Concept Of Fail Safe Circuit - Mitsubishi Electric MELCEC Q Series User Manual

9. LOADING AND INSTALLATION
9.2

Concept of Fail Safe Circuit

When the programmable controller is powered on or off, improper outputs may be
generated temporarily depending on the delay time and start-up time differences between
the programmable controller power supply and the external power supply for the control
target (especially, DC).
For example, if the external power supply for a DC output module is powered on and then
the programmable controller is powered on, the DC output module may generate incorrect
outputs temporarily upon the programmable controller power-on. To prevent this, it is
required to build a circuit by which the programmable controller is powered on first.
Also, an external power failure or programmable controller failure may lead to erroneous
operation.
In order to eliminate the possibility of an system error and to ensure fail-safe operation,
create a circuit (emergency stop circuit, protection circuit, interlock circuit, etc.) outside the
programmable controller for the parts whose faulty operation could cause mechanical
damage and/or accidents.
A system design circuit example based on the above is provided later.
WARNING
Configure safety circuits external to the programmable controller to ensure that the
entire system operates safely even when a fault occurs in the external power supply
or the programmable controller. Failure to do so may result in an accident due to an
incorrect output or malfunction.
(1) Configure external safety circuits, such as an emergency stop circuit, protection
circuit, and protective interlock circuit for forward/reverse operation or upper/
lower limit positioning.
(2) When the programmable controller detects the following error conditions, it
stops the operation and turn off all the outputs.
• Overcurrent or overvoltage protection of the power supply module is activated.
• The CPU module detects an error such as a watchdog timer error by the self-
diagnostic function.
All outputs may turn on when an error occurs in the part, such as I/O control
part, where the CPU module cannot detect any error. To ensure safety
operation in such a case, provide a safety mechanism or a fail-safe circuit
external to the programmable controller. For a fail-safe circuit example, refer to
Chapter 9 LOADING AND INSTALLATION in this manual.
(3) Outputs may remain on or off due to a failure of an output module relay or
transistor. Configure an external circuit for monitoring output signals that could
cause a serious accident.
In an output module, when a load current exceeding the rated current or an
overcurrent caused by a load short-circuit flows for a long time, it may cause smoke
and fire. To prevent this, configure an external safety circuit, such as a fuse.
Configure a circuit so that the programmable controller is turned on first and then
the external power supply. If the external power supply is turned on first, an accident
may occur due to an incorrect output or malfunction.
9 - 15