Introduction
Gas & Fuel Authorities are bringing out newer, tougher requirements, including requirements for approval by independent testing agencies such as TUV. The IEC 61508 standard for the functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems has been released, and the Australian version, AS 61508, will be fully published soon. Designing combustion equipment that operates safely is not getting any easier.
“Like computer programs, the only true way of assessing a PES user program to ensure that it functions the way it was designed is to test run the program. It is not possible to inspect a PES program in its entirety by visual examination and conclude that the program does what it is required to do under all possible operating situations.”
The new FM 7605 standard for PLC-based BMS systems, first released in January 2000, also requires compliance with IEC 61508, saying:
Output Monitoring
[Figure 1]
Guarded Outputs
[Figure 3]
Processor Protection
[Figure 5]
[Figure 6]
Power Monitoring
The quality of the output signals is only as good as the power used to drive them. To ensure that outputs are not turned on while the power supply is out of tolerance, a power monitor diagnostic can be added to the general-purpose PLC. Figure 7 shows the addition of a signal conditioner (trip alarm) that detects whether the power supply is under range or over range. To protect the outputs from damage, possible dropout, or oscillation during brownout conditions, the PLC must be programmed to de-energise the trip relay output whenever the power supply goes out of range.
[Figure 7]
Figure 8 shows the complete safety PLC output module block diagram
with the addition of the power monitor circuit. Like the trip alarm, the
power monitor circuit detects if the power supply goes over or under
range and can automatically trip the diagnostic cut-off relay to protect
the outputs. This circuit can also detect if the main fuse is blown.
[Figure 8]
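The following is an added example, not a circuit or program from the original article or from any PLC vendor: a scan-by-scan simulation of the power monitor logic of Figures 7 and 8. It compares a relay driven straight from the window comparator, which chatters as a sagging supply wanders around the trip point, with the latched trip the text calls for, which de-energises once and stays off until a deliberate reset. The 24 V nominal supply, the ±10 % trip points, the hysteresis band, the latch-until-reset behaviour and the brownout voltage trace are all assumptions chosen for illustration.

```python
# Added example: simulation of the power-monitor (trip alarm) diagnostic.
# Not the article's circuit or any vendor's firmware; supply levels, trip
# points, hysteresis and latch behaviour are assumptions for illustration.
from dataclasses import dataclass
from typing import List

NOMINAL_V = 24.0
UNDER_V = 21.6   # assumed under-range trip point (nominal -10 %)
OVER_V = 26.4    # assumed over-range trip point (nominal +10 %)
HYST_V = 0.5     # assumed: supply must come this far back inside the window
                 # before it is called healthy again

# Constructed brownout trace, one sample per PLC scan: the supply sags below
# 21.6 V, hovers around the trip point for a few scans, then recovers.
BROWNOUT_TRACE = [24.0, 24.0, 22.0, 21.0, 21.8, 21.2, 22.4, 21.4, 23.0, 24.0, 24.0]


def supply_in_window(volts: float) -> bool:
    """Window comparator: True while the supply is within tolerance."""
    return UNDER_V <= volts <= OVER_V


def naive_relay(trace: List[float]) -> List[bool]:
    """Relay driven directly from the comparator: it re-energises the moment
    the supply creeps back into tolerance, so it chatters during a brownout."""
    return [supply_in_window(v) for v in trace]


@dataclass
class PowerMonitor:
    """Trip-alarm logic as the PLC would execute it on every scan."""
    healthy: bool = True          # comparator output with hysteresis applied
    relay_energised: bool = True  # diagnostic cut-off relay feeding the outputs

    def scan(self, volts: float) -> bool:
        if self.healthy and not supply_in_window(volts):
            self.healthy = False
        elif not self.healthy and UNDER_V + HYST_V <= volts <= OVER_V - HYST_V:
            self.healthy = True
        if not self.healthy:
            self.relay_energised = False  # latched off: never re-energises by itself
        return self.relay_energised

    def reset(self) -> bool:
        """Deliberate reset after the fault is cleared; refused while out of range."""
        if self.healthy:
            self.relay_energised = True
        return self.relay_energised


def latched_relay(trace: List[float]) -> List[bool]:
    """Relay state per scan when the trip is latched until reset."""
    mon = PowerMonitor()
    return [mon.scan(v) for v in trace]


def transitions(states: List[bool]) -> int:
    """Number of relay state changes, i.e. how often the outputs bounced."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


if __name__ == "__main__":
    print("naive relay bounces:  ", transitions(naive_relay(BROWNOUT_TRACE)))    # 6
    print("latched relay bounces:", transitions(latched_relay(BROWNOUT_TRACE)))  # 1
```

The naive relay changes state six times on this trace, which is exactly the oscillation the article warns about; the latched version changes state once and can only be re-energised by `reset()`, which is refused while the supply is still out of range.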
Communication Protection
Inter-module communications require diagnostics that can detect corrupted messages or a loss of communication. Cyclic redundancy checking (CRC) is a very reliable technique for confirming correct transmission and receipt of data; note that a CRC detects random corruption, not deliberate tampering, so it is a safety check rather than an authentication mechanism. Communication watchdog timers should also be employed by every module on a bus to detect a loss of bus activity. Safety PLCs automatically set their outputs to a predetermined safe state (OFF) when an I/O module has lost communication with its control module. Redundant communication paths, standard in safety PLCs, should be considered for general-purpose PLCs where higher availability is required.
Address Verification
To ensure that input data is originating from the correct module and that output data is going to the correct module, the processor should incorporate some form of address verification. Safety PLCs use redundant serial data links to communicate between the processor and the I/O modules. Serial communications allow source and destination addresses to be embedded in each message and compared with the hardware address established by the backplane. The parallel backplane designs typically found in general-purpose PLCs do not usually incorporate any address verification.
Common Cause
A "common cause" failure is defined as the failure of two or more similar components due to a single stress event (a single cause). The key word here is "stress." Stress events include electrical events such as power spikes, lightning, and high current levels. Mechanical stress includes shock and vibration. Chemical stress includes corrosive atmospheres, salt air, and humidity. Physical stress includes temperature. Heavy usage, including high data rates, is also a stress, especially on system software. If the stress level is high enough, two or more similar components can fail at the same time.
Figure 9. The 1oo1D architecture uses special diagnostic circuits to convert dangerous failures into safe failures.
When high availability is important in addition to safety, a redundant architecture can be used. Two primary architectures are used, 2oo3 and 1oo2D. Figure 10 shows the 2oo3 (two out of three) architecture, which was designed to provide both high safety and high availability. It is typically implemented with three physical sets of electronics, each including input circuitry, a logic solver, and output circuitry. A 2oo3 system can tolerate a single-unit failure but is more susceptible to common cause failures than the 1oo2D. Also, because the 2oo3 architecture requires more hardware, it can be complex and expensive to implement.
Depending on the mix of analog and digital I/O, the cost of a modern safety PLC will not be much higher than that of a conventional PLC. In addition, one significant advantage of the safety PLC is that it eliminates the special engineering and application-level programming required with a conventional PLC: none of the special circuits shown in Figures 1, 3, 5 and 7 are needed when using a safety PLC. The installed cost of a safety PLC can be significantly lower than that of a conventional PLC once engineering and installation expenses are considered for burner management applications.