In industries like chemical processing and refining, we often hear requests for safety PLCs. However, when we ask about pricing, we find that they are quoted on a project-wide basis, and the budget is at least 50% higher than for ordinary PLCs. Safety PLCs also have a distinctive appearance: they typically have a red casing. So why are safety PLCs so expensive, and what distinguishes them from ordinary PLCs?
In this article, we will analyze the characteristics of a safety-oriented PLC from six aspects.
As the most important component of the safety product family, safety PLCs are becoming increasingly recognized. However, many users are still confused about why a PLC that looks like the ones they have always used is called a safety PLC, and what the differences are between a safety PLC and a regular PLC. Here, we will share some insights.
As we all know, there are three key concepts in safety design that we must remember:
(1) Redundancy
(2) Diversity
(3) Self-testing
Only products that implement these three safety design principles can be considered safety products; ordinary PLCs lack such safety design features. Let's now examine how a safety PLC realizes these three principles in its design.
Redundancy
A typical PLC has one or more CPUs, but the program is executed only once per scan. Where there are multiple CPUs, their role is to share the logic operations, arithmetic operations, communication functions and so on in the program, which is known as collaborative processing.
A safety PLC has at least two CPUs. Both execute the same program, once each, and the results are then compared. If the results agree, the output is produced; if they differ, a safe result is output (usually no output, or a shutdown).
Therefore, only a PLC with a redundant CPU design can be called a safety PLC. In addition, the CPU diagnostics in a safety PLC include clock checking, a monitoring clock, sequence checking and memory checking.
Clock checking: In the processor circuitry, two distinct oscillators cross-check each other, with each processor using one clock cycle to verify that the other is running. If, within a defined period, the other is found not to be running, the CPU enters a safe state. The firmware also checks the accuracy of both oscillators every second.
Monitoring clock: A hardware and firmware monitoring clock checks the PLC's activity and the execution time of the user logic. This is the same as in a conventional PLC system.
Sequence checking: Sequence checking monitors the execution of the different parts of the CPU operating system.
Memory checking: All static memory areas, including Flash memory and RAM, are verified using a cyclic redundancy check (CRC) combined with double-code verification. Dynamic memory areas are protected by double-code verification and are checked periodically. These checks are reinitialized on a cold boot.
As the analysis above shows, the diagnostics and testing required of a safety PLC are far more extensive and detailed than those of a conventional PLC, which makes its hardware and software design correspondingly more complex.
Diversity
Safety PLCs typically have two processors, usually from two different manufacturers such as Motorola and Intel, which decode and execute simultaneously. This diversity provides the following advantages for fault detection: the two executables are generated independently, and the differences between the two compilations make it easier to detect systematic faults introduced during code generation.
The two generated code images are executed by different processors, so the CPU can detect systematic faults and random PLC faults during code execution.
The two processors use two separate memory areas, so the CPU can detect random RAM faults that a full RAM check in each scan cycle cannot catch.
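As an added illustration (not code from the article or from any PLC vendor), here is a simplified 1oo2 logic solver in C in the spirit of the redundancy and diversity sections above: two differently coded channels evaluate the same trip logic on the same inputs, the results are compared, and any disagreement or a CRC mismatch on the static configuration area forces the de-energised safe output. The trip threshold, the configuration contents and the choice of CRC-32 are assumptions.

```c
/* Added example, not from the article: a simplified 1oo2 logic solver modelled on
 * the dual-CPU scheme above. Two differently coded channels evaluate the same trip
 * logic; the output stage only sees a result both agree on. Values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define SAFE_OUTPUT 0u  /* de-energise to trip: output off is the safe state */
typedef struct { uint16_t pressure_kpa; bool level_ok; bool esd_pushbutton; } inputs_t;

/* Simulated static memory area: [0] is the high-pressure trip point in kPa */
uint16_t config_area[4] = { 850, 1, 0, 7 };

/* Standard reflected CRC-32 (polynomial 0xEDB88320), bit-serial for clarity */
uint32_t crc32(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Cold boot: record the reference CRC of the static area for later re-checks */
uint32_t cold_boot(void) { return crc32(config_area, sizeof config_area); }

/* Channel A: the requirement written as plain boolean logic */
static uint8_t channel_a(const inputs_t *in) {
    bool run_permit = in->pressure_kpa < config_area[0] && in->level_ok && !in->esd_pushbutton;
    return run_permit ? 1u : 0u;
}

/* Channel B: the same requirement coded differently, as a fault bitmask */
static uint8_t channel_b(const inputs_t *in) {
    /* bit0: pressure high, bit1: level not ok, bit2: ESD pushbutton pressed */
    unsigned faults = (in->pressure_kpa >= config_area[0]) | ((!in->level_ok) << 1) | (in->esd_pushbutton << 2);
    return faults == 0 ? 1u : 0u;
}

/* 1oo2 comparison: any disagreement or memory fault forces the safe output */
uint8_t vote_1oo2(uint8_t a, uint8_t b, bool mem_ok, bool *diag) {
    *diag = !mem_ok || a != b;
    return *diag ? SAFE_OUTPUT : a;
}

/* One scan cycle: memory check, both channels, then the comparison */
uint8_t scan(const inputs_t *in, uint32_t boot_crc, bool *diag) {
    bool mem_ok = crc32(config_area, sizeof config_area) == boot_crc;
    return vote_1oo2(channel_a(in), channel_b(in), mem_ok, diag);
}
```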
Self-testing
Self-testing in a safety PLC appears in many places, including self-tests of CPU processing, of power supply monitoring, and of the circuit board status of the safety input/output points. Here, we will introduce how the design of the safety input/output points embodies this principle of self-testing.
The yellow section in the figure represents the circuit design unique to safety input points, which ordinary input points do not have.
Internal diagnostics: Each input channel uses a common input circuit with two independent acquisition paths. Each microprocessor drives a digital input serializer (DIS) to sample the input. Each microprocessor also drives a digital input restorer (DID), which in turn drives the diagnostic function block, enabling a synchronous comparison of the restored data with the input data.
Input channel fault detection: The digital input monitors the field-side power supply and uses the external wiring to detect leakage current; the minimum leakage current is 1 mA. If no leakage current flows, this indicates an open-circuit fault in the external circuit. For dry contacts, a 10 kΩ pull-up resistor is connected in parallel across the contact so that a broken external line can be detected. Each input circuit is also equipped with a switch that is periodically forced to 1 or 0 to check the circuit's health, and each input circuit is tested independently. If a problem is detected, the diagnostic bit is set to 1, marking the channel as unhealthy.
Internal diagnostics: To verify that each switch can open and close, a pulse test is performed on the output module (a periodic diagnostic loop inserted within the module's internal circuitry).
The switching command is altered for a very short time, at most 1 ms, which does not affect the actuator; the test result is verified and the correct switching command is then restored. Power supply monitoring: Each output circuit contains two switches connected in series, controlled by the two processors. The first microprocessor drives its switch through a digital output restorer (DOD), while the second microprocessor drives its switch downstream of the restorer. In each cycle, the midpoint voltage between the two switches is compared with a threshold by both microprocessor systems, which then exchange their readings to evaluate the midpoint state and diagnose the switch status. If erroneous behaviour is detected in a channel, the system is immediately stopped, the diagnostic bits are set, the CPU is notified, and the fault information is displayed on the CPU.
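The following C simulation is an added example, not the module's own firmware or circuit: it models the two series switches with a measurable midpoint and the pulse test that exercises each switch while the other one isolates the actuator, so that a stuck-open or stuck-closed switch is caught and the channel is de-energised. The three-level midpoint model (supply, bleed-divider V/2, 0), the 24 V supply and the fault-injection fields are constructed assumptions.

```c
/* Added example, not from the article: simulation of the two-series-switch safety
 * output and its pulse test. The three-level midpoint model and values are assumptions. */
#include <stdbool.h>
#include <stdint.h>
typedef enum { SW_OK, SW_STUCK_OPEN, SW_STUCK_CLOSED } sw_fault_t;
typedef struct {
    bool cmd1, cmd2;            /* switch commands from CPU1 and CPU2 */
    sw_fault_t fault1, fault2;  /* injected hardware faults, for the simulation only */
} output_circuit_t;
#define V_SUPPLY_MV 24000u
/* Real contact position once a stuck fault is applied */
static bool contact(bool cmd, sw_fault_t f) {
    if (f == SW_STUCK_OPEN) return false;
    if (f == SW_STUCK_CLOSED) return true;
    return cmd;
}

/* Simplified midpoint model: S1 closed -> supply; S1 open and S2 closed ->
 * pulled to 0 through the load; both open -> a bleed divider holds V/2. */
static unsigned midpoint_mv(const output_circuit_t *c) {
    bool s1 = contact(c->cmd1, c->fault1), s2 = contact(c->cmd2, c->fault2);
    return s1 ? V_SUPPLY_MV : (s2 ? 0u : V_SUPPLY_MV / 2);
}

/* The actuator only sees power when both series contacts are closed */
bool load_energised(const output_circuit_t *c) {
    return contact(c->cmd1, c->fault1) && contact(c->cmd2, c->fault2);
}

/* Pulse test: step the switches through three states and compare the midpoint with
 * thresholds. A stuck-open or stuck-closed fault on either switch shows up as an
 * unexpected level; the commanded state is restored before returning. */
bool pulse_test(output_circuit_t *c, bool want_on) {
    const unsigned lo = V_SUPPLY_MV / 4, hi = 3 * V_SUPPLY_MV / 4;
    bool ok = true;
    c->cmd1 = false; c->cmd2 = true;  /* expect ~0: proves S1 opens and S2 closes */
    ok = ok && midpoint_mv(c) < lo;
    c->cmd2 = false;                  /* expect V/2: proves S2 opens */
    ok = ok && midpoint_mv(c) > lo && midpoint_mv(c) < hi;
    c->cmd1 = true;                   /* expect V: proves S1 closes; S2 keeps the load isolated */
    ok = ok && midpoint_mv(c) > hi;
    c->cmd1 = c->cmd2 = want_on;      /* restore the real command */
    return ok;
}

/* One output cycle: a failed test de-energises the channel and raises the diagnostic bit */
uint8_t output_cycle(output_circuit_t *c, bool want_on, bool *diag) {
    *diag = !pulse_test(c, want_on);
    if (*diag) c->cmd1 = c->cmd2 = false;
    return load_energised(c) ? 1u : 0u;
}
```

Because each switch is tested while the other is open, a switch that is stuck closed still cannot energise the actuator, which is the reason for placing two independently controlled switches in series.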
In summary, we hope this has given you a better understanding of the differences between safety PLCs and regular PLCs, and that the introduction above has highlighted the three key design principles of safety products. When using safety-related products in the future, we hope you can apply what we have shared here to understand these products and how their design distinguishes them from standard control products.