PTQ Q2 2024 Issue

Effect of redundancy/voting in SIL calculation

Developing safeguard strategies in the early stages of refinery and petrochemical project system design helps achieve optimal protection and prevent false alarms

Partha S Mondal Fluor Daniel India Pvt. Ltd

Engineers designing protective systems for a process plant often encounter and justify the use of redundancy. The questions encountered are:

• How are hardware fault tolerance (HFT) and redundancy related, and how are they applied in design?
• How much redundancy is required to achieve a targeted safety integrity level (SIL)?
• Why and when can we use Route 2H to assess HFT?
• How is redundancy achieved using multiple devices with similar technology or diversified technology?
• What type of redundancy is required in system design (1oo2, 2oo2, 2oo2D, 2oo3)?
• How can redundancy affect the PFD value during SIL calculation, and how does the selected architecture affect SIL verification?

The primary objective of redundancy is to avert any interruption in system operation in the event of a technical failure in one of the systems. This implies that if a single sensor fails to meet performance requirements, leading to a technical failure, redundant or multiple sensors are available without a loss of functionality. Redundancy is not solely designed to ensure plant safety but also to forestall false trips or false alarms and ensure availability. Parameters to consider when implementing redundancy in any system architecture will be reviewed to help system designers configure and justify redundancy.

Applying HFT and redundancy in design

Various types of redundant architecture can be applied in a safety instrumented system, such as 1oo1, 1oo2, 2oo2, 2oo3, 1oo2D, 2oo2D, and more. A 'hardware fault tolerance' of N means that N+1 is the minimum number of faults that could lead to a safety loss. The relationship between redundancy (MooN) and HFT is HFT = N - M, consistent with the examples that follow. For a 1oo2 redundant architecture, the HFT will be 1; for 2oo2, the HFT will be 0; and for 2oo3, the HFT will be 1. It is important to note that redundancy is not the same as HFT. Table 1 provides examples of HFT and redundancy to illustrate the concept.

Table 1: Redundancy and HFT examples

Redundancy   1oo1   1oo2   2oo2   2oo3   1oo3   1oo2D   3oo3
HFT          0      1      0      1      2      1       0

Redundancy required to achieve SIL

While evaluating the SIL of a safety instrumented function (SIF), the major factors deciding the achieved SIL include:

• Architectural constraints (redundancy)
• Target PFDavg or RRF to be achieved
• Requirement of systematic capability (SC)

IEC 61508 and IEC 61511 both define the minimum HFT (architectural constraint) requirement that must be met for the target SIL. IEC 61508:2010 provides two routes to satisfy the architectural constraints for a particular SIL of a particular safety instrumented function:

• Route 1H: based on the safe failure fraction (SFF) and hardware fault tolerance of each element.
• Route 2H: based on component reliability data from u

Table 2: SFF vs SIL vs HFT

Safe failure fraction   HFT 0                  HFT 1                  HFT 2
of an element           Type A   Type B        Type A   Type B        Type A   Type B
<60%                    SIL1     Not allowed   SIL2     SIL1          SIL3     SIL2
60-<90%                 SIL2     SIL1          SIL3     SIL2          SIL4     SIL3
90-<99%                 SIL3     SIL2          SIL4     SIL3          SIL4     SIL4
>=99%                   SIL3     SIL3          SIL4     SIL4          SIL4     SIL4

'Type A' devices have well-defined failure modes of all constituents, the behaviour of the element under fault conditions cannot be completely determined, and they have sufficient dependable failure data. 'Type B' devices have complex behaviour and failure modes, and typically contain embedded microprocessors and software. Example of Type A: pressure switch. Example of Type B: electronic pressure transmitter.
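The HFT, PFDavg and architectural-constraint reasoning above, carried through as an added Python example (not code from the article or from Fluor). It assumes the standard simplified low-demand PFDavg approximations for identical, independent channels (no common-cause or diagnostic terms, so the 1oo2D/2oo2D variants are not covered), the IEC 61508 low-demand SIL bands, and the Route 1H lookup transcribed from Table 2; the failure rate, proof-test interval and SFF are constructed sample values.

```python
"""HFT, simplified PFDavg and Route 1H cap for MooN voting groups (added example).
Assumptions: HFT = N - M; PFDavg from the standard simplified low-demand formulas
(identical independent channels, lambda_du in failures/hour, proof-test interval
TI in hours, no common-cause or diagnostic terms); IEC 61508 low-demand SIL bands;
ROUTE_1H transcribes Table 2 above."""

# Route 1H architectural constraint: device type -> SFF band -> max SIL at HFT 0, 1, 2
# SFF bands: 0 = <60%, 1 = 60-<90%, 2 = 90-<99%, 3 = >=99%; None = not allowed
ROUTE_1H = {
    "A": {0: (1, 2, 3), 1: (2, 3, 4), 2: (3, 4, 4), 3: (3, 4, 4)},
    "B": {0: (None, 1, 2), 1: (1, 2, 3), 2: (2, 3, 4), 3: (3, 4, 4)},
}

def sff_band(sff: float) -> int:
    """Map a safe failure fraction (0.0-1.0) onto the four SFF bands of Table 2."""
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3

def hft(m: int, n: int) -> int:
    """Hardware fault tolerance of an MooN group: faults tolerated before loss of function."""
    if not 1 <= m <= n:
        raise ValueError("MooN requires 1 <= M <= N")
    return n - m

def pfd_avg(m: int, n: int, lambda_du: float, ti_hours: float) -> float:
    """Simplified PFDavg. 2oo2 doubles the 1oo1 PFD (both channels must work to trip)
    but resists spurious trips; 1oo2 is the reverse; 2oo3 gets both benefits."""
    x = lambda_du * ti_hours
    formulas = {(1, 1): x / 2, (1, 2): x**2 / 3, (2, 2): x, (2, 3): x**2, (1, 3): x**3 / 4}
    return formulas[(m, n)]

def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band: SIL n covers 10^-(n+1) <= PFDavg < 10^-n (0 = below SIL1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def achieved_sil(m, n, lambda_du, ti_hours, dev_type, sff):
    """Achieved SIL is the lower of the PFDavg band and the Route 1H cap for the HFT."""
    cap = ROUTE_1H[dev_type][sff_band(sff)][min(hft(m, n), 2)]
    if cap is None:
        return 0
    return min(sil_from_pfd(pfd_avg(m, n, lambda_du, ti_hours)), cap)

if __name__ == "__main__":
    # Constructed data: Type B transmitters, SFF 92%, lambda_du 1e-6/h, yearly proof test
    for m, n in ((1, 1), (1, 2), (2, 2), (2, 3)):
        print(f"{m}oo{n}: HFT={hft(m, n)} PFDavg={pfd_avg(m, n, 1e-6, 8760):.2e} "
              f"SIL={achieved_sil(m, n, 1e-6, 8760, 'B', 0.92)}")
```

With the sample data, 1oo2 and 2oo3 both reach SIL3 rather than the SIL4 their PFDavg alone would suggest, because the HFT 1 column of Table 2 caps a Type B element at SIL3.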


www.digitalrefining.com
