Patent Application
20220276287
The present invention relates generally to electrical disconnects and more specifically electrical disconnects incorporating absence of voltage testers.
In an industrial environment, electrical equipment is often housed within a panel, cabinet, or other type of enclosure. Equipment ranging from power components (e.g., switches, circuit breakers, fuses, drives, contacts, etc.) toho control and network products (e.g., PLCs, controllers, network switches, and power supplies, etc.) are often enclosed not only to provide protection from harsh or dynamic environments, but also to provide various levels of safety and security. Unauthorized access to an electrical, control, or network panel, whether intentional or unintentional, can lead to various hazards depending on the application especially if the electrical components are energized.
In recent years there has been an increased emphasis on electrical safety in the workplace with efforts to promote awareness of shock, arc flash, and arc blast hazards. When working on or near electrical equipment, hazards such as arc flash, arc blast, and electrical shock exist when voltage is present. OSHA enforces electrical safety via the general duty clause, relying heavily on content in voluntary consensus standards such as NFPA 70E, the Standard for Electrical Safety in the Workplace. With each revision of NFPA 70E, it is becoming less and less acceptable to perform tasks on energized equipment. In most cases, work involving electrical hazards is required to be performed in an electrically safe work condition (e.g., de-energized state). However, NFPA 70E also recognizes that some diagnostics and testing activities must be performed while the equipment is energized.
With industrial facilities become increasingly automated and networked, diagnostic activities have become more sophisticated. In many cases, startup configuration, troubleshooting, and testing of devices can be performed with only control/network power. It is generally accepted that lower voltages are less hazardous with regards to both electrical shock and arc flash. NFPA 70E Article 130(A)(3) specifically indicates that energized work on equipment rated less than 50V can be permitted. In industrial automation, control/network functions typically run at lower voltage levels (24 Vdc). Thus, for many applications it is beneficial to have a separate infrastructure for control/network power within the panel that is not derived from the main power so that the main power source can be locked out while control/network power is available while certain tasks are performed.
Advances in technology have made personnel badging and access readers commonplace in many enterprise settings. Many industrial facilities also have measures in place to restrict and monitor access to various departments, laboratory, or production areas. These systems often run on network power or control voltage<50V. As power and control systems become intelligent with network capabilities, the lines between IT staff, electricians, and controls engineers are becoming blurred. With power, control, and network equipment all housed in similar enclosures, it is likely that someone who is unqualified to work on a particular type of equipment could try to access a panel creating hazards for him or herself, surrounding people, the equipment, or process—particularly in high pressure situations such as unplanned outages or situations where schedule delays must be avoided.
Additionally, the use of voltage indicators has become increasingly popular in industrial applications. Voltage indicators are typically hardwired to the load side of a circuit breaker or disconnect and use a series of LEDs to indicate when voltage is present in a panel or compartment. Powering a voltage detection and indication system via a separate source enables the sensor to actively indicate when voltage is not present. The embodiment of this installed voltage test device could include an optional output, for example dry contacts, which could be used to convey the results of the voltage test to another system.
When an enclosure is outfitted with a voltage detector, enclosure lock, controller, and optional credential reader (all powered independently from the main power circuit) new methods to address the safety, security, and maintenance problems that occur in industrial facilities are possible. Often, these elements do not exist or if a subset is present in an enclosure, they function independently. The new concept described herein, presents an opportunity to solve some of these problems by presenting a new method to usher in the next generation of safety to security and maintenance practices.
Unauthorized access to an electrical, control, or network panel, whether intentional or unintentional, can lead to safety and security hazards that may affect people, equipment, or process. Using an access control system at the enclosure level that includes an electronic lock in conjunction with a credential reader users can control or restrict access to authorized people at authorized times. By powering the controller, lock, and credential reader via a non-hazardous source or energy storage device separate from the primary power (such as the network (PoE), battery, ultracap, etc.), voltage is limited to a safe level (50V or less) and the devices will continue to function as long as the secondary power is available, regardless of the status of the main/primary power sources within the enclosure. To further reduce risk, it may be desirable in some cases to further restrict access to situations only when the panel has been de-energized, or if special circumstances have been met (e.g., completion of an energized work permit). Thus, incorporating a voltage detection system is also essential.
