IEC 62745:2017 – Safety of Machinery – Requirements for Cableless Control Systems

Standard: IEC 62745 | Edition 1.0 (2017-03) | ICS: 13.110, 29.020, 35.100.01
💡 Key Insight: Cableless (wireless) control systems introduce unique failure modes — signal loss, interference, latency, and battery depletion — that wired systems don’t face. This standard systematically addresses these risks to ensure safety integrity equivalent to wired control.

1. Scope and Application

IEC 62745 specifies requirements for the functionality and interfacing of cableless control systems (CCS) that provide communication between operator control station(s) and the control system of machinery. The standard covers various wireless technologies including radio frequency (RF) and infrared (IR) communications. It specifically addresses portable operator control stations that can be carried by the operator.

The standard uses a role-based architecture: the “remote station” is the portable operator control station carried by the operator, and the “base station” interfaces with the machine control system. This allows bidirectional communication where applicable. The standard does NOT cover cableless communication between parts of a machine that are not operator control stations.

✅ Safety Context: Wireless controls are increasingly used in overhead cranes, industrial trucks, construction equipment, and automated manufacturing cells. A failure in the wireless link can result in loss of safe control — the standard ensures that manufacturers systematically address these risks.

2. Functional Requirements and Stop Functions

2.1 Stop Function Categories

The standard defines specific stop functions with distinct safety integrity requirements. The emergency stop function must initiate and maintain the stop condition even after communication loss. The manual stop function is operator-initiated via a dedicated pushbutton. The automatic stop function (ATS) activates automatically upon detecting specified conditions (e.g., loss of signal, low battery, position outside safe zone). The passive stop function triggers when the operator releases the enabling device — critical for handheld pendants where “dead-man” control is required.

2.2 Communication Integrity

The standard mandates error detection codes with minimum Hamming distance requirements and imposes strict limits on latency for safety-related commands. For the stop function, the maximum acceptable time between actuation and execution is specified. The communication protocol must include sequence numbering, time-stamping, or other mechanisms to prevent replay attacks and ensure message freshness.

| Stop Function Type | Trigger | Safety Integrity Requirement |
|---|---|---|
| Emergency stop | Dedicated red pushbutton (mushroom head) | Must function after communication loss |
| Manual stop | Operator action | Same PLr as machine stop function |
| Automatic stop (ATS) | Loss of signal, low battery, timeout | Autonomous activation without operator |
| Passive stop | Release of enabling device | Immediate upon operator release |

2.3 Operational Prevention Measures

To prevent unintended operation, the standard requires specific prevention measures: the remote station must have addressed communication (each remote station has a unique address code), the system must detect communication errors with a minimum Hamming distance, and timeout mechanisms must stop the machine if communication is lost for longer than a specified period (typically ≤ 500 ms for safety-related commands).
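The checks described in 2.2 and 2.3 (addressed communication, error detection, sequence-number freshness and a link timeout) can be combined in one base-station receive path. The following is an added example, not code from the standard or from any CCS vendor; the 7-byte frame layout, the CRC-16 polynomial, the function names and the 500 ms constant are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define CCS_TIMEOUT_MS 500u /* assumed; the page cites <= 500 ms as typical */
#define CCS_FRAME_LEN 7u    /* constructed layout: addr(2) seq(2) cmd(1) crc(2) */
typedef enum { CCS_ACCEPT, CCS_BAD_LEN, CCS_BAD_CRC, CCS_BAD_ADDR, CCS_STALE } ccs_result;

typedef struct {
    uint16_t my_addr;    /* address of the one remote station paired with us */
    uint16_t last_seq;   /* last accepted sequence number */
    bool have_seq;       /* false until the first valid frame arrives */
    uint32_t last_ok_ms; /* receive time of the last accepted frame */
} ccs_rx;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), chosen for the example. */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* Remote-station side: serialise one command frame (big-endian fields). */
void ccs_build(uint8_t f[CCS_FRAME_LEN], uint16_t addr, uint16_t seq, uint8_t cmd) {
    f[0] = addr >> 8; f[1] = addr & 0xFF; f[2] = seq >> 8; f[3] = seq & 0xFF; f[4] = cmd;
    uint16_t crc = crc16(f, 5);
    f[5] = crc >> 8; f[6] = crc & 0xFF;
}

/* Base-station side: only a fully valid, fresh frame refreshes the watchdog. */
ccs_result ccs_receive(ccs_rx *rx, const uint8_t *f, size_t len, uint32_t now_ms, uint8_t *cmd) {
    if (len != CCS_FRAME_LEN) return CCS_BAD_LEN;
    if (crc16(f, 5) != (uint16_t)(f[5] << 8 | f[6])) return CCS_BAD_CRC;
    if ((uint16_t)(f[0] << 8 | f[1]) != rx->my_addr) return CCS_BAD_ADDR;
    uint16_t seq = (uint16_t)(f[2] << 8 | f[3]);
    uint16_t ahead = (uint16_t)(seq - rx->last_seq); /* wrap-safe distance */
    if (rx->have_seq && (ahead == 0 || ahead >= 0x8000)) return CCS_STALE;
    rx->last_seq = seq; rx->have_seq = true; rx->last_ok_ms = now_ms;
    *cmd = f[4];
    return CCS_ACCEPT;
}

/* True when no valid frame arrived within the timeout: automatic stop is due. */
bool ccs_stop_required(const ccs_rx *rx, uint32_t now_ms) {
    return !rx->have_seq || (uint32_t)(now_ms - rx->last_ok_ms) > CCS_TIMEOUT_MS;
}
```

A CRC only detects accidental corruption. Rejecting a deliberately replayed or forged frame additionally needs a keyed message authentication code computed over the same address, sequence and command fields.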

⚠️ Critical Engineering Requirement: The battery voltage must be continuously monitored. Before the voltage drops below the level required for safe operation, the CCS must initiate an automatic stop. This requires a battery monitoring circuit with defined thresholds and hysteresis to prevent nuisance trips.

3. Verification and Validation

3.1 Verification Requirements

The manufacturer must provide verification that the CCS meets all functional requirements. Verification includes: type testing of communication range under specified conditions, environmental testing (temperature, humidity, vibration as per machine environment), electromagnetic compatibility testing, and battery endurance testing. The standard provides detailed verification tables specifying what must be verified by the CCS manufacturer versus what must be verified by the machine integrator.

| Verification Item | Responsible Party | Method |
|---|---|---|
| Communication range | CCS manufacturer | Type test under specified conditions |
| Stop function performance | CCS manufacturer + integrator | Timing measurement, fault injection |
| Battery endurance | CCS manufacturer | Life cycle test under load |
| EMC immunity | CCS manufacturer | Per IEC 61000 series standards |
| Environmental resistance | CCS manufacturer | Temperature/humidity cycling |
| System integration | Machine integrator | Integration test with machine control |

3.2 Information for Use

The standard specifies information that must be provided to the user, including: operating instructions covering all stop functions, battery charging and replacement procedures, range limitations and factors affecting communication reliability, restrictions on use in hazardous areas if applicable, and maintenance requirements including periodic functional testing.

4. Engineering Design Insights

💡 Practical Takeaways for Engineers:

  • Redundancy architecture: For safety-related commands (especially stop functions), consider using dual-channel communication or diverse transmission media. The standard allows this but doesn’t mandate it — your risk assessment should determine the required architecture.
  • Address coding strategy: In environments with multiple machines (e.g., a factory floor with 20 overhead cranes), the address coding scheme must prevent cross-communication. The Hamming distance requirement ensures that bit errors in the address field don’t result in one CCS controlling the wrong machine.
  • Battery management is safety-critical: Implement battery monitoring with at least two independent methods (voltage sensing and coulomb counting). The automatic stop threshold should include hysteresis to prevent oscillation near the cutoff voltage.
  • Latency budget analysis: From operator action to machine response, the total latency includes: input processing + protocol encoding + transmission time + protocol decoding + safety logic execution + actuator response. Each component must be characterized and budgeted.
  • Environmental interference mitigation: Radio links in industrial environments face interference from motors, welders, and other RF sources. Frequency hopping spread spectrum (FHSS) or digital channel selection with automatic retry should be considered.
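The battery requirement in section 2.3 and the battery-management bullet above both call for thresholds with hysteresis and two independent measurements. The following is an added example, not code from the standard or a vendor; the millivolt and mAh thresholds, the latched stop with operator reset, and all names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { BAT_OK, BAT_WARN, BAT_STOP } bat_state;

typedef struct {
    uint16_t warn_mv, stop_mv, hyst_mv; /* constructed voltage thresholds */
    uint16_t min_mah;                   /* coulomb-counter floor */
    bat_state state;
} bat_mon;

/* Feed one sample from each independent method; returns the new state. */
bat_state bat_update(bat_mon *m, uint16_t mv, uint16_t mah, bool operator_reset) {
    /* Either method alone is enough to trip the automatic stop. */
    bool low = mv < m->stop_mv || mah < m->min_mah;
    switch (m->state) {
    case BAT_STOP:
        /* Latched: needs recovery past the hysteresis band and a deliberate reset. */
        if (operator_reset && mv >= m->stop_mv + m->hyst_mv && mah >= m->min_mah)
            m->state = (mv < m->warn_mv + m->hyst_mv) ? BAT_WARN : BAT_OK;
        break;
    case BAT_WARN:
        if (low) m->state = BAT_STOP;
        else if (mv >= m->warn_mv + m->hyst_mv) m->state = BAT_OK;
        break;
    case BAT_OK:
        if (low) m->state = BAT_STOP;
        else if (mv < m->warn_mv) m->state = BAT_WARN;
        break;
    }
    return m->state;
}

/* Count state changes over a voltage trace; shows how the band stops chatter. */
int bat_transitions(bat_mon *m, const uint16_t *mv, int n, uint16_t mah) {
    int changes = 0;
    for (int i = 0; i < n; i++) {
        bat_state before = m->state;
        if (bat_update(m, mv[i], mah, false) != before) changes++;
    }
    return changes;
}
```

Running the same noisy trace through `bat_transitions` with `hyst_mv` set to zero and then to a non-zero band makes the nuisance-trip effect measurable during threshold selection.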

5. Frequently Asked Questions

Q1: Can a CCS be used as the sole means of emergency stopping?

The emergency stop function on a CCS can be used as a supplementary emergency stop device, but the standard requires that the machine also have at least one emergency stop device accessible from a fixed location. The CCS emergency stop must have a dedicated red pushbutton (mushroom head type) and must function even after loss of communication.

Q2: What is the maximum acceptable latency for stop commands?

The standard does not specify a single universal latency value — it must be determined by risk assessment based on the specific machine hazards. However, typical industrial applications aim for stop function latency ≤ 500 ms for general commands and ≤ 200 ms for safety-related stop commands. The key is that the total stopping distance (including latency) must be within the safe distance determined by risk assessment.

Q3: How does the standard address multiple operators using CCS on the same machine?

The standard requires that when multiple remote stations are used with one machine, the system must prevent conflicting commands. This may be implemented through a “token passing” scheme (only one remote station has control at any time), a “voting” scheme (commands require agreement between stations), or a priority-based scheme. The specific approach depends on the risk assessment for the application.

Q4: What happens when a CCS loses communication with the machine?

Upon loss of communication (detected by timeout or excessive error rate), the CCS must initiate an automatic stop. The machine must be designed to fail to a safe state. The remote station must indicate the communication loss to the operator (typically via visual and audible indicators). Resumption of operation requires intentional operator action after communication is restored.
