Safety Application Controllers

The Safety Application Controller receives signals from a safety input device and controls whether the machine should be started or not.

(1) Safety Relay Units

A typical configuration for the operation control of machinery and equipment is shown in Fig. 1.

Non-safety-related Parts
The role of non-safety-related parts is to start and continue the operation of devices upon receiving an operate command signal from an automatic control system.
Safety-related Parts
The role of safety-related parts is to enable operation only when the safety of the machinery and equipment is confirmed.
Judging Function
The judging function sends an operate signal to a power control element only when it has judged that both the above-mentioned operate command
signal, which is sent from a non-safety-related part, and the safety check signal, which confirms the safety of the machinery, allow operation.
Judging Function Elements
The judging function cannot be created by simply combining multiple elements.
Its circuit must incorporate elements that will minimize risks caused by a failure in machinery or equipment. These circuit configuration elements typically include items 1 to 5 shown below.
Necessity of Safety Relay Units
It is possible to configure a safety-verified circuit by incorporating safety relays with forcibly guided contacts. However, this requires a certain level of
technology to configure the circuit and some expense for its certification. As a result, it has become general practice to use standard units that specialized
manufacturers have developed by incorporating safety relays. These are provided as a series of Safety Relay Units with proven functional safety.

When configuring a judging function circuit, it is necessary to consider mainly the following circuit configuration measures for minimizing risks caused by a failure in the system. (1) The use of proven circuit technology and components (2) Periodical implementation of functional tests (3) Redundancy (4) Single failure detection (5) Short-circuit protection detection

(2) Safety Application Controllers

Safety Relay Units are suited to simple relay sequence configurations for single input/single output applications. Advanced units with electronic or programmable control have been developed to handle complicated applications (with multiple inputs and outputs) that are difficult for simple relay sequences. Even in these advanced units, the following technologies ensure sufficient safety.

Dual CPUs
We pursued safety to the limit to deliver safety and reliability backed by the highest level of safety design and FMEA. Two CPU Units perform mutual checking and diagnostic monitoring of each I/O section, and the safety of operations is further verified by FMEA and process-controlled design and production.

Dual CPU Mechanism

Effective Functions

1. Logic Connections
For example, an AND condition is required for both partially stopping each module of a device and stopping the entire device. By making this AND logic into a function, it can be used in combinations to enable flexible response to even complicated applications.
- When the Emergency Stop Switch is pressed, the entire machine will stop.
- When a door is open, the corresponding part will not activate.

Logic AND connection

Doors

Emergency stop

Main door

Pallet changer door

Tool changer door

Open

Closed

Open

Closed

Open

Closed

System not operating

Power
shut OFF

Power ON

Power
shut OFF

Power ON

Power
shut OFF

Power ON

System operating

Power shut OFF

Power shut OFF

Power shut OFF

(2) Programmability

By creating safety programs, the designer can more flexibly handle complex applications. There are, however, four requirements for safety in programming safety circuits.

Preventing User Programming Errors
Safety functions (such as emergency stop buttons and two-hand operating buttons) are provided as verified function blocks to ensure safety at the function block level.
(The safety of the combination of function blocks must be verified to ensure final safety.)
Preventing Unexpected Operation from Incorrect Wiring
External wiring faults are detected, including incorrect wiring, ground faults, short circuits, and disconnection. Internal circuit faults are also detected.
Preventing Unintentional Settings
Checks are performed to ensure that the parameters input by the user are correctly transferred to and set in the devices before automatically enabling starting.
Preventing System Access Except by Administrators
Passwords are set for devices to allow only administrators to change parameters, operating modes, or others aspects of operation.

Connection diagram

(3) Networking

Creating networks for safety circuits enables applications that require distributing safety devices, as well as expansion of I/O capacity. The following four measures are taken in implementing safety circuit networks.

Cross-checking Communications Data (System Redundancy)
Redundancy is implemented for safety data by sending inverted data together with safety data to improve safety.
Special Check Code for Safety Data (Safety-CRC)
Check codes called Safety-CRC are attached to both the safety data and inverted data to ensure that any message corruption is detected.
IDs for Transmitters and Receivers
Safety devices have unique ID codes, which can be used by the devices to prevent incorrect data communications.
Data Time Management
Safety devices attach time stamps to the data they send. These are managed by the devices to ensure that communications are handled in a suitable timeframe and a suitable order to monitor for reversed or late communications data.

Networking diagram

Recommended Products

Programmable Safety Controller

G9SP

Configurable Safety Controller with flexible range suits any system.

Standstill Monitoring Unit

G9SX-SM

Sensor-less monitoring of standstill for machines with long inertia.