Safety rated equipment primer

[gleblanc 1]

Can anybody suggest a good primer on Safety Relays and the like that I can give to my electricians? I asked them to replace the standard relay they had on a motor with a safety rated one, so that hopefully we won't have another failure like the one yesterday (near miss, no injuries), and all I got back was a blank stare.

[Mendon Systems 22]

Omron has a catalog called "Industrial Automation Safety Products Guide" with a lot of useful information. (about 600 pages of 8.5x11) You should be able to talk your local Omron rep out of one at no cost.

[BobLfoot 301]

My favorite has always been the Safety and Risk Analysis Information found in the pages of the Old STI {Safety Technologies} Catalogs. Since Omron bought them out it should be on this page somewhere http://www.sti.com/safety/index.htm I also just found a good write up in the front of AB Publication S117-CA001A-EN-P the Allen Bradley Safety Products Catalog.

[panic mode 246]

i agree to take a look at what safety catalogues offer (usually intro or appendix of few pages in any safety catalog). it may not be much but it is a start. check also link at the end of this post, it contains same kind of introduction. the other thing is - replacing single component will not make any difference. one certainly can replace control relay by a safety rated relay but this change alone will make no improvement. This is a common misconception, many believe that safety relays have word "safety" in the name because they just don't fail (due to some obscure magic power for example) which is obviously not true. safety relays can and do fail - just like any other equipment, and the contacts can oxidise or weld just like contacts in control relays. the key difference here is in the construction that guarantees that all contacts are moving in unison. if one of contacts welds and therefore remains in "energized" position, other contacts are guaranteed to also stay in that same position. this may not look as much of a improvement over regular relays and it may be even seen as flaw. instead of having only one phase due weld of a contact (and possibly all three), now we are guaranteed to have all three phases at the load, even though coil is de-energized, so how is this any better? as mentioned, simply replacing a control relay with a safety rated relay makes no improvement - until something else is added, and that something is called controller (or also "safety module" or also "safety relay" which is a bit of a confusing term). the key difference is that due this very feature (contacts operating together), safety relay or contactor can be monitored by a safety controller. if one contact is stuck, all of the contacts are stuck (including one used for monitoring) and when controller detects the problem, it turns off it's outputs and disables process. if some of the outputs are used to drive additional relays or contactors, they too have to be monitored (feedback loop monitors output devices using their NC contacts). hazards are not always the same and safety circuits requirements are different as well. proper category of a safety circuit needed for particular application is determined through process called Pre-Health and Safety Review (PHSR). it is based on severity of hazard or potential injury, frequency of exposure and likelihood to escape when hazard is recognized (recall compactor scene in Austin Powers movie, slow hazards are escapable, fast ones are not). once you have settled for a particular safety category, you design suitable circuit. there are requirements for each category. category B (i tend to think of it as "basic") is basically use of good materials and practices but no dedicated safety circuit. there is no light curtain or safety mat or two hand control attached to TV, fridge or microwave oven. all consumer goods are basically Cat-B. in a industrial environment normally other categories are used. they all use everything that lesser category has (such as Cat-B) plus some improvement: category I uses single channel safety circuit. there is no monitoring. this is commonly used in simple circuits like E-Stop. category II uses single channel plus monitoring. usually considered "the useless category" since failure of output relay means that circuit may remain energized. this deficiency is removed in next category (Cat-III). category III uses redundancy (dual channel) plus monitoring. everything is redundant, inputs (sensing), outputs (relays or contactors) and everything is monitored by controller. for example inputs are monitored by comparing two sensing channels. outputs are monitored by checking if all of output devices (relays or contactors) are really off when controller turns them off (this is where special construction and those linked contacts come to play). this check is performed on powerup and every time circuit is tripped. since now there are two relays/contactors in output, failure of one does not present loss of safety. second contactor will still kill the power when ordered to do so (it is very unlikely that both relays/contactors would fail at exactly the same moment). category IV uses redundancy and monitoring just like Cat-III but it also monitors for accumulation of faults. this (accumulation of faults) is something that Cat-III cannot do. In Cat-III single fault will be detected and circuit will trip, but it could be fooled by for example cycling power or tripping other device which does not have fault. If stakes are high, Cat-IV is needed. one of the problems is that Cat-II, Cat-III and Cat-IV circuits can be made to appear as functional even though they have design flaw. even if circuit schematic is correct, actual implementation still may be incorrect (wiring mistake). for example, one can remove one of output relays from Cat-III and it will still appear to work as if nothing changed, even though we lost redundancy. Such mistake basically renders it Cat-II circuit. does not seem to be too much of a disaster - only dropped one category level!? this is also easy to spot so it is not likely to be much of a problem. but what happens if instead of removing one of the output relays or contactors, monitoring is inactive? for example this is another common mistake where one just used jumper wire across monitoring input on a controller (or disabled monitoring in software) instead of daisy chaining NC contacts of safety output (relays/contactors) OR.... using standard (non-safe) output devices such as common control relays. well, any of this means no monitoring and therefore this is now at best Cat-I circuit. this is not easy to spot since safety relays are all in place (easy to count) but the wires are easy to miss. this can easily slip through with fragmented datasheets, they are not all equal so a bit more research may be needed. Omron datasheets such as G9S or G9SA show entire circuits and therefore even a newbee is unlikely to make a mistake. some dataheets are rather limited or even confusing. one example is when circuit is shown in bits and pieces (PNOZ-X3 for example). this does not mean that Pilz products are not good, it is just that the documentation is organized it a bit different way and one has to pay attention. For example Pilz has rather nice application manual that gives good introduction and plenty of circuit examples: http://www.pilz.com/...n_Manual_EN.pdf beware - safety is a serious matter. next time an accident happens, it may not be just a "near miss". this is why safety of equipment need to be evaluated and accepted by PENG specializing in machine safety.

[BobLfoot 301]

EXCELLENT SUMMARY PANIC. And yes he is right I once had a machine builder swear they had delivered a CAT III System as I specified when in Fact due to how they wired it what I had was CAT-I. Imagine their frustration at 11pm when I informed them the machine could not startup at 7 AM unless they rewired to the blueprint by then. I've never seen a contractor find so many electricians from the union hall that fast :) lol.

[panic mode 246]

thank you Bob, just trying to chip in from time to time.... pm