silability user guide - xsericon · calculation. (the exceptions are the sil target field, which...

[email protected]+85226337727www.silability.com

SILability User GuideACOMPLETEGUIDETOSILABILITYSOFTWAREV1.2

DEVELOPEDBYXSERICON

Copyright©2017xSeriConLimited.Allrightsreserved.

2

1. Table of Contents

1. TableofContents.......................................................................................................2

1. CHAPTER1-INTRODUCTIONTOSILABILITY...............................................................6

1.1 WhatisSILability?..........................................................................................................6

1.2 WhatdoesSILabilitydo?................................................................................................6

1.3 WhatisthephilosophyofSILability?..............................................................................7

1.4 Featuresandlicensing....................................................................................................8

1.5 Howtogetinformationandhelp...................................................................................8

2. CHAPTER2-SETTINGUPSILABILITY...........................................................................9

2.1 Introduction...................................................................................................................9

2.2 GettingSILability............................................................................................................9

2.3 InstallingSILability.........................................................................................................9

2.4 Gettingsoftwareupdates...............................................................................................9

2.5 Licensing......................................................................................................................10

2.6 RunningSILability........................................................................................................10

3. CHAPTER3-MAKINGAPROJECT.............................................................................11

3.1 Introduction.................................................................................................................11

3.2 Projectparameters......................................................................................................11

3.2.1 Saveonthefly................................................................................................................12

3.2.2 Thewelcomescreen.......................................................................................................12

3.3 Creatinganewproject.................................................................................................13

3.4 Savingaproject...........................................................................................................13

3.5 Closingaproject..........................................................................................................13


3

3.6 Openinganexistingproject..........................................................................................13

4. CHAPTER4-WORKINGWITHSIFs............................................................................14

4.1 Introduction.................................................................................................................14

4.2 CreatingaSIF...............................................................................................................14

4.3 SelectingaSIF..............................................................................................................14

4.4 DeletingaSIF...............................................................................................................14

4.5 CopyingandimportingSIFs..........................................................................................14

4.6 StructureofaSIF..........................................................................................................15

4.7 Sub-SIFs.......................................................................................................................16

4.8 Treeview.....................................................................................................................17

4.9 Addinggroups,legsandcomponents...........................................................................17

4.10 Deletinggroups,legsandcomponents.........................................................................18

5. CHAPTER5-DATAHANDLINGFEATURES.................................................................18

5.1 Introduction.................................................................................................................18

5.2 Enteringdataintotextfields........................................................................................18

5.3 Enteringdataintonumericalfields...............................................................................18

5.4 Settingtheunitsofnumericalfields.............................................................................19

5.5 Settingcheckboxfields.................................................................................................19

5.6 UndoandRedo............................................................................................................20

5.7 Applyingcommentstodata.........................................................................................20

6. CHAPTER6-INPUTDATA.........................................................................................21

6.1 Introduction.................................................................................................................21

6.2 SIF-leveldatafields......................................................................................................21

6.3 Subsystemdatafields..................................................................................................22


4

6.4 Additionaldatafieldsforlogicsolversubsystem..........................................................24

6.5 Grouplevelparameters...............................................................................................26

6.6 Leglevelparameters....................................................................................................28

6.7 Componentlevelparameters.......................................................................................29

6.8 Engineeringunits.........................................................................................................34

7. CHAPTER7-THESILVERIFICATIONCALCULATION...................................................39

7.1 Introduction.................................................................................................................39

7.2 Methodology...............................................................................................................39

7.2.1 SIFlevel...........................................................................................................................40

7.2.2 Subsystemlevel..............................................................................................................40

7.2.3 Grouplevel.....................................................................................................................41

7.2.4 Leglevel..........................................................................................................................41

7.2.5 Componentlevel............................................................................................................42

7.3 Datachecksperformedbeforecalculation...................................................................42

7.3.1 Dataproblemmessages.................................................................................................43

8. CHAPTER8-OUTPUTTOSPREADSHEET...................................................................53

8.1 Introduction.................................................................................................................53

8.2 Howtogeneratethespreadsheetreport.....................................................................53

8.3 Whatthespreadsheetreportcontains.........................................................................54

8.3.1 Inputdata.......................................................................................................................54

8.3.2 Outputs(Calculationresults)..........................................................................................54

9. CHAPTER9-SPECIALTOOLSANDTIPS.....................................................................54

9.1 Datachecks..................................................................................................................54

9.1.1 SIFlevel...........................................................................................................................55


5

9.1.2 Componentlevel............................................................................................................55

9.1.3 Grouplevel.....................................................................................................................56

9.1.4 Sensorandfinalelementsubsystemlevel.....................................................................56

9.1.5 Logicsolversubsystemlevel...........................................................................................56

9.2 SILverificationmodellingtips......................................................................................57

9.2.1 ModellingSIFswithnosensorcomponents...................................................................57

APPENDICES....................................................................................................................58

APPENDIXA:WHERETOGETFAILURERATEDATA...................................................................58

APPENDIXB:ASSUMPTIONSMADEINCALCULATION...............................................................59

APPENDIXC:KNOWNLIMITATIONS.........................................................................................61

APPENDIXD:FORMATOFXMLPROJECTFILE...........................................................................61

APPENDIXE:TERMS&ABBREVIATIONS...................................................................................62

APPENDIXF:TERMS&CONDITIONS.........................................................................................64

APPENDIXG:FURTHERREADING..............................................................................................69

APPENDIXH:TROUBLESHOOTINGANDFAQ's..........................................................................71


6

1. CHAPTER 1 - INTRODUCTION TO SILABILITY 1.1 What is SILability?

Industrialfacilitiesandequipmentcommonlyuseautomaticsafetyfunctionstocontrolrisks.ThesefunctionsareoftenknownasSafetyInstrumentedFunctions(SIFs)orInstrumentedProtectiveFunctions(IPFs).Theirpurposeistomonitorspecificparameters(suchastemperatureofatank,positionofamovingpart,speedofamotor,orthepresenceofapersonorobjectusingasensorbeam)andtakeactionwhengivenconditionsaremet(suchasmotoroverspeed).

SIFsaredesignedtoreduceorlimitthefrequencyofunwantedoutcomesthatmayresultfromspecificupsetconditions.ThedesignofeachSIFshouldspecifyanumericalvaluerepresentingthetargetperformanceoftheSIF.Thiscanbeexpressedinthefollowingways:

• MaximumprobabilityoffailureondemandoftheSIF,averagedoveritsdesignlifetime(PFDavg)

• Minimumfrequencyreductionoftheunwantedevent—expressedastheratiooftheeventfrequencywithouttheSIF,tothemaximumtolerablefrequencywiththeSIF;thisisknownastheSIF’stargetriskreductionfactor(RRF)

• MaximumprobabilityoffailureperhouroftheSIF(PFH);thismeasureisusedforhazardousconditionsthatarealwaysorfrequentlypresent

DuringthebasicdesignphaseofaSIF,thedesignteamshouldconfirmthattheproposedSIFdesigniscapableofachievingthetargetperformancemeasure.ThistaskisknownasSILverification,andisarequirementoftherelevantinternationalstandards(seechapter7forfurtherdetails).SILability’spurposeistoassistthedesignerinexecutingSILverificationcorrectly,accuratelyandefficiently.

1.2 What does SILability do?

SILabilityperformscalculationstoconfirmwhethertwoofthespecificrequirementsofthestandardsaremet.WhileafulldescriptionoftherequirementsisbeyondthescopeofthisUserGuide,theycanbeoutlinedbrieflyasfollows:

• Randomhardwarefailureperformancerequirement:ThepredictedfailureperformanceoftheSIFintermsofrandomhardwarefailuresmustmeetthespecifiedtarget.Forexample,theSIF’sRRFmayneedtoexceed25.

• Architecturalconstraintsrequirement:TheSIFmustmeetatargetlevelofhardwarefaulttolerance—thatis,thenumberofhardwarefaultsthatcansimultaneouslyoccurintheSIFwithoutimpairingtheintendedfunction.

Calculatingwhethertheserequirementsaremetinvolvesalargenumberofinputparameters.SILabilitypromptstheusertoentervaluesforallrequiredparameters,andprovidesguidancewhennecessaryvaluesaremissingorinappropriate.Calculationsare


7

performedonthefly,sothattheusercaninstantlyseetheeffectofchangingaparametervalue.

PleasenotethatthetworequirementsabovearenottheonlyrequirementsfordemonstratingthataSIFachievescompliancewiththestandards.Inparticular,usersshouldbeawareoftheSILcapabilityrequirement:allthehardwareandsoftwareusedinaSIFneedssupportingevidencetoshowthatitissufficientlyfreeofdesignerrorsthatcouldleadtosystematicfailures.SILabilitydoesnotprovidesupportforthisrequirement,whichmustbeaddressedanddocumentedbyothermeans.

TheuseofSILabilityassumesreasonableknowledgeofthestandardsandthebasicphilosophyofSILverificationinthecontextoffunctionalsafetyengineering.Ifyouarenotsureofthemeaningofanyofthefunctionsortermsusedinthisuserguide,pleaseseekprofessionalguidancefromxSeriConbeforeuse.

1.3 What is the philosophy of SILability?

BecausesuchalargenumberofinputparametersarerequiredforSILverification,itisalltooeasytoenterwrongparametervaluesbymistake.Forinstance,asimpletypingerror,suchasentering1.62insteadof16.2,couldhaveadrasticeffectontheresult.Ultimately,thiscouldleadtoadangerouslevelofunder-protectionprovidedbytheas-builtSIF.

Inordertominimisetheriskofincorrectparametervalues,SILabilityhasthefollowingfeatures:

• Defaultvaluesareneverprovided.AnynumericalfieldforwhichtheuserhasnotenteredavalueisdisplayedasNotset.Noassumedvalueswillbeusedinthecalculation.(TheexceptionsaretheSILtargetfield,whichdefaultsto4,themostconservativetarget;andthecomponentACtype,whichdefaultsconservativelytotypeB.)

• Theusercanenternumericalvalueinanyappropriateunits.Forexample,testintervalscanbeenteredindays,weeks,monthsoryears.Thismeanstheuserdoesnothavetodoanyconversionbyhand.Theselectedunitisclearlydisplayedatalltimes.

• Alargebatteryof‘reasonablenesschecks’isperformedonthedataonrequest.Theseareintendedtospotdatainconsistencies,valuesoutsidethetypicalrange,anddifferencesbetweenSIFsthatmightbeunintentional.

• AfutureversionofSILabilitywillallowuserstolinkfieldstogethersothat,ifonefieldischanged,itslinkedfieldswillbechangedautomatically.Thisallowstheusertoensureconsistencybetweenitemsinthecalculation.Theuserismadeawareofthechangesmadetolinkedfields.

Manyotherfeaturesarealsounderplanningtohelpensurethatinputdataiscorrect.RegisteredusersofSILabilitywillbeinformedofnewreleasesassoonastheyareavailable.


8

TraceabilityisextremelyimportantinSILverification.SILabilitysupportsthisbyprovidingapowerfulcommentfeature.Almosteveryitemofinputdatacanhavemultiplecommentsattachedtoit.Thesecommentscanbeusedtoindicatethesourceofthedata,explaindiscrepancies,orforanyotherpurpose.Allcomments*areshowninthefinalreport.

AllprojectdatafilesgeneratedbySILabilityareinahuman-readable,portableformatknownasXML.Thismeans,whenyouneedtoimportSILabilitydataintoanotherapplication,itshouldbestraightforwardtowriteadataconversiontool,dependingontheimportcapabilitiesoftheotherapplication.ThedesignersofSILabilitychosethisapproachtohelpusersminimisetheriskofdatagettingchangedinadvertentlyduringexport/import,andtoreducetheneedforretypingorcopying/pastingdatabetweenapplications.DetailsofSILability’sXMLformataregiveninAppendixDofthisuserguide.

AnumberofassumptionsrelatingtothedesignoftheSIFaremadeinthecalculations.AllassumptionsarelistedinAppendixBofthisuserguide.

1.4 Features and licensing

SILabilityiscopyright-protected,licensedsoftware.Ifyouhaven’tyetpurchasedalicense,youcanviewexistingSILabilitydatafilesandperformalimitedrangeoftasks.ThefullfeaturesofSILabilityrequireyoutohaveapurchasedsoftwarekeyfromxSeriCon;pleaseseeourcontactdetailsatthefrontofthisUserGuide.

1.5 How to get information and help

ThedesignersofSILabilityarereadytohelpwithanyquestionsyoumayhave.WeareavailabletoprovidetrainingonSILabilityandonthetheoryofSILverification,viadistancelearningorinaclassroomformat;pleasecontactusfordetailsofavailabilityandpricing.

WewelcomeyourfeedbackonSILability,includinganyproblemsyouencounterwhileusingthesoftware,orsuggestionsforimprovement.OurcontactdetailsareatthefrontofthisUserGuide.Whensendingusfeedbackorproblemreports,pleasetellus:

• TheversionofSILabilityyouareusing(select‘AboutSILability’inthewelcomescreenortheFilemenu)

• Theexactversionofyouroperatingsystem(e.g.OSX10.10.5)• WhatcommandorfunctionofSILabilityyouwereusingwhentheproblemarose

(pleasebeasspecificaspossible),andwhichSIFyouwereworkingon• Whetheryouhavebeenabletorepeattheproblem• PleasesendustheSILabilityprojectanddatabasefilesyouwereusing;wewill

handleyourdatainstrictconfidenceandusethedataonlyforpurposesofresolvingtheissueyoureported.

*CertainexceptionsarenotedintheFAQ;seeAppendixH.


9

2. CHAPTER 2 - SETTING UP SILABILITY 2.1 Introduction

ThischapterdescribeshowtosetupSILabilityonyourcomputer,andcoverslicensingarrangements.

SILabilityrequiresacomputer(desktop,laptoportablet)runningWindows8.1orlater,orOSX/macOS.AninternetconnectionisrequiredforlicensecheckingeachtimeyoustartSILability.

2.2 Getting SILability

YoucandownloadthelatestreleaseofSILabilityfromhttp://www.silability.com/downloads.Foryoursafety,pleasevirus-scanthedownloadedpackagebeforeusingit.

Windowsversiondownloadfilenameis‘Install.exe.zip’.

OSX/macOSversiondownloadfilenameis‘SILability.zip’.

2.3 Installing SILability

OnWindows,thedownloadfileisnamed‘Install.exe.zip’.Runthisfilebydouble-clickingit(youmayneedadministratorrightsforthis).SILabilitywillinstallautomatically.

Windowsrequirements: -StableInternetconnection

-Minimumscreenresolution1152x864

-Windows8.1orlater

OnOSX/macOS,thedownloadfileisnamed‘SILability.zip’.Runthisfilebydouble-clickingit(youmayneedadministratorrightsforthis).SILabilitywillinstallautomatically.

MacOSXrequirements: -StableInternetconnection

-OSXYosemitev10.10.5orlater

2.4 Getting software updates

IfyouremailaddressisregisteredwithxSeriCon,wewillnotifyyouwhenanewversionisavailable.Youcandownloadandinstallthelatestversionfromhttp://www.silability.com/downloads.Yourexistinglicensewillremainvalidwithinthe


10

samemajorversionnumber(e.g.withinversion1,including1.0,1.1,1.2…).Tobenefitfromanupgradetoanewmajorversionnumber,youwillneedtorequestareplacementlicense.

2.5 Licensing

SILabilityislicensedonaper-machine,per-versionbasis.Forinstance,ifSusanpurchasesalicenseandusesitonherlaptopforSILability1.0,itwillonlyworkonSusan'slaptop,andonlyforSILability1.x(everyversionstartingwiththesamemajorversionnumber).

YouneedtopurchasealicensefromxSeriContogainaccesstoallofSILability’sfeatures.Youcanalsorequestatriallicensefreeofchargeforalimitedperiod.However,evenifyoudon'thavealicense,youcantryoutmanyofSILability’sfunctions.

Thefollowingfunctionsdependonthetypeoflicenseyouhave:Savingaprojectfile Requirestrialorfulllicense.Creatinganewprojectwith‘saveonthefly’enabled

Requirestrialorfulllicense.

AddanewSIFtoaproject Requiresfulllicense.Addmultiplecomponents,legsorgroupstoaSIF

Requirestrialorfulllicense.

CopyaSIF Requiresfulllicense.GenerateExceloutputfromaproject Requirestrialorfulllicense.

IfyouuninstallandreinstallSILabilityonthesamecomputer(withinthesamemajorversionnumber),yourexistinglicensekeywillstillwork.Youcanenterthesamekeyagain.

Ifyouwanttotransferyourlicensetoanothercomputer,pleasecontactxSeriCon.Wewillissueyouwithanewlicensekey,withthesameexpirydateasyouroldlicense,andcancelyourexistinglicensekey.

2.6 Running SILability

MakesureyourcomputerhasinternetaccesswhenstartingSILability.

OnWindows,launchSILabilitybydoingoneofthefollowing:

• Select“SILability”intheStartmenu.• Double-clickthe“SILability”icononthedesktop.• Searchfor“SILability”(presswindowskey+‘S’andtypeSILability)

OnOSX/macOS,launchSILabilitybydoingoneofthefollowing:


11

• Double-clickthe“SILability”icononthedesktop.• Double-clickthe“SILability”iconfromthe“applications”folderwithinthe“Finder”

tool

YouwillseeSILability’swelcomescreen.Whenfirstlaunched,itwillshowthatSILabilityisunlicensed.Ifyouhavealicensekey,click“Enterlicensekey”,typeorpastethelicensekeyyoureceivedfromxSeriCon,andpress<Enter>.Youwillseeaconfirmationmessageindicatingwhetherthelicensekeywasaccepted.

