The language of process safety is filled with its own jargon. Architectures are described as 1oo1, 1oo2, 2oo2, 2oo3, etc. The “oo” means “out of”. So, 1oo1 means one-out-of-one.

William M. Goble and Harry Cheddie wrote a book, Safety Instrumented Systems Verification – Practical Probabilistic Calculations, to explain how to do probabilistic calculations based on these various architectures to accomplish safety integrity level (SIL) verification for safety systems.

Safety instrumented system suppliers have introduced hybrid SIS architectures that don’t fit neatly into the XooY buckets. An exida whitepaper, A Hybrid Fault Tolerant Architecture, highlights the role diagnostics play in calculating probabilities and how they factor into overall safety integrity and availability.

I caught up with Emerson’s Gary Law, a certified functional safety expert (CFSE) and CFSE board member. Gary is a technologist for the DeltaV and DeltaV SIS systems. He provided me some background. Per the DeltaV SIS IEC 61508 Functional Safety Assessment:

The analysis shows that the system has a safe failure fraction > 99% and therefore per even worst case assumptions, the non-redundant unit may be used up to SIL 3 based on architecture constraints.

DeltaV SIS certifications include:

• IEC 61508: 2000; Part 1-7, SIL3 capability
• IEC 61511: 2004
• EN 54-2: 1997
• EN 298: 2003
• EN 50156-1: 2004
• NFPA 72: 2007
• NFPA 85: 2007

Section 2 of the DeltaV SIS Safety Manual provides the failure rate data required for SIL verification. With either simplex or redundant DeltaV SIS logic solvers, they can be applied in safety instrumented functions up to SIL 3.

The redundancy provides additional availability, but counterintuitively, lowers the average probability of failure on demand (PFD_avg) for the safety instrumented function. I asked Gary to help explain to me why this is so.

Think of circuit with two switches. If they are in series, it is a 1oo2 architecture. The safety integrity improves because either switch can open the electrical circuit. Conversely, the availability decreases because either switch can spuriously open the circuit.

Now imagine the two switches in parallel—a 2oo2 architecture. A spurious opening of either switch will not open the circuit, thus increasing availability. A failure close of either switch will prevent the circuit from de-energizing, thus reducing the safety integrity. All of these failure probabilities, both detected and undetected, go into the overall SIL capability ratings for a safety instrumented system and are part of their certifications for use.

For those attending the October 24-28 Emerson Exchange in Nashville, Gary will be part of a DeltaV “Deep Dive” session. If you have more questions related to the DeltaV and DeltaV SIS system architectures, plan on attending this session.