The Time Has Come to Trust Safety-Rated PLCs
-- Control Engineering, 10/14/2005
Safety PLCs combine the functionality of a control system with a safety system in one controller, allowing manufacturers to greatly reduce machine life cycle costs. Only one programming language is needed for both control and safety circuits.
Safety PLCs help reduce wiring time by enabling safety networks to monitor and/or control each device on the safety circuit. Troubleshooting is often cut by 60-80% since each networked safety device communicates via the same HMI.
Safety system designs using safety PLCs deliver multiple layers of protection. When unexpected events arise, each layer can mitigate the effect of the fault. Safety PLCs from Siemens have led the way in creating this "Layers of Protection" concept, achieving the level of protection required for the controller to earn a SIL 3 safety rating. The layers are the traditional parts of the PLC, each given an expanded functional safety task, so that each can act independently, and all can act together, to ensure that faults are captured and pacified before they can cause harm.
The layers of protection in a Siemens safety PLC consist of four specific parts: a failsafe input module, a safety-rated network, a diverse logic processor, and a failsafe output module. These layers work together in the safety PLC to provide protection previously available only with safety relays. Delivering this protection in a control architecture that is fully integrated in the automation PLC makes safety simpler to deliver to the operator. It also provides the power and flexibility to meet machine control requirements.
The Layers of Protection Function Beyond the Application Program
The first layer of protection is the failsafe input module, which assumes the task of "control reliable" monitoring and protection. Traditionally, all error handling has been done inside the PLC. In the safety PLC, error handling is moved out to the input module for greater protection at the point closest to the safety input device. Input modules divert to a safe shutdown mode (they are "pacified") when failures are detected. This occurs independently of the PLC and does not rely on the PLC or the network for local error handling. Each failsafe input module is engineered to perform several tasks that ensure safety inputs are correctly monitored:
- The input module has built-in self testing, generating test pulse signals that ensure valid monitoring of the input devices.
- Intelligent modules provide local protection actions (lockout & reset).
- Discrepancy analysis and time out ensure timely reactions to faulty inputs.
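The three input-module tasks listed above, modelled as a small simulation. This is an added example, not Siemens code: the two-channel wiring, the 500 ms discrepancy time and the reading format are assumptions chosen to make the checks concrete.

```python
from dataclasses import dataclass

@dataclass
class FailsafeInput:
    """Two-channel safety input (assumed: an E-stop with two NC contacts, each wired
    to its own test-pulse output). Models the three module tasks listed above."""
    discrepancy_time_ms: int = 500
    faulted: bool = False          # lockout: stays pacified until reset()
    fault_reason: str = ""
    discrepant_ms: int = 0

    def scan(self, ch1, ch2, dt_ms):
        """One module cycle. ch1/ch2 are (level while own test pulse is driven,
        level while that pulse is gated off). Returns the safe value handed to the
        PLC: True only when both contacts are closed and every check passed."""
        if self.faulted:
            return False
        # 1. Test-pulse check: with its pulse source off the channel must read low;
        #    a high reading means a short to 24 V or a cross-circuit to the other channel.
        for name, (_, unpulsed) in (("ch1", ch1), ("ch2", ch2)):
            if unpulsed:
                return self._pacify(f"{name}: test pulse check failed")
        # 2./3. Discrepancy analysis with time-out: the channels may disagree briefly
        #    (contacts opening at slightly different times) but not beyond the limit.
        v1, v2 = ch1[0], ch2[0]
        if v1 != v2:
            self.discrepant_ms += dt_ms
            if self.discrepant_ms > self.discrepancy_time_ms:
                return self._pacify("discrepancy time-out")
            return False               # substitute the safe value while they disagree
        self.discrepant_ms = 0
        return v1 and v2

    def _pacify(self, reason):
        """Local protection action: latch the fault and drive the safe (de-energized) value."""
        self.faulted, self.fault_reason = True, reason
        return False

    def reset(self):
        """Operator reset after the fault is cleared; a reset never energizes by itself."""
        self.faulted, self.fault_reason, self.discrepant_ms = False, "", 0


def run_scenario(readings, discrepancy_time_ms=500, dt_ms=100):
    """Feed a constructed sequence of channel readings; return the safe value per scan
    and the fault reason (empty string if the module was never pacified)."""
    module = FailsafeInput(discrepancy_time_ms)
    values = [module.scan(c1, c2, dt_ms) for c1, c2 in readings]
    return values, module.fault_reason
```

`run_scenario` with a welded second contact (channel 1 open, channel 2 still closed for more than 500 ms) shows the discrepancy time-out pacifying the module, while a brief disagreement only substitutes the safe value without latching a fault.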
The next layer is the safe communication network (e.g., PROFIsafe), which provides the reliability that ensures data passed between the layers arrives correctly at the proper partner and is properly interpreted. Key features of the safety-rated bus are fault detection, fault reaction and recovery. A high-speed cyclic bus (such as PROFIBUS, or PROFINET for Ethernet applications) is the preferred candidate for the role of open, safety-rated communication bus.
The central layer of protection is the safety-rated controller, which performs redundant evaluation of inputs and of the safety commands for outputs. To provide the extreme level of reliability required, the controller is designed to detect single errors in program execution and in the electronic hardware as it executes the program logic. To achieve this in the safety-oriented program, the safety package of the safety PLC performs automatic safety checks while linking to additional, redundant safety blocks for error recognition and handling.
These control blocks create a level of time-bounded diverse logic that continuously monitors for software errors and hardware faults. When faults occur the corresponding reactions keep the safety system in a safe state or switch it to a safe state, either by bringing the controller to a safe stop or by sending shutdown signals to the other layers before allowing invalid program functions to affect the machine.
The final protection layer is the failsafe output module, an intelligent module that periodically monitors its own redundant functions to ensure it remains capable of removing power when it is given a de-energize command. Like the failsafe input module, this module provides local protection if any internal module fault or wiring fault is detected. The module sits at the end of the command-and-reaction chain and will only receive a command to energize its outputs if all the other layers have executed their functions error free and have communicated the energize command to the output channel.
Together, the Layers Provide High Levels of Safety
The layers of protection keep to a low probability any combination of failures that could prevent a safety-related output from being de-energized and so create a hazardous event. To put a number on this level of safety protection, the probability of failure required to reach SIL 3 in these high-demand applications is approximately one dangerous failure in 11 centuries. What's more, these safety layers function without any special programming by the application engineer, so they can be relied upon to protect the same way each time they are applied, as they have been more than 1 million times to date in other applications.