Process Design Room Magic Talks 101: Voting the SIS way


The Design Room on Monday went democratic and started Voting. Not the politicking type that has some swearing to shave their beard if they lose but the type that has process engineers and other knights of the engineering Jedi order gibbering about safety instrumented systems (SIS) during a SIL verification process. I will give a slight knowledge-background before presenting our client’s situation.

According to IEC 61511, an SIS is a distinct, reliable system used to safeguard a process to prevent a catastrophic release of toxic, flammable, or explosive chemicals composed of sensors, logic solvers, and final control elements to take a process to a safe state, when predetermined conditions are violated.

For an SIS, voting specifies the impact of redundancy on fault tolerance. The architecture is usually based on a ‘KooN’ concept, which defines a structure of elements that functions when K out of N channels are functioning, and which fails when (N-K+1) or more of its elements fail. In layman’s terms, this may be interpreted as K devices out of a total of N devices voting to trip before a shutdown (or an action) takes place. Naturally, a de-energize-to-trip, fail-safe circuit design is employed in SIS execution: if power is removed from the circuit, it defaults to its trip position, triggering a plant shutdown and a safe condition. The selection of an appropriate voting arrangement needs to take into consideration the failure modes of the SIS equipment, classified as either a safe failure or a dangerous failure.

An SIS in safe failure mode overtly causes the SIF to activate and shut down the plant when there was no actual demand or need to do so hence being spurious in nature with wiseacre syndrome. On the other hand, dangerous failures are like spies concealing themselves and patiently waiting for the SIF to be activated when in need but then prevent it from doing so by jamming its safety action.

In the process world, the familiar voting arrangements are 1oo1, 1oo2, 2oo2 and 2oo3. These are the common ballots cast, and the arrangement that best satisfies a given SIF’s SIL requirement(s) is accepted, but only after a rigorous assessment confirms that the requirements are met.

Now, our client has a SIF they need to implement with two independent level devices to monitor and manage O2 levels on a polymer line in their system with stringent quality requirements, each wired to a separate trip alarm. The process will trip if either level (as transmitted) reaches the set point (synonymous with 1oo2 voting). However, if the trip alarm detects a fault (in the input or the device), the client does not want the process to trip, as this may effectively dump the line contents into a closed drain. He argues that it should be possible to take the faulty device out of service while the process is left running with only one working level device and trip alarm. This, of course, reduces the initial configuration to a 1oo1 arrangement (with the fault alarmed) until the faulty device is diagnosed and repaired (theoretically within at most 2 days).

If safety and spurious trip avoidance can be met by a 1oo1 choice, then that arrangement would be sufficient without any need for redundancy. It is key to note, however, that in this configuration the failure mode of a ‘closed circuit’ is a dangerous failure, as it prevents one from de-energizing the circuit to cause any safety action, whereas the failure mode of an ‘open circuit’ is a safe/spurious failure. One therefore needs to exercise their selection wand wisely, since this arrangement has no tolerance to either dangerous failures or safe failures.

On the other hand, dual-voted configurations (1oo2 or 2oo2) are interesting. If we consider a 1oo2 arrangement, a single vote from either one of the devices (remember, it is 1 out of 2 devices) will cause an action (or shutdown) to occur. This is the “safe” arrangement because, for the system to fail dangerously, both individual devices would have to fail dangerously. The arrangement is tolerant to one dangerous failure: if, say, device ‘X’ has a closed circuit, the ‘Y’ device circuit can still open to de-energize the overall system and bring the plant back to a safe state. However, if device ‘X’ suffers a safe failure, the entire system fails spuriously, so the arrangement is not tolerant to any safe failures. Although the 1oo2 voting arrangement improves safety, the spurious trip rate is twice as high, because the second device’s spurious failure can by itself cause an overall system spurious failure.

Voting a 2oo2 system, where both signals are required to be present for operation, increases reliability (where the safe state is off or non-operational). This is desirable for the safe operation of critical processes. System availability, which might otherwise be compromised by a single component loss shutting the system down, is preserved through fault degradation capability. The flip side is that the arrangement is not tolerant to dangerous failures: a closed-circuit failure of ‘X’ by itself results in a dangerous failure of the overall system, and the same is true for ‘Y’. The arrangement is nonetheless tolerant to one safe failure, because if, say, ‘X’ were to spuriously fail in the safe open-circuit mode, power would still be conducted through the ‘Y’ circuit, preventing a spurious system shutdown. This arrangement is commonly used on rotating equipment, where space limitations make it difficult to install three devices: it improves resistance to spurious failures at the cost of decreasing safety performance below what it would be with only a single device.

Meanwhile, even if dual-voted configurations aren't that effective on their own, with SIS diagnostics it is possible to achieve higher availability. Preliminary advice to our client is to consider a 2oo2D configuration.

The 2oo3 arrangement is the most costly and complex of the voting architecture options above, but it is the most commonly applied option when high SILs (SIL2 or SIL3) must be met. Mathematically, the system resembles elements of the dual configurations. The arrangement has the merit of providing one degree of tolerance to safe failures and one degree of tolerance to dangerous failures: if one device suffers a dangerous failure, the other two will still move the process to a safe state, and if one device suffers a safe failure, the other two will prevent the entire system from spuriously de-energizing.
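To make the fault-tolerance claims for 1oo1, 1oo2, 2oo2 and 2oo3 checkable, here is a small Python model of a de-energize-to-trip KooN vote. It is an added example, not code from the article or its author; the channel states, the `koon_trips` evaluator and the degradation policy in `degrade_on_detected_fault` (drop the faulted channel, lower K if it would exceed the remaining channels) are my assumptions, chosen so that the client's 1oo2 and the suggested 2oo2D both fall back to 1oo1 after a detected fault. The model ignores common-cause failures and failure rates; it only counts how many channel failures of each kind an architecture survives.

```python
# Channel states in a de-energize-to-trip loop (constructed model, not from the article).
NORMAL = "normal"            # healthy, no demand: contact closed, loop energised
DEMAND = "demand"            # healthy, set point reached: contact opens (votes to trip)
FAIL_SAFE = "fail_safe"      # open-circuit fault: votes to trip although there is no demand
FAIL_DANGER = "fail_danger"  # stuck-closed fault: cannot open when a demand arrives


def koon_trips(k, n, states):
    """Evaluate a KooN de-energize-to-trip vote.

    The logic solver trips when at least k of the n channel contacts are open.
    A stuck-closed (dangerous) channel never contributes a vote.
    """
    if len(states) != n:
        raise ValueError(f"expected {n} channel states, got {len(states)}")
    open_votes = sum(1 for s in states if s in (DEMAND, FAIL_SAFE))
    return open_votes >= k


def dangerous_fault_tolerance(k, n):
    """Largest number of stuck-closed channels the architecture can carry and
    still trip when the remaining channels see a genuine demand."""
    tolerance = 0
    for failed in range(1, n):
        states = [FAIL_DANGER] * failed + [DEMAND] * (n - failed)
        if not koon_trips(k, n, states):
            break
        tolerance = failed
    return tolerance


def safe_fault_tolerance(k, n):
    """Largest number of open-circuit (spurious) channel failures the architecture
    can carry without tripping the plant when there is no demand."""
    tolerance = 0
    for failed in range(1, n + 1):
        states = [FAIL_SAFE] * failed + [NORMAL] * (n - failed)
        if koon_trips(k, n, states):
            break
        tolerance = failed
    return tolerance


def degrade_on_detected_fault(k, n):
    """Fallback architecture once diagnostics flag one channel and it is taken
    out of service. Assumed policy: drop the channel and lower K if it would
    exceed the channels left, so 1oo2 and 2oo2D both fall back to 1oo1."""
    if n < 2:
        raise ValueError("nothing left to vote with after removing the faulty channel")
    n_left = n - 1
    return min(k, n_left), n_left


def tolerance_table(architectures):
    """Map each 'KooN' name to its (dangerous, safe) fault tolerance."""
    return {f"{k}oo{n}": (dangerous_fault_tolerance(k, n), safe_fault_tolerance(k, n))
            for k, n in architectures}


if __name__ == "__main__":
    for name, (dang, safe) in tolerance_table([(1, 1), (1, 2), (2, 2), (2, 3)]).items():
        print(f"{name}: tolerates {dang} dangerous and {safe} safe channel failure(s)")
    # The client's case: 1oo2 with one level device flagged faulty and removed.
    print("1oo2 after a detected fault -> %doo%d" % degrade_on_detected_fault(1, 2))
```

Running it reproduces the article's table in miniature: 1oo1 tolerates nothing, 1oo2 tolerates one dangerous failure but no safe one, 2oo2 the reverse, and 2oo3 one of each. The degraded 1oo1 the client would run on for up to two days is the arrangement with no tolerance at all, which is the trade-off the diagnostics-and-repair interval has to justify.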

What do you advise our client to do?



Chris Brookes-Mann

HM Principal Specialist Inspector | Chemicals, Explosives and Microbiological Hazards Division

3 years

“...our client has a SIF...to monitor and manage O2 levels on a polymer line in their system with stringent QUALITY REQUIREMENTS...” I might be splitting hairs, but by my understanding that’s not a *SIF* at all? There may be a SIS with a SIF in there somewhere to prevent runaway oxidation or whatever, but that doesn’t seem to be what the question is about?

Steve Green

Green Chemical Engineer

4 years

Suggest as with many 2oo3 systems the client would also be wise to test key components at a defined frequency consistent with the fault tree analysis, MTTF, MTTR, consequences etc. Might be that not all causes will raise an alarm and you're trying to detect unrevealed failures and fix these before they accumulate and later cause a trip which could have been avoided. Many who install 2oo3 systems forget to test them periodically, rather defeats the point of having 2oo3 to some extent.

Sean Moran CEng FCIWEM

Independent Expert Engineer: Chemical, Water and Environmental Engineering

4 years

More Harvey T. Dearden's area than mine this time, Noah Tibasiima, MIET AMIChemE...
