Emergency Stop or Emergency Shutdown Wiring

Is anyone familiar with a standard/code for wiring emergency stop or emergency shutdown circuits? Engineering at our facility is proposing to use a PLC to control the e-stop circuitry, replacing the conventional hard-wired circuit using a main control relay. Any help would be greatly appreciated.

Thanks
Russell
 

jim dungar

Moderator
Staff member
Location
Wisconsin
Occupation
PE (Retired) - Power Systems
The best source of reference is probably NFPA 79, the standard for electrical machinery.

There are actually 2 levels of 'E-stopping'.
 

StephenSDH

Senior Member
Location
Allentown, PA
There are Safety PLCs today. Pilz, AB, Siemens all have them. If it is not a safety-rated PLC with Safety I/O then you are entering into dangerous territory. I just troubleshot a Pilz safety controller which failed in a non-safe condition. Pilz is sending me replacement hardware; I hope they fixed the bug.

In the US there are no strict guidelines on machine safety like there are in Europe. In the US you are required and liable to produce a safe machine. The US has generally adopted the European standard, though it is not a requirement. European standards have 4 categories, SIL 1-4 levels. 1 is a bruise and 4 is certain unavoidable death.

You should make sure it is a safety-rated controller with safety-rated I/O, and a knowledgeable engineer programming it. If there is a chance of death in the machine all safety devices should be redundant; if not, they should be upgraded to be redundant. E-stops and safety devices fail all the time.
 
> There are Safety PLCs today. Pilz, AB, Siemens all have them. If it is not a safety-rated PLC with Safety I/O then you are entering into dangerous territory. I just troubleshot a Pilz safety controller which failed in a non-safe condition. Pilz is sending me replacement hardware; I hope they fixed the bug.
>
> In the US there are no strict guidelines on machine safety like there are in Europe. In the US you are required and liable to produce a safe machine. The US has generally adopted the European standard, though it is not a requirement. European standards have 4 categories, SIL 1-4 levels. 1 is a bruise and 4 is certain unavoidable death.
>
> You should make sure it is a safety-rated controller with safety-rated I/O, and a knowledgeable engineer programming it. If there is a chance of death in the machine all safety devices should be redundant; if not, they should be upgraded to be redundant. E-stops and safety devices fail all the time.

Even if it was 'legal' I don't think I would want a 'PLC' to be used as my 'safety emergency shutoff' when it comes to life.
 

Doug S.

Senior Member
Location
West Michigan
> Is anyone familiar with a standard/code for wiring emergency stop or emergency shutdown circuits? Engineering at our facility is proposing to use a PLC to control the e-stop circuitry, replacing the conventional hard-wired circuit using a main control relay. Any help would be greatly appreciated.
>
> Thanks
> Russell

I wouldn't even consider it. The closest thing I've ever seen has its code compiled, and the source is NOT available. It also has oodles of watchdog timing, so if the processor even has a hiccup... ... ... down she goes.
AND to top it all off, it is not a be-all and end-all safety; the controllers are only for "safe stops". The machine also has hard-wired "E-stop" buttons fed through E-stop controllers that cut main power.

My 2¢
Doug S.
 

StephenSDH

Senior Member
Location
Allentown, PA
> Even if it was 'legal' I don't think I would want a 'PLC' to be used as my 'safety emergency shutoff' when it comes to life.

I only use them when the safety circuit gets so complicated that wiring it would take up a whole panel. When you have many safety devices, all of them redundant, with several safety zones and safe startup/shutdown procedures, the safety circuit gets so complicated that you spend hours troubleshooting it, and there is a good chance that while troubleshooting it people would manipulate the safety circuit. With the safety PLC, when a device fails you can look right on the controller and see which contact of which device failed. You can have methods of safely shutting down a process. They are not like your average 'PLC' and are very rigid in how you program them, to limit programming mistakes, but if someone wanted to they could program it incorrectly, just like someone could wire it incorrectly.

They must be used in certain situations.
 

StephenSDH

Senior Member
Location
Allentown, PA
> I wouldn't even consider it. The closest thing I've ever seen has its code compiled, and the source is NOT available. It also has oodles of watchdog timing, so if the processor even has a hiccup... ... ... down she goes.
> AND to top it all off, it is not a be-all and end-all safety; the controllers are only for "safe stops". The machine also has hard-wired "E-stop" buttons fed through E-stop controllers that cut main power.
>
> My 2¢
> Doug S.

You can put E-stops into them. They are not only for shutdowns. If you go through the expense of buying a safety controller, I would wire E-stops into them.

You mentioned watchdog timers. What you are probably seeing is the controller monitoring the dual contacts of devices. It wants to see both of them transition together within a couple of milliseconds. If they don't transition together then you likely have faulty devices. This prevents the machine from running with welded/jumpered contacts.
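As an added illustration, not code from anyone in this thread or from any vendor's controller, here is the dual-contact discrepancy check described above modelled in plain Python: either channel opening drops the run permit immediately, the two channels are expected to agree within a short window, and a channel that stays closed while its partner opens (a welded or jumpered contact) latches a fault that blocks restart until the device is seen to cycle properly. The 3 ms window, the sample traces and the reset behaviour are constructed assumptions for the example, not any standard's or product's values.

```python
"""Model of a two-channel (redundant contact) e-stop input monitor.

Constructed example. Conventions: True = contact closed (circuit healthy,
as with a normally-closed e-stop), False = contact open (stop demanded).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DualChannelMonitor:
    # Assumed discrepancy window; real safety relays make this configurable.
    discrepancy_ms: float = 3.0
    fault: bool = False          # latched: channels disagreed for too long
    run_permit: bool = False     # the output that enables hazardous motion
    _mismatch_since: Optional[float] = field(default=None, repr=False)

    def sample(self, t_ms: float, ch_a_closed: bool, ch_b_closed: bool) -> bool:
        """Process one input scan and return the run-permit output."""
        # Rule 1: any open channel removes the permit at once (de-energize to stop).
        if not (ch_a_closed and ch_b_closed):
            self.run_permit = False
        # Rule 2: both channels seen open together proves both contacts can
        # actually open, so a previously latched discrepancy fault is cleared.
        if not ch_a_closed and not ch_b_closed:
            self.fault = False
        # Rule 3: channels must transition together; brief skew is tolerated,
        # but a persistent mismatch means a welded or jumpered contact.
        if ch_a_closed != ch_b_closed:
            if self._mismatch_since is None:
                self._mismatch_since = t_ms
            elif t_ms - self._mismatch_since > self.discrepancy_ms:
                self.fault = True
        else:
            self._mismatch_since = None
        return self.run_permit

    def reset(self, ch_a_closed: bool, ch_b_closed: bool) -> bool:
        """Monitored manual restart. Honoured only when both channels are
        closed and no fault is latched; returns whether the permit was granted."""
        if self.fault or not (ch_a_closed and ch_b_closed):
            return False
        self.run_permit = True
        return True


Trace = List[Tuple[float, bool, bool]]  # (time_ms, channel A closed, channel B closed)


def simulate(monitor: DualChannelMonitor, trace: Trace) -> List[bool]:
    """Feed a constructed scan trace and collect the permit output per scan."""
    return [monitor.sample(t, a, b) for t, a, b in trace]


def scenario_normal_press() -> Tuple[List[bool], bool, bool]:
    """Healthy button: channels open 1 ms apart, then both close; restart allowed."""
    m = DualChannelMonitor()
    m.reset(True, True)  # machine armed with both channels healthy
    trace: Trace = [(0, True, True), (10, False, True), (11, False, False),
                    (50, False, False), (60, True, True)]
    outputs = simulate(m, trace)
    return outputs, m.fault, m.reset(True, True)


def scenario_welded_contact() -> Tuple[List[bool], bool, bool]:
    """Channel B never opens (welded or jumpered): stop still happens, fault latches,
    and the machine cannot be restarted even after channel A closes again."""
    m = DualChannelMonitor()
    m.reset(True, True)
    trace: Trace = [(0, True, True), (10, False, True), (12, False, True),
                    (14, False, True), (100, False, True), (200, True, True)]
    outputs = simulate(m, trace)
    return outputs, m.fault, m.reset(True, True)


if __name__ == "__main__":
    print("normal press:", scenario_normal_press())
    print("welded contact:", scenario_welded_contact())
```

The point of the two scenarios is the asymmetry the post describes: a single channel is enough to stop the machine, but both channels must agree before it may run again, so one stuck contact cannot be masked by its partner.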
 

pfalcon

Senior Member
Location
Indiana
> Is anyone familiar with a standard/code for wiring emergency stop or emergency shutdown circuits? Engineering at our facility is proposing to use a PLC to control the e-stop circuitry, replacing the conventional hard-wired circuit using a main control relay. Any help would be greatly appreciated.
>
> Thanks
> Russell

Disclaimer: NFPA 79 is not required unless adopted by your company.

See NFPA79:2007:9.2.5 Operation.
This section includes Start, Stop, Estop

See NFPA79:2007:9.4 Control Functions in the Event of Failure.
This section includes 9.4.3 Control Systems Incorporating Software and Firmware Based Controllers.

Your PLC must be listed for its usage. Safety is a special listing. Most PLCs cannot be used in safety applications.

There are safety components listed for use that are hardwired, softwired, I/O cards, and PLCs. Most vendors we work with have moved from hardwired to softwired components - Programmable Safety Relays. I am not yet seeing many move to I/O cards or PLCs.

Programmable Safety Relays include a variable number of inputs for Estops, Light Curtains, Muting, Power On/Off, etc.
 

Doug S.

Senior Member
Location
West Michigan
> You can put E-stops into them. They are not only for shutdowns. If you go through the expense of buying a safety controller, I would wire E-stops into them.
>
> You mentioned watchdog timers. What you are probably seeing is the controller monitoring the dual contacts of devices. It wants to see both of them transition together within a couple of milliseconds. If they don't transition together then you likely have faulty devices. This prevents the machine from running with welded/jumpered contacts.

I am familiar with many of the safety controllers. (Pilz, Leuze, and Siemens are what I've played with mostly.) When I mentioned watchdogs I meant what I said: it's a Microsys controller utilizing Interbus and Ethernet for distributed I/O. Lots of tight timing windows between interfaces. ...and yes, I think it's nuts, but it works.

All that being said, I do like the timing features on some of the controllers; they can make things a little harder for operators to spoof, and they make redundant monitoring much easier.

Regards,
Doug S.
 

Cold Fusion

Senior Member
Location
way north
> Even if it was 'legal' I don't think I would want a 'PLC' to be used as my 'safety emergency shutoff' when it comes to life.

You're about 20 years too late. The first one I saw was in a paper mill in the late 80's; the control system had just been rebuilt, brand new state-of-the-art stuff. I was standing in the control room looking out at the operating floor. I asked about the few e-stops on the floor (two). The chief engineer said the operator up here sees all that is going on. If there is a problem, he hits the e-stop.

I ask: E-stop goes to the plc, or direct to each motor bucket?

CE: To the PLC. PLC outputs control the motor buckets.

Me: (contained shiver) Oh.

E-stops going through PLCs have been out there a while, with no SIL ratings available on the first of the installations.

For example, about 5 years ago, I recall a group telling me about researching AB SIL-rated processors. AB said they had one. It had redundant processors, but the group said that did not make it SIL rated. As I recall, AB did not agree with them.

cf
 

big john

Senior Member
Location
Portland, ME
I've never read NFPA 79, but in our plants, any e-stops on the PLCs simply disconnect the power to the PLC. The PLC outputs are all normally open, and our motor controllers are normally open, so de-energizing the PLC de-energizes our machinery. Not sure if that's compliant, but it's how they're wired.

-John
 

pfalcon

Senior Member
Location
Indiana
> I've never read NFPA 79, but in our plants, any e-stops on the PLCs simply disconnect the power to the PLC. The PLC outputs are all normally open, and our motor controllers are normally open, so de-energizing the PLC de-energizes our machinery. Not sure if that's compliant, but it's how they're wired.
>
> -John

Maybe a little over the top if you are disabling the PLC. Most disable the power to the appropriate output cards. Only those that contribute to hazardous motion need to be disabled.

And whoever is the electrical engineer for your facility really needs to look at the NFPA79 and consider its adoption.
 