Safety Relays vs PLC Logic for Two-Hand Controls and Light Curtains on Industrial Presses

Comparing Dual Two-Hand Start and Single-Button + Light Curtain Architectures Under OSHA and ISO Control Reliability Requirements

Author: Fred Fisher — President, Validus Group Inc. | Industrial Automation & Embedded Systems
Domain: Industrial Controls, Machine Safety, Press Guarding Technical White Paper

Abstract

This white paper examines two common safeguarding architectures used to cycle industrial presses: (1) dual two-hand control actuators and (2) a single start button combined with a safety light curtain. Both are evaluated against OSHA 29 CFR 1910.217 mechanical power press requirements and the ISO 13849-1 / ISO 13851 family of functional safety standards.

The central conclusion is that while a conventional PLC can coordinate non-safety automation logic, the core safety functions for two-hand control and presence-sensing guarding must be implemented in control-reliable, safety-rated hardware—typically a dedicated safety relay or a certified safety controller. Relying exclusively on generic PLC ladder logic cannot, in practice, achieve the diagnostic coverage, fault tolerance, and validated Performance Level (PL) demanded for point-of-operation protection.

Practical implementation patterns are provided for both scenarios, including dual-channel wiring, monitored contactors and pneumatic valves, and test strategies that detect welded contacts, broken conductors, and defeated two-hand stations. The paper is written from the perspective of engineers responsible for upgrading legacy presses or justifying design decisions to management, safety, and regulatory stakeholders.

1.0

Introduction and Scope

Press operations remain some of the most hazardous tasks in manufacturing. Operators routinely work within inches of a closing slide or platen, with limited visibility and high repeatability of motion. Modern standards recognize that control-reliable hardware and validated safety functions are required to reliably prevent point-of-operation injuries.

This document focuses on two real-world start-and-guarding configurations commonly seen on mechanical or hydraulic presses:

Scenario A: Dual two-hand start buttons controlling a press stroke.
The operator must depress two palm buttons simultaneously to initiate motion and, depending on mode, may be required to hold them through the hazardous portion of the stroke.
Scenario B: Single start button with safety light curtain guarding.
A single-cycle start button commands motion; a presence-sensing device (light curtain) prevents a stroke when obstructed and stops the press if the sensing field is violated during the dangerous portion of the cycle.

In both scenarios, this paper assumes:

Part-revolution press or equivalent controllable drive whose motion can be stopped within a measurable and repeatable stopping time; and
A requirement that the control system be control reliable and achieve at least PL d under ISO 13849-1 for point-of-operation protection.

Key Question: Can a non-safety PLC (e.g., a standard compact controller) alone satisfy OSHA 1910.217 control reliability and ISO 13849-1 PL d/e requirements for these safety functions? The answer, in practice, is “no”—a dedicated safety relay or safety controller is required.

2.0

Regulatory and Standards Framework

2.1 OSHA 29 CFR 1910.217 – Mechanical Power Presses

OSHA 29 CFR 1910.217 is the principal U.S. regulation governing mechanical power presses. Among other topics, it defines acceptable point-of-operation devices, control reliability, and brake monitoring. Specifically:

Paragraph (c) covers point-of-operation safeguarding and lists acceptable guards and devices, including two-hand controls, two-hand trips, and presence-sensing devices.
Paragraph (c)(5) specifies when control reliability and brake monitoring are required: in particular, when devices such as two-hand controls or presence-sensing devices are used on presses where the operator’s hands can enter the point of operation.
Paragraph (b)(13) defines control reliability for press controls and requires that a failure within the control system must:
- not prevent stopping action from being initiated, and
- prevent initiation of a successive stroke until the failure is corrected.

Control Reliability (OSHA 1910.217(b)(13)) is not a vague concept; it is a specific requirement that failures be detected and that the system default to a safe condition (no stroke) until the fault is corrected and verified.

2.2 ISO 13849-1 – Safety-Related Parts of Control Systems

ISO 13849-1 defines the design principles and performance metrics for safety-related parts of control systems (SRP/CS), regardless of whether those parts are electrical, pneumatic, hydraulic, or mechanical. It introduces the concept of Performance Level (PL), ranging from PL a (lowest) to PL e (highest), and provides categories and diagnostic coverage requirements to achieve each level.

For press point-of-operation safeguarding using two-hand controls or presence-sensing devices, risk assessments typically drive a required performance level of PL d or PL e. Achieving these levels requires:

Redundant architectures (e.g., Category 3 or 4),
Systematic diagnostic coverage of foreseeable faults, and
Demonstrated reliability (MTTF_d) of SRP/CS components.

