united electric controlsueonline.com/whatnew/one_series_sil_verification.pdf · sil verification...

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

SIL Verification Summary

Project:

One Series in High Pressure Protection SIF

Customer: United Electric Controls

Watertown, MA USA

Contract No.: UEC 08/04-43 Report No.: UEC 08-04-43 R001

Version V1, Revision R1, December 15, 2008

© exida consulting L.L.C. uec 08-04-43 r001 v1 r1 one series sil verification, December 15, 2008 Chris O'Brien of 35

1 Summary ...................................................................................................................3

2 Example SIF: High Pressure Protection.....................................................................3 2.1 Functional Description ................................................................................................. 3 2.2 SIL Verification Results................................................................................................ 3 2.3 Proof Test Requirements............................................................................................. 4

3 SIF Summary Details .................................................................................................5 3.1 SIF 1001 High Pressure Protection - One Series ........................................................ 5 3.2 SIF 1001A High Pressure Protection - Generic Switch ............................................... 6 3.3 SIF 1001B High Pressure Protection - Generic Transmitter........................................ 7 3.4 SIF 1001C High Pressure Protection - Certified Transmitter....................................... 8

4 SIF Detailed Analysis.................................................................................................9 4.1 General Information ..................................................................................................... 9 4.2 Safety Integrity Levels ................................................................................................. 9 4.3 SILver – SIF 1001 High Pressure Protection - One Series........................................ 10

4.3.1 Sensor Part Configuration ................................................................................. 12 4.3.2 Logic Solver Part Configuration......................................................................... 13 4.3.3 Final Element Part Configuration ...................................................................... 14

4.4 SILver - SIF 1001A High Pressure Protection - Generic Switch................................ 16 4.4.1 Sensor Part Configuration ................................................................................. 18 4.4.2 Logic Solver Part Configuration......................................................................... 19 4.4.3 Final Element Part Configuration ...................................................................... 20

4.5 SILver - SIF 1001B High Pressure Protection - Generic Transmitter ........................ 22 4.5.1 Sensor Part Configuration ................................................................................. 24 4.5.2 Logic Solver Part Configuration......................................................................... 25 4.5.3 Final Element Part Configuration ...................................................................... 26

4.6 SILver - SIF 1001C High Pressure Protection - Certified Transmitter ....................... 28 4.6.1 Sensor Part Configuration ................................................................................. 30 4.6.2 Logic Solver Part Configuration......................................................................... 31 4.6.3 Final Element Part Configuration ...................................................................... 32

5 Abbreviations ...........................................................................................................34

6 Disclaimer, Assumptions, Equipment Data ..............................................................35 6.1 Disclaimer .................................................................................................................. 35 6.2 Assumptions SILver................................................................................................... 35 6.3 Equipment data.......................................................................................................... 35


1 Summary The IEC 61511 (ANSI/ISA-84.00.01-2004) standards provide requirements and guidance on the design of high reliability systems to protect against hazards. For a Safety Instrumented Function (SIF) to be designed in accordance with the standards the risk reduction provided must be confirmed in a step that is referred to as SIL Verification. This report compares the results of the SIL Verification step for an example SIF using various pressure sensing devices.

In addition to the risk reduction requirement the standards also list requirements for Architectural Constraints and SIL Capability. These requirements must also be addressed by the designed of the SIF and are not explicitly covered by this report. To demonstrate the SIL Capability of a device an assessment to IEC 61508 or a Proven in Use Analysis is required.

2 Example SIF: High Pressure Protection

2.1 Functional Description The “High Pressure Protection” SIF measures steam pressure in the boiler output header and opens a vent s valve if the pressure exceeds the setpoint. The SIF was modeled using four (4) unique pressure measuring instruments.

2.2 SIL Verification Results

Achieved Tag Description

RRF Architect. Constraint

SIL Capability1

MTTFS(years)

SIF 1001 High Pressure Protection – One Series 93 1 - - 7.03

SIF 1001A High Pressure Protection – Generic Switch 12 1 - - 6.21

SIF 1001B High Pressure Protection – Generic Transmitter 42 1 - - 6.74

SIF 1001C High Pressure Protection – Safety Transmitter 87 2 - - 6.74

1 SIL Capability must be confirmed through the use of certified equipment of the creation of a Proven in Use report.


2.3 Proof Test Requirements The following proof test intervals and test coverage factors were assumed during the SIL Verification.

