SIL Products & Services - rotork.com · SVM (Partial Stroke Test System) Rotork Fluid Systems’ patented, Smart Valve Monitor (SVM) is the most versatile and comprehensive partial

A4 US

US

A4

US

A4

A4 US

Redefining Flow Control

Market Leading SIL Solutions

SIL Products & Services

A4US

US

A4

US A4

US

A4

Section Page

2

Contents

Rotork is the global market leader in valve automation and flow control. Our products and services are helping organisations around the world to improve efficiency, assure safety and protect the environment.

We strive always for technical excellence, innovation and the highest quality standards in everything we do. As a result, our people and products remain at the forefront of flow control technology.

Uncompromising reliability is a feature of our entire product range, from our flagship electric actuator range through to our pneumatic, hydraulic and electro-hydraulic actuators, as well as instruments, gear boxes and valve accessories.

Rotork is committed to providing first class support to each client throughout the whole life of their plant, from initial site surveys to installation, maintenance, audits and repair. From our network of national and international offices, our engineers work around the clock to maintain our position of trust.

Rotork. Redefining flow control.

Product Overview 3

Projects & Services 4

Product Selection 5

Product Range 5

SIL Explained 10

A4 US

US

A4

US

A4

A4 US

Redefining Flow Control 3

SIL is an established system of measurement standards to indicate the performance required of a safety system. It is part of a functional safety plan that includes techniques, technologies, standards and procedures that help operators protect against hazards. Functional safety adopts a life-cycle approach to industries that deal with hazardous processes and includes plans from concept through to decommissioning.

The requirement to meet a given SIL standard is becoming increasing common in many industrial process environments. It can be a complicated and arduous undertaking to establish and maintain compliance. This is true in both new plant construction and upgrades to the safety systems in an existing plant. Once established, ongoing testing and verification of safety system performance are required for the operational lifetime of the plant.

A plant will have a Safety Instrumented System (SIS) that is made up of a number of Safety Instrumented Functions (SIF). An SIF consists of three sections: Sensors, Logic Solver and Final Elements. SIL applies to the SIF as a whole because a failure of any component compromises the safety function. However, when analysing the performance of the system, it is acceptable to assess the performance of each section separately. The majority of Logic Solvers and Sensors have built-in, automatic testing systems. Final Elements often require additional testing equipment and regimes to test and prove their level of performance.

Assessing the performance of the final elements is a complicated process for the end user. Data for the various components must be gathered, a suitable design must be formulated and then testing regimes applied to the design. This can be a lengthy process involving multiple vendors and a variety of lengthy calculations.

Vendors try and assist in this process by having products independently certified as “Suitable for Use” at particular SIL levels by independent organisations such as TÜV. However, the end user must still conduct all the necessary calculations to ensure that the selected Final Elements as a whole adhere to the requirements for the particular SIL level required.

Rotork’s experienced team can provide a variety of products and engineering services that help establish, maintain and verify the Final Elements of an SIS system, often facilitating a reduction of plant operating expense.

Certified Products

• Pneumatic actuators.

• Hydraulic actuators.

• Electro-hydraulic actuators.

• Electric actuators.

• Smart Valve Monitor partial stroke test system.

• Solenoid control systems.

Certified Personnel

• TÜV certified Functional Safety Professionals.

• International network of IEC 61508 specialists.

SIL System Design Services

• Final element design services for green field sites.

• Retrofit solutions for plant upgrades.

• Final element SIL verification calculations.

Product Overview

A4US

US

A4

US A4

US

A4

4

SIL Design and Verification Services

Rotork’s experienced engineering team can provide complete final element design solutions for SIL applications. With access to a comprehensive database of final element components, Rotork can assist with the design and selection of actuators and control systems and also prove compatibility and SIL performance when Rotork actuators are used in conjunction with a number of different manufacturers valves.

New Projects

For new SIL projects, this can include selection of the required control components backed-up by independently assessed performance data to provide the user with definitive testing regimes for both partial stroke and shutdown proof testing. This affords operators the maximum possible plant production up-time and provides verifiable data to prove that the required SIL rating is being met.