Youonlyneedtoenterthelicensekeyonce;SILabilitywillstoreyourlicensekeyautomatically,ifit’svalid.Onsubsequentruns,SILabilitywillusethestoredlicensekey.Ifyougetanewlicensekey(e.g.foranupdatedversionofSILabilityorafteryourkeyhasexpired),click“Enterlicensekey”andenterthenewkey,followingthesameprocedureasthefirsttime.

NowyoucanstartusingSILability.Seechapter3forhowtogetstartedwithyourSILverificationproject.

3. CHAPTER 3 - MAKING A PROJECT 3.1 Introduction

Whatisa‘project’inSILability?AprojectisasetofSafetyInstrumentedFunctions(SIFs).SIFsaresometimesknownasInstrumentedProtectiveFunctions(IPFs),trips,orinterlocks.Chapter4providesabriefintroductiontotheconceptofaSIFanditsarchitecture.

Theprojectalsoincludesasetofdescriptiveparameterssuchasprojectnameanddate.Thesearedescribedinthenextsection.

3.2 Project parameters

Thefollowingparametersareusedforreportingandtraceabilitypurposes.YoucaneditthembychoosingFilemenu–Projectsettings.

Parametername Meaning

Projectname TheprojectnamethatwillbeshownintheSILverificationreport

Client Theowneroftherisk


12

Versionnumber VersioncontrolnumberoftheSILverificationtask.Youshouldincrementthismanuallyaftereverysignificantchangetothedataintheproject.

Editnumber Thisnumber,generatedbySILability,incrementsautomaticallyaftereverychangetoadatafieldthatisusedinthecalculation.(ItisalsodecrementedwhenadatachangeisreversedusingtheUndocommand.)Itspurposeistoallowyoutoconfirmthatthecurrentstateofthedataexactlymatchesthedatausedtoproducethefinalreport.

Teammembers ThenamesofpersonnelinvolvedintheSILverificationtask

Dateinitiated ThestartdateoftheSILverificationtask

3.2.1 Save on the fly

Asyouworkonyourproject,SILabilitycansaveyourworkforyoucontinuously.Youdon’tneedtousethe‘Save’command.Thisconceptiscalled‘saveonthefly.’

Evenifyourworkisinterruptedbyacomputercrashorpowerloss,noneofyourworkshouldbelost.Youcansimplyre-opentheprojectfileandSILabilitywillrecovertheprojectautomatically.

Ifyoudon’twanttosavethechangesasyouwork,youcancreateyourprojectin“Letmetryitout”mode.Later,ifyoudecidetosavechanges,usetheFilemenu–Saveprojectcommand.

AfutureversionofSILabilitywilloffera“sandbox”mode.Insandboxmode,youcanmakeexperimentalchangestothedatawithoutsaving.Whenyou’redone,youcaneitheracceptthechangesor“shakethesandbox”torestoretheprojectdatatoitspreviousstate.

3.2.2 The welcome screen

ThewelcomescreenisvisiblewhenyoulaunchSILability,andalsowhenevernoprojectisopen.

Fromhere,youcancreateanewprojectoropenanexistingproject.

Toreturntothewelcomescreen,closeallprojectsinthemainSILverificationscreenusingFilemenu–Closeprojects.


13

3.3 Creating a new project

Projectsarecreatedfromtemplates.ASILabilitytemplatefileissimplyanXMLprojectfilethatresidesintheTemplatesfolderinSILability’sworkspace(thefoldernamedSILabilityor.SILabilityasdiscussedinChapter2).

Tocreateaproject,select“Startnewproject”fromthewelcomescreen.Onthenextdialogue,selectthetemplateyouwanttouse.Ifyouwanttosavethenewprojectonthefly,select“Makenewprojectandsavemywork”.Otherwise,select“Letmetryitout”;thisoptionwillcreateaproject,buttheprojectwillnotbesaveduntilyouselectFilemenu–SaveprojectinthemainSILverificationscreen.

YoucanaddyourowntemplatejustbycopyingavalidprojectfiletotheTemplatesfolder.Itwillthenshowupinthetemplateslistnexttimeyouselect‘Createnewproject’fromthewelcomescreen.

3.4 Saving a project

Projectsaresavedautomaticallyby‘saveonthefly’.Ifnecessary,youcansavemanuallyusingtheFilemenu–Saveprojectcommand.Thisoffersyouthechoiceofsavingonce,orstartingsaveonthefly(sothatallfuturechangesaresavedautomatically).

Ifyouarenotsurewhethersavingontheflyisactive,justtryclosingtheproject(Filemenu–Closeproject).Awarningwillbeshownifthereareunsavedchangesintheproject.

3.5 Closing a project

The‘closeproject’commandisintheFilemenu.Awarningwillbeshownifthereareunsavedchanges.Also,ifthereisanopendatabasewithunsavedchanges,awarningwillbeshown.Whentheprojectissuccessfullyclosed,theWelcomescreenisshown,allowingyoutoopenanotherprojectifyouwish.

3.6 Opening an existing project

ThecurrentversionofSILabilityallowsonlyoneprojectopenatatime.(Futureversionswillremovethislimitation.)Anyopenprojectmustbeclosedbeforeyoucanopenanotherone.YoucanopenaprojectfromtheWelcomescreen,usingthe‘Openproject’or‘Openrecentproject’buttons.

Whenyoufirstopentheproject,itwillnotbesavedonthefly.(Thisistopreventunintendedchangestoyoursavedproject.)Tostartsave-on-the-fly,usetheSaveAscommandfromtheFilemenuinthemainSILabilitywindow.Westronglyrecommendthatyoualwaysusesave-on-the-flywheneveryouintendtomakepermanentchangestoyourproject.


14

4. CHAPTER 4 - WORKING WITH SIFs 4.1 Introduction

InChapter1,theconceptofaSIFwasintroduced.ThischapterexplainshowSIFsarehandledinSILability,includinghowtocreate,selectanddeleteSIFsandhowtonavigatearoundthestructureofaSIF.

4.2 Creating a SIF

WhenyoustartanewprojectinSILabilityusingthe“minimal”template(asdescribedinChapter3),yourprojectwillcontainoneSIFwithnodata.YoucanstartusingthisSIFimmediately.

TocreateanotherSIF,gototheSIFmenuandselectoneofthefollowing:

• NewSIFatend(addsanewSIFafterthelastSIFintheproject)• NewSIFafterthisone(insertsanewSIFbelowthecurrentlyselectedSIF)• NewSIFbeforethisone(insertsanewSIFabovethecurrentlyselectedSIF)

ThenewSIFwillbecreatedandselected.Ifyoudecideyoudon’twantthenewSIF,selectToolsmenu–Undotogobacktothepreviousstateoftheproject.

4.3 Selecting a SIF

WhenyouwanttovieworworkonadifferentSIF,selecttheSIFyouwantinthe“GotoSIF”choiceboxatthetopofthedataentrypanel.

4.4 Deleting a SIF

SelecttheSIFyouwanttodelete(usingthe“GotoSIF”choicebox).SelectSIFmenu–DeleteSIF.IfyoudeleteaSIFbymistake,usetheUndocommandintheToolsmenu.

Youcan’tdeleteaSIFifitistheonlySIFintheproject,becauseeachprojectmustcontainatleastoneSIF.

4.5 Copying and importing SIFs

TocopyaSIF,selectSIFmenu–‘CopySIF,’or‘CopySIFandgotothecopy.’ThenewSIFisinserteddirectlybelowtheoriginalSIF.YoucanundoSIFcopyingifnecessary.


15

4.6 Structure of a SIF

SIFsconsistofthreesubsystems:

• Sensors:thefielddevicestypicallyconnectedtotheequipmentundercontrol,includinginputdevicessuchassensors,transmitters,pushbuttons,signalconditioners,intrinsicallysafe(IS)barriers,andwiringuptotheinputofthelogicsolver.

• Logicsolver:adevicethatdecideswhethertheSIFshouldbeinthetrippedoruntrippedstate,basedonsignalsfromtheinputdevices.Typically,thisiseitheraprogrammablelogiccontroller(PLC)oranassemblyofsafetyrelays.Itincludesanyneededancillariessuchaspowersupplies.

• Finalelements:thefielddevicesthatactontheequipmentundercontrol,inordertoachievethedesignintentoftheSIF.Typicalexamplesarevalves,motorcontrolcircuits,clutches,relays,andsolenoids.Allequipmentwhosecorrectfunctioningisimportanttoachievethesafestateoftheequipmentshouldbeincluded,startingfromtheoutputofthelogicsolver.

SILabilityallowsyoutomodelsecondarySIFs(havingnosensorsubsystem)orpartialSIFs(withoneortwoemptysubsystemsempty).Toachievethis,acheckboxisprovided,“IncludethissubsysteminSIF”,toalloweachsubsystemtobeincludedin,orexcludedfrom,theSIF.


16

Fielddevicesinthesensorandfinalelementsubsystemsmaybenumerous,andstructuredinacomplexlogicalrelationship.Toallowthistobeaccuratelymodelled,SILabilityprovidesthreelevelsofhierarchy:groups,legsandcomponents.

Individualcomponentssuchassensorsandtransmittersareassembledintolegs;withinaleg,thecomponentsareassumedtobelogicallyconnectedinseries,suchthatallcomponentsmustfunctioncorrectlyforthelegtofunctionasawhole.Usually,there’sonlyoneinstanceofeachcomponentinaleg;however,occasionallyacomponentsuchasasolenoidmaybeprovidedasaredundantpairinaone-out-of-two(1oo2)architecture.1oo2meansthatevenifonesolenoidfails,theothercanstillprovidetherequiredfunction.

Legsareassembledintogroups.Typically,eachleginagroupwillbeidentical;forexample,ina2oo3overpressureSIF,threelegswillbeprovided,eachcontainingapressuresensor,pressuretransmitterandperhapsanISbarrier.However,in1oo2,1oo3,1oo4,2oo2,3oo3and4oo4architectures,SILabilityallowsthelegstobenon-identicalifrequired.

Groupsallowyoutomodelsituationswherethesensorshavemultiplewaystodetectthehazard.Forexample,adistillationcolumnprotectionSIFmaytriponhighpressureorhightemperature,botharisingfromthesamecauses.Tomodelthis,putthepressuresensorlegsinonegroup,andthetemperaturesensorlegsinanother.Similarly,groupscanalsobeusedinfinalelementsubsystems,forcaseswheretheSIFtakesmultipleactions(ina1ooNorNooNlogicalrelationship)toachievethesafestate.

Theinternallogicalstructureofthelogicsolverisusuallymorestraightforward,sogroupsandlegsarenotprovided.Instead,youcanlistallthemaincomponentsofthelogicsolverdirectlyinthesubsystem,suchasI/Ocards,CPU,powersupply,andrelays.Theextenttowhichyousubdividethelogicsolver’scomponentswilldependonthefailureratedataavailable.

4.7 Sub-SIFs

EachSIFcanincludeanotherSIFaspartofitsarchitecture.ThisenablesyoutoconstructSIFsofcomplexarchitecture,andprovidesamethodofinsertingcompletesubassemblies(suchasgroupsofsensors,groupsofvalves,andmachinemonitoringsystems)intomultipleSIFswithoutretypingorcopying.

ASIFthatcontainsanotherSIF(knownasasub-SIF)isdescribedasa“hostSIF”.Thesub-SIFresidesinthesensororfinalelementsubsystemofthehostSIF,andistreatedasagroupwithinthehostsubsystem.


17

Toaddasub-SIF,gototheSIFthatwillbecomethesub-SIF,andselectthe“UsethisSIFasasub-SIF”commandintheSIFmenu.YouarethenpromptedtonavigatetothesubsystemofthedesiredhostSIF,whichcanbedonebyusingthedropdownbox“GotoSIF”andthetreeview(leftsideofthescreen).Thenclickthe“Attach”buttoninthebottomsectionofthescreen.

Afteraddingasub-SIF,youwillneedtochangethearchitectureofthehostsubsystemtomatchthenewnumberofgroupsplussub-SIFsinthesubsystem.Forexample,ifthesubsystemnowcontainsonegroupandonesub-SIF,assign1oo2or2oo2architecturetothesubsystem.

Thesub-SIFanditshostSIFmustusethesameoperatingmodeandACmodel.

4.8 Tree view

ThehierarchyofthecurrentlyselectedSIFisshowninatreeviewontheleftsideofthescreen.Tomaketheviewmorecompact,youcancollapselegs,groupsandsubsystemsbyclickingthesmalltriangleontheleftofeachitem.

Clickaniteminthetreeviewtoviewandeditthedatainthatitem.Forexample,toeditthesensorsubsystem,click“Sensors”.Thecorrespondingdatawillappearinthedataentrypanel(upperrightsectionofthescreen).

4.9 Adding groups, legs and components

YoucanaddnewelementstotheSIFhierarchyintwoways:


18

• Displaytheparentoftheitemyouwanttocreate(e.g.thegroupthatwillcontainthenewleg)byclickingitinthetreeview.ThenselectSIFmenu-“Addnewitem”.(Themenutextshowswhichkindofitemwillbeadded.)

• Click<Additem>inthetreeview.

Thenewitemwillbeaddedimmediatelybelowthecurrentlyselecteditem.Youwillneedtoadjustthearchitectureoftheparenttomatchthenewnumberofitemsitcontains.

Ifyoudecideyoudon’twantthenewitem,usetheUndocommandintheToolsmenu.

4.10 Deleting groups, legs and components

Displaytheitemyouwanttodeletebyclickingitinthetreeview.SelectSIFmenu–“Deleteitem”.(Themenutextshowswhichkindofitemwillbedeleted.)Youwillneedtoadjustthearchitectureoftheitem’sparenttomatchthenewnumberofitemsexisting.

Ifyoudeleteanitembymistake,usetheUndocommandintheToolsmenu.

5. CHAPTER 5 - DATA HANDLING FEATURES 5.1 Introduction

SILabilityprovidesanumberoffeaturestoassistwithenteringthedataneededtoperformSILverificationcalculations.Thesefeaturesaredescribedinthischapter.

5.2 Entering data into text fields

Textfieldsdesignedtocontainsmallamountsofinformation,suchas“SIFTag”,cancontainonlyasinglelineoftext.Youcannavigatetoandfromthesefieldsbyclickinginthefield,orusingtheTaborShift+Tabkeys.Yourentryisstoredassoonasyouexitthefield.

Othertextfieldssuchas“SIFDescription”aremulti-linefields.Thesefieldswillstretchtocontainasmuchdataasyouwishtoprovide.YoucanstartanewlineusingtheEnterkey,andinsertatabusingtheTabkey.Tomovetoanotherfield,clickinthenextfield.

5.3 Entering data into numerical fields

Numericalfields,suchaslambdavalues(failurerates)incomponents,cancontainonlynumbers.Initially,thevalueisundefinedandthefieldshows“Notset”.Tosetthevalue,justenterthefieldandtypeanumber.There’snoneedtodeletethewords“Notset”;theywilldisappearautomaticallywhenyouexitthefield.Oncethevalueisset,youcannotunsetit(exceptbyusingUndo);evenifyoutype“Notset”,itwillbetreatedasanunrecognisedvalueandthefieldwillbeleftunchanged.


19

Youcanenteranyvalueyouwishinanumericalfield,evenifthevalueisinvalid(suchasanegativevalueforlambda).Youcanusescientificnotation,forexamplebyentering1e-2or1E-2for0.01.

Thevalueisstoredanddisplayedwithapredefinedlevelofprecision—eg3significantfiguresforlambdavalues—irrespectiveofhowmuchprecisionyouenter.Forinstance,ifyouenter1.23456inalambdafield,itwillchangeto1.23whenyouexitthefield.Thisistopreventtheuserfromclaimingamisleadingdegreeofprecisionforinputdata.

5.4 Setting the units of numerical fields

Mostnumericalfieldshavea“unit”choiceboxtotheirright.Selecttheunitmatchingthevalueyouentered.Forexample,whenenteringaβ(commoncausefactor)value,youcanenteranabsolutevalue(say0.1)withaunitof“nounit”,orapercentage(say10%)withaunitof“%”.Ifyouchangetheunitafterenteringthevalue,thevaluewillNOTbeautomaticallyconvertedtomatchthenewunit.Thisistoreducetheriskofvaluesunintentionallychangingwithouttheuserbeingawareofit.

Foreachcomponent,thelambda(failurerate)valueunitsarelockedtogether.Ifyouchangeone,theywillallchange.Thisisbecauselambdavaluesarenormallyprovidedwiththesameunit,soitisveryunlikelythatyouwouldintentionallysetonelambdaunitdifferentlyfromalltheotherswithinasinglecomponent.

5.5 Setting checkbox fields

Checkboxfields,suchas“Proveninuse”incomponents,areinitiallyundefined(neithercheckednorunchecked).Thisisdisplayedas©inWindowsandablueboxwithwhitehorizontallineinOSX/macOS.Whenyouclickthecheckbox,itwillchangetocheckedstatus.Youcannot“undefine”itagain(exceptbyusingUndo).


