Requirements on the external safety controller

A safety relay can be used as an alternative to a safety controller. The following requirements apply analogously.

  • The safety controller and all other safety-related subsystems must be approved for at least the safety class required in the overall system for the respective application-related safety function.
  • The following table shows an example of the required safety class of the safety controller:

Application

Requirement for safety controller

Performance level d according to EN ISO 13849-1, SIL 2 according to EN 62062

Performance level d according to EN ISO 13849‑1,

SIL 2 according to EN 61508

  • The wiring of the safety controller must be suitable for the endeavored safety class (see manufacturer's documentation). The STO input of the device can be switched dual-channel (sourcing/sinking output or serial sourcing output) or single-channel (sourcing output).
  • The values specified for the safety controller must be strictly adhered to when designing the circuit.
  • Electro-sensitive protective equipment (such as light grid or scanner) according to EN 61496‑1 and emergency stop buttons must not be directly connected to the STO input. The connection must be made using safety relays, safety controllers, etc.
  • To ensure protection against an unexpected restart in accordance with EN ISO 14118, the safe control system must be designed and connected in such a way that resetting the command device alone does not lead to a restart. This means that a restart may only be carried out after a manual reset of the safety circuit.
  • If no fault exclusion is used for the STO wiring according to DIN EN ISO 13849‑2 or DIN EN 61800‑5‑2, the external safety device must detect the following faults in the STO wiring within 20 s depending on the connection type:
    • Dual-channel, sourcing/sinking output:
    • Short circuit of 24 V at F_STO_P (Stuck-at 1)
    • Short circuit of 0 V at F_STO_M (Stuck-at 0)
    • Dual-channel serial sourcing output:
    • Fault exclusion is mandatory
    • Single-channel, sourcing output:
    • Short circuit of 24 V at F_STO_P (Stuck-at 1)

Dual-channel, sourcing/sinking output:

  • Test pulses can be used when the device is switched on or off.
    • The test pulses in the sourcing and sinking channel must not exceed 1 ms.
    • The next switch-off test pulse in the sourcing or sinking channel must only occur after a 2 ms time period.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.

Dual-channel serial sourcing output:

  • Fault exclusion in the connection lead is mandatory if no external test pulses are possible.

Single-channel, sourcing output:

  • Test pulses can be used when the device is switched on or off.
    • The test pulse in the sourcing channel must not exceed 1 ms.
    • The next switch-off test pulse may only occur after a time period of 2 ms at the earliest.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.