3 redundancy and monitoring – Rockwell Automation Safety Guidelines for the Application, Installation, and Maintenance of Solid-State Control User Manual

Page 9


Publication SGI-1.1 - August 2009

Section 3: Application Guidelines


solid-state logic and output circuits. If this protection is not part of the DC supplies for a system, a timing circuit external to the power supply can be added to delay the application of power to output devices.

Removing all power or losing all power from a system simultaneously usually does not result in a hazard since the power for machine operation is also being removed. However, when power other than electrical power is being controlled, a power interlock circuit may be required to protect against unexpected machine motion. Power interlocks with automatic shutdown should be included if erratic or hazardous operation results due to loss of one power supply in a system with multiple supplies.

Automatic power supply sequencing should be employed in systems that require the application or removal of power in a specific sequence. If the STOP or E-STOP sequence normally employs dynamic braking, alternative safeguards, such as automatic mechanical braking upon loss of power, should be provided if coasting stops are hazardous.

If hazardous operation can result from unexpected restoration of power during a power outage or a system shutdown, the system should include a feature that requires a deliberate operator action before power is reapplied to the system.

3.1.3 Redundancy and Monitoring

When solid-state devices are being used to control operations that the user determines to be critical, it is strongly recommended that redundancy and some form of checking be included in the system. Monitoring circuits should check that actual machine or process operation is identical to controller commands, and in the event of failure in the machine, process, or the monitoring system, the monitoring circuits should initiate a safe shutdown sequence.

Comments: 3.1.3 Redundancy and Monitoring

The normal operating mechanism for solid-state components depends upon a deliberate electrical signal input altering the internal molecular structure of the semiconductor material. Unfortunately, spurious input signals may also alter the internal molecular structure without any means for external detection that this has happened. Therefore, solid-state devices are subject to malfunction due to random causes that are undetectable. Because of this, redundancy and monitoring are the most highly recommended means for counteracting this situation.

When redundancy is used, dissimilar components not susceptible to common cause failure should be used for the redundant elements if a common cause could produce simultaneous failure of those elements in a dangerous mode.

A “safe shutdown sequence” can involve much more than disconnecting electrical power for some machinery and processes. Examples include machines with high inertia and hazardous access points, processes that become unstable at shutdown unless a specific sequence is followed, etc.
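The 3.1.3 guideline, the comment on dissimilar redundant elements, and the remark that a safe shutdown is an ordered sequence rather than a single power cut can be illustrated together. The following is an added example, not code from the manual or from Rockwell Automation: two deliberately different checking algorithms compare controller commands with machine feedback, and either channel's fault, or an exception in the monitor itself, runs a fixed shutdown sequence. The 150 ms tolerance, the 50 ms sample period, the motor scenario and the shutdown step names are constructed assumptions.

```python
"""Redundant command/feedback monitoring with a safe shutdown sequence.

Added example (not Rockwell's code): a monitor compares actual machine state
with controller commands and, on a persistent mismatch or on a failure of
the monitor itself, initiates a defined safe shutdown sequence. Two
dissimilar checking algorithms are used so a single design flaw cannot
disable both. Tolerance, sample period and shutdown steps are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FEEDBACK_TOLERANCE_MS = 150  # assumed: machine must follow a command within 150 ms


@dataclass
class Sample:
    t_ms: int
    commanded: bool  # controller command, e.g. "motor run"
    feedback: bool   # actual state from an independent sensor


class TimerChannel:
    """Channel A: fault once a command/feedback mismatch lasts a full tolerance."""

    def __init__(self) -> None:
        self.mismatch_since: Optional[int] = None

    def ok(self, s: Sample) -> bool:
        if s.commanded == s.feedback:
            self.mismatch_since = None
            return True
        if self.mismatch_since is None:
            self.mismatch_since = s.t_ms
        return (s.t_ms - self.mismatch_since) < FEEDBACK_TOLERANCE_MS


class HistoryChannel:
    """Channel B, a different algorithm from A: fault if feedback matches
    neither the current command nor the command in effect one tolerance ago."""

    def __init__(self) -> None:
        self.history: List[Tuple[int, bool]] = []

    def ok(self, s: Sample) -> bool:
        self.history.append((s.t_ms, s.commanded))
        aged = [c for t, c in self.history if t <= s.t_ms - FEEDBACK_TOLERANCE_MS]
        if not aged:  # not enough history yet; channel A covers start-up
            return True
        return s.feedback in (s.commanded, aged[-1])


class Monitor:
    """Either channel's fault, or an exception inside the monitor itself,
    trips the shutdown sequence: the failure direction is always 'shut down'."""

    def __init__(self, shutdown_sequence, channels=None) -> None:
        self.sequence = shutdown_sequence  # ordered (name, action) pairs
        self.channels = channels or [TimerChannel(), HistoryChannel()]
        self.tripped = False
        self.log: List[str] = []

    def evaluate(self, s: Sample) -> bool:
        """Return True while operation is judged safe; False once tripped."""
        if self.tripped:
            return False
        try:
            verdicts = [ch.ok(s) for ch in self.channels]
        except Exception as exc:  # a fault in the monitor counts as unsafe
            verdicts = [False]
            self.log.append(f"t={s.t_ms} monitor fault: {exc!r}")
        if all(verdicts):
            return True
        self.tripped = True
        self.log.append(f"t={s.t_ms} mismatch, channel verdicts={verdicts}")
        for name, action in self.sequence:  # shutdown steps in fixed order
            action()
            self.log.append(f"t={s.t_ms} shutdown step: {name}")
        return False


def build_sequence(executed: List[str]):
    """Constructed shutdown sequence; real steps would drive contactors/brakes."""
    return [(name, lambda n=name: executed.append(n))
            for name in ("open motor contactor", "apply mechanical brake",
                         "hold access gate locked until stopped")]


def run_demo():
    """Constructed scenario: motor commanded on at t=0, running from t=100 ms,
    commanded off at t=600 ms but feedback stays on (machine keeps running)."""
    samples = [Sample(t, commanded=t < 600, feedback=t >= 100)
               for t in range(0, 900, 50)]
    executed: List[str] = []
    mon = Monitor(build_sequence(executed))
    verdicts = [mon.evaluate(s) for s in samples]
    return verdicts, executed, mon.log


class BrokenChannel:
    """Simulates a failed checking channel, to show the fail-safe direction."""

    def ok(self, s: Sample) -> bool:
        raise RuntimeError("channel hardware fault")


def run_fault_demo() -> bool:
    """Return the monitor's verdict when its own checking logic fails."""
    mon = Monitor([], channels=[TimerChannel(), BrokenChannel()])
    return mon.evaluate(Sample(0, commanded=True, feedback=True))
```

In the scenario the start-up lag (command on, machine not yet running) is tolerated by both channels, while the machine continuing to run 150 ms after the off command trips both at t=750 ms and the three shutdown steps execute in order; the fault demo shows that a failure of the monitoring logic itself also ends in shutdown rather than in silent continuation.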

The control system for such applications should be configured to deal
