TMR Concept - A Query

Ritika

I have a query to the experts and participants of this forum about the TMR concept.

We have a PLC of brand X whose hardware is configured as a TMR. There are three processors: P1, P2 & P3. The philosophy of process shutdown is standard 2oo3. Now, if P1 goes offline because of some internal diagnostic error or communication fault or any other reason which is ONLY P1 specific, P2 and P3 can still work in unison and process is unaffected. BUT if P2 goes offline too because of some internal diagnostic error or communication fault or any other reason which is ONLY P2 specific then the whole process is tripped as both P1 & P2 are now offline.

My query starts from this point. If P3 is healthy, why can't the process be allowed to continue? The abnormal condition that arose wasn't process specific. It was system specific. It was PLC specific. P3 still claims to be working without any problem. It would be fine to trip the process due to a process-specific 2oo3 mismatch. But is it not wrong to trip the process for a PLC system-specific fault? What will be the consequences of a system that was designed to keep the process running with only P3 in such a scenario? Will it be against some standards in the automation industry if we implement a system that will continue to run even if P1 and P2 go down, while making sure that process-specific abnormalities are not ignored?

Thank you.

Regards,
Ritika
 
Abhijit Goswami, Haldia

Hi Ritika,

Forget TMR, conventional design engineering prefers break to alarm/trip. Why so, when the problem is not in the process but in the system or associated hardware? Simply because, when the protection function is not in place, the preferred choice is shutting down the process. It may increase the spurious trip rate but will drastically reduce dangerous failures, which are catastrophic. The objective of design is to balance safety with availability.

Along with inbuilt diagnostics, voting in TMR provides an additional level of validation through "threads of similarity", which allows the system to be used in higher SIL-rated applications.

If TMR hardware is chosen for an application to eliminate nuisance trips only, you may simply follow 3-2-1-0 degradation as suggested by you. Otherwise, by default it is 3-2-0 only, if it is not an F&G application.

Hope the above clarifies.

Regards.
 
The concept of 2oo3 redundancy requires that at least 2 of the 3 CPUs agree on a solution to the input data.

If 2 processors fail, you have two problems.

1. Two CPUs may have agreed that they cannot solve for the given inputs and have reacted by faulting. You should shut down the plant.

2. You have no backup CPU to agree with the running CPU so there is no way of safely confirming that the one remaining processor is running correctly. You should shut down the plant.

2oo3 redundancy is designed primarily to ensure safe operation of the plant, not to maximise reliability of the control system.

Rob
www[.]lymac.co.nz
 
David Herrell

TMR can be used for many purposes.

If your goal is safety, losing more than one of the three processors should be evaluated. If the risks associated with continuing to run on only one processor are less than the risks associated with the shutdown and restart, then you may not want to trip immediately - but immediate maintenance may become mandatory. If the risks associated with continued operation without voting outweigh the risks of the process shutdown and restart, then a shutdown likely becomes mandatory. (This would of course include the risks of total loss of the protective function after a single failure in the only remaining protective device.)

If your goal is availability, then a TMR device that supports operation with only one processor certainly offers more tolerance to faults and failures than a single channel device could offer. After all, you have already survived two failures.
 
Timothy Niemczyk

I would suggest reading "Loss-Prevention and Risk-Mitigation in Equipment Protection Systems" by Philip P. Corso PE. This paper has in-depth probabilistic analysis, factors affecting performance as well as MTBF that details the fallacy of TMR claims.
 
Radhakrishnan

There is at least one TMR system that can operate in 3-2-1-0 mode. For the system to operate with a single processor, the conditions are very restrictive, for example there should be no I/O fault, etc. In this forum I can't give you the name of this system that is widely used in industries.

All our safety system installations are required to operate in 3-2-0 mode. Accordingly we add the instruction in the logic to initiate a shutdown when the TMR system is operating with a single processor. Of course you can argue that, by this instruction in the logic, it is not a hardware 3-2-0 mode of operation. I agree, but that is how it works. Till now, after more than 23 years of service, this system has given us reliable protection to our oil production, processing and refining facilities.
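The 3-2-0 versus 3-2-1-0 degradation behaviour discussed in this thread, as an added illustration that is not code from any poster or from any named TMR product; the processor names P1..P3, the I/O-fault restriction on single-processor running, the trip messages and the voting rules are assumptions made for the model.

```python
# Added example, not from any poster or product in this thread: a toy model of a
# 2oo3-voted TMR controller with a selectable degradation policy (assumed names).
from dataclasses import dataclass, field


@dataclass
class TmrModel:
    policy: str = "3-2-0"               # "3-2-0" (default) or "3-2-1-0"
    healthy: set = field(default_factory=lambda: {"P1", "P2", "P3"})
    io_fault: bool = False              # assumed restriction on single-CPU running
    tripped: bool = False
    reason: str = ""

    def trip(self, reason: str) -> None:
        self.tripped, self.reason = True, reason

    def processor_fault(self, name: str) -> None:
        """A CPU-specific (system, not process) fault takes one processor offline."""
        self.healthy.discard(name)
        if self.tripped or len(self.healthy) >= 2:
            return                      # a partner is still available for cross-checking
        if len(self.healthy) == 1 and self.policy == "3-2-1-0" and not self.io_fault:
            return                      # allowed to continue, but now running unvoted
        self.trip("system fault: no voting partner left to confirm the last CPU")

    def vote(self, values: dict) -> object:
        """Majority vote of process results from healthy CPUs; None means trip."""
        votes = [values[p] for p in sorted(self.healthy) if p in values]
        if not votes:
            return None                 # nothing left to vote with
        for v in set(votes):
            if votes.count(v) >= 2:
                return v                # 2oo3 (or 2oo2) agreement
        if len(votes) == 1:
            return votes[0]             # single CPU: accepted without any check
        self.trip("process mismatch: healthy CPUs disagree")
        return None


def second_cpu_fault(policy: str, io_fault: bool = False) -> tuple:
    """Ritika's scenario: P1 then P2 fail for CPU-only reasons; P3 stays healthy."""
    m = TmrModel(policy=policy, io_fault=io_fault)
    m.processor_fault("P1")             # 3 -> 2: process unaffected under both policies
    m.processor_fault("P2")             # 2 -> 1: the policy decides what happens now
    return m.tripped, m.reason
```

Under 3-2-0 the second CPU-only fault trips the process even though P3 is healthy, while under 3-2-1-0 it continues only as long as the assumed I/O-fault condition holds, and any value P3 then produces is accepted without a voting partner to check it.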
 