exSILentia® v4

User Guide

RELEASED 2022.03.10
 Copyright © 2022 exida Innovation LLC. All rights reserved.
Information in this document is subject to change without notice. The software described in this
document is furnished under a license agreement or nondisclosure agreement. The software may be
used or copied only in accordance with the terms of those agreements. No part of this publication may
be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's personal
use without prior written permission of exida Innovation LLC.

exida Innovation LLC

80 North Main Street
Sellersville, PA, 18960
USA
+1 215 453 1720
http://support.exida.com

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 2 of 292

 Contents
Part 1 Introduction 13

Chapter 1 Introduction 15

Chapter 2 Licensing and Installation 17

2.1 exSILentia® Standalone 17

2.1.1 Minimum System Requirements 17
2.1.2 Installation Process 17
2.1.3 Licensing 20
2.2 exSILentia® Cloud 21
2.2.1 Minimum System Requirements 21
2.2.2 Accessing exSILentia® Cloud 22
2.3 exSILentia® Site 23
2.3.1 Minimum System Requirements 23
2.3.2 Installation Process 23
2.3.3 Licensing 24
2.4 exSILentia® Server 25
2.5 exSILentia® Global Site 25

Chapter 3 Tool Overview 27

3.1 Dashboard 27
3.2 Process Hazard Analysis (PHA) 27
3.3 Layer of Protection Analysis (LOPA) 28
3.4 SIL Target Selection (SILect) 28
3.5 Safety Requirements Specification (SRS) 28
3.6 SIL Verification (SILver™) 29
3.7 Design SRS 29
3.8 SIS Logic 29
3.9 Proof Test Generator 30
3.10 Lifecycle Cost Estimator 30
3.11 Alarm Rationalization (SILalarm™) 30
3.12 Life Event Recording (SILStat™) 30
3.13 exSILentia® Cyber 31

Part 2 Getting Started 33

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 3 of 292

 Chapter 4 Getting Started 35

4.1 Where Do I Begin? 35

4.1.1 Training 35
4.1.2 Website Resources 36
4.1.3 Introduction Videos 36
4.1.4 exSILentia® Support 36
4.2 Launching the Program 37
4.2.1 Create a New Project 37
4.2.2 Open a Project 38
4.2.3 Save a Project 39
4.2.4 Auto-Save 39

Chapter 5 Menu Items and Short Cuts 41

5.1 Menu Toolbar 41

5.1.1 File 41
5.1.2 View 41
5.1.3 Export 42
5.1.4 Tools 42
5.1.5 Help 42
5.2 Shortcuts 43

Chapter 6 Dashboard 45

6.1 Project Information 45

6.2 Project Configuration 45
6.3 Risk Configuration 46
6.4 Action Items 46
6.5 Parking Lot Items 47
6.6 Team Members 48
6.7 Sessions 49
6.8 Generate Report 50
6.9 Export Data 50
6.10 Library 50
6.11 Tool Tabs 50
6.12 Dashboard Widgets 50

Chapter 7 Project Information 53

7.1 Cyber Security Checklist 53

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 4 of 292

 7.2 IEC 61511 Checklist 54

Chapter 8 Project Configuration 55

8.1 Plant Types 55

8.2 Node Types 57
8.3 Safeguard Categories 59
8.4 Recommendation Categories 60
8.5 Reference Types 63
8.6 Team Roles 64
8.7 Custom Data 65
8.8 Project Abbreviations 69
8.9 Project Definitions 70
8.10 SILver Project Parameters 71
8.11 Lifecycle Cost Estimator Settings 73
8.12 Project Configuration Reuse 73

Chapter 9 Project Risk Configuration 75

9.1 Consequence Categories and Severity Levels 75

9.2 Severity Matrix 76
9.3 Likelihood Categories and Levels 76
9.4 Likelihood Matrix 77
9.5 Risk Matrix 78
9.6 Risk Graph 78
9.7 SIL Selection 79
9.7.1 SIL Threshold 80
9.7.2 RRF Rounding Operand 81
9.8 Risk Configuration Reuse 81

Chapter 10 Report Generation 83

Chapter 11 Data Export 85

11.1 Direct Export 85

11.2 Library Export 86

Chapter 12 Data Import 87

12.1 Library Import 87

Chapter 13 Project Libraries 89

13.1 Causes Library 89

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 5 of 292

 13.2 Safeguards Library 91
13.3 Recommendations Library 92
13.4 References Library 95
13.5 Hazard Scenarios Library 96
13.6 Enabling Conditions Library 98
13.7 Conditional Modifiers Library 99
13.8 Sensor Groups and Legs 100
13.9 Logic Solver Models 101
13.10 Logic Solvers 101
13.11 Devices 101
13.12 Device Models 102
13.13 Final Element Groups and Legs 102
13.14 Tags 102
13.15 Proven In Use Justification 102
13.16 Library Clean Up 103

Chapter 14 Embedded Databases 105

14.1 LOPA Database 105

14.1.1 exida LOPA Database 106
14.1.2 Generic LOPA Database 106
14.1.3 User Defined Data LOPA Database 106
14.1.4 Managing LOPA Database Items 107
14.2 SERH Database 107

Chapter 15 Upgrading from exSILentia® v3 111

15.1 General Project Information 111

15.2 Process Hazard Analysis (PHA) 111
15.2.1 PHAx™ v2 112
15.2.2 exSILentia® v3 PHA Tab 112
15.3 SIF Identification 112
15.4 SIL Target Selection (SILect™) 112
15.4.1 Multiple Tolerable Risk Calibration 112
15.4.2 Risk Graph 112
15.4.3 Hazard Matrix 113
15.4.4 Frequency Based Targets/LOPA Tolerable Risk Calibration 113
15.4.5 Frequency Based Targets/LOPA Target SIL Selections 114

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 6 of 292

 15.5 Safety Requirements Specification 114
15.5.1 SIF SRS 114
15.5.2 Process SRS (SRSC&E) 115
15.5.3 Design SRS 118
15.6 SIL Verification (SILver™) 118
15.7 Lifecycle Cost Estimator 120

Part 3 Modules 121

Chapter 16 PHAx™ 123

16.1 Introduction 123

16.2 Hierarchy 123
16.2.1 Units 123
16.2.2 Nodes 124
16.2.3 Deviations 125
16.3 HAZOP Worksheet 126
16.3.1 Cause 127
16.3.2 Consequence 127
16.3.3 Safeguards 128
16.3.4 Safeguard Labels 130
16.3.5 Likelihood with Safeguards 130
16.3.6 Risk with Safeguards 130
16.3.7 Recommendations 131
16.3.8 LOPA 131
16.3.9 Comments 132
16.4 Navigation Tree 132
16.4.1 Tree Hierarchy / Navigation 133
16.4.2 Drag & Drop 133
16.4.3 Right Click Context Menu 134
16.5 User Interface / Usability 134
16.5.1 HAZOP Worksheet Column Widths 135
16.5.2 HAZOP Worksheet Column Visibility 135
16.5.3 Continuous Editing 135
16.5.4 Worksheet Search, Back, Forward and Bookmarks 136
16.6 PHAx™ Reports 136
16.7 PHAx Data Import 137

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 7 of 292

 16.7.1 Import Template 137
16.7.2 PHA Import 139
16.8 PHAx™ Data Export 141

Chapter 17 LOPAx™ 143

17.1 Introduction 143

17.2 LOPA Worksheet 144
17.2.1 Creating Hazard Scenarios 144
17.2.2 Specifying Target Frequencies 145
17.2.3 Initiating Events (IE) 146
17.2.4 Enabling Condition (EC) 148
17.2.5 Independent Protection Layers (IPL) 150
17.2.6 Conditional Modifiers (CM) 153
17.2.7 Calculating Required Risk Reduction Factors (RRF) 155
17.2.8 Comments 156
17.3 User Interface / Usability 156
17.3.1 LOPA Worksheet Column Widths 157
17.3.2 LOPA Worksheet Header Row Height 157
17.3.3 Severity Category Visibility 157
17.3.4 Apply to All 158
17.3.5 IE, EC, IPL, and CM Sequence 159
17.3.6 LOPA Worksheet Options 159
17.4 Hazard Scenario Data Transfer from PHAx™ 160
17.5 Achieved Risk Reduction Transfer from SILver™ 161
17.6 LOPAx Recommendations 162
17.7 LOPAx Reports 162
17.8 LOPAx Data Export 163

Chapter 18 SILect™ 165

18.1 Introduction 165

18.2 SILect Worksheet 166
18.2.1 Creating Hazard Scenarios 167
18.2.2 Instrumented Protection Function (IPF) 168
18.3 SILect Worksheet - LOPA 169
18.4 SILect Worksheet - Risk Graph 170
18.5 SILect Worksheet - Risk Matrix 171

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 8 of 292

 18.6 SILect Data Transfer 172
18.6.1 SIL Selection - LOPA 173
18.6.2 SIL Selection - Risk Graph 174
18.6.3 SIL Selection - Risk Matrix 174
18.7 SILect Reports 174

Chapter 19 Safety Requirements Specification 177

19.1 Introduction 177

19.2 SRS Worksheet 178
19.2.1 Creating Safety Instrumented Functions 178
19.2.2 General SIS Requirements 179
19.2.3 General SIF Requirements 182
19.2.4 SIF Specific Requirements 183
19.3 Safeguard to SRS Data Transfer 185
19.4 SRS Reports 185

Chapter 20 SILver™ 187

20.1 Introduction 187

20.2 SILver Worksheet 190
20.2.1 Creating Safety Instrumented Functions 191
20.3 SILver Worksheet - SIF Level 191
20.3.1 General SIF Information 192
20.3.2 Architectural Constraints 193
20.3.3 Systematic Capability 193
20.3.4 Mission Time 194
20.3.5 Startup Time 194
20.3.6 SIF Demand Mode 194
20.3.7 Batch Operation 195
20.3.8 I/O Channels on Separate Modules 195
20.3.9 Consider MTTFS 195
20.3.10 Site Safety Index 195
20.4 SILver Worksheet - Sensor Part 197
20.5 SILver Worksheet - Sensor Group 198
20.5.1 Group Options 198
20.5.2 Proof Testing 199
20.5.3 Application Level Diagnostic Test 200

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 9 of 292

 20.5.4 Legs 200
20.5.5 Leg Options 201
20.5.6 Devices 202
20.6 SILver Worksheet - Final Element Part 203
20.7 SILver Worksheet - Final Element Group 204
20.7.1 Group Options 205
20.7.2 Proof Testing 205
20.7.3 Partial Valve Stroke Test/Application Level Diagnostic Test 206
20.7.4 Legs 207
20.7.5 Leg Options 207
20.7.6 Devices 208
20.8 SILver Worksheet - Logic Solver Part 209
20.9 SILver Worksheet - Results 212
20.10 SILver Worksheet - Features 213
20.10.1 SIF Diagram 213
20.10.2 Beta Estimator 213
20.10.3 Proof Test Coverage Calculator 214
20.10.4 Partial Valve Stroke Test Coverage Calculator 215
20.10.5 Proven In Use Justification 216
20.10.6 SILver Parameter Update Utility 218
20.11 SILver Worksheet - Tags 219
20.12 SILver™ Reports 221
20.13 SILver™ Data Export 221

Chapter 21 Design SRS 223

21.1 Introduction 223

21.2 Design SRS Worksheet 223
21.2.1 Creating Safety Instrumented Functions 223
21.2.2 General SIF Requirements 224
21.2.3 SIF Specific Requirements 224
21.2.4 Sensor Legs, Auxiliary Input Legs and Parameters 224
21.2.5 Final Element Legs, Auxiliary Output Legs and Parameters 225
21.3 Design SRS Data Transfer 225
21.4 Design SRS Reports 225

Chapter 22 Proof Test Generator 227

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 10 of 292

 22.1 Introduction 227
22.2 Proof Test Generator Worksheet 227
22.2.1 Proof Test Suggestions 229
22.2.2 Proof Test Procedure 229
22.2.3 Starting PTG with an Existing Project File 232
22.3 Proof Test Generator Reports 233

Chapter 23 Lifecycle Cost Estimator 235

23.1 Introduction 235

23.2 Lifecycle Cost Estimator Worksheet 236
23.2.1 Estimator worksheet 236
23.2.2 Cost Benefit Analysis worksheet 238
23.3 Lifecycle Cost Estimator Reports 239

Chapter 24 exSILentia® Cyber 241

24.1 CyberPHAx™ 241

24.1.1 Introduction 241
24.1.2 Hierarchy 241
24.1.3 CyberPHA Worksheet 244
24.1.4 CyberPHAx Reports 247
24.2 CyberSL™ 247
24.2.1 Creating Cyber Event Scenarios 248
24.2.2 Specifying Target Likelihood 248
24.2.3 Cyber Threats (T) 248
24.2.4 Target Attractiveness 249
24.2.5 Countermeasures 250
24.2.6 Conditional Modifiers (CM) 251
24.2.7 Kill Chain Relevance 252
24.2.8 Calculating Remaining Cyber Risk 253
24.2.9 Comments 253

Part 4 Miscellaneous 255

Abbreviations 257

Terms and Definitions 259

Disclaimer and Assumptions 263

Software License Agreement – exSILentia® Standalone 267

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 11 of 292

 Software Service License Agreement – exSILentia® Cloud 275

Open Source Disclosure 285

Index 287

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 12 of 292

 Part 1
Introduction

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 13 of 292

 Chapter 1 Introduction
exSILentia® v4 is a significant extension of the exSILentia® platform. exSILentia® v4 allows a suite of
software tools, designed to support the Process Safety work process and Safety Instrumented System
Functional Safety Lifecycle, to work seamlessly together. exSILentia® v4 reduces the effort needed to
maintain information and improves overall consistency of Process Safety / Functional Safety tasks and
their deliverables. exSILentia® v4 is available in several options:

PHA Process Hazards Analysis tool

LOPA Layer of Protection Analysis tool

PHA + LOPA Combined Process Hazards Analysis and Layer of Protection Analysis tool

Alarm Alarm Rationalization tool

SILstat Life Event Recording tool

Base functionality for all users requiring Functional Safety standard
Standard
compliance
Additional functionality for the Process Hazards Analysis phases of the
Analysis
Process Safety work process and Safety Lifecycle
Operation Additional functionality for the Operation phases of the Safety Lifecycle

Ultimate Complete exSILentia® functionality

Complete exSILentia® Safety Lifecycle tool functionality including Life Event
Enterprise
Recording

In addition to these base options, the following functionality is available:

Cyber Risk Assessments and Security Level verification to
exSILentia® Cyber
evaluate vulnerability to Cyber attacks.
Automatically create the logic configuration for a DeltaV™
DeltaV™ SIS Configurator1 SIS safety PLC based on the conceptual design documented in
SILver™ and the Design SRS.

1Requires an exSILentia® Ultimate license

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 15 of 292

 The user guide is divided into 4 parts:
l Part 1 Introduction
l Part 2 Getting Started
l Part 3 Modules
l Part 4 Miscellaneous
Part 1 of this user guide provides this introduction, the various license platforms and installation of the
software on a local PC, as well as a high level overview of each of the software modules within the
exSILentia® Software. Part 2 covers all steps needed to getting you started using the exSILentia®
software ranging from project setup and configuration to the use of libraries as part of the base
exSILentia® platform. Part 3 provides detailed guidance for each of the exSILentia® modules (detailed
guidance for the SILalarm™ and exSILentia® Cyber modules is provided in separate User Guides). Part 4
covers Abbreviations, Terms and Definitions, Disclaimer and Assumptions as well as the exSILentia®
Software License Agreement, Open Source Disclosure, and an Index.
If this user guide does not answer your questions you can contact the exSILentia® Support Team via
http://support.exida.com.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 16 of 292

 Chapter 2 Licensing and Installation
exSILentia® v4 is available on five different licensing platforms.
Platform Description
Standalone The software is installed on the user’s PC. A USB license key is provided for each user.
Software can be installed on an unlimited number of PCs. The USB license key
enforces the single concurrent user per license. Updates must be installed on each
PC. The license is perpetual. Active maintenance subscription is required to receive
updates.
Cloud The software is installed and runs on the exida exSILentia server. Users login to the
server and use the software. A single access account per is provided per license.
Updates are installed by exida. The license is subscription period based.
Site The software is installed on each user’s PC. A single USB license key is provided with
the maximum number of concurrent users encoded. Software can be installed on an
unlimited number of PCs. The USB license key enforces the maximum number of
concurrent users per license. Updates must be installed on each PC. This platform is
intended for customers with multiple concurrent users. The license is perpetual.
Active maintenance subscription is required to receive updates.
Server The software is installed and runs on a Citrix® XenApp server within a customer’s IT
environment. Users login to the server and use the software. Updates are installed by
the customer’s IT department. The license is perpetual. Active maintenance
subscription is required to receive updates.
Global Site The software is installed on the user’s PC by the customer’s IT department using an
install script/global desktop setup. Software can be installed on an unlimited number
of PCs. Updates are installed by the customer’s IT department. The license is
perpetual. Active maintenance subscription is required to receive updates.

2.1 exSILentia® Standalone

2.1.1 Minimum System Requirements

To use exSILentia® v4 your system should meet the following minimum requirements
l Microsoft® Windows 8 64-bit (all service packs installed) or Windows 10 64-bit (all service packs
installed)
l Intel® Core™ i5 1.8 GHz or better processor
l 4 GB of RAM (8 GB recommended)
l 200 to 500 MB of free hard disk space (1 GB recommended)
l CD-ROM drive (for installation disk)
l Free USB port (for license key)
l Minimum screen resolution 1366 x 768 (1920 x 1080 recommended)

2.1.2 Installation Process

The exSILentia® v4 Standalone installation package consists of

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 17 of 292

 l exSILentia® v4 CD
l exSILentia® v4 USB key
l exSILentia® v4 User Guide
To install exSILentia® v4 Standalone on your computer place the exSILentia® v4 CD in your CD-ROM
drive. exSILentia® v4 setup will take you through the installation process.

Note: Do not insert the exSILentia® v4 USB key into your computer's USB port until you have
installed the exSILentia® v4 software.

If setup does not start automatically for any reason, follow these steps:
1. Insert the exSILentia® v4 CD into your CD-ROM drive.
2. Type Run in the Start Search box of the Start menu
3. Type d:\setup.exe, where d is the letter assigned to your CD-ROM drive.
4. Click OK.
Setup starts and guides you through the installation of the exSILentia® v4 software.

To continue the installation process you will need to accept the terms and conditions of the exSILentia®
v4 Software License Agreement. A copy of the agreement is included in this user guide, see Software
License Agreement – exSILentia® Standalone. If you do not agree with the exSILentia® v4 Software License
Agreement do not install the software on your system.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 18 of 292

 Clicking “Accept and Install” will continue the installation. The exSILentia® v4 installer will guide you
through the remaining steps. The exSILentia® v4 installer will create a menu item in your programs
folder and will also create an icon on your desktop.
During the installation process you will be able to indicate the location where you want the exSILentia®
v4 software to be installed.

When the installation is complete, a dialog box will appear that indicates that the exSILentia® v4 Setup
has been completed. Click “Finish” to conclude the installation.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 19 of 292

 In order to use exSILentia® v4 you will have to put the exSILentia® v4 USB key into a free USB port and
double click the exSILentia® v4 icon or select exSILentia® v4 from your Start menu.

2.1.3 Licensing
exSILentia® v4 uses the Thales Sentinel HASP software to enforce its licensing. Your Microsoft Windows
operating system will automatically install the required Sentinel HASP Drivers when you plug the
exSILentia® v4 USB key into you machine for the first time.

In order to use exSILentia® v4 you need the exSILentia® v4 USB key inserted in a USB port of your
system. The exSILentia® v4 program will not work without this USB key; if the USB key cannot be
detected an error message will appear. If this message appears when you do have the USB key inserted
in a USB port, please try using a different USB port. If that doesn’t resolve the issue, please contact exida
for additional support.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 20 of 292

 In some cases you may need to update your exSILentia® v4 USB key, e.g. if you renew your annual
maintenance, if your time limited license key expired, or you decide to upgrade your exSILentia® v4
license from, for example, the Standard option to the Ultimate option. To do so, select the Tools -
License Configuration menu option. Using the Authentication Mode on the License Configuration
window you can select the applicable license option, either key or server. If you select key, exSILentia®
will detect your current exSILentia® v4 license key and display the associated license key option. Next
you can click the Request Update button, this will send your key information to exida. Upon receipt of
your request, the exSILentia® v4 license processing team will validate your request and if valid generate
an update file for your license key. Once you receive confirmation that this update file is available you
can click the Check Request button to automatically update your exSILentia® v4 USB key.

The exSILentia® v4 licensing allows you to install the software on multiple machines, e.g. a desktop
station in the office and a laptop used while traveling. However the software can only be used on the
system where the USB key is inserted.

Note: exSILentia® 1.x, 2.x, 3.x USB license keys will not work with exSILentia® v4. If you have an
older version of exSILentia® your old USB license key will still work for that version of the software.
Multiple versions of the software can be installed on the same computer.
Contact the exSILentia® team at http://support.exida.com or your local exida representative for
upgrade options and pricing.

2.2 exSILentia® Cloud

2.2.1 Minimum System Requirements

The exSILentia® team does not provide specific minimum system requirements for use of the exSILentia®
Cloud environment. To access exSILentia®, the user must install the Citrix® Receiver client software.
These clients are available for a variety of operating systems, including:
l Apple iOS
l Apple Mac OS
l Microsoft Windows
l Ubuntu
l and more...
A screen resolution of 1920 x 1080 is recommended

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 21 of 292

 2.2.2 Accessing exSILentia® Cloud
For users of the exSILentia® Cloud license platform and account is created on the exSILentia® Cloud
server. Login credentials consisting of a username and a password will be provided to the registered
user.
You can access exSILentia® Cloud by opening a web browser and visiting https://my.exsilentia.com.
exSILentia® Cloud is published using the Citrix® platform. If the Citrix® Receiver client is not installed on
the machine from which you are trying to access exSILentia® Cloud, a message will indicate a download
path for you. Alternatively you can download the Citrix Receiver from
https://www.citrix.com/products/receiver/. Once you have installed Citrix® Receiver you need to close
and reopen your browser. You can now login using the login credentials provided.
Upon first login, the exSILentia® Cloud system will ask you to create a new password.
Once logged in, you will see an application list of all exida applications that have been enabled for you.
Click the exSILentia® icon to launch exSILentia®.

As the user of the exSILentia® Cloud platform, you can choose where you want to save your exSILentia®
project files (see section 4.2 Launching the Program). You can save your project files on the exSILentia®
Cloud server (typically you will have a dedicated H drive) or you can save your files on your local
machine by accessing the Client\ machine via the network options in the save as dialog. To be able to
save files to your local machine you will need to give the exSILentia® Cloud server by means of the Citrix®
Receiver permission to access your local files. When you launch exSILentia® you will see the following
security warning, simply select Permit all access.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 22 of 292

 CAUTION: If your internet connection drops in the middle of a save action, the incompletely saved
file will be corrupt and cannot be recovered. exida recommends saving a file on the exSILentia®
Cloud server and periodically saving the file to the local machine. exida also recommends to not
overwrite a file but instead save the local file under a different name, this will ensure you have a
backup just in case the internet connection drops in the middle of a save action.

2.3 exSILentia® Site

2.3.1 Minimum System Requirements

To use exSILentia® v4 your system should meet the same minimum requirements as described for
exSILentia® v4 Standalone, see section 2.1 exSILentia® Standalone.

2.3.2 Installation Process

The exSILentia® v4 Site installation package consists of
l exSILentia® v4 CD
l exSILentia® v4 Site USB key
l exSILentia® v4 User Guide
The installation process for an exSILentia® v4 Site license consists of 2 steps
1. Installation of the exSILentia® v4 software on the user's computer
2. Installation of the exSILentia® v4 Site USB key communication driver

Installing exSILentia® v4 on Computer

To install the exSILentia® v4 software on the target computer follow the steps as described for
exSILentia® v4 Standalone, see section 2.1 exSILentia® Standalone.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 23 of 292

 Note: Do not insert the exSILentia® v4 Site USB key into your (or the user's) computer's USB port,
the license key will be used in the dedicated license server.

Installing USB Key Communication Driver

The Site USB key Communication Driver is the Sentinel HASP/LDK Run- time. The exSILentia® team
recommends that you do a web search for the latest version of this run-time, alternatively you can
contact the exSILentia® team at http://support.exida.com for a download link.
The communication driver must be installed on both user's computer and the License Server, i.e. the
computer that will hold the exSILentia® v4 Site USB key. The license server does not need to be a
dedicated server, it could be the computer of one of the users of the software. In addition to installation
of the communication driver, you need to make sure that port 1947 is open for incoming traffic on the
license server and the same port (1947) is open for outgoing traffic on each of the users' computers.

2.3.3 Licensing
exSILentia® v4 uses the SafeNet HASP software to enforce its licensing. Insert the Site USB key in the
license server (and simply leave it there).

Upon first launch of exSILentia® v4 an error message will appear, this is as expected.

Click on the Configure Licensing link in the error message or select the Tools - License Configuration
menu option. For the Authentication Mode in the License Configuration window can select server. In the
Server text box enter either hostname for the license server, or the license server’s static IP address, and
press OK. exSILentia® v4 will establish a connection with the license server and you will be able to start
using exSILentia® v4.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 24 of 292

 The exSILentia® v4 Site license allows you to install the software on an unlimited number of systems. In
order to use the software, the user must make a connection with the license server and stay connected
with the license server. If the maximum number of concurrent connections is reached, exSILentia® v4 will
state that no license is available. exSILentia® v4.

2.4 exSILentia® Server

The deployment of the exSILentia® Server platform will be done in close cooperation with the
customer's IT department. This falls outside the scope of this user guide. The user's system must meet
similar requirements as for the exSILentia® Cloud platform, see section 2.2 exSILentia® Cloud.

2.5 exSILentia® Global Site

The deployment of the exSILentia® Global Site platform will be done in close cooperation with the
customer's IT department. This falls outside the scope of this user guide. The user's system must meet
similar requirements as for the exSILentia® Standalone platform, see section 2.1 exSILentia® Standalone.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 25 of 292

 Chapter 3 Tool Overview
This chapter provides an overview of different components of the exSILentia® v4 software. The
availability of some of the tools described in this chapter depends on your exSILentia® v4 license (see
Chapter 1 Introduction for an overview of the exSILentia® v4 license options).

3.1 Dashboard
The exSILentia® v4 Dashboard is the first window you will see when you open a project or after creating
a new project. The dashboard is exSILentia® v4's central hub through which all lifecycle activities are
initiated. It is shared by all exSILentia® v4 tools. In addition to providing the main navigation of the tool,
the dashboard also provides you with the ability to evaluate the status of a project through summary
information as well as graphical representation of results.
A detailed description of the various aspects of the dashboard as well as instructions on how to
customize your dashboard are provided in Chapter 6 Dashboard.

3.2 Process Hazard Analysis (PHA)

The PHA tab navigates to the exSILentia® v4 process hazard analysis tool PHAx™. Availability of the
PHA tab, and therefore the PHAx™ tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The PHAx™ tool allows process hazard
analysis to be performed using the Hazard and Operability (HAZOP) methodology. For a detailed
description of the PHAx™ tool refer to Chapter 16 PHAx™.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 27 of 292

 3.3 Layer of Protection Analysis (LOPA)
The LOPA tab navigates to the exSILentia® v4 layer of protection analysis tool LOPAx™. Availability of the
LOPA tab, and therefore the LOPAx™ tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The LOPAx™ tool allows detailed layer
of protection analysis to be performed for each hazard scenario, considering multiple initiating events,
multiple enabling conditions, conditional modifiers, and Independent Protection Layers with different
levels of effectiveness for different risk receptors as well as different initiating events. The hazard
scenarios, causes, and safeguards identified during the process hazard analysis will automatically pre-
populate the LOPA worksheet provided that you have used the PHAx™ tool for your process hazard
analysis. For a detailed description of the LOPAx™ tool refer to Chapter 17 LOPAx™.

3.4 SIL Target Selection (SILect)

The SILect tab navigates to the exSILentia® v4 Safety Integrity Level (SIL) selection tool SILect™.
Availability of the SILect tab, and therefore the SILect™ tool, is based on your exSILentia® v4 license (see
Chapter 1 Introduction for an overview of the exSILentia® v4 license options). The SILect™ tool supports
determination of the target SIL for each Safety Instrumented Function identified in the LOPA worksheet
that is required to provide risk reduction. The SILect™ tool will convert a target Risk Reduction Factor
(RRF) into a target SIL. For a hazard scenario that has a remaining RRF, the SILect™ tool supports the
identification of a SIF. The SILect™ tool worksheet is automatically pre- polulated with information
obtained form the LOPAx™ tool. The SILect™ tool also supports SIL selection based on the Risk Graph
and Risk Matrix methodologies. For a detailed description of the SILect™ tool refer to Chapter 18 SILect™.

3.5 Safety Requirements Specification (SRS)

The SRS tab navigates to the exSILentia® v4 safety requirements specification tool SRS. Availability of the
SRS tab, and therefore the SRS tool, is based on your exSILentia® v4 license (see Chapter 1 Introduction
for an overview of the exSILentia® v4 license options). The SRS tool allows detailed specification of
functional and integrity requirements for the Safety Instrumented System (SIS) as a whole, generic for all
Safety Instrumented Functions (SIF), and specific for each SIF. The SRS constitutes the basis upon which
the Safety Instrumented System and its Safety Instrumented Functions are designed. Several of the
requirements will be automatically pre-polulated based on information specified in the PHA, LOPA, and
SIL selection lifecycle phases. On the other hand, some requirements specified here, will automatically
pre-populate fields in the SIL verification tool SILver™. For a detailed description of the SRS tool refer to
Chapter 19 Safety Requirements Specification.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 28 of 292

 3.6 SIL Verification (SILver™)
The SILver tab navigates to the exSILentia® v4 Safety Integrity Level (SIL) verification tool SILver™.
Availability of the SILver tab, and therefore the SILver™ tool, is based on your exSILentia® v4 license (see
Chapter 1 Introduction for an overview of the exSILentia® v4 license options). The SILver™ tool allows
comprehensive modeling of each Safety Instrumented Function’s (SIF) conceptual design within an
exSILentia® v4 project. The objective during SIL verification is to determine if the conceptual design of
the SIF meets the requirements specified in the Safety Requirements Specification (SRS). The SILver™
tool allows users to account for many real- life configuration options within a Safety Instrumented
System (SIS), including but not limited to proof test coverage, transmitter fault direction, partial stroke
testing, etc. Several of the conceptual design configuration selections will be made automatically based
on information specified in the SRS phase (users can overwrite these selections if necessary). In turn
some of the selections specified as part of the conceptual design verification will automatically pre-
populate field in the Design SRS, Proof Test Generator, and Lifecycle Cost Estimator. The result of the SIL
verification will be an Achieved Safety Integrity Level for the specific SIF’s conceptual design. For a
detailed description of the SILver™ tool refer to Chapter 20 SILver™.

3.7 Design SRS

The Design SRS (DSRS) tab navigates to the exSILentia® v4 detailed design Safety Requirements
Specification tool Design SRS. Availability of the Design SRS tab, and therefore the Design SRS tool, is
based on your exSILentia® v4 license (see Chapter 1 Introduction for an overview of the exSILentia® v4
license options). The Design SRS tool allows detailed design specification of functional requirements for
each Safety Instrumented Function (SIF) identified in the exSILentia® project. The detailed design
requirements are a result of the conceptual design evaluation performed using the SILver™ tool. Most of
the detailed design requirements will be automatically pre-polulated based on information specified in
the SIL verification phase. For a detailed description of the Design SRS tool refer to Chapter 21 Design
SRS.

3.8 SIS Logic

The SIS Logic tab navigates to the exSILentia® v4 Safety Instrumented System (SIS) application logic
generation tool SIS Logic. Availability of the SIS Logic tab, and therefore the SIS Logic tool, is based on
your exSILentia® v4 license (see Chapter 1 Introduction for an overview of the exSILentia® v4 license
options). The SIS Logic tool assists in automatically generating the application program/logic
configuration for a specific target Safety PLC based on your SILver™ and Design SRS modeling. The
SIS Logic tool substantially reduces the amount of time needed to generate the application
program/logic configuration while eliminating the potential for interpretation and transcription errors.
For a detailed description of the SIL Logic tool refer to the designated user guide for each of the target
Safety PLC platforms.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 29 of 292

 3.9 Proof Test Generator
The Proof Test Generator provides proof test steps for all SIF devices selected for the SERH and allows
the user to create application specific proof test procedures. Availability of the Proof Test Generator tool,
is based on your exSILentia® v4 license (see Chapter 1 Introduction for an overview of the exSILentia® v4
license options). The Proof Test Generator tool allows detailed specification of proof tests to be
performed for each equipment item specified during your Conceptual Design Engineering work. Default,
product specific, proof tests with associated proof test coverage factors are provided from the exida
Safety Equipment Reliability Handbook (SERH) database. The Proof Test Generator tool allows you to
customize these proof test for use in your specific application. For a detailed description of the Proof
Test Generator tool refer to Chapter 22 Proof Test Generator.

3.10 Lifecycle Cost Estimator

The Cost tab navigates to the exSILentia® v4 Lifecycle Cost Estimator tool. Availability of the Cost tab,
and therefore the Lifecycle Cost Estimator tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The Lifecycle Cost Estimator tool
supports the evaluation of a Safety Instrumented Function's conceptual design on the basis of expected
overall lifecycle cost, accounting for aspects such proof test cost and proof test frequency. The Lifecycle
Cost Estimator tool can assist in making an economical justification why a particular conceptual design
may be better than an alternate conceptual design where both meet the same functional and integrity
requirements. The Lifecycle Cost Estimator tool relies on completion of the conceptual design
specification in the SIL verification phase. Most conceptual design performance variables will be
automatically pre-polulated based on information specified in the SIL verification phase. For a detailed
description of the Lifecycle Cost Estimator tool refer to Chapter 23 Lifecycle Cost Estimator.

3.11 Alarm Rationalization (SILalarm™)

The SILalarm tab navigates to the exSILentia® v4 alarm rationalization tool SILalarm™. Availability of the
SILalarm tab, and therefore the SILalarm™ tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The SILalarm™ tool facilitates the
alarm rationalization process for a given master alarm database. For a detailed description of the
SILalarm™ tool refer to exSILentia® SILalarm™ user guide.

3.12 Life Event Recording (SILStat™)

The exSILentia® SILStat™ module is tightly linked to exSILentia® v4 but is used as a standalone entity.
Please refer to the SILStat™ User Guide for guidance on using the SILStat™ tool.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 30 of 292

 3.13 exSILentia® Cyber
The CyberPHA tab navigates to the exSILentia® v4 cyber process hazard analysis tool CyberPHAx™
whereas the CyberSL™ tab navigates to the exSILentia® v4 cyber security level tool CyberSL™. Availability
of the CyberPHA and CyberSL tabs, and therefore the exSILentia® Cyber tools CyberPHAx™ and
CyberSL™, is based on your exSILentia® v4 license (see Chapter 1 Introduction for an overview of the
exSILentia® v4 license options). The CyberPHAx™ tool allows cyber risk assessment to be performed
based on the process industry Hazard and Operability (HAZOP) methodology. The CyberSL™ tool allows
for a security level evaluation to be performed on the various countermeasures identified for a particular
threat. For a detailed description of the CyberPHAx™ and CyberSL™ tools refer to Chapter 24 exSILentia®
Cyber.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 31 of 292

 Part 2
Getting Started

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 33 of 292

 Chapter 4 Getting Started
4.1 Where Do I Begin?
Starting with exSILentia® v4 can be a bit overwhelming. exida has created several resources that can
help you getting started.

4.1.1 Training
FSE 242: Process Hazard Analysis with exSILentia®
Process Hazard Analysis with exSILentia®, FSE 242, details how the exSILentia PHAx™ module can be
used to conduct HAZOP methodology based Process Hazard Analysis. This course is targeted towards
students that are experienced in process hazard analysis who want to learn how to leverage the
advanced features of PHAx™. It will cover how to configure a project, define risk criteria, and use the
advanced libraries to store valuable project specific information. The students will learn how to define
units, nodes, and how to benefit from the PHAx™ smart deviations. It also addresses how hazard
scenarios are to be defined for use in subsequent lifecycle phases.
FSE 243: Layer of Protection Analysis with exSILentia®
Layer of Protection Analysis with exSILentia®, FSE 243, explains how the exSILentia LOPAx™ module is
used to conduct a Layer of Protection Analysis and how SIF requirements can be documented using the
exSILentia SRS module. This course is targeted towards students that have a general understanding of
layer of protection analysis and safety requirements specifications who want to learn how to leverage
the advanced features of LOPAx™ and SRS. It will cover how to analyze hazard scenarios considering the
frequency of initiating events and the probability of failure for each independent protection layer (IPL) as
well as enabling conditions and conditional modifiers. This course will show how to calculate the
required Risk Reduction Factor of an IPL and identify Safety Instrumented Functions (SIF). Users will
learn how to record mandatory functional and integrity requirements for each SIF. It will teach users
how to transfer data from PHAx™ to LOPAx™ as well as from LOPAx™ to SRS.
FSE 244: SIL verification with exSILentia®
SIL verification with exSILentia®, FSE 244, explains how the exSILentia SILver™ module is used to
perform a SIL verification for Safety Instrumented Functions. Students will learn to leverage the tool to
model different SIF architectures ranging from simple 1oo1 configuration to more complex examples.
This course also covers review of the key parameters that determine the probability of failure of a SIF as
well as minimum hardware fault tolerance and systematic capability aspects. It will show the impact of
these parameters on the detailed design, implementation, and operation of the SIF. Furthermore,
students will learn how to transfer data from the SILver™ module to the Design SRS module and
subsequently complete the Design SRS requirements. Finally, the course covers the impact of proof
testing and specification of proof test procedures using the Proof Test Generator module.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 35 of 292

 4.1.2 Website Resources
exida has launched the exSILentia® website www.exSILentia.com , where you can find general
information about exSILentia®, downloads, and training information. The exida innovation team has
created a support website (http://support.exida.com) which includes a FAQ section. Frequently Asked
Questions are addressed here. The exida website provides additional resources like white papers and an
active blog addressing process & functional safety topics as well as exSILentia® specific topics. exida also
conducts regular webinars, which can be attended free of charge. Make sure you are subscribed to the
exida newsletter to keep up to date on the latest webinar offerings.

4.1.3 Introduction Videos

Several instructional videos were created to familiarize users with the basic functionality of exSILentia®
v4. For a list of videos, see the exSILentia website at www.exSILentia.com.