Element PTI [months]

PTC [%]

Ref. Period[years]

Proof Test

Sensor 60 99 15 Move process variable to trip condition and confirm trip.

Logic Solver 60 98 15 Per Safety Manual

Final Control Element 12 85 15 Perform full stroke test of valve


3 SIF Summary Details

3.1 SIF 1001 High Pressure Protection - One Series

Project Name Ones Series Switch Analysis Unit Name Boiler 1001

SIF Tag SIF 1001 SIF Description Loss of combustion control can lead to excessive steam pressure. SIF Reference

Responsible Analysis Date December 14, 2008 Mission Time 15 years

Safety Instrumented Function Performance Achieved SIL 1 PFDavg 1.07E-02SIL (PFDavg) 1SIL (Arch. Constraints IEC 61508) 1SIL (Equipment Capability) -Achieved RRF 93MTTFS (years) 7.03

PFDavg MTTFS SILac Sensor Part 1.88E-03 1216.71 1 Logic Solver Part 4.24E-03 7.79 2 Final Element Part 4.62E-03 75.75 3

Remarks: The SIF operates in Low demand mode.

Note: The results shown in this SIL verification Summary are based on detailed calculation. All SIL verification assumptions like reliability data are documented in the detailed exSILentia report.


3.2 SIF 1001A High Pressure Protection - Generic Switch


SIF Tag SIF 1001A SIF Description Loss of combustion control can lead to excessive steam pressure. SIF Reference



PFDavg MTTFS SILac Sensor Part 7.62E-02 51.49 1 Logic Solver Part 4.24E-03 7.79 2 Final Element Part 4.62E-03 75.75 3




3.3 SIF 1001B High Pressure Protection - Generic Transmitter


SIF Tag SIF 1001B SIF Description Loss of combustion control can lead to excessive steam pressure. SIF Reference



PFDavg MTTFS SILac Sensor Part 1.33E-02 - 1 Logic Solver Part 6.03E-03 7.4 2 Final Element Part 4.62E-03 75.75 3




3.4 SIF 1001C High Pressure Protection - Certified Transmitter


SIF Tag SIF 1001C SIF Description Loss of combustion control can lead to excessive steam pressure. SIF Reference



PFDavg MTTFS SILac Sensor Part 8.35E-04 - 2 Logic Solver Part 6.03E-03 7.4 2 Final Element Part 4.62E-03 75.75 3




4 SIF Detailed Analysis

4.1 General Information Project Identification: United Electric Controls Project Name: Ones Series Switch Analysis Company: United Electric Controls Project Leader: Rick Frauton Project Initiated On: 14 Dec 2008 Project Description: - The following characterizes the Safety Instrumented Function. SIF Name High Pressure Protection - One Series SIF Description Loss of combustion control can lead to excessive steam pressure. SIF Reference Unit Name Boiler 1001 Hazard High pressure steam in the output header can lead to a rupture of the steam

header. Consequence Potential Loss of Life and three months loss of production.

4.2 Safety Integrity Levels The target Safety Integrity Level determined for this Safety Instrumented Function is: To Be Determined SIL verification determined that the Safety Integrity Level achieved by the Safety Instrumented Function is: SIL 1


4.3 SILver – SIF 1001 High Pressure Protection - One Series This section provides a detailed overview of the Safety Integrity Level verification performed for Safety Instrumented Function SIF 1001 High Pressure Protection - One Series. In order to perform the reliability calculations part of the Safety Integrity Level verification, the following assumptions have been made. Mission Time: 15 years Startup time: 24 hours Demand Rate: low The SIF operates in Low demand mode. The SIL verification has been performed on 14 Dec 2008.


