De-Energize vs. Energize to Trip

I'm sure that this topic has been discussed many times in the past, but I wanted to engage the group again on their thoughts on what the prevailing guidance is (based on existing IEC standards and their own operating experience) on the use of De-Energize to Trip vs. Energize to Trip safety circuits in SIL 1 applications.

We are currently debating this right now, and the group seems split right down the middle on how to proceed.

As such, looking forward to hearing your feedback so that we can get some clear direction on this.
 
Can you provide a specific example of a circuit you are considering? Otherwise we are going to have to assume a lot about your situation.

Also, what is the basis for your disagreement? You say you are split, but what makes each side think they are right?
 
When you say... 'provide an example of a circuit you are considering'..., can you elaborate a little more on what exactly you're looking for?

In general, the de-energize to trip (DTT) group feels that this is the most fail-safe approach to pursue (i.e. any loss of power equates to SIL circuit activation). In addition, they feel that the technology is still not mature enough to design an energize to trip (ETT) circuit that could identify all problems with an ETT circuit (i.e. using end of line monitoring to identify a broken wire, short circuit, channel fault etc...), which could lead to a dangerous undetected situation where the ETT circuit might not function properly. Basically, the ETT group feels that the DTT design introduces a much higher risk for nuisance trips, and they feel that they can introduce a robust design to identify the aforementioned problems that could occur above.
 
DTT is the only way to go. As far as I've seen, that's been the standard for basic E-Stop circuits for ages. And for good reason.
 
harryting..., Depends on what?

As you can see, I'll be asking a lot of follow-up questions to get a clear understanding of your thoughts/guidance (i.e. to get us to a clear decision).

Hope everyone is OK with that.
 
What I meant was... Is this an E-stop circuit? A machine safety guard circuit? For the sake of the following, I'll assume an E-stop.

DTT is inherently safer with no or minimal level of diagnostics. There is a reason it is called "fail-safe" wiring. As you add more diagnostics, the difference becomes less, but I don't think ETT is ever safer.

The argument about the DTT circuit being more prone to nuisance trips is based on what? How can the ETT circuit differentiate a nuisance trip? I don't believe it can, you only know it's a nuisance after you troubleshoot it and determine what caused the trip. For every single condition that would drop the DTT circuit, the ETT circuit better drop too!
 
This is a SIL 1 Safety Interlock triggered off of a process parameter that opens some valves

By nuisance trips, I meant that any loss of power/energy in a DTT design would cause an unnecessary shut down of your equipment (vs. an ETT circuit)
 
Well, in a typical large system you will have a mix of both. So, it's important to realize that both teams may have good points depending on the specific scenario.

In general, operator-initiated trips are DTT. Automated trips can be either. Again, in general, the more complex (AND AND AND... ) the logic, the more it tends to be ETT.
 
To me this is a fail-safe or fail-danger question. When power is lost or there is some disruption to the circuit, what is the acceptable state of your system? Valve open or valve closed? This should dictate whether your valve is energize to open or energize to close. If you must have an energized valve to maintain a safe system, then you've got to take a serious look at redundant power sources (UPS) and a plan for when the UPS batteries die.
 
Process safety and Machine safety have very different standards and expectations, so that is part of why there is some debate about DTT vs ETT. Even within machine safety, there are different sub standards that are more specific about specific applications: presses vs robots, etc. In process safety, keeping the process running (availability) is a priority, because a refinery exploding is way more dangerous to the worker than getting his finger pinched in a valve. In machine safety, the priority is making sure someone doesn't lose an arm/leg/head, and the worst that happens if the process gets interrupted is you get a bad part/batch.

In machine safety, I've never seen someone implementing a SIL 1 application. No one (in the US) wants to be the guy signing the piece of paper that says "I think we can get away with doing less than the maximum safety". The European standards are all about appropriate responses to the risks and hazards. Over here, you either do nothing, or you do everything you can to try to avoid looking negligent in the lawsuit (but you have to pay either way).

I see DTT used every time in machine safety applications, because a nuisance trip has to be interpreted as an unsafe condition. As someone else said, you can't tell if the trip is a nuisance or not, until you actually go and diagnose it. Every safety PLC I've worked with has had DTT concepts built in. The PLC and IO have watchdog timers built in, and if the communication fails, both sides independently do what they need to do to shut down. If your safety system has so many nuisance trips that production is unprofitable then you need to re-visit the whole system, but at least it will have been safe.
 
rupej... Thanks for the input. Can you provide some more info & detail on why you feel DTT is the 'only way' to go? Would like to understand your rationale some more
It is supremely fail-safe. The only way to defeat it is to accidentally impose a voltage on somewhere it shouldn't be. Much more unlikely than a wire falling off, software glitches, power failure, etc. And you can protect against even that with redundancy, and other methods.
 
+1 for DTT.
First example that comes to mind is a temperature controller with alarm output. Alarm output is used to drive a contactor in series with the controlling SSR. Contactor drops out if SSR goes shorted causing overtemp, sensor break, or CPU lockup. The logic has a watchdog timer. If it's not updated by the clock (locked up), the timer times out and drops the relay.
Watchdogs are very common.
For an EMO circuit, DTT ensures all wiring is intact. Same method is used for burglar alarm sensors.
Loss of power is a serious event. Using ETT likely results in unattended restart when power returns, introducing several other safety issues.
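
Added example, not part of any post in this thread: a small Python model of the failure cases the replies argue about, classifying each fault as a dangerous failure (demand present, no trip) or a nuisance trip (no demand, trip anyway) for both wiring philosophies. The fault names, the single-coil circuit model, and the choice of which faults diagnostics can announce are assumptions made for illustration.

```python
# Illustrative model only: fault names and circuit behaviour are assumptions.
FAULTS = ("power_loss", "broken_wire", "cpu_lockup", "stray_voltage")


def coil_energized(commanded_on, fault=None):
    """True if the final-element coil actually sees voltage."""
    if fault == "stray_voltage":              # voltage imposed where it should not be
        return True
    if fault in ("power_loss", "broken_wire"):
        return False                          # no path for current to the coil
    if fault == "cpu_lockup":
        return False                          # watchdog times out and drops the output
    return commanded_on


def tripped(design, demand, fault=None):
    """design is 'DTT' or 'ETT'; demand is True when the process calls for a trip."""
    if design == "DTT":
        # Coil is held energized in normal operation; removing energy is the trip.
        return not coil_energized(not demand, fault)
    # ETT: coil is idle in normal operation; applying energy is the trip.
    return coil_energized(demand, fault)


def classify(design, fault):
    if not tripped(design, True, fault):
        return "dangerous"                    # demand present, circuit cannot trip
    if tripped(design, False, fault):
        return "nuisance"                     # no demand, circuit trips anyway
    return "ok"


def faults_by_outcome(design, outcome):
    return [f for f in FAULTS if classify(design, f) == outcome]


def undetected_dangerous(design, monitored):
    """Dangerous faults that the assumed diagnostics (e.g. line monitoring) miss."""
    return [f for f in faults_by_outcome(design, "dangerous") if f not in monitored]


if __name__ == "__main__":
    for design in ("DTT", "ETT"):
        for fault in FAULTS:
            print(f"{design}  {fault:<14} {classify(design, fault)}")
    # End-of-line monitoring assumed to announce only a broken wire.
    print("ETT dangerous, unannounced:", undetected_dangerous("ETT", {"broken_wire"}))
```

In this model every fault that removes energy shows up in DTT as a trip, while in ETT the same faults stay silent until a demand arrives unless a diagnostic covers each one.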
 
