Safety pluggable I/O--is it safe?

kolyur
I'd like to hear opinions about using safety I/O with pluggable connections. I'm referring to the IP67-style fieldbus modules with a number of M8 or M12 plugs that accept redundant signals from safety rated door switches, light curtains, etc. These are becoming available from a number of manufacturers, the 1732DS-IB8 is just one example.

The quick-disconnect aspect is certainly convenient from a wiring standpoint, but isn't it susceptible to tampering? The plugs are all keyed alike so there's no way to ensure that two cables aren't swapped--whether maliciously or accidentally. Yes this can certainly happen with normal pluggable I/O too but the result isn't a severed finger, just a little extra challenge for the troubleshooter. This would lead me to think that every input device wired to a single safety module would need to have the same function (such as four door switches that all trigger the same safety zone). But even with that precaution, swapping cables could cause incorrect indication on an HMI which may not be a direct violation but could certainly lead to confusion.

For those of you who have used these devices, how did you handle these issues? Safe application seems very limited. What am I missing?

[Attachment: 1732DS.png]
 
They've been around a long time and I've had no issues with them. Which cables do you believe can be swapped? I see (3) different styles of connections other than the micros. 5 pin Dnet male, 5 pin Dnet female, 4 pin power male.
 
I'm not talking about the fieldbus or power cables... I mean the actual connections for safety devices. They are all the same type of plug, M12 typically. If someone would swap a few of these they could seriously screw up the safety functions of the machine.
 
If it's the highest safety rating the safety PLC/relay will send diagnostic pulses over the contacts so something wired incorrectly would be detected by the safety circuit.
 
That's true. Dual redundant inputs are used for critical safety items so a safety instruction fault would occur first. If the systems you're installing are prone to people messing around with wiring, it might be wise to go strictly hardwired.
 
> If it's the highest safety rating the safety PLC/relay will send diagnostic pulses over the contacts so something wired incorrectly would be detected by the safety circuit.
I don't see how diagnostic/test pulses would help in this case. It isn't a short circuit situation.

The problem seems obvious to me, perhaps I am not explaining it well. Suppose you have safety switch #1 on door #1, plugged into port #1 of the safety module. And you have safety switch #2 on door #2, plugged into port #2. Each door protects a separate area of the machine and is independent of the other. So now if cables #1 and #2 are inadvertently swapped (easy to do, no tools required), entering door #1 causes the area behind door #2 to shut down and not the area behind door #1 which is where the person is. How do you prevent this?
 
But, let's say, two door switches were swapped. Would this affect the machine safety?

Yes, it probably would.

Pluggable connectors are safe, but not vandalism safe.
Anyone with a screwdriver could swap things around in your electrical cabinet. Or swap pneumatic hoses around on your cylinders. Or...
 
> I don't see how diagnostic/test pulses would help in this case. It isn't a short circuit situation.
>
> The problem seems obvious to me, perhaps I am not explaining it well. Suppose you have safety switch #1 on door #1, plugged into port #1 of the safety module. And you have safety switch #2 on door #2, plugged into port #2. Each door protects a separate area of the machine and is independent of the other. So now if cables #1 and #2 are inadvertently swapped (easy to do, no tools required), entering door #1 causes the area behind door #2 to shut down and not the area behind door #1 which is where the person is. How do you prevent this?

Put the thing inside an enclosure. Now tools are required.
 
If the cables are routed (and secured) in such a way that they can only connect to one sensor (and the other end is hardwired or in an enclosure), I would say that they are just as safe as a hardwired connection. i.e. you would need tools to change it.

On the other hand, if the two door switches were placed together so the cables could easily be swapped I might argue you have an issue. It depends on their relative functions. If all doors need to be closed--no problem, even swapping them won't affect safety (although it might make troubleshooting harder). If they lead to two different functions then there is an issue.

As with anything dealing with safety, you have to complete the hazard analysis and look at how someone uses the machine or how someone may abuse the machine. And swapping cables is certainly something you have to analyze.
 
> As with anything dealing with safety, you have to complete the hazard analysis and look at how someone uses the machine or how someone may abuse the machine. And swapping cables is certainly something you have to analyze.

+1

In doing my machine safety training, one of the things that comes up is that you have to assess and protect against all hazards that could arise during the intended use of the machine, and also the foreseeable misuse of the machine.

So, you look at the foreseeable misuse of the machine. Given the position of the on-machine safety I/O, the cable routing to and from it, and the ease of disconnection of those cables, is it reasonably foreseeable that someone might be inclined to deliberately (or might have cause to accidentally) swap two safety sensors over?

Maybe the safety block is positioned underneath a machine cover that nobody ever removes, unless they're changing out a faulty safety device. If so, it's not really foreseeable that someone might deliberately or accidentally swap two cables. Maybe the device is way up on top of the machine where nobody has any reason to access. Same deal. But maybe it's behind a cover that a mechanical maintenance person might have to remove occasionally to grease some bearings. And maybe it's quite close to these bearings, to the point that it becomes foreseeable that the grease man might want to unplug a couple of cables for a moment so he can get his grease gun on a better angle.

So then, you look at the consequences. Maybe everything that's plugged into this particular block is protecting one zone. If so - there's no safety issue, only a functional one - one that would hopefully be detected by erroneous HMI messages the next time one of the swapped safety devices is actuated. If so - still no hazard, no problem.

But if you have an e/stop, which stops all zones, and a door switch, which only stops one zone - then now you might have a problem. Opening the guard will now stop all zones, which causes a functional problem, but not a safety one. But pressing the e/stop only stops zone 1, when it should stop all zones.

What are the consequences of this? The e/stop, after all, is IN zone 1 - would it constitute a risk if it no longer stopped zones 2 and 3? Are zones 2 and 3 visible from the zone 1 e/stop? Is it likely that someone might see a dangerous situation occurring in zone 2 or 3, while standing at the zone 1 e/stop, and attempt to use that zone 1 e/stop to arrest the danger in zone 2 or 3? Maybe the zone 1 e/stop is in a room with only zone 1 equipment, and there's no way you could possibly know that zones 2 or 3 needed to be stopped from that position. In that case, perhaps you could suggest that the consequences are not severe enough to prevent you from using that method of wiring. You might assess that the likelihood is very low - because the plugs are only accessible to a maintenance technician once a month, and he has no special need to disconnect them - and that the consequences are minor, because of the reasons above and the fact that even if it does happen, the error will get picked up the first time someone opens a guard or presses the e/stop, and the wrong error message appears on the HMI.

Or you might assess that the potential consequences constitute an unacceptable risk, and thus you have to rule out using that particular wiring method. Maybe you put two blocks on your machine, one for zone 1 devices only and one for global devices, and mount them far enough apart that cables cannot be inadvertently or deliberately swapped.

Ultimately, there's no right or wrong answer (okay, maybe there are some wrong ones). You just have to go through that process, do a complete and thorough risk assessment, and fully document every decision you make. Like the old example of a scalpel - it's highly dangerous in my hands, but can save your life in the hands of a skilled surgeon. Use it right and this equipment can be lifesaving, use it wrong and you could mangle someone for the rest of their life.
 
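Because the plugs are all keyed alike, the consequence side of the risk assessment described above comes down to enumerating every way the cables could end up plugged in and asking, for each, which zones would fail to stop. The following is an added example written for this thread, not code from any poster or vendor and not how a safety PLC is actually programmed: it models the two-door case from earlier in the thread and the e-stop/door case from the post above as a lookup table of constructed port, device and zone names, and classifies each possible wiring as a hazard (a zone that should stop does not), a nuisance (an extra zone stops, the wrong HMI message appears) or ok.

```python
"""Enumerate which cable swaps on a pluggable safety I/O block would stop
the wrong zones.  Added example for this thread; port, device and zone
names are constructed for illustration."""
from itertools import permutations

# Intended wiring: module port -> device that should be plugged there.
PORTS = {1: "door_1", 2: "door_2", 3: "estop_1"}

# Zones each device is required to stop when actuated (constructed).
STOPS = {
    "door_1": {"zone1"},                     # guard door on zone 1
    "door_2": {"zone2"},                     # guard door on zone 2
    "estop_1": {"zone1", "zone2", "zone3"},  # global e-stop
}


def assess_wiring(actual, ports=PORTS, stops=STOPS):
    """Compare required vs. actual stop behaviour for one physical wiring.

    actual: port -> device physically plugged into that port.
    The safety program only sees the port, so it stops the zones configured
    for the device it *expects* on that port (ports[port]).
    Returns (hazard, nuisance): device -> zones that should stop but do not,
    and device -> zones that stop although they need not.
    """
    hazard, nuisance = {}, {}
    for port, device in actual.items():
        stopped = stops[ports[port]]          # what the program will do
        missing = stops[device] - stopped     # required but not stopped
        extra = stopped - stops[device]       # stopped but not required
        if missing:
            hazard[device] = missing
        if extra:
            nuisance[device] = extra
    return hazard, nuisance


def swap_cables(port_a, port_b, ports=PORTS):
    """Wiring that results from swapping two plugs of the intended wiring."""
    actual = dict(ports)
    actual[port_a], actual[port_b] = ports[port_b], ports[port_a]
    return actual


def enumerate_wirings(ports=PORTS, stops=STOPS):
    """Every way the cables can be plugged in (all plugs keyed alike),
    each classified as 'hazard', 'nuisance' or 'ok'."""
    order = sorted(ports)
    devices = [ports[p] for p in order]
    verdicts = {}
    for perm in permutations(devices):
        actual = dict(zip(order, perm))
        hazard, nuisance = assess_wiring(actual, ports, stops)
        verdicts[perm] = "hazard" if hazard else ("nuisance" if nuisance else "ok")
    return verdicts


def hazardous_wirings(ports=PORTS, stops=STOPS):
    """Only the wirings that leave some zone unprotected."""
    return [w for w, v in enumerate_wirings(ports, stops).items() if v == "hazard"]


if __name__ == "__main__":
    for perm, verdict in enumerate_wirings().items():
        print(perm, verdict)
```

Run as-is, the script shows that with one zone-1 door, one zone-2 door and a global e-stop on the same block, every wiring other than the intended one is a hazard, which is the case where separate blocks mounted apart, or an enclosure, would be warranted. Giving every device the same stop set (the "all doors must be closed" case from earlier in the thread) makes every permutation come out ok, so a swap there is a troubleshooting problem rather than a safety one.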
This is all good advice. I agree that the usage of these modules needs to be included in the risk assessment and that is where my concerns would be addressed, on a case-by-case basis. ASF, your thought process is spot on, thank you.
 
