(Solved) ESTOP loop/scheme - external safety relay

[TLDR: need help setting up HAL with and2 and a momentary estop reset]

Ok, thanks to everyone's help I've got LCNC installed, gmoccapy up, and my spindle motor working.  Before I move to the axis motors I need to get my estop logic sorted out.  And yes, I currently have a working external estop - it's just not doing everything I want.  I'm good-to-go on the hardware/wiring side of things, but not so much in the HAL situation.

I've attached simplified version of my external power/estop circuit for anyone with the patience to help me sort this out.  Ignore the missing fuses and other safety stuff.  Here's what I have:

Main Power

• ON switch SW1, momentary NO
• OFF switch SW2, momentary NC
• Relay K1, DPDT

Estop

• ESTOP switch SW3, latching NC, two contact pairs
• RESET switch SW4, momentary NO, two contact pairs
• Relay K2, DPDT

Basic function:

• ON/OFF/K1 is a tandard industrial two push-button circuit to power sensors and permit estop loop
• When K1 is active, ESTOP can be unlatched and RESET pressed, permitting K2 to activate
• When 7i76 output is pulled low, K2 activates
• When K2 is active (ESTOP clear), drive contactors are active and 7i76 is signaled (external estop clear)
• Basically, the operator and LCNC can both drop the estop circuit (killing drives), but only the operator can clear an estop.

Eagle-eyed viewers will see this scheme results in circular logic: K2 needs to be active to signal ESTOP clear, but 7i76 output needs to be triggered to activate K2.  I have bypassed this by jumpering K2 coil to ground temporarily.

Functions I need help with:

• Assuming ESTOP SW3 is unlatched, I would like to use the RESET to signal LCNC through the 7i73 to trigger the 7i76 output as a 'estop-clear-request' signal.
• In addition to the K2 estop signal to 7i76, I'd like ESTOP SW3 to signal LCNC through the 7i73 of an estop enable or clear.  If the relay doesn't drop out for some reason (welded contacts), I'd like LCNC to know I still want an estop.  Belt and suspenders sort of thing, doesn't cost me anything.  I believe I need an and2 function, not sure.

So if someone can walk me through the process of adding & configuring the two functions above I'd appreciate it.  Keep in mind that I'm just barely grasping some of the HAL concepts and I haven't internalized anything beyond the difference between signals and pins, so short words without too much jargon would be welcome.  I'm learning, but I'm still in the rather painful stages.

HAL file attached.  I'm using a config generated by pncconf and tweaked by PCW earlier today for some spindle PID stuff, but it's otherwise straight outta' pncconf.

-R
 
 

Take  a look to estop_latch.
linuxcnc.org/docs/2.8/html/man/man9/estop_latch.9.html
You will found many examples. 
I learned from Rod.
162.243.45.186/47-hal-examples/25861-external-e-stop?start=10

chris@cnc wrote:

Take  a look to estop_latch.
linuxcnc.org/docs/2.8/html/man/man9/estop_latch.9.html
You will found many examples. 
I learned from Rod.
162.243.45.186/47-hal-examples/25861-external-e-stop?start=10
 

Thank you.

I read both of those links earlier today, but I guess it isn't really sinking in.

I am beginning to suspect that the text-based HAL/INI scheme is causing me problems; perhaps I'm more of a graphical learner.  I can comprehend anything in narrative form very quickly (tech manuals, novels, whatever), but any time I look at a HAL file I get lost & confused after about three seconds.  Which means HAL snippets pasted in a thread don't sink in - I have no experience, so any context goes over my head.

Even the MAN pages aren't working for me as they don't have examples with a description of how that example works.

I understand I need to add a function, and specify how many instances of that function.  I'm going to disect Rod's example, mostly as an exercise for myself:

loadrt estop_latch count=3
[Ok, just created three instances of the estop_latch function]

addf estop-latch.0 servo-thread
addf estop-latch.1 servo-thread
addf estop-latch.2 servo-thread
[Got it - just added all three functions to the servo-thread, meaning they'll run at a certain speed and get polled/resolved constantly.]

