Conclusions
By examination of the relevant clauses of BS EN 61511 Ed 1, it can be shown that the Specialist
Inspector was correct in not accepting the manufacturer’s certificate and supporting report as
evidence of HFT compliance for the SIL 2 SIF. There will be many other installations of this radar level
sensor that are claiming SIL 2 compliance on the basis of the manufacturer's documentation that
have not been subject to the increased level of examination that took place by this Specialist
Inspector.
BS EN 61511 is a process sector functional safety standard for end users. The difficulty for
manufacturers claiming compliance with this standard is how they can take into account the
important site or operating environment specific effects upon failure. For complex sensors, such as
this radar level transmitter, the importance of tracking the operating hours against each revision of
the product and making this information available is also a challenge.
It is disappointing that certification bodies issue such certificates; the average system integrator or
end user will purchase the equipment believing that they have bought a SIL 2 solution.
The new version of IEC 61511 at first inspection makes HFT easier, but taken into consideration with
other clauses, the outcome is no different from BS EN 61511 Ed 1. It has also been pointed out by
some experts in functional safety that if failure rates based upon operating conditions are used, then
it will be very difficult to achieve the PFDavg for SIL 2 with reasonable test intervals without
redundant equipment (Gruhn, 2015).
Many end users are unsure how to collect the data to enable compliance with IEC 61511 Ed 2. This
seems to be acknowledged and increased requirements have been provided within the new version
of IEC 61511 Ed 2 to enable the end user to monitor, analyse and benefit from the later safety
lifecycle activities. The standard introduces additional requirements such as collecting data relating
to demand rate and SIS reliability (clause 16.2.2), reliability data used for quantifying the effects of
random failures based upon field feedback in similar operating environments (clause 11.9.3), better
management during the bypass of a SIF (clause 16.2.3), analysis of discrepancies between expected
behaviour and actual behaviour by monitoring demand rates and the failure of equipment forming
part of compensating measures (clause 16.2.9) and a mandatory requirement for periodically
carrying out a Functional Safety Assessment (FSA) during the operations and maintenance phase
(clause 5.2.6.1.10).
This theme is supported by the UK Regulators. At a recent Humber Major Hazards Group Annual
Conference, a HSE Principal Specialist Inspector for Safety Instrumented Systems stated that
guidance on the management of safety instrumented systems will be produced in 2017 and this will
be based on IEC 61511 Ed 2.
Claiming compliance based upon plant and operational based data will always be problematical for
manufacturers and certification bodies. However, IEC 61511 Ed 2 and upcoming guidance may steer
end users to collect and analyse data to enable them to make compliant demonstrations against
IEC 61511 Ed 2.