Safety instrumented function design reduces nuisance trips | Hydrocarbo... http://www.hydrocarbonprocessing.com/Article/2925731/Safety-instru...

COPYING AND DISTRIBUTING ARE PROHIBITED WITHOUT PERMISSION OF THE PUBLISHER

Safety instrumented function design reduces nuisance trips


11.01.2011 | Kern, A.G., Tesoro Corp., Los Angeles, California

Implementing low-cost best practices can provide peace of mind

A conundrum frequently facing safety system designers and plant managers is whether to use two transmitters in a
one-out-of-two configuration (1oo2) or three transmitters in a two-out-of-three configuration (2oo3). While both
configurations may satisfy the safety requirements, 2oo3 is traditionally considered the only choice when nuisance trip
reduction is also a high priority, despite its higher cost, greater contribution to probability of failure on demand (PFD),
and often, a sense of transmitter overkill.

In recent years, the concepts of diagnostic coverage, discrepancy alarms and transmitter self-diagnostics have gained
acceptance and become proven in use. This trio of concepts gives 1oo2 greatly improved performance with regard to
nuisance trip reduction. In many regards, 1oo2D (1oo2 with diagnostic coverage) is the new 2oo3.

In addition, as end users continue their migration from switches, “dumb” transmitters and relay-based safety systems to
smart transmitters and PLC-based safety systems, some often overlooked low-cost practices can be adopted as further
insurance against nuisance trips.

Making the right choices in any particular safety application remains a multi-faceted question. It is a function of safety
integrity level (SIL), the importance of nuisance trip prevention, life-cycle cost, inherent difficulty of the measurement,
peace of mind and safety competency. But, as a guideline, 1oo2D can give comparable or better performance than
traditional 2oo3. Even 1oo1D can provide excellent PFD and probability of nuisance trip (PNT) performance in many
applications. Add to this some fundamental competency practices and nuisance trips can be largely eliminated.

Background.

The design of safety instrumented functions (SIFs) is initially based on achieving the required safety integrity level (SIL),
leading to the selection of one, two or sometimes three redundant transmitters (Fig. 1). In recent decades, the safety
community has rather brilliantly formalized and quantified this process according to ISA 84.01/IEC 61511, “Safety
instrumented systems for the process industry sector.”

1 de 5 09/12/2011 00:56
Fig. 1. Typical transmitter configurations for various safety integrity levels (SILs) for a safety instrumented function
that trips valve(s) on high pressure.

Secondly, the SIF designer must also consider the acceptable level of spurious (or nuisance) trips, which is the likelihood
the safety function will activate unnecessarily, causing anything from a minor nuisance to a severe operational or
economic penalty. In recent years, awareness has grown that nuisance trips also carry safety penalties. This is because
even though, in theory, a trip is assumed to result in a safe state, a high proportion of incidents have been found to occur
during plant startup or restart activities.

Nuisance trips. Unfortunately, the safety community has not yet found a methodology to fully address the nuisance
trip aspect of SIF design. Methods are available to predict the expected frequency of nuisance trips—namely mean time
to failure spurious (MTTFS)—but not to determine an acceptable level for any particular SIF function. Spurious trip
level (STL) has been proposed, but as a purely economic function, it has limitations, including difficulty in assigning
cost, differences in cost scale from one site to another and a lack of factoring safety or other non-economic negative
impacts of spurious/nuisance trips. A practical performance goal is that a safety function should not result in more
nuisance trips than true trips.

What are the options available to reduce the probability of a nuisance trip (PNT), after the SIL level has been satisfied?
Historically, the only design option has been 2oo3, due to its inherent fault-tolerance (one transmitter can fail outright
and the SIF will continue to function safely as a 1oo2, without a nuisance trip, while the failed transmitter is repaired).
But in today’s world, with “smart transmitters” and other forms of diagnostic coverage, there are alternatives that can
provide similar or superior performance over 2oo3, in terms of both PFD and PNT, without the spectacle (and cost) of
either hanging three transmitters in the field for every SIF or leaving yourself exposed to the possibility of excessive
nuisance trips.

Diagnostic coverage. Diagnostic coverage is the ability to proactively detect faults and respond safely, preferably
without a nuisance trip. For transmitters, it comes in two common forms—self-diagnostics and discrepancy alarms.

Transmitter self-diagnostic coverage is the percentage of transmitter (or measurement) faults that can be detected by
the transmitter itself. For common smart transmitters, whose self-diagnostics have been steadily beefed up over the
years, coverage is often in the range of 50%. For “safety” transmitters, which are certified for use according to SIL level,
and which typically have greater self-diagnostics, measurement diagnostics (such as detection of impulse line pluggage)
and more rigorous manufacturing quality controls, coverage can be in the range of 90%. The coverage determination
comes from the manufacturer’s failure modes and effects diagnostic analysis (FMEDA) testing and review by a certifying
agency.

Discrepancy alarms. Discrepancy alarms are deviation alarms between redundant transmitters. For example, in a
1oo1D configuration, the SIF transmitter and the control system transmitter are compared and a deviation greater than,
say, 5% of span is alarmed, prompting maintenance to resolve the discrepancy before it grows and leads to a nuisance
trip. This simple concept is powerful in terms of diagnostic coverage. A discrepancy alarm involving two transmitters
may be credited with up to 90% diagnostic coverage, and an alarm involving three transmitters can bring up to 99%
coverage. Because it is valid to include control system transmitters in the discrepancy alarm, discrepancy alarm
coverage is possible even for 1oo1 SIF configurations.

Discrepancy alarms have limited ability to protect against sudden transmitter or measurement failures, since the
response mechanism to a discrepancy alarm involves normal maintenance and troubleshooting procedures. But many
transmitter faults are gradual, such as calibration drift or impulse line pluggage, so that a discrepancy alarm can occur
and be resolved before a nuisance trip results. A discrepancy alarm is not considered a transmitter failure, does not
remove any of the transmitters from the voting logic, and does not result in a transmitter upscale/downscale response,
as a self-diagnostic fault would.

Fault tolerance without 2oo3. Diagnostic coverage brings fault tolerance to 1oo2 configurations. These
configurations have traditionally lacked fault tolerance, which was a major Achilles heel. Self-diagnostics, combined
with configurable fail direction (upscale or downscale), means transmitters in a 1oo2D configuration can be configured
to fail in the non-trip direction and the SIF will continue to function as a 1oo1 until the faulty transmitter is repaired. In
this way, 1oo2D has fault tolerance to the extent of its diagnostic coverage, often 90–99%.
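The two mechanisms described above, the discrepancy alarm and the self-diagnosed fault with a configured fail direction, are easy to see together in a small logic-solver model. The following is an added example, not code from the article or from any vendor's logic solver; the tag names (PT-101 to PT-103), the 0–100 span, the 90-unit high-pressure trip setpoint and all readings are constructed values. It shows a dumb 1oo2 pair taking a nuisance trip when one transmitter fails high, 2oo3 riding through the same fault, 1oo2D degrading to 1oo1 when the fault is self-diagnosed and configured to fail downscale (the non-trip direction for a high trip), the same fault reintroducing the trip when the fail direction is misconfigured upscale, and a discrepancy alarm catching gradual drift (7% of span) long before any transmitter nears the setpoint, without changing any vote.

```python
# Added example (not from the article): a small model of a high-pressure SIF's
# sensor voting with self-diagnostics, a configured fail direction and a
# discrepancy alarm. Tag names, span, setpoint and readings are constructed.
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

SPAN = 100.0                  # transmitter span, 0..100 units (constructed)
TRIP_SETPOINT = 90.0          # trip on high pressure above this value (constructed)
DISCREPANCY_LIMIT = 0.05      # alarm when two transmitters differ by more than 5% of span


@dataclass
class Reading:
    tag: str
    value: Optional[float]             # measured value; None when the transmitter reports a fault
    fault: bool = False                # self-diagnostic has flagged this transmitter
    fail_direction: str = "downscale"  # configured response to a detected fault: "upscale" or "downscale"


def effective_value(r: Reading) -> float:
    """Signal as seen by the logic solver. A self-diagnosed fault drives the
    output to the configured rail; for a high trip, 'downscale' is the
    non-trip direction and 'upscale' votes to trip."""
    if r.fault:
        return SPAN if r.fail_direction == "upscale" else 0.0
    return r.value


def vote(readings: List[Reading], m: int) -> bool:
    """MooN voting: trip when at least m of the n transmitters read above
    the trip setpoint after the fail direction has been applied."""
    trip_votes = sum(1 for r in readings if effective_value(r) > TRIP_SETPOINT)
    return trip_votes >= m


def discrepancy_alarms(readings: List[Reading]) -> List[Tuple[str, str]]:
    """Pairwise deviation check between transmitters that are not already
    faulted (a control-system transmitter may be included). Returns the
    pairs whose deviation exceeds DISCREPANCY_LIMIT of span. The alarm is
    a maintenance prompt only: it removes nobody from the vote."""
    healthy = [r for r in readings if not r.fault]
    return [(a.tag, b.tag) for a, b in combinations(healthy, 2)
            if abs(a.value - b.value) / SPAN > DISCREPANCY_LIMIT]


if __name__ == "__main__":
    # Dumb 1oo2: PT-101 has failed high with no diagnostic, so the trip is a nuisance trip.
    print("1oo2 failed-high :", vote([Reading("PT-101", 98.0), Reading("PT-102", 40.0)], 1))
    # 2oo3 tolerates the same single failure.
    print("2oo3 failed-high :", vote([Reading("PT-101", 98.0), Reading("PT-102", 40.0),
                                      Reading("PT-103", 41.0)], 2))
    # 1oo2D: the fault is self-diagnosed and fails downscale, so the SIF runs as 1oo1 on PT-102.
    print("1oo2D downscale  :", vote([Reading("PT-101", None, fault=True),
                                      Reading("PT-102", 40.0)], 1))
    # Same fault with the fail direction misconfigured upscale: the nuisance trip is back.
    print("1oo2D upscale    :", vote([Reading("PT-101", None, fault=True, fail_direction="upscale"),
                                      Reading("PT-102", 40.0)], 1))
    # Gradual drift: PT-102 sits 7% of span away from PT-101, well below the setpoint.
    print("discrepancy      :", discrepancy_alarms([Reading("PT-101", 42.0), Reading("PT-102", 49.0),
                                                    Reading("PT-103", 41.0)]))
```

The third-transmitter case in the discrepancy check is the article's point about including a control-system transmitter: PT-103 plays the BPCS transmitter, and the alarm list flags PT-102 against both of its neighbours, which localises the drifting instrument for maintenance. The upscale case is why configuration control of the fail direction appears in the competency list: the same hardware and the same fault produce a nuisance trip or a clean degradation depending on one configuration parameter.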

The new math.

Fig. 2 shows comparative figures for traditional dumb transmitter-based configurations and for smart
transmitter-based configurations with diagnostic coverage. The numbers represent the relative effect on PFD and PNT
due to transmitter redundancy choice. This is based on transmitters with a 1% probability of causing either a failure on
demand (a dangerous undetected fault) or a nuisance trip (a safe detected fault). As the numbers indicate, when
diagnostic coverage is factored in, the effect is to transform safe detected faults, to the extent of the diagnostic coverage,
into alarms that will trigger transmitter maintenance, rather than trigger nuisance trips.
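The arithmetic behind the comparison can be reproduced with a simple independent-fault model. The block below is an added example, not the article's Fig. 2 data or a vendor's SIL calculation; it assumes, as an approximation, that each transmitter independently has a 1% probability of a dangerous undetected fault (p_d) and a 1% probability of a safe fault that would otherwise trip (p_s), that an MooN function fails on demand when at least n−m+1 transmitters are dangerously faulted and trips spuriously when at least m fail safe, and that diagnostic coverage c turns the fraction c of safe faults into maintenance alarms, leaving p_s·(1−c) able to cause a trip. Under those assumptions 1oo2D at 99% coverage ends up with a lower PNT than 2oo3 while keeping 1oo2's better PFD, and at 90% coverage 2oo3 still leads on PNT, which is the picture the article paints.

```python
# Added example (not from the article): a simplified independent-fault model of
# how redundancy and diagnostic coverage change PFD and PNT. Assumptions: each
# transmitter has probability p_d of a dangerous undetected fault and p_s of a
# safe (spurious) fault, 1% each as in the article's basis; faults are independent;
# a fraction c (the diagnostic coverage) of safe faults is alarmed for
# maintenance instead of tripping. The values are this model's, not Fig. 2's.
from math import comb
from typing import Dict, Tuple


def at_least(p: float, k: int, n: int) -> float:
    """Binomial tail: probability that at least k of n independent elements are faulted."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def pfd(p_d: float, m: int, n: int) -> float:
    """MooN fails on demand when fewer than m transmitters can still detect the
    hazard, i.e. when at least n - m + 1 carry a dangerous undetected fault."""
    return at_least(p_d, n - m + 1, n)


def pnt(p_s: float, m: int, n: int, coverage: float = 0.0) -> float:
    """MooN trips spuriously when at least m transmitters fail safe at once.
    Diagnostic coverage removes the covered share of safe faults from the
    trip path (they become alarms), leaving p_s * (1 - coverage)."""
    return at_least(p_s * (1 - coverage), m, n)


def compare(p_d: float = 0.01, p_s: float = 0.01) -> Dict[str, Tuple[float, float]]:
    """(PFD, PNT) for the configurations the article contrasts.
    Coverage values follow the article's ranges: ~90% for a safety transmitter or a
    two-transmitter discrepancy alarm, up to 99% with three transmitters compared."""
    configs = {
        "1oo1": (1, 1, 0.0), "1oo2": (1, 2, 0.0), "2oo3": (2, 3, 0.0),
        "1oo1D 90%": (1, 1, 0.90), "1oo2D 90%": (1, 2, 0.90), "1oo2D 99%": (1, 2, 0.99),
    }
    return {name: (pfd(p_d, m, n), pnt(p_s, m, n, c)) for name, (m, n, c) in configs.items()}


if __name__ == "__main__":
    for name, (d, s) in compare().items():
        print(f"{name:10s}  PFD={d:.6f}  PNT={s:.6f}")
```

Two things the table makes visible that the prose only states: adding a second transmitter in 1oo2 roughly doubles PNT (either transmitter failing safe trips the function), which is exactly the exposure diagnostic coverage removes, and 2oo3's PFD is worse than 1oo2's because it needs two healthy transmitters out of three rather than one out of two. The model ignores common-cause faults, proof-test intervals and repair time, which a real SIL verification must include.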

Fig. 2. Comparative effect on probability of failure on demand (PFD) and probability of nuisance trip (PNT) due to
transmitter configuration based on transmitters with a 1% probability of causing each. 1oo1, 1oo2 and 2oo3 reflect
traditional analysis based on transmitters with no diagnostic coverage. 1oo1D and 1oo2D reflect smart transmitters with
various levels of diagnostic coverage, including coverage by discrepancy alarms.

Of course, 2oo3 performance similarly improves with diagnostic coverage, but its main strength is fault tolerance, and
cases where 2oo3 performance is inadequate have been rare. So while 2oo3 would stay ahead of the pack under this new
math, it would do so by exceeding requirements (and one might as easily say that the difference is outweighed by
regaining the superior PFD values of 1oo2). As Fig. 2 shows, in terms of meeting requirements, providing fault tolerance
and avoiding nuisance trips, 2oo3 today has a lot of company.

The math isn’t exactly new, either. Manufacturers of safety transmitters have been advertising 1oo2D as an alternative
to 2oo3 for over 10 years, but traction has been spotty for several reasons. The primary focus in the safety community
over this period has been PFD, not PNT. Industry adoption of smart transmitters and smart logic solvers has, of course,
been gradual. And end-users in the field are slow to update their working paradigms. But this topic has great currency
for the increasingly large number of end users who today find themselves with smart safety logic solvers and smart
transmitters in place. This step, along with turning to ISA 84.01/IEC 61511 for greater guidance, can help improve all
aspects of the safety system life-cycle performance.

Safety competency.

2oo3 also has the virtue of compensating for shortcomings in safety competency. But this may be only perceived, and
may not be a virtue. Most nuisance trips are found to be preventable, which means that some aspect of the safety
management life cycle has been neglected. Adding more transmitters may not be money well spent, and may simply lead
to more problems, where a neglected or overlooked safety competency is the root cause. Elements of safety competency
include:
• Independent pre-trip alarms
• Implementation of diagnostic coverage and discrepancy alarms
• Timely response to self-diagnostic and discrepancy alarms
• Configuration control of 1oo2D fault tolerance (upscale/downscale)
• Reliable best practice field instrument installation
• SIF proof testing program
• Appropriate use of time delays
• Real-time monitoring of smart transmitter diagnostic alerts
• Effective DCS/SIS communication link and HMI design
• Elimination of switches, which defeat diagnostic coverage principles
• Reliable wiring (wiring ideally makes a negligible contribution to faults).

At first glance, this may appear to be a long list of complicated competencies, but most of them fall into place naturally
as users move to safety-PLC based safety systems and smart transmitters. The challenge facing most end users today is
to institute a culture of awareness and management of safety competencies. The competencies themselves are mostly
fundamental and are a product of ISA 84.01/IEC 61511 guidance, rather than a challenge in complying with it.

Note that while a computer-based logic solver is surely best practice in today’s world, the benefits of diagnostic coverage
can be captured even with legacy relay-based SIS systems by dialing in the appropriate configuration of
upscale/downscale transmitter failure and implementation of discrepancy alarms in the control system (assuming SIF
transmitters are brought into a modern DCS for monitoring).

Recommendations.

While all of ISA 84.01/IEC 61511 and the safety competencies listed previously are important, a productive, low-cost
starting strategy to reduce nuisance trips is to verify:
• At least two transmitters and a discrepancy alarm on every SIF
• Reliable best practice field installation
• Proper upscale/downscale design and configuration control.

In terms of selecting the number of transmitters, use these guidelines:
• Use 1oo2D as the normal starting point for SIL2 applications.
• Consider 2oo3 where nuisance trip prevention is overriding, or where measurement reliability is poor and multiple
rapid measurement failures are possible, such as dirty, viscous or plugging service, or very weak signal strength.
• Consider 1oo1D to improve SIL1 performance, and as a simpler approach to SIL2, where the measurement is
inherently reliable, such as a clean, low viscosity, low temperature service with robust signal strength. HP

SIL and SIF basics

SIFs can be thought of as safety loops, because they have a lot in common with control loops—they comprise sensors
(such as transmitters), final elements (such as valves), and a safety algorithm, usually a fairly straightforward piece of
logic. But rather than doing process control, the purpose of SIFs is to increase process safety (or reduce risk). When the
sensors indicate a potential unsafe condition, the final elements are activated (or deactivated) to bring the process to a
safe state, such as shutting down a heater on high temperature. To help achieve the required reliability, SIFs are usually
implemented in a safety instrumented system (SIS) that is separate and independent from the basic process control
system (BPCS or DCS).

Each SIF is designed to meet a specified SIL, which is basically a level of reliability. A SIL1 SIF must work at least nine
times out of 10, thereby providing a risk reduction factor (RRF) of 10 and a probability of failure on demand (PFD) of
0.1. A SIL2 SIF must work at least 99 times out of 100, thereby providing an RRF of 100 and a PFD of 0.01. And a SIL3
SIF must work at least 999 times out of 1,000.

Practically speaking, it is difficult to design a SIF with greater reliability than SIL3. SIL4 is considered largely
unachievable in the context of most conventional industry practices. Where this level of risk reduction is found to be
necessary, it is recommended to investigate an inherently safer process design or alternative layers of protection.

For a given process, the necessary SIFs and their required SIL levels are determined within the safety life-cycle
management framework defined by ISA 84.01/IEC 61511, “Safety instrumented systems for the process industry
sector,” especially within the process hazard and risk analysis step. The SIL rating of any SIF depends on a reliability
analysis of all loop components, demand frequency, proof test interval, diagnostic coverage, human factors and other
considerations.

As Table 1 and Fig. 1 show, a single transmitter will usually suffice for a SIL1 SIF. For a SIL2 SIF, a single transmitter
may suffice if demand frequency is low and the measurement is reliable. Or, two transmitters may be necessary if
demand is high, and this may, in turn, require a third transmitter to prevent excessive nuisance trips, if the
measurement is difficult or there is no diagnostic coverage.

Protective functions are very similar to safety functions in design, but their purpose is to protect against equipment
damage, without safety implications. Protective functions often fall under the same engineering and management
practices as SIFs, but greater user discretion is allowed with regard to cost vs. reliability, since money, not safety, is at
stake. For brevity, the term SIF in this article encompasses safety and protective functions.

The vast majority of SIFs in industry are demand mode, meaning that upon detection of unsafe conditions, the function
is triggered, placing a “demand” on the SIF. In this way, a SIF with an undetected dangerous fault may not result in a
failure on demand if no demand occurs, i.e., if the fault is found and remedied without a demand occurring. A
continuous mode SIF is one that results in a hazard immediately if it becomes unavailable, such as GPS-based
positioning systems on (unanchored) deepwater drilling rigs.
