DESIGN OF A CONTROL SYSTEM FOR A PACKAGING MACHINE
This project forms part of my training as a Higher Technician, and it consists of an automation system that I designed as part of an assignment in electrical, hydraulic, and pneumatic systems. The objective was to integrate electrical and pneumatic systems to detect the position of boxes in a production line.
The sequential control system of the packaging process includes a safety mechanism capable of automatically stopping the installation upon detection of a fault or of a blockage in a section. For this purpose, each section of the conveyor belt is equipped with a pair of photoelectric sensors.
For example, Section 1 consists of a Sensor A at the entry point and a Sensor B at the end of the section. When a box passes Sensor A, a normally open TON timer relay (on-delay) is activated to measure the time it takes for the box to reach Sensor B. If the box arrives within the allowed time, the timer resets and the system continues normal operation. If the box does not arrive within the established time, that is, if the TON timer relay reaches its preset maximum time, it is assumed that an obstruction or fault has occurred and the Emergency Mode (Fault Mode) is activated.
Activation is carried out by changing the relay contact state from open to closed, thereby energizing a safety relay.
The emergency stop is performed at the electrical level, either automatically or via E-Stop, in all cases independent of the PLC. To achieve this, timer relays and safety relays are used which, upon detecting the fault condition, simultaneously command:
- The deactivation of the three-phase motors of the conveyor belt.
- The deactivation of the pneumatic solenoid valves that maintain pressure in the system’s pneumatic cylinders.
- The shutdown of the compressed air supply.
In all cases, the system enters a Total Stop condition, with the cylinders in a rest state without air, which results in the retraction of the heads or devices associated with the cylinder pistons (for example, the packaging machine blade), in accordance with UNE-EN ISO 4414:2010 (“pressure losses or pressure drops must not constitute a hazard to persons and should not cause damage to machinery”).
An auxiliary circuit of the safety relay sends a signal to the PLC indicating that the safety system has been activated. The PLC receives additional information through supplementary sensors: inductive magnetic sensors that measure the position of the pistons of the pneumatic cylinders and the encoder of the three-phase motor of the conveyor belt. With this information, the PLC can verify that all elements have stopped correctly and entered a safe rest state before considering the system to be in an emergency condition and activating the visual alarm signals (red LED).
System reset can only be performed by means of a manual pushbutton (RESET) upon operator command. The Machinery Directive 2006/42/EC establishes fundamental safety principles regarding the commissioning of automated equipment, one of the essential requirements being the Prevention of Unexpected Start-up, whose compliance is detailed in the standard UNE-EN ISO 14118 (Safety of machinery — Prevention of unexpected start-up).
This means that the reset or restart of a machine, especially after a safety stop or a fault, must always be carried out through a voluntary, intentional, and confirmed action by the operator, and must never be an automatic process. The objective is to ensure that the machine remains in a safe stopped state while personnel are within the danger zone, guaranteeing that the operator has full control over the moment the machine returns to operation.
The pneumatic system consists of multiple pressure relief valves, which open in the event of overpressure and release air to the atmosphere, maintaining the pressure level within safe values and within the limits for which the system has been designed in all its components, in accordance with UNE-EN ISO 4414:2010.
In summary, the safety system is implemented through hardwired electrical logic using safety relays, separated from the PLC logic. This guarantees an immediate and reliable stop of the conveyor belt and the pneumatic system in the event of any obstruction, while the PLC receives feedback from the cylinder positions and the motor encoder to manage alarms and safe reset. The start-up of the machinery is always performed through a voluntary, intentional, and confirmed action by the operator, in compliance with the Machinery Directive 2006/42/EC. The hardware/software separation ensures a fail-safe system and prevents software errors from compromising safety.
The conveyor belt has been divided into three sections. At the beginning and end of each section there are photoelectric sensors, which allow tracking the position of the boxes within the system. The sensors are as follows:
- Section 1: Sensors A/B and transit time T1.
- Section 2: Sensors C/D and transit time T2.
- Section 3: Sensors E/F and transit time T3.
Section 1 is fundamentally a safety and flow verification zone, whose sole purpose is to ensure that the boxes on the conveyor belt move at the expected and stable speed. By using a timer that measures the time it takes for a box to travel from Sensor A to Sensor B, the system continuously verifies that no faults related to belt speed, jams, or friction are present that could compromise the safety of the process or the integrity of the sensitive machinery located in the downstream sections.
When the system is started and energized, the three-phase motor that drives the conveyor belt is powered, and the safety pneumatic cylinder is actuated by the insertion of pressurized air, which lowers the safety barrier and moves boxes toward the machinery. This corresponds to the event “System Initialized”, which triggers the transition to the state “Waiting for Box in Section 1”.
When a box enters Section 1, it is detected by Sensor A (event “Box detected by Sensor A”) and a timer relay starts a timer, which will reset when the box reaches Sensor B, at the end of the section.
For the transition to the next state, the system checks whether the box has triggered Sensor B before the time limit (event “Does Sensor B detect the box before T1?”, with “T1” being the time limit for Section 1). Depending on whether the answer is YES or NO, the system will enter one state or another.
When the timer exceeds this limit (box does not reach Sensor B on time), safety relays activate Fault Mode, cutting power to the three-phase motor (via a contactor) and stopping the air supply to the pneumatic cylinders, causing the conveyor and machinery to stop and return to a safe rest state; the safety barrier rises by the action of the mechanical spring in the safety cylinder.
The inductive magnetic sensors on the cylinders inform the PLC that the cylinders are in the rest position (without air), and the encoders indicate that the three-phase motor has stopped. In addition, the safety relays have auxiliary circuits connected to PLC inputs, which inform the controller that the emergency system has been activated, thereby triggering the transition to the “Fault Mode” state in the PLC. In this state, the controller activates visual and audible indicators to notify operators of faults in the corresponding section and waits for the operator to press the RESET button.
It is important to note that signaling to the operators and entry into the logical state “Fault Mode” only occurs when the controller has verified that:
- The three-phase motor of the conveyor has stopped correctly: verified via the encoder.
- The safety barrier has risen: verified via the inductive magnetic sensors on the safety pneumatic cylinder.
- All box alignment and packaging machinery has stopped and returned to a rest state without air.
This ensures that the operator can inspect any incidents with the minimum risk to their safety.
When the operator presses the RESET button and removes any obstructed, defective, or broken boxes (event “Operator removes box and presses RESET”), the system transitions to a “Verification” state, in which the controller checks that the system is ready to resume operation. Verification involves confirming that:
- The three-phase motor of the conveyor has started and reached the desired speed in a stable manner.
- The safety barrier has been lowered by the action of the safety pneumatic cylinder.
- All sensors are functioning nominally.
- The box alignment and packaging machinery are active and operating correctly.
If it is determined that all systems are ready to operate (“Are reset conditions met?”), the system transitions back to the state “Waiting for Box in Section 1”, returning to its normal operational cycle. If the system fails the safety verifications and the reset conditions are not met, the system remains locked in a Total Stop and returns to the “Fault Mode” state.
Once back in Fault Mode, any new restart attempt requires the operators to press the RESET button again, so that, in compliance with the Machinery Directive 2006/42/EC, the system can only restart when an operator issues a voluntary and intentional command. Otherwise, if the system remained in the verification state and periodically checked whether the reset conditions were met, it could start unexpectedly while an operator is working on the installation to resolve incidents.
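The supervisory logic described above, from “Box detected by Sensor A” through Fault Mode, Verification and the RESET requirement, as an added example in Python (this is not the project’s own ladder or Structured Text program). The hardwired TON timer relay and safety relay chain is stood in for by a separate TimerRelay class that the PLC class never commands; the PLC only reads the relay’s auxiliary contact, as on the page. Sensor names, the limits T1..T3, the VERIFY_SCANS window and the scenario timestamps are assumed values.

```python
"""PLC-side supervisor for the single-box line, as an added example.

This is not the project's own ladder/ST program. The hardwired TON timer
relay + safety relay chain is stood in for by `TimerRelay`; the `PLC` class
never trips it and only reads its auxiliary contact, as the page describes.
Section sensor names, the limits T1..T3 and VERIFY_SCANS are assumed values.
"""
from dataclasses import dataclass, field

SECTIONS = [("A", "B", 2.0), ("C", "D", 3.0), ("E", "F", 2.5)]  # (entry, exit, limit s)
VERIFY_SCANS = 20  # bounded verification window so VERIFY cannot poll indefinitely


class TimerRelay:
    """Stand-in for the hardwired TON + safety relay; no PLC code touches it."""
    def __init__(self):
        self.t0, self.preset, self.tripped = None, None, False
    def entry(self, now, preset):      # box passes the entry sensor: coil energised
        self.t0, self.preset = now, preset
    def exit(self):                    # box reached the exit sensor in time: reset
        self.t0 = None
    def poll(self, now, estop=False):  # evaluated continuously by the hardware
        if estop or (self.t0 is not None and now - self.t0 >= self.preset):
            self.tripped, self.t0 = True, None   # latches: contactor + valves drop
        return self.tripped                       # also feeds the PLC aux input
    def manual_reset(self):            # only from the RESET pushbutton
        self.tripped = False


@dataclass
class Inputs:
    sensors: dict = field(default_factory=dict)  # photoelectric A..F, True = box seen
    safety_aux: bool = False      # safety relay auxiliary contact (True = tripped)
    motor_stopped: bool = False   # from the motor encoder
    barrier_raised: bool = False  # magnetic sensors on the safety cylinder
    machinery_at_rest: bool = False
    reset_button: bool = False
    motor_at_speed: bool = False  # verification inputs after RESET
    barrier_lowered: bool = False
    sensors_ok: bool = False
    machinery_ok: bool = False


class PLC:
    def __init__(self):
        self.state, self.section = "WAITING_BOX", 0
        self.fault_section, self.red_led = None, False
        self._reset_prev, self._verify_left = False, 0

    def step(self, i: Inputs) -> str:
        # Rising edge only: a held-down or tied RESET cannot re-arm the line.
        reset_edge = i.reset_button and not self._reset_prev
        self._reset_prev = i.reset_button
        entry, exit_, _ = SECTIONS[self.section]
        if i.safety_aux and self.state in ("WAITING_BOX", "TRANSIT"):
            self.fault_section = self.section + 1  # section to report to operators
            self.state = "STOPPING"
        if self.state == "WAITING_BOX":
            if i.sensors.get(entry):
                self.state = "TRANSIT"
        elif self.state == "TRANSIT":
            if i.sensors.get(exit_):
                self.section = (self.section + 1) % len(SECTIONS)
                self.state = "WAITING_BOX"
        elif self.state == "STOPPING":
            # Fault Mode is signalled only once every element is confirmed at rest.
            if i.motor_stopped and i.barrier_raised and i.machinery_at_rest:
                self.state, self.red_led = "FAULT", True
        elif self.state == "FAULT":
            if reset_edge:
                self.state, self._verify_left = "VERIFY", VERIFY_SCANS
        elif self.state == "VERIFY":
            if i.motor_at_speed and i.barrier_lowered and i.sensors_ok and i.machinery_ok:
                self.state, self.section = "WAITING_BOX", 0
                self.red_led, self.fault_section = False, None
            else:
                self._verify_left -= 1
                if self._verify_left <= 0:
                    self.state = "FAULT"  # lock again; a fresh RESET press is needed
        return self.state


def simulate_jam():
    """Box enters Section 1 at t=0 and never reaches B; returns (trace, plc)."""
    relay, plc, trace = TimerRelay(), PLC(), []
    relay.entry(0.0, SECTIONS[0][2])              # sensor A wired to the relay coil
    trace.append(plc.step(Inputs(sensors={"A": True})))
    for t in (1.0, 2.0, 2.5):                     # hardware trips at t = T1 = 2.0
        trace.append(plc.step(Inputs(safety_aux=relay.poll(t))))
    trace.append(plc.step(Inputs(safety_aux=True, motor_stopped=True,
                                 barrier_raised=True, machinery_at_rest=True)))
    relay.manual_reset()                          # operator presses RESET ...
    trace.append(plc.step(Inputs(reset_button=True)))
    for _ in range(VERIFY_SCANS):                 # ... but nothing comes back up
        plc.step(Inputs(reset_button=True))
    trace.append(plc.state)
    return trace, plc
```

Two design points carry the safety argument: the PLC can only ever move to STOPPING because the relay’s auxiliary contact says so, never because its own timer expired, and RESET is consumed on its rising edge, so a held or tied-down button cannot turn the bounded Verification window into a periodic auto-restart.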
If the box reaches Sensor B without issues and within the time limit, the first timer resets, and the system waits to detect whether the box enters Section 2 (state “Waiting for box in Section 2”), which is determined by Sensor C located at the beginning of Section 2, next to Sensor B.
A single sensor could be shared between adjacent sections, for example using Sensor B as both the end of Section 1 and the start of Section 2. However, in that case a failure of this sensor, such as a broken cable, would cause the system to detect faults in both Section 1 and Section 2, making error detection more difficult and increasing the frequency of stops due to malfunctions.
On the other hand, using two adjacent sensors of the same type (Sensor B and C) increases cost and maintenance, but provides a redundancy system that ensures more robust safety. If Sensor B fails, Sensor C can take over as the end of Section 1 and the start of Section 2 (the PLC detects that Sensor C was activated before B, indicating a fault in B. In that case, the PLC compares the arrival time at Sensor A with the arrival time at Sensor C to determine the transit time in Section 1).
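The B/C cross-check described above, as an added example in Python (not the project’s own code). It implements the page’s rule that C firing before B marks B as suspect and makes C the end of Section 1, and, as an extension beyond the page, the mirror case where B fires but C never follows within an adjacency tolerance, which marks C as suspect. T1, the ADJ tolerance and the event timestamps are constructed values.

```python
"""Redundant end-of-section sensing with adjacent sensors B and C.

Added example, not the project's code. Events are (time_s, sensor) rising
edges seen by the PLC for one box; T1 and ADJ are assumed values.
"""
T1 = 2.0    # Section 1 transit limit (assumed)
ADJ = 0.2   # max gap between B and C edges for a healthy adjacent pair (assumed)


def section1_transit(events):
    """Return (transit_time, suspect_sensor) for one box in Section 1.

    B is the primary end-of-section sensor. If C fires with no earlier B edge,
    B is suspected (broken cable, stuck open) and C takes over, as on the page.
    Extension: if B fires but C never follows within ADJ, C is suspected.
    Raises RuntimeError when no exit edge arrives (the hardwired timer relay
    would already have tripped) or when the transit exceeds T1.
    """
    t_a = next(t for t, s in events if s == "A")
    t_b = next((t for t, s in events if s == "B" and t >= t_a), None)
    t_c = next((t for t, s in events if s == "C" and t >= t_a), None)
    if t_b is None and t_c is None:
        raise RuntimeError("no exit edge: jam in Section 1, hardware trips at T1")
    if t_b is None or (t_c is not None and t_c < t_b):
        end, suspect = t_c, "B"          # C seen before (or instead of) B
    elif t_c is None or t_c - t_b > ADJ:
        end, suspect = t_b, "C"          # B seen but C did not follow it
    else:
        end, suspect = t_b, None         # healthy pair, B ends the section
    transit = end - t_a
    if transit > T1:
        raise RuntimeError(f"transit {transit:.2f}s exceeds T1={T1}s")
    return transit, suspect
```

The suspect sensor is reported rather than acted on: the stop itself remains the job of the hardwired timer relay, and the PLC uses the cross-check only to keep timing the section correctly and to tell maintenance which sensor to look at.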
Once the box reaches Section 2 and is detected by Sensor C, the system enters the state “Box Alignment Check”, where it checks whether the box is properly aligned and positioned on the conveyor belt. Boxes must be as aligned as possible so that the packaging machinery can operate correctly.
For this purpose, two limit switches can be used, each positioned at one lateral end of the conveyor. If a box is misaligned or rotated, it triggers one of the limit switches, which activates two pneumatic cylinders that gently push the box from both sides to align it parallel to the belt, without causing dents, by incorporating rubber or other flexible materials at the ends of the alignment actuators. This corresponds to symmetrical lateral push alignment, and the system enters the “Pneumatic Correction” state for alignment.
Additionally, machine vision systems can be incorporated using open-source libraries such as OpenCV to obtain more precise information about the box alignment.
It is important to note that during the alignment process, timer relays count the time the box remains in the alignment section, so that if the box does not reach Sensor D on time (the end-of-Section 2 sensor), a blockage or system fault is assumed, and Fault Mode is activated, just as in Section 1. The time limit in Section 2 may differ from the maximum times in Sections 1 and 3, corresponding to the variable T2.
Once the boxes are aligned, they are transferred to Section 3, the packaging section, where the same timer system is used to detect blockages and faults. In this section, the packaging machine receives the boxes and packages them. If the machine fails and boxes become stuck, the timer-based safety system will detect this when the time exceeds the limit T3, triggering Fault Mode.
Finally, if there are no incidents in this section, the boxes reach the end of the conveyor belt and are transferred to the collection area. With the process successfully completed, the controller returns to the initial state, transitioning back to “Waiting for Box in Section 1” to receive the next box.
The system has been designed as a single-box sequential process, in accordance with the sequential approach of the assignment. In real high-production facilities, an independent state machine could be implemented for each section, allowing the simultaneous processing of multiple boxes; however, this solution is beyond the scope of this work.
References
- BOE (Boletín Oficial del Estado). Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast). Official Journal of the European Union, No. 157, 9 June 2006, pp. 24 to 86.
- Asociación Española de Normalización (UNE). (2018). UNE-EN ISO 14118: Safety of machinery. Prevention of unexpected start-up.
- Asociación Española de Normalización (UNE). (2010). UNE-EN ISO 4414: Pneumatic fluid power. General rules and safety requirements for systems and their components.