Given the reliability data and calculation details described in the subsequent subsections in this report the SIF 1001 High Pressure Protection - One Series Safety Instrumented Function achieves the functional safety performance as displayed in Table 1. Table 1 Functional Safety Performance

PFDavg RRF SIL (PFDavg)

SIL (Architectural

Constraints IEC 61508)

SIL (Equipment Capability)

1.07E-02 93 1 1 N/A

The SIF 1001 High Pressure Protection - One Series Safety Instrumented Function was also evaluated on spurious trip behavior. The results expressed in the MTTFS are displayed in Table 2. Table 2 Spurious Trips

MTTFS (years)

7.03


4.3.1 Sensor Part Configuration The functional safety and spurious trip behavior of the sensor part of the SIF 1001 High Pressure Protection - One Series Safety Instrumented Function is quantified as follows. Sensor part PFDavg: 1.88E-03 Sensor part HFT: 0 Sensor part MTTFS: 1216.71 years Sensor part Architectural Constraints (IEC 61508) allow use up to SIL 1. The Sensor part of the SIF 1001 High Pressure Protection - One Series Safety Instrumented Function consists of 1 Sensor Group(s). The voting between these Sensor Groups is 1oo1.

4.3.1.1 Sensor Group 1: Pressure Switch The information and reliability data underneath describe the Pressure Switch sensor group as it has been analyzed in this Safety Integrity Level verification. Voting within group: 1oo1 HFT: 0 Voting type: - Equipment Leg (each): Clean Service

United Electric One Series 2W2D00, SIL, High trip Alarm Setting: Under Range Diagnostic Filtering: On

β-factor: - MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 99 [%] Table 3 shows the reliability data used during the SIL verification of sensor group Pressure Switch. Table 3 Reliability Data Sensor Group Pressure Switch

Failure Rates [1/h] Component Fail

Low Fail High

Fail Det. DD DU SD SU No

Effect

Arch. Type

SFF [%]

Each Leg 81.4

Clean Service A -

United Electric One Series 2W2D00, SIL

1.76E-07 8.40E-08 9.40E-08 9.20E-08 B -


4.3.2 Logic Solver Part Configuration The functional safety and spurious trip behavior of the logic solver part of the SIF 1001 High Pressure Protection - One Series Safety Instrumented Function is quantified as follows. Logic Solver part PFDavg: 4.24E-03 Logic Solver part HFT: 0 Logic Solver part MTTFS: 7.79 years Logic Solver part Architectural Constraints (IEC 61508) allow use up to SIL 2. The information and reliability data underneath describe the Logic Solver logic solver group as it has been analyzed in this Safety Integrity Level verification. Logic Solver Name: Logic Solver Equipment: Generic SIL2 Certified PLC MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 98 [%] β-factor: 0 [%] Architectural Constraint Type: B Table 4 shows the reliability data used during the SIL verification of logic solver group Logic Solver. Table 4 Reliability Data Logic Solver Logic Solver

Failure Rates [1/h] Component

Number used in analysis

per leg Safe

Detected Safe

Undetected Dangerous Detected

Dangerous Undetected

SFF [%]

Main Processor 1 6.93E-06 7.00E-08 2.85E-06 1.50E-07 98.5

Power Supply 1 2.25E-06 - 2.50E-07 - 100.0

Digital In Module 1 5.70E-07 3.00E-08 3.80E-07 2.00E-08 98.0

Digital In Channel 1 1.24E-07 7.00E-09 6.70E-08 4.00E-09 -

Digital Out Low Module 1 7.92E-07 8.00E-09 1.90E-07 1.00E-08 98.9

Digital Out Low Channel 1 1.39E-07 1.00E-09 5.70E-08 3.00E-09 -


4.3.3 Final Element Part Configuration The functional safety and spurious trip behavior of the final element part of the SIF 1001 High Pressure Protection - One Series Safety Instrumented Function is quantified as follows. Final Element part PFDavg: 4.62E-03 Final Element part HFT: 0 Final Element part MTTFS: 75.75 years Final Element part Architectural Constraints (IEC 61508) allow use up to SIL 3. The Final Element part of the SIF 1001 High Pressure Protection - One Series Safety Instrumented Function consists of 1 Final Element Group(s). The voting between these Final Element Groups is 1oo1.

4.3.3.1 Final Element Group 1: Final Control Valve The information and reliability data underneath describe the Final Control Valve final element group as it has been analyzed in this Safety Integrity Level verification. Voting within group: 1oo1 HFT: 0 Voting type: - Equipment Leg (each): Generic 3-way solenoid

Bettis G-Series Pneumatic, Spring-Return Fisher Controls Design EZ - Clean service, Full Stroke, Open on Trip Partial Valve Stroke Testing is performed; data from SERH.