A method for allowing access to an electrical enclosure having a disconnect includes upon initiation by a user or upon a change of state of the disconnect automatically performing the steps of checking for an absence of voltage, giving a positive indication of an absence of voltage, checking the state of each phase of the electrical disconnect to ensure contacts of the disconnect are open, and opening a lock on the enclosure.
The Absence of Voltage Tester (AVT, defined in UL 1436) has been treated as a separate component in an electrical system (
When the AVT function is built into another component, it becomes viable to automatically initiate the test when the component changes state. For example if it is a circuit breaker, switch, or contactor, when the contacts open the AVT function could automatically be triggered and the result signaled to the exterior of the enclosure.
Each of the three configurations could also leverage additional options for the external user interface portion of the AVT. For example, it could be incorporated into a HMI (human machine interface) or other portal for interaction. If the component is networked, it may be possible to initiate the test remotely over the network outside of the arc flash boundary. This would result in increased personnel safety. It is still likely that there will be an external interface so that any person actually entering the equipment (or area the equipment is supplying power to such as a machine cell, robotic cell, etc.) so that they could re-verify to ensure that the equipment is the same equipment that was previously tested via the network. An arrangement of visual signaling devices, such as a pilot light or stack light, could be used to signal which equipment was remotely tested.
In some applications when an absence of voltage verification test is performed there may not be power present on the line side of the disconnect. In these situations, if one or more phases of the electrical disconnect mechanically fails, even though an absence of voltage test may be satisfactorily completed, if a process triggers upstream power to be applied, the area that was tested can become re-energized (see
The present invention can add an additional condition to the AVT test to verify that each phase of the disconnect is open adding another layer of safety when establishing an electrically safe work condition (See Reference to NFPA 70E-2018 120.5). This product provides a way to electrically verify that a mechanical failure of the electrical disconnect did not occur before accessing or working on equipment downstream of the disconnect.
The product can be used as an optional accessory with an AVT, a product that is a combination of an AVT with an additional disconnect verification capability, or have the functionality for both the AVT and disconnect verification built into a disconnect component.
Typical applications may include:
The type of disconnect includes IEC rotary style disconnects and NEMA flange disconnects, including heavy duty safety switches.
To ensure an electrically safe work condition exists and that the equipment will not become energized if an upstream device is closed, after locking and tagging out the local disconnect where work will be performed best practice is to test for absence of voltage and then test for resistance across the contacts (line/load for phase A, B, and C). Similar to the advantages of an AVT when performing the absence of voltage test compared to using the portable test instrument, the reliability of electrically verifying each phase of the disconnect is open with a permanently mounted tester has several benefits: the test can be performed automatically, human error is reduced, and reliable test points are ensured if the tester includes an “installation test” to ensure that the test leads are in contact with a circuit part when the test is performed.
The tester can be hardwired electrically to components on both the line and load side of each phase of the disconnect being tested.
In this product, verifying the disconnect is open can involve the following steps:
The test sequence is typically initiated by the user at the local interface, although it could also be initiated over a network, via an HMI, or by the AVT if used in combination. Two test sequences and their possible signaling results are described in
Unauthorized access to an electrical, control, or network panel, whether intentional or unintentional, can lead to safety and security hazards that may affect people, equipment, or process. Using an access control system at the enclosure level that includes an electronic lock in conjunction with a credential reader users can control or restrict access to authorized people at authorized times. By powering the controller, lock, and credential reader via a non-hazardous source or energy storage device separate from the primary power (such as the network (PoE), battery, ultracap, etc.), voltage is limited to a safe level (50V or less) and the devices will continue to function as long as the secondary power is available, regardless of the status of the main/primary power sources within the enclosure. To further reduce risk, it may be desirable in some cases to further restrict access to situations only when the panel has been de-energized, or if special circumstances have been met (e.g., completion of an energized work permit).
Another method, shown in its simplest form in Error! Reference source not found.0 and 11, consists of a controller with input for a voltage tester and output to an electronic lock. The input and output contacts may be standard I/O, safety-rated and redundant, etc. or some combination. The voltage tester is configured to monitor the main power circuit within the enclosure. The voltage tester, lock, and controller are all powered from a non-hazardous voltage source independent of the main power circuit (this enables the devices in the system to operate even when the main power is isolated); the system components may be powered by the same source or separate sources (e.g., battery, network (PoE), etc.) The controller must have processing power to step through the logic outlined in Error! Reference source not found.0. The user requests access to the locked enclosure by testing for voltage. If voltage is present, the enclosure remains locked. If the absence of voltage has been verified, the controller will disengage the lock for a pre-determined amount of time (for instance, 10 seconds) allowing the user to open the door before the controller re-engages the lock. When the door is closed the process can be repeated again.
