# How to Design Fail Safe PLC System: Key Steps and Example

To design a fail safe PLC system, implement redundancy with backup CPUs and power supplies, use error detection and diagnostics, and program safe shutdown sequences. Incorporate watchdog timers and regular system health checks to ensure the system can detect faults and respond safely.

## Syntax
A fail safe PLC system design involves these key parts:
- Redundancy: Duplicate critical components like CPUs and power supplies.
- Error Detection: Use diagnostics and watchdog timers to detect faults.
- Safe Shutdown: Program the PLC to enter a safe state on error.
- Communication Monitoring: Check network and I/O health continuously.
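The redundancy item above only says to duplicate components; what makes duplication fail safe is the logic that compares the copies. The following Python model is an added example, not code from the original article, and goes beyond the article's text by showing one concrete scheme: a two-out-of-three (2oo3) vote over three redundant channel readings (the names `vote_2oo3` and `VoteResult`, and the tolerance values, are this example's own). A channel that disagrees with the majority is flagged for diagnostics while the plant keeps running on the remaining agreement; if no two channels agree, there is no trustworthy value and the program must go to its safe state.

```python
"""2oo3 voting over redundant channels (added example; not the article's code)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class VoteResult:
    value: Optional[float]    # voted process value; None when no safe majority exists
    faulted: Tuple[int, ...]  # indices of channels that disagree with the majority
    safe_state: bool          # True when the PLC must drive outputs to their safe state


def vote_2oo3(readings: Sequence[float], tolerance: float) -> VoteResult:
    """Two-out-of-three majority vote over three redundant readings.

    Two channels agree when their readings differ by at most `tolerance`.
    The voted value is the mean of the largest agreeing group; any channel
    outside that group is reported as faulted so diagnostics can raise an
    alarm while the plant keeps running. If no two channels agree there is
    no trustworthy value and the caller must go to the safe state.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    # agrees[i][j] is True when channel i and channel j are within tolerance.
    agrees = [[abs(readings[i] - readings[j]) <= tolerance for j in range(3)]
              for i in range(3)]
    # Channel whose agreement set (itself included) is largest; ties pick the lowest index.
    leader = max(range(3), key=lambda i: sum(agrees[i]))
    group = [j for j in range(3) if agrees[leader][j]]
    if len(group) < 2:
        # Every channel disagrees with every other: no majority, go safe.
        return VoteResult(value=None, faulted=(0, 1, 2), safe_state=True)
    value = sum(readings[j] for j in group) / len(group)
    faulted = tuple(j for j in range(3) if j not in group)
    return VoteResult(value=value, faulted=faulted, safe_state=False)


if __name__ == "__main__":
    # Constructed sample readings (e.g. three pressure transmitters, in bar).
    print(vote_2oo3([10.0, 10.5, 11.0], tolerance=0.6))   # all agree, no fault
    print(vote_2oo3([10.0, 10.1, 50.0], tolerance=1.0))   # channel 2 faulted, keep running
    print(vote_2oo3([10.0, 20.0, 30.0], tolerance=1.0))   # no majority, safe state
```

The single faulted channel is the case redundancy is meant to survive: the vote keeps a valid value and only raises a diagnostic. A second discrepancy removes the majority, and the design then falls back to the safe state rather than trusting any one reading.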
```structured_text
(* Example of watchdog timer setup in Structured Text *)
PROGRAM FailSafeWatchdog
VAR
    WatchdogTimer : TON;          (* Timer On Delay *)
    SystemOK      : BOOL := TRUE; (* Health signal driven by diagnostics; FALSE = fault *)
END_VAR

(* The timer runs while the health signal is missing and is reset in every
   scan in which SystemOK is TRUE. Q becomes TRUE only after SystemOK has
   been FALSE continuously for PT, i.e. when the watchdog times out. *)
WatchdogTimer(IN := NOT SystemOK, PT := T#5S);

IF WatchdogTimer.Q THEN
    (* Watchdog timed out: trigger safe shutdown *)
    SafeShutdown();
END_IF;

(* SafeShutdown is a user-defined procedure to stop outputs safely *)
END_PROGRAM
```

## Example
This example shows simple fail safe logic using a watchdog timer and a safe shutdown procedure in Structured Text. The watchdog timer is reset while the system is healthy; if it times out, the system triggers a safe shutdown.

```structured_text
PROGRAM FailSafeExample
VAR
    WatchdogTimer : TON;           (* Timer On Delay *)
    SystemOK      : BOOL := TRUE;  (* Health signal from diagnostics; FALSE = fault *)
    OutputSafe    : BOOL := FALSE; (* Outputs stay off until the check has passed *)
END_VAR

(* Run the watchdog while the health signal is missing; a healthy scan resets it *)
WatchdogTimer(IN := NOT SystemOK, PT := T#3S);

IF WatchdogTimer.Q THEN
    (* Watchdog timed out, trigger safe shutdown *)
    OutputSafe := FALSE;           (* Turn off outputs *)
ELSE
    OutputSafe := TRUE;            (* Normal operation *)
END_IF;

(* Simulate safe shutdown procedure *)
IF NOT OutputSafe THEN
    (* Code to safely stop machinery *)
    (* e.g., close valves, stop motors *)
END_IF;
END_PROGRAM
```

## Output

OutputSafe = TRUE while the system is healthy; OutputSafe = FALSE triggers the safe shutdown once the watchdog times out.
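The article's advice to test fail safe logic under fault conditions is easiest to follow with a scan-cycle model that runs on a workstation before the logic is loaded on a controller. The Python below is an added example, not the article's own code: it reproduces the TON semantics and the watchdog structure of the example above, and then injects a fault by freezing the monitored signal. Two choices are this example's own and go beyond the article: the watchdog is fed a toggling heartbeat bit rather than a static TRUE level, so a hung task that leaves the bit stuck is also detected, and the trip latches until an explicit `reset()` while the heartbeat is present (the names `TON`, `FailSafeProgram` and `simulate`, and the 100 ms scan period, are assumptions for the model).

```python
"""Scan-cycle model of a PLC watchdog (added example; not the article's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TON:
    """Minimal IEC 61131-3 on-delay timer (TON) model.

    Q becomes TRUE once IN has been TRUE for PT; any scan in which IN is
    FALSE resets the elapsed time, as in the Structured Text above.
    Time advances by the scan period dt_ms on every call.
    """
    pt_ms: int
    et_ms: int = 0
    q: bool = False

    def call(self, in_: bool, dt_ms: int) -> bool:
        if in_:
            self.et_ms = min(self.et_ms + dt_ms, self.pt_ms)
        else:
            self.et_ms = 0
        self.q = in_ and self.et_ms >= self.pt_ms
        return self.q


@dataclass
class FailSafeProgram:
    """One PLC program: outputs are enabled only while the watchdog is satisfied."""
    watchdog: TON = field(default_factory=lambda: TON(pt_ms=3000))
    last_heartbeat: bool = False
    tripped: bool = False      # latched: stays set until reset() is honoured
    output_safe: bool = False  # FALSE = outputs forced to their safe state

    def scan(self, heartbeat: bool, dt_ms: int) -> bool:
        """One scan cycle. Returns the OutputSafe value for this scan."""
        # A heartbeat *edge* (the bit changing) proves the monitored task is
        # still running; a bit stuck at TRUE or FALSE counts as missing.
        edge = heartbeat != self.last_heartbeat
        self.last_heartbeat = heartbeat
        # The timer runs while no edge arrives; an edge resets it.
        if self.watchdog.call(not edge, dt_ms):
            self.tripped = True  # timeout: latch the trip
        self.output_safe = not self.tripped
        return self.output_safe

    def reset(self) -> bool:
        """Operator reset; only honoured while the watchdog is not timed out."""
        if not self.watchdog.q:
            self.tripped = False
        return not self.tripped


def simulate(heartbeat_period_ms: int, stop_heartbeat_at_ms: int,
             total_ms: int, dt_ms: int = 100, pt_ms: int = 3000) -> Optional[int]:
    """Drive the program with a constructed heartbeat and inject a fault.

    The heartbeat toggles every heartbeat_period_ms until stop_heartbeat_at_ms,
    after which it is frozen (the monitored task 'hangs'). Returns the scan
    time in ms at which the outputs were first forced safe, or None if the
    watchdog never tripped within total_ms.
    """
    prog = FailSafeProgram(TON(pt_ms))
    heartbeat = False
    t = 0
    while t < total_ms:
        t += dt_ms
        if t <= stop_heartbeat_at_ms and t % heartbeat_period_ms == 0:
            heartbeat = not heartbeat
        if not prog.scan(heartbeat, dt_ms):
            return t
    return None


if __name__ == "__main__":
    print("healthy heartbeat, trip at:", simulate(500, 10_000, 10_000))      # None
    print("heartbeat frozen at 2 s, trip at:", simulate(500, 2_000, 10_000))  # 5000
    print("heartbeat never starts, trip at:", simulate(500, 0, 10_000))      # 3000
```

The three runs are the fault cases worth checking for any watchdog: a healthy heartbeat never trips, a heartbeat that freezes trips exactly PT after its last edge, and a heartbeat that never starts trips PT after power-up instead of silently enabling outputs.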
## Common Pitfalls
- Not implementing redundancy can cause total system failure if one component fails.
- Ignoring watchdog timers or diagnostics leads to undetected faults.
- Failing to program safe shutdown sequences risks unsafe machine states.
- Overlooking communication checks can cause missed error signals.
Always test fail safe logic under fault conditions to verify correct behavior.
```structured_text
(* Wrong: No watchdog timer, no safe shutdown *)
PROGRAM UnsafeExample
VAR
    OutputSafe : BOOL := TRUE;
END_VAR
(* Outputs always on, no fault detection *)
END_PROGRAM

(* Right: Add watchdog and safe shutdown *)
PROGRAM SafeExample
VAR
    WatchdogTimer : TON;
    SystemOK      : BOOL := TRUE;  (* Health signal from diagnostics; FALSE = fault *)
    OutputSafe    : BOOL := FALSE;
END_VAR
(* Timer runs while the health signal is missing; a healthy scan resets it *)
WatchdogTimer(IN := NOT SystemOK, PT := T#3S);
IF WatchdogTimer.Q THEN
    OutputSafe := FALSE; (* Safe shutdown *)
ELSE
    OutputSafe := TRUE;
END_IF;
END_PROGRAM
```

## Quick Reference
| Fail Safe PLC Design Element | Description |
|---|---|
| Redundancy | Duplicate CPUs, power supplies, and critical modules |
| Watchdog Timer | Detects system hangs and triggers safe shutdown |
| Error Detection | Use diagnostics to monitor hardware and software faults |
| Safe Shutdown | Program outputs to safe states on error |
| Communication Monitoring | Continuously check network and I/O health |
## Key Takeaways
- Implement redundancy to avoid single points of failure in your PLC system.
- Use watchdog timers and diagnostics to detect faults early.
- Always program safe shutdown procedures to protect people and equipment.
- Monitor communication and I/O health continuously for reliable operation.
- Test your fail safe logic regularly under fault conditions.