Rockwell Automation T8094 8000 Series TMR System Safety Manual – Process Safety Time (PST)

SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 4 of 103

1.3.3 Process Safety Time (PST)

Every process has a safety time, which is the period for which the process can be controlled by a faulty control-output signal without entering a dangerous condition. This is a function of the process dynamics and the level of safety built into the process plant. The Process Safety Time¹ (PST) can range from seconds to hours, depending on the process. Where the process has a high demand rate and/or is highly dynamic, the PST will be short; for example, turbine control applications may dictate process safety times down to around 100 ms.

The PST dictates the response time for the combination of the sensors, actuators and each realised control or safety function. For demand or event-driven elements of the system, the response time of the system shall be considerably less than:

(PST − Sensor and actuator delay)

For convenience within this document, we will refer to the element of the PST relevant to the system’s response time as PST_E, the effective PST.

For cyclic elements of the system, the system’s scan time shall be considerably less than ½ of the effective PST, i.e.:

½ (PST − Sensor and actuator delay), or

½ (PST_E)

The response time in the context of the process safety time must consider the system’s ability to respond, i.e. its probability of failure on demand (including its ability to fulfil the required function within the required time). The probability of failure on demand is a function of the system’s architecture, its self-test interval and its β-factor².

If the system architecture provided no fault tolerance, it would be necessary to ensure
that the sum of the response times (including sensors and actuators) and the fault
detection time does not exceed the process safety time.
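The three timing criteria above (event-driven response time against PST_E, cyclic scan time against ½ PST_E, and for a non-fault-tolerant architecture the sum of response times and fault detection time against the full PST) are easy to get wrong when reviewed by hand, so the following is an added worked example, not code from the manual or from Rockwell Automation. It encodes the manual’s inequalities as a budget check; the margin factor used for "considerably less than" is an assumption of this example, not a figure from the manual, and the turbine-style numbers are constructed sample values.

```python
from dataclasses import dataclass

# Assumption (not from the manual): "considerably less than" is taken to mean
# "no more than this fraction of" the bound. Adjust to the project's own rule.
MARGIN = 0.5


@dataclass(frozen=True)
class TimingBudget:
    """All values in milliseconds. pst_ms must come from the Loss Prevention Engineer."""
    pst_ms: float
    sensor_delay_ms: float
    actuator_delay_ms: float
    response_time_ms: float    # logic solver's demand (event-driven) response time
    scan_time_ms: float        # logic solver's cyclic scan time
    fault_detection_ms: float  # worst-case self-test / diagnostic interval
    fault_tolerant: bool       # True for a fault-tolerant architecture such as TMR


def effective_pst(b: TimingBudget) -> float:
    """PST_E = PST - (sensor delay + actuator delay), as defined in the manual."""
    return b.pst_ms - b.sensor_delay_ms - b.actuator_delay_ms


def check_budget(b: TimingBudget) -> list:
    """Return a list of violated criteria; an empty list means the budget is met."""
    issues = []
    pst_e = effective_pst(b)
    if pst_e <= 0:
        return ["sensor and actuator delay consume the whole PST; no time left for the logic solver"]

    # Demand / event-driven elements: response time considerably less than PST_E.
    if b.response_time_ms > MARGIN * pst_e:
        issues.append(
            f"response time {b.response_time_ms} ms exceeds {MARGIN} x PST_E ({pst_e} ms)")

    # Cyclic elements: scan time considerably less than half of PST_E.
    if b.scan_time_ms > MARGIN * 0.5 * pst_e:
        issues.append(
            f"scan time {b.scan_time_ms} ms exceeds {MARGIN} x 0.5 x PST_E ({pst_e} ms)")

    # Non-fault-tolerant architecture: response times (including sensors and
    # actuators) plus fault detection time must not exceed the PST, because a
    # covert fault may stay undetected for a whole self-test interval.
    if not b.fault_tolerant:
        total = (b.sensor_delay_ms + b.actuator_delay_ms
                 + b.response_time_ms + b.fault_detection_ms)
        if total > b.pst_ms:
            issues.append(
                f"non-fault-tolerant: response + fault detection time {total} ms exceeds PST {b.pst_ms} ms")
    return issues


# Constructed sample: a fast turbine-type loop with a 100 ms PST.
TURBINE_TMR = TimingBudget(pst_ms=100, sensor_delay_ms=10, actuator_delay_ms=20,
                           response_time_ms=20, scan_time_ms=10,
                           fault_detection_ms=5000, fault_tolerant=True)
TURBINE_SIMPLEX = TimingBudget(pst_ms=100, sensor_delay_ms=10, actuator_delay_ms=20,
                               response_time_ms=20, scan_time_ms=10,
                               fault_detection_ms=5000, fault_tolerant=False)

if __name__ == "__main__":
    for name, budget in (("TMR", TURBINE_TMR), ("simplex", TURBINE_SIMPLEX)):
        print(name, "PST_E =", effective_pst(budget), "ms")
        for issue in check_budget(budget) or ["budget met"]:
            print("  -", issue)
```

With the same sensor, actuator and solver timings, the fault-tolerant configuration meets the budget while the simplex one fails only the third criterion: a 5 s self-test interval cannot fit inside a 100 ms PST, which is exactly why the manual requires either fault tolerance or guaranteed fail-safe reaction to faults for such loops.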

In practice, many of a system’s self-test intervals vary from seconds to hours depending on the element of the system under test. For higher requirements, the system architecture shall provide sufficient fault tolerance, or faults shall result in fail-safe actions, i.e. there shall be no potential covert failures for those safety-related elements of the system.

Degraded Operation

Non-fault tolerant (simplex) systems, by definition, do not have the ability to continue their operation in the presence of fault conditions. If we consider a digital point, the state may be 0, 1, or undefined (X). In the case of a fault within a non-fault tolerant system we would normally assume that the state becomes undefined in the presence of faults. For safety applications, however, it is necessary to be able to define how the system will respond in the presence of faults and as faults accumulate; this is the system’s defined degraded operation. Traditionally, 0 is considered the fail-safe state, and 1 the operable condition. A standard non-fault tolerant system would therefore be 1 channel operating (or 1-out-of-1), degrading to undefined (X) in the case of a fault. Obviously, this would be undesirable for safety applications, where we require a fail-safe reaction in the case of a fault; a system providing this operation would be 1-oo-1 fail-safe, or 1→0.

The additional element in the degradation path is that the fault may occur but may be hidden, or covert. The fault could be such that it prevents the system from responding when required to do so. Obviously, this would also be unacceptable for safety

¹ The only source of information about the PST is the designer’s Loss Prevention Engineer. This data is not normally supplied at bid or at the manufacturing stage, so a direct request for information should be made. This data must form part of the safety considerations for the system, and design reviews must be a fundamental part of safety engineering.

² The β-factor is a measure of common cause failure and is dependent on the equipment’s original design, which is assessed and certified independently, and on the implementation of the guidance provided within this Safety Chapter. The compact nature of the TMR system provides a β-factor of better than 1%.
