Safety Instrumented Systems Verification: Practical Probabilistic Calculations

Figure F-15 shows an architecture that uses a single controller channel with diagnostic capability and a second diagnostic channel wired in series, so that the diagnostic signal can de-energize the output. This differs from the 1oo1 only in that the switch is wired in series with the output to de-energize the output on a diagnostic fault. This system represents an enhancement used for safety applications: diagnostics allow a detected dangerous failure to be converted into a safe failure. In general, additional failure rates must be included in the quantitative analysis to account for the extra diagnostic channel. In systems using external diagnostic control devices (such as watchdog timers), the failure rates of these external devices must be added to the single-board rates.
The 1oo1D architecture has a second diagnostic channel that will de-energize when failures are detected by the diagnostics. Therefore, the only failures that cause system failure with outputs energized are dangerous undetected failures. The fault tree has only one failure group, DU, as shown in Figure F-16.
The approximation equation derived from the fault tree for PFD is
The approximate equation for PFDavg is:
Figure F-17 shows that a 1oo1D architecture fails safely when the unit suffers an SD, SU or DD failure.
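The following is an added worked example, not code from the book, of the 1oo1D failure groups described above: only DU failures contribute to PFD, so PFD(t) follows the single-group fault tree and the usual approximations PFD(t) ≈ λDU·t and PFDavg ≈ λDU·TI/2 apply, while SD, SU and DD failures (and any external diagnostic-channel failures) all drive the output to the safe state. All numeric rates and the diagnostic coverage value are constructed for illustration.

```python
from dataclasses import dataclass
from math import exp


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates in the four categories used in the text."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected
    du: float  # dangerous undetected


def split_dangerous(lam_d: float, coverage: float) -> tuple[float, float]:
    """Split a total dangerous rate into (DD, DU) by diagnostic coverage C,
    the fraction of dangerous failures the diagnostics detect (assumed model)."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be in [0, 1]")
    return lam_d * coverage, lam_d * (1.0 - coverage)


def pfd_1oo1d(rates: FailureRates, t_hours: float) -> float:
    """PFD(t) for 1oo1D from the single-group (DU) fault tree: 1 - exp(-lambda_DU * t)."""
    return 1.0 - exp(-rates.du * t_hours)


def pfd_1oo1d_approx(rates: FailureRates, t_hours: float) -> float:
    """Linear approximation lambda_DU * t, valid while lambda_DU * t << 1."""
    return rates.du * t_hours


def pfd_avg_1oo1d(rates: FailureRates, ti_hours: float) -> float:
    """Average of the linear PFD over a proof-test interval TI: lambda_DU * TI / 2."""
    return rates.du * ti_hours / 2.0


def fail_safe_rate_1oo1d(rates: FailureRates, lam_diag_channel: float = 0.0) -> float:
    """Rate of failures that de-energize the output (SD, SU, DD per Figure F-17),
    plus the failure rate of an external diagnostic device if one is present."""
    return rates.sd + rates.su + rates.dd + lam_diag_channel


if __name__ == "__main__":
    # Constructed values: lambda_D = 1e-6 /h, 90 % coverage, safe rates 5e-7 /h each
    dd, du = split_dangerous(1e-6, 0.90)
    rates = FailureRates(sd=5e-7, su=5e-7, dd=dd, du=du)
    ti = 8760.0  # one-year proof-test interval in hours
    print(f"PFDavg (1oo1D): {pfd_avg_1oo1d(rates, ti):.3e}")
    print(f"fail-safe rate: {fail_safe_rate_1oo1d(rates, 1e-7):.3e} /h")
```

Raising the coverage moves rate from DU to DD, which lowers PFDavg but raises the fail-safe (spurious trip) rate by the same amount; this is the trade-off the series-wired diagnostic switch introduces.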
The approximation techniques can be used to generate a formula for probability...