Connect with us

E-Stop question

Discussion in 'Electrical Engineering' started by Anthony, Oct 22, 2004.

Scroll to continue with content
  1. Anthony

    Anthony Guest

    This question has came up a few times in the recent past, and I seemingly
    cannot find a definative answer. I was trained that an E-Stop circuit on
    a machine should always be hard-wired with redundant failsafes (i.e.
    safety relays, etc) and this makes perfect sense, as you do not want the
    E-stop circuit to fail, if possible.
    Lately though, we have been seeing machines where all the E-Stop circuits
    are ran through the PLC. There is *no* physical hard-wired E-Stop
    circuit, even the E-stop button is just wired to inputs on the PLC.
    IMHO, this is bad practice. I have already seen an instance where this
    design failed in practical application.
    In these designs, the PLC is responsible for shutting down everything
    else, which works fine, as long as the PLC is actually RUNNING. When the
    PLC 'locks up', or has other glitches (RAM problems, etc) this could lead
    to bad things.
    My question is: Is it mandated anywhere (OSHA, etc) that an E-stop
    circuit should be hard-wired?
    I was hoping that someone here could provide a link to information that
    specifically addresses this question.

    Thanks in advance.


    --
    Anthony

    You can't 'idiot proof' anything....every time you try, they just make
    better idiots.

    Remove sp to reply via email
     
  2. SQLit

    SQLit Guest

    I know of no written standard that requires hard wire. Most places I have
    worked do it both ways as added insurance.

    I created an program for an main-tie-main plc program that would prevent all
    three breakers from closing. Demonstrated it to death that it was impossible
    for all three to close. First thing that the customer wanted then was to
    close all three breakers for an phasing test by the utility. I did my best
    impression of "you have got to be kidding" politely.

    I like plc's but I would not trust one with my life, or body parts.
     
  3. John Gilmer

    John Gilmer Guest

    Well, like it or not, in more and more areas we DO have to trust the
    computers (with back up) with our lives.

    In the case of most PLC applications there is a reasonably well-definited
    "safe" state which usually means TURN EVERYTHING OFF RIGHT THIS INSTANT.

    Seems to me that the manufacturers COULD produce controllers that sort of
    "hard wire" this "off" condition.

    Frankly, however, if you fly or even drive a car, your life mgiht well
    depend upon computers working properly.
     
  4. Bob Peterson

    Bob Peterson Guest


    <snip>

    its not even required that you have an e-stop in all cases. You have to
    make a decision about what level of risk there is and add safety features
    until the risk is abated. estop pushbuttons are one feature that may reduce
    risk.

    in any case you are required to have a means of absolutely removing power
    from the machine - a disconnect switch serves this purpose.

    its not unheard of to have an "estop" wired to a plc and have the plc take
    the necessary action to bring the machine or process to a desired condition.
    these really should be called something other than estop - maybe master
    stop.
     
  5. John Gilmer

    John Gilmer Guest

    As even "small" systems become more complex, it might be useful to look at
    the "complex from the start" systems for guidance.

    Power plants usually have a "Panic Button" when brings the system to a
    crashing halt.

    BUT, it just doesn't cut the power to everything at once. Certain pumps and
    fans have to be keep operating, for example. Sometimes, these pumps and
    fans have to be turned ON.

    Perhaps the "human interface" types (whom am I kidding?) should put easily
    read information panels near "panic switches" that give an indication of
    WHAT should be expected to happen if the button or switch is activated.

    When designers throw PLCs are problems rather than a handfull of relays,
    it's quite likely that "safe" shutdown is different than pulling the plug.
     
  6. SQLit

    SQLit Guest

    not valid

    I am not asking them to stop in an emergency.
     
  7. Anthony

    Anthony Guest

    The machine type in question would be machining equipment. Basically
    everything should stop. In the particular bad case I have seen, the NC
    locked up. It faulted E-stop, but all the signals apparently never
    reached fully the PLC before it locked also. The PLC apparently had time
    to shut down 2 of the 3 drives it was controlling, however, it left the
    spindle running. It also allowed the door to be opened. There was no
    method that would shut the spindle down, with the exception of turning
    off the main power (E-stop pushbutton did nothing, because it was tied to
    PLC inputs).
    Now, had the E-stop button been physically tied to safety relays, which
    would have been included in the drive power enable circuit, as well as
    the NC and PLC with E-stop inputs, then with the exception of a failed
    safety relay, everything would have stopped when the button was pushed.
    The other bad part of this, is that the PLC apparently did *not* go into
    a 'default safe mode', it simply locked.
    The cause of the computer lock has never been identified, and likely
    never will. There were software changes made by the machine tool
    manufacturer and the electronics manufacturer to help prevent this type
    of situation from happening again, but IMHO, you are still dealing with a
    software solution to a hardwire issue and with that, come all the
    problems associated with software implementation, in that it only works
    if the software is actually *running*.
    I am a proponent of a hard-wired safety circuit on this type of
    equipment. If you physically remove power via a redundant circuit, along
    with a software solution, I feel the machine is safer.
    I wasn't sure there were any written guidelines on this subject, and I
    appreciate everyone's input.



