Micrologix with Safe Output

I currently have a Micrologix system but feel I need to prevent one output from failing and turning ON a motor starter. The system has an E-Stop Safety Relay on it but feel it would be too late to prevent an injury. I know there are safety PLCs out there and even programmed the AB SmartGuard 600. What can I do with the existing Micrologix?



What do you guys feel about something like the attached... It shows the Micro Output wired in series with a Force guided relay that is controled by a start button and is latched in.

Could make it two start buttons... What about driving some kind of Safety Relay? Two Micro Outputs driving a two channel Safety Relay...

How about an additional contactor driven from an output, in series with the motor. Monitor the auxiliary contact (if you can)on an input. Do the same with the motor starter if possible, then you will know if the starter is latched in permanently by a failed output (assuming it fails closed). The second contactor will still isolate the drive, assuming its output does not fail as well. (which is unlikely)

If it is that essential, then I would have two outputs to two relays and both need to be on to drive the motor. Signals fed back into the PLC to monitor the state.

Or use of safety relays that check the n/c contacts of the above.

Depends on the level of safety that the risk assesment determines is required.

mjohnsonc said:

The system has an E-Stop Safety Relay on it but feel it would be too late to prevent an injury. I know there are safety PLCs out there and even programmed the AB SmartGuard 600. What can I do with the existing Micrologix?...

Click to expand...

Umm ... If the design of the safety system does not prevent injury then the safety system is the problem. The simple answer is you could connect all the outputs of your mirologix together and still not achieve Cat#1 level of safety.
A safety system must be separate & independant from the control system & when required the safey system overrides any commands from the control system, isolating energy from the machine & protecting the user.
Probably need to know more information about your application before I can offer a possible solution - could you elaborate on what this motor does??

I'do do risk assessment first to define required safety category (SIL). From there you will see what hardware and in which way you'll need...

_Woody_ said:

Umm ... If the design of the safety system does not prevent injury then the safety system is the problem. The simple answer is you could connect all the outputs of your mirologix together and still not achieve Cat#1 level of safety.
A safety system must be separate & independant from the control system & when required the safey system overrides any commands from the control system, isolating energy from the machine & protecting the user.
Probably need to know more information about your application before I can offer a possible solution - could you elaborate on what this motor does??

Click to expand...

A safety system must be separate & independant from the control system
QUESTION
I am mystified by this statement. How can it be independent? For example a light curtain on a press (brake, punch etc). When operator hits GO and curtain is blocked then it will not let machine actuate.

& when required the safey system overrides any commands from the control system, isolating energy from the machine & protecting the user.
QUESTION
Again using the light curtain on the press - if it does not let the control circuit get completed to allow the clutch relay to activate then is this not "overriding"

Obviously I have a lot to learn with these new safety systems.
I may be stuck in the old school of redundant contacts relays etc. Yet again I remember an equipment engineer who selected an AB PLC to control a brake press which was equipped with a light curtain.
Dan Bentler

leitmotif said:

A safety system must be separate & independant from the control system
QUESTION
I am mystified by this statement. How can it be independent? For example a light curtain on a press (brake, punch etc). When operator hits GO and curtain is blocked then it will not let machine actuate.

& when required the safey system overrides any commands from the control system, isolating energy from the machine & protecting the user.
QUESTION
Again using the light curtain on the press - if it does not let the control circuit get completed to allow the clutch relay to activate then is this not "overriding"

Obviously I have a lot to learn with these new safety systems.
I may be stuck in the old school of redundant contacts relays etc. Yet again I remember an equipment engineer who selected an AB PLC to control a brake press which was equipped with a light curtain.
Dan Bentler

Click to expand...

The safety system when designed is generally independant from the control system. For example when protecting a simple machine say a pnuematic punch. The sheet metal is feed by electric motors.
If we build a cage around the punch with a door and our sensing device is a tongue switch on this door, once the operator opens the door we must isolate all energy (air & electric) from the machine.
For the machine control system we might have a PLC which has an output to a VSD (run / stop) and also an output to an electric coil for the air valve.
For the safety system (if doing cat #3 or #4) out tongue switch is double pole (N/C) to our separate safety controller (monitored relay) the outputs of our safety controller are TWO force guided safety relays or contactors to isolate the electric energy from the VSD and a dual monitored pnuematic valve to isolate and dump the air. Both contactors and the airvalave have feedback to the safety controller so their operation can be monitored. THUS the safety system is independant and overrides the control system. Nice to have option - an output from the safety system to the control syste to say it has been tripped.

"Press brake" is a large all encompasing term often misused for many machines - for example, recently I was involved in some remedial safety work on a "C" frame press. This type of press involves an electric driven flywheel and simple blocking pin for clutch operation. Without going into pages of detail, when this type of press has a stroke initiated there is no way to stop the motion of the press until it returns to top dead centre position. Someone thought it was OK to fit a light curtain and everyone went on happily thinking all was safe (lucky no one was injured if you ask me) we fitted a cage and a solenoid locking safety switch to the press tool along with a safety limit to detect the blocking pin was in place before unlocking the cage. Also a motion detection safety relay to monitor the flywheel had stopped.
Moral: A poorly designed safety system is more dangerous than no safety system at all - the machine operators get more relaxed because they think the machine is safer to operate.

If it's a relay output break the 24v (or whatever) going to the front side of the relay with the E-Stop, that way the output would not have any power leaving the PLC even if it were "stuck" on.

