To comply with the Australian safety of machinery standard (AS4024.1), the safety-related part of a pneumatic or hydraulic control system is required to be in accordance with one or more of five categories, as discussed in part 1 in April/May of this series.
The recent revision of AS4024.1 clearly indicates that both in design and validation, foreseeable single faults are to be considered as well as the fault detection method used for category 2, 3 and 4 control systems. (Reference AS4024.1 2006 Part 1502 — Table 2.) This applies to mechanical, pneumatic, hydraulic and electrical systems.
To provide for the required fault detection, many designers chose to use pressure monitoring to identify stored energy or failures in the fluid power circuit. There is a number of applications in which safe pressure monitoring can provide for a reliable and economical detection solution. However, there is also need for careful consideration of the type of pressure monitor used and how they are applied.
Firstly, is the pressure monitor suited to a safety application? If the failure modes of the device itself are unknown, or if it can be easily defeated or adjusted, it would be difficult to be confident about the device providing the reliable detection required for safety application. A safety pressure monitor should have a fixed setpoint, defeat resistance, positive opening mechanically linked switch contacts, and only provide indication of the safe state at a predetermined safe level on de-energisation of the fluid power circuit.
‘Safety’ pressure monitors for pneumatic and hydraulic applications are available to industry today and are reasonably priced. Meeting the performance requirements for category 2 pneumatic or hydraulic control systems can sometimes be simply integrated by including a single safety pressure monitor.
Occurrence of a fault can lead to a loss of the safety function between the checking intervals undertaken by the machine control system, as per the system behaviour guidelines for a category 2 control system. The loss of the safety function is, however, required to be detected by the next check.
Categories 3 & 4, however, can be more challenging, as both of these categories share the requirement that no single fault must lead to a loss of the safety function. In category 3 the single fault must be detected as far as is practicable. For category 4 the single fault must be detected at or before the next demand on the safety function, and if this is not possible, then an accumulation of faults shall not lead to a loss of the safety function. This often produces the mindset that by applying two safety pressure monitors to a circuit with two series connected
block and bleed valves, category 3 and 4 requirements will be achieved. The following circuit examples demonstrate how this can be incorrect.
In each of the above examples, if the valves used were themselves monitored for the off position, the single faults demonstrated (ie, sticking valve) could have been detected without pressure monitoring. However, individual safety pressure monitors can add extra integrity to circuits with monitored safety valves.
A pneumatic example might include a safety pressure monitor being used to detect early stages of silencer clogging. This could be advantageous on applications such as safe press clutch control to prevent undetected gradual back-pressuring of the clutch leading to it remaining engaged.
Alternatively, where an air system takes some time to bleed out to a safe level, a safety pressure monitor might be used in conjunction with guard solenoid interlocking to prevent operator access while pressurised. With hydraulic systems, typical application includes use of two safety pressure monitors for ensuring an accumulator has been bled down following de-energisation of a pump. Again, interfacing the safety pressure monitors with appropriate guard solenoid interlocking systems can prevent operator access to the dangerous parts of the machinery while pressurised.
In summary, safety pressure monitors can sometimes be a key part of a safe, reliable design. However, incorrect type or application could lead to non-compliance with safety of machinery standards and potentially lead to an unintended machine movement, which can have horrific outcomes.
