Understanding Redundant Sensors in SIF
In a single Safety Instrumented Function (SIF), multiple sensors may be deployed, each capable of independently detecting a dangerous situation. The most common configuration is a 2oo3 (two out of three) architecture, frequently used in High Integrity Pressure Protection Systems (HIPPS). These sensors are considered equivalent because they have the same ability to detect the initiating event. They are also redundant, meaning the safety function can still fulfill its purpose even if some of the sensors fail.
However, redundant initiators do not always have to be equivalent. They can differ in type, location, or operating principle. For example, a pump’s loss of feed can be detected either by low flow or low pressure at the suction or discharge point, depending on the pump’s exact configuration.
Criteria for Redundant Initiators
For initiators to be considered redundant in a SIF, they must meet two essential conditions:
- Comprehensive Detection: Each initiator must be capable of detecting the dangerous condition for all possible demand cases of the SIF.
- Failure Tolerance: Each initiator (or group of initiators) must be able to detect the hazardous condition even if all other initiators fail.
If the second condition is not met, the SIF may need to be divided into two separate functions:
- One with redundant initiators capable of detecting all demand cases independently.
- Another with non-redundant initiators, covering the demand cases that not all initiators can detect independently.
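The two conditions above can be checked mechanically once the SIF is written down as a coverage matrix (which initiator detects which demand case). The following Python example is added here and is not from the article or from the referenced book; the tag names, demand cases and coverage are constructed for illustration. Each initiator is treated individually, so a voted group such as 2oo3 pressure transmitters would be entered as one initiator; under that simplification, an initiator that detects every demand case can still detect the hazard when all other initiators have failed, so condition 2 reduces to condition 1 for single initiators, and the per-demand-case count of detecting initiators shows where a single sensor failure would leave a demand case undetected.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed example (hypothetical tags and coverage, not from the article):
# a pump-protection SIF with two demand cases and three initiators.
DEMAND_CASES: Set[str] = {"loss of feed", "discharge blockage"}
COVERAGE: Dict[str, Set[str]] = {
    "FT-101 low flow": {"loss of feed", "discharge blockage"},
    "FT-102 low flow": {"loss of feed", "discharge blockage"},
    "PT-101 low suction pressure": {"loss of feed"},
}


def uncovered_cases(coverage: Dict[str, Set[str]], demand_cases: Set[str]) -> Set[str]:
    """Demand cases that no initiator detects at all.

    The SIF cannot claim protection against these; they are a design gap,
    not a redundancy question."""
    detected = set().union(*coverage.values()) if coverage else set()
    return set(demand_cases) - detected


def redundant_initiators(coverage: Dict[str, Set[str]], demand_cases: Set[str]) -> Set[str]:
    """Condition 1 (comprehensive detection): an initiator counts as redundant
    only if it detects every demand case of the SIF."""
    return {tag for tag, cases in coverage.items() if set(demand_cases) <= cases}


def detection_fault_tolerance(coverage: Dict[str, Set[str]], demand_cases: Set[str]) -> Dict[str, int]:
    """Per demand case, how many initiator failures can be tolerated before
    that case goes undetected (number of detecting initiators minus one).
    A value of 0 means one sensor failure silently removes the protection;
    -1 means the case is not detected at all."""
    return {
        case: sum(case in cases for cases in coverage.values()) - 1
        for case in demand_cases
    }


def split_sif(coverage: Dict[str, Set[str]], demand_cases: Set[str]) -> Tuple[Optional[dict], Optional[dict]]:
    """Divide the SIF as the article describes when not every initiator is
    redundant: SIF A holds the redundant initiators and all demand cases,
    SIF B holds the remaining (non-redundant) initiators and the demand cases
    they detect. Either half is None when it would be empty; SIF A needs at
    least two initiators to be called redundant."""
    redundant = redundant_initiators(coverage, demand_cases)
    others = set(coverage) - redundant
    sif_a = {"initiators": redundant, "demand_cases": set(demand_cases)} if len(redundant) >= 2 else None
    sif_b = None
    if others:
        sif_b = {
            "initiators": others,
            "demand_cases": set().union(*(coverage[tag] for tag in others)),
        }
    return sif_a, sif_b


if __name__ == "__main__":
    print("uncovered:", uncovered_cases(COVERAGE, DEMAND_CASES))
    print("redundant:", redundant_initiators(COVERAGE, DEMAND_CASES))
    print("tolerance:", detection_fault_tolerance(COVERAGE, DEMAND_CASES))
    print("split:", split_sif(COVERAGE, DEMAND_CASES))
```

With the constructed matrix, both flow transmitters are redundant initiators, the suction pressure transmitter is not (it misses the discharge blockage case), and the split yields SIF A with FT-101/FT-102 over both demand cases and SIF B with PT-101 over loss of feed only. Whether SIF B is worth keeping as a separate function, or PT-101 is better removed or retained outside the SIS, is the decision the later sections discuss.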
Handling Redundant Sensors in a SIF
There are two primary methods for managing redundant initiators within a SIF:
1. Treat Initiators as a MooN Architecture
- In this approach, the initiators are handled as a MooN (M out of N) configuration, where N represents the number of redundant initiators.
- This method gives a hardware fault tolerance of N – M, which helps the SIF meet its architectural constraints.
- It also lowers the average Probability of Failure on Demand (PFDavg) or the Probability of Failure per Hour (PFH), improving the reliability of the safety function.
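To see how the voting architecture changes both numbers, the following Python example (added here; not from the article or the referenced book) computes the hardware fault tolerance N – M and the PFDavg of a MooN group of identical, independent channels in two ways: the well-known simplified closed form N!/((N–M+2)!(M–1)!) · (λDU·TI)^(N–M+1), which gives the familiar λTI/2 for 1oo1, (λTI)²/3 for 1oo2 and (λTI)² for 2oo3, and a direct time average of the probability that at least N–M+1 channels have failed, integrated over one proof-test interval. The failure rate and test interval are constructed sample values. Common-cause failures (the β-factor) are deliberately not modelled, so the figures are optimistic for real redundant sensors; and the SIL band returned is only the PFD part of a SIL claim, not the architectural-constraint check.

```python
from math import comb, exp, factorial
from typing import Dict, Tuple


def hardware_fault_tolerance(m: int, n: int) -> int:
    """HFT of a MooN voting group: dangerous channel failures that can be
    tolerated while the group can still perform the safety function."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


def pfd_moon_approx(m: int, n: int, lambda_du: float, ti: float) -> float:
    """Simplified PFDavg for MooN with identical, independent channels.

    lambda_du: dangerous undetected failure rate per hour
    ti:        proof-test interval in hours
    Closed form: N!/((N-M+2)! (M-1)!) * (lambda_du*ti)^(N-M+1)."""
    hardware_fault_tolerance(m, n)  # validates M and N
    k = n - m + 1
    coeff = factorial(n) / (factorial(n - m + 2) * factorial(m - 1))
    return coeff * (lambda_du * ti) ** k


def pfd_moon_numeric(m: int, n: int, lambda_du: float, ti: float, steps: int = 20000) -> float:
    """PFDavg by time-averaging P(at least N-M+1 of N channels failed by t)
    over one proof-test interval (midpoint rule), assuming exponential,
    independent channel failures and perfect proof testing."""
    hardware_fault_tolerance(m, n)
    need = n - m + 1
    dt = ti / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        p = 1.0 - exp(-lambda_du * t)  # one channel failed by time t
        # binomial tail: enough channels have failed for the group to fail
        total += sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(need, n + 1))
    return total / steps


def sil_band(pfd: float) -> str:
    """IEC 61508 low-demand PFDavg bands (PFD part of a SIL claim only)."""
    if pfd >= 1e-1:
        return "below SIL 1"
    if pfd >= 1e-2:
        return "SIL 1"
    if pfd >= 1e-3:
        return "SIL 2"
    if pfd >= 1e-4:
        return "SIL 3"
    if pfd >= 1e-5:
        return "SIL 4"
    return "beyond SIL 4 band"


def compare_architectures(lambda_du: float, ti: float) -> Dict[str, Tuple[int, float, float, str]]:
    """For common sensor architectures: (HFT, PFDavg approx, PFDavg numeric, band)."""
    result = {}
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3), (1, 3)]:
        approx = pfd_moon_approx(m, n, lambda_du, ti)
        numeric = pfd_moon_numeric(m, n, lambda_du, ti)
        result[f"{m}oo{n}"] = (hardware_fault_tolerance(m, n), approx, numeric, sil_band(approx))
    return result


if __name__ == "__main__":
    # Constructed sample values: lambda_DU = 5e-7 /h, annual proof test.
    for arch, (hft, approx, numeric, band) in compare_architectures(5e-7, 8760).items():
        print(f"{arch}: HFT={hft}  PFDavg≈{approx:.2e} (numeric {numeric:.2e})  {band}")
```

Adding sensors and voting 2oo3 takes the hardware fault tolerance from 0 to 1 and drops PFDavg from about 2.2e-3 (1oo1) to about 1.9e-5 with these sample values, while 2oo2 gives no fault tolerance and a worse PFDavg than a single sensor; that is the trade-off the next section weighs against spurious trips and maintenance load. The numeric integration agrees with the closed form to within a fraction of a percent here, and the gap grows only when λDU·TI is no longer small.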
2. Remove Some Redundant Initiators
- Reducing the number of initiators in a SIF can decrease the likelihood of spurious trips and lower maintenance and testing requirements.
- The selection of initiators for removal should follow the same principles used for redundant SIFs.
When an initiator is removed from the SIF, there are two possible options:
- Complete Removal from SIS Design: The initiator is not installed physically in the plant, eliminating unnecessary complexity.
- Retaining the Initiator Outside SIS: The initiator is removed from the SIS specification but kept in the design (e.g., as a DCS trip). This does not reduce spurious trips, however, since the device remains installed in the plant and can still trip it.
References:
Functional Safety from Scratch by Peter Clarke