MXa SIL

Guidance and Certification

SIL 3 capable for critical applications

Experience In Motion
Functional Safety in Plants
Safety and instrumentation engineers demand that a nature (e.g., pressure sensor), a PLC or DCS (host device
functional safety system’s probability of dangerous that receives the sensor input and outputs safety signal) and
failures be greatly reduced in order to minimize the risk an operator, which may consist of a valve and an actuator.
to humans and the environment. Functional safety can be The components of an SIS should each have a SIL capable
defined as a safety function which insures that, when a rating that enables a safety engineer to select the individual
device failure occurs, the device performs in a manner devices based upon their respective average Probability
so as not to jeopardize plant safety. This means that the of Failure on Demand (PFD). PFD is the probability that a
device performs its intended function when called upon device will not function when called upon in an SIS. The
(Emergency Shut Down or ESD mode) or its lack of average PFD for each device is added together to total the
performance (stay-put mode) does not increase the risk system PFD. This SIS total determines the overall SIL rating
of further failure. A method for determining exposure for the system in question. Selecting a low average PFD for
levels of functional safety is defined in IEC 61508, each component in the SIS increases the risk tolerance of
Functional Safety of Electrical/Electronic/Programmable the safety system.
Electronic Safety-related Systems. It is complemented
by IEC 61511, Functional safety — Safety Instrumented Electronic Actuators and SIL
Systems for the Process Industry Sector. These two
Electronic actuators are classified as type B, complex
standards are used to aid engineers in designing systems
devices or devices containing microprocessors,
that are functionally safe.
microcontrollers, and ASICs by IEC 61508. Some electronic
actuator manufacturers supply separate hardware devices
Safety Integrity Levels to bypass their internal microprocessors in order to acquire
Functional safety is vital in applications with potential to SIL certification. Flowserve Limitorque’s MXa is SIL
expose people and expensive equipment to random failures certified without adding unique hardware modules, meaning
and their ramifications. This is especially true for equipment that another potential point of failure is removed from the
that employs microprocessors and programmable logic. safety system. It is SIL 3 capable in “as built” configuration.
Users want not only assurances, but also hard proof that In fact, when compared to other actuator providers, the
confirms the equipment purchased for critical safety MXa’s PFD (Probability of Failure on Demand) is the lowest
installations is safe, meeting the stipulations of IEC 61508. in the industry for a type B, complex device. The PFD can
Plant operational functional safety categories are referred be improved by regularly exercising the actuator. This can
to as “SIL”, or Safety Integrity Level, a measurement of be accomplished by performing a partial stroke test (PST),
risk reduction beginning with level 1 and ascending to which is standard configuration for the MXa. It is highly
level 4. Each category change, level 1 to level 2 for example, recommended that a monthly PST be performed to improve
reduces the risk by a function of 10, as seen below: the average PFD of the MXa.

SIL PFDavg RRF (Risk Reduction Factor) For the MXa, SIL 2 is identified as Basic ESD and PST
(moves when commanded) in a “1oo1” configuration (one
4 10-5 ... < 10-4 10 000 to 100 000 out of one means that only one actuator is required to
3 10-4 ... < 10-3 1000 to 10 000 ensure the SIL 2 requirement is achieved). SIL 3 identified
as Stay-put (no unsolicited movement), Enhanced ESD and
2 10-3 ... < 10-2 100 to 1000 PST in a “1oo2” configuration (one out of two means that
1 10-2 ... < 10-1 10 to 100 redundant actuators and valves are required to ensure the
SIL 3 requirement is achieved).
Safety Instrumented Systems and Probability
Proof Test Interval
of Failure on Demand
Mission Time 1 year 3 years 5 years
Each device installed into a Safety Instrumented System
10 yr 2.96 E-3 5.93 E-3 9.52 E-3
(SIS) should be evaluated independently to determine its
FMEDA (Failure Modes Effects and Diagnostic Analysis) 15 yr 3.22 E-3 6.51 E-3 9.77 E-3
and subsequent safety tolerance values. Electric actuators
20 yr 3.47 E-3 6.60 E-3 1.00 E-2
do not, by themselves, comprise an SIS, but are an integral
subset of others devices, i.e., typically a sensor of some PFD table for MXa based upon monthly PST (Partial Stroke Test)
 flowserve.com

MX Multi-turn Smart Actuator

Heavy-duty
Handwheel

Three-phase
Motor
Declutch
Lever

Cast Aluminum Housing

Absolute Encoder

Worm
Gear Set

LCD
Multilingual
Display

Double-sealed
Plug-in
Design
Connectors
External Terminal
Compartment
Hall-effect Local
Control
Control Switches
Chamber

