The safety system on our natural gas compression station has UV/IR temperature and gas sensors that notify the operator of a hazardous condition (fire or gas leak). The operator then activates the safety system, which is run by a PLC certified by TUV for SIL 2. Can this system be made to qualify for SIL 2, and if so, how?
I Don't Think So
In my opinion, this system is not a safety instrumented function (SIF) or safety instrumented system (SIS) because it is not automatic and requires a human function to provide the overall protective function. Per IEC 61511, Sec. 1, Scope: "...In particular, this standard...does not place any direct requirements on the individual operator or maintenance person..." ANSI/ISA 84.01, Section 1.2.14 says, "Systems where the operator action is the sole means required to return the process to a safe state are not covered by this standard (e.g., alarm systems, fire and gas monitoring systems, etc.)."
...So the safety standards IEC 61511 and ANSI/ISA 84.01 do not apply. This is not to say that the principles of these standards could not be applied but simply that they are not required to be. Any safety system should have special care in its design and use recognized and generally accepted good engineering practices.
...Even if you were to apply the principles of safety integrity level (SIL) to this system, it would be at best a SIL 1 system (and a number of things must be satisfied to accomplish this, such as specificity, dependability, availability, procedures, training, administrative controls, etc.). In my opinion, it certainly would not achieve a SIL 2 rating--the reliability of human action is not sufficient to support a SIL 2 rating.
...There is a paper on this subject at www.srs.gov/general/pubs/fulltext/ms2002091/ms2002091.html that claims operator action can be a safety instrumented function. I believe it misinterprets IEC 61511; however, it does give some insight into the subject.
William (Bill) L. Mostia Jr., PE, Partner
Eliminate the Operator
Can the system be shown to meet SIL 2? Yes and no. The combination of UV/IR (flame) temperature and gas detectors can be shown to meet SIL 2. This requires knowing device failure rates, levels of diagnostics, architecture (redundancy), and test intervals. Voting of sensors may or may not be required.
...The "certified for use in SIL 2" logic box is the easiest piece of the pie. Presuming that one implements it correctly, it will meet the requirements. One unknown in this overall solution is what you are using for final elements. If it's simply turning off motor contactors, reaching SIL 2 numbers should be relatively easy. Shutting off engine fuel flow with valves will most likely require dual block valves.
...However, it's doubtful that the overall system will meet SIL 2 because it relies on a human operator. Claiming that an operator will respond correctly to a hazardous situation greater than 99% of the time is a stretch I would not be willing to make.
...If you have so much confidence in the hardware, why not make it a totally automated system? If the concern is over nuisance trips and the resulting lost production and downtime, proper voting of sensors, along with a redundant logic box, will go a long way in minimizing this problem.
...It should be stressed that simply using a logic box certified to a certain level in no way means you have a system that meets that level.
Paul Gruhn, PE, CFSE, President
L&M Engineering, www.landmengineering.com
Possible, but Perhaps Not Cost-Effective
At a first pass, most people would say this cannot be done. However, if we look to IEC 61511 for guidance, a couple of clauses are pertinent to this problem: "If the operator is required to select options or bypass the system for certain operations, then an operator function will become part of the overall SIS function. This should be avoided where possible because of the potential for operator error. Experience has shown that the potential for operator error is high when such actions need to be carried out on a frequent basis or at times of high operator workload such as at startup or when the plant is disturbed."
...In Sec. 2 (Guidelines) it states: "Where an operator, as a result of an alarm, takes action and the risk reduction claimed is greater than a factor of 10, then the overall system will need to be designed according to IEC 61511-1. The system that undertakes the safety function would then comprise the sensor detecting the hazardous condition, the alarm presentation, the human response, and the equipment used by the operator to terminate any hazard. It should be noted that a risk reduction of up to a factor of 10 might be claimed without the need to comply with IEC 61511. Where such claims are made, the human-factor issues will need to be carefully considered."
...So we see that IEC 61511 does not preclude using operators for this type of problem. Since the question requires a design for a SIL 2 application, consideration must be taken as to the probability of failure on demand (PFD) that can be claimed for all the components of this SIF. In other sections, the PFD assigned to an operator action is 0.1, so to achieve a SIL 2, we would need three operators, assuming independence of the operators. This would also mean that the means by which the operators initiate the SIL 2 PLC would need to be independent. So although it may be possible to achieve a SIL 2 for the stated problem, it may not be economically viable.
...A better approach would be to use the detectors directly in the SIS and automatically initiate the shutdown.
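A worked PFD check, added here as an illustration and not taken from any of the three replies above, puts numbers on two of their arguments: Paul Gruhn's point that failure rates, redundancy (voting, dual block valves) and test intervals decide whether the hardware reaches SIL 2, and the third reply's arithmetic that an operator credited with PFD 0.1 needs three independent operators before the loop lands in the SIL 2 band. It uses the simplified IEC 61508-6 low-demand formulas for 1oo1, 1oo2 and 2oo3 architectures (dangerous undetected failure rate, proof-test interval and a beta factor for common cause only; no diagnostic or repair terms). Every failure rate, the vendor PFD for the logic solver and the one-year test interval are assumptions chosen for the example, not data from the column.

```python
# Added example for this column (not from any of the contributors): a
# back-of-envelope PFDavg / SIL-band check for the fire-and-gas loop.
# Simplified IEC 61508-6 low-demand formulas using only lambda_DU, the
# proof-test interval TI and a beta factor for common cause; diagnostics
# and repair terms are omitted. All rates below are illustrative assumptions.

def sil_band(pfd_avg):
    """SIL claimable in low-demand mode for a given PFDavg (0 = no SIL)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def pfd_1oo1(lam_du, ti):
    """Single channel: PFDavg ~= lambda_DU * TI / 2."""
    return lam_du * ti / 2


def pfd_1oo2(lam_du, ti, beta):
    """Two channels, either one trips: ((1-beta)*lam*TI)^2/3 + beta*lam*TI/2."""
    lam_ind = (1 - beta) * lam_du
    return (lam_ind * ti) ** 2 / 3 + beta * lam_du * ti / 2


def pfd_2oo3(lam_du, ti, beta):
    """Three channels, two must agree: ((1-beta)*lam*TI)^2 + beta*lam*TI/2."""
    lam_ind = (1 - beta) * lam_du
    return (lam_ind * ti) ** 2 + beta * lam_du * ti / 2


def series(*pfds):
    """Elements in series: the function fails if any one of them fails."""
    p_ok = 1.0
    for p in pfds:
        p_ok *= 1 - p
    return 1 - p_ok


def parallel(*pfds):
    """Independent elements in parallel: the function fails only if all fail."""
    p = 1.0
    for x in pfds:
        p *= x
    return p


TI = 8760.0          # assumed one-year proof-test interval, hours
OPERATOR_PFD = 0.1   # the per-operator figure the third reply cites


def loop_variants():
    """Return {variant: (PFDavg, SIL band, risk reduction factor)}."""
    sensors = pfd_2oo3(2e-6, TI, beta=0.05)      # assumed: three voted detectors
    logic = 1e-4                                  # assumed vendor PFD, SIL 2 PLC
    valve_single = pfd_1oo1(5e-6, TI)             # assumed: one fuel block valve
    valves_dual = pfd_1oo2(5e-6, TI, beta=0.10)   # assumed: dual block valves

    variants = {
        # fully automatic loop, single valve vs. dual block valves
        "auto_single_valve": series(sensors, logic, valve_single),
        "auto_dual_valves": series(sensors, logic, valves_dual),
        # operator in the loop between the alarm and the PLC
        "one_operator": series(sensors, OPERATOR_PFD, logic, valves_dual),
        # three independent operators with independent initiation paths
        "three_operators": series(
            sensors,
            parallel(OPERATOR_PFD, OPERATOR_PFD, OPERATOR_PFD),
            logic,
            valves_dual,
        ),
    }
    return {k: (v, sil_band(v), 1 / v) for k, v in variants.items()}


if __name__ == "__main__":
    for name, (pfd, sil, rrf) in loop_variants().items():
        print(f"{name:20s} PFDavg={pfd:.2e}  SIL {sil}  RRF~{rrf:.0f}")
```

With these assumed numbers the automatic loop is SIL 1 with a single block valve and SIL 2 with dual valves, which is the hardware observation in the second reply. Inserting one operator credited at 0.1 leaves the loop with a risk reduction factor just under 10, so no SIL can be claimed, while three independent operators (PFD 0.1 cubed) bring it back into the SIL 2 band, which is the arithmetic of the third reply. The series model treats the operator as just another element whose PFD adds to the hardware's; it does not model the independence of the three alarm and initiation paths, which the third reply says would also be required.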