β-factor: - MTTR: 24 hours Proof Test Interval: 12 months Proof Test Coverage: 85 [%] Table 5 shows the reliability data used during the SIL verification of final element group Final Control Valve. Table 5 Reliability Data Final Element Group Final Control Valve


DD DU SD SU No Effect Arch. Type

SFF [%]

Each Leg 94.4

Generic 3-way solenoid 5.79E-07

5.85E-07 6.00E-09

1.01E-06

1.01E-06

5.00E-07 5.00E-07

A -

Bettis G-Series Pneumatic, Spring-Return

4.14E-07

6.28E-07 2.14E-07

4.49E-07

4.49E-07

1.97E-06 1.97E-06

A -

Fisher Controls Design EZ - Clean service, Full Stroke, Open To Trip

1.24E-07

2.44E-07 1.20E-07

5.50E-08

5.50E-08

6.07E-07 6.07E-07

A -


The failure rates displayed in red & italic font show the adjusted failure rates due to the Partial Stroke Test performed (if any). Diagnostic coverage factor(s) for the Partial Stroke Test is (are) provided on a per leg basis.


4.4 SILver - SIF 1001A High Pressure Protection - Generic Switch This section provides a detailed overview of the Safety Integrity Level verification performed for Safety Instrumented Function SIF 1001A High Pressure Protection - Generic Switch. In order to perform the reliability calculations part of the Safety Integrity Level verification, the following assumptions have been made. Mission Time: 15 years Startup time: 24 hours Demand Rate: low The SIF operates in Low demand mode. The SIL verification has been performed on 14 Dec 2008. Comments:


Given the reliability data and calculation details described in the subsequent subsections in this report the SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function achieves the functional safety performance as displayed in Table 6. Table 6 Functional Safety Performance


SIL (Architectural



8.44E-02 12 1 1 N/A

The SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function was also evaluated on spurious trip behavior. The results expressed in the MTTFS are displayed in Table 7. Table 7 Spurious Trips

MTTFS (years)

6.21


4.4.1 Sensor Part Configuration The functional safety and spurious trip behavior of the sensor part of the SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function is quantified as follows. Sensor part PFDavg: 7.62E-02 Sensor part HFT: 0 Sensor part MTTFS: 51.49 years Sensor part Architectural Constraints (IEC 61508) allow use up to SIL 1. The Sensor part of the SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function consists of 1 Sensor Group(s). The voting between these Sensor Groups is 1oo1.

4.4.1.1 Sensor Group 1: Pressure Switch The information and reliability data underneath describe the Pressure Switch sensor group as it has been analyzed in this Safety Integrity Level verification. Voting within group: 1oo1 HFT: 0 Voting type: - Equipment Leg (each): Clean Service

Generic DP/ Pressure Switch, High trip Alarm Setting: Under Range Diagnostic Filtering: On

β-factor: - MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 99 [%] Table 8 shows the reliability data used during the SIL verification of sensor group Pressure Switch. Table 8 Reliability Data Sensor Group Pressure Switch


Low Fail High


Effect

Arch. Type

SFF [%]

Each Leg 40.0

Clean Service A -

Generic DP/ Pressure Switch

3.60E-06 2.40E-06 A -


4.4.2 Logic Solver Part Configuration The functional safety and spurious trip behavior of the logic solver part of the SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function is quantified as follows. Logic Solver part PFDavg: 4.24E-03 Logic Solver part HFT: 0 Logic Solver part MTTFS: 7.79 years Logic Solver part Architectural Constraints (IEC 61508) allow use up to SIL 2. The information and reliability data underneath describe the Logic Solver logic solver group as it has been analyzed in this Safety Integrity Level verification. Logic Solver Name: Logic Solver Equipment: Generic SIL2 Certified PLC MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 98 [%] β-factor: 0 [%] Architectural Constraint Type: B Table 9 shows the reliability data used during the SIL verification of logic solver group Logic Solver. Table 9 Reliability Data Logic Solver Logic Solver



per leg Safe

Detected Safe



SFF [%]


