Steve Mushero
Technology Advisor for Startups and Investors

Industrial Machine Automation Design - Steve is an expert in machinery design and operation.  The following is a distillation from memory of the principles he taught during years of work in manufacturing.

This is STILL IN PROGRESS and still needs formatting:

Industrial Machine Design and Automation


  1. Overview
  2. Documentation & Drawings
  3. Safety Systems
    1. Emergency Stops – The E-Stop system is the most critical safety component of a machine’s control system.  It can and will save lives, often as a last resort, so its design and operation should be the designer’s utmost concern.

      i. Overview – The E-Stop system consists of two essential components.

        1. E-Stop Chain – This is the continuous normally-closed circuit that connects all of the E-Stop buttons and other inputs together.  Red wire is often used so E-Stop circuits don’t get interconnected with other circuits in remote connection boxes.

        2. Relays that control all output power – When the E-Stop system is activated, all controlling power on the machine is normally disconnected, bringing all systems to their power-off state.

          a. Note that E-Stops do not normally cut control or computer power to the various systems, only the circuits that cause motion or processing.

          b. Input power is also usually cut during an E-Stop, as a safety measure in case someone is being electrocuted, since the input power circuit is the most common one on a machine.

      ii. Use Physical Mechanical Relays – All E-Stop systems must use physical mechanical relays to control power.  This means there can be no computer or controller in the E-Stop control process (a PLC can be in the chain, see below, but it cannot replace the relays).  In addition, mechanical relays are preferred because they have a lower failure rate than solid state relays (they do not operate very often, so contact lifetime is not an issue), and solid state relays tend to fail in the ON position, which is very undesirable in an E-Stop system.

        1. Relay Selection – Choose the heaviest control relays available for the E-Stop chain.  These will normally be heavy duty control relays the size of a human fist, not small ice cube relays.

        2. Contact Stacking – Many larger control relays allow contact stacking to increase the number of contacts.  For safety, only add contacts up to the limit minus one level, since this improves the ability of the relay spring to open the contacts in an emergency and as the relay ages.  For instance, many relays allow four levels of contacts; in that case, limit E-Stop relays to three levels and add additional relays as necessary.

      iii. Single Button Loops & Monitoring – Historically, the E-Stop chain has been just that, a continuous chain of buttons out on the machine.  This can be a troubleshooting headache on a large machine, as it’s difficult to tell which button or circuit is open.  All E-Stops (or button clusters, if several are in remote locations) should have two wires run to them, building the actual chain on a terminal strip in the main control cabinet.  In addition, each button’s terminal should lead to a PLC input; this will show the machine operator which button is pressed, saving a lot of troubleshooting time.

      iv. PLC Triggered E-Stops – There may be cases when the PLC should trigger an E-Stop, such as upon a fire or high temperature indication.  In this case, use a dry contact output in the E-Stop chain and be sure it is normally picked up (i.e. do not drop the contact upon E-Stop, otherwise the E-Stop chain can never be closed for normal operation).

      v. Delayed E-Stop Action – There are some special cases where losing control power immediately upon E-Stop is undesirable and unsafe.  The most obvious example is drive systems that need time for maximum deceleration.

        1. Time Delay Relay – To implement a time-delay E-Stop circuit, use a second E-Stop relay with a pneumatic time delay.  This relay will stay closed for a few seconds after the main E-Stop system drops out, but will eventually open to disconnect all power in case of something like a drive’s failure to stop as commanded.  Wire the coil of this time delay relay to the coil of the main relays, not to the contacts of the main relays; otherwise, if the main relays fail to open, the time delay relay would never open.

        2. Drives – The most common case of delayed E-Stop is when a regenerative drive system can stop a motor faster with power than without; this is very common in larger DC drives (5-500HP).  In this case, program the PLC to command the drive for maximum safe stopping with reverse power upon E-Stop.  Many systems will also activate brakes at the same time.  Time how long it takes each motor to stop and set the delayed E-Stop relay to 1-2 seconds beyond that.  This means that the delayed system will stay active just long enough to stop everything safely, but then cut out in case one of the drive components or the PLC has failed.  The tradeoff here is that the PLC and drives will normally work and can generally stop the machine much faster under power than by coasting or with brakes alone.

        3. Other systems requiring power – There may be other systems that also require power during an E-Stop, either temporarily or continuously.  Examples include motorized valves that need power to close in an emergency.

    2. Special Safety Systems – In addition to regular E-Stop safety systems, some machines require specialized safety management systems.  Most of these systems should be handled in hardware or in specialized controller modules dedicated to that activity; in general, it’s bad practice to manage key safety systems in user-written software.

      i. Burner & Flame Management – A common special case is flame and burner management, where failure of the controllers can have catastrophic and explosive consequences.  For this case, there are many specialized burner controllers that supervise the process and automatically act when there is a failure or emergency situation.  In most cases, these specialized systems can be controlled or commanded by regular PLCs, but will take specialized action on their own when needed.  For example, burner controllers automatically manage gas purge valves, flame detection delays, and safety cycling lockouts.

      ii. Use dedicated safety controllers – Some manufacturers are also making specialized PLCs and other controllers that are more flexible than dedicated systems, but still contain highly reliable safety-related components.  Use special care when programming such units.

  4. Computer Systems & User Interfaces – Most modern machinery operates under the control of sophisticated computerized controls.  Today’s control systems are often a combination of dedicated controllers, PLCs, dedicated user interfaces, message centers, PCs with touchscreens, drive and multi-axis coordinated motion controllers, and much more.
    1. PLC – The basic Programmable Logic Controller is the mainstay of machine control.  Simple to program and understand, yet flexible and powerful, PLCs are involved in nearly every aspect of automation.

      i. Basic Implementation – PLCs generally control all aspects of a machine’s operation, directly sensing and controlling every switch, motor, and device.

        1. PLC Location – Most machines have only one PLC CPU, typically located in the main control cabinet.  There are cases where multiple PLCs are utilized, often where there are several semi-independent subsystems or where autonomous operation is required.

        2. Remote I/O – On large machinery, remote I/O chassis are often used to locate the power wiring as close as possible to the devices being controlled.  This is especially useful for placing I/O in pits, on gantries, or on mobile subsystems.

        3. Power Circuit Checking – As noted in the power section, most machines will have several control power circuits.  It’s important for the PLC to monitor those, so a breaker trip can be detected and the machine shut down safely.  Such a trip can easily happen due to a short or failure in the field (such as a burned-out solenoid) and, if not detected, can lead to unsafe situations.  This is especially true as output power is usually grouped by I/O chassis, though I/O purpose can be scattered between chassis; this can lead to situations such as a pair of connected drive motors being on separate control power circuits, and if one loses power, damage can result.  To combat this, each control power circuit should be routed to a PLC input and monitored.

          a. High Voltage Power Monitoring – The PLC should also usually monitor high voltage circuits.  This is most easily accomplished with a phase monitor, which can detect loss of power, missing phases, or swapped phase conditions.  Missing phases (from bad contacts or a blown fuse) are problematic for heating and motor circuits, and swapped phases will drive all motors backwards, a very unsafe condition.

      ii. Software Basics – Traditional PLCs are programmed in ladder logic, the format used to represent relay logic for nearly 100 years.  Newer languages are available, including flow-charts, state machines, and even procedural languages such as C++ or BASIC.  This document focuses on ladder logic, as this is still the dominant language in use today.

        1. It is important to follow good programming practices, as outlined here, as PLC systems can become incredibly complex.  As PLCs have replaced traditional control relays, the internal logic complexity has escalated considerably.  When this is coupled with the constant changes experienced by PLC programs, the system can quickly get out of control unless good practices are followed.

        2. Each object in a PLC program should carry a symbol and each rung or rung block should carry a comment.  Contacts should never appear in ladder without a symbol that names them; this is far too dangerous and invites the use of the wrong contact in critical logic paths.

      iii. Safety Issues

        1. E-Stop Management – The E-Stop system is critical to the safety of the machine and its personnel.  Although the E-Stop system functions separately from the PLC, the PLC is still the key controller of a machine and usually needs to be involved.

          a. E-Stop In – The PLC must monitor the E-Stop system so it can detect an E-Stop condition (which is also normally present at startup, but not always, as the PLC can be started with the E-Stop chain already picked up).

            i. Wire Point – This input should be wired to the COIL of the primary E-Stop relay, NOT to a contact.  This allows the PLC to detect an E-Stop even if the E-Stop relay fails and the contacts do not change position.  Since the PLC will turn off all outputs upon E-Stop, this is an extra measure of safety.

          b. E-Stop Out – The PLC should be able to initiate an E-Stop if it detects various unsafe conditions.  This is done via a dry contact that obviously cannot be dependent upon the E-Stop Input (or else you could never pick up the E-Stop chain).

          c. E-Stop Usage in Ladder – The E-Stop In contact must be in EVERY rung that has an output.  This will cause all outputs to be turned off upon E-Stop detection, which is a backup in case of E-Stop relay failure and also resets all logic to a known state.

          d. Latch Logic – In general, output-driving logic in the PLC should be latching, in that a rung has a triggering mechanism and then latches on during its run.  The E-Stop In contact is in the rung, too, and can then easily open the rung to its deactivated state whenever an E-Stop occurs.  When the E-Stop is reset, the rung will still require action to initiate an output; otherwise, certain rungs could automatically activate when the E-Stop is reset, a very unsafe condition.

        2. System On/Off – Many machines have the concept of being On or Off.  The On state typically starts various required subsystems, such as hydraulics and air, and enables the machine to function.  The On contact should be in every output rung, in series with the E-Stop contact.

      iv. Structured Programming – The best PLC programming techniques involve using standardized and structured logic and rung format.

        1. Standard Rungs – Most control logic consists of an input that triggers something to be on for a while, as long as some conditions are satisfied.  To this end, a set of standard rungs has been identified as necessary for virtually all functions.  Together these form a rung group, which may be unidirectional (e.g. Door Open) or bi-directional (e.g. Door Open & Close).

          a. Control Word – A word should be reserved in memory for this operation or rung group.  A standard should be set so that bit 0 is for the Start rung, bit 1 for the Stop rung, etc.

          b. Start Rung – The Start Rung contains contacts that initiate the action.  This may include push buttons, contacts from an automatic sequence, or inputs from a remote user interface.  The rung terminates in an internal contact that will be used to Start the main output rung.

          c. Stop Rung – The Stop Rung contains contacts that terminate an action.  This may include the same types of contacts as the Start Rung, but limit switches are NOT included here, as they are permission items.  It is key to understand that the Stop Rung is only temporarily energized to stop a motion and is best thought of as analogous to the Stop Button.  Things like limit switches, which continuously inhibit motion, do not belong in the Stop Rung.

          d. Permission Rung – The Permission Rung contains contacts that must be true for this action to operate.  This usually includes requirements such as hydraulic or air pressure, machine on, and maybe the E-Stop contact.  Most importantly, this rung contains contacts for things like limit switches for moving units.  Many systems use limit switches to stop movement, such as a door close operation; these switches belong here, not in the stop circuit, as they are absolute stopping conditions and must always inhibit the main rung (the Stop Rung is only temporarily energized).

          e. Message Rungs – One of the most frustrating situations is when an operator wants to do something, such as start a machine, and it simply won’t start.  This is usually due to a missing condition, such as insufficient air pressure or a safety door not being closed, but there is no way for the operator to know all of these conditions.  The solution is to use message rungs, which are based on the permission contacts in the Permission Rung.

            i. Structure – The essential structure of a Message Rung is to use the Start Rung logic in series with each permission contact to set a message bit.  So, if a door must be closed before a machine can start, the Message Rung would consist of the Start contact (from the Start Rung) and the door contact.  If the start button is pushed (energizing the Start Rung) but the door isn’t closed, the message bit is latched.  This will, in turn, trigger an operator interface message about the door.  Message bits are usually reset automatically by a system-wide clean-up rung after 15 seconds or so.

            ii. Individual Alarm Rungs – The Alarm Rungs are specialized logic to detect fault conditions pertaining to this operation.  These come in several flavors, such as special limit switches or other warning devices, such as gas detectors.

            iii. Alarm Word – Each operation should reserve an alarm word in memory for exclusive use by this operation.  This allows the various alarm rungs to set contacts (bits) in that word, such that if the word is non-zero, there is an alarm present.

            iv. Latching – Most alarms will latch their contacts on, so the alarm indication will be durable until reset by the operator.

            v. TTO Timers – One common alarm mechanism for moving systems is a Time-To-Operate timer.  This is a timer that turns on for the duration of an operation and is designed to alarm if the operation takes too long.  For instance, a door might typically close in 10 seconds, so the timer would be set for 12 seconds; if the door is broken, or the close limit switch fails, or the tracks are dirty, this alarm will trip and shut down the door before major damage occurs.

          f. Alarm Word Scan Rung – This rung simply detects if there is an alarm for this operation by checking whether the alarm word is non-zero.  If it is, an alarm is present and the Alarm bit is set in the control word.

          g. Main Output Rung – The Main Rung is the actual logic that drives the output that makes something happen.  The purpose of all the preceding rungs is to make this rung as simple and standardized as possible.  The format is outlined below and follows classic simple ladder logic structure, as used for 100 years.

            i. Stop Contact – The normally closed stop contact from the Stop Rung is first.

            ii. Latch with parallel Start Contact – The rung latch contact is next, usually the output coil itself (or a latch bit in the control word).  In parallel with this latch is the Start contact from the Start Rung.  The latch contact is in the mainline rung because it is always present only once, while there can be several start contacts that can potentially be used to start the rung.

            iii. Alarm Contact – The Alarm contact, from the Alarm Word Scan Rung, is next, such that any alarm terminates the operation.

            iv. Permission Contact – The Permission contact from the Permission Rung is always the last contact before the output.  This ensures that any parallel contacts or other rung complexity do not accidentally bypass the critical permission contact.
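A scan-by-scan Python model of the standard rung group described under Structured Programming, which also exercises the E-Stop In, System On and Latch Logic rules from the Safety Issues section.  This is an added example, not code from the original page: a single unidirectional Door Close operation is evaluated once per scan, the close limit switch sits in the Permission Rung rather than the Stop Rung, the main rung latches and is cleared by an E-Stop, message bits record which permission blocked a start, and a TTO timer latches an alarm.  The bit assignments, the operation and the input names are assumptions.

```python
from dataclasses import dataclass

# Control word bit assignment for this rung group (assumed; the page only
# fixes bit 0 = Start and bit 1 = Stop).
BIT_START, BIT_STOP, BIT_PERMIT, BIT_ALARM, BIT_LATCH = 0, 1, 2, 3, 4
# Alarm word bits reserved for this operation (assumed).
ALARM_TTO, ALARM_OBSTRUCTION = 0, 1
# Message bits, one per permission contact (assumed).
MSG_NOT_ON, MSG_NO_AIR, MSG_ALREADY_CLOSED = 0, 1, 2
TTO_LIMIT = 12          # output on for more than this many scans -> alarm
MSG_CLEANUP_SCANS = 15  # system-wide clean-up rung resets message bits


@dataclass
class Inputs:
    """Inputs as sampled at the top of one scan (constructed test values)."""
    estop_ok: bool = True      # E-Stop In, wired to the E-Stop relay coil
    system_on: bool = True     # machine On state
    close_pb: bool = False     # momentary push button (one scan)
    stop_pb: bool = False      # momentary push button (one scan)
    air_ok: bool = True        # permission item
    closed_ls: bool = False    # close limit switch: a permission item
    obstruction: bool = False  # special warning device for an alarm rung


@dataclass
class DoorClose:
    """One unidirectional rung group with its control, alarm and message words."""
    control: int = 0
    alarm: int = 0
    message: int = 0
    tto: int = 0      # Time-To-Operate timer, counted in scans
    msg_age: int = 0

    def output(self) -> bool:
        """The latch bit from the previous scan doubles as the output coil."""
        return bool(self.control >> BIT_LATCH & 1)

    def reset_alarms(self) -> None:
        """Operator reset rung: zero this operation's alarm word."""
        self.alarm = 0

    def scan(self, i: Inputs) -> bool:
        # Start rung: any start source sets the Start bit for this scan only.
        start = i.close_pb
        # Stop rung: momentary stop sources only; limit switches do NOT go here.
        stop = i.stop_pb
        # Permission rung: everything that must hold for the whole motion,
        # including the close limit switch, which inhibits the output for good.
        permit = i.system_on and i.air_ok and not i.closed_ls

        # Message rungs: Start in series with each permission contact, latched,
        # so the operator is told which condition blocked the start.
        if start and not i.system_on:
            self.message |= 1 << MSG_NOT_ON
        if start and not i.air_ok:
            self.message |= 1 << MSG_NO_AIR
        if start and i.closed_ls:
            self.message |= 1 << MSG_ALREADY_CLOSED
        # Clean-up rung: message bits clear themselves after a fixed time.
        self.msg_age = self.msg_age + 1 if self.message else 0
        if self.msg_age > MSG_CLEANUP_SCANS:
            self.message, self.msg_age = 0, 0

        # Individual alarm rungs latch bits into this operation's alarm word.
        if self.output() and i.obstruction:
            self.alarm |= 1 << ALARM_OBSTRUCTION
        # TTO timer runs while the output is on and alarms if it runs too long.
        self.tto = self.tto + 1 if self.output() else 0
        if self.tto > TTO_LIMIT:
            self.alarm |= 1 << ALARM_TTO
        # Alarm word scan rung: any bit set means an alarm is present.
        alarm_present = self.alarm != 0

        # Main output rung, contacts in the order given on the page, with
        # E-Stop In in series and Permission last before the coil:
        #   Stop NC -> (Latch | Start) -> Alarm NC -> E-Stop In -> Permission
        out = (not stop and (self.output() or start)
               and not alarm_present and i.estop_ok and permit)

        # Rewrite the control word from this scan's results; an E-Stop clears
        # the latch, so the rung needs a fresh Start after the reset.
        self.control = (int(start) << BIT_START | int(stop) << BIT_STOP
                        | int(permit) << BIT_PERMIT
                        | int(alarm_present) << BIT_ALARM | int(out) << BIT_LATCH)
        return out
```

Each call to `scan` is one PLC scan; holding `close_pb` for a single scan is enough to latch the door closing, and only the Stop Rung, an alarm, a lost permission or an E-Stop will drop it again.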

      v. State Machines – In some cases, a state machine is more applicable to an operation than simple start/stop latching ladder logic.  This is common with motor drive systems that can be in one of several states and require special steps to change state.

        1. State Rungs

      vi. Alarms – The general alarm system consists of a dedicated memory block that can be scanned for any latched bits, indicating an alarm.  Each rung block monitors its own alarm word, but there is also a master block scanner that looks for any alarms and shows an indicator to the operator.

        1. Alarm Display – When an alarm is set, this message or bit is usually transmitted to the operator interface as a message.  It can be a message number or some type of table lookup, depending on the display system.  Always use a text message, such as “Door Close Time To Operate Alarm (#432)”.  An alarm number should also be included, as this makes it easier to communicate the alarm to others or to look it up in a Solutions Guide.

          a. Solutions Guide – It is often good practice to develop a solutions guide that assists the operator in dealing with the alarm.  If alarms are indexed and displayed by number, their solutions can be easily accessed, either in computerized or paper form.

        2. Reset – The operator should normally be able to reset all alarms, usually by triggering a rung that just zeros out the alarm block.

          a. Special Alarms – In some cases, the operator interface may only allow an operator to acknowledge certain alarms, requiring a password to reset other, more critical ones.

        3. Alarm Logs – In some cases, it is useful to retain alarm histories or logs.  This is most easily done in the operator interface system, though it’s possible to build a ring buffer or stack in the PLC to retain this information.

      vii. Messages – Since a machine that won’t start is a very frustrating situation, good machine design includes a messaging system to tell the operator why something won’t happen.  The messaging system operates just like the Alarm system, using internal PLC bits to generate messages on the Operator Interface.

      viii. Text Messaging Boxes

      ix. Lighted Push Buttons

      x. Push Buttons vs. Touch Screens – Safety-related items.

      xi. PID Loops

      xii. Match with Arrays & Block Files

      xiii. High-Level Languages

    2. Operator Interfaces (UI or MMI) – Most modern machines use a computerized operator interface that is connected to the PLC.

      i. Interface Types – Operator interfaces generally fall into one of four categories:

        1. Traditional Push Buttons & Lights – The oldest of interfaces, this consists of simple buttons and lights, often combined into lighted pushbuttons.  These are fairly limited in user interaction, but are wholly adequate for many operations.  In particular, the use of light signals in the buttons can convey a good deal of information; for instance, blinking slowly can mean operating, while a fast blink is an alarm.  In addition, push buttons and lights are often used in combination with other computerized displays for a full (and safe) operator interface.

        2. PC-Driven Complex Interfaces, with Touch Screen – For complex machines, the most common modern interface is a personal computer running a machine control display system.  These are dedicated systems designed to allow operators to manage sophisticated machinery.  While the PLC actually controls the machine, the PC provides significant functionality, such as complex graphics, recipe and sequence storage, alarm and message management, etc.  Since the PC generally has permanent storage (a hard disk) and output capability (printer), it allows for complex data and historical tracking management, well beyond what typical PLC systems are capable of.

        3. Non-PC Display or Touch Screens – Complex PC systems are expensive and complex to purchase, program, and maintain.  In many systems of moderate complexity, it’s often easier to use specialized operator interface units that are designed for this purpose.  These units are not as flexible as PCs, but are more reliable and tend to be a better fit for the personnel involved in machinery design and support.  Typical units include good graphics display and management, alarm tracking, printing, and touch screen interaction.  In addition, it’s common for these units to be used in conjunction with PC-based systems to build complex interfaces with multiple operator stations (a PC at the main station, with these devices at remote or mobile locations).

        4. Small Dedicated Display/Input Units – When PCs or dedicated touch screens are too costly or complex, small interface units are often used.  These vary widely, but can consist of a numeric keypad, a few function keys, and a single line text display.  While fairly limited, these units can still convey a good deal of information and provide for operator input of key values, such as times and temperatures.

      ii. Operator Interface to PLC Communications – One of the trickier problems in interface design is how to connect the operator interface to the PLC.

        1. Dedicated Devices – These are the simplest, as they often come from the same manufacturer as the PLC.  Most units simply connect to the remote I/O communications subsystem and therefore look like regular I/O pushbuttons and lights to the PLC.  They are programmed in the same manner as buttons and lights, with the addition of being able to transfer numbers, such as temperatures, often via a block or numeric transfer mechanism.

          a. Serial or Ethernet Link – For smaller devices, or ones not supported by a PLC manufacturer, serial or Ethernet connections are common, though a variety of methods are used at the actual bit transfer level.

        2. PC-based Systems – These systems have the most complex interfaces and generally require dedicated memory blocks in which to exchange information.

          a. Sweep ONS Blocks – The key challenge in connecting the PLC to a PC-based system is how to handle button-type inputs, because of timing issues between the PLC and PC.  This is not an issue with regular I/O, as the data is always available at the start of a ladder scan, but PC input can occur at any time and is difficult to synchronize.  The best solution is for the PC to set bits in a dedicated memory block.  The PLC then copies that block to another ‘working’ block at the top of each scan and zeros out the PC block.  This allows the PC-set bits to be available for a full PLC scan; they get reset automatically on the next scan by the next copy.  This system makes PC inputs appear and operate exactly like push buttons, such that they can be intermixed in standard logic without any worries about timing.
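The Sweep ONS handshake above, modelled in Python as an added example (not code from the page or from any PLC vendor): the PC only ever ORs bits into its dedicated block, the first rung block of every scan copies that block into a working block and zeros the PC block, and ordinary rungs examine the working block only, so a click is seen for exactly one full scan whether it landed before the sweep or mid-scan.  A naive direct read of the PC block is included for contrast.  The block size, the button addresses and the names are assumptions.

```python
BLOCK_WORDS = 4  # assumed size of the PC-to-PLC handshake block (16-bit words)


class PlcMemory:
    """Two data-table blocks (assumed layout): the PC writes pc_block,
    ladder logic only ever examines work_block."""

    def __init__(self) -> None:
        self.pc_block = [0] * BLOCK_WORDS
        self.work_block = [0] * BLOCK_WORDS


def pc_press(mem: PlcMemory, word: int, bit: int) -> None:
    """The PC registers a button click by OR-ing a bit into the PC block.
    It never clears the bit itself; only the PLC sweep does."""
    mem.pc_block[word] |= 1 << bit


def sweep_ons(mem: PlcMemory) -> None:
    """First rung block of every scan: copy the PC block to the working
    block, then zero the PC block, so each click lasts exactly one scan."""
    mem.work_block = list(mem.pc_block)
    mem.pc_block = [0] * BLOCK_WORDS


def contact(mem: PlcMemory, word: int, bit: int) -> bool:
    """A PC 'push button' contact as examined by ordinary ladder rungs."""
    return bool(mem.work_block[word] >> bit & 1)


# Constructed button map; the (word, bit) addresses are assumptions.
BUTTONS = {"START": (0, 0), "STOP": (0, 1), "RESET": (1, 3)}


def run_scans(schedule):
    """Simulate PLC scans.  Each schedule entry is (clicks that arrived
    before the sweep, clicks that arrive mid-scan after the sweep).  Returns,
    per scan, the set of button names whose contact was closed in that scan."""
    mem = PlcMemory()
    seen = []
    for before, mid in schedule:
        for name in before:
            pc_press(mem, *BUTTONS[name])
        sweep_ons(mem)  # top of scan: copy and zero
        for name in mid:  # PC writes landing while the ladder is executing
            pc_press(mem, *BUTTONS[name])
        seen.append({n for n, addr in BUTTONS.items() if contact(mem, *addr)})
    return seen


def naive_scans(hold_scans: int, total_scans: int = 5) -> int:
    """Counterexample without the sweep: ladder reads the PC block directly
    and the PC is responsible for clearing its own bit after hold_scans scans.
    Returns how many scans saw one click: 0 if the PC set and cleared the bit
    between two scans (click lost), hold_scans if it held it (repeat trigger)."""
    mem = PlcMemory()
    pc_press(mem, *BUTTONS["START"])
    count = 0
    for scan in range(total_scans):
        if scan >= hold_scans:
            mem.pc_block[0] &= ~(1 << 0)  # PC clears its own bit
        if mem.pc_block[0] & 1:
            count += 1
    return count
```

Note that two clicks of the same button between consecutive sweeps coalesce into one scan's worth of input, which is the same thing a physical push button would do if pressed twice within one scan.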

    3. DCS – Distributed Control System; time delays, more data-oriented, with PLCs doing the real control.
    4. Drive Systems
  5. Power Systems
    1. Feeds

      i. Single Cabinet Systems

      ii. Multi-Cabinet Systems – Often fed from power centers; be sure feeds and disconnects are well marked.  Mark the cabinet as having multiple power sources (at least for 120VAC; there shouldn’t be multiple 480VAC feeds in one cabinet).

    2. Grounding

      i. Ground Rods

      ii. Machine Grounding

      iii. Cabinet Grounding

      iv. Motor Grounding – Run a ground to each motor; do not depend on conduit, and especially not on Liquid-Tite.

      v. Signal Grounding – Single point, direct to ground, to avoid noise.

    3. Emergency Feeds

      i. Separate

      ii. Use a blinking light to indicate that emergency power is available.

      iii. E-Stop Interaction – May operate under E-Stop.

      iv. Color Codes – Yellow

    4. Filtered Computer Power – Sola
    5. Input Power – Single circuit
    6. Output Power – One circuit per PLC rack
    7. 24 VDC – Use big rectifiers, separate from the signal power supplies.
    8. Drive Isolation – A separate transformer for each DC drive; chokes are not adequate.
    9. Fusing – Fuse for the wire, not the load; usually 15A.
    10. Motor Overloads – Size properly, according to the chart; go one size larger if tripping.
  6. Construction & Wiring
    1. Cabinets
    2. Terminal Boxes – Use often, as test/repair points.
    3. Conduit

      i. Rigid Pipe

      ii. EMT

      iii. Liquid-Tite

    4. Cat-Tracks – Use a terminal box on both ends; easy to damage.
    5. Wire Size
    6. Wire Color
    7. Signal Wire – Size, shielding type, shield grounding.





"Steve provided by far the best requirements that we've ever received from a client... our COO and software team passes along their thanks"

- Engineering Team Manager