
Storage Tank SIL Selection and Verification Spreadsheet

Designed by Kenexis Consulting Corporation


2929 Kenny Rd Suite 225
Columbus OH 43221
USA
www.kenexis.com
admin@kenexis.com
This document was prepared using best effort. The authors make
no warranty of any kind and shall not be liable in any event for
incidental or consequential damages in connection with the
application of the document.
This document may be circulated for distribution, but it may not be
circulated as part of a commercial product under any
circumstances.
IT IS CRITICAL THAT THE FAILURE RATES USED IN THIS
SPREADSHEET BE REVIEWED AND CONFIRMED (OR REVISED) TO
ACCOUNT FOR YOUR OWN FACILITY. THIS CAN BE DONE THROUGH
REVIEWING INDUSTRY/LOCATION SPECIFIC INFORMATION,
EQUIPMENT VENDOR DATA, LOCAL MAINTENANCE RECORDS, OR
OTHER METHODS. IF THIS IS NOT DONE THE RESULTS WILL NOT
NECESSARILY REFLECT THE RISK REDUCTION ACHIEVED AT YOUR
SITE!
Instructions on Using the Spreadsheet
The purpose of the spreadsheet is to assist in SIL Selection and SIL
Verification for a high-high storage tank level safety function. Each
safety function should be analyzed using its own spreadsheet.
This spreadsheet should ONLY be used for simple functions whose
SIL target is 2 or less. Complex functions can't be handled by this
spreadsheet; a safety specialist should be consulted.
SIL Selection must be conducted with a multidisciplinary team
including a representative from process engineering,
instrumentation, operations and specialists as required. It should
be the same kind of team normally used for a PHA.
Review the accompanying presentation that further discusses
related aspects of safety engineering.
Read the information in the "Usage Notes" tab of this spreadsheet.
The team should start at the "SIL Selection" tab and describe the
function, hazard the function is intended to prevent, and
consequences.
The spreadsheet has capability for three different initiating events.
All initiating events and protection layers should be identified, then
check the RRF Required and SIL Rating for the function.
In general, purple spreadsheet cells are user entered and light
brown spreadsheet fields are automatically calculated by the
spreadsheet.
You can click the in-spreadsheet links that are in underlined blue
text to get more information on the item in question.
On the "SIL Verification" tab enter the equipment details for the
function.
REVIEW THE FAILURE DATA to be sure it matches your site
experience. Failure rate data can be modified on the "Data" tab.
If your equipment is not listed you can enter a custom equipment
and failure rate on the "Data" tab.
Review and print the "SIL Assumptions" tab to make sure that the
relevant assumptions are being used on your function.
Verify the RRF Achieved is greater than or equal to the RRF
Required, and also make sure each equipment subsystem's fault
tolerance requirements are satisfied.
Complete and print the report cover letter that should have come
with this spreadsheet.
Keep documentation that justifies failure rate information,
initiating event frequencies and protection layer risk reduction
factors.
STEP 1: Provide Safety Function background, Hazard Prevented, Consequence and TMEL:
In general, the purple spreadsheet fields are user entered and the light brown spreadsheet fields are calculated by the spreadsheet
Service: Tank #219, West Facility
Safety Instrumented Function (SIF) Description: High-High Storage Tank Level closes tank inlet valve
Hazard Prevented: High-high tank level could result in overfilling of tank with petrol, which could result in loss of containment. Loss of containment with continued filling could result in large cloud of flammables, which if ignited could result in fire or explosion.
Consequence: Fire or explosion could result in multiple injuries to on-site and possibly off-site personnel.
Consequence Rating: High (potential life-threatening injury)
TMEL Equivalent, per year: 0.00001
Event period (==1/TMEL), years: 100,000
STEP 2: Initiating Events and Protection Layers
Initiating Event #1:
Description: Operator error during filling process (wrong setpoint)
Frequency: Medium (once per ten years)
Frequency, in years: 0.1
Independent Protection Layer (IPL) for Initiating Event #1:
Description | IPL RRF | NOTES
Operator Intervention | 10 |
BPCS (Control Loop) | 10 |
Occupancy (<10%) | 10 |
Other | 1 |
None | 1 |
Initiating Event #1 Mitigated Frequency, in years: 1.00E-04
Initiating Event #2:
Description: BPCS Failure
Frequency: Medium (once per ten years)
Frequency, in years: 0.1
Independent Protection Layer (IPL) for Initiating Event #2:
Description | IPL RRF | NOTES
Operator Intervention | 10 |
Occupancy (<10%) | 10 |
None | 1 |
None | 1 |
None | 1 |
Initiating Event #2 Mitigated Frequency, in years: 1.00E-03
Initiating Event #3:
Description:
Frequency:
Frequency, in years:
Independent Protection Layer (IPL) for Initiating Event #3:
Description | IPL RRF | NOTES
None | 1 |
None | 1 |
None | 1 |
None | 1 |
None | 1 |
Initiating Event #3 Mitigated Frequency, in years:
STEP 3: Check Safety Integrity Level (SIL) of SIF
SIF RRF Required 110
SIL Rating SIL 2
STEP 1: Provide information about SIF Hardware
Field | SENSOR | LOGIC SOLVER | FINAL ELEMENT (FE) | FE INTERFACE
Equipment Tag | LAHH-69 | Relay panel | XV-69 | SV-69
Voting | 1oo2 | 1oo1 | 1oo2 | 1oo2
Type | Generic Radar | Generic SIL-3 PLC | Generic Ball or Globe valve | Generic 3-way solenoid
Description | Generic radar, overrange and underrange PLC diagnostics, vote to trip on error | Generic SIL 3 Certified PLC, with diagnostics | Generic air actuated ball or globe valve, spring return, fail safe | Generic solenoid operated valve, 3-way, DTT
Failure Rate, dangerous undetected, per hr | 5.00E-07 | 1.00E-08 | 1.35E-06 | 8.00E-07
Test Interval, years | 1 | 1 | 1 | 1
Max SIL Approved | 2 | 3 | 2 | 2
Probability of Failure on Demand (PFD): | 0.0002 | 0.0000 | 0.0006 | 0.0004
*** SEE SIL VERIFICATION CALCULATION ASSUMPTIONS HERE ***
STEP 2: Check function meets SIL target
Field | Achieved | Target
SIF PFD | 0.0013 | 0.009
SIF RRF | 785 | 110
Does Function meet RRF Required? YES
Is Fault Tolerance Achieved? YES
SIL Verification Assumptions
If the safety function does not meet all the applicable assumptions the
calculation may not represent the true risk reduction factor!
If a radar sensor is used, overrange and underrange diagnostics are assumed.
These diagnostics may be employed at the PLC level.
In general, diagnostics should detect when the signal input is outside of
normal range (typically 4-20 mA or 1-5 V) and perform fail safe action, voting
in direction of trip.
Other sensors included in this spreadsheet do not include provision for
diagnostics of any kind.
All relays are assumed to be de-energize to trip (DTT)
All relays are assumed to be standard DTT relays, with a safe failure fraction
(SFF) of 80%.
If SIL 3 certified PLC is used, full diagnostics to achieve SIL 3, as prescribed by
the PLC manufacturer, are assumed. This includes I/O, PLC, terminal assembly,
software, and any other system-specific diagnostics needed.
If air operated shutoff valve is used, valve is assumed to be air-to-open with a
spring closed return. Valve safe state is assumed to be when valve is in closed
position.
If air operated control valve is used, valve is assumed to be air-to-open with a
spring closed return. Valve safe state is assumed to be when valve is in closed
position. Valve is assumed to be frequently used for active control, and valve
is independent of all initiating events and protection layers for this hazard.
If motorized valve is used, valve is assumed to be electrically activated, fail-in-
place, without battery backup or other special features.
If pump motor starter is used, device is assumed to be DTT.
If solenoid operated valve (SOV) is used, device is assumed to be 3-way DTT.
Loss of power to solenoid coil will change valve state, thereby releasing
actuator air to atmosphere through solenoid valve.
If interposing relay is used as final element interface device, it is assumed to
be dry contact.
When 1oo2 and 2oo3 voting is used, common cause failures (beta factor) are
expected to be 10% of total dangerous undetected failure rate.
Test interval is the maximum time expected between full functional proof
test.
The process services are assumed to be clean and/or the process connections
are suitably designed for their application such that the process connection
itself is not a significant source of SIF failure.
All SIF operate in the low demand mode of operation.
Equipment is assumed to be replaced before the end of its useful life as
specified by the manufacturer. Failure rates include random hardware
failures during the useful life, and not wear out failures that occur beyond
the end of the useful life.
Equipment is maintained and installed according to manufacturer
recommendations and procedures.
SPREADSHEET NOTES
Service
Enter service tag of tank here
Safety Instrumented Function (SIF) Description
Enter the description of the SIF
This is the set of minimum necessary and sufficient actions the SIF must make to prevent the hazard. The
function may take other auxiliary actions (such as stopping a pump, generating an alarm, etc) but those actions
may not be necessary to prevent the hazard the SIF is trying to prevent.
The description should start with the sensing action that takes place (ex, high-high level) and it ends with the
output action (ex, closes a valve).
Hazard Prevented
Enter the hazard the SIF is employed to prevent
The user should "tell the story" of how an out-of-bounds condition could progress to a specific credible hazard.
The description should follow a clear linear sequence so that later readers can follow the team's description of
the scenario. As part of the scenario do NOT account for protection layers or conditional modifiers, as those will
be included later in the spreadsheet.
The description should start with the abnormal condition (ex, high-high level), follow a logical sequence, and end
with the hazard (ex, fire or toxic cloud). It should not YET include the impact of the hazard (injuries, damage).
The impacts are described in the "Consequences" section.
Consequence
Enter the consequences that would arise from the hazard in the outlined scenario
Describe the consequences to "receptors" as a result of the hazard. Receptors at the minimum should include
personnel; many organizations also require the team to detail environmental, societal and commercial
receptors. Consult your organization's specifications and guidelines to determine which receptor categories
should be considered.
With respect to safety, the consequence should include the most likely credible result if an individual were in the
immediate area of the hazard, and should NOT include factors like occupancy rate or time-at-risk. Such
probability modifiers can be accounted for in the IPL section of this spreadsheet.
Consequence Rating
Enter the consequence category outlined in your organization's risk management guidelines. This is so the
consequence used as part of these calculations can be cross-referenced with your organization's risk
management guidelines.
TMEL Equivalent
TMEL = Target Maximum Event Likelihood
Enter the numerical value that represents the maximum event likelihood deemed permissible for this type of
event, per your organization's risk management specifications and guidelines. The number must be the event
frequency, in years.
For organizations where the TMEL method is the adopted risk management philosophy, this may be identified
very clearly. For example, your organization may state that an event likelihood for a serious injury is 1x10^-4
years, once in 10,000 years.
For organizations that use a Risk Matrix method, you may need to determine the TMEL indirectly from the
matrix. Most Risk Matrices are simple 2-dimensional tables, with one axis the initiating event frequency and the
other axis the consequence category. The value at each intersection of the matrix is the number of orders of
magnitude in risk reduction required for that initiating event frequency / consequence pair.
If the above describes your organization's risk matrix, you may be able to determine the effective TMEL by
selecting your consequence category on one axis and observing how much risk reduction is required if the
initiating event frequency were yearly.
*** WARNING *** The TMEL is a critical component in determining the integrity level of the SIF so consult a risk
professional if you are not certain of what number to enter in this field.
Tolerable incident rates vary by organization and by consequence. They could also be set by national or local
authorities. Many organizations use between 1x10^-4 and 1x10^-6 as a TMEL when life-threatening injuries are
possible.
Event Period
This is 1/TMEL, or the average minimum number of years expected between events
Initiating Event Description
An initiating event is an event that starts the sequence of events in motion that, if unmitigated, will result in a
hazard. Something like an alarm or a lack of operator response is not an initiating event, although a control loop
failure or procedure misoperation could be initiating events.
Frequency
Enter the frequency category outlined in your organization's risk management guidelines. This is so the
frequency used as part of these calculations can be cross-referenced with your organization's risk management
guidelines.
Frequency, in years
Each initiating event should have its own frequency entered. The frequency unit is 1/years.
IEC-61511 states that the frequency of a Basic Process Control System (BPCS) loop should not be assumed to be
less than 1 / 10 years, unless the loop has been designed like a safety system. BPCS loops that have stated failure
frequencies lower than 1 / 10 years are extremely rare.
The 1 / 10 year failure frequency for a BPCS loop takes into account all components of the loop (sensors, logic
solver, outputs). So you do not need to enter one initiating event for the transmitter, and another for the valve,
etc.
Operator error is another common initiating event. This could include lining up the wrong tank, entering the
wrong loading setpoint or other errors. A common industry practice is to claim an error rate of once per 100 to
1000 opportunities for an operator to incorrectly follow a procedure. This assumes a non-stressed, adequately
trained and experienced operator who is going through an established routine.
One way to determine an annual operator error frequency is to count the number of times per year a procedure
is done to that one tank, then multiplying by the probability of operator error. The user should confirm that the
resulting calculation is realistic with respect to actual operating conditions.
Independent Protection Layer (IPL)
An IPL is a protection layer that serves to stop a sequence of events that can result in a hazard. It does not
prevent an initiating event from occurring, it serves its function after an initiating event has occurred. If an IPL is
considered it must be able to completely prevent the hazard in question, not just slow it down or reduce the
severity.
Avoid claiming preventative maintenance, good practices and procedures and administrative controls as IPLs
because it is assumed that those practices are already occurring and have already been "baked into" the given
numbers.
Four common characteristics of an IPL:
Specificity - The IPL must be specifically designed to address and prevent the hazard.
Independence - The IPL must be independent from the cause (initiating event) and other IPLs. Particularly, do
not claim an IPL from a control loop where that control loop is the initiating event for the hazard!
Dependability - It should be repeatable and expected to function at least 90% of the time for a single IPL credit.
Auditability - The device can be tracked and measured to verify it provides the stated level of protection.
Common IPLs
BPCS (Control Loop)
BPCS loop RRF should not be greater than 10 unless it has been designed to the same standard as a SIF.
Do not include a BPCS loop (or alarm) as an IPL if it is taken from the same transmitter that is causing the
initiating event!
Occupancy (<10%)
Occupancy, or time-at-risk, is not strictly an IPL but it is included with the IPLs so the user can account for it as part
of the SIL selection process. If the probability of an operator being in the area at the time the hazard occurs is
less than 10% then this credit may be considered. The user should supply some documentation to justify the
credit, such as a breakdown of how frequently an operator is near it for normal rounds, how frequently a
maintenance person is in the area, etc...
Operator Intervention
For Operator Intervention to be claimed the alarm should be annunciated to a continuously manned location
and there should be proper training for operator response. The operator should be able to recognize, diagnose
and respond within a reasonable amount of time before the hazard happens. Some sources use a rule of thumb
of 20 minutes as the minimum time needed for an operator to respond to an alarm, in order to justify the credit.
Do not take credit for operator intervention if the alarm is taken from the same BPCS loop that is the initiating
event!
Other
This is a user-entered field. Provide description and justification for this credit in the Notes field.
IPL Description
Select the IPL from the list. Included are common IPLs and the capability to enter a user-defined IPL.
More details about IPLs
IPL Risk Reduction Factor (RRF)
RRF is a measure of how much mitigation that protection layer provides, by reducing the probability the
initiating event will propagate to the full hazard.
For example, a protection layer with a RRF of 10 decreases the probability of a hazard occurring by a factor of 10.
The higher the RRF the better protection the IPL provides.
When an IPL is selected the spreadsheet will fill in a RRF commonly used for that IPL. The user can modify the
RRF by entering the desired RRF in the spreadsheet.
More details about IPLs
IPL Notes
Enter any description or notes that may be helpful to identify or clarify the use of the IPL
More details about IPLs
SIF RRF Required
RRF = Risk Reduction Factor
The RRF Required is the amount of function integrity needed in order to reduce the overall hazard risk to an
acceptable level. The higher the RRF Required the higher integrity needed for the function. This functional
integrity can be increased by a combination of factors, including testing frequency, device type, device
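diagnostics and voting arrangement. It correlates to the SIL Rating as shown below:
Safety Integrity Level (SIL) | 1 | 2 | 3 | 4
Probability of Failure on Demand (PFD) for the function | 10%-1% | 1%-0.1% | 0.1%-0.01% | <0.01%
Risk Reduction Factor | 10-99 | 100-999 | 1,000-9,999 | >10,000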
SIL Rating
SIL = Safety Integrity Level
The SIL is a measure of functional integrity needed in order to reduce the overall hazard risk to an acceptable
level. It is correlated to the SIF RRF (above). The higher the SIL level the higher integrity needed for the function.
This functional integrity can be increased by a combination of factors, including testing frequency, device type,
device diagnostics and voting arrangement.
Equipment Tag
Enter the equipment identification for all equipment used by the SIF
Voting
This is the architecture of the equipment subsystem. Although there are many possible architectures, this
spreadsheet is programmed to include only the most likely for each subsystem. These include 1oo1, 2oo2, 1oo2
and 2oo3. Each subsystem can have its own architecture. For example, a single SIF could have 2oo3 sensors,
1oo1 logic solver and 1oo1 final elements.
What is an EQUIPMENT SUBSYSTEM?
Type
Select the equipment type that is currently used for each equipment subsystem in the SIF. This spreadsheet is
programmed to include only some of the most likely for each subsystem. The user can also supply their own
information by completing the "Custom" fields on the "Data" tab.
What is an EQUIPMENT SUBSYSTEM?
Description
Once the user has selected the equipment type this field will be automatically filled with the device description.
Also included in the description are some of the assumptions made when estimating the failure rates. If the
function is not developed per the description then the integrity calculation may not calculate the integrity of
your function.
Be sure to check all the SIL Verification Assumptions to ensure your function is being modeled properly!
Failure Rate, dangerous undetected, per hr
The equipment failure rate is the rate at which an undetected, function inhibiting failure will occur. When you
select a piece of equipment its tentative failure rate is automatically put into this field. The Failure rates included
in this spreadsheet are for "generic" devices for each type. They are a conglomeration of industry experience,
field data, publicly printed information and Failure Modes & Effects studies. They may be MORE or LESS
conservative than what you experience at your facility. They should only be used as an approximation and
should be replaced by data from your organization, which is tailored to your specific usage, environment and
maintenance pattern. The failure rate information can be modified through the "Data" tab.
Failure rate is one key component in determining the Risk Reduction Achieved for the SIF. The higher the failure
rate the lower the risk reduction achieved and thus the lower the performance.
IT IS CRITICAL THAT THE FAILURE RATES USED IN THIS SPREADSHEET BE REVIEWED AND CONFIRMED (OR
REVISED) TO ACCOUNT FOR YOUR OWN FACILITY. THIS CAN BE DONE THROUGH REVIEWING
INDUSTRY/LOCATION SPECIFIC INFORMATION, EQUIPMENT VENDOR DATA, LOCAL MAINTENANCE RECORDS, OR
OTHER METHODS. IF THIS IS NOT DONE THE RESULTS WILL NOT NECESSARILY REFLECT THE RISK REDUCTION
ACHIEVED AT YOUR SITE!
Test Interval, years
Test interval is the maximum time expected to elapse between full functional test of the SIF. It is a value that
must be entered by the user. This spreadsheet assumes a single functional test will be performed that checks
starting at the sensing element, through the sensor, through the logic solver and to the final element, where the
output action will be observed.
Testing should not be done simply by forcing the sensor signal through a device communicator and by forcing
the output by manipulating it locally.
Test interval is one key component in determining the Risk Reduction Achieved for the SIF. The more frequent
the test interval the higher the risk reduction achieved and thus the higher the performance.
Max SIL Approved
The Max SIL Approved is the highest SIL capable for each subsystem. For sensors, final elements and final
element interfaces the Max SIL is determined primarily by what voting has been selected. Not accounting for the
benefit of diagnostics, only 1oo2 and 2oo3 voting can be approved for SIL 2 functions. Max SIL Approved is
automatically determined by the spreadsheet.
In practice the Max SIL also depends on the device type, diagnostic elements, safe-to-dangerous failure ratio and
"prior use" claim. For logic solvers these factors ARE included in determining Max SIL. For sensors, final elements
and final element interfaces, this spreadsheet does not account for all those factors in determining Max SIL.
Refer to IEC-61508 for more details.
EACH equipment subsystem must be greater than or equal to the Selected SIL in order for the function to be
capable for that SIL level.
What is an EQUIPMENT SUBSYSTEM?
Probability of Failure on Demand (PFD):
The PFD is calculated by the spreadsheet based on the voting arrangement, equipment dangerous failure rate
and test interval. The calculation is done as described in the IEC-61511 Technical Reports. The PFD is determined
for EACH equipment subsystem for informational purposes. For the complete SIF PFD, the subsystem PFDs are
summed.
What is an EQUIPMENT SUBSYSTEM?
SIF PFD
SIF Probability of Failure on Demand (PFD) is the combined PFD for all equipment subsystems that comprise the
SIF. It represents the probability that a demand will be placed on the function and the function will fail to
respond. The lower the PFD the better safety performance of the function. SIF PFD is dependent upon the voting
arrangement, equipment failure rate and test interval for the function.
SIF RRF
SIF Risk Reduction Factor (RRF) is a measure of the amount of hazard protection that the safety function
provides. It is equal to (SIF PFD)^-1. The higher the RRF the better safety performance of the function. SIF RRF is
dependent upon the voting arrangement, equipment failure rate and test interval for the function.
Does Function meet RRF Required?
In order for the function to be compatible with IEC-61511 design standards, the function RRF achieved must be
greater than or equal to the RRF required. ALSO, the function must have Fault Tolerance criteria satisfied.
The function RRF achieved must be greater than or equal to the RRF required because that demonstrates that
the function provides sufficient risk reduction for the hazard, as determined by the SIL selection team.
Is Fault Tolerance Achieved?
In order for the function to be compatible with IEC-61511 design standards, the function RRF achieved must be
greater than or equal to the RRF required. ALSO, the function must have Fault Tolerance criteria satisfied.
Fault Tolerance is a concept that describes how many individual components in the system can fail without
compromising the function performance. It is primarily based on architecture, although device characteristics
such as safe-to-dangerous failure ratio, diagnostics and device type will also have some impact on Fault
Tolerance.
As an example (and ignoring device characteristics), 1oo1 and 2oo2 architecture have 0 level of fault tolerance. If
any component fails the function will fail to operate. 1oo2 and 2oo3 architecture have 1 level of fault tolerance.
Each component has some redundancy so a single failure will still allow the function to operate.
IEC-61511 requires that, again ignoring device characteristics, any function that is SIL 2 must have 1 level of fault
tolerance, regardless of the RRF achieved. When device characteristics are included it is possible for high-
performance subsystems to satisfy this requirement even though a single device is employed.
This spreadsheet ignores the effects of diagnostics and other device characteristics for purposes of fault tolerance
determination for sensors, final elements and final element interfaces. It is included for logic solvers.
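The SIL Selection and SIL Verification arithmetic for the Tank #219 case, as an added Python example that is not the spreadsheet's own formulas and that goes beyond the page by covering all four voting options. The simplified PFD equations are an assumption, chosen because with the stated 10% beta factor they reproduce the page's figures (RRF required 110, SIF RRF 785); all function and variable names are hypothetical, and the single-sensor case is a constructed variation.

```python
from math import prod

HOURS_PER_YEAR = 8760
BETA = 0.10  # common cause fraction from the SIL Verification Assumptions

# ASSUMPTION: commonly used simplified low-demand PFD equations, not taken from
# the spreadsheet. x = dangerous undetected failure rate (per hr) * test interval (hr).
PFD_EQUATIONS = {
    "1oo1": lambda x, beta: x / 2,
    "2oo2": lambda x, beta: x,
    "1oo2": lambda x, beta: x**2 / 3 + beta * x / 2,
    "2oo3": lambda x, beta: x**2 + beta * x / 2,
}
# Max SIL Approved by voting, copied from the page's voting lists.
MAX_SIL_BY_VOTING = {"1oo1": 1, "1oo2": 2, "2oo2": 1, "2oo3": 2}


def rrf_required(scenarios, tmel_per_year):
    """Sum of (initiating event frequency / product of IPL RRFs), divided by the TMEL."""
    mitigated = sum(freq / prod(ipl_rrfs) for freq, ipl_rrfs in scenarios)
    return mitigated / tmel_per_year


def sil_for_rrf(rrf):
    """SIL band for an RRF (10-99 -> 1, 100-999 -> 2, ...); 0 means below SIL 1."""
    for sil, upper in ((0, 10), (1, 100), (2, 1_000), (3, 10_000)):
        if rrf < upper:
            return sil
    return 4


def subsystem_pfd(ldu_per_hr, voting, test_interval_years, beta=BETA):
    """PFD of one equipment subsystem for its voting arrangement."""
    x = ldu_per_hr * test_interval_years * HOURS_PER_YEAR
    return PFD_EQUATIONS[voting](x, beta)


def verify_sif(subsystems, required_rrf, target_sil):
    """Achieved PFD and RRF plus the two pass/fail checks of SIL Verification STEP 2."""
    pfds = {s["name"]: subsystem_pfd(s["ldu"], s["voting"], s["ti_years"])
            for s in subsystems}
    sif_pfd = sum(pfds.values())  # subsystem PFDs are summed for the complete SIF
    # A logic solver carries its own Max SIL (device list); the rest use voting only.
    max_sils = [s.get("max_sil", MAX_SIL_BY_VOTING[s["voting"]]) for s in subsystems]
    return {
        "pfds": pfds,
        "sif_pfd": sif_pfd,
        "sif_rrf": 1 / sif_pfd,
        "meets_rrf": 1 / sif_pfd >= required_rrf,
        "fault_tolerance_ok": all(m >= target_sil for m in max_sils),
    }


# Inputs transcribed from the Tank #219 case on the page.
TMEL = 1e-5
SCENARIOS = [
    (0.1, [10, 10, 10, 1, 1]),  # operator error: operator intervention, BPCS, occupancy
    (0.1, [10, 10, 1, 1, 1]),   # BPCS failure: operator intervention, occupancy
]
SUBSYSTEMS = [
    {"name": "sensor", "voting": "1oo2", "ldu": 5.00e-7, "ti_years": 1},
    {"name": "logic_solver", "voting": "1oo1", "ldu": 1.00e-8, "ti_years": 1, "max_sil": 3},
    {"name": "final_element", "voting": "1oo2", "ldu": 1.35e-6, "ti_years": 1},
    {"name": "fe_interface", "voting": "1oo2", "ldu": 8.00e-7, "ti_years": 1},
]
# Constructed variation (not on the page): the same SIF with a single 1oo1 sensor.
SINGLE_SENSOR = [dict(SUBSYSTEMS[0], voting="1oo1")] + SUBSYSTEMS[1:]


def run_case(subsystems):
    """SIL selection followed by SIL verification for one hardware arrangement."""
    required = rrf_required(SCENARIOS, TMEL)
    target = sil_for_rrf(required)
    return required, target, verify_sif(subsystems, required, target)


if __name__ == "__main__":
    for label, subs in (("page case", SUBSYSTEMS), ("1oo1 sensor", SINGLE_SENSOR)):
        required, target, r = run_case(subs)
        print(f"{label}: RRF required {required:.0f} (SIL {target}), "
              f"SIF PFD {r['sif_pfd']:.4f}, SIF RRF {r['sif_rrf']:.0f}, "
              f"meets RRF: {r['meets_rrf']}, fault tolerance: {r['fault_tolerance_ok']}")
```

The single-sensor variation still exceeds the required RRF but fails the fault tolerance check, which is the case the text describes for SIL 2 functions "regardless of the RRF achieved".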
Equipment Subsystem
A SIF comprises four subsystems: Sensor, Logic Solver, Final Element and Final Element Interface. They
operate together to provide a response when an abnormal and potentially hazardous situation happens.
SENSOR
A sensor is the name of the subsystem that directly touches the process material and provides a measurement
of at least one of its properties.
Common sensors include level switches, level transmitters, pressure switches/transmitters and thermocouples.
LOGIC SOLVER
A logic solver is the name of the subsystem that detects the input and allows an action to a final element. A
"logic solver", as used in this spreadsheet, can be a programmable or a non-programmable device.
Common logic solvers include a PLC, relay or trip amp.
FINAL ELEMENT (FE)
A final element is the name of the subsystem that takes action to prevent the hazard. It is usually either
contacting the process fluid or is as close as possible to contacting the process fluid.
Common final elements include a valve or a pump motor starter.
FE INTERFACE
A final element interface is the name of the subsystem that interposes between the logic solver and final
element. It sometimes transduces a signal from one physical form to another. It does not directly contact the
process fluid.
Common final element interfaces include a solenoid (that dumps air from a shutoff valve) or relay (that closes a
motorized valve or stops a pump).
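Safety Integrity Level (SIL) | 1 | 2 | 3 | 4
Probability of Failure on Demand (PFD) for the function | 10%-1% | 1%-0.1% | 0.1%-0.01% | <0.01%
Risk Reduction Factor | 10-99 | 100-999 | 1,000-9,999 | >10,000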
Sensor List: | Ldu | Description
Generic Float Switch | 1.25E-06 | Level switch, generic, float type
Generic Mechanical Switch | 3.60E-06 | Level switch, generic, mechanical limit type
Generic Radar | 5.00E-07 | Generic radar, overrange and underrange PLC diagnostics, vote to trip on error
Generic Servo Gauge | 1.00E-06 | Generic servo gauge, mechanical, no diagnostics
Other - Custom | 1.10E-06 | <description of device here>
LS List: | Ldu | Description | Max SIL Approved
Generic PLC, not SIL rated | 6.47E-06 | Generic Industrial PLC, no special safety diagnostics | 1
Generic Relay | 3.00E-07 | Generic electromechanical relay, DTT | 2
Generic Relay with Trip Amp | 5.50E-07 | Generic electromechanical relay, DTT, with trip amplifier | 1
Generic SIL-3 PLC | 1.00E-08 | Generic SIL 3 Certified PLC, with diagnostics | 3
Other - Custom | 1.10E-06 | <description of device here> | 1
Final Element (FE) List | Ldu | Description
Generic Ball or Globe valve | 1.35E-06 | Generic air actuated ball or globe valve, spring return, fail safe
Generic control valve | 4.50E-07 | Generic control valve, frequently used for control, indep of initiating event
Generic motor actuated valve | 5.00E-06 | Generic motor operated valve
Generic pump motor starter | 3.00E-07 | Generic motor starter circuit, DTT
Other - Custom | 1.10E-06 | <description of device here>
FE Interface List | Ldu | Description
Generic 3-way solenoid | 8.00E-07 | Generic solenoid operated valve, 3-way, DTT
Generic interposing relay | 1.60E-07 | Generic interposing relay, dry contact
Other - Custom | 1.10E-06 | <description of device here>
IPL List | RRF
BPCS (Control Loop) | 10
None | 1
Occupancy (<10%) | 10
Operator Intervention | 10
Other | 1
Sensor, LS Voting List | Max SIL Approved (from IEC Fault Tolerance Table)
1oo1 | 1
1oo2 | 2
2oo2 | 1
2oo3 | 2
FE, FE Interface Voting List | Max SIL Approved
1oo1 | 1
1oo2 | 2