
White Paper

Certified Level Sensor for the Liquefied Natural Gas Industry

Date: 3 May 2006

Author(s): L. Monfilliette, P. Versluys, M.J.M. Houtermans

Risknowlogy B.V.
Brunner bron 2
6441 GX Brunssum
The Netherlands
www.risknowlogy.com

RISKNOWLOGY Experts in Risk, Reliability and Safety


White Paper
L. Monfilliette, P. Versluys, M.J.M. Houtermans
Certified Level Sensor for the Liquefied Natural Gas Industry

© 2002 - 2007 Risknowlogy B.V.

All Rights Reserved

Printed in The Netherlands

This document is the property of, and is proprietary to Risknowlogy. It is not to be disclosed in whole or in part and no portion of this document shall be
duplicated in any manner for any purpose without Risknowlogy’s expressed written authorization.

Risknowlogy, the Risknowlogy logo, and Functional Safety Data Sheet are registered service marks.




Certified Level Sensor for the Liquefied Natural Gas Industry

L. Monfilliette, P. Versluys
Whessoe S.A., Calais, France
M.J.M. Houtermans (1)
TÜV Industrie Service, Cologne, Germany
Risknowlogy B.V., Brunssum, The Netherlands

Abstract
This paper demonstrates in a practical way how liquefied gas storage facilities around the
world can benefit from IEC 61508 compliant level sensor systems. Worldwide there are about 100
liquefied natural gas (LNG) storage facilities. This market has been growing by about 8% on average
over the past 5 years, due to the increased demand for clean fuels, the development of new gas fields
and the consequent need for more storage facilities.
The inherently hazardous nature of storing liquefied natural gas means that the industry
requires a very high level of safety. One of the main problems is that a storage tank may be
overfilled, which results in structural damage to the tank and a spill of liquefied natural gas into the
environment, bringing with it unpredictable hazardous situations and their associated risks. LNG
storage tanks therefore need to be equipped with special level sensors and emergency shutdown
equipment to ensure that it is not possible to overfill the tank.
The purpose of this paper is to demonstrate how the liquefied gas market can benefit from SIL
certified level sensors. The safety requirements are explained from an application level point of view.
The paper discusses the IEC 61508 requirements as well as the specific requirements of NFPA 59,
explains how the sensor system fulfills these requirements and what efforts the company had to make
to meet them. For end-users the paper explains why and how the sensor system has been tested.
Furthermore, via a practical example of an LNG storage tank, the paper demonstrates the achieved
probability of failure on demand and the required proof test interval.

1 Introduction
The level sensor described in this paper consists of hardware, software and mechanical sub-modules.
The applicable functional safety standard for these kinds of systems is IEC 61508. Although this
standard only has technical safety requirements for electrical, electronic and programmable electronic
systems, it clearly states that other technology, like the mechanical part of the level sensor, is also
supported and can be assessed with it as long as the framework and lifecycle approach of IEC 61508
is followed. As the standard only has detailed requirements for electrical, electronic and
programmable electronic devices, additional requirements were defined during the certification of the
level sensor to address the mechanical parts.
This paper demonstrates in a practical way how liquefied gas storage facilities around the world can
benefit from IEC 61508 compliant level sensor systems and how the liquefied gas market can benefit
from SIL certified level sensors. The safety requirements are explained from an application level
point of view. The paper discusses the IEC 61508 requirements as well as the specific requirements
of NFPA 59.

(1) Corresponding author: m.j.m.houtermans@risknowlogy.com

2 LNG Storage Tank Solution


More and more LNG tank farms are built all over the world in order to temporarily store LNG before it
is either shipped to its final destination or further processed. The filling of the tank is
typically controlled by a basic process control system and, for safety purposes, monitored by a safety
instrumented system (SIS). The main safety function of the SIS deals with potential overfilling of the
tank and measures the level with custom designed process level gauges. Besides the level gauges,
other instrumentation and equipment is typically present, like an LTD gauge, in-tank temperature
sensing and transmission devices as well as leak detection and cool-down monitoring systems.
Figure 1 gives an overview of a typical tank with three level gauges. The level gauges are placed
on top of the tank. In this case all three gauges are connected to both the safety instrumented system
(ESD system) and the basic process control system (DCS). Typically two level gauges serve as level
meters and one level gauge operates as over spill alarm. All three gauges are used to determine
whether the over spill position has indeed been reached. Besides the over spill alarm there are also
low, high and high-high alarms.

Figure 1 – Overview LNG Tank with Level Gauges

The actual level sensor is shown in more detail in Figure 2. The gauge itself is built up from
software, electronics and a mechanical part, all enclosed in a rugged metal housing. The level gauge
sensing head is composed of two parts: the main sensing head body and a PVC displacer. The
main sensing head accommodates a coil and a linkage to the level gauge tape. The displacer floats
on the LNG surface. Following the changes in the actual LNG level, the displacer drives a core up or
down in the above-mentioned coil, thus changing the induction in the latter. The level gauge tape,
connected to the coil, consists of 2 conductors linking this coil to the gauge’s electronics, where the
changes in induction (and thus in the actual LNG level) are measured. The Tefzel® coated
stainless steel tape can be as long as 75 meter, depending on the storage tank height. The software
and electronics part not only exist to enable communication with the BPCS and SIS but also
to ensure a high level of self-diagnostics. The level gauge tape also plays an integral part in the
diagnostic capabilities of the level gauge.
The displacer continuously floats on top of the liquid surface, thus continuously sensing any
movement of the surface and continuously changing the induction in the sensing head coil. The rate
of change of this induction is measured and analyzed by the electronics, with the following results:
- The speed at which the induction changes is proportional to the speed at which the servo
motor should be driven.
- The direction in which the induction changes sets the direction of the servo motor (up or
down).
- If the changes up and down add up to zero, this indicates that the surface is merely showing
wave action and no real level change, in which case the servo motor is not activated.
- If no changes are measured during a 10 minute time span, the servo motor travels a short
distance up and re-finds the actual level immediately after. This is a self check to ensure that the
system is still functioning properly.

Figure 2 - Level transmitter gauge, Model 1143-Mark II

The safety function of the level transmitter gauge is defined as follows:

To measure continuously the level of product and compare it to a “High over
spill set point”; should this set point be reached or passed, trigger the safety
relay that is connected to the Emergency Shutdown loop of the unit. This
safety function needs to be carried out with a safety integrity of SIL 3 and
needs to process its level signal within 10 seconds.

When the sensor was certified, the basis of the certification was the above defined safety function.
Without a well-defined safety function it is impossible to test the level sensors against the
requirements of the applicable standards. It is crucial to have a safety function definition that is not too
narrow, since otherwise the end-users will not be able to use the device for safety.
If the safety function is defined too widely, it is too difficult to certify the device, as many requirements
can possibly not be met. A well-defined safety function also makes the testing task clear for anybody
involved in certification.

3 Certification of the level sensors


For companies new to the world of functional safety, product development is a challenging task. At
Whessoe, too, IEC 61508 and related terms like SIL were unheard of when the first customers started
to ask in 2004 whether the sensor could fulfill these requirements.
After some initial investigation by the company, Whessoe’s management decided that complying with
functional safety should be an additional safety requirement for their products and was considered
a “must have” to survive the stringent and ever increasing safety requirements imposed by the
market place. It was decided to have the level sensors tested by an independent party in order to
show to their clients Whessoe’s commitment to safety.
As the company was new to functional safety and IEC 61508, the first kick-off meeting included
training for the personnel to be involved in the project. As senior management was also involved, the
training proved to be particularly useful. Normally only engineers attend these trainings, which makes it
difficult for management to fully understand the impact a new standard might have on the way the
company develops products and does business. In this case the involvement of management made it
easier for engineers to explain the time and resources needed to make product changes in order to
obtain the certification.
Sensors like these need to be very robust as they need to withstand harsh environmental conditions.
Therefore, besides the functional safety and application specific standards, the sensor has also been
tested and certified to specific environmental, electrical safety and EMC standards. The following is
an overview of all the standards this level gauge has been tested and certified against:
- IEC 61508, basic standard for functional safety.
- IEC 61511, application specific standard for functional safety.
- NFPA 59 A, application specific standard for LNG storage.
- 49 CFR. Part 13, US federal standards.
- EN1473. 4. 5. 8, standards for seismic behavior.
- EN 61326. 1, standard for electromagnetic compatibility (EMC).
- IEC 61010, standard for electrical safety.
- ATEX: EN50014, standard for explosive atmospheres, general requirements.
- ATEX: EN50018, standard for explosive atmospheres, flameproof.
- ATEX: EN50020, standard for explosive atmospheres, intrinsic safety.

This is quite a list of requirements to manage. Therefore any TÜV certification project always starts
with three important documents. These three documents are:

- Safety plan
- Verification & validation plan
- Safety requirements specification




These documents are not demanded by TÜV but are a direct result of the requirements of
IEC 61508. Besides that, TÜV has years of experience in dealing with functional safety projects,
and having these three documents ready at the start of the project is a guarantee that the project
runs faster and that everybody involved has a clear understanding of the project plan on how to
achieve safety.
The safety plan outlines the management of functional safety requirements and is basically the plan
or approach on how to achieve functional safety for the project. It outlines the people, departments
and organizations involved, the lifecycle to follow, the activities and documents in each step of the
lifecycle, and the tools and measures that will need to be applied to avoid failures.
In other words, it is a document that outlines who will do what, how and at what time.
Since it is a plan, it is a living document that can be updated over the course of the project
whenever necessary.
The verification & validation plan is a document that outlines who will perform which verification
activities at what point in time. It does not outline actual tests but only the activities leading to these
tests. For example, in the case of Whessoe one of the activities was to understand the IEC 61508
standard: one cannot design and verify a design if one does not understand the requirements of IEC
61508.
The third document is the safety requirements specification (SRS). Where the first two documents
are process related (that is, how we manage functional safety), the SRS is about the requirements
of the actual product or system. The SRS is the most important safety document as it outlines the
basic and top-level safety requirements of the product. It is a well-focused document, which does not
go into detail and does not include any non-safety requirements. For this project, a lot of time was
spent upfront to generate these three documents. This time was considered well spent, though, and
was gained back during the remainder of the project as fewer mistakes were made and fewer “surprises”
revealed themselves during the project. The following paragraphs give a more detailed overview of
the requirements directly related to functional safety and applied during certification of the product.

4 IEC 61508 requirements


The basis for functional safety is always the IEC 61508 standard. No matter which other standards
are involved, the basic requirements of IEC 61508 need to be met. Besides IEC 61508, other
standards can easily be involved for application specific purposes, like IEC 61511 or NFPA 59 A. For a
product to comply with IEC 61508 the following requirements need to be addressed:
- Functional safety management,
- Hardware,
- Software,
- Reliability and
- Documentation.

The functional safety management requirements are in general dealt with in the safety plan and the
verification & validation plan. Detailed verification & validation documentation is created for each step
of the lifecycle, both for hardware and for software. The hardware and software requirements
are, on a general level, explained in the safety requirements specification and in more detail in the
supporting design specifications.
A qualitative and quantitative reliability analysis needs to be carried out on the hardware and is part
of the hardware verification documentation. Besides specifications, verification and validation,
supporting documentation also needs to be created, like a user manual that includes the safety manual.




One of the most important IEC 61508 concepts that need to be addressed is the architectural
constraint. According to IEC 61508, it is not possible to just build any kind of safety system, as the
architecture is limited according to the requirements in Table 1. This table applies to so-called
subsystems. Typical subsystems are sensors, valves, logic solvers, etc.
For each subsystem we need to determine the following:

- The type
- The safe failure fraction
- The hardware fault tolerance

The type of the subsystem deals with the complexity of the component.
There are two types, A or B. Type A subsystems are simple systems with well-defined failure
modes and failure behavior. Type B subsystems are complex systems where one or more failure
modes are not clear or where we cannot fully understand the failure behavior of the system.
The safe failure fraction is a measure of the “fail-safe” design and built-in diagnostics of the safety
system. The more internal failures go to the safe side, or the more failures we can detect via built-in
diagnostics, the higher the safe failure fraction.
The hardware fault tolerance is a measure of redundancy. A hardware fault tolerance of 0 means
that the safety function of the subsystem is lost when 0+1=1 dangerous failure occurs.
A single subsystem has a hardware fault tolerance of zero;
a redundant subsystem has a hardware fault tolerance of 1, and so on.

Table 1 – Architectural constraints for subsystems

                        Type A                            Type B
Safe Failure            Hardware Fault Tolerance (HFT)    Hardware Fault Tolerance (HFT)
Fraction (SFF)          0        1        2               0        1        2
< 60 %                  SIL 1    SIL 2    SIL 3           N.A.     SIL 1    SIL 2
60 % - < 90 %           SIL 2    SIL 3    SIL 4           SIL 1    SIL 2    SIL 3
90 % - < 99 %           SIL 3    SIL 4    SIL 4           SIL 2    SIL 3    SIL 4
> 99 %                  SIL 3    SIL 4    SIL 4           SIL 3    SIL 4    SIL 4

The level gauge can actually be divided into three subsystems, as shown in Figure 3.
The division is based on the type of the subsystem according to IEC 61508. A single level gauge is
a mixed type subsystem, as it consists of Type A mechanical hardware, Type A electronic hardware
and Type B electronic hardware. In order for a single level gauge to achieve SIL 2 the following
conditions need to be met:
- Type A mechanical hardware needs to have a safe failure fraction of 60-90%
- Type A electronic hardware needs to have a safe failure fraction of 60-90%
- Type B electronic hardware needs to have a safe failure fraction of 90-99%




Figure 3 – Subsystems 1143-2 level sensor: the level sensor subsystem 1143-2 is divided into three
subsystems, mechanical hardware (Type A), electronic hardware (Type A) and electronic hardware (Type B).

To verify the safe failure fraction of a single sensor, a detailed component level failure modes and
effects analysis (FMEA) has been carried out. This FMEA addresses the mechanical as well as the
electronic hardware of the sensor. For every single internal component of the level gauge, the failure
modes were listed and the effects of these failure modes were analyzed, taking into account the safety
function as defined before. This was indeed a tedious task, but it documented the full possible failure
behavior of the level sensor as required by the standard.

Failure rate data was added to the FMEA in order to calculate the safe failure fraction. During the
FMEA the existing diagnostic features of the gauge were also taken into account.
Not all diagnostics required by the standard were available in the first design of the level sensor.
The FMEA revealed that several improvements had to be made in order to achieve the
required safe failure fractions. Additional software diagnostics were implemented. The accepted
design for a single level sensor currently meets the safe failure fractions for SIL 2. As it is possible to
use multiple sensors in different architectures, it is also possible to achieve SIL 3. Table 2
gives a complete overview of the possible architectures for the level sensor and their achievable
SIL levels according to IEC 61508.

Table 2 – Overview of the possible architectures and their achievable SIL level

                            Architecture
Attribute                   1oo1    1oo2    2oo3
Hardware fault tolerance    0       1       1
Fit for use in SIL          2       3       3
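As an added example (not code from the paper or from Whessoe), the following Python script computes the safe failure fraction from FMEA rows as IEC 61508 defines it, applies the Table 1 architectural constraints to the three subsystems of Figure 3, and shows how the software diagnostics described above raise the Type B electronics from SIL 1 to SIL 2 at HFT 0 and take the 1oo2 and 2oo3 architectures to SIL 3. All failure modes and failure rates are constructed for illustration; the hardware fault tolerance per architecture follows Table 2.

```python
# Added example, not the paper's or Whessoe's code: IEC 61508 safe failure fraction
# from FMEA rows plus the Table 1 architectural constraints, applied to a mixed-type
# sensor such as the 1143-2. All failure rates below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class FmeaRow:
    component: str
    failure_mode: str
    rate_fit: float   # failures per 1e9 h (FIT), constructed values
    effect: str       # "S" safe, "DD" dangerous detected, "DU" dangerous undetected


def safe_failure_fraction(rows):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    lam = {"S": 0.0, "DD": 0.0, "DU": 0.0}
    for row in rows:
        lam[row.effect] += row.rate_fit
    total = sum(lam.values())
    return 1.0 if total == 0 else (lam["S"] + lam["DD"]) / total


# Paper Table 1 (IEC 61508 architectural constraints). Rows are the SFF bands
# <60 %, 60-<90 %, 90-<99 %, >=99 %; columns are HFT 0, 1, 2. None means N.A.
ARCH_TABLE = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]],
    "B": [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}
ARCHITECTURES = {"1oo1": 0, "1oo2": 1, "2oo3": 1}   # hardware fault tolerance, Table 2


def sff_band(sff):
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


def subsystem_sil(sub_type, sff, hft):
    return ARCH_TABLE[sub_type][sff_band(sff)][min(hft, 2)]


def sensor_sil(subsystems, hft):
    """A mixed-type sensor is limited by its weakest subsystem (None if any is N.A.)."""
    sils = [subsystem_sil(t, safe_failure_fraction(rows), hft) for t, rows in subsystems]
    return None if None in sils else min(sils)


# Constructed FMEA extracts for the three subsystems of Figure 3.
MECHANICAL_A = [
    FmeaRow("tape", "breaks", 300, "DD"),                  # loss of signal seen by electronics
    FmeaRow("coil", "open circuit", 100, "DD"),
    FmeaRow("servo motor", "runs away upward", 50, "S"),   # drives the reading toward the trip
    FmeaRow("displacer", "sticks on guide", 150, "DU"),
]
ELECTRONIC_A = [
    FmeaRow("power supply", "no output", 200, "S"),
    FmeaRow("safety relay", "coil open", 100, "S"),
    FmeaRow("safety relay", "contacts welded", 80, "DU"),
]
# Type B electronics before and after the software diagnostics the FMEA called for.
ELECTRONIC_B_BEFORE = [
    FmeaRow("CPU", "hangs", 100, "DU"),
    FmeaRow("ADC", "drifts", 50, "DU"),
    FmeaRow("RAM", "bit error", 200, "DD"),
    FmeaRow("flash", "corrupted", 300, "DD"),
]
ELECTRONIC_B_AFTER = [
    FmeaRow("CPU", "hangs", 100, "DD"),                                 # watchdog added
    FmeaRow("ADC", "drifts, caught by plausibility check", 40, "DD"),
    FmeaRow("ADC", "drifts within check tolerance", 10, "DU"),
    FmeaRow("RAM", "bit error", 200, "DD"),
    FmeaRow("flash", "corrupted", 300, "DD"),
]
GAUGE_BEFORE = [("A", MECHANICAL_A), ("A", ELECTRONIC_A), ("B", ELECTRONIC_B_BEFORE)]
GAUGE_AFTER = [("A", MECHANICAL_A), ("A", ELECTRONIC_A), ("B", ELECTRONIC_B_AFTER)]


def achievable_sils(subsystems):
    return {name: sensor_sil(subsystems, hft) for name, hft in ARCHITECTURES.items()}


if __name__ == "__main__":
    for label, gauge in (("before diagnostics", GAUGE_BEFORE), ("after diagnostics", GAUGE_AFTER)):
        for sub_type, rows in gauge:
            print(f"{label}: Type {sub_type} SFF = {safe_failure_fraction(rows):.1%}")
        print(label, achievable_sils(gauge))
```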

5 NFPA 59 A requirements
Level sensors for LNG tanks need to comply in many countries with the US standard NFPA 59 A. This
standard is application specific, which means that besides the IEC 61508 requirements it is also
necessary for these level gauges to comply with the NFPA 59 A standard.
Although this is a US standard, many countries in the world storing LNG apply it as
a basis when building LNG storage tanks. There are a few very significant requirements in the
standard that need to be considered when using level gauges. The requirements within NFPA 59 A
call for three level gauges, one being dedicated to high-high level alarming only.
In other words, no matter how well the level sensors perform according to the IEC 61508 standard, if
a company needs to comply with NFPA 59 A then by definition they need to use three level gauges.
At the time of writing the NFPA 59 A standard, IEC 61508 was not known to the committee. Possibly
in the future the requirement of using 3 sensors may be reduced to 1 or 2 level gauges fit for use in a
certain SIL level according to IEC 61508.

6 Environmental conditions
At the design stage the safety system should integrate the following environmental factors:
- Temperature range: 20°C to +50°C
- Enclosure: IP 65
- Components tropical type protection: optional coating for PCB
- Pressure range: up to 500 mbar relative to atmospheric pressure
- Seismic resistance: up to 2g in all directions

Besides the above, the level gauges must also comply with the EMC requirements.

7 Quantitative reliability analysis


IEC 61508 requires the calculation of the probability of failure on demand (PFD) for a safety function. A
safety function usually consists of sensors, logic solvers, actuators and other peripheral equipment.
The probability of failure on demand is the probability that the safety function cannot be carried out
because of an internal failure of the safety system. For each SIL level the PFD range is presented in
the following table.

Table 3 - Safety Integrity Levels

SIL    Average Probability of Failure on Demand
1      ≥ 10^-5 to < 10^-4
2      ≥ 10^-3 to < 10^-2
3      ≥ 10^-4 to < 10^-3
4      ≥ 10^-5 to < 10^-4

Although the PFD can only be calculated for a complete safety function, in this paper we will
calculate the contribution the level sensor makes to the overall safety function. One of the most
advanced techniques for making reliability calculations is Markov analysis [11]. To make the
calculations, three Markov models were created for the three possible architectures the level sensors
can be used in. For each Markov model the reliability data resulting from the FMEA were used as
failure rate inputs. The actual voting of the 1oo2 and 2oo3 system occurs in the logic solver of the
ESD system. As the level sensors have excellent diagnostic capabilities, it is possible to send to the
logic solver signals indicating safe and dangerous detected failures. In other words, the logic solver
knows which signal from which sensor to trust and which signal not to trust. This helps significantly in
deciding whether to shut down or to indicate to the operators to repair the sensors. The results of the
PFD calculation are presented in Table 4. The PFD calculations are performed for 1 and 10 years of
continuous operation.

Table 4 – Architecture and configuration overview

                                   Architecture
Attribute                          1oo1         1oo2         2oo3
PFD after 1 year                   1.802e-004   4.404e-008   3.287e-007
Percentage of PFD after 1 year     0.180%       0.004%       0.033%
PFD after 10 years                 1.771e-003   4.181e-006   3.201e-005
Percentage of PFD after 10 years   17.7%        0.42%        3.20%
Fit for use in SIL                 2            3            3
PFS after 1 year                   1.154e-006   9.701e-005   1.918e-010
Fit for use in STL                 5            4            9

Figure 4 shows how the probability of failure on demand develops over time for all three
architectures. A graphical representation like this can be used by an end user to determine the periodic
proof test interval. This can only be done, though, if the logic solver and actuating part are also
included in the calculation. The 1oo1 architecture clearly performs the worst of the three architectures.
The reason that the 1oo2 architecture performs better than the 2oo3 architecture is that
the 2oo3 has more possibilities to fail.

Figure 4 – Probability of Failure on Demand for 1oo1, 1oo2, and 2oo3 architectures.




8 Conclusions
The paper presented the work performed by Whessoe S.A. to certify their LNG level sensor to the IEC
61508 and related standards. The level sensors were rigorously tested, not only for functional safety,
but also for specific environmental conditions. Whessoe decided to have the level sensor certified by
TÜV. This certification ensures that end-users do not need to evaluate the sensor any more
according to the IEC 61508 standard. The independent review by TÜV demonstrated that the level
sensor is capable of achieving SIL 2 in a 1oo1 configuration and SIL 3 in a 1oo2 or 2oo3
configuration.

9 References
[1] IEC 61508, Functional safety of electrical, electronic, programmable electronic safety-related
systems. International Electrotechnical Commission, Geneva, Switzerland, 1999
[2] IEC 61511, Functional safety – safety instrumented systems for the process industry.
International Electrotechnical Commission, Geneva, Switzerland, 2003
[3] NFPA 59, NFPA 59: Utility LP-Gas Plant Code. National Fire Protection Association, Quincy, MA,
USA, 2004
[4] 49 CFR. Part 13, USA
[5] EN1473. 4. 5. 8, Installation and equipment for liquefied natural gas. Design of onshore
installations, 1997
[6] EN 61326. 1, Electrical equipment for measurement, control and laboratory use - EMC
requirements. International Electrotechnical Commission, Geneva, Switzerland, 2005
[7] IEC 61010, Safety requirements for electrical equipment for measurement, control, and
laboratory use. International Electrotechnical Commission, Geneva, Switzerland, 2003
[8] EN50014, Electrical apparatus for potentially explosive atmospheres. General requirements,
1998
[9] EN50018, Electrical apparatus for potentially explosive atmospheres. Flameproof enclosure 'd',
2000
[10] EN50020, Electrical apparatus for potentially explosive atmospheres. Intrinsic safety 'i', 2002
[11] Börcsök, J., Electronic Safety Systems, Hardware Concepts, Models, and Calculations, ISBN 3-
7785-2944-7, Heidelberg, Germany, 2004

