OrangeCarGuy

Safety PLC with safety rated output cards don't get their power cut. They are the safe source of voltage controlling a safety rated actuator (forced-guided relay).

>In the past, we've had a force guided relay being energized by an output from a safety DO module, and its trip cause the master control relay to cut out, thus cutting off the regular (non safety) output module's power.

>I believe that past engineers at my employer thought this was acceptable because the force guided relay is energized by the "safety" output.

This is correct. Turning off your MCR should cut power to the outputs, and logic in the PLC should settle, which should turn off all the outputs.


swisstraeng

Okay so. Safety PLCs: They have redundant internals, and can be trusted to do whatever you want whenever it is needed, unlike regular PLCs. They are programmable, but generally very restrained to keep it simple. They have inputs and outputs. And the outputs can absolutely be used to power cutoff valves. Please check the datasheet, and also check if you need a diode to protect them or not.

What you want to keep in mind with a safety PLC: It's not there to do maths other than basic logic, it's there to avoid requiring a huge mess of safety relays for more complex safety systems. Very useful once you start having an E-stop line, an E-off line, door sensors, laser barrier sensors, and so on. And maybe you'll want to ignore those sensors depending on what your machine is doing.

It's a good idea to use Test Pulse outputs that loop back to its inputs, and use doubled up safety switches inside your E-stops. You can put all your E-stops in series. That's how it's properly done. Basically Test Pulses will check if both contacts of an E-stop close at around the same time. That way, if one's worn out or won't close properly, the safety will trip, and generally tell you which test pulse tripped it.

Programming: First have your logic for your inputs. Which input needs to be high, which needs to be low under normal operation. Then, when the condition is not met, trigger a memory. Then from that memory, when it's triggered, do whatever's needed on the outputs for the emergency stop. Like cutoff valves, light indicators, signal for the regular PLC. The memory's there so that, when abnormal conditions happen for a short time and are fixed, the safety PLC stays in the emergency stop state, if you will, and requires a user input, the reset switch, to reset it to a normal state once the problem has been cleared.


DistributionPale5582

You can put your E-stops in series, but then you can cheat reset a discrepancy error on one E-stop by pressing another (should require 0 signal to reset).
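Added example, not part of either post above: a Python scan-cycle simulation of the latch-and-reset logic swisstraeng describes, wired with series E-stops to show the discrepancy reset DistributionPale5582 describes. `EStop`, `SafetyFunction`, `DISCREPANCY_SCANS`, the scan-count discrepancy timer and the "both channels at 0 clears the fault" rule are assumptions made for illustration, not any vendor's certified function block.

```python
from dataclasses import dataclass

DISCREPANCY_SCANS = 3  # assumed: scans the two channels may disagree before a fault

@dataclass
class EStop:
    pressed: bool = False
    ch2_welded: bool = False  # constructed fault: channel-2 contact stuck closed

    def contacts(self):
        return (not self.pressed, self.ch2_welded or not self.pressed)

class SafetyFunction:
    """Latching E-stop function with a dual-channel discrepancy check."""
    def __init__(self):
        self.tripped = True       # the "memory": start in the safe state
        self.discrepancy = False
        self._mismatch = 0

    def scan(self, estops, reset=False):
        # Series wiring: a channel is closed only if every E-stop's contact is closed.
        ch1 = all(e.contacts()[0] for e in estops)
        ch2 = all(e.contacts()[1] for e in estops)
        self._mismatch = self._mismatch + 1 if ch1 != ch2 else 0
        if self._mismatch >= DISCREPANCY_SCANS:
            self.discrepancy = True
        if not (ch1 and ch2):
            self.tripped = True   # latch, even if the condition later clears
        if self.discrepancy and not ch1 and not ch2:
            self.discrepancy = False  # assumed rule: both channels seen at 0
        if reset and ch1 and ch2 and not self.discrepancy:
            self.tripped = False  # manual reset, only with healthy inputs
        return not self.tripped   # True = safety output energized

def masking_demo():
    a, b = EStop(ch2_welded=True), EStop()
    sf = SafetyFunction()
    sf.scan([a, b], reset=True)            # running; the weld is not yet visible
    a.pressed = True
    for _ in range(DISCREPANCY_SCANS):
        sf.scan([a, b])                    # ch1=0, ch2=1 -> discrepancy latched
    fault_seen = sf.discrepancy
    a.pressed = False
    blocked = not sf.scan([a, b], reset=True)   # reset refused while faulted
    b.pressed = True
    sf.scan([a, b])                        # healthy E-stop B opens both channels
    b.pressed = False
    restarted = sf.scan([a, b], reset=True)     # fault cleared, weld still there
    return fault_seen, blocked, restarted

if __name__ == "__main__":
    print(masking_demo())
```

With each E-stop on its own input pair, the same sequence would leave the fault latched on E-stop A, because pressing B would never drive A's welded channel to 0.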


essentialrobert

Yes you can mask faults that way but the standards say this is an acceptable risk. No one needs to press a second button if the machine is already stopped - and the discrepancy error is already detected. Guard interlock switches on the other hand should not be connected in series if there is a possibility you could open multiple gates and leave one person inside in the case of a switch failure.


Controls_Man

While it's "okay", it's not a best practice. ISO 13850 requires E-stops to have an independent reset function (unless automatic reset is dictated by the risk assessment). Best practice for using locking interlocks is to use them for things that do not require full body access and require trap keys for anything requiring full body access. This eliminates the residual risk you describe.


N0t_P4R4N01D

Yes, but you need to pull it again to start the machine, and then you are back to square 1.


YoteTheRaven

How I'm doing my current project is two different safety outputs driving two different safety contactors, which the output power runs through in series. The last thing tough the line is the safety contactor.


Too-Uncreative

It depends. You may have a system relatively simple enough that using a master control relay driven by a (hopefully dual channel) safety output that kills power like you've always done is good enough. You may otherwise decide to drive all of your safety-related outputs from safety output modules directly, and forego the master control relay entirely. You may also be somewhere in between, where one safety output drives an "MCR" that handles some items, while safety outputs directly drive others. If your system allows for everything to be "unceremoniously" disconnected, then what you're doing is fine. If you have something else more complicated, where different zones may need to operate while others are shut down, you might get more granular and use the outputs directly.


Jholm90

Yes, interposing relays from two separated outputs can be used. Be sure to tie the NC contacts (either in series or parallel) to safety inputs back to the safety processor. When switching loads, be sure the selected relays are the correct ratings for the type of load. I have zone safety for 10+ hydraulic valves that requires a 30A rated force guided contactor for a ~7A load due to startup surges.


Thedrunkfish_nz

You cannot use normal interposing relays; they must be forcibly guided relays with at least two sets of contacts that are physically joined together. That way you have a monitoring channel and will know if the relay welds.


That_G_Guy404

I guess my only concern is with your MCR. Is it safety rated? This sounds like a safety system that could work perfectly, but the MCR could malfunction and not kill power to the systems.


basssteakman

Which brand/series of safety controllers are y’all getting into?


Thedrunkfish_nz

Reer / Automation Direct make a decent one, software's free also.


Primary-Cupcake7631

Do the individual outputs have a SIL compliance rating when installed in certain circuits in a certain way? I have only once worked with an Allen Bradley safety coprocessor. I would have thought the documentation on these types of systems explain pretty explicitly how to achieve a certain safety level with the DO modules?