What's in a name?
When the name is Safety programmable logic controller (PLC), the meaning seems obvious—a special class of PLC designed for use in safety critical applications.
Yet one fact that may not flow intuitively from the moniker is among the primary reasons these products may be primed for wider use by industrial companies. Namely, that Safety PLCs and associated safety networks can help save money and boost productivity.
So far, the market is relatively small. Sal Spada, a research director at ARC Advisory Services, Dedham, Mass., estimates that worldwide sales of Safety PLCs alone this year will total less than 25 million, compared to a market of about .45 billion for standard PLCs, excluding input/output (I/O), software and services sold separately.
But with time, says Spada, that is likely to change. “There’s a large untapped market for Safety PLCs,” he contends. “Once end users start to understand the concept, and how to employ it, you’ll see Safety PLCs taking on the same adoption curve that the original PLC took on in the early 1970s,” Spada predicts. “I think it’s going to be extremely high growth.”
Money savers
One reason for the optimism is the growing influence of international safety standards such as the IEC 61508—the International Electrotechnical Commission standard that governs functional safety in programmable electronic systems. As more end users become familiar with the standards, they are beginning to recognize the savings associated with Safety PLC-based systems, say industry sources.
Safety PLCs can produce bottom-line benefits for manufacturers in a variety of ways, Spada and others point out. Just as standard PLCs emerged as programmable replacements for hardwired relay logic in the 1970s, saving oodles of money in reduced wiring and engineering costs, Safety PLCs promise to do the same for safety relays. Moreover, Safety PLC-based systems are less prone than hardwired safety systems to “nuisance trips” that can unnecessarily shut down a factory operation. And they are much easier and faster to troubleshoot, resulting in less machine or process downtime.
“If I have some big, giant panel with tons of relays that failed at 3 a.m., and I’m trying to figure out what tripped and why, a microprocessor-based (Safety PLC) system is ten thousand percent the way to go, because it’s got diagnostics,” declares Mike Scott, vice president of process safety at AE Solutions, a Greenville, S.C.-based safety systems integrator.
AE Solutions earns the majority of its revenues in the process industries, which have historically made wider use of Safety PLCs than the manufacturing industries. But some vendors note that sales and interest in Safety PLCs lately have been picking up among manufacturers—particularly automotive. “The automotive industry is one of the early adopters in implementing Safety PLC-based solutions, because they’ve recognized the cost savings and benefits associated with it,” asserts Filomena Wardzel, automation solutions business manager at the Siemens Automation and Motion division, Alpharetta, Ga.
GM buys in
One case in point is General Motors Corp. The automaker will go live with several Safety PLC-based safety networks for the first time in a production environment this fall, says Craig Ulrich, engineering group manager, control development, at the GM Technical Center, in Warren, Mich. As part of a new vehicle program at GM’s Lake Orion, Mich., assembly plant, the company is deploying about 18 Allen-Bradley Guard Safety PLCs from Rockwell Automation, Milwaukee. Configured on Ethernet safety networks, the Guard units will provide safety monitoring and “control-reliable” access for plant personnel to robotic work cells that build vehicle doors, hoods and trunk lids.
Further, the Lake Orion program is only the beginning. “Starting in 2004, we will design all of our facilities using Safety PLCs,” says Ulrich. He provides no timetable for the rollout. But eventually, says the GM engineer, the company plans to deploy around 250 Safety PLCs for use in safety critical applications in each of 44 factories—for a total of around 11,000 Safety PLCs.
That’s a lot of boxes and modules. But GM isn’t making the move because its current systems are unsafe. “We’re already the safest company in the automotive industry, and we have the data to prove that,” Ulrich declares. “So we don’t feel we’re enhancing our safety at all by going to Safety PLCs. We’re really doing it to take cost out of our systems.”
GM’s current approach to safety includes fenced equipment work cells with gated entry systems monitored using control panel-mounted safety relays. By replacing the safety relays with a safety network and a Safety PLC for each cell, GM expects to reduce hardware and cabling costs by about 14 percent, with an additional 15 percent to 20 percent savings in engineering costs, says Ulrich. Without the safety relays, “the hardware design for the panels is minimized significantly,” he notes.
An added benefit will be better productivity, Ulrich confirms. “When we look at the mean time between failures and mean time to repair on safety relays, we know that our uptime is going to improve with Safety PLCs,” he says. “Compared to safety relays, it’s a lot easier to troubleshoot the Safety PLC circuits.”
Doubling up
Despite the growing interest in Safety PLCs, the idea is not new. Safety PLCs trace their history to the late 1970s and the early 1980s, say industry sources, when the first safety-specific PLC products emerged for use in the process industries.
In the early days, users also often configured standard PLCs in pairs for use in safety applications, notes Frank Watkins, safety control program manager at Rockwell. That approach—still sometimes used today—enables a safe and orderly equipment shutdown by the redundant PLC unit if the primary unit fails, Watkins notes. But it is also expensive, he says, requiring a great deal of engineering, hardware and custom software to support the safety function.
Safety PLCs, by contrast, typically build redundancy into a single PLC chassis. “In a Safety PLC, you may have two, three or even four microprocessors that perform the exact same logic, check against each other and only write the outputs if there’s agreement,” Watkins explains. “And those microprocessors will be diagnosing each other from time to time to make sure that they are all operating correctly.” On average, a dual-processor Safety PLC may be priced at a 25 percent to 30 percent premium over a comparable standard PLC, Watkins says.
Architecture wars
Different vendors offer varying architectures. Rockwell’s Allen-Bradley Guard Safety PLC line, for example, incorporates two identical central processing units and includes a variety of built-in self-monitoring hardware systems and diagnostics. The Guard relies on an architecture known as “1 out of 2D,” in which the D stands for diagnostics, and the 1 out of 2 implies that if a fault is detected in one of the two processors, the other can execute a safety function or bring the system to a known safe state.
Another twist on the dual-processor approach involves a combination of diversity with redundancy in central processing units. The Programmable Safety System (PSS) line of Safety PLCs from German-based Pilz Automation Safety, for example, uses microprocessors from two different manufacturers. “That way, if there’s some kind of internal bug in one manufacturer’s chip, the other chip is going to catch it, and it will still guarantee a safe condition,” explains Tina Hull, a Pilz applications engineer.
Siemens takes yet a different approach with its S7-400/300 line of Safety PLCs. These products rely on dual processing in a single controller, with safety reliability assured through a technique known as “time diversity,” says Christian Kurtz, a Siemens product specialist. Using this approach, two copies of the safety program execute in parallel, one using 16-bit word mode, and the second using single-bit binary instruction mode.
Like many Safety PLCs incorporating two or more processors, the Siemens S7-400/300 line is certified by a third-party agency for use in Safety Integrity Level (SIL) 3 and Category 4 systems, as defined by the IEC 61508 and EN 954-1 (European Norm) standards, respectively. These are the highest levels typically found in traditional industrial plants.
Unlike some of its competitors, which focus primarily on either the process or the manufacturing industries, Siemens provides both fault-tolerant and fail-safe versions of its Safety PLC products. The Allen-Bradley Guard product, for one, is configured only for fail-safe applications, says Rockwell’s Watkins.
Fail-safe systems are used primarily in manufacturing, and are typically programmed to protect worker safety by safely shutting down machinery when faults or problems occur. Fault-tolerant systems, by contrast, are generally set up to keep processes running when faults are detected. This approach is favored for many continuous process applications in which a shutdown might actually be dangerous to workers or the environment, and could also produce economic damage in lost product or equipment. Fault-tolerant systems are generally designed with “hot-swappable” components, so that a faulty processor or I/O card, for example, can be replaced while the system is running.
“In the machine industry, you want to stop the motion—now—so you don’t hurt somebody. But in the process industry, you want to keep it running, because a forced shutdown might cause overtemperatures or pressure events, for example, that could cause equipment failures and end up leaking flammable or toxic materials,” sums up Bill Goble, principal partner at Exida.com, a Sellersville, Pa.-based safety training and consulting firm.
The variety of Safety PLC architectures and differing approaches on the market can be confusing for end users, observes Scott, at integrator AE Solutions. Safety PLCs suitable for SIL 3 system applications are often configured in 1 out of 2D, 2 out of 2D, 2 out of 4D and triply redundant varieties, while simplex, single-processor units are often sold for use in lower-level SIL 1 or SIL 2 systems. Each approach has its advantages and disadvantages. “The vendors are all fighting architecture wars, saying, ‘Mine’s better than yours,’ ” Scott says.
The “Rolls Royce” of Safety PLCs for the process industries, according to Scott, are the systems from Triconex, in Irvine, Calif., that use three processors as well as triply redundant I/O. “If I have one processor die, it’s no big deal, I degrade to a one out of two scheme. And if another processor dies, I degrade to a one out of one and I’m still making product,” Scott says.
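To make the architectures described above concrete, here is an added software simulation (not code from any vendor or from this article) of the two voting schemes discussed: the 1 out of 2D arrangement, in which two channels must agree before an output is written and a channel that fails its own diagnostics is taken out of the vote, and a triple modular redundant arrangement that degrades from 2 out of 3 to 1 out of 2 to 1 out of 1 as processors are lost, as Scott describes. The second channel is written as a deliberately different implementation of the same logic (bit masks rather than booleans), in the spirit of the diverse-execution approaches above. The cell inputs, channel names and the diagnostic flags are constructed for the example.

```python
# Added example (not vendor firmware): simulating Safety PLC voting schemes.
# Channel names, diagnostic flags and the work-cell inputs are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Inputs:
    """Constructed safety inputs for one robotic work cell."""
    guard_closed: bool
    estop_released: bool
    curtain_clear: bool


def logic_word_mode(i: Inputs) -> bool:
    """Channel logic written with plain booleans (word-mode style)."""
    return i.guard_closed and i.estop_released and i.curtain_clear


GUARD, ESTOP, CURTAIN = 0b001, 0b010, 0b100
SAFE_MASK = GUARD | ESTOP | CURTAIN


def logic_bit_mode(i: Inputs) -> bool:
    """Diverse implementation of the same function using bit masks, so a
    defect in one code path is unlikely to be reproduced in the other."""
    word = ((GUARD if i.guard_closed else 0)
            | (ESTOP if i.estop_released else 0)
            | (CURTAIN if i.curtain_clear else 0))
    return (word & SAFE_MASK) == SAFE_MASK


@dataclass
class Channel:
    name: str
    compute: Callable[[Inputs], bool]
    diag_ok: bool = True  # outcome of the channel's own self-diagnostics


def vote_1oo2d(channels: List[Channel], i: Inputs) -> bool:
    """1oo2D: the permissive output is energised only when every channel that
    passes diagnostics reports 'safe'. A channel whose diagnostics fail is
    dropped and the other continues alone; with no healthy channel left, or
    with two healthy channels disagreeing, the output goes to the
    de-energised safe state."""
    results = [c.compute(i) for c in channels if c.diag_ok]
    return bool(results) and all(results)


def vote_tmr(channels: List[Channel], i: Inputs) -> Tuple[bool, str]:
    """Triple modular redundancy with graceful degradation: three healthy
    channels vote 2-out-of-3; lose one and the scheme degrades to 1oo2 (both
    remaining channels must agree); lose another and it runs 1oo1; lose all
    and it fails safe."""
    results = [c.compute(i) for c in channels if c.diag_ok]
    if len(results) == 3:
        return sum(results) >= 2, "2oo3"
    if len(results) == 2:
        return all(results), "1oo2"
    if len(results) == 1:
        return results[0], "1oo1"
    return False, "fail-safe"


def demo() -> Dict[str, object]:
    """Run the constructed scenarios and return each voting outcome."""
    safe = Inputs(True, True, True)
    door_open = Inputs(False, True, True)
    a = Channel("A", logic_word_mode)
    b = Channel("B", logic_bit_mode)
    # Undetected stuck-at-'safe' fault: this channel reports safe regardless of inputs.
    stuck = Channel("C", lambda _: True)
    out: Dict[str, object] = {}
    out["1oo2d_safe"] = vote_1oo2d([a, b], safe)
    out["1oo2d_door_open"] = vote_1oo2d([a, b], door_open)
    out["1oo2d_stuck_outvoted"] = vote_1oo2d([a, stuck], door_open)
    out["1oo2d_one_diag_failed"] = vote_1oo2d(
        [Channel("A", logic_word_mode, diag_ok=False), b], safe)
    out["1oo2d_both_failed"] = vote_1oo2d(
        [Channel("A", logic_word_mode, False), Channel("B", logic_bit_mode, False)], safe)
    tmr = [Channel("P1", logic_word_mode), Channel("P2", logic_bit_mode),
           Channel("P3", logic_word_mode)]
    out["tmr_full"] = vote_tmr(tmr, safe)
    out["tmr_stuck_outvoted"] = vote_tmr([tmr[0], tmr[1], stuck], door_open)
    tmr[2].diag_ok = False          # first processor lost -> degrade to 1oo2
    out["tmr_degraded_1oo2"] = vote_tmr(tmr, safe)
    tmr[1].diag_ok = False          # second processor lost -> degrade to 1oo1
    out["tmr_degraded_1oo1"] = vote_tmr(tmr, safe)
    tmr[0].diag_ok = False          # nothing left -> fail safe
    out["tmr_all_lost"] = vote_tmr(tmr, safe)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points the simulation makes visible: a stuck-at-'safe' channel that escapes diagnostics is still overruled as long as a healthy channel is in the vote (1oo2D de-energises on disagreement; 2oo3 outvotes it), and the TMR unit keeps permitting production through two processor losses, which is exactly the availability the triple-redundant systems are sold on, at the cost of a larger vote to size and maintain.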
But Scott is quick to add that depending on a user’s application, the high-end Triconex system is not always the way to go. “You need to do a life cycle cost analysis to make sure that you can overcome the initial capital cost, because that Rolls Royce costs you a lot of money,” he says.
At Triconex, a unit of London-based Invensys, Marketing Vice President Bill Barkovitz concedes that his company’s triple modular redundancy (TMR) systems generally sell for a price premium over competitive products. “We would typically be in the range of 10 percent to 20 percent higher than a 1 out of 2D-type system,” he says.
But Barkovitz argues that the premium is minimal, given the overall cost of a typical process industry safety system. “When you include the design, the programming and commissioning, the installation and everything that goes with it, the cost of the hardware is maybe 10 percent of the whole project,” he says. Besides, Barkovitz adds, “we don’t really sell on price. Our customers buy our product because it’s high quality and very easy to use, and for all of the benefits they get with TMR technology.”