The end-user performs a risk analysis of the process and, based on it, writes a
Safety Requirement Specification (SRS).
Part of the description of each safety function in the SRS is the required Process Safety Time.
The Software Requirement Specification for a specific controller shall contain clear
statements about the expected timing in order to fulfill the SRS.
Very often, however, this leads to a difficult question: what is really the correct consideration?
2 Definitions
Summary:
The Process Safety Time is a process related parameter and must be determined by the
end-user.
The HIMax system responds to faults that may result in a safety-critical operating state
within the configured safety time of the resource. It triggers predefined fault reactions that
bring the faulty parts to the safe state.
Safety Time also depends on the maximum expected cycle time in the controller.
The basic rules are:
Safety Time > 2 x Watchdog Time (satisfies safety only)
Safety Time > 3 x Watchdog Time (satisfies safety & availability)
In some systems, e.g. HIMax and HIquad, the reaction to a detected fault can be delayed
(suppressed) by the installed Noise Blanking. This is basically a feature that improves
availability, but safety must not be compromised.
The maximum delay (suppression) time is the PES Safety Time.
Summary:
The PES Safety Time is the guaranteed reaction time of a safety PES in case a demand
from the process coincides with an internal (detected) fault and with the maximum
cycle time (= Watchdog Time).
Watchdog Time
Response Time
Assuming that no delay results from the configuration or the user program logic, the
response time of HIMax controllers running in cycles is twice the system cycle time plus
the module hardware delay.
The response time must not be greater than the process safety time.
The Response Time calculation presumes normal load conditions (constant cycle time) and an
error-free system (no active Noise Blanking).
The CPU processes several tasks, such as self-test, reading hardware inputs, reading
communication inputs, logic, writing hardware outputs and writing communication outputs.
The execution time for all tasks together is called the Cycle Time.
All approaches described in this whitepaper basically exclude delays caused by logic!
3.1.2 Probability of safety demand from the process (initiating event)
It is always important to know the demand mode of the SIF.
High demand and continuous mode lead to a much higher probability of the initiating event
than low demand mode, which is typical in the process industry.
Low demand mode is defined in IEC 61508 as: the frequency of demands is not greater than
one per year.
Probability estimation:
Therefore Reload must not be executed frequently during normal operation if the
expected response time does not consider a minimum of 2 x Watchdog Time.
See approach 4.2 and approach 4.3.
4 The options
4.1 Conservative approach to slow processes and any demand mode
As a conservative (worst case) approach, the Process Safety Time directly determines the
needed PES Safety Time. Therefore the known reaction times of the sensor, actuator and
I/O module must be considered, leading to the calculation:
PST minus sensor delay minus actuator delay minus I/O module hardware delay
> PES Safety Time
This approach is suitable even if the following events all happen in parallel:
- Cycle time is not constant. Frequent load peaks cannot be avoided or are not limited.
Since the PES Safety Time is the guaranteed response time of the PES under all
circumstances, the probability that it fails time-wise is insignificant.
The lowest possible PES Safety Time mainly depends on the real load conditions in
the PES, in particular on the calculated Watchdog Time (remember the factor 3!).
Because of this factor the PES Safety Time required by the system is often
relatively high (several seconds), even in fast safety systems such as HIMax.
As long as the above calculation leads to an acceptable result, this shall be the
preferred approach!
In this popular approach the Process Safety Time directly determines the needed PES
Watchdog Time. Therefore the known reaction times of the sensor, actuator and I/O
module must be considered, leading to the calculation:
PST minus sensor delay minus actuator delay minus I/O module hardware delay
> 2 x PES Watchdog Time
- Any cycle time up to the maximum cycle time (= Watchdog Time) may occur.
Load peaks (single cycle), caused e.g. by Reload or Synchronization, are acceptable.
If 2 x Watchdog Time is calculated, permanently high load conditions are acceptable as well.
See 3.1.4 Probability estimation.
There is a certain probability that the above mentioned preconditions are not fulfilled.
The SIF fails time-wise (meaning the response takes longer than the assumed Watchdog
Time) if the process demand comes in parallel with a detected fault (triggering Noise
Blanking, which is limited by the Safety Time).
In this whitepaper this probability is called PTF: Probability of Timing Failure.
1. Example:
- PES cycle time is 40ms.
- Watchdog Time is 400ms.
- Achieved Process Safety Time is 800ms + sensor, actuator and I/O module hardware delay.
- The PES Safety Time is 3000ms.
- One demand/year.
- One fault/year means that once a year the response time on a demand can be up to
3000ms.
The probability for that is: 3000ms / 31536000000ms (one year) = 9,51E-8 = PTF
Normally this value must be added to the PFD (logic solver), but this particular value is again
insignificant because it is very low.
2. Example:
- PES cycle time is 40ms.
- Watchdog Time is 400ms.
- Achieved Process Safety Time is 800ms + sensor, actuator and I/O module hardware delay.
- The PES Safety Time is 3000ms.
- One demand/year.
- Noise Blanking is triggered 5 times/day, i.e. 1825 times/year (disturbances, noise etc.).
Now 1825 times a year the response time on a demand can be up to 3000ms.
The probability for that is: 1825 x 3000ms / 31536000000ms (one year) = 1,73E-4 (PTF), which
is already 17% of SIL3!
This value cannot be ignored anymore!
The two examples show very well the impact of the mentioned boundary conditions.
The fault conditions in the second example are most likely not acceptable and would lead
back to the conservative approach (chapter 4.1).
The lowest possible Watchdog Time mainly depends on the real load conditions in the
PES, in particular on the size of the logic, the number of I/O modules and the
communication load.
In this advanced approach the Process Safety Time directly determines the maximum
allowed PES Response Time. Therefore the known reaction times of the sensor, actuator
and I/O module must be considered, leading to the calculation:
PST minus sensor delay minus actuator delay minus I/O module hardware delay
> PES Response Time (2 x PES cycle time)
The SIF fails time-wise (meaning the real response takes longer than the calculated
Response Time) if the process demand comes in parallel with a detected fault (triggering
Noise Blanking, which is limited by the Safety Time) and the real cycle time is much longer
than the one calculated for the Response Time.
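The three chapter-4 calculations and the basic Safety Time rules of chapter 2, applied to one loop as an added Python example (not code from the HIMA whitepaper); the PES figures are those of the page's examples, while the PST and the field delays of the sample loop are constructed values.

```python
from dataclasses import dataclass


@dataclass
class LoopTiming:
    """Timing of one safety loop; all values in milliseconds."""
    process_safety_time: float  # PST, fixed by the end-user's risk analysis
    sensor_delay: float
    actuator_delay: float
    io_hw_delay: float          # I/O module hardware delay
    cycle_time: float           # expected PES cycle time under normal load
    watchdog_time: float        # configured maximum cycle time
    pes_safety_time: float      # configured safety time of the resource

    def budget(self) -> float:
        """PST minus sensor, actuator and I/O module hardware delays:
        the time left for the PES itself."""
        return (self.process_safety_time - self.sensor_delay
                - self.actuator_delay - self.io_hw_delay)

    def response_time(self) -> float:
        """Cycle-based response time: twice the cycle time (the hardware
        delay is already subtracted in budget())."""
        return 2 * self.cycle_time


def check_basic_rules(t: LoopTiming) -> dict:
    """Safety Time > 2 x Watchdog (safety only), > 3 x Watchdog (safety
    and availability)."""
    return {
        "safety_only": t.pes_safety_time > 2 * t.watchdog_time,
        "safety_and_availability": t.pes_safety_time > 3 * t.watchdog_time,
    }


def check_approaches(t: LoopTiming) -> dict:
    """Which chapter-4 approach the configured timing satisfies."""
    b = t.budget()
    return {
        "4.1_conservative": b > t.pes_safety_time,  # guaranteed in all conditions
        "4.2_watchdog": b > 2 * t.watchdog_time,     # single load peaks tolerated
        "4.3_response": b > t.response_time(),       # needs constant cycle time
    }


# Constructed sample loop: the page's PES figures plus assumed field delays.
SAMPLE = LoopTiming(process_safety_time=1300, sensor_delay=100, actuator_delay=150,
                    io_hw_delay=50, cycle_time=40, watchdog_time=400,
                    pes_safety_time=3000)
```

For the sample loop the budget of 1000ms is below the 3000ms PES Safety Time, so only approaches 4.2 and 4.3 remain, with the probability considerations that follow.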
1. Example:
- PES cycle time is 40ms.
- Watchdog Time is 400ms
Page 8/11 Timing consideration on a safety PLC.docx
Copyright, HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.
- Achieved Process Safety Time is 80ms + sensor, actuator and I/O module hardware delay.
- The PES Safety Time is 3000ms.
- One demand/year.
- One fault/year means that once a year the response time on a demand can be up to
3000ms.
- No Reloads are executed and no Synchronization happens.
The probability for that is: 3000ms / 31536000000ms (one year) = 9,51E-8 = PTF
Normally this value must be added to the PFD (logic solver), but this particular value is again
insignificant because it is very low.
2. Example:
- PES cycle time is 40ms.
- Watchdog Time is 400ms.
- Achieved Process Safety Time is 80ms + sensor, actuator and I/O module hardware delay.
- The PES Safety Time is 3000ms.
- One demand/year.
- One fault/year means that once a year the response time on a demand can be up to
3000ms. The probability for that is still:
3000ms / 31536000000ms (one year) = 9,51E-8 (PTFfault)
Let's assume Reloads are executed frequently (2 times/week). During Reload many cycles
one after another are close to the Watchdog Time limit. Let's assume this phase takes 1
minute per Reload (which is not unusual but can even be much longer).
Now 54 minutes a year the response time on a demand can be up to twice the Watchdog
Time, much more than the expected Response Time.
The total duration of high cycle times in a year is 52 x 60 x 1000ms = 3120000ms
The probability for that is: 3120000ms / 31536000000ms (one year) = 9,89E-5 (PTFReload).
This value cannot be ignored anymore!
For the PFD (logic solver) the added value must be considered: PTFtotal = PTFfault + PTFReload
3. Example:
- PES cycle time is 40ms.
- Watchdog Time is 400ms.
- Achieved Process Safety Time is 80ms + sensor, actuator and I/O module hardware delay.
- The PES Safety Time is 3000ms.
- One demand/year.
- Noise Blanking is triggered 5 times/day, i.e. 1825 times/year (disturbances, noise etc.).
- Reloads are also executed frequently (5 times/week).
PTFfault = 1,73E-4
PTFReload = 15600000ms / 31536000000ms = 4,94E-4
PTFtotal = PTFfault + PTFReload = 6,67E-4
The examples show again very well the impact of the mentioned boundary conditions.
The conditions in the third example are most likely not acceptable and would lead back to the
conservative approach (chapter 4.1).
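The PTF estimates of approaches 4.2 and 4.3 carried through in Python, as an added example that is not code from the whitepaper; it reproduces the page's example figures, and the SIL 3 band limit of 1E-3 used for the "17% of SIL3" comparison is taken from IEC 61508 rather than from the page.

```python
MS_PER_YEAR = 365 * 24 * 3600 * 1000  # 31_536_000_000 ms, the page's "one year"
SIL3_PFD_UPPER = 1e-3  # IEC 61508 low-demand SIL 3 band: 1e-4 <= PFDavg < 1e-3


def ptf_fault(pes_safety_time_ms: float, events_per_year: int) -> float:
    """Probability that a low-demand process demand falls into a window in
    which a detected fault (e.g. Noise Blanking) suppresses the normal
    reaction, so the response may take up to the PES Safety Time."""
    return events_per_year * pes_safety_time_ms / MS_PER_YEAR


def ptf_reload(reloads_per_year: int, high_load_ms: float) -> float:
    """Probability that a demand falls into a Reload phase in which cycles
    run close to the Watchdog Time, so the response may take up to
    2 x Watchdog Time instead of the calculated Response Time (approach 4.3)."""
    return reloads_per_year * high_load_ms / MS_PER_YEAR


def ptf_total(fault: float, reload: float) -> float:
    """The value to be added to the PFD of the logic solver."""
    return fault + reload


def share_of_sil3(ptf: float) -> float:
    """Fraction of the SIL 3 PFD budget consumed by timing failures alone."""
    return ptf / SIL3_PFD_UPPER


# The whitepaper's example figures: PES Safety Time 3000 ms, one demand/year.
EXAMPLES = {
    "4.2 ex.1, one fault/year": ptf_fault(3000, 1),
    "4.2 ex.2, Noise Blanking 5/day": ptf_fault(3000, 5 * 365),
    "4.3 ex.3, 5 Reloads/week of 1 min": ptf_reload(5 * 52, 60 * 1000),
}
EXAMPLES["4.3 ex.3, total"] = ptf_total(EXAMPLES["4.2 ex.2, Noise Blanking 5/day"],
                                        EXAMPLES["4.3 ex.3, 5 Reloads/week of 1 min"])

if __name__ == "__main__":
    for name, p in EXAMPLES.items():
        print(f"{name:36s} PTF = {p:.2E}  ({share_of_sil3(p):.1%} of SIL 3)")
```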
Mr. Eugen Kull is a senior technical system trainer in the Training and Customer Service
department ECTC of HIMA. He started with HIMA in the year 2000 and is meanwhile
responsible for advanced technical education of HIMA employees worldwide.
Mr. Eugen Kull is also involved in several product development projects, member of HIMA
Customer Support Team, technical consultant for nuclear customers and a system expert for
HIMA PES, especially HIMax.
Contact
Albert-Bassermann-Str. 28
68782 Brühl, Germany
Tel.: +49 6202 709-428
Fax: +49 6202 709-199
e.kull@hima.com
www.hima.com