3 redundancy and monitoring – Rockwell Automation Safety Guidelines for the Application, Installation, and Maintenance of Solid-State Control User Manual
Page 9
Publication SGI-1.1 - August 2009
Section 3: Application Guidelines
solid-state logic and output circuits. If this protection is not part of the DC supplies for a system, a timing circuit external to the power supply can be added to delay the application of power to output devices.

Removing all power or losing all power from a system simultaneously usually does not result in a hazard since the power for machine operation is also being removed. However, when power other than electrical power is being controlled, a power interlock circuit may be required to protect against unexpected machine motion. Power interlocks with automatic shutdown should be included if erratic or hazardous operation results due to loss of one power supply in a system with multiple supplies.

Automatic power supply sequencing should be employed in systems that require the application or removal of power in a specific sequence. If the STOP or E-STOP sequence normally employs dynamic braking, alternative safeguards, such as automatic mechanical braking upon loss of power, should be provided if coasting stops are hazardous.

If hazardous operation can result from unexpected restoration of power during a power outage or a system shutdown, the system should include a feature that requires a deliberate operator action before power is reapplied to the system.
3.1.3 Redundancy and Monitoring
When solid-state devices are being used to control operations, which the user determines to be critical, it is strongly recommended that redundancy and some form of checking be included in the system. Monitoring circuits should check that actual machine or process operation is identical to controller commands; and in the event of failure in the machine, process, or the monitoring system, the monitoring circuits should initiate a safe shutdown sequence.
Comments: 3.1.3 Redundancy and Monitoring
The normal operating mechanism for solid-state components depends upon a deliberate electrical signal input altering the internal molecular structure of the semiconductor material.

Unfortunately, spurious input signals may also alter the internal molecular structure without any means for external detection that this has happened. Therefore, solid-state devices are subject to malfunction due to random causes that are undetectable. Because of this, redundancy and monitoring are the most highly recommended means for counteracting this situation.

When redundancy is used, dissimilar components not susceptible to common cause failure should be used for the redundant elements if a common cause could produce simultaneous failure of those elements in a dangerous mode.
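As an added illustration of the monitoring guidance in 3.1.3 and the dissimilar-redundancy comment above (this is not code from the manual or from Rockwell Automation): a hypothetical software monitor that compares each controller command with two dissimilar feedback channels, tolerates feedback lag only within a fixed scan window, latches a safe shutdown on any mismatch, channel disagreement or monitor-channel fault, and releases the latch only on a deliberate operator action with the machine at rest. The class and function names, the scan window and the sample scan log are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    RUN = "run"
    SHUTDOWN = "shutdown"   # latched; no automatic restart


@dataclass
class Monitor:
    """Hypothetical monitor: controller command vs. two dissimilar feedback channels."""
    window: int = 3         # scans the machine may lag behind a command (assumed)
    state: State = State.RUN
    reason: str = ""
    mismatch: int = 0

    def _trip(self, reason: str) -> State:
        self.state, self.reason = State.SHUTDOWN, reason
        return self.state

    def cycle(self, command: bool, fb_a, fb_b) -> State:
        """One scan. fb_a/fb_b are True/False, or None if that channel is faulted."""
        if self.state is State.SHUTDOWN:
            return self.state                       # stay down until reset()
        if fb_a is None or fb_b is None:
            return self._trip("monitor channel failure")    # monitor fault -> safe state
        if fb_a != fb_b:
            return self._trip("feedback channels disagree")
        if fb_a != command:
            self.mismatch += 1                      # tolerate lag only within the window
            if self.mismatch > self.window:
                return self._trip("machine state does not match command")
        else:
            self.mismatch = 0
        return self.state

    def reset(self, operator_action: bool, fb_a, fb_b) -> State:
        """Clear the latch only on a deliberate operator action with the machine at rest."""
        if self.state is State.SHUTDOWN and operator_action and fb_a is False and fb_b is False:
            self.state, self.reason, self.mismatch = State.RUN, "", 0
        return self.state


def run_scans(monitor: Monitor, scans) -> list:
    """Feed (command, fb_a, fb_b) tuples scan by scan; return the state after each."""
    return [monitor.cycle(*scan) for scan in scans]


# Constructed scan log: a start command with two scans of feedback lag (tolerated),
# then a stop command the machine fails to obey (trips on the fourth stop scan).
SAMPLE_SCANS = [(True, False, False)] * 2 + [(True, True, True)] * 2 + [(False, True, True)] * 5
```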
A “safe shutdown sequence” can involve much more than disconnecting electrical power for some machinery and processes. Examples include machines with high inertia and hazardous access points, processes that become unstable at shutdown unless a specific sequence is followed, etc. The control system for such applications should be configured to deal