Page

9

of

10

Conclusions

By examination of the relevant clauses of BS EN 61511 Ed 1, it can be shown that the Specialist

Inspector was correct in not accepting the manufacturer’s certificate and supporting report as

evidence of HFT compliance for the SIL 2 SIF. There will be many other installations of this radar level

sensor that are claiming SIL 2 compliance on the basis of the manufacturers documentation that

have not been subject to the increased level of examination that took place by this Specialist

Inspector.

BS EN 61511 is a process sector functional safety standard for end users. The difficulty for

manufacturers claiming compliance with this standard is how they can take into account the

important site or operating environment specific affects upon failure. For complex sensors, such as

this radar level transmitter, the importance of tracking the operating hours against each revision of

the product and making this information available is also a challenge.

It is disappointing that certification bodies issue such certificates, the average system integrator or

end user will purchase the equipment believing that they have bought a SIL 2 solution.

The new version of IEC 61511 at first inspection makes HFT easier, but taken into consideration with

other clauses, the outcome is no different from BS EN 61511 Ed 1. It has also been pointed out by

some experts in functional safety that if failure rates based upon operating conditions are used, then

it will be very difficult to achieve the PFDavg for SIL 2 with reasonable test intervals without

redundant equipment (Gruhn, 2015).

Many end users are unsure how to collect the data to enable compliance with IEC 61511 Ed 2. This

seems to be acknowledged and increased requirements have been provided within the new version

of IEC 61511 Ed 2 to enable the end user to monitor, analyse and benefit from the later safety

lifecycle activities. The standard introduces additional requirements such as collecting data relating

to demand rate and SIS reliability (clause 16.2.2), reliability data used for quantifying the effects of

random failures based upon field feedback in similar operating environments (clause 11.9.3) , better

management during the bypass of a SIF (clause 16.2.3), analysis of discrepancies between expected

behaviour and actual behaviour by monitoring demand rates and the failure of equipment forming

part of compensating measures (clause 16.2.9) and a mandatory requirement for periodically

carrying out a Functional Safety Assessment (FSA ) during the operations and maintenance phase

(clause 5.2.6.1.10)

This theme is be supported by the UK Regulators. In a recent Humber Major Hazards Group Annual

Conference, a HSE Principal Specialist Inspector for Safety Instrumented Systems stated that

guidance on the management of safety instrumented systems will be produced in 2017 and this will

be based on IEC 61511 Ed 2.

Claiming compliance based upon plant and operational based data will always be problematical for

manufacturers and certification bodies. However, IEC 61511 Ed 2 and upcoming guidance may steer

end users to collect and analyse data to enable them to make compliant demonstrations against

IEC61511 Ed 2.