Confusing Safety Controls

This is confusing me. How else can they be? In parallel? Assuming a safety relay, not a safety PLC.


Again assuming a safety relay, and not a safety PLC, this is what I said:
Cat.3 may have EDM, Cat.4 must have it.

You would need multiple safety relays or a safety relay with multiple pairs of inputs such as Allen Bradley Next Generation "Dual Input" safety relays.

Practically speaking, if you actually need Cat 4, you'll probably want to use a programmable safety relay or safety PLC.
 
Neither of the slim safety relays (e.g. Allen Bradley MSR127 or Omron/Sti SR103) has pulse testing of the channels; still, they are declared to be Cat.4.

And an interesting detail: the manual of the latter directly states
"As well as the requirements of EN60204-1, the safety relay also fulfills the requirements for the safety category 4 as per EN954-1, on the condition that the start button between terminals S12 and S21 is not replaced by a bridge."
That is, it cannot be wired for auto-reset.

The safety relay is only one portion of a safety system. In a safety system you have inputs, logic and outputs as subsystems. Each subsystem will have its own performance level/category and the performance level of the worst subsystem will limit the overall performance level of the system.

This means you can have an MSR127 relay which is Cat 4 and presumably has a PLmax of e. If you wire one gate switch and two contactors to this relay and monitor those contactors you are at Cat 4. But if you choose to wire 10 gate switches in series into this safety relay your overall system will not meet Cat 4 requirements, even though the relay itself is sufficient for Cat 4.

Also, EN-954 is an obsolete standard, replaced by ISO13849 so I wouldn't put a ton of stock in that. You must reference the current standards.
 
Quote:
But if you choose to wire 10 gate switches in series into this safety relay your overall system will not meet Cat 4 requirements, even though the relay itself is sufficient for Cat 4.
Is this a personal interpretation or an explicit requirement of the standard?
Makes no sense to me. How does this reduce the ability to detect faults?
Or how does this create fault accumulation leading to loss of the safety function?
 
Quote:
Is this a personal interpretation or an explicit requirement of the standard?
Makes no sense to me. How does this reduce the ability to detect faults?
Or how does this create fault accumulation leading to loss of the safety function?

http://www.machinery-safety-allianc...eID=Are_your_safeguards_as_safe_as_you_think?

This explains it much better than I can. Essentially multiple switches in series reduces your diagnostic coverage, and category 4 requires diagnostic coverage of 99%.
 
Here's how the TUV Functional Safety for Machinery course defined CAT3 and CAT4:

One example that stuck out from the training was a tongue style safety switch. There is an exception for CAT 3 that allows a single tongue switch to be used and still meet dual channel. The tongue itself is a single point of failure: it breaks and you can't tell that it's broken and stuck in the switch. CAT 4 does not allow that exception; you would need to use 2 switches, as the odds of both breaking the same way at the same time are a lot smaller.

Of everything posted so far, this by far stands out.
I have not seen mention of this, but in terms of rigorous risk assessments, these factors are hardly considered.
Of course, some devices claim that they will not fail, or if they do the integrity will not be compromised. (The Omron relays have that factor)
 
Just my 2c...

Having an internationally accredited certificate in machinery safety, all that I can tell you for certain is that all of the opinions above are more or less just that - opinions. The actual legislation is extremely (and deliberately) vague, and interpretations of it vary wildly.

I do a lot of work at one particular company that must have every machine's safety system validated by an external party before it can be handed over to the operators. In large part, the company they get to do the validation is chosen based on what kind of safety arrangement is in place, and what we know of the companies and their particular interpretations of the "rules".

An example: validation company A will not validate anything as Cat 3 or 4 if there is an e/stop and a guard switch in series. Period. Even though I know full well that many of the company A employees disagree with that assessment - and so do I, in many cases - that's the company line, and they have to toe it. Validation company B, on the other hand, will see an e/stop and a guard switch in series and ask a lot more questions about how many operators use the machine at once, where they are stationed, how often and for what purpose the guard is opened, and so on. After assessing all of these factors, they decide whether or not they will validate it as Cat 3. Quite often they will. So, if they get in a machine that has an e/stop and a guard switch in series, they'll call company B to do the validation. Maybe it'll pass without any further modifications, maybe it won't - but it definitely won't if they call in company A.

All of the responses above are potentially valid observations, but they are absolutely not universal. And even if they can be justified and backed up, ultimately it doesn't matter if the person who's validating/assessing/reviewing your design has a different take on it.

As for my own opinion on the difference between Cat 3 and Cat 4? The only actual explicit difference I can find in the international machinery safety standard (ISO13849-1) is this:

Cat 3: Wherever reasonably practical, single faults will be detected at or before the next demand on the safety system (6.2.6)

Cat 4: A single fault will be detected at or before the next demand on the safety system (6.2.7)

"Wherever reasonably practical". Hardly a black and white, easily definable rule, is it!

Company B is doing it wrong if it's considering the usage of the machine; it has nothing to do with the category of the safety circuits. Usage should be considered when the required performance level is defined.

Generally E-Stops should not be mixed with other safety systems in the same circuit. They fulfill a different role. Also, E-stop is not handled by the functional safety standards but is covered by its own standards (well, in here. Maybe you guys do it upside down in DU ;) ). E-stop is not a safety function; monitoring of the door is.

Company A is doing it wrong if they outright reject the system without inspecting how the circuit is actually done. Devices can be in series if there is another means of detecting faults.
 
Quote:
Company B is doing it wrong if it's considering the usage of the machine; it has nothing to do with the category of the safety circuits. Usage should be considered when the required performance level is defined.

Company A would agree with you. But Company B disagrees, and so do I, personally. The biggest issue I can see with two guard switches in series is if one channel on one switch fails closed. If that guard switch is opened, then the safety relay will detect the fault, no problem. But what if the non-faulty guard is opened, and THEN the faulty one? The problem is not detected yet. Then, if the faulty guard is closed before the non-faulty one, the problem will stay undetected, and the safety circuit can be reset. This is clearly a problem! But that's where the usage of the machine comes in. If you have two gates, and the left gate closes over the top of the right gate, then two guards in series is a problem. Because you always have to open the left gate before the right, and you always have to close the right gate before the left. So if the right gate has a channel fail on, it can never be detected. Problem! But, let's say these two guard switches that are in series are not on a pair of overlapping gates, but on an infeed cover and an outfeed cover. Multiple times per hour, the infeed cover has to be opened to replace a roll of film/tape/etc, and multiple times per hour, the outfeed cover has to be opened to clean/adjust/clear something. In this case, you could, in my opinion, quite comfortably say that a fault on either guard switch will be detected very quickly. There's still a very slim chance it wouldn't be detected the very first time, and so I wouldn't consider this Cat 4 or PLe because your diagnostic coverage is reduced slightly, and Cat 4/PLe needs as high a DC as possible. But I'd consider Cat 3 to be reasonable, given its wording around fault detection. You could also take into account how many operators run this machine. If there is only one operator, and the guards are at opposite ends of the machine, it's even less likely the fault would go undetected, as the operator will only be playing with one guard at a time.
If there's an operator at both ends of the machine, that again changes things - it's now more likely that both guards will be opened at the same time, and by extension, slightly more likely that they will get opened in such a sequence as to mask the fault. Long story short, the way the machine is operated absolutely plays a part in the assessment.

Quote:
Company A is doing it wrong if they outright reject the system without inspecting how the circuit is actually done. Devices can be in series if there is another means of detecting faults.
Company B would agree with you, and personally, so do I. But that's the company line, and their employees have to toe it whether they like it or not. And Company A is one of the largest safety companies in the world, so it's hard to tell them they're doing it wrong. Having said that, they don't just ignore the design - as you say, if there are other means of detecting the faults they will accept it. We got around it in one case by using self-checking guard switches that do their own internal monitoring and detect faults internally, and Company A validated the machine with a dozen of those in series. But in general, they won't do it.

Again, all of this just goes to show that there are tons of different interpretations and understandings of the legislation, and you can't hope for a clear cut, universal answer that will satisfy everyone.
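The fault-masking sequence described in the post above, modelled as an added example (this is not code from the thread or from any safety relay vendor): two dual-channel guard switches A and B are wired in series into a dual-channel safety relay, and channel 2 of switch B is assumed to have failed closed. The relay model latches a fault whenever the two channel lines disagree once a guard has settled, a simplification of the discrepancy monitoring a real relay performs; the sequences and the stuck channel are constructed for the demonstration.

```python
# Added example, not code from the thread: two dual-channel guard switches wired
# in series into a dual-channel safety relay, showing which open/close sequences
# reveal a single channel that has failed closed (constructed model).
from itertools import permutations

class GuardSwitch:
    """Two-channel guard switch; a stuck-closed channel stays closed when opened."""
    def __init__(self, name, stuck_closed=()):
        self.name = name
        self.is_open = False
        self.stuck = set(stuck_closed)  # channel numbers (1 or 2) failed closed

    def channel_closed(self, ch):
        return (not self.is_open) or (ch in self.stuck)

class SeriesSafetyCircuit:
    """Each channel runs through every switch in series; the relay latches a
    fault whenever the two channel lines disagree at steady state."""
    def __init__(self, switches):
        self.switches = switches
        self.fault_detected = False

    def _line_closed(self, ch):
        return all(s.channel_closed(ch) for s in self.switches)

    def apply(self, action, name):
        sw = next(s for s in self.switches if s.name == name)
        sw.is_open = (action == "open")
        # Simplification: a real relay tolerates a short discrepancy time; here
        # any disagreement once the guard has settled counts as a detected fault.
        if self._line_closed(1) != self._line_closed(2):
            self.fault_detected = True

    def can_reset(self):
        return (not self.fault_detected and self._line_closed(1)
                and self._line_closed(2))

def run_sequence(sequence, faulty="B", stuck_channel=2):
    """Apply open/close actions to a fresh circuit and return it for inspection."""
    circuit = SeriesSafetyCircuit([
        GuardSwitch(n, stuck_closed=(stuck_channel,) if n == faulty else ())
        for n in ("A", "B")])
    for action, name in sequence:
        circuit.apply(action, name)
    return circuit

# Constructed sequences matching the post (switch B is the faulty guard):
FAULTY_GUARD_FIRST = [("open", "B"), ("close", "B")]
MASKING_SEQUENCE = [("open", "A"), ("open", "B"), ("close", "B"), ("close", "A")]
REVEALING_SEQUENCE = [("open", "A"), ("open", "B"), ("close", "A"), ("close", "B")]

def masking_count():
    """(orderings hiding the fault, total) over every way of opening both guards
    and then closing both; the overlapping-gate order is the one that hides it."""
    seqs = [[("open", o[0]), ("open", o[1]), ("close", c[0]), ("close", c[1])]
            for o in permutations("AB") for c in permutations("AB")]
    hidden = sum(not run_sequence(s).fault_detected for s in seqs)
    return hidden, len(seqs)

if __name__ == "__main__":
    c = run_sequence(MASKING_SEQUENCE)
    print("masking sequence: detected =", c.fault_detected, "reset ok =", c.can_reset())
    print("orderings hiding the fault:", masking_count())
```

With the faulty guard opened first the discrepancy shows immediately; with the non-faulty guard opened first and the faulty one closed first, both lines end up closed again and the circuit resets with the fault still latent, which is exactly the sequence the overlapping-gate layout forces every time.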
 
Sergei_Troizky said:
Quote:
Originally Posted by TurpoUrpo
E-stop is not a safety function...
At this point I have to leave this discussion, to preserve the remnants of my common sense.
While I understand the sentiment, the point TurpoUrpo was making is valid. When you're doing a risk assessment on a machine, you don't count an emergency stop as reducing the risk. If the emergency stop is used, then the hazard has already caused injury, and while having an emergency stop nearby might save a crushed arm from becoming an amputated arm, the point of a safety system is to stop it getting to that point in the first place. E/Stops are like the PPE of a safety system - before you even consider PPE as a protective measure, you should go through all possible other options (Eliminate, substitute, isolate, engineering, administration) and only then think about PPE. Likewise, you should follow a similar procedure with reducing the risk of a machine, and only once you've reduced the risk as low as possible by the same control methods, should you go "OK. Now that the risk is suitably low, where should we put e/stops as a final, just-in-case backup?". It's worth noting that even putting guards and guard switches in comes four steps down that procedure, under "engineering" - putting a guard around something should NOT be your first response to a hazardous machine, though most people approach it that way.

And one more time, this is all my personal opinion based on training and experience, and if you can't find someone who disagrees with me then I'll eat a bug.
 
Quote:
Generally E-Stops should not be mixed with other safety systems in the same circuit. They fulfill a different role. Also, E-stop is not handled by the functional safety standards but is covered by its own standards (well, in here. Maybe you guys do it upside down in DU ;) ). E-stop is not a safety function; monitoring of the door is.

I think I agree with this; the wording of "E-stop is not a safety function, monitoring of the door is." is perhaps easily misunderstood.
 
Quote:
While I understand the sentiment, the point TurpoUrpo was making is valid. When you're doing a risk assessment on a machine, you don't count an emergency stop as reducing the risk. If the emergency stop is used, then the hazard has already caused injury, and while having an emergency stop nearby might save a crushed arm from becoming an amputated arm, the point of a safety system is to stop it getting to that point in the first place. E/Stops are like the PPE of a safety system - before you even consider PPE as a protective measure, you should go through all possible other options (Eliminate, substitute, isolate, engineering, administration) and only then think about PPE. Likewise, you should follow a similar procedure with reducing the risk of a machine, and only once you've reduced the risk as low as possible by the same control methods, should you go "OK. Now that the risk is suitably low, where should we put e/stops as a final, just-in-case backup?". It's worth noting that even putting guards and guard switches in comes four steps down that procedure, under "engineering" - putting a guard around something should NOT be your first response to a hazardous machine, though most people approach it that way.

And one more time, this is all my personal opinion based on training and experience, and if you can't find someone who disagrees with me then I'll eat a bug.


I've always heard E-stops referred to as a "Supplementary" safety function. As you say, they are the last resort backup, after the real safety process is implemented.
 
Quote:
At this point I have to leave this discussion, to preserve the remnants of my common sense.

As told to you by others. But to stress the difference some more, I'll answer this some more.

A safety function is something that is done to allow working in safety with the machinery. A safety function can be monitoring of the door position via a guard switch. The monitoring of the door is the safety function; it's totally irrelevant what method is actually used to monitor the closed position of the door.

E-stop is emergency stop. It is an action of bringing the machine to a safe state in a situation of emergency. If it were worded similarly to safety function, it would be worded "emergency function". What should be noticed here is that pressing the emergency stop itself is not necessarily going to bring the machine immediately to a safe state. Think about a paper machine with large many-ton rolls. Those won't necessarily be stopped in a very rapid way after pressing the e-stop. Now consider a safety function that is intended to keep you out of harm's way (those fast rolling rolls); that would work so that you have a lockable door that allows opening only after the roll is actually in a safe state, e.g. stopped. Risk assessment is the thing here that defines the required safety functions and what the PLr is for those safety functions.
 
Quote:
Company A would agree with you. But Company B disagrees, and so do I, personally. The biggest issue I can see with two guard switches in series is if one channel on one switch fails closed. If that guard switch is opened, then the safety relay will detect the fault, no problem. But what if the non-faulty guard is opened, and THEN the faulty one? The problem is not detected yet. Then, if the faulty guard is closed before the non-faulty one, the problem will stay undetected, and the safety circuit can be reset. This is clearly a problem! But that's where the usage of the machine comes in. If you have two gates, and the left gate closes over the top of the right gate, then two guards in series is a problem. Because you always have to open the left gate before the right, and you always have to close the right gate before the left. So if the right gate has a channel fail on, it can never be detected. Problem! But, let's say these two guard switches that are in series are not on a pair of overlapping gates, but on an infeed cover and an outfeed cover. Multiple times per hour, the infeed cover has to be opened to replace a roll of film/tape/etc, and multiple times per hour, the outfeed cover has to be opened to clean/adjust/clear something. In this case, you could, in my opinion, quite comfortably say that a fault on either guard switch will be detected very quickly. There's still a very slim chance it wouldn't be detected the very first time, and so I wouldn't consider this Cat 4 or PLe because your diagnostic coverage is reduced slightly, and Cat 4/PLe needs as high a DC as possible. But I'd consider Cat 3 to be reasonable, given its wording around fault detection. You could also take into account how many operators run this machine. If there is only one operator, and the guards are at opposite ends of the machine, it's even less likely the fault would go undetected, as the operator will only be playing with one guard at a time.
If there's an operator at both ends of the machine, that again changes things - it's now more likely that both guards will be opened at the same time, and by extension, slightly more likely that they will get opened in such a sequence as to mask the fault. Long story short, the way the machine is operated absolutely plays a part in the assessment.


Quote:
Company B would agree with you, and personally, so do I. But that's the company line, and their employees have to toe it whether they like it or not. And Company A is one of the largest safety companies in the world, so it's hard to tell them they're doing it wrong. Having said that, they don't just ignore the design - as you say, if there are other means of detecting the faults they will accept it. We got around it in one case by using self-checking guard switches that do their own internal monitoring and detect faults internally, and Company A validated the machine with a dozen of those in series. But in general, they won't do it.

Again, all of this just goes to show that there are tons of different interpretations and understandings of the legislation, and you can't hope for a clear cut, universal answer that will satisfy everyone.

I'm just gonna repeat. Any usage scenarios should be taken into account when doing the risk assessment and finding the actual PLr and needed safety functions. Usage pattern cannot affect the category of the circuit, only design of the circuit affects it. The diagnostics are only diagnostics done by the safety system, not by operators operating the machine (if not forced by the safety system).
 
Quote:
I'm just gonna repeat. Any usage scenarios should be taken into account when doing the risk assessment and finding the actual PLr and needed safety functions. Usage pattern cannot affect the category of the circuit, only design of the circuit affects it. The diagnostics are only diagnostics done by the safety system, not by operators operating the machine (if not forced by the safety system).

You've definitely got a valid point - but just run with me for a second here...

On a Cat 3 system, single faults will be detected "at or before the next demand on the safety system, wherever reasonably practical".

"Wherever reasonably practical" is wide open to interpretation, and I believe that the usage of the machine can come into this.

On a machine with two guard switches in series, a single-channel fault will remain undetected if both guards are opened and closed in a certain sequence. If I can determine based on the intended usage, foreseeable misuse, and maintenance requirements of the machine that this sequence of events is exceedingly unlikely - and that it is exceedingly likely that the above fault will be detected through normal use, foreseeable misuse, and maintenance operations - then it could quite well be argued that the fault is being detected "where reasonably practical".

"Wherever reasonably practical" could reasonably be interpreted as "in all except in very rare circumstances", and therefore, the system above could meet Cat 3. If, on the other hand, the use of the machine meant that most of the time both guards would be open together, you could never argue Cat 3.

I'm happy for your opinion to be different, and I don't claim that the one above is either right or wrong. As before - you can interpret the legislation a lot of different ways!
 
