Safety PLC/Hardware question Category 3 vs Category 2

[chris_p]

I've ready through the the previous posts, and we've worked with safety design for a long time.

In the past, we worked with Pilz directly, and they stated to us that if we drove an expansion relay (with K1 & K2) from a single safety output, with feed back of the relay into the safety PLC, that we would achieve Category 3. Most of the rockwell literature states that a single output to a single safety contactor only achieves Cat 2. But it also doesn't show feedback of the contactor to a safety input.

It's been debated in our office, and bottom line is we can find no documents or literature anywhere that states a Category 3 rating for this circuit. Is this open to interpretation or is there some hard evidence?

Most systems in automotive are Category 3 (PLd) at best. Rockwell L80 Safety Partner is required to get to PLe, but we all know that a system is only as good as it's weakest rated device/circuit. But customers want the safety partner regardless of the PLd rating. General discussion here, would be great to get some feedback with some reference material to share! Thank you all!

Chris.

 

[JeffKiper]

My interpretation is 1 point of failure that looses the safety function is Cat 2 or less. If I drive multiple force guided contactors with 1 output and that output fails ON I have lost the safety function when putting a demand on the system.

If I use 2 outputs driving multiple contactors and 1 output fails ON I haven't lost my safety function. So Cat 3.

 

[ndzied1]

Could it depend on how the “safety output” works inside the safety PLC? If the output has redundancy and monitoring inside safety PLC then maybe it is OK. ?

 

[mk42]

If its a standard output, then it would be single point of failure.

Safety outputs are already redundant, that's why they can be used for SIL3/PLe systems, regardless of if they are driving contactors or devices directly. I don't know if these are industry terms or not, but Siemens sells both PP and PM failsafe outputs. PP breaks the output twice at the output and then the signal can return anywhere. PM breaks the output once at the output and once at the return, but you HAVE to return it back to the module. The upside of PM is that you can detect cross circuit errors, etc, whereas with PP you have to take extra care with your wiring to try to ensure they would be impossible.

The Siemens manuals also show driving 2 relays/contactors from a single failsafe output as an option. The safe out has built in redundancy, and the 2 contactors are redundant, and so it can be ok.

 

[robertmee]

A single safety ouput to a contactor with feedback would not achieve SIL 3. A safety output monitors the output status of that channel, and the safety input monitors the input status of the feedback. The safety plc and safety IO insure safety integrity of the modules. Proper coding insuring safe state before energizing, using the feedback signal, are all part of Sil 2. But a simple short to 24VDC on the output wire to your single contactor renders all of that moot. Or a bridged contact on that single contactor also renders the system unsafe. A safety output and safety input gain some integrity, but it's not a panacea to avoid a single point of failure as mentioned earlier. Without redundant means of removing power from a device, SIL 3 isn't achieved in the strictest sense.

With that said, the reason you aren't seeing that specifically called out in literature is because SIL ratings are about probability and failure rates. Manufacturers I've noticed can claim their single channel relay is SIL3 rated because they include diagnostics just as a properly wired and coded single channel rockwell input/output. BUT as demonstrated, the overall system doesn't achieve that rating due to a single failure point.

 

[Jeev]

The Safety of Machinery standards quantify Category Architecture and PL/SIL.

Your part if the world: ISO 13849-1
My part of the world: AS4024.1503

As of several years ago, an important distinction that should be made in machine safety is between Category and PL/SIL. It sounds to me as if some of these concepts are being mixed up or confused. For example, you will find many PLd systems are Category 3, which is a dual channel architecture. You can also achieve PLd using Category 2, which is a single channel architecture if your MTTF and DC are high enough. To me, it seems like this might be some of the confusion.

 

[JeffKiper]

I'm old school I agree with the cross between the CAT&PL vs SIL.

Cat is the physical design. PL is the calculated failure rate (MTFD) in my eyes.

Yes you can get PLd in a Cat 2.

 

[Jeev]

It's unethical of me to share specific standards here, however it can be difficult to find information on machine safety. There are a number of vendors who prepare material based on these standards and distribute it openly. Some of the freely available resources I have found over the years can be referenced below:

Rockwell SafeBook 5

SICK - Guide For Safe Machinery

PILZ - The Safety Compendium

Wieland - Safety Manual

Schneider - Safe Machinery Handbook

Siemens - Introduction and Terminology for Functional Safety of Machines and Systems

SMC - Safety In Focus

FESTO - Guideline For Functional Safety

SISTEMA - Cookbook 1

Parker - A comprehensive Guide To Machine Safety


**Please note that not all information is current as per the standards.

 

[chris_p]

To add to the discussion about a single point of failure. I believe the comment was made if the output shorts and it

My interpretation is 1 point of failure that looses the safety function is Cat 2 or less. If I drive multiple force guided contactors with 1 output and that output fails ON I have lost the safety function when putting a demand on the system.

If I use 2 outputs driving multiple contactors and 1 output fails ON I haven't lost my safety function. So Cat 3.

Thank you Jeff. The first place I go with this is if there is adequate safety logic, which again opens it up to interpretation and discussion on whether items are programmed properly and the requirement of going through a complete technical validation of all safety systems after installation, but with adequate safety logic, we've programmed a channel fault into the output configuration, so if a single output is shorted on, the driven relay turns on and we get a channel fault in the PLC and it disables the output. So it would actually take two failures to cause a hazard: Shorted output, and the feedback circuit failing at the exact same time. Thoughts? I might be underthinking this entirely.

 

[robertmee]

To add to the discussion about a single point of failure. I believe the comment was made if the output shorts and it

Thank you Jeff. The first place I go with this is if there is adequate safety logic, which again opens it up to interpretation and discussion on whether items are programmed properly and the requirement of going through a complete technical validation of all safety systems after installation, but with adequate safety logic, we've programmed a channel fault into the output configuration, so if a single output is shorted on, the driven relay turns on and we get a channel fault in the PLC and it disables the output. So it would actually take two failures to cause a hazard: Shorted output, and the feedback circuit failing at the exact same time. Thoughts? I might be underthinking this entirely.

If the output to a single contactor is shorted to the supply voltage, external to the PLC, then no amount of feedback or safety logic prevents the motor connected to that contactor from running. You could turn the PLC off and the motor still runs.