Immingham East Terminal – Gasoline Overfill Protection
Safety Instrument System
P & I Design Ltd
DOCUMENT NO: SI277001_RPT
2 Reed Street, Thornaby, UK, TS17 7AF
ISSUE: F
DATE: 31.10.14
Tel: + 44 (0)1642 617444
PAGE 21 OF 29
Fax: + 44 (0)1642 616447
www.pidesign.co.uk
The actuator section of the subsystem meets the requirements of SIL2 with a PFD of
7.09 x 10^-4.
The valves will be operated (cycled) periodically, on a monthly basis. This will provide a form
of regular stroke testing. The operations to open and close the valves will not affect the SIS
and will not prevent the activation of the SIS.
7.2.3.3 Final Element Subsystem Hardware Fault Tolerance
BS EN 61511-1:2003 Section 11.4 requires a minimum hardware fault tolerance.
Table 6 of the standard is reproduced below:
SIL    Minimum hardware fault tolerance (see 11.4.3 and 11.4.4)
1      0
2      1
3      2
4      Special requirements apply
BS EN 61511-1:2003 Section 11.4.3 states that the fault tolerance in the above table should
be increased by 1, unless the dominant failure mode is to the safe state or dangerous failures
are detected.
In this application, for the valve, the dominant failure mode is to the safe state (Safe Fail
Fraction = 81%). Therefore, the fault tolerance has not been increased by 1.
In this application, for the actuator, the dominant failure mode is to the safe state (Safe Fail
Fraction = 73%). Therefore, the fault tolerance has not been increased by 1.
In this application, for the solenoid valve, the dominant failure mode is to the safe state (Safe
Fail Fraction = 99%). Therefore, the fault tolerance has not been increased by 1.
BS EN 61511-1:2003 Section 11.4.4 states that the fault tolerance in the above table can be
reduced by 1 if the hardware complies with the following:
- The hardware of the device is selected on the basis of prior use.
- The device allows adjustment of process related parameters only, i.e. measuring
  range, upscale and downscale failures.
- The adjustment of the process related parameters is protected either by jumper or
  password.
- The function has a SIL requirement of less than 4.
In this application the above requirements are true for each final element subsystem and a
reduction of 1 applies.
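The Table 6 lookup and the Section 11.4.3 and 11.4.4 adjustments described above, as an added Python example that is not part of the original report. Assumptions of this example: "dominant failure mode to the safe state" is read as a Safe Fail Fraction above 50 %, the result is clamped at zero, and the function is assessed at SIL 2, the level quoted for the actuator section.

```python
from dataclasses import dataclass

# Table 6 of BS EN 61511-1:2003 as reproduced in the report (SIL 4: no tabulated value).
BASE_HFT = {1: 0, 2: 1, 3: 2}

@dataclass
class Device:
    name: str
    sff_percent: float                   # Safe Fail Fraction quoted in the report
    dangerous_failures_detected: bool = False
    prior_use: bool = False              # 11.4.4: selected on the basis of prior use
    process_params_only: bool = False    # 11.4.4: only process related parameters adjustable
    adjustment_protected: bool = False   # 11.4.4: jumper or password protection

def dominant_failure_safe(dev: Device) -> bool:
    # Assumption of this example: "dominant" is read as SFF above 50 %.
    return dev.sff_percent > 50.0

def required_hft(sil: int, dev: Device) -> int:
    if sil not in BASE_HFT:
        raise ValueError(f"SIL {sil} is not tabulated (SIL 4: special requirements apply)")
    hft = BASE_HFT[sil]
    # 11.4.3: increase by 1 unless the dominant failure mode is safe
    # or dangerous failures are detected.
    if not (dominant_failure_safe(dev) or dev.dangerous_failures_detected):
        hft += 1
    # 11.4.4: reduce by 1 only when every listed condition holds
    # (the SIL < 4 condition is already enforced above).
    if dev.prior_use and dev.process_params_only and dev.adjustment_protected:
        hft -= 1
    return max(hft, 0)  # assumption: a fault tolerance cannot go below zero

def assess(sil: int, devices: list) -> dict:
    return {d.name: required_hft(sil, d) for d in devices}

# Final elements with the SFF values from the report; the report states the
# 11.4.4 conditions are true for each final element subsystem.
FINAL_ELEMENTS = [
    Device("valve", 81, prior_use=True, process_params_only=True, adjustment_protected=True),
    Device("actuator", 73, prior_use=True, process_params_only=True, adjustment_protected=True),
    Device("solenoid valve", 99, prior_use=True, process_params_only=True, adjustment_protected=True),
]

if __name__ == "__main__":
    for name, hft in assess(2, FINAL_ELEMENTS).items():
        print(f"{name}: required HFT = {hft}")
```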
Comparatively, BS EN 61508-2:2010 Section 7.4.3 requires architectural constraints on
hardware safety integrity.