SIL Retrofit Upgrades

In the wake of recent incidents in a variety of industries many plants are undergoing a re-assessment of their SIL ratings. Operators sometimes discover that their plant is no longer up to the required standard. This can lead to untimely and costly replacement programmes for valves and actuators.

Rotork has the capability to assist plant operators with the assessment of existing equipment and, in conjunction with the retrofit of products such as our SVM Smart Valve Monitor for fluid power actuators or the SFCM for our electrically powered IQ actuators, provide cost effective solutions for SIL upgrades. In fact, cost savings have often been made in the productivity of the plant by facilitating strategic maintenance and extending compulsory maintenance shutdown intervals.

SIL Verification Calculations

Predictive Maintenance

Controls Design

Complete SIL Solution

FEED Contractor

Industry Safety and SIL Requirements

Valve Vendor

Projects & Services

A4 US

US

A4

US

A4

A4 US

5Redefining Flow Control

Electric Power Actuators Fluid Power Actuators

Actuator IQ SI EH CP RC RH GP/GH LP/LH

Max TorqueNm (lbf-in)

3,000(22,000)

4,500(39,800)

600,000(4,425,000)

4,500(39,800)

4,500(39,800)

4,500(39,800)

600,000(4,425,000) n/a

Max ThrustN (lbf) n/a

61,000(13,700)

5,500,000(1,200,000) n/a n/a n/a n/a

5,000,000(1,124,000)

SIL Rating 2 3 3 3 2,3 3 3 3

Partial Stroke ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Digital Comms ✔ ✔ ✔ ✔† ✔† ✔† ✔† ✔†

Diagnostics ✔ SVM SVM SVM SVM SVM SVM SVM

† Only in conjunction with SVM

SVM (Partial Stroke Test System)

Rotork Fluid Systems’ patented, Smart Valve Monitor (SVM) is the most versatile and comprehensive partial stroke valve test system for hydraulically or pneumatically actuated on/off valves available. It tests every element of the valve/actuator/control system and has several unique features that set it apart from the solutions offered by many competing products.

SVM facilitates strategic preventive maintenance and extended shutdown intervals.

• Comprehensive valve performance monitoring system.

• Partial stroke testing in real time.

• Test all final elements as required by IEC 61508.

• Compatible with virtually any fluid power actuator.

• Assists with SIL compliance — extends shutdown intervals.

• Completely transparent to normal valve operation.

• Facilitates strategic maintenance.

For further information see PUB026-001 and PUB026-002.

Notes:1. All failures rates are 10-9 failures/hour.2. Safe Failure Fractions for fluid power actuators take credit for partial stroke testing.

SIL Rating ALL

Hardware Fault Tolerance (HFT) N/A

Safe Failures (λS) 966

Dangerous Undetected Failures (λDU) 0

Dangerous Detected Failures (λDD) 0

Safe Failure Fraction (SFF) 100%

Hardware Type N/A

Product Selection

Product Range

A4US

US

A4

US A4

US

A4

6

IQ Pro (Electric Actuators)

The IQ is ideal for applications where it is not possible or practical to install pneumatic of hydraulic tubing and cost is critical. The IQ Pro with SFCM is TÜV certified suitable for use at SIL2 or SIL 3 in a 1oo2 (one out of two) configuration.

In addition the SIL card is an ideal retrofit solution for plants undergoing a SIL re-assessment. The SIL card can be retrofitted to any IQ Pro actuator supplied since 2001 and would replace the existing network card to provide a hard-wired operation. This provides the end-user with a simple and cost effective means of upgrading an existing plant’s SIL performance.

For safety applications the SIL card provides a second safety function that improves the performance of the actuator to prevent incorrect operation in non-ESD operation. By comparing the process input signal to the actuator with the output action, the SIL card can ensure that not only are the actuator internal assemblies functioning correctly, but also that the control system as a whole is performing the correct operation.