4.1.4 exSILentia® Support

This user guide is your first line of support when using the exSILentia® Safety Lifecycle tool. The user
guide gives an overview of all options part of exSILentia® and using various examples it explains how to
use the tool and its various modules. For additional support, use the support website through which you
can submit your queries on the exida software products. In the exida Support Center
(http://support.exida.com) you can open a new support ticket for any questions or issues you may have.
You can also check on the status of any open tickets.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 36 of 292

 Note: We cannot answer any detailed safety lifecycle engineering questions as that would go
beyond general tool support.

4.2 Launching the Program

To launch exSILentia® v4, double- click the exSILentia® v4 icon ( ) on your desktop or select the
exSILentia® v4 program from your programs/exida folder in your Start menu.
When the exSILentia® v4 program is launched, it will automatically launch the Welcome Screen. The
welcome screen shows the latest release notes and news items. On the welcome screen you can:
l Open a previous project (Open).
l Create a new Default exida project (Default exida)
l Create a new Empty project (Empty)
l Create a new Custom project (Custom)

4.2.1 Create a New Project

You can define a new exSILentia® v4 project by selecting one of the three Create options.
l Default Project – Creates a new empty project with exida default project and risk configurations
l Empty Project – Creates a new empty project without any default configurations
l Custom Project – Creates a new empty project with default configurations based upon user
default settings. This requires a previous file to be saved with user defaults. When this option is
selected the user must navigate to a file containing the user default configurations which can be
done using the navigation feature provided along the Based on below selection. The best way to
create a user default configurations file is to initially start with an exida default configurations file
which is subsequently edited and saved.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 37 of 292

 After selecting from one of the three Create Project options, you will be able to define the Project Type,
and specify high level project details. The Project Type allows you to choose between Functional Safety
Project and Alarm Rationalization Project. Since this user guide focuses on the Functional Safety tools
of exSILentia® v4, only the Functional Safety Project option is addressed from here on out.
After selecting Functional Safety Project, you can specify specific project information such as Project ID,
Project Name, Company, Project Revision, and Project Description. With the basic project definition
completed, exida recommends that you save the project at this time.

If you want to create a new exSILentia® v4 project once a project is already open, you can select the File
- New menu option. This will create a Default Project, as described above, allowing you to immediately
specify specific project information such as Project Type,Project ID, Project Name , Company , and
Project Description. If you would like to create an Empty or Custom new project you can select Cancel,
this will revert you to the Welcome Screen where you can choose these options.

4.2.2 Open a Project

When you select Open a project, a file menu dialog box will appear allowing you to navigate to a
previously saved project file. Select the file and click Open or double click on the filename. To open a
project from an older version of exSILentia, select the Project Files drop down, and select exSILentia 3
Project (*.exi), see also Chapter 15 Upgrading from exSILentia® v3. Please note only files saved with the
latest versions of exSILentia v3 (3.7, 3.8) can be converted to exSILentia® v4.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 38 of 292

 4.2.3 Save a Project
Saving a project is trivial in exSILentia®, simply select the File menu and click Save or Save As. In the
lower right hand corner of the exSILentia® window you can see when the file was saved last.

4.2.4 Auto-Save
exSILentia® has an auto-save feature. You can enable the auto-save by clicking on the circle in front of
the Last save information. You can enable the auto-save feature as well as specify the time interval for
the auto-save ranging from every minute to every 10 minutes.

Note: When enabling auto-save, exSILentia® will overwrite your file every time the auto-save is
executed. Undoing changes by simply not saving is not an option in this case.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 39 of 292

 In the unlikely event that exSILentia® abruptly stops working, or in the event that an error occurred at
the time of saving, your exSILentia® project file will likely be corrupted. Since the file is encrypted, data
may become unrecoverable for that file. In an event like this you can find a recovery file stored in a
temporary file location (C:\Users\User Name\AppData\Local\Temp\exida\exSILentia 4\backup). The
recovery files are only available for a limited period of time before being overwritten with new recovery
files. exSILentia® Cloud users should contact the exida support team for assistance with file recovery.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 40 of 292

 Chapter 5 Menu Items and Short Cuts
exSILentia® v4 has an interactive menu toolbar. The menu toolbar will make certain menu items
available based on the software tool that you are using. In addition to these dynamic menu items, a
wide range of short cuts have been implemented to make the tool use more efficient. An overview of the
exSILentia® v4 menu items as well as available short cuts is provided in this appendix.

5.1 Menu Toolbar

The Menu toolbar consists of the following main menus:
l File
l View
l Export
l Tools
l Help
Menu items available for each of these main menus are identified in the following sections.

5.1.1 File
Menu Item Keyboard Shortcut Function Description
New Ctrl+N Launches a new project
Open Ctrl+O Allows you to browse to a project file to be opened
Recent Shows recent projects that may then be opened
Save Ctrl+S Saves the project file
Save As Ctrl+Shift+S Allows you to save a project with a different file name
Close Ctrl+E Closes current project while keeping application open
Exit Alt+F4 Closes the application

5.1.2 View
Menu Item Keyboard Shortcut Function Description
Project Configuration Launches the Project Configuration window
Risk Configuration Launches the Risk Configuration window
Has four sub- items to launch the Safeguards,
Library Recommendations, References, and Hazard Scenarios
Library window respectively
Members Launches the Members window
Sessions Launches the Sessions window
Action Items Launches the Action Items window
Parking Lot Items Launches the Parking Lot Items window

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 41 of 292

 5.1.3 Export
Menu Item Keyboard Shortcut Function Description
Generate Report Allows you to auto generate reports for the various
exSILentia® v4 tools. Depending on the tool selected
additional, more detailed, options may be available.
l PHA Report
l LOPA Report
l Process SRS
l SIL verification
l Design SRS
l Proof Test Generation
Export Data Allows you to export data out of the various
exSILentia® v4 tools to a MS Excel
worksheet/workbook. Depending on the tool selected
additional, more detailed, options may be available.

5.1.4 Tools
Menu Item Keyboard Shortcut Function Description
Allows you to request an update to your license key
License Configuration and subsequently check for an available update
(requires exida license key processing)
Provides a list of user created exSILentia® v4 plug-in
Plugins
modules (once interfaces are made public)
Provides a list of all licensed exSILentia® v4 software
Modules
modules and their individual versions

5.1.5 Help
Menu Item Keyboard Shortcut Function Description
View Help Launches the help window
User Guide Allows you to access all User Guide material
Check for Updates Allows you to check if a more recent version of the
exSILentia® v4 program is available and install that
newer version if applicable
Contact exida Will launch a web browser and directs you to the
exSILentia® online support ticket system. Here you will
be able to launch a support request.
Release Notes Allows you to see the history of feature upgrades

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 42 of 292

 Menu Item Keyboard Shortcut Function Description
About Shows the current exSILentia® v4 version number and
license information

5.2 Shortcuts
For a Microsoft Windows based application you would expect a certain set of standard shortcuts, these
are also available in exSILentia® v4 in a wide variety of locations. The following is a limited overview of
some of the shortcuts implemented.
Keyboard Shortcut Function Description
Ctrl+C Copy
Ctrl+V Paste
Ctrl+X Cut
Delete (Del) Deletes the currently selected item(s)
Enter Create a new item
Shift+Enter Create a new child item
Shift+Enter In HAZOP Worksheet when consequence or associated Safeguard or
Recommendation selected: Create a new Safeguard
Ctrl+Shift+Enter In HAZOP Worksheet when consequence or associated Safeguard or
Recommendation selected: Create a new Recommendation
Tab In worksheet changes focus to next field from left to right, top to bottom
Shift+Tab In worksheet changes focus to previous field from right to left, bottom to top
Up/Down/Left/Right In worksheet changes focus to relevant surrounding field

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 43 of 292

 Chapter 6 Dashboard
The exSILentia® v4 Dashboard is the first window you will see when you open a project or after creating
a new project. The dashboard is exSILentia® v4's central hub through which all lifecycle activities are
initiated. It is shared by all exSILentia® v4 tools. In addition to providing the main navigation of the tool,
the dashboard also provides you with the ability to evaluate the status of a project through summary
information as well as graphical representation of results.
The configuration of your dashboard will depend on your exSILentia® v4 license. Some of the dashboard
functions are applicable to all software tools within the exSILentia® v4 framework, other options are
tightly linked to one of the software tools. The various features of the dashboard are described in the
subsequent sections.

6.1 Project Information

The projection information of your exSILentia® v4 project is described in detail in Chapter 7 Project
Information. Project Information allows you to change your Project Identifier, Name, and Description,
among others.

6.2 Project Configuration

The configuration of your exSILentia® v4 project is described in detail in Chapter 8 Project Configuration.
Project Configuration allows you to change many of the project default options and values.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 45 of 292

 6.3 Risk Configuration
The risk configuration that applies to your exSILentia® v4 project is described in detail in Chapter 9
Project Risk Configuration. In the Risk Configuration you can define your tolerable risk levels and you can
either select the exida default risk matrix or configure a risk matrix to match the risk criteria that are
applicable to your project.

6.4 Action Items

exSILentia® v4 provides the ability to define action items. Action items are intended for tasks to be
performed that will extend beyond the duration of a single session. To access an overview of all defined
action items for the current project click on the Action Items button on the dashboard. Alternatively you
can select the View - Action Items menu option.

To add an Action Item:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Action Item
l Edit the Action Item Properties, i.e. Nameand Description
l Select the Action Item Due Date using the calendar function
l Select the Action Item Status using the drop down selections; Open (default value), Closed, or
Review
l Select the Action Item Priority using the drop down selections; Low, Medium, or High
l Select the Action Item Responsible Person using the drop down selection based on the defined
team members
To modify an Action Item:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 46 of 292

 l Highlight the Action Item
l Edit Action Item Properties, i.e. Name and Description
l Modify the Action Item Due Date using the calendar function
l Modify or select the Action Item Status and /or Priority
l Modify the Action Item Responsible Person
To delete an Action Item:
l Highlight the Action Item
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Action Item and its Action Item Properties

6.5 Parking Lot Items

exSILentia® v4 provides the ability to define parking lot items. Parking lot items are intended for short
term tasks to be performed such as obtaining information overnight for the next session, i.e. a focused
short term task. To access an overview of all defined parking lot items for the current project click on the
Parking Lot Items button on the dashboard. Alternatively you can select the View - Parking Lot Items
menu option.

To add a Parking Lot Item:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Parking Lot Item
l Edit the Parking Lot Item Properties, i.e. Nameand Description
l Select the Parking Lot Item Status using the drop down selections; Open (default value), Closed,
or Review
To modify a Parking Lot Item:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 47 of 292

 l Highlight the Parking Lot Item
l Edit Parking Lot Item Properties, i.e. Name and Description
l Modify or select the Parking Lot Item Status
To delete a Parking Lot Item:
l Highlight the Parking Lot Item
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Parking Lot Item and its Parking Lot Item Properties

6.6 Team Members

exSILentia® v4 provides the ability to define various team members and document their roles. Once
team members are defined, they can be associated with various work sessions. To access an overview of
all team members defined for the current project click on the Members button on the dashboard.
Alternatively you can select the View - Members menu option.

To add a Team Member:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Team Member
l Edit the Team Member Properties, i.e. First Name, Last Name, Initials, Title, e-mail, and Notes
l Note that the initials are used when assigning recommendations

l Specify a role by selecting an option from the drop down list (the Team Roles can be modified
from within the project configuration)
To modify a Team Member:
l Highlight the Team Member
l Edit Team Member Properties, i.e. First Name, Last Name, Initials, Title, e-mail, and Notes
To delete a Team Member:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 48 of 292

 l Highlight the Team Member
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Team Member and its Team Member Properties

6.7 Sessions
exSILentia® v4 provides the ability to define (work) sessions and document dates and associated
participants. To access an overview of all defined sessions for the current project click on the Sessions
button on the dashboard. Alternatively you can select the View - Sessions menu option.

To add a Session:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Session
l Edit the Session Properties, i.e. Name, Description, and Location
l Select the Session Start Date using the calendar function
l Select the Session End Date using the calendar function
l Select the Session Type, e.g. PHA, LOPA, etc.
l Check the relevant check boxes to indicate which Team Members are part of the Session
To modify a Session:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 49 of 292

 l Highlight the Session
l Edit Session Properties, i.e. Name, Description, and Location
l Modify the Session Start Date using the calendar function
l Modify or select the Session End Date using the calendar function
l Modify the Session Type
l Check or uncheck the relevant check boxes to indicate which Team Members are part of the
Session
To delete a Session:
l Highlight the Session
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Session and its Session Properties

6.8 Generate Report

The generate report option allows you to auto generate reports for the various exSILentia® v4 tools.
Depending on the tool selected additional, more detailed, options may be available. The report
generation is described in detail in Chapter 10 Report Generation and for each individual exSILentia® v4
tool in their respective Appendix.

6.9 Export Data

The export data option allows you to export data out of the various exSILentia® v4 tools to a MS Excel
worksheet/workbook. Depending on the tool selected additional, more detailed, options may be
available. The data export is described in detail in Chapter 11 Data Export and for each individual
exSILentia® v4 tool in their respective Appendix.

6.10 Library
The library capability, build into exSILentia® v4, for identical items that can be (re-)used in multiple
locations, can dramatically increase the efficiency and consistency of the various work activities
performed. A detailed description of the Library functionality as well as an overview of the items for
which libraries are defined is provided in Chapter 13 Project Libraries.

6.11 Tool Tabs

The tool tabs on the exSILentia® v4 dashboard allow you to navigate between the different lifecycle
activities. The exSILentia® v4 main window will change based on your tool selection to allow for optimal
layout of the different lifecycle tasks.

6.12 Dashboard Widgets

The exSILentia® v4 dashboard allows you to display widgets with useful information. The type of
information ranges from status of work perform to news items and release notes.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 50 of 292

 You can move widgets on the desktop through dragging . You can add widgets by clicking on the green
"+" in the upper right hand corner of the widget area. This will show you the available widgets.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 51 of 292

 If you want to know more about the information displayed in a widget you can however over the title
bar of the widget and click on the "expand" button. This will make the widget pop out. If you want to
remove a widget from your dashboard, simply however over the title bar of the widget and click the red
"x".

To remove all widgets from you desktop click on the delete icon in the upper right hand corner of the
widget area.

To lock all widgets in place click on the lock icon in the upper right hand corner of the widget area.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 52 of 292

 Chapter 7 Project Information
In exSILentia® v4 when you create a project, a Project ID and Project Name are required to be specified.
In addition you can specify a Company, a Revision and a Project Description. This information can be
reviewed and modified in the Project Information window. To access the Project Information data, click
on Project Information on the exSILentia® v4 Dashboard and select the Project Tab. Alternatively you
can select the View - Project Information menu option.

7.1 Cyber Security Checklist

The Cyber Security Checklist feature in the Project Information allows you to review requirements from
IEC 62443-2-1 and document how you are compliant with these requirements. This allows you to address
cyber security concerns regarding your Safety Instrumented System.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 53 of 292

 7.2 IEC 61511 Checklist
The IEC 61511 Checklist feature in the Project Information allows you to review requirements from
IEC 61511 second edition and document how you are compliant with these requirements. This allows
you to prepare a safety case for your entire project.
Within the IEC 61511 Checklist you can define text fields that you can use throughout your argument.
The {{ ProjectName }} field for example will be using the Project Name for this project as you have
defined it within the Project Information.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 54 of 292

 Chapter 8 Project Configuration
exSILentia® v4 provides detailed project configuration options to dramatically increase the efficiency and
consistency of the various work activities to be performed. The various configuration options are
explained in detail in the subsequent sections. exSILentia® v4 comes with a comprehensive set of exida
default configuration settings. You can add, modify, or delete the values associated with the exida
defaults which will be retained within the exSILentia® v4 project file. exida defaults can always be
accessed by creating a new project. Your modified project configuration can be used by creating your
new project with the Custom Option, which allows you to start with the configuration settings of an
existing project file.

8.1 Plant Types

The exSILentia® v4 Plant project configuration defines a relationship between various plant types and
process types that are typical for that plant type. You can document the plant/process type being
reviewed using the Plant configuration. The exida default project includes a list of plant types and
associated process types to get you started.
To review the plant types that are defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the Plant Type Tab.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 55 of 292

 You can easily make changes to the default Plant Types and associated Process Types in the Project
Configuration.
To add a Plant Type to the Project Configuration:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Plant Type Properties, i.e. Code, Name, and Description
To modify a Plant Type in the Project Configuration:
l Highlight the Plant Type
l Edit the Plant Type Properties, i.e. Code, Name, and Description
To delete a Plant Type from the Project Configuration:
l Highlight the Plant Type
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Plant Type and its Plant Type Properties

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 56 of 292

 To add a Process Type to a Plant Type:
l Click on the green plus (+) symbol in the lower left hand portion of the Process Types window
l Edit the Process Type Properties, i.e. Code, Name, and Description
To modify a Process Type for a given Process Type:
l Highlight the Process Type
l Edit the Process Type Properties, i.e. Code, Name, and Description
To delete a Process Type from a given Plant Type:
l Highlight the Process Type
l Click on the red minus (-) symbol in the lower left hand portion of the Process Type window
l This will remove that Process Type and its Process Type Properties

8.2 Node Types

exSILentia® v4 has been designed to support smart deviations. Process Hazard Analysis deviations will
be assigned based on the Node Type you assign to your node. The deviations are based upon process
parameters and guidewords applicable to specific process node types. You must verify that the available
options and settings are applicable and sufficient for your specific plant application and environment.
exSILentia® v4 comes with a set of default Node Types and associated deviations. You can add to,
modify, or delete the default node types and deviations based on your project needs. The exida default
project includes a list of node types and associated deviations to get you started.
To review the node types and associated deviations that are defined in your project click on Project
Configuration on the exSILentia® v4 Dashboard and select the Node Type Tab.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 57 of 292

 To add a Node Type:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Node Type
l Edit the Node Type Properties, i.e. Code, Name, and Description
To modify a Node Type:
l Highlight the Node Type
l Edit the Node Type Properties, i.e. Code, Name, and Description
To delete a Node Type:
l Highlight the Node Type
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Node Type and its Node Type Properties
To add a Deviation to a Node Type:
l Highlight the Node Type
l Click on the green plus (+) symbol in the right hand portion of the Node Type properties window
l Highlight the new Deviation
l Edit the Deviation Name
To modify a specific Deviation:
l Highlight the Node Type
l Highlight the Deviation
l Edit the Deviation Name
To delete a Deviation from a Node Type:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 58 of 292

 l Highlight the Node Type
l Highlight the Deviation
l Click on the red minus (-) symbol in the right hand portion of the Node Type properties window
l This will remove that Deviation from the Node Type selected

8.3 Safeguard Categories

exSILentia® v4 comes with a set of default Safeguard Categories. You can add categories, modify, or
delete the default categories based on your project needs.
To review the safeguard categories that are defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the Safeguards Tab.

To add a Safeguard Category:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Safeguard Category
l Select the Safeguard Category Type, i.e. IPF, ALM, Other
l Edit the Safeguard Category Properties, i.e. Code, Name, and Description

Note: The Safeguard Category Type allow you to define if a safeguard category is of type IPF,
ALM, or Other. Based on these selections certain additional fields will be available as part of a
safeguard. For example any safeguard category of type IPF will have additional Interlock fields
available as well as a Is SIF checkbox. The latter is the unique identifier for exSILentia® v4 to
indicate that a safeguard should be considered in subsequent Safety Instrumented Function
related lifecycle phases.

To modify a Safeguard Category:

l Highlight the Safeguard Category
l Modify the Safeguard Category Type, i.e. SIF, IPL, Other
l Edit the Safeguard Category Properties, i.e. Code, Name, and Description
To delete a Safeguard Category:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 59 of 292

 l Highlight the Safeguard Category
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Safeguard Category and its Safeguard Category Properties
To link Custom Data (see section 8.7 Custom Data) to a Safeguard Category:
l Highlight the Safeguard Category
l Click on the Custom Data drop down
l Select the applicable Custom Data item

8.4 Recommendation Categories

exSILentia® v4 comes with a set of default Recommendation Categories. You can add categories, modify,
or delete the default categories based on your project needs.
To review the recommendation categories that are defined in your project click on Project
Configuration on the exSILentia® v4 Dashboard and select the Recommendations Tab.

To add a Recommendation Category:

l Click on the green plus (+) symbol in the lower left hand portion of the Category window
l Highlight the new Recommendation Category
l Edit the Recommendation Category Properties, i.e. Abbreviation, Name, and Description
To modify a Recommendation Category:
l Highlight the Recommendation Category
l Edit the Recommendation Category Properties, i.e. Abbreviation, Name, and Description
To delete a Recommendation Category:
l Highlight the Recommendation Category
l Click on the red minus (-) symbol in the lower left hand portion of the Category window
l This will remove that Recommendation Category and its Recommendation Category Properties

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 60 of 292

 You can make changes to the Recommendation Status options.

To add a Recommendation Status:

l Click on the green plus (+) symbol in the lower left hand portion of the Status window
l Highlight the new Recommendation Status
l Edit the Recommendation Status Properties, i.e. Code, Name, Description, and select a Color
To modify a Recommendation Status:
l Highlight the Recommendation Status
l Edit the Recommendation Status Properties, i.e. Code, Name, Description, and select a Color
To delete a Recommendation Status:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 61 of 292

 l Highlight the Recommendation Status
l Click on the red minus (-) symbol in the lower left hand portion of the Status window
l This will remove that Recommendation Status and its Recommendation Status Properties
You can also make changes to the Recommendation Priorities options.

To add a Recommendation Priority:

l Click on the green plus (+) symbol in the lower left hand portion of the Priority window
l Highlight the new Recommendation Priority
l Edit the Recommendation Priority Properties, i.e. Code, Name, Description, and select a Color
To modify a Recommendation Priority:
l Highlight the Recommendation Priority
l Edit the Recommendation Priority Properties, i.e. Code, Name, Description, and select a Color
To delete a Recommendation Priority:
l Highlight the Recommendation Priority
l Click on the red minus (-) symbol in the lower left hand portion of the Priority window
l This will remove that Recommendation Priority and its Recommendation Priority Properties
To link Custom Data (see section 8.7 Custom Data) to Recommendations:
l Click on the General section for the Recommendations
l Click on the Custom Data drop down
l Select the applicable Custom Data item

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 62 of 292

 The Custom Data fields that are associated with the recommendations will be used in the
Recommendation Sign-Off Export.

8.5 Reference Types

exSILentia® v4 comes with a set of default Reference Types. You can add categories, modify, or delete
the default categories based on your project needs.
To review the reference types that are defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the References Tab.

To add a Reference Category:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 63 of 292

 l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Reference Category
l Edit the Reference Category Properties, i.e. Abbreviation, Name, and Description
l Indicate if this category represents a Regulatory Standard by clicking the checkbox

Note: By indicating if a reference category is a Regulatory Standard, any documents marked with
the particular reference category will be included in the regulatory standard section of the various
reports.

To modify a Reference Category:

l Highlight the Reference Category
l Edit the Reference Category Properties, i.e. Abbreviation, Name, and Description
To delete a Recommendation Category:
l Highlight the Reference Category
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Reference Category and its Reference Category Properties

8.6 Team Roles

exSILentia® v4 comes with a set of default Team Roles. You can add roles, modify, or delete the default
roles based on your project needs.
To review the team roles that are defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the Team Roles Tab.

To add a Team Role:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 64 of 292

 l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Team Role
l Edit the Team Role Properties, i.e. Abbreviation, Name, and Description
l Indicate if the Team Role represents a Leader by clicking the checkbox
l Document the Hourly Rate associated with this rol
To modify a Team Role:
l Highlight the Team Role
l Edit the Team Role Properties, i.e. Abbreviation, Name, Description, and Rate
To delete a Team Role:
l Highlight the Team Role
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Team Role and its Team Role Properties

8.7 Custom Data

exSILentia® v4 provides you with the ability to define user defined fields to record information not
already addressed within the exSILentia® modules. An example of where custom data may come in
handy is to enable specification of previously undefined process safety information (PSI) to be used in
the project. For each custom data field, there are different field types to choose from, the ability to
specify the name, unit and description of the field, to set default entries, and to add a tool tip that gives
the user additional details on the data that belongs in the field.
To review the custom data that is defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the Custom Data Tab.

To add Custom Data:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 65 of 292

 l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Custom Data Configuration
l Edit the Custom Data Properties, i.e. Code and Name
To modify Custom Data:
l Highlight the Custom Data
l Edit the Custom Data Properties, i.e. Code and Name
To delete Custom Data:
l Highlight the Custom Data
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Custom Data and its Custom Data Properties
Once custom data is defined in a project, you can add data fields to it. A data field can be of type Text,
Yes/No, or Choice (which allows combo box information to be specified).
To add a Custom Data Field:
l Determine what type of field you want to add
l Select the New Text Field, New Yes/No Field, or New Choice Field button in the lower left hand
portion of the Custom Data Configuration window
l Highlight the new Custom Data Field
l Edit the Custom Data Field Properties, i.e. Name, Unit, Description, and Default Text as applicable.
l Use the Up and Down arrow buttons to move the new Custom Data Field in the right order.

To modify a Custom Data Field:

l Highlight the Custom Data Field
l Edit the Custom Data Properties, i.e. Name, Unit, Description, and Default Text as applicable.
l Use the Up and Down arrow buttons to adjust the Custom Data Field sequence, if
necessary.
To delete a Custom Data Field:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 66 of 292

 l Highlight the Custom Data Field
l Click on the Delete Field button in the lower left hand portion of the Custom Data Configuration
window
l This will remove that Custom Data Field and its Custom Data Field Properties
If you select Choice as the type for the custom data field, you will have the option to define entries for
the combo box associated wit the data field. The data field can be setup to accept single selections only
or multiple selections.

To add selection items for a Choice Custom Data Field Type:

l Click on the green plus (+) symbol in the lower left hand portion within the Custom Data Field
window
l Highlight the new Choice Selection
l Edit the Choice Selection Properties, i.e. Name and Description
l Repeat this process until all Choice selections have been specified
To modify a Choice Selection:
l Highlight the Choice Selection
l Edit the Choice Selection Properties, i.e. Name and Description
To delete a Choice Selection:
l Highlight the Choice Selection
l Click on the red minus (-) symbol in the lower left hand portion within the Custom Data Field
window
l This will remove that Choice Selection and its Choice Selection Properties

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 67 of 292

 To see how the Custom Data will be displayed in the exSILentia® tool, check the Show Preview check
box. You can re-size the form in this Preview window. Simply drag the right hand side of the custom data
form in the Preview to adjust its width. You can also drag the (invisible) divider line between the custom
field name column and the custom data field data entry field column to adjust the width distribution
between the two columns. To accommodate the custom data form in the Preview you may need to
increase the Preview section size. You can do this by adjusting the size of the complete Project
Configuration window and/or dragging the divider line between the Custom Data Configuration section
and the Preview section of the Custom Data Tab.

The figure below provides a partial example using the ALM – Alarm Process Safety Information exida
default data and shows two text fields and a choice field.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 68 of 292

 To assign Custom Data to, for example, a Safeguard Category in exSILentia® v4, select the Safeguards
Tab in the Project Configuration window, select the Safeguard Category to which the Custom Data must
be assigned, and use the drop down list on the Safeguard Category Properties portion of the Safeguards
window to select the applicable Custom Data option.

Note: Custom Data may be used for more than one custom data type, i.e. "ALM - Alarm Process
Safety Information" can be linked to an Alarm safeguard category and could at the same time be
used for an "OCC - Occupancy Restriction" safeguard category if those two categories require
identical Custom Data.

8.8 Project Abbreviations

exSILentia® v4 comes with a set of default Abbreviations. You can add, modify, or delete the default
abbreviations based on your project needs.
To review the abbreviations that are defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the Abbreviations Tab.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 69 of 292

 To add an Abbreviation:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Abbreviation
l Edit the Abbreviation Properties, i.e. Abbreviation and Description
l You can reorder the Abbreviation using the Up and Down arrows
To modify an Abbreviation:
l Highlight the Abbreviation
l Edit the Abbreviation Properties, i.e. Abbreviation and Description
To delete an Abbreviation:
l Highlight the Abbreviation
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Abbreviation and its Abbreviation Properties

8.9 Project Definitions

exSILentia® v4 comes with a set of default Definitions. You can add, modify, or delete the default
definitions based on your project needs.
To review the definitions that are defined in your project click on Project Configuration on the
exSILentia® v4 Dashboard and select the Definitions Tab.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 70 of 292

 To add a Definition:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Highlight the new Definition
l Edit the Definition Properties, i.e. Term and Definition
l You can reorder the Definition using the Up and Down arrows
To modify a Definition:
l Highlight the Definition
l Edit the Definition Properties, i.e. Term and Definition
To delete a Definition:
l Highlight the Definition
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Definition and its Definition Properties

8.10 SILver Project Parameters

The SILver project parameters allow you to select defaults and project settings for the entire SIL
verification project. These can be modified per SIF in the SILver module.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 71 of 292

 The SILver project parameters begin with the General SIF Information defaults. This includes:
l Architectural Constraints
l Systematic Capability
l Mission Time
l Startup Time
l Demand Rate Mode
You can also choose if you would like to consider
l IO channels on separate modules
l Mean Time To Fail Spurious calculation results
l SSI in Failure Rate Selections
These SIF Parameters are explained in further detail in the SILver Worksheet - SIF Level in Appendix G.
For Sensors and Final Elements you can choose defaults for:
l Site Safety Index
l Beta Factor
l Mean Repair Time
l Proof Testing
l Leg Options
These Sensor and Final Element Group options are explained in further detail in Appendix G.
For Logic Solvers you can choose defaults for:
l Site Safety Index
l Beta Factor
l Mean Repair Time
These Logic Solver options are explained in further detail in Appendix G.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 72 of 292

 8.11 Lifecycle Cost Estimator Settings
The Lifecycle Cost Estimator Settings allow you to specify lifecycle cost parameters that apply to the
entire exSILentia® project. These parameters are:
l Discount Rate in percentages
l Plant Life in years
l Monetary Symbol, e.g. $, €
These parameters impact the overall lifecycle cost as calculated in the Lifecycle Cost Estimator tool.

8.12 Project Configuration Reuse

Being able to reuse a project Risk Configuration can save a significant amount of time when defining a
new project. At the same time changing a risk configuration in the middle of a project can have a
dramatic impact. When using exSILentia® v4 there is an easy way to prepare the risk configuration for a
new project based on the risk configuration of an existing project. When creating a new project, simply
select the Custom option for the new project. This will allow you to select an existing project that both
the project configuration and risk configuration, see section 9.8 , will be based on. None of the project
details will be copied only the project and risk configuration information will be transferred to the new
project.

Note: As exSILentia® v4 project schema can be expanded with every release, some older project
configurations, e.g. based on v4.0 or v4.1, may not set specific parameters like Safeguard Category
type, as this parameter was introduced after those releases. You should verify your project
configuration if the source file is older than the current released version of the software.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 73 of 292

 Chapter 9 Project Risk Configuration
To define your tolerable risk levels, you can either select the exida default risk matrix or configure a risk
matrix to match the risk criteria that are applied to the project.
Risk is the product of consequence and likelihood. exSILentia® v4 allows detailed configuration of both
consequence and likelihood categories and levels which provide complete customization options of the
risk matrix used in the project.
To access the Project Risk Configuration information, click on Risk Configuration on the exSILentia® v4
Dashboard. Alternatively you can select the View - Risk Configuration menu option.

9.1 Consequence Categories and Severity Levels

The first task in specifying the project risk matrix is to define the applicable consequence categories and
severity levels. To do so use the following steps:
1. In the Risk Configuration window select the Severity Tab
2. The information initially shown is the exida default risk matrix (unless you selected the create an
empty project option when starting this project in which case all entries will be blank).
3. Severity categories can be added or deleted by using the plus (+) or minus (-) symbols in the
lower left corner of the left window pane.
4. You can edit the default information for severity category Code, Name, and Description or enter
the relevant information for severity categories you may have added.
5. Severity levels can be added or deleted by using the plus (+) or minus (-) symbols in the lower left
corner of the right window pane.
6. You can edit the default information for severity level Code, Name, and Tolerable Frequency or
enter the relevant information for severity levels you may have added.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 75 of 292

 9.2 Severity Matrix
The second task in specifying the project risk matrix is to define the applicable consequence/severity
matrix. To do so use the following steps:
1. Ensure you specified all relevant information on the Severity Tab (see section 9.1 Consequence
Categories and Severity Levels)
2. In the Risk Configuration window select the Severity Matrix Tab
3. The information initially shown is part of the exida default risk matrix (unless you selected the
create an empty project option when starting this project in which case the severity matrix will be
blank).
4. The Severity Matrix matches severity levels to severity categories. The matrix is prepopulated
based on the information you specified on the severity tab.
5. You can edit the information in the matrix cells or enter the relevant information as applicable.

9.3 Likelihood Categories and Levels

The third task in specifying the project risk matrix is to define the applicable likelihood categories and
levels. To do so use the following steps:
1. In the Risk Configuration window select the Likelihood Tab
2. The information initially shown is the exida default risk matrix (unless you selected the create an
empty project option when starting this project in which case all entries will be blank).
3. Likelihood categories can be added or deleted by using the plus (+) or minus (-) symbols in the
lower left corner of the left window pane.
4. You can edit the default information for likelihood category Code, Name, and Description or enter
the relevant information for likelihood categories you may have added.
5. Likelihood levels can be added or deleted by using the plus (+) or minus (-) symbols in the lower
left corner of the right window pane.
6. You can edit the default information for likelihood level Code and Name or enter the relevant
information for likelihood levels you may have added.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 76 of 292

 9.4 Likelihood Matrix
The fourth task in specifying the project risk matrix is to define the applicable likelihood matrix. To do so
use the following steps:
1. Ensure you specified all relevant information on the Likelihood Tab (see section 9.3 Likelihood
Categories and Levels)
2. In the Risk Configuration window select the Likelihood Matrix Tab
3. The information initially shown is part of the exida default risk matrix (unless you selected the
create an empty project option when starting this project in which case the likelihood matrix will
be blank).
4. The Likelihood Matrix matches likelihood levels to likelihood categories. The matrix is
prepopulated based on the information you specified on the likelihood tab.
5. You can edit the information in the matrix cells or enter the relevant information as applicable.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 77 of 292

 9.5 Risk Matrix
The final task in specifying the project risk matrix is to combine the consequence/severity and likelihood
matrices. To do so use the following steps:
1. Ensure you specified all relevant information for the Severity and Likelihood Matrices (see section
9.2 and 9.4 )
2. In the Risk Configuration window select the Risk Matrix Tab
3. The information initially shown is part of the exida default risk matrix (unless you selected the
create an empty project option when starting this project in which case the severity matrix will be
blank).
4. The Risk Matrix is prepopulated based on the on the information you specified for the severity
and likelihood levels.
5. Risk levels can be added or deleted by using the plus (+) or minus (-) symbols in the lower left
corner of the window.
6. You can edit the default information for risk Code and Name or enter the relevant information for
risk level you may have added. Next you can specify a Color that represents the risk level by
double clicking the color box and making the appropriate selection.
7. Within the Risk Matrix shown in the right window pane, each cell is a drop down box. You can
select the appropriate Risk Level for each matrix cell based on the risk levels defined in the left
window pane.
8. The severity and likelihood axis of the risk matrix can independently be set in an ascending or
descending order by clicking on the gray triangle at the right side and/or bottom of the risk
matrix respectively.
9. The severity and likelihood axis can be swapped by clicking on the gray triangle in the upper left
hand portion of the Risk Matrix.

9.6 Risk Graph

To specify the project Risk Graph, which will be used for SIL selection based on the Risk Graph
methodology, combine the risk matrix parameters with additional Risk Graph parameters (layers of
protection) that could contribute to risk mitigation. To do so use the following steps:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 78 of 292

 1. Ensure you specified all relevant information for the Severity, Likelihood, and Risk Matrices (see
section 9.2 , 9.4 , and 9.5 ). These entries will help to specify the Risk Graph, i.e., the x and y axis of
the Risk Graph, as well as the drop down options for each cell.
2. In the Risk Configuration window, select the Risk GraphTab.
3. The information initially shown is part of the exida default Risk Graph (unless you selected the
create an empty project option when starting this project in which case the Risk Graph will be
blank.)
4. The Risk Graph is pre-populated based on the information entered into the Severity, Likelihood,
and Risk Matrix.
5. Additional Risk Graph Parameters can be defined in the left window pane. Specify the parameter
as well as two likelihood options, A and B. For example, a default parameter for the Safety
category is 'Presence in the Danger Zone', with two likelihood options, A is Seldom to Frequently
and B is Frequently to Continuously.
6. To add a Risk Graph Parameter, select the 'Add Risk Graph Parameter' button at the bottom of
the left window pane. To delete the parameter, select the '-' symbol shown after the parameter
description.
7. For each severity level, you can choose to consider a Risk Graph Parameter by selecting the check
box under the parameter heading.
8. Within the Risk Graph shown in the right window pane, each cell is a drop down box. You can
select the appropriate Risk Level, including the associated SIL Level, for each cell. These Risk
Levels are defined in the Risk Matrix tab.
9. A separate Risk Graph should be defined for each Severity Category. The exida default project will
include three Severity Categories: Safety, Environmental, and Business. To define the Risk Graph
for each, select the Severity Category from the drop down box at the top of the window.

9.7 SIL Selection

For users who will eventually perform Safety Integrity Level target selection, the selection method and
its associated parameters must be specified as part of the risk configuration. To do this click on the
SIL Selection tab.
For the Layer Of Protection Analysis (LOPA) based SIL target selection method there are two parameters
that can be specified:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 79 of 292

 l SIL Threshold
l RRF Rounding Operand

Both parameters are descried below and relate to the range of risk reduction factors associated with
each SIL as shown in the following figure.

9.7.1 SIL Threshold

The SIL Threshold parameter determines how the required risk reduction is translated into a Target SIL
given the range of Risk Reduction that is presented by each SIL level.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 80 of 292

 In an advanced quantitative LOPA, where initiating event frequencies and IPL probability of failures are
not quantified in whole orders of magnitude, a resulting required risk reduction factor could be any
value within the SIL range. For example, a calculated required risk reduction of 45 lies within the SIL 1
range. One could conclude that therefore the target SIL is 1. However a conceptual design engineer
seeing a target SIL of 1, could develop a Safety Instrumented Function that meets the requirements of
SIL 1, but only achieves a risk reduction of 20. This solution would not provide enough risk reduction..
Therefore, the correct way to communicate the actual requirement is to tell the conceptual design
engineer that the target SIL of 1 includes a minimum risk reduction of 45, i.e. SIL 1 + RRF > 45. For users
who do not want to communicate the additional RRF requirement, the target SIL could also be
communicated as SIL 2.
The SIL Threshold allows you to specify at what point you want to include the RRF requirement and at
what point you want to specify the next higher SIL level. The default SIL Threshold of 10, will not
increase the target SIL and always include the required risk reduction factor. A SIL threshold at the lower
boundary of 1, would always specify the next higher SIL level. Within exSILentia® users can choose any
integer value between 1 and 10 for their SIL threshold setting.

