OSSDs, safety signals, or what’s in a name?
November 2013, IS & Ex
By Stephen Eltze, Sick Automation Southern Africa.
Just like any other industry or area of interest, the field of machine safety has its share of jargon, buzz words and acronyms. OSSDs are widely used in machine safety and are often seen as some kind of magical signal that somehow connects a safety device into the machine’s SRP/CS (safety relevant part of the control system).
But what are we actually talking about? The acronym, OSSD, stands for Output Signal Switching Device which, at first glance, might not appear terribly descriptive. In its most basic form, it is an electronic circuit that conditions a couple of 24 VDC transistor type signals in a certain way, so that they can be recognised as safety signals by the safety interfacing units into the control system of a machine. Most manufacturers of safety rated PLCs, PACs, DCSs, safety relays and safety controllers make provision in their devices to monitor these safety signals.
So, why would we want these special signals? What purpose would they serve?
Let’s start by going one step back and looking at machine safety as a system.
In this age of automation, the whole reason we want to install machines in our factories is that we expect them to work faster, harder and more efficiently than humans will, making products for us as fast as we can sell them. However, to a large extent, it is not possible to work completely without human intervention in the manufacturing process. Typically we need humans to interact with the machines especially during the ‘load’ and ‘unload’ phases of manufacture, as well as for maintenance and repair purposes.
Our factory machines are built to bend things, make holes in things, glue, join, weld, cut, twist, etc. There are certain unfortunate conditions where they just might bend, make holes in, glue, join, weld, cut, twist, etc. the machine operator, who may be in the wrong place at the wrong time. This is where the field of machine safety becomes an important issue, especially for the machine operator.
We can remove or limit the possible damage caused to the operator and the machine by installing specialised safety devices that can prevent or monitor access into the identified dangerous areas of the machine. A fortunate side-effect of a system like this is that we limit downtime and the effect on production. It is, after all, a whole lot easier dealing with an unscheduled stop, rather than an injury on duty.
These safety devices are available in many different forms, shapes and sizes, but they all need to be integrated in the safety relevant part of the machine’s control system. Usually we accomplish this through use of a safety controller of some kind which could be in the form of a PLC or one of the similar devices mentioned previously.
How do we connect the safety devices into the safety controller? One of the more obvious places to start would be to make use of a simple digital on/off signal, taken from an output on the safety device and into the safety controller. During the past few years, it has become internationally accepted that most safety devices will work with 24 V DC. This is usually readily available as it is used for other control equipment and it is a low enough voltage to be considered safe.
What happens if someone were to cut the wire carrying the signal into the controller? In this case, it makes sense to use an 'always on' signal from the safety device to the controller. Then, if the signal is removed or switched off in the event of an intrusion into the dangerous area, the controller will see the signal disappear and recognise this as a condition where it needs to switch off the machine, or inhibit certain functions on the machine. Now, if someone were to, accidentally or otherwise, disconnect the safety device from the safety controller, the controller will no longer be receiving the ‘All Okay’ signal from the safety device. The controller will interpret this in the same way as it would an intrusion, thereby protecting the operator even in the case of a deliberate or accidental attempt to remove the safety system. The safety controller is using the signal change from high to low for monitoring the condition of the safety device.
What happens if the signal is bypassed? It is entirely possible that due to an accidental situation, or a deliberate attempt to bypass the safety device, a secondary 24 VDC source may be used to supply a signal into the safety controller. The safety controller will not be able to differentiate between the signal from the safety device and the signal from another source, unless we somehow make it look a little different to a standard 24 VDC signal.
A fairly simple way of ‘coding’ the signal is to pulse it in some way. We do this by dropping the 24 V signal to zero volts every ‘x’ milliseconds, and then returning it to 24 V. This process is repeated continuously.
It might still be possible to have a bypassed signal that is present just long enough for someone to get hurt. How can we make the monitoring even safer? In this case we make use of a second, similarly conditioned signal. We now have two separate signals being sent from the safety device to the safety controller. If either one or both of the signals should disappear, then the safety controller will judge that there has been an issue with the condition of the safety device requiring intervention.
Additionally, these two pulsed signals are out of synchronisation with each other. This has the added advantage that one pulsed output cannot be bridged across two inputs into the safety controller, as the controller will be monitoring the signals for the out-of-sync pulses.
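The three checks described so far (signal present, signal pulsed, pulses out of sync) can be modelled as a small input monitor. This is an added example, not part of the original article and not any vendor's implementation; the tick-based timing values, function names and sample windows are assumptions constructed for illustration.

```python
from enum import Enum
from itertools import groupby

# Assumed timing in sample ticks; illustrative values, not from any product or standard.
PERIOD = 20   # each channel dips to 0 V once per PERIOD ticks
DIP = 1       # width of a test dip
OFFSET = 10   # channel B dips OFFSET ticks after channel A (out of sync)

class Verdict(Enum):
    OK = "both channels high, pulsed and out of sync"
    SIGNAL_LOST = "a channel stayed low longer than a test dip"
    CROSS_CIRCUIT = "both channels dipped at the same instant"
    NO_TEST_PULSE = "a channel stayed high with no dip for a full period"

def ossd_output(n, phase, period=PERIOD, dip=DIP):
    """Constructed healthy channel: 1 (24 V) with a short dip to 0 every period."""
    return [0 if (t - phase) % period < dip else 1 for t in range(n)]

def longest_run(samples, level):
    """Length of the longest unbroken run of `level` in the sample window."""
    return max((len(list(g)) for v, g in groupby(samples) if v == level), default=0)

def evaluate(ch_a, ch_b, period=PERIOD, max_dip=DIP):
    """Classify one window of samples taken from the two controller inputs."""
    channels = (ch_a, ch_b)
    # Cut wire, removed device or intrusion: the 'always on' signal is gone.
    if any(longest_run(ch, 0) > max_dip for ch in channels):
        return Verdict.SIGNAL_LOST
    # One output bridged onto both inputs: the dips coincide.
    if any(a == 0 and b == 0 for a, b in zip(ch_a, ch_b)):
        return Verdict.CROSS_CIRCUIT
    # Foreign steady 24 V source: the expected dip never arrives.
    if any(longest_run(ch, 1) > period for ch in channels):
        return Verdict.NO_TEST_PULSE
    return Verdict.OK

def machine_may_run(ch_a, ch_b):
    """Anything other than OK must lead to the safe state."""
    return evaluate(ch_a, ch_b) is Verdict.OK

# Constructed sample windows (60 ticks each).
healthy_a = ossd_output(60, 0)
healthy_b = ossd_output(60, OFFSET)
cut_wire_a = healthy_a[:25] + [0] * 35     # channel A lost at tick 25
steady_24v = [1] * 60                      # unpulsed supply on input B

if __name__ == "__main__":
    print(evaluate(healthy_a, healthy_b))   # normal operation
    print(evaluate(cut_wire_a, healthy_b))  # wire cut
    print(evaluate(healthy_a, steady_24v))  # bypass with plain 24 V
    print(evaluate(healthy_a, healthy_a))   # output A bridged to both inputs
```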
Of course, if the signal is removed during the dip phase, or if a standard 24 V signal is applied during the non-dip phase, we would expect an additional delay to the response of the safety system. However, this delay is minimal. To give you some idea of how this affects the response time in the case of intrusion or loss of signal, a standard safety light curtain with a safety relay has a typical worst-case reaction time of under 100 ms.
The duration of these signal dips is so short that we can power a normal control relay with the 24 VDC signal from the safety device and the relay coil will not have time to react to the dips, meaning that the relay will remain energised as long as the signal is present. It is only smart devices, like our safety controller, that are monitoring the signal electronically that will notice the dip.
These dual pulsed signals are what we refer to as OSSD signals. By making use of OSSDs we fulfil the requirements of redundancy and diversity in our safety circuit.
It is the combination of monitoring, redundancy and diversity in signal conditioning that makes the OSSD signals such an effective part of the safety system. The likelihood of accidentally bypassing the safety signals so that we have a condition where the safety devices appear to be operating, but are actually not, becomes almost negligible. Even deliberate defeating of the safety signals becomes much more complicated through the use of OSSDs.
For more information contact Stephen Eltze, Sick Automation SA, +27 (0)11 472 3733, firstname.lastname@example.org, www.sickautomation.co.za