Safety is embedded in our consciousness. Long gone are the days when a warning label on a piece of equipment was sufficient to make it safe.
Control systems not only have to provide layers of safety, they have to include methods to prevent humans from circumventing the layers of safety. Fortunately, automation manufacturers are not only onboard with the latest safety methods, they have gone out of their way to make the user experience, from a design perspective, practically painless.
Safety systems have come a long way from the early days of master control relays and e-stop buttons. We focus on safety for a number of reasons. The primary one is to protect people. Other reasons include compliance with federal and local regulations, protection of equipment, and minimizing liability and fines.
The driving force behind safety can be found in ANSI B11.20-1991, Paragraph 6.13, which states that the control system shall be designed, constructed and installed such that a single component failure within the system does not prevent stopping action from taking place, but will prevent successive system cycles until the failure has been corrected.
The key elements of this directive are detecting the fault, monitoring the condition of the faulted device and introducing redundancy to ensure that no single device in a faulted condition can prevent the system from stopping or restarting.
The approach is redundancy, and the method is the use of dual safety circuits. Dual-channel devices mean that two independent circuits both have to be closed to enable the controlled function, and opening either one removes it. By monitoring the status of the devices, we detect the failure, or trip, and then watch for the restoration of the device to normal status before allowing the system to be reset and started.
It’s important to acknowledge that, while the highest degree of protection involves a redundant system using dual safety circuits, not all safety designs have dual circuits. A single circuit can be used where the risk assessment permits it, but it should include as much monitoring and redundancy as the design allows.
The degree of redundancy in a safety circuit should be set by the relative risk to the people interacting with the equipment. Some functions are riskier than others, and the design should reduce or eliminate that risk as far as practicable.
The list of safety devices keeps expanding to meet the needs of the application. Examples include the e-stop button, light curtain, safety mat, laser scanner, door switch and limit switch. However, the devices themselves are of limited value without a means to monitor their function and status. This is where a safety relay comes into play.
At minimum, a safety relay has one or two safety channels and one or more outputs to drive other devices. Internal logic monitors the status of each safety channel and turns off the safety relay output if a fault (an open circuit) occurs on the channel.
Once a channel opens, the relay latches the trip: even a momentary break, too short for anyone to notice, drops the output and blocks a restart until the relay is deliberately reset. This latching also helps to identify a device that is failing intermittently.
In a dual-channel setup, the monitor function also compares the two channels against each other to detect one channel staying closed while the other is open. Think of an e-stop button with dual contacts. If one contact opens without the other, this is a fault condition. If both channels do not close within a predetermined time of each other (the discrepancy time), this is also a fault condition.
Further redundancy can be achieved by using two force-guided relays on a single output from the safety relay. Force-guided (mechanically linked) relays have their normally open and normally closed contacts linked so that they can never be closed at the same time: if a normally open contact welds shut, the associated normally closed contact is held open. Wiring the safety-relay reset circuit through the normally closed contact of each force-guided relay (external device monitoring) therefore reveals a relay that has not truly dropped out when power is removed from its coil. Both force-guided relays must be proven off before the safety relay can be reset.
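The monitoring behaviour described above, namely trip latching on a momentary break, discrepancy timing between the two channels, and a reset gated by the normally closed contacts of the force-guided relays, can be modelled in software. The following is an added example written for this page, not code from the article or from any relay manufacturer; the timing values, the scan-based structure and the rules for clearing a fault are assumptions chosen to mirror the text.

```python
"""Model of one dual-channel input on a safety relay: discrepancy monitoring,
trip latching, monitored manual reset and external device monitoring (EDM) of
two force-guided output relays. Added illustration, not vendor code; timing
values, scan structure and fault-clearing rules are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DualChannelSafetyInput:
    discrepancy_time: float = 0.5    # s the channels may disagree (assumed)
    edm_time: float = 0.3            # s the output relays have to drop out (assumed)
    t: float = 0.0                   # simulated clock, advanced by scan()
    output: bool = False             # safety output energising the force-guided relays
    tripped: bool = True             # latched: output was removed, reset required
    discrepancy_fault: bool = False  # clears once both channels are seen open together
    edm_fault: bool = False          # clears only by repair (set False after replacing the relay)
    _disagree_since: Optional[float] = None
    _off_since: Optional[float] = None
    _reset_prev: bool = False

    def scan(self, ch1: bool, ch2: bool, reset: bool, edm_ok: bool, dt: float) -> bool:
        """One scan. ch1/ch2 True = contact closed (healthy). edm_ok True = the NC
        contacts of both force-guided relays are closed, proving both de-energised."""
        self.t += dt
        # 1. Any open channel, however brief, removes the output and latches the trip.
        if not (ch1 and ch2):
            if self.output:
                self._off_since = self.t
            self.output = False
            self.tripped = True
        # 2. Discrepancy: one channel open without the other for too long is a welded
        #    contact, broken wire or cross-short, not an operator action.
        if ch1 != ch2:
            if self._disagree_since is None:
                self._disagree_since = self.t
            elif self.t - self._disagree_since > self.discrepancy_time:
                self.discrepancy_fault = True
        else:
            self._disagree_since = None
            if not ch1:                       # device fully actuated: both channels open
                self.discrepancy_fault = False
        # 3. EDM: after the output drops, both relays must prove themselves off within
        #    edm_time; a welded contact holds its NC contact open, so edm_ok stays False.
        if (not self.output and not edm_ok and self._off_since is not None
                and self.t - self._off_since > self.edm_time):
            self.edm_fault = True
        # 4. Monitored reset acts on the falling edge of the reset button, so a button
        #    that is held down, stuck or jumpered out can never restart the machine.
        falling_edge = self._reset_prev and not reset
        self._reset_prev = reset
        faulted = self.discrepancy_fault or self.edm_fault
        if falling_edge and self.tripped and not faulted and ch1 and ch2 and edm_ok:
            self.tripped = False
            self.output = True
            self._off_since = None
        return self.output


def run_scenarios() -> dict:
    """Constructed scenarios (not captured from hardware) exercising each rule."""
    m, out = DualChannelSafetyInput(), {}

    def press_and_release_reset(edm_ok: bool = True) -> bool:
        m.scan(True, True, True, edm_ok, 0.1)          # button pressed: no effect yet
        return m.scan(True, True, False, edm_ok, 0.1)  # released: falling edge

    # a) Power-up with the e-stop released: nothing runs until reset is pressed and released.
    m.scan(True, True, False, True, 0.1)
    held = m.scan(True, True, True, True, 0.1)
    out["reset_on_release_only"] = (held, m.scan(True, True, False, True, 0.1))
    # b) A 10 ms blip on channel 1 latches the trip even though it is gone next scan.
    m.scan(False, True, False, False, 0.01)
    out["blip_latches_trip"] = m.scan(True, True, False, True, 0.01)
    out["blip_clears_with_reset"] = press_and_release_reset()
    # c) Channel 2 stays closed while channel 1 is open for 0.8 s: discrepancy fault.
    for _ in range(8):
        m.scan(False, True, False, True, 0.1)
    out["discrepancy_fault"] = m.discrepancy_fault
    out["reset_blocked_by_fault"] = press_and_release_reset()
    m.scan(False, False, False, True, 0.1)       # full actuation of the device clears it
    out["reset_after_fault_cleared"] = press_and_release_reset()
    # d) E-stop pressed but one force-guided relay has a welded contact: EDM fault, and no
    #    reset is accepted until the relay is replaced.
    for _ in range(5):
        m.scan(False, False, False, False, 0.1)
    out["edm_fault"] = m.edm_fault
    out["reset_blocked_by_welded_relay"] = press_and_release_reset(edm_ok=False)
    m.edm_fault = False                          # relay replaced, module power-cycled
    out["reset_after_relay_replaced"] = press_and_release_reset()
    return out
```

Rule 4 is worth noting for anyone auditing a panel: a reset that acts on the rising edge of the button, or on its level, can be defeated by a stuck or jumpered button, which is exactly the kind of circumvention the article says a control system must prevent. The scenarios in run_scenarios() show the trip latching after a 10 ms blip, the discrepancy fault blocking reset until the device is fully actuated again, and a welded relay contact being caught by the EDM feedback.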
Safety controllers take the function of a safety relay and add the ability to provide additional logic to the safety devices attached to it. Like a regular programmable controller, a safety controller has multiple inputs and outputs for use by the designer.
The designed function is to assign one safety device to each input on the controller. Via the programming interface, additional logic can be added to combine individual inputs into logic groups. Unlike the channels on a safety relay, safety inputs on a safety controller can be combined using standard gate logic (AND, OR and NOT, familiar from digital electronics) to create scenarios where, for instance, a two-hand control is combined with a light curtain in an OR function so that either one holds the safety channel at a 1 status, as at a manually loaded station. An OR of two conditions is true (logic state 1) when one or the other is true. Because an OR enables the output under more conditions than an AND, any OR combination in a safety program should be justified by the risk assessment.
Each input on a safety controller is internally monitored, just like on a safety relay, to detect momentary breaks or connections to identify a component that isn’t functioning correctly. A safety controller can also be programmed to group inputs that can be assigned to one of the safety outputs, thereby creating zones of safety within the controlled system.
This functionality saves money in the design of the system because, without a safety controller, a separate safety relay would be needed for each zone on the machine or process. Additionally, because all of the zones are programmed in the same safety controller, inter-zone operability can be achieved.
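To make the zone and gate-logic discussion concrete, here is an added example (not code from the article or from any controller vendor) of a small two-zone safety program with the OR combination of a two-hand control and a light curtain that the text mentions. The zone layout, input names, the two-hand control behaviour and the 0.5 s synchronisation limit are assumptions for illustration. The last function exhaustively evaluates the program with the e-stop open to confirm that no zone stays enabled, which is the check you would want before trusting any OR branch in a safety program.

```python
"""Zone logic on a safety controller: monitored inputs combined with AND/OR gates
into per-zone outputs, a two-hand control with synchronous actuation, and an
exhaustive check that the e-stop dominates every zone. Added example, not code
from the article or any controller vendor; the zone layout, input names and the
0.5 s two-hand synchronisation limit are assumptions for illustration."""
from itertools import product
from typing import Dict, Iterable, Optional

Inputs = Dict[str, bool]   # name -> True when the monitored channel is closed/healthy


class TwoHandControl:
    """Both buttons must be pressed within sync_time of each other and held. Releasing
    either one drops the output, and both must be released before a new attempt."""

    def __init__(self, sync_time: float = 0.5):
        self.sync_time = sync_time
        self._first_press: Optional[float] = None
        self._enabled = False
        self._locked_out = False

    def update(self, left: bool, right: bool, t: float) -> bool:
        if not left and not right:            # both released: re-arm
            self._first_press, self._enabled, self._locked_out = None, False, False
            return False
        if left != right:                     # exactly one button pressed
            if self._enabled:                 # one released while running: stop, lock out
                self._enabled, self._locked_out = False, True
            elif self._first_press is None:
                self._first_press = t
            elif t - self._first_press > self.sync_time:
                self._locked_out = True       # one button taped down or pressed too early
            return False
        if self._first_press is None:         # both pressed in the same scan
            self._first_press = t
        if not self._locked_out and t - self._first_press <= self.sync_time:
            self._enabled = True
        return self._enabled


def zone_outputs(inp: Inputs, two_hand_ok: bool) -> Dict[str, bool]:
    """Gate logic of an assumed two-zone machine. Every zone is AND-ed with the global
    e-stop; zone 2 runs with EITHER a clear light curtain OR a valid two-hand action,
    the OR case the article gives for a manually loaded station."""
    estop = inp["estop"]
    return {
        "zone1": estop and inp["door1"] and inp["mat1"],
        "zone2": estop and (inp["curtain2"] or two_hand_ok),
    }


def estop_dominates(other_inputs: Iterable[str]) -> bool:
    """Evaluate every combination of the other inputs and the two-hand state with the
    e-stop open; any zone left on would mean the OR branch bypasses the e-stop."""
    names = list(other_inputs)
    for combo in product([False, True], repeat=len(names) + 1):
        inp = dict(zip(names, combo[:-1]))
        inp["estop"] = False
        if any(zone_outputs(inp, combo[-1]).values()):
            return False
    return True


def run_cycle() -> dict:
    """Constructed scan sequence (not captured from hardware); t is in seconds."""
    th, out = TwoHandControl(), {}
    base = {"estop": True, "door1": True, "mat1": True, "curtain2": False}  # curtain broken
    th.update(True, False, 0.0)
    ok = th.update(True, True, 0.2)           # second button 0.2 s later: valid
    out["two_hand_enables_zone2"] = zone_outputs(base, ok)["zone2"]
    ok = th.update(True, False, 1.0)          # one hand comes off: zone 2 stops
    out["release_stops_zone2"] = zone_outputs(base, ok)["zone2"]
    out["repress_without_release"] = th.update(True, True, 1.1)   # still locked out
    th.update(False, False, 2.0)
    th.update(False, True, 2.1)
    out["taped_button_rejected"] = th.update(True, True, 2.9)     # 0.8 s apart
    clear = {**base, "estop": False, "curtain2": True}
    out["estop_kills_all"] = not any(zone_outputs(clear, True).values())
    out["estop_dominates_everywhere"] = estop_dominates(["door1", "mat1", "curtain2"])
    return out
```

The exhaustive check is cheap for a handful of inputs per zone and catches the classic mistake of wiring or programming the OR branch so that it no longer passes through the e-stop. The two-hand model also shows why a taped-down button or a re-press without releasing both buttons must never re-enable the zone.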
Another feature introduced recently is the safety I/O network. Based on a structure similar to IO-Link, these networks allow for simple four-wire connections between nodes to which safety devices are connected.
Depending on the node type, the device connected could be a simple e-stop, door switch or even a locking door switch. The network autoconfigures on power-up, and the safety relay to which the network is connected will provide a data table to provide status and commands for each device on the network.
Machine wiring is simplified because the main trunk of the network is a standard M12 cable identical to that used for sensors. Two conductors provide power, and the other two provide communications. Five-wire and eight-wire nodes, for both output-signal-switching-device (OSSD) and mechanical-contact safety devices, can be mixed on a single network.
All of the I/O goes back to the programmable controller via a network interface and appears in the tag database of the controller.
The latest evolution might just be the greatest. Hardware manufacturers have combined the programmable controller with the safety controller, offering a single device that contains both controllers. To maintain the safety aspect, the two controllers are completely independent of each other.
Standard and safety I/O can be placed anywhere in the rack. The great thing about this development is that the interconnection of standard and safety I/O means a user program can look at the status of a safety device in the standard program algorithm and vice versa.
With the evolution of safety hardware come improvements in the design and deployment of the devices making up the system. With safety controllers, regardless of stand-alone or combined with standard controllers, adding devices to the hardware tree brings in a tag structure associated with the type of device.
It might be as basic as input and output words, but if the device is from the same manufacturer as the safety controller, that tag structure might even be specific to that safety device, with descriptive tags. The gate-logic programming environment permits building the algorithm using symbols that represent the actual devices.
It would be remiss to talk about all this and not mention the impact that safety relays and controllers have on the equipment downstream of the relay/controller. Since the output from a safety relay/controller already reflects all of the built-in self-monitoring logic, the resultant output can be used to trigger safety functions in devices such as variable-frequency drives (VFDs) and servo drives.
A safety output can be wired to an input on a drive that operates a safe torque off (STO) feature. STO removes the power to the drive’s output stage so that the motor can produce no torque, regardless of any command the drive might be receiving via direct wire or network connection. This function eliminates the need for safety contactors upstream or downstream of the drive. One caveat: STO is not electrical isolation. The DC bus and motor terminals remain live, and a motor that was turning coasts to a stop, so lockout/tagout is still required before anyone works on the motor or its wiring.
In days gone by, to make the drive safe, we had to drop the power to it if the safety circuit dropped out. Most drives tolerate this poorly: every power cycle reruns the DC bus precharge, which wears the precharge circuit and, eventually, may cause the drive to fail.
The same goes for a contactor between the drive and the motor. Most drives do not like an open circuit on the output connections and may generate a fault if the circuit from the drive to the motor is interrupted, particularly under load. A safe-torque-off function prevents unexpected startup of a device during an e-stop condition, fulfilling stop category 0 (immediate removal of power, as defined in IEC 60204-1 and NFPA 79).
There are other safety functions available in some drives, triggered from the output of the safety relay/controller. These include safe stop 1 (SS1, a controlled stop followed by STO, which fulfills stop category 1), safe limited speed, safe maximum speed and safe brake control, used for hanging/vertical loads where a brake needs to engage when power output to the motor is removed.
Safety can be incredibly stressful to the designer. The obligation to protect the people using the equipment or process is paramount and can be somewhat overwhelming. However, with all of the features available to a designer, the safety circuit is much more user-friendly and cost effective to deploy. It is safe to proceed.