Chapter 5

Machinery Protection Devices

Contents
5.0 Guards
5.0.1 Fixed guards
5.0.2 Movable guards
5.0.2.1 Type A
5.0.2.2 Type B
5.0.3 Adjustable guards
5.0.4 Guard switches
5.0.4.1 Function of a guard monitoring relay
5.1 Locking systems
95
5.1.1 Mechanical trapped key interlocking

Devices
Machinery Protection
5.1.2 Electrical control interlocking
5.1.2.1 Typical connections
5.2 Electrosensitive and optoelectronic devices
5.2.1 Optoelectronic selection criteria
5.2.2 Types of approach
5.2.3 Examples of machine guarding
5.2.3.1 Area guarding on an assembly line
5.2.3.2 Access guarding
5.2.3.3 Guarding the interior of a large press
5.2.4 Connection to control circuit
5.2.4.1 Typical connection
5.2.5 Muting
5.2.5.1 Typical connections
5.2.6 Pressure-sensitive safety devices
5.2.6.1 Typical connection
 5.3 Emergency stop devices
5.3.1 Emergency stop switch
5.3.2 Emergency stop circuit
5.3.3 Final control element in a safety circuit
5.3.4 Typical connections
5.4 Two-hand controls
5.4.1 Typical connection
5.4.2 Programmable electronic systems (PES) for
two-hand control

96
Devices
Machinery Protection
 5.0 Guards

A guard is defined as part of a machine that is used specifically to

provide protection by means of a physical barrier (EN 292-1, Section
3.22). Section 1.4 of the Machinery Regulations concerns guards
and protection devices, and states that in general these must:

Be robust
Not give rise to any additional risk
Not be easy to bypass or render non-operational
(fixed enclosing guard)
2 Be located an adequate distance away from the
danger zone (fixed distance guard)
97
Cause minimum obstruction, enabling essential

Devices
Machinery Protection
work to be carried out without dismantling the
guard.

A suitable risk assessment must be carried out on the specific

machine to ensure that the appropriate guard is selected and
designed.

5.0.1 Fixed guards

These guards are fixed in place, i.e. not welded or fastened, and can
only be removed with the aid of tools (i.e. not with a coin or nail file).
Where possible, fixed guards should not be able to remain in place if
the fixings are removed (i.e. it should not be possible to lean the
guard in order to cover the danger zone). A fixed guard may be the
simplest of all the protection devices, but there are still some
important aspects to consider in their application. The best strategy
is to refer to the following specifications:
 EN 953 (Safety of machinery. Guards. General
requirements for the design and construction of fixed
and movable guards). This is the starting point. This
specification will describe such things as guard
height, mechanical requirements and fixings.
EN 294 (Safety of machinery. Safety distances to
prevent danger zones being reached by the upper
limbs).
EN 349 (Safety of machinery. Minimum gaps to avoid
crushing of parts of the human body).
EN 811 (Safety of machinery. Safety distances to
prevent danger zones being reached by the lower limbs). 3
98
5.0.2 Movable guards
Devices
Machinery Protection

5.0.2.1 Type A
Where possible, these must remain fixed to the machine. When
these guards are open they must be combined with a locking device
to prevent moving parts starting up while the danger zone is being
accessed. A stop command must be given when the guard is open.

5.0.2.2 Type B
These must be designed and incorporated into the control system so
that moving parts cannot start up while they are within the operator’s
reach. The exposed person must not be able to reach moving parts
once these are in motion. These guards can only be adjusted with
the aid of a tool or key. If any of the components on the guard fail,
the machine will be prevented from starting. If the machine has
already started up, all moving parts will be stopped. The function of
the associated locking device may be more or less sophisticated,
depending on the type of hazard, frequency of opening, etc.
 This will be determined by the risk assessment. Guards that meet the
requirements of Type B must be regarded carefully. Does the
opening of the guard:

a) Stop the entire machine by disconnecting the power

b) Stop moving parts in the danger zone, guarded for the duration of
this opening period?

To comply with the requirements of a), the guard switch or switches

can be treated as an emergency stop function. A suitable and
sufficient risk assessment can be carried out using the criteria
explained in Chapter 4. This type of interlocking is called power
4 interlocking (EN 1088).
99
To comply with the requirements of b), the method and integrity of the

Devices
Machinery Protection
guarding control circuit has to be assessed as an individual item and
the relevant specifications consulted. A risk assessment will also
have to be performed. This type of interlocking is called control
interlocking (EN 1088).

5.0.3 Adjustable guards

Adjustable guards are used to allow access only to those areas
where it is strictly necessary. It should be possible to adjust these
guards both manually and automatically, without the use of tools.
Where adjustable guards are required, operators should have access
to other protective devices such as jigs or push sticks, for example.

5.0.4 Guard switches

The criteria for guard switches are similar to those of the emergency
stop switch, i.e. the switch actuator moves the contacts along with
it to achieve separation of the contact element (EN 292-2,
EN 60947-5-1).
 Fig. 8: The guard switch

When a single actuator is used to drive the switch it must be of the

positive type, i.e. the actuator is held depressed by the open guard.
This is called positive mode actuation.
5
100
Devices
Machinery Protection

Guard open Guard closed

Fig. 9: Positive mode actuation

5.0.4.1 Function of a guard monitoring relay

The function of the guard monitoring relay is:

a) To monitor itself for functionality and integrity
b) To monitor the switches for functionality (opening and closing)
c) To monitor the switches for integrity (shorts etc.)
d) To monitor the switches for sequence (guard positioning).
 PST 2
PNOZ X6

6
Fig. 10: Two-channel control for Fig. 11: Two-channel control, high 101
position monitoring integrity

Devices
Machinery Protection
PNOZ
XM1

Fig. 12: Three-channel switches conforming to EN 422 and EN 201

NB. Please refer to Pilz Safety Catalogue (1) for relay details.
 5.1 Locking systems

Locking systems can be divided into two basic types: mechanical

trapped key interlocking and electrical control interlocking. Trapped
key interlocking is a proven high-integrity safety system that complies
with the design principles identified in EN 954-1, EN 1088, EN 292-1
and EN 1050. All energy sources (e.g. electrical, pneumatic,
hydraulic) can be reduced to zero, providing unrivalled operator
protection. Such a system is also very easy to retrofit and can be
customised to individual applications. Control interlocking offers rapid
access, machine diagnostics, ease of maintenance and the ability to
maintain power to the PLC.

