Hand - Off - Auto Control Philosophy

[Bob A. 1]

Ok Guys, I have inherited a system where there are Hand - Off - Auto Selector Switches on the MCC doors. In Hand, the two button stations out in the plant are in a normal "Start & Hold" configuration. However in Auto, the PLC gets complete Two Wire Control of the MCC starter. The result is that the Stop PB in the field is no longer in the curcuit. I don't like this at all, but it is going to require a lot of effort to revise the Stop PB into the Auto scheme. Anyone have an opinion about this ?

[OkiePC 14]

By "Start & Hold" do you mean a momentary button that, when pushed, starts the motor and it continues to run when the button is released? Can you add a N.C. contact to the stop button as a PLC input so that you can keep the stop function when in auto?

[Armadillo852 25]

Not that it is the best solution, but I agree, can you at least add a NC contact and run it to the plc? We do something similar here, HOWEVER, the stop buttons are always active no matter what. We do it because we have multiple run stations controlling one cell. Whatever station's key is on, has control. If more then one is on, no one has control.

[BobLfoot 301]

Bob's Opinions - 1. Stop should always STOP the associated Equipment. 2. I pray you have good Emergency Stop or other safety provisions near the equipment.

[Bob A. 1]

Yes to the first question and Rewiring and reworking the PLC App is the "Lot of Effort". There is no available field wiring to add the stop PB to the PLC input. And the field PBs are 120 VAC from the MCC bucket power supplies and the PLC inputs are 24VDC (also a component in the "Lot of Effort").

[Bob A. 1]

Bob, I agree that Stop should always Stop and yes, I built a SIL Level 2 Plant Wide E-Stop, plus a complete Local Stop system at each machine. I have drawn this system at least 15 different ways and it defies being easy. The best way that I have seen is to do away with the Selector Switch and the bucket power supplies. Then wire the field PBs into the PLC, change all the MCC starter coils to 24 VDC and run them from the PLC panel. I have come to hate the concept of power supplies in each bucket. For years, I had one main control system for each MCC and one power supply for the entire system. Now I have a different supply in each bucket which comes to the interposing relays in the PLC panel. So now, there are about 30 independent supplies coming into the PLC panel, beside the one that actually runs it. I have made a speciality out of cleaning up messes created by others, but this one is by far the worst. Thanks for all your replies, Bob A. Edited 11 Sep 2010 by Bob A.

[OkiePC 14]

Rather than run the bucket power back to the PLC panel, you can put the interposing relays in each bucket...we have several MCCs done this way. I agree with you in general about having a separate control circuit for each motor...seems a waste to me too, but I inherited the same situation and have decided to live with it for now. Also, depending on how it's wired, it might be possible to change the PLC two wire control to three wire control, and keep the stop button N.C. contact in there to break the seal. Can't say for sure how hard this would be to implement without seeing the electrical diagram... I agree that a stop button needs to always function, no matter how much work it becomes to make it so... Edited 11 Sep 2010 by OkiePC

[paulengr 44]

This is NOT the standard way to do it. The standard way is that the selector (HOA) is just that...hand (as in ON), OFF, Auto. Most of the time, I actually put them in as a JOA (jog/off/auto). The jog function is spring loaded. Reason is that these things are there for maintenance, NOT production. It's ok to bump the motor but not run that way since the JOA normally bypasses all interlocks.

[Bob A. 1]

