GB 16655-1996 Basic requirements for the safety of industrial automation systems and integrated manufacturing systems

Basic information

Standard ID: GB 16655-1996
Standard name: Basic requirements for the safety of industrial automation systems and integrated manufacturing systems
Chinese name: 工业自动化系统 集成制造系统安全的基本要求
Standard category: National standard (GB)
Status: in force
Date of release: 1996-01-02
Date of implementation: 1997-07-01

Standard classification number

ICS number: Mechanical manufacturing >> Industrial automation systems >> 25.040.01 Industrial automation systems in general
Chinese classification number: Electronic components and information technology >> Information processing technology >> L70 Information processing technology in general

Associated standards

Replacement: replaced by GB 16655-2008
Adoption status: = ISO 11161 (equivalent)

Publication information

Publisher: China Standards Press
ISBN: 155066.1-14055
Publication date: 2004-04-11

Other information

Release date: 1996-12-17
Review date: 2004-10-14
Drafting unit: Beijing Machinery Industry Automation
Technical committee: National Industrial Automation System and Integration Standardization Technical Committee
Issuing department: State Bureau of Technical Supervision
Competent authority: China Machinery Industry Federation

Introduction to the standard:

This standard specifies the basic requirements and criteria for the safety of integrated manufacturing systems. It sets out requirements and recommendations for the safety of the design, composition, installation, programming, operation, maintenance, use and repair of integrated systems. It does not cover the safety requirements of individual machines.

Standard content (excerpt):

National Standard of the People's Republic of China
Industrial automation systems
Basic requirements for safety of integrated manufacturing systems
GB 16655-1996
This standard is equivalent to ISO 11161 "Industrial automation systems - Safety of integrated manufacturing systems - Basic requirements".
Approved by the State Administration of Technical Supervision on December 17, 1996; implemented on July 1, 1997.

1 Subject content and scope of application
This standard specifies the basic requirements for the safety of integrated manufacturing systems.
This standard proposes safety requirements and recommendations for the design, composition, installation, programming, operation, maintenance, use and repair of integrated systems (see Figure 1).
This standard does not include safety requirements for single machines.
[Figure 1 Typical safeguarding system of a basic integrated manufacturing system. Elements labelled in the figure: physical environment and power supply; safeguards and interlocks; materials and tools; monitoring and control; local network/data link; safeguarded space; hazardous areas; operation station.]

2 Reference standards
GB 2893 Safety colours
GB 2894 Safety signs
IEC 204-1 Electrical equipment of industrial machines
ISO 6385 Ergonomic principles in the design of work systems
ISO/TR 8373 Manipulating industrial robots - Vocabulary
ISO 10218 Manipulating industrial robots - Safety
EN 418 Safety of machinery - Emergency stop equipment

3 Terminology
3.1 Barrier
The physical boundary of the danger zone.
3.2 Awareness barrier
An auxiliary device or barrier that uses physical contact to warn that a hazard is being approached or is likely to occur.
3.3 Controlled stop
Stopping the machine by reducing the command signal to zero. Once the zero signal has been confirmed, the motion stops immediately, but the actuators of the machine remain powered during the stopping process.
3.4 Enabling device
A manually operated device which, only while it is held continuously in one position, allows hazardous functions to be performed but does not initiate them. In any other position the hazardous functions are safely stopped.
3.5 Guard
A physical shielding component used specifically for protection. According to its construction it may be a casing, cover, screen, door, fence, etc.
3.6 Hazard
A source of possible injury or damage to health.
3.7 Hazard zone [area, space]
Any zone within or around the machine in which a person is exposed to injury or damage to health.
3.8 Hazardous situation [condition, motion]
Any situation in which a person may be exposed to a hazard.
3.9 Hold-to-run control device
A manually actuated start/stop control that keeps the machine running only while it is held in the start position by hand. Once the hand is removed it returns automatically to the stop position.
3.10 Integrated manufacturing system
A system consisting of two or more industrial machines that are normally linked together, operating in a coordinated manner under the control of a supervisory computer or programmable controller for the processing of discrete parts.
3.11 Interlocking device (as used with a guard)
A device that prevents system components from operating under specified conditions (usually while the guard is not closed). It may be mechanical, electrical or of another type.
3.12 Limiting device
A device that prevents a system or a system component from moving beyond a designed limit.
3.13 Local control
The state in which a system or part of a system is operated from the console or pendant of an individual machine.
3.14 Lockout
The placing of a lock on an energy-isolating device. With the device in the "OFF" or "OPEN" position, the lock indicates that the energy-isolating device or the equipment being controlled may not be operated until the lock is removed.
3.15 Muting
The temporary automatic suspension of the protective function of a safeguard during normal operation.
3.16 Operational stop
A point in the working process at which, once the process reaches it, the process is stopped immediately.
3.17 Pendant
A device connected to the control system that is used to program (or drive) the system or part of the system.
3.18 Risk
The probability of injury arising from a specific hazardous condition, combined with the severity of that injury.
3.19 Protective device
A device (other than a guard) that reduces risk, used alone or in combination with a guard.
3.20 Safeguard
A guard or protective device used to protect persons from hazards that have occurred or may occur.
3.21 Safeguarding
The use of specific safety-technical means, such as safeguards, to protect persons from hazards that cannot be completely eliminated or completely avoided in the design of the equipment.
3.22 Safeguarded space
The space determined by the safeguards.
3.23 Safe working procedure
A specific procedure used to reduce the possibility of injury when performing a specified task.
3.24 Task program
A set of instructions for motions and auxiliary functions that specify the particular task of a manufacturing system. Such programs are generally written by the user.
3.25 Trip device
A device that stops a system or part of a system when a person or a part of a person's body passes beyond a safe limit.
3.26 Trouble shooting [fault finding]
The act of systematically determining why a system or part of a system fails to perform its intended task or function.
3.27 Uncontrolled stop
Stopping of machine motion by removing power from the machine actuators, with all brakes and other mechanical stopping devices being activated.
4 Safety strategy
4.1 General
This clause specifies an overall strategy (set of countermeasures) for determining the safety requirements of a system. The strategy combines the measures taken at the design stage with the measures that the user is required to implement.
The safety strategy is first considered in the system design, on the premise that the system retains an acceptable level of performance. This includes the following:
a. specify the limits of the system (see 4.2);
b. formulate the safety strategy (see 4.3);
c. identify all hazards (see 4.4);
d. assess the associated risks (see 4.5); and
e. eliminate the hazards or limit the risks as far as possible.
If these measures still cannot reduce the risks to an acceptable level, safeguarding must be considered at the design stage. The safeguards must preserve the flexibility of the system without reducing its safety. In addition, information on those hazards that are difficult to identify must be provided (for example, in the written instructions and on warning labels).
4.2 System technical requirements
The system technical requirements shall include at least the following:
a. functional description;
b. overall layout and/or model;
c. comments on the relationship between the different working processes and manual operations;
d. process sequence analysis, including manual interaction;
e. description of the interface with the conveyor or transfer line;
f. process flow chart;
g. equipment foundation plan;
h. configuration plan of the loading and unloading devices;
i. determination of the space required for loading and unloading;
j. relevant accident records;
k. study of similar system installations.
The designer should have a standardized written statement of the personnel activities that may occur on site, in particular:
a. visits (the presence of third parties not involved in operation);
b. process control and monitoring;
c. workpiece clamping;
d. inspection and acceptance of equipment under the manual control of the operator;
e. adjustment and manual intervention without disassembly;
f. installation;
g. fault finding;
h. maintenance.
On this basis the designer can formulate the corresponding work procedures, taking into account:
a. analysis of past and more recent relevant experience of other organizations;
b. the tolerance of the system to the effects of production changes (equipment wear, changes in product size, etc.);
c. the involvement of personnel in the future operation of the system.
4.2.1 System design criteria
In addition to the functional description, the table of design criteria must cover every requirement needed to ensure safe operation, including the protective measures that effectively reduce the hazards listed in 4.4. In this way the system design can minimize engineering discontinuities between the single machines. The corresponding steps require:
a. integration of the human-machine interface;
b. predetermination of the various workstations (in time and space) within the system;
c. prior consideration of the mode of disconnection when a single machine is operated on its own;
d. consideration of the environmental conditions (air quality, lighting, noise, etc.).
System design is not only the design of working performance; it must also be considered from the point of view of use and operation.
4.2.2 Project organization
In the planning, design and construction of an integrated manufacturing system, the various safety measures, especially those concerning the interaction between the single machines, must be coordinated and consistent. This also applies where the system is composed of subsystems and/or single machines supplied by different suppliers. The work phases to be coordinated include, for example:
a. planning;
b. equipment selection;
c. equipment delivery and assembly;
d. installation methods and test procedures;
e. partial acceptance and overall acceptance;
f. handover of the system on completion of the work;
g. system verification (commissioning), including the correction of any defects and troubleshooting;
h. maintainability;
i. ergonomic factors.
4.3 Application of the safety strategy
Integrated manufacturing systems must be designed and safeguarded in accordance with the risk assessment (see 4.5) so that they can be shipped, installed, used and maintained correctly and safely. To this end, the relationship between human factors, work tasks, possible accidents and production methods must be considered. Other harmful effects such as noise, harmful substances, high and low temperatures, radiation and the physical working environment must also be considered, so that damage to health is avoided.
The supplier of the system or of system components must state the conditions of the physical environment, the requirements for the external power supply and how it is to be connected, so that normal operation is ensured. The user should ensure that these conditions are met, or provide alternative means, and ensure that the system operates in environmental conditions that comply with the technical requirements.
4.3.1 Design and development
In the development of single machines, subsystems and the whole system, all safety-related knowledge and experience must be taken into account so that personal accidents and health hazards are avoided or reduced to an acceptable level. This includes the visibility of the whole system, of the subsystems and of the single machines: in particular, the production process and the machine operation must be fully observable from the operator's normal position. Where necessary, additional means (such as closed-circuit television) may be used.
The normal positions of operating and maintenance personnel must be easily accessible and outside the danger zone. Parts requiring regular maintenance (such as lubrication points and positioning mechanisms) should also be placed outside the danger zone as far as possible. To achieve the required level of safety, priority should be given to eliminating or reducing hazards by using inherently non-hazardous devices; the next step is to improve the process or the process sequence so as to obtain a lower level of risk. The arrangement of manual start and stop controls must make clear which hazardous area each control is associated with.
4.3.2 Safeguarding
Wherever the measures described in 4.3.1 cannot reduce the risk, or cannot reduce it fully, to an acceptable level, safeguards shall be provided in accordance with Chapter 6. The addition of these safeguards shall not make the operation and maintenance of the system unnecessarily complicated, and a clear layout of the whole system, the subsystems and the single-machine connections must be maintained. Depending on the design and use of the system, a single safeguard or a combination of several different safeguards may be used. Safeguards are selected according to the hazards identified. Safeguarding should remain effective in all operating modes (see 9.2.4 of IEC 204-1 on the suspension of safeguarding under specific conditions).
4.3.3 Warning signs and personal protective equipment
Where the measures described in 4.3.1 and 4.3.2 cannot work, or can only partly work, warning signs or warning devices should indicate the presence of hazards that are difficult to prevent. The following hazards may be difficult to prevent:
a. hazards caused by unexpected movements;
b. hazards caused by unexpected energy effects (such as overpressure, tension, rotation, excess weight, noise, heat, low temperature, radiation);
c. hazards caused by leakage of dangerous substances.
Where necessary, personal protective equipment should be specified.
4.4 Hazard identification
Hazards may arise from:
a. the system itself;
b. the interaction between the system and other machines or devices;
c. the physical environment in which the system is located;
d. the interaction between the operator and the system.
Some examples of hazard sources are:
a. Moving mechanical parts in:
1) normal operation within the hazardous area, alone or together with other parts of the system or associated equipment;
2) unexpected operating conditions (such as falling of mechanical parts, tilting of the machine).
b. Power supply.
c. Stored energy.
d. Interference:
1) electrical interference (such as electromagnetic interference (EMI), electrostatic discharge (ESD), radio frequency interference (RFI));
2) mechanical interference (such as vibration, shock).
e. Harmful gases and substances:
1) explosive, flammable;
2) corrosive;
3) radiating (such as ionizing or thermal).
f. Failure or malfunction:
1) failure of safeguards, including their removal, dismantling or abandonment;
2) failure of components, devices or lines;
3) failure of power supply or energy, including pulsation or disturbance;
4) failure of information transmission.
g. Human error:
1) errors in design, manufacture or modification;
2) errors in the operating system, application software and programming;
3) errors in use and operation;
4) fixturing errors, including workpiece placement, clamping, tooling fixtures, etc.;
5) management or usage errors;
6) maintenance and repair errors;
7) errors in documentation and training/instruction manuals.
h. Ergonomic factors:
1) lighting;
2) vibration;
3) noise;
4) climatic conditions;
5) design/layout of operator control stations.
4.5 Risk assessment
Risk assessment is the basis for determining safety objectives and safety measures. Risks must be reduced to an acceptable level. To this end, this clause provides guidance on developing procedures and plans to:
a. establish a safe working environment;
b. ensure personal safety and health.
The risks of all identified hazards are evaluated, and reasonable safety measures and implementation plans are determined to minimize them.
Hazards are identified for each single machine, for the interaction between single machines, for the system operating components and for the whole system, in all intended operating modes and conditions, including states in which the normal safeguards are suspended, such as programming, calibration, troubleshooting, maintenance or repair. This requirement also applies to system modifications. For normal operating conditions in which manual intervention is clearly part of the production process, the risks of that intervention should also be evaluated; where a hazard exists, normal production should avoid manual intervention. Risks should likewise be considered for local production steps that clearly require direct human intervention (e.g. clearing jams, loading, programming/teaching, fault finding, maintenance, etc.). It should be recognized that in some cases the normal control sequence and some or even all of the normal safeguards may be suspended. In such cases a backup safety system must be put into use as a special guarantee of local control and safeguarding (e.g. lockout). Each area of the system that personnel may enter should be marked with hazard signs to facilitate identification.
4.6 Ergonomic considerations
4.6.1 Human-machine interface
The following measures are intended to facilitate the monitoring of the automated system and the processing of its data.
4.6.1.1 Direct observation of operation
The layout of the site should facilitate the perception of information relating to the sensitive points of the system, and special attention should be paid to the placement of observation points or observation areas (auxiliary means of observation such as mirrors and video systems may be used).
4.6.1.2 Displayed information
The user should be able to obtain all necessary information on the actual state of the production cycle. All information on the system state should be available from the human-machine interface. Special attention should be paid to selecting the information to be displayed on the interface and the information that the system operator may request. The language in which information is expressed should take account of the working habits and technical culture of the system operators. The format and presentation of displayed information should meet the following requirements:
a. the physical characteristics of signals and controls should suit the perceptual and operating capabilities of all operators;
b. the controls and the information relating to a given action, and the monitoring of its results, should be located close to each other;
c. the composition of the information should support diagnosis (that is, facilitate recognition of the important configurations of the technical system) and provide information with which to verify the reliability of the displays; this should be arranged near the display;
d. the conventions used for colours, abbreviations, directions of rotation and orientation of graphics should be consistent across all devices;
e. the display system should be designed so that faults in the display system itself can be detected and repaired;
f. the capacity of the devices should have margin to accommodate expansion of production and of the user interfaces;
g. repetition: it is often necessary to display the same information at several locations on site;
h. during the site design phase, the possibility for users to store important events (installation, oil change, deviation, accident, incident, etc.) in memory should be considered; such records make it easy for users to trace the history of the system. Furthermore, information transmitted through different interfaces should be interconnected, especially where the principle of redundancy is used, to ensure the consistency of the information.
4.6.1.3 Manual control devices
The design and location of manual control devices should:
a. ensure that the state of the power-driven equipment can be seen from the position of the manual control;
b. ensure that the function and state of the device are clearly defined and displayed to the operator;
c. ensure uniformity between the different control components of the system, so that the names, orientations, etc. of the manual controls are consistent;
d. ensure that the shape and size of the actuators of the control devices are chosen so that workshop operators can operate them correctly.
The effect of any manual control action should be clearly defined, and the operating state of the manual control must be clear and obvious.
4.6.2 Manual intervention
4.6.2.1 Control and maintenance operations
Intervention areas are defined and laid out to ensure sufficient space to perform the intended task with minimum risk. Safeguarding measures should be taken in particular for the following:
a. the movement areas for system control and maintenance operations should avoid changes of level and excessive travel as far as possible, and preventive measures should be taken at crossings;
b. for prolonged, frequent or high-lift operations, the intervention space or platform should take account of human posture, body size, environment and the operation itself;
c. interface configuration: central and distributed control consoles (fixed or mobile) should be configured so that the operating components can be observed, and the risk arising from communication time constraints and from communication barriers between operators should be reduced to a minimum;
d. the lighting level in the work area and in site areas requiring special monitoring should suit the operation, and visibility must not be disturbed by glare or reflection; in some cases provision for adjusting the lighting conditions (intensity and direction of light) should also be made;
e. the use of lifting eyes or other lifting devices, and/or of parts formed on site and special loading and unloading tools of the equipment, should facilitate the assembly and disassembly of the system.
4.6.2.2 Main manual operations
Ergonomic methods and data are applied to make operation easier and to reduce human error during intervention (repair, maintenance, inspection, programming, operation, etc.), so as to improve the level of safety. The design of system components involving manual intervention should take human characteristics into account, such as body size, posture, physical strength, movement and physical capability (ISO 6385). It is necessary to ensure that the operator:
a. maintains a normal body position;
b. can communicate (visually and verbally).
4.7 Marking
The system should carry special marking giving at least the following information:
a. name and address of the manufacturer/supplier;
b. system identification;
c. applicable certification (where required).
4.8 Documentation requirements
System documentation shall be written in the language agreed between the user and the supplier at the time of ordering and shall include at least the following:
a. a clear and detailed system description and installation instructions, including equipment installation and the connection of external power;
b. copies of the markings visible on the system (see 4.7);
c. system performance specifications;
d. external power specifications;
e. physical environment specifications (e.g. lighting, vibration, noise level, atmospheric pollution, etc.);
f. description of potentially hazardous conditions and of how to avoid them (e.g. closing, blocking, locking);
g. how to identify and correct abnormal conditions;
h. information on:
1) programming;
2) operation;
3) inspection intervals;
4) functional test intervals and methods;
5) repair and maintenance guidance for the system and its safeguards;
i. maintenance work procedure records to help operators with the recommended procedures for operation or troubleshooting;
j. instructions for the various safeguards, interacting functional components and interlocking devices for hazardous motions, especially the interlocking devices of interacting equipment (including wiring diagrams), and instructions on the safeguarding measures and methods to be adopted when the original safeguards are suspended;
k. interface instructions for the connection of control circuits and power circuits (including drawings);
l. adjustment procedures for limiting devices.
The operating manual of the system should include the specific operating manuals of its various components.
5 Design requirements for the safety performance of the control system
5.1 General
The following requirements apply to all aspects of the control of an integrated manufacturing system (electrical, hydraulic, pneumatic, mechanical, etc.). The design and construction of the control system must ensure that, as long as it is used in accordance with the technical conditions, no personal accident occurs during either automatic or manual operation. This requirement also applies to the interaction between the overall control system and the individual controls, and to the relationships between the individual control systems.
Electrical equipment in the control system must comply with IEC 204-1, in particular the provisions of Chapter 9. Power supply and earthing must comply with the standards recommended by the supplier.
5.2 Interference
The design and installation of the control system must employ good engineering practice to ensure that the control functions and the control system are not affected by sources of interference. Where it is foreseeable that interference creates a risk, isolation measures must be taken to ensure that interference with the control functions cannot cause harm at any time while the machine is working.
Examples of sources of interference are:
a. electromagnetic interference;
b. electrostatic discharge;
c. radio frequency interference;
d. vibration/shock;
e. ambient noise;
f. light;
g. radiation.
5.3 Limitation of the effect of faults on safety
The design, assembly, installation and use of the control system cannot prevent the failure of a single control component and the stop that results from it, but they must ensure that the system cannot be started, and cannot continue to operate, before the fault has been eliminated. This requirement does not apply to components whose failure cannot lead to a hazardous state. In the analysis of faults the following rules must be observed (see Figure 2):
a. no single fault may cause a personal accident;
b. an undetected first fault followed by a subsequent fault shall not cause a personal accident.
It is assumed that two independent faults are unlikely to occur at the same time, but the designer must consider the common types of failure. Failures are considered both so as to ensure safety in the event of a failure and so as to detect certain types of failure. Research and evaluation (failure analysis) must therefore be carried out on the basis of the assumed failure modes of the various components.
5.4.1 Safety measures in the control system
In addition to the requirements of 5.3, the use of proven circuits and components, and one or more of the following safety measures, must also be considered.
a. Partial or complete redundancy. Protection against failure of control components in electrical, electronic or hydraulic systems is usually achieved by connecting multiple components or multiple channels in parallel or in series. Protection against failure of control components should not rely solely on simple redundancy. Component redundancy is the use of two or more control components in parallel or in series to ensure reliable operation; consequently, a failure in a redundant device may go undetected while the system still appears to operate safely. If the redundant components then fail one after another, an unsafe condition can still arise. It is therefore very important to monitor such single failures and to take countermeasures against them.
b. Use of diversity (see 9.4.2.3 of IEC 204-1).
c. Reduction of the speed (power) of hazardous motions. The "reduced speed" method relies on the fact that personnel can leave the danger zone in time if an incident occurs. Where there is no danger of shearing or crushing, the speed of hazardous motions may be set not to exceed 15 m/min; where there is a danger of shearing or crushing, the speed of hazardous motions shall not exceed 2 m/min. These figures also apply to an enabling device used together with reduced speed.
d. Monitoring function. The purpose of the "monitoring function" (which may also be implemented by simulation) is to monitor, at fixed intervals and in a defined manner, so as to identify the faults that matter from the point of view of the risk assessment, and to issue a safety signal (usually a stop signal) when a fault is found.
e. Enabling device (see 6.5). The "enabling device" measure is adopted so that the person using the enabling device can detect a danger in time and act immediately to prevent an accident.
f. Use of releasable non-return valves, periodic cycling of rarely actuated spool valves, pressure valves, and pulse valves without spring action. Considerable energy may be stored in hydraulic or pneumatic systems, and it must be ensured that it cannot cause hazardous motion. The stored energy may be used to trigger the safety function (such as a retraction motion). Where necessary, additional measures should be provided against subsequent hazards (such as those caused by pressure drop, closure of the main line, leakage, pipe rupture, etc.), for example mechanical locking or releasable non-return valves.
[Figure 2 Fault assessment: flow chart. For the first fault: could it be dangerous, and is the consequence of the failure an interruption (stop)? If so, the second fault is assessed with the same two questions; if not, other safety measures (for example an enabling device, see 6.5) must be provided. No further fault assessment is carried out beyond the second fault.]
5.4.2 Additional safety measures
Where the control safety measures alone are not sufficient to prevent the consequences of hazardous failures, supplementary measures such as mechanical safeguards and backup lighting must be taken.
5.4.3 Combination of safety measures
A combination of several safety measures is usually necessary. The safety measures are determined in the design of the control system of each single machine in the integrated manufacturing system; they must meet the safety requirements and be subject to risk assessment (see 4.5). Where new safety requirements arise from the combination of system components, they should be resolved at the system level.
5.5 Manual operation control devices
Various manual control devices must be quick to find, easily identifiable, and appropriately marked or labelled. Safety-related control devices must be placed where they can be operated safely, decisively, quickly and accurately. These devices must be located outside the danger zone, unless they are devices used as safety measures (such as emergency stop devices and enabling devices).
5.6 Status display
The status display shows the operating status of the system or of a specific area of the system.
5.7 Selection of system operation mode
The control equipment should provide at least the following operation modes:
a. Normal (production) mode: all normal safety protection devices are connected and in operation;
b. Operation in which some normal safety protection devices are suspended;
c. Operation in which a dangerous state caused by system start-up or remote manual start-up is prevented (for example by local operation, power isolation or mechanical locking of dangerous conditions).
The selection of operation mode allows certain operations (such as programming, verification and maintenance) to be performed under monitoring. For parts where the operating conditions may give rise to dangerous conditions, access to the danger zone must be interlocked.
5.8 Control measures for suspension of safety protection devices
When, in a control mode for
- Setting (see 8.4.2a)
- Programming (see 8.4.2a, 8.5)
- Program verification (see 8.4.2b, 8.6)
- Fault inspection (fault finding and observation of the production cycle) (see 8.4.2b, 8.7)
- Maintenance (see 8.8)
the operations cannot be performed from outside the safety protection space, the relevant safety protection device may be suspended to allow personnel to enter the danger zone. The suspension of the safety protection device must be limited in time (for example 10 s). The suspension can be achieved by a lockable selector device or by another device of the same safety level.
A sufficient safety level can also be achieved by measures other than a lockable selector device alone. When personnel need to enter the danger zone, the following safety measures must be provided in the control system in accordance with the requirements of Chapter 8:
a. Holding operation;
b. Enabling device;
c. Slowing down;
d. Reducing power;
e. Handheld emergency stop.
As mentioned above, when the safety protection device is suspended, no dangerous state may be caused from outside the danger zone. Normal production is possible only when the protective effect of the safety protection device has been restored. To assist the operator while the safety protection device is suspended, the following may be considered:
a. Display the status of safety-related functional elements, circuits and actuators that can cause danger;
b. Display the status of important elements (for example: working operation status, position parameters of equipment components, temperature).
5.9 Peripheral operation
When local operation of equipment is performed in the danger zone, this situation must be notified to the rest of the system. The method of local operation should be designed to allow the operator or other person to locally operate the equipment in a specific area, but to prevent any external means from driving any equipment in the area.
For systems or areas with local operation, the selection method should be:
a. Located outside the hazardous area;
b. Controllable by the operator or other designated personnel (for example: using a key switch or an access password).
Machines and related equipment in local operation must be under the direct control of the system operator. When local control is in place, remote control or external operation must never cause a dangerous condition. The switch between local and remote or external operation must not itself produce any dangerous condition.
5.10 Startup
Only when all safety protection devices related to the protection zone are in place and functional, and all normal operating conditions are met, can the system or the machine or related equipment in the system operation area be started by a control station located outside the protection zone. When the system (or a specific zone) requires simultaneous start-up by several control stations, the start-up method must be interlocked to prevent false start-up when the specified number of control stations is not reached.
Conversely, when a special area of the system requires single-control-point start-up for safety reasons, the other start-up controls should be designed so that other areas of the system cannot be started, or so that the area cannot be started from other parts.
5.11 Shutdown
Each system or area within the system must have at least two levels of shutdown: one related to safety measures, the other related to normal operating conditions. Normal operating conditions include all safety measures. The implementation of the shutdown function is based on the risk assessment.
5.11.1 Stop function
The stop function does not take into account the associated start function. The stop function must be selected according to the risk assessment and according to the following types. The three stop types are as follows:
a. Type 0: stop by directly disconnecting the power supply to the actuator that caused the hazardous condition (i.e. uncontrolled stop, see 3.30);
b. Type 1: controlled stop with power maintained to the actuator that caused the hazardous condition (see 3.3), then disconnected after stopping;
c. Type 2: controlled stop with power maintained to the actuator that caused the hazardous condition.
Types 0 and 1 should be designed in accordance with 5.3.
Based on the risk assessment, each area will be equipped with type 0 or type 1 (or both), and after a shutdown according to type 0 or 1 the restoration of normal power supply must not cause a hazardous condition.
5.11.2 Emergency stop
The system shall provide one or more emergency stop functions, which may be applicable to the entire system or to clearly demarcated areas within the system. In the case of clearly demarcated areas within the system, each area should have an emergency stop function for use only in this area. When one or more areas are in an emergency stop state, this state should be reported to the system (or the rest of the system). Due to the clear demarcation, after an emergency stop device is activated, there must be no danger at the interface between this area and other areas of the system. All emergency stop functions implemented by circuits must comply with the provisions of IEC204-1, and those implemented using hydraulic drives must also comply with EN418.
The reset of the emergency stop circuit must be carried out by designated personnel. Resetting the emergency stop shall not trigger or restart any dangerous movement or create any dangerous condition.
Each control station must have a manual emergency stop device, connected to the clearly demarcated area(s). The actuator of the manual emergency stop shall comply with the provisions of IEC204-1.
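As an added example, not from the standard, the following Python model shows how the three stop types of 5.11.1 differ in when actuator power is removed, and why an emergency stop reset must remain distinct from a restart command (5.11.2); the single-actuator model and the speed-loss constants are assumptions.

```python
"""Constructed model (not from GB 16655) of stop types 0/1/2 and e-stop reset."""


class Actuator:
    """One actuator with a single speed value; stop types numbered as in 5.11.1."""
    COAST, BRAKE = 1.0, 4.0   # speed lost per step unpowered / braked (constructed)

    def __init__(self, speed: float):
        self.speed, self.powered = speed, True
        self.stop_type, self.estop_active = None, False

    def stop(self, kind: int, emergency: bool = False) -> None:
        self.stop_type, self.estop_active = kind, emergency
        if kind == 0:
            self.powered = False          # type 0: power removed at once

    def step(self) -> None:
        """One time step: type 0 coasts unpowered, types 1 and 2 brake."""
        if self.stop_type is None:
            return
        loss = self.COAST if self.stop_type == 0 else self.BRAKE
        self.speed = max(0.0, self.speed - loss)
        if self.speed == 0.0 and self.stop_type == 1:
            self.powered = False          # type 1: power removed after standstill

    def reset_emergency_stop(self) -> None:
        self.estop_active = False         # clears the latch only (5.11.2)

    def restart(self) -> bool:
        """Deliberate restart from a control station; refused while e-stop latched."""
        if self.estop_active:
            return False
        self.stop_type, self.powered = None, True   # speed stays 0 until commanded
        return True


def run_until_stopped(kind: int, speed: float = 10.0, emergency: bool = False):
    """Returns (steps to standstill, still powered?, actuator)."""
    a = Actuator(speed)
    a.stop(kind, emergency)
    steps = 0
    while a.speed > 0:
        a.step()
        steps += 1
    return steps, a.powered, a


def estop_reset_scenario() -> tuple:
    """E-stop (type 0), run down, then restart attempts before and after reset."""
    _, _, a = run_until_stopped(0, emergency=True)
    before = a.restart()
    a.reset_emergency_stop()
    return before, a.speed, a.powered, a.restart()
```

Type 2 leaves the actuator powered at standstill, which is why the standard treats it as an operating stop rather than a safety measure.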
5.11.3 Interruptions by safety guards
Safety guards (i.e. tripping devices or interlocking devices) should be connected to a type 0 or type 1 stop function. In most cases the function of these safety guards is part of the system's engineering procedures, so it is important that this stop function allows the system or its stopped part to be restarted easily. When this requirement cannot be met because of the production process, an operating stop function is required that can be activated before the safety guard is triggered. The operating stop function should be designed to stop at a natural stopping point of the production process, so as to avoid affecting the machine, the workpiece and the process. Where an operating stop is provided and, for safety reasons, it is not possible to stop the process at any point in the production cycle, an electrical interlock with guard locking must be used as safety protection to prevent personnel from entering the danger zone until the production cycle is completed and all dangerous conditions are eliminated.
5.11.4 Operating stop
The operating stop function is a type 2 stop and must comply with the provisions of IEC204-1. This level of shutdown is a functional or operational shutdown, not a safety measure.
5.12 Emergency action
The action mode of system components in an emergency must be provided. Examples are as follows:
a. Under power failure conditions:
- Open the overflow valve to reduce the system pressure;
- Manually release the mechanical brake to prevent additional hazards.
b. Under power supply conditions:
- Manual: manually control the various devices with pilot valves/drivers;