Limit Switch help?

HI All,
Today I was called to a company to assist with a few problems.
All of their limit switches are configured as:
0=Healthy
1= HI or Low or Fault

As the system is looking for a 1, when there has been problems the operators have disconnected them to get the system away.

This is a major problem for safety as any lack of supply, broken cables or switches make the system look fine.

The site was a German build 5 years ago.

My question is what rules and regulations should this have been built to and what should it conform to now?

Any assistance or links would be very greatfull as I can see this causing major problems in the near future.

Rob

Wow. Germany is usually a lot better than that.

Well, what's the controller? And what are the switches attached to? Most motion controllers let you program the switches so that logical one can be either 0VDC or 24VDC (assuming PNP, opposite for NPN). Can you get into the controller and flip the logic? And if so, can the switches then be reconfigured if need be?

You're mostly having to go through and rebuild the machine to fail safe, it sounds like. What are the existing controller and switches??

Paul T

HI,

Thanks for that, Thats what I am used to working with for the last 20 years. I was very shocked. It is a Yokogawa DCS, The part I was working on was the sand system, hoppers, lifts, screws, HI levels Low Levels.
Whilst looking through the code I think most if not all are like it.
So I spent the day checking and checking again.

Done some tests to prove it in the field and disconnected HI & Low limits, lift faults etc. No alarms or events generated and the system continues to run fine. So if a real cable problem occurs there will be major damage to plant or worse.

Yes I can get into the code but this is going to be a major job, and I don't think some of the switches can be changed, so that would mean new...££££££££ but safety comes 1stas allways.

What regs govern this or is it down to the individual company?

Rob

If it were the US it would be up to the individual company. Best practice, of course, would be to build a fail-safe system but there is no law that requires it. Guarding, yeah, there are laws about that, not that you see a lot of enforcement until after the accident. But how you wired your switches, and how you programmed your controller? No.

Hm. I would think that the DCS would allow you to wire NPN or PNP, not that it should matter much - a closed circuit is a closed circuit. If they're using NO solid state limit switches on NPN inputs, then yeah you're screwed and you'll need to replace them. There seem to be tons of 3 wire NO switches, not as many NC or NO/NC although they're out there. Fortunately, sounds like you can use big form factor switches on your system.

I'm guessing most of your switches are 3 wire DC? Just because if they were mechanical, they'd be easy to replace and you probably wouldn't be too worried about it. Well, easier to replace anyway. If they are solid state, try Banner for four wire prox switches that have both NC and NO states. If they're mechanical, well, I haven't used mechanical limit switches in years so IDK where to look first. Somebody else probably does though.

Finally, if you do replace the switches, then a simple way to "fix" the logic is to:

- Buffer each switch input into an internal tag
- Tie the internal tag to a new coil
- Use the contact associated with new coil in place of the original switch contact in the program

That will give you minimal changes to the logic, with hopefully minimal chance of messing it up.

GL... how many switches are we talking? And what kind are they?

Please do not change the software, but to make it failsafe, you could use some resistors and a alarmrack as extra.
put a resistor of 10 kilo ohm over the switch and check if there is a small voltage on the back line. For this you could use small micro controller as this switches at 5 volts (protection is needed with a resistor and a diode) this way you can make a bank with leds for operating switches.
If possible to change the working of a sensor, then use a lot of small relais to interface to the NO state.

be wary of inventing your own safety system - if it fails you will be blamed.
in Aus - when this type of system is discovered it is time to examine the safety seperately.
- wire a failsafe stopping system - CAT 4 or what ever your risk anaylsis determines.
Make it seperate of the existing DCS system - in the event of a failure the system can now be shutdown -

I am sorry Shooter - good Idea - was used many years ago - but i am not sure if it would be acceptable these days

usedplcs said:

HI All,
Today I was called to a company to assist with a few problems.
All of their limit switches are configured as:
0=Healthy
1= HI or Low or Fault

As the system is looking for a 1, when there has been problems the operators have disconnected them to get the system away.

This is a major problem for safety as any lack of supply, broken cables or switches make the system look fine.

The site was a German build 5 years ago.

My question is what rules and regulations should this have been built to and what should it conform to now?

Click to expand...

Sorry for the late reply, I missed this post earlier.

The machine in question should have complied with the European Machinery Directive 98/37/EC and should have a "CE" marking. I'm not an expert but I don't see how this arrangement could get a "CE" marking at all. Unless those switches serve no safety related function at all. It still wasn't even basic good engineering practice.

At the time it should have conformed to EN 954-1, which as of December 31 will not longer be acceptable. If built today it should now comply with ISO 13849 or IEC 61508.

