As the most important member of the safety product family, the safety PLC is gaining more and more recognition. In practice, however, many users are still puzzled as to why a set of PLCs that looks much like the ones they have used before is called a safety PLC. What are the differences between a safety PLC and an ordinary PLC? Here I will share my view.
As we all know, safety design rests on three keywords: redundancy, dissimilarity, and self-detection. Only products designed around these three safety concepts can be considered safe, while ordinary PLC products have no such safety design. Next, let's look at how a safety PLC realizes these three concepts in its design.
1 Redundancy
An ordinary PLC contains one or more CPUs, but the program is usually executed only once. Where there are several CPUs, their job is to split the logical operations, arithmetic operations, and communication functions of the program between them, that is, cooperative processing.
A safety PLC contains at least two CPUs. Each of the two CPUs executes the same program once, and the results are then compared. If the results agree, they are output; if they disagree, the safe output is selected (which usually means no output, or shutdown).
Therefore, only a PLC with a redundant CPU design can be called a safety PLC. In addition, the CPU checks in a safety PLC include a clock check, a watchdog (monitoring clock), a sequence check, and a memory check.
Clock check: the processor circuit contains two different oscillators that cross-check each other's behaviour, and each processor uses one clock to check whether the other is running. If the other side is found not to be running within a certain period, the CPU enters the safe state. The firmware checks the accuracy of the two oscillators every second.
Watchdog (monitoring clock): a hardware and firmware watchdog checks the activity of the PLC and the execution time of the user logic. This is the same as in a conventional PLC system.
Sequence check: the sequence check monitors the execution of the different parts of the CPU operating system.
Memory check: all static memory areas, including Flash memory and RAM, are checked using a cyclic redundancy check (CRC) and dual code execution. Dynamic memory areas are protected by dual code execution and checked periodically. These checks are reinitialized on a cold start.
From the above analysis it can be seen that the diagnostics and checks of a safety PLC are far more extensive than those of a conventional PLC, so its hardware and software design is correspondingly more complex. Of course, the scope of the checks and diagnostics is also broader and finer.
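The following C model is an added illustration, not code from the article or from any PLC vendor's firmware. It shows the two ideas above in miniature: two independently written logic channels evaluate the same safety function and their results are compared, with any disagreement forcing the safe (de-energized) output, and a CRC-32 over a static memory region stands in for the cyclic memory check. The input names (estop_ok, guard_closed, speed_ok) and the 1oo2 vote are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Result of one scan: the output to drive and whether the two channels
 * disagreed (a disagreement always forces the safe, de-energized output). */
typedef struct { int output; int fault; } scan_result_t;

/* Channel A: the release condition written as a boolean chain. */
static int logic_a(int estop_ok, int guard_closed, int speed_ok) {
    return estop_ok && guard_closed && speed_ok;
}

/* Channel B: the same rule written differently (arithmetic count), so a
 * corrupted operand or a compiler-specific fault shows up as a mismatch. */
static int logic_b(int estop_ok, int guard_closed, int speed_ok) {
    return (estop_ok + guard_closed + speed_ok) == 3;
}

/* 1oo2 comparison: agreement passes the value through, disagreement
 * selects the safe output (0) and raises the fault flag. */
scan_result_t vote_1oo2(int a, int b) {
    scan_result_t r = { 0, 0 };
    if (a == b) r.output = a; else r.fault = 1;
    return r;
}

/* One scan cycle: both channels evaluate the same inputs, then vote. */
scan_result_t safety_scan(int estop_ok, int guard_closed, int speed_ok) {
    return vote_1oo2(logic_a(estop_ok, guard_closed, speed_ok),
                     logic_b(estop_ok, guard_closed, speed_ok));
}

/* Standard CRC-32 (reflected, polynomial 0xEDB88320) over a memory region;
 * stands in for the cyclic check of the static Flash/RAM areas. */
uint32_t crc32_region(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Memory self-check: recompute the CRC and compare with the reference
 * taken at start-up. Returns 1 if the region is intact, 0 if corrupted. */
int memory_check(const uint8_t *region, size_t n, uint32_t reference) {
    return crc32_region(region, n) == reference;
}
```

Feeding the constructed value 2 for guard_closed shows the point of dissimilarity: channel A still sees a "true" operand while channel B's count no longer equals 3, so the vote fails and the output is held safe.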
2 Dissimilarity
A safety PLC usually has two processors, and they are usually supplied by two different manufacturers, such as Motorola and Intel, for both decoding and execution. This dissimilarity gives the following advantages in failure detection:
The two executable codes are generated independently, and the differences between the compilations make it easy to detect systematic failures introduced during code generation.
The two generated codes are executed by different processors, so the CPU can detect systematic failures and random failures of the PLC during code execution.
Two independent memory areas are used for the two processors, so the CPU can detect random RAM failures that cannot be detected by the full RAM check performed in each scan cycle.
3 Self-detection
The self-detection of a safety PLC appears in many places, including self-checking of the CPU processing, of the power supply monitoring, and of the circuit-board status of the safety input and output points. Here we describe how the design of the safety inputs and outputs embodies the safety concept of self-detection.
(1) Safety digital input
The yellow section of the figure represents the circuit design unique to the safety input point, which is not present in ordinary input points.
Internal diagnosis: each input channel uses a common input circuit and two independent acquisition links, and each microprocessor drives a digital input sequencer (DIS) to sample the input information. In addition, each microprocessor also drives a digital input restorer (DID), which in turn drives the diagnostic function block, so that the restored data can be compared synchronously with the input data.
Input channel error detection: the digital input monitors the field power supply and uses the external wiring to detect a leakage current; the minimum leakage current is 1 mA. If no leakage current is present, the external circuit has an open-circuit fault. For a dry contact, a 10 kΩ pull-up resistor is connected in parallel across the contact so that a broken external line can be detected. Each input circuit is equipped with a switch that periodically forces it to 1 or 0 to check that the circuit is healthy, and each input circuit is tested independently. If a problem is found, the diagnostic bit is set to 1 and the channel is declared unhealthy.
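As an added example (not the article's or any vendor's code), the C model below works through the input-channel diagnostics just described: the 10 kΩ pull-up across a dry contact keeps a small current flowing even when the contact is open, so a reading below the 1 mA leakage floor is reported as an open-circuit fault rather than as a plain OFF, and a periodic forcing test drives the channel to 1 and 0 and requires both independent acquisition links to read the forced level back. The 24 V field supply, the 1 kΩ loop resistance and the 10 mA ON threshold are constructed assumptions.

```c
/* Constructed model of one safety digital input channel. Assumed values:
 * 24 V field supply, the article's 10 kOhm pull-up across the dry contact,
 * the article's 1 mA minimum leakage current, plus a 1 kOhm loop resistance
 * and a 10 mA ON threshold (these last two are constructed). */
#define SUPPLY_V        24.0
#define PULLUP_OHM      10000.0
#define LOOP_OHM        1000.0
#define MIN_LEAK_MA     1.0
#define ON_THRESHOLD_MA 10.0

typedef enum { IN_FAULT = -1, IN_OFF = 0, IN_ON = 1 } in_state_t;

/* Loop current (mA) for a field condition: a closed contact bypasses the
 * pull-up, an open contact still conducts through it, and a broken wire
 * carries nothing at all. */
double loop_current_ma(int contact_closed, int wire_broken) {
    if (wire_broken) return 0.0;
    double r_ohm = LOOP_OHM + (contact_closed ? 0.0 : PULLUP_OHM);
    return SUPPLY_V / r_ohm * 1000.0;
}

/* Channel evaluation: no leakage current means the external circuit is
 * open, which is reported as a fault rather than as a plain OFF. */
in_state_t evaluate_input(double current_ma) {
    if (current_ma < MIN_LEAK_MA) return IN_FAULT;
    return current_ma >= ON_THRESHOLD_MA ? IN_ON : IN_OFF;
}

/* One acquisition link; stuck_at = -1 models a healthy link, 0 or 1 a link
 * whose reading is frozen (an injected fault for exercising the self-test). */
typedef struct { int stuck_at; } acq_link_t;

static int link_read(const acq_link_t *l, int level) {
    return l->stuck_at < 0 ? level : l->stuck_at;
}

/* Periodic forcing test: the channel is driven to 1 and then to 0, and both
 * independent links must read back each forced level and agree with each
 * other. Returns 1 for a healthy channel, 0 when the diagnostic bit must be
 * set and the channel declared unhealthy. */
int channel_self_test(const acq_link_t *a, const acq_link_t *b) {
    for (int level = 1; level >= 0; level--) {
        int ra = link_read(a, level), rb = link_read(b, level);
        if (ra != level || rb != level || ra != rb) return 0;
    }
    return 1;
}
```

With these assumptions an open contact still draws about 2.2 mA through the pull-up, comfortably above the 1 mA floor, while a broken wire drops to 0 mA and is flagged.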
(2) Safety digital output
The yellow section of the figure represents the circuit design unique to the safety output point, which is not present in ordinary output points.
Internal diagnosis: to check whether the switch can actually be opened and closed, a pulse test is performed on the output module by inserting periodic diagnostic cycles into the module's internal circuit.
(3) Diagnostic sequence
Change the switch command for a very short time (at most 1 ms, so the actuator is not affected); verify the test result; then restore the correct switch command.
Power monitoring: each output circuit includes two series-connected switches controlled by two processors. The first microprocessor drives its switch through a digital output restorer (DOD), while the second microprocessor drives its switch downstream of the restorer. In each cycle, the midpoint voltage in each of the two microprocessor systems is compared with a threshold, and the resulting values are then exchanged to evaluate the midpoint status and diagnose the switch status. If erroneous behaviour is detected in a channel, the channel is shut down immediately and a diagnostic bit is set to notify the CPU, which displays the fault information.
In summary, we hope that everyone now has a better understanding of the differences between safety PLCs and ordinary PLCs, and has also learned, from the above introduction, the three important concepts of safety product design. When using safety-related products in the future, you can draw on today's content to understand these safety products and distinguish them from standard control products by their design.