
Standards and certifications
Mobile Panel 40/50 User's manual V1.80
97
In this regard, it is important to note that in category 3 and later, single faults must be detected promptly in order to prevent an accumulation of faults, which could then lead to a loss of the safety function.
In electrical and electronic systems, faults that must be detected include cross faults between circuits, interruptions, short circuits or stuck contacts. Specially certified safety relays with their own specific PL are often used for detecting faults in the individual safety circuits. The overall PL necessary for the safety function is only achieved, however, if the connection with the corresponding circuits has also been implemented for the respective PL in accordance with the product description and the PL of all components contributing to the safety function have been taken into account.
The PL for an overall safety function must therefore always be calculated from the individual components or modules. Standard EN ISO 13849-1 provides guidelines for more easily determining the PL for a safety function consisting of multiple components.
Note that with safety components connected in series, the PL of the safety function is determined by the safety component with the lowest PL in the safety function. For example, a safety function consisting of 3 components with category 4 PL e, category 3 PL d and category 2 PL c would result in a performance level of PL c for the overall safety function. Further note that a fault would result in the loss of the safety function even though category 4 PL e components are integrated in the safety function. This is because one of the components being used is only category 2.
Combining several PLs can reduce the overall PL.
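As an added example that is not part of the manual, the Python function below applies the rule stated above (the component with the lowest PL determines the overall PL) and extends it with the series-combination rule of EN ISO 13849-1, under which the overall PL drops one level when more than a fixed number of components share the lowest PL. The component lists are constructed for illustration.

```python
"""Overall Performance Level (PL) of a safety function whose components
are connected in series, following EN ISO 13849-1.

Added example; component lists are constructed and not taken from the
Mobile Panel manual.
"""
from collections import Counter
from typing import Optional, Sequence

# PL ordering from lowest to highest.
PL_ORDER = "abcde"

# Series-combination rule of EN ISO 13849-1: with PL_low the lowest PL among
# the components and N_low the number of components at that level, the overall
# PL equals PL_low as long as N_low does not exceed the limit below; otherwise
# the overall PL is one level lower (more than 3 PL a components in series is
# not permitted at all).
MAX_N_LOW = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def overall_pl(component_pls: Sequence[str]) -> Optional[str]:
    """Return the overall PL ('a'..'e') of components in series, or None when
    the combination is not permitted by the standard."""
    pls = [pl.lower() for pl in component_pls]
    if not pls:
        raise ValueError("a safety function needs at least one component")
    for pl in pls:
        if pl not in PL_ORDER:
            raise ValueError(f"unknown performance level {pl!r}")
    pl_low = min(pls, key=PL_ORDER.index)       # the weakest link decides
    n_low = Counter(pls)[pl_low]                 # how many components share it
    if n_low <= MAX_N_LOW[pl_low]:
        return pl_low
    if pl_low == "a":
        return None                              # not permitted
    return PL_ORDER[PL_ORDER.index(pl_low) - 1]  # one level lower


def pl_is_sufficient(component_pls: Sequence[str], required_pl: str) -> bool:
    """True when the achieved overall PL reaches the required PL (PLr)."""
    achieved = overall_pl(component_pls)
    if achieved is None:
        return False
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required_pl.lower())


if __name__ == "__main__":
    # The manual's example: category 4 PL e, category 3 PL d, category 2 PL c.
    print(overall_pl(["e", "d", "c"]))             # c
    # Four PL d components in series: more than 3 at the lowest level -> c.
    print(overall_pl(["d", "d", "d", "d"]))        # c
    print(pl_is_sufficient(["e", "d", "c"], "d"))  # False
```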
An FMEA (failure mode and effects analysis) can ensure that a fault will not lead to the loss of the safety function. This is done by theoretically, or even practically, running through all possible faults and showing that the requirements of the category are sufficiently fulfilled.
5.4.6 Restart interlock per EN 1037:1995 (Safety of machinery - Prevention of unexpected start-up)
Keeping a machine in a state of rest while personnel are working in the danger zone is one of the most important requirements for safely operating machines.
Startup refers to the transition of a machine or its parts from a state of rest to a moving state. A startup is considered unexpected if caused by one of the following:
• A startup command generated due to controller failure or external influences on the controller.
• A startup command generated due to incorrect operation of a startup control actuator or another part of the machine.
• Restoration of the power supply after an interruption.
• External/internal influences on parts of the machine.
To prevent unexpected startup of machines or parts of machines, power should be removed and dissipated. If this is not practical (e.g. frequent brief interventions in danger zones), other measures must be taken:
• Measures to prevent randomly generated startup commands.
• Measures to prevent randomly generated startup commands from causing unexpected startup.
• Measures to automatically stop the dangerous part of the machine before a dangerous situation can be caused by unexpected startup.