Chemical Engineering World | OCTOBER 2009
of the SIFs in the system.

This fault-tolerant TMR architecture with 2oo3 voting logic provides a very high degree of operational availability, since the occurrence of spurious safety trips due to internal SIS errors is greatly reduced.

First-generation, fault-tolerant TMR technology was created before the advent of the international standards that apply today. Originally, these systems were designed to provide more operational availability while providing the needed safety shutdown functions. As international standards were created, the first-generation products were modified to meet them. In some cases, the standard placed requirements on these systems that could not be met, forcing users to implement additional protection outside of the first-generation system.

However, the regulations also require that any single failure, even in a triplicated fault-tolerant system, must be repaired within a finite time period. Mean Time To Repair is one of the parameters that goes into the SIL certification calculations for a given SIS configuration. Thus, unless the faulty component can be repaired online, a previously unplanned shutdown will need to be scheduled to be able to perform the repair quickly. This is not generally a problem with the first-generation systems, but some second-generation systems backslid on this requirement.

Unplanned shutdowns result in lost production. This can cost the owner-operator many thousands of dollars and really screw up the profit/loss report in any given month. With first-generation TMR systems, design and architectural constraints limited the ability to perform online system modifications or upgrades, requiring shutdowns to be scheduled that might otherwise have been avoided.
Second Generation SIS Systems
As technology progressed, more SIS systems came on the market. Due to advancing technology, these systems tend to have more extensive diagnostic capabilities. Due to improved diagnostics, many of these products do not offer triple redundancy, the feeling being that the improved diagnostics make TMR architectures obsolete. In many cases, even simple redundancy is not the standard offering. This presents a problem that did not exist with first-generation TMR systems. Since the SIS is simplex, it cannot be repaired online, meaning that according to ISA84, any fault in the SIS will require that a shutdown be scheduled.

On the other hand, new redundant architectures were introduced with 1oo2 and 2oo4 schemes. With some limitations, most of these systems work very well. The main error in these second-generation systems is not in the diagnostics or in the redundancy or lack thereof. The fault is in the target. These systems were designed to do well or to incrementally improve upon the first-generation systems. Third-generation systems were designed to provide the user with the safest system available and to provide maximum uptime.
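The trade-off between the voting schemes discussed above can be checked by brute force. The following Python sketch is an added example, not taken from the article or from any vendor's product: it treats each architecture as a plain M-out-of-N (MooN) voter, written 1oo1 for simplex, 1oo2, 2oo3 and 2oo4, ignores diagnostics and degraded modes, and counts how many faulted channels each scheme tolerates before it trips spuriously or misses a real demand.

```python
# Added illustration: plain M-out-of-N voters, no diagnostics modelled.
# Architecture names follow the MooN convention (assumption: 1oo1 = simplex).
ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo3": (2, 3), "2oo4": (2, 4)}


def vote(m, channels):
    """Return True (trip) when at least m channels demand a trip."""
    return sum(channels) >= m


def fault_tolerance(m, n):
    """Return (spurious_tolerance, dangerous_tolerance) for a MooN voter.

    spurious_tolerance: most channels that can be stuck at 'trip' with no
    real demand before the voted output trips the process.
    dangerous_tolerance: most channels that can be stuck at 'no trip'
    during a real demand before the voted output fails to trip.
    """
    def output_still_correct(k, stuck_value, true_state):
        # k faulted channels report stuck_value, the rest report the truth
        channels = [stuck_value] * k + [true_state] * (n - k)
        return vote(m, channels) == true_state

    spurious = max(k for k in range(n + 1)
                   if output_still_correct(k, True, False))
    dangerous = max(k for k in range(n + 1)
                    if output_still_correct(k, False, True))
    return spurious, dangerous


def compare():
    """Map each architecture name to its (spurious, dangerous) tolerance."""
    return {name: fault_tolerance(m, n)
            for name, (m, n) in ARCHITECTURES.items()}


if __name__ == "__main__":
    for name, (spurious, dangerous) in compare().items():
        print(f"{name}: tolerates {spurious} spurious-trip fault(s), "
              f"{dangerous} dangerous fault(s)")
```

A simplex system tolerates no fault in either direction and 1oo2 still trips on a single spurious channel, while 2oo3 is the smallest scheme here that rides through one fault of either kind, which is the availability argument made for TMR.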
Third Generation Fault-Tolerant Systems
The latest generation of fault-tolerant, simplex, dual- and triple-modular redundant safety instrumented systems combines all the benefits of first- and second-generation SIS technology with improved diagnostics, safety availability, operational availability, and significantly lower lifecycle costs. This has been accomplished by implementing new, more flexible redundancy approaches, increased diagnostic coverage, better processing and communications performance, plus new online repair, modification, and upgrade capabilities. The goal of these systems is not incremental improvement, but providing the user with the SIS that will provide the very best protection against unsafe situations while providing minimal interference with the operation of the facility.

Furthermore, unlike earlier generations of safety system technology, the new simplex, dual- and triple-modular redundant SISs can often come configured as SIL certified right out of the box, with few, if any, restrictions imposed by the certifying body.

The net result is that third-generation redundant safety systems can often deliver significantly increased integrity and availability over first- and second-generation systems. With safety integrity in excess of 99.9999 per cent (six nines) when configured in triplicated fashion, third-generation SIS can eliminate the one in ten outages attributable to the control system while significantly reducing nuisance trips to provide operational availability in excess of 2000 years.

With third-generation safety systems, any faults are automatically identified by the system without the need for user application