Industrial Control Safety
or How to Scare the Bejeesus Out of Me
by Jim Rowell
I received a set of prints recently from a well-known manufacturer. You won't find a more professional organization than this. Their factories are clean, organized and staffed by highly trained people who seem to enjoy their jobs. The prints were for a panel they wanted built and had been designed by a large machine builder in the US and stamped by an engineer. Imagine my surprise when I noticed the inputs to the PLC were all from the grounded side of the power supply. I asked about it and the reply was "Many of our machines are done that way. Is it a problem?"
Perhaps you don't catch the significance of this so let me give you a scenario. Joe is walking by a machine thinking about today's scheduling problems. Bob is driving his forklift down the aisle. Joe walks out from behind the machine a little faster than he should. Bob slams on the brakes just in time to avoid running over Joe but swerves a tad and gently rubs against the machine. Joe jumps back at the same moment and falls on top of some rollers. No real damage done. A piece of conduit pushed out of place. Couple of ripped wires. Whoops! The machine is starting up! Joe dies a horrible death. Okay, there should have been guards in place; it's just a story, okay?
Why did the machine start up? Someone thought it was okay to wire a start button in an NPN fashion on a controller fed from a negative ground system. As soon as the damaged wire received a short circuit to ground, the PLC saw a request to start and did as it was told. Joe probably didn't appreciate its obedience.
The drawing below shows how things were done. The PLC is simply waiting for its input circuit to be completed and when that happens it will start the motor. Current will flow from the ungrounded side of the power supply (V+) into the module common terminal (COM), through the module's internal optical diode and out the "input", through the switch and into the grounded (V-) side of the supply. Now picture a short circuit to ground occurring between the PLC input module and the motor start button. The PLC doesn't know whether a short occurred or someone pressed the button. It's exactly the same thing either way. The fuse won't blow because we are merely shorting to the side of the supply that is already grounded. The correct way to wire this would be to simply reverse the supply connections. The V+ connection should go to the left side of the start button and V- should go to the COM terminals of the input module. Now a short circuit occurring on either side of the start button will cause the fuse to blow. The motor will not start up. Depending on the PLC, you may not be able to reverse the connections so choose your modules carefully before you order!
Input modules should have the common connected to the grounded side of the power source and output modules should have the common connected to the ungrounded side. Think of it this way: Positive or Hot signals should come out of outputs and go into inputs. Negatives & Neutrals shouldn't do anything but sit there looking pretty. Why do I keep seeing the opposite being done?
This drawing shows the wrong way to do it!
I see so many dangerous designs in my day-to-day work that it's beginning to scare me. And they are coming from people who should know better. Control specialists, technical graduates, professional engineers, you name it. So here's my list of Do's and Don'ts. Perhaps I should say it's my "Please, Please, For the Love of God, Don't Even Think About Doing Otherwise" list.
1) Always ground power supplies and transformers unless you plan on monitoring for accidental grounds. For control systems, it's just not worth the complexity needed to make an ungrounded system safe. We want a fully grounded system. Every time you create a new supply source (where the output is isolated from the input), you must re-ground the output. That means your control transformer needs a ground and so does your DC power supply. That includes power supplies built into PLC's. Each connection must be made right at the source device's output and should be wired direct to ground in plain view and as close to the device as possible. Use a dedicated screw into the cabinet backplate, not a DIN rail terminal and not a device support. Don't hide the screw or the wire in duct and don't put other grounds onto it. It should be obvious and easy to verify that it's still there. The norm in most of the world is to ground the negative side of a DC power supply and X2 in the case of an AC control transformer. Don't forget to bond the cabinet's backplate to the cabinet itself.
2) Fuse the ungrounded side of the source. Don't fuse the grounded side.
3) If you opt for an ungrounded system with a ground detector then bear the following in mind. A ground detector must actually interrupt power when the first ground is detected and it must operate faster than your control system. A simple notification is not good enough. There is an excellent chance that the first short to ground is occurring across both conductors from a button or sensor and is thus bypassing the contacts. The common idea that no hazard exists until a second ground occurs is just plain wrong. Picture a broken conduit coupling bent over at 90 degrees and ripping the wiring inside. It bites into the insulation on the 2 wires going to a single pushbutton and turns on a ground detector's indicator light. It also launches an ICBM towards Moscow. An older idea is to switch both sides of the supply simultaneously which is still not very good and is impossible using things like PLC's that share a common between several I/O points. A properly wired, grounded system would just blow the fuse. A ground detector is also a liability. It can fail.
4) Never place a contact in a grounded conductor of your control system. It's too easily bypassed by shorts to ground. Remember, your grounded conductor doesn't mind additional connections to ground. Only the ungrounded conductor will detect attempts at bypassing contacts by blowing your protection fuse. Trying to decide between NPN or PNP sensors? It's not a matter of personal preference despite what some people will tell you. Assuming you have a grounded negative system (you should), the use of an NPN start signal or safety-related sensor is a crime. Use PNP! If the device is something like an encoder, you could generally use either since all that would happen in a bypass would be a loss of the encoder signal.
If you are confused by the terms PNP and NPN, here's a quick primer. They refer to the layered construction of semiconductors like transistors. The "N" stands for "Negative" and the "P" stands for "Positive". With respect to sensors, an NPN device is one that can switch the negative side of a circuit while a PNP device is designed to switch the positive side. In other words, a PNP device must sit between the controlled load and the connection to the positive side of the power supply. It switches the load on or off by making and breaking the load's positive line. It's easy to remember; NPN has the most N's in its name and it switches Negatives; PNP has the most P's in its name and it switches Positives. NPN is the norm in circuit board electronics but in industrial control, PNP = good and NPN = bad.
I'll say this a little louder:
DO NOT USE NPN SENSORS OR WIRING METHODS
unless you are sure that a false activation will be harmless. No exceptions. EVER!
5) The rules for inputs also apply to outputs. Your loads should have one side hard-wired to the grounded side of the supply. Switch the ungrounded line. You don't want your PLC overruled by a short to ground.
6) You can't go by the terms "sourcing" and "sinking" when choosing I/O modules. Different manufacturers use the terms in opposite ways. You must check their drawings before you can be sure of what you are getting. A sourcing device is one that supplies positive charges to another. A sinking device accepts positive charges from a sourcing device. A PNP sensor is a source that sends positive signals to a sinking PLC input module. The problem is that some manufacturers such as Mitsubishi label such an input module as sourcing presumably because it's designed to be used with sourcing field devices. Just the kind of confusion the industry needs.
7) Always ground everything conductive that could potentially be involved in a bypass attempt. That means enclosures, conduit, cable glands, etc. It also means anything nearby that flailing or falling wiring could touch such as machine sections, railings and guards. If you don't pre-ground these things, your fuse won't protect you, your contacts will be bypassed and you wasted your time grounding the supply in the first place. It doesn't matter if you are only using 24 volts. You still need everything grounded to prevent your contacts and sensors from being bypassed.
8) Stop using 120 volts for every little thing. Quit already. Okay? Use extra-low-voltage whenever possible. 24 volts is ideal and very widely used. Short circuits are gentler, cause less damage and maintenance people and operators won't get electrocuted by it. Anything over 50 volts is bad. You can still power your large contactors and whatnot inside of your main cabinet with 120v when needed. All of your field wiring to pushbuttons, limit switches, sensors, etc should be 24 volt.
9) Use DC for control in the field rather than AC. It doesn't take that much wire length before you have enough capacitance to magically bypass your contacts just like a short circuit. It can wreak havoc on a control system's operation. No point worrying about when it will cause a problem. Just don't use AC for control. Period.
10) Use only isolating type transformers for your control power. Choosing an autotransformer is a quick way to destroy PLC's, computers, test equipment and people. Similar warnings apply to DC power supplies. They must be isolating types built to the appropriate standards. Not all of them are.
11) Feed the top of contactors, switches, etc. Never feed the bottom. I don't care if you have to use an extra three feet of wire and go around and into the next duct to do it. This is a standard that has been around longer than there have been relays, contactors, control cabinets or you or me. As for "cube" relays, you don't have much choice with these sorry excuses of terminal contortions. They were designed by people that didn't know better or didn't care. If you are an actual designer of relays, power supplies and similar things, smarten up.
12) Put Emergency Stop buttons all over the place. Think about where someone will be when an emergency happens. What if they are a new employee or a visitor who is not familiar with the machine? Will someone even be within sight of a button? Will they be able to reach it quickly? If they are physically trapped or in the process of being pulled into the machine, will they still be able to reach it? Use real E-Stops with large, red, mushroom heads. I have one client who installed several of these as start buttons because "they were all we had at the time". Could prove entertaining when the safety inspector comes by: "No, not that button. The little green one stops it, the black one starts it and the big red one is for Go Real Fast".
13) Don't make Emergency Stop buttons do things when pressed. Make them stop things when pressed. I once almost chopped a client's finger off because of this. I noticed he had his hand inside of a swaging machine adjusting it while it was running. Being a considerate guy, I punched the E-Stop so he wouldn't get hurt. The machine instantly retracted an air cylinder under full power in order to get back to its rest position. He pulled his hand out just in time with only slight bruising of one finger. I feel very stupid for doing that. Just the same, I'd love to get my hands on the idiot that designed it. Remember, they are called "Emergency" buttons for a reason.
14) An ordinary (non-mushroom) stop button can stop whatever you want it to, in whatever fashion you wish (it may even cause cylinders to retract). An E-Stop should immediately shut down everything. Don't mix up their purpose. Of course there are exceptions. Things like braking circuits are obvious candidates for staying on during an E-Stop. The general goal, however, is that whatever could possibly go wrong (or make a bad situation worse) should be on the included list of things that are killed by the E-Stops. The easy rule is that unless an item must stay on for safety, then every E-Stop should shut it off no matter what it is.
15) Releasing an E-Stop is not considered a "Start back up again, I was only kidding" signal. You should have to press a different button to restart. Don't use momentary E-Stops either. They are still sold because some people collect them as museum pieces. Today, we use only latching buttons so that once pressed, you have some confidence the system won't start up again even though a problem somewhere else is causing a start signal to be constantly generated. By the way, that's the standard first test of any stop button; if it's pressed, no other signals should be able to start up the machine.
16) If possible, an Emergency Stop should not only stop all motion, it should also relieve all pressure. This is especially true in machines that are complex when in manual mode. Air systems are a snap for this. The machine should "relax". If you are ever trapped, you'll be glad of this feature. Note: relax does not mean drop a pallet on someone.
17) Think about an "extraction procedure" when designing controls. This means what would have to be done if someone was caught in the machine in order to free them. Maybe you should add certain manual controls. An example might be an inching reverse ability for some of the motors along with clearly marked buttons. There was a case in my city where three workers were crushed badly under a several thousand ton punch press that dropped a bit while they were working under it. The ambulance and fire department had to wait more than an hour while the dying men pleaded for help. Apparently it's not easy to find someone at 3 in the morning who can reverse a motor with a complex control cabinet full of strange looking stuff. They didn't survive.
18) Don't rely on your PLC to respond to Emergency Stops. Use a master contactor that interrupts all control power and have the E-Stops kill that. You can monitor the action with the PLC or even operate both in series. Some localities allow PLC's to operate safety circuits without contactor assistance but many do not. I always use a contactor. What's the big deal? Contactors are cheap. I get the added assurance that should my program or the PLC itself fail in some weird manner, the operator can still nail that E-Stop and shut down the machine.
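As an added illustration of items 15 and 18 (example code written for this page, not anything from the article or from a particular PLC vendor), here is a scan-by-scan model in which the master contactor is held in by the hard-wired E-stop chain alone, and the PLC's seal-in logic accepts only a fresh rising edge of the start button. The signal names are assumptions: `estop_ok` is True while the latching E-stop chain is intact, `start_pb` is True while the N.O. start circuit is closed, and `stop_ok` is True while the N.C. stop circuit is intact.

```python
# Added example, not from the article: PLC seal-in logic that cannot be restarted
# by a start signal that is stuck on, beside a master contactor that the E-stop
# chain drops directly (items 15 and 18).  Signal names are assumptions.

class MotorControl:
    def __init__(self):
        self.run_cmd = False      # PLC output to the motor starter coil
        self.start_prev = False   # previous scan's start input, for edge detection

    def scan(self, estop_ok, start_pb, stop_ok):
        """One PLC scan.

        estop_ok : latching E-stop chain intact (all mushroom heads released)
        start_pb : N.O. start button input, True while the circuit is closed
        stop_ok  : N.C. stop circuit intact (not pressed, no broken wire)
        Returns (contactor_closed, motor_running).
        """
        # The master contactor coil is in series with the E-stop chain only.
        # Nothing the PLC does can hold it closed while an E-stop is pressed.
        contactor_closed = estop_ok

        # Only a fresh press counts.  A start signal that is stuck on (shorted
        # wiring, a stuck button) was already True on the previous scan, so it
        # never produces an edge and cannot restart the machine after a stop.
        start_edge = start_pb and not self.start_prev
        self.start_prev = start_pb

        # Classic seal-in: run once a fresh start is seen, stay running until
        # the stop circuit opens or the E-stop chain drops.
        self.run_cmd = (start_edge or self.run_cmd) and stop_ok and estop_ok
        return contactor_closed, contactor_closed and self.run_cmd


def estop_release_does_not_restart():
    """Walk through the scenario in item 15 with a start signal stuck on."""
    m = MotorControl()
    m.scan(True, True, True)                    # real press: motor runs
    m.scan(False, True, True)                   # E-stop pressed while start is stuck on
    after_release = m.scan(True, True, True)    # E-stop released, start still on
    return after_release                        # contactor back in, motor stays off


if __name__ == "__main__":
    print(estop_release_does_not_restart())
```

The point of the edge detector is the last scan in `estop_release_does_not_restart()`: with plain level-triggered seal-in logic, releasing the E-stop while a start signal is present would restart the motor, which is exactly what item 15 says must not happen.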
19) Do some research into "positive-guided relays" also known as "force guided relays". These and the new electronic "safety relays" can add a great deal of confidence that your system is still working the way you intended. They won't tell false tales to your PLC (in theory). For positive-guided, electro-mechanical relays, Omron sells the G7S. FGR International (www.fgri.com) sells various and AEG has small ones and even large power contactor sizes. Check the web.
20) Most of those new ultra-micro PLC's or "Smart Relays" that people are growing fond of are not for use where safety is even remotely involved. Read the specs carefully before you use them. If the inputs can be programmed to be either digital or analogue, that's a give-away that they are not isolated. Except for one high-end model made by Moeller, even the digital-only inputs are not isolated on any of the brands I've checked. An input failure on these can travel through the internal circuitry and activate any of the other inputs or other parts of your control system. It could cause equally unpleasant actions by interfering with the internal logic and memory. Examples of these are the Alpha, Logo, Easy, Pico, Zelio etc.
21) Don't be too quick to use palm actuators and similar devices that use electronics, proximity triggers and other complex methods to issue start signals. They've been implicated in more than one accident. Some of the models that I have looked at were low-grade devices that have no place in most industrial applications. They were single-channel, non-redundant, and non-self-checking (can you say non-acceptable?). Their focus was less on safety than on cashing in on the fears of repetitive strain lawsuits. Regardless, I wouldn't use even the best ones except in truly non-hazardous applications (where they might actually be quite useful). The addition of a "safety relay" does not miraculously change the situation either, unless your sales rep bears more than a passing resemblance to Jesus. Be aware too that standard proximity sensors (including infra-red and laser) are not safety rated nor are they intended to be. They're made for counting donuts not for detecting when an operator is clear of a pinch-point. High-hazard rated electronic sensors such as light curtains that will issue stop commands are feasible (when used properly) and available. Issuing start commands is a whole different matter.
22) Consider using both a normally-open and a normally-closed contact on start buttons (or other sensors) that will initiate a hazardous operation. Declare an error condition if they are both open beyond a short amount of time or if they are ever both closed. A proper start sequence involves seeing that the N.C. contacts are in fact closed, followed by them opening, followed shortly by the N.O. contacts closing. This can help avoid false signals from wiring problems and tends to verify that the button's mechanical operation is good. If you need to use a 2-hand start then you absolutely should use this setup on each button (along with anti-tie-down timing).
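The sequence check in item 22, and the two-hand start it mentions, as an added example (this is code written for this page, not the article's own logic or any vendor's safety relay). It scans both contacts of each button and issues a start only after seeing N.C. closed, then both open briefly, then N.O. closed. The 10 ms scan period, the 50 ms allowance for contact travel and the 500 ms two-hand concurrency window are assumptions chosen for the model.

```python
# Added example, not from the article: validating a start button that carries
# both an N.O. and an N.C. contact (item 22), and a two-hand start built from
# two such buttons with anti-tie-down timing.  Scan period, the 50 ms travel
# allowance and the 500 ms concurrency window are assumptions for the model.

class StartButtonMonitor:
    """One button, two contacts.  A valid press is seen only as the sequence
    N.C. closed (at rest) -> both open (contact travel) -> N.O. closed."""
    RELEASED, TRAVEL, PRESSED, FAULT = "released", "travel", "pressed", "fault"

    def __init__(self, max_travel_ms=50):
        self.max_travel_ms = max_travel_ms
        self.state = self.TRAVEL   # contacts unknown until N.C. closed is seen
        self.travel_ms = 0
        self.armed = False         # True once the button has been seen at rest
        self.fault = None          # latched reason; cleared only by a new monitor

    def _fail(self, reason):
        self.state, self.fault = self.FAULT, reason
        return False

    def update(self, no_closed, nc_closed, dt_ms):
        """Feed one scan of both contacts; True only on a validated press edge."""
        if self.state == self.FAULT:
            return False
        if no_closed and nc_closed:
            return self._fail("both contacts closed: shorted or bypassed wiring")
        if not (no_closed or nc_closed):          # travel, or a wire has come off
            if self.state != self.TRAVEL:
                self.travel_ms = 0
            self.state = self.TRAVEL
            self.travel_ms += dt_ms
            if self.travel_ms > self.max_travel_ms:
                return self._fail("both contacts open too long: broken wire or worn button")
            return False
        if nc_closed:                             # N.C. closed, N.O. open: at rest
            self.state, self.armed = self.RELEASED, True
            return False
        # N.O. closed, N.C. open: pressed.  The scan must be faster than the
        # button's travel, otherwise the both-open step is missed.
        if self.state == self.RELEASED:
            return self._fail("N.O. closed without the N.C. contact opening first")
        if self.state == self.TRAVEL and self.armed:
            self.state, self.armed = self.PRESSED, False
            return True                           # the only place a start is issued
        self.state = self.PRESSED                 # still held, or re-closed without rest
        return False


class TwoHandStart:
    """Both buttons must give a validated press within sync_ms of each other,
    and both must return to rest before another cycle (anti-tie-down)."""
    def __init__(self, sync_ms=500, max_travel_ms=50):
        self.left = StartButtonMonitor(max_travel_ms)
        self.right = StartButtonMonitor(max_travel_ms)
        self.sync_ms = sync_ms
        self.since = {"left": None, "right": None}   # ms since each validated press
        self.cycle_done = False

    def update(self, left, right, dt_ms):
        """left/right are (no_closed, nc_closed) tuples; True when a cycle may start."""
        pressed = {"left": self.left.update(*left, dt_ms),
                   "right": self.right.update(*right, dt_ms)}
        if self.left.fault or self.right.fault:
            return False
        for name in ("left", "right"):
            if pressed[name]:
                self.since[name] = 0
            elif self.since[name] is not None:
                self.since[name] += dt_ms
        at_rest = StartButtonMonitor.RELEASED
        if self.left.state == at_rest and self.right.state == at_rest:
            self.since = {"left": None, "right": None}   # both released: re-arm
            self.cycle_done = False
            return False
        if self.cycle_done or None in self.since.values():
            return False
        if abs(self.since["left"] - self.since["right"]) <= self.sync_ms:
            self.cycle_done = True
            return True
        return False


# Constructed contact samples, one (no_closed, nc_closed) pair per 10 ms scan
AT_REST, IN_TRAVEL, HELD = (False, True), (False, False), (True, False)

def run_button(samples, dt_ms=10):
    """Returns (list of start edges, latched fault or None) for one button."""
    m = StartButtonMonitor()
    return [m.update(*s, dt_ms) for s in samples], m.fault

def run_two_hand(left, right, dt_ms=10):
    th = TwoHandStart()
    return [th.update(l, r, dt_ms) for l, r in zip(left, right)]
```

Feeding `run_button()` a normal press gives exactly one True; a wire that falls off leaves both contacts open past the travel allowance and latches a fault instead, and a short across the button shows up as both contacts closed. In `run_two_hand()`, a button taped down keeps its `since` counter growing, so the other button can never land inside the concurrency window and no further cycle is issued until both are at rest.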
23) Don't touch anything on a punch press or brake type of machine unless you are very familiar with the myriad of requirements and dangers. I say type because there are presses that are not called such by the makers but the laws still apply. It's a rather serious and heavily enforced area and you can get yourself into a heap of trouble. Most of the enforcement occurs after an accident. Incidents are often things like double amputations. If you think you can make a quick dollar installing light-curtains, think twice. Read and understand the rules. Even better, read your insurance policy.
24) Check the ratings on "supplementary" or "mini" breakers and certain all-in-one, overload/overcurrent motor protectors and watch how you use them. They've hurt more than a few workers. The problem is they can only safely interrupt a fault current if they are already closed when it occurs. Doing a closure into a fault and then having to immediately open is a serious stress. Some can't handle a fault at all and rely completely on upstream fuses. It goes like this: Motor burns out. Fuses ahead of breaker blow. Man flips breaker on and off a few times to see if that will fix things. Man leaves breaker in the off position. Man finds and changes fuses. Man flips on breaker. Breaker blows up in man's face. More fun stories for the kids around the campfire.
25) You should go to extreme lengths to ensure that a single switch disconnects all power in a control cabinet. That would be the switch that's within reach of or mounted in the cabinet. Not the one across the factory and definitely not the one in Niagara Falls. It can get tricky when you are interconnecting machines. Add auxiliary contacts to the switch if you have to. If some things must remain live with the switch off then separate all of the involved components and terminals into a distinct area with a faceplate barrier. Label it and the switch with warnings. Better still, put them in a separate box labelled as containing multiple sources.
26) There are various types of charge storage devices. Make sure these don't interfere with your E-Stop system or present a maintenance hazard. Capacitors should have draining resistors added to them if they don't have internal ones.
27) I'm sure you've heard it before but don't mix voltages in your conduits. 24 volts goes in one conduit. 120 volts goes in another. 380, 480 or 600 go in still another. Induced current is the usual reason given for separating them but it's not the only problem. Conduits and cables are where shorts occur. You don't need 600 volts travelling into your 24-volt PLC cards. Strange things could happen. For the same reason, use wire rated for the highest voltage in a cabinet. Don't use 300 volt wiring for the low voltage "cause thets all I'm a usin on thet thar particlar wyre. U know, thet one thets a leanin up agin the 600 volt moter contractor". [Sorry. I couldn't resist]
28) Choose whether you need N.O. or N.C. contacts very carefully. You need a sensor or contact to "fail to safe" rather than "fail to hazard". Statistically, it is much more likely in a failure that you will have a loss of connection rather than closures like locked or bypassed contacts that don't blow the fuse. This means a failure will most likely be a bad joint, a wire pulled away from a terminal or something similar that results in an open circuit rather than a closed circuit. I call it the Broken Wire question. Ask yourself, what will happen if a wire on these contacts breaks off. Do I have a safe condition or a hazardous one? If the button is a start button and the wire falls off, you DON'T want that to mimic a press of the button. If the start button circuit has to be closed to start then a wire break will not hurt anything. If it has to be opened to start then the wire break would be the same as a start signal. Therefore we want start buttons to be "close on activate" or N.O. A stop button is the opposite. We want a wire break to be the same as someone pressing the stop button so we use N.C. (open on activate). Otherwise, if we made a stop button "close on activate" and the wire fell off, pressing the button would not stop the machine.
You need to really think hard about things like door safety contacts and other odd switches. You usually want a door to strike a switch when the door is closed thus closing the contacts and signalling "guards in place safe to run". That requires a N.O. contact. If the wire falls off the switch, it's the same as opening the door. Machine stops.
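The two wiring questions the article works through by hand, the short to ground in the opening drawing and item 4, and the "Broken Wire question" of item 28, can be checked on a small conductive-path model. This is an added example written for this page, not the article's drawing or any vendor's module; node names, the single fuse on V+, and treating the input optocoupler as the only current-limiting element are assumptions made for the model.

```python
# Added example, not from the article: a conductive-path model of the PLC input
# circuit in the opening drawing, used to check what a short to ground does to
# each wiring (drawing, item 4) and what a wire falling off does to N.O. versus
# N.C. contacts (item 28).  Node names, the single fuse on V+ and treating the
# input optocoupler as the only current-limiting element are assumptions.
from collections import defaultdict


class Circuit:
    """Undirected graph of conductors.  V- is the grounded supply side (item 1),
    and every path from V+ runs through the fuse on the ungrounded side (item 2)."""

    def __init__(self):
        self.edges = []
        self.fuse("V+", "V+F")
        self.wire("V-", "GND")

    def _add(self, a, b, kind):
        self.edges.append((a, b, kind))

    def wire(self, a, b): self._add(a, b, "wire")
    def fuse(self, a, b): self._add(a, b, "fuse")
    def load(self, a, b): self._add(a, b, "load")      # PLC input optocoupler

    def contact(self, a, b, closed):                   # pushbutton or sensor contact
        if closed:
            self._add(a, b, "contact")

    def short_to_ground(self, node):                   # crushed conduit, nicked wire
        self.wire(node, "GND")

    def break_wire(self, a, b):                        # wire fell off a terminal
        self.edges = [e for e in self.edges if {e[0], e[1]} != {a, b}]

    def paths(self, start="V+", end="V-"):
        """Every simple path from V+ to V-, as a list of edge kinds."""
        adj = defaultdict(list)
        for a, b, kind in self.edges:
            adj[a].append((b, kind))
            adj[b].append((a, kind))
        found = []

        def dfs(node, seen, kinds):
            if node == end:
                found.append(list(kinds))
                return
            for nxt, kind in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    kinds.append(kind)
                    dfs(nxt, seen, kinds)
                    kinds.pop()
                    seen.discard(nxt)

        dfs(start, {start}, [])
        return found


def analyse(c):
    """A path with no load in it is a dead short: the fuse blows and the module
    loses supply.  Otherwise the input is on if any path runs through the load."""
    paths = c.paths()
    fuse_blown = any("load" not in p for p in paths)
    return {"fuse_blown": fuse_blown,
            "input_on": (not fuse_blown) and any("load" in p for p in paths)}


def start_npn(pressed, short_at=None):
    """The drawing's wrong way: COM on V+, button switches the grounded side."""
    c = Circuit()
    c.wire("V+F", "COM")
    c.load("COM", "IN")
    c.wire("IN", "FIELD")              # field wire from module to button
    c.contact("FIELD", "V-", pressed)
    if short_at:
        c.short_to_ground(short_at)
    return c


def pnp_input(contact_closed, short_at=None, broken=None):
    """Corrected wiring: contact switches V+, COM on the grounded side (item 4)."""
    c = Circuit()
    c.contact("V+F", "FIELD", contact_closed)
    c.wire("FIELD", "IN")
    c.load("IN", "COM")
    c.wire("COM", "V-")
    if short_at:
        c.short_to_ground(short_at)
    if broken:
        c.break_wire(*broken)
    return c


def start_no(pressed, **faults):      # N.O. start: input_on means "start requested"
    return pnp_input(pressed, **faults)

def stop_nc(pressed, **faults):       # N.C. stop: input_on means "OK to run"
    return pnp_input(not pressed, **faults)
```

Run `analyse(start_npn(False, short_at="FIELD"))` and the field wire shorted to ground energises the input with nobody touching the button and the fuse intact, which is Joe's accident. The same short on `start_no()` either does nothing (button released) or blows the fuse (button pressed), and never reads as a start. For item 28, `start_no(True, broken=("FIELD", "IN"))` shows a fallen wire can only prevent a start, while `stop_nc(False, broken=("FIELD", "IN"))` shows the same fault on an N.C. stop reads as "not OK to run", so the machine stops.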
29) Recognise that everything wears out and fails eventually. If the failure of a limit switch means something catastrophic will happen (like frogs falling from the sky or maybe an expensive machine ripping itself apart) then back it up with a second switch!
30) Use green lights to indicate normal conditions like "Motor is On". Red used to mean pretty much everything. It's better to reserve it for things with a negative connotation like "Error", "Emergency", "Overload", etc. There are many other colours you can choose from to identify various conditions. Leave red for the bad stuff.
31) Don't drill holes or run cables into the top of cabinets & boxes in oily or wet environments. That's just asking to have stuff drip all over everything inside.
32) Conduits should be sealed with a removable compound (duct-seal) if they run to outdoor equipment or between any areas that differ greatly in temperature. If not, you'll get warm, moist air travelling through the conduit and condensing on the equipment at the cold end. That leads to corrosion, arcing, flash-over, icing and freezing of parts.
33) Don't mount terminal strips lower than 18" above the floor. Give all those people with blown out knees & bad backs a break. Pretty please? ;-)
34) Protect your system with current limiting fuses having suitable interrupt ratings. That means 200,000 amp interrupting capacity for the main and wherever else you can manage. Breakers are poor choices for main protection even if you know what the available fault current is. The machine may move to a new home someday.
35) Everything in your panel should be built to an IP20 rating. That means finger-size objects cannot touch any live parts. No exposed fuse blocks or transformer lugs thank you very much. Don't make it difficult for test probes however. They should be able to go anywhere. It's also smart to leave enough physical room and wire slack wherever you might need to use a current clamp to check loading such as at motor contactors and fuses. There's nothing like a pretty panel that nobody can work on.
Telling people to follow safe operating procedures is all well and good but people don't really believe in procedures. They do believe in you and your control system. Don't let them down.
May we all live to see retirement!