Unlike in the US where the responsibility lies with the employer, in the EU the responsibility for machine safety lies with the builder. I imagine whoever built that machine is no longer in business. That kind of design was considered unsafe decades ago let alone now with so many safety standards in place.

Unlike in the US where the responsibility lies with the employer, in the EU the responsibility for machine safety lies with the builder.

Click to expand...

I think you are misinformed on this subject. The responsibility is shared here. The builder must build it safe according to standards. The owner-employer must operate it safely and according to builder's instructions.

In most injury court cases in the US, the plaintiff's attorneys go after ALL parties, not just the builder and owner, but any sub-contractor, parts supplier, shipper, or insurer that had anything to do with the injury or can be made to pay for it.

Unlike in the US where the responsibility lies with the employer, in the EU the responsibility for machine safety lies with the builder.

Click to expand...

Not true. Machine builders are required by law to build to current safety standards here in the US and can face both criminal and civil actions if the rules are not met.

Also, unless the limit switch is for a guard or protects the operator from harm it is not considered a safety device and does not come under those requirements.

Lancie1 said:

In most injury court cases in the US, the plaintiff's attorneys go after ALL parties, not just the builder and owner, but any sub-contractor, parts supplier, shipper, or insurer that had anything to do with the injury or can be made to pay for it.

Click to expand...

I wasn't completely clear about my statement. The primary duty to maintain a safe workplace is with the employer in the US. As far as bodies such as OSHA are concerned, they will fine the employer and not the builder, as the employer is responsible for making a safe workplace.

You're right, with the litigious nature of the US, in the event of an accident, the lawyers will sue everybody, no matter how tenuous the connection, in an effort to make sure no pocket goes unemptied.

Timbert,

I totally disagree with your statement !
The machine builder can and will be held responsible for any machine they build that hurts someone or fails to perform according to required specs. Whether they are building a part or testing parts, if someone gets hurt, the OEM will have questions to answer.

I have worked for several companies in which we were ordered by engineering to change the machine operations and test procedures on two machines. We did only after a lot of discussion and paperwork was signed.

That document told us us what to do and had their signatures on it and saved us from some massive lawsuits, those engineers cost their companies over 100 million dollars and were fired.

regards,
james

Generally the law is identical in Aust. but you find some importers - not US or EU - send unsafe M/C's then vannish -

as Far as Littigation - If someone is injured - if it was me - I would - definately go all the way.

iant said:

Generally the law is identical in Aust. but you find some importers - not US or EU - send unsafe M/C's then vannish -

as Far as Littigation - If someone is injured - if it was me - I would - definately go all the way.

Click to expand...

We like importing "Down Under" your rules are very similar to ours here. The worst for us tends to be Eastern Canada but not for the safety rulse more for all the paper work.

To cover our rears we always work with licensed engineers (mech and elect) in the country we are importing to. Saves alot of headaches.

How many switches are wired non-fail safe on your application?
I am not sure what industry you work in but my background is from the oil / gas industry where the following and more are required as good engineering practice:
Safety systems are implemented in emergency shutdown systems (ESD) NOT DCS.
Control is implemented in DCS.
ESD systems are implemented in PLC or Safety PLC systems conforming to the IEC 61508 standard.
I/O for ESD systems are wired for fail safe operation wherever possible.
Presumably your company did not specify the use of ESD or fail safe I/O during the tender period for your system.
Also it seems that your company did not specify that they would require someone from your projects department to be involved with the monitoring and review of designs before approving the final design for the instrumentation
Maybe you dont have a projects department with technical design personnel? My experience is that when you leave suppliers and consultants entirely on their own during the design then you will usually not like the results but then it is too late to do anything about it without major cost and schedule implications and then you are more or less forced into accepting second best.

You now probably have major system re-design to do if you are truly interested in safety for your system and personnel. However you now have to convince management if you want to go down that road. Remember safety always comes at a price which depends upon how much your company is prepared to pay.

HI All,

Thanks for all replys.
The switches are not on a dedicated safety system. There is a system that takes care of this. "Boiler Control" etc

The switches concerned are on various other bits of plant, ash handling, sand system etc controlled via the DCS.

There is an occasional switch that is configured correctly for high level. Other switches could cause problems if the fail when handling hot ash or sand.

I have still got to get the extent of this and produce a report.

So as such, no one machine builder but various builders for kit and a DCS integrator. The main contractor is now not involved as they left some time ago after settling in a court case!

So I guess the problem lays with the owner and if the switches are identified as a safety risk to humans or plant.

Thanks Again