24 July 2001
Integrating Safety Relays in Control Systems
The importance and use of safety relays (relays with force-guided contacts) is increasing for applications where possible injury to man, or damage to the machinery or manufactured product, can occur. Safety systems of various com- plexities predominate on machine tools, welding systems, robots, and conveyor systems in the manufacturing and assembly industry.
Driven by Occupational Safety and Health Administration requirements in North America and the Machine Directive in Europe, system safety is achieved by ensuring a predefined behavior of the electrical control system. Safety relays provide safe shutdown when an unsafe situation occurs and ensure that on system restart, all possible dangers are no longer present.
Because there's currently no NEMA or UL standard, I'll instead reference the European safety standards and provide insight into the selection criteria of safety systems.
Safety Relay vs. Electromechanical Relay
The safety relay is a specialized and enhanced part based on the electromechanical relay (see "How Do Relays Work?", Motion Control, July/August 1999). An electromechanical relay consists of a set of contacts that open or close, depending on their arrangement and the coil voltage. A safety relay's contact arrangement is mechanically interlocked. Interlocking the contacts allows the relay's behavior to operate in a predetermined fashion and is achieved by either applying the mechanical interlock or force guiding the contact set.
A mechanical bar interlinking all the contact sets ensures that all normally open (N/O or Form A) contacts don't close if the normally closed (N/C or Form B) contacts don't open. If the contacts of either the N/O or the N/C type are welded shut, the bar prevents the opposing contact type from operating. Therefore, when a relay contact fails to open, the opposing (or other) contacts don't close. In addition, the N/C and N/O contact may not be closed simultaneously.
When experiencing an error, a safety relay's equivalent (or equal) contact(s) goes into an undefined state. In the event that a relay contact welds together or fails to open, fault tolerance is achieved by allowing all the possible contact sets to open to a gap larger than 0.5 millimeters. The minimum contact set for a safety relay consists of a Form A (N/O) and Form B (N/C) contact.
Why Safety Technology?
Automated or machine production creates motion with potential danger. The goal of any safety technique, therefore, is to protect the man (the operator), the machine, and the workpiece(s). The results: reduced danger, improved system availability, and increased reliability. Danger results when any of the following occurs:
- Insufficient or missing mechanical safety methods are used.
- The safety system is compromised or manipulated.
- Dangers are inproperly evaluated.
- Work routines become monotonous, and attention drops.
- Operator and operation instructions are ignored.
- Limited maintenance work is carried out.
You can reduce danger by doing the following:
- Installing guards on the machines (with tamper-free covers).
- Having protective interlocks in the electrical control circuit.
- Using proven electrical circuitry and techniques.
- Having partial or full redundancy.
- Incorporating functional testing in the design or construction.
- Continuously improving safety in the system.
Machine Safety Basics
The machine guidelines in Europe are recognized as a uniform rule in the Euopean Community, a safety standard for all countries that helps break down trade barriers. The guidelines are valid for every machine and machine builder. Every machine must carry the CE symbol. This means that compliance with and conformity to the current standards are documented and certified. It isn't a test mark. Each manufacturer certifies its own product for conformance.
The planning or engineering phase is the best stage to consider machine safety. The following questions could assist in improving the safety of a machine:
- Is standard A, B, or C valid?
Type A is basic safety. EN292-1, Safety of machines, is the current standard.
Type B is covered by group safety standards, both general safety (B1)EN954-1, Safety relevant parts of controls, and EN60204-1, Electrical systems on machinesand special safety (B2)EN418, Emergency stop fixtures and two-hand control.
Type C refers to the technical standards and encompasses special safety considerations by machine or industry, including these:
EN201, Injection molding machinery
EN691, Woodworking machinery
EN692, Mechanical press machinery
EN1010, Printing and publishing machinery
EN1921, Automated assembly machinery
Danger and Risk Assessment
Two steps are required in evaulating potential hazards:
1) Establish the danger (using EN1050), as shown in Figure 1.
2) Define the risk parameter (using EN954), as shown in Figure 2.
The goal in this case is to achieve the required reduction in risk. I've mentioned the steps involved in establishing and defining potential dangers and risks. In this example, shown here with a press (Figure 3), the following steps would arrive at this result.
|S Severity of the injury||S2 Severe, irreversible|
|F Frequency and/or duration of the danger||F2 Continuous|
|P Probability of avoiding the hazard||P2 Scarcely possible|
The result is an application that corresponds to Safety Category 4.
To review the categories we used in our analysis, we should also consider the following steps, with the basis being Category B, leading up to Category 4 (Figure 4).
Category B refers to safety-related parts that must be constructed in such a way that they withstand the expected influences. Example:
- Selection of conductor size and cross section
- Different colors for cabling
- Control system with no safety or fail-safe behavior
System behavior: An error can lead to the loss of safety.
Category B's requirements must be fulfilled, and additionally proven components and wiring principles should be utilized. Examples include the use of proven (tried and tested) components (e.g., limit switches for safety applications) and proven principles, including forced opening and operation.
System behavior: An error can lead to the loss of safety (the probability of occurrence is less than in Category B).
The requirements of Category B and Category 1 must be fulfilled, and the safety function must be tested at regular time intervals. Examples include the use of proven components, such as limit switches and barriers for safety applications. An overdimensioning of components and the structure of the control should allow for cyclic tests.
System behavior: An error would lead to a loss of safety between the test cycles. The test cycle will identify the error.
The requirements of Category B and Category 1 must be fulfilled. Safety-related parts must be configured in such a way that one error doesn't lead to a loss in safety, and the one error is identified.
System behavior: Redundant in nature when an error occurs. Safety isn't compromised. (multiple errors do lead to loss in safety).
The requirements of Category B and Category 1 must be fulfilled. One error doesn't lead to a loss in safety, and the single error is identified on or before the next step or instruction in the machine. The system structure is built up in a redundant fashion, and there are interlocks (both in time and between signals) to ensure that safety is maintained in the case of a single error. All errors must be identified.
Safety in machines, particularly in motion control and robotics applications, remains a crucial element in new and revised applications. Safety to man, machine, and workpiece leads to improved efficiency and profitability. It should be considered the most important benefit to be integrated in any new design or product that's designed for global applications. Continuous improvements in safety mean the subject matter is dynamic, and the reader is reminded to keep up to date with the topic. MC
Figures and Graphics
- Figure 1. Process to achieve machine safety.
- Figure 2. Risk evaluation: EN954-1.
- Figure 3. Evaluating risk parameters.
- Figure 4. Categorical risk analysis.
- Integrating Safety Relays in Control Systems [pdf file]
Arnold Offner is product manager for interface products at Phoenix Contact Inc. in Harrisburg, Pa. He can be reached at (717) 948-3469.