Verifying SIF Dangerous Fault Tolerance requirements

09 Aug 2024

The DFT (Dangerous Fault Tolerance) requirements for the SIF Analysis are checked on the Subsystem level. The SIF design (the Equipment selected in the Subsystem and the Equipment Success Criteria) is checked against the DFT requirements that are set by the ruleset (IEC-61511 acc to Shell). This ruleset can be found in IMS SIS under Settings \ Maintenance \ SIS specific Data \ General \ Ruleset.

To view the Fault Tolerance and implementation check details:

  • Click Fault Tolerance.
    [Figure: Click Fault tolerance to view the detail.]
  • A popup will open to give you an overview of the Fault tolerance check results for the applicable Subsystem. It considers the Equipment details, as well as the Equipment Success Criteria (when more than one Equipment is present in the Subsystem):
    [Figure: The Fault tolerance and implementation check details.]

The Fault Tolerance and implementation check considers:

Base fault tolerance

Per Subsystem, based on integrity requirement, i.e., the SIL, as defined in the ruleset. For SIL 2 the Base fault tolerance = 1 (based on the “IEC-61511 acc to Shell” ruleset).

[Figure: The integrity requirements as defined in Settings for the “IEC-61511 acc to Shell” ruleset.]

Fault tolerance modifier

This is set per Equipment on the Equipment Details Page, in the Implementation section. When all Fault Tolerance Modifiers on the Equipment (Fail Safe, prior use, write protect) are set to “Yes”, one level of Dangerous Fault Tolerance is claimed on this Equipment in the SIF design (indicated as -1 in the “Total” row of the Equipment Fault Tolerance table). This effectively means it can be used as a single Equipment in a SIL2 SIF design that requires one level of Dangerous Fault Tolerance without getting the Dangerous Fault Tolerance warning in the SIF Analysis design window. If there is more than one Equipment in the Subsystem, the value shown here and used to determine whether the DFT requirements for the Subsystem are met, is the highest value of any of the DFT modifiers per Equipment.

Inherent fault tolerance

Defined on the Equipment Details page. This value can be entered manually, but for Sensors and Final Elements it is normally set to “0”. It is only set to “1” for SIL 3 TÜV-rated safety PLCs, as such a PLC has one level of inherent Fault tolerance: failure of one component, e.g., an input card, does not lead to a failure of the SIF, because the input card has built-in redundancy to switch to the other input card channel.

Fault tolerance required

The sum of the above three bullets AND the Subsystem Equipment Success Criteria. Any value above 0 will generate a warning, i.e., the Fault tolerance button will be “Red”. This means the SIF design is short of the DFT requirements on that Subsystem. It is important to know that the Subsystem Equipment Success Criteria is included in the Fault tolerance required value. E.g., a 1oo2 Equipment Success Criteria implies a Hardware Fault Tolerance level of 1. Therefore, for a 1oo2 Equipment Success Criteria the Fault tolerance required value (if greater than “0”) will be reduced by 1, showing “0” as the end result.

Example
Equipment A and B are both part of the same Subsystem in a SIL 2 SIF design. Equipment A has all Fault tolerance modifiers (Fail Safe, Prior Use, Write Protect) set to “Yes” and has a Fault tolerance modifier of “-1” (indicated in the Equipment Fault Tolerance table.)

[Figure: Equipment A’s Fault Tolerance Modifiers.]

Equipment B does not have all Fault tolerance modifiers set to “Yes” and has a Total Fault tolerance modifier of “0” (indicated in the Equipment Fault Tolerance table.)

[Figure: Equipment B’s Fault Tolerance Modifiers.]

The Fault tolerance modifier value (that is also used to determine whether the DFT requirements for the Subsystem are met) is “0”.

[Figure: Fault tolerance modifier is set to “0”.]

This means Fault tolerance required in the Subsystem design is 1, basically saying we are still one level short of the DFT requirements for this Subsystem in SIL2 application. This is shown on the Design Tab with a red Fault tolerance button.

The above, however, considers a 2oo2 Equipment Success Criteria (by default IMS sets the Equipment Success Criteria to MooM when more than one Equipment is inserted into a Subsystem for the first time, which is the safe choice). If we change the Subsystem Equipment Success Criteria to 1oo2 by clicking Success Criteria (a 1oo2 Equipment Success Criteria implies a Hardware Fault Tolerance level of 1), the Fault tolerance required value (if greater than “0”) will be reduced by 1, showing “0” as the end result. The Fault tolerance button will become green, and the Fault tolerance required value will be “0”, meaning that for this Subsystem the DFT requirements are met.

[Figure: Fault tolerance required is now “0” for a 1oo2 Success Criteria.]
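The arithmetic behind the Fault tolerance required value, and the Equipment A / Equipment B example above, as an added example (not IMS SIS code). It assumes the modifier and Success Criteria rules exactly as stated on this page; the only values in the base fault tolerance table are the SIL 2 entry given here, and treating inherent fault tolerance as a credit subtracted from the requirement is an assumption.

```python
from dataclasses import dataclass

# Base fault tolerance per SIL from the ruleset. The page only states the
# SIL 2 value (1); other SILs must be read from the configured ruleset.
BASE_FAULT_TOLERANCE = {2: 1}


@dataclass
class Equipment:
    name: str
    fail_safe: bool
    prior_use: bool
    write_protect: bool
    inherent_ft: int = 0  # "1" only for a SIL 3 TUV-rated safety PLC

    def ft_modifier(self) -> int:
        # One level of DFT (-1) is claimed only when all three modifiers are "Yes".
        return -1 if (self.fail_safe and self.prior_use and self.write_protect) else 0


def success_criteria_hft(criteria: str) -> int:
    # "MooN": M of N Equipment must work, so N - M dangerous failures are tolerated.
    m, n = (int(x) for x in criteria.lower().split("oo"))
    if not 1 <= m <= n:
        raise ValueError(f"invalid success criteria {criteria!r}")
    return n - m


def fault_tolerance_required(sil: int, equipment: list[Equipment], criteria: str) -> int:
    base = BASE_FAULT_TOLERANCE[sil]
    # With more than one Equipment the highest (least favourable) modifier is used.
    modifier = max(e.ft_modifier() for e in equipment)
    # Assumption: inherent fault tolerance is a credit; the lowest across the subsystem counts.
    inherent = min(e.inherent_ft for e in equipment)
    required = base + modifier - inherent
    # The Success Criteria HFT only reduces a value that is still above 0.
    if required > 0:
        required = required - success_criteria_hft(criteria)
    return max(0, required)  # only a value above 0 is a shortfall


def fault_tolerance_button(sil: int, equipment: list[Equipment], criteria: str) -> str:
    return "green" if fault_tolerance_required(sil, equipment, criteria) == 0 else "red"


if __name__ == "__main__":
    a = Equipment("A", fail_safe=True, prior_use=True, write_protect=True)
    b = Equipment("B", fail_safe=True, prior_use=False, write_protect=True)
    for crit in ("2oo2", "1oo2"):
        print(crit, fault_tolerance_required(2, [a, b], crit), fault_tolerance_button(2, [a, b], crit))
```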

Equipment type allowance

This is the Equipment type allowed. Master Equipment can be set on the Master Equipment level to be allowed for use in SIF designs or not. If a Master Equipment type is set to not allowed for SIF designs, this is flagged in the Fault Tolerance and Implementation Check window with a red cross and is also indicated on the Design tab with a red Fault Tolerance button. 

Energize to trip (ETT) allowance

Based on integrity requirement, i.e., the SIL, as defined in the ruleset. The “IEC-61511 acc to Shell” ruleset states that below SIL 2, ETT Final Elements in the design are allowed. If ETT is not allowed for the SIF design, this is flagged in the Fault Tolerance and Implementation Check window with a red cross and is also indicated on the Design tab with a red Fault Tolerance button. 

Dangerous Fault Tolerance

If the Fault tolerance required value is greater than “0”, this is flagged in the Fault Tolerance and Implementation Check window with a red cross and is also indicated on the Design tab with a red Fault Tolerance button. You can override this if you have reasons to bypass the built-in DFT check in IMS. To override the built-in Dangerous fault tolerance check, click Edit, check Override, and Save.
