Introduction to the Industrial Safety Relay

What is the hardest aspect of PLC-based machinery design?

Would you agree that it’s the corner cases that cause the most trouble? For example, it’s relatively easy to construct a PLC-based system to control a machine. It’s a next-level problem to design a machine that is safe under all conditions. This is especially true when we consider how the user will interact with the machine and the wide range of failure modes.

When things go wrong, it’s essential to have a functional emergency stop circuit. For simple machines, this removes all sources of energy. For more complex machines, the emergency stop will initiate a controlled shutdown procedure that will protect the user, environment, and the machine itself against loss of control. An example is a suspended weight. Simply turning off electrical, pneumatic, or hydraulic energy sources could result in loss of control, potentially making a bad situation worse. Independent and dissimilar controls and fail-safe mechanisms may be required for complex systems.

This engineer brief is focused on the Schneider Electric XPSBAC14AP safety module. It describes the attributes of the module and presents a simple demonstration circuit showing the device in operation.

Figure 1: Picture of the Schneider Electric XPSBAC14AP Safety Relay installed on a Phase Dock base wired to enable a motor starter.

What is a safety relay?

The Schneider Electric XPSBAC14AP is officially described as a safety module. However, it is often referred to as a safety relay. Its defining attributes include safety-related (redundant) control paths for the associated emergency stop pushbutton or interlocking equipment guard. It also includes safety-related internal relays with series connected contacts to guard against internal faults such as contact welding, corrosion, or a stuck mechanism. The result is a compact, reliable, certified, and fail-safe device to monitor and respond to an emergency stop condition. While this is true, you are responsible for the code-compliant integration of the relay into your circuit.

What is a fail-safe condition?

The term fail-safe holds special meaning for industrial control and automation. It implies a design where the system will default to a safe condition upon failure. Here, safe implies no harm to people, the environment, or equipment. A good example is the cruise control in a car. Loss of feedback (detected as zero speed) should result in a fail-safe release of the throttle, as opposed to an out-of-control full-throttle attempt to restore the desired speed.

Safety warning

The following safety warning is taken directly from the Schneider Electric XPSBAC14AP Safety Relay’s user guide.

Only appropriately trained persons who are familiar with and understand the contents of this manual and all other pertinent product documentation as well as all documentation of all components and equipment of the machine/process are authorized to work on and with this product.

The qualified person must be a certified expert in functional safety.

The qualified person must be able to detect possible hazards that may arise from parameterization, modifying configurations, settings, and wiring, and generally from mechanical, electrical, or electronic equipment. The qualified person must be able to understand the effects that modifications to configurations, settings, and wiring may have on the safety of the machine/process.

The qualified person must be familiar with and understand the contents of the risk assessment as per ISO 12100-1 and/or any other equivalent assessment as well as all documents related to such risk assessment or equivalent assessments for the machine/process.

The qualified person must be familiar with the standards, provisions, and regulations for the prevention of industrial accidents, which they must observe when designing, implementing, and maintaining the machine/process.

The qualified person must be thoroughly familiar with the safety-related applications and the non-safety-related applications used to operate the machine/ process.

Note that ISO 12100 is a standard focused on risk assessment and risk reduction of machinery. A closely related standard is IEC 61508-1, which defines a Safety Integrity Level (SIL) for electrical, electronic, or programmable electronic (E/E/PE) systems. In both cases, the suitability of a safety module such as the Schneider Electric XPSBAC14AP must be evaluated for the freestanding installation and for any integrated equipment installations. Always consult a certified Safety or Control Systems Engineer.

Demonstration circuit

The wire diagram for the demonstration circuit is included as Figure 2. It is installed on the small relay and PLC trainer described in this article.

Video 1 shows the circuit in operation.

  • Power (+24 VDC and ground) is provided via the normally closed switch blocks of a Schneider Electric XB4BS8444 emergency stop pushbutton.

  • The reset pushbutton is connected between the safety module’s Y1 and Y3 terminals. This configuration prevents automatic restarts as shown in Video 1. An alternative is to implement an automatic restart by connecting Y1 directly to Y2.

  • The green reset pushbutton’s lamp is powered via the safety relay’s 13 to 14 normally open contact pair.

  • A conventional 3-wire start stop circuit is enabled via safety relay contacts 23 and 24.

Tech Tip: The Y1 to Y3 reset pushbutton is falling-edge sensitive. This can be slightly disconcerting for the operator as the machine starts 100 ms after the start / stop pushbutton is released. This edge detection sensitivity is fundamental to the safety relay’s operation as it prevents unexpected equipment restarts and guards against failures as described later in this document.

Figure 2: Wire diagram of the demonstration circuit. Lighted pushbuttons are used for Reset and Start.

Video 1: Operation of the Schneider safety module.

Exploration of the safety relay’s failure modes

This section explores several failure modes that may be encountered by the safety module.

Failure of the emergency stop pushbutton

The emergency stop pushbutton circuit is designed with redundancy. From Figure 2 we see that +24 VDC and the return lines pass through independent normally closed switch blocks. A physical or electrical failure such as a broken wire in either supply line will cause the safety module to enter a powered off (safe) state. Protection remains if a single switch block is loose. However, protection is lost if the emergency stop plunger is mechanically broken.

Tech Tip: The emergency stop pushbutton is considered a safety-related operation. An essential consideration is the dual redundancy. By contrast, the reset button has no such redundancy and is considered a non-safety-related operation.

The emergency stop pushbutton’s normally closed switch blocks are essential for safety. This article provides additional information about the switch assembly.

Tech Tip: Regular inspection of the emergency stop pushbutton is necessary to ensure integrity of the mechanical assembly. Also verify that the switch blocks are operational, as a stuck contact compromises redundancy with potential for a complete failure of the safety feature. Maintenance is especially important in harsh industrial or marine environments where corrosion could damage the internal switch contacts. Always remember that the switch must operate like-new, even when it has been in operation for decades.

Failure of the reset pushbutton

There are three general failure modes associated with the reset pushbutton: failed open, failed closed, and short circuited. All three situations are dealt with by the module’s falling-edge detection circuitry. In all three cases, the faulted circuit will fail to make the necessary high-to-low transition.

Tech Tip: While we shouldn’t be too harsh with machine operators, we recognize that the module’s falling edge active transition will prevent inadvertent restarts if a technician or operator ties down the reset pushbutton. This is one of those unsafe corner cases that we must always guard against. It’s a recognition that we need to protect the sleepy 3 AM operators and maintenance crews.

Failure of the internal relays

Internally, the Schneider module features two safety-related (redundant) relays. Like all safety relays, their contacts are connected in series so that a single failure, such as a stuck mechanism or a welded contact, cannot hold the outputs closed and will instead be detected. The module responds to such an internal failure by entering a fault condition and displaying an error code on the front panel LEDs.

Tech Tip: The module’s fault condition is cleared when it is powered down. This can result in confusion and troubleshooting delays. There is a good argument for including a transparent window in your control panel so that technicians can see the module’s errors, along with any PLC errors, before opening or powering down the control panel. A close-up image of the module is shown in Figure 3.

Power supply failure

The safety module monitors the voltage of the 24 VDC power supply:

  • It will immediately enter a fail-safe off condition if the power is lost. This state is indistinguishable from a power-on reset.
  • It will enter a power supply fault condition if the power supply drops below approximately 18 VDC. The red front panel power LED will be lit. The unit must be power cycled (emergency stop button pressed) to clear the fault.

Figure 3: Close up of the safety module’s front panel. It is shown in the running state.

Tech Tip: A red power supply indication is an excellent troubleshooting symptom. A proper failure analysis is required should this fault be detected. Chances are high it will occur again, possibly resulting in nuisance trips. Nuisance trips can be dangerous because operators and technicians tend to discount their importance. Worse, there is a temptation to disable the trip circuitry.

Do not disable or modify a machine without strict adherence to federal, state, and local safety procedures. This requires a full understanding of the implications, explicit permission from informed upper management (higher than the foreman or immediate supervisor), and implementation of proper Lock Out Tag Out (LOTO) to inform all operators of deficient and potentially dangerous machine operation.

It is very difficult to identify and understand the impact of modifying a machine. There are simply too many corner cases where the machine can hurt someone or result in a costly loss of control. For this reason, I strenuously recommend against modification. Instead, identify the root cause and fix the machine before you even think about bypassing safety measures. Resist the foreman’s demands and hold to proper safety procedures. Listen to that little voice that says something could go wrong if you move that wire.
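To make the failure modes described in the e-stop, reset pushbutton, and power supply sections concrete, here is an added Python model of the module’s behaviour as this article describes it. It is constructed for illustration and is not Schneider’s firmware or DigiKey code; the 1 ms time step, treating the approximately 18 VDC figure as a hard threshold, and the scenario inputs are assumptions.

```python
RESET_DELAY_MS = 100   # outputs close about 100 ms after the reset button is released
UNDERVOLTAGE_V = 18.0  # supply fault below approximately 18 VDC (assumed hard threshold)

class SafetyModuleModel:
    def __init__(self):
        self.power_up()

    def power_up(self):
        # Power loss and a power-on reset look the same: all state, even a latched fault, clears.
        self.outputs_on = False   # 13-14 and 23-24 series contacts
        self.fault = False        # latched until the module is power cycled
        self.prev_reset = False   # last Y1-Y3 level, for falling-edge detection
        self.timer = 0            # countdown until the outputs close

    def step(self, estop_a, estop_b, supply_v, reset_pressed):
        """Advance 1 ms; return True while the safety outputs are closed."""
        # Both NC e-stop channels carry the module's supply, so opening either
        # one (button pressed, broken wire, loose block) removes power entirely.
        if not (estop_a and estop_b):
            self.power_up()
            return False
        if supply_v < UNDERVOLTAGE_V:
            self.fault = True     # red power LED; only a power cycle clears it
        if self.fault:
            self.outputs_on, self.timer, self.prev_reset = False, 0, reset_pressed
            return False
        # Reset is falling-edge sensitive: a button that is tied down, failed
        # open, failed closed or shorted never produces a high-to-low transition.
        falling_edge = self.prev_reset and not reset_pressed
        self.prev_reset = reset_pressed
        if falling_edge and not self.outputs_on:
            self.timer = RESET_DELAY_MS
        if self.timer > 0:
            self.timer -= 1
            self.outputs_on = self.timer == 0
        return self.outputs_on

def run_scenario(steps):
    """Apply (ms, estop_a, estop_b, supply_v, reset_pressed) tuples to a fresh module."""
    module, state = SafetyModuleModel(), False
    for ms, a, b, v, r in steps:
        for _ in range(ms):
            state = module.step(a, b, v, r)
    return state

OK = (True, True, 24.0)                                   # both channels closed, healthy supply
NORMAL_RESET = [(200, *OK, True), (150, *OK, False)]      # press, release, wait -> True
TIED_DOWN_RESET = [(1000, *OK, True)]                     # never released -> False
BROWNOUT_THEN_RESET = [(10, True, True, 15.0, False)] + NORMAL_RESET   # latched fault -> False
```

Appending an e-stop press and a fresh reset to the brownout scenario clears the fault and restarts, while reclosing a tripped e-stop channel without a reset leaves the outputs off, matching the no-automatic-restart wiring in Figure 2.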

Downstream failures

The Schneider Electric XB4BS8444 features 4 dual-redundant normally closed safety contacts as well as a pair of normally open contacts. The contacts are conservatively rated for 3 to 5 A (voltage and regulatory agency dependent), providing several options for your safety critical system. A few options include:

  • Direct control of a load such as small three-phase systems.

  • Shunt trip of a large circuit breaker.

  • Send a control signal to an independent system which then initiates an orderly shutdown. For example, the signal may activate a braking mechanism while simultaneously disconnecting power and venting pneumatic energy.

  • Enable signal for a contactor as shown in Figure 2.

  • Provide an enable (+24 VDC) signal to one or more PLC output blocks.

There are many ways the associated systems could malfunction. You are responsible for performing a risk analysis of your equipment and designing fail-safe control systems. The analysis must comply with all applicable international, federal, state, and local codes. As mentioned in the Tech Tip, this is not a trivial exercise.

Parting thoughts

The safety relay is an essential component for the modern control panel. It allows us to outsource many of the safety critical features that would otherwise be challenging to correctly design and implement. Despite this simplicity, we must be vigilant. Downstream equipment must be properly configured, and our technicians must routinely verify the integrity of the safety features.

As a challenge, I encourage you to identify all of the features incorporated into the safety relay. What would it take to design a similar circuit? Also, how would you ensure reliability against failure?

Best wishes,

APDahlen


About this author

Aaron Dahlen, LCDR USCG (Ret.), serves as an application engineer at DigiKey. He has a unique electronics and automation foundation built over a 27-year military career as a technician and engineer which was further enhanced by 12 years of teaching (interwoven). With an MSEE degree from Minnesota State University, Mankato, Dahlen has taught in an ABET-accredited EE program, served as the program coordinator for an EET program, and taught component-level repair to military electronics technicians. Dahlen has returned to his Northern Minnesota home and thoroughly enjoys researching and writing articles such as this.