A customer has a Safety Instrumented Function they need to implement with two independent level transmitters (radar), each wired to a separate STA Functional Safety Trip Alarm. The process will trip if either level reaches the set point, for example a 1 out of 2 (1oo2) voting. However, if the alarm trip (STA) detects an input or unit fault, the customer did not want the process to trip. Instead they wanted to take the faulty unit out of service leaving the process running with the one good level and alarm trip. This effectively degrades the configuration from a 1oo2 to 1oo1 (with the fault alarmed) until the fault is diagnosed and repaired (normally within 72 hours).
Before we outline the solution we should review the safety aspect of the system. As defined in IEC61508-6 Annex B , 1oo1 represents a minimum system. No fault tolerance is provided by this system and no failure mode protection is provided, see figure 1.
In 1oo2, the effect of a dangerous failure is minimized since either trip can cause the system to fail-safe. The 1oo2 system offers low probability of failure on demand, but it increases the probability of a “false trip”.
Figure 1. Safety Architectures 1oo1 Simplex, 1oo2 High Integrity, and 2oo2 High Availability
Using 2oo2 voting reduces spurious trips but also increases the probability of failure on demand. In older systems 2oo3 voting was commonly used. This provided both high integrity and availability but at higher system cost.
These architectures do not use diagnostics as part of the automatic system. Safety architectures have been developed which incorporate diagnostics to improve both integrity and availability at lower costs.
The Value of Diagnostics
Let’s take a look at 1oo1D, which differs from the 1oo1 only in that the switch is wired in series with the output, allowing it to de-energize the output on a diagnostic fault. This system represents an enhancement used for safety applications. Diagnostics allow a detected dangerous failure to be converted into a safe failure.
In the example, the STA with trip and fault relays is wired in series. In the 2oo2D, two 1oo1D units are wired in parallel so BOTH A and B need to trip and/or fail. Once a unit fails, the system acts as a 1oo1 system, see figure 2.
In examining 1oo2D, we see it is the same as 2oo2D EXCEPT that each unit monitors the other and will fall back to 1oo2 IF the other unit fails.
Figure 2. Safety Architectures 1oo1D, 1oo2D, and 2oo2D
Safety Architecture Solution for The Customer
There are many variations to the standard architectures defined in IEC61508. Here’s a solution using the STA with diagnostics to provide 1oo2 voting with high availability. It does not shut down the process unnecessarily, letting it degrade the configuration from a 1oo2 to a 1oo1 while the customer investigates the fault, see figure 3.
It does shut down the process if both STAs have diagnostic faults.
Figure 3. 1oo2 Voting with Diagnostics for High Availability
Relay Wiring for 1oo2 High Availability Architecture
Trip relays are wired in series for 1oo2 voting fault relays.
Fault relays are wired into a safety repeater to provide additional fault contacts, like Moore Industries’ SRM (SRM A & B), see figure 4.
NC contacts from each Safety Relay Modules (SRM) are wired in parallel with corresponding STA trip relays to bypass the trip relay if there is a diagnostic fault.
This creates 1oo1 voting for the healthy STA in the case of a fault
NO contacts from both SRMs are wired in parallel and then in series with the process to trip if both units have a fault.
2 additional NO contacts are available on both SRMs for fault annunciation
Figure 4. This configuration is 1oo2 voting where the trip level set point input from either transmitter will trip the SIF. The first diagnostic fault will degrade the configuration from a 1oo2 to a 1oo1 until the fault is diagnosed and repaired.
Source - miinet