Fail Safe

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9

Lecture 4 FAIL-SAFE design

Topics: Protecting and functional safety of control systems. Safety certification Safety and acceptable risk
according to IEC 61508. Safety integrity level (SIL). F-system. Internal security system. PLC F-programming.
Classification of hazardous areas (IEC 61 241). ATEX. Explosion-proof units. Safety Rules for designing
systems with PLC. Safety Integrated control concept.
All systems will fail eventually. A fail-safe design will minimize the damage to people and equipment.
International safety standards such as the IEC 61508the International Electrotechnical Commission standard
governs functional safety in programmable electronic systems.
Safety PLC-based systems are less prone than hardwired safety systems to nuisance trips that can unnecessarily
shut down a factory operation. And they are much easier and faster to troubleshoot, resulting in less machine or
process downtime.
Fail-safe controls (F-PLC) in process technologies.
What's in a name?
The name is Safety programmable logic controller (PLC) means a special class of PLC designed for use in safety
critical applications. Safety PLCs and associated safety networks can help boost productivity. The unit meets all of
the requirements for use in applications up to SIL 3 (Safety integrity level - SIL) according to IEC 61508.
Fail-safe controllers are used widely in manufacturing processes to protect both personnel and machinery in the
event of a fault or power failure. Until recently, this type of device had to be hardwired into a system.
Example. PLC S7 300F ( F systems) mean fail safe CPU and signal modules. Software blocks of safety integrated
software are TV certified. What exactly guarantee that one PLC S7 300F system is actually a fail safe system. Is it
enough that they are TUV certified.

Fig.1 Failsafe PLC modules


Any S7 300 CPU from F series has two completely different sections inside the CPU. One is processing standard
program, other one is for safety functions. One F-PLC is sufficient for fail safe functions through time based
redundancy and diversity.
Two copies of the safety program execute in parallel, one using 16-bit word mode, and the second using single-bit
binary instruction mode. When the compile function is activated, the compiler takes safety logic and inverts it as
well as converts it to a WORD based logic (this gives diversity). When the safety program is executed, it will be
executed twice every time it is called (this is the "time based redundancy" part). In addition, diverse program
processing is monitored by two independent hardware timers.
When both executions are done the safety call compares the results with each other and "expects" that they will be
exactly opposite (and if not shut down the CPU). Siemens "gets away" with doing CAT4/SIL3 certified safety in a
single F-CPU.
Safety programmable logic controllers rely on redundant processing architectures to provide fail-safe or faulttolerant control
With the principle of diverse instruction processing, the safety program created by the user is executed twice - once
normally, and once with inverse logic. In inverse logic, AND becomes OR, for example, A becomes /A (A inverse)
and the binary operand BOOL becomes the variable WORD. If the result of the posi t i ve logic agrees with the
inverted result of the inverse logic, there is no error (Fig. 2).
This made it possible to carry out error detection by means of software and do it without a second, redundant CPU.
1

Fig. 2 The principle of diverse instruction processing with inverse logic.


First execution is done on what you programmed followed by an execution of the "diversified" (inverted and
WORD based) logic that the compiler created for you (this is the "time based redundancy" part).
Any S7 300 CPU from F series master unit and can see each others inputs and outputs. Using this concept, PLC
makes decisions about its own immediate safety environment.
FAIL-SAFE design
Consider the selection electrical connections. If wires are cut or connections fail, the equipment should still be safe.
For example, if a normally closed stop button is used, and the connector is broken, it will cause the machine to stop
as if the stop
button has been pressed.
NO (Normally open) - When wiring switches or sensors that start actions, use normally open switches so that if
there is a problem the process will not start.
NC (Normally Closed) - When wiring switches that stop processes use normally closed so that if they fail the
process will stop.
Use NO Starts buttons and wiring for inputs that start processes.
E-Stops must always be NC, and they must cut off the master power, not just be another input to the PLC.

. 3 Button Emergency stop


Use redundancy in hardware.

Fig. 4 Non redundant hardware.