MXa — up to SIL 3 capable, even

when option boards are installed!
MXa and SIL Certification
The SIL certification for the basic MXa, awarded by The FIT for the MXa option boards are:
exida® Certification Services, now includes a suite of Failures in Time (FIT) of MXa Option Boards
option boards which meet the requirements for systematic
integrity up to SIL 3. A SIL 2 or SIL 3 capable MXa can Device λSD λSU2 λDD λDU
include even network protocol field units, e.g., Foundation Arctic Option – ESD Mode 0 0 0 6
Fieldbus H1, Profibus DP & PA, DeviceNet HART and
Modbus DDC. The MXa is identified as SIL 3 capable, Backup Power Board – Stayput Mode 3 0 0 0
meaning it is suitable for any safety integrity levels up to
UPS Power Board – Stayput Mode 5 0 0 0
SIL 3, even with analog or digital out PCBs, or if installed
into an arctic environment down to (-60°C). Please note that Analog Option Board – Stayput Mode 53 0 9 0
to meet the requirements of exida Certification for the SIL
HART Board – Stayput Mode 51 0 9 0
2 or SIL 3 capable MXa the electronic actuator must be
installed, configured and operated, and PST performed at HART Board – ESD Mode 0 0 60 0
regularly defined intervals. Please consult SIL Safety
Manual, LMENIM2350, located on www.limitorque.com for DeviceNet Board – Stayput Mode 9 0 6 0
complete instructions. Foundation Fieldbus Board and
47 0 0 10
Profibus PA – Stayput Mode
MXa and Failures in Time MODBus Board – Stayput Mode 7 0 6 0
For the user this means an MXa can be ordered with any
ProfiBus DP Board – Stayput Mode 47 0 0 10
combination of option boards, including network protocol
field units, with the added confidence that each option has ProfiBus PA Board – ESD Mode 0 0 57 0
been analyzed by exida Certification. exida performed an
Relay Option Board – NI –
FMEDA analysis for both the basic MXa and its associated 11 0 6 0
Stayput Mode
option boards. Each option board was supplied an FIT
(Failure in Time) calculation. A device failure is classified Relay Option Board –
112 2 119 2
Monitor – Stayput Mode
by IEC 61508 as a particular event which impacts proper
and expected performance when requested. Failures In Arctic Option – Stayput Mode 0 9 0 0
Time (FIT) is an indication of the number of failures in
109 hours, or approximately 114 000 years. So, an FIT of
“1” would mean one failure can be expected every 114 000 MXa, Safe Failure Fraction (SFF),
years. The symbol used for the FIT calculation is Lambda and Hardware Fault Tolerance (HFT)
(λ), and the subscript indicates the mode of failure, safe The FIT for each option board can be used to develop a
or dangerous, detected or undetected. The different
safety system’s safe failure fraction (SFF) equation. An SFF
classifications of “failures” and the expected response
is expressed in percent of safe failures which correspond
of an actuator are defined below:
to the overall failure rate. A high SFF value lowers the
• Fail-safe mode = Failure that causes the device to go to its probability of a dangerous event impacting the SIS, e.g.,
defined fail-safe state without a demand from the process 75% SFF is better than 50%.
–– ESD Mode = State in which the device is driven to its The SFF determines the range of acceptable hardware fault
defined safe state (either open or close) tolerance (HFT) for the safety instrumented system. An HFT
–– Stayput mode = State in which the actuator does not is the device’s capability of acting on a safety signal in spite
move (stays put) of system faults. The MXa and its suite of option boards has
• Safe detected = number of safe, detected failures in 109 a Hardware Fault Tolerance of “0”, as determined by exida
hours. (λSD) Certification. This means that, for a SIL 2 application, the
• Safe undetected = number of safe, but undetected failures MXa with any combination of option boards having an HFT
in 109 hours (λSU) of “0” can be installed into an SIS requiring an SFF range
from 90% to < 99%. For an SIL 3 application, redundant
• Fail dangerous, detected = Failure that is potentially
MXa actuators with any combination of option boards can
dangerous and is diagnosed by device diagnostics in
be installed into an SIS requiring an SFF of >/= 99%.
109 hours. (λDD)
• Fail dangerous, undetected = Failure that is potentially
dangerous and is not diagnosed by device diagnostics
in 109 hours (λDU)
MXa SIL Advantages
Advantages of the SIL certification for the MXa include • HFT = Hardware Fault Tolerance – the ability of the device
continued torque and position protection, even when a safety to act upon a valid safety signal in spite of system faults.
event occurs. Also, the need to use external devices to track It is expressed in percentage.
the position of the actuator is removed — the MXa’s reliable • RRF = Risk Reduction Factor – the amount of reduction
Limigard feature insures the user’s connection to the actuator’s in risk gained by specifying an increase in SIL levels.
internal relays do not need to be bypassed. No peripheral An increase of one level (SIL 1 to SIL 2) reduces the
wiring is required to isolate the actuator from its internal RRF by a function of ten (10).
programmable logic for safe operation. The internal safeguard
features of the MXa are sufficient to report the actuator status
and respond when an ESD is asserted.
The addition of the option boards and arctic temperature
components indicates Flowserve Limitorque’s continued
commitment to providing the safest, most reliable electronic
actuator in the industry.

