Safety-Related Programmable Electronic Systems (PES)

in Plants with Hazard Potential

The following system specific indications refer to the HIMA HiQuad systems. General statements on
programmable electronic systems refer to all safety-related programmable electronic systems.

1 Characteristics of safety-related programmable electronic systems

Normal programmable electronic systems (PES) cannot be considered to be safety-related controls,

as in case of a failure the status of the outputs is undefined. Safe PES have to ensure that no imper-
missible, hazardous states occur during operation which may be due to internal and external influ-
ences such as component failures or electromagnetic interference. The safe state is – in accordance
with errors occurring outside a control – the switched-off, powerless state. Unlike conventional elec-
tronic controls or relays, PESs no longer have a causality between error cause and error effect.
Safety-related PESs distinguish between errors occurring before the PES is put into operation and
those occurring after the PES has been put into operation. For both types of errors strategies have to
be at hand which prevent errors or detect errors, respectively, and make the PES react in safe way.

Error source Error prevention measures

Operating system of the PLC
Function of the control,
programming
Verification of the programme
and the safety functions
Conversion of the program-
ming into the machine code
Manufacturing
Top-down design, modular structure,
inspection performed by an independent authority (e.g. TÜV) with
prototype test, certificate, report to the certificate with require-
ments.
Clear description of the function, must be understood,
e.g. language of function building blocks (ELOP II at HIMA),
syntax checks during entry.
Off-line test and on-line test.
Checklists, independent authorities, e.g. TÜV.
Automatic administration of memory locations.
Application of a proven compiler,
double compiling with code comparator,
Formation of signatures over the user programme.
Quality assurance measures,
Automatic tests during the module manufacturing process

Chart 1: Error sources and error prevention measures prior to commissioning

Error source Error detection measures

Random error in the hardware
Manipulation
External influences
Automatic tests during operation.
One central unit with two independent microprocessor systems
and comparison of results.
Formation of the version signature during operation.
Defined reaction in the case of an error (switch-off).
Blocking of functions, e. g. forcing of inputs/outputs,
Formation of run signature during operation.
Electromagnetic interference,
filters in the input circuits

Chart 2: Possible errors during operation and error control measures

Jülly, MA Safety-Related PLCs, Rev. 0 Page 1 of 17

During operation, individual errors which may lead to a hazardous state of operation are detected by
self-testing facilities within the fault tolerance time (1 sec min). The fault tolerance time is a process
related value which is often referred to as safety time in application guidelines.

Failures which have an effect only in combination with additional errors are detected by background
test within the multiple failure occurrence time. In the operating system it is defined as 3600 times the
safety time.

Automatic tests are distinguished as follows:

• Tests within the safety time (foreground tests):

Response time: immediately or within the safety time at the latest.
If for the process a safety time of 1 s is required, the cycle time must not exceed 500 ms.

• Tests within the multiple failure occurrence time (background tests)

They are performed one after the other in several cycles.
Response time: immediately or within the multiple failure occurrence time at the latest

2 Components of a safe PES

The safety-related HIMA PESs have a modular structure with 19 inch, 3 units high and 4 units (8
units) deep modules. One distinguishes between input modules, central units and output modules.

2.1 Safety-related input modules

The safety of input modules is achieved by automatic test routines performed during operation. In
case of an error occurring in one input channel, L signal is processed in digital circuits or the defined
error value in analogue circuits. For the user this response means the consistent continuation of the
wire-break safety idea (closed circuit current principle), which is common for safety circuits. The
switch-off by a sensor, due to a wire break or an error in the input amplifier, always means L signal in
logic processing.

2.2 Safety-related central unit, error response

The structure of a central unit is much more complex than that of the input/output modules. Even a
very large number of test routines is not enough to detect all errors. Therefore a second independent
microprocessor system with the same user programme was integrated into a central unit, and the
results of the two microprocessor systems are compared with each other.

