According to current international standards, machine control circuits can be divided into two main parts: the control circuit responsible for the machine's operating functions, and the control circuit that implements safety protection functions. This division has become a standard requirement in international standards (1), and entries related to "work protection" can also be found in the laws of many countries.

Different ways of thinking

Control circuits with safety functions (hereinafter also called "machine safety-related control parts" or "safety circuits") are distinguished from the control circuits that control the operation of the machine by essential and/or structural measures. They provide specialized protection against dangerous actions and other mechanical hazards that the machine poses to workers within the working range, and they also protect workers in the event of a malfunction. One aspect to be studied here is the machine stop command; the other is protection against the accidental start-up of the machine or machine parts.

Illustration 1: Basic structure of machine control

For the circuit structure that controls the normal operation of the machine, the focus of study is controllability (i.e., reliability), that is, whether the predictable tasks are carried out within a given time.

The structure of the control circuit that implements safety functions is concerned with protecting workers from unavoidable harm in the event of component failure and malfunction. In other words, safety must be ensured during the design of the safety-related machine control components. Even in the event of a malfunction, no harm to life or health is permitted.

A related question is what happens to machine control, in terms of personnel protection, in the following situations:
• Power outage
• Damaged cable
• Failure of structural components (of the same type), i.e., inability to open or close when given functional instructions to the machine
• Mechanical breakage, jamming, etc.

Only a few examples are given here. The annex to the standard IEC 13849-2 (2) provides a more comprehensive description of the malfunctions or malfunction probabilities under study.

The purpose of the design process should be to achieve, through appropriate measures, a control circuit with safety functions in which the possibility of malfunctions or disturbances that cause danger is minimized (3). How far this possibility must be reduced depends on the degree of danger.

Categories of Machine Control and Safety-Related Parts

In order to determine the additional measures to be taken according to the degree of risk, the technical requirements for safety function control circuits are divided into different "categories" from an economic and safety-technical perspective. In the standard ISO 13849-1 (4), for example, these are called control categories. They amount to 5 different safety, technical, and quality levels. A brief description is given below (5):

Control Category B: Safety-related parts and/or protective devices and components in the control must be constructed, manufactured, selected, assembled, and combined in accordance with relevant standards so that they withstand the anticipated effects.
Explanation: Components with functional and safety-technical characteristics and features should be used according to the recommendations of generally valid standards, such as IEC and ISO standards.

Control Category 1: The requirements in Category B must be met, and mature and reliable components and safety principles must be used.
Explanation: Reliable components are those that can withstand long-term use (proven in use), such as electromechanical switches; microprocessors are not considered reliable components. Reliable safety principles include, for example, the current stabilization principle in safety circuits, the forced disconnection contacts of switches or the forced operation relay contacts, protective contacts, etc.

Control Category 2: The requirements in Category B and the application of reliable safety principles must be met. Safety functions must be verified by the machine control at appropriate time intervals.
Explanation: This requires periodic verification of the specified functions. For example: before starting the machine at the beginning of each shift, the protective cover should be opened and then closed before production can begin; this should become a conscious practice. There are differing opinions among experts regarding the length of the inspection cycle.

Common interpretation of Categories B, 1, and 2: These control categories are generally single-channel structures. That is, personnel may be injured if interference or a malfunction occurs during machine operation.

Control Category 3: The requirements of Category B and the application of reliable safety principles must be met; a fault in any component should not lead to the failure of safety functions. If possible, appropriate methods should be used to identify faults.
Explanation: This relates to the single-fault safety requirements already discussed. That is, starting with Control Category 3, safety circuits are generally redundant structures, i.e., dual-channel. If one of the two channels experiences interference or a fault, the second channel assumes the safety function, or the circuit is broken because of the conflict between the two channels. In principle, Control Category 3 involves logical comparisons for fail-safe operation. Hidden faults should be identified no later than the next machine start-up, and the machine should be locked to prevent restarting.

Control Category 4: The requirements of Category B and the application of reliable safety principles must be met. A single fault in any component must not lead to the failure of the safety function, and the fault must be identified when the safety function is next carried out or before it. If this is not possible, an accumulation of faults must not lead to the failure of the safety function.
Explanation: The single-fault safety requirement applies here as well, but all potentially hidden faults must be identifiable. That is, the fault identification measures in Control Category 4 are much stricter, to the point of also covering the accumulation of faults. In addition, regular and frequent inspections of the safety circuit are very effective measures.

Risk Assessment According to ISO 13849-1

The selection and use of control categories depends on risk assessment. An auxiliary tool available for risk assessment is the so-called risk map (6). As published in the annex to ISO 13849-1, risk assessments must be conducted based on the following parameters:
- Degree of harm (S)
- Frequency and/or location of danger (F)
- Probability of avoiding the danger (P)

The illustration below shows how the parameters S, F, and P are combined, based on the understanding and assessment of these parameters, to classify risk levels and assign them to control categories B through 4. Higher risk levels require more stringent protective measures to control the hazard.

Illustration 2: ISO 13849-1 Risk Diagram

S Severity of Injury
- S1 Minor (generally recoverable) injury
- S2 Severe (generally irreversible) injury, including death

F Frequency and/or Persistence of Hazard Occurrence
- F1 Rare to frequent and/or intermittent occurrence
- F2 Frequent to persistent and/or enduring occurrence

P Probability of Avoiding Hazard
- P1 Possible under certain conditions
- P2 Unlikely

B, 1 to 4: Control categories for the safety-related parts of the control

The above risk assessment always relates to the safety circuit, which consists of signal transmitters, safety sensors, control logic, and actuators.

Illustration 3: Safety Circuit Structure

Safety-Relay-Component

Given that there is no significant cost difference between control categories 2, 3, and 4, and especially to simplify planning and data logic as much as possible, the logic section of safety circuits now generally adopts a safety-relay-component approach.

Illustration 4: Example of a safety relay-assembly manufactured by the Schmersal Group

Safety relay-assemblies are the connecting link between the safety sensor technology layer and the safety actuator layer of the machine control. This logical connection enables safety technology at both the input and output ends. These devices are manufactured to be fail-safe according to safety technology requirements, meaning they are designed for limited circuit failures. The housing is openable and allows for direct installation, meeting the requirements of ISO 13849-1 Category 4.

The direct-installation construction of safety relay-assemblies allows for easy and space-saving installation in machine cabinets. This saves significant wiring time and avoids errors in the safety circuit design phase, reducing the time spent on troubleshooting and error finding. Furthermore, these relays are sold with certificates of inspection from reputable testing institutions, providing consumers with peace of mind.
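
The dual-channel behaviour required from Control Category 3 upward (a single fault must not defeat the safety function, and a hidden fault must block the next start) can be modelled in a few lines. This is an added example, not part of the original article or of any manufacturer's design; the class names, the `welded` fault flag and the scenario are constructed for illustration, and K2/K3 follow the channel-relay designations used under Circuit Technology.

```python
from dataclasses import dataclass

@dataclass
class ForcedRelay:
    """Relay with forced-action contacts: NO and NC are never closed together."""
    energized: bool = False
    welded: bool = False          # constructed fault: NO contact stuck closed

    @property
    def no_closed(self) -> bool:  # normally-open contact in the enable path
        return self.energized or self.welded

    @property
    def nc_closed(self) -> bool:  # normally-closed contact in the feedback loop
        return not self.no_closed

class DualChannelRelay:
    """Two channel relays (K2, K3) whose NO contacts are wired in series."""
    def __init__(self):
        self.k2, self.k3 = ForcedRelay(), ForcedRelay()

    def output_enabled(self) -> bool:
        return self.k2.no_closed and self.k3.no_closed

    def start(self, ch_a: bool, ch_b: bool) -> bool:
        # Start-up check: both inputs closed AND the feedback loop proves that
        # both relays really dropped out since the last stop.
        feedback_ok = self.k2.nc_closed and self.k3.nc_closed
        if ch_a and ch_b and feedback_ok:
            self.k2.energized = self.k3.energized = True
        return self.output_enabled()

    def update(self, ch_a: bool, ch_b: bool) -> bool:
        # Each input channel can only drop its own relay; re-energizing
        # always goes through start().
        if not ch_a:
            self.k2.energized = False
        if not ch_b:
            self.k3.energized = False
        return self.output_enabled()

def weld_scenario() -> list:
    relay = DualChannelRelay()
    running = relay.start(True, True)      # normal start
    relay.k2.welded = True                 # hidden single fault while running
    stopped = relay.update(False, False)   # guard opened: K3 still stops the machine
    restart = relay.start(True, True)      # feedback loop open: restart is refused
    return [running, stopped, restart]

if __name__ == "__main__":
    print(weld_scenario())
```

A single `ForcedRelay` used on its own with the same welded contact keeps its enable path closed after the stop command, which is the single-channel weakness noted for Categories B, 1, and 2.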

Depending on the external wiring connected to the input and output ends, all types of safety circuits can be implemented; only the "weakest link in the circuit" determines the level of safety achieved. In other words, a single-channel input circuit combined with a safety-relay-component conforming to control category 4 generally only achieves category 2, or even category 1, rather than category 4, but adding "troubleshooting" at the input and output is permissible. That is, depending on the application, it is permissible to select components beyond the category requirements or to take additional measures to troubleshoot faults or interference.

Circuit Technology

Safety-relay-component circuits are implemented using so-called 2- or 3-relay techniques, depending on the task. The 3-relay technique means that the circuit has its own starting relay (K1), which operates independently through the starting circuit and drives channel relays K2 and K3. The 2-relay technique differs in that the circuit's start-up does not go through its own starting relay. More precisely, the power distribution process begins during the activation of the self-holding functions of the two distribution relays.

While these two types of circuits do not differ in terms of safety technology, they differ in function. For example, the start-up detection or the processing of feedback signals during start-up required in control categories 2 and 4 can only be achieved with a 3-relay circuit.

All safety relays in the application have forced-action contacts. In terms of construction, most relays operate on the principle of the rotating armature, and some operate on the principle of the pivot armature.

Illustration 5: Example of implementation of graded protection measures, control category 3. Structure:
1. Two contacts, at least one of which is definitely open.
2. Protection class of contactor/relay IP54.
3. Use general-purpose sheathed wire for lead wire.
4. The coil of contactor/relay and the coil of control circuit share a common ground.

Illustration 6: Example of implementation of graded protection measures, control category 4. Structure:
1. Control category 3 as described above.
2. Wiring of switching signals: sheathed wires should be wired separately, or the line should have short-circuit and cross identification or use a "special shielded cable".
3. Power-on detection.

___________
(1) See ISO 12100-1/-2: Safety of machines - basic concepts/general structural principles.
(2) IEC 13849-2: Safety-related components in machine control - Part 2: Verification.
(3) Compare IEC 60204-1:1997, section 9.4.1: Control functions/general requirements in failure.
(4) IEC 13849-1: Safety-related components in machine control - Part 1: General structural principles. This is the currently valid text, and the requirements in the standard known as the implementation level are being drafted. Other similar safety standards include IEC 61508: Electrical/electronic/programmable systems with safety functions.
(5) Detailed information is available in both parts of standard ISO 13849 and other documents, and relevant information is also available from all well-known manufacturers of machine safety components.
(6) For complex machines and processing systems, the question of whether to install a programmable system with safety functions may arise.