This morning I had a discussion with a colleague who told me that the practice of using lower SIL-capable devices in higher SIL loops is no longer permitted as per IEC-61508/11, 2013 edition.
Is that true?
This requirement is of huge impact to me, because I am nearly done with a job where we use two SIL-2 level transmitters to achieve SIL-3.
The new transmitter is displacer type level transmitter and currently there are no SIL-3 capable displacer type level transmitters.
What do you define as 'lower SIL capable' and 'SIL2 level transmitter'.
IEC-61508/11 standard is for site overall funtional safety requirements by defining 'safety intrumented systems' (SIS).
It does not define individual pieces of equipment with a rating since, if you undertake these calculations it is the context of where each instrument is within the safety system and the calculated (or estimated) ability of not being failsafe.
At SIL3 and upwards you are recommended to seek advice from an experienced consultant since any control or configuration software has to be independently checked.
1oo2 of transmitters is only one part of complete loop. if you are looking for complete loop SIL 3, you have to have assessment of loop.
However, if you are talking about only for transmitters, then please take in account of SFF (safe Failure fraction) which is normally provided by manufacturers and HFT (Hardware failure tolerance) which provides you voting of your transmitters by using MooN. Based on IEC 61508, by combination SFF & HFT matrix will get required SIL.
If your SIL calculation gives you SIL 3 with those 2 transmitters based on their failure rate; then it is OK.
More commonly to provide more redundancy and reliability 3 transmitters are used in a 2oo3 configuration with deviation and stuck transmitter alarms.
When we upgraded our boiler BMS systems we went from 1oo2 pressure switches and level transmitters to 2oo3 logic.