Still would not be 100% but pretty safe

Clint

From that drawing, you will only prevent a motor start, without the start button is pushed. It won't do anything, if the output welds, in shutting off the motor once it is running (which would be the more likely failure, than an output turning on randomly) If this is what you want, you could just use another contact on the start button, and skip the CR. I would normally use a master control relay, to shut off all power to outputs that need to remain off. As others said, however, depending on the safety requirements of the machine, you may need a separate system, to monitor safety.

-brian

Brijm said:

.... if the output welds, in shutting off the motor once it is running (which would be the more likely failure, than an output turning on randomly)

Click to expand...

AND... make sure that its a real output not a triac, triac fail closed a lot (from what I have heard) a relay fails open most of the time

Just something else to think about

geniusintraining said:

AND... make sure that its a real output not a triac, triac fail closed a lot (from what I have heard) a relay fails open most of the time

Just something else to think about

Click to expand...

Hmmm... That seems to be the opposite of my experience... relay contacts seem to normally weld shut, where as triacs simply quit working. Triacs will however appear to always be on, if you lose a neutral, or whatever you are turning on opens. Downside of triacs are their current capability, and some tricky troubleshooting, until you get use to them... Upside, is higher duty cycle, and speed.


By far the majority of outputs, that I have had to move or replace, are contacts, and all most all of those have been welded closed. I guess it all depends on what you are driving though, if the triac fails open or fails shorted.

-brian

All of the triac failures i have seen (maybe 20 output points total in 12 years), only one was "stuck on".

I have seen hundreds of relay contact failures, and only two times have I seen them weld shut on a power contactor, but have had many failures in either state of small control relays.

On the OP subject: I think this has already been proposed, but we typically use a control reliable safety circuit to remove power from the PLC relay contact or group of contacts, or use a control reliable contact in series with the output so that the PLC can only energize the final control elements with the safety circuit closed.

The final control element can still weld closed, so rather than only interrupting the control power to its coil, let your safety circuit also intrerupt the three phase (assuming 3phase motor starter) via a second contactor wired upstream of the one already in use.

Depending on the requirements of the machine, you may need two safety rated power contactors for redundancy in case one of them were to weld shut.

OkiePC said:

The final control element can still weld closed, so rather than only interrupting the control power to its coil, let your safety circuit also interrupt the three phase (assuming 3phase motor starter) via a second contactor wired upstream of the one already in use.

Click to expand...

My 2 cents on this...



My ideal approach in most control systems (where applicable) is to place a MCR contactor (Master Control Relay) that is over sized for the worst case ampere fault load and enabled only through the appropriate interlocks (i.e. – E-Stop(s), limit switch(es), or appropriate hard contact device).



A MCR installed to disable all output motion (motors, valves, actuators, etc.) while maintaining input control to the PLC or logic controls will provide a high level a protection to person and equipment.



As the MCR is not switching the system load on normal start-up, but will interrupt the power to the motion device on a fault condition (operator E-Stop activation, over travel, safety cover opening, etc.) there by is very less susceptible to contact weld (provided that the operators DO NOT use the E-stop as a system stop for a system that is not designed correctly).

End of 2 cents..........

I currently have a Micrologix system but feel I need to prevent one output from failing and turning ON a motor starter. The system has an E-Stop Safety Relay on it but feel it would be too late to prevent an injury.

Click to expand...

My original post mentioned a Safety relay but thought I should show it in a drawing. See Picture below. I added diodes across the coils to reduce contact welding, the 480 Cutoff contactor is sized high to always insure it will not weld. Not shown are feedback from each relay going into the Micrologix and the diagnostics in the program that will prevent a start if the relays are NOT working properly. The Safety relay has it's feedback from the critical devices so it will not be allowed to reset if a failure exists there.

I have seen about 3 times in 23 years where a PLC would turn on outputs due to overheating of the prcessor. AC units would shut down. We now make sure the temp never gets that hot with a thermostat. PLC2's and a Westinghouse PC900 would have outputs in the Image Table set to ON (1) while the program logic was setting the ouput to OFF (0). This went away after the temperature had gone down. Back then we did not have Safety PLCs or Safety relays. The micrologix is still a single point failure and pressing E-Stop might be too late for un-intended movement of the mechanical device.

Safety Relays and Safety PLCs have two channels that are sometimes diverse, so I thought adding a simple relay and controlling it off the start button would be like another diverse channel.

So now everyone asks, why not use a Safety PLC in this situation? I am really only concerned about this one output turning ON. The rest are lamps. Does this circuit comply with the standards? I believe it does! It has two diverse Channels. It has diagnostics in the PLC and the Safety Relay.

I hope I clarified my original post. What are your thoughts!

Maybe OT, but was a comprehensive HRA (Hazard Risk Assessment) study performed for this system?


A Safety PLC or Safety Relay may not provide the essential protection as you stated, “Pressing E-Stop might be too late for un-intended movement of the mechanical device”

Installation of components that you mentioned (over sizing apparatus and redundancy) will achieve a high MBTF factor (Mean Time Between Failure) in the system components / performance and greatly improve the safety of a control system.


Some additional mechanical component or system maybe required to isolate the stored / kinetic energy of the system / process to inhibit the motion of the process; i.e. motor brake(s), automatic pneumatic shut off, automatic lock bars, appropriate installed safety guards interlocked to the aforementioned devices, etc.


On side note that I feel we all can support, no well designed / engineered system will truly eliminate all potential hazards and must be supplemented though the proper training of the operators and enforcement of a proper safety program from the business that the system is installed in, to prevent an accident from occurring.


An Old School Engineer once told me, which echo’s in my mind always, “You can system fool-proof, you can even make it idiot-proof, but you can’t make it G*d Dam idiot-proof”.

From what I read, I sense that you have strived to address the issues for proper system safety and suggest further study maybe needed.