The SIL 2 Safety Instrumented Function

The company that contacted ABB Consulting owns and operates a number of petroleum storage terminals; the terminal in question is classified as a top tier COMAH site. To comply with regulator expectation and legislative requirements, the approach outlined in BS EN 61511 was used to demonstrate that potential hazardous events had been identified, the risks from these hazards quantified, and reduced to As Low As Reasonably Practicable. Layer of Protection Analysis (LOPA) was the methodology used for quantifying the risks from the identified potential hazardous events, and those studies identified the requirement for a SIL 2 overfill protection Safety Instrumented Function (SIF) to protect against a possible overfill scenario leading to a Vapour Cloud Explosion (VCE) during the tank filling operation from a ship.

The engineering contractor installed a single radar level transmitter as the sensor part of the SIF. The device is marketed as a SIL 2 Certified device with Hardware Fault Tolerance (HFT) of 0; this implies that a single sensor can be used for a SIL 2 SIF.

During a scheduled regulatory inspection, a small number of EC&I actions were raised by a Specialist Inspector of Health & Safety (EC&I) regarding the safety instrumented systems. One of these actions concerned the compliance demonstration of the SIL 2 overfill protection SIF. Additional information in the form of SIL certificates and a supporting Failure Modes, Effects and Diagnostics Analysis (FMEDA) and Proven-in-use Assessment report provided by the manufacturer and the certification body was sent to the Specialist Inspector at the HSE.

After examining the evidence, the inspector stated that the information would not form the basis of a suitable demonstration that Relevant Good Practice has been met and the company were advised to consider alternate measures – in effect the HSE Inspector had said ‘No’ to the SIL 2 certificate.

Requirements for Hardware Fault Tolerance

The early safety lifecycle activities of hazard identification and SIL Determination determine whether additional risk reduction is needed and the target Safety Integrity Level required.

It is the Control/ Instrument/ Electrical engineer's task to demonstrate that the proposed or installed safety instrumented function meets the target SIL. To do this, three criteria must be met:

· Control of Random Hardware Failures – these are the PFDavg calculations
· Meet Architectural Constraints – Hardware Fault Tolerance
· Control of Systematic Faults

This paper is particularly interested in the Hardware Fault Tolerance (HFT) requirements.

There are several ways of demonstrating HFT:

· BS EN 61511 Part 1¹, Tables 5 and 6
· BS EN 61508² Part 2, Route 1H – Type A/ Type B and Safe Failure Fractions
· BS EN 61511 – Prior Use
· BS EN 61508 Part 2, Route 2H

¹ IEC 61511 Ed 1 2003
² IEC 61508 Ed 2 2010
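As an added illustration (not from the paper or from ABB), the following script applies the first two of the three criteria listed above to a single-channel (1oo1, HFT 0) Type B sensor subsystem like the radar transmitter described, and to a 1oo2 (HFT 1) alternative: PFDavg from the simplified low-demand formulas of IEC 61508-6 Annex B, and the Route 1H architectural constraint from the SFF/HFT table of IEC 61508-2. All failure rates, beta factors and the proof-test interval are constructed sample values, not the transmitter's certified FMEDA data.

```python
# Added example, not from the paper. Sample failure rates below are constructed,
# not the radar transmitter's FMEDA data. Formulas: IEC 61508-6 Annex B (simplified,
# low-demand); architectural constraint table: IEC 61508-2 Route 1H.

# Route 1H: per device type, (upper SFF bound, max SIL at HFT 0/1/2); None = not allowed.
ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.0, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.0, (3, 4, 4))],
}

def safe_failure_fraction(l_sd, l_su, l_dd, l_du):
    """SFF = share of all failures that are safe or dangerous-detected."""
    return (l_sd + l_su + l_dd) / (l_sd + l_su + l_dd + l_du)

def route_1h_max_sil(dev_type, sff, hft):
    """Highest SIL the Route 1H architectural constraints allow for this SFF/HFT."""
    for upper, sils in ROUTE_1H[dev_type]:
        if sff < upper:
            return sils[min(hft, 2)]

def pfd_1oo1(l_dd, l_du, t1, mrt, mttr):
    """PFDavg of one channel (HFT 0); t1 = proof-test interval, all times in hours."""
    l_d = l_dd + l_du
    t_ce = l_du / l_d * (t1 / 2 + mrt) + l_dd / l_d * mttr  # channel equivalent downtime
    return l_d * t_ce

def pfd_1oo2(l_dd, l_du, t1, mrt, mttr, beta, beta_d):
    """PFDavg of two redundant channels (HFT 1), including common-cause (beta) terms."""
    l_d = l_dd + l_du
    t_ce = l_du / l_d * (t1 / 2 + mrt) + l_dd / l_d * mttr
    t_ge = l_du / l_d * (t1 / 3 + mrt) + l_dd / l_d * mttr  # group equivalent downtime
    independent = 2 * ((1 - beta_d) * l_dd + (1 - beta) * l_du) ** 2 * t_ce * t_ge
    return independent + beta_d * l_dd * mttr + beta * l_du * (t1 / 2 + mrt)

def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg value (0 = worse than SIL 1)."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    return 4

def achieved_sil(dev_type, hft, pfd, sff):
    """Claimable SIL: the lower of the PFDavg band and the Route 1H limit."""
    return min(sil_from_pfd(pfd), route_1h_max_sil(dev_type, sff, hft) or 0)

if __name__ == "__main__":
    # Constructed values for a Type B level transmitter: failures per hour, T1 = 1 year.
    L_SD, L_SU, L_DD, L_DU, T1, MRT, MTTR = 2e-8, 8e-8, 4e-7, 3e-8, 8760.0, 8.0, 8.0
    s = safe_failure_fraction(L_SD, L_SU, L_DD, L_DU)
    p1 = pfd_1oo1(L_DD, L_DU, T1, MRT, MTTR)
    p2 = pfd_1oo2(L_DD, L_DU, T1, MRT, MTTR, beta=0.10, beta_d=0.05)
    print(f"SFF={s:.3f}  1oo1: PFDavg={p1:.2e} -> SIL {achieved_sil('B', 0, p1, s)}")
    print(f"           1oo2: PFDavg={p2:.2e} -> SIL {achieved_sil('B', 1, p2, s)}")
```

With these sample numbers the single transmitter is held to SIL 2 by the HFT 0 architectural constraint even though its PFDavg alone would sit in the SIL 3 band, which is the distinction the inspector's challenge turns on; note that Route 1H is only one of the four routes listed above and says nothing about the 61511 Tables 5 and 6 or prior-use arguments.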