GuardLogix "All Safe" Bit to Control Standard Output

[pediepit]

I have a GuardLogix PLC with safety inputs of HMI, Estops, Light Curtains, and Gates. Is it considered safe for the safety program to monitor the inputs and control one "All Safe" bit and then use that bit in the standard program? Like an XIC in the rungs with the standard outputs. An example is attached. I'm a little new to the safe PLC topic. Thanks

 

[Rob...]

Is the output for indication only or does it have an effect on something requiring safety control.

If the latter, what you're doing is a no go.

 

[ASF]

You must have clear delineation between safety and non-safety functions.

Take the example of tank with an agitator in it. The tank may have an emergency stop next to it, and a guard switch on the lid. Either of those must stop the agitator. The agitator has a standard motor contactor to start and stop it, and the power supply to that contactor comes via a pair of safety contactors.

The monitoring of the emergency stop and guard switch must be done exclusively by the safety code.

The energisation and de-energisation of the safety contactors, when emergency stop or guard switch are activated, must be done exclusively by the safety code.

The monitoring of those safety contactors to ensure they are operating correctly must be done exclusively by the safety code.

The energisation and de-energisation of the agitator's standard contactor would be done by the standard code. It does, of course, make sense that the standard code would check the status of the safety systems before turning on its output. For one thing, it's just standard good practice to make sure that you don't try and start a motor until all the preconditions for it being able to run are met. For another, many standards require that a reset of the safety systems do not permit an automatic restart of machinery, so it makes sense for the standard code to monitor the safety system and ensure it doesn't try to start until the safety systems are healthy and then subsequently a new start command is received. And thirdly, energising your standard contactor won't do a thing if your upstream safety contactors are de-energised.

The old way of doing this was to have a standalone, hardwired safety relay handling all of the safety "code", and then it would send a digital input to the PLC as a "status" feedback. That digital input would be used in the control logic for all devices. Using that method, you have very clear delineation of safety vs non-safety - there are separate physical devices. The hardwired safety circuits manage safety, and the PLC (and it's ladder logic) manage non-safety, with a simple status interface between to allow the PLC to make informed "decisions" about whether motors are ready to be started or not. But even if the PLC makes an "incorrect" decision about whether a motor can be safely started, the hardwired safety system will enforce the safety requirements with no ability for the PLC to override them (i.e. because the upstream safety contactors will cut power to the agitator even if the standard contactor is incorrectly energised).

Now with safety PLC's becoming more common, it tends to look slightly different - there's a safety task, which handles all of the safety functions, and it passes the status to the non-safety code via an internal tag rather than a digital input. But exactly the same thing applies - the safety task manages safety, and the standard tasks manage non-safety, with a simple status interface between to allow the PLC to make informed "decisions" about whether motors are ready to be started or not. But even if the non-safety task makes an "incorrect" decision about whether a motor can be safely started, the safety task will enforce the safety requirements with no ability for the non-safety task to override them (i.e. because the upstream safety contactors will cut power to the agitator even if the standard contactor is incorrectly energised).

In practice, the way this second approach looks is very much as it appears in your screenshot above. As long as the safety task is doing its thing independently, it's totally fine for the non-safety task to receive information from the safety task about the current safety status, to assist it with making non-safety, functional decisions about the state of the machine.

 

[jstolaruk]

I have a GuardLogix PLC with safety inputs of HMI, Estops, Light Curtains, and Gates. Is it considered safe for the safety program to monitor the inputs and control one "All Safe" bit and then use that bit in the standard program? Like an XIC in the rungs with the standard outputs. An example is attached. I'm a little new to the safe PLC topic. Thanks

I use similar rungs. Often, a non-safe output module's power is supplied through safety contactor/relays controlled by the safety task. If the safety task has disabled the power, not much sense in trying to energize the output so I put a safety monitoring tag in the rung.

Let me preface this all that the risk assessment will detail what is safe and what isn't.

 

[cardosocea]

The easiest way to think about safety is to design them in such a way that both programs don't need to see each other to "be safe".

So your safety program has to manage all the safety activation outputs as per the design that came out of the risk assessment.

I do understand what you're trying to do and my suggestion would instead be for you to map that bit into a standard tag. When tags are mapped across, I usually create one named SAFE_XXXX and a STD_XXXX to denote that they're mapped from the Safety Program.

