SIL CALCULATION EXAMPLES

this module will illustrate how seal calculations for safety functions are performed using practical examples the calculation formulas and the general procedure are explained in detail in module seal verification and we recommend you to complete this course in advance for better understanding before we begin with an example calculation we would first like to briefly clarify the general procedure and the calculation method as explained in previous modules using the risk analysis the risk to be covered will first be analyzed and the so-called target seal determined according to which the safety loop will be later designed for using the example of overfill protection we will briefly review the calculation method as a general rule two things are required all components of the sensors the actuators as well as the safety system must conform to the structural constraint which means in accordance with the hardware fault tolerance hft and the safe failure fraction sff this value is normally taken from the manufacturer's declaration secondly it must be verified that the probability of failure on demand the pfd value conforms to the required target seal this means that the sum of the failure rates of the sensors the actuators as well as the safety system is between 10 to the power of minus 2 and 10 to the power of minus 3 per year in case the target seal was found to be seal 2. for the calculation of the sensors as well as the actuators the formulas described in the module seal verification are used the lambda du value corresponds to the number of dangerous undetected failures within a unit of time in iec 61508 this value is expressed in fit fit stands for failure in time where the unit of time is defined as 10 to the power 9 hours which corresponds to approximately 114 000 years a lambda d u equals 65 f i fit would correspondingly mean that the device will have on average 65 dangerous undetected failures within a period of 10 to the power 9 hours or 114 000 years as a general rule this lambda d u value is taken from the manufacturer's certificates in this example the value of the level switch is 33 fit in cases where no manufacturer certification exists for the sensor or the actuators so-called generic failure rates can be used which are described in detail in the module generic values the variable ti stands for the test interval in which the safety loop is regularly tested as mentioned previously the cyclic test of the safety function is of central importance as it can be seen in the formula the test interval has direct impact on the pfd value the less often the loop is tested the higher the probability to fail on demand the purpose of calculating the safety loop is to determine the test interval so that the pfd value of the entire safety loop conforms to the required seal classification the following examples will now illustrate the calculation process the safety loop calculation will be illustrated firstly using the example of a hydrogen compressor in the compressor shown schematically here hydrogen is compressed to 200 bar or 2 900 psi respectively the risk in this application is that the hydrogen combines with oxygen and results in an ignitable mixture the risk associated with this application is that hydrogen passes through the shaft seal in the pre-chamber and in the shaft space so that the hydrogen comes into contact with the oxygen a compound of oxygen and hydrogen is highly ignitable and the risk of an oxyhydrogen gas explosion exists which in this case represents an immediate danger to people standing in close proximity to the compressor to avoid the formation of a flammable or ignitable mixture the shaft space is inerted with nitrogen thereby preventing the ignition of the gas the task of the safety function in this case would be to ensure that the shaft space is always inerted with nitrogen during operation of the compressor if for any reason the inertia can no longer be guaranteed the compressor must be switched off immediately to ensure the safety of personnel located in the immediate vicinity as already mentioned a risk analysis must first be carried out the extent of damage in case of failure of the inerting and subsequent explosion due to the combining of oxygen and hydrogen is rated with cb since flying parts from the compressor can easily cause severe and irreversible injury to persons the exposure time of persons in the immediate vicinity of the compressor is to be evaluated with fb since personnel are often active in this area since avoidance of the danger is hardly possible pb must be used in the risk graph at the end of the risk analysis when using the risk graph method there is also the question of the probability of the risk occurrence that is an explosion of the oxygen hydrogen mixture this is assumed to be low or w2 in this example since the respective operator was able to prove in this case by means of statistics using an identical compressor with equivalent inerting that no event of damage had taken place within a period of ten years therefore the target seal is assigned with seal two according to which the safety loop has to be designed for we will