One microprocessor system works with a memory in which the data are stored directly and the other
one with a memory holding the inverted data. A hardware comparator constantly compares whether
the data of the direct and the inverted memory are exactly inverse. If this is not the case or if the test
routines are negative, the complete central unit including the watchdog signal is switched off. This
means that a central unit operates with a 1oo2 structure with shut-down in the event of an error and it
can be used up to RC 6 /SIL 3 without any time limits.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 2 of 17

 Figure 1: Structure of a central unit in the HIQuad system

Two redundantly operating central units therefore form a 2oo4 architecture (HiQuad). Due to redun-
dant central modules having the same user programme, availability is achieved while the safety re-
mains the same. They communicate via a DPR (Dual Ported RAM) and each of these units has its
own IO bus. The simplified structure is shown in Figure 2.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 3 of 17

2. 3 Safety-related output modules

The safety of output modules is ensured by a second independent way of shut-down to achieve the
safe (powerless) state in case there is an error in an output channel. This includes automatic test rou-
tines comparing the output signal with the internal logic signal and switching the output channel inde-
pendent from the logic signal for a short time.

In the safety-related output modules three testable semiconductor switches are switched in series.
Thus the second required way of shut-down is integrated into the output module and is therefore re-
ferred to as safety shut-down. Furthermore the watchdog signal is involved by the central unit so that
in case of the failure of a central unit all output modules are safely switched off. There is nothing more
dangerous with safety-related PLCs than the “freezing”of output signals!

Figure 2 shows the detailed structure of a channel of an output module together with the control via
the IO bus and the watchdog signal of redundant central units. In comparison with Figure 1, their
structure is shown in a very simplified way.

Figure 2: Structure of an output module and connections to redundant central units

Jülly, MA Safety-Related PLCs, Rev. 0 Page 4 of 17

3 Structures of safety-related and highly available PESs

HIQuad technology means that RC 6 / SIL 3 is achieved by one central unit in the central area. A re-
dundant central module will just increase availability. The input/output modules are also designed for
up to RC 6 / SIL 3 and can also be connected redundantly to increase availability. Such a safety- re-
lated system can be used very easily and allows various system structures which are distinguished
only by the required availability.

3.1 Safety and normal availability (H41q-MS and H51q-MS systems)

The simplest system structure has one input and output module and one central module and is de-
signed for RC 6 /SIL 3.

Figure 3: Structure for safety up to RC 6 / SIL 3 and normal availability

Even such a simple system configuration features good availability. The reasons are the following:
• Application of high-quality industrial circuits in combination with a high standard of production
(SMD) results in high MTBF values (Mean Time Between Failures)
• The modular system structure with one central module and separate input/output modules in 19
inch technology, 3 units high allows the replacement of modules during operation
• The clear diagnostic display of defective modules minimises the MTTR (Mean Time To Restora-
tion).

1oo2 AND logic of two channels, shut-down in case of an error

1oo1D one-channel with diagnosis, shut-down in case of an error
1oo2D OR logic of two channels with diagnosis, defective channel is switched off
2oo4 2 parallel 1oo2 systems, in case of an error in a 1oo2 system the faulty system is
switched off while the functioning 1oo2 system keeps up operation.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 5 of 17

3.2 Safety and maximum availability (H41q-HRS and H51q-HRS systems)

Maximum availability is achieved when all components of safety-related circuits are redundant. The
signal from a sensor is connected to two independent input modules. This results in two input signals
which within the user programme and operated via an OR function or by the formation of the average
value in analogue circuits. Both central units receive the values via the DPR so that identical values
are processed in the two central units. Each central unit has its own output amplifiers and the output
amplifiers are switched in parallel to control the output elements.

Figure 4: Structure for safety up to RC 6 / SIL 3 and maximum availability

Any component error does not affect operation and the safety of the PLC. The defective input/output
module is switched off automatically and the position of this module is shown on the diagnostic dis-
play. After the replacement of the defective module, redundant operation is resumed automatically.

