RTP Corporation - Features Beyond Fault Tolerance
A history of triple modular redundancy (TMR) in automation. Published on Scribd by Ecisgroup on Dec 03, 2010.

Chemical Engineering World | OCTOBER 2009
Beyond Fault Tolerance
Third Generation SIS Approaches for Optimizing Safety Integrity and Operational Availability 
When introduced in the 1980s, Triple Modular Redundant (TMR) emergency shutdown (ESD) systems were a landmark: they provided a high level of safety integrity while reducing maintenance costs. Later, systems of this type became known as Safety Instrumented Systems (SIS). Traditional TMR safety systems are expensive to purchase, implement and maintain, and they add a degree of complexity that many of today's downsized process plants cannot handle.

In recent years, many new SIS approaches have been launched. These include integrated systems that use a common platform for both SIS and Distributed Control System (DCS) functionality. Some of the new integrated systems depart from the redundant-module approach and use logic-solver processors mounted within a common module. When designed and implemented correctly, these systems can help to reduce lifecycle costs while providing the needed Safety Integrity Level (SIL). However, without modular redundancy, integrated systems are not nearly as fault-tolerant as traditional TMR systems, and they cannot be repaired or upgraded online.

A third option is now available: third-generation, fault-tolerant SISs that combine well-proven redundancy approaches with more flexible, modern system architectures. These systems deliver unmatched safety integrity and operational availability with the reduced lifecycle costs that today's process manufacturers demand.
Why Owner-Operators Install Safety Systems
Every operator tries to make the process as safe as possible. When risks remain in spite of that, it may be necessary to install an SIS. The primary purpose of the SIS is to take the process to a safe state when needed. Preferably, other than being available to perform the required Safety Instrumented Function (SIF) at the right moment, the SIS should have no impact on process manufacturing operations. However, some internal faults or errors in the system can create spurious safety trips.

While safety trips are designed to prevent costly and dangerous accidents, in almost all cases a safety-system trip itself results in off-spec product, reduced production, or a complete loss of production. Where the SIS trip is a response to an immediate or impending process demand, the trip is necessary and justifiable. Spurious trips, due to internal faults or errors in the SIS, cannot so easily be justified. These spurious 'nuisance' trips are not only extremely costly in lost production; they can themselves create a safety hazard, because shutdowns and startups, and especially unplanned ones, are when most accidents occur in process plants.

By any name, traditional TMR safety systems tend to be expensive to purchase, implement and maintain. Traditional SISs also add a degree of complexity that many of today's downsized process plants cannot afford to handle. Third-generation fault-tolerant SISs deliver unmatched safety integrity and operational availability with the reduced lifecycle costs that today's process manufacturers demand.
Safety Availability vs Operational Availability
Safety systems typically operate independently of the basic process control system and require a higher degree of integrity, or safety availability. Safety availability is the availability of the SIS to perform the appropriate SIF upon a process demand. It is measured in terms of the average Probability of Failure on Demand (PFDavg).
Safety Integrity Levels
The specific degree of safety availability required for each SIF depends on a formal process hazard analysis. In refineries and chemical plants, SILs typically range in criticality from SIL 1 to SIL 3. Each successive SIL represents an order of magnitude more risk reduction. A specific SIL is achieved through a combination of SIS hardware quality and redundancy, internal diagnostics, periodic proof testing, estimated repair times, resistance to common-cause failures and successful field experience. Current IEC and ISA process safety standards focus on the performance characteristics required to achieve a specific SIL; how they are achieved is left to the individual owner-operator. In the US, compliance with these performance-based safety standards is largely optional and depends heavily on a company's operating philosophy. In Europe and some other regions, compliance with process safety standards is mandated by law.

Notably, the frequency of spurious SIS trips, or any other SIS-related issue that negatively affects operational availability, has little if any impact on the PFD calculations. That is because the existing safety standards are concerned only with the availability of the SIS to perform the appropriate SIF upon a process demand. Spurious trips are of interest only to the degree that they trip in a safe manner. It is safe to say that operational availability is of little interest to the standards bodies that establish process safety guidelines and regulations.
On the other hand, owner-operators of process manufacturing plants are very concerned with maintaining high levels of operational availability, since the ability to manufacture product goes straight to their bottom line. To comply with ISA/IEC safety-system standards, internal faults in the SIS must be detected and repaired within a relatively small time window. Unless the faulty module can be repaired or replaced online, a hastily scheduled production shutdown will be required to allow the fault to be remediated. SIS modifications, upgrades and periodic proof testing must also typically be performed during scheduled outages, putting additional pressure on plant staff who are already working around the clock to complete the given tasks in the shortest possible time so that production can resume.
First Generation TMR Technology
Fault-tolerant redundancy approaches developed for the aerospace industry led to the introduction of a first generation of Triple Modular Redundant (TMR) safety systems. Essentially, these were triplicated PLCs using voting schemes that required two of the three (2oo3) logic solvers to agree before the system would initiate a safety trip. They were considered fault-tolerant, since the safety system could continue to function (although in a diminished state) after a faulty logic-solver processor was discovered. Hardware options for input/output (I/O) also provided a degree of fault tolerance for the sensing and actuating elements of the SIFs in the system.

This fault-tolerant TMR architecture with 2oo3 voting logic provides a very high degree of operational availability, since spurious safety trips due to internal SIS errors are greatly reduced.

First-generation fault-tolerant TMR technology was created before the advent of the international standards that apply today. Originally, it was designed to provide more operational availability while providing the needed safety shutdown functions. As international standards were created, the first-generation products were modified to meet them. In some cases, the standards placed requirements on these systems that could not be met, forcing users to implement additional protection outside the first-generation system.

The regulations also require that any single failure, even in a triplicated fault-tolerant system, be repaired within a finite time period. Mean Time To Repair (MTTR) is one of the parameters that goes into the SIL certification calculations for a given SIS configuration. Thus, unless the faulty component can be repaired online, a previously unplanned shutdown will have to be scheduled so that the repair can be performed quickly. This is not generally a problem with first-generation systems, but some second-generation systems backslid on this requirement.

Unplanned shutdowns result in lost production, which can cost the owner-operator many thousands of dollars and badly distort the profit-and-loss report in any given month. With first-generation TMR systems, design and architectural constraints limited the ability to perform online system modifications or upgrades, requiring shutdowns to be scheduled that might otherwise have been avoided.
Second Generation SIS Systems
As technology progressed, more SIS products came on the market. Thanks to advancing technology, these systems tend to have more extensive diagnostic capabilities, and because of the improved diagnostics many of them do not offer triple redundancy, the feeling being that improved diagnostics make TMR architectures obsolete. In many cases even simple redundancy is not the standard offering. This presents a problem that did not exist with first-generation TMR systems: since the SIS is simplex, it cannot be repaired online, meaning that according to ISA 84 any fault in the SIS will require that a shutdown be scheduled.

On the other hand, new redundant architectures were introduced with 1oo2 and 2oo4 schemes. With some limitations, most of these systems work very well. The main shortcoming of these second-generation systems is not in the diagnostics or in the redundancy or lack of it; the fault is in the target. These systems were designed to do well, or to improve incrementally, on the first-generation systems. Third-generation systems were designed to give the user the safest system available and maximum uptime.
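The voting arithmetic behind the 2oo3 scheme of the first-generation section and the 1oo2 and 2oo4 schemes mentioned above, as an added example that is not code from the article or from RTP Corporation. It uses a deliberately simplified model: each logic-solver channel outputs TRIP or RUN, a faulty channel is stuck at the wrong output, and the degradation policy applied after diagnostics remove a channel for online repair (keep M where the remaining channels allow it) is an assumption; real products differ in detail.

```python
"""MooN voting and single-fault behaviour of SIS logic-solver architectures.

Added example, not code from the article or from RTP Corporation.  A logic
solver is modelled as N independent channels that each output TRIP or RUN and
a voter that demands a trip when at least M of them do.  A faulty channel is
modelled as stuck at the wrong output.  The degradation policy is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

TRIP = True   # channel output: take the process to its safe state
RUN = False   # channel output: let the process keep running


def vote(m: int, n: int, channels: Sequence[bool]) -> bool:
    """MooN voter: TRIP when at least m of the n channel outputs demand a trip."""
    if not 1 <= m <= n:
        raise ValueError(f"invalid scheme {m}oo{n}")
    if len(channels) != n:
        raise ValueError(f"{m}oo{n} voter needs {n} channel outputs, got {len(channels)}")
    return sum(1 for c in channels if c) >= m


@dataclass(frozen=True)
class SingleFault:
    trips_on_demand: bool   # safety availability: real demand, one channel stuck at RUN
    spurious_trip: bool     # operational availability: no demand, one channel stuck at TRIP


def single_fault_behaviour(m: int, n: int) -> SingleFault:
    """How an MooN scheme behaves with exactly one faulty channel.

    A dangerous channel fault is stuck-at-RUN while the process demands a trip;
    a safe channel fault is stuck-at-TRIP while there is no demand.  A scheme is
    fault tolerant in the article's sense when it still trips in the first case
    and does not trip in the second.
    """
    real_demand_one_stuck_run = [TRIP] * (n - 1) + [RUN]
    no_demand_one_stuck_trip = [RUN] * (n - 1) + [TRIP]
    return SingleFault(
        trips_on_demand=vote(m, n, real_demand_one_stuck_run),
        spurious_trip=vote(m, n, no_demand_one_stuck_trip),
    )


def is_single_fault_tolerant(m: int, n: int) -> bool:
    """True when one faulty channel neither defeats a real trip nor causes a spurious one."""
    b = single_fault_behaviour(m, n)
    return b.trips_on_demand and not b.spurious_trip


def degraded_scheme(m: int, n: int) -> Optional[Tuple[int, int]]:
    """Voting scheme after diagnostics remove one channel for online repair.

    Assumed policy (vendors differ): keep M where the remaining channels allow
    it, otherwise lower it, so 2oo3 -> 2oo2, 2oo4 -> 2oo3, 1oo2 -> 1oo1.  A
    simplex (1oo1) solver has no degraded mode: the fault forces a shutdown.
    """
    if n == 1:
        return None
    return (min(m, n - 1), n - 1)


def compare(schemes: Sequence[Tuple[int, int]]) -> List[dict]:
    """Tabulate single-fault behaviour and degraded mode for several schemes."""
    rows = []
    for m, n in schemes:
        b = single_fault_behaviour(m, n)
        rows.append({
            "scheme": f"{m}oo{n}",
            "trips_on_demand": b.trips_on_demand,
            "spurious_trip": b.spurious_trip,
            "single_fault_tolerant": is_single_fault_tolerant(m, n),
            "degraded_to": degraded_scheme(m, n),
        })
    return rows


if __name__ == "__main__":
    for row in compare([(1, 1), (1, 2), (2, 2), (2, 3), (2, 4)]):
        print(row)
```

Running the module tabulates the five schemes: 1oo2 still trips on a real demand with one channel stuck at RUN but also trips spuriously on one channel stuck at TRIP; 2oo2 does the opposite; 2oo3 and 2oo4 do neither, which is the fault tolerance the article attributes to TMR. Note that 2oo3 degraded to 2oo2 is no longer tolerant of a second dangerous fault, which is why the finite repair window the article describes matters, whereas 2oo4 degraded to 2oo3 still is.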
Third Generation Fault-Tolerant Systems
The latest generation of fault-tolerant simplex, dual- and triple-modular-redundant safety instrumented systems combines the benefits of first- and second-generation SIS technology with improved diagnostics, safety availability, operational availability and significantly lower lifecycle costs. This has been accomplished by implementing new, more flexible redundancy approaches, increased diagnostic coverage, better processing and communications performance, plus new online repair, modification and upgrade capabilities. The goal of these systems is not incremental improvement but an SIS that provides the very best protection against unsafe situations with minimal interference with the operation of the facility.

Furthermore, unlike earlier generations of safety-system technology, the new simplex, dual- and triple-modular-redundant SISs can often come configured as SIL-certified right out of the box, with few if any restrictions imposed by the certifying body.

The net result is that third-generation redundant safety systems can often deliver significantly increased integrity and availability over first- and second-generation systems. With safety integrity in excess of 99.9999 per cent (six nines) when configured in triplicated fashion, third-generation SIS can eliminate the one in ten outages attributable to the control system while significantly reducing nuisance trips, for a mean time between spurious trips in excess of 2,000 years.

With third-generation safety systems, any faults are automatically identified by the system without the need for user application
