A safety programmable logic controller (PLC) is designed for special-purpose machines and equipment used in critical control and safety applications. Such controllers are usually part of a safety instrumented system (SIS), which is used to detect potentially dangerous conditions in industrial processes. If a danger is detected, the SIS application automatically switches the process to a safe state. This raises a series of questions for users: conventional PLCs have been used successfully for many years, so what is the difference between them and a safety PLC? Why can a conventional PLC not be used for critical control and safety applications?
A safety PLC uses a special design to achieve two important goals:
1. The system does not fail (it is redundant), even though component failures are inevitable;
2. Failures occur in a predictable way, and once a failure has occurred the system enters a safe state.
When designing a safety PLC, a number of factors must be taken into account and many special design measures are required. For example: a safety PLC places more emphasis on internal diagnostics, combining hardware and software so that the device can detect at any time that its own operating state is no longer fit for use; the software of a safety PLC uses a series of special techniques to ensure its reliability; a safety PLC has redundancy, so that the system keeps running even when part of it fails; and a safety PLC also has additional protection mechanisms, so that its internal data cannot be read and written at will over the digital communication interface.
Safety PLCs differ from conventional PLCs in another way: a safety PLC requires safety certification by independent third-party bodies against demanding international standards for safety and reliability. The design and testing of the safety PLC must be thorough and systematic. Experts from TÜV in Germany and FM in the United States provide independent third-party verification and validation of the safety PLC's design and testing process.
Special electronic circuits, careful analysis of the diagnostic software, and testing of the integrity of the design against all possible failures ensure that a safety PLC detects more than 99% of the potentially dangerous failures of its internal components. A failure modes, effects and diagnostic analysis (FMEDA) guides the design: it shows how each component can cause the system to fail and how the system should detect that failure. TÜV engineers personally carry out the failure tests as part of their certification process.
Strict international standards apply to the application software in a safety PLC. These standards require special techniques to avoid complexity, further analysis and testing, and meticulous examination of the interaction between operating-system tasks. This testing includes real-time interactions such as multitasking (where used) and interrupts. Special diagnostics are also required, referred to as "program flow control" and "data verification". Flow control ensures that the basic functions of the program are executed in the correct order; data verification ensures that all critical data in memory is stored redundantly and tested for validity before use. During software development, a safety PLC requires additional software testing techniques. To verify the data integrity checks, a series of "software fault injection" tests must be performed, in which the program is deliberately damaged to check whether the PLC responds by running in a safe way, as expected. The software design and testing are documented in detail so that third-party inspectors can understand how the PLC works. Most software development does not follow such standardized procedures, which also explains why so much software contains so many bugs that are never found.
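The three techniques just named, program flow control, data verification and software fault injection, are easier to see in a small software model. The Python below is an added example written for this page; it is not code from the article or from any PLC vendor. The step names, the signature constants, the complement-storage scheme and the pressure interlock are hypothetical illustrations of the techniques, not the implementation of a certified product.

```python
"""Added example (not from the original article): a software model of
'program flow control', 'data verification' and 'software fault injection'.
Step names, signature constants and the storage scheme are hypothetical."""

SAFE_STATE = "SAFE"
RUN_STATE = "RUN"

# --- program flow control ---------------------------------------------------
# Every basic step of a scan updates a running signature with a per-step
# constant in an order-sensitive way. At the end of the scan the signature
# must equal the value precomputed for the correct step order; a skipped,
# repeated or reordered step yields a different signature.
STEPS = ("read_inputs", "check_data", "solve_logic", "write_outputs")
STEP_TAGS = {name: (i + 1) * 0x9E37 for i, name in enumerate(STEPS)}

def advance(signature: int, step: str) -> int:
    return (signature * 31 + STEP_TAGS[step]) & 0xFFFF

def expected_signature() -> int:
    sig = 0
    for step in STEPS:
        sig = advance(sig, step)
    return sig

# --- data verification --------------------------------------------------------
# A critical variable is stored twice: the value and its bitwise complement.
# load() refuses to hand out a value whose two copies no longer agree, so a
# single corrupted copy is caught before it is used.
class CriticalVar:
    def __init__(self, value: int):
        self.store(value)

    def store(self, value: int) -> None:
        self.value = value & 0xFFFF
        self.inverse = (~value) & 0xFFFF

    def load(self) -> int:
        if (self.value ^ self.inverse) != 0xFFFF:
            raise ValueError("critical data corrupted")
        return self.value

# --- one scan cycle -------------------------------------------------------------
def run_scan(trip_setpoint: CriticalVar, pressure: int, step_order=STEPS):
    """Return (state, output). Output 1 permits the process, 0 trips it.
    step_order defaults to the correct order; a fault injection test can pass
    a wrong order to emulate a damaged program."""
    sig, output, setpoint = 0, 0, None
    try:
        for step in step_order:
            sig = advance(sig, step)
            if step == "check_data":
                setpoint = trip_setpoint.load()      # verified before use
            elif step == "solve_logic" and setpoint is not None:
                output = 1 if pressure < setpoint else 0
        if sig != expected_signature():
            raise RuntimeError("program flow violation")
    except (ValueError, RuntimeError):
        return SAFE_STATE, 0                          # de-energize: safe
    return RUN_STATE, output

# --- software fault injection ---------------------------------------------------
def fault_injection_tests() -> dict:
    """Deliberately damage data and program flow and record the response."""
    sp = CriticalVar(800)
    results = {
        "normal_permit": run_scan(sp, 500),
        "normal_trip": run_scan(sp, 900),
    }
    corrupt = CriticalVar(800)
    corrupt.value ^= 0x0100                          # single bit flip in RAM
    results["corrupt_data"] = run_scan(corrupt, 500)
    swapped = ("read_inputs", "solve_logic", "check_data", "write_outputs")
    results["flow_violation"] = run_scan(sp, 500, swapped)
    skipped = ("read_inputs", "solve_logic", "write_outputs")
    results["skipped_step"] = run_scan(sp, 500, skipped)
    return results

if __name__ == "__main__":
    for name, outcome in fault_injection_tests().items():
        print(f"{name:16s} -> {outcome}")
```

Each injected fault (a flipped bit in the stored setpoint, logic solved before the data check, a skipped step) drives the scan to the safe, de-energized output rather than to a plausible but unverified result; that is the behaviour the fault injection campaign is meant to demonstrate to the certifier.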
2. Example
Below, a safety PLC from Schneider Electric is used to describe more concretely the differences between a safety PLC and a conventional PLC.
2.1 Differences between the CPU of a safety PLC and that of a conventional PLC
A conventional PLC has one or more CPUs, whose role is to execute the I/O scan, the user program and the system diagnostics. The user program is usually executed only once per scan; where there are several CPUs, their function is to share or cooperate on the execution of program logic, arithmetic, communication and similar functions.
A safety PLC has at least two CPUs, and their function is different: each executes the user program once, and then the two results are compared. If the results agree, the result is output; if they disagree, the safe result is selected. This is the biggest difference between a safety PLC and a conventional PLC: redundancy plus comparison.
2.2 Internal CPU structure of the safety PLC
A safety PLC has two processors, each with its own memory area, each executing its own copy of the safety logic, and at the end of each cycle they compare each other's results. Each processor also has its own independent shutdown channel: if the comparison fails or a component fails, either processor can shut the system down and switch it to a safe state. This dual structure is known as a one-out-of-two (1oo2) structure.
The following figure shows the internal structure of the safety PLC:
A safety PLC usually has two processors, each with its own separately compiled and separately executed code. These differences give the following failure-detection benefits:
The two executables are generated independently, so when the compiler generates differing code the system detects the failure easily.
The two generated codes are executed by different processors, so a random failure while a CPU executes its code is detected by the system.
The two processors have separate memory areas, so the CPU is able to detect random RAM failures, and all RAM is checked in each scan cycle with nothing left out.
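The dual-processor arrangement of 2.1 and 2.2 can be modelled in a few dozen lines. The Python below is an added example for this page, not code from the article or from Schneider Electric; the interlock (guard closed, emergency stop released, pressure below its limit), the channel names and the fault-injection hook are hypothetical. It gives each channel a private memory image and an independently written copy of the logic, compares the two results at the end of the scan, and lets either channel force the safe state through its own shutdown path.

```python
"""Added example (not from the original article): a model of the 1oo2
dual-processor structure. Channels keep private memory, run separately
written logic, compare results each scan, and either can shut down."""

SAFE_OUTPUT = 0   # de-energized output is the safe state in this model

class Channel:
    """One processor with its own RAM image, logic and shutdown path."""
    def __init__(self, name: str, logic):
        self.name = name
        self.logic = logic
        self.memory = {}
        self.shutdown = False

    def read_inputs(self, inputs: dict) -> None:
        self.memory = dict(inputs)          # private copy, not shared

    def solve(self) -> int:
        return self.logic(self.memory)

    def trip(self) -> None:
        self.shutdown = True                # independent shutdown channel

# Two separately written implementations of the same interlock: run is
# permitted only if the guard is closed, the emergency stop is released and
# the pressure is below its limit. A writes the permit condition, B writes
# the trip condition, so a coding or compiler fault in one is unlikely to be
# mirrored in the other.
def logic_a(m: dict) -> int:
    return 1 if (m["guard_closed"] and not m["estop"]
                 and m["pressure"] < m["limit"]) else 0

def logic_b(m: dict) -> int:
    trip = (not m["guard_closed"]) or m["estop"] or (m["pressure"] >= m["limit"])
    return 0 if trip else 1

class SafetyCpu:
    def __init__(self):
        self.a = Channel("A", logic_a)
        self.b = Channel("B", logic_b)
        self.last_mismatch = None

    def scan(self, inputs: dict, ram_fault=None) -> int:
        """One scan. ram_fault=(channel, key, xor_mask) emulates a random
        bit error in that channel's private memory after the input read."""
        for ch in (self.a, self.b):
            ch.read_inputs(inputs)
        if ram_fault:
            name, key, mask = ram_fault
            victim = self.a if name == "A" else self.b
            victim.memory[key] ^= mask
        ra, rb = self.a.solve(), self.b.solve()
        if ra != rb:
            # Disagreement: both channels drive their shutdown path and the
            # safe (de-energized) output is selected.
            self.last_mismatch = (ra, rb)
            self.a.trip()
            self.b.trip()
            return SAFE_OUTPUT
        return ra

    def healthy(self) -> bool:
        return not (self.a.shutdown or self.b.shutdown)

def demo() -> dict:
    """Constructed inputs: a normal scan, a genuine trip, then a RAM fault
    in channel A only, which channel B's private memory does not share."""
    inputs = {"guard_closed": 1, "estop": 0, "pressure": 300, "limit": 500}
    cpu = SafetyCpu()
    out = {"permit": cpu.scan(inputs)}
    out["estop_trip"] = cpu.scan({**inputs, "estop": 1})
    out["healthy_after_trip"] = cpu.healthy()
    out["ram_fault"] = cpu.scan(inputs, ram_fault=("A", "pressure", 0x200))
    out["healthy_after_fault"] = cpu.healthy()
    return out

if __name__ == "__main__":
    print(demo())
```

A genuine trip (emergency stop pressed) is not a fault: both channels compute 0 and agree, so the CPU stays healthy. The flipped bit in channel A's copy of the pressure value is only visible to A, so the two results differ and the comparison, not the logic, is what takes the output to the safe state.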
This brings us to the second biggest difference between a safety PLC and a conventional PLC: step-by-step diagnostics and testing at all times. This is done either by a processor checking its own information, referred to as self-test, or by the processors checking each other's information, referred to as cross-checking. More is said about testing below.
2.3 CPU diagnostics in the safety PLC
Clock monitoring: the processor circuit contains two different oscillators which cross-check each other's behavior; each processor uses one clock to check whether the other is running. If one processor detects that the other has not run for a certain period, the CPU enters a safe state. The firmware checks the accuracy of the two oscillators every second.
Watchdog timer: a hardware and firmware watchdog timer checks the PLC's activity and the execution time of the user logic. This is the same as in conventional PLC systems.
Sequence checking: the CPU monitors the order in which the different parts of the operating system are executed.
Memory check: all static memory areas, including Flash memory and RAM, are checked using a cyclic redundancy code (CRC) and a double-code implementation. Dynamic memory areas are protected by the double code and tested periodically. On a cold start, these tests are reinitialized.
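Three of the diagnostics above (clock cross-check, watchdog timer and the CRC memory check) can be modelled directly. The Python below is an added example for this page, not code from the article or from any vendor's firmware; the tolerance band, the watchdog timeout, the region layout and the function names are hypothetical. The double-code check of dynamic memory is not modelled here.

```python
"""Added example (not from the original article): software models of three
CPU diagnostics from 2.3: clock cross-check, watchdog timer and CRC memory
check. Tolerances, timeouts and the memory layout are hypothetical."""
import zlib

# --- clock monitoring ----------------------------------------------------------
# Each processor counts the other oscillator's ticks over one of its own
# reference intervals. A stopped or badly drifting oscillator shows up as a
# count outside the tolerance band on one side or the other.
NOMINAL_TICKS = 10_000
TOLERANCE = 0.01            # +/- 1 % of nominal

def clock_check(ticks_seen_by_a: int, ticks_seen_by_b: int) -> bool:
    low = NOMINAL_TICKS * (1 - TOLERANCE)
    high = NOMINAL_TICKS * (1 + TOLERANCE)
    return all(low <= t <= high for t in (ticks_seen_by_a, ticks_seen_by_b))

# --- watchdog timer --------------------------------------------------------------
class Watchdog:
    """Must be kicked once per completed scan before timeout_ms elapses."""
    def __init__(self, timeout_ms: float):
        self.timeout_ms = timeout_ms
        self.elapsed_ms = 0.0
        self.expired = False

    def kick(self) -> None:
        self.elapsed_ms = 0.0

    def tick(self, ms: float) -> bool:
        """Advance the hardware timer; False once the scan has overrun."""
        self.elapsed_ms += ms
        if self.elapsed_ms > self.timeout_ms:
            self.expired = True
        return not self.expired

# --- memory check -----------------------------------------------------------------
class StaticMemory:
    """Static regions (firmware, constants) with a CRC reference taken at
    cold start; check() recomputes and reports any region that changed."""
    def __init__(self, regions: dict):
        self.regions = {k: bytearray(v) for k, v in regions.items()}
        self.reference = {k: zlib.crc32(v) for k, v in self.regions.items()}

    def check(self) -> list:
        return [k for k, v in self.regions.items()
                if zlib.crc32(v) != self.reference[k]]

def cpu_state(clock_ok: bool, watchdog_ok: bool, bad_regions: list) -> str:
    return "RUN" if clock_ok and watchdog_ok and not bad_regions else "SAFE"

def demo() -> dict:
    """Constructed scenarios: all good, a stopped oscillator, a scan overrun,
    and a single bit flipped in a constant table."""
    mem = StaticMemory({"firmware": b"\x10\x20\x30\x40" * 4,
                        "constants": bytes(range(16))})
    wd = Watchdog(timeout_ms=50)
    wd_ok = wd.tick(30)          # first scan finishes within the timeout
    wd.kick()
    wd_ok = wd_ok and wd.tick(30)
    out = {"all_good": cpu_state(clock_check(10_000, 10_050), wd_ok, mem.check())}
    out["osc_b_stopped"] = cpu_state(clock_check(10_000, 0), wd_ok, mem.check())
    overrun = Watchdog(timeout_ms=50)
    out["scan_overrun"] = cpu_state(True, overrun.tick(60), mem.check())
    mem.regions["constants"][5] ^= 0x04          # random bit error in RAM
    out["bit_flip"] = (mem.check(), cpu_state(True, True, mem.check()))
    return out

if __name__ == "__main__":
    print(demo())
```

The point of taking the CRC reference at cold start and recomputing it every cycle is that a corrupted constant table is caught before the logic that depends on it runs; the watchdog and clock checks catch the cases where the logic never runs at all or runs on a dead clock.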
From the above it can be seen that a safety PLC performs far more diagnostics and tests than a conventional PLC, so its hardware and software design is correspondingly more complex, and the scope of detection and diagnosis is broader and more detailed.
2.4 Overview of safety PLC I/O diagnostics
Above we gave a brief analysis of the safety PLC's CPU; below we look at the safety input/output modules.
All safety I/O modules perform both of the following kinds of diagnostics:
additional system-level diagnostics, including RAM and ROM tests, and
field-level diagnostics, which depend on the module type.
The following table lists the field diagnostics of the safety I/O modules:
In addition, the communication between the safety CPU and the I/O is diagnosed, for example with a CRC checksum. This checks not only that the data received equals the data sent, but also that the data has not been altered in transit. To cope with disturbances such as EMC, which can momentarily corrupt data, a consecutive-CRC-error diagnostic with a suitably large threshold is configured for each module, so that a single corrupted frame does not fault the module while a persistent error does.
Power-on diagnostics: at power-on, the I/O module performs an extended self-test; if an error occurs, the module is considered unhealthy and all inputs and outputs are set to 0.
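The CPU-to-I/O link check and the "unhealthy module forces everything to 0" rule can be combined in one model. The Python below is an added example for this page, not code from the article or from any vendor's I/O firmware; the frame layout, the field names, the error threshold, and the choice to hold the last good values on a single bad frame and to latch the unhealthy state are all hypothetical.

```python
"""Added example (not from the original article): a model of the CPU-to-I/O
link diagnostic. Each frame carries a CRC; CRC errors are counted, any good
frame clears the count, and the module is declared unhealthy only after a
configured number of consecutive errors. An unhealthy module forces all its
values to 0. Frame layout, field names and threshold are hypothetical."""
import struct
import zlib

def build_frame(seq: int, values: list) -> bytes:
    """seq (2 bytes) | count (1 byte) | values | CRC-32 over all bytes before it."""
    body = struct.pack(">HB", seq & 0xFFFF, len(values)) + bytes(values)
    return body + struct.pack(">I", zlib.crc32(body))

def parse_frame(frame: bytes):
    """Return (seq, values), or None if the frame is malformed or its CRC fails."""
    if len(frame) < 7:
        return None
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, count = struct.unpack(">HB", body[:3])
    if len(body) != 3 + count:
        return None
    return seq, list(body[3:])

class SafeIoModule:
    def __init__(self, channels: int, max_consecutive_crc_errors: int):
        self.channels = channels
        self.limit = max_consecutive_crc_errors
        self.consecutive_errors = 0
        self.healthy = True
        self.values = [0] * channels

    def receive(self, frame: bytes) -> list:
        """Process one frame from the CPU and return the values the module
        will act on. A transient bad frame holds the last good values (an
        assumption of this model); persistent errors fault the module."""
        parsed = parse_frame(frame)
        if parsed is None:
            self.consecutive_errors += 1
            if self.consecutive_errors >= self.limit:
                self.healthy = False      # latched until power cycle (assumption)
        else:
            self.consecutive_errors = 0
            if self.healthy:
                self.values = parsed[1][: self.channels]
        if not self.healthy:
            self.values = [0] * self.channels   # unhealthy: everything to 0
        return list(self.values)

def demo() -> list:
    """Constructed traffic: a good frame, one EMC-style hit, recovery, then a
    persistent fault that trips the module, then a good frame that no longer
    revives it."""
    module = SafeIoModule(channels=4, max_consecutive_crc_errors=3)
    good = build_frame(1, [1, 0, 1, 1])
    hit = bytearray(good)
    hit[3] ^= 0x01                          # one flipped data bit in transit
    hit = bytes(hit)
    log = [module.receive(good), module.receive(hit),
           module.receive(build_frame(2, [1, 0, 1, 1]))]
    log += [module.receive(hit) for _ in range(3)]
    log.append(module.receive(build_frame(3, [1, 1, 1, 1])))
    return log

if __name__ == "__main__":
    for i, values in enumerate(demo()):
        print(i, values)
```

A plain equality check of sent and received bytes would require the sender's copy; the CRC lets the receiving module detect alteration on its own, and the consecutive-error counter turns a stream of isolated hits into a module fault only when the disturbance persists.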
Run-time diagnostics: while the system is running, the I/O modules perform self-tests. Input modules verify that data can be read from the sensor over its entire range; output modules perform pulse tests on their switches, with pulses shorter than 1 ms. For digital input and digital output modules, if the power-on self-test fails or the module has no external 24 V supply, the module does not operate.
Supply voltage diagnostics: in theory, electronic components should not operate when the supply voltage exceeds its maximum value, so the supply voltage that the I/O module receives from the backplane has to be monitored.
The following table describes the supply voltage monitoring:
2.5 Safety analog input modules of the safety PLC
Ground fault detection: safety analog input modules have a ground fault (leakage current) monitoring function. The outer terminal is usually connected to neutral; a shunt resistor (250 ohm) can be connected between the earthing terminal and neutral, and the leakage current of the analog input is detected as the voltage across this resistor.
Internal diagnostics: the module has up to 8 separate, independent input channels. Each input has two identical circuits, and each circuit's microprocessor obtains the input value through its own analog-to-digital converter and then through isolators. In addition, during a diagnostic the microprocessor drives the digital-to-analog converter into either high impedance (non-interfering) or low impedance, forcing a known input onto the analog-to-digital converter.
Analog input modules perform:
a short self-test, which uses regular, periodic difference detection to determine whether there is an internal failure; and
a long self-test, which uses the health status of each channel to verify whether there is an internal failure.
Power supply monitor: there is no dedicated power supply monitor; this function is achieved during the analog-to-digital converter test periods, because the values delivered by the analog-to-digital and digital-to-analog converters depend on their supply voltage.
2.6 Safety digital input modules of the safety PLC
Internal diagnostics: each input channel has a common input circuit and two independent acquisition paths, each with a microprocessor-driven digital input serializer (DIS) that samples the input information. In addition, a microprocessor-driven digital input deserializer (DID) restores the data, and the diagnostic function blocks perform the diagnosis by synchronizing the restored data with the input data.
Input channel error detection: the digital input monitors the power supply and uses the external connection for leakage current detection, with a minimum leakage current of 1 mA; if there is no leakage current, this indicates an open-circuit failure in the external circuit. For dry contacts, a 10 kΩ pull-up resistor is connected in parallel with the contact for external line-break detection. Each input circuit has switches that periodically force it to 1 or 0 to check that the detection circuit is healthy. Each input circuit is tested independently, and the diagnostic result is used to declare whether the channel is healthy.
2.7 Safety digital output modules of the safety PLC
Internal diagnostics: to check that the switch can both open and close, the output module performs a pulse test (a diagnostic inserted periodically into the module's internal circuit).
The diagnostic sequence consists of:
changing the switching command for a very short time, at most less than 1 ms, which does not affect the actuator;
verifying the test result; and
restoring the correct switching command.
Power supply monitor: each output circuit consists of two switches in series, controlled by two processors respectively. The first microprocessor drives its switch through a digital output deserializer (DOD); the second processor drives the other switch and restores the on/off state after the test. In each cycle, both microprocessors compare the voltage at the midpoint between the switches against a threshold and then exchange their readings; the state of the switches is diagnosed from the midpoint status. If an error is detected in a channel, the channel is shut down immediately, a diagnostic flag is set and the CPU is notified.
3. Summary
Through the introduction in the first two chapters we have understood the basic differences between a safety PLC and a general PLC. There are in fact other differences as well, such as the different external sensor connections, the internal functional blocks of the operating system, the different requirements for software settings and software programming, and the safety communication protocol specifications; we may have the opportunity to discuss these with readers later.
Of course, a safety PLC and a general PLC also have many similarities. Both have the capability to execute logic and arithmetic; both have typical input and output (I/O) modules, which interpret the signals from process sensors and drive the final control elements; both scan the inputs, perform the computation and then write the outputs; and both have typical digital communication interfaces. The general PLC, however, is not designed to be fault-tolerant and fail-safe, and this is the most fundamental difference between them.
Because many users find that a conventional PLC cannot be used for protection in critical applications, there is a demand for safety PLCs. The standards for the design, manufacture and installation of safety PLCs are very high. If a project ignores these standards, or implements them below the required level, then from an occupational and social perspective it is deceptive and irresponsible.