Redul B500S – SIL3 Safety Controller

The REDUL B500S programmable logic controller (PLC) is designed for use in emergency shutdown systems (ESD) and meets safety integrity level 3 (SIL3) of the IEC 61508 functional safety standard.

REDUL B500S Controller:

In some industries, it is extremely important to ensure reliable protection of personnel, process equipment, and the environment when an emergency situation at the facility could lead to an accident. In these areas, the tools of a regular distributed control system (DCS) are not enough to automate the process; an independent emergency shutdown system (ESD) must also be used. Industry standards impose very strict requirements on ESD systems and on the controllers they are based on. These requirements are reasonable but difficult to comply with.

The new REDUL B500S controller is based on the experience from the use and operation of REDUL B500 controllers, but it is an entirely new product developed according to the IEC 61508 standard.

IEC 61508 requires that, during development of the controller, the current progress, plans, design, and actual operation are analyzed in depth at all stages of the product life cycle. Hazard and risk analysis is mandatory at the design and development stages. Data processing and reliability calculations are carried out using specialized certified software.

The REDUL B500S controller hardware fully conforms to SIL3:

  • The controller provides everything necessary to ensure the reliability of ESD systems: an independent hardware watchdog, hardware redundancy of various types (duplication, triplication), functional redundancy, and diagnostic and analysis systems with a comparison function that compares the values of technologically related parameters.
  • The controller provides comprehensive self-diagnostics that allows it to detect an internal failure and ensure that the entire process control system switches to the predetermined safe
  • Each input/output module has a built-in microprocessor that is certified for use in functional SIL3 systems and performs tasks related to functional safety.
  • Each controller module is powered from two internal buses, and the supply voltage is continuously diagnosed. If a failure occurs, the operating personnel are notified while the controller continues to operate and perform its monitoring and control functions without switching to the safe state.

In addition to the self-diagnostic systems, the REDUL B500S controller offers developers a wide range of tools for monitoring the parameters of measurement and control circuits:

  • Sensor channel power monitoring with short-circuit and overload protection.
  • Digital input modules according to the NAMUR specification.
  • Digital output modules with circuit current monitoring. Such in-depth, proactive diagnostics allow early detection and evaluation of a failure, which in turn gives the operator time for troubleshooting.

To ensure continuous operation of process equipment, the REDUL B500S controller supports redundant input/output modules, called backup assemblies, each consisting of two or three modules of the same type.

At the application program level, the channels of the assembly's modules are combined by duplication or triplication; that is, one input or output logic variable corresponds to two (or three) physical channels. The resulting redundancy lets the user reduce the number of safe failures (failures caused not by an emergency situation at the facility but by a failure of the ESD system itself, in field or controller equipment). It also allows duplicated system components to be replaced quickly without shutting down the process.

The two independent data buses in the controller allow SIL3 high-availability systems to be built on it. Such systems, configured according to the 1oo2 scheme, are used at high-risk facilities with a continuous process cycle. Any single failure in such a system does not result in a command to switch the system to the safe state.
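As an added illustration of the voting described in the two paragraphs above (example code written for this page, not REDUL firmware), the following derives one logic variable from a duplicated or triplicated assembly whose channels carry a self-diagnostic health flag. The degradation policy (drop diagnosed-failed channels, 2oo3 majority with three healthy channels, 1oo2 with two, fail safe with none) is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One physical channel of a backup assembly (constructed sample type)."""
    trip: bool      # True: this channel's reading demands the safe state
    healthy: bool   # False: module self-diagnostics flagged the channel as failed


def vote(channels: list[Channel]) -> bool:
    """Return the logic variable for the assembly (True = command safe state).

    Degradation policy, assumed for this example:
      * channels flagged failed by diagnostics are dropped from the vote, so a
        single detected fault does not by itself trip the system;
      * 3 healthy channels -> majority decides (2oo3);
      * 2 healthy channels -> either one demanding a trip trips (1oo2);
      * 1 healthy channel  -> its value is used as-is;
      * 0 healthy channels -> fail safe, trip.
    """
    if len(channels) not in (2, 3):
        raise ValueError("a backup assembly consists of two or three modules")
    live = [c.trip for c in channels if c.healthy]
    if not live:
        return True                 # nothing trustworthy left: fail safe
    if len(live) == 3:
        return sum(live) >= 2       # 2oo3 majority
    return any(live)                # 1oo2, or the single remaining channel


def degraded(channels: list[Channel]) -> bool:
    """True when a channel is failed: the assembly keeps running, but operators
    should be alerted so the module can be replaced without a shutdown."""
    return any(not c.healthy for c in channels)


if __name__ == "__main__":
    # Constructed sample scenarios for a duplicated (two-module) assembly.
    scenarios = {
        "normal":       [Channel(False, True), Channel(False, True)],
        "one_failed":   [Channel(True, False), Channel(False, True)],  # failed channel reads trip
        "real_demand":  [Channel(True, True), Channel(False, True)],
    }
    for name, asm in scenarios.items():
        print(f"{name}: trip={vote(asm)} degraded={degraded(asm)}")
```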