A low demand SIF, where the demand on the SIF is no greater than one per year, is the most common type of SIF in the process industries. The SIL 2 SIF being discussed in this paper would be classified as low demand.

Initially, it would seem that the new version of IEC 61511 solves the problem for the device; however, this would be incorrect, as it does not take into account other clauses within the standard.

IEC 61511-1 Ed 2 clause 11.4 defines the requirement for Hardware Fault Tolerance. It gives you three choices for compliance:

· Follow the five sub-clauses in 11.4 of IEC 61511-1 Ed 2

· BS EN 61508-2 Route 1H - Type A/Type B and Safe Failure Fractions

· BS EN 61508-2 Route 2H

The five sub-clauses in 11.4 of IEC 61511-1 Ed 2 are derived from BS EN 61508-2 Route 2H. There is no mention of ‘Prior Use’ in clause 11.4 on Hardware Fault Tolerance.

However, as stated earlier, to demonstrate that the proposed or installed safety instrumented function meets the target SIL, three criteria must be met:

· Control of Random Hardware Failures – these are the PFDavg calculations

· Meet Architectural Constraints – Hardware Fault Tolerance

· Control of Systematic Faults

If you are claiming compliance using IEC 61511 Ed 2, then clause 11.9, Quantification of random failure (the PFDavg calculations), requires the reliability data to be ‘credible, traceable, documented, justified and shall be based on field feedback from similar devices in similar operating environment’. Also, clause 11.5, Requirements for selection of devices, uses ‘Prior Use’, but in relation to control of systematic failures, again demonstrating the performance of the device in similar operating environments and the volume of operating experience.

The limitations of the manufacturer's claim highlighted by the Specialist Inspector would seem to still apply when considered against IEC 61511 Ed 2. The issues of the age of the report, the out-of-date data against the installed version of equipment, and the data not being site or operating environment specific will still apply against clauses 11.5 and 11.9. It is likely that the SIL 2 certificate would still be rejected.

How the situation was resolved

ABB Consulting assisted the end user in demonstrating compliance by going back to the manufacturer's report and understanding which dangerous failures were not detected by the diagnostics. By considering other checks and measurements that are routinely undertaken at the terminal, an additional proportion of the dangerous failures were identified that those checks could diagnose, thereby reducing λDU and increasing λDD so that the SFF was raised above the 90% threshold required for SIL 2 and HFT 0. For example, some dangerous undetected failures relate to the device being out of calibration and not providing a correct level reading. Performing a calibration check is time consuming, as a known volume of product has to be batched into the tank and compared against the increase in level. However, the terminal handles petroleum products from a number of suppliers and requires accurate figures for the amount of product offloaded from each ship. This is achieved by using calibrated flowmeters. Twice a month, a calculation of the expected tank level based upon measured flow is compared to the radar level gauge reading. Although this is not a full calibration test, it will reveal a proportion of the dangerous failures and contribute to the increase in the SFF.
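
The reclassification described above can be worked through numerically. The following is an added example, not taken from the paper or the manufacturer's report: the failure rates (in FIT) and the 50% coverage of the flow-versus-level comparison are constructed, and the device is assumed to be Type B under BS EN 61508-2 Route 1H, which is the case where 90% SFF is the SIL 2 threshold at HFT 0.

```python
"""Added illustration: SFF and the Route 1H limit before/after crediting a check."""
from bisect import bisect_right

# BS EN 61508-2 Route 1H: maximum SIL by SFF band (<60%, 60-<90%, 90-<99%, >=99%)
# and HFT (0, 1, 2). 0 means the architecture is not allowed.
ROUTE_1H = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}
SFF_BANDS = (0.60, 0.90, 0.99)

def sff(lam_s, lam_dd, lam_du):
    """Safe failure fraction: (safe + dangerous detected) / all failures."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)

def max_sil(sff_value, device_type, hft):
    """Highest SIL the architectural constraints allow for this SFF and HFT."""
    band = bisect_right(SFF_BANDS, sff_value)  # SFF == 0.90 falls in the 90-<99% band
    return ROUTE_1H[device_type][band][hft]

def credit_check(lam_dd, lam_du, coverage):
    """Move the fraction of dangerous undetected failures a check reveals into DD."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    revealed = lam_du * coverage
    return lam_dd + revealed, lam_du - revealed

def coverage_needed(lam_s, lam_dd, lam_du, target_sff):
    """Smallest fraction of DU failures a check must reveal to reach target_sff."""
    total = lam_s + lam_dd + lam_du
    allowed_du = (1 - target_sff) * total
    return 0.0 if lam_du <= allowed_du else 1 - allowed_du / lam_du

if __name__ == "__main__":
    # Constructed failure rates in FIT (failures per 1e9 hours), not from the report.
    lam_s, lam_dd, lam_du = 300.0, 450.0, 150.0
    before = sff(lam_s, lam_dd, lam_du)
    print(f"before: SFF={before:.1%}, max SIL (Type B, HFT 0)={max_sil(before, 'B', 0)}")
    need = coverage_needed(lam_s, lam_dd, lam_du, 0.90)
    print(f"coverage of DU failures needed for 90% SFF: {need:.0%}")
    # Assumed: the twice-monthly flow/level comparison reveals 50% of DU failures.
    dd2, du2 = credit_check(lam_dd, lam_du, 0.50)
    after = sff(lam_s, dd2, du2)
    print(f"after:  SFF={after:.1%}, max SIL (Type B, HFT 0)={max_sil(after, 'B', 0)}")
```

The credited coverage is the figure an assessor will challenge, so it needs the same justification and traceability as the rest of the reliability data.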