Safety AOIs with UDTs

Rsflipflop256

Hello all,

I am beginning my travels in designing a system with a Compact GuardLogix controller and a PanelView Plus 7 standard HMI.

I have 3 valve trains, and each has 3 valves, 2 NC and 1 NO (Upstream, downstream, and Vent)

I want to make an AOI that will cycle these valves 20 times and do it with a safety AOI in a safety routine, however some of the inputs are standard and need to be mapped.

I have been on the phone with tech connect a few times and have a loose understanding of how this is done, by making "intermediary arrays" to store bits and then move them to the standard side for outputting results of the test.

I would just like to make sure that IT IS POSSIBLE, basically. To use AOIs with their own UDT in a safety program and pass the data back and forth as needed. And any tips on how to do it modularly would be greatly appreciated.

I currently have about 80% of the program and structure written, and time is starting to run out and I want to make sure I'm not headed towards a brick wall. o_O

Thanks again and happy Monday (y)
 
It can be done.

Non-safety routines can read safety tags normally and use them to turn on non-safety outputs. Limitations only exist in the other direction - safety logic can only read or write safety tags.

You *can* map non-safety tags to safety tags, using the option in (from memory) the Logic menu in Logix, but the second you do, you should be taking a big step back to ask yourself why you are sending non-safety signals into a safety routine, because in a not-insignificant amount of cases, doing so means what you're doing is no longer a safety function.
 
The only signals coming in from the non-safe side are inputs from valve open and valve closed switches, as well as a couple of digital pressure switches. Nothing major to shake up the safety rating.

I don't know if they were correct or not in specifying a safety PLC for this, I'm leaning towards not. This is for 3 Nat gas valve trains, each with an upstream, downstream, and vent valve. My project is to cycle them all 20 times once a month, then close them all and perform a leak test.

The only reason I can think of for the safety PLC is that we are bypassing their NFPA-rated Honeywell flame safeguard controller to do the test. But we also added a safety relay on the 3 running interlocks for the test, which are "call for gas, flame safety changes state, or the temp goes below 1400 degrees in the chamber", which will kick on the gas injector. So, double safe I suppose.

There are no E-stops, gates, mats, light curtains or anything for personnel safety, I'm controlling 3 sets of nat gas valves in a wastewater plant's incinerator for a once-monthly test that should take 20 mins and then hand back control to their main rack.

Doing it via a retrofit subpanel into their existing enclosure with interposing relays to "fake out" the Honeywell controller, and the NC contacts to prevent any feedback signals.
 
SIL 2

How the whole thing got specced is kind of lost on me, I was told to do this project with this hardware and am learning as I go. It's been a really informative experience so far and I'm just beginning to crack the egg open on the real power of UDTs w/AOIs.

That's just for cycling the valves, the leak test is performed in a regular safety subroutine.
 
This keeps coming up on the boards, but if you feel like it is not safe, you should either not do it, or have a written statement to management that it is their order to do it. I don't know what your company's culture is like, but your feeling should be a big red flag.
 
With the addition of the safety relay guarding the interlocks my feeling has subsided quite a bit. I do appreciate the concern though.
 
I'll probably re-iterate some of what's been said and hopefully add some new info:

1. Yes, you can pass regular tags to safety by mapping. One of the big dangers in doing this is that any Joe Schmo can alter those regular tags, whereas the safety program and tags can be locked down. So you need to make sure that alteration of the regular tags and logic cannot have an adverse effect on safety. I realize that you've been told to do this, but in doing it you become liable.

2. You do not need AOIs or UDTs to do any of this. They add nothing to the performance of the code - they are just conveniences for programmers. Many end users prefer to not have them. One of the big downsides to them is that they cannot be altered online. So if you find that you made one simple mistake, you need to stop the processor and perform a download to fix it. Not always practical - not often welcomed. You can also make the AOI code hidden from the end user. Where I work, we specify in every contract that we as end users own and can see/alter all code. We also specify that all AOIs need to be approved by us prior to use - and you need to convince us why it's necessary.

If I were developing new code, I would develop it in a regular safety routine. If I really wanted an AOI, I'd convert the code to an AOI later.
 
Echoing what Cardosocea said, what is your rated safety level / performance level (SIL 4/PLe)? The risk assessment done by your safety engineer will have one of these. You should have access to a safety engineer on your staff or consult with one so they can fully inform you what the expectations are. Ask them why a safety PLC is required.

There are no hardwired E-Stops integrated to your PLC, are you getting CIP safety signals from a separate PLC somewhere with an E-Stop, or is this a standalone system? What happens if something goes wrong with your 20 minute test, how does an operator stop it?

When you are bypassing the Honeywell controller, are you invalidating the TSSA (or whatever governing body is applicable) certification of the existing panel? I don't know what is new equipment and what is old existing equipment. Are you getting the panel recertified? Who is certifying the program, a senior on your team?

I don't really have a clue when it comes to burners/combustible gasses, but I do know enough that you really shouldn't be uncertain about the way the system is designed from a hardware perspective.

Have a look at Rockwell Automation Publication 1756-RM093J-EN, page 90. In appendix D there are a series of checklists, they may be useful to you.

Just throwing some thoughts out there, I'm sure there are much more knowledgeable people here who can guide you in the right direction.
 
We don't have a staff safety engineer, small company of less than 40, and in the controls group we have 3, none of which have done safety Logix programming unfortunately.
 
So has the client done a risk assessment, does the client have a safety engineer who has dictated to you exactly what the safety requirements are?
 
Curious how you would do a PF 525 with STO board without passing drive comm status and safe off status of the PF 525 to the safety routine.
 
For EDM from a 525, I usually configure one of the relay outputs to STO status. It can be wired back to a safety input. As far as I can tell, the 525 doesn't support CIP Safety over Ethernet, so it has to be hard wired anyway. Am I wrong about that?
 
Correct, no CIP Safety. 2-channel OB8S for the STO enable, but I use a CROUT instruction for the redundant outputs. Entries are the feedback and feedback status. Interesting approach to wire back a signal for the safe torque status. I pass the status along with the health of the status (good comms) as the feedback and input status of the CROUT.

I do the same for Kinetix 6500 with STO as well. Most customers aren't wiring an STO status back from every axis (VFD or servo) and aren't trying to achieve PLe. If that step is necessary we have redundant safety contactors on the load side of the 525. According to AB, PLd / SIL 2 doesn't require the 525 feedback, but I've always incorporated it via the PLC to safety comms. That's why I'm interested in ASF's solution and others. Your suggestion is certainly one I've not entertained.
 