The SIL 2 Safety Instrumented Function
The company that contacted ABB Consulting owns and operates a number of petroleum storage
terminals; the terminal in question is classified as a top tier COMAH site. To comply with regulator
expectation and legislative requirements, the approach outlined in BS EN 61511 was used to
demonstrate that potential hazardous events had been identified, the risks from these hazards
quantified, and reduced to As Low As Reasonably Practicable. Layer of Protection Analysis (LOPA) was
the methodology used for quantifying the risks from the identified potential hazardous events, and
those studies identified the requirement for a SIL 2 overfill protection Safety Instrumented Function
(SIF) to protect against a possible overfill scenario leading to a Vapour Cloud Explosion (VCE) during
the tank filling operation from a ship.
The engineering contractor installed a single radar level transmitter as the sensor part of the SIF. The
device is marketed as a SIL 2 Certified device with Hardware Fault Tolerance (HFT) of 0; this implies
that a single sensor can be used for a SIL 2 SIF.
During a scheduled regulatory inspection, a small number of EC&I actions were raised by a Specialist
Inspector of Health & Safety (EC&I) regarding the safety instrumented systems. One of these actions
concerned the compliance demonstration of the SIL 2 overfill protection SIF. Additional information
in the form of SIL certificates and a supporting Failure Modes, Effects and Diagnostics Analysis
(FMEDA) and Proven-in-use Assessment report provided by the manufacturer and the certification
body were sent to the Specialist Inspector at the HSE.
After examining the evidence, the inspector stated that the information would not form the basis of
a suitable demonstration that Relevant Good Practice has been met and the company were advised
to consider alternate measures – in effect the HSE Inspector had said ‘No’ to the SIL 2 certificate.
Requirements for Hardware Fault Tolerance
The early safety lifecycle activities of hazard identification and SIL Determination determine whether
additional risk reduction is needed and the target Safety Integrity Level required.
It is the Control/ Instrument/ Electrical engineer's task to demonstrate that the proposed or installed
safety instrumented function meets the target SIL. To do this, three criteria must be met:
· Control of Random Hardware Failures – these are the PFDavg calculations
· Meet Architectural Constraints – Hardware Fault Tolerance
· Control of Systematic Faults
This paper is particularly interested in the Hardware Fault Tolerance (HFT) requirements.
There are several ways of demonstrating HFT:
§ BS EN 61511 Part 1¹ Tables 5 and 6
§ BS EN 61508-2² Route 1H - Type A/ Type B and Safe Failure Fractions
§ BS EN 61511 – Prior Use
§ BS EN 61508-2 Route 2H
¹ IEC 61511 Ed 1 2003
² IEC 61508 Ed 2 2010
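The following Python is an added worked example, not a calculation from the ABB paper or from any manufacturer's certificate. It puts the two numeric criteria above side by side for a single-channel (HFT 0) sensor: the Safe Failure Fraction and the Route 1H architectural constraint, and the simplified 1oo1 PFDavg. The SFF bands and the Type A/Type B maximum-SIL tables are those of IEC 61508-2 Ed 2 Tables 2 and 3 as recalled here; the failure rates, the device-type classification and the one-year proof-test interval are constructed assumptions and do not describe the transmitter in the case study.

```python
"""Route 1H architectural constraint and 1oo1 PFDavg, as a worked example.

Added illustration, not the paper's own calculation. Table values follow
IEC 61508-2 Ed 2 Tables 2 and 3 (Route 1H) as recalled here; the failure
rates used below are constructed and do not come from any real FMEDA.
"""

# Maximum SIL claimable for a subsystem under Route 1H, indexed as
# ROUTE_1H[device_type][sff_band][hft]; 0 means "not allowed".
# SFF bands: 0 = SFF < 60 %, 1 = 60 % <= SFF < 90 %,
#            2 = 90 % <= SFF < 99 %, 3 = SFF >= 99 %
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def sff(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """Safe Failure Fraction: safe failures plus dangerous-detected failures,
    as a fraction of all failures (rates in failures per hour)."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_sd + lambda_su + lambda_dd) / total


def sff_band(value):
    """Map an SFF (0..1) onto the four Route 1H bands."""
    if value < 0.60:
        return 0
    if value < 0.90:
        return 1
    if value < 0.99:
        return 2
    return 3


def max_sil_route_1h(device_type, sff_value, hft):
    """Highest SIL the architecture supports; 0 if the combination is not allowed."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return ROUTE_1H[device_type.upper()][sff_band(sff_value)][hft]


def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Simplified average PFD of a single channel: lambda_DU * T / 2.
    Ignores repair time and common-cause terms; valid while lambda_DU * T << 1."""
    return lambda_du * proof_test_interval_h / 2


def sil_band_from_pfd(pfd):
    """Low-demand SIL band from PFDavg: SIL n when 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 when the value lies outside the SIL 1 to SIL 4 bands."""
    for sil in (1, 2, 3, 4):
        if 10 ** -(sil + 1) <= pfd < 10 ** -sil:
            return sil
    return 0


def assess_single_channel_sif(device_type, rates, proof_test_interval_h):
    """Combine both numeric criteria for an HFT 0 sensor subsystem.

    rates is (lambda_SD, lambda_SU, lambda_DD, lambda_DU) in failures per hour.
    The achieved SIL is the lower of the architectural limit and the PFD band;
    systematic-fault control (the third criterion) is outside this calculation.
    """
    lambda_sd, lambda_su, lambda_dd, lambda_du = rates
    sff_value = sff(lambda_sd, lambda_su, lambda_dd, lambda_du)
    arch_sil = max_sil_route_1h(device_type, sff_value, hft=0)
    pfd = pfd_avg_1oo1(lambda_du, proof_test_interval_h)
    return {
        "sff": sff_value,
        "architectural_sil": arch_sil,
        "pfd_avg": pfd,
        "pfd_sil": sil_band_from_pfd(pfd),
        "achieved_sil": min(arch_sil, sil_band_from_pfd(pfd)),
    }


if __name__ == "__main__":
    FIT = 1e-9  # one failure in 10^9 hours
    # Constructed rates for illustration only: no safe-detected failures,
    # 200 FIT safe-undetected, 300 FIT dangerous-detected, 100 FIT dangerous-undetected.
    rates = (0 * FIT, 200 * FIT, 300 * FIT, 100 * FIT)
    for device_type in ("A", "B"):
        result = assess_single_channel_sif(device_type, rates, proof_test_interval_h=8760)
        print(f"Type {device_type}, HFT 0: SFF={result['sff']:.1%}, "
              f"architecture allows SIL {result['architectural_sil']}, "
              f"PFDavg={result['pfd_avg']:.2e} (SIL {result['pfd_sil']} band), "
              f"achieved SIL {result['achieved_sil']}")
```

With the constructed rates the SFF is 83.3 %, which falls in the 60 % to 90 % band; a Type A device at HFT 0 may then claim SIL 2, whereas a Type B device at HFT 0 is capped at SIL 1 even though its PFDavg of 4.38e-4 sits inside the SIL 3 band. That is the shape of the argument the HFT criterion adds on top of the PFDavg calculation: the architectural constraint, not the failure-rate arithmetic, is what decides whether a single sensor is enough.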