2oo3D voting

Thread Starter

amanemisa

Please help to explain if 1oo2D voting is just similar to 2oo3 voting for ESD system.

What application would a 2oo3 voting is more applicable to use?

We are currently upgrading our system and part of it is adding pressure transmitters that will trip the valve if the pressure rises beyond the stable pressure. How can I determine if its necessary to add 3 pressure transmitters or just 2 transmitter for this SIL 2 application?
 
2oo3 voting is a compromise between 1oo2 (most safe) and 2oo2 (most reliable, i.e. fewer spurious trips). It is not quite as safe as 1oo2, but better than 1oo2's spurious trip rate; nor is it quite as good as 2oo2 for spurious trips, but it is better than 2oo2 for safety, i.e. a good compromise between the two. It is what most people generally use when they require redundancy to balance safety with spurious trips. If you are primarily concerned with achieving the highest safety and spurious trips are not as big of a concern, choose 1oo2. If you are primarily concerned about spurious trips and you can live with 2oo2's safety, choose 2oo2. If you are concerned about both, choose 2oo3. Of course, whatever you choose must meet your SIL requirements.

William (Bill) L. Mostia, Jr. PE
ISA Fellow, SIS-TECH Fellow,
FS Eng. (TUV Rheinland)
SIS-TECH Solutions, LP

Any information is provided on Caveat Emptor basis.
 
Let's start with your requirement of tripping the valve on a rise of line pressure beyond the high limit. Now assume you have two pressure transmitters for the interlock of the ESD valve.

Considering the above case, let's see the effects on the valve:

1oo2 voting:
* If either transmitter gives a high limit value, it will trip the valve, whether it is spurious or actual.

* If one transmitter fails, then if the other transmitter gives a high limit value it will still trip the valve, whether it is spurious or actual.

* If one transmitter fails and the other also does not give a high limit value while the pressure is actually high in the line, then the valve will not trip, resulting in damage to the system.

This voting system is generally not kept on critical lines or vessels as the reliability factor is low. However, this type of system can be used for auto start of a pump or low-criticality applications, depending on process requirements.

Let's add one more pressure transmitter to the system and consider the 2oo3 voting system.

2oo3 voting:
* If all the transmitters give a high limit value, it will trip the valve, and the chance of a spurious value in all three transmitters is very low.

* If any one transmitter fails, the other two transmitters are still there to read the live value and can trip on a high limit value. Here the chance of a spurious trip is also low, and the reliability of the system is increased as a single failure does not affect the system.

* Only if any two transmitters fail will this voting system not work, and the probability of that occurring is very low.

Also, a 2oo3 voting system does not end with installing one more transmitter alongside the existing two. The following points should be met for a proper 2oo3 voting application with higher reliability and safety:

* Tappings for the transmitters should be individual from the main line.

* Transmitters should be configured on different analog input cards in the PLC system and not on a single analog input card.
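The 1oo2 and 2oo3 behaviour walked through in the reply above, including what happens when transmitters fail, as an added worked example in Python. This is not code from any poster or from a real logic solver: the tags, setpoint, readings and the degraded-voting policy are assumptions made for the illustration. It also adds a deviation check between the redundant transmitters, which is a common way to catch a transmitter that has failed without flagging itself.

```python
"""MooN voting over redundant pressure transmitters with per-channel health.

Added example for this thread; not code from any of the posters or from a
real logic solver. Tags, limits and the degraded-voting policy are
assumptions chosen for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Channel:
    tag: str        # assumed tag, e.g. "PT-101A"
    value: float    # process reading in barg
    healthy: bool   # False when the transmitter flags a fault (bad quality, out of range)


def vote(channels: List[Channel], m: int, n: int, high_limit: float,
         degrade: bool = True) -> Tuple[bool, str]:
    """Return (trip, reason) for an M-out-of-N high-pressure trip.

    Only healthy channels vote. With degrade=True the required count drops by
    one per failed channel (2oo3 -> 1oo2 -> 1oo1), so failures move the
    function toward the safe side (an assumed policy; a real SIF states it in
    the safety requirements specification). With degrade=False the original M
    is kept and the function trips (fails safe) once fewer than M healthy
    channels remain, because the vote can no longer be satisfied.
    """
    if len(channels) != n or not 1 <= m <= n:
        raise ValueError("inconsistent MooN configuration")
    healthy = [c for c in channels if c.healthy]
    failed = n - len(healthy)
    required = max(1, m - failed) if degrade else m
    if len(healthy) < required:
        return True, f"{failed}/{n} channels failed; fail-safe trip"
    high = [c.tag for c in healthy if c.value >= high_limit]
    if len(high) >= required:
        return True, f"{len(high)} of {len(healthy)} healthy channels high: {high}"
    return False, f"{len(high)} of {len(healthy)} healthy channels high (need {required})"


def deviation_alarm(channels: List[Channel], max_dev: float) -> bool:
    """True when the healthy channels disagree by more than max_dev.

    Redundant transmitters on the same line should read nearly the same
    pressure; a large spread points to a stuck or drifting transmitter that
    has not flagged itself as faulty (a dangerous undetected failure)."""
    vals = [c.value for c in channels if c.healthy]
    return len(vals) >= 2 and (max(vals) - min(vals)) > max_dev


if __name__ == "__main__":
    LIMIT = 12.0  # barg, assumed high-pressure trip setpoint
    # Constructed readings: transmitter A reads high, B and C read normal.
    pts = [Channel("PT-101A", 12.4, True),
           Channel("PT-101B", 9.8, True),
           Channel("PT-101C", 9.9, True)]
    print("2oo3, all healthy :", vote(pts, 2, 3, LIMIT))        # single high channel is outvoted
    print("1oo2 on A and B   :", vote(pts[:2], 1, 2, LIMIT))    # trips on the one high reading
    print("2oo2 on A and B   :", vote(pts[:2], 2, 2, LIMIT))    # no trip, B does not agree
    pts[2].healthy = False                                      # C fails: 2oo3 degrades to 1oo2
    print("2oo3, C failed    :", vote(pts, 2, 3, LIMIT))
    print("deviation A vs B  :", deviation_alarm(pts, 0.5))     # 2.6 barg apart: one is suspect
```

With the constructed readings the single high reading trips 1oo2, is outvoted in 2oo3 and 2oo2, and trips again once the 2oo3 has degraded to 1oo2 after channel C is declared faulty. The deviation alarm fires on the same data because A and B cannot both be right about the same line pressure; that is the case a healthy/faulty flag alone would miss.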
 
Continuing on with the subject, I am a little confused.

I have a process plant with reactor vessels with highly hazardous chemicals. The current ESD logics are based on 1oo1 for around 17 odd securities. This is true for around 6 different process areas.

Recently, I have had spurious trips on a couple of these trip interlock instruments and now need to review the system and modify the logics for greater reliability against these spurious trips.

I have the provision in most cases where a transmitter adjacent to the ESD instrument is giving a reading to the DCS, and I can divert that signal to the ESD to make the logic 2oo2 for these signals. From the ESD, I will then provide an AO to the DCS to ensure that the reading remains available on the DCS end as well.

In almost all such cases, I do not have another tapping available to make the logic 2oo3. Now I am in a complex situation where, in order to avoid spurious trips, I can provide 2oo2 logic, which will make the system more reliable but at the same time add a safety vulnerability to the process.

How should I proceed? Are there any specific SIL standards that I can refer to to assist me in this situation? Also, does it have to be an either/or situation with safety/reliability, or is there some other way out?
 
The first thing to do is to figure out what is causing the spurious trips. If it is due to failures of the transmitters, I would suggest buying a more reliable instrument or solving what is causing the failure. If it is due to the process, e.g. operating too close to your operating limits or due to large process transients or bumps which do not represent a safety hazard, etc., fix that problem (not enough info to help here).

If this is a safety instrumented function, the DCS transmitter cannot be used if the DCS transmitter can be an initiating cause for the hazard the SIF is protecting against. Also, the 2oo2 arrangement will have twice the probability of failure than the 1oo1.

Making the system more complicated than is necessary is not the preferred path.

William (Bill) L. Mostia, Jr. PE
ISA Fellow, SIS-TECH Fellow,
FS Eng. (TUV Rheinland)
SIS-TECH Solutions, LP

Any information is provided on Caveat Emptor basis
 
Thanks for the feedback, Bill. Let me clarify further.

The spurious trips are being caused by failures such as: temperature element failure, wrong actuation of a pressure switch, termination issues, vibration impact causing value fluctuation from the local JB, and similar.

All these instruments are top of the line and maintained as per vendor-recommended frequencies. These instruments are from Rosemount, Yokogawa, Ashcroft, etc.

Another issue is that since we are a petrochemical complex, the various hazardous chemicals are causing an impact not only in service but also externally on the tubing etc., even though we are using high-metallurgy instruments such as Hastelloy, Tantalum, Monel tubing, etc.

What I meant by using the DCS transmitter was to remove the loop for the transmitter from the DCS side and rather bring it to the ESD side to use in the safety function, and then, for the purpose of the DCS operator having a visual on the reading, provide an AO from the ESD to the DCS, which would have no impact on the safety function.

Also, can you clarify how the 2oo2 system will be more vulnerable than 1oo1 in terms of spurious failure probability?

Awaiting some good feedback on this for a healthy discussion.
 
srh,

I left off a couple of words when I was talking about "probability of failure". I should have said "probability of failure on demand," which would be of concern if your system requires a SIL verification calculation. The spurious trip rate of a 2oo2 arrangement is quite a bit lower than 1oo1 or 1oo2 voting arrangements and better than 2oo3. From what you have said, it would appear that your 2oo2 arrangement would help you in regards to spurious trips and would be allowable from a safety instrumented function perspective if you still meet the PFDavg required by your SIL level and the other requirements in the applicable SIS standard. I would recommend that you provide a deviation alarm for the two transmitters, which would help you in the PFDavg department.

I don't have any knowledge of your process or installation, but I have been in the chemical and refining industry for almost 40 years and I have worked as an instrument tech, I&E engineer, and as some other varieties of engineer. While it sounds like you have a tough process, my experience is that fixing your failures should not be an insurmountable task, however, it may be somewhat costly.

What concerns me is that your spurious trips are caused by failures that fail in the safe direction or failures resulting from failsafe action by the instrument/system, i.e. safe failures. Well, there are two sides to the coin, and the other side of the coin is the dangerous failures. If you are having a high rate of safe failures, you may also have a high rate of dangerous failures, which then brings safety into the picture.

After reading your post, I got to wondering if this is a new problem or a growing problem?

William (Bill) L. Mostia, Jr. PE
ISA Fellow, SIS-TECH Fellow,
FS Eng. (TUV Rheinland)
SIS-TECH Solutions, LP

Any information is provided on Caveat Emptor basis.
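Bill's two quantitative points above, that 2oo2 has twice the PFDavg of 1oo1 and that its spurious trip rate is the lowest of the four arrangements (then 2oo3, 1oo1, 1oo2), as an added worked example in Python that is not from the thread. It uses the simplified textbook approximations for a sensor subsystem with no common-cause term, no diagnostics, a perfect proof test, and no logic solver or final element; the failure rates, proof-test interval and MTTR are constructed values, and a real SIL verification must include everything this leaves out.

```python
"""Simplified PFDavg and spurious trip rate (STR) for 1oo1, 1oo2, 2oo2 and 2oo3
sensor subsystems.

Added example for this thread, not from any poster. The formulas are the usual
textbook simplifications: no common-cause (beta) term, no diagnostics, perfect
proof test, and the logic solver and final element are ignored. Numbers are
illustrative only; the input rates below are constructed, not vendor data.
"""

ARCHS = ("1oo1", "1oo2", "2oo2", "2oo3")


def pfd_avg(arch: str, lam_d: float, ti: float) -> float:
    """Average probability of failure on demand for the sensor subsystem.
    lam_d: dangerous failure rate per hour; ti: proof-test interval in hours."""
    x = lam_d * ti  # probability one channel fails dangerous over the interval
    return {
        "1oo1": x / 2,       # one channel, accumulates linearly over TI
        "1oo2": x ** 2 / 3,  # both channels must fail dangerous
        "2oo2": x,           # either channel failing dangerous defeats the trip
        "2oo3": x ** 2,      # three channel pairs, each contributing x**2 / 3
    }[arch]


def spurious_trip_rate(arch: str, lam_s: float, mttr: float) -> float:
    """Spurious (safe-failure) trips per hour.
    lam_s: safe failure rate per hour; mttr: mean time to repair in hours.
    For 2oo2 and 2oo3 a false trip needs a second safe failure before the
    first one is repaired, hence the lam_s**2 * mttr terms."""
    return {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "2oo2": 2 * lam_s ** 2 * mttr,
        "2oo3": 6 * lam_s ** 2 * mttr,
    }[arch]


def sil_band(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508 / 61511 table).
    Returns 0 when PFDavg >= 0.1 (no SIL credit) and 4 for anything below 1e-4."""
    for sil, upper in ((1, 1e-1), (2, 1e-2), (3, 1e-3), (4, 1e-4)):
        if pfd >= upper:
            return sil - 1
    return 4


def compare(lam_d: float, lam_s: float, ti: float, mttr: float) -> dict:
    """Return {arch: (PFDavg, SIL band, spurious trips per year)} for all four."""
    hours_per_year = 8760.0
    return {
        a: (pfd_avg(a, lam_d, ti),
            sil_band(pfd_avg(a, lam_d, ti)),
            spurious_trip_rate(a, lam_s, mttr) * hours_per_year)
        for a in ARCHS
    }


if __name__ == "__main__":
    # Constructed figures: lam_d = 1e-6/h, lam_s = 1e-5/h (a transmitter that
    # fails safe roughly once every 11 years), annual proof test, 8 h repair.
    for arch, (pfd, sil, str_yr) in compare(1e-6, 1e-5, 8760.0, 8.0).items():
        print(f"{arch}: PFDavg={pfd:.2e} (SIL {sil} band)  spurious trips/yr={str_yr:.2e}")
```

With these inputs 2oo2 comes out at exactly twice the PFDavg of 1oo1 (both still inside the SIL 2 band for a single transmitter), while its spurious trip rate drops by several orders of magnitude because two independent safe failures have to overlap within one repair time. The ordering of the trip rates, 2oo2 below 2oo3 below 1oo1 below 1oo2, is the one Bill describes. In practice the common-cause (beta) term that this simplification omits usually dominates the PFDavg of redundant sensors, which is why the earlier reply's separate tappings and separate input cards matter as much as the voting arithmetic.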
 
Bill,

Definitely better clarity on what you meant earlier, and you are spot on as regards the dev alm. I was having a discussion with my colleague today to review the pros and cons of going for this 2oo2 logic modification, and providing dev alms was indeed a subject under consideration. However, figuring out the limits of these dev alarms would be a tricky business!

Also, as regards process hazards, it is an ongoing battle. Sometimes we are on top of it, while at other times the process upsets win the battle, causing carryovers and acid/alkaline deviations resulting in impact on installed equipment and instruments (this includes excessive exchanger tube leaks). Cost is definitely then a major issue in such circumstances.

As regards your point on dangerous failures, do you mean the final element not responding to the process issue and then causing a major safety hazard?

And yes, this and similar problems have been there for the last 7 years of plant operation since commissioning, but the spurious trips have just increased this year in the last couple of months. Keep in mind this is a relocated plant which has already seen over 30 years of service at another location.

I will be putting forward this proposal for 2oo2 logic on trip securities to management for implementation; however, personally I am still a little shaky on the safety trade-off involved and the risk that might come into play as a result of dangerous failure of the instrument.
 
srh,

As a general statement regarding dangerous failures, the valves are included because they are exposed to the process and surrounding environment. They are less likely to cause a spurious trip, but that can't be said regarding their solenoids, which will typically have a higher spurious trip rate. More specific to the sensor side is the potential for a higher dangerous failure rate if you are experiencing increased safe failures. Of course, this depends on the failure mechanisms present that are causing the safe failures and whether they too can cause dangerous failures in some cases. This may also be generalized to all the instruments in the area, not just the ones experiencing spurious trips.

William (Bill) L. Mostia, Jr. PE
ISA Fellow, SIS-TECH Fellow,
FS Eng. (TUV Rheinland)
SIS-TECH Solutions, LP

Any information is provided on Caveat Emptor basis.