Old March 18th, 2017, 10:39 PM   #1
lonegator
Member
United States
Join Date: May 2008
Location: Missouri
Posts: 14
Emergency Stop Circuit Scenario

I have a project that I'm doing the automation for and wanted to throw my scenario out there to see if anyone could offer some advice/suggestions:

The project involves multiple smart MCCs, meaning each motor's MCC bucket has a motor management controller. These controllers are all connected to my PLC via Modbus...so I have no hard-wired outputs for motor control. There are multiple e-stop stations throughout the plant, that are wired back to my PLC panel(s), however, the customer did not account for a hard-wired e-stop circuit and expects me to use the PLC for an emergency stop. Even though in a recent call to my local MSHA office, I was told that they have no regulations for a full plant e-stop just individual machine e-stops, it's my company's policy (and my personal policy) that we NEVER program in a PLC-controlled e-stop. There is way too much risk and liability involved in this.

First off, I know the PLC-controlled e-stop situation has been discussed multiple times before. Can anyone direct me to any legal literature or guidelines that explain the dangers behind this? My customer isn't buying the "it's my company's policy" thing, and I'm being pressured by my GM (who knows nothing about the automation side of our business) on why we have this policy in the first place. I would like to be able to give them all some official document backing my stance so they'll get off my back.

Secondly, does anyone have any suggestions on any possible way for me to do an approved e-stop circuit in this situation? The customer has pulled back the wires from every remote e-stop station to my PLC. I'm ignorant when it comes to safety controllers and safety relays. Can I wire the e-stops through a safety controller or relay and communicate that back to my PLC in some way? Is that permissible? Short of killing power to the PLC during an e-stop, I don't know what I can do on my end. I've told my customer that the e-stop circuit needs to be wired through each motor bucket and showed them on the MCC schematics where the manufacturer accounted for a customer-supplied e-stop, but they didn't like to hear that and would like another solution.

Any help would be greatly appreciated!
Old March 19th, 2017, 05:47 AM   #2
rdrast
Lifetime Supporting Member
United States
Join Date: Apr 2003
Location: South Carolina Lowcountry
Posts: 5,033
There is nothing wrong with modern network safety systems, AS LONG AS you are using an actual safety rated controller, that meets or exceeds the requirements from your safety assessment.
Old March 19th, 2017, 11:52 AM   #3
Timbert
Member
United States
Join Date: May 2011
Location: The middle of the Pacific Ocean
Posts: 339
I agree with rdrast. There is nothing that explicitly prohibits PLCs in emergency stop systems. The current project I'm working on doesn't have a single hard-wired emergency stop in the entire facility. I'm fine with that because the system was designed around a modern safety controller.

You're going to have to return to the beginning to either prove to your client that you shouldn't use a PLC or to allay your fears regarding the use of a programmable controller for safety. To give you an idea, the current system I'm working on is nearly 100 times safer (based on PFD, probability of failure on demand) than a similar facility with hard-wired emergency stops built two decades ago.

What does the risk assessment say with regard to the required safety integrity (SIL or PL) needed to handle risk at the plant? What is the maximum claim limit of your equipment? Is your system designed to reach that maximum?

Modern safety system design is based on the mathematics of risk, not on simple rules of thumb like 'never use a PLC.'
Old March 19th, 2017, 02:22 PM   #4
janner_10
Member
United Kingdom
Join Date: Dec 2014
Location: Tewkesbury
Posts: 288
A safety PLC is the same as a safety relay. Both will achieve the same SIL or PL rating.

You must use a safety PLC though. It's all we use in our new-build machines nowadays, not a safety relay in sight.

Everything is now under one roof, so to speak. It cuts down on wiring time and design time.

Get yourself on a Guardmaster course; you will be surprised at what they can do.
Old March 19th, 2017, 03:45 PM   #5
g.mccormick
Member
United States
Join Date: Jul 2012
Location: IN
Posts: 383
Assuming that the OP does not currently have a safety PLC in place, I'm guessing that it will be more cost effective to pull wiring to the MCC and stations and use a safety relay than to buy a secondary safety PLC, learn the programming, change the MCC controllers to safety ones, etc.
Old March 19th, 2017, 04:17 PM   #6
janner_10
Member
United Kingdom
Join Date: Dec 2014
Location: Tewkesbury
Posts: 288
I agree, it does sound like that. He is right to say no to a standard PLC performing safety functions.

But moving forward, to have a company policy of no-PLC E-Stop, is a bit short sighted.
Old March 19th, 2017, 10:31 PM   #7
mk42
Member
United States
Join Date: Jun 2013
Location: MI
Posts: 1,427
1) A number of posters have said safety in PLCs is fine, as long as it's a safety PLC. I agree.

You mentioned Modbus comms. I'm not aware of anyone that does safety over Modbus, but AB does safety over EtherNet/IP and Siemens does safety over PROFINET. Both have extra mechanisms built on top of the normal protocol (CIP Safety/PROFIsafe) to ensure the safety is met. At least on the Siemens end, this includes things like automatic watchdog timers so that if you lose communications the safety I/O module automatically shuts itself down within a deterministic amount of time.

2) There are a number of safety standards to look at, but they aren't necessarily specific about what you have to do. In America, the only real requirement is that OSHA says you SHALL provide a safe workplace (paraphrased). NFPA 79 is the main safety standard referenced, but it is more about wiring standards than the process of designing a safe machine.

European standards like IEC/EN 62061 (SIL - Safety Integrity Levels) or ISO 13849 (PL - Performance Levels) exist to basically describe how to create a safe machine. There are also standards that discuss specific industries and applications, like robotic safety. You start with a Risk Assessment to figure out every way someone can get hurt on the machine (operators, maintenance, training, etc). Everything else flows from there.

Moral of the story is this: odds are if the main safety function in the system is an E-stop, you and your customer have a lot of reading to do if you want to try to follow the current standards.

Quote:
Originally Posted by janner_10
But moving forward, to have a company policy of no-PLC E-Stop, is a bit short sighted.
Short sighted perhaps, but not necessarily bad. Especially with safety systems, you should never touch something you aren't knowledgeable about.

Should they get up to speed? Probably. But they shouldn't touch a system with a safety PLC until they do.
Old March 20th, 2017, 01:11 AM   #8
sparkie
Supporting Member
United States
Join Date: Nov 2014
Location: KS
Posts: 579
Something that *may* work for your situation is to put all of the ES in series on terminal blocks in your PLC cabinet since the wires are already pulled. You can then use these on a safety relay to give an "okay to run" input to the PLC. This would be cheap and effective.

If there are spare conductors or more may be pulled you can also give an input to the PLC to determine which safety it is.
Old March 20th, 2017, 07:24 AM   #9
mk42
Member
United States
Join Date: Jun 2013
Location: MI
Posts: 1,427
Quote:
Originally Posted by sparkie
Something that *may* work for your situation is to put all of the ES in series on terminal blocks in your PLC cabinet since the wires are already pulled. You can then use these on a safety relay to give an "okay to run" input to the PLC. This would be cheap and effective.

If there are spare conductors or more may be pulled you can also give an input to the PLC to determine which safety it is.
Cheap yes. Effective, no.

I think the problem is how to safely shut down the MCCs. Giving the PLC a "safety OK" bit is important so that the PLC doesn't get confused about why the system isn't responding as expected. What it doesn't do is guarantee safe shutdown of remote MCC cabinets.
Old March 20th, 2017, 07:45 AM   #10
proof
Member
United States
Join Date: Jan 2014
Location: Illinois
Posts: 116
Quote:
Originally Posted by lonegator
Even though in a recent call to my local MSHA office, I was told that they have no regulations for a full plant e-stop just individual machine e-stops, it's my company's policy (and my personal policy) that we NEVER program in a PLC-controlled e-stop.
Are you sure that you even need an e-stop? Just because a button in the field stops a motor, that does not make it an e-stop; it could be (and usually is) just a stop button. What regulation(s) did they refer to?
Old March 20th, 2017, 11:32 AM   #11
sparkie
Supporting Member
United States
Join Date: Nov 2014
Location: KS
Posts: 579
Quote:
Originally Posted by mk42
Cheap yes. Effective, no.

I think the problem is how to safely shut down the MCCs. Giving the PLC a "safety OK" bit is important so that the PLC doesn't get confused about why the system isn't responding as expected. What it doesn't do is guarantee safe shutdown of remote MCC cabinets.
Providing you run the hots to pull in the contactors through the safety relays, yes, this can provide a safe shut down of the MCCs. That being said, I'm unfamiliar with how smart MCCs operate.
Old March 20th, 2017, 01:57 PM   #12
mk42
Member
United States
Join Date: Jun 2013
Location: MI
Posts: 1,427
Quote:
Originally Posted by sparkie
Providing you run the hots to pull in the contactors through the safety relays, yes, this can provide a safe shut down of the MCCs. That being said, I'm unfamiliar with how smart MCCs operate.
Sparkie,

Yes, running the hots through the safety relay is fine. However, based on my read of the OP, the only connection they have from the MCC is Modbus. No way to do safety there:

Quote:
Originally Posted by lonegator
The project involves multiple smart MCCs, meaning each motor's MCC bucket has a motor management controller. These controllers are all connected to my PLC via Modbus...so I have no hard-wired outputs for motor control.
I've seen smart MCCs that can do safety over profinet no problem. I assume they exist for EIP as well. I've never heard of anything like that over modbus, whether he means RTU or TCP.
Old March 20th, 2017, 02:58 PM   #13
lonegator
Member
United States
Join Date: May 2008
Location: Missouri
Posts: 14
Thank you for all the feedback. I enjoy reading everyone's thoughts on this, but no one really hit on the issue I was questioning until mk42. The smart MCCs are connected through a 2-wire Modbus serial network. All of my motor control from the processor is via Modbus. I don't have any physical outputs being used for motor run permissives. I was wanting to know if there was a safety-rated solution to perform an emergency stop over the Modbus network. I didn't know if I could somehow intertwine a safety controller in this network or if there was another solution that didn't require hard-wiring an e-stop circuit through each MCC bucket.

I know many of you think my company is behind the times because we refuse to allow any PLC-controlled e-stops. I'm not talking about killing power to my outputs. I am talking about relying on one PLC input for my e-stop circuit status and killing all motor control via my program over Modbus. There are too many what-ifs in this type of layout and any malfunction that caused serious injury or death would put all of the liability on my company (and probably me as well). Most of our projects are for various rock quarries and mines. There are large conveyors, crushers, surge bins, etc in close contact to the operators at these sites. These are high risk locations. Any injury that occurs is typically pretty serious, and my company is not about to stake someone's life over a PLC input.

I wanted to pick everyone's brains on if there are any safety-rated solutions that I could design for one of these projects based on the scenario presented, but it doesn't sound like there is.

Thanks for your help!
Old March 20th, 2017, 03:10 PM   #14
mk42
Member
United States
Join Date: Jun 2013
Location: MI
Posts: 1,427
Quote:
Originally Posted by lonegator
I wanted to pick everyone's brains on if there are any safety-rated solutions that I could design for one of these projects based on the scenario presented, but it doesn't sound like there is.
As an FYI, as far as I know any safety communication solution for this would have to be explicitly supported both in the PLC and in the MCC. It's possible that maybe the MCCs support multiple protocols, and maybe the manufacturer supports safety over one of the others?
Old March 20th, 2017, 09:24 PM   #15
g.mccormick
Member
United States
Join Date: Jul 2012
Location: IN
Posts: 383
There are several safety PLCs that support safety communications links.

Beckhoff has TwinSAFE that runs over EtherCAT.

AB, Siemens, etc. all have theirs. I have not heard of any safety-over-Modbus safety controllers though.

I am in no way an expert or even a novice on this subject, but I believe that the one thing that all "safety comms" have in common is that they are built on deterministic protocols.
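The watchdog behaviour mk42 describes for safety I/O modules (post #7) and g.mccormick's point above that safety comms are layered on deterministic protocols both come down to the same thing: the receiving end refuses to run unless fresh, verified data keeps arriving, and a plain Modbus register write gives it nothing to verify. The following is an added example written for this page, not code from the thread or from any vendor's safety stack. It models a bucket driven by a plain holding register beside a simplified safety-style telegram carrying a sequence counter, a CRC and a watchdog time. Class names, telegram layout and timings are assumptions for the illustration; real PROFIsafe or CIP Safety frames carry more than this (connection IDs, timestamps, redundant checks) and are certified, which this model is not.

```python
# Added illustration, not code from the thread or from any vendor's safety
# stack.  Two ways a PLC could command a smart-MCC bucket over a link, to show
# what a safety-rated channel adds on top of a plain register write: a sequence
# counter, a CRC over the payload, and a watchdog that drops the receiver to
# its safe state when fresh valid data stops.  All names, layouts and timings
# here are assumptions; this is a simplification, not PROFIsafe or CIP Safety.
import zlib
from dataclasses import dataclass

RUN, STOP = 1, 0


class PlainModbusBucket:
    """Bucket driven by one Modbus holding register: it keeps whatever was last
    written, so a dead link or a stalled PLC leaves the motor as it was."""

    def __init__(self):
        self.register = STOP

    def write_register(self, value):
        self.register = value

    def motor_running(self, now_ms):
        return self.register == RUN


@dataclass(frozen=True)
class SafetyTelegram:
    command: int  # RUN or STOP
    seq: int      # consecutive counter: catches lost, replayed and stuck telegrams
    crc: int      # CRC-32 over (command, seq): catches corruption in transit


def _payload(command, seq):
    return bytes([command]) + seq.to_bytes(4, "big")


def build_telegram(command, seq):
    return SafetyTelegram(command, seq, zlib.crc32(_payload(command, seq)))


class SafetyBucket:
    """Receiver side of a safety-style channel: powers up tripped, runs only while
    CRC-valid, correctly numbered RUN telegrams keep arriving inside the watchdog
    time, and latches any trip until an explicit reset."""

    def __init__(self, watchdog_ms):
        self.watchdog_ms, self.expected_seq, self.last_ok_ms = watchdog_ms, 0, 0
        self.tripped, self.reason = True, "initial"

    def reset(self, now_ms):  # deliberate reset, the only way out of a trip
        self.tripped, self.reason, self.last_ok_ms = False, None, now_ms

    def _trip(self, why):
        self.tripped, self.reason = True, why

    def receive(self, t, now_ms):
        if t.crc != zlib.crc32(_payload(t.command, t.seq)):
            return self._trip("crc")
        if t.seq != self.expected_seq:
            return self._trip("sequence")
        self.expected_seq += 1
        if t.command != RUN:
            return self._trip("stop commanded")
        self.last_ok_ms = now_ms  # only a fresh, valid RUN feeds the watchdog

    def motor_running(self, now_ms):
        if not self.tripped and now_ms - self.last_ok_ms > self.watchdog_ms:
            self._trip("watchdog")
        return not self.tripped


def link_loss_scenario(cycle_ms=50, watchdog_ms=200, loss_at_ms=500, check_at_ms=2000):
    """Both buckets get RUN every cycle until the link dies at loss_at_ms.
    Returns (plain running, safety running, safety trip reason) at check_at_ms."""
    plain, safe = PlainModbusBucket(), SafetyBucket(watchdog_ms)
    safe.reset(0)
    for seq, now in enumerate(range(0, loss_at_ms, cycle_ms)):
        plain.write_register(RUN)
        safe.receive(build_telegram(RUN, seq), now)
    return plain.motor_running(check_at_ms), safe.motor_running(check_at_ms), safe.reason


def fault_scenario(fault):
    """After one good RUN telegram, inject one fault; returns (running, reason).
    'corrupt': PLC sent STOP, a bit flip in transit made it RUN (CRC is stale).
    'replay' : a stuck sender repeats the first telegram instead of the next one.
    'estop'  : STOP arrives, then the program sends RUN again; the trip is latched.
    Anything else: no fault, the bucket keeps running inside the watchdog time."""
    safe = SafetyBucket(200)
    safe.reset(0)
    first = build_telegram(RUN, 0)
    safe.receive(first, 0)
    if fault == "corrupt":
        safe.receive(SafetyTelegram(RUN, 1, build_telegram(STOP, 1).crc), 50)
    elif fault == "replay":
        safe.receive(first, 50)
    elif fault == "estop":
        safe.receive(build_telegram(STOP, 1), 50)
        safe.receive(build_telegram(RUN, 2), 100)
    return safe.motor_running(100), safe.reason
```

Calling link_loss_scenario() with the defaults shows the difference: with the link dead from 500 ms, the plain register bucket is still running at 2000 ms, while the safety bucket has tripped on its watchdog. fault_scenario() covers the other ways a link can lie (a corrupted telegram, a stale or replayed one), and shows that a STOP latches rather than being cleared by the next RUN from the program, which is what an e-stop function needs from its receiver.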