Running to Destruction

Was not the response I was expecting to hear from an audience member during my presentation on new SIS (safety instrumented system) hardware development at this week's ISA Expo. He was obviously concerned over my suggestion that with new SIS technology there's no degradation of safety when you have a partial shutdown and, in his words, "run to destruction". I wasn't sure how to respond, as my objective during this 30-minute talk was to address how some new SIS technologies are available that actually increase safety. As with any new concept, there are bound to be objections, but this particular phrase just caught me off guard... hmm... so let me try to explain.

In the past, redundant systems were necessary to achieve both safety and availability. Marketing hype took over and confused the industry about just how much redundancy (dual, triple, or even quadruple) was really necessary, and what the actual benefits were.

Understanding the history, I wanted to tell a story. So I started by going back to the 1980s, where TMR (Triple Modular Redundancy) was born; then in the 1990s, with advances in the microprocessor, it became possible to get diagnostics allowing you to (arguably) get the same level of safety and availability with less redundancy, while saving money.

Regardless of what level of redundancy you bought into, the fact still remained: if your system degraded from triple to dual (or from dual to single), your level of safety would be negatively impacted. While that might be well known, there was concern that this degraded mode of operation was often overlooked and needed to be addressed within a reasonable amount of time.

Today there are a couple of new SISs touting that they offer the highest level of safety (SIL 3) without the need for redundancy. To avoid a nuisance trip, redundancy could be added to make the system fault tolerant. So what happens if your system experiences a component failure? You would hope that it would maintain its safety rating, and expect that somehow, something "else" is degraded, right?

While I was not suggesting anyone "run to destruction", I was suggesting that it might be a better scenario to maintain safety at the expense of availability, particularly during those short stints when you are running degraded.
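The trade-off described above can be made concrete with a small voting-logic model. This is an added illustration, not code from the original post or from any SIS vendor, and it rests on assumptions the post does not state: each logic channel fails independently, a dangerous failure (fails to act on demand) has probability `p_dangerous` and a safe failure (votes to trip with no demand) has probability `p_safe`, and diagnostics are assumed to detect a failed channel and take it out of the vote. The per-channel figures used in `main` are constructed for the demonstration. The model generalises beyond the triple-to-dual case in the text to any k-out-of-n voter, and it shows why the degraded 2oo3 system has two very different fallbacks: 1oo2 keeps (and in this model even improves) the probability of failure on demand at the cost of more spurious trips, while 2oo2 keeps spurious trips rare at the cost of a much higher probability of failure on demand.

```python
"""Voting-logic model of a degraded SIS (added illustration, not vendor code).

Assumptions (not stated in the original post):
  - every logic channel fails independently;
  - a dangerous failure (channel cannot act on a demand) has probability
    p_dangerous, a safe failure (channel votes to trip with no demand) has
    probability p_safe;
  - diagnostics detect a failed channel and remove it from the vote.
"""
from math import comb


def pfd(k, n, p_dangerous):
    """Probability of failure on demand for a k-out-of-n voter.

    The voter acts only when at least k channels vote to act, so it fails on
    demand when more than n - k channels have failed dangerously.
    """
    return sum(comb(n, i) * p_dangerous**i * (1 - p_dangerous) ** (n - i)
               for i in range(n - k + 1, n + 1))


def spurious_trip(k, n, p_safe):
    """Probability of a spurious (nuisance) trip for a k-out-of-n voter.

    At least k channels failing safe is enough to carry the vote and trip the
    process when nothing is wrong.
    """
    return sum(comb(n, i) * p_safe**i * (1 - p_safe) ** (n - i)
               for i in range(k, n + 1))


def degradation_choices(k, n, p_dangerous, p_safe):
    """One channel of a k-out-of-n voter has been taken out of service.

    The remaining n - 1 channels can be voted two ways:
      - safety_first: lower the vote threshold (2oo3 -> 1oo2), keeping the
        PFD low at the cost of more spurious trips;
      - availability_first: keep the threshold (2oo3 -> 2oo2), keeping
        spurious trips rare at the cost of a much higher PFD.
    Returns a dict with the voting scheme and both figures for each fallback.
    """
    if n < 2:
        raise ValueError("a single-channel system has nothing left to vote with")
    m = n - 1
    fallbacks = {
        "safety_first": (max(k - 1, 1), m),
        "availability_first": (min(k, m), m),
    }
    return {
        label: {"voting": f"{kk}oo{nn}",
                "pfd": pfd(kk, nn, p_dangerous),
                "spurious_trip": spurious_trip(kk, nn, p_safe)}
        for label, (kk, nn) in fallbacks.items()
    }


if __name__ == "__main__":
    # Constructed per-channel figures for the demonstration; not from any
    # real hardware.
    P_DANGEROUS, P_SAFE = 0.01, 0.02
    print("healthy 2oo3: PFD=%.2e spurious=%.2e"
          % (pfd(2, 3, P_DANGEROUS), spurious_trip(2, 3, P_SAFE)))
    for label, fig in degradation_choices(2, 3, P_DANGEROUS, P_SAFE).items():
        print("%-18s %s: PFD=%.2e spurious=%.2e"
              % (label, fig["voting"], fig["pfd"], fig["spurious_trip"]))
```

Run as a script, it prints the healthy 2oo3 figures followed by both fallbacks. With the constructed inputs the 1oo2 fallback has a lower PFD than the healthy 2oo3 system but roughly thirty times its spurious-trip probability, whereas the 2oo2 fallback roughly halves the spurious-trip probability but raises the PFD by almost two orders of magnitude. That is the "maintain safety at the expense of availability" choice in numbers; the figures are only meaningful relative to one another, since the inputs are made up.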
