E-Stop question

This question has come up a few times in the recent past, and I seemingly cannot find a definitive answer. I was trained that an E-Stop circuit on a machine should always be hard-wired with redundant failsafes (i.e. safety relays, etc.), and this makes perfect sense, as you do not want the E-stop circuit to fail, if possible.

Lately though, we have been seeing machines where all the E-Stop circuits are run through the PLC. There is *no* physical hard-wired E-Stop circuit; even the E-stop button is just wired to inputs on the PLC. IMHO, this is bad practice. I have already seen an instance where this design failed in practical application.

In these designs, the PLC is responsible for shutting down everything else, which works fine as long as the PLC is actually RUNNING. When the PLC 'locks up', or has other glitches (RAM problems, etc.), this could lead to bad things.

My question is: Is it mandated anywhere (OSHA, etc.) that an E-stop circuit should be hard-wired?

I was hoping that someone here could provide a link to information that specifically addresses this question.
Thanks in advance.
Anthony
I know of no written standard that requires hard wire. Most places I have worked do it both ways as added insurance.
I created a program for a main-tie-main PLC that would prevent all three breakers from closing. Demonstrated it to death that it was impossible for all three to close. First thing that the customer wanted then was to close all three breakers for a phasing test by the utility. I did my best impression of "you have got to be kidding", politely.
I like PLCs, but I would not trust one with my life, or body parts.
SQLit
Well, like it or not, in more and more areas we DO have to trust the computers (with backup) with our lives.
In the case of most PLC applications there is a reasonably well-defined "safe" state, which usually means TURN EVERYTHING OFF RIGHT THIS INSTANT.
Seems to me that the manufacturers COULD produce controllers that sort of "hard wire" this "off" condition.
Frankly, however, if you fly or even drive a car, your life might well depend upon computers working properly.
John Gilmer
There are now safety-rated PLCs for E-stop purposes. Siemens has 'em. AB is going to have one if it is not already available. Moore Products (now Siemens) has had the Quadlog system out for quite some time now. Look for a TUV rating for safety (with an umlaut over the U).
No Spam
It's not even required that you have an E-stop in all cases. You have to make a decision about what level of risk there is and add safety features until the risk is abated. E-stop pushbuttons are one feature that may reduce risk.
In any case you are required to have a means of absolutely removing power from the machine; a disconnect switch serves this purpose.
It's not unheard of to have an "E-stop" wired to a PLC and have the PLC take the necessary action to bring the machine or process to a desired condition. These really should be called something other than E-stop, maybe "master stop".
Bob Peterson
As even "small" systems become more complex, it might be useful to look at the "complex from the start" systems for guidance.
Power plants usually have a "Panic Button" which brings the system to a crashing halt.
BUT, it just doesn't cut the power to everything at once. Certain pumps and fans have to be kept operating, for example. Sometimes, these pumps and fans have to be turned ON.
Perhaps the "human interface" types (whom am I kidding?) should put easily read information panels near "panic switches" that give an indication of WHAT should be expected to happen if the button or switch is activated.
When designers throw PLCs at problems rather than a handful of relays, it's quite likely that "safe" shutdown is different than pulling the plug.
John Gilmer
Not valid.
I am not asking them to stop in an emergency.
SQLit
"John Gilmer" wrote in news:417956ce$0$ snipped-for-privacy@dingus.crosslink.net:
The machine type in question would be machining equipment. Basically everything should stop. In the particular bad case I have seen, the NC locked up. It faulted E-stop, but all the signals apparently never fully reached the PLC before it locked also. The PLC apparently had time to shut down 2 of the 3 drives it was controlling; however, it left the spindle running. It also allowed the door to be opened. There was no method that would shut the spindle down, with the exception of turning off the main power (the E-stop pushbutton did nothing, because it was tied to PLC inputs).

Now, had the E-stop button been physically tied to safety relays, which would have been included in the drive power enable circuit, as well as the NC and PLC with E-stop inputs, then with the exception of a failed safety relay, everything would have stopped when the button was pushed. The other bad part of this is that the PLC apparently did *not* go into a 'default safe mode'; it simply locked. The cause of the computer lock has never been identified, and likely never will be. There were software changes made by the machine tool manufacturer and the electronics manufacturer to help prevent this type of situation from happening again, but IMHO, you are still dealing with a software solution to a hard-wire issue, and with that come all the problems associated with software implementation, in that it only works if the software is actually *running*.

I am a proponent of a hard-wired safety circuit on this type of equipment. If you physically remove power via a redundant circuit, along with a software solution, I feel the machine is safer. I wasn't sure there were any written guidelines on this subject, and I appreciate everyone's input.
Anthony
Obviously, your PLC wasn't of a "mature" design.
Seriously, in your SPECIFIC case, there should have been a simple series loop on the holding coil for the main contactor for the machine.
I don't have specific PLC design experience but I have worked on spacecraft systems.
"There are ways" of preventing control units from "locking up." A possibility is a "sanity check" every 1/2 second (or whatever) which, if failed, causes hardware to revert to a "safe" state and wait for instructions from the ground.
Well, like it or not, "software" and "hardware" are really part of one spectrum.
Hardware failure (you HAVE known of "stuck" relays/contactors) can screw up the most conservative safety scheme.
IMO the "solution" is for designers to seriously think truly worst case and design hardware and software to address that potential situation.
John Gilmer
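The two failure paths argued about above (the NC/PLC that hung after stopping two of three drives, and the "sanity check" that drops hardware to a safe state when the controller stops answering) can be modelled in a few lines. The following is an added illustration, not code from this thread or from any PLC vendor; the plant, the PLC scan, the drive names and the tick timing are all invented for the model. A drive runs only while the PLC commands it AND a hardwired enable contact is closed; the PLC-only design leaves that contact permanently closed, the hardwired design opens it from the button directly, and the watchdog variant opens it from an external timer when the PLC heartbeat stalls.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Invented drive names standing in for the three drives in the account above.
DRIVES = ("x_axis", "y_axis", "spindle")


@dataclass
class Plant:
    """Run commands written by the PLC, gated by one hardwired enable contact."""
    commanded: Dict[str, bool] = field(default_factory=lambda: {d: True for d in DRIVES})
    hw_enable: bool = True   # safety-relay contact wired in series with every drive enable

    def running(self) -> Dict[str, bool]:
        # A drive turns only if the PLC says so AND the hardwired enable is closed.
        return {d: on and self.hw_enable for d, on in self.commanded.items()}


@dataclass
class PLC:
    """Controller whose E-stop handler may hang after a set number of output writes."""
    lock_after_writes: Optional[int] = None   # None = never hangs
    writes: int = 0
    heartbeat: int = 0
    locked: bool = False

    def scan(self, plant: Plant, estop_pressed: bool) -> None:
        if self.locked:
            return                           # a hung controller writes nothing more
        self.heartbeat += 1                  # toggled each healthy scan, watched externally
        if estop_pressed:
            for d in DRIVES:
                if self.lock_after_writes is not None and self.writes >= self.lock_after_writes:
                    self.locked = True       # crashes part-way through the shutdown sequence
                    return
                plant.commanded[d] = False
                self.writes += 1


class Watchdog:
    """External timer: opens hw_enable if the PLC heartbeat stalls for `limit` ticks."""
    def __init__(self, limit: int):
        self.limit, self.last, self.stale = limit, None, 0

    def tick(self, plc: PLC, plant: Plant) -> None:
        if plc.heartbeat == self.last:
            self.stale += 1
        else:
            self.stale, self.last = 0, plc.heartbeat
        if self.stale >= self.limit:
            plant.hw_enable = False          # de-energize to trip: needs nothing from the PLC


def press_estop(hardwired: bool, lock_after_writes: Optional[int] = None,
                watchdog_limit: Optional[int] = None, ticks: int = 6):
    """Press the button at tick 1; return (drive states, tick at which all stopped or None)."""
    plant, plc = Plant(), PLC(lock_after_writes)
    wd = Watchdog(watchdog_limit) if watchdog_limit else None
    if hardwired:
        plant.hw_enable = False              # button contact opens the relay, no software involved
    for t in range(1, ticks + 1):
        plc.scan(plant, estop_pressed=True)
        if wd:
            wd.tick(plc, plant)
        state = plant.running()
        if not any(state.values()):
            return state, t
    return plant.running(), None


if __name__ == "__main__":
    cases = [
        ("PLC-only, healthy PLC", dict(hardwired=False)),
        ("PLC-only, PLC hangs after 2 writes", dict(hardwired=False, lock_after_writes=2)),
        ("hardwired relay, same hang", dict(hardwired=True, lock_after_writes=2)),
        ("PLC-only + hardware watchdog", dict(hardwired=False, lock_after_writes=2, watchdog_limit=2)),
    ]
    for label, kw in cases:
        state, stopped_at = press_estop(**kw)
        left = [d for d, on in state.items() if on]
        print(f"{label:36s} still running={left} stopped_at={stopped_at}")
```

The second case reproduces the incident described above: two drives stop, the spindle keeps turning, and no further button presses help because the only path to the outputs runs through the hung controller. The hardwired case stops everything on the first tick regardless of what the PLC does; the watchdog case stops everything too, but only after the stall timeout, which is why it complements rather than replaces the direct contact.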
Quadlog is a safety system marketed to the power industry for multiburner gas boilers (one example). There are special error checking routines and redundant processing and I/O to perform automated error handling and safe shutdowns of complex control systems.
It has little to do with the wisdom of trusting your life to someone else's programming abilities. Oops.
dummy
I don't think the NEC or OSHA rules address PLC logic and E-stops specifically, but they require manually operable disconnects within sight of the equipment. There are numerous rules on this in NEC Article 430 and in OSHA 1910.305(j). The NEC also has some rules requiring Class 1 circuits for safety remote-control circuits:

725.8 Safety-Control Equipment.
(A) Remote-Control Circuits. Remote-control circuits for safety-control equipment shall be classified as Class 1 if the failure of the equipment to operate introduces a direct fire or life hazard. Room thermostats, water temperature regulating devices, and similar controls used in conjunction with electrically controlled household heating and air conditioning shall not be considered safety-control equipment.
(B) Physical Protection. Where damage to remote-control circuits of safety control equipment would introduce a hazard, as covered in 725.8(A), all conductors of such remote-control circuits shall be installed in rigid metal conduit, intermediate metal conduit, rigid nonmetallic conduit, electrical metallic tubing, Type MI cable, Type MC cable, or be otherwise suitably protected from physical damage.
Gerald Newton
Good example. I will usually provide the PLC with the status of the E-stop, so that it knows to shut down the system. Of course this is only so that restoring the normal stop button position does not yield automatic restarts.
The main purpose of the E-stop is to remove the power from the output cards' AC/DC common. Leave the processor running for a controlled restart. Of course bad programming can still yield an automatic restart when restoring power. I just fixed an automatic restart on a piece of OEM programming today.
dummy
It may be that different regulatory bodies within the same jurisdiction have different requirements. In Ontario, NH3 refrigeration equipment must be stoppable with a hardwired E-stop as well as with hardwired safety switches (pressure, temperature, oil, etc.). This is not a requirement for food processing equipment, though I think it should be. Our equipment is all PLC controlled. E-stops at operator panels kill power to motor starter coils. The PLCs read the E-stop return signal and sequence down ancillary equipment (like remote exhaust fans or upstream equipment).
bargepole
That addresses a different potential problem: machinery starting up while repair people have their arms and bodies stuck inside. That kind of stuff merely ensures that "OFF" equipment stays "OFF" so long as the repairmen are working.
BUT when you are considering more complicated and larger systems you have to consider the necessity of men repairing parts of a large (and dangerous) system while other parts continue to "spin" and otherwise operate.
These things CAN be done and done in relative safety. BUT it definitely requires a change of attitude of the designers.
John Gilmer
"John Gilmer" wrote in news:4179b893$0$ snipped-for-privacy@dingus.crosslink.net:
Actually, it is a mature PLC, by a reputable, well known, very experienced company. As I said, they did find a software glitch because of this incident.
Anthony
Take a good look at NFPA-79. Also post this question on sci.engr.control newsgroup.
ARM
Alan McClure
Well, just as NASA often screws up, so can a PLC maker.
John Gilmer
You sound like the engineers that designed Pump Station 8 on the trans-Alaska pipeline. Some repairmen were taking the filter screen access cover off and did not turn off and lock out the suction valve. There was no policy to do this at the time. Another crew was working on the turbine and running the software program. They accidentally opened the suction valve using the software. The resulting fire and explosion cost $85 million and one life. The resulting federal investigation caused the implementation of a rigid permitting and lock-out procedure.

It does not matter how complicated a system is; if persons working on these systems while they are energized are in danger of being hurt, then the system has to be de-energized and in some cases locked out. This is Federal OSHA mandated law! Software E-Stops are not acceptable methods for ensuring this level of safety. OSHA has a voluntary compliance program that allows persons to ask for a free consultation without being fined. I suggest that you ask for this. I have worked on some very complicated oil field machinery, and believe me, it is turned off and locked out before we work on it. We never depend on software to ensure our safety when we work on this equipment.
Gerald Newton
As another respondent has mentioned, a thorough risk assessment should be performed on the processes performed by the machine. The categories include, but are not limited to, frequency of operation, likelihood of injury and, most importantly, severity of injury that is likely. All these factors add up to give a score that can be compared with tables, provided by manufacturers of safety controls and equipment, that will then categorize the level of safety required for your application. Any of the leading manufacturers have readily available guidance notes. Some to consider are Telemecanique, Pilz, Siemens and EJA Guardmaster (part of Allen Bradley now).
In message , Anthony writes
R. Tooke
