SIL 3 system without safety PLC

This is a very dumb question and I am looking for dumb answers. This is for a school project model with a control system that will be using whatever cheap PLC I can find that will suit our needs. Looking for any ways to show off some use of functional safety; I'm familiar-ish with the big ISO/IEC specs and have them on hand for reference. Looking for suggestions on how to architect a system without a safety PLC, for budget reasons, that is SIL 3. I'm thinking this is probably gonna have to involve a safety rated relay and maybe some dumb stuff like triple redundant sensors. I know this is dumb, but having documentation on functional safety and being able to say our model control system has a SIL rating will help our project team stand out from others (this is also a competition) who don't even know what a SIL rating is. If you're going to comment that I probably don't need SIL 3: the model is intended to represent very dangerous real life equipment, so SIL 3 is kinda necessary. Although I haven't begun that process to determine that yet, it is going to be extremely hard to prove this system only requires SIL 2. Again, I know this is dumb, but any suggestions on how to do something like this without spending thousands of dollars on a model are greatly appreciated, thank you!
 
Is this something that needs to represent a real world solution or exactly be a real world solution?

Either way, I would probably go with a programmable safety controller to sit next to your PLC. I've had really good results from a Keyence GC-1000 programmable controller. It has all the safety ratings, a pretty solid IO count and our price is well under $1000US. We have a few very simple metal forming machines where the logic is so simple that we put the entire machine operation in a GC-1000. Your system may not fit that way, but a small process PLC sitting next to the GC would work well.
 
Try triple redundant sensors for multiple independent measurements, and diversify sensor types to mitigate common cause failures. Additionally, I recommend isolating safety circuits from non-safety circuits to prevent interference.
 

This sounds like a good idea, as there will be safety and non-safety functions involved. Yes, this is supposed to represent a real world solution, not be exactly the same due to scale, but representative and basically function the same way a real world solution would. Would this programmable safety controller just be in charge of safety functions, or just be in charge of what the main PLC tells it to do, or would it not need to talk to the main PLC at all?
 
Any/all of the above? If your main function is super simple, the GC-1000 can handle it. Most likely not, though. I would have it just be in charge of the safety functions and have the other PLC handle the process. The GC has some aux outputs and can be expanded, but it also talks over Ethernet. I've connected them to AB MicroLogix 1400 and CompactLogix PLCs pretty easily to read/write stuff. Worked very well.
 
Can you keep the SIL rating of the function if, say, the GC takes in a request from a non-safety-rated PLC to perform some action? My instincts say this is possible, as (correct me if I'm wrong) the SIL rating is dictated by the potential for failure of a safety function when it is demanded, not by what's demanding it. So say I wanted a safety function that was responsible for controlling a brake and monitoring it, etc. The non-safety PLC can essentially tell the GC "hold this brake open" and then the GC can handle everything from monitoring it to shutting down the system if some checkback fails or whatever demands an e-stop of the system.
 
The safety function itself must be within the SIL-rated controller.

Here's an example we did with a GC and a process PLC to control (in part) a hydraulic pump. The e-stop needs to stop the pump but we also wanted the process PLC to be able to start/stop the pump based on operator input, idle time, etc. The safety controller monitors the e-stop button and resets it properly. It controls redundant safety contactors that block power to the pump. That's all SIL rated. You can then have the process PLC send a signal to the safety controller asking to run the pump. If the safety function is satisfied (button pulled out and properly reset), then the safety controller will accept the request from the process PLC and run the pump.

A temptation is to have a motor starter controlled by the process PLC that's wired in series with the redundant safety contactors controlled by the safety controller. The problem with this setup is that, if the process PLC holds the motor starter on while the safety controller turns off its contactors, and the safety controller is reset and engages its contactors, the pump will start as soon as the safety function is reset, which could be a violation. In my example above, the safety controller directly controls the motor and only starts it when it receives a pulse from the process PLC that comes after the safety function is reset.
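The two layouts described in this reply, as an added scan-cycle simulation that is not code from the thread or from any controller vendor: a model of a safety controller that owns the e-stop monitoring, the manual reset and the contactors and starts the motor only on a rising edge of the process PLC's run request, beside the tempting series-wired motor starter. Signal names, scan order and the scenario are assumptions constructed for illustration; real hardware would use dual-channel e-stop inputs and contactor feedback (EDM), which this model leaves out.

```python
# Added example, not from the thread: scan-cycle model of the two pump-control
# layouts. Signal names and the scenario are constructed assumptions.
from dataclasses import dataclass


@dataclass
class SafetyController:
    """Models the SIL-rated controller in the reply: it monitors the e-stop,
    performs the manual reset, drives the redundant contactors and only
    starts the motor on a rising edge of the process PLC's run request."""
    safety_ok: bool = False          # safety function healthy and reset
    contactors_closed: bool = False  # redundant safety contactors (modelled as one)
    motor_running: bool = False
    prev_request: bool = False       # last-scan request, for edge detection

    def scan(self, estop_healthy: bool, reset_pressed: bool, run_request: bool) -> bool:
        if not estop_healthy:
            # Demand on the safety function: open the contactors at once.
            self.safety_ok = False
            self.contactors_closed = False
            self.motor_running = False
        elif reset_pressed and not self.safety_ok:
            # Reset only re-arms the safety function; it never starts the motor.
            self.safety_ok = True
            self.contactors_closed = True
        # A request held high across the reset produces no rising edge, so the
        # process PLC has to re-issue it deliberately after the reset.
        rising_edge = run_request and not self.prev_request
        self.prev_request = run_request
        if self.safety_ok and rising_edge:
            self.motor_running = True
        elif not run_request:
            self.motor_running = False   # process PLC asked to stop
        return self.motor_running


@dataclass
class SeriesStarter:
    """The tempting layout: a process-PLC-controlled motor starter wired in
    series with the safety contactors. The motor runs whenever both are
    closed, so a starter still held on restarts the pump the moment the
    safety function is reset."""
    safety_ok: bool = False
    contactors_closed: bool = False

    def scan(self, estop_healthy: bool, reset_pressed: bool, starter_on: bool) -> bool:
        if not estop_healthy:
            self.safety_ok = False
            self.contactors_closed = False
        elif reset_pressed and not self.safety_ok:
            self.safety_ok = True
            self.contactors_closed = True
        return self.contactors_closed and starter_on


# Constructed scenario: (estop_healthy, reset_pressed, run_request) per scan.
SCENARIO = [
    (True, True, False),   # power-up: operator resets, nothing requested
    (True, False, True),   # process PLC requests run -> motor should start
    (False, False, True),  # e-stop pressed -> motor must stop
    (True, False, True),   # button pulled out; request still held high
    (True, True, True),    # operator resets: does the motor restart by itself?
    (True, False, False),  # process PLC drops its request
    (True, False, True),   # ... and re-issues it -> deliberate restart
]


def run_scenario(controller) -> list:
    """Return the motor state after each scan of SCENARIO."""
    return [controller.scan(*inputs) for inputs in SCENARIO]


if __name__ == "__main__":
    for name, ctrl in (("safety controller owns the motor", SafetyController()),
                       ("series-wired starter", SeriesStarter())):
        states = run_scenario(ctrl)
        print(f"{name:36s} {states}")
        print(f"{'':36s} motor running right after reset (step 5): {states[4]}")
```

Step 5 is the case the reply warns about: with the series-wired starter the motor comes back the instant the operator resets, because the process PLC never dropped its output; with the safety controller owning the start, the held request produces no edge and the pump stays off until the process PLC asks again.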
 