E-Stop Wiring - Best Practices (Sub Machines)

theColonel26 (Lifetime Supporting Member; joined Feb 2014; West Michigan; 781 posts)
So I have this existing design. No, I did not design it.

There are three identical machines controlled by 1 PLC.

So there is the Main Control Box (with the PLC), with an E-Stop on the front, and each machine has its own air solenoid box, with a master Air Solenoid, and its own E-Stop.

The E-Stop on the main panel kills everything, but the E-Stop on each solenoid panel only kills that machine.

If I were gonna do this from scratch, I would have all 4 E-Stops in series, so each one would kill everything, or not have the E-Stop on the Main Panel at all, but leave the ones on the solenoid panels alone, to only control their machines.
 
If they are stand-alone/separate operator workstations and have just saved cost with one PLC instead of three, would that change your opinion? It should be that everyone is the captain of their own ship if it's a separate process, regardless of where the main control box is located, each with its own separate safety circuit.
 
Best Practice is to Assess...

I know that when I reply with these kinds of posts it is probably never what the OP wants to hear, but hear it they must, I feel...

theColonel26 said:
E-Stop Wiring - Best Practices (Sub Machines)

Best practice is to carry out a Risk Assessment (I know you did not design this). This should determine how many/where, and what each Emergency Stop actuator should actually be intended to dissipate (Electrical/Pneumatic, etc.). Think Zonal Safety.

theColonel26 said:
...The E-Stop on the main panel kills everything, but the E-Stop on each solenoid panel only kills that machine...

You sound like you think they must all either do the same thing, or all do a separate thing, but not do a mix of things? Again, a Risk Assessment would (should) have decided this Zonal Safety design.

theColonel26 said:
...If I were gonna do this from scratch, I would have all 4 E-Stops in series each one would kill everything, or not have the E-Stop on the Main Panel at all, but leave the ones on the solenoid panels alone, to only control their machines.

Your Risk Assessment should decide what way you would design it. If properly assessed, you would (should) not really be saying things like the above. "I would have it this way, or if not this way, I'd have it that way"? That is not how Functional Safety Design works, or not how it should work. Assess the risks, reduce or mitigate what's possible, calculate the required Safety levels for the remainder, design and implement. Test, document, and where necessary, periodically proof test. If Zonal Safety was assessed to be the most suitable design here, then that is perfectly fine to implement.

Just because this design does not sit right with your way of thinking (or whatever it is about it you don't like?), it does not necessarily mean it is incorrect. If a proper Risk Assessment/Hazard Analysis had been carried out here, then there could be good reasons it is designed this way. The master control panel could be deemed exactly that - only to be used in certain circumstances, for a system-wide Emergency Shutdown (Master Zone). For each individual machine, if their local Emergency Stop actuator is deemed only necessary to bring that one machine to its Safe State, and no other machine need stop, and it does not create any further risks/hazards to other parts of the running system, or stopped machine, then it may be fine to use a Local Zone.

For Functional Safety Design, there is no best practice for vague or loosely similar scenarios, such as a multi-machine application. Each application may vary a little or a lot, especially with regard to the risks and hazards that may be involved. These are never predetermined or prescribed. From a Safety point of view, we cannot look at systems holistically. You must assess each system, or functional parts of a system, individually, and case by case.

The "Oh, I always this...", or "Oh, I never that..." mentality cannot and should not apply for Safety Design.

Even though Emergency Stop actuators are only classed as a complementary protective measure to the primary Safety Related Parts of a Control System (SRP/CS), they are designed to provide an important function within the overall Safety Design. Therefore, we cannot apply standard practices in control philosophy when deciding which way we might like to wire them up.

An existing Risk Assessment, or a new Risk Assessment would be required here before any of us, and especially you, could determine if what has been implemented here is suitable, or not. Without that, I'm afraid, all else would simply be an "Oh, I..." control philosophy discussion, which has no real place here, in my Safety educated opinion.

So why might you think it was done this way? Or more importantly, why do you think it should not be done this way? This would be the beginning of you assessing this, but only consider possible risks and hazards when thinking about this. Not best practices, not control wiring principles, and not what sits right with you.

Functional Safety is all or nothing. You should not half implement it and you should not touch it if unsure. I say "should" because many do.

Regards,
George
 
jholm90- said:
If they are stand-alone/separate operator workstations and have just saved cost with one PLC instead of three, would that change your opinion? It should be that everyone is the captain of their own ship if it's a separate process, regardless of where the main control box is located, each with its own separate safety circuit.

With respect,

This is a holistic approach and one of the points I am trying to make. Retro-recalling a previous or similar scenario that someone has previously implemented or is aware of and assertively applying the same "rules" to a different system. For Functional Safety, we cannot or should not pin any one design to another. This application is unique, and no matter how similar or identical we think it might be to other systems, we cannot apply the same Functional Safety Design here. It must be uniquely Risk Assessed.

I am not talking about an OEM manufacturing identical machines or systems with identical Safety Designs. That is fine. I am talking about one individual advising another, assertively, based on previous experiences.

Most definitely, one size does not fit all here.

Regards,
George
 
As mentioned, each system should be designed within its own rights (based on a risk assessment) and there's not a "one for all" rule.
 
I work on a system with 3 hot platen presses, one cooling press, a carriage, 4 assembly stations, a load station, an unload station, a main operator station and a master control panel.

Each one has an E-stop circuit with safety relay, but also has another safety relay in series tied to every other safety relay in the system. Pressing any 1 of the e-stops kills every machine, component and panel there. The safety relay that is tripped by the E-stop has to have its Reset PB pressed to reset that panel, but the second safety relays all reset automatically when the one (or all) tripped have been reset.

I also built a panel for a rinse line after a deburr machine and made sure that if the e-stop on either one was pressed it killed the other machine, since they were connected together in a single line and the e-stop at the entrance of the rinse line was right at the deburr machine exit.

Unless the OP's 3 machines are completely independent and separated I would be thinking of one loop.
 
theColonel26 said:
If I were gonna do this from scratch, I would have all 4 E-Stops in series, so each one would kill everything, or not have the E-Stop on the Main Panel at all, but leave the ones on the solenoid panels alone, to only control their machines.

It is totally acceptable to design a safety system where an E-stop does not necessarily stop everything.

If for example pressing an E-stop causes the stop of an entire production line, thereby causing a significant loss of production, then that is an incentive to "misuse", like bypassing the E-stop interlocking between machines. Taking this into account can therefore make a safer system, because it prevents mis-use.

You go about that by deciding, in your risk assessment, to split the areas where there will be operators into "zones".
So if you have an operator that can be in a zone "z1" where he has access to machine areas "a1" and "a2", but not area "a3", then the E-stop in zone z1 is wired to a safety relay that will stop the machinery in areas a1 and a2.
If there is another zone z2 where an operator has access to machine areas a2 and a3, but not a1, well, you get the idea.

To put it simply: in a zone where an operator or maintenance person can be, and there are any risks that aren't always guarded, there must be an E-stop in that zone that stops those risks within the area the zone covers. The E-stop in an area does not have to stop risks outside the area in question. Zones can overlap.
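As an added example (not code from this thread or from any of the posters), here is a small Python model of the zone/area scheme described in the post above. It records which areas a person in each zone can reach and which areas each E-stop's safety relay drops, then checks the rule the post states (every reachable hazard is stopped by the zone's own E-stop) and the opposite failure the post warns about (an E-stop that stops far more than the zone can reach, which is the incentive to bypass it). It also reproduces the point from the press-line post earlier in the thread: with every E-stop in one series loop, dropping any one panel's relay stops everything. The zone names z1/z2, areas a1..a3 and the "master" panel are assumed for illustration. The model checks wiring logic only; it does not replace the risk assessment that has to decide what the zones are, nor the safety-rated relays that actually implement them.

```python
"""Zonal E-stop coverage model (added example, not from the thread).

Areas contain hazards; zones are places a person can stand; each zone
lists the areas reachable from it.  Each E-stop is mounted in a zone and
is wired to drop the safety relays of a set of areas.  Names are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    reachable: frozenset   # areas a person standing in this zone can get at


@dataclass(frozen=True)
class EStop:
    zone: str              # zone the actuator is mounted in
    stops: frozenset       # areas whose safety relay this actuator drops


def wired_stops(estops):
    """Map zone name -> union of areas dropped by the E-stop(s) in that zone."""
    wired = {}
    for e in estops:
        wired[e.zone] = wired.get(e.zone, frozenset()) | e.stops
    return wired


def stopped_areas(estops, dropped_zones):
    """Areas brought to a stop when the safety relays of `dropped_zones` are
    off.  A relay drops on an E-stop press but also whenever that panel is
    de-energised (e.g. maintenance), so this is the union over all causes."""
    out = frozenset()
    for e in estops:
        if e.zone in dropped_zones:
            out |= e.stops
    return out


def coverage_gaps(zones, estops):
    """{zone: reachable areas its own E-stop does NOT stop}.
    Empty dict means the design satisfies the rule from the post."""
    wired = wired_stops(estops)
    gaps = {}
    for z in zones:
        missing = z.reachable - wired.get(z.name, frozenset())
        if missing:
            gaps[z.name] = missing
    return gaps


def overreach(zones, estops):
    """{zone: areas its E-stop stops although nobody in that zone can reach them}.
    Large values here are the 'incentive to misuse' the post describes."""
    wired = wired_stops(estops)
    extra = {}
    for z in zones:
        surplus = wired.get(z.name, frozenset()) - z.reachable
        if surplus:
            extra[z.name] = surplus
    return extra


# --- constructed scenario: two overlapping operator zones (assumed names) ---
AREAS = frozenset({"a1", "a2", "a3"})
ZONES = (
    Zone("z1", frozenset({"a1", "a2"})),   # operator in z1 can reach a1, a2
    Zone("z2", frozenset({"a2", "a3"})),   # operator in z2 can reach a2, a3
)

# Zonal design: each E-stop drops exactly what its zone can reach, plus a
# master actuator on the main panel that drops everything (a "master zone").
ZONAL = (
    EStop("z1", frozenset({"a1", "a2"})),
    EStop("z2", frozenset({"a2", "a3"})),
    EStop("master", AREAS),
)

# Under-wired design: z1's E-stop was not wired to the shared area a2.
GAPPY = (
    EStop("z1", frozenset({"a1"})),
    EStop("z2", frozenset({"a2", "a3"})),
)

# All-in-series loop: any actuator, or any panel powered down, stops everything.
SERIES = tuple(EStop(z, AREAS) for z in ("z1", "z2", "master"))


if __name__ == "__main__":
    for label, design in (("zonal", ZONAL), ("gappy", GAPPY), ("series", SERIES)):
        print(label, "gaps:", coverage_gaps(ZONES, design),
              "overreach:", overreach(ZONES, design))
    print("series loop, z2 panel powered down, stops:",
          sorted(stopped_areas(SERIES, {"z2"})))
```

Run as a script it prints the gaps and over-reach of the three constructed designs; the GAPPY design fails coverage for z1, and the SERIES design has no gaps but stops a3 from z1 and a1 from z2, which is exactly the trade-off the post says the risk assessment has to weigh.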
 
Oh, regarding the mis-use, it is a greater concern than many believe.
This is because when individual machines are interlocked via their safety circuits, that is usually done via safety relays. The E-stop contacts on one machine are not directly connected to other machines.
This has the effect that the safety contacts will drop not only when there is an emergency, but any time that the safety relay is off. For example, when the machine is powered down for maintenance. So the safety relay contacts will be off much more frequently than you would think, and that makes the need to avoid stopping other machines unnecessarily more important.
 
In regard to doing this from scratch, you MUST follow the rules as set forth in the following.
NEC 70 - electrical code
NFPA 70E - arc flash
NFPA 496 - purging and pressurizing of enclosures - if applicable
NFPA 79 - electrical standard for industrial machinery.
Other codes may apply based on your application.
It doesn't matter what is at your facility; when doing a new design, you have to go by these codes.


James
 
While I appreciate the level of detail, my question was more along the lines of: shouldn't it be one or the other, not both, as it seems it would confuse people?

As for running risk assessments, I have heard this time and time again on this forum, but I have yet to ever meet an Engineer that does them or even knows anything about how to do one.

The closest to a risk assessment I have ever done is sitting around a table with a couple of other people, discussing the possibilities of what could happen, whether we think they are very likely, and how that weighs against productivity.
 
James said:
In regard to doing this from scratch, you MUST follow the rules as set forth in the following.
NEC 70 - electrical code
NFPA 70E - arc flash
NFPA 496 - purging and pressurizing of enclosures - if applicable
NFPA 79 - electrical standard for industrial machinery.
Other codes may apply based on your application.
It doesn't matter what is at your facility; when doing a new design, you have to go by these codes.

James

Yes, I try to follow the NEC 70, but most of it is inapplicable to what I design. I still try to follow the spirit of it, though.

I am actually going to order a copy of the NFPA 79 and NFPA 496 right now. I've heard people mention the NFPA 79 but I've never had a copy to look at.
 
My two cents worth - and pardon me if I repeat what others may have written.
The primary purpose of an e-stop is to protect people. There is legislation EVERYWHERE as to where they are to be placed and how they must work. This is the purpose of a risk assessment. In today's society of "sue first and ask questions later", I would not reposition/remove an e-stop without engineering approval/sign-off, and they shouldn't request its relocation without a risk assessment. Here in Ontario, virtually any change to a safety circuit requires an engineered review with an associated paper trail. ...FWIW
 
My two cents worth - and pardon me if I repeat what others may have written.
The primary purpose of an e-stop is to protect people. There is legislation EVERYWHERE as to where they are to be placed and how they must work. This is the purpose of a risk assessment. In today's society of "sue first and ask questions later", I would not reposition/remove an e-stop without engineering approval/sign-off, and they shouldn't request its relocation without a risk assessment. Here in Ontario, virtually any change to a safety circuit requires an engineered review with an associated paper trail. ...FWIW

The above statement is so true and is a reason I am so happy to be retired and out of this field.

My bosses did not like it when a situation required the above to be done and resented it when I'd tell them these types of rules needed to be followed, basically saying "Why do you have to make everything so complicated?"
 
If you have one PLC, with 4 separate e-stops, one for each station, could you not tie the e-stops just to the output cards of their respective stations? This way, if you e-stop station 1, only station 1's output cards turn off, motor contactors open up, etc. Would this be a valid option, if the risk assessment approved it?
 