Safety PLC I/O Points

I have limited experience with the controllogix and compactlogix plc's in terms of safety but I have a project for a grinder system that will have 4 estop buttons and 6 limit switch's that are all hard wired in series with the stop and start buttons to start all the motors on the other similar grinders we have.

I was looking to maybe use 1768-L45S controller but I thought on safety plc systems the I/O had to be redundant and that does not seem to be the case on this unit?

If someone could clarify this for me just a little it would be very helpful.

You are asking multiple questions here.

For any system to be safe, you must first do a risk assessment (with maintenace, operations, safety, and engineering involved). From this risk assessment, you will determine what kind of risk category you are in and what is needed for a properly designed safety system. There is no requirement that all I/O has to be dual channel or redundant.

One thing that is needed is that the system be designed properly. If someone gets hurt, then this document will find its way into court. If there is no documented risk assessment, then rest assured that will also be brought up.

There are many documents out there that describe the task of assessing the risk.

Here is one that I use because I like the banner safety controller: http://www.bannerengineering.com/en...E-Safety-Controller-with-Ethernet/#literature

Also there is some good stuff on the AB site and the STI site.

As for wiring the e-stop and start and stop buttons in series, I would say that is a improperly designed system. That really doesn't meet the definition of an estop since it is in series with the stop pushbutton and an e-stop requires seperate reset before being able to start the machine.

You need to alert your managers to the fact that these systems are not adequately designed and need to be upgraded. There is nothing worse that seeing someone get hurt (or even yourself) and realizing that you had the ability to prevent it.

They came from the machine builder wired this way. We are just moving components to a larger cabinet so we can put 2 of the DOL started motors on drives.

From what I saw the guardlogix plc does not have a option for safety IO? All the modules I saw were standard modules?

I have never done a risk assessment so do we have to do it or do we need to get a 3rd party?

This is a very simple and very small machine.

Is SIL 3 the highest level? Could we not just design to SIL 3 if it is the highest level to make sure of no issues.

Cost would not be a factor as we would rather over design the safety system rather than take any chance of issues.

Hi
Hi

I have never done a risk assessment so do we have to do it or do we need to get a 3rd party?

This is a very simple and very small machine.

A simple small machine is the perfect place to start as the same
Systems are needed for a bigger machine. If you move the items to a
Bigger panel did you now become " the owner of the machine"
You must provide a safe machine and it is up to you to show in writing
How you have designed the system.


Donnchadh

SIL 4 is the highest.

That few safety functions doesn't justify the cost of a safety PLC & safety I/O for me. As simple as it sounds, I would use a safety relay for the E-stop PBs to energize safety contactors in series with the motors. Of course, a safety assessment might yield more required functionality.

brucechase said:

As for wiring the e-stop and start and stop buttons in series, I would say that is a improperly designed system. That really doesn't meet the definition of an estop since it is in series with the stop pushbutton and an e-stop requires seperate reset before being able to start the machine.

Click to expand...

I have seen many older machines setup this way from different OEM though. Is the requirement for a seperate reset something that came about in the last 10 years? I have seen a lot of equipment like this but it was stuff that was 10-20 years old. Do the estop buttons to a safety relay need to be redundant wiring? I ask as most I have seen are this way

markcarter1982 said:

Do the estop buttons to a safety relay need to be redundant wiring? I ask as most I have seen are this way

Click to expand...

Its normally dictated by the safety assessment. But if you want to be sure, use redundant contacts (dual channel) on the safety operators.

It sounds like your company does not have much experience in safety systems? If not, I would highly recommend you engage a consultant to determine safety requirements for your system based off a risk assessment/s.

As mentioned above, your system does not sound like it needs a safety PLC, hard wiring and safety relays should do the trick. However you definitely need the proper assessment done, one complete the design requirements will fall into place.

markcarter1982 said:

I have seen many older machines setup this way from different OEM though. Is the requirement for a seperate reset something that came about in the last 10 years? I have seen a lot of equipment like this but it was stuff that was 10-20 years old. Do the estop buttons to a safety relay need to be redundant wiring? I ask as most I have seen are this way

Click to expand...

You need to be very careful about what you call an emergency stop. An emergency stop implies safety rated performance, and having a single contact pushbutton in a control circuit is not an 'emergency stop'.

Im not sure about the US, but in Australia we had requirements for a safety category (as opposed to SIL) through the machine guarding standard (AS4024) for a long time, longer than ten years certainly.

There are several safety standards which people seem to be mixing up here.
SIL was mentionen, based on EN61508. This ranges from SIL1 to SIL4, although SIL4 is not usually used. This standard is appropriate for most functional safety problems, but is complex, so you may be better off with a simpler standard.
Another standard is EN954, which has been incorporated into other standards such as the Australian standard AS4024. I would recommend using this as a starting point, as long as it will comply with your local standards. This uses the concept of safety categories from B, then proceeding from 1 to 4.
A quick summary of these categories are:
B = Normal well designed electrical circuits
1 = As for B, but with enhancements for reliability
2 = As for B and 1, but with checking for failures
3 = Dual channel redundant, single failures will not cause loss of safety, as much failure checking as practical.
4 = Dual channel, single failures cannot cause loss of safety, accumulated failures will either not cause loss of safety or will be detected.

Old machines that were well designed would generally conform to category 1.
The appropriate category would be chosen from the risk assessment, and you can have different categories for different parts of the machine. For example, a limit switch detecting that a guard has been removed may only be category 1, but the emergency stop on the same machine may be required to be category 4.

Finally, the EU has brought out a new standard that will likely be adopted worldwide over the comming years. This uses performance levels rated from a to e, and are roughly equivelent in safety to categories B to 4. This standard was improved to take into account probability of failure, and so should be a better standard than the old EN954.

Overkill

I have successfully completed a project using a guardlogix PLC and Safety IO. I would NOT recommend doing it. The company I did the system for requested it. I look at the majority of safety stuff out there as marketing hype more than anything. "You need this, its complex and cost a lot but Its for Safety"

There are no modules that can fit into the local guardlogix chassis that are safety rated. I used the 1734- Point guard IO from AB. So now you need a communication card for the control logix chassis and com adapter for the point guard IO. I chose Ethernet.

The system I did consisted of a guardlogix controller, Point IO safety modules to control redundant air shut off valves, trapped door safety door switches, Powerflex drive safe-off modules, global estops.

The system consisted of 5 independent zones that could be stopped and safe to enter while the other zones were operating. Then there were global devices like estops that shutdown all of the zones.

The only positive thing about the whole project was learning all about safety categories and how to apply them. If I could specify the safety hardware for the system I did, I probably would have used the modular safety relays. Even then I still think that is overkill.