Safe Machine Design: A Mechanical Engineer’s Guide to, uh, Electrical Engineering.

I’ve had to do a bit of learning on the fly at work and so thought I’d write down some of my thoughts to make things easier if I forget bits and pieces. Then I thought I’d publish it so all 3 of my subscribers can reap the benefits of my frustration.

Disclaimer: I’m not a safety authority or an electrical engineer and this article is not a substitute for an up-to-date safety standard.


As an engineer in Australia, you’ll need to be aware of three standards of safety of machinery:

AS 4024.1-2014

This standard uses Safety Categories- CAT B, CAT 1, CAT 2, CAT 3, and CAT 4 to designate what kind of architecture you’ll need to use for your safety related circuits. So, once you’ve done a hazard analysis to determine what could go wrong and determined what safeguards are required to protect from those hazards, you then need to do a risk assessment to determine what safety category those safeguards must be.

The image below shows the basic risk analysis from NHP’s website.


NHP’s website also has a really good rundown of the safety categories at the link below. They range from “Don’t do anything stupid” (CAT B) to double redundancy with constant self-checking (CAT 4).

Most of the machinery I can think of is going to end up as Category 2 which means a safety relay is needed or Category 3 which means dual channel interlocks/estops as well as the safety relay.

Unfortunately, this method of determining machine safety is on the way out. It’s based on EN954-1 which has been superseded by ISO 13849-1. AS 4024 was recently updated to accept either EN954-1’s method or ISO 13849-1’s method with the intent that people will transition to the latter over time and the former can eventually be disallowed. In order to future-proof your processes, it’s best to use the ISO 13849-1 method.

EN/ISO 13849-1

This standard takes the above approach and adds to it a Mean Time To Failure (MTTF) calculation, a Diagnostic Coverage (DC) fudge factor and a check for Common Cause Failure (CCF).

Eaton have a good manual on how do do this here:


You calculate the Mean Time To Failure based on B10d specs you get from manufacturer’s websites (like Schneider have here: Then you calculate the MTTF of the whole system based on those numbers using a few equations given in the standard (and explained pretty well in the above links).


If you’re using a PLe or SIL 3 safety relay (check the manufacturer’s website), dual channel safety circuits with cross checking (more on this later) and redundant contactors of a reputable brand, you can assume 99% DC. These three elements are pretty much industry standard so you only really need to worry about diagnostic coverage if you’re deviating from the norm.


Common Cause Failure is checked by scoring the safety system against table F.1 from ISO 13849-1 which I unfortunately don’t have a link to but again- it’s explained pretty well in the Eaton manual linked above. It’s not factored into the calculation at all and is a bit subjective to be honest. The circuit itself should cause no issues if properly designed but this check might prompt you to think about problems that might take out two or more parts of the system at once… like metal dust taking out both a magnetic and optical sensor.

So once you have the CAT, MTTF and DC, you can determine the PL from the chart below (again, it’s from Eaton’s manual). There’s a more precise calculation in the standard.


You might at this point be thinking about how much of a pain all this is- and you’d be right! Fortunately, most suppliers have done the work for you and sell packages that have the calcs already done. Eaton, Phoenix Contact, Omron all do this and the others probably do, too. Sometimes the best thing to do is just call these guys and tell them what you’re trying to do- While regulatory bodies often seem to want to make your life as difficult as possible, the suppliers of these electronics will take a lot of load off your shoulders if it means a sale.

IEC 62061

SIL is a little bit like PL (Diagnostic Coverage, Common Cause Failure) but uses a dangerous failure rate rather than a Mean Time To Failure. It also factors in the diagnostic test interval and fraction of safe failures. Because of these two elements, you might have a machine reach a higher or lower standard of safety by using this or ISO 13849.

I’ve yet to use this standard and don’t really plan to in the future so I won’t write more about it. It’s covered in Eaton’s safety manual.

Explanation of some Components/Terms

I thought I’d throw this section in because I didn’t know any of this stuff when I started doing electrics.


Click for a link to the part on my local supplier's website

Click for a link to the part on my local supplier’s website

Interlocks are what you should use in your safety circuit to check door, gate or guard closure. Note that there’s quite a few different types available, not just the key type shown above- you can get hinges with interlocks built in, pin type ones suitable for gates and so on (as well as a myriad of other safety devices like light curtains, pullwires and so on but that’s well beyond the scope of this article). Anyway, you should use them instead of cheaper, more conventional switches/sensors because

  1. They usually use a switching method that is difficult for an operator to bypass such as a key, a magnetic signal or a switch internal to a hinge that is inaccessible.
  2. They usually have two more more contacts which you’ll need to run dual channel safety circuits

If you can cut power to your machine and have it reach a safe state reliably before an operator can access the dangerous bits, that’s all you need… but if they can put them self into harm’s way before the machine will shut down, you’ll need a locking interlock, of which there are two types that I am familiar with:

Click for a link to the part on my local supplier's website

Click for a link to the part on my local supplier’s website

The first is the key type locking interlock- Very similar to the key interlock shown above but a few hundred dollars more expensive and it will lock the key in place so the guard/door/whatever can’t be opened when the machine is in a dangerous state. These are the cheaper alternative (though you might not realise that when you’re paying for them) but have two disadvantages that I’ve encountered: They are sensitive to alignment between the key and the lock and they can be broken by heavy handed operators, misalignment, overslam or just plain heavy equipment.