Glossary:
• ESD = Emergency Shut Down – configuration of an actuator
so that it enters a “safe state” when plant control issues an
emergency signal.
• SIL = Safety Integrity Level – relative level of risk reduction
required for a Safety Instrumented Function (SIF). SIL is
generally identified by levels of risk reduction, where SIL 1
is the least dependable classification to SIL 4, the most
dependable classification.
• SIF = Safety Instrumented Function – the specific control
functions performed by a Safety Instrumented System (SIS).
• SIS = Safety Instrumented System – generally, a system
that is instrumented with hardware and software which are
specifically used in critical process applications. They may
consist of a process monitoring device that is connected to
a programmable logic device that transmits to equipment
that controls the safety and reliability of the process.
• FMEDA = Failure Modes Effects and Diagnostic Analysis –
generally a procedure to determine in detail the causes of
errors and their impact on a system.
• PFD = Probability of Failure on Demand – the probability
that a device will not safely function when a dangerous
failure occurs.
• PST = Partial Stroke Test – a test scenario which partially
strokes the actuator/valve combination when enabled. Its
purpose is to routinely actuate a valve in order to preclude
or diagnose a potentially dangerous undetected event
before it occurs.
• FIT = Failures in Time – generally defined as the frequency
of failure for an engineered system or component, expressed
in hours. For SIL evaluations, FIT is expressed in number
of events in 109 hours.
• SFF = Safe Failure Fraction – expressed in percent of safe
failures which correspond to the overall failure rate, e.g.,
SFF = {1-(λDD (λDD) + (λSD) + (λSU) + (λDU)}
 flowserve.com

For more information on the

features, options and certifications
of the Limitorque MX, consult
Flowserve bulletin LMENBR2302.
www.limitorque.com

Flowserve Corporation England Singapore

Flow Control Flowserve Limitorque Flowserve Limitorque
Euro House 12, Tuas Avenue 20
United States Abex Road Singapore 638824
Flowserve Limitorque Newbury Phone: 65-6868-4628
5114 Woodall Road Berkshire, RG14 5EY Facsimile: 65-6862-4940
P.O. Box 11318 United Kingdom
Lynchburg, VA 24506-1318 Phone: 44-1-635-46999 China
Phone: 434-528-4400 Facsimile: 44-1-635-36034 Limitorque Beijing, Pte., Ltd.
Facsimile: 434-845-9736 RM A1/A2
Japan 22/F, East Area, Hanwei Plaza
Limitorque – Nippon Gear Co., Ltd. No. 7 Guanghua Road, Chaoyang District
NOF Bldg. 9th Floor Beijing 100004, Peoples Republic of China
1-11-11, Kita-Saiwai, Nishi-Ku Phone: 86-10-5921-0606
Yokohama (220-0004) Facsimile: 86-10-6561-2702
Japan
Phone: 81-45-326-2065 India
Facsimile: 81-45-320-5962 Flowserve Limitorque, Ltd.
Plot No 4
Export Promotional Industrial Park
Whitefield, Bangalore 560066
India
Phone: 91-80-40146200
Facsimile: 91-80-28410286

FCD LMENFL2351-02 May 2016

Flowserve Corporation has established industry leadership in the design and manufacture of its products. When properly selected, this Flowserve product is designed to perform its
intended function safely during its useful life. However, the purchaser or user of Flowserve products should be aware that Flowserve products might be used in numerous applications
under a wide variety of industrial service conditions. Although Flowserve can (and often does) provide general guidelines, it cannot provide specific data and warnings for all possible
applications. The purchaser/user must therefore assume the ultimate responsibility for the proper sizing and selection, installation, operation, and maintenance of Flowserve products.
The purchaser/user should read and understand the Installation Operation Maintenance (IOM) instructions included with the product, and train its employees and contractors in the safe
use of Flowserve products in connection with the specific application.

While the information and specifications contained in this literature are believed to be accurate, they are supplied for informative purposes only and should not be considered certified or
as a guarantee of satisfactory results by reliance thereon. Nothing contained herein is to be construed as a warranty or guarantee, express or implied, regarding any matter with respect
to this product. Because Flowserve is continually improving and upgrading its product design, the specifications, dimensions and information contained herein are subject to change
without notice. Should any question arise concerning these provisions, the purchaser/user should contact Flowserve Corporation at any one of its worldwide operations or offices.

© 2016 Flowserve Corporation, Irving, Texas, USA. Flowserve is a registered trademark of Flowserve Corporation.