Another variation is to include a form of credential authentication in the process to add additional security and prevent unauthorized personnel from accessing equipment. This is shown in 12 and 13. This method is similar to the basic process in Error! Reference source not found.0, but includes an extra step to verify the identity of the user (most likely prior to checking for voltage, although the sequence could be interchangeable). This additional functionality requires the controller to have two additional inputs for a credential reader (hardware installed on the exterior of the enclosure) and credential verification system. The credential verification system will typically consist of a database of credentials approved for access, external to the system linked via network from another system to the controller. However, in some cases this could be maintained within the controller. Regardless, in this embodiment, in addition to processing ability, the controller must also contain memory to store the credentials if operating as a standalone device or should the network connection be lost. The credential reader must be powered in the same manner as the controller, voltage tester, and lock.
In this embodiment, the user requests access to the system by presenting his or her credentials (something that you have—badge; something that you know—PIN or password; or something that you are—biometrics) to a credential reader. The credential reader is used to authenticate the identity of the user. If the credential presented to the reader is verified by the controller as valid based on the most-recent status from the credential verification system, a test for the absence of voltage is then conducted. If voltage is not present, the lock is opened and the user is granted access. However, if the credentials are not validated or the presence of voltage is detected or undeterminable, access is denied and the lock remains engaged.
It is possible to expand upon this concept in a more complex embodiment with advanced features, as shown in Error! Reference source not found.14 and 15. Depending on the desired functionality, the embodiment may consist of all or a subset of these features.
The process begins by a user requesting access to an electrical panel with the elements shown in Error! Reference source not found.15 installed. The user may be requesting access based on a workorder he or she received generated in an enterprise asset management system. The workorder system may be linked as an input to the controller or it may be operating independently. By integrating the workorder system, it is possible to add checks to the process to ensure that the correct equipment is being accessed and the work can be scheduled in a timeframe that is least disruptive to other processes. Verifying that the correct equipment is being accessed will help increase safety as many industrial enclosures look similar and every year incidents occur when someone accesses the wrong equipment due to improper labeling or “look-alike” features. Further, damage to surrounding equipment or process can occur if the equipment being serviced is not first shut-down properly. Particularly in process industries, this can be hazardous to people, the environment, and surroundings. Thus, being able to set a timeframe for approved access is desirable. This feature can also be used to limit access to a particular area or piece of equipment for service technicians or contractors.
Once it has been determined that the equipment attempted to be serviced was approved for access, the next step is to verify the user's credentials. The user presents his or her credentials to the reader. This process may include scanning a badge or fob, entering a PIN or password on a keypad, or presenting a fingerprint, among other methods. The system completes the process to authenticate the credentials by validating them via the credential verification system whether it is internal to the controller or linked via a separate system. This system may be linked to an active directory with a network connection to a server where credentials are stored. The credential may be further enhanced by including additional characteristics such as making sure the employee is authorized to access a particular type of equipment (for example, distinctions can be made by job role (maintenance versus office worker), or between people authorized to access high and low voltage equipment, different types of equipment such as control and automation equipment versus power distribution, equipment from a specific manufacturer, equipment in a particular zone or work cell, etc.) and cross-referencing a training database to ensure credentials are up-to-date. By integrating the credentials with training records, access can be contingent on ensuring that required classes or skill audits have been completed and documented within the system. This also sets the foundation to deliver specific need-based training on demand. For instance, prior to accessing a motor control center the user who requested access may be required to watch a brief safety video unique to a particular model of equipment or review a safety procedure.
Once credentials are validated, the controller can seek status from the voltage detector. If the voltage test determines that the equipment is de-energized, the lock can be disengaged granting the user access. However, if the panel is energized access can be denied or an additional set-of requirements can be incorporated into the controller logic to determine if access can be granted. For instance, energized work may be dependent on having additional documentation (approved energized work permit, completed job briefing, etc.) in the workorder or other linked system. Additionally, for some tasks, procedures may require more than one person to be present. The access system could be configured to require credentials from more than one user to be presented and authenticated prior to performing energized work or performing any work in a restricted area.