For further information see publication PUB002-011.

IQ with SFCM ESD

IQ with SFCM Stay Put

SIL Rating 2 3 2

Hardware Fault Tolerance (HFT) 0 1 0

Safe Failures (λS) 10,034 12,529

Dangerous Failures (λD) 1,542 50.6

Dangerous Detected Failures (λDD) 609 0.32

Safe Failure Fraction (SFF) 86.7% 99.6%

Hardware Type B B

SI-1 SI-2-1

SIL Rating 2 3 2 3

Hardware Fault Tolerance (HFT)

0 0

Safe Failures (λS) 776 746

Dangerous Failures (λD) 148 126

Dangerous Detected Failures (λDD)

126 141

PFDAVG 649,000 83,100 463,000 65,900

Safe Failure Fraction (SFF) 84% 98% 84% 98%

Hardware Type A A

Partial Stroke 0 1/month 0 1/month

SI (Electro-Hydraulic Spring-Return Actuators)

The SI range is a self-contained electro-hydraulic spring-return valve actuation solution available for both quarter-turn and linear applications. The actuators incorporate sophisticated electronics that provide non-intrusive set-up and interrogation via the infra-red/Bluetooth® Rotork Setting Tool. They are suitable for on/off, modulating and emergency shutdown duties. Skilmatic actuators are compatible with all major digital communication systems including Rotork’s own Pakscan.

• Intelligent, self-contained electro-hydraulic actuators.

• Linear thrusts up to 61 kN (13,700 lbf), quarter-turn torques up to 4,400 Nm (39,000 lbf-in).

• Two-position, ESD or modulating operation in spring-return or double-acting executions.

• Power supply: single-phase, three-phase or 24 VDC.

• Non-intrusive infrared setting & configuration.

• Multilingual text display for status and setup.

• Optional bus communications via all major protocols.

• Partial stroke test capability.

• Datalogger to log events, alarms and trends.

• Watertight or explosionproof: ATEX, FM, CSA, IEC and GOST.

• Separate, double-sealed terminal compartment.


Product Range

SI-1 SI-2-1

NO PST PST NO PST PST

SIL Rating 2 3 2 3

Hardware Fault Tolerance (HFT)

0 0

Safe Failures (λS) 1120 FIT 1130 FIT

Dangerous Failures (λD) 148 FIT 141 FIT

Dangerous Detected Failures (λDD)

141 FIT 134 FIT

PFDAVG 649,000 83,100 619,000 80,300

Safe Failure Fraction (SFF) 88.3% 99.4% 88.9% 99.4%

Hardware Type A A

Partial Stroke (Months) 0 1 0 1

A4 US

US

A4

US

A4

A4 US


EH (Electro-Hydraulic Spring-Return Actuators)

The EH range is a self-contained electro-hydraulic spring-return valve actuation solution. The actuator incorporates sophisticated electronics that provide non-intrusive set-up and interrogation via the infra-red/Bluetooth® Rotork Setting Tool. They are suitable for on/off, modulating and emergency shutdown duties and are compatible with all major digital communication systems including Rotork’s own Pakscan.

• Linear thrusts up to 5,500 kN (1.2 million lbf), quarter-turn torque output up to 600,000 Nm (5.3 million lbf-in).

• Power supply: single-phase, three-phase or 24 VDC.

• Multilingual text display for status and setup.

• Partial stroke test capability.

• Datalogger to log events, alarms and trends.

• Watertight or explosionproof: ATEX, FM, CSA, IEC and GOST.

• Separate, double-sealed terminal compartment.


SIL Rating 3

Hardware Fault Tolerance (HFT) 0

Safe Failures (λS) 4,270

Dangerous Failures (λD) 379


Safe Failure Fraction (SFF) 99.2%

Hardware Type A

Product Range

CP (Pneumatic Actuators)

CP range pneumatic actuators are a versatile, modular, scotch yoke design available in both double-acting and spring-return configurations. The compact and efficient design yields high torques even at low pressures. The design concepts found in Rotork’s large, heavy-duty actuators has been applied to the CP range, which brings heavy-duty actuator qualities to small, quarter-turn actuators.

