Electronic safety control systems include programmable equipment, assemblies of electronic devices and components, field-bus and cableless controls. The hardware and software of these systems can be complex compared with hard-wired systems using relay logic. For safety systems that rely on the correct operation of the electronic circuits to ensure safety, there are many more possible failure modes, so the system has to be designed to minimize the dangers that can arise from system faults (4.5.1 and 9.9).
For safety systems that include hard-wired interlocking techniques to achieve safety, the safety performance of the complex components is less critical. In such systems, poor design of complex components can result in failures that cause production reliability problems (see section 9.9 for comment on safe failures). All electronic equipment must be immune to the effects of electromagnetic interference, mains-borne power supply interference and variations in power supplies that could have a detrimental effect on safety. The re-instatement of power supplies after a loss must not cause dangerous parts of the machine to start up (IEC 60204–1 cl. 7).
Servo-controlled motor drives are complex control systems. Controllers for higher-risk machine applications, such as robots, CNC machines, machining centres, etc., require continuous monitoring. Although these machines are provided with safeguards to prevent operators from approaching dangerous parts during normal operations, occasions arise, such as during machine setting and teaching, when moving dangerous parts have to be approached. In these circumstances, operators should use portable control stations fitted with hold-to-run controls and an emergency stop switch (6.8).
Where a remote diagnostic facility is included for either local or distant use, the safety of the machines must be maintained under all modes of diagnostic operations. The diagnostic circuits must be included in the safety assessments of the safety related machine control systems.
9.8.8.1 Hard-wired interlocking
Where possible the interlocking device should be connected between the electronic controller and the power switching device. In the majority of applications the controller has to be informed that the power switching element has been opened. This can be achieved by using a second contact of the interlocking device (Figure 9.19).
Figure 9.19 Interlocking with electronic controllers.
Figure 9.19a Block diagram: machine controls; electronic controller (including programmable controllers); safety-related part of control circuit; interlocking device, e.g. guard switch; power control element fed from the power source; power to the dangerous parts of the machine; signal to inform the controller that the safety device has activated.
Figure 9.19b Circuit diagram with the interlocking device in the output signal from the controller: guard switch; electronic controller (signal processing section) with inputs and control supply; output interface (with relay logic); contactor K1; machine drive motor and power supply.
Note: The guard switches have an auxiliary switching element which provides a stop signal to the controller. An option is to use two guard switches, which increases the safety integrity level.
Figure 9.19c Circuit diagram with the interlocking device in the control supply to the output interface (same elements as Figure 9.19b).
9.8.8.2 Reliance for safety on complex systems
Electronic controllers can be used as one or more of the safety-related channels of control systems, but when used as a single channel they become safety critical and should incorporate automatic monitoring and other diagnostics dictated by the design assessment (section 9.9). The automatic discontinuous monitoring techniques described in section 9.8.2 will satisfy the safety criteria for low-risk applications.
In multi-channel systems, diversity between channels – for both the software of programmable equipment and the electronic hardware with built-in diagnostics (section 9.9) – should be employed to reduce the probability of common mode failures. As a general rule, low-complexity electronic safety control elements should, as a minimum requirement, meet the same level of safety as that achieved by the equivalent hard-wired relay logic. Where practicable this should also apply to complex systems.
9.8.8.3 Programmable controllers
Programmable controllers vary in size from a single microprocessor (μP) application to large mainframe systems. All have the same basic operating principles and, when the safety performance has to be considered, predicting failures and locating faults requires in-depth analysis.
Software that is programmed by the manufacturer is not accessible to the user and is referred to as embedded software. Other software has to be added and programmed to suit the final use and is referred to as application software. Access to software must be secured so that unauthorized operators cannot make changes that could lead to a risk of injury (IEC 60206–1 cl 11). This can be done by a key switch built into a keyboard terminal or by a security code. Safety software should be designed to minimize the probability of it failing to danger due to systematic errors (IEC 61508 and IEC 62061 cl 6).
The accuracy of the initial software specification for the safety performance requirements of the control system is of fundamental importance – if the software specification is incorrect, the follow-on stages in the development cycle will not prevent systematic faults from being inadvertently introduced.
To minimize the possibility of software errors, the machine designer should set up, or work to, a quality control procedure that ensures that design and development is well managed and that verification and validation of the software occurs throughout the development cycle, including any final work during commissioning activities.
The current popular programmable controller for machine use is the Programmable Logic Controller (PLC), which is a version of a microprocessor that makes it relatively easy to use compared with other forms of processor that require programme rewrites to change configurations.
Designers will have preprogrammed the PLC so that a simple logic language can be used, e.g. if conditions A and B occur but not C, switch on motor M. Conditions A, B and C are input signals which are passed into the PLC processor section via an input interface, and the action signal M is transferred to a motor controller via an output interface.
The input and output interfaces contain devices that condition the signals to be compatible with the processor electronics. They include devices that maintain galvanic separation between internal elements and the outside hard-wired world.
The signals A, B and C in the above example are step signals, i.e. they are either ‘off’ or ‘on’, and are one of the communicating formats. Other types of signal such as analogue or digital pulse can be accepted by input interfaces designed for that format. The output devices can be relay contacts or solid-state switches of various forms. The input signals are scanned by the processor, which is governed by an internal clock. When a change of state of any input is recognized, the processor acts on that instruction and updates the output signals. The devices for entering the programme commands can be hand-held stations equipped with a visual display screen or a desktop terminal. The display screens present the programming tools and show the programmed command in graphic format. Popular programming formats are in the form of ladder diagrams or function blocks (Figure 9.21). Some manufacturers use their own bespoke formats.
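The following is an added illustration, not code from the book: it simulates the PLC scan cycle just described (the rung "if A and B but not C, switch on M") and combines it with the hard-wired interlocking of 9.8.8.1 and Figure 9.19, where the guard switch's main contact sits between the controller output and the power control element while its auxiliary contact feeds a stop signal back to the controller. The fault flag, the state class and the function names are assumptions made for the example; the contrast function shows the single-channel, software-only case of 9.8.8.2.

```python
from dataclasses import dataclass


@dataclass
class PlcState:
    """Inputs as presented to the processor by the input interface, plus output M."""
    a: bool = False
    b: bool = False
    c: bool = False
    guard_aux: bool = True          # auxiliary contact of the guard switch (stop signal)
    output_stuck_on: bool = False   # hypothetical fault: output interface latched on
    m: bool = False


def plc_scan(s: PlcState) -> bool:
    """One scan cycle: read inputs, evaluate the rung 'A and B and not C'
    in series with the guard stop signal, and update output M.
    Returns the controller's demanded state of M."""
    demanded = s.a and s.b and (not s.c) and s.guard_aux
    s.m = True if s.output_stuck_on else demanded
    return s.m


def motor_power_hardwired(s: PlcState, guard_closed: bool) -> bool:
    """Figure 9.19b arrangement: the guard switch's main contact is in series
    between the controller output and contactor K1, so an open guard removes
    motor power whatever the controller does; its auxiliary contact also tells
    the controller to stop, so the two paths normally agree."""
    s.guard_aux = guard_closed
    controller_out = plc_scan(s)
    return controller_out and guard_closed   # K1 energized only if both are true


def motor_power_software_only(s: PlcState, guard_closed: bool) -> bool:
    """Contrast case: the guard signal goes only to a controller input, so
    safety relies entirely on the complex controller behaving correctly
    (the single-channel situation of 9.8.8.2)."""
    s.guard_aux = guard_closed
    return plc_scan(s)
```

With the stuck-on output fault injected and the guard open, the hard-wired arrangement still removes power while the software-only arrangement leaves the motor running, which is the reason the text treats the safety performance of complex components as less critical when hard-wired interlocking is present.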
Figure 9.20 Typical elements of a PLC: input interface (inputs A, B, C); processor (CPU); programming and memory sections; user programming interface, e.g. keyboard; output interface (output M).
Figure 9.21 Examples of ladder and function block formats: a ladder-logic rung with contacts A, B and C controlling output M, followed by the END rung, and the equivalent function block (an AND block with inputs A, B and C driving M).
9.8.8.4 Field-bus systems
These safety networks are a development that uses computer-based signal processing techniques to allow integration of all the safety-related inputs, including monitoring, of a safety system with the minimum use of hard wiring. The information derived from the system signal processing can be used by other networks within the management systems. Figure 9.22 shows typical safety networks and Figure 9.23 shows the use of a single bus highway.
9.8.8.5 Cableless controls
These are control systems where the operator interface communicates with the safety-related control system using infrared or radio signals. They are in common use on overhead travelling cranes and other machines where the operator needs to have a degree of mobility. The critical safety feature is the reliability of the stop signal to perform at all times. In many applications it is not possible to provide a readily accessible emergency stop device (section 9.8.9), so the functional stop commands must include redundancy features and multichannel communication or equally effective methods to ensure that the correct control signal is received at the machine. Infrared signals require ‘line of sight’ operation but radio-based systems do not.
Thus when using a radio system there may be a safety concern where the operation of the machine could occur while out of sight of the operator.
To prevent unauthorized use of hand-operated controls they must include a security key. Individual control stations must not interfere with the operation of a machine that is not designated to that station.
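As an added example (not from the book) of the receiver-side requirements just stated for cableless controls, the model below decides whether a machine may run from a two-channel radio stop command: every channel must carry a fresh "run", any stop or any lost or silent channel stops the machine, stale or replayed frames are rejected, and frames from a station not designated to this machine are ignored. The frame layout, watchdog time, station identifier and class names are assumptions for illustration, not any real protocol.

```python
from dataclasses import dataclass

WATCHDOG_MS = 500                    # assumed: stop if a channel is silent this long
STATION_ID = "crane-07-station-A"    # assumed: the station designated for this machine


@dataclass
class Frame:
    """One received control frame (constructed layout, not a real protocol)."""
    station_id: str   # security key / designation of the sending control station
    channel: int      # 0 or 1: the two independent radio channels
    sequence: int     # running counter per channel; detects stale or replayed frames
    run: bool         # True while the operator holds the run command, False = stop
    time_ms: int      # receiver clock when the frame arrived


class StopReceiver:
    """Machine-side logic that decides whether the drive may run."""

    def __init__(self, channels: int = 2, station_id: str = STATION_ID):
        self.channels = channels
        self.station_id = station_id
        self.last_seq = [-1] * channels
        self.last_run = [False] * channels
        self.last_time = [None] * channels

    def accept(self, f: Frame) -> bool:
        """Use a frame only if it comes from the designated station, on a known
        channel, with a sequence number newer than the last one seen."""
        if f.station_id != self.station_id or not 0 <= f.channel < self.channels:
            return False
        if f.sequence <= self.last_seq[f.channel]:
            return False
        self.last_seq[f.channel] = f.sequence
        self.last_run[f.channel] = f.run
        self.last_time[f.channel] = f.time_ms
        return True

    def may_run(self, now_ms: int) -> bool:
        """Fail-safe decision: every channel must hold a fresh 'run'. A stop on
        any channel, a channel never heard, or a channel silent beyond the
        watchdog (e.g. radio lost out of line of sight) stops the machine."""
        for ch in range(self.channels):
            t = self.last_time[ch]
            if not self.last_run[ch] or t is None or now_ms - t > WATCHDOG_MS:
                return False
        return True
```

Note that the default state is "stop": the machine cannot run until both channels have been heard, so loss of the radio link out of sight of the operator cannot leave it moving.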
Figure 9.22 Typical safety networks: a main computer with satellite processors, and a distributed system.
Figure 9.23 Typical elements of a field-bus network for interlocking: safety field-bus controller; field-bus highway; devices designed for bus connection, e.g. photo-electric sensors; interface for contact-type or non-contact switching devices, e.g. guard switches; output interface providing voltage-free output contacts, or output interface for connection to a programmable controller or higher-level bus system.