We often see requirements for backup PLCs in specifications as clients understandably aim to improve their control system reliability. Adding a redundant controller can be a good choice as part of a holistic approach to system availability and reliability. When specifically addressing PLC failures as a cause of system downtime, here are a few tips to keep in mind:
- Do you really need PLC redundancy? PLC hardware failures are not very common. Depending on the consequences of a failure, a pre-programmed on-the-shelf spare may be a better choice. Some of our clients have opted for in-rack spares that can be turned on by a programmer without the hassle that comes with a fully redundant system.
- Research the manufacturer and model of PLC to ensure they support full redundancy. Some models only partially implement redundancy or require a lot of programming to make it work. The ideal solution requires no programming and supports completely "bumpless" transfer of control.
- You will need more than a second PLC. Each PLC needs a separate rack, power supply, and communication cards. These cards and the additional design required will significantly add to the cost of your system.
- Each rack must be fed by a completely different power source. This includes UPS backup. Each rack needs its own UPS fed from a separate power source, or else a plant-wide UPS system with its own redundancy scheme. Power failure is far more common than a PLC hardware failure, so if a single breaker trip can take out both PLCs, you haven’t protected against one of the more common causes of control system downtime.
- A redundant PLC does NOT protect against PLC code failures. The same logic will be running in both PLCs, so if one faults, the other one will most likely fault too.
- PLC redundancy adds complexity to your system. Make sure your maintenance staff is trained and practiced in the recovery process after a controller failure. The procedure differs between controllers and backup schemes, and it’s easy to cause a system failure by doing it wrong.
- Consider that other system components are more likely to fail and can also take the process down. I/O card failures can prevent key system components from running and cause just as much mayhem as a PLC failure. Steps must be taken in the design process to minimize the effects of these failures.
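The two points above about power feeds and shared logic can be put in numbers with a small reliability block diagram model. The following Python is an added example written for this post, not Vertech code or vendor data; every availability figure in it is a constructed illustration value. It compares a single PLC, two PLCs hanging off one breaker, and two PLCs on independent feeds, then applies the same-code-in-both-controllers effect as a series term that no amount of hardware redundancy removes.

```python
# Added example: steady-state availability of a few PLC arrangements.
# Availabilities below are constructed illustration values, not vendor figures.

HOURS_PER_YEAR = 8760.0


def series(*availabilities):
    """Components that must all be up for the system to be up."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel(*availabilities):
    """Components where any one being up keeps the system up."""
    unavailability = 1.0
    for a in availabilities:
        unavailability *= (1.0 - a)
    return 1.0 - unavailability


def single_plc(a_power, a_plc):
    """One rack: power feed and controller in series."""
    return series(a_power, a_plc)


def redundant_shared_power(a_power, a_plc):
    """Two controllers, but both racks on one breaker / one UPS.

    The feed is a single point of failure in series with the redundant pair,
    so the result can never exceed a_power.
    """
    return series(a_power, parallel(a_plc, a_plc))


def redundant_independent_power(a_power, a_plc):
    """Two controllers, each rack with its own independent feed and UPS.

    Each path is power + PLC in series; the two paths are in parallel.
    """
    path = series(a_power, a_plc)
    return parallel(path, path)


def with_common_cause_logic(a_hardware_system, a_logic):
    """Identical code runs in both PLCs, so a code fault stops both.

    That makes logic availability a series term on top of whatever the
    hardware arrangement achieves.
    """
    return series(a_hardware_system, a_logic)


def downtime_hours_per_year(availability):
    """Expected unavailable hours in a year for a given availability."""
    return (1.0 - availability) * HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed illustration values: the feed is assumed to be the weaker
    # element, matching the post's point that power failures are more common.
    a_power, a_plc, a_logic = 0.999, 0.9999, 0.9995
    arrangements = {
        "single PLC": single_plc(a_power, a_plc),
        "redundant, shared power": redundant_shared_power(a_power, a_plc),
        "redundant, independent power": redundant_independent_power(a_power, a_plc),
    }
    for name, avail in arrangements.items():
        print(f"{name:30s} A={avail:.8f}  "
              f"~{downtime_hours_per_year(avail):.2f} h/yr downtime")
    best = arrangements["redundant, independent power"]
    print(f"{'...plus common-cause logic':30s} "
          f"A={with_common_cause_logic(best, a_logic):.8f}")
```

Running it shows that with a shared feed the second controller only buys back the controller's own small unavailability, while the feed's much larger share of downtime stays untouched; independent feeds change the picture by roughly three orders of magnitude, and the logic term then dominates everything, which is the post's point about code faults.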
Typical control systems have a lot of parts like the PLC, HMI, I/O, motor controls, and control networks, not to mention the various power feeds to each one of these sub-systems. Any one of these can be the cause of downtime. It’s important to address all of these areas when designing a highly reliable system.
Vertech recently upgraded a completely redundant system using Rockwell Automation ControlLogix processors. The original system was uniquely designed to be "fault tolerant" to any I/O or processor failure. Check out the case study on this project to learn more.