SCHNEIDER Quantum Safety PLC: Complete Analysis of SIL3 Safety Control System
4. Operation mode and diagnosis
4.1 Security Mode and Maintenance Mode
Safe mode: default mode, prohibited from modification and maintenance, only allowed to start and stop PLC. All safety functions are activated and the diagnostic results have been fully evaluated.
Maintenance mode: used for debugging, forcing values, and modifying programs. The diagnosis is still running but the results have not been fully evaluated. The mandatory value remains unchanged when switching to safe mode.
Mode switching needs to be controlled through a key switch, Unity Pro XLS, or CPU keyboard. Modifications made in maintenance mode must comply with the requirements of IEC 61508 and refer to T Ü V's "Maintenance Override" document.
4.2 Diagnosis and Error Handling
The system has multi-level diagnosis:
CPU diagnosis: dual processor comparison, memory check, watchdog monitoring
I/O diagnosis: channel health status, communication CRC check, power monitoring
Communication diagnosis: Black channel protocol detects transmission errors, omissions, disguises, etc
Once an error is detected, the system behavior varies depending on the pattern:
In safe mode: enter error state, all safe outputs enter safe state
In maintenance mode: entering the shutdown state, communication and debugging can still be carried out
The error information is stored in the system words% SW125-% SW127 for subsequent analysis. When the I/O module fails, only the faulty channel enters a safe state, while the other channels continue to operate.
5. Communication Security and Network Integration
5.1 Secure Ethernet Peer to Peer Communication
By configuring NTP service, S-WR-ETH/S-RD-ETH function block, and IO scanning service, SIL3 level secure communication between PLCs can be achieved. This communication is based on a black channel mechanism, which can detect and manage transmission errors, delays, address errors, etc. All Ethernet devices (switches, NTP servers) do not contribute PFD/PFH values.
5.2 Write Protection and Memory Isolation
The secure memory area provides write protection for external devices such as HMI and other PLCs. The unrestricted memory area can receive external data, but it must be transferred to secure memory through the secure move function block before it can be used for secure logic. Unity Pro XLS checks this rule during editing and building to ensure data flow isolation.
5.3 Communication Restrictions
Do not use Ethernet or Modbus Plus to connect I/O modules
Prohibit the use of distributed I/O or fieldbus I/O
Allow Ethernet/Modbus Plus to be used for communication between PLCs or PLC-HMI, but read can only be for unlimited memory areas
6. Safety time and performance calculation
6.1 Process Safety Time (PST) and System Response Time
PST refers to the time window from the occurrence of equipment failure to the occurrence of hazardous events. The system response time must be less than PST, and its calculation formula is:
System response time=PLC response time+sensor time+actuator time
PLC response time=CPU response time+input module time+output module time
CPU response time=(2+N_CRC) x CPU cycle time
Among them, N_CRC is the maximum allowed number of consecutive CRC errors (1-3).
6.2 Maximum CPU cycle time calculation
When considering secure peer-to-peer communication, the maximum CPU cycle time must meet:
(1+N_CRC) x Max (CPU-sender cycle time)+Max (CPU-receiver cycle time)<PST - ∑ each link time
The timeout of the output module must be greater than the CPU cycle time to ensure that the safe state can be triggered in a timely manner in case of failure.
7. Configuration List and Implementation Suggestions
The manual provides multiple checklists covering configuration, programming, I/O modules, secure peer-to-peer communication, and operation and maintenance. Key recommendations include:
Use authenticated security and non-interference modules
Each rack is equipped with dual power supplies
Redundant I/O modules should be distributed in different remote stations
Enable all warning options during programming and review them one by one
Regularly backup projects and test recovery processes
Follow T Ü V documentation for maintenance and mandatory operations
8. Industry specific requirements
8.1 Fire and Gas System
Must comply with EN 54 standard, requirements:
Detect open/short circuits in the circuit and sound an alarm
power redundancy
Analog input requires monitoring of ground faults (leakage current), usually achieved through shunt resistors and grounding devices
8.2 Emergency Shutdown and Burner Management
The safety status is in power-off state. The burner system must comply with EN 298, ensuring that the entire time from detection to safe shutdown does not exceed 1 second, and the on-site power supply must be a 20-25 VDC regulated power supply.
