"Ask the Experts" is moderated by Béla Lipták (http://belaliptakpe.com/), process control consultant and longtime editor of the Instrument Engineer's Handbook (IEH), 4th edition. Work is starting on the 5th edition. He is recruiting contributors/editors, and if you can participate in this effort, or if you have questions for our team of experts, please write to him at firstname.lastname@example.org.
Q: Is PLC processor redundancy worth the engineering cost and maintenance cost with the newer PLC systems, such as Modicon and Rockwell?
A: You have to determine the level of reliability needed. This need increases if your process is continuous, if your PLC serves safety functions, and if the industry you work in is critical (nuclear, space exploration, etc.)
Most vendors provide processor redundancy, and power supply redundancy is also common. If this is not enough, you can have a spare PLC that is kept in "shadow operation," and is switched on when the primary fails by simply by enabling its outputs.
The highest level of reliability is the voting system (usually referred to as 2oo3 or "two out of three") where three PLCs are synchronized and kept in operation. On every cycle their outputs are compared and selected (the "majority view"), while the "disagreeing" PLC is automatically alarmed for maintenance.
In critical applications—realizing that interfaces are subject to line transients, over-voltages and surges that cause point failure—triple-redundancy of the critical I/O points can also be provided with the voting logic being part of the PLC programming. Last and probably most important, you might consider redundancy on the input sources (valve status, voting multiple sensors, alarms, etc.)
A: Redundancy is one way to assure higher availability. One of the problems with redundancy is to know if/when a unit (PCL) has failed. Present day PLCs are extremely reliable if properly mounted, protected and cooled. They do not often just stop working. On the other hand, the I/O interfaces are subject to line transients, over-voltages and surges that cause point failure. For this reason, I often recommend redundancy of the I/O points and the use of voting logic directly in the PLC programming for critical points, rather than redundancy of the logic processor.
If you wish to have PLC redundancy, the only failure mode that is easy to detect is device total failure. Once a PLC unit has failed, then what? Do you have a spare already loaded with the same programming, but sitting idle? Idle spares will not have the control relays of the failed unit, and must begin without knowledge of the controlled process state. Therefore, an idle spare must drive the process to some known state, which can be very disruptive.
Alternatively, you may have a hot spare that, like the idle spare, has the same programming, but has been in shadow operation using all of the identical input logic and developing the same control relay information, but having outputs suppressed. Hot spares can be switched into operation simply by enabling outputs. This is reliable and easy to do when the primary unit fails. Unit failure is detected quickly with a diagnostic that may be a keep-alive relay that trips when the PLC itself fails to operate. This configuration is referred to as a 1oo2D (one out of two diagnostic) arrangement.
Finally, for ultimate protection, there is the 2oo3 (two out of three) arrangement that requires the synchronization of three PLCs operating with the same I/O and program logic. On every output, the result is compared by a voting circuit that selects one of the outputs that is identical with at least one other. If any output fails in this vote, the potential failure of the PLC producing that output is noted, and may result in that PLC being taken out of the loop if failures to agree with the two that agree with each other persist.
Meanwhile, don't worry about PLC reliability for any but the most critical of applications.
A: It depends on the number of I/O points in your system and how many field devices are being controlled. It also depends on the interdependence of devices controlled by the same PLC. This evaluation is required for basic process control systems (BPCS). For safety shutdown systems, the need for redundancy depends on the safety integrity level (SIL) calculations for the safety functions.
Hiten A. Dalal, PE, PMP
A: All systems fail; it's just a matter of when. Redundant systems fail less often (as it takes two simultaneous failures). Whether it's worth the expense or not depends on your down time costs. If you lose a million dollars due to an unplanned shutdown (e.g., a large refinery) then the cost is usually justifiable. If a failure has little impact, then it's often not worth the trouble or expense.
A: It entirely depends on your facility. If your process can stop and be down for a couple of hours while repairs are made, and then start back up with little or no financial consequence, redundancy is not cost-effective. On the other hand, if you have a process that takes a couple of weeks to reach steady state and produces hundreds of thousands of dollars per day of revenue, then it is most likely to be cost-effective. This question should be resolved by a cost-benefit analysis, where the cost of a nuisance shutdown is balanced against the cost of redundancy, using a 5-10 year mean time to failure (MTTF) for a typical, non-redundant industrial PLC.