71364263 voting-logic-sil-calculation

VOTING LOGIC
There are 1oo1, 1oo2, 2oo2, 2oo3 etc voting logic in the safety instrumented system
architecture. The voting logic architecture usually used in the field instrument and or
final control elements to reach certain Safety Integrity Level (SIL) or to reach certain
cost reduction due to platform shutdown. In general when we must use 1oo1, 1oo2,
2oo2, or 2oo3 voting logic architecture?
As mentioned above, there are two purposes why certain voting logic architecture
were chosen, first is to reach certain SIL and secondly to reach certain cost reduction
due to spurious platform shutdown. In order to determine a certain SIL requirement, a
risk or process hazard analysis is used to identify all process, safety and
environmental hazards, estimate their risks, and decide if that risk is tolerable. Where
risk reduction is required an appropriate SIL is assigned. The individual components
(sensors, logic solvers, final elements, etc.) that are working together to implement the
individual safety loops must comply with the constraints of the required SIL. In
essence, this means that all components within that loop must meet a certain
Probability of Failure on Demand (PFD), Safe Failure Fraction (SFF) and Hardware
Fault Tolerance (HFT) requirement for the intended SIL. Readers are encouraged to
see further detail regarding this PFDavg, SFF, and HFT in the IEC 61508 & IEC
61511.
As general rule, first of all the SIL requirement for any particular condition or
application will be determined using a risk or process analysis. After the SIL was
determined then the architecture of the sensor, logic solver, and final control element
is studied to investigate which architecture will fulfill the SIL requirement. For
example, if the SIL requirement for a high pressure incoming pipe line is SIL 3, then
the architecture of the pressure sensor and final element will be investigated. If 1oo1
sensor, 1oo1 logic solver, and 1oo1 shutdown valve can fulfill the SIL 3 requirement,
then this architecture is chosen. If not, then any other voting logic architecture is
investigated. Let’s say after several investigations the voting logic 1oo2 sensor, 1oo2
logic solver, and 1oo2 shutdown valve can fulfill the requirement of SIL 3, then this
voting logic is chosen. If the cost reduction study need to minimize spurious trip due
to one of the sensor failed, then may be the sensor voting logic architecture must be
upgraded to become 2oo3 architecture. This architecture may be chosen since if one
sensor failed, then the overall architecture is still fulfilling SIL 3 requirement with
1oo2 sensor configuration. Thus it doesn’t need to have a platform shutdown when
one sensor failed.
See below case studies to get a better understanding regarding above explanation.
Let’s say we need to design a High Pressure Protection System for the incoming
pipeline from the offshore platform with the SIL required is SIL 3 for this specific
application. The following data was provided by the transmitter manufacturer, logic
solver manufacturer, and shutdown valve manufacturer.
Pressure transmitter PFDavg = 1.52E-04, SFF = 93.10%
Logic Solver PFDavg = 6.9E-04
Shutdown valve PFDavg which consist of:
Solenoid Valve PFDavg = 4.38E-04, SFF = 65.80%
Actuator PFDavg = 2.59E-04, SFF = 96.4%

Ball Valve PFDavg = 6.29E-05, SFF = >90%
The Safety Integrity Level (SIL) for each component architectures (transmitter and
shutdown valve only) was calculated as follow:
Pressure Transmitter PFD and SIL Calculation for several voting logic
Voting Symbol Value Calculated
Physical
Constraint
Maximum
Claimed SIL
Logic SIL
Due to Physical
Constraint
TI 1 year
λDU 3.04E-04 /year HFT 01oo1
PFD 1.52E-04 SIL 3 SFF 93.10% SIL 2
TI 1 year
PFD 3.08E-08 /year SIL 4 SFF 93.10% SIL 3
TI 1 year
TI 1 year
Maximum claimed SIL for each shutdown valve component.
PFDavg
Calculated
SIL Physical Constraint
Maximum
Claimed SIL Due
to Physical
Constraint
Solenoid Valve 4.38E-04 SIL 3 HFT 0
SFF 65.80% SIL 2
Actuator 2.59E-04 SIL 3 HFT 0
SFF 96.40% SIL 3
Ball Valve 6.29E-05 SIL 4 HFT 0
SFF >90% SIL 3
From above shutdown valve component SIL calculation, we can get the SIL
calculation for a complete shutdown valve assembly which consists of 1 solenoid
valve, 1 actuator, and 1 ball valve as follow:

