PLC - Architecture Vs Safety

sameenkhan
Posts: 32
Joined: 07 Apr 2010, 17:54
Area of interest: Electrical Engineering

PLC - Architecture Vs Safety

Post by sameenkhan »

Hi Guys,

Is a QMR architecture much safer than a TMR or DMR?

Is there any relationship between architecture and safety?

Best Regards,

Sameen
ibrahim
Posts: 80
Joined: 19 Apr 2010, 14:25
Area of interest: Chemical Engineering

Re: PLC - Architecture Vs Safety

Post by ibrahim »

Sameen, it is obvious that in N-modular redundancy the chance of incidents due to malfunctioning of a loop decreases as N increases, but at the cost of higher capital cost. So yes, QMR is much more reliable than TMR and DMR.
Reliability is defined as the probability of not failing in a particular environment for a specific mission time. Reliability is a statistical probability and there are no absolutes or guarantees. The goal is to increase the odds of success as much as you can within reason. So we can say safety is a function of reliability, i.e. the higher the reliability of the control system, the safer your equipment will be.
sameenkhan
Posts: 32
Joined: 07 Apr 2010, 17:54
Area of interest: Electrical Engineering

Re: PLC - Architecture Vs Safety

Post by sameenkhan »

Hi Ibrahim,

I agree with the concept of reliability. But safety is something that is embedded into the system... For a safety system, the most important thing that you always want is that it should fail in a predetermined safe state. By using different architectures, we increase the availability of the system and in turn the reliability of the system... but in the meantime we make it more complex. Tests are performed to figure out all the possible failure scenarios and measures are taken so that if the system fails it should not fail in a dangerous state. But looking at the system complexity, the big question comes... Have we covered all possibilities? The answer is NO... and not knowing is a big enough justification... so the system can be more reliable and more available, but I doubt that it becomes safer with a complex architecture...

So the question still stands: is a QMR architecture "SAFER" than TMR or DMR?

Regards,
Sameen
ali.abbas
Core Member
Posts: 61
Joined: 25 May 2010, 23:26
Area of interest: Inst. & Control Engineering

Re: PLC - Architecture Vs Safety

Post by ali.abbas »

Sameen,

The answer to this question is not very simple. However, if I were to place the redundancy schemes in order of safety, this is what my order would be:
2oo4 / 1oo3 --> 2oo3 / 1oo2D --> 2oo2
Control systems have 2 important parameters that a consumer might be interested in:
1- the system does not fail, i.e. high availability or fault tolerance,
2- the system must fail in a safe manner, i.e. high safety level.
You are absolutely correct in saying that as availability increases, safety level is compromised.
For instance, 1oo1 voting is the simplest to install. It can be programmed to be fail-safe and hence vote a trip. The disadvantage of the scheme is that the production losses will be higher due to false trips, and therefore the system cannot be termed fault-tolerant at all. 1oo1D voting is an improvement over 1oo1 voting; the architecture improves fault tolerance by converting dangerous failures into safe failures by de-energizing the output.

Comparing this to the 2oo2 configuration, now both votes will need to be present to effect a shutdown. The system will be more fault tolerant than the 1oo1 configuration, but the safety level will be compromised since there will be conditions in which one of the units might be out of service (for instance during maintenance), and in that case, even if the other unit votes a trip, the trip will not be actuated. The 2oo2 configuration is also referred to as a 2-1-0 scheme. It is estimated to be three times more available than the TMR architecture, but only half as safe as a simplex (single channel) configuration. This is because both channels must fail for the system to experience a spurious trip, and both must operate for the system to achieve the safe state, and herein lies the problem.

The solution is provided by the 1oo2D configuration, which provides the availability level of the 2oo2 scheme and the safety level of the 1oo1 scheme. In the 1oo2D configuration the convention used will be that only one of the two votes need be present to shut down.
In case of a single failure, its diagnostic contact will open the output channel and remove that unit from service. The SIS function then continues to be performed by the remaining channel. The system can then be said to be operating in a 1oo1D configuration. That is, normally the scheme operates with a 2-1-0 configuration but reverts to a 2-0 scheme when a fault occurs that cannot be resolved. However, such a scheme depends greatly on the system's internal diagnostics.

Then come the TMR systems. The advantage of the TMR systems is their relatively lower dependence on the system's internal diagnostics. Simple voting can be used to determine a fault in any one of the units, after which the faulty unit can be eliminated from control. The TMR systems also have 2 possible degradation modes, the 3-2-0 and the 3-2-1 mode, the former being safer while the latter ensures higher availability. The level of fault tolerance can definitely be improved if adequate internal diagnostics are also incorporated into the TMR scheme.

Summing it up, the objective of increasing redundancy is to improve availability and not safety. The determining factor is how the system (whether DMR, TMR or QMR) is designed to ensure a high safety level in spite of increased redundancy, and that pretty much depends on how the manufacturer has designed the internal diagnostics of the system, that is to say how the manufacturer has ensured that there is no instance where a process may be left in a vulnerable state. For instance, there are some QMR control systems that have 2 independent channels, both channels being redundant within themselves (that's how they get the QUAD configuration) and capable of operating at SIL3 independently. Moreover, the two channels are entirely isolated and keep monitoring each other for faults. The internal diagnostics are designed such that at least one of the channels must be entirely fault-free for continued operation.

In addition, the possible degradation modes available also determine how safe/available a system is. In that aspect, the QMR scheme is at least comparable to the TMR scheme, since both have the same number of degradation modes, i.e. 3-2-0 and 4-2-0.

Another aspect is the comparison of PFD(avg) expressions for each system. Referring to ISA TR84.02, Part 2, 1998, one can quickly determine that the Quad (2oo4) architecture is comparable to the ultra-safe 1oo3 architecture, as both have cubic terms in their equations for PFD. By comparison, TMR (2oo3) is comparable to the 1oo2D architecture in that both have squared (second order) terms in their equations. This comparison concludes that the QMR (2oo4) architecture provides an order of magnitude better safety performance than either the TMR (2oo3) or 1oo2D architecture, and is a major technological enhancement in safety system performance. Here's a comparison of these architectures:
1oo2: PFDavg = (λ^DU)^2 × (TI/3)^2 + ...
1oo3: PFDavg = (λ^DU)^3 × (TI/4)^3 + ...
2oo3: PFDavg = (λ^DU)^2 × (TI)^2 + ...
2oo4: PFDavg = (λ^DU)^3 × (TI)^3 + ...
This is the reason why I listed the schemes in the order that I did in the start of my reply. I hope I have clarified.
Regards,
Ali Abbas
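The following is an added example, not code from the forum post or from any vendor: it models MooN trip voting with diagnostic degradation (the 2oo2 weakness, 1oo2D, and 3-2-0 versus 3-2-1 TMR behaviour described above) and evaluates the leading PFDavg terms exactly as written in the post. The degradation rules and the λ^DU / TI figures are assumptions, and real products differ in how a degraded vote is re-formed.

```python
# Added example, not part of the forum post: a small model of MooN trip
# voting with diagnostic degradation, plus the leading PFDavg terms exactly
# as written in the post above. All channel states below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    trip: bool     # channel demands a trip (sees a process demand)
    healthy: bool  # internal diagnostics report the channel fault-free


def vote(m: int, channels: list, diag_reduces_m: bool, trip_when_healthy_at_most: int) -> bool:
    """Return True when the output de-energises (process driven to the safe state).

    Assumed model (vendor behaviour varies; this is not any product's logic):
    - channels flagged unhealthy by diagnostics are removed from the vote;
    - if diag_reduces_m, M shrinks with N, so 1oo2D becomes 1oo1D and a 2oo3
      scheme can still trip on its last channel (3-2-1 style); if not, M is
      fixed, which is the 2oo2 weakness described in the post;
    - when healthy channels are <= trip_when_healthy_at_most, the system fails
      safe outright (3-2-0 style degradation).
    """
    healthy = [c for c in channels if c.healthy]
    if len(healthy) <= trip_when_healthy_at_most:
        return True
    m_eff = min(m, len(healthy)) if diag_reduces_m else m
    return sum(c.trip for c in healthy) >= m_eff


# Leading term only, exactly as the post writes each expression.
PFD_LEADING_TERM = {
    "1oo2": lambda l, ti: l**2 * (ti / 3) ** 2,
    "1oo3": lambda l, ti: l**3 * (ti / 4) ** 3,
    "2oo3": lambda l, ti: l**2 * ti**2,
    "2oo4": lambda l, ti: l**3 * ti**3,
}


def pfd_avg_leading(arch: str, lam_du: float, ti: float) -> float:
    """Leading PFDavg term; lam_du in dangerous-undetected failures/hour, ti (proof-test interval) in hours."""
    return PFD_LEADING_TERM[arch](lam_du, ti)


def rank_by_pfd(lam_du: float, ti: float) -> list:
    """Architectures ordered from lowest (safest) to highest leading PFDavg term."""
    return sorted(PFD_LEADING_TERM, key=lambda a: pfd_avg_leading(a, lam_du, ti))


if __name__ == "__main__":
    # Constructed figures: 1e-6 failures/h and a yearly (8760 h) proof test.
    for arch in rank_by_pfd(1e-6, 8760):
        print(f"{arch}: PFDavg leading term = {pfd_avg_leading(arch, 1e-6, 8760):.2e}")
```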
ali.abbas
Core Member
Posts: 61
Joined: 25 May 2010, 23:26
Area of interest: Inst. & Control Engineering

Re: PLC - Architecture Vs Safety

Post by ali.abbas »

Here is another comparison of the TMR and QMR. I hope it clarifies further.
Regards,
Ali Abbas
AbsarShah
Posts: 8
Joined: 30 Sep 2010, 06:22
Area of interest: Inst. & Control Engineering

Re: PLC - Architecture Vs Safety

Post by AbsarShah »

Just a thought - first, the level of redundancy does not imply a safer system. Even a simple redundant system can be safer than a QMR system (as proven by many FMEDA reports that can be viewed on the websites of system vendors, including Invensys). If a system is rated for the particular SIL level, the level of redundancy of the system, in my opinion, is irrelevant.
ali.abbas
Core Member
Posts: 61
Joined: 25 May 2010, 23:26
Area of interest: Inst. & Control Engineering

Re: PLC - Architecture Vs Safety

Post by ali.abbas »

I agree !!

But one would assume that the SIL level of any system would be the SIL level of the device rated as the minimum, since that will be the weakest link of the chain. However, given a single control loop, does it seem relevant to define its SIL level? If yes, do you know of any technique as to how it might be done?
Regards,
Ali Abbas
AbsarShah
Posts: 8
Joined: 30 Sep 2010, 06:22
Area of interest: Inst. & Control Engineering

Re: PLC - Architecture Vs Safety

Post by AbsarShah »

That would be the SIL rating of that particular loop, not specifically of the SYSTEM HARDWARE. I just presumed we were talking about the system hardware.
ali.abbas
Core Member
Posts: 61
Joined: 25 May 2010, 23:26
Area of interest: Inst. & Control Engineering

Re: PLC - Architecture Vs Safety

Post by ali.abbas »

What I meant to ask was: if the system comprises only a single control loop, what factors or technique would you consider to determine its SIL level?
Regards,
Ali Abbas