Power Supply 1 2.25E-06 - 2.50E-07 - 100.0

Digital In Module 1 5.70E-07 3.00E-08 3.80E-07 2.00E-08 98.0

Digital In Channel 1 1.24E-07 7.00E-09 6.70E-08 4.00E-09 -




4.4.3 Final Element Part Configuration The functional safety and spurious trip behavior of the final element part of the SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function is quantified as follows. Final Element part PFDavg: 4.62E-03 Final Element part HFT: 0 Final Element part MTTFS: 75.75 years Final Element part Architectural Constraints (IEC 61508) allow use up to SIL 3. The Final Element part of the SIF 1001A High Pressure Protection - Generic Switch Safety Instrumented Function consists of 1 Final Element Group(s). The voting between these Final Element Groups is 1oo1.






SFF [%]

Each Leg 94.4


5.85E-07 6.00E-09

1.01E-06

1.01E-06

5.00E-07 5.00E-07

A -


4.14E-07

6.28E-07 2.14E-07

4.49E-07

4.49E-07

1.97E-06 1.97E-06

A -


1.24E-07

2.44E-07 1.20E-07

5.50E-08

5.50E-08

6.07E-07 6.07E-07

A -


4.5 SILver - SIF 1001B High Pressure Protection - Generic Transmitter This section provides a detailed overview of the Safety Integrity Level verification performed for Safety Instrumented Function SIF 1001B High Pressure Protection - Generic Transmitter. In order to perform the reliability calculations part of the Safety Integrity Level verification, the following assumptions have been made. Mission Time: 15 years Startup time: 24 hours Demand Rate: low The SIF operates in Low demand mode. The SIL verification has been performed on 14 Dec 2008. Comments:


Given the reliability data and calculation details described in the subsequent subsections in this report the SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function achieves the functional safety performance as displayed in Table 11. Table 11 Functional Safety Performance


SIL (Architectural



2.38E-02 42 1 1 N/A

The SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function was also evaluated on spurious trip behavior. The results expressed in the MTTFS are displayed in Table 12. Table 12 Spurious Trips

MTTFS (years)

6.74


4.5.1 Sensor Part Configuration The functional safety and spurious trip behavior of the sensor part of the SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function is quantified as follows. Sensor part PFDavg: 1.33E-02 Sensor part HFT: 0 Sensor part MTTFS: - years Sensor part Architectural Constraints (IEC 61508) allow use up to SIL 1. The Sensor part of the SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function consists of 1 Sensor Group(s). The voting between these Sensor Groups is 1oo1.

4.5.1.1 Sensor Group 1: Pressure Transmitter The information and reliability data underneath describe the Pressure Transmitter sensor group as it has been analyzed in this Safety Integrity Level verification. Voting within group: 1oo1 HFT: 0 Voting type: - Equipment Leg (each): Clean Service

Generic DP/ Pressure Transmitter, High trip Alarm Setting: Under Range Diagnostic Filtering: On

β-factor: - MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 99 [%] Table 13 shows the reliability data used during the SIL verification of sensor group Pressure Transmitter. Table 13 Reliability Data Sensor Group Pressure Transmitter


Low Fail High


Effect

Arch. Type

SFF [%]

Each Leg 60.0

Clean Service A -

Generic DP/ Pressure Transmitter

4.00E-07

1.50E-07

1.50E-07

7.00E-07

6.00E-07 6.00E-07

2.00E-07 2.00E-07

B -

The data shown in blue and italic indicates the effect of the diagnostic filtering performed by the logic solver on the sensor group data.


