Emergency Stop Circuit Scenario

I have a project that I'm doing the automation for and wanted to throw my scenario out there to see if anyone could offer some advice/suggestions:

The project involves multiple smart MCCs, meaning each motor's MCC bucket has a motor management controller. These controllers are all connected to my PLC via Modbus...so I have no hard-wired outputs for motor control. There are multiple e-stop stations throughout the plant that are wired back to my PLC panel(s); however, the customer did not account for a hard-wired e-stop circuit and expects me to use the PLC for an emergency stop. Even though in a recent call to my local MSHA office, I was told that they have no regulations for a full plant e-stop, just individual machine e-stops, it's my company's policy (and my personal policy) that we NEVER program in a PLC-controlled e-stop. There is way too much risk and liability involved in this.

First off, I know the PLC-controlled e-stop situation has been discussed multiple times before. Can anyone direct me to any legal literature or guidelines that explain the dangers behind this? My customer isn't buying the "it's my company's policy" thing, and I'm being pressured by my GM (who knows nothing about the automation side of our business) on why we have this policy in the first place. I would like to be able to give them all some official document backing my stance so they'll get off my back.

Secondly, does anyone have any suggestions on any possible way for me to do an approved e-stop circuit in this situation? The customer has pulled back the wires from every remote e-stop station to my PLC. I'm ignorant when it comes to safety controllers and safety relays. Can I wire the e-stops through a safety controller or relay and communicate that back to my PLC in some way? Is that permissible? Short of killing power to the PLC during an e-stop, I don't know what I can do on my end. I've told my customer that the e-stop circuit needs to be wired through each motor bucket and showed them on the MCC schematics where the manufacturer accounted for a customer-supplied e-stop, but they didn't like to hear that and would like another solution.

Any help would be greatly appreciated!
 
There is nothing wrong with modern network safety systems, AS LONG AS you are using an actual safety rated controller, that meets or exceeds the requirements from your safety assessment.
 
I agree with rdrast. There is nothing that explicitly prohibits PLCs in emergency stop systems. The current project I'm working on doesn't have a single hard-wired emergency stop in the entire facility. I'm fine with that because the system was designed around a modern safety controller.

You're going to have to return to the beginning to either prove to your client that you shouldn't use a PLC or to allay your fears regarding the use of a programmable controller for safety. To give you an idea, the current system I'm working on is nearly 100 times safer (based on PFD, probability of failure on demand) than a similar facility with hard-wired emergency stops built two decades ago.

What does the risk assessment say with regard to the required safety integrity (SIL or PL) needed to handle risk at the plant? What is the maximum claim limit of your equipment? Is your system designed to reach that maximum?

Modern safety system design is based on the mathematics of risk, not on simple rules of thumb about 'never use a PLC.'
 
A safety PLC is the same as a safety relay. Both will achieve the same SIL or PL rating.

You must use a safety PLC though. It's all we use in our new-build machines nowadays, not a safety relay in sight.

Everything is now under one roof, so to speak. It cuts down on wiring time and design time.

Get yourself on a Guardmaster course, you will be surprised at what they can do.
 
Assuming that the OP does not currently have a safety PLC in place, I'm guessing that it will be more cost effective to pull wiring to the MCC and stations and use a safety relay than to buy a secondary safety PLC, learn the programming, change the MCC controllers to safety comms, etc.
 
I agree, it does sound like that. He is right to say no to a standard PLC performing safety functions.

But moving forward, to have a company policy of no-PLC E-Stop, is a bit short sighted.
 
1) A number of posters have said safety in PLCs is fine, as long as it's a safety PLC. I agree.

You mentioned Modbus comms. I'm not aware of anyone that does safety over Modbus, but AB does safety over EtherNet/IP and Siemens does safety over PROFINET. Both have extra mechanisms built on top of the normal protocol (CIP Safety/PROFIsafe) to ensure the safety is met. At least on the Siemens end, this includes things like automatic watchdog timers so that if you lose communications the safety IO module automatically shuts itself down within a deterministic amount of time.

2) There are a number of safety standards to look at, but they aren't necessarily specific about what you have to do. In America, the only real requirement is that OSHA says you SHALL provide a safe workplace (paraphrased). NFPA 79 is the main safety standard referenced, but it is more about wiring standards than the process of designing a safe machine.

European standards like IEC/EN 62061 (SIL - Safety Integrity Levels) or ISO 13849 (PL - Performance Levels) exist to basically describe how to create a safe machine. There are also standards that discuss specific industries and applications, like robotic safety. You start with a Risk Assessment to figure out every way someone can get hurt on the machine (operators, maintenance, training, etc). Everything else flows from there.

Moral of the story is this: odds are if the main safety function in the system is an E-stop, you and your customer have a lot of reading to do if you want to try to follow the current standards.

But moving forward, to have a company policy of no-PLC E-Stop, is a bit short sighted.

Short sighted perhaps, but not necessarily bad. Especially with safety systems, you should never touch something you aren't knowledgeable about.

Should they get up to speed? Probably. But they shouldn't touch a system with a safety PLC until they do.
 
Something that *may* work for your situation is to put all of the ES in series on terminal blocks in your PLC cabinet since the wires are already pulled. You can then use these on a safety relay to give an "okay to run" input to the PLC. This would be cheap and effective.

If there are spare conductors or more may be pulled you can also give an input to the PLC to determine which safety it is.
 
Something that *may* work for your situation is to put all of the ES in series on terminal blocks in your PLC cabinet since the wires are already pulled. You can then use these on a safety relay to give an "okay to run" input to the PLC. This would be cheap and effective.

If there are spare conductors or more may be pulled you can also give an input to the PLC to determine which safety it is.

Cheap yes. Effective, no.

I think the problem is how to safely shut down the MCCs. Giving the PLC a "safety OK" bit is important so that the PLC doesn't get confused why the system isn't responding as expected. What it doesn't do is guarantee safe shutdown of remote MCC cabinets.
 
Even though in a recent call to my local MSHA office, I was told that they have no regulations for a full plant e-stop just individual machine e-stops, it's my company's policy (and my personal policy) that we NEVER program in a PLC-controlled e-stop.

Are you sure that you even need an e-stop? Just because a button in the field stops a motor, that does not make it an e-stop; it could (and usually is) just a stop button. What regulation(s) did they refer to?
 
Cheap yes. Effective, no.

I think the problem is how to safely shut down the MCCs. Giving the PLC a "safety OK" bit is important so that the PLC doesn't get confused why the system isn't responding as expected. What it doesn't do is guarantee safe shutdown of remote MCC cabinets.

Providing you run the hots to pull in the contactors through the safety relays, yes, this can provide a safe shut down of the MCCs. That being said, I'm unfamiliar with how smart MCCs operate.
 
Providing you run the hots to pull in the contactors through the safety relays, yes, this can provide a safe shut down of the MCCs. That being said, I'm unfamiliar with how smart MCCs operate.

Sparkie,

Yes, running the hots through the safety relay is fine. However, based on my read of the OP, the only connection they have from the MCC is Modbus. No way to do safety there:

The project involves multiple smart MCCs, meaning each motor's MCC bucket has a motor management controller. These controllers are all connected to my PLC via Modbus...so I have no hard-wired outputs for motor control.

I've seen smart MCCs that can do safety over profinet no problem. I assume they exist for EIP as well. I've never heard of anything like that over modbus, whether he means RTU or TCP.
 
Thank you for all the feedback. I enjoy reading everyone's thoughts on this, but no one really hit on the issue I was questioning until mk42. The smart MCCs are connected through a 2-wire Modbus serial network. All of my motor control from the processor is via Modbus. I don't have any physical outputs being used for motor run permissives. I was wanting to know if there was a safety-rated solution to perform an emergency stop over the Modbus network. I didn't know if I could somehow intertwine a safety controller in this network or if there was another solution that didn't require hard-wiring an e-stop circuit through each MCC bucket.

I know many of you think my company is behind the times because we refuse to allow any PLC-controlled e-stops. I'm not talking about killing power to my outputs. I am talking about relying on one PLC input for my e-stop circuit status and killing all motor control via my program over Modbus. There are too many what-ifs in this type of layout and any malfunction that caused serious injury or death would put all of the liability on my company (and probably me as well). Most of our projects are for various rock quarries and mines. There are large conveyors, crushers, surge bins, etc in close contact to the operators at these sites. These are high risk locations. Any injury that occurs is typically pretty serious, and my company is not about to stake someone's life over a PLC input.

I wanted to pick everyone's brains on if there are any safety-rated solutions that I could design for one of these projects based on the scenario presented, but it doesn't sound like there is.

Thanks for your help!
 
I wanted to pick everyone's brains on if there are any safety-rated solutions that I could design for one of these projects based on the scenario presented, but it doesn't sound like there is.

As an FYI, as far as I know any safety communication solution for this would have to be explicitly supported both in the PLC and in the MCC. It's possible that maybe the MCCs support multiple protocols, and maybe the manufacturer supports safety over one of the others?
 
There are several safety PLCs that support safety communications links.

Beckhoff has TwinSAFE that runs over EtherCAT.

AB, Siemens, etc. all have theirs. I have not heard of any safety-over-Modbus safety controllers though.

I am in no way an expert or even a novice on this subject, but I believe that the one thing that all "safety comms" have in common is that they are built on deterministic protocols.
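The two posts above describe what a safety communication layer adds on top of a plain fieldbus: a receiver that only stays in "okay to run" while valid, in-sequence frames keep arriving within a watchdog window, and that drops to the safe state on silence or corruption. The model below is an added illustration of that idea only; it is not CIP Safety or PROFIsafe, not any poster's or vendor's code, and every name and the 100 ms window are constructed for the example.

```python
# Added illustration, not from any poster or vendor and not CIP Safety or PROFIsafe:
# a receiver that keeps "okay to run" only while valid, in-sequence frames keep
# arriving within a watchdog window. All names and the 100 ms window are constructed.
import zlib
from dataclasses import dataclass

WATCHDOG_MS = 100  # constructed: silence longer than this forces the safe state

@dataclass
class SafetyFrame:
    seq: int      # running sequence number: catches lost or replayed frames
    enable: bool  # True = okay to run, False = e-stop asserted
    crc: int      # integrity check over seq and enable

def _crc(seq: int, enable: bool) -> int:
    return zlib.crc32(f"{seq}:{int(enable)}".encode())

def make_frame(seq: int, enable: bool) -> SafetyFrame:
    return SafetyFrame(seq, enable, _crc(seq, enable))

class SafeReceiver:
    def __init__(self) -> None:
        self.expected_seq = 0
        self.last_rx_ms = 0
        self.run_enable = False  # de-energised until proven good

    def on_frame(self, frame: SafetyFrame, now_ms: int) -> bool:
        if frame.crc != _crc(frame.seq, frame.enable) or frame.seq != self.expected_seq:
            self.run_enable = False  # corrupt or out of order: trip and stay tripped
            return self.run_enable
        self.expected_seq += 1
        self.last_rx_ms = now_ms
        self.run_enable = frame.enable
        return self.run_enable

    def tick(self, now_ms: int) -> bool:
        # Driven by the receiver's own clock, so lost comms cannot leave it running.
        # A plain register-poll device, by contrast, just holds the last value written.
        if now_ms - self.last_rx_ms > WATCHDOG_MS:
            self.run_enable = False
        return self.run_enable

def scenario_lost_comms() -> tuple:
    rx = SafeReceiver()
    rx.on_frame(make_frame(0, True), 0)
    rx.on_frame(make_frame(1, True), 50)
    # 50 ms of silence is within the window; 150 ms is not.
    return rx.tick(100), rx.tick(200)
```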
 
