Question and thoughts regarding E-Stop circuits on industrial machinery

G'day folks, I asked this question some time ago in another newsgroup, and someone suggested I post it here also.
From the answers I received, I do not believe there is a regulation requiring hard-wired E-stop circuits on industrial machinery (specifically, machining equipment). I find this appalling, since I have been privy to one such instance where the PLC/NC failed to shut down all drives on the machine during an E-Stop situation. The particular machine has no hard-wired E-stop circuit, it all runs through the PLC. The E-stop was generated internally by the NC, but the NC locked up (froze), as did the PLC, and the signal to terminate never reached one drive. The doors were unlocked, the control would not function, and the drive could not be disabled by any means other than a main power shut-off. Since the control did unlock the doors, this was a potentially serious situation. Fortunately, the operator realized the drive was still energized. Had there been a redundant hard-wired safety circuit, a push of the E-stop button would have shut down the still energized drive. The drive/PLC manufacturer did a thorough investigation into this incident, and concluded there was a programming problem between the NC and the PLC. They did a software update to 'fix' this.
My question: Should there really be some industry standard that requires a fully redundant hard-wired safety E-Stop circuit? PLCs, while much improved, are still not infallible. There can still be software bugs, as in the case above, and they are still a computer and subject to glitches. I realize that mandating a hard-wired safety circuit will add some cost to a control system, however...all it takes is one person hurt....and that savings is shot to hell.
Your thoughts and comments on this subject would be appreciated.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
Anthony wrote:

Without looking for it specifically I think you will find that there is a requirement in the Machinery Directive of the EU and there are some standards that are attached to that. I would never consider a machine that had no means of shutting off actuators as anything like safe.

As a PES (Programmable Electronic System) was involved then you could also look at ISO/IEC 61508 "Functional Safety of Programmable Electronic Systems" which demands a risk based approach to determining the measures to be taken to ensure safety of the system.

There was also an article in one of the magazines recently (Industrial Technology or Drives Technology or similar) where there was a cautionary article on being careful about the selection of E-stop systems. The article was definitely on the side of ensuring you have positive disconnection guaranteed following pressing any E-Stop.
On a side note, had there been an injury in using the machinery you described, a mere programming problem would not be an adequate defence in any litigation that followed from the incident. If I were you I would disable the machine (lock off the isolator to it) and prohibit its use until there is a full review of the control and improvements have been made. This may not please your production management but at least no one will get killed in the meantime.
--
********************************************************************
Paul E. Bennett ....................<email://peb@a...>

The problem with that, is the particular machine manufacturer (a very large manufacturer) does all of their machines in this manner (through the PLC). This is a widely used PLC/Drive system (I must be careful here..I do not want to subject myself to possible litigation from them.) I do know that the manufacturer did a considerable amount of investigation and extensive testing regarding this issue, before coming back with a software/firmware fix. We are a very large customer, and carry a lot of clout with them, and I personally was climbing their a**es over this issue. They were very prompt at response, since they are also keenly aware of the possible litigation nightmare something like this could cause. The testing proved the fix they came up with did resolve the issue, but still, by relying 100% on the PLC, what other freak things could happen? The chances of what happened on this machine happening again would be rare. It was happenstance...by carefully controlling the signals in a manner to duplicate what we initially thought happened, they were finally able to re-create this particular issue in the test lab, however, in practical application, the chances would be really slim. It was just the right combination of several seemingly unrelated factors that happened by chance to occur at just the exact wrong time. The exact same machines next to it were unaffected. (The software/firmware has been updated in all machines of this type on the floor.) This incident occurred quite some time ago, and we have not had another issue. The reason this was brought up, is that we were having a discussion of E-stop circuits at work the other day on another project that is in development. I am a firm believer in a hard-wired redundantly protected E-Stop circuit. I feel that the PLC shouldn't 100% control the E-Stop, it should react to it, and I asked the question here to get feedback from others in the industry.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
Anthony wrote:

Sometimes naming and shaming is necessary. However, I can understand that there may be reasons why you may not wish to do so. I will accept an email notification of this manufacturer so that I can be sure to check their systems out if I come across any.

One presumes that they had tested the system before they delivered it to you as well and that apparently failed to disclose this problem. Relying on testing of software alone does not really cut it where lives can be lost (potentially).

So, are the circumstances rare enough that you or your company are willing to risk more serious outcomes? I guess that you are not in the UK or Europe where there is legislation in place that makes employers responsible for providing a safe working environment. Having machines that don't stop when the Emergency Stop is operated would be seen as condoning an unsafe place of work.

Press the point. Refer to ISO/IEC 61508 and get them to perform a full risk assessment for the working environment and prove that the risk is As Low As Reasonably Practical (ALARP). At least the final drives should be locked out in CNC machinery when the EM Stop is pressed. You may have to consider whether the EM-Stops around the floor should stop all machines and whether or not the guarding interlocks and guard locking systems are adequate for the machinery. I am, therefore, with you on this topic.
--
********************************************************************
Paul E. Bennett ....................<email://peb@a...>

The problem was apparently that they missed, or for some reason didn't add, a direct link to one of the drives in the firmware. Under normal circumstances, this would never show up. Drive 1 and 2 were direct connected to the E-stop of both the NC and PLC via firmware; however, drive 3 (spindle) was not, it was loopbacked from drive 2 through another loop in the PLC/NC. In any situation, basically, except the one that occurred, all 3 drives would E-stop. What happened in this case though, was both the PLC and NC happened (we are fairly certain this occurred due to a power flicker/surge) to freeze (lock up) after issuing the shutdown command of drive 1 and 2, but before the loopback happened to drive 3, essentially leaving drive 3 running. The solution, among other added redundancy, was to direct connect drive 3 as were drive 1 and 2, so that all drives receive the command simultaneously, eliminating the loopback.

I am in the US, and we do have all kinds of regulations. One other change was that the doors no longer unlock nor can they be unlocked (without physically removing the locking mechanism, which requires disassembly of 1/2 of the machine) in E-Stop. This prevents personnel from accessing anything inside the machine until the E-Stop condition is cleared.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
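The failure Anthony describes above (drives 1 and 2 commanded directly, drive 3 reached only by a second pass through the PLC/NC, and the controller freezing between the two) can be reproduced in a small constructed model. This is an added example, not the poster's or the machine vendor's code; the drive names, the two-step ordering, the point at which the "freeze" is injected, and the hard-wired relay model are assumptions chosen to mirror the post. It also shows why the vendor's fix (direct connection of all three drives) narrows the window but does not close it, which is the case a controller-independent hard-wired E-stop covers.

```python
"""Constructed model of an E-stop whose propagation runs through a controller.

Added example, not from the thread or any product firmware. Assumptions:
three drives, a controller that executes its E-stop sequence as an ordered
list of firmware steps, and a 'freeze_after' fault that stops execution
before a given step (modelling the PLC/NC lock-up in the post).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Drive:
    name: str
    energized: bool = True

    def stop(self) -> None:
        self.energized = False


class ControllerFrozen(Exception):
    """Models the PLC/NC locking up part-way through its E-stop sequence."""


@dataclass
class Controller:
    steps: List[Callable[[], None]]  # firmware steps, executed in order
    freeze_after: Optional[int] = None  # lock up before step index N (None = no fault)

    def execute_estop(self) -> None:
        for i, step in enumerate(self.steps):
            if self.freeze_after is not None and i >= self.freeze_after:
                raise ControllerFrozen(f"controller froze before step {i}")
            step()


def loopback_topology(drives: List[Drive], freeze_after: Optional[int]) -> Controller:
    """Original wiring as described: drives 1 and 2 direct, drive 3 via a second pass."""
    d1, d2, d3 = drives

    def step0() -> None:  # firmware stops drive 1 and 2 directly
        d1.stop()
        d2.stop()

    def step1() -> None:  # PLC reads drive 2's state and only then commands drive 3
        if not d2.energized:
            d3.stop()

    return Controller([step0, step1], freeze_after)


def direct_topology(drives: List[Drive], freeze_after: Optional[int]) -> Controller:
    """Vendor's fix as described: every drive receives the stop in the same step."""

    def step0() -> None:
        for d in drives:
            d.stop()

    return Controller([step0], freeze_after)


def hardwired_estop(drives: List[Drive]) -> None:
    """Hard-wired safety circuit (assumed): the E-stop contact drops the contactor
    feeding every drive. It has no dependency on controller state, so a frozen
    PLC/NC cannot interrupt it."""
    for d in drives:
        d.stop()


def simulate(topology, freeze_after: Optional[int] = None, hardwired: bool = False) -> List[str]:
    """Press the E-stop and return the names of drives still energized afterwards."""
    drives = [Drive("drive1"), Drive("drive2"), Drive("drive3_spindle")]
    ctrl = topology(drives, freeze_after)
    try:
        ctrl.execute_estop()
    except ControllerFrozen:
        pass  # software path goes no further; whatever was not yet commanded keeps running
    if hardwired:
        hardwired_estop(drives)
    return sorted(d.name for d in drives if d.energized)


if __name__ == "__main__":
    print("loopback, no fault:        ", simulate(loopback_topology))
    print("loopback, freeze mid-way:  ", simulate(loopback_topology, freeze_after=1))
    print("direct, freeze mid-way:    ", simulate(direct_topology, freeze_after=1))
    print("direct, freeze before step:", simulate(direct_topology, freeze_after=0))
    print("direct + hard-wired:       ", simulate(direct_topology, freeze_after=0, hardwired=True))
```

The second run reproduces the incident: the spindle drive is the only one left energized. The fourth run is the point of the thread: a controller that locks up before it processes the E-stop at all leaves every drive running under either topology, and only the hard-wired path (last run) brings the machine to a safe state regardless.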
Many "line drives" (GE and ABB specifically) come with 3 stop functions. There is the normal stop function that is usually software. There is the E-Stop or Fast Stop which is a powered, regenerative stop (if reverse power is available). There is also a coast stop which disconnects power. The last 2 are always hardwired.
If you buy German equipment it will also come with monitoring circuits for those hardwired e-stops.
Anthony wrote:

All the other thoughts on this thread, plus:
I've brushed up against the software airworthiness requirements in DO-178B, and I've known people who've written software for medical devices that must be approved by the FDA for use on humans. In both cases the software design process that must be followed for life-critical software would boggle the mind of anyone who's used to doing "normal" software development.
Basically to design software for one of these life-critical applications you have to actually _design_ the software before it's written, then do rigorous unit testing of each little bit of software before it's integrated, then test the integration, etc., etc. Nobody who isn't required to make their software life-critical will do so; if they did they'd go broke. If your software supplier hasn't gone broke yet, make the obvious conclusion.
In particular, DO-178B separates software into five levels of criticality, from E (software fails, pilot never knows), to C (software fails, it's a major PITA and the pilot may have to change flight plan) to A (software fails, pilot is part of a smoking hole in the ground). As your software's level of criticality rises from one level to the next the amount of time to design the software and get it certified goes up by about a factor of 7.
Your vendor's software is probably around the level of quality that would allow it to be certified at DO-178B level D. The _minimum_ level of software certification that I would feel comfortable with in a hard-stop application would be level B. So all your vendor has to do is spend about 50 times more on design and development time, and then you can consider them to be safe!
Or you can just insist on a hard-wired stop.
--

Tim Wescott
Wescott Design Services
An E stop circuit should be routed differently. It should be hard wired and not go through the PLC. The E stop is a back up function if the PLC fails and the brown stuff starts heading towards the fan.
Software systems are more difficult to assess with respect to safety than hard wired ones.


Two sections from NFPA 79-2002, Electrical Standard for Industrial Machinery:

9.4.3* Control Systems Incorporating Software and Firmware Based Controllers. Control systems incorporating software and firmware based controllers performing safety-related functions shall conform to all of the following:
(1) In the event of any single failure perform as follows:
  (a) Lead to the shutdown of the system in a safe state
  (b) Prevent subsequent operation until the component failure has been corrected
  (c) Prevent unintended startup of equipment upon correction of the failure
(2) Provide protection equivalent to that of control systems incorporating hardwired/hardware components
(3) Be designed in conformance with an approved standard that provides requirements for such systems

9.2.2 Stop Functions. The three categories of stop functions shall be as follows:
(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.
(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
(3) Category 2 is a controlled stop with power left available to the machine actuators.

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.
9.2.5.3.2 Category 0, Category 1, and/or Category 2 stops shall be provided where indicated by an analysis of the risk assessment and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority. Stop function shall operate by de-energizing that relevant circuit and shall override related start functions.
9.2.5.3.3 Where required, provisions to connect protective devices and interlocks shall be provided. Where applicable, the stop function shall signal the logic of the control system that such a condition exists. The reset of the stop function shall not initiate any hazardous conditions.

9.2.5.4* Emergency Operations (Emergency Stop, Emergency Switching Off).
9.2.5.4.1 Emergency Stop. Emergency stop functions provided in accordance with 9.2.5.3 shall be designed to be initiated by a single human action.
9.2.5.4.1.1 In addition to the requirements for stop, the emergency stop shall have the following requirements:
(1) It shall override all other functions and operations in all modes.
(2) Power to the machine actuators, which causes a hazardous condition(s), shall be removed as quickly as possible without creating other hazards (e.g., by the provision of mechanical means of stopping requiring no external power, by reverse current braking for a Category 1 stop).
(3) Reset of an emergency stop circuit shall not initiate a restart.
9.2.5.4.1.2 Where required, provisions to connect additional emergency stop devices shall be provided in accordance with Section 10.7.
9.2.5.4.1.3 The emergency stop shall function as either a Category 0 or a Category 1 stop (see 9.2.2). The choice of the category of the emergency stop shall be determined by the risk assessment of the machine.
9.2.5.4.1.4 Where a Category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. Exception: An electronic logic (hardware or software) system as well as the communication network or link that complies with both 9.4.3 and 11.3.4 and is listed for Category 0 emergency stop function shall be permitted. The final removal of power shall be accomplished by means of electromechanical components.
9.2.5.4.1.5 Where a Category 0 or a Category 1 stop is used for the emergency stop function, final removal of power to the machine actuators shall be ensured and shall be by means of electromechanical components. Where relays are used to accomplish a Category 0 emergency stop function, they shall be nonretentive relays.

9.2.5.4.2.1 Emergency switching off shall be permitted as follows:
(1) Where protection against direct contact (e.g., with collector wires, collector bars, slip-ring assemblies, control gear in electrical operating areas) is achieved only by placing out of reach or by obstacles.
(2) Where other hazards or damage caused by electricity are possible.
9.2.5.4.2.2 Emergency switching off shall be accomplished by disconnecting the incoming supply circuit of the machine effecting a Category 0 stop. Where the machine cannot tolerate the Category 0 stop, it shall be necessary to provide other protection (e.g., against direct contact), so that emergency switching off is not necessary.
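The clauses quoted in the post above describe behaviour that can be checked as a state machine: a Category 0 stop removes power immediately while a Category 1 stop keeps power on until the controlled stop completes (9.2.2), the E-stop overrides everything in every mode (9.2.5.4.1.1(1)), reset must not restart the machine (9.2.5.4.1.1(3)), and a single failure in a software-based safety function must lead to a safe state with no operation until corrected and no unintended startup afterwards (9.4.3). The model below is an added example, not text from the standard or anyone's product code; the state names, the dual-channel normally-closed contact modelling, the discrepancy check used to stand in for "single failure", and the Category 1 timing are all assumptions made to make those requirements testable, not a substitute for the standard.

```python
"""Constructed state-machine model of the NFPA 79 emergency-stop clauses quoted above.

Added example, not from the thread or the standard. Assumptions: two redundant
normally-closed E-stop contacts (an open circuit, whether a pressed button or a
broken wire, reads False and therefore fails safe); a channel discrepancy stands
in for the 'single failure' of 9.4.3; Category 1 braking is modelled as a fixed
number of ticks before the final electromechanical power removal.
"""
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    RUN = auto()       # actuator power available
    STOPPING = auto()  # Category 1: controlled stop in progress, power still on
    STOPPED = auto()   # power removed, E-stop latched
    READY = auto()     # E-stop released and reset acknowledged; awaiting a deliberate start
    FAULT = auto()     # single failure detected; locked out until corrected


@dataclass
class Inputs:
    ch_a: bool = True          # True = contact closed (healthy); False = pressed or wire broken
    ch_b: bool = True
    reset: bool = False        # reset button
    start: bool = False        # separate start command
    fault_cleared: bool = False  # maintenance has corrected the detected failure


class EmergencyStop:
    def __init__(self, category: int, cat1_stop_ticks: int = 2):
        assert category in (0, 1)  # 9.2.5.4.1.3: E-stop is Category 0 or Category 1
        self.category = category
        self.cat1_stop_ticks = cat1_stop_ticks
        self.state = State.RUN
        self.power = True  # final power removal is by the contactor, modelled as this flag
        self._stop_timer = 0

    def tick(self, inp: Inputs) -> State:
        # Channel discrepancy = single failure in the stop circuit.
        # 9.4.3(1)(a): shut down to a safe state.
        if inp.ch_a != inp.ch_b and self.state != State.FAULT:
            self.state = State.FAULT
            self.power = False
            return self.state
        estop_active = not (inp.ch_a and inp.ch_b)

        if self.state == State.FAULT:
            # 9.4.3(1)(b)/(c): no operation until corrected, and correction alone
            # does not start anything; the normal reset + start sequence still applies.
            if inp.fault_cleared and inp.ch_a and inp.ch_b:
                self.state = State.STOPPED
            return self.state

        if estop_active and self.state in (State.RUN, State.READY):
            # 9.2.5.4.1.1(1): overrides all other functions in all modes
            if self.category == 0:
                self.power = False  # Category 0: immediate removal of power
                self.state = State.STOPPED
            else:
                self._stop_timer = self.cat1_stop_ticks  # Category 1: power kept on to brake
                self.state = State.STOPPING
            return self.state

        if self.state == State.STOPPING:
            self._stop_timer -= 1
            if self._stop_timer <= 0:
                self.power = False  # stop achieved, now remove power
                self.state = State.STOPPED
            return self.state

        if self.state == State.STOPPED:
            # 9.2.5.4.1.1(3): reset clears the latch only once the E-stop is released,
            # and never re-energizes the actuators by itself.
            if not estop_active and inp.reset:
                self.state = State.READY
            return self.state

        if self.state == State.READY and inp.start:
            self.power = True
            self.state = State.RUN
        return self.state


if __name__ == "__main__":
    e = EmergencyStop(category=0)
    for label, inp in [("run", Inputs()), ("press", Inputs(ch_a=False, ch_b=False)),
                       ("reset", Inputs(reset=True)), ("start", Inputs(start=True)),
                       ("wire break", Inputs(ch_b=False))]:
        print(f"{label:10s} -> {e.tick(inp).name:8s} power={e.power}")
```

The two properties most relevant to the incident in this thread are the ones the tests pin down: after a reset the machine sits in READY with power still off until a distinct start command arrives, and a single-channel open (a broken wire looks exactly like a pressed button on that channel) drops power and holds the machine in FAULT until the fault is explicitly cleared, after which the full reset and start sequence is still required.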

Thank you.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.