PLC/PAC with Secure Partitioning


Thread Starter

Rawkstar

I'm trying to find a commercial PLC or PAC that will support multiple programs at different safety levels executing on a single processor.

More specifically, what I need is a PLC or PAC whose run-time operating system guarantees that any failure resulting from a defect in a program operating at a lower safety level can not, under any circumstance, disrupt the operation of the higher safety level functions.

I know there are various RTOSes out there that claim to support such a design for embedded processing (e.g. Green Hills INTEGRITY-178B), but we typically use PLCs in our control system designs, so I'm hoping to find a PLC (or similar) that supports this.

Does anybody know of any PLCs or PACs that support this?
 
I know that Siemens was selling a PLC with safety and non-safety functions in the same system. I don't know if they were in the same CPU however. As long as the integration between the safety and non-safety systems is good though, the details of the implementation shouldn't matter. I've also seen dedicated press control packages (for stamping presses) with combined functions.

 

James Ingraham

I can tell you that neither Siemens nor Allen-Bradley safety-rated PLCs do this. In either system, if you fault the processor in your non-safety program you'll halt the safety program as well. You'll fault to a safe state, of course, but it won't be running anymore.

Any reason not to just use two separate PLCs?

-James Ingraham
Sage Automation, Inc.
 
You could try Rockwell Automation; their Trusted range will allow this, as will their AADvance if you're looking to only go to SIL2, I believe.
 
>Any reason not to just use two separate PLCs? <

There is a very good chance that we would just go with two separate PLCs, since we have always done this in the past, but I just want to see what other options are available.

Some advantages to using one PLC are:
- Take up less space (though limited space generally isn't a concern)
- Simplified electrical design
- Only need to have spare parts for one type of PLC
- Potential hardware cost savings
- Reduced documentation and effort for installation, commissioning, maintenance, etc.

There would be some disadvantages as well:
- Poor performance due to entire program running on safety PLC
- Difficulty convincing certification authorities that design is safe
 
>- Only need to have spare parts for one type of PLC

With the ones that I have seen, the "safety" related components are special, so you need both safety and non-safety spare parts.

>- Potential hardware cost savings

I wouldn't count on that until you get firm prices on a system.

>- Reduced documentation and effort for installation, commissioning, maintenance, etc.

I would be cautious of coming to such a conclusion without having looked into it further.

To add to the potential disadvantages, it would be such a niche product that getting spare parts (especially the safety related ones) might be a long term problem. Also, doing process improvement related upgrades can be more difficult because you can also be affecting the safety system, which may have to be re-certified.

The main advantage for an integrated system would be if the process control system and safety interlock system needed to be closely integrated for operational reasons. In that case you might be willing to pay a premium for that capability.
 
>> - Potential hardware cost savings <<

>I wouldn't count on that until you get firm prices on a system. <

Agreed. What I'm thinking here is that, as opposed to using two separate PLCs that read the same inputs, thus requiring two sets of input modules, it would be possible to just have one set of input modules. They would all have to be "safety" modules, which are more expensive, but you would have to buy them for an independent safety PLC anyway.

One potential cost increase may be that, with a 2 PLC system, you may be able to get away with a less powerful/less expensive safety PLC, but when you put all functionality into one safety PLC a more powerful/more expensive PLC is required, which may ultimately be more expensive than buying one normal PLC and one less powerful safety PLC.

>> - Reduced documentation and effort for installation, commissioning, maintenance, etc. <<

> I would be cautious of coming to such a conclusion without having looked into it further. <

I was thinking one installation procedure instead of two. One PLC to maintain instead of two. But on second thought, the commissioning procedure would not be any less. There would just be one instead of two but it would be twice the size.

> To add to the potential disadvantages, it would be such a niche product that getting spare parts (especially the safety related ones) might be a long term problem. <

I'm not so sure this is a niche product. In fact, I think you will see more PLC manufacturers making systems that support this in the future. From what I've read on the manufacturer's websites, I think these two PLCs will do what I am looking for (though further investigation is still required):

- Siemens Fail-Safe S7-400
- Rockwell Automation GuardLogix Integrated Safety System

> Also, doing process improvement related upgrades can be more difficult because you can also be affecting the safety system, which may have to be re-certified. <

The idea would be that, since the software is partitioned into two independent parts, there is no way that a change to the non-safety functions could affect the safety functions. So, no re-certification should be required if only the non-safety part is modified.

If the process improvement requires changes to the safety functions, then this would be the case even if the safety functions were implemented on a separate PLC.
 

curt wuollet

To me it seems the single point of failure would override any cost savings. After all, you're going through a lot of trouble to be safe. I'd just use two PLCs and be done with it. You could select well networked PLCs so they can watch each other.

Regards,
cww
 
When the safety functions are handled by a separate device, the dividing line between the safety and non-safety control elements is reasonably clear. When they are in the same rack, however, there are grey areas. If you are making a simple program change, there shouldn't be a problem. If you start moving and replacing cards in the rack or changing the CPU model, there is potential for error.

Whether or not this is a problem depends on what country you live in. In many countries you are required to have an engineering report that states the equipment meets all applicable laws and regulations. In those cases it is not enough to simply say "there is no way that a change to the non-safety functions could affect the safety functions". You have to prove it.

In the end, whether a single combined safety and control system is a good idea or not depends on the type of application. In some cases it makes sense, and in others it doesn't. I looked into using this type of system a few years ago, and concluded it didn't make sense for the types of applications I was dealing with.
 
This has been a great discussion and I'd like to thank everyone for their input.

Although I still believe this sort of architecture is a viable option, I don't think I'll ever implement a safety control system in this manner. The main reason being that there will be far too many people reviewing/approving the design who will be difficult to convince that the potential cost savings outweigh the risks. Sometimes it is easiest just to stick to the same old way of doing things because we know it works well and everybody accepts it as the way to go.
 
Why not create a whole PLC program with two main areas, safety and control, in one safety PLC? This PLC (RTP3000) can do online downloads of the whole program, so no stop is required.

Hot-swappable hardware.

Faster response: scan cycle 5 ms, and response time 12-16 ms, which is fast for many control applications. IEC 61511 section 11.2.2 lets you do it.

regards
 

Joshua Goodall

Two points to your question.

First off you can install 2 separate processors into an AB ControlLogix rack and share I/O between them. So you could potentially have your main program in one and the safety in the other. This would enable you to lock the safety side of the system down and leave the other open.

Second, the AB GuardLogix allows you to have separate programs with the ability to lock the safety portion of the program.
 