If everyone is happy so far...
We can now look at the importance of health and safety when working with PLC controlled equipment where the PLC
is part of the safety system.
Now Ian, you're back on topic and you have brought us on to the next step:
iant said:
There are many reasons for not using a PLC to perform safety functions.
The main one is the Safety checking principle.
- What checks the output
- What checks the Input
- What checks the checker
- What guarantees the input/output does not get bypassed.
All safety related devices have a Fail to safe Mode.
Programmable Safety devices have fail to safe features.
There are also specific passworded / access functions to check and confirm the program.
As far as a standard PLC goes, this is not possible, so the PLC should never be used for safety control, other than purely monitoring.
Yes Ian, that's correct. So, if not the PLC, what does perform the safety functions?
Redundancy systems have been around since the 80s, but have always been cost prohibitive to smaller plants and projects. They typically were triple redundant, involving multiple distributed systems across a plant. This is ok in a nuclear plant or large chemical facility where the benefit-to-cost ratio was justified. Smaller plants or projects could not afford the expensive outlay and so a market of smaller, separate, safety devices grew.
A trend has emerged in the last number of years, driven by new safety standards such as ANSI/ISA 84.01, IEC 61508 and IEC 61511, to conform to an industrial safety standard in industrial applications. These standards outline the necessary functional requirements in order to elevate critical processes to an acceptable safety level.
Because of high levels of automation and supervisory control, and in an effort to conform to those safety standards, manufacturers of PLCs and process instrumentation started making safety rated PLCs and PLDs (Programmable Logic Devices). Last I looked there were about 20 manufacturers of such equipment, it's a growing market. These PLCs and PLDs are now much more affordable, more so the PLDs, and so have become very popular when implementing DCS, MES, SCADA, etc.
These devices are used to create what are known as Safety Instrumented Systems (SIS).
Other similar systems used include:
Emergency Shutdown (ESD)
Emergency Shutdown Systems (ESS)
Safety Shutdown Systems (SSD)
But the main type used, by today's standards, is Safety Instrumented Systems (SIS).
SIS - Principle of Operation:
An SIS is any electronic or microprocessor based system that is capable of leading a process into a safe state, when an assessed, dangerous or catastrophic event has occurred, so as to prevent damage to people, equipment, or the environment.
A basic PLC controlled process is known as a Basic Process Control System (BPCS). More critical process systems that require a "Safe State" to avoid adverse health, safety and environmental consequences use a Safety Instrumented System (SIS).
An SIS runs independently alongside the BPCS. The sole function of the SIS is to monitor the critical process I/O and ensure they are within safe limits. If proved safe, the SIS then routes the critical I/O to the BPCS for normal use. If not safe, the process is led to the Safe State. To achieve this an SIS uses a Safety Instrumented Function (SIF). These are used to carry out the safety functions listed by Ian.
An SIF includes a combination of a dynamic Logic Solver and Redundant Circuits that have Voting capabilities. The logic solver has error checking and failure detection built in. Only the critical process I/O is monitored by the SIS.
At process design stage the required Safety Integrity Level (SIL) rating is calculated for the SIFs. Ratings go from SIL1 to SIL4, 1 being the lowest reliability level and SIL4 being most reliable with a 0.00001% chance of Probability of Failure on Demand (PFD). Most processes require a SIL2 rating, but more critical processes usually use SIL3. Extremely high risk applications use SIL4. SIL4 would be used on emergency stop systems on drilling platforms, extreme time dependent safety circuits, High Integrity Pressure Protection Systems (HIPPS), NASA, nuclear reactor primary shutdown systems. Most SIS can drive to the safe state in the order of 30ms, a SIL4 can do it in under 10ms.
Interesting to note, the only SIL4 rated SIS in the world, Hima's Planar4, does not use software to program the safety function's logic solvers. It's done using wiring configurations on the backplane. Definitely not trusting code there!
Once the SIL rating has been decided for the process's safety functions i.e. the PLC or PLDs, the I/O devices also need to meet the SIL certified rating.
A chain is only as strong as its weakest link.
The field devices used in an SIS should be suitably SIL rated. They can be basic boolean, but usually are analog, Fieldbus, HART enabled, and capable of sending back position, level, volume, %, etc, type data for diagnosis, and in some cases require self diagnosis.
The SIS can be a basic one-out-of-one (1oo1) architecture up to two-out-of-three (2oo3D), with self diagnostics. An example of 2oo3D would be 3 pressure transducers, measuring the same critical medium, input to 3 separate SIS PLCs or PLDs. The result of which 2 out of the 3 would have to be at the threshold value, then sent to external voting relays, before the SIS would trigger the Safe State. This is triple redundancy at the CPU level. The advantage of this is 1 PT, or CPU failure would not affect the SIS's function, but would show the discrepancy in the single PT or CPU unit for maintenance. On the output side, you could have 2 out of 3 outputs required from an output logic solver to activate a valve. You could also use a second paralleled valve for redundancy to the first. And so on. They are very modular systems.
The safety rated PLCs and PLDs can be programmed many different ways to achieve the necessary SIL rating required. Some PLDs now offer up to 200,000 logic gates and over 150 I/O pins for less than $20.
As PLCs and process instrumentation all morph into safety standard rated devices, safety instrumented systems will not just be important, they will be the norm.
G.
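The 2oo3D voting that G. describes above (three pressure transducers, two of three at threshold before the Safe State is triggered, a single disagreeing transducer reported for maintenance rather than acted on) can be simulated in a few lines. The following is an added example written for this page, not code from the post, from Hima or from any vendor's logic solver. The transmitter names, trip threshold, drift tolerance and the degradation policy (2oo3 degrades to 1oo2 on one diagnosed fault, and drives to the Safe State when fewer than two healthy channels remain, i.e. de-energize-to-trip) are all assumptions made for the illustration.

```python
"""Added example, not the post's code: a 2oo3D voting logic solver for three
pressure transmitters. Constants, channel names and the degradation policy
are constructed assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import List, Optional

TRIP_THRESHOLD_BAR = 12.0   # constructed high-pressure trip point
DRIFT_TOLERANCE_BAR = 0.5   # constructed allowed spread between healthy transmitters


@dataclass
class Channel:
    """One pressure transmitter as seen by the logic solver."""
    name: str
    value: Optional[float]    # None: no valid reading available
    diag_ok: bool = True      # False: the channel's self-diagnostics report a fault


@dataclass
class Verdict:
    trip: bool                # True: drive the process to the Safe State
    mode: str                 # "2oo3", "1oo2" or "fail-safe"
    maintenance_flags: List[str] = field(default_factory=list)


def vote_2oo3d(channels: List[Channel], threshold: float = TRIP_THRESHOLD_BAR) -> Verdict:
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    flags: List[str] = []
    healthy: List[Channel] = []
    for ch in channels:
        if ch.diag_ok and ch.value is not None:
            healthy.append(ch)
        else:
            flags.append(f"{ch.name}: diagnostic fault, channel removed from vote")

    # Assumed degradation policy (de-energize-to-trip): losing one channel
    # degrades the vote to 1oo2; with fewer than two healthy channels the
    # solver cannot vote and drives to the Safe State rather than run blind.
    if len(healthy) < 2:
        return Verdict(trip=True, mode="fail-safe", maintenance_flags=flags)

    above = [ch for ch in healthy if ch.value >= threshold]
    below = [ch for ch in healthy if ch.value < threshold]

    if len(healthy) == 2:
        # Degraded 1oo2: any single channel at threshold trips.
        return Verdict(trip=len(above) >= 1, mode="1oo2", maintenance_flags=flags)

    # Full 2oo3 vote: two channels must agree before the trip is acted on.
    trip = len(above) >= 2

    # A single transmitter disagreeing with the other two is reported for
    # maintenance, not acted on; the SIS keeps running on the majority.
    if len(above) == 1 or len(below) == 1:
        odd = above[0] if len(above) == 1 else below[0]
        flags.append(f"{odd.name}: reads {odd.value} bar, disagrees with the other two channels")
    else:
        # All three agree on the trip decision; still check for drift so a
        # transmitter wandering away from its peers is caught before it matters.
        values = sorted(ch.value for ch in healthy)
        if values[-1] - values[0] > DRIFT_TOLERANCE_BAR:
            median = values[1]
            odd = max(healthy, key=lambda ch: abs(ch.value - median))
            flags.append(f"{odd.name}: reads {odd.value} bar, "
                         f"drifting {abs(odd.value - median):.2f} bar from median")

    return Verdict(trip=trip, mode="2oo3", maintenance_flags=flags)


def demo() -> None:
    """Run a few constructed scenarios through the voter and print the verdicts."""
    pts = ["PT-101", "PT-102", "PT-103"]
    scenarios = {
        "normal": [8.0, 8.1, 7.9],
        "real overpressure, one lagging PT": [13.0, 12.5, 8.0],
        "single spurious high reading": [12.5, 8.0, 8.0],
        "drifting transmitter": [8.0, 8.0, 9.0],
    }
    for label, readings in scenarios.items():
        v = vote_2oo3d([Channel(n, r) for n, r in zip(pts, readings)])
        print(f"{label:36s} trip={v.trip!s:5s} mode={v.mode:9s} flags={v.maintenance_flags}")


if __name__ == "__main__":
    demo()
```

The point the simulation makes is the one Ian's list raises: the vote itself is what "checks the input", the diagnostics decide which inputs are allowed to vote at all, and when the checker loses its quorum the only defensible answer is the Safe State, not a best guess from one surviving transmitter.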