
HIMA Safety Architectures

Safety PLC vs. standard PLC – what’s the difference?

- Standard PLC has unknown failure modes – you don’t know how it will fail before it fails
- Safety PLC is guaranteed to fail safely to within a certified probability (SIL 1, 2 or 3)
- Safety PLC is certified by a 3rd party (TÜV) to the international standard IEC 61508 for safety applications
- Safety PLC must be configured by a person with appropriate safety competency
Safety PLC certification

- The TÜV in Germany is the recognized certification body for safety PLCs
- Certification is issued for use of the PLC in a SIL 1, 2 or 3 application
- TÜV certification is comprised of the TÜV certificate, the TÜV report to the certificate and the vendor Safety Manual
- All three must be read, understood and followed in order for the safety PLC to be certified
Safety PLC certification

- Not all safety PLCs are “certified” out of the box
- Safety manual must be followed for certification to be valid
  E.g. Rockwell “ControlLogix PLC” requires 40-60 hours of user configuration – not associated with the application program – just to “make it safe” for SIL 2; miss one step or restriction and it is “not certified”
  E.g. For SIL 3 (RC6) operation, the Tricon TMR system must be configured by the user to shut down after the 2nd CPU failure. Failure to do so invalidates the certification
Different SIS Architectures

- Safety PLCs use different architectures and strategies to achieve safety integrity
- Different SISs have different levels of inherent fault tolerance (availability or spurious trip rate)
- Safety & availability are independent issues – not related
- Field device voting for safety is independent of device voting for availability
Different SIS Architectures

- E.g. TMR – 2oo3 voting to achieve SIL 3 safety integrity
- Availability is an inherent by-product of the safety voting architecture – fixed and non-scaleable
[Figure: TMR structure – voting to trip; SIL 3 voting for safety]

Different SIS Architectures

- HIMA – uses diagnostics to achieve SIL 3 safety integrity for each component – no triplicated circuits required
- Availability is scalable and achieved by……..
[Figure: HIMA structure – voting to trip; voting for SIL 3 safety]
Scaleable availability

- Adding CPU card……
  Both processors need to fail before the system trips
[Figure: redundant CPU modules; SIL 3]

Scaleable availability

- Adding I/O cards……
  Both I/O cards need to fail before the system trips
[Figure: Red Modules (redundant I/O cards); SIL 3]

Scaleable availability – mix & match

- Mix & match I/O fault tolerance together with processing fault tolerance
- Tailor the availability to suit the application
[Figure: Red Modules and Single Module side by side; SIL 3]


MAXIMUM Availability

- No single point of failure, no time limit on fault
- Always SIL 3 – no degradation
- Complete subcomponent separation
- Max availability with max safety
[Figure: two central modules CM1 and CM2 (µP2 µP2 each, with Diagnostics), coupled via DPR; SIL 3]
Compare to TMR Structure

TMR SIL 3 Architecture
- 2oo3 voting to achieve SIL 3 safety integrity
[Figure: TMR structure; SIL 3]

HIMA SIL 3 Architecture
- HIMA – uses diagnostics to achieve SIL 3 safety integrity, no triplicated circuits, no voting required
[Figure: HIMA structure; SIL 3]
Modes of Operation – CPU Degradation

- All 3 CPU modules healthy
- Mode: 3-2-0
[Figure: TMR structure – µP1/CM1, µP2/CM2, µP3/CM3; channels CH1 CH2 CH3; 2oo3 voting; SIL 3]

Modes of Operation – CPU Degradation

- 1st CPU module failure
- Mode: 2-0
[Figure: TMR structure – µP1/CM1 failed (X); µP2/CM2 and µP3/CM3 healthy; channels CH1 CH2 CH3; 2oo3 voting; SIL 3]
* Some time restriction to replace the CPU; the system must be configured by the user to trip within that restriction in order to meet SIL 3

Modes of Operation – CPU Degradation

- 2nd CPU module failure
[Figure: TMR structure – µP1/CM1 and µP2/CM2 failed (X); µP3/CM3 healthy; channels CH1 CH2 CH3; 2oo3 voting; SIL 3]
* System trip is not automatic; it must be configured by the user to meet SIL 3


Modes of Operation – I/O Degradation

- All 3 voting channels healthy
- Mode: 3-2-0
[Figure: TMR structure – µP1 µP2 µP3 / CM1 CM2 CM3; channels CH1 CH2 CH3; 2oo3 voting; SIL 3]

Modes of Operation – I/O Degradation

- 1st voting channel failure
- Mode: 2-0
[Figure: TMR structure – CH1 failed (X); CH2 and CH3 healthy; µP1 µP2 µP3 / CM1 CM2 CM3; 2oo3 voting; SIL 3]

Modes of Operation – I/O Degradation

- 2nd voting channel failure
[Figure: TMR structure – CH1 and CH2 failed (X); CH3 healthy; µP1 µP2 µP3 / CM1 CM2 CM3; 2oo3 voting; SIL 3]
* Trip is not automatic; it must be configured by the user to meet SIL 3


Modes of Operation – CPU Degradation
HIMA CPU Degradation – Mono System (MS)

- Both µProcessors healthy
- Mode: 2-0
[Figure: CM1 (µP2 µP2, Diagnostics); SIL 3]

Modes of Operation – CPU Degradation
CPU Degradation – Mono System (MS)

- 1st Central Module failure
[Figure: CM1 (µP2 µP2, Diagnostics) failed; SIL 3]
* Trip is automatic, no user configuration, SIL 3 always


Modes of Operation – I/O Degradation
I/O Degradation – Mono System (MS)

- I/O module healthy
- Mode: 1-0
[Figure: CM1 (µP2 µP2, Diagnostics) with single I/O module; SIL 3]
* Trip is automatic, no user configuration, SIL 3 always

Modes of Operation – I/O Degradation
I/O Degradation – Mono System (MS)

- 1st I/O module failure
[Figure: CM1 (µP2 µP2, Diagnostics); I/O module failed (X); SIL 3]
Modes of Operation – CPU Degradation
CPU Degradation – High Availability System (HS/HRS)

- All 4 x µProcessors healthy
- Mode: 4-2-0
[Figure: CM1 and CM2 healthy; SIL 3]

Modes of Operation – CPU Degradation
CPU Degradation – High Availability System (HS/HRS)

- 1st Central Module failure
- Mode: 2-0
[Figure: one central module failed; SIL 3]

Modes of Operation – CPU Degradation
CPU Degradation – High Availability System (HS/HRS)

- 2nd Central Module failure
[Figure: both central modules failed; SIL 3]
* Trip is automatic, no user configuration, SIL 3 always


Modes of Operation – I/O Degradation
I/O Degradation – High Availability System (HS/HRS)

- Both I/O modules healthy
- Mode: 2-1-0
[Figure: CM1 and CM2 (µP2 µP2 each, with Diagnostics), coupled via DPR; two I/O modules; SIL 3]

Modes of Operation – I/O Degradation
I/O Degradation – High Availability System (HS/HRS)

- 1st I/O module failure
- Mode: 1-0
[Figure: CM1 and CM2 (µP2 µP2 each, with Diagnostics), coupled via DPR; one I/O module failed (X); SIL 3]

Modes of Operation – I/O Degradation
I/O Degradation – High Availability System (HS/HRS)

- 2nd I/O module failure
[Figure: CM1 and CM2 (µP2 µP2 each, with Diagnostics), coupled via DPR; both I/O modules failed (X X); SIL 3]
* No time restriction to replace the faulted module; the 2nd module is not required for safety
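The degradation chains on the preceding slides (3-2-0, 2-0, 4-2-0, 2-1-0), modelled as an added example that is not code from the HIMA slides. The 72-hour repair window is an assumed placeholder; the slides only say a TMR CPU has "some time restriction" and a HIMA module has none.

```python
# Added example, not code from the HIMA slides. It models the degradation chains
# shown on the "Modes of Operation" slides (3-2-0, 2-0, 4-2-0, 2-1-0) as a sequence
# of module failures and reports whether the system is still running at SIL 3,
# has tripped, or has fallen outside the conditions of its certification.
# The repair time limit is a constructed placeholder: the slides only say a TMR CPU
# has "some time restriction" to replace, and a HIMA module has none.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Architecture:
    name: str
    mode: str                        # degradation chain from the slides, e.g. "3-2-0"
    auto_trip: bool                  # trip at the end of the chain needs no user configuration
    repair_limit_h: Optional[float]  # hours allowed in the degraded state; None = no time limit

# Table constructed from the slides' mode labels and footnotes (72 h is a placeholder).
TMR_CPU    = Architecture("TMR 2oo3 CPU",    "3-2-0", auto_trip=False, repair_limit_h=72.0)
HIMA_MS    = Architecture("HIMA MS CPU",     "2-0",   auto_trip=True,  repair_limit_h=None)
HIMA_HS    = Architecture("HIMA HS/HRS CPU", "4-2-0", auto_trip=True,  repair_limit_h=None)
HIMA_HS_IO = Architecture("HIMA HS/HRS I/O", "2-1-0", auto_trip=True,  repair_limit_h=None)

def degrade(arch: Architecture, failures: int, hours_degraded: float = 0.0,
            user_trip_configured: bool = False) -> Tuple[str, int]:
    """Return (status, healthy_units) after `failures` module failures.

    status: 'SIL3' = running within certification, 'TRIP' = safe state reached,
    'UNCERTIFIED' = running outside the certificate's conditions (trip not
    configured at the end of the chain, or degraded longer than the repair window).
    """
    chain = [int(s) for s in arch.mode.split("-")]
    stage = chain[min(failures, len(chain) - 1)]
    if stage == 0:
        # End of the chain: the system must go to its safe state now.
        if arch.auto_trip or user_trip_configured:
            return ("TRIP", 0)
        return ("UNCERTIFIED", 0)
    over_limit = (failures > 0 and arch.repair_limit_h is not None
                  and hours_degraded > arch.repair_limit_h)
    if over_limit:
        # Degraded for longer than allowed: a compliant configuration trips here.
        return ("TRIP", 0) if user_trip_configured else ("UNCERTIFIED", stage)
    return ("SIL3", stage)
```

Running `degrade(TMR_CPU, 2)` without `user_trip_configured=True` returns UNCERTIFIED, which is the point the footnotes make: the TMR trip after the 2nd failure is a user obligation, while the HIMA chains end in TRIP unconditionally.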
SAFE – NO FAULT TOLERANCE

- Safety integrity via 1oo1D diagnostics
- Inherent fail safe
[Figure: Single Module CM1 (µP2 µP2, Diagnostics), 1oo1D; SIL 3]

SAFE – TAILORED FAULT TOLERANCE

- Mix & match I/O fault tolerance together with processing fault tolerance
- Tailor the availability to suit the application
[Figure: Red Modules and Single Module side by side; SIL 3]

SAFE – MAXIMUM FAULT TOLERANCE

- Complete subcomponent separation
- Max availability with max safety
[Figure: Red Modules – CM1 and CM2 (µP2 µP2 each, with Diagnostics), coupled via DPR; SIL 3]
Flexible I/O Connectivity

- Simple connection – one device to one channel on one module

Flexible I/O Connectivity

- Simple connection – one device to one channel on one module
- Field device voting in logic: 1oo2, 2oo2

Flexible I/O Connectivity

- Simple connection – one device to one channel on one module
- Field device voting in logic: 2oo3
- I/O module voting 2oo3 to trip

Flexible I/O Connectivity

- More complex connection – one device to multiple channels on different I/O modules
- Field devices voted in logic: 2oo3
- I/O modules voted 2oo2 to trip

Flexible I/O Connectivity

- Different complex connection – one device to a dedicated channel on a dedicated redundant pair of I/O modules
- Each device is wired 2oo2 to trip regardless of how the signal is being voted
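The voting combinations on the Flexible I/O Connectivity slides (field devices voted in logic, I/O modules voted to trip), as an added example that is not code from the HIMA slides. The transmitter names, the 10 bar trip point and the readings are constructed for the example.

```python
# Added example, not code from the HIMA slides. It implements the voting
# combinations on the "Flexible I/O Connectivity" slides as a generic MooN voter:
# field devices voted in logic (1oo2, 2oo2, 2oo3) and I/O modules voted to trip
# (2oo3 or 2oo2). An I/O module diagnosed faulty is taken out of its vote, so a
# 2oo2 module vote degrades to 1oo1 rather than being blocked by the dead module.
# Transmitter names, the 10 bar trip point and the readings are constructed.
from typing import List, Optional, Sequence

def moon(m: int, votes: Sequence[bool]) -> bool:
    """MooN vote: trip demand when at least m of the n votes demand a trip."""
    return sum(votes) >= m

def device_vote(m: int, readings: Sequence[float], trip_above: float) -> bool:
    """Vote field devices in logic, e.g. 2oo3 on three pressure transmitters."""
    return moon(m, [r > trip_above for r in readings])

def module_vote(m: int, demands: Sequence[Optional[bool]]) -> bool:
    """Vote I/O modules to trip. None = module diagnosed faulty and removed from
    the vote; with every module removed the loop fails safe (trip)."""
    live = [d for d in demands if d is not None]
    if not live:
        return True
    return moon(min(m, len(live)), live)

def loop_trip(readings_per_module: Sequence[Optional[Sequence[float]]],
              trip_above: float, device_m: int = 2, module_m: int = 2) -> bool:
    """One device to channels on several modules: each module votes its own copy of
    the field devices device_m-oo-n, then the modules are voted module_m-oo-n to trip."""
    demands: List[Optional[bool]] = [
        None if readings is None else device_vote(device_m, readings, trip_above)
        for readings in readings_per_module]
    return module_vote(module_m, demands)

# Constructed scenario: PT-101/102/103 read by a redundant pair of I/O modules, trip above 10 bar.
SCENARIOS = {
    "two high, both modules healthy": [[11.2, 12.0, 9.1], [11.2, 12.0, 9.1]],
    "two high, second module faulted": [[11.2, 12.0, 9.1], None],
    "one high, both modules healthy": [[11.2, 9.4, 9.1], [11.2, 9.4, 9.1]],
}

def evaluate(scenarios=SCENARIOS, trip_above=10.0):
    """Trip decision per constructed scenario with 2oo3 devices and 2oo2 modules."""
    return {name: loop_trip(readings, trip_above) for name, readings in scenarios.items()}
```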
Summary HIMA Technology

- Always SIL 3, no matter the structure
- Redundancy is only for availability
- HIMA availability is scaleable
- Connection to field devices is flexible
- Tailor availability to suit application and field device architecture
- Save on capital, operational & maintenance costs with optimized architecture
E.g. Optimized BMS Solution

- Burners grouped onto simplex loops
- Common trips on redundant loops
[Figure: common signals with redundant I/O boards; individual burners with single I/O boards]
Availability Benchmark

- STR for TMR system = 1,137 years
- STR for HIMA system = 1,549 years

Benchmark System
- 32 AI pts
- 32 DI pts
- 16 DO pts

* STR calc method – exact equations as per ISA TR84.0.02
Spurious Trip Rate – STR


Real World Safety Loop
TMR Implementation

- Availability built into loop
- Multiple failures will not trip loop
- Limiting factor for loop availability is 1oo1 SDV
- STR of loop is approx 46 years
- Single I/O Module – CCF?
[Figure: three PTx transmitters, each wired to a single I/O module (CH1 CH2 CH3) on µP1/CM1, µP2/CM2 and µP3/CM3; 2oo3 voting; failed items marked X]
Real World Safety Loop
HIMA Implementation

- Availability built into loop
- Multiple failures will not trip loop
- Limiting factor for loop availability is 1oo1 SDV
- STR of loop is approx 51 years
- No CCF
[Figure: 4 x I/O modules and 2 x I/O modules; failed items marked X]
Summary – Differences in Architectures

- Safety integrity via diagnostics rather than voting
- Both architectures provide SIL 3 safety AND availability
- Fault tolerance is scalable rather than fixed – mix & match I/O structures
- Process availability not always impacted by SIS availability
- HIMA architecture gives you the choice to pay for the availability you need
Questions?
