The subject matter disclosed herein relates to fault tolerant digital outputs for a safety control system. More specifically, the subject matter relates to a termination board for connecting remote devices to digital output signals from a controller, such as a programmable logic controller, for a safety system.
A Programmable Logic Controller (PLC) is a special purpose computer typically used for real-time control of an industrial machine or process. The PLC has a modular design such that it may be readily configured for numerous types of machines or processes across a wide variety of industries. The PLC includes a rack, or multiple racks, typically containing an integral power supply and multiple slots to plug in different modules. The rack further incorporates a backplane such that different modules may communicate with each other. A wide variety of modules exist to accommodate the wide variety of applications for a PLC. This modular design provides a cost benefit because standard modules may be developed that are mass produced and configurable according to the machine or process to be controlled.
Some of these standard modules include the processor module as well as input and output modules. The inputs and outputs may be digital, where the presence or absence of a DC voltage level indicates a logical one or zero, or analog, where a continuously variable input voltage represents a range of input data. The input and output modules may further include varying numbers of channels, for example eight, sixteen, or thirty-two, such that the PLC may be easily configured according to the machine or process to be controlled.
Industrial control systems differ from conventional computer systems in that they provide highly reliable operation and deterministic real-time control. In part, this requires that data communicated between the processor and the input and output modules be transmitted in a predictable sequence. Further, a program must execute on the PLC in a predictable sequence to execute the control functions of the PLC. This program is typically developed in “ladder logic,” consisting of a series of “rungs.” Each rung typically monitors one or more inputs or internal conditions on the input portion of the rung to determine whether to execute the output portion of the rung. The output portion of the rung may set an output channel, start an internal timer, or perform some other function. The program executes as a continuous loop where one loop through the program constitutes a scan of the program.
“Safety controllers” are also special purpose computers used to ensure the safety of humans working in the environment of an industrial process which may be implemented using a PLC. A safety controller may share some hardware, such as remote sensors and actuators, with the process controller when used for machine control and safety; in a process application, however, the safety controller typically operates independently of the process controller and is connected to a separate set of sensors and actuators to monitor the process, forming a safety control system. The safety control system monitors operation of the process and may initiate an orderly shutdown of the process if the primary process control system fails. The safety control system is designed to monitor the machine or process and to protect machine operators, technicians, or other individuals required to interact with the machine or process, as well as to protect the equipment itself. The safety control system monitors the process for a potentially unsafe operating condition, which may be caused by an out-of-control process. If the safety system detects a potentially unsafe operating condition, the safety controller operates to put the machine or process into a safe state.
To this extent, a certification process has been established to provide Safety Integrity Level (SIL) ratings to equipment, identifying different degrees of safety. These ratings are determined by such factors as mean time between failures, probability of failure, diagnostic coverage, safe failure fractions, and other similar criteria. These safety ratings may be achieved, at least in part, by incorporating redundancy into the safety system along with a means of verifying operation of the redundant components.
For example, redundancy may be incorporated by wiring two output modules in series. In this configuration, an output channel in a first module enables the power to a corresponding output channel in a second module. The output channel in the second module, in turn, drives the remote device. Each channel on both output modules is commanded to change state together. While such a configuration can prevent the failure of a single module from improperly commanding an actuator, for example by failing in an energized state, it requires that both output modules remain functioning properly in order to control an actuator, which prevents fault-tolerant operation. In other words, if one of the output modules fails, it must be replaced prior to continuing operation. Thus, it would be desirable to provide a redundant control system that may optionally remain operational in the event one output module fails, using the output module that has not failed, until the failed module can be replaced.
In addition, monitoring an output module often requires adding an input module. Each channel of the output module is wired to both the remote device and a channel on the input module. The controller is then able to compare the state of each channel on the input module to the commanded state of the corresponding output channel. However, this method of monitoring the output module is not without drawbacks. First, the input module presents an additional expense. Additional wiring is also required between the output module and the input module. In addition, the input module itself may subsequently require monitoring to verify proper operation. Thus, it would be desirable to provide a system for monitoring the output module without the additional complexity and expense of a dedicated input module.
Some custom output modules have attempted to address these drawbacks by providing a signal back to the controller which monitors the state of the output, or by providing a means for testing whether the output channel can transition between states. However, such output modules require that custom software be developed to monitor the additional signal, perform the test, and monitor the results of the test. Developing custom software adds to the cost and complexity of the safety system. Further, custom software is more likely to include errors, and to require increased debugging and startup expense, than a standardized software routine. Thus, it would be desirable to provide a standard controller and output module that satisfy the SIL requirements without the added cost or complexity of developing custom software.
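The following Python model is an added illustration of the three preceding paragraphs, not code from the disclosure or from any output module it describes. It wires two hypothetical output channels in series, injects constructed single-channel faults (stuck energized or stuck de-energized) to show why the series arrangement blocks a spurious energize but loses fault tolerance, implements the commanded-versus-readback comparison that a separate input module provides, and implements the state-transition test that custom modules perform. All names (`Fault`, `OutputChannel`, `series_output`, `readback_mismatches`, `can_transition`) and the eight-channel snapshot are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Fault(Enum):
    """Constructed failure modes for a single digital output channel."""
    NONE = "none"
    STUCK_ON = "stuck_on"      # channel fails in the energized state
    STUCK_OFF = "stuck_off"    # channel fails in the de-energized state


@dataclass
class OutputChannel:
    """One channel of a hypothetical digital output module.

    `fault` is injected by the caller for the simulation; a real channel
    simply follows its command (and its supply) until it fails.
    """
    fault: Fault = Fault.NONE

    def drive(self, command: bool, supply: bool = True) -> bool:
        # Without supply power the channel cannot energize, whatever its fault.
        if not supply:
            return False
        if self.fault is Fault.STUCK_ON:
            return True
        if self.fault is Fault.STUCK_OFF:
            return False
        return command


def series_output(command: bool, first: OutputChannel, second: OutputChannel) -> bool:
    """Series wiring: the first module's channel switches the supply to the
    second module's channel, which drives the remote device."""
    enable = first.drive(command, supply=True)
    return second.drive(command, supply=enable)


def single_fault_cases():
    """Every (first, second) fault pair in which at most one channel is faulty."""
    for fa, fb in product(Fault, Fault):
        if fa is Fault.NONE or fb is Fault.NONE:
            yield fa, fb


def spurious_energize_possible() -> bool:
    """True if any single fault energizes the actuator while it is commanded off."""
    return any(
        series_output(False, OutputChannel(fa), OutputChannel(fb))
        for fa, fb in single_fault_cases()
    )


def single_faults_blocking_operation() -> list[tuple[Fault, Fault]]:
    """Single faults under which a commanded-on actuator cannot energize.

    A non-empty list is the loss of fault tolerance described above: the
    faulty module must be replaced before operation can resume."""
    return [
        (fa, fb)
        for fa, fb in single_fault_cases()
        if not series_output(True, OutputChannel(fa), OutputChannel(fb))
    ]


def readback_mismatches(commanded: list[bool], readback: list[bool]) -> list[int]:
    """Monitoring via a separate input module: compare each channel's read-back
    state with its commanded state and return the channel indices that differ."""
    if len(commanded) != len(readback):
        raise ValueError("channel count mismatch between output and input module")
    return [i for i, (c, r) in enumerate(zip(commanded, readback)) if c != r]


def can_transition(channel: OutputChannel) -> bool:
    """Transition test: the channel must follow both an on and an off command.
    A channel stuck in either state fails this test."""
    return channel.drive(True) is True and channel.drive(False) is False


if __name__ == "__main__":
    print("spurious energize under any single fault:", spurious_energize_possible())
    print("single faults that block operation:", single_faults_blocking_operation())
    # Constructed eight-channel snapshot: channel 2 is commanded off but reads on.
    cmd = [True, False, False, True, False, False, True, False]
    rb = [True, False, True, True, False, False, True, False]
    print("mismatched channels:", readback_mismatches(cmd, rb))
    print("stuck-on channel passes transition test:",
          can_transition(OutputChannel(Fault.STUCK_ON)))
```

Run stand-alone, the model reports that no single fault can energize a commanded-off actuator, that a stuck-off fault in either module blocks a commanded-on actuator (the case that forces replacement before operation continues), that channel 2 of the snapshot disagrees with its command, and that a stuck channel fails the transition test. The supply-gating in `drive` is what makes the series arrangement safe against a single energized failure; the same gating is what removes fault tolerance.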