102 5.1.1 Mechanical trapped key interlocking

In many applications, mechanical interlocking provides the only
Devices
Machinery Protection

practicable method of safeguarding a machine or suite of machines.

This system ensures that a prescribed sequence of actions is taken
when accessing a machine. It is of particular use where there are
multiple hazard types or where access is required to a number of
danger zones over a wide area. The principle behind mechanical key
exchange control is that all sources of power are isolated and all
stored energy dissipated before the hazardous area of the machine
can be accessed. This tried and tested methodology can be used on
all machine installation categories.

A number of products can be configured to safeguard a diverse range

of hazards. Interlocks can be used to lock gates and to spool valves
and isolators. They can also be used to ensure that sources of
stored energy are made safe. Locks are designed in such a way that
the key can only be removed when the hazard has been isolated and
can only be reinstated when the key is trapped in the lock. This
means that the key represents the hazard status associated with that
lock. Keys are uniquely coded and can therefore control the
sequence and limit access to authorised personnel.

Time delay units can be used where a machine has a rundown

period. Under this system it is not possible to take out the key until
power has been removed and the pre-set time period has elapsed. If
the rundown period is predictable, the machine can be presumed to
have come to rest and the key can be used in the next sequence of
machine access.

ISOLATE
Removing the key
turns the electrical
supply OFF
103
EXCHANGE

Devices
Machinery Protection
The key from the
electrical supply is
trapped in the
mechanical exchange
box, allowing the
access keys to be
freed.

ACCESS
The access keys are
inserted into the access
locks to allow entry. A
second key can be
freed to provide
operator protection.

LINK
Key can transfer
to / from control
interlock

Fig. 13: Typical key exchange system

 Rotation sensor units operate in a similar way to time delay units, but
use measurements to prove that the rotating part of a machine has
stopped before access is granted. Key exchange boxes can be used
to ensure that certain actions are performed before others. They also
allow complex if/or sequences to be safely controlled. Solenoid
controlled locks ensure that a key is trapped until signalled by another
action. This could be a permission signal from a remote source or it
could be part of the machine shutdown system.

A safety key is an important feature of mechanical trapped key

systems. The key is removed and taken into the hazardous area,
ensuring that a machine cannot start up unexpectedly. This is
particularly important where personnel can move out of sight within a
104 guarded area. Maintenance personnel can therefore have uniquely
coded or sub-master keys, ensuring that only suitably trained staff
Devices
Machinery Protection

can instigate access.

The two systems can also be combined so that safety keys can be
used to protect individuals, while access keys are used to limit access
to authorised personnel. This is particularly useful when a robot
needs to be put into “teach mode” or a machine has to be reset.

5.1.2 Electrical control interlocking

Electrical control interlocks are common where rapid or frequent
access is required into a machine. Power to the machine control
system can be maintained while providing a safe method of entry.
Gate control is provided by means of solenoid controlled locks that
contain safety monitoring circuits. These circuits incorporate
positively-guided contacts that monitor the solenoid and the physical
position of the gate. Additional electrical contacts are provided to
help determine the machine status. Tongue entry products are typically
used on sliding doors, while handle-operated products can be used
for hinged gates, removing the need for additional door furniture.
5.1.2.1 Typical connections

1 1 3

R
AmStop4 AmStop4 AmStop4

FORTRES FORTRES FORTRES

INTERLOCK INTERLOCK INTERLOCK

2 2 4

1 5 3 7 2 6 4

+V/L 0V/N

24VDC

Reset
105

Devices
Machinery Protection
13 23 33

A1 Y1 Y2

PNOZ X1
41 42 A2

14 24 34

0V

Fig. 14: AMSTOP from Fortress Interlocks connected to a Pilz PNOZ X1, complying
with category 1/2, EN 954-1

Typically this would connect the two normally closed output terminals
on the AMSTOP directly to the supply terminal on the Pilz PNOZ X1
safety relay. The supply voltage for this relay is 24 VDC. Auto reset
is available with this connection.
 1 1 3

R
AmStop4 AmStop4 AmStop4

FORTRES FORTRES FORTRES

INTERLOCK INTERLOCK INTERLOCK

2 2 4

1 5 3 7 2 6 4

+V/L 0V/N

Reset
11
106 24
13 23
Devices
Machinery Protection

A1 S33 S34

PNOZ X5

S11 S12 A2

14 S12 S22

Fig. 15: AMSTOP from Fortress Interlocks connected to a Pilz PNOZ X5, complying
with category 3, EN 954-1

Using the two normally closed outputs on the AMSTOP with a

reference point from the safety relay, this connection is single-fault
tolerant and therefore meets the requirements of category 3,
EN 954-1. This is because both outputs from the AMSTOP must
respond correctly. If a fault occurs in one channel (for example, the
output not breaking or closing, or a fault to earth), the PNOZ X5 will
not reset. Auto reset is available with this connection.
 1 1 3

