Single contactors for Category 3? Can faults be excluded?

It has been claimed that a single contactor can be used for safety control Category 3 if you oversize the contactor to between 1.5 and 1.8 times the rated capacity.

The Australian standard for machine safety AS4024.1-2006 Safety of Machinery part 1501: Design of safety related parts of control systems - General principles for design; section 7.2.4 lists Category 3 as the following: "The requirements of category B, the use of well-tried safety principles and the following requirements shall apply:

a) Safety-related parts of control systems to category 3 requirements shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

b) Common-mode faults shall be taken into account when the probability of such a fault occurring is significant.

c) Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

Category 3 system behaviour allows that-

i) when a single fault occurs, the safety function is always performed;

ii) some but not all faults will be detected; and

iii) accumulation of undetected faults can lead to loss of the safety function.

NOTES:

1. This requirement of single fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output signal and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are the connected movement of relay contacts or monitoring of redundant electrical outputs.

2. If necessary because of technology and application, designers should give further details on the detection of faults.

3. ‘Whenever reasonably practicable’ means that the required measures for fault detection and the extent to which they are implemented depends mainly upon the consequences of a failure and the probability of the occurrence of this failure within the application. The technology used will influence the possibilities for the implementation of fault detection."


In short, category 3 requires redundant (two channel) input and output devices, so that a single fault cannot lead to a loss of the safety function.

How can "over-dimensioning" single output devices (e.g. motor contactors) satisfy the requirement that a "single fault … does not lead to the loss of the safety function"?

Let’s take a look at some of the faults that may occur within the outputs of a safety system.

Electrical Faults

Short circuit on the output or coil of the motor contactor

A short circuit from the control voltage to the output driving a motor contactor will hold the contactor on. If a single contactor is used, the machine cannot be turned off by the safety system in this case: a single fault has led to the loss of the safety function. Higher-end safety systems such as the PNOZmulti or PSS safety PLCs will detect that the feedback contact failed to change over, but there is nothing the system can do to turn the machine off with this fault, unless the output being used is a dual-pole output, such as those provided by the PNOZmulti safety relay or the PSS programmable safety and control system.

Short circuit on the feedback circuit

A short circuit in the feedback input circuit can indicate that the motor contactor is switched off when in fact it is switched on.

Welding of the contacts inside the contactor

This is the type of fault that over-sizing is meant to remove, but if the fusing of the circuit is not done correctly it can still happen. Its effect is similar to a short circuit on the output of the safety system or on the contactor coil: the contactor stays closed.

Mechanical Faults

Failure of the spring

If the spring inside the contactor fails, then the contactor may not "open" once power to the coil has been removed. This means power will still be applied to the motor. This type of failure was seen by a Pilz employee recently on a machine. Luckily, the incorrect state of the feedback contact was detected by the PSS programmable safety system being used.

Jamming

The contactor may become jammed closed due to grit or dust getting inside the mechanical parts of the contactor. Another example seen by Pilz employees is the distortion of the contactor case due to overheating. This can prevent the contactor from opening if the case is pressing against the mechanical parts. These types of failure will have a similar effect to the failure of the spring.

Designers' Duties as described by the Law

It is important to remember that the designer of the control system is the person responsible under the law. The designer is not the person who may have advised that a single contactor can be used if it is over-dimensioned - it is the person who puts the single contactor in the design of the machine control system.

What are the alternatives to using redundant (two) motor contactors?

There are some applications where it is not possible to use redundant motor contactors, either due to size limitations or cost restrictions – large contactors can be quite costly. So what can be done in these cases?

There are monitoring devices on the market that can be utilised, such as safe voltage monitors. These units only switch their safe relay outputs when no voltage is detected in the circuit. The outputs can then be used to energise a solenoid lock or similar device that prevents access while the machine is running, i.e. while voltage is present. Therefore, if the single contactor were to fail, safety is ensured by preventing access to the hazard.

Click here to see an example of this circuit

Applications where a number of motors are all switched off at once can still use redundant contactors, but the arrangement can be reconsidered. A master contactor can be used in series with an individual contactor for each motor. Each motor is then still fed through two contactors.

Click here to see an example of this circuit

A safety relay (or safety PLC) will switch all the contactors in this type of circuit, and will also monitor the contactors with a positively guided N/C feedback contact.
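The following fault-injection model is an added example, not code from the Pilz article: it encodes the contactor faults listed above and checks the single-contactor output stage against the master-plus-individual arrangement monitored through a positively guided N/C feedback contact. Contactor names, the fault labels and the series wiring assumption are constructed for illustration.

```python
from dataclasses import dataclass, field

# Fault labels (constructed) matching the article's fault list
COIL_SHORT = "coil_short"          # control voltage shorted to the coil: held on
WELDED = "welded"                  # main contacts welded closed
SPRING = "spring_failure"          # return spring broken: does not open
JAMMED = "jammed"                  # grit/dust or distorted case: does not open
FEEDBACK_SHORT = "feedback_short"  # N/C feedback shorted: always reads "open"
ALL_FAULTS = (COIL_SHORT, WELDED, SPRING, JAMMED, FEEDBACK_SHORT)
HOLDS_CLOSED = {COIL_SHORT, WELDED, SPRING, JAMMED}

@dataclass
class Contactor:
    name: str
    faults: set = field(default_factory=set)

    def main_closed(self, coil_commanded: bool) -> bool:
        """True when power passes through this contactor's main contacts."""
        if self.faults & HOLDS_CLOSED:
            return True  # every listed mechanical/electrical fault holds it closed
        return coil_commanded

    def feedback_reads_open(self, coil_commanded: bool) -> bool:
        """Positively guided N/C contact: closed only when the main contacts are open."""
        if FEEDBACK_SHORT in self.faults:
            return True  # a short on the feedback loop mimics 'contactor open'
        return not self.main_closed(coil_commanded)

def stop_with_faults(channel_names, injected):
    """Command STOP on contactors wired in series (all must open to cut power).
    `injected` maps contactor name -> set of faults.
    Returns (safety_function_kept, fault_detected_by_feedback_monitoring)."""
    chain = [Contactor(n, set(injected.get(n, ()))) for n in channel_names]
    power_reaches_motor = all(c.main_closed(False) for c in chain)
    # After a STOP the safety relay expects every feedback contact to report 'open'
    detected = any(not c.feedback_reads_open(False) for c in chain)
    return (not power_reaches_motor, detected)

def single_fault_survives(channel_names):
    """Category 3 criterion: no single fault on any contactor may lose the safety function."""
    return all(stop_with_faults(channel_names, {n: {f}})[0]
               for n in channel_names for f in ALL_FAULTS)

if __name__ == "__main__":
    print("single K1 survives any single fault:", single_fault_survives(["K1"]))
    print("master KM + K1 survives any single fault:", single_fault_survives(["KM", "K1"]))
    # Accumulated undetected faults on the redundant arrangement
    print(stop_with_faults(["KM", "K1"], {"KM": {WELDED, FEEDBACK_SHORT}}))
```

The last call shows the Category 3 caveat from note 1 of the standard: a welded master contactor whose feedback loop is also shorted keeps the safety function (K1 still opens) but is not detected, so a further fault on K1 would go straight to loss of the safety function.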

Fault Exclusion

Based on some very welcome feedback to this article, the following information on fault exclusion has also been included.

AS4024.1-2006 Safety of Machinery part 1501: Design of safety related parts of control systems - General principles for design; section 8 Fault Consideration covers fault considerations for the safety related parts of a control system. The standard states:

"8.1 General

In accordance with the category required, safety-related parts shall be selected on their ability to resist faults (see Clause 5.2). To assess their ability to resist faults the various modes of failure shall be considered. Also certain faults may be excluded (see Clause 8.2)...

8.2 Fault exclusion

It is impractical to assess the safety-related parts of control systems without assuming that certain faults can be excluded. The faults which can be excluded are a compromise between the technical requirements for safety and theoretical possibilities of occurrence. This will be influenced by the design, dimensioning, installation and arrangement of components in the safety-related parts. The designer shall declare, justify and list all fault exclusions.

Fault exclusion should consider-

(a) The improbability of occurrence of certain fault(s);

(b) Generally accepted technical experience which can be applied independently of the application under consideration; and

(c) Technical requirements deriving from the application and the specific risk under consideration; and

(d) The harshness of the environment such that fault exclusion for a less harsh environment are not applicable."

So, can contactor faults be excluded? That is for the designer to decide. A detailed analysis must be undertaken to determine if this is possible. How could the faults listed above be excluded?

Short circuit on the output or coil of the motor contactor

Using a dual-pole output that switches the voltage to both sides of the motor contactor coil can ensure the contactor can be switched off, but the wiring must be protected, for example by metal conduit, so that there is no way for the field wiring to be compromised.

Short circuit on the feedback circuit

Using a test pulse in the circuit means the safety control system looks for a unique signal at the input, so it will detect shorts to 24 V or to any other signal. Again, consideration should be given to the wiring to ensure the feedback signal itself is not compromised.

Welding of the contacts inside the contactor

Over-sizing the contactor and correct fusing of the circuit could be a justification to exclude this fault.

Failure of the spring

This is possibly the hardest fault to exclude, and will rely on statement c from section 8.2 of the standard, "generally accepted technical experience…".

Jamming

To quote one of our valued readers "… if I used a quality contactor installed in a climate controlled dustproof enclosure not exposed to vibration then I could claim that the potential faults you have identified have been managed … this argument is not generally practiced as the cost of doing the analysis is more than the cost of the contactor".

Conclusion

After looking at the possible failures that can be experienced, and the description of Category 3, can a single contactor be used if it is "over-rated"? By strictly following the principles of fault exclusion discussed, it may be possible; however, every possible single fault would have to be dealt with and excluded. Some faults are easier to exclude than others, and the cost of dual redundant contactors may be much lower than the cost of a detailed fault exclusion analysis and its associated measures.

The first wiring example provided, showing a single contactor and a safe voltage monitor, may not apply to all applications: a solenoid locking guard switch is of no use where physical guards cannot be fitted, so a single contactor using fault exclusion principles may be the only solution for cases with extremely large contactors.

The designer/modifier can consider the principles of fault exclusion in their safety design analysis and shall provide a careful rationale where this principle is relied upon.