20

5.6 Undo and Redo

SILabilityprovidesfullUndoandRedofunctionality.AnychangetothedatacanberevertedusingtheUndocommandintheToolsmenu.Unlimitedundoisprovidedallthewaybacktothelasttimetheprojectfilewasopened(orcreated,ifit’sanewproject).

TheRedocommandintheToolsmenuallowsyouto“undoanundo”,ifyoudecidedyouwantedtokeeptheoriginalchangeafterundoingit.Ifyouundoaseriesofchanges,youcanredoeachoneinturnuntiltheyhaveallbeenredone.

WhenyouundoorredoachangetoaparameterthataffectstheSILverificationresult,itwillbeimmediatelyrecalculatedanddisplayed.

5.7 Applying comments to data

SILabilityprovidesapowerfulcommentingfunctionthatallowsyoutoattachcommentstoanyitemofdata.Forexample,youcandocumentthesourceofeachitemofdata,recordanyassumptionsmade,orexplainanydifferencesbetweensimilaritemsofdata.Thecommentsystemcouldalsobeusedtotrackchanges,ortorecordthenameofthepersonenteringeachitemofdata.

Toenteracomment,clickthecommentbuttontotherightofthedatafield.Thecommentdisplaynowappearsintheresultpanelatthebottomrightofthescreen.Clickandtypeintheemptycommentfield.Whenyou'vefinished,clickthe“Done”buttonorsimplyclickanywhereelseintheSILabilitywindow;yourentrywillbestoredautomatically.

Ifyouwanttoenteranothercommentforthesamedataitem,simplyclickon

thecommentbuttonagain.Anothercommentfieldwillappear.A“Delete”buttonisprovidedtoallowyoutodeleteeachcomment.

Allcomments(withcertainexceptions,seeFAQsinAppendixH)willbeshowninthespreadsheetreport(seechapter8).

Commententry,editinganddeletioncanbeundoneandredoneusingtheUndoandRedocommandsintheToolsmenu.


21

6. CHAPTER 6 - INPUT DATA 6.1 Introduction

Inthischapter,wedescribeallthedataneededfortheSILverificationcalculation.EachleveloftheSIFhierarchy—theSIFitself,subsystems,groups,sub-SIFs,legsandcomponents—hasanumberoffieldsfordatainput.Youcanprovidethedataby:

• typingintheinputdatafieldsintheupperrightpanelofthescreen,• addingcomponentsfromaSILabilitydatabase(seechapter7),or• preparingdatainanXMLfileandopeningitasaprojectfile.

Thetablesbelowshowalltheparametersforeachlevelofhierarchy,alongwithanexplanationofhowSILabilityusesthedata.

6.2 SIF-level data fields

Parametername Purpose Requiredforcalculation?SIFname Abrief,human-readablenamesuchas

“HighleveltripinsteamdrumV-100”No,onlyforreportingpurposes

SILtag ThetagnumberoftheSIFitself,asshownintheP&IDorC&ED.Typicallybeginswith‘UX’.

No,onlyforreportingpurposes

SIFdescription AdescriptionofthefunctionoftheSIF,intermsofsensorsandfinalelements.Example:“OnPAHH-123(2oo3):closeXV-200andcloseXV-201(2oo2).”


SIFreference ThereferencenumberandrevisionnumberofthedocumentthatdefinestheSIF,suchasanSRS,C&EDorESDnarrative.

No.Importantfortraceability,FSAandconfigurationmanagementpurposes

Hazard TheprocesshazardthattheSIFisdesignedtodetect.Example:“OverfillingofsteamdrumV-100”.ThiscanusuallybecopiedfromaHAZOPreport,SILdeterminationreport,orSRS.


Consequence TheimpactonriskreceptorsintheeventoffailureoftheSIFunderconsiderationandallotherrelevantlayersofprotection.Example:“Watercarryovertosteamheaderleadingtohammeringanddamage.Potentialoperatorinjury,downtimeforrepair.”



22

6.3 Subsystem data fields

Parametername Purpose Requiredforcalculation?Subsystemname Adescriptivenameforthesubsystemin

theSIF.Example:“ValvestopreventoverfillingofV-100”


Processarea Theunitorareacontainingthemainequipmentassociatedwiththehazard.


Operatingmode TheoperatingmodeoftheSIFperIEC61508andIEC61511:lowdemandmode,highdemandmodeorcontinuousmode.IftheprojectusesIEC61511:2003,select“Lowdemandmode”fordemandmode.IftheprojectusesIEC62061,selecthighdemandmodeorcontinuousmode,dependingontherelativefrequencyofdiagnostictestsanddemandontheSIF.

Yes

ACmodel Thehardwarefaulttolerance(HFT)oftheSIFcanbeevaluatedagainstanyofthefollowingarchitecturalconstraintrequirementmodels:IEC61508:2010Route1H,IEC61508:2010Route2H,IEC61511:2003,orIEC61511:2016.Alternatively,therequirementcanbewaived.Thisfieldallowsyoutoselectwhichmodeltoapply.

Yes

SILtarget TheSILtargetselectedfortheSIFduringapreviousSILdetermination.

Noeffectonthecalculation.ThereportwillindicatewhethertheSILachievedbytheSIFmeetsthetarget.

RRForPFHtarget TheSIF’sriskreductiontargetdefinedinapreviousSILdetermination.Inlowdemandmode,thisfieldcontainstheRRFtarget.Inotheroperatingmodes,thisfieldcontainsthePFHtarget.

NoeffectonthePFcalculation.ThereportwillindicatewhetherthePFachievedbytheSIFmeetsthetarget.

ThisparameterisusedintheACmodelIEC61508:2010Route2H.


23

Architecture Setsthevotingamongsensorgroups.Permittedarchitecturesare1oo1,1oo2,2oo2,1oo3,2oo3,3oo3,2oo4,and4oo4.TheNvalueinMooNmustmatchthenumberofgroupsdefinedinthesensorsubsystem.Ifyouselect2oo3or2oo4,allgroupsinthesensorsubsystemmustbeidentical;thisisarestrictioninSILability.

Yes

b(Beta) Definesthecommoncausefactorbetweengroups.Thisisthefractionoffailures(bothdangerousandsafe)thatcanbeattributedtoacommoncause,suchasanexternalstressororadesignflaw.RefertoIEC61508:2010part6forguidanceinselectingavalue.

ThevaluecannotbegreaterthanthebvaluesforanyofthegroupsintheSIF.Therationaleisthatstressorsleadingtocommoncausefailurebetweengroupsshouldbefewerthanstressorscausingfailurewithingroups,becausegroupsaregenerallymorediversethanlegs.

Yes,ifarchitectureisredundant(MooNarchitectureswithM<N,e.g.1oo2).ForMooNarchitectureswithM>1,bisusedtocalculateMTTFS.

ReduceHFTrequirement

IEC61508:2010-2architecturalconstraintRoute2Hclause7.4.4.3.2providesanalternativerulesetforcaseswhereadditionalredundancycanintroducehazards.IEC61511:2016-1clause11.4.6hasasimilarprovision.Thischeckboxallowsyoutoselectthealternativeruleset,whichgenerallyleadstoalowerHFTrequirement.

IfyouselectIEC61508:2010Route2HorIEC61511:2016,thischeckboxmustbeset(eithercheckedorunchecked;itsdefaultstateisundetermined).IfyouselectanyotherACmodel,thecheckboxisdisregarded.

UsedforACmodelsIEC61508:2010Route2HandIEC61511:2016.


24

6.4 Additional data fields for logic solver subsystem

Parametername Purpose Requiredforcalculation?Equipment Thebrandandmodelofhardwareused

toimplementthelogicsolver.No,onlyforreportingpurposes

Nameindatabase (Forfutureversion)Ifthelogicsolverwasselectedfromadatabase,thisshowsthenameofthelogicsolverinthedatabase.


Category (Forfutureversion)Thecategoryoftheequipment,suchassafetyPLC,relay-basedlogicsolver.

No,onlyforfilteringindatabase

Tripaction WhetherthelogicsolverimplementstheSIFbyenergisingorde-energising.ThisoptionallowsSILabilitytoselecttheappropriatelambdavalues,asexplainedinsection6.7.

Refertosection6.7

Missiontime Theplannedlifetimeoftheequipmentusedtoimplementthelogicsolver.Thecalculationassumestheequipmentwillbereplacedwithnewequipment,orrefurbishedtoas-newcondition,attheendofthemissiontime.Missiontimeiscountedfromthedatetheequipmentleavesthefactory,notthedateitisbroughtintoservice,assomecomponentsmaystarttodeteriorateimmediately.

Yes

Prooftestsuccessrate

Thefractionofproofteststhatareexpectedtobeperformedsuccessfully.Thisprovidesawaytoallowforthefactthatprooftestsmayoccasionallybedelayed,performedincorrectly,orgivefalsepositiveresults.ForPLCs,xSeriCon'ssuggestedvalueis0.95~0.98.

Yes

b(Beta) Sameasbforothersubsystems,exceptthatitreferstocommoncausefailuresbetweencomponents,ratherthangroups.



25

Meantimetorestore(MTTR)

Themeantimerequiredtorepair,testandrecommissionafaultinthesubsystem,startingfromthetimethefaultisdiscovered.

Yes

Prooftestinterval(PTI)

Theplannedintervalbetweenmanualprooftestsofthesubsystem.Ifnoprooftestingisplanned,setthisvalueto>MissionTimeforthesubsystem.(SILabilitywillnotallowyoutosimulateno-proof-testingbysettingProofTestCoveragetozero,becauseProofTestCoveragemustbegreaterthandiagnosticcoverage.)

Yes

Prooftestduration

Thetimeperiodpertestthatthesubsystemisunavailableduetoundergoingmanualprooftesting.

Yes

MTTRincludesdiagnosticstime

WhethertheMTTRincludesatimeallowancefortheintervalbetweenautomaticdiagnostictestsofthesubsystem.ThisisrequiredwhenACmodelIEC61508:2010Route1Hisselected,andcannormallybesettoYes(checked).

UsedforACmodelIEC61508:2010Route1HinLowDemandmode.

Detectsafefailuresinsensors

Whetherthelogicsolvercanraiseanalarm(insteadofatrip)intheeventofadetectedsafefailureofacomponentinthesensorsubsystem.ThisdetermineswhetherdetectablesafefailuresinthesensorsubsystemcontributetotheMTTFS.

UsedtocalculateMTTFS.

SafefailuresrepairedwithinMTTR

IfanundetectedsafefailureoccursinalogicsolverwithMooNarchitecturewhereM>1,itwillnotcauseaspurioustrip.However,itmayberepairedifitisrevealed(e.g.byadiscrepancyalarmbetweenchannelsofthelogicsolver).SetthischeckboxtocheckedifundetectedsafefailuresarelikelytoberevealedandrepairedwithintheMTTR.

Inpractice,itisunlikelythatundetectedsafefailureswouldbediscovereduntil

UsedtocalculateMTTFS.


26

thenextprooftest,andthecheckboxshouldnormallybeunchecked.

Programmable Whetherthelogicsolverisprogrammable.

UsedforACmodelIEC61511:2003,andforMTTFScalculations.

6.5 Group level parameters

Parametername Purpose Requiredforcalculation?Groupname Adescriptivenameforthegroup.

Example:“LevelsensorsinV-100”No,onlyforreportingpurposes

Architecture Setsthevotingamonglegsinthegroup.Permittedarchitecturesare1oo1,1oo2,2oo2,1oo3,2oo3,3oo3,2oo4,and4oo4.TheNvalueinMooNmustmatchthenumberoflegsdefinedinthegroup.Ifyouselect2oo3or2oo4,alllegsinthegroupmustbeidentical;thisisarestrictioninSILability.

Yes

b(Beta) Definesthecommoncausefactorbetweenlegs.Thisisthefractionoffailures(bothdangerousandsafe)thatcanbeattributedtoacommoncause,suchasanexternalstressororadesignflaw.RefertoIEC61508:2010part6forguidanceinselectingavalue.

Thevaluecannotbegreaterthanthebvaluesforallthecomponentsinthegroup.Therationaleisthatstressorsleadingtocommoncausefailurebetweenlegsshouldbefewerthanstressorscausingfailurebetweenidenticalcomponents,andredundantcomponentsareassumedtobeidentical.


Missiontime Theplannedlifetimeoftheequipmentusedtoimplementthegroup.Thecalculationassumestheequipmentwillbereplacedwithnewequipment,orrefurbishedtoas-newcondition,atthe

Yes


27

endofthemissiontime.Missiontimeiscountedfromthedatetheequipmentleavesthefactory,notthedateitisbroughtintoservice,assomecomponentsmaystarttodeteriorateimmediately.

Prooftestsuccessrate

Thefractionofproofteststhatareexpectedtobeperformedsuccessfully.Thisprovidesawaytoallowforthefactthatprooftestsmayoccasionallybedelayed,performedincorrectly,orgivefalsepositiveresults.

Yes

Partialvalvestroketestsuccessrate

ThefractionofPVSTsthatareexpectedtobeperformedsuccessfully.ThisprovidesawaytoallowforthefactthatPVSTsmayoccasionallybedelayed,performedincorrectly,orgivefalsepositiveresults.Thisparameterappliesonlytogroupsinthefinalelementsubsystem.

Yes

MTTR Meantimetorestore:thisisthemeantimerequiredtorepair,testandrecommissionafaultinthegroup,startingfromthetimethefaultisdiscovered.SeeFAQ’sinAppendixHforfurtherdetails.

Yes

Prooftestinterval Theplannedintervalbetweenmanualprooftestsofthegroup.Ifnoprooftestingisplanned,setthisvalue>Missiontimeforthegroup.

Itisassumedthatthewholegroupistestedatonetime.However,ifthegroupcontainsredundantlegs,itisassumedthatnotallthelegsaretakenofflinefortestingsimultaneously,sothatprotectionismaintainedduringtheprooftest.

Yes

Partialvalvestroketestinterval

TheplannedtimeintervalbetweenPVST’s.IfnoPVSTisplanned,uncheckthe“UsePVST”checkboxinallofthelegsofthisgroup.Thisparameterappliesonlytogroupsinthefinalelementsubsystem.

Yes,ifanyleginthisgrouphas“UsePVST”switchedon.


28

Prooftestduration

Thetimeintervalpertestthatthegroupisunavailableduetoundergoingmanualprooftesting.Ifnoprooftestingisplanned,setthisvaluetozero.SeeProoftestinterval(above)formoredetails.

Yes

MTTRincludesdiagnosticstime

WhethertheMTTRincludesatimeallowancefortheintervalbetweenautomaticdiagnostictestsofthegroup.ThisisrequiredwhenACmodelIEC61508:2010Route1Hisselected,andcannormallybesettoYes(checked).

UsedforACmodelIEC61508:2010Route1HinLowDemandmode.

SafefailuresrepairedwithinMTTR

IfasafefailureoccursinanelementwithMooNarchitecturewhereM>1,itwillnotcauseaspurioustrip.However,itmayberepairedifitisrevealed(e.g.byabadPValarmordiscrepancyalarm).SetthischeckboxtocheckedifundetectedsafefailuresarelikelytoberevealedandrepairedwithintheMTTR.

Inpractice,thisisplausibleforelementsinthesensorsubsystem.However,inthefinalelementsubsystem,itisunlikelythatundetectedsafefailureswouldbediscovereduntilthenextprooftest,andthecheckboxshouldnormallybeunchecked.

UsedforMTTFScalculation.

6.6 Leg level parameters

Parametername Purpose Requiredforcalculation?Legname Adescriptivenamefortheleg.Example:

“Levelsensorsleg1”.Thiscouldincludethedevicetagnumber.


UsePVST Whetheryouintendtoimplementpartialvalvestroketestingoftheleg.Appliesonlytolegsinthefinalelementsubsystem,andonlytolegscontainingprocessvalves.

Yes


29

6.7 Component level parameters

Parametername Purpose Requiredforcalculation?Componentname Thetagnumberorotherunique

identifierforthecomponentNo,onlyforreportingpurposes

Equipment Thephysicalequipment(brandnameandmodelnumber)usedtoimplementthecomponent.Youareadvisednottowritethetagnumberhere,asitcouldbestoredinthedatabase,causingconfusionwhenacomponentisretrievedfromthedatabase.

No,onlyforreportingpurposesandforstorageinthedatabase

Datasource Areferencetothesourceofinformationused,especiallythefailurerates.

No,onlyforreportingpurposesandforstorageinthedatabase

Nameindatabase Ifthecomponentwasselectedfromadatabase,thisshowsthenameofthedeviceinthedatabase.

No,onlyforidentificationinthedatabase

Category Thecategoryoftheequipment,suchasballvalve,actuator,pressuresensor,ISbarrier.

No,onlyforfilteringindatabase

Databasecomment

Acommentstoredinthedatabaserecordforthiscomponent.Youcanusethisforanypurposeyouwish;forexample,thenameofthepersonwhoaddedthecomponenttothedatabase,orthenameoftheprojectfromwhichitwasadded.

No,onlyforstorageinthedatabase

Architecture Whetherthecomponentisprovidedwithinternalredundancy.Forexample,iftwoidenticallimitswitchesortwosolenoidvalvesareprovided,andconfiguredsothatsuccessfuloperationofeitherofthemcanachievethedesignintentofthecomponent,youcansetthearchitectureto1oo2.Theoptionsare1oo1and1oo2.