now turn to the functional diagram of the compressor in order to ensure safe operation the inerting of nitrogen as previously mentioned must be safeguarded by means of a safety function a variable area flow meter which monitors the inerting is best suited for that purpose as soon as the measured flow of nitrogen falls below a certain amount the digital signaler of the measuring device reports logic 0 and the safety function must be triggered which means the compressor has to be switched off it should be noted that the evaluation is selected via logic zero in order to cover a possible circuit break in the safety function the connected safety controller can now interrupt the power supply of the compressor via a hybrid motor starter for the design of the safety function we will now define the structure the sensor consists of a variable area flow meter that monitors the nitrogen inerting in this example we're using the krona h250 m40 measuring device which has seal two classification for the min max switch we will therefore begin the design with single channel architecture called one out of one configuration the hema f35 is used as the safety controller which has cl3 classification as standard since a safe voltage disconnection is required for the actuators in this safety function a hybrid motor starter from phoenix contact is used which can safely switch off up to four kilowatts as this device also has a cl3 approval we will first use it as single channel for the next stage we require verification of at least a structural co2 capability for all components as well as the value for the lambda du failure rate which represents the number of dangerous undetected failures we will begin with the h. 250 m40 variable area flow meter looking at the seal certification it shows the structural capability of seal 2 in accordance with sff and hft as well as the lambda du value of 77 fit next we require the corresponding values for the hema f35 controller it's important to note the structural capability for all hema safety controllers is seal three pfd values are normally specified directly since calculating these values using the failure rates is too complex for end users the values for this controller with a 10-year test interval is 12.

09 times 10 to the power minus 5. finally the safety characteristics of the hybrid motor starter are still needed in addition to the structural capability of seal 3 the lambda du value is specified with 6. 82 fit therefore all the relevant data needed for the calculation is now available as mentioned previously if the lambda du values for sensors or actuators are not available generic values can be used we now come to the last stage which is the calculation of the entire safety chain as mentioned previously the total probability of failure on demand the pfd avg value is the sum of the pfd value of the sensors the controller and the actuator as a reminder we will show once again the calculation formulas for the pfd calculation which are applied to the sensor and the actuator at this point it should be reiterated that the pfd values of the control system are normally taken from the corresponding safety manual and not calculated according to the formula shown for the calculation of the sensor the h250 m40 variable area flow meter we apply the formula for single channel use or the one out of one architecture for the lambda du values we use the value 77 fit for the ti test interval we want to import one year to begin with meaning and 8760 hours the unit of hours cancel one another out and the result is a pfd value for the sensor of 0.

00034 or 0. 34 multiplied by 10 to the power minus 3 respectively we've taken the pfd value for the controller of 0. 121 times 10 minus 3 for a 10-year test interval from the corresponding hemodocumentation at this point we may again point out that independent of the actual test interval for the safety loop for simplicity we've always calculated a 10-year test interval for all hemocontrollers for the calculation of the actuators we are also using the one out of one formula the lambda d u value of 6.

82 f i t and a test interval of 8 760 hours the result is 0. 029 multiplied by 10 to the power minus 3. as the overall result we have a pfd value of 0.

488 multiplied by 10 to the power minus 3 for a 12 month test interval in accordance with cl2 specifications a pfd avg value of lower than 10 multiplied by 10 to the power -3 is required for cl2 capability which in this calculation example is achieved by more than a factor of 20. finally to illustrate once again the dependency of the pfd value of the safety function from the defined test interval we've calculated the total pfd value once more at different test intervals if you were to test the safety loop once a month in the formula you would use for the ti test interval of 8760 hours divided by 12 resulting in 730 hours and the total pfd would have a value of 0. 15 multiplied by 10 to the power minus three for a three month test interval zero point two one multiplied by ten to the power minus three for a six month test interval zero point three four multiplied by 10 to the power minus 3 for 12 months 0.

