SCHNEIDER Quantum Safety PLC: Complete Analysis of SIL3 Safety Control System

4. Operation mode and diagnosis

4.1 Security Mode and Maintenance Mode

Safe mode: default mode, prohibited from modification and maintenance, only allowed to start and stop PLC. All safety functions are activated and the diagnostic results have been fully evaluated.

Maintenance mode: used for debugging, forcing values, and modifying programs. The diagnosis is still running but the results have not been fully evaluated. The mandatory value remains unchanged when switching to safe mode.

Mode switching needs to be controlled through a key switch, Unity Pro XLS, or CPU keyboard. Modifications made in maintenance mode must comply with the requirements of IEC 61508 and refer to T Ü V's "Maintenance Override" document.

4.2 Diagnosis and Error Handling

The system has multi-level diagnosis:

CPU diagnosis: dual processor comparison, memory check, watchdog monitoring

I/O diagnosis: channel health status, communication CRC check, power monitoring

Communication diagnosis: Black channel protocol detects transmission errors, omissions, disguises, etc

Once an error is detected, the system behavior varies depending on the pattern:

In safe mode: enter error state, all safe outputs enter safe state

In maintenance mode: entering the shutdown state, communication and debugging can still be carried out

The error information is stored in the system words% SW125-% SW127 for subsequent analysis. When the I/O module fails, only the faulty channel enters a safe state, while the other channels continue to operate.

5. Communication Security and Network Integration

5.1 Secure Ethernet Peer to Peer Communication

By configuring NTP service, S-WR-ETH/S-RD-ETH function block, and IO scanning service, SIL3 level secure communication between PLCs can be achieved. This communication is based on a black channel mechanism, which can detect and manage transmission errors, delays, address errors, etc. All Ethernet devices (switches, NTP servers) do not contribute PFD/PFH values.

5.2 Write Protection and Memory Isolation

The secure memory area provides write protection for external devices such as HMI and other PLCs. The unrestricted memory area can receive external data, but it must be transferred to secure memory through the secure move function block before it can be used for secure logic. Unity Pro XLS checks this rule during editing and building to ensure data flow isolation.

5.3 Communication Restrictions

Do not use Ethernet or Modbus Plus to connect I/O modules

Prohibit the use of distributed I/O or fieldbus I/O

Allow Ethernet/Modbus Plus to be used for communication between PLCs or PLC-HMI, but read can only be for unlimited memory areas

6. Safety time and performance calculation

6.1 Process Safety Time (PST) and System Response Time

PST refers to the time window from the occurrence of equipment failure to the occurrence of hazardous events. The system response time must be less than PST, and its calculation formula is:

System response time=PLC response time+sensor time+actuator time

PLC response time=CPU response time+input module time+output module time

CPU response time=(2+N_CRC) x CPU cycle time

Among them, N_CRC is the maximum allowed number of consecutive CRC errors (1-3).

6.2 Maximum CPU cycle time calculation

When considering secure peer-to-peer communication, the maximum CPU cycle time must meet:

(1+N_CRC) x Max (CPU-sender cycle time)+Max (CPU-receiver cycle time)<PST - ∑ each link time

The timeout of the output module must be greater than the CPU cycle time to ensure that the safe state can be triggered in a timely manner in case of failure.

7. Configuration List and Implementation Suggestions

The manual provides multiple checklists covering configuration, programming, I/O modules, secure peer-to-peer communication, and operation and maintenance. Key recommendations include:

Use authenticated security and non-interference modules

Each rack is equipped with dual power supplies

Redundant I/O modules should be distributed in different remote stations

Enable all warning options during programming and review them one by one

Regularly backup projects and test recovery processes

Follow T Ü V documentation for maintenance and mandatory operations

8. Industry specific requirements

8.1 Fire and Gas System

Must comply with EN 54 standard, requirements:

Detect open/short circuits in the circuit and sound an alarm

power redundancy

Analog input requires monitoring of ground faults (leakage current), usually achieved through shunt resistors and grounding devices

8.2 Emergency Shutdown and Burner Management

The safety status is in power-off state. The burner system must comply with EN 298, ensuring that the entire time from detection to safe shutdown does not exceed 1 second, and the on-site power supply must be a 20-25 VDC regulated power supply.