R
AmStop4 AmStop4 AmStop4

FORTRES FORTRES FORTRES

INTERLOCK INTERLOCK INTERLOCK

2 2 4

1 5 3 7 2 6 4

+V/L 0V/N

12 Reset

13 23 24
107

Devices
Machinery Protection
A1 S33 S34

PNOZ X2

S21 S22 A2

14 S11 S12

Fig. 16: AMSTOP from Fortress Interlocks connected to a Pilz PNOZ X2, complying
with category 4, EN 954-1

Using the two normally closed outputs on the AMSTOP connected to

two individual inputs on the safety relay, this connection is single-fault
tolerant and has some on-line fault detection, thereby meeting the
requirements of category 4, EN 954-1. The PNOZ X2 will react in the
same way as the PNOZ X5 in the previous example, but with the
additional feature that shorts across the input terminals will be
detected, causing the PNOZ X2 to de-energise. An additional option
with the PNOZ X2 range is for a monitored manual reset.
 1 1 3 3

INTERLOCK
FORTRES

INTERLOCK
FORTRES
2 2 4 4
AutoLok4

1 1
R Y
INTERLOCK

INTERLOCK
FORTRES

FORTRES
INTERLOCK

INTERLOCK
FORTRES

FORTRES

AutoLok4
2 AutoLok4
2

2 14 5 7 6 12 1 13 3 4
+V/L

0V/N
1 2
+ -

Reset 13
108
13 23 24
Devices
Machinery Protection

A1 S33 S34

PNOZ X2

S21 S22 A2

14 S11 S12

Fig. 17: AMLOK from Fortress Interlocks connected to a Pilz PNOZ X2, complying with
category 4, EN 954-1

Features are the same as in the previous example. Here, the locking
feature on the AMLOK must be used.
 1 1 3 3

INTERLOCKS
FORTRESS

INTERLOCKS
FORTRESS
AmLok

2 2 4 4

1 1
R YL
INTERLOCKS

INTERLOCKS
FORTRESS

INTERLOCKS

FORTRESS

INTERLOCKS
FORTRESS

FORTRESS

AmLok AmLok
2 2

2 14 5 7 6 12 1 13 3 4
0V/N
+V/L

1 2
+ - K1

13 23 24
Unlock A1 17 25 35 Y1 Y2
A1 S33 S34
PZA

14 PNOZ X 2.

S21 S22 A2 109

14 S11 S12 18 26 36 16 A2

Devices
Machinery Protection
K1
Start

Stop

K1

Fig. 18: AMLOK from Fortress Interlocks connected to a Pilz PNOZ X2 and PZA safety
timer, complying with category 4, EN 954-1
 L1
L2
L3

24VDC

1 1 3 3
INTERLOCK
FORTRES

INTERLOCK
FORTRES

2 2 4 4
AutoLok4

1 1
R Y
INTERLOCK

INTERLOCK
FORTRES

FORTRES
INTERLOCK

INTERLOCK
FORTRES

FORTRES

AutoLok4
2 AutoLok4
2

2 14 5 7 6 12 1 13 3 4
+V/L

0V/N

1 2
+ - Unlock
K

13 23 24
A1 S33S34 A1 13 23 41 L1 L2 L3
PSWZ
15
110 PNOZ X 2.

14 24 42 Y30 Y31Y32 Y1 Y2 A2
Devices
Machinery Protection

S21S22 A2 0 V + 24 V out
K
14 S11S12

S1 K2
K
M

S0 K
K

0V
K K K K

Fig. 19: AMLOK from Fortress Interlocks connected to a Pilz PNOZ X2 and PSWZ
standstill monitor, complying with category 4, EN 954-1
 Fig. 18:
With the AMLOK normally closed output contacts closed, the PNOZ
X2 will energise, making its safety outputs 13 and 14. When the start
button is depressed, K1 will energise, opening its normally closed
contact. The PZA will then de-energise, opening its safety contacts
17 and 18. When the stop button is pressed, K1 will energise,
allowing the PZA to perform its delay time function. After the pre-set
time has elapsed, PZA will energise, closing its safety contacts 17
and 18. The optional release switch can now be pressed, allowing
the AMLOK solenoid to release the lock.

Fig. 19:
16 In some cases, for example, where the guarded machine has uneven
rundown times, it is not efficient to use a delay timer because it has to 111
be set permanently to the maximum rundown time. The PSWZ

Devices
Machinery Protection
standstill monitor uses the regenerated voltage on two separate coils
of the motor and compares this with a pre-defined set point. With the
AMLOK normally closed contacts closed, the PNOZ X2 energises,
making its safety contacts 13 and 14, allowing a star delta start by
depressing S1. When the PSWZ detects voltage at points L1, L2 and
L3, its safety contacts 23 and 24 will open. When the stop relay S0 is
pressed, K2 will de-energise and disconnect the motor from the
supply, allowing the PSWZ to monitor the regenerated voltage. When
the pre-determined voltage level is reached, safety contacts 23 and
24 on the PSWZ will close. This means the optional release switch
S3 can be pressed, energising the AMLOK solenoid and releasing
the lock.
 5.2 Electrosensitive and optoelectronic devices

Mechanical guarding, whether fixed or movable, may not always

provide the solution for certain types of machinery. If an operator
requires regular access to a hazardous area, an electrosensitive or
optoelectronic solution may be better. The advantages are higher
productivity, with protection for both the operator and any third party.
However, it is important to remember that this method of guarding
offers no protection against flying materials.