48 multiplied by 10 to the power minus 3 and 0. 86 multiplied by 10 to the power minus 3 for 24 months and finally 1. 96 for a 72 month test interval as mentioned previously the structural constraint is independent of the test interval and for the safety function always seal two since the variable area flow meter only has a cl2 classification to conclude this example it should be said that in this case we have a particularly simple structure and very good pfd values so that even without further measures a five-year test interval would be acceptable in the following examples and according to the same learning method we will show other safety loops which have other special features such as seal three requirements redundant connections and diagnostic coverage consumption measurement of atomizing air will be illustrated in this example we will illustrate a safety function for the air consumption measurement of atomizing air to the rotary kiln in a hazardous waste incinerator at a large chemical company in a rotary kiln the residues of a chemical process are burned by means of an atomizer lance the residues are evenly distributed in the rotary kiln it's important in this process that atomizing air is constantly blown in during the combustion so that the material can be uniformly and completely pre-burned in the combustion chamber all toxic residues are then oxidized at about 1100 degrees celsius or 2000 degrees fahrenheit the risk in this application is if the atomizing air is interrupted the consequence of this would be that the material cannot be completely burned a high concentration of carbon monoxide forms and there is risk of explosion of the rotary kiln due to deflagration the safety function for this application must ensure that atomizing air is blown in constantly during operation of the rotary kiln if this can no longer be assured then the supply of liquid waste must be interrupted immediately the combustion of the material still inside the rotary kiln is not stopped at this point in order to avoid a dangerous explosive atmosphere inside the kiln as already described in the first example the risk analysis must first be carried out the extent of damage in case of failure of the supply of atomizing air and subsequent explosion due to deflagration is rated with cc because individuals standing in close proximity to the furnace could be killed in the worst case scenario by flying parts from the rotary kiln the exposure time of persons in the immediate vicinity of the rotary kiln is to be evaluated with fa since the operator has made this area accessible only to control personnel since avoidance of the danger is also hardly possible pb must be used in the risk graph at the end of the risk analysis when using risk graphs there is also the question of the probability of the risk occurrence in this case the explosion of the rotary kiln this is considered as low or w2 in this example since this has not happened before to identical rotary kilns in the past five to eight years therefore the target seal is assigned with seal two according to which the safety function has been designed for as in the first calculation example so for a detailed description of the safety function we will look at the functional diagram of this application again once the supply of atomizing air can no longer be guaranteed the supply of the chemical residues must be immediately interrupted vortex measuring devices are ideal for the measurement of atomizing air since they have by comparison a very high dynamic range covering between 70 and 800 standard cubic meters without generating any significant pressure loss in the previous example where nitrogen is measured by means of a variable area flow meter digital limit switches have been evaluated in the sensory part in order to determine when the inerting amount falls below a minimum level in this case the analog measuring signal must be evaluated since the amount of atomizing air required is dependent on the consistency of the chemical residues and is therefore variable the control valve with the pneumatic positioner is used as the final element which in the event of triggering of the safety function immediately interrupts the supply of the chemical residues object for the design of the safety function we will first define the structure again the sensor technology consists of the optisworld 4200 vortex measuring device to monitor the atomizing air the integrated pressure and temperature compensation is emitted here for two reasons the absolute measurement accuracy in this safety function is not of crucial importance in addition for measuring devices according to this measuring principle only the flow measurement without pressure and temperature compensation is seal certified therefore the measuring device in this application can be used in a cl2 safety function in single channel use and we again specify the the hema f60 safety system has as shown in the previous calculation example a cl3 classification as standard the samson 241 control valve with a pneumatic positioner and a pneumatic drive is used for the final element to stop the flow of chemical residues all three components of this assembly must have a seal to approval for the structural which is the case here the lambda du failure rates of all three components are added together for further calculation since all components of this assembly have proof of structural seal2 capability we will also use it as single channel for the next stage as previously mentioned we require verification of at least a structural cl2 capability for all components as well as the value for the lambda du failure rates meaning the number of dangerous undetected failures we will begin with the optiswell 4200 vortex measuring device in addition to the structural suitability in seal 2 which is only given if no temperature and pressure compensation is used the cl certificate specifies a lambda du value of 150 fit the input card of the hemocontroller indicates a pfd value of 1.