Paul, I have been doing this a really long time and in my experience, if there is a "Standard" of anything, it would be that you always include a magnetically held element in the chain of control wherein prime movers are involved, simply to prevent an unexpected restart following a power loss. At this point in my evolution, I have augmented the "Magnetically Held" requirement to include provisions for Phase Loss. The wisdom of this approach was brought home to me just the other day (about 1982) when I was sent out as an "Expert" (someone with a briefcase and more than 50 miles from home) to help get a plant out of manufacturing trouble. As I was going through the front door, there was a mind bending blast at the main power feed right next the plant. Two hours later, when power had been restored, I was informed that the manufacturing line that I was there to see was out of commission. The maintenence guy told us that the blast resulted in a single phase condition and confessed that all 45 motors on the line had burned up as a result. It is well to remember that a dual element motor fuse is typically rated to carry 5 times the rated current for 10 seconds. So a 100 amp fuse is going to allow 500 amps for 10 seconds. When some code reader picks the fuse size at 125% (or more), what he is saying is that "I'm happy with the system having to endure at least 625 amps for 10 seconds". On a phase loss, the remaining good leg will see approximately double the running current and it is a horse race to see which one dies first, the fuse or the motor. If you get the opportunity to watch guys, who think that they can pick a fuse, explain to the plant manager why their protective devices failed to protect the equipment, what you are likely to hear is that their responsibility was to protect the wire or some other similar refrain. As the automation guy, "the buck stops here". My opinion is that you have to be the guy that is the advocate for the equipment. Look around, who else is going to do it? Engineering is building the next brainstorm, QA/QC is worrid about claims, maintenance is putting out the current fire and trying to figure out how to pay for the parts to rebuild from the one yesterday. That leaves the plant manager who is clueless but he cares to the extent that his bonus is effected. Thanks again for all the input and sorry for the rant! Bob A.

[gleblanc 1]

Sounds like we need an article on how to select protective devices. Send me a rough draft when you're done, and I'll review it!

[Bob A. 1]

Most of my fomative years were spent in a research facility as the electrical expert turned jack-or-all-trades. The interesting part was that there were no limits to anything, but unlimited possibility lead to unimaginable diversity. Our goal was to provide product improvement methodologies to our customers so that they would buy our products. It soon became clear that quick turn-around on equipment failures was of paramount importance. When we brought in senior management from large companies, there was an expectation of a very high degree of success. But with hundreds of machines all running in conjunction with each other, the probably of some failure was also pretty high as well. I was responsible for both operations and maintenance. So if it was running, I made it run faster and when it was parked, I made it more dependable. Since I frequently needed a source of good information and the Internet did not yet exist, the trade shows were very educational. And the best part of the trade show was the manufacturer's catalogs because in the back was an "engineering" section that protrayed the most up-to-date information available in any given segment of industry. Enter the SPD http://www.cooperbussmann.com/2/SPDTableofContents.html Fuses are of critical importance in this environment, probably not all that different than the ones that you all find yourselves in today. Soon it became very clear that there are many more kinds and families of fuses than there is time to digest their use. The Bussmann SPD "Selection of Protective Devices" is a PhD in the use of fuses and I have been reading it regularily for really long time...at least 30 years, maybe more. In time, I decided that I needed a system that could be understood and quickly applied (especially when CEOs were watching). So I solidified a scheme that included 8 families of fuses, four of the small glass (electronic) variety and four larger paper types (motors, etc). In the case of glass, there is the low voltage (clear glass) in both quick acting and delayed acting and then the higher voltage groups (not actually glass but white ceramic) that go up to line voltages in quick and delayed. Note: pay attention to the voltage rating on clear glass fuses...at around 4 amps or so, the voltage rating drops to 32 V! If you have clear glass fuses in line voltage applications bigger than about 4 amps, they may not be a fuse at all! Ceramic fuses are full of aluminia to quench the arc of a higher voltage failure. In regard to the paper groups, the uses were basically motors 250 VAC and below and 480 and these were dual element (later became LOW PEAK dual element). Then there are the little ones that are often found mounted in fuse holder on a power transformer in a combination starter, for example. And that leaves the semi-conductor group (very fast acting) for devices that were just beginning to appear, such as Solid State drives and the earily VFDs (hold up your hands...how many of you ever swapped the modules in a Parajust while the VP was watching?). My philosophy was simple, measure the current requirement and put in the smallest fuse that was bigger. If it failed unnecessarily, go up one. If a piece of equipment was unnecessarily damaged mechanically because a fuse did not fail, put in a smaller one. And if you are wondering why all this talk about fuses...it is really quite simple. When you take a fuse out of the box, it is new, it hs a well defined (and published) performance characteristic, it has no history, no memory, it was not cooked everyday for the last 14 years and they are a lot cheaper than the equipment that they protect, so use them accordingly! Admittedly, I had most every size of each of these fuses in stock and yes, I had to buy more of them occasionally. One day, there was a debriefing following a customer visit wherein we were all standing around talking informally about how things had gone. I mentioned to one of my guys that I had put a fuse into service that was bigger than I wanted because I did not have the right one. All of a sudden, my VP wheels around and in front of the whole group, he tells me "Don't ever let not having the right things become your excuse for failure; we are in the business of success....plan for it!" He was wearing a really well fitted blue suit with a red tie and an especially well appointed diamond tie tack. That was about 1980, but I still remember what he said as well as what he was wearing. Any questions ? Best Regards, Bob A.

