Quantum Safety PLC is a safety-related system developed by Schneider Electric on the basis of the Quantum series programmable logic controller (PLC), designed specifically to meet the functional safety requirements of the IEC 61508 standard. The system is certified by TÜV Rheinland and supports applications up to SIL3, covering safety functions in low demand mode (PFD ≥ 10⁻⁴ to < 10⁻³) and in high demand mode (PFH ≥ 10⁻⁸ to < 10⁻⁷). Its safe state is defined as the de-energized state, which suits critical industrial processes such as emergency shutdown, burner management, fire protection, and gas systems.
In addition to IEC 61508, the PLC complies with several international and industry standards, including IEC 61131-2, IEC 62061, EN ISO 13849, NFPA 85/86, EN 54 and EN 298, giving it a wide range of applicability. The system must use the certified safety firmware and the Unity Pro XLS programming software to ensure safety compliance across the full chain from hardware to software.
2. Hardware architecture and security mechanisms
2.1 Secure CPU and Dual Execution Architecture
Quantum Safety PLC provides two types of safety CPUs:
140 CPU 651 60S: used in standalone systems
140 CPU 671 60S: used in Hot Standby high-availability systems
Internally, the CPU uses a dual-processor architecture (an Intel Pentium and an application processor) that executes the same safety logic in independent memory areas and compares the two results at the end of each cycle. This dual code generation and execution mechanism can effectively detect:
Systematic errors in code generation (through compiler diversity)
Systematic errors during code execution
Random errors in CPU and RAM
The CPU has built-in hardware and firmware watchdogs that monitor PLC activity and the execution time of the user logic. Static memory (Flash, PCMCIA card, RAM) is verified through cyclic redundancy checks (CRC) and dual code execution; dynamic memory is protected through dual code execution and periodic memory testing.
2.2 Safety I/O modules
The system supports three types of certified safety I/O modules:
140 SAI 940 00S: Safety analog input (8 channels, 4-20 mA)
140 SDI 953 00S: Safety digital input
140 SDO 953 00S: Safety digital output
All safety I/O modules use a dual-microcontroller design, running the same program and cross-checking regularly. The modules can be installed in the local backplane or in a remote I/O drop, and communicate with the CPU through a "black channel" protocol so that errors introduced during data transmission can be detected. The modules have comprehensive diagnostics, including wire-break detection, overload, out-of-range and power monitoring, and support redundant configuration to improve availability (redundancy does not raise the safety level).
2.3 Non-interfering modules and power supply
The system allows non-interfering modules to be used to add non-safety functions, such as:
Backplanes (140 XBP 006/010/016 00)
Remote I/O adapters (140 CRP 932 00 / 140 CRA 932 00)
Ethernet module (140 NOE 771 11)
Standard digital/analog I/O modules
These modules take no part in the execution of safety functions, and their faults do not affect the safety modules. The power supply modules (140 CPS 124 20 / 140 CPS 224 00) are certified but do not contribute to the PFD/PFH values. It is recommended to equip each rack with dual power supplies for redundancy.
3. Programming and software requirements
3.1 Programming Environment and Language Limitations
Only Unity Pro XLS (the XL Safety version) may be used to program SIL3 projects. The software provides project protection, self-checking functions, and a library of safety function blocks. Programming languages are limited to:
Function Block Diagram (FBD)
Ladder diagram (LD)
The ST, IL and SFC languages are prohibited, as are subroutines, interrupt tasks, conditional section execution, and jump labels. All safety logic must be written in sections of the MAST task.
3.2 Data and Memory Management
Memory is divided into a safety memory area and an unrestricted memory area (UMA):
Safety memory area: write-protected, used for processing safety-related data
Unrestricted memory area: writable, but its data must be transferred into the safety memory area through the safe move function blocks (s_SMOVE-BIT/s_SMOVE_SWORD) before it can be used
Only elementary data types (BOOL, INT, WORD, etc.) and simple arrays are allowed; derived data types are prohibited. All variables must be located variables whose addresses lie within a valid memory range.
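To make the mechanisms of sections 2.1 and 3.2 concrete, here is an added behavioural model (constructed for this page, not Schneider Electric code) of one MAST cycle: the same safety function executed twice in diverse form, an end-of-cycle compare, a watchdog on cycle time, and a setpoint that reaches the safety area only through a guarded move from the UMA. The class name, the pressure setpoint, the watchdog limit and the `s_move` semantics are assumptions for illustration.

```python
"""Constructed model of a Quantum Safety PLC cycle (not vendor code):
diverse dual execution, end-of-cycle compare, watchdog, guarded UMA move."""

PRESSURE_LIMIT_DEFAULT = 8.0   # constructed setpoint (bar), lives in safety memory


class SafetyPLC:
    def __init__(self, watchdog_ms=50.0):
        self.watchdog_ms = watchdog_ms              # assumed cycle-time limit
        self.safety_mem = {"pressure_limit": PRESSURE_LIMIT_DEFAULT}
        self.uma = {}                                # unrestricted area, writable
        self.energized = True                        # safe state = de-energized
        self.fault = None                            # latched until explicit reset

    def s_move(self, name, expected_type):
        """Guarded UMA -> safety memory transfer (models the safe move blocks):
        only an elementary value of the declared type is accepted."""
        value = self.uma.get(name)
        if type(value) is not expected_type:         # derived or wrong type
            return False
        self.safety_mem[name] = value
        return True

    @staticmethod
    def _channel_a(estop_ok, pressure, limit):
        return estop_ok and pressure < limit

    @staticmethod
    def _channel_b(estop_ok, pressure, limit):
        # Same function in a diverse (De Morgan) formulation, so one systematic
        # code-generation error is unlikely to corrupt both channels alike.
        return not ((not estop_ok) or (pressure >= limit))

    def cycle(self, estop_ok, pressure, cycle_ms, inject_bitflip=False):
        """Run one cycle; returns True only if outputs stay energized."""
        if self.fault:                               # latched fault: stay safe
            return False
        limit = self.safety_mem["pressure_limit"]    # read from safety area only
        a = self._channel_a(estop_ok, pressure, limit)
        b = self._channel_b(estop_ok, pressure, limit)
        if inject_bitflip:                           # simulate a random RAM/CPU error
            b = not b
        if cycle_ms > self.watchdog_ms:
            self.fault = "watchdog"
        elif a != b:
            self.fault = "channel mismatch"
        self.energized = False if self.fault else (a and b)
        return self.energized
```

A mismatch or a watchdog overrun both drive the model into the de-energized safe state and latch there; a setpoint written into the UMA has no effect until `s_move` accepts it.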
3.3 Safety Function Block Library
Unity Pro XLS provides a certified library of safety function blocks covering mathematical operations, comparison, logic, statistics, timers, type conversion, high availability, and hot standby. Key function blocks include:
S-AISIL2/S-DISIL2: for selecting and monitoring redundant analog/digital inputs
S-HSBY_SWAP: for switching between the primary and standby CPUs in hot standby systems
S-WR-ETH/S-RD-ETH: for safe Ethernet peer-to-peer communication