If all conditions have been determined satisfactory for the lock to disengage, access is granted to the enclosure. Depending on the style of lock used, the lock could engage automatically after a pre-determined period of time or it may be dependent on the position of the door. If a door position sensor is used, the controller could incorporate additional logic to determine when to send an alert or notification if the door has been open too long, if it is unexpectedly open, if it remains open when the panel is re-energized, etc. This further enhances safety and security of the overall system.
In addition to the usage already explained, another reason to implement such a system is to log and record access for energized and/or de-energized work. After access is granted or approved, the request and resulting process analysis and result can be logged. These results can then be sent as an alert or alarm if a communication mechanism is available or they could be displayed on a physical interface, for instance an HMI, mobile device, etc. Notifications of both access grants and denies are important and can be used to alert other affected personnel if work is being performed. For example, if access to energized work is approved, an alert could be sent to HMIs nearby within the arc flash boundary. Similarly, before a maintenance worker attempts to access a piece of equipment, he or she may be interested in viewing the previous access attempts and when they occurred (similar to how alarms are displayed on HMIs). The user could request to review these results via the panel HMI (or other similar visual interface); if access attempts are recent or align with when a problem began, the worker may want to get more information before beginning his work and attempting to open the panel.
The processes described herein represent three embodiments ranging from basic to advanced; one skilled in the art will recognize that there are other variations in sequence that may be just as effective or desirable based on the combination of features and functionality implemented. For example, the system could be configured to only require credentials if the system is energized in which case the voltage test would occur before the credential verification step.
The required hardware will depend on the amount of functionality desired and implemented. In the basic embodiment, the logic could be embedded in a stand-alone controller. As additional functionality is added, a networked option and/or software to provide easier management of credentials and conditions may provide a useful interface.
Network connection—to interface with databases for credentials, training records, etc. and to log access attempts, voltage test results, and time door is open, etc. (optional)
Any time equipment is energized, electrical shock and arc flash hazards exist; however, voltages less than 50V AC or 60V DC are generally considered safe. Utilizing a safe powered access control or enclosure “lock” could prove beneficial in the following scenarios:
In applications where each minute of downtime comes with a price tag of thousands of dollars, minimizing process disruptions is essential. Additionally, certain processes may be hazardous if not properly controlled, thus limiting access to control functions and settings can have major security and safety implications. The access control or enclosure “lock” is also applicable in the following scenarios:
Monitoring and controlling access at the panel or compartment level in industrial environments has the potential to revolutionize maintenance and record keeping, especially when combined with voltage testing. As companies are facing stricter documentation requirements in regulations and codes, there is a need for product and tools that simplify compliance. The following scenarios describe how an access control or enclosure “lock” can help improve basic maintenance tasks.
Additionally, the ability to lock out the primary power source and still access control functions could have the following benefits:
Adding intelligence, via the network capability, to voltage detection and indication systems enables additional information such as status of components related to safety to be available in real time. By adding network capability (or output contacts) to the voltage detector additional display and information activities are now possible. For instance, if switching is performed remotely, the output from the voltage detector could also be displayed via a HMI in remote locations. Additionally, if using a continuous power source (such as PoE), rather than an intermittent source, a positive indication for both the absence and presence of voltage will be displayed as long as power is available. Network capability also allows to supplement the physical interface with a more intricate display, for example indicating when voltage was last detected or more information on any other status changes.
Another embodiment could include an override code or key to allow access to the energized panel in special situations that may be required for certain applications or by qualified personnel if allowed by safety policy.
While particular embodiments and applications of the present invention have been illustrated and described, it is to be understood that the invention is not limited to the precise construction and compositions disclosed herein and that various modifications, changes, and variations may be apparent from the foregoing without departing from the spirit and scope of the invention as described.
This application claims benefit to International Patent Application Serial No. PCT/US2020/043437, filed Jul. 24, 2020 and U.S. Provisional Patent Application No. 62/882,042 filed on Aug. 2, 2019, the entirety of which is hereby incorporated by reference herein.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/US2020/043437 | 7/24/2020 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 62882042 | Aug 2019 | US |
