Safety Relays: Are Parallel Infeeds OK?

Greetings.

Suppose it is determined by a risk assessment that a safety circuit must achieve at least a SIL 2, PL d, Category 3 (EN 954-1) rating. Suppose also that setup of the related equipment requires a monitored safety guard that can be opened without disabling the safety output contactors, provided that a three-position safety switch is engaged while the guard is open, but for not more than, say, 30 seconds continuously (so satisfying the OSHA requirement that a safety enable device not be used to permanently circumvent normal guarding). Naturally, there is also an E-Stop pushbutton involved in this safety system.

Now, in such a scenario, the designer would normally utilize a small safety PLC, since it is fairly simple to program a solution for this scenario with its several connected devices and functional requirements. However, the boss (who remembers those happy times when the safety system consisted of an E-Stop, a reset pushbutton, a few general-purpose relays, and a master contactor) is trying to make the equipment more affordable and so questions whether the cost of a safety PLC is justified. He suggests that some cost might be saved if a safety-rated relay is instead used.

The designer does some more research and finds that among the myriad of safety relays on the market, there exist the several different functionalities needed for the circuit and proceeds to sketch up a wiring diagram involving four (4) safety relays:

Safety Relay 1 -- Door/Guard monitor
Safety Relay 2 -- 3-Position Switch monitor with time-limited usage
Safety Relay 3 -- E-Stop circuit monitor
Safety Relay 4 -- A Safety-rated Relay that monitors two separate dual-channel safety inputs and enables the safety outputs if either input pair is properly made (i.e. a logical safety OR circuit)

The boss sees that relays 1 through 3 are essential, but he asks why #4 is needed. Would it not be acceptable, he asks, to parallel the safety outputs from both the door guard monitor and the 3-position timed monitor into the power feed side of the E-Stop relay's safety output? (See the attached, primitive illustration.)

The designer questions whether parallel connections to the final relay infeed are acceptable, wondering whether the SIL 2, Category 3 requirements could be met by such a circuit.

I suspect there is some written safety requirement somewhere for a parallel input situation, but I have been unsuccessful in locating such documentation with safety relay examples since, I suppose, most designers would resort to a safety PLC if more than two or three safety relays are required, and most example scenarios involving two or more safety relay devices typically make use of simple AND logic for safety, a very straightforward, simple approach.

I welcome any comments on the question of whether a design with just the three relays meets the stated safety and functional requirements. A reference to any safety standard addressing such an arrangement would be very helpful.

Best regards,
Shack
Attachment: SafeOR.jpg
I don't see a problem with it as long as the logic is correct.

You still have redundant circuits.

Personally, I would not do it this way as there are safety relays that allow a muting function that would be better suited for this kind of thing, but off the top of my head I can't see any real obvious reason not to do it like this.

My only question is whether this setup with or without the parallel contacts even meets PL d.
 
Thanks for your response, Bob.

Interesting. Since I've apparently been spoiled with safety PLCs, I've never had to think through any potential failure with AND-linked safety relays. What potential failures do you think would keep such a system from PL d?

My diagram was indeed primitive. Not shown on it are the feedback connections that link the operation of other external safety-related devices to each safety relay . . . in case you were questioning that omission.

Shack
 
I have not yet attempted calculations for this in Sistema, though I have the software. In part, I have not yet attempted this because of my uncertainty over how, if it is even possible, to model such a configuration in Sistema. That stated, I do find in some of the Sistema literature (Cookbook, V1.0), the following statement:

The procedure described here is geared to the application of EN ISO 13849-1 and its "designated architectures" for the Categories. If modelling to one of the categories is not possible, even when additional components or channels are omitted, the simplified method described in the standard cannot be applied. In this case, the probability of failure must be verified with recourse to other methods, such as Markov modelling, as described in EN 61508-6, Annex B.

Now, if I properly understand how that statement is applied, there are some system designs which Sistema simply cannot address. So your suggestion that not being able to use EN ISO 13849-1 compliant software tools like Sistema may throw the example system outside the realm of EN ISO 13849-1 seems perhaps to be valid.

If that is the case, then it would seem there are some designs which are functionally necessary but that can never fit into the schema of what is the accepted, harmonized standard for safety design. I am not stating this as a fact. I might be misinterpreting the quoted statement.

Puzzling . . .
Shack
 
A fairly knowledgeable safety guy at my local distributor of "blue-octagon" automation parts sent me the application note at the following link:

http://literature.rockwellautomation.com/idc/groups/literature/documents/at/safety-at067_-en-e.pdf

Aside from the product that he would obviously endorse, the document he referenced demonstrates that a multiple safety relay solution can indeed be evaluated in Sistema. So my earlier concerns that a solution involving more than a single safety relay might fall outside EN ISO 13849-1 are not valid.

For what it is worth, the individual who pointed me to this application example did not seem overly concerned with the parallel connection in my sketch.

Further food for thought is welcome.

Regards,
Shack
 
I think you can evaluate a system with multiple safety relays but I am not sure you can evaluate the parallel part of it.

In any case, why would something like this need to be PL d in the first place? I think people go nuts overdoing this kind of thing. EStop PB circuits are not a primary safety means. You are not supposed to have to engage something to make the machine safe. There is no code that says that you can cheat on any safety requirements just because you have an EStop PB. Nor are you allowed to depend on an EStop PB as a protective feature for some known hazard.

As for the gate switches, unless you are using them to protect the operator from a pretty serious hazard, I don't see how they would need to be PL d.

I am curious how your risk analysis came up with the idea the circuit needs to be PL d.

PL d is not all that easy to make work. In many cases you have actuators and other stuff the safety circuits have to de-energize that are very hard to make reliable enough for the whole thing to be PL d.
 
Thank you for your comments, Bob.

Having read a good bit about this over the past few days, and getting to understand the 13849-1/Sistema approach, it looks like the parallel situation can be evaluated by treating each side of the OR branch as its own safety function, i.e. one safety function while the enabling button is released (making the monitored gate switch the active safety function), or activating the enabling button and allowing it to temporarily be used in place of the gate switch. Both safety functions, as viewed through Sistema, include the E-Stop circuit.

You and I agree that an E-Stop pushbutton does not qualify as a primary protective feature. Neither should it be thought of as an excuse to allow poor design of the safety subsystem(s) linked to it. The E-Stop circuit is instead a last resort for stopping any unforeseen and presumably dangerous operating condition. Designers ought to make every reasonable effort to limit the need for an E-Stop, but I hope there is no engineer with the arrogance to believe he/she has designed the ultimate safety system that needs no E-Stop.

Since you asked about why PLd might be required, the guard in question isolates the operator from both a flying knife and a crushing, rotating jaw set. In spite of these "pretty serious" hazards, the area does need the occasional access during setup (during which time the necessary setup/threading motion is slowed considerably), which is why the safety enable switch is proposed as a short-time bypass. The user holds the switch while performing setup adjustments in the protected zone. If the user either releases the enable button while the guard is open or grips it too tightly at any time, motion is immediately disabled. (The tight-grip feature is not detailed on my sketch, but it effectively works like an extra safety power cut-off in series with the safety enable circuit.)

With this system's description, I hope any inference that the design here is somehow a cheat might be carefully reconsidered. The risk assessment of the area must account not only for its hazards, but also the functional requirements for operation. As I am sure you understand, a safety design that makes a machine section too difficult to use practically begs its user to defeat the safety measures. (ISO 14119 was written to address the incentives that operators have for tampering with the safety system, so apparently some in the industry recognize the psychological aspects involved with users and safety systems.)

As for the difficulty of achieving PLd with regard to the actuators, you rightly observe that there are some higher requirements to meet. One typical safety output of this kind uses two redundant, series-connected power contactors that provide feedback to the controlling safety system as well as switch power to whatever motion or other energy devices are safety-controlled. It is a bit more involved than lower PL systems but by no means an insurmountable design task.

Best regards,
Shack
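To make the behaviour of the four-relay sketch from the opening post and the enabling-switch description in the post above concrete, here is an added simulation of that logic (example code written for this thread, not from the original posts or any relay vendor). It models Relay 1 (guard), Relay 2 (three-position switch with the 30 s limit and over-grip cut-off), Relay 4 (safety OR of the two branches) and Relay 3 (E-Stop as the final series element) plus the contactor feedback check on restart; the dt time base, the Inputs fields and the restart-on-feedback rule are assumptions chosen for the model, not values from the thread.

```python
from dataclasses import dataclass

ENABLE_LIMIT_S = 30.0  # longest continuous enabling-device use with the guard open (from the post)

@dataclass
class Inputs:
    guard_closed: bool   # Relay 1 input: dual-channel guard switch, both channels made
    enable_pos: int      # Relay 2 input: 3-position switch, 0 released / 1 mid (enable) / 2 over-gripped
    estop_ok: bool       # Relay 3 input: E-Stop chain healthy (button not pressed)
    feedback_ok: bool    # feedback loop (assumed): both series output contactors dropped out

class SafetyLogic:
    """Models Relays 1-4 from the thread plus the output-contactor feedback check on restart."""
    def __init__(self) -> None:
        self.enable_time = 0.0   # seconds the enable branch has carried the run permit
        self.timed_out = False   # latched once the limit is exceeded, until the switch is released
        self.outputs_on = False  # state of the two series-connected output contactors

    def step(self, i: Inputs, dt: float) -> bool:
        """Advance the model by dt seconds; return whether the safety outputs are energized."""
        # Relay 2: only the mid position enables; release or over-grip opens the branch at once.
        enable_held = i.enable_pos == 1
        if not enable_held:
            self.enable_time = 0.0    # releasing the switch clears the time limit
            self.timed_out = False
        elif not i.guard_closed:
            self.enable_time += dt    # time counts only while the guard is actually open
            if self.enable_time > ENABLE_LIMIT_S:
                self.timed_out = True  # the 30 s cap bites; operator must release and re-grip
        enable_branch_ok = enable_held and not self.timed_out

        # Relay 4: safety OR of the two dual-channel branches (guard closed OR valid enable).
        run_permit = i.guard_closed or enable_branch_ok

        # Relay 3: the E-Stop relay is the final series element feeding the contactors.
        demand = run_permit and i.estop_ok

        if not demand:
            self.outputs_on = False   # any open branch drops both contactors immediately
        elif not self.outputs_on:
            # Restart only when the feedback loop proves neither contactor is stuck/welded.
            self.outputs_on = i.feedback_ok
        return self.outputs_on

def run_sequence(steps):
    """Run (Inputs, dt) pairs through a fresh model; return the output state after each step."""
    logic = SafetyLogic()
    return [logic.step(inp, dt) for inp, dt in steps]
```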
 
I did not mean to imply you were trying to cheat on anything in this case. Just pointing out some issues that are often overlooked.

I don't consider myself an expert on any of this stuff, so take it for what it is worth.

Incidentally, how are you keeping the speed to a "safe" rate? I don't see anything in the safety circuit you showed that monitors the speed and trips if it exceeds the allowed speed when the gate is open.
 
Bob,

Your comments are worth a lot to me! As things stand, I have more than one boss, and some of them will challenge my design choices. (When it comes to safety, this can actually be a good thing, as I am not yet an expert either.) I appreciate the opportunity to consider possible objections and also to take the opportunity to remedy mistakes before they are built into a released design.

My diagram was quite abbreviated so that my original question could focus on the issue of a simple OR condition in the relays. For this reason, I left out the speed monitoring relay.

Kind regards,
Shack
 