- ABB
- General Electric
- EMERSON
- Honeywell
- HIMA
- ALSTOM
- Rolls-Royce
- MOTOROLA
- Rockwell
- Siemens
- Woodward
- YOKOGAWA
- FOXBORO
- KOLLMORGEN
- MOOG
- KB
- YAMAHA
- BENDER
- TEKTRONIX
- Westinghouse
- AMAT
- AB
- XYCOM
- Yaskawa
- B&R
- Schneider
- Kongsberg
- NI
- WATLOW
- ProSoft
- SEW
- ADVANCED
- Reliance
- TRICONEX
- METSO
- MAN
- Advantest
- STUDER
- KONGSBERG
- DANAHER MOTION
- Bently
- Galil
- EATON
- MOLEX
- DEIF
- B&W
- ZYGO
- Aerotech
- DANFOSS
- Beijer
- Moxa
- Rexroth
- Johnson
- WAGO
- TOSHIBA
- BMCM
- SMC
- HITACHI
- HIRSCHMANN
- Application field
- XP POWER
- CTI
- TRICON
- STOBER
- Thinklogical
- Horner Automation
- Meggitt
- Fanuc
- Baldor
- SHINKAWA
- Other Brands
-
BENTLY 128085-01 Keyphasor I/O Module (Internal Termination) -
BENTLY 128031-01 Proximitor Seismic I/O Module -
Bently Nevada 124761-01 8mm Proximity Probe -
Bently Nevada 128277-01 Half-Height Blank Panel -
Bently Nevada 128276-01 Communication Interface Module -
Bently Nevada 128275-01 Heavy Duty Drive Module -
Bently Nevada 3500/64M 140734-05 Dynamic Pressure Monitor -
ABB AX411/511010 Conductivity and pH Analyzer -
ABB AX411/511010 Single Input pH/ORP Analyzer -
BENTLY 1-536067-4 Proximitor Connector Lead -
BENTLY 3500/34 125696-01 TMR Relay Module -
BENTLY 125704-01 3500/32M I/O Module -
BENTLY 126632-01 Keyphasor I/O Module -
BENTLY 3500/25 125792-01 Keyphasor Module -
Bently Nevada 2300/25-00 Vibration Monitor -
Bently Nevada 3500/05-01-03-00-00-00 Rack -
Bently Nevada 3500/42M 140734-02 Monitor -
Bently Nevada 123M4610 Accelerometer -
Bently Nevada 3500/05-02-04-00-00-00 Rack -
Bently Nevada 3500/53 133388-01 Overspeed Detection Module -
Bently Nevada 3500/32 125712-01 Relay Module for Machinery Protection -
Bently Nevada 3500/20 125744-02 Rack Interface Module -
Bently Nevada 3500/40M 140734-01 Proximitor Monitor Module -
Bently Nevada 3500/60 163179-01 Temperature Monitor Module -
BENTLY 3500/22M 288055-01 Enhanced TDI Module -
BENTLY 3500/22M 146031-01 TDI Module -
BENTLY 133396-01 3500/22M I/O Module -
BENTLY 3500/34 TMR RMS Interface Module -
BENTLY 128275-01-E Proximitor I/O Module -
Bently Nevada 128276-011 Proximity Probe -
Bently Nevada 135489-03 Accelerometer -
Bently Nevada 135473-01 Seismic Transducer -
Bently Nevada 1900/55 General Purpose Monitor -
Bently Nevada ASSY78462-01U Proximitor Assembly -
Bently Nevada 330100-90-01 Proximity Probe for Vibration Monitoring -
Bently Nevada 330100-90-00 Proximity Probe for Machinery Monitoring -
Bently Nevada 132419-01 Proximitor Sensor for Vibration Monitoring -
Bently Nevada 10244-27-50-01 Proximity Probe Extension Cable -
Bently Nevada 22810-01-05-50-02 Proximity Probe System -
BENTLY 330980-51-00 3300 NSv Proximitor Sensor -
BENTLY 330130-045-00-00 3300 XL Extension Cable -
BENTLY 1X35668 Replacement Internal Module -
BENTLY 3300/16 Dual XY Vibration Monitor -
BENTLY 3500/15 133292-01 High Availability Power Supply -
Bently Nevada 3500/62 163179-03 Process Monitor -
Allen-Bradley 80190-100-01-R*3 Output Module -
Allen-Bradley 80190-099-01 Analog Module -
Allen-Bradley 80190-479-01 I/O Module -
Allen-Bradley 80190-480-01-R Control Module -
Bently 3500/15 125840-01 Power Supply Module -
Bently 24765-02-01 Signal Conditioner Module -
Bently 330130-085-00-00 Extension Cable -
Bently 3500/22M 138607-01 Vibration Monitor Module -
Bently 146031-02 Proximity Probe Sensor -
BENTLY 330104-00-05-10-02-CN Proximity Probe -
BENTLY 125768-01 3500 I/O Module Interface -
