71364263 voting-logic-sil-calculation


Upload: mowaten-masry

Post on 07-May-2015



VOTING LOGIC

Voting logic architectures such as 1oo1, 1oo2, 2oo2 and 2oo3 are used in safety instrumented system design. They are usually applied to the field instruments and/or final control elements, either to reach a certain Safety Integrity Level (SIL) or to reduce the cost of spurious platform shutdowns. In general, when must we use a 1oo1, 1oo2, 2oo2 or 2oo3 voting logic architecture?

As mentioned above, there are two reasons a particular voting logic architecture is chosen: first, to reach a certain SIL, and second, to reduce the cost of spurious platform shutdowns. To determine the SIL requirement, a risk or process hazard analysis is used to identify all process, safety and environmental hazards, estimate their risks, and decide whether each risk is tolerable. Where risk reduction is required, an appropriate SIL is assigned. The individual components (sensors, logic solvers, final elements, etc.) that work together to implement each safety loop must comply with the constraints of the required SIL. In essence, this means that all components within the loop must meet the Probability of Failure on Demand (PFD), Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT) requirements for the intended SIL. Readers are encouraged to consult IEC 61508 and IEC 61511 for further detail on PFDavg, SFF and HFT.

As a general rule, the SIL requirement for a particular condition or application is first determined using a risk or process analysis. Once the SIL is determined, the architecture of the sensor, logic solver and final control element is studied to find which architecture fulfills the SIL requirement. For example, if the SIL requirement for a high-pressure incoming pipeline is SIL 3, the architecture of the pressure sensor and final element is investigated. If a 1oo1 sensor, 1oo1 logic solver and 1oo1 shutdown valve can fulfill the SIL 3 requirement, that architecture is chosen. If not, other voting logic architectures are investigated. Let's say that after several investigations the combination of 1oo2 sensor, 1oo2 logic solver and 1oo2 shutdown valve fulfills the SIL 3 requirement; that voting logic is then chosen. If a cost reduction study calls for minimizing spurious trips caused by a single sensor failure, the sensor voting logic may have to be upgraded to a 2oo3 architecture. This architecture can be chosen because, if one sensor fails, the remaining 1oo2 sensor configuration still fulfills the SIL 3 requirement, so a platform shutdown is not needed when one sensor fails.

See the case study below for a better understanding of the above explanation.

Let's say we need to design a High Pressure Protection System for the incoming pipeline from the offshore platform, and the SIL required for this specific application is SIL 3. The following data was provided by the transmitter, logic solver and shutdown valve manufacturers.

Pressure transmitter PFDavg = 1.52E-04, SFF = 93.10%

Logic Solver PFDavg = 6.9E-04

Shutdown valve PFDavg, which consists of:

Solenoid Valve PFDavg = 4.38E-04, SFF = 65.80%

Actuator PFDavg = 2.59E-04, SFF = 96.4%


Ball Valve PFDavg = 6.29E-05, SFF = >90%

The Safety Integrity Level (SIL) for each component architecture (transmitter and shutdown valve only) was calculated as follows:

Pressure Transmitter PFD and SIL Calculation for several voting logics (TI = 1 year, λDU = 3.04E-04 /year and SFF = 93.10% in every case)

1oo1: HFT 0, PFD = 1.52E-04, calculated SIL 3; maximum claimed SIL due to physical constraint = SIL 2

1oo2: HFT 1, PFD = 3.08E-08, calculated SIL 4; maximum claimed SIL due to physical constraint = SIL 3

2oo2: HFT 0, PFD = 3.04E-04, calculated SIL 3; maximum claimed SIL due to physical constraint = SIL 2

2oo3: HFT 1, PFD = 9.24E-08, calculated SIL 4; maximum claimed SIL due to physical constraint = SIL 3

Maximum claimed SIL for each shutdown valve component (all HFT 0)

Solenoid valve: PFDavg = 4.38E-04, calculated SIL 3; SFF = 65.80%, maximum claimed SIL due to physical constraint = SIL 2

Actuator: PFDavg = 2.59E-04, calculated SIL 3; SFF = 96.40%, maximum claimed SIL due to physical constraint = SIL 3

Ball valve: PFDavg = 6.29E-05, calculated SIL 4; SFF > 90%, maximum claimed SIL due to physical constraint = SIL 3

From the above shutdown valve component SIL calculation, we can obtain the SIL for a complete shutdown valve assembly consisting of 1 solenoid valve, 1 actuator and 1 ball valve, as follows:


Shutdown valve complete assembly (1 solenoid, 1 actuator and 1 ball valve) SIL calculation

Shutdown valve: total PFDavg = 7.60E-04, calculated SIL 3; combined SIL due to physical constraint = SIL 2 (because the lowest SIL among the shutdown valve components is SIL 2, that of the solenoid valve)

From the above SIL calculation for the complete shutdown valve assembly, we can calculate the PFDavg and SIL for several shutdown valve voting logic schemes, as below.

Shutdown Valve PFD and SIL Calculation for several voting logics (TI = 1 year and λDU = 1.52E-03 /year in every case)

1oo1: HFT 0, PFD = 7.60E-04, calculated SIL 3; combined SIL due to physical constraint = SIL 2

1oo2: HFT 1, PFD = 7.70E-07, calculated SIL 4; combined SIL = highest SIL + N = SIL 3

2oo2: HFT 0, PFD = 1.52E-03, calculated SIL 2; combined SIL due to physical constraint = SIL 2

2oo3: HFT 1, PFD = 2.31E-06, calculated SIL 4; combined SIL = highest SIL + N = SIL 3

Having obtained the PFDavg for every possible voting logic combination, we can now investigate which voting logic architecture for the transmitter and shutdown valve is most suitable for achieving the SIL 3 requirement. See the calculations below for the possible schemes.


1oo1 pressure transmitter, logic solver, and 1oo1 Shutdown Valve

PFDavg total = 1.60E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

1oo2 pressure transmitter, logic solver, and 1oo1 Shutdown Valve

PFDavg total = 1.45E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

2oo2 pressure transmitter, logic solver, and 1oo1 Shutdown Valve

PFDavg total = 1.75E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

2oo3 pressure transmitter, logic solver, and 1oo1 Shutdown Valve

PFDavg total = 1.45E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

1oo1 pressure transmitter, logic solver, and 1oo2 Shutdown Valve

PFDavg total = 8.42E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 2

1oo1 pressure transmitter, logic solver, and 2oo2 Shutdown Valve

PFDavg total = 2.36E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

1oo1 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

PFDavg total = 8.44E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 2

1oo2 pressure transmitter, logic solver, and 1oo2 Shutdown Valve

PFDavg total = 6.90E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 3


1oo2 pressure transmitter, logic solver, and 2oo2 Shutdown Valve

PFDavg total = 2.21E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

1oo2 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

PFDavg total = 6.92E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 3

2oo2 pressure transmitter, logic solver, and 1oo2 Shutdown Valve

PFDavg total = 9.94E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 2

2oo2 pressure transmitter, logic solver, and 2oo2 Shutdown Valve

PFDavg total = 2.51E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

2oo2 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

PFDavg total = 9.96E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 2

2oo3 pressure transmitter, logic solver, and 1oo2 Shutdown Valve

PFDavg total = 6.90E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 3

2oo3 pressure transmitter, logic solver, and 2oo2 Shutdown Valve

PFDavg total = 2.21E-03 Calculated SIL = SIL 2

Maximum Claimed SIL due to physical constraint = SIL 2

2oo3 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

PFDavg total = 6.92E-04 Calculated SIL = SIL 3

Maximum Claimed SIL due to physical constraint = SIL 3


From the above SIL calculations, the following voting logic architectures can achieve the SIL 3 requirement:

1. 1oo2 pressure transmitter, logic solver, and 1oo2 Shutdown Valve

2. 1oo2 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

3. 2oo3 pressure transmitter, logic solver, and 1oo2 Shutdown Valve

4. 2oo3 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

The above order also gives a cost estimate for buying that particular SIL 3 loop: the uppermost is the least costly and the lowermost the most costly loop. The next step is for the plant operator to determine whether the shutdown cost is high. If the shutdown cost is high and they do not want spurious plant shutdowns, they may choose 2oo3 pressure transmitters, logic solver and 2oo3 shutdown valves. With this configuration, if one transmitter fails the system can still run using the 1oo2 pressure transmitter configuration. The same reasoning applies to the 2oo3 shutdown valve configuration.

EQUATIONS USED IN THIS ARTICLE

PFD calculation for several voting logic architectures

1oo1: PFD = λDU × TI / 2

1oo2: PFD = (λDU × TI)² / 3

2oo2: PFD = λDU × TI

2oo3: PFD = (λDU × TI)²

λDU = dangerous undetected failure rate (per year in this article)

TI = test interval

Safety Integrity Level versus PFD

SIL 1: 10^-1 to 10^-2

SIL 2: 10^-2 to 10^-3

SIL 3: 10^-3 to 10^-4

SIL 4: 10^-4 to 10^-5


Maximum claimed SIL due to architecture constraint, type A hardware (simple hardware)

SFF < 60%: HFT 0 = SIL 1, HFT 1 = SIL 2, HFT 2 = SIL 3

SFF 60% to < 90%: HFT 0 = SIL 2, HFT 1 = SIL 3, HFT 2 = SIL 4

SFF 90% to < 99%: HFT 0 = SIL 3, HFT 1 = SIL 4, HFT 2 = SIL 4

SFF >= 99%: HFT 0 = SIL 3, HFT 1 = SIL 4, HFT 2 = SIL 4

Maximum claimed SIL due to architecture constraint, type B hardware (complex hardware)

SFF < 60%: HFT 0 = not allowed, HFT 1 = SIL 1, HFT 2 = SIL 2

SFF 60% to < 90%: HFT 0 = SIL 1, HFT 1 = SIL 2, HFT 2 = SIL 3

SFF 90% to < 99%: HFT 0 = SIL 2, HFT 1 = SIL 3, HFT 2 = SIL 4

SFF >= 99%: HFT 0 = SIL 3, HFT 1 = SIL 4, HFT 2 = SIL 4

Hardware Fault Tolerance:

0 = no hardware failure is tolerated

1 = one hardware failure does not affect the system's function (redundant)

2 = one or two hardware failures do not affect the system's function (triple modular redundant)
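As an added example (not code from the original article), the PFD formulas, SIL bands and architectural-constraint tables above applied to the article's case-study data in Python. It assumes the transmitter is type B hardware (the article's SIL 2 at HFT 0 for 93.10% SFF matches the type B table), the valve components are type A, and the assembly limit follows the article's "lowest component SIL, plus one per added HFT" rule; the function names are the example's own.

```python
# Added example, not from the original article: the article's PFD formulas, its
# SIL band table and its architectural-constraint tables applied to its case study.
from math import floor, log10

# Case-study data from the article (1oo1 PFDavg with TI = 1 year, SFF as fractions)
TI_YEARS = 1.0
TX_PFD, TX_SFF = 1.52e-4, 0.931          # pressure transmitter (assumed type B)
LOGIC_SOLVER_PFD = 6.9e-4
SDV_PARTS = [(4.38e-4, 0.658), (2.59e-4, 0.964), (6.29e-5, 0.90)]  # solenoid, actuator, ball valve
HFT = {"1oo1": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1}

def pfd(arch, lam_du, ti=TI_YEARS):
    """PFDavg of one voting group from the article's equation table (lam_du in /year)."""
    x = lam_du * ti
    return {"1oo1": x / 2, "1oo2": x * x / 3, "2oo2": x, "2oo3": x * x}[arch]

def sil_from_pfd(p):
    """SIL band: SIL n means 10^-n <= PFD < 10^-(n-1); 0 if worse than SIL 1, capped at 4."""
    return 0 if p >= 0.1 else min(4, -floor(log10(p)) - 1)

# Architectural-constraint tables as given in the article: (SFF upper bound, SIL at HFT 0/1/2)
TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))]
TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))]

def max_sil_arch(sff, hft, type_b=False):
    """Maximum claimable SIL for one element; 0 means 'not allowed'."""
    for upper, row in (TYPE_B if type_b else TYPE_A):
        if sff < upper:
            return row[min(hft, 2)]

def shutdown_valve_max_sil(arch):
    """Article's rule: assembly limit = lowest component limit at HFT 0, plus one SIL per added HFT."""
    lowest = min(max_sil_arch(sff, 0) for _, sff in SDV_PARTS)
    return min(4, lowest + HFT[arch])

def loop_assessment(tx_arch, sdv_arch):
    """Return (loop PFDavg, calculated SIL, maximum claimable SIL) for one transmitter/valve pairing."""
    tx_lam = 2 * TX_PFD / TI_YEARS                         # λDU recovered from the 1oo1 PFDavg
    sdv_lam = 2 * sum(p for p, _ in SDV_PARTS) / TI_YEARS  # assembly PFDavg is the component sum
    total = pfd(tx_arch, tx_lam) + LOGIC_SOLVER_PFD + pfd(sdv_arch, sdv_lam)
    limit = min(max_sil_arch(TX_SFF, HFT[tx_arch], type_b=True), shutdown_valve_max_sil(sdv_arch))
    return total, sil_from_pfd(total), limit

def sil3_candidates():
    """All pairings whose calculated SIL and architectural limit both reach SIL 3."""
    return [(t, s) for t in HFT for s in HFT if min(loop_assessment(t, s)[1:]) >= 3]

if __name__ == "__main__":
    for t, s in sil3_candidates():
        total, calc, limit = loop_assessment(t, s)
        print(f"{t} transmitter + {s} shutdown valve: PFDavg {total:.2E}, SIL {calc}, max SIL {limit}")
```

Running it reproduces the article's four SIL 3 candidates and shows why the other twelve pairings fail: either the summed PFDavg lands in the SIL 2 band or an HFT 0 element caps the claimable SIL at 2.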
