«
»

Safety related control systems

This article was originally written in the period 1995-2000

Introducing the EJA Engineering free guide to machinery safety legislation, this feature explores safety-related control systems.

A safety related control system (SRCS) is that part of the control system of a machine which prevents a hazardous condition from occurring. It can be a separate dedicated system or it may be integrated with the normal machine control system.

Its complexity will vary from a typical simple system, such as a guard door interlock switch and emergency stop switch connected in series to the control coil of power contactor, to a compound system comprising both simple and complex devices communicating through software and hardware.

In order to provide the safety function the system must continue to operate correctly under all foreseeable conditions.

So how do we design a system to achieve this, and when we have done that, how do we show it?

The draft European Standard prEN 954?1 ‘Safety related parts of control systems’ deals with these aspects.

It lays down a ‘language’ of five categories for benchmarking and describing the performance of SRCSs (see panel).

In order to translate these requirements into a system design specification there has to be an interpretation of the basic requirements.

First of all let us dispose of one popular misconception. It is a commonly held belief that category 1 gives the least protection and category 4 gives the best. This is not the reasoning behind the categories. They are intended as reference points which describe the functional performance of different method types of safety related control system (or their constituent parts).

Category 1 is aimed at the prevention of faults. It is achieved by the use of suitable design principles, components and materials. Simplicity of principle and design together with the use of materials with stable and predictable characteristics are the keys to this category.

Categories 2, 3 and 4 require that if faults cannot be prevented they must be detected (and appropriate action taken). Monitoring and checking are the keys to these categories. The most usual (but not the only) method of monitoring is to duplicate the safety critical functions (i.e. redundancy) and compare their operation.

Take a simple system comprising a guard door interlock switch connected in series to the control coil of a power contactor. If we consider that the aim is toward complete reliability with no possibility of a failure to a dangerous condition, which of the categories is most appropriate?

The first step is to separate the system into its major components and consider their modes of potential failure. In this example the components are:

  • Interlock switch
  • Contactor
  • Wiring

The interlock switch is a mechanical device. The task which it performs is a simple one ? opening the contacts when a guard door is opened. It fulfils the requirements of category 1 and by the use of correct design principles and materials it can be proved that, when used within its stated operating parameters, it will have no failures to a dangerous condition. This is made feasible by the fact that the device is relatively simple and has predictable and provable characteristics.

The contactor is a slightly more complex device and may have some theoretical possibilities for failure. Contactors from reputable manufacturers are extremely reliable devices. Statistics show that failures are rare and can usually be attributed to poor installation or maintenance. Contactors should always have their power contacts protected by an overcurrent cut-out device to prevent welding. They should be subject to a regular inspection routine to detect excessive contact pitting or loose connections which can lead to overheating and distortion.

It should be checked that the contactor complies with relevant standards which cover the required characteristics and conditions of use.

By attending to these factors it is possible to keep the possibilities of failure to a minimum. But for some situations even this is unacceptable and in order to increase the level of safety provision we need to use duplication and monitoring.

The wiring which connects the components together must also be considered. Undetected short circuit and earth faults could lead to a dangerous condition but if it is properly designed and installed using standards such as BS EN 60204 for guidance then the chances of failure are greatly reduced.

This system can provide a significant level of safety which will be adequate for many situations. But both the contactor and the wiring are prone to unlikely though theoretically foreseeable faults. In some cases it may be possible, by taking precautions (eg with regard to cable protection and routing) to eliminate all fault possibilities. If this is not feasible then techniques relevant to categories 2, 3 and 4 such as duplication and monitoring are usually both more practicable and cost effective.

For a system which fulfils the requirements of category 3, a Guardmaster Minotaur MSR6RT safety monitoring relay unit may be used to monitor a two channel control circuit. Any single fault on the wiring or contactors will be detected by the Minotaur at the next demand on the safety function. Note that, although the interlock switch now has double pole contacts, it is still a device which fulfils the requirements of category 1 ? forming part of a system which fulfils the requirements of category 3.

This poses the inevitable question of when, and to what degree, do we need to take such measures?

The simple answer is to say that it depends on the results of the risk assessment. This is the correct approach but we must understand that this includes all factors and not just the level of risk at the hazard point. For example, it may be thought that if the risk estimation shows a high level of risk, the interlock switch should be doubled up and monitored. But in many circumstances this device, due to its application, design and simplicity, will not fail to a danger and there will be no undetected faults to monitor.

Therefore the situation is becoming clear, the type of category used will depend on both the risk assessment and the nature and complexity of the device or system. It is also clear that where a total system meets the requirements of category 3 for example it may include devices to category 1.

If there are fault possibilities, the higher the degree of risk, obtained at the risk estimation, the greater the justification for measures to prevent or detect them and the type of category should be chosen to give the most suitable and efficient method of doing this. Remember, the level of risk estimate is one factor but the nature of the protective device or system and the machine’s operating characteristics must also be taken into account.

With the same basic circuit the interlock switch may be replaced by a safety light curtain. The safety light curtain is a complex device. Even in its simplest form, it will have a relatively large number of electronic components including integrated circuits. More sophisticated types (and hence with more features) may also depend on programmable devices and software.

To anticipate and eliminate all dangerous faults in an electronic but non-programmable device would be a huge task and with a programmable device it would be virtually impossible. Therefore we must accept that faults will be possible and the best answer is to detect them and ensure that the necessary protective action is taken (eg locking out to a safe state). So we would need a device that satisfies the requirements of category 2, 3 or 4. With a simple circuit such as this, the light curtain will also monitor the wiring and contactors. As all light curtains are relatively complex, the choice of categories will usually depend solely on the results of the risk assessment. This does not preclude the fact that it may be possible to work to a different category if a device uses an unconventional but provable approach.

We can see from the last two examples that the same degree of protection is provided by two types of systems using devices satisfying different categories.

Safebook 2 is a free guide from EJA Engineering, dealing with machine safety interlocking and machinery safety legislation. Circle the reader enquiry card for your free copy.

  • EJA Guardmaster
  • Tel: 01942 257112
  • Fax: 01942 523259

Added on 23 December 2008 at 5:40 pm | Read more machine building articles