2.3 ISO 13851 – Two-Hand Control Devices

ISO 13851 specifies the safety requirements for two-hand control devices (THCD), including their functional behavior and fault avoidance. Core functional requirements include:

Simultaneity: The two actuators must be operated nearly simultaneously (e.g., within 0.5 s) to generate an output signal.
Continuous actuation: The safety output must be removed if either actuator is released during the hazardous movement.
Anti tie-down: The device must require both actuators to be released before a new cycle is allowed, preventing one button from being taped or mechanically held.
Fault avoidance and detection: The design must prevent or detect faults such as stuck contacts or short circuits, in line with ISO 13849-1 principles.

2.4 Safety Distance – ISO 13855 and OSHA Formulas

Both two-hand controls and light curtains must be placed at a safety distance so that the press can be brought to a stop before the operator can reach the danger zone. OSHA 1910.217 and ISO 13855 provide similar formulas based on:

Machine stopping time at the defined monitoring point, and
Assumed approach speed of the operator’s hands or body.

Safety distance calculations are part of the overall safety function validation and must be documented along with control-reliability evidence.

3.0

Scenario A: Dual Two-Hand Start Architecture

In Scenario A, the operator initiates a press stroke via two palm buttons located outside the point of operation. This configuration is appropriate when the operator’s hands must be on the actuators and cannot be within the danger zone during the hazardous portion of the stroke.

3.1 Safety Objective

The safety function can be stated as:

“When a stroke is initiated, the operator’s hands must remain on two spatially separated actuators. If either actuator is released or a fault occurs in the two-hand control circuit or final control elements, the press must fail to a safe condition (no stroke or immediate stop), and further strokes must be inhibited until the fault is corrected.”

In ISO 13849-1 terms, this typically maps to a Performance Level requirement of PL d or PL e for the two-hand safety function, with a Category 3 or Category 4 architecture and monitored outputs.

3.2 Recommended Hardware Topology

Two safety-rated palm buttons: Each with dual, positively guided contacts, wired as two independent channels (e.g., CH1 and CH2).
Two-hand safety relay or safety controller: Implements simultaneity, anti tie-down, edge detection, and diagnostic monitoring per ISO 13851.
Dual final control elements: Two series-wired power contactors (for electrical drives) or a dual-channel safety-rated pneumatic valve for cylinder actuation, each with feedback (“mirror”) contacts.
External device monitoring (EDM): Feedback loop from the final elements back into the safety relay, to detect welded contacts or failure to drop out.

3.3 Conceptual Safety Relay Logic

While the internal logic of a certified safety relay is not user-editable, its behavior can be modeled conceptually. The following pseudocode illustrates the safety function achieved by a two-hand safety relay:

// Conceptual safety function for dual two-hand control (Scenario A)

on power_up:
    ensure CH1 == OFF and CH2 == OFF
    state = READY

loop:
    read CH1, CH2, feedback_K1, feedback_K2

    // Fault detection on feedback from final control elements
    if feedback_K1 == ON or feedback_K2 == ON when outputs == OFF:
        state = FAULT   // welded contact or valve
        outputs = OFF

    // Evaluate normal operation only if no faults
    if state == READY:
        if rising_edge(CH1) and rising_edge(CH2) within 500 ms:
            outputs = ON
            state = STROKE_ACTIVE

    if state == STROKE_ACTIVE:
        if CH1 == OFF or CH2 == OFF:
            outputs = OFF           // immediate stop command
            state = READY           // single-stroke completion
        if commanded_stop or guard_open:
            outputs = OFF
            state = READY

    // Anti tie-down: channels must return fully to OFF before next cycle
    if (CH1 == ON and CH2 == OFF) or (CH1 == OFF and CH2 == ON):
        // partial actuation is not acceptable between strokes
        inhibit_next_cycle()

Implementing the above behavior directly in a standard PLC would require custom diagnostics, edge tracking, time window enforcement, and fail-safe output control. Even if implemented correctly, proving the required PL under ISO 13849-1 and demonstrating control reliability to OSHA is significantly more difficult than using a certified two-hand safety relay or safety controller.

Implementation Warning: Wiring the two-hand buttons in series into a single PLC input and treating them as a “dual” control is non-compliant. Each button must be a separate channel into a safety-rated device capable of detecting mismatches, shorts, and stuck contacts.

4.0

Scenario B: Single Start Button with Safety Light Curtain

In Scenario B, the press is initiated via a single-cycle start button, and the point-of-operation is guarded by a presence-sensing device (light curtain). The light curtain must:

Prevent initiation of a stroke when obstructed, and
Stop the press if its field is interrupted during hazardous motion.

4.1 Safety Objective

The safety function can be stated as:

“A press stroke may only be initiated when the light curtain field is clear and all other safety conditions are met. If any beam is interrupted while the press is within the hazardous portion of its stroke, a stop command must be issued and the machine must stop within the validated stopping distance. Failures within the guarding or control circuits must be detected, prevent a successive stroke, and default to a safe condition.”

