Fault Tolerant Control - Outputs


Thread Starter


I am working on a project to improve the fault tolerance of several compressor PLCs. What we have planned for our shutdown outputs is this: two racks with CPU, two relay output cards in each. Outputs in each rack are wired in series, then the two racks are paralleled. We are now being told by an outside consultant that this setup will not meet the required SIL 2 level for these shutdowns. I would welcome any comments or opinions, as we have already purchased most of the hardware for several of these PLCs.

david mertens

Fault tolerance has nothing to do with safety. In fault tolerance, the aim is to increase availability by redundancy. If one element fails, the other takes over. A safety system's aim is to prevent an unsafe situation from occurring and, if it occurs, it tries to minimise the time the unsafe situation exists. In safety systems, two or more elements guard each other, and if one of them sees a difference between itself and the others, then all of them will go to a safe state (shutdown). This means that fail-safe systems reduce availability instead of increasing it. Therefore it is common practice (but not mandatory) to create redundant fail-safe systems; this usually means that not two but four systems are involved.

Also, fail-safe systems are subject to audits by qualified and certified inspection teams checking not only the hardware but also the shutdown software. You can't just use any hardware, write some software and call it a fail-safe system. All hardware used in these systems has to be certified, all standard software modules have to be verified, and the resulting system with application software as a whole also has to be checked and certified.
I hear what you're saying. This project was conceived in an effort to deal with a nuisance tripping problem in our plant. The PLCs that we are replacing are not redundant in any way, either for safety or fault tolerance. Are they considered a safety system, because they are controlling machine shutdowns? And if we alter these controllers and their programs, have we made ourselves liable unless we follow SIS guidelines? Where can I go to gather more information on this topic?

Mindaugas Terleckis

You can use 3 PLCs, each with its own output cards. Each output must be connected to a relay with a group of 4 NO contacts. Then you can connect these contacts in such a way that the output will be ON when 2 of the PLC outputs are ON. If only one PLC generates an ON state on its output, the main output is not connected. This is quite expensive, but if you are interested, I can send you an output relay commutation schema.

Mindaugas Terleckis

A little mistake in my previous message. In fact, you can use relays with 2 groups of contacts and connect them in such a way:
where 1, 2, 3 are the PLC relays and a, b are the relay contact groups.
I've seen them done like you have shown with 3 PLCs. In fact, I tried to sell this approach early on; it accomplished fault tolerance without sacrificing safety. But what we have wound up with - at least at this stage - is two PLCs connected like this:


We are a small plant in an out of the way area, and have to pay dearly for high-dollar consultants to come out here from Houston and point out the errors of our ways. I can see that if PLC "A" locks up with both its output cards 'on', then we have a problem. I don't think this is a good system, but I need a simple, technically accurate explanation of why it's not good... (or why it's okay, for my own peace of mind).
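An added example, not posted by anyone in this thread: a small Boolean model of the two contact arrangements discussed above (the series/parallel racks from the first post and the three-relay two-contact-group arrangement from Mindaugas' post). It injects stuck-closed and stuck-open faults per device and enumerates which fault sets keep the load energized when a trip is demanded (dangerous) and which drop it when no trip is demanded (spurious). The energized-to-run convention, the contact names, the per-device fault model and the function names are all assumptions made for the example; it says nothing about SIL, which needs failure-rate data and a proper PFD calculation.

```python
from itertools import combinations, product

# Constructed example: Boolean model of the shutdown-output contact topologies
# described in the thread. Contact value True = closed. The load stays
# energized (plant runs) while at least one path through the network is closed.

def series_parallel(c):
    """Thread starter's topology: racks A and B, two relay cards in series per
    rack, the two racks paralleled. Contact names are assumed."""
    return (c["A1"] and c["A2"]) or (c["B1"] and c["B2"])

def two_out_of_three(c):
    """Mindaugas' topology: three PLCs, each driving one relay with two contact
    groups (a, b), wired so that any two closed relays keep the load energized."""
    return (c["1a"] and c["2a"]) or (c["2b"] and c["3a"]) or (c["3b"] and c["1b"])

# Which device owns each contact. A locked-up CPU or a welded relay takes all of
# its contacts with it, so faults are injected per device, not per contact.
OWNERS = {
    "series_parallel": {"A1": "A", "A2": "A", "B1": "B", "B2": "B"},
    "two_out_of_three": {"1a": "1", "1b": "1", "2a": "2", "2b": "2",
                         "3a": "3", "3b": "3"},
}
FAULT_MODES = ("stuck_closed", "stuck_open")  # assumed two-mode fault model

def energized(network, owners, faults, demand_run):
    """Evaluate the load state. faults: {device: mode}. demand_run is what every
    healthy device is commanding (True = run, False = trip)."""
    contacts = {}
    for contact, device in owners.items():
        mode = faults.get(device)
        if mode == "stuck_closed":
            contacts[contact] = True
        elif mode == "stuck_open":
            contacts[contact] = False
        else:
            contacts[contact] = demand_run
    return network(contacts)

def classify_faults(network, owners, max_faults):
    """Enumerate every combination of up to max_faults simultaneous device faults.
    Returns (dangerous, spurious): fault sets that keep the load energized on a
    genuine trip demand, and fault sets that drop it with no trip demand."""
    devices = sorted(set(owners.values()))
    dangerous, spurious = [], []
    for n in range(1, max_faults + 1):
        for devs in combinations(devices, n):
            for modes in product(FAULT_MODES, repeat=n):
                faults = dict(zip(devs, modes))
                if energized(network, owners, faults, demand_run=False):
                    dangerous.append(faults)
                if not energized(network, owners, faults, demand_run=True):
                    spurious.append(faults)
    return dangerous, spurious

def plc_a_locked_up_with_outputs_on():
    """The case raised above: rack A hangs with both output cards on while
    rack B commands a trip. True means the load is still energized."""
    return energized(series_parallel, OWNERS["series_parallel"],
                     {"A": "stuck_closed"}, demand_run=False)

if __name__ == "__main__":
    for name, net in (("series_parallel", series_parallel),
                      ("two_out_of_three", two_out_of_three)):
        for k in (1, 2):
            d, s = classify_faults(net, OWNERS[name], k)
            print(f"{name}, up to {k} fault(s): {len(d)} dangerous, {len(s)} spurious")
    print("PLC A locked up with outputs on, B trips -> still energized:",
          plc_a_locked_up_with_outputs_on())
```

Under this model the series/parallel arrangement is defeated by any single device failing energized (two single-fault dangerous sets, no single-fault spurious trips), because the healthy rack's open contacts are bypassed by the failed rack's parallel path. The two-out-of-three arrangement survives every single fault in either direction and needs two devices failing the same way before it either fails to trip or trips spuriously.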
Without a bit more info, it's difficult to give you a road map, but here is one way I have approached this with an AB ControlLogix PLC system used as an ESD set to a Yokogawa DCS:

Assumptions - the PLCs are networked in some fashion; you are trying to provide level 2 shutdowns to keep things from blowing up; you have backup power of some sort.

In typical ESD environments, you would use an NC (powered) connection. You can use this setup for many safety shutdowns without compromising normal ops and eliminate garbage trips, so long as your power is stable and you have a UPS that actually works.

What you try to do is this: monitor the primary PLC watchdog circuit (or build one if not inherent) and its control outputs. If, for a given amount of time, the primary WD does not reset, switch to SEC control, check power bits and react accordingly.

It's a fairly simple setup; it does require some good programming skills and the ability to design relay logic, but it will save some bucks if true redundant control is just not possible.

This is a simple explanation but you've not given much to work with.

If you want a good consultant not so high-dollar, I'm in Denver.


Analog Process Systems
With such a logic, you can always ensure that you get a trip signal in the event of a failure.

If we assume that the particular input is a critical signal, then, for example, if input 1a says trip, PLC 1 has to say trip, irrespective of what 1b, 2a and 2b say. Those three could be saying no problems.

And in a proper fail-safe condition, the outputs from both the PLCs would have to say safe for the plant to run. So you can say that in the event of any of 1a, 1b, 2a, 2b failing, you will trip the plant.

You can circumvent this by counterchecking the 1a and 1b inputs with the 2a and 2b inputs. How? Well, when 1a says fault, use the communication between the PLCs to check what 2a and 2b say and do 3-of-4 logic when communication is healthy. And when communication is not healthy, then do the normal logic and trip. If 1a and 1b both say problem, then trip; no need for checking what 2a and 2b say.

Apply the same logic for the other three inputs.

If you have 4 outputs, then you can hardwire them in such a way that if 2 say trip, then trip. But yes, if any two outputs fail, the plant trips!

But this will definitely have some effect on the communication network. If possible, put a communication block between the two PLCs for this purpose.
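An added example, not written by the poster above: the input cross-check rule described in that post, spelled out so its trip behaviour can be checked for every combination of the four inputs with the link healthy and with it down. The reading of "3 of 4 logic" used here is an assumption: a lone trip vote is discounted only when the other three channels all say healthy, and both PLCs apply the same rule with their outputs in series, so either PLC tripping trips the plant. Channel and function names are constructed for the example.

```python
from itertools import product

# Constructed example: the cross-checked input voting described above.
# Channel value True = "this input says trip".
CHANNELS = ("1a", "1b", "2a", "2b")
OWN = {1: ("1a", "1b"), 2: ("2a", "2b")}  # which channels each PLC reads directly

def plc_decision(plc, inputs, comm_ok):
    """Trip decision of one PLC. comm_ok must come from a watchdog/timeout on the
    inter-PLC link (assumed here), not merely from a connection flag, because a
    stale 'healthy' copy of the other PLC's inputs would discount a real trip.
    Returns (trip, reason)."""
    own = [inputs[c] for c in OWN[plc]]
    if all(own):
        return True, "both own channels demand trip; no cross-check needed"
    if not any(own):
        return False, "no own trip demand"
    # Exactly one own channel demands trip: cross-check if the link is healthy.
    if not comm_ok:
        return True, "one own channel demands trip and comm is down: plain logic, trip"
    votes = sum(inputs[c] for c in CHANNELS)
    if votes >= 2:
        return True, f"{votes} of 4 channels demand trip"
    return False, "3 of 4 channels say healthy: treat as a failed input, alarm only"

def plant_trips(inputs, comm_ok):
    """Both PLC outputs are in series, so either PLC tripping trips the plant."""
    return any(plc_decision(p, inputs, comm_ok)[0] for p in OWN)

def survey(comm_ok):
    """Over all 16 input states, count how many trip the plant and how many of
    the four single-channel discrepancies (exactly one channel says trip) do."""
    total = single = 0
    for bits in product((False, True), repeat=4):
        inputs = dict(zip(CHANNELS, bits))
        if plant_trips(inputs, comm_ok):
            total += 1
            if sum(bits) == 1:
                single += 1
    return total, single

if __name__ == "__main__":
    for comm_ok in (True, False):
        total, single = survey(comm_ok)
        print(f"comm_ok={comm_ok}: {total}/16 input states trip, "
              f"{single}/4 single-channel discrepancies trip")
    lone = {"1a": True, "1b": False, "2a": False, "2b": False}
    print("lone 1a trip, comm healthy:", plc_decision(1, lone, True))
    print("lone 1a trip, comm down:   ", plc_decision(1, lone, False))
```

With the link healthy, the four single-channel discrepancies no longer trip the plant (they should raise an alarm and be investigated), while every state with two or more trip votes still does; with the link down the logic degrades to the plain rule and any one channel trips. That degraded mode is the price of the scheme: a flaky communication path turns the cross-check off and brings the nuisance trips back, which is why the post suggests a dedicated communication block.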

Hi Anon, please visit my website www.smbd.org and follow the reliability link. Redundancy and fault tolerance are two different phrases with different meanings.

There seems to be some confusion as to whether you are looking for redundancy, or looking for your system to tolerate a particular type of fault or generic faults.

It seems like you have gone some way and have large files of designs, procurement meetings, and so much stuff that cannot come across in a few lines of email.

By your description you seem to be going for 1:1 redundancy. There are several such products from Siemens, Allen Bradley, Modicon, GE Fanuc and others. You will have to talk with your existing supplier and enquire how he could provide you with standard redundancy using the components that you have already purchased. By the way, can you open up and tell us what hardware you have with you, so there can be some specific help? Whatever it is, you can create simple 1:1 logic inside your system, or do parallel processing and, by using hardwired "OR" and "AND" logic, create a system that can provide you with the required level of safety. But this will not be fault tolerant to your expectations. You have probably already done some engineering yourself to date, so you / your engineers know the technical details best.

If you try to put two PLCs in two racks and try to get what you want, you may leave out the various problems that have been encountered in redundant systems over the last few decades, experience which is now incorporated in standard redundant PLCs. Maybe you will waste a lot of time and resources in reinventing the wheel of redundancy and internal fault tolerance!

You have one additional problem, i.e. your SIL 2 certification. Your selection of system has to be guided by your SIL 2 certification, followed by your company's needs and your perception of likely faults that can occur because of systems inside your workplace.


Anand Iyer

Visit http://www.smbd.org
The website that changes regularly
Cruise Control project ongoing on www.smbd.org