
If air dumps safely release pneumatic pressure from an industrial machine when an E-Stop is pressed, why is it also standard practice to cut electrical control power from the valves with a safety relay? This would be useful if the air dump failed, but those are already incredibly safe so I feel like there must be a better reason to reasonably justify the added cost and complexity.

The air dump removes pneumatic potential energy from the system (assuming no closed-center valves or check valves). How does a safety relay reduce the potential for motion?

Maybe it has nothing to do with machine safety, but is rather for maintenance reasons? I have seen machines that can be put in "maintenance mode" that leaves air enabled but disables electrical control, and then trained maintenance personnel can enter the machine without fear of it automatically moving for any reason but can still manually move actuators using the override buttons present on most valves.

Cat 4 Dump Valve $\mathrm{MTTF_D}=95 \ \textrm{yr}$

Edit: Actually going through the calculation, I found that Category 3 / Category 4 dump valves are not nearly as safe as I thought. For example, the SMC VP544-X538 dual residual pressure release valve (air dump) is rated with $B_{10\text{D}} = 10\,000\,000 \ \mathrm{cycles}$, where $B_{10\text{D}}$ is the number of cycles until a dangerous failure occurs for 10% of the components. Assuming 100% uptime, a 30 second cycle time, and an operator entering a machine every cycle to load/unload it, we can calculate the dump completes about one million operations every year.

$$ \begin{align} \mathrm{n_{op}} &= \frac{365 \ \mathrm{day/yr}\times24 \ \mathrm{hr/day}\times3600 \ \mathrm{s/hr}}{30 \ \mathrm{s/cycle}}\\ &= 1\,051\,200 \ \left.\mathrm{cycle}\middle/\mathrm{yr}\right.\\ \end{align} $$

Then using the formulas helpfully laid out in the Festo Guideline: Functional Safety (and originally from ISO 13849-1), the mean time to dangerous failure $\mathrm{MTTF_D}$ is calculated at just 95 years.

$$ \begin{align} \text{MTTF}_\text{D} &= \frac{B_{10\text{D}}}{0.1\times\mathrm{n_{op}}}\\ &= \frac{10\,000\,000 \ \text{ cycles}}{0.1\times1\,051\,200 \ \left.\mathrm{cycle}\middle/\mathrm{yr}\right.}\\ &= 95.1 \ \mathrm{yr} \end{align} $$

Assuming a factory has at least 100 of these dump valves, then on average a dangerous failure would be expected every 10 years (assuming only 10% of the components have a dangerous failure).

Although I am slightly confused SMC has the same $B_{10\text{D}}$ rating for both their single-valve Cat 1 and dual-valve Cat 3 dumps. I'm not sure how to account for increased safety from dual valves versus a single valve, so perhaps I am missing something else with the $\mathrm{MTTF_D}$ calculation that would significantly reduce the risk for dual-valve dumps.
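The numbers in the question, carried through in code as an added example (this is not code from the question, SMC, Festo or ISO 13849-1). It computes $\mathrm{n_{op}}$ and the per-channel $\mathrm{MTTF_D}$ exactly as above, and additionally $T_{10\text{D}} = B_{10\text{D}}/\mathrm{n_{op}}$, the point at which 10% of a population of the valves is expected to have failed dangerously, which ISO 13849-1 uses as the replacement limit together with its default 20-year mission time. The class and function names, the `DutyProfile` structure and the cycle-time sweep are my own choices, not anything the standard defines.

```python
"""B10D -> MTTF_D / T10D worked calculation for a pneumatic dump valve (added example).

Relations used (ISO 13849-1, as quoted in the question):
    n_op   = d_op * h_op * 3600 / t_cycle     operations per year
    MTTF_D = B10D / (0.1 * n_op)              per channel, in years
    T_10D  = B10D / n_op                      time until 10 % of units have failed dangerously
The 20-year mission time T_M is the ISO 13849-1 default assumption.
"""
from dataclasses import dataclass

MISSION_TIME_YEARS = 20.0  # ISO 13849-1 default mission time T_M


@dataclass(frozen=True)
class DutyProfile:
    """How often the valve is demanded (hypothetical helper type, not from the standard)."""
    days_per_year: float
    hours_per_day: float
    cycle_time_s: float

    def n_op(self) -> float:
        """Mean number of operations (demands on the safety function) per year."""
        return self.days_per_year * self.hours_per_day * 3600.0 / self.cycle_time_s


def mttf_d_years(b10d_cycles: float, duty: DutyProfile) -> float:
    """Mean time to dangerous failure of one channel, in years."""
    return b10d_cycles / (0.1 * duty.n_op())


def t10d_years(b10d_cycles: float, duty: DutyProfile) -> float:
    """Years after which 10 % of a population of these valves is expected to have failed dangerously."""
    return b10d_cycles / duty.n_op()


def replacement_interval_years(b10d_cycles: float, duty: DutyProfile,
                               mission_time: float = MISSION_TIME_YEARS) -> float:
    """Years after which the valve must be replaced: the earlier of T_10D and the mission time."""
    return min(t10d_years(b10d_cycles, duty), mission_time)


def sweep_cycle_time(b10d_cycles: float, duty_template: DutyProfile, cycle_times_s):
    """Per-channel MTTF_D for several cycle times at the same uptime.

    Returns (cycle_time_s, n_op, MTTF_D_years) tuples so the effect of demand rate is visible.
    """
    rows = []
    for tc in cycle_times_s:
        d = DutyProfile(duty_template.days_per_year, duty_template.hours_per_day, tc)
        rows.append((tc, round(d.n_op()), round(mttf_d_years(b10d_cycles, d), 1)))
    return rows


if __name__ == "__main__":
    # Values taken from the question: SMC VP544-X538, B10D = 10,000,000 cycles,
    # 100 % uptime and a 30 s cycle with one dump per cycle.
    B10D = 10_000_000
    duty = DutyProfile(days_per_year=365, hours_per_day=24, cycle_time_s=30)
    print(f"n_op    = {duty.n_op():,.0f} cycles/yr")
    print(f"MTTF_D  = {mttf_d_years(B10D, duty):.1f} yr")
    print(f"T_10D   = {t10d_years(B10D, duty):.1f} yr")
    print(f"replace = {replacement_interval_years(B10D, duty):.1f} yr")
    for tc, nop, mttfd in sweep_cycle_time(B10D, duty, [10, 30, 60, 120, 600]):
        print(f"cycle {tc:>4} s -> n_op {nop:>10,} -> MTTF_D {mttfd:>7} yr")
```

Two things the sweep makes visible: for the 30 s cycle the valve reaches $T_{10\text{D}}$ after about 9.5 years, well inside the 20-year mission time, so it is a scheduled-replacement item rather than a lifetime part; and the same valve on a 600 s cycle has a $T_{10\text{D}}$ of centuries, so the mission time is the binding limit instead. Note that $\mathrm{MTTF_D}$ here is a per-channel quantity: in ISO 13849-1 the benefit of a dual-channel (Category 3 or 4) dump enters the performance level through the category architecture, diagnostic coverage and common-cause-failure measures, not through a different $B_{10\text{D}}$, which is why the single- and dual-valve units can carry the same rating.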

4 Answers


Because the air dump isn't fail-safe

And because just de-energizing doesn't remove the pneumatic hazard. It's all about safety.

Fred

Tiger Guy

The $\mathrm{MTTF_D}$ of a valve is the $B_{10\text{D}}$ life divided by the number of operations. The higher the cycling frequency of the valve, the lower your mission time (point of replacement). You are correct that 10 million switching cycles is not that high. I have been preaching the value of higher-rated $B_{10}$ life for some time. Safety valves will prevent unexpected startup of the machine because they need both pressure and solenoid actuation to function. The added value is that the dual-channel units are monitored. This means one fault should cause the valve to fail safe and open to exhaust. A detected failure is considered safe because the control system can respond. Safety valves do fail, as many contain internal monitoring and onboard electronics. For this reason, machine safety standards require that both channels are monitored and test pulsing is implemented.


Failsafe design and engineering requires a total conceptual understanding of every aspect of the sequence of operations for the system under consideration, together with all subsystems. Countless examples of flawed "failsafe" systems are available. No good answer can be given off the cuff.

RaSullivan

@MicahLindstrom, the correct application for safety valves is close to the energy source for rapid exhaust, at least for the pneumatic varieties. There should be no valves downstream of the safety valve, because these could potentially inhibit the backflow of air on exhaust by either blocking it or reducing its flow rate, unless I misunderstand your application. Removing power may help with unexpected movement of the machine, but again, it depends on the design of the circuit. Monitored two-channel (redundant) valves power down during a fault or controlled stop to the open-to-exhaust position and cannot re-energize until the fault is cleared (safe de-energization / prevention of unexpected start-up principle).