Maker Pro

E-Stop question

Anthony

Jan 1, 1970
This question has come up a few times in the recent past, and I seemingly
cannot find a definitive answer. I was trained that an E-Stop circuit on
a machine should always be hard-wired with redundant failsafes (i.e.
safety relays, etc.) and this makes perfect sense, as you do not want the
E-stop circuit to fail, if possible.
Lately though, we have been seeing machines where all the E-Stop circuits
are run through the PLC. There is *no* physical hard-wired E-Stop
circuit; even the E-stop button is just wired to inputs on the PLC.
IMHO, this is bad practice. I have already seen an instance where this
design failed in practical application.
In these designs, the PLC is responsible for shutting down everything
else, which works fine, as long as the PLC is actually RUNNING. When the
PLC 'locks up', or has other glitches (RAM problems, etc.), this could lead
to bad things.
My question is: Is it mandated anywhere (OSHA, etc.) that an E-stop
circuit should be hard-wired?
I was hoping that someone here could provide a link to information that
specifically addresses this question.

Thanks in advance.


--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
better idiots.

Remove sp to reply via email
 
SQLit

Jan 1, 1970
Anthony said:
This question has come up a few times in the recent past, and I seemingly
cannot find a definitive answer. I was trained that an E-Stop circuit on
a machine should always be hard-wired with redundant failsafes (i.e.
safety relays, etc.) and this makes perfect sense, as you do not want the
E-stop circuit to fail, if possible.
Lately though, we have been seeing machines where all the E-Stop circuits
are run through the PLC. There is *no* physical hard-wired E-Stop
circuit; even the E-stop button is just wired to inputs on the PLC.
IMHO, this is bad practice. I have already seen an instance where this
design failed in practical application.
In these designs, the PLC is responsible for shutting down everything
else, which works fine, as long as the PLC is actually RUNNING. When the
PLC 'locks up', or has other glitches (RAM problems, etc.), this could lead
to bad things.
My question is: Is it mandated anywhere (OSHA, etc.) that an E-stop
circuit should be hard-wired?
I was hoping that someone here could provide a link to information that
specifically addresses this question.

Thanks in advance.


--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
better idiots.

I know of no written standard that requires hard wiring. Most places I have
worked do it both ways as added insurance.

I created a program for a main-tie-main PLC that would prevent all
three breakers from closing. Demonstrated it to death that it was impossible
for all three to close. First thing that the customer wanted then was to
close all three breakers for a phasing test by the utility. I did my best
impression of "you have got to be kidding" politely.

I like PLCs, but I would not trust one with my life, or body parts.
 
John Gilmer

Jan 1, 1970
I like PLCs, but I would not trust one with my life, or body parts.

Well, like it or not, in more and more areas we DO have to trust the
computers (with back up) with our lives.

In the case of most PLC applications there is a reasonably well-defined
"safe" state which usually means TURN EVERYTHING OFF RIGHT THIS INSTANT.

Seems to me that the manufacturers COULD produce controllers that sort of
"hard wire" this "off" condition.

Frankly, however, if you fly or even drive a car, your life might well
depend upon computers working properly.
 
Bob Peterson

Jan 1, 1970
My question is: Is it mandated anywhere (OSHA, etc) that an E-stop
circuit should be hard-wired?


<snip>

It's not even required that you have an E-stop in all cases. You have to
make a decision about what level of risk there is and add safety features
until the risk is abated. E-stop pushbuttons are one feature that may reduce
risk.

In any case you are required to have a means of absolutely removing power
from the machine - a disconnect switch serves this purpose.

It's not unheard of to have an "E-stop" wired to a PLC and have the PLC take
the necessary action to bring the machine or process to a desired condition.
These really should be called something other than E-stop - maybe master
stop.
 
John Gilmer

Jan 1, 1970
It's not unheard of to have an "E-stop" wired to a PLC and have the PLC take
the necessary action to bring the machine or process to a desired condition.
These really should be called something other than E-stop - maybe master
stop.

As even "small" systems become more complex, it might be useful to look at
the "complex from the start" systems for guidance.

Power plants usually have a "Panic Button" which brings the system to a
crashing halt.

BUT, it just doesn't cut the power to everything at once. Certain pumps and
fans have to be kept operating, for example. Sometimes, these pumps and
fans have to be turned ON.

Perhaps the "human interface" types (whom am I kidding?) should put easily
read information panels near "panic switches" that give an indication of
WHAT should be expected to happen if the button or switch is activated.

When designers throw PLCs at problems rather than a handful of relays,
it's quite likely that "safe" shutdown is different than pulling the plug.
 
SQLit

Jan 1, 1970
John Gilmer said:
Well, like it or not, in more and more areas we DO have to trust the
computers (with back up) with our lives.

In the case of most PLC applications there is a reasonably well-defined
"safe" state which usually means TURN EVERYTHING OFF RIGHT THIS INSTANT.

Seems to me that the manufacturers COULD produce controllers that sort of
"hard wire" this "off" condition.

Frankly, however, if you fly or even drive a car, your life might well
depend upon computers working properly.

not valid

I am not asking them to stop in an emergency.
 
Anthony

Jan 1, 1970
As even "small" systems become more complex, it might be useful to
look at the "complex from the start" systems for guidance.

Power plants usually have a "Panic Button" which brings the system to a
crashing halt.

BUT, it just doesn't cut the power to everything at once. Certain
pumps and fans have to be kept operating, for example. Sometimes,
these pumps and fans have to be turned ON.

Perhaps the "human interface" types (whom am I kidding?) should put
easily read information panels near "panic switches" that give an
indication of WHAT should be expected to happen if the button or
switch is activated.

When designers throw PLCs at problems rather than a handful of
relays, it's quite likely that "safe" shutdown is different than
pulling the plug.

The machine type in question would be machining equipment. Basically
everything should stop. In the particular bad case I have seen, the NC
locked up. It faulted E-stop, but all the signals apparently never
fully reached the PLC before it locked also. The PLC apparently had time
to shut down 2 of the 3 drives it was controlling; however, it left the
spindle running. It also allowed the door to be opened. There was no
method that would shut the spindle down, with the exception of turning
off the main power (the E-stop pushbutton did nothing, because it was tied to
PLC inputs).
Now, had the E-stop button been physically tied to safety relays, which
would have been included in the drive power enable circuit, as well as
the NC and PLC with E-stop inputs, then with the exception of a failed
safety relay, everything would have stopped when the button was pushed.
The other bad part of this is that the PLC apparently did *not* go into
a 'default safe mode'; it simply locked.
The cause of the computer lock has never been identified, and likely
never will be. There were software changes made by the machine tool
manufacturer and the electronics manufacturer to help prevent this type
of situation from happening again, but IMHO, you are still dealing with a
software solution to a hardwire issue, and with that come all the
problems associated with software implementation, in that it only works
if the software is actually *running*.
I am a proponent of a hard-wired safety circuit on this type of
equipment. If you physically remove power via a redundant circuit, along
with a software solution, I feel the machine is safer.
I wasn't sure there were any written guidelines on this subject, and I
appreciate everyone's input.



--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
better idiots.

Remove sp to reply via email
 
John Gilmer

Jan 1, 1970
The machine type in question would be machining equipment. Basically
everything should stop. In the particular bad case I have seen, the NC
locked up. It faulted E-stop, but all the signals apparently never
fully reached the PLC before it locked also. The PLC apparently had time
to shut down 2 of the 3 drives it was controlling; however, it left the
spindle running. It also allowed the door to be opened. There was no
method that would shut the spindle down, with the exception of turning
off the main power (the E-stop pushbutton did nothing, because it was tied to
PLC inputs).
Now, had the E-stop button been physically tied to safety relays, which
would have been included in the drive power enable circuit, as well as
the NC and PLC with E-stop inputs, then with the exception of a failed
safety relay, everything would have stopped when the button was pushed.
The other bad part of this is that the PLC apparently did *not* go into
a 'default safe mode'; it simply locked.

Obviously, your PLC wasn't of a "mature" design.

Seriously, in your SPECIFIC case, there should have been a simple series
loop on the holding coil for the main contactor for the machine.

I don't have specific PLC design experience but I have worked on spacecraft
systems.

"There are ways" of preventing control units from "locking up." A
possibility is a "sanity check" every 1/2 second (or whatever) which, if
failed, causes hardware to revert to a "safe" state and wait for
instructions from the ground.
The cause of the computer lock has never been identified, and likely
never will. There were software changes made by the machine tool
manufacturer and the electronics manufacturer to help prevent this type
of situation from happening again, but IMHO, you are still dealing with a
software solution to a hardwire issue, and with that come all the
problems associated with software implementation, in that it only works
if the software is actually *running*.

Well, like it or not, "software" and "hardware" are really part of one
spectrum.

Hardware failure (you HAVE known of "stuck" relays/contactors) can screw up
the most conservative safety scheme.

IMO the "solution" is for designers to seriously think truly worst case and
design hardware and software to address that potential situation.
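Modeled below as an added Python example (not code from anyone in this thread): Anthony's incident, where the E-stop reached only PLC inputs and the PLC locked after stopping two of three drives, beside the simple series loop on the main contactor holding coil and the periodic "sanity check" suggested in this reply. The machine, drive names and watchdog limit are constructed assumptions.

```python
"""Added example: the incident above (E-stop only on PLC inputs, PLC locks
mid-scan) against a hard-wired series loop on the main contactor holding coil
plus an independent watchdog. Drive names and timings are constructed."""
from dataclasses import dataclass, field
from typing import Optional

DRIVES = ("x_axis", "z_axis", "spindle")  # constructed 3-drive machine
MISSED_LIMIT = 2                           # heartbeats missed before watchdog trips


@dataclass
class Machine:
    hardwired_loop: bool           # E-stop contact in series with the contactor coil?
    plc_running: bool = True
    contactor_closed: bool = True  # main contactor feeds every drive power enable
    drive_on: dict = field(default_factory=lambda: {d: True for d in DRIVES})
    heartbeat_missed: int = 0

    def press_estop(self, plc_locks_after: Optional[int] = None) -> None:
        """Operator presses the E-stop. With a hard-wired loop the button contact
        opens the holding-coil circuit itself; otherwise only the PLC can act."""
        if self.hardwired_loop:
            self.contactor_closed = False
        # The PLC sees the E-stop on an input either way and sequences drives down.
        self._plc_scan(estop_input=True, lock_after=plc_locks_after)

    def _plc_scan(self, estop_input: bool, lock_after: Optional[int]) -> None:
        """One PLC scan. lock_after simulates the PLC locking up after switching
        off that many drives, leaving its remaining outputs frozen as they were."""
        if not self.plc_running or not estop_input:
            return
        for n, drive in enumerate(DRIVES):
            if lock_after is not None and n >= lock_after:
                self.plc_running = False
                return
            self.drive_on[drive] = False

    def watchdog_tick(self) -> None:
        """Independent hardware watchdog: a running PLC toggles a heartbeat output
        each tick; after MISSED_LIMIT silent ticks the watchdog drops the contactor."""
        if self.plc_running:
            self.heartbeat_missed = 0
            return
        self.heartbeat_missed += 1
        if self.heartbeat_missed >= MISSED_LIMIT:
            self.contactor_closed = False

    def energized_drives(self) -> list:
        """Drives still under power: none once the contactor has dropped out."""
        if not self.contactor_closed:
            return []
        return [d for d, on in self.drive_on.items() if on]


def scenario(hardwired_loop: bool, watchdog_ticks: int = 0) -> list:
    """E-stop pressed; PLC locks after stopping 2 of 3 drives, as in the incident."""
    m = Machine(hardwired_loop=hardwired_loop)
    m.press_estop(plc_locks_after=2)
    for _ in range(watchdog_ticks):
        m.watchdog_tick()
    return m.energized_drives()
```

`scenario(False)` leaves the spindle energized, `scenario(True)` removes power from every drive regardless of PLC state, and `scenario(False, 2)` shows the watchdog recovering the PLC-only design only after its timeout has elapsed.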
 
Gerald Newton

Jan 1, 1970
Anthony said:
This question has come up a few times in the recent past, and I seemingly
cannot find a definitive answer. I was trained that an E-Stop circuit on
a machine should always be hard-wired with redundant failsafes (i.e.
safety relays, etc.) and this makes perfect sense, as you do not want the
E-stop circuit to fail, if possible.
Lately though, we have been seeing machines where all the E-Stop circuits
are run through the PLC. There is *no* physical hard-wired E-Stop
circuit; even the E-stop button is just wired to inputs on the PLC.
IMHO, this is bad practice. I have already seen an instance where this
design failed in practical application.
In these designs, the PLC is responsible for shutting down everything
else, which works fine, as long as the PLC is actually RUNNING. When the
PLC 'locks up', or has other glitches (RAM problems, etc.), this could lead
to bad things.
My question is: Is it mandated anywhere (OSHA, etc.) that an E-stop
circuit should be hard-wired?
I was hoping that someone here could provide a link to information that
specifically addresses this question.

Thanks in advance.


--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
better idiots.

Remove sp to reply via email

I don't think the NEC or OSHA rules address PLC logic and E-stops
specifically, but they require manually operable disconnects within sight of the
equipment.
There are numerous rules on this in the NEC Article 430 and in OSHA
1910.305(j).
The NEC also has some rules requiring Class 1 circuits for safety remote
control circuits.
725.8 Safety-Control Equipment.
(A) Remote-Control Circuits. Remote-control circuits for safety-control
equipment shall be classified as Class 1 if the failure of the equipment to
operate introduces a direct fire or life hazard. Room thermostats, water
temperature regulating devices, and similar controls used in conjunction
with electrically controlled household heating and air conditioning shall
not be considered safety-control equipment.
(B) Physical Protection. Where damage to remote-control circuits of safety
control equipment would introduce a hazard, as covered in 725.8(A), all
conductors of such remote-control circuits shall be installed in rigid metal
conduit, intermediate metal conduit, rigid nonmetallic conduit, electrical
metallic tubing, Type MI cable, Type MC cable, or be otherwise suitably
protected from physical damage.
 
bargepole

Jan 1, 1970
Anthony said:
This question has come up a few times in the recent past, and I seemingly
cannot find a definitive answer. I was trained that an E-Stop circuit on
a machine should always be hard-wired with redundant failsafes (i.e.
safety relays, etc.) and this makes perfect sense, as you do not want the
E-stop circuit to fail, if possible.
Lately though, we have been seeing machines where all the E-Stop circuits
are run through the PLC. There is *no* physical hard-wired E-Stop
circuit; even the E-stop button is just wired to inputs on the PLC.
IMHO, this is bad practice. I have already seen an instance where this
design failed in practical application.
In these designs, the PLC is responsible for shutting down everything
else, which works fine, as long as the PLC is actually RUNNING. When the
PLC 'locks up', or has other glitches (RAM problems, etc.), this could lead
to bad things.
My question is: Is it mandated anywhere (OSHA, etc.) that an E-stop
circuit should be hard-wired?
I was hoping that someone here could provide a link to information that
specifically addresses this question.

It may be that different regulatory bodies within the same jurisdiction have
different requirements. In Ontario, NH3 refrigeration equipment must be
stoppable with a hardwired E-stop as well as with hardwired safety switches
(pressure, temperature, oil, etc.). This is not a requirement for food
processing equipment, though I think it should be. Our equipment is all PLC
controlled. E-stops at operator panels kill power to motor starter coils.
The PLCs read the E-stop return signal and sequence down ancillary equipment
(like remote exhaust fans or upstream equipment).
 
John Gilmer

Jan 1, 1970
I don't think the NEC or OSHA rules address PLC logic and E-stops
specifically, but they require manually operable disconnects within sight of the
equipment.

That addresses a different potential problem: machinery starting up while
repair people have their arms and bodies stuck inside. That kind of stuff
merely ensures that "OFF" equipment stays "OFF" so long as the repairmen are
working.

BUT when you are considering more complicated and larger systems you have to
consider the necessity of men repairing parts of a large (and dangerous)
system while other parts continue to "spin" and otherwise operate.

These things CAN be done and done in relative safety. BUT it definitely
requires a change of attitude of the designers.
 
Anthony

Jan 1, 1970
Obviously, your PLC wasn't of a "mature" design.

Actually, it is a mature PLC, by a reputable, well known, very
experienced company. As I said, they did find a software glitch because
of this incident.



--
Anthony

You can't 'idiot proof' anything....every time you try, they just make
better idiots.

Remove sp to reply via email
 
John Gilmer

Jan 1, 1970
Actually, it is a mature PLC, by a reputable, well known, very
experienced company. As I said, they did find a software glitch because
of this incident.

Well, just as NASA often screws up, so can a PLC maker.
 
Gerald Newton

Jan 1, 1970
John Gilmer said:
That addresses a different potential problem: machinery starting up while
repair people have their arms and bodies stuck inside. That kind of stuff
merely ensures that "OFF" equipment stays "OFF" so long as the repairmen are
working.

BUT when you are considering more complicated and larger systems you have to
consider the necessity of men repairing parts of a large (and dangerous)
system while other parts continue to "spin" and otherwise operate.

These things CAN be done and done in relative safety. BUT it definitely
requires a change of attitude of the designers.
You sound like the engineers that designed Pump Station 8 on the
trans-Alaska pipeline. Some repairmen were taking the filter screen access
cover off and did not turn off and lock out the suction valve. There was
no policy to do this, at the time. Another crew was working on the turbine
and running the software program. They accidentally opened the suction
valve using the software. The resulting fire and explosion cost $85 million
and one life. The resulting federal investigation caused the implementation
of a rigid permitting and lock out procedure.
It does not matter how complicated a system is; if persons working on these
systems while they are energized are in danger of being hurt, then the
system has to be de-energized and in some cases, locked out. This is
Federal OSHA mandated law! Software E-Stops are not acceptable methods for
insuring this level of safety. OSHA has a voluntary compliance program that
allows persons to ask for a free consultation without being fined. I
suggest that you ask for this.
I have worked on some very complicated oil field machinery, and believe me,
it is turned off and locked out before we work on it. We never depend on
software to insure our safety when we work on this equipment.
 
R. Tooke

Jan 1, 1970
As another respondent has mentioned, a thorough risk assessment should
be performed on the processes performed by the machine.
The categories include, but are not limited to, frequency of operation,
likelihood of injury and, most importantly, severity of injury that is
likely.
All these factors add up to give a score that can be compared with
tables, provided by manufacturers of safety controls and equipment, that
will then categorize the level of safety required for your application.
Any of the leading manufacturers have readily available guidance notes.
Some to consider are Telemecanique, Pilz, Siemens and EJA Guardmaster
(part of Allen Bradley now).
 