9.7.2 RRF Rounding Operand

The RRF Rounding Operand parameter determines how the required risk reduction is translated into a
Target SIL given the upper limit of the Risk Reduction range presented by each SIL level.
Looking at the ranges of risk reduction to the SIL level, one would notice that as the RRF is the reciprocal
value of PFDAVG, a Risk Reduction Factor of 100 is still considered within the SIL 1 range. However, within
the process industry, a RRF of 100 is typically equated to the lower limit of SIL 2. Within the exSILentia®
risk configuration, users can choose if a required risk reduction of 100 should be considered as a target
SIL 1 or a target SIL 2 by choosing the RRF Rounding Operand as "≤"or "<"respectively. The default
RRF Rounding Operand is "<".

9.8 Risk Configuration Reuse

Being able to reuse a project Risk Configuration can save a significant amount of time when defining a
new project. At the same time changing a risk configuration in the middle of a project can have a
dramatic impact. When using exSILentia® v4 there is an easy way to prepare the risk configuration for a
new project based on the risk configuration of an existing project. When creating a new project, simply
select the Custom option for the new project. This will allow you to select an existing project that both
the project configuration, see section 8.12 , and risk configuration will be based on. None of the project
details will be copied only the project and risk configuration information will be transferred to the new
project.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 81 of 292

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 82 of 292
 Chapter 10 Report Generation
To generate a report output for your project you can click on the Generate Report button on the
exSILentia® v4 dashboard or you can select Generate Report from the Export menu. This will launch the
Report Wizard.

The Report Wizard will allow you to select the report you want to generate. In addition through the
Report Options selections you can control what sections are included within the report. Once you
completed making all appropriate report option selections you can click the Generate Report button in
the lower right hand portion of the Report Wizard window. This will open the Save As dialog and prompt
you with a default name which is based on the project file name.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 83 of 292

 If the Launch Associated Viewer checkbox (to the left of the Generate Report button) was checked it will
automatically open the generated report.
Specific exSILentia® v4 tool report generation is described in each tool's detailed functionality
description.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 84 of 292

 Chapter 11 Data Export
exSILentia® v4 supports two types of data export. Direct Exports which will export data from your project
using predefined export templates and Library Exports. An overview of both is provided below.

11.1 Direct Export

To export data from your project using predefined export templates, you can click on the Data Export
button on the exSILentia® v4 dashboard or you can select Export Data from the Export menu. This will
launch the Export Wizard.

The Export Wizard will allow you to select what data you want to export. The Comprehensive Export will
create a single workbook with separate worksheets for Safeguards, Recommendations, Members, Action
Items, References, and Sessions. Once you make the appropriate data export selections you can click the
Export button in the lower right hand portion of the Export Wizard window. This will open the Save As
dialog and prompt you with a default name which is based on the project file name.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 85 of 292

 Specific exSILentia® v4 tool data export is described in each tool's detailed functionality description.

11.2 Library Export

exSILentia® v4 supports data export from the various libraries as defined in Chapter 13 Project Libraries.
The library exports (as well as imports) use a Microsoft Excel .xlsx worksheet as the interface. The export
feature exports all items within the selected library. The export feature is available using the highlighted
button below which is available for each library. To export click the export button of the specific library
and specify the file name on the save as dialog that appears.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 86 of 292

 Chapter 12 Data Import
exSILentia® v4 supports data imports into the Library. An overview is provided below.

12.1 Library Import

exSILentia® v4 supports data import into the various libraries as defined in Chapter 13 Project Libraries.
The library imports (as well as exports) use a Microsoft Excel .xlsx worksheet as the interface. The import
feature will create a new item for each row that exists within the .xlsx file, regardless if the same named
item already exists. The import feature is available using the highlighted button below which is available
for each library. To import click the import button of the specific library and select the import file using
the file browser that appears.

Note: The easiest way to ensure your import format conforms with what exSILentia® v4 is
expecting, it is best to export from the desired library and use this exported file as the template to
create the import file. The text of certain fields must match what is expected or the field will not
import.

The following screen shot shows a Microsoft Excel worksheet, prepared as an import file for the hazard
scenario library. The first row contains the column headings and the subsequent rows contain the data
to be imported. Notice column D which communicates a Boolean value of Yes/No regarding the
completeness of the LOPA. You must follow this format of TRUE or FALSE in this case to represent
Yes/No to ensure correct import into the exSILentia® v4 hazard scenario library.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 87 of 292

 CAUTION: The headings of the Microsoft Excel .xlsx file to be imported must match what is
expected for the given library. Importing into the incorrect library will yield unanticipated results.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 88 of 292

 Chapter 13 Project Libraries
exSILentia® v4 provides build in libraries for identical items that can be (re-)used in multiple locations. A
library item is a unique entity that can be referenced in multiple locations. A change to the library item
will automatically be applied to all locations the library item is referenced. Using libraries will
dramatically increase the efficiency and consistency of the various work activities to be performed.
Libraries are defined for the following items:
l Units
l Causes
l Safeguards (IPF and Other)
l Safeguard Groups
l Recommendations
l References
l Hazard Scenarios
l Enabling Conditions
l Conditional Modifiers
l Risk Modifiers
l Sensor Groups and Legs
l Logic Solver Models
l Logic Solver
l Devices
l Device Models
l Final Element Groups and Legs
l Tags
l Input and Output Parameters
l Labels
l Proven In Use Justification
Library items can be defined while you are using the various exSILentia® v4 tools or prior to your use of
the tool. When you open a library you will be able to see where the library item is used. If you predefine
library items they will show up in italic font, indicating they are not assigned to anything, and the
location used will be blank.

13.1 Causes Library

Causes that are defined in the Causes Library are available for use in various parts of exSILentia® v4 such
as the PHAx™ HAZOP worksheet and the LOPAx™ worksheet. Causes can be added from within the
Causes Library overview or as part of performing various Process Hazard Analysis or Layer of Protection
Analysis tasks.

Note: Causes are referred to as Initiating Events in Layer of Protection Analysis terminology.

To review causes defined in the Causes Library click on Library icon on the exSILentia® v4 Dashboard, or
select the View - Library menu option, and select the Causes Library item.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 89 of 292

 To add a Cause to the library:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Cause Properties, i.e. Name, Description, and Frequency (if known at this point)
l The PHA Comments and LOPA Comments are typically only specified when the respective

analysis is conducted
To modify a Cause in the library:
l Highlight the Cause
l Edit the Cause Properties, i.e. Name, Description, and Frequency
To delete a Cause from the library:
l Highlight the Cause
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Cause and its Cause Properties

CAUTION: Deleting a cause from the library deletes every instance of that cause on every
worksheet where it has previously been used.

To import Causes into the library from an MS Excel spreadsheet:

l Click the Import button
l Browse to and select the MS Excel spreadsheet
l Click Open
l The Causes defined in the spreadsheet will now be imported into the Causes Library

Note: The MS Excel spreadsheet should have columns defined for ID , Name , Description , and
Frequency.

It is possible that after adding, modifying, deleting, and/or importing causes, there will be gaps between
Cause IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to a serial number. When a
cause is deleted it will create a gap between numbers. A feature has been provided to allow reordering
these IDs, but caution is advised if the IDs are being used external to the program as part of managed
documentation.
To reorder Cause IDs:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 90 of 292

 l Click on Reorder Cause IDs in the lower left hand portion of the window

CAUTION: Reordering Cause IDs has the potential to cause inconsistency with data maintained
outside of exSILentia® v4. When you reorder Cause IDs you need to ensure that any reference
external to project file is updated manually.

13.2 Safeguards Library

Safeguards that are defined in the Safeguards Library are available for use in various parts of exSILentia®
v4 such as the PHAx™ HAZOP worksheet. Safeguards can be added from within the Safeguards Library
overview or as part of performing various Process Hazard Analysis tasks.
To review safeguards defined in the Safeguards Library click on Library icon on the exSILentia® v4
Dashboard, or select the View - Library menu option, and select the Safeguards Library item. The
Safeguards Library is divided into 2 parts in the Library, the first part shows all Safeguards of Safeguard
type IPF that were defined, the second part shows all other Safeguards.

To add a Safeguard to the library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 91 of 292

 l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Safeguard Properties, i.e. Name,Description, Tag (if available), PFD (if known at this
point), and select the Category from the drop down box
l See section 8.3 for more information on Safeguard Categories

To modify a Safeguard in the library:

l Highlight the Safeguard
l Edit the Safeguard Properties, i.e. Name , Description , Tag (if available), PFD , and select the
Category from the drop down box
To delete a Safeguard from the library:
l Highlight the Safeguard
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Safeguard and its Safeguard Properties

CAUTION: Deleting a safeguard from the library deletes every instance of that safeguard on every
worksheet where it has previously been used.

To import Safeguards into the library from an MS Excel spreadsheet:

l Click the Import button
l Browse to and select the MS Excel spreadsheet
l Click Open
l The Safeguards defined in the spreadsheet will now be imported into the Safeguards Library

Note: The MS Excel spreadsheet should have columns defined for ID , Description , Tag , and
Category.

It is possible that after adding, modifying, deleting, and/or importing safeguards, there will be gaps
between Safeguard IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to a serial
number. When a safeguard is deleted it will create a gap between numbers. A feature has been provided
to allow reordering these IDs, but caution is advised if the IDs are being used external to the program as
part of managed documentation.
To reorder Safeguard IDs:
l Click on Reorder Safeguard IDs in the lower left hand portion of the window

CAUTION: Reordering Safeguard IDs has the potential to cause inconsistency with data maintained
outside of exSILentia® v4. When you reorder Safeguard IDs you need to ensure that any reference
external to the project file is updated manually.

13.3 Recommendations Library

Recommendations that are defined in the Recommendations Library are available for use in various
parts of exSILentia® v4 such as the PHAx™ HAZOP worksheet. Recommendations can be added from
within the Recommendations Library overview or as part of performing various Process Hazard Analysis
tasks. Recommendations, however, are generally entered as part of a review utilizing the various
worksheets or software tools.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 92 of 292

 To review recommendation defined in the Recommendations Library click on Library icon on the
exSILentia® v4 Dashboard, or select the View - Library menu option, and select the Recommendations
Library item.

To add a Recommendation to the library:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Recommendation Properties, i.e. Name, Description, select the Category from the drop
down box, select the Assigned to from the drop down box, specify the Due Date, and select the
Status from the drop down box.
l See section 8.4 for more information on Recommendation Categories

l See section 6.6 for more information on Team Members

To modify a Recommendation in the library:

l Highlight the Recommendation
l Edit the Recommendation Properties, i.e. Name, Description, select the Category from the drop
down box, select the Assigned to from the drop down box, specify the Due Date, and select the
Status from the drop down box.

CAUTION: Modifying a recommendation in the library will impact all instances where the
recommendation is used.

To delete a Recommendation from the library:

l Highlight the Recommendation
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Recommendation and its Recommendation Properties

CAUTION: Deleting a recommendation from the library deletes every instance of that
recommendation on every worksheet where it has previously been used.

To import Recommendations into the library from an MS Excel spreadsheet:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 93 of 292

 l Click the Import button
l Browse to and select the MS Excel spreadsheet
l Click Open
l The Recommendations defined in the spreadsheet will now be imported into the
Recommendations Library

Note: The MS Excel spreadsheet should have columns defined for ID , Description , Category ,
Assigned To, Due Date, and Status.

It is possible that after adding, modifying, and/or deleting recommendations, there will be gaps between
Recommendation IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to a serial number.
When a recommendation is deleted it will create a gap between numbers. A feature has been provided
to allow reordering these IDs, but caution is advised if the IDs are being used external to the program as
part of managed documentation.
To reorder Recommendation IDs:
l Click on Reorder Recommendation IDs in the lower left hand portion of the window

CAUTION: Reordering Recommendation IDs has the potential to cause inconsistency with data
maintained outside of exSILentia® v4. When you reorder Recommendation IDs you need to ensure
that any reference external to project file is updated manually.

To view details for a recommendation, you can select the recommendation in the library, right click, and
select View.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 94 of 292

 In addition to the details directly viewable in the Library, the Recommendation details also show any
Custom Data that may be assigned to the recommendation for the Recommendation Sign Off Checklist.

13.4 References Library

References that are defined in the References Library are available for use in various parts of exSILentia®
v4 as well as for reporting purposes. References can be added from within the Reference Library
overview or as part of performing various lifecycle tasks. It is useful to enter standard References in the
References library prior to their use as this will increase overall efficiency.
To review references defined in the Reference Library click on Library icon on the exSILentia® v4
Dashboard, or select the View - Library menu option, and select the References Library item.

To add a Reference to the library:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Reference Properties, i.e. Document Number, Title, Description, Revision, Revision Date,
and select the Reference Type from the drop down box.
l See section 8.5 for more information on Reference Types

l You can create a hyperlink (Link) to the reference or embed (Attachment) the actual reference in
the project
To modify a Reference in the library:
l Highlight the Reference
l Edit the Reference Properties, i.e. Document Number, Title, Description, Revision, Revision Date,
and select the Reference Type from the drop down box.
l You can delete the reference Link or Attachment by clicking on the red X icon next to the link or
attachment. You can then specify an alternate file to hyperlink or embed.

CAUTION: Modifying a reference in the library will impact all instances where the reference is used.

To delete a Reference from the library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 95 of 292

 l Highlight the Reference
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Reference and its Reference Properties

CAUTION: Deleting a reference from the library deletes every instance of that reference where it
has previously been used.

To import References into the library from an MS Excel spreadsheet:

l Click the Import button
l Browse to and select the MS Excel spreadsheet
l Click Open
l The References defined in the spreadsheet will now be imported into the References Library

Note: The MS Excel spreadsheet should have columns defined for ID, Document Number, Title,
Revision, Revision Date, and Type.

It is possible that after adding, modifying, and/or deleting references, there will be gaps between
Reference IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to a serial number. When a
reference is deleted it will create a gap between numbers. A feature has been provided to allow
reordering these IDs, but caution is advised if the IDs are being used external to the program as part of
managed documentation.
To reorder Reference IDs:
l Click on Reorder Reference IDs in the lower left hand portion of the window

CAUTION: Reordering Reference IDs has the potential to cause inconsistency with data maintained
outside of exSILentia® v4. When you reorder Reference IDs you need to ensure that any reference
external to project file is updated manually.

13.5 Hazard Scenarios Library

Hazard Scenarios that are defined in the Hazard Scenarios Library are available for use in various parts
of exSILentia® v4 such as the PHAx™ HAZOP worksheet and the LOPAx™ worksheet. Hazard scenarios can
be added from within the Hazard Scenarios Library overview or as part of performing various lifecycle
tasks.
To review hazard scenarios defined in the Hazard Scenarios Library click on Library icon on the
exSILentia® v4 Dashboard, or select the View - Library menu option, and select the Hazard Scenarios
Library item.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 96 of 292

 To add a Hazard Scenario to the library:
l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Hazard Scenario Properties, i.e. Name
To modify a Hazard Scenario in the library:
l Highlight the Hazard Scenario
l Edit the Hazard Scenario Properties, i.e. Name

CAUTION: Modifying a hazard scenario in the library will impact all instances where the hazard
scenario is used.

To delete a Hazard Scenario from the library:

l Highlight the Hazard Scenario
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Hazard Scenario and its Hazard Scenario Properties

CAUTION: Deleting a hazard scenario from the library deletes every instance of that hazard
scenario on every worksheet where it has previously been used.

It is possible that after adding, modifying, and/or deleting hazard scenarios, there will be gaps between
Hazard Scenario IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to a serial number.
When a hazard scenario is deleted it will create a gap between numbers. A feature has been provided to
allow reordering these IDs, but caution is advised if the IDs are being used external to the program as
part of managed documentation.
To reorder Hazard Scenario IDs:
l Click on Reorder Hazard Scenario IDs in the lower left hand portion of the window

CAUTION: Reordering Hazard Scenario IDs has the potential to cause inconsistency with data
maintained outside of exSILentia® v4. When you reorder Hazard Scenario IDs you need to ensure
that any reference external to project file is updated manually.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 97 of 292

 13.6 Enabling Conditions Library
Enabling Conditions that are defined in the Enabling Conditions Library are available for use in various
parts of exSILentia® v4 such as the LOPAx™ worksheet. Enabling Conditions can be added from within
the Enabling Conditions Library overview or as part of performing various Layer of Protection Analysis
tasks.
To review enabling conditions defined in the Enabling Conditions Library click on Library icon on the
exSILentia® v4 Dashboard, or select the View - Library menu option, and select the Enabling Conditions
Library item.

To add a Enabling Condition to the library:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Enabling Condition Properties, i.e. Name and Probability (if known)
To modify a Enabling Condition in the library:
l Highlight the Enabling Condition
l Edit the Enabling Condition Properties, i.e. Name, Probability (if known)
To delete a Enabling Condition from the library:
l Highlight the Enabling Condition
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Enabling Condition and its Enabling Condition Properties

CAUTION: Deleting a enabling condition from the library deletes every instance of that enabiling
condition on every worksheet where it has previously been used.

To import Enabling Conditions into the library from an MS Excel spreadsheet:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 98 of 292

 l Click the Import button
l Browse to and select the MS Excel spreadsheet
l Click Open
l The Enabling Conditions defined in the spreadsheet will now be imported into the Enabling
Conditions Library

Note: The MS Excel spreadsheet should have columns defined for ID, Name, and Probability.

It is possible that after adding, modifying, deleting, and/or importing enabling conditions, there will be
gaps between Enabling Condition IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to
a serial number. When an enabling condition is deleted it will create a gap between numbers. A feature
has been provided to allow reordering these IDs, but caution is advised if the IDs are being used external
to the program as part of managed documentation.
To reorder Enabling Condition IDs:
l Click on Reorder Enabling Condition IDs in the lower left hand portion of the window

CAUTION: Reordering Enabling Condition IDs has the potential to cause inconsistency with data
maintained outside of exSILentia® v4. When you reorder Enabling Condition IDs you need to ensure
that any reference external to project file is updated manually.

13.7 Conditional Modifiers Library

Conditional Modifiers that are defined in the Conditional Modifiers Library are available for use in various
parts of exSILentia® v4 such as the LOPAx™ worksheet. Conditional Modifiers can be added from within
the Conditional Modifiers Library overview or as part of performing various Layer of Protection Analysis
tasks.
To review conditional modifiers defined in the Conditional Modifiers Library click on Library icon on the
exSILentia® v4 Dashboard, or select the View - Library menu option, and select the Conditional Modifiers
Library item.

To add a Conditional Modifier to the library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 99 of 292

 l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Conditional Modifier Properties, i.e. Name and Probability (if known)
To modify a Conditional Modifier in the library:
l Highlight the Conditional Modifier
l Edit the Conditional Modifier Properties, i.e. Name and Probability (if known)
To delete a Conditional Modifier from the library:
l Highlight the Conditional Modifier
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Conditional Modifier and its Conditional Modifier Properties

CAUTION: Deleting a conditional modifier from the library deletes every instance of that
conditional modifier on every worksheet where it has previously been used.

To import Conditional Modifiers into the library from an MS Excel spreadsheet:

l Click the Import button
l Browse to and select the MS Excel spreadsheet
l Click Open
l The Conditional Modifiers defined in the spreadsheet will now be imported into the Conditional
Modifiers Library

Note: The MS Excel spreadsheet should have columns defined for ID, Name, and Probability.

It is possible that after adding, modifying, deleting, and/or importing conditional modifiers, there will be
gaps between Conditional Modifier IDs. IDs are assigned by exSILentia® v4 to be unique values, similar to
a serial number. When a conditional modifier is deleted it will create a gap between numbers. A feature
has been provided to allow reordering these IDs, but caution is advised if the IDs are being used external
to the program as part of managed documentation.
To reorder Conditional Modifier IDs:
l Click on Reorder Conditional Modifier IDs in the lower left hand portion of the window

CAUTION: Reordering Conditional Modifier IDs has the potential to cause inconsistency with data
maintained outside of exSILentia® v4. When you reorder Conditional Modifier IDs you need to
ensure that any reference external to project file is updated manually.

13.8 Sensor Groups and Legs

The library stores each sensor group defined in SIL Verification in the SILver module. The group
information stored in the library includes:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 100 of 292
 l Group Name
l Description
l Application Test Parameters
l Voting
l Beta Factor
l Mean Repair Time
l Proof Test Parameters
l Places Used
Likewise, the library stores each sensor leg defined in SIL Verification in the SILver module. The leg
information stored in the library includes:
l Leg Name
l Description
l Places Used
These parameters can be modified in the library if you prefer, and will be updated accordingly in the
SILver module. For details on each of these parameters see section 20.5 SILver Worksheet - Sensor Group.

13.9 Logic Solver Models

The library stores each Logic Solver Model used during SIL Verification in the SILver module. One Logic
Solver Model can be used for various Logic Solvers and can be selected from exida's Safety Equipment
Reliability Handbook database or entered as a User Defined Logic Solver Model. You can also add Logic
Solver Models directly into the library if you have, for example, many logic solvers of the same model
from the same vendor in a process.
To add a Logic Solver Model directly into the library, select the + button, and select a Logic Solver Model
from exida's SERH.

13.10 Logic Solvers

The library stores each individual Logic Solver defined during SIL Verification in the SILver module. Each
Logic Solver specified during the design of your safety instrumented system is given a unique entry in
the library, making it possible to re-use the Logic Solver in different SIFs. For more information on Logic
Solvers see section 20.8 SILver Worksheet - Logic Solver Part.

13.11 Devices
The library stores each individual device defined during SIL Verification in the SILver module. Each
sensor or final element specified during the design of your safety instrumented system is given a unique
entry in the library, making it possible to re-use the device in different SIFs. For more information on
Sensor Devices see section 20.5 SILver Worksheet - Sensor Group. For more information on Final Element
Devices, see section 20.7 SILver Worksheet - Final Element Group.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 101 of 292
 13.12 Device Models
The library stores each Device Model used during SIL Verification in the SILver module. One Device Model
can be used for various devices and can be selected from exida's Safety Equipment Reliability Handbook
database or entered as a User Defined device model. You can also add Device Models directly into the
library if you have, for example, many sensors or final elements of the same model from the same
vendor in a process.
To add a Device Model directly into the library, select the + button, and select a device model from
exida's SERH.

13.13 Final Element Groups and Legs

The library stores each final element group defined in SIL Verification in the SILver module. The group
information stored in the library includes:
l Group Name
l Description
l Application Test Parameters
l Voting
l Beta Factor
l Mean Repair Time
l Proof Test Parameters
l Places Used
Likewise, the library stores each final element leg defined in SIL Verification in the SILver module. The
leg information stored in the library includes:
l Leg Name
l Description
l Places Used
These parameters can be modified in the library if you prefer, and will be updated accordingly in the
SILver module. For details on each of these parameters see section 20.7 SILver Worksheet - Final Element
Group.

13.14 Tags
The library stores tag information input in the SILver module during SIL Verification. The tags can also be
input directly into the library and linked to a Sensor Leg or Final Element Leg. For more details on tags,
see section 20.11 SILver Worksheet - Tags.

13.15 Proven In Use Justification

The library stores each Proven In Use Justification completed during SIL Verification in the SILver
module. For more details on Proven In Use Justification, see section 20.10 SILver Worksheet - Features.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 102 of 292
 13.16 Library Clean Up
Depending on your use of exSILentia® v4, it is possible that the various libraries collect unused items. For
example, when you are modeling a SIF and remove a Sensor Group from a SIF after concluding that it is
identical to one you already modeled or if the sensor group represents an auxiliary action, the extra
sensor group may remain in the library. Several of the library views will have clean up function that will
remove any item in that library that is not used within the project, e.g. orphaned sensor groups. To
initiate the clean up action, you can click on the broomstick icon. exSILentia® will then determine
which entries in the library are not used and provide you with a message box asking for confirmation
that you want to remove the unused library items.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 103 of 292
 Chapter 14 Embedded Databases
Consistency and efficiency during the execution of the various Safety Lifecycle tasks revolves around the
use and availability of reliability data. exSILentia® is equipped with two embedded databases. These are:
l LOPA database
l SERH database
The embedded databases are accessible through the respective tools that they are used in. In addition
they can be accessed from the exSILentia® v4 Dashboard.

14.1 LOPA Database

exSILentia® v4 provides an embedded LOPA database. The LOPA database provides a mechanism to
store properties, like assumptions, references, and data, for different Initiating Events, Enabling
Conditions, Independent Protection Layers, and Conditional Modifiers. These properties can easily be
(re-)used throughout the various LOPA worksheets. When a database item is referenced in the
LOPA worksheet, the properties of the database item are copied to the LOPA worksheet item. Any
changes to the database item will not be propagated to the LOPA worksheet. Therefore a database
change will not impact previous work performed.
The LOPA database contains three sub-databases/data sources. These are:
l exida
l Generic
l User Defined Data
You can access the LOPA database by clicking on the LOPA icon on the exSILentia® v4 Dashboard. On the
LOPA Database Editor dialog you can switch between the different data sources through the drop down
list on the upper right hand side of the database dialog. You can also switch between the different data
item types, e.g. protection layers, enabling conditions, conditional modifiers, and initiating events using
the tabs on the dialog.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 105 of 292
 14.1.1 exida LOPA Database
The exida LOPA database is a read-only database with initiating event frequencies and independent
protection layer probabilities of failure on demand. The data is evaluated by exida and deemed
applicable for use in process industry layer of protection analysis. The exida LOPA database is
automatically installed on your system with the exSILentia® v4 installation. Updates to this database will
be included in exSILentia® v4 updates. Note that there is no data specified for enabling conditions and
conditional modifiers in the exida LOPA database as these are application specific.

14.1.2 Generic LOPA Database

The Generic LOPA database is one of two databases that you as a user can define. The Generic
LOPA database is a database that resides on the computer that exSILentia® v4 is installed on. Any data
item, initiating event, enabling condition, independent protection layer, or conditional modifier, that you
define in the Generic LOPA database will be available for all exSILentia® v4 projects that you perform on
the particular computer. When you open your exSILentia® v4 project on a different computer with a fresh
install of exSILentia® v4, the database items properties will still be available if you referenced the
database item in the LOPA Worksheet, however the database item will no longer show up as a item you
can reference from the database. Your LOPA worksheet calculations will not be affected.
The Generic LOPA Database file is automatically stored in the ..\Documents\exida\exSILentia
4\generic.lopadb location. You can copy the generic.lopadb file to a different machine to ensure the
same user defined LOPA database is available for use in that specific exSILentia® v4 installation.

14.1.3 User Defined Data LOPA Database

The User Defined Data LOPA Database is the second database that you as a user can define. In contrast
to the Generic LOPA database, the User Defined Data database is embedded within the specific
exSILentia® v4 project file. Therefore when you open the project file on a different computer, the same
database items will be available as on the original computer the project was created on. On the other
hand when you create a new project the database items from the User Defined Data LOPA database will
no longer exist. This functionality is specifically intended for projects with a project specific LOPA
database.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 106 of 292
 14.1.4 Managing LOPA Database Items
You can review LOPA database entries by clicking on the LOPA icon on the exSILentia® v4 Dashboard
which will launch the LOPA Database Editor dialog. When you select the Generic LOPA database or User
Defined Data LOPA Database Data Source you will be able to maintain the respective entries, i.e. add,
modify or delete a database items. The management of a protection layer, enabling condition,
conditional modifier, or initiating event database item is identical, you just need to make sure you have
selected the appropriate LOPA Database tab.

To add a Database Item to the LOPA database:

l Click on the green plus (+) symbol in the lower left hand portion of the window
l Edit the Database Item Properties directly in the grid layout, i.e. Name,Frequency or Probability,
Reference, Assumptions, and Comments
To modify a Database Item in the library:
l Highlight the Database Item
l Edit the Database Item Properties directly in the grid layout, i.e. Name,Frequency or Probability,
Reference, Assumptions, and Comments
To delete a Database Item from the library:
l Highlight the Database Item
l Click on the red minus (-) symbol in the lower left hand portion of the window
l This will remove that Database Item and its Properties

14.2 SERH Database

exSILentia® v4 provides an embedded safety equipment failure rate database for use in SIL verification.
The exida Safety Equipment Reliability Handbook (SERH) provides a collection of failure rate data that is
applicable for use in Safety Instrumented System (SIS) conceptual design verification in the process
industry. The Safety Equipment Reliability Handbook is the ultimate reference source for any safety
engineer involved in Conceptual Design and Safety Integrity Level verification. The set comes in three
different volumes

Volume 01: Sensors

This includes Fire and Gas, Flame Monitoring, Flow, Level, Pressure, Proximity, and Temperature
measurements

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 107 of 292
 Volume 02: Logic Solvers and Interface Modules

This includes Barriers, Surge protection devices, Relays, logic solvers, Fire and Gas Systems, and
solenoid drivers

Volume 03: Final Elements

This includes Final Element interfaces such as solenoids and digital valve positioners, Pneumatic
interfaces such as Quick Exhaust valves, Actuators, Valves such as ball, butterfly, gate, etc. valves, and
Gas Pressure Regulating Valves.

You can access the SERH database by clicking on the SERH icon on the exSILentia® v4 Dashboard. This
will launch the SERH database window. Within the window you can search, sort, filter etc. to view the
equipment items in the database.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 108 of 292
 By expending the right hand side bar, you will be able to view the SERH data page for the equipment
item that you selected.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 109 of 292
 Chapter 15 Upgrading from exSILentia® v3
This chapter provides an overview of differences between the exSILentia® v3 and exSILentia® v4
software. exSILentia® v4 can open exSILentia® v3 format project files, but will at that point convert the
project information to the new exSILentia® v4 format. In most cases the conversion is one- to- one
between the two versions of the software, however in some cases the structure of the two versions differ
which require a specific conversion algorithm to be implemented. For each of the exSILentia® v3 tools an
overview is provided on how information is converted for which there is no direct one- to- one
relationship with an exSILentia® v4 data item.
When you upgrade your exSILentia® v3 project to the exSILentia® v4 format, a log will be created of all
conversion actions taken. The log will be embedded as a reference in the exSILentia® v4 project. In
addition the original exSILentia® v3 project file will be embedded as a reference as well.

15.1 General Project Information

The following table lists exSILentia® v3 general project information fields that are no longer supported in
exSILentia® v4. The table also documents the conversion action applied on these fields.
exSILentia® v3 Field Conversion Action
Company The company name is added to the Project Description.
A Team Member is created. The leader flag is set for the team
Project Leader member. The first space in the Project Leader text field is
interpreted as the separator between first name and last name.
Project Initiated The project start date is added to the Project Description.

15.2 Process Hazard Analysis (PHA)

There are two aspects to conversion of PHA information from exSILentia® v3. The conversion of the
standalone tool information and conversion of PHA information available within exSILentia® v3.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 111 of 292
 15.2.1 PHAx™ v2
The PHAx™ component of exSILentia® v3 was available as a standalone product. This standalone product
was PHAx™ v2. To convert a PHAx™ v2 project to the exSILentia® v4 PHAx module, simply open a PHAx™
v2 project file. On the project open dialog, see section 4.2 Launching the Program, select the PHAx 2
Project (.pxi) file type and then select the appropriate project file.
The PHAx™ v2 project information is completely converted to exSILentia® v4.

15.2.2 exSILentia® v3 PHA Tab

The information on the exSILentia® v3 PHA tab is a result of importing PHA data from for example PHAx™
v2. As this information is not directly linked to a PHA, none of the information is imported in to
exSILentia® v4.

15.3 SIF Identification

In exSILentia® v4, Safety Instrumented Functions are Safeguards of type Independent Protection Function
(IPF) that are marked as SIF. For each SIF identified in the exSILentia® v3 project, a safeguard is created
of type IPF with the Is SIF checkbox checked. During the conversion process, the exSILentia® v3
SIF Identification information is transferred to the relevant Safeguard.

15.4 SIL Target Selection (SILect™)

The SILect™ tool has seen the most dramatic change going from exSILentia® v3 to exSILentia® v4. The
main changes in v4 include:
l In v4 there is one tolerable risk specification per Risk Category (Safety, Environmental, Business,
etc) option for the Layer of Protection Analysis method.
l In v4 there is one SIL Target Selection method hazard scenario, i.e. Risk Matrix, Risk Graph, or
Frequency Based Targets.
l In v4 the Layer of Protection Analysis functionality extracted into standalone LOPA tool, with the
SIL Selection step finalized in SILect.
The changes to the SILect™ tool structure and their impact if any are described in the following sections.

15.4.1 Multiple Tolerable Risk Calibration

For exSILentia® v3 projects that have multiple tolerable risk calibrations defined, the exSILentia® v3 to
exSILentia® v4 conversion will determine which tolerable risk calibration method was used most. This
will be set as the method according to which the conversion will be executed. SILect™ selections for SIFs
that were made using a different method within the exSILentia® v3 project will not be transferred to
exSILentia® v4. The affected SIFs will be identified in the conversion log for further evaluation.

15.4.2 Risk Graph

exSILentia® v4 supports the Risk Graph SIL Target Selection method. When converting an exSILentia® v3
project that uses the Risk Graph SIL Target Selection method, the Risk Graph tolerable risk calibration
and individual SIF selections will be placed in a temporary container, embedded in the project file.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 112 of 292
 15.4.3 Hazard Matrix
The exSILentia® v3 Hazard Matrix tolerable risk calibration is directly copied into the exSILentia® v4 Risk
Configuration Risk Matrix. The Hazard Matrix method is renamed to Risk Matrix. To review the
exSILentia® v4 Risk Configuration click on the Risk Configuration button on the Dashboard, see Chapter 9
Project Risk Configuration.
The exSILentia® v4 SILect™ module supports the Risk Matrix SIL Target Selection method. When
converting an exSILentia® v3 project that uses this SIL Target Selection method, the individual SIF
selections will be placed in a temporary container, embedded in the project file. Upon release of the
SILect™ module the data conversion will be completed.

15.4.4 Frequency Based Targets/LOPA Tolerable Risk Calibration

The exSILentia® v3 Frequency Based Targets/LOPA SIL Target Selection methods are all converted to the
exSILentia® v4 Risk Configuration as described in section 9.1 Consequence Categories and Severity Levels.
Each of the six methods available in exSILentia® v3 specify a tolerable frequency based on a severity
level selection. As such when converting the Frequency Based Target (FBT) tolerable risk calibration,
only the Severity Categories, Severity Levels, and Severity Matrix will be specified. The resulting
exSILentia® v4 Risk Configuration will have no Likelihood settings. For each of the risk receptors defined
in exSILentia® v3 that are included in the tolerable risk calibration a Severity Category is created.
The SIL Threshold parameter specified with each FBT tolerable risk calibration is converted to a SILect™
phase parameter, outside of the exSILentia® v4 Risk Configuration.

Linear Tolerable Risk

The Health and Safety Executive, IEC 61511-3, Annex D, E, and Single Tolerable Risk Quantitative FBT
tolerable risk calibration options are all covered by the Linear Tolerable Risk conversion. These tolerable
risk calibrations are not a direct fit for the exSILentia® v4 Risk Configuration as they only specify a single
target frequency. The actual severity levels are defined through a combination of individual event
consequence and a risk tolerance set per year for each risk receptor. For the conversion of these
tolerable risk calibrations all Severity Levels are determined for each risk receptor while determining the
associated tolerable frequency. For each unique tolerable frequency a Severity Level is defined in the
exSILentia® v4 Risk Configuration. Though the conversion results in an exact match, it is recommended
that you review your SIL Target Selection results upon completion of the conversion.

Single Tolerable Risk Qualitative

The Qualitative option of the Single Tolerable Risk calibration option is a close fit for the exSILentia® v4
Risk Configuration. In the conversion a fixed set of 7 Severity Levels is created. The weight factors
specified for the personnel category are used to calculate the tolerable frequency for each severity level.
Generic descriptions are used of the severity level names. If weight factors differ for the different risk
receptors, you should review your SIL Target Selection results upon completion of the conversion.

Tolerable Risk Categories (Qualitative)

The Qualitative option of the Tolerable Risk Categories is a direct fit for the exSILentia® v4 Risk
Configuration. Tolerable risk calibration level descriptions are directly copied into the exSILentia® v4
project.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 113 of 292
 Tolerable Risk Categories (Quantitative)

The Quantitative option of the Tolerable Risk Categories is a close fit for the exSILentia® v4 Risk
Configuration. The Personnel Fatalities and Personnel Injuries risk receptors are combined into 1
Severity Category. Tolerable risk calibration level descriptions are directly copied into the exSILentia® v4
project.

15.4.5 Frequency Based Targets/LOPA Target SIL Selections

The exSILentia® v3 Frequency Based Targets/LOPA SIL Target Selections match directly to the
exSILentia® v4 LOPAx™ worksheet, see section 17.2 LOPA Worksheet. The main difference between the
exSILentia® v3 Frequency Based Targets/LOPA SIL Target Selections and the exSILentia® v4 LOPAx™
worksheet from a conversion perspective is how the Independent Protection Layer (IPL) effectiveness for
different Severity Categories is identified. In exSILentia® v3 one can set different Probability of Failure on
Demand (PFD), or Risk Reduction Factor (RRF), for each of the different risk receptors (Severity
Categories), In exSILentia® v4 there is only one probability of failure, or risk reduction factor, per IPL. The
IPL is then either flagged as effective of ineffective for a specific Severity Category.
During the conversion if the PFD of an IPL is set to 1, it is assumed that the IPL is not effective for that
specific Severity Category. If the PFD is less than 1, it is set as effective for that specific Severity Category
and the value of the PFD specified for the Personnel Risk Receptor is used to define the IPL probability of
failure. If you used different probability of failure smaller than 1 for an IPL, you should review your
SIL Target Selection results upon completion of the conversion.
Since exSILentia® v3 did not distinguish in the user interface between Independent Protection Layers
and Conditional Modifiers, all IPLs are converted as if they are IPLs. You will need to manually move IPLs
to the Conditional Modifier category if so desired.

15.5 Safety Requirements Specification

The exSILentia® v3 Safety Requirements Specification will be documented through the combination of
Process SRS and Design SRS. In exSILentia® v4 the SIF SRS is replaced by the equivalent of the
exSILentia® v3 Process SRS, thought the functionality of the exSILentia® v4 SRS is drastically expanded.
The Design SRS has become and separate module in exSILentia® v4.

