Technical Articles

This series of white papers is written by our engineers and continues to grow. We hope you find them useful.

Safety

Imagine standing on your mark, waiting for your cue when, at the expected moment, there is a blinding flash, a deafening roar, and then… nothing. Or maybe it just gives you a scare and provides a story for later. In either case, an unintended pyro ignition can be bad news for actors, for pyrotechnicians, for system designers and for all involved. Aren’t there rules or standards to prevent pyrotechnic tragedies? There are, but you can’t always count on them to keep you safe, even when they are well intentioned. The National Fire Protection Association (NFPA) has aided in the safe presentation of pyrotechnics since 1978 by publishing and administering two standards for pyrotechnics: NFPA 1123 – Code for Fireworks Display, and NFPA 1126 – Standard for the Use of Pyrotechnics before a Proximate Audience. System designers and industry professionals contribute their expertise in a consensus process to regularly update these standards to reflect continually evolving technologies, products and practices. Any standards process inevitably lags behind current practice by some amount. It takes time to poll members, present issues, invite discussion, and arrive at and publish a final standard. Due to this lag, shortcomings in the standards may be identified and may persist for some time before being corrected in a future revision. As a result, an unsafe system may still comply with applicable standards. Experience with the design and use of electric match ignition systems has identified just such a potentially hazardous fault mode which can occur in systems compliant with NFPA 1123 and NFPA 1126.

What’s the Problem?

The fault mode in question is characterized by unintended ignition of a shell or other pyrotechnic device connected to an electric firing system. The cause of these ignitions is multiple undetected ground faults in the electric match firing circuitry. Typically, but not always, these faults are in the wiring from the firing system modules to the electric matches. Unfortunately, although both NFPA 1123 and 1126 address the topic of electric firing systems, neither standard contains requirements that would prevent these potentially serious faults. Any unintended ignition of pyrotechnics can be hazardous, but, if while in the vicinity of pyrotechnics, actors or other personnel involved in a presentation rely on the firing system to prevent ignitions, an unintended ignition could cause serious injury or worse.

How Ground Faults Cause Unintended Ignition

Just as the hazard we are examining is characterized as an unintended ignition, ground faults are an unintended connection of a portion of a circuit to ground, or earth, or any other conductive structure, surface or material. When this happens, and it can and does easily happen, electrical current flows where it isn’t supposed to. If two ground faults happen, electrical current can flow from the point of one fault to the other, with possible nasty consequences.

Circuit 1 shows how two ground faults can cause an unintended ignition in a single electric match system by allowing current to flow from one ground fault to another, bypassing the firing relay contact intended to prevent ignition until commanded closed.

Circuit 2 shows how two ground faults can cause an unintended ignition in a multiple match system.

Bad Luck or Inevitable?

What are the chances of a system developing the necessary two ground faults at the right place at the right time to cause an unintended ignition? As it turns out, the chances are high that this condition can develop. Ground faults can be easily caused by abrasion of insulated wire on exposed metal surfaces, corners, or concrete. The widespread use of inexpensive “zip” cord and temporary wiring in fireworks displays contributes to the hazard.

Faults that are acceptable in a system governed by NFPA 1123, where personnel are cleared from the firing and fallout areas before ignition, can become hazards in a system operating under NFPA 1126. Many pyrotechnicians have personally witnessed misfires and unintended ignitions that go unexplained partly because they are transient conditions and partly because temporary systems are dismantled, making diagnosis impossible.

In a permanent installation, or even limited engagement system, there is far greater opportunity for the development of faults; traffic between and during shows increases wear on system components and produces faults; degradation over time inevitably leads to faults; entropy prevails. The standard of care in the effects industry includes the statement that “A fault that can go undetected must be assumed to have already occurred.”

The reason for this statement is that over time faults will accumulate in a system. Although a system may work perfectly when installed, as the faults accumulate eventually two or more faults combine to produce a hazardous or tragic event. In the history of engineering failures, it is most often these multiple fault scenarios that are responsible for tragedies.

Prevention

If we accept the fact that ground faults can cause unintended ignition, as has been demonstrated convincingly in tests and by cooperating spontaneous ground faults in pyrotechnic installations, what can be done to prevent this hazard?

What about isolation?

Isolation sounds like a good way to prevent unintended ignition. In fact, isolation is mentioned in both NFPA 1123 and 1126. In NFPA 1126 (2001), paragraph 6.3.2 states: “Power sources used for firing pyrotechnic devices shall be restricted to batteries or isolated power supplies used for firing purposes only.”

NFPA 1123 has a similar paragraph. Both further state that a transformer is an acceptable means of isolation. Transformers are commonly used in electrical systems for their ability to provide isolation between subsystems. However, in neither standard is there any reference to the purpose for using power source isolation or transformers. Interestingly, we have already proved the case that isolation doesn’t work in preventing unintended ignition due to ground faults.

Look back at Circuit 1 and Circuit 2. Each circuit represents the power source as a transformer-isolated source. Isolation didn’t help; the offending ground faults occur after the isolation. In fact, an argument can be made that a non-isolated, grounded power source would be safer, but that would distract us from the problem of the niggling ground faults. Isolation does have some possible benefits as to reliability, induced currents, and protection from shoot-through of high voltages, but these are complex scenarios that still don’t support a conclusion that isolation is always the best approach to ignition source design.

Finally, there is the problem that unless we monitor to ensure the continued integrity of the isolation, we can’t count on it to be there when we need it. For our current concern we have to conclude that ignition power source isolation has no beneficial effect on system safety as regards ground faults.

What about grounding?

Grounding is frequently cited as an essential component of safe and reliable electrical system design. Can grounding solve the problem of unintended ignition due to ground faults? It could, if we carefully controlled every wire size, length, power supply size, match ignition current, fuse, etc.

Circuit 3 shows the same two-match fault as Circuit 2 but with one side of the firing system grounded. Ideally, all the current would go from Ground Fault #1 over to the system ground, bypassing Match #1 and Match #2. In practice however, the current will split among all available paths with some passing through Match #1, some through Match #2 and some straight to the system ground. This reduces the probability of an unintended ignition and increases the probability of a misfire (Match #1 may not fire when commanded) but cannot be relied upon to make the system safe.

Usually, grounded systems rely on the ground fault to produce a high enough current to trip a circuit protective device such as a fuse or circuit breaker, preventing all further current flow (in our case, stopping some portion of the show). Grounding does have other benefits relating to reduction of shock potential, dissipation of induced currents, and ease of troubleshooting and diagnostic self-tests. It does not however, solve our ground fault problem.

What about Shunts?

Shunting the match should prevent any current from passing through the shunted match. But, typical electric match resistance is 1.6 Ω. In practice, a few feet of wire, a few terminations, and a relay contact can easily approach 1.6 Ω. Because of this, the shunt is not perfect and the current is split between the shunt and the match.

Circuit 4 shows an example of a shunted match receiving current due to ground faults. Once again, the precaution improves performance, but is not an adequate guarantee of safety.

What about GFCIs?

Aren’t they designed to detect and protect against ground faults? Interestingly, GFCI stands for Ground Fault Circuit Interrupter, and sounds like the right animal for us. GFCIs detect “missing” current by comparing the current in both legs of the power source circuit; if the two currents aren’t equal some must have been “lost” to another path, usually a ground fault. On detecting this condition GFCIs interrupt the circuit (once again stopping some portion of the show). The first limitation of a GFCI is that it cannot do its job if it is installed before an isolation transformer. The second limitation is that in order to perform this detection GFCIs require a ground connection and this connection must be after any isolation device, contrary to the current code’s requirement. In theory this will solve our problem.

In practice, large distributed systems with many matches frequently have many low current ground faults or leakage paths. If the sum of all leakage paths approaches the current for a single match, the GFCI cannot distinguish between multiple harmless leaks or a single significant leak. This defeats the GFCI and results in nuisance tripping.

Design of a safe system

Fortunately for system designers, pyrotechnicians, and other personnel needing protection from unintended ignition, there is a viable solution to achieve a safe electric firing system. Ironically, the solution is described in NFPA 1126, but only in the appendix where it is relegated to “informational” status instead of the “requirement” status accorded the body of the standard. Paragraph A.6.3.3 states:

“Firing circuit design should be such that neither igniter lead is electrically connected to the firing power source until ignition is intended. It should not be permitted to wire one side of multiple match terminals together, then to switch current to the other terminal of the igniter.”

Another item from the appendix introduces another widely used (but not required!) safety element. Paragraph A.6.3 states in part:

“Electromagnetic induced currents in firing circuit wiring can be reduced by utilizing one or more of the following methods: … (4) Shunting near the electric match”

Finally, the body of the standard states clearly in paragraph 6.3.3 that:

“All firing systems shall be designed to ensure against accidental firing by providing at least a two-step interlock in which no firing power can be applied to any firing circuit unless the operator intentionally does both of the following: (1) Enables or arms the firing system and (2) Deliberately applies firing power”.

Circuit 5 shows a design incorporating all of the above requirements and recommendations as well as the previously discussed, but dubious, power source isolation. The features of this design include: separate arming switch, supply isolation, individual firing command control of each match circuit, dual-leg match isolation, and match shunts.

The essential feature of this design is the use of dual contacts to interrupt both sides of the match leads. This is what prevents those pesky ground faults from rendering the ignition system unsafe. (Note that while the schematic and text suppose the use of a relay, interruption of both sides of the match lead can equally well be accomplished by a solid state device such as a FET.)
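The arguments behind Circuits 1 to 5 can be checked numerically. The following Python model is an added example, not code from this article, from Birket Engineering or from the NFPA: a small exact (Fraction-based) nodal-analysis solver builds each circuit and reports the current through the match that was not commanded. Only the 1.6 Ω match resistance comes from the article; the 12 V supply and the supply, contact, wire, fault and ground-bond resistances are assumed values, as are the 10^9 Ω open contact and the 10^12 Ω isolation leak that keep the network solvable.

```python
"""Exact DC model of the article's ground-fault circuits (added example, not
code from the article, Birket Engineering or the NFPA).

A Fraction-based nodal-analysis solver puts numbers on Circuits 1 to 5: two
ground faults on a common-return (single-pole) firing circuit put current
through a match that was never commanded (Circuits 1 and 2); grounding one
side of the supply only splits that current (Circuit 3); a shunt path as
resistive as the 1.6 ohm match only halves it (Circuit 4); opening both match
leads leaves only the leakage of an open contact (Circuit 5). Only the 1.6 ohm
match resistance comes from the article; every other value is assumed.
"""
from fractions import Fraction as F

MATCH_R = F("1.6")         # typical electric match resistance (article)
SUPPLY_V = F(12)           # assumed isolated firing supply, volts
SUPPLY_R = F("0.1")        # assumed supply internal resistance, ohms
CONTACT_CLOSED = F("0.1")  # assumed closed relay contact, ohms
CONTACT_OPEN = F(10**9)    # an open contact modelled as a very large resistance
WIRE_R = F("0.2")          # assumed resistance of each lead, module to match
FAULT_R = F("0.5")         # assumed abrasion ground fault, ohms
BOND_R = F("0.05")         # assumed supply-to-earth bond for Circuit 3
LEAK_R = F(10**12)         # isolation is never perfect: tiny leak, every node to earth

GROUND, S_PLUS, S_MINUS = 0, 1, 2   # earth, supply +, supply - (the common bus)
def H(k): return 1 + 2 * k          # node of the switched (hot) lead at match k
def C(k): return 2 + 2 * k          # node of the common lead at match k

def solve_dc(n_nodes, resistors, injections):
    """Nodal analysis, node 0 = earth at 0 V. resistors: (a, b, ohms);
    injections: {node: amps injected}. Returns the list of node voltages."""
    n = n_nodes - 1
    G = [[F(0)] * n for _ in range(n)]
    I = [F(0)] * n
    for a, b, r in resistors:
        g = 1 / F(r)
        for x, y in ((a, b), (b, a)):
            if x:                       # earth has no equation of its own
                G[x - 1][x - 1] += g
                if y:
                    G[x - 1][y - 1] -= g
    for node, amps in injections.items():
        I[node - 1] += F(amps)
    for col in range(n):                # Gauss-Jordan elimination, exact arithmetic
        piv = max(range(col, n), key=lambda row: abs(G[row][col]))
        G[col], G[piv], I[col], I[piv] = G[piv], G[col], I[piv], I[col]
        for row in range(n):
            if row != col and G[row][col]:
                f = G[row][col] / G[col][col]
                G[row] = [x - f * y for x, y in zip(G[row], G[col])]
                I[row] -= f * I[col]
    return [F(0)] + [I[i] / G[i][i] for i in range(n)]

def match_currents(n_matches, fire, faults, dual_pole=False, grounded=False, shunted=()):
    """Current in amps (Fraction, magnitude) through every match.
    fire: matches whose firing contact is closed; faults: (node, ohms) to earth;
    dual_pole: a second contact also opens the common lead of un-fired matches;
    shunted: matches whose shunt path is as resistive as the match itself."""
    n_nodes = 3 + 2 * n_matches
    res = [(S_PLUS, S_MINUS, SUPPLY_R)]   # Norton form of the supply
    inj = {S_PLUS: SUPPLY_V / SUPPLY_R, S_MINUS: -SUPPLY_V / SUPPLY_R}
    for k in range(1, n_matches + 1):
        contact = CONTACT_CLOSED if k in fire else CONTACT_OPEN
        res.append((S_PLUS, H(k), contact + WIRE_R))                         # switched leg
        res.append((H(k), C(k), MATCH_R))
        res.append((C(k), S_MINUS, WIRE_R + (contact if dual_pole else 0)))  # return leg
        if k in shunted:
            res.append((H(k), C(k), MATCH_R))   # wire + terminations + contact ~ 1.6 ohm
    res += [(node, GROUND, r) for node, r in faults]
    if grounded:
        res.append((S_MINUS, GROUND, BOND_R))
    res += [(node, GROUND, LEAK_R) for node in range(1, n_nodes)]
    v = solve_dc(n_nodes, res, inj)
    return {k: abs(v[H(k)] - v[C(k)]) / MATCH_R for k in range(1, n_matches + 1)}

TWO_FAULTS = [(H(1), FAULT_R), (H(2), FAULT_R)]      # abrasion faults on both hot leads
BUS_AND_LEAD = [(S_PLUS, FAULT_R), (H(1), FAULT_R)]  # supply bus and one hot lead

def scenarios():
    """Current through the match that was NOT commanded, circuit by circuit."""
    return {
        "circuit2_single_pole": match_currents(2, {1}, TWO_FAULTS)[2],
        "circuit3_grounded_supply": match_currents(2, {1}, TWO_FAULTS, grounded=True)[2],
        "circuit4_shunted_match": match_currents(2, {1}, TWO_FAULTS, shunted={2})[2],
        "circuit5_dual_pole": match_currents(2, {1}, TWO_FAULTS, dual_pole=True)[2],
        "circuit1_bypassed_contact": match_currents(1, set(), BUS_AND_LEAD)[1],   # "fire on arm"
        "circuit1_dual_pole": match_currents(1, set(), BUS_AND_LEAD, dual_pole=True)[1],
    }

if __name__ == "__main__":
    for label, amps in scenarios().items():
        print(f"{label:26s} {float(amps):10.6f} A")
```

Run stand-alone it prints, for these assumed values, roughly 3.1 A through the un-commanded match in the single-pole circuit, about 0.24 A once the supply is grounded, about 2.1 A with a 1.6 Ω shunt path, and about 4.1 A through a match whose firing contact is still open when one fault sits on the supply bus; with dual-pole contacts both stray currents fall to the nanoamp leakage of the open contact while the commanded match still receives its full firing current.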

Understanding Standards

Standards are not a substitute for common sense or engineering analysis. Even the NFPA recognizes this. In the “Important Notice About This Document” in NFPA 1126 it states: “..the NFPA … does not … verify the accuracy of any information or the soundness of any judgments contained in its codes and standards.”

And:

“Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances.”

Standards can be an obstacle to good system design. Ideally, standards are a mechanism for lay individuals to benefit from the experience of acknowledged experts (the standards’ authors) without having to understand the underlying technical details. When a standard omits requirements to address known unsafe conditions, such as our ground faults, a false sense of security is created which can lead to tragedy. Similarly, standards can impede improved system designs; as we have seen, the requirement in NFPA 1123 and 1126 for “isolated” power sources is of questionable value and may prevent superior designs that could benefit from the use of grounded distribution systems. It may be difficult or impossible to obtain a variance from the authority having jurisdiction to allow the use of such an improved design.

The NFPA developed two pyrotechnic standards to serve the needs of two types of pyrotechnic presenters. For a special events pyrotechnic systems engineer NFPA 1123 is typically the applicable standard. It dictates mostly sound practices which can be demonstrated to be safe because, and only because, the entire firing field and fallout area will be cleared of personnel before bringing the ignition power source anywhere near the ignition system. For these events there are two overriding principles:

(1) The show MUST go on; given the special event nature of many shows, anything that would delay or interrupt the show seriously diminishes the event. Minor flaws (such as unintended second ignitions or misfires) are not significant.

(2) The primary safety tactic: Clear the entire firing field and fallout area of personnel before bringing the ignition power source anywhere near the ignition system.

For a show systems engineer dealing with personnel in proximity to hazardous effects, NFPA 1126 is typically applicable but falls below the required standard of care with regard to the prevention of unintended ignition. To implement only the requirements of NFPA 1126 would be negligent because such a system IS NOT SAFE when personnel are in proximity to the effects. For these types of shows two different overriding principles apply:

(1) The safety of persons is PARAMOUNT; all potentially hazardous effects systems, including pyro, must be designed in a manner which does not allow undetected faults to cause a hazardous condition.

(2) A hazardous condition must be remedied even if it causes delay or forfeiture of all or portions of the show.

The Next Steps

After all is said and done there are two implications for NFPA 1126. First, electric match ignition systems that rely on single pole firing relays are not safe for use in situations where personnel are in proximity to the effects after the ignition power source is present in the system. The standard already recognizes this issue as indicated by the inclusion of paragraph A.6.3.3 wherein dual-leg match isolation is recommended. Hopefully, as the standards committee and industry professionals become aware of the potential for harm if this recommendation is not followed, the standard will be revised to require this practice.

Second, isolation of ignition sources as described in NFPA 1123 (2000) and 1126 (2001) is inadequately described. The benefits of isolation, if any, need to be described and coordinated with provisions for designs with grounded distribution systems. This will allow designers to continue to improve the safety of electric ignition systems.

Author David Crater PE is a principal with LumenEssence, providing consulting and turn-key design for show systems. LumenEssence has designed numerous systems for controlling all aspects of show systems including pyrotechnics, flames, mechanics, audio, video and film effects with installations at major (and minor) attractions worldwide.

An Unintentional Pyro Ignition Experience

The NFPA 1126 2006 Edition incorporated the very circuit solution suggested in the Birket newsletter and Protocol, to permit and encourage fault detection, along with other language improvements. With the standards language in place, Birket began the design of a pyrotechnic controller product that realized the NFPA suggested practice and included additional features not available elsewhere.

Why do I pursue this issue despite the skepticism of so many?

One respondent who called me rather than emailing, John Noonan, asked “Why you are passionate about this? You must feel like you are pushing on a string.” He’s right. This is why I am passionate about this:

Eleven years ago, at Treasure Island in Las Vegas, Birket Engineering, Inc. installed a pyro system, the first that we had designed and installed entirely on our own. It was a simple system using relays controlled by a PLC, but it was a widely distributed system over a large show with a lot of matches. We designed and installed the system just as we had seen it done on other shows designed by the best in the business. We also read the code, and followed it, including the requirement for an isolated power supply.

Sometime after the show opened two actors were injured as they stood near a charge that wasn’t supposed to go off for another couple of minutes. As I understood it, one was burned on his arm; the other lost his vision temporarily. Both made a full recovery. They were very lucky. We were very lucky. Our industry was very lucky.

I got on an airplane and spent most of two weeks considering every possible reason why this could have happened. Of course I started looking in the wrong places: software and controller problems, then EMI, then galvanic effects. Gradually I concluded that it did not happen because of a legitimate command from the system. Then I gradually concluded that there existed no other sufficient source of energy such as EMI or a naturally occurring voltaic cell. That only left our own firing supply – but how, since I had concluded that the match was shunted at the time that it ignited. So, I started taking our firing circuit apart one ohm at a time. First, by redrawing the circuit showing the resistance of the wire I realized that it is quite possible to ignite a shunted match if there is enough current and voltage available, depending on how close the shunt is to the match, etc. Then, finally, the “two ground fault” thought hit me between the eyes. I realized that the requirement for an isolated supply allows ground faults to exist without penalty. So they do, at times. Given enough time, the right two ground faults will be present, allowing a deliberately ignited match to take another match with it, unexpectedly. Careful study of the circuit shows that there are other possible faults such as “fire on arm” and “spontaneous fire”.

Having reached this awareness, all I had to do was to walk the site with an ohm meter while shaking and pulling on wires to find the intermittent ground faults. Both ground faults were clearly a result of changes the local staff had innocently made using available wire. One was wire with low temperature insulation run through a conduit next to a very hot gas flame effect. The other was zip cord across an expanded metal surface that could be walked on. (I’m told that the blocking of the show had also changed, placing the actors closer to the errant pyro device than originally intended.) We already knew that the errant pyro ignited at the time as another legitimate ignition of a device in another area. I found intermittent ground faults in the temporary wiring on the positive side of both of these match circuits. I was then able to convincingly explain and conclusively demonstrate to Thaine Morris, Jules Lauve, Bob Bauer, and June Fields exactly what had happened. As a solution, we implemented double pole contacts in the areas of concern. We would have liked to have grounded the supply but the code did not permit that. Everyone was satisfied that the problem had been identified, and a solution implemented.

In the weeks that followed, being unable to ground the supply, I attempted to implement a ground fault detection system for that show. I spent several days monitoring ground faults. I learned that high resistance ground faults are always present throughout such a system, and they combine in parallel into the net effect of a low resistance ground fault. I also found that from show to show it was not unusual to find one or more points in the system temporarily grounded, probably related to how the pyro was loaded for that show. It simply is not possible to control what happens beyond the match terminals after the designer/installer leaves the site. It should be noted that Treasure Island may be a particularly problematic show in this regard because of the water and temperature cycling, but in other ways it is probably typical of other large permanently installed distributed firing systems.

With regard to ground fault monitoring I concluded that while the occasional low resistance ground fault is often distinguishable, often it is not due to the presence of all of the other high resistance ground faults that exist because one side of the system is wired in common all the way out to the match. A GFCI outlet doesn’t help of course because it is on the wrong side of an isolation transformer. Thus the only near-certain solution is double pole relays (or another approach, including solid state, that breaks both lines to the match). Being unable to ground the supply, we went back and installed more double pole relays. On future systems we implemented individual isolated one-per-match firing sources, and continuous testing for grounds and cross-wire conditions at each match.

I have wondered since why the industry has been slow to learn from this incident, and why I encounter so much resistance when I explain it. I have to remind myself that it took me two weeks to find the problem on this show, and that understanding it requires a solid grasp of several electrical concepts for which most people have no good use. It is also too easy to attribute an unintended ignition to EMI or some other mysterious cause. Only I have had the benefit of a first hand experience, a successful and exhaustive field investigation, and then hashing this over and over in my head for eleven years.

On the other side of the fence is that prevailing (but erroneous in this case) feeling that “isolated” means “safe” because it is an NEC solution to a shock hazard. Finally, there is one other factor that I believe to be involved. The industry has developed a very responsible attitude that says “it’s pyro, it can do bad things, so you have to stay away from it or somebody might get hurt.” Unfortunately I’ve heard that idea submitted as the “theory” for an incident when science does not quickly present an easily digestible theory about an unintentional ignition. There is no NTSB of pyro. Had it not been for the support of the four aforementioned individuals, and my willingness at the time to do nothing else until we understood exactly what happened, the incident at Treasure Island would have been attributed to the “well, pyro can hurt people” theory and the solution would have been to “change something until we think it won’t happen again” and to change the show blocking so that if it did happen again there would be no one nearby – until complacency set in again.

Later John Noonan wrote:

“The skeptic would say that you are trying to change the rules to match your unique product. Personally, knowing you, I would guess that you are just trying to make the world a little safer.”

A completely fair question is, “Since Birket is the only one pushing this, does Birket have something to gain?” Possibly, but realistically, not much, and it is nothing that is not available to everyone else in the business. Is it a reason not to call attention to an important safety issue? No. In fact, I’ll explain exactly what we have so that others can have it too.

In the months and years after the Treasure Island incident we took it upon ourselves to develop a firing system that tests every match terminal for continuity to ground and to other match terminals using the same current-limited source used to test match continuity. We were counseled that it was patentable, but we did not feel it appropriate to pursue exclusivity on an important safety concept. So, go for it – it is a good idea. Our system marks each and every fault detected with an LED. We also use an isolated and pre-charged capacitor as the firing source for each match circuit. No possibility of cross-talk between circuits. And, we keep every match shunted until the very moment of intended ignition.

In other words, you bet, we took what we learned and designed a system to make sure that an unintentional ignition would never happen again on a system of our design. We feel that anything else would have been an abdication of responsibility after that event at Treasure Island. There are now several installations of our system around the world but they probably represent less than two percent of the pyro firing systems out there. They represent some larger, but still small, percentage of the fixed installations. Pyro is a relatively small part of what we do, and we are not in the mainstream of the pyro community. We have never done a temporary installation, and do not expect to have that opportunity. The likely market for our system will be for use in close proximity to personnel. The existing, trusted and popular systems have a lot of market momentum in this industry, and they have an excellent safety record. We would be naïve to think that we could push a change to the standard that would suddenly make our system the one to buy. By pressing this issue however, we have raised the industry’s awareness on an important safety issue, and that is the right thing to do. It is also an important function of this committee.

The above text was taken from an email dated 10/19/2004 from Glenn Birket, P.E. to part of the membership of the NFPA Technical Committee on Special Effects. In his email, Mr. Birket relates a story supporting a change to NFPA 1126 allowing non-isolated power supplies, and requiring that both sides of the match circuit be broken. It was written after he accepted that the committee would not be willing to add the requirement for breaking both sides of the match circuit for this revision cycle.
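The per-terminal fault scan Mr. Birket describes in the email above (every match terminal tested for continuity to ground and to every other terminal with the same current-limited source that tests match continuity, each fault flagged individually) can be sketched in a few dozen lines. The following Python model is an added example, not Birket Engineering's firmware or any product's code: the 1.6 Ω match resistance comes from the article, while the test current, compliance voltage, fault thresholds and the sample harness readings are assumptions constructed for the illustration.

```python
"""Per-terminal continuity, ground-fault and cross-wire scan (added example,
not Birket Engineering's firmware or any product's code).

Models the test described in the e-mail: a current-limited source drives each
match terminal against earth, against every other terminal and across its own
match, and any stray path below a threshold is flagged per match. The 1.6 ohm
match is from the article; test current, compliance voltage, thresholds and
the sample harness are assumptions.
"""
import math
from itertools import combinations

MATCH_R_NOMINAL = 1.6           # ohms, typical electric match (article)
TEST_CURRENT_A = 0.001          # assumed 1 mA, well below any match's no-fire current
COMPLIANCE_V = 24.0             # assumed: the test source cannot drive more than 24 V
CONTINUITY_WINDOW = (0.8, 3.2)  # assumed acceptance band around the nominal match
FAULT_MAX_OHMS = 10_000.0       # assumed: any stray path below this is a fault
OPEN = math.inf                 # "no path" reading


def measure(true_ohms):
    """What a current-limited source reads for a path of true_ohms: the
    resistance, or OPEN once the compliance voltage is reached (24 kohm here)."""
    volts = TEST_CURRENT_A * true_ohms
    return OPEN if volts >= COMPLIANCE_V else volts / TEST_CURRENT_A


def scan(matches, readings):
    """matches: {match: true resistance across its two terminals}.
    readings: {(point_a, point_b): true resistance} of stray paths between
    terminals ('M2+', 'M2-', ...) and 'EARTH'; unlisted pairs are open.
    Returns {match: sorted fault labels}; an empty list means the match is OK."""
    def path(a, b):
        return readings.get((a, b), readings.get((b, a), OPEN))

    faults = {m: set() for m in matches}
    terminals = [m + pol for m in matches for pol in "+-"]
    for m, ohms in matches.items():                      # continuity of each match
        seen = measure(ohms)
        if seen == OPEN:
            faults[m].add("OPEN_MATCH")
        elif not CONTINUITY_WINDOW[0] <= seen <= CONTINUITY_WINDOW[1]:
            faults[m].add("BAD_CONTINUITY")
    for t in terminals:                                  # every terminal to earth
        if measure(path(t, "EARTH")) < FAULT_MAX_OHMS:
            faults[t[:-1]].add("GROUND_FAULT")
    for a, b in combinations(terminals, 2):              # every terminal to every other
        if a[:-1] != b[:-1] and measure(path(a, b)) < FAULT_MAX_OHMS:
            faults[a[:-1]].add("CROSS_WIRE->" + b[:-1])
            faults[b[:-1]].add("CROSS_WIRE->" + a[:-1])
    return {m: sorted(f) for m, f in faults.items()}


# Constructed harness: five matches, one burnt-out igniter, one abraded lead
# touching an expanded-metal deck, two return wires pinched together.
SAMPLE_MATCHES = {"M1": 1.6, "M2": 1.7, "M3": OPEN, "M4": 1.5, "M5": 1.6}
SAMPLE_READINGS = {
    ("M2+", "EARTH"): 0.4,   # abrasion fault on the hot lead
    ("M2-", "EARTH"): 2.1,   # the same fault, seen through match 2
    ("M4-", "M5-"): 0.7,     # pinched returns
    ("M4+", "M5-"): 2.2, ("M4-", "M5+"): 2.3, ("M4+", "M5+"): 3.8,  # seen via the matches
}


def demo():
    """Scan the constructed harness; one LED per match in the real thing."""
    return scan(SAMPLE_MATCHES, SAMPLE_READINGS)


if __name__ == "__main__":
    for match, problems in demo().items():
        print(match, "OK" if not problems else ", ".join(problems))
```

The scan reports by match rather than by terminal, so a single abrasion fault that the meter also sees through the match body shows up once; the compliance voltage of the test source is what bounds the highest fault resistance the scan can see at all, which is why the threshold has to be chosen below that ceiling.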

In 2002, Stage Directions Magazine suggested that I write a 1000-word article on “How-To” and “Safety” on flame effects. As I didn’t want to be even indirectly responsible for a rash of theater fires, the article was light on “How-To” and heavy on “Safety” with a strong flavor of “Don’t try this at home.” Here’s the article as originally submitted. See the June 2002 Stage Directions Magazine for the final version. The Published version included a short directory of flame effect vendors. – Daniel Birket

Birket Engineering, Inc., May 2002

If you’re thinking of using real flame in your next show, my advice is: think again. The regulatory and financial barriers are daunting and the added realism of an open flame is seldom worth its very real risks.

There is a good reason why you rarely see flame on stage except at big-budget “permanent” productions in New York, Las Vegas, and high-end theme parks. The history books of theater are scarred by horror stories of fires. Most fire marshals and other safety professionals won’t even say “flame” and “theater” in the same breath – if not because of the risks, then because it’s much easier to just say “no” than to go the extra mile required to make it safe.

Since you’re still reading, we’ll assume that the many theatrical flame substitutes available do not satisfy your needs and you must have real flame. In this rare case, here’s how to begin:

First, prepare to do some heavy reading. Get a copy of NFPA 101® – Code for Safety to Life from Fire in Buildings and Structures from the library or directly from the National Fire Protection Association, International® (www.nfpa.org). This book is likely to govern the regulatory decision to permit or prohibit your flame effect application. You’ll need it for an introduction to the vocabulary of fire safety and to simply get a feel for what you’re getting yourself into.

If your production is outdoors, you’ll have a little more latitude by sidestepping many of the building issues covered by this code, but “public assembly” and “structure” still covers a lot. The risk to the building is not the primary concern – the safety of the audience, cast, and crew is. Outdoor flame effects also bring their own problems, including how to cope with wind. The Buccaneer Bay outdoor stunt show at the Treasure Island at the Mirage® casino in Las Vegas, for example, has many thousand dollars in weather monitoring equipment alone.

Next, pay a visit to your friendly neighborhood AHJ or Authority Having Jurisdiction. This may be the county fire marshal, or a state, county, or local building, health, occupational, fire, or even electrical inspector. An insurance company’s inspector can also veto your plans. It’s very important to establish a good relationship with your AHJ from the beginning. They can stop you before you start, or worse, pull the plug after you’ve invested time and money in your flame effect. A communicative inspector is a jewel as they have considerable room for interpretation of the codes and standards. In many cases, exception and waiver is the only possible path to regulatory approval.

If your AHJ hasn’t said “no” immediately, next get NFPA 160 – Standard for Flame Effects Before an Audience. If you’re considering pyrotechnics too, you’ll want NFPA 1126 – Standard for the Use of Pyrotechnics before a Proximate Audience. They were developed by a broad range of experts specifically for the needs of the theatrical and themed entertainment professions. These are standards, not codes. A standard details how to design and operate your effect to get and keep a “yes” from your AHJ. The code gives your AHJ ways to say “no”.

If you’re unlucky, you may discover that your local AHJ hasn’t yet adopted the two special effect standards published by the NFPA Technical Committee on Special Effects since 1994. In this case, you may be faced with an inspector accustomed to enforcing compliance with an older code like NFPA 85 – Boiler and Combustion Systems Hazards Code. This can become surreal: “Take me to your boiler.”

Both of the special effect standards are mercifully short and readable. In NFPA 160, you’ll find a list of requirements for approval, including the contents of the written Flame Effect Plan, a mention of the Flame Effect Demonstration, Fire Hazard Analysis, plus safety test documents, technical drawings, manuals and operating procedures – all possibly required prior to approval. However, the details of what you’ll need are almost entirely up to your AHJ. Thankfully, the designer of your flame effects can provide much of this pile of paperwork.

Another significant requirement is the Flame Effect Operator. This person is held responsible for all aspects of the flame effect, including maintenance, testing, pre, post, rehearsal, and emergency operation, fuel management, and supervision of any assistants. The operator must be at least 21 and may be required to have additional licenses or training required by the AHJ. (For example, the Clark County (Las Vegas) Fire Dept. requires flame effect operators to have a current pyro-technician’s license.) You’ll need Standby Fire Safety Personnel armed with supplemental fire-fighting equipment too. With even the smallest flames, a cool-headed crewmember standing in the wings with a ready fire extinguisher is a minimum precaution to avert disaster.

The standard discusses seven classes of flame effects. Manual operation is permitted for the simplest group (matches, cigarette lighters, candles, and small handheld torches with extinguisher caps) provided its operator attends the effect continuously. All other types require an automatic flame-safety control system to manage the flame and its fuel. Most installations use either natural gas or propane because gas-fueled flames can be cut off instantly in an emergency.

The more complex classes of effects have an interface between your show-control system and the dedicated flame-safety control system. The most stringent requirements apply to flame effects that operate in close proximity to cast, crew, or audience. For example, the flame effects at EFX Alive in the MGM Grand Hotel®, Las Vegas include two fire-breathing dragons and a ring of fire surrounding an actress. The flame-safety control system monitors every flame and fuel valve in detail and synchronizes and interlocks their operation with dozens of other effects, sound, lighting, and rigging.

Among the technical details in the balance of the standard is a requirement for an emergency stop system that can instantly shut down all flame effects. Other requirements cover safe isolation of fuel, ignition supervision, safety interlocks, atmospheric monitoring, and flame resistant materials. Did you know that absolutely nothing on the set of the Backdraft® attraction at Universal Studios Hollywood® is actually flammable? The entire set is an ingeniously ventilated fireproof enclosure and even the “paper” props on the set are actually painted aluminum sheets.

Even including the helpful information in the appendixes of NFPA 160, it remains a standard for minimum requirements, not a how-to manual. You’re still going to want the help of a company with experience in flame effects. Unexpectedly, the NFPA 160 standard can help here again, as the listing of the members of the NFPA Technical Committee on Special Effects is a Who’s-Who of experts in this very specialized field. A few calls to this group will quickly connect you to people who can turn your burning vision into safely functioning hardware.

Daniel Birket is a member of the NFPA Technical Committee on Special Effects and the Vice President of Birket Engineering, Inc., which specializes in the safe control of themed entertainment rides and shows and theatrical effects. Birket projects include: Buccaneer Bay at Treasure Island at the Mirage®, and EFX Alive at the MGM Grand Hotel®, Las Vegas, Backdraft® and Waterworld® at Universal Studios Hollywood®, and Illuminations 2000: Reflections of Earth, at Walt Disney World’s EPCOT®.

By Daniel Birket
Birket Engineering, Inc., February 2002

Synopsis
Pyro-technicians are trained to handle pyrotechnic devices with great care in part because “you never know when it might go off.” The basis of this prudent uncertainty can be traced in part to a lack of information and sometimes to inappropriate techniques. This document attempts to illuminate some obscure areas of pyrotechnics and list some practices that can reduce the risk of unexpected ignition.

To Fire or Not to Fire…
Pyrotechnics are a much-anticipated component of shows at theme parks, theatres, and on tour. When the “fireworks” occasionally fail to fire or work, it disappoints the audience, stirs up the management, and stresses out the pyro crew. But any pyro-technician (who would like to continue to count to ten on his fingers) knows that the problem of devices that don’t ignite when you expect is nothing compared to the hazard of ones that do when you don’t. The lack of a pyrotechnic accent may detract from the artistic presentation, but a charge that explodes unexpectedly will shut down the entire show whether or not it harms anyone. This problem of unexpected ignition is the focus of this document.

There is a fairly widespread notion that it’s easy to make a system that will ignite pyro-electric devices. After all, you only need a medium-size battery to ignite an electric match (often called a “squib”). Anyone able to fix a flashlight can build a system that fires an electric match. This is true: it is easy to ignite pyro. In fact, it’s hard to make a system that won’t light pyro – until you want to – and that is the question.

Ohms and Amperes and Watts, Oh my!
Voltage, current, resistance, and power determine whether or not an electric match will ignite and a good engineer will thoroughly analyze these parameters when designing a pyro-electric control system. But it’s not necessary to know Ohm’s Law to know how to avoid unexpected ignition – just a few rules of thumb.

An electric match will ignite if enough power is sent through it to heat it to its ignition temperature. A tiny amount of power won’t do it. When a pyro controller tests for continuity, it uses extremely low power to safely test for the presence of the match. All commercial pyro controllers take great care with the continuity check circuitry because it is an obvious area of risk – a little too much power during the test might ignite a match instead of just testing it.

Stopping Unexpected Power
There are two ways to avoid sending unwanted power through the electric match:

  • Block any unwanted power from reaching the match, and
  • Route any unwanted power away from the match.

Blocking unwanted power involves placing insulators and shields between possible power sources and the match. Similarly, routing unwanted power away from the match involves putting conductors between the match and a safe place to dump the unwanted power. With a little thought, we can usually block the unwanted power sources from reaching the match. For the remaining sources, including those we don’t expect, we can try to route the unwanted power away to a safe place.

There are several kinds of unwanted electrical power that might find their way to an electric match. Most are fairly obvious and easily avoided, but some are quite devious.

Unexpected Circuits
While everyone is used to wires guiding electricity along the circuits we want, circuits can and do form anywhere different voltages find a way to connect. Current can flow through catwalks, conduits, pipes, even damp stains on surfaces. Have you ever felt a tingle when touching some equipment? That electrical source might have been able to light an electric match.

Obviously, we don’t want the pyrotechnic wiring to come in contact with wiring for lighting, audio, or other power. There is more than enough power in a sound system to light an electric match. Cross-wires between ignition channels are another common cause of unexpected ignition. Cross-wires may occur where there are many channels of pyro or other wiring grouped together. A pyro controller that tests for channel cross-wires as it performs its continuity check will reduce this risk.

Ground Faults
One unexpected, but very common, route for unwanted power is the ground – that is, the dirt under our feet. In almost any electrical power wiring system you’ll find “ground” wires that lead ultimately to the earth. Metal frame structures are often tied to the earth with special wiring. “Lightning rods” are wired to the ground with thick cables to dissipate the natural voltage of passing rain clouds. Practically every electrical system uses “ground” on one side of its circuits. This is a good safe practice for most electrical wiring, but bad news for a pyro-electric system.

Although one connection to ground is harmless, it’s then easy for a stray wire strand, a fleck of metal, or even a drop of water to form a second connection somewhere else. A second connection may complete an electric circuit between an unwanted power source (perhaps another ignition channel) and the match through the ground. For this reason, good pyro control systems are isolated from ground to help prevent ground faults. Regular testing or a ground fault detection feature is necessary to ensure that the system remains isolated from ground. A ground-fault detection circuit works like a “GFCI” (Ground Fault Circuit Interrupter) safety wall outlet to detect unexpected connections to the earth. (Note: Plugging a pyro controller into a GFCI outlet doesn’t work.)

Electromagnetic Interference

Electric power is able to “side-step” from one circuit into another even when there is no electrical conductor between. Wherever electricity flows there is a magnetic field that can cause current to flow in another circuit without ever touching. Power transformers use this principle. When it happens unintentionally, it’s called Electromagnetic Interference or EMI. If you have ever heard a 60-cycle “hum” in the audio system when the lighting system turns on you’ve seen this principle in action. The high-power lighting circuits can easily jump to unshielded audio wiring anywhere the wires are routed together, for example in a cable tray. High power circuits can have the same effect on unshielded pyro channel wiring.

Insulate, Isolate, Shield, Protect, and Verify
Here are some techniques for keeping these unexpected power sources out of the pyro-electric distribution system:

  • Grounded metal conduit: In a permanent installation, grounded metal conduit provides excellent physical protection for pyro channel wiring. Wiring is unlikely to be damaged inside the conduit and grounding the conduit helps to route unwanted power away from the pyro devices. Grounded metal conduit also shields the wire from EMI fields that may induce current in the pyro wiring. Note: If water collects in the conduit, it may eventually break through the wire’s insulation and produce a ground fault.
  • Heat and Abuse Resistant Insulation: Where pyro wiring is exposed or movable, the wire’s insulation should be able to stand up to burning fallout and rough handling. If the insulation melts or scrapes away, it’s easy to form an unwanted circuit. Teflon is one type of tough insulation.
  • Shielded wire: Shielded wire has a web of wire wrapped around the center conductors. When the shield (not the wire) is connected to ground at one end, it will block most Electromagnetic Interference. Note: Take care not to ground the pyro channel wiring by allowing it to touch the shield.
  • Twisted-pair wire: When a pair of wires is twisted together, they become less susceptible to EMI. This is a good alternative to more expensive shielded wire.
  • NO “Zip Cord”: Un-shielded, un-twisted, “zip” or lamp cord generally has a soft thin insulation that is neither heat nor abuse resistant. It may be cheap, but it’s not suitable for permanent wiring. Zip cord wiring is a common factor in many cases of unexpected ignition. Remove any temporary zip cord with the spent pyro.
  • Isolation Transformer: If a pyro system uses a low-voltage AC firing current, isolation transformers between zones can help block ground faults and other unwanted circuits from forming. Note: this technique provides only limited protection and is easily compromised unless the isolation is tested regularly.
  • Isolated Firing Circuits: One excellent way to avoid unwanted circuits from forming between one pyro channel and another is to isolate every circuit from every other. Good pyro control systems use individual firing capacitors to handle each channel independently.
  • Verified Circuits: To ensure that every pyro channel is isolated from ground and from every other pyro channel, use a pyro controller that verifies every circuit during the continuity check. A simple continuity check will ensure that a match will fire when expected, but ground-fault and cross-wire checks are necessary to ensure that no match fires unexpectedly.
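The last bullet describes three distinct pre-arm tests. The block below is an added illustration of how a controller can combine them into one go/no-go decision; it is not code from Birket Engineering or from any commercial controller. The resistance thresholds, the channel readings and the dataclass names are all assumed values constructed for the example.

```python
"""Pre-arm circuit verification for a multi-channel electric-match
controller: continuity, ground-fault and cross-wire checks combined.

Added illustration, not code from Birket Engineering or any real
controller. All resistance thresholds are assumed values for the
example, not specifications from the article.
"""
from dataclasses import dataclass, field

# Assumed thresholds (ohms). A real controller would use the match
# manufacturer's data and its own measurement accuracy.
MATCH_MIN_OHMS = 0.5       # below this the channel looks shorted
MATCH_MAX_OHMS = 5.0       # above this the match or its wiring is open
ISOLATION_MIN_OHMS = 1e6   # channel-to-ground and channel-to-channel must exceed this


@dataclass
class ChannelReading:
    """Low-power measurements taken on one channel before arming."""
    channel: int
    loop_ohms: float                  # end-to-end through the match
    to_ground_ohms: float             # either conductor to earth ground
    to_other: dict = field(default_factory=dict)   # other channel -> ohms


def verify_channels(readings):
    """Return a list of (channel, problem) tuples; an empty list means all clear.

    Continuity alone only proves a match *will* fire on command; the
    ground-fault and cross-wire tests are what prove it will not fire
    when it should not.
    """
    problems = []
    seen_pairs = set()
    for r in readings:
        if r.loop_ohms > MATCH_MAX_OHMS:
            problems.append((r.channel, "open circuit: no match or broken wire"))
        elif r.loop_ohms < MATCH_MIN_OHMS:
            problems.append((r.channel, "short circuit across channel"))
        if r.to_ground_ohms < ISOLATION_MIN_OHMS:
            problems.append((r.channel, "ground fault: channel leaks to earth"))
        for other, ohms in r.to_other.items():
            pair = tuple(sorted((r.channel, other)))
            # report each cross-wired pair once, from the lower channel's view
            if ohms < ISOLATION_MIN_OHMS and pair not in seen_pairs:
                seen_pairs.add(pair)
                problems.append((r.channel, f"cross-wire with channel {other}"))
    return problems


def safe_to_arm(readings):
    """True only when every channel passes all three checks."""
    return not verify_channels(readings)


# Constructed sample readings (not real measurements).
SAMPLE = [
    ChannelReading(1, loop_ohms=1.8, to_ground_ohms=5e7, to_other={2: 5e7, 3: 5e7}),
    ChannelReading(2, loop_ohms=1.6, to_ground_ohms=120.0, to_other={1: 5e7, 3: 5e7}),  # wet: ground fault
    ChannelReading(3, loop_ohms=9.9e9, to_ground_ohms=5e7, to_other={1: 5e7, 2: 5e7}),  # no match connected
    ChannelReading(4, loop_ohms=1.7, to_ground_ohms=5e7, to_other={5: 0.3}),            # cross-wired to 5
    ChannelReading(5, loop_ohms=1.7, to_ground_ohms=5e7, to_other={4: 0.3}),
]

if __name__ == "__main__":
    for ch, why in verify_channels(SAMPLE):
        print(f"channel {ch}: {why}")
    print("safe to arm:", safe_to_arm(SAMPLE))
```

Channel 1 alone would pass, which is exactly the case a bare continuity check would wave through for the whole rack; the ground-fault on channel 2 and the cross-wire between 4 and 5 only show up because the isolation readings are part of the decision.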

Shunts
After the pyro system designer and the pyro-technician user have taken every reasonable precaution to prevent unwanted power from reaching the electric match, it can still happen. To deal with this problem, pyro control systems “shunt” each pyro channel. The “shunt” is an automatic and/or manual switch on each pyro channel that conducts unwanted power away from the electric match where it will do no harm. This works very well – as long as the channel wiring is heavy enough. If the wiring is too long or too thin, the unwanted power may prefer to flow through the electric match instead of the shunt. It depends on the wire length, but 14-gauge wire is usually heavy enough to ensure that channel shunts can provide reasonable protection for the match.

Some pyro systems use a manual shunt that protects the pyro-technician while loading the pyro devices. This is adequate for installations where no-one will go near the pyro after the shunt is removed, but inappropriate for a live-action show. Ideally, every pyro channel should be individually shunted up until the moment it is fired. With this style of controller, the entire cast and crew is protected from unexpected ignition at all times.
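The “too long or too thin” caveat above is a current-divider problem: from the point where stray current enters, the match and the wire loop back to the closed shunt are in parallel. The following is an added worked calculation, not from the article or any product, that makes the dependence on gauge and run length visible. It assumes the worst case of a stray source appearing across the match terminals at the far end of the run, an assumed bridgewire resistance of 1.5 Ω, and standard copper resistance-per-metre figures; none of these numbers come from the article.

```python
"""Current-divider estimate of how much stray current a channel shunt
diverts away from an electric match, as a function of wire gauge and
run length.

Added illustration, not from the article or any product. The stray
source is assumed to appear across the match terminals at the far end
of the run (the worst case for the shunt); the match resistance and
the gauge table are assumed typical copper values, not article data.
"""

# Resistance of solid copper wire, ohms per metre (standard AWG table).
OHMS_PER_METRE = {
    14: 0.008284,
    18: 0.02095,
    22: 0.05295,
}

MATCH_OHMS = 1.5   # assumed bridgewire resistance for the example


def loop_resistance(awg, run_metres):
    """Round-trip resistance from the match back to the shunt (two conductors)."""
    return 2.0 * run_metres * OHMS_PER_METRE[awg]


def fraction_through_match(awg, run_metres, match_ohms=MATCH_OHMS):
    """Share of a stray current injected at the match that flows through the
    match rather than back through the wiring to the closed shunt.

    The match and the wire loop are in parallel, so the match carries
    R_loop / (R_match + R_loop) of the total: a heavier, shorter loop
    steals more of the current away from the match."""
    r_loop = loop_resistance(awg, run_metres)
    return r_loop / (match_ohms + r_loop)


def shunt_table(run_metres):
    """Fraction of stray current reaching the match, per gauge, at one run length."""
    return {awg: fraction_through_match(awg, run_metres) for awg in OHMS_PER_METRE}


if __name__ == "__main__":
    for run in (10, 30, 100):
        print(f"{run} m run:")
        for awg, frac in shunt_table(run).items():
            print(f"  {awg} AWG: {frac * 100:5.1f}% of stray current reaches the match")
```

The table shows why the article ties its 14-gauge advice to run length: on a 30 m run, 14 AWG lets roughly a quarter of the stray current reach the match, while 22 AWG on the same run lets more than two-thirds through, so the shunt is barely helping at all.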

Notice
This document is presented as a service to the entertainment community for informational and promotional purposes only. It is not intended as engineering advice or opinion and is not guaranteed to be current, correct, or complete. Links to other web sites are not endorsements of those sites.

By Daniel Birket of Birket Engineering, Inc. Originally written Jan-2002

Synopsis
A poorly designed fault message system can desensitize operators to real problems. This document discusses control systems that cry, “Wolf!” and presents techniques to help keep messages meaningful.

Ancient Wisdom
Control systems depend on their human operators to handle problems beyond the computer’s capabilities. While a control system is usually very good at managing the details of complex equipment, it falls far short of the ability to handle every problem that may (and eventually will) occur. System designers close the gap between the expected, designed-for situations and the rest of the universe of possible situations by designing the system to yell for help with alarm messages. But yelling for help too often can lead to trouble.

Aesop’s fable of “The Shepherd’s Boy” teaches that people will eventually ignore a false alarm. Control systems that demand the operator’s attention too often or for too little reason tend to lose the operator’s attention instead. When the operator begins to treat alarm messages as a nuisance, the ability of the message to help ensure safety is impaired or lost. If slapping the [Silence Alarm] button has become a Pavlovian response to the sound of the alarm buzzer, the alarm system is no longer effective – and no one will respond when the wolf really comes.

Don’t be a Nuisance
A nuisance message is the most common way that a system cries “Wolf!” Any message that the operator feels is a waste of time is a “nuisance”. Frequent nuisance messages will quickly train the operator to slap the [Silence Alarm] button without investigating.

A message may be labeled a nuisance for several reasons:

  • False Trigger: The message appears in response to an event other than the intended trigger. For example: A “Sensor failure” message triggered by turning a subsystem on or off.
  • Hair Trigger: The message appears when the system is operating outside its nominal range, but still within its tolerance limits. For example: A “Response failure” message when the response was merely a little slower than usual.
  • Poor Trigger: The parameters that trigger the message don’t consider all pertinent conditions. For example, a “water level too low” alarm that doesn’t matter if the water pumps are not running.
  • Misunderstood: Sometimes “nuisance messages” are simply poorly worded or not explained well. If the message doesn’t mean anything to the operator and doesn’t seem to affect anything, it will probably be regarded as a nuisance.
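The three trigger faults above are all fixable in the evaluation logic rather than in the message text. The block below is an added illustration built around the “water level too low” alarm from the list; it is not code from any Birket Engineering system. The process, its nominal and tolerance limits, the settling time and the sample readings are assumed values constructed for the example.

```python
"""Trigger logic for a "water level too low" alarm that avoids the nuisance
triggers described above: a false trigger on pump start/stop transients, a
hair trigger inside the tolerance band, and a poor trigger that ignores
whether the pumps are running at all.

Added illustration, not code from any Birket Engineering system. The
process, its limits, the settling time and the sample readings are all
assumed values constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class LevelLimits:
    nominal_min: float = 40.0     # below this the level is outside its nominal range
    tolerance_min: float = 30.0   # below this it is outside tolerance: alarm
    settle_seconds: float = 5.0   # readings this soon after a pump start/stop are transient


@dataclass
class PumpState:
    running: bool
    changed_at: float   # seconds, on the same clock as the level readings


def low_level_alarm(level, pump, now, limits=LevelLimits()):
    """Evaluate one level sample; returns (alarm, explanation)."""
    # Poor-trigger fix: low water does not matter while the pumps are off.
    if not pump.running:
        return False, "pumps stopped: level not pertinent"
    # False-trigger fix: sloshing right after a pump starts is not a fault.
    if now - pump.changed_at < limits.settle_seconds:
        return False, "pump just started: reading ignored while settling"
    # Hair-trigger fix: outside nominal but inside tolerance is not an alarm.
    if level < limits.tolerance_min:
        return True, f"water level {level:.1f} below tolerance limit {limits.tolerance_min:.1f}"
    if level < limits.nominal_min:
        return False, f"water level {level:.1f} below nominal but within tolerance"
    return False, "water level normal"


def evaluate_log(samples):
    """Run a sequence of (t, level, pump) samples; returns the alarm decisions."""
    return [(t, level, *low_level_alarm(level, pump, t)) for t, level, pump in samples]


# Constructed sample sequence: pumps start at t=0, the supply fails
# around t=20, and the pumps are shut down at t=30.
SAMPLE = [
    (2.0, 12.0, PumpState(True, 0.0)),     # start transient: ignored
    (10.0, 35.0, PumpState(True, 0.0)),    # low but within tolerance: no alarm
    (20.0, 25.0, PumpState(True, 0.0)),    # genuinely too low: alarm
    (31.0, 5.0, PumpState(False, 30.0)),   # pumps off: not pertinent
]

if __name__ == "__main__":
    for t, level, alarm, why in evaluate_log(SAMPLE):
        print(f"t={t:5.1f} level={level:5.1f} alarm={alarm} ({why})")
```

Only the third sample raises the alarm. The explanation string is returned alongside the decision so that the reason for a suppressed reading can be logged, which is how an operator who does see the eventual alarm can be confident it is not another nuisance.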

Consequences
One good rule-of-thumb for message systems is “If the system stops, it’s important to explain the problem with a message.” Sometimes this leads operators to believe the converse too – “If the system doesn’t stop, the message isn’t important.” This can lead to trouble when the system displays a warning message, but leaves it up to the operator to deal with the problem.

This problem can be managed through the careful assignment of consequences to each message. Most messages should have a reasonable, measurable, and known impact on operation. A warning message that complains, “Train is too fast exiting slowdown brake” might not receive attention for some time. A fault message that announces, “Auto mode is disabled. Train is too fast exiting slowdown brake. Use supervisor’s key.” will get the immediate attention of a supervisor.

Wachusay?
One way to help ensure the long-term effectiveness of a messaging system is to write clear, easy-to-understand messages. Some control systems report faults with extremely short messages (perhaps due to a character limit), numeric codes alone, or even just a light. This is common and acceptable in simple systems, but more complex systems require more explanation.

Cryptic messages are harder to understand than “plain English” and may get the wrong response or no response from an operator. Consider these two messages:

  • Fault: LEL sensor 4 high
  • EMERGENCY STOP: A flammable gas leak has been detected in the Southeast corner of the facility services room in the basement. Notify security immediately at extension 7911 and start the evacuation procedure. (LEL gas detector 4)

Both are possible messages describing a signal from a lower-explosion-limit gas detector, but only one is guaranteed to elicit a timely and appropriate reaction from the operator.

With a modern messaging system, the system designer can include all of the following information in a message:

  • When? The date and time of the fault. Advanced systems can record all messages in a searchable database for easy recall and analysis days or months later.
  • What? The complete identification of the faulted device or subsystem. The name should match the name used in the system’s manuals and drawings. Advanced systems can show a picture of the device and access the appropriate manual or drawings. Park-wide messaging systems will specify the attraction and system in addition to the device.
  • Where? The exact location of the faulted device or subsystem. Advanced systems can locate the device on an architectural drawing, map, or aerial view.
  • Why? The exact cause of the fault with as much explanation as is required. Advanced systems can display the program logic that triggered the alarm.
  • Who? The people required to respond to the fault: operations supervisor, maintenance crew, or the security department. Advanced systems can notify these people directly via email, pager, or other means.
  • How? The appropriate response and troubleshooting procedure for this problem. Advanced systems can display help files containing almost any necessary material, including manufacturer’s manuals and drawings.

News and Trivia
Messaging systems must take care to separate important news from trivial information. Some systems use the same alarm mechanism (perhaps a pop-up window) to announce all events regardless of their importance. If a system beeps and posts a message every time a minor event happens, any important message will be lost in the sea of trivial messages.

One way to avoid losing important messages in the crowd is to separate messages into classes by severity. Colorizing the severity classes is one way to help the operator to distinguish the classes and react appropriately.

Some major severity classes are:

  • FAULT: A problem that prevents continued normal operation
  • WARNING: A problem that requires operator attention, but normal operation can continue at the operator’s discretion.
  • NOTICE: Information the operator may need at the moment.
  • LOG: Information that should be recorded for possible later review.

The FAULT and WARNING classes require operator attention and should ring the buzzer and/or blink the trouble light. The NOTICE and LOG classes don’t require the operator’s attention and should not. LOG messages are not of interest at the time they occur and should not appear to the operator at all.

The FAULT class of message reports problems that stop equipment. For example: “RIDE STOP: Segment 2 of slowdown zone brakes failed to engage. Call maintenance at x7611 and make Ride Stop announcement”.

WARNING messages don’t affect operation, perhaps because there is no clearly appropriate response to the trouble. For example: “WARNING: Unusually high average train speed from lift exit to slowdown brake entrance. Adjust lift chain exit speed”?

NOTICE messages should only be sent when the operator clearly needs coaching. For example, if the operator presses the [Dispatch] button on a roller coaster without effect, the system might provide this help: “Close the queue gates before dispatching the train”. The alarm sound should not be used with NOTICE messages.

The system designer must take care to avoid using the lower levels unnecessarily. In particular, LOG messages should not be presented to the operator at all. For example: “2002-02-22 14:22:00 Train 2 dispatched”. These messages are only useful for reconstructing the events that led up to a problem.
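The following block ties the two lists above together: messages carry the when / what / where / why / who / how fields, and the four severity classes decide what reaches the buzzer, the display and the record. It is an added illustration, not code from any Birket Engineering system. The sample message texts reuse the article’s own examples where it gives them (the ride-stop and queue-gate wording, the x7611 extension); the device names, locations and the class/field names are constructed for the example.

```python
"""Severity-classed messages carrying the when / what / where / why / who /
how fields, routed so that only FAULT and WARNING ring the buzzer, NOTICE
is displayed silently and LOG goes to the record without ever reaching
the operator.

Added illustration, not code from any Birket Engineering system. Sample
texts reuse the article's examples where it gives them; the device names,
locations and class names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from enum import IntEnum


class Severity(IntEnum):
    LOG = 0       # record only, never shown
    NOTICE = 1    # shown, no alarm sound
    WARNING = 2   # needs attention, operation may continue
    FAULT = 3     # operation stopped


@dataclass
class Message:
    severity: Severity
    what: str            # device or subsystem, named as in the manuals and drawings
    where: str           # physical location
    why: str             # the cause, stated only as far as the system actually knows it
    who: str = ""        # who must respond
    how: str = ""        # the response procedure
    when: datetime = field(default_factory=datetime.now)

    def render(self):
        text = f"{self.severity.name}: {self.what} ({self.where}): {self.why}"
        if self.who:
            text += f" Respond: {self.who}."
        if self.how:
            text += f" Action: {self.how}"
        return f"{self.when:%Y-%m-%d %H:%M:%S} {text}"


@dataclass
class OperatorStation:
    buzzer: bool = False
    display: list = field(default_factory=list)   # what the operator sees
    log: list = field(default_factory=list)       # searchable record of everything


def dispatch(msg, station):
    """Route one message by class; returns the station for chaining."""
    station.log.append(msg.render())                # every class is recorded
    if msg.severity == Severity.LOG:
        return station                              # LOG is never shown to the operator
    station.display.append(msg.render())
    if msg.severity >= Severity.WARNING:
        station.buzzer = True                       # only FAULT and WARNING demand attention
    return station


# Constructed messages, one per class.
SAMPLE_MESSAGES = [
    Message(Severity.FAULT, "Slowdown zone brakes, segment 2", "Brake zone",
            "failed to engage", who="Maintenance, x7611",
            how="Make the Ride Stop announcement."),
    Message(Severity.WARNING, "Train speed, lift exit to slowdown brake entrance",
            "Lift hill", "unusually high average speed",
            how="Adjust lift chain exit speed."),
    Message(Severity.NOTICE, "Dispatch", "Station",
            "Close the queue gates before dispatching the train."),
    Message(Severity.LOG, "Train 2", "Station", "dispatched"),
]


def run_sample():
    """Dispatch every sample message to a fresh station and return it."""
    station = OperatorStation()
    for m in SAMPLE_MESSAGES:
        dispatch(m, station)
    return station


if __name__ == "__main__":
    s = run_sample()
    print("buzzer:", s.buzzer)
    print("\n".join(s.display))
```

Keeping the class as an ordered enumeration lets the routing rule be a single comparison, and keeping the fields separate (rather than one free-text string) is what lets a later search of the log filter by device or location.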

… and Nothing but the Truth
It’s also possible for a system to lose the trust of the operator by being too helpful. Systems are typically able to detect more problems than they can accurately diagnose. A system may be able to detect that a motor is no longer running, but can’t know if it has stopped because of lack of power, overheat, overload, relay failure, mechanical failure, or something else. If the system reports “Motor 1 overloaded” every time someone turns off the manual breaker, people will not trust the system’s diagnosis. Instead the system should only report what it actually knows, in this case: “Motor 1 has stopped unexpectedly. Check switch, overload, overheat, & rotation”.

Conclusion
Large systems require well-designed message systems to help manage their complexity. Simply ringing the bell and printing a cryptic line of text for every event is not enough. Poorly thought-out messages may fail to communicate their meaning or their importance. A pattern of “nuisance” messages will erode the operator’s confidence in the system. If the attention of the operator is lost, the alarm will no longer serve its purpose of enlisting human aid – and no help will come to deal with the wolf.


By Daniel Birket
Birket Engineering, Inc., December 2001

Synopsis
Undetected failures permit us to blindly trust safety systems that no longer work and can lead to situations that we thought couldn’t happen. This document explores strategies to identify and prevent Silent Death through automatic and manual validation.

What is Silent Death?
Silent Death is the undetected failure of a device that we rely upon to ensure safety. The device may be anything: sensor, brake, motor, mechanical interlock, etc. that protects us against some risk. If a device fails without anyone noticing it, it has an undetected failure.

Why is Undetected Failure Important?
If the thing stops working and nobody can tell the difference – why do we need it?

Remember that the device was put there to guard against some significant risk. A significant risk will eventually become very significant reality. Ask Murphy. But now the gadget that should have handled the problem didn’t work when we needed it… and we didn’t have a clue. We didn’t even think the resulting mess was possible. Unsuspected Failure might be a better description.

A Silent Death Scenario
Imagine a simple ride system that starts using an electric motor and stops using a pneumatic brake. Bad things could happen if we can’t stop the ride promptly, so we want to be sure that we have air pressure at the brake before we run the motor. Simple: put a pressure switch on the air supply line and interlock it with the motor. Now we can’t start the ride unless there is enough air pressure to stop it again. We can stop worrying about air pressure.

Not really. Now we have to worry about the pressure switch – and we still have to worry about air pressure.

Over a season or two, the pressure switch quietly rusts in place, freezing the switch contacts where they are – ON. Nothing visibly changes. Nobody notices. The ride works fine and the switch even agrees with the actual pressure in the air line. Everything is fine until one day when a backhoe hits the air line, or maybe the compressor’s circuit breaker trips.

Now the air pressure for our brakes is gone, but we don’t know it because the pressure switch rusted shut last winter. Even worse, we’re sure that we’re protected from that problem – so go ahead and press the [Start] button. We can always trust the system to keep us out of trouble… Hey! Why won’t this thing stop?

Expect the Unexpected
The first step in solving any problem is to realize that we have one. In order to eliminate possible undetected failures we must first identify where they may occur. This can be a big task because just about everything fails eventually. We can trim the job a bit if we only worry about things that might impact safety.

One accepted system for finding out what can go wrong is an F.M.E.A.: Failure Mode & Effects Analysis. (Not F.E.M.A.; they clean up after disasters. An F.M.E.A. prevents them.) Although this subject can get very technical, it is still useful in its basic form. Even a casual safety analysis is better than none – just don’t assume that you’ll find all the problems by yourself.

This kind of safety analysis starts with making a list of the components in our system and sitting down with a pencil to think about each piece.

The questions to ask about each component are:

  1. How might this thing fail? (Failure Mode) Our pressure switch above might fail stuck in the ON or OFF position.
  2. What will happen when it fails in each mode? (Effect) It’s very helpful to categorize these by severity: “possible injury”, “safety loss”, “downtime”, “expensive”, or “complaint”. Effects of “bad appearance” or “no effect” don’t need the same attention. Our stuck ON pressure switch above goes in the “safety loss” category because it no longer protects us against an air pressure failure. If it were stuck OFF, we’d use the “downtime” category because the ride wouldn’t start.
  3. How likely is it to fail? This can be tough to figure out, but categories will help again. We can count on “Human Error”. (Don’t forget the human “component” of the system.) “Factory Defect” and “Fatigue” will nail us regularly. Murphy defined the criteria: “Anything that can go wrong, will.” If we can think of a way it can break without an absurd concatenation of improbable events, we should consider it.
  4. How do we detect the failure? Here is our first chance to make a difference. If we choose a good way to detect the failure, we’ll know when we need to do something. See below.
  5. How do we correct the failure? The simple (and usual) way to keep our system safe is to “correct” the failure by shutting everything down: E-Stop. If we want to enhance reliability too, we must find a way to safely continue without the component until we can fix it.

This component-by-component analysis of our system may turn up a variety of interesting things that we had not realized before. But, since our subject is undetected failure, our interest now is any failure with an effect of “safety loss” and a detection type of “undetected”.

Solve Silent Death
Now that we know where to expect undetected failures, what can we do about them? There are just two ways to eliminate undetected failures: detect the failure or prevent the failure.

Prevent the Failure

There is a hard way and an easy way to prevent the failure of a component:

  • The hard way is to make the component 100.0 % reliable. This is really tough and most designs settle for a one-in-a-billion chance. Even if we use two components, there is still the chance that a shared event will wipe out both components. Lightning. Corrosion. Power Failure. Redundancy doesn’t solve everything and it always introduces new and more complex problems.
  • The easy way is to eliminate the component. Simplify the system. The biggest problem with undetected failure is that we think we’re protected when we’re not. If we can do without the gadget we won’t depend on something that will let us down. The guy in the rental car with the broken gas gauge will run out of gas. The guy on the motorcycle without a gas gauge will never let his tank go dry – he’ll unscrew the cap and look.

Detect the Undetected
There are two major ways to detect a failure: Automatically using a sensor (and maybe a control computer) or manually using our hands and eyes. Automatic detection has the advantage of saving us from trying to watch everything at once, but brings complexity that is itself susceptible to failure. The problem of detecting the failure of the sensor that we installed to detect a failure is validation. Our pressure switch above got us into trouble because we didn’t confirm that it was still valid – that is, still reporting meaningful information.

There are three major ways to automatically validate a sensor (or other component), plus manual validation makes four.

  1. Continuous Automatic Validation: This is the best form of validation and usually involves buying two sensors instead of one. By comparing the two sensors we will know instantly when one has failed. (But like a man with two watches, we generally won’t know which one is right.)
  2. Cyclic Automatic Validation: The next best way to check our sensor is every time (or cycle) that we use it. If we have a sensor to detect when the load gates are ajar, we should check that the sensor notices each time we open and close the gates. (Note: it can be important to detect a failure prior to each cycle of operation instead of during; otherwise we may be too late to correct it.)
  3. Periodic Automatic Validation: The remaining automatic means of validating a sensor is simply to check it on some regular schedule: daily, weekly, etc. We could have automatically checked our pressure switch above by cutting off the air each morning.
  4. Periodic Manual Validation (Inspection): Here’s the method so familiar to ride maintenance people – open it up and look – every day or month or season. This is as good a method as the people, time, and money we devote to it.
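The three automatic methods above are small enough to show in code. The block below is an added illustration, not code from Birket Engineering or any ride control system: it simulates the rusted pressure switch from the scenario and the load-gate switch from item 2, and applies continuous (two switches compared), cyclic (switch must follow every gate open and close, checked before dispatch) and periodic (vent the air and expect the switch to drop out) validation to them. The switch model, thresholds and class names are assumed for the example.

```python
"""Three automatic validation strategies applied to the pressure switch and
load-gate examples: continuous (two sensors compared), cyclic (the gate
switch must follow every open/close) and periodic (vent the air each
morning and expect the switch to drop out).

Added illustration, not code from Birket Engineering or any ride system;
the simulated switch, gate and thresholds are assumed for the example.
"""


class PressureSwitch:
    """Simulated switch that closes above a threshold, with an optional stuck
    failure that freezes its contacts (the rusted switch in the scenario)."""

    def __init__(self, threshold_psi, stuck=None):
        self.threshold_psi = threshold_psi
        self.stuck = stuck   # None, True (stuck ON) or False (stuck OFF)

    def read(self, pressure_psi):
        if self.stuck is not None:
            return self.stuck
        return pressure_psi >= self.threshold_psi


def continuous_validate(reading_a, reading_b):
    """Two switches on the same air line must agree. Disagreement proves that
    one has failed, though not which one (the man with two watches)."""
    return reading_a == reading_b


def periodic_validate(switch, vented_psi=0.0, line_psi=90.0):
    """Scheduled check: with the air cut off the switch must read OFF, and with
    normal pressure it must read ON. A switch stuck either way fails one half."""
    return switch.read(vented_psi) is False and switch.read(line_psi) is True


class GateSensorCycleCheck:
    """Cyclic validation of a load-gate 'ajar' switch: it must read ajar when
    the gate is opened and closed when it is shut, and must have shown both
    states within the load cycle before a dispatch is permitted."""

    def __init__(self):
        self._reset()

    def _reset(self):
        self.saw_ajar = False
        self.saw_closed = False
        self.fault = None

    def on_gate_command(self, commanded_open, switch_reads_ajar):
        """Record the switch reading that followed a gate command."""
        if switch_reads_ajar != commanded_open:
            self.fault = "gate commanded %s but switch reads %s" % (
                "open" if commanded_open else "closed",
                "ajar" if switch_reads_ajar else "closed")
        if switch_reads_ajar:
            self.saw_ajar = True
        else:
            self.saw_closed = True

    def dispatch_permitted(self):
        """Checked before each dispatch, not during it, so a failure is caught
        while there is still time to correct it. Resets for the next cycle."""
        ok = self.fault is None and self.saw_ajar and self.saw_closed
        self._reset()
        return ok


if __name__ == "__main__":
    good = PressureSwitch(60.0)
    rusted = PressureSwitch(60.0, stuck=True)
    print("periodic, good switch:", periodic_validate(good))
    print("periodic, rusted switch:", periodic_validate(rusted))
    print("continuous, line vented:", continuous_validate(good.read(0.0), rusted.read(0.0)))
    gate = GateSensorCycleCheck()
    gate.on_gate_command(True, True)
    gate.on_gate_command(False, False)
    print("dispatch permitted:", gate.dispatch_permitted())
```

Note what each method does not catch: continuous comparison passes while both switches still agree under normal pressure, and only the periodic vent exposes a switch stuck ON, which is the point the scenario makes about relying on a sensor that has not been asked to change state since last winter.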

Conclusion
Adding sensors and interlocks to a system may not make it any safer and will always add complexity and new problems. The solution is to design the system so that it naturally validates its own operation. A poorly designed system will at best require a lot of time-consuming inspection and at worst may give a false appearance of safety. A well-designed system will use the intrinsic characteristics of the equipment, crosschecks between components, and feedback to ensure that nothing fails undetected.


BIRKET Engineering News, Jan/Feb 1994

About the only universal point of agreement among designers, owners and operators of systems is that human safety is the most important issue. Not surprisingly, designers relentlessly pursue the foolproof safety interlock. Sometimes these good intentions actually lead to an increase in the probability of a harm causing event!

Consider the example of an electric lawn mower that is equipped with a mercury tilt switch as a backup to the main power switch. The motor and blade will always stop when the lawn mower is tipped up. We feel better because the user, repair person, and others near the mower will almost never be exposed to a spinning blade. The interlock also appeals to us because it is simple in operation and is not likely to fail.

In spite of the warning label that says to always unplug the mower before placing hands near the blade, operators gradually take the interlock for granted. Also note that when the mower is tipped, the interlock obscures the fact that the mower is not switched off or unplugged. Consider that some users will have to mow grass on a steep hill. They can be relied upon to bypass the tilt switch with a piece of wire so that they can get the job done. Maybe someone will bypass the tilt switch to work on the mower. Either way, they may forget to remove the bypass, and probably will not tag the mower for other users to indicate that the interlock has been defeated; after all, who would ever put their hand near a mower blade without first unplugging the thing.

Eventually, the mower will be tipped up for cleaning by an operator who has come to depend upon the interlock. If not this, then the operator will be distracted and forget to unplug or turn off the mower at the power switch. Finally, after cleaning, the operator will grab the mower with fingers partly in the blade area, set the mower upright, and lose a few fingers as the motor starts.

Readers who have experience with interlock design may suggest that the interlock was not properly designed. The interlock could incorporate a feature requiring that the power switch be cycled once each time that the tilt switch stops the motor, so that the motor can’t start unexpectedly. Is this really an improvement? Imagine what the new, uninformed user will do the first time that the mower is tipped and then does not restart when it is righted again. The user may not start investigating with the power switch, but by poking around under the mower (with the power switch still on) to see what is holding the blade. This “improvement” may prompt a mower maintenance person to defeat the interlock after being requested to repair the mower by an owner who is confused by this feature. In both cases, the designer may be considered guilty of inviting harm.

The discussion of this example could go on, and it would not lead to clear conclusions. Still, we benefit from considering the issues. There is plenty of literature on the subject of interlocks, but there is no source of clear and simple rules; each device or system must be considered on its own merits. It is possible to find court cases on both sides of these difficult issues. Below are some design issues related to this example. The discussion of each issue is consistent with the safety literature, but remember that each interlock must be considered based upon the details of the design and the intended use.

Safety ultimately depends upon people, not interlocks. Safety is best achieved through an active training program. Interlocks that invite reliance upon the interlock instead of upon safety awareness and training often create more harm than they prevent because they discourage use of the proper safety procedure.

The best way to make a machine or system safe for service or inspection is to disconnect it from all of its power sources and from all sources of stored energy. This is often called the “zero mechanical state” or “primary protection”. The OSHA lockout/tagout procedure relies upon this idea. Avoid reliance upon secondary protection.

It is almost routine to circumvent interlocks, either during maintenance and test, or to increase production. Assume that this will happen. Design interlocks to require frequent verification, preferably as a part of normal operation. Avoid interlocks that can fail without being detected, especially if (as is usually the case) the preventative maintenance and periodic inspection programs are not reliable.

Do not depend upon people to read warning labels. There is a tendency to “liability-proof” machines with warning labels, but this often leads to an overload of information and warnings that are not followed.

The best interlocks are simple in design and implementation. They are easily understood, and easy to maintain. It is rarely a good idea to interlock an interlock, but often good to use two dissimilar interlocks to address the same safety concern, if the redundancy can be assured through routine verification.

Lighting

By Tom King, 2011

Color temperature is measured in degrees Kelvin (degrees K), but William Thomson, Lord Kelvin, did not create this term in reference to the chromaticity of light. Why is his name associated with the science of light? Read on.

First let’s introduce a new term (to some readers). It is a “black body”.

A black body is a theoretical object that absorbs 100% of the radiation that hits it. Therefore it reflects no radiation and appears perfectly black.

As the term “theoretical” indicates, it is an object that can only be confirmed by scientific and mathematical processes. In scientific terms it is a “body” that only exists at a temperature of absolute 0. (That is -273.15 degrees centigrade.) This is the temperature at which all molecular motion ceases. Therefore any action placed upon this black body at absolute 0 is totally absorbed by the body. Enter Lord Kelvin, since he is the person who identified the existence of absolute zero and therefore where the absolute “black body” exists. Since absolute 0 has never been reached (but close to it), a pure black body has never been “seen”.

However, by passing a current through a metallic alloy of carbon and tungsten, a correlation between the light produced and the Kelvin temperature scale can be created. (Lord Kelvin’s experiments did make use of carbon to find an absolute black body.) As the current passes through this alloy, it is heated and begins to glow. The light emitted at particular temperatures (heat) measured in degrees Kelvin follows a temperature scale. As the emitted light goes from no light to red in color through the spectrum to ranges of white (and into the ultraviolet and beyond), the temperature of the alloy is measured (in degrees K), hence the term “Light Temperature”. If the alloy were at absolute 0 in temperature, no light would be emitted (remember, no molecular movement at 0 degrees absolute) regardless of the electrical energy “pumped” into the alloy.

So even though Lord Kelvin had nothing to do with light measurement his temperature scale is used in light measurements. “He never saw the light” associated with his scientific efforts.

Now to Color temperature
The Kelvin scale is used in the measurement of the color temperature of light sources. Color temperature is based upon the principle that a black body radiator emits light whose color depends on the temperature of the radiator. (I think that I just said that above.)

Black bodies with temperatures below about 4000 K appear reddish whereas those above about 7500 K appear bluish. Color temperature is important in the fields of image projection and photography where a color temperature of approximately 5600 K is required to match “daylight” film emulsions. In astronomy, the stellar classification of stars and their place on the Hertzsprung-Russell diagram are based, in part, upon their surface temperature, known as effective temperature. The photosphere of the Sun, for instance, has an effective temperature of 5778 K. (Oh me now we are “way out”.)

In other words Color temperature is a characteristic of visible light that has important applications in lighting, photography, videography, publishing, manufacturing, astrophysics, and other fields. The color temperature of a light source is the temperature of an ideal black-body radiator that radiates light of comparable hue to that of the light source. Color temperature is conventionally stated in the unit of absolute temperature, the kelvin, having the unit symbol K. (Gee, I must have had it correct above.)

Another way to describe it is: The color temperature of a light source is the temperature at which the heated black body matches the color (appearance) of the light source in question. (Did I repeat myself?)

Color temperatures over 5,000 K are called cool colors (bluish white), while lower color temperatures (2,700–3,000 K) are called warm colors (yellowish white through red).

In case you still don’t get the picture, here it is:

[Figure: Planckian locus in the CIE 1931 chromaticity diagram. The CIE 1931 x,y chromaticity space, also showing the chromaticities of black-body light sources of various temperatures (Planckian locus), and lines of constant correlated color temperature. CIE is the International Commission on Illumination.]

Planckian locus defined:
In physics and color science, the Planckian locus is the path or locus that the color of an incandescent black body would take in a particular chromaticity space as the blackbody temperature changes. It goes from deep red at low temperatures through orange, yellowish white, white, and finally bluish white at very high temperatures.

It is a curious thing that what we refer to as a “warm white” occurs at the lower temperatures while what we refer to as “cool white” occurs at the highest temperatures.
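To put numbers on the locus described above, here is an added example (not code from the article or from Birket Engineering) that evaluates the published Kim et al. (2002) polynomial approximation of the Planckian locus in CIE 1931 x,y space. The coefficients are the standard ones for 1667 K to 25000 K; the “warm”/“cool” labels follow the article’s 3,000 K and 5,000 K boundaries, and the “neutral” label for the range in between is my own assumption.

```python
"""CIE 1931 chromaticity of a black body at a given temperature (added example).

Uses the Kim et al. (2002) cubic approximation of the Planckian locus.  It is
valid for 1667 K <= T <= 25000 K; outside that range the formula is simply
wrong, so the function refuses rather than extrapolating.
"""


def planckian_xy(temperature_k: float) -> tuple:
    """Return CIE 1931 (x, y) for a black body at temperature_k kelvin."""
    T = float(temperature_k)
    if not 1667.0 <= T <= 25000.0:
        raise ValueError("approximation valid only for 1667 K <= T <= 25000 K")

    # x is a cubic in 1/T with two temperature ranges.
    if T <= 4000.0:
        x = (-0.2661239e9 / T ** 3 - 0.2343589e6 / T ** 2
             + 0.8776956e3 / T + 0.179910)
    else:
        x = (-3.0258469e9 / T ** 3 + 2.1070379e6 / T ** 2
             + 0.2226347e3 / T + 0.240390)

    # y is a cubic in x with three temperature ranges.
    if T <= 2222.0:
        y = -1.1063814 * x ** 3 - 1.34811020 * x ** 2 + 2.18555832 * x - 0.20219683
    elif T <= 4000.0:
        y = -0.9549476 * x ** 3 - 1.37418593 * x ** 2 + 2.09137015 * x - 0.16748867
    else:
        y = 3.0817580 * x ** 3 - 5.87338670 * x ** 2 + 3.75112997 * x - 0.37001483
    return (x, y)


def describe(temperature_k: float) -> str:
    """Article's naming: warm up to 3000 K, cool from 5000 K; 'neutral' between (my label)."""
    if temperature_k <= 3000.0:
        return "warm"
    if temperature_k >= 5000.0:
        return "cool"
    return "neutral"


def locus_table(temperatures) -> list:
    """(T, x, y, label) for each temperature, so the red-to-blue drift of x is visible."""
    return [(T, *planckian_xy(T), describe(T)) for T in temperatures]


if __name__ == "__main__":
    for T, x, y, label in locus_table([2000, 2856, 4000, 5600, 6500, 8000]):
        print(f"{T:6.0f} K  x={x:.4f}  y={y:.4f}  {label}")
```

Walking the table from 2000 K upward, x falls steadily, which is the “deep red through white to bluish white” path the definition above describes; 2856 K lands close to the chromaticity of an incandescent lamp (CIE Illuminant A) and 6500 K near the daylight end.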

Are you thoroughly confused now? I rest my case.

By Glenn Birket, 2004

The purpose of this paper is to review photometry concepts which are applicable to strobes, to better understand how strobes are specified. The issue is considered from the perspectives of energy in and light out, then also from the photographer’s approach to quantifying light.

The light output from a strobe is usually quantified in one of three ways.

  • Joules: The electrical energy input to the strobe may be stated in joules. These figures can only be compared if one may assume that the strobes compared convert energy to light with the same efficiency.
  • Candela: The light output may be specified in candela, a measure of luminous intensity. Candela must be specified for a specified direction. It is therefore usually stated in one of two ways: (a) Mean Spherical Candela is the average of the light output in all directions. (b) Beam Candela is the light output in a specific direction, usually the maximum. Ideally a luminous intensity diagram (usually a polar plot) is provided for each of two mutually perpendicular planes, thus indicating the candela output in all directions.
  • Guide Number: For photographic purposes, light output from a strobe is specified as a Guide Number. Given a particular film speed, the guide number may be divided by the flash-to-subject distance to obtain the required camera aperture for a proper exposure.

This paper explains the relationship of these three methods of quantifying light from a strobe. It is intended to serve as an aid to interpreting strobe specifications. To begin, an introduction to photometry is provided. Topics related to strobes are introduced later in the paper.

Photometry
Photometry is the measurement of the intensity of light and its illuminating power. Luminance is light leaving a light source. Illuminance is light incident upon a surface. When considering the light from a luminaire, including a strobe, we are interested in luminance. When lighting a subject we are more interested in illuminance. Either way, we must understand luminance first, because it is the luminance that creates the illuminance.

Luminous Intensity
In both the SI and English measurement systems the basic measure of luminous intensity is the candela (cd). (The predecessor of the candela was the candle. One candela = 0.98 candle.)

To understand the candela, assume that we have the ideal candle. It would be an isotropic point source of light, meaning that all light comes from a central point and radiates uniformly outward in all directions. For measurement purposes, imagine the light passing through an imaginary sphere centered on the light source.

Area on the surface of the sphere may be measured in steradians (sr). A steradian is an area equal to the square of the radius of the sphere. For example, if the radius of the sphere is one meter, one steradian is the solid angle projected on one square meter of the surface of a sphere with a one meter radius. Similarly a steradian yields one square foot at one foot from the point source. A steradian is independent of distance from the center of the sphere; it is the measure of solid angle. Since the surface area of a sphere is 4π times the square of the radius of the sphere, there are always exactly 4π steradians in a sphere.

A candela is a point source of light yielding 1/683 watt (W) of light energy per steradian.

1 cd = 1/683 W/sr

Just as the steradian is independent of the length of the radius of the sphere, the candela is independent of the distance from the light source.

Think of candela as an emission from a source which loses interest in what happens to the photons it emits. The photons may diverge or may have been focused in a single direction.

An isotropic one candela source will radiate a total of 4π candelas (12.57 candelas), which is 4π/683 watts (1.84 × 10⁻² watts).

Light from a real source is of course not uniform in all directions. Therefore luminous intensity in candela is always specified in a specific direction from the source. A luminous intensity diagram, usually a polar plot, may be provided showing the intensity in all directions. Often two diagrams are provided, in each of two perpendicular planes.

Luminous Flux
Once light has left its source it is luminance and is quantified by the unit of luminous flux which is the lumen (lm). Think of a lumen as light that has left the source but has not yet arrived at a destination.

By definition, an isotropic one candela light source emits one lumen per steradian. Thus one lumen has 1/683 watt of illuminating power.

1 cd = 1 lm/sr

1 lm = 1/683 W = 1.464 × 10⁻³ W

Imagine the one candela isotropic point source above. Since the luminous flux in one steradian is one lumen, the luminous flux over one square meter at a distance of one meter from the source is one lumen. The same can be said of the luminous flux over one square foot at one foot from the source. The sum of the luminous flux in all directions then is 4π lumens, or 12.57 lumens, or 1.84 × 10⁻² watts of luminous power for an isotropic one candela source.

Thus, the candela and the lumen are interchangeable in a sense, because one results directly from the other. The candela describes light from its source while the lumen describes light flux in transit. The key difference is in how the measurements relate to distance from the source. Since light usually spreads out as it travels, as you move farther from the source it takes more surface area to capture the one lumen that resulted from the one candela at the source. A candela is independent of distance; a lumen is not.

Even though practical light sources do not emit light uniformly, the output from a lamp is usually quoted in lumens. This is accomplished by summing the lumens in all directions with consideration for the varying intensity in different directions. Mathematically this is:

F = ∫I dR

over the entire sphere where F is luminous flux in lumens, I is intensity in candela, and dR is an element of solid angle. In practice, this value is measured by placing the light source in the center of an integrating sphere which captures and measures all of the light leaving the source, in all directions.

A light source may be fully specified by its output in lumens and two mutually perpendicular plots of the luminous intensity (candela) distribution.

Illuminance
When luminous flux strikes a surface, illumination is provided. The unit of illuminance is the lux (lx). It is defined as one lumen per square meter.

1 lx = 1 lm/m²

In the English system the similar unit is the foot-candle, which is defined as one lumen per square foot. One foot-candle equals 10.76 lux.

A spherical surface will receive one lux of illuminance from a point light source that emits one candela of luminous intensity in its direction from a distance of one meter.

Inverse Square Law
The density of flux (illumination) radiating out from a point source diminishes by the reciprocal of the square of the distance. Beginning with an isotropic one candela source, we know that at one meter we will have one lumen per square meter of spherical surface, i.e. one lux. According to the inverse square law we will have one quarter lux at two meters, one ninth lux at three meters, and so on.

To apply this relationship, we must know the effective point of origin of the light. For a simple lamp, it will be the lamp. If the light is somehow focused, though, the virtual source may be elsewhere, such as behind the apparent source. If the light is perfectly collimated, the source will be at infinity and the level of illumination will not change with distance.

Practical sources are never truly a point. The inverse-square law will however give good results if the distance from the source is at least five times the diameter of the source. Similarly, when the distance to the source decreases to less than 1/20 of the diameter of the source, changes in distance no longer affect the flux density.

For different distances from the same source:

E₁ r₁² = E₂ r₂²  or  E₁ = E₂ (r₂ / r₁)²

Using this relationship, we may measure the flux at one distance from the source and know the flux at another distance from the source.

If E is flux density in lux from a source of intensity I, and r is the distance from the source in meters, then:

E = I/r²  or  I = E r².

Using this relationship we may determine the intensity of the source in candela simply by multiplying the flux density by the square of the distance.
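The two relationships above, F = ∫I dΩ for total flux and E = I/r² for illuminance, as an added example (not code from the paper): the integral is evaluated numerically for an arbitrary axially symmetric intensity distribution, which is how a lamp’s lumen rating is built up from its candela plot, and the inverse-square helper enforces the paper’s rule of thumb that the point-source model only holds at five or more source diameters. The Lambertian source, the step count and the function names are my choices.

```python
"""Luminous flux from an intensity distribution, and the inverse-square law.

Added example, not code from the paper.  luminous_flux() evaluates
F = integral of I over solid angle for an axially symmetric source;
illuminance() applies E = I / r**2 and refuses distances where the paper
says the point-source assumption breaks down (closer than 5 diameters).
"""
import math
from typing import Callable

LUMENS_PER_WATT_AT_555NM = 683.0  # 1 lm = 1/683 W (from the paper)
LUX_PER_FOOTCANDLE = 10.76        # 1 fc = 10.76 lx (from the paper)


def luminous_flux(intensity: Callable[[float], float], steps: int = 2000) -> float:
    """Total flux in lumens for an axially symmetric source.

    intensity(theta) returns candela at polar angle theta (radians, 0 = on
    axis).  With d(omega) = sin(theta) d(theta) d(phi) and no phi dependence,
    F = 2*pi * integral_0^pi I(theta) sin(theta) d(theta); midpoint rule here.
    """
    h = math.pi / steps
    total = 0.0
    for k in range(steps):
        theta = (k + 0.5) * h
        total += intensity(theta) * math.sin(theta) * h
    return 2.0 * math.pi * total


def isotropic(candela: float) -> Callable[[float], float]:
    """The ideal candle: the same intensity in every direction."""
    return lambda theta: candela


def lambertian(peak_candela: float) -> Callable[[float], float]:
    """Cosine-law emitter: I = I0 cos(theta) over the forward hemisphere, dark behind."""
    return lambda theta: peak_candela * math.cos(theta) if theta < math.pi / 2 else 0.0


def inverse_square_valid(distance_m: float, source_diameter_m: float) -> bool:
    """Paper's rule of thumb: point-source treatment needs distance >= 5 x diameter."""
    return distance_m > 0.0 and distance_m >= 5.0 * source_diameter_m


def illuminance(candela: float, distance_m: float, source_diameter_m: float = 0.0) -> float:
    """Lux at distance_m from a source of the given intensity: E = I / r**2."""
    if not inverse_square_valid(distance_m, source_diameter_m):
        raise ValueError("inverse-square law not applicable at this distance")
    return candela / distance_m ** 2


def scale_illuminance(e1_lux: float, r1_m: float, r2_m: float) -> float:
    """E2 = E1 (r1 / r2)**2: transfer a measured illuminance to another distance."""
    return e1_lux * (r1_m / r2_m) ** 2


def intensity_from_illuminance(lux: float, distance_m: float) -> float:
    """I = E r**2: recover source candela from a lux reading at a known distance."""
    return lux * distance_m ** 2


def lumens_to_watts(lumens: float) -> float:
    """Radiant power at 555 nm equivalent to the given luminous flux."""
    return lumens / LUMENS_PER_WATT_AT_555NM


def footcandles_to_lux(fc: float) -> float:
    return fc * LUX_PER_FOOTCANDLE


if __name__ == "__main__":
    print(f"isotropic 1 cd      -> {luminous_flux(isotropic(1.0)):.4f} lm (4*pi)")
    print(f"Lambertian 1 cd peak -> {luminous_flux(lambertian(1.0)):.4f} lm (pi)")
    print(f"1 cd at 2 m          -> {illuminance(1.0, 2.0):.3f} lx")
```

The isotropic case reproduces the paper’s 4π lumens; the Lambertian case gives π lumens from a 1 cd peak, which is why a lamp’s lumen rating cannot be read off its beam candela alone.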

Luminance from a Surface
Once light from a lamp has struck a surface, some part of the light is reflected. Only a polished reflector will reflect nearly all of the light. Dark matte surfaces reflect almost no light. Other surfaces are somewhere in between.

Thus an illuminated surface becomes a new source of light. It is an area source though, not a point source. The surface is called a Lambertian surface if it provides uniform diffusion, i.e. luminance that is the same in all directions. If the surface is an extended surface, meaning that it extends a great distance in all directions compared to the viewing distance from the surface, the luminance from the surface is again independent of distance from the surface.

Light from such a source is measured in candela per square meter (cd/m²), or foot-lamberts (fL) in the English system. One foot-lambert equals 10.76/π candela per square meter.

Just as the candela and the lumen are related, so are the candela/square meter and the lux. The first is a source specified in a way which is independent of distance, and the other is illuminance which may decrease with distance from the source.

Summary of Units
Summarizing the units of measurement to this point:

  • Intensity of the source is measured in candelas (cd)
  • Flux transmitted through space is measured in lumens (lm)
  • Light illuminating a surface is measured in lux (lx = lm/m²) or foot-candles
  • Light reflected from an area (luminance) is measured in cd/m² or foot-lamberts (fL).

Color and Luminous Efficiency
Throughout this discussion color has not been mentioned. A monochromatic light source was assumed. White light (a combination of a variety of light colors) is now introduced to complete the topic of light measurement.

Consider that the eye is more efficient for some colors, i.e. wavelengths or frequencies, than others. Because of this, it takes more energy to create a blue or red light that seems as bright to the eye as a green or yellow light. Likewise, the eye will perceive a blue light as less intense than a green light even when an instrument reports that the two are emitting the same amount of energy.

The V-lambda curve describes the CIE standard photometric observer, i.e. a human. It provides luminous efficiency vs. color. It is a bell-shaped curve with a maximum efficiency at 555 nm, which is a yellow-green light color. Thus, all of the units of measure for light are stated at 540 × 10¹² Hz, which is about 555 nm, a yellow-green light to which the eye is most sensitive. When dealing with other colors of light which contain many parts of the spectrum, such as “white” light, the instrument must weight each distinct color of light according to its efficiency on the V-lambda curve. This is usually done with a filter in front of the sensor. The filter makes the sensor respond similarly to the human eye. Throughout this discussion it has been assumed that we are either measuring light at 555 nm, or that we are measuring white light using an instrument provided with a V-lambda filter.

Photographic Light Meters, Exposure Value and Guide Number
As might be predicted from the discussion above, units for luminance and illuminance are regularly confused and interchanged. If it is desired to use a photographic light meter to measure light, this confusion will likely be encountered. Light meters report the luminance of a subject in lux or foot-candles (units of illuminance) when they should report in candela/square meter or foot-lamberts. The light meter is reporting the illumination which if reflected from a perfectly reflective surface would produce the same value in luminance.

In photography one “stop” or one Exposure Value (EV) is related to luminance measured in foot-lamberts. When using a photographic light meter that reports lux, divide by 10.76 to get foot-lamberts. When using a light meter that reports in foot-candles, use the value as if it were in foot-lamberts.

An understanding of EV is useful because it relates to the Guide Number which is a useful means of quantifying light from a strobe. EV is used to express the amount of exposure to light required by film. For this use, EV is:

EV = SV + BV

where SV (the film speed value) = log₂(0.32 S), S being the ISO (ASA) film speed, and BV (brightness value or luminance) = log₂(B), B being in foot-lamberts. BV = 0 at 1 foot-lambert.

EV is also used to express the amount of light that will be admitted to the film. For this use, EV is:

EV = AV + TV

where AV (aperture value) = log₂(N²) = 2 log₂(N), N being the aperture f-number, and TV (time value) = log₂(1/t), t being the shutter speed in seconds.

A proper exposure is obtained when the EV admitted equals the EV required to properly expose the film, i.e. SV + BV = AV + TV.

The light meter measures luminance which is the BV component of the EV. Therefore, each stop of light change reported by the light meter (one f-number) corresponds to one unit of log2(B) where B is in foot-lamberts. Since we are using base two logarithms, this means that each one stop increase represents a doubling of the luminance in cd/m2 or foot-lamberts.

The maximum power of a photographer’s strobe is reported as a Guide Number (GN) for the strobe. The GN is always specified for a particular film speed, and in either feet or meters. The GN is the product of the flash-to-subject distance and the aperture f-number.

GN = (aperture f-number) * (strobe-to-subject distance)

For example, a better than average photographic strobe has a GN of 66 in feet for ASA 100 film. A good camera may have an aperture as large as f-2.8. The greatest distance at which a subject can be adequately illuminated by this strobe is then 66/2.8 = 23.5 feet. Typical disposable cameras have weaker strobes and larger f-numbers (smaller aperture openings), yielding even shorter distances. This explains the great number of disappointing photographs taken from the bleachers and the back of the auditorium.

As can be seen, if the GN of a strobe is known the f-number can be calculated for a particular distance, and from that a luminance value can be calculated. The math is left as an exercise.
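The guide number and exposure value relations above, worked in code as an added example (not the paper’s own code). It implements GN = N·d and SV, BV, AV, TV exactly as defined in this section, checks the balance SV + BV = AV + TV, and solves that balance for the subject luminance a given camera setting implies. The shutter time in the usage example and the function names are my own choices; nothing here assumes a flash duration, so the luminance solved for is the one a continuous exposure at that setting requires.

```python
"""Guide number and exposure value arithmetic as defined in the paper (added example).

GN = f-number * distance; SV = log2(0.32 S); BV = log2(B) with B in foot-lamberts;
AV = 2 log2(N); TV = log2(1/t).  A proper exposure has SV + BV = AV + TV.
"""
import math

LUX_PER_FOOT_LAMBERT = 10.76  # paper: divide a lux meter reading by 10.76


def aperture_for_distance(guide_number: float, distance: float) -> float:
    """f-number needed at `distance` (same unit the GN was stated in)."""
    return guide_number / distance


def max_distance(guide_number: float, f_number: float) -> float:
    """Farthest subject the strobe lights adequately at the given aperture."""
    return guide_number / f_number


def speed_value(iso: float) -> float:
    return math.log2(0.32 * iso)


def brightness_value(foot_lamberts: float) -> float:
    return math.log2(foot_lamberts)


def aperture_value(f_number: float) -> float:
    return 2.0 * math.log2(f_number)


def time_value(shutter_s: float) -> float:
    return math.log2(1.0 / shutter_s)


def lux_to_foot_lamberts(lux: float) -> float:
    """Convert a light meter's lux figure to the foot-lamberts BV expects."""
    return lux / LUX_PER_FOOT_LAMBERT


def exposure_error(iso: float, foot_lamberts: float, f_number: float, shutter_s: float) -> float:
    """(SV + BV) - (AV + TV): zero for a proper exposure, +1 per stop of overexposure."""
    required = speed_value(iso) + brightness_value(foot_lamberts)
    admitted = aperture_value(f_number) + time_value(shutter_s)
    return required - admitted


def luminance_for_exposure(iso: float, f_number: float, shutter_s: float) -> float:
    """Foot-lamberts that make SV + BV = AV + TV for the given camera setting."""
    bv = aperture_value(f_number) + time_value(shutter_s) - speed_value(iso)
    return 2.0 ** bv


if __name__ == "__main__":
    print(f"GN 66 ft at f/2.8 reaches {max_distance(66, 2.8):.1f} ft")
    b = luminance_for_exposure(100, 2.8, 1 / 125)   # constructed setting
    print(f"ASA 100, f/2.8, 1/125 s balances at {b:.1f} fL "
          f"(error {exposure_error(100, b, 2.8, 1 / 125):+.2e} stops)")
```

Because every term is a base-2 logarithm, `exposure_error` reads directly in stops: a scene twice as bright as `luminance_for_exposure` returns gives +1, matching the paper’s statement that each stop doubles the luminance.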

Strobes: Energy in vs. Light Out
Light from a strobe is produced by dumping charge from a capacitor through a xenon flashtube. The intensity in candelas of the light from the flashtube is proportional to the energy supplied to the flashtube. The energy supplied is the initial energy in the capacitor less the energy that remains:

E = ½CV₁² – ½CV₂² = ½C(V₁² – V₂²)

Only a portion of the energy in the capacitor will be converted to radiant energy, perhaps half. Of that radiant energy, only about 30% is visible. Of that which is visible, much of it must be discounted due to its low luminous efficiency on the V-lambda curve. (The flash meter takes this into consideration.)

One watt of power, if converted into light with 100% efficiency would yield 683 lumens. Efficient mercury-vapor lamps may achieve 100 lumens per watt because their radiant energy output is concentrated near the 555 nm wavelength which is most efficient for the human eye. The practical limit for incandescent lamps is 40 lumens per watt. The luminous efficiency of a xenon-filled flashtube is in the range of 10 to 50 lumens per watt, less than 10% efficient.

A strobe is such a brief light source that it is most useful to express its output by summing all of the light coming in a single flash, essentially a report of the total number of photons emitted by the flash. This is accomplished by integrating (summing) the illuminance over the duration of the flash. The result is lux-seconds. Another useful value is candela-seconds, essentially a measure of the light energy released by a single flash. One watt equals one joule/second. A candela is 1/683 watts. Thus a candela-second represents 1/683 joule.

Consider an example. Suppose our flashtube emits an efficient 50 lumens total luminous flux per watt. This is 50/683 (about 7%) of the ideal. If this power is radiated uniformly in all directions it is from a 50/4π = 3.98 candela/watt source. Thus, we can say that this efficient strobe produces 50 lumen-seconds per joule from a source of about 4 candela-seconds per joule. This value can be multiplied by the actual duration of the flash (or better, integrate the area under the lumen v. time curve) to obtain joules output. Then, given the anticipated efficiency of the flashtube, this result may be compared to the joules input as a check.

Peak (initial) intensity and duration are the two aspects of a strobe flash that may be controlled. Typically the maximum intensity is achieved within a few microseconds of triggering. As the capacitor voltage drops, so does the light output. Watching the light output with a scope across a photo-detector, the strobe’s decay is seen to be exponential, but appears almost linear for much of the decay. The maximum light intensity produced and the shape of the light pulse will be affected by several factors including the inductance and resistance of the wire between the capacitor and the flashtube.

Strobes: Energy in vs. Guide Number
The relationship between the energy E delivered to the flash and the photographic guide number GN is given by:

GN = K√E

The guide number is proportional to the square root of the flash energy. K is a constant that varies widely depending on the design of the reflector and any losses which may occur due to light absorption.

Strobes Underwater
Air is so thin that for any reasonable distance light loss due to attenuation in air can be ignored. When light passes through water there are noticeable losses. Attenuation over a given distance can be calculated using the Beer-Lambert law,

I = I₀ e^(−εL)

where I is the final intensity, I₀ is the initial intensity, ε is the absorptivity or extinction coefficient, and L is the path length. It says that light intensity decays exponentially with distance in an absorbing medium. This decay is in addition to the angular dilution effect (inverse square law) which applies in all media. The extinction coefficient ε varies with wavelength. In water, the attenuation is much greater at the red end of the spectrum than at the blue end, so flash illumination only works over a very short range underwater.

In photographic terms, water’s effect is to reduce the effective guide number of a flash by a factor of 3. The water also acts as a filter with a density of about 0.12 red per meter of light path; which means that you lose a whole stop of red for every 2.5m, and since the light must travel from flash to subject, and then from subject to camera, you lose 1 stop of red when you are only 1.25m away from the subject.
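The Beer-Lambert law and the underwater rules of thumb above, as an added example (not the paper’s code). The 0.12 per meter figure is treated here as a base-10 optical density, which is the convention under which one stop equals a density of about 0.30 and the paper’s 2.5 m per stop and 1.25 m round-trip figures fall out; that interpretation is my assumption, as is the conversion to a natural-log extinction coefficient.

```python
"""Beer-Lambert attenuation and underwater flash rules of thumb (added example).

I = I0 * exp(-eps * L) is the paper's equation.  The red-loss helpers turn the
quoted density of 0.12 per metre (assumed to be a base-10 optical density)
into photographic stops over the flash-to-subject-to-camera path.
"""
import math

STOP_AS_DENSITY = math.log10(2.0)   # one stop halves the light: density ~0.30
RED_DENSITY_PER_M = 0.12            # from the paper


def attenuated_intensity(i0: float, epsilon_per_m: float, path_m: float) -> float:
    """Beer-Lambert: intensity remaining after path_m in a medium of extinction epsilon_per_m."""
    if path_m < 0.0 or epsilon_per_m < 0.0:
        raise ValueError("path length and extinction coefficient must be non-negative")
    return i0 * math.exp(-epsilon_per_m * path_m)


def extinction_from_density(density_per_m: float) -> float:
    """Natural-log extinction coefficient equivalent to a base-10 density per metre."""
    return density_per_m * math.log(10.0)


def metres_per_stop(density_per_m: float = RED_DENSITY_PER_M) -> float:
    """Path length over which one stop is lost at the given density per metre."""
    return STOP_AS_DENSITY / density_per_m


def red_stops_lost(subject_distance_m: float, density_per_m: float = RED_DENSITY_PER_M) -> float:
    """Stops of red lost from flash to subject and back to the camera (2 x distance)."""
    return 2.0 * subject_distance_m * density_per_m / STOP_AS_DENSITY


def underwater_guide_number(gn_in_air: float) -> float:
    """The paper's factor-of-3 reduction of the effective guide number."""
    return gn_in_air / 3.0


if __name__ == "__main__":
    print(f"one stop of red per {metres_per_stop():.2f} m of path")
    print(f"subject at 1.25 m: {red_stops_lost(1.25):.2f} stops of red lost")
    eps = extinction_from_density(RED_DENSITY_PER_M)
    print(f"red intensity after 2.5 m: {attenuated_intensity(1.0, eps, 2.5):.3f} of original")
```

The last line is the consistency check between the two forms: the exponential law with the density converted to an extinction coefficient halves the red light at 2.5 m, the same distance the stop arithmetic gives.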

Mean Spherical Candela vs. Beam Candela
Candela is a measure of light which is independent of the distance from the source of the light. It is therefore perhaps the best value to use in the specification of the light from a source. The light output from a real-world source varies according to the direction from the source. Candela measurements are therefore only meaningful if the direction from the source is given for the measurement. This fact is typically addressed in two ways. Light output is specified as either Mean Spherical Candela or Beam Candela.

Mean Spherical measurements are made in an integrating sphere. The light in all directions is collected and then divided by the 4π steradians in a sphere yielding lumens/steradian, which is candela. This then is an average value of candela for that fixture, over all directions.

Beam Candela samples only a very narrow angle of light from the source. Typically the manufacturer will measure light in the brightest direction from the fixture. The figure is often misleading because the direction is not specified, nor is the spread over which the value applies.

To fully and fairly characterize light from a fixture, polar plots of luminous intensity are required, one for each of two mutually perpendicular planes. In this way the candela output can be expressed in all directions.

Strobe Intensity Measurement Example
The intensity of a representative Birket strobe is measured with a Quantum Instruments Calcu-Flash II. The strobe and flash meter are positioned in a large dark area such that the center of the strobe’s flash-tube is 305 mm, or about 1 foot, from the incident light dome of the instrument. An increment of one in the instrument’s digital display (d) corresponds to 1/3 EV, and a reading of d corresponds to 0.78125 × 2^(d/3) lux-sec. A 5 corresponds to f-1.0 @ ASA 100 or 2.5 lux-sec.

First, an oscilloscope is also used to read the duration of the flash. Maximum intensity occurs within 100 μsec of trigger and the intensity decays to ten percent within 2 msec. From an energy perspective (area under the curve) the strobe can be considered to be at maximum intensity for 1 msec.

With the strobe vertical, readings of 15 are observed from all radial positions except for one area of about 20 degrees which reads 14. This is the area in which the anode wire partially blocks the view of the flash-tube.

With the end of the strobe pointing toward the instrument from the same distance, a reading of 8 is recorded. It is observed that the low of 8 is only present when the tube is pointed directly at the instrument. Tilting the tube to partially expose a side to the instrument gives an abrupt rise to a reading of 14 or 15.

A 15 corresponds to 25 lux-seconds. An 8 corresponds to 5 lux-seconds.

From most directions, the strobe emits 25 lux-seconds of radiant energy for 1 msec. Thus the strobe can be characterized as emitting 25,000 lux in most directions, at a distance of 305 mm. By the inverse-square law (I = E r²), this represents about 25000 × (0.305)² = 2326 candela. Considering the dark ends of the strobe, we will estimate that the average value over all directions is about 1200 candela. Totaling this over a sphere we have 1200 × 4π = ~15,000 cd. Multiplying this by 1/683 watts/candela, we get about 22 watts. As the flash lasts for only one millisecond, this would be about 22 millijoules.

Energy into the flash equals ½CV² = ½ (68 μF)(300 V)² = 3.1 joules. Efficiency of the flash is then about 0.022/3.1 = 0.7%, roughly what might be expected, considering the several assumptions made throughout this example.

Notice: Birket Engineering is not qualified to offer definitive advice or information on the subject of photosensitive epileptic seizures, or to evaluate certain lighting effects with regard to this concern. Even those knowledgeable regarding photosensitive epileptic seizures admit that the mechanism by which rhythmic light stimulation can cause a seizure is not well understood.

In the implementation of strobes, each public venue is unique as is each designer’s creative intent. Lighting designers must evaluate their requirements in light of the available information on epilepsy to ensure that the combination of factors at their venue does not pose a risk to the public. The information presented here offers a starting point for this discovery effort.

Epilepsy and Public Displays of Strobes in Quantity

By Glenn Birket, 2003

Designers implementing strobes in public settings must be aware of concerns regarding photosensitive epileptic seizures which may be triggered by certain strobe sequences. While it is quite unlikely that a lighting designer using Birket’s DMX Multi-Strobe Brik would create an effect that could induce a photosensitive epileptic seizure, it is strongly advised that designers become familiar with the lighting effects which are capable of causing seizures so as to most effectively avoid them. This paper is intended as a guide toward the needed familiarity.

Key Points

  • About one in 4000 individuals has photosensitive epilepsy. Repetitive flashing lights may induce seizures in these individuals. The flash frequency of concern is from 5 Hz to 70 Hz, with most individuals only susceptible in the range of 15 Hz to 20 Hz.
  • A flashing strobe (or a close combination of multiple strobes sequenced together) must not be programmed to flash in the 5 Hz to 70 Hz frequency range.
  • Slower flash rates, and randomly flashing lights are not known to be a cause of photosensitive epilepsy.
  • Point sources of light are much less likely to induce seizures than a diffuse source of light which covers a large part of a person’s field of vision.
  • To induce a seizure the light must be present in the center of the field of vision as opposed to the periphery.
  • Reducing brightness or increasing distance between a photosensitive viewer and the light source is effective for preventing photosensitive epileptic seizures.
  • Lights flashing in the distance, even in the frequency range of concern, are not known to cause seizures when in the presence of other lights of a more natural or chaotic nature.
  • The probability of inducing a seizure is greatly increased (by up to a factor of ten) if the light source is arranged in a regular pattern, such as a raster scan image. (This would be far more difficult to accomplish with the DMX Multi-Strobe Brik than with say, a television image.) Stated another way, avoid adding spatial contrast (pattern) to temporal contrast (flickering).

Each of these points is derived from reading Graham Harding’s “Photosensitivity: a vestigial echo? The first Grey Walter lecture.” in the International Journal of Psychophysiology, 1994, volume 16, pages 273-279.

Introduction

Individual strobes, or small groups of strobes have been used in entertainment venues for years. Photosensitive epilepsy has been known and studied for many years. Consequently, a considerable body of knowledge exists relative to strobes and photosensitive epilepsy. Standards exist regarding the use of strobes in signaling applications such as for fire alarms. For example, the NFPA and ADA codes seek to ensure that fire alarm strobes do not blink faster than twice per second so that a person between two adjacent strobes which happen to be synchronized and alternating will not experience a combined blink rate faster than four flashes per second (4 Hz).

A product such as Birket’s DMX Multi-Strobe Brik facilitates the creation of strobe light sequences using dozens or even hundreds or more of separate strobe fixtures for creative purposes in public settings. Examples are twinkle-effects on a building, trees, or across large areas of a theme park; chase light sequences on billboards, and special lighting effects within confined environments such as theaters and attractions. While the Birket DMX Multi-Strobe Brik does not permit programming a single strobe to flash faster than once per second, the time between successive strobe firings may be as fast as DMX channels update – about 30 Hz. Thus, for example, thirty strobes in one location could be made to create a continuous flicker as fast as 30 Hz. With effort, the DMX Multi-Strobe Brik could be made to operate in a way which, at close range, could induce a photosensitive epileptic to have a seizure.

Research and experience are quite limited with the strobe effects which may be generated with a controller such as Birket’s DMX Multi-Strobe Brik, i.e. numerous small strobes distributed over a field of view. There are no industry consensus standards from which to draw specific guidance regarding the responsible creative implementation of large quantities of strobes. Neither is there any evidence that these strobe effects have ever caused a single epileptic seizure. Still, it would seem that there is a risk, so each designer must consider what is known about photosensitive epilepsy when creating strobe lighting effects.

It should be noted that it is not the “strobe” that is the problem. Any light flashing at the noted frequencies may be a problem. In fact, flashing television images are the best known source of concern.

Much more may be learned by reading the journal papers listed at the end of this paper. If only one such reference is to be read, we suggest the paper in the International Journal of Psychophysiology by Graham Harding titled “Photosensitivity: a vestigial echo? The first Grey Walter lecture.”

What is Epilepsy?

Epilepsy is a neurological disorder characterized by recurrent episodes (ranging from several times a day to once in several years) of convulsive seizures, impaired consciousness, abnormal behavior, and other disturbances produced by uncontrolled electrical discharges from nerve cells in the brain. Trauma to the head, brain tumor, chemical imbalances, and other factors may be associated with epilepsy, but in most cases the cause is unknown. [i]

About 4.7 people in 1000 will have two or more seizures in their lifetime.[ii] Seizures are considered to be either “grand mal” or “petit mal”, meaning very bad, or a little bad. During a grand mal seizure, a person will begin by stiffening up, and perhaps “yelp” as the lungs are squeezed by the stiffening chest muscles. The person loses consciousness, and then starts to shake all over for about one to three minutes. The person “comes to” being confused and often combative, regaining normal awareness within an hour. Two or more grand mal seizures without regaining normal awareness is a serious medical emergency requiring immediate hospitalization. With a petit mal seizure a person just seems to “fade out”. If speaking, they may start dropping words, then stop speaking completely. There may be eye blinking, lip smacking, chewing movements, or head turning. This may last up to three minutes followed by mild confusion and a return to normal within minutes. In either case, the person is not aware of what happened during the seizure.[iii] Single seizures that impair consciousness are almost never fatal, although fatalities from epilepsy are possible.[iv]

Many things can trigger seizures, the most common being lack of sleep, lack of food, alcohol or other drugs, and failure to take anti-seizure medication. In fact, anything can trigger seizures including certain smells, memories, a sunrise, or a particular voice. When a specific event triggers a seizure, this is called “reflex epilepsy”. One type of reflex epilepsy is photosensitive epilepsy in which certain light events trigger a seizure.

What is known about photosensitive seizures?

Photosensitive seizures are those triggered by either flashing or flickering lights, or rapidly changing geometric shapes or patterns. Many people with epilepsy are unaware that they are sensitive to certain kinds of lights or flickering patterns until they have a seizure.

Less than 5% of those who suffer from epilepsy are photosensitive. This means that approximately one in 4,000 individuals suffer from this – less than 100,000 in the U.S. population. The characteristics of each individual’s susceptibility are unique. A certain photosensitive individual may not be susceptible to a given light display at all. Still it is clear that every public display of lights can expect to regularly entertain photosensitive epileptics – thus a high degree of diligence is due the effort to eliminate displays which may trigger seizures.

Seizures in photosensitive individuals may be triggered by events such as:

  • flickering or rolling television images
  • certain video games
  • computer monitors
  • alternating patterns of different color

It is well documented that the range of 15 to 20 Hz is of greatest concern, however some individuals are susceptible to flashing lights as slow as 5 Hz and some as high as 84 Hz.

What can be done to reduce or eliminate the concern?

Do not program strobes to flash at continuous rates between 5 and 70 Hertz, particularly when the strobe light is in close proximity to observers. Increasing distance between the viewer and the strobe light and decreasing light intensity are both effective for eliminating the risk of photosensitive epileptic seizures. Less clear is “how far” and “how bright is too bright”. Little research has been done to determine the extent to which reducing brightness or increasing distance eliminates the possibility of inducing seizures. However, there is clear evidence that both of these are valid techniques for preventing photosensitive epileptic seizures. Indications are that the flashing light must be present in a substantial part of a susceptible individual’s field of vision to induce a seizure. To learn about distance and brightness relative to photosensitive epilepsy, read the documents suggested at the end of this paper. You will find that the existing research approaches the issue from the opposite perspective – that of ensuring adequate intensity to detect an impending seizure in a clinical setting.

Relevant experiences

  • Informal inquiries of major theme park operators with extensive experience using strobes have not indicated any incidences of seizures resulting from strobes in public settings.
  • Large commercially available and widely used strobes exist for theatrical and night-club applications. Some are easily programmed to operate up to 15 Hz (and reportedly faster). While at a recent entertainment trade show I asked to see one such strobe operate. The vice-president of the strobe manufacturer directed the strobe at my face at a range of about two feet and turned it to maximum intensity at 15 Hz. Surprised, I asked if this wasn’t capable of causing a seizure in a small segment of the population. He replied that the concern is only for rates above 15 Hz. He went on to explain that his competitor’s strobes operate up to 30 Hz but to address this concern his only operate up to 15 Hz. Based upon what I’ve read, he is wrong! A meaningful percentage of the public would react negatively to the intense close-range 15 Hz demonstration he gave me. I include this story only as an indication that the concern must not be large or this man and his company, who have both been in the strobe business for over a decade, would know and would have reacted to the negative consequences upon their business.

Standards addressing photosensitive epilepsy

Historically, strobes have been implemented in smaller quantities than is possible with the Birket DMX Multi-Strobe Brik. Only two standards address strobes as related to epilepsy. The Americans With Disabilities Act Accessibility Guidelines (ADAAG) and NFPA 72[v] address the concern for photosensitive epilepsy with respect to the use of strobes for signaling purposes such as fire alarms. A recent revision to NFPA 72 lowered the requirement from “below 3 Hz” to “below 2 Hz” due to a concern for adjacent strobes synchronizing to create an apparent flash rate double that of one strobe. Their goal was to ensure that a composite rate does not reach 5 Hz.

Suggested Reading

  • Binnie, C. D., Darby, C. E., De Korte, R. A., Veldhuizen, R., & Wilkins, A.J. (1980). EEG Sensitivity to Television: Effects of Ambient Lighting. Electroencephalography and Clinical Neurophysiology, 50, 329-331.
  • Binnie, C. D., Estevez, O., Kasteleijn-Nolst Trenite, D. G. A., & Peters, A. (1984). Colour and Photosensitive Epilepsy, Electroencephalography and Clinical Neurophysiology, 58, 387-391.
  • Harding, G. (1994). Photosensitivity: a vestigial echo? The first Grey Walter Lecture. International Journal of Psychophysiology, 16, 273-279.
  • Leijten, F. S., Dekker, E., Spekreijse, H., Kasteleijn-Nolst Trenite, D. G., & Van Emde Boas, W. (1998). Light Diffusion in Photosensitive Epilepsy. Electroencephalography and Clinical Neurophysiology, 106, 387-391.
  • Plaster, G. A., Lodge, K. J., & Mulvaney, D. E. (1979). Effect of Distance of Photostimulation on a Photosensitive Epileptic Subject, Psychological Reports, 45, 271-274.
  • Takahashi, T. (1989). Techniques of Intermittent Photic Stimulation and Paroxysmal Responses. American Journal of EEG Technology, 29, 205-218.
  • Wilkins, A. J., Darby, C. E., Binnie, C. D., Stefansson, S. B., Jeavons, P. M., & Harding, G. F. A. (1979). Television Epilepsy – The Role of Pattern. Electroencephalography and Clinical Neurophysiology, 47, 163-171.

Footnotes

  • [i] Rothenberg, M. A., & Chapman, C.F. (1989). Dictionary of Medical Terms for the Non-medical Person, 2nd Ed. New York: Barrons.
  • [ii] Centers for Disease Control (1994). Current Trends Prevalence of Self-Reported Epilepsy – United States, 1986-1990, CDC MMWR Weekly
  • [iii] Shinder, T. W. (1998). Flashing Light Hazard: Strobe-Induced Seizures, 1998
  • [iv] Epilepsy Association, http://www.epilepsy.com, September 24, 2002
  • [v] National Fire Protection Association, NFPA 72 – National Fire Alarm Code. Boston: NFPA, 1999

Design

BIRKET Engineering News, May/June 1995

Page one of the Control Engineer’s Handbook might say, “In order to maximize personnel safety, minimize personnel contact with moving equipment or related controlled functions.” In other words, keep people away from things that might hurt them. In the entertainment world, this kind of thrilling man/machine or man/special effect interaction is encouraged, equating to popular attractions and money in the bank for park owners.

The designer of a ride or show control system that involves fire effects must make guest and cast safety his primary design criterion. Fire control system designers are concerned with the occurrence or presence of explosive mixtures, the potential of fire/people interaction, and the show area’s air quality. The concern for air quality introduces the need for environmental monitoring.

The objective of environmental monitoring is to safeguard the air quality offered to attraction guests or personnel and to provide early alarming of unacceptable conditions. While the specification of gas system and environmental monitoring components and their locations are left to the gas specialists, the controls designer is responsible for how they are implemented within the overall show control system.

Typical gas system items of interest to the controls designer are gas sniffers, oxygen deficiency sensors, carbon monoxide excess sensors, air flow sensors, and temperature sensors. Each of these sensors performs a specific function and therefore not all sensors are required in a particular installation.

The most universally used sensors are gas sniffer sensors. Gas sniffer sensors are used to detect a percentage of the lower explosive limit (LEL) concentration. These sensors provide warning and alarm signals to the fire system controller in the event of a gas leak that produces concentrations great enough to permit ignition. Remembering that natural gas rises and propane sinks, sensor placement is all important.

Oxygen deficiency and carbon monoxide sensors are installed in enclosed places where operators or guests may spend long periods of time. In the event of unacceptable air quality, the sensor will transmit warning and alarm signals to the fire system controller. For example, too much oxygen in the air may indicate a leak in an oxygen feed line, while an oxygen deficiency may indicate excessive fire. Too much fire may consume the oxygen available for breathing.

Temperature sensors are sometimes required to monitor ambient temperature. As an effect is operated, the surrounding temperature may reach levels that are unacceptable for a human. The temperature sensor transmits to the show controller the entire range of temperatures. Setpoints are chosen for warning and alarm signals. Upon reaching an unacceptable temperature, the heat source is shut down and cooling fans are turned on. In addition to ambient air and surface temperature sensors, radiant heat sensors may be necessary. They detect radiated heat (like light) as opposed to conducted or convected (moved via air) heat.

Air handlers are required in shows that have enclosed show space areas. Air handlers are responsible for getting fresh air in and the products of combustion (sulfur, smoke) out. The volume of air moved by these systems is dependent on the size of the show area. These systems may be controlled directly by the show control system or they may be part of the building facility. In either case, this environmental monitoring element must have the capability of transmitting a “flow OK” signal to the fire system processor. Many shows require constant ventilation.

Finally, it is not enough to just monitor all of these devices and stop the show when an overlimit condition is detected. What if a sensor fails in a state that indicates that conditions are safe? If the sensing system is important, then it is important to know that sensing system is working correctly. Sensors must be routinely validated. For example, if a certain temperature shows an increase of 30 degrees at the midpoint of every show, then if this normal behavior is not observed, the sensor is marked as bad. The error is reported and the next show is disabled until the problem is addressed. Another approach is to periodically create an artificial overlimit condition while observing the resultant emergency stop. The system can be designed to disable the show if this test is not performed on schedule. Sensor validation is a critical aspect of fail-safe design.
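The two validation techniques just described, the plausibility check on a sensor's normal mid-show behavior and the scheduled artificial over-limit test, as an added example in code. This is not Birket's own controller logic; the 30 degree rise is the article's figure, while the tolerance, the proof-test interval, the sensor names and the show records are constructed for illustration.

```python
"""Sensor validation for a fire-effect show controller.

Added example; not Birket's own code. It models the two checks the
article describes for a temperature sensor: a plausibility check that the
usual mid-show rise (the article's 30 degree example) is actually seen, and
a scheduled proof test in which an artificial over-limit must be observed
to trip the E-stop. Either failure disables the next show until a repair
is acknowledged. Tolerance, proof-test interval, and the show records are
constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class ShowRecord:
    show_id: int
    temp_start_f: float     # ambient reading at show start
    temp_midpoint_f: float  # ambient reading at the effect's midpoint


@dataclass
class SensorValidator:
    expected_rise_f: float = 30.0   # normal mid-show rise (article's example)
    tolerance_f: float = 10.0       # constructed: a shortfall beyond this marks the sensor bad
    proof_interval_shows: int = 10  # constructed: shows allowed between proof tests
    shows_since_proof: int = 0
    show_enabled: bool = True
    faults: list = field(default_factory=list)

    def validate_show(self, rec: ShowRecord) -> bool:
        """Plausibility check after each show; returns whether the next show may run."""
        rise = rec.temp_midpoint_f - rec.temp_start_f
        if rise < self.expected_rise_f - self.tolerance_f:
            # A sensor stuck at a 'safe-looking' value shows no rise: mark it bad.
            self.faults.append(
                f"show {rec.show_id}: mid-show rise {rise:.1f} F, expected about "
                f"{self.expected_rise_f:.0f} F; sensor marked bad")
            self.show_enabled = False
        self.shows_since_proof += 1
        if self.shows_since_proof > self.proof_interval_shows:
            self.faults.append(f"show {rec.show_id}: proof test overdue; show disabled")
            self.show_enabled = False
        return self.show_enabled

    def proof_test(self, estop_observed: bool) -> bool:
        """Artificial over-limit injected by maintenance; the E-stop must follow."""
        if estop_observed:
            self.shows_since_proof = 0
            return True
        self.faults.append("proof test: over-limit did not produce an E-stop; show disabled")
        self.show_enabled = False
        return False

    def acknowledge_repair(self) -> None:
        """Re-enable only after the reported problem has been addressed."""
        self.faults.clear()
        self.show_enabled = True


def run_demo() -> list:
    """Constructed sequence: a normal show, then a sensor that reads flat."""
    v = SensorValidator()
    v.validate_show(ShowRecord(1, 72.0, 103.0))   # normal: +31 F
    v.validate_show(ShowRecord(2, 72.0, 73.5))    # flat: sensor or effect failed
    return list(v.faults)


if __name__ == "__main__":
    for fault in run_demo():
        print(fault)
```

The point of the design is that a sensor failing toward "safe" cannot silently keep the show running: the controller only trusts a sensor that keeps behaving the way a live sensor does, and the proof-test counter turns an unperformed maintenance step into a disabled show rather than an unnoticed gap.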

Contributing to this article are Sr. Systems Analyst Dan Birket and Director of Projects Marcial Godoy, whose résumés of fire and effect control systems include Buccaneer Bay for Treasure Island at the Mirage, EFX for the MGM Grand Hotel Casino and Theme Park, Escape from Pompeii for Busch Gardens Williamsburg, the Viking Adventure Stunt Show for Wakayama Marina City in Japan, the Wild Wild Wild West Stunt Show for Universal Studios Florida, and Backdraft and the upcoming Waterworld Stunt Show for Universal Studios Hollywood.

Birket Engineering News, Sept/Oct 1994 (U)

Regardless of how simple or complex a control system is, it is fully dependent on a good E-Stop logic circuit for its safety. An E-Stop chain can be as simple as having only one component in the chain or multiple components of different types such as switches, relay contacts, limit switches, etc. Regardless of how complex the E-Stop chain is, it takes a special procedure to reset all the components in the chain and consequently power up the E-Stop bus. This article will describe in some detail some of the most common techniques used to reset the E-Stop bus in a safe and dependable manner.

Figure 1 shows some of the most common devices to be part of an E-Stop logic circuit. I will briefly describe the objective of each device and how to recover once it is tripped.

  • E-Stop Switch: It is understood that this type of switch is provided in a system as an operator interface to intervene when a condition requires that the system be stopped. The resetting procedure for a manual switch is simple and it is mostly up to the operator to ensure that, in the first place, the problem that caused the E-Stop has been corrected and that the area around the machine is clear. The switch is reset by pulling the operator. In a processor based system this switch must also have a secondary contact monitored as an input.
  • Over Travel Limit Switch (O.T.): This type of switch goes untested for very long periods of time since the objective of the system is to never reach an over travel condition anyway. When an O.T. switch is tripped, a special procedure is required to reset the E-Stop bus since this contact is not closed until the system is returned to its normal state. A common way to recover from an O.T. condition is to install a momentary push button in parallel with the O.T. switch as shown in figure 1. This switch is then used in conjunction with the reset switch to energize the E-Stop bus. If the system is processor based an input from the bypass switch may have to be connected to allow a software bypass as well as a hardware bypass. It goes without saying that a resetting of an O.T. switch must not be attempted without first correcting or at least investigating the condition that caused the system to reach this state.
  • Phase Rotation and Phase Loss Monitor: Systems that operate machinery running on three phase power may have phase rotation or phase loss detection circuits. Although this wiring will not be altered on a regular basis after installation, it is important to keep it well monitored to avoid damage to the equipment or simply equipment malfunction. What these devices do is that they ensure that during installation and test and adjust, or after equipment replacement the E-Stop bus cannot be powered until all three phase circuits have been properly wired. Phase loss detection is included here but depending on the type of equipment, it may only be required to start a soft shut down of the affected machine and not the entire system. In this case the monitor would simply be an input to the processor. Causes of loss of a phase could be a blown fuse, tripped circuit breaker or even a burned wire due to overheating. All these conditions must be corrected before attempting to re-power the system. These devices do not need a resetting procedure since they reset when the offending cause is corrected.
  • Processor Watch Dog Timer (W.D.T.): In some applications where a processor is used, it may be required to use a W.D.T. relay in order to detect processor malfunction. This device must receive a constant pulse of at least 1 Hz frequency from a processor output bit. While the signal is being received as an input the device will keep its dry contact closed. This device must be such that if the input signal were to latch in a high state or a low state it would trip and open the dry contact. Resetting of this device takes place automatically as soon as the processor outputs are re-started. This implies that what ever condition caused the processor to malfunction must be corrected before re-starting the system.
  • Pressure, Temperature, Level and other sensors: These are typical sensors used in hydraulic applications. In most cases these will be over-range monitors and therefore they will not be tripped during normal operation. It may be convenient in some cases to provide for means to periodically test these devices to ensure that they are operating properly and most importantly that they have not been jumpered. In the case that they are tripped because of system error an E-Stop will be invoked and the system will stop. The system must be such that when stopped it will allow these sensors to be restored to their normal operating range.
  • System Reset: There are two ways of resetting the E-Stop bus once all field E-Stop conditions have been cleared. The most typical, used in systems with no processor control, is strictly hardware oriented and consists of connecting a Reset switch across the latching contact of the E-Stop relay. This technique is acceptable for small systems that do not have many E-Stop causing conditions, but it must not be used in large systems where the processor monitors critical conditions that because of their nature do not belong in the E-Stop bus. If some of these conditions were not satisfactory to the processor but the processor does not have a vote in the E-Stop chain, the E-Stop bus could be reset by simply pressing the reset switch. What makes this technique inappropriate for large systems is that a device can be jumpered undetected and by simply pressing the reset switch the E-Stop bus can be activated indefinitely even if the E-Stop relay doesn’t latch.

    The second technique is based on the processor having the final vote in the E-Stop chain. In this logic the E-Stop bus is never energized even by pressing the reset switch. The reset switch becomes an input to the processor instead of a hardware device across the E-Stop chain. Only when the processor has tested that all E-Stop conditions are valid and the reset switch is pressed will it close the contact that latches the E-Stop chain. During running mode it takes opening any of the contacts across the E-Stop chain or triggering any of the critical inputs to the processor to open the processor vote and turn off the E-Stop bus.
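The two reset techniques described under System Reset, modelled side by side as an added example (not code from the newsletter). Each chain device carries a hardware contact plus the secondary contact the article says a processor-based system must monitor as an input; the "jumpered" flag and the over-travel scenario are constructed to show why the hardware-only reset is not acceptable where the processor monitors critical conditions.

```python
"""E-stop bus reset: hardware latch versus processor vote.

Added illustration of the two reset techniques the article describes; it
is not code from the Birket newsletter. Each chain device has a hardware
contact in the E-stop chain and, as the article recommends for
processor-based systems, a secondary contact monitored as a processor
input. The 'jumpered' flag models a bypassed contact, a constructed fault
used to show why the hardware-only reset is not acceptable for systems
where the processor monitors critical conditions.
"""
from dataclasses import dataclass


@dataclass
class ChainDevice:
    name: str
    closed: bool = True            # real state of the device's contact
    jumpered: bool = False         # constructed fault: contact bypassed with a wire
    monitored_input: bool = True   # secondary contact read by the processor

    def chain_contact(self) -> bool:
        """What the hardware chain sees: a jumper always reads closed."""
        return True if self.jumpered else self.closed


class HardwareResetBus:
    """Reset switch wired across the E-stop relay's latching contact."""

    def __init__(self, devices):
        self.devices = devices
        self.energized = False

    def chain_closed(self) -> bool:
        return all(d.chain_contact() for d in self.devices)

    def press_reset(self) -> bool:
        # Pressing reset bridges the latch; the relay pulls in if the chain is closed.
        self.energized = self.chain_closed()
        return self.energized

    def scan(self) -> bool:
        if not self.chain_closed():
            self.energized = False
        return self.energized


class ProcessorVoteBus:
    """Reset switch is a processor input; the processor's contact is the last
    element in the chain, so nothing energizes the bus without its vote."""

    def __init__(self, devices, critical_inputs=None):
        self.devices = devices
        # constructed: conditions the processor monitors that are not in the chain
        self.critical_inputs = dict(critical_inputs or {})
        self.vote = False
        self.energized = False

    def conditions_valid(self) -> bool:
        chain = all(d.chain_contact() for d in self.devices)
        inputs = all(d.monitored_input for d in self.devices)
        critical = all(self.critical_inputs.values())
        return chain and inputs and critical

    def press_reset(self) -> bool:
        # The processor closes its contact only after every condition tests valid.
        self.vote = self.conditions_valid()
        self.energized = self.vote
        return self.energized

    def scan(self) -> bool:
        if not self.conditions_valid():
            self.vote = False
            self.energized = False
        return self.energized


def jumpered_limit_switch_scenario() -> tuple:
    """Constructed: an over-travel limit switch is tripped but jumpered out."""
    devices = [
        ChainDevice("E-stop pushbutton"),
        ChainDevice("over-travel limit", closed=False, jumpered=True,
                    monitored_input=False),
    ]
    return (HardwareResetBus(devices).press_reset(),
            ProcessorVoteBus(devices).press_reset())


if __name__ == "__main__":
    hw, proc = jumpered_limit_switch_scenario()
    print(f"hardware-only reset energizes bus: {hw}")    # True: fault undetected
    print(f"processor-vote reset energizes bus: {proc}")  # False: input disagrees
```

With the limit switch jumpered, the hardware chain reads closed and the reset switch energizes the bus; the processor sees the monitored input still open, refuses its vote, and the bus stays dead until the real condition is cleared. The same logic covers the article's other case, a critical condition that is only a processor input and not part of the chain at all.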

BIRKET Engineering News, Sept/Aug 1994

In a control system, analog variables such as speed, pressure, temperature, and position are often communicated by a varying voltage or current. In the industrial automation world, the 4-20 mA current loop is the standard. We note that those who specify entertainment control systems favor 0-10 volt DC signals without, it seems, due consideration of the merits of the 4-20 mA standard. There are several good reasons why current mode signals should be considered.

Although errors can be introduced into any signal, voltage mode signals are susceptible to more than their share of problems. These include the impedance of the voltage source and other supply fluctuations, wire and connection resistance, the integrity of wire insulation, electrostatic and electromagnetic noise, and ground potential differences. Care must be taken not to load a voltage signal as new devices are added. The only real advantage of voltage mode signals is that they interface directly with D/A and A/D converters and analog multiplexing devices.

Current mode signals have comparative strengths in most of the areas where voltage mode signals have weaknesses. They are immune to loop resistance found in long wire runs and faulty connections. Additional devices generally can be added to the loop without concern for the signal, supply permitting. Current mode signals are relatively immune to noise, the only exception being electromagnetically induced noise which can be substantially eliminated through the proper use of shielded twisted pairs. Intrinsically safe system practices (as described in NEC Article 504-2) are inherently compatible with 4-20 mA signals; something which is becoming more of a concern with the growing interest in gas effects. Shorts and opens in the circuit are readily revealed for use with automated diagnostics. Finally, 4-20 mA current loop transmission is a more widely accepted industry standard. Any perceived incompatibility with D/A, A/D and multiplexing devices is no longer an issue if the designer uses the widely accepted input and output cards from major manufacturers such as Allen-Bradley.

We believe that the 4-20 mA standard should be given more consideration in applications where voltage mode signals are commonplace, especially if the voltage signal is used only because “it has always been done that way.”
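Two of the points above, that shorts and opens in a current loop are readily revealed and that a voltage signal silently absorbs wire resistance and ground potential differences, as an added example. This is not Birket's code; the 3.6 and 21 mA fault thresholds follow the NAMUR NE43 convention, which the article does not mention and is used here as an assumption, and the wire resistance and ground offset figures are constructed.

```python
"""Scaling a 4-20 mA loop with open/short detection, beside a 0-10 V signal
carrying the same value across a long run.

Added example; not Birket's code. The live zero of the 4-20 mA standard is
what makes faults visible: a healthy loop never reads below 4 mA, so a
reading near 0 mA is an open and one above 20 mA is a short or a failed
transmitter. The fault thresholds used (3.6 and 21 mA) follow the NAMUR
NE43 convention, an assumption not stated in the article. The wire
resistance and ground-offset figures are constructed.
"""
from typing import Optional, Tuple


def loop_to_value(i_ma: float, lo: float, hi: float) -> Tuple[Optional[float], str]:
    """Map 4-20 mA onto the engineering range [lo, hi]; flag faults."""
    if i_ma < 3.6:
        return None, "fault: open circuit or dead transmitter"
    if i_ma > 21.0:
        return None, "fault: short or transmitter failure"
    value = lo + (i_ma - 4.0) / 16.0 * (hi - lo)
    status = "ok" if 3.8 <= i_ma <= 20.5 else "saturated"
    return value, status


def voltage_received(v_source: float, wire_ohms: float, input_ohms: float,
                     ground_offset_v: float = 0.0) -> float:
    """0-10 V signal: the receiver sees a divider against wire resistance,
    plus any ground potential difference, and cannot tell either from signal."""
    return v_source * input_ohms / (input_ohms + wire_ohms) + ground_offset_v


def voltage_to_value(v: float, lo: float, hi: float) -> float:
    """Map 0-10 V onto [lo, hi]; there is no live zero, so 0 V is a valid reading."""
    return lo + v / 10.0 * (hi - lo)


def compare(true_psi: float = 50.0, wire_ohms: float = 50.0,
            input_ohms: float = 10_000.0, ground_offset_v: float = 0.5) -> dict:
    """Constructed pressure reading, 0-100 psi span, sent both ways."""
    i_ma = 4.0 + true_psi / 100.0 * 16.0
    loop_psi, status = loop_to_value(i_ma, 0.0, 100.0)
    v = voltage_received(true_psi / 100.0 * 10.0, wire_ohms, input_ohms, ground_offset_v)
    return {"loop_psi": loop_psi, "loop_status": status,
            "voltage_psi": voltage_to_value(v, 0.0, 100.0)}


if __name__ == "__main__":
    print(compare())
    print(loop_to_value(0.0, 0.0, 100.0))   # an open wire is reported, not read as 0 psi
```

The half-volt ground offset shifts the voltage-mode reading by nearly 5 psi with nothing in the signal to say so, whereas the current loop delivers the exact value and turns an open wire into a reported fault rather than a plausible reading of zero.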

BIRKET Engineering News, Jan/Feb 1994

Designing and assembling control panels is one of the engineering services provided by BIRKET Engineering. It is important that panels be built to recognized standards of quality and safety. ETL tests assembled equipment, such as control panels, for compliance to these accepted standards.

For the purposes of ETL, a control panel is a general term for what may be a computer cabinet, operator console, junction box, distribution box, sensor enclosure, or other miscellaneous enclosure that contains components necessary for a control system. Electrical enclosures housing controls components are specially designed to protect their contents from elements that might affect their performance unfavorably while providing ready access to these components. These unwanted elements include heat, moisture, dust and dirt, chemical or organic matter, or other things that might accelerate the maintenance requirements of the system.

A control system is, in the broadest sense, any interconnection of components to provide a desired function. The portion of the system to be controlled is called the process. It is affected by applied signals, called inputs, and produces signals of interest, called outputs. In the example of the control system for a roller coaster, the process is the vehicle speeding around the track and guests having fun. The inputs are sensors telling the computer where the vehicle is on the track, or the ride operator dispatching the vehicle from the station. The outputs are lift motor controllers and brakes along the track slowing the vehicles down.

There are several types of control panels or other electrical enclosures. The computer cabinet or rack is the enclosure that houses the computer or other processing unit. It is central to the control system. It receives inputs (sensors, switches, or other monitors), processes them, and initiates outputs (indicator lights, messages, solenoids, valves, motor drives, or other equipment action). Usually one of the larger enclosures, it often also houses the system power supply, whatever signal conditioning and communications equipment is required, and emergency stop hardware. The computer cabinet may be located a great distance away from the inputs it is receiving and the outputs it is controlling.

A person may be required to provide inputs to the system (though many systems do not). This person or operator may determine system parameters such as speed, quantity produced, or dispatch rate. The operator inputs this information into the system through switches and buttons at another type of control panel: the operator console. The operator console may also provide outputs from the system to the operator in the form of lights, buzzers, or alphanumeric message indicators to prompt action on the part of the operator.

Signals from inputs to the processor and from the processor to outputs are typically transmitted over electrical wires. Often two or more wires are dedicated for use by a single input or output. In a control system of any size, this means there are often thousands of wires of every description headed in every direction. Wires coming from the computer cabinet are connected to wires coming from remote input and output locations at another type of control panel: the junction box. A junction box is an enclosure that provides a ready means of protecting, terminating, reassigning, and labeling electrical wires and cables. If a cable enters an enclosure and the wires leave the enclosure and go to many different places, then the enclosure may be called a distribution box or breakout box.

A sensor enclosure houses a sensor. Limit switches, motion detectors, and proximity switches are common types of sensors. When a sensor must be placed in a hazardous or environmentally unfriendly area, the sensor is often protected by having its own enclosure.

Other examples of control panels or boxes include monitor cabinets, remote emergency stop button enclosures, and motor control centers, to name a few.

Some control system integrators providing design services similar to ours do not maintain in-plant assembly capability. We do because it allows a close working relationship between engineers and the production staff. In this way we can best accommodate short schedules and our customers’ inevitable last minute changes.

BIRKET Engineering News, July/Aug 1993

Computers are useless without I/O (inputs and outputs). In an office, we could not function without the keyboard and the mouse as inputs, and the CRT and the printer as outputs. In our business of automation and process control, the computer receives inputs from sensors that indicate the status of the system. The computer’s outputs control the process. The large number of variables that a computer can be asked to sense and control give rise to an enormous variety in the configurations of inputs and outputs. The meanings of some common terms used to describe inputs and outputs are given below.

Both inputs and outputs can be analog or digital in nature. Digital indicates that the signal can take on only certain discrete states. Often only two states are possible: on and off. A common example of a digital signal is a line which has only the states of zero volts and five volts, or perhaps zero volts and 24 volts. Sometimes a phase shift is used to indicate an “on” state. These approaches lend themselves to the representation of numbers using the binary (base 2) counting system.

Analog data can take on a continuous range of values. A true analog signal can be any possible value between the defined extremes such as zero and ten volts, or four milliamps and twenty milliamps. An opportunity for confusion arises when analog signals are created by digital means. In such a case, the so-called analog signal is actually only able to take on a certain number of discrete states between the limits. For example, if a twelve bit digital-to-analog converter is used to create a representation of a zero to ten volt analog signal, the resulting analog signal will always occupy one of 4,096 possible values, each separated from the other by 2.44 millivolts. The information content of an analog signal is often more difficult to extract because the information is conveyed by obscure means (compared to digital signals) such as the value or magnitude of some characteristic of the waveform such as the amplitude, phase, or frequency.

Serial and parallel are terms which are generally used when referring to the communication of digital data. A serial or parallel input or output usually requires both an electrical and a protocol specification. A few standards such as MIDI specify both the electrical characteristics and the protocol. Serial communications are generally achieved with a single line or pair of lines for communication in each direction. The information is contained in the time sequencing of the signal. RS232, 422, and 485 are electrical definitions for serial communication. Protocols vary widely and are generally defined in the software as agreed upon by the developers of the two communicating devices. Many standard and proprietary protocols exist. Some elements of the protocol may be implemented with additional electrical lines between the computers such as the RTS, CTS, DCD, DSR, and DTR lines on a modem using RS232 communication.

Parallel communication uses a greater number of wires and associated electronic hardware. This generally offers faster communications. Communication of 8, 16, or 32 bit digital data requires one line per bit plus a strobe and other control signals which are all referenced to a single common potential. Each digital value that is to be communicated is represented on the lines as a binary number, after which its presence is indicated by manipulation of the strobe or other lines.

Without regard to a signal’s other characteristics, a signal may be sourcing or sinking. We generally imagine that a computer will apply a voltage to its output to indicate an “on” condition. It is just as valid and almost as common for a computer to have a sinking output which merely provides a return path for a voltage or current coming “from” the input device. It is difficult to read the state of a sinking output with a meter or scope unless it is connected to its destination.

Another important characteristic of inputs and outputs especially when they are distant or separately powered is isolation. When there are concerns about ground loops, or the sending and receiving systems are not referenced to a common potential, it is necessary to provide isolation at either the sending or receiving end. Isolation may be accomplished in several ways; common options are relays and opto-isolators. The terms contact closure and dry contact are often included in specifications to enforce isolation. Both refer to the use of a relay.

Thousands of possible configurations exist for I/O implementations, each a unique variation of the concepts presented above and many others which were not mentioned. Each has merit in certain circumstances and disadvantages in others. The choice affects cost, system integrity, and maintainability.

BIRKET Engineering News, May/June 1993

Interlocks are designed into a system as a degree of protection against harm resulting from events such as equipment failure, human error, and unusual circumstances.

The frequency of operation of an interlock has an important relationship to the reliability of the interlock. This is not only because a busy interlock may wear out more quickly, but because an interlock that does not cycle often enough is not tested often. Everyone who designs or maintains interlocked systems knows that routine testing is important. We can all list several reasons why an interlock may not be there when it is needed. Therefore, the frequency of operation is a key consideration in the implementation of an interlock.

A Quiescent (Passive) Interlock remains in the same position for long time periods, often until it is called into play as a safety device (1). Imagine a switch that monitors the presence of a permanent but removable stationary guard. Testing of the switch requires removing the guard or the switch. The switch may freeze from old age or be bypassed and borrowed on a “temporary-permanent” basis without ever being detected. Quiescent interlocks are of questionable value because they invite reliance upon themselves but may not function when called upon. If they are used, they must be part of a dependable periodic inspection program.

A Modicum (Active) Interlock does not necessarily operate with every show, or cycle of the machine, but it is at least accessible for checking (1). Verification of this type of interlock can, and usually should, be made mandatory by software that requires the switch to be actuated by an operator or by a maintenance person between each show or at startup each day. For this reason, a modicum interlock can be much more dependable than a quiescent interlock. The odds are exceedingly small that the interlock will be called upon to prevent harm and will have failed or been bypassed since the last verification of the interlock.

A Cycling Interlock changes state routinely, because it is actuated with every operation of the interlocked system (1). When this type of interlock prevents a harm causing event or just fails itself, a proper hardware or software design can easily prevent all further operation of the system until the harm causing event is remedied or the interlock is fixed. Coupled with a proper fail-safe design, this type of interlock offers the most dependable protection.

Note that there is a special concern with modicum and cycling interlocks. Suppose that an operator rigs the interlock’s sensor (button, limit switch, I.R. beam, etc.) so that it always appears to be actuated. This may take many forms including tying back a switch or wedging a screwdriver or match stick into the button. We have all seen it done, and usually with the best of intentions. It may be done for convenience, to increase production, to conduct a test, to perform maintenance, or just because the operator is lazy.

An improper implementation of the interlock may allow the system to continue without the protection of the interlock. A proper interlocking design will detect this condition on the very next operation by requiring that the state-change as well as the state of the sensor be used in the interlock logic. By constantly checking its own interlock, the system will eliminate the necessity of periodic inspections and will stop for a bypassed interlock almost as soon as it will stop for an unsafe condition.

(1) Frank B. Hall, P.E., J.D., “Safety Interlocks – The Dark Side,” Triodyne, Inc. Safety Brief, v.7 #3, June 1992.

Birket Engineering Standards, 1993

This document establishes a company standard for the design of systems that have a bearing on human safety. The material in this document is compiled from over twelve years of our design notes and discussions with our associates in other companies who also design the same type of systems. We have compiled this information due to the absence of any other written control system design standard that addresses the unique safety requirements of the theme park industry. This is not a comprehensive document; it is a growing document that collects generally accepted safety design philosophy for the theme park industry. It is intended to be used with our other standards for design, the design process, and assembly.

This document addresses control system safety issues only. Clearly most systems have significant mechanical and structural safety issues that are often more critical than the control system safety issues. We are not qualified to address mechanical and structural safety issues. We must avoid the appearance of responsibility in this area while not ignoring the probability of these failures and their effect on the design of the control system. In fact, it is typically the control system that provides a second line of defense against harm from mechanical or structural failure of the controlled system. This document is not an exhaustive treatment of this subject by any means. From time to time we address safety issues that are not covered by this document. We do so by applying the design process and fundamentals that are encouraged by this document.

The design of all safety systems must contain the following three elements:

  1. Involvement of the owner in the operational and implementation details of the design,
  2. Peer review of the design within our company, and
  3. A safety acceptance test procedure performed on the completed system with the owner’s participation.

This document begins by establishing a broad goal. A safety system design tool is discussed. A definition of a safe system is presented. Finally, some details of implementation are offered.

Safety Design Goal
As a broad goal, we believe that a person that rides an attraction vehicle, sits in the theater, or participates in an effect on stage, should experience no more risk than when that same person rides a mass transit vehicle. Trained Client personnel charged with maintaining elements of the attraction should experience no more risk than when trained personnel maintain a mass transit vehicle. Client personnel charged with operating elements of the attraction or equipment should experience no more risk from the attraction or equipment than operators of a mass transit vehicle experience from the equipment that they operate. We make the comparison to mass transit systems because this is an area with a long established design history that is well documented. There are design process standards that have been created for the mass transit industry that we draw from when designing for the theme park entertainment industry. We believe that this is desirable because there are no similar widely accepted design process guidelines in the theme park or entertainment industry.

Similarly, an actor in a live show such as a stunt show should not experience any more risk as a result of his/her interaction with the equipment than he/she would experience when properly trained to operate equipment typical of an industrial manufacturing workplace designed and operated in accordance with OSHA requirements.

This goal seems reasonable, but how can it be determined that a design meets the goal? Design tools and statistical methods exist that allow the probability of harm causing events to be accurately determined. These methods include hazard analysis, risk analysis, failure mode and effects analysis, fault tree analysis and sneak circuit analysis. Each of these tools has its own goals and field of application. For example, some are oriented toward determining the probability of a failure of an existing design so that insurance rates may be established. Others are oriented toward predicting maintenance costs and schedules. One tool is particularly appropriate for discovering and avoiding harm causing events of systems and subsystems during the design phase. This tool is called Fault Tree Analysis.

Fault Tree Analysis
Fault Tree Analysis is a design tool that structures relationships between the events in a system into a Boolean logic model that leads to accident causation. These events are structured so that they lead to a specified outcome. This approach to analysis is called deductive. A deductive approach assumes the failures and examines lower order events to determine all of the combinations that could cause the specified harm-causing event. In the design phase, this approach to determining the causation of a harm causing event is superior to other approaches that use inductive logic. Failure mode and effect analysis, and hazard analysis use inductive logic.

Deductive reasoning is a logical process in which a conclusion is drawn from a set of premises containing no more information than the premises taken collectively. For example: a relay can only fail open or closed; if the relay fails open the system is safe because…; if the relay fails closed the system is safe because…; therefore, the relay’s failure can only result in a safe situation.

Inductive reasoning by contrast is a logical process in which a conclusion is proposed that contains more information than the observation or experience on which it is based. This type of relay has never been seen to fail; this type of relay will never fail. Note that the truth of the conclusion is verifiable only in terms of future experiences. Certainty is attainable only if all possible instances have been examined. There is no certainty that this relay will not fail tomorrow, though it would seem very unlikely.

Inductive logic must not be used in an analysis of a safety control system. Deductive logic shall be used in the safety analysis of the system. Fault tree analysis encourages a deductive approach.

Fault tree analysis is explained in several texts including System Safety Engineering and Management, 2nd ed., Harold E. Roland and Bryan Moriarty, Chapter 29. It is not a requirement that a complete quantitative fault tree analysis be performed for a system. To do so would require that the probability of failure of each single point in the system be known.

Fault tree analysis, however, should be understood and applied as a qualitative tool. This qualitative analysis is more commonly used because it does not require quantitative knowledge of the probability of failure for the system components. An understanding of qualitative fault tree analysis enhances the mental process when designing system logic to avoid harm causing events. By understanding fault tree analysis and following the mental process that it encourages, the analyst will be forced to understand the system beyond the level of the normal system designer. Accordingly, the probability of harm causing events will be reduced to an acceptable level. The definitions and design specifics presented in this paper were derived within the design process encouraged by Fault Tree Analysis.

Safety Requirements and Definitions
This section presents our definition of a safe design and then explains each element of the definition in detail.

The systems that we design shall be failsafe. We define failsafe to mean that every single point failure and critical multiple point failure that may occur in a system results in a safe state.

A single point failure is simply any single thing that can fail in the system. It must be assumed that any single point that might fail will fail. Only points that have a probability of failure that is extremely low can be considered infallible. Examples of single point failures include everything that can go wrong. Examples are: broken switches and wires, fatigued metal, software defects, processor errors, stuck output drivers, and non-deliberate operator error.

Extremely low probability of failure is a subjective characteristic. It means that it reasonably appears that the equipment would have to be operated for over one hundred times the design life of the equipment before a single failure would be expected. For example, an apparent mean time between failures of over one hundred million operations, where there are expected to be less than one million operations over the life of the equipment, would be the worst acceptable failure rate. Accordingly, if an installation has a ten year design life, the equipment would have to be operated for one thousand years for a single failure to be likely. This guideline, coupled with the fact that such failures are more probable at the end of a design life, ensures that the design will consider all failures that might occur during the life of the installation. Note that this discussion does not rely on a periodic inspection program. If a periodic inspection program can be trusted, allowances may be made for it that allow less reliable equipment to be considered infallible.

Critical multiple point failures are combinations of more than one single point failure where the probability of concurrent failure of the combination of single point failures is equal to or greater than the probability of a normal single point failure. It is not sufficient to design a system to be failsafe for single point failures alone. It must also be designed to be failsafe for the occurrence of double or multiple point failures if the probability of the multiple failure is not extremely low.
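As an added illustration of the qualitative, deductive approach described in the Fault Tree Analysis section and of the single and multiple point failure definitions above (example code written for this page, not part of the BIRKET standard), the following Python builds a small constructed fault tree for a hypothetical top event and computes its minimal cut sets. A cut set of size one is a single point failure; cut sets of size two are the candidate critical multiple point failures the design must also be failsafe against. All component names are constructed.

```python
"""Qualitative fault tree analysis: minimal cut sets.

Added example, not code from the BIRKET standard. The tree, the top
event and every basic event name below are constructed for illustration.
"""
from itertools import product


class Gate:
    """AND/OR gate over children; a str child is a basic (leaf) event."""

    def __init__(self, kind, *children):
        assert kind in ("AND", "OR")
        self.kind = kind
        self.children = children


def cut_sets(node):
    """All cut sets (each a frozenset of basic events) that cause `node`,
    before minimisation."""
    if isinstance(node, str):
        return {frozenset([node])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.kind == "OR":
        # Any one child failing is enough: pool the children's cut sets.
        return set().union(*child_sets)
    # AND: every child must fail, so combine one cut set from each child.
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node):
    """Drop any cut set that is a proper superset of another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}


def single_point_failures(node):
    """Basic events that alone cause the top event (cut sets of size 1)."""
    return {next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1}


# Constructed tree. Top event: vehicle moves while a guard is open.
# It needs the guard-open condition to go unseen AND the drive to be enabled.
#   Guard-open unseen: guard switch stuck closed OR guard wire shorted OR
#                      PLC input card fails reading "closed".
#   Drive enabled:     e-stop relay contact welded OR
#                      (PLC output stuck on AND e-stop bus contactor welded).
TOP = Gate(
    "AND",
    Gate("OR", "guard_switch_stuck_closed", "guard_wire_shorted",
         "plc_input_fails_closed"),
    Gate("OR", "estop_relay_welded",
         Gate("AND", "plc_output_stuck_on", "bus_contactor_welded")),
)

# A weaker constructed design in which the guard switch is the only barrier.
UNGUARDED_TOP = Gate("OR", "guard_switch_stuck_closed", "guard_wire_shorted")


if __name__ == "__main__":
    for s in sorted(minimal_cut_sets(TOP), key=sorted):
        print(sorted(s))
    print("single point failures:", single_point_failures(TOP))
    print("single point failures (weak design):",
          single_point_failures(UNGUARDED_TOP))
```

Every minimal cut set of TOP has at least two members, so that design has no single point failure, while the weak design has two; the size-two sets (a guard sensing failure plus a welded e-stop relay) are the multiple point failures whose concurrent probability the text says must be judged.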

The meaning of a safe state is usually obvious. Systems with moving parts are generally in a safe state when all moving parts have become unpowered, detached from any sources of stored energy, and motionless. Power buses or other items with exposed electrical parts are safe when they are unpowered. Sometimes, stopping a device once it has begun to move may cause greater harm than allowing the motion to proceed to completion. In such a case, the selection of the safe state must be carefully considered. Unusual situations shall be identified and presented to the Client for consideration prior to electing a non-obvious definition of a safe state.

We shall attempt to prevent harm from operation of the system with malicious intent, and from operation of the system after alterations to the delivered design, but the safety of the system under these circumstances cannot be assured. Where possible, we shall design the system to be self checking for alterations such as jumpers installed to override safety circuits.

Validation Requirements
In the analysis of a system to determine if it is failsafe, any point which may fail undetected must be assumed to have already failed. Therefore, any point in the system that may have a bearing on safety and which may fail undetected, shall be validated every cycle as not failed if it is to be relied upon. This requires that systems that achieve safety through redundancy incorporate periodic validation of the redundant components. Failure of the validation of a redundant element as operational in one cycle shall prevent operation of the equipment in the next cycle.

Points in the system that may have a bearing on safety and which may fail undetected, but do not cycle periodically under normal conditions, must be forced to cycle periodically to ensure that they remain capable of producing the desired result. Examples are emergency stop buttons and circuits, over-pressure switches and over-travel limit switches. This is best enforced by system design, but in some cases the only practical way to enforce such cycling will be by written operational requirements.

Consider an over-limit switch. The system may operate for years before the primary limit fails allowing the over-limit to come into play. Since the over limit switch may have been disconnected, bypassed, or otherwise failed in the days or months prior to the failure of the primary limit, the over limit switch cannot be relied upon to provide any additional system safety. Another means of achieving the backup shall be used if human safety is involved, and is recommended for equipment safety.

Another example of a device requiring validation because it may fail undetected is an enable switch. In this example, a potentially hazardous event will be permitted only if the momentary action enable switch is depressed. How can it be known that the enable switch has not failed in a way that makes it appear to always be depressed? What if the contacts have been shorted? To address this and many similar situations, the system must be designed so that the enable status is granted only when the transition of the switch from “not-enabled” to “enabled” is seen. Stated another way, system permissives are required to be “edge sensitive” rather than “state sensitive”.
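The edge-sensitive permissive described here, together with the self-checking cycling interlock from the interlock article above (the design that stops on a bypassed sensor at the very next operation), as an added Python example that is not code from the BIRKET standard. The scan sequences are constructed; the permissive is also cleared when the permitted event starts, so a button held or wedged after one legitimate press does not enable a second event.

```python
"""Edge-sensitive permissive and bypass detection for a cycling interlock.

Added example, not code from the BIRKET standard. All sample sequences
are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EdgeSensitivePermissive:
    """Grants the permissive only when the enable input is seen to go from
    released to pressed. A contact that reads 'pressed' from the first scan
    (shorted contacts, wedged button) never produces that edge."""
    last_state: Optional[bool] = None   # unknown until the first scan
    granted: bool = False

    def scan(self, pressed: bool) -> bool:
        # An edge needs a previously observed 'released' state; the first
        # scan only establishes the baseline and can never grant.
        rising = pressed and self.last_state is False
        self.granted = pressed and (rising or self.granted)
        self.last_state = pressed
        return self.granted

    def consume(self) -> None:
        """Call when the permitted event starts: the next event needs a fresh edge."""
        self.granted = False


@dataclass
class CyclingInterlock:
    """A sensor that must change state during every machine cycle (for
    example a limit switch struck once per cycle). If a cycle ends without
    both an actuation and a release having been observed, the sensor is
    treated as failed or bypassed and the system is locked out."""
    seen_actuated: bool = False
    seen_released: bool = False
    locked_out: bool = False
    fault: str = ""

    def scan(self, actuated: bool) -> None:
        if actuated:
            self.seen_actuated = True
        else:
            self.seen_released = True

    def end_of_cycle(self) -> bool:
        """Return True if the next cycle may proceed."""
        if not (self.seen_actuated and self.seen_released):
            self.locked_out = True
            self.fault = ("sensor never actuated" if not self.seen_actuated
                          else "sensor never released (bypassed?)")
        self.seen_actuated = self.seen_released = False
        return not self.locked_out


def run_cycles(scans_per_cycle: List[List[bool]]) -> Tuple[int, str]:
    """Feed constructed cycles (each a list of sampled sensor states) through
    a CyclingInterlock; return (cycles completed, fault text or '')."""
    ilk = CyclingInterlock()
    done = 0
    for cycle in scans_per_cycle:
        for sample in cycle:
            ilk.scan(sample)
        if not ilk.end_of_cycle():
            return done, ilk.fault
        done += 1
    return done, ""


if __name__ == "__main__":
    healthy = EdgeSensitivePermissive()
    print([healthy.scan(s) for s in (False, True, True, False)])
    shorted = EdgeSensitivePermissive()
    print([shorted.scan(True) for _ in range(3)])          # never granted
    print(run_cycles([[False, True, False], [True, True, True]]))  # wedged on cycle 2
```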

Unless special circumstances dictate otherwise, a design should be based upon the assumption that there is a higher probability of failure due to open signals than to shorted signals. Stated another way, the design shall be failsafe for wires that become disconnected rather than wires that are shorted together unless this is inappropriate to the safety of a particular situation. If human safety is an issue, the system shall be failsafe in both cases.

Emergency Stop System Architecture
An emergency stop system shall respond to appropriate events (identified during the design process) by causing the system to enter a safe state as defined previously. The design of the emergency stop system shall be failsafe as defined previously. See the sections on Emergency Stop Circuit Design for additional details on the design of the emergency stop system.

Each emergency stop button shall incorporate a red light. This red light shall be illuminated when an emergency stop condition exists, and not illuminated under normal operating conditions. To accomplish this, these lamps are powered from an “emergency stop not” bus. Where possible, a means of recording the time and location of an emergency stop event shall be incorporated into the design.

All emergency stop systems shall be periodically validated to ensure that they remain capable of performing as designed. This periodic verification must be enforced (preferably by an automated process, but possibly by written operational policy) such that each button, contact, etc. that is able (by design) to drop the emergency stop bus is demonstrated to be presently capable of dropping the emergency stop bus. In a processor based architecture, this process shall be automated so that at each start-up of the system the processor(s) demonstrate the capability to drop the emergency stop bus.

This discussion assumes the more complex situation where there is a Master controller which is responsible for the control of one or more (typically many) Subsystem controllers. The Master manages the enable, trigger, monitor and emergency stop signals of all of the subsystems. In a system without a Master-Subsystem architecture, a subset of these notes will apply.

Any Subsystem with human safety issues shall include a failsafe emergency stop circuit. This emergency stop circuit shall control an emergency stop bus within the Subsystem controller. The emergency stop bus shall power all devices that may cause harm. The emergency stop circuit shall be designed to power the bus whenever the 24VDC emergency stop signal from the Master is powered and other Subsystem conditions are met.

The Subsystem emergency stop bus shall become unpowered any time that the emergency stop signal from the Master becomes unpowered. The Subsystem emergency stop bus must also become unpowered as a result of pressing the emergency stop button on the face of the Subsystem control enclosure, or at other locations remote from the Subsystem control enclosure. Other fault conditions within the Subsystem may also cause the Subsystem emergency stop bus to become unpowered.

The local error conditions that cause the Subsystem emergency stop bus to become unpowered shall not cause the Master emergency stop bus to become unpowered unless this is appropriate to the situation. However, two normally closed contacts of the emergency stop button on the face of the Subsystem shall be returned to the Master so that pressing this button does cause the Master emergency stop bus to become unpowered. This addresses the requirement that pressing “any red mushroom emergency stop button” associated with the attraction will cause the Master and all attraction Subsystems to become unpowered.

A possible exception to the global nature of the emergency stop system described above exists. This exception shall be considered on a case by case basis and used only after the Client’s approval. The exception addresses the desire to operate a Subsystem in the manual mode while the system wide emergency stop bus from the Master is down, thus preventing all Subsystems from operating. This exception will be granted only in the circumstances where the control panel of the Subsystem is within easy line of sight of all of the equipment controlled by the Subsystem. Further, a red warning placard will be required on the face of the Subsystem adjacent to the Subsystem’s red emergency stop button explaining the exception. The red warning shall read: “when this Subsystem is in local (manual) mode it will not respond to the attraction emergency stop bus”. Under this exception, the Subsystem’s emergency stop bus becomes powered when the Subsystem is in the local or manual mode and the emergency stop button on the face of the Subsystem is not depressed, without regard for the status of the emergency stop signal from the Master. This allows local maintenance to be performed on the equipment controlled by the Subsystem without regard for the status of the Master emergency stop bus.

The emergency stop button on the face of the Subsystem also contains a red light. This red light will be powered only by the Master. It will be on when the emergency stop bus is not powered.

If the button on the face of the Subsystem is not pressed, and there are no other error conditions within the Subsystem which are causing an emergency stop condition, the Subsystem’s emergency stop bus should become powered as soon as power is returned to the emergency stop signal from the Master. A determination must be made for each Subsystem as to the result of powering the emergency stop bus. In some systems, powering the emergency stop bus may immediately result in motion of equipment. In other systems it would be more safe to design a system such that equipment will not move when the emergency stop bus is powered. In these systems a separate reset or start signal coupled with an enable signal from the Master will be required to initiate motion after recovery from an emergency stop.

The following presents the previous discussion in tabular form. Each column gives the state of the listed signal under one condition:

  (1) Normal
  (2) Master Internal EStop
  (3) Master EStop Button
  (4) OCC EStop Button
  (5) Subsystem Internal EStop (Type A)
  (6) Subsystem Internal EStop (Type B)
  (7) Subsystem EStop Button

Signal                                                                     |  (1)  |  (2)  |  (3)  |  (4)  |  (5)  |  (6)  |  (7)
---------------------------------------------------------------------------+-------+-------+-------+-------+-------+-------+-------
Master’s EStop Bus                                                         | 24vdc |   0   |   0   |   0   | 24vdc |   0   |   0
Subsystem’s EStop Bus, Subsystem in Auto                                   | 24vdc |   0   |   0   |   0   |   0   |   0   |   0
Subsystem’s EStop Bus, Subsystem in Local or Manual                        | 24vdc |   0   |   0   |   0   |   0   |   0   |   0
Subsystem’s EStop Bus, Subsystem in Local or Manual (Exception granted.)*  | 24vdc | 24vdc | 24vdc | 24vdc |   0   |   0   |   0
Indicator lamp on all EStop buttons that did not initiate the EStop        |  Off  |  n/a  |  On   |  On   |  n/a  |  n/a  |  On
Indicator lamp on the EStop button that did initiate the EStop             |  Off  |  n/a  |+Flash |+Flash |  n/a  |  n/a  |+Flash

EStop is an abbreviation for emergency stop. A “Type A” Subsystem Internal emergency stop is one that causes the Subsystem emergency stop bus to drop, but does not cause the Master emergency stop to drop. A “Type B” Subsystem Internal emergency stop is one that causes both the Subsystem and the Master emergency stop to drop. See the earlier text.

*The “Exception granted” note implies that it has been determined by the Client that it is acceptable for this Subsystem to bring its emergency stop bus up even when the global emergency stop bus is not up. See the earlier text describing this situation and associated requirements.

+Special cases where each emergency stop indicator is controlled independently by a PLC digital output.

Emergency Stop Circuits in Master Systems
The Master shall receive two normally closed contacts from each emergency stop button, regardless of the location of the button. One contact shall be wired in series with all the other buttons, creating a chain that powers the Master emergency stop relay. The other contact shall be monitored by a discrete input of the PLC in the Master. PLC logic shall both drop the emergency stop bus and cause the same result by logically preventing further operation, when any button is pressed.

In special cases where a Subsystem has operating voltages different from the voltage used for the Emergency stop chain (normally 24VDC), a relay may be used whose coil is controlled directly by the remote Emergency stop switch. A contact of this relay shall be connected in series with the Emergency stop chain and a separate contact shall be directly monitored by a discrete input of the processor. As with normal Emergency stop switches, this logic must be tested daily to ensure the normal functionality of both the remote switch and its interposing relay. The test must be monitored by the processor to ensure that the combination of hardware is capable of causing an Emergency stop.

The emergency stop signal derived by the Master shall control the emergency stop relay in the Master. The 24VDC status bus power or a separate 24VDC power supply shall pass through normally-open contacts of this relay to create an emergency stop bus within the Master. The corresponding normally closed contacts of the form-C contact set of this emergency stop relay shall be used to short across the Master emergency stop bus when the emergency stop relay is not energized.

All Master system outputs that cause motion or are otherwise safety related shall be powered by this emergency stop bus. Systems controlled by the Master shall be designed and built failsafe such that loss of power on the emergency stop bus makes them safe.

The Master shall make its internal emergency stop bus available to each Subsystem so that the Subsystem can create a local Subsystem emergency stop bus that tracks the bus in the Master. The Subsystem emergency stop bus is specified in the Subsystem Controller General Specification.

The Master shall also make an “emergency stop not” signal available to each Subsystem that is used by the Subsystem to illuminate the emergency stop button when the emergency stop bus is not powered. In special cases a unique signal shall be generated by a PLC digital output for each and every destination button. The signal sent to the button that caused the emergency stop shall be a square wave with a one second period so that the offending button flashes. This facilitates finding which emergency stop button needs to be pulled out after an emergency stop has been manually initiated.

Emergency Stop Circuits in Subsystems
The emergency stop signal from the Master shall be terminated at the coil of a 24VDC emergency stop relay in the Subsystem. The 24VDC status bus power or a separate 24VDC power supply shall pass through normally-open contacts of this relay to create an emergency stop bus within the Subsystem. The corresponding normally closed contacts of the form-C contact set of this emergency stop relay shall be used to short across the Subsystem emergency stop bus when the emergency stop relay is not energized.

All Subsystem outputs that cause motion or are otherwise safety related shall be powered by this emergency stop bus. Their safety related systems shall be designed and built failsafe such that loss of power on the emergency stop bus makes them safe.

Figures 1 and 2 below present an implementation of a power bus structure and emergency stop system in a subsystem controller that follows the design guidelines presented in this document.

Watchdog Timer
The purpose of a watchdog timer signal is to ensure that a processor is still processing and that it is processing the code that it is intended to be processing. Barring a deliberate attempt to circumvent this safety feature, only the intended code will create a watchdog timer signal of the appropriate frequency on the appropriate output.

In a one processor system the watchdog signal shall be monitored by a watchdog timer relay configured to maintain a contact closure output if the input signal is within a reasonable tolerance of the intended frequency. There shall be a means of periodically validating the proper function of the watchdog timer relay.

If the Master and the Subsystem both contain a processor, they shall exchange watchdog timer (WDT) signals. This is accomplished by generating the signal at the Master and echoing it back from the Subsystem after an inversion by the Subsystem. To accomplish this, the Subsystem shall receive the incoming WDT signal on an input point of its intelligent controller. The intelligent controller software shall invert this signal, and apply it to an output of the intelligent controller for return to the Master for verification. This test may also be implemented as a part of the information conveyed via a serial link, if such may be agreed upon with the designer of the Master. The ability to receive, invert and return this signal will serve as a test to the intelligent controller’s valid operation. The inversion prevents hard wiring the signal back to the Master.

In a redundant controller architecture, watchdog signals shall be exchanged by the processors.

Placards
Procedures involving safety shall be summarized on black placards placed on the face of the Subsystem. System conditions and erroneous procedures which pose a threat to safety shall also be described on red warning placards placed on the face of the Subsystem. The text used for each of the placards shall also be contained in a special “placard” section of the system documentation. Such warning placards shall be in a language or languages suitable and appropriate to the installation site.

Power Cycling
The system shall be designed such that power may be applied or removed at any time without causing damage to the controlled equipment. No motion shall result in any of the controlled equipment when power to the system is applied or removed.

Ladder Logic

Birket Engineering Cookbook

Given:
Any two bit terms ‘S’et and ‘R’eset. S and R may be any logic that evaluates to a single bit, including combinations of most input instructions. Also, an output bit X (before evaluation) or X’ (after evaluation).

Consider the following ladder logic program fragments:

1. Reset Priority Latches

1.1. Double Output Latch, -(L)- then -(U)-

A matched pair of -(L)- and -(U)- instructions.

Table of result X’, given S,R, and initial X.

             S,R:   0,0   0,1   1,1   1,0
X' for X = 0         0     0     0     1
X' for X = 1         1     0     0     1

Boolean equation of result X’, given S,R, and initial X.

X’ = (S | X) & ~R

1.2. Single Output Latch, Reset Priority

A handmade latch, using the -( )- instruction, and giving priority to the Reset term.

Table of result X’, given S,R, and initial X.

             S,R:   0,0   0,1   1,1   1,0
X' for X = 0         0     0     0     1
X' for X = 1         1     0     0     1

Boolean equation of result X’, given S,R, and initial X.

X’ = (S | X) & ~R

2. Set Priority Latches

2.1. Double Output Latch, -(U)- then -(L)-

The same matched pair of -(L)- and -(U)- instructions, but reversed in sequence.

Table of result X’, given S,R, and initial X.

             S,R:   0,0   0,1   1,1   1,0
X' for X = 0         0     0     1     1
X' for X = 1         1     0     1     1

Boolean equation of result X’, given S,R, and initial X.

X’ = S | (X & ~R)

2.2. Single Output Latch, Set Priority

A handmade latch, using the -( )- instruction, and giving priority to the Set term.

Table of result X’, given S,R, and initial X.

             S,R:   0,0   0,1   1,1   1,0
X' for X = 0         0     0     1     1
X' for X = 1         1     0     1     1

Boolean equation of result X’, given S,R, and initial X.

X’ = S | (X & ~R)

3. Observations

There exists an exact equivalent for any pair of -(L)-, -(U)- rungs that can be written on one rung, modifying the output bit X only once per scan. Example 1.2 is equivalent to example 1.1, and example 2.2 is equivalent to example 2.1. The single rung latch uses no more instructions than the double rung latch, including the rung and branch begin and end instructions. The single rung latch may even use fewer instructions if S and R contain common terms allowing simplification of the rung.

If you reverse the order of the -(L)- and -(U)- rungs, the result is different for the case where both S and R are true. (See examples 1.1 and 2.1 and compare the tables.) When the -(L)- and -(U)- rungs are both active, the last one executed ‘wins’. This behavior is like an electrical latch relay which gives priority to either the set or reset input when both are active, but unlike an electrical latch relay because the priority is determined by the order of evaluation in the program. The single rung latch makes the priority clear by its construction (compare the ladder logic of examples 1.2 and 2.2) and is not subject to swapping.

The order of evaluation has another effect if the -(L)- and -(U)- rungs are not next to each other. Any rungs that come between the -(L)- and -(U)- rungs will not see the same value for X as the rungs that follow the pair. Again, the problem occurs when both S and R are true. The single rung latch is not subject to this problem.
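The four latch forms above, and the "rung in between" effect just described, can be checked scan by scan. This is an added Python model, not the cookbook's own ladder; the function names are mine, and each function plays the role of one scan's worth of rungs acting on the bit X:

```python
# Added example: the four latch forms of sections 1.1-2.2 as per-scan functions,
# exhaustively compared the way the tables above do it.  Names are my own.
from itertools import product

# The page's column order for (S, R), so rows read like the tables above.
SR_ORDER = ((0, 0), (0, 1), (1, 1), (1, 0))


def double_latch_reset_priority(S, R, X):
    """1.1: -(L)- rung then -(U)- rung.  The Unlatch executes last, so Reset wins."""
    if S:
        X = 1          # -(L)- rung
    if R:
        X = 0          # -(U)- rung
    return X


def single_latch_reset_priority(S, R, X):
    """1.2: one -( )- rung,  X' = (S | X) & ~R"""
    return int((S or X) and not R)


def double_latch_set_priority(S, R, X):
    """2.1: -(U)- rung then -(L)- rung.  The Latch executes last, so Set wins."""
    if R:
        X = 0          # -(U)- rung
    if S:
        X = 1          # -(L)- rung
    return X


def single_latch_set_priority(S, R, X):
    """2.2: one -( )- rung,  X' = S | (X & ~R)"""
    return int(S or (X and not R))


def truth_table(latch):
    """Map (X, S, R) -> X' for every combination."""
    return {(X, S, R): latch(S, R, X) for X, S, R in product((0, 1), repeat=3)}


def table_rows(latch):
    """Rows of X' for X = 0 and X = 1, columns in the page's S,R order."""
    return {X: [latch(S, R, X) for S, R in SR_ORDER] for X in (0, 1)}


def latches_equivalent(a, b):
    return truth_table(a) == truth_table(b)


def disagreements(a, b):
    """The (X, S, R) cases where two latch forms produce a different X'."""
    ta, tb = truth_table(a), truth_table(b)
    return {k for k in ta if ta[k] != tb[k]}


def intermediate_rung_sees(S, R, X):
    """Section 3: a rung placed between the -(L)- and -(U)- rungs reads X after
    the Latch but before the Unlatch.  Returns (value seen between, final X')."""
    if S:
        X = 1
    seen_between = X          # e.g. a rung  -| X |----( Y )-  copies this value
    if R:
        X = 0
    return seen_between, X
```

Running `table_rows` on the single-rung forms reproduces the two tables above exactly; `disagreements` between the reset-priority and set-priority forms is the pair of cases with S = R = 1, and `intermediate_rung_sees(1, 1, 0)` returns (1, 0): the rung in between saw X on while the rungs after the pair see it off.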

4. Summary

It is a principle of the design of maintainable software that you should minimize or eliminate the scope where a variable can contain an invalid value. Maintaining programmers will expect a variable to contain the value described. If the variable does not always contain the correct value it can be misused. By using the Single Rung Latch construction, you can ensure that the latch variable always contains a valid result and eliminate the chance that the variable will be misused. Remember that the maintenance programmer whose time you save may be yourself.

5. Using the Single Rung Latch with the Fail-Safe Sense Convention

The Single Rung Latch works well with the Fail-Safe Sense Convention. Consider a general case of a device controlled by a START and ESTOP button and OK and READY sensors or bits. All devices are wired Fail-Safe.

6. Using the Single Rung Latch with the OK (NOT Fault) Convention

The Single Rung Latch works well with the OK Convention. Consider a general case of an OK bit set by a RESET button and cleared (faulted) by two over-travel limit switches (LIM1 and LIM2). All devices are wired Fail-Safe.

7. Using the Single Rung Latch for Estop Bus Control

The Single Rung Latch is ideal for Estop Bus Control. Consider an Estop bus where the PLC controls an Estop power VOTE relay with a RESET and ESTOP button and an ALL_OK term. The PLC also receives the status of the Estop BUS. All devices are wired Fail-Safe.

Birket Engineering Cookbook

Coding for an operator interface often requires a push-on, push-off toggle function. In a typical scenario, the panel has a simple lighted pushbutton, but the user interface design requires a push-on, push-off button. The simpler momentary switch is usually more desirable, both because it is cheaper, and because the PLC can choose to override the basic push-on, push-off behavior.

Although a simple function, I’ve seen (and written) some surprisingly complex implementations of this basic operation. Here is the simplest one I’ve found yet:

Given BUTTON, an input, and LIGHT, an output:

Construct a strobe, BUT_STB, from the button. The strobe is high for one scan on the rising edge of the button press.

Invert the LIGHT each time BUT_STB pops on for a scan. Set the light to the XOR of the old light and the strobe.

The relationship between the new light and the old light is clearer in this Karnaugh map:

  • S = BUT_STB
  • L = old LIGHT
  • L’= new LIGHT
  L' (new LIGHT)    L = 0    L = 1
  S = 0               0        1      no change to light when strobe is OFF
  S = 1               1        0      light inverts when strobe is ON
  • L’ = (L and (not S)) or ((not L) and S)
  • L’ = L xor S
  • L’ = L ⊕ S

Blinker Bit

The same technique works well for constructing a blinker bit from a self resetting timer:

Reset a timer with its own Done bit to obtain a done bit which periodically pops ON for one scan.

Use the strobing Done bit to toggle a blinker bit.

The advantages of this toggle function are:

  • It requires only one rung and 7 instructions (including branch start and end) and no additional bit to implement.
  • It is easily adapted to word or file instructions for mass implementation.

The disadvantages are:

  • It requires a previously constructed strobe bit.
  • Its function is not immediately obvious.

It is the simplest way in ladder I have seen for making a T flip-flop. The blink circuit is good when you want to flash a light at an interval that is readily observable and editable by accessing the timer preset. I often use a bit from the free running clock (S:4) to be my flasher instruction. If you don’t care that the flash period is a little odd, say 1.28 seconds, then you can simply use an XIC instruction with the address S:4/6 to utilize the 7th bit of the free running clock and label it FLASHER. If you want a faster or slower flash rate, then use a lower or higher bit of the clock.
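The strobe, the XOR toggle and the self-resetting-timer blinker can all be exercised scan by scan. This is an added Python model, not the cookbook's rungs: timers count scans instead of milliseconds, the free-running clock is modelled as a tick counter (the 10 ms tick of S:4 is assumed), and the class and function names are mine:

```python
# Added example: push-on/push-off toggle, blinker bit and clock-bit flasher as
# one scan loop.  Scan-counting timers and my own names; not the cookbook's code.


class TogglePLC:
    def __init__(self, preset):
        self.button_prev = 0      # last scan's BUTTON, for the rising-edge strobe
        self.light = 0            # LIGHT output
        self.preset = preset      # timer preset, in scans
        self.acc = 0              # timer accumulator
        self.dn = 0               # timer Done bit
        self.blink = 0            # BLINKER bit

    def scan(self, button):
        # Rung 1: BUT_STB is on for exactly one scan on the rising edge of BUTTON.
        but_stb = int(button and not self.button_prev)
        self.button_prev = button

        # Rung 2: LIGHT = LIGHT xor BUT_STB  (the T flip-flop)
        self.light ^= but_stb

        # Rung 3: self-resetting timer.  The rung is conditioned on NOT DN, so the
        # scan after DN comes on the timer resets and DN falls: a one-scan pulse.
        if not self.dn:
            self.acc += 1
            if self.acc >= self.preset:
                self.dn = 1
        else:
            self.acc = 0
            self.dn = 0

        # Rung 4: BLINKER = BLINKER xor DN  (same toggle, driven by the strobing DN)
        self.blink ^= self.dn
        return self.light, self.blink


def run(button_sequence, preset):
    """Feed one BUTTON value per scan; return the LIGHT and BLINKER histories."""
    plc = TogglePLC(preset)
    lights, blinks = [], []
    for button in button_sequence:
        light, blink = plc.scan(button)
        lights.append(light)
        blinks.append(blink)
    return lights, blinks


def rising_edges(button_sequence):
    """Number of 0->1 transitions; a T flip-flop toggles once per edge."""
    prev, edges = 0, 0
    for b in button_sequence:
        edges += int(b and not prev)
        prev = b
    return edges


def clock_flasher(ticks, bit):
    """Bit `bit` of a free-running tick counter (S:4 style).  Assuming a 10 ms
    tick, bit 6 gives a period of 2 * 64 * 10 ms = 1.28 s."""
    return (ticks >> bit) & 1


def flasher_period_ms(bit, tick_ms=10):
    return 2 * (1 << bit) * tick_ms
```

With the constructed button history `[0, 1, 1, 1, 0, 0, 1, 0]` the light follows `[0, 1, 1, 1, 1, 1, 0, 0]`: it toggles on the two rising edges and ignores how long the button is held. With a preset of 3 scans the blinker changes state every fourth scan, because the timer spends one scan resetting.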

Birket Engineering Cookbook

The following rungs implement a simple 2-way response check for a device which is controlled by an output and provides a monitoring input. We use this check more than any other diagnostic test.

This method of implementing Stuck-On and Stuck-Off tests is simpler (by several instructions) than the pattern I have used before. Thanks to Ken K. for the improvement.

Some examples of devices which should use this check are:

  DEVICE                 OUTPUT      INPUT
  Relay or Contactor     Coil        Aux Contact
  EStop Relay            Coil        Estop Bus
  Shut-Off Valve         Solenoid    Proof-of-Closure
  Coaster Brake          Valve       Brake Position Prox.
  Air Cannon             Valve(s)    Tank Pressure Sensor

Sample Code for a Motor Contactor with a coil and Aux contact

Note that the two OK rungs do not include a latch or acknowledge. Those functions are presumed to be handled elsewhere by the Latch & Ack section of the Diagnostics routine.

Construct Timer-On and Timer-Off Done bits from the output and set permissible response delays in each direction.
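The two-direction check can be modelled directly from that description: a TON and a TOF are both driven by the OUTPUT, and their Done bits gate the comparison with the aux contact. This is an added Python model of the pattern, not the cookbook's rungs (which are not reproduced here); timers count scans, the sample histories are constructed, and the names are mine:

```python
# Added example: Stuck-On / Stuck-Off response check for a contactor with a
# coil OUTPUT and an aux-contact INPUT.  Scan-counting timers, my own names.


class ResponseCheck:
    def __init__(self, pickup_scans, dropout_scans):
        self.pickup = pickup_scans     # permissible delay for aux to follow OUTPUT on
        self.dropout = dropout_scans   # permissible delay for aux to follow OUTPUT off
        self.ton_acc = 0
        self.tof_acc = 0

    def scan(self, output, aux):
        # TON driven by OUTPUT: DN once the coil has been commanded on for pickup scans.
        self.ton_acc = min(self.ton_acc + 1, self.pickup) if output else 0
        ton_dn = self.ton_acc >= self.pickup

        # TOF driven by OUTPUT: DN while commanded on, and for dropout scans after off.
        self.tof_acc = 0 if output else min(self.tof_acc + 1, self.dropout)
        tof_dn = self.tof_acc < self.dropout

        # Stuck-Off OK rung: fault only if the coil has been on long enough
        # and the aux contact still has not closed.
        stuck_off_ok = int(not (ton_dn and not aux))

        # Stuck-On OK rung: fault only if the aux contact is still closed
        # after the coil has been off longer than the permitted drop-out.
        stuck_on_ok = int(not (aux and not tof_dn))
        return stuck_off_ok, stuck_on_ok


def check_sequence(outputs, inputs, pickup_scans=2, dropout_scans=2):
    """One (STUCK_OFF_OK, STUCK_ON_OK) pair per scan for paired histories."""
    chk = ResponseCheck(pickup_scans, dropout_scans)
    return [chk.scan(o, i) for o, i in zip(outputs, inputs)]


# Constructed sample histories (OUTPUT list, INPUT list), one value per scan.
HEALTHY = ([1, 1, 1, 1, 0, 0, 0, 0], [0, 1, 1, 1, 1, 0, 0, 0])   # aux lags by one scan
STUCK_OFF = ([1, 1, 1, 1], [0, 0, 0, 0])                          # aux never closes
STUCK_ON = ([1, 1, 0, 0, 0], [1, 1, 1, 1, 1])                     # aux welded closed
```

On the healthy history both OK bits stay on throughout, because the one-scan lag is inside both tolerances. The stuck-off contactor trips STUCK_OFF_OK on the second scan (when the TON times out) and the welded contactor trips STUCK_ON_OK two scans after the coil is dropped, when the TOF's Done bit falls. As the text notes, these are unlatched OK bits; latching and acknowledgment belong to the Diagnostics routine.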

Birket Engineering Cookbook

You can write better, simpler ladder logic by learning to recognize several common patterns within your rungs. Each of these patterns can be written in a shorter and simpler form that does the same thing. If you use the simpler forms your rungs will be easier to understand and change (which helps you write software that works the way you intend) and your programs will run faster and use less memory too.

Simplification Techniques

This document explains how to apply several simple laws taken from boolean algebra to ladder logic. You may remember the names of these laws from an old math class: Associative, Distributive, Commutative, Identity. Boolean algebra adds a few more: DeMorgan, Absorption, Tautology, and Contradiction. You won’t have to remember the names of the laws – just learn to recognize their patterns and simplifications.

  • Extracting Duplicated Patterns
  • Inverting Branched Rungs
  • Combining Common Contacts
  • Absorbing Unnecessary Contacts

Extracting Duplicated Patterns

One simplification technique you will use very often is extracting patterns which appear more than once into a rung of their own. The pattern is then evaluated only once, and the result can be used in two or more rungs that follow without evaluating the same pattern again and again. This simplification is based on the associative law of boolean algebra.

When you use this simplification, it is important to remember that, unlike the electric circuit that it resembles, your ladder logic program is evaluated rung-by-rung, in order, from top to bottom. You should design your ladder program so that bits are always defined (right-side rung outputs) before they are referenced (left-side rung inputs). (As card inputs are defined prior to the start of the program, you need only worry about internal and output bits.) Following this rule will allow your program to react as quickly as possible (one scan) and avoid some rather devious program bugs.

The “simpler” code is actually slightly longer than the original – it uses two more instructions. However, this simplification is still desirable because it makes the program easier to understand. It is also clear that the MANU_MODE and AUTO_MODE results will be useful elsewhere in the program. Obviously, if the duplicated patterns had been larger or used branches, then the savings in speed and size could have been significant, in addition to improving the readability of the program.

Inverting Branched Rungs

Branches in rungs affect the complexity, size, and speed of ladder logic. A set of branches requires three or more instructions in addition to the contacts appearing on the branches. Each set of branches in a rung requires a branch-start and branch-end instruction, plus a next-branch instruction for every branch after the first. You can write faster, smaller, simpler programs by avoiding unnecessary branches.

Fortunately, it is possible to convert any rung from a “tall” rung which uses many branches to a “wide” rung using fewer branches by using DeMorgan’s Law. To invert a rung, change all parallel branches (ORs) to series contacts (ANDs) and vice-versa, and invert all the contacts from N/O to N/C and vice-versa. Then use the output of the rung in the opposite sense from its original use.

Combining Common Contacts

Another way to cut down on your program’s size and increase its scanning speed is to combine common contacts using the boolean distributive law. This technique may be useful if you see the same contact on two or more branches of the same group or on branches of adjacent branch groups.

The programmer has literally implemented a user interface specification which states: “the arm’s ready light shall be ON if the pressure is High and the arm is at the upper limit switch, or if the pressure is Low and the arm is at the lower limit switch, or if the pressure is High and the footswitch is pressed.” Note that the limit switches are normally closed and open when the arm is at each limit.

Absorbing Unnecessary Contacts

This simplification allows you to absorb unnecessary contacts from branched rungs by using boolean algebra’s law of absorption. You can find this pattern by looking for both a N/O and N/C contact of the same bit used on adjacent branches (or inside and outside a branch).

Consider the example below. This ladder segment compares the output to a motor starter (or contactor) to an input from the starter’s aux contact. The aux contact input should always follow the output. If the aux contact is either stuck ON or stuck OFF (not following the output) for longer than the tolerance of a timer, then the fallen DoNe bit of the timer unlatches an OK bit to record the problem.

The results of X and Y for all combinations of A and B is given by this truth-table:

  A  B  X  Y
  0  0  1  1
  0  1  1  1
  1  1  1  1
  1  0  0  0

Notice that the results of X and Y are exactly the same for all possible combinations of A and B, despite the missing A contact in the second rung. Clearly the first contact of A is unnecessary and can be “absorbed” into the other contact of A.

The truth table for these two rungs is given below, showing that the results of X and Y are identical.

  A  B  X  Y
  0  0  1  1
  0  1  1  1
  1  1  0  0
  1  0  0  0
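Each of the simplifications in this article is an equivalence, and the cheapest way to convince yourself (or a reviewer) that a rewritten rung still does the same thing is to compare both forms over every input combination. The following is an added Python check, not the article's ladder; since the ladder diagrams are not reproduced here, the rung forms for the arm ready light and the two absorption examples are my reading of the text (one HIGH pressure bit with Low taken as NOT High, and the absorption rungs chosen to reproduce the two truth tables above):

```python
# Added example: exhaustive equivalence checks for the four simplification
# techniques.  Function bodies are my reading of the text, not the article's rungs.
from itertools import product

# The page's row order for two inputs: (A,B) = 00, 01, 11, 10.
PAGE_ROWS = ((0, 0), (0, 1), (1, 1), (1, 0))


def equivalent(f, g, n_inputs):
    """True if two rung functions agree for every combination of n_inputs bits."""
    return all(f(*bits) == g(*bits) for bits in product((0, 1), repeat=n_inputs))


def page_rows(f):
    """Outputs of a two-input rung in the page's truth-table row order."""
    return [f(a, b) for a, b in PAGE_ROWS]


# Inverting a branched rung (DeMorgan)
def fault_tall(a, b, c):
    """FAULT = A | B | C: three parallel N/O branches."""
    return int(a or b or c)


def ok_wide(a, b, c):
    """OK = ~A & ~B & ~C: one series rung of N/C contacts, used as NOT FAULT."""
    return int(not a and not b and not c)


# Combining common contacts (distributive): the arm ready light
def ready_literal(high, upper_lim, lower_lim, foot):
    """Spec written out term by term.  Limit switch inputs are N/C, so the arm
    is at a limit when its input is 0 (an XIO of the input)."""
    at_upper = not upper_lim
    at_lower = not lower_lim
    return int((high and at_upper) or ((not high) and at_lower) or (high and foot))


def ready_factored(high, upper_lim, lower_lim, foot):
    """HIGH factored out of the two branches that share it."""
    at_upper = not upper_lim
    at_lower = not lower_lim
    return int((high and (at_upper or foot)) or ((not high) and at_lower))


# Absorbing unnecessary contacts: forms matching the first truth table (X = Y)
def x_before(a, b):
    """~A | (A & B): N/C A outside a branch, N/O A inside it."""
    return int((not a) or (a and b))


def x_after(a, b):
    """~A | B: the inner A contact absorbed."""
    return int((not a) or b)


# ... and forms matching the second truth table
def y_before(a, b):
    """~A & (~A | B)"""
    return int((not a) and ((not a) or b))


def y_after(a, b):
    """~A"""
    return int(not a)


def count_instructions_saved():
    """Contacts removed by absorption in the two examples (one each)."""
    return {"x": 1, "y": 2}
```

`page_rows(x_before)` gives `[1, 1, 1, 0]` and `page_rows(y_before)` gives `[1, 1, 0, 0]`, the two X/Y columns shown above, and `equivalent` confirms each before/after pair as well as the DeMorgan and distributive rewrites. The same `equivalent` helper is worth keeping in a test harness: any time a rung is hand-simplified it settles the question in a few milliseconds.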

Birket Engineering Cookbook

There are many applications where you need to know if a connection to a remote device is intact and/or that the remote device is functioning.

Examples include:

  • Main PLC to Subsystem PLC via remote I/O
  • Main PLC to Subsystem PLC via hardwired lines
  • Dual PLCs to each other via DH+ network
  • PLC to (dumb) remote rack via remote I/O
  • SLC-500 to SLC-500 via DH-485
  • PLC to any remote device via connectorized cable

You can usually detect the failure of the link or the remote device by sending an alternating signal to the remote device and back, then looking at the return signal. If the return signal should stop alternating, either in the 0 or 1 state, either the link or the device which reflects the signal may be bad. When this occurs, your PLC can report a fault message, ignore the inputs from the remote device, disable the affected device or whatever other action is appropriate.

The watchdog signal returning from the remote (slave) device is inverted by the N/C -|/|- contact and sent back to the remote device. The remote device returns the unchanged signal immediately to be inverted again. This constant inversion causes the watchdog signal to oscillate between 0 and 1 at high speed, limited only by the scan rate of the PLC(s) and the response time of the link. The TON and TOF instructions detect if the oscillating signal ever stops in either the 1 or 0 states respectively. Choose the time-outs to reflect the worst case round trip speed of the link and scan times. The Done (DN) bits from the two timers are ANDed together to determine if the link and device are still running. The DOG_OK bit is not latched but may be latched for an alarm and acknowledgment. Either the unlatched or latched version can be used to qualify inputs from the remote device, disable the device, Emergency Stop the system or other appropriate action. If the unlatched bit is used the system will recover immediately when the link is restored; the latched version will require an operator acknowledgment.

The slave device merely has to return the watchdog signal. Note that the symbols in the Slave PLC may not match those in the Master. I’ve used the same symbols here to make the relationship clear. If the slave device is also a PLC, it can also use the TON and TOF instructions and the DOG_OK rung to check the link for its purposes. However, only the master should use the N/C contact to invert the watchdog signal.

The advantages to this system are:

  • As with any WatchDog circuit, it can detect both stuck-ON and stuck-OFF cases, so it doesn’t require periodic validation as a static loop-back does.
  • It requires almost nothing from the remote device to implement. In the simplest case, the remote device requires nothing more than a loop-back jumper at the connector. The cost to a PLC is merely an input and an output and the simplest of rungs. Even the most uncooperative vendor should be willing to loop the signal back.
  • It requires only the two timers to test the returning signal. The natural oscillator eliminates the need for another timer or two to generate the alternating signal. The scheme is actually simple enough to implement entirely in hardware where there is no PLC. (If timers are at a premium, a variant scheme using a dual edge detector would require only one timer, but this method is less obvious to an unfamiliar reader.)
  • Since the oscillation free-runs at a frequency limited by the scan time of the processor(s) and the bandwidth of the link, the test can also detect if the link degrades below the time-out set in TOF and TON. This can be very useful on remote I/O, DH-485, and DH+ links. Also as the signal alternates (by definition) as fast as possible, a break in the link can be detected faster than if a slower alternating signal were used.
  • Since the signal won’t oscillate unless there is a complete loop, the test can detect a break in the link in either direction. If your output dies, but not your input, you’ll still know. Some schemes have each PLC generate its own alternating signal to transmit to the other. This allows each to detect if the input from the other is intact, but fails to check if the output to the other is OK.
  • The signal is naturally synchronized to the update activity of the remote I/O or DH+ link. The signal may be used to blink a remote light as fast as possible, or at any divisor of the watchdog frequency without the erratic “beat” patterns that occur when using an unsynchronized timer to create the blinker bit.
  • With the addition of a counter and a timer, you can easily determine the update rate of the link in cycles per second. Simply count the number of cycles in one or more seconds. This figure can be very useful in debugging a possibly overloaded DH+ or DH-485 link, or a troublesome Remote I/O link.
  • If so desired, the same I/O line can be used for multiple devices, but this makes the failing device anonymous.

The disadvantages of this system are:

  • The test does not distinguish between failure of the input, output, outward link, inward link, or loop-back (indicating the remote PLC is running). Any of these failures are reported as the same fault – watchdog died.
  • If the output involves a relay, the relay will wear out more rapidly than if a slower alternating signal is used (which will also wear out eventually, so don’t use a relay.)
  • The time-out must be determined after evaluating the oscillation period, instead of just adding 10% to 50% to the known oscillation period of a timer-driven signal.

The single timer variation detects both the rising and falling edge of the watchdog signal by comparing it to the last output (prior to inverting the output again). As long as the signal continues to rise and fall more frequently than the time-out of the TOF, the TOF will receive a periodic pulse, keeping the Done bit of the TOF high and satisfying the OK bit. This test is unfortunately sensitive to the order of the rungs as the inversion and output of the watchdog signal must follow the edge detector rung. (The OK bit rung can come before or after the output rung, as long as it follows the edge detector.)
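Both the two-timer check and the single-timer variant, and the inverted-echo exchange specified for the Master and Subsystem in the Watchdog Timer section earlier, follow the same scan-level behaviour. This is an added Python simulation, not the cookbook's rungs: timers count scans, the link is assumed to carry each direction with a one-scan delay, the slave simply echoes, and the class and function names are mine. The master does the inverting here, as in the cookbook rungs; the specification puts the inversion at the Subsystem instead, and either way works as long as exactly one side inverts.

```python
# Added example: loop-back watchdog with an inverting master, a two-timer check
# (DOG_OK) and the single-timer edge-detector variant (DOG_OK1).  Scan-counting
# timers, one-scan link delay each way, my own names; not the cookbook's code.


class MasterPLC:
    def __init__(self, preset):
        self.preset = preset        # time-out, in scans, used for every timer
        self.dog_out = 0            # DOG_OUT output to the slave
        self.ton_acc = self.tof_acc = self.tof1_acc = 0

    def scan(self, dog_in):
        # TON on DOG_IN: DN once the input has sat at 1 for `preset` scans.
        self.ton_acc = min(self.ton_acc + 1, self.preset) if dog_in else 0
        ton_dn = self.ton_acc >= self.preset
        # TOF on DOG_IN: DN stays 1 until the input has sat at 0 for `preset` scans.
        self.tof_acc = 0 if dog_in else min(self.tof_acc + 1, self.preset)
        tof_dn = self.tof_acc < self.preset
        # DOG_OK rung: XIO TON.DN AND XIC TOF.DN  (stuck at neither 1 nor 0).
        dog_ok = int((not ton_dn) and tof_dn)

        # Single-timer variant.  Because DOG_OUT is the inverse of last scan's
        # DOG_IN, "DOG_IN equals the last DOG_OUT" means the input changed:
        # a rising or falling edge.  The edge retriggers one TOF.
        edge = dog_in == self.dog_out
        self.tof1_acc = 0 if edge else min(self.tof1_acc + 1, self.preset)
        dog_ok1 = int(self.tof1_acc < self.preset)

        # Inverting output rung.  It must follow the edge detector rung above.
        self.dog_out = int(not dog_in)
        return dog_ok, dog_ok1


def simulate(preset, scans, break_at=None):
    """Master plus echoing slave.  From scan `break_at` on, the master's input is
    frozen at its last value: a broken link in either direction, a dead slave,
    or a failed I/O point all look like this from the master's side."""
    master = MasterPLC(preset)
    master_in = master_out_prev = slave_out_prev = 0
    results = []
    for k in range(scans):
        if break_at is None or k < break_at:
            master_in = slave_out_prev      # slave's output arrives one scan late
        results.append(master.scan(master_in))
        slave_in = master_out_prev          # master's output arrives one scan late
        slave_out_prev = slave_in           # the slave merely returns the signal
        master_out_prev = master.dog_out
    return results


def longest_run(preset, scans):
    """Longest number of consecutive scans the master's input holds one value on a
    healthy link: the figure the time-outs must exceed."""
    master = MasterPLC(preset)
    master_in = master_out_prev = slave_out_prev = 0
    run = best = 0
    last = None
    for _ in range(scans):
        master_in = slave_out_prev
        run = run + 1 if master_in == last else 1
        best = max(best, run)
        last = master_in
        master.scan(master_in)
        slave_in = master_out_prev
        slave_out_prev = slave_in
        master_out_prev = master.dog_out
    return best
```

With a one-scan delay each way the round trip is four scans, so the input holds each value for two scans: a preset of 4 keeps both OK bits on indefinitely, a preset of 2 false-alarms on a perfectly healthy link, which is the "evaluate the oscillation period first" disadvantage listed above. Freezing the input at scan 8 drops both OK bits within `preset` scans; the watchdog cannot say which part of the loop failed, only that it died.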

Birket Engineering Cookbook

Choose the sense of the inputs, outputs, and internal bits so that:

  • 1 = On, active, enabled, good, OK, pass, start, continue, resume, running, etc.
  • 0 = Off, inactive, disabled, bad, faulted, fail, stop, don’t continue, don’t resume, idle, etc.

THINK and write in terms of what limited conditions should permit an action to continue, not what conditions should stop the action.

Consider the three mutually exclusive sets of conditions which can occur:

  1. Conditions which you think should allow the action to CONTINUE (START conditions of a latching action are a sub-set of this set.)
  2. Conditions which you think should force the action to STOP
  3. UNEXPECTED Conditions of which you didn’t think (A “failure” of the software.)

If you think and write in terms of the CONTINUE set, the STOP set and the UNEXPECTED set are lumped together. Unexpected conditions will cause the action to stop – Fail-Safe.

If you think and write in terms of the STOP set (including using 1=fault), unexpected conditions will allow the action to continue unexpectedly or even start unexpectedly – Fail-Unsafe.

You cannot always conceive of or predict the whole universe of conditions under which your system will operate. Murphy’s law shows no mercy.

Sticking to the Fail-Safe convention produces rungs which tend to be horizontal ANDs of N/O (normal) contacts. ANDs (XIC instructions) can be immediately read and understood and take little screen and paper to display.

Using the inverted sense produces ANDs of N/C (inverted) contacts and also vertical ladders of OR’ed conditions. Inverted (XIO) instructions take a bit more thought to interpret. ORs require additional instructions (and time) to construct the branches.
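The three-set argument can be run as code: write the same permissive once in the CONTINUE form and once in the STOP form, then feed both a condition the programmer foresaw and one he did not. This is an added Python illustration, not the cookbook's rungs; the input names and scenarios are constructed, and for brevity one dictionary carries both the fail-safe (1 = OK) and the fault-sense (1 = fault) sensor readings that two differently wired installations would each see:

```python
# Added example: the same permissive in both conventions, checked against
# foreseen and unforeseen conditions.  Constructed names and scenarios.

CONTINUE_TERMS = ("DOOR_CLOSED", "PRESSURE_OK", "ESTOP_RELEASED")   # 1 = permit
STOP_TERMS = ("DOOR_OPEN", "PRESSURE_LOW", "ESTOP_PRESSED")         # 1 = fault


def read(inputs, name):
    """A discrete input with nothing driving it (open wire, missing sensor,
    switch not made) reads 0 on the card."""
    return int(inputs.get(name, 0))


def run_continue_form(inputs):
    """Fail-Safe: RUN = DOOR_CLOSED AND PRESSURE_OK AND ESTOP_RELEASED.
    A horizontal AND of XIC contacts; anything not positively OK stops it."""
    return int(all(read(inputs, t) for t in CONTINUE_TERMS))


def run_stop_form(inputs):
    """Fail-Unsafe: RUN = NOT (DOOR_OPEN OR PRESSURE_LOW OR ESTOP_PRESSED).
    Only a fault the programmer listed can stop it."""
    return int(not any(read(inputs, t) for t in STOP_TERMS))


# Constructed plant conditions.  The first two are in the programmer's
# CONTINUE and STOP sets; the last two are in neither (UNEXPECTED).
SCENARIOS = {
    "normal": {"DOOR_CLOSED": 1, "PRESSURE_OK": 1, "ESTOP_RELEASED": 1},
    "door open": {"DOOR_OPEN": 1, "PRESSURE_OK": 1, "ESTOP_RELEASED": 1},
    "door ajar (neither door switch made)": {"PRESSURE_OK": 1, "ESTOP_RELEASED": 1},
    "estop switch wire broken": {"DOOR_CLOSED": 1, "PRESSURE_OK": 1},
}


def compare(scenarios=SCENARIOS):
    """(RUN in CONTINUE form, RUN in STOP form) for each scenario."""
    return {name: (run_continue_form(s), run_stop_form(s)) for name, s in scenarios.items()}


def fail_unsafe_cases(scenarios=SCENARIOS):
    """Scenarios where the STOP form keeps running but the CONTINUE form stops."""
    return sorted(n for n, (cont, stop) in compare(scenarios).items() if cont == 0 and stop == 1)
```

For the foreseen conditions the two forms agree. For the two unforeseen ones the CONTINUE form stops and the STOP form runs on, which is the whole case for the convention: the forms are logically identical only inside the set of conditions the programmer enumerated, and Murphy supplies the rest.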

The Fail-Safe Convention Applied to Latches

START/STOP Latch Form

Problems:

  • Sensitive to order of evaluation
  • Priority is not obvious to novice programmers
  • The output is not valid between the two rungs (if they are separated)
  • Is not cleared automatically by pre-scan when PLC starts – initial conditions are unpredictable
  • Invites unnecessary complexity, particularly adding CONTINUE conditions to START rung.
  • If STOP conditions are incomplete, will continue running (or even start) unexpectedly.

START/CONTINUE Seal Form

Advantages:

  • Unaffected by order of evaluation
  • Priority is obvious
  • The output is evaluated once and is thereafter valid
  • Is cleared automatically by pre-scan when PLC starts – initial condition is OFF
  • Complexity can be simplified between START and CONTINUE conditions
  • If CONTINUE conditions are incomplete, actions will only stop unexpectedly