The principle of separate safety and basic process control controllers is well known in the process automation and turbomachinery control system environment. With the latest controllers, however, these two separate controllers can often be integrated on one hardware and software platform. How does this work? iAUTOMATION explains the ICSS (integrated control and safety system) concept in this article.
A process-safety certified controller is usually a PLC with additional controller functions that check memory and data consistency while the safety logic executes and manipulates data. This makes sure that data and memory cannot be changed or corrupted unnoticed, either during execution or while stored in the controller memory. Communication with a safety controller uses a safety protocol such as PROFIsafe. These protocols validate every data frame so that data is sent and received in the correct order (consecutive number), unchanged (CRC), from the correct station (codename or address) and in time (watchdog).
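As an added illustration of those four checks (this is not the article's or iAUTOMATION's code, and not the PROFIsafe specification itself), the following Python sketch shows the receive side of a safety layer. The frame layout, the use of CRC32, the station addresses and the watchdog value are constructed for this example; a real safety protocol defines its own CRC polynomials, frame structure and timing rules.

```python
"""Receive-side checks of a safety communication layer in the style of the
PROFIsafe measures named above (consecutive number, CRC, source address,
watchdog).  Added illustration, not iAUTOMATION's code and not the PROFIsafe
specification: the frame layout, the use of CRC32, the station addresses and
the watchdog value are constructed for this example."""

import struct
import time
import zlib

# Constructed frame layout (10 bytes): source address, consecutive number,
# 4 bytes of process data, CRC32 over the first 6 bytes.
FRAME_FMT = "!BB4sI"
FRAME_LEN = struct.calcsize(FRAME_FMT)


def build_frame(src: int, seq: int, data: bytes) -> bytes:
    """Sender side: number the frame and protect it with a CRC."""
    body = struct.pack("!BB4s", src, seq & 0xFF, data)
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """One safety connection. check() returns (accepted, reason, data); any
    rejected frame latches the receiver in the fail-safe state until it is
    acknowledged, as a safety host would do."""

    def __init__(self, expected_src: int, watchdog_s: float, now=time.monotonic):
        self.expected_src = expected_src
        self.watchdog_s = watchdog_s
        self.now = now                  # injectable clock, so tests run offline
        self.last_seq = None
        self.last_ok_t = now()
        self.fail_safe = False

    def check(self, frame: bytes):
        if self.fail_safe:
            return self._fail("fail-safe latched")
        if len(frame) != FRAME_LEN:
            return self._fail("length")
        src, seq, data, crc = struct.unpack(FRAME_FMT, frame)
        if (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) != crc:
            return self._fail("crc")        # not unchanged: corrupted or forged
        if src != self.expected_src:
            return self._fail("address")    # not from the correct station
        if self.last_seq is not None and seq != ((self.last_seq + 1) & 0xFF):
            return self._fail("sequence")   # lost, repeated or reordered frame
        t = self.now()
        if t - self.last_ok_t > self.watchdog_s:
            return self._fail("watchdog")   # not in time
        self.last_seq, self.last_ok_t = seq, t
        return (True, "ok", data)

    def acknowledge(self):
        """Operator reintegration after the fault has been cleared."""
        self.fail_safe = False
        self.last_seq = None
        self.last_ok_t = self.now()

    def _fail(self, reason: str):
        self.fail_safe = True
        return (False, reason, None)


if __name__ == "__main__":
    rx = SafetyReceiver(expected_src=7, watchdog_s=0.1)
    f0 = build_frame(7, 0, b"\x00\x00\x00\x01")
    f1 = build_frame(7, 1, b"\x00\x00\x00\x01")
    print(rx.check(f0)[:2], rx.check(f1)[:2])   # both accepted
    print(rx.check(f1)[:2])                      # replayed frame: rejected, 'sequence'
```

The order of the checks matters: the CRC is verified before anything in the frame is trusted, and the receiver stays in the fail-safe state after the first rejected frame instead of silently resynchronising, because a replayed or reordered frame is exactly what the consecutive number exists to catch.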
In most control systems the safety controllers and IO modules carry a logo or colour coding (typically yellow) to make clear that they are safety equipment. This helps the onsite engineer to find the correct controllers and, for instance, not to modify a fail-safe controller without the authorisation to do so.
In many cases the safety controller is made redundant. This does not improve the safety figure of the loop (the extra hardware can itself fail); it increases the availability of the function, because a single controller fault no longer stops the process. Since redundancy is not a safety measure, an engineer should keep the safety system as a single controller unless the controller also carries tasks for which a stop is unacceptable. The IO, on the other hand, may need a 1oo2 voting arrangement for a given safety loop, so the considerations for IO and PLC are very different. All of this depends on the make and SIL rating of the PLC, IO and field devices and on the SIL requirement of the safety loop.
On the field side, redundancy most often comes into play when PFD values are taken into account. The PFD (probability of failure on demand) of a sensor or actuator follows from the manufacturer's dangerous failure rate and the proof-test interval; higher probabilities are worse. If the value of a single device is not good enough for the target SIL, the safety function may require two of these sensors or actuators. Both must then be in service at the same time: with only one sensor active, the safety loop no longer meets its requirement and may not be considered safe.
Therefore a 2oo3 voting arrangement is often introduced in these functions. Preferably the three sensors come from different manufacturers, because identical devices can fail in the same way at the same time through a firmware or manufacturing defect. This "common cause" failure mode cannot be removed completely (the devices still share the process connection, power supply and environment), but it is reduced by using diverse equipment in one safety function.
The step from two to three sensors is not a safety improvement though; as with redundant IO or PLCs, it builds availability into the sensor arrangement. A 2oo3 loop contains three overlapping two-sensor pairs, so any one of the three sensors can be taken out for maintenance while the other two keep performing the safety function. The remaining pair then runs as a 2oo2 function, which is in fact a degraded 2oo3 loop, when the bypassed channel is forced to the no-trip state (the usual maintenance override); if the bypassed channel is forced to the trip state instead, the degraded loop is 1oo2, so the override setting decides which way the loop fails.
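To put numbers on the reasoning in the last three paragraphs, here is an added Python example (not the article's or iAUTOMATION's code) that computes the usual simplified IEC 61508-6 low-demand PFDavg approximations for 1oo1, 1oo2, 2oo2 and 2oo3 with a common-cause beta factor, maps the result to a SIL band, and implements the koon voter including the maintenance-bypass behaviour of a degraded 2oo3 loop. The failure rate, proof-test interval and beta values are constructed sample figures, not data for any real device, and repair time is neglected.

```python
"""Simplified PFDavg figures and trip-voting logic for the 1oo1 / 1oo2 / 2oo2 /
2oo3 architectures discussed above.  Added example, not code from the article
or from iAUTOMATION.  The formulas are the common IEC 61508-6 low-demand
approximations with repair time neglected; lambda_du, beta and the proof-test
interval used below are constructed sample values, not data for a real device."""

# Low-demand SIL bands from IEC 61508: (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(arch: str, lambda_du: float, t_proof_h: float, beta: float = 0.0) -> float:
    """Average probability of failure on demand for one voting architecture.

    lambda_du  dangerous-undetected failure rate per hour, per channel
    t_proof_h  proof-test interval in hours
    beta       common-cause fraction of dangerous failures (0 = independent)
    """
    x = lambda_du * t_proof_h           # expected dangerous failures per interval
    if arch == "1oo1":
        return x / 2                    # nothing to share a common cause with
    xi = (1.0 - beta) * x               # independent part of each channel's failures
    independent = {
        "1oo2": xi * xi / 3,            # both channels must fail dangerously
        "2oo2": xi,                     # one failed channel already blocks the trip
        "2oo3": xi * xi,                # any two of three: 3 pairs * (xi^2 / 3)
    }[arch]
    # The common-cause fraction hits all channels at once, so it contributes
    # like a single channel with rate beta * lambda_du.
    return independent + beta * x / 2


def sil_from_pfd(pfd: float):
    """SIL level (1..4) whose low-demand band contains pfd, or None if outside all bands."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def vote_trip(channel_trips, k: int, bypassed=(), bypass_as_trip: bool = False) -> bool:
    """koon voter over boolean channel states (True = channel demands a trip).

    A channel index listed in `bypassed` (sensor in maintenance) is replaced by a
    fixed value instead of its live reading.  Forcing it to False (no trip) is the
    usual maintenance override and turns a 2oo3 loop into 2oo2 of the remaining
    channels; forcing it to True turns it into 1oo2 of the remaining channels.
    """
    effective = [bypass_as_trip if i in bypassed else trip
                 for i, trip in enumerate(channel_trips)]
    return sum(effective) >= k


if __name__ == "__main__":
    LAMBDA_DU = 1e-6     # constructed: one dangerous-undetected failure per 1e6 h
    T_PROOF = 8760.0     # constructed: yearly proof test
    for beta in (0.0, 0.1):
        print(f"beta = {beta}")
        for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
            p = pfd_avg(arch, LAMBDA_DU, T_PROOF, beta)
            print(f"  {arch}: PFDavg = {p:.2e}  -> SIL {sil_from_pfd(p)}")
    # Healthy 2oo3, then the same loop with sensor 2 bypassed for maintenance.
    print(vote_trip([True, True, False], k=2))                    # trips (2 of 3)
    print(vote_trip([True, False, False], k=2, bypassed={2}))     # no trip: degraded to 2oo2
    print(vote_trip([True, False, False], k=2, bypassed={2},
                    bypass_as_trip=True))                         # trips: degraded to 1oo2
```

Running it shows the points made in the text: 2oo2 doubles the PFD of a single channel (availability, not safety); 1oo2 and 2oo3 are close to each other and far better than 1oo1 when the channels are independent; and with beta = 0.1 the common-cause term exceeds the independent term by more than an order of magnitude, which is the quantitative reason for using diverse sensors in one function.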
Because the safety controller can be the same make and model as the basic process controller, and the IO systems are often the same and can be mixed, a single PLC can also run both a safety and a non-safety control program. The same principles apply to communication and data processing inside the PLC: basic process data passes through the controller in the normal way, while safety data is processed fail-safe.
The controller will of course carry more load than when it runs basic process control (BPC) alone. Most PLC firmware that allows this integration therefore gives the safety processing priority: when the processor is overloaded, or when both processing groups are scheduled in the same time interval, the BPC execution is delayed by one or more cycles so that the safety processing can continue.
Single units or smaller processes therefore become a lot cheaper when basic process control and the safety system are integrated, and, provided the platform is certified for combined use and the safety program keeps its own access protection and change control, the safety system is not affected by doing so. Further benefits appear when connecting HMI software to the controller: a single HMI solution can be selected, and safety and non-safety equipment can be shown in the same process overview. Engineering also becomes cheaper, as there is one engineering environment and the same engineers can do the programming, and fewer computers and spares are needed on site.
iAUTOMATION is an automation specialist focusing on industrial automation, IT and the links between these two fields. With many years of experience in both the industrial automation and the IT world, iAUTOMATION is a mature partner that will benefit you.
iAUTOMATION delivers complete projects for industrial automation, with a specialty in PCS 7 consultancy and engineering. Other systems are also familiar to us and can be implemented by iAUTOMATION.
With knowledge of virtualisation, networks, domains and IT management, iAUTOMATION is also a suitable partner for your IT questions and projects. We assist you with enthusiasm and expertise, and aim to relieve our customers by tackling their projects proactively and positively.