency and duration of risk exposure
According to the need of accessing a hazardous area, the following have to be evaluated: access type, period of permanence in the hazardous area, and the number of people who necessarily have to have access.
The injury probability increases with the increase of these parameters.
All machine operating modes have to be considered, amongst which adjustment, programming, reconfiguration, cleaning, failure search and maintenance.

Occurrence probability of a hazardous event
Can be calculated considering:
- Technological reliability, injury records (if available), data relative to health damages due to plants or similar machines, other data records.
The occurrence of a hazardous event can be caused both by technical and human factors.


Independently of the technology used, the priority aim of the EN 954-1 Standard is to classify the technical requirements of the controls with safety functions in 5 categories, introducing simple and complex requirements, single-error safety, redundancy and self-control. A prospect is provided in the following table.

Category B
Requirements: The safety-related control circuit parts and/or protective devices, as well as their components, have to be configured, designed, selected, assembled and combined according to related Standards, in order to withstand the effects to be expected.
System behaviour: The occurrence of a failure can lead to the loss of the safety function.

Category 1
Requirements: The B requirements have to be satisfied. Safety-approved components and principles have to be used.
System behaviour: As in B, but the safety function has a higher reliability.

Category 2
Requirements: The B requirements have to be satisfied. Safety-approved components and principles have to be used. The machine circuit has to control the safety functions at appropriate intervals.
System behaviour: The occurrence of a failure can lead to the loss of the safety function in the control interval. The loss of the safety function is detected through the control operation.

Category 3
Requirements: The B requirements have to be satisfied. Safety-approved components and principles have to be used. The safety circuits have to be configured in such a way that a single failure does not lead to the loss of the safety function and, when feasible, the single failure has to be detected.
System behaviour: If a single failure occurs, the safety function remains active. Some failures will be detected. An accumulation of undetected failures will lead to the loss of the safety function.

Category 4
Requirements: The B requirements have to be satisfied. Safety-approved components and principles have to be used. The safety circuits have to be configured in such a way that a single failure does not lead to the loss of the safety function and, when feasible, the single failure has to be detected. If not possible, an accumulation of failures must then not lead to the loss of the safety function.
System behaviour: If a single failure occurs, the safety function remains active. The failures are detected in time to prevent the loss of the safety function.

For categories B and 1, the principle for reaching safety is principally characterised by the component selection.
For categories 2, 3 and 4, the principle for reaching safety is principally characterised by the system structure.

Safety distance

The reference Standard is the EN 999 'Safety of machinery - the positioning of protective equipment in respect of approach speeds of parts of the human body'.

To effect a correct safety function, the safety light curtain has to be positioned correctly with respect to the hazardous machine area.

In industrial applications, the selection of the particular type of safety light curtain is the result of the risk estimation (EN 1050) and is conditioned by the protection desired (finger, hand, body, presence, access protection):
- R ≤ 40 mm: finger or hand protection
- R > 70 mm: body protection
- R < 116 mm: presence detection
(R = resolution)

It is also necessary to calculate the total machine stopping time T, given by:
T = t1 + t2, where
t1 = max. time between the detection actuation and the change of the device switching status
t2 = max. machine response time

The minimum distance S between the hazardous area and the detection point is expressed by the formula:
S = (K x T) + C (result in mm), where
K is a parameter (mm/sec) linked to the approach speed of the human body or parts
T is the total time (sec) necessary to stop the machine
C is an additional distance (mm) based on the device typology used in terms of resolution, where the resolution is the minimum dimension of an opaque object able to obscure at least one of the beams of the sensitive detection area.


According to the approach direction, the Standard supplies three indications, valid for:
- normal approach
- parallel approach
- angled approach

Normal approach to the detection area

1. Safety light curtains with 40 mm maximum resolution:
K = 2000 mm/sec
C = 8 (d - 14 mm), but not smaller than 0
d = device resolution (mm)
The minimum safety distance is:
S = (2000 mm/sec x T) + 8 (d - 14 mm)
This formula is valid for safety distances S up to 500 mm; if the formula gives S higher than 500 mm, K has to be taken as 1600 mm/sec and the following formula used:
S = (1600 mm/sec x T) + 8 (d - 14 mm)

2. Safety light curtains with 40 to 70 mm resolution:
K = 1600 mm/sec
C = 850 mm
Hence the minimum safety distance is:
S = (1600 mm/sec x T) + 850 mm
In all cases, the highest beam height is ≥ 900 mm and the lowest beam is ≤ 300 mm.

3. Safety light grid developed with separate multiple beams
A light grid developed with 2, 3 or 4 separate beams is often used to detect the intrusion of the human body or parts in a specific area; the number of beams and the distance between them depend on the risk estimation made and on the specific machine application. Risks such as slipping under the lower beam, passing over the higher beam, or passing through two beams have to be considered.
The following table provides the heights from the ground or from the reference plane for different beams.

Number of beams | Heights of single beams from the plane (mm)
4 | 300, 600, 900, 1200
3 | 300, 700, 1100
2 | 400, 900

The minimum machine safety distance is: S = (1600 mm/sec x T) + 850 mm
When a single beam is used in an industrial environment, a height of 750 mm is considered appropriate, with the device positioned at a machine distance S = (1600 mm/sec x T) + 1200 mm

Parallel approach to the detection area

In a horizontal installation to safeguard dangerous areas, the safety light curtain has to be positioned at a height H where:
Hmax = 1000 mm
Hmin = 15 (d - 50 mm), where d = resolution of the safety light curtain
The minimum machine safety distance is calculated using the following formula, where:
K = 1600 mm/sec
C = (1200 mm - 0.4 H), not less than 850 mm
S = (1600 mm/sec x T) + (1200 mm - 0.4 H)

Angled approach with respect to the detection area

For foreseeable approach angles bigger than 30°, the normal approach procedure is followed, while for angles smaller than 30° the parallel approach procedure is followed.
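The distance rules above, collected into one calculator as an added example (it is not code from the guide or from DATASENSOR). Function and constant names are assumptions of this example; the inputs in guide_examples() are the values of the guide's own calculation examples for the SE4-20/30/35-060-PP-W light curtains, and the floor of 0 on Hmin for resolutions below 50 mm is an assumption.

```python
"""EN 999 minimum-distance rules as stated in this guide (added example)."""

K_FAST = 2000  # mm/s: normal approach, resolution d <= 40 mm
K_SLOW = 1600  # mm/s: every other case given in the guide

# Beam heights from the reference plane (mm) for multi-beam light grids.
BEAM_HEIGHTS_MM = {4: (300, 600, 900, 1200), 3: (300, 700, 1100), 2: (400, 900)}


def total_time_ms(t1_ms, t2_ms):
    """T = t1 + t2: device switching time plus machine response time (ms)."""
    if t1_ms < 0 or t2_ms < 0:
        raise ValueError("times must be non-negative")
    return t1_ms + t2_ms


def _distance(k_mm_s, t_ms, c_mm):
    # S = (K x T) + C, with T converted from milliseconds to seconds.
    return k_mm_s * t_ms / 1000 + c_mm


def normal_light_curtain(d_mm, t_ms):
    """Normal approach, light curtain of resolution d. Returns (S_mm, K_used)."""
    if d_mm <= 40:
        c = max(0, 8 * (d_mm - 14))      # C = 8(d - 14), but not smaller than 0
        s = _distance(K_FAST, t_ms, c)
        if s > 500:                      # K = 2000 is only valid up to S = 500 mm
            return _distance(K_SLOW, t_ms, c), K_SLOW
        return s, K_FAST
    if d_mm <= 70:
        return _distance(K_SLOW, t_ms, 850), K_SLOW
    raise ValueError("resolution above 70 mm: use the beam or parallel rules")


def normal_beams(n_beams, t_ms):
    """Normal approach, separate beams. Returns (S_mm, beam heights in mm)."""
    if n_beams == 1:
        return _distance(K_SLOW, t_ms, 1200), (750,)
    if n_beams not in BEAM_HEIGHTS_MM:
        raise ValueError("the guide tabulates 1 to 4 beams only")
    return _distance(K_SLOW, t_ms, 850), BEAM_HEIGHTS_MM[n_beams]


def parallel_light_curtain(d_mm, h_mm, t_ms):
    """Parallel approach, horizontal curtain at height H. Returns S_mm."""
    # Hmin = 15(d - 50); clamped at 0 for d < 50 mm (assumption of this example).
    h_min = max(0, 15 * (d_mm - 50))
    if not h_min <= h_mm <= 1000:        # Hmax = 1000 mm
        raise ValueError(f"H must be {h_min}..1000 mm for d = {d_mm} mm")
    c = max(850, 1200 - 0.4 * h_mm)      # C = 1200 - 0.4H, not less than 850
    return _distance(K_SLOW, t_ms, c)


def guide_examples():
    """The guide's three calculation examples (machine stopping time 60 ms)."""
    cases = [("SE4-20-060-PP-W", 20, 23),   # (model, resolution mm, response ms)
             ("SE4-30-060-PP-W", 30, 20),
             ("SE4-35-060-PP-W", 35, 20)]
    return {name: normal_light_curtain(d, total_time_ms(resp, 60))[0]
            for name, d, resp in cases}


if __name__ == "__main__":
    for name, s in guide_examples().items():
        print(f"{name}: S = {s:.0f} mm")
    # Constructed inputs: a slow machine forces the switch to K = 1600 mm/s.
    print(normal_light_curtain(14, 300))
    # Constructed inputs: horizontal curtain, d = 50 mm, mounted at H = 500 mm.
    print(parallel_light_curtain(50, 500, 100))
```

For a slow machine the recomputed value with K = 1600 mm/sec can fall below 500 mm (480 mm for T = 300 ms and d = 14 mm); the guide states no lower bound for that case, so the full text of the Standard has to be consulted before such a value is used.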


Use examples of optoelectronic protective devices

Operating protection point

Operating point protection applies when the safety light curtain is installed directly on the machine and has a resolution able to detect an operator's limb (finger or hand). The following example provides a practical demonstration of the effect of different possible resolutions on the safety distance which has to be respected between the protective device and the hazardous area.

[Figure: Operating protection point on a SHOE WORKING MACHINE]

Calculation examples of the safety distance
K = 2000 mm/s
Machine stopping time = 60 ms
C = 8 (d - 14 mm) with d = resolution in mm

Example 1. Safety light curtain h = 600 mm and 20 mm resolution (SE4-20-060-PP-W)
Response time = 23 ms
S = (2000 mm/s x 0.083 s) + 8 (20 - 14 mm) = 166 mm + 48 mm = 214 mm

Example 2. Safety light curtain h = 600 mm and 30 mm resolution (SE4-30-060-PP-W)
Response time = 20 ms
S = (2000 mm/s x 0.08 s) + 8 (30 - 14 mm) = 160 mm + 128 mm = 288 mm

Example 3. Safety light curtain h = 600 mm and 35 mm resolution (SE4-35-060-PP-W)
Response time = 20 ms
S = (2000 mm/s x 0.08 s) + 8 (35 - 14 mm) = 160 mm + 168 mm = 328 mm

[Figure: distances from the HAZARDOUS AREA: SE4-20-060-PP-W 214 mm, SE4-30-060-PP-W 288 mm, SE4-35-060-PP-W 328 mm]

Presence control protection

This detection type is obtained by positioning the safety light curtain horizontally. The installation makes it possible to control continuously the presence of an obstacle inside a specific area. The device resolution depends on the height of the detection plane and is in any case not greater than 116 mm. This is a particularly useful solution when a dangerous area that is not visible from the machine control points has to be protected.

Access protection

Single-beam and multiple-beam systems (usually two, three and four beams) are commonly used to control the access to a machine or to a particular machine area. These are extremely flexible solutions that also allow the protection of very wide areas.

[Figure: Access protection on PALLETISATION PLANTS]


Use of deviating mirrors

Hazardous areas with different access sides that are adjacent to each other can be protected by using one single safety device together with appropriately installed deviating mirrors. The drawing highlights a possible solution to control three different access sides using two mirrors installed at a 45° angle with respect to the beams.

When deviating mirrors are used, the alignment of the emitting and receiving units becomes critical. The real operating distance decreases by around 15% using only one deviating mirror; the percentage increases using two or more mirrors. The presence of dust or dirt on the reflecting surface of the mirror causes a drastic reduction of the operating distance.

[Figure: Protection of two operating sides of a CERAMIC WORKING MACHINE using one deviating mirror; the drawing shows the hazardous area and the mirrors]

In conclusion, a useful memorandum is given to determine the correct optoelectronic protective device to use.

OPTOELECTRONIC PROTECTIVE DEVICE SELECTION GUIDE
1 DEFINITION OF THE AREA TO PROTECT
2 DEFINITION OF THE DETECTION TYPE
- Operating point protection
- Access protection
- Presence control protection
3 DEFINITION OF THE SAFETY DISTANCE BETWEEN LIGHT CURTAIN AND HAZARDOUS POINT
4 DEFINITION OF THE SAFETY CATEGORY TO USE

Optional functions

Muting

Muting is defined as the temporary automatic suspension of the safety function in order to enable normal operations without stopping the machine. This function is obtained using specific external signals, usually from photoelectric sensors but also from inductive proximity sensors, key selectors or electromechanical switches, controlled by the safety light curtain or by an external control unit.

The muting function forces the safety system, and thus the muting state has to be signalled by a visible signalling indicator controlled by the safety light curtain itself, and the muting state has to be limited in time according to the real application needs.

The muting function is linked to the override function, which makes it possible to force the muting condition if the machine has to be restarted even in the presence of one or more interrupted beams. The aim is to free the protected area from material gathered in the hazardous area after failures during the work cycle.

A typical application of the muting function is provided by palletisers/depalletisers, where the entry and/or exit of the pallet in the hazardous area is necessary; different solutions can be adopted:
- safety light curtains / safety beams with muting function obtained using a specific external control unit that also controls the muting sensors;
- safety light curtains with muting function obtained by connecting the muting sensors directly to the light curtain;
- 'T' shape safety light curtains for bi-directional muting application (pallet entry/exit) with muting sensors positioned in the pre-assembled, pre-cabled and pre-aligned horizontal profiles;
- 'L' shape safety light curtains for mono-directional muting application (only pallet exit) with muting sensors positioned in the pre-assembled, pre-cabled and pre-aligned horizontal profiles.

The safety light curtains with the muting function, generally used for access control with multi-beam systems, are also used to protect robotised areas, assembly lines, automatic warehouses and areas that require entry and exit of AGV.

The following drawings indicate some possible applications of the muting function using optoelectronic through beam muting sensors. According to the different applications, retroreflex, polarised retroreflex and proximity sensors can also be used.

[Figure: Muting function obtained using 4 couples of through beam muting sensors (A1, A2, B1, B2) around the safety device SE; object of length L moving at speed v, sensor spacings d1 and D. PALLET PASSAGE: OK; OPERATOR PASSAGE: NO]

[Figure: Muting function obtained using 2 couples of through beam muting sensors (A, B) around the safety device SE; sensor spacing d1]

For correct muting functioning, the maximum distance D between the sensors must be less than the length L of the object that has to pass between the safety light curtains.

Muting in a temporal sequence can take place only if the distance d1 between the sensors is less than dmax, in which case the request will be accepted; dmax depends on the speed of the moving object according to the following formula:
dmax [cm] = v [m/s] · x [s] · 100


Reset mode

The interruption of at least one beam of the optoelectronic safety device by an object causes the outputs to switch and the machine to be put in a safe state.
Normal device functioning can be restored in two different modes:
Automatic reset: after the interruption caused by the detection of an object, the optoelectronic device returns to normal functioning as soon as the object is removed from the controlled area.
Manual reset: the device returns to normal functioning only after the reset push-button is pressed, and always provided that the object has been removed from the controlled area.

Blanking

Blanking is a configuration of the detection capability that guarantees that the presence of an object in a specific area does not stop the functioning of the controlled machine.
'Fixed blanking' is when this area does not change during machine functioning; 'floating blanking' is when the blanking area follows the movement of the worked object. 'Reduced resolution' is when the detection capability can be changed so that objects smaller than a certain dimension are not detected inside the detection area.
The safety light curtains with the blanking function generally belong to the Type 4 category, for operator finger and hand protection. Typical applications of the blanking function are mainly tool machines and metal working machines. It is also used on machines that have fixed protrusions in a certain area due to the presence of fixing supports or brackets.

Cascade connection

The cascade connection or 'L' connection is a particular characteristic that makes it possible to connect two or more safety light curtains together (either Type 2 or Type 4), usually safety light curtains for finger and hand protection.
Generally only the main safety light curtain, also known as 'host' or 'master', is connected to the machine stopping circuits; the 'guest' or 'slave' safety light curtains (usually one or two couples) are controlled by the main safety light curtain.
Applications that require cascade connection are those where both the operating point control and the operator presence control are necessary (e.g. on presses), or where different operating points of the same machine have to be controlled.

[Figure: Cascade connection of two safety light curtain couples; 'Host' and 'Guest']


SafetyBUS p

Safety light curtains with safety fieldbus interfaces are used to guarantee the safety of plants and machines of considerable dimensions.
Applications that foresee the use of safety fieldbus solutions can be found above all in the automotive industry, but also in press lines, wood working lines and luggage sorting centres in airports.
The safety fieldbuses available or under definition are the following: SafetyBUS p, Safety at Work - AS-Interface, PROFISafe, Interbus Safety and DeviceNet Safety.
DATASENSOR is an effective member of SafetyBUS p and is the first manufacturer to have developed a safety light curtain implemented with SafetyBUS p.

EDM

The EDM function (External Device Monitoring) makes it possible to monitor, through the safety light curtain, the status of external devices, generally final switching devices (FSD) or primary command elements of the machines (MPCE).
This function is particularly useful when the safety light curtain is connected to the machine stopping circuits not through self-controlled safety relay modules but through guided relays whose malfunctioning, if not detected, can jeopardise the safety of the machine.

DATASENSOR optoelectronic safety devices

Type 2 operating protection point

According to IEC 61496-1 / IEC 61496-2

 | SE2-35 | SF2-30
POWER SUPPLY | 24 Vdc | 24 Vdc
RESOLUTION | 35 mm | 30 mm
OPERATING RANGE | 0.2...15 m | 0.2...15 m
CONTROLLED HEIGHT | 150...1650 mm | 150...1500 mm
RESPONSE TIME | 15...32 ms | 24 ms max.
OUTPUT | 2 transistor PNP | 2 transistor PNP
CONNECTION | Rx: M12 8 poles; Tx: M12 4 poles | Rx: M12 5 poles; Tx: M12 4 poles
DIMENSIONS | 35 x 40 mm | 31 x 32 mm
DEVICE FUNCTIONS | Test; Manual/auto reset selection; Total/partial Muting selection; Override | Test; Manual reset; Automatic reset
CERTIFICATIONS | II3D | II3D


Type 4 operating protection point

According to IEC 61496-1 / IEC 61496-2

 | SE4-14 | SE4-14 PLUS | SE4-20
POWER SUPPLY | 24 Vdc | 24 Vdc | 24 Vdc
RESOLUTION | 14 mm | 14 mm | 20 mm
OPERATING RANGE | 0.2...6 m | 0.2...6 m | 0.2...6 m
CONTROLLED HEIGHT | 150...900 mm | 150...1200 mm | 150...1650 mm
RESPONSE TIME | 18...39 ms | 18...39 ms | 16...39 ms
OUTPUT | 2 transistor PNP | 2 transistor PNP | 2 transistor PNP
CONNECTION | Rx: M12 8-poles; Tx: M12 4-poles | Rx: M12 8-poles; Tx: M12 4-poles; Rx: M12 5-poles (only Cascading); Tx: M12 5-poles (only Cascading) | Rx: M12 8-poles; Tx: M12 4-poles
DIMENSIONS | 35 x 40 mm | 35 x 40 mm | 35 x 40 mm
DEVICE FUNCTIONS | Test; Manual/auto reset selection; Total/partial Muting selection; Override | Test; Manual/auto reset selection; EDM selection; 4 model versions available: EDM, Fixed/Floating Blanking, Cascading, Cascading/Blanking | Test; Manual/auto reset selection; Total/partial Muting selection; Override
CERTIFICATIONS | II3D | II3D | II3D

 | SE4-30 | SE4-30 PLUS | SE4-35
POWER SUPPLY | 24 Vdc | 24 Vdc | 24 Vdc
RESOLUTION | 30 mm | 30 mm | 35 mm
OPERATING RANGE | 0.2...15 m | 0.2...15 m | 0.2...15 m
CONTROLLED HEIGHT | 150...1650 mm | 150...1650 mm | 150...1650 mm
RESPONSE TIME | 15...32 ms | 15...32 ms | 15...32 ms
OUTPUT | 2 transistor PNP | 2 transistor PNP | 2 transistor PNP
CONNECTION | Rx: M12 8-poles; Tx: M12 4-poles | Rx: M12 8-poles; Tx: M12 4-poles; Rx: M12 5-poles (only Cascading); Tx: M12 5-poles (only Cascading) | Rx: M12 8-poles; Tx: M12 4-poles
DIMENSIONS | 35 x 40 mm | 35 x 40 mm | 35 x 40 mm
DEVICE FUNCTIONS | Test; Manual/auto reset selection; Total/partial Muting selection; Override | Test; Manual/auto reset selection; EDM selection; 4 model versions available: EDM, Fixed/Floating Blanking, Cascading, Cascading/Blanking | Test; Manual/auto reset selection; Total/partial Muting selection; Override
CERTIFICATIONS | II3D | II3D | II3D


Type 2 access protection / Presence control

According to IEC 61496-1 / IEC 61496-2

SB-BWS-T2+Sx-ST2 components:
- SB-BWS-T2 control unit
- S5-ST2 M18 plastic safety sensors
- S10-ST2 M18 metal safety sensors
- S30-ST2 maxi safety sensors

 | SE2-P | SB-BWS-T2+Sx-ST2 | SF2-50 / SF2-90
POWER SUPPLY | 24 Vdc | 24 Vdc | 24 Vdc
N° BEAMS/RESOLUTION | 2-3-4 | up to 2 | 50 mm / 90 mm
OPERATING RANGE | 0.5...50 m | up to 50 m | up to 15 m
CONTROLLED HEIGHT | 500-800-900-1200 mm | 500 mm | 300...1500 mm
RESPONSE TIME | 14 ms | 22 ms max. | 15...24 ms
OUTPUT | 2 transistor PNP | 2 relay | 2 transistor PNP
CONNECTION | Rx: M12 8-poles; Tx: M12 4-poles | SAFETY SENSORS: 3-pole shielded cable (S5/S10-ST2); M12 connector (S5/S10/S30-ST2); Terminal block (S30-ST2) | Rx: M12 5-poles; Tx: M12 4-poles
DIMENSIONS | 35 x 40 mm | | 35 x 40 mm
DEVICE FUNCTIONS | Test; Manual/auto reset selection; Total/partial Muting selection; Override | Test; Manual reset | Test; Manual reset; Automatic reset
CERTIFICATIONS | II3D | | II3D

Type 4 access protection

According to IEC 61496-1 / IEC 61496-2

SB-BWS-T4+Sx-ST4 components:
- SB-BWS-T4 control unit
- S5-ST4 M18 plastic safety sensors
- S10-ST4 metal safety sensors
- SL5-ST4 laser M18 plastic safety sensors
- S30-ST4 maxi safety sensors

 | SE4-P | SE4-Q | SB-BWS-T4+Sx-ST4
POWER SUPPLY | 24 Vdc | 24 Vdc | 24 Vdc
N° BEAMS | 2-3-4 | 2-3-4 | 2-3-4
OPERATING RANGE | 4...50 m | 0.5...25 m | up to 50 m
CONTROLLED HEIGHT | 500-800-900-1200 mm | 500-800-900-1200 mm |
RESPONSE TIME | 14 ms | 14 ms | 32 ms max.
OUTPUT | 2 transistor PNP | 2 transistor PNP | 2 relay
CONNECTION | Rx: M12 8-poles; Tx: M12 4-poles | Rx: M12 8-poles; Tx: M12 4-poles | SAFETY SENSORS: 3-pole shielded cable (S5/S10-ST4); M12 connector (S5/S10/S30-ST4); Terminal block (S30-ST4)
DIMENSIONS | 35 x 40 mm | 35 x 40 mm |
DEVICE FUNCTIONS | Test; Manual/auto reset selection; Total/partial Muting selection; Override | Test; Manual/auto reset selection; Total/partial Muting selection; Override | Test; Manual/auto reset selection; Total/partial Muting selection; Double Muting/Override version
CERTIFICATIONS | II3D | II3D |


Type 4 access protection

According to IEC 61496-1 / IEC 61496-2

 | SE4-T (safety light curtains with integrated muting sensors) | SE4-L (safety light curtains with integrated muting sensors) | SE4-S (safety light curtains with external muting sensors)
POWER SUPPLY | 24 Vdc | 24 Vdc | 24 Vdc
N° BEAMS | 2-3 | 2-3 | 2-3
OPERATING RANGE | 0.5...3 m | 0.5...3 m | 0.5...25 m
CONTROLLED HEIGHT | 500-800 mm | 500-800 mm | 500 mm
RESPONSE TIME | 14 ms | 14 ms | 14 ms
OUTPUT | 2 transistor PNP | 2 transistor PNP | 2 transistor PNP
CONNECTION | Rx: M12 8-poles; Rx: M12 5-poles; Tx: M12 4-poles | Rx: M12 8-poles; Rx: M12 5-poles; Tx: M12 4-poles | Rx: M12 8-poles; Rx: M12 5-poles; Tx: M12 4-poles
DIMENSIONS | 35 x 40 mm | 35 x 40 mm | 35 x 40 mm
DEVICE FUNCTIONS | Test; Manual/auto reset selection; Muting time-out selection; Override; EDM selection | Test; Manual/auto reset selection; Muting time-out selection; Override; EDM selection | Test; Manual/auto reset selection; Muting time-out selection; Override; EDM selection
CERTIFICATIONS | II3D | II3D | II3D

According to IEC 61496-1 / IEC 61496-2

 | SE4-R linear version | SE4-R 'L' version | SE4-R 'T' version
POWER SUPPLY | 24 Vdc | 24 Vdc | 24 Vdc
N° BEAMS | 2 | 2 | 2
OPERATING RANGE | 0...7.5 m | 0...3 m | 0...3 m
CONTROLLED HEIGHT | 500 mm | 500 mm | 500 mm
RESPONSE TIME | 14 ms | 14 ms | 14 ms
OUTPUT | 2 transistor PNP | 2 transistor PNP | 2 transistor PNP
CONNECTION | Active unit: M12 5-poles; M12 8-poles | Active unit: M12 5-poles; M12 8-poles | Active unit: M12 5-poles; M12 8-poles
DIMENSIONS | Active unit: 35 x 40 mm; Passive unit: 52 x 55 mm | Active unit: 35 x 40 mm; Passive unit: 52 x 55 mm | Active unit: 35 x 40 mm; Passive unit: 52 x 55 mm
DEVICE FUNCTIONS | Test; Manual/auto reset selection; EDM; L and T Muting selection; Muting time-out selection; Override | Test; Manual/auto reset selection; EDM; L and T Muting selection; Muting time-out selection; Override | Test; Manual/auto reset selection; EDM; L and T Muting selection; Muting time-out selection; Override
CERTIFICATIONS | II3D | II3D | II3D


Accessories

CONNECTOR CABLES

SHIELDED CABLES - CV series
M12 axial and radial connector cables with 4 and 8 poles
Cable lengths: 3, 5, 10, 15, 25 m
Cable material: PVC
The use of shielded cables is compulsory for the safety devices of the SE2 and SE4 series; suggested for the Sx-ST2/ST4 series

UNSHIELDED CABLES - CS series
M12 axial and radial connector cables with 4 and 5 poles
Cable lengths: 3, 5, 7, 10 m
Cable material: PVC
M12 8-pole non-cabled connectors are available

CONNECTION BOX - SE-SRT series
Connection box for on-board installation with two integrated safety relays, Reset/Override push-button, Muting lamp and ON/OFF key. To be used with the SE4-R and SE4-T/L safety light curtain series

LASER POINTER - SE-LP series
To be used with the SE2 and SE4 safety light curtain series

FIXING BRACKETS - ST series
The fixing brackets are supplied together with the safety light curtains for the SE2, SE4 and SF2 series
Standard fixing brackets (4pcs kit) are available for the SE2 and SE4 safety light curtains, as well as orientable and anti-vibration supports. Anti-scratch fixing brackets (4pcs kit) are available for the SF2 safety light curtain series

MUTING DEVICES - LMS series
MUTING LAMPS: standard, tower modular, with horizontal and vertical mounting
MUTING SENSORS: DATASENSOR non-safety sensors can be used (refer to relative documentation)

FLOOR STANDS - SE-S series
To be used with the SE2, SE4, SF2 safety light curtain series and SE-DM deviating mirror series
Available in different heights:
800, 1000 and 1200 with 30 x 30 mm profile dimensions
1500 and 1800 mm with 45 x 45 mm profile dimensions
Ground fixing plate dimensions: 240 x 240 mm

PROTECTIVE STANDS - SE-P series
To be used with the SE2, SE4 and SF2 safety light curtain series
Available in different heights ranging from 273 mm to 1743 mm

TEST PIECES - TP series
Versions with 14, 20, 30 and 35 mm diameters

SAFETY RELAY - SE-SR2 SERIES
Type 4 safety relay - safety contacts: 3 NO 1 NC. To be used with the SE2, SE4, SF2, SE4-R and SE4-T/L safety light curtain series

DEVIATING MIRRORS - SE-DM series
To be used with the SE2, SE4 and SF2 safety light curtain series and the Sx-ST2/ST4 monobeam safety photosensor series
Available in different heights ranging from 150 mm to 1800 mm
Deviating mirror dimensions: 124 mm width, 6 mm depth


Selection guide

[Selection diagrams, one for OPERATING PROTECTION POINT and one for ACCESS PROTECTION / PRESENCE CONTROL PROTECTION. Each branches on SEVERITY OF DAMAGE (SEVERE, normally irreversible / LIGHT, normally reversible), HAZARD EXPOSURE FREQUENCY AND/OR DURATION (FREQUENT/CONTINUOUS or RARE/SHORT) and AVOIDABLE HAZARD (YES / NO), and ends in TYPE 4 or TYPE 2.]

Operating protection point
TYPE 4: SE4-14, SE4-14 PLUS, SE4-20, SE4-30, SE4-30 PLUS, SE4-35
TYPE 2: SE2-35, SF2-30

Access protection / presence control protection
TYPE 4: SE4-L, SE4-P, SE4-Q, SE4-R, SE4-T, SE4-S, SB-BWS-T4 + Sx-ST4
TYPE 2: SE2-P, SB-BWS-T2+Sx-ST2, SF2-50 / SF2-90

The selection guide has been schematised according to EN 954-1.
The given information is indicative and synthetic; it is compulsory to refer to the complete EN 954 Standard for a correct risk and safety type estimation.

Type | Products | Resolution (mm) | Operating range (m)
TYPE 2 | SF2-30 | 30 | 15
TYPE 2 | SE2-35 | 35 | 15
TYPE 2 | SE2-P | | 50
TYPE 2 | SB-BWS-T2 + Sx-ST2 | | up to 50 *
TYPE 2 | SF2-50 | 50 | 15
TYPE 2 | SF2-90 | 90 | 15
* 8 m with S5/S10-ST2; 50 m with S30-ST2

Type | Products | Resolution (mm) | Operating range (m)
TYPE 4 | SE4-14 | 14 | 6
TYPE 4 | SE4-14 PLUS | 14 | 6
TYPE 4 | SE4-20 | 20 | 6
TYPE 4 | SE4-30 | 30 | 15
TYPE 4 | SE4-30 PLUS | 30 | 15
TYPE 4 | SE4-35 | 35 | 15
TYPE 4 | SE4-Q | | 25
TYPE 4 | SE4-P | | 50
TYPE 4 | SE4-T / SE4-L | | 3
TYPE 4 | SE4-S | | 25
TYPE 4 | SE4-R Linear | | 7.5
TYPE 4 | SE4-R 'L' / SE4-R 'T' | | 3
TYPE 4 | SB-BWS-T4 + Sx-ST4 | | up to 50 *
* 8 m with S5/S10-ST4; 40 m with SL5-ST4; 50 m with S30-ST4


How to safeguard a machine

Type 2 operating protection point applications / Type 4 operating protection point applications

• Automatic machines for packing and packaging
• Benders and cutters
• Automatic warehousing and materials handling
• Metal, plastic and leather working machines
• Automatic assembling lines (pick and place)
• Textile, ceramic, wood and leather industry
• Presses and punching machines
• Metal forming, milling and drilling machines

[Photographs: Automatic working machines; Benders and cutters; Automatic assembling lines; Metal working machines; Automatic packaging machines; Presses and punching machines]


How to safeguard a machine

Type 2 access protection and presence control applications

• Palletisers and depalletisers
• Automatic warehouses
• Access control, working areas and robots
• Transfer areas

Type 4 access protection applications

• Palletisers and depalletisers
• Automatic warehouses
• Access control, working areas and robots
• Transfer areas

[Pictures: Robots; Conveyors; Automatic warehouses; Palletisers; Transfer areas; Assembly robotised lines]


Appendix
ISO EN 13849-1 / EN IEC 62061

Categories and SIL: new perspectives in the circuit evaluation for safety functions

The Standards concerning the safety aspects of command systems are being revised. In particular, EN 954-1 is already at an advanced stage of revision as EN ISO 13849-1, while EN IEC 62061 was published and harmonised in 2005 under the title Functional Safety of safety electrical, electronic and programmable electronic control systems. The ‘philosophy’ of the method is analysed in the following paragraphs.

Fundamentally, the basic principles of the existing EN 954-1, and the considerations and definitions used in the ‘safety categories’ and circuit applications, will remain unchanged.

A new method will be introduced, based on probabilities, i.e. on numeric estimations, in order to calculate with greater precision the effective safety level reached by an architectural configuration with specific components.

The philosophy of the new Standards will allow more effective evaluations when determining the safety category assigned both to a circuit solution and to a safety device. Which new features have been introduced by these two Standards? Both have in common the definition and use of parameters such as MTTF, DC, CCF etc., while the revision of EN 954-1 will define a new parameter called Performance Level (PL) and EN IEC 62061 will define the Safety Integrity Level (SIL).

EN ISO 13849-1 and EN IEC 62061 applications

The revision of EN ISO 13849-1 will define an application field based on the existing applications to the technologies used in mechanics, pneumatics and hydraulics, but also electromechanics, to which ‘low complexity’ electronic components (also programmable) will be added. Consequently, EN IEC 62061 has to be used for the ‘high complexity’ components.


Other parameters can be used to identify which Standard to use. These parameters are summarised in the following table:

| | Control function technologies | EN ISO 13849-1 (rev) | EN IEC 62061 |
|---|---|---|---|
| A | Non-electric, for example hydraulics, pneumatics | X | Not applicable |
| B | Electromechanics, for example relays and/or simple electronics | Limited to the foreseen (1) architectures and max. PL = e | All architectures up to SIL 3 |
| C | Complex electronics (for example programmable electronics) | Limited to the foreseen (1) architectures and max. PL = d | All architectures up to SIL 3 |
| D | A combined with B | Limited to the foreseen (1) architectures and max. PL = e | X (2) |
| E | C combined with B | Limited to the foreseen (1) architectures and max. PL = d | All architectures up to SIL 3 |
| F | C combined with A, or C combined with A and B | X (3) | X (2) |

(1) The foreseen architectures are described in Annex B of the EN ISO 13849-1 Standard and indicate the simplified approach to quantify the performance levels.
(2) For non-electric technologies: use parts conforming to EN ISO 13849-1 as subassemblies.
(3) For complex electronics: the use of foreseen architectures conforming to EN ISO 13849-1 up to PL = d or other architecture conforming to EN IEC 62061.

The EN 954-1 revision

A first important aspect is the new definition of Performance Level (PL), which indicates the capacity of the command system to carry out a certain safety function in specific working conditions in order to reach the necessary risk reduction. Substantially, the definition indicates the capacity to carry out the safety function considering the possible failures and the capability to react.

This parameter will become, together with the ‘safety category’ definition, very important. In fact, in the risk evaluation procedure, the table present in the existing version of the Standard becomes the table shown here, where the final result is the PL to reach. The table presents 5 Performance Levels, defined in terms of probable dangerous system failures.

The following parameters have to be considered to determine the PL:

1. command system architecture (single channel, with or without monitoring, double channel, etc.);
2. reliability of the parts that form the command system: Mean Time To Failure (MTTF) parameter;


3. command system reaction capability and behaviour following a failure: Diagnostic Coverage (DC) and Common Cause Failure (CCF) parameters;
4. ‘systematic failure’ aspects that involve the development and production of a command system, operation stress, etc.

The first three points refer to quantifiable aspects or measures, while the last defines non-quantifiable parameters. For example, systematic failures derive from inappropriate planning, both from the process point of view (software) and from the procedure point of view, as well as from documentation.

With respect to the existing EN 954-1 definitions, new concepts have been introduced (except the parameterisation using MTTF, DC, CCF etc.). Starting from the present revision status, the safety categories have to consider the following aspects:

• the components chosen have to guarantee a certain reliability;
• the choice of the circuit type to develop;
• the development of the monitoring functions;
• others.

The principal difference is the possibility of determining the final result of applying EN 954-1 according to precise numeric parameters.

The single parameters are analysed in the following paragraphs.

Architecture

Four typologies are synthesised:


MTTF – Mean Time to Failure

This parameter is a reliability indicator of a component and is indicated in years. The value identifies the time within which 63% of the components produce failures. In the example provided, the parameter refers only to dangerous failures and is therefore identified as MTTF_d.

An example of a safe failure is a contactor which cannot be closed, a condition in which a moving part does not start, while a dangerous failure is the same contactor which cannot be opened.

The Standard identifies three MTTF_d levels, summarised in the following table:

| MTTF_d identification | MTTF_d range |
|---|---|
| Low | 3 years ≤ MTTF_d < 10 years |
| Medium | 10 years ≤ MTTF_d < 30 years |
| High | 30 years ≤ MTTF_d |


For electromechanical components (for example contactors, electrovalves), the MTTF parameter can be calculated from another parameter called B10, which indicates the number of cycles within which 10% of the components have undergone a failure. To calculate the MTTF, the number of use cycles in a year has to be calculated:

$$MTTF_d = \frac{B_{10d}}{0.1 \times C}$$

where C is the number of operations in a year:

$$C = \frac{day_{op} \times hour_{op} \times 3600\ \mathrm{s/h}}{t_{cycle}}$$

Example: calculation of the MTTF_d of a relay (contactor)

B10d = 2.000.000 operations
C = number of operations per year = 200.000

$$MTTF_d = \frac{B_{10d}}{0.1 \times C} = 100\ \mathrm{y}$$

DC – Diagnostic Coverage

DC is a parameter that identifies the percentage of dangerous failures that the command system can detect with respect to the total number of dangerous failures. More precisely, this parameter represents the reduction in the probability of dangerous hardware failures that results from automatic diagnostic tests.

$$DC = \frac{\text{N° dangerous failures detected}}{\text{N° dangerous failures}} = \frac{\sum \lambda_{DD}}{\sum \lambda_{DTotal}}$$

This parameter is divided into four levels:

| DC identification | DC range |
|---|---|
| None | DC < 60 % |
| Low | 60 % ≤ DC < 90 % |
| Medium | 90 % ≤ DC < 99 % |
| High | DC ≥ 99 % |


This data is either supplied by the component supplier or can be found in the Annex:

Annex E of EN ISO 13849 – DC estimations

| Measure | DC | Comment |
|---|---|---|
| Basic safety principles | 60 % | NO/NA contacts without forced opening |
| Use of NO/NA contacts for forced opening | 99 % | Possible check (single channel) |
| Cross monitoring and dynamic test | 90 % | Double circuit channel without short-circuit detection |
| Complete monitoring | 99 % | Circuit with 2 separate and triggered channels |

CCF – Common Cause Failure

This parameter applies to double channel architectures, which require a check of the susceptibility to common cause failures. The check is made by verifying some features (for example the use of diversity principles, EMC immunity) indicated in Annex F. The calculation can be made only if the response is positive, otherwise the project has to be revised.

For a double channel system, Annex F supplies a form that allows the susceptibility of the planned system to CCF to be checked. A score is assigned to each feature. The sum of the scores cannot exceed 100. The system conforms to the necessary requirements when the value is greater than 65.


Consider that:

• I1 and I2 are outputs of a safety light curtain with short-circuit control;
• L1 and L2 are formed by a safety PLC;
• O1 and O2 are two force guided contactors with external monitoring (EDM),

for which

• I1 and I2: DC = 99%, MTTF = 200000 h = 22 y;
• L1 and L2: DC = 99%, MTTF = 60 y;
• O1 and O2: DC = 90%, MTTF = 32 y.

The following results are obtained:

$$DC_{AVG} = \frac{2 \times 0.99 \times \frac{1}{MTTF_{I_1 I_2}} + 2 \times 0.99 \times \frac{1}{MTTF_{PSS}} + 2 \times 0.9 \times \frac{1}{MTTF_{O_1 O_2}}}{2 \times \frac{1}{MTTF_{I_1 I_2}} + 2 \times \frac{1}{MTTF_{PSS}} + 2 \times \frac{1}{MTTF_{O_1 O_2}}}$$

from which

$$DC_{AVG} = 0.96$$

Knowing the MTTF of the single devices that form the channels, the MTTF_d of each channel is obtained through the following:

$$\frac{1}{MTTF_{D,C_1}} = \frac{1}{MTTF_{D,C_2}} = \frac{1}{MTTF_{I_1}} + \frac{1}{MTTF_{PSS}} + \frac{1}{MTTF_{O_1}}$$

where

$$MTTF_{D,C_1} = MTTF_{D,C_2} = 10.7\ \text{years}$$

Using the formula to calculate the MTTF_d for double channel systems provided by table 1, the following is obtained:

$$MTTF_d = \frac{2}{3}\left[ MTTF_{d,C_1} + MTTF_{d,C_2} - \frac{1}{\frac{1}{MTTF_{d,C_1}} + \frac{1}{MTTF_{d,C_2}}} \right] = MTTF_{d,C_1} = MTTF_{d,C_2} = 10.7\ \text{years}$$

Using the data obtained, the point of the table can be identified and so the PL can be determined.

The system is a double channel system and thus the susceptibility of the planned system to CCF has to be checked. The formula above gives a final result of 80, which is greater than 65%, and so the test is passed.
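The worked example above, together with the B10d formula and the MTTF_d and DC ranges given earlier, as an added Python example that is not part of the Datasensor guide: the class and function names are assumptions, the input figures are the guide's, and the CCF pass mark follows the guide's "superior to 65" wording.

```python
from dataclasses import dataclass

CCF_PASS_MARK = 65  # the guide: the score must be "superior to 65" (maximum 100)


@dataclass(frozen=True)
class Block:
    """One device in a channel (sensor output, logic, contactor)."""
    name: str
    mttf_d_years: float  # mean time to dangerous failure, in years
    dc: float            # diagnostic coverage as a fraction, 0.99 = 99 %

    def __post_init__(self):
        if self.mttf_d_years <= 0 or not 0.0 <= self.dc <= 1.0:
            raise ValueError(f"implausible data for {self.name}")


def mttf_d_from_b10d(b10d_cycles, cycles_per_year):
    """MTTF_d = B10d / (0.1 x C) for wear-limited parts such as contactors."""
    if b10d_cycles <= 0 or cycles_per_year <= 0:
        raise ValueError("B10d and yearly cycles must be positive")
    return b10d_cycles / (0.1 * cycles_per_year)


def channel_mttf_d(blocks):
    """Devices of one channel act in series: 1/MTTF_d,C = sum of 1/MTTF_d,i."""
    if not blocks:
        raise ValueError("a channel needs at least one device")
    return 1.0 / sum(1.0 / b.mttf_d_years for b in blocks)


def symmetrised_mttf_d(c1_years, c2_years):
    """Single MTTF_d figure for a double channel system, equal channels or not."""
    parallel = 1.0 / (1.0 / c1_years + 1.0 / c2_years)
    return (2.0 / 3.0) * (c1_years + c2_years - parallel)


def dc_avg(blocks):
    """DC of every device weighted by its failure rate 1/MTTF_d."""
    weights = [1.0 / b.mttf_d_years for b in blocks]
    return sum(b.dc * w for b, w in zip(blocks, weights)) / sum(weights)


def classify_mttf_d(years):
    if years < 3:
        return "below low"  # under the lowest range in the guide's table
    if years < 10:
        return "low"
    return "medium" if years < 30 else "high"


def classify_dc(dc):
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    return "medium" if dc < 0.99 else "high"


def evaluate(channel_1, channel_2, ccf_score):
    """Collect the figures needed to read the PL off the Standard's table."""
    c1, c2 = channel_mttf_d(channel_1), channel_mttf_d(channel_2)
    mttf_d = symmetrised_mttf_d(c1, c2)
    avg = dc_avg(list(channel_1) + list(channel_2))
    return {
        "mttf_d_c1": c1, "mttf_d_c2": c2, "mttf_d": mttf_d,
        "mttf_d_class": classify_mttf_d(mttf_d),
        "dc_avg": avg, "dc_class": classify_dc(avg),
        "ccf_ok": ccf_score > CCF_PASS_MARK,
    }


def guide_example():
    """The guide's figures: light curtain outputs, safety PLC, contactors."""
    ch1 = [Block("I1", 22, 0.99), Block("L1", 60, 0.99), Block("O1", 32, 0.90)]
    ch2 = [Block("I2", 22, 0.99), Block("L2", 60, 0.99), Block("O2", 32, 0.90)]
    return evaluate(ch1, ch2, ccf_score=80)


if __name__ == "__main__":
    for key, value in guide_example().items():
        print(f"{key:13} {value}")
```

Because DC_avg weights each device by 1/MTTF_d, the least reliable devices dominate the average, which is why the 90 % contactors pull the result below the 99 % of the sensors and logic.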


The results are summarised in the following table:

| Ch.1 | Ch.2 | MTTF (years) | DC % |
|---|---|---|---|
| I1 | - | 22 | 99 |
| - | I2 | 22 | 99 |
| L | - | 60 | 99 |
| - | L | 60 | 99 |
| O1 | - | 32 | 90 |
| - | O2 | 32 | 90 |

| Result | Value | Classification |
|---|---|---|
| CCF | 80 | > 65%: CCF valid |
| Channel n° | Double | |
| MTTF_d,C1 | 10,7 years | medium |
| MTTF_d,C2 | 10,7 years | medium |
| MTTF_d | 10,7 years | medium |
| DC_Avg | 0,92 | medium |
| Category | 3 | |
| PL | c-d | |

The table clearly reveals a PL uncertainty between c and d. In this case, Annex K of the Standard has to be used. The corresponding PL is calculated knowing the average MTTF_d and DC_Avg of the two channels (where MTTF_d = 10,7 is rounded down to 10, so as to consider a worse condition).


The PFH_d value is calculated from the table, and in this case is $1.36 \times 10^{-6}$.

Simplified method

A simplified procedure can be used for a combination of devices that form the safety circuit, for each of which a well-defined PL is assigned. This method is used in the presence of complex subsystems.

Example:

• area scanner: PL “d”;
• programmable PLC: PL “e”;
• safety relays: PL “e”

The following phases are used in the procedure:

1. identify the component with the lowest PL, PL_Low (in the example: “d”);
2. identify the number of components with PL_Low (in the example: 1);
3. determine the total PL using the table given alongside (in the example: “d”)

The new EN IEC 62061 Standard

This Standard derives from the general IEC 61508 Standard relative to the safety functions of electronic and programmable electronic devices for safety functions.

This Standard can be applied as an alternative to EN ISO 13849-1, or exclusively in case of use of programmable complex electronic components, complex architectures, with PL equal to “e”.

The final result obtained using the Standard is called SIL, the Safety Integrity Level. The different discrete levels, which identify the capability of a circuit to carry out the safety functions within certain limits, have to be considered. The SIL levels foreseen by the Standard are numbered progressively from 1 to 3: 3 is the maximum level.


How to proceed with the EN IEC 62061

1. Determination of dangers
2. Risk evaluation (EN IEC 62061 method - Se, Fr, Pr, Av)
3. Determination of Safety Integrity Level (SIL)
4. Planning and development of the safety function
5. Determination of the SIL through
   a. probability of dangerous failures per hour (PFH_d);
   b. diagnostic capability (DC, SFF);
6. Comparison between the SIL required and the SIL obtained.

1. Determination of dangers

The possible dangers that the operator can encounter, and which have to be detected by the safety function, have to be established.

2. Risk evaluation (risk analysis)

Previously, the risk estimation was carried out according to EN 954-1, referring to the well-known diagram given in Annex B. The EN IEC 62061 Standard derives from IEC 61508, where Annex 5 proposes a more complete diagram for carrying out the risk estimation. With respect to the previous diagram, there are more possible combinations.


The EN IEC 62061 establishes that the risk estimation has to be carried out by determining, for each danger type, the following risk parameters: Se, Fr, Pr, Av. The table given in Annex 2 of the Standard is provided below, where the parameter determination procedure is schematised.


The following paragraphs analyse each parameter and its estimation:

a. Se: severity of damage

The severity of health damage can be evaluated considering reversibility, irreversibility and death. The suitable damage value has to be chosen from Table A.1, considering that:

| Severity (Se) | Consequences |
|---|---|
| 4 | Fatal injury (death) or irreversible injury that prevents work after recovery |
| 3 | Severe irreversible injury that prevents the continuation of the same job after recovery. Can include a reversible but severe injury, e.g. breaking of an arm |
| 2 | Reversible injury, including severe lacerations, grazes, burns that require careful medication |
| 1 | Light injuries, including grazes and light burns, that require light medication |

b. Fr: Frequency and/or duration of danger exposure

This parameter is determined independently from Pr and Av, considering in each case the worst condition so as to avoid underrating the SIL.

The following aspects have to be considered to determine the exposure level:

• need to access the danger zone according to working conditions: normal working cycle, maintenance;
• access type to the danger zone, for manual machine loading or set-up operations.

Where possible, the average interval between exposures, and so the average access frequency, has to be evaluated. The duration should also be foreseen, for example whether it is longer than 10 min.

Frequency and duration of exposure (Fr)

| Frequency of exposure | Duration (> 10 min) |
|---|---|
| ≤ 1 hour | 5 |
| > 1 hour and ≤ 1 day | 5 |
| > 1 day and ≤ 2 weeks | 4 |
| > 2 weeks and ≤ 1 year | 3 |
| > 1 year | 2 |

When the duration is less than 10 minutes, the value can be decreased by one level. This cannot be applied to access frequencies ≤ 1 hour.

c. Pr: Probability that the event can occur

This parameter depends on:

• machine behaviour in different use modes (risk of unexpected restarts; the risk in case of failures has to be estimated);
• specified or foreseeable characteristics of human behaviour (solicitations, damage limitation perceptions, risk knowledge, capacity, experience, training, machine complexity).


| Event probability | Pr |
|---|---|
| Very high | 5 |
| Probable | 4 |
| Possible | 3 |
| Rare | 2 |
| Irrelevant | 1 |

d. Av: Probability to avoid dangerous event

This parameter depends on:

• incoming speed of dangerous event;
• possibility to avoid danger;
• nature of the system (evident or hidden risk);
• possibility to identify a danger.

| Probability to avoid or limit damage | Av |
|---|---|
| Impossible | 5 |
| Rare | 3 |
| Probable | 1 |

3. Estimation of the Safety Integrity Level (SIL)

The Standard supplies an evaluation table to use to calculate the SIL foreseen for the system or safety function.


An example:

‣ Severity of damage (Se) → 3
‣ Classification (Cl): Cl = Fr + Pr + Av
‣ Cl = Fr + Pr + Av = 5 + 3 + 5 → 13
‣ RESULT → SIL 2

| Se | Cl 3 - 4 | Cl 5 - 7 | Cl 8 - 10 | Cl 11 - 13 | Cl 14 - 15 |
|---|---|---|---|---|---|
| 4 | SIL 2 | SIL 2 | SIL 2 | SIL 3 | SIL 3 |
| 3 | | OM | SIL 2 | SIL 2 | SIL 3 |
| 2 | | | OM | SIL 1 | SIL 2 |
| 1 | | | | OM | SIL 1 |

Legend: Requested safety measures / Recommended safety measures

4. Planning and developing the safety function

The system architecture has to be defined in this phase. The Standard suggests 4 possible simplified architectures, shown in the following table.

The meaning of the architecture denominations is the following:

MooN = M out of N channels
MooND = M out of N channels with Diagnostic

| Architecture | Structure |
|---|---|
| 1oo1 | Single channel – Fault Tolerance = 0 |
| 1oo2 | Double channel without monitoring – Fault Tolerance = 1 |
| 1oo1D | Single channel with monitoring – Fault Tolerance = 0 |
| 1oo2D | Double channel with monitoring – Fault Tolerance = 1 |

Fault Tolerance = N means that N+1 failures can jeopardise the safety function.


a. Architecture A (1oo1)

$$\lambda_{DssA} = \lambda_{De1} + \dots + \lambda_{Den}$$

$$PFH_{DssA} = \lambda_{DssA} \times 1h$$

In this architecture every working defect of any subsystem causes the loss of the safety function.

b. Architecture B (1oo2)

$$\lambda_{DssB} = (1 - \beta)^2 \times \lambda_{De1} \times \lambda_{De2} \times T_1 + \beta \times \frac{\lambda_{De1} + \lambda_{De2}}{2}$$

$$PFH_{DssB} = \lambda_{DssB} \times 1h$$

where
T1: test interval or life time (the smallest of the two)
β: common failure susceptibility


In this architecture a single working defect of any subsystem does not cause the loss of the safety function. The safety function will be lost only when more than one subsystem is defective.

c. Architecture C (1oo1D)

$$\lambda_{DssC} = \lambda_{De1} \times (1 - DC_1) + \dots + \lambda_{Den} \times (1 - DC_n)$$

$$PFH_{DssC} = \lambda_{DssC} \times 1h$$

Each undetected dangerous error/defect of any of the subsystems causes the loss of the safety function. When a defect is detected, the system reacts as specified by the Standard.


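d. Architecture D (1oo2D)

In this architecture a single working defect of any subsystem does not cause the loss of the safety function.

As:
T1: test interval or life time (the smallest of the two)
T2: diagnostic test interval
β: common failure susceptibility

$$\lambda_D = \lambda_{DD} + \lambda_{DU}$$

$$\lambda_{DD} = \lambda_D \times DC$$

$$\lambda_{DU} = \lambda_D \times (1 - DC)$$

and so, for different subsystems:

$$\lambda_{DssD} = (1 - \beta)^2 \times \left\{ \left[ \lambda_{De1} \times \lambda_{De2} \times (DC_1 + DC_2) \right] \times \frac{T_2}{2} + \left[ \lambda_{De1} \times \lambda_{De2} \times (2 - DC_1 - DC_2) \right] \times \frac{T_1}{2} \right\} + \beta \times \frac{\lambda_{De1} + \lambda_{De2}}{2}$$

$$PFH_{DssD} = \lambda_{DssD} \times 1h$$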


For equal subsystems:

$$\lambda_{DssD} = (1 - \beta)^2 \times \left\{ \left[ \lambda_{De}^2 \times 2 \times DC \right] \times \frac{T_2}{2} + \left[ \lambda_{De}^2 \times (1 - DC) \right] \times T_1 \right\} + \beta \times \lambda_{De}$$

$$PFH_{DssD} = \lambda_{DssD} \times 1h$$

5. Determination of the SIL

The beginning is the same, with the exception that instead of MTTF the inverse value is used, that is the failure rate λ:

$$\lambda = \frac{1}{MTTF\,(h)}$$

This parameter is defined as

$$\lambda(t) = \frac{\text{Failures per time unit}}{\text{Number of components}}$$

In the calculations relative to the different architectures defined in the Standard, the DC value is always used. A parameter similar to CCF is also used, called in this case β (common failure susceptibility). Other parameters, listed below, have to be considered:

• T1: test interval or life time (the smallest of the two). This time period normally coincides with the life duration, equal to 20 years;
• T2: diagnostic test interval

The Standard suggests, for each of the classic architectures to be used in command systems, a formula to calculate the total SIL.


The principles contained in this Standard allow quantitative and qualitative analyses of the safety functions to be set up, with a Top-Down method suitable for safety function analyses applied to more complex command and control systems, using a procedure called Functional Decomposition.

As anticipated in the previous section, where the typical architectures are described, some new parameters have to be considered to determine the SIL. These new parameters are different from those used to calculate the PL but are fundamentally linked to them.

The first is SFF (Safe Failure Fraction):

$$SFF = \frac{\sum \lambda_{SD} + \sum \lambda_{SU} + \sum \lambda_{DD}}{\sum \lambda_{SD} + \sum \lambda_{SU} + \sum \lambda_{DD} + \sum \lambda_{DU}} = \frac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_{Total}}$$

SFF is the sum of the safe failures and the detected dangerous failures divided by the sum of total failures. How are SFF and DC linked?

$$SFF = \frac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_{Total}} = \frac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_S + \sum \lambda_D} = \frac{\frac{\sum \lambda_S}{\sum \lambda_D} + \overbrace{\frac{\sum \lambda_{DD}}{\sum \lambda_D}}^{DC}}{\frac{\sum \lambda_S}{\sum \lambda_D} + 1}$$

The β parameter is the common failure susceptibility (similar to the CCF of ISO EN 13849-1), which is expressed in % (1% 2% 5% 10%) and can be calculated according to the questionnaire of Annex F (Table F.1). The result obtained is looked up in table F.2, from which β can be calculated.


According to the system architecture, λ_Total has to be calculated using the formulas given above, for which the other parameters are also necessary. From λ_Total, the PFH_D is calculated and the system SIL and PL are obtained, using the following table:

| Performance Level (PL) ISO EN 13849-1 | Average probability of dangerous failures per hour PFH [1/h] | SIL (EN IEC 62061) |
|---|---|---|
| a | $10^{-5} \le PFH < 10^{-4}$ | No special safety precaution |
| b | $3 \times 10^{-6} \le PFH < 10^{-5}$ | 1 |
| c | $1 \times 10^{-6} \le PFH < 3 \times 10^{-6}$ | 1 |
| d | $10^{-7} \le PFH < 10^{-6}$ | 2 |
| e | $10^{-8} \le PFH < 10^{-7}$ | 3 |


The following is an example where, for simplicity, the same PL calculation just shown is used:

[Block diagram: Subsystem 1 (Sensors), Subsystem 2 (Logic), Subsystem 3 (Actuators)]

$$PFH_{Total} = PFH_{Sub1} + PFH_{Sub2} + PFH_{Sub3}$$


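with

$$PFH_{Sub1} = \lambda_{Sub1} \times 1h$$

where

$$\lambda_{Sub1} = (1 - \beta)^2 \times \left\{ \left[ \lambda_{De1} \times \lambda_{De2} \times (DC_1 + DC_2) \right] \times \frac{T_2}{2} + \left[ \lambda_{De1} \times \lambda_{De2} \times (2 - DC_1 - DC_2) \right] \times \frac{T_1}{2} \right\} + \beta \times \frac{\lambda_{De1} + \lambda_{De2}}{2}$$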


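In this example:

| Parameter | Subsystem 1 (Sensors) | Subsystem 2 (Logic) | Subsystem 3 (Actuators) |
|---|---|---|---|
| MTTF (channel 1 / channel 2) | 22 / 22 | 60 / 60 | 32 / 32 |
| λ [1/h] (channel 1 / channel 2) | $5.2 \times 10^{-6}$ (1) / $5.2 \times 10^{-6}$ | $1.9 \times 10^{-6}$ / $1.9 \times 10^{-6}$ | $3.6 \times 10^{-6}$ / $3.6 \times 10^{-6}$ |
| β [% / 100] | 0.05 | 0.05 | 0.05 |
| T1 [years] | 20.00 | 20.00 | 20.00 |
| T2 [days] | 7 | 7 | 7 |
| DC [% / 100] (channel 1 / channel 2) | 0.99 (2) / 0.99 | 0.99 / 0.99 | 0.90 / 0.90 |
| Result | $\lambda_{Sub1} = 6.91 \times 10^{-7}$ | $\lambda_{Sub2} = 1.01 \times 10^{-7}$ | $\lambda_{Sub3} = 3.81 \times 10^{-7}$ |

$$\lambda_{Tot} = 1.17 \times 10^{-6} \rightarrow PFH_{Tot} = 1.17 \times 10^{-6}$$

SIL 1 – PL “c”

(1) $\lambda = \dfrac{1}{MTTF \times 24\,h \times 365\,\text{days}}$
(2) The DC is the same and so the formula is the simplified one relative to the equal subsystems.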
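The subsystem formulas of architectures A to D and the PL / SIL table, as an added Python example that is not part of the Datasensor guide: the function names are assumptions, and the inputs (β = 0.05, T1 = 20 years, T2 = 7 days, MTTF 60 and 32 with DC 0.99 and 0.90) are the guide's Subsystem 2 and Subsystem 3 figures.

```python
HOURS_PER_YEAR = 24 * 365  # the guide's footnote: lambda = 1 / (MTTF x 24 h x 365 days)


def failure_rate(mttf_years):
    """Dangerous failure rate per hour from an MTTF given in years."""
    if mttf_years <= 0:
        raise ValueError("MTTF must be positive")
    return 1.0 / (mttf_years * HOURS_PER_YEAR)


def _fraction(value, name):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a fraction between 0 and 1")
    return value


def lambda_1oo1(rates):
    """Architecture A: any dangerous failure loses the safety function."""
    return sum(rates)


def lambda_1oo1d(rates_and_dcs):
    """Architecture C: only the undetected share of each failure rate counts."""
    return sum(rate * (1.0 - _fraction(dc, "DC")) for rate, dc in rates_and_dcs)


def lambda_1oo2(l1, l2, beta, t1_h):
    """Architecture B: two channels, no diagnostics, test interval t1_h."""
    beta = _fraction(beta, "beta")
    return (1.0 - beta) ** 2 * l1 * l2 * t1_h + beta * (l1 + l2) / 2.0


def lambda_1oo2d(l1, l2, dc1, dc2, beta, t1_h, t2_h):
    """Architecture D, different subsystem elements."""
    beta = _fraction(beta, "beta")
    dc1, dc2 = _fraction(dc1, "DC1"), _fraction(dc2, "DC2")
    detected = l1 * l2 * (dc1 + dc2) * t2_h / 2.0           # found at T2
    undetected = l1 * l2 * (2.0 - dc1 - dc2) * t1_h / 2.0   # latent until T1
    return (1.0 - beta) ** 2 * (detected + undetected) + beta * (l1 + l2) / 2.0


def lambda_1oo2d_equal(lam, dc, beta, t1_h, t2_h):
    """Architecture D, equal subsystem elements (the simplified formula)."""
    beta, dc = _fraction(beta, "beta"), _fraction(dc, "DC")
    detected = lam ** 2 * 2.0 * dc * t2_h / 2.0
    undetected = lam ** 2 * (1.0 - dc) * t1_h
    return (1.0 - beta) ** 2 * (detected + undetected) + beta * lam


# (lower bound, upper bound, PL, SIL) rows of the guide's PL / SIL table
PFH_BANDS = [
    (1e-8, 1e-7, "e", "SIL 3"),
    (1e-7, 1e-6, "d", "SIL 2"),
    (1e-6, 3e-6, "c", "SIL 1"),
    (3e-6, 1e-5, "b", "SIL 1"),
    (1e-5, 1e-4, "a", "No special safety precaution"),
]


def pl_and_sil(pfh_per_hour):
    """PFH = lambda x 1 h, so a rate per hour can be passed in directly."""
    for low, high, pl, sil in PFH_BANDS:
        if low <= pfh_per_hour < high:
            return pl, sil
    raise ValueError("PFH outside the ranges of the table")


def guide_subsystem(mttf_years, dc, beta=0.05, t1_years=20, t2_days=7):
    """lambda of one double channel subsystem with the guide's beta, T1 and T2."""
    return lambda_1oo2d_equal(failure_rate(mttf_years), dc, beta,
                              t1_years * HOURS_PER_YEAR, t2_days * 24)


if __name__ == "__main__":
    for label, mttf, dc in (("Sub2 (logic)", 60, 0.99), ("Sub3 (actuators)", 32, 0.90)):
        print(f"{label:17} lambda = {guide_subsystem(mttf, dc):.2e} 1/h")
    lam = failure_rate(32)
    print(f"actuators, 1oo2   lambda = {lambda_1oo2(lam, lam, 0.05, 20 * HOURS_PER_YEAR):.2e} 1/h")
```

Run as a script, it also prints the actuator pair evaluated as architecture B, which shows how much of the result depends on the diagnostics: without them the same two contactors come out several times worse.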


The result is coherent with the PL “c” obtained proceeding according to EN ISO 13849-1.

6. Comparison between the SIL requested and the SIL obtained

The result obtained from the calculation might not be coherent with the structure chosen to develop the safety function, as the Standard establishes the maximum SIL that can be reached with the architecture adopted. This check establishes the type of components to use to develop the safety function. In fact, if the SIL obtained from the calculations is higher than the maximum value allowed, the system is overdimensioned for the safety function to develop. Consequently, components with lower performance have to be used (and thus lower index values according to EN IEC 62061), or a different architecture has to be used.

The Standard suggests Table 5, which establishes the maximum SIL that can be reached by analysing each subsystem, knowing the failure tolerance and the SFF (architecture constraints).

| SFF | Hardware Fault Tolerance (HFT) (NOTE 1): 0 | 1 | 2 |
|---|---|---|---|
| < 60 % | Not allowed (NOTE 3) | SIL 1 | SIL 2 |
| ≥ 60 % and < 90 % | SIL 1 | SIL 2 | SIL 3 |
| ≥ 90 % and < 99 % | SIL 2 | SIL 3 | SIL 3 (NOTE 2) |
| ≥ 99 % | SIL 3 | SIL 3 (NOTE 2) | SIL 3 (NOTE 2) |

NOTE 1. Fault Tolerance = N means that N+1 failures can cause a loss of the safety functions.
NOTE 2. A required SIL 4 is not covered by this Standard. For SIL 4 refer to IEC 61508-1.
NOTE 3. For exceptions refer to 6.7.7.


When a subsystem conforms to EN ISO 13849-1, the following table defines the maximum SIL that can be obtained and identifies the corresponding HFT and SFF. It is assumed that subsystems of the given category have the characteristics shown:

| Category | Hardware Fault Tolerance (HFT) | SFF | Maximum SIL allowed according to architectural constraints |
|---|---|---|---|
| 1 | 0 | < 60 % | Refer to NOTE 1 of the Standard |
| 2 | 0 | 60 % - 90 % | SIL 1 |
| 3 | 1 | < 60 % | SIL 1 |
| 3 | 1 | 60 % - 90 % | SIL 2 (NOTE 3 of the Standard) |
| 4 | > 1 | 60 % - 90 % | SIL 3 |
| 4 | 1 | > 90% | SIL 3 (NOTE 4 of the Standard) |

The following table defines the PFH threshold values and identifies the corresponding HFT and DC. It is assumed that subsystems of the given category have the characteristics shown:

| Category | Hardware Fault Tolerance (HFT) | SFF | PFH_D: threshold value requested (per hour) for the subsystem, PFH_D (MTTF subsystem, T_Test, DC) (refer to NOTE 1 of the Standard) |
|---|---|---|---|
| 1 | 0 | < 60 % | Supplied by manufacturer or equal to generic value (ANNEX D) |
| 2 | 0 | 60 % - 90 % | $\ge 10^{-6}$ |
| 3 | 1 | 60 % - 90 % | $\ge 2 \times 10^{-7}$ |
| 4 | > 1 | 60 % - 90 % | $\ge 3 \times 10^{-8}$ |
| 4 | 1 | > 90% | $\ge 3 \times 10^{-8}$ |


Glossary

ELECTRO-SENSITIVE PROTECTIVE EQUIPMENT (ESPE): a group of devices and/or components that function together for protective tripping or presence detection purposes and include as a minimum: a sensing device, monitoring/controlling devices and output signal switching devices.

DETECTION AREA: an area where a specific test piece is detected by the ESPE.

SAFETY LIGHT CURTAIN: an active optoelectronic protective device (AOPD) that includes an assembly integrated with one or more emitting units and one or more receiving units which form a detection area with a detection capacity specified by the supplier.

BLANKING: an optional function that allows an object bigger than the detection capacity of the ESPE to be positioned inside the detection area and the output signal switching device becomes inactive. Fixed blanking is when the blanking area inside the detection area does not change during machine functioning. Floating blanking is when the blanking area follows the object position inside the detection area during machine functioning.

DETECTION CAPABILITY (= RESOLUTION): a sensing function parameter limit, specified by the supplier, that will activate the electro-sensitive protective equipment (ESPE). In an active optoelectronic protective device (AOPD), the resolution is the minimum dimension of an opaque object able to obscure at least one of the beams that form the detection area.

EXTERNAL DEVICE MONITORING (EDM): a means by which the electro-sensitive protective equipment (ESPE) monitors the state of control devices which are external to the ESPE.

OUTPUT SIGNAL SWITCHING DEVICE (OSSD): a component of the electro-sensitive protective equipment (ESPE) connected to the machine control system which, when the sensing device is actuated during normal functioning, responds by becoming inactive.

FINAL SWITCHING DEVICE (FSD): a component of the machine safety control system that interrupts the circuit to the machine primary control equipment (MPCE) when the output signal switching device (OSSD) becomes inactive.

ACTIVE OPTOELECTRONIC PROTECTIVE DEVICE (AOPD): a device in which the detection function is generated by using optoelectronic emitter and receiver units that detect the interruption, by an opaque object present in the specified detection area, of the optical radiation generated inside the device. An active optoelectronic protective device (AOPD) can function in the through beam mode as well as in the polarised retroreflex mode.

SAFETY MONOBEAM DEVICE: an active optoelectronic protective device (AOPD) that includes an emitting and a receiving unit, and whose detection area is not specified by the supplier.

MACHINE PRIMARY CONTROL ELEMENT (MPCE): an electrically powered element that directly controls the normal functioning of a machine. It is the last element, in time, to function when the machine has to be active or blocked.

START INTERBLOCK (= START): a means that prevents the automatic start of the machine when the ESPE is powered on, or when the power supply is interrupted and re-supplied.

RESTART INTERBLOCK (= RESTART): a means that prevents the automatic restart of a machine after the activation of the sensing device during a hazardous phase of the machine functioning cycle, after a change in the machine functioning cycle and after a variation in the means of start control of the machine.

MUTING: a temporary automatic suspension of one or more of the safety functions generated by the safety-related parts of the control system.

OVERRIDE: a function that allows the re-activation of the muting function in order to free a block in the machine area where the muting sensors are positioned.

RESPONSE TIME: the maximum time between the occurrence of the event generating the sensor device activation and reaching the inactive state of the output signal switching device (OSSD).


Bibliography

IEC 61496-1: Safety of machinery - Electrosensitive protective equipment: general requirements and tests
IEC 61496-2: Safety of machinery - Electrosensitive protective equipment: particular requirements for equipment using active optoelectronic protective devices (AOPD)
EN 292-1/2: Safety of machinery - Basic concepts, general principles for design
EN 954-1: Safety of machinery - Safety-related parts of control systems: general principles for design
EN 999: Safety of machinery - The positioning of protective equipment in respect of approach speeds of parts of the human body
EN 1050: Safety of machinery - Principles for risk assessment
89/392/EC Directive and successive amendments 91/368/EC, 93/44/EC, 93/68/EC and 98/37/EC: Machinery Directive
89/655/EC Directive and successive amendment 95/63/EC: Social Directive
73/23/EC Directive and successive amendment 93/68/EC: Low Voltage Directive
89/336/EC Directive: Electromagnetic Compatibility Directive

DATASENSOR products

SAFETY DEVICES
The necessity to guarantee operator protection in industrial work environments, reinforced by health and safety regulations, plays a primary role. The DATASENSOR safety device range (control units, light beam devices and light curtains), in compliance with international standards, represents the ideal and most reliable solution, guaranteeing intrinsic safety.

PHOTOELECTRIC SENSORS
The DATASENSOR wide range of optoelectronic sensors includes universal and application optic functions including background and/or foreground suppression, contrast and colour sensors with white light emission and luminescence sensors with ultraviolet solid-state emission. The microcontroller, present in many of these sensors, guarantees improved precision and rapid automatic teach-in setting. All the main optic functions are also available with laser emission, in a wide range of formats from miniature to compact, from tubular to maxi, concluding with fibre-optic sensors.

MEASUREMENT & INSPECTION
To better support the needs that emerge from the continuous technological development of industrial automation, DATASENSOR proposes a large range of products dedicated to measurement and inspection. The range includes an innovative laser distance sensor with patent-covered time of flight technology, retroreflex line sensors, ultrasonic sensors, detection and measurement light grids and the intelligent compact vision sensor.

TEMPERATURE CONTROLLERS
Amongst the automation products, DATASENSOR also offers a complete range of temperature controllers. These products include analogue models, for the simplest applications, and microcontroller-based models which offer maximum precision and keypad configuration of all functions, such as the temperature sensor type, PID auto-adaptive regulation and LFA advanced diagnostic of the regulation loop.


DATASENSOR IBÉRICA SL
c/ Samontá, 21 • Planta Baja • Local 0
08970 Sant Joan Despí • Barcelona
tel. +34 (0)93 4772059
fax +34 (0)93 4777272
info@datasensor.es

DATASENSOR UK Ltd
Wedgwood Road 17
OX26 4UL Bicester • Oxfordshire
tel. +44 (0)1869 249800
fax +44 (0)1869 249855
info@datasensor.co.uk

DATASENSOR SpA
via Lavino, 265
40050 Monte San Pietro
Bologna • Italy
tel. +39 051 6765611
fax +39 051 6759324
info@datasensor.com

DATASENSOR GmbH
Tegernseer Str. 75
D-83624 Otterfing
tel. +49 (0)8024 902770
fax +49 (0)8024 9027799
info@datasensor.de

DATASENSOR FRANCE
Le Parc Technologique de Lyon
333 cours du 3ème Millénaire
69800 Saint Priest
tel. +33 (0)4 72476180
fax +33 (0)4 72470721
info@datasensor.fr

DATASENSOR ASIA Ltd
Suite 1809 • Suncome Liauw’s Plaza
738 Shang Cheng Rd • Pudong
200120 Shanghai
tel. +86 (0)21 58366693
fax +86 (0)21 58366695
htao@datasensor.com

DATASENSOR INDIA Ltd
370, 10th Cross • IV Phase
Peenya Industrial Area
560 058 Bangalore
tel. +91 (0)80 41512688
fax +91 (0)80 41512689
datasensor@airtelmail.in

Distributed by:

DATASENSOR GROUP
www.datasensoroptics.it - www.infrainternational.com - www.specialvideo.it

9C500005E - Rev. 05 - Printed in Italy in April 2008
