Requirements for external safety controllers
A safety relay can be used as an alternative to a safety controller. The following requirements apply mutatis mutandis.
- The safety controller and all other safety-related subsystems must be approved for at least the safety class required in the overall system for the respective application-related safety subfunction.
- The following table shows an example of the required safety class of the safety controller:
| Application | Requirement for safety controller |
|---|---|
| Performance level d in accordance with ISO 13849-1, SIL 2 in accordance with IEC 62061 | Performance level d in accordance with ISO 13849-1, SIL 2 in accordance with IEC 61508 |
| Performance level e in accordance with ISO 13849-1, SIL 3 in accordance with IEC 62061 | Performance level e in accordance with ISO 13849-1, SIL 3 in accordance with IEC 61508 |
- The wiring of the safety controller must be suitable for the intended safety class (see the manufacturer's documentation). The STO input of the device can be switched 2-pole (sourcing output).
- The values specified for the safety controller must be strictly adhered to when designing the circuit.
- To ensure protection against an unexpected startup in accordance with EN ISO 14118, the safe control system must be designed and connected in such a way that resetting the command device alone does not lead to a restart. This means that a restart may only be carried out after a manual reset of the safety circuit.
- If no fault exclusion is used for the STO wiring in accordance with ISO 13849‑2 or IEC 61800‑5‑2, the external safety device must detect the following faults in the STO wiring:
  - 2-pole sourcing output:
    - Short circuit of 24 V at STO_1+ or STO_2+ (stuck-at 1)
    - Cross fault between STO_1+ and STO_2+
- 2-pole sourcing output:
  - Test pulses can be present when the device is switched on or off:
    - The test pulses on both sourcing channels must be switched with a time delay. However, additional test pulses may occur simultaneously.
    - The test pulses in both sourcing channels must not exceed 1 ms.
    - The next test pulse in one sourcing channel must occur only after a 2 ms time period.
    - A maximum packet of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
  - The test pulses must be monitored in the safety device. If a fault is detected, the safety device must initiate a suitable fault response.
  - The signal levels may have a maximum temporal discrepancy of 130 ms. In case of a larger temporal discrepancy, the device changes to the STO fault state.
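The timing limits above (1 ms pulse width, 2 ms spacing, packets of at most 3 pulses followed by a 500 ms pause, and the 130 ms discrepancy limit between STO_1+ and STO_2+) are easy to get wrong when a safety controller's test-pulse pattern is configured. The following is an added example, not code from the device manufacturer or from this manual: a small Python model that checks a planned per-channel pulse schedule against those limits and computes the longest period during which the two channel levels differ, which is what the device's discrepancy monitoring reacts to. The function names, the event-list representation and the interpretation that any pulse less than 500 ms after the previous one belongs to the same packet (with spacing measured start-to-start) are assumptions made for this example.

```python
"""Checker for the STO test-pulse and discrepancy limits stated above.

Added example (not the device firmware). Timing values are the ones from the
text; the data formats and packet interpretation are assumptions.
"""

MAX_PULSE_MS = 1.0          # a test pulse must not exceed 1 ms
MIN_PULSE_GAP_MS = 2.0      # next pulse in the same channel only after 2 ms
MAX_PACKET_PULSES = 3       # at most 3 switch-on pulses per packet
PACKET_PAUSE_MS = 500.0     # wait at least 500 ms after a packet
MAX_DISCREPANCY_MS = 130.0  # larger level discrepancy -> STO fault state


def check_channel_pulses(pulses):
    """Validate one sourcing channel's planned test pulses.

    pulses: list of (start_ms, end_ms), sorted by start time.
    Returns a list of violation strings; an empty list means the schedule
    respects the limits. Assumption: spacing is measured start-to-start, and
    a pulse starting less than 500 ms after the previous pulse counts toward
    the same packet.
    """
    violations = []
    last_start = None
    packet_len = 0
    for i, (start, end) in enumerate(pulses):
        width = end - start
        if width > MAX_PULSE_MS:
            violations.append(f"pulse {i}: width {width} ms exceeds {MAX_PULSE_MS} ms")
        if last_start is None or start - last_start >= PACKET_PAUSE_MS:
            packet_len = 1  # first pulse, or the 500 ms pause was respected
        else:
            gap = start - last_start
            if gap < MIN_PULSE_GAP_MS:
                violations.append(f"pulse {i}: only {gap} ms after previous pulse")
            packet_len += 1
            if packet_len == MAX_PACKET_PULSES + 1:
                violations.append(f"pulse {i}: more than {MAX_PACKET_PULSES} pulses in one packet")
        last_start = start
    return violations


def longest_discrepancy(ch1_edges, ch2_edges, end_ms):
    """Longest interval (ms) during which STO_1+ and STO_2+ levels differ.

    ch1_edges / ch2_edges: sorted lists of (time_ms, level) transitions with
    level 0 or 1; both channels are assumed to start at level 0.
    end_ms: end of the observation window.
    """
    events = sorted([(t, 0, lvl) for t, lvl in ch1_edges] +
                    [(t, 1, lvl) for t, lvl in ch2_edges])
    levels = [0, 0]
    differ_since = None
    longest = 0.0
    for t, ch, lvl in events:
        if levels[ch] == lvl:
            continue  # not a real transition, nothing changes
        if differ_since is not None:
            longest = max(longest, t - differ_since)  # close the open interval
        levels[ch] = lvl
        differ_since = t if levels[0] != levels[1] else None
    if differ_since is not None:
        longest = max(longest, end_ms - differ_since)  # still differing at end
    return longest


def sto_fault_state(ch1_edges, ch2_edges, end_ms):
    """True when the discrepancy limit is exceeded (device enters STO fault state)."""
    return longest_discrepancy(ch1_edges, ch2_edges, end_ms) > MAX_DISCREPANCY_MS


if __name__ == "__main__":
    # Constructed schedules: a valid 3-pulse packet plus a pulse after the pause,
    # and an invalid 4-pulse packet.
    print(check_channel_pulses([(0, 0.5), (2, 2.5), (4, 4.5), (504, 504.5)]))
    print(check_channel_pulses([(0, 0.5), (2, 2.5), (4, 4.5), (6, 6.5)]))
    # Constructed level traces: STO_2+ follows STO_1+ after 50 ms (OK) and 200 ms (fault).
    print(sto_fault_state([(0, 0), (100, 1)], [(0, 0), (150, 1)], 1000))
    print(sto_fault_state([(0, 0), (100, 1)], [(0, 0), (300, 1)], 1000))
```

Feeding the planned switch-on pulse pattern through `check_channel_pulses` before commissioning, and the two captured STO input traces through `sto_fault_state` when a spurious STO fault is being investigated, covers the two places where these limits are most often violated.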