Safety Instrumented Systems Verification: Practical Probabilistic Calculations

Another dual controller configuration was developed for the situation in which it is undesirable to fail with outputs de-energized. This system is used in energize-to-trip protection systems. The outputs of two controllers are wired in parallel (Figure F-10). If one controller fails with its output de-energized, the other is still capable of energizing the load.
A disadvantage of the configuration is its susceptibility to failures in which the output is energized. If either controller fails with its output energized, the system has failed with its output energized. This configuration is therefore not suitable for de-energize-to-trip protection systems unless each unit is of an inherently fail-safe design.
Since the controllers are wired in parallel, any short circuit (dangerous) failure of the components results in a dangerous (outputs energized) failure of the system. This is shown in Figure F-11. The first order approximation equation to solve for PFD is:
and the equation for PFDavg 2oo2 derived from the fault tree is:
This architecture is designed to tolerate an open circuit failure, as the fault tree of Figure F-12 shows. The system will fail open circuit (de-energized, safe) if a safe common cause failure occurs. Other than common cause, open circuit failures on both A and B must occur before the system fails de-energized.
The first order approximation equation to solve for...
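The two fault-tree structures described above (dangerous: A OR B OR common cause; safe: A AND B, OR common cause) can be evaluated numerically and compared with their first-order approximations. This is an added example, not the book's own calculation; it assumes constant failure rates, the beta-factor common cause model, and failures that remain unrevealed until the proof-test interval TI (the book's treatment of safe-failure repair may differ).

```python
import math

def split_common_cause(lam, beta):
    """Beta-factor model: split a rate into independent and common-cause parts."""
    return (1.0 - beta) * lam, beta * lam

def pfd_2oo2(t, lam_d, beta):
    """Probability of dangerous (energized) failure at time t after a proof test.
    Fault tree: either unit fails energized, OR a dangerous common cause failure."""
    lam_dn, lam_dc = split_common_cause(lam_d, beta)
    p_unit = 1.0 - math.exp(-lam_dn * t)
    p_cc = 1.0 - math.exp(-lam_dc * t)
    p_either = 1.0 - (1.0 - p_unit) ** 2       # A OR B
    return 1.0 - (1.0 - p_either) * (1.0 - p_cc)

def pfs_2oo2(t, lam_s, beta):
    """Probability of safe (de-energized) failure at time t.
    Fault tree: both units fail open circuit, OR a safe common cause failure."""
    lam_sn, lam_sc = split_common_cause(lam_s, beta)
    p_unit = 1.0 - math.exp(-lam_sn * t)
    p_cc = 1.0 - math.exp(-lam_sc * t)
    p_both = p_unit ** 2                         # A AND B
    return 1.0 - (1.0 - p_both) * (1.0 - p_cc)

def average_over_interval(f, ti, steps=2000):
    """Time-average f(t) over one proof-test interval (midpoint rule)."""
    dt = ti / steps
    return sum(f((i + 0.5) * dt) for i in range(steps)) * dt / ti

def pfdavg_2oo2_first_order(lam_d, beta, ti):
    """First-order expansion of the dangerous fault tree: (2*lam_DN + lam_DC) * TI / 2."""
    lam_dn, lam_dc = split_common_cause(lam_d, beta)
    return (2.0 * lam_dn + lam_dc) * ti / 2.0

def pfsavg_2oo2_first_order(lam_s, beta, ti):
    """First-order expansion of the safe fault tree: (lam_SN*TI)^2 / 3 + lam_SC * TI / 2."""
    lam_sn, lam_sc = split_common_cause(lam_s, beta)
    return (lam_sn * ti) ** 2 / 3.0 + lam_sc * ti / 2.0

if __name__ == "__main__":
    # Constructed sample rates (per hour) and a one-year proof-test interval.
    lam_d, lam_s, beta, ti = 1.0e-6, 2.0e-6, 0.1, 8760.0
    print("PFDavg exact  :", average_over_interval(lambda t: pfd_2oo2(t, lam_d, beta), ti))
    print("PFDavg 1st-ord:", pfdavg_2oo2_first_order(lam_d, beta, ti))
    print("PFSavg exact  :", average_over_interval(lambda t: pfs_2oo2(t, lam_s, beta), ti))
    print("PFSavg 1st-ord:", pfsavg_2oo2_first_order(lam_s, beta, ti))
```

The comparison shows why the first-order form is acceptable for small lambda*TI: the dangerous side is dominated by the sum of both units' rates, while the safe side is dominated by the common cause term once beta is non-zero.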