Suitable interlocks shall be provided to secure correct sequential starting.

In the case of machines requiring the use of more than one control station to initiate a start, each of these control stations shall have a separate manually actuated start control device. The conditions to initiate a start shall be:

  • all required conditions for machine operation shall be met, and

  • all start control devices shall be in the released (off) position, then

  • all start control devices shall be actuated concurrently (see 3.6).

Stop

Stop category 0 and/or stop category 1 and/or stop category 2 stop functions shall be provided as indicated by the risk assessment and the functional requirements of the machine (see 4.1).

NOTE The supply disconnecting device (see 5.3) when operated achieves a stop category 0.

Stop functions shall override related start functions (see 9.2.5.2).

Where required, facilities to connect protective devices and interlocks shall be provided. If such a protective device or interlock causes a stop of the machine, it may be necessary for that condition to be signalled to the logic of the control system. The reset of the stop function shall not initiate any hazardous situation.

Where more than one control station is provided, stop commands from any control station shall be effective when required by the risk assessment of the machine.

Emergency operations (emergency stop, emergency switching off)

General

This part of IEC 60204 specifies the requirements for the emergency stop and the emergency switching off functions of the emergency operations listed in Annex E, both of which are, in this part of IEC 60204, initiated by a single human action.

Once active operation of an emergency stop (see 10.7) or emergency switching off (see 10.8) actuator has ceased following a command, the effect of this command shall be sustained until it is reset. This reset shall be possible only by a manual action at that location where the command has been initiated. The reset of the command shall not restart the machinery but only permit restarting.

It shall not be possible to restart the machinery until all emergency stop commands have been reset. It shall not be possible to reenergize the machinery until all emergency switching off commands have been reset.

NOTE Emergency stop and emergency switching off are complementary protective measures that are not primary means of risk reduction for hazards (for example trapping, entanglement, electric shock or burn) at a machine (see ISO 12100 (all parts)).

Emergency stop

Principles for the design of emergency stop equipment, including functional aspects, are given in ISO 13850.

The emergency stop shall function either as a stop category 0 or as a stop category 1 (see 9.2.2). The choice of the stop category of the emergency stop depends on the results of a risk assessment of the machine.

In addition to the requirements for stop (see 9.2.5.3), the emergency stop function has the following requirements:

  • it shall override all other functions and operations in all modes;

  • power to the machine actuators that can cause a hazardous situation(s) shall be either removed immediately (stop category 0) or shall be controlled in such a way to stop the hazardous motion as quickly as possible (stop category 1) without creating other hazards;

  • reset shall not initiate a restart.
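The following Python model is added here as an illustration of the latching and reset behaviour required in the General and Emergency stop subclauses above; it is not code from IEC 60204-1, and the actuator location names are constructed.

```python
class EmergencyStopCircuit:
    """Latched emergency stop commands from several actuator locations.

    Constructed model of the behaviour required above: a command stays in
    force after the actuator is released, can be reset only at the location
    that issued it, the reset never restarts the machine, and no start is
    accepted until every command has been reset.
    """

    def __init__(self, locations):
        # one latch per emergency stop actuator location (constructed names)
        self.latched = {loc: False for loc in locations}
        self.running = False

    def _check(self, location):
        if location not in self.latched:
            raise KeyError(f"unknown emergency stop location {location!r}")

    def actuate(self, location):
        """Emergency stop actuator operated: stop now and latch the command."""
        self._check(location)
        self.latched[location] = True
        self.running = False          # stop overrides every other function
        return self.running

    def reset(self, location):
        """Manual reset at one location clears that location's latch only."""
        self._check(location)
        self.latched[location] = False
        return self.running           # reset never restarts: still stopped

    def restart_permitted(self):
        return not any(self.latched.values())

    def start(self):
        """Separate start action; refused while any command is latched."""
        if self.restart_permitted():
            self.running = True
        return self.running

    def latched_locations(self):
        """What an operator panel should indicate before a restart is attempted."""
        return sorted(loc for loc, on in self.latched.items() if on)


def demo():
    """Two actuators operated; resetting only one must not allow a restart."""
    es = EmergencyStopCircuit(["loading side", "unloading side"])
    es.start()
    es.actuate("loading side")
    es.actuate("unloading side")
    es.reset("loading side")
    after_one_reset = es.start()          # False: unloading side still latched
    es.reset("unloading side")
    after_both_reset = es.running         # False: reset does not restart
    return after_one_reset, after_both_reset, es.start()
```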

Emergency switching off

The functional aspects of emergency switching off are given in 536.4 of IEC 60364-5-53.

Emergency switching off should be provided where:

  • protection against direct contact (for example with conductor wires, conductor bars, slip-ring assemblies, controlgear in electrical operating areas) is achieved only by placing out of reach or by obstacles (see 6.2.6); or

  • there is the possibility of other hazards or damage caused by electricity.

Emergency switching off is accomplished by switching off the relevant incoming supply by electromechanical switching devices, effecting a stop category 0 of machine actuators connected to this incoming supply. When a machine cannot tolerate this stop category 0 stop, it may be necessary to provide other measures, for example protection against direct contact, so that emergency switching off is not necessary.

Monitoring of command actions

Movement or action of a machine or part of a machine that can result in a hazardous situation shall be monitored by providing, for example, overtravel limiters, motor overspeed detection, mechanical overload detection or anti-collision devices.

NOTE On some manually controlled machines, operators provide monitoring.

Other control functions

Hold-to-run controls

Hold-to-run controls shall require continuous actuation of the control device(s) to achieve operation.

NOTE Hold-to-run control can be accomplished by two-hand control devices.

Two-hand control

Three types of two-hand control are defined in ISO 13851, the selection of which is determined by the risk assessment. These shall have the following features:

Type I: this type requires:

  • the provision of two control devices and their concurrent actuation by both hands;

  • continuous concurrent actuation during the hazardous situation;

  • machine operation shall cease upon the release of either one or both of the control devices when hazardous situations are still present.

A Type I two-hand control device is not considered to be suitable for the initiation of hazardous operation.

Type II: a Type I control requiring the release of both control devices before machine operation can be reinitiated.

Type III: a Type II control requiring concurrent actuation of the control devices as follows:

  • it shall be necessary to actuate the control devices within a certain time limit of each other, not exceeding 0,5 s;

  • where this time limit is exceeded, both control devices shall be released before machine operation can be initiated.
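As an added illustration (not part of ISO 13851 or of this standard), the Type III behaviour described above, including the 0,5 s limit and the release-both requirement inherited from Type II, can be modelled in Python; the device names and event timings are constructed.

```python
from dataclasses import dataclass, field

WINDOW_S = 0.5   # Type III: both devices actuated within 0,5 s of each other


@dataclass
class TwoHandTypeIII:
    """Type III two-hand control logic (constructed model, not ISO 13851 text).

    Output is true only while both devices are held (Type I), a new cycle
    needs both released first (Type II), and the two actuations must fall
    within WINDOW_S of each other or both must be released and tried again.
    """
    pressed_at: dict = field(default_factory=lambda: {"left": None, "right": None})
    output: bool = False        # machine operation permitted
    locked_out: bool = False    # both devices must be released to re-arm

    def press(self, hand, t):
        if self.pressed_at[hand] is None:      # ignore repeated press events
            self.pressed_at[hand] = t
        return self._evaluate()

    def release(self, hand, t):
        self.pressed_at[hand] = None
        return self._evaluate()

    def _evaluate(self):
        held = [t for t in self.pressed_at.values() if t is not None]
        if len(held) < 2:
            # release of either device stops operation immediately; a cycle
            # that was running (or failed) re-arms only once both are released
            if self.output:
                self.locked_out = True
            self.output = False
            if not held:
                self.locked_out = False
            return False
        if self.output:                         # already running, keep going
            return True
        if self.locked_out:                     # waiting for release of both
            return False
        if abs(held[0] - held[1]) <= WINDOW_S:
            self.output = True
        else:
            self.locked_out = True              # too slow: release both first
        return self.output


def run(events):
    """Apply (t, hand, action) events in order; return the output after each.
    Events are a constructed sample; action is 'press' or 'release'."""
    ctl = TwoHandTypeIII()
    return [getattr(ctl, action)(hand, t) for t, hand, action in events]
```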

Enabling control

Enabling control (see also 10.9) is a manually activated control function interlock that:

  1. when activated allows a machine operation to be initiated by a separate start control, and

  2. when de-activated:

  • initiates a stop function, and

  • prevents initiation of machine operation.

Enabling control shall be so arranged as to minimize the possibility of defeating, for example by requiring the de-activation of the enabling control device before machine operation may be reinitiated. It should not be possible to defeat the enabling function by simple means.

Combined start and stop controls

Push-buttons and similar control devices that, when operated, alternately initiate and stop motion shall only be provided for functions which cannot result in a hazardous situation.

Cableless control

General

This subclause deals with the functional requirements of control systems employing cableless (for example radio, infra-red) techniques for transmitting commands and signals between a machine control system and operator control station(s).

NOTE Some of these application and system considerations can also be applicable to control functions employing serial data communication techniques where the communications link uses a cable (for example coaxial, twisted-pair, optical fibre).

Means shall be provided to readily remove or disconnect the power supply of the operator control station (see also 9.2.7.3).

Means (for example key operated switch, access code) shall be provided, as necessary, to prevent unauthorized use of the operator control station.

Each operator control station shall carry an unambiguous indication of which machine(s) is (are) intended to be controlled by that operator control station.

Control limitation

Measures shall be taken to ensure that control commands:

  • affect only the intended machine;

  • affect only the intended functions.

Measures shall be taken to prevent the machine from responding to signals other than those from the intended operator control station(s).

Where necessary, means shall be provided so that the machine can only be controlled from operator control stations in one or more predetermined zones or locations.

Stop

Operator control stations shall include a separate and clearly identifiable means to initiate the stop function of the machine or of all the operations that can cause a hazardous situation. The actuating means to initiate this stop function shall not be marked or labelled as an emergency stop device, even though the stop function initiated on the machine can fulfil an emergency stop function.

A machine which is equipped with cableless control shall have a means of automatically initiating the stopping of the machine and of preventing a potentially hazardous operation, in the following situations:

  • when a stop signal is received;

  • when a fault is detected in the cableless control system;

  • when a valid signal (which includes a signal that communication is established and maintained) has not been detected within a specified period of time (see Annex B), except when a machine is executing a pre-programmed task taking it outside the range of the cableless control where no hazardous situation can occur.

Use of more than one operator control station

Where a machine has more than one operator control station, including one or more cableless control stations, measures shall be provided to ensure that only one of the control stations can be enabled at a given time. An indication of which operator control station is in control of the machine shall be provided at suitable locations as determined by the risk assessment of the machine.

Exception: a stop command from any one of the control stations shall be effective when required by the risk assessment of the machine.
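As an added illustration of the cableless stop conditions and the single-station-in-control rule above (not code from the standard), this Python class supervises command frames from operator control stations on the machine side; the station identifiers, machine identifier, frame commands and supervision time are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CablelessSupervisor:
    """Machine-side supervision of cableless operator control stations.

    Constructed model of the requirements above: frames are accepted only
    from paired stations addressed to this machine, one station at a time
    holds control, a stop or fault from any paired station is effective,
    and absence of a valid signal for longer than timeout_s stops the machine.
    Station and machine identifiers are constructed sample values.
    """
    machine_id: str
    paired_stations: frozenset
    timeout_s: float                 # supervision period from the risk assessment
    active_station: str = None       # shown on the machine as the station in control
    last_valid_at: float = None
    running: bool = False
    log: list = field(default_factory=list)

    def frame(self, t, station, machine, command):
        """Handle one received command frame; returns the running state."""
        if station not in self.paired_stations or machine != self.machine_id:
            self.log.append(f"{t:.1f}s ignored {command} from {station} to {machine}")
            return self.running
        if command in ("STOP", "FAULT"):
            self._stop(t, f"{command} from {station}")      # effective from any station
        elif command == "TAKE_CONTROL":
            if self.active_station in (None, station):
                self.active_station = station
                self.last_valid_at = t
            else:
                self.log.append(f"{t:.1f}s {station} refused: {self.active_station} in control")
        elif command == "RELEASE_CONTROL" and station == self.active_station:
            self._stop(t, f"{station} released control")
            self.active_station = None
        elif command in ("HEARTBEAT", "RUN") and station == self.active_station:
            self.last_valid_at = t              # communication established and maintained
            if command == "RUN":
                self.running = True
        return self.running

    def tick(self, t):
        """Periodic watchdog check: no valid signal within timeout_s -> stop."""
        if (self.running and self.last_valid_at is not None
                and t - self.last_valid_at > self.timeout_s):
            self._stop(t, "no valid signal within supervision time")
        return self.running

    def _stop(self, t, reason):
        self.running = False
        self.log.append(f"{t:.1f}s STOP: {reason}")
```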

Battery-powered operator control stations

A variation in the battery voltage shall not cause a hazardous situation. If one or more potentially hazardous motions are controlled using a battery-powered cableless operator control station, a clear warning shall be given to the operator when a variation in battery voltage exceeds specified limits. Under those circumstances, the cableless operator control station shall remain functional long enough for the operator to put the machine into a non-hazardous situation.

Protective interlocks

Reclosing or resetting of an interlocking safeguard

The reclosing or resetting of an interlocking safeguard shall not initiate hazardous machine operation.

NOTE Requirements for interlocking guards with a start function (control guards) are given in 5.3.2.5 of ISO 12100-2.

Exceeding operating limits

Where an operating limit (for example speed, pressure, position) can be exceeded leading to a hazardous situation, means shall be provided to detect when a predetermined limit(s) is exceeded and initiate an appropriate control action.

Operation of auxiliary functions

The correct operation of auxiliary functions shall be checked by appropriate devices (for example pressure sensors).

Where the non-operation of a motor or device for an auxiliary function (for example lubrication, supply of coolant, swarf removal) can cause a hazardous situation, or cause damage to the machine or to the work in progress, appropriate interlocking shall be provided.

Interlocks between different operations and for contrary motions

All contactors, relays, and other control devices that control elements of the machine and that can cause a hazardous situation when actuated at the same time (for example those which initiate contrary motion), shall be interlocked against incorrect operation.

Reversing contactors (for example those controlling the direction of rotation of a motor) shall be interlocked in such a way that in normal service no short circuit can occur when switching.

Where, for safety or for continuous operation, certain functions on the machine are required to be interrelated, proper co-ordination shall be ensured by suitable interlocks. For a group of machines working together in a co-ordinated manner and having more than one controller, provision shall be made to co-ordinate the operations of the controllers as necessary.

Where a failure of a mechanical brake actuator can result in the brake being applied when the associated machine actuator is energized and a hazardous situation can result, interlocks shall be provided to switch off the machine actuator.

Reverse current braking

Where braking of a motor is accomplished by current reversal, measures shall be provided to prevent the motor starting in the opposite direction at the end of braking where that reversal can cause a hazardous situation or damage to the machine or to the work in progress. For this purpose, a device operating exclusively as a function of time is not permitted.

Control circuits shall be so arranged that rotation of a motor shaft, for example manually, shall not result in a hazardous situation.

Control functions in the event of failure

General requirements

Where failures or disturbances in the electrical equipment can cause a hazardous situation or damage to the machine or to the work in progress, appropriate measures shall be taken to minimize the probability of the occurrence of such failures or disturbances. The required measures and the extent to which they are implemented, either individually or in combination, depend on the level of risk associated with the respective application (see 4.1).

The electrical control circuits shall have an appropriate level of safety performance that has been determined from the risk assessment at the machine. The requirements of IEC 62061 and/or ISO 13849-1, ISO 13849-2 shall apply.

Measures to reduce those risks include but are not limited to:

  • protective devices on the machine (for example interlocking guards, trip devices);

  • protective interlocking of the electrical circuit;

  • use of proven circuit techniques and components (see 9.4.2.1);

  • provision of partial or complete redundancy (see 9.4.2.2) or diversity (see 9.4.2.3);

  • provision for functional tests (see 9.4.2.4).

Where memory retention is achieved for example, by battery power, measures shall be taken to prevent hazardous situations arising from failure or removal of the battery.

Means shall be provided to prevent unauthorized or inadvertent memory alteration by, for example, requiring the use of a key, access code or tool.

Measures to minimize risk in the event of failure

Use of proven circuit techniques and components

These measures include but are not limited to:

  • bonding of control circuits to the protective bonding circuit for functional purposes (see 9.4.3.1 and Figure 2);

  • connection of control devices in accordance with 9.4.3.1;

  • stopping by de-energizing (see 9.2.2);

  • the switching of all control circuit conductors to the device being controlled (see 9.4.3.1);

  • switching devices having direct opening action (see IEC 60947-5-1);

  • circuit design to reduce the possibility of failures causing undesirable operations.

Provision of partial or complete redundancy

By providing partial or complete redundancy, it is possible to minimize the probability that one single failure in the electrical circuit can result in a hazardous situation. Redundancy can be effective in normal operation (on-line redundancy) or designed as special circuits that take over the protective function (off-line redundancy) only where the operating function fails.

Where off-line redundancy which is not active during normal operation is provided, suitable measures shall be taken to ensure that those control circuits are available when required.

Provision of diversity

The use of control circuits having different principles of operation, or using different types of components or devices can reduce the probability of hazards resulting from faults and/or failures. Examples include:

  • the combination of normally open and normally closed contacts operated by interlocking guards;

  • the use of different types of control circuit components in the circuit;

  • the combination of electromechanical and electronic equipment in redundant configurations.

The combination of electrical and non-electrical systems (for example mechanical, hydraulic, pneumatic) may perform the redundant function and provide the diversity.

Provision for functional tests

Functional tests may be carried out automatically by the control system, or manually by inspection or tests at start-up and at predetermined intervals, or a combination as appropriate (see also 17.2 and 18.6).

Protection against maloperation due to earth faults, voltage interruptions and loss of circuit continuity

Earth faults

Earth faults on any control circuit shall not cause unintentional starting, potentially hazardous motions, or prevent stopping of the machine.

Methods to meet these requirements include but are not limited to the following:

Method a) Control circuits, fed by control transformers:

  1. In the case of earthed control circuit supplies, the common conductor is connected to the protective bonding circuit at the point of supply. All contacts, solid-state elements etc. that are intended to operate an electromagnetic or other device (for example a relay or indicator light) are inserted between one side of the control circuit supply (the switched conductor) and one terminal of the coil or device. The other terminal of the coil or device (preferably always having the same marking) is connected directly to the common conductor of the control circuit supply without any switching elements (see Figure 3).

Exception: Contacts of protective devices may be connected between the common conductor and the coils, provided that:

  • the circuit is interrupted automatically in the event of an earth fault, or

  • the connection is very short (for example in the same enclosure) so that an earth fault is unlikely (for example overload relays).

  2. Control circuits fed from a control transformer and not connected to the protective bonding circuit, having the same arrangement as shown in Figure 3 and provided with a device that interrupts the circuit automatically in the event of an earth fault (see also 7.2.4).

Method b) Control circuits fed from a control transformer with a centre-tapped winding, this centre tap connected to the protective bonding circuit, arranged as shown in Figure 4 with the overcurrent protective device having switching elements in all control circuit supply conductors.

NOTE 1 On a centre-tapped earthed control circuit, the presence of one earth fault can leave 50 % voltage on a relay coil. In this condition, a relay can hold on, resulting in inability to stop a machine.

NOTE 2 Coils or devices may be switched on either or both sides.

Method c) Where the control circuit is not fed from a control transformer and is either:

  1. directly connected between the phase conductors of an earthed supply, or

  2. directly connected between the phase conductors or between a phase conductor and a neutral conductor of a supply that is not earthed or is earthed through a high impedance,

multi-pole control switches that switch all live conductors are used for START or STOP of those machine functions that can cause a hazardous situation or damage to the machine in the event of unintentional starting or failure to stop, or, in the case of c) 2), a device shall be provided that interrupts the circuit automatically in the event of an earth fault.

Figure 3 - Method a) (figure not reproduced)

Figure 4 - Method b) (figure not reproduced; label in figure: Overcurrent protective device (see 7.2.4))


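The fail-safe argument behind Method a) and NOTE 1 to Method b) can be checked with a small single-earth-fault model, added here as an illustration rather than taken from the standard; the node names, the 24 V supply and a relay assumed to hold at 50 % of its rated voltage are constructed assumptions.

```python
"""Single-earth-fault analysis of control-circuit arrangements.

Constructed model (not an IEC circuit and not a circuit simulator): wire
segments are named nodes; plain wires, closed switches and the earth fault
are zero-impedance links; supply nodes have fixed potentials and PE is 0 V.
"""


def _union_find(links):
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in links:
        parent[find(a)] = find(b)
    return find


def analyse(circuit, closed, fault_node=None):
    """Coil state with the named switches closed and at most one earth fault.
    Returns ("TRIP" | "ON" | "OFF", volts across the coil)."""
    links = list(circuit["wires"]) + [circuit["switches"][s] for s in closed]
    if fault_node is not None:
        links.append((fault_node, "PE"))        # the single earth fault
    find = _union_find(links)
    potential = {}
    for node, volts in {**circuit["supply"], "PE": 0.0}.items():
        g = find(node)
        if g in potential and potential[g] != volts:
            return "TRIP", 0.0      # two potentials tied together: short circuit,
                                    # the overcurrent protective device opens
        potential[g] = volts
    a, b = circuit["coil"]
    ga, gb = find(a), find(b)
    if ga == gb or ga not in potential or gb not in potential:
        return "OFF", 0.0           # terminals tied together, or one side floating
    volts = abs(potential[ga] - potential[gb])
    return ("ON" if volts >= circuit["hold_volts"] else "OFF"), volts


# Method a) item 1): earthed common conductor C, switch S in the switched
# conductor, coil terminal A2 wired straight to C (the Figure 3 arrangement).
METHOD_A = {"supply": {"L": 24.0}, "wires": [("C", "PE"), ("A2", "C")],
            "switches": {"S": ("L", "A1")}, "coil": ("A1", "A2"), "hold_volts": 12.0}
# The same relay with the switch wrongly placed in the common conductor.
SWITCHED_COMMON = {"supply": {"L": 24.0}, "wires": [("C", "PE"), ("L", "A1")],
                   "switches": {"S": ("A2", "C")}, "coil": ("A1", "A2"), "hold_volts": 12.0}
# Method b): centre-tapped winding with the centre tap earthed; the coil is
# switched on one side only (NOTE 2) so that the NOTE 1 case can be seen.
METHOD_B_ONE_SIDE = {"supply": {"L1": 12.0, "L2": -12.0}, "wires": [("A2", "L2")],
                     "switches": {"S": ("L1", "A1")}, "coil": ("A1", "A2"), "hold_volts": 12.0}


def single_fault_survey(circuit, closed):
    """Coil state with no fault and with an earth fault at each coil terminal."""
    return {fault: analyse(circuit, closed, fault) for fault in (None,) + circuit["coil"]}
```

With the switch open, an earth fault at A1 leaves the Method a) coil de-energized and trips the supply if the switch is then closed, whereas the same fault in the switched-common arrangement energizes the coil past the open switch, and in the one-side-switched centre-tapped circuit leaves 12 V on the coil, which holds the relay.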

Voltage interruptions

The requirements detailed in 7.5 shall apply.

Where the control system uses a memory device(s), proper functioning in the event of power failure shall be ensured (for example by using a non-volatile memory) to prevent any loss of memory that can result in a hazardous situation.

Loss of circuit continuity

Where the loss of continuity of safety-related control circuits depending upon sliding contacts can result in a hazardous situation, appropriate measures shall be taken (for example by duplication of the sliding contacts).

10 Operator interface and machine-mounted control devices

General

General device requirements

This Clause contains requirements for devices mounted outside or partially outside control enclosures.

As far as is practicable, those devices shall be selected, mounted, and identified or coded in accordance with relevant parts of IEC 61310.

The possibility of inadvertent operation shall be minimized by, for example, positioning of devices, suitable design, provision of additional protective measures. Particular consideration shall be given to the selection, arrangement, programming and use of operator input devices such as touchscreens, keypads and keyboards, for the control of hazardous machine operations. See IEC 60447.