adccommunitymod (AutomationDirect) asked a question.

WARNING! Design your PLC system for fail safe.

Created Date: February 05,2004

Created By: elevmike

**** This post has been imported from our legacy forum. Information in this post may be outdated and links contained in the post may no longer work.****

I'm not the Chicken Little type, but recently (a few weeks apart) I've run across three systems that depended solely on PLC inputs for safety. These imprudent designs were discovered after the units had been running for some time. This has prompted me to say something about safety (an issue seldom talked about on these types of forums).

With one unit (an elevator) all the outputs went on, and the elevator took off with the doors open, crushing a cleaning cart and causing significant damage to the elevator cab and landing door frame. (Not an ADC PLC.)

On a second unit, a PLC input stayed on with no power applied to it (D2-16NA 110 VAC input module). This caused a pump to run continuously, eventually burning out the motor and pump.

On a third unit a PLC output stayed on despite the program logic, causing the machine to override the final limit and crash while the operator looked on astonished, with both hands in the air showing that he was off the momentary "safety" run buttons.

In all three of these cases providence intervened and nobody was hurt. However, this was just a matter of luck.

Please do not count on your PLC to be 100% fail safe, and think about what could happen if an input or output went on regardless of your programming. PLCs are not safety devices. The people who operate and/or ride on the equipment we are building are counting on us to keep them safe.


  • adccommunitymod (AutomationDirect)

    Created Date: February 05,2004

    Created by: ericn

    You can never overstate the need for 'safety first'. Thank you, Mike, for providing 'real world' examples of why this is so important.

    I don't know how many times we've re-visited the "anti-tiedown, two-hand control" topic over at PLCs.net. We continue to emphasize that, although it's a good programming exercise, it should NEVER be used in 'real world' applications where safety is an issue.

    Even AD has this as one of their example programs (See EP-MISC-003 on THIS page). The description reads:

    "This example shows how to program a two-button safety system for operators working around presses"

    I'd like to see "But it should NEVER be used for these purposes" added to that description.

    -Eric

  • adccommunitymod (AutomationDirect)

    Created Date: February 05,2004

    Created by: Art

    Gentlemen,

    After reviewing this application note, you are correct. It has been removed and thank you for pointing this out.

    Andy

  • adccommunitymod (AutomationDirect)

    Created Date: February 05,2004

    Created by: ericn

    Thank you, Andy. I think that was the prudent thing to do.

    -Eric

  • adccommunitymod (AutomationDirect)

    Created Date: February 06,2004

    Created by: kes

    Continuing the concept here, I highly, highly recommend feedback inputs for critical outputs (i.e. current transducers or auxiliary contacts on a contactor).

    Also, I haven't seen it mentioned too much but make sure you understand how solid state relays work and take appropriate cautions. Maybe it's just me, but they seem to ~always~ fail in the ON state!

  • adccommunitymod (AutomationDirect)

    Created Date: February 06,2004

    Created by: elevmike

    Hardwired circuit:

    button1  button2       PLC Output     Starter
    --*^*--+---*^*---+---------| |---------(run)--
           |         |
           *         *
       PLC input PLC input
          X0        X1
  • adccommunitymod (AutomationDirect)

    Created Date: February 06,2004

    Created by: marksji

    You make a good point with the operator buttons. Another thing to keep in mind is when you've got an important signal coming from across the factory, make sure that if the signal drops out your system shuts down.

    It's just a matter of inverting your logic, but I've seen one example where a forklift took out some conduit and a press kept on working, didn't even stop at end of stroke. Turns out the original programmer was looking for his end of stroke limit to turn ON, but with the wires gone it never did. That should have been an NC contact.

    Another one that I've posted before and I had to learn the hard way (a 3-million BTU flame stayed on during a brownout that killed its fan).

    On the 250 CPU using a 85-264VAC base (probably all 205, but I don't know for sure) if line voltage drops to about 65-70VAC the PLC locks up and the scan stops, but ALL THE OUTPUTS REMAIN IN THEIR CURRENT STATE, ON OR OFF.

    Now here's the scary part.

    When line voltage comes back up above 85 VAC the outputs are not reset; what was on stays on until you do a RST on that output in your logic or power down the PLC and power it back up. This holds true regardless of how you turn your outputs on and off (OUT, OROUT, SET...). Your outputs will still be on when full voltage is restored if they were on when voltage was reduced, regardless of how you write your software.

    My fix to this has been a single rung at the beginning of every project that performs a RST on all I/O on first scan only. This will clear everything up again and allow for brownout recovery.

  • adccommunitymod (AutomationDirect)

    Created Date: February 06,2004

    Created by: marksji

    I don't know of any safety classes for PLCs either, but I always start with the same premise...

    Make sure everything that could lead to a dangerous situation in your system fails to OFF.

    If you design fuel trains, only use valves that return to closed when power or signal is lost. If you design presses use two switches on each limit, one that's ON until satisfied, one that's OFF until satisfied. etc, etc, etc...

    Also remember that your PLC outputs could fail OFF or ON or some combination of both, don't depend on the PLC to be the safety device, always have a big red E-STOP near the equipment and make sure that pushing it breaks the power line to your equipment. You can connect it to a PLC input, but don't depend on the PLC to actually kill power.

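The two posts above by marksji describe the same wiring rule from two angles: a signal that must stop the machine is wired so that losing it (cut conduit, dead supply, open contact) reads as OFF, and a critical limit gets two switches that always disagree. The following Python model is an added example for this thread, not code posted by anyone in it; the signal names (`estop_loop_closed`, `end_of_stroke_nc`, `final_limit_no`/`final_limit_nc`) are hypothetical, and the check that the two limit switches must never agree is an extension of the post, not something it states.

```python
"""Fail-safe input conventions from this thread, as a small Python model.

Every safety signal is wired so that an energized input (True) means
'healthy / not yet at the limit' and a de-energized one (False) means
'stop'. A cut wire, a lost supply or an open contact all read False, so
the machine stops instead of running on.

Constructed example for the thread, not code posted by anyone in it.
The signal names are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


def stroke_complete_naive(limit_no_input: bool) -> bool:
    """The pattern that failed when the conduit was cut: the program waits
    for a normally-open limit contact to turn ON. With the wire gone the
    input never turns on, so the press never sees end of stroke."""
    return limit_no_input


def stroke_complete_failsafe(limit_nc_input: bool) -> bool:
    """Fail-safe version: a normally-closed contact holds the input ON
    until the limit is reached. Reaching the limit or losing the wire
    both read as OFF, and either one ends the stroke."""
    return not limit_nc_input


class LimitState(Enum):
    CLEAR = "clear"        # NC switch on, NO switch off: not at the limit
    REACHED = "reached"    # NO switch on, NC switch off: at the limit
    FAULT = "fault"        # both agree: a wire, contact or input channel failed


def read_redundant_limit(no_contact: bool, nc_contact: bool) -> LimitState:
    """Two switches on one limit, 'one that's ON until satisfied, one that's
    OFF until satisfied'. They must always disagree; if they agree, one of
    them (or its PLC input channel) has failed and neither is trusted.
    The discrepancy check is an extension of the post, not stated in it."""
    if nc_contact and not no_contact:
        return LimitState.CLEAR
    if no_contact and not nc_contact:
        return LimitState.REACHED
    return LimitState.FAULT


@dataclass(frozen=True)
class SafetyInputs:
    estop_loop_closed: bool   # hardwired E-stop string, also read by the PLC
    guard_closed: bool        # guard switch, NC contact
    end_of_stroke_nc: bool    # the signal that comes 'from across the factory'
    final_limit_no: bool      # redundant pair on the final limit
    final_limit_nc: bool


def run_permitted(inputs: SafetyInputs) -> tuple[bool, list[str]]:
    """Return (permitted, reasons). Permitted only when every input is
    energized and the redundant limit pair reads CLEAR. Loss of any signal
    is indistinguishable from a trip, which is the point."""
    reasons = []
    if not inputs.estop_loop_closed:
        reasons.append("E-stop loop open")
    if not inputs.guard_closed:
        reasons.append("guard open or guard switch signal lost")
    if stroke_complete_failsafe(inputs.end_of_stroke_nc):
        reasons.append("end of stroke reached or signal lost")
    limit = read_redundant_limit(inputs.final_limit_no, inputs.final_limit_nc)
    if limit is LimitState.REACHED:
        reasons.append("final limit reached")
    elif limit is LimitState.FAULT:
        reasons.append("final limit switches agree with each other: wiring or input fault")
    return (not reasons, reasons)


# Constructed scenarios.
HEALTHY = SafetyInputs(estop_loop_closed=True, guard_closed=True,
                       end_of_stroke_nc=True, final_limit_no=False, final_limit_nc=True)

# Forklift takes out the conduit: every signal from that side reads False.
CONDUIT_CUT = SafetyInputs(estop_loop_closed=True, guard_closed=True,
                           end_of_stroke_nc=False, final_limit_no=False, final_limit_nc=False)

# An input channel stuck ON (the D2-16NA story) while the NC contact is still
# energized: both limit channels read True at once.
STUCK_INPUT = SafetyInputs(estop_loop_closed=True, guard_closed=True,
                           end_of_stroke_nc=True, final_limit_no=True, final_limit_nc=True)

if __name__ == "__main__":
    for name, case in [("healthy", HEALTHY), ("conduit cut", CONDUIT_CUT), ("stuck input", STUCK_INPUT)]:
        ok, why = run_permitted(case)
        print(f"{name:12s} run={'YES' if ok else 'NO '} {'; '.join(why)}")
    # The naive check keeps the press running with the wire gone; the fail-safe one stops it.
    print("naive, wire cut:    stroke complete =", stroke_complete_naive(False))
    print("failsafe, wire cut: stroke complete =", stroke_complete_failsafe(False))
```

The model only decides whether the PLC may request motion; as marksji says, the E-stop and the final limit still need to break power to the starter in hardware, since a stuck output ignores any of this logic.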
  • adccommunitymod (AutomationDirect)

    Created Date: February 26,2004

    Created by: Phil

    I have been using the DL-250&260 PLCs to control boilers. NFPA 85 dictates several requirements that increase safety:

    1. The PLC that does the safety checks (high pressure, low water, etc) can not also perform combustion control (i.e. air/fuel ratio, O2 trim, pressure control, feed water, etc.).

    2. All inputs must be fail safe in that loss of voltage indicates a fault.

    3. There must be a master fuel trip relay that will break the circuit to power the fuel blocking valves.

    4. If a PLC performs the safety logic it must have an external watchdog. I use a 1/2 second on/off pulsed output from the PLC to a motion sensing relay.

    This type of relay will de-energize its output contact if the input locks high or low for more than 1 second.

    This contact is in series with the master fuel trip.

    This type of system will prevent the brownout problem since an external reset is required on the master fuel trip.

    I also normally wire all of my safety devices in series with the master fuel trip and then check for line voltage between each device to determine which device is causing the fuel trip.

    Hope this is useful.

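Phil's external watchdog (a 1/2 s pulsed PLC output into a motion-sensing relay that drops out after 1 s without a transition, in series with a latching master fuel trip) is exactly the countermeasure for the brownout lock-up marksji describes earlier in the thread, where the scan stops but the outputs hold their last state. The Python simulation below is an added example for this thread, not any poster's code; the class names, the integer-millisecond timebase and the choice to start the relay de-energized until the PLC proves it is alive are assumptions. It models the PLC freezing with its heartbeat output stuck high or stuck low, and shows that the fuel valves lose power about a second later and stay off after voltage returns until a manual reset.

```python
"""Simulated external watchdog for a PLC-based burner safety circuit.

The PLC toggles a heartbeat output every 500 ms. A motion-sensing relay
stays energized only while that output keeps changing; if it holds one
level for more than 1000 ms the relay drops out. Its contact is in series
with a latching master fuel trip, so the fuel blocking valves lose power
and stay off until an operator resets with a healthy chain.

Constructed example for this thread, not code posted by anyone in it.
Timebase is integer milliseconds so the simulation is deterministic.
"""
from typing import Optional

HEARTBEAT_PERIOD_MS = 500   # PLC toggles its watchdog output every 1/2 s
WATCHDOG_TIMEOUT_MS = 1000  # relay drops out after 1 s without a transition


class SimulatedPLC:
    """Toggles a heartbeat output once per period while scanning.
    freeze() models the brownout lock-up: the scan stops but the output
    holds whatever state it had. resume() models voltage returning, with
    the output still in its frozen state until the program runs again."""

    def __init__(self, period_ms: int = HEARTBEAT_PERIOD_MS) -> None:
        self.period_ms = period_ms
        self.heartbeat = False
        self.frozen = False
        self._next_toggle_ms = period_ms

    def scan(self, now_ms: int) -> bool:
        if not self.frozen and now_ms >= self._next_toggle_ms:
            self.heartbeat = not self.heartbeat
            self._next_toggle_ms += self.period_ms
        return self.heartbeat

    def freeze(self) -> None:
        self.frozen = True

    def resume(self, now_ms: int) -> None:
        self.frozen = False
        self._next_toggle_ms = now_ms + self.period_ms


class MotionSensingRelay:
    """Energized only while its input keeps changing. A stuck input, high
    or low, de-energizes it after timeout_ms. It starts de-energized, so
    the PLC has to prove it is alive before the chain closes (assumption)."""

    def __init__(self, timeout_ms: int = WATCHDOG_TIMEOUT_MS) -> None:
        self.timeout_ms = timeout_ms
        self.energized = False
        self._last_level: Optional[bool] = None
        self._last_change_ms = 0

    def sample(self, level: bool, now_ms: int) -> bool:
        if self._last_level is None:
            self._last_change_ms = now_ms            # baseline, not yet proven alive
        elif level != self._last_level:
            self.energized = True                    # a transition: PLC is scanning
            self._last_change_ms = now_ms
        elif now_ms - self._last_change_ms > self.timeout_ms:
            self.energized = False                   # stuck high or stuck low
        self._last_level = level
        return self.energized


class MasterFuelTrip:
    """Latching trip relay: fuel valves lose power the moment the series
    chain opens and stay off until reset is pressed with the chain closed."""

    def __init__(self) -> None:
        self.fuel_valves_powered = False

    def update(self, chain_closed: bool) -> None:
        if not chain_closed:
            self.fuel_valves_powered = False

    def reset(self, chain_closed: bool) -> bool:
        if chain_closed:
            self.fuel_valves_powered = True
        return self.fuel_valves_powered


def simulate(freeze_at_ms: Optional[int], resume_at_ms: Optional[int],
             end_ms: int = 6000, step_ms: int = 100) -> dict:
    """Run the circuit; freeze/resume times must be multiples of step_ms."""
    plc, relay, trip = SimulatedPLC(), MotionSensingRelay(), MasterFuelTrip()
    started_at = tripped_at = None
    for now in range(0, end_ms + step_ms, step_ms):
        if freeze_at_ms is not None and now == freeze_at_ms:
            plc.freeze()
        if resume_at_ms is not None and now == resume_at_ms:
            plc.resume(now)
        chain_closed = relay.sample(plc.scan(now), now)
        trip.update(chain_closed)
        if started_at is None and chain_closed:
            started_at = now                 # operator resets once the watchdog proves the PLC alive
            trip.reset(chain_closed)
        if tripped_at is None and started_at is not None and not trip.fuel_valves_powered:
            tripped_at = now
    return {"started_at_ms": started_at, "tripped_at_ms": tripped_at,
            "relay_energized_at_end": relay.energized,
            "fuel_on_at_end": trip.fuel_valves_powered}


if __name__ == "__main__":
    print("no brownout:          ", simulate(None, None))
    print("frozen with output ON:", simulate(2000, 3000))
    print("frozen with output OFF:", simulate(2100, 3000))
```

In both brownout runs the heartbeat resumes after the PLC recovers and the relay re-energizes, but `fuel_on_at_end` stays False: the latch, not the PLC, decides when fuel comes back, which is what makes the brownout behaviour marksji describes harmless here.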
  • adccommunitymod (AutomationDirect)

    Created Date: March 10,2004

    Created by: FrankCarney

    I was talking to an engineer who built a watchdog for a PLC using a standard relay and a PLC output. If I have this correctly, he used a DC output 24V signal and wired it to a 24VAC relay. If the signal stopped changing the relay would turn off. I need to ask him how he did this exactly. I think I may be missing something. The basic idea was the external device required an alternating current and the PLC kept changing an output to simulate that current. I think he may have put a capacitor in between and used a 12VAC relay. That way unless the voltage was being turned on and off consistently the current could not go past the capacitor. In case you don't know, direct current (DC) cannot flow through a capacitor. So switching DC will cause the capacitor to charge and discharge, allowing a resulting alternating current (AC) to flow.

    Anyway, the point is that it was a really interesting way to make a watchdog using off-the-shelf cheap components. Not to say using cheap components is a prerequisite in designing safety systems.

    Thanks,

    Frank
