Safety PLC Questions

seth350

I have a project coming up that will need zoning and additional functionality added in the future. I wanted to get into distributed safety where a safety device could be added easily without having to branch into the main safety circuit.
I am having a hard time wrapping my head around the use and physical connections between safe outputs and field actuators. The system in question would be a B&R Safety PLC with digital I/O cards. It uses PLCopen Safety function blocks.
What I do know about the B&R platform is that there are two controllers. The main PLC which would take care of controlling the equipment and separately the Safe PLC which only monitors and reacts to safety events as instructed in its programming.
In a typical and simple world, you will have an estop, mcr/safety relay, and reset button. The mcr will remove power to all actuators and remove power to the output cards.

When using a Safe PLC with I/O, would you still need an MCR/Safety Relay?
Are the actuators controlled from the safe output card or is the output card just a glorified “safe” power supply?
As in, a safe output would actually power an output card?

It seems to me that a safety relay would still be needed to act as an interposing relay.
 
There are a number of architectures, but my typical application will have the safety outputs driving Safety Contactors, Dump Valves or Safe Stop/Safe Torque Off devices. This gives you removal of the energy source.

In:
E-Stop -> Controller
Reset -> Controller
SC Feedback -> Controller
DV Feedback -> Controller

Out:
Controller -> SC
Controller -> DV
Controller -> SS/STO
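
A plain-Python model of the In/Out list in the post above, added here as an illustration and not taken from the thread, B&R or the PLCopen Safety library: any open E-stop drops SC, DV and SS/STO, a restart needs a reset edge, and the SC/DV feedback has to agree with the commanded state. The class name, the three-scan feedback timeout and the normally-closed feedback contacts are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SafetyController:
    """Toy scan-cycle model of the In/Out list above (names are hypothetical)."""
    feedback_timeout: int = 3   # scans the feedback may lag the outputs (assumed value)
    enabled: bool = False       # commanded state of SC, DV and SS/STO together
    fault: str = ""             # latched diagnostic text
    _prev_reset: bool = True    # a button already held at power-up is not an edge
    _mismatch: int = 0          # consecutive scans with feedback disagreeing

    def scan(self, estops_ok, reset, sc_fb, dv_fb):
        """Run one cycle and return the commanded output state.

        estops_ok: one bool per E-stop, True = loop healthy (not pressed).
        sc_fb / dv_fb: True = feedback contact closed = device de-energised
        (assumed normally-closed mirror contacts).
        """
        reset_edge = reset and not self._prev_reset
        self._prev_reset = reset
        all_off = sc_fb and dv_fb
        all_on = not sc_fb and not dv_fb

        if not all(estops_ok):
            self.enabled = False            # any E-stop drops every output
        elif not self.enabled and reset_edge:
            if all_off:                     # start only from a proven-off state
                self.enabled, self.fault = True, ""
            else:
                self.fault = "feedback not in off state at reset"

        # Feedback has to follow the commanded state within the timeout.
        agrees = all_on if self.enabled else all_off
        self._mismatch = 0 if agrees else self._mismatch + 1
        if self._mismatch > self.feedback_timeout:
            self.enabled = False
            self.fault = self.fault or "feedback did not follow outputs"
        return self.enabled

if __name__ == "__main__":
    c, ok = SafetyController(), [True] * 7      # seven E-stops, constructed inputs
    c.scan(ok, False, True, True)               # power-up, reset released
    print(c.scan(ok, True, True, True))         # reset edge from the off state
    print(c.scan([True] * 6 + [False], False, False, False))  # one E-stop pressed
```

A contactor whose feedback stays open after the outputs drop (for example a welded contact) ends up with a latched fault, and the next reset edge is refused until the feedback returns to the off state.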
 
Are the actuators controlled from the safe output card or is the output card just a glorified “safe” power supply?
As in, a safe output would actually power an output card?

In Siemens safety, I've seen it both ways. There are safety output modules that work more or less like you'd expect, but there are also safety power modules that provide power to a group of IO cards. Both modules exist for Amperage reasons. The power modules go up to 10A, but the others are much less.

Most safety output modules I've seen have short pulses on them to detect things like short circuits, cross circuits, and ensure that the module still works. You can wire these to a standard relay no problem, but some high speed relays and intelligent devices can see the pulses and act on them. Therefore interposing relays are sometimes needed.

I also often see intelligent devices doing the safety over fieldbus (Profinet w/profisafe, EIP w/ CIP Safety, etc), which saves a lot of wiring. Not sure if B&R supports that or not.
 
Thanks guys for the insight.
B&R does support safety over fieldbus, through Powerlink and X2X which is just an extendable backplane connection.

I researched the B&R safety modules more last night and read their manual carefully again.
I did miss one module, that was called a power supply module. Typically, this term means that the module powers the rack. I overlooked it thinking it was the same as the standard PSU modules.

It actually has two safe outputs. One in particular will open power to the right of the module. Bingo!

The wiring schematic is slowly coming together in my head.
 
When you're setting up the wiring schematic, make sure you read the manuals for the safety modules first, at least the wiring diagrams. There are a few things about safety inputs and outputs that aren't exactly obvious.

The big one is that safety output modules come in two flavors. In Siemens terms (because those are the ones I'm familiar with) they are PP and PM. PM outputs are what you see the most, because they are easiest to wire up to meet European standards. It does the shut off at both the Output and ALSO at the return. This means that to get the full safety, the signal needs to be able to be wired from the module, to a contact, and back to the module. However, because it can check for things like short circuits and wire break electrically, you have a lot of flexibility with how you run the wires. You also sometimes need an interposing relay to connect to some devices.

There are also PP modules, which do the shutoff at the output twice. This is more what people tend to expect from a safety output. The advantage is that you don't need that return path, so it can be used in more situations without a relay. The downside is that it has less automatic diagnostics, so you need to be much more careful about your wiring practices to ensure that certain types of faults are not possible (short circuit, cross circuit, etc).

On both inputs and outputs, it's important to look at the wiring diagrams as well for simply which terminals are which. Because of the supply/return concept for most safety DIs and PM DOs, you need to keep those pairs in mind. You also need to take into account pairing on input modules if you want to use HW discrepancy checking: does channel 0 pair with channel 1? Channel 4?

I know saying something like "read the manual, look at the wiring diagram" sounds like super boring/basic advice, but I'm not kidding when I say that 90% of the time when I glance at the drawings for safety IO, I immediately see the problems listed above on 90% of the projects I get involved in. It's usually their first time, and they just copied the standard input/output module wiring without putting any extra effort in.
 
Thank you mk42, I appreciate the explanation.

B&R has what they call Type A and Type B outputs.
From their site:

"In order to handle all situations involving actuators, there are basically 2 different types of outputs: the high-side - low-side variant (type A) and the high-side - high-side variant (type B). Type A outputs have safety-related advantages since the actuator can be cut off in its connection cable in all error scenarios. Type A outputs are limited to actuators without ground potential (e.g. relays, valves). For actuators with ground potential (e.g. enable inputs on frequency inverters), type B outputs are required. It is important to observe the special notices for the cabling in this case."
 
I've been off this forum a while, but if you have any B&R safety questions, you can reply here and I'll get the email notification.

The way B&R does all their X20 and X67 power supply modules is that the bottom left is 24VDC for module logic and bottom right is 24VDC for output IO power. You can either jump them together or power the right side from a safety switched power source to kill subsequent outputs with E-Stop. Just like you discovered, they have a safety version that will internally switch the IO power. You could also use the safe output relay modules for that kind of thing.

Most B&R safe digital inputs support OSSD pulses to detect wire breaks or shorts. You have to turn them off if using a safety device that doesn't pass the input signal directly to the output.
 
Thanks CapinWinky, was hoping you would drop by.

I will have to get a quote on the difference between a safe PSU module and a standard. Doesn’t seem like it is needed unless doing safety entirely over Powerlink.

Now that I am thinking about it fresh, I don’t see why a safety plc would really be needed.

The line will be an addition or spur with long conveyor sections with processing equipment and walk through gates.
Seven e-stops and three non-contact gate switches. Also will need to tie in existing estop signal from main line and equipment.
One main line signal and seven pieces of equipment.

Future talks of four more machines added and more conveyor sections which will need estops and gate switches.

Being able to easily add on and diagnose problems quickly would be required.


Also, instead of zoning the line out, they would rather have any estop stop the entire line. They have had one instance where an operator got hung in the conveyor somehow. Another operator saw what happened and hit the closest estop. The entire line stopped which avoided serious injury.
 
