Fail-safe Mode Research Articles

The Importance of Correct Control Valve Fail-safe Mode Documentation in Avoiding Process Incidents

Abstract Achieving and maintaining a safe state during abnormal situations is essential for the safety design and safe operation of process facilities. This applies first of all to process control valve loops. The selection of the different control loop components can become a bit complicated because there are several design options and at least two different signal-response actions per component. This is especially true for split-range control loops with exclusively sequenced control valves that operate in different control ranges. These valves will never be open simultaneously and their fail-safe position under loss of signal and loss of motive utility requires special design attention. If the design was flawed or was compromised during maintenance then the system can respond in an unexpected manner during certain operating modes. Such an unexpected response was a contributing factor to a recent incident in a heavy oil processing facility. It involved very large vessels and resulted in a loss of containment situation inside and near a building where more than 40 people were working. Quick operator intervention prevented worse from happening but some of the vessels needed to have their “fitness for service” reconfirmed.

Failsafe modes in incomplete minority game

We make a failsafe extension to the incomplete minority game model, give a brief analysis on how incompleteness will effect system efficiency. Simulations that limited incompleteness in strategies can improve the system efficiency. Among three failsafe modes, the “Back-to-Best” mode brings most significant improvement and keeps the system efficiency in a long range of incompleteness. A simple analytic formula has a trend which matches simulation results. The IMMG model is used to study the effect of distribution, and we find that there is one junction point in each series of curves, at which system efficiency is not influenced by the distribution of incompleteness. When p I ¯ > p I ¯ c the concentration of incompleteness weakens the effect. On the other side of p I ¯ c , concentration will be helpful. When p I is close to zero agents using incomplete strategies have on average better profits than those using standard strategies, and the “Back-to-Best” agents have a wider range of p I to win.

Fail-Awareness: An Approach to Construct Fail-Safe Systems

We present a framework for building fail-safe hard real-time applications in timed asynchronous distributed systems subject to communication partitions and performance, omission, and crash failures. Most distributed systems built from commercial-off-the-shelf (COTS) processor and communication services are subject to such partitions because their COTS components do not provide hard real-time guarantees. Also custom designed systems can be subject to partitions due to unmaskable link or router failures. The basic assumption behind our approach is that each processor has a local hardware clock that proceeds within a linear envelope of real-time. This allows one to compute an upper bound on the actual delays incurred by a particular processing sequence or message transmission. Services and applications can use these computed bounds to detect when they cannot guarantee all their standard properties because of excessive delays. This allows an application to be fail-aware, that is, to detect when it cannot guarantee all its safety properties and in particular, to detect when to switch to a fail-safe mode.

Aspects of the design of low noise, negative resistance, reflection mode transistor amplifiers

The authors consider the use of microwave transistors in the negative resistance reflection mode and present the conditions for optimum noise performance. Possible advantages include the possibility of higher gain in the millimeter-wave region, which can be achieved by absorbing the parasitic common lead inductance into the feedback circuit designed to generate the negative resistance, and the existence of a failsafe mode of operation, in that the failure of the active device or its power supply is likely to lead a low return loss, resulting in a small insertion loss through the amplifiers, which may permit continued, although degraded, system operation. The latter potential advantage has proved to be of interest to radar system designers.< <ETX xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">&gt;</ETX>

Fail-Safe Computer-Based Plant Protection Systems

A fail-safe mode of operation for computers used in nuclear reactor protection systems was first evolved in the UK for application to a sodium cooled fast reactor. The fail-safe properties of both the hardware and the software were achieved by permanently connecting test signals to some of the multiplexed inputs. This results in an unambiguous data pattern, each time the inputs are sequentially scanned by the multiplexer. The “test inputs” simulate transient excursions beyond defined safe limits. The alternating response of the trip algorithms to the “out-of-limits” test signals and the normal plant measurements is recognised by hardwired pattern recognition logic external to the computer system. For more general application to plant protection systems, a “Test Signal Generator” (TSG) is used to compute and generate test signals derived from prevailing operational conditions. The TSG, from its knowledge of the sensitivity of the trip algorithm to each of the input variables, generates a “test disturbance” which is superimposed upon each variable in turn, to simulate a transient excursion beyond the safe limits. The “tripped” status yielded by the trip algorithm when using data from a “disturbed” input forms part of a pattern determined by the order in which the disturbances are applied to the multiplexer inputs. The data pattern formed by the interleaved test disturbances is again recognised by logic external to the protection system’s computers. This fail-safe mode of operation of computer-based protection systems provides a powerful defence against common-mode failure. It also reduces the importance of software verification in the licensing procedure.

Fail-safe fiber-optics data bus using active multimode mirror terminals

A prototype fail-safe optical data bus utilizing active LiTaO(3) electrooptic mirror terminals has been constructed and tested. Features of the system include (1) a single optical source; (2) an optical insertion loss of less than 6 dB and a tapoff ratio of 13 dB for the mirror terminals in the fail-safe mode; (3) compatibility with commercially available LED sources, P-I-N photodiode detectors, and step-index multimode monofibers; (4) remote terminal modulation depth approaching 50% for 100 V applied; and (5) the use of a pulse transformer technique which allows the required electrooptic modulation voltages to be obtained from a 5-V electrical supply. The construction of a working prototype data bus using mirror terminals demonstrates the feasibility of such systems for use in optical communications at the present state of the art.

Microprocessor System for Plate Column Control

The application of microprocessors in the chemical industry for process control, alarm scanning, and data collection is expected to be of major importance in the near future. A 600-mm diameter plate column which could be used for distillation and gas absorption has been controlled in an on/off mode by a 6502 microprocessor. Special precautions are required to ensure a fail-safe mode of operation during abnormal events such as power failure. The microprocessor system has been highly reliable and introduced an expanded flexibility for the operator in altering set point and alarm conditions.

Shutter and Collimator with Rotating Radiation-Cooled Elements for the Beam from the Princeton A. V. F. Cyclotron

A beam collimator and shutter assembly has been designed and fabricated to define and interrupt the high maximum areal power density (30 kW/cm2) external beam anticipated for the Princeton A. V. F. Cyclotron. Pairs of graphite cylinders which rotate at 300 r/min about parallel axes a precisely adjustable distance apart, define the beam in each of the horizontal and vertical directions. A similar rotating graphite cylinder which is raised and lowered by an air cylinder operating in a fail-safe mode functions as the beam shutter. The power of the beam incident of these cylinders is dissipated by thermal radiation to surrounding water-cooled structures. Tests with an electron gun have shown that the slit cylinders can successfully dissipate a beam power of 2.2 kW with an areal density power of 10 kW/cm2 with no indication of deterioration or overheating of critical components. Calculations indicate power levels up to 5.0 kW with 50kW/cm2 areal density may be tolerated by these slits.

Universality of blank-correction and error-detection (Corresp.)

A blank-correction error-detection decoder can be used to give any desired degree of decoding from simple error detection to essentially maximum likelihood error correction. Failsafe per-refinance is obtained if a fixed number of digits are erased before decoding with maximum failsafe protection obtained with a zero threshold detector preceeding the decoder which results in error detection only. In agreement with theory there is a nonzero threshold which maximizes the rate of transmission for any SNR. Maximum likelihood decoding is obtained by iterative decoding with successively increasing thresholds as long as errors are detected. Comparison of the performance of the decoder in a failsafe mode and a maximum likelihood mode are given.