As industrial automation has matured, modern factories have moved away from their original equipment, which was single-purpose and lacked safety protection. At the industrial automation sites where we work, emergency stop buttons, safety door locks and safety systems are therefore applied more and more to automated production equipment and production lines, adding safety assurance to what was originally hazardous equipment. Safe monitoring of the work process not only gives field operators a safer production environment, it also contributes to the efficient production and safety management of the enterprise.

As the most important member of the safety product family, the safety PLC is increasingly recognised, yet many users are still confused in practice: why is a PLC that looks much like an ordinary one labelled a safety PLC? What are the differences between a safety PLC and an ordinary PLC? This article shares the answer.

The concept of safety design rests on three words: 1. Redundancy; 2. Diversity; 3. Self-test. Only a product designed around all three can be considered a safety product; an ordinary PLC does not have such a design. Let us look at how a safety PLC is designed to realise these three concepts.

1. Redundancy
An ordinary PLC has one or more internal CPUs, but the program is normally executed once per scan by a single processing path. Where several CPUs are present, their role is to share the logical operations, arithmetic operations and communication functions of the program between them, that is, cooperative processing.

A safety PLC has at least two CPUs. Both CPUs execute the same program in each cycle and then compare their results. If the results agree, the output is performed; if they do not agree, the safe result is output instead (usually no output, or shutdown).
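To make the comparison concrete, here is an added Python model of the two-channel execution just described; it is not code from this article or from any PLC vendor. Both channels run the same user logic on the same inputs, the results are compared, and any discrepancy forces the safe state, while a single-channel "ordinary PLC" simply outputs whatever its one CPU computed. The interlock logic (an E-stop, a guard door and a drive fault flag), the De Morgan form of channel B and the fault injection are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Safe state for a de-energise-to-trip output: the actuator is switched off.
SAFE_STATE = False


@dataclass(frozen=True)
class Inputs:
    """Constructed field inputs for a hypothetical machine interlock."""
    estop_released: bool
    guard_closed: bool
    drive_fault: bool


def user_logic(i: Inputs) -> bool:
    """Run enable: only when the E-stop is released, the guard is closed and no drive fault."""
    return i.estop_released and i.guard_closed and not i.drive_fault


def channel_a(i: Inputs) -> bool:
    return user_logic(i)


def channel_b(i: Inputs) -> bool:
    # Same function written in a different (De Morgan) form, so the two channels
    # do not share one expression. Models the second implementation that a
    # safety PLC executes on its second CPU.
    return not (not i.estop_released or not i.guard_closed or i.drive_fault)


def ordinary_plc_cycle(i: Inputs, corrupt_result: bool = False) -> bool:
    """Single-channel scan: whatever the one CPU computes goes straight to the output."""
    result = user_logic(i)
    if corrupt_result:            # simulated random hardware fault flipping the result
        result = not result
    return result


def safety_plc_cycle(i: Inputs, corrupt_channel: Optional[str] = None) -> Tuple[bool, str]:
    """Two-channel scan: execute twice, compare, and output only on agreement."""
    a = channel_a(i)
    b = channel_b(i)
    if corrupt_channel == "A":    # simulated fault in CPU A
        a = not a
    elif corrupt_channel == "B":  # simulated fault in CPU B
        b = not b
    if a != b:
        # Discrepancy: we cannot tell which channel is right, so de-energise.
        return SAFE_STATE, "discrepancy -> safe state"
    return a, "ok"


if __name__ == "__main__":
    estop_pressed = Inputs(estop_released=False, guard_closed=True, drive_fault=False)
    print("ordinary PLC, CPU fault:", ordinary_plc_cycle(estop_pressed, corrupt_result=True))
    print("safety PLC, CPU A fault:", safety_plc_cycle(estop_pressed, corrupt_channel="A"))
```

The interesting case is an E-stop that is pressed while a CPU fault flips the result: the single-channel scan reports "run" and the machine starts, whereas the two-channel scan sees the disagreement and de-energises. Note that the comparison cannot say which CPU is wrong; it does not need to, because the safe state is defined independently of either result.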

(Figure: Safety PLC)

Therefore, only a PLC whose CPUs are designed redundantly can be called a safety PLC. In addition, the CPU of a safety PLC performs the following checks: clock detection, watchdog monitoring, sequence check and memory check.

Clock detection: The processor circuit contains two different oscillators that cross-check each other's behaviour; each processor uses one clock to verify that the other is running. If one side detects that the other has not been running for a certain period, the CPU enters the safe state. The firmware checks the accuracy of the two oscillators every second.

Watchdog: A hardware watchdog and a firmware watchdog monitor the PLC's activity and the execution time of the user logic. This is the same as in a conventional PLC system.

Sequence check: The sequence check monitors the execution of the different parts of the CPU operating system, verifying that they run in the expected order.

Memory check: All static memory areas, including Flash memory and RAM, are checked using a cyclic redundancy code (CRC) and dual code execution. Dynamic memory areas are protected by dual code execution and checked periodically. These tests are re-initialised at a cold boot.
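The following Python model, added here and not taken from the article or from any PLC firmware, shows the two halves of such a memory check: a CRC-32 reference per static region, captured at cold boot and re-verified on demand, and a dynamic variable kept as value plus bitwise complement so that a single corrupted copy is caught on read. The article does not define "dual code execution"; the complement-storage scheme is one common interpretation and is an assumption of this example, as are the two constructed memory regions.

```python
import zlib
from typing import Dict, List, Optional


class StaticMemoryCheck:
    """Reference CRC-32 per static region is taken at cold boot; later checks
    recompute the CRC and report any region that no longer matches."""

    def __init__(self, regions: Dict[str, bytearray]):
        self.regions = regions
        self.reference: Dict[str, int] = {}
        self.cold_boot()

    def cold_boot(self) -> None:
        # Test re-initialisation: the reference values are recomputed on cold boot.
        self.reference = {name: zlib.crc32(bytes(data)) for name, data in self.regions.items()}

    def check(self) -> List[str]:
        """Names of regions whose current CRC differs from the boot-time reference."""
        return [name for name, data in self.regions.items()
                if zlib.crc32(bytes(data)) != self.reference[name]]


class ComplementWord:
    """Dynamic (frequently written) 16-bit variable held twice: once as the value
    and once as its bitwise complement. Every read re-checks the pair, so a
    corrupted copy is detected immediately rather than at the next full CRC pass.
    (Assumed interpretation of the article's 'dual code execution'.)"""
    MASK = 0xFFFF

    def __init__(self, value: int = 0):
        self.write(value)

    def write(self, value: int) -> None:
        self.primary = value & self.MASK
        self.shadow = (~value) & self.MASK

    def read(self) -> Optional[int]:
        # A healthy pair XORs to all ones; anything else means corruption.
        if (self.primary ^ self.shadow) != self.MASK:
            return None
        return self.primary


def demo_static_check() -> List[str]:
    """Two constructed regions pass the check after boot; one injected bit flip is then reported."""
    mem = StaticMemoryCheck({
        "flash_program": bytearray(b"LD I0.0\nAND I0.1\nST Q0.0\n"),  # constructed program image
        "ram_constants": bytearray(range(64)),                        # constructed constant table
    })
    clean = mem.check()
    if clean:
        return clean  # would indicate a broken test harness, not a memory fault
    mem.regions["ram_constants"][17] ^= 0x20   # single-event upset: one bit flips
    return mem.check()


def demo_complement_word() -> Optional[int]:
    """Corrupt one copy of a complement-stored word; the read must refuse it."""
    w = ComplementWord(0x1234)
    w.primary ^= 0x0100                        # one bit flips in the primary copy only
    return w.read()


if __name__ == "__main__":
    print("regions failing CRC after bit flip:", demo_static_check())
    print("complement word after corruption:", demo_complement_word())
```

A CRC pass over all static memory is cheap enough to run every scan on a small program image, but it only tells you that *something* changed since boot; the complement pair localises the fault to the variable being read and lets the firmware take the channel to the safe state before the corrupted value is ever used.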

As this analysis shows, a safety PLC performs far more diagnosis and detection than a conventional PLC, so its hardware and software design is correspondingly more complex, and the scope of detection and diagnosis is broader and more detailed.

2. Diversity

Safety PLCs usually have two processors, and usually the two processors come from different manufacturers, for example one Motorola and one Intel, each decoding and executing its own code. This diversity provides the following advantages for failure detection:

1. The two executable codes are generated separately, and the difference between the compilers makes it easier to detect systematic failures introduced when the code is generated.

2. The two generated codes are executed by different processors, so the CPUs can detect systematic failures and random failures of the PLC while the code is executed.

3. Two separate memory areas are used for the two processors, so the CPUs can detect random RAM failures that are not caught by the full RAM check performed in each scan cycle.


3. Self-test

The self-test of a safety PLC is reflected in every aspect, including self-test of CPU processing, self-test of power supply monitoring, and self-test of the board status of the safety input and output points.

Here we introduce how the design of the safety inputs and outputs reflects the self-test concept.

Safety digital input


The part highlighted in yellow in the figure is the circuit design unique to a safety input point; an ordinary input point does not have it.

Internal diagnostics: Each input channel uses a common input circuit and two independent acquisition links, each of which drives a digital input serializer (DIS) to sample the input. In addition, the microprocessor drives a digital input deserializer (DID) and then the diagnostic function block, which performs a synchronous comparison of the deserialized data with the input data.

Input channel error detection: The digital input monitors the field-side power supply and uses the external wiring to detect a leakage current; the minimum leakage current is 1 mA. If there is no leakage current, the external circuit has an open-circuit (wire break) fault. For a dry contact, a 10 kΩ pull-up resistor is connected in parallel across the contact so that a break in the external line can be detected even while the contact is open. Each input circuit is equipped with a switch that is periodically forced to 1 or 0 to check that the circuit is healthy. Each input circuit is tested independently; if a problem is found, the diagnostic bit is set to 1, indicating that the channel is unhealthy.
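The line-monitoring and forced-test behaviour above can be captured in a small Python model, added here and not part of the article or of any vendor's firmware. It turns the 10 kΩ pull-up and the 1 mA minimum leakage current from the text into a three-way decision (wire break, contact open, contact closed), then drives a channel with two acquisition links through the forced-1 / forced-0 self-test. The 24 V field supply, the 7 mA closed-contact current, the 5 mA decision threshold and the stuck-link fault are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

FIELD_SUPPLY_V = 24.0        # assumed field-side supply (a typical 24 V DC input)
PULLUP_OHMS = 10_000.0       # 10 kΩ across the dry contact, from the text
MIN_LEAKAGE_MA = 1.0         # below this the wiring is treated as broken, from the text
CLOSED_CONTACT_MA = 7.0      # assumed current with the contact closed (set by the input's limiter)
CLOSED_THRESHOLD_MA = 5.0    # assumed decision threshold between 'open' and 'closed'


@dataclass
class Field:
    """Constructed external circuit: contact state and wiring integrity."""
    contact_closed: bool
    wire_intact: bool
    supply_ok: bool = True


def field_current_ma(f: Field) -> float:
    """Current the module sees at its terminal for a given field state."""
    if not f.supply_ok or not f.wire_intact:
        return 0.0                                   # no path, so no leakage current
    if f.contact_closed:
        return CLOSED_CONTACT_MA
    return FIELD_SUPPLY_V * 1000.0 / PULLUP_OHMS     # 2.4 mA through the pull-up alone


def evaluate(current_ma: float) -> Tuple[int, int]:
    """Return (logic value, diagnostic bit); diagnostic 1 means the channel is unhealthy."""
    if current_ma < MIN_LEAKAGE_MA:
        return 0, 1        # wire break or supply loss: force the safe value 0 and flag it
    if current_ma < CLOSED_THRESHOLD_MA:
        return 0, 0        # contact open, but the pull-up proves the wiring is present
    return 1, 0            # contact closed


class SafetyInputChannel:
    """One input with two acquisition links and a forcing switch for periodic self-test."""

    def __init__(self, link_b_stuck_at: Optional[int] = None):
        self.link_b_stuck_at = link_b_stuck_at  # simulated fault: link B always reports this value
        self.diag = 0

    def acquire(self, current_ma: float) -> Tuple[int, int]:
        a = evaluate(current_ma)
        b = evaluate(current_ma) if self.link_b_stuck_at is None else (self.link_b_stuck_at, 0)
        if a != b:               # the two links disagree: distrust the channel
            self.diag = 1
            return 0, self.diag
        value, self.diag = a
        return value, self.diag

    def force_test(self, level: int) -> bool:
        """Force the input to 1 or 0 through the test switch and confirm both links
        read it back with no diagnostic; returns True when the circuit is healthy."""
        forced_ma = CLOSED_CONTACT_MA if level else FIELD_SUPPLY_V * 1000.0 / PULLUP_OHMS
        value, diag = self.acquire(forced_ma)
        ok = (value == level and diag == 0)
        if not ok:
            self.diag = 1
        return ok


if __name__ == "__main__":
    for f in (Field(False, True), Field(True, True), Field(False, False)):
        print(f, "->", evaluate(field_current_ma(f)))
    ch = SafetyInputChannel(link_b_stuck_at=1)
    print("stuck link, force 1:", ch.force_test(1), "force 0:", ch.force_test(0), "diag:", ch.diag)
```

Two things fall out of the model. First, without the pull-up, an open contact and a broken wire both read 0 mA and are indistinguishable; the 2.4 mA that flows through the 10 kΩ resistor is what lets the module tell "open" from "broken". Second, a link stuck at 1 passes the forced-1 test and only fails the forced-0 test, which is why the self-test has to force both levels rather than one.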

Safety digital output


The part highlighted in yellow in the figure is the circuit design unique to a safety output point; an ordinary output point does not have it.

Internal diagnostics: To check that each switch can still be opened and closed, a pulse test is performed on the output module (a periodic diagnostic cycle is inserted into the module's internal circuit).

The diagnostic sequence is: change the switch command for a very short time that does not affect the actuator (at most 1 ms); verify the test result; then restore the correct switch command.

Power monitoring: Each output circuit consists of two switches in series, controlled by two processors. The first microprocessor drives its switch through a digital output deserializer (DOD), while the second microprocessor drives its switch downstream of the deserializer. In each cycle the midpoint voltage of each microprocessor's switch is compared with a threshold, the readings are exchanged between the two microprocessors, the state of the midpoint is evaluated and the state of the switch is diagnosed. If erroneous behaviour is detected in a channel, the channel is stopped immediately and the diagnostic bit is set to inform the CPU, which raises a fault message.
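The pulse test and the two-switch output stage described in the last three paragraphs are modelled below in Python; this is an added example, not code from the article or from any output module's firmware. Each of the two series switches is driven by its own microprocessor and has a test point whose voltage is compared with a threshold; the pulse test inverts one switch's command for at most 1 ms, checks that the test point follows both before and during the pulse, restores the command, and on failure stops the channel and sets the diagnostic bit. The 24 V supply, the 12 V threshold, the simplified test-point electrical model and the welded-switch fault are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

SUPPLY_V = 24.0       # assumed output supply
THRESHOLD_V = 12.0    # assumed comparison threshold for the test-point voltage
MAX_PULSE_MS = 1.0    # from the text: the test pulse never exceeds 1 ms


@dataclass
class Switch:
    commanded: bool = False
    stuck: Optional[bool] = None    # None = healthy; True = welded closed; False = stuck open

    def actual(self) -> bool:
        return self.commanded if self.stuck is None else self.stuck


@dataclass
class OutputChannel:
    """Two series switches, one per microprocessor. The load is energised only when
    both are closed. Each switch has a test point read by its own microprocessor;
    treating that test point as 'supply voltage iff the switch is closed' is the
    simplified electrical model assumed by this example."""
    s1: Switch = field(default_factory=Switch)   # driven by microprocessor 1
    s2: Switch = field(default_factory=Switch)   # driven by microprocessor 2
    diag: int = 0

    def test_point_v(self, sw: Switch) -> float:
        return SUPPLY_V if sw.actual() else 0.0

    def load_energised(self) -> bool:
        return self.s1.actual() and self.s2.actual()

    def command(self, on: bool) -> None:
        self.s1.commanded = on
        self.s2.commanded = on

    def pulse_test(self, sw: Switch, pulse_ms: float = 0.5) -> bool:
        """Verify that one switch can be both opened and closed without affecting the actuator."""
        if pulse_ms > MAX_PULSE_MS:
            raise ValueError("test pulse would be visible to the actuator")
        original = sw.commanded
        # The switch must already be in its commanded position before we pulse it.
        before_ok = (self.test_point_v(sw) > THRESHOLD_V) == original
        sw.commanded = not original                           # 1. change the switch command
        during_ok = (self.test_point_v(sw) > THRESHOLD_V) == sw.commanded   # 2. verify the result
        sw.commanded = original                               # 3. restore the correct command
        passed = before_ok and during_ok
        if not passed:
            self.diag = 1            # inform the CPU; it will raise a fault message
            self.command(False)      # stop the channel immediately
        return passed

    def cyclic_diagnosis(self) -> Dict[str, int]:
        """One diagnostic cycle: each microprocessor pulse-tests its own switch, and the
        results are exchanged so that both sides see the channel's overall verdict."""
        r1 = self.pulse_test(self.s1)
        r2 = self.pulse_test(self.s2)
        return {"s1_ok": int(r1), "s2_ok": int(r2), "diag": self.diag}


if __name__ == "__main__":
    welded = OutputChannel(s1=Switch(stuck=True))   # switch 1 can no longer open
    welded.command(False)
    print("welded switch 1:", welded.cyclic_diagnosis(), "load energised:", welded.load_energised())
```

The welded-closed case shows why both checks are needed: a switch that is stuck in the position you are about to command it to would pass a test that only looks at the reading during the pulse. It also shows why there are two switches in series: even with switch 1 welded shut, the load stays de-energised because switch 2 is still open, and the diagnostic bit tells the CPU that the channel has lost one of its two layers of protection.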

In summary, I hope everyone now has a better understanding of the difference between a safety PLC and an ordinary PLC. Through this introduction we have learned the three important concepts of safety product design. When you use safety-related products in future, what has been shared here should help you recognise that these safety products are designed differently from standard control products.
