Distributed Control / Flow

PLC Redundancy: How Much is Enough?

Is PLC Processor Redundancy Worth the Engineering Cost and Maintenance Cost? What Device Should I Use to Measure Flow of Liquid Sodium in Hazardous Environments?

"Ask the Experts" is moderated by Béla Lipták (http://belaliptakpe.com/), process control consultant and longtime editor of the Instrument Engineer's Handbook (IEH), 4th edition. Work is starting on the 5th edition. He is recruiting contributors/editors, and if you can participate in this effort, or if you have questions for our team of experts, please write to him at liptakbela@aol.com.

Q: Is PLC processor redundancy worth the engineering cost and maintenance cost with the newer PLC systems, such as Modicon and Rockwell?

Brian Arrington

A: You have to determine the level of reliability needed. This need increases if your process is continuous, if your PLC serves safety functions, and if the industry you work in is critical (nuclear, space exploration, etc.).

Most vendors provide processor redundancy, and power supply redundancy is also common. If this is not enough, you can have a spare PLC that is kept in "shadow operation," and is switched on when the primary fails simply by enabling its outputs.

The highest level of reliability is the voting system (usually referred to as 2oo3 or "two out of three") where three PLCs are synchronized and kept in operation. On every cycle their outputs are compared and selected (the "majority view"), while the "disagreeing" PLC is automatically alarmed for maintenance.

In critical applications—realizing that interfaces are subject to line transients, over-voltages and surges that cause point failure—triple-redundancy of the critical I/O points can also be provided with the voting logic being part of the PLC programming. Last and probably most important, you might consider redundancy on the input sources (valve status, voting multiple sensors, alarms, etc.).

Béla Lipták

A: Redundancy is one way to assure higher availability. One of the problems with redundancy is to know if/when a unit (PLC) has failed. Present day PLCs are extremely reliable if properly mounted, protected and cooled. They do not often just stop working. On the other hand, the I/O interfaces are subject to line transients, over-voltages and surges that cause point failure. For this reason, I often recommend redundancy of the I/O points and the use of voting logic directly in the PLC programming for critical points, rather than redundancy of the logic processor.

If you wish to have PLC redundancy, the only failure mode that is easy to detect is device total failure. Once a PLC unit has failed, then what? Do you have a spare already loaded with the same programming, but sitting idle? Idle spares will not have the control relays of the failed unit, and must begin without knowledge of the controlled process state. Therefore, an idle spare must drive the process to some known state, which can be very disruptive.

Alternatively, you may have a hot spare that, like the idle spare, has the same programming, but has been in shadow operation using all of the identical input logic and developing the same control relay information, but having outputs suppressed. Hot spares can be switched into operation simply by enabling outputs. This is reliable and easy to do when the primary unit fails. Unit failure is detected quickly with a diagnostic that may be a keep-alive relay that trips when the PLC itself fails to operate. This configuration is referred to as a 1oo2D (one out of two diagnostic) arrangement.

Finally, for ultimate protection, there is the 2oo3 (two out of three) arrangement that requires the synchronization of three PLCs operating with the same I/O and program logic. On every output, the result is compared by a voting circuit that selects one of the outputs that is identical with at least one other. If any output fails in this vote, the potential failure of the PLC producing that output is noted, and may result in that PLC being taken out of the loop if failures to agree with the two that agree with each other persist.

Meanwhile, don't worry about PLC reliability for any but the most critical of applications.

Dick Caro
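The 2oo3 voting described in the Lipták and Caro answers above, written out as an added example (not code from the column or from any PLC vendor): each scan cycle it selects the majority view, alarms the disagreeing unit, and takes a unit out of the loop once its miscompares persist. Unit names, the miscompare threshold and the use of None for a failed keep-alive are constructed assumptions.

```python
"""Added example, not from the column: a 2oo3 voter over three PLC outputs,
applied to one discrete output per scan cycle. It picks the majority view,
alarms the disagreeing unit, and isolates a unit whose miscompares persist.
Unit names and thresholds are constructed."""
from dataclasses import dataclass, field


@dataclass
class Voter2oo3:
    # assumption: consecutive miscompares tolerated before a unit is isolated
    persist_limit: int = 3
    disagree_count: dict = field(default_factory=lambda: {"A": 0, "B": 0, "C": 0})
    isolated: set = field(default_factory=set)

    def vote(self, outputs):
        """Return (selected_output, alarms) for one scan.

        outputs maps unit name -> output value; None means the unit's keep-alive
        diagnostic reports that it has stopped running."""
        active = {u: v for u, v in outputs.items() if u not in self.isolated}
        live = [v for v in active.values() if v is not None]
        alarms = []
        # majority view: a value produced by at least two live units
        selected = next((v for v in live if live.count(v) >= 2), None)
        if selected is None and len(live) == 1:
            selected = live[0]          # degraded: pass the last unit through
            alarms.append("degraded: only one unit left in the loop")
        for unit, value in active.items():
            if value is not None and (selected is None or value == selected):
                # agrees with the majority, or two live units disagree and the
                # voter cannot tell which one is wrong: nothing is charged
                self.disagree_count[unit] = 0
                continue
            self.disagree_count[unit] += 1
            alarms.append(f"{unit} miscompare #{self.disagree_count[unit]}")
            if self.disagree_count[unit] >= self.persist_limit:
                self.isolated.add(unit)
                alarms.append(f"{unit} taken out of the loop for maintenance")
        if selected is None:
            alarms.append("no majority: hold the process in its known safe state")
        return selected, alarms
```

The same voter serves the triple-redundant I/O points Lipták mentions: feed it the three sensor readings for one point instead of three processor outputs.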

A: It depends on the number of I/O points in your system and how many field devices are being controlled. It also depends on the interdependence of devices controlled by the same PLC. This evaluation is required for basic process control systems (BPCS). For safety shutdown systems, the need for redundancy depends on the safety integrity level (SIL) calculations for the safety functions.

Hiten A. Dalal, PE, PMP

A: All systems fail; it's just a matter of when. Redundant systems fail less often (as it takes two simultaneous failures). Whether it's worth the expense or not depends on your down time costs. If you lose a million dollars due to an unplanned shutdown (e.g., a large refinery) then the cost is usually justifiable. If a failure has little impact, then it's often not worth the trouble or expense.

Paul Gruhn

A: It entirely depends on your facility. If your process can stop and be down for a couple of hours while repairs are made, and then start back up with little or no financial consequence, redundancy is not cost-effective. On the other hand, if you have a process that takes a couple of weeks to reach steady state and produces hundreds of thousands of dollars per day of revenue, then it is most likely to be cost-effective. This question should be resolved by a cost-benefit analysis, where the cost of a nuisance shutdown is balanced against the cost of redundancy, using a 5-10 year mean time to failure (MTTF) for a typical, non-redundant industrial PLC.

Ed Marszal
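The cost-benefit comparison Marszal describes, combined with Gruhn's point that a redundant pair only stops the process on two overlapping failures, worked through as an added example (not from the column). It assumes independent, constant-rate failures, so the 1oo2 shutdown rate is approximated by 2*lam*lam*MTTR; all money figures are constructed.

```python
"""Added example, not from the column: simplex vs. redundant PLC, costed the
way the Marszal answer describes. Assumptions: independent, constant-rate
failures, so a 1oo2 pair trips the process at roughly 2*lam*lam*MTTR per year
(standard approximation, valid while lam*MTTR << 1); figures are constructed."""
HOURS_PER_YEAR = 8760.0


def shutdown_rate_per_year(mttf_years, mttr_hours=0.0, redundant=False):
    """Expected unplanned PLC-caused shutdowns per year.

    Simplex: one per MTTF. Redundant pair: the process stops only when the
    second unit fails while the first is still under repair (MTTR)."""
    lam = 1.0 / mttf_years                      # failures per unit-year
    if not redundant:
        return lam
    return 2.0 * lam * lam * (mttr_hours / HOURS_PER_YEAR)


def shutdown_cost(repair_hours, restart_days, revenue_per_day):
    """Lost revenue for one nuisance shutdown: repair time plus the time the
    process needs to get back to steady state (Marszal's 'couple of weeks')."""
    return (repair_hours / 24.0 + restart_days) * revenue_per_day


def compare(mttf_years, mttr_hours, cost_per_shutdown, redundancy_capex,
            horizon_years=10):
    """Return (simplex_annual_cost, redundant_annual_cost, redundancy_pays_off).

    Redundancy hardware and engineering cost is spread evenly over the horizon."""
    simplex = shutdown_rate_per_year(mttf_years) * cost_per_shutdown
    dual = (shutdown_rate_per_year(mttf_years, mttr_hours, True) * cost_per_shutdown
            + redundancy_capex / horizon_years)
    return simplex, dual, dual < simplex


if __name__ == "__main__":
    # constructed case: 5-year MTTF, 48 h repair, 14-day restart, $200k/day
    refinery = shutdown_cost(48, 14, 200_000)
    print(compare(5, 48, refinery, 500_000))
    # constructed case: batch plant that simply restarts, $10k per event
    print(compare(5, 48, 10_000, 500_000))
```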

A: Yes. In my view and experience, especially in continuous process. In batch process, where one can shut down and change cards, it may not be required.

We go for redundancy in CPU, power and communication applications.

H. S. Gambhir

A: One needs to understand the difference between redundancy and contingency. The application of double- or triple-redundancy applies to the space shuttle. Once airborne, no Apollo 13 issues can take place. No room for error. On a very tricky process that has a huge lag time and/or a large start-up or shutdown time associated with it, then redundancy is a valid approach. This, of course, depends on the cost associated with the downtime (scheduled or not), and the switch-over is immediate and automatic.

Contingency, on the other hand, allows the process or machine to recover quickly, but with manual intervention.

Processor redundancy is easy. Most vendors do it for you. Power supplies can be redundant as well. Most systems don't design for failure, since the consequences aren't that important. The system shuts down, and it gets fixed. But if you can't do that, then the result of full system redundancy is priceless.

Be aware that most failures come from external devices like valves, drives and sensors. PLC hardware has proven to be very robust. You can go too far!

Jeremy Pollard, CET

A: Brian, that depends on the use to which the PLC is being put. If you can tolerate shutdowns, planned or not, caused by PLC failure, then you don't need a redundant PLC. If you're working in a critical control area or a safety instrumented system, you probably want all the redundancy you can get. Batch processes in the food, pharma and biopharma industries are examples of critical control, where having a fail-over redundant system might save hundreds of thousands of dollars or more.

Walt Boyes

Q: I have a very peculiar case wherein I have to measure the flow of liquid sodium in an environment that has a very high level of radiation and temperatures between 500 °C and 700 °C. I know the usual instruments will never work in such a harsh environment, but if I have to satisfy my customer, what options do I have? Is there any manufacturer who can supply such a measuring device? It has to be a non-contact type, but I am worried about the temperature and radiation part.

Wihang Bendre

A: I once used a Foxboro Target flowmeter with remote mounted electronics on molten salt in a melamine plant. Operating temperature was about 450 °F. I would expect they may have a high-temperature version.


A: The only one that can be used at this high temperature is Flexim's non-contact flowmeter (www.flexim.com/ultrasonicflowmeter/ultrasonicflowmeterpro_hightemp.php). Many have had success with them. They are only up to 400 °C, but the vendor may be willing to help it go higher.

Gerald Liu