
VOTING LOGIC

Safety instrumented system architectures use voting logic such as 1oo1, 1oo2, 2oo2 and 2oo3. Voting logic is usually applied to the field instruments and/or final control elements, either to reach a certain Safety Integrity Level (SIL) or to reduce the cost of platform shutdowns.

When must we use a 1oo1, 1oo2, 2oo2 or 2oo3 voting logic architecture? As mentioned above, a voting logic architecture is chosen for two purposes: first, to reach a certain SIL, and second, to reduce the cost of spurious platform shutdowns.

To determine a SIL requirement, a risk or process hazard analysis is used to identify all process, safety and environmental hazards, estimate their risks, and decide whether that risk is tolerable. Where risk reduction is required, an appropriate SIL is assigned. The individual components (sensors, logic solvers, final elements, etc.) that work together to implement each safety loop must comply with the constraints of the required SIL. In essence, this means that all components within the loop must meet the Probability of Failure on Demand (PFD), Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT) requirements for the intended SIL. Readers are encouraged to see IEC 61508 and IEC 61511 for further detail on PFDavg, SFF and HFT.

As a general rule, the SIL requirement for a particular condition or application is first determined using a risk or process analysis. Once the SIL is determined, the architecture of the sensor, logic solver and final control element is studied to find which architecture fulfills the SIL requirement. For example, if the SIL requirement for a high pressure incoming pipeline is SIL 3, the architecture of the pressure sensor and final element is investigated. If a 1oo1 sensor, 1oo1 logic solver and 1oo1 shutdown valve can fulfill the SIL 3 requirement, this architecture is chosen. If not, another voting logic architecture is investigated.

Let's say that after several investigations a 1oo2 sensor, 1oo2 logic solver and 1oo2 shutdown valve can fulfill the SIL 3 requirement; then this voting logic is chosen. If the cost reduction study needs to minimize spurious trips caused by the failure of one sensor, the sensor voting logic may have to be upgraded to a 2oo3 architecture. This architecture may be chosen because, if one sensor fails, the overall architecture still fulfills the SIL 3 requirement with a 1oo2 sensor configuration. Thus a platform shutdown is not needed when one sensor fails.

The case study below gives a better understanding of the explanation above. Let's say we need to design a High Pressure Protection System for the incoming pipeline from an offshore platform, and the required SIL for this specific application is SIL 3. The following data was provided by the transmitter manufacturer, logic solver manufacturer and shutdown valve manufacturer.

- Pressure transmitter: PFDavg = 1.52E-04, SFF = 93.10%
- Logic solver: PFDavg = 6.9E-04
- Shutdown valve, which consists of:
  - Solenoid valve: PFDavg = 4.38E-04, SFF = 65.80%
  - Actuator: PFDavg = 2.59E-04, SFF = 96.4%
  - Ball valve: PFDavg = 6.29E-05, SFF = >90%

The Safety Integrity Level (SIL) for each component architecture (transmitter and shutdown valve only) was calculated as follows:
Pressure Transmitter PFD and SIL Calculation for several voting logic

| Voting Logic | TI (year) | λDU (/year) | PFD | Calculated SIL | Physical Constraint | Maximum Claimed SIL Due to Physical Constraint |
|---|---|---|---|---|---|---|
| 1oo1 | 1 | 3.04E-04 | 1.52E-04 | SIL 3 | HFT = 0, SFF = 93.10% | SIL 2 |
| 1oo2 | 1 | 3.04E-04 | 3.08E-08 | SIL 4 | HFT = 1, SFF = 93.10% | SIL 3 |
| 2oo2 | 1 | 3.04E-04 | 3.04E-04 | SIL 3 | HFT = 0, SFF = 93.10% | SIL 2 |
| 2oo3 | 1 | 3.04E-04 | 9.24E-08 | SIL 4 | HFT = 1, SFF = 93.10% | SIL 3 |

Maximum claimed SIL for each shutdown valve component.

| Component | PFDavg | Calculated SIL | Physical Constraint | Maximum Claimed SIL Due to Physical Constraint |
|---|---|---|---|---|
| Solenoid Valve | 4.38E-04 | SIL 3 | HFT = 0, SFF = 65.80% | SIL 2 |
| Actuator | 2.59E-04 | SIL 3 | HFT = 0, SFF = 96.40% | SIL 3 |
| Ball Valve | 6.29E-05 | SIL 4 | HFT = 0, SFF = >90% | SIL 3 |

From the shutdown valve component SIL calculation above, we can derive the SIL calculation for a complete shutdown valve assembly, which consists of 1 solenoid valve, 1 actuator and 1 ball valve, as follows:

Shutdown Valve with 1 solenoid, 1 actuator, and 1 ball valve complete assembly SIL Calculation.

| Assembly | Total PFDavg | Calculated SIL | Physical Constraint | Maximum Claimed SIL Due to Physical Constraint |
|---|---|---|---|---|
| Shutdown Valve | 7.60E-04 | SIL 3 | Combine SIL | SIL 2 (because the lowest SIL for the shutdown valve is SIL 2, which is the solenoid valve SIL) |

From the SIL calculation above for a complete shutdown valve assembly, we can calculate the PFDavg and SIL of the shutdown valve for several voting logic schemes, as below.

Shutdown Valve PFD and SIL Calculation for several voting logic

| Voting Logic | TI (year) | λDU (/year) | PFD | Calculated SIL | Physical Constraint | Maximum Claimed SIL Due to Physical Constraint |
|---|---|---|---|---|---|---|
| 1oo1 | 1 | 1.52E-03 | 7.60E-04 | SIL 3 | Combine SIL | SIL 2 |
| 1oo2 | 1 | 1.52E-03 | 7.70E-07 | SIL 4 | HFT = 1, Combine SIL = Highest SIL + N | SIL 3 |
| 2oo2 | 1 | 1.52E-03 | 1.52E-03 | SIL 2 | HFT = 0, Combine SIL | SIL 2 |
| 2oo3 | 1 | 1.52E-03 | 2.31E-06 | SIL 4 | HFT = 1, Combine SIL = Highest SIL + N | SIL 3 |

Now that we have the PFDavg for every possible voting logic combination, we can investigate which voting logic architecture for the transmitter and shutdown valve is most suitable to achieve the SIL 3 requirement. See the calculation below for several possible schemes.

| Pressure transmitter | Logic solver | Shutdown Valve | PFDavg total | Calculated SIL | Maximum Claimed SIL due to physical constraint |
|---|---|---|---|---|---|
| 1oo1 | logic solver | 1oo1 | 1.60E-03 | SIL 2 | SIL 2 |
| 1oo2 | logic solver | 1oo1 | 1.45E-03 | SIL 2 | SIL 2 |
| 2oo2 | logic solver | 1oo1 | 1.75E-03 | SIL 2 | SIL 2 |
| 2oo3 | logic solver | 1oo1 | 1.45E-03 | SIL 2 | SIL 2 |
| 1oo1 | logic solver | 1oo2 | 8.42E-04 | SIL 3 | SIL 2 |
| 1oo1 | logic solver | 2oo2 | 2.36E-03 | SIL 2 | SIL 2 |
| 1oo1 | logic solver | 2oo3 | 8.44E-04 | SIL 3 | SIL 2 |
| 1oo2 | logic solver | 1oo2 | 6.90E-04 | SIL 3 | SIL 3 |
| 1oo2 | logic solver | 2oo2 | 2.21E-03 | SIL 2 | SIL 2 |
| 1oo2 | logic solver | 2oo3 | 6.92E-04 | SIL 3 | SIL 3 |
| 2oo2 | logic solver | 1oo2 | 9.94E-04 | SIL 3 | SIL 2 |
| 2oo2 | logic solver | 2oo2 | 2.51E-03 | SIL 2 | SIL 2 |
| 2oo2 | logic solver | 2oo3 | 9.96E-04 | SIL 3 | SIL 2 |
| 2oo3 | logic solver | 1oo2 | 6.90E-04 | SIL 3 | SIL 3 |
| 2oo3 | logic solver | 2oo2 | 2.21E-03 | SIL 2 | SIL 2 |
| 2oo3 | logic solver | 2oo3 | 6.92E-04 | SIL 3 | SIL 3 |

From the SIL calculation above, the following voting logic architectures can achieve the SIL 3 requirement:

1. 1oo2 pressure transmitter, logic solver, and 1oo2 Shutdown Valve
2. 1oo2 pressure transmitter, logic solver, and 2oo3 Shutdown Valve
3. 2oo3 pressure transmitter, logic solver, and 1oo2 Shutdown Valve
4. 2oo3 pressure transmitter, logic solver, and 2oo3 Shutdown Valve

The order above also gives a cost estimate for buying that particular SIL 3 loop: the uppermost is the least costly and the lowermost is the most costly loop. The next step is for the plant operator to determine whether the shutdown cost is high or not. If the shutdown cost is high and they do not want a spurious plant shutdown, they may choose the 2oo3 pressure transmitter, logic solver, and 2oo3 shutdown valve. With this configuration, if one transmitter fails, the system can still run using the 1oo2 pressure transmitter configuration. The same reasoning applies to the 2oo3 shutdown valve configuration.

EQUATION USED IN THIS ARTICLE

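PFD calculation for several voting logic architecture

| Configuration | PFD |
|---|---|
| 1oo1 | $\lambda_{DU} \cdot TI / 2$ |
| 1oo2 | $\lambda_{DU}^{2} \cdot TI^{2} / 3$ |
| 2oo2 | $\lambda_{DU} \cdot TI$ |
| 2oo3 | $\lambda_{DU}^{2} \cdot TI^{2}$ |

$\lambda_{DU}$ = Dangerous undetected failure

TI = Test Interval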

Safety Integrity Level

| SIL | PFD |
|---|---|
| 1 | 10^-1 - 10^-2 |
| 2 | 10^-2 - 10^-3 |
| 3 | 10^-3 - 10^-4 |
| 4 | 10^-4 - 10^-5 |

Maximum claimed SIL due to architecture constraint type A hardware (simple hardware)

| Hardware Fault Tolerance | SFF <60% | SFF 60% - <90% | SFF 90% - <99% | SFF >= 99% |
|---|---|---|---|---|
| 0 | SIL 1 | SIL 2 | SIL 3 | SIL 3 |
| 1 | SIL 2 | SIL 3 | SIL 4 | SIL 4 |
| 2 | SIL 3 | SIL 4 | SIL 4 | SIL 4 |

Maximum claimed SIL due to architecture constraint type B hardware (complex hardware)

| Hardware Fault Tolerance | SFF <60% | SFF 60% - <90% | SFF 90% - <99% | SFF >= 99% |
|---|---|---|---|---|
| 0 | Not Allowed | SIL 1 | SIL 2 | SIL 3 |
| 1 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
| 2 | SIL 2 | SIL 3 | SIL 4 | SIL 4 |

Hardware Fault Tolerance:

- 0 = no hardware failure is tolerable
- 1 = one hardware failure does not affect the functional system (redundant)
- 2 = one or two hardware failures do not affect the functional system (triple modular redundant)
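The case study can be re-run from the equations and tables above. The following is an added example, not part of the original article: it computes the loop PFDavg for all 16 transmitter/valve voting combinations and applies the architectural constraint tables. It assumes the transmitter is assessed as type B hardware and the valve components as type A (which is what the article's claimed SIL values imply), takes the ball valve's ">90%" SFF as 90, and treats the logic solver as non-limiting; totals can differ from the article's in the last printed digit because of rounding.

```python
from itertools import product

TI = 1.0  # test interval, years
# lambda_DU per year for the transmitter and the complete valve assembly
LAMBDA_TX, LAMBDA_SDV = 3.04e-4, 1.52e-3
PFD_LOGIC = 6.9e-4  # logic solver PFDavg, taken as given by the manufacturer
HFT = {"1oo1": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1}
# Architectural constraint tables: HFT -> max SIL per SFF band
# (<60%, 60-<90%, 90-<99%, >=99%); 0 means "not allowed".
TYPE_A = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)}
TYPE_B = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}
# Assumption: transmitter is type B, valve parts are type A.
TX_PARTS = [(TYPE_B, 93.1)]
SDV_PARTS = [(TYPE_A, 65.8), (TYPE_A, 96.4), (TYPE_A, 90.0)]

def pfd(voting, lam, ti=TI):
    """PFDavg from the article's simplified equations."""
    x = lam * ti
    return {"1oo1": x / 2, "1oo2": x**2 / 3, "2oo2": x, "2oo3": x**2}[voting]

def sil_from_pfd(p):
    """SIL band for a PFDavg; 0 when worse than SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if p < upper:
            return sil
    return 0

def max_claimed_sil(parts, voting):
    """Weakest part's table entry at the HFT the voting scheme provides."""
    def band(sff):
        return 0 if sff < 60 else 1 if sff < 90 else 2 if sff < 99 else 3
    return min(table[HFT[voting]][band(sff)] for table, sff in parts)

def evaluate(tx, sdv):
    """Return (total PFDavg, calculated SIL, SIL after constraints)."""
    total = pfd(tx, LAMBDA_TX) + PFD_LOGIC + pfd(sdv, LAMBDA_SDV)
    calc = sil_from_pfd(total)
    cap = min(max_claimed_sil(TX_PARTS, tx), max_claimed_sil(SDV_PARTS, sdv))
    return total, calc, min(calc, cap)

def sil3_architectures():
    """Voting combinations (transmitter, valve) that reach SIL 3."""
    votes = ("1oo1", "1oo2", "2oo2", "2oo3")
    return [(t, v) for t, v in product(votes, votes) if evaluate(t, v)[2] >= 3]

if __name__ == "__main__":
    for tx, sdv in sil3_architectures():
        print(f"{tx} transmitter + {sdv} valve: PFDavg = {evaluate(tx, sdv)[0]:.2E}")
```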
