Just a few years ago it would have been unthinkable to use anything other than hard-wired electromechanical safety relays for the safety-related controls on machinery. But technology and machinery safety standards have now evolved to present machine builders with a much wider choice, as Jon Severn reports.

Machinery safety is an area that is seeing continual evolution, as new standards are published to cover particular types of machinery and in an attempt to keep up to speed with the rapidly changing technologies. In particular, electronic and programmable electronic systems are becoming more widely available, especially here in Europe where machinery safety is often seen to lead the world.
Programmable controllers suitable for safety-relevant control functions, often referred to as safety PLCs (programmable logic controllers), have been available for many years now, with manufacturers such as Pilz, Siemens and Rockwell Automation (Allen-Bradley) offering various alternatives. Indeed, Siemens announced a powerful new fail-safe CPU for its Simatic-S7300 controllers just a few months ago, enabling the company to offer what it says is the most comprehensive range of fail-safe controllers on the market. However, safety PLCs and programmable safety systems tend to be highly sophisticated and, therefore, costly to purchase and program. At the other end of the scale, implementing a low- or medium-complexity safety-related control system with hard-wired safety relays can become very involved, requiring significant engineering time, wiring time, and commissioning - after all, the more complicated the system, the more likely it will contain errors that have to be traced and corrected.
Following the launch of the world's first all-electronic safety device (effectively an electronic safety relay), Pilz has now launched several other models to cover a broad spectrum of applications from Category2 up to and including Category4 in accordance with EN954-1 (Safety of machinery - Safety related parts of control systems. General principles for design). A particularly useful feature is the ability to link two relays together to perform logic AND or OR functions.
Each device in the PNOZelog range combines the benefits of the classic electromechanical safety relay with those resulting from modern electronic design: compact dimensions (all are just 22.5mm wide), low power consumption, long service life, resistance to vibration and increased diagnostic capabilities (Fig. 1).
Dual diverse, redundant microprocessors provide improved fault monitoring on input and output circuits, which includes the detection of short-circuits and line and earth faults on input wiring, as well as the detection of line and earth faults on the two semiconductor fail-safe output circuits. LED indication on the front of the safety relays provides diagnostic information on the status of the inputs and outputs and details of the detected fault conditions. Alternatively, PLC drivers are available on a CD-Rom to enable the diagnostic data to be relayed to a PLC and, hence, to an operator display.
While the original PNOZe1p is suitable for monitoring emergency stop circuits, guard interlocks and light curtains with or without semiconductor outputs, the PNOZe1.1p can additionally be used in conjunction with other PNOZelog devices to perform logic functions. A further model, the PNOZe1vp, is similar to the e1.1p but with a user-settable timer for the safe shutdown of plant and machinery. Other products in the PNOZelog range include the PNOZe3.1p for use with the PilzPSEN sensors or other safety switches with normally-open and normally-closed contacts; the PNOZe3vp is similar but with the addition of a timer function as per the PNOZe1vp.
For machinery that utilises a two-handed start, the PNOZe2.1p is available for use in BSEN574 Type IIIC (high integrity) applications, and the PNOe2.2p is for BSEN574TypeIIIA (lower integrity) applications. If safety mats are used on applications up to Category 3, the new PNOZe4.1p and PNOZe4vp are available, approved for use with the MayserSM/BK type safety mats.
Another development in the Pilz range of electronic safety relays is the PNOZe5.11p and PNOZe5.13p dual-function relays. The first of these can be used to monitor both an emergency stop circuit and a safety gate, while the second is specially developed to monitor an emergency stop circuit and a gate protected by the Pilz PSEN non-contact gate switches.

