SDM, Posted December 8, 2009 (edited)

Hello all, I have a system that has an E-stop circuit with E-stops and Safety gates in it. I also have 3 safety mats that prevent certain parts of the machine from running if someone is on the mat. Right now when an operator leaves the mat I make him go over to the HMI and reset the mat for work to resume. This system is Compact Logix L32E and a Banner safety controller with Ethernet. The operators do not like having to reset the mat every time they leave the protected work area. It is my understanding that cycle can not resume (or start) by a safety device. Are my thoughts correct? Can I let cycle resume when the operator leaves the mat?

Edited December 8, 2009 by SDM
jstolaruk, Posted December 8, 2009 (edited)

Last I looked into this, OSHA had not approved the practice, and I've not deviated from disallowing it; I require the operator to manually reset the safety circuit (or to restart autocycle). None of my customers have challenged me on it (to shortcut it) but the rules may have since changed.

Edited December 8, 2009 by jstolaruk
paulengr, Posted December 8, 2009

If it's an E-Stop, no matter what it's shaped like, then you need a manual reset or a lot of procedural paperwork. OSHA allows you to deviate from this and it's perfectly acceptable if it's an operating procedure because it's no longer an outlying event, it's now a work routine and routine activities don't for instance require a full-blown lock-out/tagout procedure. So first consider this route. All you need is for the safety department to write a procedure and you're off the hook.

HOWEVER, be aware that most risk assessment codes, even simplified ones, are based on the idea that safety devices protect against unforeseen events. An E-Stop for instance should never, never, never, ever be used as a general stop device. What happens in this situation though is that because emergency devices are rarely used and should rarely trigger, the level of maintenance inspections and such on them is also comparatively low. This is because they are treated as "low demand" devices and the key statistical measurement is the probability of failure on demand. With SIL levels for instance, SIL 1 is equal to 10^-1 to 10^-2 probability of a dangerous failure (1-10%) worst case over the life of the system. SIL 2 raises this to 10^-2 to 10^-3. Again, these are on demand requirements. This would be the case if the device triggers only say once a year or less.

The other category is high demand or continuous (routine) use. In this case, the probability of a dangerous failure is now determined by the number of dangerous failures per hour, instead of looking at the probability of a one time event, since the system is being continuously exercised. In the case of SIL 1 for instance, the probability of failure would be raised to 10^-5 to 10^-6. At this point, you will probably be looking at safety mats PLUS light curtains (multiples) or some combination like this to achieve the same thing. It will be extremely difficult at best to provide this level of safety integrity since compared to a low demand system, you are well past what would be SIL 4 for a low demand system. This is using IEC 61508 which gets referenced in 61511 for processes or 62061 for machinery.

The way that I've dealt with this in practice is to avoid the thing you are doing...you are mixing control (interlock) and safety systems. In reality you are probably already violating the safety code that you are using because you are using it in a high demand mode (routine activity), but the code is designed for a low demand situation. It can be done under extreme circumstances, but it is painful at best to achieve this level of integrity. A lot of transportation systems operate at this level.

What works better is to have a two-layer system. For instance, place a light curtain around the area to be protected and place it inside the mats. Set up your safety system around the light curtains. Now the mats can serve as interlocks and are part of the machine control system but they are not part of the safety system. The safety system is a "last line of defense". As long as the machine isn't cycling when the operator passes through the light curtain, the safety system doesn't trigger. Since the system is already down (triggered off by the mat), only a failure of the pressure mat or an operator doing something stupid/creative will trigger the safety system and force a safety stop condition. The mats can just be ordinary PLC inputs since they aren't safety devices any more, even if you use safety grade pressure mats.

The reason that I recommend a light curtain for this is timing...if you run the calcs on pressure mats, usually they need to be quite long to avoid the situation of someone theoretically running across the mat and getting past it (usually almost 2 meters long). With a light curtain and a very fast safety relay, you can usually get down to perhaps several inches (tens of centimeters) at most.
TimWilborne, Posted December 9, 2009

Could you elaborate on how you tie the cycling of the machine into the safety system without "bypassing" the safety system?
SDM (Author), Posted December 9, 2009

Are you saying that if the machine is not in cycle you can use the mats to mute or disable the light curtain? Like TW asks? The fact is the operator has to enter this area. Entering this area while the gated part of this machine is in operation is a must. I am grateful for the time you're spending to explain this. I would be happy to add light curtains or a laser to this area. Let's make sure I am going to do it right.
JRoss, Posted December 9, 2009

You must have a manual reset for the final safety relay. If the machine is stopped for a safety reason (someone was about to get hurt), then the only way to restart is to manually reset the safety relay. However, if the safety system is set up properly, this will only happen if there is truly an emergency. If the operators are safety stopping the system on a regular basis, then either they are extremely unsafe operators, or your system could be set up better. I would recommend asking your local safety distributor or integrator to look at the system to do a better analysis, but I can give you some pointers. Take them at your own risk! Since I don't know anything about your machine or process, here are several scenarios:

1. Operators are stepping onto the mat during machine cycle because the mat is too big. Probably this has to do with safety distances, as Paul suggested. A light curtain has a shorter safety distance (can be closer to the machine) for two reasons. First, it's not mechanical and has a faster reaction time. Second, the "depth of penetration" or "DoP" is much shorter. DoP is how far a person can get into the safety area before the safety device registers their presence. Safety mats have a high DoP, because you can stick your arm into the area, or leap into the area without tripping the mat. A safety light curtain with a resolution (distance between light beams) of 1/2" has a much shorter DoP, because you can only get the tip of your finger in without tripping it. If you switch to a light curtain, you can decrease the safe area.

2. Operators are stepping onto the mat during machine stops to add/remove parts. The process can be improved by adding a safety controller with muting capability in between the safety mat and the final safety relay. PLC outputs (dual complementary, for redundancy) or sensors, or both, indicating when the machine is stopped would be used as muting inputs. This must be done with care! When the machine is stopped, the safety controller would not trip the safety relay. If the machine would start while someone is on the mat, or someone would step onto the mat while the machine is running, the controller would trip the relay. Muting is perhaps most commonly used with light curtains, but is valid with any safety device. With the right hardware, you could even use the safety system to signal the machine to restart. I've seen light curtains that have that functionality built in.

3. Operators are stepping onto the mat to access a stopped portion of the machine, while other portions could keep running. If the "stay-running" portions of the machine are also accessed via the mat, remove the safety mat and use light curtains with muting at the access point to each section of the machine. If the "stay-running" portions of the machine have separate, gated access, then refer to scenario "2". The only difference would be what conditions mute the safety device.

In conclusion, you should be able to improve your system. Start with your distributor, and if you aren't comfortable with doing the design and modifications, hire an outside contractor.
Harikumar, Posted December 10, 2009

No, as per the safety standard it is not correct. When the safety parts are getting ON the operator must press the reset. As per my experience with Compact Logix and the Banner controller, the reset is required. Otherwise you can use a Safety PLC, which does not need the mat to be reset every time they leave the protected work area. If you need more information about safety PLCs please let me know and I will explain.

Best Regards
Hari
SDM (Author), Posted December 10, 2009

I have a few AB L61S controllers here. It also has manual or automatic reset, and muting. Thanks for your offer. I think I will add light curtains as the "E-stop" portion of the machine and allow muting when safe.
paulengr, Posted December 13, 2009

You do NOT tie them together. That's the mistake. For instance, take a simple level sensor, level switch, pump, and blocking valve. The level switch is tied to the blocking valve and energizes at 105% of the operating range, and uses a safety relay. The control system (PLC operated) uses the level sensor to shut off the pump at the 100% level. The safety system is placed just outside the operating range and triggers only in the event that we have an out-of-limits situation. In practice you may want to use the safety relay to provide power to the pump starter relay as well. That way the safety switch both kills the pump and closes the blocking valve. In the event that the pump starter welds shut, the blocking valve still works. The pump starter and level sensor need not have any sort of safety rating.

In your case, placing a light curtain at the end of the safety mat provides the same function. The safety mat no longer serves a safety function. However, if you need to pass things through the light curtain, then this requires something different. It is called muting. This is where you suspend the safety functions in a nonhazardous part of the machine cycle. Detection of the machine's cycle must be done with the same integrity as the safety function itself. So in practice, place safety-grade photoeyes or similar devices where they can monitor the machine itself rather than personnel. This causes the safety mats (the muted input) to be ignored. How you actually wire this up depends on the muted safety relay module you are using. The machine itself can use the non-safety outputs of the module to inhibit cycling. The muting inputs have to be configured to trigger fast enough to shut everything down if the non-safety functions fail.
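
A scan-by-scan model of the two-layer arrangement discussed in this thread (mat as control interlock, light curtain as latched safety function, muting only while the machine is detected as stopped), added here as an illustration and not taken from any poster's program. The class, function and channel names are hypothetical, and the two redundant stop-detect channels are an assumption; in a real cell this logic sits in the safety relay or safety controller.

```python
from dataclasses import dataclass


@dataclass
class Cell:
    """Toy model: mat = control interlock, light curtain = safety layer."""
    running: bool = True    # machine in cycle
    tripped: bool = False   # latched safety-relay state

    def scan(self, mat_occupied, curtain_broken, reset=False, mat_faulty=False):
        # Safety layer. Two redundant stop-detect channels (assumed) watch the
        # machine itself; muting is granted only when both report "stopped".
        stopped_a = stopped_b = not self.running
        muted = stopped_a and stopped_b
        if reset and not curtain_broken:
            self.tripped = False          # manual reset, only with the zone clear
        if curtain_broken and not muted:
            self.tripped = True           # entry during cycle: latch the trip
        # Control layer. The mat is an ordinary PLC input that pauses the cycle
        # and lets it resume by itself once the operator steps off.
        mat_seen = mat_occupied and not mat_faulty
        self.running = not (self.tripped or mat_seen or curtain_broken)
        return self.running, self.tripped


def replay(steps, mat_faulty=False):
    """Run (mat_occupied, curtain_broken, reset) tuples through a fresh cell."""
    cell = Cell()
    return [cell.scan(m, c, r, mat_faulty) for m, c, r in steps]


# Constructed sequence: step on mat, reach through curtain, step back, walk away.
VISIT = [(True, False, False), (True, True, False),
         (True, False, False), (False, False, False)]

if __name__ == "__main__":
    print("healthy mat:", replay(VISIT))
    # Same visit with a failed mat, followed by a manual reset on the last scan.
    print("failed mat: ", replay(VISIT + [(False, False, True)], mat_faulty=True))
```

With a healthy mat the cycle resumes on its own when the operator walks away; with a failed mat the curtain trip stays latched until the reset scan.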