The subject matter disclosed herein relates to fault tolerant digital inputs for a safety control system. More specifically, the subject matter relates to a termination board for connecting remote devices that provide digital signals to a controller, such as a programmable logic controller, for a safety system.
A Programmable Logic Controller (PLC) is a special purpose computer typically used for real-time control of an industrial machine or process. The PLC has a modular design such that it may be readily configured for numerous types of machines or processes across a wide variety of industries. The PLC includes a rack, or multiple racks, typically containing an integral power supply and multiple slots to plug in different modules. The rack further incorporates a backplane such that different modules may communicate with each other. A wide variety of modules exist to accommodate the wide variety of applications for a PLC. This modular design provides a cost benefit because standard modules may be developed that are mass produced and configurable according to the machine or process to be controlled.
Some of these standard modules include the processor module as well as input and output modules. The inputs and outputs may be digital, where the presence or absence of a DC voltage level indicates a logical one or zero, or analog, where a continuously variable input voltage represents a range of input data. The input and output modules may further include varying number of channels, for example eight, sixteen, or thirty-two, such that the PLC may be easily configured according to the machine or process to be controlled.
Industrial control systems differ from conventional computer systems in that they provide highly reliable operation and deterministic real-time control. In part, this requires that data communicated between the processor and the input and output modules be transmitted in a predictable sequence. Further, a program must execute on the PLC in a predictable sequence to execute the control functions of the PLC. This program is typically developed in “ladder logic,” consisting of a series of “rungs.” Each rung typically monitors one or more inputs or internal conditions on the input portion of the rung to determine whether to execute the output portion of the rung. The output portion of the rung may set an output channel, start an internal timer, or perform some other function. The program executes as a continuous loop where one loop through the program constitutes a scan of the program.
“Safety controllers” are also special purpose computers used to ensure the safety of humans working in the environment of an industrial process which may be implemented using a PLC. A safety controller may share some hardware, such as remote sensors and actuators, when used for machine control and safety; however, in a process application the safety controller operates independently of the process controller. Typically, a safety controller operates independently of a process controller and is connected to a separate set of sensors and actuators to monitor the process forming a safety control system. The safety control system monitors operation of the process and may initiate an orderly shutdown of the process if the primary process control system fails. The safety control system is designed to monitor the machine or process and to protect machine operators, technicians, or other individuals required to interact with the machine or process as well as protect the equipment itself. The safety control system monitors the process for a potentially unsafe operating condition which may be caused by an out of control process. If the safety system detects a potentially unsafe operating condition, the safety controller operates to put the machine or process into a safe state.
Many of the sensors in the safety control system provide discrete inputs which are commonly at 24 volts DC and normally high, or on. While the inputs may be wired either normally high or normally low, these inputs are often wired such that a “safety event” causes an input to transition to a low, or off, state. A safety event may be detected when an input monitoring at least a portion of the machine or process for a safe operating condition changes state. For example, an input may indicate a light curtain has been broken or an operator stepped on a mat in a specific portion of the machine. By wiring the input to go to a low state to trigger a safety event the safety system is requiring a positive action, such as holding the input high, to indicate a safe state. By requiring an input to be on to indicate a safe state, the safety controller prevents the machine from operating under conditions in which the safety controller would otherwise not be able to detect a safety event. For example, a broken wire, mistaken wiring, or a tripped circuit breaker may each remove power from the input preventing the input from operating. By requiring the input to be high to indicate a safe state, the safety controller will treat such conditions where it is unable to monitor an input as unsafe and require that the machine enter a safe state.
To this extent, a certification process has been established to provide Safety Integrity Level (SIL) ratings to equipment, identifying different degrees of safety. These ratings are determined by such factors as mean time between failures, probability of failure, diagnostic coverage, safe failure fractions, and other similar criteria. These safety ratings may be achieved, at least in part, by incorporating redundancy into the safety system along with a means of cross-checking the redundant components against each other.
For example, two sensors may be used to monitor one operating condition or a single sensor may be connected to two different inputs in a controller. Still further redundancy may be achieved by providing two separate input modules operating in two separate racks having separate processors and by connecting an input signal to each of the two input modules. However, it is apparent that as redundancy increases, the complexity and number of wiring connections that are required similarly increases. Thus, it would be desirable to provide a control system that satisfies the certification requirements for a safety system while reducing the complexity and number of wiring connections.
In addition, redundant sensors and wiring do not, by themselves, satisfy the certification requirements for a safety system. A sensor may be wired to two different input modules; however, it is possible that an individual input module may experience a failure. Consequently, developers of safety systems must develop custom software to monitor the operation of the input modules. However, developing custom software adds to the cost and complexity of the safety system. Further, custom software is more likely to include errors and to require increased debugging and startup expense than a standardized software routine.
As an attempt to detect failure of an input module, custom input modules have been developed. These custom input modules have additional firmware and hardware incorporated into the module in order to integrate diagnostics within the input module such that the module is able to test whether the input module itself is operating normally or has experienced a failure. However, the additional firmware and hardware add cost and complexity to the input module. Thus, it would be desirable to provide improved reliability of an input module without the added cost or complexity of developing custom software or using a custom input module.