Safety switches in series
Can emergency stops or gate switches be wired in series to a safety control system? It’s a question that raises debate throughout industry. One manufacturer says yes, others say no. Some devices can, some can’t. But how do you determine what can and can’t be wired in series?
Emergency stop devices can be wired in series (they must be Category 4 devices according to AS 4024.1), as the likelihood of more than one switch being operated at the same time is minimal. The machine will stop when the first emergency stop is operated and any faults will be detected.
Emergency stops can’t be wired in series with other devices, however, because they must override all other machine functions.
Other types of switches
First, we’ll take a look at the safety-related part of control system categories from AS 4024.1-2006 Safety of Machinery, as the level of risk associated with a machine’s hazard usually determines the wiring for these switches.
Categories B and 1 allow that a single fault within the safety system can cause the loss of the safety function, which means a single-channel switch may suffice. Category 2 may also use single-channel switches, but they must be checked at machine start or periodically by the machine control system in order to detect any faults.
Categories 3 and 4 require dual-channel (redundant) switches, since the standard states that a single fault shall not cause a loss of the safety function. The primary difference between the two refers to single fault detection. Both categories state that the single fault shall be detected at or before the next demand on the safety function, but Category 3 has the clause “whenever reasonably practicable” before this statement.
The notes for Category 3 state: “Whenever reasonably practicable means that the required measures for fault detection and the extent to which they are implemented depends mainly upon the consequences of a failure and the probability of the occurrence of this failure within the application. The technology used will influence the possibilities for the implementation of fault detection.”
According to Victoria’s OH&S Act 2004, “To avoid doubt regard must be had to the following matters in determining what is (or was) reasonably practicable in relation to ensuring health and safety:
a) the likelihood of the hazard or risk concerned eventuating;
b) the degree of harm;
c) what the person concerned knows about the hazard;
d) availability and suitability of ways to eliminate the hazard;
e) the cost of eliminating the hazard”
For Categories B and 1, wiring switches in series is acceptable, as there is no requirement to detect faults. For Category 2, switches can still be wired in series, as faults will be detected when the regular check is performed. For Category 3, it is generally not acceptable to wire mechanical switches in series, unless you can justify why it is reasonably practicable to do so.
Wiring switches in series may meet Category 3 if only one switch/guard may be opened at a time. This would generally mean that there is only one operator at the machine and that a regular check is performed on the switches to check for faults. Wiring mechanical switches in series is not allowed for Category 4.
Why is this so? Consider the image on page 10 showing two switches wired in series (Fig 1a). A faulty contact is present in the first switch, which should be detected as per AS 4024.1-2006, which says “single fault detected at or before the next demand on the safety function”.
If the faulty switch is opened, the machine should shut off as at least one contact has opened (Fig 1b). If the switch is closed, the safety relay will detect the fault.
If, however, the second switch is operated (Fig 1c), and it has no faults, the faulty contact in the first switch is now not seen by the safety relay or safety control system as both input circuits have been broken.
A comment that is sometimes made is, “The safety relays we use have simultaneity monitoring and will detect the faulty switch contact if it has not opened within 500ms – 3s.”
This can be true, but what happens if the faulty switch is opened after the non-faulty switch? The fault is not detected as, again, both input circuits have been broken.
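The masking described above can be replayed in a small simulation. This is an added example, not part of the original article: the relay model is simplified, the fault is assumed to be a channel A contact in the first switch that fails to open, and all names, times and event sequences are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Switch:
    stuck_a: bool = False     # assumed fault: channel A contact fails to open
    guard_open: bool = False

    def closed(self):
        """Contact states as (channel A closed, channel B closed)."""
        return (self.stuck_a or not self.guard_open, not self.guard_open)

def relay_detects_fault(events, discrepancy_s=None):
    """Replay (time_s, switch_index, guard_open) events against two
    series-wired dual-channel switches; switch 0 carries the fault.
    Returns True if the simplified relay model latches a fault."""
    switches = [Switch(stuck_a=True), Switch()]
    disagree_since = None
    for t, idx, guard_open in events:
        # Simultaneity monitoring: channels disagreed longer than the window.
        if (discrepancy_s is not None and disagree_since is not None
                and t - disagree_since > discrepancy_s):
            return True
        switches[idx].guard_open = guard_open
        # Series wiring: a channel is closed only if every contact in it is.
        a = all(s.closed()[0] for s in switches)
        b = all(s.closed()[1] for s in switches)
        if a != b:
            if disagree_since is None:
                disagree_since = t
        elif not a:
            disagree_since = None   # both channels open: fault is masked
        elif disagree_since is not None:
            return True             # reclosed, but one channel never opened
    return discrepancy_s is not None and disagree_since is not None

# Constructed event sequences (times in seconds).
FAULTY_ONLY   = [(0, 0, True), (5, 0, False)]                              # Fig 1b
FAULTY_FIRST  = [(0, 0, True), (1, 1, True), (5, 0, False), (6, 1, False)] # Fig 1c
HEALTHY_FIRST = [(0, 1, True), (1, 0, True), (5, 0, False), (6, 1, False)]

if __name__ == "__main__":
    for name, ev in [("faulty only", FAULTY_ONLY), ("faulty first", FAULTY_FIRST),
                     ("healthy first", HEALTHY_FIRST)]:
        print(name, [relay_detects_fault(ev, w) for w in (None, 0.5, 3.0)])
```

In this model a 0.5 s window catches the faulty-first sequence because the second switch opens 1 s later, while a 3 s window does not; the healthy-first sequence is never detected, whatever the window.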
As mentioned above, there are switches on the market that can be wired in series and are third-party approved to meet Category 4. These switches have solid state outputs in place of mechanical switch contacts.
Inside the switches are micro-controllers that continually test the outputs of the switch for voltage intrusions and also monitor the input circuits of the switch. Any change in the input circuit and the switch will shut off the outputs.
The wiring between switches must be secure to ensure that there can be no voltage intrusions in both input circuits of the PSENcode.
Designers, and this includes anyone who is altering existing designs, must carefully consider the question of what is “reasonably practicable” when selecting interlocks and monitoring devices for a safety application. The device selected and the environment it is used in will determine whether series wiring for Categories 3 and 4 is acceptable.
* Frank Schrever has 29 years’ experience in the instrumentation and automation markets and established Pilz Safe Automation - 03 9544 6300.
18-Oct-2006