Safety rules, TwinCat 3

Hi,

I have TwinCat 3 project where I control 9 conveyers by inverters connected by EtherCat and multiple air valves by EtherCat. Everything is controlled from touchscreen.

I question is: how should looks like a safety project for it? Should safety PLC send a command for PLC to undertake safety procedures or safety plc should directly disconnect the power to motors and air block, or maybe something else?

What is a general principle for Safety PLC's?

Thanks.

1) If you don't know the answer to that question, you shouldn't be designing a safety system. I'd strongly recommend getting some qualified help on this project, so you can learn and maybe do the next one yourself.

2) The general principle is that in the event of an error, the system should react in a guaranteed safe way. A risk assessment should be done, to determine what hazards exist. Then you design a safety system to prevent those hazards from affecting people. First choice is to design away the hazards.

The backup is to use safety PLCs as appropriate. This generally means dual contactors for each motor/drive that controls a hazard, controlled directly from the safety PLC. However, some drives have built in safety, sometimes even over the fieldbus.

If you have the regular PLC pass on the safety messages, an error in the regular PLC could cause an unsafe situation. However, it is good practice to have the standard PLC be informed when there are safety actions taken, so that it can take appropriate actions like canceling jobs and move commands.

3) Note that an ESTOP button is generally not sufficient for safety; you usually need light curtains/scanners and/or doors with safety switches to control access to the hazardous area.

According to risk assessment I was given and my experience in this factory worst thing a man can do it is to put his hand to the place where belt meets sprocket, but it is a challenge to do that. But IF eventually something occur there are emergency cable switch all the way every conveyor.

Basically, that's all what I wanted to know. Ill get some contactors and control them from my safety PLC. From the supply side Ill connect them just after drive output.

One more question; where in the UK can I learn safety standards for factory automation?

Thanks for help

I don't know about UK specific standards, but I think the two big European/Global standards for machine safety are ISO 13849-1 (Performance Levels eg PLe) and IEC 62061 (Safety Integrity Levels eg SIL3).

Safety is only as good as its weakest link. You should never use a standard controller in any part of the input, logic, or control elements of a safety function. (in this case standard means not rated for safety, there are some 'standard' controllers that do in fact have a rating for safety).

An emergency stop is not considered to be part of a functional safety system.

In the case of a belt and sprocket like you mentioned. As mk42 said, the first is to design out the hazard (unlikely in this case). Second is to provide guarding and to monitor that guard to ensure it is in place. Next, you need proper warning placards that say "don't stick your hands in here."

You don't mention a required SIL or PLr from the hazard analysis. That will tell you how safe you need to make the system. ISO 13849 and IEC 62061 are the international standards for functional safety.

Itrim said:

According to risk assessment I was given and my experience in this factory worst thing a man can do it is to put his hand to the place where belt meets sprocket, but it is a challenge to do that. But IF eventually something occur there are emergency cable switch all the way every conveyor.

Basically, that's all what I wanted to know. Ill get some contactors and control them from my safety PLC. From the supply side Ill connect them just after drive output.

One more question; where in the UK can I learn safety standards for factory automation?

Thanks for help

Click to expand...

PILZ in Northampton do a Machine Safety Course. C&G accredited too.

A bit unclear. You mention "safety PLC". Does this mean you have separate safety modules? In Beckhoff world, these are yellow and have a dedicated logic controller with its own safety program (also yellow). They yellow stuff acts independently and simply shares the communication path with the machine PLC. Other companies have similar yellow modules.

If true, your question seems to be "should the safety controller output a normal-shutdown request to the machine PLC?". In many scenarios, that is a valid approach, to protect the machine and process. At the same time, the safety PLC can be more authoritative, such as "if we ever get this signal, do this, regardless of what the machine PLC is doing".

RocketTester said:

A bit unclear. You mention "safety PLC". Does this mean you have separate safety modules? In Beckhoff world, these are yellow and have a dedicated logic controller with its own safety program (also yellow). They yellow stuff acts independently and simply shares the communication path with the machine PLC. Other companies have similar yellow modules.

If true, your question seems to be "should the safety controller output a normal-shutdown request to the machine PLC?". In many scenarios, that is a valid approach, to protect the machine and process. At the same time, the safety PLC can be more authoritative, such as "if we ever get this signal, do this, regardless of what the machine PLC is doing".

Click to expand...

Exactly. That's what I'd like to do, additionally it will cut of power to the motors to be 100% sure they'll stop.