Veganic, posted August 27, 2014:
The attached drawing shows two ways to connect two contactors to a safety relay. Assume feedback loops and reset circuits. Is there a reason why one would not be acceptable as Cat. 3 architecture? Can anyone comment on the merits of each?
Crossbow, posted August 27, 2014:
You do not have redundancy of the circuits. While you are turning on 2 loads, they are both run by the same contact. Single point of failure.
JRoss, posted August 27, 2014:
The redundancy is in the safety relay itself, so you don't actually have a single point of failure. If this is a standard safety relay (no time delays), then both circuits will work the same and be equally safe. Splitting the loads over both sets of output contacts will allow you to switch higher loads, but that's the only advantage. If this is a time-delay relay where one of the contacts is immediate and the other is time-delay, then of course you'd get different functionality in the two circuits. If you want to increase the control reliability (i.e. safety) of the circuit, you should be using force-guided motor contactors with External Device Monitoring (EDM).
Veganic (author), posted August 27, 2014:
Thanks for the replies. It was a theoretical question. I have a distant memory from a training course that using the single channel was acceptable if the contactors were in the same enclosure. Independent channels being required if they were remote to give adequate separation and fault tolerance (all other considerations, load etc. being equal). All this depends on the risk assessment, PLr, diagnostic coverage, and analysis of common cause failure, etc., etc., etc. Do you work to ISO 13849-1 in the States?
JRoss, posted August 27, 2014:
Your memory is correct, but the diagrams you provided show two loads with single channel connection to power, just that one has them both connected through the same set of contacts and the other gives them separate contacts. I'd have to look up the standards we use. I don't do enough safety to have it memorized! I have to look things up when actually designing circuits!
Crossbow, posted August 28, 2014:
We do use ISO 13949-1 and IEC 61508 specs most commonly.
IO_Rack, posted September 8, 2014:
Allen Bradley has a great explanation with diagrams. http://www.ab.com/en/epub/catalogs/3377539/5866177/3378076/10334651/Categories-of-Control-Systems.html
My understanding is that these circuits are not equal. The circuit to the right has a point of failure at the output of the safety relay where the one on the left does not. Have a look at "Output Pulse Testing". Also, I believe neither circuit is Category 3 compliant. As JRoss has suggested, neither circuit has EDM feedback. This creates a single point of failure at each relay (contactor). Output Pulse Testing is not required for Category 3 but the EDM is. Safety circuits can look very simple yet be very confusing.
Edit: The strikethrough text is a false statement. If one relay fails (welds closed), the other will open the circuit for a safe condition. The difference is, the safety circuit would successfully reset without EDM feedback and no one would ever know. At this point it will not be Category 3 compliant.
Edited September 8, 2014 by IO_Rack
JRoss, posted September 8, 2014:
If your edit is talking about the relay contacts inside the safety relay, then the original statement was more correct. EDM monitors external devices (hence External Device Monitoring). Generally, this is used to monitor safety-rated load contactors that have force-guided relays in them, with one NC contact used specifically for EDM. These contacts are wired between two terminals on the safety relay, which can then check for contact weld. Both the Category 2 and 3 circuits in the link show this. The contacts inside the safety relay are already monitored in this way. EDM gives you a way to add external devices into the monitoring.
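The failure mode IO_Rack describes in the edit above (one contactor welds closed, the other still opens the load, and the relay resets as if nothing happened) and the EDM feedback loop JRoss describes can be shown with a small model. This is an added example written for this thread, not code from any of the posters or from a relay vendor; the contactor and relay classes, the series-wired NC feedback loop and the fault injection are all constructed here to illustrate the behaviour, not taken from a product.

```python
"""Model of two force-guided contactors (K1, K2) driven by a safety relay,
with and without External Device Monitoring (EDM).

Constructed illustration for the thread: the classes and the welded-contact
fault are assumptions made here, not any vendor's implementation."""
from dataclasses import dataclass


@dataclass
class Contactor:
    name: str
    energised: bool = False   # coil driven by the safety relay output
    welded: bool = False      # fault: main contact stuck closed

    def main_contact_closed(self) -> bool:
        return self.energised or self.welded

    def feedback_closed(self) -> bool:
        # Force-guided NC auxiliary contact: mechanically linked, so it can
        # only be closed while the main contact is open.  This is the contact
        # wired into the EDM loop.
        return not self.main_contact_closed()


class SafetyRelay:
    def __init__(self, contactors, edm: bool):
        self.contactors = contactors
        self.edm = edm            # whether the feedback loop is checked
        self.outputs_on = False

    def drop_out(self) -> None:
        # Safety demand (e.g. e-stop): de-energise both contactor coils.
        self.outputs_on = False
        for c in self.contactors:
            c.energised = False

    def reset(self) -> bool:
        # With EDM, reset is only accepted while every NC feedback contact in
        # the series loop is closed, i.e. every contactor has dropped out.
        if self.edm and not all(c.feedback_closed() for c in self.contactors):
            return False
        self.outputs_on = True
        for c in self.contactors:
            c.energised = True
        return True


def load_isolated(contactors) -> bool:
    # Both main contacts are in series with the load: it is isolated as soon
    # as at least one of them is open.
    return not all(c.main_contact_closed() for c in contactors)


def scenario(edm: bool) -> dict:
    """Run: normal reset, then K1 welds, then a safety demand, then reset."""
    k1, k2 = Contactor("K1"), Contactor("K2")
    relay = SafetyRelay([k1, k2], edm)
    relay.reset()
    k1.welded = True                     # undetected fault while running
    relay.drop_out()                     # safety demand
    isolated = load_isolated([k1, k2])   # K2 still opens: safe this time
    accepted = relay.reset()             # is the weld noticed on reset?
    return {
        "isolated_after_stop": isolated,
        "reset_accepted": accepted,
        "fault_masked": accepted and k1.welded,
    }


if __name__ == "__main__":
    for edm in (False, True):
        print("EDM" if edm else "no EDM", scenario(edm))
```

Without EDM the first fault is survived (K2 opens the load) but the reset goes through, so the circuit runs on with a single remaining contactor and no one knows; with EDM the welded K1 holds its NC feedback contact open and the reset is refused, which is the point of the feedback loop in the Category 3 diagrams linked above.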
IO_Rack, posted September 10, 2014:
Agreed. Since the original post asked, "Is there a reason why one would not be acceptable as Cat. 3 architecture?", I assumed the latter. I noticed after my last post that he also said, "Assume feedback loops and reset circuits." In this case, I would say the one on the left is compliant and the one on the right is not. But.... after reviewing the following snip from AB's website, I'm not so sure. It's my understanding that 'Output Pulse Testing' would catch this fault. I may be wrong.
Veganic (author), posted September 10, 2014:
I saw that AB page when I was wondering about this. It used to be the norm to show one output contactor connected to the "0v rail" after the safety contacts and the other to the "+ve rail" before the safety contacts. Sort of one sink and one source. Not seen that in a while. Pulse testing is an input thing. Each input channel has a different pulse sequence so that shorts or wiring errors are caught. I think both are Cat. 3 but they have different fault exclusion requirements. It's difficult to talk in the abstract about safety now as it is about the components used and avoiding common cause failures as much as the way it looks on the wiring diagram. Maybe safety needs a new forum category?
JRoss, posted September 10, 2014:
I haven't seen pulse testing for outputs, only for inputs. Sounds like you're talking about complementary channels (one NO, one NC). I remember seeing that specifically for interfacing a PLC into a safety circuit, for muting for example. You need two channels for redundancy and complementary for cross-check. Main difference (as I see it) between Cat 3 and Cat 4 is that Cat 3 allows daisy-chaining safety input devices, and Cat 4 does not.
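Veganic's point that each input channel carries a different test-pulse sequence so that shorts and wiring errors are caught, and JRoss's point about two channels cross-checking each other, can be shown with a simple model of a dual-channel input. This is an added example written for this thread, not any poster's or vendor's code; the pulse patterns, the fault types and the evaluation rule are constructed here to illustrate the idea, and real devices use their own pulse timing and diagnostics.

```python
"""Dual-channel safety input with per-channel test pulses.

Constructed illustration: the two pulse patterns (each channel has a short
test gap at a different slot), the fault injection and the diagnosis rule are
assumptions made for this example, not a specific device's behaviour."""

# Each channel's test output is normally high and dips low once per cycle at
# its own slot, so the two channels never dip at the same time.
PULSE_A = [1, 1, 1, 0, 1, 1, 1, 1]   # channel A test gap in slot 3
PULSE_B = [1, 1, 1, 1, 1, 1, 0, 1]   # channel B test gap in slot 6


def channel_input(own_pattern, own_switch_closed,
                  other_pattern, other_switch_closed, fault=None):
    """What the input terminal of one channel sees over one pulse cycle.

    fault is None, "cross_short" (this channel's input wire is shorted to the
    other channel's wire) or "short_to_supply" (wire tied to the 24 V rail
    downstream of the switch)."""
    observed = []
    for a, b in zip(own_pattern, other_pattern):
        v = a if own_switch_closed else 0
        if fault == "cross_short":
            v |= b if other_switch_closed else 0   # other channel's pulses bleed in
        elif fault == "short_to_supply":
            v = 1                                  # permanently high, switch ignored
        observed.append(v)
    return observed


def diagnose(observed, expected_pattern):
    """Classify a channel reading against its own test pulses."""
    if observed == expected_pattern:
        return "ok"            # switch closed, own pulse gap seen, wiring sound
    if not any(observed):
        return "open"          # switch open: the safe, demanded state
    return "fault"             # high when it should dip, or foreign pulses: wiring fault


def evaluate_channel_a(switch_a_closed, switch_b_closed, fault=None):
    obs = channel_input(PULSE_A, switch_a_closed, PULSE_B, switch_b_closed, fault)
    return diagnose(obs, PULSE_A)


if __name__ == "__main__":
    print("healthy, closed      :", evaluate_channel_a(True, True))
    print("healthy, A open      :", evaluate_channel_a(False, True))
    print("cross short, both on :", evaluate_channel_a(True, True, "cross_short"))
    print("cross short, A open  :", evaluate_channel_a(False, True, "cross_short"))
    print("short to 24V, A open :", evaluate_channel_a(False, True, "short_to_supply"))
```

The dangerous cases are the last two: with channel A's switch open, a cross short or a short to the supply would otherwise make channel A read as closed. Because channel A's test gap never appears in what it receives, the reading is neither its own pattern nor all-low, and the channel is flagged as faulted instead of being trusted. If both channels used the same pulse pattern, a cross short between them would be invisible.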
Veganic (author), posted September 10, 2014:
I was originally thinking about Cat 3 and not Cat 3 rather than 3 vs 4. I read some of the recommendations on daisy chaining and try to avoid it now more from a desire to avoid documentation and dubious assumptions than thinking it unsafe.
JRoss, posted September 10, 2014:
And back to the original question! You need to defer to an industry expert on this one, but here's what I think. First, let's assume that the reset, EDM, pulse testing, etc. is at least Cat 3. If the two contactors refer to isolated loads, then the two circuits should be equivalent from a safety perspective. If the two contactors are redundantly driving the same load, and the safety circuit and contactors are in the same enclosure, then I believe both circuits would meet Cat 3. If the contactors are in a different enclosure than the safety circuit, then only the left hand drawing would meet Cat 3, as you are required to have redundant wiring between enclosures.
JRoss, posted September 10, 2014:
Oh, and I just sat through some Jokab (now ABB) safety training. They actually have a series of safety devices that can be daisy-chained and still meet Cat 4. The TINA line of E-Stops and safety interface devices. Pretty neat.
IO_Rack, posted September 10, 2014:
I believe talking in abstract about safety is probably the only way to discuss it as components are constantly changing. For instance, JRoss says there are devices now that allow daisy chaining. I would not think that is possible as typical daisy chaining will allow "A Single Point of Failure". Somehow they must accomplish this... I'll have to look this up. A new forum category? Well there is certainly enough material and differences of opinion. We'll have to see how much interest there is here at MrPLC. I would like to hear from some experts here.
JRoss, posted September 11, 2014:
It's sort of like a simple network, actually. There's a four-wire connection that carries power and signal, and the devices invert and phase-shift a test pulse. Based on that the system knows how many devices are in the chain, and whether they are wired properly. So it meets the requirements of Cat 4, but takes a completely different approach to get there. It's all about control reliability and the ability to detect any fault. Redundancy is the usual path to get there, but not strictly required. Single point of failure is ok so long as you can always detect when it fails.