
Articles and Technical Papers

Applying Safety Systems in Certified Environments Utilizing Remote I/O and Communications

ISA (Oct. 1998)

    Thomas A. Walczak, P.E.
    Chief Critical Systems Engineer
    3506 Highway 6 South, #361
    Sugar Land, Texas 77478-4401
    The United States of America

    Michel E. Maes, President
    Data-Linc Group
    2635 151st Place NE
    Redmond, Washington 98052
    The United States of America

The applications of safety systems have evolved rapidly with advances in microprocessor technology since the early 1980s. Utilizing existing technology and current fault tolerant and/or fail safe control systems, today's Programmable Logic Controllers can provide highly scalable and flexible solutions for Emergency Shutdown Systems. As regulations (Federal, Provincial, Municipal), codes and guidelines become more definitive and stricter, Safety Interlock Systems (SIS), by decree, must become more reliable, and yet stretch the invitation of technology for distributed remote I/O operation and device communication.

Applications in the oil and gas, petrochemical, and other industries where there are considerations for environmental control, improved safety, better operating economics and compliance with emerging standards have created an increasing demand for distributed systems requiring remote connectivity. This paper explains how current microprocessor-based solutions utilize proven techniques to accomplish this distributed control goal for critical safety systems.


Safety certified programmable logic controllers (PLCs) have been applied in critical industry applications for many years. They can be seen in all applications from high data calculation rate pipeline compressor control to process loop oriented chemical production and from slow hoist control to high-speed gas turbines. However, when it comes to distributed I/O and remote data acquisition, safety interlock systems using triple modular redundancy (TMR) or dual technologies to provide fault tolerant and/or fail safe operation have made limited inroads.

The question is why have the manufacturers ignored this user driven market demand? The answer lies not in the design of the PLC controller itself, but in the I/O structure communications and coupling. Most safety I/O subsystems have been designed for limited production of less than 1,000 systems annually. The result is a market driven objective to maintain low cost, and as a result, they have inherent design limitation characteristics which allow for only the so-called "card and rack" technology. This is the opposite of a mass produced purpose specific designed I/O communicating on a LAN system which can integrate remote intelligence, voted operation, and either remotely, independent of the CPU, "fail to safe" or provide "fault tolerant" modes of operation.

Today's microprocessors offer both low cost and enhanced intelligence that can be used in the new generation safety systems. "Smart switch" technology enhancements include the ability for competitive cost distributed I/O architecture, self-testing on-line, real time fault diagnostics and reporting. Low volume production has traditionally made it a challenge to provide current technology developments economically. Mass-produced PLCs, using the advanced technologies inherent in them, support configurations that include TMR and dual redundant solutions. Capabilities in the remote I/O and communications off-load CPU diagnostics and independently offer improved deterministic functionality.

Increased Reliability and Availability:

Purpose Specific integrator PLC vendors currently use the "redundancy" approach to increase system availability. Redundant and/or "fault tolerant" system architectures can be used to make systems more fail safe by increasing the reliability. Some people use the terms "fault tolerant" and "redundant" interchangeably. A distinction should be made between the two:

"Redundant systems have individually-specified duplicated (or more) components and manual or automated means for detecting failures and switching to backup devices."

"Packaged fault tolerant modules (systems) have internally redundant parallel components and integral logic for identifying and bypassing faults without affecting the output."

The job of a fail-safe control system is to bring the controlled process to a pre-defined "safe" state. The operation of the system can be triggered by quality concerns, environmental constraints, hazardous conditions or other unacceptable operational parameters. For local or remote operation of the I/O, this fail safe and/or fault tolerant operation must be maintained. Figure 1 shows a fault tolerant TMR hardware configuration.

I/O on Twisted Pair or Fiber Cable

Figure 1. A typical TMR Configuration

The ultimate safety goal of a dual or triple modular redundant system is to provide fail safe control in a fault tolerant mode. This allows the system to continue while any single fault is detected, diagnosed, isolated, and repaired before a second fault can occur.

Availability (REVEALED) is a function of reliability as measured by MEAN TIME BETWEEN FAILURE (MTBF) and MEAN TIME TO REPAIR (MTTR):


The MTBF and hence the availability of a Dual 1oo2D or TMR system can be extremely high when compared to that of a simplex (1 out of 1) system.

MTBF(1oo1) = 1 / (FR_1 + FR_2 + ... + FR_n)
           = 1 / (sum of device failure rates)
MTBF(1oo2) = 1/2 MTBF(1oo1)^2 / (2*MTTR)    (for MTBF >> MTTR)
MTBF(2oo3) = MTBF(1oo1)^3 / (3*MTTR)    (for MTBF >> MTTR)

The MTBF of a typical SIS (Safety Interlock System) remote I/O and communications [1] can be an order of magnitude greater than that of the SIS (CPU Sub-system [2], I/O controllers [3], and actuator-sensor I/O devices). Fault tolerant LAN configurations can be used to increase reliability with that of the rest of the safety system. In fact, the hard wired sensors and actuators [4] outside of the PLC system hardware constitute the majority of failures within the overall control system architecture. The following failure distribution represents all of the failures within the control "system" in Figure 2:

Figure 2. Failure Distribution

For remote critical I/O and communications signals required in a distributed SIS, the ability to detect and report failures is essential. If the fault is of the type that causes the system to fail safe, it is considered an FTS (Fail-To-Safe) fault. For a normally energized system, the system is immediately tripped. In this FTS case, the MTTD (Mean Time To Diagnose) is fast because it causes an instant system shutdown. However, if the fault is of an unrevealed type, then the MTTD could be such that the fault is considered an FTD (Fail-To-Danger) fault: the system did not trip upon the failure, and the fault remains undetected for a longer period of time, up to infinity. The MTTD should be minimized from the time the FTD fault actually occurs until it can be detected by the system.

This may be too late to prevent equipment or personnel danger. Here is where microprocessor based I/O with its "smart" capabilities allows distributed remote I/O capable Programmable Logic Controllers (PLCs) to provide excellent support for safety critical applications. 100% on-line diagnostics can be obtained from a combination of I/O level and CPU embedded test code.

I/O Architecture:

Remote I/O architectures using on-board microprocessors enable the I/O to fulfill the requirements of complete online electrical testing. Due to the power of today's smart devices, these micros actually add functionality over and above conventional PLC I/O. These enhancements include the ability to self diagnose and report faults back to the CPUs (i.e. short circuits, no loads, input fail-to-high, loss of communication, etc.).

With diagnostics integrated directly into the I/O structure, the MTTR is reduced dramatically since fault detection, reporting, isolation and repair are made possible within very short time periods. By off-loading some of the system testing from the CPU directly to the I/O architecture, overall system response is improved.

Complete on-line automatic control testing accomplished for outputs must be such that no "bump" occurs in the controlled output, nor is the system operation in bypass during the test time as diagrammed in Figure 3. Key to this is the ability to test output points for on/off switching without actually switching the load. The initiation of the tests rotates from each of the PLCs. Test results are reported to all three processors via the LANs.


Figure 3. Automatic Control Testing

For inputs, the ability to report status or value and diagnostics to multiple PLCs at the same time without PLC intervention is essential for high-speed operation. This eliminates the need for CPU to CPU interprocessor communications for I/O data exchange, excludes the need for common "voters", and makes it virtually impossible for one processor to corrupt another.

Providing remote location (and distribution) of the CPUs and I/O reduces installation wiring costs, increases reliability, and reduces catastrophic geographical problems (i.e. fire in a single location). Advanced high speed LAN technology is essential to implementing this successfully. The deterministic (IEEE 802.4) I/O LAN communications protocol has an embedded 2oo3 data signal voting system with robust CRC-6 error checking on each segregated independent triplicated LAN. Reduced reliance on the CPU itself via more remote intelligence, again, reduces the probability of one processor corrupting another.
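The 2oo3 voting and per-LAN CRC checking described above can be sketched as follows. This is an added example, not code from the paper or from any PLC vendor. It assumes a generator polynomial of x^6 + x + 1 (the paper names CRC-6 but not the polynomial), a frame layout of payload plus one CRC byte, and an all-zero payload as the fail-safe value.

```python
from collections import Counter

CRC6_POLY = 0x03      # assumed generator x^6 + x + 1; the paper gives no polynomial
SAFE_STATE = b"\x00"  # assumed fail-safe value: every discrete input read as off

def crc6(data: bytes) -> int:
    """Bitwise CRC-6, most significant bit first, zero initial value."""
    crc = 0
    for byte in data:
        for shift in range(7, -1, -1):
            feedback = ((crc >> 5) ^ (byte >> shift)) & 1
            crc = (crc << 1) & 0x3F
            if feedback:
                crc ^= CRC6_POLY
    return crc

def make_frame(payload: bytes) -> bytes:
    """I/O block side: append the CRC so each LAN copy can be checked on its own."""
    return payload + bytes([crc6(payload)])

def check_frame(frame):
    """Return the payload if the frame arrived and its CRC matches, else None."""
    if not frame or len(frame) < 2:
        return None
    payload, received = frame[:-1], frame[-1]
    return payload if crc6(payload) == received else None

def vote_2oo3(frames):
    """Vote the copies received on LANs A, B and C.

    Returns (value, suspect_lans, tripped). A LAN is suspect when its frame is
    missing, fails the CRC, or disagrees with the majority. With fewer than two
    agreeing copies the voter reports SAFE_STATE and tripped=True.
    """
    good, suspect = {}, []
    for lan, frame in zip("ABC", frames):
        payload = check_frame(frame)
        if payload is None:
            suspect.append(lan)
        else:
            good[lan] = payload
    tally = Counter(good.values()).most_common(1)
    if tally and tally[0][1] >= 2:
        value = tally[0][0]
        suspect += [lan for lan, p in good.items() if p != value]
        return value, sorted(suspect), False
    return SAFE_STATE, sorted(suspect), True

def flip_bit(frame: bytes, bit: int) -> bytes:
    """Constructed line noise: invert one bit of a frame."""
    damaged = bytearray(frame)
    damaged[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(damaged)

if __name__ == "__main__":
    frame = make_frame(bytes([0b00000101]))  # constructed sample: inputs 0 and 2 on
    print(vote_2oo3([frame, flip_bit(frame, 3), frame]))  # one LAN corrupted
    print(vote_2oo3([None, flip_bit(frame, 9), frame]))   # only one good copy left
```

The suspect list is what feeds fault reporting and repair: a single bad LAN is named while the voted value stays available, and the trip flag is raised only when two agreeing copies can no longer be found.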

Introduction of deterministic Ethernet communication schemes will be commonplace in the near future. As a flexible medium able to share multiple compatible protocols, Ethernet will adapt itself most readily due to its wide acceptance and low cost hardware interfaces.

Extending Remote Capabilities

For remote applications involving the I/O communication to the CPU(s), it is often desirable to communicate to distributed locations or over long distances. This is a requirement when safety systems are involved in large process applications, offshore transportation delivery/shipping, and other similar applications.

For "local" control, some solutions require remote distribution even over short distances. Skid mount turbo-compressors generate high noise and require high-speed robust communications that can be corrupted if no insurance on signal quality is implemented. A wide choice of communication products is available now, specifically designed to function in harsh, industrial environments. These devices provide the foundation for critical safety system communications.

Fiber Optic Modem Technology

Fiber modems may be used to extend range or provide electrical immunity. For protection against transients such as lightning, fiber optics between locations provide total electrical isolation. This same capability can be used to protect against systems that have poor grounding systems, eliminating ground loop paths from existing in the safety system.

Wide ranges of data rates (1200 to 115,200 baud asynchronous and from 1 to 100 Mbaud synchronous) are available. The distance for communication over fiber ranges from a few feet to ten miles. Range can be extended further with Repeaters.

Many improvements have been made in the handling and installation of fiber; however, care must still be exercised in the installation of the fiber, which is inherently somewhat fragile. Unless range is greater than a mile or so, multimode fiber is the best choice, as it is lower cost and more robust. The fiber must always be physically protected, kept dry and carefully routed and installed to prevent accidental disturbance or breakage.

Fiber optic modems can be configured to function with redundant "self healing" paths, which will automatically reroute the data-flow if a break in the fiber path or an equipment failure occurs. This is illustrated in Figure 4.

Figure 4. Internal Microprocessor-Controlled Smart-Fault Sense System

Spread Spectrum Radio Technology

Radio modems are another data communication option that also eliminates shifting ground plane and ground loop problems and can be cheaper and more convenient to deploy than either fiber or wire type modems. Rapidly advancing radio technology, much of it derived from military and space programs, has made spread spectrum radio modems an excellent choice for secure and reliable critical data communications. Spread spectrum modems are available with ranges of tens of miles and asynchronous data rates of up to 115,200 baud. Most spread spectrum radio modems operate in the license free ISM (Industrial/Medical/Scientific) 902-928MHz and 2.400-2.438GHz frequency bands.

Frequency hopping spread spectrum technology is designed to be particularly immune to interference. These devices packetize the data stream and transmit the packets on one hundred or more sub-bands using a pseudo-random hopping pattern, as in Figure 5. Any packet that is interfered with is retransmitted at a different frequency, in accordance with a pre-set hopping algorithm.

Figure 5. Frequency Hopping Spread Spectrum Technology Gives High Immunity to Interference
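The hop-and-retransmit behaviour described above can be simulated in a few lines. This is an added example, not code from the paper or from any radio vendor. The shared seed, the use of Python's random module as the hop-pattern generator, and the set of noisy sub-bands are all assumptions made for illustration.

```python
import random

SUB_BANDS = 100  # "one hundred or more sub-bands", as in the text

class Hopper:
    """One end of the link. Both ends build the same hop pattern from a shared
    seed (assumption: stands in for the radio's pre-set hopping algorithm)."""
    def __init__(self, seed):
        self._rng = random.Random(seed)  # illustrative PRNG, not a real radio's

    def next_band(self):
        return self._rng.randrange(SUB_BANDS)

def transfer(packets, seed, noisy, max_hops=10_000):
    """Send packets over a hopping link while the `noisy` sub-bands are unusable.

    Returns (received, log); log holds (packet_index, sub_band, delivered).
    A packet hit by interference is resent on the next hop of the pattern.
    """
    tx, rx = Hopper(seed), Hopper(seed)
    received, log, index = [], [], 0
    for _ in range(max_hops):
        if index == len(packets):
            break
        tx_band, rx_band = tx.next_band(), rx.next_band()
        # Delivery needs both ends on the same sub-band and that band clear.
        delivered = tx_band == rx_band and tx_band not in noisy
        log.append((index, tx_band, delivered))
        if delivered:
            received.append(packets[index])
            index += 1
    return received, log

def fixed_channel(packets, band, noisy):
    """Baseline: a single-frequency link delivers nothing while its band is noisy."""
    return [] if band in noisy else list(packets)

def retransmissions(log):
    """Number of hops on which a packet had to be sent again."""
    return sum(1 for _, _, delivered in log if not delivered)

if __name__ == "__main__":
    packets = [b"pkt%d" % i for i in range(20)]  # constructed sample data
    noisy = set(range(40, 50))                   # constructed interference: 10 bands
    received, log = transfer(packets, seed=1998, noisy=noisy)
    print(len(received), "delivered,", retransmissions(log), "retransmissions")
    print("fixed link on band 45 delivered:", len(fixed_channel(packets, 45, noisy)))
```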

Frequency hoppers have been specifically designed to operate in close proximity to each other, easily allowing redundant channel operation. The underlying technology also provides high assurance against interference that might appear from unpredictable sources in the future. Spread spectrum radio modems may be operated point-to-point, multi-point, or multi-drop. Both polling and report by exception configurations may be used. Repeaters (Fig. 6) provide range extension, to overcome line-of-sight limitations and for redundancy. Spread spectrum modems are available with extended environmental operating temperature ranges of -40°C to +75°C.

Figure 6. Multi-Point Spread Spectrum Radio Modems with Repeaters

Ethernet Radio Modem Systems

A new generation of Ethernet radio modems forms a subset of spread spectrum radio modems. Ethernet is emerging as a very popular industrial communication medium, not only because of its speed, but, as importantly, for its ease of application and its inherent data multiplexing capability. The same characteristics described above for spread spectrum radio modems also hold for the Ethernet versions. The 2.4GHz band modems offer higher throughput (typically 1 Mbps) because of the greater bandwidth available compared to the 902MHz band (typically 80 kbps). However, the 902 band offers greater range and is less susceptible to interference. Therefore, if data rate (throughput) is not a critical part of the application, the 902 band is the best choice. Likewise, frequency hoppers are generally more appropriate than direct sequence type spread spectrum radio modems for data reliability reasons.

Note: Some direct sequence modems offer up to 10 Mbps at low ranges under ideal conditions, but any degree of interference will rapidly degrade performance to well below 1 Mbps and could result in total loss of the communications link.

The Ethernet spread spectrum radio modem also lends itself to redundant operation. Both point-to-point and multi-point Ethernet network bridging can be accomplished with ease using dual radio modems on parallel paths. An example of such a scheme is shown below in Figure 7:


Figure 7. Dual Redundant SRM6200E Radio Ethernet System

Wireline Modem Technology

In many cases wire is the appropriate communication path if properly implemented. Sometimes it is the only choice, particularly if distances are very great. A wide range of wire type modems is available for different operating conditions. For shorter ranges, high EMI noise immune modems can be used, often as redundant communication path devices in combination with fiber optic modems. FSK (Frequency Shift Key) is a well established, robust technology that is particularly well suited to operation in high noise environments.

For long range communication utilizing Telco provided lines, both analog and digital line products are now available. If continuous communication is needed, leased lines with a dial-up back-up provide a very reliable redundant link at moderate cost. An example of such a system is demonstrated in Figure 8:

Figure 8. DLM4000 Leased Lines with Dial-up Back-up System

Finally, it should be noted that a hybrid path (fiber/radio/wire) is often the best choice, either in parallel for redundancy, or in series for ease of implementation, economy and optimum performance. Also, high reliability communication paths will often employ back channel communications for diagnostics, maintenance and programming. Such back channel communications can be employed for emergency primary communications if the system is designed with the appropriate data path switching.


A High Integrity SIS With Remote I/O and Communication Topology

Distributed Modular Redundancy (DMR) utilizes existing technology based on standard block I/O and PLC products for safety certified simplex, duplex, triple and hot-standby architectures. By using the embedded purpose specific capabilities (the 1oo1, 1oo2, 2oo2, and 2oo3 input voting, alarm handling routines, error checking, etc.) in the communications network, a reliable and cost effective off the shelf solution using existing PLC system components can provide high reliability remote operation.

Using wireless direct and/or spread spectrum radio-modem technology extends the system overall capability for long distance supervision. Fiber optics eliminate point to point electrical interference and provide high-speed data transfer. Wireline modems extend the limits of controlled access for diagnostic and information retrieval. Using remote features can enhance the system capabilities and reliability.


  1. Maes, R., Steffey, J., "Repairing The Weak Link In Data Acquisition and Control", A-B Journal, 1997

  2. Cieri, J., Walczak, T., "Fault Tolerant Triple Redundant Programmable Controller Architecture Design Consideration Capabilities", ESD / IPC Proceedings, Detroit 1993

  3. Jones, R., Sikora, D., "Emergency Shutdown System", IEEE paper PCIP-89-04

  4. Walczak, T., "Critical Control Capabilities Using Programmable Controllers", ISA Proceedings, Houston 1992

  5. Walczak, T., Hefner, R., "Fire and Gas Safety System Integration into PLCs Using Intelligent I/O Devices", ISA Proceedings, Chicago 1993

  6. Walczak, T., "Emergency Shutdown Systems Using Programmable Logic Controllers in a Fault Tolerant Configuration", IEEE Tutorial, Amarillo 1993
