CONFIDENTIAL INFORMATION
This document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.
TurboSentry™ Overspeed Protection Device IEC 61511 Compliance and SIL Verification Report
Harry L. Cheddie, P. Eng, Cteris Consulting Inc. - Director; ASQ Certified Reliability Engineer (CRE); ASQ Certified Quality Engineer (CQE); Certified Functional Safety Expert (CFSE)
Document ID | Revision | Status | Date
C11-02-28 R1 | 1 | Issued | 25 March 2011
TurboSentry - IEC 61511 Compliance and SIL Verification Report Reference: C11-02-28 R1
Terms
AC: Architectural Constraints are stipulated by IEC 61508 and IEC 61511 to limit the SIL that can be claimed for any safety function on the basis of its hardware fault tolerance and its Safe Failure Fraction (SFF). They require a subsystem to have a minimum level of redundancy based on its SFF to ensure the required hardware fault tolerance. For a device with a low SFF, redundancy may be required to satisfy SIL requirements.
Fixed program language (FPL): With this type of language, the user is limited to adjustment of a few parameters (for example, range of the pressure transmitter, alarm levels, network addresses). Typical examples of devices with FPL are: smart sensor (for example, pressure transmitter), smart valve, sequence of events controller, dedicated smart alarm box, small data logging systems.
Limited variability language (LVL): This type of language is designed to be comprehensible to process sector users, and provides the capability to combine predefined, application specific, library functions to implement the safety requirements specifications. An LVL provides a close functional correspondence with the functions required to achieve the application. Typical examples of LVL include ladder diagram, function block diagram and sequential function chart.
Full variability language (FVL): This type of language is designed to be comprehensible to computer programmers and provides the capability to implement a wide variety of functions and applications. Typical examples of systems using FVL are C, Pascal, Instruction List, assembler languages, C++, Java, SQL.
Hardware Fault Tolerance (HFT): Refer to section 6 of this report
IEC: International Electrotechnical Commission prepares and publishes international standards for all electrical, electronic and related technologies.
PFD: Probability of Failure upon Demand is a confidence factor that a device will function as prescribed when it is demanded to do so. For example, a temperature transmitter has a continuous demand to report a proper temperature measurement while an emergency shutdown valve must only operate in an emergency condition.
RRF: Risk Reduction Factor is a measure of how much protection is afforded to the system by application of a specific Safety Function
SFF: Safe Failure Fraction is the fraction of the overall random hardware failure rate of a device that results in either a safe failure or a detected dangerous failure. The SFF data contributes to a decision for the level of redundancy required to reach the required Safety Integrity Level (SIL) of the Safety Function (e.g., 1 out of 1; 1 out of 2; or 2 out of 3 architecture).
SIF: Safety Instrumented Function - Safety Function with a specified Safety Integrity Level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function.
SIL: Safety Integrity Levels (SIL-1, SIL-2, SIL-3 and SIL-4) identify increasing levels of required risk reduction. The Safety Integrity Level (SIL) achieved for a Safety Instrumented Function is an indication of its ability to function correctly when required. The four discrete integrity levels have been defined in the standard ANSI/ISA-84.00.01-2004 (IEC 61511 Mod). Each level relates to the average probability of failure when a demand is placed on the system (PFDavg). This relates to the risk reduction as per table 1 below:
Table 1
SIL | Risk Reduction Factor (RRF)
1 | 10 – 100
2 | 100 – 1,000
3 | 1,000 – 10,000
4 | 10,000 – 100,000
SIS: Safety Instrumented System - Instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Abbreviations
FIT Failure In Time (1 × 10^-9 failures per hour)
FPL Fixed program language
FTA Fault tree analysis
FVL Full variability language
HFT Hardware fault tolerance
IEC International Electrotechnical Commission
LVL Limited variability language
MTTFS Mean Time to Fail Spurious
MTTR Mean Time to Repair
PTI Proof Test Interval
PES Programmable electronic system
PFD Probability of failure on demand
PFDavg Average probability of failure on demand
PLC Programmable logic controller
SFF Safe failure fraction
SIF Safety instrumented function
SIL Safety integrity level
SIS Safety instrumented system
S/W Software
RRF Risk Reduction Factor
Table of Contents
Terms  2
Abbreviations  4
1 Introduction  6
2 Product description  8
2.1 TurboSentry Details  9
3 Analysis of Failure Modes for TurboSentry main components  10
4 Failure Modes Effects and Diagnostics Analysis (FMEDA)  11
4.1 Methodology  11
4.2 Failure categories and descriptions  12
4.3 Failure rate data  12
4.4 Design information used  13
5 Results of Failure Modes Effects and Diagnostics Analysis (FMEDA)  13
Table 4 - Failure rates (FITS)  13
6 Requirements for hardware fault tolerance - IEC 61511 Clause 11.4  14
7 Requirements for prior use  16
8 PFD/ SIL verification results  20
8.1 Block diagram  20
8.2 Component failure rates  20
8.3 Results of PFDavg Calculations  21
9 Summary of results  21
10 Conclusions  22
Appendix A - Reference Documents  23
Appendix B - Analysis and Results for 2oo2 output voting  24
Appendix C - Analysis and Results for 1oo1 output voting  25
1 Introduction
The TurboSentry™ Overspeed Protection Device is a product developed by Invensys Triconex. It is intended to be used for the overspeed protection of rotating equipment.
The use of this product for safety applications in the process industries can be covered by either of the following International Safety Standards:
• IEC 61508 – “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems”
• ANSI/ISA-84.00.01-2004 (IEC 61511 Mod) – “Functional Safety – Safety Instrumented Systems for the Process Industry Sector”.
Based on the ANSI/ISA-84.00.01-2004 standard (Clause 11.5.2.1), components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with clauses 11.4 and 11.5.3 to 11.5.6 of ANSI/ISA-84.00.01-2004, as appropriate.
Clause 11.4 relates to the Requirements for hardware fault tolerance
Clause 11.5.3 relates to the Requirements for the selection of components and subsystems based on prior use
Clause 11.5.4 relates to the Requirements for selection of FPL programmable components and subsystems based on prior use
Clause 11.5.5 relates to the requirements for the selection of LVL programmable components and subsystems based on prior use
Clause 11.5.6 relates to the requirements for the selection of FVL programmable components and subsystems
Irrespective of whether the use of a product is based on IEC 61508 or ANSI/ISA-84.00.01-2004, it has to be demonstrated that the component or subsystem:
a) is reliable enough to achieve the overall target PFD or target dangerous failure rate of the safety instrumented function,
b) meets the architectural constraint requirement, and
c) has a sufficiently low likelihood of systematic faults.
The requirement of c) can be satisfied by compliance with the prior use requirements of ANSI/ISA-84.00.01-2004.
This report provides the design details and the basis/results of a detailed evaluation for the TurboSentry Overspeed Protection device for compliance with the appropriate requirements of ANSI/ISA-84.00.01-2004. As part of the evaluation the Safety Integrity Level (SIL) achieved for the product is documented.
An FMEDA evaluation of the product was carried out in order to determine the failure rates required to calculate the PFDavg and SFF parameters.
Summary of results
Based on the analysis we have concluded that the TurboSentry overspeed trip system can be used for SIL 2 applications provided that the two digital trip outputs are wired for 1oo2 voting.
Table 2 below summarizes the results for this configuration.
Table 2
Mode of operation | Prior use requirements | SIL achieved based on Architectural constraints requirements | PFDavg | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 1oo2 as per Fig 1 | OK | 2 | 1.09E-3 | 2 | 916 | 2
2 Product description
The TurboSentry™ is an electronic overspeed trip device designed to provide reliable overspeed trip protection for rotating equipment using magnetic speed sensors to determine rotational speed. The TurboSentry monitors up to three magnetic speed sensors and trips the rotating equipment if at least two of the sensors simultaneously detect an overspeed condition. Two independent relays take the separately voted trip information and activate accordingly.
Figure 1 - TurboSentry™ schematic.
[Figure: speed pickups Sensor A, Sensor B and Sensor C feed Speed Processor 1, 2 and 3; the processors feed two voter logic blocks (A and B), each driving a relay to the trip valve (1oo2 voting for TurboSentry outputs). Also shown: Interface Processor, Operator Interface, Power Supplies, and Alarm and Analog outputs (4-20 mA). Figure note: for 1oo2 output voting, a dangerous failure of a single voter logic or relay will not lead to a loss of Safety Function.]
2.1 TurboSentry Details
The key features of the device are:
• Accepts three independent speed measurement inputs from magnetic speed sensors
• Overspeed trip (2 out of 3 voting) via three independent speed processors
• Two trip outputs from redundant voters
• Two alarm outputs
• Two force-trip inputs
• One 4–20 mA output indicating highest selected speed
• Dual-redundant power input (18–30 V DC) and distribution
• Dual power sources available for all processors
• Operator interface display
• Diagnostics
o Speed sensor failure
o Speed fail-safe timer
o Sensor continuity
o Check for communication loss
o Speed difference between the speed sensors
o Speed processor failure
The programming language is classified as Fixed program language (FPL) because only an adjustment of a few parameters is allowed.
3 Analysis of Failure Modes for TurboSentry main components
The failure modes and effects associated with the failure of a single main component are as per table 3 below. This is based on the outputs wired for 1oo2 voting as per Fig 1. [1]
Table 3 - FMEA results for single component failure
# | Speed processor | Display processor | Operators interface panel | Voter logic / Trip relay | Single Power supply | Effect of Failure
1 | Processor A or B or C fails dangerously | OK | OK | OK | OK | No loss of Safety Functions. Voting is 2oo3 hence the other 2 active processors will provide the trip function.
2 | OK | Display Processor fails dangerously | OK | OK | OK | No loss of Safety Functions.
3 | OK | OK | Interface Panel fails | OK | OK | No loss of Safety Functions.
4 | OK | OK | OK | Voter logic or trip relay for A or B fails dangerously | OK | No loss of Safety Functions. Output voting is 1oo2. Second output will enable trip.
5 | OK | OK | OK | OK | Loss of power supply | No loss of Safety Functions.
Based on the above analysis, if the output voters and relays are wired as 1oo2, no single failure will cause a loss of the Safety Function.
[1] Refer to Appendix B and C for a summary of the results of an evaluation with the outputs wired for 2oo2 and 1oo1 voting.
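Table 3 walks through single failures by hand. The block below is an added example (a constructed model written for this edit, not the vendor's firmware or the report's analysis tool): it encodes the 2oo3 speed-processor vote and the two voter/relay outputs from Fig 1, injects a dangerous (fail-to-trip) fault at each of the five sites, and checks whether a real overspeed still trips the valve. It then derives the hardware fault tolerance of each output wiring by brute force over fault combinations, which is the basis of the HFT = 1 claim for 1oo2 and HFT = 0 for 1oo1 and 2oo2 used later in the report and its appendices. Site names (P1..P3, VA, VB) and the treatment of output B as unused in 1oo1 wiring are assumptions of the model.

```python
from itertools import combinations

# Constructed model: three speed processors (P1..P3) voted 2oo3, feeding two
# voter-logic/relay outputs (VA, VB). A "dangerous" fault here means the
# component can no longer contribute to a trip (fail-to-trip).
FAULT_SITES = ("P1", "P2", "P3", "VA", "VB")


def trips_on_overspeed(failed, wiring):
    """True if the trip valve is tripped on a real overspeed, given the set of
    sites that have failed dangerously and the output wiring (1oo1, 1oo2, 2oo2)."""
    processor_votes = [site not in failed for site in ("P1", "P2", "P3")]
    trip_request = sum(processor_votes) >= 2          # 2oo3 speed processor voting
    relay = {v: trip_request and v not in failed for v in ("VA", "VB")}
    if wiring == "1oo1":
        return relay["VA"]                            # only output A wired to the valve (assumption)
    if wiring == "1oo2":
        return relay["VA"] or relay["VB"]             # either relay is enough to trip
    if wiring == "2oo2":
        return relay["VA"] and relay["VB"]            # both relays must act to trip
    raise ValueError(f"unknown wiring {wiring!r}")


def single_faults_losing_trip(wiring):
    """Every single dangerous fault that defeats the safety function (Table 3 style)."""
    return [site for site in FAULT_SITES if not trips_on_overspeed({site}, wiring)]


def hardware_fault_tolerance(wiring):
    """Largest number of simultaneous dangerous faults that can never lose the trip."""
    for k in range(1, len(FAULT_SITES) + 1):
        for combo in combinations(FAULT_SITES, k):
            if not trips_on_overspeed(set(combo), wiring):
                return k - 1
    return len(FAULT_SITES)


if __name__ == "__main__":
    for wiring in ("1oo2", "2oo2", "1oo1"):
        lost = single_faults_losing_trip(wiring)
        print(f"outputs {wiring}: HFT = {hardware_fault_tolerance(wiring)}, "
              f"single faults losing the trip = {lost or 'none'}")
```

For 1oo2 wiring no single fault loses the trip and the first losing combination is two dead speed processors, so HFT comes out as 1; for 2oo2 either relay alone defeats the function and for 1oo1 the wired relay does, giving HFT 0 in both cases, matching Table 5.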
4 Failure Modes Effects and Diagnostics Analysis (FMEDA)
4.1 Methodology
The Failure Modes, Effects and Diagnostic Analysis (FMEDA) methodology was used to estimate the failure rates, failure modes, and diagnostic capability of the product subsystems by reviewing each individual component of the subsystem. The subsystems/modules reviewed are:
• Power Supply
• Single Speed Processor
• Single Voter logic, relay and analog output
• Interface processor and display
FMEDA is a technique recommended to generate failure rates for each important category, i.e. safe detected, safe undetected, and dangerous detected.
FMEDA is an extension of the Failure Modes and Effects Analysis (FMEA) method that is widely used in the manufacturing and process industries to identify and evaluate the effects of different component failure modes, and to determine what action could be taken to eliminate or reduce the likelihood of failures.
The FMEA methodology as per MIL STD 1629A, Failure Modes and Effects Analysis, is extended to include safe and dangerous failure rates and to identify whether the failures can be detected via diagnostics.
An Excel spreadsheet was used to document and evaluate the results of the analysis. The format for the FMEDA used is shown below.
Component | Failure Modes | Effect of Failure | Diagnostic Capable | Failure Rates (Total FIT / Safe / Dangerous) | Diagnostic coverage factors (Safe Coverage Factor / Dangerous Coverage Factor)
Component 1 | Mode 1 | Output high | Y | |
Component 1 | Mode 2 | Output low | N | |
Component 1 | Mode 3 | No Effect | N | |
Component 2 | Mode 1 | Output high | N | |
Component 2 | Mode 2 | Output low | Y | |
Component 2 | Mode 3 | No Effect | N | |
Total (FIT) | | | | |
Percent Safe Failures XX% | | | | | Safe Coverage XX%
4.2 Failure categories and descriptions
By inputting the data for each component we are able to calculate the following for each of the subsystems listed:
λ Total failure rate
λS Safe failure rate
λD Dangerous failure rate
λSD Safe Detected failure rate
λSU Safe Undetected failure rate
λDD Dangerous Detected failure rate
λDU Dangerous Undetected failure rate
λNE No effect failure rate
%Safe Percentage of failures that will result in a safe effect
CD Dangerous Coverage factor (automated diagnostics)
CS Safe Coverage factor (automated diagnostics)
SFF Safe Failure Fraction
Fail Safe: failures that cause the subsystem/module to go to the defined fail-safe state without a demand from the process. Safe failures are divided into safe detected (SD) and safe undetected (SU) failures.
Fail Dangerous Undetected: dangerous failures that are not diagnosed by internal diagnostics.
Fail Dangerous Detected: dangerous failures that are diagnosed by internal diagnostics.
Fail No Effect: failure of a component that is part of the safety function but that has no effect on the safety function.
Refer to section 6 for a definition of SFF.
4.3 Failure rate data
The failure rate data sources used by Ceteris in this FMEDA review are listed in Appendix A of this report.
4.4 Design information used
The following information relating to the design of the product was used to obtain design and component data for the TurboSentry™ electronic overspeed trip device:
User manual for Turbo Sentry. Doc # 9720090-003
TurboSentry BOM_050901
PCB Schematics Dwg # 69SC3084 Sht 1 of 8
PCB Schematics Dwg # 69SC3084 Sht 2 of 8
PCB Schematics Dwg # 69SC3084 Sht 3 of 8
PCB Schematics Dwg # 69SC3084 Sht 4 of 8
PCB Schematics Dwg # 69SC3084 Sht 5 of 8
PCB Schematics Dwg # 69SC3084 Sht 6 of 8
PCB Schematics Dwg # 69SC3084 Sht 7 of 8
PCB Schematics Dwg # 69SC3084 Sht 8 of 8
5 Results of Failure Modes Effects and Diagnostics Analysis (FMEDA)
The failure rates calculated for the 4 subsystems/modules listed in section 4.1 are as per table 4 below.
Table 4 - Failure rates (FITS)
Failure category | Power Supply | Single Speed Processor | Single Voter logic, relay and analog output | Interface processor and display
Fail Safe | 1628 | 623 | 654 | 0
Fail Dangerous Detected | 250 | 596 | 333 | 0
Fail Dangerous Undetected | 0 | 411 | 560 | 0
No Effect failures | 0 | 0 | 60 | 628
Safe Failure Fraction (SFF) | 1 | 0.75 | 0.64 | 1
6 Requirements for hardware fault tolerance - IEC 61511 Clause 11.4
Based on IEC 61511 Clause 11.4, sensors, logic solvers and final elements shall have a minimum hardware fault tolerance. Hardware fault tolerance is the ability of a component or subsystem to continue to be able to undertake the required safety instrumented function in the presence of one or more dangerous faults in hardware. A hardware fault tolerance of 1 means that there are, for example, two devices and the architecture is such that the dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring.
The hardware fault tolerance for various architectures is as per table 5 below:
Table 5
Architecture | Hardware Fault Tolerance
1oo1 | 0
1oo2 | 1
2oo2 | 0
2oo3 | 1
1oo3 | 2
The TurboSentry™ Overspeed Protection Device is a logic solver with 2oo3 speed processor voting and 1oo2 output voting.
As per IEC 61511 Clause 11.4.2, for PE logic solvers, the minimum hardware fault tolerance shall be as shown in Table 6 below.
Table 6 – Minimum hardware fault tolerance of PE logic solvers
The SFF for the various modules as per table 4 are based on the equation below:
For outputs wired for 1oo2 as per Fig 1, the HFT = 1 since in this mode the device can tolerate a single failure without a loss of the Safety functions. Since the module with the lowest SFF is the Single Voter logic, relay and analog output, SFF = 0.64. For this case SIL 2 is being achieved as per table 6.
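Table 4 reports an SFF per module and section 6 applies the architectural constraints to the module with the lowest SFF. The block below is an added example (written for this edit, not the report's spreadsheet) that recomputes the Table 4 SFF column from the FMEDA category totals using the IEC 61508 definition SFF = (λS + λDD)/(λS + λDD + λDU), with no-effect failures excluded, and then applies the hardware-fault-tolerance lookup of IEC 61511-1 Table 6 for PE logic solvers (SFF bands below 60 %, 60 % to below 90 %, and 90 % and above) to the Table 5 HFT of each output wiring. The Table 6 entries are reproduced from the standard as I know it (SIL 4 is omitted because the standard refers to IEC 61508 for it); the names `ModuleFmeda`, `sil_by_architectural_constraints` and `architectural_sil_for_wiring` are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleFmeda:
    """FMEDA category totals for one module, in FIT (failures per 1e9 hours)."""
    name: str
    fail_safe: float             # lambda_S  (safe detected + safe undetected)
    dangerous_detected: float    # lambda_DD
    dangerous_undetected: float  # lambda_DU
    no_effect: float = 0.0       # lambda_NE, excluded from the SFF

    def sff(self) -> float:
        # IEC 61508 definition: (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).
        # A module whose only failures are "no effect" is reported as SFF = 1, as in Table 4.
        total = self.fail_safe + self.dangerous_detected + self.dangerous_undetected
        if total == 0:
            return 1.0
        return (self.fail_safe + self.dangerous_detected) / total


# Failure rates transcribed from Table 4 of the report (FIT).
TABLE_4 = (
    ModuleFmeda("Power Supply", 1628, 250, 0, 0),
    ModuleFmeda("Single Speed Processor", 623, 596, 411, 0),
    ModuleFmeda("Single Voter logic, relay and analog output", 654, 333, 560, 60),
    ModuleFmeda("Interface processor and display", 0, 0, 0, 628),
)

# Table 5 of the report: hardware fault tolerance of common voting architectures.
HFT_BY_ARCHITECTURE = {"1oo1": 0, "1oo2": 1, "2oo2": 0, "2oo3": 1, "1oo3": 2}

# IEC 61511-1 Table 6, minimum HFT of PE logic solvers, indexed [SIL][SFF band].
# SFF band 0: SFF < 60 %; band 1: 60 % <= SFF < 90 %; band 2: SFF >= 90 %.
MIN_HFT_PE_LOGIC_SOLVER = {1: (1, 0, 0), 2: (2, 1, 0), 3: (3, 2, 1)}


def sff_band(sff: float) -> int:
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    return 2


def sil_by_architectural_constraints(sff: float, hft: int) -> int:
    """Highest SIL (0 = none) that the architectural constraints allow for this SFF and HFT."""
    achieved = 0
    for sil in (1, 2, 3):
        if hft >= MIN_HFT_PE_LOGIC_SOLVER[sil][sff_band(sff)]:
            achieved = sil
    return achieved


def worst_case_sff(modules=TABLE_4) -> float:
    """The report takes the module with the lowest SFF as governing."""
    return min(m.sff() for m in modules)


def architectural_sil_for_wiring(wiring: str, modules=TABLE_4) -> int:
    """SIL allowed by architectural constraints when the trip outputs are wired as `wiring`."""
    return sil_by_architectural_constraints(worst_case_sff(modules), HFT_BY_ARCHITECTURE[wiring])


if __name__ == "__main__":
    for m in TABLE_4:
        print(f"{m.name:45s} SFF = {m.sff():.2f}")
    for wiring in ("1oo2", "2oo2", "1oo1"):
        print(f"outputs {wiring}: HFT = {HFT_BY_ARCHITECTURE[wiring]}, "
              f"SIL by architectural constraints = {architectural_sil_for_wiring(wiring)}")
```

Running it reproduces the SFF column of Table 4 (1, 0.75, 0.64, 1) and the report's conclusion that the 0.64 voter module with HFT 1 (1oo2 outputs) is limited to SIL 2, while HFT 0 (1oo1 or 2oo2 outputs) limits it to SIL 1.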
7 Requirements for prior use
IEC 61511 requirements for prior use are based on the following clauses:
1. Clause 11.5.3 relates to the Requirements for the selection of components and subsystems based on prior use
2. Clause 11.5.4 relates to the Requirements for selection of FPL programmable components and subsystems based on prior use
3. Clause 11.5.5 relates to the requirements for the selection of LVL programmable components and subsystems based on prior use
4. Clause 11.5.6 relates to the requirements for the selection of FVL programmable components and subsystems
Items 3 and 4 above do not apply since the programming language for the TurboSentry is classified as Fixed program language (FPL).
The attached document “IEC 61511 Proven In Use / Prior Use Justification TurboSentry™ Overspeed Protection Device” provides the required justification for the TurboSentry.
IEC 61511 Proven In Use / Prior Use Justification
TurboSentry™ Overspeed Protection Device
1 Basis for Proven In Use / Prior Use Justification
IEC 61511 allows components to be used in Safety Instrumented Systems when a documented assessment has shown that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system. This document provides the required justification for the TurboSentry™ Overspeed Protection Device based on the requirements of IEC 61511.
1.1 Requirements
The justification for use is based on the following relevant IEC 61511 clauses:
Requirements | Yes/No | Rationale and reference
Clause 11.5.3.1 Appropriate evidence shall be available that the components and subsystems are suitable for use in the safety instrumented system.
Yes This is an established product. It has been, and is still being used worldwide for turbine overspeed trips since 2004. Between 2008 and 2010 over 275 units were sold for overspeed applications. During this period there is no record of any TurboSentry failure causing a machine to be damaged due to overspeed.
Clause 11.5.3.2 The evidence of suitability shall include the following:
• consideration of the manufacturer’s quality, management and configuration management systems;
Yes The product is designed by Invensys (Triconex) and manufactured by Grayhill, an ISO9001 certified company.
• adequate identification and specification of the components or subsystems;
Yes Refer to user manual for Turbo Sentry. Doc # 9720090-003
• demonstration of the performance of the components or subsystems in similar operating profiles and physical environments;
Yes Hundreds of devices are presently in use successfully worldwide
Clause 11.5.4.1 The requirements of 11.5.2 and 11.5.3 apply.
Clause 11.5.3 is addressed above. The requirements of 11.5.2 are: 11.5.2 General requirements
11.5.2.1 Components and subsystems selected for use as part of a safety instrumented system for SIL 1 to SIL 3 applications shall either be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate, or else they shall be in accordance with IEC 61511 clause 11.4 and 11.5.3 to 11.5.6, as appropriate.
Yes 11.4 relates to the requirements for hardware fault tolerance. Refer to section 6 of this report. 11.5.3 to 11.5.6 are addressed by this justification
11.5.2.2 Components and subsystems selected for use as part of a safety instrumented system for SIL 4 applications shall be in accordance with IEC 61508-2 and IEC 61508-3, as appropriate.
NA The use of this product for SIL 4 applications is not addressed.
11.5.2.3 The suitability of the selected components and subsystems shall be demonstrated through consideration of:
• manufacturer hardware and embedded software documentation;
• if applicable, appropriate application language and tool selection (see 12.4.4).
Yes Fixed program language (FPL) is used, and there are no known issues. The user manual for Turbo Sentry, Doc # 9720090-003, provides all configuration details.
11.5.2.4 The components and subsystems shall be consistent with the SIS safety requirements specifications.
Yes The SRS is to be developed by the end user based on their specific application requirements. This is highlighted in the conclusion section of this report.
NOTE For the selection of components and subsystems, all the other applicable aspects of this standard still apply, including architectural constraints, hardware integrity, behavior on detection of a fault and application software.
Yes All other aspects of the IEC 61511 standard apply wherever appropriate.
Clause 11.5.4.2 Unused features of the components and subsystems shall be identified in the evidence of suitability, and it shall be established that they are unlikely to jeopardize the required safety instrumented functions.
Yes Potential unused features are the analog output and digital outputs for alarms. Refer to section 3 of this report for a review of the impact of failures of the unused components of this product.
Clause 11.5.4.3 For the specific configuration and operational profile of the hardware and software, the evidence of suitability shall consider:
• characteristics of input and output signals;
• modes of use;
• functions and configurations used;
• previous use in similar applications and physical environments.
Yes For SIL 2 applications the outputs have to be configured for 1oo2 voting. There are no other suitability issues.
Based on the above documented assessment, we conclude that there is appropriate evidence, based on the previous use of the component, that the component is suitable for use in a safety instrumented system.
8 PFD/ SIL verification results
8.1 Block diagram
The block diagram that is the basis for the SIL verification calculations is as per Fig 2 below.
Fig 2
8.2 Component failure rates
The failure rates used in the calculation for the key components are as per table 7 below.
Table 7 - Failure rates for key components
Component | λ (Dangerous undetected) | λ (Dangerous detected) | λ (Safe)
Single Speed Processor | 0.411 × 10^-6 /hr | 0.596 × 10^-6 /hr | 0.623 × 10^-6 /hr
Single Voter logic and relay | 0.560 × 10^-6 /hr | 0.333 × 10^-6 /hr | 0.654 × 10^-6 /hr
8.3 Results of PFDavg Calculations
The results are as per table 8 below.
Table 8 – PFDavg calculation results
Mode of operation | Proof Test interval | PFDavg | RRF achieved | SIL achieved based on PFDavg
Outputs wired for 1oo2 as per Fig 1 | 12 months | 1.09E-3 | 916 | 2
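Section 8 states the PFDavg result and the inputs (Table 7, a 12-month proof test interval) but not the equations or the common-cause and repair assumptions behind the 1.09E-3 figure. The block below is an added example, not the report's calculation: it applies simplified average-PFD equations of the IEC 61508-6 Annex B form to the Table 7 λDU values, treating the 2oo3 speed-processor stage in series with a 1oo1, 1oo2 or 2oo2 output stage, and bands the result with the Table 1 RRF/PFDavg ranges. The common-cause factor β = 0.1 is an assumption, and the repair-time and dangerous-detected terms are deliberately neglected, so the values it produces for the 1oo2 case come out lower than the report's; the report's published PFDavg figures are the ones that govern. What the example shows is the shape of the calculation, how strongly the output wiring drives the result, and that the banding functions reproduce the report's SIL and RRF for its own figures. All function names are this example's own.

```python
HOURS_PER_YEAR = 8760.0

# Dangerous undetected failure rates per hour, transcribed from Table 7 of the report.
LAMBDA_DU_SPEED_PROCESSOR = 0.411e-6
LAMBDA_DU_VOTER_RELAY = 0.560e-6

# Simplified low-demand PFDavg equations (IEC 61508-6 Annex B form with the
# MTTR and lambda_DD terms neglected; assumption made for this example).
# t is the proof test interval in hours, beta the common-cause fraction.
def pfd_1oo1(ldu, t):
    return ldu * t / 2.0

def pfd_2oo2(ldu, t):
    return ldu * t

def pfd_1oo2(ldu, t, beta=0.0):
    return ((1.0 - beta) * ldu * t) ** 2 / 3.0 + beta * ldu * t / 2.0

def pfd_2oo3(ldu, t, beta=0.0):
    return ((1.0 - beta) * ldu * t) ** 2 + beta * ldu * t / 2.0


def output_stage_pfdavg(wiring, t, beta):
    """PFDavg of the two voter-logic/relay outputs for the chosen wiring."""
    if wiring == "1oo1":
        return pfd_1oo1(LAMBDA_DU_VOTER_RELAY, t)
    if wiring == "2oo2":
        return pfd_2oo2(LAMBDA_DU_VOTER_RELAY, t)
    if wiring == "1oo2":
        return pfd_1oo2(LAMBDA_DU_VOTER_RELAY, t, beta)
    raise ValueError(f"unknown wiring {wiring!r}")


def trip_system_pfdavg(wiring, pti_hours=HOURS_PER_YEAR, beta=0.1):
    """2oo3 speed-processor stage in series with the output stage: PFDs add."""
    return pfd_2oo3(LAMBDA_DU_SPEED_PROCESSOR, pti_hours, beta) + output_stage_pfdavg(wiring, pti_hours, beta)


def sil_from_pfdavg(pfd):
    """Low-demand SIL band for a PFDavg, consistent with the RRF ranges of Table 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def rrf(pfd):
    return 1.0 / pfd


if __name__ == "__main__":
    # The report's own published figures, banded by the functions above.
    for wiring, reported in (("1oo2", 1.09e-3), ("2oo2", 5.36e-3), ("1oo1", 2.91e-3)):
        print(f"report, outputs {wiring}: PFDavg {reported:.2e} -> SIL {sil_from_pfdavg(reported)}, RRF {rrf(reported):.0f}")
    # The simplified model, 12-month proof test, beta = 0.1 (assumed).
    for wiring in ("1oo2", "1oo1", "2oo2"):
        p = trip_system_pfdavg(wiring)
        print(f"simplified, outputs {wiring}: PFDavg {p:.2e} -> SIL {sil_from_pfdavg(p)}")
```

The simplified model ranks the wirings the same way the report does (1oo2 best, then 1oo1, then 2oo2) and shows why the output stage dominates: with λDU = 0.560 × 10^-6 /hr a single relay channel alone contributes λDU·T/2 ≈ 2.45E-3 over a 12-month interval, which already sits in the SIL 2 band.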
9 Summary of results
Based on a review of the 3 key IEC 61511 requirements, i.e.:
1. Prior use requirements
2. SIL achieved based on Architectural constraints requirements
3. SIL achieved based on PFDavg
we have concluded that the TurboSentry overspeed trip system can be used for SIL 2 applications provided that the two digital trip outputs are wired for 1oo2 voting.
Table 8 below summarizes the results for this configuration.
Table 8 - Results summary
Mode of operation | Prior use requirements | SIL achieved based on Architectural constraints requirements | PFDavg | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 1oo2 as per Fig 1 | OK | 2 | 1.09E-3 | 2 | 916 | 2
10 Conclusions
1. The TurboSentry™ Overspeed Protection Device is fit for use in applications up to SIL-2, provided that the outputs are wired for 1oo2 voting as per Fig 1 and the proof test interval (PTI) is at least every 12 months.
2. The TurboSentry™ Overspeed Protection Device is fit for use in applications up to SIL-1 if the outputs are wired for 1oo1 or 2oo2. Refer to Appendix B and C for additional details.
3. The end user has to ensure that the components and subsystems are consistent with the SIS Safety Requirements Specifications (SRS). The SRS is to be developed by the end user based on their specific application requirements.
4. Final verification calculations of the complete SIF, including sensors, logic solver, and all final elements, have to be completed by the end user to determine the SIL achieved for the complete function, to ensure that the function satisfies the SIL requirement.
Appendix A - Reference Documents
ANSI/ISA-84.00.01-2004 (IEC 61511 Mod), Functional Safety - Safety Instrumented Systems for the Process Industry Sector, Edition 1. Research Triangle Park, North Carolina, USA: ISA, 2004.
IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, Edition 1. Geneva, Switzerland: IEC, 2003.
User manual for Turbo Sentry, Doc # 9720090-003.
MIL-HDBK-217.
Appendix B - Analysis and Results for 2oo2 output voting
Fig 3 – 2oo2 output voting
Outputs wired for 2oo2 voting as per Fig 3 above
For outputs wired for 2oo2 as per Fig 3, the HFT = 0 since in this mode the device cannot tolerate a single failure without a loss of the Safety functions. Since the module with the lowest SFF is the Single Voter logic, relay and analog output, SFF = 0.64. For this case SIL 1 is being achieved as per table 6.
Table 8 - Results summary
Mode of operation | Prior use requirements | SIL achieved based on Architectural constraints | PFDavg | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 2oo2 as per Fig 3 | OK | 1 | 5.36E-3 | 2 | 187 | 1
Appendix C - Analysis and Results for 1oo1 output voting
Fig 4 – 1oo1 output voting
Outputs wired for 1oo1 voting as per Fig 4 above
For outputs wired for 1oo1 as per Fig 4, the HFT = 0 since in this mode the device cannot tolerate a single failure without a loss of the Safety functions. Since the module with the lowest SFF is the Single Voter logic, relay and analog output, SFF = 0.64. For this case SIL 1 is being achieved as per table 6.
Table 9 - Results summary
Mode of operation | Prior use requirements | SIL achieved based on Architectural constraints | PFDavg | SIL achieved based on PFDavg | RRF achieved | FINAL SIL achieved
Outputs wired for 1oo1 as per Fig 4 | OK | 1 | 2.91E-3 | 2 | 344 | 1