Need some safety advice please

ceilingwalker

Lifetime Supporting Member
ceilingwalker
Join Date
Mar 2010
Location
Phoenix, AZ
Posts
1,586
Hello. Throughout the years, getting support on this forum, I have always been taught that safety systems such as a process furnace overtemp circuit should be wired outside of PLC control, just in case power is lost, the heating elements would shut down, for example.

I was told in a meeting that it is acceptable now to run these safety systems through a PLC. It is for the circumstance I mentioned above, the overtemp condition, and I want a separate stand-alone controller that will kill power to the heating elements and shut Hydrogen and HF process gas flow. We had a situation many years ago in which case a PLC-5 was controlling a CVD system. It was using a Remote I/O module for mass flow controllers, scrubbers, etc.... . The PLC just died, in the middle of a run, with HF and Hydrogen flowing. It launched our Scrubber like the space shuttle.

I just wanted to get opinions here please, to see if what I am being told is true or false. Have PLC's come a long way to where we can trust it keep human and machine safe, in this overtemp scenario? If my question needs more information, let me know and I will respond. Thank you
 
Last edited:
It depends entirely on the required PL or SIL you need (that comes from risk assesment). Basically, using standard plc wont get you anything you could actually call safety...

ps. That article was very bad. IMHO.

(i reserve right to assume ISO 13849 or IEC 61508 is required, i have no experience with IEC 61511)
 
Last edited:
ceilingwalker,

The very incident you mentioned should alert you to use caution IMHO.
As far as I know, if the plc dies and you have remote I/o, the I/O maintains their last state as if the plc is still running. I could be wrong.
Since you mentioned Hydrogen and HF, extra safety measures need to be taken in the way of redundant backups.

These are my thoughts.

We have temperature controllers as well as gas monitors everywhere.

james.
 
James Mcquade said:
ceilingwalker,

The very incident you mentioned should alert you to use caution IMHO.
As far as I know, if the plc dies and you have remote I/o, the I/O maintains their last state as if the plc is still running. I could be wrong.
Since you mentioned Hydrogen and HF, extra safety measures need to be taken in the way of redundant backups.

These are my thoughts.

We have temperature controllers as well as gas monitors everywhere.

james.
Click to expand...

Yes sir, we do as well. I was using an incident that occurred several years ago, at another company. From that moment on I let the PLC run things but when safety was critical, I had the stand-alone to shut things down, if something like the overtemp example I gave, occurred.
 
If I may just say;

In any case, where an operating control failure of any temperature controller or PLC would result in personal injury and/or loss
of property, it is the responsibility of the installer to add seperate devices (safety, limit controls) that protect against, or
systems (alarm, supervisory systems) that warn of, control failure.


In such systems, in addition to the primary temperature control, a second, seperate, high temperature limit control having seperate
temperature sensing means, must always be provided. It is acceptable to use auxillary contacts of a seperate high limit controller
for indication to the PLC, however it is absolutely not acceptable to "run these safety systems through a PLC". Connecting any
functional part of the high limit control "through the PLC", will eliminate any redundant safety provided by it, and can completely
eliminate the entire purpose of the limit control in the event of primary control failure, which may result in personal injury and/or
loss of property.
 
James Mcquade said:
ceilingwalker,

The very incident you mentioned should alert you to use caution IMHO.
As far as I know, if the plc dies and you have remote I/o, the I/O maintains their last state as if the plc is still running. I could be wrong.
Since you mentioned Hydrogen and HF, extra safety measures need to be taken in the way of redundant backups.

These are my thoughts.

We have temperature controllers as well as gas monitors everywhere.

james.
Click to expand...

Depends on the brand and type, I believe on some PLC's you can pre-determine the output state during loss of power and loss of communication to the PLC.

Whether this is restricted to safety PLCs and type of safety PLC's I'm unsure.
 
I would always have 'safety' outside of the PLC. You can never be held accountable for having too much safety.
Remeber you can have a safety PLC nowadays so maybe the person was discussing that

As others have said a risk assesment would detail the risks and the methods to minimise those risks
 
PeterW said:
Depends on the brand and type, I believe on some PLC's you can pre-determine the output state during loss of power and loss of communication to the PLC.

