
Special documentation

Released for customers

System description
Protection and control systems
User information according to EN ISO 13849-1

TD10012367 EN 03

Table of contents

1 Application area ..... 4
2 Applied methods, standards and guidelines ..... 4
3 Description of the protection systems ..... 4
3.1 Machine safety concept ..... 4
3.2 Protective measures ..... 4
3.3 Exclusion of faults ..... 6
3.4 Limits for operation ..... 7
3.5 Operating modes ..... 8
3.6 Protection systems ..... 8
3.6.1 Guard ..... 8
3.6.2 Action to take in an emergency ..... 8
3.6.3 Electrosensitive protective equipment ..... 9
3.6.4 Safety signals from interlinked machines ..... 10
4 Description of the control systems ..... 13
4.1 Basics of safety functions ..... 13
4.1.1 Acquisition ..... 13
4.1.2 Analysis ..... 15
4.1.3 Reaction ..... 16
4.2 Functional description of switching devices ..... 17
4.3 Functional description of ASi safety ..... 18
4.4 Functional description of safety PLC ..... 19
4.5 Function of STO function of a frequency inverter ..... 21
4.5.1 Example of B&R frequency inverter ..... 22
4.5.2 Example of Danfoss frequency inverter ..... 22
4.5.3 Example of Allen Bradley frequency inverter ..... 23
4.6 Design and proof of control systems performance ..... 24
4.6.1 Calculation of failure rate λ (EN ISO 13849-1) ..... 24
4.6.2 Assessment of the probability of a dangerous failure per hour PFHd (EN 62061) ..... 24
4.6.3 Determination of required performance level (EN ISO 13849-1) ..... 25
4.6.4 Example: Switching devices ..... 26
4.6.5 Example: ASi safety ..... 27
4.6.6 Example: Safety PLC (Siemens) ..... 28
4.6.7 Example: Safety PLC (Rockwell) ..... 29
5 Checking/maintenance of safety functions ..... 30
5.1 Checking by KRONES ..... 30
5.2 Maintenance ..... 32
6 Glossary ..... 33
6.1 Technical terms and abbreviations ..... 33

1 Application area

User information according to DIN EN ISO 13849-1.


For KRONES machines and lines

2 Applied methods, standards and guidelines

In compliance with the Conformity Assessment Procedures for machinery as set out in directive 2006/42/EC, a risk assessment is compiled according to the procedure described in ISO 12100.
The measures required to minimise identified risks can be derived from the risk assessment. As soon as it becomes necessary to take measures with regard to the control system, these measures will be taken in compliance with ISO 13849-1 and their effectiveness and construction will be validated according to ISO 13849-2.

3 Description of the protection systems

The following chapters show the basic procedures used at KRONES AG to implement machine safety.
Examples of protection systems which have been put in place are shown using system representations, block diagrams, connection diagrams and calculations.

3.1 Machine safety concept


In accordance with EN ISO 12100 and other applicable standards, the safety concept of the machine consists of the following points:
• An inherently safer design of the machine.
• Protective measures where hazards cannot be avoided or adequately minimised due to the design.
• User information pointing out residual hazards if hazards cannot be avoided despite a safer design and protective measures.

3.2 Protective measures


Due to the machine's design, its method of operation and the state of the art, risks and hazards cannot always be fully ruled out from an engineering standpoint.
The remaining risks and hazards must be ruled out or minimised by employing suitable protective measures.

Technical safety precautions

• Separating and non-separating protective devices as measures for protection against hazards such as moving parts.
• Fixed guards such as machine guarding, housings
• Movable guards with or without secured locking with automatic monitoring, as well as guard doors with secured locking and monitoring, and with a key/tool for opening guard doors and protective covers
• Sensitive protective devices such as P.E. sensors, light curtains, sensing devices, proximity switches
• Operating mode selector switches
• Jogging and enabling devices
• Additional non-guards such as limiting and/or monitoring devices for pressure, temperature, emissions, speed, acceleration, torque
• Protective measures for reducing noise emissions, vibrations, hazardous materials, radiation, for instance, in containments, silencers, vibration dampers, filters, ventilation systems, baffles
• Protective measures for stability such as anchor bolts, locking devices, movement limiters

Additional safety precautions

Additional safety precautions are protective measures which are neither inherently safe designs nor technical protective measures nor user information, but rather measures which must be provided based on the intended use and the reasonably foreseeable misuse of the machine/system, e.g.:
• Components and elements for stopping in the event of an emergency: EMERGENCY STOP switch
• Measures for setting trapped persons free and rescuing them: Escape devices at guard doors with secured locking
• Measures for disconnecting and dissipating energy sources: Master switches, shut-off valves for compressed air, shut-off valves for liquids
• Precautions for the easy and safe handling of machines and heavy parts:
  - Lifting device with slings
  - Hook
  - Eyebolts or holes with female thread
• Measures for safe access to machines: Steps, handles, stairways, crossovers, work platforms, slip-resistant corridor areas, pedestrian routes, fastening points for personal safety equipment

The hazards existing on a machine and the safety devices to be used vary. The hazards on the machine are determined with a risk assessment according to EN ISO 12100 and subdivided into performance levels according to EN ISO 13849-1 to provide control safety. This makes it possible to have different performance levels on one machine. The safety systems used satisfy these requirements.
It is therefore not possible to indicate a general performance level for individual machines and devices.
The following chapters describe how to provide control safety with regard to hazards.

3.3 Exclusion of faults

Definition of fault exclusions up to PL d
Fault exclusion in accordance with EN ISO 13849 makes it possible to assume, for design reasons, that no dangerous fault can arise with certain subsystems or cabling principles of a safety function.

Mechanical components
To rule out mechanical failure, make use of fundamental and proven safety principles as well as tried-and-tested components.
• Example of a guard door switch:
A broken actuator of a guard door switch is ruled out as there are mechanical centring units for the specification-compliant immersion of the actuators into the guard door switches.
• Example of a rotary encoder:
A safety rotary encoder is used to monitor the reduced machine speed in the jog mode. The detachment of the rotary encoder from the driven shaft can be ruled out if all the required conditions are satisfied. This can be, for example, an oversized form-locking connection from the rotary encoder to the shaft.

Pneumatic/hydraulic systems
For example, proven safety principles such as "secured position" must be used with pneumatic valves for safety applications. This means that the valve is held mechanically in a defined position in the event of a voltage or compressed-air failure.

Electrical system
Use fundamental and proven safety principles as well as tried-and-tested components.
• Example of wiring within an electrical enclosure:
  - A short-circuit between any two conductors may be ruled out inside an electrical enclosure if this enclosure meets the fundamental requirements.
  - An open circuit is not allowed to be excluded and is never allowed to lead to a dangerous fault (basic safety principle: the energyless state is the SAFE state). This means that the single-channel wiring of safety-related signals is permitted inside an electrical enclosure up to and including PL d or SIL 2.

An important item when considering the exclusion of faults within the electrical system is the safe disconnection of standard PLC output cards. This fault is assumed to be ruled out, as this has been confirmed by the manufacturer.
If fault exclusion for certain output cards is not allowed, then a safe disconnection will take place after the PLC output.

3.4 Limits for operation

The limits for operation (e.g. ambient conditions, media, electrical, ...) must be complied with in order to ensure that the safety functions work properly.
For detailed information, see the operating manual of the respective machine.

Example: Air for pneumatic components

Pressures and temperature
Maximum permissible supply pressure (customer responsible for safety precautions): 11 bar (g) [160 psig]
Required supply pressure at transfer point to machine: min. 7 bar (g) [101 psig], max. 10 bar (g) [145 psig]
Value set at air service unit: min. 7 bar (g) [101 psig], max. 8 bar (g) [116 psig]
Temperature: min. +5 °C [+41 °F], max. +50 °C [+122 °F]

Media requirements
KRONES media code: 3201
Solids content (*): ≤ 5 mg/m³
Particle size (*): ≤ 40 μm
Dew point temperature (*): -20 °C
Oil content (*): < 0.01 mg/m³
(*) corresponds to class 6.3.1 according to ISO 8573-1 (2010-04)

3.5 Operating modes

The machine can be operated in the following modes:
• "Production" mode
• "Set-up" mode (depends on machine type)

Production
Qualification: Operator
Safety level: Highest safety level
• All safety devices are active without any restrictions.
Machine functions: Available functions:
• All functions necessary for production are active.
• The machine can be jogged only while the guard doors are closed. Jogging is only possible from the main operator station.
Work: Regular production, maintenance

Set-up
Qualification: Set-up/maintenance personnel
Safety level: Lower safety level
• The safety devices can be partially deactivated (e.g. open guard door).
• It is possible to enter the machine, which can result in a safety risk.
Machine functions: Available functions:
• The production mode is disabled.
• The machine can be jogged while a guard door is open. Jogging is possible only from a local hand-held pendant.
• Expanded machine functions are available (e.g. for changeover and maintenance work).
Work: Set-up, maintenance

3.6 Protection systems

3.6.1 Guard
See protective measures

3.6.2 Action to take in an emergency

• EMERGENCY STOP device (stopping in case of an emergency)
An action which in the event of an emergency is intended to stop a process or movement which is potentially hazardous.
• EMERGENCY STOP device (shut-down in case of an emergency)
An action which in the event of an emergency is intended to disconnect an entire plant or part of it from the power supply, if there is a potential risk of an electric shock or any other type of electrical hazard occurring.

3.6.3 Electrosensitive protective equipment

The minimum distance from the danger zone is calculated according to EN ISO 13855 using the following equation:

S = (K × T) + C

where:
S is the minimum distance in millimetres [mm]
K is a parameter in millimetres per second [mm/s], derived from data on the approach speed of the body or parts of the body
T is the overtravel of the entire system in seconds [s]
C is the intrusion distance in millimetres [mm]
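As an added worked example (not code from the KRONES document), the following Python carries the S = (K × T) + C calculation through for a vertical light curtain, including the EN ISO 13855 rule that K starts at 2000 mm/s and is re-evaluated with 1600 mm/s when the result exceeds 500 mm, with C = 8 × (d - 14) for a detection capability d of at most 40 mm. The overtravel, resolution and installed distance used in the sample are constructed values.

```python
"""Minimum distance S = (K x T) + C per EN ISO 13855 (added example, not KRONES code)."""


def minimum_distance(K: float, T: float, C: float) -> float:
    """S in mm: K approach speed [mm/s], T overtravel of the entire system [s],
    C intrusion distance [mm]."""
    if K <= 0 or T < 0 or C < 0:
        raise ValueError("K must be positive, T and C non-negative")
    return K * T + C


def light_curtain_distance(T: float, d: float) -> float:
    """Vertical light curtain with detection capability d <= 40 mm (EN ISO 13855).

    C = 8 * (d - 14) mm. Start with K = 2000 mm/s; if the result is above
    500 mm the standard allows K = 1600 mm/s, but S may then not fall below
    500 mm. In every case S is never below 100 mm.
    """
    if not 0 < d <= 40:
        raise ValueError("this rule applies to detection capabilities up to 40 mm")
    C = max(0.0, 8.0 * (d - 14.0))
    S = minimum_distance(2000.0, T, C)
    if S > 500.0:
        S = max(500.0, minimum_distance(1600.0, T, C))
    return max(100.0, S)


def check_installation(T: float, d: float, installed_mm: float) -> dict:
    """Compare an installed distance with the required minimum."""
    required = light_curtain_distance(T, d)
    return {
        "required_mm": required,
        "installed_mm": installed_mm,
        "ok": installed_mm >= required,
    }


if __name__ == "__main__":
    # Constructed sample: 0.3 s total overtravel, 30 mm resolution, 550 mm installed
    print(check_installation(0.3, 30.0, 550.0))
```

A result with "ok" false means the curtain must be moved further from the danger zone or the overtravel T reduced, since S grows linearly with T.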

The protective function of the electrosensitive protective equipment may require muting so that products or materials can enter or leave the machine.
Muting is a special control feature which deactivates the protective function of the electrosensitive protective equipment while a product passes through. The muting function trips and is ended automatically. This is done by using a combination of specifically selected and arranged sensors (P.E. sensors) in conjunction with signals from the safety-related control system (conveyor drive control).
Activation of the muting function is indicated.
If the electrosensitive protective equipment is installed at the place of installation of the machine, the structural design and necessary installation information for the respective machine are provided separately, as for example in the electrical connection diagram.

Figure 1: Excerpt from the electrical connection diagram.

3.6.4 Safety signals from interlinked machines

EMERGENCY STOP signals
The exchange of a safety-related EMERGENCY STOP signal is not necessary unless a reason is identified which makes it necessary based on the risk assessment.
If any one of the following situations is the case, then it will be necessary:
• Several machines are intended to operate together. If one of these machines is stopped due to an emergency, then the other machines must not pose a hazard in the area where the machine in question has been stopped (machine directive 2006/42/EC). Otherwise, the machines which do pose a hazard if they continue operating must then also be stopped for safety-related reasons => EMERGENCY STOP signal exchange.
• A person who actuates an EMERGENCY STOP control device must contemplate what the resulting effect is (EN ISO 13850). It must therefore be possible to determine which area is affected by the control device.
To determine whether a safety-related EMERGENCY STOP signal exchange is necessary, it is irrelevant if the machines, machine components or connected equipment in question have been provided by KRONES AG or by a third-party supplier.

Signal exchange between a KRONES machine and third-party machine

Safety-related EMERGENCY STOP signal exchange enables the following:
• The combination of two machines located in the immediate proximity of each other into one EMERGENCY STOP area.
• The safety-related stopping of a third-party machine by actuating an EMERGENCY STOP device of a KRONES machine.
• The safety-related stopping of a KRONES machine by actuating an EMERGENCY STOP device of a third-party machine.

Figure 2: Schematic representation of the EMERGENCY STOP signal exchange on single KRONES machines
1 KRONES machine
2 KRONES subsystem with safety system
3 Third-party machine with safety system
4 Formation of enable signal (An enable signal is provided only if all sensors do NOT trip.)
5 EMERGENCY STOP KRONES own machine
6 EMERGENCY STOP all machines
Signal exchange for block machines

Figure 3: Schematic representation of the EMERGENCY STOP signal configuration and distribution on block machines
1 KRONES machine A, slave machine
2 KRONES subsystem with safety system
3 Hazardous drives and devices
4 KRONES machine B, master machine
5 KRONES subsystem with safety system
6 Third-party machine with safety system
7 Hazardous drives and devices
8 KRONES machine C, slave machine
9 KRONES subsystem with safety system
10 Hazardous drives and devices
11 KRONES machine block
Signals for separating and non-guards
After a machine is stopped for a safety-related reason after a protective signal is provided, the return of the signal will not automatically start the machine. The machine cannot be restarted until after resetting, followed by a START command. This also applies to guard signals which originate from third-party machines or other machines (e.g. adjacent machines in a block arrangement) with safety-related connections.
Normally a safety-related guard signal exchange with third-party machines does not need to be prepared in the standard version because the guard areas of third-party machines often have no safety-relevant effect on the guard area of a KRONES machine. If a safety-related signal exchange based on the risk assessment is necessary, it will be executed according to the following schematic representation.

Figure 4: Schematic representation of the guard signal exchange on single KRONES machines
1 KRONES machine
2 KRONES subsystem with safety system
3 Third-party machine with safety system
4 Formation of enable signal (An enable signal is provided only if all sensors do NOT trip.)
5 Guards KRONES own machine
6 Guards KRONES all machines

4 Description of the control systems

4.1 Basics of safety functions

All safety functions consist of functions for "detection", "analysis" and "reaction". A safety sensor registers the tripping signal of the safety function (e.g. guard door). This signal is then analysed by a so-called safety logic circuit, which then causes the danger point to be shut down.

Acquisition: Circuit breaker or safety switch, EMERGENCY STOP switch, module with safe inputs
Analysis: Safety control system/ASi safety, safety PLC, circuit logic with safety relays
Reaction: Safety relay/extension, module with safe outputs, contactors, frequency inverter

4.1.1 Acquisition
This involves the safety sensors which detect a potentially hazardous situation for persons and therefore shut down the danger point.
The following are prime examples of this type of safety sensor:
• EMERGENCY STOP switch
• Guard door switch
• Safety light grids/safety P.E. sensors
• OK switch/JOG button
• Speed monitoring system
• …

The safety sensors in KRONES machines are normally always evaluated redundantly. Both channels of the safety sensors are diagnosed by a safety logic circuit as follows:
EMERGENCY STOP and guards
The following illustration shows an example of the redundant connection of an EMERGENCY STOP switch and a guard door switch. The signals are registered by safety-related inputs.

Figure 5: Redundant connection of EMERGENCY STOP switch/guard door switch
1 EMERGENCY STOP switch
2 Guard door switch
3 Safety-related input CH1
4 Safety-related input CH2

Inching function in set-up mode

The inching function is restricted to specially trained personnel. For this reason, the set-up mode can only be selected using the operating mode selector switch. This makes it possible to move the machine at a reduced speed while the protective device is open. The inching function can only be used in the area which is visible from the open protective device. If another guard door is opened in a non-visible area, the machine can no longer be jogged. The following example shows how this principle works, keeping in mind that guard door 1 must always remain closed. Guard door 2 can remain open in the set-up mode (operating mode selector switch) in order to receive an enable signal if the JOG button is pressed.

Figure 6: Inching function in set-up mode
1 Guard door 1
2 Guard door 2
3 Operating mode selector switch
4 JOG button
Speed monitoring in the set-up mode
In the set-up mode, the machine can only be moved at a reduced speed with the inching function. Depending on the requirements, this reduced machine speed is monitored at the drives in question. If the permissible limit speed is exceeded, the drives will be disconnected for safety-related reasons.

Figure 7: Speed monitoring in the set-up mode
1 Speed measurement
2 Motor
3 Frequency inverter with STO input
4 Safety-related output
5 Safety-related input CH2
6 Safety-related input CH1

4.1.2 Analysis
The safety logic circuit of a machine analyses the signals from the safety sensors. The sensors are checked, for instance, to determine whether they are operating properly. If they are faulty, they will be disconnected.
In addition, several signals (e.g. EMERGENCY STOP and guards) are combined in order to disconnect certain danger points with several signals or safety sensors.
At KRONES the following systems are used for the safety logic circuit, depending on the machine type:
• Safety control system/ASi safety
• Safety control system/safety PLC
• Safety relay
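As an added example (not code from the KRONES document), the following Python model ties together the chain described in 4.1, 4.1.1 and 4.1.2: two-channel sensor evaluation with channel diagnosis, the energyless state as the safe state, the set-up mode jogging rule (guard door 1 closed, guard door 2 may be open, JOG held) and the restart interlock from 3.6.4 (after a safety stop, a reset followed by a START command is required). The discrepancy tolerance of three cycles and the exact reset/START handling are assumptions for this example.

```python
"""Model of the safety logic chain (acquisition -> analysis -> reaction).

Added example, not KRONES code. Assumed behaviour: two-channel sensors,
a discrepancy tolerance of 3 cycles, and a restart interlock that needs a
reset followed by a START command before the drive may run again.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PRODUCTION = "Production"
    SETUP = "Set-up"


@dataclass
class TwoChannel:
    """One safety sensor read on two safety-related inputs (CH1/CH2).
    True = contact closed = not tripped; False is the energyless, SAFE state."""
    ch1: bool = True
    ch2: bool = True


@dataclass
class SafetyLogic:
    mode: Mode = Mode.PRODUCTION
    max_discrepancy_cycles: int = 3          # assumption for this example
    _discrepancy: dict = field(default_factory=dict)
    _faulted: set = field(default_factory=set)
    _reset_pending: bool = True              # power-up: reset required first
    _running: bool = False

    def sensor_ok(self, name: str, s: TwoChannel) -> bool:
        """Diagnose both channels; a sensor whose channels disagree for too
        long is latched as faulty and treated as tripped (disconnected)."""
        if name in self._faulted:
            return False
        if s.ch1 == s.ch2:
            self._discrepancy[name] = 0
            return s.ch1
        n = self._discrepancy.get(name, 0) + 1
        self._discrepancy[name] = n
        if n > self.max_discrepancy_cycles:
            self._faulted.add(name)
        return False                         # disagreeing channels never enable

    def cycle(self, estop: TwoChannel, door1: TwoChannel, door2: TwoChannel,
              jog: bool = False, reset: bool = False, start: bool = False) -> dict:
        """One evaluation cycle: returns the enable signal and the drive state."""
        estop_ok = self.sensor_ok("estop", estop)
        door1_ok = self.sensor_ok("door1", door1)
        door2_ok = self.sensor_ok("door2", door2)

        # Production: all guards closed. Set-up: door 2 (visible area) may be
        # open, door 1 must stay closed; the EMERGENCY STOP applies in both modes.
        if self.mode is Mode.PRODUCTION:
            enable = estop_ok and door1_ok and door2_ok
        else:
            enable = estop_ok and door1_ok

        if not enable:
            # Safety stop: the drive is switched off and the return of the
            # signal alone must not restart it (restart interlock).
            self._running = False
            self._reset_pending = True
        elif reset:
            self._reset_pending = False

        if enable and not self._reset_pending:
            if self.mode is Mode.SETUP:
                # Production is disabled; reduced-speed jog only while JOG is held.
                self._running = False
                drive = "jog" if jog else "off"
            else:
                if start:
                    self._running = True
                drive = "run" if self._running else ("jog" if jog else "off")
        else:
            drive = "off"

        return {"enable": enable, "drive": drive,
                "faults": sorted(self._faulted)}


def demo() -> list:
    """Constructed sequence: open guard door 2 during production, close it
    again, and show that reset + START is needed before the drive runs."""
    closed, opened = TwoChannel(True, True), TwoChannel(False, False)
    logic = SafetyLogic()
    states = []
    states.append(logic.cycle(closed, closed, closed, reset=True)["drive"])    # off
    states.append(logic.cycle(closed, closed, closed, start=True)["drive"])    # run
    states.append(logic.cycle(closed, closed, opened)["drive"])                # off
    states.append(logic.cycle(closed, closed, closed)["drive"])                # off
    states.append(logic.cycle(closed, closed, closed, start=True)["drive"])    # off
    states.append(logic.cycle(closed, closed, closed, reset=True)["drive"])    # off
    states.append(logic.cycle(closed, closed, closed, start=True)["drive"])    # run
    return states


if __name__ == "__main__":
    print(demo())
```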

4.1.3 Reaction
This refers to the actuators which turn OFF the danger points. This can be, for instance, the stopping of a hazardous movement or the reduction of hazardous pressure in a line.

The following are prime examples of this type of actuator:

• Frequency inverters of conventional and servo drive systems (STO function of frequency inverter)
Figure 8: Frequency inverter of conventional and servo drive systems

• Contactors for non frequency-controlled drive systems
Figure 9: Contactors for non frequency-controlled drive systems (single-channel)
Figure 10: Contactors for non frequency-controlled drive systems (double-channel)

• Pneumatic cylinder for mechanical movement
Figure 11: Pneumatic cylinder for mechanical movement

• Flap valves for media supply
Figure 12: Flap valves for media supply

Safety-relevant actuators in KRONES machines are designed to meet the requirements of the risk assessment. This usually results in two channels being disconnected, including a diagnosis of the channels, or in a single channel being disconnected.

4.2 Functional description of switching devices

The signal lines shown in red in the schematic represent the safety-related signal flow. This means that if a sensor trips, the wiring of the safety relays will trigger a safety-related disconnection of a hazardous drive (in this case the motor).

Figure 13: Functional description of switching devices
1 EMERGENCY STOP switch
2 Interlocking guard
3 Standard PLC
4 Safety relay (PILZ)
5 Frequency inverter
6 Safety-related input (e.g. STO)
7 Actuator
Line types: safety-related signal flow, standard bus system, standard signal flow

Application:
Suitable for simple safety systems. The reduced number of components means that this system is inexpensive and easy to maintain.

4.3 Functional description of ASi safety

The ASi bus system with the ASi safety protocol for the connection of safety and standard sensors is shown in yellow. The signal cables shown in red in the main circuit diagram illustrate the safety-related signal flow from the safety logic to the actuator. This means that if a sensor trips by virtue of the safety-related programming in the combined ASi safety device, this will trigger a safety-related disconnection of a hazardous drive.

Figure 14: Functional description of ASi safety
1 EMERGENCY STOP switch
2 Interlocking guard
3 Standard PLC
4 Combined ASi safety device
5 Safe output
6 Contact expansion module
7 Monitoring return circuit
8 Frequency inverter
9 Safety-related input (e.g. STO)
10 Actuator
Line types: safety-related signal flow, standard bus system, ASi bus system with ASi safety protocol

Application:
The ASi safety system is used for complex lines to reduce the wiring and maintenance effort and to offer an extensive, freely programmable safety system. As a result, additional safety-oriented functions are enabled, such as the set-up mode with guard doors open and extensive diagnostics if an error occurs.
This safety control system, separated from the standard PLC, is provided with password protection to prevent unauthorised changes.

4.4 Functional description of safety PLC

The signal cables shown in red in the main circuit diagram illustrate the connection of the safety-related sensors and actuators. These are wired on special input and output cards (shown in yellow). This means that if a sensor trips by virtue of the safety-related programming in the control system, this will trigger a safety-related disconnection of a hazardous drive.

Example of Siemens PLC

Figure 15: Functional description of safety PLC (example of Siemens)
1 EMERGENCY STOP switch
2 Interlocking guard
3 Standard PLC
4 Safety PLC
5 Connection
6 Safe input card
7 Safe relay output card
8 Frequency inverter
9 Safety-related input (e.g. STO)
10 Actuator
Line types: safety-related signal flow, standard bus system

Example of Rockwell PLC

Figure 16: Functional description of safety PLC (example of Rockwell)
1 EMERGENCY STOP switch
2 Interlocking guard
3 Safety and standard PLC
4 Connection
5 Safe input
6 Safe electrical output
7 Monitoring return circuit
8 Contact expansion module
9 Frequency inverter
10 Safety-related input (e.g. STO)
11 Actuator
Line types: safety-related signal flow, standard bus system

4.5 Function of the STO function of a frequency inverter

The STO (Safe Torque Off) function of a frequency inverter prevents a drive from starting up, in a safety-oriented manner. It is activated by interrupting the safe control signal at a frequency inverter terminal. It de-energises the drive, making it torque-free. This is achieved by galvanically separating the control pulses from the IGBT output stage. As a result, a rotating field is no longer generated and the drive cannot turn. The electrical power supply of the drive is interrupted; the drive is in a safe pulse lock. If the motor is still moving when the STO function is activated, an uncontrolled shutdown is carried out (Category 0 stop).
The STO function is suitable for minor interventions or for troubleshooting malfunctions. It does not represent a mains disconnection of the frequency inverter. Electrical work on the frequency inverter and its drive train may only be carried out with the mains isolated (master switch).

[Figure 17 (diagram not reproduced): components 1 to 5, 7 and 8 listed below, with the control signal 8 present at the IGBT driver]

Figure 17: Method of operation of STO function deactivated, drive active

[Figure 18 (diagram not reproduced): components 1 to 8 listed below, with the energy separation at 6 due to the missing control signal]

Figure 18: Method of operation of STO function activated, drive shut down safely

1 Frequency inverter
2 Control unit
3 IGBT driver
4 IGBT output unit/rotating field generation
5 Motor
6 Location of energy separation due to missing signal
7 Power supply
8 Control signal for the IGBT driver

4.5.1 Example of B&R frequency inverter

The control of the STO function of the B&R frequency inverter has a one-channel design according to the following schematic circuit diagram.
PL d or SIL 2 is achieved with these parameter settings:

[Figure 19 (schematic circuit diagram not reproduced); labels in the diagram: +24V, 0V, STO, Enable 1, Enable 2, COM (1), COM (3), B&R ACOPOSmulti]

Figure 19: STO parameter settings of B&R frequency inverter

4.5.2 Example of Danfoss frequency inverter

The control of the STO function of the Danfoss frequency inverter has a one-channel design according to the following schematic circuit diagram.
PL d or SIL 2 is achieved with these parameter settings:

[Figure 20 (schematic circuit diagram not reproduced); labels in the diagram: +24V, 0V, STO, D IN 37, COM, D IN 20, Danfoss FC 302]

Figure 20: STO parameter settings of Danfoss frequency inverter

4.5.3 Example of Allen Bradley frequency inverter

For Allen Bradley frequency inverters, the safe control of the STO function is necessarily carried out via two channels, in conjunction with a safe relay option card called "DriveGuard".
The control of the STO function of the Allen Bradley frequency inverter has a two-channel design according to the following schematic circuit diagram.
PL d or SIL 2 is achieved with these parameter settings:

[Figure 21 (schematic circuit diagram not reproduced); labels in the diagram: 0V, +24V, +24V, 0V, STO, Stopp 01, DCOM 04, 4, Safe-Off Option Card, PowerFlex]

Figure 21: STO parameter settings of Allen Bradley frequency inverter

4.6 Design and proof of control systems performance

In order to prove that the required performance level is reached, it is calculated using software. The data corresponding to the components is taken from the connection diagram. The values corresponding to the material numbers serve as the basis for the calculation.
The values of the individual components used to achieve a certain function, such as B10d, PFHd and SIL CL, are managed by KRONES AG in a database using the respective material numbers.
With the help of the software it is possible to prove that, in conjunction with their connection, the components meet the individually required performance levels.

4.6.1 Calculation of failure rate λ (EN ISO 13849-1)

$B_{10d} = \dfrac{B_{10}}{\text{Number of dangerous failures}}$ [1]

$MTTF_d = \dfrac{B_{10d}}{0.1 \cdot n_{op}}$ [Years]

$\lambda_D = \dfrac{1}{MTTF_d \cdot 8760\,\text{h}}$ $\left[\dfrac{1}{\text{h}}\right]$

4.6.2 Assessment of the probability of a dangerous failure per hour PFHd (EN 62061)

λ -> Architecture of the subsystem -> PFHd

Architecture A
Zero fault tolerance (hardware fault tolerance HFT = 0) without diagnostic function
Example: One relay

$\lambda_{DssA} = \lambda_{D1} + \dots + \lambda_{Dn}$

λD1 … λDn: Failure rate of TSE (subsystem element)
λDssA: Dangerous failure rate of TS (subsystem) with architecture A

Architecture B
One fault tolerance (hardware fault tolerance HFT = 1) without diagnostic function
Example: Two (redundant) relays connected in series

$\lambda_{DssB} = (1 - \beta)^2 \cdot \lambda_{D1} \cdot \lambda_{D2} \cdot T_1 + \beta \cdot \dfrac{\lambda_{D1} + \lambda_{D2}}{2}$

λD1 / λD2: Failure rate of TSE (subsystem element)
λDssB: Dangerous failure rate of TS (subsystem) with architecture B

Architecture C
Zero fault tolerance (hardware fault tolerance HFT = 0) with diagnostic function
Example: A positively driven relay with contact (diagnosis) with check-back signal

$\lambda_{DssC} = \lambda_{D1} \cdot (1 - DC_1) + \dots + \lambda_{Dn} \cdot (1 - DC_n)$

λD1 … λDn: Failure rate of subsystem element
λDssC: Dangerous failure rate of subsystem with architecture C

Architecture D
One fault tolerance (hardware fault tolerance HFT = 1) with diagnostic function
Example: EMERGENCY STOP switch with two positively driven contacts which are diagnosed in a control system (criss-cross comparison of contacts)

$\lambda_{DssD} = (1 - \beta)^2 \cdot \left\{ \left[\lambda_{D1} \cdot \lambda_{D2} \cdot (DC_1 + DC_2)\right] \cdot \dfrac{T_2}{2} + \left[\lambda_{D1} \cdot \lambda_{D2} \cdot (2 - DC_1 - DC_2)\right] \cdot \dfrac{T_1}{2} \right\} + \beta \cdot \dfrac{\lambda_{D1} + \lambda_{D2}}{2}$

λD1 / λD2: Failure rate of TSE (subsystem element)
λDssD: Dangerous failure rate of TS (subsystem) with architecture D
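The calculation chain of sections 4.6.1 and 4.6.2 carried through in code, as an added example that is neither the document's nor KRONES' calculation software. β (common cause failure factor), T1 (proof test interval or lifetime) and T2 (diagnostic test interval) are the EN 62061 parameters used in the formulas; every numeric input is a constructed sample value.

```python
"""Added example (not KRONES code): B10d -> MTTFd -> lambda_D -> subsystem
PFHd for the EN 62061 architectures A to D of section 4.6.2.
All numeric inputs below are constructed sample values."""

HOURS_PER_YEAR = 8760


def mttfd_years(b10d: float, n_op: float) -> float:
    """MTTFd = B10d / (0.1 * n_op); n_op = mean number of operations per year."""
    return b10d / (0.1 * n_op)


def lambda_d(mttfd: float) -> float:
    """lambda_D = 1 / (MTTFd * 8760 h), in 1/h."""
    return 1.0 / (mttfd * HOURS_PER_YEAR)


def pfhd_arch_a(lambdas):
    """Architecture A: HFT = 0, no diagnostics. The element rates simply add up."""
    return sum(lambdas)


def pfhd_arch_b(l1, l2, beta, t1):
    """Architecture B: HFT = 1, no diagnostics.
    beta: common cause failure factor (e.g. 0.02 for 2 %);
    t1: proof test interval or lifetime, in hours."""
    return (1 - beta) ** 2 * l1 * l2 * t1 + beta * (l1 + l2) / 2


def pfhd_arch_c(lambdas, dcs):
    """Architecture C: HFT = 0 with diagnostics. Each element's rate is
    reduced by its diagnostic coverage DC (0..1)."""
    return sum(l * (1 - dc) for l, dc in zip(lambdas, dcs))


def pfhd_arch_d(l1, l2, dc1, dc2, beta, t1, t2):
    """Architecture D: HFT = 1 with diagnostics.
    t2: diagnostic test interval in hours; t1 and beta as in architecture B.
    Detected double faults are exposed for T2/2, undetected ones for T1/2."""
    detected = l1 * l2 * (dc1 + dc2) * t2 / 2
    undetected = l1 * l2 * (2 - dc1 - dc2) * t1 / 2
    return (1 - beta) ** 2 * (detected + undetected) + beta * (l1 + l2) / 2


if __name__ == "__main__":
    # Constructed sample: an electromechanical element with B10d = 2,000,000
    # cycles, operated 100,000 times per year.
    mttfd = mttfd_years(2_000_000, 100_000)          # 200 years
    lam = lambda_d(mttfd)                            # about 5.7e-7 1/h
    twenty_years = 20 * HOURS_PER_YEAR               # T1 = 20 years in hours
    print(f"MTTFd = {mttfd:.0f} years, lambda_D = {lam:.3e} 1/h")
    print(f"A, one element:        {pfhd_arch_a([lam]):.3e} 1/h")
    print(f"B, two in series:      {pfhd_arch_b(lam, lam, 0.02, twenty_years):.3e} 1/h")
    print(f"C, DC = 90 %:          {pfhd_arch_c([lam], [0.9]):.3e} 1/h")
    print(f"D, DC = 99 %, T2 = 1 h: "
          f"{pfhd_arch_d(lam, lam, 0.99, 0.99, 0.02, twenty_years, 1):.3e} 1/h")
```

Running the sample shows why the structure matters: the same element lands in the PL d band alone (architecture A) but well below it once it is doubled and diagnosed (architecture D).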

4.6.3 Determination of required performance level (EN ISO 13849-1)

Performance level (PL)   Probability of dangerous failures per hour PFHd [1/h]   Safety integrity level (SIL)
a                        10^-5 <= PFHd < 10^-4                                    No corresponding level
b                        3*10^-6 <= PFHd < 10^-5                                  1
c                        10^-6 <= PFHd < 3*10^-6                                  1
d                        10^-7 <= PFHd < 10^-6                                    2
e                        10^-8 <= PFHd < 10^-7                                    3

The calculated PFHd value will only correspond to the PL if the required structural characteristics of all subsystems are met. The structural characteristics limit the PL or the SIL value which can be reached. It is therefore imperative that they be given consideration when the PL is being determined.

4.6.4 Example: Switching devices

[Figure 22 (connection diagram excerpts not reproduced); device tags shown: -F101, -F131, -F132, -T101, -F251, -F252, -F281]

Figure 22: Example of switching devices - as shown in connection diagram (excerpts)

Acquisition | Analysis | Reaction

Safety function:
Machine drive, protective device (separating type without secured locking) -- starts safety-related stop function of the machine drive.

Components used:

Device   Description                     Manufacturer   Type              EDV no.      PFHd       SILCL   T10d
-F101    Circuit breaker                 Schmersal      RSS36-D-ST-2823   0903050515   2.70E-10   3       20
-F131    Circuit breaker                 Schmersal      RSS36-D-ST-2823   0903050515   2.70E-10   3       20
-F132    Safety relay/basic device       PILZ           S4                0901474392   2.31E-09   3       20
-F251    Safety relay/basic device       PILZ           S4                0901474392   2.31E-09   3       20
-F252    Safety relay/time-delay relay   PILZ           S9                0901474396   2.14E-09   3       20
-F281    Safety relay/basic device       PILZ           S4                0901474392   2.31E-09   3       20
-T101    Frequency inverter              Danfoss        FC302             0900783835   1.00E-10   2       20

Calculated results:

Required PL   Achieved PL   Achieved SIL   PFHd       Status
d             d             2              9.31E-09   Fulfilled

4.6.5 Example: ASi safety

[Figure 23 (connection diagram excerpts not reproduced); device tags shown: -K422, -F101, -T101, -F251]

Figure 23: Example of ASi safety - as shown in connection diagram (excerpts)

Acquisition | Analysis | Reaction

Safety function:
Small infeed worm
Protective device (separating type without secured locking) -- starts safety-related stop function.

Components used:

Device   Description                         Manufacturer   Type                    EDV no.      PFHd       SILCL   T10d
-F101    Circuit breaker                     Schmersal      RSS36-ST-AS-2823        0903130201   5.13E-10   3       20
-K422    Safety control system/ASi safety    B&W            BWU2635                 0903730166   5.36E-09   3       20
-F251    Safety relay/expansion module       Pilz           S7                      0901474395   2.31E-09   3       20
-T101    Frequency inverter                  B&R            8BAC:KRO_I0055WD-1      0900783835   1.00E-10   2       20

Calculated results:

Required PL   Achieved PL   Achieved SIL   PFHd       Status
d             d             2              8.28E-09   Fulfilled

4.6.6 Example: Safety PLC (Siemens)

[Figure 24 (connection diagram excerpts not reproduced); device tags shown: -K512, -B101, -F-CPU, -K252, -T101]

Figure 24: Example of safety PLC (Siemens) - as shown in the connection diagram (excerpts)

Safety function:
Protective device (electrosensitive) -- starts a safety-related stop function.

Components used:

Device   Description                  Manufacturer   Type                     EDV no.      PFHd       SILCL   T10d
-B101    Safety light grid/transm.    Leuze          CPT14-1200/T1-10 m       0903715867   2.67E-08   3       --
-K512    Safe input                   Siemens        6ES7138-4FA05-0AB0       0903522789   1.00E-10   3       --
-F252    Safety controller            Siemens        6ES7151-7FA21-0AB0       0902861557   3.50E-10   3       --
-K512    Safe output/relay            Siemens        6ES7138-4FR00-0AA0       0901944692   1.00E-09   3       --
-T101    Frequency inverter           B&R            8ACP: 8V1320.001-2       0901889633   4.00E-09   2       --

Calculated results:

Required PL   Achieved PL   Achieved SIL   PFHd       Status
d             d             2              3.22E-08   Satisfied

4.6.7 Example: Safety PLC (Rockwell)

[Figure 25 (connection diagram excerpts not reproduced); device tags shown: -CPU204, -LS101, -IO014, -AFD101, -IO028, -CR251]

Figure 25: Example of safety PLC (Rockwell) - as shown in the connection diagram (excerpts)

Acquisition | Analysis | Reaction

Safety function:
Machine drive
EMERGENCY STOP -- controlled stopping in an emergency (stop category 1)

Components used:

Device    Description                   Manufacturer   Type             EDV no.      PFHd       SILCL   T10d
-LS101    Circuit breaker/interlock     Rockwell       TLS1-GD2         0902124793   1.00E-08   2       20
-IO014    Safe input                    Rockwell       1734-IB8S        0902463175   1.34E-10   3       20
-CPU204   Safety controller             Rockwell       1756-L72S&LSP    0902928990   1.20E-09   3       20
-IO028    Safe output/double channel    Rockwell       1734-OB8S        0902463096   1.38E-10   3       20
-CR251    Safety relay/basic device     Rockwell       440R-N23126      0900532638   1.45E-09   3       20
-AFD101   Frequency inverter            Danfoss        FC302            0901754857   1.00E-10   2       20

Calculated results:

Required PL   Achieved PL   Achieved SIL   PFHd       Status
d             d             2              1.30E-08   Fulfilled
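How the "Calculated results" rows of sections 4.6.4 to 4.6.7 follow from the table in section 4.6.3, as an added example that is not the document's or KRONES' calculation software. It sums the subsystem PFHd values, reads the PL and SIL off the 4.6.3 table, and then applies the structural limit described there as the lowest SIL CL among the subsystems (an assumption of this example, consistent with the frequency inverter's SIL CL 2 yielding SIL 2 / PL d in every listed example); PFHd values below the table's lowest bound are treated as PL e capability (also an assumption). The component data are those of the ASi safety example in section 4.6.5.

```python
"""Added example (not KRONES code): PFHd -> PL/SIL per section 4.6.3 with the
structural SIL CL cap, applied to the section 4.6.5 component data."""

# PFHd bands from section 4.6.3: (PL, lower bound, upper bound, SIL)
PL_TABLE = [
    ("a", 1e-5, 1e-4, None),
    ("b", 3e-6, 1e-5, 1),
    ("c", 1e-6, 3e-6, 1),
    ("d", 1e-7, 1e-6, 2),
    ("e", 1e-8, 1e-7, 3),
]
PL_ORDER = "abcde"
# Best PL reachable for a given SIL, read off the same table (assumption of
# this example: the SIL CL of a subsystem caps the achievable SIL and PL).
MAX_PL_FOR_SIL = {1: "c", 2: "d", 3: "e"}


def pl_from_pfhd(pfhd: float):
    """Return (PL, SIL) for a PFHd value, or (None, None) above the PL a band.
    Values below 1e-8 are not listed in section 4.6.3; they are treated as
    PL e capability here (assumption of this example)."""
    if pfhd >= 1e-4:
        return None, None
    if pfhd < 1e-8:
        return "e", 3
    for pl, low, high, sil in PL_TABLE:
        if low <= pfhd < high:
            return pl, sil
    return None, None  # not reachable, all bands are covered above


def assess_safety_function(components, required_pl: str) -> dict:
    """components: list of (tag, PFHd in 1/h, SIL CL). The subsystem PFHd
    values are summed (acquisition, analysis and reaction in series), then
    the result is limited by the smallest SIL CL among the subsystems."""
    total = sum(pfhd for _, pfhd, _ in components)
    pl, sil = pl_from_pfhd(total)
    if pl is None:
        return {"pfhd": total, "achieved_pl": None, "achieved_sil": None,
                "status": "Not fulfilled"}
    sil_cap = min(sil_cl for _, _, sil_cl in components)
    if sil is not None and sil_cap < sil:
        sil = sil_cap                      # structural limit wins over PFHd
        pl = MAX_PL_FOR_SIL[sil_cap]
    fulfilled = PL_ORDER.index(pl) >= PL_ORDER.index(required_pl)
    return {"pfhd": total, "achieved_pl": pl, "achieved_sil": sil,
            "status": "Fulfilled" if fulfilled else "Not fulfilled"}


# Values copied from the section 4.6.5 table: (tag, PFHd in 1/h, SIL CL).
ASI_SAFETY_EXAMPLE = [
    ("-F101", 5.13e-10, 3),
    ("-K422", 5.36e-9, 3),
    ("-F251", 2.31e-9, 3),
    ("-T101", 1.00e-10, 2),
]

if __name__ == "__main__":
    result = assess_safety_function(ASI_SAFETY_EXAMPLE, "d")
    print(f"PFHd = {result['pfhd']:.2e} 1/h, PL {result['achieved_pl']}, "
          f"SIL {result['achieved_sil']}: {result['status']}")
```

The point a practitioner should take from the run: the summed PFHd of 8.28E-09 alone would suggest PL e, and it is the SIL CL 2 frequency inverter that limits the achieved level to PL d / SIL 2, exactly as the document's result row states.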

5 Checking/maintenance of safety functions

5.1 Checking by KRONES

Before the machine is delivered and commissioned, the safety functions are checked using the appropriate work instructions and the results are recorded in the test protocol and then archived.
Work instructions and test reports appropriate for the control system of the machine are used.

For start-up at the KRONES plant or for commissioning at the customer's facilities:

Component: Safety components
Position: Entire machine
Inspection criteria: Inspection criteria according to work instructions
Work: Safety functions according to work instructions; compile a report

Figure 26: Example of work instructions
Figure 27: Example of test report
Checking the "EMERGENCY STOP switch" safety function - excerpt from the work instructions:

Setting the key switch to the production mode:
- Close all guard doors.
- Make sure that no EMERGENCY STOP switch has been pressed.
- Turn the machine on.
- Press each "individual" EMERGENCY STOP switch one after the other. Check the functions according to the following table.
- Check all of the malfunction warnings and help messages on the touch-screen (if provided).
- Visual inspection:

Safety switching device (basic device):
K1 IN1, IN2: LED turned OFF
K2 IN1, IN2: LED turns OFF, machine EMERGENCY STOP
K3 IN1, IN2: LED turns OFF after a 3.0 second delay
K4 IN1, IN2: LED ON
K5 IN1, IN2: LED turns OFF after a 3.0 second delay
K8 IN1, IN2: LED ON

Contact expansion module (if provided):
K1 IN1, IN2: LED turned OFF
K2 IN1, IN2: LED turns OFF, machine EMERGENCY STOP
K3 IN1, IN2: LED turns OFF after a 3.0 second delay
K4 IN1, IN2: LED ON
K5 IN1, IN2: LED turns OFF after a 3.0 second delay
K6 IN1, IN2: LED ON

Turn the key switch to the "Set-up mode":
- Close all guard doors.
- Make sure that no EMERGENCY STOP switch has been pressed.
- Turn the machine on.
- Press each "individual" EMERGENCY STOP switch one after the other. Check the functions according to the following table.
- Check all of the malfunction warnings and help messages on the touch-screen (if provided).
- Visual inspection:

Safety switching device (basic device):
K1 IN1, IN2: LED ON
K2 IN1, IN2: LED turns OFF, machine EMERGENCY STOP
K3 IN1, IN2: LED turns OFF after a 3.0 second delay
K4 IN1, IN2: LED ON
K5 IN1, IN2: LED turns OFF after a 3.0 second delay
K8 IN1, IN2: LED ON

Contact expansion module (if provided):
K1 IN1, IN2: LED ON
K2 IN1, IN2: LED turns OFF, machine EMERGENCY STOP
K3 IN1, IN2: LED turns OFF after a 3.0 second delay
K4 IN1, IN2: LED ON
K5 IN1, IN2: LED turns OFF after a 3.0 second delay
K6 IN1, IN2: LED ON

Inputs/outputs which are not used cannot be tested. To find out which outputs are used on the machine in question, see the connection diagram.

5.2 Maintenance

In order to maintain the defined performance of the safety-related parts, regular preventive maintenance or servicing is necessary.
- The preventive maintenance must be done by trained professionals.
- For the instructions on preventive maintenance (including periodic inspections), see the documentation of the safety-related parts used.
- To find the information required for troubleshooting and the replacement of internal parts, see in particular the respective documentation of the safety-related parts used and the connection diagram of the machine.
- Use only original parts.

Regular maintenance at the customer's facilities:

Component: Safety components
Position: Entire machine
Inspection criteria: Inspection criteria according to the information provided in the operating manual
Work: Safety functions according to the information provided in the operating manual

Figure 28: Example of "Interval: Before starting production; Check the safety and protective devices"
Figure 29: Example of "Interval: Every 6,000 operating hours or at the latest after one year; Have a safety inspection conducted"

6 Glossary

6.1 Technical terms and abbreviations

This section contains technical terms and abbreviations from EN ISO 13849-1 and EN IEC 62061 as well as the corresponding definitions.

Designation: Definition

SRP/CS (the safety-related part of a control system): The part of a control system that responds to safety-related input signals and generates safety-related output signals.
Category: Classification of the safety-related parts of a control system with respect to their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability.
Error: State of an item characterised by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.
Failure: Termination of the ability of an item to perform a required function.
Dangerous failure: Failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state.
CCF (common cause failure): Failures of different items, resulting from a single event, where these failures are not consequences of each other.
Systematic failure: Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.
Muting: Temporary automatic suspension of a safety function(s) by the SRP/CS.
Manual reset (note: corresponds to "RESET"): Function within the SRP/CS used to restore manually one or more safety functions before re-starting a machine.
Hazard: Potential source of harm.
Hazardous situation: Circumstance in which a person is exposed to at least one hazard, the exposure having immediately or over a long period of time the potential to result in harm.
Risk: Combination of the probability of occurrence of harm and the severity of that harm.
Residual risk: Risk remaining after protective measures have been taken.
Risk assessment: Overall process comprising risk analysis and risk evaluation.

Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.
Risk evaluation: Judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved.
Intended use of a machine: Use of the machine in accordance with the information provided in the instructions for use.
Reasonably foreseeable misuse: Use of a machine in a way not intended by the designer, but which may result from readily predictable human behaviour.
Safety function: Function of the machine whose failure can result in an immediate increase of the risk(s).
Monitoring: Safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated.
PES, PLC (programmable electronic system): A system for control, protection or monitoring dependent for its operation on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, contactors and other output devices.
PL (performance level): Discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions.
PLr (required performance level): Performance level (PL) applied in order to achieve the required risk reduction for each safety function.
MTTFd (mean time to dangerous failure): Expectation of the mean time to dangerous failure.
DC (diagnostic coverage): Measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures.
Protective measure: Measure intended to achieve risk reduction.
TM (mission time): Period of time covering the intended use of an SRP/CS.
rt (test rate): Frequency of automatic tests to detect faults in an SRP/CS, reciprocal value of diagnostic test interval.
rd (demand rate): Frequency of demands for a safety-related action of the SRP/CS.
rr (repair rate): Reciprocal value of the period of time between detection of a dangerous failure by either an online test or obvious malfunction of the system and the restart of operation after repairs or system/component replacement.
T10d (operating time): The operating time of the component is the time until 10 % of the components fail dangerously.

SIL (safety integrity level): Discrete level (one of four possible ones) for specifying the safety integrity of the safety functions which are assigned to the E/E/PE safety-related system. Safety integrity level 4 is the highest level and safety integrity level 1 is the lowest.
PFHd: Mean probability of a dangerous failure per hour of a safety-related system/subsystem which performs defined safety functions over a specified period of time.
SIL CL (SIL claim limit, for a subsystem): Maximum SIL which can be claimed for an SRECS subsystem with regard to the structural limits and systematic safety integrity.
STO (safe torque off): Safely disconnected torque. The motor is not supplied with any power able to cause movement. The drive system does not supply the motor with any power able to generate torque (or force). This safety function corresponds to uncontrolled stopping (according to EN 60204, Stop Category 0) and can be used when disconnection of the power is required to prevent an unexpected start.