3

I was reading the specs. of an electronic module used in process-safety applications & came across this note:

Self-Checking (Circuitry): a circuit with the capability to electronically verify that all of its own critical circuit components, along with their redundant backups, are operating properly. Banner safety light screen systems and safety modules are selfchecking.

I'm curious, how exactly does one design a self checking circuit? Can someone post a circuit diagram of a self checking circuit?

Does the verifier have to only verify the primary or does the verifier circuit verify the verifier itself?

Edit: Here is a link to the actual device, a "Banner Muting Module ": http://info.bannerengineering.com/cs/groups/public/documents/literature/116390.pdf

A breif description of this device's function:

The Banner MMD-TA-11B / MMD-TA-12B Muting Module (the Module) is an accessory component of a safeguarding system, which may incorporate such primary safeguards as safety light screens, safety interlocked gates/guards, or other presencesensing safeguarding devices (PSSDs). The Module allows the machine to mute the primary safeguard by monitoring redundant inputs (two or four) and automatically suspend the safeguarding function of a safeguarding device during the non-hazardous portion of the machine cycle.

curious_cat
  • 213
  • 1
  • 7
  • Think in terms of a duplicate circuit or batch of code. If actual code A is not equal to duplicate code B, then there is an error in hardware or software. This is NOT an answer but a simplistic example. –  Jul 03 '16 at 02:50
  • @Sparky256 Thanks. Oh, so that's just like the aircraft avionics critical systems where 2 of 3 identical systems are compared and the consensus output is taken and an error signaled in case any output disagrees. So just sort of a black box approach. Sort of the brute force approach that flogs redundancy. – curious_cat Jul 03 '16 at 02:54
  • 1
    This is a very broad question. The nature of the self-test depends heavily on the purpose and nature of the device. – Nick Alexeev Jul 03 '16 at 03:01
  • @NickAlexeev. My concern is that a good answer is a mile long and full of links. Or a good answer is a compilation of several answers. This topic branches out into many fields. –  Jul 03 '16 at 03:09
  • @NickAlexeev Based on your critique I have edited my question to specify the exact device & its purpose. – curious_cat Jul 03 '16 at 03:27
  • @Sparky256 I've tried to narrow down the question. Does this help? In case a compilation of answers addresses my question can you point me to the related Electronics Stack Exchange answers that might help my understanding? – curious_cat Jul 03 '16 at 03:30
  • 1
    This is a specific use case for Built-in-test: http://www.prognostics.umd.edu/calcepapers/01_M.Pecht_EvaluationBuiltinTest_IEEETransonAerospaceElectronicSystems.pdf It is rather necessary if you want to ensure a safety critical system is properly functioning: http://www.baesystems-ps.com/flight-controls.php – Peter Smith Jul 03 '16 at 12:32

1 Answers1

8

One of my frustrations as a working electrical engineer is the lack of information on the internal workings of devices such as that you have linked. When the equipment was all relay based the manufacturers tended to give more information. A look at one of these may help to understand the concepts of redundancy and self-monitoring.

enter image description here

Figure 1. Approximate internals of a dual-channel safety relay.

How it works:

  • The loads to be made safe in the event of an emergency stop or safety gate opening are connected to terminals 14, 24 and 34 with power fed in on 13, 23 and 33.
  • The safety reset button is wired to K1.
  • The 2-pole emergency stop button contacts are wired to K2 and K3.
  • On power on (to A1/A2) all relays are de-energised.
  • Pressing RESET will energise K1. Provided the e-stop contacts are closed, K1 contacts will energise and K2 and K3. These will then latch on by their own contacts and remain on when RESET is released.
  • The load will be powered by the series-connected contacts of K2 and K3.

Dual channel

These relays are self-monitoring for a single failure. e.g., let's examine what happens if a K2's contact on line 33-34 welds during opening.

  • E-stop is pressed. K2 and K3 are de-energised.
  • For some reason a normally open contact of K2 welds and fails to open. K3's contacts do open, however, and the power is removed from the circuit to be made safe.
  • The contacts of K1, K2 and K3 are "guided" type. i.e., they are in a "comb" which prevents the normally-closed contacts from making contact until all the N.O. contacts are separated.
  • As a result of the fault the N.C. contact of K2 below the coil of K1 (reset relay) will not close and the circuit can not be reset.

The relay also protects against shorts on the e-stop wiring:

  • If the left e-stop contact is shorted out then pressing the e-stop will only de-energise K3. K2 will remain latched on. K3 should disconnect the load.
  • The fault will be detected at reset. K1 will be unable to be energised as K2 has not dropped out.

Terminals 41 and 42 can be used as fault indication contacts.

This should be enough information to give some understanding of the inner workings of the safety relay.

The fundamental problem with electronic safety is that semiconductors don't have a predictable failure mode. They can fail open or short-circuit. Solutions have been redundant processing with voting or "crowbar" to blow a fuse, AC coupling through all the stages to ensure that a DC situation caused by a failure doesn't get through, etc., and various other schemes (that I would be interested to learn about).

schematic

simulate this circuit – Schematic created using CircuitLab

Figure 2. (a) An unsafe system could latch on if Q1 fails short circuit. (b) A safety system might use an AC-coupled signal to generate AC to power the safety-rated relay (non-weld contacts, etc.).

It should be fairly clear that Figure 2b provides a higher level of safety than 2a.

  1. If the input stays on or off the transformer will not receive AC. Relay will drop out.
  2. If C1 fails the biasing may be loaded high or low. At best the circuit will work as long as an alternating signal is received.
  3. If R2 or R3 fails biasing will be wrong. The result will be the same as 2 above.
  4. If Q2 fails short-circuit XFMR1 will receive DC. The relay will drop.
  5. If Q2 fails open-circuit the XFMR will receive no current. The relay will drop.
  6. If XFMR1 fails open or short on either primary or secondary the relay will drop.
  7. If XFMR1 fails short-circuit primary to secondary there is no return path for the DC as the secondary circuit is isolated. Operation will not be affected.

To improve safety further a dual relay system could be employed with monitoring function as in Figure 1.

schematic

simulate this circuit

Figure 3. Circuit 2b modified to provide a DC safety output.

Figure 3 shows how to provide a safety DC output by leaving out the safety relay. Note that in this case it does matter if XFMR1 fails short-circuit primary to secondary. Special precautions would have to be taken in design and manufacture of the transformer - split bobbins, for example - to protect against this.

Transistor
  • 168,990
  • 12
  • 186
  • 385
  • Fascinating answer! Thank you very much. Makes me glad I asked the question. This is way more deeper than just duplication & polling. – curious_cat Jul 03 '16 at 18:10
  • @curious_cat: You can mark the answer as Accepted Correct, to give credit to author. – boardbite Jul 11 '16 at 12:19
  • 1
    @boardbite Thanks! Yes, I will eventually. I just like to give it some time. Who knows if someone comes up with an even better answer?! Although, I admit that in this case "transistor" has set the bar very high. :) – curious_cat Jul 11 '16 at 15:40