Safety Integrity Level Verification

Project:
Final Element Configurations

Customer:
Siemens
Spring House, PA
USA

Contract No.: Q04/08-20

Report No.: SIE 04/08-20 R001
Version V1, Revision R1.0, October 1, 2004
William Goble – Rachel Amkreutz

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management summary
This report summarizes the results of safety analyses on two final element configurations. In
both configurations an analog output on the PCS7 controls a digital valve positioner which
controls the air supply to the air-operated ball valve. Using the PCS7, partial valve stroke testing
of the air-operated ball valve is performed frequently.
In the first configuration an analog output of the PCS7 controls the digital valve positioner which
controls the air supply to the pneumatic actuator that activates the ball valve. In addition a digital
output of the S7F safety PLC controls a solenoid which is piped in series with the air supply
going to the actuator. In this configuration, the safety function part of the final element
configuration consists of the generic 3-way solenoid and the generic air-operated ball valve. The
PCS7 and digital valve positioner are not part of the safety function.
In the second configuration an analog output of the PCS7 controls the digital valve positioner
which controls the air supply to the pneumatic actuator that activates the ball valve. A relay is in
line with the analog output from the PSC7 to the digital valve positioner and can interrupt the
analog output signal. The relay is controlled by a digital output on the S7F safety PLC. For this
configuration, the safety function part of the final element configuration consists of the relay,
digital valve positioner and generic air-operated ball valve.
For the two final element configurations the average Probability of Failure on Demand (PFDAVG),
and Mean Time To Fail Spurious (MTTFS) are calculated for various proof test intervals. The
results are shown in Table 1.
Table 1 Final Element Configuration with Solenoid

PFDAVG
Proof Test Interval
Configuration with solenoid Configuration with relay
-3
1 year 6.27·10 3.89·10-3
2 years 1.13·10-2 6.98·10-3
3 years 1.62·10-2 1.01·10-2
4 years 2.11·10-2 1.31·10-2
5 years 3.09·10-2 1.93·10-2
This configuration with the generic 3-way solenoid has a Safe Failure Fraction of 67.0% and a
Mean Time To Fail Spurious (MTTFS) of 30 years.
The final element configuration using the generic relay to interrupt the analog signal to the
digital valve controller has a Safe Failure Fraction of 72.3% and a MTTFS of 35 years.
These results must be considered in combination with PFDAVG values of other devices of a
Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity
Level (SIL).

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 2 of 12
Table of Contents
Management summary....................................................................................................2
Table of Contents...................................................................................................................3
1 Project management..................................................................................................4
1.1 exida.com ......................................................................................................................4
1.2 Roles of the parties involved...........................................................................................4
1.3 Standards / Literature used.............................................................................................4
1.4 Reference documents.....................................................................................................5
1.4.1 Documentation provided by Siemens ..................................................................5
1.4.2 Documentation generated by exida.com..............................................................5
2 Final Element Configurations .....................................................................................6
2.1 Assumptions ...................................................................................................................7
2.2 Failure rates ....................................................................................................................7
3 Reliability Analysis .....................................................................................................8
3.1 Description of the failure categories................................................................................8
3.2 Results for final element configuration with solenoid ......................................................8
3.3 Results for final element configuration with relay............................................................9
4 Terms and Definitions .............................................................................................. 10
5 Status of the document ............................................................................................ 11
5.1 Liability ..........................................................................................................................11
5.2 Releases .......................................................................................................................11
5.3 Future Enhancements...................................................................................................11
5.4 Release Signatures.......................................................................................................11
Appendix A Failure Rate Data.................................................................................... 12

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 3 of 12
1 Project management
1.1 exida.com
exida.com is one of the world’s leading knowledge companies specializing in automation
system safety and availability with over 100 years of cumulative experience in functional safety.
Founded by several of the world’s top reliability and safety experts from assessment
organizations like TUV and manufacturers, exida.com is a partnership with offices around the
world. exida.com offers training, coaching, project oriented consulting services, internet based
safety engineering tools, detail product assurance and certification analysis and a collection of
on-line safety and reliability resources. exida.com maintains a comprehensive failure rate and
failure mode database on process equipment.

1.2 Roles of the parties involved

Siemens Manufacturer of the PCS7 and safety PLC
exida.com Project leader of the final element configuration safety analysis

1.3 Standards / Literature used

The services delivered by exida.com were performed based on the following standards /
literature.

