Return to the Industrial Control and Automation Index
Injury is one of the greatest threats in an industrial environment. When programming a Programmable Logic Controller (PLC), we should take measures to prevent accidents by embedding safety into the program. In this article, we will briefly explore methods to prevent unexpected system starts using Crouzet-Soft Function Block Diagram (FBD) code shown in Figure 1. The featured PLC is a Millenium Slim and supporting equipment shown in the PLC trainer pictured in Figure 2.
For this setup, we will assume the equipment is designed with three controls as presented in Figure 2. Here we see:
-
selector switch as a master on – off control.
-
momentary normally Closed (N.C.) (red) pushbutton to stop a machine cycle.
-
momentary Normally Open (N.O.) (green) pushbutton to signal the start of a machine cycle.
As programmers, we must consider how the user will interact with this system. We must also consider the abnormal operation arising from impatient users and power failures. For example, consider what would happen if:
-
the user held the cycle start switch while the selector switch was turned on.
-
the user physically jammed the cycle start switch.
-
the main power was interrupted and then restored while the machine was turned on.
-
the user simultaneously holds the red reset and green cycle pushbuttons.
-
the mains power was interrupted and then restored while the machine was turned on with a physically jammed cycle switch.
With a little imagination, we can see that each of these situations could inadvertently start a machine cycle or cause a momentary glitch. These unexpected starts could cause damage to equipment and harm the operator and service personnel.
In all cases, we should program defensively to prevent these situations.
FBD Test Bed
The FBD presented in Figure 1 will be used to illustrate the problem and solution. The core of this code is the Set / Reset block. It is set when the selector switch (I1) is turned on and the momentary green cycle button (I3) is pressed. It is reset when the red reset button (I2) is pressed or when the selector switch (I1) is turned off. While not strictly required, the green cycle button (I3) is disabled via an AND gate when the machine is active.
Simulated Error to Illustrate Complex System Interactions
To accentuate the unintentional, start-up problem, we deliberately misconfigured the Set / Reset block. It is configured with the set line as priority over the reset line. It is also configured for a save-on-power-failure. This is done to illustrate what could go wrong such as when we build more complex state machines.
The immediate result is upside down priorities where the green “go” button has priority over the red “stop” button. Perhaps more dangerous is the save-on-power-failure configuration. When power is restored after an interruption, the system will immediately restart.
Rising Edge Pulse
The first line of defense is to make the momentary start pushbutton truly momentary. This may be accomplished by sending the pushbutton signal through a rising edge detector. In the Crouzet-Soft FBD environment, this is accomplished by using a type BW (pulse-on-rising-edge) function block as shown in Figure 1 on the I3 line. This simple operation goes a long way to preventing unexpected start. With this modification, the N.O. green cycle-start pushbutton must enter a relaxed (off) condition before the next cycle may begin. Stated another way, there is no reason for an operator or maintenance technician to physically jam the cycle start button.
At some point, we must go back and reconfigure the Set / Reset block as the system will glitch if the green and red buttons are activated together. The green start button with its rising edge pulse will temporarily set the system only to be immediately reset by the red stop button. The glitch is just long enough to activate the PLC outputs. It will jog associated motors.
Figure 1: Function Block Diagram converting the momentary N.O. switch press signal to a pulse.
Tech Tip: Observe that Figure 1 uses a 4-input OR gate in the place of a 3-input OR gate. The extra input receives a duplicate from one of the inputs. The result in Boolean algebra is F = A + A + B + C which is the same as F = A + B + C since (A + A) = A by the idempotent property.
Figure 2: Picture of the equipment setup with a ON selector switch and momentary switches as the red reset and green machine cycle start.
Tech Tip: The red reset / stop button features a physical N.C. contact. As a rule, things that stop a machine should use N.C while those that start a machine should use N.O. contacts.
First Scan is critical for device safety
Recall that a PLC operates using a repeated program scan. For a typical PLC the loop looks like this:
-
perform housekeeping activities
-
transfer screw-terminal inputs to memory
-
perform memory to memory operation based on the user’s program
-
transfer memory to screw terminal outputs
The important thing to remember is that the user’s program operates as a memory-to-memory interface. With that said, we need to consider what happens when the PLC is initially powered up. Recall that the Set / Reset block was deliberately misconfigured with a save-on-power-failure. The implication is that the machine will immediately restart when power is applied provided the selector switch is in the run position.
A solution is suggested in the First Scan (FSCAN) macro presented in Figure 1 which is then expanded in Figure 3. It consists of a TON timer and an XOR gate. On the first program scan, the timer begins its count. The XOR gate will see a fixed logic 1 and a zero from the output of the timer. The result is a logic high. On the second program scan, the timer’s output will be high causing the XOR to output a zero. The net result is literally a pulse on the first program scan. This macro may then be used to initialize all modules within the PLC.
Figure 3: Function Block Diagram implementation of the first-scan macro.
Shifting focus back to Figure 1, we see that the first-scan output is ORed with the red pushbutton and the selector switch. Consequently, the first scan is used to reset Set / Reset block.
Tech Tip: The macro-operation is used to encapsulate code. This is highly desirable as it simplifies the top-level code. It also allows code to be reused. On the other hand, there is an old troubleshooting adage that all programming issues are contained within the macros especially if there are large or poorly documented. Always program for clarity.
Conclusion
This article serves as a brief introduction to defensive programming to prevent unexpected equipment startup. Note that it is woefully incomplete as there are many additional things to consider. For example, state machines add a considerable amount of complexity as does material workflow through the machine. As an example, consider how a multifunction machine should respond when the operator breaks the light curtain. One solution is to add a two-button safety start that is outside the machine enclosure in such a way that the operator cannot press the buttons from within the enclosure.
That brings us to the concept of Safety Integrity Level (SIL) and application of redundant and independent safety devices - all topics for another day.
Keep learning and program defensively to guard against the unexpected.
Best Wishes,
APDahlen
Return to the Industrial Control and Automation Index