75 times 10 to the power minus 5 for a 10-year test interval for the hema f60 main controller a value of 4. 88 times 10 to the power -5 is given and like the important output cards it has a seal 3 classification the output card is on a similar level as the input card the 241 control valve from samsung has with the valve the pneumatic positioner as well as the pneumatic drive a total rate of 54. 9 fit all components also have the required cl2 classification finally to illustrate once again the dependency of the pfd value of the safety function from the defined test interval we've calculated the total pft value at different test intervals if you were to test the safety loop once a month the pfd value would be 0.

17 times 10 to the minus 3 which is significantly below the required value of 0. 01 or 10 times 10 to the minus 3. for a three-month test interval the value increases to 0.

32 times 10 to the minus 3. for a six month test interval to zero point five four times ten to the minus three for a twelve month test interval to zero point nine nine times ten to the minus three and one point eight nine times 10 to the minus 3 for a 24 month test interval as well as 4. 58 times 10 to the minus 3 if the safety function is tested every 5 years the structural capability as previously mentioned is independent of the test interval and for this safety loop always seal two this example illustrates that for cl2 requirements according to five-year inspection intervals the pfd values are still realistic with a safety factor of two as a general rule test intervals in the industry are set to one or two years to illustrate the topic of diagnostic coverage using a practical example we will now show in detail an application for general inerting of gases in a shredder color pigment paste is ground and then dried in a burner after the drying process there is a risk of dust explosion since the concentrate is considered to be highly flammable with an oxygen concentration of above eight percent for this reason nitrogen is supplied in order to lower the oxygen concentration and minimize ignition of the medium with an oxygen concentration of greater than six percent the nitrogen valve is opened up at more than eight percent the safety function is triggered all assemblies and ignition sources must be switched off the danger lies in the dust explosion which can cause the entire structure to burst and thus endanger people switching off the fan and rotary feeder prevents this situation to ensure that the oxygen meter is supplied with sufficient medium from the tank the flow in the feed line must be continuously measured if the flow rate falls below a critical value the safety function must be triggered that is switching off the fan and the rotary feeder since the correct oxygen measurement can no longer be insured the safety function is also triggered when the oxygen meter reports an oxygen concentration of greater than eight percent as in the first example a risk analysis must also be carried out next the extent of damage in the event of a dust explosion could cost many lives and is therefore rated with cc as the entire structure may rupture in the worst case scenario the exposure time of persons in the immediate vicinity of the compressor is to be evaluated with fb since several people are often standing near to this part of the system avoidance of the danger is hardly possible since a dust explosion is triggered by a spark and does not allow time for a reaction of the workers therefore as the next step pb must be inserted in the risk graph the result is again the question of the probability of the risk occurrence that is the probability that the dust explosion occurs unless a protection function is used this is assumed to be very low or w1 in this example since these types of systems have been operating for considerably longer than 10 years and without any claims for loss or damage in addition no oxygen concentration greater than seven percent has been measured in this period therefore the target seal is assigned with seal two according to which the safety device has been designed for before we illustrate the structure of the safety loop we will take a look at the functional diagram once again the sensor of the safety loop in this case is solely the oxygen meter since the oxygen concentration in this example is the primary measured variable based on which it is decided whether the safety function must be triggered however experience has shown that in approximately twenty percent of all failures of the oxygen meter too little medium was supplied without a warning being issued by the measuring device this twenty percent can be easily identified and diagnosed through a measurement solution by using a variable area flow meter directly in front of the oxygen meter this meter can trigger the safety function using the min max limit switch at too low medium supply since it can be assumed that an oxygen measurement without sufficient medium is unreliable in any case this type of improvement of the safety loop is referred to in iec 61508 as diagnostic coverage or dc a diagnostic coverage range of 20 percent in this case means that 20 percent of the expected failures are covered in the oxygen measurement with a suitable device that is an upstream flow meter an important note in this context is that the diagnosis is still not a direct part of the safety loop and therefore does not have to have seal approval rather in this case the availability of the diagnosis is calculated that is the availability of the measurement which is assumed to be 100 percent a detailed description of the calculation of the diagnostic factor is described in iec 61508 however in practice the values used are usually based on experience let's now look at the functional diagram of the safety loop as already illustrated in the previous slide the dk-32 variable area flow meter from kroner is from a safety point of view only for diagnostic coverage therefore as a general rule the addition of the letter d is