Once it has been determined that a facility should be protected from equipment failure or operator error by an alarm or shutdown system, further evaluation can help to anticipate the result of a failure within the protective system itself. Should the plant, unit, or affected portion of a plant continue to operate, or should it shut down “fail safe”? This disposition following failure is referred to as the failure mode and is an essential design consideration.
The desired behavior of the plant upon failure of the protective system is often achieved through the use of normally energized or normally de-energized components. These components can be designed to either trip when de-energized or trip when energized. For example, a de-energize-to-trip component might be a valve, which is held open during normal operation by air supply and electrical power, but which would close upon failure of either air or power.
Failures can be classified into two types, safe-failures and dangerous-failures. Safe-failures are those failures that cause the shutdown system to put the plant in a safe state, typically shutting the plant down. Dangerous-failures are those failures that keep the shutdown system from properly executing its protective function. Dangerous-failures do not become a problem unless they occur coincident with a hazardous event. Dangerous-failures can be exposed by periodically testing the shutdown system.
As an example, let’s look at a furnace fuel gas line with a Chopper valve controlled by a solenoid valve. The safe state is to de-energize the solenoid valve, close the Chopper, and stop the flow of fuel gas. A safe-failure would be loss of power forcing the solenoid valve de-energized and shutting down the furnace. A dangerous-failure would be the solenoid spring breaking. Now, the solenoid valve is stuck open and the safety system cannot control it. The safety system is in a dangerous mode. The safety system cannot chop fuel gas, even if a hazardous situation exists.
Redundancy is a means to reduce safe-failures and dangerous-failures. A single, one-out-of-one (1oo1) configuration has a certain reliability for safe-failures and dangerous-failures. Dual systems are either a 1oo2 configuration (i.e., the system requires one of the two sensors to indicate trip in order to trip the plant) or a 2oo2 configuration (i.e., the system requires two out of two sensors to indicate trip in order to trip the plant). A 1oo2 configuration is best for reducing dangerous-failures and the worst for safe-failures. A 2oo2 configuration is best for reducing safe-failures and is the worst for dangerous-failures. A 2oo3 configuration is a compromise: 2oo3 provides a good reduction in both safe-failures and dangerous-failures.
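The voting tradeoffs above can be made concrete with a small model. The following is an added example, not part of the original text: it implements MooN voting, checks how each configuration behaves when one channel has a safe-failure (stuck-at-trip) or a dangerous-failure (stuck-at-no-trip), and computes spurious-trip probability and probability of failure on demand from per-channel failure probabilities. It assumes independent channels with no common-cause failures, and the probabilities used are constructed, not values from any standard.

```python
"""Voting-logic model for 1oo1 / 1oo2 / 2oo2 / 2oo3 shutdown configurations.
Added example with constructed values; channels are assumed independent
(no common-cause failure modeling)."""
from math import comb


def votes_to_trip(m, n, channel_trip_flags):
    """MooN logic: the system trips when at least m of n channels report trip."""
    assert len(channel_trip_flags) == n
    return sum(channel_trip_flags) >= m


def channel_output(hazard_present, failure):
    """Trip flag from one sensor channel.
    failure is None, 'safe' (stuck-at-trip) or 'dangerous' (stuck-at-no-trip)."""
    if failure == "safe":
        return True
    if failure == "dangerous":
        return False
    return hazard_present


def spurious_trip(m, n, safe_failed):
    """No hazard present: does the system shut the plant down anyway?"""
    flags = [channel_output(False, "safe" if i in safe_failed else None)
             for i in range(n)]
    return votes_to_trip(m, n, flags)


def fails_on_demand(m, n, dangerous_failed):
    """Hazard present: does the system fail to trip?"""
    flags = [channel_output(True, "dangerous" if i in dangerous_failed else None)
             for i in range(n)]
    return not votes_to_trip(m, n, flags)


def prob_at_least(k, n, p):
    """P(at least k of n independent channels are in a given failed state)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def architecture_risk(m, n, p_safe, p_dangerous):
    """(spurious-trip probability, probability of failure on demand) for MooN.
    m safe-failed channels out-vote the rest; n-m+1 dangerous-failed channels
    leave too few working channels to reach the trip threshold."""
    return prob_at_least(m, n, p_safe), prob_at_least(n - m + 1, n, p_dangerous)


if __name__ == "__main__":
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        print(f"{m}oo{n}: spurious={architecture_risk(m, n, 0.01, 0.01)[0]:.6f} "
              f"pfd={architecture_risk(m, n, 0.01, 0.01)[1]:.6f}")
```

With equal per-channel probabilities of 0.01, 1oo2 and 2oo2 mirror each other (0.0199 vs 0.0001) while 2oo3 keeps both figures near 0.0003, which is the compromise described above; in practice common-cause failures raise these numbers and must be assessed separately.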
For a better understanding of these tradeoffs, refer to ISA S84.01 and ISA draft TR84.02; or contact the ERTC M&CS Safety Interlock Specialist.