Safety Relays vs CAT 4; Comments on Safety, Redundancy, Risk

By J.B. Titus July 20, 2009
Recently I visited a manufacturing company to discuss their machine guarding strategy for the control system on automated palletizer machines. After some discussion, I asked for a plant floor tour to see these machines being manufactured. During the tour they showed me a CAT 4 application mitigated by applying a CAT 4 rated safety relay. The owner also pointed out that they were able to generate a diagnostic fault on this circuit easily via the safety rated relay. Being immediately curious, I asked if they could describe how they accomplished the CAT 4 circuit including the fault display.

They answered by saying that the CAT 4 rated safety relay has two redundant latched circuits. So, we wired one output to the actuator and the second output to the operator display panel. Bingo, we have a CAT 4 circuit with diagnostics!

What’s wrong with this picture?


COMMENTS

September 2, 2009

In response to: Safety Relays vs CAT 4, Federico Badillo commented:

To achieve Cat 4, redundancy has to be applied to the outputs: a double contactor (a model with linked contacts) to stop the dangerous movement, and monitoring of the contactors' operation by the safety relay. On the inputs, use redundancy and opposite polarity on each channel to detect wiring faults.

September 2, 2009

In response to: Safety Relays vs CAT 4, JSmith commented:

That is correct. The redundancy built into the device is what allows the device to be rated as CAT IV. What is truly interesting is when these devices are used in conjunction with a bus system such as Profibus. I have built configurations with regular and safety IO sharing the same bus and still maintaining the CAT IV safety rating.

September 2, 2009

In response to: Safety Relays vs CAT 4, BKelly commented:

The redundant channels are to ensure that the safety function is achieved on the failure of a single channel. This redundancy must be carried out to the actuators, i.e. if the goal is to shut down a motor, then each channel must feed a separate contactor, and de-energizing either contactor removes power from the motor. The diagnostics should then be handled via auxiliary contacts on the actuators in conjunction with the (usually) normally closed monitoring contacts on the safety relay itself. In the configuration you describe, a single failure in the channel connected to the actuator completely defeats the safety function and therefore would not meet Category 4 requirements, regardless of the rating on the relay.
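The single-fault argument made in the comments above can be checked mechanically. The following is an added example, not code from the original post or from any of the commenters: it models a two-output safety relay driving motor contactors, wires it both ways (channel 2 to a lamp, as in the post, versus channel 2 to a second contactor with both contactors' NC auxiliary contacts in the relay's feedback loop), injects every single fault in turn, and reports whether a stop command still stops the motor and whether the fault is detected. The component model, the fault list, and the `linked` flag that models mechanically linked (mirror) contacts are simplifying assumptions for illustration and do not describe any particular product.

```python
"""Single-fault analysis of the two wirings discussed in the post.

Added example, not part of the original post or its comments. The
component model and the fault list are simplifying assumptions for
illustration, not the behaviour of any particular product.
"""
from dataclasses import dataclass, field


@dataclass
class Contactor:
    """Power contactor with one NO main contact and one NC aux contact."""
    name: str
    linked: bool = True      # aux contact mechanically linked (mirror) to main
    welded: bool = False     # injected fault: main contact stuck closed
    coil: bool = False

    def main_closed(self) -> bool:
        return self.coil or self.welded

    def aux_nc_closed(self) -> bool:
        # A linked NC aux contact opens whenever the main contact is closed,
        # welded or not. An unlinked one only follows the coil.
        return not (self.main_closed() if self.linked else self.coil)


@dataclass
class SafetyRelay:
    """Two-channel safety relay; each output can fail stuck closed."""
    welded: set = field(default_factory=set)

    def outputs(self, run: bool) -> dict:
        return {ch: run or ch in self.welded for ch in (1, 2)}


def plant_wiring(relay, k1, k2, run):
    """The wiring from the post: ch1 -> one contactor, ch2 -> display lamp."""
    out = relay.outputs(run)
    k1.coil = out[1]
    lamp_on = out[2]                 # k2 is not part of this circuit at all
    motor_running = k1.main_closed()
    # The only "diagnostic" is the lamp disagreeing with the command.
    fault_detected = lamp_on != run
    return motor_running, fault_detected


def cat4_wiring(relay, k1, k2, run):
    """Redundant outputs: ch1 -> K1, ch2 -> K2, main contacts in series in
    the motor supply, NC aux contacts in series in the relay feedback loop."""
    out = relay.outputs(run)
    k1.coil, k2.coil = out[1], out[2]
    motor_running = k1.main_closed() and k2.main_closed()
    # With both channels commanded off every aux contact must be closed;
    # an open feedback loop means some main contact is still closed.
    feedback_ok = k1.aux_nc_closed() and k2.aux_nc_closed()
    fault_detected = (not run) and not feedback_ok
    return motor_running, fault_detected


# Faults injected one at a time (single-fault criterion); None = no fault.
FAULTS = [None, ("relay", 1), ("relay", 2), ("contactor", "K1"), ("contactor", "K2")]


def single_fault_analysis(wiring, linked=True):
    """Return {fault: (stopped_on_command, fault_detected)} per single fault."""
    results = {}
    for fault in FAULTS:
        relay = SafetyRelay()
        k1 = Contactor("K1", linked=linked)
        k2 = Contactor("K2", linked=linked)
        if fault and fault[0] == "relay":
            relay.welded.add(fault[1])
        elif fault:
            {"K1": k1, "K2": k2}[fault[1]].welded = True
        wiring(relay, k1, k2, run=True)                       # machine running
        running, detected = wiring(relay, k1, k2, run=False)  # stop command
        results[fault] = (not running, detected)
    return results


def meets_single_fault_criterion(results):
    """Every single fault must leave the motor stopped and be detected."""
    return all(stopped and detected
               for fault, (stopped, detected) in results.items() if fault)


if __name__ == "__main__":
    for name, wiring in [("plant wiring", plant_wiring), ("Cat 4 wiring", cat4_wiring)]:
        res = single_fault_analysis(wiring)
        print(f"{name}: single-fault criterion met = {meets_single_fault_criterion(res)}")
        for fault, (stopped, detected) in res.items():
            print(f"  {str(fault):22} stopped={stopped!s:5} detected={detected}")
    # Why the contacts must be linked: a welded K1 with an unlinked aux
    # contact is still masked by K2, but the feedback loop never sees it.
    print("Cat 4 wiring, unlinked aux contacts, K1 welded:",
          single_fault_analysis(cat4_wiring, linked=False)[("contactor", "K1")])
```

Running it shows the point of the post: in the plant's wiring a welded channel 1 or a welded K1 leaves the motor running with nothing on the display, while in the redundant wiring every single fault both stops the motor and opens the feedback loop. The last line shows why the comment about linked contacts matters: without a mirror contact a welded contactor is masked by its partner but never detected, so the second fault that would defeat the function can accumulate unseen.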