Safety Bypass ?????

Safety Bypass Switch

I need your thoughts on this...

On this fine piece of equipment that I am rebuilding are two Elevators, each independent from each other. They are driven up and down w/ a 3hp 3 ph 440v motor, w/ a 90vdc brake on the motor. The motor, via a vee belt, turns a ball screw that has a 3ph, 440v spring set brake on it. This screw brake is held released unless I loose power, or the carrage overtravels up/down. Now there is one Fault condition that I have found that is causing me concern...mainly in how best to clear it. If the fuse or the CB feeding the 90vdc brake opens, the carrage drops to the bumper springs at the bottom...OK, its not a good thing, but the springs were put there by the OEM back in 1966. I am going to moniter the 120v power in the brake controler and set the screw brakes if it fails. But if the carriage does go all the way down, it trips the down overtravel LS, which prevents the screw brake from being released and the and drops out the MCR, which means the elevator motor can not run. Now if, Heven forbid, someone is caught, or for any reason, what would you do to be able to over-ride that LS and raise the elevator ? Right now, and as far as I know this is true for all of these machines { there are hundreds out there !} the only way is to put a 3 foot pipe wrench on the screw shaft {ouch} and lift the carriage up until the screw brake pulls in...after fixing the bown fuse / CB.

! Key switch to over-ride LS, locater inside PB panel ?...don't like key switches, but...

Some sort of switch inside PB panel to set a line of over- ride conditions in the AD 250-1 ?.... no safety controls should be in a PLC....

Come on folks, I'm in need of some Stelar ideas....

I put this on Ron site first 'cuse I don't think I should run it thru the PLC...Thanking one and all for your time and ideas.

David
beerchug

Deja Vu!...

See my reply over at Ron's site

beerchug

-Eric

David,

Safety is one of the trickyest problems that most automation engineers come across. You may need to step back a bit from your problem to see if you are going about it the right way.
Now, I am not familiar with the American way of doing things, but in the land of OZ we have to start with a risk analisis. Normally we do this as a team, since individuals have a bad habit of missing risks.
1, Define all risks. You seem to have done this, at least partially. Before you go modifying your machine you should check your list of risks to see if there is anything you missed.
2, For each risk, determine the probability of it happening. This is related to how often a person is likely to be exposed to the risk, and one exposed, how easy is it to avoid.
3, look at concequences. Will the exposed person end up with a few cuts an bruises? a missing arm? dead? multiple fatalities?

From this you can then work on corrective action. You will see if you need to do a lot or a little. Example: fatalities with a high chance of happening will need a high effort to eliminate. Minor bruising occasionally may need only a warning sign.

After you have planned your corrective action, repeat the above process.
1, what risks still remain, what new risks have been created?
2, what is the new probability of these things happening?
3, what are the new concequences.

Repeat until an acceptable outcome has been arrived at.

Hope this helps

Doug

Thanks Doug,
I have a few constraints in that I am just retrofitting a 1966 era machine w/ a new control system, and installing it in a new facility here in our plant. I would have liked to modify it and have done a lot more updating, but the time is just not there. I am really trying to make it 'user safe'...the folks that will be running it are not what you would call Rhodes candidates, sort of the leftovers of the brain drain. Nice kids, but we don't let them have any gum. I am making certain that they will have a safe, reliable, and easy to run machine... after all, if the machine runs well, without jamups and crashes, the operators will be less likly to become part of the machine.
Thank you for the good sequence that you use with your teams... I will be using that as a guide as we finish up this fun little project!!!

Ya'll have to come up an set a spell on the porch..swig a few cold ones, an talk 'bout things down under...***t, I've been in Kentucky toooooo long. I even type like them...my backspace key is getting worn out....

Have a great day, David

beerchug

Safety pendant

You can provide a connector which would allow you to plug in a
pendant type PB station. Normally this connector would have nothing plugged in. If you need to provide a safety by-pass you would plug in
the pendant. Umbilical cord would allow you to observe the critical
section of the equipment while you are by-passing the safeties.
Push buttons would only operate the equipment when pressed (i.e.
no latching mode of operation should be allowed).

Certainly, if power is lost, the screw-brake should engage immediately. In fact, if the program detects (Level detection? Encoder on the Screw?) that the screw is moving unexpectedly (Motor Trip? Belt-break?), then the screw-brake should release and engage, and of course, the motor signal should drop-out.

That is a controlled-crash.

All control-system crashes should be one-hell-of-a-lot-better than the one experienced by Columbia! Maybe even 10, or 100, or 1000 times better! (I think I have a plan to overcome that damned one-chance-up and one-chance-down problem for the Shuttle! Worthy, I think, of a thread of its own!)

Now, to recover from a controlled-crash... it would be nice to know the cause of the crash. Was it a motor-fault, or a belt-fault, or...? A particular fault-type indicator/detector would be nice.

The means to recover from a controlled-crash should certainly be available. In fact, a recovery from any kind of crash should be available! The key is to make the recovery process painful - not physically painful, but operationally painful.

The recoverery process should never be so convenient that the operators include it as part of their normal operating routine. The recovery process needs to be a pain-in-the-a$$ and yet, none the less, available when it is needed!

If the motor faulted (over-load trip), then the program should know that the Aux Contact opened unexpectedly.

If a belt broke, then the program should know that the elevator was moving either faster or slower than it should have been. Or maybe, that it was moving in the wrong direction! In any case, the motion was not as expected.

So, whatever the PLC can discern, as far as the program goes, maybe the program should impose a particular recovery process that is specific to the failure.

In any case, the recovery procedure should involve pressing multiple, hard to reach, push-buttons. (maybe even, patting one's head and rubbing one's belly, all at the same time!)

The idea being, at some point, this procedure might be needed... and, if so, then they need to be reminded, painfully, of the possible concerns.

David-
I don't know that I have any answers, just more questions.
I may be missing something in the application, but why is the brake on the motor a standard power-set brake? Or more to the point, can you replave the current brake with a spring-set brake? This would make your failure mode a little more friendly.

I may get some serious disagreement on this one but I usually don't consider end-of-travel limit switches safety devices. Machine protection, yes; personal safety, no. As a machine protection element I would be much looser on any bypass requirements since someone might break the machine using the bypass but they won't hurt anyone.

It sounds like your end-of-travel limits might be too all-encompassing. Why would any given overtravel prevent motion in the opposite direction? In the specific case of the down overtravel, why would the screw brake be worried about at all, unless the down overtravel is a significant distance above the springs? I think you may want to restructure your limits so they only stop motion in the direction of violation.

Keith