
Safety by Certificate – What happens when the Regulator says ‘No’ to your SIL 2 certificate?

Paul Lucas, Principal Consultant, ABB Consulting, Belasis Hall Technology Park, Billingham TS23 4EB

Abstract:

In the process sector, hazards that have the potential to pose a high level of risk are commonly protected by safety instrumented systems. For many years redundant systems have been used to protect against the highest risks. This concept is embraced in the Functional Safety Standards as the Hardware Fault Tolerance (HFT) requirement.

In recent times, manufacturers have utilised advances in technology by embedding intelligence within the equipment, enabling self-checking to be performed. The extent of this self-checking influences what is called the Safe Failure Fraction (SFF). The advantage of this approach is that high risks can be protected by single instruments; for example, a SIL 2 function can be implemented with a single device if the SFF > 90%. Information on the SFF is detailed on the manufacturer’s SIL Certificate.

ABB has been working with an end-user who assessed the risks for their storage tank and concluded that SIL 2 overfill protection was required. The engineering contractor purchased a single SIL 2 Certified Radar level gauge as the sensing element. Following a routine inspection by the regulator, the end-user was asked to provide information to justify the performance of their overfill protection. This information, including the SIL 2 certificate, was provided but rejected by the regulator as not showing sufficient HFT.

On closer inspection, the device had an SFF below the threshold for SIL 2, and compliance was claimed by ‘prior use’. The regulator requested details to support the prior use claim and again rejected them, stating that the data was 10 years old and did not differentiate between model variants and software revisions.

The engineering contractor and end-user thought they had bought a SIL 2 solution because the equipment had a SIL 2 certificate.

This paper will use this example to revisit the requirements for SIL 2 compliance, to try to understand the regulator’s decision, its implications for end users, and whether the proposed changes in BS EN 61511 Ed 2 would affect this decision.
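As an added worked example, not part of the paper, the arithmetic behind the abstract’s statement that a single device can serve a SIL 2 function only if its SFF is high enough: the SFF is computed from the failure-rate breakdown a SIL certificate lists, and the SIL achievable at each hardware fault tolerance is taken from the IEC 61508-2 Route 1H tables for type A and type B subsystems. The failure-rate figures for the gauge are constructed, not the real device’s certificate values.

```python
from dataclasses import dataclass
from typing import Optional

# IEC 61508-2 Route 1H: maximum SIL claimable for a subsystem, by SFF band and HFT (0, 1, 2).
# Bands: <60%, 60-<90%, 90-<99%, >=99%. None means the HFT is not permitted at all in that band.
_TYPE_A = [(0.60, [1, 2, 3]), (0.90, [2, 3, 4]), (0.99, [3, 4, 4]), (1.01, [3, 4, 4])]
_TYPE_B = [(0.60, [None, 1, 2]), (0.90, [1, 2, 3]), (0.99, [2, 3, 4]), (1.01, [3, 4, 4])]


@dataclass
class FailureRates:
    """Failure rates in FIT (failures per 1e9 h), as broken down on a SIL certificate."""
    lambda_sd: float  # safe, detected
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by the device's own diagnostics
    lambda_du: float  # dangerous, undetected: the only failures that count against the SFF

    def sff(self) -> float:
        """Safe Failure Fraction: the share of all failures that are either safe or detected."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return 1.0 - self.lambda_du / total


def max_sil(sff: float, hft: int, type_b: bool = True) -> Optional[int]:
    """Highest SIL the subsystem may claim for its SFF at the given HFT (Route 1H)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for band_upper, sils in (_TYPE_B if type_b else _TYPE_A):
        if sff < band_upper:
            return sils[hft]
    raise ValueError("SFF must lie between 0 and 1")


def hft_needed(rates: FailureRates, target_sil: int, type_b: bool = True) -> Optional[int]:
    """Smallest HFT at which the device's SFF supports target_sil, or None if HFT 0..2 cannot."""
    sff = rates.sff()
    for hft in range(3):
        sil = max_sil(sff, hft, type_b)
        if sil is not None and sil >= target_sil:
            return hft
    return None


# Constructed figures for a type B (software-based) radar gauge whose diagnostics catch most,
# but not enough, dangerous failures: SFF = 1 - 150/1200 = 87.5%, just under the 90% band.
GAUGE = FailureRates(lambda_sd=400, lambda_su=250, lambda_dd=400, lambda_du=150)

if __name__ == "__main__":
    print(f"SFF = {GAUGE.sff():.1%}")
    print("max SIL as a single device (HFT 0):", max_sil(GAUGE.sff(), 0))
    print("HFT needed for SIL 2:", hft_needed(GAUGE, 2))
```

With these constructed rates the single gauge only supports SIL 1; a second, redundant gauge (HFT 1) is needed before SIL 2 can be claimed on hardware grounds.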

Introduction

In the UK, owners and operators of high hazard process plants are regulated by the Control of Major Accident Hazards Regulations (COMAH, 2015). A key feature of the COMAH regulations is that every operator shall take all necessary measures to prevent major accidents and limit their consequences to people and the environment, and reduce the risk of these accidents to ‘As Low as Reasonably Practicable’ (ALARP).

In practice this means that the owner or operator:

· Must identify the potential hazards
· Must quantify the risk posed by the hazards
· Must demonstrate that the risk has been reduced As Low As Reasonably Practicable

Where the risk of the potential hazardous event is too high, additional risk reduction measures are required. These measures may take many forms, for example reducing inventory, removing sources of ignition, using less hazardous materials and installing instrumented systems.

Where instrumented systems are used for risk reduction, the current best practice in the process sector is IEC 61511 (IEC, 2003); in the UK this is BS EN 61511 (BSI, 2004). The use of instrumented systems to provide safety is termed ‘Functional Safety’, and BS EN 61511 is one of a number of sector specific interpretations of the ‘parent’ functional safety standard, BS EN 61508 (IEC, 2010).