recommended e stop practices
I have a PLC controlling a VFD in an on/off, forward / reverse situation. Is it better to put the Estop as part of the PLC or the VFD?
Yes I am new at this.
Depends on what motivates you with respect to safety . . .
1.) Looking an operator's spouse in the eye when you explain why the operator has lost a (limb, eye, life . . . fill in the blank here).
2.) Answering the lawyer as they pepper you with questions about a hazard / risk analysis, category I, II and III safety standards, safe-off, zero energy, bla bla bla
Here is how we do it . . .
Safety Rated E-STOP Button (dual contacts, forced contact open) -> Safety PLC or Safety Relay (Pilz is a good source for safety relays) -> Drive (PLC receives notification via. status output from the Safety Relay)
Depending on your hazard / risk analysis (documented with your safety committee) you need to classify CAT 1, 2 or 3 stop required - then you design the system per the requirements of those safety standards.
Cat 1 - wire the SAFETY RATED enable on the drive to the Safety Relay directly for immediate disabling of the drive.
all the way to . . .
Cat 3 - wire the immediate output contact on the Safety Relay to the SAFE STOP input on the drive to cause a current limited stop. Wire the time delayed output from the relay to the Safety Rated drive enable to shut off the IGBT so that current cannot go to the motor.
You should educate yourself on safety standards - if you are building machinery that does not include a well designed safety rated system - you are asking for liability that no insurance company will step up and write coverage for . . . and you do have product liability insurance don't you?
You do all of this and you will be in a much better position to eliminate the hazard and dramatically decrease the chance of injury.
MG is spot on.
There is also the other case where nothing in the control system can safe the equipment even if it's all working correctly. Then you need to consider mechanical issues as well. Clutch/Brakes, interlocks on the guarding, pressure release on air systems, cross piloting.
We had a can body maker with a 30 hp servo and a 1200 pound flywheel spinning at 500 rpm. That unit lived in an enclosure, when the stop was triggered the clutch/brake disconnected the flywheel and engaged a massive multiplate wet brake. The ram alone weighed 1200 pounds. From 500 rpm the machine could stop in 30deg of rotation.
It sounded like a bomb going off and smoke came out of the brake enclosure.
We wound up having to do some things to keep operators from using the estop as a cycle stop because it was hard on the machine. It took a supervisors over ride to recover from an estop.
As Guru stated, estop safety issues can be heavy reading. Here are a few URL's to get you started:
Safety Monitoring Relays
Banner iKnow(TM) - Machine Safety - Online Training
I also recommend you order a copy of NFPA-79.
Thanks Doug! You did my homework for me, I owe you one.
Originally Posted by doug6949
Funny enough, some of the mass produced automation for sewing has e stops the size of a pea. It took me a while to find it on some of my new tackers.
Here is a part of the OSHA requirements.
According to 9.2.2, “The three categories
of stop functions shall be as follows:
(1) Category 0 is an uncontrolled stop by
immediately removing power to the
(2) Category 1 is a controlled stop with
power to the machine actuators available
to achieve the stop then remove
power when the stop is achieved.
(3) Category 2 is a controlled stop with
power left available to the machine
In 18.104.22.168.1, it states that “each machine
shall be equipped with a Category 0
You cannot have the required Estop button, which must be accessable to the operator, run through a computer or plc to effect the shutdow unless OSHA has relaxed their rules.
Can the PLC "source" the E-Stop button, which can then shutdown the system?
Originally Posted by clampman
IOW, unless BOTH the PLC and the E-Stop are OK, the machine is powered off.
An output of the PLC, feeds the E-Stop button, which powers the Master Control Relay. Is that OK ?
Typically we run E-stop as a hard-wired circuit via safety relays with an INPUT to the PLC if it's tripped.
There are safety rated PLCs and safety rated relays . . . and certainly you can feed an E-Stop circuit with power from a PLC output.
If you don't have a safety rated PLC, it would be more appropriate to send a pulse train to an underspeed relay whose contacts will open if the pulsetrain stops and put this in the E-Stop loop . . . that way if the PLC stops working (regardless of the state of the output) the E-Stop loop opens.
When I put together a machine that ran off a plc, the Cat 0 Estop had to be totally independent of the plc. It would immediately cut power to the drill motor, tapping motor, air solenoids, and so on, so that the plc couldn't control anything on the machine.
