Author Topic: Safety issue: output is ON when PLC power OFF  (Read 7493 times)

DW_Microsys

Safety issue: output is ON when PLC power OFF
« on: January 18, 2012, 09:19:29 AM »
For the past 6 years I have been using Tri PLC from T100MD to FMD1616 and F1616. Recently I encountered a safety issue on output channels which should be notified via user manual and/or application notes. I'm quite disappointed, especially when I found this topic on the forum:

"Re:Output State on Power Off"

Here are some details.
PLC: FMD1616, DO#1-8 are connected to one mechanical relay and 7 SSR, which are used to control motors and high pressure valves.
Issue: at one moment, the 24V to the PLC is lost, but 24V to the relays and SSRs is still connected. Instantly, outputs #1-8 go to ON status: all the motors start running and high pressure valves start opening, which leads to a quite dangerous situation.

After some debugging, I found it is caused by the ULN2803 flyback diode. By bending Pin 10 out I solved the problem.

This can be a very serious safety issue when someone tries to control a motor and high pressure gas. From this forum, I can see that Triangle knew about this issue years ago. I don't understand why this issue is not fixed, and/or at least the user should be notified to pay attention when using these channels.


support

« Reply #1 on: January 18, 2012, 12:14:06 PM »
Thank you for your feedback. When the PLC loses power to control the equipment and yet the power to the load is still connected, the outcome can be unpredictable. This situation doesn't normally occur and so far there aren't many users who have encountered such a situation.

We suggest that if the PLC and the load are using different power supplies, then the power supply to the PLC should be used to control a relay that supplies the +24V power supply to the high side of the load. This way when you turn off the CPU power supply the load will also lose power.

We will certainly take your suggestion to add a warning about this potential scenario in the next revision of the PLC's user manual.

Do take note that by removing pin 10 of the ULN2803A there is no flyback connection, and if the inductive kick energy is high enough when an inductive load (such as a relay coil) is turned off it could damage the ULN2803A IC. So you will need to add Transorb diodes at the load to absorb the inductive kick.
« Last Edit: January 18, 2012, 12:27:57 PM by support »
Email: support@triplc.com
Tel: 1-877-TRI-PLCS

DW_Microsys

« Reply #2 on: January 18, 2012, 02:36:39 PM »
In my case, the PLC and the relays/SSRs are sharing the same 24V PWR. The case happens when the +24V wire to the PLC power input is damaged/loose. So bending pin 10 is the only solution.

For you, the better solution is to put this pin 10 on a different terminal, so the user can choose to connect it to external 24V PWR directly, or leave it.

support

« Reply #3 on: January 18, 2012, 04:31:03 PM »
We did a test of your scenario by connecting the DC 24V power to a load and disconnecting the 24V power to the CPU, and what we learned is that the load power goes through the load and the flyback diode and attempts to turn on the PLC that has no +24V power connection. The PLC draws about 100mA and it is enough power to turn on the SSR. In this case all the loads appear to be connected in parallel to supply power to the PLC but the PLC is not turned ON because the voltage is too low.

The on chip flyback diode is convenient as it protects the output driver even if the user neglects to add flyback diodes to their inductive loads. But the negative outcome you mentioned in case of loose wire is also of concern. We will certainly submit your concern to development team for consideration.
« Last Edit: January 18, 2012, 06:42:48 PM by support »

support

« Reply #4 on: January 18, 2012, 06:41:28 PM »
One suggestion is to use an unused output to control a power relay, with the relay contact used to supply power to the load. This way it ensures that the PLC is powered up and has done all necessary initialization before it turns on the load power relay. The load will only receive power after the PLC is powered up.

The load power control relay should be controlled by an output that is not driven by ULN2803 or ULN2003 IC. On the FMD1616-10 this will be output 9-16 and on the FMD88-10 this will be output 7 or 8.
« Last Edit: January 18, 2012, 06:43:39 PM by support »

DW_Microsys

« Reply #5 on: January 19, 2012, 08:12:22 AM »
Adding a power relay on one channel between #9-16 will help, but WILL NOT solve the problem in certain scenarios.

Keep in mind the FMD1616 only needs about 11V to be in ON state.

Consider there are 4 solenoid valve coils on DO#1-4, each coil has resistance of 200 ohm (3W coil). There are 4 SSRs on DO#5-8. One power relay on #9 to provide +24V to these coils/SSRs per your recommendation.

When PLC is ON, DO#9 is ON to provide 24V to coils & SSRs on #1-8, and DO#1-8 are in OFF state.

At this moment, the 24V wire to PLC is loose.

Now, the PLC will get enough current from #1-4 to stay in ON state (PLC is running at around 12V), it will not shut down DO#9 to cut off +24V to DO#1-8. The solenoid valve may or may not be activated, but SSRs will be activated for sure.

Please correct me if I'm wrong.
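
An idealized estimate of the back-feed path discussed in Replies #3 and #5, as an added example that is not part of the original posts. It treats the PLC as a constant 100 mA sink (Reply #3) with an 11 V threshold (Reply #5); the 0.7 V clamp-diode drop and the function name `backfeed` are assumptions.

```python
"""Back-feed estimate for loads wired to ULN2803-driven outputs (added example).

Path when the PLC's own +24V wire is open:
  load supply -> load -> output pin -> clamp diode -> pin 10 -> PLC rail
"""

V_SUPPLY = 24.0   # load supply voltage (thread)
I_PLC = 0.100     # PLC draw, "about 100mA" (Reply #3); modelled as constant
V_PLC_MIN = 11.0  # PLC stays in ON state above about 11 V (Reply #5)
V_DIODE = 0.7     # assumed forward drop of the clamp diode


def backfeed(load_ohms, v_supply=V_SUPPLY, i_plc=I_PLC,
             v_min=V_PLC_MIN, v_diode=V_DIODE):
    """Return rail voltage, voltage across each load and per-load current.

    Every load sits between the load supply and the shared PLC rail, so the
    loads act as parallel resistors feeding the PLC's current draw.
    """
    if not load_ohms or any(r <= 0 for r in load_ohms):
        raise ValueError("need at least one positive load resistance")
    r_parallel = 1.0 / sum(1.0 / r for r in load_ohms)
    headroom = v_supply - v_diode
    # The rail cannot go below 0 V: with few high-resistance loads the PLC
    # gets less than it asks for and the loads see the full headroom.
    v_rail = max(headroom - i_plc * r_parallel, 0.0)
    v_load = headroom - v_rail
    return {
        "v_rail": round(v_rail, 2),
        "v_load": round(v_load, 2),
        "i_load_ma": [round(1000.0 * v_load / r, 1) for r in load_ohms],
        "plc_stays_up": v_rail >= v_min,
    }


if __name__ == "__main__":
    # Reply #5: four 200-ohm solenoid coils on DO#1-4.
    print("4 coils:", backfeed([200.0] * 4))
    # Constructed contrast: a single 200-ohm coil carries the whole draw.
    print("1 coil: ", backfeed([200.0]))
```

In this model four coils hold the rail near 18 V, above the 11 V threshold, while a single coil would have about 20 V across it. SSR inputs are not modelled because the thread gives no figures for them.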


support

« Reply #6 on: January 19, 2012, 11:23:31 PM »
The scenario you described is plausible, but the most likely scenario is that when the power supply wire to the PLC is loose, the PLC will temporarily lose power and undergo a power-on reset. The PLC takes about 1 second to boot up and during boot up time the PLC cuts off power to all its outputs, which means the relay will be turned OFF, terminating the current flowing through the flyback diode, and the PLC will therefore not be turned ON.

For the sake of discussion, if one were to solder a wire from the PLC's power supply pin and use it to control a power relay that supplies power to the I/O then it will completely eliminate any possibility of a loose wire causing the I/O power to flow through the flyback diode to the PLC's +ve power. In this case no output is needed to control the power relay, since the power relay is controlled by the PLC's 24V power supply and if there is a loose wire the power relay will be turned OFF.


DW_Microsys

« Reply #7 on: January 20, 2012, 08:42:53 AM »
I will test the scenarios we discussed here and post the results. I recommend your tech team do the same thing. For working with 3000psi gas, I don't want any surprise.

For now, I have to manage to visit some existing customers to bend pin #10 out. Unfortunately, they are everywhere - US, Japan, China, Germany. What a mess.

support

« Reply #8 on: January 20, 2012, 01:38:27 PM »
Thank you for bringing to our attention this potential problem, which only occurs if the power supply wire to the PLC is loose or cut by mistake. We will certainly look into how to take this scenario into our design consideration and may revise the design for future productions.

Certainly if the output is controlling something critical you will want to take all precautions even though it probably rarely occurs. So removing pin 10 from the ULN2803A (pin 9 on ULN2003A) is one quick fix (since your loads are all non-inductive), or use other outputs that are not controlled by the ULN2803A chip (it would be output 9-16 for FMD1616-10*). Another possible precautionary measure is to solder a parallel wire from the power supply to the PLC's power supply pin. This way if either the regular power cable to the power supply screw terminal or the soldered power wire breaks loose from the pin, the CPU will still be powered and will not cause the output to be turned on by a failure in the wiring or a loose screw terminal.

* Note: For the benefit of other users, the following lists the outputs that WILL NOT be turned on by back-flow current via the flyback diode in the IC driver if the power supply cable to the PLC is broken:

1) FMD88-10  : output 7 & 8
2) FMD1616-10: output 5 to 8
3) F2424: Output 5 to 24
4) F1616-BA: All 16 outputs
5) Nano-10: All 4 outputs
6) EXP4040 & EXP1616R: All outputs



« Last Edit: January 20, 2012, 02:11:57 PM by support »