Failsafe wiring practice is one of those topics that separates control system designers and electricians from other technical specialties. It is an area that shows up as a problem when the design or installation team is not normally controls oriented, and it causes a lot of rework for installers and integrators when they meet during checkout onsite, because getting the two in sync requires a lot of cross-talk.
To enter a discussion of the merits of failsafe wiring, we first need to come to an understanding of some basic terms:
- The term failsafe implies fault-tolerant rather than fault-free operation: a device or system is allowed to fail, but only to a known safe state. An example of a failsafe signal is one that is wired to generate an alarm if power flow to an alarm detection device is interrupted, such as a relay that drives a horn or a system OK
- The phrase failsafe wiring refers to a design practice in which current flow is interrupted whenever the sensing device is in any condition other than its normal operating condition. For a wiring scheme to be failsafe, the device in question must be energized while process conditions are normal.
- The term shelf state refers to the state of a device's output switches as they would appear on the shelf, with the device unwired and unpowered. A depiction of a relay's shelf state shows its contact sets de-energized, with N.C. contacts closed (ready to pass current if connected to a source) and N.O. contacts open (blocking current flow). This is the default condition typically shown in schematic and connection drawings.
The term normal operating condition should not be confused with the terms normally open (N.O.) or normally closed (N.C.). Normal operating conditions are those in effect when the equipment is running normally and the process variable being measured is within tolerance. Turning the equipment off, having the process variable go out of tolerance, or having any other component in the circuit fail will cause a loss of voltage (logical zero) at the annunciator or PLC, and the alarm is generated. Note that such an alarm does not necessarily indicate that an alarm condition exists in the process (e.g., tank level too high); it indicates that either the alarm condition exists or the alarm condition is no longer being monitored. The failsafe signal alone cannot distinguish the two cases, so the operator must investigate either way.
In the circuit below, a motor starts or stops based on an operator pressing the spring-loaded start or stop push buttons. When the operator presses the start button, the relay energizes and seals in a set of its own contacts around the push button, so the operator can then release the button. If, however, the tank level is not in range, the level switches will not permit current to flow to the motor starter coil, the coil will not energize, and the motor will not start. If the level goes out of range after the motor has started, the relay de-energizes. The motor will not restart, even if the level returns to normal, until the operator presses the start button again.
The circuit shown in the figure above possesses all the key elements of a failsafe circuit. The end device operates only under prescribed process conditions and prescribed electrical conditions. If anything happens to the power supply, or to any other part of the circuit, that renders it inoperable, the relay de-energizes and an alarm is generated. The only circumstances that would cause this circuit to fail in its function are mechanical: either the relay contacts fusing together (rare now that most relays are encased and better protected from moisture) or the level switches failing to respond to changes in head pressure (level) as they are designed to. Because a fused contact or a stuck switch still passes current, the wiring itself cannot reveal these faults.
Most of the time, failsafe circuits use normally open contacts for interlock chains. In the case discussed above, however, a set of normally closed contacts was properly used. This was proper because the level switches used here are dumb, unpowered, non-electronic switches that change the state of their outputs strictly on pressure. As the level in the tank rises, so does the pressure at the sensing point, which is fed to each switch through tubing. The increased pressure inflates a bellows inside the switch body. Eventually the bellows inflates to the point where it exerts enough force on a contact set to overcome its mechanical reluctance (a mechanical setting that can be adjusted, or tuned, to a particular pressure), and the switch actuates. So whether a switch serves as a low-level switch or a high-level switch depends simply on where it is mounted and how its response to pressure is adjusted.
The fact that the switch has a Form-C contact set allows the same model of switch to be configured for failsafe operation, using the N.C. set for the high-level switch and the N.O. set for the low-level switch. With the tank empty, the low-level switch's N.O. contacts are open, removing the interlock for the motor. As the level rises, the low-level switch actuates, closing its N.O. contacts and enabling the circuit. The next time the operator presses the start button, the motor will start and run until the tank empties or until the level reaches the high set point, at which time the high-level switch opens its N.C. contacts and the relay de-energizes. The operator cannot restart the motor until the level falls back below the high-level point.
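The simulation below is an added example and is not code from the original text; it models the seal-in motor circuit just described, with the low-level switch's N.O. set and the high-level switch's N.C. set in series with the relay coil, and the PLC treating loss of voltage as the alarm. The set points, the scan-by-scan evaluation, the `wiring_ok` input (a broken field wire anywhere in the series chain) and all names are assumptions made for the example.

```python
"""Simulation of the failsafe motor-start circuit: stop PB (N.C.) and start
PB (N.O.) with a seal-in contact around the start button, then the low-level
switch (N.O. set) and the high-level switch (N.C. set) in series, feeding the
relay coil.  The PLC treats loss of voltage at the coil as the alarm.
The set points are constructed values, not from the original text."""

LOW_SETPOINT = 10.0    # assumed: low-level switch actuates once level exceeds this
HIGH_SETPOINT = 90.0   # assumed: high-level switch actuates once level reaches this


def low_switch_no_closed(level: float) -> bool:
    """N.O. set of the low-level pressure switch: closes only after the
    bellows has actuated, i.e. once the level is above the low set point."""
    return level > LOW_SETPOINT


def high_switch_nc_closed(level: float) -> bool:
    """N.C. set of the high-level pressure switch: stays closed (shelf state)
    until the level reaches the high set point, then opens."""
    return level < HIGH_SETPOINT


def interlock_closed(level: float) -> bool:
    """Both level switches are in series, so both must pass current."""
    return low_switch_no_closed(level) and high_switch_nc_closed(level)


class MotorCircuit:
    def __init__(self) -> None:
        self.relay_energized = False

    def scan(self, power: bool, level: float, start: bool = False,
             stop: bool = False, wiring_ok: bool = True) -> bool:
        """Evaluate the rung once.  wiring_ok=False models a broken field
        wire in the chain, which opens the circuit exactly like an alarm."""
        if not power or stop or not wiring_ok:
            self.relay_energized = False
            return False
        # The seal-in contact is in parallel with the start push button, so the
        # rung stays made after the button is released only if the relay was
        # already energized on the previous scan.
        path_made = start or self.relay_energized
        self.relay_energized = path_made and interlock_closed(level)
        return self.relay_energized

    def motor_running(self) -> bool:
        return self.relay_energized

    def plc_alarm(self) -> bool:
        """Failsafe convention: loss of signal at the PLC input is the alarm."""
        return not self.relay_energized


def run_scenario() -> dict:
    """Walk the circuit through the sequence described in the text and
    record what the operator and the PLC would see at each step."""
    c = MotorCircuit()
    obs = {}
    obs["start_with_tank_empty"] = c.scan(power=True, level=5.0, start=True)
    obs["level_rises_no_button"] = c.scan(power=True, level=50.0)
    c.scan(power=True, level=50.0, start=True)
    obs["after_start_button_released"] = c.scan(power=True, level=50.0)
    obs["level_reaches_high"] = c.scan(power=True, level=95.0)
    obs["alarm_at_high_level"] = c.plc_alarm()
    obs["level_back_in_range"] = c.scan(power=True, level=50.0)
    c.scan(power=True, level=50.0, start=True)
    obs["restarted_by_operator"] = c.scan(power=True, level=50.0)
    obs["wire_break"] = c.scan(power=True, level=50.0, wiring_ok=False)
    obs["alarm_at_wire_break"] = c.plc_alarm()
    c.scan(power=True, level=50.0, start=True)
    obs["power_lost"] = c.scan(power=False, level=50.0)
    obs["alarm_at_power_loss"] = c.plc_alarm()
    return obs


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:30s} {value}")
```

Note that the three alarm observations (high level, broken wire, lost power) are identical: the PLC input carries one bit, and the failsafe convention spends it on "something is wrong", not on which thing. That is the trade described above, and it is why the alarm must be treated as "alarm condition or monitoring lost" rather than as a high-level indication.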
Most modern electronic level switches give the installer a choice of how a switch's output should behave, so those can and should be configured to always use N.O. contacts, since the output will stay energized only while the unit has power and the process condition being monitored is within tolerance. In all cases, the PLC or annunciator looks for a loss of signal to signify an alarm condition.
Whenever possible, failsafe wiring practice should be employed on feedback signals (digital inputs), non-mission-critical control relays, and annunciator systems. This gives plant operators assurance that the sensing or alarm system is in fact monitoring the process and is standing ready to inform them of upset conditions. Judgment does need to be exercised, however: on some mission-critical control circuits it might be better to let the circuit fail unnoticed than to bring down the plant because of a faulty relay. The default, though, should be to make all circuits failsafe. This increases power consumption, because the load is always energized, but the personnel and process safety considerations usually outweigh the relatively minor economic ones.
To summarize, the following are some rules of thumb for failsafe wiring practice:
- If the sensing device is a dumb switch (such as a float switch) employed as a high-process alarm (e.g., high temperature, high level), then its normally closed contacts should be used to support failsafe operation. Why? The switch will not change from its shelf state until it reaches the alarm condition, so it needs to pass current both in its shelf state and while the process is in its normal state, and the N.C. set is the one that does that.
- If the sensing device is a dumb switch employed as a low-process alarm (e.g., low temperature, low level), then its normally open contacts should be used to support failsafe operation. Why? The switch leaves its shelf state as soon as the process variable (e.g., temperature, level) reaches its normal operating range, closing the N.O. set. If the process variable falls below the alarm point, the device returns to its normally open shelf state and the circuit de-energizes.
- If the sensing device is electronic, its normally open contacts will generally support failsafe operation, because the device will probably be configurable. Most sensing devices today are electronic, and most provide a user-configurable setting that allows the output to be set up for failsafe operation. Whenever possible, configure the normally open contact to close during normal operating conditions, so that it opens on an alarm, on loss of device power, or on a broken wire. Put a note on the loop sheet to that effect to remind the installer that the field adjustment is required.
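The following is an added example, not part of the original text: it encodes the three rules of thumb as a contact-selection function and then audits every combination of switch kind, alarm direction, contact set and PLC convention against the property that makes a wiring choice failsafe. That property, taken from the discussion above, is that the PLC must be quiet under normal conditions and must alarm both for the process alarm and for every fault in the monitoring path (broken wire, lost loop power). The names, the "loss_of_signal" versus "presence_of_signal" convention labels and the simplified Form-C model are assumptions made for the example.

```python
"""Contact selection per the rules of thumb, plus an audit that checks each
wiring choice for the failsafe property: no alarm under normal conditions,
and an alarm under the process alarm AND under every monitoring-path fault.
The PLC convention names and the switch model are assumptions for this example."""

from itertools import product

KINDS = ("dumb", "electronic")
ALARMS = ("high", "low")
CONTACTS = ("NO", "NC")
CONVENTIONS = ("loss_of_signal", "presence_of_signal")
CONDITIONS = ("normal", "alarm", "wire_break", "power_loss")


def select_contact(kind: str, alarm: str) -> str:
    """Which contact set of the sensing switch belongs in the interlock chain."""
    if kind == "electronic":
        return "NO"   # configurable unit: make N.O. close during normal operation
    if alarm == "high":
        return "NC"   # dumb high switch sits in shelf state until the alarm point
    return "NO"       # dumb low switch leaves shelf state once the variable is normal


def contact_closed(kind: str, alarm: str, contact: str, process: str, powered: bool) -> bool:
    """Form-C behaviour: N.O. closes and N.C. opens when the switch actuates."""
    if kind == "dumb":
        # Pressure or float mechanism, no electronics: it actuates whenever the
        # variable is above the set point, which is the alarm point for a high
        # alarm but the normal band for a low alarm.
        actuated = (process == "alarm") if alarm == "high" else (process == "normal")
    else:
        # Electronic switch configured for failsafe: output energized only
        # while the unit has power and the variable is in tolerance.
        actuated = powered and process == "normal"
    return actuated if contact == "NO" else not actuated


def signal_at_plc(kind: str, alarm: str, contact: str, condition: str) -> bool:
    """Voltage present at the PLC input for one field condition."""
    powered = condition != "power_loss"
    wire_ok = condition != "wire_break"
    process = "alarm" if condition == "alarm" else "normal"
    return powered and wire_ok and contact_closed(kind, alarm, contact, process, powered)


def alarm_raised(kind: str, alarm: str, contact: str, convention: str, condition: str) -> bool:
    """What the PLC concludes under the given interpretation of its input."""
    signal = signal_at_plc(kind, alarm, contact, condition)
    return (not signal) if convention == "loss_of_signal" else signal


def is_failsafe(kind: str, alarm: str, contact: str, convention: str) -> bool:
    """Quiet when normal; alarming for the process alarm and for every
    monitoring-path fault."""
    quiet_when_normal = not alarm_raised(kind, alarm, contact, convention, "normal")
    alarms_otherwise = all(alarm_raised(kind, alarm, contact, convention, c)
                           for c in CONDITIONS if c != "normal")
    return quiet_when_normal and alarms_otherwise


def audit() -> list:
    """Every (switch kind, alarm direction, contact set, PLC convention)
    combination with its failsafe verdict."""
    return [(kind, alarm, contact, convention, is_failsafe(kind, alarm, contact, convention))
            for kind, alarm, contact, convention in product(KINDS, ALARMS, CONTACTS, CONVENTIONS)]


if __name__ == "__main__":
    for kind, alarm, contact, convention, ok in audit():
        mark = "failsafe" if ok else "NOT failsafe"
        print(f"{kind:10s} {alarm:4s} alarm  {contact} contact  {convention:18s}  {mark}")
```

Running the audit shows that exactly four of the sixteen combinations pass, that all four use the loss-of-signal convention, and that in each the contact set is the one `select_contact` picks. The presence-of-signal convention never passes: a broken wire or a dead loop looks identical to "nothing to report", which is the silent failure the rules of thumb exist to avoid.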