E-stops, safety controllers and sensors require planning and coordination

How to balance safety and throughput
March 11, 2026

Key Highlights

  • Safety devices, such as e-stops, utilize dual-channel redundancy and low-voltage signaling to ensure that a single component failure or physical disconnection automatically halts the system.
  • Excessive or impractical safety requirements can lead to "workarounds," like bypassing sensors, that ultimately leave workers more at risk than a balanced, well-reasoned safety strategy would.
  • By networking safety PLCs with control systems, operators can pinpoint the exact location of a safety breach, allowing them to distinguish between a genuine emergency and a minor production interruption.

The space shuttle's flight computers ran as a redundant set and voted on sensed inputs to decide whether a variable was real or a phantom. You would want that kind of agreement before acting on, say, a reading that a door seal on the orbiter was leaking. Safety sensing isn't a new technology, but an understanding of what a safety system function actually is seems to be lacking a bit.

There are currently many options for building a safety system for automation beyond the old approach of a master control relay (MCR) circuit. Technology has advanced almost to the point that the safety strategy is as important as the control strategy.

A safety system has to protect people and the process machinery while the process or machine is running. Keeping people and operators out of harm's way is the safety application's primary responsibility.

I was in charge of the automation systems for a retailer's 1.7 million sq ft distribution center, with lots of blind spots and moving parts. Part of the system was a conveyor that brought pallets of goods into a building called the high-bay, where automated storage and retrieval system (ASRS) cranes picked up each pallet and deposited it in racking at a predetermined location.

As part of the project to implement this functionality, a new wrapper was installed. The project required that a pre-start health and safety review (PSR) be completed by a consultant. The operator station was in an office with a door that led to the inspection station for incoming pallets.

The PSR stated that a safety switch be integrated with the full conveyance system so that, if an operator opened that door, the full conveyance system would come to a halt. This created major issues for the automation because of timeouts and product flow, and productivity suffered greatly.

I'm sure you can figure out what happened next. Yep, the door sensor was removed from the door and tie-wrapped to the receiver so that the stoppages went away. Was it really required?

Sensor technology for safety encompasses many devices, and part of the safety mindset is the need for redundancy. A standard mushroom-head emergency-stop (e-stop) button in ordinary automation has one normally closed (NC) contact which, when the button is pressed, opens and shuts down the system. It was typically used as just another stop function.

In the safety world, an e-stop operator carries two NC contact blocks, each wired to its own channel of the safety relay or safety PLC, so that if one contact fails the other still opens when the button is pressed and shuts down the system. Once pressed, the button latches: the user has to rotate (or pull) the head to release it, and releasing it must not by itself restart the machine. A separate, deliberate reset is required before the safety outputs are re-enabled.

One of the technologies used in safety systems is dual-channel redundancy. The safety relay or safety PLC sources a low-voltage test signal through each channel, and what comes back tells it whether the device is able to perform its function: both channels closed means run; both open means a genuine demand; a channel that stays open, or returns the wrong signal, while the other is closed means a contact or wiring fault. So if a contact block falls off an e-stop because of vibration or an overzealous operator, that channel opens, the safety system drops to its safe state, and the automation control stops.


There are many sensor devices that qualify for use in a safety system. One device we tried to use was called the "eye in the sky." Its intended use was to detect movement within a defined physical area, such as a person walking, but it was unsuccessful because of production constraints. It was part of the PSR for the project and had to be officially removed from the PSR since it adversely affected the process.

This leads us to a pressing question: How much safety is too much safety?

Standard devices and strategies such as e-stops, limit devices, guard-locking switches and light curtains, to name a few, all offer the same level of functionality with dual-channel redundancy. Be clear about what that redundancy does and does not cover: it catches a failed contact, a broken or disconnected wire, and a short between the two channels, but it does not catch a switch that has been defeated with its own actuator, which is why a coded (for example, RFID) interlock is specified where bypassing is a concern.

These devices connect to a safety PLC or safety relay, which in turn interfaces with the automation control system. One way to let the automation know that an e-stop has been pressed is to set an output in the safety system that acts as an input to the control system. A second option is to add a normally open (NO) contact block to the safety device and wire it directly into the control PLC.

Doing this, however, takes the signal outside the safety system: the control PLC learns that a device was actuated but not what the safety PLC decided, and it loses the monitored, redundant signaling the safety PLC provides. A better possibility is that the safety system communicates with the control system over a network, whether as a safety-rated protocol or as plain diagnostic data, so that the full array of safety device status can be made available to the control system, the human-machine interface (HMI) and the supervisory control and data acquisition (SCADA) system.

Telling maintenance and operations where the safety breach happened can flag a production issue at the same time: for example, a door opened on a part of the system that really doesn't pose a safety hazard but still shuts down the whole plant.
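To make the dual-channel evaluation and the device-level status reporting discussed above concrete, here is a small Python simulation of how a safety relay or safety PLC judges the two channels of one device, and of the per-device trip report a networked safety PLC could hand to the control PLC and HMI. It is an added example, not code from the article, its author or any vendor's product. The test-pulse encoding, the discrepancy limit of three scans, the reset behaviour and the device and zone names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed setting (not from the article): consecutive scans the two channels
# may disagree before the input is declared faulty. Safety relays call this
# the discrepancy (or synchronisation) time.
DISCREPANCY_LIMIT = 3


class State(Enum):
    RUN = "run"      # both channels closed and plausible; outputs enabled
    STOP = "stop"    # demand on the device (button pressed, door opened)
    FAULT = "fault"  # wiring or contact failure; latched until repaired and reset


# What one channel returns in one scan. The relay drives a distinct test
# pulse out on each channel, so what comes back says more than open/closed.
OPEN = "open"         # nothing returned: contact open, or wire broken/unplugged
PULSE_A = "pulse_a"   # channel A's own pulse: A closed and wired correctly
PULSE_B = "pulse_b"   # channel B's own pulse: B closed and wired correctly
CONST_HIGH = "24v"    # steady 24 V with no pulse: short to supply, or a jumper


@dataclass
class DualChannelInput:
    name: str
    zone: str                    # part of the line the device guards (assumed)
    state: State = State.RUN
    reason: str = ""
    discrepancy: int = 0
    both_closed: bool = True     # result of the most recent scan

    def scan(self, ch_a: str, ch_b: str) -> State:
        """Evaluate one scan of both channels and return the new state."""
        a_closed, b_closed = ch_a == PULSE_A, ch_b == PULSE_B
        self.both_closed = a_closed and b_closed
        if self.state is State.FAULT:
            return self.state              # latched until reset() after repair

        # Plausibility: a channel may carry only its own pulse or nothing at all.
        for ch, seen, own in (("A", ch_a, PULSE_A), ("B", ch_b, PULSE_B)):
            if seen == CONST_HIGH:
                return self._fault(f"channel {ch} stuck at 24 V (short to supply or jumper)")
            if seen not in (OPEN, own):
                return self._fault(f"channel {ch} returns the other channel's pulse (cross short)")

        if self.both_closed:
            self.discrepancy = 0
            return self.state              # a cleared demand never restarts: STOP waits for reset()
        if not a_closed and not b_closed:
            self.discrepancy = 0
            return self._stop("both channels open (device actuated)")

        # One open, one closed: tolerated briefly (two contacts never move at
        # exactly the same instant), then treated as a component failure.
        self.discrepancy += 1
        if self.discrepancy > DISCREPANCY_LIMIT:
            open_ch, closed_ch = ("B", "A") if a_closed else ("A", "B")
            return self._fault(f"channel {open_ch} open while {closed_ch} closed beyond "
                               "discrepancy time (lost contact block, broken wire, welded contact)")
        return self._stop("channels disagree, waiting for the second channel")

    def reset(self) -> State:
        """Manual reset: honoured only when both channels are closed again."""
        if self.both_closed:
            self.state, self.reason, self.discrepancy = State.RUN, "", 0
        return self.state

    def _stop(self, why: str) -> State:
        self.state, self.reason = State.STOP, why
        return self.state

    def _fault(self, why: str) -> State:
        self.state, self.reason = State.FAULT, why
        return self.state


def trip_report(devices: list[DualChannelInput]) -> list[tuple[str, str, str, str]]:
    """Rows a networked safety PLC can publish to the control PLC and HMI: one per
    device not in RUN, naming the device, its zone, and whether it is a demand or
    a wiring fault, instead of a single anonymous 'safety OK' bit."""
    return [(d.name, d.zone, d.state.value, d.reason)
            for d in devices if d.state is not State.RUN]


if __name__ == "__main__":
    # Constructed scenarios; device names are assumptions.
    estop = DualChannelInput("E-stop 3", "whole line")
    estop.scan(OPEN, OPEN)                  # pressed -> STOP
    estop.scan(PULSE_A, PULSE_B)            # released -> still STOP until reset()
    door = DualChannelInput("Door 7", "inspection station")
    for _ in range(DISCREPANCY_LIMIT + 1):  # contact block fell off channel B
        door.scan(PULSE_A, OPEN)            # -> FAULT once the limit is exceeded
    guard = DualChannelInput("Guard 2", "wrapper")
    guard.scan(PULSE_B, PULSE_B)            # cross short between channels -> FAULT
    for row in trip_report([estop, door, guard]):
        print(row)
```

Two design points worth noting. A demand that clears (button released, door closed again) leaves the device in STOP until a deliberate reset, so nothing restarts on its own; and a fault cannot be reset until a scan shows both channels closed and plausible, which forces the cause to be repaired rather than cleared from the HMI. The report rows are what let operations separate "e-stop on the whole line" from "door 7 at the inspection station", which is the distinction the text above is asking for.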

Safety is required and, to be clear, it needs to be allowed to do its job. But be careful not to overprotect and cause unintended consequences.

About the Author

Jeremy Pollard, CET

Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.
