System Comparison Page 1 of 7

System Comparison
Safety Related
Programmable Logic Controller (PLC)
Fault tolerance
Main marketing
Main marketing area:
area: possible system
No. Manufacturer Product title area of business/ AK with/without
Geographical/ structures
processes time limit
Customer
(specialities)
1. ABB Industri AS Advant world-wide Chemical, 1oo1D 4,SIL2
Safeguard 400 Petro-chemical, 1oo2D 6,SIL3
Off-Shore, BMS
2. ABB Industri CS386 world-wide Chemical, 2oo3 6 AK5 without
(former August Triguard SC300E Petro-chemical, 2oo3 6
Systems) Off-Shore, BMS
3. ICS Triplex Regent Middle East, Petro-chemical, 2oo3 5 without
Trusted ICS Russia, USA, Latin in Off-Shore Nr.1 2oo3 6 AK5 without
(TMR, RISC-µP) America
4. SIEMENS Moore Quadlog world-wide Chemical, 1oo1D 4 without
Process Off-Shore, 1oo2D 5 with 72h
Automation FPSO 1oo2D 6 with 1h
5. SIEMENS AG S5-95F world-wide all 1oo2 6, SIL3? 0h
S5-115F 1oo2 6 0h
S7-400F all all 1oo1, 1oo2 CPU, I/O SIL3 0h
2oo2, 2oo2 CPU, I/O SIL3 without
S7-400FH
6. SMS FSC100,101 world-wide Chemical, 1oo2D 4 without
(Honeywell) FSC102 (>1200 systems) Petro-chemical, 1oo2D 5 72 h
FSC202 Off-Shore, BMS 2oo2D 6 1h
FSC new CPU 2oo4D 6,SIL3 without (no
with QMRÔ cert.)
7. TRICONEX TRICON V.6,7 world-wide Chemical, 2oo3 5
FoxGuard TRICON V.>7-10 (>2000 systems) Petro-chemical, 2oo3 6 AK5 without
(Foxboro/Eckardt) TRIDENT Exxon, Shell,Elf Off-Shore, BMS 2oo3 6,SIL3
8. YISS (Yokogawa ProSafe-DSP world-wide Petro-chemical, 1oo2 6
Industrial Safety PLS (former GTI) NAM, Shell Off-Shore 2oo3 6
System bv) ProSafe-PLC 1oo1D 4 without
(former GTI) (same system as 1oo2D 6 with
SIEMENS
Moore!)
9. HIMA H41q/H51q-MS world-wide Chemical, 2oo2 6 without
H41q/H51q-HS (>4000 systems) Petro-chemical, 2oo4 6 without
H41q/H51q-HRS Off-Shore, BMS 2oo4 6 without

System structure PLC

No. Fault-free syste Degradation 1 Degradation 2 System structure
1. 2oo4 (2von4) 1oo2 (2von2) Shutdown Safety related and fault tolerant
2. 1oo3 (3von3) Shutdown Safety related
3. 2oo3 (2von3) 1oo2 (2von2) Shutdown Safety related and fault tolerant
4. 1oo2D (2von2D) 1oo1D (1von1D) Shutdown Safety related and fault tolerant with time restriction
5. 1oo2 (2von2) Shutdown Safety related
6. 2oo2 (1von2) 1oo1 (1von1) Shutdown Safety related and fault tolerant with time restriction
7. 1oo1 (1von1) Shutdown Safety related

* PLC with high diagnostic coverage (D)

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Specialities Remarks

title in prices

ABB Triguard 1. Large applications with max fifteen 1. No module for hazardous areas
Industri SC300E chassis up to 9500 I/O. (Ex)i available.
2. Availability: Failures 3 times
more with the same complexity.
3. MTTF of Triconex modules
approximately 8 times higher as of
a comparable HIMA module.
4. External secondary shut down
way for safety related outputs
required, additional wiring.
5. Every fault activates the time
limitation (3-2-0, in redundant
operation).
6. Heating problems of the

http://www.spazint.ru/eng/faq04.htm 5/28/2009
System Comparison Page 2 of 7

system.
7. Quality problems of the system.
8. The triplicated channels are
susceptible to common cause
faults, because they are linked
together for voting, or all 3 input and
output channels reside on the same
module.
9. Bigger extent on space with
small and medium projects (high
basic work, I/O subrack 9 units
high).

