
SIL Verification

Project:
Redundant Solenoid Analysis

Customer:
ASCO Numatics
Asia Pacific
India

Contract No.: ASC 14-05-075


Report No.: ASC 14-05-075 R001
Version V1, Revision R3, June 10, 2014
Chris O'Brien

CONFIDENTIAL INFORMATION

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management summary
This report documents the results of the SIL Verification for the Redundant Solenoid Analysis
project prepared for ASCO Numatics. The SIL Verification was performed by exida on behalf of
ASCO Numatics.
Industry standards for SIS require that for each Safety Instrumented Function (SIF), a Safety
Integrity Level (SIL) target is selected and achievement of that target is confirmed by quantitative
analysis. The SIL represents the amount of risk reduction that is required to ensure a tolerable risk
is achieved for each specific hazard that is safeguarded by a SIF. For each SIF, this is a function of
the risk the process poses without considering the benefit of the SIS. In order to determine the
amount of risk reduction that is achieved, the design of the SIF must be evaluated in a SIL
verification. The SIL verification considers both probability of failure and minimum redundancy
requirements that result from the target SIL for each SIF.
exida supported the SIL Verification process by performing the following tasks:
• Safety Integrity Level Verification
exida in cooperation with ASCO Numatics performed the SIL Verification to support design of the
Redundant Solenoid Configurations. The SIL Verification calculation and SIL Capability analysis
were performed to document the capabilities of the installed SIFs. Table 1 shows an overview of
each configuration that was evaluated. The table provides the achieved Safety Integrity Level, the
achieved risk reduction, and the Mean Time To Fail Spurious (MTTFS) obtained from the SIL
verification. The achieved SIL, risk reduction, and MTTFS were established using exida’s integrated
safety lifecycle engineering tool exSILentia, by means of its SILver subtool. Details of the SIL
verification process are presented in the exSILentia report in Appendix B and Appendix C.

© exida.com L.L.C. asc q14-5-075 r001 v1r3 redundant solenoid sil verificaiton report, June 10, 2014
Chris O'Brien Page 2 of 24
Table 1 SIL Verification Summary

                                                              Achieved SIL
Architecture  Solenoid Valve  PFDAVG    RRF    MTTFS (years)  Capability  Arch. Constraints  System
1oo2          327 B0          1.11E-04  9009   96             3           3                  3
1oo2          327 B1 & B2     5.70E-05  17544  271            3           3                  3
1oo2          327 B3          5.70E-05  17544  416            3           3                  3
1oo2          327 A6          6.52E-05  15337  107            3           3                  3
1oo2          327 B(WS)       5.86E-05  17065  331            3           3                  3
1oo2          307 C8          1.96E-05  51020  110            4           3                  3
1oo2          307 B5          6.30E-05  15873  86             3           3                  3
1oo2          NACE 307        2.29E-05  43668  404            3           3                  3
2oo2          327 B0          4.05E-04  2469   3319           2           3                  2
2oo2          327 B1 & B2     2.15E-03  465    10130          2           3                  2
2oo2          327 B3          2.15E-03  465    15757          2           3                  2
2oo2          327 A6          2.44E-03  410    3737           2           3                  2
2oo2          327 B(WS)       2.21E-03  452    12460          2           3                  2
2oo2          307 C8          7.54E-04  1326   3854           3           3                  3
2oo2          307 B5          2.36E-03  424    2945           2           3                  2
2oo2          NACE 307        8.81E-04  1135   15290          2           3                  2
2oo3 (1, 2)   327 B0          2.20E-04  4545   1702           3           3                  3
2oo3          327 B1 & B2     1.12E-04  8929   5195           3           3                  3
2oo3          327 B3          1.12E-04  8929   8081           3           3                  3
2oo3          327 A6          1.28E-04  7813   1917           3           3                  3
2oo3          327 B(WS)       1.16E-04  8621   6390           3           3                  3
2oo3          307 C8          3.83E-05  26110  1977           4           3                  3
2oo3          307 B5          1.24E-04  8065   1510           3           3                  3
2oo3          NACE 307        4.49E-05  22272  7841           3           3                  3

(1) The 2oo3 configuration implemented for the solenoids is modeled as a 1oo2(2oo2) configuration.
(2) The values given for the 2oo3 configuration are valid for both the common bypass and the individual
isolation implementations.

Table of Contents
Management summary .................................................................................................... 2
1 Purpose and Scope ................................................................................................... 6
1.1 Background ..................................................................................................................6
1.2 Objectives and Scope ...................................................................................................6
2 Process and Roles ..................................................................................................... 7
2.1 exida .............................................................................................................................7
2.2 Project phases ..............................................................................................................7
2.3 Roles of the parties involved ........................................................................................7
2.4 Standards used ............................................................................................................8
2.5 Reference documents ..................................................................................................8
2.5.1 Industry Literature ................................................................................................8
2.5.2 Documentation generated by exida .....................................................................8
3 SIL Verification ........................................................................................................... 9
3.1 General Information ......................................................................................................9
3.2 Assumptions ...............................................................................................................10
3.3 Analysis Results .........................................................................................................11
4 Conclusions and Recommendations........................................................................ 13
4.1.1 SIF Equipment Testing.......................................................................................13
4.1.2 Proof Tests .........................................................................................................13
4.2 General Recommendations ........................................................................................13
5 Terms and Definitions .............................................................................................. 14
6 Status of the document ............................................................................................ 16
6.1 Liability ........................................................................................................................16
6.2 Releases .....................................................................................................................16
6.3 Future Enhancements ................................................................................................16
6.4 Release Signatures ....................................................................................................16
Appendix A SIL Verification Methodology .................................................................. 18
A.1 Overview .....................................................................................................................18
A.2 Markov Modeling ........................................................................................................19
A.3 Modeling Assumptions ...............................................................................................20
A.4 Data and Statistics ......................................................................................................20
Appendix B Failure Rates .......................................................................................... 22
Appendix C Detailed SIL Verification Report (exSILentia® SILver) ............................ 24

1 Purpose and Scope
This report documents the results of the SIL Verification for the Redundant Solenoid Analysis
project prepared for ASCO Numatics. The SIL Verification was performed by exida on behalf of
ASCO Numatics.

1.1 Background
The functional safety standards describing the implementation of SIS are based on the safety
lifecycle. The safety lifecycle is a management system that will yield a functionally safe system if all
steps are implemented properly. The IEC 61511 standard introduces the concept of Safety
Integrity Level (SIL). SIL is a measure of the amount of risk reduction that a Safety Instrumented
Function (SIF) is capable of providing, as defined by its average Probability of Failure on Demand
(PFDAVG) in low demand mode or its average Probability of dangerous Failure per Hour (PFH) in high
demand or continuous mode.
IEC 61511 requires that for each Safety Instrumented Function (SIF), a SIL target is selected and
achievement of that target is confirmed by quantitative analysis. The required amount of risk
reduction with respect to the SIS is a function of the residual unmitigated risk of the process, or the
risk the process poses without considering the SIF. In order to determine the amount of risk
reduction that is required, the process risk must be compared against guidelines for tolerable risk.
The difference between the process risk and the tolerable risk is the required risk reduction
capability for the SIF. In order to determine the amount of risk reduction that is achieved, the
conceptual design of the SIF is evaluated during a SIL verification where both probability of failure
and minimum levels of redundancy are analyzed.

1.2 Objectives and Scope


The objective of this study is to verify, through quantitative analysis, the achieved SIL for the Safety
Instrumented Functions previously identified in the Redundant Solenoid Analysis project. The SIL
verification process yields estimates for average probability of failure on demand (PFDAVG), SIL
(with and without architectural constraints), and mean time to fail spuriously (MTTFS).

2 Process and Roles

2.1 exida
exida is one of the world’s leading certification and knowledge companies specializing in
automation system safety and availability with over 300 years of cumulative experience in
functional safety. Founded by several of the world’s top reliability and safety experts from
assessment organizations, end-users, and manufacturers, exida is a partnership with offices
around the world. exida offers training, coaching, project oriented consulting services, internet
based safety engineering tools, detailed product assurance and certification analysis and a
collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate
and failure mode database on process equipment.

2.2 Project phases


This report, the SIL Verification for the Redundant Solenoid Analysis project, documents the results
of the SIL Verification performed by exida on behalf of ASCO Numatics.
exida performed the following tasks as part of this project:
• Safety Integrity Level Verification
exida will support subsequent safety lifecycle tasks if requested to do so.

2.3 Roles of the parties involved


ASCO Numatics  Designer and manufacturer of the Redundant Solenoid Configurations
exida          Project leader of the SIL Verification for the Redundant Solenoid Analysis project

2.4 Standards used
The services delivered by exida were performed based on the following standards.

Item  Identification                          Description
N1    IEC 61508: 2010, Parts 1 to 7           Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
N2    IEC 61511: 2003                         Functional Safety: Safety Instrumented Systems for the Process Industry Sector
N3    ANSI/ISA 84.00.01-2004 (IEC 61511 Mod)  Functional Safety: Safety Instrumented Systems for the Process Industry Sector

2.5 Reference documents

2.5.1 Industry Literature

Item Description
I1 Safety Equipment Reliability Handbook, Third edition, exida.com LLC, Sellersville, PA, USA.
ISBN-13 978-0-9727234-9-7

I2 William M. Goble, Control Systems Safety Evaluation & Reliability, 2nd edition, ISA, Research
Triangle Park, NC, USA.
ISBN 1-55617-636-8

2.5.2 Documentation generated by exida

Item  Identification                                                                     Description
R1    ASC Q14-5-075 R001 V1R3, Redundant Solenoid SIL Verification Report, June 10, 2014  SIL Verification report for the ASCO Numatics Redundant Solenoid Analysis project.

3 SIL Verification
This report, the SIL Verification for the Redundant Solenoid Analysis project, documents the results
of the SIL Verification performed by exida on behalf of ASCO Numatics.
exida supported the SIL Verification process by performing the following tasks:
• Safety Integrity Level Verification
The assumptions and results of these tasks are presented in the following sections.

3.1 General Information


Safety Integrity Level (SIL) is an order of magnitude classification of the effectiveness of a Safety
Instrumented Function (SIF), as defined by a range of average Probability of Failure on Demand
(PFDAVG). Table 2 shows the relationship between SIL, PFDAVG, and Risk Reduction Factor (RRF),
for the low demand mode of operation.

Table 2 Safety Integrity Levels and Associated Parameters (Low Demand Mode)

Safety Integrity Level (SIL)  Average Probability of Failure on Demand (PFDAVG)  Risk Reduction Factor (RRF)
3                             10^-3 to 10^-4                                     1,000 to 10,000
2                             10^-2 to 10^-3                                     100 to 1,000
1                             10^-1 to 10^-2                                     10 to 100

A SIL is assigned to each individual SIF, and reflects the amount of risk reduction that is required to
move the process risk from its existing level to a level that is considered tolerable. The objective of
the SIL verification process is to verify that the equipment that has been selected for the SIF as part
of the conceptual design, meets the requirements of the selected SIL, both in terms of PFDAVG and
architectural constraints.

3.2 Assumptions
Assumptions can be divided into general modeling assumptions and project specific assumptions.
An overview of the general modeling assumptions is provided in Appendix A. Project specific
assumptions are listed in this section.
• Based on the SIL selection, it is concluded that each SIF's demand interval is at least twice
as long as the longest proof test interval; therefore all Safety Instrumented Functions are
determined to operate in low demand mode.
• The mission time is 15 years, therefore all equipment will be replaced/refurbished every 15
years or as directed in the product safety manual.
• The start-up time, the time between a nuisance trip and restart of the unit, is 24 hours.
• The Mean Time To Restoration (MTTR) is 24 hours for all equipment.
• It is assumed that all equipment items (sensors, logic solvers, and final elements) are
implemented in accordance with their safety manuals.
• It is assumed that the only diagnostic capabilities implemented are the device-internal
diagnostics; no application-level diagnostics are implemented.
• The proof test interval for all equipment is 12 months.
• It is assumed that no interposing relays are used in the design.
• All solenoids are modeled as de-energize-to-trip (DTT) with non-redundant coils.

3.3 Analysis Results
The results of the SIL Verification study are shown in Table 3.
Table 3 SIL Verification Results

                                                              Achieved SIL
Architecture  Solenoid Valve  PFDAVG    RRF    MTTFS (years)  Capability  Arch. Constraints  System
1oo2          327 B0          1.11E-04  9009   96             3           3                  3
1oo2          327 B1 & B2     5.70E-05  17544  271            3           3                  3
1oo2          327 B3          5.70E-05  17544  416            3           3                  3
1oo2          327 A6          6.52E-05  15337  107            3           3                  3
1oo2          327 B(WS)       5.86E-05  17065  331            3           3                  3
1oo2          307 C8          1.96E-05  51020  110            4           3                  3
1oo2          307 B5          6.30E-05  15873  86             3           3                  3
1oo2          NACE 307        2.29E-05  43668  404            3           3                  3
2oo2          327 B0          4.05E-04  2469   3319           2           3                  2
2oo2          327 B1 & B2     2.15E-03  465    10130          2           3                  2
2oo2          327 B3          2.15E-03  465    15757          2           3                  2
2oo2          327 A6          2.44E-03  410    3737           2           3                  2
2oo2          327 B(WS)       2.21E-03  452    12460          2           3                  2
2oo2          307 C8          7.54E-04  1326   3854           3           3                  3
2oo2          307 B5          2.36E-03  424    2945           2           3                  2
2oo2          NACE 307        8.81E-04  1135   15290          2           3                  2
2oo3 (3, 4)   327 B0          2.20E-04  4545   1702           3           3                  3
2oo3          327 B1 & B2     1.12E-04  8929   5195           3           3                  3
2oo3          327 B3          1.12E-04  8929   8081           3           3                  3
2oo3          327 A6          1.28E-04  7813   1917           3           3                  3
2oo3          327 B(WS)       1.16E-04  8621   6390           3           3                  3
2oo3          307 C8          3.83E-05  26110  1977           4           3                  3
2oo3          307 B5          1.24E-04  8065   1510           3           3                  3
2oo3          NACE 307        4.49E-05  22272  7841           3           3                  3

(3) The 2oo3 configuration implemented for the solenoids is modeled as a 1oo2(2oo2) configuration.
(4) The values given for the 2oo3 configuration are valid for both the common bypass and the individual
isolation implementations.

4 Conclusions and Recommendations
exida performed a SIL Verification study for the Redundant Solenoid Analysis project for ASCO
Numatics, Asia Pacific. The study determined the achieved Safety Integrity Levels for the set of
Safety Instrumented Functions that were identified during the SIL selection phase of this project.

4.1.1 SIF Equipment Testing


The SIF equipment testing can be divided into two categories; application diagnostic tests and
scheduled proof tests. For the SIFs identified there are no application level diagnostic tests.

4.1.2 Proof Tests


The proof test interval for all equipment is 12 months. Postponing testing beyond the modeled
interval invalidates the results of the SIL Verification, because PFDAVG grows with the time
elapsed since the last proof test. The manufacturer's recommended proof tests should be implemented.

4.2 General Recommendations


Review equipment against updated or As Built P&ID drawings.
exida recommends that the user of the Redundant Solenoid Configurations include all SIS components
in the project Mechanical Integrity Database, to track their performance over time, as required by
applicable standards. If the SIS causes more spurious trips than expected (e.g. more than one trip
over the SIS lifetime), then ASCO Numatics may decide to change the SIF design and/or replace SIF
components with another type that has proven to be more reliable (or at least has better reliability
data available in terms of spurious trips, while providing similar reliability with respect to
dangerous failures as the components in use).
The above conclusions and recommendations are based on the probabilistic analysis of the SIF designs
only. No assessment has been made at this point of the other aspects of SIF component certification
according to IEC 61508. That is a more complex and detailed evaluation that needs documentation
support from manufacturers and potentially further work on their design and/or manufacturing process
and procedures, but it provides the control of systematic failures required by the integrity level
under consideration. As the Redundant Solenoid Analysis project requires the design of high integrity
safety loops (SIL 2 and SIL 3), exida strongly recommends that ASCO Numatics work with its preferred
safety instrumentation vendors to seek certification for all SIF components that do not currently
hold IEC 61508 certification. For the Redundant Solenoid Analysis project ASCO Numatics will use
IEC 61508 certified devices where available and supplement these with non-certified devices based on
prior-use (proven in use) considerations.

5 Terms and Definitions
ALARP As Low As Reasonably Practicable
Architectural Constraints Limitations that are imposed on the hardware selected to implement a
safety-instrumented function, regardless of the performance calculated
for a subsystem. Architectural constraints are specified (in IEC 61508-2-
Tables 2 and 3, and IEC 61511-Tables 5 and 6) according to the required
SIL of the subsystem, type of components used, and SFF of the
subsystem’s components. Type A components are simple devices not
incorporating microprocessors, and Type B devices are complex devices
such as those incorporating microprocessors.
Availability The average probability that a device is operating successfully at any
moment in time. This is a measure of the “uptime” and is defined in units
of percent.
BPCS Basic Process Control System
Diagnostic Coverage A measure of a system’s ability to detect failures. This is a ratio between
the failure rates for detected failures to the failure rate for all failures in
the system.
FIT Failure unIT, 1 FIT = 1.00E-9 Failures / Hour
FMEDA Failure Modes Effects and Diagnostic Analysis
A systematic procedure during which each failure mode of each component is
examined to determine the effect of that failure on the system and whether that
failure is detected by any automatic diagnostic function
HFT Hardware Fault Tolerance
The number of dangerous random failures tolerated by a system while still
maintaining the ability to successfully perform the safety function
IEC International Electrotechnical Commission
MTTFS Mean Time To Fail Spurious
PFDavg average Probability of Failure on Demand
PFH Probability of Dangerous Failure per Hour
PLC Programmable Logic Controller
PTC Proof Test Coverage, the percentage of failures that are detected during the
servicing of equipment.
PTI Proof Test Interval, the time interval between servicing of the equipment.
RRF Risk Reduction Factor, the inverse of PFDavg
SERH Safety Equipment Reliability Handbook
SFF Safe Failure Fraction
A measure of safety integrity defined by IEC 61508-2 consisting of the ratio of
safe random failures plus dangerous detected random failures divided by all total
random failures. It is used to determine minimum levels of hardware fault
tolerance (redundancy for safety).
SIF Safety Instrumented Function
SIL Safety Integrity Level
Discrete level (one out of a possible four) for specifying the safety integrity
requirements of the safety functions to be allocated to the electronic /
programmable electronic safety-related systems, where safety integrity level 4
has the highest level of safety integrity and safety integrity level 1 has the lowest
[IEC 61508-4]

SIS Safety Instrumented System – Implementation of one or more Safety
Instrumented Functions. A SIS is composed of any combination of
sensor(s), logic solver(s), and final element(s).
SRS Safety Requirements Specification
TI Test Interval, used in risk analysis equations to represent the proof test
interval described above

6 Status of the document

6.1 Liability
exida provides services and analyses based on methods advocated in international and national
standards. Input information for the SIL Verification is obtained from the customer / owner /
operator, i.e. xxx. exida accepts no liability whatsoever for the correct and safe functioning of a
plant or installation developed based on this SIL Verification analysis or for the correctness of the
standards on which the general methods are based.

6.2 Releases
Version: V1
Revision: R3
Version History: V0, R1: Draft; June 2, 2014
V1, R1: Released; June 5, 2014
V1, R2: Updated description of architecture, June 6, 2014
V1, R3: Updated description of isolation, June 10, 2014
Author: Chris O'Brien
Review: Greg Sauk (exida)

6.3 Future Enhancements


None are foreseen

6.4 Release Signatures

Chris O’Brien, Partner, CFSE

Greg Sauk, Senior Safety Engineer, CFSE

Appendix A SIL Verification Methodology
This appendix provides an overview of the SIL verification methodology applied during the SIL
Verification study of the Redundant Solenoid Analysis project for ASCO Numatics, Asia Pacific.

A.1 Overview
National and International standards that describe the implementation of automated systems for
safety related purposes, including ANSI/ISA 84.00.01-2004, IEC 61508, and IEC 61511 present the
safety lifecycle model, which is a management system for implementing Safety Instrumented
Systems (SIS). These standards define either three or four Safety Integrity Levels (SIL) that
represent the effectiveness of each Safety Instrumented Function (SIF). SILs are categories of the
average Probability of Failure on Demand (PFDAVG). Table 4 shows categories of SIL and the
performance parameters that are related to those categories, including PFDAVG and Risk Reduction
Factor (RRF), which is the inverse of PFDAVG, for the low demand mode of operation.

Table 4 Safety Integrity Levels and Associated Parameters (Low Demand Mode)

Safety Integrity Level (SIL)  Average Probability of Failure on Demand (PFDAVG)  Risk Reduction Factor (RRF)
3                             10^-3 to 10^-4                                     1,000 to 10,000
2                             10^-2 to 10^-3                                     100 to 1,000
1                             10^-1 to 10^-2                                     10 to 100

The requirements that are defined for a SIS specify both design features (hardware, software,
redundancy, etc.) and operational philosophy (inspection maintenance policy, frequency and quality
of testing, etc.). These attributes of a SIS, as described above, will determine how that system will
function. An important part of the safety lifecycle includes quantitatively describing the effectiveness
of each SIF. SIF performance is usually described by the metrics of PFDAVG and Mean Time To Fail
Spurious (MTTFS).
SIF performance metrics can be estimated using the historical system performance data of the
individual components that comprise a SIF. A number of techniques that estimate the performance
metrics based on the performance of the components that comprise a system and a description of
how they are logically related have been employed for the task of SIS analysis. Collectively, these
techniques are called “fault propagation models”. Some of the most commonly used fault
propagation models include fault tree analysis, event tree analysis, reliability block diagrams, and
Markov models.

While PFDAVG is the key variable that SIS designers are concerned with, safe failures must also be
considered. The safe failures are alternately referred to as nuisance trips, or spurious trips. Safe
failures are typically described by the Mean Time To Fail Spurious (MTTFS) metric. Spurious trips
can adversely impact the safety of a process in a number of ways. Process start-up and shutdown
are typically higher risk time periods than normal operation; thus, unnecessarily increasing the
number of startups will often have a detrimental effect on safety. In some cases, the nuisance
shutdown itself may cause hazards, such as hydraulic hammer of pipe work, that are as great as
the hazard that the SIF is protecting against. As a result, reducing the number of spurious trips
often increases the safety of the process. Spurious trips may also cause financial losses due to
decreased productivity, lost product, and decreased product quality. Increasing acceptable MTTFS
requirements can often be justified because of the high cost associated with a spurious trip.

A.2 Markov Modeling


Andrei Andreyevich Markov (1856-1922), a Russian mathematician, studied probability while
teaching at St. Petersburg University in the late 1800s. He defined the “Markov process”, in which
the future variable is determined by the present variable but is independent of predecessors.
Markov emphasized sequences where the variable takes on particular discrete values; these
sequences are known as Markov chains. That work has been extensively developed over the
years. These methods apply nicely to the failure/repair process because combinations of failures
create discrete system states. In addition, the failure/repair process moves between discrete states
only as a result of current state and current failure.
The Markov model building technique involves definition of all mutually exclusive success/failure
states in a system. Labeled circles represent these states. The system can transition from one state
to another whenever a failure or a repair occurs. Transitions between states are shown with arrows
(transition arcs) and are labeled with the appropriate failure or repair probabilities (often
approximated using failure/repair rates). This model is used to describe the behavior of the system
with time. If time is modeled in discrete increments (for example, once per hour), simulations can
be run using the probabilities shown in the models. Calculations can be made showing the
probability of being in each state for each time interval. Since some states represent system
success, the probabilities of these states are added to obtain either system reliability or system
availability as a function of time. Many other reliability metrics are also obtained using various
techniques.
The Markov modeling technique uses only two simple symbols, as shown in Figure 1. It provides a
complete set of evaluation tools when compared with many other reliability and safety evaluation
techniques.
Circles (states) show combinations of successfully operating components and failed components.
Possible component failures and repairs are shown with transition arcs, arrows that go from one
state to another. A number of different combinations of failed and successful components are
possible. Some represent system success states, while others represent system failure states. It
shall be noted that multiple failure modes can be shown on one drawing.

Figure 1 Markov Model Symbols (state: labeled circle; transition: arrow between states)


A Markov model can show on a single drawing the entire operation of a fault-tolerant control
system. If the model is created completely, it will show full system success states. It will also show
degraded states where the system is still operating successfully but vulnerable to further failures.
The drawing will also show all failure modes.

A.3 Modeling Assumptions


While performing the Redundant Solenoid Analysis SIL Verification study, the following assumptions
about the SIS and SIFs under consideration were made when modeling their performance.
• The SIS being evaluated is designed, installed, and maintained in accordance with all
applicable national and international standards regarding SIS.
• The failure rate of components is assumed to be constant over the useful life of the system.
• It is generally assumed that the failure of an individual component is statistically
independent of the failure of other components. All failure events are independent events.
• The failed state and the operating state are mutually exclusive; a component must be either
completely failed or completely operational at all points in time.
• Once a component has failed, it remains in the failed state until repaired.
• Unless specifically noted otherwise, all repairs will return a component to its original failure-
free state.
• Testing frequencies are assumed to be much higher than failure rates.

A.4 Data and Statistics


The analysis presented in this report depends, to a substantial degree, on the reliability and failure
data that was used to calculate the various SIF performance parameters. The data needed for a
component is usually presented in terms of four variables: failure rate (λ), percentage safe versus
dangerous failures, diagnostic coverage of safe failures (Cs), and diagnostic coverage of
dangerous failures (Cd), or in terms of failure rates for each mode. Using these component
performance parameters and information about system maintenance and testing, the PFDAVG and
MTTFS are calculated.
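As an added illustration of the Markov approach described above and of how the inputs just listed (failure rates by mode, β, MTTR, proof test interval and coverage) turn into PFDavg and MTTFS, the following Python script is an example written for this edition; it is not exida's exSILentia model or code. It builds a state-transition model for a two-leg final element group using the per-leg rates this report prints for the ASCO 327 B0 legs and evaluates it for 1oo2 and 2oo2 voting. The state model, the treatment of proof test coverage as a split of λDU into a tested and an untested part, the one-hour time step, the 20-year mission time and the use of the safe detected rate as the spurious-trip rate are assumptions of the example; its results are of the same order as the Appendix C figures for SIFs A1 and B1 but are not expected to reproduce them.

```python
"""Simplified Markov evaluation of a two-solenoid final element group.

Added example for this edition, not exida's exSILentia model. The per-leg
rates, beta, MTTR, proof test interval and proof test coverage are the values
this report prints for the ASCO 327 B0 legs (SIFs A1 and B1); the state
model, the one-hour time step, the 20-year mission time and the use of the
safe detected rate as the spurious-trip rate are assumptions of the example.
"""
from itertools import product

HOURS_PER_YEAR = 8760.0

# Per-leg rates for "ASCO Series 327, 327B0***, DTT, redundant" [1/h]
LAMBDA_DU = 3.56e-7      # dangerous undetected (fail to trip)
LAMBDA_SD = 6.12e-7      # safe detected, assumed to de-energize the leg
BETA = 0.05              # common cause fraction between the two legs
MTTR_H = 24.0
PROOF_TEST_H = HOURS_PER_YEAR      # 12 months
PROOF_TEST_COVERAGE = 0.99
MISSION_H = 20 * HOURS_PER_YEAR    # assumed mission time


def dangerous_transitions(state, lam_du, beta, ptc):
    """Arcs leaving `state` = (legs failed in a mode the proof test finds,
    legs failed in a mode it does not find); returns [(target, rate), ...].
    Proof test coverage splits lambda_DU into a tested and an untested part."""
    t, u = state
    lam_t, lam_u = ptc * lam_du, (1.0 - ptc) * lam_du
    good = 2 - t - u
    if good == 2:        # independent failure of either leg, or common cause of both
        return [((1, 0), 2 * (1 - beta) * lam_t), ((0, 1), 2 * (1 - beta) * lam_u),
                ((2, 0), beta * lam_t), ((0, 2), beta * lam_u)]
    if good == 1:        # the remaining leg fails at its full rate
        return [((t + 1, u), lam_t), ((t, u + 1), lam_u)]
    return []            # both legs failed: absorbing until the next proof test


def pfd_average(voting, lam_du=LAMBDA_DU, beta=BETA, ti=PROOF_TEST_H,
                ptc=PROOF_TEST_COVERAGE, mission=MISSION_H, dt=1.0):
    """Average PFD over the mission for a 1oo2 or 2oo2 group of two legs,
    by stepping the discrete-time Markov chain hour by hour. At each proof
    test the legs failed in tested modes return to the good state (repair
    time after the test is neglected against the test interval)."""
    if voting not in ("1oo2", "2oo2"):
        raise ValueError(voting)
    states = [(t, u) for t, u in product(range(3), repeat=2) if t + u <= 2]
    arcs = {s: dangerous_transitions(s, lam_du, beta, ptc) for s in states}
    out = {s: sum(r for _, r in arcs[s]) for s in states}
    need = 2 if voting == "1oo2" else 1        # failed legs that defeat the vote
    failed = [s for s in states if s[0] + s[1] >= need]
    p = {s: 0.0 for s in states}
    p[(0, 0)] = 1.0
    steps, test_every = int(mission / dt), int(ti / dt)
    total = 0.0
    for k in range(1, steps + 1):
        nxt = {s: p[s] * (1.0 - out[s] * dt) for s in states}
        for s in states:
            for target, r in arcs[s]:
                nxt[target] += p[s] * r * dt
        p = nxt
        if k % test_every == 0:                # proof test
            for t, u in states:
                if t:
                    p[(0, u)] += p[(t, u)]
                    p[(t, u)] = 0.0
        total += sum(p[s] for s in failed) * dt
    return total / mission


def mean_time_to_absorption(transient, arcs, start):
    """Mean hours spent in the transient states before absorption, for a
    continuous-time chain: solve (-T) m = 1, T = generator restricted to the
    transient states, by Gauss-Jordan elimination."""
    idx = {s: i for i, s in enumerate(transient)}
    n = len(transient)
    a = [[0.0] * n + [1.0] for _ in range(n)]  # augmented matrix [-T | 1]
    for s, i in idx.items():
        for target, r in arcs[s]:
            a[i][i] += r
            if target in idx:
                a[i][idx[target]] -= r
    for col in range(n):
        piv = max(range(col, n), key=lambda row: abs(a[row][col]))
        a[col], a[piv] = a[piv], a[col]
        for row in range(n):
            if row != col:
                f = a[row][col] / a[col][col]
                a[row] = [x - f * y for x, y in zip(a[row], a[col])]
    i = idx[start]
    return a[i][n] / a[i][i]


def mttfs_years(voting, lam_sd=LAMBDA_SD, beta=BETA, mttr=MTTR_H):
    """Mean time to a spurious trip of the group, in years. With de-energize
    to trip, a 1oo2 group trips when either leg (or both, by common cause)
    fails safe; a 2oo2 group trips only if the second leg fails safe while
    the first is still being repaired, or both fail by common cause."""
    if voting == "1oo2":
        arcs = {"ok": [("trip", 2 * (1 - beta) * lam_sd + beta * lam_sd)]}
        transient = ["ok"]
    else:
        arcs = {"ok": [("one_tripped", 2 * (1 - beta) * lam_sd), ("trip", beta * lam_sd)],
                "one_tripped": [("ok", 1.0 / mttr), ("trip", lam_sd)]}
        transient = ["ok", "one_tripped"]
    return mean_time_to_absorption(transient, arcs, "ok") / HOURS_PER_YEAR


if __name__ == "__main__":
    for voting in ("1oo2", "2oo2"):
        print("%s: PFDavg = %.2e, MTTFS = %.1f years"
              % (voting, pfd_average(voting), mttfs_years(voting)))
```

pfd_average() is a plain forward iteration of the chain, so an additional state or arc (a dangerous detected failure repaired at rate 1/MTTR, for instance) is one more entry in dangerous_transitions(); the proof test step is where the "testing frequencies much higher than failure rates" assumption enters, since the probability mass found at a test is returned to the good state in one step.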

Collection, analysis and presentation of this data are important parts of the analysis process.
Quantification of equipment failure rates depends on historical information regarding how events
that cause or propagate an accident have occurred in the past. The best source of failure rate data
is records of failures and maintenance of equipment that exist in the process plant that is being
studied. This information is best because the failure rate describes the actual conditions under
which the process equipment is being used. Unfortunately, historical reliability data is often
unavailable.
In cases where company specific data is unavailable or incomplete, industry average data has
been used. exida has compiled a proprietary equipment failure database. The database is a
compilation of failure data collected from a variety of public and confidential sources. exida has
selected the most appropriate data from the various sources and combined them on a consistent
basis for many types of process equipment and services. Basic event frequencies used in this
study are included at the end of the appendices that contain detailed calculation information.
exida recognizes that some data provides a more accurate representation of failure rates than
others. The following priority is given to the various data sources that might be available for an
equipment item.
1. Results of FMEDA analysis that is integral in the certification report presented by a well-
respected independent third-party organization.
2. Results of FMEDA analysis performed by generally accepted practices, using generally
accepted and comparable databases of component reliability. Prior to use of this type of
data exida would review and approve of the analysis process and data. NOTE: exida does
not use MTTF data published by equipment vendors that was determined on the basis of
field returns, as that data is often misleading.
3. Compilation of published and proprietary failure rates for instruments used in the process
industries.
The exida reliability database is published in the Safety Equipment Reliability Handbook, Third
Edition (ISBN-13: 978-0-9727234-9-7).

Appendix B Failure Rates
The subsequent pages in this appendix summarize the failure rates used for the individual solenoid
models. Only three rates are printed per device; the SFF shown for each leg is reproduced exactly by
reading them as λDU, λSD and λSU with no dangerous detected (DD) or residual contribution, i.e.
SFF = (λSD + λSU) / (λDU + λSD + λSU), and the tables below are laid out on that reading.

Table 5 Reliability Data ASCO 327 B0
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 75.0
ASCO Series 327, 327B0***, DTT, redundant [2014.1.02] | | 3.56E-07 | 6.12E-07 | 4.56E-07 | | A | -

Table 6 Reliability Data ASCO 327 B1 & B2
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 71.2
ASCO Series 327, 327B1/B2***, DTT [2014.1.02] | | 1.88E-07 | 2.16E-07 | 2.48E-07 | | A | -

Table 7 Reliability Data ASCO 327 B3
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 67.4
ASCO Series 327, 327B3***, DTT [2014.1.02] | | 1.88E-07 | 1.41E-07 | 2.48E-07 | | A | -

Table 8 Reliability Data ASCO 327 A6
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 81.7
ASCO Series 327, 327A6***, DTT [2014.1.02] | | 2.14E-07 | 5.49E-07 | 4.09E-07 | | A | -

Table 9 Reliability Data ASCO 327 B(WS)
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 71.2
ASCO Series 327, 327B3(WS)IS, DTT [2014.1.02] | | 1.93E-07 | 1.77E-07 | 3.01E-07 | | A | -

Table 10 Reliability Data ASCO 307 C8
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 90.7
ASCO Series 307 C8 | | 6.60E-08 | 5.33E-07 | 1.09E-07 | | A | -

Table 11 Reliability Data ASCO 307 B5
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 80.0
ASCO Series 307 B5 | | 2.07E-07 | 6.80E-07 | 1.46E-07 | | A | -

Table 12 Reliability Data NACE 307
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 85.0
ASCO Series NACE 307 | | 7.70E-08 | 1.45E-07 | 2.90E-07 | | A | -
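To check the SFF column of Tables 5 to 12 and the architectural-constraint statements in Appendix C, the following Python script is an added example for this edition, not part of the report or of exSILentia. It recomputes each leg's SFF from the printed rates, read as λDU, λSD and λSU with λDD = 0 (the reading under which the printed SFF values result), and looks up the highest SIL the IEC 61508-2:2000 Table 2 constraints for Type A subsystems allow at HFT 1 (the 1oo2 groups) and HFT 0 (the 2oo2 groups). The device labels and the dictionary keys are the example's own.

```python
"""SFF and IEC 61508:2000 architectural-constraint check for the Appendix B data.

Added example for this edition, not part of the report or of exSILentia.
The three rates printed per device are read as lambda_DU, lambda_SD and
lambda_SU with lambda_DD = 0; that reading is an inference from the printed
SFF values, and the check below confirms it for all eight devices.
"""

# (device, lambda_DU, lambda_SD, lambda_SU) [1/h] and the "Each Leg" SFF [%] as printed
APPENDIX_B = [
    ("327 B0",      3.56e-7, 6.12e-7, 4.56e-7, 75.0),
    ("327 B1 & B2", 1.88e-7, 2.16e-7, 2.48e-7, 71.2),
    ("327 B3",      1.88e-7, 1.41e-7, 2.48e-7, 67.4),
    ("327 A6",      2.14e-7, 5.49e-7, 4.09e-7, 81.7),
    ("327 B(WS)",   1.93e-7, 1.77e-7, 3.01e-7, 71.2),
    ("307 C8",      6.60e-8, 5.33e-7, 1.09e-7, 90.7),
    ("307 B5",      2.07e-7, 6.80e-7, 1.46e-7, 80.0),
    ("NACE 307",    7.70e-8, 1.45e-7, 2.90e-7, 85.0),
]

# IEC 61508-2:2000 Table 2 (Type A subsystems): highest SIL per SFF band,
# as (band upper bound, (HFT 0, HFT 1, HFT 2)).
TYPE_A_MAX_SIL = [
    (0.60, (1, 2, 3)),   # SFF < 60 %
    (0.90, (2, 3, 4)),   # 60 % <= SFF < 90 %
    (0.99, (3, 4, 4)),   # 90 % <= SFF < 99 %
    (2.00, (3, 4, 4)),   # SFF >= 99 %
]


def sff(lam_dd, lam_du, lam_sd, lam_su):
    """Safe failure fraction, IEC 61508:2000: (safe + dangerous detected) / total."""
    total = lam_dd + lam_du + lam_sd + lam_su
    return (lam_sd + lam_su + lam_dd) / total


def max_sil_type_a(sff_value, hft):
    """Highest SIL the architectural constraints allow for a Type A subsystem."""
    if not 0 <= hft <= 2:
        raise ValueError("HFT must be 0, 1 or 2")
    for upper, sils in TYPE_A_MAX_SIL:
        if sff_value < upper:
            return sils[hft]
    raise ValueError("SFF out of range")


def check_appendix_b(rows=APPENDIX_B):
    """Recompute each leg's SFF and the architectural-constraint SIL for the
    1oo2 (HFT 1) and 2oo2 (HFT 0) groups; flag rows whose SFF differs from print."""
    results = []
    for device, du, sd, su, printed in rows:
        s = sff(0.0, du, sd, su)
        results.append({
            "device": device,
            "sff_pct": round(100.0 * s, 1),
            "matches_report": round(100.0 * s, 1) == printed,
            "max_sil_1oo2": max_sil_type_a(s, 1),   # HFT 1
            "max_sil_2oo2": max_sil_type_a(s, 0),   # HFT 0
        })
    return results


if __name__ == "__main__":
    for r in check_appendix_b():
        print("%-12s SFF %5.1f %% %s  1oo2: SIL %d  2oo2: SIL %d" % (
            r["device"], r["sff_pct"], "ok" if r["matches_report"] else "MISMATCH",
            r["max_sil_1oo2"], r["max_sil_2oo2"]))
```

Every row comes back with matches_report True, which fixes the reading of the three printed columns, and the SIL limits returned (SIL 4 at HFT 1 and SIL 3 at HFT 0 for the 307 C8, SIL 3 and SIL 2 for the other devices) are the ones the Appendix C sections state.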

Appendix C Detailed SIL Verification Report (exSILentia® SILver)
The subsequent pages in this appendix provide a detailed overview of the SIL verification results
for the SIFs in the Redundant Solenoid Analysis project that required risk reduction. The SIL
verification was performed using the exida exSILentia® SILver tool.

SIL Verification
IEC 61511 Compliance Report

Redundant Solenoid

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document. The report
format is copyright © 2000-2014, exida.com, L.L.C., all rights reserved.

1 A1: 1oo2 - 327 B0 SIF A1


This chapter displays the analysis results for Safety Instrumented Function A1: 1oo2 - 327 B0 SIF A1.

1.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A1: 1oo2 - 327 B0 SIF A1
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.11E-04
Final Element part HFT: 1
Final Element part MTTFS: 95.85 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A1: 1oo2 - 327 B0 SIF A1 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

1.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B0***, DTT, redundant (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 1 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 1 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 75.0
ASCO Series 327, 327B0***, DTT, redundant [2014.1.02] | | 3.56E-07 | 6.12E-07 | 4.56E-07 | | A | -

Automatically generated by exSILentia Version 3.2.0.888 05 Jun 2014


exSILentia the Safety Lifecycle engineering tool by exida Page 2 of 33

2 A2: 1oo2 - 327 B1 & B2 SIF A2


This chapter displays the analysis results for Safety Instrumented Function A2: 1oo2 - 327 B1 & B2 SIF
A2.

2.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A2: 1oo2 - 327 B1 & B2
SIF A2 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 5.70E-05
Final Element part HFT: 1
Final Element part MTTFS: 271.32 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A2: 1oo2 - 327 B1 & B2 SIF A2 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting
between these Final Element Groups is 1oo1.

2.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B1/B2***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 2 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 2 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 71.2
ASCO Series 327, 327B1/B2***, DTT [2014.1.02] | | 1.88E-07 | 2.16E-07 | 2.48E-07 | | A | -


3 A3: 1oo2 - 327 B3 SIF A3


This chapter displays the analysis results for Safety Instrumented Function A3: 1oo2 - 327 B3 SIF A3.

3.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A3: 1oo2 - 327 B3 SIF A3
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 5.70E-05
Final Element part HFT: 1
Final Element part MTTFS: 415.64 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A3: 1oo2 - 327 B3 SIF A3 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

3.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 3 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 3 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 67.4
ASCO Series 327, 327B3***, DTT [2014.1.02] | | 1.88E-07 | 1.41E-07 | 2.48E-07 | | A | -


4 A4: 1oo2 - 327 A6 SIF A4


This chapter displays the analysis results for Safety Instrumented Function A4: 1oo2 - 327 A6 SIF A4.

4.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A4: 1oo2 - 327 A6 SIF A4
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 6.52E-05
Final Element part HFT: 1
Final Element part MTTFS: 106.77 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A4: 1oo2 - 327 A6 SIF A4 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

4.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327A6***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 4 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 4 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 81.7
ASCO Series 327, 327A6***, DTT [2014.1.02] | | 2.14E-07 | 5.49E-07 | 4.09E-07 | | A | -


5 A5: 1oo2 - 327 B(WS) SIF A5


This chapter displays the analysis results for Safety Instrumented Function A5: 1oo2 - 327 B(WS) SIF A5.

5.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A5: 1oo2 - 327 B(WS) SIF
A5 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 5.86E-05
Final Element part HFT: 1
Final Element part MTTFS: 331.11 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A5: 1oo2 - 327 B(WS) SIF A5 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting
between these Final Element Groups is 1oo1.

5.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3(WS)IS, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 5 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 5 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 71.2
ASCO Series 327, 327B3(WS)IS, DTT [2014.1.02] | | 1.93E-07 | 1.77E-07 | 3.01E-07 | | A | -


6 A6: 1oo2 - 307 C8 SIF A6


This chapter displays the analysis results for Safety Instrumented Function A6: 1oo2 - 307 C8 SIF A6.

6.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A6: 1oo2 - 307 C8 SIF A6
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.96E-05
Final Element part HFT: 1
Final Element part MTTFS: 109.88 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 4.

The Final Element part of the A6: 1oo2 - 307 C8 SIF A6 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

6.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 307 C8 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 6 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 6 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 90.7
ASCO Series 307 C8 | | 6.60E-08 | 5.33E-07 | 1.09E-07 | | A | -


7 A7: 1oo2 - 307 B5 SIF A7


This chapter displays the analysis results for Safety Instrumented Function A7: 1oo2 - 307 B5 SIF A7.

7.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A7: 1oo2 - 307 B5 SIF A7
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 6.30E-05
Final Element part HFT: 1
Final Element part MTTFS: 86.19 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A7: 1oo2 - 307 B5 SIF A7 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

7.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series 307 B5 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 7 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 7 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 80.0
ASCO Series 307 B5 | | 2.07E-07 | 6.80E-07 | 1.46E-07 | | A | -


8 A8: 1oo2 - NACE 307 SIF A8


This chapter displays the analysis results for Safety Instrumented Function A8: 1oo2 - NACE 307 SIF A8.

8.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the A8: 1oo2 - NACE 307 SIF
A8 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.29E-05
Final Element part HFT: 1
Final Element part MTTFS: 403.91 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the A8: 1oo2 - NACE 307 SIF A8 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting
between these Final Element Groups is 1oo1.

8.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 1oo2
HFT: 1
Voting type: Identical
Equipment Leg (each): ASCO Series NACE 307 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 8 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 8 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 85.0
ASCO Series NACE 307 | | 7.70E-08 | 1.45E-07 | 2.90E-07 | | A | -


9 B1: 2oo2 - 327 B0 SIF B1


This chapter displays the analysis results for Safety Instrumented Function B1: 2oo2 - 327 B0 SIF B1.

9.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B1: 2oo2 - 327 B0 SIF B1
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 4.05E-03
Final Element part HFT: 0
Final Element part MTTFS: 3318.93 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B1: 2oo2 - 327 B0 SIF B1 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

9.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B0***, DTT, redundant (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 9 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 9 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 75.0
ASCO Series 327, 327B0***, DTT, redundant [2014.1.02] | | 3.56E-07 | 6.12E-07 | 4.56E-07 | | A | -


10 B2: 2oo2 - 327 B1 & B2 SIF B2


This chapter displays the analysis results for Safety Instrumented Function B2: 2oo2 - 327 B1 & B2 SIF
B2.

10.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B2: 2oo2 - 327 B1 & B2
SIF B2 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.15E-03
Final Element part HFT: 0
Final Element part MTTFS: 1.01E+04 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B2: 2oo2 - 327 B1 & B2 SIF B2 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting
between these Final Element Groups is 1oo1.

10.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B1/B2***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 10 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 10 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 71.2
ASCO Series 327, 327B1/B2***, DTT [2014.1.02] | | 1.88E-07 | 2.16E-07 | 2.48E-07 | | A | -


11 B3: 2oo2 - 327 B3 SIF B3


This chapter displays the analysis results for Safety Instrumented Function B3: 2oo2 - 327 B3 SIF B3.

11.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B3: 2oo2 - 327 B3 SIF B3
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.15E-03
Final Element part HFT: 0
Final Element part MTTFS: 1.58E+04 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B3: 2oo2 - 327 B3 SIF B3 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

11.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 11 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 11 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 67.4
ASCO Series 327, 327B3***, DTT [2014.1.02] | | 1.88E-07 | 1.41E-07 | 2.48E-07 | | A | -


12 B4: 2oo2 - 327 A6 SIF B4


This chapter displays the analysis results for Safety Instrumented Function B4: 2oo2 - 327 A6 SIF B4.

12.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B4: 2oo2 - 327 A6 SIF B4
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.44E-03
Final Element part HFT: 0
Final Element part MTTFS: 3737.18 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B4: 2oo2 - 327 A6 SIF B4 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

12.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327A6***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 12 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 12 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 81.7
ASCO Series 327, 327A6***, DTT [2014.1.02] | | 2.14E-07 | 5.49E-07 | 4.09E-07 | | A | -


13 B5: 2oo2 - 327 B(WS) SIF B5


This chapter displays the analysis results for Safety Instrumented Function B5: 2oo2 - 327 B(WS) SIF B5.

13.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B5: 2oo2 - 327 B(WS) SIF
B5 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.21E-03
Final Element part HFT: 0
Final Element part MTTFS: 1.25E+04 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B5: 2oo2 - 327 B(WS) SIF B5 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting
between these Final Element Groups is 1oo1.

13.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3(WS)IS, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 13 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 13 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 71.2
ASCO Series 327, 327B3(WS)IS, DTT [2014.1.02] | | 1.93E-07 | 1.77E-07 | 3.01E-07 | | A | -


14 B6: 2oo2 - 307 C8 SIF B6


This chapter displays the analysis results for Safety Instrumented Function B6: 2oo2 - 307 C8 SIF B6.

14.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B6: 2oo2 - 307 C8 SIF B6
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 7.54E-04
Final Element part HFT: 0
Final Element part MTTFS: 3854.26 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the B6: 2oo2 - 307 C8 SIF B6 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

14.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 C8 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β−factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 14 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 14 Reliability Data Final Element Group Final Element Group1
Component | DD | DU | SD | SU | Residual | Arch. Type | SFF [%]
Each Leg | | | | | | | 90.7
ASCO Series 307 C8 | | 6.60E-08 | 5.33E-07 | 1.09E-07 | | A | -


15 B7: 2oo2 - 307 B5 SIF B7


This chapter displays the analysis results for Safety Instrumented Function B7: 2oo2 - 307 B5 SIF B7.

15.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B7: 2oo2 - 307 B5 SIF B7
Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.36E-03
Final Element part HFT: 0
Final Element part MTTFS: 2944.88 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B7: 2oo2 - 307 B5 SIF B7 Safety Instrumented Function has a Maintenance
Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting between these
Final Element Groups is 1oo1.

15.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 B5 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 15 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 15 Reliability Data Final Element Group Final Element Group1

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  80.0
ASCO Series 307 B5             2.07E-07 6.80E-07 1.46E-07           A     -


16 B8: 2oo2 - NACE 307 SIF B8


This chapter displays the analysis results for Safety Instrumented Function B8: 2oo2 - NACE 307 SIF B8.

16.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the B8: 2oo2 - NACE 307 SIF
B8 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 8.81E-04
Final Element part HFT: 0
Final Element part MTTFS: 1.53E+04 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 2.

The Final Element part of the B8: 2oo2 - NACE 307 SIF B8 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 1 Final Element Group(s). The voting
between these Final Element Groups is 1oo1.

16.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series NACE 307 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 16 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 16 Reliability Data Final Element Group Final Element Group1

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  85.0
ASCO Series NACE 307           7.70E-08 1.45E-07 2.90E-07           A     -


17 C1: 1oo2(2oo2) - 327 B0 SIF C1


This chapter displays the analysis results for Safety Instrumented Function C1: 1oo2(2oo2) - 327 B0 SIF
C1.

17.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C1: 1oo2(2oo2) - 327 B0
SIF C1 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 2.20E-04
Final Element part HFT: 1
Final Element part MTTFS: 1702.02 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C1: 1oo2(2oo2) - 327 B0 SIF C1 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

17.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B0***, DTT, redundant (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 17 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 17 Reliability Data Final Element Group Final Element Group1

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    75.0
ASCO Series 327, 327B0***, DTT, redundant [2014.1.02]            3.56E-07 6.12E-07 4.56E-07           A     -

17.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B0***, DTT, redundant (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 18 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 18 Reliability Data Final Element Group Final Element Group2

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    75.0
ASCO Series 327, 327B0***, DTT, redundant [2014.1.02]            3.56E-07 6.12E-07 4.56E-07           A     -


18 C2: 1oo2(2oo2) - 327 B1 & B2 SIF C2


This chapter displays the analysis results for Safety Instrumented Function C2: 1oo2(2oo2) - 327 B1 & B2
SIF C2.

18.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C2: 1oo2(2oo2) - 327 B1 &
B2 SIF C2 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.12E-04
Final Element part HFT: 1
Final Element part MTTFS: 5194.97 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C2: 1oo2(2oo2) - 327 B1 & B2 SIF C2 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

18.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B1/B2***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 19 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 19 Reliability Data Final Element Group Final Element Group1

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    71.2
ASCO Series 327, 327B1/B2***, DTT [2014.1.02]                    1.88E-07 2.16E-07 2.48E-07           A     -

18.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B1/B2***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 20 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 20 Reliability Data Final Element Group Final Element Group2

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    71.2
ASCO Series 327, 327B1/B2***, DTT [2014.1.02]                    1.88E-07 2.16E-07 2.48E-07           A     -


19 C3: 1oo2(2oo2) - 327 B3 SIF C3


This chapter displays the analysis results for Safety Instrumented Function C3: 1oo2(2oo2) - 327 B3 SIF
C3.

19.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C3: 1oo2(2oo2) - 327 B3
SIF C3 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.12E-04
Final Element part HFT: 1
Final Element part MTTFS: 8080.52 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C3: 1oo2(2oo2) - 327 B3 SIF C3 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

19.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 21 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 21 Reliability Data Final Element Group Final Element Group1

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    67.4
ASCO Series 327, 327B3***, DTT [2014.1.02]                       1.88E-07 1.41E-07 2.48E-07           A     -

19.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 22 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 22 Reliability Data Final Element Group Final Element Group2

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    67.4
ASCO Series 327, 327B3***, DTT [2014.1.02]                       1.88E-07 1.41E-07 2.48E-07           A     -


20 C4: 1oo2(2oo2) - 327 A6 SIF C4


This chapter displays the analysis results for Safety Instrumented Function C4: 1oo2(2oo2) - 327 A6 SIF
C4.

20.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C4: 1oo2(2oo2) - 327 A6
SIF C4 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.28E-04
Final Element part HFT: 1
Final Element part MTTFS: 1916.5 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C4: 1oo2(2oo2) - 327 A6 SIF C4 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

20.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327A6***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 23 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 23 Reliability Data Final Element Group Final Element Group1

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    81.7
ASCO Series 327, 327A6***, DTT [2014.1.02]                       2.14E-07 5.49E-07 4.09E-07           A     -

20.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327A6***, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 24 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 24 Reliability Data Final Element Group Final Element Group2

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    81.7
ASCO Series 327, 327A6***, DTT [2014.1.02]                       2.14E-07 5.49E-07 4.09E-07           A     -


21 C5: 1oo2(2oo2) - 327 B(WS) SIF C5


This chapter displays the analysis results for Safety Instrumented Function C5: 1oo2(2oo2) - 327 B(WS)
SIF C5.

21.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C5: 1oo2(2oo2) - 327
B(WS) SIF C5 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.16E-04
Final Element part HFT: 1
Final Element part MTTFS: 6390.24 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C5: 1oo2(2oo2) - 327 B(WS) SIF C5 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

21.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3(WS)IS, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 25 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 25 Reliability Data Final Element Group Final Element Group1

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    71.2
ASCO Series 327, 327B3(WS)IS, DTT [2014.1.02]                    1.93E-07 1.77E-07 3.01E-07           A     -

21.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 327, 327B3(WS)IS, DTT (Sys. Cap.: 3)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 26 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 26 Reliability Data Final Element Group Final Element Group2

                                                        Failure Rates [1/h]                           Arch. SFF
Component                                               DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                                                    71.2
ASCO Series 327, 327B3(WS)IS, DTT [2014.1.02]                    1.93E-07 1.77E-07 3.01E-07           A     -


22 C6: 1oo2(2oo2) - 307 C8 SIF C6


This chapter displays the analysis results for Safety Instrumented Function C6: 1oo2(2oo2) - 307 C8 SIF
C6.

22.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C6: 1oo2(2oo2) - 307 C8
SIF C6 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 3.83E-05
Final Element part HFT: 1
Final Element part MTTFS: 1976.54 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 4.

The Final Element part of the C6: 1oo2(2oo2) - 307 C8 SIF C6 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

22.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 C8 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 27 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 27 Reliability Data Final Element Group Final Element Group1

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  90.7
ASCO Series 307 C8             6.60E-08 5.33E-07 1.09E-07           A     -

22.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 C8 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 28 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 28 Reliability Data Final Element Group Final Element Group2

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  90.7
ASCO Series 307 C8             6.60E-08 5.33E-07 1.09E-07           A     -


23 C7: 1oo2(2oo2) - 307 B5 SIF C7


This chapter displays the analysis results for Safety Instrumented Function C7: 1oo2(2oo2) - 307 B5 SIF
C7.

23.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C7: 1oo2(2oo2) - 307 B5
SIF C7 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 1.24E-04
Final Element part HFT: 1
Final Element part MTTFS: 1510.2 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C7: 1oo2(2oo2) - 307 B5 SIF C7 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

23.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 B5 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 29 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 29 Reliability Data Final Element Group Final Element Group1

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  80.0
ASCO Series 307 B5             2.07E-07 6.80E-07 1.46E-07           A     -

23.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 B5 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 30 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 30 Reliability Data Final Element Group Final Element Group2

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  80.0
ASCO Series 307 B5             2.07E-07 6.80E-07 1.46E-07           A     -


24 C8: 1oo2(2oo2) - NACE 307 SIF C8


This chapter displays the analysis results for Safety Instrumented Function C8: 1oo2(2oo2) - NACE 307
SIF C8.

24.1.1 Final Element Part Configuration


The functional safety and spurious trip behavior of the final element part of the C8: 1oo2(2oo2) - NACE
307 SIF C8 Safety Instrumented Function is quantified as follows.
Final Element part PFDavg: 4.49E-05
Final Element part HFT: 1
Final Element part MTTFS: 7841.14 years

Final Element part Architectural Constraints (IEC 61508:2000) allow use up to SIL 3.

The Final Element part of the C8: 1oo2(2oo2) - NACE 307 SIF C8 Safety Instrumented Function has a
Maintenance Capability of MCI 2 (Good – 90%). It consists of 2 Final Element Group(s). The voting
between these Final Element Groups is 1oo2. A common cause factor of 5% was considered between
the groups in this Final Element part.

24.1.1.1 Final Element Group 1: Final Element Group1


The information and reliability data underneath describe the Final Element Group1 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series NACE 307 (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]


Table 31 shows the reliability data used during the SIL verification of final element group Final Element
Group1.
Table 31 Reliability Data Final Element Group Final Element Group1

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  85.0
ASCO Series NACE 307           7.70E-08 1.45E-07 2.90E-07           A     -

24.1.1.2 Final Element Group 2: Final Element Group2


The information and reliability data underneath describe the Final Element Group2 final element group as
it has been analyzed in this Safety Integrity Level verification.
Voting within group: 2oo2
HFT: 0
Voting type: Identical
Equipment Leg (each): ASCO Series 307 NACE (Sys. Cap.: 3) (My Own)
Clean service, Full Stroke, Close on Trip
β-factor: 5 [%]
MTTR: 24 hours
Proof Test Interval: 12 months
Proof Test Coverage: 99 [%]

Table 32 shows the reliability data used during the SIL verification of final element group Final Element
Group2.
Table 32 Reliability Data Final Element Group Final Element Group2

                      Failure Rates [1/h]                           Arch. SFF
Component             DD       DU       SD       SU       Residual  Type  [%]
Each Leg                                                                  85.0
ASCO Series 307 NACE           7.70E-08 1.45E-07 2.90E-07           A     -
