2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

Transcription

1 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

2 Copyright, Notices and Trademarks 2000 Honeywell Safety Management Systems B.V. Revision 01 July 2000 While this information is presented in good faith and believed to be accurate, Honeywell Safety Management Systems B.V. disclaims the implied warranties of merchantability and fitness for a particular purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell Safety Management Systems B.V. liable to anyone for any indirect, special or consequential damages. The information and specifications in this document are subject to change without notice. TotalPlant, TDC 3000 and Universal Control Network are U.S. registered trademarks of Honeywell Inc. PlantScape is a trademark of Honeywell International Inc. FSC and QMR are trademarks of Honeywell Safety Management Systems B.V. Other brands or product names are trademarks of their respective holders. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Honeywell Safety Management Systems B.V.

3 1. Introduction Safety instrumented systems In most industrial processes, safety instrumented systems (SIS) are used as the first layer of protection in order to prevent an out-ofcontrol process from leading to serious accidents. Such systems include sensing elements, logic solvers and actuating devices. It is becoming more and more common practice to use dedicated programmable logic controllers (PLCs) as logic solvers in process safeguarding applications. This obviously means that the applied safety-related PLCs need to be highly reliable. This reliability of the PLC can be considered from two points of view: Safety integrity of the PLC, and Safety availability of the PLC. Safety integrity If the safeguarded process is out of control, the PLC and the field devices are designed to bring the process to a safe state (which may mean shutdown). The higher the safety integrity (reliability), the higher the probability that the PLC will function properly. Safety availability On the other hand, a situation might also arise in which a failure of the PLC causes the process to be shut down (brought to a safe state), even though the process was perfectly under control. The PLC should also be highly reliable in this respect, which means that the probability of an undesired process shutdown must be acceptably low. This aspect is called system availability. Document scope This document describes a new design concept that is applied to a new-generation safety-related logic solver as part of a safety instrumented system. It uses the new 2oo4D voting principle, which is based on the currently successful 1oo2D voting principle. 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 1 of 14

4 2. Role of Safety Standards Safety standards In order to ensure that the safety instrumented system (SIS) meets all kinds of safety requirements, compliance with the applicable standards is often considered to be 'good engineering practice'. Standards such as ANSI/ISA S84.01 and IEC identify clear requirements that need to be met in order to prevent typical failures that may occur during all lifecycle stages of the SIS. Roughly speaking, these requirements can be split into two categories: Qualitative requirements, and Safety Integrity Levels (quantitative requirements). Qualitative requirements A large number of qualitative requirements have been defined with regard to specification, design, engineering, assembly, testing, and operation of an SIS. Safety Integrity Levels (quantitative requirements) The standards mentioned above have also defined 'Safety Integrity Levels' (SIL), which denote the average probability of SIS failure to perform its design function on demand. IEC defines a total of four SILs, and S84.01 three. The higher the SIL, the higher the degree of protection. Quantitative reliability analyses need to be carried out to prove that the SIS complies with the required SIL. Safety integrity vs. safety availability Safety standards only consider safety integrity and do not lay down requirements on system availability. Nevertheless, the same reliability concepts can be applied to realize both. The next section describes the most relevant design aspects that have an impact on the reliability of the SIS. page 2 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems

5 3. Realizing a Reliable Safety-Dedicated PLC Design parameters As mentioned in the introduction to this document, PLCs often form an essential part of the entire SIS. This section discusses a number of important design parameters that influence the reliability of the PLC: Use of highly reliable components, Off-line proof testing, Diagnostic coverage, Fault tolerance or voting, and Common cause. Use of highly reliable components The use of highly reliable, high-quality components will significantly reduce the overall failure rate of the PLC. There is a direct and obvious relationship between the failure rate and the probability that the PLC fails to fulfill its intended function. Great care should therefore be taken that only high-quality components are used. Off-line proof testing If a PLC failure has occurred, it depends on the time until the next off-line proof testing that this failure is detected and repaired. The longer the proof test interval (TI), the longer the failure will remain in the PLC and the higher the probability that the PLC is not able to fulfill its function in case of a demand. Diagnostic coverage Modern safety PLCs are often characterized by a high level of automatic on-line self-testing. All kinds of failures are immediately detected and located by the system itself. It is obvious that this has a tremendous impact on the reliability of the PLC. The sooner failures are detected, the sooner they can be repaired. The level of automatic self-testing is expressed in the diagnostic coverage (DC), which is the percentage of all failure modes together with their failure rates that are covered by self-testing. For example, a diagnostic coverage of 99.9% means that if a failure occurs, the probability that this failure will be immediately detected is at least 99.9%. 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 3 of 14

