
DAIMLERCHRYSLER

MANUFACTURING TECHNICAL INSTRUCTIONS - SAFETY

Subject: Control Reliability for Machinery & Equipment

ISSUE DATE: January 3, 2005
EFFECTIVE DATE: January 31, 2005
REVIEW DATE:
SERIES & NO.: SMI-162

I. PURPOSE

To establish Chrysler Group (DCX/CG) corporate direction and identify requirements to ensure that manufacturing
machinery, equipment, and systems meet control reliability industry standards.

II. REFERENCES

Federal and State Occupational Safety and Health Requirements
ANSI/RIA 15.06(1999) Industrial Robots and Robot Systems Safety Requirements
ANSI B11.19-2002 Performance Criteria for Safeguarding
ANSI Z244.1-2003 Control of Hazardous Energy Lockout/Tagout and Alternative Methods
NFPA 79, Electrical Standard for Industrial Machinery (2002)
MTI SMI-107, Control of Hazardous Energy (Lockout)
MTI SMI-109, Safeguarding of Robots and Robot Systems
MTI SMI-145, Automation Safeguarding Requirements for Design, Construction, Manufacturing and Installation of
Automated Systems
IEC 60947 Low-voltage Switchgear and Control
EN-954, Safety of Machinery – Safety-related Parts of Control Systems

III. FUNCTIONS AFFECTED

Plant Manufacturing Engineering
Plant Facilities Engineering
Plant Production Engineering
Plant Material Handling Engineering
Plant Safety

IV. OPERATIONS AFFECTED

DaimlerChrysler/Chrysler Group (DCX/CG) and Subsidiaries

V. DEFINITIONS

1. Control Reliability
The capability of the machine control system, the safeguarding, other control components and related interfacing to
achieve a safe state in the event of a failure within their safety related functions. When a failure condition is
detected, the machine is halted and the next successive cycle is prevented until the failure is corrected.

S A F E T Y
Page 1 of 6
2. Diagnostics
The reporting and displaying of the status of the circuit or device that is doing the monitoring.
Note: The type of device(s) selected may determine the level of diagnostics available for display.

3. Hardwired
The portion of a circuit consisting of only electro-mechanical components. Its operation shall not depend on
electronic logic (hardware or software) or the transmission of commands over a communications link.

4. Industrial Rated
Components that are listed by a National Recognized Testing Laboratory (NRTL) to meet the requirements of UL
508 Standard for Safety of Industrial Control Equipment or the appropriate part of IEC 60947 Low-voltage
Switchgear and Control gear and also meets the requirements of NFPA 79 Electrical Standard for Industrial
Machinery.

5. Kit
An engineered package that may include loose or assembled components that when installed into an existing system
alters the “As Designed” safety circuits.

6. Monitoring
Self checking of a circuit or device. Monitoring may be accomplished using hardware, software, or firmware based
devices.

7. Refurbish
The repair of equipment or systems to their original specification without modification. [R15.06]

8. Remanufacture
The engineering or modification of existing equipment or systems to a new or a revised specification. [R15.06]

9. Safety Related Function
That portion of the control system that detects and either eliminates or reduces the exposure to a hazard.

10. Safety Rated Device
Any device that has been tested by a Nationally Recognized Testing Laboratory (NRTL), or proven to operate in a
reliable and acceptable fashion, when used in a safety related function of the system. [R15.06]

11. Safety PLC
A software and firmware-based controller designed such that any single safety related component or firmware failure
shall lead to the shutdown of the system in a safe state and prevent subsequent automatic operation until the
component failure has been corrected. A safety PLC is certified by a Nationally Recognized Testing Laboratory
(NRTL) to an approved standard applicable for safety devices.

12. Safety Relay
A hardwired safety device that will initiate an immediate stopping action command, or shall not prevent normal
stopping action from taking place, when a stopping command is initiated, when a single safety related component
within the module fails, or when a single abnormal input condition occurs where two or more inputs are used.

VI. RESPONSIBILITY

Each division within DCX/CG shall be responsible for ensuring the requirements of this section are enforced
through reference drawings and design guidelines.

VII. SAFETY RELATED FUNCTIONS

This SMI complies with the following government and industry consensus standards: Federal and State OSHA
requirements, ANSI B11.19-2002, and ANSI Z244.1-2003.
Safety related functions shall be implemented using one of two methods, dual channel monitored or single channel
PLC logic validation.

Both methods shall be designed, constructed, and applied so that any single failure shall
• not prevent the stopping action of the equipment or system,
• detect the fault at the time of failure,
• generate a stop signal, and
• prevent the re-initialization of the system until the fault is corrected.

In the presence of a failure, the user shall be responsible to ensure that the repetitive manual reset of the system or
device is not used for production operation.

The selection of which method is applicable to the specific system is determined by the specific safety related
function as stated below.

VIII. FUNCTIONALITY COMPLIANCE AND RISK ASSESSMENT

This SMI provides a listing of the most common safety related devices and functions for control reliability as shown
in Appendix “A” (Safety Related Devices, Functions & Methods Chart). Analysis of these circuits and devices was
accomplished using risk assessment and evaluation of multiple safety related functions.

Not all safety related circuits are required to be control reliable. Industry standards allow risk assessments to be
conducted to determine circuit requirements.

The method of implementation for control reliability shall conform to the chart in Appendix “A”.

Risk assessments shall be performed for functions and devices not covered by Appendix A (EN 954).

IX. DUAL CHANNEL MONITORED

Control reliable circuits for the highest risk level shall be dual channel (both of which are hardwired) with
monitoring.
A control reliable dual channel hardwired circuit of industrial-rated components using a safety relay or safety PLC
(which is used in concert with a safety field bus and safety rated devices), to ensure integrity and performance of the
safeguarding system, shall be designed to ensure protection equivalent to a mechanical disconnect switch or master
shut off valve.

The level of diagnostics displayed will be determined by the components used.

X. HARDWIRED SINGLE CHANNEL WITH PLC LOGIC VALIDATION

Hardwired single channel with PLC logic validation is a dual channel circuit (one of which is hardwired) of
industrial rated components that is self-checking or monitored through the use of a safety relay or a PLC to ensure
the integrity and performance of the control circuits. These systems typically have redundant interlock switch safety
contacts, redundant isolation through positively guided electro-mechanical relays, and are monitored or self-checking
through a safety relay or a PLC that is designed and installed to a high level of integrity through the selection of
robust components.

Hardwired single channel circuits with PLC logic validation may be used for some safety related functions per
Appendix A, or based on a risk assessment as described in Section VIII.

The level of diagnostics displayed will be determined by the components used.
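As an added illustration (not part of SMI-162 or any DCX/CG design standard), the following scan-cycle model shows the four Section VII properties of a dual channel monitored function from Sections IX and X: a single open channel always drops the output, a persistent channel discrepancy or a failed output readback is detected when it occurs, a stop is generated and latched, and no reset succeeds until the fault is corrected. The channel names, the three-scan discrepancy window and the fault strings are assumptions of the model.

```python
"""Model of a dual channel monitored safety function (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional

DISCREPANCY_SCANS = 3   # assumed window: the two channels must agree within 3 scans


@dataclass
class DualChannelMonitor:
    run_permit: bool = False            # energized only while both channels are closed
    fault: Optional[str] = None         # latched fault, cleared only by a valid reset
    disagree_scans: int = 0
    events: List[str] = field(default_factory=list)

    def scan(self, ch1: bool, ch2: bool, readback: bool) -> bool:
        """One controller scan. ch1/ch2: True = interlock contact closed.
        readback: True = the output contactor agrees with run_permit.
        Returns the run-permit output after this scan."""
        # 1. A single open channel always drops the output: stopping is never prevented.
        if not (ch1 and ch2):
            self.run_permit = False
        # 2. Detect the fault when it occurs: persistent disagreement or a readback mismatch.
        self.disagree_scans = self.disagree_scans + 1 if ch1 != ch2 else 0
        if self.disagree_scans > DISCREPANCY_SCANS:
            self._trip("channel discrepancy")        # e.g. one welded interlock contact
        if not readback:
            self._trip("output readback mismatch")   # e.g. a welded output contactor
        return self.run_permit

    def _trip(self, reason: str) -> None:
        # 3. Generate the stop signal and latch the first fault seen.
        self.run_permit = False
        if self.fault is None:
            self.fault = reason
            self.events.append(reason)

    def reset(self, ch1: bool, ch2: bool, fault_corrected: bool = False) -> bool:
        """Manual reset; returns True only if the output was re-enabled."""
        # 4. No re-initialization until the fault is corrected and both channels are closed.
        if (self.fault is not None and not fault_corrected) or not (ch1 and ch2):
            return False
        self.fault, self.disagree_scans, self.run_permit = None, 0, True
        return True


def demo():
    """Healthy start, then channel 2 sticks closed while the gate opens channel 1."""
    m = DualChannelMonitor()
    m.reset(True, True)
    out = [m.scan(True, True, True)]                          # running
    out += [m.scan(False, True, True) for _ in range(5)]      # stops at once, fault latched
    out.append(m.reset(False, True))                          # refused: fault not corrected
    out.append(m.reset(True, True, fault_corrected=True))     # switch replaced, reset accepted
    return out, m.events
```

Note that the repetitive manual reset the SMI forbids for production would show up here as repeated `reset` calls without `fault_corrected`, every one of which is refused.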

XI. NEW SYSTEMS OR EQUIPMENT

Designs of new systems or equipment including OEM pre-designed, commodity, or "black box" systems, shall
utilize the applicable dual channel monitored or single channel PLC logic validation methods. Use of Logic
Validation (one hardwired circuit with redundant software back checking) as a means to meet control reliability
requirements must be phased out for some circuits (per Appendix A) in new systems to begin production for 2007
model year and later programs.
The decision to use hardwired based devices or safety PLCs for the dual channel monitored method depends on the
following factors:
• Cost effectiveness
• Asset reallocation
• Control design standardization
• Operational considerations

XII. MULTIPLE SAFETY RELATED FUNCTIONS

Where multiple safety related functions overlap, the application shall include but is not limited to at least one dual
channel monitored safety related function. The selection is applicable to the operational conditions.

XIII. REMANUFACTURE OF EXISTING EQUIPMENT

The remanufacture of existing equipment or systems shall also ensure the safety related functions of the system meet
the requirements of new equipment or systems.

XIV. EXISTING, REFURBISHED OR KITTED SYSTEMS

The requirement of dual channel with monitoring does not apply to existing, refurbished or kitted systems, and does not
require existing processes to be converted. However, in systems in which the safety circuits are not altered, the
equipment and processes must continue to meet "As designed" safety requirements.

In existing, refurbished or kitted systems in which safety circuits are altered, the added portion of the circuit must be
designed to meet either hardwired single channel with PLC logic validation or dual channel monitored.

XV. TRAINING AND COMMUNICATION

Training shall be provided to ensure that the purpose and function of this SMI is understood by employees. The
training shall include the following:

- Definition of Control Reliability
- Definition of Dual Channel Monitored vs. Hardwired Single Channel with PLC Logic Validation
- How to recognize compliance
- Conducting Risk Assessments (EN-954) when required

APPENDIX "A" Safety Related Devices, Functions, and Methods Chart

Method columns of the chart: Not Required to be Control Reliable; Control Reliable, Hardwired Single Channel PLC
Logic Validation; Control Reliable, Dual Channel Monitored. Each row carries a single X marking the applicable method
column.

No. Device/Circuit: Functionality. Method
1. Safety Pin Position Indicator: A circuit used to monitor the position of a mechanical safety pin (In/Out). X
2. Safety Pin Interlock: A device used to disconnect control power (MR) to only the power interface panel to which the
interlock is wired. X
3. E-stop: A device using hardwire based components that overrides all other robot and related equipment controls,
removes all drive power, and causes all moving parts to stop. X
4. Light Screen/PLS, Safety Mats: Devices used to detect entry into a restricted or hazardous area. X
5. Pinch Point: Devices/circuits used to remove drive power when the device/circuit is violated. X
6. Safety Gate: A device used to allow entry into a line and/or machine. X
7. Cycle Stop: A controlled shut down of a device, station, or zone that de-energizes the automatic mode and removes
power to all robot and transfer drives while permitting selected local manual operations including robot teach. X
8. Perimeter Zone: A circuit, which is active at all times, used to detect the violation of a restricted area during a
"clear to enter/automatic mode" condition. X
9. Work Zone Safe: A circuit used to protect the operator and condition any automation in the station. X
10. Master Relay: Circuit used to turn power on/off. X
11. Motion Enable: Circuit used to condition motion outputs. X
12. Enabling Circuit/Device: A device/circuit used to allow and/or inhibit hazardous motion. X
13. Teach Permissive: A circuit used to allow "teaching capability" to Robots. X
14. Position Sensors/Zone Switches: Devices used to indicate the position of tooling, turntables, robots, etc. X
15. Zero Speed Sensors/Solid State Timers: Devices used to sense the absence of rotary and/or hazardous motion. X
16. Clutch Brake Circuit: A device and/or circuit used to control the starting and stopping of machinery with
continuously rotating output motion. X

XVI. CHANGE HISTORY

Document Revision History:

Revision:
Date of Last Revision: 5/21/2004
Last Approval Date: 2/15/2005
Document Author: DaimlerChrysler Corporation
Process Owner/Document Manager: DaimlerChrysler Corporation
Reason for Change: New release

Revision / Sec/Para Changed / Change Made / Date: (no entries)