Strength/Weakness, Specialities in prices PLC

No. Manufacture Product Strength Weakness Specialities Remarks

title
ICS Triplex Trusted 1. TMR System with 40 channel input
ICS card with individual configuration per
channel.
2. Remote I/O rack with up to 480 I/O to
be located 10km distant, based on
250Mbaud high speed fibre-optic links.
3. Certified for Fire and Gas
applications (NFPA72 certification).
4. Channel by channel configurable
diagnostic LED´s.
5. SOE with 1ms time solution.
6. Very fast cycle time. No definition
about safety time or reaction time.
7. Real calculations with the µP.
in prices
1. Availability: Failures 3 times
more with the same complexity.
2. MTTF of ICS Triplex modules
approximately 8 times higher as of a
comparable HIMA module.
3. The triplicated channels are
susceptible to common cause faults,
because they are linked together for
voting, or all 3 input and output
channels reside on the same
module.

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Specialities in Remarks

title prices
PILZ PSS 3000 1. Short cycle times (10 ms upwards) 1. No big modular product available. 1. Cheap and The systems
PSS 3100 and a very fast response times PSS 3000 max. 288 digital I/O, max . 54 fast digital don’t can
PSS 3056 (Interrupt controlled safety-related analogue I/O; processing. realise
(-1,-2) digital inputs). PSS 3100 max. 160 digital I/O, max . 30 availability
PSS 3032 2. Safety related communication via analogue I/O; applications.
(devices) SafetyBusP (open bus structure, serial PSS 3056 max. 56 digital I/O; The system
bus, multi master features, based on PSS 3032 max. 32 digital I/O. is only used
CAN fieldbus) 2. Only 1oo3 (3von3) structure is in factory or
open means: different components from available (design diversity), AK 6, machinery
different manufactures can be no availability of the systems/devices automation
integrated, 64 subscribers, data transfer (shut down with one failure).
rate up to 500 kbits/s; 3. Complicated programming software.
(Certification for SafetyBusP not No software comparison, no Off-line test.
available).
3. Distributed safety-related I/O (on
the SafetyBusP).
4. Certification for all safety related
components (BUS also):
Kat. 4 according to EN 954-1
AK 6 according to DIN V 19250
UL, cUL according to UL 508
5. Low extent of work for installation
and wiring.
6. Coupling to all fieldbus: CAN,
Interbus or Profibus-DP.

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Weakness: Remarks

title HIMA solution
SIEMENS Quadlog 1. Safety rated I/O module, each 1. System structure with redundant 1. All system Structured
Moore channel by choice programmable as CCM (Critical Control Module) and single structures can text
Process input or output. channel I/O can only be used to AK4. be used up to programming
Automation 2. Structured text programming. 2. In a 1oo2D system one CCM is in a AK6. not
3. The shut down function of outputs „calculate mode“ the second CCM in 2. Higher test admissible for
can be select channel by channel. verify mode. To switch the CPU mode level because of process
4. Low operating temperature down from verify to calculate a „Master Enable interchanging safety critical
to minus 25°C. Relay“ is required. Failure to activate the operation mode circuits
verify module via the relay will shut down of the
the system. redundant
3. A detected output circuit failure will CPUs.
cause a 2 cycle glitch (lose of output 3. With
signal) until the passive output module redundant I/Os
set is activated. no effect to the
4. Only the CCM and one I/O module field.
(CDM: Critical Device Module) shall be 4. The CPU
used in process safety critical circuits. All and different
other hardware modules are only types of I/O
interference free (HIMA term: non- modules can be
interacting) modules, also the analogue used for critical
input module, and shall not be used for circuits also
process safety critical circuits. analogue