entered in the description which indicates that in addition to the one out of one architecture diagnostic coverage is present in the sensor part the use of a variable area flow meter is also recommended since the medium feed can be manually adjusted using the existing standard flow valve and monitored visually with the display indicators since the oxygen measurement a polytron 7000 by drega is the primary measurement it is the actual sensor for the purpose of the safety function for a cl2 classification we use the device in single channel execution where a one out of one architecture is present the hema h-41q modulus safety system is used as the controller the actuating elements in this case are a classic two out of two architecture since in order to reach the safe state they must be switched off independently from the fan and the rotary valve both devices are connected by a four kilowatt semiconductor contactor type contactron contactron4in1 by phoenix contact as in the first example we now need the safety related characteristics lambda du as well as the structural capability of all installed components the drager oxygen meter has a structural cl2 capability a lambda du value of 357 fit however in this case since a diagnostic coverage of 20 was realized by the upstream flow meter the lambda du specification in this example can be reduced by 20 to 286 fit the kroner dk 32 variable area flow meter also has cl2 approval which is not required in this example since the device is only used for diagnostic coverage the hema h-41q is used as the safety controller which has cl3 approval as standard and also correspondingly low failure rates two semiconductor contactors by phoenix contact from the contractron series are used as the actuators since these are purely electronic devices without wear prone mechanical parts the lambda du failure rates are very low at 2.

5 f i t as in the first examples we've used different values for the test interval for the calculation of the pfd value the detailed description for the different test intervals work exactly the same way as in the first examples looking at the results of the calculation shows that the overall result even with a proof test interval of 72 months is still well below the requirement of less than 0. 01 that is less than one failure in 100 years the next calculation example comes from the energy sector a cooling water monitoring system for a gas kiln for the cooling of a gas kiln cooling water is stored in large cooling water tanks which are about 2. 5 meters by 6 meters in size the kiln is water cooled the cooling water is cooled in special tubes in the cooling water tank if the cooling water level drops below the minimum the cooling tubes are exposed and would overheat the entire cooling water tank is therefore liable to explode for this reason the level in the tank must be continuously monitored and in the event of a fall below the minimum water level the inlet opened if the cooling water level falls below the cooling tubes the gas kiln must be switched off immediately due to the danger of explosion of the cooling water tank first we will carry out the risk analysis again due to its size the extent of damage caused by an explosion of the cooling water tank has devastating consequences it can kill or seriously injure several people and is therefore rated with cc the exposure time of persons in the immediate vicinity of the compressor is to be evaluated with fb since several people are often standing near to this part of the system avoidance of the danger is very difficult since overheating of the cooling tubes in the tank is not noticeable and does not allow time for a response from the people in the vicinity therefore as the next step pb must be inserted in the risk graph the result is again the question of the probability of the risk occurrence that is the probability that the explosion will take place unless a protection function is used this is assumed to be low or w2 in this example since this event has happened before to an identical power plant therefore the target sill is assigned with seal 3 according to which the safety device has been designed for to achieve seal 3 capability for the sensor elements there are essentially two options the first option is a diverse redundant design that is either with regard to the measuring principle based on two different processes or two measuring devices of different manufacturers the second option is the use of a measuring device which is designed in redundant configuration for seal three both variants reduce the systematic failure sources to a cl3 level in the example shown a diverse redundant solution was realized firstly the level measurement should be designed as an analog system in order to measure the actual level for this purpose a level transmitter can be used that works with guided microwaves this measuring device continually sends out microwaves on a wire rope which are reflected on the water surface the time difference measurement allows for a very precise level measurement in this case furthermore a level switch was used which functions according to the tuning fork principle the tuning fork is set at resonance frequency upon contact with the medium it is deeper since the mass of the tuning fork increases a simple measurement of this frequency gives an indication of whether contact with the medium is present or not in this way a diverse redundant measurement has been realized as both measuring methods function completely differently the level switch would meet the seal 3 capability in a 1 out of 2 voting on its own however in this case an additional analog measurement was requested by the operator in this safety function the voltage disconnection of the gas furnace is needed for the actuators for this purpose a load contactor with 400 kilovolts and a coupling relay is used for design data in redundant circuit design at this point it should be noted that for devices without software such as contactors and relays that is type a devices a homogenous