We often see requirements for backup PLCs in specifications as clients understandably aim to improve their control system reliability. Adding a redundant controller can be a good choice as part of a holistic approach to system availability and reliability. When specifically addressing PLC failures as a cause of system downtime, here are a few tips to keep in mind:
Do you really need PLC redundancy? PLC hardware failures are not very common. Depending on the consequences of a failure, a pre-programmed on the shelf spare may be a better choice. Some of our clients have opted for in-rack spares that can be turned on by a programmer without the hassle that comes with a fully redundant system.
Research the manufacturer and model of PLC to ensure they support full redundancy. Some models only partially implement redundancy or require a lot of programming to make it work. The ideal solution requires no programming and supports completely "bumpless" transfer of control.
You will need more than a second PLC. Each PLC needs a separate rack, power supply, and communication cards. These cards and the additional design required will significantly add to the cost of your system.
Each rack must be fed by a completely different power source. This includes UPS backup. Each rack needs it's own UPS fed from a separate power source or else a plant-wide UPS system with its own redundancy scheme. Power failure is far more common than a PLC hardware failure, so if a single breaker trip can take out both PLCs, you haven’t protected against one of the more common causes of control system downtime.
A redundant PLC does NOT protect against PLC code failures. The same logic will be running in both PLCs, so if one faults, the other one will most likely fault too.
PLC redundancy adds complexity to your system. Make sure your maintenance staff is trained and practiced in the recovery process after a controller failure. This is different for different controllers and backup schemes, and it’s easy to cause a system failure by doing it wrong.
Consider that other system components are more likely to fail and can also take the process down. I/O card failures can prevent key system components from running and cause just as much mayhem as a PLC failure. Steps must be taken in the design process to minimize the effects of these failures.
Typical control systems have a lot of parts like the PLC, HMI, I/O, motor controls, and control networks, not to mention the various power feeds to each one of these sub-systems. Any one of these can be the cause of downtime. It’s important to address all of these areas when designing a highly reliable system.
Vertech recently upgraded a completely redundant system using Rockwell Automation ControlLogix processors. The original system was uniquely designed to be "fault tolerant" to any I/O or processor failure. Check out the case study on this project to learn more.