Fault Tolerance, Failsafety and their Combination in the Area of Electrical Energy Industry

Copyright © IFAC Fault Detection, Supervision and Safety for Technical Processes, Kingston Upon Hull, UK, 1997

Prof. Dr. Istvan Ajtonyi, CSc and Dr. Janos Czekkel, University of Miskolc, Department of Automation, H-3515 Miskolc-Egyetemvaros (Hungary)

Abstract: The safety of the control circuits is very important from the point of view of production. Fault tolerant and fail-safe systems are able to continue to operate if one or more faults cause parts of the control system to fail. The paper deals with the role of such systems in relation to an electrical power plant. Copyright © 1998 IFAC

Keywords: Power station control, process control, safety.

Safety is becoming more and more important in modern manufacturing processes. That is why systems which represent a danger to man, machine, production and the environment in the case of a fault must meet increasingly stringent safety requirements.

In many fields of automation increasingly high demands are being placed on the availability and fail safety of controllers, particularly in fields where a plant shutdown would be extremely expensive. In such cases, only redundant systems (safety devices) can offer the standard of availability required.

Faults related to safety can be divided according to Fig. 1. There are faults in the process without an influence on the safety of the system. The active faults set the safety system going immediately (e.g. a short-circuit). The passive faults stay hidden for a longer time (e.g. the damage of a valve) and their appearance happens with delay.

Redundant systems meet these safety requirements. Redundant configurations contain more components than would normally be necessary for the relevant functions. Fault-tolerant systems are designed to continue to operate even if one or more faults cause parts of the control systems to fail. Fail-safe systems incorporate safeguarding subsystems to place the process in a safe state. Fault-tolerant controllers will continue to operate with a high degree of reliability in the event of failure of parts of the system caused by one or more faults. Failsafety is the prevention of hazardous operating states. In the event of a failure, the process is suspended and the system enters a safe state. Fig. 2 shows the process of fault detection and the elimination of the fault in time. The essence of active safety is the elimination of detected faults within a predefined time window. This time is defined as the "fault tolerant time of the process" or the Process Safety Time (PST).

Fig. 1


The fault tolerant systems are used in the following fields:

- Fields with predominantly continuous processes, e.g.: refineries, chemicals, power stations, steelworks, environmental protection technology, pipelines, off-shore installations.

During this time, any failure may occur either within the process or within the safety system itself without any harm to the process or environment. In many process applications this time window ranges from microseconds (e.g. missiles) to minutes (reactions). Failure modes and their associated PSTs may be identified within the context of a full Failure Mode and Effect Analysis (FMEA) so as to provide the design basis for a suitable active safety approach. In an electrical energy industry plant the Control System (CS) receives the measured process variables such as flow, pressure, temperature, etc. from field instrumentation and controls the process via equipment such as control valves. The CS also receives signals for alarm and management purposes. The main task of the CS is to maintain and optimize production. Independently of these control loops, the process has to be continuously monitored by a safeguarding or emergency shutdown system. This system receives critical parameters such as oil and water levels, pressure of gas and liquids, temperatures and position of valves. Should the safeguarding system detect a change from the predetermined safe operating conditions, it will bring the process to a safe non-operational status via safety devices such as shutdown valves. The safety system overrules the CS should a dangerous condition occur within the process.

Fig. 3/a

Given that a failure in the CS could lead to a negative effect on the entire process, even if safety can be maintained, it is advisable to use a fault tolerant system. A fault tolerant controller typically comprises two central controllers (with identical hardware and software). Each central controller has a separate link to the input and output data. The two CPUs always operate synchronously and in parallel, one acting as the master and the other as a hot standby reserve. The fault tolerant controllers are not fail-safe. The main difference in the fail-safe version is that the two subunits continuously compare their states and results and prevent dangerous responses in the event of deviations. Both subunits regularly emit test signals and thus constantly monitor each other. The comparison of the fault tolerance and fail safety approaches is shown in Figs. 3/a and 3/b.
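As an added illustration (not code from the paper), the three arrangements discussed above and in the PST paragraph: a master/hot-standby fault-tolerant controller that keeps running without cross-checking, a fail-safe pair that compares results every cycle and trips when a deviation outlives the Process Safety Time, and the 2-out-of-3 voting the paper attributes to the FSC-203. The burner interlock, level band, cycle time and PST value are constructed assumptions.

```python
# Added illustration (not the paper's code): hot-standby fault tolerance, two-subunit
# fail-safety with a Process Safety Time (PST) window, and FSC-203 style 2-out-of-3 voting.
from dataclasses import dataclass

SAFE, RUN = "SAFE", "RUN"        # process states
OPEN, CLOSE = "open", "close"    # fuel-valve commands; CLOSE is the safe state

def control_law(level_cm: float) -> str:
    """Constructed burner interlock: admit fuel only while the drum level is in band."""
    return OPEN if 40.0 <= level_cm <= 80.0 else CLOSE

@dataclass
class Subunit:
    healthy: bool = True
    bias_cm: float = 0.0   # a defective sensor or CPU shows up as a biased result
    def compute(self, level_cm: float):
        return control_law(level_cm + self.bias_cm) if self.healthy else None

def fault_tolerant(master, standby, level_cm):
    """Hot standby: keep producing while any subunit answers; results are not cross-checked,
    so a wrong but live answer is accepted (fault tolerant, not fail-safe)."""
    for unit in (master, standby):
        cmd = unit.compute(level_cm)
        if cmd is not None:
            return RUN, cmd
    return SAFE, CLOSE           # both subunits dead: nothing left but a trip

def vote_2oo3(units, level_cm):
    """2-out-of-3: one deviating subunit is outvoted, two deviating subunits trip."""
    cmds = [u.compute(level_cm) for u in units]
    for cand in (OPEN, CLOSE):
        if cmds.count(cand) >= 2:
            return RUN, cand
    return SAFE, CLOSE

def fail_safe(pairs, cycle_ms, pst_ms):
    """Two subunits compare results every cycle. A deviation starts the PST clock;
    agreement again before it expires counts as the fault being eliminated, otherwise
    the process is tripped. Returns (state, time_ms at which the run ended)."""
    since = None
    for t, (a, b) in enumerate(pairs):
        now = t * cycle_ms
        if a is None or b is None or a != b:
            since = now if since is None else since
            if now - since >= pst_ms:
                return SAFE, now
        else:
            since = None
    return RUN, len(pairs) * cycle_ms
```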



Fig.2


Fig.3/b




- Areas of production employing batch processes, e.g.: the automotive industry, the pharmaceutical industry, the food industry, plants with flexible manufacturing systems, high-bay warehouses.
- Telecontrol installations for gas and oil pipelines.
- Systems for the production of hazardous gases.

In an electrical plant in Hungary the control system of the power station was examined in view of risk parameters. The SIEMENS SIMATIC and the HONEYWELL FSC (P&F) PLCs are the best known in Hungary. The different PLC equipment was also examined in respect of fault tolerance and failsafety. Table 1 shows those Honeywell FSC controllers which come into consideration for such a control task.

The safety requirements which must be taken into consideration by a control system are set down in the proposed prEN 50156-1 standard. The so-called risk graph is shown in Figure 4.

Table 1. Honeywell FSC controllers which come into consideration, by safety level (1...4, 1...5, 1...6) and availability (Normal, Increased, Optimal): FSC-100, FSC-101, FSC-102, FSC-202, FSC202/107, FSC100R, FSC101R, FSC101R/102.

Fig. 4. The interpretations of the different parameters are as follows.

Table 2 presents the comparison between the two systems mentioned above.

Required Safety Level:
- No safety requirements
- 1, 2, ..., 8 Safety Levels

Risk parameters:
- Consequences of the hazardous event
  S1: Minor injury
  S2: Serious permanent injury to one or more persons or death to one person
  S3: Death to several people
  S4: Very many people killed
- Frequency and exposure time to hazard
  A1: Rare to more often
  A2: Frequent to permanent
- Possibility of avoiding the hazardous event
  G1: Possible under certain conditions
  G2: Almost impossible

On the basis of the investigations an up-to-date system was proposed for control of the burner and of the heating in the electrical power plant. The investment is in progress now.

Table 2. Comparison of the SIMATIC S5 and HONEYWELL FSC controllers

Parameter | SIMATIC S5 | HONEYWELL FSC
Safety philosophy | Fault-tolerant, fail-safe | Fault-tolerant, fail-safe
Self testing | CPUs, memories, BUS S5, etc. | All system tested; excellent is the I/O testing during operation, and the continuous comparison between the FSC and the stored program
Programming method | CSF (Control System Flowchart), LAD (Ladder Diagram), STL (Statement List) | FLC (Functional Logic Diagram)
Developing | Specific, individual | Windows on PC basis
Can be applied to | DIN V 19250 safety levels 1...6 | DIN V 19250 safety levels 1...6
Domestic spreading | Larger | Lesser
Communication | SINEC L network | MODBUS network
Possibility to form a distributed system | Given | Given
Possibility to communicate with DCS systems | By means of a SINEC L network | Very good communication with a large number of DCSs
Fault-tolerant/fail-safe configuration | | FSC-203 according to the 2-out-of-3 logic

Remaining rows of Table 2, with the two cell values as extracted:
- Possibility to interchange HW elements: different SS/SV motherboards could be applied / only a specific motherboard could be applied
- Testing time: 10...20 s according to the configuration / 1...2 s
- Programming of fault detection: with the use of a CAM file / difficult

- Probability of unwanted occurrence
  W1: Very slight probability
  W2: Slight probability
  W3: Relatively high probability

Applications for requirement level 6 include:
- Burner controls, e.g. in coal-fired power stations
- Transport systems, such as cable railways, underground railways and fairground carousels
- Road traffic signal systems



REFERENCES:
- prEN 50156-1 Electrical Equipment for Furnaces.
- SIMATIC S5-115H and S5-115F Programmable Controllers Catalog 1994.
- Honeywell (P&F) FSC PLC User Guide 1996.
- Storey, N. (1996) Safety-Critical Computer Systems. Addison-Wesley.
- Johnson, B. W. (1989) Design and Analysis of Fault-Tolerant Digital Systems. Addison-Wesley.
