PLC architecture can provide high safety integrity
Staff -- Control Engineering, 9/1/1998
Lynchburg, Va.—There's no safety like nuclear safety. Consequently, process safety instrumented systems (SIS) requiring a high safety integrity level (SIL) can benefit from a programmable logic controller (PLC) architecture used in nuclear safety systems. (See this issue's cover articles for related safety topics.)
For instance, a PLC module developed by Framatome Technologies is among those using redundancy and diversity to enhance reliability. If an unsafe condition is detected, the module's two safety-function microprocessors can cause any of the relay outputs to open. Watch-dog timers will open the relay outputs if either processor stops running. Also, an OR gate can be substituted for the AND gate for devices requiring a contact closure (non-failsafe output) to actuate.
Using microprocessors that differ in design, microcode, and software compiler manufacturer minimizes common mode failures that could defeat safety interlocks. Using a common functional design document, diverse software is developed by two software teams working independently. Software is then tested and validated by a third team, independent of the developers.
Different microprocessors with different software ensure the SIS will achieve its safety mission, even if a hardware and/or software fault disables one microprocessor.
Diversity aids reliabilityThe PLC's self-contained redundancy and diversity complements other redundant and diverse elements to provide an SIS with SIL 3 integrity. SIL 3 is quantified in the ANSI/ISA-S84.01-1996 standard, "Application of Safety Instrumented Systems for the Process Industry," as a probability of failure on demand average range (PFD avg) of 10-3 to 10-4.
Specifying diversity in sensor type, manufacturer, and activation methods reduce common mode failures. For example, using one RTD (resistance thermal detector) and one thermocouple, and pressure sensors and ventvalves from different manufacturers, reduces common mode failures. Adding a hardwired, manually operated emergency shutdown circuit also provides diversity. When a high-high pressure, or high-high temperature input signal is detected, the PLC's fail-safe outputs open redundant emergency vent valves to depressurize the reactor.
PLC testing is done on line using continuous diagnostic routines. Off-line testing uses a test computer that injects simulated process signals into the PLC module. Input signals are varied by the test computer and PLC output responses are monitored. Both microprocessors are tested at the same time, and hard copy test records are developed.
Shared memory and a separate microprocessor in the PLC module handle communications with external systems. This architecture makes SIS data available, yet prevents communication interrupts from interfering with safety requirements. This PLC architecture provides the same high reliability and high availability of two PLCs.
For more information about Framatome Technologies, visit www.controleng.com/info.
View All Blogs
Now Playing:
