
Separated Override

In document Functional safety system patterns (pages 62-65)

Functional Safety System Patterns

4 Separated Override

Context

A control system for a work machine or for an industrial process is being developed. The SEPARATED SAFETY pattern has been utilized so that the control system functionality is divided into two separate systems: the basic control system and the safety system. The separation of the safety and basic control systems is followed strictly (e.g. to enable an easier certification process). The separated systems may in some places control the same functionalities or process variables.

Problem

The safety system and the basic control system control the same process quantities.

Consequently, the basic control system may interfere with the operation of the safety system, but the safety system must have the final word on system operation.


Forces

Safety: Safety control system must always be able to drive the system into safe state (i.e. a state in which system minimizes the risk of damaging itself or people around it) regardless of the state of the basic control system

Non-interference: Separation of the basic and safety systems is the main concern.

Hardware: Additional hardware is not a problem in terms of cost, space, weight etc.

Hardware: Actuators with sufficient safety level and suitable functionality can be hard to find (e.g. hydraulic proportional control valves with SIL 3 certificate are not too widely available)

Solution

Use separate actuators for the safety and basic control systems. The purpose of the safety actuator is to drive the controlled process variable into the safe state as commanded by the safety system. The basic control system operates its own actuator for control purposes and the safety system operates a separate actuator for safety purposes.

The principle of the architecture is presented in Fig 4. A separate actuator for the safety system is added at the points at which the safety system needs to have control over the basic control system. The safety control system must always be able to override the control system’s operations. Ensure that the safety function cannot be circumvented or bypassed in any way by the control system. The safety system has the ability to drive the controlled quantity to the safe state regardless of the control system state. Only the actuator controlled by the safety system has to comply with safety (standard) requirements, whereas the basic control system’s actuator can be chosen freely.

Notice that a safety function typically wants to either fully enable or fully disable the controlled variable. The actuator controlled by the safety system is then placed in parallel with or in series with the control actuator, respectively. The safety actuator must be placed so that the normal control system cannot bypass it. Consider also the order of the actuators. The safety actuator may be positioned before or after the basic control actuator depending on the system.

Fig 4. Principle of separated override

Example

A possible application of the separated override principle can be found for example in processes in which steam flow to a heat exchanger is controlled (see Fig. 5). The safety function is to prevent overheating of the heated element. The control system is responsible for controlling the flow using a proportional valve. In addition, the steam line is equipped with a safety valve controlled by the safety system. Now, regardless of the basic control system, the safety control system may halt steam flow in the heat exchanger. Notice that the figure illustrates only a part of a system.

Fig. 5. Example of separated override in steam flow control
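As an added illustration (not part of the pattern paper), the following Python toy model captures the series/parallel placement described in the Solution and the steam-line case of Fig. 5, and checks the property the pattern exists for: once the safety actuator trips, the controlled quantity reaches the safe state for every control setpoint, including a stuck control actuator, while a single shared actuator does not give that guarantee. The actuator classes, the `process_value` composition, the stuck-valve fault and the numeric setpoints are constructed assumptions of this example, not taken from the paper.

```python
"""Toy model of SEPARATED OVERRIDE: two actuators acting on one process variable."""
from dataclasses import dataclass
from itertools import product
from typing import Literal

Placement = Literal["series", "parallel"]  # disable-type vs enable-type safety function

@dataclass
class ProportionalActuator:
    """Basic-control actuator, 0.0 (closed) .. 1.0 (fully open); may get stuck."""
    position: float = 0.0
    stuck: bool = False

    def command(self, setpoint: float) -> float:
        if not self.stuck:                 # a stuck valve ignores new commands
            self.position = min(1.0, max(0.0, setpoint))
        return self.position

@dataclass
class SafetyActuator:
    """Binary on/off actuator owned by the safety system; tripped = function active."""
    tripped: bool = False

def process_value(ctrl: ProportionalActuator, safety: SafetyActuator,
                  placement: Placement, supply: float = 1.0) -> float:
    """Controlled quantity (e.g. steam flow as a fraction of supply) after both actuators.
    series:   safety valve in the same line, so tripping cuts the quantity to zero.
    parallel: safety actuator opens a bypass, so tripping forces the full quantity.
    In both layouts no control-actuator path bypasses the safety actuator."""
    if placement == "series":
        return 0.0 if safety.tripped else supply * ctrl.position
    return supply if safety.tripped else supply * ctrl.position

def safe_state_always_reachable(placement: Placement, safe_value: float) -> bool:
    """Pattern property: once tripped, the quantity equals safe_value for every
    control setpoint, even when the control actuator is stuck (constructed cases)."""
    for setpoint, stuck in product((0.0, 0.25, 0.5, 1.0), (False, True)):
        ctrl = ProportionalActuator(position=setpoint, stuck=stuck)
        ctrl.command(1.0 - setpoint)       # control system keeps acting on its own valve
        if process_value(ctrl, SafetyActuator(tripped=True), placement) != safe_value:
            return False
    return True

def shared_actuator_safe_state_reachable(safe_value: float = 0.0) -> bool:
    """Counterexample without the pattern: the safety system writes its demand to
    the single shared proportional valve, and a stuck valve defeats it."""
    ctrl = ProportionalActuator(position=0.7, stuck=True)
    return ctrl.command(safe_value) == safe_value
```

For the steam line of Fig. 5 the safe state is zero flow, so the safety valve is the `"series"` case with `safe_value=0.0`; an enable-type function (e.g. forcing a cooling flow on) is the `"parallel"` case with the full supply as its safe value.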

Consequences

(Complete) separation between safety and basic control systems is obtainable

Safety is retained by the safety system if the control system fails (e.g. the control actuator gets stuck)

Selection of the safety system actuator is disengaged from selection of the basic control actuator

Main control actuator(s) can be chosen freely without need for certain safety properties

Simplest possible safety system approach can be chosen in terms of actuator type (binary on/off actuator is typically sufficient)

The approach doesn’t restrict the selection of the data transfer method from controllers to actuators (e.g. the safety system may use analog signaling and the basic control system a FlexRay bus etc.)

Increased cost due to additional safety actuator

Increased weight and space requirements due to additional safety actuator

Additional hardware may increase the complexity of the hardware system

Resulting Context

The safety control system may override the control system in all situations, and thus safety is not dependent on the basic control system. An actuator for the safety system is added to the system at each point where the safety system needs to have control over the basic control system.

Related Patterns

The MERGED SAFETY ACTUATION pattern describes how the total amount of safety actuation hardware and its cost can be decreased by merging the actuation of multiple safety functions into a single actuator.

The DE-ENERGIZED OVERRIDE pattern describes an alternative solution to a similar problem. The pattern describes how the separate actuator for the safety system can be replaced with a relay (or similar switching device) to reduce the need for actuator hardware.

The SAFETY LIMITER pattern describes an alternative solution to a similar problem. Safe operation can be achieved by routing the control signal calculated by the basic control system through a safety function that limits its value, without the need for an additional relay or other hardware. Consequently no additional hardware is required besides the control actuator, but potentially complex safety-related application software needs to be developed.
