Requirements on the external safety controller
A safety relay can be used as an alternative to a safety controller. The following requirements apply analogously.
- The safety controller and all other safety-related subsystems must be approved for at least the safety class required in the overall system for the respective application-related safety function.
- The following table shows an example of the required safety class of the safety controller:
| Application | Safety controller requirements |
|---|---|
| Performance level d according to EN ISO 13849-1, SIL 2 according to EN 62061 | Performance level d according to EN ISO 13849-1, SIL 2 according to EN 61508 |
| Performance level e according to EN ISO 13849-1, SIL 3 according to EN 62061 | Performance level e according to EN ISO 13849-1, SIL 3 according to EN 61508 |
- The wiring of the safety controller must be suitable for the required safety class (see manufacturer documentation). The STO input of the device can be switched with 2 poles (sourcing output, sourcing/sinking, or serial sourcing), or with 1 pole (sourcing).
- The values specified for the safety controller must be strictly adhered to when designing the circuit.
- Electro-sensitive protective equipment (such as a light grid or scanner) according to EN 61496-1 and emergency stop buttons must not be connected directly to the STO input. The connection must be made via safety relays, safety controllers, etc.
- To ensure protection against unintended restart in accordance with EN ISO 14118, the safe control system must be designed and connected in such a way that resetting the command device alone does not lead to a restart. A restart may be carried out only after a manual reset of the safety circuit.
- If no fault exclusion is used for the STO wiring according to EN ISO 13849-2 or DIN EN 61800-5-2, the external safety device must detect the following faults in the STO wiring within 20 s, depending on the connection type:
  - 2-pole sourcing output:
    - Short circuit of 24 V at F_STO_P1 or F_STO_P2 (stuck-at 1)
    - Cross fault between F_STO_P1 and F_STO_P2
  - 2-pole sourcing/sinking:
    - Short circuit of 24 V at F_STO_P1 (stuck-at 1)
    - Short circuit of 0 V at F_STO_M (stuck-at 0)
  - 2-pole serial sourcing:
    - Fault exclusion is mandatory
  - 1-pole sourcing output:
    - Short circuit of 24 V at F_STO_P (stuck-at 1)
2-pole sourcing output:
- Test pulses can be used when the device is switched on or off.
- The test pulses on both sourcing channels must be switched with a time delay. However, additional switch-off test pulses may occur simultaneously.
- The test pulses in both sourcing channels must not exceed 1 ms.
- The next switch-off test pulse in one sourcing channel must only occur after a 2 ms time period.
- A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait at least 500 ms after any pulse package before generating another switch-on test pulse or another switch-on test pulse package.
- The signal levels must be read back by the safety controller and compared to the expected value.
- The signal levels may have a maximum temporal discrepancy of 130 ms. In case of a larger temporal discrepancy, the device changes to the STO fault state (F20.11).
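As an added illustration (not part of the manufacturer's documentation), the Python below checks a constructed two-channel edge trace for the 2-pole sourcing output against the limits listed above: 1 ms pulse width, 2 ms pulse interval, packages of at most 3 switch-on pulses separated by 500 ms, and the 130 ms read-back discrepancy that otherwise leads to F20.11. The trace format and the start-to-start reading of "interval" are assumptions.

```python
MAX_PULSE_MS = 1.0          # a test pulse must not exceed 1 ms
MIN_INTERVAL_MS = 2.0       # next test pulse in the same channel only after 2 ms
MAX_ON_PULSES_PER_PKG = 3   # at most 3 switch-on test pulses in sequence
MIN_PKG_GAP_MS = 500.0      # then wait at least 500 ms before the next package
MAX_DISCREPANCY_MS = 130.0  # larger read-back discrepancy -> STO fault state F20.11

# Constructed sample traces: time-sorted (t_ms, new_level) edges per channel. Both
# channels start at level 1 (24 V); a closed excursion is a test pulse, an excursion
# that never returns is the real switch-off demand issued by the safety controller.
GOOD_P1 = [(10.0, 0), (10.5, 1), (12.0, 0), (12.5, 1), (100.0, 0)]
GOOD_P2 = [(11.0, 0), (11.5, 1), (13.0, 0), (13.5, 1), (150.0, 0)]  # 50 ms after P1: ok
BAD_P1 = [(10.0, 0), (11.5, 1), (11.8, 0), (12.3, 1), (100.0, 0)]   # 1.5 ms pulse, 1.8 ms gap
BAD_P2 = [(11.0, 0), (11.5, 1), (300.0, 0)]                         # switches 200 ms after P1

def split(trace, steady):
    """Closed excursions from `steady` as (start, end) pairs, plus the start of a
    final excursion that never returns (None if the channel stays steady)."""
    pulses, start = [], None
    for t, level in trace:
        if level != steady and start is None:
            start = t
        elif level == steady and start is not None:
            pulses.append((start, t))
            start = None
    return pulses, start

def check_channel(trace, steady):
    """Width, interval and package violations on one channel: steady=1 checks
    switch-off test pulses, steady=0 switch-on test pulses (package rule applies)."""
    pulses, _ = split(trace, steady)
    found = [f"pulse at {s:g} ms is {e - s:g} ms wide" for s, e in pulses if e - s > MAX_PULSE_MS]
    in_pkg = 1
    for (s0, _), (s1, _) in zip(pulses, pulses[1:]):
        if s1 - s0 < MIN_INTERVAL_MS:  # interval measured start-to-start (assumption)
            found.append(f"pulses at {s0:g} and {s1:g} ms closer than {MIN_INTERVAL_MS:g} ms")
        in_pkg = in_pkg + 1 if s1 - s0 < MIN_PKG_GAP_MS else 1
        if steady == 0 and in_pkg > MAX_ON_PULSES_PER_PKG:
            found.append(f"more than {MAX_ON_PULSES_PER_PKG} switch-on pulses before {s1:g} ms without 500 ms pause")
    return found

def check_discrepancy(trace_p1, trace_p2, steady=1):
    """Read-back comparison: both channels must switch within 130 ms of each other."""
    _, t1 = split(trace_p1, steady)
    _, t2 = split(trace_p2, steady)
    if (t1 is None) != (t2 is None):
        return ["only one channel switched: discrepancy exceeds 130 ms (F20.11)"]
    if t1 is not None and abs(t1 - t2) > MAX_DISCREPANCY_MS:
        return [f"channel discrepancy {abs(t1 - t2):g} ms exceeds {MAX_DISCREPANCY_MS:g} ms (F20.11)"]
    return []
```

Running `check_channel(BAD_P1, 1)` reports the over-wide pulse and the too-short interval, and `check_discrepancy(BAD_P1, BAD_P2)` reports the 200 ms discrepancy.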
2-pole sourcing/sinking:
- Test pulses can be used when the device is switched on or off.
- The test pulses in the sourcing and sinking channel must not exceed 1 ms.
- The next switch-off test pulse in the sourcing or sinking channel must only occur after a 2 ms time period.
- A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait at least 500 ms after any pulse package before generating another switch-on test pulse or another switch-on test pulse package.
- The signal levels must be read back by the safety controller and compared to the expected value.
2-pole serial sourcing:
- Fault exclusion in the connection lead is mandatory if no external test pulses are possible.
1-pole sourcing output:
- Test pulses can be used when the device is switched on or off.
- The test pulse in the sourcing channel must not exceed 1 ms.
- The next switch-off test pulse may only occur after a time period of 2 ms at the earliest.
- A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait at least 500 ms after any pulse package before generating another switch-on test pulse or another switch-on test pulse package.
- The signal levels must be read back by the safety controller and compared to the expected value.