4.2 Regulatory Considerations

OSHA 1910.217 allows presence-sensing devices as point-of-operation safeguarding only on part-revolution presses whose slides can be stopped mid-stroke within a predictable stopping time.
For certain presence-sensing device initiation (PSDI) modes, additional certification and third-party validation apply; this paper assumes a conventional guarding mode where the light curtain does not initiate the stroke but only permits or stops motion.
Control reliability and brake monitoring requirements are the same as for two-hand controls when the operator’s body may enter the guarded zone.

4.3 Recommended Hardware Topology

Single start button: A standard industrial pushbutton wired into a non-safety controller (PLC) or directly into the safety controller as a request signal.
Safety light curtain: With OSSD outputs (dual channels) wired into a safety relay or safety controller.
Dual final control elements: As in Scenario A, two monitored contactors or a dual-channel safety valve that removes motive power on any safety fault.
Safety controller/relay interlock: The start command must be logically ANDed with the light curtain’s “guard clear” state inside a safety-rated device.

4.4 Conceptual Safety Function for Light Curtain Guarding

// Conceptual safety function for single-button + light curtain (Scenario B)

loop:
    read LC_CH1, LC_CH2, feedback_K1, feedback_K2, start_request

    // Light curtain OSSD diagnostics
    if LC_CH1 != LC_CH2 or LC_CH1 == FAULT_STATE:
        state = FAULT
        safety_outputs = OFF

    if feedback_K1 == ON or feedback_K2 == ON when safety_outputs == OFF:
        state = FAULT
        safety_outputs = OFF

    if state == FAULT:
        inhibit_stroke()
        continue

    guard_clear = (LC_CH1 == ON and LC_CH2 == ON)

    // Enable power to press drive only when guard is clear
    if guard_clear:
        safety_outputs = ON
    else:
        safety_outputs = OFF

    // Start logic: PLC or pushbutton may request a stroke
    if start_request and guard_clear and no_other_safety_faults:
        issue_stroke_command()  // to press clutch / hydraulic valve

    // Any guard interruption during stroke
    if stroke_active and not guard_clear:
        safety_outputs = OFF
        command_stop()
        inhibit_next_stroke_until_reset()

Again, while a PLC can be used to request a stroke and coordinate non-safety automation, the enforcement of guard-clear, OSSD diagnostics, and EDM must reside in the safety relay or safety controller to meet ISO 13849-1 and OSHA control-reliability obligations.

5.0

Why Safety Relays and Safety Controllers, Not Generic PLC Logic

Many legacy installations rely on standard PLC ladder logic to combine two-hand buttons, start signals, and light curtain inputs. While such systems may appear to function correctly in normal operation, they rarely satisfy the formal requirements of control reliability and PL d/e without additional certified hardware and design evidence.

Aspect	Safety Relay / Safety Controller	Standard PLC Logic
Standards Basis	Certified for use in ISO 13849-1 SRP/CS with published PFH_d, DC, Category.	Typically no safety certification; performance not quantified for PL or SIL.
Control Reliability (OSHA 1910.217(b)(13))	Designed to detect single faults and prevent successive strokes until corrected.	Possible only with custom design and extensive validation; difficult to prove.
Diagnostics	Built-in monitoring of input and output discrepancies, cross-faults, shorts, and EDM.	Must be modeled manually; diagnostic coverage often incomplete or undocumented.
Logic Integrity	Safety logic is protected, change-controlled, and often password- or tool-locked.	Logic can be edited easily; risk of unauthorized or unreviewed modifications.
Certification & Documentation	Manufacturer provides safety manual, application limits, and example circuits.	Designer bears full burden of proof for PL/Category calculations and validation.
Regulatory Acceptance	Aligns directly with OSHA guidance and industry best practices for press guarding.	Requires case-by-case justification; vulnerable under audit or incident investigation.

Practical Guidance: Use the PLC for sequencing, HMIs, and non-safety interlocks. Use a safety relay or safety controller as the final authority on whether motion is permitted, and as the device that can physically interrupt power via dual monitored contactors or valves.

6.0

Implementation Patterns and Integration

6.1 Signal Partitioning Between PLC and Safety Relay

A robust design cleanly separates Safety and Non-Safety responsibilities:

Safety relay / controller:
- Two-hand control channels and light curtain OSSD inputs,
- E-stop circuits and guard door switches,
- External device monitoring (EDM) of contactors/valves,
- Safety-rated outputs that directly control final elements.
Standard PLC:
- Mode selection (auto, setup, inch),
- Stroke request from HMI or panel pushbuttons,
- Status display, diagnostic messaging, and data logging,
- Non-safety interlocks (material present, upstream/downstream coordination).