    --
    Anthony

    You can't 'idiot proof' anything....every time you try, they just make
    better idiots.

    Remove sp to reply via email
     
  8. John Gilmer

    John Gilmer Guest

    Obviously, your PLC wasn't of a "mature" design.

    Seriously, in your SPECIFIC case, there should have been a simple series
    loop on the holding coil for the main contactor for the machine.

    I don't have specific PLC design experience but I have worked on spacecraft
    systems.

    "There are ways" of preventing control units from "locking up." A
    possibility is a "sanity check" every 1/2 second (or whatever) which, if
    failed, causes hardware to revert to a "safe" state and wait for
    instructions from the ground.
    Well, like it or not, "software" and "hardware" are really part of one
    spectrum.

    Hardware failure (you HAVE known of "stuck" relays/contactors) can screw up
    the most conservative safety scheme.

    IMO the "solution" is for designers to seriously think truly worse case and
    design hardware and software to address that potential situation.
     
  9. I don't think the NEC or OSHA rules address PLC logic and E stops
    specifically, but require manually operable disconnects within sight of the
    equipment.
    There are numerous rules on this in the NEC Article 430 and in OSHA
    1910.305(j).
    The NEC also has some rules requiring
    Class 1 circuits for safety remote control circuits.
    725.8 Safety-Control Equipment.
    (A) Remote-Control Circuits. Remote-control circuits for safety-control
    equipment shall be classified as Class 1 if the failure of the equipment to
    operate introduces a direct fire or life hazard. Room thermostats, water
    temperature regulating devices, and similar controls used in conjunction
    with electrically controlled household heating and air conditioning shall
    not be considered safety-control equipment.
    (B) Physical Protection. Where damage to remote-control circuits of safety
    control equipment would introduce a hazard, as covered in 725.8(A), all
    conductors of such remote-control circuits shall be installed in rigid metal
    conduit, intermediate metal conduit, rigid nonmetallic conduit, electrical
    metallic tubing, Type MI cable, Type MC cable, or be otherwise suitably
    protected from physical damage.
     
  10. bargepole

    bargepole Guest

    It may be that different regulatory bodies within the same jurisdiction have
    different requirements. In Ontario, NH3 refrigeration equipment must be
    stoppable with a hardwired E-stop as well as with hardwired safety switches
    (pressure, temperature, oil, etc.). This is not a requirement for food
    processing equipment, though I think it should be. Our equipment is all PLC
    controlled. E-stops at operator panels kill power to motor starter coils.
    The PLCs read the E-stop return signal and sequence down ancillary equipment
    (like remote exhaust fans or up stream equipment).
     
  11. John Gilmer

    John Gilmer Guest

    That address a different potential problem: machinery starting up while
    repair people have their arms and bodies stuck inside. That kind of stuff
    merely ensures that "OFF" equipment stays "OFF" so long as the repairmen are
    working.

    BUT when you are considering more complicated and larger systems you have to
    consider the necessity of men repairing parts of a large (and dangerous)
    system while other parts continue to "spin" and otherwise operate.

    These things CAN be done and done in relative safety. BUT it definitely
    requires a change of attitude of the designers.
     
  12. Anthony

    Anthony Guest

    Actually, it is a mature PLC, by a reputable, well known, very
    experienced company. As I said, they did find a software glitch because
    of this incident.



    --
    Anthony

    You can't 'idiot proof' anything....every time you try, they just make
    better idiots.

    Remove sp to reply via email
     
  13. John Gilmer

    John Gilmer Guest

    Well, just as NASA often screws up, so can a PLC maker.
     
  14. You sound like the engineers that designed Pump Station 8 on the
    trans-Alaska pipeline. Some repairmen were taking the filter screen access
    cover off and did not to turn off and lock out the suction valve. There was
    no policy to do this, at the time. Another crew was working on the turbine
    and running the software program. They accidentally opened the suction
    valve using the software. The resulting fire and explosion cost $85 million
    and one life. The resulting federal investigation caused the implementation
    of a rigid permitting and lock out procedure.
    It does not matter how complicated a system is, if persons working on these
    systems while they are energized are in danger of being hurt, then the
    system has to be deengergized and in some cases, locked out. This is
    Federal OSHA mandated law! Software E-Stops are not acceptable methods for
    insuring this level of safety. OSHA has a voluntary compliance program that
    allows persons to ask for a free consultation without being fined. I
    suggest that you ask for this.
    I have worked on some very complicated oil field machinery, and believe me
    it is turned off and locked out before we work on it. We never depend on
    software to insure our safety when we work on this equipment.
     
  15. R. Tooke

    R. Tooke Guest

    As another respondent has mentioned. A thorough risk assessment should
    be performed on the processes performed by the machine.
    The categories include, but are not limited to, frequency of operation,
    likelihood of injury and most importantly, severity of injury that is
    likely.
    All these factors add up to give a score, that can be compared with
    tables, provided by manufacturers of safety controls and equipment, that
    will then categorize the level of safety required for your application.
    Any of the leading manufacturers have readily available guidance notes.
    Some to consider are Telemecanique, Pilz, SIemens and EJA guardmaster
    (part of Allen Bradley now)
     
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Electronics Point Logo
Continue to site
Quote of the day

-