Yes

Hardwaretype TypeAorTypeBasdefinedinIEC61508:2010.Inessence,TypeAaresimplenon-programmabledevices,suchaslimitswitches,valvesandthermocouples.TypeBareprogrammabledevices.

Yes,ifIEC61508:2010Route1HorRoute2HareselectedasACmodel


30

lDDTotal Thecomponent’stotalrateofdangerousrandomfailuresthataredetectablebydiagnostics.ThisistypicallythelDDvalueprovidedinthedevice’ssafetymanualorSILcapabilitycertificate.

AdangerousfailureisdefinedasanyfailurethatcanpreventtheSIFfromputtingtheprocess(orEUC)intothedefinedsafestate,intheabsenceofredundancy.

Ifyoudefinethetripdirection(high/low)oraction(e.g.energise/de-energise,open/close)andyouhaveseparatelDvaluesforthese,youcanusetheselDvaluesinsteadoflDDTotalbysetting‘Uselhigh/low’tochecked.

Yes,iftripdirection/actionisnotdefined,orif‘Useëhigh/low’isunchecked.

lDUTotal Thecomponent’stotalrateofdangerousrandomfailuresthatarenotdetectablebydiagnostics.ThisistypicallythelDUvalueprovidedbythemanufacturer.ForfurtherdetailsseelDDTotal.


lSDTotal Thecomponent’stotalrateofsaferandomfailuresthataredetectablebydiagnostics.ThisistypicallythelSDvalueprovidedbythemanufacturer.ForfurtherdetailsseelDDTotal.

AsafefailureisdefinedasanyfailurethatcancauseaspurioustripoftheSIF,unlessthedeviceisinMooNarchitecturewhereM>1(inwhichcase,Msuchfailurescancauseaspurioustrip),orthetripissuppressedbydiagnostics.


lSUTotal Thecomponent’stotalrateofsaferandomfailuresthatarenotdetectablebydiagnostics.ThisistypicallythelSUvalueprovidedbythemanufacturer.ForfurtherdetailsseelDDTotal.

Yes,iftripdirection/actionisnotdefined,orif‘Uselhigh/low’isunchecked.

lResidual Thecomponent’stotalrateofrandomfailuresthatareneithersafenor

No.Thisisprovidedforpossiblefutureuse.


31

dangerous.Atypicalexampleisfailureofadisplayoradiagnostic.

lDHigh Thecomponent’stotalrateofrandomfailures,detectablebydiagnostics,thatcauseitspuriouslytogiveahighsignal,energise,openorremaininenergised/openstate.ForfurtherdetailsseelDDTotal.

Yes,iftripdirection/actionisdefinedand‘Uselhigh/low’ischecked.

lDFreeze Thecomponent’stotalrateofrandomfailuresdetectablebydiagnostics,thatcauseitsanalogueoutputtoshowanincorrectvaluethatcouldbehigherorlowerthanthetruevalue.ForfurtherdetailsseelDDTotal.


lDLow Thecomponent’stotalrateofrandomfailures,detectablebydiagnostics,thatcauseitspuriouslytogivealowsignal,de-energise,closeorremaininde-energised/closedstate.ForfurtherdetailsseelDDTotal.


lUHigh Thecomponent’stotalrateofrandomfailures,notdetectablebydiagnostics,thatcauseitspuriouslytogiveahighsignal,energise,openorremaininenergised/openstate.ForfurtherdetailsseelDDTotal.


lUFreeze Thecomponent’stotalrateofrandomfailuresnotdetectablebydiagnostics,thatcauseitsanalogueoutputtoshowanincorrectvaluethatcouldbehigherorlowerthanthetruevalue.ForfurtherdetailsseelDDTotal.


lULow Thecomponent’stotalrateofrandomfailures,notdetectablebydiagnostics,thatcauseitspuriouslytogivealowsignal,de-energise,closeorremaininde-energised/closedstate.ForfurtherdetailsseelDDTotal.


TripdirectionorTripaction

Forcomponentsinthesensorsubsystem,thisdefinesthesenseofthetripfunction.Ifthefunctionisdesignedtotripwhenaprocessvariableisgreater

Yes


32

thanathresholdvalue,orwhenalogic1signalisgenerated(egfromalimitswitch),thetripdirectionis“high”.Ifthefunctionshouldtripwhentheprocessvariableisbelowathreshold,oralogic0signalisgenerated,thetripdirectionis“low”.

Forcomponentsinthelogicsolverandfinalelementsubsystems,theoptionsare“opentotrip”and“closetotrip”(forvalves),or“energisetotrip”and“de-energisetotrip”(forotherdevices).

Thisvalueisusedtodeterminewhichfailurerates(lvalues)areusedinthePFDavg/PFHandMTTFScalculations.Forexample,ifthetripdirectionissetto“high”,lHighistakenasasafefailurerate,whilelFreezeandlLowaretakenasdangerousfailurerates.

Ifyoudon’thavesufficientlydetailedldata,youcansettheTripdirectionorTripactionto“Undefined”,orset‘Uselhigh/low’tounchecked.SILabilitywillthenusethelTotalvaluestodeterminefailurerates,andlHigh,LowandFreezevalueswillbeignored.

bbetweeninstances

Definesthecommoncausefactorbetweeninstancesofidentical,redundantcomponents.Thisisthefractionoffailures(alltypes)thatcanbeattributedtoacommoncause,suchasanexternalstressororadesignflaw.RefertoIEC61508:2010part6forguidanceinselectingavalue.

Yes,ifarchitectureisredundant(1oo2).

Prooftestcoverage

Thefractionofallfailures(dangerousandsafe;detectableandundetectable)thatarecoveredbythedevice’sprooftestmethod.(Inafutureversion,youwillbeabletoenter3separatevalues:PTCHighcoversfailuresincludedinlDHighand

Yes


33

lUHigh;similarlyforPTCLowandPTCFreeze.)

Assomedeviceshaveseveralpossibletestmethods,makesuretousetheprooftestcoveragequotedforthemethodyouintendtoapply.Inlowdemandmode,thePFDavgcanbequitesensitivetothisparameter,soitisimportantnottooverestimateit.

Partialvalvestroketestcoverage

Thefractionoffailurescoveredbythedevice’spartialvalvestroketestmethod.Appliestocomponentsinthefinalelementsubsystemonly.IfyouarenotusingPVST,setthisparameterto0.Ifyouleavethevalueunset,itisassumedtobe0.(Inafutureversion,youwillbeabletoenterseparatevaluesforPVSTcoverageopenandclose,forPVST’sthatopenandclosethevalverespectively.)

Yes

Proveninuse Whetherthedevicehasundergonea‘proveninuse’or‘prioruse’assessment.YoucanalsosetthistocheckedifthedeviceisSILcertifiedbyamethodthatincludesprioruseassessment.

UsedinIEC61511:2003ACmodel.

Overridedatabasevalues

Ifthisissettochecked,youcanmanuallyoverrideanylvalues(andotherparameters)retrievedfromaSILabilitydatabase,bytypingnewvaluesintherespectivefields.Otherwise,ifthedevicewasselectedfromadatabase,thesefieldsarelockedforediting.

Ifchecked,thisfieldalsosuppressesautomaticupdatingofthedevice'slvaluesifthecorrespondingdatabaseitemischanged.Seechapter7fordetailsonusingadatabase.

No

Uselhigh/low Ifthisissettochecked,andiftheTripaction/directionfieldissettoavalueotherthan“Undefined”,thecalculationwilluselDHigh,lDFreeze,lDLow,lUHigh,lUFreeze,andlULowvaluesfor

Yes


34

thisdevice.Otherwise,thecalculationwilluselDDTotal,lDUTotal,lSDTotal,andlSUTotal.

Diagnosticsarefrequentenough

Setthistocheckedifthesumofthedevice’sdiagnostictestintervalandtimerequiredfortheSIFtoperformthesafetyactionortomaintainasafestateislessthantheprocesssafetytime.

UsedinIEC61508:2010ACRoute1Hforhighdemandandcontinuousmodes.ForotherACmodelsandlowdemandmode,theparameterisignored.

Parameteradjustmentisprotected

Setthistocheckedifthedeviceallowsonlylimitedadjustmentofparameters(notfullprogramming)andsuchadjustmentisprotected(e.g.bypassword).Fordeviceswithnoparameteradjustment(egswitches,RTDs,valves),thiscanalwaysbesettochecked.

UsedinIEC61511:2003ACmodel.

6.8 Engineering units

Allnumericalparametersprovideafieldforyoutosettheengineeringunitofyourchoice.Forexample,missiontimecanbegiveninhours,days,weeks,monthsoryears.Youcanfreelymixtheunitswithintheproject;forexample,prooftestintervalcanbegiveninmonthsandpartialvalvestroketestintervalinweeks,ifyouwish.Priortocalculation,SILabilityconvertsallvaluestoafixedsetofunitsinternally.

However,ifyouchangetheunitofanylvalueinacomponent,theunitsofallotherlvaluesinthesamecomponentchangeautomatically.Linkedvaluesinothercomponentswillalsochangeunitsautomatically(seechapter5foranexplanationoflinking).Thenumericalvaluesarenotchanged.Thisistoreducetheriskofaccidentallysettingtheunitofoneldifferentfromtheothers;mostlikely,thesourceoftheldatawillusethesameunitforalllvalues.

Alltimesrefertocalendartime,ratherthantimeinservice,becauseitisassumedthatrandomhardwarefailurescanoccurevenwhenequipmentisnotinservice.


35

7. CHAPTER 7 - THE SILability DATABASE

SILabilityallowsyoutobuildupyourowndatabaseofcomponentsforuseinSIFs.AlltheparametersneededtoperformSILverificationarestoredinthedatabase,alongwithidentificationfieldsandacommentfield.

ThedatabaseisstoredinanXMLfileinanylocationofyourchoice.Thefilecanbesharedbetweenprojectsandamongusers.PleasecontactxSeriConifyourequiredetailsofthefilestructure.SILabilitydatabasefileshavethefileextension.SILabilityDatabase.

7.1 Getting started with databases

First,makeacopyoftheemptydatabasefileprovidedwithyourSILabilitypackage;giveyourcopyameaningfulfilenamesuchas“MyDatabase.SILabilityDatabase”.

Tostartbuildingupadatabase,youneedtoopenaSILabilityproject(seechapter3).

Next,openyourcopyoftheemptydatabaseusingtheDatabasemenu–Opendatabasecommand.Inthedialoguethatappearsinthedataentrypanel,clickSelectandselectyouremptydatabasefilesuchas“MyDatabase.SILabilityDatabase”.

Ifyouwantyourworkonthedatabasetobesavedonthefly,click“SavechangesasIwork”.

Thenclick“Go”toopenthedatabase.

Youcanonlyopenonedatabaseatatime.Ifyouneedtofetchacomponentfromanotherdatabase,closethecurrentdatabasefirst(seesection7.3).

7.2 Populating your database

Toaddacomponenttoyourdatabase,firstsetupthecomponentinaSIFinyourproject.Enterallthecomponentparametersyouwanttostoreinthedatabase.Thefollowingparameterswillbestoredinthedatabase(seechapter6fordetailsofwhattheparametersmean):

• Equipment• Datasource• Alllvalues• bbetweeninstances• Prooftestcoverage• Partialvalvestroketestcoverage(forfinalelementcomponents)• Proveninuse• Uselhigh/low• Hardwaretype(A/B)


36

• Parameteradjustmentislimited

Othercomponent-relatedfields(suchasarchitecture)arenotstoredbecausetheyareimplementation-dependent–theirvaluevariesfromoneprojecttoanother.

IntheDatabasemenu,selectStorecomponentindatabase(orUpdatecomponentindatabase,ifthecomponentalreadyexistsinthedatabase;seebelow).Thedataentrypanelchangestoshowthe“Writecomponenttodatabase”view.

Enterthefollowinginformationforstorageinthedatabase(seeChapter6fordetailsofthemeaningofeachparameter):

• Componentnameindatabase:thisisthenamebywhichthecomponentwillbeknowninthedatabase.Itcanbedifferentfromthecomponentnameintheproject.Thisparametercannotbeleftblank.

• Equipment:thebrandnameandexactmodelofhardware.Thisisthefieldusedtomatchcomponentsintheprojecttocomponentsinthedatabase.Itcannotbeleftblank.(AnychangeyoumakeinthisfieldwillbecopiedbacktothecomponentintheprojectwhenyouclickGo.)

• Categoryindatabase:alistofpredefinedcategoriesisprovided;selectoneofthese,ortypeyourowncategory.Thecategoryisusefulforfilteringpurposes.

• Datasourcereference• Commentindatabase:acommentfieldyoucanuseforanypurpose,suchasthe

nameofthepersonenteringthedataandthedate.ItispurelyinformationalanddoesnotappearintheSILverificationreport.

Ifthedatabasealreadycontainsacomponentwiththesameequipmentbutdifferentparameters,themessage“Componentalreadyexistsindatabase”appears.WhenyouclickGo,theexistingdatabasecomponentwillbeoverwritten.Ifthiscreatesdiscrepancieswithothercomponentsintheproject,thediscrepanciesneedtoberesolved;seesection7.7laterinthischapter.

7.3 Saving your database

Tosaveyourdatabaseina.SILabilityDatabasefile,gototheDatabasemenuandselectSavedatabase.

Whenopeningthedatabase,ifyouclickthe‘SavechangesasIwork’checkbox,allsubsequentdatabasechangesaresavedimmediately,andthereisnoneedforyoutosavethedatabasemanually.Youarehighlyrecommendedtousethisoptionifyouarebuildingupthedatabase,asitwillavoidlosinganyworkifthereisacomputercrash.However,ifyouareusinganexistingdatabaseanddon’twanttosaveinadvertentchanges,uncheck‘SavechangesasIwork’.


37

7.4 Closing your database

Tocloseyourdatabase,gototheDatabasemenuandselectClosedatabase.Ifthereareanyunsavedchanges,youcansavethembyclickingtheSavebuttonthatappears.Iftherearenounsavedchanges,thedatabasewillcloseimmediately.

7.5 Checking which database is open

TheFilemenu-Projectinformationcommandwillshowthefilenameofthecurrentlyopendatabase,ifany.

7.6 Fetching a component from the database

ComponentsfromthedatabasecanbeinsertedasnewcomponentsintoaSIF.First,navigatetotheSIFthatwillreceivethenewcomponent.Gotoanexistinglegorcomponent,ortothelogicsolversubsystem.Navigatehere… Toinsertthenewcomponenthere…Alegwithinthesensororfinalelementsubsystem

Intheleg,beforeanyexistingcomponents

Anexistingcomponent ImmediatelyaftertheselectedcomponentThelogicsolversubsystem Inthesubsystem,beforeanyexisting

components

IntheDatabasemenu,select“Getcomponentfromdatabase”.

Youcannowselectacomponentfromthedatabase,filteringoncategoryifdesired.Selectthedatabasenameofthecomponentinthe“Componentname”dropdownbox.Theparametervaluesstoredinthedatabaseareshowninthedataentrypanel(inthemiddleofthescreen).ClickApplytotransfertheparametervaluestothecomponentintheproject.Thiswilllockthecomponenttothedatabase,sothatyoucan’tmakefurtherchangesuntilyouset‘Overridedatabasevalues’tochecked.

YoucanuseUndotoreversethisactionifneeded.

Thefollowingparametersintheprojectcomponentstillneedtobedefinedmanually,astheyareapplication-specific.Seechapter6foranexplanationoftheseparameters.

• Tripdirection/action• Architecture• Diagnosticsarefrequentenough


38

7.7 Locked and unlocked components

Whenacomponent’sparametersarefetchedfromadatabase,theprojectcomponentislockedtothecorrespondingdatabasecomponent.Thisistopreventinadvertentchangestotheprojectdata.Thecomponent’s‘locked’statusisshownbythewords“(lockedtodatabase)”inthedataentrypanel.

Ifyoutrytochangeadatabase-relatedparameterinalockedcomponent,thechangeisrejectedandthe‘Overridedatabasevalues’checkboxishighlightedasareminder.

Ifyouwishtochangedatabase-relatedparameters(aslistedinsection7.2),youneedtounlockthecomponentbycheckingitsOverridedatabasevaluescheckbox.Thecomponent’sstatuswillbeshownas“(fromdatabase,overridden)”.

Tolockthecomponentagain,uncheckOverridedatabasevalues.Thiswillrevertallthecomponent’sdatabase-relatedparameterstothevaluesstoredinthedatabase.

AlltheseactionscanbereversedwithUndoifneeded.

7.8 Discrepancy handling

Whenyouopenadatabase,orwriteacomponentintothedatabase,SILabilitychecksforanydiscrepanciesbetweenthedatabaseandtheproject.Forexample,ifboththedatabaseandtheprojectcontainacomponentwhoseequipmentis‘BrandXpressuretransmitterPT-100MkII’andtheyhavedifferentlvalues,thiscountsasadiscrepancy.

Discrepanciesmustberesolvedbeforeyoucanproceedwiththeproject.Alternatively,ifyouwereopeningadatabase,youcanabandonthedatabaseopeningbyclicking‘Canceldatabaseopening’intheresultpanelatthebottomrightofthescreen.

