This topic can probably be applied to any Safety Module in general, so I'll keep my descriptions generic. In my case, I have a muting module by Banner.

My question is related to when the safety module has an error/fault that can only be reset by cycling power to the safety module.

It is a rare event for this to happen, but it does occasionally happen. The module's fault state will open up the contacts and stop the machine, regardless of the status of the monitored safety device. The PLC will assume the monitored device is the problem (ex: light curtain is blocked, guard is open, etc) when it's really the safety module that is the problem.

Not sure if this is a standard rule when it comes to safety modules, but on my machines, the module is powered directly from the 24V power supply. Therefore, when faults like this happen, users are basically finding it easier to cycle power to the entire machine (just to essentially reset the faulted muting module), rather than get help.

For my machine, cycling power can mess up communications, so I would like to prevent users from developing the habit of cycling power to the machine whenever the program is misbehaving.

So I am tempted with the idea of rewiring and reprogramming the machine so that the safety module's power can be cycled by the program. This will of course be done only under special circumstances and with safety in mind. (The purpose of the idea is basically to give the user the ability to resolve these rare events, without having to resort of killing power to the entire machine. It will basically be part of the 'machine reset' sequence that the users are already familiar with.)

My question is whether or not this idea is against any rules when it comes to safety. Am I pushing the convenience factor too far with this idea?

I'm pretty confident that the idea will work, and not decrease safety. I'm just a concerned about rules when it comes to how a safety module is powered.

Again, in my case the machines all came with them directly powered off the power supply. I was thinking of running power through a Normal Close relay. The Special reset procedure will briefly energize the relay, rebooting the Safety Module. Otherwise, the relays stay de-energized and hence the safety module stays powered the vast majority of the time.

 

I would be hesitant to use a PLC output to control the power to the E-Stop controller. While I agree with you that this should not really impact the safety of the machine, generally speaking it is the case that non-safety rated controllers shouldn't interface with safety-rated controllers except in very specific ways. In this case, you can imagine a scenario where logic detects the faulted controller and automatically cycles power, with no human intervention. The fact that your logic doesn't actually do that is inconsequential; once you've got the ABILITY to programmatically interfere with the safety controller you have to use safety rated logic.

On the other hand, a physical push button the removes power from the E-Stop controller is probably fine. It's somewhat bizarre that PLC logic is not okay but a push button is, but that's generally how it is. How to label this button and train users on it are issues, of course.

It is very odd that you have to cycle power to the controller to reset it. I would be concerned about that, and would talk to Banner about what is causing this and why a soft reset won't clear the fault. To me, a push-button for soft reset sounds better than one for interrupting power.

-James Ingraham
Sage Automation, Inc.

 

Hi James,

That is bizarre indeed. Is this explicitly stated in the ANSI or OSHA rules somewhere? I'd like to take a closer read.

With the Normal-Close relay idea previously mentioned, the Safety Module will be normally powered. It takes a high output from the PLC to turn off power to the Safety Module. Even if the PLC or the relay went nuts, the worst it could do is keep the Module permanently off. And as I understand it... by definition a safety-rated device stays in a safe when unpowered and/or when faulted.

So I feel like these safety rules contradict themselves and really break my balls!

And yes, I agree that this is something I should talk to Banner about. This problem shouldn't be happening in the first place. Their manual is also a bit unclear as to which faults can be reset by the soft reset. And I also agree this is a training/discipline issue, *sigh*. These faults occur so seldom that its hard to reproduce them, or be there after it happens before the users cycle power.

 

I don't think there's a major issue with turning off the power to a safety component using a PLC output, as long as the PLC cannot reset anything and allow motion to continue.

However I'm a little reluctant to endorse this idea just because I prefer that the safety system be separated from the control system and not interact with each other except in very specified ways. That does not mean that the idea itself is unsafe, it just just means it's my preference to keep the systems as separate as possible. I'm a little concerned though that you can't reset the module without cycling power. I've never seen that with a safety system before, it makes me wonder if it's not configured correctly in some way.