Safe Vacuum Furnace Operation – Why You Should Use a Safety PLC

A number of years have passed since EN ISO 13849-1 and IEC 62061 replaced the outdated EN 954-1 as the technical standards concerning the safety of control systems. The question now is whether they are being thoroughly applied in all technological fields, including that of vacuum furnaces.

Safety Programmable Logic Controllers (PLCs) are increasingly replacing common safety relays in several non-trivial applications. But are they really useful?

Below are five reasons that explain why a safety PLC should be installed on a vacuum furnace.

Emergency Stop is not the Only Safety Function

When the electrical cabinet of a not-so-recent vacuum furnace is opened, the emergency stop is likely to be the only feature that is managed strictly according to the IEC 62061 and EN ISO 13849-1 standards.

This would be normal for a simple machine, whose only risk is caused by a moving part that has to be stopped either by pressing the E-STOP button or by opening a protection. However, this is not the case for a vacuum furnace with pressurized gas quenching, where pressure and temperature have significant safety implications.

Until recently, a few hardwired safeties (if any) added externally to the functional controller were the state of the art. These, however, do not fulfill the newer standards for several reasons, such as limited redundancy (since the functional controller cannot be considered in the evaluation of the safety function) or poor diagnostic coverage (for instance in case of a short circuit).

It is necessary to understand what more a safety PLC can offer compared to conventional safety relays, even under the assumption that more safety functions should be applied based on the latest standards.

Safety PLCs can Process Analog Signals

Pressure and temperature are essentially analog quantities. While the latest safety PLCs can be fitted with input boards to read and then process a range of analog signals (like those coming from thermocouples, Pt100 sensors or several other transducers), safety relays are capable of processing only digital information (like a limit switch or a button).

But what is the advantage compared to using temperature and pressure switches to provide digital signals to the safety relays?

Analog Signals Provide Better Diagnostic Coverage

Using redundancy to increase the safety level is a basic safety practice, for instance using two temperature switches instead of just one.

However, sooner or later the first will fail without being noticed, then the second could also fail, and the safety function might be lost if the two switches are not checked at least against each other. But if the switchover point is set at a temperature that can never be reached under typical circumstances, how can the two sensors be checked to see if they are switching consistently when they are not even switching at all?

Periodically removing the temperature switch and calibrating it is correct; however, it is necessary to check in the maintenance log when this was last performed for the over-temperature switches installed on the vessels of the furnaces.

Even if the switchover point is really crossed (in a diagnostic procedure or in normal operation), how is it possible to tell that the two switches are switching consistently?

This is generally checked for limit switches using a time window, but it is not possible to safely apply this to pressure or temperature switches: the two will probably not switch at exactly the same time, and the delay between them depends on the difference between their switchover points and on the rate of change of the measured value, which is usually unknown.

This is the point where the possibility to safely process analog values comes into play: if there are two temperature measurements, they can be compared all of the time, even when the process is not close to the switchover point. The user will be able to recognize that one sensor has failed as soon as the two readings differ by more than an allowed tolerance.

If the switchover point is crossed during normal operation, even the combination of one analog signal with one digital signal becomes possible; this would not only provide diversity, but also eliminate common cause failures.
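The continuous comparison described above, as an added sketch that is not code from the original article or from any PLC vendor: a two-channel analog over-temperature function next to a pair of temperature switches, run over a constructed trace in which one sensor sticks far below the trip point. The trip point, tolerance, valid range and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class DualChannelMonitor:
    """Two analog temperature channels, compared on every scan (illustrative)."""
    trip_c: float = 250.0                 # assumed trip point, not reached in normal use
    tolerance_c: float = 15.0             # assumed allowed discrepancy between channels
    valid_range: tuple = (-20.0, 400.0)   # assumed span; outside it = wire break or short
    fault: str = ""                       # latched until a deliberate reset

    def evaluate(self, a_c: float, b_c: float) -> str:
        """Return 'OK', 'TRIP' or 'FAULT'; TRIP and FAULT both demand the safe state."""
        if self.fault:
            return "FAULT"
        lo, hi = self.valid_range
        for name, value in (("A", a_c), ("B", b_c)):
            if not lo <= value <= hi:
                self.fault = f"channel {name} out of range"
                return "FAULT"
        if abs(a_c - b_c) > self.tolerance_c:
            self.fault = "channel discrepancy"
            return "FAULT"
        return "TRIP" if max(a_c, b_c) >= self.trip_c else "OK"


def first_fault_scan(trace, monitor):
    """Index of the first scan at which the analog comparison reports a fault."""
    for i, (a, b) in enumerate(trace):
        if monitor.evaluate(a, b) == "FAULT":
            return i
    return None


def switch_pair_first_disagreement(trace, setpoint_c=250.0):
    """Two switches reveal a fault only when exactly one of them has switched."""
    for i, (a, b) in enumerate(trace):
        if (a >= setpoint_c) != (b >= setpoint_c):
            return i
    return None


# Constructed vessel temperatures (A, B) in deg C: channel B sticks at 40 from scan 3.
TRACE = [(35.0, 36.0), (38.0, 39.0), (40.0, 40.5), (48.0, 40.0),
         (57.0, 40.0), (66.0, 40.0), (75.0, 40.0), (84.0, 40.0)]

if __name__ == "__main__":
    print("analog comparison:", first_fault_scan(TRACE, DualChannelMonitor()))
    print("switch pair:", switch_pair_first_disagreement(TRACE))
```

On this trace the analog comparison latches a fault while the vessel is still far below the trip point, whereas the switch pair never disagrees because neither switch ever operates.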

Safety PLCs can Implement More Complex Logic

There are particular applications where the safety functions do not just rely on the actual state of one or more sensors, but also on a particular sequence of operations. For example, in a furnace using hydrogen as the process atmosphere, it is important to know that an inert gas purge has been safely completed prior to admitting hydrogen or before venting after using hydrogen.

This certainly has been the kind of application where safety PLCs have spread rapidly, and are already installed on the hydrogen furnaces of almost all the major manufacturers.
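The purge-before-hydrogen and purge-before-vent sequence described above can be expressed as a small state machine. This is an added sketch, not code from the original article or from any furnace manufacturer; the states, the request names, the flow and time thresholds and the rule that a flow dropout restarts the purge timer are all assumptions.

```python
from enum import Enum, auto


class State(Enum):
    AIR = auto()       # vessel may contain air: hydrogen inhibited
    PURGING = auto()   # inert gas purge running, not yet proven
    INERT = auto()     # purge proven complete: hydrogen or vent permitted
    HYDROGEN = auto()  # hydrogen present: vent inhibited


class PurgeInterlock:
    MIN_FLOW = 50.0     # assumed minimum inert gas flow that counts as purging
    REQUIRED_S = 600.0  # assumed uninterrupted purge time, in seconds

    def __init__(self):
        self.state = State.AIR
        self.purged_s = 0.0

    def scan(self, dt_s, inert_flow, request=None):
        """One controller scan; request is 'purge', 'hydrogen', 'vent' or None."""
        if self.state is State.PURGING:
            # Requests are ignored while purging. Only time at or above MIN_FLOW
            # counts, and a flow dropout restarts the timer (assumed rule).
            ok = inert_flow >= self.MIN_FLOW
            self.purged_s = self.purged_s + dt_s if ok else 0.0
            if self.purged_s >= self.REQUIRED_S:
                self.state = State.INERT
        elif request == "purge" and self.state in (State.AIR, State.HYDROGEN):
            self.state, self.purged_s = State.PURGING, 0.0
        elif request == "hydrogen" and self.state is State.INERT:
            self.state = State.HYDROGEN
        elif request == "vent" and self.state is State.INERT:
            self.state = State.AIR
        # Enable signals for the safety outputs; anything not enabled stays closed.
        return {"hydrogen_enable": self.state is State.HYDROGEN,
                "vent_enable": self.state is State.AIR}


def run_purge(interlock, seconds, flow):
    """Run one-second scans at a constant inert gas flow and return the state."""
    for _ in range(seconds):
        interlock.scan(1.0, flow)
    return interlock.state
```

Because the outputs depend on the stored state rather than on the sensors alone, a hydrogen or vent request made out of sequence has no effect.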

Safety PLCs can Significantly Reduce Tampering Risks

It is quite common for a furnace to get stuck due to a sensor that failed or required calibration. This could have happened while the customer was pressing to get the load out of the furnace, and some smart service engineer bypassed the faulty safety sensor to get it done. Another situation is when the smart engineer was called to attend some urgent task and the next cycle was initiated with the safety sensor still bypassed.

Manufacturers have the responsibility to use reliable components to reduce faults and provide effortless use to prevent the need to bypass any safety. They are also responsible for preventing or detecting that a safety function has been modified as far as technically possible. But does a safety PLC help to do so?

It certainly does! First of all, a safety PLC helps to ensure that all of the safety logic is securely embedded inside the controller itself. While anyone can modify hardwired safety logic with a screwdriver, the logic in a safety PLC can be modified only with specific software and a password set by the manufacturer for the single furnace.

It is possible to further increase the security level by combining the safety PLC with smart sensors, which apply a time shift to the trigger signal emitted by the PLC or generate the trigger themselves. In this manner, it is not possible to bypass a smart safety sensor with a short circuit, unlike standard sensors that depend only on dry contacts.

Forcing a contactor by pressing it with a screwdriver is also considered to be correct. However, there are still things that a safety PLC cannot do, no matter how powerful it can be.

This information has been sourced, reviewed and adapted from materials provided by TAV Vacuum Furnaces.