5.2.1 Optoelectronic selection criteria

The main criteria for specifying an optoelectronic guard are as
follows:
112
Define the zone to be guarded
Devices
Machinery Protection

This is based on the machine’s risk assessment, in which access

to the danger zone can be specified.
Define the safety function to be performed
Here you will need to define exactly what is to be detected within
the danger zone:
- A finger or hand (required when the operator is near to the
hazard). In all cases, the resolution of the active optoelectronic
protection device (AOPD) must be less than or equal to 14 mm.
- Arm or body (mainly for perimeter guarding)
- Presence of an operator (especially where the guarded
machine is not visible from the control point). This is also
suitable for guarding the approach to danger zones, and where
vehicles are involved.
Comply with the category of the safety-related control
Please refer to Section 4.4.
 Calculate the safety distance
The safety distance for an AOPD can be calculated as described
in prEN 999 (Safety of machinery. Hand/arm speed. Approach
speed of parts of the body for the positioning of safety devices),
or as described in any relevant specification for the
corresponding machine (i.e. press). The minimum distance
calculated using prEN 999 must be acceptable from an
operational and ergonomic point of view. The type and location
of the device must also be assessed in order to give complete
detection and protection. If the minimum distance calculated is
not acceptable for operational reasons, other options will need to
be considered.

prEN 999 provides the following general formula for calculating the 113
minimum distance from the danger zone:

Devices
Machinery Protection
S = (K * T) + C,

where:

S is the minimum distance in mm from the hazardous zone to the

detection point
K is the approach speed of the body or parts of the body (in mm
per second)
T is the overall stopping performance in seconds
C is the additional distance in mm, based on intrusion towards the
danger zone prior to actuation of the protective equipment.

Other factors should also be taken into account, such as the

resolution of the AOPD. Annex C of EN 692 (Mechanical presses.
Safety) provides the following table with regard to parameter C:
 Detection capability Additional distance C Cycle initiation by
in mm in mm the AOPD
≤ 14 0
>14 ≤ 20 80 Permitted
> 20 ≤ 30 130
> 30 ≤ 40 240 Not permitted
> 40 850

Fig. 20: Additional distance parameter C from EN 692

5.2.2 Types of approach

Generally we can distinguish between three types of approach:
19
114 Perpendicular
Devices
Machinery Protection

Angular
Parallel.

Hazardous Limit of protected field Hazardous Limit of protected field Hazardous

Limit of zone zone zone
S Direction of
protected penetration
field S

Direction of
Direction of penetration
penetration
AO
PD

ß
H AOPD
AOPD

H H

Floor Floor Floor

Fig. 21: Types of approach

 The following table shows the formulae for calculating the safety distance S:

Perpendicular
approach

ß = 90˚ (± 5˚) S = 2000T + 8 * (d – 14) NB. To prevent bypassing the

d = ≤ 40 mm where S > 100 mm AOPD, use EN 294. In practice,
this standard is not always
applicable because it regards
the hand as a deformable
element. In this case it is
necessary to seek the advice
of an accident prevention body.

where S > 500 mm

take S = 1600T + 8 * (d – 14).
In this case S cannot be
20 < 500 mm.

40 < d ≤ 70 mm S = 1600T + 850 Height of lowest beam ≤ 300 mm 115

Height of highest beam ≥ 900 mm

Devices
Machinery Protection
d > 70 mm No. of Recommended
multi-beam S = 1600T + 850 Beams heights
4 300, 600, 900, 1200 mm
3 300, 700, 1100 mm
2 400, 900 mm
single beam S = 1600T + 1200 1 750 mm

Parallel S = 1600T + (1200 – 0.4 * H) 15 * (d – 50) ≤ H ≤ 1000 mm.

approach where 1200 – 0.4 * H > 850 mm Where H ≥ 300 mm there is a
risk of undetected access under
ß = 0˚ (± 5˚) the beam to be taken into account
for H where d ≤ H/15 + 50

Angular Where ß > 30 ˚C, cf. d ≤ H/15 + 50 applies to the

approach perpendicular approach; lowest beam.
Where ß < 30 ˚C, cf. parallel
5˚ < ß < 85˚ approach;
S then applies to the furthest
beam whose height ≤ 1000 mm

S: Minimum distance H: Height d: Resolution

ß: Angle between plane of detection and direction of penetration T: Time

Fig. 22: Formulae for calculating the safety distance

 5.2.3 Examples of machine guarding

5.2.3.1 Area guarding on an assembly line

The diagrams below show two ways of installing an AOPD for the
same application (access guarding), taking into account both a
perpendicular and a parallel approach, as described above. It is
assumed that this is the only way in which the machine can be
accessed, that the risk is one of severe injury, and that the operator
has frequent access to the hazardous zone.
320 mm

x = d (or refer to C Standard)

21
AOPD: resolution 14 mm

116 Hazardous
zone
A
Y mm
Devices
Machinery Protection

Stopping time with

AOPD = 160 ms

S = 2000 * 0.16 + 8 (14 - 4)

S = 320 mm

Floor

Fig. 23: Perpendicular approach: point of operation guarding combined with area guarding

The calculation shown in the diagram results in a safety distance of

320 mm. This safety distance will increase if the resolution is reduced.
In any case, the safety distance shall not be less than 100 mm. Two
AOPDs are used to avoid the risk of non-detection: one is vertical and
is positioned at the safety distance (perpendicular approach), and the
other is horizontal and is intended to prevent non-detection behind
the vertical AOPD.