Fig. 5 Redundancy in hardware


Directly connect emergency stops to the PLC, or the main power supply. Use well controlled startup procedures that
check for problems. Shutdown buttons must be easily accessible from all points around the machine.
A set of safety rules was developed by Jim Rowell (http://www.mrplc.com, "Industrial Control Safety; or How to
Scare the Bejesus Out of Me"). These are summarized below.
Grounding and Fuses
Always ground power supplies and transformers.
Ground all metal enclosures, casings, etc.
All ground connections should be made with dedicated wires that are exposed so that their presence is obvious.
Use fuses for all AC power lines, but not on the neutrals or grounds.
If ground fault interrupts are used they should respond faster than the control system.
Programs
A fail-safe design - Programs should be designed so that they check for problems, and shut down in safe ways.
Most PLCs also have imminent power failure sensors, use these whenever danger is present to shut down the
system safely.
Proper programming techniques and modular programming will help detect possible problems on paper instead of
in operation.
Modular well designed programs.
Use predictable, non-configured programs.
Make the program inaccessible to unauthorized persons.
Check for system OK at start-up.
Use PLC built in functions for error and failure detection.
People
Provide clear and current documentation for maintenance and operators.
Provide training for new users and engineers to reduce careless and uninformed mistakes.
Hot vs. Neutral Wiring
Use PNP wiring schemes for systems, especially for inputs that can initiate actions.
Loads should be wired so that the ground/neutral is always connected, and the power is switched.
Sourcing and sinking are often confused, so check the diagrams or look for PNP/NPN markings.
AC / DC
Use lower voltages when possible, preferably below 50V.
For distant switches and sensors use DC.
Devices
Use properly rated isolation transformers and power supplies for control systems. Beware autotransformers.
Use Positive or Force-Guided Relays and contacts can fail safely and prevent operation in the event of a failure.
Some relay replacement devices do not adequately isolate the inputs and output and should not be used in safety
critical applications.
Select palm-buttons, and other startup hardware carefully to ensure that they are safety rated and will ensure that
an operator is clear of the machine.
When two-hand start buttons are used, use both the NO and NC outputs for each button. The ladder logic can then
watch both for a completed actuation.
Stops
E-stop buttons should completely halt all parts of a machine that are not needed for safety.
3

E-stops should be hard-wired to kill power to electrically actuated systems.


Use many red mushroom head E-stop buttons that are easy to reach.
Use red non-mushroom head buttons for regular stops.
A restart sequence should be required after a stop button is released.
E-stop buttons should release pressure in machines to allow easy escape.
An extraction procedure should be developed so that trapped workers can be freed.
If there are any power storage devices (such as a capacitor bank) make sure they are disabled by the E-stops.
Use NC buttons and wiring for inputs that stop processes.
Use guards that prevent operation when unsafe, such as door open detection.
If the failure of a stop input could cause a catastrophic failure, add a backup.
Construction
Wire so that the power enters at the top of a device.
Take special care to review regulations when working with machines that are like presses or brakes.
Check breaker ratings for overload cases and supplemental protection.
A power disconnect should be located on or in a control cabinet.
Wires should be grouped by the power/voltage ratings. Run separate conduits or raceways for different voltages.
Wire insulation should be rated for the highest voltage in the cabinet.
Use colored lights to indicate operational states. Green indicates in operation safely, red indicates problems.
Construct cabinets to avoid contamination from materials such as oils.
Conduits should be sealed with removable compounds if they lead to spaces at different temperatures and humidity
levels.
Cabinets should be protected with suitably rated fuses.
Finger sized objects should not be able to reach any live voltages in a finished cabinet, however DMM probes
should be able to measure voltages.
Electrical schematics used to layout and wire controls cabinets.
Grounding and shielding can keep a system safe and running reliably.
Failsafe designs ensure that a controller will cause minimal damage in the event of a failure.
PLC enclosure are selected to protect a PLC from its environment.

Fig.6 The use of "barriers"


Let us describe the Lockout devices.
Lockout-Tagout (LOTO)
Lockout-Tagout is a small lock that can prevent any electrical device from being plugged in. A lockout is a work
stoppage in which an employer prevents employees from working.
Lockout (shutout) is a control action resisting employee's demands; employees are barred from entering the
workplace until they agree to terms.
A lock-out device is a system which, in its most common form, is designed to detect the first signal(s) it receives,
and ignore subsequent signals.
Lockout-Tagout (LOTO) or lock and tag is a safety procedure which is used in industry and research settings to
ensure that dangerous machines are properly shut off and not started up again prior to the completion of
maintenance or servicing work. It requires that hazardous power sources be "isolated and rendered inoperative"
before any repair procedure is started. "Lock and tag" works in conjunction with a lock usually locking the device or
the power source with the hasp, and placing it in such a position that no hazardous power sources can be turned on.
The procedure requires that a tag be affixed to the locked device indicating that it should not be turned on.

