Safety First! – Categories and Terms Part 2: Modern Machine Safety – Talk the Talk so you can Walk the Walk
In part 1, we discussed general safety terms and categories and covered the concept of risk. By understanding risk, we can determine a structure for the architecture needed to manage that risk. That structure will result in a controller that accomplishes all the tasks involved with the lowest acceptable risk to equipment and staff. In part 2, we will dig deeper into terms and categories to understand their impact on machine safety.
The concept of building this structure is called Functional Safety Engineering. Here, functional safety means that the automation protection protocols correctly operate in response to inputs. According to the International Electrotechnical Commission 61508 (IEC): “Functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event”.
Functional safety is achieved by doing the following:
- Identify the safety functions and perform HAZIDS (Hazard Analysis), HAZOPS (Hazard and Operability Study) to understand what issues must be mitigated.
- Assess the Risk and how the safety functionality will reduce it. This assessment is an end-to-end risk of the system and not simply the controller itself.
- Ensure that the safety system meets design requirements and functions as intended. This not only means testing but also verifying that the safety works in load conditions that include incorrect inputs or failure modes.
- Conduct functional safety audits to ensure that the safety functions will work throughout the lifecycle of the controller.
A Deeper Look at Categories
In Functional Safety Engineering, the safety features of a controller are built in. Which PLCs are used will depend on the assessed need of the system. The categories previously discussed scale in complexity from lowest safety requirement to highest. And the safety requirements that each type of automation or piece of equipment will have will determine the category of the safety circuit used.
- Category B – Category B safety circuits are built with only basic safety principals. This is for use when danger to equipment, facility or operators is highly unlikely. It may also mean that a fault can lead to loss of the safety functionality.
- Category 1 – Category 1 safety circuits have a single channel to a safety relay. The same Category B safety principals require, but the standard for Category 1 also requires that the circuit be designed and constructed using “well-tried” components and principals. A “well-tried component” will have been used successfully and repeatedly in past applications. It is important to note that “well-tried components” applies to things such as screws, springs, break pins and cams but does not include use of complex electronics like standard PLCs, microprocessors, etc.
- Category 2 – Category 2 safety circuits have two channels. One is wired to an e-chain stop and the second can be PLC monitoring of auxiliary contacts on safety switches. They are also required to be constructed with “Well-tried” components and principals, but they also require that their functionality be monitored by the machine’s control system. These occur at machine startup, or before the machine moves to a new cycle where conditions could be hazardous. The checks will either allow the machine to operate if no faults are found or it will halt the machine or initiate a control response if a fault is present.
- Category 3 – Category 3 safety circuits have two hardwired channels. This is often found in drives with the “safe-off” functionality. They also use the same requirement for “well-tried” components and principles, but they are considered “control reliable” and are designed with some degree of fault tolerance. This means that they are designed so that a single fault in any part does not lead to the loss of safety functionality.
- Category 4 – Category 4 safety circuits have the strictest requirements and is the most reliable. They have two hardwired channels but also include a self-monitoring safety relay. They too have the “well-tried” requirement and as Category 3 does, they also have the requirement that they continue to perform the safety function even with a single fault. The difference is that Category 4 takes undetected faults into account and ensures that the safety function remains active regardless the fault or accumulation of faults, making it more reliable under difficult or dangerous conditions.
Safety and PLCs
The modern programmable logic controller (PLC) has come a long way over the decades to become a flexible and integral part of most advanced control systems for equipment. This includes their part in functional safety. And while they are not the only element in functional safety engineering, their versatility and integration within a system is critical to the overall safety of that system.
While there are many variations, there are essentially two types of PLC that are most common:
- Fixed/Integrated PLC – This type of PLC has a fixed number of Input/Outputs (I/O) that cannot be expanded because they are integrated into the controller itself. Because the inputs and outputs are limited, a fixed PLC may have some limited error detection, but it is limited to the point that it cannot be used as a component in the functional safety design itself. It is limited with I/Os because it cannot detect wring errors like channel mismatches.
- Modular PLC – Modular PLCs are used for large industrial control systems and increase the number of I/Os that can be used. These I/Os may be independent of one another and are connected in a rack for easy centralization. By separating the modules, fault detection is easier than with a regular PLC because each function is separated by a module within the whole. However, as PLCs alone cannot constitute a functional safety system, using the modular PLC for fault detection requires knowledge of the PLC circuitry to apply the safety protocols in designing the overall safety system.
Using a Safety PLC
One reason that PLCs have been excluded from safety system design is because they are software dependent. But a safety PLCs have been designed to provide control and safety measures for automated equipment. This means that a safety PLC will have advanced programming dedicated to error detection.
This includes rigorous design and design methods that extend not just from the mechanical, physical aspects of the PLC but also to strong requirements for software integrity (a reservation traditionally held by many system designers is software). They are also held to higher standards for electrical safety, user manual integrity and rigorous lifecycle testing. Safety PLCs also rely on strong internal diagnostics and redundancy to protect software integrity and ensure the safety functionality remains in place.
Designing for Functional Safety
In designing for functional safety, these terms can guide a system engineer in choosing the right components to meet safety needs. By first identifying the required safety functions, determining appropriate risk, ensuring the system meets design requirements and auditing and testing extensively, engineers can arrive at the right category and combination of components needed to make any system and its PLCs and safety PLCs function dependably.
Have a suggestion for products we should compare? Leave a comment below, or send us a message on Facebook, Twitter or LinkedIn.