6 Fault tolerance or voting Probably one of the most important design parameters to realize a highly reliable PLC is the concept of fault tolerance. Systems become fault-tolerant if multiple channels are used and not all of them are needed to fulfill the safety function. Fault tolerance is normally expressed as a specific voting scheme. For example, 1oo2 voting (one-out-of-two) implies that only one channel of a two-channel system is required to fulfill the intended safety function. In case of a 'safe' failure of one the channels (e.g. switching from logic 1 to logic 0), the system will bring the process to a safe state. Similarly, a 2oo2 voting system requires healthy operation of both channels to fulfill the safety function. However, one safe failure does not lead to a spurious process trip. Section 4 on page 5 discusses the most commonly used voting principles for safety PLCs. Common cause If fault tolerance is applied, common cause (CC) or common mode failures can significantly contribute to the reliability of a safety PLC (or lack of it). If the PLC is designed to be fault-tolerant, then the probability of simultaneous failure of more than one channel due to a common cause might dominate the probability of failure on demand. The contribution of common-cause failure can be reduced by the application of channels of completely separated modules. Using diversity of hardware and software will of course also significantly reduce the probability of a common-cause failure. page 4 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems

7 4. Background on Voting Principles Voting principles As defined in ANSI/ISA S , an MooN voting system requires at least M of the N channels to be in agreement before the SIS can take action (M out of N). The following voting principles are most commonly used: 1oo1 (one out of one) 1oo2 (one out of two) 2oo2 (two out of two) 2oo3 (two out of three) 1oo2D (one out of two with diagnostics) 2oo4D (two out of four with diagnostics) 1oo1 The 1oo1 voting principle involves a single-channel system, and is normally designed for low-level safety applications. If such a system is characterized by a high level of diagnostic coverage, this voting is expressed as 1oo1D. The 'D' denotes the applied concept of automatic failure diagnostics. Nevertheless, this voting system is zero-faulttolerant, which means that a system failure will always and immediately result in the loss of the safety function or shutdown of the process. 1oo2 The 1oo2 voting principle was developed to improve the safety integrity performance of 1oo1-based safety systems. If one channel fails in a dangerous mode, the other one is still able to fulfill the safety function. Unfortunately, this concept does not improve the spurious trip rate. Even worse, the probability of a spurious trip is almost doubled (see references [1] and [3] on page 14). 2oo2 The major disadvantage of a single (i.e. non-redundant) safety system is that a single failure in a safety mode immediately results in a process trip. Duplication of the channels and application of the 2oo2 voting concept significantly reduces the probability of a spurious trip, since both channels must fail in a safe mode before the system will shut down the safeguarded process. On the other hand, the system does have the disadvantage that the probability of failure on demand is two times higher than that of a single system (see references [1] and [3] on page 14). 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 5 of 14

8 2oo3 (TMR) In 2oo3 voting (also called TMR, or Triple Modular Redundant), there are three channels, two of which need to operate healthy in order to fulfill the safety functions. This voting concept is therefore also one-fault-tolerant for safety. The 2oo3 voting principle is best applied if there is a clear and thorough physical separation of the microprocessors. However, this does require them to be located on three different modules, which results in a 'heavily equipped' hardware system. Although the latest systems have been enhanced by an increasing level of diagnostics, 2oo3-based (TMR) safety systems still retain the disadvantage of having a probability of failure on demand which is about three times higher than that of 1oo2-based systems (see references [1], [3] and [6] on page 14). Furthermore, some manufacturers of TMR-based safety logic solvers have unfortunately designed their system in such a way that all three CPU microprocessors are located on a single printed circuit board. It is not hard to imagine the impact this has on the probability of a commoncause failure. 1oo2D During the development of the second-generation safety-dedicated PLCs, the advantages of the 1oo2 and 2oo2 voting principles were combined, without the disadvantages of the less reliable and 'heavy' 2oo3 voting system. The 1oo2 concept has an excellent performance with regard to safety, but its availability performance is not fault-tolerant. Therefore, a new voting concept was designed called 1oo2D. As mentioned before, 'D' stands for 'Diagnostics', because such systems are characterized by a high level of automatic system self-testing. The impact on voting is such that a single, automatically detected failure will not immediately lead to loss of the safety function or a process trip, but the affected channel will be isolated, and operation will continue through the healthy channel. As soon as the diagnostic coverage approaches really high levels (as is the case with 1oo2D), the negative impact of common-cause failure for the 2oo3 concept will exceed the probability of a spurious trip due to a safe undetected (SU) channel failure. This is why extensive calculations in the past have shown that the 1oo2D concept performs better with regard to safety integrity as well as system availability using less hardware (see reference [6] on page 14). 1oo2D systems are therefore often said to achieve the safety levels of a 1oo2 system and the availability levels of a 2oo2 system. page 6 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems

