The present invention relates to programmable logic controllers (PLCs) and in particular to a PLC finding specific application in safety systems.
PLCs are special-purpose computers used for the control of industrial processes and the like. During the execution of a stored control program, they read inputs from the controlled process and, per the logic of the control program, provide outputs to the controlled process. The outputs typically provide analog or binary voltages or "contacts" implemented by solid-state switching devices.
PLCs differ from conventional computers both in their reliability and flexibility. In this latter regard, PLCs are normally constructed in modular fashion to allow them to be easily reconfigured to meet the demands of the particular process being controlled. For example, the processor and I/O circuitry are normally constructed as separate modules that may be inserted in a chassis and connected together through a common backplane using permanent or releasable electrical connectors. This modular, backplane construction allows, for example, varying the number of I/O modules as needed for the particular controlled process. The modular backplane also allows network cards to be attached to the backplane, for example, to communicate over a control network with additional remote I/O modules.
While PLCs have largely replaced systems composed of discrete interconnected relays for all but the smallest control systems, an exception exists in so-called safety applications. Safety applications are those in which failure of the control system could lead to significant hazard or injury. Safety systems, for use in such safety applications, may employ multiple redundant channels with monitoring and verification and may incorporate combinations of safety relays, sensors, and actuators, each with separate sets of interconnected wiring and cross-wiring to check for discrepancies between signal paths. The wiring of the safety system is arranged to move the safety system to a predetermined safe state if either of the redundant channels fails or if the two channels do not agree.
Such discrete safety systems can be costly to install and maintain, especially for complex control applications, where large amounts of point-to-point wiring are required both to implement the logic and to provide the redundant channels. For this reason, there is considerable interest in using PLCs, where the logic is implemented in a computer rather than as device interconnections, to provide similar levels of safety operation.
In one such approach to implementing a safety system with a PLC, duplicate PLCs are connected to sensors and actuators using separate signal paths to each. Each PLC and its associated I/O represents an independent control channel, and the controllers are cross-wired so that a failure in either one may be detected and a safe state maintained.
For example, referring to FIG. 1, a prior art safety system may be implemented with duplicate PLCs 10a and 10b. Each of the PLCs 10a and 10b may receive input signals from multiple sensors or contact switches 14 along redundant input leads 16a and 16b received by input modules 24a and 24b respectively, and may provide redundant output signals (from output modules 25a and 25b) along leads 18a and 18b to actuator 20. Both signals 18a and 18b must be the same for the actuator 20 to be actuated. The output modules 25a and 25b may include internal testing and diagnostics; otherwise the status of outputs 18a and 18b may be monitored by inputs of input modules 24a and 24b so that output faults can be detected.
Each of the PLCs 10a and 10b includes a chassis 12a or 12b holding one of the separate control modules 22a and 22b, each executing a redundant control program. The redundant control programs may be essentially identical or may be different control programs intended to provide the same control outputs. Control module 22a and I/O modules 24a and 25a communicate on backplane 40a, while control module 22b and I/O modules 24b and 25b communicate on backplane 40b. Each backplane 40a and 40b is associated with one of chassis 12a and chassis 12b and communicates with its respective modules by electrical connectors (not shown). The backplanes 40a and 40b are supplied with power from power supplies 32a and 32b and include diagnostic circuitry to detect failures and go to a predetermined safe state.
Cross-wiring 26 between I/O modules 24a and 24b allows each PLC 10a and 10b to review the other's inputs and outputs for disparity and testing if necessary. If a disparity or failure is detected, the control programs cause the controllers and their outputs to go into a safe state predefined according to the control application.
While this system provides the ability to detect and respond to failures, the cross-wiring can be costly to implement and maintain, especially for complex control applications. The need for duplicated hardware, including racks and backplanes, further increases the costs.
The present invention provides a safety system using duplicate PLCs and modules but providing substantially reduced wiring and, in certain embodiments, substantially reduced hardware costs.
The present inventors have recognized that in certain cases physical wiring may be replaced, with equal safety, by "virtual" wiring implemented on a single unitary backplane of the PLC. Thus, physical cross-wiring may be eliminated in favor of backplane messages.
In order that the virtual wiring provide the same level of safety as the physical wiring, a "connected" communication protocol must be used which both ensures reliable transmission of messages through pre-established connections and detects failure of the virtual wiring represented by a connection. Generally, connected messaging systems require opening of connections to reserve necessary bandwidth and other network resources needed by the connection. After being opened, the connection may implement any of a variety of features to ensure the integrity of the connection, including message echoing and comparison, I/O broadcast and verification of results, or the regular transmission of a heartbeat signal. Each connection becomes a virtual wire that mimics a physical wire, but unlike a physical wire, the virtual wire is a fail-safe component, since each connection contains the redundancy and verification that would send the outputs to a safe de-energized state in the event of a connection anomaly such as a wire break or the failure of a connected device.
Through the use of the reliable virtual wiring of connections, both the physical wiring and the number of I/O points required to implement a safety system are much reduced. The ability to use a single backplane may allow the entire safety system to be implemented in a single chassis as opposed to duplicate chassis. Support of multicast/broadcast communications allows the messages implementing the cross-wiring required for redundancy, monitoring and verification to be simultaneously transmitted to multiple devices, reducing the burden on network bandwidth.
Specifically, then, the present invention provides a PLC for safety applications including a backplane that may allow connection to at least two I/O modules and a first and second control module. The backplane, I/O modules, and control modules include communications circuitry supporting a connected communications protocol in which failure of a connection between modules may be detected by the modules. This connected communications protocol may, but need not, provide a producer/consumer broadcast messaging which allows the sharing of input and output information over the single backplane.
Each of the first and second control modules redundantly executes a control program to: (i) open connections over the backplane with the at least two I/O modules; (ii) receive, over connections, redundant input signals from the I/O modules; (iii) generate a redundant output signal based on the received input signals; and (iv) transmit, over a connection, the redundant output signal to at least one I/O module.
Thus, it is one object of the invention to provide the safety benefits of redundant physical wiring for inputs using virtual connections which embody the safety features of actual wires. In this way, each controller can incorporate logic to analyze the other's inputs simultaneously with its own to ensure they are in agreement.
It is another object of the invention to provide a safety system that may be implemented on a single logical backplane supporting connected and redundant messaging.
Each given first and second control module further redundantly executes the control program to: (v) receive, over a connection, the redundant output signal of the other control module (for example, by using an output echo); (vi) compare the redundant output signal of the given control module with that of the other control module; and (vii) enter a predefined safety state when the result of the comparison is that the signals do not match.
It is thus another object of the invention to internalize the cross-wiring previously necessary to implement safety systems, eliminating the cost of physical cross-wiring. The cross-wiring allows checking that all inputs agree and that all outputs agree, in order to determine failures and where the failure has occurred.
The given control module may receive the output signal of the other control module via a connected message from an output module.
Thus one feature of the invention allows the output of the other controller to be checked directly, without intervention by the other controller.
The backplane may be a unitary circuit board or two co-planar circuit boards.
Thus, it is another object of the invention to provide for more compact implementation of the safety system that may reduce hardware costs.
More than one circuit board may be interconnected to provide a single logical backplane. The circuit boards may communicate with each other via a pair of network cards, one connected to each circuit board and joined by network media, the network cards providing a protocol supporting the connected communications protocol.
It is another object of the invention to permit the size of the safety system to be arbitrarily expanded beyond the confines of a single physical chassis using standard industrial control networks providing for high reliability communication protocols.
The connected communications protocol may detect failure of a connection between modules by echoing messages transmitted from a first module to a second module back to the first module or may detect failure of a connection between modules by detection of the absence of a heartbeat signal over a connection for more than a predetermined period of time.
The I/O module may provide self-diagnostics and the communication protocol may indicate a failure of a connection when the self-diagnostics indicate a failure of the I/O module.
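The control program steps (i) through (vii) above, together with the three ways a connection may be declared failed (a stale heartbeat, an echo that does not match what was sent, and a self-diagnostic failure reported by an I/O module), can be exercised in a small simulation. The following is an added illustration written for this page, not code from the patent or any PLC vendor. Everything in it is an assumption: the class and function names, a logical tick counter in place of real time, a heartbeat timeout of two ticks, a dictionary carried on the echo connection, and a two-sensor guard interlock standing in for the control program.

```python
# Added illustration of the virtual-wiring scheme described above; not the patent's own code.
# Every name is hypothetical, time is a logical tick counter, and the "control program" is a
# two-sensor guard interlock chosen for the example.

SAFE_STATE = 0         # de-energized output: the predefined safe state in this example
HEARTBEAT_TIMEOUT = 2  # ticks a consumer tolerates without a heartbeat before declaring a break


class ConnectionFault(Exception):
    """The virtual wire failed: stale heartbeat, bad echo, device diagnostic, or disagreement."""


class Connection:
    """Pre-established backplane connection acting as a virtual wire: the producer refreshes a
    heartbeat with every message, and any number of consumers (multicast) may read it."""
    def __init__(self, name):
        self.name, self.last_heartbeat, self.value, self.device_failed = name, 0, None, False

    def produce(self, value, now):
        self.value, self.last_heartbeat = value, now

    def consume(self, now):
        if self.device_failed:  # producer's self-diagnostics failed: treated as a connection failure
            raise ConnectionFault(f"{self.name}: producer self-diagnostic failure")
        if now - self.last_heartbeat > HEARTBEAT_TIMEOUT:
            raise ConnectionFault(f"{self.name}: no heartbeat for {now - self.last_heartbeat} ticks")
        return self.value


def control_program(inputs):
    """Redundant logic on both controllers: energize only if every sensor reads 1 (guard closed)."""
    return 1 if all(v == 1 for v in inputs) else SAFE_STATE


class ControlModule:
    def __init__(self, name, other, input_conns, out_conn, echo_conn, logic=control_program):
        self.name, self.other, self.logic = name, other, logic
        self.input_conns, self.out_conn, self.echo_conn = input_conns, out_conn, echo_conn
        self.output, self.safe_reason = SAFE_STATE, None

    def scan(self, now):
        try:
            if self.safe_reason is None:  # once latched, stay in the safe state
                # (v)-(vii): the output module echoes what both controllers sent last scan
                echo = self.echo_conn.consume(now)
                if echo is not None:
                    mine, theirs = echo.get(self.name), echo.get(self.other)
                    if mine != self.output:
                        raise ConnectionFault(f"{self.out_conn.name}: echo {mine} != sent {self.output}")
                    if theirs != self.output:
                        raise ConnectionFault(f"output disagreement: {self.name}={self.output} {self.other}={theirs}")
                # (ii) redundant inputs from both input modules, which must agree
                inputs = [c.consume(now) for c in self.input_conns]
                if len(set(inputs)) != 1:
                    raise ConnectionFault(f"input disagreement: {inputs}")
                self.output = self.logic(inputs)  # (iii)
        except ConnectionFault as exc:
            self.safe_reason, self.output = str(exc), SAFE_STATE
        self.out_conn.produce(self.output, now)  # (iv) send the output; this also refreshes the heartbeat
        return self.output


class OutputModule:
    """Energizes the actuator only when both controllers agree, and echoes both values back."""
    def __init__(self, out_conns, echo_conn):
        self.out_conns, self.echo_conn = out_conns, echo_conn

    def scan(self, now):
        received = {}
        for name, conn in self.out_conns.items():
            try:
                received[name] = conn.consume(now)
            except ConnectionFault:
                received[name] = None  # a broken output wire reads as "not energized"
        self.echo_conn.produce(received, now)
        values = set(received.values())
        return values.pop() if len(values) == 1 and None not in values else SAFE_STATE


def build_system():
    in_a, in_b, out_a, out_b, echo = (Connection(n) for n in ("in_a", "in_b", "out_a", "out_b", "echo"))
    ctrls = (ControlModule("A", "B", [in_a, in_b], out_a, echo),
             ControlModule("B", "A", [in_a, in_b], out_b, echo))
    return {"now": 0, "inputs": (in_a, in_b), "ctrls": ctrls, "out": OutputModule({"A": out_a, "B": out_b}, echo)}


def run_cycle(system, sensor_a, sensor_b):
    """One backplane cycle; a sensor value of None means that input module sent nothing (wire break)."""
    system["now"] += 1
    for conn, value in zip(system["inputs"], (sensor_a, sensor_b)):
        if value is not None:
            conn.produce(value, system["now"])
    for ctrl in system["ctrls"]:
        ctrl.scan(system["now"])
    return system["out"].scan(system["now"])


def demo():
    """Constructed fault scenarios: actuator trace per cycle plus controller A's latched reason."""
    s = build_system()
    trace = [run_cycle(s, 1, 1)] + [run_cycle(s, 1, None) for _ in range(3)]  # input module B goes silent
    heartbeat_loss = (trace, s["ctrls"][0].safe_reason)
    s = build_system()
    run_cycle(s, 1, 1)
    s["ctrls"][1].logic = lambda inputs: SAFE_STATE  # controller B's program diverges from A's
    output_disagreement = ([run_cycle(s, 1, 1), run_cycle(s, 1, 1)], s["ctrls"][0].safe_reason)
    return {"heartbeat_loss": heartbeat_loss, "output_disagreement": output_disagreement}
```

Calling `demo()` shows the two behaviours that matter. With the silent input module, the actuator stays energized for the two ticks the heartbeat timeout tolerates and then drops to the safe state, with both controllers latching the reason. With the diverging control program, the output module refuses to energize as soon as the two outputs differ, and one cycle later each controller sees the disagreement in the echo and latches as well; the same echo check catches a controller whose own output wire delivers something other than what it sent. Setting `device_failed` on an input connection, or feeding the two input modules different sensor values, produces the safe state in the same way. Note that the latch is deliberate: a connection that recovers does not re-energize the output, which matches the text's requirement that a detected fault move the system to a predefined safe state.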
It is thus another object of the invention to employ positive indication of connection failure so that a safety state may be adopted.
It is another object of the invention to expand the concept of connection failure to include failures of components used in the safety system.
The communication protocol may support multicasting or broadcasting of messages transmitted over a connection, for example, by using a producer/consumer protocol.
It is thus another object of the invention to allow for the multiplication of backplane messages that cross-connections imply without unduly taxing the backplane capacity, especially for complex systems.
The foregoing objects and advantages may not apply to all embodiments of the inventions and are not intended to define the scope of the invention, for which purpose claims are provided. In the following description, reference is made to the accompanying drawings, which form a part hereof, and in which there is shown by way of illustration, a preferred embodiment of the invention. Such embodiment also does not define the scope of the invention and reference must be made therefore to the claims for this purpose.