Why your e-stop button logic can be a liability

Process control vs. safety protocols

Key Highlights

  • Wiring a stop button normally closed and examining it with a normally open instruction (XIC) ensures the system fails safely: the output de-energizes when the button is pressed, and also if a wire breaks or a connection is lost.
  • An emergency stop is a dedicated safety device designed to physically remove power from hardware, whereas a standard stop button is an operational command for the software logic.
  • Effective automation requires the control system to know the safety system’s status, so that cutting power abruptly does not trigger spurious diagnostics or set up mechanical nightmares.


I have lamented on a regular basis that many noobs are doing a disservice to the automation public by programming a typical stop button as an NC command (XIO), which an experienced control person knows is wrong. Seriously, it is wrong.

Then I have seen these same inexperienced “programmers” examine an emergency-stop button with the same NC command, which suggests that the emergency stop (e-stop) is being used as an ordinary stop function for the connected rung output.

Wrong again.

A physical stop button is a pseudo safety device, which means that when the button is pressed the logically connected output needs to be de-energized and turned off. If the button is wired normally closed and examined with an NO command (XIC), the input is a logical 1 only while the circuit is intact, so should the wire come off, the output is turned off as well. One potential issue, however, is that the contact block can separate from the button operator while its wiring stays intact: the contact stays closed, so when the button is pushed there is no actionable functionality, and the connected output does not stop. “Then what?” you may ask.

Hit the e-stop button to turn off power to the outputs. A drastic move? Maybe. But if the physical movement has to be stopped, it is the only option once the stop function has failed.
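The difference between the two ways of programming the stop button is easiest to see scan by scan. The following is an added example written for this page, not code from the article or its author: a small Python model of a seal-in motor rung with the stop button examined either as NC wired plus XIC (the pattern the article recommends) or as NO wired plus XIO (the pattern it calls wrong), with the stop wire falling off and then the e-stop pressed. XIC and XIO are the Rockwell ladder instruction names; the rung layout, tag names and the event sequence are assumptions made for the illustration.

```python
# Added example, not from the article: a scan-by-scan simulation of a motor
# run rung written two ways, with a stop-button wire break injected.
# XIC ("Examine If Closed", true when the input bit is 1) and XIO ("Examine
# If Open", true when the bit is 0) are Rockwell ladder instruction names;
# the rung layout, tag names and event sequence are assumptions.
from dataclasses import dataclass


@dataclass
class Scan:
    start_pb: bool   # momentary start button, wired NO: 1 only while pressed
    stop_in: bool    # PLC input bit fed by the stop button's contact block
    safety_ok: bool  # from the safety relay/PLC; assumed 1 while power may be on


def xic(bit: bool) -> bool:
    """Examine If Closed: passes power when the bit is 1."""
    return bit


def xio(bit: bool) -> bool:
    """Examine If Open: passes power when the bit is 0."""
    return not bit


def stop_input(wired_nc: bool, pressed: bool, wire_ok: bool) -> bool:
    """Model the input bit behind a stop button. An open wire reads 0 no matter
    what the button does; otherwise an NC contact is 1 until pressed and an NO
    contact is 0 until pressed."""
    if not wire_ok:
        return False
    return wired_nc != pressed


def run_rung_nc_xic(s: Scan, run: bool) -> bool:
    """Stop button wired NC and examined with XIC (the pattern the article
    recommends). Pressed or wire off both give stop_in=0, so the seal-in
    rung drops out either way."""
    return xic(s.stop_in) and xic(s.safety_ok) and (xic(s.start_pb) or run)


def run_rung_no_xio(s: Scan, run: bool) -> bool:
    """Stop button wired NO and examined with XIO (the pattern the article
    calls wrong). Pressed gives stop_in=1 and the rung drops, but wire off
    gives stop_in=0, which XIO cannot tell apart from a healthy, unpressed
    button."""
    return xio(s.stop_in) and xic(s.safety_ok) and (xic(s.start_pb) or run)


# Constructed event sequences, one PLC scan per event.
NORMAL_EVENTS = ["press_start", "release_start", "press_stop"]
WIRE_BREAK_EVENTS = ["press_start", "release_start", "stop_wire_falls_off",
                     "press_stop", "press_estop"]


def simulate(rung, wired_nc: bool, events=WIRE_BREAK_EVENTS) -> list:
    """Apply the events to one rung and return the motor output after each
    scan. The e-stop acts through the safety system, i.e. it drops safety_ok
    rather than going through the stop button's input."""
    run = start = pressed = False
    wire_ok = safety_ok = True
    history = []
    for ev in events:
        if ev == "press_start":
            start = True
        elif ev == "release_start":
            start = False
        elif ev == "press_stop":
            pressed = True
        elif ev == "stop_wire_falls_off":
            wire_ok = False
        elif ev == "press_estop":
            safety_ok = False
        run = rung(Scan(start, stop_input(wired_nc, pressed, wire_ok), safety_ok), run)
        history.append(run)
    return history


if __name__ == "__main__":
    for name, rung, nc in [("NC button + XIC", run_rung_nc_xic, True),
                           ("NO button + XIO", run_rung_no_xio, False)]:
        print(f"{name}: {dict(zip(WIRE_BREAK_EVENTS, simulate(rung, nc)))}")
```

With an intact wire both rungs start and stop the motor as expected. Once the stop wire falls off, the NC/XIC rung drops out on that scan, whereas the NO/XIO rung keeps the motor running and a press of the stop button no longer does anything; only the e-stop, acting through the safety system rather than the rung logic, stops it.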

An e-stop is a safety device that, when pressed, must turn off power to the selected outputs. Imagine a pallet wrapper attempting to wrap a pallet while the product is leaning and in danger of falling over. The operator hits the stop button with no resulting action. He needs to hit the e-stop since the wrapper arm may hit the product and be damaged.

And it must stop—full stop.

It is wise to understand what a true safety device is and how it behaves, and the e-stop button is the most widely used safety device in automation.

A safety device is a device connected to a process such that, when it is activated, the process must stop reliably, and if a wire or contact block falls off, that failure must be detected. Take the wrapper application: if a person enters the cell, typically a door safety switch will shut down the wrapper for the safety of the individual. A light curtain may be used as well.

So, protection of the process equipment and of the people surrounding it are the two main reasons for implementing a safety strategy.

Connecting an e-stop to a safety system may require a safety relay and/or a safety PLC which interfaces with the main automation control system to tell the main control strategy that the safety system has been activated.


This can be accomplished in multiple ways. Some safety PLCs communicate over Ethernet and can tell the main control system the status of any part of the safety system. This is very advantageous when the safety application monitors more than one part of the process. An e-stop on a wrapping system may not shut down the output conveyor, for instance.

If instead discrete outputs from the safety PLC are hardwired to inputs on the control system, the control program has to be written to organize the effects of an e-stop being pressed.

This is where some confusion may come in. Do you energize the “safety OK” control point so that it is a logical 1 when all is OK, or is it a logical 0 when all is OK? The same fail-safe reasoning as for the stop button applies: if the point is a logical 1 when all is OK, a broken wire or a dead safety relay reads as not OK, rather than as permission to run.

An e-stop engaged through a safety system will remove power from the controlled area, creating a possible control nightmare.

Imagine in this wrapper application that the infeed conveyor motor is running and transferring a pallet into the wrapper when the operator notices the wrapper is out of film. While not an emergency as such, he hits the e-stop button, turning off the power to the infeed conveyor motor and the wrapper.

The control strategy must know this so that alarms and diagnostics aren’t triggered spuriously, since the output to the conveyor motor would still be on in the logic but off in the real world. Other sequencing may come into play as well, causing the control system to take an action that creates more issues because the conveyor isn’t actually running.
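To show what “the control strategy must know this” means in logic, here is an added example written for this page, not the article’s own code: a scan-by-scan “motor did not run” diagnostic for the infeed conveyor, written once without and once with the safety system’s status. It goes a little beyond the article by adding a scan counter so the auxiliary contact is allowed a few scans to pull in before the alarm fires. The safety-OK point is assumed to be a bit from the safety relay or safety PLC that is 1 while power is applied to the controlled area; the scan budget, tag names and scan sequences are assumptions.

```python
# Added example, not from the article: a scan-by-scan "motor did not run"
# diagnostic written with and without knowledge of the safety system. The
# safety-OK point is assumed to be a bit from the safety relay/PLC that is 1
# while power is applied to the controlled area and 0 once an e-stop has
# removed it (the fail-safe polarity: a broken wire also reads 0, i.e. not OK).
# The scan budget, tag names and scan sequences are assumptions.

FEEDBACK_SCANS = 3  # scans the auxiliary contact may lag the run command


def motor_monitor(cmd_on: bool, aux_on: bool, safety_ok: bool,
                  count: int, gate_on_safety: bool) -> tuple:
    """One scan of a failed-to-run check. Returns (alarm, new_count).
    A run command with no auxiliary-contact feedback increments the counter;
    the alarm fires once it exceeds FEEDBACK_SCANS. With gate_on_safety the
    check is held reset while the safety system has removed power, because a
    motor that cannot be powered is not a motor that failed to start."""
    if gate_on_safety and not safety_ok:
        return False, 0
    count = count + 1 if (cmd_on and not aux_on) else 0
    return count > FEEDBACK_SCANS, count


def simulate(gate_on_safety: bool, scans: list) -> list:
    """Run constructed scans of (cmd_on, aux_on, safety_ok) through the
    monitor and return the alarm state after each scan."""
    count = 0
    alarms = []
    for cmd_on, aux_on, safety_ok in scans:
        alarm, count = motor_monitor(cmd_on, aux_on, safety_ok, count, gate_on_safety)
        alarms.append(alarm)
    return alarms


# Constructed scan sequences.
# The operator hits the e-stop while the infeed conveyor is running: the logic
# still commands the motor on, but the safety system has cut its power, so the
# auxiliary contact drops out.
ESTOP_WHILE_RUNNING = [(True, True, True)] * 2 + [(True, False, False)] * 5
# A genuine failure: power is present, the motor is commanded, no feedback.
CONTACTOR_FAILED = [(True, False, True)] * 5


if __name__ == "__main__":
    print("ungated, e-stop:", simulate(False, ESTOP_WHILE_RUNNING))
    print("gated,   e-stop:", simulate(True, ESTOP_WHILE_RUNNING))
    print("gated,   fault: ", simulate(True, CONTACTOR_FAILED))
```

The ungated monitor raises a failed-to-run alarm a few scans after the e-stop, even though nothing is wrong with the conveyor; the gated monitor stays quiet during the e-stop yet still catches the genuine contactor failure when the safety system reports power present.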

Knowing the condition of each area of safety control is a must for a managed automated process. Having that knowledge available to the control logic allows for a better and safer strategy for the process.

Machine control systems have two areas of concern—operational and safety. E-stops belong to the safety side, but they act on the process, so the control logic needs to give them specific consideration.

Be safe.

About the Author

Jeremy Pollard, CET

Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.
