As the old adage has it, a chain is no stronger than its weakest
link. This is demonstrably true in control systems design,
where statistical theory is used to predict the behavior of
complex systems. When a single sensor/logic/effector chain
has inadequate reliability, redundant systems can be brought
into play to reduce the probability of failure on demand or
to reduce the probability of false tripping or to yield both
functions.
There are several approaches available, and the correct
choice of method depends on the relative sensitivity of the
system to the two failure modes, in terms of economic and human-factor risk, and on the cost and practicality of proof testing.
I/O REDUNDANCY AND VOTING
When assembling a high-reliability system with current generation equipment, the logic solver is the most reliable component of the chain, as it will normally be provided with a
high level of internal diagnostics, and redundant input/output
(I/O). The vast majority of faults in logic systems come from
faults in functional specification, where the equipment performs in accordance with the designer's stated requirement,
but the concept itself is faulty.
The field sensor(s) will be, for preference, analog devices
rather than switches, as the latter, by their very nature, provide little facility for online fault detection.
The least reliable components are normally the effectors,
the final control elements. IEC 61508 usefully divides safety-related systems into two categories: demand-type systems,
where proof testing is practical at a frequency significantly
higher than the anticipated frequency of demand, and continuous-type systems where this is not so.
Demand-type systems are then rated to PFDave, the average probability of failure on demand over the period between
successive proof tests. It should be noted that the PFDave tends
to deteriorate between successive proof tests, as no proof test
can enable the return of the system to its original reliability
rating, because it can detect only some fraction of hidden
faults. Continuous rated systems are more difficult to build
to equivalent levels of functionality, because of the difficulty
involved in demonstrating the absence of concealed faults. A
typical example would be automotive ABS braking systems,
where the demand rate can be several times per minute. This
© 2002 by Béla G. Lipták

TABLE 2.6a
Redundancy and Probability of Failure
[Columns: Redundancy (1oo1, 1oo2, 2oo2, 2oo3, 1oo3); Average Probability of Failure on Demand, given in terms of the dangerous undetected failure rate (DU) and the proof-test interval (TI); Probability of False Tripping, given in terms of the safe failure rate (S) and the mean time to repair (MTTR).]

TABLE 2.6b
Estimated Failure Rates for Siemens Moore 345 Transmitter
[Columns: Type; Output Response; failure rate. Failure types: SD, safe detected; SU, safe undetected; DD, dangerous detected; DU, dangerous undetected; AU, diagnostic annunciation failure. Output responses listed: open/fail underrange (FU) output 3.6 mA; fail-safe reaction (FO, FU, or 3.7 mA); fail-safe reaction to 3.7 mA; output normal; none.]
As far as practical, redundant measurements should utilize differing technologies, both hardware and software, to
minimize common mode effects, but this needs to be balanced against the innate probabilities of failure of the equipment. There is no point in using different technology if one
of the devices is appreciably less reliable than the other.
Common-mode failures and systematic faults add separate terms to both probabilities, limiting the effect of redundancy in reducing the effects of individual failure.
The probability of failure on demand is the sum of the
probabilities of failure of each series component in the system.
This means that the chain is always poorer than the least reliable
component.
The discussion above is deliberately simplified. More
precise methods take into account common-mode failures,
the probability of further failures during the repair period,
and systematic errors. The effect of online diagnostic cover
is also important in many cases.
Several approaches to these calculations can be found in
the ISA TR84.0.02 series, and in IEC 61508 Part 4. Computer
programs that analyze complex systems are readily available
from several sources, such as exida.com and Honeywell. In
all cases, however, the most difficult part of the calculation
is obtaining accurate failure rate data for the components.
Some indicative figures are to be found in ISA TR84.0.02
Part 1, which were derived from the records of several major
chemical plants. The variation between these sets is appreciable. Other data can be found in OREDA, which covers
most of the oil platforms in the North Sea. In all cases, it
must be borne in mind that these reflect previous generations
of equipment, and all manufacturers have been working
toward higher reliability.
With newly designed equipment, historical data cannot
be relied on and analytical techniques such as FMEDA (Failure Modes, Effects and Diagnostic Analysis) are applied by
the manufacturers to provide estimates of the frequencies of
the various types of potential failures.
A published example of such data for the Siemens-Moore
Critical Transmitter is shown in Tables 2.6b and 2.6c below.
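As an added worked example (not the handbook's own code, and using constructed sample rates rather than the Table 2.6b figures), the following Python computes the FMEDA-derived quantities of Table 2.6c (diagnostic coverage C = λDD/(λDD + λDU), MTTF, MTTFD), the standard simplified 1oo1 approximation PFDave = λDU·TI/2 of the kind tabulated in Table 2.6a, and the series sum of component PFDs for the sensor/logic/effector chain discussed above; the FIT unit and the device names are assumptions.

```python
# Added example, not the handbook's code: FMEDA-style figures for a demand-type
# safety loop. Rates are in FIT (failures per 1e9 hours), an assumed convention.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Fmeda:
    """One device's failure rates by category, in FIT (per 1e9 h)."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected (diagnostics force a fail-safe output)
    du: float  # dangerous undetected (only a proof test reveals these)

    @property
    def diagnostic_coverage(self) -> float:
        """C = lambda_DD / (lambda_DD + lambda_DU), as in Table 2.6c."""
        return self.dd / (self.dd + self.du)

    def mttf_years(self) -> float:
        """MTTF over all four categories."""
        total_per_hour = (self.sd + self.su + self.dd + self.du) * 1e-9
        return 1.0 / (total_per_hour * HOURS_PER_YEAR)

    def mttf_dangerous_years(self) -> float:
        """MTTF for dangerous failures (detected or not), Table 2.6c's MTTFD."""
        return 1.0 / ((self.dd + self.du) * 1e-9 * HOURS_PER_YEAR)

    def pfd_avg_1oo1(self, ti_years: float) -> float:
        """Simplified 1oo1 PFDave = lambda_DU * TI / 2: only dangerous undetected
        faults accumulate between proof tests; a demand arrives, on average,
        halfway through the interval."""
        return self.du * 1e-9 * ti_years * HOURS_PER_YEAR / 2.0


def chain_pfd(pfds) -> float:
    """Series chain (sensor -> logic -> effector): the loop PFD is the sum of
    the component PFDs, so it is always worse than the weakest link."""
    return sum(pfds)


# Constructed sample rates (not the Table 2.6b transmitter data).
SENSOR = Fmeda(sd=150.0, su=60.0, dd=400.0, du=30.0)
LOGIC = Fmeda(sd=500.0, su=20.0, dd=900.0, du=5.0)
VALVE = Fmeda(sd=300.0, su=200.0, dd=50.0, du=1200.0)


def loop_pfd_1oo1(ti_years: float) -> float:
    """PFDave of the whole 1oo1 loop for a proof-test interval TI in years."""
    return chain_pfd(d.pfd_avg_1oo1(ti_years) for d in (SENSOR, LOGIC, VALVE))
```

With these rates the valve contributes over 97% of the loop PFD at a one-year proof-test interval, which is the "weakest link" point of the text in numbers.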
TABLE 2.6c
Alternative Format for Table 2.6b Data
Parameter                Value          Remarks
MTTF                     147.7 years
MTTFD                    226 years
Diagnostic coverage C    94.2%          C = λDD/(λDD + λDU)
MEDIAN OF THREE INPUTS

[Figure 2.6d: time plot of three input signals A, B, and C together with the median-selected output Z.]
FIG. 2.6d
Median signal select.

TABLE 2.6e
NAMUR Transmitter Signal Ranges for Nominal 4–20 mA Signals
Signal                 Condition
Output > 21.0 mA       Overrange
20.0 mA                Maximum scale
4.0 mA                 Minimum scale
Output < 3.6 mA        Underrange

[Figure 2.6f: block diagram. Dual Element MycroSENSOR feeding an ASIC and a microprocessor (A/D, linearization and compensation, detection of known sensor failure modes), then D/A conversion to Output 1 and Output 2; a Comparator checks the two (Verify Out) before the Transmitter Output.]
FIG. 2.6f
Siemens-Moore 345 XTC Critical Transmitter block diagram. Redrawn from the Siemens-Moore 345 Instruction Manual.
A recent development in process measurement technology has been the appearance of SIL 2 rated pressure and
differential pressure transmitters from at least two suppliers
(Siemens-Moore XTC series and ABB 600T series). SIL 2
signifies that the equipment offers an MTTF for dangerous undetected failures (MTTF DU) better than 100
years. Such a level of integrity would normally require use
of two transmitters with data comparison.
Both the XTC and 600T apply redundant measurement
systems with onboard diagnostic techniques to compare the
(duplicated) process sensor measurements through the internal signal conversion/temperature compensation and the
actual output current, and provide diagnostic messages of
detected problems for an installed cost higher but comparable
with older designs. These designs do suffer from a possibility
of common-mode failure if the process connection becomes
plugged, and both sensors see a constant value, but an analysis of expected process noise can in some cases detect this
fault. The suppliers both claim SIL 3 (MTTF DU greater than
1000 years) if two such transmitters are fitted in a redundant
installation with suitable voting; this would normally require
three good-quality transmitters at higher installed cost; see
Figure 2.6f.
The effector or final control element is traditionally the
most expensive item in an individual loop. Not only are process
valves large, high-pressure equipment, but they are exposed
to the flow of the process fluid, which may contain erosive,
corrosive, or gummy components that reduce the reliability of
the device.
For a shutdown system to be testable, the effector must
be tested. Unless the valve is closed under flowing conditions,
there can be no certainty that it will operate when required.
Even then, most block valves cannot be given better than SIL 1
[Figure 2.6g: valve redundancy patterns, from 1oo1 up to 3oo4 (Redundancy I, II, and III).]
FIG. 2.6g
Valve redundancy patterns.

[Figure 2.6h: schematic of valves V1, V2, V3, and V4 with switching positions 1, 2, and 3 driven from the Signal input.]
FIG. 2.6h
Schematic representation of a Herion 2oo3 voting solenoid valve. Internally piloted Herion 2oo3 solenoid valve with switching position
monitoring. V1, V4, and (V2/V3) can be independently energized (triplicated output) or from a single source.