Developers Club geek daily blog

1 year ago
Automated control systems for technology process (Industrial control system) on the industrial programmable logic controllers (PLC) on objects of upgrade are implemented into the industries. Again delivered equipment, already by default contains an ACS on a PLC. But quality of design of industrial control system and programming of a PLC sometimes does not correspond to logic and requirements to reliable protection of managed object. In this article I will tell about a typical error of design and programming of normal industrial equipment.


Let's consider the typical object containing an ACS on a PLC in the industry. In the gornoobrabatyvayushchy industry, at the enrichment factories (EF) at a stage of crushing of minerals (ore) are applied different type of a mill. They are spherical, rod, vertical thin crushing, etc. Basic function of these mills is crushing of ore to fraction necessary further for chemical extraction of mineral. Such equipment has weak places in use. Pobeditovy main bearings, reducer, etc. They demand to themselves a constant control of temperature, lubricant availability, etc. In case of an overheat or the dry course of an ACS has to switch-off the unit until the status of nodes reached critical point. Program implementations of these protection and blocking are typical and standard for the such equipment.

What errors happen?

Let's consider two main errors at design and programming of an ACS for the equipment of this kind. The first error – the wrong design of relay part of management of the main drive or critical mechanism. The second error – a lack of the program regarding processing of fatal errors of a PLC.

Errors in schemes.

Let's consider a case with relay part. In drawing the example of such error is given. Only the part of management of shutdown of the main drive of the equipment is shown in the scheme.
Critical errors of design of industrial control system and programming of a PLC

At first sight normal relay circuit. But if to look narrowly at it, then it is possible to define that sooner or later there will come such moment when the relay circuit is not able to switch-off the main drive in case of emergency. Let's look narrowly at the scheme. Shutdown of the main drive is performed by a PLC a discrete output. In this scheme it relay, but maybe transistor, the essence from it will not exchange. And so, if for some reason the K1 relay coil burns down during equipment operating time, then at accident emergence, the controller will give a signal on shutdown of the main drive, but the signal further the burned-down relay coil will not go. But on technology, at shutdown of the main drive, also shutdown of ancillary equipment is required, in this case it is an oil pump. So waters at accident, the oil pump will be safely disconnected, and the main drive will need to be threshed on "dry". The system to everything also the notification will include the benefit, so, that in a disgusting way the shouting call and the blinking red lamp will draw to themselves attention of service personnel and "accident" will not occur. After that, local electricians or Kipovtsa, will find the reason of this disgrace, will change the relay and everything will fall into place, perhaps, somebody also will reflect as it to avoid in the future, but hardly.
So in this scheme of the K1 relay a weak link. What can be made that it did not happen. Elementary. A signal of shutdown of VV to put on the normal closed contact of the K1 relay, and to attract the relay during launch of the main drive and in working order to hold it attracted. By the way, the button abnormal stop, too so you should not include. Or contacts of the button have to switch-off directly the executive mechanism, or if it is several such mechanisms, to break off a chain of the relay which contacts already switch-off executive mechanisms. By the way, such turning on of intermediate relays of control of critical executive mechanisms gives rise also to wrong working off at errors of programming of a PLC.

Errors of programming of a PLC.

When programming a PLC, some programmers make the mistakes leading to faults on production.
Recently I had to come up against such situation. The scheme of relay part of shutdown of the main drive was such as it is given above. The error when programming led to the fact that the main drive worked at "dry" four o'clock that led to a reducer overheat. As a result the reducer completely failed, and it in this equipment an expensive element. What went not so?
At identification of the cause of accident which led to big material inputs it was established that the PLC passed into the FEET mode because of operation of the sentry timer. Respectively, the relay circuit disconnected all ancillary equipment, except the main drive. The sentry timer worked because of existence of the deadlock branch in algorithm which is not leading to cycling of the main function. And as it is known, almost at all firms of the making PLCs, transition of a PLC to the FEET mode, is followed by installation of discrete outputs in secure state. In this case in a status it is disconnected. In this ACS the programmer made two mistakes:
  1. The branched algorithm had the deadlock branch which led to operation of the sentry timer.
  2. Exception handling in the program was not made, passed with that PLC into the FEET mode.

We will write off the first error for complexity of the program in which it is difficult to find such type an error.
The second error, it is possible to write off only for lack of competence of the programmer.
It is known that many PLCs have software modules for working off of different fatal errors of a PLC. Let's consider such modules on the example of a PLC from firm siemens.
Here small example of such error.
Critical errors of design of industrial control system and programming of a PLC
Here the programmer makes linearization of an analog input on the basis of library function of FC105. In a main loop on inclusion of bit of M0.1 there is a scaling of an analog signal. Everything is good, but if not to load that FC105 into a PLC, then at execution of this line, the PLC will fall out in "SF STOP" if not to set the processor of software failures, so-called OB121. If such processor is filled in in a PLC, then at such errors indication of SF will appear, but the PLC will not go to the FEET mode, and will continue to execute the user program.

Let's sum up the results

The relay circuit needs to be designed so what in any fault, whether it be technology failure or error PLC, shutdown of executive mechanisms was carried out without fail is not dependent on an accident emergence sort. To approach programming of a PLC with all responsibility, the equipment which is urged to protect the industrial control system from critical operating conditions leading to destruction of mechanisms is much more expensive than the ACS.
In this scheme it was necessary to use the following inclusion of components of the relay circuit.
Critical errors of design of industrial control system and programming of a PLC
And in software module of OB121 to perform some operations on an archiving of the happened failure in a PLC.

Video showing behavior of a PLC at software failures and their processings is given below.


The circuit solution and program implementations conceal in themselves not seldom serious errors which not always come to light at a stage to starting adjustment. In use not always specialists of the enterprise carry out a complete test complex of reliability of system. Besides the service personnel very often lack qualification. Let's hope that such faults will be insignificant a little, and they will not lead to injuries on production.

You should not leave just empty program processing units of equipment rooms or software failures too. In them it is necessary to perform any operations on detecting of such errors or for collecting of statistics of failures of a PLC and possible reasons.

This article is a translation of the original post at
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here:

We believe that the knowledge, which is available at the most popular Russian IT blog, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.
Best wishes.

comments powered by Disqus