When Safety Relays Attack!

It was a dark and stormy night.  All was quiet at the operator console, when suddenly the alarm panel lit up with the dreaded “SIS Fault” alarm.  What happened?  What will our hero engineer do to save the day?

OK, OK, today’s post isn’t quite that exciting.  Honestly, it’s kind of a down in the weeds “techie” kind of post.  But maybe this tidbit of information will save you from a confusing problem someday.  Read on to find out!

Supervised Outputs

Many high-end safety PLCs provide a feature commonly called output supervision.  You may already be familiar with this feature, but if not, we will briefly describe it and provide a link to more detailed information.

The essential feature of supervised outputs is that there is (i) a feedback mechanism to monitor the circuit and (ii) logic to periodically pulse the output for a very short time, typically microseconds up to a millisecond or two.

In many SIS applications, the system outputs may stay energized (or sometimes de-energized) for very long periods of time before they are required to respond to a demand.  This leaves an unsupervised digital output susceptible to various latent failures in the field wiring, including short circuits, open circuits, etc., depending on the application.

The supervised outputs will periodically pulse the signal to the safe position, then back to the normal operating position.  The pulse is intended to be long enough to measure the electrical response of the circuit, but short enough to not impact the final element.  If the circuit does not respond as expected to the pulse, a fault is raised on the affected channel.

This functionality works quite well for many solenoids and relay circuits.  It causes an annoying flickering on incandescent lamps, and LED indicators can also cause it problems, but generally you can just turn off the supervision logic on these non-safety-critical outputs.  But what if the problem is on a safety-critical output?

It turns out that supervised outputs can have problems with any low impedance device or a device with “unusual” active electrical characteristics.  This problem is not specific to any single vendor, but this Rockwell Automation Application Note (see p29) describes potential issues and workarounds, summing up the problem as:

“Digital output line monitoring algorithms expect the output current and voltage to be predictable. This is adequate for linear loads (e.g. resistive, inductive), but many field devices do not present simple loads.”

Safety Relays

Which brings us back to the original problem.  You would think that safety relays specifically designed for use in Safety Instrumented Systems and certified per IEC 61508 would be aware of this common Logic Solver functionality and would be designed to be compatible.  You would be wrong!

Not all SIL-certified safety relays are compatible with the diagnostic pulses from the Logic Solver.  The pulses from the PLC are too short to make the safety relays move spuriously, but the “active” electrical components in the safety relay may cause a non-linear (and even sinusoidal) response.  This unusual response characteristic may cause the Logic Solver to raise spurious channel fault alarms.
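To make the mechanism concrete, here is a small added simulation of a line-monitoring check of the kind described under Supervised Outputs, run against the failure mode described in this section.  It is example code written for this page, not a vendor's diagnostic algorithm, and all of its values (a 24 VDC channel, the current window, the decay time constant, the sample instants and the constructed load responses, including the "ringing" safety relay) are assumptions chosen to illustrate the behaviour.  The point it shows is the one the Rockwell note makes: the algorithm judges the response against a predictable linear decay, so a healthy device with active electronics lands in the same "fault" bucket as a genuine wiring fault.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

# Constructed parameters for a hypothetical 24 VDC supervised output channel.
# They illustrate the shape of a line-monitoring check, not any vendor's settings.
V_SUPPLY = 24.0      # volts at the terminal while the output is energized
I_MIN = 0.02         # amps; less than this while energized -> open circuit
I_MAX = 1.0          # amps; more than this while energized -> short circuit
V_OFF_MAX = 2.0      # volts; line must have collapsed below this by pulse end
TOLERANCE = 0.15     # fraction of V_SUPPLY allowed around the expected decay
TAU_US = 100.0       # time constant (us) assumed for a "predictable" linear load

# Sample instants, in microseconds after the output is driven to the safe state
TIMES_US = [0.0, 50.0, 100.0, 200.0, 400.0, 800.0]


@dataclass
class PulseResponse:
    """What the feedback circuit sees during one diagnostic pulse."""
    i_on: float           # steady-state output current before the pulse (A)
    v_line: List[float]   # line voltage at each instant in TIMES_US (V)


def expected_decay(t_us: float) -> float:
    """Voltage a linear (resistive/inductive) load should show: a simple decay."""
    return V_SUPPLY * math.exp(-t_us / TAU_US)


def supervise(resp: PulseResponse) -> str:
    """Classify one pulse test. Returns 'OK' or a 'FAULT: ...' string."""
    if resp.i_on < I_MIN:
        return "FAULT: open circuit"
    if resp.i_on > I_MAX:
        return "FAULT: short circuit"
    if resp.v_line[-1] > V_OFF_MAX:
        return "FAULT: line stuck high"
    # The algorithm only knows how to judge a predictable response; anything
    # outside the band around the linear decay is reported as a channel fault.
    for t, v in zip(TIMES_US, resp.v_line):
        if abs(v - expected_decay(t)) > TOLERANCE * V_SUPPLY:
            return "FAULT: unexpected load response"
    return "OK"


# Constructed load models (not measurements from any real device)
def linear_load() -> PulseResponse:
    return PulseResponse(i_on=0.10, v_line=[expected_decay(t) for t in TIMES_US])


def open_circuit() -> PulseResponse:
    return PulseResponse(i_on=0.0, v_line=[expected_decay(t) for t in TIMES_US])


def short_circuit() -> PulseResponse:
    return PulseResponse(i_on=3.0, v_line=[expected_decay(t) for t in TIMES_US])


def externally_fed_line() -> PulseResponse:
    # Something else holds the line at 24 V, so the pulse never reaches the load
    return PulseResponse(i_on=0.10, v_line=[V_SUPPLY] * len(TIMES_US))


def active_safety_relay() -> PulseResponse:
    # Relay input electronics ring instead of decaying smoothly: a healthy
    # device that the predictable-load assumption nevertheless flags.
    return PulseResponse(i_on=0.05, v_line=[24.0, 20.0, 6.0, 14.0, 9.0, 1.0])


def run_all() -> Dict[str, str]:
    """Run the supervision check over every constructed load."""
    loads = {
        "linear load": linear_load(),
        "open circuit": open_circuit(),
        "short circuit": short_circuit(),
        "externally fed line": externally_fed_line(),
        "active safety relay": active_safety_relay(),
    }
    return {name: supervise(resp) for name, resp in loads.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22s} {verdict}")
```

Running it prints OK for the linear load and a fault for each of the other four, and the active relay's verdict is indistinguishable from a wiring fault.  Widening TOLERANCE or changing TAU_US is the software analogue of workaround 1 in the list below (tuning the diagnostic to the device); widening it far enough to pass the ringing response also widens it for real faults, which is why none of the field workarounds is attractive.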

Once this problem has been observed, there are three potential field workarounds (consult your PLC vendor):

  1. Customize the diagnostic settings to match the device characteristics (tricky)
  2. Add loading resistors to the circuit (messy)
  3. Disable supervision on the point (less safe)

None of these solutions is desirable, especially as a field retrofit.  The ideal solution is to only install safety relays that you know are compatible with the supervised digital output.  Unfortunately, the detailed electrical information required to determine compatibility is not usually readily available.

Fortunately, safety relay vendors are beginning to be more aware of this issue, and there are several vendors with products explicitly claiming compatibility with “PLC test pulses”.  These products include:

  • Weidmuller SAFESERIES
  • Pepperl & Fuchs K-System
  • Phoenix Contact PSR series
  • GMI D5096S

Of course, your mileage may vary.  Trust but verify! Be sure to check out another story of instrument misbehaviors in our Fail Safe Regulators post.

Stephen Thomas, PE, CFSE

Stephen is the founder and editor of functionalsafetyengineer.com. He is a functional safety expert with over 26 years of experience.  He is currently a system safety engineer with a leading developer of autonomous vehicle technology. He is a member of the IEC 61508 and IEC 61511 functional safety committees. He is a member of the non-profit CFSE Advisory Board advising the exida CFSE program. He is the Director of Education & Professional Development for the International System Safety Society and an associate editor for the Journal of System Safety.