15.5.1 SIF SRS

The following table lists exSILentia® v3 SIF SRS fields that are no longer supported in exSILentia® v4 or
whose type changed from exSILentia® v3 to exSILentia® v4. The table also documents the conversion
action applied on these fields.
exSILentia® v3 Field Conversion Action
Changed from text field to number field. Field is left blank, the v3
SIF Test Interval
field text is added to the Notes.
Changed from text field to number field. Field is left blank, the v3
Overall Response Time
field text is added to the Notes.
Changed from text field to toggle field with options de-energize to
Protection Method trip and energize to trip. Selection set to de-energize to trip, the
v3 field text is added to the Notes.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 114 of 292
 exSILentia® v3 Field Conversion Action
Changed from text field to number field. Field is left blank, the v3
Max. Spurious Trip Rate
field text is added to the Notes.
Diagnostics The diagnostic description is added to the Notes.
Notes Added text from fields where a type change occurred from v3 to v4.
The sensor part description is added to the Input / Output
Sensor Part Description
Functional Relationship field.
The logic solver part description is added to the Input / Output
Logic Solver Part Description
Functional Relationship field.
The final element part description is added to the Input / Output
Final Element Part Description
Functional Relationship field.

The following table lists exSILentia® v3 SIF SRS fields that have been renamed or redefined in exSILentia®
v4. The core functionality of these fields has not been affected, the name and/or functionality has been
improved.
exSILentia® v3 Field exSILentia® v4 Field
Desired Proof Test Interval Sensor Part
SIF Test Interval Desired Proof Test Interval Logic Solver Part
Desired Proof Test Interval Final Element Part
Overall Response Time Maximum Response Time SIF
Sensor Part Description
Logic Solver Part Description Input / Output Functional Relationship
Final Element Part Description

15.5.2 Process SRS (SRSC&E)

The exSILentia® v3 Process SRS consists of three main topics, General SIS Requirements, General
SIF Requirements, and SIF Specific (PHA based) Requirements.

General SIS Requirements

The following table lists exSILentia® v3 Process SRS General SIS Requirements fields that are no longer
supported in exSILentia® v4 or whose type changed from exSILentia® v3 to exSILentia® v4. The table also
documents the conversion action applied on these fields.
exSILentia® v3 Field Conversion Action
Action on Logic Solver Fault
Added boiler plate text to field text.
Detection
The boiler plate text and environment conditions text is added to
Environment Conditions
the Other Environmental Extremes field.
The interior equipment environment conditions text is added to the
Interior Equipment Environment
Other Environmental Extremes field.
The exterior equipment environment conditions text is added to
Exterior Equipment Environment
the Other Environmental Extremes field.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 115 of 292
 The following table lists exSILentia® v3 Process SRS General SIS Requirements fields that have been
renamed or redefined in exSILentia® v4. The core functionality of these fields has not been affected, the
name and/or functionality has been improved.
exSILentia® v3 Field exSILentia® v4 Field
Environment Conditions
Interior Equipment Environment Other Environmental Extremes
Exterior Equipment Environment

General SIF Requirements

The following table lists exSILentia® v3 Process SRS General SIF Requirements fields that are no longer
supported in exSILentia® v4 or whose type changed from exSILentia® v3 to exSILentia® v4. The table also
documents the conversion action applied on these fields.
exSILentia® v3 Field Conversion Action
Changed from text field to number field. Field is left blank, the v3
Max. Spurious Trip Rate
field text is added to the General SIF Notes.
Changed from text field to list field. Field is left blank, the v3 field
Demand Mode
text is added to the General SIF Notes.
Changed from text field to number field. Field is left blank, the v3
Mission Time
field text is added to the General SIF Notes.
Changed from text field to number field. Field is left blank, the v3
Maximum Response Time Sensor
field text is added to the General SIF Notes.
Maximum Response Time Logic Changed from text field to number field. Field is left blank, the v3
Solver field text is added to the General SIF Notes.
Maximum Response Time Final Changed from text field to number field. Field is left blank, the v3
Element field text is added to the General SIF Notes.
Changed from text field to number field. Field is left blank, the v3
Test Interval
field text is added to the General SIF Notes.
Changed from text field to reference field. Field is left blank, the v3
Design Guidelines
field text is added to the General SIF Notes.
The transmitter low detection description is added to the
Transmitter Low Detection
Transmitter Fail Safe State field.
The transmitter low detection value is added to the Transmitter Fail
Transmitter Low Detection Value
Safe State field.
The transmitter high detection description is added to the
Transmitter High Detection
Transmitter Fail Safe State field.
The transmitter high detection value description is added to the
Transmitter High Detection Value
Transmitter Fail Safe State field.
Diagnostics The diagnostic description is added to the General SIF Notes.
The maintenance override text 1 field is added to the General
Maintenance Override Text 1
SIF Maintenance Override field.
The maintenance override text 2 field is added to the General
Maintenance Override Text 2
SIF Maintenance Override field.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 116 of 292
 The following table lists exSILentia® v3 Process SRS General SIF Requirements fields that have been
renamed or redefined in exSILentia® v4. The core functionality of these fields has not been affected, the
name and/or functionality has been improved.
exSILentia® v3 Field exSILentia® v4 Field
Desired Proof Test Interval Sensor Part
Test Interval Desired Proof Test Interval Logic Solver Part
Desired Proof Test Interval Final Element Part
Transmitter Low Detection
Transmitter Low Detection Value
Transmitter Fail Safe State
Transmitter High Detection
Transmitter High Detection Value
Maintenance Override Text 1
General SIF Maintenance Override
Maintenance Override Text 2

SIF Specific (PHA based) Requirements

The following table lists exSILentia® v3 Process SRS SIF Specific Requirements fields that are no longer
supported in exSILentia® v4 or whose type changed from exSILentia® v3 to exSILentia® v4. The table also
documents the conversion action applied on these fields.
exSILentia® v3 Field Conversion Action
Changed from text field to number field. Field is left blank, the v3
SIF Test Interval
field text is added to the Notes.
Changed from text field to number field. Field is left blank, the v3
Overall Response Time
field text is added to the Notes.
Changed from text field to toggle field with options de-energize to
Protection Method trip and energize to trip. Selection set to de-energize to trip, the
v3 field text is added to the Notes.
Changed from text field to number field. Field is left blank, the v3
Max. Spurious Trip Rate
field text is added to the Notes.
Diagnostics The diagnostic description is added to the Notes.
Notes Added text from fields where a type change occurred from v3 to v4.
Added text from Demand fields where a type change occurred from
Demand Source
v3 to v4.
Changed from text field to number field. Field is left blank, the v3
Demand Rate
field text is added to the Demand Source.
Changed from text field to list field. Field is left blank, the v3 field
Demand Mode
text is added to the Demand Source.
Changed from text field to number field. Field is left blank, the v3
Mission Time
field text is added to the Notes.

The following table lists exSILentia® v3 Process SRS SIF Specific Requirements fields that have been
renamed or redefined in exSILentia® v4. The core functionality of these fields has not been affected, the
name and/or functionality has been improved.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 117 of 292
 exSILentia® v3 Field exSILentia® v4 Field
Desired Proof Test Interval Sensor Part
SIF Test Interval Desired Proof Test Interval Logic Solver Part
Desired Proof Test Interval Final Element Part
Overall Response Time Maximum Response Time SIF

15.5.3 Design SRS

The exSILentia® v4 the Design SRS has become a separate module meant to document the conceptual
SIS design after SIL Verification is complete. exSILentia v3 SRS data will be completely converted to the
v4 format, with a change log detailing all changes upon conversion.

15.6 SIL Verification (SILver™)

When opening an exSILentia® v3 project in exSILentia® v4, all equipment items that are selected in your
project will be updated per the latest version of the Safety Equipment Reliability Handbook database. If
all of your project data is up to date this will have no impact. If some of your data is out of date, this
could have an impact on your calculated SIF. Any user defined data is unaffected by this action.
exSILentia® v4 SILver uses an updated algorithm to account for logic solver I/O channels and modules.
I/O channels are included in the sensor and final element group voting. In addition you can indicate if
channels should land on different I/O modules, in which case the I/O modules are also included in the
sensor and final element groups.

CAUTION: It is unrealistic to expect that SILver in exSILentia® v4 will yield the same results as
SILver in exSILentia® v3 due to the change in logic solver channel and module handling as well as
potential for updated failure rate data.

The following table lists exSILentia® v3 SILver™ fields or selections that are no longer supported in
exSILentia® v4. The table also documents the conversion action applied on these fields and if the
conversion action could impact the calculated SIL verification results of the SIF.
SIFs
exSILentia® v3 Field/Selection Conversion Action
Impacted
Architectural Constraints: Use IEC 61511 Architectural Constraints selection is changed
Yes
tables [ignore 11.4.3 for Type A devices] to Use IEC 61511 Tables per IEC 61511-1:2016.
Architectural Constraints selection is changed
Architectural Constraints: Use IEC 61511 Yes
to Use IEC 61508 Tables per IEC 61511-1:2016.
Architectural Constraints selection is changed
to Use IEC 61508 Tables per IEC 61508-2:2010
Architectural Constraints: Use IEC
in accordance with IEC 61511- 1:2016 clause Yes
61508:2000
11.4.3, you should review the SILver results for
the affected SIFs.
The selection is no longer supported. The
modeling of all application level tests will be
Application Test Method - IEC 61508:2010 No
done using the IEC 61508:2010 modeling
methodology.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 118 of 292
 SIFs
exSILentia® v3 Field/Selection Conversion Action
Impacted
The selection is no longer supported. The
modeling of all application level tests will be
Application Test Method - IEC 61508:2000 Yes
done using the IEC 61508:2010 modeling
methodology.
Change to 1oo1 voting and set Trip on
Sensor Group Voting: 1oo1D No
Transmitter Fault to Yes
Change to 1oo2 voting and set Trip on
Sensor Group Voting: 1oo2D No
Transmitter Fault to No

The following table lists exSILentia® v3 SILver™ fields that have been renamed in exSILentia® v4. The
functionality of these fields has not been affected, the name and/or description has been improved.
exSILentia® v3 Field exSILentia® v4 Field
Maintenance Capability Index Site Safety Index
Architectural Constraints: Use IEC 61508:2010
IEC 61511-1 11.4.5, IEC 61508:2010 tables
tables [per 61511-1 11.4.5]
Architectural Constraints: Use IEC 61511 tables IEC 61511-1 tables 5 & 6
Sensor Group Configuration: Alarm setting Transmitter Fault Direction
Sensor Group Configuration: Over/Under Range Out of Range Detection
Sensor Group Configuration: Alarm Filter Transmitter Fault Filter
Sensor Group Configuration: Alarm Voted as Trip Trip on Transmitter Fault

The following table lists specific exSILentia® v3 to exSILentia® v4 SILver™ conversion actions including if
the conversion action could impact the calculated SIL verification results of the SIF.
SIFs
Conversion Action exSILentia® v3 to v4 Conversion Step Description
Impacted
The v3 to v4 converter only converts the automatically
Logic Solver I/O Channel Count determined number of I/O channels due to a Yes
restructuring of the I/O channel handling.
The v3 to v4 converter attempts to convert the v3 string
Tag EU Low to a Decimal value in v4. If the converter is not No
successful the Range Low value in v4 will be left empty
The v3 to v4 converter attempts to convert the v3 string
Tag EU High to a Decimal value in v4. If the converter is not No
successful the Range High value in v4 will be left empty
The v3 to v4 converter attempts to convert the v3 string
Tag Trip Limit to a Decimal value in v4. If the converter is not No
successful the Limit value in v4 will be left empty

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 119 of 292
 15.7 Lifecycle Cost Estimator
The exSILentia® v4 Lifecycle Cost Estimator module functionality is an extension of the Lifecycle Cost
Estimator functionality in exSILentia® v3. All information is converted into the new exSILentia® v4
functionality.
The exSILentia® v4 Lifecycle Cost Estimator module is currently not yet released. exSILentia® v4 will
support all exSILentia® v3 Lifecycle Cost Estimator fields. Therefore no specific conversion actions are
taken. When converting an exSILentia® v3 project with configured Lifecycle Cost Estimator data, the data
will be placed in a temporary container, embedded in the project file. Upon release of the Lifecycle Cost
Estimator module the data conversion will be completed.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 120 of 292
 Part 3
Modules

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 121 of 292
 Chapter 16 PHAx™
The PHA tab navigates to the exSILentia® v4 process hazard analysis tool PHAx™. Availability of the
PHA tab, and therefore the PHAx™ tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The PHAx™ tool allows process hazard
analysis to be performed using the Hazard and Operability (HAZOP) methodology.

16.1 Introduction
The HAZOP functionality in the PHAx™ tool uses a spreadsheet type interface with defined columns for
the various HAZOP items.

In the subsequent sections the PHAx™ tool hierarchy, the worksheet, and its reporting capability will be
explained.

16.2 Hierarchy
The hierarchical top level for an exSILentia® v4 project is a plant. Within the plant level several units can
be defined and within the unit level nodes can be defined. Deviations which are the cornerstone of the
HAZOP methodology are defined for each node.
l Plant (exSILentia® v4 project)
l Units

l Nodes

l Deviations

16.2.1 Units
A unit allows division of an exSILentia® v4 project plant.
To add a Unit:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 123 of 292
 l Click on the green plus (+) symbol in the Unit row
l Edit the Unit Properties, i.e. Name, select the Plant Type from the drop down box (optional), and
select the Process Type from the drop down box (optional)
l See section 8.1 for more information on Plant and Process Types

Note: The default value for Plant Type is Unknown . The Process Type field will remain blank
without drop down box selections until a Plant Type has been defined.

Upon completion of all study items associated with a particular unit, the Complete check box can be
checked. The box to the far right of the unit will turn orange and show a green bold check mark.
To navigate between units you can use the navigation tree in the left hand side bar, click the Unit drop
down box and select the desired Unit, or click on the up or down icons until the applicable Unit is
selected.
To modify a Unit:
l Highlight the Unit
l Click the icon
l Edit the Unit Properties, i.e. Name, select the Plant Type from the drop down box (optional), and
select the Process Type from the drop down box (optional)
To delete a Unit:
l Highlight the Unit
l Click on the red minus (-) symbol in the Unit row
l Click Yes to confirm you want to delete the Unit
l This will remove that Unit, its Unit Properties, and all associated data

16.2.2 Nodes
A HAZOP Node represents a specific section of the plant unit system in which (the deviations of ) the
design/process intent are evaluated.
To add a Node:
l Select the Unit where the node will be added
l Click on the green plus (+) symbol in the Node row
l Edit the Node Properties, i.e. Name, Node Intention, and Comments (optional)
l To take advantage of Smart Deviations:
l Check the Smart Deviation check box

l Within the Node Window, select the node type from the drop down box that aligns with

the actual process node

Upon completion of all study items associated with a particular node, the Complete check box can be
checked. The box to the far right of the node will turn orange and show a green bold check mark.
To navigate between nodes you can use the navigation tree in the left hand side bar, click the Node drop
down box and select the desired Node within a Unit, or click on the up or down icons until the
applicable Node is selected for the selected Unit.
To modify a Node:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 124 of 292
 l Highlight the Node
l Click the icon
l Edit the Node Properties, i.e. Name, Node Intention, and Comments (optional)
To delete a Node:
l Highlight the Node
l Click on the red minus (-) symbol in the Node row
l Click Yes to confirm you want to delete the Node
l This will remove that Node, its Node Properties, and all associated data
You can link references from the reference library (see section 13.4 for more information on the
Reference Library) to a Node by clicking on the link Icon and selecting a reference from the list of
available references. Once a reference is linked, you can click on the red minus (-) symbol to remove the
link.

16.2.3 Deviations
A HAZOP Node Deviation is a way in which the process conditions may depart from its design/process
intent. It is created by combining guide words with process parameters resulting in a possible deviation
from design intent.
If you selected the Smart Deviations check box when defining the Node the deviations associated with
the specific Node Type will be automatically defined for the Node. The following steps can be used if you
did not use Smart Deviations or want to add or modify the Smart Deviations. You will also be able to
delete a smart deviation if it is not applicable to the Node, however to document that you considered
the specific deviation it is better to leave it in the project and mark it as not applicable.
To add a Deviation:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 125 of 292
 l Select the Node where the deviation will be added
l Click on the green plus (+) symbol in the Deviation row
l Edit the Deviation Properties, i.e. Name and Design Intent
Upon completion of all study items associated with a particular deviation, the Complete check box can
be checked. The box to the far right of the deviation will turn orange and show a green bold check mark.
If for a deviation no causes or consequences of no significance are found, then the “No Issues” check box
can be checked. This will document “No Issues Found ” on the worksheet.
To navigate between deviations you can use the navigation tree in the left hand side bar, click the
Deviation drop down box and select the desired Deviation within a Node, or click on the up or down
icons until the applicable Deviation is selected for the selected Node.
To modify a Deviation:
l Highlight the Deviation
l Click the icon
l Edit the Deviation Properties, i.e. Name and Design Intent
To delete a Deviation:
l Highlight the Deviation
l Click on the red minus (-) symbol in the Deviation row
l Click Yes to confirm you want to delete the Deviation
l This will remove that Deviation, its Deviation Properties, and all associated data

16.3 HAZOP Worksheet

The PHAx™ tool HAZOP worksheet uses columns for the selected Deviation in a spreadsheet type
interface. This allows the Cause data to be viewed quickly so one Cause- Consequence pair can be
compared to another Cause-Consequence pair within the same Deviation. Within the worksheet columns
buttons exist for adding Causes, Consequences, Safeguards, and Recommendations. For Cause and
Consequences content can be edited directly from within the worksheet. Content for the Safeguards and
Recommendations can also be directly edited from within the worksheet, however as they are part of
the Project Libraries (see Chapter 13 Project Libraries) additional functionality is available. Within the
worksheet you will be able to add a new Safeguard or Recommendation. When you begin typing a new
name for a Safeguard or Recommendation the auto-complete feature will display a list of Safeguards or
Recommendations which match the entered text. You can double click on an item in the list to create a
link between the relevant Safeguard or Recommendation and the current Cause-Consequence pair.
An example of the PHAx™ tool HAZOP worksheet is shown in the figure below.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 126 of 292
 16.3.1 Cause
PHAx™ causes are comprised of four related data fields, i.e. ID, Description, Cause Category, and Cause
Likelihood. The Cause ID is automatically generated and assigned to ensure relational data integrity. If
more than one Likelihood Category was defined in the Risk Matrix, a drop down list will allow you to
select the applicable Cause Category. The Cause Likelihood is intended to be the likelihood with NO
Safeguards or the scenario where all safeguards have failed. When combining the Cause Likelihood with
the Consequence Severity a Risk Without Safeguards is obtained from the Risk Matrix. The Cause
Likelihood is selected from a drop down list of likelihoods configured within the Risk Matrix. The list that
appears is based on the associated Cause Category.
To add a Cause:
l Click on the Add Cause button at the bottom of the HAZOP worksheet
l Edit the Cause Properties, i.e. Description, Cause Category, and Cause Likelihood
l Once a Cause Description has been entered you can click the Enter key on your keyboard to add
a new Cause
To delete a Cause:
l Highlight the Cause ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Cause is really to be deleted

CAUTION: Deleting a Cause will delete all consequences, safeguards, and recommendations that
are related to it.

16.3.2 Consequence
PHAx™ consequences are comprised of five related data fields, i.e. ID, Description, Consequence
Category, Severity, and Risk. The Consequence ID is automatically generated and assigned to ensure
relational data integrity. If more than one Consequence Category was defined in the Risk Matrix, a drop
down list will allow you to select the applicable Category. The Consequence Severity is selected from a
drop down list that is based on the Consequence Category selected. The Risk, representing the risk
without safeguards, is automatically determined based on the Risk Matrix given the Cause Likelihood
and Consequence Severity selected.
To add a Consequence:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 127 of 292
 l Click on the Add Consequence button that is in line with the Cause that you want to add the
Consequence to.
l Enter Consequence Description, and choose the Severity Categories that apply. Multiple severity
categories can be attributed to one consequence. For each applicable category, choose the
severity from the drop down and the tool will show the applicable Risk from the Risk
Configuration.
l If you often analyze all severity categories, select the 'Severity Categories Start as
Applicable' check box. In this case all severity categories will be automatically selected
(buttons will be orange), and you can indicate if any are not applicable (button will appear
gray). If you would like to hide categories that do not apply select the 'Hide Non
Applicable Severity Categories' check box.
l If you often analyze one severity category at a time, leave the 'Severity Categories Start as

Applicable' check box unchecked. In this case the categories are not applicable by default
(buttons will be gray), and you can indicate which are applicable (button will appear
orange).
l If you prefer, you can select 'Ask for Severity Categories', and the tool will allow you to

select applicable categories from a window upon adding each new consequence.
l Once a Consequence Description has been entered you can click the Enter key on your keyboard
to add a new Consequence
To delete a Consequence:
l Highlight the Consequence ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Consequence is really to be deleted

CAUTION: Deleting a Consequence will delete all safeguards and recommendations that are
related to it.

16.3.3 Safeguards
PHAx™ safeguards are comprised of four related data fields, i.e. ID, Description, Safeguard Tag, and
Safeguard Category. The Safeguard ID is automatically generated and assigned to ensure relational data
integrity. The Safeguard Tag can be used to uniquely identify a specific Safeguard within a process plant.
The Safeguard Tag also enables links to the Safeguard from other applications. The Safeguard Category
is selected from a drop down list. Categorizing Safeguards allows for enhanced safeguard reporting.
Furthermore Safeguard Category specific process safety information can be specified by clicking on the
Category Icon. In addition to the four data fields identified above, Custom Data/process safety
information data fields can be configured in the Custom Data section within the Project Configuration
(see section 8.7 ).
To add a New Safeguard:
l Click on the Add Safeguard button that is in line with the Consequence that you want to add the
Safeguard to
l Edit the Safeguard Properties, i.e. Description, Safeguard Tag, and Safeguard Category
l Once a Safeguard Description has been entered you can click the Enter key on your keyboard to
add a new Safeguard
To add a Safeguard directly from the Safeguard Library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 128 of 292
 l Click on the Link Safeguard Icon
l For ease, search the safeguard library using the search bar at the bottom of the link window. This
will search all attributes of the safeguard including name, tag, and type as well as any labels
applied to the safeguard.
l Highlight the Safeguard to add
l Click on Add
To delete a Safeguard:
l Highlight the Safeguard ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Safeguard is really to be deleted

Note: When a Safeguard is deleted and it is the last place where it is used, you will be asked if you
want to permanently delete the Safeguard from the Library. Click Yes or No as applicable.

To edit the Custom Data/process safety information for a safeguard, click on the icon. The applicable
Custom Data entry form will appear.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 129 of 292
 16.3.4 Safeguard Labels
User defined labels can be defined in the library under the labels entry. The label name, description and
label color can be configured there. To apply labels to a safeguard, navigate to the safeguard library, and
view the safeguard. At the bottom of the safeguard view, select the label button and apply the
appropriate labels from the list. There is no limit to the number of labels applied to a safeguard.

16.3.5 Likelihood with Safeguards

The Likelihood with Safeguards is intended to reflect the Cause Likelihood assuming ALL Safeguards are
successful. The Likelihood is selected from a drop down list of likelihoods configured within the Risk
Matrix. The list that appears is based on the associated Cause Category.

16.3.6 Risk with Safeguards

The Risk with Safeguards is automatically determined based on the Risk Matrix given the Likelihood with
Safeguards and Consequence Severity selected.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 130 of 292
 16.3.7 Recommendations
PHAx™ recommendations are comprised of six related data fields, i.e. ID, Description, Category, Assigned
to, Due Date, and Status. The Recommendation ID is automatically generated and assigned to ensure
relational data integrity. The Recommendation Category is selected from a drop down list. Categorizing
Recommendation allows for easy recommendation sorting and reporting. The Assigned to is selected
from a drop down list. The list is populated with Member names that can be configured from the
Dashboard (see section 6.6 ). The Due Data is selected from the pop-up calendar. The Status is selected
from a drop down list where Open is the default value.
To add a New Recommendation:
l Click on the Add Recommendation button that is in line with the Consequence that you want to
add the Recommendation to
l Edit the Recommendation Properties, i.e. Description, Category, Assigned to, Priority,Due Date, and
Status
l Once a Recommendation Description has been entered you can click the Enter key on your
keyboard to add a new Recommendation
To add a Recommendation directly from the Recommendation Library:
l Click on the Link Recommendation Icon
l Highlight the Recommendation to add
l Click on Add
To delete a Recommendation:
l Highlight the Recommendation ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Recommendation is really to be deleted

16.3.8 LOPA
The LOPA column allows the PHA team to record if a detailed Layer of Protection Analysis (LOPA) is
required for a specific Cause-Consequence pair scenario. The drop down list allows a Yes, No, or N/A
(default) selection. When a Cause- Consequence pair scenario is to be further evaluated it can be
assigned to a Hazard Scenario. To add, edit, or remove a Hazard Scenario click on the Hazard Scenario
icon .

Note: The Cause-Consequence pair will only be available for further evaluation in the LOPAx™
worksheet if the LOPA drop down box selection is Yes, even when the Cause-Consequence pair is
assigned to a Hazard Scenario.

To create a new Hazard Scenario for a Cause-Consequence pair:

l Click on the green + symbol
l Edit the Hazard Scenario Properties, i.e. Name (the Hazard Scenario ID is automatically generated
and assigned to ensure relational data integrity)
l Once a Consequence Description has been entered you can click the Enter key on your keyboard
to add a new Consequence
To add a Hazard Scenario to a Cause-Consequence pair:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 131 of 292
 l Highlight the applicable Hazard Scenario
l Click on the Left arrow
To remove a Hazard Scenario from a Cause-Consequence pair:
l Highlight the assigned Hazard Scenario
l Click on the Right arrow

16.3.9 Comments
Comments can be edited directly in the Comments text box. A Comment is associated with a single
Cause. To delete a comment, highlight the text and click on the Delete key on your keyboard.

16.4 Navigation Tree

The exSILentia® v4 PHAx™ tool uses a Navigation Tree to allow for easy moving between the different
HAZOP worksheets. In addition the navigation tree provides you with an outline of the project
worksheets hierarchy. It allows you to quickly identify items that are completed and items that are not
through the presence or absence of the completion mark next to the item.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 132 of 292
 16.4.1 Tree Hierarchy / Navigation
The PHAx™ Navigation Tree allows a quick glance at the project hierarchy from the Unit all the way down
to the Safeguards, Recommendations, and Hazard Scenarios. In addition it allows rapid navigation
throughout the project by double clicking on any entry. The Navigation Tree also has Expand and
Contract buttons to allow a portion of the hierarchy to be expanded or collapsed. This allows for quick
reference to make changes without having to navigate back and forth repeatedly. This also ensures that
you can compare entries rather quickly by switching the selection back and forth.

16.4.2 Drag & Drop

The PHAx™ Navigation Tree is enabled with drag and drop actions. This allows you to move a particular
Unit, Node, Deviation, Cause, Consequence, Safeguard, Recommendation, and/or Hazard Scenario. For
instance, you can drag a Node from one Unit to a different Unit or you can drag that Node onto a
different Node within the same Unit to reorder them. The table below provides a complete overview of
the drag and drop operations.
As you are dragging you can hover over the potential destination which may be collapsed and it will
automatically expand. As you drag down or up within the Navigation Tree, the tree will scroll in the
direction you are dragging the item.

Note: If you are in the middle of a drag and drop operation and you wish to abort you can press
the escape (ESC) key on your keyboard to abort the operation.

Drag Drop On Operation

Unit Unit Moves Unit directly above the Unit that it was dropped on.
Node Unit Moves Node to end of the Unit that it was dropped on.
Node Node Moves Node directly below the Node that it was dropped on,
either within the same Unit or a different Unit.
Deviation Node Moves Deviation to end of the Node that it was dropped on.
Deviation Deviation Moves Deviation directly below the Deviation that it was
dropped on, either within the same Node or a different Node.
Cause Deviation Moves Cause to end of the Deviation that it was dropped on.
Cause Cause Moves Cause directly below the Cause that it was dropped on,
either within the same Deviation or a different Deviation.
Consequence Cause Moves Consequence to end of the Cause that it was dropped on.
Consequence Consequence Moves Consequence directly below the Consequence that it was
dropped on, either within the same Cause or a different Cause.
Safeguard Consequence Moves Safeguard to the end of the Safeguard list within the
Consequence. Since a Safeguard is a Library item, the link to the
old Consequence will be replaced with a link to the new
Consequence.
Safeguard Safeguard Moves Safeguard to the location it is dropped, allowing user to
reorder the safeguards.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 133 of 292
 Drag Drop On Operation
Recommendation Consequence Moves Recommendation to the end of the Recommendation list
within the Consequence. Since a Recommendation is a Library
item, the link to the old Consequence will be replaced with a
link to the new Consequence.
Recommendation Recommendation Not permitted. The order of the Recommendations within a
Consequence is chronological, this list is not sorted and cannot
be reordered.
Hazard Scenario Consequence Moves Hazard Scenario to the end of the Hazard Scenario list
within the Consequence. Since a Hazard Scenario is a Library
item, the link to the old Consequence with be replaced with a
link to the new Consequence.
Hazard Scenario Hazard Scenario Not permitted. The order of the Hazard Scenarios within a
Consequence is chronological, this list is not sorted and cannot
be reordered.

16.4.3 Right Click Context Menu

The PHAx™ Navigation Tree is equipped with a right click context menu. The following options are
available in the context menu:
l View
l Cut
l Copy
l Paste
l Delete
l Bookmark
When right clicking on a Deviation an additional menu item is available:
l Open PHA Worksheet
This menu option will open the PHAx™ Worksheet associated with the particular deviation in a separate
window. This will allow you to review the particular deviation's information while working on
documenting the process hazard analysis information for another deviation.
Within the Navigation Tree you can right click on any item except Safeguards and Recommendations to
Copy the selected item or Copy all of the items contained therein and Paste them to the same location
or a different location depending upon the available hierarchy.

16.5 User Interface / Usability

The PHAx™ tool allows several User Interface customizations to allow you to setup the tool to the best of
your liking and improve your overall efficiency.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 134 of 292
 16.5.1 HAZOP Worksheet Column Widths
When using the PHAx™ tool HAZOP worksheet, the number of columns in the worksheet and the width of
your screen can result in not all columns being displayed on your screen. Scrolling left and right to be
able to view the respective columns can be inconvenient during a PHA session. PHAx™ allows you to
adjust the width of each column on the HAZOP worksheet by placing the cursor over a vertical line
between column headings and drag left or right until the column is the desired width.

16.5.2 HAZOP Worksheet Column Visibility

In addition to adjusting the width of the columns in the PHAx™ tool HAZOP worksheet, you can also
decide that certain columns are not relevant for your PHA session. You can hide these columns on the
worksheet. To do so, click on the Column Visibility button at the lower left hand side of the HAZOP
worksheet. This will bring up a list of all column headings on the worksheet. The list shows a check mark
in front of each heading. The check mark indicates that the column is visible on the worksheet. My
clicking on a specific column heading, the column will be hidden on the worksheet and the check mark
in front of the column heading will be removed. By default all columns are visible, so a check mark will
appear in front of each column heading.

16.5.3 Continuous Editing

The PHAx™ tool HAZOP worksheet is developed such that the user can document the PHA results using
the keyboard only, minimizing the need to switch back and forth from keyboard to mouse. For users
who prefer to be using both keyboard and mouse, the continuous editing option has been implemented
in the worksheet. This option is comparable to older style HAZOP worksheet implementations such as
PHAx™ v2.x.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 135 of 292
 16.5.4 Worksheet Search, Back, Forward and Bookmarks
The PHA worksheet allows the user to search the entire PHA using the Search Button in the header, next
to the Nodes. To find a particular item in the worksheet, the user can select the Search button and enter
the name, description, or tag they are looking for. This will show the all places the item is found and
allow the user to select an entry and navigate to it.

The PHA worksheet allows the user to move back and forward to the previous deviations analyzed. It
also allows the user to set bookmarks at any unit, node, deviation, cause, consequence, safeguard or
recommendation. This makes it possible to navigate easily to specific places in the worksheet. To set a
bookmark, the user can select a location, right click and select bookmark from the menu. To find a
bookmark select the Bookmark button in the header, next to the search button. This will show all
bookmarks, allowing the user to choose a location by double clicking the specific bookmark.

16.6 PHAx™ Reports

In order to generate a PHAx™ report select the PHA Report option from the Report Wizard. The Report
Wizard will show applicable Report Options.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 136 of 292
 The Report Options allow you to Filter the Team Members in the report as well as specify the and Unis
and Nodes that should be included in the report. In addition you can choose which introductory sections
should be included in the report. Finally, you can indicate what columns should be included in the
HAZOP worksheets in the report as well as if empty Nodes and Deviations should be included or
Deviations that are marked "No Issue".

16.7 PHAx Data Import

16.7.1 Import Template

The following fields are supported for import into PHA. The fields appear in the 2nd row and must have
the following name as specified in the Field Name column. The data must appear within the 3rd row and
beyond. If the file is a .CSV the field names must appear within the first row and the data following in the
2nd row and beyond.
Data
Category Field Name Valid Values Required
Type
Unit Unit Name String
Node Name String X
Intention String
Node Information
List of one or more references
Node Reference String
delimited by a semicolon ‘;’

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 137 of 292
 Data
Category Field Name Valid Values Required
Type
Deviation Name String X
Design Intent String
Deviation "TRUE", "T", "YES", "FALSE", "F", "NO"
Complete String
Blank or not specified is unchecked
"TRUE", "T", "YES", "FALSE", "F", "NO"
No Issues String
Blank or not specified is unchecked
Cause Name String X
Matches Code field in Likelihood
Cause Category String
Categories
Cause
Matches Code field in Likelihood
Likelihood String
Levels
Frequency Decimal
Consequence Name String X
Matches Code field in Severity
Severity Category String
Category
Severity String Matches Code field in Severity Levels
Consequence
String
Consequence Comments
Likelihood w/ Matches Code field in Likelihood
String
Safeguards Levels
"TRUE", "T", "YES", "FALSE", "F",
LOPA String
"NO", "N/A"
Hazard Scenario String
Safeguard Name String X
Safeguard
String
Description
Safeguard Tag String
Matches Code property in Safeguard
Safeguard Category String Category within the Project
Configuration
Safeguards "TRUE", "T", "YES", "FALSE", "F", "NO"
Note: Requires Safeguard Category to
Safeguard is SIF String
be selected that has its Category Type
set to IPF
List of one or more references
Safeguard Reference String
delimited by a semicolon ‘;’
Safeguard
String
Comments

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 138 of 292
 Data
Category Field Name Valid Values Required
Type
Recommendation
String X
Name
Recommendation
String
Description
Matches Code property in
Recom. Category String Recommendation Category within the
Project Configuration
Recommendations
Recom. Assigned To String "Firstname Lastname"
Recom. Due Date Date
Matches Code property in
Recom. Status String Recommendation Status within the
Project Configuration
Recommendation
String
Comments

16.7.2 PHA Import

Open PHA and select a target unit to import into or create a new unit and select it. Right click on the unit
and choose Import from the context menu.

A dialog will appear. Click on the button Open File to Import. The file types that you can select include
.xls, .xlsx, .xlsm and .csv. You may select more than one file to import. See the next section on the
template. If you want to reuse existing Nodes, Deviations, Causes and Consequences check that box
prior to importing. This setting will always default to unchecked.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 139 of 292
 After the import completes you should see the tree view populated with your imported items as shown
below in this example import.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 140 of 292
 16.8 PHAx™ Data Export
In order to export PHAx™ data select the Export Data button from the Dashboard, this will launch the
Export Wizard. The Export Wizard will show applicable Export Selections, i.e. Action Item, Comprehensive,
Hazard Scenario , Member , Parking Lot Item , Recommendation , Recommendation Sign off , Reference ,
Safeguard, and Session.
When you select any of the PHAx™ export selections, except the Comprehensive option, and click on
Export Selected, the relevant data will be exported to a MS Excel Worksheet creating a single Workbook
for each selected export item. If you select the Comprehensive export selection a single Workbook will be
generated with worksheets for each of the individual selection options except for the Parking Lot Items.
In some cases when you use the export data function, you may be asking for a particular export
selection to be generated while no data is available for that option. exSILentia® v4 will in that case not
create a Workbook or Worksheet for that item. If you however wish that even empty Workbooks or
Worksheets are generated you can select the Create Worksheets Even When No Data Available option.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 141 of 292
 Chapter 17 LOPAx™
The LOPA tab navigates to the exSILentia® v4 layer of protection analysis tool LOPAx™. Availability of the
LOPA tab, and therefore the LOPAx™ tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The LOPAx™ tool allows layer of
protection analysis to be performed using a Hazard Scenario basis with multiple initiating events and
variable effectiveness of protection layers for each initiating event and each Severity Category.

17.1 Introduction
The layer of protection analysis functionality in the LOPAx™ tool uses a spreadsheet type interface that
enables the specification of multiple Initiating Events (IE) and their associated Enabling Conditions (EC),
Independent Protection Layers (IPL), and Conditional Modifiers (CM).

In the subsequent sections the LOPAx™ worksheet, its embedded risk reduction calculations
functionality, and its reporting capability will be explained. The available interfaces with the PHAx™ tool
will also be addressed.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 143 of 292
 17.2 LOPA Worksheet
The LOPAx™ tool layer of protection analysis worksheet uses a spreadsheet type interface for the
evaluation of each Hazard Scenario. This provides a clear overview of the applicable initiating events
and protection layers for the respective Severity Categories. Within the worksheet interface buttons exist
for adding Initiating Events (IE), Enabling Conditions (EC), Independent Protection Layers (IPL), and
Conditional Modifiers (CM) to the LOPA Worksheet for a specific Hazard Scenario. Applicability of a EC,
IPL, and/or CM can be edited directly in the worksheet. As the Initiating Events, Enabling Conditions,
Independent Protection Layers, and Conditional Modifiers are part of the Project Libraries (see Chapter
13 Project Libraries) they can be linked to existing items. The LOPA worksheet consists of three main
areas: the toolbar, the Hazard Scenario list, and the workspace.
An example of the LOPAx™ tool layer of protection analysis worksheet is shown in the figure below.

17.2.1 Creating Hazard Scenarios

LOPAx™ Hazard Scenarios are comprised of two related data fields, i.e. ID and Name. The Hazard
Scenario ID is automatically generated and assigned to ensure relational data integrity. Hazard
Scenarios can be defined manually within the LOPAx™ tool or obtained from the work previously done
using the PHAx™ tool. The transferring of data from PHA to LOPA is described in section 17.4 Hazard
Scenario Data Transfer from PHAx™.
To add a Hazard Scenario:
l Click on the Add Hazard Scenario button in the upper left hand corner of the toolbar
l This will immediately add the Hazard Scenario to the Hazard Scenario list
To edit the Hazard Scenario Name:
l Right click on the Hazard Scenario in the Hazard Scenario list and select View, or
l Double click the Hazard Scenario name in the upper left hand corner of the worksheet

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 144 of 292
 To delete a Hazard Scenario:
l Select the Hazard Scenario in the Hazard Scenario list
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Hazard Scenario is really to be deleted

CAUTION: Deleting a Hazard Scenario will delete all instances where the Hazard Scenario was
used. This will include any linking done in the PHAx™ tool.