http://www.spazint.ru/eng/faq04.htm 5/28/2009
System Comparison Page 3 of 7

5. Some of the available elements of modules.

the function block programming are not 5. All function
admissible for process safety critical block elements
circuits. of ELOP II-NT
6. For fail safe sensors two different are admissible
CDMs have to be configured in AK5+6. for critical
7. For not fail safe sensors 2 x 2 circuits and
channels on 2 different CDMs are additionally a lot
required in AK5+6. of software
8. No safety related SIO building blocks.
communication available. 6. One safety
9. For Modbus communication a related input
special hardware module is required. module
10. The process safety time is 3.2 required.
seconds + 2 x cycle time or at least 6 x 7. 2 channels
cycle time (the longer time is the valid on one safety
one). related input
11. Time limit for the single channel module are
operation in AK 1-5: 72 h, in AK6: no required.
single channel operation or 1 h under 8. Safety
specified conditions. related
communication
with HIBUS-FS.
9. Modbus
communication
is part of the
central module
(in hardware
and opera-ting
system.
10. In all HIMA
PLCs the safety
time is
programmable
and min. 1
second.
11. No time
limit for AK6
single channel
operation.

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Specialities in Remarks

title
SIEMENS S5-95F 1. Inputs with fast response time.
S5-115F 2. Safety-related data
communication also possible over
communication protocol SINEC-L2
(Profibus-DP).
3. All certifications available
according different applications.
4. AK6 or SIL3 or category 4 (EN
954-1) operation is possible.
Definition in the TUV report:
IEC 61508 part1-3 in accordance with
SIL1-3.
Safety classes that can be reached...
Operating the S5-95F in quasi-safety
mode for AK6 or SIL3 or Cat4.
prices
1. I/O modules may only be changed in 1. Cheaper
the deenergized status. digital
2. Beginning with AK4 SIL2, 2 devices components.
S5 are required (central and extension
device), this results in higher extent in
work for wiring and a higher price.
3. No availability if one component fails
(central, I/O module), no single channel
operation.
4. Safety-related parts have to be
always in redundant (peripherals, I/O
modules), safety-related peripheral only
with external wiring.
5. The control of the safety-related
outputs requires extent of work for wiring.
6. No diagnostic display exist,
error diagnostic via communication
module resp. error annunciation module.
7. For the safety-related bus
transmission (SINEC-L1), an additional
master is necessary (e. g. S5-115U not
safety related), with a redundant bus two
additional masters are required.
8. No On-line modifications possible.
9. Off-line test intervals for a 2oo2
system is every 3 months (according to
IEC 61508).
10. Programming system Step 5 is not a
programming system according to IEC
61131-3.
11. Bad support or hotline from
SIEMENS.

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Specialities in Remarks

title prices
SIEMENS S7-400F / 1. Certification according IEC 1. VDI/VDE2180 says “to make strict 1. Expensive According to a
FH 61508 up to SIL3. division between process control components statement of
2. Software redundancy sufficient protective equipment and process control (double price SIEMENS the
for SIL3 applications. operation equipment” and “the hardware for central rack, development
3. ProfiSafe driver must be run must have a modular structure and digital I/O same of new (Ex)i
redundancy for SIL3. should be able to be used as an price and I/O safety
4. Totally integration in the DCS independent individual system”. Then to analogue I/O modules for
PCS7. Mixed mode with normal S7 expensive! more expensive the S7-
systems. 2. I/O modules may only be changed than HIMA (with 400F/FH
5. Mixed mode single 1oo2 and in the deenergized status. independent (ET200) are

http://www.spazint.ru/eng/faq04.htm 5/28/2009
System Comparison Page 4 of 7

2oo2 I/O level is possible. 3. The redundant I/O modules are in systems)! aspired.
6. Fieldbus master functionality the same ET200 module board (today).
available. 4. The ET200 must be linked via FO Additional
cable (galvanical isolation). development
5. Between the central unit and the for digital
I/O modules must be a fieldbus with an special
additional safety layer in the protocol version with
(Profibus-DP with ProfiSafe). reaction time
6. Central unit and extension device min. 100ms.
must be used (ET200 with I/O mod.), this
results in higher extent in work for wiring
and set up.
7. No availability in 1oo1 CPU and
1oo2 I/O level (SIL3 application).
Availability only in 2oo2 CPU and 2oo2
I/O configuration (SIL3).
8. Very complexly programming and
configuration of the system. With many
safety rules to check.
9. No easy integration.
10. Very high reaction time.
Single channel min. 220ms,
redundant min. 400ms up to 700ms.
11. Very long compilation time of
safety related Step7 programs (bigger
projects up to 2h).
12. The control of the safety-related
logic requires additional and separate
functional logic blocks (limited) in Step7
(prog. Languish). That means extra price.
13. Every hardware units needs
separate software license (runtime
license).
14. No diagnostic display exist, error
diagnostic via ext. HMI or via LED’s.
15. No Off-line test in Step7.
16. Bad support or hotline from
SIEMENS. System integrator gets no
information’s about the delivery schedule
for components.

