Veganic

Safety architecture

16 posts in this topic

The attached drawing shows two ways to connect two contactors to a safety relay. Assume feedback loops and reset circuits. Is there a reason why one would not be acceptable as Cat. 3 architecture? Can anyone comment on the merits of each?

You do not have redundancy of the circuits. While you are turning on 2 loads, they are both run by the same contact. Single point of failure.

The redundancy is in the safety relay itself, so you don't actually have a single point of failure. If this is a standard safety relay (no time delays), then both circuits will work the same and be equally safe. Splitting the loads over both sets of output contacts will allow you to switch higher loads, but that's the only advantage. If this is a time-delay relay where one of the contacts is immediate and the other is time-delay, then of course you'd get different functionality in the two circuits. If you want to increase the control reliability (i.e. safety) of the circuit, you should be using force-guided motor contactors with External Device Monitoring (EDM).

Thanks for the replies. It was a theoretical question. I have a distant memory from a training course that using the single channel was acceptable if the contactors were in the same enclosure. Independent channels being required if they were remote to give adequate separation and fault tolerance (all other considerations, load etc. being equal). All this depends on the risk assessment, PLr, diagnostic coverage, and analysis of common cause failure, etc., etc., etc. Do you work to ISO 13849-1 in the States?

Your memory is correct, but the diagrams you provided show two loads with single channel connection to power, just that one has them both connected through the same set of contacts and the other gives them separate contacts. I'd have to look up the standards we use. I don't do enough safety to have it memorized! I have to look things up when actually designing circuits!

We do use ISO 13849-1 and IEC 61508 specs most commonly.

Allen Bradley has a great explanation with diagrams. http://www.ab.com/en/epub/catalogs/3377539/5866177/3378076/10334651/Categories-of-Control-Systems.html My understanding is that these circuits are not equal. The circuit to the right has a point of failure at the output of the safety relay where the one on the left does not. Have a look at "Output Pulse Testing". Also, I believe neither circuit is Category 3 compliant. As JRoss has suggested, neither circuit has EDM feedback. This creates a single point of failure at each relay (contactor). Output Pulse Testing is not required for Category 3 but the EDM is. Safety circuits can look very simple yet be very confusing.

Edit: The strikethrough text is a false statement. If one relay fails (welds closed), the other will open the circuit for a safe condition. The difference is, the safety circuit would successfully reset without EDM feedback and no one would ever know. At this point it will not be Category 3 compliant.

Edited by IO_Rack

If your edit is talking about the relay contacts inside the safety relay, then the original statement was more correct. EDM monitors external devices (hence External Device Monitoring). Generally, this is used to monitor safety rated load contactors that have force-guided relays in them, with one NC contact used specifically for EDM. These contacts are wired between two terminals on the safety relay, which can then check for contact weld. Both the Category 2 and 3 circuits in the link show this. The contacts inside the safety relay are already monitored in this way. EDM gives you a way to add external devices into the monitoring.

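Worked example of the EDM logic the reply above describes, added here as an illustration; it is not code from the thread or from any vendor's relay. It models the simplifying assumptions stated in its comments: two force-guided contactors wired in series to one load, a two-channel relay whose internal relays K1 and K2 each put a contact in series on every output, and the two wirings from the drawing ("dual" = each contactor on its own output pair, "single" = both contactors on output 1). The names KA, KB, K1 and K2 and the injected faults are assumed for the example.

```python
"""Toy model of a two-channel safety relay driving two force-guided
contactors, with and without External Device Monitoring (EDM).
Added example for illustration; component behaviour is simplified."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Contactor:
    """Force-guided (mirror-contact) contactor.  The NO main contact and the
    NC auxiliary contact are mechanically linked, so a welded main contact
    holds the NC aux open.  That NC aux is what the EDM loop watches."""
    name: str
    coil_energized: bool = False
    main_welded: bool = False          # injected fault

    @property
    def main_closed(self) -> bool:
        return self.coil_energized or self.main_welded

    @property
    def aux_nc_closed(self) -> bool:
        return not self.main_closed


@dataclass
class SafetyRelay:
    """Two internal relays K1 and K2 each put a contact in series on every
    safety output, so one welded internal contact is still opened by the
    other channel.  wiring='dual': contactor i on output i (left drawing);
    wiring='single': both contactors on output 1 (right drawing)."""
    contactors: List[Contactor]
    wiring: str = "dual"
    edm: bool = True
    k1_welded: bool = False            # injected internal fault on output 1
    energized: bool = False

    def output_closed(self, n: int) -> bool:
        k1 = self.energized or (n == 1 and self.k1_welded)
        k2 = self.energized
        return k1 and k2

    def _update_coils(self) -> None:
        for i, c in enumerate(self.contactors, start=1):
            c.coil_energized = self.output_closed(1 if self.wiring == "single" else i)

    def feedback_loop_closed(self) -> bool:
        """EDM input: all contactor NC aux contacts in series between the
        relay's two feedback terminals; closed only if every contactor
        actually dropped out."""
        return all(c.aux_nc_closed for c in self.contactors)

    def demand(self) -> None:
        """Safety demand (guard opened / e-stop pressed): both channels drop."""
        self.energized = False
        self._update_coils()

    def reset(self) -> bool:
        """Monitored reset.  The relay self-checks that K1 released (a
        simplified stand-in for its internal monitoring) and, with EDM,
        that the feedback loop is closed.  Without EDM a welded contactor is
        accepted silently and the machine restarts with one fault used up."""
        if self.k1_welded:
            return False
        if self.edm and not self.feedback_loop_closed():
            return False
        self.energized = True
        self._update_coils()
        return True

    def load_powered(self) -> bool:
        """Two contactors in series to one load: power flows only if both
        main contacts are closed."""
        return all(c.main_closed for c in self.contactors)


def scenario(wiring: str, edm: bool, welds: Tuple[str, ...] = ()) -> dict:
    """Healthy start, inject faults, apply a demand, try to restart.
    welds may contain 'KA', 'KB' (contactor main contact) or 'K1' (relay)."""
    ka, kb = Contactor("KA"), Contactor("KB")
    relay = SafetyRelay([ka, kb], wiring=wiring, edm=edm)
    if not relay.reset():
        raise RuntimeError("healthy system must reset")
    ka.main_welded = "KA" in welds
    kb.main_welded = "KB" in welds
    relay.k1_welded = "K1" in welds
    relay.demand()
    isolated = not relay.load_powered()
    return {"isolated_on_demand": isolated, "restart_allowed": relay.reset()}


if __name__ == "__main__":
    for wiring in ("dual", "single"):
        for edm in (True, False):
            for welds in ((), ("KA",), ("K1",), ("KA", "KB")):
                print(f"{wiring:6} edm={edm!s:5} welds={welds!s:14} "
                      f"{scenario(wiring, edm, welds)}")
```

In this model the two wirings give identical results for every single fault, which is the point made earlier in the thread: the redundancy sits in the relay's K1/K2 pair, not in the choice of output terminal. The row to look at is the no-EDM case with a welded KA: the demand is still honoured because KB opens, but the restart succeeds and nobody knows the first fault has been consumed; the KA+KB row shows what the second, now unprotected, weld does.
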
Agreed. Since the original post asked, "Is there a reason why one would not be acceptable as Cat. 3 architecture?", I assumed the latter. I noticed after my last post that he also said, "Assume feedback loops and reset circuits.". In this case, I would say the one on the left is compliant and the one on the right is not. But.... after reviewing the following snip from AB's website, I'm not so sure. It's my understanding that 'Output Pulse Testing' would catch this fault. I may be wrong.

I saw that AB page when I was wondering about this. It used to be the norm to show one output contactor connected to "0v rail" after the safety contacts and the other to the "+ve rail" before the safety contacts. Sort of one sink and one source. Not seen that in a while. Pulse testing is an input thing. Each input channel has a different pulse sequence so that shorts or wiring errors are caught. I think both are Cat.3 but they have different fault exclusion requirements. It's difficult to talk in the abstract about safety now as it is about the components used and avoiding common cause failures as much as the way it looks on the wiring diagram. Maybe safety needs a new forum category?

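The cross-check that the input test pulses perform, as an added illustration that is not from the thread or any vendor's documentation. The pulse patterns T1 and T2, the single two-channel input device and the three fault cases are constructed for the example; real relays use much shorter pulses and allow a discrepancy time between channels, both left out here.

```python
"""Toy model of two-channel input test pulses on a safety relay.  Each test
output (T1, T2) feeds its own channel through one NC contact of the input
device; the relay expects to see its own pulse pattern back on each channel.
Added example; patterns and faults are constructed for illustration."""
from typing import Optional, Tuple

# One sample per time slot.  Each test output drops low in a different slot
# (on a real relay these are sub-millisecond gaps a contactor never reacts to).
T1 = (1, 1, 0, 1, 1, 1, 1, 1)
T2 = (1, 1, 1, 1, 1, 0, 1, 1)
ALL_OPEN = tuple(0 for _ in T1)

Pattern = Tuple[int, ...]


def wire_model(contact_closed: bool, fault: Optional[str] = None) -> Tuple[Pattern, Pattern]:
    """What the relay samples on inputs IN1/IN2.  Faults (all constructed):
    'cross_short'   - the two channel wires shorted together (wired-OR),
    'short_24v_ch1' - channel 1 wire shorted to the supply rail,
    'ch2_on_t1'     - wiring error: channel 2 fed from T1 instead of T2."""
    in1, in2 = [], []
    for t1, t2 in zip(T1, T2):
        v1 = t1 if contact_closed else 0
        v2 = t2 if contact_closed else 0
        if fault == "ch2_on_t1":
            v2 = t1 if contact_closed else 0
        if fault == "short_24v_ch1":
            v1 = 1
        if fault == "cross_short":
            v1 = v2 = v1 | v2
        in1.append(v1)
        in2.append(v2)
    return tuple(in1), tuple(in2)


def evaluate_with_pulse_test(in1: Pattern, in2: Pattern) -> str:
    """A channel counts as closed only if it echoes its own test pattern
    exactly; any other non-zero pattern is a wiring fault."""
    if in1 == ALL_OPEN and in2 == ALL_OPEN:
        return "STOP"
    if in1 == T1 and in2 == T2:
        return "RUN"
    return "FAULT"


def evaluate_without_pulse_test(in1: Pattern, in2: Pattern) -> str:
    """Plain two-channel logic: a channel is closed if it reads high at all.
    Only a discrepancy between the channels can be detected."""
    closed1, closed2 = any(in1), any(in2)
    if closed1 and closed2:
        return "RUN"
    if not closed1 and not closed2:
        return "STOP"
    return "FAULT"


def compare(contact_closed: bool, fault: Optional[str]) -> Tuple[str, str]:
    """(verdict with pulse test, verdict without) for one wiring state."""
    in1, in2 = wire_model(contact_closed, fault)
    return evaluate_with_pulse_test(in1, in2), evaluate_without_pulse_test(in1, in2)


if __name__ == "__main__":
    for closed in (True, False):
        for fault in (None, "cross_short", "short_24v_ch1", "ch2_on_t1"):
            print(f"contact_closed={closed!s:5} fault={fault!s:14} "
                  f"pulse/no-pulse = {compare(closed, fault)}")
```

The rows where the verdict without pulse testing is RUN but the verdict with it is FAULT are the faults the post refers to: with the contact closed, a cross-channel short or a short to 24 V looks like two healthy closed channels unless each channel is made to prove it is still connected to its own test output. The same mechanism flags a channel landed on the wrong test terminal.
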
I haven't seen pulse testing for outputs, only for inputs. Sounds like you're talking about complementary channels (one NO, one NC). I remember seeing that specifically for interfacing a PLC into a safety circuit, for muting for example. You need two channels for redundancy and complementary for cross-check. Main difference (as I see it) between Cat 3 and Cat 4 is that Cat 3 allows daisy-chaining safety input devices, and Cat 4 does not.

I was originally thinking about Cat 3 and not cat 3 rather than 3 vs 4. I read some of the recommendations on daisy chaining and try to avoid it now more from a desire to avoid documentation and dubious assumptions than thinking it unsafe.

And back to the original question! You need to defer to an industry expert on this one, but here's what I think. First, let's assume that the reset, EDM, pulse testing, etc. is at least Cat 3. If the two contactors refer to isolated loads, then the two circuits should be equivalent from a safety perspective. If the two contactors are redundantly driving the same load, and the safety circuit and contactors are in the same enclosure, then I believe both circuits would meet Cat 3. If the contactors are in a different enclosure than the safety circuit, then only the left hand drawing would meet Cat 3, as you are required to have redundant wiring between enclosures.

Oh, and I just sat through some Jokab (now ABB) safety training. They actually have a series of safety devices that can be daisy-chained and still meet Cat 4. The TINA line of E-Stops and safety interface devices. Pretty neat.

I believe talking in abstract about safety is probably the only way to discuss it as components are constantly changing. For instance, JRoss says there are devices now that allow daisy chaining. I would not think that is possible as typical daisy chaining will allow "A Single Point of Failure". Somehow they must accomplish this... I'll have to look this up. A new forum category? Well there is certainly enough material and differences of opinion. We'll have to see how much interest there is here at MrPLC. I would like to hear from some experts here.

It's sort of like a simple network, actually. There's a four-wire connection that carries power and signal, and the devices invert and phase-shift a test pulse. Based on that the system knows how many devices are in the chain, and whether they are wired properly. So it meets the requirements of Cat 4, but takes a completely different approach to get there. It's all about control reliability and the ability to detect any fault. Redundancy is the usual path to get there, but not strictly required. Single point of failure is ok so long as you can always detect when it fails.
