TRICON Fault Tolerant Systems
TRICONEX
Definitions
Safety (Sicurezza): Safety is defined as freedom from unacceptable risk to personnel, the community and the environment.
TRICONEX Systems
- Goal: Safety
- Strategy: Fail Operational
- Measurement: Reliability
- Method: Fault Tolerance
Application Areas
Safety / Safety-Availability / Availability
Industries: Oil & Gas, Pulp & Paper, Textile, Food, Hydrocarbon Processing, Marine, Rubber and Plastics, Pharmaceutical, Utility, Nuclear, Cement, Metals
Applications: Safety/ESD Equipment, Fire & Gas, Burner Management, Automotive Presses, Rotating Critical Control
Expertise in Major Safety and Critical Control Areas:
TRI-SEN SYSTEMS: Gas Turbine Control; Steam Turbine Control; Integrated Turbine Compressor/Anti-Surge; Integrated Turbine Generator/Voltage Regulation
TRICON TMR SYSTEMS: Safety/Emergency Shutdown; Critical Control; Burner Management; Fire & Gas Detection; New applications: Nuclear & Transportation
Markets Served
[Figure: pie chart of markets served. Segments: Chemical Manufacturing, Petroleum Refining, Oil & Gas Production, Electric Power Utilities, Marine, Pulp & Paper, Other. Percentages as printed on the chart: 11%, 26%, 23%, 24%, 8%, 3%, 5%.]
Technology and Quality
The TRICON TMR (Triplicated Modular Redundant) system is viewed as the standard for safety and critical control. Triconex is the leading supplier of fault tolerant control systems worldwide:
- Over 2 500 TMR and 4 200 Turbine Solutions installed worldwide, over 500 of them in Europe and Africa
- 62% market share (1996 Frost & Sullivan PLC study)
Our TMR products are designed to meet the highest levels of safety certification: IEC 1508 class 3, DIN VDE 0801, 19250 level 6 (TÜV class 6), FM Class 1 Div. 2. We continually certify our products to international standards: DIN, CSA, FM, IEC, UL, CE Mark, ABS.
June, 1997
Strategy to fulfill safety requirements
"Fail safe" strategy: a failure inside a subsystem must shut down the safety system.
"Fail operational" strategy: a failure inside a subsystem does not lead to a shutdown.
Safety Application Lifecycle
[Figure: two trip-rate-over-time curves. "Fail safe": MTTF, spurious trips, MTTR, t = a few years, with the start-up phase marked. "Fail operational": spurious trips, MTTF, t = 100 years.]
Statistically, accidents occurred in transition phases (start-up, shutdown).
Key Issues (Concept)
Over the process lifecycle:
- Reliability = to avoid spurious trips
- Maintenance = to decrease downtime
- Availability = to decrease production costs
- Safety = to control failures
Strategy to become reliable
Avoid failure:
- Internal failures of the system (quality plan)
- Operating (exploitation) failures (programming tools, diagnostics, maintenance, training)
Support failures:
- Electronic component failures
- Mechanical component failures
- No single point of failure
- Redundancy
- On-line replacement
Dual Architectures
[Figure: two dual PLC arrangements between the PLC and the process, each rated for Safety and Availability.]
2oo3 Voting System
[Figure: the three pairwise agreements A-B, B-C and A-C, rated for Safety and Availability.]
Majority state: Output = A.B + B.C + A.C
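The majority expression above, worked through in code: this is an added example, not Triconex code, and it models two things the deck describes: the 2oo3 vote itself, and the "votes DI data between MPs and flags disagreements" function of the TRIBUS. It also checks the reading of the later output-module diagrams, whose quad output paths are labelled A.B, C and "A or B" (the EDO slide writes the last as "A et B"): read as A in series with B, in parallel with C in series with a switch closed by A or B, that is A.B + C.(A+B), which is algebraically the same majority. That reading of the diagram, the sample scan data and all function names are my assumptions.

```python
from itertools import product
from typing import Dict, List, NamedTuple, Sequence


def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    """Majority state from the slide: Output = A.B + B.C + A.C."""
    return (a and b) or (b and c) or (a and c)


def quad_output(a: bool, b: bool, c: bool) -> bool:
    """Assumed reading of the series/parallel quad output circuit on the
    EDO/SDO slides: path 1 is A in series with B, path 2 is C in series with
    a switch closed by A or B. Algebraically this is the same majority."""
    return (a and b) or (c and (a or b))


def quad_matches_majority() -> bool:
    """Exhaustively check that both forms agree for all 8 input combinations."""
    return all(vote_2oo3(a, b, c) == quad_output(a, b, c)
               for a, b, c in product((False, True), repeat=3))


class ScanVote(NamedTuple):
    voted: List[bool]                    # voted DI image for this scan
    disagreements: Dict[str, List[int]]  # leg -> points where it lost the vote


def vote_scan(leg_a: Sequence[bool], leg_b: Sequence[bool],
              leg_c: Sequence[bool]) -> ScanVote:
    """Vote each DI point across the three legs and flag the dissenting leg.

    With three legs, at most one leg can disagree with the majority on a
    given point, so a single faulty leg is masked and identified. Two legs
    failing the same way on the same point would out-vote the healthy one,
    which is why the per-leg diagnostics on the following slides matter.
    """
    if not (len(leg_a) == len(leg_b) == len(leg_c)):
        raise ValueError("all three legs must carry the same number of points")
    voted: List[bool] = []
    disagreements: Dict[str, List[int]] = {"A": [], "B": [], "C": []}
    for point, (a, b, c) in enumerate(zip(leg_a, leg_b, leg_c)):
        result = vote_2oo3(a, b, c)
        voted.append(result)
        for name, value in (("A", a), ("B", b), ("C", c)):
            if value != result:
                disagreements[name].append(point)
    return ScanVote(voted, disagreements)


# Constructed sample scan (8 DI points): legs A and C agree; leg B reads
# point 3 stuck ON and point 6 stuck OFF.
SAMPLE_LEG_A = [False, True, False, False, True, True, True, False]
SAMPLE_LEG_B = [False, True, False, True, True, True, False, False]
SAMPLE_LEG_C = [False, True, False, False, True, True, True, False]


def sample_vote() -> ScanVote:
    """Vote the constructed sample scan."""
    return vote_scan(SAMPLE_LEG_A, SAMPLE_LEG_B, SAMPLE_LEG_C)


if __name__ == "__main__":
    res = sample_vote()
    print("voted image   :", [int(v) for v in res.voted])
    print("disagreements :", res.disagreements)
    print("quad == majority for all inputs:", quad_matches_majority())
```

The voted image follows the two healthy legs on every point, and leg B is named on exactly the two points where it disagreed; that per-leg disagreement list is what lets the system point at the failed module rather than just masking it.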
TMR Architecture
[Figure: sensors feed three input legs A, B, C; three processors A, B, C vote between themselves; three outputs A, B, C pass through a voter to the actuators.]
- No propagation
- Supports 2 faults of different ranks
- Diagnostics are easy to manage
TRICON - TMR Fault Tolerant Controller
- Utilizes Triple Modular Redundant Architecture from Input Termination to Output Termination
- Definition of Triconex Fault Tolerance: Identifies and Compensates for Failed Control System Elements and Allows On-Line Repair while Continuing its Assigned Task Without Process Interruption
- High Safety Integrity: High Safety Availability Due to TMR Architecture, Diagnostics, and On-Line Repair
- High Availability: Eliminates Spurious (False) Trips
Triconex TMR vs. All Other PLC Technologies
Triconex TMR: 1. No Single Point of Failure 2. Diagnostics 3. On-Line Repair
All other PLC technologies: 1. No Single Point of Failure 2. Diagnostics 3. On-Line Repair
The difference between long-term and short-term availability and reliability: diagnostics. Diagnostics are embedded in the system, independent of user-written application programming!
Fully Triplicated Architecture
[Figure: Sensors -> Input Termination -> Input Legs A, B, C (each with an auto spare) -> I/O Bus -> Main Processors A, B, C linked by the TriBus -> I/O Bus -> Output Legs A, B, C (each with an auto spare) -> Voter -> Output Termination -> Actuators.]
- No propagation
- Supports 2 faults of different ranks
- Diagnostics are easy to manage
Version 9 High Density Main Chassis
[Figure: front view of the main chassis. Modules and panel labels visible: two POWER MODULE MODEL 8310 (115/230 VAC; L, N terminals; NO/C/NC relay contacts; PASS, FAULT, ALARM, TEMP, BATT LOW indicators); three EMP 3006 main processor modules (PASS, FAULT, ACTIVE, MAINT1, MAINT2 indicators; COM RX/TX and I/O RX/TX indicators; key switch positions RUN, PROGRAM, STOP and REMOTE, LOCAL); NCM 4329 (NET 1, NET 2, TX/RX); EICM 4119 (serial ports 1TX/1RX to 4TX/4RX, PRT printer port, COMM TX/RX); two DIGITAL INPUT 3501E (points 1 to 32; PASS, FAULT, ACTIVE); two DIGITAL OUTPUT 3603B (PASS, FAULT, ACTIVE, LOAD/FUSE).]
Chassis - Architecture
[Figure: chassis block diagram. ELCO connectors for I/O termination; Terminal Strip 1, Terminal Strip 2 and Power Terminal Strip; TRIBUS; Power Supply 1 and Power Supply 2 feeding a dual power rail with legs A, B, C; Main Processors A, B and C; Comm Bus and I/O Bus; Left I/O Module and Right I/O Module* forming one logical slot; Communication Module.]
* Either the left module or the right module functions as the active or hot spare at any particular time.
TRIBUS Hardware
- Three Independent Serial Links Transmit Data From Each Main Processor to the Other Two Main Processors
- Serial Links Operate at 4 MBits/Second
- Utilizes a Fault-tolerant Clock (Tri-Clock) Consisting of Three Independent Clocks and Associated Selection Circuitry
TRIBUS Functions
- Synchronizes MPs at the Beginning of Each Scan
- Votes DI Data Between MPs and Flags Disagreements
- Transfers AI Data Between MPs
- Compares DO and AO Between MPs and Flags Disagreements
- Transfers Diagnostic and Program Data Between MPs
- Transfers Incoming Communication Messages Between MPs
- Communication Bus for Automatic Re-education of MP
Main Processor Module
- 32 Bit Microprocessor Operating at 25 MHz
- Floating Point Co-Processor
- 1800 Kbytes of User Memory
- I/O and Communication Co-Processors
- Fault Tolerant Interprocessor Bus (TRIBUS)
- Hardware Voting and Comparison Circuits
- Supports the Collection of Sequence of Events (SOE) Data
- Extensive Background Diagnostics
- On-Line Replacement
Diagnostics - Hardware
- MPs Inspect the Chassis Layout for Proper Cards and Installed Cards
- Any Download Command Will Create a System Inspection Query
- Application Program File Compared with Installed I/O Boards' Firmware
- If a Board is Missing or Improperly Installed, the MPs Flag a System Alarm
- During Downloads, TRISTATION Displays all Disagreements
Main Processor - Architecture
[Figure: main processor block diagram. Dual power rails, dual power regulators and failure detect circuitry (Vcc); status indicators; main processor NS32GX32 with NS32381 floating point processor on an internal system bus; 512K EPROM and 2MB SRAM; timing generator; interrupt controller; DMA; TriBus up stream and down stream links; dual port RAM to the com processor (fault tolerant communication bus) and dual port RAM to the I/O processor (fault tolerant I/O bus); debug comm port.]
Fault Tolerant Power Subsystem
- Dual High Density Power Supplies, Each Capable of Powering the Entire Chassis Load (175 Watts Each)
- Dual Voltage Regulators, Two per Leg on Each Module
- Full Noise Isolation on Inputs and Outputs
- Over-Temperature Alarm
- On-Line Replacement
- Batteries for Memory Back-up on Main Chassis Backplane
Diagnostics - Power Subsystem
- Power Supplies, Batteries and Power Regulators are Fully Redundant and Tested Frequently
- Output Voltage is Measured
- Main Chassis Batteries are Tested
- Each MP, I/O and Communication Module's Onboard Power Regulators are Toggled Off to Test the Redundant Power Regulator
- If a Fault is Detected by the MPs' 2oo3 Vote, the Power Supply Fault Light is Energized and a System Alarm is Generated
Power Supplies - Architecture
[Figure: Power supply #1 and Power supply #2, each with filter, rectifier, DC/DC converter and fault detection with NO/C/NC relay contacts, feeding +V Bus 1 and +V Bus 2 (0V common). Each leg A, B, C draws Vdc through its own pair of regulators (REG) from both buses.]
Enhanced TMR Digital Input Module
- Independent Signal Conditioning, Power Sources and Communications Paths
- No Single Point of Failure
- Tests for Stuck "ON" Circuits
- Full Isolation Between Channels
- Full Noise Immunity
- On-Line Replacement
Diagnostics - TMR EDI Module
- Continuous On-Board Testing for Stuck-On Circuits
- Each of the Three Input Circuits Per Point is Tested for a Stuck-On Condition; the Status of the Circuit is Sent to the MPs for Alarming
- If Circuitry is Found to be Stuck-On, the MPs Vote to Activate the DI Module Fault LED and Generate a System Alarm
EDI Module - Architecture
[Figure: per leg (A, B, C): input circuit with individual opto-isolator, threshold detect, opto-isolator short-circuit detection, multiplexer (Mux.), opto-isolator, microprocessor, bus transceiver (Bus Xcvr) and dual port RAM; the three intelligent I/O controllers sit on the triplicated I/O bus.]
TMR Analog Input Module
- Triplicated A/D Converters and Multiplexors
- Automatic Calibration Using Built-in Reference Voltages
- 0.15% Full Scale Range Accuracy
- No Single Point of Failure
- Isolated Input Channels
- On-Line Replacement
Diagnostics - TMR AI Module
- Mid-Value Select Algorithm with Measurement Deviation Testing
- A leg that deviates by more than 2% (standard deviation) from the mid-value, after 40 such deviations, is faulted
- Main Processors Vote to Energize the Fault LED
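Mid-value select with deviation counting, as an added example (not Triconex code) of the AI diagnostic just described. The slide does not say what the 2% is relative to or whether the 40 deviations must be consecutive; the example assumes 2% of the channel's full-scale range and consecutive deviations (one in-band reading resets the leg's count). The constructed input is a 0 to 100 channel on which leg B reads 3% high. Class and function names are mine.

```python
from typing import Dict, List, NamedTuple

LEGS = ("A", "B", "C")


class ScanResult(NamedTuple):
    selected: float        # mid-value passed on to the application
    deviating: List[str]   # legs outside the deviation band on this scan
    faulted: List[str]     # legs currently declared faulted


class MidValueSelector:
    """Mid-value select with per-leg deviation counting.

    Assumptions (not stated on the slide): the 2% band is taken relative to
    the channel's full-scale range, and the 40 deviations must be consecutive.
    """

    def __init__(self, full_scale: float, band_fraction: float = 0.02,
                 fault_after: int = 40):
        self.band = band_fraction * full_scale
        self.fault_after = fault_after
        self.counts: Dict[str, int] = {leg: 0 for leg in LEGS}
        self.faulted: List[str] = []

    def scan(self, a: float, b: float, c: float) -> ScanResult:
        readings = dict(zip(LEGS, (a, b, c)))
        # Mid-value select: the median of the three readings. A single drifted
        # or failed leg is always the minimum or the maximum, so it is never
        # the value handed to the application; the vote masks it.
        mid = sorted(readings.values())[1]
        deviating: List[str] = []
        for leg, value in readings.items():
            if abs(value - mid) > self.band:
                deviating.append(leg)
                self.counts[leg] += 1
                if self.counts[leg] >= self.fault_after and leg not in self.faulted:
                    # In the real system the MPs would now vote to light the
                    # module fault LED and raise a system alarm.
                    self.faulted.append(leg)
            else:
                self.counts[leg] = 0
        return ScanResult(mid, deviating, list(self.faulted))


def run_sample() -> List[ScanResult]:
    """Constructed input: legs A and C read 50.0 and 50.2; leg B reads 53.0
    (3% of full scale above the mid-value) on every scan except scan 10,
    where one in-band reading of 50.1 resets its deviation count."""
    selector = MidValueSelector(full_scale=100.0)
    results: List[ScanResult] = []
    for i in range(51):
        b = 50.1 if i == 10 else 53.0
        results.append(selector.scan(50.0, b, 50.2))
    return results


if __name__ == "__main__":
    for i, r in enumerate(run_sample()):
        if r.faulted or i in (0, 10):
            print(f"scan {i:2d}: selected={r.selected} deviating={r.deviating} faulted={r.faulted}")
```

Leg B is never selected on any scan even though it is wrong from the first one; the fault is only declared on scan 50, after the 40th consecutive out-of-band reading following the reset, which illustrates why the deviation counter exists: it separates a persistent leg fault from a transient excursion without ever letting the bad value reach the logic.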
TMR AI Module - Architecture
[Figure: an ADC for each leg. Per leg (A, B, C): signal conditioning, multiplexer (Mux.), amplifier (Amp), ADC, microprocessor and bus transceiver (Bus Xcvr); the three intelligent I/O controllers sit on the triplicated I/O bus.]
TMR Enhanced Digital Output Module
- Fault Tolerant Hardware Voter for Each Output Point
- Series / Parallel Quad Output Circuits
- No Single Point of Failure
- Field Loopback Sensing
- Latent Fault Detection
- Fully Isolated Output Channels
- On-Line Replacement
Diagnostics - TMR EDO Module
- Stuck-On and Stuck-Off Tests are Performed Continuously
- Both Tests Are Performed on All Output Circuits Regardless of Power Status (NE or ND)
- Output Switches are Closed then Opened; Voltage Loopback Verifies Proper Operation
- If a Switch is Found Faulty, the MPs Vote to Activate the DO Module Fault Light and Generate a System Alarm
TMR EDO Module: Architecture
[Figure: triplicated I/O bus A, B, C; per leg an intelligent I/O controller with bus transceiver (Bus Xcvr), microprocessor, point register and output drive circuitry; field circuitry with the series/parallel quad output switches labelled A.B, C and "A et B", a voltage loopback detector, +V, -V and the load.]
* All output switches are opto-isolated
Supervised Digital Output Module
- Fault Tolerant Hardware Voter for Each Output Point
- Series / Parallel Quad Output Circuits
- 24 VDC Version Uses Smart FETs That Require No Fusing
- No Single Point of Failure
- Field Loopback Sensing
- Latent Fault Detection
- Fully Isolated Output Channels
- Blown Fuse Detection
- Line Monitoring of Field Load (Open or Short)
- On-Line Replacement
Diagnostics - Supervised DO
- Stuck-On and Stuck-Off Tests are Performed Continuously
- Both Tests Occur on All Output Circuits Regardless of Power Status (NE or ND)
- Output Circuits are Toggled; Voltage Loopback Circuits Verify Proper Operation
- Field Load is Monitored by Use of the Voltage Loopback Circuits
- If an Output Switch is Found Faulty, the MPs Vote to Energize the Fault LED and Generate a System Alarm
- If the Load is Missing, the MPs Vote to Energize the Load LED: a Field Device Failure, NOT a TMR System Fault
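The stuck-on/stuck-off loopback test from the EDO slide and the load monitoring from the SDO slide, as one added example (not Triconex code). It models a single leg's output switch with a loopback voltage sensor and, for the SDO case, a load current sensor; in the module this switch is one of the four in the series/parallel quad, so toggling it alone does not change the energized state of the load, which the one-switch model does not show. The point is the classification at the end: a switch that fails the test is a system fault (fault LED plus alarm), a missing load is a field failure reported on the load LED. The sensor model, the sample points and all names are my assumptions.

```python
from enum import Enum
from typing import Dict, List, NamedTuple, Tuple


class SwitchFault(Enum):
    NONE = "ok"
    STUCK_ON = "stuck on"
    STUCK_OFF = "stuck off"


class FieldPoint:
    """Constructed model of one output point: a switch with an optional
    latent fault, a field load that may be missing, and loopback sensors."""

    def __init__(self, fault: SwitchFault = SwitchFault.NONE,
                 load_present: bool = True):
        self.fault = fault
        self.load_present = load_present
        self.commanded_closed = False

    def command(self, closed: bool) -> None:
        self.commanded_closed = closed

    def _conducting(self) -> bool:
        if self.fault is SwitchFault.STUCK_ON:
            return True
        if self.fault is SwitchFault.STUCK_OFF:
            return False
        return self.commanded_closed

    def loopback(self) -> Tuple[bool, bool]:
        """(voltage present at the field terminal, load current flowing)."""
        conducting = self._conducting()
        return conducting, conducting and self.load_present


class Diagnosis(NamedTuple):
    switch_fault: SwitchFault  # system fault: MPs vote to light FAULT LED + alarm
    load_missing: bool         # field device failure: LOAD LED, not a system fault


def loopback_test(point: FieldPoint) -> Diagnosis:
    """Close then open the switch, verifying each state through loopback,
    and restore the original command so the test leaves the output as found."""
    original = point.commanded_closed
    fault = SwitchFault.NONE
    load_missing = False
    point.command(True)
    voltage, current = point.loopback()
    if not voltage:
        fault = SwitchFault.STUCK_OFF      # commanded closed, no voltage
    elif not current:
        load_missing = True                # switch works, nothing draws current
    point.command(False)
    voltage, _ = point.loopback()
    if voltage and fault is SwitchFault.NONE:
        fault = SwitchFault.STUCK_ON       # commanded open, still conducting
    point.command(original)
    return Diagnosis(fault, load_missing)


def diagnose_module(points: Dict[int, FieldPoint]) -> Dict[str, List[int]]:
    """Run the loopback test on every point and sort the findings into the
    two indications the slide distinguishes."""
    report: Dict[str, List[int]] = {"fault_led": [], "load_led": []}
    for number, point in points.items():
        d = loopback_test(point)
        if d.switch_fault is not SwitchFault.NONE:
            report["fault_led"].append(number)
        if d.load_missing:
            report["load_led"].append(number)
    return report


def sample_module() -> Dict[str, List[int]]:
    """Constructed 4-point module: point 0 healthy, 1 stuck on, 2 stuck off,
    3 healthy switch with an open field wiring (load missing)."""
    points = {
        0: FieldPoint(),
        1: FieldPoint(SwitchFault.STUCK_ON),
        2: FieldPoint(SwitchFault.STUCK_OFF),
        3: FieldPoint(load_present=False),
    }
    return diagnose_module(points)


if __name__ == "__main__":
    print(sample_module())
```

Note that the stuck-on case is only visible in the second half of the test (commanded open, yet conducting), and the stuck-off case only in the first half; running both halves on every circuit, whichever state the output normally sits in, is what the "regardless of power status (NE or ND)" bullet is about.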
SDO Module - Architecture
[Figure: triplicated I/O bus A, B, C; per leg an intelligent I/O controller with bus transceiver (Bus Xcvr), microprocessor, dual ported RAM, point register and output drive circuitry; field circuitry with the quad output switches (paths labelled A, "A or B" and C), voltage sensors and voltage/current sensors for loopback and load monitoring, +V (primary), +V (secondary), -V and the load.]
* All output switches are galvanically isolated
TMR Analog Output Module
- Triplicated D/A Converters for Each of the 8 Output Points
- 2oo3 Selection Circuit Selects the Correctly Operating DAC for Each Point and Periodically Selects Each DAC to Check Its Correct Operation
- Loopback Checking of All Analog Output Channels
- Automatic Calibration Using Built-in Reference Voltages
- 0.15% Full Scale Accuracy
- No Single Point of Failure
- On-Line Replacement
TMR Pulse Input Module
- Triplicated Pulse Counter for Each of the 8 Input Points
- Accurate Timers Are Used on Each Point to Determine the Time Required to Accumulate the Required Number of Pulses (1 Microsecond Accuracy)
- Measures Speed (RPM) to an Accuracy of 0.01% at Normal Operating Speeds
- No Single Point of Failure
- On-Line Replacement
TMR Thermocouple Input Module
- Triplicated A/D Converters and Multiplexors
- Automatic Calibration Using Built-in Reference Voltages
- Supports Thermocouple Types J, K, and T
- Provides 32 Differential, Non-commoned Inputs
- No Single Point of Failure
- On-Line Replacement
Typical Architecture
[Figure: Main Chassis (P.S 1, P.S 2, CPU, I/O or COM slots) and Expansion Chassis (P.S 1, P.S 2, I/O or COM slots) in Room 1, 30 m max apart; an RXM Chassis with RXM Primary (P.S 1, P.S 2, I/O) linked over triplicated fibre optic, up to 12 km, to an RXM Chassis with RXM Remote (P.S 1, P.S 2, I/O) and further Expansion Chassis with I/O in the Remote Room.]
Communication Capabilities
[Figure: two Tricon systems (P.S 1, P.S 2, CPU, I/O, EICM, NCM) connected as MODBUS Master and over ETHERNET 802.3 to a console, DCS or PCs. Communication modules: EICM, NCM, ACM, SMM. Services: TriStation, SOE, DDE, TCP/IP.]
Communication Capabilities (cont.)
Peer to Peer Communication
TSAA, proprietary protocol
[Figure: two Tricon systems (P.S 1, P.S 2, CPU, I/O, EICM, NCM) linked peer to peer ... up to 10 Tricon systems.]
Triconex Communication Modules
Network Communication Module (NCM)
- Supports Two IEEE 802.3 Ports
Intelligent Communications Module (EICM)
- Four Isolated RS-232/422 Serial Ports (One Port Used for TriStation, the Others Typically Used for MODBUS Communication to DCSs and Other Computers or Subsystems)
- One Parallel Printer Port
Safety Manager Module (SMM) - Honeywell TDC 3000
- Connects to TDC 3000 Universal Control Network (UCN)
Advanced Communication Module (ACM) - Foxboro I/A Series
- Connects to Foxboro I/A Series Nodebus
- Supports an Additional 802.3 Port and Two RS-232/422 Serial Ports
Sequence of Events: SOE
SOE Utility through the NCM Module
[Figure: four Tricon systems (P.S 1, P.S 2, CPU, I/O, EICM or NCM or COM) on a TCP/IP 802.3 network with a printer; peer to peer communication between them.]
SOE - Features
- All the variables are recorded and time-stamped in the memory of the TRICON
- Accuracy: scan time
- SOE blocks are set up within TriStation (maximum of 14 SOE blocks)
- The control program manages event collection by means of functions that the user includes in his program
- All the information can be retrieved through the different communication modules
- The SOE Data Retrieval utility program is available through the Network Communication Module (NCM)
Raffineria di Priolo (Priolo Refinery)
Redundant Ethernet network configuration, with copper-to-fibre-optic connections and bridges to optimise network traffic
[Figure: network diagram. Nodes NCM-1 Node 5 and NCM-2 Node 6; copper cable, copper coaxial cable (COAX, C) and fibre optic (FO) segments; bridges (B, BRIDGE); printers Printer1_1 and Printer2_1; ports PR1_1, PR1_2, P1, P2; stations SG10_1 and SG10_2.]