Manual
P/N 116390 rev. C 21
Banner Engineering Corp. • Minneapolis, U.S.A.
www.bannerengineering.com • Tel: 763.544.3164
MMD-TA-11B / MMD-TA-12B Muting Module
Instruction Manual
System Installation
3.5.6 SSI and MSSI Interfacing
The Safety Stop Interface (SSI) provides easy integration of
safeguards. This interface consists of two input channels (A
and B), which are compatible with Banner Engineering safety
devices that have solid-state OSSD outputs or other devices with
sourcing +24V dc outputs. SSI is also compatible with devices
that have normally open hard contacts or relay outputs (voltage-
free).
The Muteable Safety Stop Interface (MSSI) input is a specialized
SSI that can be muted during the non-hazardous portion of the
machine cycle.
The input channels (A and B) must meet a simultaneity
requirement of 3.0 seconds upon closing and opening. A
mismatch of more than 3.0 seconds will result in a lockout. A
lockout that is due to a failure to meet simultaneity requirements
can only be cleared by:
1. Cycling the MSSI (or the SSI, depending on which failed) with
simultaneity being met, and then
2. If the Module is configured for Manual Reset, performing a
reset routine (see Section 1.3).
The MSSI and the SSI can be interfaced with devices with solid-
state OSSD outputs, safety interlocking switches, E-stop buttons,
rope/cable pull devices, and other machine control devices that
switch +24Vdc. To be interfaced with a safety mat, a safety mat
controller must be connected between the mat and the interface
(see Figure 3-22).
NOTE:
If the SSI is not to be used, the input channels must be
jumpered. See Section 3.4.
Depending on the level of risk associated with the machine or
its operation, an appropriate level of safety circuit performance
(i.e., integrity) must be incorporated into the design. Standards
that detail safety performance levels include ANSI/RIA
R15.06 Industrial Robots, ANSI B11 Machine Tools, OSHA
29CFR1910.217 Mechanical Power Presses, and ISO 13849-1
(EN954-1) Safety-Related Parts of a Control System.
Safety Circuit Integrity Levels
Safety circuits in International and European standards have
been segmented into categories, depending on their ability
to maintain their integrity in the event of a failure. The most
recognized standard that details safety circuit integrity levels
is ISO 13849-1 (EN954-1), which establishes five levels:
Categories B, 1, 2, 3, and the most stringent, Category 4.
In the United States, the typical level of safety circuit integrity
has been called ”control reliability.” Control reliability typically
incorporates redundant control and self-checking circuitry and
has been loosely equated to ISO 13849-1 Categories 3 and 4
(see CSA Z432 and ANSI B11.TR4).
If the requirements described by ISO 13849-1 (EN954-1) are
to be implemented, a risk assessment must first be performed
to determine the appropriate category, in order to ensure that
the expected risk reduction is achieved. This risk assessment
must also take into account national regulations, such as U.S.
control reliability or European “C” level standards, to ensure that
the minimum level of performance that has been mandated is
complied with.
Fault Exclusion
An important concept within the category requirements of ISO
13849-1 (EN954-1) is the “probability of the occurrence of the
failure,” which can be decreased using a technique termed “fault
exclusion.” The rationale assumes that the possibility of certain
well-defined failure(s) can be reduced to a point where the
resulting fault(s) can be, for the most part, disregarded—that is,
“excluded.”
Fault exclusion is a tool a designer can use during the
development of the safety-related part of the control system
and the risk assessment process. Fault exclusion allows the
designer to design out the possibility of various failures and
justify it through the risk assessment process to meet the intent
requirements of Category 2, 3 or 4. See ISO 13849-1/-2 for
further information.
WARNING . . . SSI and MSSI Safety
Categories
The level of safety circuit integrity can be
greatly impacted by the design and installation of the safety
devices and the means of interfacing of those devices. A
risk assessment must be performed to determine the
appropriate safety circuit integrity level or safety category
as described by ISO 13849-1 (EN 954-1) to ensure that the
expected risk reduction is achieved and that all relevant
regulations are complied with.
WARNING . . . Emergency Stop
Functions
Do not connect any Emergency Stop devices
to the MSSI Input; do not mute or bypass any Emergency
Stop device. ANSI NFPA79 and IEC/EN 60204-1 require that the
Emergency Stop function remain active at all times. Muting or
bypassing the safety outputs will render the Emergency Stop
function ineffective.
3.5.6.1 Safety Circuit Integrity and ISO 13849-1 (EN954-1)
Safety Circuit Principles
Safety circuits involve the safety-related functions of a machine
that minimize the level of risk of harm. These safety-related
functions can prevent initiation, or they can stop or remove a
hazard. The failure of a safety-related function or its associated
safety circuit usually results in an increased risk of harm.
The integrity of a safety circuit depends on several factors,
including fault tolerance, risk reduction, reliable and well-tried
components, well-tried safety principles, and other design
considerations.