
Safety-circuit upgrades present design challenges

June 6, 2024
More open and flexible safety components can make for easier integration

As any of us who are involved in the design of control systems will confess to, the effort put into the actual control of the system is at least equal to the effort that must be put into the safe operation of the system. As our designs become more elaborate, faster and stronger, the safety design must match it, lock step, to make sure that we are not introducing a risk to the end user.

In a previous article, I wrote in depth about the evolution of the safety circuit. From a simple control relay designated specifically to handle overloads and safety devices to a purpose-built relay, adding dual channels and self-monitoring, the safety relay took the next logical step into the realm of controllers. The automation controller and the safety controller now share the same physical package with conventional and safety I/O modules occupying the same backplane connections. Status of both types of I/O is available to each controller and can aid in reacting faster to conditions in the whole control system.

As with other advances in control system design, when the safety controllers get more sophisticated, the devices that interact with them need to advance similarly to match the technology. For the designer, there is always something new to learn and, naturally, we seek out safety devices that will integrate easily with our existing safety designs.

Traditionally, hardware vendors tend to develop products that have the same look and feel as their other product offerings. Mounting methods and connection means would also tend to match the family brand. Out of diversity seems to come invention, and the pandemic in our not-too-distant shared history seems to have been the right growing environment for a more open market when it comes to hardware products, particularly in the field of safety.

One such device perhaps did not come out of the pandemic, but my team came upon it due to some supply issues caused by the pandemic. We had a brand of light curtain that lined up with our preferred brand of safety relay. They were easy to install and integrate into our safety relay. However, we were unable to purchase our favorite light curtain and looked instead to some competing brands to get us out of a tight spot on a project we were building to increase our production during the pandemic. One brand caught our eye, not because we could get it in a time of need and not because it was cost-competitive. What caught our eye was the thought that went into the interface between light curtain and safety circuit. A small module, DIN-rail mounted, took care of the quick-connect cables to the light curtain sender and receiver but also had easy-to-use terminals for the output signal switching device (OSSD) channels in our safety circuit. This is just one example of a known automation provider who acknowledged that designers might want to use their products as part of a more open/flexible safety circuit design.

Our favorite supplier for safety relays also made such a decision with its latest offering. This automation provider makes a family of safety products that works as part of a system utilizing a communications protocol similar to IO-Link, but for its family of safety sensors and devices. Rather than focus strictly on their proprietary link, they also included the ability to configure the safety channels to contain standard OSSD devices or a combination of both. Further, by using communication node modules, one can use a combination of link devices and OSSD devices on the same safety string. By doing so, the manufacturer has made it easier to integrate its safety relay with devices from other brands. The flexibility could be critical to getting a design to production.

While we are talking about safety relays, my team recently ran into a pointed reminder about one of the basic functions of a safety relay. We were in the middle of a controls upgrade to a ribbon blender. The blender was first installed nearly 20 years ago, and the original equipment manufacturer (OEM) implemented an interesting interpretation of a safety circuit. The blender system is split over two floors, with the blender on the ground floor and various unit ops located on the second floor, where the individual ingredients are added to the blender through a number of ports in the top of the blender body. There is an operator station upstairs—for setting up the operational parameters for introducing the various components into the batch—and a second one downstairs—for completing the batch and discharging the results into drums or totes for distribution to the finished packaging areas of our operations. A platform, in the room on the main floor, surrounds the blender and provides access to the lid of the blender, as well as some inspection ports.

The OEM used some creativity to incorporate three e-stop buttons, one on each human-machine interface (HMI) and one on the platform, into a safety circuit that is spread over the two floors of controls. Each control panel has a master control relay (MCR), and each of the three e-stop buttons has one channel wired to each of those two MCRs. So, to describe this better, 24-V power from the lower control panel would route through the two e-stop buttons on the main floor and then up through the single e-stop button on the upper HMI station before coming back down to the lower control panel and to the master control relay in that panel. The reverse happens in the upper control panel, where 24-V power starts in that panel, goes through the single e-stop button on the upper HMI station, down to the lower panel where it passes through the two e-stop buttons on that floor and then back to the master control relay in the upper control panel. Devices in the upper control panel rely on the output from the MCR in that panel for safety outputs, while devices in the lower control panel rely on output from the lower MCR for safety outputs in that panel. The circuits described above work, but they are hard to troubleshoot and do not meet current design standards for a dual-channel, dual-redundant safety circuit.

During our planning for this controls upgrade, we also noted that, while the blender lid and inspection doors all had magnetically operated door switches, the OEM was only using the auxiliary contacts—the normally open pair—on each door switch to provide feedback to the programmable logic controller (PLC). These signals were used to generate an alarm for each lid/door that would drop out the run command to any devices currently in operation. Clearly, this could not remain this way for our updated controls.

For our upgrade, we selected a current safety relay from our automation vendor as a base for the updated design. The relay would be located in our lower control panel and bring the three e-stop buttons down to the lower control panel for wiring purposes. We would also bring the normally closed contacts on the four lid/doors back to that lower panel and make them part of the safety channel, as well. When the circuit was satisfied and the relay was reset, we used the output from that relay to drive a pair of force-guided relays through which the safety outputs were powered. Safety power was then applied to the original MCR in each control panel to tie the original system back in. We also used that safety output power to provide the safe torque off signal to each of the variable-frequency drives in our control systems.

The point of the detailed discussion of the old and new safety circuits is to point out the detail to which we might have to go to upgrade a system to current code expectations. It is from this conversion that we learned a couple of lessons. The first lesson had to do with the lid switches on the blender main lid and the three inspection doors mounted to that lid. The magnetic safety switches that were already mounted on the blender were, as previously mentioned, only using the normally open (NO) auxiliary contacts for PLC status. We needed to incorporate the dual normally closed (NC) safety contacts in our safety circuit. It was during the process of testing out that revised safety circuit that we ran into our first surprise. The safety switches had seven wires matching the circuit diagram for that family of devices—four wires for the safety contacts, two wires for the auxiliary contact and one wire for ground.

We could get one safety channel to work, but the other circuit remained open, no matter what we did. After a lot of head scratching, we discovered that, while seemingly a two-channel safety switch with auxiliary output, the switch was, in fact, only a single safety channel with auxiliary output. The package looks identical to the dual-channel version and had all of the appropriate wires and colors but, sadly, it was single channel.

The first lesson is not everything is as it seems. The safety switches are rather expensive as they are used in a washdown environment. Luckily, we had the dual-channel version that we ordered for another project, but going back to our management group with a serious upgrade price for the remaining eight blenders in our upgrade plans was not a fun experience.

The second lesson goes back to the fundamental features of a modern safety relay. We had wired up the three e-stops in series and then added the four lid switches in series to complete our safety chain. Our new issue was that after we solved the dual-channel issue with the lid switches, we could not get the two channels to light up on our safety relay.

Lots of head scratching and ringing out of the e-stop portion of the circuit did not solve the situation. Here is where the fundamental function comes into play. We could put our meter across the first channel connections of S11 and S21 and get continuity. We could meter out the second channel at S12 and S22 and get continuity. The answer comes from the fact that these are monitored safety channels. The relay sends out a marker pulse on each safety channel and expects to see it on the return channel. The pulses are different for the two safety channels on the relay. We had kept the original OEM wiring of the three e-stop buttons. In those, the circuits crossed over. What was happening was that we were sending out on channel 1 (CH1) and getting the result back on channel 2 (CH2). While the wiring was complete, the crossover meant we could ring out the channels, but the safety relay did not like getting the CH1 pulse back on CH2.
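The difference between ringing out a channel and the relay's pulse monitoring can be shown with a small simulation. This is an added example, not the author's or any vendor's code; the pulse patterns, device names and the simplification that a meter only confirms a closed conductor path are all assumptions.

```python
from dataclasses import dataclass

# Constructed pulse patterns; real relays use vendor-specific test-pulse timing.
PULSES = {"CH1": (1, 0, 1, 1, 1, 1), "CH2": (1, 1, 1, 0, 1, 1)}

@dataclass
class Device:
    name: str
    closed: bool = True    # both contacts closed (e-stop released, lid shut)
    crossed: bool = False  # field wiring swaps the two conductors at this device

def build_chain(crossed=(), opened=()):
    """Three e-stops then four lid switches in series (device names are constructed)."""
    names = ["estop_upper_hmi", "estop_lower_hmi", "estop_platform",
             "lid_main", "door_1", "door_2", "door_3"]
    return [Device(n, closed=n not in opened, crossed=n in crossed) for n in names]

def route(chain):
    """Map each outgoing channel to the return input it lands on; None if the chain is open."""
    landing = {"CH1": "CH1", "CH2": "CH2"}
    for dev in chain:
        if not dev.closed:
            return None
        if dev.crossed:
            landing = {src: "CH2" if dst == "CH1" else "CH1" for src, dst in landing.items()}
    return landing

def meter_rings_out(chain):
    """Continuity check: a closed path exists, whichever input it ends on."""
    return route(chain) is not None

def relay_evaluates(chain):
    """Pulse check: each return input must see its own channel's pattern."""
    landing = route(chain)
    if landing is None:
        return {ch: "open" for ch in PULSES}
    seen = {dst: PULSES[src] for src, dst in landing.items()}
    return {ch: "ok" if seen[ch] == PULSES[ch] else "cross fault" for ch in PULSES}

if __name__ == "__main__":
    for label, chain in [("crossed at one e-stop", build_chain(crossed=["estop_platform"])),
                         ("straight-through", build_chain()),
                         ("e-stop pressed", build_chain(opened=["estop_upper_hmi"]))]:
        print(label, meter_rings_out(chain), relay_evaluates(chain))
```

In this model an even number of crossovers cancels out, so a chain can be miswired at two devices and still satisfy the relay; tracing each conductor device by device is the only way to find that.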

Safety devices remove risk from our designs. They also, as the last two examples revealed, help us to avoid mistakes. It is always best to do lots of homework when upgrading, and fortunately the devices themselves can save us from ourselves.

About the Author

Rick Rice | Contributing Editor

Rick Rice is a controls engineer at Crest Foods, a dry-foods manufacturing and packaging company in Ashton, Illinois. With more than 30 years’ experience in the field of automation, Rice has designed and programmed everything from automotive assembly, robots, palletizing and depalletizing equipment, conveyors and forming machines for the plastics industry but most of his career has focused on OEM in the packaging machinery industry with a focus on R&D for custom applications. 
