Writing Ladder using the Fail-Safe Convention
Birket Engineering Cookbook
Choose the sense of the inputs, outputs, and internal bits so that:
- 1 = On, active, enabled, good, OK, pass, start, continue, resume, running, etc.
- 0 = Off, inactive, disabled, bad, faulted, fail, stop, don’t continue, don’t resume, idle, etc.
THINK and write in terms of what limited conditions should permit an action to continue, not what conditions should stop the action.
Consider the three mutually exclusive sets of conditions which can occur:
- Conditions which you think should allow the action to CONTINUE (START conditions of a latching action are a sub-set of this set.)
- Conditions which you think should force the action to STOP
- UNEXPECTED conditions of which you didn’t think (a “failure” of the software.)
If you think and write in terms of the CONTINUE set, the STOP set and the UNEXPECTED set are lumped together. Unexpected conditions will cause the action to stop – Fail-Safe.
If you think and write in terms of the STOP set (including using 1=fault), unexpected conditions will allow the action to continue unexpectedly or even start unexpectedly – Fail-Unsafe.
You cannot always conceive or predict ALL the universe of conditions under which your system will operate. Murphy’s law shows no mercy.
Sticking to the Fail-Safe convention produces rungs which tend to be horizontal ANDs of N/O (normal) contacts. ANDs (XIC instructions) can be immediately read and understood and take little screen and paper to display.
Using the inverted sense produces ANDs of N/C (inverted) contacts and also vertical ladders of OR’ed conditions. Inverted (XIO) instructions take a bit more thought to interpret. ORs require additional instructions (and time) to construct the branches.
The Fail-Safe Convention Applied to Latches
START/STOP Latch Form
- Sensitive to order of evaluation
- Priority is not obvious to novice programmers
- The output is not valid between the two rungs (if they are separated)
- Is not cleared automatically by pre-scan when PLC starts – initial conditions are unpredictable
- Invites unnecessary complexity, particularly adding CONTINUE conditions to START rung.
- If STOP conditions are incomplete, will continue running (or even start) unexpectedly.
Figure 1 : START/STOP Latch Form (Avoid)
START/CONTINUE Seal Form
- Unaffected by order of evaluation
- Priority is obvious
- The output is evaluated once and is thereafter valid
- Is cleared automatically by pre-scan when PLC starts – initial condition is OFF
- Complexity can be simplified between START and CONTINUE conditions
- If CONTINUE conditions are incomplete, actions will only stop unexpectedly.
Figure 2 : START/CONTINUE Seal Form (Prefer)
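The following is an added example, not part of the cookbook and not Birket Engineering code: a scan-by-scan Python simulation of the two latch forms above, using the fail-safe sense (1 = OK/running). It models each rung as a function over the input image, and uses a constructed two-sensor selector switch (FORWARD and REVERSE sensors) to produce an unexpected condition the programmer never wrote into the STOP rung: neither sensor asserted. It also shows the order-of-evaluation sensitivity and the pre-scan behaviour listed in the two bullet lists. All bit names and the scenario are hypothetical.

```python
"""Scan-by-scan simulation of the START/STOP latch form and the
START/CONTINUE seal form, all bits in fail-safe sense (1 = OK/running).
Added example with constructed inputs; not the cookbook's own code."""

from dataclasses import dataclass


@dataclass
class Inputs:
    """One scan's image of the input bits, fail-safe sense (constructed names)."""
    start_pb: int = 0   # 1 = START pushbutton pressed this scan
    stop_ok: int = 1    # 1 = STOP button not pressed (N/C contact; wire break reads 0)
    fwd: int = 1        # 1 = selector switch sensed in FORWARD
    rev: int = 0        # 1 = selector switch sensed in REVERSE


def scan_start_stop(motor: int, i: Inputs, stop_rung_first: bool = False) -> int:
    """START/STOP latch form (Figure 1, avoid): an OTL rung on the START conditions
    and an OTU rung on the STOP conditions the programmer thought of.  `motor` is
    retentive: it keeps whatever the previous scan (or power cycle) left in it."""
    def start_rung(m: int) -> int:
        return 1 if i.start_pb else m

    def stop_rung(m: int) -> int:
        # STOP set as imagined: STOP pressed, or switch seen in REVERSE.
        return 0 if (not i.stop_ok or i.rev) else m

    if stop_rung_first:
        return start_rung(stop_rung(motor))
    return stop_rung(start_rung(motor))


def scan_seal(motor: int, i: Inputs) -> int:
    """START/CONTINUE seal form (Figure 2, prefer): one rung driving an OTE,
    MOTOR = (START OR MOTOR) AND CONTINUE.  START conditions are a subset of the
    CONTINUE conditions, so the shared contacts are factored out in series after
    the seal branch: a horizontal AND of N/O contacts listing what permits running."""
    continue_ok = i.stop_ok & i.fwd
    return (i.start_pb | motor) & continue_ok


def run(scan, inputs_per_scan, motor: int = 0, **kw) -> list:
    """Drive a latch function through successive scans; return the output per scan."""
    trace = []
    for i in inputs_per_scan:
        motor = scan(motor, i, **kw)
        trace.append(motor)
    return trace


# Constructed scenario: start, run normally, then an UNEXPECTED state the
# programmer never considered: the selector switch reports neither FORWARD
# nor REVERSE (switch mid-travel, or a broken sensor wire).
SCENARIO = [
    Inputs(start_pb=1),     # scan 1: operator presses START
    Inputs(),               # scan 2: running, switch in FORWARD
    Inputs(fwd=0, rev=0),   # scan 3: neither sensor asserted (unexpected)
    Inputs(fwd=0, rev=0),   # scan 4: still unexpected
]


def unexpected_condition_outcome() -> dict:
    """Outputs on the two unexpected scans for each form."""
    return {
        "start_stop": run(scan_start_stop, SCENARIO)[2:],  # keeps running: fail-unsafe
        "seal": run(scan_seal, SCENARIO)[2:],              # drops out: fail-safe
    }


def order_sensitivity() -> dict:
    """START pressed and STOP pressed on the same scan: the latch form's answer
    depends on rung order; the seal form reads the same whichever way it is drawn."""
    both = Inputs(start_pb=1, stop_ok=0)
    return {
        "latch_start_then_stop": scan_start_stop(0, both, stop_rung_first=False),
        "latch_stop_then_start": scan_start_stop(0, both, stop_rung_first=True),
        "seal": scan_seal(0, both),
    }


def power_up_outcome(retained_motor: int = 1) -> dict:
    """PLC restarts with the retentive latch bit still 1 from before power loss.
    Pre-scan clears OTE outputs but not OTL/OTU bits, so only the seal form is OFF."""
    idle = Inputs()
    return {
        "start_stop": scan_start_stop(retained_motor, idle),  # 1: runs unbidden
        "seal": scan_seal(0, idle),                           # 0: OTE cleared by pre-scan
    }


if __name__ == "__main__":
    print("unexpected condition:", unexpected_condition_outcome())
    print("order sensitivity:   ", order_sensitivity())
    print("power-up:            ", power_up_outcome())
```

In the unexpected scans the STOP form keeps the motor running because "neither sensor" is not in its STOP set, while the seal form stops because it is not in its CONTINUE set: the same mental model, written from the two sides, gives opposite failure behaviour. Note that the seal rung enumerates only conditions the programmer knew about; its safety on the unexpected scan comes from the convention, not from foresight.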