E-Stop question

This question has come up a few times in the recent past, and I seemingly cannot find a definitive answer. I was trained that an E-Stop circuit on a machine should always be hard-wired with redundant failsafes (i.e. safety relays, etc.) and this makes perfect sense, as you do not want the E-stop circuit to fail, if possible. Lately though, we have been seeing machines where all the E-Stop circuits are run through the PLC. There is *no* physical hard-wired E-Stop circuit; even the E-stop button is just wired to inputs on the PLC. IMHO, this is bad practice. I have already seen an instance where this design failed in practical application. In these designs, the PLC is responsible for shutting down everything else, which works fine, as long as the PLC is actually RUNNING. When the PLC 'locks up', or has other glitches (RAM problems, etc.) this could lead to bad things. My question is: Is it mandated anywhere (OSHA, etc.) that an E-stop circuit should be hard-wired? I was hoping that someone here could provide a link to information that specifically addresses this question.
Thanks in advance.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make

I know of no written standard that requires hard wire. Most places I have worked do it both ways as added insurance.
I created a program for a main-tie-main PLC program that would prevent all three breakers from closing. Demonstrated it to death that it was impossible for all three to close. First thing that the customer wanted then was to close all three breakers for a phasing test by the utility. I did my best impression of "you have got to be kidding" politely.
I like PLCs but I would not trust one with my life, or body parts.

Well, like it or not, in more and more areas we DO have to trust the computers (with backup) with our lives.
In the case of most PLC applications there is a reasonably well-defined "safe" state which usually means TURN EVERYTHING OFF RIGHT THIS INSTANT.
Seems to me that the manufacturers COULD produce controllers that sort of "hard wire" this "off" condition.
Frankly, however, if you fly or even drive a car, your life might well depend upon computers working properly.

John Gilmer wrote:

There are now safety rated PLCs for E-stop purposes. Siemens has 'em. AB is going to have one if it is not already available. Moore Products (now Siemens) had the Quadlog system out for quite some time now. Look for a TUV rating for safety. (with an umlaut over the U)
Quadlog is a safety system marketed to the power industry for multiburner gas boilers (one example). There are special error checking routines and redundant processing and I/O to perform automated error handling and safe shutdowns of complex control systems.
It has little to do with the wisdom of trusting your life to someone else's programming abilities. Oops.

not valid
I am not asking them to stop in an emergency.
It's not even required that you have an e-stop in all cases. You have to make a decision about what level of risk there is and add safety features until the risk is abated. E-stop pushbuttons are one feature that may reduce risk.
In any case you are required to have a means of absolutely removing power from the machine - a disconnect switch serves this purpose.
It's not unheard of to have an "e-stop" wired to a PLC and have the PLC take the necessary action to bring the machine or process to a desired condition. These really should be called something other than e-stop - maybe master stop.
As even "small" systems become more complex, it might be useful to look at the "complex from the start" systems for guidance.
Power plants usually have a "Panic Button" which brings the system to a crashing halt.
BUT, it just doesn't cut the power to everything at once. Certain pumps and fans have to be kept operating, for example. Sometimes, these pumps and fans have to be turned ON.
Perhaps the "human interface" types (who am I kidding?) should put easily read information panels near "panic switches" that give an indication of WHAT should be expected to happen if the button or switch is activated.
When designers throw PLCs at problems rather than a handful of relays, it's quite likely that "safe" shutdown is different than pulling the plug.


The machine type in question would be machining equipment. Basically everything should stop. In the particular bad case I have seen, the NC locked up. It faulted E-stop, but all the signals apparently never fully reached the PLC before it locked also. The PLC apparently had time to shut down 2 of the 3 drives it was controlling; however, it left the spindle running. It also allowed the door to be opened. There was no method that would shut the spindle down, with the exception of turning off the main power (the E-stop pushbutton did nothing, because it was tied to PLC inputs).

Now, had the E-stop button been physically tied to safety relays, which would have been included in the drive power enable circuit, as well as the NC and PLC with E-stop inputs, then with the exception of a failed safety relay, everything would have stopped when the button was pushed. The other bad part of this is that the PLC apparently did *not* go into a 'default safe mode'; it simply locked. The cause of the computer lock has never been identified, and likely never will be. There were software changes made by the machine tool manufacturer and the electronics manufacturer to help prevent this type of situation from happening again, but IMHO, you are still dealing with a software solution to a hard-wire issue, and with that come all the problems associated with software implementation, in that it only works if the software is actually *running*.

I am a proponent of a hard-wired safety circuit on this type of equipment. If you physically remove power via a redundant circuit, along with a software solution, I feel the machine is safer. I wasn't sure there were any written guidelines on this subject, and I appreciate everyone's input.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
Good example. I will usually provide the PLC with the status of the E-stop, so that it knows to shut down the system. Of course this is only so that restoring the normal stop button position does not yield automatic restarts.
The main purpose of the e-stop is to remove the power from the output cards' AC/DC common. Leave the processor running for controlled restart. Of course bad programming can still yield an automatic restart when restoring power. I just fixed an automatic restart on a piece of OEM programming today.
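To show the two behaviours described in the lockup story and in the post above (a hard-wired E-stop chain that drops the main contactor whether or not the PLC is running, and a PLC run-permit latch that needs an explicit reset so that releasing the button does not restart the machine), here is an added simulation; it is constructed for this thread and is not code from any poster or vendor. The `Plc`, `MainContactor` and `run_scenario` names, and the "frozen processor" model, are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Plc:
    """Controller that reads E-stop status and latches a run permit (constructed model)."""
    running: bool = True            # False models the 'locked up' processor
    run_permit: bool = False        # latched; set only by a deliberate reset
    drive_enable_out: bool = False  # output that enables the drives

    def scan(self, estop_healthy: bool, reset_pressed: bool) -> None:
        """One scan. A frozen processor executes nothing, so its outputs freeze too."""
        if not self.running:
            return
        if not estop_healthy:
            self.run_permit = False     # E-stop drops the latch
        elif reset_pressed:
            self.run_permit = True      # only an explicit reset re-arms it
        self.drive_enable_out = self.run_permit


@dataclass
class MainContactor:
    """Hard-wired 3-wire control: start pulls the coil in, a seal-in contact holds it,
    and an open E-stop contact anywhere in the series chain drops it out."""
    closed: bool = False

    def update(self, estop_chain_closed: bool, start_pressed: bool) -> None:
        self.closed = (start_pressed or self.closed) and estop_chain_closed


def drive_power(hardwired: bool, contactor: MainContactor, plc: Plc) -> bool:
    """Drive power: contactor in series with the PLC enable, or the PLC enable alone."""
    return (contactor.closed if hardwired else True) and plc.drive_enable_out


def run_scenario(hardwired: bool, plc_freezes: bool) -> list:
    """Start the machine, optionally freeze the PLC, then press and release the E-stop."""
    plc, contactor, log = Plc(), MainContactor(), []
    stages = [  # (name, E-stop chain healthy, start/reset pressed, PLC freezes first)
        ("running", True, True, False),
        ("estop_pressed", False, False, plc_freezes),
        ("estop_released", True, False, False),   # released, but nobody pressed reset
    ]
    for stage, estop_ok, start, freeze in stages:
        if freeze:
            plc.running = False
        contactor.update(estop_chain_closed=estop_ok, start_pressed=start)
        plc.scan(estop_healthy=estop_ok, reset_pressed=start)
        log.append((stage, drive_power(hardwired, contactor, plc)))
    return log
```

With the PLC-only wiring and a frozen processor, the drives stay powered through the E-stop press; with the contactor in series they drop out, and in every wiring the release of the button alone does not restart them.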

Obviously, your PLC wasn't of a "mature" design.
Seriously, in your SPECIFIC case, there should have been a simple series loop on the holding coil for the main contactor for the machine.
I don't have specific PLC design experience but I have worked on spacecraft systems.
"There are ways" of preventing control units from "locking up." A possibility is a "sanity check" every 1/2 second (or whatever) which, if failed, causes hardware to revert to a "safe" state and wait for instructions from the ground.

Well, like it or not, "software" and "hardware" are really part of one spectrum.
Hardware failure (you HAVE known of "stuck" relays/contactors) can screw up the most conservative safety scheme.
IMO the "solution" is for designers to seriously think truly worst case and design hardware and software to address that potential situation.

Actually, it is a mature PLC, by a reputable, well known, very experienced company. As I said, they did find a software glitch because of this incident.
--
Anthony

You can't 'idiot proof' anything....every time you try, they just make

Well, just as NASA often screws up, so can a PLC maker.


I don't think the NEC or OSHA rules address PLC logic and E-stops specifically, but they require manually operable disconnects within sight of the equipment. There are numerous rules on this in the NEC Article 430 and in OSHA 1910.305(j). The NEC also has some rules requiring Class 1 circuits for safety remote control circuits:

725.8 Safety-Control Equipment.
(A) Remote-Control Circuits. Remote-control circuits for safety-control equipment shall be classified as Class 1 if the failure of the equipment to operate introduces a direct fire or life hazard. Room thermostats, water temperature regulating devices, and similar controls used in conjunction with electrically controlled household heating and air conditioning shall not be considered safety-control equipment.
(B) Physical Protection. Where damage to remote-control circuits of safety control equipment would introduce a hazard, as covered in 725.8(A), all conductors of such remote-control circuits shall be installed in rigid metal conduit, intermediate metal conduit, rigid nonmetallic conduit, electrical metallic tubing, Type MI cable, Type MC cable, or be otherwise suitably protected from physical damage.

That addresses a different potential problem: machinery starting up while repair people have their arms and bodies stuck inside. That kind of stuff merely ensures that "OFF" equipment stays "OFF" so long as the repairmen are working.
BUT when you are considering more complicated and larger systems you have to consider the necessity of men repairing parts of a large (and dangerous) system while other parts continue to "spin" and otherwise operate.
These things CAN be done and done in relative safety. BUT it definitely requires a change of attitude of the designers.

You sound like the engineers that designed Pump Station 8 on the trans-Alaska pipeline. Some repairmen were taking the filter screen access cover off and did not turn off and lock out the suction valve. There was no policy to do this, at the time. Another crew was working on the turbine and running the software program. They accidentally opened the suction valve using the software. The resulting fire and explosion cost $85 million and one life. The resulting federal investigation caused the implementation of a rigid permitting and lock out procedure. It does not matter how complicated a system is; if persons working on these systems while they are energized are in danger of being hurt, then the system has to be de-energized and in some cases, locked out. This is Federal OSHA mandated law! Software E-Stops are not acceptable methods for ensuring this level of safety. OSHA has a voluntary compliance program that allows persons to ask for a free consultation without being fined. I suggest that you ask for this. I have worked on some very complicated oil field machinery, and believe me it is turned off and locked out before we work on it. We never depend on software to ensure our safety when we work on this equipment.

It may be that different regulatory bodies within the same jurisdiction have different requirements. In Ontario, NH3 refrigeration equipment must be stoppable with a hardwired E-stop as well as with hardwired safety switches (pressure, temperature, oil, etc.). This is not a requirement for food processing equipment, though I think it should be. Our equipment is all PLC controlled. E-stops at operator panels kill power to motor starter coils. The PLCs read the E-stop return signal and sequence down ancillary equipment (like remote exhaust fans or upstream equipment).
Anthony wrote:

Take a good look at NFPA-79. Also post this question on sci.engr.control newsgroup.
ARM
As another respondent has mentioned, a thorough risk assessment should be performed on the processes performed by the machine. The categories include, but are not limited to, frequency of operation, likelihood of injury and, most importantly, severity of injury that is likely. All these factors add up to give a score that can be compared with tables, provided by manufacturers of safety controls and equipment, that will then categorize the level of safety required for your application. Any of the leading manufacturers have readily available guidance notes. Some to consider are Telemecanique, Pilz, Siemens and EJA Guardmaster (part of Allen Bradley now).

--
Richard


Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.