Safety Instrumented Systems Verification: Practical Probabilistic Calculations

The 1oo2D architecture is similar to the 2oo2D architecture except that additional control lines are added to allow one unit to de-energize the other unit. A 1oo2D architecture is shown in Figure F-30. Note that this architecture is defined as normally operating with all four switches closed. The specific PEC implementation discussed earlier in this thesis is a variation of the 1oo2D and operates with only one set of switches closed at a time. This model does not assume comparison diagnostics are present.
The primary difference between the 2oo2D and the 1oo2D occurs when there is a dangerous undetected failure in one unit. Because of the added control lines and readback diagnostics, the operating unit can de-energize the failed unit. The 1oo2D architecture provides 1oo2 type functionality in this situation.
The 1oo2D fails dangerously only if both units fail dangerously and that failure is not detected by the diagnostics in either unit. The fault tree is shown in Figure F-31. An approximate PFD equation developed from the fault tree is
This should be compared with Equation B-5 for the 1oo2 architecture. The 1oo2D provides better safety performance than the 1oo2 because only dangerous undetected failures contribute to its PFD: a dangerous failure that the diagnostics detect is taken out of the dangerous state when the other unit de-energizes the failed unit, whereas in the 1oo2 it remains in the PFD until it is repaired.
The equation for PFDavg for the 1oo2D architecture is derived from Equation B-20.
Figure F-32 shows that a 1oo2D architecture will fail safely if there is...