According to EN 294 (Safety of machinery. Safety distances to prevent

danger zones being reached by the upper limbs), if height “A” of the
danger zone is 1000 mm, y equals 1800.
 1256 mm minimum

x = d < H / 15 + 50 (or refer to C Standard)

Hazardous zone

Stopping time with

AOPD = 160 ms
where H = 500 mm
AOPD: resolution 30 mm
S = 1600 * 0.16 + (1200 - 0.4 * 500)
S = 1256 mm
C > 850 mm
H = 500 mm

Floor

Fig. 24: Parallel approach: area guarding

In this case a horizontal AOPD is used. The diagram above shows

22 the calculation of the safety distance S and the positioning of the
AOPD. If the installation height of the AOPD is increased beyond 117
300 mm the safety distance will be less, but you will need to allow for

Devices
Machinery Protection
the risk of a person entering the hazardous zone undetected by
passing under the AOPD. In such a case you would need to install
an additional device, based on the risk assessment.
Fig. 25 shows the results of both these methods. Operating constraints
will enable you to decide which is best for your application.

Advantages Disadvantages
Solution no. 1 Higher productivity because Safety device is more
S = 320 mm the operator is closer. expensive.
The short distance between the
vertical barrier and the hazardous
zone enables material to be stored
close to the machine.
Solution no. 2 Safety device is less expensive. Operator much further away.
S = 1336 mm Enables access to be guarded, Difficult to store products on the
regardless of the height of ground because the barrier takes up
hazardous zone “A”. a great deal of space.
Lower productivity.
Higher productivity cost.

Fig. 25: Advantages/disadvantages of perpendicular and parallel approach

 5.2.3.2 Access guarding
Perimeter guarding using 3 beams (at heights of 300, 700 and
1100 mm) allows for a perpendicular approach as described above.
This method must allow for the possibility of the operator becoming
undetected between the AOPD and the hazardous zone, so additional
precautions will need to be taken. For example, the local control
should be positioned in such a way that the whole of the hazardous
zone is visible; it should also be beyond the reach of the operator
while in the hazardous zone.

1106 mm minimum
on all sides with access
to the machine

23
Hazardous zone

118 1100

Stopping time with

Devices
Machinery Protection

AOPD = 160 ms
700 where H = 300 mm

S = 1600 * 0.16 + 850

S = 1106 mm
300

Floor

Fig. 26: Access guarding

5.2.3.3 Guarding the interior of a large press

This type of guarding is recommended for large presses that can be
accessed at ground level. In such a case it is necessary to stop the
press starting up while the operator is inside. It is important to note
that this is a secondary guarding system that should on no account
replace the main guarding system (consisting of an AOPD or two-
hand control). The safety distance must be calculated for the main
guarding system, whose function is to stop the press, and not for the
secondary guarding system, which detects the presence of an
operator inside the press and prevents the press from starting up.
 5.2.4 Connection to control circuit
Each safety device must be incorporated into the machine’s control
system to form an integral part. This means that all parts of the
control system - the relevant part of the machine’s control circuit, its
connection to the safety device and the safety device itself – must
take into account the category defined during the risk assessment (as
per EN 954-1 and EN 61496).

The diagrams overleaf explain the safety categories suitable for an

AOPD and control unit, in line with EN 954-1, taking into account the
whole system, including the stop valve. The diagrams also show how
safety devices of a particular category react in the event of a fault. If
24 a safety device is activated under normal operating conditions (e.g. a
hand enters the protected field), the machine will always stop, 119
regardless of the safety category. Fault tolerance in the respective

Devices
Machinery Protection
safety categories will differ.

For further reading on the application of electrosensitive and

optoelectronic devices, please refer to the guidance document
HSG180, available from the HSE.
 Category 2 Normal Operation Safety function may be lost
operation with error
between checks. Faults
free detected at time of external
Protection field test. Risk of accident in the
occupied
period between the fault
occurring and the next test.

External test cycle

T

T
RISK
on
OSSD / FSD off

Category 3 Normal Operation A single fault assures the

operation with error safety function as an output
free signal for stopping can still
Protection field be generated (e.g. if a hand
occupied
enters the protection field).
The fault is detected either
External test cycle when the hand enters the
T

T
protection field or by internal
checking.
120 on
Accumulation of faults may
lead to loss of the safety
1 function.
off
The system shall be designed
Devices
Machinery Protection

OSSD / FSD on so that a single fault in any

2 of its parts does not lead to
off
the loss of safety functions.

Category 4 Normal Operation A single fault still assures the

operation with error safety function. In addition
free to category 3 the safety
Protection field function must be assured in
occupied
case of an accumulation of
faults. Internal tests must
External test cycle therefore be within the
response time of the safety
T

device.
The single fault is detected
on at or before the next demand
1 on the safety function. If the
off
detection is not possible then
on an accumulation of faults
OSSD / FSD 2 shall not lead to a loss of the
off
safety function.

Fig. 27: Suitable safety categories in line with EN 954-1

5.2.4.1 Typical connection

+ 24 VDC

FGS

5 6 7 3 4 2

K1M 25
121

Devices
Machinery Protection
13
A1 S52 S12 S22 S21 13 23 33 41 Y36
Reset

14
PNOZ 8 K1
2 K2M
3 1 3 2 1 3 K2
24V

Y32 K3

Y35 K1 K2 K3

0V
M
S11 Y1 Y2 A3 14 24 34 42 Y37 A2
3
K1M

K2M

Fig. 28: Typical connection of a category 4 device (Pilz PNOZ 8) with a Sick FGS light
curtain, manual reset
 5.2.5 Muting
The muting of protective devices raises the problem of an
installation’s safety. For example, EN 415-4 (Palletizers and
depalletizers) relates to packaging machinery on which all operations
on the palletised load are carried out entirely and automatically by
machine. Under normal operating conditions, there is a risk at both
the entrance and exit of the interior zone. The AOPD must be muted
at the moment the pallet passes through, but it must also be possible
to detect the presence of an operator. The muting system must
therefore be able to discriminate between the pallet and the operator.

The muting conditions defined in standard EN 415-4 state that:

26 Muting may only occur during the operating cycle when the
122 loaded pallet obstructs access to the hazardous zone
Muting shall be automatic
Devices
Machinery Protection

Muting shall not depend on a single electrical signal

Muting shall not depend entirely on software signals
If muting signals occur as part of an invalid combination,
they shall not allow a state of muting, or they shall ensure
that the machine is locked out
The state of muting must be deactivated as soon as the
pallet has passed through the detection zone.

The diagrams below show how a light curtain can be used to meet all
these requirements. The device incorporates a system of temporary
muting by automatic discrimination. The AOPD is muted by the
sensor pairs A1/A2 and B1/2. In this case the distance between A1
and B2 must be less than the length of the pallet. The light curtain
can also be used to define the maximum duration of the muting
period, in stages of 1 second.
 LCU-P output
in ON state

AOPD output

A1

A2

B1

B2

Muting
< 50 ms > 50 ms

Fig. 29: Muting: pulse diagram

Figs. 30 and 31 give a schematic overview of the muting process.

27
123

Devices
Machinery Protection
A1 A2 B1 B2 LCU

Fig. 30: Muting: the conveyed material is identified; no muting signal is emitted

A1 A2 B1 B2 LCU

Fig. 31: Muting: the operator is identified; the light curtain initiates an (emergency) stop
 5.2.5.1 Typical connections

S24 S12
X1

X2
PST 1 S23 S11 S1 K1

Reset
K2
LC

28 Y36 Y37 Y2

124 PNOZ 8
Devices
Machinery Protection

S12 S52 S21S22

K1 K2

Fig. 32: Typical muting circuit using Pilz safety relays

NB. Please refer to Pilz Safety Catalogue (1) for relay details.
 3 4

B SERIES
RECEIVER 2
24VDC
1

A1 A2
S12 13
3 4
14
B SERIES 2
PILZ
S22
EMITTER 24VDC PNOZ X5
1
S33 23

24

S34
L N E

F1 1A

29
24VDC
125
POWER SUPPLY
eg. LUTZ 722-930

Devices
Machinery Protection
0V
F2 2A
24V

B1 B2 S11 S12
A1 A2 S33 S34
S21 13
S11 13 PILZ SAFETY O/P 1
MUTE 1
PNOZ X3 14
PILZ 14
PNOZ X2.1 23
S22
S12 SAFETY O/P 2
24
S31
MUTE 2 S21 23 33
SAFETY O/P 3
24 34
S32
S22
S33 S34

NOTES
1) MUTE 1 & 2 INPUTS SHOULD BE FORCED FEEDBACK FROM
BREAK LIMIT SWITCHES EXTERNAL
MONITORED CONTACTORS
2) IF THE APPLICATION REQUIRES A FAILSAFE MAN. RESET.
MUTE INDICATOR, A UNIT WITH FAILSAFE
MONITORING OF THE MUTE DEVICE
SHOULD BE USED

Fig. 33: Typical muting circuit using Pilz safety relays

NB. Please refer to Pilz Safety Catalogue (1) for relay details.
 5.2.6 Pressure-sensitive safety devices
Another alternative to mechanical guarding is to use a device that will
sense presence by contact, i.e. a pressure-sensitive device. The two
most common types are contact-sensing bumpers and pressure mats.
These devices are manufactured following the guidance of EN 1760-1
(Safety of machinery. Pressure-sensitive protective devices).

The technology used in these devices may consist of wires or optical

fibres, wire being the most common type at the moment. They are
installed in accordance with prEN 999 (Safety of machinery.
Hand/arm speed. Approach speed of parts of the body for the
positioning of safety devices). Such devices will allow access where
30 required, without the constraints of mechanical interlocked guards. For
126 example, in robot cells where access is required in order to teach the
robot, pressure mats on the floor are interlocked into the safety system
Devices
Machinery Protection

to prevent the operator straying into the hazardous area. Contact

sensing bumpers can be used on safe edges on numerous machine
applications or as bumpers on automatic guided vehicles (AGVs).

5.2.6.1 Typical connection

Reset

Final control element

Fig. 34: Typical pressure mat connection with Pilz PNOZ 16

NB. Please refer to Pilz Safety Catalogue (1) for relay details.
5.3 Emergency stop devices

Every machine must be fitted with a control to bring it to a complete

stop safely. On a complex machine, each workstation must be fitted
with a stop so that all or some of the moving parts can be rendered
safe. Where machinery has complex movements or high inertias, the
stop function must not cause damage to the machine or create a
dangerous situation. This means it is vital to consider the way in
which the machine is brought to a safe condition. The energy supply
to the machine’s actuators must be removed once the stop has been
achieved.

Section 9 of EN 60204-1 categorises stop functions as follows: 31

127
Category 0: Stopping by immediate removal of power to the

Devices
Machinery Protection
machine actuators, all brakes or mechanical devices
being activated (i.e. an uncontrolled stop).

Category 1: Stopping by means of the machine actuators (i.e. a

controlled stop). Power is finally removed once the stop
has been achieved.

Category 2: A controlled stop with the power left available to the

machine actuators.