The actuator body is of rugged, ductile cast iron available in four body sizes. Cylinders are manufactured from carbon steel, electroless nickel-plated.

• Pneumatic and hydraulic actuators in double-acting and spring-return configurations.

• Corrosion resistant cylinders.

• Actuators certified to IP 66M/67M.

• Actuators certified to ATEX 94/9/EC.

• Actuators certified in accordance with PED 93/27/EC.

• Torque output to 4,500 Nm (39,800 lbf-in).

• Compatible with SVM partial stroke testing.

For further information see PUB013-001.

SIL Rating 3






Hardware Type A


A4US

US

A4

US A4

US

A4

8

Product Range

RC (Compact Pneumatic Actuators)

The RC range is an extremely compact pneumatic actuator. It’s scotch yoke design is particularly suited for valves with high start or end torque requirements. The aluminium body is available in both double-acting and spring-return configurations with output torque up to 4,400Nm (38,700 lbf-in). An optional manual override is available.

• Extremely compact scotch yoke pneumatic actuator.

• Double-acting and spring-return configurations.

• Contained spring module for safety and convenience.

• Torque output to 4,400 Nm (39,000 lbf-in).

• Valve mounting dimensions per ISO 5211/ DIN 3337.


For further information see PUB014-001 (metric build) and PUB014-002 (imperial build).

SIL Rating 3 3

Hardware Fault Tolerance (HFT) 0 0



Dangerous Detected Failures (λDD) 38 30


Hardware Type A A

DA SR

RH (Compact Hydraulic Actuators)

RH range rack & pinion actuators are specifically engineered to operate small to medium size ball, butterfly, plug and other quarter-turn valves for either on/off or modulating service. The heavy-duty construction and compact design make this product ideal for skid manufacturers and offshore and process applications which require robust yet space saving valve actuation solutions. It’s also suitable for applications requiring medium-depth submersion.

The housing is available in five sizes. A hydraulic cylinder can be attached to either or both sides. A spring can cylinder can also be fitted to either side for Emergency Shut Down (ESD) applications.

• Pneumatic and hydraulic rack and pinion actuators available in double-acting and spring-return configurations.

• Electroless nickel-plated cylinders and anti-blowout pinion.

• Output torque up to 4,100 Nm (36,600 lbf).



SIL Rating 3






Hardware Type A

A4 US

US

A4

US

A4

A4 US


LP / LH (Linear Actuators)

Rotork linear actuators offer the advantages of compact size, high performance and a simple but highly reliable design, and are ideal for operating on/off and control functions of both globe and wedge gate valves. Both spring-return and double-acting configurations are available with either pneumatic or hydraulic cylinders.


• Electroless nickel-plated cylinders, chromium-plated piston rods.

• Hammer blow and standard valve stem coupling designs available.

• Thrust up to 5,000,000 N (1,124,000 lbf).



SIL Rating 3 3






Hardware Type A A

LP LH

Product Range

GP/GH (Pneumatic and Hydraulic Actuators)

GP (pneumatic) and GH (hydraulic) range scotch yoke actuators are designed to provide a rotary, quarter-turn movement for either on/off or modulating duty. The rugged yet compact design is available with two different yoke designs. The classic symmetric yoke delivers peak torque at both ends of stroke. Alternatively, they can be supplied with canted torque arms designed to deliver peak torque at only one end of stroke. Use of canted arms can often reduce actuator size, weight and cost for valves with appropriate torque demand characteristics.


• Corrosion resistant cylinders.

• Actuators certified to IP 66M/67M.

• Actuators certified to ATEX 94/9/EC.

• Actuators certified in accordance with PED 93/27/EC.

• Torque output to 600,000 Nm (5.3 million lbf-in).