17.2.2 Specifying Target Frequencies

LOPAx™ uses Target Frequencies to help determine if the accident frequency is tolerable. In case the
accident frequency is higher than the target frequency a required risk reduction will be determined that
must be implemented to bring the frequency to a tolerable level. For Hazard Scenarios that are manually
defined within the LOPA worksheet, LOPAx™ will define a target frequency of 1.00E-5 events per year.
The target frequency should be defined on a per year basis. Note that the target frequencies do not need
to be the same for all Severity Categories.

You can also define the target frequencies based on severity levels associated with the Hazard Scenario.
You can change this basis for the target frequencies by clicking on the User Defined button in the header
.
The target frequencies that are used in this case are linked to the severity levels as defined earlier in the
Risk Configuration, see section 9.1 Consequence Categories and Severity Levels.

When transferring data from PHA to LOPA, see section 17.4 Hazard Scenario Data Transfer from PHAx™,
the target frequencies will be automatically defined based on the severity level selections related to the
Hazard Scenario. Again in this case, the target frequencies that are used were defined earlier in the Risk
Configuration, see section 9.1 Consequence Categories and Severity Levels.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 145 of 292
 17.2.3 Initiating Events (IE)
An initiating event represents the start of a Hazard Scenario sequence. During the process hazard
analysis, Initiating Events are referred to as Causes. Though the label is different, in PHAx™and LOPAx™
the cause and initiating event entities are the same.
To add a new Initiating Event:
l Click on the Add IE button at the upper left hand corner of the toolbar
l This will immediately add the Initiating Event to the LOPAx™ Worksheet
l This will also add the Initiating Event to the Causes (Initiating Events) library
To edit the Initiating Event Name:
l Double click the initiating event name in the worksheet, or
l Right click on the initiating event in the worksheet and select View
To add an Initiating Event directly from the Causes (Initiating Events) Library:
l Click on the Link Initiating Event Icon
l Highlight the Initiating Event(s) to add
l Click on Link Selected

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 146 of 292
 To delete an Initiating Event:
l Highlight the Initiating Event
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Initiating Event is really to be deleted

Note: When an Initiating Event is deleted and it is the last place where it is used, you will be asked
if you want to permanently delete the Initiating Event from the Library. Click Yes or No as
applicable.

When you add an initiating event a default initiating event frequency of 1 per year is associated with the
initiating event. This value can of course be update as needed. There are two ways to update the
associated initiating event frequency, you can
l Directly edit the frequency within the workspace, or
l Reference one of the LOPA databases, see section 14.1 LOPA Database regarding the source or
population of these databases
To directly edit the frequency within the workspace:
l Highlight the Initiating Event frequency value
l Type in the applicable value (frequency must be per year)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 147 of 292
 To obtain data from one of the LOPA databases:
l
Click on the database icon
l Select the applicable initiating event from the database
l Click on Apply Data
l A warning message will appear asking for confirmation to overwrite any existing data
l Upon confirmation, the applicable initiating event frequency, assumptions, comments, and
reference will be copied to the selected Initiating Event

Note: When an Initiating Event is used in multiple locations, changing its properties (including the
initiating event frequency) will impact all locations where that initiating event is used.

17.2.4 Enabling Condition (EC)

An enabling condition is a situation that must occur at the same time as a given initiating event to allow
that specific initiating event to propagate to a consequence of interest. A typical enabling condition is
time at use; this would allow to account for batch process operation where initiating event frequencies
may be based on an assumption of continuous operation.
To add a new Enabling Condition:
l Click on the Add EC button at the upper left hand corner of the toolbar
l This will immediately add the Enabling Condition to the LOPAx™ Worksheet
l This will also add the Enabling Condition to the Enabling Conditions library
To edit the Enabling Condition Name:
l Double click the Enabling Condition name in the worksheet, or
l Click on the Edit icon when hovering over the Enabling Condition, or
l Right click on the Enabling Condition in the worksheet and select View
To add an Enabling Condition directly from the Enabling Condition Library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 148 of 292
 l Click on the Link Enabling Condition Icon
l Highlight the Enabling Condition(s) to add
l Click on Link Selected
To delete an Enabling Condition:
l Highlight the Enabling Condition
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Enabling Condition is really to be deleted

Note: When an Enabling Condition is deleted and it is the last place where it is used, you will be
asked if you want to permanently delete the Enabling Condition from the Library. Click Yes or No
as applicable.

When you add an Enabling Condition a default probability of the situation occurring of 1 is associated
with the Enabling Condition. In addition the Enabling Condition is set to be Not Applicable (NA) to all
Initiating Events in the LOPAx™ Worksheet. Applicability and probability of the situation occurring can be
update as needed. To change the applicability of an enabling condition to a specific initiating event,
simply double click the intersection of enabling condition and initiating event. The NA will then change
to the probability associated with the enabling condition.

There are two ways to update the Enabling Condition probability, you can
l Manually edit the probability, or
l Reference one of the LOPA databases, see section 14.1 LOPA Database regarding the source or
population of these databases
To manually edit the probability:
l Click on the Edit icon when hovering over the Enabling Condition or right click on the Enabling
Condition in the worksheet and select View
l Type in the applicable value (probability must range from 0 to 1)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 149 of 292
 To obtain data from one of the LOPA databases:
l
Click on the database icon
l Select the applicable Enabling Condition from the database
l Click on Apply Data
l A warning message will appear asking for confirmation to overwrite any existing data
l Upon confirmation, the applicable Enabling Condition probability, assumptions, comments, and
reference will be copied to the selected Enabling Condition

Note: When an Enabling Condition is used in multiple locations, changing its properties (including
the enabling condition probability) will impact all locations where that enabling condition is used.

17.2.5 Independent Protection Layers (IPL)

An independent protection layer (IPL) is a device, system, or action that is capable of preventing a
scenario from proceeding to its undesired consequence independent of the initiating event or the action
of any other layer of protection associated with the scenario. Typical independent protection layers are
BPCS interlock, operator responding to alarm, check valve, relief valve, etc. During the process hazard
analysis, Independent Protection Layers are referred to as Safeguards. Though the label is different, in
PHAx™and LOPAx™ the safeguard and independent protection layers are the same.
To add a new Independent Protection Layer:
l Click on the Add IPL button at the upper left hand corner of the toolbar
l This will immediately add the Independent Protection Layer to the LOPAx™ Worksheet
l This will also add the Independent Protection Layer to the Safeguards library
To edit the Independent Protection Layer Name:
l Double click the Independent Protection Layer name in the worksheet, or
l Click on the Edit icon when hovering over the Independent Protection Layer, or
l Right click on the Independent Protection Layer in the worksheet and select View
To add an Independent Protection Layer directly from the Independent Protection Layer Library:
l Click on the Link Independent Protection Layer Icon
l Highlight the Independent Protection Layer(s) to add
l Click on Link Selected
To delete an Independent Protection Layer:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 150 of 292
 l Highlight the Independent Protection Layer
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Independent Protection Layer is really to be deleted

Note: When an Independent Protection Layer is deleted and it is the last place where it is used,
you will be asked if you want to permanently delete the Independent Protection Layer from the
Library. Click Yes or No as applicable.

When you add an Independent Protection Layer a default probability of failure of 1 is associated with the
Independent Protection Layer. In addition the Independent Protection Layer is set to be Not Applicable
(NA) to all Initiating Events in the LOPAx™ Worksheet. Applicability and probability of failure can be
update as needed. To change the applicability of an independent protection layer to a specific initiating
event, simply double click the intersection of independent protection layer and initiating event. The NA
will then change to the probability associated with the enabling condition.

There are three ways to update the Independent Protection Layer probability, you can
l Manually edit the probability, or
l Reference one of the LOPA databases, see section 14.1 LOPA Database regarding the source or
population of these databases
l Use the achieved Risk Reduction from the SILver tool, see Chapter 20 SILver™, if the IPL is a SIF
To manually edit the probability:
l Click on the Edit icon when hovering over the Independent Protection Layer or right click on
the Independent Protection Layer in the worksheet and select View
l Type in the applicable value (probability must range from 0 to 1)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 151 of 292
 To obtain data from one of the LOPA databases:
l
Click on the database icon
l Select the applicable Independent Protection Layer from the database
l Click on Apply Data
l A warning message will appear asking for confirmation to overwrite any existing data
l Upon confirmation, the applicable Independent Protection Layer probability, assumptions,
comments, and reference will be copied to the selected Independent Protection Layer

Note: When an Independent Protection Layer is used in multiple locations, changing its properties
(including the independent protection layer probability) will impact all locations where that
enabling condition is used.

To use the achieved Risk Reduction from the SILver tool for a SIF:
l Click on the Edit icon when hovering over the Independent Protection Layer or right click on
the Independent Protection Layer in the worksheet and select View
l
Click on the SILver icon
l The calculated achieved Risk Reduction will be copied to the LOPA probability of failure/Risk
Reduction

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 152 of 292
 17.2.6 Conditional Modifiers (CM)
A conditional modifier is typically defined as one of the three independent factors of probability of
ignition, probability of occupancy, and probability of injury, i.e. probabilities generally associated with
the post incident part of an incident sequence.
To add a new Conditional Modifier:
l Click on the Add CM button at the upper left hand corner of the toolbar
l This will immediately add the Conditional Modifier to the LOPAx™ Worksheet
l This will also add the Conditional Modifier to the Conditional Modifiers library
To edit the Conditional Modifier Name:
l Double click the Conditional Modifier name in the worksheet, or
l Click on the Edit icon when hovering over the Conditional Modifier, or
l Right click on the Conditional Modifier in the worksheet and select View
To add a Conditional Modifier directly from the Conditional Modifier Library:
l Click on the Link Conditional Modifier Icon
l Highlight the Conditional Modifier(s) to add
l Click on Link Selected
To delete a Conditional Modifier:
l Highlight the Conditional Modifier
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Conditional Modifier is really to be deleted

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 153 of 292
 Note: When a Conditional Modifier is deleted and it is the last place where it is used, you will be
asked if you want to permanently delete the Conditional Modifier from the Library. Click Yes or No
as applicable.

When you add a Conditional Modifier a default probability of 1 is associated with the Conditional
Modifier. In addition the Conditional Modifier is set to be Not Applicable (NA) to all Initiating Events in
the LOPAx™ Worksheet. Applicability and probability can be update as needed. To change the
applicability of an conditional modifier to a specific initiating event, simply double click the intersection
of conditional modifier and initiating event. The NA will then change to the probability associated with
the conditional modifier.

There are two ways to update the Conditional Modifier probability, you can
l Manually edit the probability, or
l Reference one of the LOPA databases, see section 14.1 LOPA Database regarding the source or
population of these databases
To manually edit the probability:
l Click on the Edit icon when hovering over the Conditional Modifier or right click on the
Conditional Modifier in the worksheet and select edit
l Type in the applicable value (probability must range from 0 to 1)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

To obtain data from one of the LOPA databases:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 154 of 292
 l
Click on the database icon
l Select the applicable Conditional Modifier from the database
l Click on Apply Data
l A warning message will appear asking for confirmation to overwrite any existing data
l Upon confirmation, the applicable Conditional Modifier probability, assumptions, comments, and
reference will be copied to the selected Conditional Modifier

Note: When a Conditional Modifier is used in multiple locations, changing its properties (including
the conditional modifier probability) will impact all locations where that conditional modifier is
used.

17.2.7 Calculating Required Risk Reduction Factors (RRF)

The LOPAx™ Worksheet determines an Intermediate Frequency for each initiating event in a Hazard
Scenario. This Intermediate frequency is calculated by multiplying the initiating event frequency with the
probabilities associated with the applicable Enabling Conditions, Independent Protection Layers, and
Conditional Modifiers. The calculated Intermediate Frequency is displayed on the right hand side of the
worksheet for each initiating event.
The actual hazard scenario frequency is calculated by adding each initiating event’s intermediate
frequency. This Hazard Scenario actual frequency is displayed in the menu bar of the worksheet for each
severity Category.

Hazard Scenario Risk Reduction Factor

Given the target frequency specified and the actual frequency calculated a target Risk Reduction Factor
(RRF) for the Hazard Scenario is calculated. If the actual frequency is less than or equal to the target
frequency, the Risk Reduction Factor will state a NA for not applicable, indicating no further risk
reduction is required. The calculated Risk Reduction Factor is input to the SIL Target Selection
performed in the SILect™ tool where a Safety Instrumented Function is to be defined that protects
against the initiating events identified for the Hazard Scenario.

Specific IPL Risk Reduction Factor

If the Hazard Scenario risk reduction factor indicates that additional risk reduction is needed, LOPAx™
can also determine the required risk reduction for one of more specific Independent Protection Layers.
This is useful for a scenario where one of the independent protection layers identified is a potential
Safety Instrumented Function, rather than assuming a specific target SIL the tool will allow the
calculation of the exact risk reduction required for.
To enable the automatic required risk reduction calculation for a specific independent protection layer:
l Click on the Edit icon when hovering over the Independent Protection Layer, or right click on
the Independent Protection Layer in the worksheet and select edit, and click the Calculator
icon right next to the probably specification fields, or
l Click on the Calculator icon when hovering over the Independent Protection Layer

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 155 of 292
 The calculation algorithm will look at the severity category with the worst case difference between
actual and target frequency and use that as the basis for the Risk Reduction Factor calculation.
If you indicate that you want to “calculate probability for multiple independent protection layers,
LOPAx™ will perform a similar calculation assuming that each IPL must provide adequate risk reduction
weighed to the initiating event, or initiating events, they are protecting against.
If the target frequency cannot be met due to the limited applicability of the independent protection
layer, the calculated required risk reduction will be 1, i.e. the probability of failure on demand of the
independent protection layers is assumed to be 1. In this case a target risk reduction will be indicated
for the Hazard Scenario.
An Independent Protection Layer that is marked of type SIF, where risk reduction is required, is
automatically flagged for subsequent activities in the Safety Lifecycle. In this case the calculated Risk
Reduction Factor is simply to be converted into a target SIL during the SIL Target Selection performed in
the SILect™ tool.

17.2.8 Comments
Comments can be edited directly in the Comments text box. A Comment is associated with a single
Initiating Event. To delete a comment, highlight the text and click on the Delete key on your keyboard.
Note that LOPAx Comments are independent of the PHAx Comments.

17.3 User Interface / Usability

The LOPAx™ tool allows several User Interface customizations to allow you to setup the tool to the best
of your liking and improve your overall efficiency.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 156 of 292
 17.3.1 LOPA Worksheet Column Widths
When using the LOPAx™ worksheet, the number of columns in the worksheet and the width of your
screen can result in not all columns being displayed on your screen. Scrolling left and right to be able to
view the respective columns can be inconvenient during a LOPA session. LOPAx™ allows you to adjust
the width of each column on the LOPA worksheet by placing the cursor over a vertical line between
column headings and drag left or right until the column is the desired width. LOPAx™ also allows you to
change the width of the navigation list by placing the cursor over the vertical line between the
navigation list and the worksheet area. You can hide or unhide the navigation list by clicking on the line
between the navigation list and the worksheet area.

17.3.2 LOPA Worksheet Header Row Height

In addition to adjusting the width of the columns in the LOPAx™ worksheet, you can also adjust the
height of the Column Header Row by placing the cursor over the horizontal line right under the Initiating
Event header line and dragging up or down until the header row has the desired height.

17.3.3 Severity Category Visibility

The LOPAx™ worksheet is designed such that you can perform a LOPA analysis for each Severity
Category individually or for all Severity Categories at the same time. The number of separate Severity
Category options depend on your risk configuration, see section 9.1 Consequence Categories and Severity
Levels. To switch between single severity category and all severity categories visibility modes click on the
Individual and Multiple buttons in the upper left hand corner of the LOPAx™ worksheet. The dropdown
box underneath these two buttons allows you to select the different severity categories in case you have
opted to look at each LOPA analysis seperately.

When opting to review the LOPA analysis for multiple severity categories at the same time the LOPAx™
worksheet can be easily used to determine for which severity categories a protection layer is considered
effective.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 157 of 292
 When opting to review the LOPA analysis for a single severity category at a time, the LOPAx™ worksheet
limits the visibility to only those selections that are applicable.

17.3.4 Apply to All

To indicate that an Enabling Conditions, Independent Protection Layers, or Conditional Modifier applies
to a specific Initiating Event - Severity Category combination, you double click the intersection. For those
scenarios where the EC, IPL, or CM applies to all intersections, you can simply click the Apply to All
button that is located underneath the edit icon for each EC, IPL, and CM.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 158 of 292
 Once the Apply to All button is used it converts to an Un-Apply fromAll button. Clicking this button
will set all intersection to NA.

17.3.5 IE, EC, IPL, and CM Sequence

When determining the frequency at which each projection layer is expected to be activated, the
sequence of Enabling Conditions, Independent Protection Layers, and Conditional Modifiers is essential.
You would, for example, want to indicate that a SIF operated prior to a Relief Valve (provided the set
points are appropriately determined). To change the order of ECs, IPLs, and CMs, you can simply click on
the left and right arrow buttons next to the edit icon for the ECs, IPLs, and CMs respectively.
Though the order of ECs, IPLs, and CMs can be changed, Enabling Conditions will always be first,
followed by Independent Protection Layers, followed by Conditional Modifiers.
Though the order of the Initiating Events does not impact the demand frequency calculation on, e.g., an
Independent Protection Layer, the sequence in which Initiating Events are viewed in the LOPA worksheet
can be altered as well. To change the order in which the IEs show in the LOPA worksheet, simply click on
the up and down arrow buttons next to the edit icon for the respective Initiating Event.

17.3.6 LOPA Worksheet Options

There are several LOPA Worksheet Options a user can set. To view these options, click on the settings
icon in the header of the LOPA Worksheet.

Through the available options, you can indicate if you want to include the Safeguard Tag in the
IPL header and if you want the LOPA tool to indicate if the required Risk Reduction from the LOPA does
not meet the achieved Risk Reduction from the SILver analysis of the specific SIF. In this latter case a red
SILver icon will appear for the specific SIF.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 159 of 292
 17.4 Hazard Scenario Data Transfer from PHAx™
The exSILentia® v4 integration of Process Safety / Functional Safety software tools allows for seamless
data exchange between the different phases of the Lifecycle. If the Process Hazard Analysis was
performed using PHAx™, Hazard Scenarios were created, and the associated Cause-Consequence pair
was flagged for LOPA evaluation, information from the PHA can be automatically transferred to LOPAx™.
The PHA data is transfer to the LOPA Worksheet as indicated in the table below.

PHA LOPA Comments

Cause Initiating Event
Independent Protection Upon transfer the IPL is set to be Not Applicable
Safeguard
Layer (NA) to its associated Initiating Events
If the Hazard Scenario is linked to multiple cause-
consequence pairs with different severity levels,
Consequence Severity the worst case severity level will be used to
Target Frequency determine the target frequency.
Level
The target frequency is defined for each Severity
Category separately.

The automatic transferring of data from the PHA to the LOPA worksheet ensures that all relevant
information is transferred. As a user you will still need to determine if PHA identified safeguards are
indeed IPLs and assign the relevant probability of failures. In addition you will need to assign the
applicable frequency to each Initiating Event and review any potential Enabling Condition and/or
Conditional Modifiers.
There are two ways to transfer data from the PHA to the LOPA worksheet, you can transfer data
l for all Hazard Scenarios at once
l for one Hazard Scenario at a time
To transfer data for all Hazard Scenarios at once:
l Select the LOPA tab in exSILentia®
l Click on the Load data from PHA for all Hazard Scenarios button
To transfer data for one Hazard Scenario at a time:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 160 of 292
 l Select the LOPA tab in exSILentia®
l Select the desired Hazard Scenario in the Navigation List
l Click on the Load data from PHA for current Hazard Scenario button
When transferring data there are two warning messages that you will need to answer affirmatively. The
first warning advises you that the PHA information will be merged into the existing Hazard Scenario
LOPA information which could delete information that you specified previously.

The second warning advises you that the currently specified target frequency for the Hazard Scenario
will be overwritten.

17.5 Achieved Risk Reduction Transfer from SILver™

The exSILentia® v4 integration of Process Safety / Functional Safety software tools allows for seamless
data exchange between the different phases of the Lifecycle. If the Layer of Protection Analysis is done
as part of a re- validation, it is very likely that for Independent Protection Layers that are Safety
Instrumented Functions, a SILver analysis was already performed. In this case you can transfer the
achieved Risk Reduction (and probability of failure) from the SILver module to the LOPA module to be
used as the probability of failure for the SIF IPL.
There are two ways to transfer data from SILver to the LOPA worksheet, you can transfer data
l for all Hazard Scenarios (all LOPA worksheets)
l for each IPL individually
To transfer data for all Hazard Scenarios:
l Select the LOPA tab in exSILentia®
l Click on the Load SILver calculation results for all SIFs for all Hazard Scenarios button

A message box will appear, allowing you to choose if you want a SIF that is currently in "calculate" mode
to be set to manual entry with the SILver based results or if you would like it to remain in the "calculate"
mode.
To transfer data for one IPL at a time:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 161 of 292
 l Select the LOPA tab in exSILentia®
l Select the desired Hazard Scenario in the Navigation List
l Click on the Edit icon when hovering over the Independent Protection Layer or right click on
the Independent Protection Layer in the worksheet and select View
l
Click on the SILver icon
l The calculated achieved Risk Reduction will be copied to the LOPA probability of failure/Risk
Reduction

17.6 LOPAx Recommendations

You can add recommendations to a LOPA worksheet.
To add a new recommendation click on the green plus (+) symbol in the lower left hand portion of the
Recommendation window or the Link Icon to link an existing recommendation from the Library. Once
a recommendation is linked to a specific Hazard Scenario it will also appear in the LOPA worksheet.
Double clicking the intersection of initiating event and recommendation will allow you to specifically
indicate that a recommendation applies to a specific initiating event and not just the Hazard Scenario
globally.

17.7 LOPAx Reports

In order to generate a LOPAx™ report select the LOPA Report option from the Report Wizard. The Report
Wizard will show applicable Report Options.
The Report Options allow you to Filter the Team Members and Hazard Scenarios in the report as well as
specify the order of the Hazard Scenarios and any associated Recommendations. In addition you can
choose which introductory sections should be included in the report. You can indicate if you would like
to include LOPA worksheet comments as well as Hazard Scenarios with a target frequency of 0 in your
LOPA report. Finally, you can indicate if the LOPA worksheets should combine all severity categories into
1 LOPA diagram, or if you want separate diagrams per severity category.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 162 of 292
 17.8 LOPAx Data Export
In order to export LOPAx™ data select the Export Data button from the Dashboard, this will launch the
Export Wizard. The Export Wizard will show applicable Export Selections, i.e. Action Item , Hazard
Scenario , Member , Parking Lot Item , LOPA , Recommendation , Recommendation Sign off , Reference ,
Safeguard, Session, etc.
When you select the LOPA export option, the relevant data will be exported to a MS Excel Worksheet
creating a single Workbook with worksheets for each Hazard Scenario evaluated in the LOPA. Several
options are available to be included with the LOPA worksheets.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 163 of 292
© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 164 of 292
 Chapter 18 SILect™
The SILect tab navigates to the exSILentia® v4 Safety Integrity Level (SIL) selection tool SILect™.
Availability of the SILect tab, and therefore the SILect™ tool, is based on your exSILentia® v4 license (see
Chapter 1 Introduction for an overview of the exSILentia® v4 license options). The SILect™ tool supports
determination of the target SIL for each Safety Instrumented Function identified in the LOPA worksheet
that is required to provide risk reduction. The SILect™ tool also supports SIL selection based on the Risk
Graph and Risk Matrix methodologies for those users who do not use the LOPA methodology.

18.1 Introduction
The Safety Integrity Level selection process in the SILect™ tool is rather straight forward. The interface
depends on the type of SIL selection method used, e.g. LOPA, Risk Graph, or Risk Matrix.

In the subsequent sections the SILect™ worksheet, the embedded relationship between Hazard
Scenarios and Safety Instrumented Functions, and its reporting capability will be explained. The
available interfaces with the PHAx™ and LOPAx™ tool will also be addressed.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 165 of 292
 18.2 SILect Worksheet
The SILect™ tool safety integrity level target selection worksheet interface depends on the type of SIL
selection method used, e.g. LOPA, Risk Graph, or Risk Matrix (see sections 18.3 , 18.4 , and 18.5
respectively). The SIL target selection is typically performed for each Hazard Scenario individually as you
would want to address multiple initiating events that can lead to the consequence of concern. The
SILect™ tool, however, allows you to look at the SIL selection from both a Hazard Scenario perspective
as well as an individual Instrumented Protection Functions (IPF) / Safety Instrumented Function (SIF)
perspective.
Within the SIL selection worksheet interface buttons exist for adding Hazard Scenarios as well as IPFs.
The Hazard Scenarios and Instrumented Protection Functions are part of the Project Libraries (see
Chapter 13 Project Libraries). The SILect™ worksheet consists of three main areas: the toolbar, the Hazard
Scenario list or IPF list, and the workspace.
An example of the SILect™ tool LOPA based SIL target selection worksheet with a Hazard Scenario focus
is shown in the figure below

An example of the SILect™ tool LOPA based SIL target selection worksheet with an IPF focus is shown in
the figure below.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 166 of 292
 18.2.1 Creating Hazard Scenarios
SILect™ Hazard Scenarios are comprised of several data fields including an ID. This Hazard Scenario ID is
automatically generated and assigned to ensure relational data integrity. Other fields that make up a
Hazard Scenario include Name, Description, and Consequence Severity levels. Hazard Scenarios can be
defined manually within the SILect™ tool or obtained from the work previously done using the PHAx™
and LOPAx™ tools. The transferring of data from PHA and/or LOPA to SILect is described in section 18.6
SILect Data Transfer.
To add a Hazard Scenario:
l Click on the Add Hazard Scenario button in the upper left hand corner of the toolbar
l This will immediately add the Hazard Scenario to the Hazard Scenario list
To edit the Hazard Scenario Name:
l Right click on the Hazard Scenario in the Hazard Scenario list and select view

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 167 of 292
 To delete a Hazard Scenario:
l Select the Hazard Scenario in the Hazard Scenario list
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Hazard Scenario is really to be deleted

CAUTION: Deleting a Hazard Scenario will delete all instances where the Hazard Scenario was
used. This will include any linking done in the PHAx™ and LOPAx™ tools.

18.2.2 Instrumented Protection Function (IPF)

An Instrumented Protection Function (IPF) is an instrumented safeguard that prevents a particular
Hazard Scenario from proceeding to its undesired consequence. If the amount of risk reduction assigned
to the IPF is greater than 10, then by definition, the IPF is a Safety Instrumented Function (SIF). During
the process hazard analysis, Instrumented Protection Functions are referred to as Safeguards, while
during the layer of protection analysis they are referred to as Independent Protection Layers. Though the
label is different, in PHAx™, LOPAx™, and SILect™ the safeguard, independent protection layers, and
instrumented protection functions entities are the same.
To add a new Instrumented Protection Function to a Hazard Scenario:
l Select the Hazard Scenario in the Hazard Scenario list
l Click on the Add IPF button at the top of the SILect™ workspace
l This will immediately add the Instrumented Protection Function to the SILect™ Worksheet
l This will also add the Instrumented Protection Function to the Safeguards library
To edit the Instrumented Protection Function Name:
l Double click the Instrumented Protection Function name in the worksheet, or
l Right click on the Instrumented Protection Function in the worksheet and select view
To delete an Instrumented Protection Function:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 168 of 292
 l Highlight the Instrumented Protection Function
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Instrumented Protection Function is really to be deleted

Note: When an Instrumented Protection Function is deleted and it is the last place where it is used,
you will be asked if you want to permanently delete the Instrumented Protection Function from
the Library. Click Yes or No as applicable.

When you add an Instrumented Protection Function a default Analysis RRF of 1 is associated with the
Instrumented Protection Function in case you use the LOPA SIL selection method. In addition the "Is SIF"
checkbox is unchecked. To define that the instrumented protection function is a SIF, simply click the
checkbox. To specify the LOPA RRF double click the default RRF of 1 and type the appropriate value.

18.3 SILect Worksheet - LOPA

When using the LOPA methodology, the SILect™ worksheet is rather bare. In this case most of the heavy
lifting is done in the LOPAx™ tool. In the majority of cases the SIL target selection is performed for each
Hazard Scenario individually as tolerable risk is defined on a per Hazard Scenario basis.
To perform the actual SIL target selection, transfer the LOPA RRF over to the Target RRF by clicking on
the RRF transfer button . You can also manually type in the Target RRF, for example if you want to
apply rounding. The Target SIL will then be automatically calculated considering the Risk Configuration
SIL Selection settings as described in section 9.7 SIL Selection. Comments can be edited directly in the
Comments text box. A Comment is associated with a single Instrumented Protection Function. To delete
a comment, highlight the text and click on the Delete key on your keyboard. You can also include a
comment for the entire SIL selection exercise in the header, or at the end of SIL Selection for each SIF.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 169 of 292
 By changing the SILect™ worksheet view from Hazard Scenario focus to IPF/SIF focus you can look at the
various Hazard Scenarios that a particular SIF is part of. This can help identifying which of the Hazard
Scenarios is driving the target RRF for a specific SIF and provide an easy way to identify for which Hazard
Scenario additional layers of protection may need to be defined.

18.4 SILect Worksheet - Risk Graph

To perform SIL Selection using the Risk Graph, use the drop down in the header to choose this method.
Once 'Risk Graph' is selected, the view will change to showing the applicable IPFs/SIFs and associated
Risk Graph selection options. For each IPF, select the corresponding Likelihood and Consequence levels.
For each Parameter defined, choose the associated A or B path. Additionally, you can add Risk Modifiers
into the SIL Selection model, for example any IPL or conditional modifier that is relevant to the SIL
Selection.

To review the structure of the risk graph during the SIL selection process, click the eyeball icon .
This will launch a dialog with the risk graphs as defined for each of the severity categories.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 170 of 292
 The result from the Risk Graph SIL selection is shown for each IPF/SIF under the heading Target SIL:
l Under the heading 'Category' the resulting Target SIL Level for the Severity Category is shown,
l Under the heading 'Hazard Scenario' the resulting Target SIL Level for the entire Hazard Scenario
is shown. This is the worst case between the different Severity Categories.
l Under the heading 'Overall'; the final resulting Target SIL Level is shown. This is the worst case
between all Hazard Scenarios the SIF is protecting against.
By changing the SILect™ worksheet view from Hazard Scenario focus to IPF/SIF focus you can look at the
various Hazard Scenarios that a particular SIF is part of.

18.5 SILect Worksheet - Risk Matrix

To perform SIL Selection using the Risk Matrix, use the drop down in the header to choose this method.
Once 'Risk Matrix' is selected, the view will change to showing the applicable IPFs/SIFs and associated
Risk Matrix selection options. For each IPF, select the corresponding Likelihood and Consequence levels.
Additionally, you can add Risk Modifiers into the SIL Selection model, for example any IPL or conditional
modifier that is relevant to the SIL Selection.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 171 of 292
 To review the structure of the risk matrix during the SIL selection process, click the eyeball icon .
This will launch a dialog with the risk matrix as defined for the project.

The result from the Risk Matrix SIL selection is shown for each IPF/SIF under the heading Target SIL:
l Under the heading 'Category' the resulting Target SIL Level for the Severity Category is shown,
l Under the heading 'Hazard Scenario' the resulting Target SIL Level for the entire Hazard Scenario
is shown. This is the worst case between the different Severity Categories.
l Under the heading 'Overall'; the final resulting Target SIL Level is shown. This is the worst case
between all Hazard Scenarios the SIF is protecting against.
By changing the SILect™ worksheet view from Hazard Scenario focus to IPF/SIF focus you can look at the
various Hazard Scenarios that a particular SIF is part of.

18.6 SILect Data Transfer

The exSILentia® v4 integration of Process Safety / Functional Safety software tools allows for seamless
data exchange between the different phases of the Lifecycle. The transfer of data will depend on the SIL
selection method chosen. To initiate the data transfer click on the Transfer data from PHA / LOPA to
SILect button . This will launch the SILect Data Transfer Window.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 172 of 292
 18.6.1 SIL Selection - LOPA
If the Layer of Protection Analysis was performed using LOPAx™, Hazard Scenarios and Independent
Protection Layers were defined. If the Independent Protection Layers are of type IPF, they could
represent potential SIFs. The automatic transferring of data from the LOPA to the SILect worksheet
ensures that all relevant information is transferred. As a user there is very little left to do, other than
confirming that the required risk reduction from the analysis work applies to the IPF and if the IPF is an
actual SIF. When you open the SILect™ tab in exSILentia® v4, you will notice that the Hazard Scenarios
and Independent Protection Layers of type IPF with their associated LOPA RRF automatically populate
the SILect™ workspace. You can now transfer the LOPA RRF over to the Target RRF to perform the target
SIL selection.
The Data Transfer can make this task easier. In the SILect Data Transfer Window choose the Transfer
From - From LOPA and the Transfer To - LOPA options.
Next you can choose to transfer the LOPA RRF over to the Target RRF
l for all Hazard Scenarios at once
l for the current Hazard Scenario only
Clicking the 'Begin Transfer' button will now transfer the LOPA RRF over to the Target RRF and target
SILs will be automatically calculated for each Instrumented Protection Function considering the Risk
Configuration SIL Selection settings as described in section 9.7 SIL Selection.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 173 of 292
 18.6.2 SIL Selection - Risk Graph
If you perform SIL selection using the Risk Graph method, you will notice that when you open the
SILect™ tab in exSILentia® v4, that the Hazard Scenarios are automatically shown in the SILect™
workspace. In this case you will need to transfer the PHA information including likelihood and severity
level selections to SILect.
When you launch the SILect Data Transfer Window choose the Transfer From - From PHA and the
Transfer To - Risk Graph options.
Next you can choose to transfer data
l for all Hazard Scenarios at once
l for the current Hazard Scenario only
Clicking the 'Begin Transfer' button will now transfer the PHA information including all IPF safeguards to
the SILect™ module.

18.6.3 SIL Selection - Risk Matrix

If you perform SIL selection using the Risk Matrix method, you will notice that when you open the
SILect™ tab in exSILentia® v4, that the Hazard Scenarios are automatically shown in the SILect™
workspace. In this case you will need to transfer the PHA information including likelihood and severity
level selections to SILect.
When you launch the SILect Data Transfer Window choose the Transfer From - From PHA and the
Transfer To - Risk Matrix options.
Next you can choose to transfer data
l for all Hazard Scenarios at once
l for the current Hazard Scenario only
Clicking the 'Begin Transfer' button will now transfer the PHA information including all IPF safeguards to
the SILect™ module.

18.7 SILect Reports

There are several SILect™ specific reports in exSILentia®. These are
l SILect Detailed Report: Documents all required information for functional safety standard
conformance.
l SILect Summary Report: Provides a one paragraph summary of key SIL selection parameters and
results for each SIF. Details include target SIL and RRF, if applicable.
In order to generate one of the SILect™ reports select the SILect Detailed Report or SILect Summary
Report option from the Report Wizard. The Report Wizard will show applicable Report Options.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 174 of 292
© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 175 of 292
 Chapter 19 Safety Requirements Specification
The SRS tab navigates to the exSILentia® v4 safety requirements specification tool SRS. Availability of the
SRS tab, and therefore the SRS tool, is based on your exSILentia® v4 license (see Chapter 1 Introduction
for an overview of the exSILentia® v4 license options). The SRS tool allows detailed specification of
functional and integrity requirements for the Safety Instrumented System (SIS) as a whole, generic for all
Safety Instrumented Functions (SIF), and specific for each SIF.

19.1 Introduction
The Safety Requirements Specification functionality in the SRS tool uses a template type interface that
enables the specification of general SIS, general SIF, and SIF specific requirements.

In the subsequent sections the SRS worksheet, its template structure and integrated relationship
between general SIS, general SIF, and SIF specific requirements, and its reporting capability will be
explained. The available interfaces with the SILect™ and SILver™ tools will also be addressed.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 177 of 292
 19.2 SRS Worksheet
The Safety Requirements Specification functionality in the SRS tool uses a template type interface that
enables the specification of general SIS, general SIF, and SIF specific requirements. The output of the
SRS tool is a detailed Safety Requirements Specification document. Furthermore, much of the
information specified here, will serve as the basis for the SIL verification task. The interface has been set
up such that specification of requirements benefits from information defined in previous phases of the
Lifecycle as well as information defined as generally applying to the SIS and all SIFs. The work flow is
setup such that you define general requirements first and then transfer those requirements to the
individual SIF specific requirements. The SRS worksheet consists of three main areas: the toolbar, the
SIF navigation list, and the workspace.
An example of the SRS tool safety requirements specification worksheet is shown in the figure below.

19.2.1 Creating Safety Instrumented Functions

Within exSILentia® v4 Safety Instrumented Functions (SIF) are Safeguards of Safeguard Category Type
IPF (Instrumented Protection Function) where the "Is SIF" property is checked. The exSILentia® v4 SIFs
therefore comprise of many related data fields inherited from Safeguards, IPFs, and SIF specific fields.
Each SIF has a unique Safeguard ID which is automatically generated and assigned to ensure relational
data integrity. SIFs can be defined manually within the SRS tool or obtained from the work previously
done using the PHAx™, LOPAx™, and/or SILect™ tools. The transferring of data from PHA to SRS, LOPA to
SRS, and/or SIL selection to SRS is described in section 19.3 Safeguard to SRS Data Transfer.
To add a SIF:
l Click on the New SIF button in the upper left hand corner of the toolbar
l This will immediately add the SIF to the SIF navigation list
To edit the SIF properties:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 178 of 292
 l Right click on the SIF in the SIF navigation list and select view, or
l Edit the SIF Name and SIF Tag directly in the toolbar
To delete a SIF:
l Select the SIF in the SIF navigation list
l Right click on the SIF and select Delete, click on the Delete SIF button, or click on the Delete key
on your keyboard
l Click on Yes when asked if the SIF is really to be deleted

CAUTION: Deleting a SIF will delete all instances where the SIF was used. This will include any
linking done in the PHAx™, LOPAx™, and/or SILect™ tools.

19.2.2 General SIS Requirements

The SRS tool divides the General SIS requirements into 3 sections, i.e. General Information, SIS Logic
Solver Hardware Requirements, and SIS Application Software Requirements. These 3 sections together
with the General SIF Requirements (see below) can be specified in the right hand area of the SRS
worksheet. Using the Requirements Selection drop down box you can navigate between requirements
sections.