9 2oo4D During the development of the second-generation safety-dedicated PLCs, the advantages of the 1oo2 and 2oo2 voting principles were combined. A new, third-generation breed of safety PLCs is currently emerging, which is characterized by a two-fault-tolerant, two-level system. Redundant Central Parts each contain two main processors, and since only two modules are used to achieve quadruple redundancy, the probability of common-cause failure is even further reduced compared to previous voting principles. This architecture is called 2oo4D (with 'D' again signifying 'Diagnostics' to indicate the high level of diagnostic coverage). Section 5 on page 8 explains the concept and advantages of the newgeneration 2oo4D PLCs in more detail. Figure 1 below illustrates the evolution of safety-related PLC architectures. 1oo1 1oo2 2oo3 1oo2D 2oo4D Figure 1 Evolution of safety PLC architectures 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 7 of 14

10 5. The concept and advantages of 2oo4D voting 2oo4D voting This section explains the concept and advantages of 2oo4D voting with regard to safety integrity as well as system availability. Probably the best way to illustrate the functioning of this new concept is by using the Reliability Block Diagram (RBD) technique or the Markov modeling technique (see references [4] and [5] on page 14). In this section we use the Markov technique since Markov models are probably the clearest graphical representation to explain fault tolerance. We will not go into details regarding technical reliability calculations using complicated formulas and equations, but will instead use a conceptual approach to explain the difference in reliability between the voting principles discussed earlier. 1oo2, 2oo3, 1oo2D: one-fault tolerant Figure 2 below shows the basic Markov model of a single-faulttolerant safety system, which typically use 1oo2, 2oo3, or 1oo2D voting. Such safety systems can basically be in either of three states. First of all, there is the OK state, in which all channels are operating healthy. If a failure occurs, the system will degrade but will still be able to fulfill its safety function (intermediate state). Only after a second failure will the system no longer be able to perform its intended safeguarding function. The safety system will then not bring an out-of-control the process to a safe state (process demand). 1st failure 2nd failure System OK System degraded System fails to function Common-cause failure Figure 2 1oo2, 2oo3 and 1oo2D are one-fault-tolerant for safety The Markov model as shown in Figure 2 above also applies to the availability performance of such systems. In other words, they are also one-fault-tolerant for system availability. page 8 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems

11 It is important to explain the arrow at the bottom, which represents the probability of a common-cause failure. It is not hard to imagine that if the occurrence of common-cause failures is not minimized, the probability of the system failing to function will be dominated by these common-cause failures. 2oo4D: two-fault tolerant In order to meet the market expectations regarding high safety integrity and system availability (economic reasons), experts generally agree that a safety PLC should be two-fault-tolerant for safety integrity and at least one-fault-tolerant for system availability. The 2oo3 voting concept (TMR) only meets the first requirement, and in order to minimize common-cause failures, three different modules would need to be applied. This is why the TMR concept is not suitable, and a completely new voting principle had to be developed. This has resulted in the 2oo4D concept (also called QMR, or "quadruple modular redundant"). Figure 3 below shows the Markov model of 2oo4D voting regarding safety integrity. The main difference with the previous model is that it is not immediately after the second failure but only after a third failure that the system will not be able to perform its safety function. The probability of failure on demand due to random hardware failure of more than two microprocessors is negligible. The 'old' objection that the more hardware is used the higher the probability of a common-cause failure, is disproved through a two-level approach: the probability of common-cause failure for microprocessors located on a single printed circuit board, and the probability of common-cause failure for microprocessors located on a different printed circuit boards. With regard to system availability, the 2oo4D concept is entirely one-fault-tolerant, as represented in the Markov model shown in Figure 2 above. 1st failure 2nd failure 3rd failure System OK System degraded System degraded System fails to function Common-cause failure Figure 3 2oo4D is two-fault-tolerant for safety 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 9 of 14