4.5.2 Logic Solver Part Configuration The functional safety and spurious trip behavior of the logic solver part of the SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function is quantified as follows. Logic Solver part PFDavg: 6.03E-03 Logic Solver part HFT: 0 Logic Solver part MTTFS: 7.4 years Logic Solver part Architectural Constraints (IEC 61508) allow use up to SIL 2. The information and reliability data underneath describe the Logic Solver logic solver group as it has been analyzed in this Safety Integrity Level verification. Logic Solver Name: Logic Solver Equipment: Generic SIL2 Certified PLC MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 98 [%] β-factor: 0 [%] Architectural Constraint Type: B Table 14 shows the reliability data used during the SIL verification of logic solver group Logic Solver. Table 14 Reliability Data Logic Solver Logic Solver



per leg Safe

Detected Safe



SFF [%]


Power Supply 1 2.25E-06 - 2.50E-07 - 100.0

Analog In Module 1 9.50E-07 5.00E-08 9.00E-07 1.00E-07 95.1

Analog In Channel 1 4.80E-08 3.00E-09 4.80E-08 3.00E-09 -




4.5.3 Final Element Part Configuration The functional safety and spurious trip behavior of the final element part of the SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function is quantified as follows. Final Element part PFDavg: 4.62E-03 Final Element part HFT: 0 Final Element part MTTFS: 75.75 years Final Element part Architectural Constraints (IEC 61508) allow use up to SIL 3. The Final Element part of the SIF 1001B High Pressure Protection - Generic Transmitter Safety Instrumented Function consists of 1 Final Element Group(s). The voting between these Final Element Groups is 1oo1.






SFF [%]

Each Leg 94.4


5.85E-07 6.00E-09

1.01E-06

1.01E-06

5.00E-07 5.00E-07

A -


4.14E-07

6.28E-07 2.14E-07

4.49E-07

4.49E-07

1.97E-06 1.97E-06

A -


1.24E-07

2.44E-07 1.20E-07

5.50E-08

5.50E-08

6.07E-07 6.07E-07

A -


4.6 SILver - SIF 1001C High Pressure Protection - Certified Transmitter This section provides a detailed overview of the Safety Integrity Level verification performed for Safety Instrumented Function SIF 1001C High Pressure Protection - Certified Transmitter. In order to perform the reliability calculations part of the Safety Integrity Level verification, the following assumptions have been made. Mission Time: 15 years Startup time: 24 hours Demand Rate: low The SIF operates in Low demand mode. The SIL verification has been performed on 14 Dec 2008. Comments:


Given the reliability data and calculation details described in the subsequent subsections in this report the SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function achieves the functional safety performance as displayed in Table 16. Table 16 Functional Safety Performance


SIL (Architectural



1.15E-02 87 1 2 N/A

The SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function was also evaluated on spurious trip behavior. The results expressed in the MTTFS are displayed in Table 17. Table 17 Spurious Trips

MTTFS (years)

6.74


4.6.1 Sensor Part Configuration The functional safety and spurious trip behavior of the sensor part of the SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function is quantified as follows. Sensor part PFDavg: 8.35E-04 Sensor part HFT: 0 Sensor part MTTFS: - years Sensor part Architectural Constraints (IEC 61508) allow use up to SIL 2. The Sensor part of the SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function consists of 1 Sensor Group(s). The voting between these Sensor Groups is 1oo1.

4.6.1.1 Sensor Group 1: Pressure Transmitter The information and reliability data underneath describe the Pressure Transmitter sensor group as it has been analyzed in this Safety Integrity Level verification. Voting within group: 1oo1 HFT: 0 Voting type: - Equipment Leg (each): Clean Service

Rosemount 3051C / 3051L, SW Rev 7.0 or above, High trip Alarm Setting: Under Range Diagnostic Filtering: On

β-factor: - MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 99 [%] Table 18 shows the reliability data used during the SIL verification of sensor group Pressure Transmitter. Table 18 Reliability Data Sensor Group Pressure Transmitter


Low Fail High


Effect

Arch. Type

SFF [%]

Each Leg 93.1

Clean Service A -

Rosemount 3051C / 3051L, SW Rev 7.0 or above

3.30E-08

5.90E-08

2.64E-07

3.56E-07

3.70E-08 3.70E-08

1.38E-07 1.38E-07

B -

The data shown in blue and italic indicates the effect of the diagnostic filtering performed by the logic solver on the sensor group data.