General Information

The General Information section of the General SIS Requirements allows you to specify an overall
purpose and scope of the SIS, specify specific references, and terms and abbreviations that are
applicable to the SRS document.
To edit the SRS General Information:
l Select General Information from the Requirements Selection drop down box
l Edit the relevant information on the right hand side of the worksheet

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 179 of 292
 To add a reference to the list of standards/references in the General Information section:
l Click the green plus (+) symbol below the list of references
l From the overview of references defined in the reference library that appears select the
applicable reference you want to add and click the Link button
To add a definition to the list of definitions in the General Information section:
l Click the green plus (+) symbol below the list of definitions
l From the overview of definitions defined in the definition library that appears select the
applicable definition you want to add and click the Link button
To add an abbreviation to the list of abbreviations in the General Information section:
l Click the green plus (+) symbol below the list of abbreviations
l From the overview of abbreviations defined in the abbreviation library that appears select the
applicable abbreviation you want to add and click the Link button

SIS Logic Solver Hardware Requirements

The SIS Logic Solver Hardware Requirements section of the General SIS Requirements allows you to
specify general requirements with regard to the hardware of the Safety Instrumented System, focusing
specifically on the logic solver. Aspects that need to be addressed revolve around the systematic
capability of the logic solver, the expected response of the logic solver upon detection of a failure, etc. In
addition, interfaces to an engineering station, the BPCS etc. should be specified as well as environmental
extremes the logic solver must be able to withstand. All requirements are specified through text fields.
To edit the SRS SIS Logic Solver Hardware Requirements:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 180 of 292
 l Select SIS Logic Solver Hardware Requirements from the Requirements Selection drop down
box
l Edit the relevant information on the right hand side of the worksheet

In addition to the exSILentia® v4 defined SRS fields for the SIS Logic Solver Hardware Requirements you
can add your own requirement fields through the Custom Data option which is shown at the bottom of
the list of SIS Logic Solver Hardware Requirements. From the dropdown box select the applicable
custom data data-set. This will add the fields specified in the custom data data-set to the exSILentia® v4
defined fields.

CAUTION: Deleting or changing the custom data data-set will remove all associated fields from the
project. Any custom data specified information will be lost.

SIS Application Software Requirements

The SIS Application Software Requirements section of the General SIS Requirements allows you to
specify general requirements with regard to the user defined application program of the Safety
Instrumented System. Aspects that need to be addressed revolve around structure of the application
program, validation of process variables, performance, and monitoring functionality. Furthermore
,communication interfaces must be defined as well as any requirements to support normal operation
and test and maintenance activities like proof testing. All requirements are specified through text fields.
To edit the SRS SIS Application Software Requirements:
l Select SIS Application Software Requirements from the Requirements Selection drop down box
l Edit the relevant information on the right hand side of the worksheet

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 181 of 292
 In addition to the exSILentia® v4 defined SRS fields for the SIS Application Software Requirements you
can add your own requirement fields through the Custom Data option which is shown at the bottom of
the list of SIS Application Software Requirements. From the dropdown box select the applicable custom
data data-set. This will add the fields specified in the custom data data-set to the exSILentia® v4 defined
fields.

CAUTION: Deleting or changing the custom data data-set will remove all associated fields from the
project. Any custom data specified information will be lost.

19.2.3 General SIF Requirements

The General SIF Requirements section allows you to specify requirements that are valid for all SIFs. You
will be able to copy these general requirements to the individual SIF Specific Requirements. Aspects that
need to be addressed revolve around operating modes, operator interfaces for manual shutdown and
trip reset, and response time requirements. In addition, performance requirements must be addressed
as well as desired proof test intervals and environmental extremes for the field equipment of the SIF. All
requirements are specified through text fields.
To edit the SRS General SIF Requirements:
l Select General SIF Requirements from the Requirements Selection drop down box
l Edit the relevant information on the right hand side of the worksheet

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 182 of 292
 In addition to the exSILentia® v4 defined SRS fields for the General SIF Requirements you can add your
own requirement fields through the Custom Data option which is shown at the bottom of the list of
General SIF Requirements. From the dropdown box select the applicable custom data data-set. This will
add the fields specified in the custom data to the exSILentia® v4 defined fields. By adding custom data to
the General SIF Requirements you will automatically add the same custom data fields to the set of SIF
specific requirements fields.

CAUTION: Deleting or changing the custom data data-set will remove all associated fields from the
project. For General SIF Requirements custom data this also means that the fields will be removed
from the SIF Specific Requirements. Any custom data specified information will be lost.

19.2.4 SIF Specific Requirements

The SIF Specific Requirements are, as their name already indicates, specified for each SIF individually.
Though some requirements for different SIFs may be identical, and therefore specified in the General SIF
Requirements section, it is essential that each SIF is addressed individually to ensure that the conceptual
design that results will adequately protect against the specific Hazard Scenario identified. The SIF
Specific Requirements are specified in the left hand area of the SRS worksheet. Simply select a SIF from
the SIF navigation list and edit the applicable fields. Aspects that need to be addressed are those
identified for the General SIF Requirements as well as SIF specific items like process variable ranges, trip
point, units of measure (UOM), safety action, etc. The majority of requirements are specified through text
fields.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 183 of 292
 There are two ways to copy specifications from the General SIF Requirements to SIF Specific
Requirements. You can copy data from the general SIF requirements to SIF specific requirements
l for all SIFs at once
l for one SIF at a time
To transfer data for all SIFs at once:
l Click on the Load data from General SIF Requirements to SIF Specific Requirements for all SIFs
button
To transfer data for one SIF at a time:
l Select the desired SIF in the SIF Navigation List
l Click on the Load data from General SIF Requirements to SIF Specific Requirements for current
SIF button
When transferring data, you will receive a warning that advises you that the General SIF Requirements
data will be merged into the existing SIF(s) Specific Requirements which could delete information that
you specified previously.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 184 of 292
 19.3 Safeguard to SRS Data Transfer
The exSILentia® v4 integration of Process Safety / Functional Safety software tools allows for seamless
data exchange between the different phases of the Lifecycle. If the Process Hazard Analysis was
performed using PHAx™ and Safeguards where defined of Safeguard Category Type IPF additional data
fields where added to the safeguard. One of these data fields allowed you to check the "Is SIF" property
which ensured that the specific SIF showed up in the SIF navigation list in the SRS tool. Similarly, if the
Layer of Protection Analysis was performed using LOPAx™ or the SIL selection was done using SILect™
and Safeguards/IPLs defined of Safeguard Category Type IPF the same additional data fields were added
to the safeguard. Any data specified in the safeguards data fields can be automatically transferred to the
SRS tool.
There are two ways to transfer safeguard data to the Safety Requirements Specification. You can copy
safeguard data to a SIF's SRS data
l for all SIFs at once
l for one SIF at a time
To transfer data for all SIFs at once:
l Click on the Copy safeguard data to SRS for all SIFs button
To transfer data for one SIF at a time:
l Select the desired SIF in the SIF Navigation List
l Click on the Copy safeguard data to SRS for selected SIF button
When transferring data, you will receive a warning that advises you that the safeguard data will be
copied into the SIF (s) Specific Requirements which could overwrite information that you specified
previously.

19.4 SRS Reports

In order to generate a SRS report select the SRS Report option from the Report Wizard. There are no
Report Options for the SRS report.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 185 of 292
© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 186 of 292
 Chapter 20 SILver™
The SILver tab navigates to the exSILentia® v4 Safety Integrity Level (SIL) verification tool SILver™.
Availability of the SILver tab, and therefore the SILver™ tool, is based on your exSILentia® v4 license (see
Chapter 1 Introduction for an overview of the exSILentia® v4 license options). The SILver™ tool allows
comprehensive modeling of each Safety Instrumented Function’s (SIF) conceptual design within an
exSILentia® v4 project to determine if that conceptual design meets the requirements specified in the
Safety Requirements Specification (SRS). The result of the SIL verification will be an Achieved Safety
Integrity Level for the specific SIF’s conceptual design.

20.1 Introduction
The SILver™ tool uses a discrete Markov model calculation technique during all analyses. For equipment
selections, it features the exida Safety Equipment Reliability Handbook database. This allows you to
perform a reliability analysis of your favorite equipment without the hassle of manually filling in all
reliability data, while ensuring accurate calculation results. The exSILentia® development process, and
specifically the SILver™ calculation engine development, meets IEC 61508 software development process
requirements. The user of the SILver™ tool should review and understand all assumptions that are the
basis of SILver™ calculations. The user is also responsible for reviewing all selections made during the
analysis.

Note: SIL verification using the exSILentia® SILver™ tool can be performed for all conceptual
designs up to SIL 4. For any safety functions that need to achieve SIL 4, independent verification of
the results should be performed by the user as required by IEC 61508 / IEC 61511.

When modeling a SIF conceptual design in SILver™, it is essential to understand the structure of the
SILver™ tool. Similar to the functional safety standards IEC 61508 and IEC 61511, SILver™ distinguishes
three unique parts in a SIF:
l Sensor Part
l Logic Solver Part
l Final Element Part

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 187 of 292
 More detailed modeling of a SIF's conceptual design is supported through the ability to divide the
Sensor Part and the Final Element Part into groups. A maximum of 10 groups is supported for both the
Sensor Part and the Final Element Part. These groups allows you to model voting arrangements between
groups of equipment items, e.g. a main fuel valve in series with 4 individual burners valves.
SILver™ supports the following voting options for voting between groups (in words with X being the
number of groups):
l 1ooX: one group needs to trip for the safety function to trip.
l XooX: all groups need to trip for the safety function to trip.
l 2oo3: two out of three groups need to trip for the safety function to trip; available only in case 3
groups are used in the conceptual design.
SILver™ supports further definition of the Sensor and Final Element groups through the use of legs.
These legs can be either identical or diverse. The maximum number of legs within a group depends on
the voting arrangements available for the particular group.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 188 of 292
 SILver™ provides the following voting options for Sensor groups:
l 1oo1
l 1oo2, 2oo2
l 1oo3, 2oo3, 3oo3
l 1oo4, 2oo4, 3oo4, 4oo4
l 1oo5, 2oo5, 3oo5, 4oo5, 5oo5 (Identical legs only)
l MooN (Identical legs only)
SILver™ provides the following voting options for Final Element groups:
l 1oo1
l 1oo2, 2oo2
l 1oo3, 2oo3, 3oo3
l 1oo4, 4oo4
l 2oo4 [2oo(1oo2)] (Identical legs only)
l 1oo5, 5oo5 (Identical legs only)
l 6oo6 (Identical legs only)
l 7oo7 (Identical legs only)
l 8oo8 (Identical legs only)
l 9oo9 (Identical legs only)
l MooN (Identical legs only)

Note: Given the flexibility of the voting arrangements within the Sensor and Final Element groups,
SIFs are typically modeled using a single group only.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 189 of 292
 In the subsequent sections the SILver™ worksheet, its modeling options for sensors, logic solvers, and
final elements, and its reporting capability will be explained. In addition the concept of devices and
device models will be addressed. The available interfaces with the SRS tool will also be addressed.

20.2 SILver Worksheet

The SILver™ tool conceptual design verification worksheet uses an interactive interface to effectively
guide you through the steps of modeling a SIF's conceptual design. This allows you to focus on the, for
that task, relevant portion of the SIF, e.g. from SIF level to leg level. Within the interface buttons exist for
adding SIFs, recalculating SIF results, as well as specification of detailed parameters like PLC detection
behavior for analog sensor signals. The SILver™ tool interface also allows you to easily interact with the
Safety Equipment Reliability Handbook database (see section 14.2 SERH Database). In addition sensor
groups and legs as well as final element groups and legs are part of the Project Libraries (see Chapter 13
Project Libraries). This elevates the ability to re-use conceptual design components to the next level. In
addition SILver™ introduces the concept of devices and device models, the latter will allow you to easily
find your project preferred equipment when you are modeling your conceptual design. The SILver™
worksheet consists of four main areas: the toolbar, the SIF list, the SIF diagram, and the workspace.
An example of the SILver™ tool conceptual design verification worksheet is shown in the figure below.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 190 of 292
 20.2.1 Creating Safety Instrumented Functions
Within exSILentia® v4 Safety Instrumented Functions (SIF) are Safeguards of Safeguard Category Type
IPF (Instrumented Protection Function) where the "Is SIF" property is checked. The exSILentia® v4 SIFs
therefore comprise of many related data fields inherited from Safeguards, IPFs, and SIF specific fields.
Each SIF has a unique Safeguard ID which is automatically generated and assigned to ensure relational
data integrity. SIFs can be defined manually within the SILver™ tool or obtained from the work
previously done using the PHAx™, LOPAx™, SILect™, and/or SRS tools. The transferring of data from PHA,
LOPA, and SIL selection to SIL verification and SRS to SIL verification is described in section SILver Data
Transfer.
To add a SIF:
l Click on the New SIF button in the upper left hand corner of the toolbar
l This will immediately add the SIF to the SIF navigation list
To edit the SIF properties:
l Right click on the SIF in the SIF navigation list and select view, or
l Edit the SIF Name and SIF Tag directly in the SIF worksheet (see below)
To delete a SIF:
l Select the SIF in the SIF navigation list
l Right click on the SIF and select Delete or click on the Delete key on your keyboard
l Click on Yes when asked if the SIF is really to be deleted

CAUTION: Deleting a SIF will delete all instances where the SIF was used. This will include any
linking done in the PHAx™, LOPAx™, SILect™, and/or SRS tools.

20.3 SILver Worksheet - SIF Level

To start the modeling of a SIF's conceptual design in the SILver™ tool, select the SIF in the SIF list. The
SILver™ workspace will now show the SIF level conceptual design information as shown in the figure
below. The information to be recorded can be divided into general information and several specific
parameters per the sections below.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 191 of 292
 20.3.1 General SIF Information
The General SIF Information in the SILver™ SIF level conceptual design includes the following properties
that are part of the IPF Type Safeguard information and are therefore most likely already specified in the
PHA, LOPA, SILect, and/or SRS tools.
l SIF Name
l SIF Description
l SIF Tag
In addition to these properties, there are specific items that are unique to the SILver™ tool
l Analyst
l Analysis Date
l Comments
l Design References
l Units
To define an Analyst, simply select a Team Member from the drop down box. See section 6.6 Team
Members for more information on specifying Team Members.

To specify the Analysis Date, enter the date directly into the date field or use the Calendar Icon to
select the date from the calendar pop-up.
In the Comments field you can document any specific remarks or assumptions related to the SIL
verification of this SIF.
The Design References item allows you to link specific project references to the SIL verification of this
SIF. Click the Link Icon and select the applicable reference from the list that appears by double
clicking that reference.
The Units section allows you to identify what unit this SIF is part of. The units are typically defined in the
PHA tool, but can also be directly defined in the library.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 192 of 292
 20.3.2 Architectural Constraints
You can indicate if Architectural Constraints should be considered in the conceptual design evaluation of
this SIF. Architectural constraints place minimum Hardware Fault Tolerance (HFT) requirements on the
elements in a Safety Instrumented Function. SILver™ provides the following architectural constraints
options:
l None
l Use IEC 61508 Tables
l Use IEC 61511 Tables
If you select None, minimum hardware fault tolerance requirements are ignored when determining the
achieved SIL level for this SIF.
If you select IEC 61508 Tables, the achieved SIL of the Safety Instrumented Function will be limited to
the SIL supported by either Route 1H or Route 2H as defined in IEC 61508. Per clause 11.4.3 of IEC 61511
users can opt to follow the IEC 61508 tables instead of the IEC 61511 tables. Route 1 H architectural
constraints are described in clause 7.4.4.2 and table 2 or 3 of IEC 61508-2:2010. These are based on
Equipment Type, Safe Failure Fraction and Hardware Fault Tolerance. Route 2H architectural constraints
are described in clause 7.4.4.3 of IEC 61508-2:2010.
If you select IEC 61511 Tables, the achieved SIL of the SIF will be limited to the SIL supported by clause
11.4.5 to 11.4.9 of IE 61511:2016 clause 11.4 which includes table 6 of that standard.
The architectural constraints are set for each SIF individually. To specify the applicable architectural
constraints, simply select your preferred method from the drop down box in the SILver™ SIF level
workspace. To specify the default SSI values for this project, see section 8.10 SILver Project Parameters.

20.3.3 Systematic Capability

You can indicate if Systematic Capability should be considered in the conceptual design evaluation of
this SIF. Per IEC 61511, systematic failure robustness for equipment must be justified either by an
assessment of that equipment per IEC 61508 or by documenting successful experience in the form of a
Proven-In-Use/Prior-Use assessment. For equipment developed and assessed per IEC 61508, techniques
and measures appropriate for the specified Safety Integrity Level have been used to prevent systematic
faults. For equipment that was not developed and/or assessed per IEC 61508, a user can justify use of
that equipment by means of a proven- in- use argument. In this case, the user is taking over the
responsibility from the manufacturer in justifying that the equipment has a sufficiently low chance of
having systematic faults. An appropriate plant operational experience tracking system needs to be in
place to be able to make this argument.
When the Systematic Capability option is selected, SILver™ will take into account the IEC 61508
assessment levels and/or the Proven- In- Use justification levels (the Systematic Capability) of the
equipment specified in determining the achieved SIL of a Safety Instrumented Function. In order to
achieve a certain SIL level, all equipment used in a Safety Instrumented Function must either be
assessed up to that SIL level and/or theProven-In-Use justification for the equipment must be up to that
specific SIL level.
To specify the default Systematic Capability value for this project, see section 8.10 SILver Project
Parameters.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 193 of 292
 20.3.4 Mission Time
In the Mission Time field, the time period that the SIF is expected to be operational should be selected.
For Low Demand applications, the PFD AVG parameter, which determines the achieved Safety Integrity
Level, is determined over this mission time. At the end of the mission time it is expected that all
equipment in the SIF is either replaced or factory-new refurbished. The mission time is typically at least
as long as the largest proof test interval. To account for different replacement or refurbishment intervals
per sensor group/final element group/logic solver see section 20.5 , 20.7 , and 20.8 respectively.
To specify the default Mission Time value for this project, see section 8.10 SILver Project Parameters.

20.3.5 Startup Time

In the Startup Time field you can list the number of hours it takes to re- start the process after a
shutdown. This should be an integer number between 4 and 336 hours. The start up time is typically the
sum of the repair time and any clean up time.

Note: It is a common misconception that the Startup Time should be greater than the mean repair
time (MRT) as logic dictates that the sum of repair time and clean up time is always greater than
the repair time assuming the clean up time is not 0. In conceptual design evaluation, a MRT is
typically chosen such that there is an extra buffer of time that allows the user to make sure the
replacement part is in place and/or the system is in a good state to shutdown. As such the mean
repair time typically specified is the repair time plus a order part/wait time.

To specify the default Startup Time value for this project, see section 8.10 SILver Project Parameters.

20.3.6 SIF Demand Mode

The SILver™ tool distinguishes between three modes of operation, i.e.
l Low Demand
l High Demand
l Continuous Demand
Using the Demand Mode drop down box you can specify which mode of operation you want to consider
for the SIF. You can either explicitly select Low Demand, High Demand, or Continuous Demand or your
can define that SILver™ should determine the mode of operation for the SIF based on the demand rate
of the SIF. When you select the Based On Demand Rate option, an extra field will appear that allows
you to enter the Demand Interval in months. SILver™ will subsequently determine the mode of operation
per IEC 61511:2017.
For Low demand applications the average Probability of Failure on Demand (PFD AVG ) is calculated. For
High and Continuous demand applications the Probability of a Dangerous Failure per Hour (PFH) is
calculated. In High Demand applications credit for automatic diagnostics is taken whereas the automatic
diagnostics are considered ineffective in Continuous demand applications.

Note: To indicate that the SIF is operating in continuous mode when using the Based On Demand
Rate option, the demand interval should be specified as 0 month.

To specify the default Demand Mode value for this project, see section 8.10 SILver Project Parameters.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 194 of 292
 20.3.7 Batch Operation
The SILver™ tool allows you to indicate if the SIF is active in a Batch operation environment. In batch
operation, the Hazard Scenario may not be present when the process is offline. If the SIF is not expected
to protect against the Hazard Scenario its Probability of Failure is 0. Due to the more frequent startup
and shutdown actions, there is an opportunity to perform more tests, for example, a full stroke at the
end of each batch. By selecting the Batch Operation option, you can specify the Batch Duration as well
as the Time Between Batches.

20.3.8 I/O Channels on Separate Modules

The SILver™ tool allows you to indicate if individual I/O channels should be connected to the same or to
different I/O modules for the relevant channels in this SIF. In a redundant configuration, if the channels
are wired to the same I/O module, no voting is applied over this I/O module. If the channels are wired to
different I/O modules, the voting applied to the sensor and final element groups will also be applied to
the input and output modules respectively.

20.3.9 Consider MTTFS

The SILver™ tool allows you to indicate if the Mean Time To Fail Spurious (MTTFS) should be calculated
as part of your SIL verification. If you un-check the check box, MTTFS results will not be displayed in the
GUI nor in the SILver Summary and SILver Detailed reports.

20.3.10 Site Safety Index

The Site Safety Index (SSI) model accounts for site specific operational practices. It allows a site with
strong safety processes to take credit for that accomplishment while not masking issues at other sites.
The Site Safety Index takes a variety of factors into consideration, including the maintenance capability
which was used in exSILentia® v3 as well as failure rates. In addition to this, the SSI accounts for
different overall failure behavior between sites, which is observed during field failure studies.
A total of 5 levels have been identified for the Site Safety Index (SSI), these are shown in the table below.
Level Description
Perfect - Repairs are always correctly performed, Testing is always done correctly and on
schedule, Equipment is always replaced before end of useful life, Equipment is always
selected according to the specified environmental limits and process compatible materials,
SSI 4
Electrical power supplies are clean of transients and isolated, Pneumatic supplies and
hydraulic fluids are always kept clean, etc. This level is generally considered not possible but
retained in the model for comparison purposes.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 195 of 292
 Level Description
Almost perfect - Repairs are correctly performed, Testing is done correctly and on schedule,
Equipment is replaced before end of useful life, Equipment is normally selected based on the
SSI 3 specified environmental limits and a good analysis of the process chemistry and compatible
materials, Electrical power supplies are normally clean of transients and isolated, Pneumatic
supplies and hydraulic fluids are mostly kept clean, etc.
Good - Repairs are usually correctly performed, Testing is done correctly and mostly on
schedule, Equipment is mostly replaced before end of useful life, Equipment is often selected
SSI 2 according to the specified environmental limits and process compatible materials, Electrical
power supplies may have transient voltage spikes and surges, Pneumatic supplies and
hydraulic fluids are usually kept clean, etc.
Medium – Repairs are mostly correctly performed, Testing is done and often on schedule,
Equipment is sometimes replaced before end of useful life, Equipment is sometimes selected
SSI 1 according to the specified environmental limits and process compatible materials, Electrical
power supplies have transient voltage spikes and surges, Pneumatic supplies and hydraulic
fluids are sometimes kept clean, etc.
None - Repairs are not always done, Testing is not done, Equipment is replaced upon failure,
Equipment is selected based on history, Electrical power supplies may drop out and have
SSI 0
transient voltage spikes and surges, Pneumatic supplies and hydraulic fluids are sometimes
kept clean, etc.

The Site Safety Index is a parameter that is specific for each SIF individually and can be specified for
sensors, logic solvers, and final elements separately. To specify the applicable Site Safety Indexes for this
SIF, simply select the appropriate level from the drop down boxes in the SILver™ SIF level workspace. To
specify the default SSI values for this project, see section 8.10 SILver Project Parameters.
Furthermore you can indicate if the Site Safety Index should be considered in the failure rate selection
for each of the devices in the SIF. In the figure below you can see that the Safety Equipment Reliability
Handbook holds different failure rates for different SSI levels. For exSILentia® v4 projects created prior to
the 4.9 release, the failure rates are set to SSI 2 level which corresponds with good process industry
practices. If your plant approaches a near laboratory application environment with perfect maintenance
etc., the SSI 4 failure rates may be applicable. If your plant is a plain mess and good process industry
practices are not applied, you may need to use SSI 1 or even SSI 0 failure rates.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 196 of 292
 20.4 SILver Worksheet - Sensor Part
To configure the SIF's Sensor Part in the SILver™ tool, select Sensor Part for the SIF in the SIF list. The
SILver™ workspace will now show the sensor part conceptual design information as shown in the figure
below.

As described in section 20.1 Introduction a Sensor Part can consist of up to 10 Sensor Groups.
To add a new Sensor Group to the Sensor Part:
l Click on the Add Group button in the middle of the SILver™ workspace
l This will immediately add the Sensor Group to the SILver™ workspace
l This will also add the Sensor Group to the Sensor Groups library
To add a Sensor Group directly from the Sensor Groups Library:
l Click on the Link Sensor Group Icon
l Double Click the Sensor Group to add the group to the Sensor Part
After adding the applicable number of Sensor Groups to the Sensor Part, update the Sensor Part voting,
i.e. the voting between groups, in the upper left hand corner of the SILver™ workspace. You can also
specify the beta factor to account for common cause between groups. The beta factor must be entered
as an integer between 0% and 100%. The default value for the common cause between groups is 0% as
different groups are typically used to model independent equipment items. In case there is no complete
independence however, i.e. there is common cause susceptibility, a beta factor other than 0% should be
used. Use the beta factor estimator feature for assistance in determining an applicable beta factor by
clicking the beta estimator icon , see also section 20.10 SILver Worksheet - Features.
To delete a Sensor Group from the Sensor Part:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 197 of 292
 l Right click on the specific Sensor Group
l Select Delete from the pop-up menu
l Click on Yes when asked if the Sensor Group is really to be deleted

Note: When a Sensor Group is deleted and it is the last place where it is used, you will be asked if
you want to permanently delete the Sensor Group from the Library. Click Yes or No as applicable.

20.5 SILver Worksheet - Sensor Group

To configure a SIF's Sensor Group in the SILver™ tool you can either do this in the SILver™ workspace
when you have selected the Sensor Part or by selecting the specific Sensor Group in the SIF list. The
SILver™ workspace shows the sensor group conceptual design information as in the figure below.

As part of the Sensor Group conceptual design configuration, you can specify a Name and Description
for the sensor group.

Note: Uniquely naming a Sensor Group is not essential to perform a SIL verification, however to
efficiently use the full library aspects of exSILentia®, it is highly encouraged.

20.5.1 Group Options

The group options for a Sensor Group allow you to specify:
l The Voting within the sensor group, with standard options as defined in section 20.1 Introduction
l The Voting Type for redundant voting options, i.e. are the redundant legs in the group identical
or diverse
l The Beta Factor for redundant voting options, a percentage ranging from 0 and 100%. See
section 20.10 SILver Worksheet - Features for details on the Beta Estimator.
l The Mean Repair Time (MRT), the expected time to repair the equipment items in the group in
case of a detected failure (failure detected by automatic equipment item diagnostics). The MRT is
an integer between 4 and 336 hours.
l The Group Mission Time for this sensor group in case it has a different replacement or
refurbishment interval than the entire SIF.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 198 of 292
 The Group Details button allows you to see the equipment that you selected for the Sensor Group
including the associated failure rates. Click this button once you have completed the configuration of
the Sensor Group.

When you change the Voting option within the Sensor Group, a Warning Icon will appear next to the
Voting selection in addition to a message box. This icon indicates that after you change the voting
option, the number of legs associated with the Sensor Group no longer matches the voting option.
SILver™ can automatically adjust the number of legs or you can do this manually. The warning icon and
message are shown in the next figure.

Note: Sensor Legs are also an exSILentia® Library item and can therefore be reused in multiple
locations, not necessarily within the same Sensor Group.

20.5.2 Proof Testing

To model the proof testing applied to the Sensor Group you need to specify:
l The Proof Test Interval for the sensor group, the time interval between two proof tests. The
proof test is the periodic test performed to reveal failures undetected during normal operation.
The interval ranges from 1 to 600 months and can be specified in years, months, and/or days.
You can also indicate how the proof test is Performed , either Online or Offline . If a proof test is
performed while online you can specify the following:
l For redundant configurations, is the testing done Staggered or not. Staggered indicates that only
one of the redundant units is bypassed at a time, ensuring that the sensor configuration remains
capable to react to a process demand.
l Is Alternate Protection available during the proof test. This indicates if during the bypassing of
the sensor configuration other means are available to detect the hazard and bring the process to
a safe state.
l The Duration of the proof test. This shows how long the sensor configuration is in bypass, the
duration ranges from 1 to 24 hours.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 199 of 292
 Finally you can indicate if the Proof Test Coverage of the proof test specified for the sensor group
should be determined based on the data associated with the respective equipment items selected for
the group, or if the you want to override that data and manually enter the Proof Test Coverage factor.
The Proof Test Coverage indicates the effectiveness of a proof test in revealing failures undetected
during normal operation. A 100% proof test coverage would mean that ALL failures would be revealable
by the test, which realistically is only feasible through replacement or complete refurbishment to an as
new state. The proof test coverage must be a value between 0 and 100%. See section 20.10 SILver
Worksheet - Features for details on the Proof Test Coverage Calculator.

20.5.3 Application Level Diagnostic Test

Application Level Diagnostic Testing allows you to account for additional testing an end- user
implements in addition to any automatic self-diagnostics that are part of a specific device. You should
not select Application Level Diagnostic Test to account for standard device automatic self diagnostics as
these are accounted for in the device's failure rates.
To model application level diagnostic testing to the Sensor Group, first select the "Enabled" check box
for this option. Once enabled, you need to specify:
l The Application Level Diagnostic Test Interval for the sensor group, the time interval between two
tests. This can be specified in months and years.
l The Application Level Diagnostic Test Duration. This can be specified in hours.
l The Application Level Diagnostic Test Coverage. This indicates the effectiveness of the application
level diagnostic test in revealing failures. The test coverage must be a value between 0 and 100%.
You can also indicate if the test is automatic vs. manual, buy selecting the "Automatic" check box for this
option. Only in the case of an automatically performed application test does this impact the safe failure
fraction. The order of magnitude difference between the demand interval and diagnostic test interval is
not considered in classifying a failure as detected or undetected by automatic diagnostics.

20.5.4 Legs
You can add Sensor Legs to your SIF by allowing SILver to automatically adjust the number of legs based
on the Sensor Group voting. If you are modeling identical legs, you need only specify them once. If you
have selected the "Is Diverse" check box, you will need to specify each separately. As part of the Sensor
Leg conceptual design configuration, you can specify a Name and Description for the sensor leg.

Note: Uniquely naming a Sensor Leg is not essential to perform a SIL verification, however to
efficiently use the full library aspects of exSILentia®, it is highly encouraged.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 200 of 292
 20.5.5 Leg Options
Once the Sensor Legs are created in SILver, you can select your Leg Options starting with the
Measurement Type . The different measurement types include:
l Pressure
l FireGas
l Proximity
l Flow
l Temperature
l Level
l Other
The remaining Leg Options allow you to specify if the Trip Direction is High or Low, and if you have
External Comparison. If you have selected and a sensor that uses analog signals, you will be able to
specify if a Transmitter Fault drives the signal Over Range or Under Range.
Trip Setting:Specify whether a High Trip or Low Trip is configured in the application software. This is
especially important for 4-20 mA operating devices. For such devices a failure resulting in an output
below 4 mA is considered a Fail Low failure and a failure resulting in an output above 20 mA is
considered a Fail High failure. Depending on the PLC Detection Configuration settings, Fail Low and Fail
High failures will either be classified as safe or dangerous, detected or undetected.
External Comparison: External Comparison is an additional diagnostic implemented by the user. It
indicates whether the device signal is compared with a similar second signal. External comparison is
highly effective for analog signals since one can monitor differences in dynamic signals and see if
something is wrong with one of the analog devices. It is very ineffective for digital signals since digital
signals have a static output. IEC 61508 allows claims up to 99% diagnostic coverage on external signal
comparison. In exSILentia the user can specify a value ranging from 0% to a more conservative 95% for
the external comparison. The default value is 90% for analog signals and 0% for digital signals.
Transmitter Fault Direction: The Transmitter Fault Direction selection determines whether the analog
output is driven Over Range or Under Range by the transmitter, upon detection of an internal failure
(Fail Detected). This is typically done by setting a switch on the transmitter itself. This will determine
how Fail Detected faults are classified, either Fail High or Fail Low. This will lead to subsequent
classification into safe or dangers, detected or undetected.

PLC Detection Configuration (Analog Devices Only). These options allow you to indicate the type of input
signal diagnostics that are implemented in the logic solver connected to the devices selected in the
Sensor Group. These options appear in the Sensor Group view after you choose an analog device.
Out of Range Detection: Select this option if the logic solver connected to the devices selected can
detect out of range signals (>20 mA and <4 mA) and you programmed the logic solver to use this
functionality, there is input range checking. If this is the case for your application, select the check box
for Out of Range Detection.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 201 of 292
 Transmitter Fault Filter: Select this option if the logic solver performs a type of sampling, for example,
the value communicated form the input card to the CPU is averaged or a median value is used. The
effect here is that if there is an internal fault in, for example, a transmitter which drives the output over
range (Fail High) and you would have a high trip this will not immediately lead to a trip on the
application level as sudden input signal transitions are filtered. A next sampling of the input signal is
very likely to show an over range signal rather than a signal in active scale above the trip point as
internal failure transitions are typically very fast. If this is the case for your application, select the check
box for Transmitter Fault Filter.
Trip on Transmitter Fault: Select this option if you would like to trip the plant in the event of a
transmitter fault. In some cases, end-users do not want to cause any transmitter malfunction to result in
a shutdown of a unit but simply have an alarm and perform maintenance on the specific unit that failed.
Other end-users do not want to operate in such a degraded mode where, arguable, the SIF protection is
lost. If this is the case in your application, select the check box for Trip on Transmitter Fault.

20.5.6 Devices
For each Sensor Group the following devices must be specified:
l Process Connection (1 per Sensor Leg): Select the "New Process Connection" button. exida's
SERH database will open in a new window showing all available process connections for the
measurement type selected. Scroll to the device of your choosing and double click to apply it to
your SIF. You can also select the device once and click the "Add Device" button.
l Sensor (1 per Sensor Leg): Select the "New Sensor" button. exida's SERH database will open in a
new window showing all available sensors for the measurement type selected. Scroll to the
device of your choosing and double click to apply it to your SIF. You can also select the device
once and click the "Add Device" button.
l Input Interface (Unlimited): Select the "New Input Interface" button. exida's SERH database will
open in a new window showing all available interfaces for the measurement type selected. Scroll
to the device of your choosing and double click to apply it to your SIF. You can also select the
device once and click the "Add Device" button.

Devices already specified in other SIF's can be re-used by selecting the link button and selecting the
device in question. Keep in mind, this would mean the SIFs share this equipment. If you are re-using a
Device Model used previously in the project, select the from the device drop down list. In this case, this is
a new device in the safety instrumented system, but an identical device model.
To specify a User Defined device, select the UD button for the specific device type. This will open a
new window that allows you to fill in the device information including applicable failure rates. Upon
completing the information there, you can apply the device to your SIF by selecting the "Create" button.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 202 of 292
 Note: If you specify an analog device for the Sensor Leg, additional Leg Options will appear that must
also be specified.
Note: As part of the process connections in exida's SERH database, the following selections are available
for Impulse lines:
l Clean Service: This selection means there is no plugging
l Impulse Line - plugging very unlikely: This selection means there is a low frequency of plugging (1
per 400 years).
l Impulse Line - plugging unlikely: This selection means there is a medium frequency of plugging (1
per 40 years).
l Impulse Line - plugging likely: This selection means there is a high frequency of plugging (1 per 4
years).

20.6 SILver Worksheet - Final Element Part

To configure the SIF's Final Element Part in the SILver™ tool, select Final Element Part for the SIF in the
SIF list. The SILver™ workspace will now show the final element part conceptual design information as
shown in the figure below.

As described in section 20.1 Introduction a Final Element Part can consist of up to 10 Final Element
Groups.
To add a new Final Element Group to the Final Element Part:
l Click on the Add Group button in the middle of the SILver™ workspace
l This will immediately add the Final Element Group to the SILver™ workspace
l This will also add the Final Element Group to the Final Element Groups library
To add a Final Element Group directly from the Final Element Groups Library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 203 of 292
 l Click on the Link Final Element Group Icon
l Double Click the Final Element Group to add the group to the Final Element Part
After adding the applicable number of Final Element Groups to the Final Element Part, update the Final
Element Part voting, i.e. the voting between groups, in the upper left hand corner of the SILver™
workspace. You can also specify the beta factor to account for common cause between groups. The beta
factor must be entered as an integer between 0% and 100%. The default value for the common cause
between groups is 0% as different groups are typically used to model independent equipment items. In
case there is no complete independence however, i.e. there is common cause susceptibility, a beta
factor other than 0% should be used. Use the beta factor estimator feature for assistance in determining
an applicable beta factor by clicking the beta estimator icon , see also section 20.10 SILver Worksheet -
Features.
To delete a Final Element Group from the Final Element Part:
l Right click on the specific Final Element Group
l Select Delete from the pop-up menu
l Click on Yes when asked if the Final Element Group is really to be deleted

Note: When a Final Element Group is deleted and it is the last place where it is used, you will be
asked if you want to permanently delete the Final Element Group from the Library. Click Yes or No
as applicable.

20.7 SILver Worksheet - Final Element Group

To configure a SIF's Final Element Group in the SILver™ tool you can either do this in the SILver™
workspace when you have selected the Final Element Part or by selecting the specific Final Element
Group in the SIF list. The SILver™ workspace shows the final element group conceptual design
information as in the figure below.

As part of the Final Element Group conceptual design configuration, you can specify a Name and
Description for the final element group.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 204 of 292
 Note: Uniquely naming a Final Element Group is not essential to perform a SIL verification,
however to efficiently use the full library aspects of exSILentia®, it is highly encouraged.

20.7.1 Group Options

The group options for a Final Element Group allow you to specify:
l The Voting within the final element group, with standard options as defined in section 20.1
Introduction
l The Voting Type for redundant voting options, i.e. are the redundant legs in the group identical
or diverse
l The Beta Factor for redundant voting options, a percentage ranging from 0 and 100%. See
section 20.10 SILver Worksheet - Features for details on the Beta Estimator.
l The Mean Repair Time (MRT), the expected time to repair the equipment items in the group in
case of a detected failure (failure detected by automatic equipment item diagnostics). The MRT is
an integer between 4 and 336 hours.
l The Group Mission Time for this final element group in case it has a different replacement or
refurbishment interval than the entire SIF.
The Group Details button allows you to see the equipment that you selected for the Final Element Group
including the associated failure rates. Click this button once you have completed the configuration of
the Final Element Group.

When you change the Voting option within the Final Element Group, a Warning Icon will appear next to
the Voting selection in addition to a message box. This icon indicates that after you change the voting
option, the number of legs associated with the Final Element Group no longer matches the voting
option. SILver™ can automatically adjust the number of legs or you can do this manually. The warning
icon and message are shown in the next figure.

Note: Final Element Legs are also an exSILentia® Library item and can therefore be reused in
multiple locations, not necessarily within the same Final Element Group.

