
SIL Products & Services: Redefining Flow Control


SIL Products & Services

Market Leading SIL Solutions

Redefining Flow Control


Contents

Product Overview
Projects & Services
Product Selection
Product Range
SIL Explained

Rotork is the global market leader in valve automation and flow control. Our products and services are helping organisations around the world to improve efficiency, assure safety and protect the environment.

We strive always for technical excellence, innovation and the highest quality standards in everything we do. As a result, our people and products remain at the forefront of flow control technology.

Uncompromising reliability is a feature of our entire product range, from our flagship electric actuator range through to our pneumatic, hydraulic and electro-hydraulic actuators, as well as instruments, gear boxes and valve accessories.

Rotork is committed to providing first class support to each client throughout the whole life of their plant, from initial site surveys to installation, maintenance, audits and repair. From our network of national and international offices, our engineers work around the clock to maintain our position of trust.
Rotork. Redefining flow control.

Product Overview

SIL is an established system of measurement standards to indicate the performance required of a safety system. It is part of a functional safety plan that includes techniques, technologies, standards and procedures that help operators protect against hazards. Functional safety adopts a life-cycle approach to industries that deal with hazardous processes and includes plans from concept through to decommissioning.

The requirement to meet a given SIL standard is becoming increasingly common in many industrial process environments. It can be a complicated and arduous undertaking to establish and maintain compliance. This is true in both new plant construction and upgrades to the safety systems in an existing plant. Once established, ongoing testing and verification of safety system performance are required for the operational lifetime of the plant.
A plant will have a Safety Instrumented System (SIS) that is made up of a number of Safety Instrumented Functions (SIF). An SIF consists of three sections: Sensors, Logic Solver and Final Elements. SIL applies to the SIF as a whole because a failure of any component compromises the safety function. However, when analysing the performance of the system, it is acceptable to assess the performance of each section separately. The majority of Logic Solvers and Sensors have built-in, automatic testing systems. Final Elements often require additional testing equipment and regimes to test and prove their level of performance.

Assessing the performance of the final elements is a complicated process for the end user. Data for the various components must be gathered, a suitable design must be formulated and then testing regimes applied to the design. This can be a lengthy process involving multiple vendors and a variety of lengthy calculations.

Vendors try and assist in this process by having products independently certified as “Suitable for Use” at particular SIL levels by independent organisations such as TÜV. However, the end user must still conduct all the necessary calculations to ensure that the selected Final Elements as a whole adhere to the requirements for the particular SIL level required.

Rotork’s experienced team can provide a variety of products and engineering services that help establish, maintain and verify the Final Elements of an SIS system, often facilitating a reduction of plant operating expense.

Certified Products

• Pneumatic actuators.
• Hydraulic actuators.
• Electro-hydraulic actuators.
• Electric actuators.
• Smart Valve Monitor partial stroke test system.
• Solenoid control systems.

Certified Personnel

• TÜV certified Functional Safety Professionals.
• International network of IEC 61508 specialists.

SIL System Design Services


• Final element design services for green field sites.
• Retrofit solutions for plant upgrades.
• Final element SIL verification calculations.



Projects & Services

SIL Design and Verification Services

Rotork’s experienced engineering team can provide complete final element design solutions for SIL applications. With access to a comprehensive database of final element components, Rotork can assist with the design and selection of actuators and control systems and also prove compatibility and SIL performance when Rotork actuators are used in conjunction with a number of different manufacturers' valves.

New Projects

For new SIL projects, this can include selection of the required control components backed-up by independently assessed performance data to provide the user with definitive testing regimes for both partial stroke and shutdown proof testing. This affords operators the maximum possible plant production up-time and provides verifiable data to prove that the required SIL rating is being met.

SIL Retrofit Upgrades

In the wake of recent incidents in a variety of industries many plants are undergoing a re-assessment of their SIL ratings. Operators sometimes discover that their plant is no longer up to the required standard. This can lead to untimely and costly replacement programmes for valves and actuators.

Rotork has the capability to assist plant operators with the assessment of existing equipment and, in conjunction with the retrofit of products such as our SVM Smart Valve Monitor for fluid power actuators or the SFCM for our electrically powered IQ actuators, provide cost effective solutions for SIL upgrades. In fact, cost savings have often been made in the productivity of the plant by facilitating strategic maintenance and extending compulsory maintenance shutdown intervals.

[Diagram: Industry Safety and SIL Requirements. Labels: FEED Contractor; Complete SIL Solution; Valve Vendor; Controls Design; SIL Verification Calculations; Predictive Maintenance.]

Product Selection

Electric Power Actuators Fluid Power Actuators

Actuator          IQ        SI        EH           CP        RC        RH        GP/GH        LP/LH
Max Torque, Nm    3,000     4,500     600,000      4,500     4,500     4,500     600,000      n/a
  (lbf-in)        (22,000)  (39,800)  (4,425,000)  (39,800)  (39,800)  (39,800)  (4,425,000)
Max Thrust, N     n/a       61,000    5,500,000    n/a       n/a       n/a       n/a          5,000,000
  (lbf)                     (13,700)  (1,200,000)                                             (1,124,000)
SIL Rating        2         3         3            3         2,3       3         3            3
Partial Stroke    ✔         ✔         ✔            ✔         ✔         ✔         ✔            ✔
Digital Comms     ✔         ✔         ✔            ✔†        ✔†        ✔†        ✔†           ✔†
Diagnostics       ✔         SVM       SVM          SVM       SVM       SVM       SVM          SVM

† Only in conjunction with SVM

Product Range

SVM (Partial Stroke Test System)


Rotork Fluid Systems’ patented, Smart Valve Monitor (SVM) is the most versatile and comprehensive partial stroke valve test system for hydraulically or pneumatically actuated on/off valves available. It tests every element of the valve/actuator/control system and has several unique features that set it apart from the solutions offered by many competing products.

SVM facilitates strategic preventive maintenance and extended shutdown intervals.

• Comprehensive valve performance monitoring system.
• Partial stroke testing in real time.
• Test all final elements as required by IEC 61508.
• Compatible with virtually any fluid power actuator.
• Assists with SIL compliance — extends shutdown intervals.
• Completely transparent to normal valve operation.
• Facilitates strategic maintenance.

For further information see PUB026-001 and PUB026-002.

SIL Rating                             ALL
Hardware Fault Tolerance (HFT)         N/A
Safe Failures (λS)                     966
Dangerous Undetected Failures (λDU)    0
Dangerous Detected Failures (λDD)      0
Safe Failure Fraction (SFF)            100%
Hardware Type                          N/A

Notes:
1. All failure rates are 10^-9 failures/hour.
2. Safe Failure Fractions for fluid power actuators take credit for partial stroke testing.


IQ Pro (Electric Actuators)


The IQ is ideal for applications where it is not possible or practical to install pneumatic or hydraulic tubing and cost is critical. The IQ Pro with SFCM is TÜV certified suitable for use at SIL 2 or SIL 3 in a 1oo2 (one out of two) configuration.

In addition the SIL card is an ideal retrofit solution for plants undergoing a SIL re-assessment. The SIL card can be retrofitted to any IQ Pro actuator supplied since 2001 and would replace the existing network card to provide a hard-wired operation. This provides the end-user with a simple and cost effective means of upgrading an existing plant’s SIL performance.

For safety applications the SIL card provides a second safety function that improves the performance of the actuator to prevent incorrect operation in non-ESD operation. By comparing the process input signal to the actuator with the output action, the SIL card can ensure that not only are the actuator internal assemblies functioning correctly, but also that the control system as a whole is performing the correct operation.

For further information see publication PUB002-011.

                                     IQ with SFCM ESD    IQ with SFCM Stay Put
SIL Rating                           2       3           2
Hardware Fault Tolerance (HFT)       0       1           0
Safe Failures (λS)                   10,034              12,529
Dangerous Failures (λD)              1,542               50.6
Dangerous Detected Failures (λDD)    609                 0.32
Safe Failure Fraction (SFF)          86.7%               99.6%
Hardware Type                        B                   B

SI (Electro-Hydraulic Spring-Return Actuators)


The SI range is a self-contained electro-hydraulic spring-return valve actuation solution available for both quarter-turn and linear applications. The actuators incorporate sophisticated electronics that provide non-intrusive set-up and interrogation via the infra-red/Bluetooth® Rotork Setting Tool. They are suitable for on/off, modulating and emergency shutdown duties. Skilmatic actuators are compatible with all major digital communication systems including Rotork’s own Pakscan.

• Intelligent, self-contained electro-hydraulic actuators.
• Linear thrusts up to 61 kN (13,700 lbf), quarter-turn torques up to 4,400 Nm (39,000 lbf-in).
• Two-position, ESD or modulating operation in spring-return or double-acting executions.
• Power supply: single-phase, three-phase or 24 VDC.
• Non-intrusive infrared setting & configuration.
• Multilingual text display for status and setup.
• Optional bus communications via all major protocols.
• Partial stroke test capability.
• Datalogger to log events, alarms and trends.
• Watertight or explosionproof: ATEX, FM, CSA, IEC and GOST.
• Separate, double-sealed terminal compartment.

For further information see publication PUB021-001.

                                     SI-1                  SI-2-1
                                     NO PST     PST        NO PST     PST
SIL Rating                           2          3          2          3
Hardware Fault Tolerance (HFT)       0                     0
Safe Failures (λS)                   1120 FIT              1130 FIT
Dangerous Failures (λD)              148 FIT               141 FIT
Dangerous Detected Failures (λDD)    141 FIT               134 FIT
PFDAVG                               649,000    83,100     619,000    80,300
Safe Failure Fraction (SFF)          88.3%      99.4%      88.9%      99.4%
Hardware Type                        A                     A
Partial Stroke (Months)              0          1          0          1


EH (Electro-Hydraulic Spring-Return Actuators)


The EH range is a self-contained electro-hydraulic spring-return valve actuation solution. The actuator incorporates sophisticated electronics that provide non-intrusive set-up and interrogation via the infra-red/Bluetooth® Rotork Setting Tool. They are suitable for on/off, modulating and emergency shutdown duties and are compatible with all major digital communication systems including Rotork’s own Pakscan.

• Linear thrusts up to 5,500 kN (1.2 million lbf), quarter-turn torque output up to 600,000 Nm (5.3 million lbf-in).
• Power supply: single-phase, three-phase or 24 VDC.
• Multilingual text display for status and setup.
• Partial stroke test capability.
• Datalogger to log events, alarms and trends.
• Watertight or explosionproof: ATEX, FM, CSA, IEC and GOST.
• Separate, double-sealed terminal compartment.

For further information see publication PUB021-001.

SIL Rating                           3
Hardware Fault Tolerance (HFT)       0
Safe Failures (λS)                   4,270
Dangerous Failures (λD)              379
Dangerous Detected Failures (λDD)    341
Safe Failure Fraction (SFF)          99.2%
Hardware Type                        A

CP (Pneumatic Actuators)
CP range pneumatic actuators are a versatile, modular, scotch yoke design available in both double-acting and spring-return configurations. The compact and efficient design yields high torques even at low pressures. The design concepts found in Rotork’s large, heavy-duty actuators have been applied to the CP range, which brings heavy-duty actuator qualities to small, quarter-turn actuators.

The actuator body is of rugged, ductile cast iron available in four body sizes. Cylinders are manufactured from carbon steel, electroless nickel-plated.

• Pneumatic and hydraulic actuators in double-acting and spring-return configurations.
• Corrosion resistant cylinders.
• Actuators certified to IP 66M/67M.
• Actuators certified to ATEX 94/9/EC.
• Actuators certified in accordance with PED 93/27/EC.
• Torque output to 4,500 Nm (39,800 lbf-in).
• Compatible with SVM partial stroke testing.

For further information see PUB013-001.

SIL Rating                           3
Hardware Fault Tolerance (HFT)       0
Safe Failures (λS)                   770
Dangerous Failures (λD)              12
Dangerous Detected Failures (λDD)    9
Safe Failure Fraction (SFF)          99.6%
Hardware Type                        A

Notes:
1. All failure rates are 10^-9 failures/hour.
2. Safe Failure Fractions for fluid power actuators take credit for partial stroke testing.


RC (Compact Pneumatic Actuators)


The RC range is an extremely compact pneumatic actuator. Its scotch yoke design is particularly suited for valves with high start or end torque requirements. The aluminium body is available in both double-acting and spring-return configurations with output torque up to 4,400 Nm (38,700 lbf-in). An optional manual override is available.

• Extremely compact scotch yoke pneumatic actuator.
• Double-acting and spring-return configurations.
• Contained spring module for safety and convenience.
• Torque output to 4,400 Nm (39,000 lbf-in).
• Valve mounting dimensions per ISO 5211/ DIN 3337.
• Compatible with SVM partial stroke testing.

For further information see PUB014-001 (metric build) and PUB014-002 (imperial build).

                                     DA       SR
SIL Rating                           3        3
Hardware Fault Tolerance (HFT)       0        0
Safe Failures (λS)                   0        261
Dangerous Failures (λD)              40       31
Dangerous Detected Failures (λDD)    38       30
Safe Failure Fraction (SFF)          94.8%    99.5%
Hardware Type                        A        A

RH (Compact Hydraulic Actuators)


RH range rack & pinion actuators are specifically engineered to operate small to medium size ball, butterfly, plug and other quarter-turn valves for either on/off or modulating service. The heavy-duty construction and compact design make this product ideal for skid manufacturers and offshore and process applications which require robust yet space saving valve actuation solutions. It’s also suitable for applications requiring medium-depth submersion.

The housing is available in five sizes. A hydraulic cylinder can be attached to either or both sides. A spring can cylinder can also be fitted to either side for Emergency Shut Down (ESD) applications.

• Pneumatic and hydraulic rack and pinion actuators available in double-acting and spring-return configurations.
• Electroless nickel-plated cylinders and anti-blowout pinion.
• Output torque up to 4,100 Nm (36,600 lbf).
• Compatible with SVM partial stroke testing.

For further information see PUB019-004.

SIL Rating                           3
Hardware Fault Tolerance (HFT)       0
Safe Failures (λS)                   198
Dangerous Failures (λD)              18
Dangerous Detected Failures (λDD)    14
Safe Failure Fraction (SFF)          97.9%
Hardware Type                        A


GP/GH (Pneumatic and Hydraulic Actuators)


GP (pneumatic) and GH (hydraulic) range scotch yoke actuators are designed to provide a rotary, quarter-turn movement for either on/off or modulating duty. The rugged yet compact design is available with two different yoke designs. The classic symmetric yoke delivers peak torque at both ends of stroke. Alternatively, they can be supplied with canted torque arms designed to deliver peak torque at only one end of stroke. Use of canted arms can often reduce actuator size, weight and cost for valves with appropriate torque demand characteristics.

• Pneumatic and hydraulic actuators in double-acting and spring-return configurations.
• Corrosion resistant cylinders.
• Actuators certified to IP 66M/67M.
• Actuators certified to ATEX 94/9/EC.
• Actuators certified in accordance with PED 93/27/EC.
• Torque output to 600,000 Nm (5.3 million lbf-in).
• Compatible with SVM partial stroke testing.

For further information see PUB011-001.

                                     GP       GH
SIL Rating                           3        3
Hardware Fault Tolerance (HFT)       0        0
Safe Failures (λS)                   145      433
Dangerous Failures (λD)              14.5     1.48
Dangerous Detected Failures (λDD)    11       0
Safe Failure Fraction (SFF)          97.7%    99.7%
Hardware Type                        A        A

LP / LH (Linear Actuators)
Rotork linear actuators offer the advantages of compact size, high performance and a simple but highly reliable design, and are ideal for operating on/off and control functions of both globe and wedge gate valves. Both spring-return and double-acting configurations are available with either pneumatic or hydraulic cylinders.

• Pneumatic and hydraulic actuators in double-acting and spring-return configurations.
• Electroless nickel-plated cylinders, chromium-plated piston rods.
• Hammer blow and standard valve stem coupling designs available.
• Thrust up to 5,000,000 N (1,124,000 lbf).
• Compatible with SVM partial stroke testing.

For further information see publication PUB020-001.

                                     LP       LH
SIL Rating                           3        3
Hardware Fault Tolerance (HFT)       0        0
Safe Failures (λS)                   154      165
Dangerous Failures (λD)              13       13
Dangerous Detected Failures (λDD)    10       10
Safe Failure Fraction (SFF)          98.0%    98.2%
Hardware Type                        A        A

Notes:
1. All failure rates are 10^-9 failures/hour.
2. Safe Failure Fractions for fluid power actuators take credit for partial stroke testing.



SIL Explained

In this document, Rotork has set out to explain SIL and its consequent impact upon the provision of valves & actuators in relation to Safety Instrumented Systems (SIS).

If you would like further clarification, please contact us.

What is SIL?

SIL, an acronym for Safety Integrity Level, is a system used to quantify and qualify the requirements for Safety Instrumented Systems. The International Electro-technical Commission (IEC) introduced the following industry standards to assist operators with quantifying the safety performance requirements for hazardous operations:

IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

IEC 61511 Safety Instrumented Systems for the Process Industry Sector

These standards have been widely adopted in the hydrocarbon and oil & gas industries to define Safety Instrumented Systems and their reliability as a means of improving safety and availability of Safety Instrumented Systems.

What are Safety Integrity Levels?

Safety Integrity Levels are targets applied to the reliability and performance of the safety systems used to protect hazardous activities such as hydrocarbon refining or production. There are 4 SIL levels. The higher the perceived associated risk, the higher the performance required of the safety system and therefore the higher the SIL rating number. The IEC standards define the performance requirements of the safety systems for the required SIL rating.

How are SIL ratings determined?

Once the scope of an activity is determined, the operator can identify the possible hazard(s) and then assess their potential severity. The risk associated with a hazard is identified by assessing the likely frequency of occurrence and the potential consequences if the hazard is realized.

The operator must then assign a number for the severity of consequence and frequency.

These numbers are then fed into a matrix to allow the operator to assign the required SIL rating to protect against the hazard. Many tools are available to assist an operator with this process (e.g., HAZOP software — Hazard and Operability). An example of such a matrix is shown below in figure 1.

Frequency
    5    SIL3    SIL4    X       X       X
    4    SIL2    SIL3    SIL4    X       X
    3    SIL1    SIL2    SIL3    SIL4    X
    2    -       SIL1    SIL2    SIL3    SIL4
    1    -       -       SIL1    SIL2    SIL3
         1       2       3       4       5
         Severity of Consequence

Fig. 1. Frequency/consequence matrix.

How are hazards protected against?

Once the SIL ratings have been determined, the operator can then design a risk reduction strategy to protect against these hazards. This is accomplished by applying multiple layers of protection. Risk reduction can be an expensive procedure; therefore, the operator will look to reduce the risk to a level As Low As Reasonably Practicable (ALARP).

[Figure 2: protection layers around the Hazardous Activity, labelled Prevention and Mitigation. Layer types: Design; Low Level Process Control; High Level Process Control; Isolated Protection; Active Protection; Passive Protection; Emergency Response. Layers shown: Plant Engineering & Design; Basic Production Control System; Operational Intervention; Safety Instrumented System; Relief Valve, Rupture Disc, etc.; Bund, Blast Wall, etc.; Emergency Response.]

Fig. 2. Layers of hazard protection.

Figure 2 shows multiple layers of protection are used to develop the required safety strategy. Safety Instrumented System has been highlighted because this is the layer that applies to shutdown systems and valve actuators. The SIS assists in reducing the frequency of the likely manifestation of the hazard and therefore improves the reliability of the system. The consequence of a failure is not addressed by SIS but by other aspects of the risk reduction strategy.


How is SIL used?

Safety Integrity Levels are part of a larger scheme called Functional Safety that deals with techniques, technologies, standards and procedures that help operators protect against hazards. Functional Safety adopts a life cycle approach to industries that deal with hazardous processes that includes plans from concept through to final decommissioning of plants. This process is cyclical and any phase is affected by the requirements of the previous stage(s), so subsequent stages must be revisited to assess the impact of a change to a previous stage.

Figure 3 below is a simplified depiction of the four basic steps of the life cycle.

PRE-DESIGN PHASE
• Concept & Scope
• Hazard Risk Analysis
• Safety Requirements Specification

DESIGN PHASE
• Planning: Installation, Commissioning, Validation
• Safety Instrumented System E/E/PES
• Other Safety Systems and Technologies
• External Risk Reduction Plant Community

REALISATION PHASE
• Installation
• Commissioning
• Validation

OPERATION PHASE
• Operation/Maintenance
• Modification
• De-commissioning

Fig. 3. Functional safety life cycle.

Pre-Design Phase

This is the phase where the scope of the project is determined, all hazards are assessed, and a Safety Requirements Specification is formulated. This specification will determine the SIL ratings to be applied to the various activities.

Design Phase

Once the pre-design phase is completed, the operator will design the required safety systems and plan how they will be executed. It is this stage where the safety systems are specified. This is also when the testing regimes are allocated to ensure that the SIL ratings can be met.

Realisation Phase

Upon the completion of the design phase, the plant is built and commissioned. All safety systems are tested to ensure that they meet the established safety requirements.

Operation Phase

The plant is now operational and producing. The safety systems are now regularly tested to ensure that they continue to perform as designed and required.

How does equipment fail?

There are three ways in which safety equipment can fail: systematic, common cause, and random hardware failure. These failures are addressed by the safety life cycle in the following manner.

Systematic Failures

These types of failure are not failures of individual components but the system as a whole. These failures are reduced by using proper engineering practice and design during the design phase. These are very rare failures as years of experience and documentation have helped engineers understand how systems interact.

Common Cause Failures

This type of failure is when identical components within the safety system fail at the same time. Again, experience with products and documentation help engineers design systems that prevent this. Also, these failures can be virtually eliminated by using redundant and diverse systems. Common cause failures are generally the result of environmental effects like flooding or excessive temperatures.

Random Hardware Failure

This is the main type of failure mode — random by their nature. This is the type of failure Safety Instrumented Systems protect against. Engineers try to predict the probability of these failures by assessing the failure rates of the equipment used. This is where SIL specifies the performance and architectural constraints that a safety system requires.


How is the SIS performance quantified?

The Probability of Failure on Demand (PFD) is the measure used to define the level of protection offered by the system. IEC 61508 defines the maximum allowable PFDavg (the average probability, from 0 to 1, that the safety function will fail to operate on demand) for the Safety Instrumented Function (SIF).

The allowable level is dependent upon whether the system is deemed to be low demand or high demand. Low demand systems are defined as having an expected safety demand interval of greater than one year, and a proof test interval for the equipment that is at least twice that of the expected safety demand interval. The vast majority of fluid power actuated safety valves fall into this low demand type. IEC 61508 defines the required PFDavg as shown in figure 4.

SIL Level    Max PFDavg    Chance of Failure
1            0.1           <10%
2            0.01          <1%
3            0.001         <0.1%
4            0.0001        <0.01%

Fig. 4. SIL ratings.

High Demand safety control systems are defined as those that are operated more frequently than once per year.

What does this mean in terms of performance for the SIF?

The figures quoted in figure 4 apply to the entire Safety Instrumented Function and not the individual components. Any SIF is comprised of three discrete areas: “Sensors”, “Logic Solvers” and “Final Elements”. Figure 5 indicates these areas of an SIF for over-pressure isolation.

[Figure 5: Sensors; Logic Solver (PLC); Final Elements.]

Fig. 5. Example of an over-pressure shutdown.

The “Sensors” detect the presence of the potential onset of a hazardous condition (e.g., over-pressure). The “Logic Solver” is the programmable logic controller (PLC) which determines what action to take after the “Sensors” have detected a potentially hazardous event. The “Final Elements” perform the required safety action (e.g., ESD of the valve). The scope of this document only covers the “Final Elements” as this is the area where fluid power actuators function.

When assessing the performance of the SIF we must consider the solenoid valve, actuator and valve as a single entity with regard to the PFDavg calculation as the failure of any of these components will cause the SIF to fail.

In order to prove that the SIF is performing to the required SIL rating, it is necessary to know the failure rates of the equipment used so that it can be verified that the maximum allowable PFDavg is not exceeded. Failure rate data gives the operator a measure of when the equipment is likely to fail over a given period of time (i.e., the older the equipment, the more likely it is to fail when required to operate). The PFDavg can be calculated from this data. When it reaches the maximum allowable level, the plant must be shut down and all safety systems fully tested.

Is it possible to procure an actuator with a SIL rating approval?

The simple answer is no. Only the complete SIF can have a SIL rating, not individual components. However, components (e.g., actuators) can be certified “suitable for use” at a particular SIL rating.

Operators and contractors may look for components certified as “suitable for use” as this will simplify the design process. In addition, if the component has failure rates that are known to be compatible with the required SIL rating, the safety calculations are also made much simpler.

How are actuators certified as “suitable for use” for specific SIL ratings?

There are two aspects to the process of attaining a SIL certificate. The first is assessing the design and failure rates of the equipment. This can be accomplished through either of two techniques: FMEDA (Failure Modes, Effect and Diagnostic Analysis) and “Proven in Use”.

The second aspect is auditing the vendor's manufacturing and quality processes. This audit proves that the vendor is capable of manufacturing the product to the designed performance standard. These assessments must be audited by an approved accreditation body such as Exida or TÜV.


Suitable for Use Method 1 – FMEDA


FMEDA is a technique that assesses the performance of a
device by evaluating the effects of the different failure modes
of all components in the design. Every component is assessed
for the type of failure (dangerous or safe) and the likelihood
of failure (failure rate). All of this data is then collated to
produce overall dangerous and safe failure rates that can be
used in safety calculations.
FMEDA studies can be conducted either by the vendor or a
third-party body but, in both circumstances, must be audited
by an accredited body to prove that best practices have
been used.

Suitable for Use Method 2 – Proven in Use


It may not be possible, practical or cost effective to conduct
an FMEDA on a product, particularly if it is of an old or
complex design. In these cases, products may be certified by
using “Proven In Use”.
“Proven In Use” as defined in the IEC 61508 standard is
a documented assessment that has shown that there is
appropriate evidence, based on previous use history of the
component, that it is suitable for use in a safety system.
This documented evidence must include the following:
• The manufacturer’s quality and management systems.
• The volume of the operating experience with statistical
evidence to show that the claimed failure rate is
sufficiently low.

Failure Rate Data


Once the studies have been completed, the user is
presented with the failure rate data. This data falls into two
fundamental categories: dangerous failure rate (λD) and safe
failure rate (λS).
The dangerous failure rate (λD) data relates to failures that
will result in the SIF being unable to perform the required
safety function upon demand. The safe failure rate (λS) data
relates to those failure modes that will put the safety function
in its safe state (e.g., shutdown).
SIL is only concerned with the dangerous failure data but the
safe failure data is important as this provides the operator a
measure of how likely the safety system is to spuriously trip.

Do we need to test the SIF?


As described in earlier sections, SIL prescribes the maximum
level that the PFDavg is permitted to reach. There are
two types of tests that can be performed to help maintain
the PFDavg at a suitably low level: Proof Tests and
Diagnostic Tests.


Proof tests
A proof test is a manual test performed during shutdown
that tests the entire functionality of the SIF from sensing to
actuation. It must be suitably configured to test all aspects of
the safety function to prove that the SIF is “as good as new”.
There may be several negative ramifications — particularly
expense related — due to a proof test necessitating a process
shutdown.

Diagnostic Tests
A diagnostic test is an automatic test performed online that
does not necessitate process shutdown. This type of test
must be performed at least ten times more frequently than
the expected SIF demand rate.
A diagnostic test will test only a percentage of the total
possible failure modes of the SIF; this percentage is called the
Diagnostic Coverage (DC). These tests contribute to reducing
the PFDavg of the SIF and thus assist in the extension of the
proof test interval. The higher the DC, the greater the benefit
gained from the test. For the “final elements” within the
scope of this document, this type of test is called a partial
stroke test.
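
The effect of diagnostic coverage on PFDavg and on the proof test interval, worked through as an added example (not part of the Rotork brochure). It assumes the common simplified single-channel (1oo1) approximation and the IEC 61508 low-demand PFDavg bands; the failure rate, coverage and intervals are constructed values, and only the PFDavg criterion is checked.

```python
import math

# Upper PFDavg limit per SIL, low-demand mode (IEC 61508 bands).
SIL_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

def pfd_avg(lambda_d, proof_h, dc=0.0, diag_h=0.0):
    """Simplified 1oo1 PFDavg (assumed model, not taken from the brochure).

    The fraction dc of dangerous failures is found by the diagnostic test and
    stays hidden for diag_h/2 on average; the rest waits for the proof test.
    """
    if not 0.0 <= dc <= 1.0:
        raise ValueError("dc must be between 0 and 1")
    return dc * lambda_d * diag_h / 2 + (1 - dc) * lambda_d * proof_h / 2

def achieved_sil(pfd):
    """Highest SIL whose PFDavg limit is met (0 if even SIL 1 is missed)."""
    return max((s for s, lim in SIL_LIMIT.items() if pfd < lim), default=0)

def max_proof_interval(lambda_d, target_sil, dc=0.0, diag_h=0.0):
    """Longest proof test interval (hours) that keeps PFDavg under the limit."""
    budget = SIL_LIMIT[target_sil] - dc * lambda_d * diag_h / 2
    if budget <= 0:
        return 0.0          # diagnostics alone already exceed the limit
    if dc == 1.0:
        return math.inf     # nothing is left for the proof test to find
    return 2 * budget / ((1 - dc) * lambda_d)

def diagnostic_rate_ok(diag_h, demand_h):
    """Page's rule: test at least ten times more often than the demand rate."""
    return diag_h * 10 <= demand_h

if __name__ == "__main__":
    LAMBDA_D = 2e-6          # constructed dangerous failure rate, per hour
    PST_H, DC = 730.0, 0.7   # constructed: monthly partial stroke, 70 % coverage
    for years in (1, 3):
        t = years * 8760.0
        plain, with_pst = pfd_avg(LAMBDA_D, t), pfd_avg(LAMBDA_D, t, DC, PST_H)
        print(f"{years} y proof test: PFDavg {plain:.2e} (SIL {achieved_sil(plain)})"
              f" -> {with_pst:.2e} (SIL {achieved_sil(with_pst)}) with PST")
    print("max interval for SIL 2, h:", max_proof_interval(LAMBDA_D, 2),
          "->", max_proof_interval(LAMBDA_D, 2, DC, PST_H))
```

With these constructed numbers, a three-year proof test interval meets only SIL 1 on its own but stays inside the SIL 2 band once the partial stroke test is credited.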

What is the experience of Rotork when addressing SIL requirements?

In addition to having actuators currently operating in both
SIL 2 and SIL 3 environments, Rotork also has a Partial Stroke
Testing tool (the SVM Smart Valve Monitor) that provides the
highest possible diagnostic coverage.
Rotork also provides services related to the safety calculations
for the entire final element assembly, including the valve
and controlling solenoid valves. By creating a database of
known failure rates for various final elements, Rotork is able
to provide recommendations for control mechanisms and
valves that will provide the end-user with the best possible
performing system that yields the best possible long-term
financial benefits.
Our services assist the end user in extending shutdown
intervals to the maximum possible time frame within the
required SIL rating and also provide peace of mind against
spurious trips.

Can Rotork supply actuators for my SIL 2/3 requirements?

Yes.
SIL and other statutory requirements such as ATEX and PED
place great demands upon suppliers. A consequence of SIL
is the requirement for a product with a declared reliability
according to IEC standards.
A valve actuation provider must be much more than a
manufacturer to meet these ever increasing demands.
Suppliers for SIL applications must be extremely well versed in
the industries and applications that they serve. They must also
possess the engineering know-how and resources required to
properly execute the process of supply for SIL applications.
Rotork is a global leader in valve actuation technology.
We provide a comprehensive range of valve actuators,
controls and associated equipment, as well as a variety of
valve actuator services including commissioning, preventive
maintenance and retro-fit solutions. We are dedicated
to providing the marketplace with the latest technology,
consistently high quality, innovative design, excellent reliability
and superior performance. Most importantly, we have a
longstanding commitment to meeting the special needs of a
wide range of applications including: oil and gas exploration
and transportation; municipal water and wastewater
treatment; power generation; and the chemical and process
industries. With more than fifty years of engineering and
manufacturing expertise, we have tens of thousands of
successful valve actuator installations throughout the world.
Rotork maintains dedicated engineering groups for
Applications, Product Improvement and New Product
Development so that our customers can gain all the benefits
that ever advancing technologies have to offer and also to
ensure our efforts are in step with the continually evolving
needs of our customers.
To properly support our customers around the globe, Rotork
maintains manufacturing facilities throughout the world.
In addition to these manufacturing facilities, we maintain a
network of Centres of Excellence strategically located around
the world. These actuation specialist centres hold stock,
provide application engineering and packaging of control
components as well as providing sales, service, installation
and commissioning support. With these vast resources
available, we are able to provide solutions for any application
requirement.

Are there examples of SIL 2 or SIL 3 systems that Rotork can provide for review?

Yes.
Rotork has employed all the methods outlined above. Specific
information can be made available for review upon request.

In conclusion, Rotork is capable of providing complete SIL
solutions for final elements used in Safety Instrumented
Systems. We have extensive project and industry experience
working with and providing SIL certified actuators and
services for the oil & gas and hydrocarbon industries.

Electric Actuators and Control Systems
Fluid Power Actuators and Control Systems
Gearboxes and Gear Operators
Precision Control Instruments
Projects, Services and Retrofit

UK
Rotork plc
tel +44 (0)1225 733200
fax +44 (0)1225 333467
email mail@rotork.com

USA
Rotork Controls Inc.
tel +1 (585) 247 2304
fax +1 (585) 247 2308
email info@rotork.com

A full listing of our worldwide sales and service network is available on our website.

www.rotork.com

As part of a process of on-going product development, Rotork reserves the right to amend and
change specifications without prior notice. Published data may be subject to change. For the
very latest version release, visit our website at www.rotork.com
PUB000-012-00
The name Rotork is a registered trademark. Rotork recognises all registered trademarks.
Issue 06/12 Published and produced in the UK by Rotork Controls Limited. POWSH0512
