Safety Controller

Status
Not open for further replies.

pfalcon

Senior Member
Location
Indiana
Not only are the salesmen at the door with their safety controllers but they are darn close to selling the things to peeps here. NFPA79:2002 9.4.3 allows the use of programmable devices in a safety circuit providing it gives the same protection as hardwire. NFPA79:2007 adds additional cautions on how to handle the software.

I need some decent arguments to keep these critters out of the plant. Some of the peeps are willing to buy on the side so I need to get this headed off with safety. According to our local contract we cannot prevent our general electricians from tampering with these devices as 2007 requires.

Up to now I've answered these peeps with:
"The software is an integral component to the PLC; therefore the software has to be listed for use as a safety device just as the hardware is listed."
Similar to the edict that if you modify a UL listed device it is no longer considered UL listed.

Any additional suggestions?
 

jim dungar

Moderator
Staff member
Location
Wisconsin
Occupation
PE (Retired) - Power Systems
Dedicated safety devices that are compatible with standards like SIL are not the same as redundant PLCs that are user programmed for safety.

From what I have seen the Europeans are light years ahead of the US when it comes to machine safety. How complex are your safety circuits.
 

petersonra

Senior Member
Location
Northern Illinois
Occupation
engineer
pfalcon said:
According to our local contract we cannot prevent our general electricians from tampering with these devices as 2007 requires.

Just don't give them the password. Very little they can do without the password. And these things are not anywhere near as programmable as you may be thinking. I would consider them more configurable than programmable, although some can also handle non-safety related functions much like any general purpose PLC can.

It's a lot like having a safety relay that can be configured for different functions rather than having to buy a different relay for each type of function. Or for cases where you have a lot of inputs (say 10 gate switches). It's tough to interlock those properly with a traditional safety relay. Not so difficult with a safety PLC.

Many times they can still be defeated the same ways that electricians have been defeating safety circuits for years. There is nothing magical about them.
 
petersonra said:
Just don't give them the password. Very little they can do without the password. And these things are not anywhere near as programmable as you may be thinking. I would consider them more configurable than programmable, although some can also handle non-safety related functions much like any general purpose PLC can.

It's a lot like having a safety relay that can be configured for different functions rather than having to buy a different relay for each type of function. Or for cases where you have a lot of inputs (say 10 gate switches). It's tough to interlock those properly with a traditional safety relay. Not so difficult with a safety PLC.

Many times they can still be defeated the same ways that electricians have been defeating safety circuits for years. There is nothing magical about them.

I agree with these statements.
On some, you must be "authorized" or any changes you attempt to make will be disregarded.

These safety PLCs are redundant dual channel PLCs and can be as safe as safety relays, if programmed and used correctly.
Let me say that our plant has not yet accepted them for use, but will in the near future I'm sure.

We as a plant have a strong policy about bypassing safety circuits. We only do this if other protection is put in place first.
Such as a protective light screen was bypassed, but only after pipe was welded across the opening and caution tape strung across it.

Safety is what you make it. If electricians or anyone else is allowed or encouraged to bypass safety it will happen.
If you require safe work practices at your place of employment you won't have to worry about safeties being bypassed.
 

gwpowell

Member
I was originally skeptical of programmable safety devices, however we purchased some German equipment that used Pilz safety PLCs and I have been converted. The maintenance guys can use the software for troubleshooting but changes cannot be made without the password. Allen Bradley also has a safety PLC that changes a unique number in a register anytime the password is entered and changes to the program are made. You can then monitor this register and know for certain whether changes have been made or not. How can you do this with a traditional hardwired circuit? Also pulsed circuits are available which make it almost impossible to jumper devices. Just my opinion but I think these devices will eventually obsolete all but the most simple safety circuits.
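The post above describes a controller that writes a fresh unique value into a register whenever the program is modified, and a later post mentions controllers that log the identity of the person making the change. The following is an added example, not code from this thread or from any PLC vendor, of how a plant could use those two facts together on the monitoring side: poll the signature register, detect every change, and reconcile each change against the plant's own authorized-change log so that an edit with no matching authorization is flagged for follow-up. The register values, timestamps, user name and work-order number are all constructed sample data, and the polling itself is assumed to be done by whatever SCADA or historian already reads the controller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignatureSample:
    """One poll of the controller's change-signature register (constructed data)."""
    ts: datetime
    signature: int


@dataclass(frozen=True)
class ChangeRecord:
    """One entry in the plant's authorized-change log: who, when, which work order."""
    ts: datetime
    user: str
    work_order: str


def detect_signature_changes(samples):
    """Return a list of (old, new, ts) for every poll where the register moved."""
    ordered = sorted(samples, key=lambda s: s.ts)
    changes = []
    for prev, curr in zip(ordered, ordered[1:]):
        if curr.signature != prev.signature:
            changes.append((prev.signature, curr.signature, curr.ts))
    return changes


def reconcile_changes(samples, change_log, window=timedelta(minutes=30)):
    """Match each detected change to one authorized log entry within `window`.

    A log entry is consumed once it has been matched, so a single authorization
    cannot cover several separate edits. Changes with no matching entry are
    reported as 'unauthorized' so someone can investigate.
    """
    unused = sorted(change_log, key=lambda r: r.ts)
    findings = []
    for old, new, ts in detect_signature_changes(samples):
        match = None
        for rec in unused:
            if abs(rec.ts - ts) <= window:
                match = rec
                break
        if match is not None:
            unused.remove(match)
            findings.append({"ts": ts, "old": old, "new": new,
                             "status": "authorized",
                             "user": match.user, "work_order": match.work_order})
        else:
            findings.append({"ts": ts, "old": old, "new": new,
                             "status": "unauthorized",
                             "user": None, "work_order": None})
    return findings


# Constructed sample data: polls of the signature register over one shift.
def T(h, m):
    return datetime(2024, 3, 12, h, m)


SAMPLES = [
    SignatureSample(T(8, 0), 0x4A1F),
    SignatureSample(T(9, 0), 0x4A1F),
    SignatureSample(T(10, 0), 0x4A1F),
    SignatureSample(T(10, 30), 0x7C02),   # changed shortly after a logged edit
    SignatureSample(T(12, 0), 0x7C02),
    SignatureSample(T(14, 30), 0x7C02),
    SignatureSample(T(15, 0), 0x1D88),    # changed with no logged authorization
    SignatureSample(T(16, 0), 0x1D88),
]

# Constructed authorized-change log: one entry, by a hypothetical user "jsmith".
CHANGE_LOG = [
    ChangeRecord(T(10, 10), "jsmith", "WO-1234"),
]


def unauthorized_changes(samples=SAMPLES, change_log=CHANGE_LOG):
    """Only the findings that need investigation."""
    return [f for f in reconcile_changes(samples, change_log)
            if f["status"] == "unauthorized"]


if __name__ == "__main__":
    for finding in reconcile_changes(SAMPLES, CHANGE_LOG):
        print(finding)
```

The reconciliation window is deliberately a parameter: how long before or after a logged entry a signature change may legitimately land depends on how the plant's change procedure is written. Consuming each log entry on first match is what makes the check meaningful; without it one authorization would silently cover any number of later edits.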
 

pfalcon

Senior Member
Location
Indiana
Well, some of your comments give me that warm fuzzy feeling about the safety PLCs themselves. I'm afraid our plant isn't yet ready for them. Contractual issues currently say I cannot hide passwords from skilled trades at the moment. I guess I'm gonna hafta stir that pot.
 
Some of the safety PLCs record the identification of the person making the change in a log, discouraging random changes without a lot of thought.

Our plant is not ready for safety PLCs either, however I see them in the very near future at all manufacturing facilities.
 

realolman

Senior Member
pfalcon said:
Well, some of your comments give me that warm fuzzy feeling about the safety PLCs themselves. I'm afraid our plant isn't yet ready for them. Contractual issues currently say I cannot hide passwords from skilled trades at the moment. I guess I'm gonna hafta stir that pot.

Why would you want to hide passwords from the skilled trades?

I think the desire to hide things from the people who are expected to fix things is galling. :mad: As if they wouldn't be capable of handling it.

People used to wire panels and provide a wiring schematic and diagram so that what was done could be understood.

Now that it involves nothing more than typed words, suddenly it's "proprietary", or in this case "compromises safety".

Baloney.

:mad:
 
realolman said:
Why would you want to hide passwords from the skilled trades?

I think the desire to hide things from the people who are expected to fix things is galling. :mad: As if they wouldn't be capable of handling it.

People used to wire panels and provide a wiring schematic and diagram so that what was done could be understood.

Now that it involves nothing more than typed words, suddenly it's "proprietary", or in this case "compromises safety".

Baloney.

:mad:

Good point.
I feel pretty much the same way, but didn't want to comment on it other than:

"Safety is what you make it. If electricians or anyone else is allowed or encouraged to bypass safety it will happen.
If you require safe work practices at your place of employment you won't have to worry about safeties being bypassed."

No passwords are hidden at our plant. It would never work here; we demand the right to do our jobs with minimum interference from anyone.
 

pfalcon

Senior Member
Location
Indiana
realolman said:
Why would you want to hide passwords from the skilled trades?

I think the desire to hide things from the people who are expected to fix things is galling. :mad: As if they wouldn't be capable of handling it.

People used to wire panels and provide a wiring schematic and diagram so that what was done could be understood.

Now that it involves nothing more than typed words, suddenly it's "proprietary", or in this case "compromises safety".

Baloney.

:mad:

NFPA79:2007
9.4.3.1 Software Modifications. Programmable electronic systems shall be designed and constructed so that the ability to modify the application program shall be limited to authorized personnel and shall require special equipment or other means to access the program (e.g., access code, key-operated switch).
Exception: The manufacturer or supplier shall be permitted to retain the right not to allow the user to alter the program.

1) I hate and abhor passwords on manufacturing equipment.
2) I hate and abhor manufacturers and suppliers that do not allow the user to alter the machine or program.
3) Our lawyers construe text as written above to mean that the access code, key operated switch, etc, must be secured. Anyone creating an environment that does not secure those items is putting his home and hearth up for collateral when the company gets sued. The phrasing is not "qualified" but is "authorized" which means people who can be tracked.

Maybe the lawyers in (3) are wrong but I am unwilling to be their trial case to find out. I have made a reputation at my site for clear and open prints, and clear and open programming. I am not willing to put a box on the floor under the restrictions as implied by NFPA79. I do not understand anyone placing a box on the floor under the restrictions implied by NFPA79. I will not place a box on the floor under NFPA79 until I have a formal notice from my company that their interpretation of "authorized" includes all of our service electricians.

That being said these boxes will start appearing on my floor. I need my plant to be prepared for them. Something that doesn't require pricking a finger to sign.

[Edit] Sorry about getting all rantish above. I've also been informed recently that I have to have FR2 clothing if I go down to consult with an electrician on the floor. This even if everything is not energized and even if I have no plans to approach within 50 feet of the job site. After all, I might, just might, even maybe, be asked to hold his VOM for him while he rings wires on a dead panel.
 
pfalcon said:
Not only are the salesmen at the door with their safety controllers but they are darn close to selling the things to peeps here. NFPA79:2002 9.4.3 allows the use of programmable devices in a safety circuit providing it gives the same protection as hardwire. NFPA79:2007 adds additional cautions on how to handle the software.

I need some decent arguments to keep these critters out of the plant. Some of the peeps are willing to buy on the side so I need to get this headed off with safety. According to our local contract we cannot prevent our general electricians from tampering with these devices as 2007 requires.

Up to now I've answered these peeps with:
"The software is an integral component to the PLC; therefore the software has to be listed for use as a safety device just as the hardware is listed."
Similar to the edict that if you modify a UL listed device it is no longer considered UL listed.

Any additional suggestions?

We have been using safety PLCs for the past thirty years for chemical process safety interlock functions. HIMA from Europe and Triconex from the US are the widely accepted products, but Siemens (Moore) has an offering also.

In some cases the PLCs were programmed BY the manufacturer and nobody but the manufacturer of the unit had access to it. That is how the safety level was guaranteed. Nowadays the user is allowed to perform programming changes, but it requires high level training. It is not your simple straightforward ladder logic, but much more complex. There are also many rules to follow, both from the machine point and safety circuit design standpoint.

Our internal processes have very highly structured control over it and even though our DCSs are allowed to be reconfigured or modified by our technicians, our SIS level safety systems are not. Safety design is regulated by ISA/ANSI standards:

1. ISA/ANSI S84.01-1996, "Application of Safety Instrumented Systems for the Process Industries"
2. ISA-TR84.00.03, "Testing of Safety Instrumented Systems (SIS)"

The level of training requires specialization and proficiency. There needs to be a skill level recognition. You don't use a brain surgeon to clean your scraped knee and put a band-aid on it, nor would you want to have the nurse perform brain surgery on you.
 

realolman

Senior Member
pfalcon said:
NFPA79:2007
9.4.3.1 Software Modifications. Programmable electronic systems shall be designed and constructed so that the ability to modify the application program shall be limited to authorized personnel and shall require special equipment or other means to access the program (e.g., access code, key-operated switch).
Exception: The manufacturer or supplier shall be permitted to retain the right not to allow the user to alter the program.

I see nothing there that excludes the person who will be troubleshooting the equipment.

There is no reason to exclude him.

If the brain surgeon expects the nurse to do the troubleshooting, the nurse is entitled to the password. (And the brain surgeon's knowledge may not be as all inclusive as he thinks.)

Actually, although I don't like it, I can understand it better from the perspective of the equipment manufacturer, who does not give ANYONE access to ANY of the programming.
 
We as skilled trades have much of the responsibility of policing ourselves on safety at our plant. This includes LOTO and other safety programs.

How much "specialization and proficiency" do you feel is needed to work with safety PLCs?

We currently use many safety relays; is this that much more difficult?

Is there training that is beyond the understanding of an electrician?

Do you feel that electricians cannot do this work?

This is not an attack. I am simply trying to see how the engineering/management side looks at this, so we can make informed decisions on this important equipment.
 
tomP said:
We as skilled trades have much of the responsibility of policing ourselves on safety at our plant. This includes LOTO and other safety programs.

How much "specialization and proficiency" do you feel is needed to work with safety PLCs?

We currently use many safety relays; is this that much more difficult?

Is there training that is beyond the understanding of an electrician?

Do you feel that electricians cannot do this work?

This is not an attack. I am simply trying to see how the engineering/management side looks at this, so we can make informed decisions on this important equipment.

Somewhere along the line the electrician decided that he has no desire to be involved in advanced systems and in-depth understanding of electrical systems and decided to become a tradesperson.

I do know electrical engineers who were electricians first and decided that they are not satisfied with the level of understanding of the subject and went back to study the subject at a much deeper level. They had demonstrated knowledge and proficiency not only in basic physics related to electricity, but were required to take courses in advanced mathematics that develops a capability to design complex systems and view them in their entire functionality. They also have to have mechanical and process knowledge to understand the different failure modes so they can ask the proper questions from their peers and design the safety PLC logic accordingly. Safety PLC programs do not stop at the Boolean algebra level like most PLCs do, but are requiring advanced mathematics in the calculation of the safety levels (SIL) and become complex systems that require continuous proficiency in the use of the programming language. They require conversion of engineering units, familiarity with binary and hexadecimal number systems and so on. The required manuals are several books of hundreds of pages.

Would you call the above work that belongs to an electrician?
 

realolman

Senior Member
weressl said:
Somewhere along the line the electrician decided that he has no desire to be involved in advanced systems and in-depth understanding of electrical systems and decided to become a tradesperson.

I do know electrical engineers who were electricians first and decided that they are not satisfied with the level of understanding of the subject and went back to study the subject at a much deeper level. They had demonstrated knowledge and proficiency not only in basic physics related to electricity, but were required to take courses in advanced mathematics that develops a capability to design complex systems and view them in their entire functionality. They also have to have mechanical and process knowledge to understand the different failure modes so they can ask the proper questions from their peers and design the safety PLC logic accordingly. Safety PLC programs do not stop at the Boolean algebra level like most PLCs do, but are requiring advanced mathematics in the calculation of the safety levels (SIL) and become complex systems that require continuous proficiency in the use of the programming language. They require conversion of engineering units, familiarity with binary and hexadecimal number systems and so on. The required manuals are several books of hundreds of pages.

Would you call the above work that belongs to an electrician?
The electricians I am and work with ...yes.

Additionally, I find your condescending attitude insulting.
 
realolman said:
The electricians I am and work with ...yes.

Additionally, I find your condescending attitude insulting.

What qualifications do you have to be able to evaluate whether they are capable or not?

I would be more than glad to apologize if you can point out specifically where I made any condescending remarks. (Just because you "feel" condescended to does not mean you were. Your sense of resentment may come from somewhere else and be misdirected in this case.)
 
weressl said:
Somewhere along the line the electrician decided that he has no desire to be involved in advanced systems and in-depth understanding of electrical systems and decided to become a tradesperson.

First let me answer this statement.
I resent your blanket statement about tradespersons.
Possibly in your plant or industry they have no desire, but our electricians (for the most part) do have a desire to be involved in advanced systems and in-depth understanding.
Please judge only the tradespersons you deal with, not all of us.

I know some lousy engineers, but I know there are many more good ones than poor ones.

We not only deal with, but require our company to keep us up-to-date on the new equipment and processes related to our industry.
This is why I asked the questions I did: not to say we are as good as you or better, I just wished to know what complex programming we would need to do.
As far as,
"They require conversion of engineering units, familiarity with binary and hexadecimal number systems and so on. The required manuals are several books of hundreds of pages."
we do know a little about binary, hexadecimal and have had some programming experience.
My library of books is quite extensive and several more would not scare me too much.

"Would you call the above work that belongs to an electrician?"

Absolutely no questions asked we can and will do it when the time comes.
 

pfalcon

Senior Member
Location
Indiana
*sigh*

There are things that only EEs should do. There are things that only ELs should do. There are plenty of fuzzies in between we can all argue about.

I don't know a good EE that doesn't want to know more EL. I don't know a good EL that doesn't want to know more EE. Which makes the fuzzy zone in between all the bigger.

As to why the EL is restricted from the Safety Controller AT MY SITE:

Rule 1 of Computer Security: If you don't control the hardware then you don't control anything.

Rule X of Computer Security: If more than a handful of people can read the data then it's open to the world. If more than a handful of people can write the data it's a scratch disk.

Although circumstance modifies those two rules somewhat they are generally true. NFPA79:2007 requires restricted access to the write portion of the Safety Controllers. Therefore once the number of people gets past a dozen it is very questionable whether you are in violation.

Okay, so you have a business say that has 2 EE and 5 EL. They all have access to write the safety controllers but no one else in the place does. IMO you have met NFPA79:2007.

In my building I have 100+ ELs. If they require special access to something then their supervisors will have to know it to give it to them. Another 25+ people then have access. Of course the EEs who are responsible for the program will end up knowing it - another 15+ people. Then there are the MEs who may be around and just want to be helpful. The jobsetters that are competent. And the bathroom wall. All because BY CONTRACT if I give access to a single EL in my plant then ALL ELs have a right to get that access.

When I say I have to stir the pot about passwords at my plant it is purely a political (contractual) issue. To meet NFPA79:2007 I have to get the number of people with access down to a controllable number (20/-). Some EEs have to have it because they have the responsibility over this. But by contract if I include 1 EL I must include them all. That means 250+ people at my plant will quickly have access. That IMO is a violation of NFPA79:2007.
 

petersonra

Senior Member
Location
Northern Illinois
Occupation
engineer
In some respects, it is not really a big deal. Anyone that has access to electrical cabinets can modify traditional safety circuits.

The problem with programmable systems is that it is very easy to make changes that result in unintentional side effects. It often does not matter all that much if you do trial-and-error programming on a machine. Getting a safety circuit wrong might be a little more serious.

It is so easy to change that the temptation is very high to put in changes without seriously investigating just what you are doing and the potential effects. IMO, that is the main reason to restrict access to these things. Give access to a few people and make it clear to them that they need to be very serious about any changes they decide to make.
 

M. D.

Senior Member
weressl said:
What qualifications do you have to be able to evaluate whether they are capable or not?

I would be more than glad to apologize if you can point out specifically where I made any condescending remarks. (Just because you "feel" condescended to does not mean you were. Your sense of resentment may come from somewhere else and be misdirected in this case.)

I don't believe you would be "more than glad to apologize"; you have a way of not recognizing when you have offended people, and when it is pointed out to you, you simply dismiss it as "misdirected".

Intended or not, I also find some of your statements insulting.

When one person says you're fat, dismiss it; when two people tell you you're fat, look in the mirror; when three people tell you you're fat, time to go on a diet, you're most likely fat.

You may not think you are insulting; that does not mean that you have not insulted.

In other words, try to imagine how what you are writing will be perceived; it is part of communication.
 