A low demand SIF, where the demand rate on the SIF is no greater than one per year, is the most common type of SIF in the process industries. The SIL 2 SIF being discussed in this paper would be classified as low demand.
At first sight the new version of IEC 61511 appears to solve the problem for the device; however, this view is incorrect because it does not take into account other clauses within the standard.
IEC 61511-1 Ed 2 clause 11.4 defines the requirement for Hardware Fault Tolerance. It gives you three choices for compliance:
· Follow the five sub-clauses in 11.4 of IEC 61511-1 Ed 2
· BS EN 61508-2 Route 1H - Type A/Type B and Safe Failure Fractions
· BS EN 61508-2 Route 2H
The five sub-clauses in 11.4 of IEC 61511-1 Ed 2 are derived from BS EN 61508-2 Route 2H. There is no mention of ‘Prior Use’ in clause 11.4 on Hardware Fault Tolerance.
However, as stated earlier, to demonstrate that the proposed or installed safety instrumented function meets the target SIL, three criteria must be met:
· Control of Random Hardware Failures – these are the PFDavg calculations
· Meet Architectural Constraints – Hardware Fault Tolerance
· Control of Systematic Faults
If you are claiming compliance using IEC 61511 Ed 2, then clause 11.9, Quantification of random failure (the PFDavg calculations), requires the reliability data to be ‘credible, traceable, documented, justified and shall be based on field feedback from similar devices in similar operating environment’. Also, clause 11.5, Requirements for selection of devices, uses ‘Prior Use’, but in relation to control of systematic failures, again requiring demonstration of the performance of the device in similar operating environments and the volume of operating experience.
The limitations of the manufacturer's claim highlighted by the Specialist Inspector would seem to still apply when considered against IEC 61511 Ed 2. The issues of the age of the report, the out-of-date data against the installed version of the equipment, and the data not being site or operating environment specific will still apply against clauses 11.5 and 11.9 – it is likely that the SIL 2 certificate would still be rejected.
How the situation was resolved
ABB Consulting assisted the end user in demonstrating compliance by going back to the manufacturer's report and understanding which dangerous failures were not detected by the diagnostics. By considering other checks and measurements that are routinely undertaken at the terminal, an additional proportion of the dangerous failures were identified that those checks could diagnose, thereby reducing λDU and increasing λDD so that the SFF was raised above the 90% threshold required for SIL 2 and HFT 0. For example, some dangerous undetected failures relate to the device being out of calibration and not providing a correct level reading. Performing a calibration check is time consuming, as a known volume of product has to be batched into the tank and compared against the increase in level. However, the terminal handles petroleum products from a number of suppliers and requires accurate figures for the amount of product offloaded from each ship. This is achieved using calibrated flowmeters. Twice a month, a calculation of the expected tank level based upon measured flow is compared to the radar level gauge reading. Although this is not a full calibration test, it will reveal a proportion of the dangerous failures and contribute to the increase in the SFF.
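The reclassification described above, as an added worked example that is not from the paper or from ABB Consulting's analysis. It applies the IEC 61508-2 definition of Safe Failure Fraction, SFF = (ΣλS + λDD) / (ΣλS + λDD + λDU), to a constructed set of failure rates in FIT; the 90% threshold is the figure quoted above, while the function names, the rates and the 50% credit for the flowmeter comparison are assumptions chosen for illustration. It also computes the smallest share of λDU that the additional site checks would have to diagnose for the device to clear the threshold.

```python
"""Worked SFF example: crediting routine site checks against dangerous undetected failures.

Added illustration, not the paper's own figures. SFF is taken from IEC 61508-2:
    SFF = (lambda_SD + lambda_SU + lambda_DD) / (lambda_SD + lambda_SU + lambda_DD + lambda_DU)
"""
from dataclasses import dataclass, replace

# Threshold quoted in the paper for this device at SIL 2 with HFT 0.
SIL2_HFT0_SFF_THRESHOLD = 0.90


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT (failures per 1e9 hours), split as in IEC 61508."""
    lam_sd: float  # safe, detected
    lam_su: float  # safe, undetected
    lam_dd: float  # dangerous, detected by diagnostics (or credited checks)
    lam_du: float  # dangerous, undetected

    @property
    def total(self) -> float:
        return self.lam_sd + self.lam_su + self.lam_dd + self.lam_du


def sff(r: FailureRates) -> float:
    """Safe failure fraction: all failures except dangerous undetected, over the total."""
    if r.total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.lam_sd + r.lam_su + r.lam_dd) / r.total


def credit_additional_checks(r: FailureRates, fraction: float) -> FailureRates:
    """Move the share of lambda_DU that routine site checks can reveal into lambda_DD.

    `fraction` is the proportion of dangerous undetected failures the extra checks
    (e.g. the twice-monthly flowmeter-versus-level comparison) are judged to
    diagnose. The total failure rate is unchanged; only the split moves.
    """
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be between 0 and 1")
    moved = r.lam_du * fraction
    return replace(r, lam_dd=r.lam_dd + moved, lam_du=r.lam_du - moved)


def required_detection_fraction(r: FailureRates,
                                threshold: float = SIL2_HFT0_SFF_THRESHOLD) -> float:
    """Smallest share of lambda_DU that must become detected to reach `threshold`.

    Returns 0.0 when the device already complies. A result above 1.0 means the
    threshold cannot be reached by reclassification alone.
    """
    if r.lam_du == 0:
        return 0.0
    needed = threshold * r.total - (r.lam_sd + r.lam_su + r.lam_dd)
    return max(0.0, needed / r.lam_du)


def meets_sil2_hft0(r: FailureRates,
                    threshold: float = SIL2_HFT0_SFF_THRESHOLD) -> bool:
    """Architectural-constraint check for SIL 2 at HFT 0 on the SFF criterion alone."""
    return sff(r) >= threshold


# Constructed example rates in FIT; these are NOT the manufacturer's figures.
GAUGE = FailureRates(lam_sd=200, lam_su=100, lam_dd=500, lam_du=150)

if __name__ == "__main__":
    before = sff(GAUGE)
    f_min = required_detection_fraction(GAUGE)
    credited = credit_additional_checks(GAUGE, 0.5)  # assumed 50% credit for the site checks
    after = sff(credited)
    print(f"SFF before crediting site checks: {before:.3f} "
          f"(SIL 2 at HFT 0: {meets_sil2_hft0(GAUGE)})")
    print(f"Minimum share of lambda_DU the checks must diagnose: {f_min:.3f}")
    print(f"SFF after crediting 50% of lambda_DU as detected: {after:.3f} "
          f"(SIL 2 at HFT 0: {meets_sil2_hft0(credited)})")
```

With the constructed rates the gauge starts at an SFF of about 84% and fails the 90% threshold; the additional checks need to account for roughly 37% of λDU to reach it, and a 50% credit lifts the SFF to about 92%. The credit fraction is the number that has to be justified from the manufacturer's failure mode breakdown and the coverage of the site checks, which is the analysis the paper describes.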