
Logic Solver - Safety PLC and System Architectures

Programmable Logic Controllers (PLCs) are devices that use microprocessors to handle logic control. PLCs are usually
used to replace the relays that have often been used for logic control and safety systems. Most modern PLCs also have the
functionality to perform analog PID control and indication.
A conventional ("standard") PLC as shown in the Figure (top) provides only a single electronic path through what is known
as a 1oo1 (one-out-of-one) architecture. Sensors send process signals to the input modules. The two modes of PLC failure,
fail dangerously and fail safe, are shown in the fault tree in the Figure.

The logic solver evaluates these input signals, determines if a potentially hazardous condition exists and energizes or
de-energizes the solid-state output. In a de-energized to trip safety system, the output de-energizes to move the process to a safe
state. If any of the components in the single path fail in such a way that the output cannot be de-energized, the PLC will not
provide its desired safety protection function. Other limitations include limited fail safe characteristics, high risk of covert
failures through lack of diagnostics, problems of software reliability (also stability of versions), flexibility without
security, unprotected communications, and limited redundancy.

Safety PLC
Safety Programmable Logic Controllers are normally an integral part of a safety system. A safety PLC was specifically
designed to accomplish two important objectives:
(1) do not fail (redundancy that works well) but if that cannot be avoided,
(2) fail only in a predictable, safe way.
There are certainly many similarities between a safety PLC and a conventional PLC. Both have the ability to perform logic
and math calculations. Both typically have input and output (I/O) modules that provide them with the ability to interpret
signals from process sensors and actuate control final elements. Both will scan inputs, perform calculations and write
outputs. Both typically have digital communications ports. But the PLC was not initially designed to be fault tolerant and
fail-safe. That is the fundamental difference.
Fault tolerance has the following requirements:
- A single fault in the system must not create erroneous inputs or outputs, nor shall it prevent the system from
  functioning as designed
- Any fault must be alarmed and its location indicated
- Any single fault must be repairable on-line without interruption in operation
To meet the fault tolerant and fail safe requirements, a safety PLC has many special design considerations taken into
account, for example:
- Emphasis on internal diagnostics - a combination of hardware and software that allows the machine to detect
  improper operation within itself (e.g. memory, CPU, communications, etc.)
- Relies on software that uses a number of special techniques to ensure software reliability
- Redundancy to maintain operation even when parts fail, e.g. extra security on any reading and writing via a digital
  communications port
- Certified by third parties to meet rigid safety and reliability requirements of international standards
The Figure (bottom) shows a non-redundant safety PLC with 1oo1D (one-out-of-one, with diagnostics) architecture to
convert dangerous failures into safe failures by de-energizing the output.

1oo1 voting is the simplest to install. Multiple taps are not needed, programming is easiest, and installation and cable costs
are lowest. It can be programmed to be fail-safe and hence vote a trip. The disadvantage of the scheme is that long-term
plant cost and production losses will be higher due to false trips.
Although 1oo1D voting is an improvement over 1oo1 voting, one problem remains: since by definition no single
fault may leave the SIS function unprotected, the system must always trip when a fault is detected. Consequently the
availability may suffer, i.e. the nuisance trip rate increases. To improve availability, some form of voting configuration is used
instead.
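
The 1oo1 and 1oo1D behaviour described above, as an added example that is not part of the original page: a small scan-cycle model in which the same constructed faults are run through both architectures. The names (LogicSolver, TRIP_LIMIT, the two fault flags) and the series diagnostic switch are modelling assumptions.

```python
from dataclasses import dataclass

TRIP_LIMIT = 100.0  # assumed trip point, arbitrary units (not from the page)

@dataclass
class LogicSolver:
    diagnostics: bool = False      # False models 1oo1, True models 1oo1D
    input_frozen: bool = False     # constructed fault: input stuck at last good value
    output_stuck_on: bool = False  # constructed fault: output cannot be de-energized
    last_good: float = 50.0        # value a frozen input keeps reporting

    def scan(self, process_value: float) -> bool:
        """Run one scan; return True if the final element stays energized."""
        seen = self.last_good if self.input_frozen else process_value
        commanded = seen < TRIP_LIMIT               # de-energize to trip
        actual = commanded or self.output_stuck_on  # what the output stage does
        if not self.diagnostics:
            return actual                           # 1oo1: single path, no check
        # 1oo1D (modelling assumption): diagnostics check the input and compare
        # output readback with the command; a detected fault opens a second
        # switch in series, de-energizing the load regardless of the output.
        fault = self.input_frozen or actual != commanded
        return actual and not fault

def outcome(solver: LogicSolver, process_value: float) -> str:
    hazard = process_value >= TRIP_LIMIT
    energized = solver.scan(process_value)
    if hazard:
        return "dangerous failure" if energized else "safe trip"
    return "running" if energized else "nuisance trip"

def compare() -> dict:
    """Same faults and process values through both architectures."""
    rows = {}
    for fault in ("input_frozen", "output_stuck_on"):
        for pv in (60.0, 120.0):                    # healthy process, then a demand
            for diag in (False, True):
                solver = LogicSolver(diagnostics=diag, **{fault: True})
                arch = "1oo1D" if diag else "1oo1"
                rows[(arch, fault, pv)] = outcome(solver, pv)
    return rows

if __name__ == "__main__":
    for key, result in compare().items():
        print(*key, "->", result)
```

In this model a stuck output is only caught when the command and readback disagree, so it stays latent while the process is healthy.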