SIL Rating 3 3



Dangerous Failures (λD) 14.5 1.48



Hardware Type A A

GP GH


A4US

US

A4

US A4

US

A4

10

SIL Explained

In this document, Rotork has set out to explain SIL and its consequent impact upon the provision of valves & actuators in relation to Safety Instrumented Systems (SIS).

If you would like further clarification, please contact us.

What is SIL?

SIL, an acronym for Safety Integrity Level, is a system used to quantify and qualify the requirements for Safety Instrumented Systems. The International Electro-technical Commission (IEC) introduced the following industry standards to assist operators with quantifying the safety performance requirements for hazardous operations:

IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

IEC 61511 Safety Instrumented Systems for the Process Industry Sector

These standards have been widely adopted in the hydrocarbon and oil & gas industries to define Safety Instrumented Systems and their reliability as a means of improving safety and availability of Safety Instrumented Systems.

What are Safety Integrity Levels?

Safety Integrity Levels are targets applied to the reliability and performance of the safety systems used to protect hazardous activities such as hydrocarbon refining or production. There are 4 SIL levels. The higher the perceived associated risk,the higher the performance required of the safety system and therefore the higher the SIL rating number. The IEC standards define the performance requirements of the safety systems for the required SIL rating.

How are SIL ratings determined?

Once the scope of an activity is determined, the operator can identify the possible hazard(s) and then assess their potential severity. The risk associated with a hazard is identified by assessing the likely frequency of occurrence and the potential consequences if the hazard is realized. The operator must then assign a number for the severity of consequence and frequency.

These numbers are then fed into a matrix to allow the operator to assign the required SIL rating to protect against the hazard. Many tools are available to assist an operator with this process (e.g., HAZOP software — Hazard and Operability). An example of such a matrix is shown below in figure 1.

How are hazards protected against?

Once the SIL ratings have been determined, the operator can then design a risk reduction strategy to protect against these hazards. This is accomplished by applying multiple layers of protection. Risk reduction can be an expensive procedure; therefore, the operator will look to reduce the risk to a level As Low As Reasonably Practicable (ALARP).

Figure 2 shows multiple layers of protection are used to develop the required safety strategy. Safety Instrumented System has been highlighted because this is the layer that applies to shutdown systems and valve actuators. The SIS assists in reducing the frequency of the likely manifestation of the hazard and therefore improves the reliability of the system. The consequence of a failure is not addressed by SIS but by other aspects of the risk reduction strategy.

Freq

uenc

y

Severity of Consequence

5 SIL3 SIL4 X X X

4 SIL2 SIL3 SIL4 X X

3 SIL1 SIL2 SIL3 SIL4 X

2 - SIL1 SIL2 SIL3 SIL4

1 - - SIL1 SIL2 SIL3

1 2 3 4 5

Fig. 1. Frequency/consequence matrix.

Emergency Response

Passive Protection

Active Protection

Isolated Protection

High Level Process Control

Low Level Process Control

Design

Hazardous Activity Plant Engineering & Design

Basic Production Control System

Operational Intervention

Safety Instrumented System

Relief Valve, Rupture Disc, etc.

Bund, Blast Wall, etc.

Emergency Response

MitigationPrevention

Protectio

n Layers

Protectio

n Layers

Fig. 2. Layers of hazard protection.

A4 US

US

A4

US

A4

A4 US


SIL Explained

How is SIL used?

Safety Integrity Levels are part of a larger scheme called Functional Safety that deals with techniques, technologies, standards and procedures that help operators protect against hazards. Functional Safety adopts a life cycle approach to industries that deal with hazardous processes that includes plans from concept through to final decommissioning of plants. This process is cyclical and any phase is effected by the requirements of the previous stage(s) so, subsequent stages must be revisited to assess the impact of a change to a previous stage.

Figure 3 below is a simplified depiction of the four basic steps of the life cycle.

Pre-Design Phase

This is the phase where the scope of the project is determined, all hazards are assessed, and a Safety Requirements Specification is formulated. This specification will determine the SIL ratings to be applied to the various activities.