Whether this is restricted to safety PLCs and type of safety PLC's I'm unsure.
Click to expand...

Yes Sir, I understand this. It is a question I always ask myself when I program is, "how do I want this to recover from a power outage". I don't remember all the specifics of our scrubber/space shuttle but I do remember that over temp alarm announced, turning off the furnace' heating elements. However, the dead man valves for the Hydrogen into the reactor was still open, allowing Hydrogen to build up in the reactor. We believe a spark came from the pump motor near the scrubber and that's what launched it. It was controlled by a PLC-5.
 
cjd1965 said:
I would always have 'safety' outside of the PLC. You can never be held accountable for having too much safety.
Remeber you can have a safety PLC nowadays so maybe the person was discussing that

As others have said a risk assesment would detail the risks and the methods to minimise those risks
Click to expand...

I am with you on this. Ashamedly I haven't kept myself up-to-date on the latest and greatest so I had to bite my tongue so I didn't give inaccurate information. I did tell them that I remember it almost killing a man so I won't put my name on any of this unless this additional safety is in place. I don't care how advanced PLC's may be, common sense still seems to say, plan for worst case and I don't feel comfortable relying solely on the PLC. Thanks for your input.
 
JRB said:
In such systems, in addition to the primary temperature control, a second, seperate, high temperature limit control having seperate
temperature sensing means, must always be provided. It is acceptable to use auxillary contacts of a seperate high limit controller
for indication to the PLC, however it is absolutely not acceptable to "run these safety systems through a PLC". Connecting any
functional part of the high limit control "through the PLC", will eliminate any redundant safety provided by it, and can completely
eliminate the entire purpose of the limit control in the event of primary control failure, which may result in personal injury and/or
loss of property.
Click to expand...

Thanks JRB (y)
 
PeterW said:
Depends on the brand and type, I believe on some PLC's you can pre-determine the output state during loss of power and loss of communication to the PLC.

Whether this is restricted to safety PLCs and type of safety PLC's I'm unsure.
Click to expand...

This is exactly how it worked with the safety PLCs and IO I've worked with in the past (Siemens). Every output is assigned a default safe state, in the event that it detects an error, such as a loss of communications. For digital outputs, it is a simple on or off, but for drives, there are many more advanced options, like a safe limited speed.
 
@JRB:
You do realize that there are now fully safety certified PLC's and IO, right? We aren't talking about using just the regular processor and IO for safety systems, but when an actual Safety PLC is installed, that is a different story.

Distributed, networked safety systems have been around for quite a while, and the current PLC Integrated ones are just as reliable.
 
We used both

We would use a high limit in the PLC to control outputs and alarms, but we also used what we called high-high limits that would shut down load or system and require a reset on the device so you had to check the fault out.
 

Similar Topics

M
Need help with safety relay
Hi, Guys: we have safety relay 440R-G23216 with reset function, in our application we jumped Y1 and Y2, the reset button one wire connects to S33...
Replies
9
Views
3,274
kamenges
K
J
I need Help to find the right safety items in the code USA
I am having a bit of trouble with mechanical engineers and safety. They are doing things like saying "a light curtain is being used as a "go...
Replies
14
Views
5,336
Pete.S.
P
D
I need help to make a Working Schedule for Make-up Air unit
I'm fairly new to Rockwell software, I've had some basic training in the past but nothing too advanced. My company and I use Reliable products for...
Replies
8
Views
81
Duchx2
D
C
Need Help Accessing/Printing a Program - CIMPLICITY
Hi all, I am having issues accessing my Cimplicity software - the site code changed after re-install and I am no longer able to attain a new key...
Replies
10
Views
131
Steve Bailey
Steve Bailey
E
Need help updating E700 firmware from 2.x to 6.x. Have E700v610.bin file.
Good day all! Can someone help me with the procedure to update Beijers E700 firmware? The Panel I am working on is firmware 2.04v and I would...
Replies
1
Views
53
parky
P
Back
Top Bottom