Discrepanciesareshownintheresultpanel.Foreachdiscrepancy,youcanresolveitbyselectinganactionfromthe<Chooseaction>dropdownbox:

• Ignoredatabase:thiswillkeepthevaluesinthedatabaseandprojectunchanged,andsetthe‘Overridedatabasevalues’checkboxoftheaffectedcomponenttoYes.

• Usedatabasevalue:thiswilltransfertheparametervaluefromthedatabasetotheprojectcomponent.Usethisoptionifyoutrustthedatabase.

• Makecomponentstandalone:thisbreaksthelinkbetweenthedatabasecomponentandtheprojectcomponent.Intheprojectcomponent,the‘Nameindatabase’parameteriscleared.

• Overwritedatabasevalue:thistransferstheparametervaluefromtheprojectcomponenttothedatabase.Ifthesamecomponentisusedelsewhereintheprojectorinotherprojects,thismaycausenewdiscrepanciestoappear.


39

The‘Showintree’buttonnexttoeachdiscrepancynavigatesthetree(leftsideofscreen)totheaffectedcomponentintheproject,allowingyoutoseetheaffectedSIF.

Allactionstakentoresolvediscrepancieswillberevertedifyouclick‘Canceldatabaseopening.’Also,youcanrevertalltheactionsindividually,aswellasre-closingthedatabase,usingtheUndofunction.

7.9 PLCs in the database

ThiswillbeimplementedinafutureversionofSILability.

8. CHAPTER 8 - THE SIL VERIFICATION CALCULATION 8.1 Introduction

ThischapterprovidesabriefdescriptionofthecalculationsperformedbySILability,andexplainsthemeaningofthecalculationresults.Iftheinputdataisincompleteoroutofrange,SILabilitywillraiseaproblemmessageandwillnotexecutetheaffectedpartofthecalculation.Problemmessagesyoumayencounter,theirmeanings,andhowtoresolvethem,arealsocoveredinthischapter.

Asexplainedinchapter1,useofSILabilityassumesknowledgeoffunctionalsafetyengineeringandtheapplicablestandards,inparticularIEC61508andIEC61511.Ifanyconceptsortermsusedinthischapterareunfamiliartoyou,pleaserefertothestandardsorotherresourcesorcontactxSeriConforfurtherassistanceandtraining.SomesuggestedfurtherreadingislistedinAppendixGofthisuserguide.

8.2 Methodology

FailuremeasuresarecalculatedintermsofProbabilityofFailureonDemandoftheSIF,averagedoverthelifetimeoftheSIF(PFDavg),forSIFsinlowdemandmode.TheresultisdisplayedasaRiskReductionFactor(RRF),whichissimply1/PFDavg.IftheSIFisinhighdemandorcontinuousmode,thefailuremeasureistheSIF’sProbabilityofFailureperHour(PFH).

SILabilityusesa‘simplifiedequations’approachtocalculatingthefailuremeasures.Forlowdemandmode,thetime-dependentprobabilityoffailureiscalculatedforeachelementoftheSIF,withasamplingintervalof3months(ortheshortesttestintervalused,whicheverisless),andcompoundedtogetherpriortotime-averaging.Thecalculationtakesintoaccounttheunavailabilityofeachdeviceduetoprooftesting,restorationafterdiscoveryofafaultbyprooftesting,andrestorationafterdiscoveryofafaultbydiagnostics.Acarefullyselectedsetofassumptionsismade,aslistedinAppendixB.


40

ThecalculationgeneratesthefollowingoutputsforeachSIF,ifsufficientdatahasbeeninput:

8.2.1 SIF level

Parameter NotesSILachieved ThemaximumSILachievedbytheSIFasawhole,taking

PFDavg/PFHandarchitecturalconstraints(AC)intoaccountPFDavg/PFH ThePFDavgorPFH(dependingontheoperatingmode)

achievedbytheSIFasawholeFailureratetargetmet Aboolean(yesorno)valueindicatingwhethertheSIFhas

metitsPFDavg/PFHtargetRiskReductionFactor Theriskreductionfactor(RRF)achievedbytheSIFasa

whole,ifinlowdemandmodeMaximumSIL(failurerate) TheSILachievedbytheSIFasawhole,takingintoaccount

PFDavg/PFHonlyArchitecturalconstraintstargetmet

Aboolean(yesorno)valueindicatingwhethertheSIFhasmetitsACtarget,unlesstheACmodelissetto‘Waived’

MaximumSIL(architecturalconstraints)

TheSILachievedbytheSIFasawhole,takingintoaccountarchitecturalconstraintsonly(unlesstheACmodelissetto‘Waived’)

PFDavg/PFHcontributionsfromeachsubsystem

ThepercentagecontributiontotheoverallPFDavg/PFHoftheSIFfromeachsubsystem

MTTFS(Spurioustrip) ThemeantimetofailspuriousoftheSIFasawhole.Thisisthepredictedmeantimebetweenspurioustripscausedbyrandomhardwarefailures.Ifallapplicablelvaluesaresettozero,thismaybereportedas∞.

8.2.2 Subsystem level

Parameter NotesMaximumSILachievedbysubsystem

ThenotionalSILachievedbythesubsystem,takingintoaccountPFDavg/PFHandAC(unlesstheACmodelissetto‘Waived’)

MaximumSIL(failurerate) ThenotionalSILachievedbythesubsystem,takingintoaccountPFDavg/PFHonly


41

Parameter NotesMaximumSIL(architecturalconstraints)

ThenotionalSILachievedbythesubsystem,takingintoaccountAConly(unlesstheACmodelissetto‘Waived’)

PFDavg/PFH ThePFDavg/PFHofthesubsystemHFT Thehardwarefaulttoleranceofthesubsystem(notshown

forlogicsolver,asitcanbededuceddirectlyfromtheMooNarchitectureofthelogicsolver)

MTTFS Themeantimetofailspuriousofthesubsystem.Thisisthepredictedmeantimebetweenspurioustripscausedbyrandomhardwarefailures.Ifallapplicablelvaluesaresettozero,thismaybereportedas∞.

PFDavg/PFHcontributionspergroup/component

ThepercentagecontributiontotheoverallPFDavg/PFHofthesubsystemfromeachgrouporcomponentinthesubsystem.Notshownforcertainarchitectures,ifthegroup/componentPFDavg/PFHisnotdirectlyrelatedtothesubsystemPFDavg/PFH.

8.2.3 Group level

Parameter NotesPFDavg/PFH ThePFDavg/PFHofthegroupMTTFS Themeantimetofailspuriousofthegroup.Thisisthe

predictedmeantimebetweenspurioustripscausedbyrandomhardwarefailures.Ifallapplicablelvaluesaresettozero,thismaybereportedas∞.

PFDavg/PFHcontributionsperleg

ThepercentagecontributiontotheoverallPFDavg/PFHofthesubsystemfromeachleginthegroup.Notshownforcertainarchitectures,iftheleg'sPFDavg/PFHisnotdirectlyrelatedtothesubsystemPFDavg/PFH.

8.2.4 Leg level

Parameter NotesPFDavg/PFH ThePFDavg/PFHoftheleg


42

Parameter NotesSafefailurefraction(SFF) Theratioofthesafefailureratetothetotalfailurerateof

theleg,excludingresidual(‘noeffect’)failures.CalculatedaccordingtothemethodgiveninIEC61508:2010-2.

PFDavg/PFHcontributionspercomponent

ThepercentagecontributiontotheoverallPFDavg/PFHofthesubsystemfromeachcomponent(orredundantpairofcomponents,ifthecomponent’sarchitectureissetto1oo2)intheleg.

8.2.5 Component level

Parameter NotesPFDavg/PFH ThePFDavg/PFHofthecomponent(orredundantpairof

components,ifthecomponent’sarchitectureissetto1oo2).Safefailurefraction(SFF) Theratioofthesafefailureratetothetotalfailurerateof

thecomponent,excludingresidual(‘noeffect’)failures.CalculatedaccordingtothemethodgiveninIEC61508:2010-2.

ThedisplayedSFFreferstoasingleinstanceofthecomponent,evenifthecomponent’sarchitectureissetto1oo2.Thus,itcanbeusedasacross-checkagainstanypublishedSFFinthesourceyougotthefailureratedatafrom.

8.3 Data checks performed before calculation

SILabilitycalculatesallthevalueslistedabove,everytimeyouchangetheinputdataorsettingsforaSIF.Thisisdoneautomaticallyandthereisnoneedtorequestarecalculation.SILabilitynevershowsyouinvalidorout-of-dateresults.

Beforecalculating,SILabilitychecksthattheinputdataiscompleteandthatallvaluesaresuitable.Ifanyofthedataisincompleteorunsuitable,partorallofthecalculationmaynotbeperformed.Whenthisoccurs,SILabilitydisplaysproblemmessagesinsteadoftheresults.TheproblemmessagesyouseearerelevanttotheportionoftheSIFcurrentlyselectedinthetreeview(leftsideofthescreen).Forinstance,ifthesensorsubsystem(oranygroup,


43

legorcomponentinthesensorsubsystem)isselected,youwillseeproblemmessagesrelatingtothesensorsubsystemonly.

Nexttoeachproblemmessageisa‘Showme’button.Thisprovidesashortcuttothedataparameterthatiscausingtheproblem.Forexample,ifal(failurerate)valueisoutofrange,the‘Showme’buttonwillmakethedataentrypaneljumptothecomponentcontainingthatvalue,andthevaluewillbehighlighted.

Thedatachecksareintendedtoensurethatthecalculationcanproduceameaningfulresult.Theydonotcheckthatthedataisconsistentorwithinnormalranges.Aseparatefunctionisprovidedforthis:seeChapter9.

Inthespreadsheetoutput(describedinChapter8),anyvaluesthatcannotbecalculatedareleftblank.

Hereisacompletelistoftheproblemmessagesyoumaysee,inalphabeticalorder.

8.3.1 Data problem messages

Message Explanation Possiblesolutions

AllcomponentACtypesmustbeidenticalwhenusingthisgroup/subsystemarchitecture

Forsensorandfinalelementsubsystems,ifyouselect2oo3or2oo4grouparchitecture,alllegsandcomponentswithinthatarchitecturemustbeidentical(thisisaSILabilityrestriction).

Adjusttheparametersofcomponentswithintheaffectedgrouporsubsystem,toensuretheyareidentical.

Betavaluesmustbeidenticalacrossallcomponentswhenusingthisgroup/subsystemarchitecture

Referto“AllcomponentACtypesmustbeidenticalwhenusingthisgroup/subsystemarchitecture”.


44


‘Detectsafefailuresinsensors’checkboxinlogicsolversubsystemisundefined

Ifthesensorsubsystemhasanysafedetectablefailuremodes,SILabilityneedstoknowwhetherthelogicsolvercandetectthem.

• Ifyouarenotsure,setthelogicsolver’s“Detectsafefailures”checkboxtounchecked.or

• Makesurethelogicsolver's“Programmable”checkboxissetcorrectly.(Ifthelogicsolverisnotprogrammable,SILabilityassumesitcannotdetectsafefailures,sothere’snoneedtodefinethe“Detectsafefailures”checkbox.)

‘Diagnosticsarefrequentenough’checkboxmustbedefinedwhenusingRoute1HACmodelinhighdemandorcontinuousmode

TheIEC61508:2010ACRoute1Hmodelneedstoknowwhetheranydiagnosticsforeachcomponentarefrequentenoughtofindfailuresbeforeademandoccurs(seeChapter6fordetails).

• Ifyoudon’tknowthestatusofanycomponent,set“Diagnosticsarefrequentenough”tounchecked.or

• ChecktheSIFoperatingmode.or

• ChangetoadifferentACmodel(atSIFlevel).

Eachlegmusthavethesamenumberofcomponentswhenusingthisgroup/subsystemarchitecture


FVL/LVLlegsmusthaveDC≥0.6inIEC61511:2016ACmodel

InIEC61511:2016clause11.4.8,thereisarequirementthatallFVL/LVLelementshavediagnosticcoverage≥0.6.ThismessagemeansthatSILabilityhascalculatedtheDCofalegcontainingoneormoreFVL/LVLcomponent(s)as<0.6.(AcomponentisconsideredtobeFVL/LVLifitistypeBandits‘Parameteradjustmentislimited’checkboxisnotchecked.)

Checkthecomponentlvaluesinthelegarecorrect.

CheckthatthecomponentACtype(AorB)and‘Parameteradjustmentislimited’checkboxaresetcorrectlyforallcomponentsintheleg.

UseadifferentACmodel(atSIFlevel).


45


Groupbcan'tbegreaterthancomponentb

Inagroup,SILabilityassumesthatcommoncausefailurebetweenidenticalcomponentsismorelikelythanbetweenlegs,ascomponentshaverelativelymorecommonfailuremodes.Therefore,thebofthegroupshouldnotbegreaterthanthebofanycomponentinthegroup.

Increasecomponentb,orreducegroupb.Ifyouseethismessageunexpectedly,youmayhavesetmismatchedunitsforb(absolutevalue,suchas0.1,orpercentage,suchas10%).

Grouparchitecturemustbeselected

IneachgroupthatisincludedintheSIF,youmustspecifythearchitecturetobeusedinthecalculation.

SetthearchitecturetoanyvalueMooNwhereNisthenumberoflegsinthegroup.

Grouparchitecturesmustbeidenticalwhenusingthissubsystemarchitecture


Lambdavaluesmustbeidenticalacrossallcomponentswhenusingthisgroup/subsystemarchitecture


Logicsolverbcan’tbegreaterthancomponentb

Inalogicsolver,SILabilityassumesthatcommoncausefailurebetweenidenticalcomponentsismorelikelythanbetween“channels”(redundantprocessingpathways),ascomponentshaverelativelymorecommonfailuremodes.Therefore,thebofthesubsystemlogicsolvershouldnotbegreaterthanthebofanycomponentinthelogicsolver.

Increasecomponentb,orreducelogicsolverb.Ifyouseethismessageunexpectedly,youmayhavesetmismatchedunitsforb(absolutevalue,suchas0.1,orpercentage,suchas10%).

Logicsolverarchitecturemustbeselected

Inthelogicsolver,youmustspecifythearchitecturetobeusedinthecalculation.

SetthearchitecturetoanyvalueMooNwhereNisthenumberofprocessingchannelsinthelogicsolver.


46


‘MTTRincludesdiagnostics’mustbedefinedwhenusingIEC61508:2010Route1H

TheIEC61508:2010ACRoute1HmodelneedstoknowwhethertheMTTRvalueincludesanallowanceforthediagnostictestinterval(seeChapter6fordetails).

• Ifyouarenotsure,setthegroup’sorlogicsolver’s“MTTRincludesdiagnostics”checkboxtounchecked.or


Nocomponentsdefined(needatleast1)

Eachleg,andthelogicsolversubsystem,mustcontainatleastonecomponent.

Inaleg:createandpopulateacomponentintheleg,ordeletetheleg.

Inthelogicsolversubsystem:createandpopulateacomponent,orswitchoffthelogicsolverbyunchecking“IncludelogicsolverinSIF”.

Nogroupsdefined(needatleast1)

Thesensorandfinalelementsubsystemsmustcontainatleastonegroup(orsub-SIF)each.

• Createagroupinthesubsystemandpopulateitwithatleastonelegandonecomponent.or

• Populatethesubsystemwithasub-SIF.or

• Switchoffthesubsystembyunchecking“IncludethissubsysteminSIF”.

Nolegsdefined(needatleast1)

Eachgroupmustcontainatleastoneleg.

• Createaleginthegroupandpopulateitwithatleastonecomponent.or

• Youmighthaveaccidentallycreatedanemptygroup.Ifso,deletetheunwantedgroupandadjustthesubsystemarchitecturetomatchtheremaininggroups.


47


ParameterAdjustmentcheckboxmustbedefinedwhenusingIEC61511:2003ACmodel

TheIEC61511:2003ACmodelneedstoknowwhethereachcomponenthasrestrictedparameteradjustmentcapability.

• Ifyoudon’tknowthestatusofanycomponent,set“Parameteradjustmentislimited”tounchecked.or


PIUcheckboxmustbedefinedwhenusingIEC61511:2003ACmodel

TheIEC61511:2003ACmodelneedstoknowwhethereachcomponentis“proveninuse”(PIU).

• Ifyoudon’tknowthePIUstatusofanycomponent,setittounchecked.or


‘Programmable’checkboxinlogicsolversubsystemisundefined

SILabilityneedstoknowwhetherthelogicsolverisprogrammable(i.e.whetheritisaPLC,ratherthanafixedlogicsolversuchasarelayassembly).

Setthelogicsolver’s“Programmable”checkbox.IfthelogicsolverisaPLC,setittochecked.

ProgrammablelogicsolvermusthaveDC≥0.6inRoute2HACmodel

InIEC61508ACroute2H,thereisarequirementthatalltypeBelementshavediagnosticcoverage≥0.6.ThismessagemeansthatSILabilityhascalculatedtheDCofthelogicsolveras<0.6.

• Checkthecomponentlvaluesinthelogicsolverarecorrect.or

• Checkthatthe“Programmable”checkboxofthelogicsolverissetcorrectly.or

• UseadifferentACmodel(atSIFlevel).

ProgrammablelogicsolvermusthaveDC≥0.6inIEC61511:2016ACmodel

Sameasabove,forIEC61511:2016ACmodel.

‘Programmable’mustbedefined

Thelogicsolverneedstobedefinedasprogrammableornon-programmable.ThisinformationisusedintheACcalculation.

