What is a safety PLC?
Let’s try to explain it in a simple way for non-experts. The fundamental difference from a general-purpose PLC is summed up in one word: “diagnosis”. In addition, there are differences in internal architecture, software and firmware, and in certification for applications where compliance with a given SIL level is required.
The safety PLC incorporates many diagnostic functions to detect any possible internal fault in the hardware or firmware, so that a failure inside the PLC does not lead to an “unsafe” situation. These diagnostics lower the rate of dangerous undetected failures, which is the failure rate that enters the SIL calculations.
This is the essence, and we will explain it a little more. A safety PLC also meets the design standards for so-called “Safety Instrumented Systems” (SIS) set out in the international standards IEC 61508, IEC 61511 (process industry), IEC 62061 (machinery industry) and others. Keep in mind that the safety PLC is only one subsystem of the Safety Instrumented Function (sensor + PLC + actuator), and it is the whole function that must be designed to meet a certain SIL level. To design, compare and verify the SIL, a tool like SILcet can be used.
Let’s see with an example what “diagnosis” means. The first figure shows a simplified diagram of a digital output of a general-purpose PLC. If the output transistor is short-circuited we have a dangerous failure: the valve does not close when the CPU orders it to, and nothing in the circuit detects it.
What improvements does a safety PLC introduce? We see them in the second figure.
To detect a short circuit it uses a diagnostic routine based on micro-pulses while monitoring the output status: the output is briefly switched off and the readback must follow it. With this it can at least raise an alarm in case of a short circuit.
To go further and act on the output in case of failure, it uses a second transistor in series, interlocked with the monitoring circuit (called the “watchdog”), which compares the status of both output transistors. If one transistor is shorted, the other can still de-energize the load.
In this way we get a safe (“fail-safe”) output circuit, fault tolerant from the point of view of safety. To obtain availability as well, redundant architectures are used, in this example by paralleling two circuits of the same output as shown in the third figure.
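As an added illustration, not taken from the original post or from any vendor’s firmware, the following Python model simulates the three output circuits described above: the single-transistor output, the safe channel with micro-pulse diagnostics and watchdog, and the parallel redundant pair. All class names and the fault model (a transistor stuck on or stuck off) are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Transistor:
    """Output switch model; 'stuck_on' is the short circuit discussed above."""
    stuck_on: bool = False
    stuck_off: bool = False

    def conducts(self, gate: bool) -> bool:
        if self.stuck_on:
            return True
        if self.stuck_off:
            return False
        return gate


class GeneralPurposeOutput:
    """First figure: one transistor, no readback. A short is a dangerous undetected failure."""
    def __init__(self, t: Transistor):
        self.t = t

    def drive(self, commanded: bool) -> bool:
        return self.t.conducts(commanded)


class SafeOutputChannel:
    """Second figure: two series transistors, micro-pulse test and a watchdog that
    compares the readback of each transistor with what the CPU commanded."""
    def __init__(self, t1: Transistor, t2: Transistor):
        self.t1, self.t2, self.alarm = t1, t2, False

    def diagnose(self, commanded: bool) -> list:
        faults = []
        for name, t in (("T1", self.t1), ("T2", self.t2)):
            # Micro-pulse: open this gate for a moment too short for the valve to
            # react; the readback must show the transistor no longer conducting.
            if t.conducts(False):
                faults.append(f"{name} short-circuit")
            elif commanded and not t.conducts(True):
                faults.append(f"{name} open-circuit")  # fails to the safe side, but is alarmed
        return faults

    def drive(self, commanded: bool):
        faults = self.diagnose(commanded)
        if faults:
            self.alarm = True    # at minimum, raise an alarm
            commanded = False    # fail safe: watchdog opens both gates; the healthy one cuts the load
        return self.t1.conducts(commanded) and self.t2.conducts(commanded), faults


class RedundantOutput:
    """Third figure: two safe channels in parallel for availability. The load stays
    energized if either channel conducts, so an open failure in one channel is tolerated."""
    def __init__(self, a: SafeOutputChannel, b: SafeOutputChannel):
        self.a, self.b = a, b

    def drive(self, commanded: bool):
        ea, fa = self.a.drive(commanded)
        eb, fb = self.b.drive(commanded)
        return ea or eb, fa + fb
```

Driving the general-purpose output with a shorted transistor and `commanded=False` leaves the load energized with no indication, while the safe channel reports the fault and de-energizes the load through the second transistor.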
There are many diagnostic functions in a safety PLC, covering the CPU and memory as well as the inputs, outputs and communications, and this logically carries an additional cost.
It is important to note that the design of a safety system must consider the entire SIS, i.e. the PLC, field devices, electrical supplies, control cabinet design, software, etc. Some designs focus heavily on one part while neglecting others, ending up with a solution that has weaknesses we then have to correct. We will see some examples in another post.
Statistically there are more failures in sensors and actuators than in the PLC.
Finally, international standards classify applications according to their risk level: SIL-1, SIL-2, SIL-3 and SIL-4 (Safety Integrity Level). Assigning the level is part of the risk analysis to be performed by the SIS designer.
In summary, the fundamental differences of a safety PLC with respect to a general-purpose one are:
1- It meets the design standards for safety systems such as IEC 61508, NFPA, FM, etc.
2- It is certified by competent organizations such as TÜV, Exida, etc.
3- It incorporates self-diagnostic routines for all hardware and software to detect any dangerous internal fault. If one occurs, it acts to lead the machine or process to a safe state. Therefore the dangerous undetected failure rates are lower than in a standard PLC.
4- The cost of the safety PLC is higher in the initial investment (CAPEX) but certainly lower over its total life cycle (OPEX).
Go deeper into these and many other concepts in our recommended online course on Functional Safety: “Design of SIFs and SIL calculation”.