Shutdown Valve with 1 solenoid, 1 actuator, and 1 ball valve complete assembly SIL
Calculation.
Total
PFDavg
Calculated
SIL Physical Constraint
Maximum Claimed
SIL Due to Physical
Constraint
Shutdown Valve 7.60E-04 SIL 3 Combine SIL
SIL 2 (because the
lowest SIL for
shutdown valve is
SIL 2 which is a
solenoid valve SIL)
From above SIL calculation for a complete assembly shutdown valve, we can
calculate the PFDavg and SIL calculation for several voting logic scheme for
shutdown valve as bellow.
Shutdown Valve PFD and SIL Calculation for several voting logic
Voting Symbol Value Calculated Physical Constraint
Maximum Claimed
SIL
Logic SIL
Due to Physical
Constraint
TI 1 year
λDU
1.52E-
03 /year1oo1
PFD
7.60E-
04 SIL 3 Combine SIL SIL 2
TI 1 year
λDU
1.52E-
03 /year HFT 11oo2
PFD
7.70E-
07 /year SIL 4
Combine SIL =
Highest SIL + N SIL 3
TI 1 year
λDU
1.52E-
03 /year HFT 02oo2
PFD
1.52E-
03 /year SIL 2 Combine SIL SIL 2
TI 1 year
λDU
1.52E-
03 /year HFT 12oo3
PFD
2.31E-
06 /year SIL 4
Combine SIL =
Highest SIL + N SIL 3
After we get all PFDavg for possible voting logic combination, now we can
investigate which voting logic architecture for the transmitter and shutdown valve that
most suitable to achieve SIL 3 requirement. See below calculation for several possible
schemes.

1oo1 pressure transmitter, logic solver, and 1oo1 Shutdown Valve
PFDavg
total = 1.60E-03 Calculated SIL = SIL 2
Maximum Claimed SIL due to physical constraint = SIL 2
PFDavg
PFDavg
PFDavg
PFDavg
PFDavg
PFDavg
PFDavg

PFDavg
PFDavg
PFDavg
PFDavg
PFDavg
PFDavg
PFDavg
PFDavg

As per above SIL calculation, then we got the following possible voting logic
architecture to achieve SIL 3 requirement:
1. 1oo2 pressure transmitter, logic solver, and 1oo2 Shutdown Valve
The above order is also give us a cost estimation to buy that particular SIL 3 loop. The
uppermost will be the least cost and the lowermost will be the most costly loop. Now the next
step will be determine by the operator of the plant whether the shutdown cost is high or not. If
the shutdown cost is high and they don’t want to have a spurious plant shutdown then they
may chose 2oo3 pressure transmitter, logic solver, and then 2oo3 shutdown valve. With this
configuration, if there are one transmitter failed then the system is still can run by using 1oo2
pressure transmitter configuration. The same reason is also applied for using 2oo3 shutdown
valve configuration.
EQUATION USED IN THIS ARTICLE
PFD calculation for several voting logic architecture
Configuration PFD
1oo1  2/* TIdu
1oo2      3/*
22
TIdu
2oo2 TIdu *
2oo3  22
* TIdu
du = Dangerous undetected failure
TI = Test Interval
Safety Integrity Level
SIL PFD
1 10-1
- 10-2
2 10-2
- 10-3
3 10-3
- 10-4
4 10-4
- 10-5

Maximum claimed SIL due to architecture constraint type A hardware (simple
hardware)
Hardware Fault ToleranceSafe Failure
Fraction
0 1 2
<60% SIL 1 SIL 2 SIL 3
60% - <90% SIL 2 SIL 3 SIL 4
90% - < 99% SIL 3 SIL 4 SIL 4
>= 90% SIL 3 SIL 4 SIL 4
Maximum claimed SIL due to architecture constraint type B hardware (complex
hardware)
Hardware Fault ToleranceSafe Failure
Fraction
0 1 2
<60% Not Allowed SIL 1 SIL 2
60% - <90% SIL 1 SIL 2 SIL 3
90% - < 99% SIL 2 SIL 3 SIL 4
>= 90% SIL 3 SIL 4 SIL 4
Hardware Fault Tolerance:
0 = no hardware failure is tolerable
1 = one hardware failure is not affect the functional system (redundant)
2 = one or two hardware failure is not affect the functional system (triple modular
redundant)

71364263 voting-logic-sil-calculation

71364263 voting-logic-sil-calculation

More Related Content

What's hot

Similar to 71364263 voting-logic-sil-calculation

More from Mowaten Masry

Recently uploaded

71364263 voting-logic-sil-calculation