
ANSI Technical Report B11.TR6 – 2010

B11.TR6-2010

ANSI Technical Report for Machines –

Safety Control Systems for Machine Tools

Registered: 5 DECEMBER 2010


by the American National Standards Institute, Inc.

Secretariat and Accredited Standards Developer, prepared by:


B11 Standards, Inc.
42293 Young Lane
Leesburg, VA 21076

COPYRIGHT PROTECTED DOCUMENT


Copyright © 2010 by B11 Standards, Inc.
All rights reserved. Printed in the United States of America
No part of this publication may be reproduced in any form, in an electronic retrieval
system or otherwise, without the prior written permission of B11 Standards, Inc.

1

Copyright B11 Standards Inc. (Formerly AMT)
Provided by IHS under license with AMT. Licensee=SLAC National Accelerator Laboratory/5903178001
No reproduction or networking permitted without license from IHS. Not for Resale, 01/14/2013 12:21:34 MST
ANSI Technical Report B11.TR6 – 2010

AMERICAN NATIONAL STANDARDS / TECHNICAL REPORTS


By registering this ANSI Technical Report, the ANSI Board of Standards Review confirms that the requirements for
due process, consensus, balance and openness have been met by AMT – The Association For Manufacturing
Technology (the ANSI-accredited standards developing organization).
American National Standards and Technical Reports are developed through a consensus process. Consensus is
established when substantial agreement has been reached by directly and materially affected interests. Substantial
agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all
views and objections be considered, and that a concerted effort be made toward resolution. This process brings
together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this
publication. While AMT administers the process and establishes procedures to promote fairness in the development
of consensus, it does not write the document and it does not independently test, evaluate or verify the accuracy or
completeness of any information or the soundness of any judgments contained in its standards or guidelines.
American National Standards and Technical Reports are promulgated through ANSI for voluntary use; their
existence does not in any respect preclude anyone, whether they have approved the standards/technical reports or
not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to
these documents. However, users, distributors, regulatory bodies, certification agencies and others concerned may
apply American National Standards or Technical Reports as mandatory requirements in commerce and industry.
The American National Standards Institute does not develop standards or technical reports and will in no
circumstances give an interpretation of an American National Standard. Moreover, no person shall have the right or
authority to issue an interpretation of an American National Standard in the name of the American National
Standards Institute. Requests for interpretations should be addressed to the Secretariat (AMT).
AMT MAKES NO WARRANTY, EITHER EXPRESSED OR IMPLIED AS TO THE FITNESS OF MERCHANTABILITY
OR ACCURACY OF THE INFORMATION CONTAINED WITHIN THIS TECHNICAL REPORT, AND DISCLAIMS
AND MAKES NO WARRANTY THAT THE INFORMATION IN THIS DOCUMENT WILL FULFILL ANY OF YOUR
PARTICULAR PURPOSES OR NEEDS. AMT disclaims liability for any personal injury, property or other damages
of any nature whatsoever, whether special, indirect, consequential or compensatory, directly or indirectly resulting
from the publication, use of, application or reliance on this document. AMT does not undertake to guarantee the
performance of any individual manufacturer or seller's products or services by virtue of this technical report, nor does
it take any position with respect to the validity of any patent rights asserted in connection with the items which are
mentioned in or are the subject of this document, and AMT disclaims liability for the infringement of any patent
resulting from the use of or reliance on this document. Users of this document are expressly advised that
determination of the validity of any such patent rights, and the risk of infringement of such rights, is entirely their own
responsibility.
In publishing or making this document available, AMT is not undertaking to render professional or other services for
or on behalf of any person or entity, nor is AMT undertaking to perform any duty owed by any person or entity to
someone else. Anyone using this document should rely on his or her own independent judgment, or as appropriate,
seek the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances.
AMT has no power, nor does it undertake to police or enforce conformance to the requirements of this document.
AMT does not certify, test or inspect products, designs, or installations for safety or health purposes. Any
certification or other statement of conformance to any health or safety-related information in this document shall not
be attributable to AMT and is solely the responsibility of the certifier or maker of the statement.
NOTICE: This ANSI Technical Report may be revised or withdrawn at any time. The procedures of the American
National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this technical
report. You may contact the Secretariat for current status information on this, or other B11 documents. Individuals
interested in obtaining up-to-date information on standards can access this information at http:\\www.nssn.org (or
by contacting ANSI). NSSN, A National Resource for Global Standards, provides a central point to search for
standards information from worldwide sources and can connect those who seek standards to those who supply
them.

Published by: B11 Standards, Inc.


42293 Young Lane, Leesburg, VA 20176, USA
[email protected]
Copyright © 2010 by B11 Standards, Inc. All rights reserved. Printed in the United States of America
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior
written permission of the publisher.


TABLE OF CONTENTS PAGE

Introduction and Overview of the ANSI B11 Series ...................................................... 13

1 Scope ................................................................................................................................. 15

2 References ......................................................................................................................... 15

3 Definitions .......................................................................................................................... 16

4 General Design Considerations for Mechanical, Fluid Power and Electrical Technologies ........................ 21

4.1 ANSI B11.TR6 Circuit Analysis Tables ...................................................................... 21

4.2 Practical Use of TR6 .................................................................................................... 22


4.2.1 General ....................................................................................................................................22
4.2.2 Applying TR6 to a Sample Application ....................................................................................22

4.3 Reset Function of the Safety Circuit .......................................................................... 24

4.4 Start Function .............................................................................................................. 24

4.5 Testing & Verification of the Safety Function ........................................................... 24


4.5.1 Category 2 Periodic Test .........................................................................................................24

4.6 Fault Consideration..................................................................................................... 24


4.6.1 Fault Analysis ..........................................................................................................................25
4.6.2 Fault Exclusion ........................................................................................................................25

4.7 Response Time ............................................................................................................ 25

4.8 Mechanical Considerations (general) ........................................................................ 25

4.9 Fluid Power (Pneumatics & Hydraulics) .................................................................... 25


4.9.1 General Considerations ...........................................................................................................25
4.9.2 Basic Methodology for Safety Interfacing ................................................................................25

4.9.3 Pressure Vessels and Accumulators ......................................................................................26


4.9.4 Stored Energy (Trapped Pressure) .........................................................................................26
4.9.5 Reapplication of Pressure .......................................................................................................26
4.9.6 Hoses and Fittings ...................................................................................................................27
4.9.7 Fluid Power Valve Crossover Considerations .........................................................................28
4.9.8 Single Channel Fluid Power Device ........................................................................................28

4.9.9 Single Channel Fluid Power Device with Monitoring...............................................................28


4.9.10 Dual channel fluid power .........................................................................................................29
4.9.11 Dual Channel fluid power with Monitoring ...............................................................................29
4.9.12 Dual Channel Cross Monitoring Valve ....................................................................................29
4.9.13 Response Time Considerations ..............................................................................................29
4.9.14 Fault Reset Function ...............................................................................................................29
4.9.15 Position Fault ...........................................................................................................................29
4.9.16 Diminished Performance Fault ................................................................................................29
4.9.17 Failure Modes to be Considered .............................................................................................29
4.9.18 Non-Safety Devices .................................................................................................................30

4.10 Pneumatics .................................................................................................................. 30


4.10.1 Basic Pneumatic System Considerations ...............................................................................30
4.10.2 Safety Shut-Off and Exhaust Valve .........................................................................................30
4.10.3 Filtration ...................................................................................................................................31
4.10.4 Regulator .................................................................................................................................31
4.10.5 Lubrication ...............................................................................................................................31
4.10.6 Air Valve Mufflers ....................................................................................................................32
4.10.7 Environmental Influences ........................................................................................................32

4.11 Hydraulics .................................................................................................................... 32


4.11.1 Basic Hydraulic System Considerations .................................................................................32
4.11.2 General ....................................................................................................................................32
4.11.3 Accumulators ...........................................................................................................................33
4.11.4 Fluid Management ...................................................................................................................33
4.11.5 Filtration ...................................................................................................................................34
4.11.6 Relief/Pressure Reducing Valve ..............................................................................................36

4.12 Electrical Interfacing Considerations (General) ........................................................ 36


4.12.1 Basic Methodology of Safety Interfacing .................................................................................36
4.12.2 Protective Stop Circuits ...........................................................................................................36
4.12.2.1 Single-Channel Control ....................................................................................................................................... 36
4.12.2.2 Dual-Channel Control ......................................................................................................................................... 37
4.12.3 Safety Interface Module (SIM).................................................................................................37
4.12.4 Interfacing the Protective (Safety) Stop ..................................................................................38
4.12.4.1 Positive Logic ..................................................................................................................................................... 38
4.12.4.2 PES/PLC Interfacing ........................................................................................................................................... 38
4.12.5 Electro-Mechanical Contact Considerations ...........................................................................39
4.12.6 Failure Modes ..........................................................................................................................39
4.12.7 Power Supplies........................................................................................................................39

4.12.8 Environmental Influences ........................................................................................................39

4.13 Safety-Related Performance ....................................................................................... 40

5 Input Devices (safeguarding devices and complementary equipment) ......................... 42


5.1 Emergency Stop Devices............................................................................................ 42


5.1.1 Lowest Risk Reduction (Category 1) .......................................................................................43
5.1.1.1 Single Channel E-Stop Using a Control Relay (Category 1) ................................................................................ 43
5.1.2 Low / Intermediate Risk Reduction (Category 2) ....................................................................44
5.1.2.1 Dual Channel E-Stop Using Redundant Control Relays (Category 2) ................................................................. 44
5.1.3 Intermediate / High Risk Reduction (Category 3) ....................................................................45
5.1.3.1 Dual Channel E-Stop Using FGR Relays and Cross Monitoring (Category 3) ..................................................... 45
5.1.3.2 Multiple Dual Channel E-Stop with a Safety Relay Interface Module (Category3) ............................................... 46
5.1.4 Highest risk reduction (Category 4) .........................................................................................47
5.1.4.1 Single Button Dual Channel E-Stop with a SIM (Category 4) .............................................................................. 47
5.1.4.2 Single Button Dual Channel E-Stop* w/ Self Monitoring and a SIM (Category 4)................................................. 48

5.2 Contact Interlocking.................................................................................................... 49


5.2.1 Description of Positive-Opening Interlock Switches ................................................................49
5.2.2 Type 1 and Type 2 Considerations .........................................................................................50
5.2.2.1 Failure Modes ..................................................................................................................................................... 50
5.2.2.1.1 Type 1 ........................................................................................................................................................... 50
5.2.2.1.2 Type 2 ........................................................................................................................................................... 50
5.2.2.2 Categories .......................................................................................................................................................... 50
5.2.3 General Considerations ...........................................................................................................50
5.2.3.1 Physical installation ............................................................................................................................................ 50
5.2.3.2 Electrical interface .............................................................................................................................................. 50
5.2.3.2.1 PES/PLC Control System Monitoring ............................................................................................................. 51
5.2.3.2.2 Monitoring Series Connected Positive-Opening Interlocking Switches ........................................................... 51
5.2.4 Basic Circuit (Category B) .......................................................................................................52
5.2.4.1 Basic Interlocked Guard Monitoring Circuit (Category B) .................................................................................... 52
5.2.5 Lowest Risk Reduction (Category 1) .......................................................................................53
5.2.5.1 Interlocked Guard Monitoring Circuit – Single Channel (Category 1) ................................................................... 53
5.2.6 Low / Intermediate Risk Reduction (Category 2) ....................................................................54
5.2.6.1 Series Connection of Interlocks to a SIM (Category 2) ........................................................................................ 54
5.2.6.2 Interlocked Guard Monitoring – Single Channel w/ a SIM and PES (Category 2) ................................................ 55
5.2.7 Intermediate / High Risk Reduction (Category 3) ....................................................................56
5.2.7.1 Single Interlock to a SIM (Category 3) ................................................................................................................ 56
5.2.7.2 Series Connection of Interlocks to a SIM (Category 3) ........................................................................................ 57
5.2.8 Highest Risk Reduction (Category 4) ......................................................................................58
5.2.8.1 Interlocked Guard Monitoring – Dual Channel w/ Relay/Contactor and Reset Button (Category 4) ..................... 58
5.2.8.2 Interlocked Guard Monitoring – Dual Channel w/ a SIM (Category 4) ................................................................. 59

5.3 Guard Interlocking with Non-Contact Switches (without a Locking Function) ....... 60
5.3.1 Description of Non-Contact Interlock Switches .......................................................................60
5.3.2 General Considerations ...........................................................................................................60
5.3.3 Inductive Switches ...................................................................................................................60
5.3.4 Optical Switches ......................................................................................................................60
5.3.5 Magnetic Switches ..................................................................................................................60
5.3.6 Transponder Switches .............................................................................................................61
5.3.7 Basic Risk Reduction (Category B) .........................................................................................61
5.3.7.1 Non-Contact Interlocked Guard Monitoring using Standard Retro-Reflective Photo Sensor (Category B) ........... 61
5.3.7.2 Non-Contact Interlocked Guard Monitoring using Standard Magnetic Sensor (Category B) ................................ 62
5.3.8 Intermediate / High Risk Reduction (Category 3) ....................................................................63


5.3.8.1 Non-Contact Interlocked Guard Monitoring Circuit (Category 3) .......................................................................... 63


5.3.8.2 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 3) ............................................................... 64
5.3.9 Highest Risk Reduction (Category 4) ......................................................................................65
5.3.9.1 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4) ............................................................... 65
5.3.9.2 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4) ............................................................... 66
5.3.9.3 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4) ............................................................... 67
5.3.9.4 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4) ............................................................... 68

5.4 Guardlocking Interlocks ............................................................................................. 69


5.4.1 General Considerations ...........................................................................................................69
5.4.2 Low / Intermediate Risk Reduction (Category 2) ....................................................................69
5.4.2.1 Power to Release, Inline Guardlocking Interlock (Category 2) ............................................................................. 69
5.4.3 Intermediate / High Risk Reduction (Category 3) ....................................................................70
5.4.3.1 Power to Release, Dual Axis Guardlocking Interlock (Category 3) ...................................................................... 70
5.4.4 Highest Risk Reduction (Category 4) ......................................................................................71
5.4.4.1 Power to Release, Inline Guardlocking Interlock (Category 4) ............................................................................. 71
5.4.4.2 Power to Release, Dual Axis Interlock Connected to a SIM (Category 4) ............................................................ 72
5.4.4.3 Power to Release, Dual Axis Interlock Connected to a SIM (Category 4) ............................................................ 73

5.4.4.4 Power to Release, Dual Axis Interlock Connected to a SIM (Category 4) ............................................................ 74

5.5 Optical Presence Sensing Devices ............................................................................ 75


5.5.1 General Considerations ...........................................................................................................75
5.5.1.1 Light Curtains ..................................................................................................................................................... 75
5.5.1.2 Single/Multiple Beam Devices (Point or Grid Devices) ........................................................................................ 76
5.5.1.3 Scanners ............................................................................................................................................................ 76
5.5.2 Lowest Risk Reduction (Category 1) .......................................................................................77
5.5.2.1 IEC 61496 Type 2 Presence Sensing Device with Control Relay (Category 1) .................................................... 77
5.5.3 Low / Intermediate Risk Reduction (Category 2) ....................................................................78
5.5.3.1 IEC 61496 Type 2 Presence Sensing Device with Force-guided Relay (Category 2) .......................................... 78
5.5.3.2 IEC 61496 Type 2 Presence Sensing Device with Force-guided Relay (Category 2) .......................................... 79
5.5.4 Intermediate / High Risk Reduction (Category 3) ....................................................................80
5.5.4.1 IEC 61496 Type 3 Presence Sensing Device with Safety Interface Module (Category 3) .................................... 80
5.5.5 Highest Risk Reduction (Category 4) ......................................................................................81
5.5.5.1 IEC 61496 Type 4 Presence Sensing Device with OSSD (Category 4) ............................................................... 81
5.5.5.2 IEC 61496 Type 4 Presence Sensing Device with Safety Interface Module (Category 4) .................................... 82

5.6 Mats / Edges ................................................................................................................ 83


5.6.1 General considerations ...........................................................................................................83
5.6.2 Low / Intermediate Risk Reduction (Category 2) ....................................................................83
5.6.2.1 Single Safety Mat Using a Safety Interface Module (Category 2) ........................................................................ 83
5.6.3 Intermediate / High Risk Reduction (Category 3) ....................................................................84
5.6.3.1 Multiple Safety Mats Using a Safety Interface Module (Category 3) .................................................................... 84

5.7 Two-Hand Control ....................................................................................................... 85


5.7.1 General Considerations ...........................................................................................................85
5.7.1.1 Minimum Functional Requirements for a Two-Hand Control as Required by NFPA 79 and IEC 60204-1 (Type III) ....... 85
5.7.1.2 Physical Installation and Electrical Interface Considerations: .............................................................................. 85
5.7.1.3 Two-Hand Control Safety Interface Modules ....................................................................................................... 86
5.7.2 Lowest Risk Reduction Two Hand Control (Type IIIa Category 1) .........................................86
5.7.2.1 Two Hand Control (Type IIIa Category 1) ............................................................................................................ 86
5.7.2.2 Low / Intermediate Risk Reduction Two-Hand Control (Type IIIa Category 1) ..................................................... 87
5.7.3 Intermediate / High Risk Reduction Two-Hand Control (Type IIIb Category 3) ......................88

5.7.3.1 Two Hand Control (Type IIIb Category 3) ............................................................................................................ 88


5.7.4 Intermediate / High Risk Reduction Two-Hand Control (Type IIIb Category 3) ......................89
5.7.4.1 Two-Hand Control (Type IIIb Category 3) ........................................................................................................... 89
5.7.5 Highest Risk Reduction Two-Hand Control (Type IIIc Category 4) .........................................90

5.8 Zero (Stand Still) Speed Detection ............................................................................. 91


5.8.1 General Considerations ...........................................................................................................91
5.8.2 Lowest Risk Reduction (Category 1) .......................................................................................92
5.8.2.1 Single Proximity Sensing (Category 1) ................................................................................................................ 92
5.8.3 Intermediate / High Risk Reduction (Category 3) ....................................................................93
5.8.3.1 Dual Proximity Sensors to Timers and Force-guided Relay Monitoring (Category 3) ........................................... 93
5.8.3.2 Dual Proximity Sensors to Timers and Force-guided Relay Monitored by a SIM (Category 3) ............................. 94
5.8.3.3 Dual Proximity Sensors to Dual Frequency Counters Monitored by a SIM (Category 3) ...................................... 95
5.8.3.4 Dual Proximity Sensors Plus Zero Speed or Stand Still SIM (Category 3 or 4) .................................................... 96
5.8.3.5 Encoder Speed Monitoring (Category 3) ............................................................................................................. 97
5.8.3.6 Motor Drive Back EMF Detection (Category 3 or 4) ............................................................................................ 98

5.9 Enabling Devices......................................................................................................... 99


5.9.1 General Considerations ...........................................................................................................99
5.9.2 Intermediate / High Risk Reduction (Category 3) ..................................................................101
5.9.3 Intermediate / High Risk Reduction (Category 3) ..................................................................102
5.9.3.1 Enabling device with overspeed (Category 3) ................................................................................................... 102
5.9.3.2 Enabling device with manual/auto switch (Category 3)...................................................................................... 103
5.9.3.3 Enabling device with manual mute enable (Category 3) .................................................................................... 104
5.9.4 Intermediate / High Risk Reduction (Category 4) ..................................................................105

6 Power Control Devices Interface (MPCE) ...................................................................... 106


6.1 General Considerations ............................................................................................ 106

6.2 Relays and Contactors.............................................................................................. 107


6.2.1 Lowest Risk Reduction (Category 1) .....................................................................................107
6.2.2 Low / Intermediate Risk Reduction (Category 2) ..................................................................108
6.2.3 Intermediate / High Risk Reduction (Category 3) ..................................................................109
6.2.4 Highest Risk Reduction (Category 4) ....................................................................................110

6.3 Variable Frequency Drives (VFD) ............................................................................. 111


6.3.1 Power Drive Systems - General Considerations ...................................................................111
6.3.2 Lowest Risk Reduction (Category 1) .....................................................................................114
6.3.2.1 Single Channel Interlock Stop Category 0 of an AC Motor using Standard Rated AC Drive .............................. 114
6.3.2.2 Single Channel Interlock Stop Category 1 of an AC Motor using Standard Rated AC Drive .............................. 115
6.3.3 Intermediate / High Risk Reduction (Category 3) ..................................................................116
6.3.3.1 Stop Category 0 of an AC Motor using Safety Rated AC Drive (Category 3) ..................................................... 116
6.3.3.2 Stop Category 1 (Controlled) Stop of an AC Motor using Safety Rated AC Drive .............................................. 117
6.3.4 Highest Risk Reduction (Category 4) ....................................................................................118
6.3.4.1 Dual Channel Interlock Stop Category 0 (Coast to Stop) of an AC Motor using Standard Rated AC Drive with Checking (Category 4) ... 118

6.4 Pneumatic Systems .................................................................................................. 119


6.4.1 General Considerations .........................................................................................................119

6.4.1.1 Pneumatic Component Selection Process ........................................................................................................ 120


6.4.1.2 Air Preparation (Contamination Control) ........................................................................................................... 122
6.4.1.3 Non-Lubricated (Preferred) ............................................................................................................................... 122
6.4.1.4 Lubricated (Not Recommended) ....................................................................................................................... 122
6.4.1.5 Example Supply Circuit ..................................................................................................................................... 123
6.4.2 Exhaust (Blocking, Dump) Valve ...........................................................................................124
6.4.2.1 Basic Risk Reduction (Category B) ................................................................................................................... 124
6.4.2.1.1 Spring Centered Three Position Open Center (Category B) ......................................................................... 124
6.4.2.1.2 Lowest Risk Reduction (Category 1) ............................................................................................................ 125

6.4.2.2 Low / Intermediate Risk Reduction (Category 2) ............................................................................................... 126
6.4.2.2.1 Single Monitored Directional Valve (Category 2) .......................................................................................... 126
6.4.2.2.2 Spring Centered Three Position Open Center w/ Actuator Monitoring (Category 2) ..................................... 127
6.4.2.3 Intermediate / High Risk Reduction (Category 3) .............................................................................................. 128
6.4.2.3.1 Series Dump Safety Valve with Spring Centered Three Position Open Center (Category 3) ........................ 128
6.4.2.3.2 Series Monitoring Circuit (Category 3) ......................................................................................................... 129
6.4.2.4 Highest Risk Reduction Monitoring Circuit (Category 4) .................................................................................... 130
6.4.2.4.1 Dual Shift Time Monitored Valves (Category 4) ........................................................................................... 130
6.4.2.4.2 Safety Rated Valve – Manual Valve Reset (Category 4) .............................................................................. 131
6.4.2.4.3 Safety Rated Valve – Automatic Valve Reset (Category 4) .......................................................................... 132
6.4.3 Directional (Motion) Valve Selection .....................................................................................133
6.4.3.1 Category B and 1 .............................................................................................................................................. 133
6.4.3.1.1 Single Solenoid – Two Position – Spring Offset (Category B and 1) ............................................................ 133
6.4.3.1.2 Double Solenoid – Two Position – Detented (Category B and 1) ................................................................. 134
6.4.3.1.3 3 Position – Spring Centered – Open Centered (Category B and 1) ............................................................ 135
6.4.3.1.4 3 Position – Spring Centered – Close or Blocked Center (Category B and 1) .............................................. 136
6.4.3.2 Low / Intermediate Risk Reduction (Category 2) ............................................................................................... 137
6.4.3.2.1 2 Position Spring Offset – Monitored Spool Position (Category 2)................................................................ 137
6.4.3.3 Intermediate / High Risk Reduction (Category 3 and 4)..................................................................................... 138
6.4.3.3.1 Dual – 2 Position Spring Offset – Monitored Spool Position(s) (Category 3 and 4) ....................................... 138
6.4.4 Pilot Operated Check Valves ................................................................................................139
6.4.4.1 Basic / Lowest Risk Reduction (Category B and 1) ........................................................................................... 139
6.4.4.1.1 Pilot Operated Check Valve (Category B and 1) .......................................................................................... 139
6.4.4.2 Low / Intermediate Risk Reduction (Category 2) ............................................................................................... 140
6.4.4.2.1 Pilot Operated Check Valve (Category 2) .................................................................................................... 140
6.4.4.3 Intermediate / High Risk Reduction (Category 3) .............................................................................................. 141
6.4.4.3.1 Pilot Operated Check (Category 3) .............................................................................................................. 141
6.4.4.3.2 Pilot Operated Check with Spring Centered Three Position Open Center (Category 3) ................................ 142
6.4.4.4 Highest Risk Reduction (Category 4) ................................................................................................................ 143
6.4.4.4.1 Pilot Operated Check (Category 4) .............................................................................................................. 143
6.4.5 Rod Locks and Brakes ..........................................................................................................144
6.4.6 Flow Controls.........................................................................................................................145
6.4.6.1 Meter-IN – Controls the Fluid Flow Going into the Cylinder. .............................................................................. 146
6.4.6.2 Meter-OUT – Controls the Fluid Flow Coming Out of the Cylinder. ................................................................... 147
6.4.6.3 Meter-IN Flow Control Example ........................................................................................................................ 148
6.4.6.4 Meter-OUT Flow Control Example .................................................................................................................... 149
6.4.7 Pneumatic Air Logic Control Circuits .....................................................................................150
6.4.7.1 E-Stop .............................................................................................................................................................. 150
6.4.7.1.1 Lowest Risk Reduction (Category 1) ............................................................................................................ 150
6.4.7.2 Two hand control .............................................................................................................................................. 151
6.4.7.2.1 Lowest Risk Reduction (Category 1) ............................................................................................................ 151
6.4.7.2.2 Highest Risk Reduction (Category 4) ........................................................................................................... 152
6.4.7.3 Velocity Fuse .................................................................................................................................................... 153
6.5 Hydraulic Systems .................................................................................................... 154
6.5.1 General considerations .........................................................................................................154
6.5.1.1 Hydraulic Component Selection Process .......................................................................................................... 155
6.5.1.2 Fluid Preparation (Contamination Control) ........................................................................................................ 157

6.5.2 Dump (Blocking) Valve ..........................................................................................................157


6.5.2.1 Basic Risk Reduction (Category B) ................................................................................................................... 157
6.5.2.1.1 Spring Centered Three Position Exhaust Center (Category B) ..................................................................... 157
6.5.2.1.2 Spring Centered Three Position Exhaust Center w/ Actuator monitoring (Category 1) ................................. 158
6.5.2.2 Low / Intermediate Risk Reduction (Category 2) ............................................................................................... 159
6.5.2.2.1 Monitored Two Way Valve (Category 2) ...................................................................................................... 159
6.5.2.2.2 Spring Centered Three Position Exhaust Center w/ Control Circuit Functional Monitoring (Category 2) ....... 160
6.5.2.3 Intermediate / High Risk Reduction (Category 3) .............................................................................................. 161
6.5.2.3.1 Series Monitored Blocking Valve with Circuit Spring Centered Three Position Exhaust Center (Category 3) 161
6.5.2.4 Highest Risk Reduction (Category 4) ................................................................................................................ 162
6.5.2.4.1 Series Monitoring Circuit (Category 4) ......................................................................................................... 162
6.5.3 Directional (Motion) Valve Selection .....................................................................................163
6.5.3.1 Basic / Lowest Risk Reduction (Category B and 1) ........................................................................................... 163
6.5.3.1.1 2 Position - Spring Offset (Category B and 1) .............................................................................................. 163
6.5.3.1.2 2 Position – Detented (Category B and 1) .................................................................................................... 164
6.5.3.1.3 3 Position – Spring Centered – Open (Float) Centered (Category B and 1) ................................................. 165
6.5.3.1.4 3 Position – Spring Centered – Closed or Blocked Center (Category B and 1) ............................................ 166
6.5.3.2 Low / Intermediate Risk Reduction (Category 2) ............................................................................................... 167
6.5.3.2.1 2 Position Spring Offset – Monitored Spool Position (Category 2)................................................................ 167
6.5.4 Pilot Operated Check Valves ................................................................................................168
6.5.4.1 Basic / Lowest Risk Reduction (Category B and 1) ........................................................................................... 168
6.5.4.1.1 Pilot Operated Check – Example 1 of 2 (Category B and 1)......................................................................... 168
6.5.4.2 Pilot Operated Check – Basic / Lowest Risk Reduction; Example 2 of 2 (Category B and 1)............................. 169
6.5.4.3 Low / Intermediate Risk Reduction (Category 2) ............................................................................................... 170
6.5.4.3.1 Pilot Operated Check – Low / Intermediate Risk Reduction (Category 2) ..................................................... 170
6.5.4.4 Pilot Operated Check – Intermediate / High Risk Reduction (Category 3) ......................................................... 171
6.5.4.4.1 Intermediate / High Risk Reduction (Category 3) ......................................................................................... 171
6.5.4.4.2 Monitored Pilot Operated Check with Spring Centered Three Position Exhaust Center (Category 3) ........... 172
6.5.4.5 Highest Risk Reduction (Category 4) ................................................................................................................ 173
6.5.4.5.1 Pilot Operated Check (Category 4) .............................................................................................................. 173
6.5.5 Counter Balance Valve ..........................................................................................................174
6.5.6 Rod Locks and Brakes ..........................................................................................................175
6.5.7 Flow Controls.........................................................................................................................176
6.5.8 Velocity Fuse .........................................................................................................................177

ANNEX A – Analysis of circuit considerations ........................................................... 178

ANNEX L – Safety-Related Performance Levels ......................................................... 183

ANNEX M – External Device Monitoring by the Safety-Related Function ................. 188

ANNEX S – Symbols ..................................................................................................... 190



ANNEX V – Valves ......................................................................................................... 195

Foreword
Recognizing the need for a guidance document on the subject matter, the ANSI B11
Accredited Standards Committee for Machine Safety formed a subcommittee consisting of
professionals that are involved in manufacturing, safety, design, integration and controls to
develop a technical report giving guidance in understanding and implementing safety
control functions when applied to machines covered by the ANSI B11 series of machine
safety standards.

The intent is to illustrate safety control circuit design concepts to help mitigate the risks
identified by a risk assessment. The following example circuits, explanations, and
minimum fault exclusions are for educational purposes and do not contain complete
information on electrical, fluid power, and mechanical design requirements. Substitutions,
additions, or changes to the circuits, components, safety modules, or safeguarding devices
should be thoroughly researched and examined as to the extent of the impact on the
integrity, reliability, and the level of performance of the safety functions. The designer
should refer to relevant standards, regulations, and codes to address all installation and
safety requirements.

The B11.TR6 Subcommittee began with current industrial circuit applications and provided
examples of common solutions in use at the time of creating this document; these are not
intended to limit innovation or the advancement of technology.

Industry users expressed the desire that example circuits be depicted in a NEMA format.
To provide clarity and enhance understanding, the committee created symbols for safety
components that previously did not exist. These new symbols distinguish safety rated
components from their non-safety rated counterparts, such as emergency stops and
force-guided relays. This document also identifies the relationship between ANSI B11.TR3
risk level (now included within ANSI B11.0) and that of the Categories of ISO 13849.

The Circuit Analysis Table for each circuit diagram provides important guidance
information on the performance of safety-related functions, identification and analysis of
failures, and safety-related performance levels for categories B through 4 as referenced in
section 4.13.

Publication of this Registered Technical Report has been approved by the Accredited
Standards Developer. This document is registered as a Technical Report series of
publications according to the procedures for the Registration of Technical Reports with
ANSI. This document is not an American National Standard and the material contained
herein is not normative in nature. Comments on the content of this document should be
sent to the Accredited Standards Developer.

Summary of ISO 13849-1 Categories:


Category B Circuit:
• Is designed in accordance with relevant standards.
• Can withstand the expected influences.
• The occurrence of a fault can lead to loss of the safety function.
Category 1 Circuit (includes Category B):
• Is designed in accordance with relevant standards.
• Well-tried components and well-tried safety principles are used.
• The occurrence of a fault can lead to loss of the safety function.
Category 2 Circuit (includes Category B and well-tried safety principles):
• Safety function shall be checked at suitable intervals by the machine control system.
• The occurrence of a (single) fault can lead to loss of the safety function between the checks.
• The loss of safety function is detected by the check (automatic or manual).

NOTE: A suitable frequency of checking (periodic test interval) will be dependent on
the reliability of components and the probability of failure. A tolerable probability of
failure will be determined in the risk assessment.
Category 3 Circuit (includes Category B and well-tried safety principles):
• A single fault does not lead to loss of the safety function, and whenever reasonably practicable the
single fault is detected (i.e., some but not all faults will be detected).
• Accumulation of undetected faults can lead to loss of the safety function.
Category 4 Circuit (includes Category B and well-tried safety principles):
• A single fault does not lead to loss of the safety function, and the single fault is detected at or before
the next demand upon the safety function. If this is not possible, then an accumulation of faults
shall not lead to loss of the safety function.
• The faults will be detected in time to prevent loss of the safety function.

Guide for using this document


Process steps needed to use this document:
• Conduct a risk assessment
• Determine the risk reduction required (e.g., Category, performance level, control reliability, SIL, etc.)
• Define the safety function (what needs to happen)
• Implement the safety function by selecting component(s) and designing the control circuit
Steps in the application of this document:
• Determine failure modes to be managed
• Select the safeguarding device and/or complementary equipment
• Using the Table of Contents Clause 5 (Input devices (safeguarding devices and complementary
equipment)) subclause listings, choose the appropriate input device implementation
• Using the Table of Contents Clause 6 (Power controls and actuators) subclause listings, choose the
appropriate output device implementation
• Evaluate the effectiveness of that system for the desired results

Publication of this Technical Report has been approved by the Accredited Standards Developer – B11
Standards, Inc. This document is registered as a Technical Report by ANSI according to the ANSI
Procedures for the Registration of Technical Reports. This document is not an American National Standard
and the material contained herein is not normative in nature.

While standards generally use the term shall to denote a requirement and the term should to denote a
recommendation, this document is written using those terms consistent with how they are used in a standard
(normative requirement vs. an informative recommendation). Nonetheless, nothing in this document is
normative; Technical Reports are considered "informative" or "guidance" documents.

This Technical Report was prepared by the B11.TR6 Subcommittee, processed by the B11 Accredited
Standards Committee (ASC) on Safety Standards for Machines, and submitted by its Secretariat for ANSI
registration.

At the time this Technical Report was processed and registered, the ANSI B11 Accredited Standards
Committee was composed of the following member organizations:

John W. Russell, PE, CSP, Chairman


Gary D. Kopps, Vice-Chairman
David A. Felinski, Secretary

Organization Represented | Delegate | Alternate
Aerospace Industries Association of America | Willard J. Wood, ARM | Lance E. Chandler, PE
Aluminum Extruders Council | Melvin Mitchell | Scott J. Burkett
American Society of Safety Engineers | Bruce W. Main, PE, CSP | George Karosas, PE, CSP
Association For Manufacturing Technology | Russell A. Bensman | Alan Metelsky
Automotive Industry Action Group | Nancy Malo | David A. Lalain
The Boeing Company | Don R. Nelson | Joe Oberuc
Canadian Standards Association | Elizabeth Rankin, CRSP | Thomas Eastwood
Deere & Co. | Gary D. Kopps | Scott Fowler
Komatsu America Industries | George Schreck | James Landowski
General Motors Corporation | Michael Douglas |
Metal Building Manufacturers Association | Charles M. Stockinger | Charles E. Praeger
Metal Powder Industries Federation | Dennis R. Cloutier, CSP | Teresa F. Stillman
National Institute for Occupational Safety & Health | Richard S. Current, PE | James R. Harris, PhD, PE
Occupational Safety & Health Administration | Kenneth Stevanus | Robert Bell
Omron Scientific Technologies Incorporated | Frank Webster | Christopher Soranno
Packaging Machinery Manufacturers Institute | Charles F. Hayes | Maria Ferrante
Pilz Automation Safety, LP | Michael Beerman | Lee Burk
Precision Metalforming Association | James G. Barrett, Jr. PhD | Bill Gaskin
Presence Sensing Device Manufacturers Association | James V. Kirton | Michael S. Carlson
Property Casualty Insurers | John W. Russell, PE, CSP |
Robotic Industries Association | Jeffrey Fryman | Claude Dinsmoor
Rockwell Automation | Michael B. Miller |
Sheet Metal & Air Conditioning Contractors National Assn. | Michael McCullion | Roy Brown
System Safety Society | John Etherton, PhD, CSP | Rod Simmons, PhD
Toyota Motor Manufacturing North America | Barry Boggs | Todd Mills
International United Automobile Workers | Tom Ford |

The B11.TR6 Subcommittee on safety control systems which developed this TR had the following members:

Member | Organization | Role
Sam Boytor | Fox Controls | Chairman
Chris Bacon | Nexteer |
Barry Boggs | Toyota |
Mike Carlson | Banner Engineering |
Eric Cummings | Ross Controls |
Howard DeWees | SICK |
Mike Douglas | General Motors |
Steve Dukich | Rockwell Automation |
Lee Farley | Toyoda Machinery |
Keith Jensen | AA Electric |
Heinz Knackstedt | C & E Sales |
Larry Morel | Nexteer |
Ted Sberna | Applied Engineering Concepts |
Dick Schnell | Ross Controls |
Frank Webster | Omron STI |
Mark Witherspoon | Euchner |
Dave Felinski | B11 Standards, Inc. | Secretary
Cindy Haas | AMT | Secretary


Introduction and Overview of the ANSI B11 Series


The primary purpose of every machine tool is to process parts. This is accomplished by the machine
imparting process energy onto the workpiece. Inadvertent interference with, or accidental misdirection of the
released energy during production, maintenance, commissioning and de-commissioning may result in injury.

The primary purpose of the ANSI B11 series of machine tool safety standards and technical reports is to
devise and propose ways to minimize risks of the potential hazards. This can be accomplished either by an
appropriate machine design or by restricting personnel or other individuals' access to hazard zones, and by
devising work procedures to minimize personnel exposure to hazardous situations. This is the essence of
the ANSI B11 series of safety standards and technical reports.

A general overview of the interaction between a typical ANSI B11 American National Standard and other
standards / technical reports follows. Figure 1 provides a graphical overview of this scheme and in particular
the responsibilities of and requirements for the manufacturer and user, including the user personnel.
Numbers in parentheses denote the particular clause or subclause in the typical B11 standard.
The responsibility for the alleviation of these risks is divided between the equipment manufacturer, the user
and the user's operating personnel, as follows (numbers in parentheses refer to the clause numbers in these
"base" B11 standards which address that responsibility).

Notes for Figure 1:

1) Scope – Provides the boundaries or limits of the standard (i.e., what is/is not included).
2) Normative references – Other standards which in whole or in part provide additional requirements
when referenced in the normative text (i.e., left-hand column of clauses 4 – 9) of this standard.
3) Definitions – Terms used in this standard, together with their definitions (terms used in the same
context as are generally understood and commonly used in everyday English are not defined).
4) Responsibility – The general responsibilities of the manufacturer (builder), user, and the user
personnel are listed in clause 4 together with which of the remaining clauses they have primary
responsibility.
5) Hazard control (task/hazard identification & risk assessment/risk reduction) – Although clause 5 is
intended to require a shared responsibility between manufacturer and user, the requirements of this
clause may fall primarily on either entity (see ANSI B11.0 for further explanation of hazard/task
identification and risk assessment/risk reduction).
6) Design and construction – It is assumed that the manufacturer will be responsible for the
requirements of clause 6 with the understanding that the user may add to or modify these
requirements through the purchase agreement.
7) Installation, testing and start-up – Although the requirements of clause 7 are predominantly the
responsibility of the user, the manufacturer will normally provide assistance either directly (providing
personnel) or indirectly (instruction materials).
8) Safeguarding – This is normally a shared responsibility but often, either the manufacturer or the user
will provide and/or meet the requirements of clause 8.
9) Operation and maintenance – The user is normally responsible for the requirements of clause 9 with
possible assistance from the manufacturer for training.


[Figure 1 (block diagram, not reproduced): (1) Scope; (2) Normative References; (3) Definitions;
(4) Responsibilities for (4.1) Manufacturer, (4.2) User, (4.3) User Personnel; (5) Hazard Control with
(5.1) Task and Hazard Identification and (5.2) Risk Assessment / Risk Reduction (B11.TR3); (6) Design and
Construction (NFPA 79, B11.19, B11.TR1, B11.TR2, B11.TR3, B11.TR4, B11.TR5, B11.TR6);
(7) Installation, Testing, and Start-up (NFPA 70, NFPA 70E, NFPA 79); (8) Safeguarding (B11.19,
B11.TR3); (9) Operation and Maintenance; User Personnel: Comply with Training and Safety Procedures.]

Figure 1 – Typical layout of B11 base standards showing the various responsibilities

The gray shading represents ANSI B11.0. A solid line between a block showing reference
standard(s) and a block showing a normative clause denotes part of the requirements. A dashed line
denotes an informative reference. See clause 2 for further information on standards referenced in
Figure 1.


ANSI B11.TR6
Safety Control Systems for Machines
1 Scope
This Technical Report provides guidance in understanding and implementing safety-related control functions
(functional safety) as they relate to electrical, electronic, mechanical, pneumatic, hydraulic components and
systems for machines covered by the B11 series of safety standards.
NOTE 1: The terminology used in this document may not be used consistently throughout
the industry, but this document does represent concepts which are important when using
and designing safety-related control systems.
NOTE 2: Usage of [machine] in the following text means any of the specific
machines/machine tools covered by the ANSI B11 'base' series of safety standards.
NOTE 3: This document is not intended to address programmable electronic
systems/programmable electronic devices (PES/PED). See B11.TR4.

2 References
ANSI B11.0 – 2010 Safety of Machinery; General Requirements and Risk Assessment
ANSI B11.19 – 2010 Performance Criteria for Safeguarding
ANSI / NFPA 79 – 2007 Electrical Standard for Industrial Machinery
ANSI B11.TR3 – 2000 Risk Assessment and Risk Reduction – A guide to estimate, evaluate and reduce
risks associated with machine tools
ANSI B11.TR4 – 2004 Selection of Programmable Electronic Systems (PES/PLC) for Machine Tools
ANSI / U.L. 1998 – 2000 Software and programmable systems
ANSI / RIA R15.06 – 1999 Industrial Robots and Robot Systems – Safety Requirements
CSA Z434-03 – Industrial Robots and Robot Systems – General Safety Requirements
CSA Z432-04 – Safeguarding of Machinery
ISO 12100 – 2010 Safety of machinery—General principles for design—Risk assessment and risk reduction
ISO 13849-1:1999 Safety of machinery – Safety-related part of control systems – Part 1: General Principles
for Design
ISO 13849-2:2003 Safety of machinery – Safety-related part of control systems – Part 2: Validation
IEC 60204-1 – Safety of electrical equipment of machinery used for general electrical safety aspects
IEC 61508 Parts 1-7 – Functional safety of E/E/PE safety-related systems used for the design of complex
subsystems
IEC 62061 - Safety of machinery – Functional safety of safety-related electrical, electronic and
programmable electronic control systems
ISO 1219-1 2006- Fluid power systems and components -- Graphic symbols and circuit diagrams -- Part 1:
Graphic symbols for conventional use and data-processing applications
ISO 1219-2 1995 - Fluid power systems and components -- Graphic symbols and circuit diagrams -- Part 2:
Circuit diagrams
IEC 617-7 - Graphical symbols for diagrams
ISO 1436 - Rubber hoses and hose assemblies -- Wire-braid-reinforced hydraulic types for oil-based or
water-based fluids -- Specification
ISO 8573 2001 - Compressed air -- Part 1: Contaminants and purity classes
ISO 4414 1998 - Pneumatic fluid power -- General rules relating to systems
IEC 60947-5-8:2006 – Low voltage switchgear and control gear– Part 5-8: Control circuit devices and
switching elements – Three-position enabling switches
NFPA T2.25.1 R2-2005 - Pneumatic fluid power - Systems standard for industrial machinery - Supplement to
ISO 4414:1998 - Pneumatic fluid power - General rules relating to systems (third edition)
EN 853 - Rubber hoses and hose assemblies. Wire braid reinforced hydraulic type. Specification

SAE 100Rx - Test and Test Procedures for SAE 100R Series Hydraulic Hose and Hose Assemblies


3 Definitions
3.1 Acronyms: CA Concurrent Actuation
CH Channel
CON Contactor
CR Control Relay
EDM External Device Monitoring
FGC Force-guided Contactor
FGR Force-guided Relay
LS Limit Switch
M Muting module input
ME Motion Enable
MPCE Machine Primary Control Element
OSSD Output Signal Switching Device
PELV Protective Extra Low Voltage Supply
PED Programmable Electronic Device
PES Programmable Electronic System
PL Performance Level
SA Synchronous Actuation
SD Short Circuit Detection
SIL Safety Integrity Level
SIM Safety Interface Module
SOL Solenoid
SELV Safety Extra Low Voltage
SPED Safety Programmable Electronic Device
SPES Safety Programmable Electronic System
SRP/CS Safety-Related Part of the Control System
SSD Secondary Switching Device
TR Timing Relay

3.2 actuator: A mechanical device for moving or controlling motion or energy.

3.3 actuating control(s): An operator control used to initiate or maintain machine motion(s) or other
machine function(s).

3.4 anti-repeat: A function of the control system or device that limits the machine to a single cycle.

3.5 architecture (system): The configuration of the control system.

3.6 captive contact: See force-guided (3.25).

3.7 Category (safety performance): The categories state the required behavior of safety-related part
of a control system with respect to its resistance to faults (B, 1, 2, 3, 4). (ISO 13849-1)

3.8 Category (stop): The categories state the required behavior of the control system with respect to a
stop command (0, 1, 2). (NFPA 79)

3.9 Category (E-stop): The categories state the required behavior of the control system with respect to
an E-stop command (0, 1). (NFPA 79)

3.10 common cause failure: Failures of different items resulting from a single event, where these
failures are not consequences of each other.
NOTE: Common cause failures should not be confused with common mode failures.

3.11 common mode failure: Failures of items characterized by the same fault mode.
NOTE: Common mode failures should not be confused with common cause failures, as the common
mode failures may result from different causes.


3.12 commissioning: Validation of the safety function after the initial installation/modification of the
machine and/or related equipment.

3.13 concurrent: (CA) Acting in conjunction; used to describe a situation where two or more actuating
controls exist in an operated condition at the same time.

3.14 control relay: A mechanical relay used for non-safety-related functions. See 3.55.

3.15 control reliability: The capability of the [machine] control system, the safeguarding, other control
components and related interfacing to achieve a safe state in the event of a failure within their safety-related
functions.
NOTE: The general term "control reliability" really speaks to control integrity and does not imply a
specific level of safety performance. Depending upon the level of risk reduction indicated by the risk
assessment, control reliability can be achieved by different levels of safety performance.

3.16 direct (positive) opening: Achievement of contact separation as the direct result of a specified
movement of the switch actuator through non-resilient members (for example, not dependent on springs).
See 3.38.

3.17 emergency stop (also known as E-stop): A manually actuated device that initiates an immediate
stop command.

3.18 external device monitoring (EDM): A means by which a safety device monitors the state of
external devices.

3.19 failure: The termination of proper functioning or performance.

3.20 fault: A state of an item characterized by inability to perform a required function after a failure.

3.21 fault consideration: The identification of various failure modes that could negatively affect the
ability of safety system to resist faults.

3.22 fault exclusion: The elimination from consideration of a specific identified failure within the Safety-
Related Parts of the Control System because its probability is low relative to the system's required
performance, through design, selection of components, or implementation of additional measures.

3.23 fault tolerance: Number of faults under which the safety-related control system will continue to
perform its required safety function.
Note: For a zero fault tolerant system, the safety-related control system loses its ability to perform its
required safety function due to one fault. For a single fault tolerant system, the safety-related control
system will perform its required safety function in the presence of one fault, but may fail to perform its
required safety function in the presence of multiple faults.

3.24 feedback: A means by which a device is monitored.

3.25 force-guided: Constructed in such a way that normally closed contact element(s) and normally
open contact element(s) cannot simultaneously be in the closed position.
Note: Although technically incorrect, force-guided is also referred to as mechanically linked.

3.26 functional safety: Part of the safety of the machine and the machine control system which depends
on the correct functioning of the Safety-Related Parts of the Control System (SRP/CS), other technology
safety-related systems and external risk reduction facilities (IEC 61508).

3.27 hand control: A hand-operated mechanism or device used as an actuating control.


3.28 immediate stop command: A command that initiates an action(s) to stop a hazardous motion (or
situation) at any point in the [machine] cycle.

3.29 listed for such use: Equipment, materials, or services included in a list published by a Nationally
Recognized Testing Laboratory (NRTL) and concerned with evaluation of products or services, that
maintains periodic inspection of the production of listed equipment or materials or periodic evaluation of
services, and whose listing states that either the equipment, material, or services meets identified standards
or has been tested and found suitable for a specified purpose.

3.30 machine control [control system]: Part of a machine that consists of (includes, but is not limited
to) control devices, display functions, data processing or storage, sensors, safety-related functions, and
power control elements (e.g., contactors, valves, speed control, etc.).

3.31 machine start-up: Initial cycle after the machine has been through extended idle time or after the
machine has been powered-down.

3.32 mechanically linked: See force-guided (3.25).

3.33 monitoring: The checking of system components to detect a failure of a component, subassembly
or module that affects the performance of the safety-related functions.

3.34 muting: The automatic temporary bypassing of any safety-related function(s) of the control system
or safeguarding device.

3.35 normal stop command: A command that initiates an action(s) to stop motion(s) or situation(s) at
the end of a [machine] cycle or at other points required by the [machine] functions.

3.36 OSSD (Output Signal Switching Device): Component of an electro-sensitive protective equipment
connected to the machine control system which, when the sensing device is actuated during normal
operation, responds by going to the OFF state.

3.37 PELV: A protective extra low voltage supply (earthed extra low voltage).

3.38 positively driven: Use of mechanical non-resilient linkage that is designed to separate the contacts
upon actuation of the device (commonly referred to as positive opening); see 3.16. This symbol is used to
designate positively driven contacts:

3.39 positively guided: See force-guided.

3.40 positive mode mounting: mounting of the switch such that the opening of the guard actuates the
safety switch via direct contact or rigid elements. This typically applies to type 1 switches. See also 5.2.2
and 5.2.2.1.1.

3.41 presence sensing device: A device that creates a sensing field, area, or plane to detect the
presence of an individual or object.

3.42 PED (Programmable Electronic Device): A device with input and output ports, central processing
unit(s), communication ports, sequenced or controlled by a program. For example: PLC, PC, CNC,
Embedded Microprocessors, etc.


3.43 PES (Programmable Electronic System): A system for control or monitoring using one or more
programmable electronic devices, including all elements of the system such as power supplies, sensors and
other input devices, data links and other communication paths, and actuators and other output devices.

3.44 redundancy: The use of multiple means to perform the same function.

3.45 relay: An electromagnetic device for remote or automatic control that is actuated by variation in
conditions of an electric circuit and that operates other devices (as switches) in the same (or different) circuit.

3.46 reset: A function that initializes or returns a device to its operating or enabling state.

3.47 risk reduction: As part of an overall risk assessment process, the implementation of protective
measures to decrease the probability of occurrence of harm or the severity of that harm.

3.48 safety control system: part or subpart(s) of a control system (e.g., sensors, logic, and actuators)
that perform safety-related functions. The combined Safety-Related Parts of the Control System begin at the
point where the safety-related signals are initiated and end at the output of the energy control elements. This
also includes safety-related monitoring systems. Also known as Safety-Related Parts of the Control System
(SRP/CS).

3.49 synchronous actuation (SA): Concurrent operation within a specified time.

3.50 safety event: When a safety rated device performs its intended function.

3.51 safety integrity level (SIL): Discrete level (one out of a possible four) for specifying the safety
integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where
safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.

3.52 safety interface module (SIM): A device incorporating monitored redundancy, in a single body,
using safety principles to control electrical circuits. A safety interface module usually consists of monitored,
multiple, force-guided, captive contact relays, or other devices. A single discrete force-guided, captive
contact relay is not a safety interface module.

3.53 safety rated device: A device designed to an applicable safety standard and intended for use as a
safety-related device.

3.54 safety-related device: A device which, when properly applied, reduces the level of risk. These include,
but are not limited to, valves, guards, safeguarding devices, complementary (protective) equipment, etc.

3.55 safety-related function: That portion of the control system or safeguarding device that either
eliminates or reduces exposure to a hazardous situation.

3.56 safety relay: See force-guided and Safety Interface Module (SIM).
Note: The term safety relay has two common usages: to mean an individual Force-guided Relay or
to mean a SIM containing one or more Force-guided Relays.

3.57 safety reset: Return of the safety system to a permissive state, that will allow an initiation or restart
of the machine.

3.58 safety switch: An interlock device designed for safety-related application.
Type 1 safety switch: a position switch which can be operated without a specific external actuating
element (e.g., cam operated or hinge operated position switch);
Type 2 safety switch: a position switch which can only be operated with a specific actuating element
(e.g., tongue operated switch).


3.59 safety valve: A device incorporating monitored redundant function elements in a single body using
safety principles to control fluids. Monitoring can be internal or external.

3.60 SELV: An isolated (unearthed) extra low voltage (separated extra low voltage).

3.61 short-circuit detection (SD): Detection of unintended connection between two isolated channels.

3.62 SPED (Safety Programmable Electronic Device): A PED(s) designed specifically to control
safety-related functions.

3.63 SPES (Safety Programmable Electronic System): A PES for control of safety-related functions.
This is also referred to as SRECS (safety-related electrical control system).

3.64 SSD (Secondary Switching Device): A device which, in a failure or error condition, goes to the
OFF state. It may be used to initiate an appropriate machine control action, for example de-energizing the
machine secondary control element.

3.65 stop command: A command that initiates an action(s) to stop a hazardous motion or remove a
hazardous situation. The stop command can be immediate or normal. Also called a stop signal.

3.66 transponder switch: The transponder receives and processes electromagnetic fields from a
transceiver and the data signals are then sent back to the receiver. A transponder system receives and
processes electromagnetic fields between a master and slave element.

3.67 two–hand control: Actuating control that requires synchronous (less than or equal to 500 ms) use
of both hands of the operator to initiate or continue the machine cycle.
Note: Two-hand control requires operating the actuators during the hazardous portion of the machine
cycle. Premature removal of hand(s) results in an immediate stop signal of the machine cycle.

3.68 two-hand control device: An actuating control that requires the synchronous (less than or equal to
500 ms) use of the operator's hands to initiate or control machine motion during the hazardous portion of the
machine cycle.

3.69 two–hand trip: Actuating control that requires the synchronous (less than or equal to 500 ms) use
of both hands of the operator to initiate the machine cycle. See two hand control 3.67.
Note: Two-hand trip requires only a momentary concurrent operation of actuators to initiate the
machine cycle. Removal of the hand(s) does not stop the machine cycle.

3.70 two-hand trip device: An actuating control that requires the synchronous (less than or equal to 500
milliseconds) use of the operator's hands to initiate the machine cycle.

3.71 valve: A device for controlling the flow of a liquid, gas or other material through a passage or pipe.
(See Annex V for valve and two hand control 3.69).

3.72 valve element: The internal portion of a valve which moves to cause changes in the flow paths of
the air or fluid. This may be a spool, a poppet or other design.

3.73 validation: A process that confirms the specification and conformity of the design to the safety
requirement specification of the machinery.

3.74 verification: The process or act of confirming that a device or function conforms or performs to its
design.

3.75 well-tried: Components that have been widely used for a period of time and have been found
successful in similar applications.
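The following Python model is an added illustration of the synchronous actuation and anti-repeat behaviour described in 3.4 and 3.67 through 3.70; it is not part of this technical report, and the class names, the millisecond sampling of the actuators and the cycle_complete() call by which the machine signals the end of its cycle are this example's own assumptions. It shows why the control logic must evaluate the time between the two presses and not only their concurrency: an actuator tied down ahead of time never satisfies the 500 ms window, releasing either hand while a two-hand control cycle runs gives an immediate stop, and a two-hand trip lets the cycle continue after the hands are removed.

```python
"""Two-hand control vs two-hand trip with synchronous actuation (added model).

Assumptions (not from B11.TR6): actuator states are sampled with millisecond
timestamps, and the machine reports the end of its cycle via cycle_complete().
"""
from dataclasses import dataclass
from typing import Optional

SYNC_WINDOW_MS = 500  # 3.67 / 3.69: both hands within 500 ms


@dataclass
class TwoHandActuators:
    """Records when each hand actuator was pressed so synchrony can be judged."""
    left_down_at: Optional[int] = None
    right_down_at: Optional[int] = None

    def sample(self, t_ms: int, left: bool, right: bool) -> None:
        if left:
            if self.left_down_at is None:
                self.left_down_at = t_ms
        else:
            self.left_down_at = None
        if right:
            if self.right_down_at is None:
                self.right_down_at = t_ms
        else:
            self.right_down_at = None

    def both_pressed(self) -> bool:
        return self.left_down_at is not None and self.right_down_at is not None

    def both_released(self) -> bool:
        return self.left_down_at is None and self.right_down_at is None

    def synchronous(self) -> bool:
        """Concurrent AND within the window: a hand tied down early fails this."""
        return (self.both_pressed()
                and abs(self.left_down_at - self.right_down_at) <= SYNC_WINDOW_MS)


class TwoHandControl:
    """3.67 / 3.68: motion continues only while both actuators are held; removing
    either hand gives an immediate stop. Anti-repeat (3.4): both hands must be
    released before a new cycle can be initiated."""

    def __init__(self) -> None:
        self.hands = TwoHandActuators()
        self.running = False
        self.armed = True

    def update(self, t_ms: int, left: bool, right: bool) -> str:
        self.hands.sample(t_ms, left, right)
        if self.running:
            if self.hands.both_pressed():
                return "RUN"
            self.running = False
            self.armed = False
            return "STOP"  # premature removal of a hand: immediate stop
        if self.hands.both_released():
            self.armed = True
            return "IDLE"
        if self.hands.both_pressed() and self.armed:
            self.armed = False  # one attempt per full release, synchronous or not
            if self.hands.synchronous():
                self.running = True
                return "START"
        return "IDLE"

    def cycle_complete(self) -> None:
        self.running = False
        self.armed = False  # hands held through the cycle must be released first


class TwoHandTrip:
    """3.69 / 3.70: momentary synchronous actuation initiates the cycle; releasing
    the hands afterwards does not stop it. Anti-repeat as above."""

    def __init__(self) -> None:
        self.hands = TwoHandActuators()
        self.cycling = False
        self.armed = True

    def update(self, t_ms: int, left: bool, right: bool) -> str:
        self.hands.sample(t_ms, left, right)
        if self.hands.both_released():
            self.armed = True
        if self.cycling:
            return "RUN"
        if self.hands.both_pressed() and self.armed:
            self.armed = False
            if self.hands.synchronous():
                self.cycling = True
                return "START"
        return "IDLE"

    def cycle_complete(self) -> None:
        self.cycling = False
        self.armed = False
```

Both classes refuse a further attempt until both actuators have been released, which is the single-cycle limit of 3.4; an asynchronous attempt is also consumed, so the late hand cannot simply be lifted and pressed again while the early hand stays down.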

4 General Design Considerations for Mechanical, Fluid Power and Electrical Technologies

This technical report requires that a risk assessment be completed to determine the required level of
performance of the safeguarding system. See Table 2 and ANSI B11.0 for further information.

This section considers the areas of the design and construction of a safety control system for the safety-
related functions of the machine production system. These functions include, but are not limited to, the use
of the system during set-up, operation and maintenance. Good engineering practices and good machine
design principles must be employed such that well-tried, robust components and generally accepted safety
principles are part of the design, installation, operation, and maintenance. See ANSI B11.19 and ISO 13849-
2 for further information.

The manufacturer's instructions and specifications must be followed. The manufacturer of the device or
component should be consulted whenever conditions or questions arise that are not covered by the
manufacturer's instructions.

Care must be taken when configuring the safety system. The safety performance level of the output circuit
should meet the level of safety performance of the input circuit and vice versa. If safety performance levels
are not the same, the safety system meets the lower level of safety performance.

When designing the safety control system, it is necessary to determine the number, function and
requirements of all sensors, manual input devices, other machine systems or subsystems, safeguarding
devices, communication systems, and machine actuators which are connected to or controlled by the control
system.

4.1 ANSI B11.TR6 Circuit Analysis Tables

This Document contains "Circuit Analysis Tables" that describe the safety-related components and wiring
configurations shown in this document (see Table 1 below).

A "Circuit Analysis Table" is associated with each safety-related circuit diagram and contains four elements
that describe the safety details for each safety circuit. This information provides a high confidence level that
the safety functions described in the table perform properly or will fail to a safe state or condition.

These "Circuit Analysis Tables" can also be used to provide a baseline comparison for other safety-related
functions and the supporting safety circuits, not covered in this document.

Table 1 – Example Table

Safety Function: Purpose or goal of the safety circuit.
- That portion of the control system or safeguarding device that either eliminates or reduces exposure
to a hazardous situation (from this document).
- Function initiated by an input signal processed by the Safety-Related Parts of the Control System to
enable the machine (as a system) to achieve a safe state (ISO 13849-1).
- The function of the machine whose failure can result in an immediate increase in risk(s) (ISO 12100).

Fault Considerations: Consideration of faults and other related issues with the circuit as defined. For
additional examples of fault consideration refer to ISO 13849-2, Annex B, C & D.

Fault Exclusions: Assumptions that can be made based on definable constraints necessary for achieving a
fail-to-safe mode of the circuit, such as but not limited to: low probabilities, good engineering practices, and
proper maintenance procedures. For additional examples of fault consideration refer to ISO 13849-2,
Annex B, C & D.

Safety Principles: Engineering recommendations, best practices and requirements as described in
standards-related documents such as ANSI B11.19, NFPA 79, ISO 13849-2, etc., to achieve a desired risk
level, based on, or as part of, the requirements from an overall risk assessment such as ISO 14121-2 and
ANSI B11.


4.2 Practical Use of TR6

4.2.1 General
The TR6 example circuits are laid out in two general categories which, when interconnected, provide the
signal to (clause 5) and the power control of the hazard (clause 6).

4.2.1.1 Input Devices

Input devices, also known as Pilot devices, are typically comprised of sensing elements and safety-capable
elements capable of performing device status evaluation (SIM). The function of these circuits is to detect the
state of the machine or function (e.g., Guard Closed) and provide an output which can be used by the
second Category. The SIM also frequently provides a monitoring function of the Power Control Devices.

4.2.1.2 Power Control Devices

Power control devices are those components which ultimately and directly control the actual hazard. These
generally are contactors, drives, and fluid power valves. The input device(s) and their logic elements provide
an enabling signal to the power control device and usually receive a monitoring signal in response to the
state of the power control device.

4.2.2 Applying TR6 to a Sample Application

In a typical application, the designer selects an input circuit and a power control circuit which meet both the
safety performance level as determined by the risk assessment as well as the functional and operational
requirements of the task to be performed.

Below is an application requirement and a potential solution using the TR6 sample circuits. Statement of the
application requirement:
An automatically loaded machine has a pneumatically operated horizontal ram which represents a
crushing hazard to an operator who must regularly reach into the point of operation to clear a jam. This
manual operation is considered routine, repetitive, and integral to the production process, and therefore
qualifies for alternative safeguarding methods instead of manual lockout / tagout.
Risk analysis has determined that the ram motion must be halted immediately and that the risk
reduction required is highest (Category 4). To meet this risk reduction, the fluid pressure directional valve
must be blocked and vented.
Due to the limited requirement to manually interact with this portion of the machine, an interlocked
barrier guard providing only part body access is selected. While the guard is opened, the Safety-Related
Parts of the Control System (SRP/CS) must stop and exclude any motion of the ram. The ram constitutes
the only hazard exposed by the open barrier guard. The following barrier guard interface is selected from
clause 5.


Due to the need to assure that the ram is stopped and supply vented, the following blocking valve
combination was selected over a spring centered supply blocked, load ports vented directional valve from
6.4.2.4.1.

[Circuit diagram not reproduced; labels: SOL1, SOL2, From Air Prep (see General Considerations),
Hazardous Portion of Machine, LS1, LS2.]

The selected circuits were inter-connected to provide the total solution:

[Circuit diagram not reproduced; labels: SOL1, SOL2, From Air Prep (see General Considerations),
Horizontal Ram Motion Directional Control Valve, LS1, LS2.]

Note that due to the partial body access of the barrier guard and the stipulation that there are no other points
of access to the hazard, the SIM chosen has an Automatic Reset function. The machine cycle is started by
manual operation of a push button which is part of the machine control logic and which is not part of the
SRP/CS.
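As an added illustration of 4.2.1 and of the sample application above (not part of this technical report), the following Python model shows how the input device logic, a SIM evaluating the two guard switch channels LS1 and LS2, provides an enabling signal to the power control devices SOL1 and SOL2 and receives a monitoring signal back from them (EDM, 3.18). The 1000 ms channel discrepancy time, the single at-rest monitoring contact assumed per valve, and all class and function names are assumptions of this example; the device names follow the figures in 4.2.2.

```python
"""Dual-channel guard interlock, SIM logic and external device monitoring (EDM)
for the TR6 sample application (added model, not the report's own circuit).

Assumptions (not from B11.TR6): LS1/LS2 may disagree for at most 1000 ms, and
each solenoid valve provides one monitoring contact that reads True only when
the valve element is at rest (de-energised).
"""
from typing import List, Optional

DISCREPANCY_MS = 1000  # assumed channel discrepancy time


class MonitoredValve:
    """A solenoid valve (SOL1 / SOL2) with a monitoring (feedback) contact."""

    def __init__(self, name: str, stuck: bool = False) -> None:
        self.name = name
        self.energized = False
        self.stuck = stuck  # constructed failure: element never returns to rest

    def set(self, energize: bool) -> None:
        self.energized = energize

    def at_rest(self) -> bool:
        """Monitoring contact: True only when the element has actually returned to rest."""
        return False if self.stuck else not self.energized


class SafetyInterfaceModule:
    """Monitored redundancy (3.52): the two input channels must agree, the power
    control devices are checked through EDM before every re-enable, and any
    detected fault is latched so the outputs stay OFF (fail-to-safe)."""

    def __init__(self, valves: List[MonitoredValve]) -> None:
        self.valves = valves
        self.enabled = False
        self.fault: Optional[str] = None
        self.disagree_since: Optional[int] = None

    def _outputs_off(self) -> None:
        for v in self.valves:
            v.set(False)
        self.enabled = False

    def evaluate(self, t_ms: int, ls1_closed: bool, ls2_closed: bool) -> str:
        """One evaluation cycle. Returns ENABLED, GUARD_OPEN or FAULT."""
        if self.fault is not None:
            self._outputs_off()
            return "FAULT"
        if ls1_closed != ls2_closed:
            # Channel discrepancy: treat as guard open; latch a fault if it persists.
            if self.disagree_since is None:
                self.disagree_since = t_ms
            elif t_ms - self.disagree_since > DISCREPANCY_MS:
                self.fault = "channel discrepancy between LS1 and LS2"
            self._outputs_off()
            return "FAULT" if self.fault else "GUARD_OPEN"
        self.disagree_since = None
        if not ls1_closed:
            self._outputs_off()
            return "GUARD_OPEN"
        if self.enabled:
            return "ENABLED"
        # Guard closed on both channels: automatic reset (no human action) is
        # acceptable here only because the guard gives part-body access (4.2.2).
        # EDM first: every valve must have returned to rest, otherwise a stuck
        # output would go undetected and the redundancy would be silently lost.
        not_at_rest = [v.name for v in self.valves if not v.at_rest()]
        if not_at_rest:
            self.fault = "EDM: " + ", ".join(not_at_rest) + " not at rest"
            self._outputs_off()
            return "FAULT"
        for v in self.valves:
            v.set(True)
        self.enabled = True
        return "ENABLED"


def machine_may_start(sim: SafetyInterfaceModule, start_button: bool) -> bool:
    """The SIM only provides the permissive (4.4); the start push button is
    ordinary machine control logic outside the SRP/CS."""
    return sim.enabled and start_button
```

Two failure modes are exercised: a persistent disagreement between the channels is latched as a fault rather than tolerated, and a valve whose monitoring contact does not return to rest blocks the automatic reset, so a lost redundant element is found at the next guard closure instead of remaining hidden until a second fault occurs (see 3.23). Clearing the latched fault is a maintenance action outside this model, in keeping with the last paragraph of 4.3.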


4.3 Reset Function of the Safety Circuit

The reset function of the safety circuit (e.g., safety interface module) can impact the risk reduction level. The
reset function may be automatic, manual or monitored manual.

Automatic reset does not require human intervention to execute the reset function. Manual reset allows
human intervention; a short or a tie down of the reset device may cause an unintended reset. Monitored
manual reset requires human intervention such that a shorted or tied down reset device cannot cause a reset
(e.g., open-close-open action).

Automatic reset can be used in situations where an individual is continually detected or the reset function is
provided by some other portion of the safety-related machine control.

Manual reset should be used in situations where an individual can pass through a safeguard and is no longer
detected or the reset function is required to prevent hazardous situations. Manual reset without monitoring
can be used when lower levels of risk reduction are required.

Monitored manual reset should be used where an individual can pass through a safeguard and higher levels
of risk reduction are required.

In the presence of a failure, the user shall be responsible to ensure that repetitive manual reset of the system
or device is not used for production operation.

4.4 Start Function


The machine start function is not shown in the figures within this document. Section 9.3.1 of NFPA 79 and
IEC 60204-1 require that the reclosing or resetting of a safeguard shall not initiate hazardous machine
motion or operation. This is intended to prevent a hazardous situation.

Special conditions apply for presence sensing device initiation (PSDI) and for interlocking guards with a start
function (control guards). See ANSI B11.1, ANSI B11.19 and ISO 12100.

The safety circuits in this technical report provide energy to the hazardous portion of the machine and do not
start the hazardous machine motion or operation. These safety circuits must perform a permissive function
prior to the start of the hazardous operation.
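The three reset behaviours of 4.3 and the permissive-only role of the safety circuit in 4.4, as an added Python simulation that is not part of this technical report: a scan-based safety interface module whose reset input is a sampled contact, so a shorted or tied-down reset button reads closed on every scan, beside a machine control that starts motion only on its own start push button. Class and signal names are this example's own.

```python
"""Added example, not from ANSI B11.TR6: a scan-based simulation of a
safety interface module (SIM) with the three reset behaviours of 4.3, and a
separate machine control that only starts motion on an explicit start
request (4.4).  Inputs are sampled booleans: True on reset_input means the
reset push-button contact is closed (so a shorted or tied-down button reads
True on every scan).  Class and signal names are this example's own."""
from enum import Enum


class ResetMode(Enum):
    AUTOMATIC = "automatic"
    MANUAL = "manual"
    MONITORED_MANUAL = "monitored manual"


class SafetyInterfaceModule:
    """Permissive output: True allows energy to the hazardous portion."""

    def __init__(self, mode):
        self.mode = mode
        self.permissive = False
        self._prev_reset = False   # reset contact state on the previous scan
        self._armed = False        # monitored manual: close edge seen while guard closed

    def scan(self, guard_closed, reset_input):
        if not guard_closed:
            # Opening the safeguard always removes the permissive.
            self.permissive = False
            self._armed = False
        elif not self.permissive:
            if self.mode is ResetMode.AUTOMATIC:
                # No human intervention: permissive returns as soon as the
                # safeguard is closed again.
                self.permissive = True
            elif self.mode is ResetMode.MANUAL:
                # Level-sensitive: a shorted or tied-down button resets.
                self.permissive = reset_input
            else:
                # Monitored manual: a complete open-close-open sequence after
                # the guard closed is required, so a contact that is already
                # closed (short or tie-down) can never produce both edges.
                rising = reset_input and not self._prev_reset
                falling = self._prev_reset and not reset_input
                if rising:
                    self._armed = True
                elif falling and self._armed:
                    self.permissive = True
                    self._armed = False
        self._prev_reset = reset_input
        return self.permissive


class MachineControl:
    """Non-safety machine logic (outside the SRP/CS): the start push button
    initiates motion; the SIM permissive only allows it (4.4)."""

    def __init__(self, sim):
        self.sim = sim
        self.motion = False

    def scan(self, guard_closed, reset_input, start_request):
        if not self.sim.scan(guard_closed, reset_input):
            self.motion = False        # energy removed, motion stops
        elif start_request:
            self.motion = True         # only an explicit start initiates motion
        return self.motion


def run_scenario(mode, steps):
    """steps: (guard_closed, reset_input, start_request) per scan.
    Returns (permissive, motion) after each scan."""
    control = MachineControl(SafetyInterfaceModule(mode))
    results = []
    for guard, reset, start in steps:
        motion = control.scan(guard, reset, start)
        results.append((control.sim.permissive, motion))
    return results


# Constructed scenarios (not from the report).
# Reset contact shorted the whole time; guard opened, then closed.
SHORTED_RESET = [(False, True, False), (True, True, False), (True, True, False)]
# Guard closed, then a proper open-close-open operation of the reset button.
PROPER_RESET = [(True, False, False), (True, True, False), (True, False, False)]
# Guard reclosed without a start request after motion was stopped.
RECLOSE_NO_START = [(False, False, False), (True, False, False), (True, False, True),
                    (False, False, False), (True, False, False)]


def shorted_reset_outcome():
    """Permissive state per reset mode after the guard closes with the reset
    contact shorted: automatic and manual reset, monitored manual does not."""
    return {mode: run_scenario(mode, SHORTED_RESET)[-1][0] for mode in ResetMode}


if __name__ == "__main__":
    for mode, permissive in shorted_reset_outcome().items():
        print(f"{mode.value:17s} shorted reset -> permissive={permissive}")
    print("monitored manual, proper sequence ->",
          run_scenario(ResetMode.MONITORED_MANUAL, PROPER_RESET)[-1][0])
    print("motion per scan on reclose ->",
          [m for _, m in run_scenario(ResetMode.AUTOMATIC, RECLOSE_NO_START)])
```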

4.5 Testing & Verification of the Safety Function


The testing and verification of the safety function(s) shall be performed at commissioning, after changeover
of the process and when reasonably practicable at power-up, start-up, machine cycle, or at suitable intervals
as determined by the circuit design to meet the requirements of the risk assessment during operation. This
interval shall not be greater than one year. The initiation of this check may be manual or automatic by the
machine control system. The check of the safety function shall be either:
 Manually verified; or
 Machine controlled to allow operation if no faults have been detected or if a fault is detected to
generate an output indicating the fault.

4.5.1 Category 2 Periodic Test


A Category 2 control system structure is not self checking and requires a periodic test function. A single fault
can occur between these periodic checks which can prevent the safety function from being performed. A
suitable frequency of checking (periodic test interval) will be dependent on the reliability of components and
the probability of failure. A tolerable probability of failure will be determined in the risk assessment.

4.6 Fault Consideration


Fault consideration is the identification of failure modes that could affect the ability of a specific circuit to
perform its safety function.

4.6.1 Fault Analysis


One of the primary analysis tools for safety systems is failure analysis. The designer and user must
understand how the safety system performs in the presence of faults. Many techniques are available to
perform the analysis. Examples include Fault Tree Analysis, Failure Modes, Effects and Criticality Analysis,
Event Tree Analysis, and Load-Strength reviews.

4.6.2 Fault Exclusion


During the analysis, certain faults may be uncovered that cannot be detected during operation without undue
economic cost. Further, the probability that these faults occur may be made extremely small through
mitigating design, construction and installation. Under these conditions, the faults may be excluded from
further consideration. This includes recommended maintenance procedures.
Fault exclusion can be based on, but is not limited to:
 the low probability of occurrence of some faults;
 tried and true (good) engineering safety practices;
 application specific technical requirements for the specific hazard.
Detailed justification shall be given in the technical documentation for any excluded faults.

4.7 Response Time


Diminished performance of the safety function due to response time change should be considered:
 Spring weakening or breaking;
 Valves leaking;
 Over-current or mechanical binding causing relays to stick;
 Clogged exhaust path;
 Contaminants in the fluid;
 Unintended or unauthorized adjustments to device response time.

4.8 Mechanical Considerations (general)


Components must be selected to withstand the expected environment and physical or electrical forces such
as (including, but not limited to):
 Operating stresses, e.g., vibration, heat and temperature, force and frequency of braking, etc.
 Influence of the processed material, e.g., resistance to oils, cutting fluids, machining scrap, etc.

4.9 Fluid Power (Pneumatics & Hydraulics)


4.9.1 General Considerations
Fluid power portions of a safety circuit must be subjected to the same design criteria as the electrical portion
to satisfy the requirements of the risk assessment. The designer must recognize that merely removing
control voltage from the machine control valve does not ensure that a safe fluid power condition exists. The
designer must also take into account the failure modes of the fluid power components when designing the
safeguarding system. Therefore, additional safety circuitry may be required to meet the necessary
requirements of the risk assessment.

Strict adherence to the proper conditioning of the fluid power source can increase the mean time to
dangerous failure.

4.9.2 Basic Methodology for Safety Interfacing


There are five basic methods for reducing the hazards associated with fluid power control circuits:
 Blocking of the fluid power energy source;
 Removal of electrical power from the safety valve(s), conversion source (pump) and/or motion
control valves. Removal of electrical power may not result in a safe state as it may not remove fluid
power from the actuating device (e.g., detented valves or valves that have failed or stuck in position);
* Caution: Consider wind down time of the pump when calculating stopping time/distance
formulas.
 Exhausting or removal of stored energy;
 Selective trapping of fluid to maintain actuator position and prevent unintended hazardous movement
caused by other energy sources such as gravity, springs, etc.;
 Using a mechanical means to prevent or control hazardous motions caused by the release or
removal of the fluid's energy.
Note: There may be exceptions to Category circuit requirements based on the hazards and
safeguarding circuits utilized.

Fluid Power Example:


The risk assessment has determined that the control circuit required meets a Category 3 or 4 safety level.
For applications where stop distance is critical, such as when using a light curtain or two hand control
module, a single monitored valve or dual monitored blocking valve(s) would be required to remove energy
upstream of the motion control valve to ensure the motion stopped as intended. A single monitored blocking
valve may be acceptable if other monitoring of the actuator valve is also used and stopping time
considerations are made. The blocking valve is required because the motion valve cannot be relied on to
return to its de-energized position or remove the hazard.

An alternative to adding the blocking valve(s) is to provide solenoid interlocked barrier guards or doors that
inhibit personnel from entering the hazardous motion until it has completed. Requirements for opening the
door would be:
 Actuators in home or safe position are monitored indicating that the valves have shifted. For
Category 4 performance the monitoring must be performed in the Safety-Related Parts of the Control
System (SRP/CS);
 The door safety switch and circuitry must be consistent with the requirements of the Category level;
 When the door is opened, the SIM must disable power to any hazardous motion valve coil(s);
 The motion valve design must be such that the valve cannot initiate an unexpected actuator motion
without being given an electrical command;
 Maintenance to be performed under OSHA approved lock-out/tag-out procedure.

Evaluating the failure modes (see 4.9.17) of the components used in the risk assessment will indicate if the
removal of, or maintaining fluid power energy, is the most appropriate manner of risk reduction for a
particular task/hazard.

4.9.3 Pressure Vessels and Accumulators


These devices store energy used for peak demands, assist the pump in supplying flows that exceed the
pump capabilities and limit system pressure spikes. For North America, all accumulators, and pneumatic
vessels whose inside diameter is larger than 150 mm (6 inches) shall conform to ASME Boiler & Pressure
Vessel Code Section VIII Division 1. In addition, all pneumatic vessels shall:
 Be equipped with a safety relief valve to prevent over pressurization;
 Be drained on a periodic basis to remove contaminants and have a bottom drain with a ball valve;
 Be provided with a visual means to verify the pressure in the vessel;
 Be provided with a means to release stored energy;
 Not have working pressure lines connected to its bottom.

4.9.4 Stored Energy (Trapped Pressure)


Circuits containing pressure vessels, accumulators, counterbalance valves, isolation valves or pilot operated
checks shall be provided with a means for non-hazardous dissipation or safe restraint of the stored or
residual energy. Additional measures, such as safety blocks, may be required to be installed before
releasing the stored energy.

Warning labels should be placed next to the device, and a procedure describing the removal of the energy
shall also be placed on the machine's lockout placard.

4.9.5 Reapplication of Pressure


The reapplication of pressure shall not create a hazard (e.g., rapid or unintended movement). The increased
speed may damage the actuators or machine components causing premature mechanical failures. In
pneumatic systems soft start valves or flow controls can be used to prevent this condition.

Cylinders and Other Actuator Devices:


To ensure safe operation of a cylinder the designer shall consider the following:
 Proper rod column strength to support the load at full stroke;
 Cushions to control end of stroke deceleration;
 Catastrophic cylinder failure (e.g., rod separation, seal failure);
 Tie rod separation;
 Cylinder creep which can occur as seals wear.

For hydraulic applications involving trapping the pressure on the rod end, pressure amplification must be
considered if pressure should be accidentally applied to the cap end.
For vertical cylinder applications the circuit shall be designed to eliminate pressure from the top of the
actuator.

4.9.6 Hoses and Fittings


Hoses and fittings shall meet the following requirements:
 SAE 100Rx & ISO 1436, ISO 3362 or EN 853;
 Manufacturer's minimum bend radius;
 Fluid compatibility;
 Temperature;
 Safety factors that include allowances for system induced pressure spikes during normal valve
shifting and safety function applications.

Hose, plastic or nylon tubing shall not be used where its failure would lead to a hazardous situation. Hoses
are subject to torsional forces and abrasion which destroy the reinforcement and outer cover, shortening the
hose's useful life. The hose installation shall eliminate the possibility of the hose or tubing becoming kinked
and blocking the exhaust/return line of the actuator. Pilot checks and counter-balance (load holding) valves
should be mounted on the device they are intended to control. If this is not possible, rigid tube or pipe shall
be used between the check and the actuator. Push in type fittings shall not be used for applications which
place the plastic tubing in tension. Rigid pipe or steel tubing should be attached to machine members to
minimize vibration at fittings. Tubing clamps shall be used to secure tube or steel pipe and shall be spaced
per the following table.

Protection against hose failure shall be provided by incorporating one or more of the following:
 physical restraint device;
 velocity fuse;
 barrier guard.
Figure A and Table 2: Hoses and Fittings

4.9.7 Fluid Power Valve Crossover Considerations


The crossover condition's influence on the circuit shall be understood for fluid power valves being used in
safety applications. These conditions may not be disclosed or may only be partially disclosed in catalog
information.

Valve functions and schematics will typically depict 2 or 3 position valves indicating their normal operating
positions. During operation, elements transit from an at rest condition to one (or two) energized positions.
This provides an infinite number of crossover positions as the valve elements shift. The designer must take
into consideration the effect on the load during the crossover condition.

There are two types of crossover conditions:


 Open crossover – fluid pressure (energy) will be open between the supply, an outlet, and an
exhaust/return port;
 Closed crossover – fluid pressure (energy) will be trapped at the outlet port with no flow path to
supply or exhaust/return port; see crossover position in Annex V.

4.9.8 Single Channel Fluid Power Device


 A device whose failure to operate properly may result in the loss of the safety-related function.

4.9.9 Single Channel Fluid Power Device with Monitoring


 A device whose failure to operate properly may result in the loss of the safety-related function;
 The device is monitored, either internally or externally, to provide indication of its operating status;
 A fluid power system with single channel control and monitoring, which can be internal or external to
the device (see Annex V).

4.9.10 Dual channel fluid power


 The use of redundant individual fluid power devices, where either can perform the safety-related
function;
 The failure of one of the devices reduces the control to a single channel.

4.9.11 Dual Channel fluid power with Monitoring


 The use of redundant individual fluid power devices or assemblies, where either device can perform
the safety-related function;
 The failure of one of the devices reduces the control to a single channel;
 The devices are monitored, either internally or externally, to provide indication of their operating status;
 The system designer must use the monitored status to prevent restarting of the fluid power system
and initiate corrective action on the failed device.

4.9.12 Dual Channel Cross Monitoring Valve


 Redundant valve components contained within one assembly with cross flow paths between
elements and monitoring that result in a Category 4 fluid power safety device;
 The monitoring can be internal or external to the device but must monitor for diminished performance
(see Annex V).

4.9.13 Response Time Considerations


 Valve response, line pressurization and exhaust times shall be considered in the safety distance
calculations for fluid power systems used in safety applications.

4.9.14 Fault Reset Function


 The reset of valves can be either automatic or manual.
 The automatic or manual resetting of a valve shall not create a hazard;
 Dual channel safety valves may require the de-energization of the command signal(s) followed by
the fault reset command to clear the fault condition.

4.9.15 Position Fault


A failure for the valve to completely shift to its intended controlled (energized or de-energized) position. See
also, crossover position in Annex V.

4.9.16 Diminished Performance Fault


A fault caused by the unacceptable increase in the shift time required for the valve. Standard fluid power
valves can become sluggish increasing shift time. For applications which involve stopping time/distance
(light curtains, interlocked doors or gates, etc.) an increase in shifting time will void the safety distance
previously calculated and can render the guarding unsafe.

4.9.17 Failure Modes to be Considered


Seal Failure – There can be many different seals within a valve or cylinder depending on its design. This
failure can be leakage past a seal, expansion of seals due to contaminants, or complete loss of the seal
being digested into the system. Leaking or failing seals in valves can result in sluggish behavior slowing or
preventing valve response or initiate valve shifting. Leaking or failing seals in cylinders or holding valves can
result in unintended motion due to the release of pressure that should be trapped to maintain cylinder
position for safety reasons.

Spring Failure – Spring fracture or complete breakage can slow or prevent valve response. Broken spring
parts can also contaminate the valve internal flow paths and prevent complete sealing of the valve. Spring
designs that prevent interleaving of the spring halves can eliminate some valve failure modes.

Coil Failure – The physical failure of a coil can result in the valve not functioning or functioning at an
unacceptable level. The broken part can result in the element being controlled by the coil being jammed into
an unknown position.

Complete or Partial Loss of Electrical Power – The loss of power below the coil operating requirements
will result in the valves de-energizing. It cannot be assumed the valve will return to its de-energized position
due to other valve failure modes.

Complete Loss of Fluid Power – The complete loss of supply pressure to a valve will result in the loss of
downstream pressure unless a checking device is utilized downstream. Piloted valves will de-energize as
the pilot pressure drops below the minimum operating pressure.

Partial Loss of Fluid Power – The partial loss of supply pressure to a valve will result in the loss of
downstream pressure unless a checking device is utilized downstream to specifically prevent this. Air piloted
valves may de-energize or partially de-energize resulting in the valve being stuck in a crossover position.

Slowing Response Time of the Device – There are a number of factors that can result in the slowing of the
movement of the valve elements. This will affect the exhaust time of the system and increase stopping
time/distance.

Valve Element Position Failure – Valve elements may stick at any position within their travel range.

Pilot Section Failure – The pilot portion of a solenoid piloted valve has the same failure modes as the main
elements of the valve. The resulting effects of this failure on the main valve elements must be considered
such as unintended main valve element shifting.

Mounting Orientation – The effects of gravity on valve and cylinder elements shall be considered and the
manufacturer's mounting recommendations followed.

Inertial Forces – Valves mounted on moving machine surfaces or subjected to vibration and shock loading
may change internal valve position due to these external forces. If these external forces are present, consult
the manufacturers of safety valves for their valves' shock rating. Valve elements shall be mounted
perpendicular to the motion to prevent unintended movement.

Line Blockage or Muffler Restriction – Pneumatic exhaust time can be increased significantly due to line
blockages and muffler restrictions due to contamination.

Conductor (Hose, Tube, Pipe)/Connector Failure – Load may drop, conductor may cause injury or
damage to equipment (whipping action).

4.9.18 Non-Safety Devices


Additional monitoring of the fluid power circuit may be necessary to maintain the system's integrity. This is
not considered a safety circuit and therefore devices may be used that are not safety rated. These additional
monitors should not be used as monitoring for verification of the operation of a safety valve. These devices
include pressure switches, flow switches, level switches, and temperature switches.

The circuit must be designed so that upstream non-safety devices do not inhibit the return flow through the
safety devices (i.e., use valves with reverse flow checks, regulators, etc.).

4.10 Pneumatics
4.10.1 Basic Pneumatic System Considerations
Pneumatic systems shall conform to the applicable sections of ISO 4414 & NFPA / T2.25.1 R2.

4.10.2 Safety Shut-Off and Exhaust Valve


An energy isolation device shall be provided to shut off and release pressure from the various systems
during times of maintenance and shall:
 be located outside of the hazardous area(s);
 be capable of being locked in the OFF position only;

 be easy to operate (e.g., a simple pull/push action);
 have an exhaust port equal to or greater than its supply line;
 have a pressure indicator (e.g., a gauge, pop-up indicator or pressure tap), that is visible to the
operator to indicate that the line is relieved of pressure.

4.10.3 Filtration
Filters shall meet or exceed the filtration requirements of the pneumatic safety devices as described by the
manufacturer in accordance with ISO 8573. Filters with automatic drains are encouraged.

Table 3: ISO-8573 part 1 – 2.4.2 - Pneumatics

        Solid Particle                                        Water               Oil (incl. vapor)
        Maximum number of particles per m³                    Pressure Dewpoint
Class   0.1 - 0.5 micron   0.5 - 1 micron   1.0 - 5 micron    °C                  mg/m³
1       100                1                0                 -70                 0.01
2       100,000            1,000            10                -40                 0.1
3       -                  10,000           500               -20                 1
4       -                  -                1,000             3                   5
5       -                  -                20,000            7                   -
6       -                  -                -                 10                  -

Using the classes, a maximum level can be specified for each contaminant which is expressed as ISO
8573.1:2001 Class Solid / Particulate / Water / Oil.
For example ISO 8573.1:2001 Class 1.2.1 equates to:
 100 solid particles 0.1-0.5 micron/m³
 1 solid particle 0.5-1 micron/m³
 0 solid particles 1-5 micron/m³
 Water vapor pressure dewpoint -40°C
 Oil aerosol and vapor 0.01 mg/m³

NOTE: Contaminated air can cause valves to wear prematurely and their function to diminish to an
unacceptable level. This could directly affect stopping time when valves are directly involved in the stopping
of the hazardous motion.

4.10.4 Regulator
Control shall be provided to maintain the system pressure within safe limits, e.g., where pressure regulators
are used, they should be of the self-relieving type. Relieving type regulators are not safety relief devices and
shall not be the sole device to prevent excess pressure where its relief capability may be inadequate.

The preferred means of protection against excessive pressure are one or more pressure relief valves located
to limit the pressure in all parts of the system.

Loss of pressure or critical drops in pressure shall not expose personnel to a hazard. Regulators with a
bypass check valve should be considered to reduce exhaust times.
NOTE: Over pressurizing can result in premature wear due to an increase in forces created by
pneumatic devices above what is required by the manufacturer.

4.10.5 Lubrication
All components should be rated for dry service (pre-lubed) for their intended life. Where this is not possible,
lubrication should be accomplished using single point lubrication. The use of atomizing or mist type
lubricators is discouraged. Lubricators shall be adjusted to ensure that the system is not over lubricated,
which can cause malfunctions in downstream devices.

4.10.6 Air Valve Mufflers


Air mufflers for safety systems and air dumps shall have sufficient capacity so as not to restrict the
exhausting of the system. Sintered bronze or paper mufflers shall not be used.

Pneumatic exhaust ports shall not create a jet concern. Exhausts without a muffler shall be provided with a
shield or other device so as to guard from direct exposure to the exhausting air and eliminate the potential
blocking of the exhaust.

4.10.7 Environmental Influences


The design shall account for environmental influences and their effects on the performance of the pneumatic
safety system, such as:
 Temperature – Using pneumatic safety devices outside of their recommended temperature range
may result in reduced response time or malfunction due to the effect of temperature expansion of
different materials used in the valve elements and the temperature effects on valve lubrication;
 Moisture – Water extracted from the compressed air in the system due to condensation will affect
valve and system response depending on where the water accumulates. Pneumatic systems are
sized based on the desired response of the machinery which is based on the volume, pressure, and
flow rates throughout the system. The accumulation of water will alter the volume which will in turn
affect the pressure, flow, and response of the system;
 Electrical – noise and transients can initiate valve operation;
 Contamination ingression:
 Internally generated – Valve and cylinder wear can create contaminants;
 Externally generated – These contaminants can be created by the supply or by the process.
See ingression in Annex V.

Sources of contamination must be minimized, controlled or eliminated. Some methods to accomplish this
include:
 pressure filters;
 mechanical shielding or guarding (e.g., bellows);
 coalescing filter;
 desiccant filters.

4.11 Hydraulics
4.11.1 Basic Hydraulic System Considerations
Hydraulic systems shall conform to the applicable sections of ISO 4413 and NFPA/T2.24.1 R1.

4.11.2 General
The ability of the components of the hydraulic system to perform their function reliably is primarily dependent
on the condition of the fluid.

Listed below are a series of design considerations that help ensure that the system will meet the required
reliability potential. In the case of hydraulic installations, since they are closed systems, managing wear is
important as the byproducts of component wear contaminates the system, becoming the source of further
wear and increasing the rate of component degradation.
 Keep working fluid below 55 °C;
 Supply electronic temperature monitoring;
 Mount tank away from other heat sources and structures which limit convection cooling;
 Add heat exchanger. Thermal calculations should be based on 38 °C ambient conditions;
 When using fixed displacement pumps use low pressure bypass for idle periods instead of dead
heading pump over system pressure relief/reducing valve, or use pressure compensated pumps;
 Keep fluid clean;
 Filtration requirements per ISO 4406 and filtration recommendation chart in 4.9.6;
 Element acceptance criteria: Elements shall meet the criteria for acceptance in accordance with
applicable sections of the following ISO Standards:

 ISO 4021 Method of Extracting Fluid Samples for Contamination Analysis;
 ISO 3722 Procedure for Cleaning Fluid Sample Containers;
 ISO 3723 End Load Test Method for a Filter Element;
 ISO 2942 Method of Determining Filter Element Fabrication Integrity;
 ISO 2943 Method of Verifying Filter Material Compatibility;
 ISO 3724 Method for Verifying Flow Fatigue of a Filter Element;
 ISO 2941 Method for Verifying Collapse/Burst Resistance of Filter Elements;
 ISO 11171 Method for Calibrating Liquid Automatic Particle Counters;
 ISO 4406 Method of Reporting Contamination Analysis Data;
 ISO 16889 Multi-Pass Method for Evaluating Filtration Performance;
 ISO 3968 Evaluation of Pressure Drop versus Flow.
 Electronic monitoring of filter pressure drop;
 Tank vent filter element sized 3 micron or less;
 Pre-filter make up and re-fill oil to 10 micron or less. This is dependent on components;
 For servo valves, add a 10 µm or less in-line filter immediately upstream of the valve;
 Maintain wipers on cylinder rods;
 On-line particle monitoring or regular laboratory evaluation of fluid;
 Minimize water entry into the fluid:
 Water adsorption element in reservoir vent filter;
 Periodic inspections of heat exchanger, general plumbing and fluid sampling.
 Minimize dispersed and dissolved air in fluid:
 Reduce fluid turbulence in tank.
 Keep tank as large as practicable to reduce fluid cycles per hour;
 Add baffles to control flow and add fluid stationary time;
 Keep fittings and joints tight as they may ingest air.
 Use of power area ventilation may reduce steam, vapors, smog, and airborne dirt particles in the
environment and keep them from entering the system.

4.11.3 Accumulators
Accumulators shall conform to the ASME Boiler & Pressure Vessel Code, Section VIII Division 1, and shall
have a means of automatically and manually releasing the stored energy.

If the system requires that accumulator pressure is maintained, it shall have a means to isolate the flow from
the safeguarded portion of the system as required. The risk assessment will determine what portion of the
fluid power system needs to be released. See Trapped Pressure in 4.9.4.

Environmental Influences:
The design shall account for environmental and operational influences and their effects on the performance
of the safety-related portion of the system, such as:
 Temperature – Temperatures above 55 °C (131 °F) cause a degradation of the oil and its
additives, reducing its lubrication and anti-oxidation capability. This leads to increased valve wear,
loss of reliability and premature failure;
 Moisture – Water in the hydraulic fluid, both suspended and dissolved, leads to cavitation, heat
damage, and increased corrosion;
 Air in the hydraulic system, both in bubbles and dissolved, leads to cavitation driven erosion damage;
 Particle Contamination ingression:
 Internally generated – Pump, valve and cylinder wear can create contaminants;
 Externally generated – These contaminants can be created by the supply or by the process (see
ingression in Annex V).

4.11.4 Fluid Management

Sources of contamination must first be identified, then eliminated, minimized or controlled. Some methods
to accomplish this include:
- Tank fill/vent filters;
- Return line filters;
- Supply line filters;
- Bypass filters;
- Inline pressure filters;
- Suction line strainers;
- Tank magnetic separators;
- Heat exchangers;
- Mechanical shielding or guarding (e.g., bellows or tank baffles).

4.11.5 Filtration
Filtration shall meet or exceed the ISO cleanliness requirements of the hydraulic components as described
by the manufacturer in accordance with ISO 4406.

ISO 4406 expresses cleanliness as three scale numbers, one for each of three particle size thresholds
(2, 5 and 15 microns in the microscope count method used in Table 4 and the example below; ISO 4406:1999
uses 4, 6 and 14 µm(c) for automatic particle counters calibrated to ISO 11171, with the same scale numbers
and the same code format). Each scale number encodes the number of particles larger than that threshold
in a single 1 ml sample, and each step of the scale approximately doubles the count range (Table 4). The
scale numbers are reported with a forward slash between them, with the > 2 micron scale number always
first. Because every particle counted at > 15 microns is also counted at > 5 and > 2 microns, the three
numbers never increase from left to right.

Table 4: ISO 4406 scale numbers

Number of particles (count) per millilitre        Scale number
More than          Up to and including
80,000             160,000                        24
40,000             80,000                         23
20,000             40,000                         22
10,000             20,000                         21
5,000              10,000                         20
2,500              5,000                          19
1,300              2,500                          18
640                1,300                          17
320                640                            16
160                320                            15
80                 160                            14
40                 80                             13
20                 40                             12
10                 20                             11
5                  10                             10
2.5                5                              9
1.3                2.5                            8
0.64               1.3                            7
0.32               0.64                           6
0.16               0.32                           5
0.08               0.16                           4
0.04               0.08                           3
0.02               0.04                           2
0.01               0.02                           1
0.005              0.01                           0
0.0025             0.005                          00

For example, 21/19/12 means:

Size           Particle count (per ml)   Scale number
> 2 micron     11893                     21
> 5 micron     3620                      19
> 15 micron    28                        12
ISO Code = 21/19/12


The table below gives the cleanliness level requirements (ISO 4406 codes) for various pumps, valves, actuators,
transmissions and bearings.

Table 5: Cleanliness Requirements

System pressure:                            < 14 MPa      14 MPa - 21 MPa    > 21 MPa
                                            < 2000 PSI    2000 - 3000 PSI    > 3000 PSI
                                            < 140 bar     140 bar - 210 bar  > 210 bar

PUMPS
Fixed Gear                                  20/18/15      19/17/15           18/16/13
Fixed Vane                                  20/18/15      19/17/14           18/16/13
Fixed Piston                                19/17/15      18/16/14           17/15/13
Variable Vane                               19/17/15      18/16/14           17/15/13
Variable Piston                             18/16/14      17/15/13           16/14/12

VALVES
Directional (solenoid)                      20/18/15      19/17/14
Pressure (modulating)                       19/17/14      19/17/14
Flow Controls (standard)                    19/17/14      19/17/14
Check Valves                                20/18/15      20/18/15
Cartridge Valves                            20/18/15      19/17/14
Screw-in Valves                             18/16/13      17/15/12
Prefill Valves                              20/18/15      19/17/14
Load-sensing Directional Valves             18/16/14      17/15/13
Hydraulic Remote                            18/16/13      17/15/12
Proportional Directional (throttle) Valves  18/16/13      17/15/12*
Proportional Pressure Controls              18/16/13      17/15/12*
Proportional Cartridge Valves               18/16/13      17/15/12*
Proportional Screw-in Valves                18/16/13      17/15/12
Servo Valves                                16/14/11*     15/13/10*

ACTUATORS
Cylinders                                   20/18/15      20/18/15           20/18/15
Vane Motors                                 20/18/15      19/17/14           18/16/13
Axial Piston Motors                         19/17/14      18/16/13           17/15/12
Gear Motors                                 21/19/17      20/18/15           19/17/14
Radial Piston Motors                        20/18/14      19/17/15           18/16/13
Swashplate Design Motors                    18/16/14      17/15/13           16/14/12

HYDROSTATIC TRANSMISSIONS
Hydrostatic Transmissions (in-loop fluid)   17/15/13      16/14/12*          16/14/11*

BEARINGS
Ball Bearing Systems                        15/13/11*
Roller Bearing Systems                      16/14/12*
Journal Bearings (high speed, > 400 RPM)    17/15/13
Journal Bearings (low speed, < 400 RPM)     18/16/14
General Industrial Gearboxes                17/15/13

* Requires precise sampling practices to verify cleanliness levels.
Rows with fewer than three codes are reproduced as printed; the source does not assign them to pressure bands.

NOTE: Contaminated fluid can cause components to wear or stick prematurely diminishing their
function to an unacceptable level. This could directly affect stopping time when valves are directly
involved in the stopping of the hazardous motion.
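As an added worked example (editor's code, not part of the B11.TR6 text), the following Python turns particle counts into ISO 4406 scale numbers using the Table 4 boundaries, reproduces the 21/19/12 example above, parses codes as printed in Table 5 (including the "*" marker), and checks whether a measured code meets or exceeds a required one. The system_target helper rests on an editor's assumption that the page does not state: a system is filtered to the most stringent code among the components its fluid serves.

```python
"""ISO 4406 cleanliness codes: scale numbers from particle counts (Table 4),
code parsing, and a 'meets or exceeds' check against Table 5 component codes.
Added example; not part of ANSI B11.TR6."""

# Lower bound of each scale number, particles per ml (the "more than" column
# of Table 4). The upper bound of one scale is the lower bound of the next.
_LOWER_BOUNDS = [
    ("00", 0.0025), ("0", 0.005), ("1", 0.01), ("2", 0.02), ("3", 0.04),
    ("4", 0.08), ("5", 0.16), ("6", 0.32), ("7", 0.64), ("8", 1.3),
    ("9", 2.5), ("10", 5), ("11", 10), ("12", 20), ("13", 40),
    ("14", 80), ("15", 160), ("16", 320), ("17", 640), ("18", 1300),
    ("19", 2500), ("20", 5000), ("21", 10000), ("22", 20000),
    ("23", 40000), ("24", 80000),
]
_TOP = 160000  # "up to and including" limit of scale 24


def scale_number(count_per_ml):
    """Scale number, as printed (e.g. '21'), for a particle count per ml.
    A count belongs to scale n when it is more than n's lower bound and up
    to and including the next scale's lower bound (Table 4)."""
    if count_per_ml <= _LOWER_BOUNDS[0][1] or count_per_ml > _TOP:
        raise ValueError(f"{count_per_ml} particles/ml is outside Table 4")
    for label, lower in reversed(_LOWER_BOUNDS):
        if count_per_ml > lower:
            return label
    raise AssertionError("unreachable: range checked above")


def iso_code(counts):
    """Counts of particles > 2, > 5 and > 15 micron per ml -> 'a/b/c'."""
    return "/".join(scale_number(c) for c in counts)


def _to_int(label):
    label = label.rstrip("*")        # Table 5 marks some codes with '*'
    if label == "00":
        return -1                    # '00' is one step below '0'
    value = int(label)
    if not 0 <= value <= 24:
        raise ValueError(f"scale number {label} is not in Table 4")
    return value


def parse_code(code):
    """'21/19/12' -> (21, 19, 12). Every particle counted at > 15 micron is
    also counted at > 5 and > 2 micron, so the numbers must not increase."""
    parts = code.strip().split("/")
    if len(parts) != 3:
        raise ValueError(f"expected three scale numbers: {code!r}")
    nums = tuple(_to_int(p) for p in parts)
    if not nums[0] >= nums[1] >= nums[2]:
        raise ValueError(f"scale numbers must not increase: {code!r}")
    return nums


def is_valid_code(code):
    """True if the code parses under the rules above."""
    try:
        parse_code(code)
        return True
    except ValueError:
        return False


def meets_requirement(measured, required):
    """Fluid is clean enough when each measured scale number is at or below
    the required one (a lower number means fewer particles)."""
    return all(m <= r for m, r in zip(parse_code(measured), parse_code(required)))


def system_target(component_codes):
    """Most stringent code across the components the fluid serves: the
    element-wise minimum. Editor's assumption: a system is filtered to its
    most sensitive component."""
    columns = zip(*(parse_code(c) for c in component_codes))
    return "/".join("00" if n == -1 else str(n) for n in (min(col) for col in columns))


if __name__ == "__main__":
    # Constructed sample: the worked example above, checked against a fixed
    # gear pump (20/18/15) and a servo valve (16/14/11*) in a < 14 MPa system.
    measured = iso_code((11893, 3620, 28))
    target = system_target(["20/18/15", "16/14/11*"])
    print(measured, "meets", target, "->", meets_requirement(measured, target))
```

The comparison is per position, not on the code as a whole: 21/19/12 fails a 20/18/15 requirement because the > 2 micron count is one scale step too high even though the > 15 micron count is well within limits. parse_code also rejects codes such as 12/19/21, which cannot occur physically and usually indicate a transcription error in a lab report.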


4.11.6 Relief/Pressure Reducing Valve

Control shall be provided to maintain the system pressure within safe limits; e.g., where pressure reducing
valves are used, they should be of the relieving type.

The preferred means of protection against excessive pressure is one or more pressure relief valves
located to limit the pressure in all parts of the system.

Loss of pressure or critical drops in pressure shall not expose personnel to a hazard.
NOTE: Over-pressurizing can result in premature wear due to an increase in the forces created by
hydraulic devices above what is required by the manufacturer.

4.12 Electrical Interfacing Considerations (General)

4.12.1 Basic Methodology of Safety Interfacing
The basic design philosophy for integrating the Safety-Related Part of the Control System with the machine
control, based on a risk assessment, is that:
- the machine control is responsible for properly controlling the process;
- the Safety-Related Part of the Control System is responsible for safely removing, halting, or
otherwise preventing exposure to the hazard, and also for providing status information to the machine
control;
- at no time should it be possible for the machine control to override a stop command from the Safety-
Related Part of the Control System, unless this is accomplished at the same or a greater Safety
Performance Level.

In the event of a stop command being issued by the Safety-Related Part of the Control System, the machine
control should properly respond by (including, but not limited to):
- turning OFF appropriate outputs;
- taking appropriate action associated with the stop command;
- updating any machine status that may be required;
- displaying status information.

4.12.2 Protective Stop Circuits

A protective stop allows for an orderly cessation of motion for safeguarding purposes, which results in a stop
of motion and removal of power from the machine actuators (assuming this does not create additional
hazards).

Protective stop circuits can take many forms, though the most common are a minimum of two normally open
(N.O.) contacts from force-guided, mechanically linked relays or the outputs of a safety interface module, which
are monitored (through External Device Monitoring, EDM) to detect certain failures in order to prevent the loss of
the safety function. Such a circuit can be described as a "safe switching point."

Typically, protective stop circuits are connected either in a single-channel method, which is a series
connection of at least two N.O. contacts, or in a dual-channel method, which is a separate connection of two N.O.
contacts in different circuits. In either method, the safety function relies on the use of redundant contacts to
control a single hazard (if one contact fails ON, the second contact will arrest the hazard and prevent the
next cycle from occurring).

4.12.2.1 Single-Channel Control

Single-channel control uses a series connection of contacts to form a safe switching point. After this point in
the machine's safety-related control system, failures can occur that would result in the loss of the safety
function (such as a short-circuit to a secondary source of energy or voltage).

For this reason, single-channel control interfacing should be used only where the protective stop circuit and the
devices under control are mounted within the same control panel, adjacent to each other, and are directly
connected to each other, or where the possibility of such a failure can be minimized and excluded. If this cannot
be achieved, then dual-channel control should be used.

Methods to exclude the possibility of these failures include, but are not limited to:
- Physically separating interconnecting control wires from each other and from secondary sources of
power;
- Routing interconnecting control wires in separate conduit, runs, or channels;
- Locating all elements (modules, switches, and devices under control) within one control panel,
adjacent to each other, and directly connected with short wires;
- Properly installing multi-conductor cabling and multiple wires through strain relief fittings
(over-tightening of a strain relief can cause short-circuits at that point);
- Using positive-opening or direct-drive components, installed and mounted in a positive mode.

If a single-channel circuit (with or without monitoring) is used, proper wiring practices must ensure that it is not
possible to short across the protective stop circuit, short to a secondary source of power, or fail in such a
manner that the safety system cannot effectively remove, halt, or otherwise prevent exposure to the hazard.

4.12.2.2 Dual-Channel Control

Dual-channel control provides the ability to electrically extend the safe switching point beyond the protective
stop contacts. With proper monitoring (i.e., EDM), this method of interfacing is capable of detecting certain
failures in the control wiring between the protective stop circuit and the devices under control (e.g., machine
actuators). These failures include a short-circuit to a secondary source of energy or voltage, or the loss of
the switching ability of one of the protective stop circuit contacts. Such failures could lead to the loss of
redundancy, or to a complete loss of the safety function if not detected and corrected.

The possibility of a wiring failure increases as the physical distance between the protective stop circuit
and the devices under control increases, as the length or the complexity of the routing of the interconnecting
wires increases, or if the protective stop circuit and the devices under control are located in different
enclosures. For this reason, dual-channel control with monitoring is typically used where the protective stop
circuit is located remotely from the devices under control.

The use of diversity (different technologies, operating principles, devices, etc.) in dual-channel circuits can
reduce the possibility of common mode failures (multiple failures resulting from a single source) causing
unexpected or unintended operation, or the loss of the safety function.

4.12.3 Safety Interface Module (SIM)

A Safety Interface Module (also known as a Safety Relay Module) is a combination of individual components
that provides one or more safety-related functions in a distinct system. The safety-related functions provided
include, but are not limited to:
- protective stop circuits;
- auxiliary (non-safety) outputs;
- monitored manual reset function;
- self-monitoring for internal faults;
- input channel monitoring (for short circuits or proper function);
- external device monitoring.

The Safety Interface Module must meet the expected reliability and reduce the risk of a failure resulting in
the loss of the safety function to the level determined by the risk assessment. This is achieved by the design,
construction, and installation of the Safety Interface Module and other system components (e.g., the monitoring
characteristics of the mechanically linked design of force-guided relays; see EN 50205).

The term "Safety Relay" is sometimes used to describe Safety Interface Modules. This term is also used to
refer to individual force-guided relays. The user must use caution not to confuse the functional capabilities
of each device. A Safety Interface Module may consist of multiple force-guided relays that are monitored to
detect certain failures. A single discrete force-guided relay by itself does not reduce the level of risk.

The input device examples (Clause 5) assume that the SIM Category is equal to or greater than the Category
shown in the subclause heading.
4.12.4 Interfacing the Protective (Safety) Stop

This circuit contains the contacts or outputs of the safety device or of the safety-related function of the machine
control, and can extend the safety performance level to the last electrically controlled device. This safe
switching point typically removes energy (i.e., power) from the device and causes the hazardous motion or
situation to cease (e.g., the clutch/brake of a mechanical power press).

The configuration of the protective stop circuit can take many forms, but at higher levels of risk reduction it
typically incorporates redundant contacts and monitoring of the device(s) under control. See also 4.12.2.2.
It must not be possible for hazardous motion to start or restart automatically simply by closing an interlocked
guard, clearing the sensing field of a Presence Sensing Safety Device (PSSD), re-arming an E-stop button, or
otherwise satisfying the safety system. A start or restart must be the result of a deliberate action by an
individual as described by the appropriate operating procedure.

Typical considerations when interrupting power (NFPA 79 stop Category 0): the protective stop circuit
should:
- interrupt the VDC output side rather than the VAC input side of the power supply;
- be as electrically close (i.e., with the least number of intervening components) to the device under control
as possible.

This reduces the time needed to remove power from the circuit by reducing the effect of stored energy in
other components (e.g., inductive or capacitive). When possible:
- All machine control logic should have the same power source and reference voltage as the input and
output devices;
- Positive logic should be used to minimize the effect of broken wires, corroded terminal contacts,
earth/ground faults, resistive contacts, etc.

4.12.4.1 Positive Logic

Positive logic typically uses current sinking inputs (i.e., the signal device applies power) and current sourcing
outputs (i.e., the output device supplies power), such that any short circuit to the reference potential or a wire
breakage is interpreted by the inputs and loads as an "off state." This minimizes the possibility of a fault
resulting in an unintended action by the machine.

The methodology of positive logic is typically applied to PES/PLC logic, but can also be incorporated into
relay or other forms of machine control logic.

If current sourcing inputs and current sinking outputs (negative logic) are used, caution should be exercised,
since a broken wire or an earth/ground fault could be interpreted as the "on state." By the same reasoning,
a signal should generally not have to be "applied" to issue a stop command. It should be noted that negative logic
is not recommended by IEC 61131-2 as the primary means of logic.

A typical use of negative logic is as the second channel of a diverse redundant dual-channel system (e.g.,
NO/NC switching or complementary switching) to minimize the possibility of common mode failures.

4.12.4.2 PES/PLC Interfacing

It is important not to remove power from the PES/PLC power supply or the logic module, so as not to lose the
logic program and to allow the use of diagnostics to minimize troubleshooting time.

Generally a protective stop circuit is either placed in the supply line to the output card, or is placed in one or
more of the output circuits controlling hazardous motion. A status signal from the safeguarding device
should be connected to a PLC input for feedback purposes. This allows the PLC to take proper action
when the safeguarding device has issued a protective stop (see 4.12.1, Basic Methodology of Safety
Interfacing).

If the method of interfacing the protective stop circuit results in removing supply power from a PES/PLC
output or output card:
- The PES/PLC outputs must directly control the last electrically powered device or actuator (e.g.,
valves and solenoids). They should not control interposing relays or contactors, unless these meet
the same or greater safety performance integrity requirements (e.g., a single failure does not
result in an unsafe condition);
- The only source of energy supplied to the outputs, and to the devices connected to those outputs, is
controlled by the protective stop circuit. Relay output cards should only be used if the source of
energy that is switched by the relay output card can be interrupted by the safety device or system;
- Dropping power to the supply for the PES/PLC output card must remove all sources of energy that
may cause hazardous motion (i.e., no secondary sources of power). The resulting uncontrolled,
Category 0 stop (per NFPA 79) must not cause additional hazards.

4.12.5 Electro-Mechanical Contact Considerations

The minimum current for proper operation of "hard" contacts is typically 30 mA to 50 mA at 21-24 V DC. Many
PLC input cards (opto-coupler isolated) operate around 5 mA to 10 mA, and may require pull-up or pull-down
resistors (e.g., 1 kΩ, 1 W in a +24 V DC circuit) to ensure a minimum (wetting) current flow to keep contacts
clean and free of corrosion. Refer to the manufacturer's specifications to determine minimum current or power
requirements.
NOTE: If the hard contact is rated as DRY, it is typically gold flashed to prevent corrosion. On such
contacts the current should not exceed the manufacturer's recommended maximum, to prevent loss
of the flash and subsequently of the corrosion protection.

4.12.6 Failure Modes

Failure modes of the safeguarding devices and other input devices, output devices and actuators, and the
controller (including interfaces) which can cause harm to individuals shall be identified and evaluated for any
given application, using appropriate analysis techniques. See Annex B for more information on the
identification and analysis of failures. The failure modes to be considered include but are not limited to:
- short circuit of outputs, external wiring, or output devices/actuators, such as the loss of the switching
function due to a short to power across the output contacts;
- PES/PLC program alteration (unsecured logic) and programming errors;
- loss of PES/PLC memory;
- failure or fault of the safety device (e.g., internal components);
- false actuator/input signal (noise, external signal error, off-state currents or internal shorted/open
PES/PLC input);
- false ON condition of outputs (false trigger, off-state currents);
- uncontrollable oscillating outputs;
- opens in external wiring (e.g., broken wires, corroded terminal contacts);
- complete or partial loss of power;
- increase of device response time;
- common mode failures;
- common cause failures;
- other failures (or combinations of failures) that result in unexpected or unintended operation.

4.12.7 Power Supplies

Power supply considerations include:
- intended grounding;
- unintended grounding;
- 24 volt isolation (PELV & SELV).

4.12.8 Environmental Influences

The design must keep components within their basic operating characteristics and account for environmental
influences that could result in unintended ON signals or the inability to turn OFF the machine actuator(s).
These considerations may include, but are not limited to:
- off-state or leakage current of input devices or logic controller outputs;
- incorrect polarity;
- rapid changes in applied voltage or current;
- electrical noise and transients;
- surge current, over-current, or over-voltage.

Sources of electrical noise must be minimized or eliminated. Methods include, but are not limited to:
- line filters;
- isolation transformers;
- surge or arc suppressors;
- shielding;
- proper grounding circuits (see the appropriate Electrical Code);
- physically separating power circuits, high-current circuits and logic circuits by distance or by dedicated
conduit and wire trays.

Sources of electrical noise and transients include, but are not limited to:
- large, fast-changing (switching) inductive loads or other energy storing devices;
- motor starters;
- welding equipment;
- variable speed drives;
- high voltage (e.g., 480 V AC);
- electromagnetic radiation (e.g., radio frequency transceivers, "walkie-talkies");
- electrostatic generators;
- magnetic fields;
- environmental sources (e.g., lightning).

4.13 Safety-Related Performance

The architectural safety categories within this document provide supplemental details and examples for
Categories B through 4 as described in Table 6 below and in Figure B on the next page.

Table 6 – Simplified procedure for evaluating Performance Level achieved by the SRP/CS (after ISO 13849-1)

Category                 B       1       2       2        3       3        4
DCavg                    none    none    low     medium   low     medium   high
MTTFd of each channel:
  Low                    a       n/c     a       b        b       c        n/c
  Medium                 b       n/c     b       c        c       d        n/c
  High                   n/c     c       c       d        d       d        e

n/c = not covered

[Figure B, image not reproduced: maps the ISO 13849-1 Figure 5 Performance Levels to the B11.TR3 risk
reduction levels Low, Low / Intermediate, Intermediate, Intermediate / High and High.]

Figure B – Relationship between ISO 13849-1 and ANSI B11.0 (B11 TR3)

Circuit diagram(s) must include (see Clause 4.1, Circuit Analysis Table):
- Description of the Safety Function
- Identification of Faults to consider
- List of Faults to exclude and support for each exclusion
- Description of the Safety Principle achieved

Figure C provides a graphical method to determine which Category may be appropriate for the
application.

[Figure C, flowchart not reproduced. Decision boxes: "Is there a single failure/fault to danger?"; "Can the
failure/fault be excluded?*"; "Can the failure/fault be detected by a test/check?"; "Is there an accumulation
of failures/faults** to danger?"; "Can the failures/faults be excluded?*"; "Is there a reason to drop the
rating?***". Action box, on both the single-fault and the accumulated-fault paths: "List all relevant faults and
include the justification of any excluded faults." Outcomes: Category 1, Category 2, Category 3, Category 4.
The footnotes marked *, ** and *** do not appear on this page.]

5 Input Devices (safeguarding devices and complementary equipment)


5.1 Emergency Stop Devices

Emergency Stop (E-stop) Push Button Requirements

The Emergency Stop device must provide contacts for safety which are closed when the device is armed.
Once activated, the E-stop device must open all its safety-rated contacts, and must require a deliberate
action (such as twisting, pulling, or unlocking) to return to the closed-contact, armed position. The device
must be a "positive opening" (or direct-opening) type, as described by IEC 60947-5-1. A mechanical force
applied to such a button (or device) is transmitted directly to the contacts, forcing them open. This ensures
that the device contacts will open whenever the device is activated.

NFPA 79, IEC 60204-1, and ISO 13850 specify emergency stop device requirements, including the following:
- Emergency Stop push buttons shall be located at each operator control station and at other
operating stations where emergency shutdown is required;
- Stop and Emergency Stop push buttons shall be continuously operable and readily accessible from
all control and operating stations where located. Do not mute or bypass E-stop buttons;
- Actuators of Emergency Stop devices shall be colored red. The background immediately around the
device actuator shall be colored yellow. The actuator of a push-button-operated device shall be of
the palm or mushroom-head type;
- The Emergency Stop actuator shall be a self-latching type.
NOTE: Some applications may have additional requirements. The user must comply with all relevant
regulations.

In addition to the requirements stated above, the design and the installation of the emergency stop device
(e.g., device, button, or rope-pull) must be such that the possibility of a catastrophic failure of the device
resulting in the loss of the safety function is excluded (designed out). The device must comply with
NFPA 79, IEC 60204-1, and ISO 13850 requirements such that the fault exclusions of ISO 13849-2 are
applicable. Electromechanical devices that have contacts designed in accordance with IEC 60947-5-1 Annex
K and that are installed per the manufacturer's instructions are expected to open when the Emergency Stop
device is actuated.

Whenever two or more Emergency Stop devices are connected in series, each device must be individually
actuated (engaged), then re-armed and the circuit reset. This allows the circuit to check each device and its
wiring to detect faults (a short across one device's contacts is masked while another device in the series is
pressed). Failure to test each device individually in this manner could result in undetected faults
and create an unsafe condition.

5.1.1 Lowest Risk Reduction (Category 1)

5.1.1.1 Single Channel E-Stop Using a Control Relay (Category 1)

[Circuit diagram not reproduced. Labels shown: E-Stop, Reset, CR1 (coil and contacts), Non-hazardous
Portion of Machine, Hazardous Portion of Machine.]

Safety Function: When the E-stop is pressed, the power to the coil of CR1 is removed. The normally open
contacts of CR1 open and remove power to the hazardous portion of the machine.
While the E-stop is in the depressed state, the power to the hazardous portion of the machine
remains off.
When the E-stop is reset, the hazardous portion of the machine will not automatically restart.
Restart is accomplished by a separate deliberate action.

Faults to Consider: Stuck armature in CR1. Welded contacts of CR1. Wiring short from power to the coil
of CR1. Reset contacts held closed. E-stop contacts falling off the push button actuator. See Clause 4.12.

Fault Exclusion: Welded E-stop contacts can be excluded since direct opening action contacts are used.
Catastrophic failure of the E-stop device can be excluded if it is designed and installed per ISO 13850 and
tested at periodic intervals.

Safety Principles: To achieve Category 2, the E-stop circuit must be periodically tested.

5.1.2 Low / Intermediate Risk Reduction (Category 2)

5.1.2.1 Dual Channel E-Stop Using Redundant Control Relays (Category 2)

Safety Function: When the E-stop is pressed, the power to the coils of CR1 and CR2 is removed. The normally
open contacts of CR1 and CR2 open and remove power to the hazardous portion of the machine.
While the E-stop is in the depressed state, the power to the hazardous portion of the machine
remains off.
When the E-stop is reset, the machine will not automatically restart. Restart is accomplished by a
separate deliberate action.

Faults to Consider: Stuck armature in CR1 or CR2. Welded contacts of CR1 or CR2. Wiring short from power
to the coil of CR1 or CR2. The reset contacts held closed or shorted. E-stop contacts falling off the push
button actuator.

Fault Exclusion: Welded E-stop contacts can be excluded since direct opening action contacts are used.
Catastrophic failure of the E-stop device can be excluded if it is designed and installed per ISO 13850 and
tested at periodic intervals.

Safety Principles: Simple redundancy is not adequate to achieve Category 3. To achieve Category 2, the
E-stop circuit must be periodically tested.

5.1.3 Intermediate / High Risk Reduction (Category 3)

5.1.3.1 Dual Channel E-Stop Using FGR Relays and Cross Monitoring (Category 3)

Safety Function: When the E-stop is pressed, the power to the coils of FGR1 and FGR2 is removed. The normally
open contacts of FGR1 and FGR2 open and remove power to the hazardous portion of the machine.
While the E-stop is in the depressed state, the power to the hazardous portion of the machine
remains off.
When the E-stop is reset, the hazardous portion of the machine must not restart. Restart is
accomplished by a separate deliberate action.

Faults to Consider: E-stop contacts falling off the push button actuator. See Clause 4.12.

Fault Exclusion: Welded E-stop contacts can be excluded since direct opening action contacts are used.
The NC and NO contacts of FGR1, FGR2 or FGR3 cannot be in the closed state at the same time, since
mechanically linked contacts are used.
Catastrophic failure of the E-stop device can be excluded if it is designed and installed per ISO 13850 and
tested at periodic intervals.

Safety Principles: To achieve Category 4, a short circuit between the E-stop contacts must be prevented; use
complementary switching or bipolar switching. Category 3 requires dual contactors. Monitoring of at least one
contactor is required; monitoring of both is recommended.

5.1.3.2 Multiple Dual Channel E-Stops with a Safety Relay Interface Module (Category 3)

Safety Function: Pressing any E-stop removes power to the hazardous portion of the machine.
While an E-stop is in the depressed state, the power to the hazardous portion of the machine
remains off.
When the E-stop is reset, the hazardous portion of the machine does not automatically restart.

Faults to Consider: A wiring short across one set of E-stop contacts will be masked by the other E-stop
contacts (see the individual testing requirement in 5.1). E-stop contacts falling off the push button actuator.
See Clause 4.12.

Fault Exclusion: Welded E-stop contacts can be excluded since direct opening action contacts are used.
Catastrophic failure of the E-stop device can be excluded if it is designed and installed per ISO 13850 and
tested at periodic intervals.

Safety Principles: For this circuit to comply with Category 3, operation of multiple push buttons must be
excluded.
Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is
recommended.

5.1.4 Highest risk reduction (Category 4)


5.1.4.1 Single Button Dual Channel E-Stop with a SIM (Category 4)

Safety Function: Pressing the E-stop removes power to the hazardous portion of the machine.
While the E-stop is in the depressed state, the power to the hazardous portion of the machine
must remain off.
When the E-stop is reset, the hazardous portion of the machine must not restart. Restart must be
accomplished by a separate deliberate action.
If the E-stop contact block falls off the panel, the hazardous portion of the machine must stop.
Faults to Consider: E-stop contacts falling off the push button actuator.
Fault Exclusion: Welded E-stop contacts can be excluded since direct opening action contacts are used.
The NO contacts of the monitoring safety relay failing shorted can be excluded because they are
redundant and cross monitored.
A short across the reset contacts or a stuck reset button is excluded because the safety interface
relay is looking for a change of state.
Safety Principles: For this circuit to comply with Category 4, operation of multiple pushbuttons must be excluded. At
a minimum, the E-stop device should be designed and installed per ISO 13850 and tested at
periodic intervals.

5.1.4.2 Single Button Dual Channel E-Stop* w/ Self Monitoring and a SIM (Category 4)

Safety Function: While the E-stop is in the depressed state, the power to the hazardous portion of the machine
remains off.
When the E-stop is reset, the hazardous portion of the machine does not automatically restart.
If the E-stop contact block falls off the panel, the circuit does not lose the safety function.
Faults to Consider: None to consider.
Fault Exclusion: Welded E-stop contacts can be excluded since direct opening action contacts are used.
The NO contacts of the monitoring safety relay failing shorted can be excluded because they are
redundant and cross monitored.
A short across the reset contacts or a stuck reset button is excluded because the safety
interface relay is looking for a change of state.
Catastrophic failure of the E-stop device can be excluded if designed and installed per ISO
13850 and tested at periodic intervals.
Safety Principles: At a minimum, the E-stop device should be designed and installed per ISO 13850 and tested at
periodic intervals.

*Detection or prevention of a dropped (separated) contact block on the E-stop operator is accomplished by and is
specific to the manufacturer. Examples include but are not limited to monitored contact blocks, individually mounted
contact blocks, contact blocks mechanically prevented from separating from the actuator.

5.2 Contact Interlocking


5.2.1 Description of Positive-Opening Interlock Switches
These electromechanical switches come in a variety of styles (e.g., key or tongue, roller, hinge, cam, etc.),
but all have the common design of "positive-opening" contacts rated for safety. Safety interlock switches are
described as in their NORMAL state when the interlocked device is in the CLOSED position, operator (key)
inserted. They are OPERATED when the interlocked device is OPENED or the operator (key) is withdrawn.
The N.C. contacts are closed when the interlocked device is closed, i.e., the safe condition.

Positive-opening operation is the full separation of the normally closed contact through a non-resilient linkage
(e.g., not dependent upon springs) as the direct result of a specified movement of the switch actuator when it
is disengaged or moved from the home position (see figure B).

Normally open contacts generally depend on spring action to accomplish the switching action and are not
considered "positive opening." The normally open contacts are typically only used for auxiliary monitoring,
not for safety-related purposes.

Another common design characteristic is that positive-opening interlock switches also have electrically
isolated contact pairs. See IEC 60204-1, ISO 14119 / EN 1088, EN 60947-5-1 for further information.

Description of Positive-Mode vs. Negative-Mode Mounting (Actuation)

The proper installation of positive-opening interlocking switches typically results in a positive-mode of
actuation. In positive-mode mounting, disengaging the actuator or moving it from the home position
forces a non-resilient linkage (i.e., rigid elements) to open the normally closed contact. This force
ensures that the switching action occurs (See ISO 12100-2).

When a single interlocking switch is used to monitor the position of a guard, the switch should be mounted
(actuated) in the positive mode. Mounting in the negative-mode (or non-positive mode) is typically only
allowed when a second positive-opening interlocking switch is mounted in the positive-mode. This will
provide diverse redundancy to minimize common mode failures.

Figure B: When the switch is mounted in the "Positive mode", the motion to open the guard forces the
non-resilient linkage to open the normally closed contact (i.e., positive-opening), which is used to issue a
safety stop command. The figure shows the guard in the closed and open positions: the mechanical force
acting through the non-resilient linkage opens the safety rated, normally closed contact, while the non-safety
rated, normally open contact (spring actuated) is used only for feedback.


5.2.2 Type 1 and Type 2 Considerations


See also, 3.40.

5.2.2.1 Failure Modes


5.2.2.1.1 Type 1
- Loosening of the limit switch;
- Loosening or breaking of the actuator arm;
- Trip mechanism (cam, machine) falls away.

5.2.2.1.2 Type 2
- Actuator stays in the head;
- Actuator breaks or actuator screws fall off;
- Switch head is broken off the switch body.

5.2.2.2 Categories
Selection of the limit switch type does not define the Category of safety performance in the application.

5.2.3 General Considerations


The reliability and the safety of the circuitry in clauses 5.2.4 and 5.2.8 primarily, but not exclusively, rely on
the physical installation and the electrical interfacing of the positive-opening interlocking switches.
NOTE: See ANSI B11.19 and ISO 14119 / EN1088 and IEC 60947-5-1 for additional design,
construction, installation, operation and maintenance requirements.

Manufacturer Specifications
The manufacturer's specific components and recommendations should always be followed.
- Exceeding the manufacturer's opening and closing speed is a major cause of limit switch failure;
- Slow actuation of the switch can cause nuisance tripping, otherwise referred to as teasing;
- Consider environmental operating conditions and current ratings.

5.2.3.1 Physical installation


The physical installation of the guard and the interlocked switch should:
- ensure that individuals cannot reach the hazard by reaching over, under, around or through the
guard;
- be located at an adequate distance from the danger zone;
- use material of such design and strength as to protect personnel and contain hazards within the
guarded area, which may be ejected, dropped or emitted by the machine;
- be designed and installed so that the interlocking switches cannot be defeated in a simple manner;
- ensure that the interlocking switches are mounted so that the physical position cannot change;
- use reliable fasteners that require a tool to remove;
- not use the interlocking switches as a mechanical stop or as a mechanical alignment mechanism;
mechanical alignment and mechanical stop should be done externally.

5.2.3.2 Electrical interface


The electrical interface of the interlocked switches should:
- ensure that the hazards guarded by the interlocking switches cannot operate until the guard is
closed;
- ensure that the switches open so that the system will issue a stop command if the guard is opened
while the hazard is present;
- ensure that closing the guard does not, by itself, initiate the hazardous motion (see 4.3 and 4.4);
- ensure that the reset function (e.g., of a safety interface module) does not increase the level of risk.
In high risk applications the reset function should be designed to be a monitored manual reset (open-
closed-open action) such that a shorted or tied-down button cannot cause a reset (see clause 4.3);
- ensure proper electrical installation, such as over-current and grounding, and all relevant electrical
codes are followed (per NEC & NFPA 79 or IEC 60204);
- ensure that the design, construction, and installation of the safety interface module and other system
components (e.g., monitoring characteristics of the mechanically linked design of Force-guided
Relays – see also, EN 50205) meet the expected functional reliability determined by a risk
assessment;
- ensure that a short circuit to a secondary source of power that would result in the loss of the
switching action of the protective stop circuit is not possible.
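The monitored manual reset (open-closed-open action) called for in the reset bullet above, as an added Python model that is not part of the report: the reset is granted only on the release edge of a press that began with the guard closed, so a shorted, tied-down or pre-held button never produces a reset. The scan-based interface and the sample sequences are assumptions.

```python
class MonitoredReset:
    """Monitored manual reset: the button must go open -> closed -> open
    while the guard is closed. A button that is already closed (shorted,
    tied down, or held before the guard closed) can never complete the
    sequence, so it cannot cause a reset."""

    def __init__(self):
        self.prev_pressed = False   # button state at the previous scan
        self.armed = False          # open->closed edge seen with guard closed

    def scan(self, button_pressed: bool, guard_closed: bool) -> bool:
        """Process one scan of the inputs. Returns True only on the scan in
        which a valid reset is granted."""
        reset = False
        if not guard_closed:
            # Any sequence in progress is discarded; it must restart with the
            # guard closed and the button released.
            self.armed = False
        elif button_pressed and not self.prev_pressed:
            self.armed = True                       # open -> closed edge
        elif self.armed and self.prev_pressed and not button_pressed:
            reset = True                            # closed -> open edge completes it
            self.armed = False
        self.prev_pressed = button_pressed
        return reset


def resets_in(samples):
    """samples: list of (button_pressed, guard_closed) scans, constructed for
    the example. Returns the indices of scans where a reset was granted."""
    mr = MonitoredReset()
    return [i for i, (btn, guard) in enumerate(samples) if mr.scan(btn, guard)]


# Constructed sample sequences (T = pressed/closed, F = released/open)
NORMAL_PRESS = [(False, True), (True, True), (False, True)]
TIED_DOWN = [(True, True)] * 5
HELD_BEFORE_GUARD_CLOSED = [(True, False), (True, True), (True, True), (False, True)]
SHORTED_ACROSS_GUARD_CYCLE = [(True, True), (True, False), (True, True), (True, True)]

if __name__ == "__main__":
    print("normal press        ->", resets_in(NORMAL_PRESS))               # [2]
    print("tied down           ->", resets_in(TIED_DOWN))                  # []
    print("held before closing ->", resets_in(HELD_BEFORE_GUARD_CLOSED))   # []
    print("shorted, guard cycl ->", resets_in(SHORTED_ACROSS_GUARD_CYCLE)) # []
```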

5.2.3.2.1 PES/PLC Control System Monitoring


An increase in the integrity of the safety circuit can be achieved if the control system (machine logic) has the
ability to detect a discrepancy between the status of an individual interlocking switch and the status of
other components of the safety-related function (e.g., safety interface module). If the PES/PLC control
system detects that an interlocking switch has been actuated, but the safety-related function did not respond,
the PES/PLC can issue an immediate stop command, warn the operator of the failure, and prevent re-
initiation of the machine cycle.

Unfortunately, this capability cannot be completely relied upon, especially in high risk applications. There
are several failures within the PES/PLC control system, including the loss of monitoring signals, which could
go undetected and could ultimately result in a complete loss of the safety function. These failures must be
identified and eliminated, or the possibility of occurrence must be reduced to an acceptable (minimal) level of
risk. See ANSI B11.TR4 for further information.

5.2.3.2.2 Monitoring Series Connected Positive-Opening Interlocking Switches


When monitoring two individually mounted positive-opening interlocking switches (see Figure C), a faulty
switch will be detected if it fails to operate as the guard opens. Because at least one channel opened, the
safety interface module will de-energize its output relays and disable its reset function until the input
requirements are met (the faulty switch is replaced). However, when a series connection of interlocking
switches on several guards is monitored by a single safety interface module, the failure of one switch in the
system may be masked or not detected at all.

Figure C: Safety Interface Module (with monitored reset) whose dual input channels CH1 and CH2 monitor
"key"-style positive-opening interlocking switches (x2) on three guards with mechanical stops that open
to the left; one switch is shown with a short circuit or failure to open.

The following scenarios assume two individually mounted, positive-opening interlocking switches on each
guard being monitored by a safety interface module with dual input channels that operate concurrently (i.e.,
both channels must open and re-close to allow a reset):
1) Masking of a failure -- If a guard is opened but a switch fails to operate, the redundant interlocking
switch will cause the safety interface module to de-energize its outputs. If the faulty guard is then
closed, both input channels are also closed, but a reset cannot occur because one channel did not
open. However, if a second functional "good" guard is cycled, opening and then closing both input
channels, the safety interface module considers the failure to be corrected. With the input
requirements apparently satisfied, a reset is allowed. However, this system is no longer redundant
and may result in the accumulation of faults resulting in an unsafe condition (if the redundant switch
fails).
2) Non-detection of a failure -- If a functional good guard is opened, the safety interface module de-
energizes its outputs (a normal response). But, if a faulty guard is then opened and closed before
the good guard is re-closed, the failure on the faulty guard is not detected. Again, this system also is
no longer redundant and may result in a loss of safety if the redundant interlocking switch fails to
switch when needed.

Either scenario may not inherently comply with some requirements of detecting single faults and preventing
the next cycle. In multiple-guard systems using series-connected positive-opening interlocking switches, it is
important to periodically check the functional integrity of each interlocked guard individually. Operators,
maintenance personnel, and others associated with the operation of the machine must be trained to
recognize such failures and be instructed to correct them immediately.

A check should open and close each guard separately while verifying that the safety interface module
outputs operate correctly. Follow each guard closure with a manual reset, if needed. If a switch fails, the
reset function should not be enabled, and that interlocked guard must be immediately troubleshot and the
faulty switch must be immediately replaced.
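The two fault-masking scenarios of 5.2.3.2.2 and the per-guard check described above, as an added Python model that is not part of the report. The dual-channel SIM behaviour, the guard names and the "stuck switch" fault model (a switch that reads closed whatever the guard does, i.e., a short circuit or failure to open) are constructed assumptions.

```python
from dataclasses import dataclass

CHANNELS = ("CH1", "CH2")


@dataclass
class Guard:
    """One interlocked guard with two individually mounted positive-opening
    switches, one wired into each channel. A stuck switch models a short
    circuit or a failure to open: it reads closed whatever the guard does."""
    name: str
    is_open: bool = False
    ch1_stuck: bool = False
    ch2_stuck: bool = False

    def channel_closed(self, ch: str) -> bool:
        stuck = self.ch1_stuck if ch == "CH1" else self.ch2_stuck
        return stuck or not self.is_open


class SeriesSIM:
    """Dual-channel safety interface module monitoring series-connected
    switches. Reset is accepted only if both channels are closed now and
    both have been seen open since the outputs were last energized."""

    def __init__(self, guards):
        self.guards = list(guards)
        self.outputs_on = False
        self.seen_open = {ch: False for ch in CHANNELS}

    def channel_closed(self, ch: str) -> bool:
        # Series wiring: a channel is closed only if every switch in it is closed.
        return all(g.channel_closed(ch) for g in self.guards)

    def evaluate(self) -> None:
        """One scan of the inputs: any open channel de-energizes the outputs."""
        for ch in CHANNELS:
            if not self.channel_closed(ch):
                self.seen_open[ch] = True
                self.outputs_on = False

    def reset(self) -> bool:
        ok = (all(self.channel_closed(ch) for ch in CHANNELS)
              and all(self.seen_open.values()))
        if ok:
            self.energize()
        return ok

    def energize(self) -> None:
        """Put the module into its running (reset) state."""
        self.outputs_on = True
        self.seen_open = {ch: False for ch in CHANNELS}


def cycle(sim: SeriesSIM, guard: Guard) -> None:
    """Open and re-close one guard, scanning the module after each move."""
    guard.is_open = True
    sim.evaluate()
    guard.is_open = False
    sim.evaluate()


def scenario_masking():
    """Scenario 1: the faulty guard is cycled, then a good guard is cycled.
    Returns (reset accepted after faulty guard, reset accepted after good guard)."""
    faulty, good = Guard("G1", ch2_stuck=True), Guard("G2")
    sim = SeriesSIM([faulty, good])
    sim.energize()
    cycle(sim, faulty)          # only CH1 opens; CH2 switch is stuck closed
    first = sim.reset()         # refused: CH2 was never seen open
    cycle(sim, good)            # both channels open and close on the good guard
    second = sim.reset()        # accepted: the failure is now masked
    return first, second


def scenario_non_detection() -> bool:
    """Scenario 2: the faulty guard is cycled while a good guard is still open.
    Returns True if the reset is accepted, i.e. the failure went undetected."""
    good, faulty = Guard("G1"), Guard("G2", ch2_stuck=True)
    sim = SeriesSIM([good, faulty])
    sim.energize()
    good.is_open = True
    sim.evaluate()              # normal response: both channels open
    cycle(sim, faulty)          # no visible change on the series channels
    good.is_open = False
    sim.evaluate()
    return sim.reset()


def check_each_guard(sim: SeriesSIM):
    """Periodic individual check: from the running state, open and close each
    guard on its own, confirm the outputs dropped, then attempt a manual reset.
    Returns the names of guards whose check failed (a switch did not operate)."""
    faulty = []
    for g in sim.guards:
        sim.energize()
        cycle(sim, g)
        outputs_dropped = not sim.outputs_on
        if not outputs_dropped or not sim.reset():
            faulty.append(g.name)
    return faulty
```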

5.2.4 Basic Circuit (Category B)


5.2.4.1 Basic Interlocked Guard Monitoring Circuit (Category B)

Safety Function: When the guard is opened, power is removed from the Control Relay (CR1) and the hazardous
portion of the machine. Note: Guard is shown in the closed position.
Faults to Consider: Loss of function of the interlocking switch, including a short circuit and a failure to open (e.g., due
to a broken spring).
The functional reliability and installation of the Control Relay (CR1) that could result in:
- Stuck armature in CR1;
- Welded contacts of CR1;
- Wiring short from power to the coil of CR1;
- Wiring short across a contact of CR1;
- Reset button failing or tied-down in a closed condition causing an automatic or unexpected reset;
- Negative-mode mounting of the interlocking switch.
Fault Exclusion: None (no safety rated components employed).
Safety Principles: None to consider.

5.2.5 Lowest Risk Reduction (Category 1)


5.2.5.1 Interlocked Guard Monitoring Circuit – Single Channel (Category 1)

Safety Function: When the guard is opened, power is removed from the Control Relay (CR1) and the hazardous
portion of the machine. The risk reduction is improved by adding a positive-opening interlocking
switch mounted in a positive-mode (see 5.2.1 and 5.2.2). Note: Guard is shown in the closed
position.
Faults to Consider: Loss of function of the interlocking switch by a short circuit across the switch or to another source
of power.
The functional reliability and installation of the Control Relay (CR1) that could result in:
- Stuck armature in CR1;
- Welded contacts of CR1;
- Wiring short from power to the coil of CR1;
- Wiring short across a contact of CR1;
- Reset button failing or tied-down in a closed condition causing an automatic or unexpected reset.
Fault Exclusion: If the positive-opening interlocking switch is properly installed (e.g., positive-mode) the opening of
the switch contacts can be expected to occur.
Safety Principles: With positive mounting, the cam forces the contacts of the direct operating limit switch to open.
5.2.6 Low / Intermediate Risk Reduction (Category 2)


5.2.6.1 Series Connection of Interlocks to a SIM (Category 2)

Safety Function: When any of the guards are opened, the SIM removes power from its output contacts and the
hazardous portion of the machine.
Faults to Consider: Shorts across one of the contacts of any of the interlock switches can be masked by the opening
and closing of another interlock switch.
Fault Exclusion: Faults related to the interlock switch can be excluded provided the installation and usage of the
interlock provides:
- adequate protection against overspeed of the actuator movement;
- end of travel stops to prevent mechanical damage to the interlock switch;
- misalignment of the actuator over time;
- robust installation hardware;
- secured operating head;
- exceeding recommended life;
- robustness of the interlock switch for its environment;
- maintenance procedures to assure the performance of the safety function over the life
of the machine.
If all these exclusions are not applied, this circuit reverts to Category B or 1.
Safety Principles: To achieve Category 2, the guard door interlock switch(es) must be periodically tested at
suitable intervals.

5.2.6.2 Interlocked Guard Monitoring – Single Channel w/ a SIM and PES (Category 2)

Safety Function: When one of the guards is opened, the SIM removes power from its output contacts and the hazardous
portion of the machine.
The PES/PLC control system is monitoring the safety interface module and the door interlocks. When a
limit switch error occurs, the control system removes the power to the SIM contacts that feed the hazardous
portion of the machine.
This circuit has the capability of indicating the state of each individual guard, which is accomplished by
monitored signals from the normally-open (non-safety) contacts (see 5.2.3.2.1).
If the positive-opening interlocking switch is properly installed, the opening of the switch contacts can be
expected to occur.
The normally-open (non-safety) contact monitored by the PES/PLC control system provides diverse
redundancy.
A self-monitoring safety interface module is incorporated that is designed, constructed and certified to meet
the expected level of safety performance, which provides the monitoring of the interlocking switches and
provides protective stop circuits.
Faults to Consider: A catastrophic failure or a short circuit across a set of switch contacts or to another source of power of any
of the positive opening interlocking switches (see 5.2.3.2.2).
Unauthorized or unintended manipulation of the programming that affects the monitoring of the positive-
opening interlocking switches (see 5.2.3.2.1).
Fault Exclusion: Faults related to the interlock switch can be excluded provided the installation and usage of the interlock
provides:
- adequate protection against overspeed of the actuator movement;
- end of travel stops to prevent mechanical damage to the interlock switch;
- misalignment of the actuator over time;
- robust installation hardware;
- secured operating head;
- exceeding recommended life;
- robustness of the interlock switch for its environment;
- maintenance procedures to assure the performance of the safety function over the life of the machine.
If all these exclusions are not applied, this circuit reverts to Category B or 1.
Safety Principles: To achieve Category 2, guard door interlock switch(es) must be periodically tested at suitable intervals.

5.2.7 Intermediate / High Risk Reduction (Category 3)


5.2.7.1 Single Interlock to a SIM (Category 3)

Safety Function: When the guard is opened, the SIM removes power from its output contacts and the hazardous
portion of the machine.
Faults to Consider: Mechanical failure of the limit switch or actuator will not be detected.
Fault Exclusion: Faults related to the interlock switch can be excluded provided the installation and usage of the
interlock provides:
- adequate protection against overspeed of the actuator movement;
- end of travel stops to prevent mechanical damage to the interlock switch;
- misalignment of the actuator over time;
- robust installation hardware;
- secured operating head;
- exceeding recommended life;
- robustness of the interlock switch for its environment;
- maintenance procedures to assure the performance of the safety function over the life of
the machine.
If all these exclusions are not applied, this circuit reverts to Category 3.
Safety Principles: To achieve a Category 3, prevent the failure or the loss of the switching function of the single
interlocking switch.
Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring
of both is recommended.
Undetected failures may be minimized by the correct installation and periodic individual testing
of the guard doors.

5.2.7.2 Series Connection of Interlocks to a SIM (Category 3)

Safety Function: When any of the guards are opened, the SIM removes power from its output contacts and the
hazardous portion of the machine.
Faults to Consider: Shorts across one of the contacts of any of the interlock switches can be masked by the opening
and closing of another interlock switch.
Mechanical failure of the interlock switch or actuator will not be detected.
Fault Exclusion: Faults related to the interlock switch can be excluded provided the installation and usage of the
interlock provides:
- adequate protection against overspeed of the actuator movement;
- end of travel stops to prevent mechanical damage to the interlock switch;
- misalignment of the actuator over time;
- robust installation hardware;
- secured operating head;
- exceeding recommended life;
- robustness of the interlock switch for its environment;
- maintenance procedures to assure the performance of the safety function over the life of
the machine.
If all these exclusions are not applied, this circuit reverts to Category 2.
Safety Principles: To achieve a Category 3, prevent the failure or the loss of the switching function of the single
interlocking switch.
Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring
of both is recommended.
5.2.8 Highest Risk Reduction (Category 4)


5.2.8.1 Interlocked Guard Monitoring – Dual Channel w/ Relay/Contactor and Reset Button
(Category 4)

Safety Function: When the guard is opened, power is removed from the Force-guided Relays (FGR1 and FGR2)
and the hazardous portion of the machine. The risk reduction is improved by monitoring those
relays via normally closed contacts in the reset circuit. It is further improved by ensuring that the
reset button cannot be tied down, causing an automatic or unexpected reset.
Faults to Consider: None to consider.
Fault Exclusion: If the positive-opening interlocking switch is properly installed, the opening of the switch contacts
can be expected to occur. The standard interlocking switch is mounted in a negative-mode,
which provides diverse redundancy.
A wire to wire short between limit switch 1 and limit switch 2.
If one switch fails to function, the other will remove power from the hazardous portion of the
machine.
If the reset button or FGR3 fails ON, power will be removed from the hazardous portion of the
machine.
Safety Principles: The exclusions must be assured.

5.2.8.2 Interlocked Guard Monitoring – Dual Channel w/ a SIM (Category 4)

Safety Function: When the guard is opened, the dual channel safety interface module detects the opening of the
contacts of the interlocking switches. Power is then removed from the hazardous portion of the
machine. The risk reduction is improved by adding the safety interface module, redundant
Force-guided Relays and monitoring those relays via normally closed contacts in the reset
circuit. It is further improved by ensuring the reset button cannot be tied down, causing an
automatic or unexpected reset.
Faults to Consider: None to consider.
Fault Exclusion: A self-monitoring safety interface module is incorporated that is designed, constructed and
certified to meet the expected level of safety performance, which provides the monitoring of the
interlocking switches and the Force-guided Relays, and provides protective stop circuits.
Safety Principles: If the positive-opening interlocking switch is properly installed, the opening of the switch contacts
can be expected to occur. The standard interlocking switch is mounted in a negative-mode,
which provides diverse redundancy. Two positive-opening interlocking switches have the
advantage of the positive-mode actuation (see figure on left in above schematic).
If one interlocking switch fails to function, or the reset button or one of the Force-guided Relays
fail ON, the safety interface module will prevent a reset.
A self-monitoring safety interface module is incorporated that is designed, constructed and
certified to meet the expected level of safety performance, which provides the monitoring of the
interlocking switches and the Force-guided Relays, and provides protective stop circuits.

5.3 Guard Interlocking with Non-Contact Switches (without a Locking Function)


5.3.1 Description of Non-Contact Interlock Switches
Non-contact interlock switches come in a variety of styles (e.g., magnetic, inductive, optical, RF Tag, etc.).
The common characteristic of all varieties is that the switch does not necessarily come in physical contact
with an actuator, target, or the guard (other than mounting). Non-contact interlock switches are frequently
called "proximity devices."

In higher levels of safety performance, the functionality of non-contact interlock switches should provide the
same or greater reliability as positive-opening interlocking switches (see 5.2.1). This is typically
accomplished by active monitoring by a Safety Interface Module or the internal design of the device.

5.3.2 General Considerations


The application of non-contact interlock switches to monitor the position of a guard is very similar to contact-
style devices. See clause 5.2.4.2 for considerations that affect the reliability and the safety of the interlocking
circuitry. In addition, the manufacturer's recommendations and instructions must be followed. See ANSI
B11.19 and ISO 14119 (EN1088) for further information.

5.3.3 Inductive Switches


Inductive (proximity) switches rely on the presence or absence of a detectable material for actuation.
Standard inductive switches can be easily defeated and may fail due to common mode failures such as build-
up of detectable material on the sensing surface, and thus should be mounted in a protected and/or concealed
position.

For higher levels of safety performance, a safe-inductive switch whose design complies with an appropriate
safety (design) standard(s) should be used. At a minimum, the design of a safe-inductive switch must
prevent actuation if material builds up or is placed on the sensing surface and must ignore "background"
objects.

For proper operation, the switch sensing surface must be mounted a minimum distance from any detectable
materials and from other switches if mutual interference (influence) is possible. This distance will be stated
by the manufacturer.

5.3.4 Optical Switches


Optical switches rely on the presence or absence of light for actuation. Standard optical switches, frequently
called photoelectric sensors, can be easily defeated and may fail due to optical effects like "false proxing,"
where unintended actuation occurs from shiny surfaces reflecting light. The optical switches must be
designed and installed so they cannot be easily defeated. The path of travel (movement) of the optic switch
should be perpendicular (at a right angle) to the optical axis to ensure proper switching action.

For higher levels of safety performance, a safe-optical switch whose design complies with an appropriate
safety (design) standard(s) should be used. At a minimum, the design of a safe-optical switch must respond
only to the appropriate source of light.

5.3.5 Magnetic Switches


For higher levels of safety performance, the design of a dual channel magnetic switch typically uses
complementary switching, in which one channel is open and one channel is closed at all times. This provides
redundancy (two contacts) and diversity (different principles of operation) to minimize the possibility of the
loss of the switching function due to common mode failures (e.g., secondary or residual magnetic fields and
potential short circuit). The circuitry or the safety interface module that is monitoring the magnetic switch will
detect and respond to a failure that results in the loss of the complementary state (e.g., a short circuit
between the channels, or a short circuit to other sources of power).

Whether a magnetic switch is coded or non-coded affects how easily it can be defeated and how well it
withstands common mode failures. Non-coded switches are easily defeated by the presence of a simple magnetic
field and should be mounted in a concealed position. A coded magnetic switch that uses alternating magnetic
poles should be used in applications for higher levels of safety performance.


The switch and its magnet must be mounted a minimum distance from any magnetized or ferrous materials
for proper operation. If either the switch or magnet is mounted on a material that can be magnetized (a
ferrous metal, such as iron), the switching distance will be affected. This distance will be stated by the
manufacturer. For magnetic switches that use reed contacts, provisions must be made to limit the
current. A current that is too high can lead to welding of the reed contacts and cause a failure of the switch.

5.3.6 Transponder Switches


Transponder (e.g., Radio Frequency) switches rely on the presence or absence of a coded actuator that is
energized by the switch for actuation. For higher levels of safety performance, a Transponder switch whose
design complies with an appropriate safety (design) standard(s) should be used.

The switch and its actuator must be mounted a minimum distance from any electrically conductive or ferrous
materials for proper operation. If either the switch or actuator is mounted on such a material, switching
distance will be affected. This distance will be stated by the manufacturer.

5.3.7 Basic Risk Reduction (Category B)


5.3.7.1 Non-Contact Interlocked Guard Monitoring using Standard Retro-Reflective Photo Sensor (Category B)

Safety Function: When the guard is opened, power is removed from the Control Relay (CR1) and the hazardous portion of the machine.

Faults to Consider: Loss of function of the interlocking switch, including a short circuit or a failure to switch (e.g., due to contamination buildup on the sensing surface or "false-proxing" due to shiny objects in the field of view). The possibility of "false-proxing" can be reduced by using a polarized retro-reflective photoelectric sensor.
The functional reliability and installation of the Control Relay (CR1) that could result in:
- stuck armature in CR1;
- welded contacts of CR1;
- wiring short from power to the coil of CR1;
- wiring short across a contact of CR1;
- reset button failing or tied-down in a closed condition causing an automatic or unexpected reset (see 4.3).

Fault Exclusion: None (no safety rated components employed).

Safety Principles: None to consider.


5.3.7.2 Non-Contact Interlocked Guard Monitoring using Standard Magnetic Sensor (Category B)

Safety Function: When the guard is opened, power is removed from the Control Relay (CR1) and the hazardous portion of the machine.

Faults to Consider: Loss of function of the interlocking switch, including a short circuit or a failure to switch (e.g., due to external magnetic fields, residual magnetism, or intentional defeat by affixing a magnet to the sensor).
The functional reliability and installation of the Control Relay (CR1) that could result in:
- stuck armature in CR1;
- welded contacts of CR1;
- wiring short from power to the coil of CR1;
- wiring short across a contact of CR1;
- reset button failing or tied-down in a closed condition causing an automatic or unexpected reset (see 4.3).

Fault Exclusion: None (no safety rated components employed).

Safety Principles: None to consider.


5.3.8 Intermediate / High Risk Reduction (Category 3)


5.3.8.1 Non-Contact Interlocked Guard Monitoring Circuit (Category 3)
Dual Channel with Force-guided relay monitoring using standard inductive proximity sensors.

[Figure: circuit diagram for 5.3.8.1. Monitored Reset; force-guided relays FGR1, FGR2 and FGR3 with their contacts; MPCE1 and MPCE2; inductive sensors (Open); Hazardous Portion of Machine and Non-hazardous Portion of Machine.]

Safety Function: When the guard is opened, power is removed from the Force-guided Relays (FGR1 and FGR2) and the hazardous portion of the machine. The reset button cannot be tied-down causing an automatic or unexpected reset by FGR3. FGR1 and FGR2 are monitored via normally closed contacts in the reset circuit.
If one switch fails to function, the other will remove power from the hazardous portion of the machine.
If the reset button or FGR3 fails ON, power will be removed from the hazardous portion of the machine.
Complementary switching (PNP N.O. & PNP N.C.) of the inductive sensors helps prevent common mode and common cause failures.

Faults to Consider: See general considerations in 4.12.8 and 5.3.3.
Possibility of contamination buildup on the sensing surface or intentional defeat.

Fault Exclusion: Intentional defeat or contamination can be excluded by protecting and/or concealing the sensing surfaces.
The use of standard proximity switches makes this circuit easy to defeat. Use of a SIM with input change-of-state timing limits, and physical mounting or construction of the sensors to make it difficult to defeat, is required.

Safety Principles: This is Category 3 due to the use of standard inductive switches. See ISO 14119 (1998).
To achieve Category 4, the proximity sensors must 1) employ the safety principles of short circuit, overload, over voltage, reverse polarity, transient and EMC protections, 2) use methods to reduce or eliminate the probability of common mode failure, and 3) be mounted on independent brackets.


5.3.8.2 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 3)

Safety Function: When the guard is opened, the dual channel safety interface module detects the opening of the interlocking switches. Power is then removed from the hazardous portion of the machine. The safety interface module monitors the Force-guided Relays via the normally closed contacts in the reset circuit.
The reset button cannot be tied-down because of the monitored manual reset of the safety interface module.
Complementary switching (N.O. & N.C.) of the magnetic sensors helps prevent common mode and common cause failures.
The possibility of intentional defeat by affixing a standard magnet to the sensor is reduced by the design of the alternating poles (i.e., coding).

Faults to Consider: See general considerations in 4.12.8 and 5.3.5.

Fault Exclusion: Catastrophic failure of the sensor resulting in the loss of the safety function (switching) can be excluded due to the design of the magnet and sensor and the complementary switching.

Safety Principles: Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended.
This is considered Category 3 due to the use of coded magnets and sensors and the series-parallel connection of multiple sensors.
This example uses a special SIM which limits the current drawn from the reed contacts and uses complementary inputs.
The use of special reeds and coded magnets makes this interlock difficult to defeat. An additional feature often included in the SIM is a short time window during which both contacts must change state.
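The complementary-channel plausibility check, the discrepancy time window, the force-guided relay feedback (EDM) and the monitored manual reset described in 5.3.5, 5.3.8.1 and 5.3.8.2, modelled in Python as an added illustration. This is not code from B11.TR6 or from any SIM vendor; the 500 ms discrepancy limit, the scan-based timing and the input sequences are assumptions made for the example.

```python
"""Model of a dual-channel safety interface module (SIM) monitoring one
complementary (N.O. + N.C.) guard switch.  Added illustration only: not code
from B11.TR6 or from any SIM vendor.  DISCREPANCY_LIMIT_MS and the scan
inputs are assumptions chosen for the example."""

DISCREPANCY_LIMIT_MS = 500  # assumed: how long CH1/CH2 may disagree


class SafetyInterfaceModule:
    """CH1 is the N.O. contact (closed when the guard is closed) and CH2 the
    N.C. contact (open when the guard is closed), so a plausible reading
    always has ch1 != ch2.  ch1 == ch2 for longer than the discrepancy limit
    indicates a short between the channels, a short to another supply, a
    stuck contact or a defeat attempt, and latches a fault."""

    def __init__(self):
        self.outputs_on = False     # command to the FGR / MPCE coils
        self.faulted = False        # latched; cleared only by power cycle
        self._mismatch_ms = 0
        self._reset_prev = False    # previous reset button state (edge detect)
        self._reset_armed = False   # valid press seen, waiting for release

    @staticmethod
    def guard_closed(ch1, ch2):
        return ch1 and not ch2

    def scan(self, ch1, ch2, reset, fgr_feedback, dt_ms):
        """One scan cycle.  ch1/ch2: contact closed?  reset: button pressed?
        fgr_feedback: series N.C. feedback of the force-guided relays closed
        (i.e. both relays dropped out)?  dt_ms: time since the last scan.
        Returns True if the safety outputs are energized after this scan."""
        if self.faulted:
            self.outputs_on = False
            return False

        # 1. Plausibility: complementary channels must disagree.
        if ch1 == ch2:
            self._mismatch_ms += dt_ms
            self.outputs_on = False           # safe state while undecided
            self._reset_armed = False
            if self._mismatch_ms > DISCREPANCY_LIMIT_MS:
                self.faulted = True
            self._reset_prev = reset
            return False
        self._mismatch_ms = 0                 # brief transition bounce is fine

        # 2. Guard open: drop the outputs immediately, no reset possible.
        if not self.guard_closed(ch1, ch2):
            self.outputs_on = False
            self._reset_armed = False
            self._reset_prev = reset
            return False

        # 3. Guard closed: outputs stay off until a monitored manual reset.
        #    The reset acts on the release of the button, so a button that is
        #    tied down never produces the required press-then-release.
        #    EDM: the press is only accepted if the FGR feedback shows both
        #    relays dropped out (a welded contact blocks the reset).
        if not self.outputs_on:
            rising = reset and not self._reset_prev
            falling = (not reset) and self._reset_prev
            if rising and fgr_feedback:
                self._reset_armed = True
            if falling:
                if self._reset_armed:
                    self.outputs_on = True
                self._reset_armed = False
        self._reset_prev = reset
        return self.outputs_on


def run(sequence):
    """Drive a fresh module through (ch1, ch2, reset, fgr_feedback, dt_ms)
    tuples; return the output state after each scan and the fault flag."""
    sim = SafetyInterfaceModule()
    states = [sim.scan(*step) for step in sequence]
    return states, sim.faulted


# Constructed scenarios (not from the report).  (ch1, ch2) per guard state:
CLOSED, OPEN = (True, False), (False, True)


def normal_cycle():
    return run([
        (*CLOSED, False, True, 10),   # guard closed, relays dropped out
        (*CLOSED, True, True, 10),    # reset pressed (feedback OK)
        (*CLOSED, False, True, 10),   # reset released -> outputs on
        (*CLOSED, False, False, 10),  # relays pulled in, feedback opens
        (*OPEN, False, True, 10),     # guard opened -> outputs off
        (*CLOSED, False, True, 10),   # guard closed again, still off
    ])


def tied_down_reset():
    # Button held closed from power-up: never a release, never a start.
    return run([(*CLOSED, True, True, 10)] * 5)


def channels_shorted():
    # After a normal start, a wiring short makes CH2 follow CH1.
    return run([(*CLOSED, False, True, 10), (*CLOSED, True, True, 10),
                (*CLOSED, False, True, 10)] + [(True, True, False, False, 100)] * 6)
```

Running the three scenarios shows the behaviours the tables claim: a press-and-release reset energizes the outputs only while the guard is closed and the relays are dropped out; a tied-down reset never energizes them; and a short that makes CH2 follow CH1 drops the outputs at once and latches a fault after the channels have agreed for longer than the time window, while a short mismatch during a guard transition is tolerated.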


5.3.9 Highest Risk Reduction (Category 4)


5.3.9.1 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4)

Safety Function: When the guard is opened, the dual channel safety interface module detects the opening of the interlocking switches. Power is then removed from the hazardous portion of the machine. The safety interface module monitors the Force-guided Relays via the normally closed contacts in the reset circuit.
The reset button cannot be tied-down because of the monitored manual reset of the safety interface module.
Complementary switching (N.O. & N.C.) of the magnetic sensors helps prevent common mode and common cause failures.
The possibility of intentional defeat by affixing a standard magnet to the sensor is reduced by the design of the alternating poles (i.e., coding).

Faults to Consider: See general considerations in 4.12.8 and 5.3.5.
The possibility of intentional defeat by affixing a standard magnet to the sensor is reduced by the design of the alternating poles (i.e., coding).

Fault Exclusion: Catastrophic failure of the sensor resulting in the loss of the safety function (switching) can be excluded due to the design of the magnet and sensor and the complementary switching.

Safety Principles: Category 4 due to the use of an individual coded magnet/sensor and the frequency of exercising the guard.


5.3.9.2 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4)

Safety Function: When the guard is opened, the dual channel safety interface module detects the opening of the interlocking switches. Power is then removed from the hazardous portion of the machine. The safety interface module monitors the Force-guided Relays via the normally closed contacts in the reset circuit.
The reset button cannot be tied-down because of the monitored manual reset of the safety interface module.
Multiple guards can be monitored on an optical loop without affecting the Category.
The possibility of intentional defeat is reduced by the design and installation of the optical switches.

Faults to Consider: See general considerations in 4.12.8 and 5.3.4.

Fault Exclusion: Catastrophic failure of the switches resulting in the loss of the safety function (switching) can be excluded due to the design of the optical switches and the fiber optic safety module.
The Fiber Optic Safety Module is specifically designed for the application and to applicable safety standard(s).

Safety Principles: Category 4 due to the design of the Fiber Optic Safety System.


5.3.9.3 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4)

[Figure: circuit diagram for 5.3.9.3. Inductive Sensor (Open) wired to a Safety Interface Module with CH1 (Test), CH2 (IN), SD, SA, EDM and Monitored Reset connections; safety outputs CH1 and CH2 to MPCE1 and MPCE2; Hazardous Portion of Machine and Non-hazardous Portion of Machine.]

Safety Function: When the guard is opened, the dual channel safety interface module detects the opening of the interlocking switches. Power is then removed from the hazardous portion of the machine. The safety interface module monitors the Force-guided Relays via the normally closed contacts in the reset circuit.
The reset button cannot be tied-down because of the monitored manual reset of the safety interface module.
Multiple guards can be monitored depending on the inductive sensor interface module.
The possibility of intentional defeat is reduced by the design and installation of the inductive switches.

Faults to Consider: See general considerations in 4.12.8 and 5.3.3.

Fault Exclusion: Catastrophic failure of the switches resulting in the loss of the safety function (switching) can be excluded due to the design of the inductive switches and the inductive sensor safety module.
The Inductive Sensor Safety Module is specifically designed for the application and to applicable safety standard(s).

Safety Principles: Category 4 due to the design of the Inductive Sensor Safety System.


5.3.9.4 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4)

Safety Function: When the guard is opened, the dual channel safety interface module detects the opening of the interlocking switches. Power is then removed from the hazardous portion of the machine. The safety interface module monitors the Force-guided Relays via the normally closed contacts in the reset circuit.
The reset button cannot be tied-down because of the monitored manual reset of the safety interface module.
Multiple guards can be monitored depending on the transponder sensor interface module.
The possibility of intentional defeat is reduced by the design and installation of the transponder sensors.

Faults to Consider: See general considerations in 4.12.8 and 5.3.6.

Fault Exclusion: Catastrophic failure of the sensors resulting in the loss of the safety function (switching) can be excluded due to the design of the sensors and the Transponder Safety Module.
The Transponder Safety Module is specifically designed for the application and to applicable safety standard(s).

Safety Principles: Category 4 due to the design of the Transponder Safety System.


5.4 Guardlocking Interlocks


5.4.1 General Considerations
Most guardlocking interlocks come in two basic types: power to release, where power is applied to a
solenoid to release the gate, and power to lock, where power is applied to a solenoid to lock the interlock
closed.

In addition, construction affects how the guardlocking interlock is connected. There are two basic types of
construction: in-line, where the solenoid and actuator contacts are along the same axis, and offset, where the
solenoid and actuator contacts are on separate axes.

The mechanically linked contacts of the contactor can provide checking on each energization and de-
energization of the safety circuit.

5.4.2 Low / Intermediate Risk Reduction (Category 2)


5.4.2.1 Power to Release, Inline Guardlocking Interlock (Category 2)

Safety Function: The gate must be closed to allow the Reset button to energize the Force-guided Relay and to de-energize the solenoid (which locks the gate closed) and energize the hazardous portion of the machine.
The gate cannot be opened when the solenoid is de-energized.
Opening the gate removes power from the hazardous portion of the machine.
Closing the gate does not supply power to the hazardous portion of the machine without a manual reset.

Faults to Consider: Wiring short across the Reset button.

Fault Exclusion: Faults related to the interlock switch can be excluded provided the installation and usage of the interlock provides:
- adequate protection against overspeed of the actuator movement;
- end of travel stops to prevent mechanical damage to the interlock switch;
- misalignment of the actuator over time;
- robust installation hardware;
- secured operating head;
- exceeding recommended life;
- robustness of the interlock switch for its environment;
- maintenance procedures to assure the performance of the safety function over the life of the machine;
- wiring short from power to the solenoid;
- if all these exclusions are not applied, this circuit reverts to Category B or 1.
Failure of the door interlock limit switch.

Safety Principles: To achieve Category 2, the door interlock circuit must be periodically tested at suitable intervals.
The hazardous portion of the machine must stop before the user can reach the hazard.


5.4.3 Intermediate / High Risk Reduction (Category 3)


5.4.3.1 Power to Release, Dual Axis Guardlocking Interlock (Category 3)

Safety Function: A safety rated standstill monitor or delay timer enables power to the Gate Unlock button.
The gate remains locked until the Gate Unlock button is pressed.
Pressing the Gate Unlock button allows the gate to open and de-energizes the SIM outputs (Ch2 only).
Opening the gate and releasing the Gate Unlock button maintains the SIM safety outputs in the de-energized state. CH1 of the SIM is de-energized when the gate is opened.
Closing the gate does not cause the SIM safety output to change state.
With the gate closed and the solenoid de-energized, the SIM safety outputs can be energized by pressing the Reset button.

Faults to Consider: Failure of both limit contacts between uses (test).
Mechanical failure of switch or actuator will not be detected.

Fault Exclusion: Faults related to the interlock switch can be excluded provided the installation and usage of the interlock provides:
- adequate protection against overspeed of the actuator movement;
- end of travel stops to prevent mechanical damage to the interlock switch;
- misalignment of the actuator over time;
- robust installation hardware;
- secured operating head;
- exceeding recommended life;
- robustness of the interlock switch for its environment;
- maintenance procedures to assure the performance of the safety function over the life of the machine.
If all these exclusions are not applied, this circuit reverts to Category B or 1.
Wiring short from power to the solenoid.

Safety Principles: To achieve Category 3, the door interlock circuit must be periodically tested.


5.4.4 Highest Risk Reduction (Category 4)


5.4.4.1 Power to Release, Inline Guardlocking Interlock (Category 4)

Safety Function: The gate must be closed to allow the Start button to remove power from the solenoid (which locks the gate closed) and supply power to the hazardous portion of the machine.
The gate cannot be opened when there is no power to the solenoid.
Opening the gate prevents supplying power to the hazardous portion of the machine.
Closing the gate does not supply power to the hazardous portion of the machine.

Faults to Consider: Wiring short from power to the solenoid.

Fault Exclusion: Exclude shorts to power supply at FGR1 and FGR2 by protecting wire runs from physical damage.

Safety Principles: The hazardous portion of the machine must stop before the user can reach the hazard.


5.4.4.2 Power to Release, Dual Axis Interlock Connected to a SIM (Category 4)


Safety Function: The gate remains locked until the Gate Unlock button is pressed.
Pressing the Gate Unlock button allows the gate to open and de-energizes the SIM outputs.
Opening the gate and releasing the Gate Unlock button maintains the SIM safety outputs in the de-energized state.
Closing the gate does not cause the SIM safety output to change state.
With the gate closed and the solenoid de-energized, the SIM safety outputs can be energized by pressing the Reset button.

Faults to Consider: Wiring short across the Gate Unlock button.
Reset contacts held closed.
SIM.

Fault Exclusion: Wiring short from power to the solenoid.

Safety Principles: The hazardous portion of the machine must stop before the user can reach the hazard.


5.4.4.3 Power to Release, Dual Axis Interlock Connected to a SIM (Category 4)


Safety Function: The gate remains locked until the Gate Unlock button is pressed.
Pressing the Gate Unlock button allows the gate to open but does not change the state of the SIM outputs.
Opening the gate de-energizes the SIM safety outputs 2. While standing on the mat, the power to the hazardous portion of the machine must remain off.
Closing the gate does not cause the SIM safety output to change state.
With the gate closed and the solenoid de-energized, the SIM safety outputs can be energized by pressing the Reset button.

Faults to Consider: Wiring short across the Gate Unlock button.
Reset contacts held closed.
SIM.

Fault Exclusion: Wiring short from power to the solenoid.

Safety Principles: The hazardous portion of the machine must stop before the user can reach the hazard.


5.4.4.4 Power to Release, Dual Axis Interlock Connected to a SIM (Category 4)


Safety Function: A safety rated delay timer or standstill monitor is used to allow the machine to run down to a safe (e.g., zero) speed. When safe speed is achieved, power is applied to the Gate Unlock button.
When enabled, pressing the Gate Unlock button allows the gate to open and removes power from the SIM outputs.
Opening the gate and releasing the Gate Unlock button maintains the SIM safety outputs in the de-energized state.
Closing the gate does not cause the SIM safety output to change state.
With the gate closed and with no power to the solenoid, the SIM safety outputs can supply power by pressing the Reset button.

Faults to Consider: None to consider.

Fault Exclusion: Operator opens the gate immediately after a wiring short from power to the solenoid, and gains exposure to the hazard during the machine rundown time.

Safety Principles: The safety performance of the standstill (zero speed) device feeding the Gate Unlock must be equal to or greater than the system safety performance requirement.
The hazardous portion of the machine must stop before the user can reach the hazard.
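The unlock-and-reset sequence of 5.4.3.1 and 5.4.4.4, and the reason 5.4.4.4 has to exclude a wiring short from power to the solenoid, as a small state model in Python. This is an added illustration, not code from B11.TR6; the scan inputs, the one-event-per-scan timing and the two scenarios are assumptions made for the example.

```python
"""State model of a 'power to release' guardlocking circuit in which a
safety-rated standstill monitor gates the Gate Unlock button (cf. 5.4.4.4).
Added illustration only: not code from B11.TR6.  The scan inputs and the
one-event-per-scan timing are assumptions made for the example."""


class PowerToReleaseGuardLock:
    def __init__(self):
        self.gate_closed = True
        self.solenoid_on = False     # energized = gate released (unlocked)
        self.outputs_on = False      # SIM safety outputs feeding the hazard
        self._reset_prev = False
        self._reset_armed = False

    @property
    def locked(self):
        # Power to release: the closed gate is held locked while the
        # solenoid is de-energized.
        return self.gate_closed and not self.solenoid_on

    def step(self, standstill, unlock_btn, reset_btn, open_gate, close_gate,
             solenoid_short=False):
        """Advance one scan.  Returns True when an operator could reach the
        hazard in this scan (gate open while the machine is not at standstill)."""
        # The Gate Unlock button only has power through the standstill monitor.
        unlock_cmd = standstill and unlock_btn
        # A wiring short from power to the solenoid (the fault 5.4.4.4 must
        # exclude) energizes it regardless of the standstill monitor.
        self.solenoid_on = unlock_cmd or solenoid_short
        # A legitimate unlock command also removes power from the SIM outputs;
        # a short straight to the solenoid bypasses the SIM and does not.
        if unlock_cmd:
            self.outputs_on = False
        if open_gate and not self.locked:
            self.gate_closed = False
        if close_gate and not open_gate:
            self.gate_closed = True
        # Interlock contacts: an open gate always drops the outputs ...
        if not self.gate_closed:
            self.outputs_on = False
        # ... and closing the gate never restores them; that needs a
        # monitored manual reset (acts on release, gate closed, solenoid off).
        rising = reset_btn and not self._reset_prev
        falling = (not reset_btn) and self._reset_prev
        if rising and self.gate_closed and not self.solenoid_on:
            self._reset_armed = True
        if falling:
            if self._reset_armed and self.gate_closed and not self.solenoid_on:
                self.outputs_on = True
            self._reset_armed = False
        self._reset_prev = reset_btn
        return (not self.gate_closed) and not standstill


def run(steps):
    """Apply (standstill, unlock, reset, open, close[, short]) tuples to a
    fresh lock; return the output state and the exposure flag per step."""
    lock = PowerToReleaseGuardLock()
    outputs, exposed = [], []
    for s in steps:
        exposed.append(lock.step(*s))
        outputs.append(lock.outputs_on)
    return outputs, exposed


# Constructed scenarios (not from the report).
def normal_sequence():
    return run([
        (True, False, True, False, False),    # at rest: reset pressed
        (True, False, False, False, False),   # reset released -> outputs on
        (False, False, False, False, False),  # machine running
        (False, True, False, True, False),    # unlock too early: gate stays locked
        (True, True, False, True, False),     # standstill: gate released, outputs off
        (True, False, False, False, False),   # unlock released, gate still open
        (True, False, False, False, True),    # gate closed -> locked, outputs stay off
        (True, False, True, False, False),    # reset pressed
        (True, False, False, False, False),   # reset released -> outputs on
    ])


def solenoid_short_sequence():
    return run([
        (True, False, True, False, False),
        (True, False, False, False, False),        # outputs on
        (False, False, False, False, False),       # running
        (False, False, False, True, False, True),  # short releases the gate while running
    ])
```

The normal sequence reproduces every line of the Safety Function cell: the unlock button does nothing until the standstill monitor enables it, a genuine unlock drops the outputs before the gate can move, closing the gate leaves them off, and only a press-and-release of Reset with the gate closed and the solenoid de-energized restores them. The second scenario shows why the wiring short has to be excluded by installation: the short releases the gate without passing through the SIM, so the operator can open it while the machine is still running down.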


5.5 Optical Presence Sensing Devices


5.5.1 General Considerations
In this clause, three styles of Optical Safeguarding Devices are specifically considered; other devices may be
included if they are comprised of, at a minimum:
- optically based sensing;
- means of controlling/monitoring; and
- safety output signal(s).

The three styles are:
- Light Curtains (Light Screen);
- Single and Multiple Beams (Point and Grid Systems);
- Area Scanners (Diffuse Reflection Devices).

An Optical Safeguarding Device's sensing function relies on the presence or absence of light for actuation.
Typical methods are:
- Through beam principle, where the light beam(s) traverses the detection zone once, and an
interruption (blockage) of one or more beams detects an object;
- Retro-reflective principle, where the light beam(s) traverses the detection zone twice, and an
interruption (blockage) of one or more beams detects an object;
- Diffuse reflection, where a light beam strikes an object and a portion of the light is reflected to a
receiving element(s), whereby the presence or location of the object is determined;
- Vision-based, where a receiving element(s) detects changes in the ambient light or the presence or
absence of an object.

Some designs have electromechanical relay outputs. Other designs provide solid state OSSD outputs,
which provide fault monitoring of the outputs.

The following circuits are depicted as light curtains but can be applied to any presence sensing device(s)
described by this clause.

5.5.1.1 Light Curtains


Light Curtains are typically micro-processor based products that are designed and constructed to meet
IEC 61496-2. Primarily, they use the through-beam principle of sensing, but systems are available that use
the retro-reflective principle. In either design, an interruption of a beam of light (a "dark" condition) causes
the outputs to go to an OFF-state, sending an immediate stop command to the machine control.

The Detection Zone (also known as Protected Height or Defined Area) is stated by the manufacturer and
describes a two dimensional area within which an object of a particular size can always be detected anywhere.
The size of the object is known as the Detection Capability (Object Sensitivity or Resolution) of the
Light Curtain and typically equals the distance between the beam centers (Beam Spacing) plus the size of
the effective beam diameter (Beam Diameter). An object with a cross-section equal to or greater than this
dimension will interrupt at least one beam.

IEC 61496-2 describes two "types" of light curtains that differ in their performance in the presence of faults
and under influences from environmental conditions. The requirements for a Type 2 system are less
stringent than for a Type 4 system. Thus, a Type 2 rating generally limits usage to Category 2 applications,
while a Type 4 rating is allowed in Category 4 applications.


[Figure D: light curtain with Emitter and Receiver; Detection Zone (Protected Height, Defined Area); Object Sensitivity (Resolution) = Beam Spacing + Beam Diameter.]

5.5.1.2 Single/Multiple Beam Devices (Point or Grid Devices)


Single/Multiple Beam Devices are typically micro-processor based products that are designed and
constructed to meet IEC 61496-2. They primarily use the through-beam principle of sensing and are typically
mounted to detect the torso of an individual entering an area. As with a Light Curtain, an interruption of a
beam of light (a "dark" condition) causes the outputs to go to an OFF-state, sending an immediate stop
command to the machine control.

The Detection Zone (also known as Protected Height or Defined Area) is stated by the manufacturer and
describes the distance from the "top" beam to the "bottom" beam. The placement of the beams (Beam
Spacing) is intended to detect an individual that is passing under, over, or through the detection zone.

IEC 61496-2 describes two "types" of Single/Multiple Beam Devices that differ in their performance in the
presence of faults and under influences from environmental conditions. The requirements for a Type 2
system are less stringent than for a Type 4 system. Thus, a Type 2 rating generally limits usage to Category
2 applications, while a Type 4 rating is allowed in Category 4 applications.

[Figure E]

5.5.1.3 Scanners

Scanners use a diffuse reflection, time-of-flight principle to detect an object. A pulsing beam of light rotates
to create a safety plane. The size of the object detected typically depends on the distance and configuration
of the scanner. For example, the time-of-flight technique measures the time it takes the scanner to receive
the beam reflected by the object. This principle allows the scanner to establish a warning zone and a safety
zone. The warning zone is not safety-rated.

Scanners are micro-processor based products designed and constructed to meet IEC 61496-3. The diffuse
reflection principle and Type 3 rating typically limits their usage to Category 3 applications.


5.5.2 Lowest Risk Reduction (Category 1)


5.5.2.1 IEC 61496 Type 2 Presence Sensing Device with Control Relay (Category 1)

[Figure: circuit diagram for 5.5.2.1. Light curtain Sender and Receiver; OSSD driving control relay CR1; CR1 contact in the Hazardous Portion of Machine; Non-hazardous Portion of Machine.]

Safety Function: When the Light Curtain is interrupted, the relay removes power from the hazardous portion of the machine.

Faults to Consider: Type 2 presence sensing devices do not detect all internal failures.
Failure of the OSSD to "ON."
Failure of CR1 to drop or its contact to open.

Fault Exclusion: Wiring short from power to the relay coil of CR1.

Safety Principles: The safe distance must be established for placement of the OSSD such that the hazardous portion of the machine must stop before the user can reach the hazard.


5.5.3 Low / Intermediate Risk Reduction (Category 2)


5.5.3.1 IEC 61496 Type 2 Presence Sensing Device with Force-guided Relay (Category 2)

Safety Function: When the Light Curtain is interrupted the Force-guided Relay removes power from the hazardous portion of the machine.
Faults to Consider: The mechanically linked contacts of the Force-guided Relays provide checking on each energization and de-energization of the safety circuit.
    Type 2 presence sensing devices do not detect all internal failures.
Fault Exclusion: Wiring short from power to the Force-guided Relay.
Safety Principles: To achieve Category 2, the safety light curtain circuit must be periodically tested.
    The safe distance must be established for placement of the OSSD such that the hazardous portion of the machine must stop before the user can reach the hazard.


5.5.3.2 IEC 61496 Type 2 Presence Sensing Device with Force-guided Relay (Category 2)

Safety Function: When the Light Curtain is interrupted the Force-guided Relay FGR1 removes power from the hazardous portion of the machine.
    The SSD output sends a signal to the machine control system if a fault is detected.
    Upon detection of the SSD signal, the machine control system executes a stop function.
Faults to Consider: Type 2 presence sensing devices do not detect all internal failures.
Fault Exclusion: Wiring short from power to the Force-guided Relay.
Safety Principles: The safe distance must be established for placement of the OSSD such that the hazardous portion of the machine must stop before the user can reach the hazard.
    The machine controlled test signal must be configured to check the operation of the light curtain at intervals determined by the risk assessment.
    The mechanically linked contacts of the Force-guided Relay and MPCE provide checking on each energization of the safety circuit.
    To achieve Category 2, the protective stop circuit must be periodically tested.


5.5.4 Intermediate / High Risk Reduction (Category 3)


5.5.4.1 IEC 61496 Type 3 Presence Sensing Device with Safety Interface Module (Category 3)

Safety Function: When the light curtain is interrupted the safety interface module removes power from the hazardous portion of the machine.
    For point of operation guarding the monitored reset can be changed to automatic reset.
    For perimeter guarding applications, the SIM should be manually reset.
    The SIM limits this circuit to Category 3.
Faults to Consider: Short across one or both of the feedback elements.
Fault Exclusion: Short from power to the output of the SIM if the final switching elements are located in the same control panel, wiring meets NFPA 79, shorts are validated during commissioning, or other equivalent measures are used.
Safety Principles: The safe distance must be established for placement of the OSSD such that the hazardous portion of the machine must stop before the user can reach the hazard.
    Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended.


5.5.5 Highest Risk Reduction (Category 4)


5.5.5.1 IEC 61496 Type 4 Presence Sensing Device with OSSD (Category 4)

[Circuit diagram: Sender and Receiver; OSSD1 and OSSD2 drive MPCE1 and MPCE2, which switch power to the hazardous portion of the machine; EDM feedback from the MPCEs; Monitored Reset; non-hazardous portion of the machine.]

Safety Function: When the Light Curtain is interrupted the Force-guided Relay removes power from the hazardous portion of the machine.
Faults to Consider: None to consider.
Fault Exclusion: Wiring short from power to the Force-guided Relay.
Safety Principles: The safe distance must be established for placement of the OSSD such that the hazardous portion of the machine must stop before the user can reach the hazard.


5.5.5.2 IEC 61496 Type 4 Presence Sensing Device with Safety Interface Module (Category 4)

Safety Function: When the Light Curtain is interrupted the safety interface module removes power from the hazardous portion of the machine.
    For point of operation guarding the monitored reset can be changed to automatic reset.
    For perimeter guarding applications, the SIM should be manually reset.
Faults to Consider: Short across one or both of the feedback elements.
Fault Exclusion: Short from power to the output of the SIM if the final switching elements are located in the same control panel, wiring meets NFPA 79, shorts are validated during commissioning, or other equivalent measures are used.
Safety Principles: The safe distance must be established for placement of the OSSD such that the hazardous portion of the machine must stop before the user can reach the hazard.


5.6 Mats / Edges


5.6.1 General considerations
Most safety mats come in two basic types: 4 wire or 2 wire with a terminating resistor. Both offer the same
level of safety performance. The control unit must be selected to accommodate the selected type. Edges
using safety mat technology are applicable.

5.6.2 Low / Intermediate Risk Reduction (Category 2)


5.6.2.1 Single Safety Mat Using a Safety Interface Module (Category 2)

[Circuit diagram: single safety mat connected to a Cat. 2 safety interface module (SIM).]

Safety Function: Stepping on the mat causes the outputs of the safety interface module to turn off. While standing on the mat, the power to the hazardous portion of the machine must remain off. Stepping off the mat must not allow the hazardous portion of the machine to restart. Press and release the Reset button to close the safety contacts of the safety interface module.
Faults to Consider: Failure of the mat to detect an individual due to mechanical damage.
Fault Exclusion: To exclude failure of the mat, damage which causes failure of the protective coating which would cause the contact plates not to conduct when the mat is operated must be excluded.
Safety Principles: To achieve a Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended and requires testing.
    A Category 4 capable controller must be used to monitor the safety mat.


5.6.3 Intermediate / High Risk Reduction (Category 3)


5.6.3.1 Multiple Safety Mats Using a Safety Interface Module (Category 3)

Safety Function: Stepping on the mat causes the outputs of the safety interface module to turn off. While standing on the mat, the power to the hazardous portion of the machine must remain off. Stepping off the mat must not allow the hazardous portion of the machine to restart. Press and release the Reset button to close the safety contacts of the safety interface module.
Faults to Consider: Failure of any mat to detect an individual due to mechanical damage.
Fault Exclusion: To exclude failure of the mat, damage which causes failure of the protective coating which would cause the contact plates not to conduct when the mat is operated must be excluded.
Safety Principles: To achieve a Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended and requires testing. Use of multiple safety mats does not change the safety performance of the system since the active circuit is common to each.
    A Category 4 capable controller must be used to monitor the safety mat.


5.7 Two-Hand Control


5.7.1 General Considerations
The reliability and the safety of the circuitry for two hand control primarily, but not exclusively, rely on the
physical installation and the electrical interfacing of the hand controls (actuating devices).

Type I and II two-hand controls are not intended for safety applications; therefore, this technical report details
only Type III.
Note: See ANSI B11.19 and ISO 13851 for additional design, construction, installation, operation
and maintenance requirements.
Note: See ANSI B11.TR1 Annex E for ergonomic considerations in two-hand control applications.

5.7.1.1 Minimum functional requirements for a Two-hand Control as required by NFPA 79 and IEC 60204-1 (Type III):
- Concurrent actuation by both hands within a 500 ms time frame;
- Where this time limit is exceeded, both hand controls shall be released before operation is initiated;
- Continuous actuation during the hazardous condition;
- Cessation of the hazardous condition if either hand control is released;
- Release and re-actuation of both hand controls to re-initiate the hazardous operation (i.e., "anti-tie down");
- The appropriate performance level of the safety-related function (e.g., Control Reliability, Category, or SIL) as determined by a risk assessment.
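
The functional requirements listed above can be checked against a small state machine. The following is an added example written for this page, not a circuit or code from the B11 committee or from NFPA 79: a Python model of the concurrency window, cessation on release and anti-tie-down behaviour, fed with constructed time-stamped hand-control samples. The 500 ms window is the figure stated above; the sample times and the names `State`, `TwoHandControl` and `run_sequence` are the example's own.

```python
"""Type III two-hand control logic as a state machine.

Added example (not from the report): models the NFPA 79 / IEC 60204-1
functional requirements listed in 5.7.1.1. The 500 ms window is the figure
given in the text; timestamps and hand-control samples are constructed.
"""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()     # both hands released; a new cycle may be initiated
    ARMING = auto()   # one hand actuated; waiting for the second within the window
    RUNNING = auto()  # both actuated concurrently; hazardous motion enabled
    LOCKOUT = auto()  # late second hand or a release: both must be released first


class TwoHandControl:
    """Output `enabled` is True only while both hand controls are actuated and
    the cycle was initiated by concurrent actuation within WINDOW_MS."""

    WINDOW_MS = 500  # concurrency limit from NFPA 79 / IEC 60204-1

    def __init__(self):
        self.state = State.IDLE
        self.first_press_t = None
        self.enabled = False

    def update(self, t_ms, left, right):
        """Process one sample of the two hand-control inputs taken at t_ms."""
        both, either = left and right, left or right
        if self.state is State.IDLE:
            if both:
                self.state = State.RUNNING   # actuated within the same sample
            elif either:
                self.state, self.first_press_t = State.ARMING, t_ms
        elif self.state is State.ARMING:
            if not either:
                self.state = State.IDLE      # released before the second hand: retry allowed
            elif both:
                in_window = t_ms - self.first_press_t <= self.WINDOW_MS
                self.state = State.RUNNING if in_window else State.LOCKOUT
            elif t_ms - self.first_press_t > self.WINDOW_MS:
                self.state = State.LOCKOUT   # one hand held alone too long (tie-down)
        elif self.state is State.RUNNING:
            if not both:
                # Cessation as soon as either hand is released; the other hand must
                # also be released before re-initiation (anti-tie-down).
                self.state = State.LOCKOUT if either else State.IDLE
        elif self.state is State.LOCKOUT:
            if not either:
                self.state = State.IDLE
        self.enabled = self.state is State.RUNNING
        return self.enabled


def run_sequence(samples):
    """Feed (t_ms, left, right) samples through a fresh control; return the enable outputs."""
    control = TwoHandControl()
    return [control.update(t, left, right) for t, left, right in samples]


# Constructed sample sequences (time in ms, left pressed, right pressed)
NORMAL_CYCLE = [(0, False, False), (100, True, False), (300, True, True),
                (400, True, True), (500, True, False), (600, False, False)]
LATE_SECOND_HAND = [(0, True, False), (700, True, True), (800, True, True),
                    (900, False, False), (1000, True, True)]
TIED_DOWN_BUTTON = [(0, True, False), (100, True, False), (600, True, False),
                    (700, True, True)]
```

`run_sequence(NORMAL_CYCLE)` enables motion only from the sample where both hands are down within the window until the first release; `LATE_SECOND_HAND` shows that a second hand arriving after 500 ms is refused until both are released; `TIED_DOWN_BUTTON` shows that a button held down alone never lets the other hand start a cycle. The model deliberately has no knowledge of the physical contacts, which is the point of 5.7.1.2: a welded or shorted contact that reports "pressed" to this logic defeats it, so the hand-control hardware and its monitoring carry the rest of the safety performance.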

ISO 13851 describes the functional and safety requirements of two-hand control and the relationship of the
Type designation to the Category requirements of ISO 13849-1. This standard segments the Type III
designation into three sub-classifications: Type IIIa, Type IIIb, and Type IIIc.
While all three sub-classifications have the same functional requirements as described above, this standard
requires at a minimum that Type IIIa meets Category 1, Type IIIb meets Category 3, and Type IIIc meets
Category 4 per ISO 13849-1.

The typical circuit characteristics for each are:

- Type IIIa, Category 1: A single failure can result in the loss of the safety function (e.g., a short circuit across a single normally open contact in one palm button results in no stop signal when a hand is removed from that palm button).
- Type IIIb, Category 3: A single failure does not result in the loss of the safety function, but an accumulation of undetected failures can result in the loss of the safety function (e.g., a palm button that has two independent normally open contacts can resist a single failure, but may fail unsafe if two shorts across the redundant contacts occur).
- Type IIIc, Category 4: A single failure does not result in the loss of the safety function. This is typically accomplished with a palm button that has two independent contacts, one normally open and one normally closed.

5.7.1.2 Physical Installation and Electrical Interface Considerations:

- the design, construction, and installation of the hand controls (e.g., palm buttons). This includes considering failure modes that would result in a short circuit, a broken spring, mechanical seizure, etc. that would result in not detecting the release of a hand control;
- severe contamination or other environmental influences that may cause slow response when released or a false ON condition of the hand control(s), e.g., sticking of mechanical linkages;
- the functional reliability and installation of the logic devices (e.g., Timer Relays (TR), Control Relays (CR), Two-Hand Control Safety Interface Modules (SIM));
- proper electrical installation, such as over-current protection (per NEC & NFPA 79 or IEC 60204);
- minimizing the possibility of defeat, and unintended or accidental actuation;
- ensuring that a short circuit to a secondary source of power that would result in the loss of the switching action of the protective stop circuit is not possible or is reduced to a tolerable (minimal) level of risk;
- routine functional checks and maintenance.


5.7.1.3 Two-Hand Control Safety Interface Modules


If a self-monitoring safety interface module is incorporated, the module must be designed, constructed and certified
to meet the expected level of safety performance. Typically this includes the monitoring of the hand controls
and the Force-guided Relays, and provides protective stop circuits.

5.7.2 Lowest Risk Reduction Two Hand Control (Type IIIa Category 1)
5.7.2.1 Two Hand Control (Type IIIa Category 1)

Safety Function: Complies with basic functional requirements of a two-hand control per NFPA 79 and IEC 60204-1, see 5.7.1.1.
    NOTE: Contact TR1 is a normally open contact held closed, with a delayed drop-off of less than 500 ms.
Faults to Consider: The functional reliability and installation of the Timer Relay (TR) and the Control Relay (CR) that could result in:
    - Stuck armature in CR1;
    - Welded contacts of CR1 or TR1;
    - Wiring short from power to the coil or across a contact of CR1 or TR1;
    - A change in the drop out time of TR1.
Fault Exclusion: Failure of the button to return when released (i.e., open the circuit).
Safety Principles: Well tried devices.


5.7.2.2 Low / Intermediate Risk Reduction Two-Hand Control (Type IIIa Category 1)

Safety Function: Complies with basic functional requirements of a two-hand control per NFPA 79 and IEC 60204-1, see 5.7.1.1. At a minimum, this circuit complies with requirements of a Type IIIA Two-hand Control per ISO 13851.
Faults to Consider: The safety interface module must meet the required level of safety performance as determined by the risk assessment for the expected level of risk reduction. It must be able to detect a short circuit between input channels and issue an immediate stop.
    A short circuit in the interconnect wiring for a hand control and the safety interface module will result in the loss of the stop command.
Fault Exclusion: Failure of the button to return when released (i.e., open the circuit).
Safety Principles: The primary limitation of this circuit is the method by which the hand controls are monitored. Since each button provides only a single normally open contact, a short circuit, a broken spring, mechanical seizure, etc. can result in the safety module not detecting the release of the button. A free hand could result without cessation of the hazardous condition.


5.7.3 Intermediate / High Risk Reduction Two-Hand Control (Type IIIb Category 3)
5.7.3.1 Two Hand Control (Type IIIb Category 3)

Safety Function: Complies with basic functional requirements of a two-hand control per NFPA 79 and IEC 60204-1, see 5.7.1.1.
    The risk reduction is improved by adding redundant Force-guided Relays and monitoring those relays via normally closed contacts in the timer relay circuit.
    NOTE: Contact TR1 is a normally open contact held closed, with a delayed drop-off of less than 500 ms.
Faults to Consider: The functional reliability and installation of the Timer Relay (TR) that could result in a change in the drop out time of TR1.
Fault Exclusion: Failure of the button to return when released (i.e., open the circuit).
Safety Principles: Input wire-to-wire shorts are detected by switching both sides of the circuit, causing a short and opening of the fuse (typically done on low voltage ungrounded circuits).
    Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended.
    The circuit must be periodically tested to assure the function of each push button.


5.7.4 Intermediate / High Risk Reduction Two-Hand Control (Type IIIb Category 3)
5.7.4.1 Two-Hand Control (Type IIIb Category 3)

Safety Function: Complies with basic functional requirements of a two-hand control per NFPA 79 and IEC 60204-1, see 5.7.1.1. At a minimum, this circuit complies with requirements of a Type IIIB Two-hand Control per ISO 13851.
Faults to Consider: The safety interface module must meet the required level of safety performance as determined by the risk assessment for the expected level of risk reduction. It must be able to detect a short circuit between input channels and issue an immediate stop.
    The design, construction, and installation of the palm buttons must have redundant contacts that have separate mechanical linkages and springs.
    An accumulation of failures or a short circuit in the interconnect wiring for a hand control and the safety interface module will result in the loss of the stop command.
Fault Exclusion: Short within the input channel of the safety interface module.
    Failure of the button to return when released (i.e., open the circuit).
Safety Principles: The method by which the hand controls are monitored is similar to the Type IIIA circuit (i.e., "four wire" hookup), but to overcome the possibility of certain single failures, a second normally open contact per button is required. The redundant contact configuration eliminates or minimizes failures that can include a short circuit across a single contact, a single broken spring, and some mechanical seizure issues. While these failures are not detected, this reduces the chance of a free hand without cessation of the hazardous condition.
    Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended.


5.7.5 Highest Risk Reduction Two-Hand Control (Type IIIc Category 4)

Safety Function: Complies with basic functional requirements of a two-hand control per NFPA 79 and IEC 60204-1, see 5.7.1.1. At a minimum, this circuit complies with requirements of a Type IIIC two-hand control per ISO 13851.
Faults to Consider: The safety interface module must meet the required level of safety performance as determined by the risk assessment for the expected level of risk reduction. It must be able to detect a short circuit between input channels and issue an immediate stop.
    The design, construction, and installation of the palm buttons must have redundant contacts that have separate mechanical linkages and springs.
Fault Exclusion: Failure of the button to return when released (i.e., open the circuit).
Safety Principles: This method of monitoring the hand controls is superior to the "four wire" hook-up of Type IIIA and Type IIIB Two-Hand Control circuits. Hand Controls in a Type IIIC Two-Hand Control must not only offer redundant contacts (or outputs), but also detect reasonably foreseeable failure modes that would lead to not detecting the release of a hand control. The "six-wire" NO/NC hook-up further eliminates or minimizes the failures that Type IIIB addresses by monitoring for a short circuit in the interconnect wiring. This further reduces the chance of a free hand without cessation of the hazardous condition.


5.8 Zero (Stand Still) Speed Detection


5.8.1 General Considerations
Zero speed detection is the ability to determine when hazardous motion has ceased or is at a very low
velocity/RPM. This process is used when the safeguarding device is too close to the hazardous motion to
assure that the motion has ceased before the hazard can be reached. Under this condition, access is
permitted to the hazard only after the motion is sufficiently slow to assure that motion has ceased before
access is gained. This is usually done through the use of solenoid operated locks or key release which
enable access through physical barrier(s). While the motion stop command may be from a non-safety
capable device, the act of gaining access must generate an immediate stop command whose capability
matches the risk assessment requirements. Additionally, if the speed detection is used to prevent access to
the hazard until motion has ceased due to insufficient separation distance from guard opening to hazard, the
safety performance of the speed detection circuit must be commensurate with the SRP/CS as indicated by
the risk assessment.

The zero speed detection device(s) has Normally Open contacts which close when the motion is at or below
the desired speed. There are numerous methods which may be used as an input mechanism to detect zero
speed. The method chosen and the point in the drive train chosen to monitor for speed must be carefully
evaluated to minimize the possibility of a false zero speed, in which the monitored point on the drive train has
stopped, but the hazard continues to move. A simple example of this could be monitoring the motor speed
on a belt drive output hazard such as a saw blade. In this case, the belt could fail under the braking torque,
allowing the saw blade to continue to spin even though the motor has ceased all motion.

Detection Means: Common means of determining zero speed are given below. These may range from
simple monitors to fully safety rated systems. Note that a time-delay-only method has not been included in the
methods because of the variation in stopping time which may exist under varying loads and speeds. Use of such
a design must be very carefully reviewed for both mechanically caused stop time variations and timer variation
and faults. The initiation of the timer sequence must also be reviewed to assure that the prime mover has
indeed been de-energized and started its deceleration before coast timing is initiated.

Back EMF Sensing: The zero speed detection device measures the phase to phase voltage at the motor
leads after the supply power has been removed. The voltage (back EMF) generated by the revolving rotor
decreases as its RPM slows. When the voltage has reached a sufficiently low value, indicating an almost
stopped state, the zero speed detection device(s) energizes the output. Some devices look for the inverse
voltage spike which is generated at stop. Care should be taken in the use of these devices on variable
frequency drives, to assure that low drive frequencies do not generate false outputs. Consult the manufacturers'
data for the application of the device with variable frequency drives.

Encoder Sensing: The zero speed detection device(s) monitors the encoder pulse train to determine the
speed and direction of the hazardous motion. The encoder is usually mounted on the motor, but may be
attached to any drive train rotating shaft.

Proximity Switch Sensing: The sensor detects a number of discontinuities on the drive location to be
monitored. As they pass by the sensor, the output resets a timer. Most systems use inductive proximity
switches, but through-beam (opposed mode) photo-electric sensors are also used. The zero speed detection
device(s) monitors the pulses to determine the angular velocity of a rotating or moving target such as a
gear or rack. The number of discontinuities determines the relative sensitivity of the speed sensing and the
timing means. Comparison to the set point may be by time between pulses or by pulse train frequency. Higher
safety Category systems will use multiple sensors and sensing points.

The Proximity Switch and Encoder Sensing function can also be used to monitor actual speed, not just zero.
Limiting the maximum speed of a hazard may be used as part of an alternate safeguarding method. The
alternate method cannot be engaged unless the speed of the hazardous motion is below a pre-determined
rate, usually taken to be 250 mm/sec (10 in/sec) on linear motion. An "overspeed" module has N.O.
contact(s) which are maintained in the closed position as long as the module is powered and the input speed is
below the set point. This may be used to permit alternate safeguarding methods such as manual JOG/INCH
and Enabling devices which are operational only while the hazard is at reduced speed.

5.8.2 Lowest Risk Reduction (Category 1)


5.8.2.1 Single Proximity Sensing (Category 1)

[Circuit diagram: single proximity sensor, off delay timer TR1, holding relay CR1 and the auxiliary contact of contactor MS-1; the STOPPED output goes to the logic circuit requiring zero speed (stopped) indication status. To make this a Category 2 circuit, add machine control monitoring (shown in a separate diagram).]

Safety Function: The circuit 'STOPPED' output goes high when the rotation of the gear has approached zero RPM. The STOPPED signal is used in the safety portion of the control circuit to gain access to the safeguarded space when motion has ceased.
    The proximity switch resets the off delay timer at each sensing pulse. When the interval between pulses exceeds the off delay setting, the N.C. contact closes and pulls in holding relay CR1. MS-1 is the contactor that controls the hazardous motion. The normally closed auxiliary contact of MS-1 resets the holding circuit when the hazard is under power.
Faults to Consider: Failure of the sensor to detect gear teeth, causing an immediate "zero speed" indication.
    Failure of the sensor in the off mode, causing an immediate "zero speed" indication.
    Failure of the sensing gear coupling.
    Loss of drive integrity between motor and hazardous motion.
    Failure of timer TR1.
    Failure of the CR1 armature.
    Welded contacts.
    Power supply brown out causing false sensor output.
Fault Exclusion: On flexible drives, it may not be possible to assure that there is minimum slippage between the components. Whenever possible, the sensing gear should be mounted on the hazardous motion. A robust mounting and vibration tolerant fastening system should be used.
    Power supply brown out may be excluded if the relay drop out voltage is higher than the sensor's sensing failure voltage.
Safety Principles: The actual speed of the gear at "zero" speed is a function of the number of teeth on the gear as well as the timer setting. Setting the timer too short can produce an output even though the gear is still rotating.


5.8.3 Intermediate / High Risk Reduction (Category 3)


5.8.3.1 Dual Proximity Sensors to Timers and Force-guided Relay Monitoring (Category 3)

[Circuit diagram: off delay timers TR1 and TR2 driving Force-guided Relays FGR1 and FGR2, each with a holding circuit reset by the force-guided auxiliary contacts of MPCE1 and MPCE2; TR3 and FGR3 bridge the two channels; the STOPPED output is taken through contacts of FGR1, FGR2 and FGR3.]

Safety Function: The circuit output goes high when the rotation of the gears has approached zero RPM. The "STOPPED" output is used to enable the safety-related portion of the control system to unlock the access to the hazard. The MPCE motor starter is not part of the safety function, as a failure to stop does not present a hazardous situation since there will be no access. The MPCE supply should be interrupted by the safety circuit when the access door is open to prevent a re-start.
    The pulses from proximity sensors 1 and 2 each reset their own off delay timer. When the pulse interval exceeds the timer setting of each timer, the respective relay pulls in, setting each holding circuit. TR3 covers timing differences between the timers and bridges the interval when one FGR is energized but the other is not, as well as the angular difference in sensor trip points. The hazardous motion MPCEs' force-guided auxiliary contacts drop the holding circuits when the hazard is under power, assuring that the timer contacts open and their FGRs drop out during hazard energization, pulling in FGR3 for the next cycle.
    The gear must be coarse enough so the relays have time to cycle between lobes at the last transition.
    The STOPPED signal is used in the safety portion of the control circuit to gain access to the safeguarded space when motion has ceased.
Faults to Consider: Loss of drive to the sensor gears.
    Loss of drive integrity between motor and hazardous motion.
Fault Exclusion: Failure of a sensor to detect the gear will be detected by the circuit, which requires both timers to cycle for each zero speed cycle.
    If the two gears are mounted on separate shaft sections, the loss of gear drive may be excluded.
    The failure of any of the timers will be detected by the circuit.
    Use of Force-guided Relays and Contactors assures that welded contacts or a stuck armature will be detected.
    Power supply brown out may be excluded if the FGR drop out voltage is higher than the sensor sensing failure voltage.
Safety Principles: On flexible drives, it may not be possible to assure that there is minimum slippage between the components. Whenever possible, the sensing gears should be mounted on the hazardous motion. Individual mounting of both sensors and gears can remove common cause failures.
    Only one contact per timer is used since electronic timers typically do not contain Force-guided Relays. By having the timers drive Force-guided Relays, the timer function can be reliably monitored in the circuit.
    Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of both is recommended.


5.8.3.2 Dual Proximity Sensors to Timers and Force-guided Relay Monitored by a SIM (Category 3)

Safety Function: The circuit output goes high when the rotation of the gears has approached zero RPM.
The STOPPED signal is used in the safety portion of the control circuit to gain access to the safeguarded
space when motion has ceased.
Proximity sensors 1 and 2 each reset an off delay timer. When the pulse interval exceeds the off delay
timer setting of each timer, the respective relay pulls in. The hazardous motion MPCE's force-guided
auxiliary contacts drop the holding circuits when the hazard is under power, assuring that the timer
contacts open and their FGRs drop out during hazard energization. The SIM monitors for single faults in
the sensing circuit.
Faults to Consider: Loss of drive to the sensor gears.
Loss of drive integrity between motor and hazardous motion.
Fault Exclusion: Failure of a sensor to detect the gear will be detected by the circuit, which requires both timers to cycle for
each zero speed cycle.
If the two gears are mounted on separate shaft sections, the loss of gear drive may be excluded.
The failure of any of the timers will be detected by the circuit.
Use of a Force-guided MPCE assures that welded contacts or a stuck armature will be detected.
Power supply brown out may be excluded if the FGR drop out voltage is higher than the voltage at which the
sensors fail to sense.
Safety Principles: On flexible drives, it may not be possible to assure that there is minimum slippage between the
components. Whenever possible, the sensing gears should be mounted on the hazardous motion. The
use of individual mounting of both sensors and gears can remove common cause failures.
Only one contact per timer is used since electronic timers typically do not contain Force-guided Relays.
By having the timers drive Force-guided Relays, the timer function can be reliably monitored in the circuit.
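A discrete-time model of the dual proximity sensor / off-delay timer circuits of 5.8.3.1 and 5.8.3.2, added here as an example that is not part of the report. It captures the two rules stated above: STOPPED is given only when both off-delay timers have timed out after the hazard is de-energized, and a channel that did not cycle (produced no pulses) during the last energized run is treated as a fault, not as standstill. Class and function names, the 0.5 s timer setting and the pulse trains are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OffDelayChannel:
    """One proximity sensor retriggering one off-delay timer (one channel)."""
    delay: float                        # off-delay timer setting, seconds (assumed)
    last_pulse: Optional[float] = None  # time of the most recent sensor pulse
    cycled: bool = False                # pulses were seen during the current run

    def pulse(self, t: float) -> None:
        self.last_pulse = t
        self.cycled = True

    def timed_out(self, t: float) -> bool:
        """Timer output dropped: no pulse within the off-delay setting."""
        return self.last_pulse is None or (t - self.last_pulse) > self.delay


class ZeroSpeedMonitor:
    """Two channels, cross-checked the way the report's relay circuit does."""

    def __init__(self, delay: float):
        self.channels = (OffDelayChannel(delay), OffDelayChannel(delay))
        self.energized = False
        self.faults: List[str] = []

    def mpce_energize(self) -> None:
        # The MPCE's force-guided auxiliary contact drops the holding circuits
        # while the hazard runs, so every channel must prove itself again.
        self.energized = True
        for ch in self.channels:
            ch.cycled = False

    def mpce_deenergize(self, t: float) -> None:
        self.energized = False
        # A channel that produced no pulses during the run did not "cycle":
        # its sensor, gear or gear drive has failed, so it must not be trusted.
        for n, ch in enumerate(self.channels, start=1):
            if not ch.cycled:
                self.faults.append(f"channel {n} produced no pulses during run ending at t={t}")

    def stopped(self, t: float) -> bool:
        """STOPPED output: hazard de-energized, no faults, and both channels
        cycled in the last run and have now timed out. Before the first run
        nothing has been proven, so STOPPED is withheld (an assumption here)."""
        if self.energized or self.faults:
            return False
        return all(ch.cycled and ch.timed_out(t) for ch in self.channels)


Event = Tuple[float, str, Optional[int]]


def simulate(events: List[Event], delay: float) -> Tuple[List[bool], List[str]]:
    """Drive the monitor with (time, kind, channel) events; kind is "energize",
    "deenergize", "pulse" (channel 1 or 2) or "check". Returns the STOPPED
    value observed at each "check" and the accumulated fault list."""
    mon = ZeroSpeedMonitor(delay)
    checks: List[bool] = []
    for t, kind, ch in sorted(events, key=lambda e: e[0]):
        if kind == "energize":
            mon.mpce_energize()
        elif kind == "deenergize":
            mon.mpce_deenergize(t)
        elif kind == "pulse":
            mon.channels[ch - 1].pulse(t)
        elif kind == "check":
            checks.append(mon.stopped(t))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return checks, mon.faults


def healthy_run():
    """Constructed pulse trains: both gears pulse every 0.1 s for 1 s."""
    events: List[Event] = [(0.0, "energize", None)]
    for i in range(1, 11):
        events.append((i * 0.1, "pulse", 1))
        events.append((i * 0.1 + 0.02, "pulse", 2))   # sensor 2 trips slightly later
    events += [(1.05, "deenergize", None),
               (1.2, "check", None),    # still inside the off delay: not yet STOPPED
               (2.0, "check", None)]    # both timers timed out: STOPPED
    return simulate(events, delay=0.5)


def failed_sensor_run():
    """Same run, but channel 2 never pulses (sensor or gear drive failure)."""
    events: List[Event] = [(0.0, "energize", None)]
    for i in range(1, 11):
        events.append((i * 0.1, "pulse", 1))
    events += [(1.05, "deenergize", None), (2.0, "check", None)]
    return simulate(events, delay=0.5)


if __name__ == "__main__":
    print("healthy:", healthy_run())              # ([False, True], [])
    print("failed sensor:", failed_sensor_run())  # ([False], ['channel 2 ...'])
```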


5.8.3.3 Dual Proximity Sensors to Dual Frequency Counters Monitored by a SIM (Category 3)

Safety Function: The circuit output goes high when the rotation of the gears has approached zero RPM as
defined by the frequency (rate) monitor set points.
Proximity sensors 1 and 2 each feed an OVERSPEED frequency counter. When the pulse
frequency is below the counter setting of each counter, the respective output contacts are closed.
The SIM monitors for single faults in the sensing circuit.
The STOPPED signal is used in the safety portion of the control circuit to gain access to the
safeguarded space when motion has ceased.
Faults to Consider: Loss of drive to the sensor gears.
Loss of drive integrity between motor and hazardous motion.
Fault Exclusion: Failure of a sensor to detect the gears will be detected by the circuit, which requires both frequency
counters to cycle for each zero speed cycle.
If the two gears are mounted on separate shaft sections, the loss of gear drive may be excluded.
The failure of either of the frequency counters will be detected by the SIM.
Use of the Safety Interface Module assures that welded contacts or a stuck armature will be detected.
Power supply brown out may be excluded if the SIM drop out voltage is higher than the voltage at which
the sensors fail to sense.
Safety Principles: On flexible drives, it may not be possible to assure that there is minimum slippage between the
components. Whenever possible, the sensing gears should be mounted on the hazardous motion.
The use of individual mounting of both sensors and gears can remove common cause failures.
Only one contact per timer is used since electronic timers typically do not contain Force-guided
Relays. By having the timers drive Force-guided Relays, the timer function can be reliably monitored
in the circuit.
Care must be taken in setting the set points and in monitoring them for unauthorized changes, as a high
frequency set point could enable the circuit's "zero" speed output at an unacceptable velocity.


5.8.3.4 Dual Proximity Sensors Plus Zero Speed or Stand Still SIM (Category 3 or 4)

Safety Function: The circuit output goes high when the rotation of the gear has approached zero RPM.
The STOPPED signal is used in the safety portion of the control circuit to gain access to the
safeguarded space when motion has ceased.
Proximity sensors 1 and 2 each feed pulses into a dual channel Zero Speed (Stand Still) SIM, which
monitors the sensors and internal faults.
Faults to Consider: Loss of drive to the sensor gear.
Loss of drive integrity between motor and hazardous motion.
Fault Exclusion: Failure of a sensor to detect the gear will be detected by the circuit, which requires both frequency
counters to cycle for each zero speed cycle.
If the two gears are mounted on separate shaft sections, then the loss of gear drive may be
excluded.
The failure of either of the frequency counters will be detected by the circuit.
Use of the Safety Interface Module assures that welded contacts or a stuck armature will be detected.
Power supply brown out may be excluded if the SIM drop out voltage is higher than the voltage at which
the sensors fail to sense.
The manufacturer may have certification for a Risk Category 3 or 4.
Safety Principles: On flexible drives, it may not be possible to assure that there is minimum slippage between the
components. Whenever possible, the sensing gears should be mounted on the hazardous motion.
The use of individual mounting of both sensors and gears can remove common cause failures.

5.8.3.5 Encoder Speed Monitoring (Category 3)

Safety Function: The circuit output goes high when the rotation of the encoder has approached zero RPM or
when it is below a safe speed.
An encoder is used as the input to the encoder speed monitor SIM.
The STOPPED signal is used in the safety portion of the control circuit to gain access to the
safeguarded space when motion has ceased.
Faults to Consider: Loss of drive to the encoder.
Loss of drive integrity between motor and hazardous motion.
Failure of the encoder output pulse.
Fault Exclusion: If the encoder is also used as the feedback to the drive control, some failure modes will be detected
by the drive system. The user must evaluate the impact of two devices on the encoder on performance
and mean time to failure.
Use of the Safety Interface Module assures that welded contacts or a stuck armature will be detected.
Safety Principles: On flexible drives, it may not be possible to assure that there is minimum slippage between the
components. If the encoder is mounted on the motor of a belt drive or other non-direct drive, then
the encoder may not detect zero speed.
Category 3 requires dual contactors. Monitoring of at least one contactor is required; monitoring of
both is recommended.


5.8.3.6 Motor Drive Back EMF Detection (Category 3 or 4)

Safety Function: The circuit output goes high when the rotation of the drive motor has approached zero RPM.
The back EMF of the motor is monitored while coasting down. This is done either by monitoring the level
of the voltage induced in the open motor windings by the rotor motion during coast down, which is
inversely proportional to the rotor RPM, or by using the voltage reversal spike generated at rotor
stop.
The STOPPED signal is used in the safety portion of the control circuit to gain access to the
safeguarded space when motion has ceased.
Faults to Consider: Loss of drive integrity between motor and hazardous motion.
False zero due to noise-induced negative voltage pulses at low drive frequency, especially on
voltage reversal sensors.
The manufacturer may have certification for a Risk Category 3 or 4.
Fault Exclusion: If the drive is direct or a gear train, the loss of drive integrity may be excluded. Flexible drives (e.g., belt
drives) should not be used with this method unless additional protective measures are taken to
detect a loss of drive integrity.
Back EMF SIMs to be used on variable frequency drives must be specifically approved by a
statement from the manufacturer. Use of a unit not suited for VFDs may produce a false "zero speed" at
low drive frequencies while the motor is still under power.
Use of the Safety Interface Module assures that welded contacts or a stuck armature will be detected.
Safety Principles: On flexible drives, it may not be possible to assure that there is minimum slippage between the
components. Belt drives and other non-direct drives should not be monitored for zero speed in this
manner.


5.9 Enabling Devices


5.9.1 General Considerations
An enabling device is a manually operated control device used in conjunction with a start control. The safety
function of the enabling switch has two parts: 1) when continuously held in the enabled position, the enabling
device allows machine operation, and 2) when released from the enabled position, the enabling device
initiates a stop command or prevents machine operation.

In the past, relevant machine standards described use of enabling devices incorporating a 2-position switch
when personnel were required to enter a normally guarded area of a machine with hazardous motion or
stored energy applied. In the event of an unexpected incident, the 2-position switch is designed to open
when released. The 3-position switch provides enhanced safety performance as it is designed to open when
either released or when depressed beyond the enabled state. The trend in recent updates of relevant
standards for machine safeguarding is towards the use of 3-position switches, due to the enhanced safety
performance. Various types of control devices use the 3-position switch as an enabling device. These are
typically standalone enabling pendants, multi-functional control pendants and portable HMI devices. This
technical report focuses on the use of 3-position enabling devices used as alternative safeguarding when
entering a normally guarded area of a machine or process while power is applied.

The design and performance requirements of 3-position switches are established by ANSI B11.19 and IEC
60947-5-8. The enabling device has three sequential actuator positions. The contacts are closed when the
actuator is in the mid position (position 2). The contacts are open when the actuator is at rest (position 1)
and when it is fully depressed (position 3). When transitioning from position 3 to position 1, the contacts shall
remain open while passing through the middle (enabled) position (position 2).

Figure F
Enabling devices are typically used when access to the hazardous portion of the machine is needed with
power on the machine. Visual observations, minor adjustments, calibration, tool changes, teaching points
and lubrication are examples of tasks that may utilize an enabling device. Before accessing the machine,
the operator should place the machine in a reduced performance mode. This is usually accomplished through
use of a selector switch or some other method of signaling to the control system to put the machine in a
special function (e.g., "manual" or "maintenance") mode. A risk assessment shall be performed to determine
the level of reduced performance. The level of safety achieved while working inside a normally guarded
hazardous area with an enabling pendant, with power on the machine, shall meet or exceed the level
identified through risk assessment while normal guards are in place. The concept is that in the event of an
unexpected event, the operator will either release or squeeze the actuator of the enabling device and disable
the machine before being injured.

Machine designers will quickly realize that the enabling device by itself is easy to understand – it simply has
a set of contacts. The application of the enabling device into a machine safeguarding system is the
challenge. Consideration shall be given to the following:

Type of access: Partial body and full body access to the hazard area require different systems for correct
usage of the enabling device. The safety system can be reset automatically in applications of partial body
access. The safety system shall be reset manually for full body access systems.

Multiple Users: When more than one person needs to access the hazard area, each person shall use an
enabling device. All enabling devices shall be actuated to initiate the hazard. Administrative procedures
shall be in place to inform users that all persons entering the hazard area shall utilize enabling devices.

Tasks being performed: The tasks being performed by the user will help determine what to do with the
machine. If the operation is only visual observation or minor adjustments with no attempt to access the
hazard, then the machine can be run at normal speed. If access to the normally guarded area of the hazard
is required, the enabling task may require that the machine operate at a reduced performance level.

Setting the machine in reduced performance mode: A key-operated mode selector switch is a common
method of setting the machine in a reduced performance mode. The operator selects the reduced mode and
then removes the key from the switch, taking the key with him or her. The control system shall be designed
to ensure that the machine is not changed back to normal performance mode during the enabling task.

Knowing the machine is in reduced performance mode: Sensors can be used to determine that reduced
performance of the machine is maintained. Position sensors, encoders or other devices, monitored by an
appropriate logic device, provide feedback to the control system which limits the performance level. If the
performance (e.g., operating speed) were to increase beyond a predetermined limit, the control system
would execute a stop command.

Bypassing a primary safeguard: To use the enabling switch, the primary safeguarding of the machine
should be bypassed. The primary safeguarding device could be an interlocked guard switch, a light curtain,
a scanner, a safety mat or other safeguard. Since each of these safeguarding devices has different
operating characteristics, the enabling circuit diagrams may differ for each type of safeguard device.

Indication of Usage: ANSI B11.19 requires a visual means to be provided to indicate that the enabling
device is active. An indicator light can be located on the device itself or on the control panel.
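A model of the 3-position enabling device behaviour defined above (contacts closed only in the mid position and held open while returning from position 3 through position 2), together with the Multiple Users rule that every person's device must be actuated, as an added example that is not part of the report. The class and function names are assumptions made for this illustration.

```python
from typing import List

# Actuator positions as numbered in the report.
REST, ENABLED, DEPRESSED = 1, 2, 3


class EnablingDevice:
    """One 3-position enabling switch; tracks position and the pass-through lockout."""

    def __init__(self) -> None:
        self.position = REST
        self._tripped = False   # set once position 3 has been reached

    def move_to(self, position: int) -> bool:
        """Move the actuator to an adjacent position and return the contact state."""
        if position not in (REST, ENABLED, DEPRESSED):
            raise ValueError(f"no such position: {position}")
        if abs(position - self.position) > 1:
            raise ValueError("positions are sequential; the actuator cannot skip one")
        self.position = position
        if position == DEPRESSED:
            self._tripped = True     # squeezed through: contacts open and stay open
        elif position == REST:
            self._tripped = False    # only a full release re-arms the device
        return self.contacts_closed()

    def contacts_closed(self) -> bool:
        """Enable contacts: closed only in position 2 reached from position 1."""
        return self.position == ENABLED and not self._tripped

    def indicator_on(self) -> bool:
        """Visual 'enabling device active' indication that ANSI B11.19 requires."""
        return self.contacts_closed()


def run_sequence(positions: List[int]) -> List[bool]:
    """Contact state after each move of a fresh device through `positions`."""
    device = EnablingDevice()
    return [device.move_to(p) for p in positions]


def all_users_enabled(devices: List[EnablingDevice]) -> bool:
    """Multiple Users rule: every person in the hazard area holds a device in
    the mid position. An empty list is not an enable (nobody is holding one)."""
    return bool(devices) and all(d.contacts_closed() for d in devices)


if __name__ == "__main__":
    # Normal enable, a squeeze to position 3, release back through position 2
    # (contacts stay open), full release, then a fresh enable.
    print(run_sequence([2, 3, 2, 1, 2]))   # [True, False, False, False, True]
```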


5.9.2 Intermediate / High Risk Reduction (Category 3)


This circuit allows manual operation of the hazard with the use of an enabling device and Jog / Inch
control. There is no monitored reduction of the rate of hazardous motion.

Safety Function: In the manual mode, the hazard may not be initiated unless the enabling device has been operated
and held in the center position.
The Hazardous Function may be enabled when the protected zone gate is closed and the mode is
Automatic, OR the gate is open, manual mode has been selected, and the enabling device is held in
the enable mid position. When the enabling device is centered, the manual JOG/INCH button in the
control logic may produce motion.
Faults to Consider: Due to the series connection of gate interlock, mode selector, and enabling device, some failures of
the gate, mode selector, and/or enabling device are not detected.
Fault Exclusion: Welded contacts and relay failure are detected by the SIM.
Safety Principles: Robust design and testing prior to use may reduce the risk of undetected faults.
Single faults on the input channel, which may be detected by the SIM, are masked and/or reset by
the off/on cycling of any other device in series with the fault.
Alternate protective means, such as enabling device cable length and location of the JOG/INCH operator,
may be utilized to further reduce operator exposure.


5.9.3 Intermediate / High Risk Reduction (Category 3)


5.9.3.1 Enabling device with overspeed (Category 3)
An enabling device allows manual operation of the hazard, with a safety rated overspeed device added to assure
the reduced rate of hazardous motion.

Safety Function: Manual Function is enabled when the protected zone gate is open and manual mode has been
selected. When the enabling device is centered, the manual JOG/INCH button may produce
motion. The hazardous motion RPM must remain below the set point to enable the manual motion. A
manual reset is used to prevent semi-automatic hunting around the maximum speed.
Faults to Consider: Due to the series connection of gate interlock and enabling device, some failures of the gate and/or
enabling device are not detected.
Fault Exclusion: Welded contacts and relay failure are detected by the SIM.
Safety Principles: Robust design and testing prior to use may reduce the risk of undetected faults. Category 3 requires
dual contactors. Monitoring of at least one contactor is required; monitoring of both is
recommended.
Use of speed limiting can help reduce risk by increasing the possibility of escaping the hazardous
motion and is most commonly used in manual mode with enabling devices and JOG/INCH
operators. The enabling device is functional only when the hazardous motion is below the value
determined by the risk analysis, usually in the range of 250 mm/sec (~10 in/sec) or less. Due to the
nature of the hazard, this method is usually used in Intermediate / High to High risk reduction
safeguarding applications.
Any of the faults of the maximum speed monitor may enable the JOG/INCH function to an unsafe
speed.


5.9.3.2 Enabling device with manual/auto switch (Category 3)


A muting module is used to permit manual operation of a safeguarded, reduced speed hazard with the use
of an enabling device.

Safety Function: Manual Function is enabled when the protected zone gate is open and manual mode has been
selected. When the enabling device is centered, the manual JOG/INCH button may produce
motion. The hazardous motion RPM must remain below the set point to enable the manual motion. A
manual reset is used to prevent semi-automatic hunting around the maximum speed.
Faults to Consider: Due to the series connection of gate interlock and enabling device, some failures of the gate and/or
enabling device are not detected.
Any of the faults of the zero speed monitor may enable the JOG/INCH function to an unsafe speed.
Fault Exclusion: Welded contacts and relay failure are detected by the SIM.
Safety Principles: Robust design and testing prior to use may reduce the risk of undetected faults.
See also 5.8 on speed sensing.


5.9.3.3 Enabling device with manual mute enable (Category 3)


A muting module is used to permit manual operation of a partial entry guard opening with a reduced speed
hazard, using an enabling device.

Safety Function: Manual Function of this partial access guard opening machine is enabled when manual mode has
been selected. When the enabling device is centered, the manual JOG/INCH button may produce
motion. The hazardous motion RPM must remain below the set point to enable the manual motion. A
manual reset is used to prevent semi-automatic hunting around the maximum speed.
Faults to Consider: Due to the series connection of the enabling device, some failures are not detected.
Due to the partial entry construction of the guarding, the door is not required to be open in
order to utilize the enabling device.
The muting enable in manual mode is a control input, not a safety input.
Changing the mode selector away from manual may not inhibit the enable function once initiated.
Any of the faults of the zero speed monitor may enable the JOG/INCH function to an unsafe speed.
Fault Exclusion: Welded contacts and relay failure are detected by the SIM.
Since the Gate Closed limit switches directly interface with the SIM, and closure of a partial body
entry interlocked gate excludes individuals from the hazard, the automatic gate closed operation is
not compromised by a series component connection and is considered Intermediate / High risk
reduction.
Safety Principles: Robust design and testing prior to use may reduce the risk of undetected faults.
See also 5.8 on speed sensing.
Use of the muting module allows limiting the length of an enable cycle, based on module design.


5.9.4 Intermediate / High Risk Reduction (Category 4)


A muting module is used to permit manual operation of a safeguarded, reduced speed hazard with the use
of an enabling device. To assure the highest possibility of detecting a device failure, each device is interfaced
with its own SIM. The Category 3 rating of the overspeed SIM limits the system performance level.

Safety Function: Manual Function is enabled when the door of the full body access gate is open and manual mode has
been selected. When the enabling device is centered, a manual JOG/INCH button may produce motion.
The hazardous motion RPM must remain below the set point to enable the manual motion. A manual reset is
used to prevent semi-automatic hunting around the maximum speed.
Faults to Consider: The system performance is limited in the manual mode by the performance of the Over-speed SIM.
Performance in the automatic mode has not been compromised and is considered High risk reduction.
Any of the faults of the zero speed monitor may enable the JOG/INCH function to an unsafe speed.
Fault Exclusion: Welded contacts and relay failure are detected by the SIM.
Detection of failure modes of individual devices has not been compromised by the addition of series
connected contacts in the SIM input channels.
Safety Principles: See also 5.8 on speed sensing.
Use of the muting module allows limiting the length of an enable cycle, based on module design.


6 Power Control Devices Interface (MPCE)


6.1 General Considerations
In many applications the logic devices used in the development of the Safety-Related Parts of the Control
System (SRP/CS) are adequate to directly control the hazard, such as a small electrical operator. However,
devices such as SIMs are typically limited in output to 6 to 10 amp and 230 V AC. Many electrical devices
and combined electrical loads fall outside of that specification. In addition, many of the potentially hazardous
motions are caused by fluid power devices such as cylinders and fluid motors, and must be controlled by
special fluid power valves which have an electrical interface to the SRP/CS. Interfaces to fluid power devices,
both pneumatic and hydraulic, are specifically described in clause 6 and 7 respectively. The last device
which, when switched to enable, causes the hazardous state is called the Machine Primary Control Element
(MPCE), and in many cases is the power handling device.

In the case of electrical loads, there is a large selection of power control devices to accommodate both
current and voltage requirements. While solid state power control devices are available, most safety-related
power control is still accomplished with electro-mechanical devices. Special high frequency switching
applications will employ solid state control for normal cyclic operations and contactor(s) for the safety
function. As in the pilot device logic sections already covered in the previous clauses, the failure modes of
these devices must be understood and managed in order to preserve the integrity of the safety performance
designed into the logic and interface portion of the SRP/CS. The simplest approach is to continue the level
of integrity determined by the input design. That is, the same number of channels in the output and the
same safety capability of device performance feedback.

The previous clauses have emphasized the use of standard control and safety rated components to develop
SRP/CS output signals of various fault robustness to control the machine hazards.

The following clauses presume that a correct design using the previous clauses has been concluded, and
that its output is not to be directly interfaced to the hazardous device(s). The final switching element which
actually controls the hazardous motion or portion of the machine is called the Machine Primary Control
Element (MPCE). While the MPCE could be the direct output of the SRP/CS, this device is usually a higher
power electrical device, or a fluid power device. The introduction of solid state OSSDs in SIMs has made the use of
additional devices for hazard interface even more common. To use the following clauses, simply match the
required performance and SRP/CS outputs to the corresponding MPCE example. In some rare cases a
higher power capacity than the SRP/CS's capability may be needed to control the fluid power source(s).
Under those conditions the wiring suggested for the electrical MPCE should be used, along with the fluid
power recommendations of clause 6 and 7, including feedback of both types of devices.


6.2 Relays and Contactors


6.2.1 Lowest Risk Reduction (Category 1)

Safety Function: When the input from the SRP/CS goes low, the contactor drops out and power to the hazardous portion
of the machine is removed.
If the contactor does not open all power contacts, some portion of the hazard will remain energized.
Faults to Consider: Failure of the armature to drop due to jamming, residual magnetism or worn/broken springs.
Welded contacts failing to disconnect all load connections.
Short of the contactor coil wire to another power source.
Fault Exclusion: None to consider.
Safety Principles: Proper installation (e.g., gravity dependent devices).
The mean time between failures can be extended by correct load design and proper over current
protection.
Contacts should be inspected at a regular interval.
Contactors should be replaced when approaching their cycle life expectancy.
Shorting of the coil wire to another power source can be excluded if the SRP/CS source and the
contactor are in the same cabinet, or if precautions are taken to prevent such a short by isolating the
wire (for example, in separate conduit for a remotely located contactor).


6.2.2 Low / Intermediate Risk Reduction (Category 2)

Safety Function: When the input from the SRP/CS goes low, the contactors drop out and power to the hazardous portion
of the machine is removed.
Contacts from dual contactors in series with the hazardous portion of the machine increase the
probability of a hazard disconnect. If one contactor fails to disconnect the hazard's power, the other
contactor will.
Faults to Consider: Since the contacts to the load are in series, over current damage during one run cycle is a common
cause failure mode which could cause simultaneous welded contact failure.
The contactor coils tied to the same SRP/CS source are a common cause failure point. Shorting of
the feed wire to another source of power will prevent either contactor from dropping out.
Similarly, the series connection of the feedback auxiliary contacts is a common cause fault on a
short to another power source.
Fault Exclusion: Failure of the armature to drop due to jamming, residual magnetism or worn/broken springs, and
welded contacts failing to disconnect all load connections, will be detected through the use of the
force-guided auxiliary contact as feedback to the SRP/CS, preventing re-energization for another
hazardous cycle.
Loss of function of one contactor is detected by the feedback to the SRP/CS, preventing the
initiation of another cycle and forcing repair before the second contactor fails.
Safety Principles: Proper installation (e.g., gravity dependent devices).
Power to the hazard must be overload protected and the contactors conservatively sized to prevent
common cause failures of welded contacts due to over current in the same stop cycle.
The single source failure mode of common wiring of coils and feedback may be excluded when the
SRP/CS source and monitoring are in the same cabinet and in close proximity to the MPCE. If this is
not the case, special precautions must be taken to prevent shorting of these wires to a second
power source, such as separate conduit(s). Use of continuity feedback instead of power source feedback in
the SIM can eliminate false feedback signals due to shorting to another source of power. Category 3
requires dual valves. Monitoring of at least one valve is required; monitoring of both is
recommended.


6.2.3 Intermediate / High Risk Reduction (Category 3)

Safety Function: When the inputs from the SRP/CS go low, both contactors drop and power to the hazardous portion of the machine is removed.
Contacts from dual contactors in series with the hazardous portion of the machine increase the probability of a hazard disconnect. If one contactor fails to disconnect the hazard's power, the other contactor will.
Faults to Consider: Since the contacts to the load are in series, over current damage during one run cycle is a common cause failure mode which could cause simultaneous welded contact failure.
Fault Exclusion: Failure of the armature to drop due to jamming, residual magnetism or worn/broken springs and welded contacts failing to disconnect all load connections will be detected through the use of the force-guided auxiliary contact as feedback to the SRP/CS, preventing re-energization of another hazardous cycle.
Failure of both coils to drop due to a short to another power source is eliminated by use of a two channel supply, one per coil.
The use of dual channel feedback offers the opportunity to individually monitor the MPCE auxiliary contacts. The ability of a SIM to detect a fault of a feedback contact shorted to another source of power is a function of the SIM's feedback circuit and must be confirmed.
Safety Principles: Proper installation (e.g., gravity dependent devices).
Power to the hazard must be overload protected and the contactor conservatively sized to prevent common cause failures of welded contacts due to over current in the same stop cycle.
The type of failures in the feedback from the MPCE which may be detected is a function of the SIM's design. Some monitor the cycling of the inputs, or the concurrent state of the two feedback channels. Those SIMs which only monitor the presence of voltage may not detect certain faults, such as a short to another power source, even though dual channel feedback is used.


6.2.4 Highest Risk Reduction (Category 4)

Safety Function: When the inputs from the SRP/CS go low, both contactors drop and power to the hazardous portion of the machine is removed.
Contacts from dual contactors in series with the hazardous portion of the machine increase the probability of a hazard disconnect. If one contactor fails to disconnect the hazard's power, the other contactor will.
Faults to Consider: Since the contacts to the load are in series, over current damage during one run cycle is a common cause failure mode which could cause simultaneous welded contact failure.
Fault Exclusion: Failure of the armature to drop due to jamming, residual magnetism or worn/broken springs and welded contacts failing to disconnect all load connections will be detected through the use of the force-guided auxiliary contact as feedback to the SRP/CS, preventing re-energization of another hazardous cycle.
Failure of both coils to drop due to a short to another power source is eliminated by use of a two channel supply, one per coil.
The use of dual channel feedback offers the opportunity to individually monitor the MPCE auxiliary contacts. The ability of a SIM to detect a fault of a feedback contact shorted to another source of power is a function of the SIM's feedback circuit and must be confirmed.
Safety Principles: Proper installation (e.g., gravity dependent devices).
Power to the hazard must be overload protected and the contactor conservatively sized to prevent common cause failures of welded contacts due to over current in the same stop cycle.
The type of failures in the feedback from the MPCE which may be detected is a function of the SIM's design. Some monitor the cycling of the inputs, or the concurrent state of the two feedback channels. Those SIMs which only monitor the presence of voltage may not detect certain faults, such as a short to another power source, even though dual channel feedback is used.
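The distinction drawn in 6.2.3 and 6.2.4 between a SIM that only checks for feedback voltage and one that monitors the cycling of the inputs can be made concrete with a small model. The following Python is an added illustration and not circuitry or code from this report: the contactor, channel and SIM classes, the fault names, the three-cycle scenarios and the wiring fault on the MPCE 2 channel are all constructed assumptions.

```python
from enum import Enum


class Fault(Enum):
    NONE = "no fault"
    MPCE_NOT_DROPPED = "a contactor failed to drop (welded contacts or stuck armature)"
    FEEDBACK_STUCK = "a feedback channel does not follow its contactor (e.g. short to another 24 V source)"


class Contactor:
    """Gravity-dependent contactor with a force-guided N.C. auxiliary contact."""

    def __init__(self):
        self.main_closed = False
        self.welded = False          # simulated over-current damage to the main poles
        self.stuck_armature = False  # jamming, residual magnetism, worn/broken spring

    def energize(self):
        self.main_closed = True

    def de_energize(self):
        if not (self.welded or self.stuck_armature):
            self.main_closed = False

    @property
    def aux_nc_closed(self):
        # Force-guided: the N.C. auxiliary can only be closed when all main poles are open.
        return not self.main_closed


class FeedbackChannel:
    """One 24 V DC feedback wire from an auxiliary contact back to a SIM input."""

    def __init__(self, contactor, shorted_to_other_source=False):
        self.contactor = contactor
        self.shorted_to_other_source = shorted_to_other_source  # wiring fault: 24 V regardless of contact

    def voltage_present(self):
        return self.shorted_to_other_source or self.contactor.aux_nc_closed


class VoltagePresenceSim:
    """SIM that only checks that feedback voltage is present before allowing a start."""

    def __init__(self, channels):
        self.channels = channels
        self.latched = Fault.NONE  # a detected fault locks out further cycles until repaired

    def feedback_ok(self):
        return all(ch.voltage_present() for ch in self.channels)

    def run_cycle(self, contactors):
        if self.latched is Fault.NONE:
            self.latched = self._cycle(contactors)
        return self.latched

    def _cycle(self, contactors):
        if not self.feedback_ok():
            return Fault.MPCE_NOT_DROPPED
        for k in contactors:
            k.energize()
        for k in contactors:
            k.de_energize()
        return Fault.NONE


class CyclingSim(VoltagePresenceSim):
    """SIM that also requires every channel to drop out while the coils are energized."""

    def _cycle(self, contactors):
        if not self.feedback_ok():
            return Fault.MPCE_NOT_DROPPED
        for k in contactors:
            k.energize()
        # With the coils energized every auxiliary is open, so no channel may still show 24 V.
        stuck = any(ch.voltage_present() for ch in self.channels)
        for k in contactors:
            k.de_energize()
        if stuck:
            return Fault.FEEDBACK_STUCK
        if not self.feedback_ok():  # a contactor did not drop at the stop
            return Fault.MPCE_NOT_DROPPED
        return Fault.NONE


def run_scenario(sim_class, cycles=3, weld_k2_during_cycle=None, short_channel_2=False):
    """Run machine cycles and return the fault reported per cycle plus the end state."""
    k1, k2 = Contactor(), Contactor()
    sim = sim_class([FeedbackChannel(k1), FeedbackChannel(k2, short_channel_2)])  # MPCE 1, MPCE 2
    faults = []
    for i in range(cycles):
        if i == weld_k2_during_cycle:
            k2.welded = True  # contacts weld under load during this run; K2 will not open at the stop
        faults.append(sim.run_cycle([k1, k2]))
    return {
        "faults": faults,
        "power_removed": not (k1.main_closed and k2.main_closed),  # series: one open pole suffices
        "undetected_weld": k2.welded and sim.latched is Fault.NONE,  # circuit now relies on K1 alone
    }
```

With the MPCE 2 wire shorted to another source, the voltage-presence SIM keeps starting cycles and never reports the welded K2, so the series pair has silently degraded to a single contactor; the cycling SIM reports the stuck channel on the first cycle, before any weld occurs.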


6.3 Variable Frequency Drives (VFD)


6.3.1 Power Drive Systems - General Considerations
Power drive systems rated for safety applications, PDS (SR), can be used as an alternative to contactors to remove power from motors to achieve safety rated functions. IEC 61800-5-2 describes a set of safety rated functions and sets out the design, development, integration and validation requirements for drives to achieve a safety rating that meets the requirements of IEC 61508.

The safety functions set out in IEC 61800-5-2 are listed below. For the purposes of this Technical Report, only Safe Torque Off is considered, as this technical report does not consider programmable devices. The example circuits in this Technical Report achieve Safe Torque Off by hardware signals only.
• Safe Torque Off: Rotational or linear motor power is not applied or is removed; a Category 0 Stop.
• Safe Stop 1: Controls and monitors the motor deceleration rate within set limits to stop the motor, then executes the Safe Torque Off function; a Category 1 Stop.
• Safe Stop 2: Controls and monitors the motor deceleration rate within set limits to stop the motor and then executes the Safe Operating Stop function; a Category 2 Stop.
• Safe Operating Stop: Power is used to hold the motor in a stopped condition. A mechanical brake may not be needed.
• Safely Limited Speed: Prevents the motor from exceeding the specified speed limit.
• Safely Limited Torque: Prevents the motor from exceeding the specified torque or linear force limit.
• Safely Limited Position: Prevents the motor shaft from exceeding the specified position limit(s).
• Safely Limited Increment: Prevents the motor shaft from exceeding the specified increment: a jog.
• Safe Direction: Ensures that the motor shaft can move only in the specified direction.
• Safe Motor Temperature: Prevents the motor temperature from exceeding a specified limit.
• Safe Brake Control: Provides a safe output signal to control an external brake.
• Safe Cam: Provides a safe output signal to indicate whether the motor shaft position is within a specified range.
• Safe Speed Monitor: Provides a safe output signal to indicate whether the motor speed is below a specified limit.

Figure G below shows a block diagram of power drive systems.

Figure G


Figure H below describes the power section of the drive in a more detail. For AC powered drives, the
incoming power is rectified to DC power, which is stored in capacitors. The output transistors are pulsed in
specific sequences to achieve motor rotation. A high integrity disable is added to safety rated drives to
disable the transistor drive pulses.

[Figure H: power section of the drive. The High integrity disable acts on the Pulse sequence control; output transistors A1, B1, C1 (upper) and A2, B2, C2 (lower) sit between the supply lines L1, L2, L3 and the Motor.]

Figure H
Without the pulsing of the output transistors, rotation of the motor is very limited.* For example, if transistor A1 were to short in the ON state, the rotor would go to a locked condition. If A1 and B2 were to short simultaneously (an improbable event), the rotor will rotate to a locked position. If the motor has 8 poles, then the rotation is limited to 360/8 = 45 degrees. From then on, the motor will not rotate. In this design, software does not play a role in the safety function. Current technologies and approaches to safety are achieved with a focus on the drive circuitry to the output transistors.
*Based on the manufacturer's design (e.g., solid state output devices such as FETs, GTOs, BPGT), in some drives the shorting of one of the transistors may allow for continued operation of the motor with degraded performance.

Achievement of a safety rated functionality of many power drive systems is currently achieved by controlling
the gate drive circuits. To achieve the Safe Torque Off function, high integrity disabling hardware circuitry is
used. Future enhancements will allow safety rated software/firmware to control the output of the drive. This
approach is outside the scope of this technical report, at the time of publication.

For the purposes of this Technical Report, the operation of the drive is as follows. Drives from various
manufacturers may operate differently than described. Two block diagrams are used: one for standard rated
drives and one for safety rated drives. For both types of drives, pressing the Stop button initiates a
programmed deceleration of the motor to a stop condition with power remaining available to the motor. This
is a Category 2 stop. This Stop function is not safety rated.

For the standard drive, opening the enable signal executes a coast to stop. This coast to stop does not meet
the requirements of a Category 0 stop as power is still available at the output drive transistors.

Safety rated drives, often referred to as "Safety Stand Still" drives, are typically offered with a safety Category
rating. The safety rated drive has additional high integrity circuitry that inhibits modulation of the power
transistors. The high integrity circuitry must be connected to a safety rated stop signal which is appropriate
for the type of safety performance required. Some drive designs may have two external safety rated signals
(Ch1 and Ch2), while others use only one channel. A monitoring signal may be used to indicate that the
High Integrity Disable is active. At the time of this report, these drives are typically rated at Category 3.

The designer must carefully follow the manufacturer's directions to assure that the safety Category of the drive is not compromised by the performance of the safety rated portion of the control system to which it is interfaced. For example, a single channel enable safety rated drive may use coincidence between the stop command and the transistor pulse enable (disable) while another may use pulse coded signals, or exclusion by design to manage the potential failure of the control signal shorted to another source of power.

The Start and Stop signals are usually not part of the safety rated portion of the control system, but are used
in normal stopping and to provide an orderly shutdown or deceleration stop prior to the protective stop signal
being issued. See NFPA 79.

[Figure I: block diagrams of a Standard Rated Drive (Start and Stop into I/O Control and Modulation, with an Enable input; L1, L2, L3 into Rect., D.C. Storage, Inversion and the Motor) and a Safety Rated Drive (the same power path, with safety inputs Ch1 and Ch2 into the High Integrity Disable and a Feedback output). Note on the figure: the number of safety input or monitor channels is product specific and may vary from this example.]

Figure I
For this section of the report only the motor drive and a generic start/stop connection is shown. The interlock control signals, whether safety or non-safety-related, are developed as part of the control. If the motor control signal is part of the safety-related portion of the control system, its functionality may be chosen from the many examples of interlocks and controls shown earlier. It, together with the drive design, will determine the performance of this section of the safety-related portion of the control system.


6.3.2 Lowest Risk Reduction (Category 1)


6.3.2.1 Single Channel Interlock Stop Category 0 of an AC Motor using Standard Rated AC Drive

Safety Function: When the safety interlock control goes low, the drive is stopped by both the logic input and disabling of the Enable line. The latter forces all output transistors to shut off immediately. The motor is disconnected from the drive by the power poles of CON1, and will coast to a stop, with no torque.
While the safety interlock remains open, the power to the gate control circuitry in the drive remains off.
When the safety interlock is closed, the power to the gate control circuitry in the AC drive is restored, and the motor is connected to the drive by CON1. The motor will not rotate. Restart must be accomplished by a separate deliberate action (e.g., press the start button of the drive).
The N.O. contact of CON1 in the enabling circuit prevents enabling the drive into an open load.
Faults to Consider: The drive cannot be considered part of the safety system, as for this application it is considered a single solid state device.
The time required to reach the motion hazard must be longer than the coast down time of the motor.
A wiring fault (short) to 24 V DC at the safety interlock will keep the drive enabled and cause the contactor to remain energized.
The contactor can weld or remain stuck in the closed state, failing to isolate the motor from the drive.
Fault Exclusion: The performance of the safety interlock is controlled by its design.
Safety Principles: Robust design can reduce the likelihood of a contactor failure. Construction techniques can reduce the likelihood of a short to 24 V DC.
The failure mode of the safety interlock may be managed by applying the safety principles of the previous chapters.
Use of a force-guided contactor in conjunction with the safety interlock can detect a non-operative contactor. If detected before a drive control failure, machine run-on may be avoided. Failure of the drive to shut off at the logic level can typically be detected by a resulting motor-to-command following error or drive over voltage when the drive's active output is connected to an open load.
The direct acting auxiliary contacts of the contactor are monitored in the safety interlock circuit as shown in the SIM diagrams as MPCE 1 and MPCE 2. This type of monitoring may promote this motor connection to Category 2 performance.
The designer must review with the drive manufacturer any specific requirements for the use of a contactor between drive and motor. Some manufacturers may provide an L1, L2, L3 disconnect option which keeps power on the controller.


6.3.2.2 Single Channel Interlock Stop Category 1 of an AC Motor using Standard Rated AC Drive

Safety Function: When the safety rated interlock circuit goes low, the drive receives a logic level stop. The motor decelerates under control of the drive. After a time delay TR1 sufficient to decelerate the motor to a stop, the enabling signal is removed, forcing all output transistors to shut off. The motor is disconnected from the drive by CON1.
While the safety interlock remains open, the power to the gate control circuitry in the drive remains off.
When the safety interlock is closed, the power to the gate control circuitry in the AC drive is restored, and the motor is connected to the drive by CON1. The motor will not rotate. Restart must be accomplished by a separate deliberate action (e.g., press the start button of the drive).
The N.O. contact of CON1 in the enabling circuit prevents enabling the drive into an open load.
Faults to Consider: The drive cannot be considered part of the safety system, as for this application it is considered a single solid state device.
The time set on timer TR1 must be sufficient to bring the motor to a controlled stop under all reasonable load conditions.
A wiring fault (short) to 24 V DC at the safety interlock will keep the drive enabled and cause the contactor to remain energized.
Failure of the timer to time accurately or to drop out will leave power available to the motor.
The contactor can weld or remain stuck in the closed state, failing to isolate the motor from the drive.
Fault Exclusion: The performance of the safety interlock is controlled by its design.
Safety Principles: Robust design can reduce the likelihood of a contactor failure. Construction techniques can reduce the likelihood of a short to 24 V DC.
The failure mode of the safety interlock may be managed by applying the safety principles of the previous chapters.
Use of a force-guided contactor in conjunction with the safety interlock can detect a non-operative contactor. If detected before a drive control failure, machine run-on may be avoided. Failure of the drive to shut off at the logic level can typically be detected by a resulting motor-to-command following error or drive over voltage when the drive's active output is connected to an open load.
The direct acting auxiliary contacts of the contactor are monitored in the safety interlock circuit as shown in the SIM diagrams as MPCE 1 and MPCE 2. This type of monitoring may promote this motor connection to Category 2 performance.
The designer must review with the drive manufacturer any specific requirements for the use of a contactor between drive and motor. Some manufacturers may provide an L1, L2, L3 disconnect option which keeps power on the controller.


6.3.3 Intermediate / High Risk Reduction (Category 3)


6.3.3.1 Stop Category 0 of an AC Motor using Safety Rated AC Drive (Category 3)

Safety Function: When the safety rated interlock circuit goes low, the drive receives a logic level stop and the power to the gate control circuitry of the AC Drive, through the High Integrity disable, is removed, forcing all output transistors to shut off immediately. The motor will coast to a stop, with no torque.
While the safety interlock circuit remains open, the power to the gate control circuitry in the drive remains off.
When the safety interlock circuit is closed and reset, the power to the gate control circuitry in the AC drive is restored, but the motor does not rotate. Restart must be accomplished by a separate deliberate action (e.g., press the start button of the drive).
Faults to Consider: A single fault in the safety rated drive will not cause the motor to rotate.
A short to 24 V DC of the safety interlock circuit may keep the drive enabled.
The time required to reach the motion hazard shall be longer than the coast time of the motor.
Fault Exclusion: Any failure modes of the safety interlock circuit are determined by the circuit design.
Safety Principles: The designer must follow the drive manufacturer's instructions to maintain the drive's safety capability. As an example, some drives may require dual channel gate drive enable signals, self-monitored inputs or provide dual channel monitoring. These must be strictly adhered to and their integrity must be maintained. If these means are not provided, other methods must be used to prevent a loss of the safety function or monitoring by excluding a short to a source of 24 V DC through the use of other design and construction methods. Category 3 requires dual valves. Monitoring of at least one valve is required; monitoring of both is recommended.


6.3.3.2 Stop Category 1 (Controlled) Stop of an AC Motor using Safety Rated AC Drive

Safety Function: When the safety rated interlock circuit goes low, the drive receives a logic level stop. The motor decelerates under control of the drive. After a time delay TR1 sufficient to decelerate the motor to a stop, the power to the gate control circuitry of the AC Drive, through the High Integrity disable, is removed, forcing all output transistors to shut off immediately.
While the safety interlock circuit remains open, the power to the gate control circuitry in the drive remains off.
When the safety interlock circuit is closed and reset, the power to the gate control circuitry in the AC drive is restored, but the motor does not rotate. Restart must be accomplished by a separate deliberate action (e.g., press the start button of the drive).
Faults to Consider: A single fault in the safety rated drive will not cause the motor to rotate.
A short to 24 V DC of the safety interlock circuit may keep the drive enabled.
The time required to reach the motion hazard shall be longer than the deceleration time of the motor.
Fault Exclusion: Any failure modes of the safety interlock circuit are determined by the circuit design.
Safety Principles: The designer must follow the drive manufacturer's instructions to maintain the drive's safety capability. As an example, some drives may require dual channel gate drive enable signals, self-monitored inputs or provide dual channel monitoring. If these means are not provided, other methods shall be used to prevent a loss of the safety function or monitoring by excluding a short to a source of 24 V DC through the use of other design and construction methods.
If the stopping time is not consistent, a zero speed switch should be used to replace the fixed time delay of the safety interlock circuit, to assure that the drive's power is not removed prematurely, resulting in excessive coast time. This function may also be interconnected with a solenoid gate lock, preventing entry until the motor has come to a complete stop.
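Why 6.3.2.2 requires TR1 to cover all reasonable load conditions, and why 6.3.3.2 prefers a zero speed switch when the stopping time varies, can be shown with a simple stop-time model. The following Python is an added illustration, not a circuit or calculation from this report; the speeds, deceleration rates, switch threshold and access time are constructed values.

```python
from typing import NamedTuple


class Load(NamedTuple):
    """Constructed motor/load case; the controlled ramp the drive can hold depends on the load."""
    speed_rpm: float        # motor speed when the stop is commanded
    ramp_rpm_per_s: float   # deceleration the drive can hold under control for this load
    coast_rpm_per_s: float  # friction-only deceleration once torque is removed (STO)


def stop_with_timer(load, tr1_s):
    """Fixed delay TR1: STO is issued when TR1 expires, whether or not the motor has stopped.

    Returns (time until motion stops, speed at the moment STO was issued).
    """
    ramp_time = load.speed_rpm / load.ramp_rpm_per_s
    if tr1_s >= ramp_time:
        return ramp_time, 0.0  # standstill reached before TR1 expired
    residual = load.speed_rpm - load.ramp_rpm_per_s * tr1_s
    return tr1_s + residual / load.coast_rpm_per_s, residual  # remainder is shed by coasting


def stop_with_zero_speed_switch(load, threshold_rpm):
    """STO waits for the zero speed switch, i.e. until speed is at or below its threshold.

    Returns (time until motion stops, speed at the moment STO was issued).
    """
    ramp_time = (load.speed_rpm - threshold_rpm) / load.ramp_rpm_per_s
    return ramp_time + threshold_rpm / load.coast_rpm_per_s, threshold_rpm


def compare(load, tr1_s, zss_threshold_rpm, access_time_s):
    """Stop time of both designs against the time a person needs to reach the hazard."""
    t_timer, _ = stop_with_timer(load, tr1_s)
    t_zss, _ = stop_with_zero_speed_switch(load, zss_threshold_rpm)
    return {
        "timer_stop_s": t_timer, "timer_protects": access_time_s > t_timer,
        "zss_stop_s": t_zss, "zss_protects": access_time_s > t_zss,
    }


# Constructed values: TR1 was set from the nominal load (1500 rpm / 500 rpm/s = 3 s ramp).
NOMINAL = Load(speed_rpm=1500.0, ramp_rpm_per_s=500.0, coast_rpm_per_s=50.0)
HEAVY = Load(speed_rpm=1500.0, ramp_rpm_per_s=300.0, coast_rpm_per_s=50.0)  # added inertia
TR1_S = 3.0
ZSS_THRESHOLD_RPM = 30.0
ACCESS_TIME_S = 6.0  # time required to reach the motion hazard after the interlock opens

if __name__ == "__main__":
    for name, load in (("nominal", NOMINAL), ("heavy", HEAVY)):
        print(name, compare(load, TR1_S, ZSS_THRESHOLD_RPM, ACCESS_TIME_S))
```

With the heavy load the timer issues STO at 600 rpm and the motor coasts for a further 12 s (15 s in total, longer than the 6 s access time), whereas the zero speed switch design stops in 5.5 s.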


6.3.4 Highest Risk Reduction (Category 4)


6.3.4.1 Dual Channel Interlock Stop Category 0 (Coast to Stop) of an AC Motor using Standard Rated AC Drive with Checking (Category 4)

Safety Function: When the safety interlock circuit switch goes low, the drive receives a logic level stop and the power to the gate control circuitry in the AC Drive is removed. The latter forces all output transistors to shut off immediately. The motor will coast to a stop, with no torque. The motor is isolated from the drive by the two force-guided contactors FGC1 and FGC2.
While the safety interlock circuit remains open, the power to the gate control circuitry in the drive remains off.
When the safety interlock circuit is closed, the power to the gate control circuitry in the AC drive is restored, and the motor is reconnected to the drive by FGC1 and FGC2, but the motor will not rotate. Restart must be accomplished by a separate deliberate action (e.g., press the start button of the drive).
Faults to Consider: The drive cannot be considered part of the safety system.
The time required to reach the motion hazard shall be longer than the run down time of the motor.
Fault Exclusion: Any failure modes of the safety interlock circuit are determined by the circuit design.
The failure of either of the two FGR to disconnect the motor will be detected by the safety interlock circuit, preventing further operation.
Safety Principles: A safety rated motor drive may be used to help prevent the opening of the contactors while the drive output is high. As shown in other circuits, a time delay or zero speed switch may be used to provide active power for deceleration prior to dropping the FGR.
Note: Stop Category 1 may be constructed by using a time delay for both contactors FGC1 and FGC2 as shown in 6.3.4.2.
The direct acting auxiliary contacts of the contactors are monitored in the safety interlock circuit as shown in the SIM diagrams as MPCE 1 and MPCE 2.
The designer must review with the drive manufacturer any specific requirements for the use of a contactor between drive and motor. Some manufacturers may provide an L1, L2, L3 disconnect option which keeps power on the controller.


6.4 Pneumatic Systems


6.4.1 General Considerations
Pneumatic circuits use compressed gas (air) to store the energy necessary to perform work. This stored
energy must be properly managed and conditioned to minimize or eliminate hazards associated with
component failures and the release of stored energy.

To effectively mitigate these hazards the pneumatic design process should be broken up into the following
steps:
• Determine the pneumatic hazards based on the risk assessment;
• Select the appropriate air preparation components based on the required contamination control (see 6.4.1.2), the filtration level required (see 4.10.3), and lubrication only if it is required (see 4.10.5);
• If a blocking valve is required to remove stored energy, select the appropriate valve based on the hazard level requirements (see 6.4.2);
• Select the actuator valve most appropriate for your application (see 6.4.3);
• If a load needs to be held in place, select a pilot operated check (see 6.4.4);
• If the load needs to be stopped or held by mechanical means, select the appropriate lock, brake, or equivalent mechanical device (see 6.4.5);
• If speed control is required or the re-application of pressure can create a hazard, select the appropriate flow control solution (see 6.4.6);
• Evaluate each remaining risk to determine whether or not it is tolerable.

ANSI Technical Report B11.TR6 – 2010

6.4.1.1 Pneumatic Component Selection Process


Figure J (flowchart) and Figure K (example schematic) are intended as a guide to the proper selection and
implementation of components.


Figure J

ANSI Technical Report B11.TR6 – 2010

[Figure K: PNEUMATIC CIRCUIT EXAMPLE schematic. Component call-outs reference Section 4.8.2; Sections 4.8.3, 6.4.1.3, 6.4.1.4 and 6.4.1.5 (ISO 8573-1, Class 5.5.5.7.4 or better); Section 6.4.2 (Monitor, Internal Fault, Status and Fault signals); Section 6.4.3; and Section 6.4.4, 6.4.5 and 6.4.6.]

Figure K


6.4.1.2 Air Preparation (Contamination Control)


A fluid power circuit's reliability is influenced by contamination, also known as its cleanliness level. Care
must be taken to select fluid conditioning components appropriate for the intended level of reliability. Strict
adherence to the proper conditioning of the fluid power source can increase the mean time to dangerous
failure.

6.4.1.3 Non-Lubricated (Preferred)


Non-lubricated pneumatic systems, also known as pre-lubricated because the actuators are pre-lubed for the
intended life of the equipment, are preferred because of an inherently higher level of reliability and reduced
operational costs, and should be used wherever possible.

6.4.1.4 Lubricated (Not Recommended)


Air-line atomized or mist type lubricated circuits and components must be serviced at frequent intervals. If the lubricators are not maintained and are allowed to run dry, the lubrication will quickly dry out and become tacky, resulting in a decreased level of reliability of the pneumatic system's control components. Motion control valves' main spools and pilot valves can stick in a number of positions, preventing the valve's ability to return to a de-energized position and stop a hazardous motion as intended.

ANSI Technical Report B11.TR6 – 2010

6.4.1.5 Example Supply Circuit


The following example contains a safety lockout valve, safety blocking valve, filters, regulator and gauge.

Safety Function:
  - Proper air preparation conditions the incoming fluid supply, increasing the circuit's life, reliability and performance.
  - The air drop header connection to the top of the main header minimizes contamination transfer to the equipment, increasing overall system reliability. Connections to the bottom of the header act as a drain, increasing the level of contamination delivered to the machine, and are not permitted.
  - Safety exhaust lockout valve: installation in the vertical drop allows for convenient lockout placement close to and at the same height as the electrical disconnect. This saves time in removing energy in a hazardous situation. The valve may also be located next to the filter. The exhausting lockout valve shall meet the requirements of 4.10.2.
  - Air preparation: the drip leg acts as a collector for the majority of supply contaminants, greatly increasing filter life.
  - Filtration requirements as defined by ISO 8573.
  - The system regulator shall be set to the minimum pressure required for proper operation. Pressures set above the minimum requirement unnecessarily increase operational costs and component wear, which may lead to a decrease in overall reliability.
  - Safety exhaust (blocking) valve(s): performance requirements are to be determined by the risk assessment.
Faults to Consider:
  - Filter failure, high liquid level or poor maintenance will pass contamination to the system.
  - Regulator failure or improper adjustment can cause excessive pressures in the system.
Fault Exclusion: None to consider.
Safety Principles: The application of the principles above will greatly increase the mean time to dangerous failure and is applicable to all levels of design.


6.4.2 Exhaust (Blocking, Dump) Valve


6.4.2.1 Basic Risk Reduction (Category B)
6.4.2.1.1 Spring Centered Three Position Open Center (Category B)
A Category B circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). The following example represents a 5 ported 4-way valve used to directly control
the hazardous motion.

[Figure: 5 ported 4-way spring centered valve (not reproduced); labels: "To Hazardous motion", "From Air prep"]

Safety Function:
  - When the electrical command signal is removed, the valve shifts to center position, blocking the fluid from flowing into, and exhausting the energy out of, the hazardous motion device.
  - A slow or sticking valve may affect response time of the safety system.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
  - Spool sticking or spring failure in the spring centered directional valve may cause its failure to center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle:
  - Well tried device designed to contain and prevent interleaving of broken centering springs.
  - The fact that the process is operating cannot be taken as an indication that the valve will center.

6.4.2.1.2 Lowest Risk Reduction (Category 1)


A Category 1 circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). The following example represents a 3 way valve used on a single acting cylinder or
a simple process control valve. A 5 ported 4-way valve used for motion control can also be used.

Safety Function:
  - When the electrical command signal is removed, the valve exhausts fluid power from the hazardous portion of the machine.
  - A slow or sticking valve may affect response time of the safety system.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to be mechanically biased to exhaust downstream fluid power.


6.4.2.2 Low / Intermediate Risk Reduction (Category 2)


6.4.2.2.1 Single Monitored Directional Valve (Category 2)
A Category 2 circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). A Category 2 circuit requires the addition of monitoring to the safety function as
designed into what otherwise would be a Category 1 circuit. System monitoring is done through the use of
methods using external or integral devices such as integrated safety switches used to detect valve function,
actuator motion, or a downstream pressure switch monitoring the safety function (a minimum operating
switch is not intended for this use due to pressure change set point). The following example represents a 3
way valve used on a single acting cylinder, a process control valve, or as an exhaust valve for one or more
downstream actuator valves. Monitoring is not shown.

[Figure: 3 way valve with optional monitoring switch (not reproduced); label: "Optional Switch"]

Safety Function:
  - When the electrical signal is removed, the valve exhausts fluid power from the hazardous portion of the machine.
  - A safety rated device indicates the position of the valve element in a de-energized state.
  - A slow or sticking valve may affect response time of the safety system.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
  - Failure of safety device LS1 to indicate valve element position.
Fault Exclusion: None to consider.
Safety Principle:
  - Well tried device designed to be mechanically biased to exhaust downstream fluid power.
  - When the valve element is in the energized position the safety device contacts of LS1 must be directly driven open.
  - To achieve Category 2 the dump valve must be periodically tested (see 4.5.1).


6.4.2.2.2 Spring Centered Three Position Open Center w/ Actuator Monitoring (Category 2)
A Category 2 circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). A Category 2 circuit requires the addition of monitoring to the safety function as
designed into what otherwise would be a Category 1 circuit. System monitoring is done through the use of
methods using external or integral devices such as integrated safety switches used to detect valve function,
actuator motion, or a downstream pressure switch monitoring the safety function (a minimum operating
switch is not intended for this use due to a high pressure change set point). The following example
represents a 5 ported 4-way valve used to directly control the hazardous motion. Monitoring is not shown.

[Figure: 5 ported 4-way spring centered valve with actuator monitoring (not reproduced); labels: "To Hazardous motion", "From Air prep"]

Safety Function:
  - When the electrical command signal is removed, the valve shifts to center position, blocking the fluid from flowing into, and exhausting the energy out of, the hazardous motion device.
  - A slow or sticking valve may affect response time of the safety system.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
  - Spool sticking or spring failure in the spring centered directional valve may cause its failure to center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle:
  - Well tried device designed to contain and prevent interleaving of broken centering springs.
  - The fact that the process is operating cannot be taken as an indication that the valve will center.
  - To achieve Category 2 the spring centered valve should be periodically tested (see 4.3.1). This could be accomplished by:
      - Energize one of the solenoids and immediately de-energize to center. Monitor actuator position to see if it reaches its end stop or if it halts as expected. This must be done in both directions.


6.4.2.3 Intermediate / High Risk Reduction (Category 3)


6.4.2.3.1 Series Dump Safety Valve with Spring Centered Three Position Open Center (Category 3)
A Category 3 fluid power circuit may only require a single monitored safety valve if used in conjunction with
motion valves whose actuators are indirectly monitored for proper operation within the safety system.

Safety Function:
  - When the electrical command signals are removed, the dump valve blocks the incoming supply and exhausts supply energy from the motion valve. The motion valve will also block the fluid from flowing into, and exhausting the energy out of, the hazardous motion device.
  - LS1 device indicates the position of the blocking valve element in the exhaust state.
  - Slow or sticking valves may affect response time of the safety system.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
  - Exhaust time may be increased significantly depending on valve failure position.
  - Valve crossover conditions, i.e., flow paths, shall not inhibit the ability to exhaust the output energy.
  - Sluggish response of valve resulting in diminished performance may go undetected.
  - Failure of safety device LS1 to indicate valve element position.
  - Spool sticking or spring failure in the spring centered directional valve may cause its failure to center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle:
  - Well tried blocking valve designed to be mechanically biased to exhaust downstream fluid power.
  - Well tried three position valve designed to contain and prevent interleaving of broken centering springs.
  - The spring centered valve does not have a monitoring function, nor does the continued function of the machine indicate the ability of the valve to spring center and stop the motion. To maintain a high level of performance, the ability for the directional valve to stop the motion by centering must be tested at regular intervals.
  - The spring centered valve could be functionally tested on a regular basis by:
      - Energize a solenoid and immediately de-energize to center. Monitor actuator position to see if it reaches its end stop or if it halts as expected. This must be done in both directions.
      - Some directional valves are offered with sensors which directly monitor the motion valve spool position. These may be used in an application where the dynamic performance of the spools must be monitored to assure that the safe separation distance is maintained.
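The two-direction centering test called for in 6.4.2.2.2 and 6.4.2.3.1, as an added example that is not part of the report: a simulation of the test sequence the SRP/CS would run (pulse one solenoid, immediately de-energize, watch whether the actuator halts short of its end stop, repeat in the other direction) against a constructed actuator model, with a stuck-spool fault injected to show how the test exposes a valve that fails to center. The actuator model, its stroke, speed and coast values, and the function names are assumptions made for this example.

```python
"""Periodic functional test of a non-monitored spring-centered open-center
directional valve, as described in 6.4.2.2.2 and 6.4.2.3.1 of the report.
Added example; the actuator/valve model and all numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ActuatorModel:
    """Constructed plant model (not a real machine): position in mm, where
    0 is the retracted end stop and `stroke` the extended end stop.  With the
    valve centered both actuator lines are vented, so motion coasts to a halt
    after `coast` mm.  `stuck_spool` injects the fault named in the report:
    the spool fails to center and keeps supplying the last driven direction."""
    stroke: float = 200.0
    speed: float = 20.0          # mm of travel per scan while driven
    coast: float = 10.0          # mm of coasting after the valve centers
    position: float = 100.0
    stuck_spool: bool = False
    _drive: int = 0              # +1 extend, -1 retract, 0 centered
    _last_dir: int = 1
    _coast_left: float = 0.0

    def command(self, sol_a: bool, sol_b: bool) -> None:
        """Solenoid A extends, solenoid B retracts, neither should center."""
        if sol_a and not sol_b:
            self._drive = 1
        elif sol_b and not sol_a:
            self._drive = -1
        elif not self.stuck_spool:
            if self._drive != 0:
                self._coast_left = self.coast
            self._drive = 0
        # stuck_spool: the valve element stays where it was last driven

    def scan(self) -> float:
        """Advance one scan and return the new position, clamped to the stops."""
        if self._drive != 0:
            self._last_dir = self._drive
            self.position += self._drive * self.speed
        elif self._coast_left > 0:
            step = min(self.speed, self._coast_left)
            self._coast_left -= step
            self.position += self._last_dir * step
        self.position = max(0.0, min(self.stroke, self.position))
        return self.position


@dataclass
class CenterTestResult:
    direction: str
    halted: bool                # actuator came to rest short of the end stop
    reached_end_stop: bool      # valve did not center: motion ran to the stop
    final_position: float


def center_test(act: ActuatorModel, direction: str, pulse_scans: int = 1,
                settle_scans: int = 8, tol: float = 0.5) -> CenterTestResult:
    """Energize one solenoid briefly, immediately de-energize to center, then
    watch the actuator: it must halt before reaching its end stop."""
    sol_a, sol_b = (True, False) if direction == "extend" else (False, True)
    act.command(sol_a, sol_b)
    for _ in range(pulse_scans):
        act.scan()
    act.command(False, False)            # de-energize: valve should center
    history: List[float] = [act.scan() for _ in range(settle_scans)]
    end_stop = act.stroke if direction == "extend" else 0.0
    reached = abs(history[-1] - end_stop) <= tol
    halted = (not reached) and abs(history[-1] - history[-2]) <= tol
    return CenterTestResult(direction, halted, reached, history[-1])


def periodic_center_test(act: ActuatorModel) -> Dict[str, object]:
    """The report requires the test in both directions; the valve passes only
    if it halts the actuator short of the end stop each time."""
    results = [center_test(act, "extend"), center_test(act, "retract")]
    return {"passed": all(r.halted for r in results), "results": results}


if __name__ == "__main__":
    for fault in (False, True):
        outcome = periodic_center_test(ActuatorModel(stuck_spool=fault))
        print("stuck spool" if fault else "healthy valve", "->",
              "PASS" if outcome["passed"] else "FAIL", outcome["results"])
```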


6.4.2.3.2 Series Monitoring Circuit (Category 3)


The following example represents redundant monitored valves.

Safety Function:
  - When the electrical command signals are removed the valve(s) exhaust fluid power from the hazardous portion of the machine.
  - LS1 and LS2 devices indicate the position of the valve element in the exhaust state.
  - Slow or sticking valves may affect response time of the safety system.
  - While the valve is in the faulted state, the fluid power to the hazardous portion of the machine shall remain off.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
  - Exhaust time may be increased significantly depending on valve failure position.
  - Valve crossover conditions, i.e., flow paths, shall not inhibit the ability to exhaust the output energy.
  - Sluggish response of valve resulting in diminished performance may go undetected.
Fault Exclusion: None to consider.
Safety Principle:
  - Well tried devices designed to be mechanically biased to exhaust downstream fluid power.
  - Failure of safety device LS1 or LS2 to indicate valve element position is detected by the monitoring of both within the SRP/CS.
  - Response and cycling of both valves is monitored in the Safety-Related Parts of the Control System.
  - Where the safety distance is impacted by the response time of the valves, dynamic monitoring in the Safety-Related Parts of the Control System is required which assures that the valve shifts within a given period of time after the command signals have been removed from the valves. See 6.4.2.5.1.

ANSI Technical Report B11.TR6 – 2010

6.4.2.4 Highest Risk Reduction Monitoring Circuit (Category 4)


6.4.2.4.1 Dual Shift Time Monitored Valves (Category 4)
The following example represents redundant monitored valves that might be supplying a single acting
cylinder, a simple process control application or multiple motion control valves.

Safety Function:
  - When the electrical command signals are removed the valve(s) exhaust fluid power from the hazardous portion of the machine.
  - LS1 and LS2 safety rated devices indicate the position of the valve element in the exhaust state.
  - Slow or sticking valves may affect response time of the safety system.
  - While the valve is in the faulted state, the fluid power to the hazardous portion of the machine shall remain off.
Faults to Consider:
  - Solenoid pilot section of valve stuck in actuated position.
  - Pilot seal failure – can lead to unexpected valve element movement.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (piston, poppet, spring) within a valve element.
  - Exhaust time may be increased significantly depending on valve failure position.
  - Valve crossover conditions, i.e., flow paths, shall not inhibit the ability to exhaust the output energy.
  - Sluggish response of valve resulting in diminished performance may go undetected.
Fault Exclusion: None to consider.
Safety Principle:
  - Well tried devices designed to be mechanically biased to exhaust downstream fluid power.
  - Failure of safety device LS1 or LS2 to indicate valve element position is detected by the monitoring of both within the SRP/CS.
  - When the valve element is in the energized position the safety device electrical contacts of LS1 and LS2 must be directly driven open, or must use a normally open switch that is held or forced closed when the valve is de-energized.
  - Response and cycling of both valves is monitored in the Safety-Related Parts of the Control System.
  - Where the safety distance is impacted by the response time of the valves, dynamic monitoring in the Safety-Related Parts of the Control System is required which assures that the valve shifts within a given period of time after the command signals have been removed from the valves.
  - Non-synchronous movement of the independent elements while actuating or de-actuating is monitored by the Safety-Related Parts of the Control System and shall result in a fault condition (diminished performance fault). The level of this configuration may be elevated to Category 4 with the proper monitoring and reset control derived from the Safety-Related Parts of the Control System.


6.4.2.4.2 Safety Rated Valve – Manual Valve Reset (Category 4)

[Figure: safety rated valve with manual reset (not reproduced); labels: "Internal Fault Monitor", "Fault Status"]

Safety Function:
  - When the electrical signals are removed the valve exhausts fluid power from the hazardous portion of the machine.
  - The internal dynamic monitoring shall ensure both independent valve elements function simultaneously.
  - Non-synchronous movement of the independent elements while actuating or de-actuating shall result in a fault condition (diminished performance fault).
  - While the valve is in the faulted state, the fluid power to the hazardous portion of the machine shall remain off.
  - When a faulted condition exists, PS1 can provide status feedback to a PLC input.
  - Pilot and power spool failures and changes in dynamic response are detected by internal valve function.
Faults to Consider:
  - Valve crossover conditions, i.e., flow paths, shall not inhibit the ability to exhaust the output energy.
  - Pilot and power spool failures and changes in dynamic response are detected by internal valve function.
  - Failure of PS1 device to annunciate faults that automatically reset.
Fault Exclusion: None to consider.
Safety Principle:
  - Reset is not intended to be used for production but is provided for maintenance only.
  - PS1 is provided for status indication purposes and is not considered as part of the Safety-Related Parts of the Control System.
  - Consider the impact of restoring the fluid power when operating the reset function.
  - Resetting the valve shall not cause the valve to shift and provide pressure downstream.


6.4.2.4.3 Safety Rated Valve – Automatic Valve Reset (Category 4)

[Figure: safety rated valve with automatic reset (not reproduced); labels: "Internal Fault Monitor", "Fault Status"]

Safety Function:
  - When the electrical signals are removed the valve exhausts fluid power from the hazardous portion of the machine.
  - The internal dynamic monitoring shall ensure both independent valve elements function simultaneously.
  - Non-synchronous movement of the independent elements while actuating or de-actuating shall result in a fault condition (diminished performance fault).
  - While the valve is in the faulted state, the fluid power to the hazardous portion of the machine shall remain off.
  - Provides feedback when a faulted condition exists. The PS1 fault status switch may also be connected to a PLC input for status indication.
  - PS1 provides monitoring of the valve fault condition.
  - Pilot and power spool failures and changes in dynamic response are detected by internal valve function.
Faults to Consider:
  - Failure of PS1 device to annunciate faults that automatically reset.
Fault Exclusion: None to consider.
Safety Principle:
  - The reset is triggered by de-energization of the solenoid valves. The control circuit should prevent the normal reset and require an acknowledgement that a valve failure has occurred before the valve can be re-energized.
  - Monitoring of PS1 device used to prevent repetitive automatic reset.
  - Resetting the valve shall not cause the valve to shift and provide pressure downstream.
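The SRP/CS-side monitoring described for the dual shift-time monitored valves in 6.4.2.4.1 (shift within a given time, non-synchronous element movement as a diminished performance fault, LS1/LS2 plausibility while energized, fluid power held off while faulted) together with the acknowledged, non-repetitive reset principle of 6.4.2.4.2 and 6.4.2.4.3, as an added example that is not part of the report: a scan-based monitor in Python, replayed over a constructed scan log. The scan-count limits, the feedback convention (a device reads True only while its element is in the exhaust position) and the fault names are assumptions made for this example; in the 6.4.2.4.3 circuit the same reset gate would be driven from the PS1 fault status rather than from LS1/LS2.

```python
"""SRP/CS-side monitor for a redundant (dual) exhaust valve, illustrating the
dynamic monitoring of 6.4.2.4.1 and the acknowledged reset of 6.4.2.4.2 /
6.4.2.4.3.  Added example, not the report's material; the scan interface,
time limits and fault names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Fault(Enum):
    NONE = "none"
    SHIFT_TIME = "exhaust not reached within allowed shift time"
    FEEDBACK_STUCK = "feedback still reports exhaust while energized"
    NON_SYNCHRONOUS = "independent elements moved non-synchronously"
    UNEXPECTED_MOVEMENT = "element left its commanded position"


@dataclass
class DualValveMonitor:
    """Scan-based monitor.  Feedback inputs follow the report's convention:
    LS1/LS2 read True only while their valve element is in the exhaust
    position, so an energized valve must drive both inputs open (False)."""
    shift_time_max: int        # scans allowed for both elements to reach state
    sync_window: int           # scans allowed between first and second element
    fault: Fault = Fault.NONE
    _cmd: bool = False
    _scans_since_cmd: int = 0
    _first_arrival: Optional[int] = None
    _settled: bool = False

    def output_enable(self) -> bool:
        """What reaches the solenoids: the command only while no fault is latched."""
        return self._cmd and self.fault is Fault.NONE

    def step(self, command: bool, ls1_exhaust: bool, ls2_exhaust: bool) -> Fault:
        """Evaluate one scan of the command and the LS1/LS2 feedback."""
        if self.fault is not Fault.NONE:
            return self.fault                  # latched: no automatic reset
        if command != self._cmd:
            self._cmd, self._scans_since_cmd = command, 0
            self._first_arrival, self._settled = None, False
        else:
            self._scans_since_cmd += 1
        expected = not command                 # de-energized -> exhaust position
        arrived = (ls1_exhaust == expected, ls2_exhaust == expected)
        if all(arrived):
            self._settled = True
            return Fault.NONE
        if self._settled:                      # was in position, now is not
            self.fault = Fault.UNEXPECTED_MOVEMENT
            return self.fault
        if any(arrived) and self._first_arrival is None:
            self._first_arrival = self._scans_since_cmd
        lag = (self._scans_since_cmd - self._first_arrival
               if self._first_arrival is not None else 0)
        if lag > self.sync_window:             # one element moved, the other did not
            self.fault = Fault.NON_SYNCHRONOUS
        elif self._scans_since_cmd > self.shift_time_max:
            self.fault = Fault.SHIFT_TIME if expected else Fault.FEEDBACK_STUCK
        return self.fault

    def acknowledge(self, command: bool, ls1_exhaust: bool, ls2_exhaust: bool) -> bool:
        """Deliberate reset by a person, separate from normal operation.  It is
        accepted only with the command off and both elements in exhaust, so the
        reset itself can never shift the valve and supply pressure downstream."""
        if self.fault is Fault.NONE or command or not (ls1_exhaust and ls2_exhaust):
            return False
        self.fault, self._cmd = Fault.NONE, False
        self._scans_since_cmd, self._first_arrival, self._settled = 0, None, True
        return True


def run_scan_log(monitor: DualValveMonitor,
                 scans: List[Tuple[bool, bool, bool]]) -> List[Fault]:
    """Replay a scan log of (command, LS1, LS2) and return the fault after each."""
    return [monitor.step(*scan) for scan in scans]


if __name__ == "__main__":
    # Constructed log: energize, settle, de-energize; LS2 never reports exhaust.
    log = [(False, True, True), (True, True, True), (True, False, False),
           (False, False, False), (False, True, False), (False, True, False),
           (False, True, False), (True, True, False)]
    mon = DualValveMonitor(shift_time_max=3, sync_window=1)
    for scan, fault in zip(log, run_scan_log(mon, log)):
        print(scan, "->", fault.value, "| output enabled:", mon.output_enable())
```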


6.4.3 Directional (Motion) Valve Selection


Directional valves control the motion of linear or rotary actuators. From a safety perspective, directional or motion valves should be selected based on the action the designer wants to occur when power is removed from the solenoid, and on the conditions under which the valve might shift from the de-energized to the energized position without being given a command signal.

6.4.3.1 Category B and 1


6.4.3.1.1 Single Solenoid – Two Position – Spring Offset (Category B and 1)

Safety Function:
  - Valve is intended to return the power spool to the home position and thus move the actuator to the home or retracted position on a loss of electrical power.
  - All hazards in the retract direction must be guarded or eliminated by design.
  - When the electrical signal is removed, the valve exhausts fluid power from the port supplying the hazardous actuator condition and applies fluid pressure to the port supplying the non-hazardous actuator condition.
Faults to Consider:
  - Pilot or main spool can stick in any position causing a failure of the motion to reverse as intended upon de-energization of the solenoid.
  - Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
  - Leakage or improper sealing of components.
  - Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the actuator.
  - Broken components (spring and seals) within a valve element.
  - Solenoid pilot section of valve stuck in actuated position.
Fault Exclusion: None to consider.
Safety Principle:
  - Well-tried device.
  - Depending on the process, the continued operation of the machine is an indication that the valve is cycling properly.
  - Loss of the pneumatic pilot or electrical supply power to the valve will cause the valve to return to its de-energized position, resulting in the actuator returning to the home position.

6.4.3.1.2 Double Solenoid – Two Position – Detented (Category B and 1)

Safety Function:
  - When the electrical signal is removed the valve spool will maintain its last commanded position. The intent is to maintain actuator position on a loss of electrical power.
  - Designs should be limited to short strokes or actuators where a loss of pressure, due to an unexpected loss of solenoid power, would lead to a safety hazard. Recommended applications are grippers, collets, part indexers and strokes less than 75 mm (3 inches).
Faults to Consider:
  - Pilot or main spool can stick in any position causing a failure of the motion to reverse upon energization of the opposite solenoid as intended.
  - Pilot section manual actuator seal failure – can lead to unexpected main spool movement.
  - Leakage or improper sealing of components.
  - Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the actuator.
  - Valve will allow motion to continue after power has been removed from the coil.
  - Broken components (spring and seals) within a valve element.
  - Solenoid pilot section of valve stuck in actuated position.
Fault Exclusion: None to consider.
Safety Principle:
  - Well-tried device and sufficient detent to maintain command position.
  - By design this valve will allow motion to continue after power has been removed from the solenoid until the actuator has reached the end of its stroke.
  - Depending on the process, the continued operation of the machine is an indication that the valve is cycling.
  - If electrical power is lost, the actuator cannot be reversed.
  - If the motion of the actuator is mechanically stopped by any interference (other than its intended end stop), the subsequent removal of electrical power from the solenoid will not prevent motion if the mechanical interference is removed.


6.4.3.1.3 3 Position – Spring Centered – Open Centered (Category B and 1)

Safety Function:
  - When the electrical signal is removed the valve will return to its center position, block the supply pressure, and remove pressure from both actuator lines. The intent is to stop the actuator in mid-position when the electrical power has been removed from the coils. The actuator has no pressure, so high inertia or gravity may cause motion after the electrical power, and therefore the pneumatic energy, has been removed.
Faults to Consider:
  - Pilot or main spool can stick in any position causing a failure of the motion to stop or reverse as intended.
  - Solenoid pilot section of valve stuck in actuated position allowing motion to continue after power has been removed from the coil.
  - Pilot section manual actuator seal failure – can lead to unexpected main spool movement.
  - Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the actuator.
  - Leakage or improper sealing of components.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (spring and seals) within a valve element.
  - Solenoid pilot section of valve stuck in actuated position.
  - Exhaust capacity of the mufflers can result in a slow response to exhaust air from the actuator and to bring motion to a halt.
  - The valve's ability to hold the actuator in mid-stroke or to a minimum pressure, depending on valve configuration, must be tested at an interval dictated by the risk assessment and circuit performance requirements. The fact that the valve continues to cycle the actuator under solenoid control does not assure its ability to center the spool. Depending on safety performance requirements, the Safety-Related Parts of the Control System should test the ability of the valve to center at regular intervals. For higher Category applications an upstream safety exhaust valve is used in conjunction to ensure hazardous energy is removed.
Fault Exclusion: None to consider.
Safety Principle:
  - Well-tried device.
  - With electrical power removed, the actuator is free to move due to outside influences such as external force and gravity. Other means (such as check valves or mechanical means) must be used to control motion if such forces are present and present potentially hazardous situations.
  - In safety applications, non-monitored spring center open center valves are limited to Category 1 applications.
  - Depending on safety performance requirements, the Safety-Related Parts of the Control System should test the ability of the valve to center at regular intervals.
  - For higher Category applications an upstream safety exhaust valve is used in conjunction to ensure hazardous energy is removed.


6.4.3.1.4 3 Position – Spring Centered – Close or Blocked Center (Category B and 1)

Safety Function:
  - When the electrical signal is removed, the valve will return to its center position, block the supply pressure, and trap pressure in both actuator control lines. The intent is to stop and hold the actuator in mid-position when the electrical power has been removed from the coils.
Faults to Consider:
  - Pilot or main spool can stick in any position causing a failure of the motion to stop or reverse as intended.
  - Solenoid pilot section of valve stuck in actuated position allowing motion to continue after power has been removed from the coil.
  - Pilot section manual actuator seal failure – can lead to unexpected main spool movement.
  - Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the actuator.
  - Leakage or improper sealing of components, including downstream devices, will cause motion.
  - Spool valves will leak, resulting in the reduction of trapped pressure over time, causing motion.
  - Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
  - Broken components (spring and seals) within a valve element.
  - Solenoid pilot section of valve stuck in actuated position.
  - The valve's ability to hold the actuator in mid-stroke to block air flow must be tested at an interval dictated by the risk assessment and circuit performance requirements. The fact that the valve continues to cycle the actuator under solenoid control does not assure its ability to center the spool. Depending on safety performance requirements, the Safety-Related Parts of the Control System should test the ability of the valve to center at regular intervals. For higher Category applications, an upstream safety exhaust valve is used in conjunction to ensure hazardous supply energy is removed.
Fault Exclusion: None to consider.
Safety Principle:
  - In safety applications, non-monitored spring center closed center valves are limited to Category 1 applications.
  - With electrical power removed, the actuator is trapped and unable to move even with outside influences such as external force and gravity. Means to exhaust the trapped air from the actuator must be provided if there is an entrapment hazard.
  - Depending on safety performance requirements, the Safety-Related Parts of the Control System should test the ability of the valve to center at regular intervals.
  - Blocking valve will prevent runaway motion should this valve fail in a shifted position.
  - A blocking valve at the actuator can stop motion due to high inertia loads.


6.4.3.2 Low / Intermediate Risk Reduction (Category 2)


6.4.3.2.1 2 Position Spring Offset – Monitored Spool Position (Category 2)

Figure: 2 position spring offset valve schematic with position switch LS1.

Safety Function: Valve is intended to return the power spool to the home position and thus move the actuator to the home or retracted position on a loss of electrical power. All hazards in the retract direction must be guarded or eliminated by design. When the electrical signal is removed, the valve exhausts fluid power from the port supplying the hazardous actuator condition and applies fluid pressure to the port supplying the non-hazardous actuator condition. LS1, a safety rated device, indicates the position of the valve element in a de-energized state.

Faults to Consider:
 Pilot or main spool can stick in any position causing a failure of the motion to reverse as intended upon de-energization of the solenoid.
 Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
 Leakage or improper sealing of components.
 Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the actuator.
 Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
 Broken components (spring and seals) within a valve element.
 Solenoid pilot section of valve stuck in actuated position.
 Failure of safety device LS1 to indicate valve element position.

Fault Exclusion: None to consider.

Safety Principle:
 Well-tried device designed to be mechanically biased to exhaust downstream fluid power.
 When the valve element is in the energized position the safety device contacts must be direct driven open.
 LS1 must be monitored by the Safety-Related Parts of the Control System at regular intervals to assure that the valve has shifted.
 By design this valve will allow motion to continue after power has been removed from the solenoid until the actuator has reached the end of its stroke.
 Depending on the process, the continued operation of the machine is an indication that the valve is cycling.
 If electrical power is lost, the actuator will be reversed.
 Strict adherence to the proper conditioning of the fluid power source can increase the mean time to dangerous failure.
 Loss of the pneumatic pilot or electrical supply power to the valve will cause the valve to return to its de-energized position resulting in the actuator returning to the home position.
 The status of the spool is monitored in the Safety-Related Parts of the Control System to verify that the spool has shifted when the solenoid is de-energized.


6.4.3.3 Intermediate / High Risk Reduction (Category 3 and 4)


6.4.3.3.1 Dual – 2 Position Spring Offset – Monitored Spool Position(s) (Category 3 and 4)

Figure: dual 2 position spring offset valves with internal fault monitor.
Safety Function: When the electrical signals are removed from the dual coils the dual valves return the actuator to the home position. The dynamic monitoring internal to the valve shall ensure both independent valve elements function simultaneously. Non-synchronous movement of the independent elements while actuating or de-actuating shall result in a fault condition (diminished performance fault). While the valve is in the faulted state, the fluid power to the hazardous portion of the machine shall remain off. Provides feedback when a faulted condition exists. Fault status switch may also be connected to a PLC input for diagnostics.

Faults to Consider:
 Failure of PS1 device to annunciate faults that automatically reset.
 Repetitive de-energized faults of a single element not being annunciated.

Fault Exclusion: Exhaust flow will not be diminished due to cross flow construction.

Safety Principle:
 Reset is not intended to be used for production but is provided for maintenance only.
 The reset is triggered by de-energization of the solenoid valves. The control circuit should prevent the normal reset and require an acknowledgement that a valve failure has occurred before the valve can be re-energized.
 Monitoring of the PS1 device is used to prevent repetitive automatic reset.


6.4.4 Pilot Operated Check Valves


Pilot operated checks are used to trap or store energy (pneumatic pressure) in the actuator(s) to maintain
force or position. This energy may not be removed by turning off the air supply safety lockout exhaust valve.
See 4.7.4 on trapped pressure.

Pilot operated (P.O.) checks maintain the vertical actuator's position by trapping air between the valve and
the actuator piston. To assure quick response, the entrained volume between the valve and the actuator
should be kept to a minimum. P.O. check use should be limited to light (< 30 lbs) vertical loads or to maintaining
clamping force. P.O. check, piston, rod seal, fitting or line leaks can cause a lowering motion that needs to be
considered during the risk assessment.

Caution: Dual P.O. checks should never be used to trap pressure (stored energy) on both sides of the
actuator; this applies to both vertical and horizontal circuits. This is because a leak will cause an unintended
movement of the actuator towards the leak. The pilot pressure supply may directly affect the closing of the
check, which may impact the stopping time/distance of the actuator. The supply should be connected
downstream of the safety blocking valve.

6.4.4.1 Basic / Lowest Risk Reduction (Category B and 1)


6.4.4.1.1 Pilot Operated Check Valve (Category B and 1)

Figure: PO Check - External Air Pilot; PO Check - Solenoid with External Air Pilot.

Safety Function: When the electrical or pneumatic pilot signal is removed, the valve will trap pressure downstream of the outlet port.

Faults to Consider:
 Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
 Solenoid pilot section of valve stuck in actuated position (if applicable).
 Pilot seal failure – can lead to unexpected main spool movement (if applicable).
 Pilot section manual actuator seal failure – can lead to unexpected main spool movement (if applicable).
 Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
 Broken components (spring and seals) within a valve element.
 Stored energy may cause unexpected motion when released during service.
 Leakage or improper sealing of components including downstream devices will cause motion.

Fault Exclusion: None to consider.

Safety Principle:
 Well-tried device designed to be mechanically biased to trap downstream fluid power.
 Strict adherence to the proper conditioning of the fluid power source can increase the mean time to dangerous failure.


6.4.4.2 Low / Intermediate Risk Reduction (Category 2)


6.4.4.2.1 Pilot Operated Check Valve (Category 2)

Figure: PO Check - External Air Pilot with Switch (LS1); PO Check - Solenoid with External Air Pilot with Switch (LS1).

Safety Function: When the electrical or pneumatic pilot signal is removed, the valve will trap pressure downstream of the outlet port. A safety rated device indicates the position of the valve element in a de-energized state.

Faults to Consider:
 Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
 Solenoid pilot section of valve stuck in actuated position (if applicable).
 Pilot seal failure – can lead to unexpected main spool movement (if applicable).
 Pilot section manual actuator seal failure – can lead to unexpected main spool movement (if applicable).
 Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
 Broken components (spring and seals) within a valve element.
 If an increase in response time is a consideration, then additional monitoring is required.
 Stored energy may cause unexpected motion when released during service.
 Leakage or improper sealing of components including downstream devices will cause motion.
 Failure of safety device LS1 to indicate valve element position.

Fault Exclusion: None to consider.

Safety Principle:
 Well-tried device designed to be mechanically biased to trap downstream fluid power.
 When the valve element is in the energized position the safety device contacts must be direct driven open.
 The valve must be periodically tested and LS1 monitored by the Safety-Related Parts of the Control System to ensure that the valve is functional.
 The status of the valve element is monitored in the Safety-Related Parts of the Control System to verify that the spool has shifted to trap pressure when the solenoid is de-energized.


6.4.4.3 Intermediate / High Risk Reduction (Category 3)


6.4.4.3.1 Pilot Operated Check (Category 3)

Figure: Redundant PO Check - External Air Pilot with Switch (LS1, LS2); Redundant PO Check - Solenoid with External Air Pilot with Switch (LS1, LS2).

Safety Function: When the electrical or pneumatic pilot signal is removed, the valve will trap pressure downstream of the outlet port. Slow or sticking valves may affect response time of the safety system. Non-synchronous movement of the independent elements while actuating or de-actuating shall result in a fault condition (diminished performance fault). Provides feedback when a faulted condition exists. Fault status switch may also be connected to a PLC input for status indication. Stored energy may cause unexpected motion when released during service.

Faults to Consider:
 Broken components (piston, poppet, spring) within a valve element.
 Leakage or improper sealing of components including downstream devices will cause motion.
 Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.

Fault Exclusion: None to consider.

Safety Principle:
 Well tried check valve designed to be mechanically biased to block downstream fluid flow.
 Failure of safety device LS1 or LS2 to indicate valve element position is detected by the monitoring of both within the SRP/CS.
 Where the safety distance is impacted by the response time of the valves, dynamic monitoring in the Safety-related Portion of the Control System which assures that the valve shifts within a given period of time after the command signal has been removed from the valves is required (see 6.4.4.4.1).


6.4.4.3.2 Pilot Operated Check with Spring Centered Three Position Open Center (Category 3)

Safety Function: When the electrical or pneumatic pilot signal is removed the check valve will trap pressure between the check and the actuator, while the directional valve blocks flow into, and exhausts pressure from, the hazardous motion device. Slow or sticking valves may affect response time of the safety system. LS1 provides feedback when a faulted condition exists. Fault status switch may also be connected to a PLC input for status indication. Stored energy may cause unexpected motion when released during service. Spool sticking or spring failure in the spring centered directional valve may fail to center the spool, keeping supply and exhaust available to the hazardous motion device.

Faults to Consider:
 Failure of safety device LS1 to indicate valve element position.
 Broken components (piston, poppet, spring) within a valve element.
 Leakage or improper sealing of components including downstream devices will cause motion.
 Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
 Spool sticking or spring failure in the spring centered directional valve may cause its failure to center the spool, keeping supply and exhaust available to the hazardous motion device.

Fault Exclusion: None to consider.

Safety Principle:
 Well tried check valve designed to be mechanically biased to block downstream fluid flow.
 Well tried device designed to contain and prevent interleaving of broken centering springs.
 The spring centered valve does not have a monitoring function, nor does the continued function of the machine indicate the ability of the valve to spring center and stop the motion. To maintain a high level of performance, the ability of the directional valve to stop the motion by centering must be tested at regular intervals.
 The spring centered valve could be functionally tested on a regular basis by:
     Energizing a solenoid and immediately de-energizing it to center. Monitor actuator position to see if it reaches its end stop or if it halts as expected. This must be done in both directions.
     With both solenoids de-energized, monitoring pressure switches at both ports. This must be done after a move in each direction, and could be part of the normal machine cycle.
     Some directional valves are offered with sensors which directly monitor the power spool position. These may be used in an application where the dynamic performance of the spools must be monitored to assure that the safe separation distance is maintained.
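
The periodic centering test that 6.4.3.1.4 calls for and that the first two bullets above describe can be exercised against a simulated valve and actuator. The block below is an added example, not a circuit or code from the B11.TR6 report or its committee; the stroke, travel per scan, coast tolerance and the valve and actuator models are assumptions made for the simulation. It pulses each solenoid, de-energizes, watches whether the actuator halts or runs on to its end stop, and checks that both port pressure switches read no pressure afterwards (the open-center valve of this sub-clause exhausts both ports when centered). A spool that fails to spring back in one direction is caught only because the test is run in both directions.

```python
# Added example, not from B11.TR6: a simulated periodic functional test of a
# spring-centered, open-center three-position directional valve, following the
# two test methods listed in 6.4.4.3.2. Stroke, step size, scan count, coast
# tolerance and the valve/actuator models are assumptions for the simulation.
from dataclasses import dataclass
from typing import Optional, Dict

EXTEND, RETRACT = "extend", "retract"
STROKE_MM = 100.0            # assumed actuator stroke
STEP_MM = 5.0                # assumed travel per control scan while a port is pressurized
SCANS_AFTER_RELEASE = 10     # scans observed after the solenoid is de-energized
MAX_COAST_MM = 2 * STEP_MM   # assumed tolerable travel after release (valve response + inertia)


@dataclass
class SimValve:
    """Three-position spring-centered valve. `stuck` names a direction in which the
    spool fails to spring back to center once shifted (the failure the test looks for)."""
    stuck: Optional[str] = None
    spool: Optional[str] = None   # None = centered: both actuator ports exhausted

    def energize(self, direction: str) -> None:
        self.spool = direction

    def de_energize(self) -> None:
        # A healthy spool springs back to center; a stuck one stays shifted.
        if self.spool != self.stuck:
            self.spool = None

    def port_pressurized(self) -> Dict[str, bool]:
        """What pressure switches at the extend and retract ports would read."""
        return {EXTEND: self.spool == EXTEND, RETRACT: self.spool == RETRACT}


@dataclass
class SimActuator:
    position_mm: float = 0.0

    def scan(self, valve: SimValve) -> None:
        ports = valve.port_pressurized()
        if ports[EXTEND]:
            self.position_mm = min(STROKE_MM, self.position_mm + STEP_MM)
        elif ports[RETRACT]:
            self.position_mm = max(0.0, self.position_mm - STEP_MM)


def check_direction(valve: SimValve, actuator: SimActuator, direction: str) -> Dict[str, object]:
    """Method 1: energize, immediately de-energize, and watch whether the actuator
    halts or runs on to its end stop. Method 2: with both solenoids de-energized,
    the pressure switches at both ports must read no pressure."""
    valve.energize(direction)
    actuator.scan(valve)
    valve.de_energize()
    position_at_release = actuator.position_mm
    for _ in range(SCANS_AFTER_RELEASE):
        actuator.scan(valve)
    coast = abs(actuator.position_mm - position_at_release)
    ports = valve.port_pressurized()
    return {
        "coast_mm": coast,
        "halted": coast <= MAX_COAST_MM,
        "ports_exhausted": not ports[EXTEND] and not ports[RETRACT],
        "reached_end_stop": coast > MAX_COAST_MM and actuator.position_mm in (0.0, STROKE_MM),
    }


def run_functional_test(valve: SimValve) -> Dict[str, object]:
    """Run the centering test in both directions, as the page requires. The actuator
    starts mid-stroke so that a runaway in either direction has room to show."""
    actuator = SimActuator(position_mm=STROKE_MM / 2)
    results = {d: check_direction(valve, actuator, d) for d in (EXTEND, RETRACT)}
    results["pass"] = all(results[d]["halted"] and results[d]["ports_exhausted"] for d in (EXTEND, RETRACT))
    return results


if __name__ == "__main__":
    print("healthy valve passes:", run_functional_test(SimValve())["pass"])
    print("spool stuck extended passes:", run_functional_test(SimValve(stuck=EXTEND))["pass"])
```

Run the script to see a healthy valve pass and a valve whose spool sticks in the extend position fail; in the failing case the extend-direction result reports the coast distance, that the end stop was reached, and that the extend port is still pressurized, while the retract direction alone would have passed.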


6.4.4.4 Highest Risk Reduction (Category 4)


6.4.4.4.1 Pilot Operated Check (Category 4)

Figure: Redundant PO Check - External Air Pilot with Switch (LS1, LS2); Redundant PO Check - Solenoid with External Air Pilot with Switch (LS1, LS2).

Safety Function: When the electrical or pneumatic pilot signal is removed, the valve will trap pressure downstream of the outlet port. The dynamic monitoring shall ensure both independent valve elements function simultaneously. Slow or sticking valves may affect response time of the safety system. Non-synchronous movement of the independent elements while actuating or de-actuating shall result in a fault condition (diminished performance fault). Provides feedback when a faulted condition exists. Fault status switch may also be connected to a PLC input for status indication. Stored energy may cause unexpected motion when released during service.

Faults to Consider:
 Failure of safety device LS1 or LS2 to indicate valve element position.
 Broken components (piston, poppet, spring) within a valve element.
 Leakage or improper sealing of components including downstream devices will cause motion.
 Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.

Fault Exclusion: None to consider.

Safety Principle:
 Well tried check valve designed to be mechanically biased to block downstream fluid flow.
 Failure of safety device LS1 or LS2 to indicate valve element position is detected by the monitoring of both within the SRP/CS.
 Where the safety distance is impacted by the response time of the valves, dynamic monitoring in the Safety-related Portion of the Control System which assures that the valve shifts within a given period of time after the command signal has been removed from the valves is required.
 Non-synchronous movement of the independent elements while actuating or de-actuating is monitored by the Safety-related Portion of the Control System and shall result in a fault condition (diminished performance fault).
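
The dynamic monitoring described here and in 6.4.3.3.1 (both elements must shift within a given time after the command changes, a lone lagging element is a diminished performance fault, fluid power stays off while faulted, and the reset requires an acknowledgement rather than a simple re-cycle of the solenoids) reduces to a small state machine. The block below is an added example, not code or a circuit from the B11.TR6 report; the 50 ms shift limit, the sample timelines and the class and function names are assumptions. LS1 and LS2 are modelled as the page describes them: a closed contact means the element is in its de-energized (home) position, and the contact is direct driven open while the element is energized.

```python
# Added example, not from B11.TR6: dynamic monitoring of a dual-element valve
# with two position switches (LS1, LS2), as described for Category 3 and 4 in
# 6.4.3.3.1 and 6.4.4.4.1. The shift time limit, sample timelines and the names
# below are assumptions; ls*_home == True means the switch reports the element
# in its de-energized (home) position.
from typing import Optional, List, Tuple


class DualValveMonitor:
    """Tracks both valve elements against the command, latches a diminished
    performance fault, and keeps the output disabled until acknowledged."""

    def __init__(self, max_shift_ms: int) -> None:
        self.max_shift_ms = max_shift_ms
        self.cmd: Optional[bool] = None    # last commanded state (True = energized)
        self.t_edge = 0                    # time of the last command change
        self.fault: Optional[str] = None   # latched fault description
        self.fault_count = 0
        self._last = (False, True, True)   # (cmd, ls1_home, ls2_home) from the last scan

    def update(self, t_ms: int, cmd: bool, ls1_home: bool, ls2_home: bool) -> bool:
        """One control scan. Returns True only when fluid power may be applied."""
        if cmd != self.cmd:
            self.cmd, self.t_edge = cmd, t_ms
        self._last = (cmd, ls1_home, ls2_home)
        expected_home = not cmd            # de-energized => both elements home
        ok1 = ls1_home == expected_home
        ok2 = ls2_home == expected_home
        settling = t_ms - self.t_edge <= self.max_shift_ms
        if self.fault is None and not (ok1 and ok2) and not settling:
            # Past the allowed shift time both elements must agree with the command;
            # one element lagging the other is a non-synchronous shift.
            self.fault = "non-synchronous shift" if ok1 != ok2 else "neither element shifted"
            self.fault_count += 1
        return self.fault is None and cmd

    def output_enabled(self) -> bool:
        return self.fault is None

    def acknowledge(self) -> bool:
        """Manual reset: honoured only with the command removed and both elements
        home, so a fault cannot be cleared by simply re-cycling the solenoids."""
        cmd, ls1_home, ls2_home = self._last
        if self.fault is not None and not cmd and ls1_home and ls2_home:
            self.fault = None
            return True
        return False


Sample = Tuple[int, bool, bool, bool]  # (t_ms, cmd, ls1_home, ls2_home)


def run_timeline(samples: List[Sample], max_shift_ms: int = 50) -> Tuple[Optional[str], int]:
    """Feed constructed samples through a monitor; return (fault, fault_count)."""
    mon = DualValveMonitor(max_shift_ms)
    for t, cmd, ls1, ls2 in samples:
        mon.update(t, cmd, ls1, ls2)
    return mon.fault, mon.fault_count


# Constructed sample data: both elements shift within 20 ms of each command edge.
HEALTHY: List[Sample] = [
    (0, False, True, True), (100, True, True, True), (120, True, False, False),
    (1000, True, False, False), (1100, False, False, False), (1120, False, True, True),
    (1200, False, True, True),
]

# Constructed sample data: element 2 sticks in the energized position after the
# command is removed, so LS2 never returns home while LS1 does.
STICKING_ELEMENT: List[Sample] = [
    (0, False, True, True), (100, True, True, True), (120, True, False, False),
    (1100, False, False, False), (1120, False, True, False), (1200, False, True, False),
]


def demonstrate_reset() -> Tuple[bool, bool, bool]:
    """Fault on the sticking timeline, refuse an early acknowledge, accept it once
    both elements are home again. Returns (refused, accepted, output_enabled)."""
    mon = DualValveMonitor(50)
    for s in STICKING_ELEMENT:
        mon.update(*s)
    refused = mon.acknowledge()            # element 2 still not home: refused
    mon.update(1300, False, True, True)    # after maintenance both elements are home
    accepted = mon.acknowledge()
    return refused, accepted, mon.output_enabled()


if __name__ == "__main__":
    print("healthy:", run_timeline(HEALTHY))
    print("sticking element:", run_timeline(STICKING_ELEMENT))
    print("reset sequence (refused, accepted, output enabled):", demonstrate_reset())
```

The fault counter is retained across acknowledgements so that repeated faults of one element, which the page lists as a condition that must not go unannunciated, remain visible for diagnostics even after each reset. A single-switch Category 2 arrangement (6.4.3.2.1) is the same check with one channel and no synchronism comparison.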


6.4.5 Rod Locks and Brakes


Rod locks or brakes apply a mechanical force to the side of the actuator rod to stop motion or hold position.
The designer must take care in selecting components that are rated by the manufacturer for their intended
application, i.e., dynamic stopping or static load holding. Not all brakes will do both.

Safety Function: Stopping or holding of actuator mid-stroke with motion valve centered or exhausted.

Faults to Consider:
 Failure of rod lock or brake to hold or stop the load.
 Separation between the rod and tooling.
 Pressurization of the cylinder prior to releasing the brake will preload and launch the actuator rapidly.
 Used on loads greater than 30 lbs. This is only a general guideline as load design greatly influences acceptable weight.
 Lock or brake wear will negatively impact the actuator stopping distance or load holding performance and should be considered during the risk assessment.

Fault Exclusion: None to consider.

Safety Principle:
 An upstream safety exhaust valve will remove the pressure supply to the brake in order to eliminate the hazard created by the potential brake command valve failure.
 The brake command valve is primarily used to remove pneumatic supply timing issues.
 See also individual valve for failures and safeguards.
 Position of lock cylinder may be monitored or drift may be detected in the Safety-Related Parts of the Control System.


6.4.6 Flow Controls


Flow controls are used to control the actuator speed. They can be used to limit the flow into a port causing
the actuator to build pressure and move at a limited rate. The flow control can also be used to limit the flow
out of an actuator when being exhausted. This only reduces speed when air pressure is present on the
downstream side of the actuator.

When the reapplication of pressure occurs after an energy isolation event, meter-in flow controls can be used
to limit the flow into the cylinder to prevent the rapid acceleration that will occur when there is an absence of
pressure in the opposite end of the actuator.

On applications with overrunning loads, limiting the flow both into and out of an actuator may be the most
appropriate solution. This reduces or eliminates the rapid advance caused by lack of air in an exhausted
meter-out circuit and allows for braking of fast moving applications where inertia is a factor.

Meter-in flow controls should be used on all applications where the cylinder lines are exhausted, either by the
safety valve, or by the motion control valve.

6.4.6.1 Meter-IN – Controls the Fluid Flow Going into the Cylinder.
Advantages: Controlled motion after air has been exhausted from both actuator lines.
Disadvantages: Slip-stick or jerky motions while moving large bore actuators slowly.

Safety Function: Controls actuator speed within application design parameters minimizing tooling and component damage. Controls flow into the cylinder reducing the rapid acceleration that occurs with meter-out flow controls after the downstream air has been exhausted.

Faults to Consider:
 Operator adjustment.
 Contamination will change actuator speed influencing stop distance formulas and placement of safeguarding devices.
 Check may get stuck open due to contamination resulting in an increase in actuator speed.

Fault Exclusion: None to consider.

Safety Principle: Well tried devices.


6.4.6.2 Meter-OUT – Controls the Fluid Flow Coming Out of the Cylinder.
Advantages: Slightly better control of slow moving actuators.
Disadvantages: Actuator velocity can be extremely fast if both cylinder lines have been exhausted, as the compressed air that is normally used for speed control has been removed.

Safety Function: Controls the flow out of the cylinder.

Faults to Consider:
 Operator adjustment.
 Contamination will change actuator speed influencing stop distance formulas and placement of safeguarding devices.
 Check may get stuck open due to contamination resulting in an increase in actuator speed.
 Rapid unexpected motion will occur when the downstream air has been removed from the actuator.

Fault Exclusion: None to consider.

Safety Principle: Well tried devices.


6.4.6.3 Meter-IN Flow Control Example

Figure: Meter-in flow controls are used to prevent a run-away condition caused by removal of air.

6.4.6.4 Meter-OUT Flow Control Example


Addition of Meter-Out Flow Control to Slow Descent During Normal Operation and When Relieving Stored Energy for Service.

Figure: Meter-out flow control is used in conjunction with meter-in flow controls to control downward speed for automatic operation, and is used to control downward speed during manual bleed.


6.4.7 Pneumatic Air Logic Control Circuits


The following covers pneumatic air logic control circuits and should not be confused with the electrical circuit
diagrams.

6.4.7.1 E-Stop
6.4.7.1.1 Lowest Risk Reduction (Category 1)

Figure: air logic E-Stop circuit (E-Stop, Reset, R1, R1-1, R1-2; non-hazardous and hazardous portions of machine).

Safety Function: Blocks supply pressure and removes pneumatic pressure downstream of the E-Stop valve.

Faults to Consider:
 Stuck main spool will prevent removal of downstream pressure.
 Broken spring within a valve element will prevent reapplication of pressure.

Fault Exclusion: None to consider.

Safety Principle: Reduces the risk when clearing jams if air pressure supply is not vented.


6.4.7.2 Two hand control


6.4.7.2.1 Lowest Risk Reduction (Category 1)

Safety Function:
 Concurrent actuation by both hands within a 500 ms time frame.
 Where this time limit is exceeded, both hand controls shall be released before operation is initiated.
 Continuous actuation during hazardous condition. Cessation of hazardous condition if either hand control was released.
 Release and re-actuation of both hand controls to re-initiate the hazardous operation (i.e., "anti-tie down").

Faults to Consider: Failure of R1-1 or R1-2 flow paths to open when R1 is de-pressurized. TR1 fails to open.

Fault Exclusion: None to consider.

Safety Principle: Air supply must be vented to prevent rapid motion of cylinder when a jam is cleared.

6.4.7.2.2 Highest Risk Reduction (Category 4)

Safety Function:
 Concurrent actuation by both hands within a 500 ms time frame.
 Where this time limit is exceeded, both hand controls shall be released before operation is initiated.
 Continuous actuation during hazardous condition.
 Cessation of hazardous condition if either hand control was released.
 Release and re-actuation of both hand controls to re-initiate the hazardous operation (i.e., "anti-tie down").

Faults to Consider:
 The safety interface module must meet the required level of safety performance as determined by the risk assessment for the expected level of risk reduction.
 The design, construction, and installation of the two-hand controls must have redundant flowpaths that have separate mechanical spools and springs.

Fault Exclusion: None to consider.

Safety Principle: Air supply must be vented to prevent rapid motion of cylinder when a jam is cleared.


6.4.7.3 Velocity Fuse


A velocity fuse is a device that will automatically react to the sudden loss of pressure that occurs when a
downstream hose or fitting is disconnected or broken. The sudden loss of pressure will result in an
unsecured hose whipping around potentially causing injuries or damage unless a velocity fuse is installed.

The device must be installed on the supply side of the hose to prevent the whipping action from occurring.
When used on vertical loads to prevent rapid lowering during a conductor failure the device must be installed
directly into the actuator port.

Safety Function: Shuts off or reduces the flow to a flexible conductor during a failure.

Faults to Consider:
 Pilot or main spool can stick in any position causing a failure of the flow to stop as intended.
 Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
 Broken components (spring and seals) within a valve element.
 These devices will typically reset automatically.

Fault Exclusion: None to consider.

Safety Principle: Well tried devices.


6.5 Hydraulic Systems


6.5.1 General considerations
Hydraulic circuits use hydraulic fluid to transfer energy to perform work. This energy must be properly
managed and conditioned to minimize or eliminate hazards associated with component failures and the
release of stored energy.

To effectively mitigate these hazards the hydraulic design process should be broken up into the following
steps:
 Determine hazards presented by motions powered by hydraulic energy and other hazards
associated with a fluid under pressure;
 Select the appropriate fluid preparation components based on the required contamination control
filtration level required (see 4.11.5);
 Determine if a blocking valve is required to isolate or remove energy. Select the appropriate valve
performance based on the risk Category requirements (see 6.5.2);
 Select the motion valve most appropriate for your applications (see 6.5.3);
 If a vertical load needs to be held in place select a pilot operated check or counter-balance
valve (see 6.5.4 or 6.5.5);
 If the load needs to be stopped or held by mechanical means select the appropriate lock,
brake, or equivalent mechanical device. Additional hydraulic support means may also be
required (see 6.5.6);
 If speed control is required or the re-application of pressure can create a hazard select the
appropriate flow control solution (see 6.5.7);
 Evaluate each remaining risk to determine whether or not it is tolerable.

The following hydraulic examples use direct acting valves, which represent the majority of valves used in
industry for flows less than 20 GPM. Direct acting valves have fewer failure modes than pilot operated
valves regarding a valve's ability to initiate a motion without being given an electrical command signal. A pilot
operated valve's design should be evaluated to determine if there are failure modes which would initiate a
motion and what additional controls might need to be installed to mitigate this risk. Both valve types have
similar failure modes regarding a valve's inability to return to the de-energized position, but the pilot operated
valves have an additional concern: the potential inability of the valve to exhaust or drain the pilot
pressure, preventing the main spool from returning.


6.5.1.1 Hydraulic Component Selection Process


Figure L (flowchart) and Figure M (example schematic) are intended as a guide to the proper selection and
implementation of components. The schematic contains the reservoir, pump cooling and filtration circuit.

Figure L


Figure M

Safety Function: Proper pre-filtering conditions the incoming fluid supply, increasing the circuit's reliability.
Filtration requirements are as defined by ISO 4406.
Safety valve(s): use and implementation as determined by the risk assessment.
Faults to Consider: Filter failure, high fluid temperature, ingression or poor maintenance will pass contamination to the system,
causing premature failure of components and potentially invalidating the vendor's mean time to failure data.
Regulator failure or improper adjustment can cause excessive pressures in the system.
Fault Exclusion: None to consider.
Safety Principles: The application of the principles above will greatly increase the mean time to dangerous failure and is
applicable to all levels of design.

6.5.1.2 Fluid Preparation (Contamination Control)


A fluid power circuit's reliability is influenced by contamination, i.e., by its cleanliness level. Care
must be taken to select fluid conditioning components appropriate for the intended level of reliability.
Strict adherence to the proper conditioning of the fluid power source can increase the mean time to
dangerous failure.

6.5.2 Dump (Blocking) Valve


6.5.2.1 Basic Risk Reduction (Category B)
6.5.2.1.1 Spring Centered Three Position Exhaust Center (Category B)
A Category B circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). The following example represents a 4-way valve used to directly control the
hazardous motion.

Schematic: 4-way valve between the hydraulic power source and the hazardous motion.

Safety Function: When the electrical command signal is removed, the valve shifts to center position, blocking fluid
from flowing into the actuator and exhausting the energy out of the hazardous motion device.
A slow or sticking valve may affect response time of the safety system.
Faults to Consider: Solenoid pilot section of valve stuck in actuated position.
Pilot seal failure – Can lead to unexpected valve element movement.
Pilot section manual actuator seal failure - Can lead to unexpected valve element movement.
Leakage or improper sealing of components.
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (piston, poppet, spring) within a valve element.
Spool sticking or spring failure in the spring centered directional valve may cause its failure to
center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to contain and prevent interleaving of broken centering springs.
The fact that the process is operating cannot be taken as an indication that the valve will center.


6.5.2.1.2 Spring Centered Three Position Exhaust Center w/ Actuator monitoring (Category 1)
A Category 1 circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). The following example represents a 4-way valve used to directly control the
hazardous motion.

Schematic: 4-way valve between the hydraulic power source and the hazardous motion.

Safety Function: When the electrical command signal is removed, the valve shifts to center position, blocking fluid
from flowing into the actuator and exhausting the energy out of the hazardous motion device.
A slow or sticking valve may affect response time of the safety system.
Faults to Consider: Solenoid pilot section of valve stuck in actuated position.
Pilot seal failure – Can lead to unexpected valve element movement.
Pilot section manual actuator seal failure - Can lead to unexpected valve element movement.
Leakage or improper sealing of components.
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (piston, poppet, spring) within a valve element.
Spool sticking or spring failure in the spring centered directional valve may cause its failure to
center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to contain and prevent interleaving of broken centering springs.
The fact that the process is operating cannot be taken as an indication that the valve will center.
To achieve Category 2 the spring centered valve must be periodically tested (see 4.5.1). This
could be accomplished by:
- Energize a solenoid and immediately de-energize to center. Monitor actuator position to
see if it reaches its end stop or if it halts as expected. This must be done in both directions.
- With both solenoids de-energized, monitor pressure switches at both ports. This must be done
after a move in each direction, and could be part of the normal machine cycle.


6.5.2.2 Low / Intermediate Risk Reduction (Category 2)


6.5.2.2.1 Monitored Two Way Valve (Category 2)
A Category 2 circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). System monitoring is done through external methods. The following example
represents a monitored 3 way valve used on a single acting cylinder or a simple process control valve.

Safety Function: When the electrical signal is removed, the valve exhausts fluid power from the hazardous
portion of the machine.
A safety rated device monitors or indicates the position of the valve element in a de-energized
state.
Slow or sticking valves may not be identified by the SRP/CS.
While the valve is in the faulted state, the fluid power to the hazardous portion of the machine
shall remain off.
Faults to Consider: Exhaust time may be increased significantly depending on valve spool failure position.
Sluggish response of valve resulting in diminished performance may go undetected if it is
within the timing period specified by the Safety-Related Parts of the Control System.
Fault Exclusion: None to consider.
Safety Principle: Well tried devices designed to be mechanically biased to exhaust downstream fluid power.
The monitoring of LS1 and LS2 by the SRP/CS shall ensure both independent valve elements
have transitioned.
When the valve element is in the energized position the safety device contacts must be
directly driven open.
Response and cycling of both valves is monitored in the Safety-Related Parts of the Control
System.
Where the safety distance is impacted by the response time of the valves, dynamic monitoring
shall ensure both independent valve elements function simultaneously.
The level of this configuration may be elevated to Category 4 with the proper monitoring and
reset control derived from the Safety-Related Parts of the Control System. See 6.5.4.2.1.
Fault status may also be connected to a PLC input for status indication.


6.5.2.2.2 Spring Centered Three Position Exhaust Center w/ Control Circuit Functional Monitoring
(Category 2)
A Category 2 circuit does not require a safety exhaust (blocking) valve to be used upstream of the motion or
process control valve(s). The following example represents a 4-way valve used to directly control the
hazardous motion.

Schematic: 4-way valve between the hydraulic power source and the hazardous motion.

Safety Function: When the electrical command signal is removed, the valve shifts to center position, blocking
fluid from flowing into the actuator and exhausting the energy out of the hazardous motion
device.
A slow or sticking valve may affect response time of the safety system.
Faults to Consider: Solenoid pilot section of valve stuck in actuated position.
Pilot seal failure – Can lead to unexpected valve element movement.
Pilot section manual actuator seal failure - Can lead to unexpected valve element movement.
Leakage or improper sealing of components.
Valve element not actuating or de-actuating properly due to fluid contamination or internal
wear.
Broken components (piston, poppet, spring) within a valve element.
Spool sticking or spring failure in the spring centered directional valve may cause its failure to
center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to contain and prevent interleaving of broken centering springs.
The fact that the process is operating cannot be taken as an indication that the valve will
center.
To achieve Category 2 the spring centered valve must be periodically tested (see 4.5.1).
This could be accomplished by:
Energize a solenoid and immediately de-energize to center. Monitor actuator position to see
if it reaches its end stop or if it halts as expected. This must be done in both directions.


6.5.2.3 Intermediate / High Risk Reduction (Category 3)


6.5.2.3.1 Series Monitored Blocking Valve with Circuit Spring Centered Three Position Exhaust
Center (Category 3)

Safety Function: When the electrical command signals are removed, the dump valve blocks the incoming supply
and exhausts supply energy from the motion valve. The motion valve will also block the fluid
from flowing into, and exhaust the energy out of, the hazardous motion device.
Slow or sticking valves may affect response time of the safety system.
LS1 provides feedback when a faulted condition exists. Fault status switch may also be
connected to a PLC input for status indication.
Stored energy may cause unexpected motion when released during service.
Spool sticking or spring failure in the spring centered directional valve may fail to center the spool,
keeping supply and exhaust available to the hazardous motion device.
Faults to Consider: Failure of safety device LS1 to indicate valve element position.
Broken components (piston, poppet, spring) within a valve element.
Leakage or improper sealing of components including downstream devices will cause motion.
Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Spool sticking or spring failure in the spring centered directional valve may cause its failure to
center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle: Well tried blocking valve designed to be mechanically biased to exhaust downstream fluid power.
Well tried device designed to contain and prevent interleaving of broken centering springs.
The spring centered valve does not have a monitoring function, nor does the continued function of
the machine indicate the ability of the valve to spring center and stop the motion. To maintain a
high level of performance, the ability of the directional valve to stop the motion by centering must
be tested at regular intervals.
The spring centered valve could be functionally tested on a regular basis by:
Energize a solenoid and immediately de-energize to center. Monitor actuator position to see if it
reaches its end stop or if it halts as expected. This must be done in both directions.
Some directional valves are offered with sensors which directly monitor the power spool position.
These may be used in an application where the dynamic performance of the spools must be
monitored to assure that the safe separation distance is maintained.
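The periodic functional test of a spring centered valve described in 6.5.2.1.2, 6.5.2.2.2 and the table above (pulse a solenoid, de-energize, verify that the actuator halts rather than running to its end stop, and check the port pressure switches with both solenoids de-energized), as an added Python example that is not part of the report. The SpringCenteredValve plant model, its stroke, speed and timing values are constructed assumptions; its fails_to_center flag stands in for a stuck spool or broken centering springs.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class SpringCenteredValve:
    """Constructed plant model (not from the report): a 3-position spring centered
    exhaust-center 4-way valve driving a linear actuator. With fails_to_center set,
    the spool stays in its last shifted position when both solenoids are de-energized,
    which is what a stuck spool or broken centering springs look like to the test."""
    stroke_mm: float = 100.0
    speed_mm_per_ms: float = 0.5
    position_mm: float = 50.0
    fails_to_center: bool = False
    spool: str = "center"        # "center", "A" (extend) or "B" (retract)

    def command(self, sol_a: bool, sol_b: bool) -> None:
        if sol_a:
            self.spool = "A"
        elif sol_b:
            self.spool = "B"
        elif not self.fails_to_center:
            self.spool = "center"

    def step(self, dt_ms: float) -> None:
        """Advance the actuator; it cannot travel past either end stop."""
        if self.spool == "A":
            self.position_mm = min(self.stroke_mm, self.position_mm + self.speed_mm_per_ms * dt_ms)
        elif self.spool == "B":
            self.position_mm = max(0.0, self.position_mm - self.speed_mm_per_ms * dt_ms)

    def pressure_switches(self) -> Tuple[bool, bool]:
        """Port A and port B pressure switches; with an exhaust center both drop out."""
        return self.spool == "A", self.spool == "B"


def _run(valve: SpringCenteredValve, duration_ms: float, dt_ms: float) -> None:
    for _ in range(int(duration_ms / dt_ms)):
        valve.step(dt_ms)


def centering_test(valve: SpringCenteredValve, pulse_ms: float = 20, settle_ms: float = 20,
                   dt_ms: float = 5, tolerance_mm: float = 1.0) -> Dict[str, Dict[str, bool]]:
    """Pulse each solenoid, de-energize, then check that the actuator halts short of its
    end stop and that both port pressure switches drop out. Done in both directions."""
    travel = valve.speed_mm_per_ms * pulse_ms
    # The pulse itself must not be able to reach an end stop, or the test is inconclusive.
    if not travel < valve.position_mm < valve.stroke_mm - travel:
        raise ValueError("actuator must start mid-stroke so the test pulse cannot reach an end stop")
    results: Dict[str, Dict[str, bool]] = {}
    for sol in ("A", "B"):
        valve.command(sol == "A", sol == "B")
        _run(valve, pulse_ms, dt_ms)              # brief commanded motion
        valve.command(False, False)               # spool should spring back to center
        _run(valve, settle_ms, dt_ms)             # allow the spool to settle
        start = valve.position_mm
        _run(valve, settle_ms, dt_ms)             # observation window: no motion expected
        moved = abs(valve.position_mm - start) > tolerance_mm
        at_end_stop = valve.position_mm <= 0.0 or valve.position_mm >= valve.stroke_mm
        pa, pb = valve.pressure_switches()
        results[sol] = {"halted": not moved and not at_end_stop,
                        "ports_exhausted": not (pa or pb)}
    return results


def passed(results: Dict[str, Dict[str, bool]]) -> bool:
    """The valve is proven able to center only if every check in both directions passed."""
    return all(r["halted"] and r["ports_exhausted"] for r in results.values())
```

A healthy valve passes and ends where it started; a valve that fails to center keeps moving through the observation window and keeps a port pressurised, so both checks fail in both directions.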


6.5.2.4 Highest Risk Reduction (Category 4)


6.5.2.4.1 Series Monitoring Circuit (Category 4)

Safety Function: When the electrical command signals are removed the valve(s) exhausts fluid power from
the hazardous portion of the machine.
A safety rated device monitors or indicates the position of the valve element in a de-
energized state.
The monitoring of LS1 and LS2 by the SRP/CS shall ensure both independent valve
elements have transitioned.
Slow or sticking valves may not be identified by the SRP/CS.
Non-synchronous movement of the independent elements while actuating or de-actuating
shall result in a fault condition (diminished performance fault).
While the valve is in the faulted state, the fluid power to the hazardous portion of the
machine shall remain off.
Faults to Consider: Exhaust time may be increased significantly depending on valve spool failure position.
Sluggish response of valve resulting in diminished performance may go undetected if it is
within the timing period specified by the SRP/CS.
Fault Exclusion: None to consider.
Safety Principle: Well tried devices designed to be mechanically biased to exhaust downstream fluid power.
When the valve element is in the energized position the safety device contacts must be
directly driven open.
Response and cycling of both valves is monitored in the Safety-Related Parts of the Control
System.
Where the safety distance is impacted by the response time of the valves, dynamic
monitoring shall ensure both independent valve elements function simultaneously.
Non-synchronous movement of the independent elements while actuating or de-actuating
shall result in a fault condition (diminished performance fault).
The level of this configuration may be elevated to Category 4 with the proper monitoring and
reset control derived from the Safety-Related Parts of the Control System.
Fault status may also be connected to a PLC input for status indication.
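The LS1/LS2 monitoring called for in 6.5.2.2.1 and the table above (both independent valve elements must transition, non-synchronous movement is a diminished performance fault, and fluid power stays off while faulted until a reset from the SRP/CS), as an added Python example that is not from the report or any valve vendor. The DualValveMonitor logic, the scan traces, the 150 ms response and 50 ms discrepancy limits and the reset policy are constructed assumptions; the last trace shows the caveat from the text that a sluggish response inside the timing period goes undetected.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    """One scan of the monitor inputs (constructed for this example)."""
    t_ms: int   # scan time in milliseconds
    cmd: bool   # command to both solenoids: True = energize and pass fluid power
    ls1: bool   # LS1 closed = valve element 1 is in its de-energized (exhaust) position
    ls2: bool   # LS2 closed = valve element 2 is in its de-energized (exhaust) position


class DualValveMonitor:
    """Hypothetical SRP/CS logic for the LS1/LS2 feedback of two series valve elements.
    The contacts are directly driven open when an element is energized, so the expected
    contact state is the inverse of the command. After each command edge both elements
    must reach it within max_response_ms, the second lagging the first by no more than
    max_discrepancy_ms. A fault latches and forces the solenoid output off until reset."""

    def __init__(self, max_response_ms: int, max_discrepancy_ms: int) -> None:
        self.max_response_ms = max_response_ms
        self.max_discrepancy_ms = max_discrepancy_ms
        self.faulted = False
        self.fault_reason: Optional[str] = None
        self._prev_cmd: Optional[bool] = None
        self._edge_t: Optional[int] = None   # command edge whose transition is unverified
        self._reached: Dict[str, Optional[int]] = {"LS1": None, "LS2": None}

    def _fault(self, reason: str) -> bool:
        self.faulted, self.fault_reason = True, reason
        return False

    def scan(self, s: Sample) -> bool:
        """Process one scan; returns the solenoid output, always False while faulted."""
        if self.faulted:
            return False
        target = not s.cmd
        if self._prev_cmd is not None and s.cmd != self._prev_cmd:
            self._edge_t = s.t_ms        # a new edge restarts the timing of both elements
            self._reached = {"LS1": None, "LS2": None}
        self._prev_cmd = s.cmd
        contacts = {"LS1": s.ls1, "LS2": s.ls2}
        if self._edge_t is None:
            # Settled: a contact disagreeing with the command means an element moved by itself
            wrong = [n for n, closed in contacts.items() if closed != target]
            return self._fault(f"unexpected movement of {' and '.join(wrong)}") if wrong else s.cmd
        for name, closed in contacts.items():
            if self._reached[name] is None and closed == target:
                self._reached[name] = s.t_ms
        done = [t for t in self._reached.values() if t is not None]
        if len(done) == 2:
            if abs(done[0] - done[1]) > self.max_discrepancy_ms:
                return self._fault("non-synchronous movement of valve elements")
            self._edge_t = None          # both elements verified in the commanded state
        elif s.t_ms - self._edge_t > self.max_response_ms:
            slow = " and ".join(n for n, t in self._reached.items() if t is None)
            return self._fault(f"{slow} did not transition within {self.max_response_ms} ms")
        elif done and s.t_ms - min(done) > self.max_discrepancy_ms:
            return self._fault("non-synchronous movement of valve elements")
        return s.cmd

    def reset(self, s: Sample) -> bool:
        """Assumed reset policy: accepted only with the command off and both elements
        proven (LS1 and LS2 closed) in the de-energized position."""
        if self.faulted and not s.cmd and s.ls1 and s.ls2:
            self.faulted, self.fault_reason = False, None
            self._prev_cmd, self._edge_t = False, None
            return True
        return False


def run_monitor(samples: List[Sample], max_response_ms: int = 150, max_discrepancy_ms: int = 50):
    """Feed a scan trace through a fresh monitor; returns (outputs, monitor)."""
    m = DualValveMonitor(max_response_ms, max_discrepancy_ms)
    return [m.scan(s) for s in samples], m


# Constructed scan traces (not measured data). Healthy valves, LS2 10 ms behind LS1:
NORMAL_CYCLE = [Sample(0, False, True, True), Sample(10, True, True, True),
                Sample(30, True, False, True), Sample(40, True, False, False),
                Sample(100, False, False, False), Sample(130, False, True, True),
                Sample(200, False, True, True)]
# Element 2 fails to return after de-energize (LS2 never closes): discrepancy fault at 190 ms,
# and the later command at 300 ms cannot re-enable the output.
STUCK_ELEMENT = [Sample(0, False, True, True), Sample(10, True, True, True),
                 Sample(30, True, False, False), Sample(100, False, False, False),
                 Sample(130, False, True, False), Sample(160, False, True, False),
                 Sample(190, False, True, False), Sample(300, True, True, False)]
# Both elements respond late but inside max_response_ms: the diminished performance the
# text warns may go undetected when it stays within the timing period.
SLUGGISH_BUT_IN_TIME = [Sample(0, False, True, True), Sample(10, True, True, True),
                        Sample(140, True, False, False), Sample(200, True, False, False)]
```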


6.5.3 Directional (Motion) Valve Selection


Directional valves control the motion of linear or rotary actuators. From a safety perspective, directional or
motion valves should be selected based on the desired action the designer would like to see occur when
power is removed from the solenoid and what failure modes may lead to a shifting of the main spool without
being given an electrical command.

6.5.3.1 Basic / Lowest Risk Reduction (Category B and 1)


6.5.3.1.1 2 Position - Spring Offset (Category B and 1)

Safety Function: Valve is intended to return actuator to home or retracted position on a loss of electrical power.
All hazards in the retract direction must be guarded or eliminated by design.
When the electrical signal is removed, the valve removes fluid power from the port supplying the
hazardous actuator condition and applies fluid pressure to the port supplying the non-hazardous
actuator condition.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to reverse as intended.
Pilot section manual actuator seal failure - Can lead to unexpected valve element movement.
Leakage or improper sealing of components.
Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the actuator.
Broken components (spring and seals) within a valve element.
Solenoid pilot section of valve stuck in actuated position.
Fault Exclusion: None to consider.
Safety Principle: Well-tried device.
Strict adherence to the proper conditioning of the fluid power source can increase the mean time to
dangerous failure.
Depending on the process, the continued operation of the machine is indication that the valve is
cycling.
Loss of the electrical supply power to the valve will cause the valve to return to its de-energized
position resulting in the actuator returning to the home position.


6.5.3.1.2 2 Position – Detented (Category B and 1)

Safety Function: When the electrical signal is removed the valve spool will maintain its last commanded position.
The intent is to maintain actuator position on a loss of electrical power.
Designs should be limited to short strokes or actuators where a loss of pressure would lead to a
safety hazard. Recommended applications are grippers, collets, part indexers and strokes less
than 3 inches. The intent is to maintain motion to the end of travel, and to keep operational
pressure on the actuator on the loss of electrical power to the solenoid.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Pilot section manual actuator seal failure - Can lead to unexpected main spool movement.
Leakage or improper sealing of components.
Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the
actuator.
Valve will allow motion to continue after power has been removed from the coil.
Broken components (spring and seals) within a valve element.
Solenoid pilot section of valve stuck in actuated position.
Fault Exclusion: None to consider.
Safety Principle: Well-tried device and sufficient detent to maintain command position.
By design this valve will allow motion to continue after power has been removed from the
solenoid until the actuator has reached the end of its stroke.
Depending on the process, the continued operation of the machine is indication that the valve is
cycling.
If electrical power is lost, the actuator cannot be electrically reversed.


6.5.3.1.3 3 Position – Spring Centered – Open (Float) Centered (Category B and 1)

Safety Function: When the electrical signal is removed the valve will return to its center position, block the supply
pressure, and remove pressure from both actuator lines. The intent is to stop the actuator in mid-
position when the electrical power has been removed from the coils. The actuator has no
pressure so high inertia or gravity may cause motion after the electrical power has been
removed.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Solenoid pilot section of valve stuck in actuated position.
Pilot section manual actuator seal failure - Can lead to unexpected main spool movement.
Leakage or improper sealing of components.
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (spring and seals) within a valve element.
High pressure or pressure surges in the drain or tank line may cause motion.
Typical production operation may not involve the use of the center position of the valve except
during machine shutdown or E-stops. Center position may be unobtainable due to multiple
spring failures effectively turning spring centered valve into a detented valve.
Fault Exclusion: None to consider.
Safety Principles: The valve's ability to hold the actuator in mid-stroke or to a minimum pressure depending on
valve configuration must be tested at an interval dictated by the risk assessment and circuit
performance requirements. The fact that the valve continues to cycle the actuator under solenoid
control does not assure its ability to center the spool. Depending on safety performance
requirements, the Safety-Related Parts of the Control System should test the ability of the valve
to center at regular intervals. For higher Category applications, an upstream safety exhaust
valve is used in conjunction to ensure hazardous energy is removed.
Well-tried device.
With electrical power removed, the actuator is free to move due to outside influences such as
external forces, springs and gravity. Additional circuitry may be required to prevent or control
these conditions.
In safety applications Non Monitored spring center open center valves are limited to Category B
and 1 application.


6.5.3.1.4 3 Position – Spring Centered – Closed or Blocked Center (Category B and 1)

Safety Function: When the electrical signal is removed, the valve will return to its center position, block the supply
pressure, and trap pressure in both actuator control lines. The intent is to stop and hold the
actuator in mid-position when the electrical power has been removed from the coils.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Solenoid pilot section of valve stuck in actuated position.
Pilot section manual actuator seal failure - Can lead to unexpected main spool movement.
Leakage or improper sealing of components including downstream devices will cause motion.
Spool valves will leak resulting in the reduction of trapped pressure over time causing motion.
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (spring and seals) within a valve element.
Typical production operation may not involve the use of the center position of the valve except
during machine shutdown or E-stops. The center position not being operational may be
undetected during normal operation. Center position may be unobtainable due to multiple spring
failures effectively turning spring centered valve into a detented valve.
Fault Exclusion: None to consider.
Safety Principle: The valve's ability to hold the actuator in mid-stroke or to a minimum pressure depending on
valve configuration must be tested at an interval dictated by the risk assessment and circuit
performance requirements. The fact that the valve continues to cycle the actuator under solenoid
control does not assure its ability to center the spool. Depending on safety performance
requirements, the Safety-Related Parts of the Control System should test the ability of the valve
to center at regular intervals. For higher Category applications, an upstream safety exhaust
valve is used in conjunction to ensure hazardous energy is removed.
In safety applications Non Monitored spring center closed center valves are limited to Category B
and 1 application.
With electrical power removed, the actuator is trapped and unable to move even with outside
influences such as external force and gravity. Means to release the trapped oil from the actuator
must be provided if there is an entrapment hazard.
Depending on safety performance requirements, the Safety-Related Parts of the Control System
should test the ability of the valve to center at regular intervals.
High inertial loads can create pressure spikes when the valve centers. Additional controls, i.e.,
relief valves, may be required to mitigate this risk.
Well-tried device.


6.5.3.2 Low / Intermediate Risk Reduction (Category 2)


6.5.3.2.1 2 Position Spring Offset – Monitored Spool Position (Category 2)

Safety Function: Valve is intended to return actuator to home or retracted position on a loss of electrical power.
All hazards in the retract direction must be guarded or eliminated by design.
When the electrical signal is removed, the valve exhausts fluid power from the port supplying the
hazardous actuator condition and applies fluid pressure to the port supplying the non-hazardous
actuator condition.
A safety rated device LS1 indicates the position of the valve element in a de-energized state.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
Leakage or improper sealing of components.
Failure of pilot stage can initiate a shift of the main spool causing unintended motion of the
actuator.
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (spring and seals) within a valve element.
Solenoid pilot section of valve stuck in actuated position.
Failure of LS1 device.
Fault Exclusion: None to consider.
Safety Principle: Well-tried device designed to be mechanically biased to exhaust downstream fluid power.
When the valve element is in the energized position the safety device contacts must be directly
driven open.
LS1 must be monitored by the Safety-Related Parts of the Control System at regular intervals to
assure that the valve has shifted.
By design this valve will allow return motion to continue after power has been removed from the
solenoid until the actuator has reached the end of its stroke.
Depending on the process, the continued operation of the machine is indication that the valve is
cycling.
If electrical power is lost, the actuator will be reversed.
Strict adherence to the proper conditioning of the fluid power source can increase the mean time
to dangerous failure.
Loss of power, due to circuit failure or loss of pilot supply, will cause the un-shifting of a shifted
valve, and resultant motion of the drive component unless the fluid power supply is exhausted.
The status of the spool is monitored in the Safety-Related Parts of the Control System (SRP/CS) to
verify that the spool has shifted when the solenoid is de-energized and returned to its de-
energized position.


6.5.4 Pilot Operated Check Valves


Pilot operated checks are used to trap or store energy (hydraulic pressure) in the actuator(s) to maintain
position. This energy may not be removed by turning off the hydraulic power unit. See also 4.7.4.

Pilot operated checks maintain a vertical actuator's position by trapping fluid between the actuator piston and
the check. Their application should be limited to light loads. PO check seal leaks, piston seal, rod seal,
fitting or line leaks can cause a lowering motion that needs to be considered during the risk assessment.

Caution: Hydraulic intensification on single rod cylinders and pressure spikes caused by quickly stopping a
moving load must be considered as one of the failure modes. Where these conditions exist, the proper valve
to use is the counter-balance valve since it can safely reduce the pressure by venting the intensified
pressure to drain. See also, 6.5.5.

The pilot pressure supply may directly affect the closing of the check which may impact the stop
time/distance of the actuator. The pilot supply should be connected downstream of the safety blocking valve.

6.5.4.1 Basic / Lowest Risk Reduction (Category B and 1)


6.5.4.1.1 Pilot Operated Check – Example 1 of 2 (Category B and 1)

Schematics: PO Check - External Fluid Pilot; PO Check - Solenoid with Internal Fluid Pilot.

Safety Function: When the electrical or hydraulic pilot signal is removed the valve will trap fluid in a portion of the
circuit.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Solenoid pilot section of valve stuck in actuated position (if applicable).
Pilot seal failure – can lead to unexpected main spool movement (if applicable).
Pilot section manual actuator seal failure - can lead to unexpected main spool movement (if
applicable).
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (spring and seals) within a valve element.
Stored energy may cause unexpected motion when released during service.
Leakage or improper sealing of components including downstream devices will cause motion.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to be mechanically biased to trap downstream fluid power.


6.5.4.2 Pilot Operated Check – Basic / Lowest Risk Reduction; Example 2 of 2 (Category B and 1)
A Category B or 1 circuit does not require a safety exhaust (blocking) valve to be used upstream of the
motion or process control valve(s). The following example represents a 4-way valve used to directly control
the hazardous motion and a PO check to suspend the load. Applications should be limited to light loads
without a need to perform braking or deceleration. Where braking or deceleration is required, counter
balance valves shall be used.

[Figure: spring-centered 4-way directional valve and PO check between the hydraulic supply and the hazardous motion]

Safety Function: When the electrical command signal is removed, the valve shifts to its center position,
blocking fluid from flowing in or out of the hazardous motion device.
A slow or sticking valve may affect response time of the safety system.
Faults to Consider: Solenoid pilot section of valve stuck in actuated position.
Pilot seal failure – can lead to unexpected valve element movement.
Pilot section manual actuator seal failure – can lead to unexpected valve element movement.
Leakage or improper sealing of components.
Valve element not actuating or de-actuating properly due to fluid contamination or internal
wear.
Broken components (piston, poppet, spring) within a valve element.
Spool sticking or spring failure in the spring centered directional valve may cause its failure to
center the spool, keeping supply and exhaust available to the hazardous motion device.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to contain and prevent interleaving of broken centering springs.
The fact that the process is operating cannot be taken as an indication that the valve will
center.

6.5.4.3 Low / Intermediate Risk Reduction (Category 2)


6.5.4.3.1 Pilot Operated Check – Low / Intermediate Risk Reduction (Category 2)

[Figure: PO check with external fluid pilot (left); solenoid-operated PO check with internal fluid pilot (right), each with position switch LS1]

Safety Function: When the electrical or hydraulic pilot signal is removed the valve will trap pressure between
the check and the actuator suspending or stopping the hazardous motion.
A safety rated device indicates the position of the valve element in a de-energized state.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Solenoid pilot section of valve stuck in actuated position (if applicable).
Pilot seal failure – can lead to unexpected main spool movement (if applicable).
Pilot section manual actuator seal failure – can lead to unexpected main spool movement (if
applicable).
Valve element not actuating or de-actuating properly due to fluid contamination or internal
wear.
Broken components (spring and seals) within a valve element.
If an increase in response time is a consideration, then additional monitoring is required.
Stored energy may cause unexpected motion when released during service.
Leakage or improper sealing of components including downstream devices will cause motion.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to be mechanically biased to trap downstream fluid power.
When the valve element is in the energized position the safety device contacts must be direct
driven open.
To maintain a Category 2, the valve must be periodically tested and LS1 monitored by the
Safety-Related Parts of the Control System to ensure that the valve is functional.
Strict adherence to the proper conditioning of the fluid power source can increase the mean
time to dangerous failure.


6.5.4.4 Pilot Operated Check – Intermediate / High Risk Reduction (Category 3)


6.5.4.4.1 Intermediate / High Risk Reduction (Category 3)

[Figure: two independent PO check elements, external fluid pilot (left) and solenoid-operated with internal fluid pilot (right), with position switches LS1 and LS2]
Safety Function: When the electrical or hydraulic pilot signal is removed the valve will trap pressure
downstream of the outlet port.
The dynamic monitoring shall ensure both independent valve elements function
simultaneously. Slow or sticking valves may affect response time of the safety system.
This SIM can detect slow or sticking valves through monitoring LS1 and LS2.
Non-synchronous movement of the independent elements while actuating or de-actuating
shall result in a fault condition (diminished performance fault).
Provides feedback when a faulted condition exists. Fault status switch may also be
connected to a PLC input for status indication.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as
intended.
Failure of LS1 or LS2 devices.
Broken components (piston, poppet, spring) within a valve element.
Leakage or improper sealing of components including downstream devices will cause
motion.
Stored energy may cause unexpected motion when released during service.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to be mechanically biased to trap downstream fluid power.
When the valve elements are in the energized position the safety device contacts must
be direct driven open. Many manufacturers' current designs drive the contacts open
when de-energized; whether such a design is acceptable must be evaluated for the application.
The level of this configuration may be elevated to Category 4 with the proper monitoring
and reset control derived from the Safety-Related Parts of the Control System.


6.5.4.4.2 Monitored Pilot Operated Check with Spring Centered Three Position Exhaust Center (Category 3)

Safety Function: When the electrical or pneumatic pilot signal is removed the valve will trap pressure downstream of
the outlet port, while the directional valve blocks flow in and out of the hazardous motion device.
Slow or sticking valves may affect response time of the safety system.
LS1 provides feedback when a faulted condition exists. The fault status switch may also be connected to
a PLC input for status indication.
Faults to Consider: Failure of safety device LS1 to indicate valve element position.
Broken components (piston, poppet, spring) within a valve element.
Leakage or improper sealing of components including downstream devices will cause motion.
Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Spool sticking or spring failure in the spring centered directional valve may cause its failure to center
the spool, keeping supply and exhaust available to the hazardous motion device.
Stored energy may cause unexpected motion when released during service.
Fault Exclusion: None to consider.
Safety Principle: Well tried check valve designed to be mechanically biased to block downstream fluid flow.
Well tried device designed to contain and prevent interleaving of broken centering springs.
The spring centered valve does not have a monitoring function, nor does the continued function of the
machine indicate the ability of the valve to spring center and stop the motion. To maintain a high level
of performance, the ability of the directional valve to stop the motion by centering must be tested at
regular intervals.

The spring centered valve could be functionally tested on a regular basis by:
- Energizing a solenoid and immediately de-energizing it to center. Monitor actuator position to see
  whether it reaches its end stop or halts as expected. This must be done in both directions.
- With both solenoids de-energized, monitoring the pressure switches at both ports. This must be done after a
  move in each direction, and could be part of the normal machine cycle.
Some directional valves are offered with sensors which directly monitor the power spool position.
These may be used in an application where the dynamic performance of the spools must be
monitored to assure that the safe separation distance is maintained.
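As an added illustration, not part of the report, the two checks above written as a test sequence in Python against a constructed plant model. The cylinder model, its speed, the pulse and settle times and the creep limit are assumptions chosen for the example; a real implementation would read actuator position and the port pressure switches from the safety-related parts of the control system and would withhold the run permissive on any failed step.

```python
from dataclasses import dataclass


@dataclass
class SimulatedCylinder:
    """Constructed plant model (assumption, not a real machine): a double-acting cylinder
    behind a spring-centered, exhaust-center 4-way valve, constant speed, no load dynamics."""
    stroke_mm: float = 200.0
    speed_mm_per_ms: float = 0.5
    position_mm: float = 100.0
    spool: str = "center"              # "A" (extend), "B" (retract) or "center"
    fails_to_center: bool = False      # fault injection: sticking spool or broken centering spring

    def energize(self, solenoid: str) -> None:
        self.spool = solenoid

    def de_energize(self) -> None:
        if not self.fails_to_center:   # a healthy valve spring-centers on loss of command
            self.spool = "center"

    def advance(self, ms: float) -> None:
        direction = {"A": 1.0, "B": -1.0, "center": 0.0}[self.spool]
        new_pos = self.position_mm + direction * self.speed_mm_per_ms * ms
        self.position_mm = min(self.stroke_mm, max(0.0, new_pos))

    def pressure_switch(self, port: str) -> bool:
        """With an exhaust center only the port connected to supply shows pressure."""
        return self.spool == port

    def at_end_stop(self) -> bool:
        return self.position_mm <= 0.0 or self.position_mm >= self.stroke_mm


def pulse_test(plant: SimulatedCylinder, solenoid: str, pulse_ms: float = 40.0,
               settle_ms: float = 400.0, creep_limit_mm: float = 2.0) -> dict:
    """Check 1: energize briefly, de-energize, and confirm the actuator halts where it
    was released instead of running on to its end stop."""
    plant.energize(solenoid)
    plant.advance(pulse_ms)
    plant.de_energize()
    released_at = plant.position_mm
    plant.advance(settle_ms)
    run_on = abs(plant.position_mm - released_at)
    return {"solenoid": solenoid, "run_on_mm": run_on, "end_stop": plant.at_end_stop(),
            "ok": run_on <= creep_limit_mm and not plant.at_end_stop()}


def pressure_test(plant: SimulatedCylinder) -> dict:
    """Check 2: after a move, with both solenoids de-energized, neither port pressure
    switch may remain made."""
    plant.de_energize()
    a, b = plant.pressure_switch("A"), plant.pressure_switch("B")
    return {"port_A_pressurized": a, "port_B_pressurized": b, "ok": not (a or b)}


def functional_test(plant: SimulatedCylinder) -> dict:
    """Run both checks in both directions; any failed step withholds the run permissive."""
    steps = [pulse_test(plant, "A"), pressure_test(plant),
             pulse_test(plant, "B"), pressure_test(plant)]
    return {"steps": steps, "run_permissive": all(s["ok"] for s in steps)}


if __name__ == "__main__":
    print(functional_test(SimulatedCylinder()))
    print(functional_test(SimulatedCylinder(fails_to_center=True)))
```

The pulse itself moves the actuator, so the test must be scheduled at a point in the cycle where a run-on to the end stop cannot reach anyone; that is the same hazard the text describes when the valve fails to center.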


6.5.4.5 Highest Risk Reduction (Category 4)


6.5.4.5.1 Pilot Operated Check (Category 4)

[Figure: two independent PO check elements, external fluid pilot (left) and solenoid-operated with internal fluid pilot (right), with position switches LS1 and LS2 monitored by the Safety-Related Parts of the Control System]

Safety Function: When the electrical or hydraulic pilot signal is removed the valve will trap pressure downstream of
the outlet port.
The dynamic monitoring shall ensure both independent valve elements function simultaneously.
Slow or sticking valves may affect response time of the safety system. This SIM can detect slow or
sticking valves through monitoring LS1 and LS2.
Non-synchronous movement of the independent elements while actuating or de-actuating shall
result in a fault condition (diminished performance fault).
Provides feedback when a faulted condition exists. Fault status switch may also be connected to a
PLC input for status indication.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Failure of LS1 or LS2 devices.
Broken components (piston, poppet, spring) within a valve element.
Leakage or improper sealing of components including downstream devices will cause motion.
Stored energy may cause unexpected motion when released during service.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to be mechanically biased to trap downstream fluid power.
When the valve elements are in the energized position the safety device contacts must be direct
driven open. Many manufacturers' current designs drive the contacts open when de-energized.
Response and cycling of both valves is monitored in the Safety-Related Parts of the Control
System. Where the safety distance is impacted by the response time of the valves, dynamic
monitoring shall ensure both independent valve elements function simultaneously. Non-
synchronous movement of the independent elements while actuating or de-actuating shall result in
a fault condition (diminished performance fault).
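The dynamic monitoring described for the Category 3 and Category 4 pilot operated check (6.5.4.4.1 and 6.5.4.5.1), written out as an added Python example rather than code from the report. It assumes position switches LS1 and LS2 that read True while their element is in the de-energized, blocking position; the synchronisation window and response limit are illustrative values, not figures from the report, and in practice would come from the measured valve response and the safety distance calculation. The monitor latches a diminished-performance fault on non-synchronous movement, a fault when either element fails to reach its commanded position in time, a fault on movement without a command, and accepts a reset only with both elements proven in the blocking position.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DualValveMonitor:
    """Monitors two independent valve elements through position switches LS1/LS2."""
    sync_window_ms: int = 50        # assumed: larger LS1/LS2 skew = diminished performance fault
    response_limit_ms: int = 150    # assumed: both elements must confirm within this time
    faulted: bool = False
    fault_reason: Optional[str] = None
    outputs_enabled: bool = False   # True = hazardous motion permitted
    events: List[str] = field(default_factory=list)
    _cmd_t: Optional[int] = None
    _target_blocking: Optional[bool] = None
    _edges: Dict[str, int] = field(default_factory=dict)
    _confirmed: bool = False

    def _trip(self, t_ms: int, reason: str) -> None:
        self.faulted, self.fault_reason, self.outputs_enabled = True, reason, False
        self.events.append(f"{t_ms} ms: FAULT {reason}")

    def command(self, t_ms: int, energize: bool) -> None:
        """Energize (permit motion) or de-energize (block) both elements."""
        if self.faulted:
            self.events.append(f"{t_ms} ms: command ignored while faulted")
            return
        self._cmd_t, self._target_blocking = t_ms, not energize
        self._edges, self._confirmed = {}, False
        if not energize:
            self.outputs_enabled = False   # a stop command drops the enable at once

    def sample(self, t_ms: int, ls1_blocking: bool, ls2_blocking: bool) -> bool:
        """One scan of the switches; returns the current enable state."""
        if self.faulted or self._cmd_t is None:
            return self.outputs_enabled
        readings = {"LS1": ls1_blocking, "LS2": ls2_blocking}
        if self._confirmed:
            # Steady state: an element leaving its commanded position without a
            # command is unexpected movement (pilot seal failure, leakage, wear).
            for name, blocking in readings.items():
                if blocking != self._target_blocking:
                    self._trip(t_ms, f"{name} left commanded position without a command")
            return self.outputs_enabled
        for name, blocking in readings.items():
            if name not in self._edges and blocking == self._target_blocking:
                self._edges[name] = t_ms
        if len(self._edges) == 2:
            skew = abs(self._edges["LS1"] - self._edges["LS2"])
            if skew > self.sync_window_ms:
                self._trip(t_ms, f"non-synchronous movement, LS skew {skew} ms")
            elif max(self._edges.values()) - self._cmd_t > self.response_limit_ms:
                self._trip(t_ms, "slow response, both elements late")
            else:
                self._confirmed, self.outputs_enabled = True, not self._target_blocking
                self.events.append(f"{t_ms} ms: both elements confirmed, skew {skew} ms")
        elif t_ms - self._cmd_t > self.response_limit_ms:
            missing = "/".join(n for n in readings if n not in self._edges)
            self._trip(t_ms, f"{missing} did not reach commanded position within {self.response_limit_ms} ms")
        return self.outputs_enabled

    def reset(self, t_ms: int, ls1_blocking: bool, ls2_blocking: bool) -> bool:
        """Monitored reset: accepted only with both elements proven in the blocking position."""
        if not (ls1_blocking and ls2_blocking):
            self.events.append(f"{t_ms} ms: reset refused, elements not both blocking")
            return False
        self.faulted, self.fault_reason, self.outputs_enabled = False, None, False
        self._cmd_t, self._confirmed = None, False
        self.events.append(f"{t_ms} ms: reset accepted")
        return True


def run_scenarios() -> Dict[str, object]:
    """Constructed switch traces (not measured data): healthy cycle, a sticking
    element on a stop command, a refused and an accepted reset, and a skewed pair."""
    results: Dict[str, object] = {}
    m = DualValveMonitor()
    m.command(0, energize=True)
    m.sample(20, ls1_blocking=False, ls2_blocking=True)
    m.sample(40, ls1_blocking=False, ls2_blocking=False)
    results["healthy"] = (m.outputs_enabled, m.fault_reason)
    m.command(1000, energize=False)            # LS2 element never returns to blocking
    for t in (1030, 1100, 1200):
        m.sample(t, ls1_blocking=True, ls2_blocking=False)
    results["sticking"] = (m.outputs_enabled, m.fault_reason)
    results["reset_refused"] = m.reset(1300, ls1_blocking=True, ls2_blocking=False)
    results["reset_ok"] = m.reset(1400, ls1_blocking=True, ls2_blocking=True)
    m.command(2000, energize=True)             # LS edges 90 ms apart
    m.sample(2010, ls1_blocking=False, ls2_blocking=True)
    m.sample(2100, ls1_blocking=False, ls2_blocking=False)
    results["skew"] = (m.outputs_enabled, m.fault_reason)
    return results
```

The enable is never granted on the command alone; it is granted only when both switches have confirmed, which is the point of monitoring LS1 and LS2 rather than the solenoid signal.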


6.5.5 Counter Balance Valve


In addition to trapping the fluid in the actuator, the counter balance valve has a relief function that
will prevent pressure intensification and allow for braking. Since the pressure relief setting is adjustable, care
must be taken to ensure that the valve is set 300 PSI above the pressure required to suspend the load. Care must
also be taken to support or lower the load before releasing the trapped pressure. A means of relieving the
trapped pressure must be provided. Some counter balance valves are provided with a manual override.

Safety Function: When the electrical or hydraulic pilot signal is removed the valve will trap fluid in a portion of the
circuit.
Relief function that will prevent pressure intensification and allow for braking.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the motion to stop as intended.
Solenoid pilot section of valve stuck in actuated position (if applicable).
Pilot seal failure – Can lead to unexpected main spool movement (if applicable).
Pilot section manual actuator seal failure - Can lead to unexpected main spool movement (if
applicable).
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (spring and seals) within a valve element.
Stored energy may cause unexpected motion when released during service.
Leakage or improper sealing of components including downstream devices will cause motion.
Fault Exclusion: None to consider.
Safety Principle: Well tried device designed to be mechanically biased to trap downstream fluid power.

6.5.6 Rod Locks and Brakes


Rod locks or brakes apply a mechanical force to the side of the actuator rod to stop motion or hold position.
The designer must take care in selecting components that are rated by the manufacturer for their intended
application, i.e., dynamic stopping or static load holding. Not all brakes will do both. Consideration must
also be given to the design requirements of the brake: is it intended only to support the load under gravity, or
must it also be able to stop the load if the brake is engaged while the hydraulic motion valve is in a position
trying to power the actuator?

Safety Function: Stopping or holding of actuator mid-stroke with motion valve centered or exhausted.
Faults to Consider: Failure of rod lock or brake to hold or stop the load.
Separation between the rod and tooling. Pressurization of the cylinder prior to releasing the
brake will preload and launch the actuator rapidly.
Lock or brake wear will negatively impact the actuator stopping distance or load holding
performance and should be considered during the risk assessment. Periodic testing may be
required.
Fault Exclusion: None to consider.
Safety Principle: An upstream exhaust valve removes the pressure supply to the brake, so that a failure of the
brake command valve cannot keep the brake supplied.
The brake command valve is primarily used to remove pneumatic or hydraulic supply timing issues.
See also individual valve for failures and safeguards.
Position of lock cylinder may be monitored or drift may be detected in the Safety-Related Parts of
the Control System.
If safeguarding is dependent on tooling stopping time, then performance of the rod lock may need
to be monitored.


6.5.7 Flow Controls


Flow controls are used to control the actuator speed. They can be used to limit the flow into a port causing
the actuator to build pressure and move at a limited rate. The flow control can also be used to limit the flow
out of an actuator.

Meter-in flow controls can be used to prevent intensification on the rod end of the cylinder but will not quickly
stop an over-running load. Meter-out flow controls should be used where braking is required and
intensification is not an issue.

Safety Function: Controls actuator speed within application design parameters minimizing tooling and component
damage. Controls flow into the cylinder reducing the rapid acceleration that occurs with meter-out
flow controls after the downstream air has been exhausted.
Faults to Consider: Operator adjustment.
Contamination will change actuator speed, influencing stop distance formulas and placement of
safeguarding devices.
Check may get stuck open due to contamination resulting in an increase in actuator speed.
Fault Exclusion: None to consider.
Safety Principle: Good engineering practice and/or well tried devices.

6.5.8 Velocity Fuse


A velocity fuse is a device that will automatically react to the sudden loss of pressure that occurs when a
downstream hose or fitting is disconnected or broken. The sudden loss of pressure will result in unsecured
hoses whipping or in a sudden drop of a vertical load, potentially causing injuries or damage.

The device must be installed on the supply side of the hose to prevent the whipping action from occurring, or
directly at the cylinder port on vertical applications. When used on vertical loads to prevent rapid lowering
during a conductor failure, the device must be installed directly into the actuator port.

Safety Function: Shuts off or reduces the flow to a flexible conductor during a failure.
Prevents a vertical load from dropping on a conductor failure.
Faults to Consider: Pilot or main spool can stick in any position causing a failure of the flow to stop as intended.
Valve element not actuating or de-actuating properly due to fluid contamination or internal wear.
Broken components (spring and seals) within a valve element.
These devices will typically reset automatically.
Fault Exclusion: None to consider.
Safety Principle: Well-tried device designed to be mechanically biased to restrict or block fluid power supply when
the downstream demand exceeds the device setting.


ANNEX A – Analysis of circuit considerations


For additional examples of consideration, refer to ANSI B11.TR4.

Component / equipment failures


The component / equipment failures to be addressed in the design of the System Isolation Equipment
include but are not limited to:
1) Power contactor failures:
a) Power contact(s) broken or welded, won't open;
b) Aux contact won't change state due to mechanical link failure;
c) Aux contact(s) welded;
d) Aux contact(s) not making circuit due to corrosion or other foreign material.
2) Connection from monitored circuits to voltage check component (e.g., relays) failures:
a) One wire open;
b) Multiple wires open.
3) Voltage check (e.g., relays) failures:
a) Open coil;
b) Contact won't change state due to mechanical link failure;
c) Contact(s) welded;
d) Contact(s) not making circuit due to corrosion or other foreign material.
4) Component failure:
a) Example failures to consider:
i) Open coil;
ii) Other internal failure of the respective component.
b) Contact failures:
i) Circuits to switch shorted;
ii) Circuits to switch open;
iii) N.O. contacts will not open;
iv) N.O. contacts will not close;
v) N.C. contacts will not open;
vi) N.C. contacts will not close;
vii) Contacts won't change state due to mechanical link failure;
viii) N.C. aux contact will not open;
ix) N.C. aux contact will not close.
c) Verification light at disconnect station failures:
i) Light burn out.

The results for each failure event to be addressed in the design of the SYSTEM ISOLATION EQUIPMENT
include but are not limited to:
1) Effect on Verification Light;
2) Detection of the failure;
3) Overall design of the System Isolation Equipment such that any failure will not diminish the
required Category 4 safety performance.

Failure analysis techniques


The failure analysis techniques that can be used include but are not limited to:
1) Failure mode and effects analysis (FMEA for hardware and FMECA for the consequences – see
Note below) as appropriate to:
a) Evaluation of the effects and the sequences of events caused by each identified failure;
b) Determination of the significance or criticality of each failure to the system's correct function
or performance;
c) Classification of identified failures according to their detectability and any other relevant
characteristic;
d) Estimate the significance and probability of failure.
Note: The Failure Modes and Effects Analysis (FMEA) and Failure Modes, Effects and Criticality Analysis
(FMECA) are methods of reliability analysis intended to identify failures that have significant consequences
affecting the system performance in the application considered. For more information about FMEA
methodology see IEC 60812 "Analysis Techniques for System Reliability - Procedure for Failure Mode and
Effects Analysis (FMEA)"
2) Fault tree analysis (FTA) as appropriate to:
a) Identification of the causes or combinations of causes leading to the hazard;
b) Determination of whether a particular reliability measure meets a stated requirement;
c) Demonstration that assumptions made in other analyses, regarding the independence of
systems and non-relevance of failures, are not violated;
d) Identification of common events or common cause failures.

Note: The fault tree is particularly suited to the analysis of complex systems comprising several
functionally related or dependent subsystems with different performance objectives. The fault tree
itself is an organized graphical representation of the conditions or other factors causing or
contributing to the occurrence of a defined undesirable event, referred to as the "top event." Fault
tree analysis is basically a deductive (top-down) method of analysis aimed at pinpointing the causes
or combinations of causes that can lead to the defined top event. For more information about FTA
methodology see IEC 61025 "Fault Tree Analysis (FTA)."
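An added example, not from the report, of the fault tree method applied to the kind of dual-channel circuit analysed later in this annex: a small evaluator that expands AND/OR gates into minimal cut sets and sums a rare-event upper bound on the top event. The tree follows the two-fault paths named in the example fault analysis (a masked short across one interlock contact followed by a short across the other; a short between FGR1 and FGR2 followed by a short from power to output 2). The common-cause harness event, the event names and all probabilities are constructed for illustration and are not figures from the report.

```python
from itertools import product
from math import prod
from typing import Dict, FrozenSet, List, Set

CutSets = Set[FrozenSet[str]]


class Event:
    """Basic event (leaf) of the fault tree."""
    def __init__(self, name: str) -> None:
        self.name = name

    def cut_sets(self) -> CutSets:
        return {frozenset([self.name])}


class Gate:
    """AND or OR gate over events and other gates."""
    def __init__(self, kind: str, *inputs) -> None:
        if kind not in ("AND", "OR"):
            raise ValueError(kind)
        self.kind, self.inputs = kind, inputs

    def cut_sets(self) -> CutSets:
        child = [i.cut_sets() for i in self.inputs]
        if self.kind == "OR":                       # any one input causes the output
            sets = set().union(*child)
        else:                                       # every input is needed: combine one cut set from each
            sets = {frozenset().union(*combo) for combo in product(*child)}
        return minimal(sets)


def minimal(sets: CutSets) -> CutSets:
    """Keep only cut sets that contain no other cut set (the minimal cut sets)."""
    return {s for s in sets if not any(o < s for o in sets)}


def rare_event_bound(cut_sets: CutSets, p: Dict[str, float]) -> float:
    """Upper bound on the top-event probability: sum over cut sets of the product of their events."""
    return sum(prod(p[e] for e in cs) for cs in cut_sets)


def build_loss_of_safety_function_tree() -> Gate:
    """Top event: hazardous motion can be energized with an interlock open."""
    ccf = Event("CCF_harness_crush")     # constructed: one mechanical cause shorting both interlock contacts
    contact1 = Gate("OR", Event("F2a_short_interlock1_contact"), ccf)
    contact2 = Gate("OR", Event("F2b_short_interlock2_contact"), ccf)
    interlock_path = Gate("AND", contact1, contact2)       # fault 2 masked, then the second contact
    relay_path = Gate("AND", Event("F8_short_FGR1_to_FGR2"),
                      Event("F7_short_power_to_output2"))   # fault 8, then fault 7
    return Gate("OR", interlock_path, relay_path)


def analyze() -> Dict[str, object]:
    """Constructed per-event probabilities (illustrative assumptions, not field data)."""
    p = {"F2a_short_interlock1_contact": 1e-3, "F2b_short_interlock2_contact": 1e-3,
         "CCF_harness_crush": 1e-5, "F8_short_FGR1_to_FGR2": 1e-3,
         "F7_short_power_to_output2": 1e-3}
    cuts = build_loss_of_safety_function_tree().cut_sets()
    ordered: List[List[str]] = [sorted(cs) for cs in sorted(cuts, key=lambda cs: (len(cs), sorted(cs)))]
    return {"minimal_cut_sets": ordered,
            "single_point_failures": [cs for cs in ordered if len(cs) == 1],
            "top_event_probability_bound": rare_event_bound(cuts, p)}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

Even with the common-cause event a hundred times less likely than either contact short, it appears as a cut set of order one and dominates the bound; that is item (d) above, identification of common cause failures, made visible by the expansion.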

System or component failures


System or component failures to be considered and managed include, but are not limited to:
1) Safeguarding devices and other inputs:
a) Failure of the output devices;
b) Failure to detect the safeguarded individual(s);
c) EMC interference;
d) Improper response time;
e) Power source failure.
2) Interfaces:
a) Failure to respond due to short or open;
b) Indeterminate response;
c) Failure to perform its safety-related function(s).
3) Control elements of the machine actuators:
a) Failure to turn off / release / stop;
b) Indeterminate output.
4) Failure of the PED:
a) Input:
i) No response to input signal;
ii) Indeterminate response.
b) Output:
i) Output stays on or off;
ii) Indeterminate output.
c) Memory:
i) Loss or corruption;
ii) Bit failure;
iii) Not easily alterable;
iv) Security procedure;
v) Address or data gate failures.
d) Internal communications links and busses:
i) Loss of connection;
ii) I / O failures;
iii) Response time;
iv) Data corruption.
e) Central Processing Unit:
i) Improper response to commands;
ii) I / O failures;
iii) Response time.
f) Environmental considerations. The following environmental conditions can cause faults to
occur in those items described above (5.3.4 A through E):
i) EMC (EMI, RFI, ESD), burst, fast transient, conductive induced, surge;
ii) EMC emissions, RF, line conducted, EMI;
iii) Temperature / humidity;
iv) Pollution, dust, water, oil, corrosives;
v) Shock / vibration.
g) Input power (variations and interruptions):
i) See ANSI / NFPA 79 for additional information.

Example of System Fault Analysis


Figure N below shows a schematic of a common dual channel safety system using a safety interface module
(SIM). Two dual channel interlocks are connected in series to the input of the SIM. The SIM turns on two
Force-guided Relays, which in turn, energize the hazardous portion of the machine.

A basic understanding of the SIM is required to help with the fault analysis. The figure shows the basic parts
of a typical SIM. Power enters the SIM and goes through a Short Circuit Protection (SCP) device. The
power is "conditioned" and fed to the other internal parts of the SIM. The power exits the SIM to go to one of
the contacts of the interlock. After passing through the interlocks the power is connected to a Force-guided
Relay driving Channel 1. Channel 1 is pulled-up to power. The SIM power is connected to the Force-guided
Relay driving Channel 2. The negative side of Channel 2 goes out to the interlock. After passing through the
interlocks, the signal goes back into the SIM and connects Channel 2 to ground. Channel 2 is pulled down to
ground. There are other techniques used by SIMs; this figure is intended to show the principles of fault
detection. The following example shows wiring short circuit faults. Other faults (such as open circuit,
mechanical, component) must also be considered to complete the analysis.

The safety system designer must answer these questions about potential faults:
1. Can the fault be detected?
2. When can the fault be detected?
3. How does the system react to the fault?
4. Can the fault be masked or reset?
5. If the fault cannot be detected, how does the system respond if an additional fault occurs?
6. Can alternative measures be employed or can fault exclusion be justified?

Fault analysis:
1. Fault from power to CH1.
a. This fault is detected by the SIM.
b. When the interlock is open, the SIM de-energizes the hazardous portion of the machine.
When the interlock is closed, the fault is detected by the SIM.
c. The SIM prevents energization of the hazardous portion of the machine.
d. This fault cannot be masked by opening and closing the interlocks. The fault can be reset by
cycling power to the SIM.
2. Fault across one of the interlock contacts.
a. This fault is detected by the SIM.
b. When the interlock is open, the SIM de-energizes the hazardous portion of the machine.
When the interlock is closed, the fault is detected by the SIM.
c. The SIM prevents energization of the hazardous portion of the machine.
d. This fault can be masked by opening and closing the other interlock. The fault can be reset
by cycling power to the SIM.
e. If masked or reset, a second fault across the other interlock contact leads to the loss of the
safety function.
3. Fault across CH1 at the SIM terminals
a. Same as Fault 1.
4. Fault across CH1 at the SIM terminals
a. The results are similar to Faults 1 and 3.
5. Fault from CH1 to CH2 at the SIM
a. This fault is detected by the SIM.
b. This fault is detected immediately by the SCP of the SIM.
c. The outputs of the SIM de-energize and remove power to the hazardous portion of the
machine.
d. This fault cannot be masked or reset.
6. Short from CH2 to ground.
a. This fault is detected by the SIM.
b. When one of the interlocks is opened, the SIM de-energizes the hazardous portion of the
machine. When the interlock is closed, the fault is detected by the SIM.
c. The SIM prevents energization of the hazardous portion of the machine.
d. This fault cannot be masked by opening and closing the interlocks. The fault can be reset by
cycling power to the SIM.
7. Short from Power to Output 2 of the SIM.
a. This fault is detected by the SIM.
b. When one of the interlocks is opened, the SIM de-energizes the hazardous portion of the
machine by turning off FGR1. When the interlock is closed, the fault is detected by the reset
circuit of the SIM.
c. The SIM prevents re-energization of the hazardous portion of the machine.
d. This fault cannot be masked by opening and closing the interlocks. The fault can be reset by
cycling power to the SIM.
8. Short circuit from FGR1 to FGR2.
a. This fault cannot be detected by the SIM. This fault must be considered for exclusion.
b. A second fault, fault #7 will lead to the loss of the safety function.
9. Short across one of the FGR1 feedback contacts.
a. This fault cannot be detected by the SIM. This fault must be considered for exclusion.
10. Short across the reset connections of the SIM.
a. If the SIM is designed or configured for automatic reset, this fault can only be detected by
observation of the machine user. The safety system will be reset as soon as the interlocks
are closed. This fault is not detected by the SIM. If the SIM is designed or configured for
monitored reset, this fault will be detected by the SIM.
b. If the reset is monitored, the SIM will not re-energize its outputs.
11. Fault across one of the output contacts of the FGR1.
a. This fault cannot be detected by the safety system. This fault must be considered for
exclusion.
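The short-circuit analysis above, re-run as an added Python model that is not the report's own: the wiring of Figure N is reduced to a high-side CH1 path sourced from SIM power and a low-side CH2 return to SIM ground, both through two series interlocks; faults are injected by name, and a simplified SIM trips its SCP on a power-to-ground short, latches any CH1/CH2 disagreement, and enables its outputs only with both channels closed and no latched fault. The fault names and the cycle steps are constructed for the example. The model flags a discrepancy as soon as the channels disagree; the exact moment a real SIM reports the fault depends on its internal technique, as the text notes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Wiring:
    """Two dual-channel interlocks in series. interlock_open[i] is True while interlock
    i+1 is held open; faults are injected by name (constructed names, see the text)."""
    interlock_open: List[bool] = field(default_factory=lambda: [False, False])
    faults: Set[str] = field(default_factory=set)

    def _path_closed(self, channel: int) -> bool:
        """A channel path is closed when every contact is closed or bridged by a short."""
        for i, is_open in enumerate(self.interlock_open):
            if is_open and f"short_across_interlock{i + 1}_ch{channel}" not in self.faults:
                return False
        return True

    def ch1_reads_power(self) -> bool:
        return "short_CH1_to_power" in self.faults or self._path_closed(1)   # fault 1

    def ch2_reads_ground(self) -> bool:
        return "short_CH2_to_ground" in self.faults or self._path_closed(2)  # fault 6

    def power_to_ground(self) -> bool:
        return "short_CH1_to_CH2" in self.faults                              # fault 5


@dataclass
class SafetyInterfaceModule:
    """Simplified SIM: SCP trip on power-to-ground, latched channel discrepancy,
    outputs on only with both channels closed and nothing latched."""
    outputs_on: bool = False
    latched_fault: str = ""

    def scan(self, w: Wiring) -> bool:
        if w.power_to_ground():
            self.latched_fault = "SCP tripped: power shorted to ground"
        if self.latched_fault:
            self.outputs_on = False
            return False
        ch1, ch2 = w.ch1_reads_power(), w.ch2_reads_ground()
        if ch1 != ch2:
            self.latched_fault = (f"channel discrepancy: CH1 {'closed' if ch1 else 'open'}, "
                                  f"CH2 {'closed' if ch2 else 'open'}")
            self.outputs_on = False
        else:
            self.outputs_on = ch1 and ch2
        return self.outputs_on

    def power_cycle(self) -> None:
        """Clears latched state; a short that is still present is re-detected on the next scan."""
        self.latched_fault, self.outputs_on = "", False


def exercise(faults: Set[str], cycle: List[Tuple[int, bool]]) -> Dict[str, object]:
    """Inject faults, step interlocks open/closed, and report when the SIM detected the
    fault, whether outputs were ever on with an interlock open, and whether a power
    cycle with all interlocks closed lets the machine run again."""
    w, sim = Wiring(faults=set(faults)), SafetyInterfaceModule()
    sim.scan(w)                                  # all interlocks closed, machine running
    detected_at = 0 if sim.latched_fault else None
    unsafe = False
    for step, (index, is_open) in enumerate(cycle, 1):
        w.interlock_open[index] = is_open
        on = sim.scan(w)
        if sim.latched_fault and detected_at is None:
            detected_at = step
        unsafe = unsafe or (on and any(w.interlock_open))
    fault = sim.latched_fault
    w.interlock_open = [False, False]
    sim.power_cycle()
    return {"detected_at_step": detected_at, "fault": fault,
            "unsafe_energization": unsafe, "runs_after_power_cycle": sim.scan(w)}


def run_analysis() -> Dict[str, Dict[str, object]]:
    open_close_1 = [(0, True), (0, False)]       # open, then close, interlock 1
    open_close_2 = [(1, True), (1, False)]       # open, then close, interlock 2
    return {
        "no_fault": exercise(set(), open_close_1),
        "fault1_power_to_CH1": exercise({"short_CH1_to_power"}, open_close_1),
        "fault2_interlock1_cycled": exercise({"short_across_interlock1_ch1"}, open_close_1),
        "fault2_masked_by_interlock2": exercise({"short_across_interlock1_ch1"}, open_close_2),
        "fault2_plus_second_contact_fault": exercise(
            {"short_across_interlock1_ch1", "short_across_interlock1_ch2"}, [(0, True)]),
        "fault5_CH1_to_CH2": exercise({"short_CH1_to_CH2"}, open_close_1),
        "fault6_CH2_to_ground": exercise({"short_CH2_to_ground"}, open_close_1),
    }
```

The masked case is the important one: with only interlock 2 cycled, the short across interlock 1's CH1 contact never produces a channel disagreement, the machine keeps running, and a second short across the CH2 contact of the same interlock then leaves the outputs on with interlock 1 open, which is the loss of the safety function described in item 2.e.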


Figure N

ANNEX L – Safety-Related Performance Levels


Safety-related performance levels are used to define the degree of certainty that a safety function will be
performed when needed. This factor is specified using different terminology in the various machine safety
standards, but they all give a similar result. In machine control systems, the performance level required to
achieve a desired reduction of risk is generally defined in one of two ways: by specifying the probability that a
safety function will fail, or by specifying the control system architecture and diagnostic requirements.
Note: The following explanation is a simplified overview and is not intended as a precise definition of
performance levels.

1. Specifying the theoretical probability that a safety function will fail –


The possibility that a safety function will fail to be performed is defined in terms of failures per hour of
continuous operation. The probability of a dangerous failure is determined by analysis. The band into which
this probability falls is referred to as a Safety Integrity Level (SIL). Various worst-case assumptions must be
made when determining these factors. Calculating the SIL of a given control system design depends on the
accuracy of these assumptions as well as many engineering estimates (guesses). Consequently, a given SIL is
not precise and can vary by an order of magnitude. This method of defining safety performance is particularly
useful for complex control systems (e.g., software based, programmable) where the failure modes cannot be
precisely determined.

From Table 3 (Table L.1 of TR6) of IEC 61508-1, "Safety integrity levels: target failure measures for a
safety function, allocated to an E/E/PE safety-related system operating in high demand or continuous mode
of operation":

Table L.1
Safety integrity level | High demand or continuous mode of operation (Probability of a dangerous failure per hour)
4 | ≥ 10^-9 to < 10^-8
3 | ≥ 10^-8 to < 10^-7
2 | ≥ 10^-7 to < 10^-6
1 | ≥ 10^-6 to < 10^-5

SIL 1 means that a dangerous failure can occur once every 11 to 114 years of continuous operation.
SIL 2 means that a dangerous failure can occur once every 115 to 1,141 years of continuous operation.
SIL 3 means that a dangerous failure can occur once every 1,142 to 11,410 years of continuous operation.
Note: SIL 4 is defined but is needlessly high for machine safety applications and is not considered
economically practical.

The analysis and calculation of the SIL of a given control system is extremely complex and is not intended to
be performed by design engineers or machine builders. However, experts do provide help for designers by
publishing recommended techniques and system architectures that can be used to achieve a desired SIL
level.

2. Prescribing the use of well-tried control architectures and design techniques


The equipment that performs the safety function is designed in accordance with a prescribed architecture
and incorporates well-tried diagnostic methods to detect and respond to random failures. The thoroughness
of the built-in diagnostics and the ability to perform the safety function in the event of a failure determine the
performance level. By performing a thorough FMEA, the effectiveness of this method can be verified fairly
accurately. This method of defining safety performance is most useful for control systems of low complexity
(e.g., not software based).

The performance levels that are specified in the different standards documents can be anything from vague
architectural requirements (dual channel with cross monitoring) to specifying required behaviors in the
presence of random hardware failures (faults shall be detected within the stated response time). In most
cases, the recommended architectures and specified diagnostic techniques have been analyzed by experts
to determine their relative risk reduction performance levels. While this method of describing performance
levels is easy to understand, in many cases the requirements are vague and subject to widely different
interpretations. How these performance levels correspond to various risk reduction requirements is
described in the tables of the different standards. A brief summary of these tables and correlations is shown
in the following two charts.

Table L.2 – Safety Performance Comparison Based on Circuit Architecture and Diagnostic Function

SECTION A (ANSI B11.TR3) | SECTION B (CSA Z434-04)
ANSI B11.TR3 Risk Level | System Architecture (ANSI B11.TR3) | Circuit Performance (RIA 15.06 / CSA Z434-04) | RIA / CSA Index | European Category (ISO 13849-1:1999)
High | Redundancy with continuous self-checking | Control Reliable | R1 | Category 3 & 4
 | | Control Reliable | R2A | Category 3 & 4
Medium | Redundancy with self-checking upon startup | No Equivalent | N/A | N/A
Low | Redundancy that may be manually checked | No Equivalent | N/A | N/A
N/A | No Equivalent | Single channel with monitoring | R2B | Category 2
Negligible | Single channel | Single channel | R2C | Category 1
 | | Single channel | R3A | Category 1
N/A | No Equivalent | Simple | R3B | Category B
 | | Simple | R4 | Category B

There is no intent to imply that circuit performance classifications are equivalent to RIA, CSA or ISO
machinery safety categories.

NOTES:
Section A is from ANSI B11.TR3 performance requirements (now contained in ANSI B11.0-2010)
Section B is from CSA Z434 Clause 8.4 (Safety Categories, ISO 13849-1 included for reference)
Sections A & B are compared based on system performance language


Table L.3 – Safety Performance Comparison Based on Safeguard Language

SECTION A (ANSI B11.TR3) | SECTION B (CSA Z434-04)
ANSI B11.TR3 Risk Level | Safeguard Performance (ANSI B11.TR3) | Safeguard Performance (RIA 15.06 / CSA 434-04) | RIA 15.06 / CSA 434-04 Index | Safety Category (ISO 13849-1)
N/A | No Equivalent | Hazard elimination or hazard substitution | R1 | Category 3 & 4
High | Barrier guard or protective device preventing intentional exposure of any part of the body to the hazard, and secured with special fasteners or a lock. If moveable, such a barrier should be interlocked using system control criteria as defined in this paragraph. | Engineering controls preventing access to the hazard, or stopping the hazard, e.g., interlocked barrier guards, light curtains, safety mats, or other presence sensing devices | R2A | Category 3 & 4
 | | | R2B | Category 2
Medium | Barrier guard or protective device preventing unexpected exposure of any part of the body to the hazard, and not removable or adjustable by unauthorized persons. If moveable, such a barrier should be interlocked using system control criteria as defined in this paragraph. Physical devices that do not require adjustment for use or other operator intervention. | | R2C | Category 1
Low | Barrier guard or protective device providing simple guarding against inadvertent exposure to the hazard. Examples are a fixed screen, chuck guard, or moveable barrier with simple interlocking using system control criteria as defined in this paragraph. Physical devices that require adjustment for use. | Non-interlocked barrier, clearance, procedures and equipment | R3A | Category 1
 | | | R3B | Category B
Negligible | Physical barrier providing tactile or visual awareness of the hazard, or minimal protection against inadvertent exposure. Examples are post and rope, swing-away shield, or movable screen. | Awareness means | R4 | Category B

There is no intent to imply that circuit performance classifications are equivalent to RIA, CSA or ISO
machinery safety categories.

NOTES:
Section A is from ANSI B11.TR3 performance requirements (now contained in ANSI B11-2010)
Section B is from CSA Z434 Clause 8.4 (Safety Categories, ISO 13849-1 included for reference)
Sections A & B are compared based on system performance language.

Table L.4 below is intended to provide a practical comparison of ANSI B11.TR6 degrees of risk reduction
with levels of performance found in various other documents used to achieve those degrees of risk reduction.
This table is merely a practical tool with which to provide real-world guidance in comparing disparate source
material.

IMPORTANT: The level of risk reduction in Column 1 is only intended to relate to any one of the individual
columns (2 through 5) that follow it. While there are similarities between columns 2 through 5, an exact one-
to-one comparison is virtually impossible. Where protective measures depend on configurable devices, the
reliability of these devices and the system should be appropriate for the level of risk.


Table L.4: Approximate Relationships between Levels of B11.TR6 Risk Reduction & Performance

Column 1: Risk Reduction – ANSI B11.TR6 (ISO 13849-1) | Column 2: System Architecture – ANSI B11.TR3 | Column 3: Robotics Industry (RIA R15.06 / CSA Z434) | Column 4: CATEGORY (ISO 13849-1) | Column 5: Performance Level – SIL (IEC 61508)
Highest: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that a single fault in any of these parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function. | Highest: Redundancy w/ continuous self-checking (e.g., Dual channel w/ continuous monitoring) | R1 / R2A (Control reliable) | 4 | 3
Intermediate / High: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that a single fault in any of these parts does not lead to the loss of the safety function, and whenever reasonably practicable, the single fault is detected. | Intermediate / High: Redundancy w/ self-checking upon start-up (e.g., Dual channel w/ monitoring at cycle/start-up) | R2A / R2B (Control reliable / Single channel with monitoring) | 3 | 3 to 2
Low / Intermediate: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system. | Low / Intermediate: Redundancy that may be manually checked (e.g., Dual channel w/ optional manual monitoring) | R2B / R2C (Single channel with monitoring / Single channel) | 2 | 2 to 1
Lowest: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | Lowest: Single channel | R3A (Single channel) | 1 | 0
B: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used. | | R3B / R4 (Simple) | B | 

Table L.5 below summarizes the expected performance and fault tolerance for safety circuits. It is not
intended to provide design requirements or recommendations of when a particular level of performance is
required. The reader must refer to the requirements of control reliability in the various source documents
(OSHA 29 CFR 1910.217, ANSI B11 'base' safety standard, and ANSI/RIA R15.06) and Category B, 1, 2, 3
and 4 (ISO 13849-1) for complete information.


Table L.5: Summary of Requirements of Safety Circuit Performance

OSHA (29 CFR 1910.217) & ANSI B11 | ANSI/RIA R15.06 | ISO 13849-1 (EN954-1) | Interpretation of Circuit Requirements
n.a. | Simple | Category B | Control as per basic specifications.
n.a. | Single Channel | Category 1 | Use of well-tried and tested components and principles.
n.a. | Single Channel w/Monitoring | Category 2 | Safety function shall be tested/checked at suitable intervals (frequency determined according to application). Single fault may cause the loss of the safety function.
Control Reliable (1) | Control Reliable (2) | Category 3 | A single fault must not cause the loss of the safety function. The fault should be detected whenever reasonably practicable. An accumulation of faults may cause the loss of the safety function.
(same) | (same) | Category 4 | A single fault must not cause the loss of the safety function. The fault shall be detected at or before the next demand of the safety function. An accumulation of faults must not cause the loss of the safety function.

(1) The ANSI B11 series of machine tool safety standards include a note within an explanatory annex stating
that control reliability for machine tools is not directly comparable to the requirements of ISO 13849-1 and
exceeds a Category 2.
(2) ANSI/RIA R15.06 (clause 4.5) includes a note that states that the ISO 13849-1 Categories are different
from the performance criteria within R15.06, and exceed Categories B, 1, 2, and 3. Control reliability for
robots typically exceeds a Category 3, but is not necessarily intended to be a Category 4. Circuits that are
"dual channel with monitoring" and safeguarding devices with dual safety outputs that are certified for
Category 3 usage, such as safety mats and area scanners, are generally accepted for use in robot
applications that require Control Reliable safety performance, as defined in that standard.


ANNEX M - External Device Monitoring by the Safety-Related Function


External Device Monitoring
Depending on the level of risk, it may be critical to verify the normal functioning of control elements (such as
Force-guided Relays) between the safety-related function and the machine actuators. A common method of
accomplishing this is a monitoring feedback function, which is typically called External Device Monitoring
(EDM).

For this monitoring to be reliable, the system must include a normally closed feedback contact that can
accurately reflect the status of the control elements. For proper monitoring, the control element typically
must have a mechanically linked design (see EN 50205). This ensures that the normally open contacts
used for controlling hazardous motion have a positive relationship with the normally closed monitoring
contacts.

In a Force-guided Relay, the mechanically linked design assures that if the normally open contact welds
closed (or otherwise loses its ability to control hazardous motion), the monitor contact will not return to a
closed state when the relay coil de-energizes. This open monitor contact signals a fault to the External
Device Monitoring function. This is not always the case with standard "ice cube" or IEC-style relays;
because they cannot detect a welded contact, they should not be used in a high risk safety circuit.

Relay coil state | Monitoring Contact | Safety Contact
Energized | Open | Closed
De-energized | Closed | Open

In a redundant circuit, when the fault is detected (immediately or at the next demand on the safety system),
the second output channel opens to signal the stop command and the reset function is prevented.
The External Device Monitor function can take several forms, but is typically described as "Single-Channel",
"Dual-Channel," or "Power-Monitoring." The following general descriptions are generic and are not intended
to be all encompassing and are only intended to highlight the common concepts of the External Device
Monitoring function.

Single-Channel Monitoring
Single-channel monitoring is a common method in which normally closed contacts from each control element
are fed back to the safety-related function (e.g., Safety Interface Module) monitoring input in a series
connection. The input must be closed before run cycle can begin and must re-close after each stop
command before another run cycle can begin.

With more sophisticated systems, the timing may be checked to verify that not only does the monitor input
close, but that it switches within a specified period of time before another run cycle can begin. This is to
detect slowing or sticking control elements that may increase response time, which may affect the safe
positioning (safety distance) of some safeguards.

Single channel monitoring is typically accomplished where the safety-related function supplies a return path
for current flow (left figure), where the signal is generated by the supply voltage (center figure), or where both
the manual reset and external device monitoring are combined into one input (right figure).

[Figure: three single-channel EDM feedback arrangements, each drawn between +V and -V with the normally closed monitor contacts of FGR 1 and FGR 2 in series; left: the safety-related function supplies the return path; center: the signal is generated by the supply voltage; right: manual reset and external device monitoring combined in one input]

Dual-Channel Monitoring
In redundant systems, Dual-channel monitoring verifies the operation of each control element separately.
The monitoring function is similar to single channel monitoring such that the input must be closed before run
cycle can begin and must re-close after each stop command before another run cycle can begin.

One difference is that a fault condition is generated if the two inputs are ever in different states (i.e., one
open and one closed). This gives Dual-channel monitoring the ability to detect faults that Single-channel
monitoring cannot (e.g., a short across a monitoring contact). Depending on the sophistication of the
system, diagnostics can also identify which specific element has slowed (by checking timing) or has
completely failed.

Dual-channel monitoring is typically accomplished where the safety-related function supplies a return path for
current flow (left figure), or where the signal is generated by the supply voltage (right figure).
[Figure: two dual-channel EDM feedback arrangements, each drawn between +V and -V with the monitor contacts of FGR 1 and FGR 2 fed back on separate inputs; left: the safety-related function supplies the return path; right: the signal is generated by the supply voltage]
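The single-channel and dual-channel monitoring behaviour described above, simulated as an added example (not code from ANSI B11.TR6 or from any safety interface module product): two constructed force-guided relays FGR1 and FGR2 carry constructed fault flags (welded safety contact, wire short across a monitor contact, slow drop-out) and are run through a series feedback check, a per-channel feedback check, and an energised-state discrepancy check, so the reader can see which faults each method detects and which it masks.

```python
"""Simulation of External Device Monitoring (EDM) on two force-guided relays.

Added example, not code from ANSI B11.TR6: the relay model, the fault flags
and the tick counts are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class ForceGuidedRelay:
    name: str
    energized: bool = False
    welded_no: bool = False        # constructed fault: NO safety contact welded closed
    shorted_monitor: bool = False  # constructed fault: wire short bridging the NC monitor contact
    dropout_ticks: int = 1         # ticks the NC contact needs to re-close (large = sticking)
    _since_dropout: int = 0

    def set_coil(self, energized: bool) -> None:
        self.energized = energized
        self._since_dropout = 0

    def tick(self) -> None:
        if not self.energized:
            self._since_dropout += 1

    @property
    def monitor_input(self) -> bool:
        """State the EDM input sees on this relay's NC contact (True = closed)."""
        if self.shorted_monitor:
            return True
        # EN 50205 force-guidance: the NC contact cannot close while the NO contact is
        # closed, so a welded safety contact keeps the monitor contact open after de-energising.
        if self.energized or self.welded_no:
            return False
        return self._since_dropout >= self.dropout_ticks


def single_channel_check(relays, max_ticks):
    """Series-connected NC contacts: one input that must close within max_ticks of a stop."""
    for r in relays:
        r.set_coil(False)
    for _ in range(max_ticks):
        for r in relays:
            r.tick()
        if all(r.monitor_input for r in relays):  # series: closed only when every contact is closed
            return "RUN_PERMITTED"
    return "FAULT: feedback input did not close within the transition time"


def dual_channel_check(relays, max_ticks):
    """One input per relay: all must close within max_ticks; diagnostics name the element."""
    for r in relays:
        r.set_coil(False)
    for _ in range(max_ticks):
        for r in relays:
            r.tick()
        if all(r.monitor_input for r in relays):
            return "RUN_PERMITTED"
    # Channels still disagree after the allowed window: report which one is stuck open.
    stuck = [r.name for r in relays if not r.monitor_input]
    return "FAULT: " + ", ".join(stuck) + " monitor contact did not re-close (welded or sticking)"


def run_state_check(relays, dual_channel):
    """With the coils energised every NC feedback contact must be open.  Dual-channel
    monitoring sees each contact, so a short across one shows as a discrepancy; the
    single-channel series input is already open because the healthy contact opened,
    so the same short is masked."""
    for r in relays:
        r.set_coil(True)
    if dual_channel:
        closed = [r.name for r in relays if r.monitor_input]
        if closed:
            return "FAULT: " + ", ".join(closed) + " feedback closed while energised (short across monitor contact)"
        return "OK"
    if all(r.monitor_input for r in relays):
        return "FAULT: series feedback closed while energised"
    return "OK"


def scenario(welded=(), shorted=(), slow=(), max_ticks=3):
    """Build FGR1/FGR2 with the given constructed faults and run all checks on fresh copies."""
    def build():
        return [ForceGuidedRelay(n, welded_no=n in welded, shorted_monitor=n in shorted,
                                 dropout_ticks=5 if n in slow else 1) for n in ("FGR1", "FGR2")]
    return {
        "single": single_channel_check(build(), max_ticks),
        "dual": dual_channel_check(build(), max_ticks),
        "single_run": run_state_check(build(), False),
        "dual_run": run_state_check(build(), True),
    }


if __name__ == "__main__":
    cases = [("healthy", {}), ("FGR2 welded", {"welded": ("FGR2",)}),
             ("FGR1 sticking", {"slow": ("FGR1",)}),
             ("FGR1 welded and monitor contact shorted", {"welded": ("FGR1",), "shorted": ("FGR1",)})]
    for label, faults in cases:
        print(label, scenario(**faults))
```

The last case is the one the text warns about: with the monitor contact shorted, the series (single-channel) input closes normally and the welded FGR1 is never reported, while dual-channel monitoring flags the discrepancy as soon as the coils are energised.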

Power Monitoring
An External Device Monitoring function that is accomplished through the power supply feed is called Power
Monitoring. One normally closed and one normally open contact from each of the control elements are
arranged in a series-parallel monitoring circuit (see figure below).

If either control element should experience a failure (such as a welded normally open contact), the difference
in states is detected in the power monitoring circuit, which will remove power from the safety circuit or safety
device. The power supply for the safety device must be designed to tolerate the normal transitions of the control
elements as they change states. This design can also be configured to detect slowing or sticking control
elements if the transition time extends beyond a predetermined time.
[Figure: power-monitoring series-parallel circuit drawn between +V and -V, using one normally closed and one normally open contact from each of FGR 1 and FGR 2]


ANNEX S – Symbols

E-stop: Emergency stop switch with a mushroom head latching pushbutton with terminals and single, positive opening, normally closed contact.

E-stop: Emergency stop switch with a mushroom head latching pushbutton with terminals and dual, positive opening, normally closed contacts that are electrically isolated and mechanically linked. The double dotted line indicates that both contacts are mechanically linked.

E-stop: Emergency stop switch with a mushroom head latching pushbutton with terminals and dual, positive opening contacts with one normally closed and one normally open. The contacts are electrically isolated and mechanically linked. The double dotted line indicates that both contacts are mechanically linked.

E-stop: Emergency stop switch with a mushroom head latching pushbutton with terminals and dual, positive opening, normally closed contacts that are electrically isolated and mechanically linked, with contact block sensing contact. The double dotted line indicates that both contacts are mechanically linked, and the spring indicates a normally open contact that is intended to be used for the monitoring circuit. In this case the normally open held closed is used to detect if the contact block separates from the button.

E-stop: Emergency stop switch with a mushroom head latching pushbutton with terminals and single, positive opening, normally closed contacts that are electrically isolated and mechanically linked, with contact block sensing contact. The spring indicates a normally open contact that is intended to be used for the monitoring circuit. In this case the normally open held closed is used to detect if the contact block separates from the button.

Switch, Interlock: This shows a switch with one direct (positive) opening normally closed contact with its guard door closed (limit switch released).

Switch, Interlock: This shows a switch with one direct (positive) opening normally closed contact and one non-direct (positive) opening normally open contact with its guard door closed.

Switch, Interlock: This shows a switch with direct (positive) opening normally closed contacts with its guard door closed. The double dotted line indicates that both contacts are connected by non-resilient members.

FGR1 Contact, Force-guided Control Relay: This is a normally closed contact that is mechanically linked to the other contacts of the control relay, in this example designated FGR1.

FGR1 Contact, Force-guided Control Relay: This is a normally open contact that is mechanically linked to the other contacts of the control relay, in this example designated FGR1.

CR1 Contact, Control Relay: This is a normally closed contact that is not mechanically linked to the other contacts of the control relay, in this example designated CR1.

CR1 Contact, Control Relay: This is a normally open contact that is not mechanically linked to the other contacts of the control relay, in this example designated CR1.


SIM1 Contact, Safety Interface Module: This is a normally closed contact from a safety interface module. See ANSI B11.19 section 12.7.

SIM1 Contact, Safety Interface Module: This is a normally open contact from a safety interface module. See ANSI B11.19 section 12.7.

FGR1 Coil, Force-guided Control Relay: This shows a control relay with all contacts electrically isolated and mechanically linked (positive-driven, force-guided).

Gate switch: Type 2 interlock gate switch with 2 normally closed direct acting contacts. The double dotted line indicates that both contacts are mechanically linked. The removal of the actuator key is direct acting to these safety-related contacts.

Guardlocking Interlock (Dependent): Solenoid safety contact is mechanically interlocked to actuator safety contacts. The double dotted line indicates that both contacts are mechanically linked. The removal of the actuator key is direct acting to the safety-related contacts.

Guardlocking Interlock (Independent): Solenoid and actuator are independent. The double dotted line indicates that both contacts are mechanically linked. The removal of the actuator key is direct acting to the safety-related contacts.

Light Curtain (Sender / Receiver): Light Curtain has two OSSD (solid state) outputs, OSSD1 and OSSD2.

Light Curtain (Sender / Receiver): Light Curtain has two FGR (force-guided) outputs, FGR1 and FGR2.

Safety Mat

Inductive Proximity Sensor


Magnetic Sensor

Non contact interlock

Photoelectric Sensing

Pneumatic Safety Valve (dual channel): Redundant internally monitored cross flow valve with solenoid reset. The valve will inhibit further operation should an internal fault occur and will maintain the faulted condition until the reset action takes place. The status switch provides optional feedback and is not required for the valve's safety function.

Pneumatic Safety Valve (dual channel): Redundant internally monitored cross flow valve with automatic reset and a status switch. Because the device resets automatically, the status switch must be externally monitored to detect faults and prevent further operation.

Energy Isolation Device: Valve intended to block incoming pneumatic energy and relieve downstream pneumatic energy. It must meet the criteria of 4.3.?.

Valve (single channel) with sensing: This valve has three ports (inlet, outlet, and exhaust) and two positions (de-energized and energized). When un-energized the valve blocks the inlet supply and exhausts the downstream pneumatic energy. The switch monitors the position of the internals, providing feedback regarding valve position.


Valve (single channel): This valve has three ports (inlet, outlet, and exhaust) and two positions (de-energized and energized). When un-energized the valve blocks the inlet supply and exhausts the downstream pneumatic energy.

Flow control – Meter-IN: Device controls the flow going into the cylinder, also known as meter-IN. Applies to both pneumatics and hydraulics.

Flow control – Meter-OUT: Device controls the flow coming out of the cylinder, also known as meter-OUT.

Rod Lock (Brake): Device used to stop or hold an actuator by clamping or creating friction against the rod.

Velocity fuse: Device used to reduce or eliminate hose whip after a failure. May also be used to support vertical loads during a conductor failure.


Nomenclature for Labeling a SIM


1) The module should be labeled "Safety Interface Module" or, in special applications, the "function"
and then "Safety Interface Module" (e.g., Two-hand Control Safety Interface Module)
2) Input Channels are labeled "CH1", "CH2" (etc.) for input Channel One, Channel Two.
3) Output Channels are labeled "CH1", "CH2" (etc.) for output Channel One, Channel Two, though these may
not have a relation to the input channels.
4) The Reset button, when used, should be labeled "Reset"
   a) "Monitored Reset" when a monitored manual reset function is required.
   b) For auto reset, a reset button is not shown and there is no label.
5) Between the input channel labels is the function description:
   a) "SD" = Short-circuit Detection
   b) "SA" = Synchronous Actuation
   c) "CA" = Concurrent Actuation
6) External Device Monitoring (EDM) - if used, EDM is shown between the connections.
   a) MPCE1 = Machine primary control element
   b) MPCE2 = Machine primary control element


ANNEX V – Valves
Actuator
Component (for example, motor, cylinder) that transforms fluid energy into mechanical energy.

Direct acting
A valve whose main spool or element position is controlled by generating a force through a coil to a push
pin or rod which pushes or pulls on the spool to control position.

Pilot operated
A valve whose main spool or element position is controlled by a secondary valve that delivers or vents
pressure to the ends of the main element to control position.

Interleaving Spring
A spring designed such that a break will not allow the 2 sections to coil into themselves resulting in a shorter
spring length. Springs must be installed around a rod or mounted in a hole.

Ingression
A means or place where contamination is generated or enters the system. Contamination can come from the
supply, can be generated internally due to wear of metal or rubber components, or can come from the
process, typically from material that has collected on the cylinder rods or ingested through the reservoir
breather.

Fluid
Hydraulic, pneumatic, lubrication or other liquids or gases.

Valve element
The internal portion of a valve which moves to cause changes in the flow paths of the air or fluid. This may
be a spool, poppet, slide, or other design. This may also include pilot sections of pilot operated valves.

Poppet valve (hydraulic or pneumatic)


A type of element construction in which the element moves perpendicular to the sealing surface (similar to
the exhaust poppet in an automobile engine). When applied to machines supplied with industrial quality air or
hydraulics the poppet design is the most dependable due to the internal force balances on the elements.
The internal valve forces are biased towards the un-energized condition. The fluid also flows over the
sealing surface which helps prevent contaminants from being deposited. It typically requires component
failure or severe contamination to cause an unsafe fault condition.

Resilient seal spool valve (pneumatic only)


A type of element construction incorporating a spool which slides inside of soft seals (such as o-rings) which
provide sealing between the ports in the body and the spool. Failure modes: Resilient seal wear due to high
cycles or contamination causing leakage which can lead to unintended motion. Failure is normally slow over
the life of the product but can be sudden and catastrophic. Contamination can also lead to a delay in shift
time, failure to shift at all and stopping at any point in its travel. This design is the least sensitive to sticky
contamination but most prone to wear from solid particulate.


Spool valves
A type of element construction incorporating a spool which slides on a thin film of the pressurized media (air
or oil). Failure modes: normal leakage and metal to metal seal wear resulting in leakage. Wear is gradual
over time and does not normally result in unintended motion. Contamination can also lead to a delay in shift
time, failure to shift at all and stopping at any point in its travel. In pneumatic systems this design is
particularly sensitive to lubrication that has been allowed to dry. This design is the most sensitive to sticky
contamination but least prone to wear from solid particulate.

Slide valve (pneumatic only)


A type of element construction incorporating a plate which slides on a thin film of the pressurized air.
Failure modes: Plate-to-plate seal wear resulting in leakage. Wear is gradual over time and does not
normally result in unintended motion. Contamination can also lead to a delay in shift time, failure to shift at
all and stopping at any point in its travel. In pneumatic systems this design is particularly sensitive to
lubrication that has been allowed to dry.

Relative Dependability Guide

Table V.2 Relative Valve Dependability Guide (dependability runs from High on the left to Low on the right)

Crossover Valve Construction | Poppet Construction (High) | "O" ring spool Construction | Air Bearing spool Construction | Slide/plate Construction (Low)

Valve crossover and "ghost" positions

Valve elements transit over various conditions as they shift. The published schematics are not able to
convey this valve shifting position information. These conditions may not be disclosed, or may only be
partially disclosed, in catalog information. The typical valve can be described as having an open crossover or
a closed crossover. In an open crossover position the fluid path is open between the three ports instead of
the typical two, which can result in a port not being fully pressurized. In a closed crossover position the fluid
path is blocked, trapping pressure in a port that is expected to be fully pressurized or exhausted.

The designer is cautioned to investigate these conditions in safety and non-safety valving within the circuit
and to ensure that they do not create an unsafe condition. Images A through E display some potential spool
and sleeve valve positions. These are meant to illustrate the potential crossover hazards that can exist
within a valve. Crossover position concerns are not limited to a particular valve design or manufacturer.

Image A: An un-energized spool and sleeve valve has one port open from in to out with the exhaust blocked.
The other potential outlet port is open to exhaust.

Image B: An energized spool and sleeve valve has the second outlet port open to the inlet and the initial
outlet port open to exhaust.

Image C: This depicts a spool and sleeve valve that is stuck in a mid-position that blocks all ports. The outlet
pressure is trapped and cannot be exhausted.

Image D: This depicts a spool and sleeve valve that is stuck in a mid-position that supplies inlet pressure to
both outlet ports and the exhaust is blocked.
Image E: This depicts a spool and sleeve valve that is stuck in a mid-position that has the supply open to an
outlet and exhaust port while the second outlet port exhaust path is blocked.

Internal safety valve monitoring
A means to determine that the required safety level of the valve is present. Detection of a fault (diminished
performance or traditional) of one element in a dual channel device indicates a reduction in the level of
safety protection previously provided, due to the loss of the redundant feature. In single channel devices,
detection of a fault indicates the possible inability of the valve to operate properly and the complete loss of
any safety level previously present. The monitoring should also inhibit further operation of the machine upon
fault detection until the valve is reset. The valve reset must be consistent with 4.3.21.

External valve monitoring
Electrical devices external to a sensing type valve (see below) that provide for safety valve monitoring. A
safety PLC or an appropriate safety interface module (SIM) can be programmed to detect diminished
performance and standard faults.
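As an added illustration of the monitoring logic described in the two preceding entries (example code written for this page, not from the report or any PLC vendor), a small Python model of what a safety PLC or SIM would check on a dual channel sensing valve: shift time per channel (diminished performance), failure to shift at all, discordance between the two channels (one element faulted, redundancy lost), and a latched fault that inhibits operation until an explicit reset. The channel names, millisecond thresholds and sensor samples are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DualValveMonitor:
    """Models a safety PLC/SIM watching two sensing channels of a dual safety valve."""
    max_shift_ms: float = 60.0    # assumed limit; slower than this = diminished performance
    discordance_ms: float = 20.0  # assumed limit; both channels must agree within this window
    faulted: bool = False
    reason: str = ""
    _cmd_time: Optional[float] = None
    _reached: dict[str, float] = field(default_factory=dict)  # channel -> time it hit target

    def command(self, t_ms: float) -> None:  # a shift was commanded at t_ms; start timing
        self._cmd_time, self._reached = t_ms, {}

    def sample(self, t_ms: float, ch_a: bool, ch_b: bool, target: bool) -> bool:
        """Feed one sensor sample. Returns True while the machine may keep running."""
        if self.faulted:
            return False                    # latched: no further operation until reset
        if self._cmd_time is None:
            return True                     # nothing commanded, nothing to check
        elapsed = t_ms - self._cmd_time
        for name, state in (("A", ch_a), ("B", ch_b)):
            if name in self._reached:
                continue
            if state == target:
                self._reached[name] = t_ms
            elif elapsed > self.max_shift_ms:   # slow shift, or failed to shift at all
                return self._trip(f"channel {name} did not shift within {self.max_shift_ms:.0f} ms")
        if len(self._reached) == 1:             # one element moved, the other is lagging
            first = next(iter(self._reached.values()))
            if t_ms - first > self.discordance_ms:
                return self._trip("channels discordant: one element faulted, redundancy lost")
        return True

    def _trip(self, why: str) -> bool:
        self.faulted, self.reason = True, why
        return False

    def reset(self) -> None:  # manual reset after a fault; the report ties this to 4.3.21
        self.faulted, self.reason, self._cmd_time, self._reached = False, "", None, {}


def run_cycle(monitor, samples, target=True):
    """Command a shift at t=0 ms, replay constructed (t_ms, ch_a, ch_b) samples, report fault."""
    monitor.command(0.0)
    for t_ms, a, b in samples:
        monitor.sample(t_ms, a, b, target)
    return monitor.faulted, monitor.reason
```

A healthy cycle leaves the monitor clear; a channel that lags its partner beyond the discordance window, or a valve that never reaches the commanded state within the shift limit, latches a fault that only reset() clears.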

Standard industrial quality solenoid valves
These are not safety devices and shall not be used as such. However, they may be used as the motion
control valves provided that their energy supply comes from a safety valve whose rating meets the
appropriate safety level determined during the risk assessment.

Soft start valves
A valve which gradually reapplies the pneumatic pressure to avoid shock. When the risk assessment
determines that the reapplication of the pneumatic supply causes dangerous undesirable rapid movement of
components such as cylinders, the designer should consider incorporating a soft start type valve to gradually
re-pressurize the system, providing slow gradual movement. The soft start valve should not inhibit the
exhausting of the downstream air.

Velocity fuse (hose failure automatic shut-off valve)
A device which senses the change in flow which occurs upon a failure of a hose end and automatically
reduces or shuts off the flow so as to avoid hose whip. Currently, 29 CFR 1926.302(b)(7) (OSHA) only
requires these on hoses greater than ½ inch, and only when used with hand tools.
