Safety, particularly machine safety, has kept the design industry busy for more than 20 years. While the conscious thought of safety goes back much further, it has really been the past 20 years or so that products have been produced specifically with safety in mind.
I can remember back to an earlier time when safety meant putting a latching pushbutton in series with a master control relay so that one could press the e-stop button and count on the device not starting back up until the button was returned to the released state.
Physical barriers were positioned around a particularly dangerous device to prevent accidental contact with the moving parts of the machine. We counted on the “don’t be stupid” approach to safety. I call the physical barrier more of a “whoops” protection.
We don’t want to stop the machine, but we want to have you bounce off something physical to prevent you from falling into the belly of the beast. Again, the “don’t be stupid” part explained why one wouldn’t open the door of the barrier while the machine was running. At some point, this “aw, shucks” approach to safety was no longer tolerable, and that is where the safety industry really got its start.
Safety circuits (the categories defined in EN 954-1 and carried into ISO 13849-1) are broadly broken down into fault prevention (Category 1) and fault detection (categories 2, 3 and 4). Each category builds on the conditions of the previous one, but all of them start from a basic Category B that defines the components used. Let’s break down the concepts.
Category B covers the components selected for the safety circuit and requires that they be designed, constructed, selected, assembled and combined in accordance with the relevant standards so they can withstand the expected influences on them, such as the electrical, mechanical and environmental stresses of the application. From the viewpoint of a designer, the point is to select components that your supplier certifies as conforming to the applicable safety standards and construction requirements.
Category 1 stipulates that all components in the circuit must be of reliable construction (Category B) and well-tried, and that they be applied using well-tried safety principles so that they produce repeatable results. For example, a limit switch on a guard door must be mounted so that the switch is secure, and the guard door must not be able to push the switch out of the way instead of actuating it.
Category 2 and beyond build on the foundation of Category 1 but assume that faults in the circuit will occur, in spite of the attempts made in the Category-1 circuit to prevent failure. The components selected for the Category-1 circuit may seem to be safe, but what, for example, would happen if the door switch mechanically sticks in the closed position, or the relay or contactor that enables the hazardous motion mechanically or electrically welds its contacts shut? A Category-2 circuit uses a monitoring device to check the safety function at suitable intervals during normal operation, detect circuit or component faults, and prevent resetting of the safety control circuit when a fault is found.
Category 3 includes all of the criteria for categories B, 1 and 2 but takes it a step further so that a single fault in any of its parts does not result in the loss of the safety function. The protection here involves dual redundancy. Each safety input uses two channels in parallel (two contacts on an e-stop button, for example), the safety monitoring device uses dual internal circuits driving dual output circuits, and those outputs are tied to two force-guided relays which must both be on for the resulting output circuit to be enabled. One normally closed contact from each force-guided relay is monitored to make sure its relay has not welded shut and has actually dropped out before the safety circuit can be reset following a trip.
In Category 3 an accumulation of undetected faults can still lead to the loss of the safety function. This circuit also has a self-maintaining function, which means that restoring a safety device, an e-stop or light curtain, to its normal condition does not automatically restore the safety circuit. An additional switch, the reset button, must be pressed to restore operation.
Category 4 takes all of the previous criteria and adds a fourth point: the single fault must be detected at or before the next demand on the safety function. If that detection is not possible, then an accumulation of undetected faults must still not result in a loss of the safety function.
Now, what I have just gone over is public knowledge and provides the basis of any good safety circuit. There is no point, with the technology available today, in designing a circuit that isn’t at least Category 3 or Category 4. It all boils down to common sense. We want a safety circuit that is self-monitoring and prevents an automatic reset or resumption of operation without an additional interaction between the user and the protective circuit.
We want dual redundancy to ensure that sticky contacts don’t result in a loss of protection, and we want a monitoring relay that ensures the circuit has turned off before it can be turned on again, so that a reset only counts when the button is pressed and released after the trip. This, for example, prevents someone from tying down the reset button.
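To make the Category 3/4 behaviour concrete, here is a small scan-based simulation added as an example; it is not the circuit of any product or standard. The scan model, the three-scan discrepancy allowance and the fault names are assumptions made for illustration. It models two input channels, two force-guided relays whose NC contacts form the feedback loop, and a reset that only acts on a press and release, then injects the faults discussed above: a welded output relay, a stuck input channel and a tied-down reset button.

```python
from dataclasses import dataclass, field
from typing import Optional

DISCREPANCY_SCANS = 3  # assumed allowance before two disagreeing channels are a fault

@dataclass
class ForceGuidedRelay:
    """Force-guided relay: the NC feedback contact is mechanically linked to the NO
    output contact and cannot close while the NO contact is closed, even if it welded."""
    coil: bool = False
    welded: bool = False  # fault injection: NO contact stuck closed

    @property
    def no_contact(self) -> bool:
        return self.coil or self.welded

    @property
    def nc_contact(self) -> bool:
        return not self.no_contact

@dataclass
class SafetyFunction:
    """Two input channels, two force-guided relays K1/K2 in series, EDM feedback,
    and a reset that only acts on the button's release edge."""
    k1: ForceGuidedRelay = field(default_factory=ForceGuidedRelay)
    k2: ForceGuidedRelay = field(default_factory=ForceGuidedRelay)
    enabled: bool = False
    fault: Optional[str] = None
    prev_reset: bool = False
    discrepancy: int = 0

    def scan(self, ch1: bool, ch2: bool, reset: bool) -> bool:
        """One controller scan. ch1/ch2: NC input contacts (True = closed, no demand).
        Returns the output state (both relay NO contacts closed)."""
        demand = not (ch1 and ch2)  # either channel open is a demand
        # Cross-monitoring: channels disagreeing too long = stuck contact or wiring
        # fault; cleared only once both channels have actually opened.
        self.discrepancy = self.discrepancy + 1 if ch1 != ch2 else 0
        if self.discrepancy > DISCREPANCY_SCANS:
            self.fault = "discrepancy"
        if self.fault == "discrepancy" and not ch1 and not ch2:
            self.fault = None
        if demand or self.fault:
            self.enabled = False
        # EDM: both NC feedback contacts closed means both relays have dropped out.
        # A welded relay holds its NC contact open, so the reset is refused and the
        # single fault cannot accumulate with a second one.
        feedback_ok = self.k1.nc_contact and self.k2.nc_contact
        if self.fault == "edm" and feedback_ok:
            self.fault = None  # relay replaced
        # Monitored reset: only the release (trailing) edge of the button counts.
        reset_edge = self.prev_reset and not reset
        self.prev_reset = reset
        if reset_edge and not demand and not self.enabled:
            if not feedback_ok:
                self.fault = "edm"
            elif self.fault is None:
                self.enabled = True
        self.k1.coil = self.k2.coil = self.enabled
        return self.k1.no_contact and self.k2.no_contact

def cycle(sf: SafetyFunction, ch1: bool, ch2: bool, reset: bool, scans: int = 1) -> bool:
    out = False
    for _ in range(scans):
        out = sf.scan(ch1, ch2, reset)
    return out

def start_running() -> SafetyFunction:
    """Power up, then press and release reset: the only way to enable the output."""
    sf = SafetyFunction()
    cycle(sf, True, True, False)
    cycle(sf, True, True, True)
    cycle(sf, True, True, False)
    return sf

def scenario_welded_relay():
    """K1 welds while running: the e-stop still drops the output through K2, and
    EDM refuses every reset until K1 is replaced."""
    sf = start_running()
    sf.k1.welded = True
    out_after_trip = cycle(sf, False, False, False)
    cycle(sf, True, True, True)
    out_after_reset, fault = cycle(sf, True, True, False), sf.fault
    sf.k1.welded = False  # relay replaced
    cycle(sf, True, True, True)
    return out_after_trip, out_after_reset, fault, cycle(sf, True, True, False)

def scenario_tied_down_reset():
    """A taped-down reset button never produces a release edge, so restoring the
    e-stop does not restart the output."""
    sf = start_running()
    cycle(sf, False, False, True)
    return cycle(sf, True, True, True, scans=5)

def scenario_stuck_channel():
    """Channel 1 opens, channel 2 stays closed: a discrepancy fault that a reset
    cannot clear until both channels have been seen open."""
    sf = start_running()
    cycle(sf, False, True, False, scans=DISCREPANCY_SCANS + 1)
    fault = sf.fault
    cycle(sf, True, True, True)
    out_after_reset = cycle(sf, True, True, False)
    cycle(sf, False, False, False)  # both channels open: fault clears
    cycle(sf, True, True, True)
    return fault, out_after_reset, cycle(sf, True, True, False)
```

The three scenarios show the three properties the text asks for: a single welded relay neither loses the safety function nor survives a reset, a tied-down reset button can never restart the output, and a stuck input channel is caught by cross-monitoring rather than being silently tolerated.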
This brings us to a newer technology that prompts some consideration. The past couple of years have seen a rapid increase in the use of wireless networks to connect sensors and other devices to a control system. One such application of the technology would be the elimination of wire looms to follow an overhead crane around. End travel switches, for example, could be deployed on a wireless network to eliminate the need for flexible cables. Process devices, such as flow and pressure monitoring sensors, could be deployed in hard-to-reach locations and connected to the control system via wireless transmission.
The basic premise of any wireless device is that it must get a source of power from somewhere. The most common wireless device we see every day is a cell phone or tablet. Battery power is fairly good, but we still have to return the device to a charging station or plug it in from time to time.
Extend this thought to the use of wireless sensors in automation. While the lack of physical wires is an attractive option, the need to periodically recharge the batteries limits the practical uses.
Recently, I had an opportunity to look into what for me is a new concept. There are companies out there that are selling a personal protection device that is wireless. My colleague received the same email advertisement as I did, and I have to admit I was caught up in his excitement about the possibility of using these devices for our maintenance team members as an added level of personal protection when working around some of our larger equipment.
It didn’t take much imagination to picture our technicians wandering about the facility with devices in their tool belts that they could trigger when they needed to go into a work cell. As long as the personal device was triggered, the work cell was rendered to a safe condition.
Now, back to safety systems. They have advanced from a simple circuit of trusted components to a method of circuit design that introduces dual redundancy and, finally, monitored inputs and outputs that verify the correct function of the individual components, so that a fault in one device is caught before a second fault can combine with it and before the next demand on the safety function.
The concept of a wireless e-stop is that multiple e-stop devices communicate wirelessly with a safety PLC, which activates a local e-stop condition if any of the remote devices is triggered. The particular system that I reviewed had five personal e-stop stations communicating with a single safety PLC. Each station has a traditional e-stop button mounted to a device that is a power source—14-hour battery—and wireless communications device in one.
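The following model of the PLC side of such a group is added here as an example; it does not describe the reviewed product's protocol, and the frame layout, the heartbeat period, the link timeout and the station count are assumptions. Its design rule is the one a safety engineer would insist on for a radio link: anything the controller cannot positively confirm as "button released, station alive, frame fresh" is treated as a demand, so a station that goes silent (flat battery, out of range) is indistinguishable from one whose button was pressed. The sequence number also rejects a replayed or out-of-order "released" frame, which would otherwise clear a live demand.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed values for this model, not the reviewed product's figures.
HEARTBEAT_PERIOD = 0.1  # seconds between frames from a healthy station
LINK_TIMEOUT = 0.5      # seconds without a valid frame before the station counts as lost

@dataclass
class Frame:
    """One heartbeat frame from a personal e-stop station (layout is assumed)."""
    station: int
    seq: int          # monotonically increasing per station
    pressed: bool     # button state carried in every frame
    battery_ok: bool  # low-battery flag from the station

@dataclass
class StationState:
    last_seq: int = -1
    last_seen: float = 0.0
    pressed: bool = False
    battery_ok: bool = True

class WirelessEstopGroup:
    """PLC-side view of a group of wireless e-stop stations."""

    def __init__(self, station_ids, now: float):
        self.stations: Dict[int, StationState] = {
            sid: StationState(last_seen=now) for sid in station_ids}

    def receive(self, frame: Frame, now: float) -> str:
        st = self.stations.get(frame.station)
        if st is None:
            return "rejected: unknown station"
        if frame.seq <= st.last_seq:
            return "rejected: stale or replayed frame"  # does not refresh the link
        st.last_seq, st.last_seen = frame.seq, now
        st.pressed, st.battery_ok = frame.pressed, frame.battery_ok
        return "accepted"

    def demands(self, now: float) -> List[str]:
        """Reasons the local e-stop must be (or stay) active; empty means run."""
        reasons = []
        for sid, st in sorted(self.stations.items()):
            if st.pressed:
                reasons.append(f"station {sid}: e-stop pressed")
            if now - st.last_seen > LINK_TIMEOUT:
                reasons.append(f"station {sid}: link lost")
            if not st.battery_ok:
                reasons.append(f"station {sid}: low battery")
        return reasons

    def run_permitted(self, now: float) -> bool:
        return not self.demands(now)

def scenario() -> dict:
    """Constructed timeline: five stations, station 3 goes silent, station 2 presses,
    then an old frame from station 2 is replayed. Returns the PLC's decisions."""
    group = WirelessEstopGroup(range(1, 6), now=0.0)
    seq = {sid: 0 for sid in group.stations}

    def tick(t: float, silent=(), pressed=()):
        for sid in group.stations:
            if sid in silent:
                continue
            seq[sid] += 1
            group.receive(Frame(sid, seq[sid], sid in pressed, True), t)

    results, t = {}, 0.0
    for _ in range(5):                      # everyone healthy for 0.5 s
        tick(t); t += HEARTBEAT_PERIOD
    results["all_alive"] = group.run_permitted(t)
    for _ in range(7):                      # station 3 silent for 0.7 s
        tick(t, silent={3}); t += HEARTBEAT_PERIOD
    results["station3_silent"] = group.demands(t)
    tick(t, pressed={2}); t += HEARTBEAT_PERIOD  # station 3 back, station 2 pressed
    old = Frame(2, seq[2] - 1, False, True)      # replayed pre-press frame
    results["replay"] = group.receive(old, t)
    results["after_press"] = group.demands(t)
    return results
```

A real safety-rated protocol would also protect every frame with a CRC and an authenticated identity so that a forged "released" frame is rejected along with a replayed one; that layer is omitted here. The timing values are assumptions and would in practice come from the response-time budget of the safety function.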
As a designer, while I love the concept of extending the safety ring around a piece of equipment or process, I am finding it hard to wrap my head around the wireless aspect introduced by this new technology.
It took many years to get everyone to think in terms of dual-redundant circuits and dedicated devices. This old guy is having a hard time with the wireless aspect. What happens if the battery fails? What if one of the devices gets out of range of the radio? How about the confidence level of the technician wearing one of these devices? Well, for me, the jury is out.
A safety integrity level (SIL) is a discrete level, 1 for the least and 4 for the most, that corresponds to a target range of risk reduction provided by a safety function. The particular system I reviewed has SIL 3 certification. I admit that I had to dig into this further as my recent project workload seems to have steered me away from the terminology.
SIL 3 is a high level of risk reduction: for a function operating in low-demand mode it means a risk reduction factor between 1,000 and 10,000. SIL certification is established by the criteria put forth in International Electrotechnical Commission (IEC) standard 61508, under which a safety function must meet both hardware safety integrity requirements (random hardware failures) and systematic safety integrity requirements (the design, development and management process).
These work out, for a function that is only called on occasionally (low-demand mode), an average probability of dangerous failure on demand (PFD) and the corresponding risk reduction factor, and, for a function that is continuously or frequently demanded (high-demand or continuous mode), a probability of dangerous failure per hour (PFH) and its corresponding target. Based on the confidence of the certifying body, further investigation of this emerging technology is warranted.
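The arithmetic behind those two measures, worked through as an added example rather than anything taken from the column or the certified product: the SIL bands are those of IEC 61508-1, the architecture formulas are the simplified IEC 61508-6 ones keeping only dangerous undetected failures and neglecting repair time, and the failure rate, proof-test interval and common-cause fraction are assumed figures chosen to show how the dual redundancy from the first half of this piece moves a function between bands.

```python
# SIL bands from IEC 61508-1: low demand (average PFD) and high demand or
# continuous (PFH). Each band is [lower, upper).
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

def sil_for(value: float, bands: dict) -> int:
    """Map a PFDavg or PFH value to its SIL; 0 means it does not reach SIL 1."""
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return 0

def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFDavg; SIL 3 spans roughly 1,000 to 10,000."""
    return 1.0 / pfd

# Simplified IEC 61508-6 architecture equations. lambda_du: dangerous undetected
# failure rate per hour per channel; ti: proof-test interval in hours; beta:
# common-cause fraction. Detected failures and repair time are neglected.
def pfd_1oo1(lambda_du: float, ti: float) -> float:
    return lambda_du * ti / 2

def pfd_1oo2(lambda_du: float, ti: float, beta: float) -> float:
    independent = ((1 - beta) * lambda_du) ** 2 * ti ** 2 / 3
    common_cause = beta * lambda_du * ti / 2  # what limits the gain from redundancy
    return independent + common_cause

def pfh_1oo1(lambda_du: float) -> float:
    return lambda_du  # continuous demand: the first dangerous failure is the loss

def pfh_1oo2(lambda_du: float, ti: float, beta: float) -> float:
    return 2 * ((1 - beta) * lambda_du) ** 2 * (ti / 2) + beta * lambda_du

def compare(lambda_du: float = 1e-6, ti: float = 8760.0, beta: float = 0.05) -> dict:
    """Assumed figures: one dangerous undetected failure per 10^6 h per channel,
    annual proof test, 5 % common cause. Returns the SIL each architecture reaches."""
    return {
        "1oo1 low demand": sil_for(pfd_1oo1(lambda_du, ti), PFD_BANDS),
        "1oo2 low demand": sil_for(pfd_1oo2(lambda_du, ti, beta), PFD_BANDS),
        "1oo2 low demand, no common cause": sil_for(pfd_1oo2(lambda_du, ti, 0.0), PFD_BANDS),
        "1oo1 continuous": sil_for(pfh_1oo1(lambda_du), PFH_BANDS),
        "1oo2 continuous": sil_for(pfh_1oo2(lambda_du, ti, beta), PFH_BANDS),
    }
```

With these assumed inputs the single channel reaches SIL 2 on low demand and only SIL 1 on continuous demand, while the dual-channel arrangement reaches SIL 3 in both modes; the common-cause term is what stops it from going further. In the standard the claimable SIL is additionally capped by the architectural constraints (safe failure fraction and hardware fault tolerance) and by the systematic requirements, so this block covers only the random-hardware arithmetic.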
The research journey that emerged from my exposure to this new technology just goes to show we have to stay current where we can to keep ahead in a fast-moving industry. Perhaps wireless communication has come of age and a deeper dig into the subject is in order.