Design Phase

Once the pre-design phase is completed, the operator will design the required safety systems and plan how they will be executed. It is this stage where the safety systems are specified. This is also when the testing regimes are allocated to ensure that the SIL ratings can be met.

Realisation Phase

Upon the completion of the design phase, the plant is built and commissioned. All safety systems are tested to ensure that they meet the established safety requirements.

Operation Phase

The plant is now operational and producing. The safety systems are now regularly tested to ensure that they continue to perform as designed and required.

How does equipment fail?

There are three ways in which safety equipment can fail: systematic, common cause, and random hardware failure. These failures are addressed by the safety life cycle in the following manner.

Systematic Failures

These types of failure are not failures of individual components but the system as a whole. These failures are reduced by using proper engineering practice and design during the design phase. These are very rare failures as years of experience and documentation have helped engineers understand how systems interact.

Common Cause Failures

This type of failure is when identical components within the safety system fail at the same time. Again, experience with products and documentation help engineers design systems that prevent this. Also, these failures can be virtually eliminated by using redundant and diverse systems. Common cause failures are generally the result of environmental effects like flooding or excessive temperatures.

Random Hardware Failure

This is the main type of failure mode — random by their nature. This is the type of failure Safety Instrumented Systems protect against. Engineers try to predict the probability of these failures by assessing the failure rates of the equipment used. This is where SIL specifies the performance and architectural constraints that a safety system requires.

PRE-DESIGN PHASE

Concept & Scope

Hazard Risk Analysis

Safety Requirements Specification

DESIGN PHASE

Planning:

Installation

Commissioning

Validation

Safety

Instumented

System

E/E/PES

Other Safety

Systems and

Technologies

External Risk

Reduction Plant

Community

REALISATION PHASE

Installation

Commissioning

Validation

OPERATION PHASE

Operation/Maintenance

Modification

De-commissioning

Fig. 3. Functional safety life cycle.

A4US

US

A4

US A4

US

A4

12

SIL Explained

How is the SIS performance quantified?

The Probability of Failure on Demand (PFD) is the measure used to define the level of protection offered by the system. EIC 61508 defines the maximum allowable PFDavg (the average probability, from 0 to 1, that the safety function will fail to operate on demand) for the Safety Instrumented Function (SIF).

The allowable level is dependant upon whether the system is deemed to be low demand or high demand. Low demand systems are defined as having an expected safety demand interval of greater than one year, and a proof test interval for the equipment that is at least twice that of the expected safety demand interval. The vast majority of fluid power actuated safety valves fall into this low demand type. IEC 61508 defines the required PFDavg as shown in figure 4.

High Demand safety control systems are defined as those that are operated more frequently than once per year.

What does this mean in terms of performance for the SIF?

The figures quoted in figure 4 apply to the entire Safety Instrumented Function and not the individual components. Any SIF is comprised of three discrete areas: “Sensors”, “Logic Solvers” and “Final Elements”. Figure 5 indicates these areas of an SIF for over-pressure isolation.

The “Sensors” detect the presence of the potential onset of a hazardous condition (e.g., over-pressure). The “Logic Solver” is the programmable logic controller (PLC) which determines what action to take after the “Sensors” have detected a potentially hazardous event. The “Final Elements” perform the required safety action (e.g., ESD of the valve). The scope of this document only covers the “Final Elements” as this is area where fluid power actuators function.

When assessing the performance of the SIF we must consider the solenoid valve, actuator and valve as a single entity with regard to the PFDavg calculation as the failure of any of these components will cause the SIF to fail.

In order to prove that the SIF is performing to the required SIL rating, it is necessary to know the failure rates of the equipment used so that it can be verified that the maximum allowable PFDavg is not exceeded. Failure rate data gives the operator a measure of when the equipment is likely to fail over a given period of time (i.e., the older the equipment, the more likely it is to fail when required to operate). The PFDavg can be calculated from this data. When it reaches the maximum allowable level, the plant must be shutdown and all safety systems fully tested.