Within the program itself were all the various things the machine did in the event of all the operator errors I could think of, like inadaquate air pressure for the heads or part shuttle, inadaquate hydraulic pressure for the clamp in the part fixture and so on.
Usually in that case, the machine wouldn't either turn or do anything if it was already running, and would leave me sitting there scratching my head until I remembered what I forgot to do. If it lost pressure or had impossible sensor readings, or none, while operatinig, it would do whatever I had programmed for that event - then it would just stay there, still leaving me scratching my head.
I want to dispel the comments that PLCs cannot be part of the E-Stop Circuit - if that is the case - there are a lot of PLC manufacturers that are improperly selling into that market.
Safety Rated PLCs are actually quite common. Dual Channel inputs, redundant processors, safety rated outputs over safety rated networks - some machines would be incredibly complex and troublesome without these kinds of systems.
We are engaged in designing on a system now that has under it's control over 130 axes of motion with light curtains, pull cords, E-Stop pushbuttons, multiple CNC controllers, transfer shuttles and press controls.
All of the safety inputs are spread out over 130 feet of production line with various parts of the machine going back and forth from one end of the machine to the other. Without a Safety PLC with which to marshal all of the Safety Inputs and then have it determine the proper safety zone behavior based on machine position and process and then communicate to the safety rated PLCs and CNCs up and down the line over a Safety Rated Network with the correct enabling / disabling of various levels of protection.
Rockwell has GuardLogix, Siemens has ProfiSafe . . . lots of options that cover up to CAT4 level of protection.
I am somewhat familiar with the Banner safety PLC. Most of what separates it from a regular PLC is that the estop redundancy logic is hard coded as opposed to user written.
To expand on MG's comment, yes, a regular PLC can initiate an estop event. One or more outputs can notify the safety relay (or safety PLC) of a problem. The event can be handled just like another red button if it is part of the button loop. Or the PLC outputs can be connected to separate inputs on a more elaborate safety monitor/PLC.
OK, now I cannot make sense of this at all.....
If the E-Stop button cuts all power to the machine...
I can understand that.
You hit the E-Stop button, and it WILL STOP. All power is Cut.
Now, you don't want it to just kick off and run if someone comes along and casually twists the E-Stop button.
In fact you want to be sure that they hit a few buttons on the panel to be sure that they are ready, and the machinery is ready, and not jammed from the sudden power loss.
Is someone saying that the PLC cannot drop the power to the E-Stop button to prevent this from happening? That the E-Stop button has to be powered direct and NOT from the PLC?
Or that the PLC could send an OK signal to the safety rated relay, and That could drop power to the E-Stop button?
Can anyone explain (if that is true) why the PLC, sending it's vote to the safety relay to allow it to power on the E-Stop switch, is safer than the PLC sending power to the E-Stop switch?
The only unsafe failure mode is the PLC continuing to send power to the E-Stop switch, which it could as easily be doing to the safety relay.
If the PLC drops power, either to the safety relay, or the E-Stop switch, it cannot power the machine back on.
I cannot find a scenario where the safety relay has any role that is not dependent on the PLC telling it is OK, and I cannot imagine letting the twist-lock release suddenly powering back on the machine without the supervision of the PLC.
Is this going to make sense, and still meet the "requirements" ?
You would never (or better stated you SHOULD never) have an E-Stop circuit that doesn't include a latching relay that requires a separate RESET button to restore power to the circuit.
Anything related to E-STOP circuits today should infer the use of a Safety Rated E-STOP Safety Relay . . . dual channels, mechanically forced open contacts, etc.
It sounds like you are thinking of an old-school E-Stop circuit that has none of those design features.
And - when referring to PLCs involved in Safety Systems - I am specifically referring to Safety Rated PLCs.
Industrial Safety | What Controls Safety? | Control Design
3t3d, On our machines, the safety circuit is powered by the 24V supply, NOT the plc. We have a few machines that use Safety Rated PLC's such as MG was discussing. Those are different.
On a normal PLC, the PLC CAN initiate an E-stop condition via contact on the safety relays. it also monitors the E-stop chain via safety relay contacts. Most of our physical outputs from the PLC are also powered through the E-stop chain. If the E-stop chain breaks, you lose power on the PLC output cards. This prevents the PLC from doing anything while in E-stop (There are exceptions to this.) As MG stated, you should have a latching relay that forces a physical "reset/fault clear" (pushbutton) to clear the E-stop.