A conundrum frequently facing safety system designers and plant managers is whether to use two transmitters in a one-out-of-two configuration (1oo2) or three transmitters in a two-out-of-three configuration (2oo3). While both configurations may satisfy the safety requirements, 2oo3 is traditionally considered the only choice when nuisance trip reduction is also a high priority, despite its higher cost, greater contribution to probability of failure on demand (PFD), and often, a sense of transmitter overkill.
In recent years, the concepts of diagnostic coverage, discrepancy alarms and transmitter self-diagnostics have gained acceptance and become proven in use. This trio of concepts gives 1oo2 greatly improved performance with regard to nuisance trip reduction. In many regards, 1oo2D (1oo2 with diagnostic coverage) is the new 2oo3.
In addition, as end users continue their migration from switches, dumb transmitters and relay-based safety systems to smart transmitters and PLC-based safety systems, some often over-looked low-cost practices can be adopted as further insurance against nuisance trips.
Making the right choices in any particular safety application remains a multi-faceted question. It is a function of safety integrity level (SIL), the importance of nuisance trip prevention, life-cycle cost, inherent difficulty of the measurement, peace of mind and safety competency. But, as a guideline, 1oo2D can give comparable or better performance than traditional 2oo3. Even 1oo1D can provide excellent PFD and probability of nuisance trip (PNT) performance in many applications. Add to this some fundamental competency practices and nuisance trips can be largely eliminated.
The design of safety instrumented functions (SIFs) is initially based on achieving the required safety integrity level (SIL), leading to the selection of one, two or sometimes three redundant transmitters (Fig. 1). In recent decades, the safety community has rather brilliantly formalized and quantified this process according to ISA 84.01/IEC 61511, Safety instrumented systems for the process industry sector.
Fig. 1. Typical transmitter configurations for various safety integrity levels (SILs) for a safety instrumented function that trips valve(s) on high pressure.
Secondly, the SIF designer must also consider the acceptable level of spurious (or nuisance) trips, which is the likelihood the safety function will activate unnecessarily, causing anything from a minor nuisance to a severe operational or economic penalty. In recent years, awareness has grown that nuisance trips also carry safety penalties. This is because even though, in theory, a trip is assumed to result in a safe state, a high proportion of incidents have been found to occur during plant startup or restart activities.
Nuisance trips. Unfortunately, the safety community has not yet found a methodology to fully address the nuisance trip aspect of SIF design. Methods are available to predict the expected frequency of nuisance trips, namely mean time to failure spurious (MTTFS), but not to determine an acceptable level for any particular SIF function. Spurious trip level (STL) has been proposed, but as a purely economic function, it has limitations, including difficulty in assigning cost, differences in cost scale from one site to another and a lack of factoring safety or other non-economic negative impacts of spurious/nuisance trips. A practical performance goal is that a safety function should not result in more nuisance trips than true trips.
What are the options available to reduce the probability of a nuisance trip (PNT), after the SIL level has been satisfied? Historically, the only design option has been 2oo3, due to its inherent fault tolerance (one transmitter can fail outright and the SIF will continue to function safely as a 1oo2, without a nuisance trip, while the failed transmitter is repaired). But in today's world, with smart transmitters and other forms of diagnostic coverage, there are alternatives that can provide similar or superior performance to 2oo3, in terms of both PFD and PNT, without the spectacle (and cost) of either hanging three transmitters in the field for every SIF or leaving yourself exposed to the possibility of excessive nuisance trips.
Diagnostic coverage. Diagnostic coverage is the ability to proactively detect faults and respond safely, preferably without a nuisance trip. For transmitters, it comes in two common forms: self-diagnostics and discrepancy alarms.
Transmitter self-diagnostic coverage is the percentage of transmitter (or measurement) faults that can be detected by the transmitter itself. For common smart transmitters, whose self-diagnostics have been steadily beefed up over the years, coverage is often in the range of 50%. For safety transmitters, which are certified for use according to SIL level, and which typically have greater self-diagnostics, measurement diagnostics (such as detection of impulse line pluggage) and more rigorous manufacturing quality controls, coverage can be in the range of 90%. The coverage determination comes from the manufacturer's failure modes and effects diagnostic analysis (FMEDA) testing and review by a certifying agency.
Discrepancy alarms. Discrepancy alarms are deviation alarms between redundant transmitters. For example, in a 1oo1D configuration, the SIF transmitter and the control system transmitter are compared and a deviation greater than, say, 5% of span is alarmed, prompting maintenance to resolve the discrepancy before it grows and leads to a nuisance trip. This simple concept is powerful in terms of diagnostic coverage. A discrepancy alarm involving two transmitters may be credited with up to 90% diagnostic coverage, and an alarm involving three transmitters can bring up to 99% coverage. Because it is valid to include control system transmitters in the discrepancy alarm, discrepancy alarm coverage is possible even for 1oo1 SIF configurations.
Discrepancy alarms have limited ability to protect against sudden transmitter or measurement failures, since the response mechanism to a discrepancy alarm involves normal maintenance and troubleshooting procedures. But many transmitter faults are gradual, such as calibration drift or impulse line pluggage, so that a discrepancy alarm can occur and be resolved before a nuisance trip results. A discrepancy alarm is not considered a transmitter failure, does not remove any of the transmitters from the voting logic, and does not result in a transmitter upscale/downscale response, as a self-diagnostic fault would.
Fault tolerance without 2oo3. Diagnostic coverage brings fault tolerance to 1oo2 configurations. These configurations have traditionally lacked fault tolerance, which was a major Achilles heel. Self-diagnostics, combined with configurable fail direction (upscale or downscale), mean that transmitters in a 1oo2D configuration can be configured to fail in the non-trip direction, so the SIF will continue to function as a 1oo1 until the faulty transmitter is repaired. In this way, 1oo2D has fault tolerance to the extent of its diagnostic coverage, often 90 to 99%.
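The discrepancy alarm and the 1oo2D fail-direction behaviour described above, written out as logic-solver logic. This is an added example, not code from the article; the tag names, the 0 to 100 psig span, the 80 psig trip point and the behaviour when no healthy channel remains are constructed assumptions, while the 5% of span alarm limit is the article's own figure.

```python
from dataclasses import dataclass

@dataclass
class Transmitter:
    tag: str
    value: float            # pressure in engineering units (psig, constructed)
    fault_detected: bool    # self-diagnostic fault flag reported by the transmitter

# Constructed values for a high-pressure trip: 0-100 psig span, trip at 80 psig,
# discrepancy alarm at 5% of span (the figure the article uses as an example).
SPAN = (0.0, 100.0)
TRIP_HI = 80.0
DISCREPANCY_LIMIT_PCT = 5.0

def discrepancy_check(transmitters, span=SPAN, limit_pct=DISCREPANCY_LIMIT_PCT):
    """Deviation alarm between redundant transmitters, in % of span.
    Only channels without a detected fault are compared. The alarm is maintenance
    information only: it does not remove a transmitter from the vote."""
    healthy = [t.value for t in transmitters if not t.fault_detected]
    if len(healthy) < 2:
        return False, 0.0          # nothing to compare against
    deviation_pct = (max(healthy) - min(healthy)) / (span[1] - span[0]) * 100.0
    return deviation_pct > limit_pct, deviation_pct

def vote_1oo2d(transmitters, trip_hi=TRIP_HI):
    """1oo2D high-pressure vote. A transmitter with a detected fault is configured to
    fail downscale (the non-trip direction), so it drops out of the vote and the SIF
    degrades to 1oo1 on the remaining channel instead of tripping.
    Returns (action, voting_mode)."""
    healthy = [t for t in transmitters if not t.fault_detected]
    if not healthy:
        # Assumption, not stated in the article: with no valid measurement left the
        # function is taken to the safe state rather than left unprotected.
        return "TRIP", "no healthy channel"
    mode = f"1oo{len(healthy)}" + ("" if len(healthy) == len(transmitters) else " (degraded)")
    if any(t.value >= trip_hi for t in healthy):
        return "TRIP", mode
    return "RUN", mode

def scan(transmitters):
    """One logic-solver scan: trip decision plus discrepancy alarm for the operator."""
    action, mode = vote_1oo2d(transmitters)
    alarm, dev = discrepancy_check(transmitters)
    return {"action": action, "mode": mode, "discrepancy_alarm": alarm, "deviation_pct": round(dev, 2)}

if __name__ == "__main__":
    pt_a = Transmitter("PT-101A", 50.0, False)
    pt_b = Transmitter("PT-101B", 57.0, False)   # drifted 7% of span: alarm, no trip
    print(scan([pt_a, pt_b]))
```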
The new math.
Fig. 2 shows comparative figures for traditional dumb transmitter-based configurations and for smart transmitter-based configurations with diagnostic coverage. The numbers represent the relative effect on PFD and PNT due to transmitter redundancy choice. This is based on transmitters with a 1% probability of causing either a failure on demand (a dangerous undetected fault) or a nuisance trip (a safe detected fault). As the numbers indicate, when diagnostic coverage is factored in, the effect is to transform safe detected faults, to the extent of the diagnostic coverage, into alarms that will trigger transmitter maintenance, rather than trigger nuisance trips.
Fig. 2. Comparative effect on probability of failure on demand (PFD) and probability of nuisance trip (PNT) due to transmitter configuration based on transmitters with a 1% probability of causing each. 1oo1, 1oo2 and 2oo3 reflect traditional analysis based on transmitters with no diagnostic coverage. 1oo1D and 1oo2D reflect smart transmitters with various levels of diagnostic coverage, including coverage by discrepancy
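A simple independent-fault model of the comparison in Fig. 2, added here as an illustration rather than the article's own figures: each transmitter carries a 1% probability of a dangerous undetected fault and a 1% probability of a safe fault, and for the D variants a detected safe fault is assumed to fail in the non-trip direction and raise an alarm instead of tripping. The 90% coverage used for 1oo1D and 1oo2D is an assumption taken from the article's safety-transmitter and two-transmitter discrepancy alarm figures.

```python
from math import comb

def at_least(n, k, p):
    """Probability that at least k of n independent channels are in a state that each
    channel occupies with probability p (binomial tail)."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j) for j in range(k, n + 1))

def pfd(n, k, p_du):
    """koon voting fails on demand when fewer than k channels can still trip, i.e. when
    at least n-k+1 channels carry a dangerous undetected fault."""
    return at_least(n, n - k + 1, p_du)

def pnt(n, k, p_s, coverage=0.0):
    """koon voting trips spuriously when at least k channels drive toward trip. With
    diagnostic coverage, a detected safe fault is configured to fail in the non-trip
    direction and raises an alarm instead, so only the undetected fraction counts."""
    return at_least(n, k, p_s * (1 - coverage))

# (n, k, diagnostic coverage); the D variants assume 90% coverage, a figure the article
# quotes for a safety transmitter or a two-transmitter discrepancy alarm.
CONFIGS = {
    "1oo1": (1, 1, 0.0), "1oo2": (2, 1, 0.0), "2oo3": (3, 2, 0.0),
    "1oo1D": (1, 1, 0.9), "1oo2D": (2, 1, 0.9),
}

def compare(p=0.01, configs=CONFIGS):
    """PFD and PNT for each configuration with a 1% per-transmitter probability of a
    dangerous undetected fault and of a safe fault, plus each value relative to 1oo1."""
    out = {}
    for name, (n, k, cov) in configs.items():
        out[name] = {"PFD": pfd(n, k, p), "PNT": pnt(n, k, p, cov)}
    base_pfd, base_pnt = out["1oo1"]["PFD"], out["1oo1"]["PNT"]
    for v in out.values():
        v["PFD_rel"] = v["PFD"] / base_pfd
        v["PNT_rel"] = v["PNT"] / base_pnt
    return out

if __name__ == "__main__":
    for name, v in compare().items():
        print(f"{name:6s} PFD={v['PFD']:.6f} ({v['PFD_rel']:.3f}x)  PNT={v['PNT']:.6f} ({v['PNT_rel']:.3f}x)")
```

Raising the 1oo2D coverage to 99% (`pnt(2, 1, 0.01, 0.99)`) brings its PNT to about 0.0002, level with 2oo3 while keeping the better 1oo2 PFD, which is the comparison the text draws.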
Of course, 2oo3 performance similarly improves with diagnostic coverage, but its main strength is fault tolerance, and cases where 2oo3 performance is inadequate have been rare. So while 2oo3 would stay ahead of the pack under this new math, it would do so by exceeding requirements (and one might as easily say that the difference is outweighed by regaining the superior PFD values of 1oo2). As Fig. 2 shows, in terms of meeting requirements, providing fault tolerance and avoiding nuisance trips, 2oo3 today has a lot of company.
The math isn't exactly new, either. Manufacturers of safety transmitters have been advertising 1oo2D as an alternative to 2oo3 for over 10 years, but traction has been spotty for several reasons. The primary focus in the safety community over this period has been PFD, not PNT. Industry adoption of smart transmitters and smart logic solvers has, of course, been gradual. And end users in the field are slow to update their working paradigms. But this topic has great currency for the increasingly large number of end users who today find themselves with smart safety logic solvers and smart transmitters in place. This step, along with turning to ISA 84.01/IEC 61511 for greater guidance, can help improve all aspects of safety system life-cycle performance.
2oo3 also has the virtue of compensating for shortcomings in safety competency. But this may be only perceived, and may not be a virtue. Most nuisance trips are found to be preventable, which means that some aspect of the safety management life cycle has been neglected. Adding more transmitters may not be money well spent, and may simply lead to more problems, where a neglected or overlooked safety competency is the root cause. Elements of safety competency include:
Independent pre-trip alarms
Implementation of diagnostic coverage and discrepancy alarms
Timely response to self-diagnostic and discrepancy alarms
Configuration control of 1oo2D fault tolerance (upscale/downscale)
Reliable best practice field instrument installation
SIF proof testing program
Appropriate use of time delays
Real-time monitoring of smart transmitter diagnostic alerts
Effective DCS/SIS communication link and HMI design
Elimination of switches, which defeat diagnostic coverage principles
Reliable wiring (wiring ideally makes a negligible contribution to faults).
At first glance, this may appear to be a long list of complicated competencies, but most of them fall into place naturally as users move to safety-PLC-based safety systems and smart transmitters. The challenge facing most end users today is to institute a culture of awareness and management of safety competencies. The competencies themselves are mostly fundamental and are a product of ISA 84.01/IEC 61511 guidance, rather than a compliance challenge.
Note that while a computer-based logic solver is surely best practice in today's world, the benefits of diagnostic coverage can be captured even with legacy relay-based SIS systems by dialing in the appropriate configuration of upscale/downscale transmitter failure and implementing discrepancy alarms in the control system (assuming SIF transmitters are brought into a modern DCS for monitoring).
While all of ISA 84.01/IEC 61511 and the safety competencies listed previously are important, a productive, low-cost starting strategy to reduce nuisance trips is to verify:
At least two transmitters and a discrepancy alarm on every SIF
Reliable best practice field installation
Proper upscale/downscale design and configuration control.
In terms of selecting the number of transmitters, use these guidelines:
Use 1oo2D as the normal starting point for SIL2 applications.
Consider 2oo3 where nuisance trip prevention is overriding, or where measurement reliability is poor and multiple rapid measurement failures are possible, such as dirty, viscous or plugging service, or very weak signal strength.
Consider 1oo1D to improve SIL1 performance, and as a simpler approach to SIL2, where the measurement is inherently reliable, such as a clean, low viscosity, low temperature service with robust signal strength.
SIL and SIF basics
SIFs can be thought of as safety loops, because they have a lot in common with control loops: they comprise sensors (such as transmitters), final elements (such as valves), and a safety algorithm, usually a fairly straightforward piece of logic. But rather than doing process control, the purpose of SIFs is to increase process safety (or reduce risk). When the sensors indicate a potentially unsafe condition, the final elements are activated (or deactivated) to bring the process to a safe state, such as shutting down a heater on high temperature. To help achieve the required reliability, SIFs are usually implemented in a safety instrumented system (SIS) that is separate and independent from the basic process control system (BPCS or DCS).
Each SIF is designed to meet a specified SIL, which is basically a level of reliability. A SIL1 SIF must work at least nine times out of 10, thereby providing a risk reduction factor (RRF) of 10 and a probability of failure on demand (PFD) of 0.1. A SIL2 SIF must work at least 99 times out of 100, thereby providing an RRF of 100 and a PFD of 0.01. And a SIL3 SIF must work at least 999 times out of 1,000.
Practically speaking, it is difficult to design a SIF with greater reliability than SIL3. SIL4 is considered largely unachievable in the context of most conventional industry practices. Where this level of risk reduction is found to be necessary, it is recommended to investigate an inherently safer process design or alternative layers of protection.
For a given process, the necessary SIFs and their required SIL levels are determined within the safety life-cycle management framework defined by ISA 84.01/IEC 61511, Safety instrumented systems for the process industry sector, especially within the process hazard and risk analysis step. The SIL rating of any SIF depends on a reliability analysis of all loop components, demand frequency, proof test interval, diagnostic coverage, human factors and other considerations.
As Table 1 and Fig. 1 show, a single transmitter will usually suffice for a SIL1 SIF. For a SIL2 SIF, a single transmitter may suffice if demand frequency is low and the measurement is reliable. Or, two transmitters may be necessary if demand is high, and this may, in turn, require a third transmitter to prevent excessive nuisance trips, if the measurement is difficult or there is no diagnostic coverage.
Protective functions are very similar to safety functions in design, but their purpose is to protect against equipment damage, without safety implications. Protective functions often fall under the same engineering and management practices as SIFs, but greater user discretion is allowed with regard to cost vs. reliability, since money, not safety, is at stake. For brevity, the term SIF in this article encompasses safety and protective functions.
The vast majority of SIFs in industry are demand mode, meaning that upon detection of unsafe conditions, the function is triggered, placing a demand on the SIF. In this way, a SIF with an undetected dangerous fault may not result in a failure on demand if no demand occurs, i.e., if the fault is found and remedied without a demand occurring. A continuous mode SIF is one that results in a hazard immediately if it becomes unavailable, such as GPS-based positioning systems on (unanchored) deepwater drilling rigs.