Is it possible to procure an actuator with a SIL rating approval?

The simple answer is no. Only the complete SIF can have a SIL rating, not individual components. However, components (e.g., actuators) can be certified “suitable for use” at a particular SIL rating.

Operators and contractors may look for components certified as “suitable for use” as this will simplify the design process. In addition, if the component has failure rates that are known to be compatible with the required SIL rating, the safety calculations are also made much simpler.

How are actuators certified as “suitable for use” for specific SIL ratings?

There are two aspects to the process of attaining a SIL certificate. The first is assessing the design and failure rates of the equipment. This can be accomplished through either of two techniques: FMEDA (Failure Modes, Effect and Diagnostic Analysis) and “Proven in Use”.

The second aspect is the auditing the vendor's manufacturing and quality processes. This audit proves that the vendor is capable of manufacturing the product to the designed performance standard. These assessments must be audited by an approved accreditation body such as Exida or TÜV.

Final ElementsLogic Solver

PLC

Sensors

SIL LEVEL Max PFDavg Chance of Failure

1 0.1 <10%

2 0.01 <1%

3 0.001 <0.1%

4 0.0001 <0.01%

Fig. 4. SIL ratings.

Fig. 5. Example of an over-pressure shutdown.

A4 US

US

A4

US

A4

A4 US


SIL Explained

Suitable for Use Method 1 – FMEDA

FMEDA is a technique that assesses the performance of a device by evaluating the effects of the different failure modes of all components in the design. Every component is assessed for the type of failure (dangerous or safe) and the likelihood of failure (failure rate). All of this data is then collated to produce overall dangerous and safe failure rates that can be used in safety calculations.

FMEDA studies can be conducted either by the vendor or a third-party body but, in both circumstances, must be audited by an accredited body to prove that best practices have been used.

Suitable for Use Method 2 – Proven in Use

It may not be possible, practical or cost effective to conduct an FMEDA on a product, particularly if it is of an old or complex design. In these cases, products may be certified by using “Proven In Use”.

“Proven In Use” as defined in the IEC 61508 standard is a documented assessment that has shown that there is appropriate evidence, based on previous use history of the component, that it is suitable for use in a safety system. This documented evidence must include the following:

• The manufacturer’s quality and management systems.

• The volume of the operating experience with statistical evidence to show that the claimed failure rate is sufficiently low.

Failure Rate Data

Once the studies have been completed, the user is presented with the failure rate data. This data falls into two fundamental categories: dangerous failure rate (λD) and safe failure rate (λS).

The dangerous failure rate (λD) data relates to failures that will result in the SIF being unable to perform the required safety function upon demand. The safe failure rate (λS) data relates to those failure modes that will put the safety function in its safe state (e.g., shutdown).

SIL is only concerned with the dangerous failure data but the safe failure data is important as this provides the operator a measure of how likely the safety system is to spuriously trip.

Do we need to test the SIF?

As described in earlier sections, SIL prescribes the maximum level that the PFDavg is permitted to reach. There are two types of tests that can be performed to help maintain the PFDavg at a suitably low level: Proof Tests and Diagnostic Tests.

A4US

US

A4

US A4

US

A4

14

SIL Explained

Proof tests

A proof test is a manual test performed during shutdown that tests the entire functionality of the SIF from sensing to actuation. It must be suitably configured to test all aspects of the safety function to prove that the SIF is “as good as new”. There may be several negative ramifications — particularly expense related — due to a proof test necessitating a process shutdown.

Diagnostic Tests

A diagnostic test is an automatic test performed online that does not necessitate process shutdown. This type of test must be performed at least ten times more frequently than the expected SIF demand rate.

A diagnostic test will test only a percentage of the total possible failure modes of the SIF; this percentage is called the Diagnostic Coverage (DC). These tests contribute to reducing the PFDavg of the SIF and thus assist in the extension of the proof test interval. The higher the DC, the greater the benefit gained from the test. For the “final elements” within the scope of this document, this type of test is called a partial stroke test.