Fig. 7 A lock-out device. Source http://www.lock-out.com/


Modern machinery can contain many hazards to workers, from things like electrical, mechanical, pneumatic or
hydraulic sources. For example a typical industrial machine may contain things like hot fluids, moving presses,
blades, propellors, electrical heaters, conveyor belts with pinch points, moving chains, ultraviolet light, etc.
Disconnecting or making safe the equipment involves the removal of all energy sources and is known as isolation.
The steps necessary to isolate equipment are often documented in an Isolation Procedure or a Lockout Tagout.
The isolation procedure generally includes the following tasks:
Identify the energy source(s)
Isolate the energy source(s)
Lock and/or Tag the energy source(s)
Prove that the equipment isolation is effective
The locking and/or tagging of the isolation point lets others know not to de-isolate the device.
In industrial processes it can be difficult to establish where the appropriate danger sources might be. For example a
food processing plant may have input and output tanks and high temperature cleaning systems connected, but not in
the same room or area of the factory. It would not be unusual to have to visit several areas of the factory in order to
effectively isolate a device for service (e.g. device itself for power, upstream material feeders, downstream feeders
and control room).
Modern safety manufacturers provide a range of isolation devices specifically designed to fit various switches,
valves and effectors. For example most modern circuit-breakers have a provision to have a small padlock attached to
prevent their activation. For other devices such as ball or gate valves, plastic pieces which either fit against the pipe
and prevent movement, or clam-shell style objects, which completely surround the valve and prevent its
manipulation are used.
A common feature of these devices is their bright color, usually red to increase visibility and allow workers to
readily see if a device is isolated. Also, the devices are usually of such a design and construction to prevent it being
removed with any moderate force. (That is to say that an isolation device does not have to stand up to a chainsaw,
but if an operator forcibly removes it, it will be immediately visible that it has been tampered with).

Fig. 8 Tagged out controls in the control room of an abandoned power plant. (Contributed and licensed under the
GFDL by the photographer, Gregory Maxwell. {{GFDL}})

A wide variety of safety and facility products include stock signs, pipe markers, tags, warning labels, Arc Flash
signage, voltage/electrical/fiber optic markers, quality/inspection labels, on-demand print (Fig. ) and underground
hazard tapes (Fig. )

Fig.9 Lockout-Tagout

Fig. 10 Write-On Safety Tags

Fig. 11 Underground hazard tapes


www.panduit.com/.../LockoutTagoutSafetyNetworkSecuritySolutions/index.htm
Fail Safe Design problems
It is necessary to predict how systems will fail. Some of the common problems that will occur are listed below.
Component jams - An actuator or part becomes jammed. This can be detected by adding sensors for actuator
positions and part presence.
Operator detected failure - Some unexpected failures will be detected by the operator. In those cases the operator
must be able to shut down the machine easily.
Erroneous input - An input could be triggered unintentionally. This could include something falling against a start
button.
Unsafe modes - Some systems need to be entered by the operators or maintenance crew. People detectors can be
used to prevent operation while people are present.
Programming errors - A large program that is poorly written can behave erratically when an unanticipated input is
encountered. This is also a problem with assumed startup conditions.
Sabotage - For various reasons, some individuals may try to damage a system. These problems can be minimized
preventing access.
Random failure - Each component is prone to random failure. It is worth considering what would happen if any of
these components were to fail.
Some design rules that will help improve the safety of a system are listed below.
Programs
A fail-safe design - Programs should be designed so that they check for problems, and shut down in safe ways.
Most PLCs also have imminent power failure sensors, use these whenever danger is present to shut down the
system safely.
Proper programming techniques and modular programming will help detect possible problems on paper instead of
in operation.
6

Modular well designed programs.


Use predictable, non-configured programs.
Make the program inaccessible to unauthorized persons.
Check for system OK at start-up.
Use PLC built in functions for error and failure detection.
People
Provide clear and current documentation for maintenance and operators.
Provide training for new users and engineers to reduce careless and uninformed
mistakes.
Addition
IEC 60079-27 Design and implementation of intrinsically safe fieldbus networks in hazardous areas
IEC 61158 CPF3 CP3/2 - PDM Communication PROFIBUS PA
IEC 61784- 1:2002 Ed1 CP 3/1 - DP protocol
IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
IEC 61158-2 Ttransmission technique
IEC 61131 Programmable Logic Controllers
IEC 62305. Lightning Protection
DIN EN 50020. Electrical apparatus for potentially explosive atmospheres intrinsic safety
DIN EN 61326 NE21 Electromagnetic Compatibility
Eesti Harmoniseeritud dokumendid: EVS-EN 60364 Low-voltage electrical installations
Sertification TV Anlagentechnik GmbH corresponds to IEC
Electrical/Electronic/Programmable Electronic Safety-Related Systems.

61508

Functional

Safety

of

Fig. 12 Sertification TV label


DESINA (DistributEd and Standardized INstallAtion technique for machine tools)
ATEX. EC Declaration of Conformity

II
1

2G
2

E
4

Ex
5

ib
6

IIC
7

T4
8

Directive 94/9/EC
:
I ()
II
3.