In reality, all machinery should be fitted with a category 0 stop

function, but where safety or functional requirements demand it,
category 1 or 2 should be provided. Category 0 and 1 stops have
priority over all machine functions.
 5.3.1 Emergency stop switch
The switch is the device that initiates the emergency stop. It must
sustain this signal until disengaged by the appropriate action.
EN 418 is the consultative document for emergency stopping,
explaining the differences between the design of a normal stop and
an emergency stop. It defines the safety requirements of the device
as “having the principle of positive actuation to achieve contact
separation that is not dependent on springs …Any action on the
actuator which generates the signal for an emergency stop must
result in a latching of that actuator. The resetting of the actuator shall
be only by a manual action”.

32 The emergency stop switch actuator may take different forms,

128 depending on the application in which it is being used, for example:
Devices
Machinery Protection

Mushroom-headed buttons
Bars
Levers
Kick-plates
Pressure-sensitive cables.

The colour or the actuator must be red. Where used, the background
colour must be yellow.

5.3.2 Emergency stop circuit

The integrity of the circuit can be decided in conjunction with the risk
assessment. EN 954-1 outlines the requirements for safety-related
controls. In general, the stop circuit can be viewed along the
following lines.
 E-Stop

Final control element

Fig. 35: Category B and 1 stop circuit

This is the type of circuit that meets the requirements of categories B

and 1, in accordance with EN 954-1. The emergency stop push 33
button has positive actuation and will always break the circuit. The 129
control relay is a spring-return device. As the failure mode is not

Devices
Machinery Protection
clearly defined, this could lead to failure to closed circuit. However,
the aim of these categories is to achieve good design using well-tried
components and, if a failure does occur, the risk to the operator or
environment is low.

E-Stop

Reset

Final control element

Fig. 36: Category 2 stop circuit using a safety relay

 The next category of EN 954-1 makes greater demands on the
components. Not only do they have to be good by design and
nature, but the safety function must also be checked and the loss of
the safety function must be detected by this check.

This can be achieved by duplicating the critical safety elements. The

normal method, as shown, is to use redundant relays whose
actuation is checked on start-up and reset. However, although the
emergency stop button is positively driven, if a wiring error or short
occurs across the switch terminals, the safety circuit will be rendered
inoperable. The fault will only be noticed when the button is
operated, so these circuits will require an off-line test, the frequency
34 of which should be decided by the circuit’s demand rate.
130
Devices
Machinery Protection

E-Stop

Reset

Final control element

Fig. 37: Category 3 stop circuit using a safety relay

 E-Stop

Reset

Final control element

Fig. 38: Category 4 stop circuit using a safety relay

35
In accordance with EN 954-1, the demands of category 3 include all 131
those of the previous categories, with the additional requirement that

Devices
Machinery Protection
a single fault should not lead to the loss of the safety function and
that this fault, wherever practicable, should be detected.

As in the case of category 2, where the critical safety device was

considered to be the relay, the input devices must now be duplicated
so their movement can be checked. More switches could be added
to the input circuit, minimising the cost, but this would compromise
the spirit of category 3. For example, if multiple gate switches are
used and more than one gate is open, a single fault on one switch
might not be detected. Again, an off-line test may be required.
The final category of EN 954-1 has the highest demands on the
safety-critical circuit. These are very similar to those of category 3, in
that no single fault will lead to the loss of the safety function, but with
the additional requirement that the fault be detected at or before the
next call on the safety system. If this is impossible, an accumulation
of faults shall not lead to the loss of the safety function.
 Electromechanical and hydraulic circuits work on three faults (for
more details please refer to Chapter 6, Programmable Safety
Systems).

The input device is duplicated, as in category 3. However, to conform

to the requirements, both input devices must have separate
monitored supplies. Multiple input devices are discouraged.

5.3.3 Final control element in a safety circuit

The old British standard BS 2771 established the protection criteria in
case of failure to a dangerous condition by recommending a
redundant proving system. It went on to suggest that this method be
36 used where intermediate relays are used in a safety circuit. This
132 effectively incorporated safety relays into the safety circuit and left the
final control element (i.e. the contactor) to good design principles.
Devices
Machinery Protection

The new specification EN 954-1 states that the combined safety-

related PARTS of a control system start at the point at which the
safety-related signals are initiated and end at the output power control
elements. Future specification EN 61508 will require even more care
to be taken over the whole safety-related control system and will lay
down some stringent criteria, so it is essential to deal with the final
control element as a relevant part of the safety system.

Referring to EN 954-1, the requirements for category 2 onwards are

looking for more than just well-tried components. Well-proven final
elements with a low demand rate on the system might be sufficient
for category 2 and 3, but this really depends on a suitable risk
assessment and appropriate design methods. Duplication is almost
unavoidable if you wish to meet the requirements of category 4.
 Y1 Y1
Y2

E-Stop

37
133

Devices
Machinery Protection
Reset

Y2

R1 R2

Fig. 39: The normally closed contact of the final control element is monitored by the
feedback loop Y1/Y2
 Y1
Y1
E-Stop
Y2

38
134
Devices
Machinery Protection

Reset

Y2

R1 R2

Fig. 40: The normally closed contacts of the final control elements R1 and R2 are
monitored by the feedback loop Y1/Y2
 R2

Y1
Y1
E-Stop
Y2

39
135

Devices
Machinery Protection
Reset

Y2

R1

Fig. 41: The normally closed contacts of the final control elements R1 and R2 are
monitored by the feedback loop Y1/Y2
 5.3.4 Typical connections

L1

L2

L3

F0
Control Circuit
Fuses Q1
Main
Isolator
T1
Control
Transformer
40
Fuses F1
136
F0 K1M
Devices
Machinery Protection