What is the experience of Rotork when addressing SIL requirements?

In addition to having actuators currently operating in both SIL 2 and SIL 3 environments, Rotork also has a Partial Stroke Testing tool (the SVM Smart Valve Monitor) that provides the highest possible diagnostic coverage.

Rotork also provides services related to the safety calculations for the entire final element assembly, including the valve and controlling solenoid valves. By creating a database of known failure rates for various final elements, Rotork is able to provide recommendations for control mechanisms and valves that will provide the end-user with the best possible performing system that yields the best possible long-term financial benefits.

Our services assist the end user in extending shutdown intervals to the maximum possible time frame within the required SIL rating and also provide peace of mind against spurious trips.

A4 US

US

A4

US

A4

A4 US


Can Rotork supply actuators for my SIL 2/3 requirements?

Yes.

SIL and other statutory requirements such as ATEX and PED place great demands upon suppliers. A consequence of SIL is the requirement for a product with a declared reliability according to IEC standards.

A valve actuation provider must be much more than a manufacturer to meet these ever increasing demands. Suppliers for SIL applications must be extremely well versed in the industries and applications that they serve. They must also possess the engineering know-how and resources required to properly execute the process of supply for SIL applications.

Rotork is a global leader in valve actuation technology. We provide a comprehensive range of valve actuators, controls and associated equipment, as well as a variety of valve actuator services including commissioning, preventive maintenance and retro-fit solutions. We are dedicated to providing the marketplace with the latest technology, consistently high quality, innovative design, excellent reliability and superior performance. Most importantly, we have a longstanding commitment to meeting the special needs of a wide range of applications including: oil and gas exploration and transportation; municipal water and wastewater treatment; power generation; and the chemical and process industries. With more than fifty years of engineering and manufacturing expertise, we have tens of thousands of successful valve actuator installations throughout the world.

Rotork maintains dedicated engineering groups for Applications, Product Improvement and New Product Development so that our customers can gain all the benefits that ever advancing technologies have to offer and also to ensure our efforts are in step with the continually evolving needs of our customers.

To properly support our customers around the globe, Rotork maintains manufacturing facilities throughout the world. In addition to these manufacturing facilities, we maintain a network of Centres of Excellence strategically located around the world. These actuation specialist centres hold stock, provide application engineering and packaging of control components as well as providing sales, service, installation and commissioning support. With these vast resources available, we are able to provide solutions for any application requirement.

Are there examples of SIL 2 or SIL 3 systems that Rotork can provide for review?

Yes.

Rotork has employed all the methods outlined above. Specific information can be made available for review upon request.

SIL Explained

In conclusion, Rotork is capable of providing complete SIL solutions for final elements used in Safety Instrumented Systems. We have extensive project and industry experience working with and providing SIL certified actuators and services for the oil & gas and hydrocarbon industries.

A4US

US

A4

US A4

US

A4

www.rotork.com

A full listing of our worldwide sales and service network is available on our website.

PUB000-012-00Issue 06/12

As part of a process of on-going product development, Rotork reserves the right to amend and change specifications without prior notice. Published data may be subject to change. For the very latest version release, visit our website at www.rotork.com

The name Rotork is a registered trademark. Rotork recognises all registered trademarks. Published and produced in the UK by Rotork Controls Limited. POWSH0512

UKRotork plctel +44 (0)1225 733200fax +44 (0)1225 333467email [email protected]

USARotork Controls Inc.tel +1 (585) 247 2304fax +1 (585) 247 2308email [email protected]

Electric Actuators and Control Systems

Fluid Power Actuators and Control Systems

Gearboxes and Gear Operators

Precision Control Instruments

Projects, Services and Retrofit

SIL Products & Services - rotork.com · SVM (Partial Stroke Test System) Rotork Fluid Systems’ patented, Smart Valve Monitor (SVM) is the most versatile and comprehensive partial

Documents