
CPRE 545 Project

Reliability Comparison of Triplex (TMR) and Duplex Control Systems
in Advanced Turbine Control Applications

Author: Greg Johnson


CPRE 545 Project Turbine Control System Reliability Analysis Greg Johnson

Table of Contents
1.0 Summary: 3
2.0 Introduction: 4
3.0 Basic Concepts and Terminology: 5
4.0 System Model: 7
5.0 Solution Approach: 9
5.1 Model 1 - Duplex Control System 9
5.2 Model 2 - Triplex Control System (2 of 3) 10
5.3 Model 3 - Triplex Control System (1 of 3) 11
6.0 Simulation Results: 12
6.1 Input Section 12
6.2 Output Section 12
6.3 Model 1 - Duplex Control System 12
6.4 Model 2 - Triplex Control System (2 of 3) 12
6.5 Model 3 - Triplex Control System (1 of 3) 12
7.0 Conclusions: 13
8.0 Additional Research 14
9.0 Notes on the Data Presented and HIMAP Limitations 15
10.0 Appendix A 16
11.0 Appendix B 17
12.0 Appendix C 18
13.0 References: 19

04/30/01 Page 2 of 19

1.0 Summary:
This paper is composed of five sections. The first describes a common problem with reliability analysis in
complex real time control systems. The second provides a description of a typical real time control system
and lists the individual elements which are included in the model. The third section describes the Fault
Tree and Markov models used for the reliability analysis. The fourth section compares the results from the
various simulations. The fifth section describes additional research that could be done in this area and
comments on some of the limitations of the research included in this paper.


2.0 Introduction:

When a control system is analyzed for reliability, it is typical for the analysis to calculate the
reliability of the control system alone. The analysis may also compare the reliability of a
duplex system against a triplex system. These analyses use concrete mathematical comparisons
and, depending on the complexity of the model, may include repair rates and various other
assumptions. They do not, however, account for the complex I/O environment
surrounding the control system. The purpose of this report is to compare a
duplex and a triplex system including the external elements necessary for complete real time control
of a process.
A control system can generally be defined as consisting of three components: the operating
environment, the controlled system and the controlling system [1]. This paper expands the
reliability analysis to include the controlled system as well as the controlling system. This
includes the sensors which monitor the operating environment, the electronics which read these
sensors and perform the control algorithms, and the actuators which modify the operating
environment. We will refer to the system which includes the controlled system and the controlling
system as the Complete System.

Figure 1: Typical Reliability Analysis (controlling system only) versus Complete System Analysis (the Complete System adds the sensors and actuators that link the controller to the operating environment).

The purpose of this project is to determine the effect on the overall reliability of a Complete
System of changes in the reliability of the electronic controlling system. Specifically, this
paper compares the reliability of a duplex control system with that of a triplex control system. The
controlled process used for this study is a typical steam turbine and compressor train.
There are many documents and papers showing the theoretical reliability increase
gained by raising the redundancy of the control system from a simplex system to a duplex
system, and similar documents showing the theoretical increase in reliability of a triplex
system compared to a duplex system. However, most of these studies limit the scope of the analysis
to those components directly contained in the control system.


3.0 Basic Concepts and Terminology:


Fault tolerance is the ability of a system to continue to perform its intended function in the presence of
failures. This paper distinguishes three stages in the sequence from a component failure to a system fault.
A failure is when a subsystem or component fails to deliver the service it was intended to perform: the
physical device failing or a software coding error, for example a resistor failing to zero ohms. An error is
when a failure manifests itself in the system as an erroneous state or as incorrect information. A fault is
when the error causes the control system to perform an incorrect action. (Note that this order, failure then
error then fault, is the reverse of the convention used in the Avizienis and Laprie dependability paper cited
later in this section, where a fault is the cause, an error is the resulting incorrect internal state, and a
failure is the deviation of the delivered service from its specification. The definitions above are the ones
used throughout this report.)

Failure -> Error -> Fault

As an example of this sequence, consider a simple switching power supply. A resistor fails, causing the
power supply to fail. The power supply powers the current loop of a pressure transmitter. As the supply
voltage drops to zero, the pressure signal also ramps to zero, and the control system responds as if the
pressure had actually changed to that incorrect value. In this example the resistor causes the output of the
switching power supply to go to zero volts: this is the failure. The failure propagates so that the signal from
the transmitter incorrectly indicates the state of the operating environment: this is the error. The control
system responds according to what the erroneous data indicates: this is the fault.
A system can address this sequence at any of the three stages. If it is done at the failure stage, it is
considered to be Fault Avoidance. If it is resolved at the error stage, it is Fault Masking. And if it is done at
the fault stage, it is considered Fault Tolerance.
As each of these, Fault Avoidance, Fault Masking and Fault Tolerance, is enhanced, the system reliability
is increased. In the above example the resistor could have been sized differently, increased from 1/4 watt to
1 watt, so that there was less chance of it failing in the circuit. This would be an example of Fault
Avoidance, and it is the primary design practice responsible for the development of a reliable system.
If the power supply were in parallel with another power supply, the failure of the first power supply would go
unnoticed by the transmitter. This is Fault Masking. This method of providing increased reliability always
requires some level of hardware redundancy.
Taking this example further, as the transmitter fails due to the loss of the power supply, the control software
could detect the failure and switch to another transmitter, or use a simplified algorithm which allows
acceptable control without this particular transmitter. Both of these solutions incorporate some type of
redundancy. The alternate transmitter obviously requires a redundant transmitter, while the simplified
algorithm requires a level of software redundancy: there need to be two different algorithms available to
the control system.
This paper is not intended to address the methods of providing fault tolerance or the associated cost issues,
but certainly the methods used to provide redundancy can dramatically affect the overall system cost.
Redundant transmitters can be expensive, while redundant algorithms can provide equivalent, or certainly
adequate, levels of fault tolerance.
In common literature Fault Masking and Fault Tolerance are lumped together and considered to be Fault
Tolerance. While these two techniques may seem similar, the significant difference is in the ability of the
system to diagnose the failure. In the case of Fault Masking the system may not be aware that a failure
has occurred. For example, a memory system with error correcting codes will correct an internal RAM failure
but, unless corrected-error counts are reported and acted on, will not indicate that there is a problem. In
that case no maintenance will be done and the system is in a less reliable state than before.


To help clarify some of these terms, this paper makes use of the term Dependability. This term is used
in place of reliability to resolve the confusion caused when reliability is used both as a concrete
mathematical attribute of a system (system reliability) and as a general description of a system (a
reliable system). The term is introduced and further defined in an IEEE paper titled Dependable Computing:
From Concepts to Design Diversity [2]. A dependable system includes the attributes of reliability, availability
and maintainability. While each of these attributes has a precise mathematical definition, the concept of a
dependable system is a combination of them that provides for the overall quality of the service delivered by
the system.


4.0 System Model:


Control systems can be divided into three primary sections: the inputs, the controller, and the
outputs. These are the primary elements inherent in every control system. When a complete
system is analyzed for reliability or dependability, the effect of all of these elements on the system
must be considered.
The objective of this paper is to include the effects of the system inputs and outputs in the overall
system reliability analysis. Because the inputs and outputs of a control system depend on the
specific system being analyzed, it is necessary to choose a typical system and use it as
the base model for comparison.
The control system used for the typical model is a steam turbine driven compressor with two
stages. The control diagram is shown in Appendix A. This control system consists of a speed
control unit (SIC1), a flow control unit (PIC1) and two anti-surge control units (UIC1, UIC2). A
typical set of field I/O devices has also been included: the flow measuring devices,
the speed sensors, the pressure and temperature transmitters and the valve control elements.
The sensor devices are connected to the controller through current isolators (I-to-I's) and the valves
are driven by current-to-pneumatic converters (I/P's).
The control system is modeled as a single electronic device performing all the control functions.
This is typical of today's high speed PLC and dedicated control systems; a single computer
based control system is capable of performing the speed control, the anti-surge control and the flow
control.
The control system is further divided into three primary sub-systems: the processor, the input/output
card and the power supply system.
Appendix B lists all the components of the system and their associated reliability numbers. These
numbers were gathered from field data, manufacturers' specifications and information from the
Reliability Analysis Center [3].
The system model was then entered into a software program called HIMAP [4]. This program is used
to model the fault tree and convert the fault tree into a Markov model.
Appendix C shows the fault tree and detailed reliability calculations for each of the model systems.
In these systems it is assumed that all the field devices are simplex, except for the three speed
pickup units of the speed control system. These are configured as a high select set:
only one of the three pickups needs to be operational for the speed control system to
function properly. Each of the remaining input signals is simplex and necessary
for the system to operate correctly.
The repair time for each component was set at 12 hours (a repair rate of 1/12 per hour). The power
supply system for all the control systems was designed as a redundant power supply system. The power
supply for the transmitters is assumed to have a reliability of one and is therefore not included in the model.
Because the purpose of this paper is to measure the effect on the reliability of the complete system
as the reliability of the control system is changed, the input and output sections are identical for
all of the control systems.
Three separate control systems have been modeled.
1. Duplex system with diagnostics.
2. Triplex system with 2 out of 3 elements required for operation.
3. Triplex system with 1 out of 3 elements required for operation.


The control system was divided into three sections: the processor, the input/output board and the
power supply. These models assume that the processor, input/output board and power supply are
independent. This means that a failure of one of these sub-systems does not depend on or cause
the failure of another sub-system. For example, in the case of the triplex system (2 out of 3) there
could be one failed processor, one failed input/output board and one failed power supply at the same
time. The system was modeled this way because it provides the most comprehensive set of test data;
the alternative case, where a processor is paired with a specific input/output board so that the pair
fails together, is a sub-set of this case and is easily determined from the data in this paper.


5.0 Solution Approach:


To provide a comparison of the three control systems, a model of the complete system was first
entered into the HIMAP program. There were three primary components: the Inputs, the Outputs and the
Control. In all cases the Inputs and the Outputs remained the same; only the Control block was altered
between the three models. Below is a short description of the three separate control block models. This
information is provided in its entirety in Appendix C.
5.1 Model 1 - Duplex control system.
Below is a diagram showing the fault tree for the duplex control system and for the Processor
subsection.

[Fault tree diagram: Control block = Processor (1 of 2), I/O card (1 of 2), Power supply (1 of 2); the Processor subsection is a 1 of 2 gate over two processor boards.]

The assumption in this model is that there is 100% diagnostic coverage of the redundant elements. This
means that if a processor fails, the backup unit always assumes control if it is available. The same
diagram is used for the IOC and the power supply. These can be seen in Appendix C.


5.2 Model 2 — Triplex Control System (2of3)


Below is a diagram showing the fault tree for the triplex (2 of 3) control system. In this model at most one
of the three processors, and at most one of the three I/O cards, can be failed at any time. This
configuration is used quite often in safety systems or other systems where fail-stop action is preferred
over high availability.

[Fault tree diagram: Control block = Processor (2 of 3), I/O card (2 of 3), Power supply (1 of 2); each triplex subsection is a 2 of 3 gate over three boards.]

In this model the IOC and the Processor modules are considered failed if two of the three units have
failed. The power supply module is duplex.


5.3 Model 3 — Triplex Control System (1 of 3)


This model uses the same triplex blocks, but a module is considered to be operating if at least one
of its three units is still operating. This is a typical implementation for a triplex control system
where the primary goal is to maintain high availability of the control system, as in flight
control systems and critical industrial control systems.

[Fault tree diagram: Control block = Processor (1 of 3), I/O card (1 of 3), Power supply; each triplex subsection is a 1 of 3 gate over three boards.]


6.0 Simulation Results:


All the simulations were made with a mission time of 1000 hours. All simulations included repair of
modules which could be repaired. The data for each model show the reliability of the control system alone,
the reliability of the Complete Control System including the inputs and outputs, and the MTTF in hours and
years for both.
6.1 Input Section
Reliability = 0.9597842749485

6.2 Output Section
Reliability = 0.9848657022490

6.3 Model 1 - Duplex control system.
Control system only:
Reliability = 0.9996858781572
MTTF = 3182978 hours (363 years)
Complete system:
Reliability = 0.9449616875770
MTTF = 17664.4444 hours (2.016 years)

6.4 Model 2 - Triplex Control System (2 of 3)
Control system only:
Reliability = 0.9990821381764
MTTF = 1088989 hours (124 years)
Complete system:
Reliability = 0.9443909971595
MTTF = 17477.9321 hours (1.995 years)

6.5 Model 3 - Triplex Control System (1 of 3)
Control system only:
Reliability = 0.9999878037549
MTTF = 81991949 hours (9360 years)
Complete system:
Reliability = 0.9452470853490
MTTF = 17759.1757 hours (2.027 years)


7.0 Conclusions:
The simulations produced two very interesting results. The first is that a duplex control system provides better
reliability than a triplex (2 of 3) control system. From the Markov maps of the two systems it
can be seen that this is due to the increased probability of an additional failure on the triplex system during
the time that the first module has failed and before it can be repaired. During this time the duplex system
has only one additional module, while the triplex (2 of 3) system has two additional modules. Since a single
additional failure on either system will cause the failure of the system, the triplex system has twice the
probability of experiencing this additional failure. It also enters the degraded state more often in the first
place (three modules can fail rather than two), so overall the triplex (2 of 3) block fails roughly three times
as often as the duplex block.
The triplex (1 of 3) control system provides a significant reliability gain for the control system. The Mean
Time to Failure (MTTF) for all the systems is calculated from the 1000 hour mission reliability as

$$\mathrm{MTTF} = \frac{-1000}{\ln(\text{reliability})}$$

This formula treats the system as if it had a constant failure rate over the mission; that is exact for a single
component but only an approximation for a redundant block, so the MTTF values are best read as comparison
figures. For the triplex system (1 of 3) the MTTF is 9360 years. The duplex system has an MTTF of 363 years.
This appears to be a significant difference, and at first glance it would appear that the triplex (1 of 3)
system is significantly better than the duplex system. However, when the reliability of the inputs and
outputs is incorporated into the complete system, the MTTF of the triplex (1 of 3) system drops to 2.027 years
while the MTTF of the duplex system drops to 2.016 years.
For all three systems, the MTTF is within 20 days (about 12 days separate the best and the worst case). This
result clearly indicates that for complete systems which have repairable modules, there is no significant
reliability difference between duplex, triplex (1 of 3) or triplex (2 of 3).
It also indicates that the reliability of the sensor elements is significant in determining the overall
dependability of the final complete control system. Any enhancement, whether it is adding transmitter
redundancy, reducing the number of components in each I/O loop, or adding software algorithms capable of
dealing with sensor failures, will significantly improve the overall complete control system dependability.
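As an added worked example (it is not part of the original project and does not use HIMAP), the following Python script rebuilds the three control-block models of sections 5.1 to 5.3 in two ways: as a static k-of-n fault tree without repair, and as a continuous-time Markov chain in which each failed unit is repaired at the rate of 1/12 per hour implied by section 4.0 (an assumption of independent repair of every failed unit). It uses the Appendix B failure rates for the processor, I/O card and power supply, keeps the power supply duplex in all three models (as sections 4.0 and 5.2 state; for model 3 that is an assumption), treats the three sub-systems as independent and in series as section 4.0 describes, and combines the control block with the section 6 input and output reliabilities. Run as written, the no-repair figures reproduce the section 6 control-system reliabilities (0.99968588, 0.99908214 and 0.99998780) to better than one part in 10^8, which is worth knowing given the uncertainty about repair noted in section 9; the repair figures are what the Markov model gives when repair actually takes effect, and they keep the ordering 2 of 3 < duplex < 1 of 3 found above.

```python
import math

# Constant failure rates (per hour) of the three control sub-systems,
# taken from Appendix B of the paper.
LAMBDA = {
    "processor": 9.34579e-06,
    "io_card": 1.49254e-05,
    "power_supply": 2.85714e-06,
}
MISSION_HOURS = 1000.0
MU = 1.0 / 12.0  # ASSUMED repair rate: each failed unit is repaired in 12 h (section 4.0)

# Input and output block reliabilities at 1000 h, copied from section 6.
R_INPUTS = 0.9597842749485
R_OUTPUTS = 0.9848657022490

# Redundancy of each sub-system per model as (n units, k required).  The power
# supply is duplex in every model (sections 4.0 and 5.2); for model 3 that is
# an ASSUMPTION, since section 5.3 only says "the same triplex blocks".
MODELS = {
    "duplex (1oo2)":  {"processor": (2, 1), "io_card": (2, 1), "power_supply": (2, 1)},
    "triplex (2oo3)": {"processor": (3, 2), "io_card": (3, 2), "power_supply": (2, 1)},
    "triplex (1oo3)": {"processor": (3, 1), "io_card": (3, 1), "power_supply": (2, 1)},
}


def kofn_static(n, k, lam, t):
    """k-of-n identical units, no repair: P(at least k survive to time t)."""
    r = math.exp(-lam * t)
    return sum(math.comb(n, i) * r ** i * (1 - r) ** (n - i) for i in range(k, n + 1))


def kofn_markov(n, k, lam, mu, t, step=0.25):
    """k-of-n identical units with repair, as a continuous-time Markov chain.

    State j = number of failed units.  States 0..n-k are operating; state
    n-k+1 ("system failed") is absorbing, so its probability at time t is the
    mission unreliability.  dP/dt = P*Q is integrated with classical RK4."""
    m = n - k + 1                      # index of the absorbing state
    q = [[0.0] * (m + 1) for _ in range(m + 1)]
    for j in range(m):
        q[j][j + 1] = (n - j) * lam    # one of the n-j good units fails
        if j > 0:
            q[j][j - 1] = j * mu       # one of the j failed units is repaired
        q[j][j] = -sum(q[j])           # each row of a generator sums to zero

    def deriv(p):
        return [sum(p[i] * q[i][col] for i in range(m + 1)) for col in range(m + 1)]

    p = [1.0] + [0.0] * m              # all units good at t = 0
    steps = max(1, int(round(t / step)))
    h = t / steps
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([x + h / 2 * d for x, d in zip(p, k1)])
        k3 = deriv([x + h / 2 * d for x, d in zip(p, k2)])
        k4 = deriv([x + h * d for x, d in zip(p, k3)])
        p = [x + h / 6 * (d1 + 2 * d2 + 2 * d3 + d4)
             for x, d1, d2, d3, d4 in zip(p, k1, k2, k3, k4)]
    return 1.0 - p[m]


def control_reliability(model, repair, t=MISSION_HOURS):
    """Series combination of the three independent sub-systems (section 4.0)."""
    r = 1.0
    for name, (n, k) in MODELS[model].items():
        lam = LAMBDA[name]
        r *= kofn_markov(n, k, lam, MU, t) if repair else kofn_static(n, k, lam, t)
    return r


def complete_reliability(model, repair, t=MISSION_HOURS):
    """Inputs, control block and outputs in series, as in the paper's model."""
    return R_INPUTS * control_reliability(model, repair, t) * R_OUTPUTS


def mttf_hours(reliability, t=MISSION_HOURS):
    """The paper's MTTF estimate; exact only for a constant failure rate."""
    return -t / math.log(reliability)


def compare():
    """Control and complete-system reliability of every model, with and without repair."""
    return {
        model: {
            "control_no_repair": control_reliability(model, False),
            "control_repair": control_reliability(model, True),
            "complete_no_repair": complete_reliability(model, False),
            "complete_repair": complete_reliability(model, True),
        }
        for model in MODELS
    }


if __name__ == "__main__":
    for model, r in compare().items():
        print(f"{model:15s} control: {r['control_no_repair']:.10f} (no repair)  "
              f"{r['control_repair']:.10f} (12 h repair)  complete: {r['complete_repair']:.7f}"
              f"  MTTF {mttf_hours(r['complete_repair']) / 8760:.3f} yr")
```

With repair in effect the control-block unreliabilities shrink by roughly two orders of magnitude, but the complete-system figures stay within a few hundredths of a year of each other because the simplex inputs and outputs dominate, which is the point of section 7. The mttf_hours function is the paper's -t/ln R estimate and should be treated as a comparison figure rather than a true mean time to failure for a redundant block.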


8.0 Additional Research


Further research would include a model capable of including the diagnostic coverage of the
duplex and triplex systems. Either of these systems could possibly continue improper operation after a
failure; if the failure is not properly diagnosed this could lead to incorrect system operation. The level of
diagnostic coverage is a difficult parameter to measure, but the effects and importance of this aspect could
be explored.
It would also be interesting to see the exact effects of adding redundant transmitters to selected signals and
possibly including the option of replacing failed transmitters with calculated variables based on the physical
properties of the process. Theoretically this approach could effectively replace any single failed transmitter
until that transmitter could be repaired. I would estimate that this alone could increase the overall system
reliability by a significant amount.
For example, it may be possible to calculate the compressor discharge pressure from the flow
signal, the inlet pressure and the temperatures. If a suitable algorithm linking these variables together
could be developed, then the loss of any one of these transmitters would not cause a system failure. In effect,
all the transmitters would then become redundant without the additional cost of adding physical hardware.
The advantage of this approach would be a large increase in the system dependability at a modest, if not
negligible, cost of additional software algorithms.
I believe that future enhancements to complete system reliability and dependability will be focused on
inventive techniques like those mentioned above. The reliability of hardware systems has reached the
level where there are indistinguishable differences between a duplex control system and a triplex control
system.
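To put numbers on the point made in section 7 and the proposal above, the following Python example (added here; it is not the project's HIMAP model) evaluates the input block of section 4.0 as a static fault tree built from the Appendix B failure rates: nine simplex measurement loops (PT1 to PT5, two flow loops, TE1 and TE2, each a series of wire, I-to-I isolator, transmitter and sensing element as in the Appendix C loop trees) plus the 1-of-3 speed pickups. It then compares three cases: every loop simplex; one pressure loop duplicated; and the analytic redundancy proposed above, modelled as the transmitter group tolerating any single loop failure, because a second simultaneous failure would remove signals the calculation itself needs. The sensing-element rate is an assumed placeholder (Appendix B has no entry for the pressure or thermal elements) and the loop inventory is read from the Appendix C trees, so the simplex baseline does not reproduce the section 6.1 figure exactly.

```python
import math

T = 1000.0  # mission time in hours, as in the paper

# Failure rates per hour from Appendix B.  The wire rate is derived from the
# listed R(1000 h) = 0.9995001249792 via lambda = -ln(R)/t.  The pressure and
# thermal sensing elements have no Appendix B entry, so a placeholder rate is
# ASSUMED for them here.
LAM = {
    "wire_100ft": -math.log(0.9995001249792) / T,
    "i_to_i_isolator": 1.25e-06,
    "flow_transmitter": 1.75439e-06,
    "pressure_transmitter": 1.75439e-06,
    "temperature_transmitter": 1.75439e-06,
    "venturi": 1.25e-06,
    "magnetic_speed_pickup": 1.0e-06,
    "sensing_element": 1.25e-06,   # ASSUMED placeholder, not from the paper
}

# Series parts of each measurement loop, following the Ft/Pt/Te fault trees
# in Appendix C (every part is simplex and necessary).
LOOP_PARTS = {
    "flow": ["wire_100ft", "i_to_i_isolator", "flow_transmitter", "venturi"],
    "pressure": ["wire_100ft", "i_to_i_isolator", "pressure_transmitter", "sensing_element"],
    "temperature": ["wire_100ft", "i_to_i_isolator", "temperature_transmitter", "sensing_element"],
}

# Loop inventory read from the Appendix C input-block tree: PT1..PT5, two flow
# loops, TE1 and TE2.  Three magnetic speed pickups form a 1-of-3 high select.
INVENTORY = ["pressure"] * 5 + ["flow"] * 2 + ["temperature"] * 2
SPEED_PICKUPS = 3


def part_reliability(name, t=T):
    """Constant-failure-rate survival probability R(t) = exp(-lambda t)."""
    return math.exp(-LAM[name] * t)


def series(rs):
    """Every unit must survive (OR gate of failures in the fault tree)."""
    out = 1.0
    for r in rs:
        out *= r
    return out


def at_least_k(rs, k):
    """P(at least k of the independent, not necessarily identical, units survive).

    dist[j] holds P(exactly j of the units processed so far survive)."""
    dist = [1.0]
    for r in rs:
        nxt = [0.0] * (len(dist) + 1)
        for j, pj in enumerate(dist):
            nxt[j] += pj * (1.0 - r)   # this unit failed
            nxt[j + 1] += pj * r       # this unit survived
        dist = nxt
    return sum(dist[k:])


def loop_reliability(kind, t=T):
    return series(part_reliability(p, t) for p in LOOP_PARTS[kind])


def input_block_reliability(scenario, t=T):
    loops = [loop_reliability(kind, t) for kind in INVENTORY]
    speed = at_least_k([part_reliability("magnetic_speed_pickup", t)] * SPEED_PICKUPS, 1)
    if scenario == "simplex":               # the paper's model: every loop required
        return speed * series(loops)
    if scenario == "redundant_pt1":         # hardware redundancy on one loop (1-of-2)
        return speed * at_least_k([loops[0], loops[0]], 1) * series(loops[1:])
    if scenario == "analytic_redundancy":   # section 8: any ONE failed transmitter is
        return speed * at_least_k(loops, len(loops) - 1)   # replaced by a calculated value
    raise ValueError(scenario)


def mttf_hours(reliability, t=T):
    """The paper's MTTF estimate (assumes a constant failure rate)."""
    return -t / math.log(reliability)


if __name__ == "__main__":
    for s in ("simplex", "redundant_pt1", "analytic_redundancy"):
        r = input_block_reliability(s)
        print(f"{s:20s} R(1000 h) = {r:.6f}   MTTF = {mttf_hours(r):9.0f} h")
```

Duplicating a single pressure loop removes only that loop's contribution to the unreliability (about one ninth of it), whereas the analytic scheme turns a sum of nine first-order terms into a sum of second-order terms, which is why it dwarfs the difference between the duplex and triplex control blocks computed in section 6. The at_least_k routine is the general non-identical k-of-n evaluator, so the same function handles the 1-of-3 speed pickups, the 1-of-2 duplicated loop and the 8-of-9 analytic group.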


9.0 Notes on the Data Presented and HIMAP Limitations.

This is a separate section intended to describe some of the problems encountered with the HIMAP program
and possible associated data errors. I have included all the program data files on a CD for review and
testing if desired.
1. It is not possible to fully review the Markov map which was generated for the complete system. The
CENTER command does not allow scrolling, so input and output states cannot be reviewed. In
order to determine whether the data was accurate, smaller models were built and the Markov maps for
those were checked. However, it was not possible to directly view the actual model used.
2. The complete system reliability could not be determined by running the HIMAP "Solve Fault
Tree (Markov Solver)". When this command was tried, no results were obtained for a mission time
of 1 hour; the computer was left to run for 4 hours. So the complete system reliability was
calculated using the BDD Solver. I believe this provides correct results; they were checked by
calculating the reliability for the subsystems and then hand calculating the complete system
reliability. But I was unsure about the effect of reparability on the complete system.
3. The combination of the two above problems caused some uncertainty as to whether or not the
system included the reparability factors in the reliability calculations. Smaller systems seemed to
work fine, but occasionally when I would go to check the Markov map for a subsystem it would
appear that the reparability had been removed. Below I show two examples of the same
subsystem. No program changes were made, only different solver techniques. I could not
determine why the repair data would disappear.

4. HIMAP would often crash or just shut down. For example, when trying to view the System1o3
Markov map, HIMAP will unload.


10.0 Appendix A
System Diagram — P&I Drawing


11.0 Appendix B
Component Reliability Values.

Source drawing: Project2compressorsrev2.vsd

Reliability is R(1000 h) for a constant failure rate λ (per hour), with MTBF = 1/λ. The original table listed one row per instrument tag on the P&I drawing (grouped under Performance Controller, Speed Controller and AntiSurge Controller) with a "Verified in HIMAP" check column; the per-tag rows and check marks did not survive extraction, so the table is collapsed here to one row per component type. Values marked * are not legible in the extracted table and are derived from the other columns using the definitions below.

Description                          R(1000 h)        λ (per hour)   MTBF (hours)
Venturi (flow element)               0.9987507809246  1.25E-06       800000
Magnetic speed pickup (MPU, 3 off)   0.9990004998334  1.00E-06       1000000*
Flow transmitter                     0.9982471520706  1.75439E-06*   570000*
Pressure transmitter (PT1 to PT5)    0.9982471520706  1.75439E-06    570000
Temperature transmitter (TE1, TE2)   0.9982471520706  1.75439E-06    570000
I-to-I isolator                      0.9987507809246  1.25E-06       800000
I-to-P converter                     0.9966722160545  3.33333E-06*   300000
100 feet of wire                     0.9995001249792  5.00000E-07*   2000000*
Input/output card                    0.9851854317*    1.49254E-05    67000
Processor card                       0.9906977461*    9.34579E-06    107000*
Power supply                         0.9971469348910  2.85714E-06    350000

Definitions:
$R(t) = e^{-\lambda t}$, where $\lambda$ is the failure rate (per hour), and $\mathrm{MTBF} = 1/\lambda$.

12.0 Appendix C
HIMAP output

System1o2.BRE

Duplex System Reliability Times

Duplex Control System
Repairable System
Simplex Inputs and Outputs
1000 hour mission time

Total BDD build Time is : 0.230 sec
Total BDD walk Time is : 0.0100 sec
Reliability = 9.449616875770e-001 Unreliability = 5.503831242298e-002
End Ordered list

Total BDD build Time is : 0.771 sec
Total BDD walk Time is : 0.0100 sec
Reliability = 9.449616875770e-001 Unreliability = 5.503831242298e-002
End Ordered list
Con1o2.rel

Control Block
1 of 2 with diagnostics
All modules are repairable
1000 hour mission time

1 1
MISSION 1
PHASE1
REL: .999685878157D+00
UNREL: .314121842780D-03
CUMULATIVE RELIABILITY FOR 1 MISSIONS: 9.996858781572D-01
CUMULATIVE UNRELIABILITY FOR 1 MISSIONS: 3.141218427802D-04
FAILURE PROBABILITY OF LAST MISSION: 3.141218427802D-04
MTBCF OF THE SYSTEM: 3.183143643891D+06
System2o3.BRE

Triplex System Reliability Times

2 of 3 triplex configuration
Repairable System
Simplex Inputs and Outputs
1000 hour mission time

Total BDD build Time is : 0.410 sec
Total BDD walk Time is : 0.000 sec
Reliability = 9.443909971595e-001 Unreliability = 5.560900284048e-002
End Ordered list

Total BDD build Time is : 0.401 sec
Total BDD walk Time is : 0.0100 sec
Reliability = 9.443909971595e-001 Unreliability = 5.560900284048e-002
End Ordered list
Con2o3.rel

Control Block
Triplex 2 of 3 system
all modules repairable
1000 hour mission time

1 1
MISSION 1
PHASE1
REL: .999082138176D+00
UNREL: .917861823644D-03
CUMULATIVE RELIABILITY FOR 1 MISSIONS: 9.990821381764D-01
CUMULATIVE UNRELIABILITY FOR 1 MISSIONS: 9.178618236445D-04
FAILURE PROBABILITY OF LAST MISSION: 9.178618236445D-04
MTBCF OF THE SYSTEM: 1.089153405794D+06
System1o3.BRE

Triplex System Reliability Times

Triplex Control System 1 of 3
Repairable System
Simplex Inputs and Outputs
1000 hour mission time

Total BDD build Time is : 0.0900 sec
Total BDD walk Time is : 0.000 sec
Reliability = 9.452470853490e-001 Unreliability = 5.475291465102e-002
End Ordered list

Total BDD build Time is : 0.231 sec
Total BDD walk Time is : 0.000 sec
Reliability = 9.452470853490e-001 Unreliability = 5.475291465102e-002
End Ordered list
Con1o3.rel

Control Block
1 of 3 Triplex System
All modules repairable
1000 hour mission time

1 1
MISSION 1
PHASE1
REL: .999987803755D+00
UNREL: .121962451197D-04
CUMULATIVE RELIABILITY FOR 1 MISSIONS: 9.999878037549D-01
CUMULATIVE UNRELIABILITY FOR 1 MISSIONS: 1.219624511970D-05
FAILURE PROBABILITY OF LAST MISSION: 1.219624511970D-05
MTBCF OF THE SYSTEM: 8.199214238827D+07
Inputs.rel

Input Block
Repair for MPU's
1 of 3 for MPU's
All other signals are simplex
1000 hour mission time

MISSION 1
PHASE1
REL: .959784274949D+00
UNREL: .402157250515D-01
CUMULATIVE RELIABILITY FOR 1 MISSIONS: 9.597842749485D-01
CUMULATIVE UNRELIABILITY FOR 1 MISSIONS: 4.021572505147D-02
FAILURE PROBABILITY OF LAST MISSION: 4.021572505147D-02
MTBCF OF THE SYSTEM: 2.436247464297D+04
Outputs.rel

Output Block
No Repair
Valves are Simplex
1000 hour mission time

1 1
MISSION 1
PHASE1
REL: .984865702249D+00
UNREL: .151342977510D-01
CUMULATIVE RELIABILITY FOR 1 MISSIONS: 9.848657022490D-01
CUMULATIVE UNRELIABILITY FOR 1 MISSIONS: 1.513429775100D-02
FAILURE PROBABILITY OF LAST MISSION: 1.513429775100D-02
MTBCF OF THE SYSTEM: 6.557381349103D+04
Fault tree drawings (HIMAP PostScript files dated Monday, April 23, 2001; only the gate structure is recoverable from the extraction):
1. Inputs.ps - Input block: fails if any of Speed inputs, UIC1 inputs, UIC2 inputs or PIC inputs fails; the pressure transmitter loops PT1 through PT5 appear as basic events under these gates.
2. Ft.ps - Failure of flow transmitter: fails if any of Wire connection, I-to-I device, Flow transmitter or Flow device fails.
3. Pt.ps - Failure of pressure transmitter: fails if any of Wire connection, Pressure transmitter, Pressure element or I-to-I transmitter fails.
4. Te.ps - Failure of temperature transmitter: fails if any of Wire connection, Thermal element, Temperature transmitter or I-to-I transmitter fails.
5. Outputs.ps - Output block: fails if any of SIC output (SIC valve), UIC1 output (UIC1 valve) or UIC2 output (UIC2 valve) fails.
6. ValveOut.ps - Valve output: fails if any of Mechanical valve, Pneumatic positioner, I-to-P converter, Wire connection or I-to-I transmitter fails.