Setthe‘Programmable’checkboxtocheckedorunchecked.IfyouareusingaPLC,youcansetthecheckboxtochecked.


48


Prooftestcoveragecan’tbelessthandiagnosticcoverage

Prooftestingshouldbeabletorevealahigherfractionoffailuremodesthandiagnostics.(Ifthiswerenottrue,therewouldbenopointinperformingprooftesting.)Therefore,eachcomponent’sprooftestcoveragevalueshouldbehigherthanthediagnosticcoveragecalculatedbySILability.

Thisproblemcouldbecausedby:

• Averyhighdiagnosticcoverageduetoincorrectlvaluesor

• Alowprooftestcoveragevalueor

• Alowprooftestsuccessratevaluedefinedatgrouplevel

Prooftestcoveragevaluesmustbeidenticalacrossallcomponentswhenusingthisgroup/subsystemarchitecture


PVSTcoveragecan’tbelessthandiagnosticcoverage

Partialvalvestroketestingshouldbeabletorevealahigherfractionoffailuremodesthanautomaticdiagnostics.(Ifthiswerenottrue,therewouldbenopointinperformingstroketesting.)Therefore,eachcomponent’sPVSTcoveragevalueshouldbehigherthanthediagnosticcoveragecalculatedbySILability.


• Averyhighdiagnosticcoverageduetoincorrectlvaluesor

• AlowPVSTcoveragevalueor

• AlowPVSTsuccessratevaluedefinedatgrouplevelor

• ‘UsePVST’checkboxinthelegsettoCheckedwhenPVSTisnotrequired


49


PVSTcoveragecan'tbelessthanprooftestcoverage

ProoftestingshouldbeabletorevealahigherfractionoffailuremodesthanPVST.(Ifthiswerenottrue,therewouldbenopointinperformingprooftesting.)Therefore,eachcomponent’sprooftestcoveragevalueshouldbehigherthanitsPVSTcoveragevalue.


• AhighPVSTsuccessratevaluedefinedatgrouplevelor

• Alowprooftestsuccessratevaluedefinedatgrouplevel

IfyouintendtouseonlyPVSTandnotprooftest,youcansetthegroup’sprooftestintervalequaltothemissiontimeandtheprooftestdurationto0.Thiswillmeanthatprooftestinghasnoeffectinthecalculation,soyoucansetprooftestcoveragetoanarbitraryvalueof100%.

PVSTcoveragevalueneeded(oryoucanswitchoffPVSTintheleg)

Inafinalelementcomponent,youmustsupplyaPVSTcoveragevalueifyouswitchedonPVSTatleglevel.

• SupplyaPVSTcoveragevalue.or

• Unselect“UsePVST”inthelegcontainingthecomponent.

PVSTCoveragevaluesmustbeidenticalacrossallcomponentswhenusingthisgroup/subsystemarchitecture


‘ReduceHFTrequirement’mustbedefinedwhenusingRoute2H

IfyouselectedtheIEC61508:2010Route2HACmodel,SILabilityneedstoknowwhetheryouwishtoinvokeclause7.4.4.3.2ofpart2ofthestandard,toreducetheHFTrequirementofeachsubsystem.SimilarlyforIEC61511:2016ACmodel.

• Ifyouarenotsure,set“ReduceHFTrequirement”tounchecked.or



50


‘SafefailuresrepairedwithinMTTR’checkboxmustbedefinedwhenusingthisarchitecture

Inagrouporlogicsolver,iftheMooNarchitecturehasM>1,SILabilityneedstoknowifanyundetectedsafefailureswillbenoticedandrepairedwithintheMTTR.

Ifyouarenotsure,setthegroup’s(orlogicsolver’s)“SafefailuresrepairedwithinMTTR”checkboxtounchecked.(SeeChapter6formoredetails.)

‘SafefailuresrepairedwithinMTTR’mustbeidenticalwhenusingthissubsystemarchitecture

Ifyouselect2oo3or2oo4architectureforasensororfinalelementsubsystem,allgroupswithinthatsubsystemmustbeidentical(thisisaSILabilityrestriction).

Ifyouarenotsure,setallthegroup’s“SafefailuresrepairedwithinMTTR”checkboxestounchecked.(SeeChapter6formoredetails.)

Selectedarchitecturecan’tbeused

YouselectedanarchitecturethatSILabilitycan’tcalculate.

Assignadifferentarchitectureintheaffectedelement.

Selectedarchitecturedoesn’tmatchnumberofgroupsdefined

Inasubsystem,theMooNarchitecturemustmatchthenumberofgroupsplussub-SIFs(N).

SelectanarchitectureMooNwhereNisthesameasthenumberofgroupsplussub-SIFs.

Youmayhaveaccidentallyaddedanextraemptygrouptothesubsystem.Ifthesubsystemcontainsemptyorunneededgroups,deletethem.

Selectedarchitecturedoesn’tmatchnumberoflegsdefined

Inagroup,theMooNarchitecturemustmatchthenumberoflegs(N).

SelectanarchitectureMooNwhereNisthesameasthenumberoflegs.

Youmayhaveaccidentallyaddedanextraemptylegtothegroup.Ifthegroupcontainsemptyorunneededlegs,deletethem.


51


Subsystembcan'tbegreaterthangroupb

Inasubsystem,SILabilityassumesthatcommoncausefailurebetweenlegswithinagroupismorelikelythanbetweengroups,aslegswillgenerallyhaverelativelymorecommonfailuremodes.Therefore,thebofthesubsystemshouldnotbegreaterthanthebofanygroupinthesubsystem.

Increasegroupb,orreducesubsystemb.Ifyouseethismessageunexpectedly,youmayhavesetmismatchedunitsforb(absolutevalue,suchas0.1,orpercentage,suchas10%).

Subsystemarchitecturemustbeselected

IneachsubsystemthatisincludedintheSIF,youmustspecifythearchitecturetobeusedinthecalculation.

SetthearchitecturetoanyvalueMooNwhereNisthenumberofgroupsplussub-SIFsinthesubsystem.

TypeBlegsmusthaveDC≥0.6inRoute2HACmodel

InIEC61508ACroute2H,thereisarequirementthatalltypeBelementshavediagnosticcoverage≥0.6.ThismessagemeansthatSILabilityhascalculatedtheDCofalegcontainingoneormoretypeBcomponent(s)as<0.6.

Checkthecomponentlvaluesinthelegarecorrect.

CheckthatthecomponentACtype(AorB)issetcorrectlyforallcomponentsintheleg.

UseadifferentACmodel(thisissetatSIFlevel).

Uselhigh/lowcheckboxmustbedefinedwhenleg’stripdirection/actionisdefined

Ifyousetthetripaction/directionofalegtoanyvalueotherthan“Undefined”,youneedtotellSILabilitywhetheryouwanttouselhigh/low/freezevaluesratherthanlTotalvaluesforthecomponentsintheleg.

• Setthe“Uselhigh/low”checkboxtoeithercheckedoruncheckedor

• Settheleg’s“Tripaction”to“Undefined”.ThiswillmakeSILabilityuselTotalvaluesforthecomponentsintheleg.

‘UsePVST’checkboxmustbedefined

Ineveryfinalelementleg,youmustspecifywhethertousePVST.

Ifyouarenotsure,settheleg’s“UsePVST”checkboxtounchecked.


52


Valueisoutsideacceptablerange

Anumericalvalueisoutsidetheallowablerange.

Ifthevalueseemstobecorrect,checkthatyouhaveselectedtheappropriateunit.Forexample,youmayhaveselectedhr-1insteadofFITforalvalue.(Youcanentervaluesinanyunit;SILabilityautomaticallyconvertsthevaluestotheunitsrequiredforcalculation.)

Valueisundefined

Arequirednumericalparameterhasnotbeenassignedanyvalue.Itwillbeshownas“Notset”inthedataentrypanel.

Thismayoccurif:• Youlefta‘dead’element

(e.g.component)intheSIFthatyoudon’tintendtouse.DeletetheelementandchangetheSIFarchitecturetomatch(egfrom1oo3to1oo2).or

• SILabilityislookingforavaluethatyoudidn’trealisewasrequired.Forexample,ifyouselect“Uselhigh/low”inacomponent,youneedtosupplyvaluesforlD/UHigh/Low.Unselectthe“Uselhigh/low”checkboxtoremovethisrequirement.

Valuesmustbeidenticalbetweengroupswhenusingthissubsystemarchitecture


lhigh/low/-freezevaluesneeded

Inacomponent,ifyouselect“Uselhigh/low”andset“Tripaction”toanyvalueotherthan“Undefined”,youneedtosupplyvaluesforlD/UHigh,LowandFreeze.

Removethisrequirementby:• unselectingthe“Usel

high/low”checkbox;or• setting“Tripaction”to

“Undefined”


53


lDD/DU/SD/SUTotalvaluesneeded

Inacomponent,ifyoudeselect“Uselhigh/low”orset“Tripaction”to“Undefined”,youneedtosupplyvaluesforlDD,DU,SDandSUTotal.

IfyoudonothavevaluesforlDDorlSD(becausethecomponenthasnodiagnostics),setthesevaluestozero.

Ifyouwanttouselhigh/lowvaluesinstead,selectthe“Uselhigh/low”checkbox,andset“Tripaction”toanyvalueotherthan“Undefined”.

9. CHAPTER 9 - OUTPUT TO SPREADSHEET 9.1 Introduction

WhenyouhavecompletedaSILverificationtask,it’slikelyyouwillneedtoproduceareport.SILabilitysupportsthisbyprovidinganexportfunctiontospreadsheet.ThisgeneratesanicelyformattedspreadsheetinMicrosoftExcelformat(.xlsx)containingalltheinputdataandcalculationresults.YoucaneasilypastethespreadsheetcontentsintoawordprocessorasanappendixtoyourSILverificationreport.ThespreadsheetcolumnwidthsarepresettosuitatypicalA4portraitlayoutinyourreport.

9.2 How to generate the spreadsheet report

IntheFilemenu,select“MakeExcelreport”.Thedataentrypanel(toprightofthescreen)showsoptionsrelatingtothereportasfollows:

• Filename:Enterthefullfilenameforthespreadsheetdocumenttobecreated.• “Select”button:Thisopensastandardfilenameentrydialogue.Thefilenameyou

selectinthedialoguewillbeautomaticallyinsertedintothe“Filename”field.• “Overwriteexistingfile”checkbox:ifafilealreadyexistswiththefilenamespecified,

itwillonlybeoverwrittenifyoucheckthischeckbox.• “AllSIFsinoneworksheet”/“SeparateworksheetperSIF”checkboxes:Selectthe

reportstyleyourequire:eithertheentireprojectinoneworksheet,oraseparateworksheet(inthesamespreadsheetfile)perSIF(plusonesheetforprojectinformation).

• “Rundatachecks”button:ThisbuttonrunsthedataconsistencychecksdescribedinChapter9.Youdon’thavetorunthechecksbeforeproducingthereport,butit’shighlyrecommended.

• “Exit”button:Cancelsthereportingoperationandreturnstothenormaldataentrydisplay.


54

• “Go”button:Producesthereport.

9.3 What the spreadsheet report contains 9.3.1 Input data

Allinputdataprovidedbytheuserisshowninthereport.Thisincludestheproject's“editnumber”,which,asexplainedinChapter3,isincrementedeverytimethedataischanged.Thisallowsyoutoconfirmthatthedatausedtogeneratethereportisexactlythesameasthedatainthelatestversionoftheprojectfile.

Anyundefined(“Notset”)numericalvaluesareshownas<Undefined>.AnyundefinedcheckboxvaluesareshownasUndefined.

Someinputdatafieldsareremovedfromthereportiftheyarenotrelevant.Forexample,inanysystemwith1oo1architecture,theβ(commoncause)factorisnotapplicableandsoitisnotshown.

Allcommentsenteredbytheuserareshownatthebottomofeachsectionofthereport.Commentsarenumbered,andthecorrespondingnumbersareshowninsquarebracketsnexttothecorrespondingdataitem,likethis:[12]indicatestherearetwocomments,no.1andno.2.Identicalcommentswithineachsectionareassignedthesamenumbertoavoidrepetition.(Commentsattachedtoundefinedbooleanparametersareomittedfromthereport.)

ThetotalnumberofSIFsintheprojectisdisplayedwithintheprojectoverviewsection,excludinganySIFswhichareusedassub-SIFs.

9.3.2 Outputs (Calculation results)

Allcalculatedresultsareshownintherelevantsections.Ifanycalculationscouldnotbeperformed(asexplainedinChapter7),theresultsareleftblank.

10. CHAPTER 10 - SPECIAL TOOLS AND TIPS 10.1 Data checks

ThetaskofSILverificationrequiresahugenumberofinputdataitems,derivedfrommanydifferentsources.Nomatterhowcarefullythedataisentered,itiseasytomakeamistakewhileenteringdata,ortoforgetthatachangetothedatainoneSIFmayneedtobemirroredinanotherSIF.

Tohelpthefunctionalsafetyengineerworktowardsanerror-freeSILverification,SILabilityprovidesapowerfuldatachecktool.Thisrunsanarrayofconsistencychecksontheentiredatasetwithinaproject,andreportsanyanomaliesfound.


55

YoucanrunthedatachecksbyselectingtheToolsmenuandclickingDatachecks,orbypressingthe“Datacheck”buttoninthespreadsheetoutputsetupscreen(seeChapter8).

Anomaliesfoundwillbereportedintheresultpanelatthebottomrightofthescreen.Alltheanomaliesintheentireprojectwillbeshownatonce,notjusttheanomaliesrelatingtothecurrentlyselectedSIFandelement(inthetreeview).Ifseveralanomaliesarefound,youmayneedtousethescrollbartoviewthecompletelist.Eachitemreportedhasa“Showme”buttonthatnavigatestotheaffecteddataitem,justliketheproblemreportdescribedinChapter7.

Checksonspecificdataitemsareskippedifthedataitemsarenotneededinthecalculation.

Pleasenote,evenifanomaliesarefound,SILabilitywillstillattempttoperformthecalculations.Youarestronglyadvisedtorunthechecksimmediatelybeforeproducingthespreadsheetoutput.Itiswisetorunthechecksatothertimesaswell,asyouprogressthroughtheproject,tohelpyoucatchanydataentryproblemsasearlyaspossible.

AcompletelistofdatachecksperformedbySILabilityisshownbelow.DetailsofthemeaningofeachdataitemaregiveninChapter6.

10.1.1 SIF level

• ACmodel:ConsistentforallSIFsacrosstheproject• PFD/RRFtarget:Theuser'schoiceofwhethertoprovideaPFDavgtargetoranRRF

targetisconsistentforallSIFsacrosstheproject• ACmodel:NotusingACmodelIEC61511:2003incombinationwithhighdemand

operatingmode.HighdemandmodeisdefinedonlyinIEC61508andinIEC61511:2016,notinIEC61511:2003,sothiswouldmeanthattheuserisapplyinginconsistentstandards.

10.1.2 Component level

• Prooftestcoverage:Notlessthandiagnosticcoverageforthecomponent• Prooftestcoverage:Consistentacrosssimilarcomponentsacrosstheproject• PVSTcoverage:Notmorethanprooftestcoverageforthecomponent• PVSTcoverage:Consistentacrosssimilarcomponentsacrosstheproject• bfactor:Intherange2~10%• lvalues:Intherange0~10000FIT• lvalues:Consistentacrosssimilarcomponentsacrosstheproject• Proveninuse(checkbox):Consistentacrosssimilarcomponentsacrosstheproject• Uselhigh/low(checkbox):Consistentforcomponentswiththesamelvalues• Diagnosticsarefrequentenough(checkbox):Consistentforcomponentswiththe

samelvalues• Parameteradjustmentislimited(checkbox):Consistentforcomponentswiththe

samelvalues


56

10.1.3 Leg level

• UsePVST:Consistentacrosssimilarlegsacrosstheproject

10.1.4 Group level

• Prooftestinterval:NotlessthanPVSTintervalforthegroup• Prooftestinterval:Notmorethanmissiontimeforthegroup• Prooftestsuccessrate:Intherange80~100%• Prooftestsuccessrate:Consistentforsimilargroupsacrosstheproject• Missiontime:Intherange5~20years• Missiontime:Consistentforsimilargroupsacrosstheproject• MTTR:Intherange1hour~6months• MTTR:Consistentforsimilargroupsacrosstheproject• PVSTinterval:Atleast0.1month• PVSTinterval:Notmorethanprooftestintervalforthegroup• PVSTinterval:Consistentforsimilargroupsacrosstheproject• PVSTsuccessrate:Intherange80~100%• PVSTsuccessrate:Consistentforsimilargroupsacrosstheproject• bfactor:Intherange2~10%• bfactor:Consistentforsimilargroupsacrosstheproject• MTTRincludesdiagnosticstime(checkbox):Consistentforsimilargroupsacrossthe

project• SafefailuresrepairedwithinMTTR(checkbox):Consistentforsimilargroupsacross

theproject

10.1.5 Sensor and final element subsystem level

• ReduceHFTrequirement(checkbox):Consistentforsimilarsubsystemsacrosstheproject

10.1.6 Logic solver subsystem level

• Detectsafefailuresinsensors(checkbox):Consistentforsimilarlogicsolversacrosstheproject

• Programmable(checkbox):Consistentforsimilarlogicsolversacrosstheproject• Tripaction(choicebox):Consistentforsimilarlogicsolversacrosstheproject• MTTRincludesdiagnosticstime(choicebox):Consistentforsimilarlogicsolvers

acrosstheproject• SafefailuresrepairedwithinMTTR(checkbox):Consistentforsimilarlogicsolvers

acrosstheproject• Prooftestinterval:Notmorethanmissiontimeforthesubsystem


57

• Prooftestsuccessrate:Intherange80~100%• Prooftestsuccessrate:Consistentforsimilarlogicsolversacrosstheproject• Missiontime:Intherange5~20years• Missiontime:Consistentforsimilarlogicsolversacrosstheproject• MTTR:Intherange1hour~6months• MTTR:Consistentforsimilarlogicsolversacrosstheproject• bfactor:Intherange2~10%• bfactor:Consistentforsimilarlogicsolversacrosstheproject• ReduceHFTrequirement(checkbox):Consistentforsimilarlogicsolversacrossthe

project

10.2 SIL verification modelling tips 10.2.1 Modelling SIFs with no sensor components

Sometimes,theactionofoneSIFmaydirectlyplacedemandonanotherSIF,inordertopreventasecondaryconsequencearisingasaresultofthefirstSIFtripping.Forexample,ifacentrifugalpumpistrippedbyaSIF,itmaybenecessarytoclosethepump’soutletvalvetopreventbackflowthroughthepump.