Once that tag is in the Standard program, I wouldn't necessarily put it where you have it, although there's nothing wrong with that, and instead use it to enable your HMI push buttons. There's nothing more maddening to an operator than pressing a button that does nothing. Having them disabled provides feedback that there's something wrong that they need to tend to. It is then a matter of your alarming and diagnosis system being good to lead them to the problem.

 

[pediepit]

Let me give a little more detail just to make sure I understand correctly. I appreciate the responses as well. The output is an SMC manifold through ethernet. The "AllSafe" bit is mapped from the safety task that is monitoring all the redundant inputs to turn on the "all safe" bit. The valve is a standard output through ethernet which is why I’m hesitant. The valve output power is never disconnected, just the output bit. The valve has output control power straight from a 24v power supply that is not turned off with safety. I guess I have hesitancy because the output is not redundant and just a standard output

 

[joseph_e2]

Is the valve actuating something hazardous? If not, you're ok. If so, then changing it to a "safety" output won't matter if the valve isn't also redundant and safety rated. What we typically do is have a safety rated pneumatic dump valve upstream of the standard directional valves and have safety signals control/monitor the dump valve. Then the standard valves are fine to be controlled by standard outputs.

 

[pediepit]

Is the valve actuating something hazardous? If not, you're ok. If so, then changing it to a "safety" output won't matter if the valve isn't also redundant and safety rated. What we typically do is have a safety rated pneumatic dump valve upstream of the standard directional valves and have safety signals control/monitor the dump valve. Then the standard valves are fine to be controlled by standard outputs.

Yes the valves are controlling hazerdous cylinders. I've always thought of safety as something that should be hard to bypass. That's why the safety task is password protected and must be confirmed before changing. With the example I sent, any maintenance guy could go into the standard program and bypass the "AllSafe" bit. But, with what you stated, if the dump valve dumps the air, then nothing could move anyway, correct?

 

[joseph_e2]

With a properly designed pneumatic system, the dump valve will render it safe regardless of the position/state of the directional valves. SMC makes the safety valves. The last one I ordered was their VG342R-5DZ-06N-MB-X87.

 

[ASF]

joseph_e2 has it right.

If there's a pneumatic hazard, isolating the electricity is almost never a safety-rated solution, no matter what safety logic devices are in between. You need to remove the energy source. The energy source is not electricity, the electricity just controls the flow of the energy source. The energy source is the compressed air. So, you need to not just cut off the supply of compressed air, but also remove the existing compressed air (stored energy) from the system. Safety-rated dump valves are very similar to a dual-contactor safety setup in that they will have dual coils, and position feedback on both of those coils. So you use two safety outputs to separately energise the solenoid coils, and you monitor the position feedback to make sure the valves correctly de-energise when you drop out the safety outputs.

Some safety dump valves (I typically used the SMC VP744-5DZ1-04-X538) are literally just two solenoid coils, and two limit switches attached to the solenoid shuttle pins. Others (like the Festo MS6) are a bit smarter, with their own onboard electronics and self-monitoring that just accept two inputs and have a single "safety integrity OK" relay output for your monitoring. I don't like those ones because they can fault out if air pressure is lost and require a power cycle to clear the fault, but that might be a "feature" in the right context.

One final caveat - dumping the air is usually the right way to remove a pneumatic hazard - removal of the stored energy and all that - but not always. If you've got a second source of stored energy - say, gravity - that the compressed air is counteracting, then dumping the air might cause damage or introduce another hazard. E.g. if you dump the air and cause a machine head to come crashing down uncontrolled, that's not a good solution. In those sorts of situations, you might need to take a different approach, e.g. with safety-rated locking cylinders or something. Ultimately, it comes back - as it always does when safety is concerned - to a risk assessment.

Also, edit - and yes, as per your original question, the dump valve needs to be controlled and monitored by safety code, not standard code.

 

[L33er]

I have a GuardLogix PLC with safety inputs of HMI, Estops, Light Curtains, and Gates. Is it considered safe for the safety program to monitor the inputs and control one "All Safe" bit and then use that bit in the standard program? Like an XIC in the rungs with the standard outputs. An example is attached. I'm a little new to the safe PLC topic. Thanks

Not safe!

 

[I_Automation]

To stay safe, if you have unused safety IO, program your All_Safe as you have it, but as a safety output not a BOOL tag.


Then you wire that safety output to a safety input, and in your program you can check the All_Safe_Input


EDIT: Plus you could also use the All_Safe_Output to light a green All Safe indicator, or the All_Safe_Input status to show All Safe on a HMI