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product title Strength Weakness Specialities in Remarks

SMS FSC100,101 1. Bigger project by the parent
Honeywell FSC102 company (package units, complete
(HSMS) FSC 202 plants).
FSC 2oo4D 2. QMR CPU approved by TÜV
for use in AK6 or SIL3. Also UL
proofed.
3. QMRÔ is trade marketed by
Honeywell.
4. Due to integration better
communication possible.
5. UCN bus communication with
Honeywell. Connection via interface
module in FSC to the UCB bus no
PLC gateway required. Coupling
also possible in redundant mode.
Advantage in prices only for new
plants.
6. More memory for the user
program because of pluggable
memory modules.
7. Mixed configuration HS and
HRS possible, only with additional
bus communication module.
8. With the new CPU also in
single channel systems no time
limitation.
9. Provides life-cycle safety
service around the world.
10. Safety consulting, for example
software “SIL validation tool”.
11. SOE independent from of the
scan cycle. Event resolution 1 ms
shall be possible.
prices
1. After each modification (also for set There is no
points out of the logic an EPROM has to certification for
be programmed for the communication the new CPU
module. with QMR
2. Only one non safety-related input available. The
module available (4-fold) for (Ex)i). development
3. Long compiler times (more than 15 of the
min). hardware
4. EMC problems (operation only with design is
closed cabinet). Using cabinets with finished, the
NEMA 1 certification. software is not
5. Different I/O modules with the same finished.
functions are required for the different
systems, no upward compatibility.
6. Redundant I/O modules have to be
arranged side by side.
7. Separated I/O subracks are required
for redundant and non-redundant I/O
modules and a combined system with
further bus communication modules.
8. No redundancy with power supplies,
for each CPU an own power supply.
9. With I/O modules the field signals
and the 5 V feeding are wired in one
connector.
10. Switching off of redundancy resp.
system after the occurrence time for the
second failure in case of failures on the
output module.
11. Redundant/secondary deenergizing
of the safety related outputs. Needs
external relays to each output or to a
group of outputs. If one output module of
one group fails, the whole group will shut
down.
12. No Off-line simulation with the
engineering software available.

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Specialities in Remarks

title prices
TRICONEX TRICON 1. Much memory for the user 1. Triconex sales have dropped in 1. Digital I/O
(FoxGuard) V.10 program, extendable. 1999-2000 from $90M to $45M. HIMA
2. Fast new CPU with new µP. Their European presence has dropped cheaper.
TRIDENT Shorter cycle times, but no from 17 to 1 technical service person. 2. Analogue
(for smaller information’s about safety time or 2. TRICON bigger extent on space I/O equal

http://www.spazint.ru/eng/faq04.htm 5/28/2009
System Comparison
applications complete reaction time from
up to 450 Triconex!
points) 3. Remote I/O coupling via optical
conductors with Triconex module
(RXM).
4. Floating point processor
available.
5. Direct communication with
Foxboro DCS I/A series. Connection
via redundant Ethernet module
(ACM) within the Triconex system to
the Foxboro I/A series nodebus.
Coupling may also be in redundant.
6. Communication to the
Honeywell PLS TDC3000 directly
with Triconex module (SMM) to the
UCN bus Honeywell. Coupling may
also be in redundant.
7. Intelligent communication
module with 4 serial ports
(MODBUS) and 1 parallel port
(Centronics, EICM).
8. Event recording (SOE)
integrated.
9. Programming interface
according to IEC 61131-3 on
Windows NT. Currently 4
programming languages are
realised: Structured text, function
block diagram, cause and effect
matrix (CAE) and ladder diagram.
10. The TRICON fulfils the NRC
guidelines in compliance with EPRI
TR-107330 (requirements ... safety
related app. In nuclear power
plants).
11. TRIDENT certified up to SIL3
according IEC 61508 (new standard
for safety related PLC).
12. 3oo3 (3-2-1-0) is possible only
done via software, but not allowed
for safety functions.
http://www.spazint.ru/eng/faq04.htm
Page 5 of 7
with small and medium projects (high price.
basic work, I/O subrack 9 units high).
3. No input modules with line
supervision available.
4. No safety related relay outputs
available.
5. No special modules for proximity
switches available (possible only with a
very expensive analogue input module)
6. No module for hazardous areas (Ex)
i available.
7. To get the possibility to interchange
I/O modules always a redundant slot has
to remain free directly near by the active
module (hot spare) weather it is used or
not.
8. Complete redundancy can only be
made if the backup slots are populated.
Normally the hot spare is not installed.
9. Availability: Failures 3 times more
with the same complexity.
10. MTTF of Triconex modules
approximately 8 times higher as of a
comparable HIMA module.
11. External relay required for the
secondary means of de-energization in
AK6. In addition periodical test of the
relay (every 6 months).
12. No mixing approved and not
approved modules. If you decide to mix
them, you must check that it will not
affect the safe functions.
13. Test of the memory by processing 2
kB data per processor and cycle. It takes
up to 25 s to test the existing 1 MB
memory.
5/28/2009
System Comparison Page 6 of 7