Inthissituation,thesecondSIFisknownasasecondarySIFandshouldbemodelledwithnosensorcomponents,asitistriggereddirectlybythefirstSIFviaasoftwaresignalinthelogicsolver.ThiscanbedonebyexcludingthesensorsubsystemfromtheSIF(uncheckthe‘IncludethissubsysteminSIF’checkboxinthesensor’sdataentrypanel).

Alternatively,youcanmodelitasasensorsubsystemwithnosensorcomponents.SinceSILabilityrequiresyoutohaveatleastonecomponentineachincludedsubsystem,youneedtocreatea“dummy”componenthavingzerofailureratevalues.Youshouldalsosetthegroup’sprooftestdurationtozero;thisisneededbecauseSILabilityallowsfortheprobabilitythatthegroupisunavailableduetotesting,whichisirrelevantiftherearenocomponentstotest.


58

APPENDICES

APPENDIX A: WHERE TO GET FAILURE RATE DATA

TheresultoftheSILverificationcalculationdependsheavilyonvalidfailureratedataforthehardwarecomponentsintheSIFs.Sometimes,publisheddataisavailableforaspecificdevicethatmatchesorcloselyresemblesthecomponentyouareusing.Inothercases,youmayneedtousegenericdataforasimilardevice,oranaverageobtainedfromseveralsimilardevices.

ThebestsourceoffailureratedatawillgenerallybethesafetymanualorSILcertificatefortheexactcomponentyouareusing.However,itiswisetobeskepticalofverylowlDclaimedfailureratesinlowdemandmodeapplications,especiallyifthelDismuchlowerthansimilardevicesfromothermanufacturers.Somefailureratevaluesareobtainedbyperforminglaboratorycycletests,andthismaygiveanoptimisticallylowlDvaluecomparedwithfield(observedreal-world)failureratesfordeviceswithmovingpartsthatstandidleforlongperiodsoftime.Forsimilarreasons,bewaryofapplyingB10failurerates(whichapplytocontinuousmodeofoperation)tolowandhighdemandmodeSIFs.

Sources of failure rate data

• Guidelinesforprocessequipmentreliabilitydata,ACCPSpublicationfromtheAmericanInstituteofChemicalEngineers,1989.Thiscontainstablesofgenericfailureratesmeasuredinthefieldforawiderangeofdevices.Inmanycases,onlyasinglefailurerateisgiven,notbrokendownintotypesoffailure,soitwillgenerallyonlyprovideaworst-caselDU,nototherlvalues.

• Offshoreandonshorereliabilitydata(OREDA),6thedition.Mainlyfocusesonoffshoreequipment,butsomeonshoreequipmentisalsoincluded.Failureratesarecollectedfromobservedreliabilityinthefield.

• Safetyautomationequipmentlist,onlinesearchatwww.exida.com/SAEL.ContainsFMEDAreportsandSILcertificates,showingfailureratedata,foracarefullyselectedrangeofhardwaresuitableforuseinSIL-ratedapplications.

• SILSafedata,acollectionoftypicaldangerousfailureratesforsafety-relatedhardware,www.silsafedata.com

• Safetyequipmentreliabilityhandbook,4thedition,exida.AcollectionoffailureratedataassembledbyexidafromindustrysourcesandfromitsownFMEDAstudies.Breaksdownthedatatoafinelevelofdetail,showingseparatelvaluesformanyindividualdevices.

• Individualequipmentmanufacturers.Somemanufacturersmakesafetymanualsavailableontheirwebsitesfordownload;thesemayincludefailureratedataandothernecessaryinformationsuchasprooftestcoverage.Othermanufacturersmayprovidesuchdataonrequest.

• Fieldfailuremeasurements.Ifyourorganisationhasasignificantnumberofsimilardevicesinserviceandkeepsgoodfailureeventrecords,theserecordscanbeusedto


59

estimatereal-world(oratleastworst-case)failureratevalues.ThexSeriConwebsite,www.xsericon.com,hasadditionalresourcesonthistopic.

SeealsotheresourceslistedinAppendixGforfurtherdatabasesandlistsoffailurerates.

APPENDIX B: ASSUMPTIONS MADE IN CALCULATION

ThefollowingassumptionsaremadeinthealgorithmusedtoperformSILverificationcalculationsinSILability.

1. Allcomponentfailureratesareindependentoftime,throughoutthemissiontimeofthegrouptowhichthecomponentbelongs.

2. Allcomponentsareinserviceonlyduringtheirpublishedlifetime,andwillbefullyrefurbishedorreplacedattheendoftheirlifetime.“Infantmortality”(earlyfailureofcomponentsduetomanufacturingormaterialdefects)arenotconsidered,astheseshouldbefoundbymanufacturersduringburn-intestingbeforecomponentsareshippedtoendusers.

3. Nofailuresareundetectablebyprooftestingyetdetectablebydiagnostics.4. Nofailuresareundetectablebyfullprooftestingyetdetectablebypartialvalve

stroketesting.5. Prooftestingexecutionisimperfectandmaynotbecorrectlyexecutedineverycase.6. Theprooftestcoverage,PVSTcoverageandb(commoncause)factorareconstant

foralltypesoflvalue(DD,DU,SDetc)inasinglecomponent.7. Theb(commoncause)factorisconstantforalllegsinasinglegroup.8. Theb(commoncause)factorisconstantforallgroupsinasinglesubsystem.9. Thediagnosticintervalissoshortthatthetimewaitingforadetectablefaulttobe

detectedisnegligibleinlowdemandandhighdemandmodes.10. NounprotectedbypassesareusedduringprooftestsandPVST.Thatis,theSIFwill

beabletodetectthehazard(intheabsenceoffaults)oncompletionoftheprooftestorPVST.

11. ProoftestintervalandPVSTintervalthesameforallthelegswithinagroup.12. ForaMooNarchitectureinagroupwhere1<M<N,allthelegsinthegroupare

requiredtobeidentical.Thesameappliestogroupswithinasensorsubsystem.13. ThedowntimeofaSIFduetorestorationfollowingdiscoveryofsimultaneousnon-

commoncausefailuresisnegligibleinlowdemandmode.14. MTTRisconstantforalllegswithinagroup.15. Inalogicsolversubsystemwitharchitectureotherthan1oo1,thechannelsofthe

logicsolverareidentical.16. Onlyonestandard,IEC61508:2010,IEC61511:2003orIEC61511:2016,isappliedto

eachSIF.IfIEC61508:2010isapplied,eitherRoute1HorRoute2HisselectedforthewholeSIF.


60

17. Ifasubsystemcontainsredundantlegsorgroups,thelegs/groupsarenottestedsimultaneously,sothattheequipmentundercontrolremainsprotectedduringprooftesting.

18. Theprobabilityoffailureofaredundantsystemdoesnotchangeduringprooftestingandrestoration,eventhoughtheeffectivearchitectureisdifferentatthattime.

19. ForaSIFprotectingagainstahazardthatisnotalwayspresent,thefractionoftimethatthehazardispresent(sometimecalledusageratio)isnottakenintoaccount.ItisassumedthatcredithasalreadybeentakenforthisattheSILdeterminationstage.

20. DetectedsafefailuresarerestoredduringtheMTTR.21. Thereisnoredundancybetweendifferenttypesofcomponentsinasingleleg.That

is,thearchitectureofalegisassumedtobeNooN.22. Thecomponentswithina1oo2componentarchitectureareidentical.23. Anygrouporlogicsolverreachingtheendofitsmissiontimeisfullyrestored

immediately.24. IEC61508:2010-2Clause7.4.4.1.4(takingcreditfordiagnostics)isappliedonlyto

SFFcalculationandnotPFD/PFHcalculations.


61

APPENDIX C: KNOWN LIMITATIONS

ThecurrentversionofSILabilityisknowntohavethefollowingissues,whichwillbeaddressedinfutureversions:

1. AlthoughitispossibletoopenaSILabilityprojectfilecreatedusingthirdpartysoftware,SILabilitydoesnotrobustlycheckthatthefileisvalid.Thismayleadtoasoftwarecrash.

2. Themainscreencanbedifficulttouseonlowresolutionscreens(800x600).3. Ifyouhavemadealargenumberofeditssincetheprojectfilewaslastopened,the

‘saveonthefly’filemaycontainmanyeditrecords,whichcanslowtheSIFcalculation.Closeandreopentheprojectfileoccasionallytoresolvethis.

APPENDIX D: FORMAT OF XML PROJECT FILE

TheprojectfilecreatedandopenedbySILabilityisinXMLformat.PleasecontactxSeriConifyourequiredetailsoftheXMLsyntax.


62

APPENDIX E: TERMS & ABBREVIATIONS

TermorAbbreviation Definitionβ(Beta) Commoncausefactor:thefractionoffaults(safe

anddangerous)thatwouldaffectallredundantelementssimultaneously

λ(Lambda) Failurerate

λDD DangerousfailureratedetectablebydiagnosticsλDU Dangerousfailurerateundetectableby

diagnosticsλSD SafefailureratedetectablebydiagnosticsλSU SafefailurerateundetectablebydiagnosticsAC ArchitecturalconstraintsC&ED CauseandeffectdiagramCPU CentralprocessingunitDC DiagnosticcoverageESD EmergencyshutdownEUC EquipmentundercontrolFSA FunctionalSafetyAssessment–anactivityin

whichanas-builtSISisassessedtodetermineifitachievesitssafetyobjectives

HAZOP Hazardandoperability(study)HFT HardwarefaulttoleranceI/O Input/outputIEC InternationalElectrotechnicalCommissionIPF Instrumentedprotection(orprotective)functionIS IntrinsicallysafemacOS TheoperatingsystemprovidedwithAppleMac

computers(startingfrommacOS10.12)MooN AnarchitecturewithNvoters,suchthatatleast

MvotesarerequiredtogenerateatripMTTFS MeantimetofailsafeMTTR MeantimetorestoreNooN AnarchitecturewithNvoters,suchthatallN

votesarerequiredtogenerateatripOSX TheoperatingsystemprovidedwithAppleMac

computers(priortoOSX10.12)


63

TermorAbbreviation DefinitionP&ID PipingandinstrumentationdiagramPF ProbabilityoffailurePFD ProbabilityoffailureondemandPFDavg Probabilityondemand,averagedoverthe

lifetimeoftheprojectPFH ProbabilityoffailureperhourPLC ProgrammablelogiccontrollerPIU ProveninusePT ProoftestPTC ProoftestcoveragePTI ProoftestintervalPVST PartialvalvestroketestRoute1H MethodwithinIEC61508:2010todeterminethe

hardwarefaulttolerancerequirementRoute2H MethodwithinIEC61508:2010todeterminethe

hardwarefaulttolerancerequirementRTD ResistancetemperaturedetectorRRF RiskreductionfactorSFF Safefailurefraction(theratiooftheratesofsafe

failurestosafe+dangerousfailuresinacomponentorassemblyofcomponents)

SIL SafetyintegritylevelSIF SafetyinstrumentedfunctionSIS SafetyinstrumentedsystemSRS SafetyrequirementsspecificationXML ExtensibleMarkupLanguage


64

APPENDIX F: TERMS & CONDITIONS

Acceptance of Terms

xSeriConLimited(“Company”)offerstheuseandservicesofSILabilitysoftware(“Software”)tocustomer/client(“User”)subjecttothefollowingtermsandconditions(“TermsofUse”),whichmaybemodifiedfromtimetotimewithoutpriornotice.Bycontinuingtousethissoftwarefollowingsuchchanges,youagreetobeboundbysuchmodifications.

Authorized User

InregardstopaidCompanyproductsandservices,Useragreesnottoprovideormakeknownhis/herproductkeytoanyotherpersontoenablethatperson’saccessandunauthorizeduseoftheSoftware.TheUser’scomputerusedtoregistertheSoftwareistheonlycomputerlicensedtousetheproductkeysuppliedbyCompany.Useragreestoprovidetrue,accurate,currentandcompleteinformationasrequestedbyCompanyandmaintainandpromptlyupdatetheregistrationdatatokeepittrue,accurate,currentandcomplete.

Rights to Make Changes

TheCompanyreservestherighttochangeordiscontinue,temporarilyorpermanently,theuseofSoftware(oranypartthereof)atanytimewithoutpriornotice.TheCompanyshallnotbeliabletotheUserortoanythirdpartyforanymodification,suspensionordiscontinuanceoftheSoftware.

Links to other websites

TheCompanyshallnotberesponsibleforthecontentsavailableonortheset-upofanyotherwebsiteslinkedtothisSoftware.AccesstoanduseofsuchotherwebsitesisattheUser’sownriskandsubjecttoanytermsandconditionsapplicabletosuchaccess/use.Byprovidinghyperlinkstootherwebsites,ifany,theCompanyshallnotbedeemedtoendorse,recommend,approve,guaranteeorintroduceanythirdpartiesortheservice/productstheyprovideontheirwebsite,orhaveanyformofcooperationwithsuchthirdpartiesandwebsites.TheCompanyisnotapartytoanycontractualarrangementsenteredintobetweentheUserandtheprovideroftheexternalwebsite.


65

Links to SILability Website

UsermaysetupahyperlinktothisSoftware’swebsitebyfirstobtainingthewrittenapprovalfromtheCompany(whichmaybewithdrawnatanytimeatthediscretionoftheCompany).UserwillterminatethehyperlinkwithintwodaysofreceiptofanoticefromtheCompany.

User Conduct

AsaconditionofUser’suseofthisSoftware,Usermustnot:a.trespass,breakinto,access,useorattempttotrespass,breakinto,accessoruseanyotherpartsofCompanyservers,and/oranydataareasforwhichtheUserhasnotbeenauthorisedbyCompany;b.restrictorinhibitanyotherlicensedUserfromusingandenjoyingthisSoftware.

Intellectual property rights

AllintellectualpropertyrightssubsistinginrespectofthisSoftwarebelongtotheCompany.ExceptwiththeexpresspermissionoftheCompany,Usersarenotallowedtoupload,post,publish,reproduce,transmitordistributeinanywayanycomponentofthisSoftwareitselforcreatederivativeworkswithrespectthereto.UseragreesthattheCompanyarefreetouse,disclose,adoptandmodifyallandanyideas,concepts,knowhow,proposals,suggestions,commentsandothercommunicationsandinformation(“Feedback”)providedbyUsertotheCompanyinconnectionwithitsSoftwareand/orproductsandserviceswithoutanypaymenttotheUser.Userherebywaivesandagreestowaiveallandanyrightsandclaimsforanyconsideration,fees,royalties,chargesand/orotherpaymentsinrelationtoCompanyuse,disclosure,adoptionand/ormodificationofanyorallofUserFeedback.

Indemnity

Useragreestoindemnify,defendandholdharmlesstheCompanyfromandagainstallliabilities,claims,actions,costs,expenses,lossanddamagesarisingorinconnectionwiththeUser’sbreachoftheTermsofUseand/oranyotheractivitybytheUserinconnectionwiththeuseofthisSoftware.

InnoeventshalltheCompanybeliabletoanypartyfordirect,indirect,special,incidental,orconsequentialdamages,includinglostprofits,arisingoutoftheuseofthissoftwareanditsdocumentation,eveniftheCompanyhasbeenadvisedofthepossibilityofsuchdamage.


66

TheSoftwareandaccompanyingdocumentation,ifany,providedhereunderisprovided“asis”.TheCompanyhasnoobligationtoprovidemaintenance,support,updates,enhancements,ormodifications.

Termination

TheCompanymayinitssolediscretion,terminateorsuspendtheUser’saccesstoallorpartoftheSoftwareforanyreason,including,withoutlimitation,breachoftheTermsofUse.TheCompanywillnotbeliabletotheUseroranythirdpartyforanyclaimsrelatedtotheterminationoftheuseofSoftware.

Privacy Policy

ForinformationaboutCompanyprivacypoliciesandpractices,pleaserefertoCompany‘PrivacyPolicyStatement’below.

Governing Law and Jurisdiction

TheTermsofUseshallbegovernedbythelawoftheHongKongSpecialAdministrativeRegion.Useragreestosubmittothenon-exclusivejurisdictionoftheHongKongcourts.

