IEC 61508 Functional Safety Assessment
Project:
ASCO Redundant Control System
Customer:
ASCO Valve, Inc
Florham Park, NJ
USA
Contract No.: Q08/12-44
Report No.: ASCO 08-12-44 R002
Version V1, Revision R1, June 15, 2009
Chris O'Brien, Iwan van Beurden
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management summary
This report summarizes the results of the functional safety assessment according to IEC 61508
carried out on the:

Redundant Control System, RCS
The functional safety assessment performed by exida consulting consisted of the following
activities:
- exida consulting assessed the development process used by ASCO by an on-site audit and
  creation of a detailed safety case against the requirements of IEC 61508.
- exida consulting performed a detailed Failure Modes, Effects, and Diagnostic Analysis
  (FMEDA) of the devices to document the hardware architecture and failure behavior. This
  included detailed Markov models of the fault tolerant architectures, done in order to show
  accurate average probability of failure on demand.
The functional safety assessment was performed to the requirements of IEC 61508, SIL 3. A full
IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the
primary audit tool. Hardware process requirements and all associated documentation were
reviewed. Environmental test reports were reviewed. Also the user documentation (safety manual)
was reviewed.
The results of the Functional Safety Assessment can be summarized by the following statements:
The RCS was found to meet the requirements of SIL 3 when configured with Automatic
Diagnostic Tests.
The RCS was found to meet the requirements of SIL 2 when configured with Manually
Initiated Tests.
© exida.com L.L.C.
Chris O'Brien, Iwan van Beurden
asco 08-12-44 r002 v1 r1 iec 61508 assessment, 6/15/2009
Page 2 of 16
Table of Contents
Management summary ................................................................ 2
1 Purpose and Scope ................................................................ 4
2 Project management ............................................................... 5
2.1 exida .......................................................................... 5
2.2 Roles of the parties involved .................................................. 5
2.3 Standards / Literature used .................................................... 5
2.4 Reference documents ............................................................ 5
2.4.1 Documentation provided by ASCO ............................................... 5
2.4.2 Documentation generated by exida ............................................. 6
3 Product Description .............................................................. 7
3.1 ASCO RCS ....................................................................... 7
4 IEC 61508 Functional Safety Assessment ........................................... 8
4.1 Methodology .................................................................... 8
4.2 Assessment level ............................................................... 8
5 Results of the IEC 61508 Functional Safety Assessment ............................ 9
5.1 Lifecycle Activities and Fault Avoidance Measures .............................. 9
5.1.1 Functional Safety Management ................................................. 9
5.1.2 Safety Requirements Specification and Architecture Design .................... 9
5.1.3 Hardware Design ............................................................. 10
5.1.4 Validation .................................................................. 10
5.1.5 Verification ................................................................ 11
5.1.6 Modifications ............................................................... 11
5.1.7 User documentation .......................................................... 11
5.2 Hardware Assessment ........................................................... 12
5.2.1 RCS with Automated Diagnostic Tests ......................................... 12
5.2.2 RCS with Manually initiated Diagnostic Tests ................................ 13
6 Terms and Definitions ........................................................... 15
7 Status of the document .......................................................... 16
7.1 Liability ..................................................................... 16
7.2 Releases ...................................................................... 16
7.3 Future Enhancements ........................................................... 16
7.4 Release Signatures ............................................................ 16
1 Purpose and Scope
Generally three options exist when doing an assessment of sensors, interfaces and/or final
elements.
Option 1: Hardware assessment according to IEC 61508
Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s)
like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault
behavior and the failure rates of the device, which are then used to calculate the Safe Failure
Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG). When appropriate, fault
injection testing will be used to confirm the effectiveness of any self-diagnostics.
This option provides the safety instrumentation engineer with the required failure data as per IEC
61508 / IEC 61511. This option does not include an assessment of the development process.
Option 2: Hardware assessment with proven-in-use consideration according to IEC 61508 /
IEC 61511
Option 2 extends Option 1 with an assessment of the proven-in-use documentation of the device
including the modification process.
This option for pre-existing programmable electronic devices provides the safety instrumentation
engineer with the required failure data as per IEC 61508 / IEC 61511. When combined with plant
specific proven-in-use records, it may help with prior-use justification per IEC 61511 for sensors,
final elements and other PE field devices.
Option 3: Full assessment according to IEC 61508
Option 3 is a full assessment by exida according to the relevant application standard(s) like
IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1.
The full assessment extends option 1 by an assessment of all fault avoidance and fault control
measures during hardware and software development.
This option provides the safety instrumentation engineer with the required failure data as per IEC
61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures
during the development process of the device.
This assessment shall be done according to option 3.
This document shall describe the results of the IEC 61508 functional safety assessment of the
ASCO RCS.
2 Project management
2.1 exida
exida is one of the world’s leading knowledge companies specializing in automation system safety
and availability with over 300 years of cumulative experience in functional safety. Founded by
several of the world’s top reliability and safety experts from assessment organizations and
manufacturers, exida is a partnership with offices around the world. exida offers training, coaching,
project oriented consulting services, internet based safety engineering tools, detailed product
assurance and certification analysis and a collection of on-line safety and reliability resources.
exida maintains a comprehensive failure rate and failure mode database on process equipment.
exida-certification is the market leader for IEC 61508 certification for industrial control products.
2.2 Roles of the parties involved
ASCO: Manufacturer of the RCS
exida: Performed the IEC 61508 Functional Safety Assessment according to option 3 (see section 1)
ASCO contracted exida in May 2009 to update the IEC 61508 Functional Safety Assessment of the
above-mentioned device.
2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 7): 2000 – Functional Safety of Electrical/Electronic/Programmable
Electronic Safety-Related Systems
2.4 Reference documents
2.4.1 Documentation provided by ASCO
[D1] ECN – Engineering Change Notice (web-system)
[D2] Marketing Data Sheet, Rev C – RCS Marketing Specification Document
[D3] Catalog 33A, 7/1/2003 – Solenoid Valves, Air Operated Valves, Combustion Products,
Accessories Catalog
[D4] V7363R2 – Redundant Control System Brochure
[D5] MP-I-121, 10/24/2003 – Procedure for handling of ASCO Valve, Inc. Stop Orders
[D6] EDP-013 – Valve Engineering R&D investigation/corrective action procedure
[D7] EDP-136, Rev D, 11/1/2005 – Engineering Development Process
[D8] EDP-145, Rev F; 9/5/2003 – Valve Engineering Design Review Process
[D9] EDP-148, Rev A; 5/16/2002 – Qualification Test Plan procedure
[D10] 600028-QTP-289587-2, 10/5/05 – Qualification Test Plan
[D11] 600028-QTP-289587-2QTR – Qualification Test Plan Results
[D12] TSS template, Rev C; 1/2/2002 – Technical Specification Sheet (TSS) template
[D13] SM001, 9/11/2006 – RCS Safety Manual
[D14] ELP-161, Rev E; 11/8/1982 – Conducting valve engineering laboratory life tests
[D15] VSP-14, 9/1/2005 – Procedure for handling valve returns
[D16] ASCO_DMDO_Results_final 5-27-2004.pdf – Competency procedures / records - example
2.4.2 Documentation generated by exida
[R1] ASCO 08-12-44 R001 V1 R2 FMEDA RCS, 06/15/2009 – FMEDA report, ASCO RCS
[R2] ASCO 06-04-37 R003 SafetyCase Review, V1 R1, 10/13/2006 – ASCO IEC 61508 Compliance
Assessment, SafetyCaseDB Review (internal document)
[R3] ASCO 06-04-37 R002 V1 R1 IEC 61508 Assessment, 10/13/2006 – IEC 61508 Functional Safety
Assessment, ASCO RCS (previous assessment, updated by this report)
[R4] ASCO 08-12-44 R002 V1 R1 IEC 61508 Assessment, 6/15/2009 – IEC 61508 Functional Safety
Assessment, ASCO RCS (this report)
3 Product Description
3.1 ASCO RCS
The RCS is an electro-mechanical and pneumatic device that controls the air supply to
pneumatically actuated block valves. The RCS contains redundant solenoids and a pneumatic
bypass valve. Pressure switches are used to confirm the proper position of the solenoid valves and
the bypass switch. When used in conjunction with a safety rated logic solver, it provides diagnostics
on the performance of the subsystems.
The RCS is available in multiple configurations including 1oo1 Hot Standby (HS), 2oo2, and Double
Acting. For safety instrumented systems usage it is assumed that the pneumatic output from V1
(V1 and V2 in the case of double acting) is used as the primary safety variable. The RCS is
classified as a Type A (1) device according to IEC 61508, having a hardware fault tolerance of 0. The
failsafe state of the device in a 1oo1HS, or 2oo2 configuration is de-energized with V1 vented to
atmosphere. The failsafe state of a device in a double acting configuration is supply pressure
connected to V1 and V2 vented to atmosphere.

(1) Type A component: “Non-Complex” (sub)system (using discrete elements); for details see 7.4.3.1.2 of
IEC 61508-2.
4 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received
from ASCO and is documented in [R2].
4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault
control measures during hardware and software development (if applicable) and demonstrates full
compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC
61508. Any requirements that have been deemed not applicable have been marked as such in the
full Safety Case report, e.g. software development requirements for a product with no software.
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  o Functional Safety Management, including training and competence recording, FSM
    planning, and configuration management
  o Specification process, techniques and documentation
  o Design process, techniques and documentation, including tools used
  o Validation activities, including development test procedures, test plans and reports,
    production test procedures and documentation
  o Verification activities and documentation
  o Modification process and documentation
  o Installation, operation, and maintenance requirements, including user documentation
- Product design
  o Hardware architecture and failure behavior, documented in a FMEDA
The review of the development procedures is described in section 5. The review of the product
design is described in section 5.2.
4.2 Assessment level
The RCS has been assessed per IEC 61508 to the following level:
- SIL 3 capability
The development procedures were assessed as suitable for use in applications with a maximum
Safety Integrity Level of 3 (SIL3) according to IEC 61508.
5 Results of the IEC 61508 Functional Safety Assessment
exida consulting assessed the development process used by ASCO for this development against
the objectives of IEC 61508 parts 1 and 2. The assessment was done on July 25 and 26, 2006 on-site at Aiken, SC. Additionally a Safety Case was completed, see [R2].
5.1 Lifecycle Activities and Fault Avoidance Measures
ASCO has a 6-phase staged-gate process in place for product development with specific
deliverables, reviews and approvals at each gate. This is documented in EDP-136 [D7]. The same
process is used for modifications. No software is part of the design and therefore the IEC 61508
requirements specific to software and software development do not apply.
This functional safety assessment has shown that the process sufficiently meets the requirements
of IEC 61508, SIL 3. The assessment investigated the compliance with IEC 61508 of the
processes, procedures and techniques as implemented for the ASCO development. The
investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work
scope of the development team. The result of the assessment can be summarized by the following
observations:
The audited ASCO development process complies with the relevant managerial
requirements of IEC 61508 SIL 3.
5.1.1 Functional Safety Management
FSM Planning
ASCO has a 6-phase staged-gate process in place for product development with specific
deliverables, reviews and approvals at each gate. This is documented in EDP-136 [D7]. The same
process is used for modifications. This process and procedures referenced herein fulfill the
requirements of IEC 61508 with respect to functional safety management.
Version Control
All documents as called out for in EDP-136 are under version control. Design drawings and
documents are also under version control.
Training, Competency recording
Personnel training records are kept per standard quality procedures. ASCO provided an example
training record for ProE training, see [D16]. ASCO hired exida to be the independent assessor per
IEC 61508 and to provide specific IEC 61508 knowledge.
5.1.2 Safety Requirements Specification and Architecture Design
The first step for any new development is the creation of a Marketing Data Sheet (MDS) by the
Marketing Department. Once this has been reviewed and the project accepted, engineering will
develop the project Technical Specification Sheet (TSS). This captures in detail all the
requirements for the devices, such as critical functions, performance targets etc. exida reviewed the
content of the specification for completeness per the requirements of IEC 61508.
As the valves are simple electro-mechanical devices, there is no need for a separate architecture
design phase. The MDS and TSS will indicate if the design is new or based on an existing design.
Requirements as specified in the Technical Specification Sheet (TSS) are tracked through all
development phases.
Items from IEC 61508-2, Table B.1 include project management, documentation, separation of
safety requirements from non-safety requirements, structured specification, and inspection of the
specification. As the function of the valve is simple and clearly defined there is no need for semiformal methods such as functional block diagrams. The application is considered when specifying
the requirements; the devices may be required to meet specific applications standards. This meets
SIL 3.
5.1.3 Hardware Design
The hardware design process consists of two distinct phases: concept verification, and design and
development. During concept verification all possible solutions are reviewed and the most
promising is detailed. During this phase also the Qualification Test Plan and Agency Approval Plan
is developed (equal to validation plan per IEC 61508). In the design and development phase, the
design is further detailed and Qualification testing is performed on beta units. Per EDP-145, a
preliminary design review, an intermediate and final design review is conducted. ASCO has
standards for documentation with specified output documents.
ASCO uses ProE and AutoCad as development tools. Version numbers should be listed and re-qualification should be done when the tool vendor makes revisions. Re-qualification test results
should be documented and reviewed. ASCO confirmed in discussions during the on-site audit that
tool re-qualification is performed.
Items from IEC 61508-2, Table B.2 include observance of guidelines and standards, project
management, documentation (design outputs are documented per EDP-136 and other quality
guidelines), structured design, modularization, use of well-tried components, and computer-aided
design tools. This meets SIL 3.
5.1.4 Validation
Validation Testing is done via a documented plan, the Qualification Test Plan, written per the
Technical Specification Sheet and includes compliance testing per application standards, through
the Agency Approval Plan which is part of the QTP. The QTP is traceable to the TSS. As the RCS
are purely electro-mechanical devices with a simple safety function, there is no separate integration
testing necessary. However, the components do undergo several separate tests before the RCS is
integrated; this is part of the Qualification Test Plan. The RCS performs only 1 safety function,
which is extensively tested under various conditions during validation testing.
Procedures are in place for corrective actions to be taken when tests fail. Every run of the
Qualification Test Plan is documented in a Qualification Test Report and reviewed.
Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation,
and black-box testing (for the considered devices this is similar to functional testing). Field
experience and statistical testing via regression testing are not applicable. This meets SIL 3.
Items from IEC 61508-2, Table B.5 included functional testing and functional testing under
environmental conditions, project management, documentation, failure analysis (analysis on
products that failed), expanded functional testing, black-box testing, and fault insertion testing
(results included in the QTR). This meets SIL 3.
5.1.5 Verification
The development and verification activities are defined in the New Product Development Process,
EDP-136. For each phase the objectives are stated, required input and output documents and
review activities. Checklists are used for e.g. the review of the Marketing Data Sheet. Design
reviews are governed by EDP-145, Valve Engineering Design Review Process. Per EDP-136, the
following verification steps are defined: product idea review, concept definition review, feasibility
review, design and development review, pilot run review, and introduction review. All verification
activities are documented. This meets SIL 3.
5.1.6 Modifications
Modifications are done per the Engineering Change Notice procedure. A web-based system is in
place to track ECNs. The ECN system allows the user to identify if a certified device is affected.
Affected documents and/or drawings are also listed. If design changes are identified as a result of
an ECN, they are usually treated as a derived product and therefore the same general procedure is
used for both new development and modifications. All design change requests are reviewed to
determine if there is any negative impact on product safety. This review is done by both the
assigned engineer and the appropriate engineering manager. This meets SIL 3.
5.1.7 User documentation
ASCO creates the following user documentation: the product catalogs [D3] and [D4] and the RCS Safety Manual [D13].
Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user
friendliness, maintenance friendliness, project management, documentation, limited operation
possibilities (RCS performs well-defined action) and operation only by skilled operators (operators
familiar with type of valve, although this is partly the responsibility of the end-user). This meets SIL
3.
5.2 Hardware Assessment
To evaluate the hardware design of the RCS a Failure Modes, Effects, and Diagnostic Analysis was
performed by exida. This is documented in [R1].
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect
and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with
extension to identify online diagnostics techniques and the failure modes relevant to safety
instrumented system design.
5.2.1 RCS with Automated Diagnostic Tests
From the FMEDA failure rates are derived for each important failure category for the RCS with
Automated Diagnostic Tests. Table 1 lists these failure rates as reported in the FMEDA report. The
failure rates are valid for the useful life of the devices. Based on ASCO endurance test data and
general field failure data a useful life period of approximately 10 years is expected for the RCS.
This is listed in the FMEDA reports.
Table 1 Failure rates according to IEC 61508 for RCS with Automated Diagnostic Tests

Device            λSD       λSU (2)   λDD       λDU
Solenoid Valve    594 FIT   261 FIT   502 FIT   10 FIT
Bypass Valve       57 FIT    88 FIT     7 FIT    0 FIT
Pressure Switch   444 FIT     5 FIT     0 FIT    0 FIT
If the RCS is used as the only component in a final element subassembly with Automated
Diagnostic Tests, the design can meet SIL 3 @ HFT = 0 based on a SFF > 90%.
Using Markov modeling, an average Probability of Failure on Demand (PFDAVG) calculation was
performed for the RCS with Automated Diagnostic Tests in a 1oo1HS, 2oo2, and Double Acting
configurations. The failure rate data used in these calculations is shown in Table 1. Summary
results for these configurations are shown in Table 2.
Table 2 PFDAVG for the RCS with Automated Diagnostic Tests

Configuration   Beta Factor   PFDAVG at proof test interval (years)          MTTFS (years)
                              1              2              3
1oo1HS          1%            1.24 x 10^-4   2.12 x 10^-4   3.00 x 10^-4   1,464
2oo2            3%            1.23 x 10^-4   2.10 x 10^-4   2.97 x 10^-4   1,784
Double Acting   3%            1.23 x 10^-4   2.10 x 10^-4   2.97 x 10^-4   1,784
(2) It is important to realize that the “no effect” failures are included in the “safe undetected” failure category
according to IEC 61508. Note that these failures on their own will not affect system reliability or safety, and
should not be included in spurious trip calculations.
The PFDAVG is based on an ADT time of 24 hours and a repair time of 24 hours. The calculation
assumes that the switch between solenoid valves is fast enough that it will not cause a trip of the
block valve.
For SIL 3 applications, the PFDAVG value needs to be ≥ 10^-4 and < 10^-3. This means that for a SIL 3
application, with a proof test interval of 1 year, an ADT of 24 hours and a repair time of 24 hours,
the PFDAVG of the RCS in a 1oo1HS configuration is equal to 12.4% of the range and for the 2oo2
and Double Acting configuration the PFDAVG of the RCS is 12.3% of the range.
Given the uniqueness of the RCS architecture, simplified equations are not recommended for
accurate results. A complete and accurate calculation can be made with the exida exSILentia® tool
(SILverTM) available from exida.
These results must be considered in combination with PFDAVG values of other devices of a Safety
Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level
(SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each
defined safety instrumented function (SIF) to verify the design of that SIF.
The analysis shows that design of the RCS with Automated Diagnostic Tests meets the
hardware requirements of IEC 61508, SIL 3.
5.2.2 RCS with Manually initiated Diagnostic Tests
From the FMEDA failure rates are derived for each important failure category for the RCS with
Manually initiated Diagnostic Tests. Table 3 lists these failure rates as reported in the FMEDA
report. The failure rates are valid for the useful life of the devices. Based on ASCO endurance test
data and general field failure data a useful life period of approximately 10 years is expected for the
RCS. This is listed in the FMEDA reports.
Table 3 Failure rates according to IEC 61508 for RCS with Manually Initiated Diagnostic Tests

Device            λSD       λSU (3)   λDD       λDU
Solenoid Valve      0 FIT   855 FIT     0 FIT   512 FIT
Bypass Valve        0 FIT   145 FIT     0 FIT     7 FIT
Pressure Switch     0 FIT   449 FIT     0 FIT     0 FIT
If the RCS is used as the only component in a final element subassembly with Manually initiated
Diagnostic Tests, the design can meet SIL 2 @ HFT = 0 based on a SFF > 60%.
Using Markov modeling, an average Probability of Failure on Demand (PFDAVG) calculation was
performed for the RCS with Manually initiated Diagnostic Tests in a 1oo1HS, 2oo2, and Double Acting
configurations. The failure rate data used in these calculations is shown in Table 3. Summary
results for these configurations are shown in Table 4.
(3) It is important to realize that the “no effect” failures are included in the “safe undetected” failure category
according to IEC 61508. Note that these failures on their own will not affect system reliability or safety, and
should not be included in spurious trip calculations.
Table 4 PFDAVG for the RCS with Manual Diagnostic Tests

Configuration   Beta Factor   PFDAVG at proof test interval (years)          MTTFS (years)
                              1              2              3
1oo1HS          1%            1.11 x 10^-4   1.99 x 10^-4   2.87 x 10^-4   61.50
2oo2            3%            1.10 x 10^-4   1.97 x 10^-4   2.84 x 10^-4   62.72
Double Acting   3%            1.10 x 10^-4   1.97 x 10^-4   2.84 x 10^-4   62.72
The PFDAVG is based on a Manual Diagnostic Interval of 24 hours. The calculation assumes that
the switch between solenoid valves is fast enough that it will not cause a trip of the block valve.
For SIL 2 applications, the PFDAVG value needs to be ≥ 10^-3 and < 10^-2. This means that for a SIL 2
application, with a proof test interval of 1 year, and a Manual Diagnostic Test Interval of 24 hours,
the PFDAVG of the RCS in a 1oo1HS configuration is equal to 1.1% of the range and for the 2oo2
and Double Acting configuration the PFDAVG of the RCS is 1.1% of the range.
Given the uniqueness of the RCS architecture, simplified equations are not recommended for
accurate results. A complete and accurate calculation can be made with the exida exSILentia® tool
(SILverTM) available from exida.
These results must be considered in combination with PFDAVG values of other devices of a Safety
Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level
(SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each
defined safety instrumented function (SIF) to verify the design of that SIF.
The analysis shows that design of the RCS with Manually Initiated Diagnostic Tests meets
the hardware requirements of IEC 61508, SIL 2.
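As an added worked example, not code from the exida report or from ASCO, the following Python reproduces the two checks behind the conclusions of sections 5.2.1 and 5.2.2: the Safe Failure Fraction computed from the Table 1 and Table 3 failure rates, compared against the IEC 61508-2 Table 2 architectural constraints for a Type A element, and the position of a PFDAVG value inside its SIL band (the report's "% of the range" figure). The PFDAVG values are taken from Tables 2 and 4 as the report's Markov results and are not recomputed, since the report states that simplified equations are not appropriate for this architecture. All names (FailureRates, achievable_sil, AUTOMATED, MANUAL) are this example's own.

```python
"""SIL capability of an element from FMEDA failure-rate categories.

Added example (not code from the exida report or from ASCO): reproduces the
two checks behind sections 5.2.1 and 5.2.2.  Failure rates are copied from
Tables 1 and 3; PFDavg values are the report's Markov results (Tables 2 and 4)
and are NOT recomputed here.  Names (FailureRates, achievable_sil, ...) are
this example's own.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT (1e-9 /h) for the four IEC 61508 categories."""
    sd: float  # safe detected
    su: float  # safe undetected; per the report's footnote this also holds
               # "no effect" failures, so do not feed it to spurious-trip math
    dd: float  # dangerous detected
    du: float  # dangerous undetected

    def __add__(self, other: "FailureRates") -> "FailureRates":
        return FailureRates(self.sd + other.sd, self.su + other.su,
                            self.dd + other.dd, self.du + other.du)

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    def sff(self) -> float:
        """Safe Failure Fraction: all failures that are safe or are detected."""
        return (self.sd + self.su + self.dd) / self.total


# IEC 61508-2:2000 Table 2, Type A ("non-complex") elements:
# (lower SFF bound, max SIL at HFT 0, HFT 1, HFT 2), highest band first.
TYPE_A_CONSTRAINTS = [
    (0.99, (3, 4, 4)),
    (0.90, (3, 4, 4)),
    (0.60, (2, 3, 4)),
    (0.00, (1, 2, 3)),
]

# IEC 61508-1 Table 2, low demand mode: SIL -> [lower, upper) PFDavg band.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def max_sil_type_a(sff: float, hft: int) -> int:
    """Highest SIL the architectural constraints allow for a Type A element."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lower, sils in TYPE_A_CONSTRAINTS:
        if sff >= lower:
            return sils[hft]
    raise ValueError("SFF must be in [0, 1]")


def sil_from_pfd(pfd: float) -> int:
    """SIL band a low-demand PFDavg value falls into."""
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    raise ValueError(f"PFDavg {pfd:g} is outside the SIL 1..4 bands")


def fraction_of_band(pfd: float, sil: int) -> float:
    """PFDavg as a share of the band's upper limit: the report's
    "% of the range" figure (1.24e-4 in the SIL 3 band -> 12.4 %)."""
    return pfd / PFD_BANDS[sil][1]


def achievable_sil(rates: FailureRates, hft: int, pfd: float) -> int:
    """SIL claimable for the element on its own: the weaker of the
    architectural constraint (SFF and HFT) and the PFDavg band."""
    return min(max_sil_type_a(rates.sff(), hft), sil_from_pfd(pfd))


def device_rates(parts: Dict[str, FailureRates]) -> FailureRates:
    """Sum the per-component rates to the device level."""
    return sum(parts.values(), FailureRates(0, 0, 0, 0))


# Report Table 1 (Automated Diagnostic Tests) and Table 3 (Manually Initiated
# Tests), in FIT.
AUTOMATED = {
    "Solenoid Valve": FailureRates(594, 261, 502, 10),
    "Bypass Valve": FailureRates(57, 88, 7, 0),
    "Pressure Switch": FailureRates(444, 5, 0, 0),
}
MANUAL = {
    "Solenoid Valve": FailureRates(0, 855, 0, 512),
    "Bypass Valve": FailureRates(0, 145, 0, 7),
    "Pressure Switch": FailureRates(0, 449, 0, 0),
}


if __name__ == "__main__":
    # 1oo1HS PFDavg at a 1 year proof test interval, from Tables 2 and 4.
    for label, parts, pfd in (("Automated", AUTOMATED, 1.24e-4),
                              ("Manual", MANUAL, 1.11e-4)):
        dev = device_rates(parts)
        sil = achievable_sil(dev, hft=0, pfd=pfd)
        print(f"{label:9s} SFF={dev.sff():.1%} arch SIL {max_sil_type_a(dev.sff(), 0)}"
              f" PFD band SIL {sil_from_pfd(pfd)} -> claim SIL {sil},"
              f" {fraction_of_band(pfd, sil):.1%} of the SIL {sil} range")
```

Two things worth noticing when running it. First, the device-level totals of Table 1 and Table 3 agree (1968 FIT): switching from automated to manual diagnostics only moves failures between the detected and undetected columns, so an unequal total would point at a transcription error in one table. Second, for the manual configuration the 1oo1HS PFDAVG of 1.11 x 10^-4 on its own sits in the SIL 3 band, yet the SFF of about 74% limits a Type A element at HFT = 0 to SIL 2, which is exactly why the report claims SIL 2; the IEC 61508-2 table would allow SIL 3 at HFT = 1, but the report makes no such claim and a redundant arrangement would need its own analysis.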
6 Terms and Definitions
Fault tolerance – Ability of a functional unit to continue to perform a required function in the
presence of faults or errors (IEC 61508-4, 3.6.3)
FIT – Failure In Time (1 x 10^-9 failures per hour)
FMEDA – Failure Mode Effect and Diagnostic Analysis
HFT – Hardware Fault Tolerance
Low demand mode – Mode, where the frequency of demands for operation made on a safety-related
system is no greater than twice the proof test frequency.
MTTFS – Mean Time To Fail Spurious
PFDAVG – Average Probability of Failure on Demand
SFF – Safe Failure Fraction summarizes the fraction of failures, which lead to a safe state and the
fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
SIS – Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A
SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A (sub)system – “Non-Complex” (sub)system (using discrete elements); for details see 7.4.3.1.2
of IEC 61508-2
Type B (sub)system – “Complex” (sub)system (using micro controllers or programmable logic); for
details see 7.4.3.1.3 of IEC 61508-2
7 Status of the document
7.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are
obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use
of these numbers or for the correctness of the standards on which the general calculation methods
are based.
7.2 Releases
Version: V1
Revision: R1
Version History:
V1, R1: First Release; June 15, 2009
V0, R1: Draft; June 15, 2009
Authors: Chris O'Brien, Iwan van Beurden
Review: V0, R1: Bill Goble
Release status: Released
7.3 Future Enhancements
At request of client.
7.4 Release Signatures
Dr. William M. Goble, Principal Partner
Chris O’Brien, Director of Business Development
Iwan van Beurden, Director of Engineering