20.7.2 Proof Testing

To model the proof testing applied to the Final Element Group you need to specify:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 205 of 292
 l The Proof Test Interval for the final element group, the time interval between two proof tests.
The proof test is the periodic test performed to reveal failures undetected during normal
operation. The interval ranges from 1 to 600 months and can be specified in years, months,
and/or days.
l Indicate if a Leak Test will be performed as part of the proof test by checking the associated
checkbox.
l Indicate if the proof test will be performed At Operating Conditions by checking the associated
checkbox.
You can also indicate how the proof test is Performed , either Online or Offline . If a proof test is
performed while online you can specify the following:
l For redundant configurations, is the testing done Staggered or not. Staggered indicates that only
one of the redundant units is bypassed at a time, ensuring that the final element configuration
remains capable to react to a process demand.
l Is Alternate Protection available during the proof test. This indicates if during the bypassing of
the final element configuration other means are available to detect the hazard and bring the
process to a safe state.
l The Duration of the proof test. This shows how long the final element configuration is in bypass,
the duration ranges from 1 to 24 hours.
Finally you can indicate if the Proof Test Coverage of the proof test specified for the final element group
should be determined based on the data associated with the respective equipment items selected for
the group, or if the you want to override that data and manually enter the Proof Test Coverage factor.
The Proof Test Coverage indicates the effectiveness of a proof test in revealing failures undetected
during normal operation. A 100% proof test coverage would mean that ALL failures would be revealable
by the test, which realistically is only feasible through replacement or complete refurbishment to an as
new state. The proof test coverage must be a value between 0 and 100%. See section 20.10 SILver
Worksheet - Features for details on the Proof Test Coverage Calculator.

20.7.3 Partial Valve Stroke Test/Application Level Diagnostic Test

To model partial valve stroke testing to the Final Element Group, first select the "Enabled" check box for
this option. Once enabled, you need to specify:
l The Partial Valve Stroke Test Interval for the final element group, the time interval between two
tests. This can be specified in months and years.
l The Partial Valve Stroke Test Duration. This can be specified in hours.
l Indicate if the Partial Valve Stroke Test is initiated automatically by checking the Automatic
checkbox.
Finally you can indicate if the Partial Valve Stroke Test Coverage should be determined based on the
data associated with the respective equipment items selected for the group, or if the you want to
override that data and manually enter the Partial Valve Stroke Test Coverage factor. The Partial Valve
Stroke Test Coverage indicates the effectiveness of the partial valve stroke test in revealing failures. The
test coverage must be a value between 0 and 100%. See section 20.10 SILver Worksheet - Features for
details on the Partial Valve Stroke Test Coverage Calculator.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 206 of 292
 20.7.4 Legs
You can add Final Element Legs to your SIF by allowing SILver to automatically adjust the number of legs
based on the Final Element Group voting. If you are modeling identical legs, you need only specify them
once. If you have selected the "Is Diverse" check box, you will need to specify each separately. As part of
the Final Element Leg conceptual design configuration, you can specify a Name and Description for the
final element leg.

Note: Uniquely naming a Final Element Leg is not essential to perform a SIL verification, however
to efficiently use the full library aspects of exSILentia®, it is highly encouraged.

20.7.5 Leg Options

Once the Final Element Legs are created in SILver, you can select your Leg Options. Here you must
specify if:
l Tight Shutoff is Required. This option allows you to select if Tigh Shutoff is required for the valve
or actuator- valve combination to achieve the safe state of the SIF. Based on the selection
appropriate failure rates from exida's Safety Equipment Reliability Handbook database will be
selected. If you have specified a User Defined device, the failure rates entered should reflect Tight
Shutoff service.
l The application qualifies as Severe Service for your final element. This option allows you to
indicate if a valve or actuator-valve combination will likely be used in severe service conditions.
Severe Service is defined as the condition that exists when material through the valve has
abrasive particles, as opposed to clean service where these particles are absent. Based on the
selection appropriate failure rates from exida's Safety Equipment Reliability Handbook database
will be selected. If you have specified a User Defined device, the failure rates entered should
reflect the Severe Service conditions.
l The Valve Opens on Trip. You will need to indicate if the valve or actuator-valve combination
opens or closes to achieve the safe state. Based on the selection appropriate failure rates from
exida's Safety Equipment Reliability Handbook database will be selected. If you have specified a
User Defined device, the user is responsible for entering data that is representative for the open
or close to trip situation.
Note: Not all valves and actuator- valve combinations listed in exida's Safety Equipment Reliability
Handbook database may have data specified for Open on Trip / Close on Trip, Tight Shutoff and Severe
Service. Either the valve or actuator-valve combination cannot be used in one of these selections or
additional study of the performance of the device still needs to be performed. If you select an option for
which data is not currently available, an error message will be displayed. If this happens, please select a
different device or enter a User Defined device.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 207 of 292
 20.7.6 Devices
Within the SILver™ tool a distinction is made between remote actuated valves and non-remote actuated
valves as the final element. For each Final Element Group that includes a remote actuated valve, the
following devices can be specified:
l Output Interface (Unlimited): Select the "New Output Interface" button. exida's SERH database
will open in a new window showing all available output interfaces. Scroll to the device of your
choosing and double click to apply it to your SIF. You can also select the device once and click
the "Add Device" button.
l If the remote actuated valve is an integrated Remote Actuated Valve Assembly
l Remote Actuated Valve Assembly (1 per Final Element Leg): Select the "New Remote

Actuated Valve Assembly" button. exida's SERH database will open in a new window
showing all available remote actuated valve assemblies. Scroll to the device of your
choosing and double click to apply it to your SIF. You can also select the device once and
click the "Add Device" button.
l If the remote actuated valve is build up from individual devices
l Final Element Interface (1 per Final Element Leg): Select the "New Final Element

Interface" button. exida's SERH database will open in a new window showing all available
final element interfaces. Scroll to the device of your choosing and double click to apply it
to your SIF. You can also select the device once and click the "Add Device" button.
l Pneumatic Element (Unlimited): Select the "New Pneumatic Element" button. exida's

SERH database will open in a new window showing all available pneumatic elements.
Scroll to the device of your choosing and double click to apply it to your SIF. You can also
select the device once and click the "Add Device" button.
l If the Actuator and Valve are delivered as an integrated assembly

l Actuator Valve Assembly (1 per Final Element Leg): Select the "New Actuator

Valve Assembly" button. exida's SERH database will open in a new window
showing all available actuator valve assemblies. Scroll to the device of your
choosing and double click to apply it to your SIF. You can also select the device
once and click the "Add Device" button.
l If the Actuator and Valve are individual devices

l Actuator (1 per Final Element Leg): Select the "New Actuator" button. exida's SERH

database will open in a new window showing all available actuators. Scroll to the
device of your choosing and double click to apply it to your SIF. You can also select
the device once and click the "Add Device" button.
l Valve (1 per Final Element Leg): Select the "New Valve" button. exida's SERH

database will open in a new window showing all available valves. Scroll to the
device of your choosing and double click to apply it to your SIF. You can also select
the device once and click the "Add Device" button.

For each Final Element Group that does not include a remote actuated valve, the following devices must
be specified:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 208 of 292
 l Output Interface (Unlimited): Select the "New Output Interface" button. exida's SERH database
will open in a new window showing all available output interfaces. Scroll to the device of your
choosing and double click to apply it to your SIF. You can also select the device once and click
the "Add Device" button.
l Other (1 per Final Element Leg): Select the "New Other" button. exida's SERH database will open
in a new window showing all available other final element options. These include alarm bells,
relays, motor starters , general MCC's, among others. Scroll to the device of your choosing and
double click to apply it to your SIF. You can also select the device once and click the "Add Device"
button.

Devices already specified in other SIF's can be re-used by selecting the link button and selecting the
device in question. Keep in mind, this would mean the SIFs share this equipment. If you are re-using a
Device Model used previously in the project, select the from the device drop down list. In this case, this is
a new device in the safety instrumented system, but an identical device model.
To specify a User Defined device, select the UD button for the specific device type. This will open a
new window that allows you to fill in the device information including applicable failure rates. Upon
completing the information there, you can apply the device to your SIF by selecting the "Create" button.

20.8 SILver Worksheet - Logic Solver Part

To configure the SIF's Logic Solver Part in the SILver™ tool, select Logic Solver Part for the SIF in the
SIF list. The SILver™ workspace will now show the logic solver part conceptual design information as
shown in the figure below.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 209 of 292
 As described in section 20.1 Introduction a Logic Solver Part does not have any further division into
groups like the Sensor and Final Element Parts.
To add a new Logic Solver to the Logic Solver Part:
l Click on the EBD button on the top right hand side of the SILver™ workspace
l exida's SERH database will open in a new window showing all logic solvers. Scroll to the logic
solver of your choosing and double click to apply it to your SIF. You can also select the device
once and click the link button .
l This will immediately add the logic solver to the SILver™ workspace
l This will also add the logic solver to the Logic Solvers library
To add a Logic Solver directly from the Logic Solver Library:
l Open the top drop down list in the SILver™ workspace
l Select the applicable logic solver to add it to the Logic Solver Part
To remove a Logic Solver from the Logic Solver Part:
l Click the EBD button and select a different logic solver from the exida SERH database, or
l Select a different logic solver from the drop down list
To permanently delete a Logic Solver from the exSILentia(R) Project:
l Open the project Library
l Select the specific logic solver from the Logic Solvers library
l Click the "-" button
l Confirm the action by clicking the Yes button

Caution: When a Logic Solver is deleted from the library, it will be deleted from all SIFs that it is
being used in.

To further configure the Logic Solver you can specify:

l The Group Mission Time for this logic solver in case it has a different replacement or
refurbishment interval than the entire SIF.
l The Mean Repair Time (MRT), the expected time to repair the logic solver in case of a detected
failure (failure detected by automatic equipment item diagnostics). The MRT is an integer
between 4 and 336 hours.
To model the proof testing applied to the Logic Solver you need to specify:
l The Proof Test Interval for the logic solver, the time interval between two proof tests. The proof
test is the periodic test performed to reveal failures undetected during normal operation. The
interval ranges from 1 to 600 months and can be specified in years, months, and/or days.
You can also indicate how the proof test is Performed , either Online or Offline . If a proof test is
performed while online you can specify the following:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 210 of 292
 l For redundant configurations, is the testing done Staggered or not. Staggered indicates that only
one of the redundant units is bypassed at a time, ensuring that the sensor configuration remains
capable to react to a process demand.
l Is Alternate Protection available during the proof test. This indicates if during the bypassing of
the sensor configuration other means are available to detect the hazard and bring the process to
a safe state.
l The Duration of the proof test. This shows how long the sensor configuration is in bypass, the
duration ranges from 1 to 24 hours.
Finally you can indicate if the Proof Test Coverage of the proof test specified for the logic solver should
be determined based on the data associated with the selected logic solver, or if the you want to override
that data and manually enter the Proof Test Coverage factor. The Proof Test Coverage indicates the
effectiveness of a proof test in revealing failures undetected during normal operation. A 100% proof test
coverage would mean that ALL failures would be revealable by the test, which realistically is only
feasible through replacement or complete refurbishment to an as new state. The proof test coverage
must be a value between 0 and 100%. See section 20.10 SILver Worksheet - Features for details on the
Proof Test Coverage Calculator.

Application Level Diagnostic Testing allows you to account for additional testing an end- user
implements in addition to any automatic self-diagnostics that are part of the logic solver. You should not
select Application Level Diagnostic Test to account for standard device automatic self diagnostics as
these are accounted for in the device's failure rates.
To model application level diagnostic testing to the Logic Solver, first select the "Enabled" check box for
this option. Once enabled, you need to specify:
l The Application Level Diagnostic Test Interval for the sensor group, the time interval between two
tests. This can be specified in months and years.
l The Application Level Diagnostic Test Duration. This can be specified in hours.
l The Application Level Diagnostic Test Coverage. This indicates the effectiveness of the application
level diagnostic test in revealing failures. The test coverage must be a value between 0 and 100%.
You can also indicate if the test is automatic vs. manual, buy selecting the "Automatic" check box for this
option. Only in the case of an automatically performed application test does this impact the safe failure
fraction. The order of magnitude difference between the demand interval and diagnostic test interval is
not considered in classifying a failure as detected or undetected by automatic diagnostics.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 211 of 292
 20.9 SILver Worksheet - Results
Once all of the parts of the Safety Instrumented Function are specified, SILver will display the overall
SIF performance metrics in the header at the top. You can now review the results and see if the
SIF meets the desired Safety Integrity Level. These metrics also include the RRF, PFDavg, MTTFS and the
SIL level according to PFDavg, Architectural Constraints and Systematic Capability. For each SIF these
metrics are shown for the sensor, logic solver and final element parts in addition to the overall SIF
results. Also included are pie charts that indicate the contribution of each part to the overall
SIF performance metrics for PFDavg and MTTFS respectively.

If the results do not meet the required SIL or if you want to try different selections, you can easily edit
the configuration by clicking on the specific group you want to change in the navigation tree. Note that
all SILver input and calculated results will be part of the exSILentia report for functional safety standard
compliance.
PFD Charts: The PFD charts show the PFD as a function of mission time in combination with the PFDavg
over the entire mission time. The clearly indicate the effects of the proof test interval and proof test
coverage. For SIFs where the various parts of the SIF use different proof test intervals, the PFD graphs
provide an indication of each parts proof test.
The PFD Charts can be viewed by selecting the "PFD Charts" button on the right side of the results
header. A window will open showing four PFD charts, one for the sensor group, logic solver, final
element group and overall SIF.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 212 of 292
 20.10 SILver Worksheet - Features
There are several features build in the SILver Worksheet. In most cases these are available for sensor
groups, final element groups, and the logic solver.

20.10.1 SIF Diagram

At the top of the SILver worksheet, an abstract graphical representation of the SIF is provided in the
SIF diagram. From left to right, the diagram shows:
l Sensor group name
l Voting within the sensor group
l Voting between sensor groups
l Logic solver name
l Voting between final element groups
l Voting within the final element group
l Final element group name

20.10.2 Beta Estimator

The beta factor is the common cause factor; this is the percentage of failures that is subject to common
cause. The beta factor must be entered as an integer between 0 and 100%. For 1oo1 configurations, no
beta factor needs to be entered.
Apart from the equipment selected for redundant configurations, the beta factor is the most dominant
parameter when it comes to the behavior of the redundant configuration. Making the (unrealistic) claim
that the beta factor is equal to 0% would indicate a true redundant behavior where no two failures can
occur at the same time. The other extreme claim would be a beta factor of 100%. This would indicate
that the redundant units of the configuration always fail at the same time, i.e. the configuration would
behave as a single, non-redundant configuration.
If you are uncertain as to what beta factor to select you can use the Beta Estimator. Group Voting is
selected in the Sensor Group or Final Element Group Views. If a redundant voting configuration is
chosen, a beta factor window will appear with a default value of 10%. To launch the Beta Estimator,
select the Beta Estimator button next to the beta factor window.
The Beta Estimator evaluates the beta factor to be used for common cause modeling based on the
method presented in IEC 61508-6 for sensors and final elements. The tool presents statements about the
measures that influence the occurrence of common cause failures and thus the value of the beta factor
for the application. To estimate the beta factor one must ascertain which statements apply to the
system in question and check the relevant boxes.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 213 of 292
 The scoring has been designed to allow for items that are not mutually exclusive. For example, a system
with logic subsystem channels in separate racks is entitles to score for "Are the logic subsystem channels
in separate cabinets?" and that for "Are the logic subsystem channels on separate printed circuit-
boards?". A number of items relate to the operation of the system, which may be difficult to predict a
the design time. In these cases, the designers should make reasonable assumptions and subsequently
ensure that the eventual user of the system is made aware of these assumptions. You can either
manually enter the resulting beta factor on the Sensor Group or Final Element Group views or have the
beta estimate automatically copy the calculated beta factor.

20.10.3 Proof Test Coverage Calculator

Proof test coverage is an indication of the amount (percentage) of failures that are revealed during a
proof test that were not detected by automatic diagnostics. A proof test can be performed online or
offline. Proof Test coverage, in combination with the mission time, can have a drastic effect of achieved
PFDavg. The higher the proof test coverage the lower the calculated PFDavg; the lower the proof test
coverage, the higher the calculated PFDavg will be for constant mission time intervals.
The proof test coverage factor ranges from 0 to 100%. If the analyst is makes the assumption of a perfect
proof test (proof test coverage is 100%), it is implied that all failures unrevealed during normal operation
are revealed during the proof test and that the device is as new after the proof test. On contrast, a proof
test factor of 0% would indicate that the proof test does not reveal any undetected failures or that the
proof test is simply not performed.
Many manufacturers have published suggested proof tests with associated proof test coverage factors.
This information is part of exida's Safety Equipment Reliability Handbook database. Based on the
equipment selections made, and the associated proof tests and proof test coverages in the exida SERH
database, the Proof test coverage calculator will automatically determine the overall proof test coverage
for your sensor group, logic solver, or final element group.
By default, the Proof Test Coverage Calculator will calculate the respective proof test coverage based on
your equipment selection. To review the calculated coverage factor, you can click on the icon. The
Proof Test Coverage dialog box will appear showing the individual device proof test coverage as well as
the weighted average for the sensor group, logic solver, or final element group. The calculated proof test
coverage will automatically update with any equipment selection change you make.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 214 of 292
 If you prefer to manually enter your proof test coverage factor instead of using the coverage factors
associated with the equipment you have selected, simply check the Override Equipment Data checkbox
and a proof test coverage factor field will appear for you to manually enter the coverage factor that you
want to assume in the calculation.

20.10.4 Partial Valve Stroke Test Coverage Calculator

Partial Valve Stroke Test coverage is an indication of the amount (percentage) of failures that are
revealed during a partial valve stroke test that were not detected during normal operation. The partial
valve stroke coverage factor ranges from 0 to 100%. For all Remote Actuated Valve type final element
devices in exida's Safety Equipment Reliability Handbook database, there are two sets of failure rates. A
failure rate that applies in normal operation and a failure rate that applies in partial valve stroke test
operation (even if partial valve stroking does not provide any benefit, i.e. the normal and partial valve
stroke test failure rates are identical). The Partial Valve Stroke Test Coverage calculator will
automatically determine the overall partial valve stroke test coverage for your final element group based
on your equipment selection and the associated failure rate sets in the exida SERH database.
By default, the Partial Valve Stroke Test Coverage Calculator will calculate the respective partial valve
stroke test coverage based on your equipment selection. To review the calculated coverage factor, you
can click on the icon. The Partial Valve Stroke Test Coverage dialog box will appear showing the
individual device partial valve stroke test coverage as well as the weighted average for the final element
group. The calculated partial valve stroke test coverage will automatically update with any equipment
selection change you make.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 215 of 292
 If you prefer to manually enter your partial valve stroke test coverage factor instead of using the
coverage factors associated with the equipment you have selected, simply check the Override
Equipment Data checkbox and a partial valve stroke test coverage factor field will appear for you to
manually enter the coverage factor that you want to assume in the calculation.

20.10.5 Proven In Use Justification

exSILentia allows you to identify if a specific equipment item is considered Proven in Use. The Proven In
Use concept allows a user to justify the use of a specific component that has not been assessed per IEC
61508. The justification that the user is to provide along with the Proven In Use claim is intended to
demonstrate that the product in that specific use does not have any systematic failures. With the Proven
In Use Justification the end-user takes away the burden for the manufacturer to demonstrate that they
followed good engineering practices while developing the product. This is a significant responsibility the
end-user takes on themselves so exida urges you to be conservative in the use of the Proven In Use
check box on these property dialog boxes.
Claiming Proven In Use will impact the SIL verification results in two ways. First, IEC 61511 architectural
constraints allows reduction of the minimum Hardware Fault Tolerance by 1 if a device is proven in use
(note that other requirements apply as well thought compliance with these requirements is trivial).
Secondly, if you claim proven in use for a device you are able to specify its Systematic Capability, i.e. the
SIL level up to which you claim that the systematic integrity of the proven in use is identical to that of a
product developed per IEC 61508.
To complete the Proven In Use Justification in exSILentia, first specify your equipment selection. Once
you have chosen your equipment, whether from exida's SERH database or a user defined device, you can
then open the device details using the edit button . In the device details view, you can select the
Proven In Use check box. A dialog box will open asking if you would like to document the Proven In Use
Justification for this device. If so, select "Yes". This will open a new window. Select the edit button
and you will see a checklist appear.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 216 of 292
 The Proven In Use Justification checklist will allow you to specify the application that the proven in use
justification applies to. It also allows you to specify the specific revision of the product. The specific
application is important to ensure that the proven in use justification actually applies to the proposed
use of the equipment in the safety instrumented function, for example, proven experience in control
(dynamic) environment may not suit safety (static) application use. The revision is especially important
with regard to the software version of the product as this is usually the place with the majority of
systemic failures.
exida has specified a set of Proven In Use Justification criteria based on the IEC 61508 and IEC 61511
functional safety standards. The intent of the justification is to provide a rationale and reference to
reference documents why a criterion is met for the specific equipment item.
At the top of the dialog box, the Device Model and Device Usage should be automatically filled in. Then
you can document the revision of the Proven In Use Justification documentation, input the Device
Systematic Capability you are claiming, and list the Preparing Engineer and Project Engineer from the
team members listed in the Library. Next you will see a list of PIU Justification Requirements. For each
requirement that applies to your application, you select the adjacent check box. You can then document
your rationale and link any references from the library that apply. For those requirements that are not
met by the application, there is a space at the bottom to specify a basis for proven in use without those
requirements.
Once you complete a Proven In Use Justification it will be stored as part of the exSILentia project. If you
want to claim proven in use on the same device for a different SIF, simply choose the item from the drop
down list at the top of the Proven In Use Justification window. The Proven In Use Justification
documentation is stored in the Library for each Device Model.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 217 of 292
 20.10.6 SILver Parameter Update Utility
Occasionally when you are working on the conceptual design verification of a number of SIFs, based
design parameters get change and you see yourself needing to update a large number of SIFs. For
example, mid project it could be decided that the mission time for the overall SIS needs to be set to 25
years from 20 years. Instead of manually updating each SIF individually, you can use the SILver
Parameter Update Utility. To do so click the SIF Overview button in the SILver worksheet header. The
SIF Overview dialog will appear. On the left hand side of the dialog you will see a list of all your SIFs and
their currently specified parameters. On the right hand side of the dialog you will see an overview of all
parameters that you can modify at once within the SILver module.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 218 of 292
 To modify a specific parameter, e.g. mission time, enter the new value in the corresponding field on the
right hand side of the dialog. Then make sure the check mark on the right of the specific value is
highlighted. Next select the SIFs that the specific update needs to be applied to and click on the Apply
To Selected SIFs button.

20.11 SILver Worksheet - Tags

Tag information can be applied to each sensor and final element legs. Though the tag information is not
critical for the SIL Verification calculation, it can be used in the SRS, SILstat, the DeltaV SIS Configurator,
and third party tools that interface with exSILentia.
To add tag information, select the sensor or final element leg in the navigation tree. At the bottom, there
is a section labeled "Equipment Tag". On the far right there is a + button. If you select that + button, a
window will open from the library that will allow you to enter the tag information. This includes:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 219 of 292
 l Name: Here you would type in the tag name to be used in your application logic.
l Description: Here the user can describe the sensor or final element leg and the impact it has on
the system
l Unit of Measure: Input the unit of measure.
l Type: Chose from Sensor Type or Final Element Type.
l Input Type (Sensor Type Only): Chose from Process or Discrete
l Process Value (Sensor Type Only): Chose from Analog or Digital
l Range Low (Analog Sensor Type Only): Input the process value at 4 mA in the unit of measure
specified above.
l Range High (Analog Sensor Type Only): Input the process value at 20 mA in the unit of measure
specified above.
l Tolerance (Analog Sensor Type Only): Input the tolerance for the Range Low/High values.
l Profiles: Multiple profiles can be assigned to each tag.
l For Sensor Type, Analog: Input the trip direction, the limit (or set point), and the basis of

the limit.
l For Sensor Type, Digital: Input the trip direction, and the basis.

l For Final Element Type, Remote Actuated Valve: Input the action, fail position and if

tight shutoff is required.

l For Final Element Type, Non-Remote Actuated Valve: Input trip action and fail position.

Note: If you plan to use this information in your safety logic configuration this must match the
nomenclature used in the application program.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 220 of 292
 20.12 SILver™ Reports
There are several SILver™ specific reports in exSILentia®. These are
l Proven In Use Report: Documents the Proven In Use justification for a device entered into the
SILver module.
l SIF List: Provides an overview of all the safety instrumented functions that are associated with
the current project. Details include the tag, name, description, status, required SIL and RRF, and
achieved SIL and RRF.
l SIF Detailed Report: Documents all required information for functional safety standard
conformance.
l SIF Summary Report: Provides a one page summary of key SIL Verification selections and results
of each SIF. Details include achieved SIL, calculated PFDavg, RRF and MTTFS results, as well as a
graphical representation of the SIF as modeled in SILver.
For the SILver Summary Report there are several report options which allow you to specify the order of
the SIFs as which SIFs to include in the summary report.
In order to generate one of the SILver™ reports select the Proven In Use Report, SIF List, SILver Detailed
Report, or SILver Summary Report option from the Report Wizard. The Report Wizard will show applicable
Report Options.

20.13 SILver™ Data Export

SILver allows you to export SIL verification data into excel including.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 221 of 292
 The SILver Summary Export documents SIF information in an excel format. Includes:
l Project
l Unit Name
l SIF Name
l SIF Tag
l SIF Description
l Required SIL
l Achieved SIL
l Achieved RRF
l Achieved PFDavg
l SIL (Arch. Const.)
l SIL Capability
l MTTFS
l Proof Test Interval and Coverage for each device
l Limiting Subsystem
The SILver Tags Export documents information in an excel format including:
l SIF Name
l SIF Parts
l Part Tags
l Part Group
l Achieved SIL
In order to generate one of the SILver™ exports, navigate to the top menu and select Export and Export
Data, them choose from SILver Summary Export and SILver Tags Export.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 222 of 292
 Chapter 21 Design SRS
The Design SRS tab navigates to the exSILentia® v4 detailed design Safety Requirements Specification
tool Design SRS. Availability of the Design SRS tab, and therefore the Design SRS tool, is based on your
exSILentia® v4 license (see Chapter 1 Introduction for an overview of the exSILentia® v4 license options).
The Design SRS tool allows detailed design specification of functional requirements for each Safety
Instrumented Function (SIF) identified in the exSILentia® project. The detailed design requirements are a
result of the conceptual design evaluation performed using the SILver™ tool.

21.1 Introduction
The Design Safety Requirements Specification functionality in the DSRS tool uses a template type
interface that enables the specification of general SIS, general SIF, and SIF specific requirements.
In the subsequent sections the DSRS worksheet, its template structure and integrated relationship
between general SIS, general SIF, and SIF specific requirements, and its reporting capability will be
explained. The available interfaces with the SILect™ and SILver™ tools will also be addressed.

21.2 Design SRS Worksheet

The Design Safety Requirements Specification functionality in the Design SRS tool uses a template type
interface that enables the specification of general SIS, general SIF, and SIF specific requirements. The
output of the Design SRS tool is a detailed Design Safety Requirements Specification document meant to
communicate the conceptual SIF design to the implementation team. Much of the information needed in
the DSRS will already be specified in the SILver tool. Any changes to the SILver twool will automatically
update the DSRS template. The work flow is setup such that you define general requirements first and
then transfer those requirements to the individual SIF specific requirements. The SRS worksheet consists
of three main areas: the SIF navigation tree, and the SIF Worksheet and System Level Worksheet.

21.2.1 Creating Safety Instrumented Functions

Within exSILentia® v4 Safety Instrumented Functions (SIF) are Safeguards of Safeguard Category Type
IPF (Instrumented Protection Function) where the "Is SIF" property is checked. The exSILentia® v4 SIFs
therefore comprise of many related data fields inherited from Safeguards, IPFs, and SIF specific fields.
Each SIF has a unique Safeguard ID which is automatically generated and assigned to ensure relational
data integrity. SIFs should be specified in the library or in PHA, LOPA, SILect, SRS or SILver. You should
complete your SIL Verification calculations for each SIF before working on the Design SRS.
To edit the SIF properties:
l Right click on the SIF in the SIF navigation list and select view, or
l Edit the SIF Name and SIF Tag directly in the toolbar
To delete a SIF:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 223 of 292
 l Select the SIF in the SIF navigation list
l Right click on the SIF and select Delete, click on the Delete SIF button, or click on the Delete key
on your keyboard
l Click on Yes when asked if the SIF is really to be deleted

CAUTION: Deleting a SIF will delete all instances where the SIF was used. This will include any
linking done in the PHAx™, LOPAx™, SILect™, and/or SILver tools.

21.2.2 General SIF Requirements

The General SIF Requirements section allows you to specify requirements that are valid for all SIFs. You
will be able to copy these general requirements to the individual SIF Specific Requirements.
To edit the DSRS General SIF Requirements:
l Select General SIF Requirements tab on the right hand panel of the DSRS.
l Edit the relevant information in this tab.

21.2.3 SIF Specific Requirements

The SIF Specific Requirements are, as their name already indicates, specified for each SIF individually.
Though some requirements for different SIFs may be identical, and therefore specified in the General SIF
Requirements section, it is essential that each SIF is addressed individually to ensure that each SIF is
properly implemented. The SIF Specific Requirements are specified in the left hand area of the DSRS
worksheet. Simply select a SIF from the SIF navigation tree and edit the applicable fields.
There are two ways to copy specifications from the General SIF Requirements to SIF Specific
Requirements. You can copy data from the general SIF requirements to SIF specific requirements
l for all SIFs at once
l for one SIF at a time
To transfer data for all SIFs at once:
l Click on the Load data from General SIF Requirements to SIF Specific Requirements for all SIFs
button
To transfer data for one SIF at a time:
l Select the desired SIF in the SIF Navigation List
l Click on the Load data from General SIF Requirements to SIF Specific Requirements for current
SIF button
When transferring data, you will receive a warning that advises you that the General SIF Requirements
data will be merged into the existing SIF(s) Specific Requirements which could delete information that
you specified previously.

21.2.4 Sensor Legs, Auxiliary Input Legs and Parameters

The DSRS automatically accounts for the Sensor Legs specified in the SILver module. For each leg, the
leg type (analog or digital) is determined from the selections in the SIL Verification calculation. In
addition, the PID number, Model/Datasheet, Action, Comparison Tag and Maintenance Override can be
documented in the DSRS.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 224 of 292
 Auxiliary Input Legs can also be added to a SIF in the DSRS. To add a new Auxiliary Input Leg, select 'Add
Auxiliary Leg' in the SIF Specific Sensor Section of the DSRS. Here you can enter Name, Description,
Type, PID number, Model/Datasheet, Action, Comparison Tag and Maintenance Override.
Finally Auxiliary Input Parameters can be added to a SIF in the DSRS. To add a new Auxiliary Input
Parameter, select 'Add Auxiliary Parameter' in the SIF Specific Sensor Section of the DSRS. Here you can
enter the Name, Description, Type, Security, Unit of Measure, Range, Setpoint and Trip Direction.

21.2.5 Final Element Legs, Auxiliary Output Legs and Parameters

The DSRS automatically accounts for the Final Element Legs specified in the SILver module. For each leg,
the leg type is determined from the selections in the SIL Verification calculation. In addition, the
PID number, Model/Datasheet, Action, Resent Options and ETT or DTT selection can be documented in
the DSRS.
Auxiliary Output Legs can also be added to a SIF in the DSRS. To add a new Auxiliary Output Leg, select
'Add Auxiliary Leg' in the SIF Specific Sensor Section of the DSRS. Here you can enter Name, Description,
Type, the PID number, Model/Datasheet, Action, Resent Options and ETT or DTT selection.
Finally Auxiliary Input Parameters can be added to a SIF in the DSRS. To add a new Auxiliary Input
Parameter, select 'Add Output Parameter' in the SIF Specific Sensor Section of the DSRS. Here you can
enter the Name, Description, and Type.

21.3 Design SRS Data Transfer

The exSILentia® v4 integration of Process Safety / Functional Safety software tools allows for seamless
data exchange between the different phases of the Lifecycle. The Design SRS is meant to document the
conceptual design based on SIL Verification. Much of the information input into the SILver module will
be included in the Design SRS report. This will be done automatically, and any changes to the SILver tool
will update in Design SRS without any prompt from the user.

21.4 Design SRS Reports

In order to generate a Design SRS report select the Design SRS Report option from the Report Wizard.
There are no Report Options for the Design SRS report.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 225 of 292
 Chapter 22 Proof Test Generator
The Proof Test Generator tab navigates to the exSILentia® v4 proof test generator tool. Availability of the
PTG tab, and therefore the Proof test generator tool, is based on your exSILentia® v4 license (see Chapter
1 Introduction for an overview of the exSILentia® v4 license options). The proof test generator tool
provides and easy way to generate a proof test plan for the equipment items specified as part of your
Conceptual Design verification using the SILver™ tool.

22.1 Introduction
Proof Test Generator is an automated way to create a draft proof test plan for inclusion in your
mechanical integrity program. The Proof Test Generator can save you hours of engineering time as it will
provided specific proof test for each equipment item specified as part of your Conceptual Design
verification using the SILver™ tool. The proof tests are directly obtained from the exida Safety Equipment
Reliability Handbook (SERH) database which contains both the proof test steps as well as the associated
proof test coverage.
A proof test is a manual test designed to reveal equipment item failures undetected by automatic
diagnostics during normal operation. This includes both safe and dangerous undetected failures as well
as diagnostic failures. The proof test interval in combination with the comprehensiveness of the proof
test, expressed through the proof test coverage, can have a dramatic impact on the achieved Safety
Integrity Level for the SIF that the equipment item is part of.

22.2 Proof Test Generator Worksheet

The PTG module should be used to create proof test procedures on the SIF devices modeled during SIL
Verification. Once the conceptual design for a SIF is finalized, open the PTG module and select 'Create all
Proof Tests' button. If you have already created some proof tests but want to add more to the module,
select the 'Create Missing Proof Tests' button instead. Proof Tests can be defined per SIF, Group, or Leg.
This is a project wide setting that can be made in the Project Configuration under the Proof Test Settings
entry.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 227 of 292
 In the Proof Test Generator (PTG) module, the navigation tree view options include organizing the proof
tests per SIF (Group by SIF), or simply listing the proof tests (No Grouping). For proof tests organized per
SIF, the proof test can be created on the same level the the proof test is defined. The other levels are
shown as reference, but are not used to build the proof test. In this case, the proof test pane will indicate
'No proof test on this level'. Simply navigate to the level on which the proof test will be defined.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 228 of 292
 22.2.1 Proof Test Suggestions
Many SIF devices specified using exida's SERH have associated proof test steps that help to determine
the proof test coverage used in the SIL Verification calculation. These steps are not application specific
and are often provided from the manufacturer. In the 'Proof Test Suggestions' pane, to the right of the
navigation tree, the PTG module automatically populates these suggestions for the user to apply to the
proof test procedure. This can be done by selecting the arrow button next to each step to apply steps
one at a time. To apply all steps at once select the apply all suggestions button in the column between
the suggestions and the proof test.

Proof Test suggestions can be modified in the library in the Device Model view. Before making changes
remember that the steps provided correlate to the proof test coverage used in the SIL Verification
calculation. Changing the procedure to exclude steps would affect this coverage, rendering your results
invalid. However, information specific to the application or site may be added without affecting the
coverage. User defined steps may also be added to the Device Model library and will automatically
populate along with steps provided by the SERH.

22.2.2 Proof Test Procedure

In the far right pane the proof test procedure can be customized. Each proof test can be given a Name,
Description, Creation Date, Author and Status. You can indicate if a Final Comment is mandatory for
each proof test and add custom data as needed.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 229 of 292
 Steps can be added directly to the proof test using the 'Add Step' button. If any suggestions were
applied, they will appear in the Proof Test Procedure as well. Here the steps can be specified further.
This includes editing the text to add any application or site specific information to this procedure. They
can be re-ordered or deleted using the arrow and delete buttons to the far right of each step. The layout
can be specified to indicate the response or result required by the recorder of the proof test. Passing
criteria can also be specified. Child steps can be added by selecting the plus button next to the layout for
each step.
The different layouts include:
Text - In this case no passing criteria need be specified. The recorder is expected to write in
results.
Boolean - In this case a checkbox will appear. The user can indicate if the box should be checked
or left unchecked for passing criteria.
Number - In this case you can indicate that the result should be a value greater than, less than,
greater than or equal to, less than or equal to, equal to, not equal to or greater than or equal to
AND less than or equal to the specified value. A tolerance can be added for passing criteria, and
unit of measure can be indicated.
None - In this case a checkbox will appear to show that the step is completed, and nothing more.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 230 of 292
 Upon completion of each proof test the status can be changed to 'Complete'. A green checkmark will
appear in the navigation tree to show which proof tests are complete. The header at the top of the
module shows number of 'Proof Tests Created' and 'Proof Tests Completed'. All proof tests created are
saved in the library, under Proof Tests.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 231 of 292
 22.2.3 Starting PTG with an Existing Project File
If the SIL Verification was completed in a project file 4.7 or earlier, the SERH may need to be updated
before starting with the PTG. This will ensure the proper suggestions are given in the PTG module. To
update the SERH, use the SERH widget on the Dashboard. This can be found by navigating to the
Dashboard tab, and selecting the green plus button on the far right hand side. This shows all the widgets
available for the dashboard. Select the widget titled 'exida Safety Equipment Database'. The widget will
open on the dashboard. Select the checkbox that says show all devices. Make sure all are highlighted
and then select the 'Update All' button. This will populate the proof test suggestions needed to create
your proof test.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 232 of 292
 22.3 Proof Test Generator Reports
In order to generate a Proof Test report select the Proof Test Procedures option from the Report Wizard.
The Report Wizard will show applicable Report Options.
The Report Option allows you to choose a report organized per SIF or per Proof Test. For each you can
choose to include all defined in the project, or select individual tests to be included.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 233 of 292
 Chapter 23 Lifecycle Cost Estimator
The Cost tab navigates to the exSILentia® v4 Lifecycle Cost Estimator tool. Availability of the Cost tab,
and therefore the Lifecycle Cost Estimator tool, is based on your exSILentia® v4 license (see Chapter 1
Introduction for an overview of the exSILentia® v4 license options). The Lifecycle Cost Estimator tool
supports the evaluation of a Safety Instrumented Function's conceptual design on the basis of expected
overall lifecycle cost, accounting for aspects such proof test cost and proof test frequency. The Lifecycle
Cost Estimator tool can assist in making an economical justification why a particular conceptual design
may be better than an alternate conceptual design where both meet the same functional and integrity
requirements. The Lifecycle Cost Estimator takes many aspect into consideration, including spurious trip
rates, frequency of proof tests, maintenance requirements, installation cost etc., and determines based
on a discount rate what the net current cost is of a proposed Safety Instrumented Function. Many of the
parameters that impact overall lifecycle cost are automatically obtained from the conceptual SIF design
as modeled in the SILver™ tool.
In addition, the exSILentia® v4 Lifecycle Cost Estimator tool allows you to perform a cost benefit analysis
for a particular SIF, determining the financial impact of a SIF on overall plant risk.