Language Version

Ifthereisanyconflictordifferencebetweenthedifferentlanguageversionsofthe‘TermsofUse’anditsEnglishversion,theEnglishversionprevails.Ifanypartoftheotherlanguageversionisunclear,referenceshouldbemadetotheEnglishversion.ThelanguageversionmaynotbetranslatedintoEnglishforthepurposeofcomparingwithorinterpretingtheEnglishversion.

PRIVACY POLICY STATEMENT

xSeriConLimited("theCompany")iscommittedtoprotectingUserprivacy.


67

Types of Data Collected

Fromtimetotime,itisorwillbenecessaryfortheUsertosupplytotheCompanydataincludingbutnotlimitedtowhentheUserhasenquiriesorpurchasesCompanyproducts&services.VisitingCompanywebsitesmayplace“cookies”intheUser’sbrowsertocollectpersonalidentificationdatasuchasname,dateofbirth,emailaddress,address,telephonenumber,accountnumberandotherrelevantinformationtorealizeUserpreferences.FailuretosupplysuchdatamayresultintheCompany’sbeingunabletoprovideitsproducts&servicestotheUser.

Purposes for which data are used

ThepurposesforwhichtheCompanymayusethedatacollectedortobecollectedbytheCompanyaredividedintoobligatorypurposesandvoluntarypurposes.Ifthedataistobeusedforanobligatorypurpose,UserMUSTprovidethedatatotheCompanytoprovidetherelevantproductsorservicesforwhichtheUserhasrequested.Ifthedataisonlytobeusedforavoluntarypurpose,theCompanywillobtainUserconsentandwillhavetheoptiontotelltheCompanynottousethedataforthatpurposeandwewillnotdoso.

Purposesforwhichitisobligatoryforyoutoprovidethedataare:

1.handlingandfollowingupenquiriesandmattersrelatedhereto;2.meetingtherequirementstomakedisclosureunderrequirementsofanylawbindingontheCompany;3.toprocessUserrequestsorenquiries;4.toprocessandcompletetransaction(s)requestedbyUser;5.designingneworenhancingexistingproducts&servicesprovidedbyCompanyforUser’suse;6.tosendUseradministrativecommunications,suchasinformationaboutanyaccountUsermayhavewiththeCompanyoraboutfuturechangestothisPrivacyPolicyStatement;7.toadministerandenforcetherulesofpromotionsand/orthetermsofCompanycommercialdealings;8.forCompanyinternalbusinessandadministrativepurposes;9.toassistinlawenforcementpurposesandtomeetrequirementsimposedbylaworforclaims-relatedpurposes;10.forsafetyorsecuritypurposes;11.toensureongoingcreditworthinessoftheUser;12.todetermineamountsowedtoorbytheUser;13.toenforceUserobligations,includingwithoutlimitationthecollectionofamountsoutstandingfromUserandthoseprovidingsecurityforUser;14.purposesrelatingthereto.


68

PurposesforwhichitisvoluntaryforUsertoprovidethedataare:1.sendingtoUserdirectmarketing,promotionalinformationand/ormaterialsand/oroffersandnewsoftheCompany’sproductsandservices,2.sendingUserourfuturemarketingpurposesandinconjunctionwithproducts;and3.conductingcustomerandservicesurveys.

Notice for Direct Marketing

CompanyintendstouseUserpersonaldataincludingyourname,telephonenumbers,faxnumber,emailandothercontactinformationcollectedformarketingcommunicationsinrelationtotheclassesofproductsandservicesthatareonoffer.CompanywillnotuseyourpersonalinformationfordirectmarketingwithoutUserconsent.IfUserdoesnotallowandagreetheCompanytousethedataforthevoluntarypurposesincludingdirectmarketingaslistedabove,pleaseinformCompanybyusingtheopt-outmethodbelow.

Youmayopt-outfromreceivinganyoftheCompany’sdirectmarketinginformationandservicesatanytime,freeofcharge.Toopt-outpleaseemail:

[email protected]/invoicenumber.

UserwillberemovedfromCompanymailinglistwithinfourteen(14)HongKongbusinessdaysuponCompany’sreceiptofUser’srequest.

Disclosure of Personal Data

DataheldbytheCompanyrelatingtotheUserwillbekeptconfidential.IncaseswheretheCompanydoescollectthedatafromtheUser,wewill:1.notifyUser(bywayofthisPrivacyPolicyStatementorbyaseparatenotification)thattheCompanyisdoingsoandtheusethattheCompanywillmakeofsuchdatawecollect;2.whererelevant,theCompanywillgiveUsertheopportunityto“optout”(thatistorestricttheusestheCompanywillmakeofsuchdata);

TheCompanymay,wheresuchdisclosureisnecessarytosatisfythepurpose,oradirectlyrelatedpurpose,forwhichthedatawascollectedprovidesuchdatatothefollowingparties:

1.anyagent,contractororthirdpartyserviceproviderwhoprovidesservicestotheCompany;2.anycreditreferenceagencies,intheeventofdefault,todebtcollectionagencies;and3.anyotherpersonorcompanywhoisunderadutyofconfidentialitytotheCompanyandhasundertakentokeepsuchinformationconfidential.


69

Access and Correction of Personal Data

Userhastherightto:1.checkwhethertheCompanyholdsanypersonaldatarelatingtotheUserandtherightofaccesstosuchdata;2.requiretheCompanytocorrectanydatarelatingtotheUserwhichisinaccurate;and3.ascertaintheCompany'spoliciesandpracticesinrelationtopersonaldata.

RequestforaccessandcorrectionofdataandthekindsofdataheldshouldbeemailedtoCompanyaddressedto:

[email protected]/invoicenumberinthesubjectline.

YoumayalsorequesttheCompanytodeletethedatafromanyactivemailingordistributionlist.ToexerciseanyoftheUser’srights,[email protected].

TheCompanymaytakereasonablestepstoverifyUseridentitybeforegrantingaccessorpermittingcorrectionstoUserinformation.TheCompanyhastherighttochargeareasonablefeefortheprocessingofanydataaccessrequest.

APPENDIX G: FURTHER READING

IfyouarenotfamiliarwiththerelevantIECstandards(aslistedbelow)andthetheoryandpracticeofSILverificationinthecontextoffunctionalsafetyengineering,youarestronglyadvisedtofamiliariseyourselfwiththefollowingmaterialsbeforeusingSILability.Also,xSeriConprovidestrainingintheseareasinonlineandclassroomformats.

1. InternationalElectrotechnicalCommission(IEC),2016,IEC61511Functionalsafety—safetyinstrumentedsystemsfortheprocessindustrysector,Parts1and2.

2. InternationalElectrotechnicalCommission(IEC),2010,IEC61508FunctionalSafetyofElectrical/Electronic/ProgrammableElectronicSafety-relatedSystems,Parts1,2,4and7.

3. I.CameronandR.Raman,Processsystemsriskmanagement,Elsevier,2005.Section8.7.2providesasubstantiallistofsourcesoffailureratedata.

4. W.M.GobleandH.Cheddie,Safetyinstrumentedsystemsverification:practicalprobabilisticcalculations,ISA,2005.ThestandardtextbookonthetheoryofSILverification.

5. W.M.Goble,Controlsystemssafetyevaluationandreliability,3rdedition,ISA,2010.Importantbackgroundonthefailurebehaviourofsafety-relatedequipment.


70

6. K.J.KirkcaldyandD.Chauhan,Functionalsafetyintheprocessindustry,self-published(availablefromAmazon),2012.Chapters13and14containagentleintroductiontoSILverificationandthecalculationoffailurerates.

7. D.J.SmithandK.G.L.Simpson,Safetycriticalsystemshandbook,3rdedition,Butterworth-Heinemann,2011.Chapter6isdedicatedtothesourcingoffailureratevalues.


71

APPENDIX H: TROUBLESHOOTING AND FAQ’s

IfyouexperienceproblemsrunningSILability,pleasecheckthequestionsandanswersbelow.Shouldyoustillhaveunresolvedissues,pleasecontacttheSILabilityteamatxSeriCon,whowillassistyouasquicklyaspossible.

Question Answer

1 Mysensorsubsystemcontainsjustonesetof2oo3transmitters.ShouldImodelitasthreelegsinonegroup,orthreegroupscontainingonelegeach?

Bothmethodsareacceptable,andtheywillgiveessentiallythesameresult.xSeriConrecommendsmodellingthisas3legsinonegroup,asitwillbeeasiertoenterthedata.

2 Someofthedatainputfieldsarenotvisibleinthedataentrypanel(toprightareaofthescreen).

Youmayneedtodragthehorizontaldividerbetweenthedataentrypanelandresultpaneldownwardstorevealthemissingfields.

3 IhaveavalidSILabilitylicensekey,butSILabilityisnotrecognisingit.

Alicensekeyisvalidforonecomputeronly.Ifakeyhasalreadybeenusedononecomputer,itcan’tbeusedonanother.

Licensekeyshaveanexpirydate.PleasecontactxSeriContofindoutifyourlicensehasexpired.

ThelicensekeymustbeenteredexactlyassuppliedbyxSeriCon.Itiscase-sensitive.PleasetrypastingthekeyfromtheemailyoureceivedfromxSeriCon.Ifyouareretypingit,checkyouarenotconfusinglettersI/Owithdigits1/0.

4 Ican’tseethecomponentsofmySIFinthetreeview(leftsideofthescreen).

Bydefault,legsareshown‘collapsed’inthetreeviewtosavespace.Expandthelegsbyclickingthesmalltriangleontheleftoftheleg.

5 MycomputercrashedwhileIwasusingSILability.HaveIlostallmyworkonthecurrentproject?

Ifyouwereusing‘saveonthefly’,nothingshouldbelost.SimplyreopentheprojectfileinSILabilityandallyourworkshouldberecoveredautomatically.Wehighlyrecommendusing‘saveonthefly’atalltimes.Touseit,chooseSaveAsfromtheFilemenu,assoonasyouopenaprojectfile.

6 MySILverificationprojectisfinishedandIdon’tneedthe

We'resorry,butlicensesarenotrefundableonceactivated.


72

Question AnswerSILabilitylicenseanymore.CanIgetarefund?

7 WherecanIfindlvalues(failurerates)touseinmySILverificationproject?

PleaseseeAppendixAoftheuserguideforguidance.

8 Thecomponentorlegshowsalowerthanexpectedsafefailurefraction.What’sthecause?

Inlowdemandmode:Gotothecorrespondinggroup,andcheckwhetherthe“MTTRincludesdiagnosticstime”checkboxischecked.

Inhighdemandorcontinuousmode:Gotothecorrespondingcomponents,andcheckwhetherthe“Diagnosticsarefrequentenough”checkboxesarechecked.

Ineachcase,ifthecheckboxesarenotchecked,lDDfailureswillbetreatedasdangerousfailures,leadingtoalowerSFF.

9 WhyistherecalculationoftheSIFsgraduallygettingslower?

RefertoAppendixCforguidanceonthisissue.

10 WhydoesmyprobabilityoffailureincreasewhenIremoveacomponent/decreaseitsdangerousfailurerate?

InaNooNarchitectureitispossiblethatareductionintheprobabilityoffailureofaleg,viachangeofcomponentfailureratesorremovalofacomponent,cancauseanincreaseintheoverallprobabilityoffailureofagroup.Thisisduetoareductionincommoncauseprobabilityoffailureandthedominanceofthenon-commoncausefailurerate.ThiseffectmayalsooccuratsubsystemlevelafterachangetooneofthegroupswithinaNooNconfiguration.

11 RecalculationgetsslowerwhenIdecreasePTIorPVSTIvaluesbelow3months.

Inordertooptimizeperformance,SILabilitydynamicallyselectsasamplingintervaldependingontheshortestPTIandPVSTIintheSIF.IfyouneedtouseshortPTIorPVSTIvalues,onesolutionistosetalltheotherparametersoftheSIFfirst,andthensetthePTI/PVSTIattheend.

12 WhydoesmyPFDavg/PFHincreaseforasubsystemafterdisablinganothersubsystem?

ThiscanoccurifthesubsystemyouhavedisabledcontainsthelongestmissiontimeintheSIF.InSILabilitylowdemandmode,PFDvaluesarecalculatedforoperatingtimesuptothelongestmissiontimeintheSIF.Wheneachgroupreachesitsmissiontime,itisassumedtobereturnedtoas-


73

Question Answernewcondition,resultinginlowerPFDvaluesfortimesafteritsmissiontimeuntilthetimelimitisreached.WhentheselowerPFDvaluesarenolongerincludedinthecalculation,thePFDavgwillincrease.

13 WhydoestheMTTFSofmysensorsubsystemdecreaseafterdisablingthelogicsolversubsystem?

The‘detectsafefailures’and‘programmable’switchesinthelogicsolversubsystemmayhavebeencheckedpreviously.Disablingthelogicsolverwillautomaticallytreattheseswitchesasunchecked,becausethelogicsolverisnotavailabletodetectsafefailures.ThiswillcausetheMTTFSofthesensorsubsystemtodecrease.

14 WhenestimatingMTTR,shouldIincludethetimeduringwhichtheprocessisoffline,ifIhavetoshutdowntheprocesstorepairtheSIF?

MTTRrepresentsthetimeduringwhichthehazardisnotaddressedbytheSIFduetotheSIFbeingoffline.Itdoesnothavetoincludetimeduringwhichthehazardisnotpresent.

IftheprocessistakenofflineforsometimeTduringtherepair,suchthatthehazardaddressedbytheSIFisnotpresent,theMTTRcanbereducedbyT.

15 Mygrouphasredundantlegs(e.g.2oo3).Ifonelegfails,thegroupcanstilladdressthehazard.ShouldIthereforesetthegroup’sMTTRtozero?

No,youshouldstillsettheMTTRasifnoredundancyispresent.TheMTTRisrequiredforcalculationofMTTFSincertaincases.SILabilitywillautomaticallytakeredundancyintoaccount.

16 Whydoesn’tthenumberofSIFsinthe“GotoSIF”dropdownboxmatchthenumberofSIFsinprojectoverviewofthespreadsheetreport?

Sub-SIFsarenotincludedwithinthe“NumberofSIFs”fieldoftheprojectoverviewsectionofthespreadsheetreport.

17 MySIFhadasub-SIFinit,butnowithasdisappeared.Asaresult,thesubsystemarchitecturenolongermatchesthenumberofgroups.Whathappened?

YoumayhavedeletedtheSIFthatwasusedasthesub-SIF.Whenyoudothis,SILabilityautomaticallydeletesitfromanySIFshostingitasasub-SIF.YoucanundotheSIFdeletion;thesub-SIFswillthenreappearautomatically.

Ifyouintentionallydeletedthesub-SIF,youwillhavetomanuallyadjustthearchitectureofallsubsystemsthatwerehostingit.SILabilitydoesnotadjustthearchitectureautomatically,toavoid


74

Question Answermakingassumptionsaboutthearchitectureyouintendedtouse.

18 IamopeningadatabasethatIknowcontainsdiscrepanciesrelativetocomponentsinthecurrentlyopenproject.YetIamnotseeingadiscrepancywarning.Whyisthis?

Ifanycomponentsinyourprojecthavetheir“Overridedatabase”checkboxeschecked,thediscrepancycheckwillnotbeperformedforthesecomponents.

19 WhyisitwhenI“ReduceHFTrequirement”foraSIFusingIEC61511:2016,theminimumHFTrequiredforSIL4isaHFTof1,whenthisisnotstatedinthestandard?

Whilstclause11.4.6withinIEC61511:2016doesnotspecifyspecificvaluestoreducetheHFTrequirementsto,xSeriConusedclause7.4.4.3.2fromIEC61508:2010Route2H(whichwaswhereclause11.4.6wasderivedfrom)toselectaminimumHFTof1forSIL4.

20 HowdoesSILabilitydifferentiatebetweenFPL,LVL,andFVLforacomponent?

AFPLcomponentwillbeACtypeBandwillhavethe“Parameteradjustmentisprotected”switchchecked.AnLVLorFVLcomponentisACtypeBandwillhavethe“Parameteradjustmentisprotected”switchunchecked.

21 Iamresolvingdiscrepancieswhenopeningadatabase.WhenIselect“overwritedatabasevalue”,anewdiscrepancyappears.Whyisthis?

“Overwritedatabasevalue”changesthecomponentparametersinthedatabase.Thismightcauseanewdiscrepancywithanothercomponentintheproject.SILabilityisshowingyouthenewdiscrepancyresultingfromthechange.

22 TheSILabilityuserguidestatesthatalluser-enteredcommentsshowupintheExcelreport.Arethereanyexceptionstothis?

Commentsattachedtocheckboxesthatarenotset(neithercheckednorunchecked)arenotsavedintheprojectfile.Asaresult,theywillnotbeshowninthereportwhentheprojectisreopened.

23 WhenIfirstrunSILability,myfirewallwarnsmethatSILabilityistryingtoaccesshttp://8.8.8.8.Whatisthis,andisitsafe?

ThisistheaddressofapublicDNS(domainnameserver)runbyGoogle.Itiscalledtoconfirmthatyourcomputerhasinternetaccess,sothatitcanreachxSeriCon’slicensingserver.Nodatawillbedownloadedfrom8.8.8.8andyoucansafelyallowaccess.

silability user guide - xsericon · calculation. (the exceptions are the sil target field, which...

Documents