redundancy is sufficient to meet a seal three requirement since there are no systematic failure sources let's look at the functional diagram of the safety loop again as described in the previous slides the sensor elements are a diverse redundant level measurement firstly the analog level meter which records the level with guided microwaves secondly a level switch that digitally records whether there is sufficient cooling water a hemax controller is used as the safety control the actuators in this case are a homogeneous one out of two architecture each with a load contactor and a coupling relay to switch off the gas kiln in this application for sealed three approval of the entire safety loop we need verification for the sensor the controller and the actuators each independent from one another in seal three the sensor is suitable for seal three application through the diverse redundant connection of two cl2 devices the failure rates of the analog optiflex 2200 level transmitter are clearly higher than the technically simple optiswitch 5000c level switch since the analog level transmitter using guided microwaves is technically more complicated than a level switch the safety control is built around a hema hemax system which has cl3 certification for both the input and output cards and the controller the actuator system consists of a coupling relay by phoenix contact which already has seal 3 approval as standard as well as the 400 kilovolt dilm 26 load contactor by miller the lambda du value of 700 fit for the load contactor has been calculated in accordance with the machinery directive 13849-1 using b10d values an explanation of this calculation is not part of this learning module if interested please call the hotline of krona academy online since both the coupling relay and the load contactor are type a devices the structural cl3 capability for the actuators is given in this case in this example we've also used different values for the test interval for the calculation of the pfd value looking at the results of the calculation shows that the overall result even with a test interval of 12 and also 24 months the whole pfd value with 0.

48 and 0. 57 is still okay a test interval of 72 months is not possible in this construction as the calculated pfd value of 1. 06 multiplied by 10 minus 3 does not meet the seal 3 requirement in general it should be noted that a 24-month test interval with this seal 3 application is not advisable and a higher outlay in terms of redundancy diversity diagnostic coverage and further measures would be more worthwhile since the extent of damage is very critical in the final calculation example a temperature monitoring safety function is explained which also illustrates the subject of diagnostic coverage using a downstream flow meter in a chemical process for paper manufacturing dicatine is processed the risk in this application is that overheating of the dicatine leads to a conversion into ketene as well as overpressure therefore there is a risk of uncontrolled leakage of the hot medium through the safety valve which contains acetic acid among other things any person standing in the danger zone could be seriously injured the pressure tank is measured for over temperature and at fixed limit value of 120 degrees celsius or 248 degrees fahrenheit respectively the inlet of the cooling water through valve 1 must be completely opened the outlet through valve 2 must also be opened to drain the medium which is too hot and converted into catin due to the high aggressiveness of the medium and solid particles duty factors are used for the second valve which impair the calculated failure rates in relation to the actuators duty factors are used when the sensor or actuator is not used according to the manufacturer specifications which are described in the safety manual in this example the medium is loaded with solids higher than the manufacturer of the valve allows therefore there is a greater risk for example of a shaft break in the ball valve which must be taken into account when calculating the safety function a duty factor of 4 means that the valve in this application is not calculated with the manufacturer's specification of 64 fit but with four times the higher value thus 256 fit for determining this value either the manufacturer can provide information or own statistics may be used the risk analysis leads to the following result the extent of damage caused by uncontrolled leakage of the medium can lead to irreversible injury such as loss of eyesight if any persons located in the immediate vicinity come into contact with the medium therefore the extent of damage is rated with cb the exposure time of persons in the immediate vicinity of the compressor is evaluated with fb since several people are often standing near to this part of the system avoidance of the danger is possible since the temperature of the medium is clearly visible on the boiler and personnel can possibly push the emergency stop button therefore as the next step pa must be inserted in the risk graph the result is again the question of the probability of the risk occurrence in this example this is assumed to be relatively high or w3 since at the time of planning there was still no practical experience for this application which would justify a different assessment therefore the target seal is assigned with seal two for the safety function in this example the sensing element temperature transmitter with a cl2 classification in this application it's important to note that the thermo well is suitable for continuous use with dicatine and catene and can withstand temperatures up to 150 degrees celsius or 300 degrees fahrenheit for the actuators two valves are required for the safety function as mentioned previously firstly valve 1 for full opening of the cooling secondly the medium must be drained as soon as possible as mentioned previously a duty factor of 4 is used in this application due to the high aggressiveness of the medium and solid particles for valve 2.

