channel. This allows either channel to handle the safety function. In case one channel experiences a dangerous failure (such as a short circuit), the other channel acts as a safeguard for the system. However, if both channels fail simultaneously, the safety function fails upon demand. PFD avg and STR can be calculated using the Table 4 equa- tions. In this architecture, the spurious trip does not improve much, but the PFD avg improves significantly. 2oo2 voting In the 2002 voting design, two channels are linked in par - allel, requiring both channels to initiate the safety function before it activates. If one channel is open, the system will not trip because the other channel remains active and energised. PFD avg and STR can be calculated using the Table 4 equa- tion. In this architecture, the spurious trip improves signifi - cantly, but the PFD avg does not improve much. 1oo3 voting The 1oo3 voting consists of three channels (three separate sensors with an IO channel) connected in parallel so that either channel can process the safety function. If two chan- nels fail dangerously (short-circuited), the other channel will protect the system. If all three channels fail simultane- ously, a safety function fails on demand. PFD avg and STR can be calculated using the Table 4 equa- tions. In this architecture, the spurious trip does not improve much, but the PFD avg improves significantly. 2oo3 voting The architectures discussed so far aim to enhance PFD avg or minimise spurious trips. To address both issues, the 2oo3 voting architecture shown in Figure 3 can be considered. This setup involves the use of three channels running in parallel, utilising a majority voting system for output sig- nals. This ensures that the output state remains unchanged if only one channel produces a result that differs from the other two. To explain the 2oo3 voting architecture, consider the 2oo3 voting circuit in Figure 3, which consists of three channels, and each channel consists of two output switches. This total of six switches are wired such that two are in series and three in parallel. Now, if subsystem ‘A’ fails dangerously
Equation for various voting
STR
PFD avg λ du * TI/2
Equations 1oo1 Equations 1oo2 Equations 2oo2 Equations 1oo3 Equations 2oo3
λ S
2 * λ S
( λ du * TI)²/3
2 * λ S ²/3 * λ S + 2/TI
λ du * TI
3 * λ S
( λ du * TI)³/4 ( λ du * TI)²
6 * λ S ²/5 * λ S + 2/TI
1oo1 1oo2 2oo2 2oo3
0.01/yr 0.02/yr
0.01
0.00013
0.0001/yr 0.0003/yr
0.02
0.0004
Table 4
The following equations are used only to explain the dif- ference between various architectures. Do not use these formulas for real PFD avg calculations. The consideration of case is de-energised to trip the circuit, with reference to the following terms: • MRT: Mean repair time • TI: Time interval between proof tests • MT: Mission time
• λ du: Dangerous failure rates undetected • λ ds: Dangerous failure rates detected • λ s: Safe failure rates
• λ su: Safe failure rates undetected • λ sd: Safe failure rates detected For the calculation, let us consider the below failure rates:
• λ du=0.02 failures/year • λ s=0.01 failures/year • TI=1 year Design variatons 1oo1 voting
In the 1oo1 voting design, there is a single channel without fault protection. When a demand occurs, the circuit opens to de-energise the final element. However, there is a risk of a dangerous failure where the output remains energised in a closed circuit. PFD avg and STR can be calculated using the Table 4 equations. 1oo2 voting The 1oo2 configuration comprises two channels, each connected in parallel with its own sensor and input/output
1oo3
Input circuit
Logic solver
Output circuit
Sensor
2oo2
Input circuit
Logic solver
Output circuit
Sensor
Input circuit
Logic solver
Output circuit
Sensor
Input circuit
Logic solver
Output circuit
Sensor
Input circuit
Logic solver
Output circuit
Final element
Sensor
Final element
Figure 1 2oo2 architecture⁷
Figure 2 1oo3 architecture⁷
86
PTQ Q2 2024
www.digitalrefining.com
Powered by FlippingBook