Hiya-
ScottyUK posted a reference to the Guardlogix manuals which I perused. They are very interesting and bring up some good points for any design.
1. First and foremost, safety comes from the design rigor and/or designing for safety. Well, yep. In the computer biz, the old saying of 90% of the code runs 10% of the time. A corollary is that the majority of the code takes care of "non normal" process flow.......
2. The implementation of a watchdog timer. This can be easily incorporated into almost any plc design that has timers. Although the Rockwell includes a lower level watchdog timer, one can easily implement his/her own in ladder logic. Something to think about for the design cycle of ANY plc type design. However, see note 4 below.
3. Similar to this are the concepts of remote hardware verification of I/O functionality. On input it seems to be open circuit type faults and on the output side, monitoring of the output to actually verify that the hardware output operation has occurred. Along with this the Rockwell seems to place a lot of emphasis on "pulse testing" of the system.
I'm not too sure as to the validity of this. Still, things like having an extra set of contacts on the relays to monitor the state of the switch might be in order. I would feel that DC instead of AC ought to be passed as the detection of AC might lead to "interesting" delays, but OTOH, this too could be a rung in the ladder program. Something like:
If the hardware output of interest is asserted AND the input representing the voltage to the load is NOT asserted, THEN set the FAULT relay.
I found it interesting that one of the Rockwell figures showed that primarily faults occur in the sensors and actuators with only 10% of the PFS being in the controller. Hummmm, I have a feeling that this is HARDWARE only. If thorough system analysis is done, including the software, the figure might be a bit higher......
4. For most of the PLCs' life, there have been "master relays". This one gave me pause for thought. When I designed the little PLC that I have, the master relay was/is a bit in a "special flags register" along with the state of the overflow bit, the zero bit, etc. The state of the master relay is de-energized during the output of the PLC cycle. There is naturally a delay for this synchronous process to occur. Indeed one might argue to have an "asynchronous" rule set for the master relay. Hummm, going to have to think about that one. Might have to turn on the WDT on the PIC for my code generator.......
5. Redundant systems. I have dealt with redundant systems and this, IMHO, is one of the hardest parts of systems architecture. It is also the hardest to analyze. I might suggest that as an addendum to the proof testing of the Rockwell documentation, if one were rigorous with the testing, one would include deliberately faulting the primary controller and verifying proper switch over rather than just testing both sides individually as suggested. And indeed, fault insertion of the secondary controller and watching a report of the secondary fault on the primary controller. From what I skimmed through the manual, it seems that they use a "heartbeat" type control. With careful design, these too can be implemented with ladder logic. However, one could easily get oneself going around in circles.
As ScottyUK pointed out, programming would be interesting. From what I could see, and NOT what I had hoped for, was that it's still pretty much the same old ladder logic programming. I was hoping for some sort of automated analysis of the resulting code to determine the safety feasibility of the designed code. Remember the old "lint" program in unix for C code? Something a little more system integrated than just that. Sigh, maybe in the future.
So, with that in mind the old adage:
"Safety is designed in" is still the watchword.
Cheers,
Rich S.
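The two ladder ideas in the post above, a software watchdog rung and the "output asserted AND load-voltage feedback NOT asserted, THEN set the FAULT relay" rung, as an added scan-cycle simulation that is not part of Rich S.'s post. The class and its names (PlcSim, scan, run) are hypothetical, the I/O sequences are constructed, and the discrepancy rung carries an on-delay so a slow feedback signal (the AC-detection delay mentioned above) does not nuisance-trip.

```python
# Added example: a minimal PLC scan simulator (hypothetical names, constructed I/O).
class PlcSim:
    def __init__(self, wdt_limit=3, discrepancy_limit=2):
        self.wdt_limit = wdt_limit                  # scans allowed without a WDT kick
        self.wdt_count = 0
        self.discrepancy_limit = discrepancy_limit  # scans a mismatch may persist
        self.discrepancy_count = 0
        self.fault = False                          # the FAULT relay (latches)
        self.master_relay = True                    # energized while healthy

    def scan(self, output_cmd, feedback_in, kick_wdt=True):
        """One scan: evaluate the rungs, return the state of the FAULT relay."""
        # Watchdog rung: the main logic must "kick" every scan; if it stops
        # (hung routine, stalled comms), count up and trip after wdt_limit scans.
        self.wdt_count = 0 if kick_wdt else self.wdt_count + 1
        if self.wdt_count >= self.wdt_limit:
            self.fault = True

        # Discrepancy rung with on-delay: output commanded AND feedback absent.
        # A single scan of mismatch is tolerated (slow AC detection); a mismatch
        # that persists for discrepancy_limit scans is a real output failure.
        if output_cmd and not feedback_in:
            self.discrepancy_count += 1
        else:
            self.discrepancy_count = 0
        if self.discrepancy_count >= self.discrepancy_limit:
            self.fault = True

        # Master relay drops out on any fault, so outputs are de-energized
        # at the end of the scan; the fault stays latched until a reset.
        self.master_relay = not self.fault
        return self.fault


def run(events, **kw):
    """Run a sequence of (output_cmd, feedback_in, kick_wdt) scans; return FAULT per scan."""
    plc = PlcSim(**kw)
    return [plc.scan(*e) for e in events]


if __name__ == "__main__":
    # Feedback one scan late: tolerated.  Feedback never arrives: fault on scan 2.
    print(run([(True, False, True), (True, True, True)]))    # [False, False]
    print(run([(True, False, True), (True, False, True)]))   # [False, True]
    print(run([(False, False, False)] * 3))                  # [False, False, True]
```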