E-stop over Controlnet

I have been putting together the specifications for a new system we are planning to install. The system will be a Contrologix processor that is controlling a DC drive and some miscellaneous other pieces of equipment over Controlnet.

The processor will be in one cabinet and the DC drive in another cabinet about 200 ft away. The CLX processor will issue all drive commands and read all drive parameters over Controlnet.

So here is the question:

How would you guys handle an Emergency stop situation?

The whole point of using the network connection is so we do not have to hard wire the circuitry back and forth between the cabinets. I am not sure that I trust just using the network media as the sole source of the emergency stop command. I don’t however, want to do the extra wiring if it is not required.

This is our first attempt at using Controlnet to control the drives, so I am not sure how to approach this.

Hardwire the E-stop or trust the network?

IF IT FAILS, who talks to the lawyer, and who calls the widow?

Is it a true "emergency stop"? Will safety be an issue.

If it is critical, then hardwire!

Should at least be a hardwired e-stop at the equipment, minimum.

regards.....casey

Not to be concerned, we consider safety above and beyond all other aspects of machine design.

Every piece of equipment that we design has hardwired emergency stop circuitry where required.

We are well versed in machine safety, and I have the NFPA books on machine safety and design just not with me currently. This is just something I was thinking about over the weekend.

Is the Controlnet safety rated?

I use bus systems for E-Stop, but only safety rated ones.
So far, have used "ASi Safe", and our new plant will be on "Safetybus P".

For our new plant we have gone as far as using two groups of PLCs. Siemens S7 for the control, and Pilz safety PLC for the safety functions.

I would advise that if you want to run your e-stops off a bus, use a safety rated one only. If you want to stick with controlnet, hardwire your safety circuits.

Doug

John:

I have faced the blue screen of death TOO many times. When it is a PC, then by all means I would say NO! I will put some faith in a PLC shutting down a system. Ideally, this is a judgement call.

Networks can fail. But generally not. A data bit can be covered by "noise", maybe it isn't critical.

If you do go ahead with it, then I would have a "Fail OFF" in there.

If the e-stop wiring opens, the the logic shuts off, if communication is lost to the drives, then they would drop, too.

I was comforted to read your last post, you did have the background info that I thought you would have.

I have done work for several major corporations that would insist on hard-wired.

I have been at a few that wuld fight it, along with anything else OSHA, NEC, etc require, if it costs anything more.

best regards.....casey

Here in the UK , well certainly for the company i work for, all our e-stops are hard wired.Makes a tricky job at times interlocking everything together but at least i know they work. I don't think i've got the balls to try leaving critical safety to a plc to sort out. Maybe i should get my boss to let me give it a try though!

Bolty

NEC and NFPA...note OSHA uses NFPA, states that E-stops are to be hardwired.

We are presently in the process of programming and wiring an extruder project. This project is UK based.

The main DC drive is 815Kw and is controlled over devicenet, Whilst the network will possibly never fail unlike a pc running xp we are still going on the E-Stop Pilz Unit being hardwired back to the dc drive.

The EStop Unit has a devicenet addon so that the plc can monitor all the estop functions for the HMI display.

They also do a control net module

See Here

http://www.pilz.com/english/products/safety/safety_relay/pnozplus_n_products.htm#pnoz_xm1

and here

http://www.pilz.com/english/products/safety/safety_relay/pnozplus_n_products.htm#pcanop

I would say you need a hardwired E-Stop. If the panel with the PLC is the E-Stop location then run the wire - it is 24 VDC for most drives, so you don't need separate conduit.

If you have a separate E-Stop located near the machine, then you could use the Control-Net, but call it a stop, not an E-Stop and don't use the big red mushroom head.

If the VFD is in sight of the machine then you could also put an E-Stop on the drive enclosure, call the one at the panel a stop and don't use the big red mushroom head.

hardwire... if you put something that will look like E-Stop, have a EStop label, hardwire it - period.

Thanks for the input guys I really appreciate it.

I obviously know the best way to approach this is to install the hardwrired E-stop, but going through the manuals to the drive has brought some questions to mind.

Looking at the prints for the drive, it is apparent that the E-stop input to the drive is a "Digital" input. So what is the difference between my E-stop signal over controlnet failing or my "Digital" input to the drive failing?

Both of the signals to tell the drive to stop are "Digital" par se, so what does this mean? It is highly unlikely that my hardwired "Digital" input failing in the closed position, but what's to say it cannot happen? This scenario is no different than my E-stop command over Controlnet never getting there?

I could understand being dead set against it if the E-stop was directly in line with the armature circuitry and it was required to be closed to keep the armature contactor in. This does not seem to be the case. It appears that the drive issues the commands to the various controls through the software built into the drive. Does this not bring us back to the origianl problem of having software involved in an Emergency stop circuit?

Just so everyone can sleep well tonight, just know that this will be done the correct way. We will tie this into the Pilz safety relays that we already installed for the main plc system. I know you guys honestly worry when you think someone might do something wrong, but take comfort in the fact that we do know what we are doing and this will be done in the safest way possible.

The reason for this question was just to find out how others handle this situation and it appears as though everyone is on the same page with this. This is a fairly large project that requires a large amount of conduit, so I am sure that another piece of it won't hurt anyone.

I think the problem with your digital input is redundancy and cross monitoring.

Redundancy, what happens if it fails?
What happens if the new electrician, trying to trouble shoot the drive, hard wires your digital input to the on position?
What if something fails? How do you know if fails unless someone hits the e-stop? Then is it too late?

In a similar situation to yours, I have used the digital signal to drop the enable from the drive, then a safety rated timer opens two contactors feeding the power to the drive one second later. This has redundancy, and it is possible to monitor the status of the contactors.

I generally also use SEW VSDs. These now have a CAT 3 rated safety input (Movidrive B). Due to the laws of my state, by itself it is not good enough for e-stop push buttons. But it is potentially good enough for light curtains, safety gates and some other safety functions.

Machine safety is one area where I believe you cannot have too much knowledge, I also belive that a deeper understanding is required than the old rules of thumb such as "Don't use PLCs" and "Always hardwire", since it is possible to follow these rules and still have an un-safe machine.

Doug

Note to self, its been 6 months since last reading the standards, time for another read.

Jnelson said:

So what is the difference between my E-stop signal over controlnet failing or my "Digital" input to the drive failing?

Click to expand...

I would think (hope?) that the "enable" is not solely monitored by the software. Loss of this input should disable the output stage in the drive (in a 'hardwired' sense).

beerchug

-Eric

Eric Nelson said:

I would think (hope?) that the "enable" is not solely monitored by the software. Loss of this input should disable the output stage in the drive (in a 'hardwired' sense).

Click to expand...

Yes I would think this should be the case but it does not appear to be that way. It looks to me that the drive enable which is also reponsible for the monitoring of the E-stop condition is only monitored by the software.

I will look into this more tommorrow and post the findings.

Old fashion

John I`m sure you know all this BUT here`s my two bits.
We installed an extruder last year that had 150 hp dc motor. When you pull the hard wired Estop out it brings on a size 5 contactor that energizes the isolation transformer that feeds the drive. I don`t care what happens to the drive when someone hits the Estop it STOPS ( May coast a bit, but that`s been discused too.) With ac or dc drives if there is a danger to someone getting hurt we always stick a contactor in the line. We`ve had ac and dc drives fail and would run with no input signal at all. Anyone that`s run the little KB reversing drives knows I`ll bet you.