After the replacement of a central unit, the user programme has to be loaded. The central unit in op-
eration constantly tries to communicate with the other central unit. When the same user programme
with the same signature is downloaded in the central unit, the current data (e.g. actual values of tim-
ers etc.) are transferred to the other module. In the next cycle, redundant operation with both central
units is resumed.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 6 of 17

3.3 Safety and assigned availability (H41q-HS and H51q-HS systems)

A system with maximum availability like that shown in Figure 4 is not often required while a system
with normal availability like that shown in Figure is insufficient. Therefore a system with assigned
availability is mostly used (see Figure 5). Redundant central units are almost always used – mainly
because on-line changes during operation are required.

Figure 5: Structure for safety up to RC 6 / SIL 3 and assigned availability

Input modules can be used in single-channel, redundant or 2oo3 operation. In this case the user
should not only consider the availability of the electronic modules but also the safety of the sensors. If
there are no safety-related sensors, two sensors must be installed at the same measuring point and
the two signals must be operated via AND logic. If three sensors are installed at one measuring point,
the signals are carried via a 2oo3 selector circuit. In every case discrepancy monitoring of the two or
three sensors signals is required.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 7 of 17

4 Safe and redundant data transmission

The HIMA systems are designed for safe and redundant data transmission using open standards
such as

• Ethernet (IEEE 802.3) with TCP/IP for the connection to standard networks
• Ethernet (IEEE 802.3) with HIPRO-S for safety-related and redundant data transmission up to
RC 6 / SIL 3
• OPC (OLE (Object Linking and Embedding) for Process Control) for fast exchange of data with
any DCS or SCADA systems as well as for the connection to database systems
• PROFIBUS-DP (EN 50170) for networking in the field or DCS area
• MODBUS for the connection to process control systems

4.1 Communication via Ethernet

The big advantage of Ethernet is its high speed, its simple application on the basis of standard de-
vices as well as its global presence and acceptance. In HIMA systems Ethernet is used for safety-
related data transmission between HIMA systems or for reading and writing the values of variables
when the OPC software interface on the client server principle is applied.

Figure 6: Redundant safety-related communication via Ethernet up to RC 6 / SIL 3

including the connection of an OPC server

The connection to Ethernet is effected via self configuring modules. Very simple wiring is ensured by
the Twisted Pair (10BaseT) industrial standard with RJ-45 plug and a transmission rate of 10Mbit/s.
Standard hubs are used between the network segments and terminal devices which are also avail-
able with optical waveguide connections.

A bridge is used for the connection of the same or of different types of networks according to IEEE
802 and transmits messages/data bursts or filters them. A switch has the same function as the bridge,
however, the data are transmitted immediately after the identification of the receiver’s address and not
after they have been checked first. A router optimises the path selection in complex networks. It proc-
esses the IP address in the process.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 8 of 17

4.2 Data transmission media

All known media can be used for the transmission of data, also of data relevant for safety.

Satellit

Satellitenantenne Satellitenantenne

Modem ISDN Modem ISDN

Funkmodem Funkmodem

LWL LWL

Figure 7: Data transmission with various media

Data transmission safety is not based on the medium but on the protocol used. Besides safety the
availability of the data transmission is of great importance. Therefore all components involved in data
transmission in the HIMA systems can be used as redundant components.

However, any redundancy is only as good as the quality of its monitoring. Each data transmission
path including the redundant ones is tested automatically during operation. Any failed component is
signalled and may be replaced during operation. In the event of a failure of a single-channel data
transmission path or the total failure of a redundant transmission path, all data received are reset after
a definable period of time.

5 Programming of a safety-related PLC

5.1 Programming basis

The task to be performed by a control should be laid down in a specification. It is the basis for verify-
ing whether it has been correctly implemented in the user programme. The way of representation or
description depends on the task:

Combinatorial logic
• Cause and effect scheme
• Logic operation with functions and function building blocks
• Function blocks with specified characteristics

Sequence control systems

• Verbal description of the steps with stepping conditions and actuators to be controlled
• Flow diagrams according to DIN 40719, Part 6
• Stepping conditions and actuators to be controlled in matrix or chart form
• Definition of the marginal conditions, e.g. modes of operation, EMERGENCY OFF etc.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 9 of 17

In addition to the above, the field circuits, i.e. the kind of sensors and actuators, have to be specified:

