
Asset Management Standard

Title: Control Systems Design for Redundancy and Diversity Standard
Unique Identifier: 240-119638133
Alternative Reference Number: N/A
Area of Applicability: Generation, Engineering
Documentation Type: Standard
Revision: 2
Total Pages: 20
Next Review Date: February 2027
Disclosure Classification: CONTROLLED DISCLOSURE

Compiled by: Dr. Craig D. Boesack, Chief Engineer C&I. Date: 17/01/2022
Approved by: K. Sobuwa, Chief Engineer C&I. Date: 18-Jan-2022
Authorised by: P. Madiba, Senior Manager C&I. Date: 2022-01-27

Supported by SCOT/SC/TC: Dr. Craig D. Boesack, Power Plant C&I SC Chairperson. Date: 17/01/2022

PCM Reference: 240-56355828


SCOT Study Committee Number/Name: Power Plant C&I Study Committee, PP C&I SC08-03
Control Systems Design for Redundancy and Diversity Unique Identifier: 240-119638133
Standard Revision: 2
Page: 2 of 20

CONTENTS
Page
EXECUTIVE SUMMARY .............................................................................................................................................. 3
1. INTRODUCTION ...................................................................................................................................................... 4
2. SUPPORTING CLAUSES ........................................................................................................................................ 4
2.1 SCOPE .............................................................................................................................................................. 4
2.1.1 Purpose ..................................................................................................................................................... 4
2.1.2 Applicability................................................................................................................................................ 5
2.2 NORMATIVE/INFORMATIVE REFERENCES .................................................................................................. 5
2.2.1 Normative .................................................................................................................................................. 5
2.2.2 Informative ................................................................................................................................................. 5
2.3 DEFINITIONS .................................................................................................................................................... 6
2.3.1 Disclosure Classification ........................................................................................................................... 6
2.4 ABBREVIATIONS .............................................................................................................................................. 6
2.5 ROLES AND RESPONSIBILITIES .................................................................................................................... 7
2.6 PROCESS FOR MONITORING ........................................................................................................................ 7
2.7 RELATED/SUPPORTING DOCUMENTS ......................................................................................................... 7
3. CONTROL SYSTEMS DESIGN FOR REDUNDANCY AND DIVERSITY .............................................................. 8
3.1 GENERAL REQUIREMENTS FOR REDUNDANCY ...................................................................................... 10
3.2 CONTROL SYSTEM DESIGN FOR RELIABILITY ......................................................................................... 12
3.3 INDEPENDENCE OF CONTROL SYSTEMS ................................................................................................. 13
3.4 REDUNDANT CONTROL SYSTEMS AND DIVERSITY ................................................................................ 13
4. REDUNDANCY AND DIVERSITY IMPLEMENTATION ........................................................................................ 15
4.1 USE OF NON-REDUNDANT CONTROL SYSTEMS ..................................................................................... 15
4.2 CONTROL SYSTEM REDUNDANCY AND DIVERSITY ................................................................................ 16
4.3 IO REDUNDANCY REQUIREMENTS ............................................................................................................ 19
4.4 HMI INTERFACING REQUIREMENTS FOR REDUNDANCY ....................................................................... 19
5. CONCLUSION ........................................................................................................................................................ 20
6. AUTHORISATION .................................................................................................................................................. 20
7. REVISIONS ............................................................................................................................................................ 20
8. DEVELOPMENT TEAM ......................................................................................................................................... 20
9. ACKNOWLEDGEMENTS ...................................................................................................................................... 20

FIGURES
Figure 1 – Basic Principles of Control System Redundancy (modified based upon [5]) .............................................. 8
Figure 2 – Control System Redundancy Architecture [5] ............................................................................................. 9

TABLES

Table 1 – A Control System Redundancy Checklist ................................................................................... 11
Table 2 – Common Plant Functional AP Allocation Example..................................................................... 17
Table 3 – Unit Functional AP Allocation Example ...................................................................................... 18

CONTROLLED DISCLOSURE
When downloaded from the EDMS, this document is uncontrolled and the responsibility rests with the user to ensure it is in line
with the authorised version on the system.

EXECUTIVE SUMMARY
This standard presents guiding principles for implementing control system redundancy and diversity.
Redundant systems are designed to ensure the availability of process plant and systems and, within
the context of this standard, the dependability of control systems. Diversity focuses on the design of
control systems to protect against common cause failures; redundantly diverse control systems
therefore form the basis of modern power plant automation and control.


1. INTRODUCTION
This standard presents guiding principles for implementing control system redundancy and diversity.
Redundant systems are designed to ensure the availability of process plant and systems and, within
the context of this standard, the dependability of control systems. Diversity focuses on the design of
control systems to protect against Common Cause Failures (CCF) or Common Mode Failures (CMF);
redundantly diverse control systems therefore form the basis of modern power plant automation and
control.
The terms CCF and CMF are used synonymously within this standard and describe the potential
causes of common control system failure. These should be considered during the development of
risk assessments so that the design of C&I systems prevents CCFs or CMFs. To prevent CCFs, C&I
design should focus on both the design of control system hardware and the design of control
system software, with their varied components, to mitigate failure.
The design of these systems to meet these objectives is of great interest to C&I design and gives
assurance of the reliable operation of control action during both normal and abnormal events. The
degree of assurance and quality obtained in C&I design is proportional to the principles of
redundancy implemented and to the operational and maintenance practices followed throughout the
life of the control system.
It should also be noted that rigorous analysis is needed during control system development to
investigate failure mechanisms and to design accordingly to mitigate failure. This requires clear
functional specifications, logical design, requirements for testing and especially the separation of
control and protection systems. These are largely influenced by conceptual design studies and
specific failure mode analyses of control systems and technology.
Therefore, this Standard provides guidance and best practice on the design of power plant control
systems to meet the objectives of highly available and reliable control system operation.

2. SUPPORTING CLAUSES

2.1 SCOPE
This document sets forth requirements for performing C&I design to meet the functional objectives
for Redundancy and Diversity. It is particularly focused on control system design and in some
measure relates to all aspects of power plant automation and control. It provides guidelines in terms
of redundancy, control system independence and design through diversity. It focuses especially on
digital control systems, such as modern DCS technologies and solutions, and applies to both
control and protection systems; however, control system applications are presently given
preference in this standard.
It should be noted that this Standard does not replace sound engineering practice and processes,
but aims at providing a process to document principles for use during the engineering and
construction of control systems. To this end, the document provides sufficient information to
successfully implement Control System Design for Redundancy and Diversity.

2.1.1 Purpose
The purpose of this Standard is to provide minimum guidelines for Control System Design to meet the
following objectives:

1. To set forth minimum requirements for Control System Redundancy.

2. To specify minimum requirements for Control System Diversity.


3. To specify minimum performance specifications to ensure control system Determinism or
Deterministic Performance of C&I technologies.

4. To consider acceptable hardware architecture, for Field, Automation Systems, Networks, HMI
and Actuation, for the design of redundant and diverse C&I applications.

5. To give guidance on software design to meet the objectives.

2.1.2 Applicability
The Standard is applicable to the Generation fleet of Coal Fired Power Plants only.
Excluded are:
1. Nuclear Power Plants, Hydro Stations, Gas Stations and Renewables Stations.
2. Transmission and Distribution.

The Standard is intended for those in the control systems design and application fraternity and
includes the following people:
1. Control System Engineers (e.g., Power Plant C&I System Engineers).
2. Control System Design Engineers (e.g., C&I OEMs and Contractors).
3. Instrumentation and Control Technicians (e.g., those operating and maintaining C&I
Systems).

This Standard is to be used throughout the lifecycle of the redundantly diverse control system and is
to be used in the following project stages:
1. Design.
2. Installation.
3. Configuration.
4. Logical Programming.
5. Testing and Commissioning.
6. Operations and Maintenance of Systems.

2.2 NORMATIVE/INFORMATIVE REFERENCES

2.2.1 Normative
[1] ISO 9001 Quality Management Systems.
[2] Engineering Change Management Procedure.

2.2.2 Informative
[3] “Defences Against Common-Mode Failures in Redundancy Systems – A Guide for
Management, Designers and Operators”, SRD R196, AJ Bourne, GT Edwards, DM Hunns,
DR Poulter, IA Watson, January 1981.


[4] “Common Cause Failures and Ultra Reliability”, Harry W. Jones. NASA AMES Research
Center.
[5] “4 Design of Fail-Safe Computer System”, Dr. Charles Kim. Electrical and Computer
Engineering Howard University.
[6] Patrick D.T. O’Connor (1985). “Practical Reliability Engineering”, 2nd Ed.

2.3 DEFINITIONS
Definition – Description

Common Mode Failure – A Common Mode Failure is the result of an event(s) which, because of
dependencies, causes a coincidence of failure states of components in two or more separate
channels of a redundancy system, leading to the defined systems failing to perform its intended
function [3].

Common Cause Failure – A common cause failure is a specific type of dependent failure where
several failures result from a single shared cause. A common event failure is a specific type of
common cause failure where multiple failures result from one single external event. The failures are
usually simultaneous or nearly so. Or, common event failures can occur in an extended cause and
effect sequence, called a cascade failure. Common event failures are a concern for on-line
redundant systems [4].

2.3.1 Disclosure Classification


Controlled disclosure: controlled disclosure to external parties (either enforced by law, or
discretionary).

2.4 ABBREVIATIONS
Abbreviation Description
C&I Control and Instrumentation
CCF Common Cause Failure
CMF Common Mode Failure
DCS Distributed Control System
EMI Electro-Magnetic Interference
HMI Human Machine Interface
IO Input / Output
OEM Original Equipment Manufacturer
PLC Programmable Logic Controller
SCADA Supervisory Control and Data Acquisition


2.5 ROLES AND RESPONSIBILITIES


This document shall be used whenever control system design is performed, and especially during
C&I modification, C&I retrofit and C&I new build. It is the responsibility of the C&I Engineer to
diligently follow the principles set out herein, as is common practice.

2.6 PROCESS FOR MONITORING


The Control System Care Group operating under the C&I Power Plant Study Committee shall
ensure that this document is maintained.

2.7 RELATED/SUPPORTING DOCUMENTS


None.


3. CONTROL SYSTEMS DESIGN FOR REDUNDANCY AND DIVERSITY


Control Systems can be implemented in different architectural topologies, depending upon the
design function and the levels of automation or protection required. The simplest implementation
of a control system is the simplex system, i.e. a system which does not employ redundancy. This
can be applied to either basic control systems or even fail-safe systems, depending upon the
fail-safe behaviour of the control system and its components. It inevitably requires the accurate
detection of system faults, whether of sensor, actuator or control system failure, and this needs to
be engineered as part of control system design.
However, when simplex systems fail, or faults cannot be reliably detected, it is necessary to employ
control system redundancy. This is where two identical control systems (or components) are
configured redundantly and run in parallel. The objective of redundant topologies is to ensure the
integrity of control action, and especially to mitigate control system failure.

[Figure 1 diagram, labels only: Redundancy Principle A – Sensor, Module A (Main), Module B,
Error Detection, Error / Alarm, Control Output. Redundancy Principle B – Sensor, Module A,
Module B, Voting System, Control Output.]

Figure 1 – Basic Principles of Control System Redundancy (modified based upon [5])

The principles of control system redundancy are illustrated in Figure 1. It is clear that
redundancy brings with it aspects of fault detection, reliability of operation and principles of fault
tolerance.
These are applied to all aspects of control system design and include, although are not limited to,
the following C&I components:
1. Controllers, PLCs and DCSs.


2. Human Machine Interfaces and SCADA Systems.
3. Input / Output Modules.
4. Sensors and Actuators.
5. Networks and Networked Components.
6. Drives and Tripping Devices.
7. Cabling and Field Installation Components.
8. Wiring of Sensors, Control Modules and of Outputs.
Each of these control system components can, to some degree, be configured in a redundant
manner. This mitigates uncertainties in measurement and control, and it plays a role in the
detection of faults and failures.
Furthermore, redundancy affords the effective monitoring and control of systems, minimising
uncertainties due to measurement error, and provides for the detection of failures through
comparative error detection (see Figure 1, Redundancy Principle A).
In the power plant automation environment, the more commonly applied redundancy methodology is
Redundancy Principle B (see Figure 1), in which a voting system is used to guarantee the control
system output, based upon redundant IO, control and outputs.
In Figure 2, the C&I design principles are illustrated more fully, and incorporate principles of
power supply redundancy, sensor redundancy, automation system redundancy and final control
element or Effector redundancy. The idea is that each redundant system operates independently,
and also performs independent final control element actuation. Each control group is known as a
Channel.

Figure 2 – Control System Redundancy Architecture [5]
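The two principles of Figure 1, simulated as an added example (this code is not part of the standard; the controller implementations, the tolerance and the sensor values are constructed for the illustration). Principle A compares a main and a backup module and alarms on a discrepancy; Principle B votes across three channels. The last two demos show why redundancy alone is not enough: three identical channels sharing one design defect agree on the wrong output and raise no alarm, whereas a diverse backup module exposes the same defect, which is the Common Cause Failure argument made in Section 3.4.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# One redundant module/channel: sensor value -> control output
Controller = Callable[[float], float]


@dataclass
class Result:
    output: Optional[float]      # value passed to the final control element (None = no valid output)
    alarm: bool                  # True when the error-detection stage raised an error/alarm
    faulty_channels: List[int] = field(default_factory=list)  # channels the voter could attribute the fault to


def principle_a(sensor: float, main: Controller, backup: Controller, tolerance: float) -> Result:
    """Redundancy Principle A (comparative error detection).

    Module A (main) and Module B run in parallel on the same sensor value and a
    comparator alarms when their outputs differ by more than `tolerance`.
    With only two modules the comparator cannot tell which one is wrong, so the
    main module's output is still forwarded and the alarm is left for the
    operator or a higher-level response to act on.
    """
    out_a, out_b = main(sensor), backup(sensor)
    return Result(output=out_a, alarm=abs(out_a - out_b) > tolerance)


def principle_b(sensor: float, channels: List[Controller], tolerance: float) -> Result:
    """Redundancy Principle B (2-out-of-3 voting).

    Each of three channels computes an output. The voter passes the median when
    at least two channels agree within `tolerance`, flags any channel outside
    that band, and returns None (no valid output; downstream logic must take a
    fail-safe action) when there is no majority at all.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    outs = [c(sensor) for c in channels]
    median = sorted(outs)[1]
    agreeing = [i for i, v in enumerate(outs) if abs(v - median) <= tolerance]
    if len(agreeing) < 2:
        # All three disagree: no majority, and the fault cannot be attributed.
        return Result(output=None, alarm=True)
    faulty = [i for i in range(3) if i not in agreeing]
    return Result(output=median, alarm=bool(faulty), faulty_channels=faulty)


# --- constructed channel implementations (not taken from the standard) ---

def gain_controller(x: float) -> float:
    """Reference design: proportional output with gain 2."""
    return 2.0 * x


def defective_controller(x: float) -> float:
    """Same design as gain_controller with a constructed defect: inputs at or
    above 100 are mis-handled and drive the output to 0.0."""
    return 2.0 * x if x < 100.0 else 0.0


def diverse_controller(x: float) -> float:
    """Functionally equivalent output from a different design, so it does not
    share the defect above."""
    return x + x


def frozen_channel(_: float) -> float:
    """A channel whose output is stuck at 0.0 (an independent hardware fault)."""
    return 0.0


TOLERANCE = 0.1  # constructed agreement band for the comparator and the voter


def demo_single_channel_fault() -> Result:
    """One channel frozen: the voter masks it and names the faulty channel."""
    return principle_b(10.0, [gain_controller, gain_controller, frozen_channel], TOLERANCE)


def demo_common_cause_voting() -> Result:
    """Three identical channels sharing one design defect agree on the wrong
    output (0.0 instead of 300.0) and the voter raises no alarm: redundancy
    alone does not protect against a common cause failure."""
    return principle_b(150.0, [defective_controller] * 3, TOLERANCE)


def demo_diverse_comparison() -> Result:
    """The same defect with a diverse backup module under Principle A: the
    comparator sees the discrepancy and raises the alarm."""
    return principle_a(150.0, defective_controller, diverse_controller, TOLERANCE)


if __name__ == "__main__":
    for name, demo in [("single channel fault", demo_single_channel_fault),
                       ("common cause, identical channels", demo_common_cause_voting),
                       ("common cause, diverse comparison", demo_diverse_comparison)]:
        print(f"{name}: {demo()}")
```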


3.1 GENERAL REQUIREMENTS FOR REDUNDANCY

The following General Requirements are considered for redundancy.

1. Redundancy shall be applied to control systems to keep people and equipment safe. The
reliability of a control system has different connotations, but it is especially applied to the
process under control. Here the action of the control system needs to safeguard against failure,
and against the consequences of incorrect control action.
2. Therefore, a detailed risk assessment of the specific application, and of how the control system
mitigates failure through redundancy, is to be performed prior to control system design and
implementation.
3. A control system with a redundant topology shall increase reliability, shall reduce plant
outage, and shall be designed to remove Common Cause / Mode Failures.
4. Components of a redundant control system shall consist of identical pairs of equipment, to keep
the machine or process under control running and operational. Components include:
a. Redundant IO Communication Networks.
b. Redundant Control or Automation Processors.
c. Redundant HMI Control Networks.
d. Redundant Power Supply Configurations.
5. Redundancy operational concepts shall be implemented as follows (in principle; this may vary
from Vendor to Vendor).
a. “Master” or primary controller – This is the master controller controlling the process under
control.
b. “Slave” or secondary controller – This controller fulfils a standby function, to take control of
the process in the event that the “Master” fails or is Switched Over. This controller resides in
a different control chassis or is completely independent from the “Master”.
c. Switchover – Control transfer from the “Master” to the “Slave” occurs at Switchover.
Switchover shall be bumpless, where the “Slave” then becomes the “Master” and vice versa
(i.e., the previous “Master” then becomes the “Slave”).
d. The state of the control system shall not change during Switchover. This may depend upon
system configuration, but especially the control action (outputs) should not experience any
change in state. The transfer should be bumpless.
6. Controller Switchover shall occur for any of the following reasons:
a. Loss of Power Supply – The power supply feeding redundant control systems shall also be
redundantly configured as depicted in Figure 2. This topology of power supply configuration
removes CCFs due to power supply design. This also means that the electrical boards
feeding the design are also redundant. For AC supplies, redundant UPS shall be used and for
DC supplies, redundant battery charger supplies are used.
b. A Fault on the Controller – controller faults shall be clearly defined and documented, with
appropriate alarm response procedures. These faults are to be alarmed as part of the
hardware proxy of the controller and alarmed to the plant operator.
c. Removal or Insertion of control modules on the “Master” chassis.
d. Failure of any control module forming part of the “Master”.
e. Via Command.


f. Via Software.
g. Technology-specific Switchover behaviour is to be clearly known and documented.
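A master/standby controller pair with bumpless switchover, written as an added example for requirements 5 and 6 (this is not code from the standard or from any vendor's system). The controller names, the continuous tracking of the master's output by the standby, and the refusal of a switchover when the standby is not healthy are assumptions made for the example; the switchover reasons are those listed under requirement 6.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List


class Role(Enum):
    MASTER = auto()   # primary controller, in control of the process
    SLAVE = auto()    # standby controller, tracking the master


class SwitchoverReason(Enum):
    """Switchover triggers listed under requirement 6 (a to f)."""
    LOSS_OF_POWER_SUPPLY = auto()
    CONTROLLER_FAULT = auto()
    MODULE_REMOVED_OR_INSERTED = auto()
    MODULE_FAILURE = auto()
    COMMAND = auto()
    SOFTWARE = auto()


@dataclass
class Controller:
    name: str                  # constructed name, e.g. "AP1"
    role: Role = Role.SLAVE
    output: float = 0.0        # control output currently driven to the final control element
    healthy: bool = True


class RedundantPair:
    """Master/standby pair implementing requirements 5 and 6.

    Assumptions not stated in the standard: the standby tracks the master's
    output every scan, and a switchover is refused (and alarmed) when the
    standby is not healthy, since handing control to a failed controller
    would not keep the process running.
    """

    def __init__(self, primary: Controller, standby: Controller) -> None:
        primary.role, standby.role = Role.MASTER, Role.SLAVE
        self.master, self.slave = primary, standby
        self.alarms: List[str] = []   # alarms raised to the plant operator (req. 6b)

    def scan(self, demand: float) -> float:
        """One control cycle: the master drives the output and the standby
        tracks it, so that a later switchover changes nothing at the output."""
        self.master.output = demand
        if self.slave.healthy:
            self.slave.output = self.master.output
        return self.master.output

    def switchover(self, reason: SwitchoverReason) -> bool:
        """Transfer control from the master to the standby (req. 5c and 5d).

        Returns True when control was transferred. The output is compared
        before and after the role swap so the transfer is verifiably bumpless.
        """
        if not self.slave.healthy:
            self.alarms.append(f"switchover ({reason.name}) refused: standby {self.slave.name} is not healthy")
            return False
        output_before = self.master.output
        self.master, self.slave = self.slave, self.master              # roles swap;
        self.master.role, self.slave.role = Role.MASTER, Role.SLAVE  # previous master becomes the standby
        if self.master.output != output_before:
            # Tracking lapsed: the transfer would bump the plant, so it is recorded as a fault.
            self.alarms.append(f"switchover ({reason.name}) not bumpless: {output_before} -> {self.master.output}")
        else:
            self.alarms.append(f"switchover ({reason.name}): {self.slave.name} -> {self.master.name} (bumpless)")
        return True

    def report_fault(self, controller: Controller, reason: SwitchoverReason) -> bool:
        """Handle a fault on either controller (req. 6a to 6d). A fault on the
        master triggers a switchover; a fault on the standby only raises an
        alarm, because the master is still in control."""
        controller.healthy = False
        self.alarms.append(f"{controller.name} fault: {reason.name}")
        if controller is self.master:
            return self.switchover(reason)
        return False


def demo_commanded_switchover() -> RedundantPair:
    """Switchover via command (req. 6e) with the output state preserved."""
    pair = RedundantPair(Controller("AP1"), Controller("AP2"))
    pair.scan(42.0)
    pair.switchover(SwitchoverReason.COMMAND)
    return pair


def demo_master_power_loss() -> RedundantPair:
    """Loss of power supply on the master (req. 6a): the standby takes over."""
    pair = RedundantPair(Controller("AP1"), Controller("AP2"))
    pair.scan(42.0)
    pair.report_fault(pair.master, SwitchoverReason.LOSS_OF_POWER_SUPPLY)
    return pair


def demo_no_healthy_standby() -> RedundantPair:
    """Standby lost first, then the master: there is nothing healthy to switch to."""
    pair = RedundantPair(Controller("AP1"), Controller("AP2"))
    pair.scan(42.0)
    pair.report_fault(pair.slave, SwitchoverReason.MODULE_FAILURE)
    pair.report_fault(pair.master, SwitchoverReason.CONTROLLER_FAULT)
    return pair


if __name__ == "__main__":
    for demo in (demo_commanded_switchover, demo_master_power_loss, demo_no_healthy_standby):
        pair = demo()
        print(f"{demo.__name__}: master={pair.master.name} output={pair.master.output} alarms={pair.alarms}")
```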

7. An overview of the requirements for control system redundancy is tabulated in Table 1. (The
checklist below gives some additional design considerations for redundancy. However, a word of
caution on the use of checklists (or templates), especially when designing control systems, is
briefly given. During the development of the checklist, effort has been given to the accuracy of
the template and of its content, and it has been consulted with stakeholders. However, it should not
be blindly applied; a working knowledge of the system engineering is required for the
implementation of redundant systems. A full understanding of the design, its context and rationale
is required.)

Table 1 – A Control System Redundancy Checklist

# Considerations for Control System Redundancy Checklist (Check)

1. It is important to approach the C&I design problem based upon an informed assessment of the
system, its environment and especially of the associated risks documented as part of the Control
System Architecture. This may include a risk analysis, hazard analysis and specific requirements
necessary to fulfil the control function.
2. Are the system requirements documented, who owns the system requirements, and who is
responsible for their maintenance? It is important that the process followed in the preparation of
the control system requirements is clearly known and comprehensively recorded. This forms part of
the initial project definition phases, but specific engineering activities in design require special
emphasis.
3. Describe the process and approach to risk assessments and analysis as part of the Control System
design, considering operational experience, past incidents and all hazards, and their mitigation
through C&I design.
4. Requirements for redundancy are stated clearly, with one interpretation between the various
stakeholders, and effectively communicated.
5. Document all functional requirements of the Control System, including qualitative measures
(such as performance, reliability and availability).
6. Document the design strategy, demonstrating all functional, reliability, availability and safety
performance to be met by the design.
7. How does the system incorporate sensor redundancy? Consider aspects of error detection,
alarming and sensor diagnostics.
8. How does the system incorporate logical redundancy? Consider aspects of logical diagnostics,
error detection, fault tolerance and control self-diagnostics.
9. How does the system incorporate final element redundancy? Consider aspects of actuation,
interfaces to drives and tripping mechanisms. Also consider elements of the signal path.
10. Have the sensors providing inputs to redundant IO been considered? Are redundant IO adequately
separated? Is wiring consistent with redundancy principles?
11. What are the failure modes of the control system, and how does the control system architecture
mitigate such failure?


12. What are the failure modes of networked devices and communication interfaces, how tolerant is
the network architecture to failure, and how is such failure mitigated?
13. It is important to consider Control System Interfaces and their boundaries. This includes aspects
of dependencies and also interfaces to external system components.
14. Document the effects of system failures on interfacing systems.
15. Configuration management of DCS systems to implement the necessary redundant control functions
shall be defined.
16. Operational and Maintenance aspects of the life cycle of control system technologies need to be
considered during the design stages.

3.2 CONTROL SYSTEM DESIGN FOR RELIABILITY

Modern power plant control systems are large integrated systems, varying in technology and digital
complexity, and in order to meet the objectives of reliability, effective design principles need to be
followed. Reliability is concerned with the likelihood of failure and all aspects of design which
contribute to failure.
The reliability of control systems depends upon the structure and architecture of the system, its
components and sub-systems. It is further dependent upon the probability that the system will
perform according to the specifications of the design. It is therefore necessary to understand these
design aspects, and to implement design solutions within control systems for mitigating the effects
of failure.
The intent of this discourse is not to focus on the mathematical aspects of reliability (these are
contained within the referenced texts), but to give practical insight into the design of reliable and
robust control systems.
Systems shall be carefully designed and shall consist of the following design elements:

1. Control System Hardware Reliability

The reliability of control systems is achieved by design and is influenced by the decisions made
during the design process. Basic design requirements for reliable and failure-free control systems
shall be established as early as possible in the design stage. Elements to be taken into
consideration include:
a. Design by Analysis – Control Systems shall be designed by analysis; this shall include
elements of a risk assessment-based analysis in which control system architectures are
designed by analysing risk and modes of failure. Thereafter, designs shall be implemented
which mitigate these failures. Analysis methods include:
i. Failure Modes, Effects and Criticality Analysis (FMECA) – analysis of the design through
FMECA is one of the most widely used and accepted analysis methods for control
systems, and especially for safety-related control systems. Although this can be tedious
and expensive, it yields satisfactory design results and effective mitigation of failure.
ii. Fault Tree Analysis (FTA) – This method is a reliability design analysis method and
considers the system failure effects. It differs slightly from the FMECA approach, in that
it is a top-down approach considering all component failure modes. It is especially
beneficial to the analysis of large control system designs.


b. The effective implementation of design principles for redundancy – The application of
redundancy shall under all circumstances operate properly and avoid common mode
failures.
2. Control System Software Reliability
Control System Software plays another important role in the design of reliable systems. A
control system software fault could lead to a failure, which inevitably means that the specifications
of the control system are not met. If control system software fails, it could lead to a control output
not complying with the correct control action or requirements.
It is therefore deemed necessary that the reliability of software be confirmed through effective
design and testing. The development of control system software is a pure design function, and
it is therefore deterministic, meaning that it is predictable and repeatable in its processing and
action. Under specific conditions (of inputs, time and internal state), control system software will
always return the same output.
The plant environment, however, is not deterministic and can be classified as a stochastic process.

3. Assurance through Testing

a. Functional Testing – Functional testing of all hardware and software shall be performed. This
consists of the verification of control system functions, modes and normal operations.
b. Failure Mode Testing – Testing of control systems shall be performed to confirm the detection
of faults and the handling of failures and errors in signals, instrument measurement, actuators
and other control equipment forming part of the control system.
c. Performance Testing – Performance testing shall be performed over the different operational
modes of the Units.
d. Integration Testing – Integration between two or more control systems shall be tested.

3.3 INDEPENDENCE OF CONTROL SYSTEMS

Control Systems for power plant automation are to be designed to be functionally separate. This
includes elements of system interdependence and system separation. This is especially true in the
case of Control Systems and Protection Systems; however, depending upon the design requirements,
systems can have some measure of separate independence. This includes elements of different
systems, physical separation and having different automation systems performing different
functions.
As an example, functional separation of control systems according to functional area, implemented
on different automation processes, forms part of the independence of control systems. In this case,
failure of one functional system does not cause failure of the entire system, but may cripple the
capability of the system. Therefore, physical redundancy of systems is followed by functional
independence, as the functional area dictates.

3.4 REDUNDANT CONTROL SYSTEMS AND DIVERSITY

Design diversity has been applied to protect against Common Mode Failures and has been used in both the design of hardware systems and that of software systems. In general, CMF's or CCF's include errors in design and operational failures, and can also be attributed to interference such as Electro-Magnetic Interference (EMI) or power supply disturbances, to name but a few. A large percentage of these can be mitigated through defence in depth in design and by considering the principles contained in this Standard.
The use of redundancy in C&I control system design is to enhance the reliability and dependability of the system. The assumption made when applying redundancy principles is that if one component fails, the remaining systems will continue to give the correct control response. This inherently makes the control system resistant to faults and failures. Therefore, the different systems are required to fail independently and to have no common or overlapping failure mechanisms.
To achieve this, diversity focuses on implementing control functions in two or more redundant systems or components with different attributes. In practice, this may be achieved through varied components based upon different designs or design principles, or may even consist of different OEM solutions. The motivation behind this approach is that although the systems perform the same function, because of their diversity their respective modes of failure will differ.
The principles of diversity are applied to all aspects of control system design:
1. Design Diversity.
2. Equipment Diversity.
3. Functional Diversity.
4. Signal Diversity.
5. Logical (or Software) Diversity.

Strategies for realising diversity consist of the following general approaches and can be applied to power plant automation in its entirety:
1. Diversity strategies based upon different technologies.
2. Diversity strategies based upon different approaches within the same technology.
3. Diversity strategies based upon different architectures within the same technology.

It is important to note that the application of diversity principles enhances the overall dependability of the control system, as well as the reliability of the control system architecture, its configuration and its design.
The implementation of hardware diversity is well understood and yields a low probability of failure. Software diversity, however, requires design effort and may require dedicated design and engineering. It should also be noted that the more complex systems become, the more difficult the implementation of diversity becomes. Aspects relating to design, development, installation, operation and maintenance become immediate design challenges which need to be carefully considered along with practical and financial constraints.
In the case of software diversity, one of the more commonly applied concepts is to acquire multiple versions of the software from different software development teams. The reasoning behind this approach is that different software developers will make different mistakes within their software and will use different logical algorithms.
Depending upon the criticality of the control and protection system, there is a compromise between simplicity of design and reliability. As the complexity of the design increases, the number of components in the system also increases, which can have a negative impact on system performance and may lead to unexpected failures or system interactions.
Therefore, the first rule in control system design is simplicity of design to meet the functional intent of the design objective. This is then verified through both pre- and post-design analysis.

4. REDUNDANCY AND DIVERSITY IMPLEMENTATION

The study of redundancy covers a broad area of research and applicability and can be classified into the following forms; the most common forms of redundancy are:
1. Hardware Redundancy – such as modular redundancy, or triple modular redundancy as used in safety critical systems.
2. Redundancy of Information – such as in the detection of errors (error detection) and their correction. Fault tolerant systems can also be classified under this heading.
3. Time Redundancy – such as software systems executing the same function multiple times, or the transmission of the same information multiple times.
4. Software Redundancy – enables the continuation of failed control tasks on standby systems. This increases the availability of the control system and can also be classified as fault tolerance.
5. Examples of where redundancy would mitigate failure include:
a. Failure of CPU components (power supply, backplane bus).
b. Hardware failures or software errors.
c. Failure of a redundant communication cable.
Each of these redundancy principles is used within Eskom control system technologies and is applied in various forms and implementation strategies.

4.1 USE OF NON-REDUNDANT CONTROL SYSTEMS

It is prudent to consider when redundancy is not required, and for this reason not all control systems are configured redundantly. The use of single automation processors (PLC's, standalone controllers or simplex control systems) is feasible in many situations; however, careful engineering analysis and design are required.
In most cases the level of redundancy required for control systems needs to match the level of redundancy of the physical plant. Depending upon the control topology selected and the control architecture designed, the availability of the control system needs to be higher than that of the physical plant.
Examples of where simplex systems can be used are as follows:
1. Simple skid control systems – many standalone systems use single automation systems, where the required availability of the system is not high.
2. Considerations of cost – increasing redundancy increases cost; therefore many control system installations weigh aspects of cost.
3. Levels of availability – the required level of control system availability will dictate the level of redundancy required.
a. Field Networks – Simplex control systems are typically configured with single networks, which provide a means of communication between networked field devices and the automation processor. Examples include various forms of Fieldbus, such as Profibus.
b. Control Level Networks – the automation networks are very seldom selected as simplex networks. However, in smaller control applications or standalone applications (such as individual control skids), these are selected as simplex.
c. Actuator / Sensor Interfaces – The interface between actuators and sensors (instrumentation) takes place through hardwired IO, remote IO and, in some cases, fieldbus.

4.2 CONTROL SYSTEM REDUNDANCY AND DIVERSITY

The generally accepted methodology for implementing the principles of redundancy and diversity is to follow a modular and scalable hardware architecture. This makes provision for modifications and changing control system requirements throughout the life of the control system equipment.
Control systems shall follow the following design principles for achieving redundancy and diversity:
1. Individual control systems shall be used for the Units.
a. Individual control systems for every Unit.
b. Individual control systems for the Common Plant.
2. Each control system (depending upon its specific application) shall in principle consist of the following elements.
a. An automation system for performing basic automation and control tasks, such as the acquisition of measured variables from the field, open loop and closed loop control functions, and commands for actuation.
b. Automation system processors shall be based upon a 1 out of 2 principle, switching from "master" to "slave" in the event of a fault.
c. Safety related automation and protection systems. A protection system separate from the automation system shall be installed.
i. Turbine Protection.
ii. Boiler Protection.
d. Communication modules for networked integration with third party systems, such as PLC's, DCS's and standalone controllers.
e. Operating and Monitoring Systems, which includes all HMI systems. The HMI system for each Unit / Common Plant shall be redundantly configured.
f. All servers forming part of control systems shall be redundantly configured.
3. Networked communication shall be redundant and single fault tolerant.
4. The control system architecture is designed in such a manner that no single component failure can result in a major plant failure. The basic concept of system (or plant control function) allocation to automation processors is given in Table 2 and Table 3. All AP's are redundant, including their communication networks.
5. Power supplies shall be configured redundantly. No load sharing distribution shall be allowed.

Table 2 – Common Plant Functional AP Allocation Example

Function | Description | AP allocation | IO Distribution of Signals
CFG01 | Coal Plant | AP1, AP2 (depending upon size of plant) | Functionally distributed, IO on different racks.
CFG02 | Ash Plant | AP2 |
CFG03 | Raw Water | AP3 |
CFG04 | WTP | AP3 |
CFG05 | Potable Water | AP3 |
CFG06 | Demineralised Water | AP3 |
CFG07 | Cooling Water (North Plant or East Plant) | AP4 | Each CW Pump IO on different IO racks.
CFG07 | Cooling Water (South Plant or West Plant) | AP5 | Each CW Pump IO on different IO racks.
CFG08 | Cooling System | AP4 |
CFG09 | Service Water | AP4 |
CFG10 | Fire Protection | AP4 |
CFG11 | Fuel Oil and Propane | AP2 |
CFG13 | Compressor Plant (North Plant or East Plant) | AP2 | Each Compressor IO on different IO racks.
CFG13 | Compressor Plant (South Plant or West Plant) | AP6 | Each Compressor IO on different IO racks.
CFG14 | Air Conditioning and Ventilation | AP2 |
CFG15 | Environmental | AP2 |
CFG16 | SO3 | AP3 |
CFG17 | Common/Unit SER (North Plant or East Plant) | AP5 | Functionally distributed, IO functionally distributed.
CFG17 | Common/Unit SER (South Plant or West Plant) | AP6 | Functionally distributed, IO functionally distributed.

Table 3 – Unit Functional AP Allocation Example

Function Group | Functional Description | AP allocation | IO Allocation (Notes)
FG01a | Boiler Protection | AP1 | Functionally distributed on different IO racks.
FG01b | Turbine Protection | AP2 | Functionally distributed on different IO racks.
FG02 | Unit Coordinator | AP3 |
FG03 | Fuel Oil and Gas | AP5 |
FG04a | Mill A - C | AP5 | Each Mill IO functionally distributed on different IO racks.
FG04b | Mill D - F | AP6 | Each Mill IO functionally distributed on different IO racks.
FG05a | Draught Group (Left) | AP5 | LH Draught Group IO on different IO racks.
FG05b | Draught Group (Right) | AP6 | RH Draught Group IO on different IO racks.
FG06 | Soot blowers | AP7 |
FG07 | Main Steam | AP7 |
FG08 | Unit Auxiliaries | AP8 |
FG09 | Condensate | AP8 |
FG10 | Feed water | AP8 |
FG11 | Turbine Control | AP4 | IO functionally distributed according to control functions.
FG12 | Turbine Governor | AP4 |
FG13 | Turbine Auxiliaries | AP4 |
FG14 | Generator | AP3 |
FG15 | Precipitators | AP6 |
FG16 | Unit Sampling | AP8 |

It should also be noted that the distribution of AP's according to functional areas shall be diligently implemented, taking into account the number of AP's available per the design and an effective cost compromise in the number of AP's used.
A knowledgeable and experienced control system engineer shall follow a systematic approach in the allocation of AP's to functional areas and subsystems. The design principles for the allocation of AP's shall consider aspects of redundancy, mitigation of control system failure, mitigation of MUT risk, and the critical design decisions required for the control system architecture and functions. A conservative and systematic approach shall maximise the availability of plant control systems.
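As an added worked example (not part of this Standard), the allocation in Table 3 can be checked mechanically against the single-failure requirement of clause 4.2: for each AP, list the functional groups lost if that AP fails, and confirm that the two halves of a split functional group (the "a"/"b" suffix convention is taken from Table 3 and the pairing rule is an assumption of this example) never share an AP. The table data is transcribed from Table 3; everything else is illustrative.

```python
"""Single-AP-failure analysis of a functional-group allocation (added example)."""
from collections import defaultdict

# Transcribed from Table 3 (Unit Functional AP Allocation Example):
# function group -> (functional description, AP allocation).
TABLE_3 = {
    "FG01a": ("Boiler Protection", "AP1"),
    "FG01b": ("Turbine Protection", "AP2"),
    "FG02": ("Unit Coordinator", "AP3"),
    "FG03": ("Fuel Oil and Gas", "AP5"),
    "FG04a": ("Mill A - C", "AP5"),
    "FG04b": ("Mill D - F", "AP6"),
    "FG05a": ("Draught Group (Left)", "AP5"),
    "FG05b": ("Draught Group (Right)", "AP6"),
    "FG06": ("Soot blowers", "AP7"),
    "FG07": ("Main Steam", "AP7"),
    "FG08": ("Unit Auxiliaries", "AP8"),
    "FG09": ("Condensate", "AP8"),
    "FG10": ("Feed water", "AP8"),
    "FG11": ("Turbine Control", "AP4"),
    "FG12": ("Turbine Governor", "AP4"),
    "FG13": ("Turbine Auxiliaries", "AP4"),
    "FG14": ("Generator", "AP3"),
    "FG15": ("Precipitators", "AP6"),
    "FG16": ("Unit Sampling", "AP8"),
}


def groups_by_ap(alloc):
    """Invert the allocation: AP -> sorted list of the function groups it hosts."""
    by_ap = defaultdict(list)
    for fg, (_, ap) in alloc.items():
        by_ap[ap].append(fg)
    return {ap: sorted(fgs) for ap, fgs in by_ap.items()}


def lost_on_failure(alloc, ap):
    """Function groups whose automation is lost if the (redundant pair) `ap` fails."""
    return sorted(fg for fg, (_, a) in alloc.items() if a == ap)


def most_loaded_ap(alloc):
    """The AP whose failure would take out the largest number of function groups."""
    return max(groups_by_ap(alloc).items(), key=lambda kv: len(kv[1]))[0]


def split_group_violations(alloc):
    """Split groups (FGnna / FGnnb) whose two halves sit on the same AP.

    Assumed rule for this example: a shared AP would let one AP failure remove
    both halves (e.g. all six mills), defeating the purpose of splitting the group.
    """
    violations = []
    for fg, (_, ap) in alloc.items():
        if fg.endswith("a"):
            partner = fg[:-1] + "b"
            if partner in alloc and alloc[partner][1] == ap:
                violations.append((fg, partner, ap))
    return violations
```

Running `split_group_violations(TABLE_3)` on the allocation as published returns no violations; re-allocating FG04b to AP5 (a constructed error) is reported as ("FG04a", "FG04b", "AP5").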

4.3 IO REDUNDANCY REQUIREMENTS

IO modules provide the hardware interface for the control system. This interface consists of field instrumentation, transducers, sensors and actuators. The configuration of the automation system defines the IO architecture and the requirements for IO redundancy.
Most IO modules can be configured for redundant (duplex) or non-redundant (simplex) operation. The wiring configuration of the IO module shall allow for redundant connections. The modules shall be located either within the same IO module base or in completely separate IO module bases. It is recommended that redundant IO modules be located separately on different bases.
IO modules perform analogue to digital conversion of process variables (such as temperature, pressure or other measurable quantities). These modules convert the analogue or digital, current or voltage, input or output signals into digital format, or vice versa.
Typical redundant configurations for IO are:
1. One out of two (1oo2).
2. Two out of three (2oo3).
3. Two out of two (2oo2).
One out of two (1oo2) configurations are safe, while two out of three (2oo3) configurations provide both safe and reliable operation. Two out of two (2oo2) configurations are less safe and are not recommended without an overall assessment of the safety requirements.
In addressing common mode failure, IO configurations 1oo2 and 2oo3 shall be used.
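The following added example (not part of this Standard) makes the safe / reliable distinction between the three voting configurations concrete: an M-out-of-N voter is exercised against every single channel stuck at "no trip" (a real demand must still trip: safety) and every single channel stuck at "trip" (no spurious trip: reliability/availability). The channel model and the labels returned by `classify` are this example's own simplification of the text; channels are simple booleans and detected channel failures are not modelled.

```python
"""Single-fault behaviour of 1oo2, 2oo3 and 2oo2 IO voting (added example)."""

# The three configurations named in clause 4.3: name -> (M, N).
CONFIGS = {"1oo2": (1, 2), "2oo3": (2, 3), "2oo2": (2, 2)}


def moon_vote(channels, m):
    """M-out-of-N voter: trip when at least `m` channels demand a trip.

    `channels` is a list of booleans, True meaning that channel demands a trip.
    """
    return sum(1 for c in channels if c) >= m


def single_fault_analysis(m, n):
    """Exercise an MooN voter against every single stuck-at channel fault.

    Returns (trips_on_demand, no_spurious_trip):
      trips_on_demand  - True if, for every channel stuck at "no trip", a real
                         demand on the other channels still trips the output.
      no_spurious_trip - True if, for every channel stuck at "trip", the output
                         stays healthy while no real demand is present.
    """
    trips_on_demand = True
    no_spurious_trip = True
    for faulty in range(n):
        # Real demand: all healthy channels trip, the faulty one is stuck low.
        demand = [i != faulty for i in range(n)]
        # No demand: only the faulty channel, stuck high, demands a trip.
        quiet = [i == faulty for i in range(n)]
        trips_on_demand &= moon_vote(demand, m)
        no_spurious_trip &= not moon_vote(quiet, m)
    return trips_on_demand, no_spurious_trip


def classify(m, n):
    """Map single-fault behaviour to the wording used in clause 4.3."""
    safe, reliable = single_fault_analysis(m, n)
    if safe and reliable:
        return "safe and reliable"
    if safe:
        return "safe"
    return "less safe"


def summary():
    """Classification of every configuration in CONFIGS."""
    return {name: classify(m, n) for name, (m, n) in CONFIGS.items()}


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name}: {verdict}")
```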

4.4 HMI INTERFACING REQUIREMENTS FOR REDUNDANCY

High availability control systems make extensive use of redundancy for all control system components, including the Human Machine Interface (HMI). The intent of HMI redundancy is to ensure the operational integrity of the control system in the presence of hardware failure, and to enable plant operation during such a failure.
As discussed before, redundancy is implemented through automation redundancy, IO redundancy and HMI redundancy.
HMI redundancy shall consider the following aspects in its design:
1. HMI client workstation redundancy – each HMI workstation shall be designed with a specific HMI function in mind, and segregated in its control, its distributed function and its power supply concept.
2. HMI servers are redundantly configured – each server is active and, in the case of failure, the "standby" redundant server shall take over.
3. HMI redundancy assumes redundant network communication – this provides for reliable and undisrupted control operation. This also applies to redundant network switches.

5. CONCLUSION
Redundancy and Diversity of Control System design are important concepts to mitigate technical
risk and to improve on the reliability and availability of control systems. This standard has given
some guidance on redundantly diverse control systems and their application.

6. AUTHORISATION
This document has been seen and accepted by:
Name Designation
Andrew Botshe Manager: C&I (Generation)
Christoph Kohlmeyer Chief Engineer: C&I
Cornelius Visagie Chief Technologist: C&I
Jorge Nunes Chief Engineer: C&C
Khaya Sobuwa Chief Engineer: C&I
Paul Du Plessis Chief Technologist: C&I
Prudence Madiba Senior Manager: C&I.
Zubair Moola Chief Engineer: C&I

7. REVISIONS
Date Rev. Compiler Remarks
September 2016 0.0 CD. Boesack First Draft for internal Review
February 2017 0.1 CD. Boesack Final Draft for Formal Comments Review Process
February 2017 0.2 CD. Boesack Updated Final Draft after Comments Review Process
February 2017 1 CD. Boesack Final Document for Authorisation and Publication
January 2022 1.1 CD. Boesack Minor updates for renewal.
January 2022 1.2 CD. Boesack Updated Final Draft after Comments Review Process
January 2022 2 CD. Boesack Final Rev 2 Document for Authorisation and Publication

8. DEVELOPMENT TEAM
The following people were involved in the development of this document:
• Dr. Craig D. Boesack

9. ACKNOWLEDGEMENTS
• Cornelius Visagie.
• Jorge Nunes.
