Redundancy in Technological Systems

March 10, 2010
Redundancy is a concept frequently applied in technological systems. When investigating in detail why redundancy is used, one finds that there are many reasons for doing so. Looking at several redundant implementations should make this clear. Still, all forms of redundancy share one idea: an increased ability to keep control of a system even when problems occur.

Safety

Functional safety systems are probably the most common automation solutions based on redundancy. Here the rationale is to provide a control system that can safely shut down a machine in case of an emergency. Depending on the outcome of a detailed safety evaluation, safety solutions of varying complexity can be used to address the particular needs of the application. Safety systems are still designed to comply with EN954, which divides applications into five classes, from B at the low end to CAT 4 at the upper end. To show that not all redundant systems are equal, let's focus on two scenarios. Figure 1 shows a safety system in which a number of redundant safe input devices (e-stops and magnetic interlock switches) are wired redundantly in series. These safety strings are then connected to a safety relay, which is ultimately responsible for shutting down motors, drives or other potentially harmful devices. Consider a situation in which one of the safe contacts on a magnetic safety switch is welded or simply sticky. Thanks to the redundant nature of the safety string, the machine will still come to a safe shutdown as soon as the door monitored by this switch is opened. Even better, the safety relay will not allow a restart of the system after the door has been closed again. The reason is that the safety relay demands that as soon as one of its safe inputs shows an open contact, the second input must also go open, a condition clearly not satisfied because of the welded contact. Unfortunately, it is rather trivial to trick the safety relay: all one has to do is open and close another door. The safety relay then sees both of its inputs open, which makes the fault a resettable condition. From that moment on, the redundant nature of the system is compromised: all it takes is a second fault at the same magnetic door switch, and opening that door will no longer result in a safe system shutdown.
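The fault-masking sequence described above, as an added simulation that is not part of the original article: two dual-contact interlock switches wired in series feed a two-channel relay, and the switch model, channel logic and reset rule are simplifying assumptions of mine rather than any particular relay's behaviour.

```python
# Constructed model of the two-channel safety string discussed above. It assumes
# one contact per channel per switch, welded contacts that read closed whatever
# the door does, and a discrepancy fault that latches until both channels open.
class DualContactSwitch:
    def __init__(self, welded=(False, False)):
        self.door_closed = True
        self.welded = welded            # (channel 1 welded, channel 2 welded)

    def contacts(self):
        # A contact is closed when the door is closed or the contact is welded.
        return tuple(self.door_closed or w for w in self.welded)

class SafetyRelay:
    def __init__(self, switches):
        self.switches = switches        # series string of DualContactSwitch
        self.output_enabled = True
        self.fault = False              # latched channel discrepancy

    def channels(self):
        # A channel is closed only if every contact in that channel is closed.
        return tuple(all(s.contacts()[i] for s in self.switches) for i in (0, 1))

    def set_door(self, switch, closed):
        # Move one door and re-evaluate both channels, as the relay would.
        switch.door_closed = closed
        ch1, ch2 = self.channels()
        # Outputs drop when either channel opens and stay dropped until reset.
        self.output_enabled = self.output_enabled and ch1 and ch2
        # A discrepancy latches the fault; seeing both channels open clears it.
        self.fault = (self.fault or ch1 != ch2) and (ch1 or ch2)
        return self.output_enabled

    def reset(self):
        if all(self.channels()) and not self.fault:
            self.output_enabled = True
        return self.output_enabled

def run_scenario():
    # Door A has one welded contact; door B is healthy.
    a, b = DualContactSwitch(welded=(True, False)), DualContactSwitch()
    relay = SafetyRelay([a, b])
    result = {"shutdown_on_first_fault": not relay.set_door(a, False)}
    relay.set_door(a, True)
    result["restart_blocked"] = not relay.reset()       # discrepancy latched
    relay.set_door(b, False)                             # both channels open
    relay.set_door(b, True)
    result["restart_after_other_door"] = relay.reset()   # fault masked
    a.welded = (True, True)                              # second welded contact on A
    result["shutdown_on_second_fault"] = not relay.set_door(a, False)
    return result
```

Running `run_scenario()` shows the first fault being caught and the restart refused, then the restart succeeding once the other door has been cycled, after which the second welded contact on the same switch produces no shutdown at all.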