Overview: Domestic enterprises are placing increasing emphasis on equipment safety, yet accidents still occur frequently. Why? Mainly because of widespread misconceptions about safety protection. For example, many believe that a sufficiently stable and powerful PLC can take over the role of a safety controller. This is a misconception: a large investment often fails to deliver real safety. A safety PLC has a distinctive "redundancy + comparison" mode of operation, together with comprehensive and meticulous detection and diagnostics, which is what makes it possible to build a genuinely safe control loop.
As the most important component of the safety family, safety PLCs are becoming increasingly recognized. However, many users are still confused about why a PLC similar to those used before is called a safety PLC, and what the differences are between a safety PLC and a regular PLC. Here, we will share some insights.
As is well known, there are three key concepts in safety PLC design: redundancy, diversity, and self-testing. Only products that implement all three principles can be considered truly safe; ordinary PLCs lack this safety design. Let us examine how a safety PLC realizes each of these three principles in its design.
1. Redundancy: Ordinary PLCs have one or more CPUs, but the program is typically processed in a single pass. Where there are multiple CPUs, they share the logical operations, arithmetic operations, and communication functions of the program; in other words, they collaborate. A safety PLC has at least two CPUs. Each CPU executes the same program once, and the results are then compared. If the results match, an output is generated; otherwise, a safe result is selected for output (usually no output, or a system shutdown).
Therefore, only a PLC with a redundant CPU design can be called a safety PLC. In addition, the CPU checks in a safety PLC include a clock check, a watchdog clock, sequence checks, and memory checks.
Clock check: In the processor circuit, two different oscillators cross-check each other, with each processor using a clock to verify that the other is running. If the other is not running within a defined cycle, the CPU enters a safe state. The firmware checks the accuracy of both oscillators every second.
Watchdog clock: A hardware and firmware watchdog clock checks the PLC's activity and the execution time of the user logic. This is the same as in a conventional PLC system.
Sequence check: Sequence checks monitor the execution of the different parts of the CPU operating system.
Memory check: All static memory areas, including flash memory and RAM, are checked using a Cyclic Redundancy Code (CRC) and are executed with double-code execution. Dynamic memory areas are protected by double-code execution and are checked periodically. These checks are reinitialized during a cold start.
From the above analysis it can be seen that the diagnostics and checks in a safety PLC are far more extensive than those in a conventional PLC, which makes the hardware and software design correspondingly more complex. Naturally, the scope of detection and diagnostics is also broader and more detailed.
2. Diversity: Safety PLCs typically have two processors, usually supplied by two different manufacturers (for example Motorola and Intel), which decode and execute simultaneously. This diversity provides the following advantages for failure detection:
The two executables are generated independently, and the differences in compilation make it easier to detect system failures during code generation.
The two generated codes are executed by different processors, so the CPU can detect system failures and random PLC failures during code execution.
Two separate memory areas are used by two processors, so the CPU can detect random RAM failures that cannot be detected during a full RAM check in each scan cycle.
3. Self-testing in a safety PLC is reflected in many aspects, including CPU processing self-testing, power supply monitoring self-testing, and circuit board status self-testing for safety input/output points. Here, we will introduce how the design of the safety input/output points embodies this self-testing safety concept.
(1) Secure digital input
In the circuit diagram, the yellow section highlights the circuit design unique to safety input points, which is not present in ordinary input points.
Internal diagnostics: Each input channel uses a common input circuit and two independent acquisition paths. Each microprocessor drives a Digital Input Serializer (DIS) to sample the input information. In addition, the microprocessor drives a Digital Input Deserializer (DID), which in turn drives a diagnostic function block, so that the deserialized data is compared synchronously against the input data.
Input channel error detection: The digital input monitors the field-side power supply and uses the external wiring for leakage current detection. The minimum leakage current is 1 mA; if no leakage current is detected, this indicates an open-circuit fault in the external circuit. For dry contacts, a 10 kΩ pull-up resistor is connected in parallel across the contact so that external line breakage can be detected. Each input circuit is equipped with a switch that periodically forces the input to 1 or 0 to check the health of the circuit. Each input circuit is tested independently; if a problem is detected, the diagnostic bit is set to 1 and the channel is declared unhealthy.
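The following is an added example, not code from the original article or from any PLC vendor: a toy Python model of one safety scan that ties together the redundancy-plus-comparison principle (section 1), the CRC memory check, and the leakage-current line-break check on inputs. The two lanes, the program image, the CRC values, and the input names are all constructed for illustration.

```python
import zlib

SAFE_STATE = False      # de-energised output: the fail-safe choice on any doubt
MIN_LEAKAGE_MA = 1.0    # below 1 mA the field wiring is treated as an open circuit

def user_logic(inputs):
    """Application program; an identical copy runs on each lane (constructed)."""
    return inputs["estop_ok"] and inputs["guard_closed"]

def check_static_memory(image, expected_crc):
    """CRC over a lane's static memory image, as the memory check does."""
    return (zlib.crc32(image) & 0xFFFFFFFF) == expected_crc

def check_input_channel(leakage_ma):
    """Line-break detection: a healthy input always draws the minimum leakage current."""
    return leakage_ma >= MIN_LEAKAGE_MA

def safety_scan(lane_a, lane_b):
    """One scan: diagnose each lane, run the logic on both, compare before output.
    Returns (output, diagnostics); a non-empty diagnostics list forces SAFE_STATE."""
    diag = []
    for name, lane in (("A", lane_a), ("B", lane_b)):
        if not check_static_memory(lane["image"], lane["crc"]):
            diag.append(f"lane {name}: static memory CRC mismatch")
        for ch, ma in lane["leakage_ma"].items():
            if not check_input_channel(ma):
                diag.append(f"lane {name}: input {ch} open circuit")
    if diag:
        return SAFE_STATE, diag
    result_a, result_b = user_logic(lane_a["inputs"]), user_logic(lane_b["inputs"])
    if result_a != result_b:
        return SAFE_STATE, [f"lane disagreement: A={result_a} B={result_b}"]
    return result_a, []

# Constructed sample data: a stand-in program image and its known-good CRC.
PROGRAM = b"run = estop_ok AND guard_closed"
GOOD_CRC = zlib.crc32(PROGRAM) & 0xFFFFFFFF

def make_lane(estop_ok, guard_closed, image=PROGRAM, leak_ma=1.2):
    """Build one lane's view: its own input acquisition and its own memory area."""
    return {"inputs": {"estop_ok": estop_ok, "guard_closed": guard_closed},
            "leakage_ma": {"estop": leak_ma, "guard": leak_ma},
            "image": image, "crc": GOOD_CRC}

if __name__ == "__main__":
    print(safety_scan(make_lane(True, True), make_lane(True, True)))   # lanes agree
    print(safety_scan(make_lane(True, True), make_lane(True, False)))  # disagree
    print(safety_scan(make_lane(True, True, image=b"bit flip"), make_lane(True, True)))
```

Any single-lane fault, whether a corrupted memory image, a broken field wire, or a disagreement between the lanes, drives the output to the safe state and surfaces a diagnostic, which is the behaviour the article attributes to the "redundancy + comparison" mode.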
(2) Secure digital output
In the circuit diagram, the yellow section highlights the circuit design unique to safety output points, which is not present in ordinary output points.
Internal diagnostics: To check whether the switch can open and close, a pulse test is performed in the output module (a periodic diagnostic loop is inserted into the module's internal circuitry).
(3) Diagnostic sequence
The switching command is changed for a very short time, at most 1 ms, which does not affect the actuator; the test result is verified and the correct switching command is then restored.
Power monitoring: Each output circuit contains two switches connected in series, each controlled by one of the two processors. The first microprocessor drives its switch through a Digital Output Deserializer (DOD), while the second microprocessor drives its switch after the deserializer.
In each cycle, the midpoint voltage between the two switches is compared against a threshold by both microprocessor systems, and the values are then exchanged so that each can evaluate the midpoint state and diagnose the switch status. If erroneous behavior is detected in one channel, the system stops immediately, a diagnostic bit is set, and the CPU is notified; the CPU then displays the fault information.
In summary, we hope this has given you a better understanding of the differences between safety PLCs and ordinary PLCs, and that the introduction above has highlighted the three key design principles of safety products. When working with safety-related products in the future, we hope you can refer to the content shared here to understand them, and to see how their design sets them apart from standard control products.