6.2 Example Integration Pseudocode

The PLC can treat the safety controller as a high-integrity “permission” source:

// PLC-side logic (non-safety) coordinating with a safety controller

// Inputs from safety controller
BOOL SAFE_OK;         // true when all safety functions are satisfied
BOOL GUARD_CLEAR;     // true when light curtain and doors are clear
BOOL SAFETY_FAULT;    // true when any safety fault is latched

// Operator commands
BOOL CMD_STROKE;      // single-stroke request from HMI or start button

// PLC logic
IF SAFETY_FAULT THEN
    // inhibit all motion and prompt maintenance
    ALARM := TRUE;
    STROKE_CMD_OUT := FALSE;
ELSIF SAFE_OK AND GUARD_CLEAR AND CMD_STROKE THEN
    // issue stroke request to press control
    STROKE_CMD_OUT := TRUE;
ELSE
    STROKE_CMD_OUT := FALSE;
END_IF;

The safety controller, in turn, decides whether to energize its safety outputs based on all safety inputs and internal diagnostics; the PLC cannot force a stroke when the safety controller has locked out motion.

7.0

Validation, Testing, and Maintenance

Achieving control reliability and PL d/e on paper is insufficient; the system must be validated in the field and maintained over time. Recommended practices include:

Formal risk assessment: Documented analysis of hazards, required safety functions, and target PL_r for both two-hand control and presence sensing.
Stopping-time measurement: Periodic testing of press stopping time at defined intervals to ensure safety distance assumptions remain valid.
Functional tests: Routine checks of:
- Two-hand control simultaneity and anti tie-down behavior,
- Light curtain obstruction responses,
- E-stop and guard door functions,
- EDM response to simulated welded contact (where safely practicable).
Change management: Any modification to safety wiring, device types, or logic must trigger a revalidation of the safety function and associated documentation.
Training: Operators, maintenance, and engineering personnel must understand that bypassing or “jumping” safety circuits is prohibited and undermines the design intent.

8.0

Summary and Recommendations

Key Takeaways

Two-hand controls and light curtains are not inherently “safe”—they must be integrated into a control-reliable safety architecture with monitored outputs and validated stopping distances.
OSHA 1910.217 control reliability and brake monitoring, combined with ISO 13849-1 PL d/e requirements, effectively require safety-rated hardware for these press safety functions.
Dedicated safety relays or safety controllers provide the diagnostics, redundancy, and certification needed to meet these requirements; generic PLC logic does not.
Scenario A (dual two-hand start) should use a certified two-hand safety relay or safety controller with dual monitored contactors or valves and anti tie-down logic per ISO 13851.
Scenario B (single start button + light curtain) should treat the start button as a non-safety request and the light curtain as a safety input into a safety controller, which then controls dual final elements and enforces guard-clear conditions.
PLCs remain valuable for automation, HMI, and non-safety interlocks, but the final authority over motion must rest with safety-rated hardware.

Upgrading a press from legacy controls to a modern, control-reliable architecture is more than a wiring exercise. It requires understanding OSHA and ISO requirements, selecting appropriate safety-rated hardware, and validating that the implemented safety functions behave as intended under both normal and fault conditions. When properly executed, dual two-hand control and light-curtain guarding can coexist in a plant-wide safety strategy that materially reduces the risk of serious injury while supporting production throughput and maintainability.

9.0

References and Further Reading

OSHA, 29 CFR 1910.217 – Mechanical Power Presses. U.S. Occupational Safety and Health Administration.
OSHA, STD 1-12.21 – Mechanical Power Presses, Clarifications. Interpretation of control reliability and brake monitor requirements.
ISO 13849-1:2023 – Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design.
ISO 13851:2019 – Safety of machinery — Two-hand control devices — Principles for design and selection.
ISO 13855 – Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body.
ANSI B11.1 – Safety Requirements for Mechanical Power Presses.
ANSI B11.19 – Performance Requirements for Risk Reduction Measures (Safeguarding).
Manufacturer safety manuals for selected two-hand safety relays, safety light curtains, and safety controllers (Pilz, Sick, Rockwell Automation, Siemens, etc.).

© Validus Group Inc. All Rights Reserved.
Authored by Fred Fisher, President — Validus Group Inc.

This document is the intellectual property of Validus Group Inc. and is provided for informational and professional reference only. No portion of this publication may be reproduced, distributed, or transmitted in any form or by any means, including copying, scanning, or posting to external websites, without the prior written consent of the author.

Permission is granted to share this material internally within your organization for engineering, maintenance, or training purposes, provided that all content remains unaltered and full attribution is retained.

Unauthorized reproduction or commercial use is strictly prohibited.