1oo1D voting The 1oo1D voting design involves a single channel with diagnostic capability. Unlike the 1oo1 voting, a diagnostic circuit is connected in series with the switch (see Figure 4 ), causing the output to de-energise in the event of a diagnos- tic fault. Any dangerous fault detected through diagnostics will be transformed into a safe failure. When conducting quantitative analysis, it is essential to account for the added failure rates associated with the supplementary diagnostic channel. 2oo2D voting When two 1oo1Ds are wired in parallel, as per Figure 5 , it is called 2oo2D voting architecture. So even if one diagnos- tic channel fails, the other channel keeps running the plant. Effective diagnostics are essential to this architecture as an undetected dangerous failure on either channel will fail the system. 1oo2D voting The 1oo2D architecture (see Figure 6 ) resembles 2oo2D voting, with the key distinction being that the diagnostic unit of one channel can can also diagnose the other chan- nel. To facilitate this, additional control lines were incorpo- rated, allowing each unit to control both its own diagnostics and that of the other channel. This significantly enhances safety compared to 2oo2D voting architecture. However, it is important to note that the effectiveness of 1oo2D voting relies heavily on reliable diagnostics. Based on all reviewed architectures, Table 5 can be for- mulated to describe different types of architectures. Hybrid-based architectures⁶ Hybrid fault tolerance/diagnostic-based architectures incorporate various combinations of architectures, such as 2oo(1oo2D). For instance, hybrid architecture is a combi- nation of 1oo2 and 1oo1D. This hybrid approach ensures high safety integrity with a minimal number of modules. The following examples are derived from a hybrid system that offers flexibility in architecture with multiple variations. Configuration 1 (see Figure 7 ) aims to achieve maximum
2oo3
A Output circuit 1
Input circuit
Logic solver
Sensor
Output circuit 2
Output circuit 1
Logic solver B
Input circuit
Sensor
Output circuit 2
Output circuit 1
Logic solver C
Input circuit
Sensor
Output circuit 2
Final element
A
A
B
B
C
C
Figure 3 2oo3 architecture⁷ and 2oo3 voting circuit
(short-circuited), the remaining switch ‘B’ is still in a healthy condition to de-energise, open, and bring the system to a safe state when demand occurs. If one has failed safely (for example, ‘A’ switch is open circuit), the final element is still energised as ‘B’ and ‘C’ are healthy and continue to provide power supply to the final element. PFD avg and STR can be calculated using the equations in Table 4. In this architecture, both the spurious trip and PFD avg improve significantly but are still no better than 1oo2 voting in terms of PFD avg and 2oo2 voting (in terms of spurious trip). Microcomputer engineers have introduced automatic diagnostics in the redundancy architectures, as discussed in the following examples of these types of redundancy configurations.
2oo2D
Diagnostic circuit
Input circuit
Logic solver
Output circuit
Sensor
1oo1D
Diagnostic circuit
Diagnostic circuit
Input circuit
Logic solver
Output circuit
Input circuit
Logic solver
Output circuit
Sensor
Sensor
Final element
Final element
Figure 4 1oo1D architecture⁷
Figure 5 2oo2D architecture 7
88
PTQ Q2 2024
www.digitalrefining.com
Powered by FlippingBook