
Safety System Report

Wednesday, December 20, 2006

Management Summary

The RTP 2500 SIS System has a hybrid architecture that uses a set of advanced design techniques to provide SIL 3 safety integrity and high availability. Safety integrity and high availability are achieved on a system that also provides an unusual level of architectural flexibility and computing speed (25 ms scan rates). This combination of safety integrity, high availability, flexibility and performance sets new levels of expectation among safety PLC users.

Architectures available include:

Input Module: Single 1oo1, Dual 1oo2, Triple 2oo3
CPU Module: Single 1oo1, Dual 1oo2, Triple 2oo3
Output Module: Single 1oo1D, Dual 2oo2D

Each subsystem and each I/O module can have a different architecture depending on the criticality of the application functions using those modules. In this way, a cost-optimized system based on application risk can be designed.

Input modules with a single (1oo1) architecture provide cost-effective inputs with a safety integrity rating of SIL 2. The dual architecture (1oo2) provides high safety integrity to a rating of SIL 3. The triple architecture (2oo3) is used to provide higher availability of the input subsystem. Diagnostics are primarily provided via comparison in the Node Processor.

Node Processor modules can be configured with single, dual and triple architectures. The single (1oo1) architecture is the base configuration. A dual architecture (1oo2) is used to achieve high safety integrity. A triple architecture (2oo3) is used to achieve both safety integrity and high availability. Comparison diagnostics between the Node Processors provide highly effective fault detection, even for transient bit errors and soft failures in small-geometry integrated circuits. Using detailed comparison instead of extensive self-diagnostics also frees computing power, ensuring higher application function performance.

Output modules with a single (1oo1D) architecture provide high safety integrity to a rating of SIL 3 with no redundancy. The dual (2oo2D) architecture is used to provide higher availability for each output subsystem. Single-channel safety integrity is achieved through automatic diagnostics, which initiate an output shutdown if potentially dangerous failures are detected.

The diagnostics are run locally in the output module, in the chassis (I/O) processor and in some cases in the node processor.

A Markov model was developed to analyze the behavior of the RTP 2500 SIS system under fault conditions for two common configurations:

1. Maximum Safety (1oo2, 1oo1D)
2. Maximum Availability and Safety (2oo3, 2oo2D)

Using the Markov models and the failure rates from the FMEDA, example average Probability of Failure on Demand (PFDavg) and Mean Time To Fail Spurious (MTTFS) values are calculated.
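As an added illustration, not the Exida report's own model, the following toy Markov chain produces PFDavg and MTTFS figures for the "XooN" voting architectures listed above. The per-channel failure rates, the one-year proof-test interval, and the simplifications (no repair, no common-cause failures, the "D" diagnostics not modelled) are all assumptions chosen for the example.

```python
"""Toy k-out-of-n Markov model for voted SIS subsystems (1oo1, 1oo2, 2oo3, ...).
Constructed example: not the report's Markov model or FMEDA data."""
import re


def parse_vote(arch):
    """Parse 'XooN' notation ('1oo2', '2oo3', '2oo2D') into (k, n).
    A trailing 'D' (diagnostics) is accepted but not modelled here."""
    m = re.fullmatch(r"(\d+)oo(\d+)D?", arch)
    if not m or not 1 <= int(m.group(1)) <= int(m.group(2)):
        raise ValueError(f"bad architecture: {arch}")
    return int(m.group(1)), int(m.group(2))


def pfd_avg(arch, lam_du, ti_hours, steps=2000):
    """Average PFD over one proof-test interval for a k-out-of-n vote.
    State d = number of channels with a dangerous undetected failure; the
    voted function is lost (absorbing state) once d reaches n-k+1.
    Continuous-time chain stepped with Euler, rate (n-d)*lam_du from d to d+1.
    Assumes no repair and no common-cause failures."""
    k, n = parse_vote(arch)
    m = n - k + 1
    p = [1.0] + [0.0] * m          # start with all channels healthy
    dt = ti_hours / steps
    acc = p[m]
    for _ in range(steps):
        nxt = p[:]
        for d in range(m):
            flow = p[d] * (n - d) * lam_du * dt
            nxt[d] -= flow
            nxt[d + 1] += flow
        p = nxt
        acc += p[m]                # probability of being in the failed state
    return acc / (steps + 1)       # time-average over the interval


def mttfs(arch, lam_s):
    """Mean time to fail spurious: expected time until k channels have failed
    safe (each safe failure 'votes' for a trip). Closed form for the pure-birth
    chain: sum over d = 0..k-1 of 1 / ((n-d) * lam_s)."""
    k, n = parse_vote(arch)
    return sum(1.0 / ((n - d) * lam_s) for d in range(k))


if __name__ == "__main__":
    LAM_DU, LAM_S, TI = 1e-6, 1e-5, 8760.0   # constructed per-channel rates (1/h), 1-year proof test
    for arch in ("1oo1", "1oo2", "2oo3"):
        print(f"{arch}: PFDavg={pfd_avg(arch, LAM_DU, TI):.2e}  MTTFS={mttfs(arch, LAM_S):.0f} h")
```

With these constructed rates, 1oo2 gives the lowest PFDavg (safety) while 2oo3 gives the longest MTTFS (availability), matching the trade-off described for the two configurations.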

The results confirm the level of high safety integrity and high availability achieved by the design.

To read Exida's full report, click here.