Safety Reset over Ethernet?

russg
Hi,

I'm looking at a newish system we have on site and noticed they are resetting the Pilz safety PLC via ethernet comms from the main Siemens PLC. The reset button is wired to the Siemens PLC and then passed through over profinet.

This seems a bit risky to me. It's used to reset the E-stop Pilz block, which is set to manual on a positive edge trigger, but I'm surprised that Pilz even allow this to be used for the reset?

Is there anything wrong with doing this, and if so does it break any of the safety regulations?

I found this thread: http://www.plctalk.net/qanda/showthread.php?t=65761

…which talks more about using a PLC output as the reset of a safety relay. That doesn't sound as bad as using communications, as we all know these can fail in many different ways, hence the use of a watchdog / tick-tock monitor.

Thanks

Russ
 
In my experience with Siemens safety PLCs, the examples always show the safety reset coming in on a standard input, so in principle, I don't see why the PILZ couldn't get a reset from a PLC. I also commonly see resets from the HMI.

My understanding is that RESET is not a safety function. A Safety Function would be something like "ensure the machine stops if something crosses the light curtain". This safety function is not (or at least shouldn't be) affected in any way by a failure of the reset signal. Either the failure doesn't allow the station to reset (it remains in its safe state) or it gets reset accidentally, at which point it detects that the light curtain is still broken and nothing actually happens.
 
If they are using the Pilz PNOZmulti configurator, then in my experience, there's nothing wrong with resetting through ethernet.
They will probably also get the emergency button IO from the ethernet communication. This could spare a lot of wiring.

Like mk42 said, the reset itself stands apart. In my view, if the PLC output is broken, or the simple push button, what's the difference?

Note: the safety program inside the Pilz should be engineered correctly. You can mess it up there.
 
Depends who you ask.

One of my major clients gets each and every new or modified machine externally validated by a CMSE before they let production anywhere near it, and they use a variety of external auditors for this. I too am a CMSE, but don't typically validate their systems as I have more fun designing them than validating them, and they (quite rightly) don't want the same person designing and validating.

Of all the CMSEs I've asked this question (including myself) - some will tell you yes, others will tell you no. Some will allow a safety reset directly over comms from an HMI; others won't even allow a safety reset from a relay hardwired into a safety input - they have to see the reset button itself wired into the safety input. Ultimately it would come down to risk assessment and validation.
 
Reset isn't a safety function.

The feedback monitoring however is.

So as long as it is purely a reset, no issue.

The only argument against doing this is: where is the operator when resetting the device? The reset location should be such that the operator can make sure it is safe to reset, i.e. clearly see that persons aren't climbing around the machine.
 
I've never used Pilz so I don't know that hardware specifically. With a Banner safety relay, in order to use a networked reset the PLC and the safety relay have to pass back and forth an activation code to ensure any other safety relays that may be on the network receive the correct reset.

Obviously it's a lot more complex than that, but to answer your original question, yes it is allowed as long as the end user is OK with it.
 
It's perfectly acceptable as the reset isn't a safety function.

If there is a comms loss, it will never reset.

If the output stays high, it will also not reset as the PILZ unit needs to see a transition.

As long as the operator has a good view from the HMI.

Why do you think this is risky?
 
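As an added illustration (not code from this thread, nor Pilz or Siemens logic), here is a constructed model of the behaviour the replies above describe: the reset is accepted only on a 0->1 transition, a frozen tick-tock watchdog makes it refuse the reset, and an accidental reset while the hazard is still present changes nothing. The SafetyBlock class, the run helper and the watchdog limit of three scans are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SafetyBlock:
    """Constructed E-stop / light-curtain block with a manual reset that
    arrives over a monitored comms link. Simplified illustration only."""
    watchdog_limit: int = 3          # assumed: frozen tick-tock scans before comms count as lost
    outputs_enabled: bool = False    # latched "safe outputs on" state
    _last_reset: bool = True         # start high so a bit stuck high from power-up never counts as an edge
    _last_tick: Optional[int] = None
    _silence: int = 0

    def scan(self, hazard_clear: bool, contactors_off: bool,
             reset_bit: bool, tick: Optional[int]) -> bool:
        """One scan. Returns True if the safety outputs are enabled afterwards."""
        # 1. The safety function proper: a hazard (E-stop pressed, curtain broken)
        #    drops the outputs immediately and is never influenced by the reset path.
        if not hazard_clear:
            self.outputs_enabled = False

        # 2. Watchdog: the standard PLC must change the tick-tock value every scan.
        #    A missing or frozen value means the link, and every bit on it, is stale.
        if tick is None or tick == self._last_tick:
            self._silence += 1
        else:
            self._silence = 0
        self._last_tick = tick
        comms_ok = self._silence < self.watchdog_limit

        # 3. Manual reset on a 0->1 transition only. A bit that is stuck high,
        #    frozen by comms loss, or still high when comms return gives no edge.
        rising = reset_bit and not self._last_reset
        self._last_reset = reset_bit

        # 4. Accept the reset only if the link is live, the hazard is clear and the
        #    feedback loop confirms the contactors actually dropped out (the feedback
        #    monitoring is the part that is a safety function).
        if rising and comms_ok and hazard_clear and contactors_off:
            self.outputs_enabled = True
        return self.outputs_enabled

def run(block: SafetyBlock, steps):
    """Feed (hazard_clear, contactors_off, reset_bit, tick) tuples; return outputs after each scan."""
    return [block.scan(*step) for step in steps]
```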
I don't see why there would be any problem using comms to reset the safety.

What you could do though, is to make sure that the reset must go true and then false before reset is accepted.
 
Not recommended

Hello. Although you could do it and there is a low chance it would be a problem, it does not meet the standards and is therefore not recommended.
https://new.abb.com/low-voltage/products/safety-products/using-an-hmi-for-reset-and-start

I know from previous training that Siemens have created a special protocol especially for using an HMI for safety reset but I can't find any information on it right now. If I find it I will post it here.

Edit: I found what I was referring to, see page 576 section 13.13.1. https://support.industry.siemens.com/cs/attachments/54110126/ProgFAILenUS_en-US.pdf
 
Hello Puddle :) . EN ISO 13849. I have never seen a machine from a reputable company that has anything other than a physical reset button.

Once the function is made available to an HMI it is then on the network ready for any device to use it. I would not recommend using it unless you have a validated and approved method for using an HMI for safety reset.
 