Page 3 of 10
Hardware Fault Tolerance Requirements BS EN 61511 Ed 1 – Tables 5 & 6
For many decades, risk was reduced by using multiple, redundant instrumented systems in voting configurations. An example is 1oo2, where two sensors are installed and only 1 out of the 2 sensors needs to detect the hazardous condition for the safety function to be initiated. This implies that the 1oo2 configuration can tolerate a single sensor failing and still detect the hazardous condition: it has a Hardware Fault Tolerance of 1.
This principle is implemented in BS EN 61511 Ed 1. For non-programmable instrumentation that makes up the safety instrumented function (sensors, non-programmable logic solvers and final elements), the requirements for hardware fault tolerance are given in Table 6, reproduced below:
SIL | Minimum hardware fault tolerance for sensors, non-programmable logic solvers and final elements
1   | 0
2   | 1
3   | 2
4   | Special requirements apply (see BS EN 61508)
Figure 1 – BS EN 61511 Ed 1 Table 6
This table shows that for target SIL 2, a hardware fault tolerance of 1 is indicated – this means that
two sensors are required for the safety instrumented function.
However, instrument technology has moved forward and in more recent times, manufacturers have
utilised advances in technology by embedding intelligence and diagnostics within the equipment
enabling potentially dangerous failures to be detected.
The measure of how effective diagnostics are is called the Safe Failure Fraction (SFF) which is derived
from four failure modes.
Figure 2 – Failure modes when diagnostics are used
The Safe Failure Fraction (SFF) is calculated as:

$$\mathrm{SFF} = \frac{\lambda_{SU} + \lambda_{SD} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$$
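The following Python is an added example, not part of the original document or of BS EN 61511 itself. It implements the SFF formula above from the four failure-mode rates and checks an MooN voting arrangement against the Table 6 minimum hardware fault tolerance reproduced earlier on this page. The failure rates used at the bottom are constructed sample values, and the function and variable names are the example's own.

```python
"""Added example: Safe Failure Fraction and Table 6 hardware fault
tolerance check. Not the standard's own text or code; failure rates
below are constructed sample values in failures per hour."""
from dataclasses import dataclass

# Minimum HFT for sensors, non-programmable logic solvers and final
# elements, transcribed from BS EN 61511 Ed 1 Table 6 as shown on this
# page. SIL 4 is deliberately absent: Table 6 refers it to BS EN 61508.
TABLE_6_MIN_HFT = {1: 0, 2: 1, 3: 2}


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) split into the four modes SFF is built from."""
    safe_undetected: float       # lambda_SU
    safe_detected: float         # lambda_SD
    dangerous_detected: float    # lambda_DD
    dangerous_undetected: float  # lambda_DU


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lSU + lSD + lDD) / (lSD + lSU + lDD + lDU)."""
    total = (r.safe_undetected + r.safe_detected
             + r.dangerous_detected + r.dangerous_undetected)
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.safe_undetected + r.safe_detected + r.dangerous_detected) / total


def hardware_fault_tolerance(m: int, n: int) -> int:
    """HFT of an MooN voting group: up to N - M channels may fail and the
    function is still performed. 1oo2 -> 1, 2oo3 -> 1, 1oo1 -> 0,
    2oo2 -> 0 (both channels must act, so one failed channel defeats it)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


def meets_table_6(sil: int, m: int, n: int) -> bool:
    """True when an MooN arrangement provides at least the Table 6 minimum
    HFT for the target SIL. SIL 4 raises rather than guessing a value."""
    if sil not in TABLE_6_MIN_HFT:
        raise ValueError(f"SIL {sil}: no Table 6 entry, see BS EN 61508")
    return hardware_fault_tolerance(m, n) >= TABLE_6_MIN_HFT[sil]


if __name__ == "__main__":
    # Constructed sample data for one transmitter (per hour).
    tx = FailureRates(safe_undetected=2.0e-7, safe_detected=1.0e-7,
                      dangerous_detected=6.0e-7, dangerous_undetected=1.0e-7)
    print(f"SFF = {safe_failure_fraction(tx):.0%}")
    for m, n in [(1, 1), (1, 2), (2, 3)]:
        print(f"{m}oo{n}: HFT={hardware_fault_tolerance(m, n)}, "
              f"meets SIL 2 Table 6: {meets_table_6(2, m, n)}")
```

With the sample rates the transmitter's SFF is 90%, and the Table 6 check shows why the text says two sensors are needed for SIL 2: a single 1oo1 sensor has HFT 0, whereas 1oo2 (or 2oo3) has HFT 1. The check covers only the Table 6 HFT requirement; it does not model how SFF affects the architectural constraints, which this page does not yet discuss.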