4.
E European CENELEC standards EN 50..../60079...
5.
Ex
6.
Ib
7.
II - < 60 J
8.
T2 - (300C)

Fig. 13 PROFIBUS PA sensors (ATEX)


IEC/EN 60079-10
A place in which an explosive atmosphere consisting of a mixture with air of flammable substances in the form of
gas, vapor or mist is
ZONE 0 if present continuously or for long periods or frequently
ZONE 1 if likely to occur in normal operation occasionally
ZONE 2 if not likely to occur in normal operation but, if it does occur, will persist for a short period only.
IEC/EN 61241-10
A place in which an explosive atmosphere, in the form of a cloud of combustible dust in air, is ZONE 20 if
present continuously, or for long periods or frequently for short periods.
ZONE 21 if likely to occur occasionally in normal operation.
ZONE 22 if not likely to occur in normal operation but, if it does occur, will persist for a short period
Safety PLC integrates Simplified Safety via Yellow modules
Advances in control network technology, coupled with new legislation means that systems can now be configured
for all safety functions and automated control requirements using a common family of Simatic S7 programmable
controllers. It is one of a number of new products developed by Siemens as part of their Safety Integrated control
concept.
The new Simatic S7-400F Fail-safe PLC is the first device of its type in the world to achieve safety integrity
across SIL levels 1 to 3 of the IEC 61508 standard, for a single processor.
STEP 7 software can be ported directly onto the new fail-safe PLCs, without the need for any programming
changes. Todays Safety PLCs from Siemens have embraced this Layers of Protection concept internally to
achieve the level of protection required for the controller to reach a SIL3 safety rating.
The layers of protection in a Siemens safety PLC consist of the four parts, a failsafe input module, a safety rated
network, a diverse logic processor and a failsafe output module. These diverse layers work together in the safety
PLC to provide protection previously available only in the Safety relays. By delivering this protection in a control
architecture that is fully integrated in the automation PLC it simplifies the process of delivering the statuses of the
safety system directly to the operator panel and provides the power and flexibility of the automation controller to
solve the safety related control requirements.
The Layers of Protection function beyond the Application Program
The first layer of protection is in, the failsafe Input module that has taken the task of control reliable monitoring and
protection. Typically all error handling was done inside the PLC, but in the safety PLC we have moved the error
handling out to the input module for greater protection at the closes point to the safety input device. These modules
divert to a safe shutdown mode (pacified) upon any detected failure independent of the PLC and do not rely on the
PLC or the network for local error handling. These I/O modules performs functions previously only found in safety
relays and seamless connect these functions into the automation controller. As listed below each Failsafe input
module is relied upon to perform several tasks that insure safe inputs are correctly monitored:
Monitored signal wire. The input module has built in self testing. It generates test pulse signals that are used to
insure valid monitoring of the input devices
Intelligent modules provide local protection actions (lockout and reset)
Discrepancy analysis and time out to insure reactions to faulty inputs
Communication watchdog time out

Error detection of communication telegrams to the safety PLC Category 3 and 4 requires redundant monitoring
signals, so two inputs per device can be easily software configured to function together
The central layer of protection is the safety rated Controller which creates redundant evaluation of input and safety
commands for outputs. In order to provide the extreme level of reliability required the controller is designed to
detect single errors in the program execution and the electronic hardware as it executes the program logic. To
achieve this in the safety-oriented program, the S7 Distributed Safety package performs automatic safety checks and
links in additional redundant safety blocks for error recognition and handling. These control blocks create a level of
time bounded diverse logic that continuously monitors for software errors and hardware faults. When faults occur
the corresponding reactions keep the safety system in a safe state or switch it to a safe state by either bringing the
controller to a safe stop or sending shutdown.
The next layer encountered is the safe communication network (PROFISafe) that provides the reliability to insure
that data passed between the layers arrives correctly to the proper partner and is properly interpreted.
communication bus it actually accounts for less that 1% of the risk formula in the safety analysis. Key features of
the safety rated bus are fault detection, fault reaction and recovery. A high speed cyclic reading bus like PROFIBUS
provided several inherent features that made it a great candidate for the first choice of and open safety rated
communication bus.

Referenses
1.
2.
3.
4.
5.
6.
7.

Jim Rowel . http://www.mrplc.com.


The ABB Group. www.abb.com
www.lcautomation.com/pdf/siemens/fail_safe_plc.pdf PLCs for safety ... and savings.
S1MATIC Automation System S7-300. Fail-Safe Signal Modules: Manual. Edition 04/2006.
Siemens. 236 p.
Mitsubishi Safety Programmable Controller. MELSEC QS Sries. CC- Link Safety System. Remote I/O
Module: User's Manual. Mitsubishi.
Be Not Afraid -- the Time has come to Trust Safety rated PLCs. By Tim Parmer, Siemens Energy and
Automation.
www.youtube.com/watch?v=dfWQ0W4MgGA YouTube - PLC Tutorial - Ladder Logic Programming
Tutorial - NOT 19 Aug 2009 ... Programming is also used in failsafe and interlock programming. ...
Automation Technologies, Intro To PLC Programming Training Video, ...

You might also like