Configurable controllers

As the complexity of a safety-related control system increases, the use of safety relays or their electronic equivalents becomes less attractive. To fill the gap between relays and programmable safety systems, Pilz has introduced the PNOZmulti (Fig. 2), a cost-effective software-configurable safety controller for all safety functions in applications up to EN954-1Category4 (see panel).
The PNOZmulti is claimed to be as simple to use as a traditional electromechanical relays, with drag-and-drop configuration software that needs no specialist programming skills. Furthermore, the modular nature of the controller means that the customer only has to purchase and install the required functionality, thereby saving both costs and cabinet space. Using the modules already available, customers can employ a PNOZmulti controller for safety related control systems with emergency stop switches, gate switches, limit switches, light curtains, safety mats and two-handed starts.
In operation, the PNOZmulti provides comprehensive diagnostics, either by using the multicoloured LEDs on the front of the unit or via a communications port that transmits diagnostic log files to the programming software; online diagnostics are planned for the next generation systems. Should the safety system ever need to be upgraded or modified, it is easily reconfigured in software - or the controller can be completely reused on a replacement machine. Being entirely electronic, with no moving or wearing parts, means that the PNOZmulti should prove exceptionally reliable and long-lived, even in areas where shock or vibration cause difficulties for traditional electromechanical relays.
For many applications, the PNOZm1p base unit alone is sufficient, having 20 freely configurable inputs, four test pulse outputs, one auxiliary output, four safe semiconductor outputs (or two for Category4 applications) and two safe relay outputs (or one for Category4 applications). However, for more complex safety-related control systems, customers can add up to eight of the available expansion modules. These are the PNOZmi1p eight-input module, the PNOZmo1p with two safe semiconductor outputs, the PNOZmo2p with one safe relay output (or this can be used to provide two auxiliary outputs), and the PNOZmc1p communications module that has 16 auxiliary semiconductor outputs. Each additional module is simply plugged into the adjacent module, with no need for wiring and, therefore, no risk of wiring errors being made.

Configuration is entirely in software, which can take place before any hardware has been purchased. Using the PNOZmulti Configurator software is very intuitive: first, the user defines the inputs and outputs, then the logic functions are specified and, finally, the links are made between the inputs, outputs and logic operators. Comprehensive help files and application examples are provided to assist with the process, and documentation is also largely automated.
Once the configuration is programmed and approved, it can be downloaded to the PNOZmulti hardware by using a Smartcard (the same technology as a mobile telephone SIM card). The Smartcard can be quickly and securely written to, then installed in the PNOZmulti base unit. Should modifications to the configuration ever be required, the Smartcard is easily reprogrammed. The facility for writing Smartcards is especially useful where series machines are being built. In this case, the configuration need only be carried out once in software, then multiple Smartcards produced.

Modular safety

A different approach has been adopted by Allen-Bradley Guardmaster (a division of Rockwell Automation), in the form of the MSR200 modular safety system. This has also been designed to fill the gap between safety relays and programmable systems, but it seeks to achieve its aims through modular, expandable hardware, with auto-configuration and no programming (Fig. 3).
MSR200 modules can be assembled to create Category4 safety-related control systems with up to 22 emergency stop switches. As well as emergency stops, the system can also monitor limit switches, safety mats, photo-electric switches, light guards, gate switches and standstill sensing devices.
Starting with a base unit that measures 45mm wide, users simply plug together additional expansion modules with no need for any wiring. To assist commissioning and troubleshooting, a separate diagnostic module enables data transfer to a PC via a standard RS232/RS485 serial interface, with a further option of Devicenet or Profibus modules for factory-wide communications using those industrial fieldbus standards. Another alternative is to use the MSR200's own diagnostic module that displays the status of all connected modules, as well as undertaking automatic mode diagnosis and recording the most recent emergency stop event until it is manually reset.
For machine builders who have decided to implement safety-related control systems that utilise the AS-interface 'Safety at Work' safety fieldbus (Asisafe), Siemens has announced that Version2.0 of its safety monitor is now available, with upgraded Asimon configuration and diagnostic software.
Several new functions have been incorporated within the new monitor, such as a set of And, Or and Flip-Flop logic operators that simplify the implementation of complex applications. Timing functions have also been included for the first time so that, for example, users can implement an On delay, Off delay or a pulse. In addition, the main memory has been boosted from 32 to 48 monitoring modules.
Machinery safety has evolved almost beyond recognition in the last five to ten years. There are still some engineers who are dubious about using anything other than hard-wired electromechanical safety relays, but the advantages offered by electronic and programmable alternatives - such as greater flexibility, easier modification and faster troubleshooting - make it difficult to argue against them.