To effectively prevent and significantly reduce the risk of hazardous chemical accidents, safety instrumented systems (SIS) equipped with lifecycle management functions are required for new projects and operational facilities, such as installations, tanks, and more. These systems undergo a professional evaluation of their Safety Integrity Level (SIL). The interlock control logic, being the core component of the Safety Instrumented Function (SIF) loop, not only has a critical impact on the architecture of the SIF loop but also plays a key role in determining the overall safety of the system.
This article explores the safety performance differences of pressure transmitters with varying configurations, while meeting the SIL level requirements. The analysis will be based on a case study of an atmospheric crude oil distillation unit’s furnace feed safety interlock control loop. The aim is to verify whether the configuration of measuring components under the SIL level requirements is reasonable.
SIL Levels and Configurations in Pressure Transmitters
Let us begin by examining the safety interlock control loop of the furnace feed. The requirement is that the loop should have a SIL2 safety rating under normal operation conditions. The loop is triggered by high-pressure or high-temperature alarms for the fuel gas pipeline. Upon triggering, the system should close the fuel gas inlet valve. In this scenario, we assume that the pressure transmitter and temperature sensing elements are configured with SIL2 levels.
For this specific example, the SIL2-rated pressure transmitter is used to trigger the safety interlock of the system. The key safety parameters of this configuration are as follows:
| Parameter | Value |
|---|---|
| FIT (Failure In Time) | 10^-9 hours |
| TS (Test Interval) | N/A |
| TI (Repair Time) | N/A |
| TR (Trip Reset Time) | N/A |
This configuration is typical in many safety applications, but to understand the full safety profile of the system, we need to analyze multiple configurations with different redundancy schemes.
Pressure Transmitter Configurations for SIL2 and SIL1 Levels
1oo1 Configuration (Single Transmitter)
In this configuration, a single SIL2-rated pressure transmitter is used. The system design follows a 1oo1 (one-out-of-one) logic, meaning the failure of this single transmitter would result in system failure, triggering the interlock. The simplified formula for calculating the Probability of Failure on Demand (PFD) for this configuration yields:
PFDavg = 4.2 × 10^-4
This configuration ensures that the safety system meets the SIL2 requirement, but it leaves the system more vulnerable to failures. The main issue here is that the system’s availability (STR) is significantly reduced, as a single failure of the pressure transmitter compromises the entire loop.
1oo2 Configuration (Dual Transmitters)
In this configuration, two SIL1-rated pressure transmitters are used in a 1oo2 logic arrangement (one-out-of-two), meaning that if one transmitter fails, the other will still provide reliable data, maintaining the system’s integrity. This configuration improves reliability significantly by utilizing redundant sensors. The parameters for this configuration are as follows:
| Parameter | Value |
|---|---|
| FIT (Failure In Time) | 10^-6 hours |
| SFF (Safe Failure Fraction) | 84% |
| PFDavg | 6.975 × 10^-6 |
| STR (Safe Trip Rate) | 1.68 × 10^-7 |
The 1oo2 configuration offers a balance between safety performance and availability. However, its operational availability (STR) is lower than that of a 2oo3 configuration, which may be preferable in some high-reliability systems.
2oo3 Configuration (Triple Transmitters)
The 2oo3 configuration employs three SIL1-rated pressure transmitters in a two-out-of-three logic arrangement. This means that at least two out of the three transmitters must operate correctly for the system to function properly. It provides the highest safety level by reducing the chance of a failure that would lead to system shutdown. The key parameters of this configuration are:
| Parameter | Value |
|---|---|
| FIT (Failure In Time) | 10^-5 hours |
| SFF (Safe Failure Fraction) | 91% |
| PFDavg | 2.0925 × 10^-5 |
| STR (Safe Trip Rate) | 5.568 × 10^-10 |
The 2oo3 configuration has the lowest PFD value and provides the best operational reliability. This configuration is highly suitable for critical systems where system availability is paramount. Despite its higher cost, the 2oo3 configuration offers the most dependable performance, particularly in applications where safety and availability are both essential.
Comparison of Configurations under the Same SIL Level
In summary, the three configurations discussed above—1oo1, 1oo2, and 2oo3—demonstrate varying safety performance and system availability (STR), even under the same SIL2 requirement. The following table summarizes the findings:
| Configuration | PFDavg | STR |
|---|---|---|
| 1oo1 (Single Transmitter) | 4.2 × 10^-4 | High failure risk |
| 1oo2 (Dual Transmitters) | 6.975 × 10^-6 | Moderate availability |
| 2oo3 (Triple Transmitters) | 2.0925 × 10^-5 | Very high availability |
Key Conclusions and Recommendations
From the calculations and analysis presented, the 2oo3 configuration stands out as the best option, offering a solid balance between safety and availability. While it is more complex and expensive, it offers the greatest reliability in daily operations. The 1oo1 configuration, although meeting SIL2 requirements, presents the highest risk in terms of safety and system availability due to its single point of failure.
Additionally, in the case of high-demand safety systems, incorporating a level of redundancy (such as using HFT in configurations like 1oo2 or 2oo3) is highly recommended. This not only enhances safety but also increases operational availability, which is vital for long-term performance.
In real-world SIS designs and verifications, the standard practice often includes SIL2-rated pressure transmitters in configurations with additional redundancy or self-diagnosis capabilities. This helps prevent failure-triggered downtimes and optimizes the safety function’s performance. For applications with high safety demands, consider higher redundancy or enhanced diagnostic systems for greater protection.