Emerson’s Mike Schmidt, a principal safety consultant in the Refining and Chemical industry center, presented Beyond 2oo3: Multi-sensor Architecture in SIF Design at the Emerson Exchange. You may recall Mike from an earlier post.
Mike discussed several cases and applications where more than three sensors are used in safety shutdown applications. Redundancy was his first example where more than one sensor is being used for the exact same purpose. An example is separate temperature sensors installed on the inlets to multiple reactors, perhaps because of fears of common cause failure. In fact, all three of these sensors measure the same thing. The inlet temperature is coming from the same header, so it is the same for all three new sensors.
Separate hazards are those serving unrelated purposes or are at independent points in the process. There is no redundancy here. The only possible architecture for the sensors is to have three separate instances of one-out-of-one (1oo1) voting.
Mike built the case of three tanks with three inlet temperatures sensors coming off a common header and said it could be argued that the three could be considered redundant. However, three sensors on the tank outlets could not be considered redundant since they are monitoring for separate hazards.
When evaluating fault tolerances, it is important to consider the number of success paths. Parallel paths provide redundancy where serial paths with multiple elements have single points of failure. If you have three identical temperature sensors in parallel, it is like having a path with three in parallel in series with common cause failure. Using different types of sensors greatly reduces this common cause failure to provide much lower probabilities of failure on demand (PFDAVG).
Mike discussed the case of a packed-bed reactor. These may be instrumented with ten or more temperature sensors to provide a temperature profile. The safety trip will be based on an abnormal profile. With advanced logic solvers, it is possible to perform the calculations necessary to reduce several measurements to profile parameters that can be used to trip a safety instrumented function (SIF). The profile is 1oo1 voting, but a rule might be that 8 out of 10 temperature sensors must be working to be considered a valid profile, so the PFDAVG is based on 8oo10 fault tolerance.
A separate issue to consider from a safety mitigation standpoint is multiple sensors for localized problems, like hot spots or leaks. Considering packed bed reactor hot spots, it sounds right to say we do not want to trip the reactor based on a single temperature sensor fault. Although this may sound right, Mike explored the math behind determining the PFDAVG. The example here is for an array of sensors installed to detect a hot spot within the packed bed, but it could just as easily be an array of analyzers around the outside of a piece of equipment installed to detect a leak of flammable or toxic gases.
He discussed the concept of the temperature sensors located next to the failed one. The sensors are primary for their respective zones and secondary for their neighboring zones. The key is to set up a separate safety instrumented function for each zone, which contains the primary sensor and the neighboring secondary sensors. This allow the reactor not be treated as a single SIF where any one sensor failure can trip it.
The math works out that no matter how many transmitters, and surrounding zones, the PFDAVG calculations are based on primary and one secondary, even in the case of multiple secondary zones. The voting is one out the number of surrounding zones plus the one primary zone, and the PFDAVG is always based on 1oo2 fault tolerance. No credit is taken for any of the additional secondary sensors in the PFDAVG calculations.
Mike summarizes these concepts by saying the number of sensors required for a SIF can be optimized to achieve the necessary coverage and the required redundancy. Using more than three sensors for redundancy does not really help. It may be necessary for coverage based on the geometry of the vessel, but not for increased redundancy.