Safety PLCs have become the dominant form of logic solver over the past 10 years through their ability to provide shared logic solver duties for many safety functions in one SIS. Safety PLCs are developed for their tasks through the provision of extensive diagnostic coverage, using internal testing signals that operate between scanning cycles of the application logic. The PLC detects its own faults and switches into a safe condition before the process has time to get into a dangerous condition. The software of a safety PLC is developed to have a range of error-detecting and monitoring measures to provide assurance at all times that the program modules are operating correctly. The application programs are developed with the aid of function block or ladder logic languages, where each function is tested for robustness and only limited configuration options are available.
One major objection to safety PLCs has been their cost, and this is a problem for small plant applications. This is gradually being addressed, and smaller, cheaper units are now available. IEC 61511 also makes provision for safety-configured industrial PLCs. In some plants, it's been common practice to use a standard, industrial-grade PLC for some trip system tasks. This is unlikely to be compliant with IEC 61511.
Standard PLCs initially appear to be attractive for safety system duties for many reasons, such as low cost, scalable product ranges, familiarity with products, ease of use, flexibility through programmable logic, availability of good programming tools and good communications. However, standard PLCs have significant limitations in safety applications:
• Not designed for safety applications;
• Limited failsafe characteristics;
• High risk of covert failures (undetected dangerous failure modes) through lack of diagnostics;
• Software reliability issues (also stability of versions);
• Flexibility without security;
• Unprotected communications;
• Limited redundancy.
The IEC standards require that programmable systems have information on the measures and techniques used in the design to prevent systematic faults from being introduced in hardware and software (including the PLC system software). These requirements are likely to exceed what standard industrial PLCs can demonstrate. Industrial PLCs aren't generally required to have high levels of protection against random hardware faults because they depend on basic reliability being sufficient for the industrial control user. The problem with a PLC in safety is that the hardware isn't exercised frequently, so failed output states or stuck program loops will not be revealed as easily as they are when a machine stops or a continuous control loop goes wrong.
The SIS designer has to provide adequate coverage for many types of possible dangerous failures, and this is what a manufacturer does when it builds a safety PLC. IEC 61511 provides for using a safety-configured PLC in SIL 1 and SIL 2 applications. However, there are stringent requirements, and the standard requires that we meet the conditions for prior use, just as we must with an instrument. Generally, these requirements are beyond the scope of the average PLC user, but it may be that conversion of some PLCs can be achieved at an economic advantage where a large population exists.
In the safety PLC, the entire logic solver stage from input to output is duplicated, and if one unit fails, its diagnostic contact will open the output channel and remove that unit from service. The SIS function then continues to be performed by the remaining channel while the faulty unit is being repaired. The notation “one out of two” (1oo2) applies because the system will still perform in the presence of one fault between two units. The parallel connection of the two units substantially improves the availability. Note that diagnostic performance is further improved by cross-linking between the CPU of one channel and the diagnostics of the second channel.
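As an added illustration (not from the original article or any vendor's product), the Python model below shows the 1oo2 arrangement just described degrading to the remaining channel once one unit's between-scan diagnostic finds a fault, and contrasts it with the covert stuck output of a standard PLC that has no diagnostics, the failure mode raised in the paragraphs on standard PLCs above. The `Channel` class, the output read-back pulse and the `vote_1ooN` function are assumptions of this toy model.

```python
"""Toy model (constructed for this example) of a 1oo2 safety-PLC logic solver
with output read-back tests between scans, next to a standard PLC channel."""
from dataclasses import dataclass

RUN, SAFE = True, False   # de-energize-to-trip: a False output means "tripped"


@dataclass
class Channel:
    name: str
    diagnostics: bool = True     # safety PLC: test pulses between scans
    stuck_output: bool = False   # dangerous hardware fault: driver frozen
    in_service: bool = True      # False once the diagnostic contact has opened
    _driver: bool = RUN          # the state the output circuit really carries

    def _drive(self, state: bool) -> bool:
        """Command the output driver and read back what it actually did."""
        if not self.stuck_output:
            self._driver = state
        return self._driver

    def scan(self, demand: bool) -> bool:
        commanded = SAFE if demand else RUN
        if self.diagnostics and self.in_service:
            # Internal test signal between scans: pulse the output to the
            # opposite state and read it back. A driver that does not follow
            # the pulse has failed, so open the diagnostic contact and take
            # this unit out of service before the process needs it.
            if self._drive(not commanded) != (not commanded):
                self.in_service = False
        return self._drive(commanded)


def vote_1ooN(channels, demand: bool) -> bool:
    """1ooN voting: any in-service channel calling for a trip trips the
    output. Two channels is the 1oo2 arrangement; a single channel with
    diagnostics=False stands in for a standard PLC used as a trip system."""
    outputs = [(ch, ch.scan(demand)) for ch in channels]
    healthy = [out for ch, out in outputs if ch.in_service]
    if not healthy:              # every unit faulted: fall back to the safe state
        return SAFE
    return SAFE if SAFE in healthy else RUN


if __name__ == "__main__":
    a, b = Channel("A", stuck_output=True), Channel("B")
    print(vote_1ooN([a, b], demand=False), a.in_service)  # True False: A removed, B runs
    print(vote_1ooN([a, b], demand=True))                 # False: B alone performs the trip
    s = Channel("S", diagnostics=False, stuck_output=True)
    print(vote_1ooN([s], demand=True))                    # True: covert failure on demand
```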
This PLC logic solver forms the brain of an SIS. It will provide the central point for the engineering of all functions required from the SIS, and all critical trip functions will be kept secure through the program protection features. It will require some investment in time and training for the plant technicians. It's important to proceed carefully with the selection of the logic solver product for a new project because this is going to be a long-life item. It may require a considerable amount of expense over the years to ensure that the product support and its software remain available to the plant. However, most users of safety PLCs seem to find that the integrity of the whole trip system is improved when compared with relay-based trip systems, by virtue of having all the logic functions in a controlled software format.
When selecting a logic solver, always look for the complete hardware and software package to be from the same manufacturer and always ensure that it's available with certification for at least the highest SIL that you intend to use in your applications. The certification should always be to IEC 61508, and it should cover the hardware, operating system, programming tools and safety manual supplied with the product.
The article was first published in controlglobal.