An HFT of 1 is sufficient for SIL 3; similarly, an HFT of 0 is acceptable for a SIL 2 low demand application. Please note that when comparing historical data, it must be referenced from a similar application (comparing subsea instrument data with data for an instrument used in clean water service should not be done).3 The failure rate will always be different in these two bespoke services. Generally, if the failure data is evaluated based on Route 2H, this will be shown on the SIL certificate of the device. Hence, if you have accurate data (high confidence, 90% data quality), the architectural constraints can be relaxed using Table 3.

Achieving redundancy

When incorporating redundant sensors, design engineers must account for the impact of common cause failures.4 To mitigate common cause failures, redundant sensors may be physically separated (for example, separate tappings) and electrically isolated (for example, wiring with separate junction boxes and cables). This serves to diminish common environmental stress.

An alternative approach to reducing common cause failures in a redundant architecture is to use devices from different manufacturers. While this mitigates common design and manufacturing defects to some extent, it is important to note that, as the sensors share the same technology, they will still respond similarly to external disturbances.

Diversity in technology presents another avenue for minimising common mode failures. In this scenario, different sensor technologies are employed to measure the same variable in a redundant configuration. This helps decrease common faults but introduces new challenges, such as differing calibration procedures, varied repair methods, potential data mismatches due to distinct digital rounding practices, diverse maintenance cycles, disparate spare part requirements, and increased operational complexity.
Therefore, when selecting different sensor technologies or manufacturers, it is crucial to weigh the trade-offs, considering their impact on operations and maintenance processes at the site, as indicated by the Site Safety Index (SSI). The SSI, a straightforward five-level model, is designed to evaluate the influence of operations and maintenance processes at a given site.

Redundancy and selected architecture affect

How does redundancy affect the PFD value during SIL calculation, and how does the selected architecture affect SIL verification? To understand different types of voting logic and their impact, simple mathematical equations for PFDavg and spurious trip rate (STR) can be used. These simple approximate equations do not include common cause, diagnostics, proof test coverage, and other key variables.
Table 3 Architecture constraint vs SIL (IEC 61508-2:2010 Route 2H, clause 7.4.4.3.1)

SIL   Mode                               Minimum HFT   IEC 61508-2 clause
1     High demand or continuous mode     0             7.4.4.3.1 e)
2     Low demand mode                    0             7.4.4.3.1 d)
2     High demand or continuous mode     1             7.4.4.3.1 c)
3     High demand or continuous mode     1             7.4.4.3.1 b)
3     Low demand mode                    1             7.4.4.3.1 b)
4     Low demand mode                    2             7.4.4.3.1 a)
field feedback/based on data collected in accordance with international standards (such as IEC 60300-3-2 or ISO 14224). It is important to note that if Route 2H is selected, the reliability data uncertainties are taken into account when calculating the target failure measure (PFDavg or PFH), and the system is improved until there is a confidence greater than 90% that the target failure measure is achieved.

As per Route 1H of IEC 61508, the HFT constraint versus SIL is described in Table 2. Hence, as per Table 2, if Route 1H is selected for a Type B element, SIL 2 can be achieved with HFT = 0 and SFF greater than 90%. If IEC 61508:2010 Route 2H is followed, Table 3 can be constructed. This is the same as the table in IEC 61511:2016.

Example: Two level transmitters are used to design a SIF. The logic solver (PLC) is designed to trip if either transmitter detects a dangerous condition (1oo2). To what SIL can this configuration qualify per IEC 61511 or IEC 61508 Route 2H? Since the HFT of this configuration is 1, if one transmitter fails, the other transmitter can still perform the safety function. As per Table 3, the sensor configuration can qualify for SIL 3 in any mode.

The Type A device (valve) can be better understood with the following example: if we follow Route 1H and SFF is < 60%, then as per Table 2, we require three valves in series to achieve SIL 3, and if 60% ≤ SFF < 90%, two valves in series suffice. Hence, designers and equipment manufacturers have always tried to prove that SFF ≥ 60% to reduce the cost of an additional valve while achieving SIL 3.

Route 2H is a method to calculate the target failure measure (PFDavg) based on the reliability data uncertainty for the entire element according to IEC 61508. It is based on the historical data of the device, where the confidence level is more than 90%. Instead of determining the safe failure fraction (SFF), Table 3 can be used to determine the maximum possible SIL against each hardware fault tolerance. So, if the confidence level can be demonstrated, then HFT alone determines the maximum achievable SIL.
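As an added worked example (not code from the PTQ article or from any vendor tool), the following Python applies the simplified PFDavg and STR equations for the common voting architectures and then applies the Table 3 (Route 2H) hardware fault tolerance cap, so that the two-transmitter 1oo2 case above and the "how does the selected architecture affect SIL verification" question can be worked through together. The failure rates, proof test interval and MTTR are constructed inputs; the approximation formulas used (no common cause, diagnostics or proof test coverage) and the high demand SIL 4 entry, which the page's table does not list, are assumptions stated in the comments.

```python
"""Simplified PFDavg / STR per voting architecture, combined with the
Route 2H architectural constraint of Table 3 (low demand SIL bands).

Added worked example, not code from the article. Formulas are the usual
simplified approximations (no common cause, diagnostics or proof test
coverage). Rates are per hour; every numeric input is constructed.
"""

LOW = "low demand"
HIGH = "high demand or continuous"

# Table 3: maximum SIL claimable for a given HFT under IEC 61508-2 Route 2H
# (clause 7.4.4.3.1) / IEC 61511:2016. The (HIGH, 2) entry is an assumption
# taken from clause 7.4.4.3.1 a), which requires HFT 2 for SIL 4 regardless
# of mode; the page's table only lists the low demand row for SIL 4.
MAX_SIL_ROUTE_2H = {
    (LOW, 0): 2, (LOW, 1): 3, (LOW, 2): 4,
    (HIGH, 0): 1, (HIGH, 1): 3, (HIGH, 2): 4,
}

# Low demand PFDavg bands (IEC 61508-1 Table 2): PFDavg >= limit -> that SIL.
PFD_BANDS = [(1e-1, 0), (1e-2, 1), (1e-3, 2), (1e-4, 3)]


def hft(m: int, n: int) -> int:
    """Hardware fault tolerance of an MooN voted group is N - M."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


def max_sil_route_2h(hardware_ft: int, mode: str = LOW) -> int:
    """Architectural cap from Table 3; an HFT above 2 is treated as 2."""
    return MAX_SIL_ROUTE_2H[(mode, min(hardware_ft, 2))]


def pfd_avg(m: int, n: int, lambda_d: float, ti: float) -> float:
    """Simplified PFDavg; lambda_d = dangerous failure rate, ti = proof test interval."""
    x = lambda_d * ti
    if (m, n) == (1, 1):
        return x / 2
    if (m, n) == (1, 2):
        return x ** 2 / 3
    if (m, n) == (2, 2):
        return x
    if (m, n) == (2, 3):
        return x ** 2
    raise ValueError(f"no simplified PFDavg formula for {m}oo{n}")


def spurious_trip_rate(m: int, n: int, lambda_s: float, mttr: float) -> float:
    """Simplified STR; lambda_s = safe failure rate, mttr = mean time to restore."""
    if (m, n) == (1, 1):
        return lambda_s
    if (m, n) == (1, 2):
        return 2 * lambda_s
    if (m, n) == (2, 2):
        return 2 * lambda_s ** 2 * mttr
    if (m, n) == (2, 3):
        return 6 * lambda_s ** 2 * mttr
    raise ValueError(f"no simplified STR formula for {m}oo{n}")


def sil_from_pfd(pfd: float) -> int:
    """Low demand SIL band for a PFDavg; 0 means no SIL is claimable."""
    for limit, band in PFD_BANDS:
        if pfd >= limit:
            return band
    return 4  # below 1e-4 the value sits in the SIL 4 band


def achievable_sil(m: int, n: int, lambda_d: float, ti: float) -> dict:
    """Low demand: the claimable SIL is the lower of the PFDavg band and the HFT cap."""
    pfd = pfd_avg(m, n, lambda_d, ti)
    by_pfd = sil_from_pfd(pfd)
    by_hft = max_sil_route_2h(hft(m, n), LOW)
    return {"pfd_avg": pfd, "sil_by_pfd": by_pfd, "sil_by_hft": by_hft,
            "sil": min(by_pfd, by_hft)}


if __name__ == "__main__":
    # Constructed values: lambda_D 1e-6/h, lambda_S 5e-6/h, annual proof test, 8 h MTTR.
    LAMBDA_D, LAMBDA_S, TI, MTTR = 1e-6, 5e-6, 8760.0, 8.0
    for m, n in ((1, 1), (1, 2), (2, 2), (2, 3)):
        r = achievable_sil(m, n, LAMBDA_D, TI)
        print(f"{m}oo{n}: HFT={hft(m, n)} PFDavg={r['pfd_avg']:.2e} "
              f"SIL by PFD={r['sil_by_pfd']} cap by HFT={r['sil_by_hft']} "
              f"-> SIL {r['sil']}; STR={spurious_trip_rate(m, n, LAMBDA_S, MTTR):.2e}/h")
```

With these inputs the 1oo2 pair lands in the SIL 4 band on PFDavg alone but is capped at SIL 3 by its HFT of 1, which is exactly the Table 3 result for the two-transmitter example; 1oo1 and 2oo2 are both capped at SIL 2 (HFT 0, low demand) no matter how good the failure data is. The STR column shows the other side of the trade-off: 1oo2 doubles the spurious trip rate, while 2oo2 and 2oo3 reduce it by orders of magnitude.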
84
PTQ Q2 2024
www.digitalrefining.com