Click for a link to the part on my local supplier's website

Click for a link to the part on my local supplier’s website

The second type is the magnetic type- They use super strong electromagnets to hold your whatsit closed. They’re a couple hundred more expensive than the key type but are a hell of a lot more difficult to break and aren’t as sensitive to alignment. Once you’ve broken a key type interlock, you’ll wish you bought one of these.

Safety Relay

Click on the picture for a link to the part on Omron's website. I'm not being paid to say this but hopefully the referral will discourage them from suing me for ripping off their stock image.

Click on the picture for a link to the part on Omron’s website. I’m not being paid to say this but hopefully the referral will discourage them from suing me for ripping off their stock image.

These things are called a safety relay by most but are more of a safety controller. Their functions are fourfold:

  1. They monitor a dual channel safety circuit to detect things like activation of E-stops, interlocks and so on.
  2. They check the circuit mentioned above for any cross talk between the two channels (this is to check that the circuit hasn’t failed closed… more on this later)
  3. They periodically check a feedback circuit through all the contactors to detect any welded contacts
  4. Based on the results of the checks above, they will activate one or more relay contacts.

Dual channels and cross checking

Let’s start with the most basic circuit we can think of. I pulled an example circuit from Omron’s manual, modified it and highlighted the part we’re talking about.

Don't do this

Don’t do this

This is a basic, single Estop circuit. It’s normally closed, then when you hit the button it opens the circuit and the relay turns off the machine as a result. That’s all well and good, but what if someone drops a heavy piece of steel on the cable and crushes both those wires together? Or what if the Estop box is left out in the rain and fills with water? In both those cases, it might short together and the next time someone hits the Estop, the machine won’t stop! It only detects open circuit failures. If you changed the circuit to have a normally open contact but then you run into the same problem in reverse- the circuit will only detect closed circuit failures. You need to change it so that closed circuit failures are caught.

You could do this by having two circuits- one normally open and one normally closed- but this doesn’t work so well with multiple Estops. It would require wiring all the normally open circuits in parallel and all the normally closed circuits in series. A better solution is shown below- it’s the industry standard system.

Dual channel Estop circuit

Dual channel Estop circuit

There’s two circuits with normally closed contacts in the Estop. The safety relay monitors both these circuits for cross-talk, which means if you bridge the two circuits together anywhere (fill the Estop box with water, crush and short the wires, etc), it will trip the relay and shut down the machine. This is called cross checking.


So, by having dual channels and cross checking the system is now fairly redundant and safe on the input side, but how about the outputs? You run into a similar problem to the Estop circuit: The simplest solution is to have a single contactor controlling the motor (or device) but if that contactor fails to cut the power (welded contacts are a common failure mode), the safety relay can’t do anything to stop the machine.

So you install a second contactor and run the two in series. For a while this works great. Both contactors turn on and off as required until one of them welds shut… and the machine continues to operate as normal, except only one of the contactors is now switching. This could continue for a long time until the second contactor welds, rendering the safety circuit useless. In order to do this, the safety relay needs to check that when both contactors are “off,” they really are both off. To do this, you put an auxiliary contact on each contactor and wire them into a feedback circuit with a reset switch as shown below.

Contactor feedback circuit

Contactor feedback circuit

Now, the machine has two contactors in series controlling the motor and these contactors are both checked for welded contacts any time the machine is reset. This makes for a pretty safe system but note that it assumes that the contactors all have positively guided contacts. If the contacts are not positively guided, the reset circuit will reset the machine ready for operation, even if one of the contactors has welded shut.

Eaton's XT series contactors are all positively guided.

Eaton’s XT series contactors are all positively guided.

You might also see something like what is shown below referred to as a safety relay:

Relay with positive guided contacts

Relay with positive guided contacts

This is simply a relay with positively guided contacts- No monitoring or anything like that. I use these as an auxiliary relay to the safety controller if I want to control more NO and/or NC contacts than is available.

Well, that’s all I’mma write for now. This was originally just going to be about how to satisfy AS4024 but snowballed somewhat. Hope it helps someone out there.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s