[dogleg43 1]

Sparky, From your description this a very common and accepted control scheme in my experience as a controls engineer (over 25 yrs). The Start and Stop/Hold buttons are bypassed in AUTO and then some sort of limit switch or other device will start and stop the motor/machine in an orderly process. My question is, in HAND should the Start PB always start something or should there be some sort of control device to inhibit the running of the machine? Example: If the machine is in HAND should the operator be able to start it and run an engine block off the end of the conveyor or should there be a photoeye wired/programmed in to stop the line if the engine block gets to the end of the line? Believe me, I've seen this happen. Management said HAND means HAND.............until two engine blocks were run off the end of the line. Then they said well, what we really meant was that HAND should still prevent stupid things from happeining. Yeah, right.

[Bob A. 1]

I was fairly certain that this question would provoke some excellent soul searching and discussion. It is amazing to me that we see this stuff everyday and still, there is all this discussion about somthing that should be fairly clear. Everytime I figure out the best way to do this circuit, something else happens that changes my thinking. Thanks very much for all the thoughtful comments! Bob A.

[sirius0 1]

Use a (shudder!) relay that is piloted from the field buttons when the stop button is pressed to force the mode back into Hand whilst also causing the stop to work, Edited 21 Sep 2010 by sirius0

[paulengr 44]

I have heard the same B.S. about "hand means hand" or "manual is manual" before. When you get into risk assessments you find out two things right away: 1. Risk assessments rarely ever call for an "E-Stop". In a calm, non-panic situation, with enough training, operators can be expected to do the right thing 90% of the time. That's a 10^-1 probability of error, or SIL 1. Just as with PLC's and other devices, you can't make the system substantially better than the weakest link. By nature, an E-Stop is of course meant to be used in a panic situation and rarely gets used so of course it is not a 10^-1 probability of error at all. A SIL 2 E-Stop system is vast overkill since the initiating event to prevent an accident is never greater than 10^-1 reliability. Worse yet since this is only a PFD (probability of failure on demand), it shouldn't get used more than once a year so then your E-Stop training hardly ever goes into play. Otherwise it is considered a continuous system and meeting SIL 1 requirements ratchets up significantly, well beyond the capabilities of an operator. 2. Safety systems should be operational AT ALL TIMES, regardless of what the operator does, unless things are completely locked out. That's not to say that you can't have a 4-level system ("auto", "mostly manual", "operational lockout", "maintenance locked out"). It is to say that whatever an operator should be able to do in manual does NOT remove the safety system. It merely means that you probably bypass a LOT of interlocks and sequencing that should be present during automatic operation. This applies whether you are looking at IEC 61508, 61211, OSHA, or any other risk assessment system in most 1st world countries. By definition if it is locked out, then you've disabled all sources of potential harmful energy so the controls don't matter any more. BUT you can have an operational state similar to lockout and might even have physical padlocks involved but it's not the same as locking out for maintenance activities. In general I usually just have 2 sets of interlock strings. Set 1 is ALWAYS active and can't be disabled. Set 2 kicks in only in "auto" mode. By the way, I had a plant manager challenge me on this once. He wanted auto to mean auto and meant to enforce it. I explained that in good conscience I would comply but only if I had a signed statement explaining this. I had the signed statement in hand before discussing it. I wrote it in completely neutral language. It stated something like this: I understand that my engineer's opinion is that removing all interlocks is in violation of OSHA regulations and may damage equipment. I understand that disabling motor overload protection is a National Electric Code violation. I understand that disabling interlocks on the radiation detection system may allow radioactive materials to enter the system.... Remember though, doing this has to be done in a nonthreatening manner. You are there to provide a service function and execute based on the demands placed on you. You have to do what is right in good conscience and point this stuff out. It is absolutely critical to get all of your own emotions out of the picture and stick with purely factual requirements and codes/regulations that actually exist. And if you do so, make sure you have a strong leg to stand on and can handle getting terminated (we'll find someone else to do it). In my particular case, I was setting the plant manager up to be terminated and he knew it. By the way, the plant manager after this incident was on my team and production had to back down. We sat down in a follow up meeting and walked down through every single interlock. We kept only the ones that we ALL agreed were absolutely necessary in "manual" mode. All others were disabled. We made all manual functions momentaries as well...operators had to conscientiously push a "dead man" switch to do it, and we made all automatic functions disabled and slowed down all the actuators...basically you couldn't "run" the machinery at all in manual control.

