Cat 3 safety question

Nebul0us (Lifetime Supporting Member; joined Dec 2015; Spokane, WA; 125 posts)
This isn't really PLC related, but I have a question about Cat 3 safety rating. We are using a new Festo air dump that has two proximity sensors on the side of it for fault monitoring/diagnostics. The manual states the sensors can be used to achieve PLd or PLe. My question is, as long as we have a monitoring safety relay in our safety circuit, can we achieve Cat 3 without using these 2 prox's? We will still have the redundant solenoids connected to the safety relay. So a single fault will not prevent safety functionality. I believe it's Cat 4 that requires monitoring of every safety device.

Can anyone shed some light? Much appreciated...
 
You need to use the prox's. The feedback forms part of your diagnostic coverage for the safety loop.

Even a little loss in diagnostic coverage starts reducing the performance level quite significantly.
 
You need to use the prox's. The feedback forms part of your diagnostic coverage for the safety loop.

Even a little loss in diagnostic coverage starts reducing the performance level quite significantly.

The question was not about performance level. It was can we still be Cat 3 rated without the prox's?
 
For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).

One and the same really. The cat 3 you're referring to is the system architecture.

And my answer still stands, yes you need to use the feedback.
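To put a number on why the feedback matters for Category 3, here is an added worked example (not part of any post above, and not vendor data) that applies the DCavg weighting formula from ISO 13849-1 Annex E, DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), to the output channel of the circuit being discussed. The component MTTFd figures, and the 99 % DC credited to direct spool-position monitoring versus 0 % with the proxes left unwired, are assumptions chosen for illustration.

```python
"""Average diagnostic coverage (DCavg) of a safety output channel.

Formula from ISO 13849-1 Annex E:

    DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)

Components with the shortest MTTFd (the ones that fail most often) get the
most weight, so losing diagnostics on the valve drags the average down hard.
All MTTFd and DC values below are assumed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    mttfd_years: float  # mean time to dangerous failure, in years (assumed)
    dc: float           # diagnostic coverage of this component, 0.0 .. 1.0


def dc_avg(components):
    """Weighted average DC over the components of one channel."""
    numerator = sum(c.dc / c.mttfd_years for c in components)
    denominator = sum(1.0 / c.mttfd_years for c in components)
    return numerator / denominator


def dc_band(dc):
    """Denotation bands from ISO 13849-1 Table 5."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def meets_category_3(components):
    """Category 3 requires a DCavg of at least 'low' (>= 60 %)."""
    return dc_avg(components) >= 0.60


# Assumed output channel: a safety relay whose contacts are read back (EDM),
# plus the dump valve solenoid. Direct spool-position monitoring is credited
# 99 % DC; with the proxes not wired the solenoid gets 0 % DC.
RELAY = Component("safety relay, contacts read back", 100.0, 0.99)
VALVE_WITH_PROX = Component("dump valve, spool position monitored", 20.0, 0.99)
VALVE_NO_FEEDBACK = Component("dump valve, feedback not wired", 20.0, 0.0)

MONITORED = (RELAY, VALVE_WITH_PROX)
UNMONITORED = (RELAY, VALVE_NO_FEEDBACK)


if __name__ == "__main__":
    for label, chain in (("with prox feedback", MONITORED),
                         ("without prox feedback", UNMONITORED)):
        d = dc_avg(chain)
        print(f"{label}: DCavg = {d:.1%} ({dc_band(d)}), "
              f"Category 3 minimum met: {meets_category_3(chain)}")
```

With these assumed figures the monitored channel sits at 99 % (high), while leaving the proxes unwired drops the same channel to about 16.5 % (none), below the "low" floor Category 3 requires, even though the relay itself is still fully monitored. Because the formula weights by 1/MTTFd, the unmonitored valve dominates the average, which is the quantitative form of the point made above about small losses in diagnostic coverage.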
 
The real answer here is you need to ask the vendor, but odds are that yes, you need them.
 
mk42,

my 2 cents.
The vendor has little or nothing to do with the circuit design other than answering questions and possibly offering suggestions. You must conform to the requirements to avoid any issue in case of an accident.

You must fully understand the requirements of a Cat 3 circuit and ask a lot of what-if questions.

regards,
james
 
If you don't use the monitoring, you effectively no longer have dual redundancy. If one solenoid sticks, you won't know because the other one will continue to isolate the air, and you're not monitoring the feedback. The system will likely run like that for a long time, until the second solenoid fails, and then you have a real problem.

I saw something similar to this just recently. In this case, the customer was using monitoring, but it was a pressure switch downstream of the dump valve. Same thing here - this won't actually flag the problem until both solenoids fail. Fortunately in this case, it was picked up before it became a catastrophic failure because the second solenoid started "sticking" but still closing, albeit half a second or a second late. This delay eventually started faulting out the safety monitoring system, which was after a discrepancy time of 0.5s or less, so we replaced the valve with one with proper spool position feedback monitoring.

tl;dr dual redundancy only provides protection if you can detect the primary failure.
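The masking failure described in this reply is easy to see in a small model. The following is an added example, not code from the poster or from any vendor: two solenoids in series on an air dump, checked either by a downstream pressure switch or by spool-position sensors with a discrepancy window. The 0.5 s discrepancy time follows the case described; the valve closing delays and the 1 s pressure-switch read time are assumptions.

```python
"""Why a downstream pressure switch cannot reveal a single stuck solenoid
in a redundant (series) pair, while per-spool position feedback with a
discrepancy time catches it on the first demand.

All timings are assumed for illustration.
"""

from dataclasses import dataclass


@dataclass
class Solenoid:
    name: str
    close_delay_s: float = 0.05  # nominal time to reach the safe position
    stuck: bool = False          # dangerous failure: spool stays in run position

    def in_safe_position(self, t_since_demand_s):
        """True when this spool has reached its safe (dumped) position."""
        if self.stuck:
            return False
        return t_since_demand_s >= self.close_delay_s


DISCREPANCY_S = 0.5  # assumed discrepancy window of the safety monitor
CHECK_AT_S = 1.0     # assumed: pressure switch is evaluated 1 s after demand


def pressure_switch_fault(valves, t=CHECK_AT_S):
    """Indirect monitoring. With the valves in series the air is isolated as
    soon as ANY one of them closes, so the switch only reports a problem when
    no valve reached the safe position at all."""
    isolated = any(v.in_safe_position(t) for v in valves)
    return not isolated


def spool_feedback_fault(valves, window=DISCREPANCY_S):
    """Direct monitoring. Every channel's prox must report the safe position
    inside the discrepancy window; one stuck or slow spool is a fault."""
    return not all(v.in_safe_position(window) for v in valves)


def safety_function_lost(valves, t=CHECK_AT_S):
    """The actual hazard: the air was never dumped."""
    return not any(v.in_safe_position(t) for v in valves)


# Constructed scenarios, one demand each.
SCENARIOS = {
    "healthy": (Solenoid("A"), Solenoid("B")),
    "A stuck": (Solenoid("A", stuck=True), Solenoid("B")),
    "A stuck, B closes late": (Solenoid("A", stuck=True),
                               Solenoid("B", close_delay_s=0.8)),
    "both stuck": (Solenoid("A", stuck=True), Solenoid("B", stuck=True)),
}


def evaluate(name):
    """Return what each monitoring scheme reports for one scenario."""
    valves = SCENARIOS[name]
    return {
        "pressure_switch_fault": pressure_switch_fault(valves),
        "spool_feedback_fault": spool_feedback_fault(valves),
        "safety_function_lost": safety_function_lost(valves),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:24s} {evaluate(name)}")
```

In the "A stuck" scenario the pressure switch stays happy because B still dumps the air, so the single fault is never detected and the machine keeps running on one channel; only the spool feedback raises a fault at the first demand. The "B closes late" scenario is the intermittent sticking that eventually tripped the 0.5 s discrepancy monitor in the case above. The pressure switch first complains in "both stuck", which is exactly the point at which the safety function is already lost.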
 
mk42,

my 2 cents.
The vendor has little or nothing to do with the circuit design other than answering questions and possibly offering suggestions. You must conform to the requirements to avoid any issue in case of an accident.

You must fully understand the requirements of a Cat 3 circuit and ask a lot of what-if questions.

regards,
james

What I was saying is that I'd expect the manufacturer to have statements in the manual saying "for X safety rating use this way, for Y safety rating use that way".


Definitely agree that he needs to understand the requirements regardless. In theory, if you understand what you're doing, you shouldn't need the manual at all. In practice, it really helps a lot.
 
We might be talking about different products here. My experience with a Festo dump valve was that 2 prox's can provide enough DC to achieve up to Cat.3; using 3 prox's can achieve up to Cat.4, the third one covers the soft start valve.
 
While I do fully understand the Category 3 standard...

There are apparently contradictory statements under this standard and also a term which leaves the topic of diagnostics somewhat open to interpretation - "reasonably practicable". But when aren't standards open to interpretation?

Without wading into all that, may I first ask a simple question or two?...

If this device has been selected in part to satisfy mitigating an assumed assessed risk, to a minimum Category of safety, and comes with built-in diagnostic features, and you are not sure whether you should or should not include them, then why would you not just use them and remove all doubt?

Does it require more cabling or cost in some way and you are more hoping you don't need to use them?

Of course, just using the feature, without ever being sure whether or why you should use it, will not serve you well in the world of safety and risk mitigation.

I'm just curious (George) as to why you're not just default using the sensors as a possible good practice?

For instance, our company has a multinational minimum standard of dual redundancy for all Emergency Stop safety circuits, both input and output, regardless of the level of assessed risk. If an Emergency Stop is deemed required (it is not always), then it will automatically be minimum redundant. I, personally, hold this same minimum standard, and would apply the same even if the company did not specify it. I see it as a good practice, based on current standard norms and wide availability of redundancy-capable devices. It also provides a minimum peace of mind.

Now I do realize that is not practical for all safety function design. Especially for OEMs, where the bottom line is always in sharp focus. I have the luxury of running the department in one plant and this good practice has already been sold to the bean counters.

Again, that's without me getting into the requirements of this standard. I'm initially just curious to know your personal opinion?

How we approach safety, that is, our own safety philosophy, can play a big part in how we then go on to interpret safety standards.

Regards,
George
 