Health and safety when using plc

Another one jumps into the ring...welcome.
You're perfectly entitled to your opinion mae. I welcome hole pickers!
All I have conveyed is my opinion too, but it's backed by training and experience in this field.

I'll show you why I think your opinion is flawed, in the health and safety world. But first I'll clear this bit up...

mae said:
I'll have to disagree with the unpredictable part...

You cut my quote right down to "unpredictable" and were right to call it a part, as it's only part of a larger quote.
That's not what I mean. I am very careful how I choose my words. The original quote read:

Geospark said:
PLCs, and their code, are an unpredictable, lethal weapon, even in the hands of people who know what they are doing. That's why H&S does not accept it as even a remote possibility of a safety intervention method.

Its unpredictability lies in how it is used by people. Not that it's ever changing by its own design. We are all prone to mistakes, bad judgment, laziness, tiredness. This is not a denigration of the many brilliant coders out there. We are simply human.

Summed up: PLC code is unpredictable in the hands of people and so cannot be relied upon alone to prevent harm, injury or death to persons. Other safety measures must be put in place to safeguard against the unpredictability of code manipulation to protect human life. I will not trust my own code to ensure an un-isolated, dangerous process does not start. Whether a PLC is just sitting there, or being worked on, you don't work in or around dangerous processes that are not isolated from the PLC's control.
This is a risk assessment of a PLC environment where dangerous processes are being controlled.

This is what our esteemed PLC Trainer, bin952, should have stated with regard to the risks and hazards posed by PLC manipulation, such as forces and project verify.

Now your opinion:

...If done correctly you will know exactly what will happen in any situation, if you can't be assured of this, the PLC/program should never be commissioned. This is just my opinion.

Remember this is not an attack on the reputability of anyone's coding. It's in relation to health and safety not trusting it alone to protect human life.

From your statement, you are saying that all PLC programs that you have written, and commissioned, can assure that they will know exactly what will happen in any situation. That's a bold statement to make.

Would you be willing to step into an un-guarded dangerous machine with just your code keeping the machine off?

Even if code has been tested and is working for many years, you would be foolish to rely on it not to do something when it shouldn't. Many here could write a book on the unpredictably weird and wonderful things that a PLC has done during their experiences with them. As robust as we like to think we write code, you cannot conceivably code for every possible permutation, at least not at the beginning. Over time, yes, you can go back and modify for glitches and bugs. But during those intervals anything can, and sadly has, happened:

http://www.digital-rights.net/?p=1168

So the argument doesn't swing back the other way again...
In the cases where it is being used to protect life, it is one of many features in place. It should not be the only method used. The code of one PLC still cannot be solely responsible for this role. That is why you use redundancy, and redundancy, and redundancy. This is still a "reduce" risk method, not "remove". It will never be entirely failsafe, but the likelihood of failure is extremely remote.

Technology drives human action. It’s not deterministic we have choice. But many of the reasons we decide to use, or not to use, technology may have less to do with us than with technology.

G.
 
There are many reasons for not using a PLC to perform safety functions.
The main one is the safety checking principle.
- What checks the output?
- What checks the input?
- What checks the checker?
- What guarantees the input/output does not get bypassed?
All safety-related devices have a fail-to-safe mode.
Programmable safety devices have fail-to-safe features.
There are also specific passworded / access functions to check and confirm the program.
As far as a standard PLC goes, this is not possible, so the PLC should never be used for safety control, other than purely monitoring.
 
If everyone is happy so far...

We can now look at the importance of health and safety when working with PLC controlled equipment where the PLC is part of the safety system.

Now Ian, you're back on topic and you have brought us on to the next step:

iant said:
There are many reasons for not using a PLC to perform safety functions.
The main one is the safety checking principle.
- What checks the output?
- What checks the input?
- What checks the checker?
- What guarantees the input/output does not get bypassed?
All safety-related devices have a fail-to-safe mode.
Programmable safety devices have fail-to-safe features.
There are also specific passworded / access functions to check and confirm the program.
As far as a standard PLC goes, this is not possible, so the PLC should never be used for safety control, other than purely monitoring.

Yes Ian, that's correct. So, if not the PLC, what does perform the safety functions?

Redundancy systems have been around since the 80s, but have always been cost prohibitive to smaller plants and projects. They typically were triple redundant, involving multiple distributed systems across a plant. This is OK in a nuclear plant or large chemical facility where the benefit-to-cost ratio was justified. Smaller plants or projects could not afford the expensive outlay and so a market of smaller, separate, safety devices grew.
A trend has emerged in the last number of years, driven by new safety standards such as ANSI/ISA 84.01, IEC 61508 and IEC 61511, to conform to an industrial safety standard in industrial applications. These standards outline the necessary functional requirements in order to elevate critical processes to an acceptable safety level.

Because of high levels of automation and supervisory control, and in an effort to conform to those safety standards, manufacturers of PLCs and process instrumentation started making safety rated PLCs and PLDs (Programmable Logic Devices). Last I looked there were about 20 manufacturers of such equipment; it's a growing market. These PLCs and PLDs are now much more affordable, more so the PLDs, and so have become very popular when implementing DCS, MES, SCADA, etc.

These devices are used to create what are known as Safety Instrumented Systems (SIS).
Other similar systems used include:
- Emergency Shutdown (ESD)
- Emergency Shutdown Systems (ESS)
- Safety Shutdown Systems (SSD)

But the main type used, by today's standards, is Safety Instrumented Systems (SIS).

SIS - Principle of Operation:
An SIS is any electronic or microprocessor based system that is capable of leading a process into a safe state, when an assessed, dangerous or catastrophic event has occurred, so as to prevent damage to people, equipment, or the environment.


A basic PLC controlled process is known as a Basic Process Control System (BPCS). More critical process systems that require a "Safe State" to avoid adverse health, safety and environmental consequences use a Safety Instrumented System (SIS).

An SIS runs independently alongside the BPCS. The sole function of the SIS is to monitor the critical process I/O and ensure they are within safe limits. If proved safe, the SIS then routes the critical I/O to the BPCS for normal use. If not safe, the process is led to the Safe State. To achieve this an SIS uses a Safety Instrumented Function (SIF). These are used to carry out the safety functions listed by Ian.

An SIF includes a combination of a dynamic Logic Solver and Redundant Circuits that have Voting capabilities. The logic solver has error checking and failure detection built in. Only the critical process I/O is monitored by the SIS.

At process design stage the required Safety Integrity Level (SIL) rating is calculated for the SIFs. Ratings go from SIL1 to SIL4, 1 being the lowest reliability level and SIL4 being most reliable with a 0.00001% chance of Probability of Failure on Demand (PFD). Most processes require a SIL2 rating, but more critical processes usually use SIL3. Extremely high risk applications use SIL4. SIL4 would be used on emergency stop systems on drilling platforms, extreme time dependent safety circuits, High Integrity Pressure Protection Systems (HIPPS), NASA, nuclear reactor primary shutdown systems. Most SIS can drive to the safe state in the order of 30ms; a SIL4 can do it in under 10ms.

Interesting to note, the only SIL4 rated SIS in the world, Hima's Planar4, does not use software to program the safety function's logic solvers. It's done using wiring configurations on the backplane. Definitely not trusting code there!

Once the SIL rating has been decided for the process's safety functions, i.e. the PLC or PLDs, the I/O devices also need to meet the SIL certified rating.
A chain is only as strong as its weakest link.
The field devices used in an SIS should be suitably SIL rated. They can be basic boolean, but usually are analog, Fieldbus, HART enabled, and capable of sending back position, level, volume, %, etc., type data for diagnosis, and in some cases require self diagnosis.

The SIS can be a basic one-out-of-one (1oo1) architecture up to two-out-of-three (2oo3D), with self diagnostics. An example of 2oo3D would be 3 pressure transducers, measuring the same critical medium, input to 3 separate SIS PLCs or PLDs. The result of which 2 out of the 3 would have to be at the threshold value, then sent to external voting relays, before the SIS would trigger the Safe State. This is triple redundancy at the CPU level. The advantage of this is 1 PT, or CPU, failure would not affect the SIS's function, but would show the discrepancy in the single PT or CPU unit for maintenance. On the output side, you could have 2 out of 3 outputs required from an output logic solver to activate a valve. You could also use a second paralleled valve for redundancy to the first. And so on. They are very modular systems.

The safety rated PLCs and PLDs can be programmed many different ways to achieve the necessary SIL rating required. Some PLDs now offer up to 200,000 logic gates and over 150 I/O pins for less than $20.

As PLCs, and process instrumentation all morph into safety standard rated devices, safety instrumented systems will not just be important, they will be the norm.

G.
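A worked illustration of the 2oo3D voting and discrepancy reporting described in the post above, written here as an added example in Python rather than taken from the post or from any vendor's safety PLC. The transmitter range (4-20 mA over 0-10 bar), the trip threshold, the discrepancy band, the out-of-range fault limits and the degradation policy (2oo3 drops to 1oo2 after one detected fault, and two detected faults force the safe state) are all assumptions chosen for the demonstration:

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example values (not from the thread): three 4-20 mA pressure
# transmitters spanning 0-10 bar feed one 2oo3D logic solver.
MA_MIN, MA_MAX = 4.0, 20.0        # live-zero loop current range
RANGE_BAR = 10.0                  # transmitter span, 0-10 bar
TRIP_BAR = 8.0                    # hypothetical trip threshold
DISCREPANCY_BAR = 0.5             # hypothetical spread that flags a transmitter
# Assumption: loop current outside 3.8-20.5 mA is a detected channel failure
# (open or shorted loop), following the NAMUR NE43 convention.
FAULT_LOW_MA, FAULT_HIGH_MA = 3.8, 20.5


@dataclass
class Channel:
    name: str
    ma: float  # raw loop current in mA

    def fault(self) -> bool:
        """Detected failure: current outside the signalling range."""
        return not (FAULT_LOW_MA <= self.ma <= FAULT_HIGH_MA)

    def bar(self) -> float:
        """Scale loop current to engineering units."""
        return (self.ma - MA_MIN) / (MA_MAX - MA_MIN) * RANGE_BAR


def vote_2oo3d(channels: List[Channel]) -> Tuple[bool, List[str]]:
    """Return (trip, diagnostics) for a 2oo3 vote with diagnostics.

    Assumed degradation policy (a design choice, not from the thread):
    one detected fault drops the vote to 1oo2 on the remaining channels;
    two or more detected faults force the safe state outright.
    """
    diags: List[str] = []
    healthy: List[Channel] = []
    for c in channels:
        if c.fault():
            diags.append(f"{c.name}: {c.ma:.1f} mA out of range, channel excluded")
        else:
            healthy.append(c)

    if len(healthy) < 2:
        diags.append("fewer than two healthy channels, forcing safe state")
        return True, diags

    required = 2 if len(healthy) == 3 else 1
    over = [c for c in healthy if c.bar() >= TRIP_BAR]
    trip = len(over) >= required

    # Discrepancy check for maintenance: with three healthy channels the one
    # far from the median is suspect; with two, both are flagged because the
    # voter cannot tell which is wrong.
    readings = sorted(c.bar() for c in healthy)
    if len(healthy) == 3:
        median = readings[1]
        for c in healthy:
            if abs(c.bar() - median) > DISCREPANCY_BAR:
                diags.append(f"{c.name}: {c.bar():.2f} bar vs median "
                             f"{median:.2f} bar, check transmitter")
    elif readings[1] - readings[0] > DISCREPANCY_BAR:
        diags.append("remaining two channels disagree by "
                     f"{readings[1] - readings[0]:.2f} bar, check both transmitters")
    return trip, diags


if __name__ == "__main__":
    # Constructed scan: PT-102 has an open loop, the other two read 8.5 bar.
    scan = [Channel("PT-101", 17.6), Channel("PT-102", 0.0), Channel("PT-103", 17.6)]
    trip, diags = vote_2oo3d(scan)
    print("trip" if trip else "run", diags)
```

The point of the discrepancy list is the one the post makes: a single transmitter or CPU that disagrees does not change the vote, but it is reported so maintenance can act before a second failure leaves the loop with no margin. Note that the example treats a detected channel failure as taking that channel out of the vote, whereas an undetected failure (a transmitter frozen at a plausible value) can only be caught by the discrepancy check, which is why the healthy channels are compared against each other even when no fault is flagged.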
 
Thanks for the huge essay Geospark.
FYI
I said STANDARD PLCs. I have 30 years experience in safety systems.
We do not use SIL but an equivalent.
Apart from writing an international safety code document, I was merely stating the easy explanation. Many first timers do not know and believe they can use PLCs for safety - in principle they can not. But the reason is often far above the level of newcomers.
So I short form it.
Don't forget it is not the SAFETY PLC that does all the work; the additional hardware also must be safety rated.
There are other posts on this site about safety specifically.
 
I'm sorry Ian if you felt I was trying to teach you in particular. I didn't intend the "then what does" question at you directly as if you didn't know the answer. It was a general question, to lead onto the explanation(essay). I had intended to write that post regardless of whether you had made your comments or not, but was delighted that you did as it provided a stepping stone.

I wrote it to balance out the topic, as there are two sides to the importance of H&S when working with programmable controlled equipment. When I explained the dangers and reasons for not trusting them with H&S, some felt I was anti PLC. Not so. While lengthy posts, they still only brush the surface of this subject.

So many threads go way off topic here you forget what the OP asked. It's easy to get sidetracked and into debates. Look at the "OTE in middle of rung" debate. That's why when I saw the comments discussing faults and needing PLCs left on for fault finding, it was time to reply. If I didn't, where would this thread be now?

This forum is read by hundreds, if not thousands, every day. It's important the right information in relation to the question asked is conveyed. If I have that information, and the time, I will oblige. It's intended for those that do not know what we know.

G.
 
Ian,

Having read our last posts again I think I see where you were offended. I think you misread my remark after your quote as saying...

If you think the PLC doesn't perform the safety functions, then what does?

As if to imply you were incorrect and my "correct" remark was somehow sarcastic.

I totally agreed with your comments that the standard PLC cannot perform the safety functions. I went on to outline how the PLC forms part of a safety system, in which it does not perform the safety functions, as you had stated. Your comments were/are 100% correct. I just elaborated on them.

You are also correct that the hardware has to be suitably rated. I referred to it as the "weakest link".

Apologies again if you were offended.

G.
 
No need to apologise - I was not offended - I am just getting older (y)
 
Aren't we all?

BTW Ned, I'd forgotten to say congrats on passing your NEBOSH exams.

Ian, I'm a long time reader, short time poster. Bear with me, I'm just at the "Then they will teach others" stage! 👨🏻‍🏫
 
National Examination Board in Occupational Safety and Health (NEBOSH).

See I can do short replies!

G.
 
Very relevant to the topic of software performing safety functions is the story of the Therac 25, a radiation-therapy machine which seriously overdosed several patients in the mid-1980s, killing three of them. The Wikipedia article (http://en.wikipedia.org/wiki/Therac-25) gives a good overview, but Nancy Leveson's detailed case study will probably be the most interesting to forum members: http://sunnyday.mit.edu/papers/therac.pdf
 
There are many examples of simple program errors causing major damage or costs.

Meters per second instead of feet per second.
= one impacted Mars Probe.
 