Drop Outputs on an E-Stop

mcswc3 (Member, joined Feb 2012, USA, 24 posts)
As far as I can remember, we have always dropped power to our output cards (killing all outputs) during an E-stop of a packaging system.

I've been searching for a reason why we do this... and can't find one. Does anyone know of an official or non-official reason why outputs must be dropped during an E-stop?
 
Also depends on the outputs. Some things are probably important to keep energized during an Emergency Stop event, like indicator lights.

I'm sure the SIL link explains it, but if all you did was turn off the PLC Output, but not shut off the available power, what would happen if your PLC Output had failed in the ON position? Your Output would remain energized even if you pressed your Emergency Stop which could definitely cause a dangerous situation.
 
guys, thanks for the quick reply.

dmargineau, I don't see where it says that the power to the outputs must be dropped during an e-stop on that page...

Tharon, why should we assume that an output that fails in an ON state is worse than always dropping power by default each and every e-stop?
 
Actually it is the outputs' supply power which gets "dropped"; it is a SIL (Safety Integrity Level) standard requirement.
http://en.wikipedia.org/wiki/Safety_Integrity_Level
Nothing in any of the standards that use SIL (IEC 61508, IEC 61511, or IEC 62061) that I'm aware of makes this an absolute requirement.

It is however considered good engineering practice if the system has been designed around de-energize-to-safe principles as it provides a redundant method of putting the machine into a safe state that does not rely on programmable logic.
 
I agree that the Wikipedia article does not state it; I don't have it in front of me, however, I believe it's a derivative of the IEC 61508 compliance.
 
Safety should not be done with electronic switches, so that leaves the safety relays.
When electronic, the power is not shut off, only minimized to some leakage.
 
E-Stop almost always disables hazardous motion; which may or may not include output power. Dropping output power to disable hazardous motion is the most common method.

Everything depends on what the machine's Safety Assessment documents state.
 
You do not need to kill power to E-Stop cards, but you do need to design the system such that devices go to a safe state when an E-Stop occurs. For many devices, that means turning them off. Using just programming to do this does not meet the standards because an output card could fail, someone could have modified the program, or an output could be forced on. So to guarantee that a device gets turned off, we need to break the circuit by means of emergency relay contacts. It is much easier to kill power to an output card than to kill each individual output.

We only kill power to the output cards that require it - some output cards remain powered up. Typically we have pilot lights etc on these cards, but there can be other outputs that do not require power removal upon an E-Stop condition. It's all part of the overall design of a safe system.
 
From your question, I gather you are wondering whether this is/was necessary in this case?

Without knowing the exact reasons for powering off all the output cards in your particular case, it would seem overkill, but the risk assessment may have deemed it necessary?

As pointed out, it's the output functions of the system that must be driven off in whatever manner the assessment deems necessary. Breaking the supply to many output cards, or one power supply unit, during a safety function, does save time and money.

But, it should be carefully considered at the safety function design stage. One important aspect to remember is whether outputs are driving their functions directly or, instead, through interposing relays. So again, as mentioned, you make sure you are breaking the function of the system through the safety function, in case of welded contacts, etc. on the interposing relays.
Does driving them all off prevent some dangers, but possibly introduce others? What is the safe state?

Usually, you would not need to break all output functions of a system, let alone the power to all the output cards, but it does depend on that risk assessment.
Usually, if the risk assessment does not require them all off, it's better practice to assign one or more output cards, specifically for the safety function and only break their output functions, or their supply, through the safety function.

So without knowing the specific requirements of your packaging systems risk assessment and safety function design, it may or may not have been overkill to have done this.

You're not sure how long this has been done on this particular system. It was most likely done at the design stage, but possibly, during a later re-assessment, a new hazard was identified that required this to be done, or it was done as a result of a near miss.

I'm not going to go into all the requirements for designing a safety system. Look for that risk assessment. It should tell you what was done and why.

Then, maybe, you can try and decide for yourself if it was indeed necessary?

G.
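The two points made above, that program logic alone cannot be trusted to turn an output off (a failed-short output, a modified program, or a forced output) and that dropping the output card's supply still does nothing about welded contacts on an interposing relay, can be checked with a small fault-injection model. The code below is an added example written for this page, not code from any poster. It models one drive path (PLC output, interposing relay, actuator coil) with three constructed fault modes and three E-stop strategies, all named here for illustration, and it assumes the safety relay's own contacts do not fail, which the thread does not discuss.

```python
# Fault-injection model of an E-stop safety function (constructed example).
# Models one actuator drive path: PLC output -> interposing relay -> actuator
# coil, plus the fault modes the thread discusses, and checks which E-stop
# strategies still leave the actuator energized under each fault combination.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Faults:
    """Fault modes for one drive path (field names are this example's own)."""
    output_stuck_on: bool = False   # output transistor failed short (ON)
    output_forced: bool = False     # output forced ON in the PLC program
    relay_welded: bool = False      # interposing relay contacts welded closed


def actuator_energized(faults: Faults, plc_command_on: bool,
                       card_supply_on: bool, actuator_supply_on: bool) -> bool:
    """Return True if the actuator coil has power in the given state."""
    # What the output channel is actually driving, faults and forces included
    output_on = plc_command_on or faults.output_forced or faults.output_stuck_on
    # An output can only energize the relay coil if its card has supply voltage
    relay_coil_on = output_on and card_supply_on
    # Contacts close when the coil is energized, or stay closed if welded
    contacts_closed = relay_coil_on or faults.relay_welded
    # The actuator only sees power if its own circuit is supplied
    return contacts_closed and actuator_supply_on


# Three ways of implementing the E-stop, as (plc_command_on, card_supply_on,
# actuator_supply_on). In every case the program commands the output off.
STRATEGIES = {
    # Program logic only: the safety relay breaks nothing
    "program_only": (False, True, True),
    # Safety relay contacts drop the output card's supply
    "cut_card_supply": (False, False, True),
    # Safety relay contacts break the actuator circuit downstream of the relay
    "cut_actuator_circuit": (False, True, False),
}

# All 8 combinations of the three fault flags, healthy path included
ALL_FAULTS = [Faults(*bits) for bits in product([False, True], repeat=3)]


def unsafe_fault_sets(strategy: str) -> list:
    """Fault combinations under which this strategy leaves the actuator on."""
    plc_on, card_on, act_on = STRATEGIES[strategy]
    return [f for f in ALL_FAULTS
            if actuator_energized(f, plc_on, card_on, act_on)]


def covered_by(strategy: str) -> dict:
    """Map each single fault mode to whether the strategy still reaches safe state."""
    plc_on, card_on, act_on = STRATEGIES[strategy]
    result = {}
    for name in ("output_stuck_on", "output_forced", "relay_welded"):
        single = Faults(**{name: True})
        result[name] = not actuator_energized(single, plc_on, card_on, act_on)
    return result


if __name__ == "__main__":
    for name in STRATEGIES:
        bad = unsafe_fault_sets(name)
        print(f"{name:22s} unsafe in {len(bad)}/{len(ALL_FAULTS)} fault combinations")
        for f in bad:
            print("   ", f)
```

Running it shows the argument made in the thread in table form: program logic alone leaves the actuator energized in 7 of the 8 fault combinations, dropping the output card's supply covers the stuck and forced outputs but is still defeated by a welded interposing relay, and only a safety-relay contact in the actuator circuit itself reaches the safe state under every fault the model knows about. Which cut point the risk assessment requires is exactly the design decision the posts above describe.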
 
Thanks for all your replies.

I'm looking at creating a "standard" but it's difficult with so many exceptions to any standard. Honestly, there is no strict standard and everything should be decided on a case-by-case basis ("risk assessments").

What does it take to do a "risk assessment" and what makes it official, or at least credible?
 
Excellent question and depending on the industry or customer, it depends. There is lots of info on the web including at the OSHA website. Even a simple documented assessment is far better than none.
 
What makes a risk assessment "official" is documentation and lots of it. You need to prove that you were diligent in finding all reasonably foreseeable hazards. To be perfectly honest, the final arbiter of whether a risk assessment is complete will be the judge presiding over any possible lawsuit because someone was injured.

There are many methods, all very similar, your best option is to determine what standard(s) you are building to. International machinery often uses IEC 62062, U.S. robots use ANSI/RIA R15.06, if there is hydraulic or pneumatic controls ISO 13849 is often the best choice. All of these describe a hazard analysis method. I would venture to guess that ISO 13849 is probably a good choice for a US-based packaging machine.

The basic step is to brainstorm all conceivable hazards of the baseline design. Then try and engineer out the hazards. There will be some you can't design out (at least not and have the machine still function). These will require safeguarding, either engineering controls, barriers, or awareness and training depending on the severity. Look to the standards for guidance on the minimum safeguards required for a particular hazard.
 
Honestly, there is no strict standard and everything should be decided on a case-by-case ("risk assessments").
If there were no exceptions to strict standards, many every-day desirable actions would be illegal. Also the lawyers, testers, underwriters, insurers, and undertakers would have a lot less business.
 
mcswc3,

NFPA 79 - standard for electrical machinery defines e-stop conditions and what gets killed.

also look at NEC 70 - national electric code.

It's the end of the day and I'm on call this weekend.
Time for R & R before the honey-do list tomorrow, and plant calls.

regards,
james
 