BENTLY 3500/92 136180-01 Communication Gateway -
BENTLY 84152-01 Proximitor Sensor Cable -
BENTLY 3300/20 Dual Driver Proximitor Housing -
BENTLY 3300/16-11-01-03-00-00-01 16-Channel Monitor -
DEIF PPU-3 Power Protection Unit for Genset Control -
DEIF RMV-112D Reactive Power Divider and Voltage Matching Relay -
DEIF OPM-1 Output Protection Module for Gensets -
DEIF IPM-1 Integrated Protection Module for Generators -
DEIF CM-2 Control Module for Industrial Power Systems -
DEIF PSM-1 Power System Manager Module -
DEIF DELOMATIC-3 DGU2 Automatic Generator Control Unit -
DEIF DLQ144-PC-NB Power Monitoring Meter -
DEIF DU-2/MKIII Voltage Relay Controller -
DEIF IOM4.2 Input/Output Module for Power Management -
DEIF SCM-1 Synchronizing Control Module -
DEIF GPU/2/GS Genset Parallel Unit Controller -
EMERSON PR6426/010-110 CON021 Proximity System -
EMERSON PR6423/011-110+C0N021 Proximity Sensor System -
DEIF LSU-112DG Load Sharing Unit -
DEIF PCM4.4 Advanced Power Control Module -
DEIF TAC-311DG Transducer for AC Voltage -
DEIF SCM4.1 Engine Start Control Module -
DEIF PCM4.3 Power Control Module -
Emerson 2500M/AI4UNIV Universal Analog Input Module -
Emerson PR6424/011-140 Eddy Current Sensor -
Emerson KJ3242X1-BK1 12P4711X042 Analog Input Module -
Emerson FX-316 960132-01 Control Processor Module -
Emerson KJ4006X1-BD1 Power Supply Module -
EMERSON 1C31181G01 Ovation Analog Output Module -
EMERSON CE4003S2B6 DeltaV Analog Module -
EMERSON KJ4001X1-CK1 DeltaV I/O Carrier Card -
EMERSON VE4012S2B1 DeltaV I/O Module Specifications -
EMERSON SS6501T01 DeltaV System Assembly Technical Overview -
Emerson A6370D/DP Display -
Emerson P188.R2 Power Supply -
Emerson A6824R 24-Ch Relay -
Emerson KJ2201X1-JA1 Serial -
Emerson VE3008 Main Controller -
Emerson VE3008 CE3008 KJ2005X1-MQ1 Controller Module -
Emerson TPMC917 Embedded Processor Module -
Emerson P152.R4 Industrial Control Module -
Emerson DA7281520 P152 Power Module -
Emerson PR6423/008-110 Eddy Current Sensor -
EMERSON 5X00273G01 Ovation DCS Digital Output Module -
EMERSON KJ4001X1-NB1 12P3368X012 REV:E Redundant Controller Backplane -
EMERSON KJ4001X1-NA1 12P3373X012 REV:C Intrinsically Safe Interface -
EMERSON KJ4001X1-BE1 12P0818X072 REV:L DeltaV I/O Carrier -
EMERSON KJ2221X1-BA1 DeltaV SIS SISNet Repeater Module -
EMERSON PR6423/000-131 Eddy Current Sensor -
EMERSON 5X00790G01 Ovation Digital Output Module -
EMERSON 5X00846G01 Ovation Analog Input Module -
EMERSON KJ4110X1-BA1 DeltaV Power Supply Base -
EMERSON CSI3125 A3125/022-020 Dual Channel Monitor -
EMERSON A6740 Displacement Case Expansion Monitor -
EMERSON A6312/06 Speed Monitoring Module -
EMERSON KJ4001X1-BE1 DeltaV Carrier Module -
EMERSON SE3008 KJ2005X1-MQ2 DeltaV Controller -
EMERSON KJ4001X1-CA1 DeltaV Terminal Block -
Emerson PR6423/00R-010 CON031 Eddy Current Probe System -
Emerson A6824 9199-00090 Operator Workstation -
Emerson A6410 9199-00005 Operator Workstation -
Emerson A6110 9199-00001 Operator Workstation -
Emerson 9199-00002 A6120 Operator Workstation -
Emerson KJ3002X1-BF1 12P1732X042 FIELDVUE DVC6200 -
Emerson 5X00500G01 Ovation Analog Output Module -
Emerson VE4001S2T2B4 DeltaV Controller Module -
Emerson 5X00502G01 Ovation Analog Input Module -
Emerson A6824R 9199-00098-13 Operator Workstation -
EMERSON A6140 9199-00058 Dual Channel Monitor -
EMERSON VE3007 KJ2005X1-BA1 DeltaV Controller -
EMERSON DB1-1 Connection Termination Block -
EMERSON PMC-IO-ADAPTER Mezzanine Interface Card
