Safety Circuit Setup for Multiple Cabinets/Output Modules

Jieve (Member, joined Feb 2012, USA, 274 posts)
Hello,

We are re-wiring a multi-conveyor system used for educational purposes, and I'd like to run the basic design of the safety circuit/power supply setup by you guys more experienced in panel design/building to see what you think.

The system has one main cabinet with two safety relays, 5 sub-cabinets each with Siemens S7-1500 PLCs and 1x motor control center with 5 VFDs.
There are e-stop buttons at each sub-cabinet and the MCC, an e-stop button at the main cabinet and 2 safety circuits. All e-stop buttons are dual channel and the E-Stops at the sub-cabinets/MCC are wired in series to a safety relay in the main cabinet. Hitting any sub-cabinet/MCC E-Stop button cuts the +24V output power to one group of PLC outputs in each sub-cabinet.

In addition, hitting the E-stop button on the main cabinet cuts all mains power to all sub-cabinets and MCC. This is controlled by the main Safety Relay.

Each safety circuit uses redundant contactors for power switching.
For power to all other components (PLCs, HMIs), each sub-cabinet has its own +24V supply.

Does this method of E-Stop circuit setup sound reasonable? I’m not asking about SIL/etc. level, I just wasn’t sure if running all E-Stop controlled PLC outputs in separate cabinets from a single main supply is common practice, or if it is more common to have separate E-Stop circuits/Safety Relays in each sub-cabinet and use a local supply to power local outputs.

Thanks for the input.
 
Seems reasonable to me. By keeping your safety circuit on its own supply source, you can avoid issues of other devices potentially causing problems with that supply.

It's all low voltage, so there is little safety concern about the external sources of power into the cabinet, but for troubleshooting and such you'll want to label the terminals as such. (Local regulations and such should always be followed for labeling external power sources feeding cabinets.)

I have multiple robotic machine tending cells where the robotic safety circuit emergency stop and safety gate system is sent through each separate machine on its own power supply, common to all devices in the safety circuit loop. Each machine interacts with it through dry contacts.
 
Jieve,

I am not familiar with the rules in your country, so I will discuss the rules as I know them in the USA. Note that more experienced designers that go outside the USA may have a better answer.

If your country goes by the EU rules, you must design the circuit to those standards.

1. Only one safety relay, so what were your thoughts behind the use of 2?
Only one reset and start pushbutton and that's on the main panel.

2. Pressing any e-stop trips the safety relay which will kill the I/O power to everything. Note that there are certain exceptions and you must qualify those exceptions.

Since this is a multi conveyor system, if you hit the e-stop on the last section, all other conveyors feeding that conveyor must stop or you will jam up the conveyor system.

3. If you use a safety plc, you can program all systems below the e-stop to keep running while the ones upstream stop.



regards,
james
 
Guys, thanks so much for the replies.

The thoughts behind using 2 safety relays was that one circuit kills the +24V PLC outputs (only specific output groups for critical actuators), and the other circuit literally kills all line power to the sub-cabinets. While the complete shutdown may not be common practice, we were thinking that it would be an extra measure of safety since students will be programming this system.

The safety relay that controls the Output modules is cascaded with the main safety relay. There is a key switch on the main panel, as well as an output power on button. The key switch activates the main relay, which sends line power to each of the sub-cabinets. Once this main safety relay is active, the second safety relay (controlling PLC outputs) can be activated by pressing the "output power on" button.

The S7-1500 output modules allow separate power connections to each output group (8 digital outputs), so we are only switching off one group (and any potentially dangerous actuators would be connected to this group). LEDs, etc. are connected to the other outputs through non-safety local power supplies so they are not switched off when E-Stop is pressed.

One other reason we are going the single output group per PLC cut-off route, is because we are using 2 power supplies in parallel, which have a max of 8A each (total 16A). Each output module output group can handle 4A total output, so with 5 cabinets and our supplies we can supply about 3.2A per output group. This covers the actuator current draw for each subsection of the system.

Doing this all via safety PLCs probably would make it a bit easier and give us more flexibility, unfortunately the PLCs we already have are standard non-safety S7-1500's.
 
Jieve,

I'm sorry, but in my opinion it's not allowed.
If this was an industrial application, it wouldn't be allowed and you need to teach your students how to do things based on real world applications.

By having the 2nd safety relay, you are teaching them that it's OK.
When they graduate, that's how they will design the circuit, the way they were taught. Your teaching methods will then be called into question and your school will also be called into question. Don't mean to be rude, but that's where I will stand if I were a business trying to hire someone from your school.

regards,
james
 
To me, this is a 2 zone application:

Zone 1: Master E-Stop. Takes down Main MCC and Sub Panels.
Zone 2: Sub Panel E-Stops. Takes down Sub Panels only.

Things I would note:
1) Decide which category/PL/SIL you are aiming for.
2) I don't regard dropping 24V DC from output cards as safety. Others may have differing opinions.
3) If you have motors, use safety contactors or safe stop/safe torque off.
4) If you have Pneumatics/Hydraulics, use safety valves.
5) Decide if daisy-chaining E-Stops meets your safety level.
6) Do your E-stops need test pulses? This is also safety level related.
7) Your safety performance is only as good as your weakest part. If you use 2 channel E-stops, but a single safety contactor, dump valve, or only 1 safe signal; your system is not "Dual Channel".
8) Decide on which reset behaviour you want. Single reset, or multiple reset as per zone.

You're on the right track here with the hardware, but you need to tweak the design a little. Your Master E-Stop and Relay are wired correctly. They should be shutting down safety contactors for the Main and Sub zone supplies. One way to achieve your sub-zone is to use your second relay and E-stops to drive another pair of safety contactors. These safety contactors will go after the first pair, and interrupt only the sub panel supplies.

Without going silly, this would be an "ok" example. As a teaching example, you could bring up the topic of segregated relays, zones and the use of daisy-chained safety devices. I tend to type a lot without being concise, so if you require a diagram, just ask.
 
Thanks for the replies.

James, I agree with you completely here in terms of teaching real world applications. This is also the reason I posted this question, so I really appreciate the feedback. So you're seeing there being an issue with using a second safety relay? I'm using the following Siemens safety relays:

3TK2825-1BB40, this is the main for shutting down all MCC and sub-cabinet power. The 3-phase to the MCC and 1-phase to the cabinets is run through 2 contactors in series that are controlled by this safety relay. The E-stop pushbutton is dual channel and wired into the relay. The key switch resets the relay.

3TK2841-1BB40, this is the relay being used to switch off the +24V output groups in the sub-cabinets and will be used as the signal for the VFDs' safe torque off failsafe inputs. The +24V from the power supplies runs through 2 contactors in series controlled by this safety relay. All sub-cabinet E-Stops are chained dual channel input to this safety relay, and the "output power on" pushbutton switches it on.

In the relay manual for the 3TK2841-1BB40, there is a wiring example of two safety relays cascaded. One circuit is used for an E-Stop, the other for protective door monitoring, and this is the wiring method that I used. The E-Stop shuts off both safety relays, the protective door only the lower relay.

So what specifically do you see as the problem, and how would you go about changing it?

Jeev, thanks so much for your input also. It seems to me like the description of the way I've wired this system is exactly as you describe in your second to last paragraph. I would be really grateful if you could maybe send/post an example or two of multi-zone E-stop circuit wiring using multiple relays... I haven't been able to find good examples of this in any of the literature I've found.

Also, when you say you don't find switching off the +24V PLC outputs safety enough, you just mean that the better option would be to make all valves etc. safety devices? I was always taught that cutting outputs is standard and it has been in many systems I've seen. What would you recommend instead?
 
Jieve,

As I stated earlier, I am familiar with USA rules and have never seen a dual safety controller used as you described. I have only been allowed to use a single safety circuit.

At this point I can only suggest that you look at a safety PLC relay. It will stop all conveyors upstream and continue running downstream.

Maybe someone else can add to your post, but I don't think I can add much more help.

You might also do a search on programming techniques, methods, advice, starting a project. Lots of useful help.

regards,
james
 
Multiple safety circuits are not a problem and are the solution in many cases on large process lines. It all depends on the equipment, layout, distance between E-Stops and a lot of other factors which have to be considered in the risk assessment.
 
Jieve

What you have proposed is ok for educational purposes but I would go a step further and explain that this is not the common method and you should teach the single circuit method as well as the zoned method.

Also you should go a step further and teach the importance of a risk assessment and make sure your students understand that, unless it's a skid machine, no 2 safety systems are the same, and even with skid machines that's the case in a lot of situations.

For your example it all depends on how far the E-Stops are from each other and if they are within sight of each other, the distance of the conveyor and other hazards.

Just remember when talking safety systems there is very seldom a cut and dry one size fits all answer.
 
To answer your questions; dropping the supply from a PLC output card is a control function. It is the same as turning your outputs off, but in hardware. This used to be classed as "safety" years ago, but it does not use safety hardware, nor is it redundant. If your only safety is dropping the +ve, -ve, or both from an output card, you're asking for a supply fault to render your design useless. Some of our much older machines have used this, and I cringe every time I see it.

Not every valve and contactor has to be a safety contactor. In the simplest example I can give: take a small machine with some motors, valves and cylinders. Dropping the main supply to the motors with safety contactors and the main supply to the air with a dump valve might be all that's needed. This can differ greatly for some pneumatic or hydraulic systems where the safe state is to actually trap pressure in the cylinder, in which case it's a safety check-valve. Dump valves are used for removal of residual energy.

There are 2 flavours of circuits depending on the reset behaviour you require:

1) Hitting the Main E-Stop and then pressing the Main Reset will reset everything (I don't like this one).
2) Hitting the Main Estop and then pressing the Main Reset will Reset the Main Zone, but the Sub Zone can only be reset after also pressing the Sub Reset.

Before I draw something up, are there any motors in your Main MCC? What's dropping the 3 phase doing there? Are your Sub Panels all single phase, with single phase VFDs? If this is the case, and you are using the safe stop function, I would not drop the phases.
 
Thanks everyone for the responses.

Jeev, the reset behavior the way the system is currently wired is how you have described under #2 of your post. Cutting the master safety relay using the main E-Stop literally shuts down all power to the cabinets. When the power is turned back on, the second zone relay still needs to be reset as well for the PLC output power to come back on. Again, both safety relays use a pair of contactors EACH to cut power.

At the risk of sounding redundant, the PLC outputs are cut in the same way. +24V runs through two NO contacts of two separate contactors in series. These contactors are controlled by the second safety relay. In order to have a power fault that would cause the PLC outputs to not shut off, both contactors would have to weld shut and this would have to go undetected. Both circuits are setup as category 3 safety circuits based on the older EN 954-1 norm.

There are a total of 5 Siemens VFDs (G120), each driving a separate 3-phase motor (these are small 1/3hp squirrel cage motors) in the MCC. The motors are mounted on the conveyors. 3-Phase power comes into the main cabinet (separate from the 1-phase that's powering all of the sub-cabinets), through the main safety circuit (again, NO contacts on paired contactors), then goes out of the main cabinet to the MCC. The phases are only dropped when the MASTER E-stop is pressed, if any of the other E-Stops are pressed, only the +24V that is going from the main cabinet to the redundant failsafe inputs of each VFD is cut, triggering the "Safe Torque Off" state for each motor.

PBuchanan, just to clarify, when you say "not the common method" you're referring to cutting the sub-panel power completely using a master safety relay, right? I've never been a major fan of cutting all PLC power when hitting E-Stops, but again this was just an extra safety measure for the students. The reality is that at the moment there isn't much potential for injury, but we are treating the system as if there is.
 
PBuchanan, just to clarify, when you say "not the common method" you're referring to cutting the sub-panel power completely using a master safety relay, right? I've never been a major fan of cutting all PLC power when hitting E-Stops, but again this was just an extra safety measure for the students.

Jieve

When I said not the common method I meant a zoned E-Stop method. Single circuit non zoned E-Stops are the most common.

I also am not a fan of killing all power to the panel unless it's necessary or the best method, which it very rarely is. There is not often any reason to kill power to inputs or PLCs or many outputs. We only need to put hazardous items in a safe condition.

Notice I said put hazardous items in a safe condition, not turn off their output. In some cases things may need to move from the position they are in to get to a safe state, and many times an output needs to come on to be in a safe state. It just depends on what it is and how it's applied, which is where the safety risk assessment comes in.

90% of the time to put things in a safe state that does mean removing power from the output or load but not always.

The reality is that at the moment there isn't much potential for injury, but we are treating the system as if there is.

And that my friend is the way to teach students. Even though it is a simulation of sorts, they need to be taught and they need to act like it's a real production system they are working with, with consequences that are paid with possible loss of life and property damage.

If I may make a suggestion, another thing that I don't see being taught well to most students new to the industry is good design thought. Such as, when you have a zoned E-Stop system, what methods you need to design into the system to let operators and technicians know where the fault is quickly.

I don't know how many process lines I have run into in the field that have 6-8 E-Stop zones with 15-20 devices in each zone that could cause the E-Stop condition, and the only HMI alarm you got was one like "E-Stop active Zone 1". That's fine, most times you can find the issue, but what about when an E-Stop device gets flaky and it takes hours and multiple line stops from false E-Stop conditions to find the culprit?
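The post above asks for zone diagnostics that name the device, not just the zone, and that catch a flaky E-Stop before it costs hours. The following is an added example, not code from the thread or from any vendor: it assumes each E-Stop has a spare auxiliary contact wired to an ordinary (non-safety) PLC input so the controller can see which device in a zone opened, and the zone table, device names and scan sequence are constructed for illustration. It records the first device to open in each zone ("first out") and flags any device that trips repeatedly inside a short window.

```python
"""First-out capture and flaky-device detection for a zoned E-Stop system.

Added example, not from the thread. Assumes each E-Stop has a spare auxiliary
contact wired to an ordinary (non-safety) PLC input, so the controller can see
which device in a zone opened; the zone table and scan data are constructed.
"""
from collections import defaultdict, deque

# zone -> devices whose auxiliary contacts are monitored (constructed names)
ZONES = {
    "Zone 1": ["ES101", "ES102", "ES103"],
    "Zone 2": ["ES201", "ES202"],
}


class ZoneDiagnostics:
    def __init__(self, zones, flap_window=10, flap_limit=3):
        self.zones = zones
        self.flap_window = flap_window      # measured in PLC scans
        self.flap_limit = flap_limit        # trips inside the window => suspect device
        self.prev = {d: True for devs in zones.values() for d in devs}  # True = contact closed
        self.first_out = {}                 # zone -> device that opened first
        self.trips = defaultdict(deque)     # device -> scan numbers of its trips
        self.scan_no = 0

    def scan(self, states):
        """states: {device: contact closed?}. Returns the alarm texts raised this scan."""
        self.scan_no += 1
        alarms = []
        for zone, devices in self.zones.items():
            now_open = [d for d in devices if not states[d]]
            newly_open = [d for d in devices if self.prev[d] and not states[d]]
            for d in newly_open:
                self.trips[d].append(self.scan_no)
                while self.trips[d][0] < self.scan_no - self.flap_window:
                    self.trips[d].popleft()     # forget trips outside the window
            if now_open and zone not in self.first_out:
                # first scan in which the zone dropped: name the culprit, not just the zone
                self.first_out[zone] = (newly_open or now_open)[0]
                alarms.append(f"E-Stop active {zone}: first out {self.first_out[zone]}")
            elif not now_open and zone in self.first_out:
                alarms.append(f"{zone} healthy, reset permitted")
                del self.first_out[zone]
            for d in newly_open:
                if len(self.trips[d]) >= self.flap_limit:
                    alarms.append(f"{d} tripped {len(self.trips[d])}x in "
                                  f"{self.flap_window} scans: check contact/wiring")
        self.prev = dict(states)
        return alarms


def demo():
    """Constructed scan sequence: one genuine press on ES102, then ES201 chattering."""
    diag = ZoneDiagnostics(ZONES)
    healthy = {d: True for devs in ZONES.values() for d in devs}
    es102 = dict(healthy, ES102=False)
    es201 = dict(healthy, ES201=False)
    sequence = [healthy, es102, es102, healthy, es201, healthy, es201, healthy, es201]
    return [diag.scan(s) for s in sequence]


if __name__ == "__main__":
    for n, alarms in enumerate(demo(), 1):
        for a in alarms:
            print(f"scan {n}: {a}")
```

The auxiliary-contact inputs are not part of the safety circuit and must never be used to decide whether the zone is safe; they only tell the technician where to look. The window and trip limit are tuning values; on a real line they would be set from how often a healthy E-Stop is legitimately pressed.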
 
In order to have a power fault that would cause the PLC outputs to not shut off, both contactors would have to weld shut and this would have to go undetected.

All it takes is a short between the supply and the wire going to the output card, and it bypasses the entire safety side. Single point of failure, single fault, undetected.

I've tried to understand your setup as best as possible from the description. Is the attached what you currently have?

(Yes, I'm aware that this is the worst drawing to ever be seen by human eyes. It was quick and dirty, and frankly I'm ashamed of it :p)
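To make the two arguments in the thread concrete (the cascaded master/sub-zone relays with the reset behaviour Jeev calls "flavour 2", and the difference between a welded contactor, which the feedback loop catches, and a short around the 24V contactors, which nothing catches), here is a small simulation. It is an added example, not code from the thread or from Siemens: the names K1 to K4, `Plant`, `reset_master`, `reset_sub` and `bypass_short` are assumptions, and the relay logic is a deliberate simplification of what a 3TK28 relay does, not its actual internals.

```python
"""Toy model of the two-zone, cascaded E-Stop circuit discussed in this thread.

Constructed example, not code from the thread or from Siemens. Assumed names:
K1/K2 are the redundant mains contactors driven by the master relay (zone 1),
K3/K4 the redundant +24V contactors driven by the sub-zone relay (zone 2). The
relay logic (dual channel, manual reset, feedback loop that must prove both
contactors open before a reset is accepted) is simplified.
"""
from dataclasses import dataclass


@dataclass
class EStop:
    name: str
    ch1_closed: bool = True      # two NC contacts, one per channel
    ch2_closed: bool = True

    def press(self):
        self.ch1_closed = self.ch2_closed = False

    def release(self):
        self.ch1_closed = self.ch2_closed = True


@dataclass
class Contactor:
    coil: bool = False           # energised by the relay's enable output
    welded: bool = False         # fault injection: main contact stuck closed

    @property
    def closed(self):
        return self.coil or self.welded


class SafetyRelay:
    """Trips as soon as any channel opens; manual reset, refused while the
    feedback loop shows a contactor closed with its coil de-energised."""

    def __init__(self, name, estops, contactors):
        self.name, self.estops, self.contactors = name, estops, contactors
        self.enabled, self.fault = False, ""

    def inputs_ok(self):
        return all(e.ch1_closed and e.ch2_closed for e in self.estops)

    def scan(self):
        if not self.inputs_ok():
            self.enabled = False
        for k in self.contactors:
            k.coil = self.enabled

    def reset(self):
        self.scan()
        if self.enabled:
            return True
        if not self.inputs_ok():
            return False
        if any(k.closed for k in self.contactors):    # coils are off here
            self.fault = f"{self.name}: feedback loop open, contactor welded?"
            return False
        self.enabled = True
        self.scan()
        return True


class Plant:
    def __init__(self):
        self.master_estop = EStop("main")
        self.sub_estops = [EStop(f"sub{i}") for i in range(1, 6)] + [EStop("mcc")]
        self.k1, self.k2, self.k3, self.k4 = (Contactor() for _ in range(4))
        self.master = SafetyRelay("master", [self.master_estop], [self.k1, self.k2])
        self.sub = SafetyRelay("sub", self.sub_estops, [self.k3, self.k4])
        self.bypass_short = False  # fault: supply shorted straight to the output-card wire

    def scan(self):
        self.master.scan()
        # Cascade: the sub relay is fed through K1/K2, so losing zone 1 always
        # drops zone 2, and each zone then needs its own reset (flavour 2).
        if not (self.k1.closed and self.k2.closed):
            self.sub.enabled = False
        self.sub.scan()

    def mains_live(self):
        self.scan()
        return self.k1.closed and self.k2.closed

    def outputs_live(self):
        """+24V reaching the switched output group of the S7-1500 modules."""
        mains = self.mains_live()              # scans the whole plant first
        via_contactors = self.k3.closed and self.k4.closed
        return mains and (via_contactors or self.bypass_short)

    def reset_master(self):        # key switch on the main panel
        return self.master.reset()

    def reset_sub(self):           # "output power on" pushbutton
        self.scan()
        if not (self.k1.closed and self.k2.closed):
            return False           # nothing happens until zone 1 is up
        return self.sub.reset()
```

Running through the scenarios by hand: a sub-cabinet E-Stop drops only the 24V group and needs the sub reset afterwards; the master E-Stop drops everything and needs both resets in order; one welded 24V contactor still lets the other one open the circuit and is then refused at the next reset by the feedback check; a wire short from the supply to the output-card feed leaves the outputs live with no fault reported, which is the single undetected fault Jeev describes.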
 
