Safety Sensors Rise to New Heights
An integrated safety system, like any control system, contains sensors, logic, and actuation, with I/O connections, networks, and software to tie it all together. As connected sensors advance in functionality and fall in cost, redundancy and fail-safe designs reduce risk.
Mark T. Hoske, Control Engineering
Human life has value, which is why integrated safety systems protect workers, assets, environment, and nearby communities from hazardous workplace conditions. While education helps, smart designs and technologies overcome the ups and downs of humanity — lack of training and lapses of judgment — that cause accidents.
A new industrial elevator design, proven in the test tower shown, is being installed in several applications. Officials from Tower Elevator Systems Inc. provide a high-level view of how industrial sensors and smart designs integrate into a safety system.
Safety sensors create a no-entry area, past which safety sensing technology detects intrusion and sends a signal to attached logic, halting or drastically slowing whatever actuation (hydraulic, pneumatic, electric) might cause injury. Additionally, safety sensors are made to fail safely, meaning if a measurement or signal transmission doesn't occur, the attached logic ensures a safe outcome.
Safety sensors can also include elements of redundancy, so if one element fails, another takes over, avoiding productivity losses from a shutdown. Redundancy doesn’t necessarily mean a system is safe, nor does use of safety automation ensure that the assembled system is safe. Safety automation, rated by safety integrity level (SIL4 is safest), adds safety, and certification adds cost; how it’s integrated into overall design matters a great deal. Refer to applicable standards, codes, and best practices, and use risk assessments to reduce hazards to an acceptable level of risk. (Nothing is risk-free.) Other articles cited offer help in those areas.
Safety sensor or switch products can include automatic safety barriers, edges, electronic safety sensors, emergency stop (e-stop), palm buttons, safety controls, laser scanners, light curtains, mats, optoelectronic devices (single and multi-beam), and two-hand safety controls, among others.
Trends in safety sensors include greater integration, such as putting the photodiode and amplifier on the same chip, greater sensitivities in sensing elements, more efficient light-emitting diodes (LEDs), greater affordability, wider selection of available products and suppliers, and greater attentiveness to designing in functional safety and reliability, according to John Drinkard, vice president of engineering, Omron Scientific Technologies Inc.
“Factories can represent extreme environments. The main difference in safety and non-safety products is that, should a component in a safety product fail, or an improper attempt to bypass the safety function be made, the product is designed to detect these conditions and respond safely, with outputs off,” Drinkard says. In addition, designs of safety devices have changed to fit specific applications better, such as light curtains with new muting or blanking features, he says; configuration has also become easier, via dip switches or a PC. “We’re often looking at incremental improvements of existing products as we develop new safety sensing technologies,” Drinkard adds.
3D safety zone
While these existing safety sensor technologies follow the faster, lower power, easier to use, more economical technology trend, invention continues. A technology developer for another major safety automation company said (without naming competitors) that safe-area machine vision technology was the next major safety growth area, and he’d expect other major introductions, using complementary metal oxide semiconductor (CMOS) image sensor technology.
That observation followed the Pilz Automation Safety LP introduction of what Pilz called the world’s first 3D safe camera system for control and monitoring, SafetyEye, in June of last year. Such a sight-based, three-dimensional safety system has the potential to sense, monitor, and control potentially dangerous work processes more simply than networks of multiple two-dimensional sensors, such as light curtains, and other guarding. Pilz says the SafetyEye 3D system offers more safety with easy-to-configure (on a PC) detection zones, and fast diagnostics for rapid troubleshooting, and no barriers.
“As safety sensor technology continues to mature,” says Israel Alguindigue, automotive market manager, Sick Safety Systems Division, “devices have been enhanced with powerful self-diagnostics capabilities that provide information about the health and status of the device, and, in many cases, about the machine. This information can be used by machine users and builders to design robust maintenance schemes that go far beyond reactive maintenance, which aim to maximize machine availability.”
For example, Alguindigue says, new safety devices based on vision technology for press brakes collect valuable performance data from the machine, such as the maximum velocity and deceleration, which can be used to assess the health of the press brake. “A history of this information is readily available from the safety device. Because of the precision required to ensure the operators' safety, and the tight interface with the machine, safety sensors can often provide other useful data such as location, angles, and position.”
A vertical application helps provide context for how safety sensors help make equipment safer. Tower Elevator Systems Inc. (TESI) applied ASME A17.1 Safety Code for Elevators for freight and personnel to its industrial elevator. This is the only known industrial elevator system using a safety PLC with TUV SIL category 4 certification. These rack and pinion industrial elevators target industry, broadcast towers, mills, mines, power plant chimneys, oil rigs, refineries, ships, and other applications. They incorporate TESI Smart Reel technology, with redundant safety systems and a Siemens-based hardwired control system running the Profisafe network.
“Engineers try to stick to the rule of three for safety. Our system has up to five redundant levels to provide for safety of passengers and stop the elevator if it’s moving,” says Mark Burnett, TESI control systems manager. “That provides a higher level of assurance. This is an investment in a company’s most important asset, its people.”
Burnett says the latest Tower Elevator control system provides self monitoring, and fail-safe shut down in case of faults. The controller, with variable frequency drive (VFD) and encoder, checks the car’s speed up or down and stops the system if the actual reported speed is not within the expected tolerance, if the VFD senses a problem, or if power is interrupted to the motor or brake.
Mechanically applied safety brakes provide an extra layer of safety. System health monitoring checks the system every time it shuts off, compared to other systems that only may be inspected every year or every five years, depending on local requirements, Burnett says.
Sensors for speed and positioning, says Todd Grovatt, Tower Elevator president and chief operating officer, include the incremental quadrature encoder, non-contact proximity sensors and contact limit switches at the final over-travel stops. Rack and pinion positive mechanical connection to the drive shaft prevents slippage.
The non-contact proximity sensor resets the home position to calibrate and reset the count to zero each time the system returns to the lower landing stop. Another measured parameter is the amp draw on the motor, to tell if the system is dragging too much on the rack.
Other systems use one set of mechanical limit switches and cams to slow the car, another set to stop, and others to lock and unlock doors. The TC1K controls these and other functions with advanced control system logic and electronic devices. The safety PLC handles all critical functions, such as independent braking with two safety contactors, Grovatt says. The first system using the redesigned safety controller was tested in late March at an 80 foot test tower (cover image) and will be installed before end of June.
Integrated safety systems, in place for the past four or five years in many industrial settings, are expanding into other applications, such as industrial strength elevators, says J. B. Titus, manager of business development and industry standards at Siemens Energy and Automation. Results include increased uptime, safety, cost savings in installation, wiring, and diagnostics, as well as better operations.
Noting the value and growth of safety automation, Rockwell Automation acquired Cedes’ Safety and Automation business, said to be a leading European safety light curtain and optoelectronic sensor supplier. Afterward, ARC Advisory Group called Rockwell Automation the leader in machine and process safety technology.
Dan Hornbeck, Rockwell Automation marketing development manager for safety, noted that safety components provide information to the overall safety system, and recent advancements in products help with that.
“If something fails,” says Richard Galera, Rockwell Automation marketing manager for safety components, “the system needs to ensure the machine stops and does not injure people or damage the machines.” To increase reliability there's redundancy inside safety sensors, such as a dual set of direct opening contacts or dual processors. Many older machine designs later wrapped safety around them as an afterthought; such add-ons might be thwarted. Now safety is integrated, mechanically and electronically, from day one of the design, improving safety and optimizing productivity, Galera says. “If you have to keep opening a door, use a light curtain,” Hornbeck adds.
Analyzing a machine sensor’s outputs can help ensure efficiency and safety, says David Bell, SmartSignal’s vice president application engineering. Checking vibration patterns from validated sensors ensures that machines (such as hundreds of tons of rotating steam turbine at 3,600 rpm, or mechanical pulping machinery) remain safe. Validated sensors indicate when mechanical or electronic systems begin to fail, suggests Bell. In establishing a baseline signature for how machines operate, it’s not unusual for SmartSignal software to find that 3% to 8% of connected sensors are bad.
Sensor data and safety networks can combine to create safety zones more easily than hardwiring an application, says Helge Hornis, manager, Pepperl+Fuchs intelligent systems group. Doing so can improve productivity. “For instance,” Hornis says, “a sheet metal press may have several locations where material can be introduced.” If the press design allows the press part to be run safely as one in-feed is interrupted, Hornis says, “it is possible to keep the process going when workers are bringing new material in and adjusting it for feeding into the press.”
Ease of use, productivity, safer designs… it looks like nowhere but up as machine safety sensors continue to advance.
www.cesuppliersearch.com Control Engineering Buyer's Guide (search safety)
www.controleng.com/integrators (look for safety under engineering specialties)
Bosch Rexroth says safe motion technologies can be selected at the drive. In doing so, the drive can perform safe standstill and operational stop, safety reduced velocity or increment, safe direction of movement, safely limited absolute position, and safe brake management.
Carlo Gavazzi's new range of Safety switches are said to be ideal for all types of applications where workplace safety is desired. Typical markets that require this type of product include: Packaging, plastics, material handling, conveyor, mining, elevator and automatic door, and other industries, and most applications where an electrical enclosure is used.
Elobau says that for machine guard monitoring, non-contacting sensors can be used effectively: they satisfy high protection standards, are free from wear and tear, and are particularly easy to install. All the systems which contain control units and sensors or locking bolt systems are approved according to EN 954-1 and are consistent with safety categories 1-4. For multi-purpose requirements the sensors can be delivered in different design forms, which also could have ATEX approval.
Honeywell's FF-SD Series Safety Sensitive Edges are pressure-sensitive protective devices designed to comply with requirements of the EN 1760 part 2 European Standard for protection of operators exposed to hazardous moving parts. When the safety edge is actuated, the control unit de-energizes its safety output relays, stopping the hazard. The system complies with Category 4 per EN 954-1 European Standard so can be used in high-risk applications with closing doors, presses, blades or similar hazards, Honeywell says.
Heidenhain encoder interface for safety-related positioning measuring systems, EnDat 2.2, is certified as per (safety integrated level) IEC 61508, as per (performance level) ISO 13 849 and as per (category 3) EN 954-1 standards. It has
Inductive sensors, explains ifm efector, also can be designed to fail safely for use in safety applications.
Light curtains that eliminate the dead zone (areas where light beams do not provide protection) can save money and make system design easier, suggests Keyence.
Allen-Bradley SensaGuard non-contact safety switches are Category 4/SIL 3 rated switches per EN954-1, TÜV functional safety approved to IEC61508. Featuring the latest generation of radio frequency identification (RFID) technology for coding and inductive technology for sensing, SensaGuard's large sensing range and tolerance to misalignment are cost effective for a wide range of industrial safety applications, Rockwell Automation says. Switches can be connected to a standard safety relay, for example, the MSR126, MSR127, MSR200/300 Family, SmartGuard and Safety I/O Blocks. There are multiple actuator sizes for large sensing distance. Features: multiple actuator sizes for large sensing distance (typically 15-25 mm); IP69K environmental rating; short circuit and over voltage protection; LED located on the switch for door status and troubleshooting; and 2 safety PNP outputs and 1 auxiliary PNP output. Rockwell Automation offers an online safety catalog.
Safe relay, more details
The MSR57 (more above) from Rockwell Automation monitors the speed of the motion through an encoder(s). It either monitors the encoder data already transmitting from the encoder to the drive or a new encoder can be installed and connected to the MSR57 independent of a drive.
Other MSR57 benefits include:
Versatility: Compatible with all PowerFlex, Kinetix and competitive drives
Encoder inputs: Supports all encoder types (Sin/Cos and TTL), except resolvers
Diagnostics and LEDs: Helps to identify a problem and reduce machine downtime
TÜV certified: For use in safety applications, up to SIL CL3 and Category 4
Faster Installation: Din rail mountable and removable terminal blocks
More on elevator safety
Five ways to safer industrial elevators, according to Tower Elevator Systems Inc. (TESI), are:
Positive Rack and Pinion Mechanical Connection, Engineered and Maintained to the A17.1 Elevator Code Requirement for an 8:1 Safety Factor at both the Drive and Safety Pinions.
Dual Drive and Safety Systems on all Trac-Cab Models provide redundancy, safety and efficiency.
UL Classified Elevator Control System based on Siemens Fail-Safe S7-300FS Safety PLC and ProfiSafe Network with Safety I/O.
Technically Advanced Speed and Position Control via precision Quadrature Encoder, the Siemens S7-300FS Safety PLC and the SEW MoviDrive VFD with Fail-Safe Technology. The encoder divides each revolution of the reel into 4,096 positions, representing 22.133 in. per revolution. Accuracy is less than 300,000th of an inch vertically. System health monitoring senses if there's trouble and if settings are moving, as opposed to prior or other systems that just say if there's a failure.
Independent Dual Rack and Pinion Safety System per the Code, actively monitored by the Safety PLC for Operational Condition and Activation. System is easily and remotely tested from the Ground Station HMI.
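The speed and position checks described in the article (actual speed compared with the expected speed, stops on a VFD fault or loss of motor or brake power, and the home sensor re-zeroing the count) can be sketched as follows. This is an added example, not TESI or Siemens code: the encoder figures come from the list above, while the tolerance value, the class and field names, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTS_PER_REV = 4096      # from the article: encoder positions per reel revolution
INCHES_PER_REV = 22.133    # from the article: travel per reel revolution
INCHES_PER_COUNT = INCHES_PER_REV / COUNTS_PER_REV

SPEED_TOLERANCE_IN_S = 2.0  # assumed tolerance band, inches per second


@dataclass
class Sample:
    dt_s: float                    # time since the previous sample
    encoder_count: Optional[int]   # None means no reading arrived this cycle
    commanded_in_s: float          # speed the drive was asked for (+ up, - down)
    vfd_ok: bool = True
    motor_power_ok: bool = True
    brake_power_ok: bool = True
    at_home_sensor: bool = False   # proximity sensor at the lower landing


class SpeedSupervisor:
    """Latching monitor: any failed check removes run permission until reset."""

    def __init__(self) -> None:
        self.run_permitted = True
        self.trip_reason: Optional[str] = None
        self.last_count: Optional[int] = None
        self.home_count = 0

    def position_in(self) -> Optional[float]:
        """Car height above the home sensor in inches, if known."""
        if self.last_count is None:
            return None
        return (self.last_count - self.home_count) * INCHES_PER_COUNT

    def check(self, s: Sample) -> Optional[str]:
        """Return a trip reason, or None when every check passes."""
        if not s.vfd_ok:
            return "vfd_fault"
        if not (s.motor_power_ok and s.brake_power_ok):
            return "power_interrupted"
        # Fail safe: a missing measurement is treated as a fault, not as "no change".
        if s.encoder_count is None or s.dt_s <= 0:
            return "encoder_missing"
        if s.at_home_sensor:
            self.home_count = s.encoder_count   # re-zero position at the landing
        reason = None
        if self.last_count is not None:
            speed = (s.encoder_count - self.last_count) * INCHES_PER_COUNT / s.dt_s
            if abs(speed - s.commanded_in_s) > SPEED_TOLERANCE_IN_S:
                reason = "speed_out_of_tolerance"
        self.last_count = s.encoder_count
        return reason

    def step(self, s: Sample) -> bool:
        reason = self.check(s)
        if reason is not None and self.run_permitted:
            self.run_permitted = False          # latch the first fault seen
            self.trip_reason = reason
        return self.run_permitted


def run(samples: List[Sample]) -> Tuple[bool, Optional[str], Optional[float]]:
    """Feed samples through a fresh supervisor; return (permitted, reason, position)."""
    sup = SpeedSupervisor()
    for s in samples:
        sup.step(s)
    return sup.run_permitted, sup.trip_reason, sup.position_in()


# Constructed sample data (not measurements from a real installation).
NORMAL = [Sample(0.1, 37, 0.0, at_home_sensor=True),
          Sample(0.1, 237, 10.0), Sample(0.1, 437, 10.0)]
DROPOUT = NORMAL + [Sample(0.1, None, 10.0), Sample(0.1, 637, 10.0)]
RUNAWAY = [Sample(0.1, 0, 0.0, at_home_sensor=True), Sample(0.1, 1000, 10.0)]
BRAKE_POWER_LOST = [Sample(0.1, 0, 0.0, brake_power_ok=False)]

if __name__ == "__main__":
    for name, data in [("normal", NORMAL), ("dropout", DROPOUT),
                       ("runaway", RUNAWAY), ("brake power", BRAKE_POWER_LOST)]:
        print(name, run(data))
```

In the dropout case the trip stays latched even though the next reading looks healthy, which is the behaviour that separates a fail-safe monitor from one that simply reports the latest value.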
Todd Grovatt, Tower Elevator president and chief operating officer, says the Profisafe network saves field wiring. Information provided on the human machine interface and at the ground station includes system conditions, speed, position, and diagnostic information on key elements.
Mark Burnett, TESI control systems manager, says, “We plan remote maintenance capabilities, where, with proper clearance, we'd dial into the system and be able to look at what's actually happening. If a car stops 500 feet up a chimney, the customer wants to get support and get back to work. Most systems don't offer instant support. Remotely, logs can be accessed, and data analyzed to see when things are starting to go bad. We would provide that on-request, as a situation requires. A maintenance contract would include ongoing support.”
Using sensor outputs, Grovatt explains, the HMI provides a graphical representation of the shaft and hoistway, where the car is and where it’s going, location of the landing stops, drive status info, emergency information, alarm messages if any. There's a telephone in the car, and a redundant ground station HMI showing full status information of the system health. “The dual interface points provide redundancy, allowing a technician to safely access powerful system diagnostic, status and testing information right from the ground. Another mechanical system, unique to the TESI rack and pinion design, is a hydraulic rescue lowering system. A fail-safe system applies spring-set brakes, which can be manually released, allowing a hydraulic speed governor to lower the car under a controlled reduced speed. Additionally, the Safety overspeed system is always active providing redundant protection, if for any reason the machine’s speed exceeds the preset limits.”
Burnett says the system shows every e-stop, door, door lock, and all system components, decreasing maintenance time since component time to failure can be shown. In traditional systems, the lowering function relies on the operator to "ride the brakes" down using a deadman lever, with instructions to stop every 10 meters to avoid overspeeding the car and damage to the brakes. The TESI rescue lowering system eliminates this potential hazard.
Grovatt says that per the elevator code, the overspeed safety system is tested every five years. The TESI design allows simple remote full functional testing and reporting, more redundancy, and self checking to look for anomalies, providing a higher level of assurance. A technician using the ground station interface can easily test the system without anyone in the car. The improved safety control system isn't significantly more expensive. And while code doesn't require these levels of protections, Titus noted that OSHA generally smiles on higher levels of protection… which, Burnett adds, often becomes code later. We're choosing this level of protection because it's the right thing to do, the international market favors it, plus it represents quality engineering, and significant care for customers.
Siemens Energy & Automation products involved include Siemens Simatic S7-300 Safety PLC Control System with Integrated Safety I/O. Siemens says its safety PLCs have a published probability of total error in 1 hour of continuous operation of less than 0.00000001129 (11.29 E-09). The controllers monitor themselves, detect faults autonomously, and immediately change into or remain in a safe mode when a fault occurs, Siemens says.
More comments, discussion, advice on safety
“You want to be sure that when everything goes wrong, the system always faults in a safe state,” explains Richard Galera, Rockwell Automation marketing manager for safety components. Sensing advancements add flexibility and create fewer nuisance trips from vibration, such as using radio frequency identification (RFID) with 20 mm range in place of more traditional door latches with 2-3 mm range, he says.
Dan Hornbeck, Rockwell Automation marketing development manager for safety, says safe design and safety systems support machine safety and productivity, creating a more holistic, supportive approach, changing the perception of safety as a hindrance. Safety sensors detect faults and stop the machine if needed. Technology is the enabler, Hornbeck says; efficiency should be considered, as a wider variety of sensing devices are available for use with safety applications. Improved diagnostics locates the fault location to restart the machine faster. Hornbeck says new safety products can incorporate safe speed and direction concepts that allow the machine to be controlled safely while running at a reduced speed. Based on the risk assessment, these products, combined with education, can operate machines at a safe, maintenance speed for certain procedures, rather than a full stop.
Simplicity is another important design principle, says Israel Alguindigue, automotive market manager, Sick Safety Systems Division. New safety devices are being designed to ensure simplicity of commissioning, configuring and troubleshooting. Resources on the factory floor are much more limited today than in the past; safety devices that are simple to use reduce time required to implement machine safety.
There are always the obvious differences of control reliability and redundancy that are built into the safety sensor to ensure its proper functioning, Alguindigue says. “Implementing safety in the past had a reputation for being cumbersome and inefficient. In many cases the operators of machines looked for ways to bypass safety to achieve production quotas. To ensure complete safety without compromising production, safety sensor manufacturers have had to design non-intrusive sensors that do not interfere with the operator's work, and flexible so that they allow the operator to accomplish complex tasks. New safety sensors are becoming more and more machine specific, so that they can accommodate intricacies of each machine and work processes.”
An integrated system can provide diagnostics information that can be used for implementing sound maintenance practices, Alguindigue says, and, more importantly, proactive and predictive maintenance programs. He explains, “The idea is to keep the factory floor up and running, and thus maximizing uptime. With the advent of safety networking, information about the health and status of a safety device can be made available in real time to anyone in a facility, not to mention the performance information about the machine that can often be collected by the safety sensor.”
Further, Alguindigue adds, “while the primary purpose of a safety sensor is to safeguard the operator of a machine, other information can be provided. For example, complex devices, such as press brake vision safety devices, can be used for verifying the shape and size of the bending tool, thickness of the material and the bending angle. The camera also can easily detect wavy or irregular material since it looks across the sheet of metal. Another example is safety laser scanners on board AGVs; the scanners are used for ensuring the safety of personnel and for navigation on AGVs and other factory vehicles. Yet another area is machine performance; safety sensors can provide vast amounts of information about the machine health.”
Helge Hornis, manager, Pepperl+Fuchs intelligent systems group, says in traditional hardwired solutions status indication is accomplished via non-safe auxiliary contacts that are connected to PLC inputs. Similarly, indicators (very common on e-stops and door interlocks) are driven by outputs on the PLC, and the same is true for interlocks with solenoids that are used to mechanically lock an access door during machine operation.
When utilizing safety networks, these additional non-safe operations are also performed via the network, which further reduces the number of leads that installers must terminate at the safe devices. For instance, in the case of AS-Interface Safety at Work, a Category 4, IP20 panel-mount e-stop switch with illumination has only 2 terminals, or a single M12 quick disconnect that does not require landing any wires, compared to 8 leads for a traditional hard-wired e-stop switch (4 for the safe function, 2 for the auxiliary contacts and 2 for illumination). Similar changes apply to other devices that are connected to AS-Interface Safety at Work.
Safety sensors, designed to fail in "the safe state," also are constructed redundantly, and allow or perform pulse testing, Hornis continues. Additionally, sensors used in safety system applications must undergo safety certification, a costly and time-consuming process.
A properly designed safety system will increase plant performance, Hornis says, because:
In addition to the human tragedy of an accident, any accident is a time consuming and costly occurrence.
Properly designed safety systems protect workers and manage machine access.
Access doors to a press, cutting machine or any other system that can be harmful, can be protected by a safe door switch.
Once the door is opened, a safety system actively stops the unsafe motion. While this is safe, it is not necessarily ideal. In many cases a solenoid-powered safe door interlock can keep workers from opening the door in the first place, which can reduce, if not eliminate, inadvertent process interruptions.
When a person requires access to the work cell, it is typical to "request access" by pushing a button. This input signal is used by the PLC to bring the machine to a controlled stop before allowing access by releasing the solenoid.
In addition to that mentioned above, Hornis says safety networks improve applications in several ways:
Diagnostics—typically networked safety devices not only transmit data that tells the safety controller to keep everything running (or to shut everything down); they also allow users to solve problems like welded contacts or even intermittent wire connections. For instance, in the case of AS-Interface Safety at Work it takes only one rung of PLC ladder to detect that a safe contact on an e-stop or magnetic door switch is welded, Hornis continues. An even bigger problem is detecting an intermittent loss of continuity with the safe input device. In the past (when using hard wired safety systems) nothing could be done. As soon as the intermittent connection resolved itself the machine could be restarted. The only way to fix this problem, short of testing and verifying every wire connection and termination point, was to wait for a "solid failure" of the intermittent connection. Now an ohm meter can be used. In Safety at Work, finding this type of problem is trivial as the capability is built into the system itself.
Zoning — zoning an application is a great way to improve productivity. Unfortunately, this is very difficult when using hardwired safety solutions, but is quite easy when a flexible safety network is used. With zoning engineers can apply safety in such a way that only the involved part of the system is transitioned into the safe state.
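The two diagnostics named above, a welded contact and an intermittent loss of continuity, can both be read from the timing of a dual-channel safe input. The following is an added example of generic discrepancy monitoring, not AS-Interface Safety at Work or Pepperl+Fuchs logic; the 100 ms discrepancy window, the event names and the sample readings are assumptions constructed for illustration.

```python
from typing import List, Tuple

DISCREPANCY_MS = 100  # assumed: longest time the two contacts may disagree

# One reading per scan: (time_ms, channel_a_closed, channel_b_closed).
# Both closed = safe to run; both open = stop demanded (e.g. e-stop pressed).
Reading = Tuple[int, bool, bool]
Event = Tuple[str, str, int]


def analyse(readings: List[Reading],
            discrepancy_ms: int = DISCREPANCY_MS) -> Tuple[bool, List[Event]]:
    """Return (run_permitted_after_last_reading, diagnostic_events)."""
    events: List[Event] = []
    latched = False      # a stuck contact blocks restart until repaired
    run = False
    before = False       # last state on which both channels agreed
    start = None         # time the current disagreement began
    open_chan = None     # which channel opened first in this disagreement
    reported = False
    for t, a, b in readings:
        if a == b:
            # Disagreement ended. If the pair went closed -> mismatch -> closed,
            # one channel dropped out and came back by itself: intermittent.
            if start is not None and not reported and a and before:
                events.append(("intermittent_open", open_chan, t - start))
            start, open_chan, reported = None, None, False
            before = a
            run = a and not latched
        else:
            now_open = "A" if not a else "B"
            if now_open != open_chan:
                start, open_chan, reported = t, now_open, False
            elif not reported and t - start > discrepancy_ms:
                # The partner contact never followed: it is stuck closed.
                closed = "B" if open_chan == "A" else "A"
                events.append(("stuck_closed", closed, t))
                latched, reported = True, True
            run = False  # any open channel stops the machine immediately
    return run, events


# Constructed sample sequences (not captured from real hardware).
T, F = True, False
NORMAL_PRESS = [(0, T, T), (10, F, T), (15, F, F), (800, F, F),
                (805, T, F), (810, T, T)]
WELDED_B = [(0, T, T), (10, F, T), (60, F, T), (120, F, T), (400, T, T)]
INTERMITTENT_A = [(0, T, T), (10, F, T), (20, T, T), (500, T, T)]

if __name__ == "__main__":
    for name, seq in [("normal press", NORMAL_PRESS), ("welded B", WELDED_B),
                      ("intermittent A", INTERMITTENT_A)]:
        print(name, analyse(seq))
```

The intermittent case ends with the machine allowed to run again, as in the hardwired situation the text describes, but the dropout is now recorded against a specific channel instead of disappearing.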
Mark T. Hoske is editor-in-chief. Reach him at MHoske@cfemedia.com.
A March 2008 Control Engineering safety article focused on two applications of safety controllers showing safety system integration: a fiery roller coaster and a beverage can installation. This May article takes the measure of sensors within machine safety systems, while an August article will look at how actuators are integrated. An April Webcast delivers five tips for process safety, and online in June you’ll find links to process safety whitepapers. In 2007, safety article topics included networked safety and safe motion, among others. For links to these resources and more on what’s mentioned here, visit
Sensors enable first safety relay to slow hazardous motion
The new Allen-Bradley MSR (Minotaur Safety Relay) 57 speed monitoring safety relay from Rockwell Automation is said to be the first of its kind designed to allow personnel to enter hazardous areas while motion is present. MSR57, available later this year, works with input devices (e-stops, light curtains, switches, and interlock switches) to stop motion, put the machine into safe speed upon verification, and monitor personnel in the hazardous area during safe speed conditions.
The MSR57 is configured and monitored via the same tools used to program standard drives (Drive Explorer or an HIM device). During configuration, the user can set a variety of parameters to specific application requirements, including type of input devices, door locking and monitoring, enabling switches and a maintenance (safe speed) mode. For instance, the MSR57 can help increase productivity by unlocking doors automatically when zero speed is detected. It supports a variety of drive applications, can be adapted to current installations with standard drives, or use the “Safe Off” feature on Allen-Bradley drives. (Online: See image and link to more info.)