But now it gets murky:

# --- ESTOP CHAIN STARTS ---
net latch-reset iocontrol.0.user-request-enable
net latch-ok-in iocontrol.0.user-enable-out
[Starting to get lost.  Signal latch-reset has been connected to pin iocontrol.o.user-request-enable.  Ok, but where does that pin come from and what triggers it? Is it in a list of pins somewhere outside the HAL files?  Is the latch-reset signal something Rod made up for this function, or is it coming from sonewhere else?]

net latch-ok-in => estop-latch.0.ok-in
net latch0-out <= estop-latch.0.ok-out
net latch0-out => estop-latch.1.ok-in
net latch1-out <= estop-latch.1.ok-out
net latch1-out => estop-latch.2.ok-in
[The above seems to be the equivalent of a series circuit; the "ok" value is passed from one input to another and finally to signal estop-latch.2.ok-in. Still confused as to where these pins come from.]

net latch-reset => estop-latch.0.reset
net latch-reset => estop-latch.1.reset
net latch-reset => estop-latch.2.reset
[This seems to connect three pins to the same signal.]

net latch-out iocontrol.0.emc-enable-in <= estop-latch.2.ok-out
net estop-out estop-latch.2.fault-out
[Here he's connecting the 'final output' estop-latch.2.ok-out from earler to iocontrol.0.emc-enable-in.]

# --- EXTERNAL ESTOP SWITCH ---
net external-estop <= hm2_7i76e.0.7i76.0.0.input-00
net external-estop => estop-latch.0.fault-in
[Finally, something I think I understand.  A physical pin is connected to a software pin.]

Besides the physical pin on the 7i76e, where do these pins come from and what do they do?

Where do I find out what iocontrol.0.emc-enable-in does?  Where do I find out what estop-latch.0.fault-in does? 

Getting back to my original question... I want to use a momentary pushbutton to cause the estop to clear.  If I create one or more estop-latch functions, which results in estop-latch.N.ok-in and .ok-out

I think I understand the basig logic and sequencing, but it's the software pins that appear to be black holes.


O.M.G.  
Something just clicked as I was writing this.

Creating a function via loadrt results in software/HAL pins being created.

Every place in the HAL file that has a 'loadrt' statement will cause HAL pins to spring in to existence magically.  Nowhere in the MAN pages is this explicitly stated. Those just have a description of the function and a list of pins.

Even the nice picture in the HAL intro just implies this.

I'm sure everybody is going "well, DUH"... but until 3 minutes ago it wasn't obvious.

So now I can reverse-engineer by looking at a pin, figuring out what Function created it, and then look up that Function in the manual to see what that pin does.  Right?

For easier understanding think every estop-latch is one estop button.
To definie chain length use loadrt
loadrt estop_latch count=3 ->  means you have 4 "buttons / functions" 
estop-latch.0
estop-latch.1
estop-latch.2
estop-latch.3

next activate all buttons in servo-thread to get time cycle control of pin. All Pins now asking in ms steps are you true or not.
addf estop-latch.0            servo-thread
addf estop-latch.1            servo-thread
addf estop-latch.2            servo-thread
addf estop-latch.3            servo-thread

Now 5 important Pins active 
estop-latch.0.ok-in  -> chain start here with signal iocontrol.0.user-enable-out by press F1 or E-stop button in GUI

estop-latch.0.fault-in -> foult in PIN from hardware E.G hm2_7i76e.0.7i76.0.0.input-00-not 

estop-latch.0.reset -> reset Pin connect to iocontrol.0.user-request-enable. By press F1, estop fault reset if all buttons ok.
No self enable in case of EMG.

estop-latch.0.ok-out -> estop ok-out bit. Need to activate next chain member e.g. estop-latch.1.ok-in
Last chain member pin enable "iocontrol.0.emc-enable-in <= estop-latch.3.ok-out"

estop-latch.0.fault-out -> trigger bit to see in halshow what EMG is pressed. Last chain pin "net estop-out <= estop-latch.3.fault-out" close the chain.  Is GUI EMG or EMG buttons foult, chain is open  and can only reset by active all signals estop-latch.x.reset. Not self enable. I think that was your main problem.

Same pins for estop-latch.1 till 3
Search in halshow for estop.latch Pins for diagnostic

For safe is recommended to cut by EMG pressing the safety relay power. Only this way you have hard and software EMG.  

Thanks for the confirmation and assistance.

Last question on this subject before I start fiddling in HAL:

My momentary RESET button needs to be pressed to activate/energize the physical safety relay.  I'm not sure how this arrangement is going to work, because the estop-latch.0.fault-in is not yet cleared (relay isn't active yet), and that has to be cleared before estop-latch.0.reset works:

estop-latch.0.reset -> reset Pin connect to iocontrol.0.user-request-enable. By press F1, estop fault reset if all buttons ok.
No self enable in case of EMG.