14. The triplicated channels are

susceptible to common cause faults,
because they are linked together for
voting, or all 3 input and output channels
reside on the same module.
The three µP are on the same backplane.
External communication channels are
single.
15. Error in one channel on one module -
>
no further tests of the other channels.
16. An unresolved fault is only detected
with comparison. No diagnostic where
the fault has occurred.
17. TMR is loading data through the
EICM interface, which is not triplicated or
diagnosed. The interface is only once
tested during booting
18. Every fault activates the time
limitation.
19. Many limitations of on-line
modifications:
no removing of parts of applications,
software only can be added but not
deleted on-line,
no changes of function blocks,
no changes at the amount of signals to
exchanged via serial communication,
no change of the system software
(operating system, I/O driver,...).
20. PID function and other “control
algorithms” are not suitable for safety
related functions.
21. Triconex will not guarantee upward
compatibility (V8 to V9, V10 new CPU,
Trident is not compatible with anything).

Strength/Weakness, Specialities in prices PLC

No. Manufacturer Product Strength Weakness Specialities Remarks

title in
prices
YISS ProSafe- 1. Reload of empty CPU 1. AK5/6 only with red. Systems 1. Redundant
(Yokogawa DSP PLS automatically with second CPU in 2. No safety related data transfer version very
Industrial (2oo3 red. Systems 3. No revision comparer expensive.
Safety System system) 2. Program can be read out of 4. For AK5/6 single channel operation
bv) the CPU with time limit
(former GTI) 3. Link to DCS with time stamp
4. In- and outputs can be
chosen

* The YISS ProSafe-PLC system is the same as the SIEMENS Moore System Quadlog.

General information’s PLC

Manufacturer Product Strength Weakness Specialities Remarks

No. title in
prices
HIMA Paul H41q-S 1. Good support or hotline 1. For big projects it is a strength for the 1. Very
Hildebrandt H51q-S (short response time for help or competitor to work with a powerfully parent cost effective
GmbH + Co answering questions). company (about the financing and discounts). because
KG 2. Very good service, world- individual
wide. configuration
3. Flexible engineering (scalable
(individual planning and availability).
construction of applications),
integration of company norms
(end user).

Sources: System documentations

Abbreviations: PLC Programmable logic controller
Programmable electronic systems (according IEC-
PES
61508)
MTBF Time between two faults
MTTF Time till a fault occurs
EMC Electromagnetic compatibility
I/O Input/Output
AK Risk class according DIN 19250
SIL Safety integrity level according IEC 61508
2oo4 2 out of 4 system structure (in German 2 from 4)
TMR triple modular redundant

http://www.spazint.ru/eng/faq04.htm 5/28/2009
System Comparison Page 7 of 7

QMR quadruple modular redundant

FSC fail safe controller by Honeywell
HSMS Honeywell safety management system
SOE sequence of events

Copyright © 2002 Open Join Stock Company "Spaz-Integrator"

Revised: 02-10-2002, Tel: (7 095) 728-4717
webmaster@spazint.ru

http://www.spazint.ru/eng/faq04.htm 5/28/2009