[N1] IEC 61508-2: 2000 Functional Safety of Electrical/Electronic/Programmable

Electronic Safety-Related Systems
[N2] FMD-91 & FMD-97, RAC Failure Mode / Mechanism Distributions, Reliability
1991, 1997 Analysis Center. Statistical compilation of failure mode
distributions for a wide range of components
[N3] NPRD-95, RAC 1995 Nonelectronic Parts Reliability Data, Reliability Analysis
Center. Statistical compilation of failure rate data, incl.
mechanical and electrical sensors
[N4] Safety Equipment Reliability exida.com L.L.C, Safety Equipment Reliability Handbook,
Handbook, 2003 2003, ISBN 0-9727234-0-4
[N5] Online Safety Equipment exida.com L.L.C, Online Safety Equipment Reliability
Reliability Handbook Handbook, 2004

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 4 of 12
1.4 Reference documents
1.4.1 Documentation provided by Siemens
[D1] e-mail & phone Final Element Description
conversations

1.4.2 Documentation generated by exida.com

R1 Sie 04-08-20 R001 Final element configuration safety analysis (this report)
V110.doc, V110, October
1, 2004

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 5 of 12
2 Final Element Configurations
Two final element configurations have been analyzed. In both configurations an analog output
on the PCS7 controls a digital valve positioner which controls the air supply to the air-operated
ball valve. Using the PCS7 partial valve stroke testing of the air-operated ball valve is performed
frequently.
In the first configuration (see Figure 1) an analog output of the PCS7 controls the digital valve
positioner which controls the air supply to the pneumatic actuator that activates the ball valve. In
addition a digital output of the S7F safety PLC controls a solenoid which is piped in series with
the air supply going to the actuator. In this configuration, the safety function part of the final
element configuration consists of a generic 3-way solenoid and the generic air-operated ball
valve. The PCS7 and digital valve positioner are not part of the safety function.

S7F Safety
PLC

PCS7
S
Digital
valve Pneumatic
I/A Actuator
positioner
Solenoid

Ball
valve

Figure 1 Final Element Configuration including solenoid

In the second configuration (see Figure 2) an analog output of the PCS7 controls the digital
valve positioner which controls the air supply to the pneumatic actuator that activates the ball
valve. A relay is inline with the analog output from the PSC7 to the digital valve positioner and
can interrupt the analog output signal. The relay is controlled by a digital output on the S7F
safety PLC. For this configuration, the safety function part of the final element configuration
consists of the relay, digital valve positioner and generic air-operated ball valve.

S7F Safety
PLC

PCS7 relay

Digital
I/A valve Pneumatic
positioner Actuator

Ball
valve

Figure 2 Final Element Configuration with relay

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 6 of 12
For the final element configuration the average Probability of Failure on Demand (PFDAVG) and
Mean Time To Fail Spurious (MTTFS) are calculated for several proof test intervals.

2.1 Assumptions
The following assumptions were made during the reliability analysis of the final element
configurations:
• The application is de-energize-to-trip, i.e. the safety function’s action is to de-energize
the relay or the solenoid, which removes air from the actuator which causes the valve to
close
• The frequency at which the digital valve positioner performs a partial valve stroke is an
order of magnitude greater than the demand frequency. Therefore the partial valve
stroke can be considered an automatic self-diagnostic for the final element configuration
• To the digital valve positioner “clean air” is supplied per manufacturers instructions
• Online repair of all devices in the final element configurations takes 8 hours
• Startup of the process after a nuisance trip takes 24 hours
• The following proof test interval have been considered: 1 year, 2 years, 3 years, 4 years,
and 5 years

2.2 Failure rates

The failure rates used in the reliability analyses are from the exida process equipment failure
database, based on [N4], which is part of the exida SIL verification tool, SILver. A detailed
overview of the failure rates for each component of the final element configurations, including its
particular source, is provided in Appendix A.
The user of these numbers is responsible for determining their applicability to any particular
environment. Accurate plant specific data may be used for this purpose. If a user has data
collected from a good proof test reporting system that indicates higher failure rates, the higher
numbers shall be used. Some industrial plant sites have high levels of stress. Under those
conditions the failure rate data is adjusted to a higher value to account for the specific
conditions of the plant.

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 7 of 12
3 Reliability Analysis
The reliability analysis was performed based on information on the final element configurations
obtained from Siemens and is documented in [R1].

3.1 Description of the failure categories

In order to judge the failure behavior of the final element configurations, the following definitions
for the failure modes of the devices that constitute the configuration were considered.
Fail-Safe State State where output is de-energized, i.e. the relay or solenoid is de-
energized, which removes air from the actuator which causes the
valve to close.
Fail Safe Failure that causes the final element configuration to go to the
defined fail-safe state without a demand from the process. Safe
failures are divided into safe detected (SD) and safe undetected
(SU) failures.
Fail Dangerous Failure that has the potential to put the final element configuration
in a hazardous or fail-to-function state, by leaving the output
energized.
Fail Dangerous Undetected Failure that is dangerous and that is not being diagnosed by
diagnostics.
Fail Dangerous Detected Failure that is dangerous but is detected by diagnostics.

3.2 Results for final element configuration with solenoid

In this final element configuration, the safety function consists of a generic 3-way solenoid and
the generic air-operated ball valve. The digital valve positioner is not part of the safety
instrumented function. This application was graphically represented in Figure 1.
Based on the assumptions in section 2.1 and the detailed failure rates in Appendix A, the
reliability analysis of this final element configuration yields the following results. The calculations
assume partial valve stroke coverage of 70% on the air-operated ball valve. There is no
additional coverage on the generic 3-way solenoid due to the partial valve stroke testing.
Table 2 Final Element Configuration with Solenoid

Proof Test Interval PFDAVG

1 year 6.27·10-3
2 years 1.13·10-2
3 years 1.62·10-2
4 years 2.11·10-2
5 years 3.09·10-2
This configuration has a Mean Time To Fail Spurious (MTTFS) of 30 years. The Safe Failure
Fraction (SFF) for this configuration is 67.0%.