It's still a circular logic problem as far as I can tell.  What I need is some function or scheme that tries to reset the estop-latch, and if it doesn't clear within a second or two it fails.  Example:

1. Safety relay de-energized and estop button de-asserted (RESET has not been pressed)
   1. estop-latch.0.fault-in is active (signal from de-energized relay not present)
   2. estop-latch.0.reset will not work because estop-latch.0.fault-in is active, thus
   3. 7i76 output will not permit safety relay to energize (relay coil path to 0v not present)
2. RESET button is pressed
   1. estop-latch.0.reset signal is active
   2. 7i76 output goes low, pemitting safety relay to energize
3. If estop-latch.0.ok-in is not active within a second (or whatever)
   1. estop-latch.0.reset is disregarded
   2. 7i76 output goes high, prohibiting safety relay from energizing

Make sense?  I need a 'bypass' that permits the relay to activate long enough for the estop-latch.0.ok-in signal to be present.

Unless someone can think of a different wiring arrangement that permits LCNC to de-energize the safety relay but not energize it.  Human and LCNC can stop it, but only human can energize it.

Here's what I've come up with, and I don't think it requires an estop-latch function as I only have one external estop signal source.  If I want to add a signal from the estop button itself, I'd add a second or2 or use the estop-latch function.

I'd be grateful for a critique, BTW

Add or2 to HAL and get it running:

loadrt or2 count=1
addf or2.0 servo-thread

Add input button logic:
#--- momentary reset button and safety relay physical pins connected to arbitrary signals
net estop-reset-request1    <=    [HMOT](CARD0).7i73.0.1.input-03 (reset button)
net estop-reset-request2    <=    [HMOT](CARD0).7i76.0.0.input-20 (safety relay output to Mesa input)

#--- reset button and safety relay signals connected to or2 inputs
net estop-reset-request1    =>    or2.0.in0
net estop-reset-request2    =>    or2.0.in1

#--- or2 output connected to user enable pin through estop-ext signal
net estop-ext            <=    or2.0.out
net estop-ext             =>    iocontrol.0.emc-enable-in

Add output logic
#--- 'estop fault' signal from LCNC interrupts safety relay coil path to 0V through output-15.
net estop-out            <=    iocontrol.0.user-enable-out
net estop-out            =>    [HMOT](CARD0).7i76.0.0.output-15 (estop relay coil ground)

Theory:
As stated earlier, to activate the safety relay the estop pushbutton must be unlatched AND the momentary reset pushbutton is pressed.  

1. Reset button pushed
2. Mesa estop-out output goes low (estop clear)
3. Relay coil can fire if estop pushbutton is clear
4. Coil fires, relay activates, relay estop-clear signal present
5. Reset button released, but relay is now active so the relay signal 'holds' the external estop cleared logic.

So LCNC can de-activate the safety relay (killing drives), but can't come out of estop until the operator presses the reset button.

Testing tonight, wish me luck.

-R

Good luck, I cross fingers...
If not work my idea.
As long you push SW1 -> K1 close . You could reset with SW1.
 

(Sorry for the late response...distracted by all the other LCN setup details.)

For posterity:

• ESTOP
  • E-stop scheme for controlling a mechanical safety relay wired as a holding circuit (latching NC estop btn w/momentary NO reset switch).  LCNC can de-energize the relay via an output, but cannot energize the relay.  Human and LCNC have to agree to clear the estop condition.  No need to connect the reset switch through a bunch of or2 gates.
• Bonus feature #1
  • LCNC turns ON when external estop is cleared by energizing the relay.  I didn't see the point in having a separate ON function - if the operator clears the estop, the machine needs to be ON.  Used a oneshot and timedelay to clear the estop first, then a two seconds later LCNC turns ON
• Bonus feature #2
  • Air pressure safety switch.  If no air pressure, no clearing estop.  I dont want to have my (future) ATC fail mid-tool change because of insufficient air pressure.  Uses a simple 100psig NO air switch plumbed in to the pneumatic manifold.

net AIR_PRESSURE_OK   <=  [HMOT](CARD0).7i76.0.0.input-24 (air switch)
net estop-relay-clear          <=    [HMOT](CARD0).7i76.0.0.input-20 (estop relay is-energized 24V)

net AIR_PRESSURE_OK   => and2.0.in1
net estop-relay-clear          => and2.0.in2
net estop-clear                 <= and2.0.out

net estop-clear                 =>    iocontrol.0.emc-enable-in
net estop-out                   <=    iocontrol.0.user-enable-out
net estop-out                   =>    [HMOT](CARD0).7i76.0.0.output-15 (estop relay coil path to 0V)

(LCNC needed a little delay between estop clearing and machine-on state being requested)
setp oneshot.0.width  2
setp timedelay.0.off-delay  2
net estop-clear                => oneshot.0.in
net machine-on-delay      <=  oneshot.0.out
net machine-on-delay      =>  timedelay.0.in
net machine-on-signal     <=  timedelay.0.out
net machine-on-signal     =>  halui.machine.on

Thanks for the guidance!

-Ralph