
TRICON

Fault Tolerant Systems

TRICONEX
Definitions

Safety (Sicurezza)

Safety is defined as freedom from unacceptable risk for personnel, the community and the environment.
TRICONEX Systems

Goal : Safety

Strategy : Fail Operational

Measurement: Reliability

Method: Fault Tolerance
Applications Areas

Safety / Safety-Availability / Availability (diagram: spectrum from pure safety to pure availability applications)

Industries: Oil & Gas, Hydrocarbon Processing, Utility, Pulp & Paper, Marine, Nuclear, Textile, Rubber and Plastics, Cement, Food, Pharmaceutical, Metals

Applications: Safety/ESD, Burner Management, Rotating Equipment, Fire & Gas, Automotive Presses, Critical Control
Expertise in Major Safety and Critical Control Areas:

TRI-SEN SYSTEMS
- Gas Turbine Control
- Steam Turbine Control
- Integrated Turbine Compressor/Anti-Surge
- Integrated Turbine Generator/Voltage Regulation

TRICON TMR SYSTEMS
- Safety/Emergency Shutdown
- Critical Control
- Burner Management
- Fire & Gas Detection
- New applications: Nuclear & Transportation
Markets Served (pie chart)

Segments: Chemical Manufacturing, Petroleum Refining, Oil & Gas Production, Electric Power Utilities, Marine, Pulp & Paper, Other

Shares as labelled on the chart: 26%, 24%, 23%, 11%, 8%, 5%, 3% (the extracted text does not preserve which share belongs to which segment)
Technology and Quality

TRICON TMR (Triplicated Modular Redundant) system is viewed as the standard for safety and critical control

Triconex is the leading supplier of fault tolerant control systems worldwide:
- Over 2 500 TMR and 4 200 Turbine Solutions installed worldwide, and over 500 in Europe and Africa
- 62% market share (1996 Frost & Sullivan PLC study)

Our TMR Products are designed to meet the highest levels of safety certification - IEC 1508 class 3, DIN VDE 0801, 19250 level 6 (TÜV class 6), FM Class 1 Div. 2

We continually certify our products to International standards - DIN, CSA, FM, IEC, UL, CE Mark, ABS

June, 1997
Strategy to fulfill safety requirements

"Fail Safe" strategy: A failure inside a subsystem must shut down the safety system

"Fail Operational" strategy: A failure inside a subsystem does not lead to a shutdown
Safety Application Lifecycle (chart: spurious trips over the process lifecycle)

"FAIL SAFE": MTTF and MTTR shown; spurious trips, t ≈ a few years; startup phase

"FAIL OPERATIONAL": MTTF, t ≈ 100 years; spurious trips

Statistically, accidents occurred in transition phases (start-up, shutdown)
Key Issues (Concept)

Reliability = To avoid spurious trips

Maintenance = To decrease downtime

Availability = To decrease production costs

Safety = To control failures

(Chart: spurious trips across the process lifecycle)
Strategy to become reliable

Avoid Failure
-Internal failures of the system (quality plan)
-Exploitation failures (Programming tools, diagnostics,
maintenance, training)

Support failures
-Electronic component failures
-Mechanical component failures
-No single point of failure
-Redundancy
-On line replacement

Dual Architectures (diagram: dual PLC configurations controlling the process, one arrangement labelled Safety and the other Availability)
2oo3 Voting System

Pairs A B, B C and A C (diagram; labels Safety and Availability)

Majority state

Output = A.B + B.C + A.C
TMR Architecture (diagram: Sensors feed Input legs A, B, C; a Voting stage passes the data to Processors A, B, C; Output legs A, B, C go through a Voter to the Actuators)

No propagation

Supports 2 faults of different ranks

Diagnostics are easy to manage
TRICON - TMR Fault Tolerant Controller

Utilizes Triple Modular Redundant Architecture from Input Termination to Output Termination

Definition of Triconex Fault Tolerance: Identifies and Compensates for Failed Control System Elements and Allows On-Line Repair while Continuing its Assigned Task Without Process Interruption.

High Safety Integrity - High Safety Availability Due to TMR Architecture, Diagnostics, and On-Line Repair

High Availability - Eliminates Spurious (False) Trips
Triconex TMR vs. All Other PLC Technologies

1. No Single Point of Failure
2. Diagnostics
3. On-Line Repair

The Difference Between Long Term and Short Term Availability and Reliability: Diagnostics

Diagnostics are Embedded in the System - Independent of User Written Application Programming!
Fully Triplicated Architecture (diagram: Sensors → Input Termination → Input Legs A, B, C (each with an Auto Spare) → I/O Bus → Main Processors A, B, C linked by the TriBus → I/O Bus → Output Legs A, B, C (each with an Auto Spare) → Voter → Output Termination → Actuators)

- No propagation
- Supports 2 faults of different ranks
- Diagnostics are easy to manage
Version 9 High Density Main Chassis (front-panel drawing)

Slots, left to right: POWER A, MP A, B, C, COM, and I/O slots L2/R2 through L7/R7 (each logical slot has a Left and a Right module position)

Modules shown: Power Modules Model 8310 (115/230 VAC) in POWER A and B, with PASS, FAULT, ALARM, TEMP and BATT LOW indicators; three Enhanced Main Processors Model 3006 with keyswitch positions REMOTE, RUN, PROGRAM, STOP and COM / I/O RX and TX indicators; NCM Model 4329 (NET 1, NET 2, each with TX/RX); two Digital Input modules Model 3501E and two Digital Output modules Model 3603B (32 points each); EICM Model 4119 (COMM ports 1 to 4 with TX/RX, PRT). Module status indicators: PASS, FAULT, ACTIVE, MAINT1, MAINT2, LOAD/FUSE.
Chassis - Architecture (diagram)

ELCO Connectors for I/O Termination: Terminal Strip 1 and Terminal Strip 2 per slot (slots 1 to 6 shown), plus a Power Terminal Strip

Dual Power Rail fed by Power Supply 1 and Power Supply 2

TRIBUS between Main Processors A, B & C; Comm Bus (Legs A, B, C) to the Communication Module; I/O Bus (Legs A, B, C) to the I/O modules

One Logical Slot holds a Left I/O Module and a Right I/O Module*

* Either the left module or right module functions as the active or hot spare at any particular time
TRIBUS Hardware

Three Independent Serial Links Transmit Data From Each Main Processor to the Other Two Main Processors

Serial Links Operate at 4 MBits/Second

Utilizes a Fault-tolerant Clock (Tri-Clock) Consisting of Three Independent Clocks and Associated Selection Circuitry
TRIBUS Functions
Synchronizes MPs at the Beginning of Each Scan

Votes DI Data Between MPs and Flags Disagreements

Transfers AI Data Between MPs

Compares DO and AO Between MPs and Flags Disagreements

Transfers Diagnostic and Program Data Between MPs

Transfers Incoming Communication Messages Between MPs

Communication Bus for Automatic Re-education of MP

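As an added example (not Triconex code), the 2oo3 majority vote of the earlier voting slide, Output = A.B + B.C + A.C, applied scan by scan to one digital input together with the per-leg disagreement flagging that the TRIBUS functions above describe; the rule that three consecutive disagreements fault a leg is an assumption, since the slides give no figure for DI.

```python
# Added example, not Triconex code: 2oo3 majority voting of a digital input
# with per-leg disagreement flagging. The fault threshold is an assumption.

def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    """Majority state: Output = A.B + B.C + A.C (Boolean form from the slides)."""
    return (a and b) or (b and c) or (a and c)

def truth_table() -> dict:
    """All eight leg combinations and the voted output."""
    return {(a, b, c): vote_2oo3(a, b, c)
            for a in (False, True) for b in (False, True) for c in (False, True)}

def run_scans(scans, fault_after: int = 3):
    """Vote a sequence of (A, B, C) readings, one tuple per scan.

    A leg that disagrees with the voted result on fault_after consecutive
    scans is flagged as faulted (assumed rule; the slides only say that
    disagreements are flagged). Returns (voted outputs, faulted legs).
    """
    consecutive = {"A": 0, "B": 0, "C": 0}
    faulted = set()
    outputs = []
    for a, b, c in scans:
        out = vote_2oo3(a, b, c)
        outputs.append(out)
        for leg, reading in zip("ABC", (a, b, c)):
            if reading != out:
                consecutive[leg] += 1
                if consecutive[leg] >= fault_after:
                    faulted.add(leg)
            else:
                consecutive[leg] = 0
    return outputs, faulted

# Constructed scans: the field input is OFF throughout, but leg C reads
# stuck ON from the second scan on. The voted output never propagates
# the single-leg fault, and leg C is flagged after three disagreements.
SAMPLE_SCANS = [
    (False, False, False),
    (False, False, True),
    (False, False, True),
    (False, False, True),
]

if __name__ == "__main__":
    outputs, faulted = run_scans(SAMPLE_SCANS)
    print("voted:", outputs, "faulted legs:", sorted(faulted))
```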
Main Processor Module
32 Bit Microprocessor Operating at 25 MHz
Floating Point Co-Processor
1800 Kbytes of User Memory
I/O and Communication Co-Processors
Fault Tolerant Interprocessor Bus (TRIBUS)
Hardware Voting and Comparison Circuits
Supports the Collection of Sequence of Events (SOE) Data
Extensive Background Diagnostics
On-Line Replacement

Diagnostics - Hardware

MPs Inspect the Chassis Layout for Proper Cards and Installed Cards

Any Download Commands Will Create a System Inspection Query

Application Program File Compared with Installed I/O Boards Firmware

If a Board is Missing or Improperly Installed, The MPs Flag a System Alarm

During Downloads, TRISTATION Displays all Disagreements
Main Processor - Architecture (block diagram)

Dual Power Rails feeding Dual Power Regulators (Vcc), with Failure Detect Circuitry and Status Indicators

Main Processor NS32GX32 with 512K EPROM, 2MB SRAM, Timing Generator, Interrupt Controller and Floating Point Processor NS32381, all on the Internal System Bus

DMA and Dual Port RAM to the TriBus; Dual Port RAM to the Com Processor (Up Stream / Down Stream Fault Tolerant Communication Bus) and to the I/O Processor (Up Stream / Down Stream Fault Tolerant I/O Bus); Debug Comm Port
Fault Tolerant Power Subsystem

Dual High Density Power Supplies - Each Capable of Powering Entire Chassis Load (175 Watts Each)

Dual Voltage Regulators - Two per Leg on Each Module

Full Noise Isolation on Inputs and Outputs

Over-Temperature Alarm

On-Line Replacement

Batteries for Memory Back-up on Main Chassis Backplane
Diagnostics - Power Subsystem

Power Supplies, Batteries and Power Regulators are Fully Redundant and Tested Frequently

Output Voltage is Measured

Main Chassis Batteries are Tested

Each MP, I/O and Communication Module's On-board Power Regulators are Toggled Off to Test the Redundant Power Regulator

If a Fault is Detected by the MPs' 2oo3 Vote, the Power Supply Fault Light is Energized and a System Alarm is Generated
Power Supplies - Architecture (diagram)

Power supply #1: Filter → Rectifier → DC/DC Converter → Vdc, feeding regulators (REG) A, B and C, with Fault Detection driving a NO / C / NC relay contact

Power supply #2: identical chain (Filter → Rectifier → DC/DC Converter → Vdc, regulators A, B, C, Fault Detection with NO / C / NC contact)

Both supplies feed +V Bus 1 and +V Bus 2 against a common 0V; a Fault signal is brought out from each supply
Enhanced TMR Digital Input Module

Independent Signal Conditioning, Power Sources and Communications Paths

No Single Point of Failure

Tests for Stuck "ON" Circuits

Full Isolation Between Channels

Full Noise Immunity

On-Line Replacement
Diagnostics - TMR EDI Module

Continuous On Board Testing for Stuck-On Circuits

Each of Three Input Circuits Per Point are Tested for Stuck-ON Condition

Status of Circuit Sent to MPs for Alarming

If Circuitry is Found to be Stuck-On, MPs Vote to Activate DI Module Fault LED and Generate a System Alarm.
EDI Module - Architecture (diagram)

Per input circuit: Threshold Detect with an individual opto-isolator and short-circuit (stuck-on) detection

Per leg (A, B, C), an intelligent I/O controller: Mux → Opto-isolator → Microprocessor with Dual Port RAM → Bus Xcvr onto the Triplicated I/O Bus (Bus A, Bus B, Bus C)
TMR Analog Input Module

Triplicated A/D Converters and Multiplexors

Automatic Calibration Using Built-in Reference Voltages

0.15% Full Scale Range Accuracy

No Single Point of Failure

Isolated Input Channels

On-Line Replacement
Diagnostics - TMR AI Module

Mid-Value Select Algorithm with Measurement Deviation Testing

> 2% Standard Deviation from Mid-Value after 40 Deviations - Leg is Faulted

Main Processors Vote to Energize Fault LED
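As an added example (not Triconex code), the mid-value select and deviation test of this slide run over a constructed drifting leg; that the 2% is measured against the full-scale range and that the 40 deviations must be consecutive are both assumptions, since the slide does not say.

```python
# Added example, not Triconex code: mid-value select of a triplicated
# analog input with the deviation test of the slide (> 2 % from the
# mid-value on 40 scans faults the leg). Assumptions: the 2 % is relative
# to full-scale range, and the 40 deviations must be consecutive.

def mid_value(a: float, b: float, c: float) -> float:
    """Select the median of the three legs; a single outlier leg cannot win."""
    return sorted((a, b, c))[1]

class AnalogPoint:
    def __init__(self, full_scale: float, deviation_pct: float = 2.0,
                 fault_after: int = 40):
        self.limit = full_scale * deviation_pct / 100.0
        self.fault_after = fault_after
        self.deviations = {"A": 0, "B": 0, "C": 0}
        self.faulted = set()

    def scan(self, a: float, b: float, c: float) -> float:
        """One scan: return the selected value and update leg diagnostics."""
        mid = mid_value(a, b, c)
        for leg, reading in zip("ABC", (a, b, c)):
            if abs(reading - mid) > self.limit:
                self.deviations[leg] += 1
                if self.deviations[leg] >= self.fault_after:
                    self.faulted.add(leg)   # MPs would vote to light the fault LED
            else:
                self.deviations[leg] = 0
        return mid

def run_drift_scenario(scans: int = 40):
    """Constructed input: legs A and C read about 50 % of a 0-100 range while
    leg B drifts to 60, i.e. 10 % of full scale above the mid-value.
    Returns (selected value per scan, faulted legs)."""
    point = AnalogPoint(full_scale=100.0)
    selected = [point.scan(50.0, 60.0, 50.2) for _ in range(scans)]
    return selected, point.faulted

if __name__ == "__main__":
    values, faulted = run_drift_scenario()
    print("selected:", values[-1], "faulted legs:", sorted(faulted))
```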
TMR AI Module - Architecture (diagram)

Per leg (A, B, C): Signal Conditioning (differential Amp) → Mux → ADC for each leg → Intelligent I/O Controller (Microprocessor) → Bus Xcvr onto the Triplicated I/O Bus (A, B, C)
TMR Enhanced Digital Output Module
Fault Tolerant Hardware Voter for Each Output Point

Series / Parallel Quad Output Circuits

No Single Point of Failure

Field Loopback Sensing

Latent Fault Detection

Fully Isolated Output Channels

On-Line Replacement

Diagnostics - TMR EDO Module

Stuck-On and Stuck-Off Tests are Performed Continuously

Both Tests Are Performed on All Output Circuits Regardless of Power Status (NE or ND)

Output Switches are Closed then Opened, Voltage Loopback Verifies Proper Operation

If Switch is Found Faulty, MPs Vote to Activate DO Module Fault Light and Generate a System Alarm
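As an added example (not Triconex code), a model of the quad series/parallel output voter of the previous slide and the stuck-on / stuck-off loopback test of this one; the wiring (switch A in series with B, in parallel with switch C in series with an "A or B" switch, between +V and the load) and a loopback sense point per switch are assumptions, since the slides name the switches but do not draw the circuit.

```python
# Added example, not Triconex code: quad series/parallel output voter with
# the continuous stuck-on / stuck-off loopback test. Assumed wiring: path 1
# is switch A in series with B, path 2 is switch C in series with an "A or B"
# switch, and the two paths are in parallel between +V and the field load.
# A loopback sense point per switch is also an assumption.

SWITCHES = ("A", "B", "C", "A_or_B")

def load_energized(state: dict) -> bool:
    """Field load is energized when either series path conducts."""
    return (state["A"] and state["B"]) or (state["C"] and state["A_or_B"])

def drive(cmd: bool, stuck=None) -> bool:
    """Command all four switches to cmd; stuck maps a switch to a forced state
    (True = stuck-on, False = stuck-off). Returns the resulting load state."""
    stuck = stuck or {}
    return load_energized({s: stuck.get(s, cmd) for s in SWITCHES})

def tolerates_any_single_fault() -> bool:
    """No single stuck switch can change the commanded output (hardware voter)."""
    for s in SWITCHES:
        for forced in (True, False):
            for cmd in (True, False):
                if drive(cmd, {s: forced}) != cmd:
                    return False
    return True

def loopback_test(stuck=None) -> dict:
    """Latent fault detection: each switch is closed then opened and its
    loopback voltage compared with the command, regardless of whether the
    point is normally energized (NE) or de-energized (ND)."""
    stuck = stuck or {}
    faults = {}
    for s in SWITCHES:
        for cmd in (True, False):
            if stuck.get(s, cmd) != cmd:
                faults[s] = "stuck-on" if stuck[s] else "stuck-off"
    return faults   # non-empty: MPs vote to light the DO fault LED and alarm

def masked_second_fault() -> bool:
    """Why latent faults matter: a stuck-on A alone is harmless, but with a
    second stuck-on B the de-energize command no longer reaches the load."""
    return drive(False, {"A": True, "B": True})

if __name__ == "__main__":
    print("single-fault tolerant:", tolerates_any_single_fault())
    print("latent faults found:", loopback_test({"C": False}))
```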
TMR EDO Module : Architecture (diagram)

Per leg (A, B, C): Triplicated I/O Bus → Bus Xcvr → Intelligent I/O Controller (Microprocessor and Point Register) → Output Drive Circuitry

Field Circuitry: output switches A, B, C and a fourth switch derived from A and B (labelled "A.B" on the diagram) in a series/parallel quad arrangement between +V and the Load, with a Voltage Loopback detector to -V

* All output switches are opto-isolated
Supervised Digital Output Module
Fault Tolerant Hardware Voter for Each Output Point
Series / Parallel Quad Output Circuits
24 VDC Version Uses Smart FETs That Require No Fusing
No Single Point of Failure
Field Loopback Sensing
Latent Fault Detection
Fully Isolated Output Channels
Blown Fuse Detection
Line Monitoring of Field Load (Open or Short)
On-Line Replacement

Diagnostics - Supervised DO

Stuck-On and Stuck-Off Tests are Performed Continuously

Both Tests Occur on All Output Circuits Regardless of Power Status (NE or ND)

Output Circuits are Toggled, Voltage Loopback Circuits Verify Proper Operation

Field Load Monitored by Use of Voltage Loopback Circuits

If Output Switch is Found Faulty, MPs Vote to Energize Fault LED and Generate a System Alarm

If Load is Missing, MPs Vote to Energize Load LED - Field Device Failure, NOT TMR System Fault
SDO Module - Architecture (diagram)

Per leg (A, B, C): Triplicated I/O Bus → Bus Xcvr → Intelligent I/O Controller (Microprocessor, Dual Ported RAM, Point Register) → Output Drive Circuitry

Field circuitry: output switches A, C, B and "A or B" in a series/parallel quad arrangement between +V (primary) / +V (secondary) and the Load, with a Voltage Sensor on each supply and Voltage/Current Sensors at the load, returning to -V

* All output switches are galvanically isolated
TMR Analog Output Module
Triplicated D/A Converters for Each of the 8 Output Points
2oo3 Selection Circuit Selects Correctly Operating DAC for
Each Point and Periodically Selects Each DAC to Check Its
Correct Operation
Loopback Checking of All Analog Output Channels
Automatic Calibration Using Built-in Reference Voltages
0.15% Full Scale Accuracy
No Single Point of Failure
On-Line Replacement

TMR Pulse Input Module

Triplicated Pulse Counter for Each of the 8 Input Points

Accurate Timers Are Used on Each Point to Determine Time Required to Accumulate the Required Number of Pulses (1 Microsecond Accuracy)

Measures Speed (RPM) to an Accuracy of 0.01% at Normal Operating Speeds

No Single Point of Failure

On-Line Replacement
TMR Thermocouple Input Module

Triplicated A/D Converters and Multiplexors

Automatic Calibration Using Built-in Reference Voltages

Supports Thermocouple Types J, K, and T

Provides 32 Differential, Non-commoned Inputs

No Single Point of Failure

On-Line Replacement
Typical Architecture (diagram)

Room 1: Main Chassis (P.S 1, P.S 2, CPU, and I/O or COM modules), Expansion Chassis (P.S 1, P.S 2, I/O or COM modules) and an RXM Primary chassis, within 30 m max

Remote Room: RXM Remote chassis and Expansion Chassis (P.S 1, P.S 2, I/O modules), up to 12 km away through Triplicated Fiber Optic
Communication Capabilities (diagram)

MODBUS Master, ETHERNET 802.3; Console, DCS or PCs

Chassis with P.S 1, P.S 2, CPU, I/O, EICM and NCM, plus ACM and SMM options

Tristation, SOE, DDE, TCP/IP
Communication Capabilities (cont..)

Peer to Peer Communication: TSSA, proprietary protocol (diagram: chassis with P.S 1, P.S 2, CPU, I/O, EICM and NCM linked via their NCMs ... up to 10 Tricon systems)
Triconex Communication Modules
Network Communication Module (NCM)
Supports Two IEEE 802.3 Ports
Intelligent Communications Module (EICM)
Four Isolated RS-232/ 422 Serial Ports (One Port Used for TriStation and
Others Typically Used for MODBUS Communication to DCSs and Other
Computer or SubSystems)
One Parallel Printer Port
Safety Manager Module (SMM)- Honeywell TDC 3000
Connects to TDC 3000 Universal Control Network (UCN)
Advanced Communication Module (ACM)- Foxboro I/A Series
Connects to Foxboro I/A Series Nodebus
Supports Additional 802.3 Port and Two RS-232/ 422 Serial Ports

Sequence of Events : SOE

SOE Utility through the NCM Module (diagram: four Tricon chassis, each with P.S 1, P.S 2, CPU, I/O or COM, EICM and NCM, on a TCP/IP 802.3 Network with a Printer; Peer to Peer communication between them)
SOE - Features

All the variables are recorded and time stamped in the memory of the TRICON

Accuracy : scan time

SOE blocks are set up within Tristation (maximum of 14 SOE blocks)

The control program manages event collection by means of functions that the user includes in the program

All the information can be retrieved through the different communication modules

SOE Data Retrieval utility program is available through the Network Communication Module NCM.
Raffineria di Priolo (Priolo Refinery)

Redundant Ethernet network configuration, with copper-to-fibre-optic connections and Bridges to optimise network traffic

(Diagram; legend: copper cable, coaxial copper cable, optical fibre. NCM-1 and NCM-2 (Node 5, Node 6) connect through coax and fibre-optic bridges to stations PR1_1, PR1_2, SG10_1, SG10_2 and to Printer1_1 and Printer2_1, over two paths P1 and P2)
