"A fault in the control circuit logic, or failure of or damage to the control circuit must not lead to dangerous situations." This is the declaration of the EU's Machinery Directive and EN 292-2:1991 under the heading 1.2.7. "Failure of the control circuit".
The significance of this statement is that a single fault, such as a jammed relay, a short circuit in a transistor or a short circuit between two conductors, must not result in the safety function failing, with the risk of consequent personal injury.
Please note that "a fault" means the system is only expected to handle one fault at a time. Two components failing at the same time is not regarded as likely, as long as a single external interference cannot cause both of them to fail.
The above wording can be found in various regulations and standards. This safety requirement was not newly introduced with the Machinery Directive; it has existed in other regulations for many years.
Methods for Increased Safety
In order to increase the reliability of a safety circuit, the following methods are usually used:
- Well-tried safety components/reliable components
- Redundancy/duplication
- Supervision
The European Standard EN 954-1
EN 954-1 is a standard specifically relating to safe control systems. It defines a system of categories, based on the methods listed above, by which the reliability of a safety function is increased.
Category B
- Basic requirement
- Correctly rated components
- Circuits handling earth faults
Category 1
- All conditions of B apply
- Well-tried safety components and safety principles
- Components with a greater reliability
Category 2
- All conditions of B apply
- Individual supervised components
- The safety function may fail but the fault is detected at suitable intervals.
Category 3 & 4
- All conditions of B apply
- Duplication and supervision
The difference between category 3 and 4 is that certain types of fault are not detected in category 3.
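The single-fault principle in the declaration above, and the combination of duplication and supervision that distinguishes categories 3 and 4 from plain redundancy, can be made concrete with a small model. The following Python is an added illustration and is not code from the original text or from any product it mentions: the two-channel interlock, the fault names and the step sequence are constructed for this example, and the supervision logic (compare the two channels on every evaluation and latch any discrepancy) is a deliberate simplification of what a real safety relay does.

```python
from dataclasses import dataclass, field


@dataclass
class TwoChannelInterlock:
    """Simplified model of a two-channel (duplicated) gate interlock.

    Each channel is one contact of the gate switch feeding one relay; the
    machine may run only when both channels report "gate closed".  A channel
    listed in `stuck_closed` models a single fault of the kind the text names
    (welded contact, shorted conductor pair) that reports "closed" even when
    the gate is open.  With `supervised=True` the two channels are compared
    on every evaluation and any disagreement is latched as a fault.
    Illustrative assumption only, not the wording or logic of EN 954-1.
    """
    supervised: bool
    stuck_closed: set = field(default_factory=set)
    fault_latched: bool = False

    def channel_states(self, gate_closed: bool) -> dict:
        """Return what each channel reports, taking stuck contacts into account."""
        return {ch: gate_closed or ch in self.stuck_closed for ch in (1, 2)}

    def run_enabled(self, gate_closed: bool) -> bool:
        """Return True if the safety output would allow the machine to run."""
        states = self.channel_states(gate_closed)
        if self.supervised:
            if self.fault_latched:
                return False            # stay locked off until the fault is repaired
            if states[1] != states[2]:  # channel discrepancy: one channel has failed
                self.fault_latched = True
                return False
        return states[1] and states[2]


def scenario(supervised: bool) -> list:
    """Run one constructed fault sequence against the interlock model.

    Returns a list of (step, gate_closed, run_enabled) tuples.  A dangerous
    state is one where the gate is open but the machine is still enabled.
    """
    ilk = TwoChannelInterlock(supervised=supervised)
    steps = []

    # 1. Healthy circuit, gate closed: the machine is allowed to run.
    steps.append(("healthy, gate closed", True, ilk.run_enabled(True)))

    # 2. First single fault: the channel 1 contact welds closed.  Gate is opened.
    ilk.stuck_closed.add(1)
    steps.append(("ch1 stuck, gate opened", False, ilk.run_enabled(False)))

    # 3. Gate closed again.  An unsupervised circuit simply resumes; a
    #    supervised one has already latched the discrepancy seen in step 2.
    steps.append(("ch1 stuck, gate closed", True, ilk.run_enabled(True)))

    # 4. A second, independent fault accumulates on channel 2.  Gate is opened.
    ilk.stuck_closed.add(2)
    steps.append(("both stuck, gate opened", False, ilk.run_enabled(False)))
    return steps


def dangerous_steps(supervised: bool) -> list:
    """Names of the steps where the gate is open but the machine is still enabled."""
    return [name for name, gate_closed, enabled in scenario(supervised)
            if enabled and not gate_closed]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"supervised={mode}: dangerous steps = {dangerous_steps(mode)}")
```

Without supervision the first fault is latent: the machine keeps running normally (step 3) and only the second, accumulated fault produces the dangerous state in step 4. With supervision the first fault is detected at the next gate cycle and the output stays off, so a second fault never gets the chance to accumulate. That is exactly why the standard only needs to assume one fault at a time: supervision is there to catch the first before the second occurs.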
An RT9 safety relay with a selectable safety category makes this choice easier.
Choice of Category
It is above all a question of the technique available. Gate operation equipment can, for example, be fitted with a controlled interlocking switch (category 1). However, interlocking circuits with relays, transistors, etc. normally require solutions in categories 2 - 4 in order to achieve a higher safety level than standard control circuits.
Appendix B to EN 954-1 shows an example of how a category is chosen. The example gives some guidance but is quite inadequate. The safety category is chosen based on the safety risk of the machinery, and the risk is estimated from the three parameters S, F and P.
Fig. 1 - Method for selecting a safety category for safety-related parts of control system. Annex B (informative) of standard EN 954-1.
Legend to figure 1:
- Possible category which can require additional measures.
- Specified category according to this method.
- Possible category according to this method.
Risk parameters used in figure 1:
S - Severity of injury
  S1 - Slight (normally reversible) injury
  S2 - Serious (normally irreversible) injury including death
F - Frequency and/or exposure time to the hazard
  F1 - Seldom to quite often and/or the exposure time is short
  F2 - Frequent to continuous and/or the exposure time is long
P - Possibility of avoiding the hazard
  P1 - Possible under specific conditions
  P2 - Scarcely possible
By taking the three parameters S, F and P into account as shown in the drawing (figure 1), a satisfactory control system category can be obtained according to this method. However, the problem with this table is that it does not give a clear-cut answer but several alternatives. For example, an automatic production plant with estimated risk factors of S2 (serious injuries), F1 (seldom to quite often) and P2 (scarcely possible to avoid an accident) comes under categories 1 - 4, although category 2 and 3 would be the preferred choice as these are marked with two black filled rings. A higher category can always be chosen, and category 1 is also an option if the safety level is the same.
In practice, an interlocked gate often utilizes a mechanical interlocking switch that is monitored by a safety relay. The mechanics of the interlocking switch fall within category 1 while the safety relay is category 4. The cable, if considered separately, falls within category 1, 3 or 4 depending on the connection alternative chosen (1 or 2 channels).
The fact that categories 1 and 4 are combined in the same safety circuit is due to the standard not specifying a strict hierarchical safety order. When comparing categories 2 - 4, category 4 is normally the safest. However, when comparing category 1 with categories 2, 3 and 4, this is not always a matter of course. The construction of the interlocking switch must, however, be designed to withstand the foreseen usage.
As regards the interlocking switch, it is usually considered enough to use a category 1 device for automatic plants. This is supported by numerous standards for specialist machinery, e.g. protection at the back of a press in accordance with EN 692.
Why then choose a safety relay in category 4?
The manufacturing of safety relays is practically the same whether they are of category 2, 3 or 4. A relay that fulfils category 2 requires some sort of duplication for its monitoring. If you look closer at the definition of category 3, it states that "a single fault is detected when reasonably possible". This could be interpreted as there being no difference between safety relays in category 3 and 4, as it is quite possible to monitor all eventual faults within the unit.
However, to be on the safe side, it is better to choose a safety relay that fulfils category 4. The analysis of risks also becomes fairly simple, as there is not much more to do.