Architecture (1oo1, 2oo3, etc.)

Definition:
Architecture in functional safety refers to the configuration and redundancy scheme of the components within a Safety Instrumented Function (SIF), chosen to achieve the required risk reduction and system reliability. It can apply to instruments, logic solvers, or final elements, though it most typically applies to instruments.

The Functional Safety Engineer must balance spurious trip rate (STR) against PFDavg. There are various ways to influence that balance, but architecture is one of the most impactful. The 2oo3 architecture is very common for this reason. Some programs simply require that all SIFs use 2oo3 voting on instruments, to standardize from an engineering, procurement, and testing perspective.

Architecture is always listed in the format of MooN.

  • Instruments – This is a Boolean OR statement. M is how many instruments must be true (in the trip state) and N is how many instruments are installed.
  • Final elements – These have to be thought of a little differently, because the piping arrangement of the valves matters. If the FEs are arranged in series, any one valve closing satisfies the function, so they are 1ooN (you would never need two or more valves to close).
  • There is also the term vote to trip, which some practitioners use as the architecture here, but SIL Safe advises against that (it is related to how diagnostics are treated).

Key Points:

  • 1oo1 (one out of one) – means there is only one sensor or final element and it must work.
  • 1oo2 – a common choice.
  • 2oo3 – a very common choice. This mathematically serves a good balance between PFDavg and STR.
  • Architectural constraints impact achievable SIL due to fault tolerance requirements.

Example:
A 2oo3 voting configuration on pressure transmitters ensures that at least two must detect high pressure before triggering a shutdown. This was chosen by the engineers to balance PFDavg and STR.
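The trade-off described above, worked through for 1oo1, 1oo2, 2oo2 and 2oo3 instrument groups, as an added illustration that is not part of the original entry. It uses the simplified low-demand approximations in the style of IEC 61508-6 (no diagnostic coverage credited, a single beta factor for common cause, repair time neglected in the PFDavg terms), and every failure rate and interval is constructed for illustration.

```python
"""Compare MooN instrument architectures on PFDavg and spurious trip rate (STR).

Simplified low-demand approximations (IEC 61508-6 style): no diagnostics
credited, common cause handled with one beta factor. Inputs are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
ARCHITECTURES = ("1oo1", "1oo2", "2oo2", "2oo3")


@dataclass(frozen=True)
class Instrument:
    lambda_du: float  # dangerous undetected failure rate, per hour
    lambda_s: float   # safe (spurious-trip) failure rate, per hour


def pfd_avg(arch: str, inst: Instrument, proof_test_years: float, beta: float) -> float:
    """Average probability of failure on demand contributed by the instrument group."""
    x = inst.lambda_du * proof_test_years * HOURS_PER_YEAR  # DU failures expected per test interval
    xi = (1 - beta) * x   # independent share of each channel's failures
    ccf = beta * x / 2    # common-cause share: defeats any redundancy at once
    return {
        "1oo1": x / 2,             # one channel, no redundancy
        "1oo2": xi ** 2 / 3 + ccf, # both independent channels must fail
        "2oo2": x,                 # both must work, so twice the exposure of 1oo1
        "2oo3": xi ** 2 + ccf,     # any two of three independent channels failing
    }[arch]


def spurious_trips_per_year(arch: str, inst: Instrument, mttr_hours: float, beta: float) -> float:
    """Unwanted shutdowns per year caused by safe failures of the instrument group."""
    ls, lsi = inst.lambda_s, (1 - beta) * inst.lambda_s
    rate_per_hour = {
        "1oo1": ls,
        "1oo2": 2 * ls,                                  # either channel tripping trips the SIF
        "2oo2": 2 * lsi ** 2 * mttr_hours + beta * ls,   # second failure inside the repair window
        "2oo3": 6 * lsi ** 2 * mttr_hours + beta * ls,   # any two of three inside the repair window
    }[arch]
    return rate_per_hour * HOURS_PER_YEAR


def sil_band(pfd: float) -> int:
    """Low-demand SIL band of a PFDavg value per IEC 61508-1 Table 2 (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def compare(inst: Instrument, proof_test_years=1.0, mttr_hours=8.0, beta=0.05) -> dict:
    """Map each architecture to (PFDavg, spurious trips per year)."""
    return {a: (pfd_avg(a, inst, proof_test_years, beta),
                spurious_trips_per_year(a, inst, mttr_hours, beta)) for a in ARCHITECTURES}


if __name__ == "__main__":
    pt = Instrument(lambda_du=5e-7, lambda_s=2e-6)  # constructed pressure-transmitter data
    for arch, (pfd, trips) in compare(pt).items():
        print(f"{arch}: PFDavg={pfd:.2e} (SIL {sil_band(pfd)} band)  STR={trips:.2e} trips/yr")
```

With these constructed inputs 1oo2 gives the lowest PFDavg but doubles the trip rate, 2oo2 gives the fewest trips but the worst PFDavg, and 2oo3 sits close to the best of both, which is the balance the entry describes.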

See Also: PFDavg, STR, STR blog article, vote to trip

Cited Source:

  • IEC 61508-2:2010, Clause 7.4.4
  • IEC 61511-1:2016, Clause 3.2.1