Sensors (digital or analogue)

• Signal in normal operation of the PLC
(closed circuit current principle with digital sensors, life-zero with analogue sensors)
• Signal in the event of an error
• Determination of redundancies required by safety (1oo2, 2oo3)
with discrepancy monitoring and reaction in the event of an error

Actuators
• Position and activation in normal operation
• Safe reaction/position in case of shut-down or power failure

5.2 Programming according to IEC 1131-3

Today’s standard programming according to IEC 1131-3 knows 5 different programming languages:

FBL Function building block language

FSC Functional sequence chart
ST Structured text
IL Instruction list
LD Ladder diagram

Up to now HIMA has only implemented the function building block language and the sequence lan-
guage in ELOP II; the structured text is currently being prepared. Programming with the list of instruc-
tions or the ladder diagram does not meet the requirements of the general IEC 1508 safety standard.
A user programme for safety-related controls must be easily understood, comprehensible and easy to
change.

An essential characteristic of programming according to IEC 1131-3 is enclosing same functionalities

in functions or in function building blocks, respectively. Before programming starts, this requires a
thorough analysis of the task and the structuring of the user programme. Very often existing functions
or function building blocks can be used which may just have to be modified and which are copied into
the project library from the user’s, the company’s or a department’s library. For many PES program-
mers this means a radical change of views, as before the programmes often consisted of purely basic
functions (“spaghetti code”) and very often based on hard wired systems.

5.3 How to program the safety-related HIMA PESs

The following is an outline of programming:

• Specification of the control function as the basis of programming

• Writing of the user programme using functions and function building blocks (basic functions from
the IEC library, existing ones or to be self-defined from basic functions)
• Verification of the user programme by off-line simulation
• Compiling of the user programme with the C code generator
• The C code is compiled twice by the proven C compiler (GNU-CC) and the generated codes are
compared. By this method PC errors are detected.
• Loading of the machine code into the PLC with subsequent test
• Definition of the final parameters and start of safety-related operation.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 10 of 17

5.4 Protection against manipulation during operation of the safety-related PES

The code generator and the PES in operation automatically generate version numbers (signatures)
via the programme (programme version) and via the programme including parameters (RUN version).
During operation of the PES they can be called on the diagnostic display and be compared with the
programme printout. This way it cannot be detected which changes have been made, but it can be
seen that changes have been made.

In a safety-related PES, the system parameters should be adjusted in a way that a change of the pro-
gramme is not possible without loading it anew. In practice this means that the PES is switched off.
The operators of PESs which are in operation uninterruptedly for years refuse switching the PES off.
Therefore it is often determined specifically for the system which manipulations may be made during
safety-related operation of the PES. The operator is responsible for the authorisation of employees
and the required protective measures.

5.5 On-line- changes in a safety-related PES

On-line changes are only permissible after consultation with the test authority in charge. During the
complete on-line change process, the engineer in charge of the on-line change has to ensure that the
process is sufficiently monitored for safety by technical and other organisational measures. The
changes in the user programme have to be carefully tested by simulators before the programme is
transmitted to the PES.

On-line changes are possible in a PES with one a central unit. While the new user programme is be-
ing transmitted, the existing user programme is not being run and the outputs maintain their signal
status until the download of the new user programme is completed. This may result in result in con-
flicts with the required safety time of the PES. We therefore recommend making on-line changes only
in systems with redundant central units.

In systems with redundant central units, the second central unit continues running the old user pro-
gramme in MONO operation while the first central unit is being loaded. Then the newly loaded central
unit receives the current data from the other central unit in operation and starts MONO operation with
the new user programme. After the second central unit is downloaded, it receives the current data and
then both central units resume redundant operation.

6 Programming example for an oil burner

This example is to demonstrate the implementation of the requirements stated in Chapter 5. A user
programme for a burner constitutes a typical example of a sequential control which in each operation
phase has only one defined status. Therefore the operation phases themselves, the conditions for the
transition to the next operation phase and the outputs to be controlled in the individual phases can be
easily defined. The definition of the disturbances to be expected during operation is of special impor-
tance, if the expected check-back signals are not received within the pre-set time or if the flame is not
(no longer) detected.

