Safety Relay Reset Regs

robw53 said:
I am after a bit of info from anyone who is in the know about this, but basically I am looking for a legal way to reset my Pilz relay after an amount of time has passed. Basically I will explain from the beginning...

Rob, for your peace of mind, it is not illegal to delay the reset of a safety relay. The reset is not required to be instantaneously available. The tripping of the relay is the important part that must be instantaneous if required by risk assessment, but you can also delay the tripping of the relay if the assessment deems it necessary. There are delay-on de-energize and delay-off de-energize PILZ relays available.

So I have a Pilz relay, and that feeds the safety contactor for several PF40s. What I want to happen is that as soon as the safety circuit drops out it cannot be reset within 20 seconds, to allow the drives to power down and stop anyone resetting it too early. Before anybody says it, yes, I know that a PLC should not have any control over a safety device, but I have one way I believe could work, but I would like some advice. The way I was thinking is to have the timer in the PLC, and after it powers down and the 20 seconds has elapsed, then when the reset button is pressed and brings on the input, this gives the output to the safety relay for resetting. But this output would go through the actual reset button on a second contact block before it goes to the reset input on the Pilz relay. This would then mean that if an output was stuck on then it would not reset the safety relay after the e/stop was removed. Can anybody see any issues with this from experience maybe?

You haven't stated why you want the drives to power down fully?
It's either a requirement of a risk assessment, or more likely, when an E-Stop or Safety Guard trips the safety relay, the power to the PF40s will be cut via the safety contactor(s) resulting in an F3 - Power Loss fault on the drives. To reset this fault you need to power cycle the drives. If the safety input (E-Stop or safety guard) is restored, and a reset is attempted before the PF40s have fully powered off, then the fault remains and the machine cannot be re-started until the drives are manually power cycled.
Is this correct?

If so, then OkiePC's contributions, I noticed they have all disappeared, were valid here as an alternative, better method of stopping the drives without having them power off (STO). Also, advice on where to position the safety contactors in relation to the drives is also valid as an alternative method to overcoming the necessity to use a delayed reset of the PILZ.

Simply answering the question asked isn't always the only, or best way to give someone advice, TurpoUpro.

Having said that, I do feel it's a little academic here, as you probably won't be able to change drive spec at this late stage Rob?

Are you working on assumptions or off actual drawings of what they will, or won't do with the reset of the safety relay?
As I've asked above...why do you need a delay and they haven't considered it?
If their older machine had a delay built in for the same reason, why would they not incorporate the same feature in an updated version of the same machine? i.e. is it required at all on the newer machine?
Why did they not advise/use STO? Are they working to your strict specs or their own?
Just some things I would be wondering about this project, in general Rob.

If you do want to use the PLC to delay the availability of the manual reset, then, similar to what others have suggested, wire a relay output from the PLC to a N/O on the blue reset button. The source of this output has to originate from the S12 terminal on the PNOZ s4. Then wire from the other side of the N/O on reset back to S34 (manual reset only), or through the safety contactor(s) N/C auxiliary contact(s) and then back to S34 (manual/monitored reset). Wire the semiconductor status output from Y32 to a PLC input to monitor the safety relay status. As mentioned, use the falling edge of this input to start your time delay, then when done output to the button. I would also advise using an interposing relay as some of the PILZ circuits can be high frequency, which may damage the output over time.

Note: S12 on the PNOZ s4 is the return of channel 1 input device as well as the source for the reset circuit. It will not necessarily be high when your timer is done, but the input channel will have to be on first anyway before a reset is attempted. Either way your output will be high after the delay, making the reset circuit available as soon as the operator(s) finish the task.

I have circuits that use a PILZ with built-in delay-on de-energize (up to 30s) to prevent light curtains from being reset too quickly. In this case it's a risk assessment that warranted the delay, so the delay has to be controlled by a safety rated device (PILZ).

Another option to consider is using the 22-COMM-E's to write to the clear fault bit in the Logic Command word in the PF40s. So when the safety relay is reset too quickly, you can still clear the drive faults without requiring a power cycle. I always wire a separate input from the blue reset PB to the PLC for resetting alarms etc. This can be used to enable this clear drive fault.

It is better practice to place the safety contactors down-line from the drives. It prevents over cycling yes, but more importantly, you open the drive output immediately. If killing the power before the drive, you cannot control what the drive may do for a short period before releasing the motor. Some larger drives can store a lot of energy, which may hold the drive for a brief period longer than intended. It depends on the drive, process and risk assessment requirements. That's why STO was introduced, as drive manufacturers didn't want their drives being over cycled, and to conform to safety standards.

If I'm right in why you want to do this, consider our options...if I'm wrong, I wasn't even here! (>>>TurpoUpro) 🤷
ps.

Donnchadh said:
I would always mail your reason for changing...it and just make sure that he or she replies.

I'm curious Donnchadh, who are you referring to here?

G.
 
I know it's not illegal to delay the start, I was asking if it's legal to use a PLC output as a form of reset on any safety circuit, as this could be classed as a potential automatic reset of the safety circuit in some people's eyes.

The documents issued by Canada stated that all drives should power down after an e/stop. It does also mention the safe torque off, but that is for PF70 and PF40P VFDs.

Yes, you are correct about the F3 under voltage fault, it happens so often on our older plants and it is very annoying to be called out just to put the e-stop in and reset.

You're right, we are stuck with what we have got with regards to VFDs, apart from one of our suppliers, who I am good friends with, from California, who has spent a lot of time over here with one of the first machines they ever made. Anyway, this is the company I am doing a bit of research for as to good ways to do this that are also safe and would comply with relevant safety standards in the EU.

I know this from discussions with my friend that this is how they wanted to do it. The delay they originally had was to delay the reset button for 30 seconds, which cost us a lot of time, as you might press the reset and wait and then nothing happens, then you realise a guard's still open, and it was a PITA, so it was changed and the delay removed.

They are working to our company's specs, which were written in Canada.

On the S4 you can just use 24 VDC from the same PSU that is powering the relay to do the reset, so I could just use a normal transistor output, say a 1769-OB16.

I would still request that he reset any faulted drives after power-up using the tags in the PLC, but I was looking more from the short cycling side of things.

Unfortunately our spec states to power down the drives and this is what they are going for, as changing it now would mean increased costs and delays that my company wouldn't want.
The drives we are talking about are 0.75-2.2 kW.

Thanks for such an informative reply, Geospark.


Rob
 

Okie's and plckid's discussion went in the "which one is better, ABB or AB" direction (Okie must have seen it himself, otherwise I doubt he would have deleted those posts).

Also OP clearly stated that it was in their requirements (he has no control of) and could not change the fact. I also prefer STO over anything. But when one is forced he is forced.

Reset circuit itself usually does not perform safety function, in this case it seemed clear that was not the case. So it's viable to interrupt it for some time if wanted to.

Depending on design it might be better option to interrupt control voltage for contactors (in series with safety relay, no safety function performed there either).
 
robw53 said:
I know it's not illegal to delay the start, I was asking if it's legal to use a PLC output as a form of reset on any safety circuit...

Delay the reset you mean.
Rob, regardless of what I thought you meant, I may not have answered you clearly enough with regard to the legal issues. So I'm going to do so now as it's very important to know, not just for you, but anyone reading this.

There is no law that states you cannot delay the reset of a safety relay using a PLC. However, there can be legal implications in doing so. There is a difference.

If the delayed reset is required to prevent an assessed risk, it must be performed by a safety rated device. If you use the PLC in this case, and the delay is somehow cut short, and a reset is effected before the safe period has elapsed, and someone is hurt or killed, you may find yourself before a judge.

If you are delaying the reset for any other reason than preventing a known risk, you may use any suitable method, as long as that method does not pose or create a risk. There are no legal implications in this case.

Hopefully that answers your question better.

That is why, even though I had a fair idea, I needed to know for sure why you needed a delayed reset.

robw53 said:
...this could be classed as a potential automatic reset of the safety circuit in some people's eyes.

It's not about how it might look in other people's eyes Rob, someone you have to please looking down on you from the high moral ground. It's about how it looks in your eyes. If you want to implement this delayed reset yourself, you have to decide firstly if an automatic reset could pose or create a risk to the operators, and then decide if the method you use to implement your delay could create that automatic reset?
If an auto reset is no risk don't worry about it. If it is, make sure your PLC delayed reset method cannot create that auto reset. It's your modification, it's your responsibility. If you're not doing it, the OEM, or whoever is, must assess and decide this.

An automatic reset is not a safety measure. It's a control function of safety devices that allows the machine to return to the ready to run state as soon as the safety input(s) have been closed. It's perfectly ok to use auto reset in certain circumstances.

robw53 said:
On the S4 you can just use 24 VDC from the same PSU that is powering the relay to do the reset, so I could just use a normal transistor output, say a 1769-OB16.

This is a common practice and mistake, especially with PILZ relays. Just because you can do something does not mean you should. I stated in my last post that the reset circuit has to originate from the S12 terminal on a PNOZ s4 and that it is also the return from Channel 1 safety input. The Channel 1 return signal has to be present before the reset circuit can be powered. It's part of the safety function.

On a PNOZ s4 and other PILZ safety relays, when using Manual/Monitored Reset, which you will be, the following self checking measures are used:

Dual-channel operation with detection of shorts across contacts: redundant input circuit detects
– earth faults in the reset and input circuit,
– short circuits in the input circuit and, with a monitored reset, in the reset circuit too,
– shorts between contacts in the input circuit.

If you source the supply to the reset circuit from anywhere other than S12, you are defeating the safety function's self-checking measures. If the reset push button has constant power to it and it shorts or is defeated (held in), the PILZ can only detect a short between S12 and S34, not between the +24VDC source and S34. So its checking logic thinks there is no short. It could potentially create that auto reset your risk assessment doesn't want. PILZ do not condone this practice. Nowhere in the reset wiring diagrams does it show an external supply as an option for the reset circuit, only S12. It's common practice because it saves extra work. Often it's easier to loop a nearby common to the reset PB rather than run an extra wire out. Remember, just because you can...

So if your risk assessment allows a PLC delayed reset, use whichever method you prefer from the advice given, but you shouldn't need to wrap the reset back through the push button a second time. That would be overthinking it Rob.

If you don't have a relay output use an interposing relay controlled by the transistor output. Wire S12 to a contact on this relay and then back to the reset push button. Whether you use N/O or N/C is up to you. You could make it N/O and the output N/High. The PILZ relay tripping will drive the output low and the timer done resets the output high again. This would failsafe the relay, but it's not essential to do it this way. You could also switch another input through a second contact on the interposing relay to monitor this relay's status - "Safety Relay-Delayed Reset Active" or similar. How far you go with it is up to you.

robw53 said:
...the documents issued by Canada stated that all drives should power down after an e/stop...

...they are working to our company's specs, which were written in Canada...

...unfortunately our spec states to power down the drives and this is what they are going for, as changing it now would mean increased costs and delays that my company wouldn't want.

Ok, this gets tricky, but I'll keep it brief as I can.

I have not, or am not going to look into Canadian safety regulations in detail. I do know they conform to either SSC or CHOSS national standards, which in turn should conform to ANSI or IEC international standards.

Do you work for a Canadian multi-national?
Your Canadian colleagues are drafting machine design and safety specifications according to their national standards?
The machine is being built in Canada/US and shipped to the UK?


It's important to know that the machine safety and design laws and regulations of the country in which a machine is to be operated are always to be followed, even when it's made in another country. This machine must have CE markings beside the manufacturer's name on the nameplate/logo. Parts of the machine may have CE conformance, but the whole machine as a design must conform to CE to be used in the UK. The OEM should know this. They must declare conformity by certification. American or Canadian conformance, such as CSA, UL or c-UL, is not valid in the EU. In the EU we fall under the Machinery Directive 2006/42/EC. This is what your CA colleague should be using to make his US manufactured machines conform to EU standards.

All this conformance and standards stuff may seem irrelevant once the machine is installed and working fine, but if something happens and someone is hurt or worse, you'll find yourself looking for it for the court case. If you are over this project, don't let your company put you in this position. Check it out for yourself.

I work for a US based multi, I have experienced this first hand.

G.
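
The PLC-delayed reset described in the posts above (the falling edge of the Y32 status input starts the timer; the output to the interposing relay in the S12 reset path goes low on a trip and high again when the timer is done), modelled scan by scan. This is an added example, not code from the thread: the class, function and signal names and the power-up behaviour are assumptions, and it models ordinary PLC logic, not a safety-rated function.

```python
from dataclasses import dataclass
from typing import Optional

RESET_DELAY_S = 20.0  # the 20 s the thread allows for the PF40s to power down


@dataclass
class DelayedResetPermit:
    """Scan-by-scan model of the PLC side only (standard logic, not safety-rated).

    y32_on : PLC input wired from the PNOZ s4 Y32 status output
    permit : PLC output driving the interposing relay whose contact sits
             between S12 and the reset push button (normally high)
    """
    delay_s: float = RESET_DELAY_S
    permit: bool = True
    # Assumption: start as "relay was on", so a first scan that sees Y32 low
    # is treated as a trip and the full delay is served.
    prev_y32: bool = True
    trip_time: Optional[float] = None

    def scan(self, y32_on: bool, now: float) -> bool:
        falling_edge = self.prev_y32 and not y32_on
        self.prev_y32 = y32_on
        if falling_edge:
            # Relay tripped: drop the permit and start timing.
            self.permit = False
            self.trip_time = now
        elif self.trip_time is not None and now - self.trip_time >= self.delay_s:
            # Timer done: make the reset circuit available again.
            self.permit = True
            self.trip_time = None
        return self.permit


def reset_reaches_s34(s12_high: bool, permit: bool, button_pressed: bool) -> bool:
    """Series path S12 -> interposing contact -> reset PB (N/O) -> S34."""
    return s12_high and permit and button_pressed


def run_trace(samples, delay_s: float = RESET_DELAY_S):
    """Feed (time_s, y32_on) samples through the logic; return the permit states."""
    logic = DelayedResetPermit(delay_s=delay_s)
    return [logic.scan(y32, t) for t, y32 in samples]


# Constructed sample trace: (seconds, Y32 status)
SAMPLE_TRACE = [
    (0, True),    # running
    (1, False),   # e-stop: relay trips
    (5, False),   # early reset attempt window
    (20, False),  # 19 s after trip, still locked out
    (21, False),  # 20 s elapsed
    (25, True),   # operator has reset the relay
    (30, False),  # second trip
    (49, False),
    (50, False),
]

if __name__ == "__main__":
    for (t, y32), permit in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={t:>2}s  Y32={'on ' if y32 else 'off'}  permit={'high' if permit else 'low'}")
```

Because the reset path is sourced from S12, a high permit alone never reaches S34: the channel 1 return and the push button both have to be present as well.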
 
Thanks for the detailed response, that has answered and made me understand quite a lot.

As for this equipment, there is no risk if an auto startup occurred, I just was under the assumption that no matter what a PLC shouldn't be used for a reset, so now this has cleared it up for me.

Thanks for info on the PILZ relay reset, so I take it that if you wire the reset from S12 to the reset terminal as per Pilz drawings, then if the relay sees the reset and CH1 go high at the same time, this knows that there is a short across the button, or terminals.

Yes, I am working for a Canadian multi-national, they are following the CE regs, the Canadian standards are for the PLC and other control equipment standards, we have modified this document to suit our business.

I'm not overseeing the project, I'm working for the guys in this position. My job is just to liaise with suppliers and do the software side of the integration of the equipment. I leave the safety side of things to the suppliers, but was going to request the delayed power-up if this was something that was possible.

Could you recommend any suitable training courses which would be beneficial to bringing me up to speed with this? I have inquired about a PILZ course but don't know if this is the best approach or if there are better things out there.
 
robw53 said:
Yes, I am working for a Canadian multi-national, they are following the CE regs, the Canadian standards are for the PLC and other control equipment standards, we have modified this document to suit our business.

The "PLC and other control equipment" you mention, as a system, need to conform to CE standards as well Rob. At the very least each component should have the CE logo. Are all the suppliers EU/UK based or US/Canadian? I'm not sure what you mean by having modified a document to suit your business? To what end exactly? Have you modified your Canadian colleagues' standards to meet EU standards?

robw53 said:
...I have inquired about a PILZ course but don't know if this is the best approach or if there are better things out there.

PILZ run excellent machinery safety courses. I've done a couple of them. Have you looked at their course schedule for the UK?

http://www.pilz.com/en-GB/services/trainings/seminars

For beginner level maybe do the 1 day introductory course. It will give you a good grounding on some of the safety regs and standards I've mentioned.
For intermediate level you could then move on to the 4 day machinery safety course. It's City & Guilds certified.

Depending on your business and your role within it, you could do the individual SIL, PUWER, Robot, Packaging, ATEX, Safety Design courses.

If you decide you want to go more advanced, consider the Certified Machinery Safety Expert (CMSE) course. It's TÜV NORD certified. I've done this one. It's excellent for anyone who wants to know what they're at when dealing with machine related safety.

http://www.cmse.com/cmse/course-details/training/index.html.en

G.
 
I meant we have modified the Canadian document to suit what we require: they suggest CompactLogix L24, we want L33-ER etc, etc. We have suppliers from Canada, US, UK, Europe.

Yes, I have looked at it. I was interested in the four day course, but if you think doing the one day course first would be beneficial then maybe I will see about doing that. Yes, I've also been looking at the CMSE course, but they require you have been doing it for I think 5 years in the design aspect of safety, but something I am looking to work up to at some stage.
 
robw53 said:
...we have suppliers from Canada, US, UK, Europe.

Ok, just make sure the US/Canadian suppliers are supplying CE conforming components. Many companies conform to international standards these days, all on one product, to save manufacturing separately for different markets. So you might see all of, or a combination of, CE, TUV, RoHS, CCC, CSA, C-Tick, UL, cUL, cULus, and others, on the same product. They're often identical products on different markets. Different supply voltages obviously play a big part in this too. It's not that they might not work because our air is thinner or something silly, it's just for conformance/insurance reasons (A*s covering!)

robw53 said:
...yes, I have looked at it. I was interested in the four day course, but if you think doing the one day course first would be beneficial then maybe I will see about doing that...

The 1 day would be the least I'd recommend, but if you're already thinking about the 4 day course, start there.

robw53 said:
...yes, I've also been looking at the CMSE course, but they require you have been doing it for I think 5 years in the design aspect of safety, but something I am looking to work up to at some stage

Definitely do the 4 day before looking at the CMSE course Rob.
You should really have a few years experience in and around machine safety. Even if it's just some design/selection and wiring/configuring for small projects. Demonstration of basic safety concepts, etc. You don't have to be a safety design expert by any means.

I don't think I've read what your job description is exactly on this forum yet Rob, but I've been assuming you're at least an Electrician/Technician?

There is an application process, via link above, from which your qualifications/experience will be assessed before acceptance for the CMSE course. I wouldn't worry too much. Having done the 4 day will prove to them your readiness (more money!).

G.
 
