2oo3 versus Middle of Three Selection

Let's say we have 3 redundant pressure transmitters and we want to use them to generate a 2oo3 high high pressure trip. Instead of the standard way of making this logic, we can first select the middle of the three analog signals (the median). Then have a single PAHH block (instead of three PAHH blocks). This arrangement can be easier to implement when we have complex calculations. I know that Honeywell, as an example, has a standard MIDOF3 block in its advanced process control. For "control" purposes this is perfectly possible.

My question is does this arrangement (if implemented in a safety system) provide the same integrity level as the standard 2oo3 logic?
 
Unless my understanding of ' middle of three' is incorrect - your use of a median in this application would be flawed.
The concept of 2oo3 is to take the three pressure transmitter results to provide your high high pressure trip. It is only when one [of the three] appears to give an erroneous result does the other two 'outvote' the one, and provide an alarm to that effect.

This error could be out of calibration, and it is very much up to your control system as to how far out of calibration would become an error.
 
Using redundant sensors for tripping purposes works best when one considers the predominant failure mode of the sensors and then chooses the signal which helps to prevent nuisance trips. Using pressure transmitters it can sometimes be difficult to assess the predominant failure mode (does it fail more often in the high signal condition or in the low signal condition). But simply choosing the middle ("median") signal value is not really providing as much protection from nuisance tripping as might be otherwise possible.

We also don't understand if the control system (safety system) is TMR (Triple Modular Redundant), or dual redundant ("hot standby") or non-redundant. How critical is the process the signal is protecting? Why are three sensors being used instead of two or one? Simply having three sensors for one parameter doesn't protect against nuisance alarms/trips.
 
I guess my question was not clear. Suppose that we have 3 analog transmitters wired to an ESD system. They are supposed to provide a 2oo3 trip. The question is how do we implement this trip function in the ESD.

One method is to have 3 trip blocks in the ESD, so each analog signal is compared with a set-point. Then the three (digital) trip signals will be arranged in 2oo3. In addition, we should consider the "bad signals" from the AI cards of transmitters connected into AND gates with trip signals. With this arrangement let's say we have one bad signal from transmitter A and a trip detected by transmitter B ... we will have a 2oo3 trip.

Another way which I'm suggesting here and I have seen it in engineering documents is as follows. First take the median of the 3 analog signals. This can be implemented by using two high selectors and one low selector:
MEDIAN = MIN[ MAX(PT_A, PT_B), MAX(PT_B, PT_C) ]
Then have just one trip block on the median signal. Again we should consider the bad signals detected by AI cards as well.

The benefit of the second arrangement is in more complicated cases when a trip signal is not generated from only 3 transmitters. Let's say we have a low low air-to-fuel ratio trip. If we have 3 different fuels, each with 3 flow transmitters, and 3 flow transmitters for air ... we will have 12 flow transmitters in total. Using the second method (working with the median of each transmitter group) makes our job easier. The question is does it provide the same integrity level?
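The two arrangements described above, side by side, as an added example (not code from the thread or from any vendor's MIDOF3 block). The setpoint, the grid of test values and the quality-flag degradation rules for the median method are assumptions of this example. The script also runs the selector formula exactly as quoted in the post against a true middle-of-three, so the reader can see for which inputs the two differ.

```python
"""Two ways to build a 2oo3 PAHH trip from three analog transmitters, side by side.

Constructed example: values are barg, trip setpoint 6.0 barg (hypothetical).
"""
from itertools import product
from typing import NamedTuple

SETPOINT = 6.0  # barg, hypothetical PAHH setpoint for this example


class Channel(NamedTuple):
    value: float        # process value from the AI card, barg
    bad: bool = False   # AI card quality flag (open loop, out of range, card fault)


def midof3_as_posted(a, b, c):
    """The selector arrangement quoted in the thread: MIN[MAX(A,B), MAX(B,C)].
    Kept here unchanged so the check below can show where it deviates."""
    return min(max(a, b), max(b, c))


def midof3(a, b, c):
    """A true middle-of-three from 2-input high/low selectors:
    MAX[ MIN(A,B), MIN(MAX(A,B), C) ]  (two high selects, two low selects)."""
    lo_ab, hi_ab = min(a, b), max(a, b)
    return max(lo_ab, min(hi_ab, c))


def trip_2oo3_discrete(chs, setpoint=SETPOINT):
    """Method 1: one PAHH block per transmitter; a bad-quality channel is
    treated as a trip vote (as the thread describes: bad A + trip B = trip);
    the three votes are then put through 2oo3."""
    votes = [c.bad or c.value >= setpoint for c in chs]
    return sum(votes) >= 2


def trip_on_median(chs, setpoint=SETPOINT):
    """Method 2: select the middle value, then one PAHH block.
    Quality handling is where this method needs an explicit rule: once a
    channel is flagged bad there is no 'middle of three' any more, so the
    block degrades to a high-select (1oo2) of the healthy pair, and trips
    outright when two or more channels are bad. Those degradation rules are
    an assumption of this example, chosen to mirror Method 1's vote logic."""
    healthy = [c.value for c in chs if not c.bad]
    if len(healthy) <= 1:
        return True                       # 2 or 3 bad: fail to the safe state
    if len(healthy) == 2:
        pv = max(healthy)                 # degraded 1oo2: either healthy PT trips
    else:
        pv = midof3(*healthy)
    return pv >= setpoint


def methods_agree(setpoint=SETPOINT):
    """Exhaustive check that the two arrangements give identical trip
    decisions over a grid of values and all quality-flag combinations."""
    grid = [0.0, 5.9, 6.0, 6.1, 9.0]      # straddles the setpoint
    for vals in product(grid, repeat=3):
        for bads in product([False, True], repeat=3):
            chs = [Channel(v, b) for v, b in zip(vals, bads)]
            if trip_2oo3_discrete(chs, setpoint) != trip_on_median(chs, setpoint):
                return False
    return True


def posted_formula_mismatches():
    """Inputs where the thread's MIN[MAX(A,B), MAX(B,C)] is not the median.
    Returns a list of (a, b, c, posted_result, true_median)."""
    out = []
    grid = [0.0, 5.0, 6.0, 7.0]
    for a, b, c in product(grid, repeat=3):
        if midof3_as_posted(a, b, c) != midof3(a, b, c):
            out.append((a, b, c, midof3_as_posted(a, b, c), midof3(a, b, c)))
    return out


if __name__ == "__main__":
    # PT_B drops to zero, PT_A = 6, PT_C = 6.1 (the case raised later in the thread)
    chs = [Channel(6.0), Channel(0.0), Channel(6.1)]
    print("median:", midof3(*[c.value for c in chs]), "-> trip:", trip_on_median(chs))
    print("2oo3 discrete -> trip:", trip_2oo3_discrete(chs))
    print("methods agree on full grid:", methods_agree())
    for row in posted_formula_mismatches()[:3]:
        print("posted formula deviates:", row)
```

On clean signals the two methods are the same Boolean function: the middle value is at or above the setpoint exactly when at least two of the three values are, so `methods_agree()` holds over the whole grid. What the exhaustive check makes visible is that the equivalence only survives quality flags if the median block is given an explicit degradation rule (here 1oo2 on the healthy pair, trip on two bad); a plain three-input median has no such rule by itself. The quoted two-high/one-low selector chain returns PT_B whenever PT_B is strictly the highest of the three, which is a low-side error for a high-high trip, so a true median needs the four-selector form shown in `midof3`.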
 
You clearly have not understood my posting.
From what I recall of the 'Triplex PLC' configuration, each i/p is configured into 2oo3, so the answer to your point:
question is how do we implement this trip function in the ESD.
is simply seen as one ESD trip signal and programmed accordingly.
So, for your complicated configuration in the last paragraph, you deal with 3 flow transmitters and 1 air flow.

You have not clarified how median calculations would give correct results if, say, PT_B drops to zero. How do you exclude it from your median calculations?
You should not only consider bad signals detected by AI cards, but also AI card fault / PLC internal faults with view to a 'fault tolerant system'.
 
Answer to your question: if PT_B drops to zero and say PT_A and PT_C give respectively 6 barg and 6.1 barg, then the median is 6 barg.
Let's put the bad signal, card failure, etc aside as they're not related to the question.
 
Personally, when I encounter a question like this on a running system (and we don't know much of ANYTHING about this safety system!!!) I see how it was handled with other similar inputs.

I'm going to tap out of this thread. It's his site and if he's going to wait for a free World Wide Web forum to approve something that he's not willing to share pertinent information about, it's not worth any more of my time. If he's convinced he's met all of the requirements of his process with his programming suggestion, who are we to say otherwise with the information provided.

"A horse can be led to water, but it can't be made to drink."
 
I am asking a general conceptual question. It's not about a running system and I'm not expecting the free www to act as a notary body.
For the sake of argument we can assume we have a SIL-3 capable logic solver. Whether it is TMR or whatever I don't think is pertinent. Let's assume it is TMR.
The trip function is a PAHH trip on a pressurised vessel. PAHH opens a blowdown valve. The SIF has been allocated SIL 2. Three PTs are wired to the logic solver.
What I'm suggesting is to take the median signal, then have the PAHH trip block once, instead of 3 trip blocks in a 2oo3 arrangement.
I'm not convinced this solution meets the requirements; hence asking the question.
 
Looking at the Honeywell MIDOF3 algorithm, it is, with the best of intentions, incompatible with any possible SIL rating, unless Honeywell can provide a great deal of supporting evidence [over the years] that it is almost 100% failsafe, and can provide mathematical evidence of its fail-to-danger statistics.

A colleague made the comparison of asking if the Titanic, on its maiden voyage from Liverpool, would ever reach the iceberg it was destined for with a large hole in the hull below the waterline.
 
Point taken. But I can see from our project documents that we have specified such an arrangement in various projects over more than a decade. It might be that some major petrochemical plants across the globe have "large holes in the hull".
 
Very Interesting

Are any of these sites COMAH rated: and have any related projects been rated to SIL3, or subject to HAZOP reviews.

If so you [the main contractor] should have historic records of where and why the Honeywell median system was used - if not then the QA Manager needs to be informed on an urgent basis.
 
Well, firstly this is what we have specified on paper (as an engineering company) but how exactly those 2oo3 trips were implemented by the likes of Honeywell, HIMA, etc I don't know.
The MIDOF3 which I mentioned earlier was something that I found in Honeywell documents. I didn't say that it was used in a SIL rated application.
Still I haven't got the answer though. Using the median signal plus a trip function "on paper" works exactly as a proper 2oo3 voting. I can tell that you didn't like the idea! But why?
 
You seem to be chasing your own tail here. If you don't know how the Honeywell trips were implemented then I would try to find out.
I would want to see the source code for MIDOF3 to see exactly what it is doing. If it's not available then as a safety feature it would be rejected and I would question why Honeywell is operating in this area.

Have you contacted them on this?
 
I'll add this. If you have redundant logic from each transmitter, High-High off the alarm block, you can take these out of service for maintenance one at a time. Some implement a High alarm from a good transmitter and a High-High equals a trip. Some implement 2 transmitters bad = your master goes to manual. Some systems make you select a transmitter to run on when you have failed transmitters. The bottom line to this story is it depends on the application you are running this on. Boiler codes also have specifics on this kind of logic. I think Oneeye14, CSA would say the same. You better run this application through Honeywell due to the safety involved in this application. A good controls engineer is needed. I dealt with a lot of boilers, steam turbines, gas turbines and I was corrected many times by Siemens, GE, Foxboro, Allen Bradley on why you don't do it like you thought. Just my 2 cents. Happy Friday.
 