

May-2024

Effect of redundancy/voting in SIL calculation

Developing safeguard strategies in the early stages of refinery and petrochemical project system design helps achieve optimal protection and prevent false alarms.

Partha S Mondal
Fluor Daniel India Pvt. Ltd



Article Summary

Engineers designing protective systems for a process plant often encounter and justify the use of redundancy. The questions encountered are:
• How are hardware fault tolerance (HFT) and redundancy related, and how are they applied in design?
• How much redundancy is required to achieve a targeted safety integrity level (SIL)?
• Why and when can we use route 2H to assess HFT?
• How is redundancy achieved using multiple devices with similar technology or diversified technology?
• What type of redundancy is required in system design (1oo2, 2oo2, 2oo2D, 2oo3)?
• How can redundancy affect the PFD value during SIL calculation, and how does selected architecture affect SIL verification?

The primary objective of redundancy is to avert any interruption in system operation in the event of a technical failure in one of the systems. This implies that if a single sensor fails to meet performance requirements, leading to a technical failure, redundant or multiple sensors are available without a loss of functionality. Redundancy is not solely designed to ensure plant safety but also to forestall false trips or false alarms and ensure availability. Parameters to consider when implementing redundancy in any system architecture will be reviewed to help system designers configure and justify redundancy.

Applying HFT and redundancy in design
Various types of redundant architecture can be applied in a safety instrumented system, such as 1oo1, 1oo2, 2oo2, 2oo3, 1oo2D, 2oo2D, and more. A ‘hardware fault tolerance’ of N means that N+1 is the minimum number of faults that could lead to a loss of the safety function.

The relationship between redundancy (MooN) and HFT is expressed by the formula HFT = N − M. For a 1oo2 redundant architecture, the HFT will be 1; for 2oo2, the HFT will be 0; and for 2oo3, the HFT will be 1. It is important to note that redundancy is not the same as HFT. Table 1 provides examples of HFT and redundancy to illustrate the concept.

Redundancy required to achieve SIL
While evaluating the SIL of a safety instrumented function (SIF), the major factors deciding the achieved SIL include:
1. Architectural constraints (redundancy)
2. Target PFDavg or RRF (risk reduction factor) to be achieved
3. Requirement of systematic capability (SC).
IEC 61508 and IEC 61511 both define the minimum HFT (architectural constraint) requirement, which is required to meet the target SIL.
IEC 61508:2010 provides two routes to satisfy the architecture constraints to meet a particular SIL for a particular safety instrumented function:1
• Route 1H: It is based on safe failure fraction and hardware fault tolerance of each element.
• Route 2H: It is based on component reliability data from field feedback/based on data collected in accordance with international standards (such as IEC 60300-3-2 or ISO 14224).

It is important to note that if route 2H is selected, the reliability data uncertainties will be considered when calculating the target failure measure (PFDavg or PFH), and the system will be improved until there is confidence greater than 90% that the target failure measure is achieved. As per route 1H of IEC 61508, the HFT constraint to SIL is described in Table 2.

Hence, as per Table 2, if route 1H is selected for a type B element, SIL 2 can be achieved with HFT=0 and SFF greater than 90%.

If IEC 61508:2010 route 2H is followed, Table 3 can be constructed. This is the same as IEC 61511:2016.

Example: Two level transmitters are used to design a SIF. The logic solver (PLC) is designed to trip if either transmitter detects a dangerous condition (1oo2). To what SIL can this configuration qualify per IEC 61511 or 61508 Route 2H? Since the HFT of this configuration is ‘1’, it means if one transmitter fails, the other transmitter can still perform the safety function. As per Table 3, the sensor configuration can qualify for SIL 3 for any mode.

The Type A device (valve) can be better understood with the following example: if we follow Route 1H and the SFF is <60%, then as per Table 2 we require three valves in series to achieve SIL 3, and if the SFF is ≥60%, then we require two valves in series. Hence, designers and equipment manufacturers have always tried to prove that SFF ≥60% to reduce the cost of an additional valve while still achieving SIL 3.

Route 2H is a method to calculate the target failure measure (PFDavg) based on the reliability data uncertainty for the entire element according to IEC 61508. It is based on the historical data of the device, where the confidence level is more than 90%. Instead of determining the safe failure fraction (SFF), Table 3 can be used to determine the maximum possible SIL against each hardware fault tolerance. So, if the confidence level can be demonstrated, an HFT of 1 is sufficient for SIL 3; similarly, an HFT of 0 is acceptable for a SIL 2 application.

Please note that when comparing historical data, it must be taken from a similar application (subsea instrument data should not be compared with data for an instrument used in clean water service).3 The failure rates in these two services will always be different. Generally, if the failure data has been evaluated according to route 2H, this will be shown on the SIL certificate of the device. For example:

Hence, if accurate data is available (a confidence level greater than 90%), the architectural constraints can be reduced using Table 3.

Achieving redundancy4
When incorporating redundant sensors, design engineers must account for the impact of common cause failures. To mitigate common cause failure, redundant sensors may be physically separated (for example, separate tappings) and electrically isolated (for example, wiring through separate junction boxes and cables). This serves to diminish common environmental stress.

An alternative approach to reducing common causes of failure in redundant architecture involves using devices from different manufacturers. While this approach mitigates common design and manufacturing defects to some extent, it is important to note that, as the sensors share the same technology, they will respond similarly to external disturbances.

Diversity in technology presents another avenue for minimising common mode failures. In this scenario, different sensor technologies are employed to measure the same variable in a redundant configuration.

This helps decrease common faults but introduces new challenges, such as differing calibration procedures, varied repair methods, potential data mismatches due to distinct digital rounding practices, diverse maintenance cycles, disparate spare part requirements, and increased operational complexity.
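As an added worked example (not from the article or from Fluor), the following Python script ties the HFT = N − M relationship from the earlier section to the common cause point made here: it computes PFDavg for 1oo1, 1oo2, 2oo2 and 2oo3 with a beta-factor common cause share and shows that, once beta is non-zero, the common cause term rather than the independent term decides the SIL band a voted architecture lands in. The PFDavg expressions are the usual simplified IEC 61508-6 style approximations (repair time neglected), the SIL bands are the low-demand PFDavg bands of IEC 61508/61511, and the failure rate, proof-test interval and beta values are constructed sample inputs.

```python
import re

# Low-demand PFDavg bands from IEC 61508-1 / IEC 61511-1 (lower bound, upper bound, SIL).
SIL_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))

def hft(moon: str) -> int:
    """HFT = N - M for an 'MooN' voting string: '1oo2' -> 1, '2oo2' -> 0, '2oo3' -> 1."""
    m = re.fullmatch(r"(\d+)oo(\d+)", moon.strip().lower())
    if not m:
        raise ValueError(f"not a MooN architecture: {moon!r}")
    votes, channels = int(m.group(1)), int(m.group(2))
    if not 1 <= votes <= channels:
        raise ValueError(f"need 1 <= M <= N: {moon!r}")
    return channels - votes

def pfd_avg(moon: str, lambda_du: float, ti_hours: float, beta: float = 0.0) -> float:
    """Simplified PFDavg with a beta-factor common-cause share (repair time neglected).
    lambda_du: dangerous undetected failure rate per hour of one channel;
    ti_hours: proof-test interval in hours; beta: fraction of lambda_du hitting all channels."""
    x = lambda_du * ti_hours          # dangerous failures expected per proof-test interval
    ind = (1.0 - beta) * x            # independent (channel-specific) share
    ccf = beta * x / 2.0              # common-cause share: defeats every channel like a 1oo1 fault
    formulas = {
        "1oo1": x / 2.0,              # single channel, averaged over the interval
        "1oo2": ind ** 2 / 3.0 + ccf, # both channels must fail dangerously (HFT 1)
        "2oo2": ind + ccf,            # either channel failing defeats the trip (HFT 0)
        "2oo3": ind ** 2 + ccf,       # any two of three failing defeats the trip (HFT 1)
    }
    try:
        return formulas[moon.strip().lower()]
    except KeyError:
        raise ValueError(f"no simplified formula for {moon!r}") from None

def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg value; 0 means the value does not reach SIL 1."""
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0

if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-6 /h per transmitter, annual proof test, beta = 0 and 10 %.
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        for beta in (0.0, 0.1):
            pfd = pfd_avg(arch, 1e-6, 8760.0, beta)
            print(f"{arch} HFT={hft(arch)} beta={beta:.0%} PFDavg={pfd:.2e} "
                  f"RRF={1 / pfd:,.0f} -> SIL {sil_from_pfd(pfd)}")
```

With these inputs the 1oo2 pair drops from the SIL 4 band at beta = 0 to the SIL 3 band at beta = 10%, almost entirely because of the common cause term, while 2oo2 ends up with a worse PFDavg than a single channel, which is the price paid for avoiding spurious trips.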

Therefore, when selecting various sensor technologies or manufacturers, it is crucial to weigh multiple trade-offs, considering their impact on operations and maintenance processes at sites, as indicated by the Site Safety Index (SSI). The SSI, a straightforward five-level model, is designed to evaluate the influence of operations and maintenance processes at a given site.