[Bob A. 1]

Once again, thanks for all the thoughtful replies. To clairify a few issues, which I didn't think were real pertinent at the outset, this plant has some really out of the ordinary conditions that must be considered when designs are done. First, it is in a flood plane so there is water in there every few years. So as much as possible of the control and MCCs. etc. is on the second floor while all the heavy stuff is on the ground. Second, the material being processed is flammable metals that catch fire and cannot be extinguished, so equipment gets damaged and replaced occasionally. So to address these issues, inexpensive equipment is available close to the operator and as much as possible is upstairs. The deviecs being started are mostly pumps so no Jog function is necessary. In the Auto position at the MCC bucket, two wire control from the PLC is in turn controlled from the MMI in the risk area. This overrides the Two Button, three wire control in Hand, which are located in the Pump Room on the ground floor. I have convenced the management that we should revise the wiring so that the Stop PB in the Pump Room will remain functional, even in Auto, so now I will draw that whole thing for about the 20th time with that in mind. A hydraulic rebuild is coming shortly so the problem can be addressed during an outage. As for the SIL 2 Plant Wide E-Stop, it was required by the insurance company (for use during the fires) and so it is there, and in two years, it has be used twice, once by accident. We have assembled a phase monitor / power quality monitor and I'm seeking to tie it to an input in the E-Stop system, but so far, that has not been a simple matter. My argument is that on a single phase condition or a low voltage condition, the plant wide equipment shutdown needs to happen, which is exactly what the E-Stop does. Conclusion: Nothiing is ever as easy as it should be !

[BobLfoot 301]

Just one thought on this, If your plant is anywhere as spread out as ours you'll eventaully have multiple Power Monitors. And will want to consider the Plant Wide Shutdown for the situation of incoming brownout or single phasing, but for Interally Caused single pahse situations you might want to shed the process in question from the bus and leave the rest of the processes under power. With asutomated power montiors and coordianting plc or pc code this all happens in a fraction of a second. Just an idea.

[Bob A. 1]

This plant is not huge. When the power blinks, everything stops and has to be restarted now. The real challenge it to get everything on the same page. Some deviecs already have phase loss protection (such as VFDs) but other items do not. Some devices are under the control of PLCs that are on UPS protection, where their loads obviously are not. My objective is to get a universal stop when a blip, excessive sag or a single phase situation occurs. It is far easier to do a complete restart that it is to go around and evaluate every device to see what is not working correctly. Since we are coming to a large upgrade, all these issues will be added to list to be addressed. Bob A.