Understanding Safety Instrumented Systems (SIS) Field Device Fault Tolerance Requirements

The IEC 61511 standard includes a table listing the fault tolerance requirements for field devices for different safety integrity levels. There are clauses stating how the fault tolerance requirements may need to be increased in some cases, may be decreased in some cases, and alternative fault tolerance tables from IEC 61508 may be used in some cases.

The table from the standard showing the minimum hardware fault tolerance of sensors and final elements is reproduced here as Table 1.

Table 1-Field Device Fault Tolerance Table from IEC 61511

Table 1-Field Device Fault Tolerance Table from IEC 61511

A hardware fault tolerance of X means that X + 1 dangerous failures would cause a loss of the safety function. Another way to phrase it would be that a hardware fault tolerance of X means that the function could survive X dangerous failures. Table 2 is a listing of various configurations and their fault tolerance numbers. For MooN voting, the fault tolerance is simply N – M.

 

Table 2-Configurations and Their Fault Tolerance Numbers

Table 2-Configurations and Their Fault Tolerance Numbers

The tables mean that non fault tolerant field device designs will meet SIL 1 requirements. SIL 2 or higher will require fault tolerant designs. One end user company has documented that each jump in SIL beyond SIL 1 represent an increase in cost of approximately $50,000 per function; that’s how much the total installed cost of the extra field devices will be.

Note that “fault tolerance” is not synonymous with “redundant”. Redundant simply means more than one. 2oo2 is redundant, yet not fault tolerant (of dangerous failures).

 

Cases where fault tolerance must be increased

Clause 11.4.3 states that if the dominant failure mode is not to the safe state, or if dangerous failures are not detected, then the fault tolerance requirements need to be increased by one. An example of such a case would be an energize-to-trip function that does not utilize line monitoring to reveal open circuits in wiring. Normally de-energized devices are not inherently fail-safe. Fault tolerant designs for SIL 1 are obviously not financially attractive.

 

Cases where fault tolerance may be decreased

Clause 11.4.4 states that the fault tolerance requirements can be reduced by one if certain conditions apply, primarily that the devices are selected on the basis of prior use. This requires the user to document that the failure rates of their field devices are low enough to meet SIL 2 in a 1oo1 configuration.

 

Cases where alternative fault tolerance tables may be used

Clause 11.4.5 states that alternative fault tolerance tables may be used providing an assessment is made according to the requirements of IEC 61508. This requires knowing the safe failure fraction (SFF) of the devices.

 

Learn more about prior use, safe failure fraction, the fault tolerance tables in IEC 61508, and upcoming changes to the fault tolerance table coming in the 2nd version of IEC 61511 by reading the full paper here.

Download White Paper

Leave a Reply

Your email address will not be published. Required fields are marked *