CDOIF
Chemical and Downstream Oil
Industries Forum
CDOIF is a collaborative venture formed to agree strategic areas for
joint industry / trade union / regulator action aimed at delivering
health, safety and environmental improvements with cross-sector
benefits.
Guideline – Demonstrating Prior Use v4
Page 6 of 30
tolerance requirements for SIL 4 are beyond the scope of BS EN 61511 and the reader
of BS EN 61511 is referred to BS EN 61508. This guidance document on prior use will
likewise focus only on SIL 1, SIL 2 and SIL 3.
2.2 Hardware Fault Tolerance
Hardware fault tolerance describes the ability of a subsystem or element to continue
working successfully in the presence of dangerous faults. Consider a safety
instrumented function (SIF) with two sensors configured such that only one of the
sensors detecting the hazardous condition is needed to trigger the safety function. The
occurrence of a dangerous fault in one sensor does not prevent the safety function from
operating successfully. The sensor subsystem can therefore be described as having a
hardware fault tolerance of 1. Were the sensor subsystem to have only one sensor, it
would have a hardware fault tolerance of zero. A dangerous fault in the single sensor
would prevent the safety instrumented function from operating.
For safety instrumented functions, BS EN 61511 sets out the minimum hardware fault
tolerance requirements for sensors, logic solvers and final elements [2]. Table 1 below
shows minimum hardware fault tolerance requirements set out in BS EN 61511-1 for
Sensors and Final Elements and non-Programmable Electronic Logic Solvers:
SIL   Minimum Hardware Fault Tolerance
1     0
2     1
3     2
4     Special requirements apply (refer to BS EN 61508)

Table 1 Minimum hardware fault tolerance of sensors and final elements and
non-PE logic solvers
The values in Table 1 apply provided that the dominant failure mode is to the safe state
or dangerous failures are detected, otherwise the fault tolerance shall be increased by
one. However, the standard also indicates that the values in Table 1 may be reduced by
one if the devices used comply with all of the following:
• the hardware of the device is selected on the basis of prior use;
• the device allows adjustment of process-related parameters only, for example,
measuring range, upscale or downscale failure direction;
• the adjustment of the process-related parameters of the device is protected, for
example, jumper (an electrical connector on a circuit board), password;
• the function has an SIL requirement of less than 4.
[2] BS EN 61511-1 Clause 11.4
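The Table 1 values and the two adjustments described above (increase by one unless the dominant failure mode is safe or dangerous failures are detected; reduce by one when all prior-use conditions hold), applied to a subsystem's voting architecture, as an added worked example that is not part of the CDOIF guideline. The names `PriorUseClaim`, `required_hft`, `achieved_hft` and `check_subsystem` are this example's own; it assumes the HFT of an MooN voted group is N - M and that a reduced value is clamped at zero.

```python
from dataclasses import dataclass
from typing import Optional

# Table 1 (BS EN 61511-1): minimum hardware fault tolerance (HFT) for sensors,
# final elements and non-PE logic solvers. SIL 4 is outside the guideline's scope.
TABLE_1_MIN_HFT = {1: 0, 2: 1, 3: 2}

@dataclass
class PriorUseClaim:
    """Device conditions for reducing Table 1 by one (SIL < 4 is implied by the table)."""
    selected_on_prior_use: bool
    process_parameters_only: bool  # e.g. range, upscale/downscale failure direction
    adjustment_protected: bool     # e.g. jumper or password

    def all_met(self) -> bool:
        return (self.selected_on_prior_use and self.process_parameters_only
                and self.adjustment_protected)

def required_hft(sil: int, safe_or_detected: bool,
                 prior_use: Optional[PriorUseClaim] = None) -> int:
    """Table 1 value, +1 unless the dominant failure mode is safe or dangerous
    failures are detected, then -1 if every prior-use condition is met."""
    if sil not in TABLE_1_MIN_HFT:
        raise ValueError(f"SIL {sil} is outside this guideline (SIL 1-3 only)")
    hft = TABLE_1_MIN_HFT[sil]
    if not safe_or_detected:
        hft += 1
    if prior_use is not None and prior_use.all_met():
        hft = max(hft - 1, 0)  # assumption: HFT cannot go below zero
    return hft

def achieved_hft(m: int, n: int) -> int:
    """HFT of an MooN voted subsystem: N - M devices may fail dangerously before
    the function is lost. 1oo2 (the two-sensor case in the text) gives 1, 1oo1 gives 0."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m

def check_subsystem(sil: int, m: int, n: int, safe_or_detected: bool,
                    prior_use: Optional[PriorUseClaim] = None) -> dict:
    """Compare the architecture's HFT with the minimum the standard requires."""
    required = required_hft(sil, safe_or_detected, prior_use)
    achieved = achieved_hft(m, n)
    return {"required": required, "achieved": achieved, "meets": achieved >= required}

if __name__ == "__main__":
    # Worked case: two sensors voted 1oo2 protecting a SIL 2 function.
    print(check_subsystem(2, 1, 2, safe_or_detected=True))   # required 1, achieved 1: meets
    print(check_subsystem(2, 1, 2, safe_or_detected=False))  # required 2, achieved 1: fails
```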