
Page 1: TurboSentry™ Overspeed Protection Device IEC and SIL ...tri-sen.com/.../uploads/2012/04/...and-SIL-Report.pdf · TurboSentry - IEC 61511 Compliance and SIL Verification Report Reference:

CONFIDENTIAL INFORMATION

This document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

TurboSentry™ Overspeed Protection Device IEC 61511 Compliance and SIL Verification Report

Harry L. Cheddie, P. Eng
Cteris Consulting Inc. - Director
ASQ Certified Reliability Engineer (CRE)
ASQ Certified Quality Engineer (CQE)
Certified Functional Safety Expert (CFSE)

Document ID | Revision | Status | Date
C11-02-28 R1 | 1 | Issued | 25 March 2011


TurboSentry - IEC 61511 Compliance and SIL Verification Report Reference: C11-02-28 R1

Terms

AC: Architectural Constraints are stipulated by IEC 61508 and IEC 61511 to limit the SIL that can be claimed for any safety function on the basis of its hardware fault tolerance and its Safe Failure Fraction (SFF). They require a subsystem to have a minimum level of redundancy based on its SFF to ensure the required hardware fault tolerance. For a device with a low SFF, redundancy may be required to satisfy SIL requirements.

Fixed program language (FPL): With this type of language, the user is limited to adjustment of a few parameters (for example, range of the pressure transmitter, alarm levels, network addresses). Typical examples of devices with FPL are: smart sensor (for example, pressure transmitter), smart valve, sequence of events controller, dedicated smart alarm box, small data logging systems.

Limited variability language (LVL): This type of language is designed to be comprehensible to process sector users, and provides the capability to combine predefined, application specific, library functions to implement the safety requirements specifications. An LVL provides a close functional correspondence with the functions required to achieve the application. Typical examples of LVL include ladder diagram, function block diagram and sequential function chart.

Full variability language (FVL): This type of language is designed to be comprehensible to computer programmers and provides the capability to implement a wide variety of functions and applications. Typical examples of systems using FVL are C, Pascal, Instruction List, assembler languages, C++, Java, SQL.

Hardware Fault Tolerance (HFT): Refer to section 6 of this report

IEC: International Electrotechnical Commission prepares and publishes international standards for all electrical, electronic and related technologies.

PFD: Probability of Failure upon Demand is a confidence factor that a device will function as prescribed when it is demanded to do so. For example, a temperature transmitter has a continuous demand to report a proper temperature measurement while an emergency shutdown valve must only operate in an emergency condition.

RRF: Risk Reduction Factor is a measure of how much protection is afforded to the system by application of a specific Safety Function.

SFF: Safe Failure Fraction is the fraction of the overall random hardware failure rate of a device that results in either a safe failure or a detected dangerous failure. The SFF data contributes to a decision for the level of redundancy required to reach the required Safety Integrity Level (SIL) of the Safety Function (e.g., 1 out of 1; 1 out of 2; or 2 out of 3 architecture).

SIF: Safety Instrumented Function - Safety Function with a specified Safety Integrity Level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.

Page 2 of 25


SIL: Safety Integrity Levels (SIL-1, SIL-2, SIL-3 and SIL-4) identify increasing levels of required risk reduction. The Safety Integrity Level (SIL) achieved for a Safety Instrumented Function is an indication of its ability to function correctly when required. The four discrete integrity levels have been defined in the standard ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Each level relates to the average probability of failure when a demand is placed on the system (PFDavg). This relates to the risk reduction as per Table 1 below:

Table 1

SIL | Risk Reduction Factor (RRF)
1 | 10 – 100
2 | 100 – 1,000
3 | 1,000 – 10,000
4 | 10,000 – 100,000

SIS: Safety Instrumented System - Instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).


Abbreviations

FIT Failure In Time (1 x 10^-9 failures per hour)

FPL Fixed program language

FTA Fault tree analysis

FVL Full variability language

HFT Hardware fault tolerance

IEC International Electrotechnical Commission

LVL Limited variability language

MTTFS Mean Time to Fail Spurious

MTTR Mean Time to Repair

PTI Proof Test Interval

PES Programmable electronic system

PFD Probability of failure on demand

PFDavg Average probability of failure on demand

PLC Programmable logic controller

SFF Safe failure fraction

SIF Safety instrumented function

SIL Safety integrity level

SIS Safety instrumented system

S/W Software

RRF Risk Reduction Factor


Table of Contents

Terms .............................................................................................................................. 2 

Abbreviations ................................................................................................................... 4 

1  Introduction ................................................................................................................ 6 

2  Product description .................................................................................................... 8 

2.1  TurboSentry Details ....................................................................................................... 9 

3  Analysis of Failure Modes for TurboSentry main components ................................. 10 

4  Failure Modes Effects and Diagnostics Analysis (FMEDA) ...................................... 11 

4.1  Methodology ................................................................................................................ 11 

4.2  Failure categories and descriptions ............................................................................. 12 

4.3  Failure rate data ........................................................................................................... 12 

4.4  Design information used .............................................................................................. 13 

5  Results of Failure Modes Effects and Diagnostics Analysis (FMEDA) ..................... 13 

Table 4 - Failure rates (FITS) .............................................................................................. 13 

6  Requirements for hardware fault tolerance - IEC 61511 Clause 11.4 ...................... 14 

7  Requirements for prior use....................................................................................... 16 

8  PFD/ SIL verification results ..................................................................................... 20 

8.1  Block diagram .............................................................................................................. 20 

8.2  Component failure rates ............................................................................................... 20 

8.3  Results of PFDavg Calculations ..................................................................................... 21 

9  Summary of results .................................................................................................. 21 

10  Conclusions ............................................................................................................. 22 

Appendix A - Reference Documents.............................................................................. 23 

Appendix B - Analysis and Results for 2oo2 output voting ............................................ 24 

Appendix C - Analysis and Results for 1oo1 output voting ............................................ 25 


1 Introduction

The TurboSentry™ Overspeed Protection Device is a product developed by Invensys Triconex. It is intended to be used for the overspeed protection of rotating equipment.

The use of this product for safety applications in the process industries can be covered by either of the following International Safety Standards:

• IEC 61508 – “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems”

• ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) – “Functional Safety – Safety Instrumented Systems for the Process Industry Sector”.

Based on the ANSI/ISA-84.00.01-2004 standard (Clause 11.5.2.1), components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with clauses 11.4 and 11.5.3 to 11.5.6 of ANSI/ISA-84.00.01-2004, as appropriate.

Clause 11.4 relates to the Requirements for hardware fault tolerance

Clause 11.5.3 relates to the Requirements for the selection of components and subsystems based on prior use

Clause 11.5.4 relates to the Requirements for selection of FPL programmable components and subsystems based on prior use

Clause 11.5.5 relates to the requirements for the selection of LVL programmable components and subsystems based on prior use

Clause 11.5.6 relates to the requirements for the selection of FVL programmable components and subsystems

Irrespective of whether the use of a product is based on IEC 61508 or ANSI/ISA-84.00.01-2004, it has to be demonstrated that the component or subsystem:

a) is reliable enough to achieve the overall target PFD or target dangerous failure rate of the safety instrumented function,

b) meets the architectural constraint requirement, and

c) has a sufficiently low likelihood of systematic faults.

The requirement of c) can be satisfied by compliance with the prior use requirements of ANSI/ISA-84.00.01-2004.


This report provides the design details and the basis/results of a detailed evaluation of the TurboSentry Overspeed Protection device for compliance with the appropriate requirements of ANSI/ISA-84.00.01-2004. As part of the evaluation the Safety Integrity Level (SIL) achieved for the product is documented.

An FMEDA evaluation of the product was carried out in order to determine the failure rates required to calculate the PFDavg and SFF parameters.

Summary of results

Based on the analysis we have concluded that the TurboSentry overspeed trip system can be used for SIL 2 applications provided that the two digital trip outputs are wired for 1oo2 voting.

Table 2 below summarizes the results for this configuration.

Table 2

Mode of operation | Prior use requirements | SIL achieved based on Architectural constraints requirements | PFDavg | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 1oo2 as per Fig 1 | OK | 2 | 1.09E-3 | 2 | 916 | 2


2 Product description

The TurboSentry™ is an electronic overspeed trip device designed to provide reliable overspeed trip protection for rotating equipment using magnetic speed sensors to determine rotational speed. The TurboSentry monitors up to three magnetic speed sensors and trips the rotating equipment if at least two of the sensors simultaneously detect an overspeed condition. Two independent relays take the separately voted trip information and activate accordingly.

Figure 1 - TurboSentry™ schematic.

[Figure: speed pickups Sensor A, Sensor B and Sensor C feed Speed Processor 1, 2 and 3; the processors feed two voter logic blocks, each driving a relay to a trip valve (1oo2 voting for TurboSentry outputs); an Interface Processor connects to the Operator Interface; Power Supplies; Alarm and Analog outputs (4-20 mA). Note on the figure: for 1oo2 output voting, a dangerous failure of a single voter logic or relay will not lead to a loss of Safety Function.]


2.1 TurboSentry Details

The key features of the device are:

• Accepts three independent speed measurement inputs from magnetic speed sensors

• Overspeed trip (2 out of 3 voting) via three independent speed processors

• Two trip outputs from redundant voters

• Two alarm outputs

• Two force-trip inputs

• One 4–20 mA output indicating highest selected speed

• Dual-redundant power input (18–30 V DC) and distribution

• Dual power sources available for all processors

• Operator interface display

• Diagnostics

o Speed sensor failure

o Speed fail-safe timer

o Sensor continuity

o Check for communication loss

o Speed difference between the speed sensors

o Speed processor failure

The programming language is classified as Fixed program language (FPL) because only an adjustment of a few parameters is allowed.


3 Analysis of Failure Modes for TurboSentry main components

The failure modes and effects associated with the failure of a single main component are as per table 3 below. This is based on the outputs wired for 1oo2 voting as per Fig 1. (1)

Table 3: FMEA results for single component failure

# | Speed processor | Display processor | Operator interface panel | Voter logic / Trip relay | Single Power supply | Effect of Failure
1 | Processor A or B or C fails dangerously | OK | OK | OK | OK | No loss of Safety Functions. Voting is 2oo3, hence the other 2 active processors will provide the trip function.
2 | OK | Display Processor fails dangerously | OK | OK | OK | No loss of Safety Functions.
3 | OK | OK | Interface Panel fails | OK | OK | No loss of Safety Functions.
4 | OK | OK | OK | Voter logic or trip relay for A or B fails dangerously | OK | No loss of Safety Functions. Output voting is 1oo2. Second output will enable trip.
5 | OK | OK | OK | OK | Loss of power supply | No loss of Safety Functions.

Based on the above analysis, if the output voters and relays are wired as 1oo2, no single failure will cause a loss of the Safety Function.

(1) Refer to Appendix B and C for a summary of the results of an evaluation with the outputs wired for 2oo2 and 1oo1 voting.


4 Failure Modes Effects and Diagnostics Analysis (FMEDA)

4.1 Methodology

The Failure Modes, Effects and Diagnostic Analysis (FMEDA) methodology was used to estimate the failure rates, failure modes, and diagnostic capability of the product subsystems by reviewing each individual component of the subsystem. The subsystems/modules reviewed are:

• Power Supply
• Single Speed Processor
• Single Voter logic, relay and analog output
• Interface processor and display

FMEDA is a technique recommended to generate failure rates for each important category, i.e. safe detected, safe undetected, dangerous detected and dangerous undetected.

FMEDA is an extension of the Failure Modes and Effects Analysis (FMEA) method that is widely used in the manufacturing and process industries to identify and evaluate the effects of different component failure modes, and to determine what action could be taken to eliminate or reduce the likelihood of failures.

The FMEA methodology as per MIL STD 1629A, Failure Modes and Effects Analysis is extended to include safe and dangerous failure rates and to identify whether the failures can be detected via diagnostics.

An Excel spreadsheet was used to document and evaluate the results of the analysis. The format for the FMEDA used is shown below (a template; the rate and coverage columns are filled in per component):

Component | Failure Modes | Effect of Failure | Failure Rates (Total FIT / Safe / Dangerous) | Diagnostic coverage factors (Safe Coverage Factor / Dangerous Coverage Factor) | Diagnostic Capable
Component 1 | Mode 1 | Output high | | | Y
Component 1 | Mode 2 | Output low | | | N
Component 1 | Mode 3 | No Effect | | | N
Component 2 | Mode 1 | Output high | | | N
Component 2 | Mode 2 | Output low | | | Y
Component 2 | Mode 3 | No Effect | | | N
Total (FIT) | | | | |
Percent Safe Failures XX% | Safe Coverage XX% | | | |


4.2 Failure categories and descriptions

By inputting the data for each component we are able to calculate the following for each of the subsystems listed:

λ: Total failure rate
λS: Safe failure rate
λD: Dangerous failure rate
λSD: Safe Detected failure rate
λSU: Safe Undetected failure rate
λDD: Dangerous Detected failure rate
λDU: Dangerous Undetected failure rate
λNE: No effect failure rate
%Safe: Percentage of failures that will result in a Safe effect
CD: Dangerous Coverage factor (automated diagnostics)
CS: Safe Coverage factor (automated diagnostics)
SFF: Safe Failure Fraction

Fail Safe: failures that cause the subsystem/module to go to the defined fail-safe state without a demand from the process. Safe failures are divided into safe detected (SD) and safe undetected (SU) failures.

Fail Dangerous Undetected: dangerous failures that are not diagnosed by internal diagnostics.

Fail Dangerous Detected: dangerous failures that are diagnosed by internal diagnostics.

Fail No Effect: failure of a component that is part of the safety function but that has no effect on the safety function.

Refer to section 6 for a definition of SFF.

4.3 Failure rate data

The failure rate data sources used by Ceteris in this FMEDA review are listed in Appendix A of this report.


4.4 Design information used

The following information relating to the design of the product was used to obtain design and component data for the TurboSentry™ electronic overspeed trip device:

User manual for Turbo Sentry. Doc # 9720090-003

TurboSentry BOM_050901

PCB Schematics Dwg # 69SC3084 Sht 1 of 8

PCB Schematics Dwg # 69SC3084 Sht 2 of 8

PCB Schematics Dwg # 69SC3084 Sht 3 of 8

PCB Schematics Dwg # 69SC3084 Sht 4 of 8

PCB Schematics Dwg # 69SC3084 Sht 5 of 8

PCB Schematics Dwg # 69SC3084 Sht 6 of 8

PCB Schematics Dwg # 69SC3084 Sht 7 of 8

PCB Schematics Dwg # 69SC3084 Sht 8 of 8

5 Results of Failure Modes Effects and Diagnostics Analysis (FMEDA)

The failure rates calculated for the 4 subsystems/modules listed in section 4.1 are as per the table 4 below.

Table 4 - Failure rates (FITS)

Failure category | Power Supply | Single Speed Processor | Single Voter logic, relay and analog output | Interface processor and display
Fail Safe | 1628 | 623 | 654 | 0
Fail Dangerous Detected | 250 | 596 | 333 | 0
Fail Dangerous Undetected | 0 | 411 | 560 | 0
No Effect failures | 0 | 0 | 60 | 628
Safe Failure Fraction (SFF) | 1 | 0.75 | 0.64 | 1


6 Requirements for hardware fault tolerance - IEC 61511 Clause 11.4

Based on IEC 61511 Clause 11.4, sensors, logic solvers and final elements shall have a minimum hardware fault tolerance. Hardware fault tolerance is the ability of a component or subsystem to continue to be able to undertake the required safety instrumented function in the presence of one or more dangerous faults in hardware. A hardware fault tolerance of 1 means that there are, for example, two devices and the architecture is such that the dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring.

The hardware fault tolerance for various architectures is as per table 5 below:

Table 5

Architecture | Hardware Fault Tolerance
1oo1 | 0
1oo2 | 1
2oo2 | 0
2oo3 | 1
1oo3 | 2

The TurboSentry™ Overspeed Protection Device is a logic solver with 2oo3 speed processor voting and 1oo2 output voting.

As per IEC 61511 Clause 11.4.2, for PE logic solvers, the minimum hardware fault tolerance shall be as shown in Table 6 below.

Table 6 – Minimum hardware fault tolerance of PE logic solvers

The SFF for the various modules as per table 4 are based on the equation below:

For outputs wired for 1oo2 as per Fig 1, the HFT = 1 since in this mode the device can tolerate a single failure without a loss of the Safety functions. Since the module with the lowest SFF is the Single Voter logic, relay and analog output, SFF = 0.64. For this case SIL 2 is being achieved as per table 6.
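As an added worked example (not part of the report), the SFF calculation of section 4.2 applied to the Table 4 rates, followed by the Clause 11.4 architectural-constraint check of this section for each way of wiring the trip outputs. `HFT_BY_ARCHITECTURE` mirrors the report's Table 5; the minimum-HFT thresholds per SFF band are my recollection of IEC 61511-1 Table 5 for PE logic solvers and must be verified against the standard before use.

```python
"""SFF per module from the Table 4 FIT values, and the Clause 11.4
architectural-constraint check for the TurboSentry logic solver.

Constructed example, not the report's own calculation. The minimum-HFT
thresholds per SFF band are my recollection of IEC 61511-1 Table 5 for
PE logic solvers and must be verified against the standard before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRates:
    name: str
    safe: float       # lambda_S  (FIT)
    dd: float         # lambda_DD (FIT)
    du: float         # lambda_DU (FIT)
    no_effect: float  # lambda_NE (FIT); excluded from the SFF

    def sff(self) -> float:
        """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).

        A module whose only failures are no-effect failures has no
        safety-relevant failure rate; Table 4 reports its SFF as 1.
        """
        total = self.safe + self.dd + self.du
        return (self.safe + self.dd) / total if total else 1.0


# Table 4 of the report, failure rates in FIT.
TABLE_4 = (
    ModuleRates("Power Supply", 1628, 250, 0, 0),
    ModuleRates("Single Speed Processor", 623, 596, 411, 0),
    ModuleRates("Single Voter logic, relay and analog output", 654, 333, 560, 60),
    ModuleRates("Interface processor and display", 0, 0, 0, 628),
)

# Table 5 of the report: hardware fault tolerance by voting architecture.
HFT_BY_ARCHITECTURE = {"1oo1": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1, "1oo3": 2}

# Assumed minimum HFT for a PE logic solver, by SIL and SFF band
# (recollection of IEC 61511-1 Table 5; verify against the standard).
MIN_HFT_PE_LOGIC_SOLVER = {
    1: {"<60%": 1, "60-90%": 0, ">=90%": 0},
    2: {"<60%": 2, "60-90%": 1, ">=90%": 0},
    3: {"<60%": 3, "60-90%": 2, ">=90%": 1},
}


def sff_band(sff: float) -> str:
    """Map an SFF to the band used by the architectural-constraint table."""
    if sff < 0.60:
        return "<60%"
    if sff < 0.90:
        return "60-90%"
    return ">=90%"


def max_sil_by_architectural_constraint(sff: float, hft: int) -> int:
    """Highest SIL (1..3) whose minimum-HFT requirement is met; 0 if none."""
    band = sff_band(sff)
    achieved = 0
    for sil in (1, 2, 3):
        if hft >= MIN_HFT_PE_LOGIC_SOLVER[sil][band]:
            achieved = sil
    return achieved


def limiting_module(modules=TABLE_4) -> ModuleRates:
    """The module with the lowest SFF limits the claim for the whole device."""
    return min(modules, key=lambda m: m.sff())


def architectural_constraint_sil(output_voting: str, modules=TABLE_4) -> dict:
    """Device-level check. The HFT follows from how the two trip outputs are
    wired: 1oo2 tolerates one voter/relay failure, 2oo2 and 1oo1 do not."""
    worst = limiting_module(modules)
    hft = HFT_BY_ARCHITECTURE[output_voting]
    return {
        "limiting_module": worst.name,
        "sff": round(worst.sff(), 2),
        "hft": hft,
        "sil": max_sil_by_architectural_constraint(worst.sff(), hft),
    }


if __name__ == "__main__":
    for m in TABLE_4:
        print(f"{m.name}: SFF = {m.sff():.2f}")
    for voting in ("1oo2", "2oo2", "1oo1"):
        print(f"outputs wired {voting}: {architectural_constraint_sil(voting)}")
```

With the outputs wired 2oo2 or 1oo1 the HFT drops to 0 and the same 0.64 SFF limits the architectural-constraint claim to SIL 1, which is the situation the report refers to Appendix B and C for.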


7 Requirements for prior use

IEC 61511 requirements for prior use are based on the following clauses:

1. Clause 11.5.3 relates to the Requirements for the selection of components and subsystems based on prior use

2. Clause 11.5.4 relates to the Requirements for selection of FPL programmable components and subsystems based on prior use

3. Clause 11.5.5 relates to the requirements for the selection of LVL programmable components and subsystems based on prior use

4. Clause 11.5.6 relates to the requirements for the selection of FVL programmable components and subsystems

Items 3 and 4 above do not apply since the programming language for the TurboSentry is classified as Fixed program language (FPL).

The attached document “IEC 61511 Proven In Use / Prior Use Justification TurboSentry™ Overspeed Protection Device” provides the required justification for the TurboSentry.


IEC 61511 Proven In Use / Prior Use Justification

TurboSentry™ Overspeed Protection Device

Page 1 of 3

1 Basis for Proven In Use / Prior Use Justification

IEC 61511 allows components to be used in Safety Instrumented Systems when a documented assessment has shown that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system. This document provides the required justification for the TurboSentry™ Overspeed Protection Device based on the requirements of IEC 61511.

1.1 Requirements

The justification for use is based on the following relevant IEC 61511 clauses:

Requirement | Yes/No | Rationale and reference

Clause 11.5.3.1: Appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system.
Yes: This is an established product. It has been, and is still being, used worldwide for turbine overspeed trips since 2004. Between 2008 and 2010 over 275 units were sold for overspeed applications. During this period there is no record of any TurboSentry failure causing a machine to be damaged due to overspeed.

Clause 11.5.3.2: The evidence of suitability shall include the following:

• consideration of the manufacturer's quality, management and configuration management systems;
Yes: The product is designed by Invensys (Triconex) and manufactured by Grayhill, an ISO 9001 certified company.

• adequate identification and specification of the components or subsystems;
Yes: Refer to user manual for Turbo Sentry, Doc # 9720090-003.

• demonstration of the performance of the components or subsystems in similar operating profiles and physical environments;
Yes: Hundreds of devices are presently in use successfully worldwide.


Clause 11.5.4.1: The requirements of 11.5.2 and 11.5.3 apply.

Clause 11.5.3 is addressed above. The requirements of 11.5.2 are:

11.5.2 General requirements

11.5.2.1 Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with IEC 61511 clause 11.4 and 11.5.3 to 11.5.6, as appropriate.
Yes: 11.4 relates to the requirements for hardware fault tolerance; refer to section 6 of this report. 11.5.3 to 11.5.6 are addressed by this justification.

11.5.2.2 Components and subsystems selected for use as part of a safety instrumented system for SIL 4 applications shall be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate.
NA: The use of this product for SIL 4 applications is not addressed.

11.5.2.3 The suitability of the selected components and subsystems shall be demonstrated through consideration of
• manufacturer hardware and embedded software documentation;
• if applicable, appropriate application language and tool selection (see 12.4.4).
Yes: Fixed program language (FPL) is used, and there are no known issues. The user manual for Turbo Sentry, Doc # 9720090-003, provides all configuration details.

11.5.2.4 The components and subsystems shall be consistent with the SIS safety requirements specifications.
Yes: The SRS is to be developed by the end user based on their specific application requirements. This is highlighted in the conclusion section of this report.

NOTE For the selection of components and subsystems, all the other applicable aspects of this standard still apply, including architectural constraints, hardware integrity, behavior on detection of a fault and application software.
Yes: All other aspects of the IEC 61511 standard apply wherever appropriate.

Clause 11.5.4.2: Unused features of the components and subsystems shall be identified in the evidence of suitability, and it shall be established that they are unlikely to jeopardize the required safety instrumented functions.
Yes: Potential unused features are the analog output and the digital outputs for alarms. Refer to section 3 of this report for a review of the impact of failures of the unused components of this product.


Clause 11.5.4.3: For the specific configuration and operational profile of the hardware and software, the evidence of suitability shall consider
• characteristics of input and output signals;
• modes of use;
• functions and configurations used;
• previous use in similar applications and physical environments.
Yes: For SIL 2 applications the outputs have to be configured for 1oo2 voting. There are no other suitability issues.

Based on the above documented assessment, we conclude that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system.


8 PFD/ SIL verification results

8.1 Block diagram The block diagram that is the basis for the SIL verification calculations is as per Fig 2 below.

Fig 2

8.2 Component failure rates

The failure rates used in the calculation for the key components are as per Table 7 below.

Table 7 - Failure rates for key components

Component                    | λ (Dangerous undetected) | λ (Dangerous detected) | λ (Safe)
Single Speed Processor       | 0.411 x 10^-6 /hr        | 0.596 x 10^-6 /hr      | 0.623 x 10^-6 /hr
Single Voter logic and relay | 0.560 x 10^-6 /hr        | 0.333 x 10^-6 /hr      | 0.654 x 10^-6 /hr


8.3 Results of PFDavg calculations

The results are as per Table 8 below.

Table 8 – PFDavg calculation results

Mode of operation                   | Proof test interval | PFDavg  | RRF achieved | SIL achieved based on PFDavg
Outputs wired for 1oo2 as per Fig 1 | 12 months           | 1.09E-3 | 916          | 2

9 Summary of results

Based on a review of the 3 key IEC 61511 requirements, i.e.:

1. Prior use requirements
2. SIL achieved based on Architectural constraints requirements
3. SIL achieved based on PFDavg

we have concluded that the TurboSentry overspeed trip system can be used for SIL 2 applications provided that the two digital trip outputs are wired for 1oo2 voting.

Table 8 below summarizes the results for this configuration.

Table 8 - Results summary

Mode of operation                   | Prior use requirements | SIL achieved based on Architectural constraints requirements | PFDavg  | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 1oo2 as per Fig 1 | OK                     | 2                                                            | 1.09E-3 | 2                            | 916          | 2


10 Conclusions

1. The TurboSentry™ Overspeed Protection Device is fit for use in applications up to SIL-2, provided that the outputs are wired for 1oo2 voting as per Fig 1 and proof testing is carried out at least every 12 months (proof test interval, PTI, of 12 months).

2. The TurboSentry™ Overspeed Protection Device is fit for use in applications up to SIL-1 if the outputs are wired for 1oo1 or 2oo2. Refer to Appendix B and C for additional details.

3. The end user has to ensure that the components and subsystems are consistent with the SIS Safety Requirements Specification (SRS). The SRS is to be developed by the end user based on their specific application requirements.

4. Final verification calculations of the complete SIF, including sensors, logic solver, and all final elements, have to be completed by the end user to determine the SIL achieved for the complete function and to ensure that the function satisfies its SIL requirement.


Appendix A - Reference Documents

ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety - Safety Instrumented Systems for the Process Industry Sector, Edition 1. Research Triangle Park, North Carolina, USA: ISA, 2004.

IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, Edition 1. Geneva, Switzerland: IEC, 2003.

User manual for Turbo Sentry, Doc # 9720090-003.

MIL-HDBK-217.


Appendix B - Analysis and Results for 2oo2 output voting

Fig 3 – 2oo2 output voting

Outputs wired for 2oo2 voting as per Fig 3 above

For outputs wired for 2oo2 as per Fig 3, the HFT = 0, since in this mode the device cannot tolerate a single failure without loss of the safety function. The module with the lowest SFF is the Single Voter logic, relay and analog output, with SFF = 0.64. For this case SIL 1 is achieved as per Table 6.

Table 8 - Results summary

Mode of operation                   | Prior use requirements | SIL achieved based on Architectural constraints | PFDavg  | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 2oo2 as per Fig 3 | OK                     | 1                                               | 5.36E-3 | 2                            | 187          | 1


Appendix C - Analysis and Results for 1oo1 output voting

Fig 4 – 1oo1 output voting

Outputs wired for 1oo1 voting as per Fig 4 above

For outputs wired for 1oo1 as per Fig 4, the HFT = 0, since in this mode the device cannot tolerate a single failure without loss of the safety function. The module with the lowest SFF is the Single Voter logic, relay and analog output, with SFF = 0.64. For this case SIL 1 is achieved as per Table 6.

Table 9 - Results summary

Mode of operation                   | Prior use requirements | SIL achieved based on Architectural constraints | PFDavg  | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 1oo1 as per Fig 4 | OK                     | 1                                               | 2.91E-3 | 2                            | 344          | 1
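The SIL determination used in Sections 8 and 9 and in Appendices B and C (SFF from the Table 7 failure rates, the architectural-constraint limit from SFF and HFT, the PFDavg band, and the final SIL as the lower of the two) can be reproduced in a few lines. This is an added example, not part of the report or the vendor's documentation; it assumes the IEC 61508-2 Route 1H type B architectural-constraint table, which is the one consistent with the report's result of SIL 1 at HFT = 0 with SFF = 0.64.

```python
# Added example (not from the report): reproduce the report's SIL
# determination from the Table 7 failure rates and the reported PFDavg.
# Assumption: IEC 61508-2 Route 1H architectural constraints for a
# type B (microprocessor-based) subsystem; 12-month proof test interval.

# Table 7 rates in failures per hour: (lambda_DU, lambda_DD, lambda_S)
RATES = {
    "speed_processor": (0.411e-6, 0.596e-6, 0.623e-6),
    "voter_relay": (0.560e-6, 0.333e-6, 0.654e-6),
}

# Type B table: (upper SFF bound of band, SIL allowed at HFT 0, 1, 2).
# 0 means the band/HFT combination is not allowed.
_TYPE_B = [
    (0.60, (0, 1, 2)),
    (0.90, (1, 2, 3)),
    (0.99, (2, 3, 4)),
    (1.01, (3, 4, 4)),
]


def sff(lam_du, lam_dd, lam_s):
    """Safe failure fraction = (lambda_S + lambda_DD) / total rate."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def sil_from_architecture(sff_value, hft):
    """SIL limit imposed by architectural constraints (type B)."""
    for upper, row in _TYPE_B:
        if sff_value < upper:
            return row[min(hft, 2)]


def sil_from_pfd(pfd_avg):
    """IEC 61511 low-demand bands: SIL n covers [1e-(n+1), 1e-n)."""
    for sil in (4, 3, 2, 1):
        if 10 ** -(sil + 1) <= pfd_avg < 10 ** -sil:
            return sil
    return 0


def rrf(pfd_avg):
    """Risk reduction factor = 1 / PFDavg, rounded as in Table 8."""
    return round(1.0 / pfd_avg)


def final_sil(pfd_avg, hft):
    """Lower of the architectural-constraint SIL and the PFDavg SIL.

    The architectural limit is set by the subsystem with the lowest SFF,
    which for Table 7 is the voter logic and relay (SFF = 0.64).
    """
    worst_sff = min(sff(*r) for r in RATES.values())
    return min(sil_from_architecture(worst_sff, hft), sil_from_pfd(pfd_avg))


if __name__ == "__main__":
    # (configuration, HFT, reported PFDavg) from Table 8, App. B and App. C
    for cfg, hft, pfd in (("1oo2", 1, 1.09e-3), ("2oo2", 0, 5.36e-3),
                          ("1oo1", 0, 2.91e-3)):
        print(cfg, "RRF", rrf(pfd), "final SIL", final_sil(pfd, hft))
```

The RRF for the 1oo2 row comes out at 917 from the rounded PFDavg of 1.09E-3, against 916 in Table 8, which was evidently computed from the unrounded value.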
