Power-On Safety Macro for the Crouzet PLC

Return to the Industrial Control and Automation Index for related content.

All Programmable Logic Controller (PLC) programmers must pay attention to the corner cases. It is never enough to make the machine function. Instead, we must consider how the system will respond to unexpected events. One such event is the machine’s immediate action when the power is first applied.

For this article we will focus on a class of machines that feature a physical ON / OFF switch. This physical switch may directly start the machine, or it may act as a master-enable signal for subsequent machine actions. In either case, we must clearly define how the machine will respond when the switch is in the ON position during a power interruption. For this discussion, we will assume this unexpected power-on situation is a hazard to be avoided.

We will explore a solution using a Crouzet EM4 Programmable Logic Controller (PLC) programmed with the Crouzet-Soft software. Recall that the Crouzet PLCs are programmed using a combination of Function Block Diagram (FBD) and Sequential Function Chart (SFC) elements.

You are encouraged to review an earlier article that introduces the SFC elements. It’s important to recognize that each SFC block functions as a state. Inputs to the left of any given block control the state activation – these inputs “open the gate” for the token. A box is active when it contains a token. When active, the output to the right is used to signal that a particular state is active.

Tech Tip: There are a few different ways to look at machine control and how switches and pushbuttons are used in your design. We have two choices: the switch can be in control of your machine, or the software can be in control. In this article, we have a physical ON / OFF switch. Normally, such a switch is in direct control of the machine. However, we have added a state-based mechanism that takes suggestions from the ON / OFF switch. In certain situations, such as initial application of power, the switch is no longer in control of the machine. Instead, the software is in control and places the machine into a fault state.

State Based Control

The power-on macro is shown in Figure 1. This is a Finite State Machine (FSM) embedded into the SFC blocks. Observe that there are three states:

  • StateInitial: This is the initial power-on or reset state.

  • StateIdle: The StateInitial will transition to the StateIdle when the machine is placed into a safe condition. Here the term safe implies that all faults have been cleared and the power switch is in the OFF position.

  • StateEnabled: The StateIdle will transition to StateEnabled when the selector switch is placed into the ON position. The FSM will remain in this condition until the selector switch is placed in the OFF position, causing a return to StateIdle. It may also return to the StateInitial if there is a fault. Recall that the resettable initial step SFC block has invisible control wires that will remove token(s) from all SFC blocks. For this application, any fault will place the FSM into StateInitial. Again, the machine will stay in StateInitial until it has been made safe by physically turning the selector switch to the OFF position.

Figure 1: The power-on-safety module is programmed graphically using a combination of FBD and SFC elements.

Figure 2: Picture of the Crouzet EM4 PLC with the power-on fault displayed on the screen.

Video 1: Demonstration of the power-on fault protection provided by the macro.

Tech Tip: It’s important to distinguish between “level activation” and “edge triggered activation.” A level-activation system will remain active for as long as the enable signal is present – remove the enable signal and the system stops. An example is the physical ON / OFF switch featured in this article. On the other hand, an edge triggered system will start when a momentary pulse is applied. It can be programmed to stop on a subsequent pulse, or it may stop when an abort pulse is received. Such a system contains memory to stay in a particular state. A classic example is the 3-wire motor starter with the start and stop pushbuttons.

Macro Highlights

Before we conclude, let's identify some of the non-obvious aspects of the Figure 1 graphical program.

  • The STATUS block is a window into the PLC’s housekeeping activities. For this application, we perform an OR of the cold and warm init lines. This provides a first program scan operation that is used to place the FSM into StateInitial.

  • There are two unique faults implicit in the macro. We see the internal FaultPowerOn that occurs on an initial power up when the primary switch is in the ON position. There are also ExternFaults that may occur outside of the block. An example is a motor starter that fails to close within a specified period. From within the top-level program (not shown) we can expect many such faults to be ORed together.

  • All faults, both internal and external, must be cleared before transitioning out of StateInitial.

  • The code is documented using three general techniques. A header (text box) is included to provide a general description of the macro. Comments are included for important blocks. For example, the text “State initial” is a comment within a block. Finally, Crouzet’s “Text” mode is used for wire identification. The teal-colored names make the program human readable. For example, the FaultPowerOn set/reset memory block is reset when the main selector switch is in the off position and when the reset button is pressed.

  • FaultPowerOn is latched. This latch is an absolute necessity from a troubleshooting perspective. It remembers the fault even after it has cleared. On a related note, it’s a good idea to log the faults to further assist in troubleshooting.

  • FaultPowerOn is latched independent of the SFC blocks. While we certainly could use the SFC state-based mechanism to handle the faults, it seemed prudent to keep them separate for program clarity.
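
The state transitions and the FaultPowerOn latch described above can be checked in a scan-by-scan text model. This is an added example, not the attached macro or Crouzet code: the Python class, the input sequences, and the order of evaluation within a scan (latch first, then states) are assumptions made for illustration.

```python
from dataclasses import dataclass

INITIAL, IDLE, ENABLED = "StateInitial", "StateIdle", "StateEnabled"

@dataclass
class PowerOnSafety:
    """Hypothetical scan model of the three-state power-on macro."""
    state: str = INITIAL
    fault_power_on: bool = False  # latched outside the state logic
    first_scan: bool = True       # stands in for cold init OR warm init

    def scan(self, switch_on, reset_pb=False, extern_fault=False):
        # Set the latch when power arrives with the switch already ON.
        if self.first_scan and switch_on:
            self.fault_power_on = True
        # Reset only with the switch OFF and the reset button pressed.
        elif not switch_on and reset_pb:
            self.fault_power_on = False

        if self.first_scan or self.fault_power_on or extern_fault:
            self.state = INITIAL   # any fault pulls the token back
        elif self.state == INITIAL and not switch_on:
            self.state = IDLE      # made safe: no faults, switch OFF
        elif self.state == IDLE and switch_on:
            self.state = ENABLED
        elif self.state == ENABLED and not switch_on:
            self.state = IDLE
        self.first_scan = False
        return self.state

def run(inputs):
    """Power up a fresh controller and return the state after each scan."""
    plc = PowerOnSafety()
    return [plc.scan(*step) for step in inputs]

# Constructed input sequences: (switch_on, reset_pb, extern_fault) per scan.
HAZARD = [(True,), (True, True), (False,), (False, True), (True,)]
NORMAL = [(False,), (False,), (True,), (False,)]
EXTERN = NORMAL[:3] + [(True, False, True), (True,), (False,)]

if __name__ == "__main__":
    for name, seq in (("hazard", HAZARD), ("normal", NORMAL), ("extern", EXTERN)):
        print(name, run(seq))
```

In the HAZARD sequence, pressing reset with the switch still ON does not clear the latch, and turning the switch OFF without pressing reset does not clear it either; both conditions are needed before the model leaves StateInitial.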

Parting Thoughts

While all efforts have been made to present safe and reliable code, it should not be trusted. Things can and will go wrong. There may be errors in the macro, errors in the way that it is implemented in the top level, or other aspects of a program that have unintended consequences. There are also any number of ways the hardware may malfunction including switches, wires, power supply glitches, or even the PLC itself.

Please program defensively with safety as a priority. Also, consider incorporating fully independent safety systems. This could include equipment such as interlocks with safety relays.

Please provide comments and suggestions in the space below. If this macro (attached) was useful, we would very much like to hear from you. Also, we are open to ideas for new content. Please leave your requests below.

Best Wishes,


P ON Init.mcs (8.7 KB)
