anything wrong w/ issuing E-stop thru plc?

tgreif (Member, joined Jun 2002, 30 posts)
First let me explain what we're doing. The E-stop circuit is hardware based. We have some very large pumps that normally go through a controlled shutdown where the discharge valve closes first (very slowly to eliminate pressure surges). When the valve is confirmed closed, the pump motor stops. We have E-stop buttons locally at the motors to instantly stop the motor and close the valve quickly for safety reasons. None of the E-stop logic goes through the plc.

However, the client wanted to be able to E-stop the pump using SCADA, which means initiating an E-stop command through software. The reason for wanting to issue the remote E-stop is in case the normal stop sequence fails. Suppose the discharge valve limit switch fails to activate when the valve closes. The operator would then issue the remote E-stop to kill the pump motor. This is a convenience issue, not a safety issue.

The plc output will activate the same hardware based E-stop circuit as the local mushroom. The integrator is telling the client that's some kind of violation of a code he can't specifically quote, stating it's an inappropriate use of E-stop. I know NFPA-79 (10.7.2.3) says Emergency stop switches shall not be flat switches or graphic representations based on software applications.

First of all, is NFPA-79 considered a code? If not, is there anything in the NEC or elsewhere that prohibits ISSUING an E-stop command through a plc, in addition to the normal safety E-stop local buttons? Maybe we should just call it something else besides E-stop, like Fast-Stop or Instant-Stop. But that doesn't change the fact that we're still going to activate the same E-stop circuit as the local mushroom.
 
If the shoe fits?

Imagine you are the person needing the E-Stop to do its thing and by chance the SCADA unit is balky at that moment; you may answer your own question. The codes of our profession are for our protection, and just because the "code" does not specifically say you can or cannot do something is not reason to go ahead. IMO, E-Stop had better make the things E-Stop, especially if I am the one who needs for the darn thing to quit ripping my arm or leg off!
 
If it's not a safety issue try to avoid using Emergency Stop, it just creates confusion. What it really is, is a controlled stop performed by the PLC that mirrors what the hard-wired E-stop circuit does.
 
I agree with the other posters. We had an HMI with a button labelled "Quick Stop" instead of E-stop. All the operators in any plant I work at are informed what the differences are between E-stops, Zone stops and Quick stops. Once someone knows the purpose of an E-stop, they may hit something improperly labelled an E-stop and think all is well when it really isn't. Keep E-stops E-STOPs and develop other names for other stop routines.
 
I agree that under no circumstances should you call the HMI object used to shut your system down an "E-stop." In software, the pump halt routine could recognize that the valve either failed to close or that the LSC failed to make and then shut down the pump anyway.

If I could make a suggestion, however, about your E-stop scheme in general. If there is risk to the equipment because of pressure surges at pump shut-down, you could conceivably be provoking a safety hazard with your E-stop...jumping from the frying pan of an undesirable situation into the fire of a truly dangerous one. If I were you, I would investigate the possibility of using a CE-approved safety relay that incorporates one or more sets of time-delayed contacts along with the instantaneous ones. That way, an E-stop condition will cause the valves to begin closing immediately, and then will shut down the pumps X seconds later, giving the system time to depressurize. In addition, if you choose and wire the safety relay properly, you'll get the added protection of using a monitored safety circuit instead of what you have now.

It's not a perfect solution, but I think it might be superior to the slam-off scheme you have now.
 
EStop

We use two types where I work. The first is your normal e-stop and the second one is called a "System Stop". System Stop could easily mean an HMI button.
 
I am not arguing with the other posters here; I agree with them from the standpoint of the local e-stop killing everything.

My understanding from the original post is that they want to be able to do an e-stop from a remote location, which could be miles away, perhaps not even in the same state or region. Since this is for the normal sequence not working properly, and wanting a quick stop, it changes normal thinking.

Looking at it from that perspective, then the PLC based e-stop should (Notice SHOULD, not WOULD) be acceptable for what they are trying to do. Local jurisdictions may dictate NFPA, NEC, and in some cases OSHA guidelines with higher authority. NEC is really not a factor here.

If the case there was an actual emergency arm being ripped off shutdown, and the only person who could hit the button was miles away, then what are the other options?

1) A hard wired control circuit to the remote location, which could become intermittent, especially if it is a "dry circuit". If it were live, then any intermittency could cause the machine (system) to shudder, or just plain quit.

2) A radio remote circuit, such as a fireman's two tone pager, with a relay or "shunt trip" circuit. Possibly a touch tone decoder, so any number of portable radios could access it (direct or thru a repeater).

3) A dial up relay circuit, or phone with a decoder circuit of some kind.

4) Hop in the Jeep and drive like 4377!

5) Telekinesis

6) ???

Considering these, then I would have to say YES, it is permissible.

Since this is not replacing the original quick shut down e-stops, and since they are not going thru the PLC, it appears acceptable to me. If it were a real safety issue, then I would hope that there would be 2 man operations.

regards to all......casey
 
tgreif said:
This is a convenience issue, not a safety issue.

If this statement is true, then I see no problem with this method.

In all my systems, I have a PLC output driving a relay connected in series with the hardwired E-Stop loop. This allows the PLC to initiate an E-Stop if it needs to. Mind you, this is NOT intended for OPERATOR safety, but simply as a way for the PLC to have a say in things.

I use the normally-open contacts of the relay in the E-Stop circuit, so if the PLC output turns OFF, the E-Stop loop is opened. Very similar to the dedicated "RUN" contact on larger PLCs.

I typically use this to automatically shut the machine down when certain machine faults occur. For example, if a cylinder fails to reach its end of stroke within a predetermined time, there's a good chance that it's jammed. Why wait for an operator to notice the machine alarm and stroll over to push the E-Stop, when the PLC can have the ability "push the E-Stop" NOW?


-Eric
 
I have on occasion powered the E-Stop from one of the PLC Outputs. This way if the PLC Faults, and power is cut to the output card, the E-stop gets automatically tripped.

[attached image: e-stop.jpg]
 
Here, it is fairly common practice (with PLC based systems) to have one output driving a relay (PLC_ESR), then having a set of contacts from PLC_ESR in series with the actual hardwired ESTOP loop.

The full-motion zero-potential energy stop is then properly engaged if a PLC drops out of run, or faults, or some true illegal condition is detected with machinery. In essence, the PLC_ESR contact is used any time the PLC detects something that can be a major problem.

That being said, we do not place any ESTOP operators on HMI displays, even as a mimic or convenience. If you must have that kind of function on an HMI display, I would definitely call it something else (PUMP LOCKOUT? SECTION STOP?), and have it perform the stop you are looking for independent of an Emergency Stop loop, even if it performs exactly the same function at the pump.

As others here have stated, we also often have several different modes of stopping a line, which can appear on an HMI (Normal Stop, Fast Stop, Programmed Stop), but the E-STOP is unique in that any operator so labeled is absolutely, 100% going to have the desired effect of a complete shut down, as fast as possible. No HMI has yet proven so reliable that I'd label a button on one ESTOP.
 
NEC requires a means of stopping the equipment that is located within sight of the machine. There are exceptions and detailed requirements, but in general you need a red mushroom head E-Stop or safety disconnect within sight of the pump.

There is nothing wrong with putting a "Manual Stop" or "Quick Stop" or "Run Enable/Disable" in SCADA as you want to do. However, by convention in most industries (every one I've seen in fact) "E-Stop" always refers to a hardwired device used to stop the machine. Violating this convention by calling an icon on SCADA an E-Stop is going to at least cause confusion, may cause a safety hazard, and certainly can't eliminate the required hardwired E-Stop.
 
When I have done projects with this type of valve/pump set-up, I have the PLC control the valve and the pump. This eliminates the problem of the pump being stuck on if the valve fails to close (you don’t get a signal from the valve that it is closed). I create two alarms, Valve Failed To Open and Valve Failed To Close. When I send the Valve Close signal I start a timer, if the valve doesn’t close within a certain amount of time I set the Valve Failed To Close alarm and turn off the pump. I also display how long the valve took to close on the HMI so that the operators can inspect a valve that is taking longer than normal to close.

In your case, if you can't change the system to have the PLC control the valve and the pump, I would install a relay into the E-Stop circuit and have a Valve Failed To Close alarm control the relay along with a button in the HMI. As others have noted, I would not call it an E-Stop; I would label it "Dead Stop" or "Valve Failure Stop", something to let the operators know you're not supposed to use this unless there's a problem with the valve.
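The two mechanisms described in this thread, Eric's fail-safe relay (a PLC output that must stay energised to hold a normally-open contact closed in the hardwired loop, so that loss of the output opens it) and Tark's valve-close watchdog (command the valve closed, time it, raise a Valve Failed To Close alarm and stop the pump if the closed limit switch never makes, and record how long the close took for the HMI), can be modelled as one scan-based controller. The following is an added example written for this page, not code from any poster; the state names, the start-against-closed-valve ordering, the timeout setpoints and the `Inputs`/`PumpController` fields are all assumptions. It also adds the operator-initiated "Motor Trip" the original poster settled on, so the example goes slightly beyond Tark's automatic-trip version.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed setpoints (constructed for this example, not from the thread).
VALVE_CLOSE_TIMEOUT_S = 90.0
VALVE_OPEN_TIMEOUT_S = 90.0


@dataclass
class Inputs:
    """One scan's worth of field and HMI inputs (all names assumed)."""
    zsc: bool = False            # discharge valve CLOSED limit switch made
    zso: bool = False            # discharge valve OPEN limit switch made
    start_cmd: bool = False      # HMI normal start
    stop_cmd: bool = False       # HMI normal (controlled) stop
    motor_trip_cmd: bool = False # HMI "Motor Trip": operator's deliberate trip
    plc_fault: bool = False      # PLC health lost (would also drop the output card)


@dataclass
class PumpController:
    state: str = "STOPPED"        # STOPPED, OPENING, RUNNING, CLOSING, TRIPPED
    pump_run: bool = False        # motor run output
    valve_close_cmd: bool = True  # valve command output (True = drive closed)
    timer_s: float = 0.0          # stroke timer for the current valve move
    last_close_time_s: Optional[float] = None  # displayed on HMI for trending
    alarm_valve_fail_close: bool = False
    alarm_valve_fail_open: bool = False
    # Energised = E-stop relay held in, its N.O. contact keeps the loop closed.
    # Anything that de-energises it (trip, fault, lost output card) opens the loop.
    plc_esr: bool = True

    def _trip(self) -> None:
        """Drop the permissive output, stop the motor, drive the valve closed."""
        self.plc_esr = False
        self.pump_run = False
        self.valve_close_cmd = True
        self.state = "TRIPPED"

    def scan(self, inp: Inputs, dt: float) -> None:
        """One PLC scan; dt is the scan interval in seconds."""
        # Trip conditions are evaluated first and latch via the alarm bits.
        if (inp.motor_trip_cmd or inp.plc_fault
                or self.alarm_valve_fail_close or self.alarm_valve_fail_open):
            self._trip()
            return

        if self.state == "STOPPED":
            if inp.start_cmd:
                # Assumed order: start motor against closed valve, then open slowly.
                self.pump_run = True
                self.valve_close_cmd = False
                self.timer_s = 0.0
                self.state = "OPENING"
        elif self.state == "OPENING":
            self.timer_s += dt
            if inp.zso:
                self.state = "RUNNING"
            elif self.timer_s >= VALVE_OPEN_TIMEOUT_S:
                self.alarm_valve_fail_open = True
                self._trip()
        elif self.state == "RUNNING":
            if inp.stop_cmd:
                # Controlled shutdown: close the valve first, motor stops when ZSC makes.
                self.valve_close_cmd = True
                self.timer_s = 0.0
                self.state = "CLOSING"
        elif self.state == "CLOSING":
            self.timer_s += dt
            if inp.zsc:
                self.last_close_time_s = self.timer_s   # operators can spot a slow valve
                self.pump_run = False
                self.state = "STOPPED"
            elif self.timer_s >= VALVE_CLOSE_TIMEOUT_S:
                # Tark's Valve Failed To Close: alarm and kill the pump anyway.
                self.alarm_valve_fail_close = True
                self._trip()
        # TRIPPED: stays latched until reset()

    def reset(self, inp: Inputs) -> bool:
        """Operator reset; refused while a trip input is still present."""
        if inp.motor_trip_cmd or inp.plc_fault:
            return False
        self.alarm_valve_fail_close = False
        self.alarm_valve_fail_open = False
        self.plc_esr = True
        self.state = "STOPPED"
        return True
```

Note that `plc_esr` defaults to energised and is only ever driven false by a trip; on real hardware the output card losing power on a PLC fault gives the same open-loop result without any logic running, which is the point of using the normally-open contact.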
 
On occasion, specs for Diesel engines (for pumps, fire pumps, generators, barge propulsion, etc.) have required one of two switches.

EMERGENCY SHUTDOWN

One is the emergency shutdown, which sometimes closes an air damper stopping all air flow into the engines intake. Other times, it causes CO2 to be released into the intake, again shutting down the engine. These are in addition to fuel shut off, Rack Solenoid, or governor retarding.


EMERGENCY NON SHUTDOWN "RUN TO DESTRUCT"

The other switch requested from time to time is "RUN TO DESTRUCT". Sort of an emergency NON-SHUT-DOWN. Engine will run, but shutdown alarms are bypassed, such as no oil pressure, no water/coolant, overspeed. I don't want to be around a Diesel that lets go! Sometimes you are willing to sacrifice an engine to keep water or sewage flowing, or keep a barge from running into a bridge.


NOTE:
This is not advocating no e-stops on machines, or bypassing them.

I REPEAT:
This is not advocating no e-stops on machines, or bypassing them.

regards......casey
 
Thanks for all the input guys. I'm going to defer to the collective majority here and rename the software function Motor Trip. This should eliminate any future confusion.

In response to a couple of your questions:

Jefersonian: Quick stopping the pump can cause surge pressures but will not likely be destructive to equipment unless there are some weak pipe joints. This is no different than a stop under power failure. That hasn't been a problem, so neither should this.

Tark: I really don't want to stop the pump automatically if the valve just fails to close. I want the operator to make a conscious decision that he's going to do this. These are large pumps and we generally just let the pump continue to run if the discharge valve fails to close on a normal shutdown. We don't want reverse flow through these pumps, which would occur if the valve is still open. I've stood next to a 300 HP pump running in full reverse and I can tell you, it's scary. I swore that the darn thing was going to dance right off the pad before we got the valve shut. The operator will generally know if the limit switch has been balky and he'll make the decision to trip the pump.

Casey: On your reference to RUN TO DESTRUCT. This is very common for fire pumps. In fact, to my knowledge, fire pump controls are not allowed to stop the pump due to equipment malfunction alarms.

Thanks again folks
 