In industrial processes multiple machines are used to perform automated tasks. These processes are commonly controlled and supervised through programmable logic controllers (PLC) or other pieces of automation equipment capable of controlling and driving machines. In case of malfunction, process disruption or other incidents posing hazardous risks to personnel or other machines, the controller needs to intervene in the process, for example by cutting the power supply to a machine or by changing the mode of operation of a machine into safe mode. In short, the control circuit enables switching into a fail-safe state.
This requires the presence of actuators, sensors and/or other equipment to implement a safety function. Safety functions are applied in all those applications where system malfunctions have a decisive effect on the safety of personnel, the environment and the equipment concerned. Such a safety function may be assessed by its level of integrity: the Safety Integrity Level (SIL). This reflects the ability of the system to reduce risks to a tolerable level.
The design of a Safety Instrumented System is subject to the international standard IEC 61508 for “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems” as developed by the International Electro-technical Commission (IEC). This standard specifies both the risk assessment and the measures to be taken in the design of safety functions consisting of sensor, logic solver and actuator. Such measures include “fault avoidance” (systematic faults) and “fault control” (systematic and random faults). It provides a design standard for Safety Instrumented Systems to reduce the risk to a tolerable level.
One class of switching equipment concerns safety relays, of which the design requirements are defined in Standard EN 50205 “Relays with forcibly guided contacts”. Safety relays with forcibly guided contacts play a decisive role in avoiding accidents on machines and in systems. Forcibly guided contacts monitor the function of the safety control circuits. For this safety function, all the assumed faults that can occur must already have been taken into consideration and their effects examined.
Relays with forcibly guided contacts have at least two contacts that provide opposite connective states: while one is “open” the other may be closed. Such safety relays have the characteristic that make and break contacts can never both be closed at the same instant. In particular, power relays with at least one break contact and at least one make contact are designed so that, by mechanical means, make and break contacts can never be simultaneously in the closed position. This requires that contact gaps may never be less than 0.5 mm over the operating life, not only under normal operating conditions, but also when a fault occurs. This requirement allows the complementary (exclusive-or) contact to detect the failure of a contact to open.
For example, the malfunction of a make contact is indicated by the non-opening of the break contact when the energization is switched on.
Or vice versa, the malfunction of a break contact is indicated by the non-closing of the make contact when the energization is switched on.
Safety relays with forcibly guided contacts as described above are energized only in case a safety issue is detected; under normal operating conditions the relays are in de-energized mode. Hence, a process not encountering any safety issues during long periods of uptime does not energize any of the relays. Accordingly, over time uncertainty may arise about the reliability of the relays in case of emergency, as a relay failure will not be detected until the contacts are energized. For example, a contact may have become welded or a contact spring may have broken. In order to check the operation of the relay and the reliability of the safety circuit, preventive periodic verifications need to be performed. These interventions require a shutdown of the system or process under investigation, and the resulting downtime is a major disadvantage.
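The following is an added illustration, not part of the original text or of any standard: a small model of a relay with one make and one break contact on a common linkage, the exclusive-or check described above, and a function showing which assumed faults stay hidden while the relay sits de-energized. The fault names and the simplified contact behaviour are assumptions of this model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Fault(Enum):
    # Assumed fault classes for this model (not an exhaustive list)
    NONE = "no fault"
    MAKE_WELDED = "make contact welded closed"
    BREAK_WELDED = "break contact welded closed"
    STUCK_ARMATURE = "armature stuck at rest (e.g. broken spring)"

@dataclass
class ForciblyGuidedRelay:
    """Relay with one make (NO) and one break (NC) contact on a common
    linkage, so both contacts can never be closed at the same instant."""
    fault: Fault = Fault.NONE

    def contacts(self, energized: bool) -> Tuple[bool, bool]:
        """Return (make_closed, break_closed) for the given coil state."""
        if self.fault is Fault.MAKE_WELDED:
            return True, False     # linkage held; break contact kept open
        if self.fault is Fault.BREAK_WELDED:
            return False, True     # linkage held; make contact kept open
        if self.fault is Fault.STUCK_ARMATURE:
            return False, True     # rest position regardless of the coil
        return (True, False) if energized else (False, True)

def diagnose(relay: ForciblyGuidedRelay, energized: bool) -> Optional[str]:
    """Exclusive-or check: each contact must mirror the coil state and the
    other contact. Returns the observed symptom, or None if all is well."""
    make_closed, break_closed = relay.contacts(energized)
    if make_closed and break_closed:
        return "both contacts closed: forcible guidance violated"
    if energized and break_closed:
        return "break contact did not open on energization"
    if energized and not make_closed:
        return "make contact did not close on energization"
    if not energized and not break_closed:
        return "break contact did not close on de-energization"
    if not energized and make_closed:
        return "make contact did not open on de-energization"
    return None

def latent_until_energized(relay: ForciblyGuidedRelay) -> bool:
    """True when the fault is invisible in the de-energized (normal) state
    and only surfaces once the coil is energized, e.g. during a periodic
    verification that requires a process shutdown."""
    return diagnose(relay, False) is None and diagnose(relay, True) is not None
```

A welded break contact or a stuck armature passes the de-energized check and is only revealed by energizing the coil, which is exactly why periodic verifications are needed; a welded make contact, by contrast, shows up immediately because the break contact cannot close.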