Safety PLC for dummies

Wilso (Member; joined Nov 2012; Newcastle; 144 posts)
Can someone "dumb down" an explanation of the difference between a normal Siemens PLC and a Safety PLC? What's the difference between the standard CPU and I/O and the safety PLC processor and I/O?
 
IEC 61508 implements Safety Integrity Level (SIL).
There are requirements for each integrity level.
As far as I am familiar, Siemens safety PLCs comply up to SIL3.
There are PLCs that comply even to SIL4 (such as HIMA), but even in the standard it is recommended that level 4 should be avoided.
 
Safety PLCs are a different (yellow) colour. :D:D:D

Jokes aside, as I once read:
"While a PLC will try to run production even if a failure occurs somewhere, a safety PLC shuts it down in a safe way."

A safety PLC consists of 2 CPUs: one is for normal PLC tasks while the other is for the safety program. It also has special safety I/O besides the normal I/O that continuously check themselves internally against failure through short pulses. The safety program consists of very basic logic and can use special tags connected to the safety I/O that control critical parts.
If at any time a failure occurs (either a CPU fault, or an I/O triggered, or a failure in one of the safety I/O, or a difference in the program logic results at the end of the scan in the two CPUs, etc.) the safety PLC will trigger a shutdown in a controlled way to prevent bigger damage.

The safety program also cannot be edited online.
 
From a hardware perspective, the basic difference is fault tolerance.

A normal PLC has a fault tolerance of zero. Any single fault can cause the safety function to fail in a dangerous manner. A safety PLC (generally) has a fault tolerance of one. A single fault will not cause the safety function to fail in a dangerous manner. Additional faults could cause the safety function to fail.

Unlike a redundant system that is designed for ensuring uptime, where a fault in one controller causes operation to continue using only the non-faulted controller, a single fault in either safety PLC causes the system to enter its safe state (usually off). You will sometimes see this referred to as "1oo2" or "one-out-of-two", meaning only 1 PLC (of 2) is required to keep the system safe.

Also inherent in the design of the controller and I/O are various diagnostics that detect when a fault occurs. This way, when a fault occurs the system is prevented from restarting. This ensures that a single fault will fail to a safe (albeit non-operational) condition.
 
I can try.

Processors
The safety processors are different from the standard processors in that they can run two programs simultaneously, the standard program and the safety program. The safety program, if I understand it correctly, is copied and the logic inverted. The safety program actually runs twice, in its normal and inverted state, and the results checked for agreement, before any outputs are turned on.

Safety I/O modules
The safety I/O modules also include multiple processors that perform checks that must agree before it determines that an input is valid or that an output can be turned on.

The safety input modules can also accept dual-channel inputs (i.e. an input with two sets of contacts), but can also be set up to accept single-channel (i.e. a normal single set of contacts) inputs.

There are extensive diagnostics available for the safety I/O module that are not available for standard I/O modules. (There are some I/O modules, for example with ET200Pro that are called high feature, or HF. They include extra diagnostics, but not to the level of an actual safety I/O module).

There are several modules specific to safety (again my main experience is with ET200pro). For example, there's one called an F-switch. It only accepts a two-channel input, and it controls the power busses of objects connected to its right. If a dual-channel e-stop is connected and is actuated, the F-Switch removes power from the module to the right.

If you are going to set up a VFD or motor starter, there are things called RSM and ASM modules that control the flow of the three-phase voltage. The RSM installs to the left of the VFD and can be used to connect/disconnect 400V to the VFD. This allows the system to have a higher safety rating.

For example, a standard VFD without the safety modules may be able to achieve SIL 1. A VFD with the RSM module SIL 2, a system with an F-Switch, RSM module, and VFD, SIL 3. The extra safety components allow you to build systems with a higher safety rating.


Programming in general:
If a safety, or F processor, is used, you have to install and use S7 Distributed Safety software, which requires a license.

When you build up the hardware configuration, and then save and compile it, many FBs and DBs are added to the project. Some are added to every safety program, others are added due to the specific hardware in the project. For example, each F-switch or safety I/O module will have a safety FB and DB added. These are highlighted in yellow, and are typically locked.


When you program, all of the conventional non-safety logic can go in OB1 or blocks called from OB1.

The safety-specific programming must go into a safety function or function block. You can create your own safety blocks and define the language as F-LAD or F-FBD (languages added by S7 Distributed Safety), and the block will become a safety block.

I can give you more details on the actual project programming if you want. The safety programming is a little different, and you have to set it up through that new Safety Window in the SIMATIC Manager.
You start by defining a safety function, say FC1, as an F-call.
The simatic manager now includes an icon on its toolbar for a Safety Window.

The 1oo1 and 1oo2 applies to the evaluation of sensor signals. 1oo1 is a standard single-channel, 1oo2 applies to a sensor with two contacts.
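The post above describes three mechanisms in words: the safety program being evaluated twice (normal and inverted) with the results compared, 1oo2 evaluation of a dual-channel sensor, and any fault driving the output to its safe state. The toy model below is an added example, not Siemens code or the poster's own; it assumes a 500 ms discrepancy limit for the two channels and treats a faulted standard CPU as one that leaves its output energised, both of which are constructed for illustration.

```python
"""Toy model of the safety-PLC behaviour described in the thread.
Constructed example: not vendor code, not the poster's own logic."""
from dataclasses import dataclass

SAFE = False  # a safety output's safe state is de-energised (off)


@dataclass
class DualChannelInput:
    """Two contacts of one e-stop, evaluated 1oo2: a stop demand on
    either channel is honoured, and a sustained disagreement between
    the channels is a wiring/contact fault that is also treated as a stop."""
    ch1: bool  # True = contact closed = "run permitted"
    ch2: bool
    discrepancy_ms: int = 0  # how long the two channels have disagreed

    def evaluate(self, discrepancy_limit_ms: int = 500) -> bool:
        # Assumed 500 ms limit; real modules make this a parameter.
        if self.ch1 != self.ch2 and self.discrepancy_ms > discrepancy_limit_ms:
            return False  # channel fault: fail safe
        return self.ch1 and self.ch2  # either channel open -> stop


def safety_logic(estop_ok: bool, guard_closed: bool) -> bool:
    """The F-program: run is permitted only if every safety condition holds."""
    return estop_ok and guard_closed


def safety_logic_inverted(estop_ok: bool, guard_closed: bool) -> bool:
    """Diverse second evaluation in inverted (stop-demand) logic, re-inverted
    at the end so it can be compared with the first evaluation."""
    stop_demand = (not estop_ok) or (not guard_closed)
    return not stop_demand


def safety_scan(inp: DualChannelInput, guard_closed: bool,
                cpu_fault: bool = False, inject_mismatch: bool = False) -> bool:
    """One safety scan: a CPU fault or a disagreement between the two
    evaluations forces the safe state; otherwise the agreed result is used."""
    if cpu_fault:
        return SAFE
    estop_ok = inp.evaluate()
    r1 = safety_logic(estop_ok, guard_closed)
    r2 = safety_logic_inverted(estop_ok, guard_closed)
    if inject_mismatch:  # models a corrupted result in one evaluation
        r2 = not r2
    if r1 != r2:
        return SAFE  # results disagree at end of scan -> controlled shutdown
    return r1


def standard_scan(estop_ch1: bool, guard_closed: bool, cpu_fault: bool = False) -> bool:
    """A standard PLC for contrast: single channel, no cross-check.
    Assumed behaviour of a faulted CPU: it keeps the output energised."""
    if cpu_fault:
        return True  # zero fault tolerance: the dangerous failure the thread warns of
    return estop_ch1 and guard_closed


if __name__ == "__main__":
    healthy = DualChannelInput(True, True)
    print("safety, all OK:        ", safety_scan(healthy, True))
    print("safety, one contact open:", safety_scan(DualChannelInput(True, False), True))
    print("safety, CPU fault:       ", safety_scan(healthy, True, cpu_fault=True))
    print("safety, result mismatch: ", safety_scan(healthy, True, inject_mismatch=True))
    print("standard, CPU fault:     ", standard_scan(True, True, cpu_fault=True))
```

Run it as a script to see the contrast: every injected fault in the safety model produces `False` (output off), while the standard model with a faulted CPU keeps the output on.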
 
I don't mean to derail this thread at all; hopefully my question is not too dissimilar to the one above and can maybe add to the discussion.

My experience comes with Allen-Bradley PLCs. I have never used a Safety PLC, just ControlLogix, CompactLogix, MicroLogix and SLC 500. The machines I have worked on have also all been relatively simple (a maximum of, give or take, 5 servos). In what circumstances would I need a Safety PLC instead of a "normal" safety relay? I can see the advantage of Safety PLCs (you could shut down devices in a sequential order etc.) but I cannot come up with a good reason for why I would need one.

Please try and keep the example to the machines area. I could imagine in batch controls that you could have serious issues if you did not use a safety PLC, but these kinds of situations I believe would be much rarer in packaging machines, robots or similar.

Thanks in advance for any response.
Ian
 
For Allen-Bradley, it is more for ease of integration. If you are already using a ControlLogix you could switch to GuardLogix instead of adding and interfacing to an external safety device. It's programmed in the same environment, and you can access the status of the device and sensor to use elsewhere in your logic. If you have complex interlocking requirements rather than, let's say, a simple single e-stop switch for a stand-alone machine, it's a much better choice. If you have a machine with 5 axes of motion and had a requirement to allow 2 axes to move at full speed while 2 other axes had to be at reduced speed and one axis halted when the operator loaded the machine, it would be much easier to do with a safety PLC. If your requirement is simply to stop all motion when the operator accesses the machine, a simple safety relay would be the choice.

It won't make you any safer; it's just a more flexible, expandable tool.
 

Thanks for the explanation. It helps a lot to consider these kinds of things. Most of the machines I work on are simple 1 or 2 e-stop button machines, so a safety PLC would be overkill.

Thanks
 
There is a fear that a standard PLC could have a program 'glitch'.
It is also easily programmed and can be changed by anyone with the software.

The SAFETY PLC has a program that self-checks as well as checks all its other I/O devices.
There are several redundant controls in the PLC's CPU.
The program can be securely passworded and can only be accessed with specific software.
As far as the CPUs go, they have different scan times. The 315F is a lot slower than the 319F.
This scan time is required for the total machine stopping time.
e.g. on a 1000t mechanical press:
250 ms = between 150 ~ 200 mm slide travel
200 ms = 75 mm
The movement is not that important unless you have light curtains. The mounting distance is calculated from the stopping time.
If you want the light curtain within 700 mm, the total stopping time is crucial. If the PLC scan was 200 ms you are already in trouble.

Personally, unless I had a large machine with a CAT.4 (Aus. top rating) safety risk assessment, I would avoid them for now.


Hope that helps.
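The post above says the light curtain mounting distance is calculated from the total stopping time, and that a 200 ms PLC scan already makes a 700 mm distance hard to reach. The calculation it refers to is the minimum separation distance S = K × T + C from ISO 13855 for a vertical light curtain with hand/arm detection. The script below is an added example, not the poster's calculation or any vendor's tool; the curtain response time, PLC reaction time, press run-down time and 30 mm curtain resolution are assumed sample values, and the PLC reaction time is simply passed in rather than derived from the CPU's scan.

```python
"""ISO 13855 minimum separation distance for a light curtain, applied to
the press scenario in the thread.  Constructed example with assumed times."""

K_FAST_MM_S = 2000   # approach speed used when the first result is <= 500 mm
K_SLOW_MM_S = 1600   # approach speed permitted when S > 500 mm
S_MIN_MM = 100       # absolute minimum separation
S_MIN_SLOW_MM = 500  # minimum separation when K = 1600 mm/s is used


def total_stopping_time_s(curtain_response_s, plc_reaction_s, machine_stop_s):
    """T = detection device response + control system reaction + machine run-down.
    plc_reaction_s is assumed to be the worst-case safety PLC reaction time."""
    return curtain_response_s + plc_reaction_s + machine_stop_s


def intrusion_allowance_mm(resolution_mm):
    """C = 8 * (d - 14) mm for a curtain resolution d of 40 mm or less, never negative."""
    return max(8 * (resolution_mm - 14), 0)


def min_safety_distance_mm(total_stop_time_s, resolution_mm):
    """S per ISO 13855: compute with K = 2000 mm/s; if that exceeds 500 mm the
    calculation may be repeated with K = 1600 mm/s, with S then at least 500 mm."""
    c = intrusion_allowance_mm(resolution_mm)
    s = K_FAST_MM_S * total_stop_time_s + c
    if s > S_MIN_SLOW_MM:
        s = max(K_SLOW_MM_S * total_stop_time_s + c, S_MIN_SLOW_MM)
    return max(s, S_MIN_MM)


def curtain_fits(mounting_distance_mm, total_stop_time_s, resolution_mm):
    """True if a curtain mounted at this distance meets the minimum separation."""
    return mounting_distance_mm >= min_safety_distance_mm(total_stop_time_s, resolution_mm)


if __name__ == "__main__":
    d = 30  # mm, assumed curtain resolution
    # Thread scenario: 250 ms press run-down plus a slow 200 ms PLC reaction.
    slow = total_stopping_time_s(0.030, 0.200, 0.250)
    # Same press with a faster safety CPU and a shorter run-down.
    fast = total_stopping_time_s(0.030, 0.050, 0.200)
    for name, t in (("slow PLC", slow), ("fast PLC", fast)):
        print(f"{name}: T = {t:.3f} s, S_min = {min_safety_distance_mm(t, d):.0f} mm, "
              f"fits at 700 mm: {curtain_fits(700, t, d)}")
```

With the assumed times, the slow-PLC case needs roughly 896 mm and does not fit within 700 mm, while the fast-PLC case needs about 576 mm and does, which is the point the poster makes about scan time.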
 
I saw somewhere that there is a debate nowadays between normal multicore PLCs and safety PLCs. The argument is that a multicore can do the jobs that before 2 CPUs had to do.
 
@Balash
The issue is still that any Tom, Dick or Harry can reprogram to bypass safety devices. The programmable safety devices can be passworded and/or date stamped. The first safety PLC had 3 CPUs; it was a Honeywell.

Remember, safety systems require several levels of redundancy.

A standard PLC can never do this.
At the end of the day ALL standard PLC outputs consist of a single silicon barrier. There is NO protection at all.
 