to compensate the resulting increase in lambda values a diagnostic coverage can be used as already shown in the third calculation example since there is a risk of shaft breakage of the ball valve in conjunction with solid particles a downstream flow measurement is particularly suitable for the diagnosis the basic idea of this diagnosis can be described as follows both the 4 to 20 milliamp feedback of the ball valve and the flow measurement signal are processed in the safety controller an open ball valve and full flow rate would be plausible for example even an open ball valve and low or no flow rate need not necessarily be a fault since the reason for the low flow rate in the example could be due to too little pre-pressure or an empty boiler if however flow rate is measured when the ball valve is still closed then there will be clear information that there is shaft damage of the ball valve the controller can output at this time a warning to the operator that there is obviously a fault in the assembly since the occurrence of shaft damage which is very rare in practice generally does not take place at the same time as the occurrence of the hot medium there is sufficient time for the operator to check the error and if necessary resolve it according to statistics shaft damage accounts for about half of all ball valve failures and this failure is detected reliably with the downstream flow measurement experts usually calculate a diagnostic coverage range of 50 percent at this point we would like to emphasize that the applicable diagnostic coverage of 50 percent always depends on the application and should be clarified with the local authorities in advance the assumption of fifty percent in this application cannot be generalized let's now look at the functional diagram of the safety loop in all calculation examples as shown in the previous slides the sensor is a temperature assembly with a cl2 certified temperature transmitter the hema h41q controller is used as a safety system in this case the actuating elements are designed in a two out of two architecture consisting of two complete armatures each armature consists in turn of multiple components the actual valve the drive as well as the positioner or solenoid valve for valve 2 the downstream flow measurement is used for the diagnostic coverage only which is indicated by the additional letter d to conclude the last calculation example we will show the safety related characteristics once again for the temperature measurement we're using a temperature assembly with the optitemp tt51 safety transmitter which is single channel and has co2 classification a lambda du of 40 fit for the safety control the h41q safety controller is used as in the third example calculation for the actuators we're using the fifa stop valves including solenoid valves in which the entire armature has structural cl2 classification and a lambda du value of 124 fit for the ball valve situated in the flow we calculate the duty factor 4 resulting in a overall failure rate of 496 fit this value will be lowered further by the diagnostic coverage of 50 percent to 248 fit for the diagnostic coverage function of the ball valve a kroner optimas 1000 mass flow meter is used let's now consider the calculation results as a first step we want to view the calculation results when no diagnostic coverage is used which would be a value of 496 f i fit for the ball valve situated in the flow we can see that with a 12 month test interval we're still within the cl2 range with a pfd value of 5. 52 multiplied by 10 minus three however with a twenty four month test interval the results are already considerably higher with eleven multiplied by ten minus three now let's consider the results with calculated diagnostic coverage the calculated pfd value with a test interval of 24 months has improved significantly to 6. 64 multiplied by 10 minus 3.