TABLE OF CONTENTS Two controllers can be wired to minimize the effect of dangerous failures. For de-energize-to-trip systems, a series connection of two output circuits requires that both controllers fail in a dangerous manner for the system to fail dangerously. The 1oo2 configuration typically utilizes two independent main processors with their own independent I/O (see Figure F-6). The system offers low probability of failure on demand, but it increases the probability of a fail-safe failure. The "false trip" rate is increased in order to improve the ability of the system to shut down the process.
Figure F-7 shows the PFD Fault Tree for the 1oo2 architecture. The system can fail dangerously if both units fail dangerously due to a common cause failure, detected or undetected. Other than common cause, it can fail dangerously only if both A and B fail dangerously.
A first order approximation for PFD can be derived from the fault tree. The equation for PFD is:
The approximation equation for PFDavg derived from the fault tree is:
When imperfect proof test is considered, the equation becomes:
A comparison of Equation F-7 with Equation F-8 shows that any term from F-7 that contains a TI has a proof test coverage multiplier and that a duplicate term is added with (1 - C PT) and LT substituted in Equation F-8.
Figure F-8 shows the PFS fault tree...
