Step 3: Selecting the required safety type of optoelectronic protective device

The optoelectronic protective device is a component of the safety-related part of the machine control system and a component in the effective chain of a partial safety function consisting of sensor, control unit and actuator. From the risk assessment (graph) in accordance with EN ISO 13849‑1 or EN IEC 62061, the designer determines the safety-related performance required for the risk minimization for this partial safety function (see chapter 2.4 Safety-related parts of control systems or 3.4 Control Reliability, page 29). Regardless of the control system applied, the achieved level of safety-related performance (category, PL, SIL) of the entire safety function is always less than or equal to the lowest value (category, PL, SILCL) of one of its partial systems. Put simply, the chain is therefore as strong as its weakest link.

Optoelectronic protective devices have different safety-related capacities, depending on the detection principle and the internal technical setup. EN IEC 61496 and UL 61496 "Safety of machinery – Electro-sensitive protective equipment" define 3 different types of active optoelectronic protective devices (AOPD), which differ in their effectiveness and frequency of error detection, i.e. their safety-related performance. The following table 4.2.1-1 shows the requirements of this standard. For applications in the USA it must be determined which OSHA / ANSI control reliability requirement is relevant for the respective application case (observe machine-specific and regional specifications!) – see chapter 3 and 3.4, page 29). The corresponding AOPD type must then be selected.

AOPD type according to IEC / EN / UL 61496Functional safety (control reliability) of AOPDs in accordance with
IEC / EN / UL 61496 and requirements for the effectiveness and frequency of the error detection
Type 2A type 2 AOPD shall have means for a periodic test. A loss of the protective function between the tests is possible if a fault occurs.
A fault shall be detected
  • immediately
  • either with the next periodic test
  • or with activation of the sensor component
and must result in the switching off of at least one AOPD output.
Type 3
(Only defined for Safety Laser Scanners)
Despite a single fault the protective function of a type 3 AOPD is maintained. An accumulation of faults can lead to loss of the safety function.
A single fault that causes the loss of the detection capability shall be detected
  • immediately
  • either with activation of the sensor function,
  • with switching on/switching off
  • with start/restart interlock reset (if available)
  • or with an external test (if available)
and shall result in the AOPD outputs being switched off.
A single fault that impairs the detection capability shall be detected within the time specified in the relevant part of EN IEC 61496 (5 seconds for Safety Laser Scanners). With the non-detection of the first fault, a second fault may not result in the loss of the protective function.
Type 4With the occurrence of several faults the protective function of a type 4 AOPD is also maintained.
A single fault that causes the loss of the sensor detection capacity shall be detected
  • within the AOPD response time
and result in the outputs being switched off.
A single fault that impairs the response time or the switching off capacity of one of the AOPD outputs shall result in the AOPD outputs being switched off either
  • within the specified AOPD response time
  • with addressing the sensor component,
  • with switching on/switching off
  • or with the resetting (reset)
Table 4.2.1-1: Types and functional safety (control reliability) of electro-sensitive protective equipment in accordance with EN IEC 61496 and UL 61496.