Major burner controls often consist of several burners which may be supplied by different types of fuel
and may have a common purging. In this case we recommend defining one function building block for
the purging and one function block for each burner. The way of programming for these function build-
ing blocks can be completely taken over from the example.

For plants subject to acceptance by the authorities, we recommend consulting the authority in charge
as early as possible during the project planning stage.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 11 of 17

6.1 Specification of the Functions - overview

Operation phases 0 1 2 3 4 5 6 7 8 0

On/Off =& ====== ====== ====== ====== ====== ====== ====== ====/&
Air flap position max. =& ====== =
Air flap position min. ====== = =& ====== ====== ====== ====== ==
Signal flame =& ====== ====== ======

Purge time =====&

Ignition time =====&
Ignition stabilisation ====== =====&
time
Time release control =====&

Air flap
Ignition valve
Ignition transformer
Flame detector device
Oil valve
Release control
Lamp operation

Disturbance phases 11 12 14 15 16 17 17
Max. time to open air &
flap
Air flap max. position /& /&
Min. time to close air &
flap
Air flap min. position /&
Signal flame /& /& /& /&
Ignition stabilisation &
time

Disturbance phase 13
Signal flame &

Operat. phases Disturbance

phases
0 Ready 11 Air flap no max. position
1 Open air flap 12 Air flap no max. position during purge
2 Purge 13 Flame while purging
3 Close air flap 14 Air flap no min. position
4 Ignition ignition flame 15 No flame after ignition stabilisation
5 Ignition stabilisation 16 Flame failure after ignition
6 Ignition oil 17 Flame failure during operation
7 Operation
8 Operation and control
= H signal of input & scan for H signal /& scan for L signal H signal of output

Table 3: Overview of the specification of the function of an oil burner

The individual phases (states) of the burner are designated by numbers which cover both normal op-
eration (phases 0...8) and disturbances that may be expected in the burner (phases 11...17). These
values are represented by the “Step/Status”variable of the UINT type = Unsigned Integer, i.e. values
ranging from 0 to 65535 are possible. The type of variable is VAR_EXTERN within the function build-
ing blocks and VAR_GLOBAL within the user programme. The designations of the operation phases
are identical with the entity names of the “Step”building blocks in the programming of the function
building block.

The table states which input signals have to be available or after what period of time there is a transi-
tion to the next operation phase. The bottom part of the table shows which outputs are controlled in
which phase. The last section of the table shows the disturbances during operation. In the event of a
disturbance, outputs are not activated any longer and thus the safe state is achieved.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 12 of 17

6.2 The Oilburner function building block

Figure 8: Interface declaration of the Oilburner building block

The next step in programming is declaration of the interfaces of the function building block, i.e. the
layout of the function building block with the definition of the type and designation of the input and
output variables are determined. It is important to make sure that the designation of the inputs and
outputs is clear, comprehensible and meaningful.

6.3 The programme of the Oilburner building block

For each operation phase a self-defined function building block “Step”was used. The complexity of
the OELBREN-SA function building block is not determined by a great variety of different functions
and function building blocks but by the more frequent use of the same “Step” building block alone.
This can be easily seen at each “Step”function building block:

• Use of the function building block by assigning a meaningful entity name

• Conditions for switching on the clock frequency (previous step, time values of variables)
• Values of the Step variables (operation phase or disturbance phase)
• Which outputs are controlled in the individual operation phases based on the action blocks
• Branching after each phase into the next operation phase or disturbance phase

The listing of the “Step”function building blocks on the left of the sheet for the normal operation
phases and on the right for the disturbance phases also contributes to clarity. The correct implemen-
tation of the specification can be easily verified.

An off-line or on-line test of the function can also be performed very easily. If there are errors in pro-
gramming, an operation phase or disturbance phase can be set and the cause of a malfunction can
be quickly found.

Jülly, MA Safety-Related PLCs, Rev. 0 Page 13 of 17