Control Circuit Main Contactor

fuse

F21
Thermal
Overload

S1
Emergency
Stop F2
Thermal
Overload
S2 Relay
Stop

S3 K1M
Start

M
K1M

Direct-on-line
Starter

Fig. 42: Simplified E-Stop circuit for category B & 1

 L1

L2

L3

F0
Control Circuit
Fuses Q1
Main
Isolator
T1
Control
Transformer

41
F0 Fuses F1
Control Circuit 137
fuse
K1M

Devices
Machinery Protection
Main Contactor
S1 F21
Emergency Thermal
Stop Overload

S2
Stop

F2
S3 Thermal
K1M Overload
Start
Relay

K1M
A1 13
Y1

PNOZ X7

S4
Reset
Y2
A2 14
M
K1M

Direct-on-line
Starter

Fig. 43: Simplified E-Stop circuit for category 2 (Pilz PNOZ X7)
 L1

L2

L3

F0
Control Circuit
Fuses Q1
Main
T1 Isolator
Control
Transformer

Fuses F1
42 F0
Control Circuit
fuse K1M
138 Contactor
F2
Thermal
Devices
Machinery Protection

Overload

S2
Stop
S1 K2M
Emergency Contactor
Stop S3 K1M K2M
Start

F2
K1M Thermal
A1 T11 T12 T22 13 33 Overload
T33 Relay
K2M Reset
PNOZ 1
T34
A2 14 34

K1M K2M

M
Direct-on-line
Starter

Fig. 44: Simplified E-Stop circuit for category 3 (Pilz PNOZ 1)

 L1

L2

L3

F0
Control Circuit
Fuses Q1
Main
T1 Isolator
Control
Transformer

Fuses F1
F0
Control Circuit
43
fuse K1M
Contactor 139
F2
Thermal

Devices
Machinery Protection
Overload

S2
Stop
K2M
S1
Contactor
Emergency
Stop S3 K1M K2M
Start

F2
K1M Thermal
A1 S21 S22 S31 S32 13 33 Overload
S33 Relay
K2M Reset
PNOZ X3
S34
A2 14 34

K1M K2M

M
Direct-on-line
Starter

Fig. 45: Simplified E-Stop circuit for category 4 (Pilz PNOZ X3)
 24V
Monitored dump valves
E-Stop P P
V1 V2

1
1
3 3 2
2
24V 2
44 3
1 2 3
140 0V
Devices
Machinery Protection

Pilz relay Start

V1 V2 V3 V3

0V

Fig. 46: Pilz E-Stop relay used with Norgren monitored dump valves
5.4 Two-hand controls

Two-hand controls are mainly used to ensure that operators keep

their hands clear of the danger zone before any movement is
initiated. Applications vary from hedge trimmers to manually-operated
presses; machine setters can also use two-hand controls when other
safeguards have been locked out. As these controls are only of value
to one specific operator, other safeguards should be considered when
using more dangerous classes of machinery, either to prevent others
from entering the danger zone or to increase the level of protection
for that operator.

All types of two-hand controls must comply with the requirements of 45

EN 292-1 and, in the case of two-hand control relays, EN 60204. The 141
design and selection will depend upon:

Devices
Machinery Protection
The hazard present
The risk assessment
The experience of the technology used
Other factors, such as the prevention of accidental
actuation and wilful defeat.
 EN 574 (Safety of machinery. Two-hand controls) defines 3 types of
two-hand controls, setting out the minimum measures of safety for
each device, as shown in the table below:

Requirements Types
I II III
A B C
Use of both hands (simultaneous actuation) X X X X X
Relationship between input signals and output signal X X X X X
Cessation of the output signal X X X X X
Prevention of accidental operation X X X X X
Prevention of defeat X X X X X
Re-initiation of the output signal X X X X
46 Synchronous actuation X X X
142 Use of category 1 (EN 954-1: 1996) X X
Use of category 3 (EN 954-1: 1996) X X
Devices
Machinery Protection

Use of category 4 (EN 954-1: 1996) X

Fig. 47: Minimum safety measures for two-hand devices

The requirements are listed as follows:

Operators shall use both hands during the same time period;
this is simultaneous action and is independent of any time
lag between the two input signals
The two activating signals shall initiate and maintain the
output as long as both signals are present
The release of one or both activating signals will stop the
output
The risk of accidental operation shall be minimised
Prevention of accidental operation or prevention of defeat
shall be mainly achieved via mechanics and ergonomics
 It shall only be possible to reinitiate the output signal after
both inputs have been released
The output signal may only appear when both inputs are
activated within 0.5 seconds of each other. If the inputs are
not actuated synchronously, the output will be prevented
until the inputs are re-applied within this time scale. This is
called synchronous actuation.

In the case of failure, the parts of the two-hand control device shall
behave in accordance with EN 954-1.

5.4.1 Typical connection

47
143
Inputs

Devices
Machinery Protection
PLC
Output supply
Outputs
Input supply

Y1
P2HZ X1
Y2

Enable
machine
movement

Fig. 48: Typical two-hand circuit with Pilz P2HZ X1

NB. Please refer to Pilz Safety Catalogue (1) for relay details.
 5.4.2 Programmable electronic systems (PES) for two-hand
control
There is still a considerable amount of development to be done into
the ways in which programmable electronic systems can be validated
for use in safety systems. However, where such systems are being
used to achieve the functional characteristics of a two-hand control,
the hardware and software shall be validated in accordance with the
risk assessment and the PES guidelines from the HSE (please refer
to Chapter 6, Programmable Safety Systems).

It is clear, however, that EN 574 requires that the output signal for
Types IIIB and IIIC two-hand controls should not be generated solely
48 by a single-channel programmable electronic system.
144
Devices
Machinery Protection