SIL-2 Certified SIS transmitters Diagnostics integration in ESD system


Thread Starter

Girishkant Gupta

I want advice regarding the integration of SIL-2 SIS transmitters with the ESD system. We are using 3051 CTL SIS transmitters from Rosemount.

Our ESD system (Yokogawa Prosafe) AI cards are not HART pass-through cards, thus the diagnostics related to the SIS transmitters are not available in our PRM server (Plant Resource Manager). In many instances we are using a single SIL-2 SIS transmitter to meet the target SIL by virtue of its PFD and SFF values. This is different from a proven-in-use installation, where we would normally use proven-in-use transmitters, 2 nos in 1oo2 configuration, to meet SIL-2.

Is it OK in the above situation that I use a single SIL-2 transmitter whose HART diagnostics are not captured by the PRM to meet target SIL-2? Is it an absolute must to have the diagnostics integrated in PRM to schedule any predictive maintenance?

The SIL-2 certification scope as per the FMEDA restricts itself only to the instrument, its hardware and software, but does not say anything about the integration of its diagnostics with the ESD system.

Now a HART pass-through ESD AI card is available from Yokogawa and we are looking at changing these cards for the SIL-2 loops only. But again the cost is exorbitant, and before I go down that path and recommend this solution, I want to be sure that this is an absolute must. I am really not comfortable using a single transmitter for a SIL-2 application, and if we also ignore the diagnostics, then is it really a proper installation?

Is this requirement governed by IEC 61509 or IEC 61511?

I seek your reply & help.
My e-mail contact is gupta_g_r [at]
Dear Girishkant,

> Is it OK in the above situation that I use a single SIL-2 transmitter whose HART diagnostics are not captured by the PRM to meet Target SIL-2?

The only things that determine whether it is appropriate to use a single SIL2 transmitter are whether you:

- have checked the hardware reliability of the whole loop, sensor -> final element;

- meet the min architectural requirements;

- have followed the lifecycle activities during the design, i.e. did you follow good design & documentation procedures;

- have applied the principle of ALARP;

- have had the design done by an organisation that is capable.

If you haven't got the documentation recording/demonstrating the above, then that could be a problem for your regulator.

It is not a requirement that HART information is integrated into an asset management system, although that is undoubtedly a good thing, especially during the maintenance phase of the instrument function. It is also not a requirement that the HART info is brought directly into an input card. So don't buy it - unless other advantages mean it's a good thing.

Do maintain your instrument; this is required by IEC61508/11. The reliability calcs will have assumed a proof test interval. This you can usually take as being the maintenance interval, but check the assumptions made. Sometimes people assume unrealistic intervals to manipulate the PFD figure. This is not helpful to front line maintenance staff, who are usually worked hard these days anyway.

Use of PRM to document maintenance can help you record/prove you are meeting your commitments during the operational phase.

What is important is that the dangerous detected faults are signalled by the instrument to the safety system (e.g. by sending the analogue signal to a defined value, say >21mA) and that the safety system responds to maintain or achieve a safe state (e.g. close valve). It is also important that you comply with any restrictions on the instrument when used in a safety loop; these are sometimes found in a safety manual or in the safety section of the instrument documentation. For example, HART enabled instruments usually require that the remote writing of parameters from the asset management system is disabled.

Hope this helps. If you need more get back to me.
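The point above about the logic solver acting on a fail-high or fail-low signal can be shown with a small 1oo1 input-handling routine. This is an added illustration, not code from the original post or from Yokogawa/Rosemount; the fail-low (<3.6 mA) and fail-high (>21 mA) thresholds follow the NAMUR NE43 convention and are an assumption of this example, as are the function names.

```python
"""Logic-solver handling of a single (1oo1) 4-20 mA SIS transmitter.

Illustrative example only.  A dangerous detected fault that the transmitter
signals by driving the loop current out of range is treated as a demand on
the safe state, exactly like a genuine process excursion.  Thresholds are
the NAMUR NE43 convention (assumed here, not taken from any vendor card).
"""
from dataclasses import dataclass
from typing import Optional

FAIL_LOW_MA = 3.6     # below this the transmitter is signalling a fault
FAIL_HIGH_MA = 21.0   # above this the transmitter is signalling a fault
RANGE_LOW_MA = 4.0    # 0 % of span
RANGE_HIGH_MA = 20.0  # 100 % of span


@dataclass(frozen=True)
class SifDecision:
    signal_state: str        # "VALID", "FAIL_LOW" or "FAIL_HIGH"
    percent: Optional[float]  # process value in % of span, None when faulted
    trip: bool               # True -> drive the final element to its safe state
    reason: str


def classify_signal(ma: float) -> str:
    """Classify the loop current into valid / fail-low / fail-high."""
    if ma < FAIL_LOW_MA:
        return "FAIL_LOW"
    if ma > FAIL_HIGH_MA:
        return "FAIL_HIGH"
    return "VALID"


def to_percent(ma: float) -> float:
    """Convert a valid loop current to % of span (may slightly exceed 0-100 in saturation)."""
    return (ma - RANGE_LOW_MA) / (RANGE_HIGH_MA - RANGE_LOW_MA) * 100.0


def evaluate_sif(ma: float, trip_percent: float, high_trip: bool = True) -> SifDecision:
    """Decide whether the SIF must act, for one transmitter reading.

    A signalled fault (fail-low / fail-high) trips unconditionally, which is
    what turns that failure mode into a *dangerous detected* one.  Otherwise
    the process value is compared with the trip point.
    """
    state = classify_signal(ma)
    if state != "VALID":
        return SifDecision(state, None, True,
                           f"transmitter signalled {state}; logic solver drives safe state")
    pct = to_percent(ma)
    demand = pct >= trip_percent if high_trip else pct <= trip_percent
    if demand:
        return SifDecision(state, pct, True,
                           f"process at {pct:.1f} % beyond trip point {trip_percent} %")
    return SifDecision(state, pct, False, f"process at {pct:.1f} %, no demand")


if __name__ == "__main__":
    # Constructed readings: normal, a real high-pressure demand, a fail-high fault, a fail-low fault
    for ma in (12.0, 19.0, 22.4, 3.2):
        d = evaluate_sif(ma, trip_percent=90.0)
        print(f"{ma:5.1f} mA -> trip={d.trip!s:5} {d.reason}")
```

Note that the example trips on any signalled fault; a site may instead choose alarm plus maintenance override for some loops, but whichever response is chosen it must be the one the reliability calculation and the safety requirement specification assume.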

Thanks Dave for your reply on my query. Yes, it helps to clarify the matter. I was only worried while reading the FMEDA report of these transmitters, wherein they have indicated safe failure rates and dangerous failure rates. I wanted to make sure whether the report has taken credit of HART diagnostics to increase the SFF value. It does say that the logic solver should be designed to detect Fail High and Fail Low.

Are you aware of any such diagnostics reported by SIS transmitters over HART to PRM or AMS which will increase the SFF value and allow scheduling of predictive maintenance? In that case ignoring such diagnostics will make that failure Dangerous Undetected as opposed to Dangerous Detected, thus reducing the SFF value. For an SIS transmitter (Type-B device) to be used as a single sensor in a SIL-2 application, the SFF value is required to be in excess of 90% to meet the architectural constraints.

I have standardized the proof test interval to 1 year and have done proper documentation (SIL Study report, SIL Verification report, Safety Requirement Specification etc.) to capture the design and implementation aspects of the SIS. Operations will be developing the proof testing regime SIF-wise based on these reports and scheduling it in SAP.

Best Regards,
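The worry above, that a diagnostic nobody acts on turns a dangerous detected failure into a dangerous undetected one and drags the SFF below the 90% architectural limit, can be worked through numerically. This is an added example, not code or figures from the original post or from the 3051 FMEDA report: the failure rates are constructed values in FIT, the Type B / HFT 0 table is IEC 61508-2 Table 3, the PFD bands are IEC 61508-1 Table 2, and the 1oo1 PFDavg uses the simplified λDU·TI/2 formula.

```python
"""SFF, architectural constraint and simplified PFDavg for a 1oo1 Type B sensor.

Illustrative example with constructed failure rates (FIT = 1e-9 /h).
Shows that re-classifying a diagnostic-only DD fraction as DU can lose the
architectural SIL-2 claim while the PFDavg figure still looks comfortable.
"""
from dataclasses import dataclass, replace

FIT = 1e-9             # one failure per 1e9 hours
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """Per-device failure rates in FIT (constructed values, not the FMEDA's)."""
    sd: float  # safe detected
    su: float  # safe undetected
    dd: float  # dangerous detected: signalled to the logic solver (e.g. >21 mA)
    du: float  # dangerous undetected: only revealed by the proof test

    def sff(self) -> float:
        """Safe failure fraction = (lambda_S + lambda_DD) / lambda_total."""
        total = self.sd + self.su + self.dd + self.du
        return (self.sd + self.su + self.dd) / total

    def pfd_avg_1oo1(self, proof_test_interval_h: float) -> float:
        """Simplified single-channel PFDavg: lambda_DU * TI / 2."""
        return self.du * FIT * proof_test_interval_h / 2.0


def treat_as_undetected(rates: FailureRates, uncaptured_dd_fit: float) -> FailureRates:
    """Move the DD share that is only reported over HART (and never acted on) into DU."""
    if not 0.0 <= uncaptured_dd_fit <= rates.dd:
        raise ValueError("uncaptured DD share must lie within lambda_DD")
    return replace(rates, dd=rates.dd - uncaptured_dd_fit, du=rates.du + uncaptured_dd_fit)


def max_sil_type_b_hft0(sff_value: float) -> int:
    """Architectural constraint, IEC 61508-2 Table 3, Type B device, HFT = 0."""
    if sff_value < 0.60:
        return 0          # not allowed as a single channel
    if sff_value < 0.90:
        return 1
    if sff_value < 0.99:
        return 2
    return 3


def pfd_sil_band(pfd: float) -> int:
    """Low-demand PFDavg bands, IEC 61508-1 Table 2."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def assess(rates: FailureRates, proof_test_interval_h: float) -> dict:
    """Combine the architectural and PFD limits; the lower one binds."""
    s = rates.sff()
    p = rates.pfd_avg_1oo1(proof_test_interval_h)
    arch = max_sil_type_b_hft0(s)
    band = pfd_sil_band(p)
    return {"sff": s, "arch_sil": arch, "pfd_avg": p,
            "pfd_sil": band, "achievable_sil": min(arch, band)}


if __name__ == "__main__":
    base = FailureRates(sd=0.0, su=200.0, dd=400.0, du=50.0)   # constructed
    degraded = treat_as_undetected(base, 100.0)                 # 100 FIT of DD only visible over HART
    for label, r in (("all DD acted on", base), ("HART-only DD ignored", degraded)):
        a = assess(r, HOURS_PER_YEAR)
        print(f"{label:22} SFF={a['sff']:.3f} arch SIL {a['arch_sil']} "
              f"PFDavg={a['pfd_avg']:.2e} (SIL {a['pfd_sil']} band) -> SIL {a['achievable_sil']}")
```

With these constructed numbers the one-year proof test keeps PFDavg well inside the SIL 2 band in both cases; it is the SFF that decides whether a single Type B sensor is allowed, which is why the question of what counts as "detected" (signalled to the logic solver) matters more than whether the AMS sees it.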

To my knowledge no credit has ever been claimed, with respect to SFF, for any diagnostic information transmitted to an AMS type system. SFF is based purely on internal instrument diagnostics and sending the signal high or low for the logic solver to respond to appropriately.
IEC61511 has some specific requirements in this respect if that's what you're designing to: Section 11, Part 1.

Just a note. Depending on the site of the plant and the SIS, even a 1 year proof test can be demanding in practice. Otherwise it sounds like you've got most things covered.

Good luck
Dear Sirs,

Please send me the mentioned documentation regarding the SIL and safety, and the rest of the mentioned documentation.