In Safety Instrumented System (SIS), Hardware fault tolerance is very vital to ascertain how long SIS can perform with the designed integrity.
Fault Tolerance is the ability of a functional unit to continue to perform a required function in the presence of faults or errors.
SIS Fault Tolerance
Fault Tolerance is one of the requirements that the Automation/Safety Design must meet to achieve the required safety.
In general, three forms of proof are required to claim that an SIS reaches a particular safety integrity level.
- The devices should be user-approved for the operating environment, application, and integrity level.
- Components of new Safety Instrumented Systems should be selected to meet SIL requirements and meets the criteria for proven-in-use.
- The device subsystems should meet the fault tolerance requirements.
- The overall SIS should achieve the target probability of failure on demand (PFD) when the SIS is operating in the continuous mode.
Hardware Fault Tolerance (HFT)
Hardware fault tolerance provides protection against Random failures. If it would result in additional failures and lead to decreased overall process safety, then the HFT may be reduced. This shall be justified and documented.
The justification shall provide evidence that the proposed architecture is suitable for its intended purpose and meets the safety integrity requirements.
The HFT requirements in below table represent the minimum system or, where relevant, the SIS subsystem redundancy.
Depending on the application, device failure rate, and proof-testing interval, additional redundancy can be required to satisfy the failure measure for the SIL of the SIF.
| SIL Level | Minimum required HFT |
| SIL 1 (Low/High/Continuous demand mode) | 0 |
| SIL 2 (Low demand mode) | 0 |
| SIL 2 (High/Continuous demand mode) | 1 |
| SIL 3 (Low/High/Continuous demand mode) | 1 |
| SIL 4 (Low/High/Continuous demand mode) | 2 |
As per IEC: 61511 “For all subsystems (for example, sensor, final elements, and non-PE logic solvers) excluding PE logic solvers the minimum fault tolerance specified in the above table may be reduced by one”.
In other words, SIL-2 SIS’s (Low demand) do not need any fault tolerance if:
- The sensors or final elements are selected on the basis of “prior use”
- The sensor or final element does not have a sophisticated computer with downloadable software, such as with analyzers; the device allows adjustment of process-related parameters only, for example, measuring range, upscale or downscale failure direction;
- The sensor or final element’s process-related parameters are access restricted (for example, jumper, password protected) to enable only qualified individuals can make the changes.
- The sensor or final element is not involved in a SIS requiring a risk reduction equal to or greater than 10,000 times.
The Generic Rule for Fault Tolerance
One may decrease the minimum fault tolerance requirement by 1 if ALL the following apply:
- Prior use
- Simple electronics based sensors, Final elements – only process-related parameter changes allowed
- Protection for changing the process-related parameters
- SIL-3 or less.
Alternately one must Increase the minimum hardware fault tolerance by 1 if:
The dominant failure mode is in the dangerous state & At least 60% of dangerous failures are not detected.
Methods to Overcome HFT issues
Fault tolerance is the preferred solution to achieve the required confidence that a robust architecture has been achieved.
When these conditions are satisfied, the purpose of the conclusion is to demonstrate that the proposed alternative architecture provides an equivalent or better solution.
This may vary depending on the application and/or the technology in use
A few examples are Backup arrangements (e.g., Analytical redundancy, replacing a failed sensor output with physical calculation results from other sensors outputs)
Using more reliable items of the same technology (as applicable)
Changing for a more reliable technology
Decreasing common cause failure impact by using diversified technology
Increasing the design margins (where it’s allowed)
Constraining the environmental conditions (e.g. for electronic components)
Decreasing the reliability uncertainty by gathering more field feedback or specialist opinion.
If you liked this article, then please subscribe to our YouTube Channel for Electrical, Electronics, Instrumentation, PLC, and SCADA video tutorials.
You can also follow us on Facebook and Twitter to receive daily updates.
Read Next: