Using SIL-2 Devices in SIL-3 Loops

A

Thread Starter

Ahmed

This morning I had a discussion with a colleague who told me that the practice of using lower SIL-capable devices in higher SIL loops is no longer permitted as per IEC-61508/11, 2013 edition.
Is that true?

This requirement is of huge impact to me, because I am nearly done with a job where we use two SIL-2 level transmitters to achieve SIL-3.
The new transmitter is displacer type level transmitter and currently there are no SIL-3 capable displacer type level transmitters.
 
What do you define as 'lower SIL capable' and 'SIL2 level transmitter'.

IEC-61508/11 standard is for site overall funtional safety requirements by defining 'safety intrumented systems' (SIS).
It does not define individual pieces of equipment with a rating since, if you undertake these calculations it is the context of where each instrument is within the safety system and the calculated (or estimated) ability of not being failsafe.

At SIL3 and upwards you are recommended to seek advice from an experienced consultant since any control or configuration software has to be independently checked.
 
S
1oo2 of transmitters is only one part of complete loop. if you are looking for complete loop SIL 3, you have to have assessment of loop.

However, if you are talking about only for transmitters, then please take in account of SFF (safe Failure fraction) which is normally provided by manufacturers and HFT (Hardware failure tolerance) which provides you voting of your transmitters by using MooN. Based on IEC 61508, by combination SFF & HFT matrix will get required SIL.
 
If your SIL calculation gives you SIL 3 with those 2 transmitters based on their failure rate; then it is OK.

More commonly to provide more redundancy and reliability 3 transmitters are used in a 2oo3 configuration with deviation and stuck transmitter alarms.

When we upgraded our boiler BMS systems we went from 1oo2 pressure switches and level transmitters to 2oo3 logic.
 
If you are using smart transmitters in a SIL rated system then you must pull the jumper in the transmitter to disable configuration via communication when the system is in service.
 
M

masoud sadra

Ahmet,

It`s not true. you can use lower SIL rated device in higher loop as long as you maintain the min HFT (Hardware fault tolerance requirements. Take a look at the following table:<pre>
SFF of an element HFT
0 1 2

<60% SIL1 SIL2 SIL3

60% <90% SIL2 SIL3 SIL4

90%< 99% SIL3 SIL4 SIL4

>99% SIL3 SIL4 SIL 4</pre>
See IEC- 61508-2 Section 7.4.4.2.2 table
 
Where could I find the norme? is it downloadable from the net IEC- 61508-2 Section 7.4.4.2.2 table?

>It`s not true. you can use lower SIL rated device in higher
>loop as long as you maintain the min HFT (Hardware fault
>tolerance requirements. Take a look at the following
>table:<pre>
>SFF of an element HFT
>
> 0 1 2
>
><60% SIL1 SIL2 SIL3
>
>60% <90% SIL2 SIL3 SIL4
>
>90%< 99% SIL3 SIL4 SIL4
>
>>99% SIL3 SIL4 SIL 4</pre>
>See IEC- 61508-2 Section 7.4.4.2.2 table
 
W
First off I believe the latest version of 61508 is dated 2010 (https://webstore.iec.ch/publication/22273). There is no 61508-11 as far as I know, so I am not sure what standard is being referred to. In regards to using SIL 2 rated transmitters in a SIL 3 system, there are two options in IEC 61511.

The first option is prior use which would allow you to use the SIL 2 transmitter in a SIL 3 loop if the transmitters are selected based on prior use.

The second option is selection based on 3rd party approval to which IEC 61511-2018, Clause 11.4.3, refers you to IEC 7.4.4.2 (1h) or 7.4.4.3 (2h) to meet the required hardware fault tolerance.

IEC 61508 Clause 7.4.4.2 has the Table 3 for Type B (smart transmitter) devices, which has been provided by a previous poster. If you have smart transmitters, for example, a 1oo2 or 2oo3 arrangement would meet the required hardware fault tolerance of 1 for SIL 3.

The last thing you have to meet is the required systematic capability for the SIL 3 loop, e.g. SC=3. IEC 61508 Clause 7.4.3.2 allow redundant SC=2 elements (e.g. SIL 2 transmitters should be rated SC=2 or better) to achieve SC (N+1), e.g. SC=3 for SIL 3.

That is the long answer. The short answer is redundant 3rd party approved to IEC 61508 SIL 2 transmitters can be used in a SIL 3 loop.

William (Bill) L. Mostia, Jr. PE
ISA Fellow, FS Engineer (TUV Rheinland)
Winner of the 2018 ISA Raymond D. Molloy Award

Sr. Safety Consultant
SIS SILverstone, LLC
 
Top