Several safety validation bodies drive the design parameters behind safety controllers. Factory Mutual (FM) in the United States, the Health and Safety Executive (HSE) in the United Kingdom, and TUV in Germany each test for adherence to the stringent standards that safety PLCs must meet. For instance, TUV typically tests products against IEC 61508, a standard that defines Safety Integrity Levels (SILs) 1 through 4. Safety PLCs are suited to applications at SIL 2 and SIL 3, where they can be certified for use in common safety applications. SIL 4 addresses applications beyond standard industrial safety; it defines requirements for controllers in flight control systems (fly-by-wire), nuclear reactors, or any number of applications whose failure would be catastrophic.
Two international and European standards finding their way into ANSI and OSHA standards in the United States are IEC 61508 and EN 954-1. IEC 61508 provides an exacting definition of functional safety for programmable electronic systems. EN 954-1 outlines the requirements for the safety-related parts of machinery control systems (EN 954-1 has since been withdrawn in favour of EN ISO 13849-1).
Application-specific standards for robotic devices are provided by ANSI/RIA R15.06. Control requirements for mechanical stamping presses and other machines are defined in the ANSI B11 series of standards.
Although there are some differences between the standards supported by each of the primary validation bodies, each takes a total-system approach. Specifications for entire safety control systems take hardware, software, and operating systems into consideration. Some standards go a step further and provide guidelines for specific applications.
Developers should be aware that specific control architectures based on standard PLCs have been certified by safety governing bodies for use in specific applications. In such cases it may prove more cost effective to use the certified package than to take a new control architecture through the certification process. End users also need to evaluate the training needs and the stocking and maintenance costs incurred by implementing a new system.
Programming Restrictions and Functional Safety of PLCs
Functional safety and reliability are ever-present problems in industrial controllers. IEC 61131 defines software and hardware characteristics intended to achieve this goal. However, programming languages and programmers' habits are likely sources of failures. To reduce failures it is necessary to limit the variability of the languages and to combine that with a clear methodology. Full Variability Languages (FVL) such as Pascal, C++ or Java allow programmers great freedom to define program structure, data and control flow, so the probability of failure is greater than with Limited Variability Languages (LVL), which are more restricted and combine predefined and application-specific functions.
The IEC 61131-3 languages are good examples of LVLs. The standard also includes additional restrictions to increase reliability, e.g. by limiting program access and by tying the program structure directly to hardware resources. The latter restriction means:
• I/O channels are updated through directly represented variables (the process image); programs never read or write the I/O channels themselves.
• Programs are often not compiled to native processor code. Instead they are translated to a pseudo-assembler or to Instruction List, which runs in a supervised or interpreted mode.
IEC 61131-3 languages have been studied in several papers and are known to have inconsistencies. For instance, in SFC the state evolution can fall into unsafe states or impossible conditions arising from jumps out of simultaneous divergences.
Dynamic problems such as non-deterministic execution time or critical races also have to be avoided for better reliability. Critical races can appear in any language when function blocks (FBs) access shared feedback paths or variables; the result can then depend on the order in which the blocks execute. Non-deterministic execution time or infinite loops can be caused by classical structuring instructions such as FOR or WHILE. Consequently, execution and language model restrictions must be stronger where reliability requirements are higher.
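The following is an added illustration, written for this page and not taken from IEC 61131-3 or any vendor runtime. It models a PLC scan cycle in Python to make two of the points above concrete: the program only touches a process image (the directly represented variables), never the channels, and the input image is frozen for the whole scan; two function blocks that share a memory variable form a critical race whose result depends on block order; and a WHILE loop that waits for an input can never terminate inside a scan, so a per-scan iteration budget (a hypothetical watchdog, here `LOOP_BUDGET`) is needed to keep execution time bounded. The block names, the `%M`-style variable `n`, and the pulse samples are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LOOP_BUDGET = 100  # hypothetical per-scan iteration budget (watchdog)


class ScanWatchdog(Exception):
    """Raised when a loop exceeds LOOP_BUDGET iterations in one scan."""


@dataclass
class ProcessImage:
    """Directly represented variables. Programs only read and write this
    snapshot; the scan loop is the only code that touches the channels."""
    inputs: Dict[str, int] = field(default_factory=dict)
    outputs: Dict[str, int] = field(default_factory=dict)
    memory: Dict[str, int] = field(default_factory=dict)


FunctionBlock = Callable[[ProcessImage], None]


def scan(img: ProcessImage, blocks: List[FunctionBlock],
         channels: Dict[str, int]) -> Dict[str, int]:
    """One PLC cycle: copy the input channels into the image, run every
    block in the fixed program order, then return the output image that
    would be written to the output channels."""
    img.inputs = dict(channels)  # inputs are frozen for the whole scan
    for fb in blocks:
        fb(img)
    return dict(img.outputs)


# --- Critical race: two blocks share the memory variable "n" ---------------

def fb_count(img: ProcessImage) -> None:
    """n := n + pulse"""
    img.memory["n"] = img.memory.get("n", 0) + img.inputs["pulse"]


def fb_alarm(img: ProcessImage) -> None:
    """alarm := n >= 2"""
    img.outputs["alarm"] = int(img.memory.get("n", 0) >= 2)


def run_scans(order: List[FunctionBlock], pulses: List[int]) -> List[int]:
    """Run one scan per pulse sample and collect the alarm output each time.
    The same two blocks give different alarm timing for the two orders."""
    img = ProcessImage()
    return [scan(img, order, {"pulse": p})["alarm"] for p in pulses]


# --- Unbounded loop: WHILE on a frozen input image -------------------------

def bounded_while(cond: Callable[[], bool], body: Callable[[], None]) -> int:
    """WHILE ... DO with a watchdog so scan time stays bounded."""
    n = 0
    while cond():
        if n >= LOOP_BUDGET:
            raise ScanWatchdog(f"loop exceeded {LOOP_BUDGET} iterations")
        body()
        n += 1
    return n


def fb_wait_for_start(img: ProcessImage) -> None:
    """WHILE NOT start DO END_WHILE: looks harmless in an FVL program, but
    the input image never changes inside a scan, so the loop cannot end
    unless start was already 1 when the scan began."""
    bounded_while(lambda: not img.inputs["start"], lambda: None)
    img.outputs["running"] = 1


def try_scan(blocks: List[FunctionBlock],
             channels: Dict[str, int]) -> Tuple[str, Dict[str, int]]:
    """Return ('ok', outputs) for a completed scan, or ('watchdog', {})
    when a loop tripped the iteration budget."""
    try:
        return "ok", scan(ProcessImage(), blocks, channels)
    except ScanWatchdog:
        return "watchdog", {}


if __name__ == "__main__":
    print(run_scans([fb_count, fb_alarm], [1, 1, 1]))   # [0, 1, 1]
    print(run_scans([fb_alarm, fb_count], [1, 1, 1]))   # [0, 0, 1]
    print(try_scan([fb_wait_for_start], {"start": 1}))  # ('ok', {'running': 1})
    print(try_scan([fb_wait_for_start], {"start": 0}))  # ('watchdog', {})
```

With the counter before the alarm block the alarm asserts on the second pulse; with the order reversed it asserts one scan later, because `fb_alarm` then reads the value of `n` left by the previous scan. Nothing in the language flags this; only a fixed, reviewed block order or a rule against shared read-write variables removes the race. The second half shows why the restricted runtimes described above bound or forbid WHILE: the condition is evaluated against an input snapshot that cannot change until the next scan, so the only safe outcome is the watchdog trip.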