Redundancy and Diagnostics in Safety Instrumented System Sensors

This past Emerson Exchange conference has a treasure trove of presentations as it does every year. I’ve gone into the trove and mined this presentation, Measurement Diagnostics in Safety Instrumented Systems, by Emerson’s Mark Menezes. The presentation is based on an article from several years ago, Measurement Best Practices for Safety Instrumented Systems by Mark and DuPont’s Stephen R. Brown.

Mark opened the presentation making three key points:

  • Most covert, dangerous failures of measurements are caused by real-world common cause, not transmitter electronics
  • Diagnostics are available in HART transmitters that detect some of these failures
  • Users need to quantify real-world failure rates and diagnostic coverage to realize the benefits

I’ll focus this post primarily on the first point.

He showed a picture with some examples of how components in a safety instrumented function could fail:

[Figure: example failure modes for each element of a safety instrumented function: Sensor, Logic Solver, Final Control Element]

Mark next showed the Failure Modes, Effects and Diagnostics Analysis (FMEDA) from exida for the Rosemount 3051S pressure transmitter. Statistically, it has a dangerous, undetected failure rate (λDU) of ~0.01 /year. This means 1 in 100 devices in this application will experience a dangerous, covert failure every year. Redundancy can reduce these risks if the failures are independent (i.e. no “common cause”) and if the two transmitters are set up as “1 out of 2” (1oo2), which means that the process keeps operating only if BOTH transmitters say conditions are “safe”.

In 1oo2, the risk goes from 0.01 /year to (0.01)² = 0.0001, or 1 in 10,000 devices that statistically may fail dangerously every year. This added risk reduction comes with a doubling of the spurious (unnecessary) trip risk, since either transmitter alone can cause a spurious trip. Therefore, 1oo2 improves safety but reduces availability.

In a two-out-of-two (2oo2) arrangement—keep operating if EITHER transmitter says “safe”—the risk of a dangerous failure doubles by adding the second transmitter, but availability improves. In a two-out-of-three (2oo3) arrangement, safety and availability both improve.

Mark noted that the transmitter is only one contributor to total risk, since the number is derived through analysis for the transmitter in isolation. Some other contributors to risk may include:

  • Pressure: Impulse line plugging
  • Flow: orifice plate misalignment or damage
  • Temperature: coating, electrical noise
  • Level: process or fill fluid density change
  • Material compatibility, environmental conditions
  • Extreme pressures & temperatures
  • Installation or maintenance errors

If any of these conditions can affect more than one sensor, then there is a common cause condition. Mark shared an example where plant history indicated a risk of impulse line plugging of 1 in 200 per year, i.e. a probability of failure on demand (PFD) of 0.005. The next question is how likely it is that the plugged line will be detected before the redundant sensor’s line also plugs. That depends on how much of the line is shared between the two sensors, how alert the operator is, how stable the process is, and how quickly the hazard can develop. If a 20% chance of detection is assigned, the net risk is 0.005 × 0.8 = 0.004.

With the transmitter PFD of 0.01 and the interface PFD of 0.004, Mark shared three redundancy scenarios:

  • No redundancy: risk = 0.01 + 0.004 = 0.014
  • 2x redundancy: risk = (0.01)² + 0.004 ~ 0.004
  • 3x redundancy: risk = (0.01)³ + 0.004 ~ 0.004 (Zero improvement)

He made the point that once redundant transmitters are present, overall risk cannot be reduced further without reducing the risk of dangerous, undetected failure of the common cause interface.
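To make the arithmetic behind these scenarios concrete, here is a small Python model I added for this post (my own, not from Mark’s presentation). It computes the dangerous-failure PFD of a k-out-of-n voted group with the binomial formula, adds the common-cause floor from the impulse-line example, and follows the post’s simplification of treating the per-year failure rate as the PFD; the function names and the 2oo2/2oo3 rows are my additions.

```python
from math import comb

# Constructed inputs, taken from the figures quoted in the post.
LAMBDA_DU = 0.01         # dangerous undetected failure rate per transmitter, /year
LINE_PLUG_RATE = 0.005   # impulse line plugging, 1 in 200 per year
P_DETECT = 0.20          # chance the first plugged line is caught before the second plugs


def p_at_least(n: int, m: int, p: float) -> float:
    """Probability that at least m of n independent devices are in the failed state."""
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(m, n + 1))


def dangerous_pfd(n: int, k: int, lambda_du: float = LAMBDA_DU) -> float:
    """koon voting: a trip needs k of n devices to demand it. The group fails
    dangerously once fewer than k devices can still vote, i.e. when at least
    n-k+1 of them have failed dangerously (1oo2 -> lambda^2, 2oo2 -> ~2*lambda)."""
    return p_at_least(n, n - k + 1, lambda_du)


def spurious_trip_prob(n: int, k: int, lambda_s: float) -> float:
    """Spurious trip when k or more devices falsely demand a trip
    (1oo2 roughly doubles it, as the post notes; 2oo2 squares it)."""
    return p_at_least(n, k, lambda_s)


def common_cause_pfd(rate: float = LINE_PLUG_RATE, p_detect: float = P_DETECT) -> float:
    """Shared-interface failure that survives detection: 0.005 * (1 - 0.2) = 0.004."""
    return rate * (1 - p_detect)


def total_risk(n: int, k: int) -> float:
    """Independent transmitter failures plus the common-cause floor, which no
    amount of extra transmitters on the same impulse line can remove."""
    return dangerous_pfd(n, k) + common_cause_pfd()


def scenario_table() -> dict:
    """The post's three scenarios plus the 2oo2 and 2oo3 arrangements it describes."""
    return {
        "1oo1 (no redundancy)": total_risk(1, 1),
        "1oo2 (2x redundancy)": total_risk(2, 1),
        "1oo3 (3x redundancy)": total_risk(3, 1),
        "2oo2": total_risk(2, 2),
        "2oo3": total_risk(3, 2),
    }


if __name__ == "__main__":
    for name, risk in scenario_table().items():
        print(f"{name:22s} risk = {risk:.6f} /year")
```

Running it shows the 1oo2 and 1oo3 rows both landing at about 0.004, and the 2oo2 row landing above the single transmitter, which is the availability-versus-safety trade-off the post describes.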

For field devices, it’s best to minimize real-world, installed common cause effects before adding redundancy. Use shorter, wider impulse lines and select stronger devices and stronger materials. Look for ways to inspect/test for common cause. Look to apply diverse technologies—for example using vortex or Coriolis to back up a dp-flowmeter, or radar to back up a dp-level meter (or vice versa). Finally, use associated diagnostics, like HART diagnostics. In safety certified transmitters, these diagnostics are automatic and put the transmitter in failsafe mode if/when a failure is detected. These diagnostics are credited in the device’s FMEDA.

There was much more to Mark’s presentation than I could cover in this post, so take a look at the article on which the presentation was based for additional insights.


  1. Nice and easy explanation. Well appreciated.
