Failsafe remotes

21 November 2007


Previous articles in this series have looked at various aspects of safety remote controls, including techniques used in protecting the communication medium from errors. Here, Antonio Silvestri, product development manager at Italian remote control firm Autec, discusses the remote controller itself, and how it can be protected against faults.

It should be noted though that protecting the STOP system is not enough to achieve a safe system, as it relies on the human operator to take appropriate and timely action in an emergency. The operator may not be present, may not be aware of the hazard, may not react in time, or may even take some action that makes the hazard worse. Some benefit is gained by ensuring that an unused transmitter turns off (initiating a STOP condition) when it has been idle for a period of time. But again, this alone is not sufficient: the controller must also be protected against faults that cause the initiation of unexpected motion, without requiring the operator to activate the STOP.

[Image: autec 1] Receivers should incorporate dual decoders and a voting system to ensure that they must both agree on a command, or it is not acted on, says Autec. This is one of the principal techniques used to achieve safety in a remote control system, it adds.

For that reason, we consider here the safety performance of a remote control based on two possible failures:

- Failure of the STOP function.

- Unexpected motion from standstill caused by a fault (also called UMFS protection).

Duplicate STOP relays

One of the most predictable hazardous faults that could occur in a radio remote control system is that the STOP output does not turn off when required. Typically, this problem is addressed by using two STOP relays, and connecting them in series. While this is definitely an improvement over a single relay, it is not a complete solution. If one of the relays fails in the closed position, then we are relying on the second relay to open contacts and stop the machine. But if there is no indication that the first relay has failed, the radio control is now operating without the protection of a second STOP relay. A manual inspection of the relays may reveal a problem, but it is often impractical to schedule manual inspections at a close enough interval to ensure that a fault is detected before a second fault occurs. It is necessary for the control system to itself detect that a failure has occurred, and to prevent the machine from operating while only one relay is operational. This duplication with fault-detection may also be called redundancy with self-monitoring, and should be present in safety remote controls used on lifting machines.

The STOP outputs from a radio control receiver may utilise a special class of relay known as a "safety relay". Despite their name, their design is little "safer" than a regular relay. They are still vulnerable to welding, coil burnout, or other mechanical failure. What makes them different is the feature known as "forcibly guided contacts", and this name is more indicative of their real function. If one set of contacts jams in the ON position, the other set cannot return to the normally-closed position (as can happen in standard relays, particularly those with small contact spacings). This means that the control system can know with some certainty what one set of relay contacts is doing by looking at the other set. This simplifies the design of rugged safety control circuits, where one contact set is used for power switching and the other set is used for monitoring.

Note, however, that this is not the only solution; more complex designs may use single-contact power relays for the STOP function which are directly monitored by an insulated control circuit. This may allow the use of more powerful relays, when required.
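As an added illustration (not code from the article or from Autec), the following Python model shows what "redundancy with self-monitoring" means in practice for two forcibly guided STOP relays in series: before each enable, the controller reads each relay's monitor contact to prove the power contact has dropped out, and a welded relay is detected and latched rather than silently leaving the machine running on a single relay. The relay names K1 and K2, the `enable`/`stop` sequence and the welded-contact fault injection are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class GuidedRelay:
    """Constructed model of a relay with forcibly guided contacts: the
    normally-open power contact and the normally-closed monitor contact are
    mechanically linked, so a welded power contact holds the monitor open."""
    name: str
    coil_energised: bool = False
    welded: bool = False  # fault injection: power contact stuck closed

    @property
    def power_closed(self) -> bool:
        return self.coil_energised or self.welded

    @property
    def monitor_closed(self) -> bool:
        # Forcibly guided: the monitor is closed only while the power contact is open.
        return not self.power_closed


class StopCircuit:
    """Two STOP relays in series, proven released via their monitor contacts
    before every enable (redundancy with self-monitoring)."""

    def __init__(self) -> None:
        self.k1 = GuidedRelay("K1")
        self.k2 = GuidedRelay("K2")
        self.fault_latched = False

    def machine_powered(self) -> bool:
        # Series connection: both power contacts must be closed for power to flow.
        return self.k1.power_closed and self.k2.power_closed

    def stop(self) -> None:
        self.k1.coil_energised = False
        self.k2.coil_energised = False

    def enable(self) -> bool:
        """Energise both relays only if both monitors prove both have dropped out."""
        if self.fault_latched:
            return False
        self.stop()  # coils off: only a welded contact can remain closed now
        if not (self.k1.monitor_closed and self.k2.monitor_closed):
            # One relay is still closed with its coil off. Refuse to run on a
            # single relay and latch the fault until the unit is repaired.
            self.fault_latched = True
            return False
        self.k1.coil_energised = True
        self.k2.coil_energised = True
        return True
```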

[Image: autec 2] One of the most predictable hazardous faults that could occur in a radio remote control system is that the STOP output does not turn off when required.

It is a requirement of EN418 that STOP buttons be normally closed and positive-break: the activation force of the button acts directly on the contacts to force them apart, and does not rely on spring pressure or similar to open them. Another requirement is that the STOP button should also be latching, and require manual reset. Some safety remote controls use STOP buttons with two separate channels; unless both channels are in the normal (closed) position, the system cannot be operated.

Duplicate inputs

To protect the transmitter against failures of its electronic circuits causing unexpected motion, remote controls may use duplicated inputs. Some types use one physical actuator (for example, a button) that drives two separate channels for confirmation of the command.

Some models use two electrically and mechanically separated actuators driving the two control channels to confirm each command, thus achieving a higher safety level because protection is provided also against mechanical failures (such as broken springs or failed contacts or shorted cabling wires).

Duplicate decoders

As discussed in the last article, a safety radio remote control has a passive STOP function, for example, the receiver must receive a valid message from the transmitter within a certain time period (typically about 500ms) or a STOP condition will result. The device in the receiver that listens to the incoming messages and decides whether they are valid or not is known as the decoder. If the STOP system is to be protected against faults, it follows that the decoder must be similarly protected. This necessitates the duplication of the decoder (at least for the STOP functions), and putting a mechanism in place so that unless both decoders agree that a valid message has been received, a STOP will result.

Some radio control systems that are claimed to be failsafe do not meet this criterion: they are single-decoder designs. If there is only a single decoder, and the decoder fails, the STOP circuit may not operate correctly. A system of this type is vulnerable to programme or data corruption, or other types of controller failure. Watchdog timers, program checksums and other techniques can reduce this risk, but not to a tolerable level.

The situation is similar if we consider the protection against a single fault causing unexpected motion. Again, in a single decoder system, there is nothing to prevent the failure of the decoder from initiating motion. To protect against this (UMFS) requires duplication of not only the STOP functionality of the decoder, but of all "safety critical" commands it decodes.

Receivers should incorporate dual decoders and a voting system to ensure that they must both agree on a command, or it is not acted on. This is one of the principal techniques used to achieve safety in a remote control system.
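As an added example (not the article's or Autec's code), this Python model combines the two receiver-side protections described above: two independent decoder channels vote on every frame, and a passive-STOP timer of 500 ms forces a STOP when no valid message arrives. The three-byte frame layout, the inverted-sum checksum, the receiver address and the single-bit-corrupting `faulty_decoder` are constructed for the example; a real receiver would run the two decoders on separate hardware.

```python
STOP = "STOP"
TIMEOUT_MS = 500  # passive STOP: silence longer than this forces a STOP


def checksum(payload: bytes) -> int:
    # Inverted byte sum over a constructed frame layout: [address, command, checksum].
    return (~sum(payload)) & 0xFF


def decode(frame: bytes, address: int):
    """One decoder channel: the command byte of a valid frame, else None."""
    if len(frame) != 3 or frame[0] != address or frame[2] != checksum(frame[:2]):
        return None
    return frame[1]


def make_frame(address: int, command: int) -> bytes:
    body = bytes([address, command])
    return body + bytes([checksum(body)])


def faulty_decoder(frame: bytes, address: int):
    """Fault injection: a decoder whose output has one corrupted bit."""
    cmd = decode(frame, address)
    return None if cmd is None else cmd ^ 0x01


class DualDecoderReceiver:
    """Two independent decoders vote on every frame: any invalid frame,
    any disagreement, or silence longer than TIMEOUT_MS yields STOP."""

    def __init__(self, address: int, decoder_a=decode, decoder_b=decode) -> None:
        self.address = address
        self.decoder_a = decoder_a  # in a real unit these run on separate hardware
        self.decoder_b = decoder_b
        self.last_valid_ms = None   # no valid message seen yet

    def process(self, frame: bytes, now_ms: int):
        a = self.decoder_a(frame, self.address)
        b = self.decoder_b(frame, self.address)
        if a is None or b is None or a != b:
            return STOP  # both must accept the frame and agree on the command
        self.last_valid_ms = now_ms
        return a

    def tick(self, now_ms: int) -> str:
        """Called periodically; STOP once the passive-STOP timer has expired."""
        if self.last_valid_ms is None or now_ms - self.last_valid_ms > TIMEOUT_MS:
            return STOP
        return "RUN"
```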

Duplicate encoders

We have seen the importance of ensuring that a message is received and decoded correctly, which necessitates the use of dual decoders.

It may seem that this is sufficient protection, and that it is not necessary to duplicate the encoder in the transmitter. There is some justification for this argument: if we turn off power to the transmitter using a positive-break switch, then it will stop transmitting. With duplicate decoders in the receiver, we know that at least one of them will detect the loss of communication and cause a STOP condition.

So we can achieve a basic level of fault protection for the passive-stop system using dual decoders with a single-encoder transmitter. But duplicate decoders will be of no help if the message they are examining was correctly structured and sent, but contained the wrong commands because there was a fault in the encoding electronics of the transmitter. So there is also a need for duplication of the encoders in the transmitter to protect the system against initiating unexpected motion due to a fault.

Duplicate outputs

As discussed, the STOP outputs in the receiver must be duplicated to ensure that at least one opens to stop the machine in the presence of a fault.

If we are to provide protection against unexpected motion (UMFS), then output duplication is also required for the motion commands of the machine. This may take the form of duplicating each command individually, but there is a balance to reach between reliability and safety. If we duplicate each output, we also double the complexity. And unless we monitor the duplicate outputs for possible failure, there is little advantage gained.

A compromise that achieves high safety with little added complexity is to provide an additional output that acts as a confirmation for more than one single command. In this case, a confirmation output supplies power to the other motion outputs, and removes power from them if no motion commands are active. In this way, the system is protected against some output failures, such as welded relays, with a relatively simple system. If the confirmation output is duplicated and monitored, a high level of protection against unexpected motion may be achieved.
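As an added model (not from the article or Autec), the following Python output stage shows the confirmation-output compromise: a pair of confirmation contacts in series feeds all motion outputs, is energised only while some command is active, and is monitored at standstill so that a welded confirmation contact is latched as a fault. The output names, the two confirmation relays and the welded-contact fault injection are assumptions of this example.

```python
class OutputStage:
    """Constructed model of motion outputs fed through a duplicated,
    monitored confirmation output (confirm1 and confirm2 in series)."""

    MOTION = ("up", "down", "left", "right")
    CONFIRM = ("confirm1", "confirm2")

    def __init__(self) -> None:
        self.welded = set()  # fault injection: names of contacts stuck closed
        self.fault_latched = False

    def _closed(self, name: str, commanded: bool) -> bool:
        # A contact is closed if its relay is energised or it has welded.
        return commanded or name in self.welded

    def drive(self, commands) -> set:
        """Apply the active motion commands; return the outputs that actually move."""
        if self.fault_latched:
            return set()
        active = set(commands) & set(self.MOTION)
        # The confirmation relays are energised only while a command is active,
        # so at standstill they remove power from every motion output.
        confirm_closed = [self._closed(c, bool(active)) for c in self.CONFIRM]
        if not active and any(confirm_closed):
            # Monitoring: with no command active every confirmation contact must
            # be open. One still closed has welded: latch the fault, refuse to run.
            self.fault_latched = True
            return set()
        if not all(confirm_closed):
            return set()  # no supply reaches the motion outputs
        return {m for m in self.MOTION if self._closed(m, m in active)}
```

The test below also exercises the residual case the text hints at with "some output failures": a welded motion relay causes no motion from standstill, but it is not itself detected, so it moves again as soon as any other command energises the confirmation output.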

From EN IEC 60204-1 2005, clause 9.2.7.3:

"A machine which is equipped with a cableless control system shall have a means of automatically initiating the stopping of the machine and of preventing a potentially hazardous operation in the following situations:

- a stop signal is received.

- when a fault is detected in the cableless control system.

- when a valid signal (...) has not been detected within a specified period of time..."

We have so far examined and compared many of the techniques used to provide fault-resistance in radio control systems. In the final article in this series, we will see how safety performance can be quantified using existing standards and norms, and how risk assessments can be used to determine what level of safety is required in a given application.