4.6.2 Logic Solver Part Configuration The functional safety and spurious trip behavior of the logic solver part of the SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function is quantified as follows. Logic Solver part PFDavg: 6.03E-03 Logic Solver part HFT: 0 Logic Solver part MTTFS: 7.4 years Logic Solver part Architectural Constraints (IEC 61508) allow use up to SIL 2. The information and reliability data underneath describe the Logic Solver logic solver group as it has been analyzed in this Safety Integrity Level verification. Logic Solver Name: Logic Solver Equipment: Generic SIL2 Certified PLC MTTR: 24 hours Proof Test Interval: 60 months Proof Test Coverage: 98 [%] β-factor: 0 [%] Architectural Constraint Type: B Table 19 shows the reliability data used during the SIL verification of logic solver group Logic Solver. Table 19 Reliability Data Logic Solver Logic Solver



per leg Safe

Detected Safe



SFF [%]


Power Supply 1 2.25E-06 - 2.50E-07 - 100.0

Analog In Module 1 9.50E-07 5.00E-08 9.00E-07 1.00E-07 95.1

Analog In Channel 1 4.80E-08 3.00E-09 4.80E-08 3.00E-09 -




4.6.3 Final Element Part Configuration The functional safety and spurious trip behavior of the final element part of the SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function is quantified as follows. Final Element part PFDavg: 4.62E-03 Final Element part HFT: 0 Final Element part MTTFS: 75.75 years Final Element part Architectural Constraints (IEC 61508) allow use up to SIL 3. The Final Element part of the SIF 1001C High Pressure Protection - Certified Transmitter Safety Instrumented Function consists of 1 Final Element Group(s). The voting between these Final Element Groups is 1oo1.






SFF [%]

Each Leg 94.4


5.85E-07 6.00E-09

1.01E-06

1.01E-06

5.00E-07 5.00E-07

A -


4.14E-07

6.28E-07 2.14E-07

4.49E-07

4.49E-07

1.97E-06 1.97E-06

A -


1.24E-07

2.44E-07 1.20E-07

5.50E-08

5.50E-08

6.07E-07 6.07E-07

A -


5 Abbreviations IPL Independent Protection Layers HFT Hardware Fault Tolerance MTTFS Mean Time To Fail Spurious MTTR Mean Time To Repair PFDavg Average Probability of Failure on Demand PFH Probability of a Dangerous Failure per Hour PIU Proven In Use RRF Risk Reduction Factor SERH Safety Equipment Reliability Handbook SFF Safe Failure Fraction SIF Safety Instrumented Function SIL Safety Integrity Level SRS Safety Requirements Specification β-factor Beta factor, indicating common cause susceptibility DD Dangerous Detected DU Dangerous Undetected SD Safe Detected SU Safe Undetected AD Annunciation Detected AU Annunciation Undetected


6 Disclaimer, Assumptions, Equipment Data

6.1 Disclaimer The user of the exSILentia software is responsible for verification of all results obtained and their applicability to any particular situation. Calculations are performed per guidelines in applicable international standards. exida.com L.L.C. accepts no responsibility for the correctness of the regulations or standards on which the tool is based. In particular, exida.com L.L.C. accepts no liability for decisions based on the results of this software. The exida.com L.L.C. guarantee is restricted to the correction of errors or deficiencies within a reasonable period when such errors or deficiencies are brought to our attention in writing. exida.com L.L.C. accepts no responsibility for adjustments made to this automatically generated report made by the user.

6.2 Assumptions SILver De-energize-to-trip SILver is designed to verify Safety Instrumented Systems (SIS) that are based on the de-energize-to-trip principle. De-energize-to-trip implies that on loss of power the SIS will go to a safe state. A list of all other assumptions on which SILver is based can be found in the online SILver Help.

6.3 Equipment data exida has compiled a proprietary equipment failure database. This database is a compilation of failure data collected from a variety of public and confidential sources and presents an industry average. The database is published as the “Safety Equipment Reliability Handbook” ISBN-13: 978-0-9727234-1-1. The reliability data collection process as described in this book applies to the SILver equipment data collection process. The user is responsible for determining the applicability of the failure data to any particular environment. The stress levels assumed to determine the equipment failure rate are average for an industrial environment and can be compared to the RAC Ground Benign classification. Accurate plant specific data is preferable to general industry average data. Industrial plant sites with high levels of stress must use failure rate data that is adjusted to a higher value to account for the specific conditions of the plant.

united electric controlsueonline.com/whatnew/one_series_sil_verification.pdf · sil verification...

Documents