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 8 of 12
3.3 Results for final element configuration with relay
In the second final element configuration (see Figure 2) the safety function consists of a generic
relay, the digital valve positioner, 0-20mA mode, and a generic air-operated ball valve.
Based on the assumptions in section 2.1 and the detailed failure rates in Appendix A, the
reliability analysis of this final element configuration yields the following results.
Table 3 Final Element Configuration with Relay

Proof Test Interval PFDAVG

1 year 3.89·10-3
2 years 6.98·10-3
3 years 1.01·10-2
4 years 1.31·10-2
5 years 1.93·10-2
This configuration has a Mean Time To Fail Spurious (MTTFS) of 35 years. The Safe Failure
Fraction (SFF) for this configuration is 72.3%.

A comparison of the final element configuration with relay and the final element configuration
with solenoid is shown in Figure 3.

3.50E-02

3.00E-02

2.50E-02
Probability

2.00E-02
Conf i gur at i on wi t h s ol enoi d

Conf i gur at i on wi t h r el ay
1.50E-02

1.00E-02

5.00E-03

0.00E+00
0 1 2 3 4 5
Years

Figure 3 Average Probability of Failure on Demand

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 9 of 12
4 Terms and Definitions

FIT Failure In Time (1x10-9 failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis
HART Highway Addressable Remote Transducer
HFT Hardware Fault Tolerance
Low demand mode Mode, where the frequency of demands for operation made on a safety-
related system is no greater than one per year and no greater than twice
the proof test frequency.
MTTFS Mean Time To Fail Spurious
PFDAVG Average Probability of Failure on Demand
SFF Safe Failure Fraction summarizes the fraction of failures, which lead to a
safe state and the fraction of failures which will be detected by
diagnostic measures and lead to a defined safety action.
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System – Implementation of one or more Safety
Instrumented Functions. A SIS is composed of any combination of
sensor(s), logic solver(s), and final element(s).

Type A component “Non-Complex” component (using discrete elements); for details see
7.4.3.1.3 of IEC 61508-2
Type B component “Complex” component (using micro controllers or programmable logic);
for details see 7.4.3.1.3 of IEC 61508-2

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 10 of 12
5 Status of the document

5.1 Liability
exida.com prepares safety analysis reports based on methods advocated in International
standards. Failure rates are obtained from a collection of industrial databases. exida.com
accepts no liability whatsoever for the use of these numbers or for the correctness of the
standards on which the general calculation methods are based.
5.2 Releases
Version: V1
Revision: R1.0
Version History: V1, R1.0: Released to Siemens; October 1, 2004
Authors: William M. Goble – Rachel Amkreutz
Review: V0, R1.0: Iwan van Beurden (exida.com); October 1, 2004
Release status: released

5.3 Future Enhancements

At request of client.

5.4 Release Signatures

Dr. William M. Goble, Principal Partner

Rachel Amkreutz, Safety Engineer

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 11 of 12
 Appendix A Failure Rate Data
The failure rates used in the reliability analysis of the final element configuration are presented
in Table 4.

Table 4 Device failure rates

Device λDD [hr-1] λDU [hr-1] λSD [hr-1] λSU [hr-1] Source

Digital valve positioner,

0 5.00·10-08 0 7.00·10-07 [N5]
2-wire, 0-20mA mode
Generic relay 0 6.00·10-07 0 9.00·10-07 [N4]
Generic 3-way solenoid 0 1.20·10-06 0 2.20·10-06 [N5]
Generic Air Operated
Ball valve, Hard Seat, 5.60·10-07 2.40·10-07 1.65·10-07 0 [N5]
Full Stroke only

The failure rates for the digital valve positioner and the generic air operated ball valve reflect
partial valve stroke testing at a high frequency (more than 10 times the demand rate) and a
partial valve stroke testing coverage of 70%.
Overall failure rates for the final element configuration that consists of the generic 3-way
solenoid and generic ball valve:
λSD = 1.65·10-07 [hr-1]
λSU = 2.20·10-6 [hr-1]
λDD = 5.60·10-07 [hr-1]
λDU = 1.44·10-06 [hr-1]
The Safe Failure Fraction (SFF) for this configuration is 67.0%

Overall failure rates for the final element configuration that consists of the generic relay, digital
valve positioner and the generic ball valve:
λSD = 1.65·10-07 [hr-1]
λSU = 1.60·10-06 [hr-1]
λDD = 5.60·10-07 [hr-1]
λDU = 8.90·10-07 [hr-1]
The Safe Failure Fraction (SFF) for this configuration is 72.3%

© exida.com L.L.C. sie 04-08-20 r001 v110, 10/1/2004

William M. Goble – Rachel Amkreutz Page 12 of 12