www.sis-tech.com

Module 11
Example Verification

Introduction
• Example SIFs will be assessed to illustrate how choices in field device architecture, test interval, and logic solver technology affect the achievable PFD and spurious trip rate

Module 11 – Example Verification © SIS-TECH


Space Shuttle Columbia disaster

"Despite Improvements, risks remain part of space equation"
By MARK CARREAU, Houston Chronicle

• In 1981 for Columbia launch: odds of catastrophic loss 1 in 25
• After post-Challenger improvements: odds of catastrophic loss 1 in 78
• Dating back to 1981: 2 losses in 113 shuttle missions = 98% (success rate)
• Odds for flights in 2003:
– Odds of loss during launch, orbital and landing phases: 1 in 250 missions
– Odds of loss during shuttle launch: 1 in 556 flights


SIL Verification
• It is just a calculation
• It is only as meaningful as the:
– Boundary
• Include all contributors to failure
– Data
• In-service failure rates
• How uncertain is it?
– Assumptions
• What was excluded, neglected, etc.?
• If the event happens, the math is not a protection layer

Target Failure Measures

• Low demand mode

Safety Integrity Level (SIL) | Required Risk Reduction, RRF = 1/PFDavg | Average probability of failure on demand (PFDavg) | Availability, (1 - PFDavg) x 100%
4 | >10,000 to ≤100,000 | <10^-4 to ≥10^-5 | <0.9999 to ≥0.99999
3 | >1,000 to ≤10,000 | <10^-3 to ≥10^-4 | <0.999 to ≥0.9999
2 | >100 to ≤1,000 | <10^-2 to ≥10^-3 | <0.99 to ≥0.999
1 | >10 to ≤100 | <10^-1 to ≥10^-2 | <0.9 to ≥0.99

• High demand or continuous mode

Safety Integrity Level (SIL) | Average frequency of failure (failures per hour)
4 | <10^-8 to ≥10^-9
3 | <10^-7 to ≥10^-8
2 | <10^-6 to ≥10^-7
1 | <10^-5 to ≥10^-6


Important Design Parameters

• Device Integrity
– Dangerous failure rate, λD
– Safe failure rate, λS
• Proof Test Interval, TI
• Diagnostics
– Diagnostic Coverage, DC
– Diagnostic Interval, DI
• Partial Testing
– Test Coverage, TC
– Partial Test Interval, TIP
• Voting/Architecture
– M-out-of-N
• Common Cause Factor, β

Find data for each device

• Operating environment
– Internal and external environment
– Include process and electrical influences
• Device boundary as installed
– Device technology
– Process connections
– Required support systems
• Communication
• Power supply
• Mechanical integrity plan
– How was the device inspected, maintained, and tested?


Understand precision
• The calculation of risk reduction is an order of magnitude estimate
– Do not get lost in searching for or calculating multiple significant digits
• Not much difference between brands of field devices if each brand has met user approval
– Focus on estimating order-of-magnitude values for each device technology considering the expected operating environment
• Most data is selected based on qualitative judgment of the historical evidence

Verify Mode of Operation

• Hazard Rate (HR) = Demand Rate (DR) x PFDavg
• High demand or continuous SIS
– Controlling frequency for the initiation of the event
– SIS cannot be better than the failure rate of its devices and your ability to detect and correct failure
• Low demand SIS
– Acts as safeguard / IPL
– Demand Rate < 1 / year


Continuous Mode (or High Demand)
• Calculate average frequency of failure, e.g., for a BPCS safety control loop:

(Reliability block diagram / fault tree of the loop: control transmitter, BPCS, positioner and control valve in series)

λTotal = λControl Transmitter + λBPCS + λPositioner + λControl Valve

Low Demand Mode

• Calculate the PFDavg, e.g., for a high pressure trip of a pump:

(Reliability block diagram / fault tree of the trip: safety transmitter, trip amplifier and motor contactor in series)

PFDavg = PFDavg Safety Transmitter + PFDavg Trip Amplifier + PFDavg Motor Contactor


Calculations – need equations

• ISA TR84.00.02
– Safety Instrumented Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques
• IEC 61508 Part 6
– Guidelines on the application of IEC 61508-2 and IEC 61508-3
• ISO 12489 - 2013
– Reliability block diagrams (RBD), fault trees (FT), Markovian approach (MA), Petri nets (PN) and Monte Carlo simulation

Boolean Logic
Device failures are basic events.

(Figure: basic events "A 1oo1 Event" and "B 1oo1 Event", with the quantity assigned to each basic event per mode)

High Demand/Continuous Mode: λA Dangerous
Low Demand Mode: λA Dangerous x TI
Spurious: λA Safe


Boolean Algebra
Boolean gates correspond to algebraic relationships:

OR gate: A + B - A*B. The A*B term is negligible compared to A + B in PFD calculations.
AND gate: A*B. Does not address the potential for dependent failures of A and B.

Simplified Boolean Equations (FYI)

• 1oo1: $PFD_{avg} \approx \frac{\lambda_D \cdot TI}{2}$

• 1oo2: $PFD_{avg} \approx \left(\frac{\lambda_D \cdot TI}{2}\right)^2 = \frac{(\lambda_D \cdot TI)^2}{4} = (PFD_{1oo1})^2$

• 2oo2: $PFD_{avg} \approx 2 \cdot \frac{\lambda_D \cdot TI}{2} = \lambda_D \cdot TI = 2 \cdot PFD_{1oo1}$

• 2oo3: $PFD_{avg} \approx 3 \cdot \left(\frac{\lambda_D \cdot TI}{2}\right)^2 = \frac{3}{4} \lambda_D^2 \cdot TI^2 = 3 \cdot (PFD_{1oo1})^2$


Simplified Boolean Equations

• 1oo1 Basic Event – Single Point of Failure: $PFD_{avg} \approx \frac{\lambda (TI)}{2}$

• 1oo2 One-out-of-two – Safe fault tolerant: $PFD_{avg} \approx (PFD_{1oo1})^2$

• 2oo2 Two-out-of-two – Reliable fault tolerant: $PFD_{avg} \approx 2 \cdot PFD_{1oo1}$

• 2oo3 Two-out-of-three – Safe and reliable fault tolerant; acts like 3 x 1oo2: $PFD_{avg} \approx 3 \cdot (PFD_{1oo1})^2$

Expanded Boolean Equation (FYI)

$PFD \approx \frac{N!}{R!\,(M-1)!} \left[ \frac{(1-DC)\,\lambda_D\,TI}{2} + \frac{DC\,\lambda_D\,DI}{2} + \lambda_D\,MTTR_{ES} \right]^R$

Where for M-out-of-N voting, R = N - M + 1.

Common cause contribution is added to these as necessary.


Markov
• Equations are developed for each SIS based on architecture
• The probability of failure on demand as a function of time is integrated to determine the PFDavg

$\frac{dP_1(t)}{dt} = -\lambda\,P_1(t)$

Markov
• 2oo3 voting with diagnostic coverage (Markov state diagram from the slide not reproduced)


Simplified Markovian Equations

• 1oo1: $PFD_{avg} \approx \frac{\lambda (TI)}{2}$

• 1oo2: $PFD_{avg} \approx \frac{\lambda^2 (TI)^2}{3}$

• 2oo2: $PFD_{avg} \approx \lambda (TI)$

• 2oo3: $PFD_{avg} \approx \lambda^2 (TI)^2$
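A numerical check of these coefficients, added here as an example (not from the slides or SIS-TECH): it builds the unrepaired M-out-of-N failure probability from a per-channel rate λ, averages it over one proof test interval, and compares the result with the closed forms above and with the Boolean (λTI/2)² value for 1oo2. The function names and the Simpson's-rule integration are mine; the 6.67E-3/yr rate is the slide's pressure transmitter value.

```python
import math
from typing import Dict

# Simplified Markovian coefficients from the slide: PFDavg ≈ coef * (lam*TI)^power
MARKOV_SIMPLIFIED = {
    "1oo1": (1.0 / 2.0, 1),
    "1oo2": (1.0 / 3.0, 2),
    "2oo2": (1.0, 1),
    "2oo3": (1.0, 2),
}
ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (2, 1), "2oo2": (2, 2), "2oo3": (3, 2)}


def p_fail_moon(n: int, m: int, lam: float, t: float) -> float:
    """Probability that an M-out-of-N group is failed dangerous at time t.

    Each channel fails independently at rate lam and stays failed until the
    proof test, so p(t) = 1 - exp(-lam*t). The group has lost its function once
    fewer than M channels work, i.e. once R = N - M + 1 or more have failed.
    """
    p = 1.0 - math.exp(-lam * t)
    r = n - m + 1
    return sum(math.comb(n, k) * p ** k * (1.0 - p) ** (n - k) for k in range(r, n + 1))


def pfd_avg_numeric(n: int, m: int, lam: float, ti: float, steps: int = 2000) -> float:
    """Time average of p_fail_moon over one proof test interval (Simpson's rule)."""
    if steps % 2:
        steps += 1
    h = ti / steps
    total = p_fail_moon(n, m, lam, 0.0) + p_fail_moon(n, m, lam, ti)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * p_fail_moon(n, m, lam, i * h)
    return total * h / 3.0 / ti


def pfd_avg_markov_simplified(arch: str, lam: float, ti: float) -> float:
    """The slide's closed-form value for the named architecture."""
    coef, power = MARKOV_SIMPLIFIED[arch]
    return coef * (lam * ti) ** power


def compare(lam: float, ti: float) -> Dict[str, float]:
    """numeric / simplified for each architecture; close to 1.0 only while lam*TI << 1."""
    return {arch: pfd_avg_numeric(n, m, lam, ti) / pfd_avg_markov_simplified(arch, lam, ti)
            for arch, (n, m) in ARCHITECTURES.items()}


def boolean_vs_markov_1oo2(lam: float, ti: float) -> float:
    """Numeric 1oo2 average divided by the Boolean simplification (lam*TI/2)^2.

    The result tends to 4/3: squaring the time-averaged single-channel PFD
    underestimates the time average of the squared unavailability.
    """
    return pfd_avg_numeric(2, 1, lam, ti) / (lam * ti / 2.0) ** 2


if __name__ == "__main__":
    # Pressure transmitter dangerous rate from the slide data table, 1 year TI.
    for arch, ratio in compare(6.67e-3, 1.0).items():
        print(f"{arch}: numeric / simplified = {ratio:.4f}")
    print(f"1oo2 numeric / Boolean = {boolean_vs_markov_1oo2(6.67e-3, 1.0):.4f}")
    # The approximation degrades as lam*TI grows (here lam*TI = 0.5).
    print(f"1oo1 at lam*TI = 0.5: {compare(0.5, 1.0)['1oo1']:.3f}")
```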

Diagnostics and Testing

• Diagnostics and testing may only detect part of the failure modes
• Perform the analysis in two parts:
– Percentage detected
• Diagnostic Coverage = DC
• Test Coverage = TC
– Percentage not detected
• Diagnostics = 1 - DC
• Partial Test = 1 - TC

All failure modes must be tested at some defined interval


Partial Testing

$PFD_{avg} \approx \frac{(1-TC)\,\lambda_D\,TI}{2} + \frac{TC\,\lambda_D\,TIP}{2}$

• Test Coverage (TC) is estimated for a partial test conducted at a Partial Test Interval (TIP)
– TC is given as a percentage
• Failure modes not detected in the partial test must be covered by a full proof test conducted at a defined Test Interval (TI)

Example:
Partial Stroke Testing of Block Valves
• Test coverage (TC) dependent on valve type and operating environment
– General trend for TC is 60 to 85%
– Type of partial stroke test equipment does not affect diagnostic coverage
• Does not test the:
– Ability of the valve to fully close
– Leak tightness of the valve
– Valve closure time
• Can count in math only if repair or shutdown will be timely on detected failure


Block Valve – Partial Stroke Test: Imperfect Testing

(Fault tree: OR gate over SOV1, "BV PST" – block valve failures detected by the partial stroke test – and "BV FST" – block valve failures detected by the full stroke test)

PFDAVG = TC * λD * TIPST/2 + (1-TC) * λD * TIFST/2 + λD * MTTRes
(detected by partial stroke test) + (detected by full stroke test) + (unavailability due to predicted repair)

Assume 70% Test Coverage (TC) and monthly test:
PFDAVG = 0.7 * λD * 730 hr/2 + 0.3 * λD * 8760 hr/2 + λD * MTTRes
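The expanded Boolean equation and the partial-test formula have the same shape, so one function covers both; this is an added example (not the slide's or SIL Solver's code), and the names pfd_avg_moon and block_valve_pst and the 24 h MTTRes are my assumptions. It reproduces the 1oo1/1oo2/2oo2/2oo3 simplifications and the 70% / monthly partial stroke case of the block valve slide, using the valve dangerous rate from the data table.

```python
import math
from typing import Dict

HOURS_PER_YEAR = 8760.0


def pfd_avg_moon(n: int, m: int, lam_d: float, ti: float,
                 cov: float = 0.0, t_short: float = 0.0, mttr: float = 0.0) -> float:
    """Expanded Boolean PFDavg for M-out-of-N voting, as on the slide:

        PFD ≈ N! / (R! (M-1)!) * [ (1-cov)*lam_d*TI/2 + cov*lam_d*t_short/2 + lam_d*MTTR ]^R
        with R = N - M + 1

    cov is the fraction of dangerous failures found by the short-interval check:
    DC with diagnostic interval DI, or TC with partial test interval TIP (same
    algebra as the partial testing slide). The remainder waits for the full
    proof test at TI. All rates and times must share one unit system
    (per hour with hours, or per year with years). Common cause is not included.
    """
    if not 0.0 <= cov <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    r = n - m + 1
    channel = ((1.0 - cov) * lam_d * ti / 2.0
               + cov * lam_d * t_short / 2.0
               + lam_d * mttr)
    return math.factorial(n) / (math.factorial(r) * math.factorial(m - 1)) * channel ** r


def block_valve_pst(lam_d_per_year: float, tc: float, tip_hours: float,
                    ti_hours: float, mttr_hours: float) -> Dict[str, float]:
    """Block valve with partial stroke test, slide formula
    PFDavg = TC*lam_D*TI_PST/2 + (1-TC)*lam_D*TI_FST/2 + lam_D*MTTRes,
    compared with the same valve covered only by the full stroke test."""
    lam_h = lam_d_per_year / HOURS_PER_YEAR
    with_pst = pfd_avg_moon(1, 1, lam_h, ti_hours, tc, tip_hours, mttr_hours)
    full_only = pfd_avg_moon(1, 1, lam_h, ti_hours, 0.0, 0.0, mttr_hours)
    return {"with_pst": with_pst, "full_stroke_only": full_only,
            "reduction_factor": full_only / with_pst}


if __name__ == "__main__":
    lam = 1.67e-2  # valve dangerous failure rate, 1/yr, from the slide data table
    ti = 1.0       # proof test interval, years
    print("1oo1 %.3e  1oo2 %.3e  2oo2 %.3e  2oo3 %.3e" % (
        pfd_avg_moon(1, 1, lam, ti), pfd_avg_moon(2, 1, lam, ti),
        pfd_avg_moon(2, 2, lam, ti), pfd_avg_moon(3, 2, lam, ti)))
    # 70 % test coverage, monthly partial stroke (730 h), annual full stroke (8760 h).
    # The 24 h MTTRes is an assumed value; the slide leaves MTTRes symbolic.
    for k, v in block_valve_pst(lam, 0.7, 730.0, 8760.0, 24.0).items():
        print(f"{k}: {v:.3e}")
```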

Common cause
• Reduces the effect of system redundancy or fault tolerance
– Increases the probability of failure of two or more channels in a multiple channel system
• Only random failures are included in the calculation
– Systematic failures
• Not in CCF calculation – managed by lifecycle


Common Cause
• Redundant devices can fail simultaneously due to the same failure cause
• These are referred to as “dependent” failures

(Figure: Device A and Device B, each with an independent failure portion and a shared dependent failure portion)


β Factor Method
• β factor = fraction of total failures that can result in the failure of both devices due to the same cause

(Figure: failure rate of Device A split into an independent part (1-β) * λDU and a dependent part β * λDU; failure rate of Device B split the same way, with the dependent part β * λDU shared between them. λDU is based on Device A or Device B.)

Many simplified calculations assume 1-β ≈ 1

Effect of Common Cause

Beta factor is added on to the equation for each redundant architecture:

• 1oo1 – not added

• 1oo2: $PFD_{avg} \approx (PFD_{1oo1})^2 + \frac{\beta \cdot \lambda_D \cdot TI}{2} + \beta \cdot \lambda_D \cdot MTTR$

• 2oo2 – not added

• 2oo3: $PFD_{avg} \approx 3 \cdot (PFD_{1oo1})^2 + \frac{\beta \cdot \lambda_D \cdot TI}{2} + \beta \cdot \lambda_D \cdot MTTR$


Limitation Functions
• Must consider effectiveness when demonstrating claimed risk reduction
– Health and Safety Executive studies show that fire & gas systems detected less than 70% of incidents
– Detector effectiveness
• Is the event seen in a timely manner given placement of sensors?
– Mitigation effectiveness
• Is the action taken effective in reducing the harm?
• Little effect on damage caused by initial event; some reduction in subsequent damage

Data Examples

Device | Dangerous Failure Rate (1/Years) | Spurious Failure Rate (1/Years) | Dangerous MTTF (Years) | Spurious MTTF (Years)
Pressure Transmitter | 6.67E-3 | 1.25E-2 | 150 | 80
General Purpose PLC | 3.29E-2 | 4.00E-2 | 30 | 25
Trip Amplifier (non-PE) | 1.40E-3 | 5.10E-3 | 714 | 196
Safety Configured PLC | 4.03E-3 | 8.00E-2 | 248 | 13
TMR Logic Solver | 4.9E-5 | 1.30E-3 | 20408 | 769
Solenoid (low wattage) | 1.67E-2 | 3.33E-2 | 60 | 30
Valve | 1.67E-2 | 6.67E-3 | 60 | 150

DATA SOURCE – SIL SOLVER

(The slide builds add callouts tagging the logic solver rows as SIL 1, SIL 2 and SIL 3 technology and flagging the high STR and low STR entries.)

High Pressure SIS

• High pressure in pipeline initiates shutdown of downstream block valve to prevent pipeline rupture
• Current proposed testing interval is 1 year
• Target SIL = 1
• Target MTTFs = 15 years


Performance Verification

(Figure: SIS architecture and safety instrumented function example with different devices shown – sensors, logic solver and final elements, each as non-programmable (NP) or programmable electronic (PE) hardware and software)

• PFDSIS = PFDSensors {process to input point}
+ PFDLogic Solver {input point to output point}
+ PFDFinal Elements {output point to process action}
+ PFDSupport Systems {source to process action} – used for energize-to-trip or air to operate

Adds Up!
PFDavg is no better than the weakest link!

High Pressure SIS – PFDavg Calculation

PFDSIS = PFDSENSOR + PFDLS + PFDFE
PFDSIS = PFDPT-101 + PFDLS + PFDSOV + PFDVALVE


PFD Calculation

Device | Dangerous Failure Rate (1/Years)
Pressure Transmitter | 6.67E-03
Trip Amplifier (non-PE) | 1.40E-03
Solenoid (low wattage) | 1.67E-02
Valve | 1.67E-02

PFDavg per device = λD * TI/2 at 1 year testing. SIF meets SIL 1.

Device | PFDavg | % Contribution | SIL band of the device value
PT-101 | 3.34E-03 | 16% | SIL 2
Trip Amplifier (non-PE) | 7.00E-04 | 3% | SIL 3
Solenoid | 8.34E-03 | 40% | SIL 2
Valve | 8.34E-03 | 40% | SIL 2
Total | 2.07E-02 | 100% | SIL 1

The PFD adds up! Not the SIL!


Typical Distribution?
• No typical distribution for the contribution of each subsystem to the SIS
• Some practical aspects:
– The more centralized the logic solver (more I/O per CPU), the greater the risk – balance this with a logic solver that contributes less than 10%
– Generally, the performance limitation is the final elements – can go to nearly 100%
• Significant impact of mechanical components

Relative Device Ranking

(Chart: Perceived Probability of Failure on Demand (PFDavg), 0.000 to 0.025, versus Mean Time to Failure Dangerous (MTTFD), 25 to 250 years, with Proof Test Interval = 1 year and no on-line diagnostics. Device classes from highest to lowest PFDavg: Analyzers, Switches, Valves, Transmitters, Safety PLC, Relays, Trip Amps.)

Perceived distributions are due to the relative performance of sensors, logic solvers and final elements. Actual distributions are quite variable.


Performance Verification
• STRSIS = STRSensors + STRLogic Solver + STRFinal Elements + STRSupport Systems

Adds Up!
Reliability is no better than the weakest link!

STR Calculation

Device | Spurious Failure Rate (1/Years)
Pressure Transmitter | 1.25E-02
Trip Amplifier (non-PE) | 5.10E-03
Solenoid (low wattage) | 3.33E-02
Valve | 6.67E-03

MTTFspurious = 1 / λSP

Device | STR (1/yr) | % Contribution
PT-101 | 1.25E-02 | 22%
Trip Amplifier (non-PE) | 5.10E-03 | 9%
Solenoid | 3.33E-02 | 58%
Valve | 6.67E-03 | 12%
Total | 5.76E-02 | 100%
MTTFs = 17 years


Example – PFDavg

Case | Input (1oo1) | Logic Solver | Output (1oo1) | Total
Simplex PLC | 3.39E-03 (9%) | 1.64E-02 (45%) | 1.69E-02 (46%) | 3.68E-02 (100%)
Trip Amplifier | 3.39E-03 (16%) | 7.13E-04 (3%) | 1.69E-02 (81%) | 2.10E-02 (100%)
Safety-configured PLC | 3.39E-03 (15%) | 2.03E-03 (9%) | 1.69E-02 (76%) | 2.24E-02 (100%)
TMR Logic Solver | 3.39E-03 (16.6%) | 2.40E-05 (0.1%) | 1.69E-02 (83.2%) | 2.04E-02 (100%)

All SIL 1 at 1 year test interval

• Non-safety configured PLC is the major contributor at this level for every function it performs; the overall system can never be better than this
• Valves are generally major contributors – mechanical components are a problem; lack of periodic movement makes the failure rate worse

Example – STR

Case | Input (1oo1) | Logic Solver | Output (1oo1) | Total (MTTFs)
Simplex PLC | 1.25E-2 (14%) | 4.00E-2 (43%) | 4.00E-2 (43%) | 9.25E-2 (11 years)
Trip Amplifier | 1.25E-2 (22%) | 5.10E-3 (9%) | 4.00E-02 (70%) | 5.76E-02 (17 years)
Safety-configured PLC | 1.25E-2 (9%) | 8.00E-2 (60%) | 4.00E-2 (30%) | 1.33E-1 (8 years)
TMR Logic Solver | 1.25E-2 (23%) | 1.12E-03 (2%) | 4.00E-02 (75%) | 5.36E-02 (19 years)

• Slide callouts: STR approximately 1/10 years; STR approximately 1/20 years
• Non-HFT PLC is the major contributor at this level for every function it performs; spurious failures of the PLC may cause multiple functions to operate; the overall system can never be better than this
• Hardwired and HFT PLC contribute less than 10% to STR


Example - PFDavg – Change to 5 year Test Interval

Case | Input (1oo1) | Logic Solver | Output (1oo1) | Total
Simplex PLC | 1.67E-2 (9%) | 8.22E-2 (45%) | 8.36E-2 (46%) | 1.83E-1 (100%)
Trip Amplifier | 1.67E-2 (16%) | 3.52E-3 (3%) | 8.36E-2 (81%) | 1.04E-1 (100%)
Safety-configured PLC | 1.67E-2 (15%) | 1.00E-2 (9%) | 8.36E-2 (76%) | 1.10E-1 (100%)
TMR Logic Solver | 1.67E-2 (17%) | 1.30E-4 (0.1%) | 8.36E-2 (83%) | 1.00E-1 (100%)

None met SIL 1 at 5 year test interval
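The verification worked above (λD * TI/2 per 1oo1 device, PFDs and spurious rates summed, SIL read from the low demand table, MTTFs = 1/STR) as an added Python example; it is not SIS-TECH's SIL Solver, and the function names are mine. The rates are the slide's data table values; the 1 year run gives SIL 1 for all four logic solver cases and the 5 year run gives none, matching the slides.

```python
from typing import Dict, List

# Dangerous and spurious failure rates (1/yr) from the slide data table
# (DATA SOURCE - SIL SOLVER). Keys are the slide's device names.
DATA: Dict[str, tuple] = {
    "Pressure Transmitter":    (6.67e-3, 1.25e-2),
    "General Purpose PLC":     (3.29e-2, 4.00e-2),
    "Trip Amplifier (non-PE)": (1.40e-3, 5.10e-3),
    "Safety Configured PLC":   (4.03e-3, 8.00e-2),
    "TMR Logic Solver":        (4.9e-5,  1.30e-3),
    "Solenoid (low wattage)":  (1.67e-2, 3.33e-2),
    "Valve":                   (1.67e-2, 6.67e-3),
}

LOGIC_SOLVERS = ["General Purpose PLC", "Trip Amplifier (non-PE)",
                 "Safety Configured PLC", "TMR Logic Solver"]


def sil_from_pfd(pfd: float) -> int:
    """Low demand SIL band from the target failure measures table; 0 = below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def verify_sif(devices: List[str], ti_years: float) -> Dict[str, object]:
    """1oo1 devices in series: PFDavg = lam_D*TI/2 per device, PFDs and spurious
    rates add up, SIL is read from the total, MTTFspurious = 1/STR."""
    pfd = {d: DATA[d][0] * ti_years / 2.0 for d in devices}
    strs = {d: DATA[d][1] for d in devices}
    pfd_total = sum(pfd.values())
    str_total = sum(strs.values())
    return {
        "pfd": pfd,
        "pfd_contribution": {d: v / pfd_total for d, v in pfd.items()},
        "pfd_total": pfd_total,
        "sil": sil_from_pfd(pfd_total),
        "str_total": str_total,
        "str_contribution": {d: v / str_total for d, v in strs.items()},
        "mttf_spurious_years": 1.0 / str_total,
    }


def compare_logic_solvers(ti_years: float) -> Dict[str, Dict[str, object]]:
    """The slide's four cases: PT-101 + logic solver + solenoid + valve, all 1oo1."""
    return {s: verify_sif(["Pressure Transmitter", s, "Solenoid (low wattage)", "Valve"],
                          ti_years) for s in LOGIC_SOLVERS}


if __name__ == "__main__":
    for ti in (1.0, 5.0):
        print(f"--- proof test interval {ti:g} year(s) ---")
        for solver, r in compare_logic_solvers(ti).items():
            worst = max(r["pfd_contribution"], key=r["pfd_contribution"].get)
            print(f"{solver:24s} PFDavg {r['pfd_total']:.2e} (SIL {r['sil']})  "
                  f"STR {r['str_total']:.2e}/yr  MTTFs {r['mttf_spurious_years']:.0f} yr  "
                  f"largest PFD contributor: {worst}")
```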

Change input architecture

• Redundant transmitters are often used in SIS service
– Protection during repair and test
– Diagnostics
– Hardware fault tolerance


Example - PFDavg – Change to 2oo3D on inputs

Case | Input (2oo3D) | Logic Solver | Output (1oo1) | Total
Simplex PLC | 4.30E-5 (0%) | 8.22E-2 (50%) | 8.36E-2 (50%) | 1.66E-1 (100%)
Trip Amplifier (2oo3) | 4.30E-5 (0%) | 1.06E-4 (0.1%) | 8.36E-2 (99.9%) | 8.38E-2 (100%)
Safety-configured PLC | 4.30E-5 (0%) | 1.00E-2 (11%) | 8.36E-2 (89%) | 9.37E-2 (100%)
TMR Logic Solver | 4.30E-5 (0%) | 1.30E-4 (0.2%) | 8.36E-2 (99.8%) | 8.38E-2 (100%)

• SIL 1 at 5 year test interval
• Transmitters no longer contribute significantly
• Final element is controlling the result

Example – STR – Change to 2oo3D on inputs

Case | Input (2oo3D) | Logic Solver | Output (1oo1) | Total (MTTFs)
Simplex PLC | 7.71E-6 (0%) | 4.00E-2 (50%) | 4.00E-2 (50%) | 8.00E-2 (12.5 years)
Trip Amplifier (2oo3) | 7.71E-6 (0.02%) | 1.28E-6 (0%) | 4.00E-2 (99.98%) | 4.00E-02 (25 years)
Safety-configured PLC | 7.71E-6 (0%) | 8.00E-2 (67%) | 4.00E-2 (33%) | 1.20E-1 (8 years)
TMR Logic Solver | 7.71E-6 (0%) | 1.53E-03 (4%) | 4.00E-02 (96%) | 4.15E-02 (24 years)

• Slide callouts: STR approximately 1/10 years; STR approximately 1/20 years


Change output architecture

5 year proof test interval
• Adding a redundant block valve can significantly improve the PFDavg if the valves are properly maintained

Example - PFDavg – Change to Double Block Valve

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total | SIL
Simplex PLC | 4.30E-5 (0%) | 8.22E-2 (92%) | 7.08E-3 (8%) | 8.93E-2 (100%) | SIL 1
Trip Amplifier (2oo3) | 4.30E-5 (0.6%) | 1.06E-4 (1.5%) | 7.08E-3 (98%) | 7.23E-3 (100%) | SIL 2
Safety-configured PLC | 4.30E-5 (0.3%) | 1.00E-2 (58%) | 7.08E-3 (41%) | 1.72E-2 (100%) | SIL 1
TMR Logic Solver | 4.30E-5 (0.6%) | 1.30E-4 (1.8%) | 7.08E-3 (98%) | 7.25E-3 (100%) | SIL 2

At 5 year test interval


Example – STR – Change to Double Block Valve
STR driven by valve configuration

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total (MTTFs)
Simplex PLC | 7.71E-6 (0%) | 4.00E-2 (33%) | 8.00E-2 (66%) | 1.20E-2 (8.33 years)
Trip Amplifier | 7.71E-6 (0.01%) | 1.28E-6 (0%) | 8.00E-2 (99.99%) | 8.00E-02 (12.5 years)
Safety-configured PLC | 7.71E-6 (0%) | 8.00E-2 (50%) | 8.00E-2 (50%) | 1.60E-1 (6.25 years)
TMR Logic Solver | 7.71E-6 (0%) | 1.53E-03 (2%) | 8.00E-02 (98%) | 8.15E-02 (12.3 years)

Example – PFDavg
Final Elements at 1 year test interval
Transmitters and Logic Solver at 5 years

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total | SIL
Simplex PLC | 4.30E-5 (0%) | 8.22E-2 (99.6%) | 3.04E-4 (0.4%) | 8.26E-2 (100%) | SIL 1
Trip Amplifier (2oo3) | 4.30E-5 (9%) | 1.06E-4 (23%) | 3.04E-4 (67%) | 4.53E-4 (100%) | SIL 3
Safety-configured PLC | 4.30E-5 (0.4%) | 1.00E-2 (97%) | 3.04E-4 (3%) | 1.04E-2 (100%) | SIL 1
TMR Logic Solver | 4.30E-5 (9%) | 1.30E-4 (27%) | 3.04E-4 (64%) | 4.77E-4 (100%) | SIL 3

• Non-HFT PLC is the major contributor at this level for every function it performs; the overall system can never be better than this
• HFT PLC is NOT a major contributor; valves ARE major contributors – mechanical components are a problem; lack of periodic movement makes the failure rate worse
• Fully HFT SIS meets SIL 3 with annual final element test
• Once the other device architectures are made HFT, the function becomes dependent on the non-HFT PLC; all functions are similarly affected


Example – STR
- No change from previous since only final element TI changed
STR driven by valve configuration

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total (MTTFs)
Simplex PLC | 7.71E-6 (0%) | 4.00E-2 (33%) | 8.00E-2 (67%) | 1.20E-2 (8.33 years)
Trip Amplifier | 7.71E-6 (0.01%) | 1.28E-6 (0%) | 8.00E-2 (99.99%) | 8.00E-02 (12.5 years)
Safety-configured PLC | 7.71E-6 (0%) | 8.00E-2 (50%) | 8.00E-2 (50%) | 1.60E-1 (6.25 years)
TMR Logic Solver | 7.71E-6 (0%) | 1.53E-03 (2%) | 8.00E-02 (98%) | 8.15E-02 (12.3 years)

Example – PFDavg
Double Block Valve at 1 year
ASCO RCS with monthly SOV test
Transmitters and Logic Solver at 5 years

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total
Simplex PLC | 4.30E-5 (0%) | 8.22E-2 (99.6%) | 1.97E-4 (0.4%) | 8.25E-2 (100%)
Trip Amplifier (2oo3) | 4.30E-5 (9%) | 1.06E-4 (23%) | 1.97E-4 (67%) | 3.46E-4 (100%)
Safety-configured PLC | 4.30E-5 (0.4%) | 1.00E-2 (97%) | 1.97E-4 (3%) | 1.03E-2 (100%)
TMR Logic Solver | 4.30E-5 (9%) | 1.30E-4 (27%) | 1.97E-4 (64%) | 3.70E-4 (100%)

Fully HFT SIS meets SIL 3 with annual valve test


Example – STR
- Big change due to ASCO RCS
STR reduced significantly due to redundant solenoid configuration of ASCO RCS

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total (MTTFs)
Simplex PLC | 7.71E-6 (0.01%) | 4.00E-2 (74%) | 1.37E-2 (26%) | 5.37E-2 (18.6 years)
Trip Amplifier | 7.71E-6 (0.01%) | 1.28E-6 (0%) | 1.37E-2 (99.99%) | 1.37E-02 (73 years)
Safety-configured PLC | 7.71E-6 (0%) | 8.00E-2 (85%) | 1.37E-2 (15%) | 1.03E-2 (10.7 years)
TMR Logic Solver | 7.71E-6 (0%) | 1.53E-03 (10%) | 1.37E-02 (90%) | 1.52E-02 (66 years)

Example – PFDavg
Block Valve at 5 year TI / monthly PST
ASCO RCS with monthly SOV test
Transmitters and Logic Solver at 5 years

Case | Input (2oo3D) | Logic Solver | Output (1oo2) | Total | SIL
Simplex PLC | 4.30E-5 (0%) | 8.22E-2 (99.8%) | 1.57E-4 (0.2%) | 8.24E-2 (100%) | SIL 1
Trip Amplifier (2oo3) | 4.30E-5 (14%) | 1.06E-4 (35%) | 1.57E-4 (51%) | 3.07E-4 (100%) | SIL 3
Safety-configured PLC | 4.30E-5 (0.4%) | 1.00E-2 (98%) | 1.57E-4 (2%) | 1.02E-2 (100%) | SIL 1
TMR Logic Solver | 4.30E-5 (9%) | 1.30E-4 (27%) | 1.57E-4 (64%) | 3.30E-4 (100%) | SIL 3

Same low STR for HFT configurations


Summary
• The example illustrated how the percent contribution of each device to the PFDavg and MTTFSP can be used to improve the design
• The example further demonstrated the importance of addressing the architecture and proof test interval