12 Once again, 'D' stands for 'Diagnostics'. If a failure occurs and this failure is immediately detected and located, it can subsequently also immediately be repaired. This has a tremendous impact on the safety integrity performance as well as the system availability. After all, the sooner a failure is repaired, the sooner the safety function is recovered. Another good property of the 2oo4D concept is that you do not need to apply four different modules, but you can use only two, each of which contains two microprocessors. This has the advantage that it does not result in a 'heavy' hardware system. page 10 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems

13 6. Implementation of the 2oo4D concept in FSC Release 530 FSC system FSC Release 530 supports the new 2oo4D voting principle. The safety-related PLC design has been enhanced to support two CPU modules, each equipped with two main processors. The 2oo4D voting is realized by combining 1oo2 voting for both main processors on one module, and 1oo2D voting between the two modules (i.e. between Central Parts) (see Figure 4 below). Voting is therefore applied on two levels: on a module level and between the Central Part modules. ESD WD O M OC Sensor xx yyy IC I M Input modules Main SMOD Quad-voter SMOD IC I M Main O M OC WD Output modules Final element Figure 4 FSC 2oo4D system architecture System response Safety integrity Explaining the voting mechanism is probably best done by illustrating the safety system behavior based on particular failure scenarios: With regard to safety integrity, the following minimum failure scenarios lead to a loss of the safeguarding function: a dangerous undetected (DU) failure of at least three microprocessors, or a detected failure on one module (which results in isolation of this module), in combination with a dangerous undetected (DU) failure on both microprocessors of the remaining module. 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 11 of 14

14 Safety availability With regard to system availability, the following minimum failure scenarios lead to a safe action (spurious process trip): a safe undetected (SU) failure of at least two microprocessors, or a safe undetected (SU) failure on one module (one microprocessor) in combination with a detected failure on the other module, or a detected failure on both modules. It can be concluded that this indeed results in two-fault tolerance for safety integrity and one-fault tolerance for system availability. Continued operation after fault detection Since the 2oo4D voting concept is characterized by two-fault tolerance with regard to its safety integrity function, the concept of the second fault timer is no longer an issue. In fact, one detected failure that occurs on one of the Central Part modules will result in isolation of this Central Part. The system will continue operation through the other Central Part. A second failure in this other Central Part will never result in loss of the safety function (only a third failure will). This means that the time requirements as laid down in IEC Part 2 would only be applicable in case of a third fault. However, the probability of a third failure is so unlikely that the German certification authority TÜV does not demand such a restriction, even at AK6 as per DIN V (see reference [9] on page 14). page 12 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems

15 7. Conclusions Conclusions The following conclusions can be drawn: 1. The 2oo4D concept is characterized by a high level of fault tolerance. It is two-fault-tolerant with regard to safety integrity, and one-fault-tolerant with regard to system availability. 2. Due to consistent and extensive application of diagnostic coverage, the probability of spurious trips due to random hardware failure is negligible since detected failures can be repaired immediately. 3. Second fault time restriction with regard to continued operation is no longer an issue. In fact, a third fault timer could be applicable but is not required by the German TÜV. 4. The probability of a common-cause failure using the 2oo4D concept with two modules is lower than for 2oo3 voting, even if the three channels are applied on three different modules. 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems page 13 of 14

16 8. References References 1. IEC 61508, Functional safety of electrical/electronic/ programmable electronic safety-related systems. 2. ISA S84.01, 67 Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709, U.S.A. 3. ISA dtr84.02 version 3, December 1997, 67 Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709, U.S.A. 4. IEC 61078, Analysis techniques for dependability Reliability block diagram method, IEC ( ), Application of Markov techniques. 6. Knegtering, B. Conceptual comparison of two commonly used safeguarding principles, 17th International Conference SAFECOMP '98 Heidelberg, Germany, October 1998 Proceedings. 7. Knegtering, B. Brombacher, A.C. Application of micro Markov models for quantitative safety assessment to determine safety integrity levels as defined by IEC standard for functional safety. Reliability Engineering and System Safety 66, Elsevier Goble, W.M. Evaluating control systems reliability Techniques and applications, ISA resources for measurement and control series DIN V 19250, Leittechnik. Grundlegende Sicherheitsbetrachtungen für MRS-Schutzeinrichtungen, 1994 page 14 of 14 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems