The question often asked of Pilz is "Can E-STOPs or gate switches be wired in series to a safety control system?", or words to that effect.
It is a question that raises debate throughout industry. One manufacturer says yes, others say no. Some devices can, some cannot.
But how do you determine what can and cannot be wired in series?
If you read June’s issue of the safety update, you will know that emergency stop devices can be wired in series (they must be category 4 devices): the likelihood of more than one switch being operated at the same time is minimal, the machine will stop when the first E-STOP is operated, and any faults will be detected.
E-STOPs cannot, however, be wired in series with other devices, since the E-STOP must override all other machine functions. So what about other types of switches, such as gate switches?
First take a look at the safety related part of control system categories from AS4024.1-2006 Safety of Machinery, as the level of risk associated with a machine’s hazard usually determines the wiring for our switches.
Categories B and 1 allow that a single fault within the safety system can cause the loss of the safety function. This means that a single channel switch may suffice.
Category 2 also may use single channel switches, but they must be checked at machine start or periodically by the machine control system in order to detect any faults.
Categories 3 and 4 require dual channel (redundant) switches, since the standard states that a single fault shall not cause a loss of the safety function.
The primary difference between the two concerns single fault detection. Both categories state that the single fault shall be detected at or before the next demand upon the safety function, but Category 3 has the clause "whenever reasonably practicable" before this statement.
The notes for Category 3 state that "whenever reasonably practicable" means that the required measures for fault detection, and the extent to which they are implemented, depend mainly upon the consequences of a failure and the probability of the occurrence of this failure within the application.
The technology used will influence the possibilities for the implementation of fault detection.
Victoria’s Occupational Health and Safety Act 2004, in defining "reasonably practicable", states that, to avoid doubt, regard must be had to the following matters in determining what is (or was) reasonably practicable in relation to ensuring health and safety:
- The likelihood of the hazard or risk concerned eventuating
- The degree of harm
- What the person concerned knows about the hazard
- Availability and suitability of ways to eliminate hazard
- The cost of eliminating the hazard
So, all the above mentioned factors must be taken into account when determining what is reasonably practicable.
Summing up the descriptions of the risk categories:
- Categories B and 1 - faults may go undetected
- Category 2 - faults in switches will be detected when the regular test/check forced by the machine is performed on the safety system. A fault occurring after or between checks can cause the loss of safety
- Category 3 – faults cannot go undetected, unless it was not reasonably practicable to detect them. An accumulation of faults can go undetected
- Category 4 – faults must be detected, and if the first fault is not detected, an accumulation of faults will not cause a loss of safety
What faults may occur that should be detected?
- Welded/stuck contact in a switch
- Shorts in the wiring e.g. 24VDC short
- Shorts between the contacts of a switch itself e.g. filling with water or contamination
- Failure of a single mechanical element such as the tongue of a tongue switch
So this leads us to the following conclusions:
- Categories B and 1 - Wiring switches in series is ok, as we have no requirement to detect faults
- Category 2 - Switches may be wired in series as faults will be detected when the regular check is performed
- Category 3 - Wiring mechanical switches in series is generally not allowed unless you can justify why it is reasonably practicable to do so
Pilz believes that wiring switches in series may meet category 3 if the following conditions are met:
- Only one switch/guard may be opened at a time (very tight administrative control); typically this would mean that there is only one operator at the machine; and
- A regular check is performed on the switches to check for faults
- Category 4 - Wiring mechanical switches in series is not allowed
A comment that is sometimes made is that the safety relays used may have simultaneity monitoring and will detect the faulty switch contact if it has not opened within 500 ms to 3 s. This can be true, but what happens if the faulty switch is opened after the non-faulty switch? The fault is not detected as, again, both input circuits have been broken.
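The masking case described above can be replayed in a small simulation. This is an added example, not Pilz code: the relay model (a fault latches when the two input channels disagree for longer than the simultaneity window), the switch names A and B, and the event timings are all simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass
class Switch:
    """Dual-channel mechanical gate switch; welded[ch] marks a contact that cannot open."""
    name: str
    welded: tuple = (False, False)
    gate_open: bool = False

    def contact_closed(self, ch):
        return self.welded[ch] or not self.gate_open

class Relay:
    """Assumed, simplified safety relay: latches a fault when its two input
    channels disagree for longer than the simultaneity window."""
    def __init__(self, switches, window_s):
        self.switches = {s.name: s for s in switches}
        self.window_s = window_s
        self.fault = False
        self._since = None  # time at which the channels started to disagree

    def channels(self):
        # Series wiring: a channel is closed only if every contact in its chain is closed.
        return tuple(all(s.contact_closed(ch) for s in self.switches.values())
                     for ch in (0, 1))

    def step(self, t, name=None, gate_open=None):
        # A disagreement that outlasted the window before this moment latches the fault.
        if self._since is not None and t - self._since > self.window_s:
            self.fault = True
        if name is not None:
            self.switches[name].gate_open = gate_open
        ch1, ch2 = self.channels()
        if ch1 == ch2:
            self._since = None
        elif self._since is None:
            self._since = t

def fault_detected(events, window_s=0.5):
    """Replay (time_s, switch, gate_open) events; switch A has a welded channel-1 contact."""
    relay = Relay([Switch("A", welded=(True, False)), Switch("B")], window_s)
    for t, name, gate_open in events:
        relay.step(t, name, gate_open)
    relay.step(events[-1][0] + 10 * window_s)  # let any open window expire
    return relay.fault

# Constructed event sequences (times in seconds).
ONLY_A = [(0, "A", True), (5, "A", False)]
B_THEN_A = [(0, "B", True), (1, "A", True), (5, "A", False), (6, "B", False)]

if __name__ == "__main__":
    print("A opened alone:  ", fault_detected(ONLY_A))
    print("A opened after B:", fault_detected(B_THEN_A))
```

With the faulty gate opened on its own the channels disagree and the fault latches; with gate B already open, both series chains are broken before A moves, so the welded contact never shows up at the relay inputs.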
As mentioned above there are switches on the market, such as the Pilz PSENcode, that can be wired in series and are third party approved (by BG) to meet Category 4.
These switches have solid state outputs, in place of mechanical switch contacts. Inside the switches are micro-controllers that continually test the outputs of the switch for voltage intrusions, and also monitor the input circuits of the switch.
On any change in the input circuit, the switch will shut off the outputs. The wiring between switches must be secure to ensure that there can be no voltage intrusions in both input circuits of the PSENcode.
Designers, and this includes anyone who is altering existing designs, must carefully consider the question of "reasonably practicable" when selecting interlocks and monitoring devices for a safety application.
The device selected and the environment it is used in will determine whether series wiring for categories 3 and 4 is acceptable.