The subject matter disclosed herein relates to fault tolerant analog inputs for a safety control system. More specifically, the subject matter relates to a termination board for connecting remote devices that provide analog signals to a controller, such as a programmable logic controller, for a safety system.
A Programmable Logic Controller (PLC) is a special purpose computer typically used for real-time control of an industrial machine or process. The PLC has a modular design such that it may be readily configured for numerous types of machines or processes across a wide variety of industries. The PLC includes a rack, or multiple racks, typically containing an integral power supply and multiple slots to plug in different modules. The rack further incorporates a backplane such that different modules may communicate with each other. A wide variety of modules exist to accommodate the wide variety of applications for a PLC. This modular design provides a cost benefit because standard modules may be developed that are mass produced and configurable according to the machine or process to be controlled.
Some of these standard modules include the processor module as well as input and output modules. The inputs and outputs may be digital, where the presence or absence of a DC voltage level indicates a logical one or zero, or analog, where a continuously variable input voltage represents a range of input data. The input and output modules may further include varying numbers of channels, for example eight, sixteen, or thirty-two, such that the PLC may be easily configured according to the machine or process to be controlled.
Industrial control systems differ from conventional computer systems in that they provide highly reliable operation and deterministic real-time control. In part, this requires that data communicated between the processor and the input and output modules be transmitted in a predictable sequence. Further, a program must execute on the PLC in a predictable sequence to execute the control functions of the PLC. This program is typically developed in “ladder logic,” consisting of a series of “rungs.” Each rung typically monitors one or more inputs or internal conditions on the input portion of the rung to determine whether to execute the output portion of the rung. The output portion of the rung may set an output channel, start an internal timer, or perform some other function. The program executes as a continuous loop where one loop through the program constitutes a scan of the program.
“Safety controllers” are also special purpose computers, used to ensure the safety of humans working in the environment of an industrial process that may itself be controlled by a PLC. A safety controller may share some hardware, such as remote sensors and actuators, with the machine controller when used for both machine control and safety; in a process application, however, the safety controller typically operates independently of the process controller and is connected to a separate set of sensors and actuators to monitor the process, forming a safety control system. The safety control system monitors operation of the process and may initiate an orderly shutdown of the process if the primary process control system fails. The safety control system is designed to monitor the machine or process and to protect machine operators, technicians, or other individuals required to interact with the machine or process, as well as to protect the equipment itself. The safety control system monitors the process for a potentially unsafe operating condition, which may be caused by an out-of-control process. If the safety system detects a potentially unsafe operating condition, the safety controller operates to put the machine or process into a safe state.
To this end, a certification process has been established to provide Safety Integrity Level (SIL) ratings to equipment, identifying different degrees of safety. These ratings are determined by such factors as mean time between failures, probability of failure, diagnostic coverage, safe failure fraction, and other similar criteria. These safety ratings may be achieved, at least in part, by incorporating redundancy into the safety system along with a means of cross-checking the redundant components against each other.
For example, two sensors may be used to monitor one operating condition or a single sensor may be connected to two different inputs in a controller. Still further redundancy may be achieved by providing two separate input modules operating in two separate racks having separate processors and by connecting an input signal to each of the two input modules. However, it is apparent that as redundancy increases, the complexity and number of wiring connections that are required similarly increases. Thus, it would be desirable to provide a control system that satisfies the certification requirements for a safety system while reducing the complexity and number of wiring connections.
In addition, redundant sensors and wiring do not, by themselves, satisfy the certification requirements for a safety system. A sensor may be wired to two different input modules; however, an individual input module may itself experience a failure. Consequently, developers of safety systems must develop custom software to monitor the operation of the input modules. Developing custom software, however, adds to the cost and complexity of the safety system. Further, custom software is more likely than a standardized software routine to include errors and to require increased debugging and start-up expense. Thus, it would be desirable to provide improved reliability of an input module without the added cost or complexity of developing custom software.
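The cross-checking of redundant analog inputs described above, as an added illustration that is not part of this document: the same sensor signal arrives on two input channels (`ch_a`, `ch_b`), each reading is first checked against an assumed valid signal range, the two are then compared within an assumed agreement tolerance, and any unresolvable disagreement demands the safe state rather than trusting either channel. The range limits, tolerance, status names and degraded-mode policy are assumptions for the example, not values from the text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    VALID = "valid"          # both channels in range and in agreement
    DEGRADED = "degraded"    # one channel faulted; other used, fault flagged for maintenance
    FAULT = "fault"          # neither reading can be trusted; safe state demanded


@dataclass(frozen=True)
class CrossCheckResult:
    status: Status
    value: Optional[float]   # validated process value, None when FAULT
    detail: str


def cross_check(ch_a: float, ch_b: float, lo: float, hi: float, tolerance: float) -> CrossCheckResult:
    """Validate one process variable read through two redundant input channels.

    lo/hi is the assumed valid signal range for a healthy channel (an open or
    shorted loop typically drives a reading outside it); tolerance is the
    assumed maximum permitted difference between two healthy channels.
    """
    a_ok = lo <= ch_a <= hi
    b_ok = lo <= ch_b <= hi
    if a_ok and b_ok:
        if abs(ch_a - ch_b) <= tolerance:
            return CrossCheckResult(Status.VALID, (ch_a + ch_b) / 2.0, "channels agree")
        # Both look plausible but disagree: no way to tell which module failed.
        return CrossCheckResult(Status.FAULT, None, "channels disagree beyond tolerance")
    if a_ok:  # assumed policy: run degraded on the surviving channel
        return CrossCheckResult(Status.DEGRADED, ch_a, "channel B out of range")
    if b_ok:
        return CrossCheckResult(Status.DEGRADED, ch_b, "channel A out of range")
    return CrossCheckResult(Status.FAULT, None, "both channels out of range")


def safe_state_demanded(result: CrossCheckResult, trip_setpoint: float) -> bool:
    """True when the controller should drive the process to its safe state:
    either the inputs cannot be trusted, or the validated value exceeds the trip point."""
    return result.status is Status.FAULT or result.value > trip_setpoint


if __name__ == "__main__":
    # Constructed sample: 0-10 V channels, 0.2 V agreement tolerance, trip at 8.0.
    for a, b in [(4.9, 5.0), (4.0, 6.0), (-1.0, 5.0), (9.1, 9.0), (-1.0, 12.0)]:
        r = cross_check(a, b, 0.0, 10.0, 0.2)
        print(f"A={a:5.1f} B={b:5.1f} -> {r.status.value:8s} value={r.value} "
              f"trip={safe_state_demanded(r, 8.0)} ({r.detail})")
```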