23.1 Introduction
The lifecycle cost estimation functionality in the Cost tool use s a spreadsheet type interface to allow
you to specify SIF equipment, Design and Implementation, and Operation and Maintenance cost.

In the subsequent sections the Cost worksheet for both Lifecycle Cost Estimation and Cost Benefit
Analysis will be explained, as wells as the reporting capability. Interactions with the library regarding
items as Device Models and Team Members will also be addressed.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 235 of 292
 23.2 Lifecycle Cost Estimator Worksheet
The Lifecycle Cost Estimator worksheet consists of two sub-worksheets, the Estimator worksheet and
the Cost Benefit Analysis worksheet. The cost benefit analysis relies on information specified as part of
the estimator work, so always start with the estimator.

23.2.1 Estimator worksheet

The estimator worksheet is divided into several sections to make specifying the individual cost aspects
easy.

SIF equipment

The SIF Equipment area shows all device models that are part of the specific SIF. The Cost tool
automatically determines the total quantity of device used for each device model as specific in the
SILver™ tool. For each device, you can specify:
l Cost per Device
l Reserve
The cost per device is automatically associated with the specific device model, meaning that if you
specify a cost for a device model here, it will automatically be used for all estimations that use the same
device model. This also means that you can specify the cost per device in the Device Model library.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 236 of 292
 Design and Implementation

Design and Implementation cost are specified on a task basis.

To add a design and implementation task click the Add New Task button. You can now specify a
description for the task, e.g. SIL verification. You can then add a Role to the task by clicking on the Add
Role button. Once a role is added to a task you can select the team role from the drop down list. The
roles available are specified in the Project Configuration, see section 8.6 Team Roles. For each role you
can then calculate the Labor Cost by specifying:
l Hourly Rate
l Number of People
l Hours per Person
The hourly rate is automatically associated with the specific team role, meaning that if you specify an
hourly rate for a team role here, it will automatically be used for all estimations that use the same team
role. This also means that you can specify the hourly rate in the Team Roles section of the Project
Configuration.
Next you can specify Materials Cost and a Reserve per Task to determine the Task Subtotal.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 237 of 292
 Operation and Maintenance

Operation and Maintenance Cost are further divided into Plant Events, Proof Tests, Routine
Maintenance, and Other Tasks. For each section events can be defined similar to the tasks in the Design
and Implementation cost section. In addition to the fields available for the Design and Implementation
tasks, the Operation and Maintenance section also include a field to specify the frequency of the event
per year.

23.2.2 Cost Benefit Analysis worksheet

The cost benefit analysis worksheet shows all Hazard Scenarios that the current SIF is protection
against. You can specify the cost per occurrence of the Hazard Scenario for each severity category. If you
used exSILentia™ LOPA tool on this project the frequency of occurrence of the hazard without the SIF
will be automatically calculated. Given the probability of failure of the SIF as calculated in SILver and the
SIF cost as determined in the estimator portion of the Cost tool, the annualized cost of the Hazard
Scenario with and without the SIF is calculated.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 238 of 292
 23.3 Lifecycle Cost Estimator Reports
In order to generate a Lifecycle Cost Estimator report select the Lifecycle Cost Report option from the
Report Wizard. The Report Wizard will show applicable Report Options.
The Report Option allows you to include or exclude SIFs in your Lifecycle Cost report.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 239 of 292
 Chapter 24 exSILentia® Cyber
The CyberPHA tab navigates to the exSILentia® v4 cyber process hazard analysis tool CyberPHAx™
whereas the CyberSL™ tab navigates to the exSILentia® v4 cyber security level tool CyberSL™. Availability
of the CyberPHA and CyberSL tabs, and therefore the exSILentia® Cyber tools CyberPHAx™ and
CyberSL™, is based on your exSILentia® v4 license (see Chapter 1 Introduction for an overview of the
exSILentia® v4 license options). The CyberPHAx™ tool allows cyber risk assessment to be performed
based on the process industry Hazard and Operability (HAZOP) methodology. The CyberSL™ tool allows
for a security level evaluation to be performed on the various countermeasures identified for a particular
threat.

24.1 CyberPHAx™
The CyberPHAx™ tool allows cyber risk assessment to be performed based on the process industry
Hazard and Operability (HAZOP) methodology.

24.1.1 Introduction
Since the cyber risk assessment approach is based on the HAZOP methodology, CyberPHAx™ shows
many similarities with exSILentia® PHAx™, see Chapter 16 PHAx™ . The CyberPHAx™ tool uses a
spreadsheet type interface with defined columns for the various cyber risk assessment items.
In the subsequent sections the CyberPHAx™ tool hierarchy, the worksheet, and its reporting capability
will be explained.

24.1.2 Hierarchy
The hierarchical top level for an exSILentia® v4 project is a plant. Within the plant level several cyber
zones can be defined and within the cyber zone level, cyber nodes can be defined. Threat vectors which
are the cornerstone of the cyber risk assessment are defined for each cyber node.
l Plant (exSILentia® v4 project)
l Cyber Zones

l Cyber Nodes

l Threat Vector

Cyber Zones

A cyber zone allows division of an exSILentia® v4 project plant.

To add a Cyber Zone:
l Click on the green plus (+) symbol in the Cyber Zone row
l Edit the Cyber Zone Properties, i.e. Name , select the Plant Type from the drop down box
(optional), and select the Process Type from the drop down box (optional)
l See section 8.1 for more information on Plant and Process Types

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 241 of 292
 Note: The default value for Plant Type is Unknown . The Process Type field will remain blank
without drop down box selections until a Plant Type has been defined.

Upon completion of all study items associated with a particular cyber zone, the Complete check box can
be checked. The box to the far right of the unit will turn orange and show a green bold check mark.
To navigate between cyber zones you can use the navigation tree in the left hand side bar, click the
Cyber Zone drop down box and select the desired Cyber Zone, or click on the up or down icons
until the applicable Cyber Zone is selected.
To modify a Cyber Zone:
l Highlight the Cyber Zone
l Click the icon
l Edit the Cyber Zone Properties, i.e. Name , select the Plant Type from the drop down box
(optional), and select the Process Type from the drop down box (optional)
To delete a Cyber Zone:
l Highlight the Cyber Zone
l Click on the red minus (-) symbol in the Cyber Zone row
l Click Yes to confirm you want to delete the Cyber Zone
l This will remove that Cyber Zone, its Cyber Zone Properties, and all associated data

Cyber Nodes

A HAZOP Cyber Node represents a specific section of the cyber zone system in which threat vectors are
evaluated.
To add a Cyber Node:
l Select the Cyber Zone where the node will be added
l Click on the green plus (+) symbol in the Cyber Node row
l Edit the Cyber Node Properties, i.e. Name, Node Intention, and Comments (optional)
l To take advantage of Smart Threat Vectors:
l Check the Smart Threat Vectors check box

l Within the Cyber Node Window, select the cyber node type from the drop down box

Upon completion of all study items associated with a particular Cyber node, the Complete check box can
be checked. The box to the far right of the node will turn orange and show a green bold check mark.
To navigate between cyber nodes you can use the navigation tree in the left hand side bar, click the
Cyber Node drop down box and select the desired Cyber Node within a Cyber Zone, or click on the up
or down icons until the applicable Cyber Node is selected for the selected Cyber Zone.
To modify a Cyber Node:
l Highlight the Cyber Node
l Click the icon
l Edit the Cyber Node Properties, i.e. Name, Node Intention, and Comments (optional)
To delete a Cyber Node:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 242 of 292
 l Highlight the Cyber Node
l Click on the red minus (-) symbol in the Cyber Node row
l Click Yes to confirm you want to delete the Cyber Node
l This will remove that Cyber Node, its Cyber Node Properties, and all associated data
You can link references from the reference library (see section 13.4 for more information on the
Reference Library) to a Cyber Node by clicking on the link Icon and selecting a reference from the list
of available references. Once a reference is linked, you can click on the red minus (-) symbol to remove
the link.

Threat Vectors

A Threat Vector is a way in which the process conditions may depart from its design/process intent. It is
created by evaluating the susceptibility of the specific Cyber Node.
If you selected the Smart Threat Vectors check box when defining the Cyber Node the threat vectors
associated with the specific Cyber Node Type will be automatically defined for the Cyber Node. The
following steps can be used if you did not use Smart Threat Vectors or want to add or modify the Smart
Threat Vectors. You will also be able to delete a smart threat vector if it is not applicable to the Cyber
Node, however to document that you considered the specific threat vector it is better to leave it in the
project and mark it as not applicable.
To add a Threat Vector:
l Select the Cyber Node where the threat vector will be added
l Click on the green plus (+) symbol in the Threat Vector row
l Edit the Threat Vector Properties, i.e. Name and Design Intent
Upon completion of all study items associated with a particular threat vector, the Complete check box
can be checked. The box to the far right of the threat Vector will turn orange and show a green bold
check mark.
If for a threat vectors no threats or consequences of no significance are found, then the “No Issues”
check box can be checked. This will document “No Issues Found ” on the worksheet.
To navigate between threat vectors you can use the navigation tree in the left hand side bar, click the
Threat Vector drop down box and select the desired Threat Vector within a Cyber Node, or click on the
up or down icons until the applicable Threat Vector is selected for the selected Cyber Node.
To modify a Threat Vector:
l Highlight the Threat Vector
l Click the icon
l Edit the Threat Vector Properties, i.e. Name and Design Intent
To delete a Threat Vector:
l Highlight the Threat Vector
l Click on the red minus (-) symbol in the Threat Vector row
l Click Yes to confirm you want to delete the Threat Vector
l This will remove that Threat Vector, its Threat Vector Properties, and all associated data

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 243 of 292
 24.1.3 CyberPHA Worksheet
The CyberPHAx™ tool worksheet uses columns for the selected Threat Vector in a spreadsheet type
interface. This allows the Threat data to be viewed quickly so one Threat-Consequence pair can be
compared to another Threat-Consequence pair within the same Threat Vector. Within the worksheet
columns buttons exist for adding Threats, Consequences, Countermeasures, and Recommendations. For
Threats and Consequences content can be edited directly from within the worksheet. Content for the
Countermeasures and Recommendations can also be directly edited from within the worksheet,
however as they are part of the Project Libraries (see Chapter 13 Project Libraries ) additional
functionality is available. Within the worksheet you will be able to add a new Countermeasure or
Recommendation. When you begin typing a new name for a Countermeasure or Recommendation the
auto-complete feature will display a list of Countermeasures or Recommendations which match the
entered text. You can double click on an item in the list to create a link between the relevant
Countermeasure or Recommendation and the current Threat-Consequence pair.

Threats

CyberPHAx™ threats are comprised of four related data fields, i.e. ID, Description, Threat Category, and
Threat Likelihood. The Threat ID is automatically generated and assigned to ensure relational data
integrity. If more than one Likelihood Category was defined in the Risk Matrix, a drop down list will allow
you to select the applicable Threat Category. The Threat Likelihood is intended to be the likelihood with
NO Countermeasures or the scenario where all countermeasures have failed. When combining the
Threat Likelihood with the Consequence Severity a Risk Without Countermeasures is obtained from the
Risk Matrix. The Threat Likelihood is selected from a drop down list of likelihoods configured within the
Risk Matrix. The list that appears is based on the associated Threat Category.
To add a Threat :
l Click on the Add Threat button at the bottom of the CyberPHA worksheet
l Edit the Threat Properties, i.e. Description, Threat Category, and Threat Likelihood
l Once a Threat Description has been entered you can click the Enter key on your keyboard to add
a new Threat
To delete a Threat :
l Highlight the Threat ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Threat is really to be deleted

CAUTION: Deleting a Threat will delete all consequences, countermeasures, and recommendations
that are related to it.

Consequence

CyberPHAx™ consequences are comprised of five related data fields, i.e. ID, Description, Consequence
Category, Severity, and Risk. The Consequence ID is automatically generated and assigned to ensure
relational data integrity. If more than one Consequence Category was defined in the Risk Matrix, a drop
down list will allow you to select the applicable Category. The Consequence Severity is selected from a
drop down list that is based on the Consequence Category selected. The Risk, representing the risk
without countermeasures, is automatically determined based on the Risk Matrix given the Threat
Likelihood and Consequence Severity selected.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 244 of 292
 To add a Consequence:
l Click on the Add Consequence button that is in line with the Threat that you want to add the
Consequence to
l Edit the Consequence Properties, i.e. Description, Consequence Category, Severity, and Risk
l Once a Consequence Description has been entered you can click the Enter key on your keyboard
to add a new Consequence
To delete a Consequence:
l Highlight the Consequence ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Consequence is really to be deleted

CAUTION: Deleting a Consequence will delete all countermeasures and recommendations that are
related to it.

Countermeasures

CyberPHAx™ countermeasures are comprised of four related data fields, i.e. ID, Description,
Countermeasure Tag, and Countermeasure Category. The Countermeasure ID is automatically generated
and assigned to ensure relational data integrity. The Countermeasure Tag can be used to uniquely
identify a specific Countermeasure within a process plant. The Countermeasure Tag also enables links to
the Countermeasures from other applications. The Countermeasure Category is selected from a drop
down list. Categorizing Countermeasures allows for enhanced Countermeasure reporting. Furthermore
Countermeasure Category specific process safety information can be specified by clicking on the
Countermeasure Icon. In addition to the four data fields identified above, Custom Data/process safety
information data fields can be configured in the Custom Data section within the Project Configuration
(see section 8.7 ).
To add a New Countermeasure:
l Click on the Add Countermeasure button that is in line with the Consequence that you want to
add the Countermeasure to
l Edit the Countermeasure Properties, i.e. Description, Countermeasure Tag, and Countermeasure
Category
l Once a Countermeasure Description has been entered you can click the Enter key on your
keyboard to add a new Countermeasure
To add a Countermeasure directly from the Countermeasure Library:
l Click on the Link Countermeasure Icon
l Highlight the Countermeasure to add
l Click on Add
To delete a Countermeasure :
l Highlight the Countermeasure ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Countermeasure is really to be deleted

Note: When a Countermeasure is deleted and it is the last place where it is used, you will be asked
if you want to permanently delete the Countermeasure from the Library. Click Yes or No as
applicable.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 245 of 292
 To edit the Custom Data/process safety information for a Countermeasure, click on the icon. The
applicable Custom Data entry form will appear.

Likelihood with Countermeasures

The Likelihood with Countermeasures is intended to reflect the Threat Likelihood assuming ALL
Countermeasures are successful. The Likelihood is selected from a drop down list of likelihoods
configured within the Risk Configuration. The list that appears is based on the associated Threat
Category.

Risk with Countermeasures

The Risk with Countermeasures is automatically determined based on the Risk Matrix given the
Likelihood with Countermeasures and Consequence Severity selected.

Recommendations

CyberPHAx™ recommendations are comprised of six related data fields, i.e. ID, Description, Category,
Assigned to, Due Date, and Status. The Recommendation ID is automatically generated and assigned to
ensure relational data integrity. The Recommendation Category is selected from a drop down list.
Categorizing Recommendation allows for easy recommendation sorting and reporting. The Assigned to
is selected from a drop down list. The list is populated with Member names that can be configured from
the Dashboard (see section 6.6 ). The Due Data is selected from the pop-up calendar. The Status is
selected from a drop down list where Open is the default value.
To add a New Recommendation:
l Click on the Add Recommendation button that is in line with the Consequence that you want to
add the Recommendation to
l Edit the Recommendation Properties, i.e. Description, Category, Assigned to, Due Date, and Status
l Once a Recommendation Description has been entered you can click the Enter key on your
keyboard to add a new Recommendation
To add a Recommendation directly from the Recommendation Library:
l Click on the Link Recommendation Icon
l Highlight the Recommendation to add
l Click on Add
To delete a Recommendation:
l Highlight the Recommendation ID
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Recommendation is really to be deleted

CyberSL

The CyberSL column allows the CyberPHA team to record if a detailed Cyber Security Level Verification is
required for a specific Threat-Consequence pair scenario. The drop down list allows a Yes, No, or N/A
(default) selection. When a Threat- Consequence pair scenario is to be further evaluated it can be
assigned to a Cyber Event Scenario. To add, edit, or remove a Cyber Event Scenario click on the Cyber
Event Scenario icon .

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 246 of 292
 Note: The Threat-Consequence pair will only be available for further evaluation in the CyberSL™
worksheet if the CyberSL drop down box selection is Yes, even when the Threat-Consequence pair
is assigned to a Cyber Event Scenario.

To create a new Cyber Event Scenario for a Threat-Consequence pair:

l Click on the green + symbol
l Edit the Cyber Event Scenario Properties, i.e. Name (the Cyber Event Scenario ID is automatically
generated and assigned to ensure relational data integrity)
l Once a Consequence Description has been entered you can click the Enter key on your keyboard
to add a new Consequence
To add a Cyber Event Scenario to a Threat-Consequence pair:
l Highlight the applicable Cyber Event Scenario
l Click on the Left arrow
To remove a Cyber Event Scenario from a Threat-Consequence pair:
l Highlight the assigned Cyber Event Scenario
l Click on the Right arrow

Comments

Comments can be edited directly in the Comments text box. A Comment is associated with a single
Threat. To delete a comment, highlight the text and click on the Delete key on your keyboard.

24.1.4 CyberPHAx Reports

In order to generate a CyberPHAx report select the Cyber PHA Report option from the Report Wizard.
There are no additional Report Options for the CyberPHAx report.

24.2 CyberSL™
The Cyber SL tool SL Verification analysis worksheet uses a spreadsheet type interface for the evaluation
of each Cyber Event Scenario. This provides a clear overview of the applicable cyber threats and
countermeasures for the respective Severity Categories. Within the worksheet interface buttons exist for
adding Threats (T), Countermeasures (CMR), Target Attractiveness (TA), Kill Chain Relevance (KCR), and
Conditional Modifiers (CM) to the Cyber SL Worksheet for a specific Cyber Event Scenario. Applicability of
a CMR, TA, KCR, and/or CM can be edited directly in the worksheet. As the Cyber Threats, Cyber
Countermeasures, Cyber Event Scenarios, Target Attractiveness, Kill Chain Relevance and Conditional
Modifiers are part of the Project Libraries (see Chapter 13 Project Libraries) they can be linked to existing
items. The Cyber SL worksheet consists of three main areas: the toolbar, the Cyber Event Scenario list,
and the workspace.
An example of the LOPAx™ tool layer of protection analysis worksheet is shown in the figure below.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 247 of 292
 24.2.1 Creating Cyber Event Scenarios
Cyber SL Cyber Event Scenarios are comprised of two related data fields, i.e. ID and Name. The Cyber
Event Scenario ID is automatically generated and assigned to ensure relational data integrity. Cyber
Event Scenarios can be defined manually within the tool or obtained from the work previously done
using the Cyber PHAx tool.
To add a Cyber Event Scenario:
l Click on the Add Cyber Event Scenario button in the upper left hand corner of the toolbar
l This will immediately add the Cyber Event Scenario to the Cyber Event Scenario list
To edit the Cyber Event Scenario Name:
l Right click on the Cyber Event Scenario in the Cyber Event Scenario list and select edit, or
l Double click the Cyber Event Scenario name in the upper left hand corner of the worksheet
To delete a Cyber Event Scenario:
l Select the Cyber Event Scenario in the Cyber Event Scenario list
l Click on the Delete key on your keyboard
l Click on Yes when asked if the Cyber Event Scenario is really to be deleted

CAUTION: Deleting a Cyber Event Scenario will delete all instances where the Cyber Event Scenario
was used. This will include any linking done in the Cyber PHAx tool.

24.2.2 Specifying Target Likelihood

Cyber SL uses Target Likelihood to help determine if the likelihood of a cyber event is tolerable. In case
the Likelihood of Success is higher than the Target Likelihood a Remaining Cyber Risk will be determined
that must be implemented to bring the likelihood to a tolerable level. For Cyber Event Scenarios that are
manually defined within the Cyber SL worksheet, Cyber SL will define a target likelihood of 1.00E-5
events per year. You can update these target likelihood by directly editing in the Cyber SL worksheet
toolbar. The target likelihood should be defined on a per year basis. Note that the target likelihoods do
not need the same for all Severity Categories.
When transferring data from Cyber PHA to Syber SL, the target likelihood will be automatically defined
based on the severity level selections related to the Cyber Event Scenario. The target likelihoods that are
used in this case were defined earlier in the Cyber Risk Configuration.

24.2.3 Cyber Threats (T)

A cyber threat represents the start of a cyber event scenario sequence. Some threats will already be
defined from the Cyber PHA, and are stored in the library.
To add a new Threat:
l Click on the Add T button at the upper left hand corner of the toolbar
l This will immediately add the Threat to the Cyber SL Worksheet
l This will also add the Threat to the Cyber Threats library
To edit the Threat Name:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 248 of 292
 l Double click the threat name in the worksheet, or
l Right click on the threat in the worksheet and select edit
To add a Threat directly from the Cyber Threats Library:
l Click on the Link Threat Icon
l Highlight the Threat(s) to add
l Click on Link Selected
To delete a Threat:
l Highlight the Threat
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Threat Event is really to be deleted

Note: When a Threat is deleted and it is the last place where it is used, you will be asked if you
want to permanently delete the Threat from the Library. Click Yes or No as applicable.

When you add a threat a default threat likelihood of attack of 1 per year is associated with the threat.
This value can of course be update as needed, directly in the workspace.
To directly edit the likelihood within the workspace:
l Highlight the Threat Likelihood value
l Type in the applicable value (likelihood must be per year)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

Note: When a Threat is used in multiple locations, changing its properties (including the Threat
Likelihood) will impact all locations where that initiating event is used.

24.2.4 Target Attractiveness

The Target Attractiveness is a factor applied to the SL Verification calculation that accounts for the
attractiveness of the target of a cyber event. This will add a factor of 1 through 5, indicating that an
attack would be more for some plant or organization types than for others.
To add a new Target Attractiveness:
l Click on the Add TA button at the upper left hand corner of the toolbar
l This will immediately add the Target Attractiveness to the Cyber SL Worksheet
l This will also add the Target Attractiveness to the Target Attractiveness library
To edit the Target Attractiveness Name:
l Double click the Target Attractiveness name in the worksheet, or
l Click on the Edit icon when hovering over the Target Attractiveness, or
l Right click on the Target Attractiveness in the worksheet and select edit
To add a Target Attractiveness directly from the Target Attractiveness Library:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 249 of 292
 l Click on the Link Target Attractiveness Icon
l Highlight theTarget Attractiveness(s) to add
l Click on Link Selected
To delete a Target Attractiveness:
l Highlight the Target Attractiveness
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Target Attractiveness is really to be deleted

Note: When an Target Attractiveness is deleted and it is the last place where it is used, you will be
asked if you want to permanently delete the Target Attractiveness from the Library. Click Yes or No
as applicable.

When you add a Target Attractiveness, a default factor of 1 is associated with the Target Attractiveness.
In addition the Target Attractiveness is set to be Not Applicable (NA) to all Cyber Threats in the Cyber SL
Worksheet. Applicability and probability of the situation occurring can be update as needed. To change
the applicability of an Target Attractiveness to a specific threat, simply double click the intersection of
Target Attractiveness and Cyber Threat. The NA will then change to the factor associated with theTarget
Attractiveness.
To manually edit the Target Attractiveness factor:
l Click on the Edit icon when hovering over the Target Attractiveness or right click on the Target
Attractiveness in the worksheet and select edit
l Type in the applicable value (probability must range from 1 to 5)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

24.2.5 Countermeasures
A Countermeasure (SMR) is a device, system, or action that is capable of preventing a cyber event
scenario from proceeding to its undesired consequence independent of the threat or the action of any
other countermeasure associated with the scenario.
To add a new Countermeasure:
l Click on the Add CMR button at the upper left hand corner of the toolbar
l This will immediately add theCountermeasure to the Worksheet
l This will also add the Countermeasure to the Cyber Countermeasures library
To edit the Countermeasure Name:
l Double click the Countermeasure name in the worksheet, or
l Click on the Edit icon when hovering over the Countermeasure, or
l Right click on the Countermeasure in the worksheet and select edit
To add an Countermeasure directly from the Cyber Countermeasure Library:
l Click on the Link Countermeasure Icon
l Highlight the Countermeasure(s) to add
l Click on Link Selected
To delete an Countermeasure:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 250 of 292
 l Highlight the Countermeasure
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Countermeasure is really to be deleted

Note: When a Countermeasure is deleted and it is the last place where it is used, you will be asked
if you want to permanently delete the Countermeasure from the Library. Click Yes or No as
applicable.

When you add an Countermeasure a default probability of failure of 1 is associated with the
Countermeasure. In addition the Countermeasure is set to be Not Applicable (NA) to all Cyber Theats in
the Worksheet. Applicability and probability of failure can be update as needed. To change the
applicability of a Countermeasure to a specific cyber threat, simply double click the intersection of
Countermeasure and Cyber Threat. The NA will then change to the probability associated with the
Countermeasure.
To manually edit the Countermeasure:
l Click on the Edit icon when hovering over theCountermeasure or right click on
theCountermeasure in the worksheet and select edit
l Type in the applicable value (probability must range from 0 to 1)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

24.2.6 Conditional Modifiers (CM)

To add a new Conditional Modifier:
l Click on the Add CM button at the upper left hand corner of the toolbar
l This will immediately add the Conditional Modifier to the Worksheet
l This will also add the Conditional Modifier to the Conditional Modifiers library
To edit the Conditional Modifier Name:
l Double click the Conditional Modifier name in the worksheet, or
l Click on the Edit icon when hovering over the Conditional Modifier, or
l Right click on the Conditional Modifier in the worksheet and select edit
To add a Conditional Modifier directly from the Conditional Modifier Library:
l Click on the Link Conditional Modifier Icon
l Highlight the Conditional Modifier(s) to add
l Click on Link Selected
To delete a Conditional Modifier:
l Highlight the Conditional Modifier
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Conditional Modifier is really to be deleted

Note: When a Conditional Modifier is deleted and it is the last place where it is used, you will be
asked if you want to permanently delete the Conditional Modifier from the Library. Click Yes or No
as applicable.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 251 of 292
 When you add a Conditional Modifier a default probability of 1 is associated with the Conditional
Modifier. In addition the Conditional Modifier is set to be Not Applicable (NA) to all Cyber Threats in the
Cyber SL Worksheet. Applicability and probability can be update as needed. To change the applicability
of an conditional modifier to a specific Cyber Threat, simply double click the intersection of conditional
modifier and Cyber Threat. The NA will then change to the probability associated with the conditional
modifier.
To manually edit the probability:
l Click on the Edit icon when hovering over the Conditional Modifier or right click on the
Conditional Modifier in the worksheet and select edit
l Type in the applicable value (probability must range from 0 to 1)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

24.2.7 Kill Chain Relevance

The Kill Chain Relevance is a factor applied to the SL Verification calculation that accounts for the
required steps that a threat agent must complete before initiating a given Cyber Threat. This approach is
developed from the Lockheed Martin Cybersecurity Kill Chain® and accounts for the fact that prior steps
such as detailed system reconnaissance or the compromise of other devices within the IACS are
necessary for certain engineered attacks. This will add a factor of 1 or less, indicating that an engineered
attack requiring previous successful attacks may be to some extent less likely than an attack that does
not require any previous actions.
To add a new Kill Chain Relevance:
l Click on the Add KCR button at the upper left hand corner of the tool bar
l This will immediately add the Kill Chain Relevance to the Cyber SL Worksheet
l This will also add the Kill Chain Relevance to the Kill Chain Relevance library
To edit the Kill Chain Relevance Name:
l Double click theKill Chain Relevance name in the worksheet, or
l Click on the Edit icon when hovering over the Kill Chain Relevance, or
l Right click on the Kill Chain Relevance in the worksheet and select edit
To add a Kill Chain Relevance directly from the Kill Chain Relevance Library:
l Click on the Link Kill Chain Relevance Icon
l Highlight the Kill Chain Relevance(s) to add
l Click on Link Selected
To delete a Kill Chain Relevance:
l Highlight the Kill Chain Relevance
l Click on the Delete key on your keyboard (or right click and select Delete)
l Click on Yes when asked if the Kill Chain Relevance is really to be deleted

Note: When a Kill Chain Relevance is deleted and it is the last place where it is used, you will be
asked if you want to permanently delete the Kill Chain Relevance from the Library. Click Yes or No
as applicable.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 252 of 292
 When you add a Kill Chain Relevance, a default factor of 1 is associated with the Kill Chain Relevance. In
addition the Kill Chain Relevance is set to be Not Applicable (NA) to all Cyber Threats in the Cyber SL
Worksheet. Applicability and probability of the situation occurring can be update as needed. To change
the applicability of an Kill Chain Relevance to a specific threat, simply double click the intersection of Kill
Chain Relevance and Cyber Threat. The NA will then change to the factor associated with the Kill Chain
Relevance.
To manually edit the Kill Chain Relevance factor:
l Click on the Edit icon when hovering over the Kill Chain Relevance or right click on the Kill
Chain Relevance in the worksheet and select edit
l Type in the applicable value (probability must range from 0 to 1)
l Manually add the applicable assumptions, comments, and reference by clicking on the notes icon

24.2.8 Calculating Remaining Cyber Risk

The Cyber SL Worksheet determines a Mitigated Likelihood for each Cyber Threat in a Cyber Event
Scenario. This Mitigated Likelihood is calculated by multiplying the Cyber Threat Likelihood with the
probabilities and factors associated with the applicable Countermeasures, Conditional Modifiers, Kill
Chain Relevance, and Target Attractiveness. The calculated Mitigated Likelihood is displayed on the right
hand side of the worksheet for each Cyber Event.
The Likelihood of Success is calculated by adding the Mitigated Likelihood for each Cyber Threat across
the Cyber Event Scenario. This Cyber Event Scenario Likelihood of Success is displayed in the menu bar
of the worksheet for each severity Category.

Cyber Event Scenario Remaining Cyber Risk

Given the Target Likelihood specified and the Likelihood of Success calculated, a Remaining Cyber Risk
(RCR) is calculated for the Cyber Event Scenario. If theLikelihood of Success is less than or equal to the
Target Likelihood, the Remaining Cyber Risk will state a NA for not applicable, indicating no further risk
reduction is required.

24.2.9 Comments
Comments can be edited directly in the Comments text box. A Comment is associated with a single
Cyber Threat. To delete a comment, highlight the text and click on the Delete key on your keyboard.
Note that Cyber SL Comments are independent of the Cyber PHA Comments.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 253 of 292
 Part 4
Miscellaneous

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 255 of 292
 Abbreviations
BMS Burner Management System
BPCS Basic Process Control System
C&E Cause and Effect
CCF Common Cause Failure
CFSE Certified Functional Safety Expert
CFSP Certified Functional Safety Professional
CHAZOP Control Hazard & Operability Analysis
CISSP Certified Information Systems Security Professional
CM Conditional Modifier
CMF Common Mode Failure
DTT De-energize To Trip
E/E/PE Electrical/Electronic/Programmable Electronic
EC Enabling Condition
EMC Electro-Magnetic Compatibility
ESD Emergency Shutdown
ETT Energize To Trip
FAT Factory Acceptance Testing
FBT Frequency Based Targets
FMEA Failure Mode and Effects Analysis
FMEDA Failure Modes Effects and Diagnostic Analysis
FPL Fixed Program Language
FSA Functional Safety Assessment
FSM Functional Safety Management
FVL Full Variability Language
HAZOP Hazard and Operability study
HFT Hardware Fault Tolerance
HMI Human Machine Interface
IACS Industrial Automated Control System
IE Initiating Event
IEC International Electrotechnical Commission
IPL Independent Protection Layer
ISA International Society of Automation
L Likelihood
LOPA Layer of Protection Analysis
LVL Limited Variability Language
MOC Management Of Change
MTTFS Mean Time To Fail Spurious
MTTR Mean Time To Repair
PFD Probability of Failure on Demand

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 257 of 292
 PFDAVG Average Probability of Failure on Demand
PFH Probability of a Dangerous Failure per Hour
PHA Process Hazard Analysis
PIU Proven In Use / Prior Use
PLC Programmable Logic Controller
PSI Process Safety Information
PSCAI Process Safety Controls, Alarms and Interlocks
PTC Proof Test Coverage
PTI Proof Test Interval
QRA Quantitative Risk Assessment
R Risk
RRF Risk Reduction Factor
S Severity of Consequence
SAT Site Acceptance Testing
SERH Safety Equipment Reliability Handbook
SFF Safe Failure Fraction
SG Safeguard
SIF Safety Instrumented Function
SIL Safety Integrity Level
SILac Achieved Safety Integrity Level based on Architectural Constraints
SILcap Achieved Safety Integrity Level based on Equipment Systematic Capability
SILpfd Achieved Safety Integrity Level based on Safety Instrumented Function
probability of failure
SIS Safety Instrumented System
SLC Safety Lifecycle
SOP Standard Operating Procedure
SRS Safety Requirements Specification
SSI Site Safety Index

β-factor Beta factor, indicating common cause susceptibility

DD Dangerous Detected
DU Dangerous Undetected
SD Safe Detected
SU Safe Undetected
AD Annunciation Detected
AU Annunciation Undetected
No Effect Failure of a component that is part of the safety critical circuit that has no
impact on the successful execution of the safety function

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 258 of 292
 Terms and Definitions
Basic Process Control System System that responds to input signals from the process, its
associated equipment, other programmable systems and/or an
operator and generates output signals causing the process and its
associated equipment to operate in the desired manner but that
does not perform any safety instrumented functions with a claimed
SIL greater than or equal to 1.
Batch Process A process that leads to the production of finite quantities of material
by subjecting quantities of input materials to an ordered set of
processing activities over a finite period of time using one or more
pieces of equipment.
Common Cause Failure Failure, which is the result of one or more events, causing failures of
two or more separate channels in a multiple channel system,
leading to system failure.
Common Mode Failure Failure of two or more channels in the same way, causing the same
erroneous result.
Conditional Modifier One of several possible probabilities included in scenario risk
calculations when risk criteria endpoints are expressed in impact
terms (e.g., fatalities) instead of in primary loss event terms (e.g.,
release, vessel rupture). Conditional modifiers include, but are not
necessarily limited to:
l Probability of a hazardous atmosphere
l Probability of ignition or initiation
l Probability of explosion

l Probability of personnel presence

l Probability of injury or fatality

l Probability of equipment damage or other financial impact

Consequence The undesirable result of an incident, usually measured in health

and safety effects, environmental impacts, loss of property, and
business interruption costs.
Enabling Condition A condition that makes possible the initiating event or initiating
cause of a scenario. An enabling condition is neither a failure nor a
protection layer. It consists of an operation or condition that does
not directly cause the scenario, but that must be present or active in
order for the scenario to proceed to a loss event. Note that
mitigating factors, such as the probability of personnel presence or
of emergency evacuation, are conditional modifiers and not
enabling conditions. The term enabling event is sometimes used for
enabling condition. The term enabling condition is preferred, since
enabling conditions are not generally events but rather conditional
states.
Event An occurrence involving a process that is caused by equipment
performance or human action or by an occurrence external to the
process. Events include initiating events, loss events and success or
failure of safeguards.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 259 of 292
 Failure Modes Effects and A systematic procedure during which each failure mode of each
Diagnostic Analysis component is examined to determine the effect of that failure on the
system and whether that failure is detected by any automatic
diagnostic function
Hardware Fault Tolerance The number of dangerous random failures tolerated by a system
while still maintaining the ability to successfully perform the safety
function
Hazard Scenario Scenario that consists of one or more sequence of events that
results in a final consequence of concern. Each Hazard Scenario
consists of at least one cause - consequence pair.
Impact A measure of the ultimate loss and harm of a loss event. Impact may
be expressed in terms of numbers of injuries and/or fatalities, extent
of environmental damage and/or magnitude of losses such as
property damage, material loss, loss of intellectual property, lost
production, market share loss, and recovery costs.
Incident An event or sequence of events that either resulted in or had the
potential to result in adverse impacts.
Independent Protection Layer A device, system, or action that is capable of preventing a scenario
from proceeding to the undesired consequence regardless of the
initiating event or the action of any other protection layer associated
with the scenario.
Initiating Event The event that initiates the scenario leading to the undesired
consequence.
Layer of Protection Analysis An approach that analyzes incident scenario(s) (cause-consequence
pair(s)) using values for the initiating event frequencies, enabling
conditions, independent protection layer failure probabilities, and
conditional modifiers as applicable in order to compare a Hazard
Scenario risk estimate to risk criteria to determine if additional risk
reduction or more detailed analysis is needed. Scenarios are
identified elsewhere, typically using a scenario based hazard
evaluation procedure such as a HAZOP Study.
Likelihood A measure of the expected frequency with which an event occurs.
This may be expressed as a frequency (e.g. events per year), a
probability of occurrence during a time interval (e.g. annual
probability), or a conditional probability (e.g. probability of
occurrence, given that a precursor event has occurred).
Mean Time To Repair The expected time to repair equipment items in case of a failure
detected by automatic equipment item diagnostics
Mission Time The time period that a SIF is expected to be operational. Typically
this period corresponds to the interval when all devices are either
replaced or refurbished to “as new condition”. It should not be
confused with the proof test interval.
Probability of Failure on Demand The probability that a system or other protective measure will fail to
perform a specified function on demand. PFD is expressed as a
dimensionless number ranging from zero to one.
Process Hazard Analysis A hazard evaluation of broad scope that identifies and analyzes the
significance of hazardous situations associated with a process or
activity.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 260 of 292
 Proven In Use / Prior Use A Proven In Use assessment is a study of product operational hours,
revision history, fault reporting system, and field failures to
determine if there is evidence of systematic design faults in a
product. The IEC 61508 standard provides levels of operational
history required for each SIL level.
Quantitative Risk Assessment The systematic development of numerical estimates of the expected
frequency and consequence of potential incidents associated with a
facility or operation based on engineering evaluation and
mathematical techniques.
Risk A measure of human injury, environmental damage, economic loss,
loss of intellectual property or loss of privacy in terms of both the
incident likelihood and the magnitude of the loss or injury. A
simplified version of this relationship expresses risk as the product
of the likelihood and the consequences (i.e. Risk = Consequence x
Likelihood) of an incident.
Risk Assessment The process by which the results of a risk analysis (i.e. risk
estimates) are used to make decisions, either through relative risk
ranking of risk reduction strategies or through comparison with
tolerable risk levels.
Risk Mitigation A reduction of risk due to a reduction of the likelihood or impact
associated with a loss event.
Risk Receptor Something which could come to harm, including human health,
environment, or financial well-being.
Risk Reduction Factor (RRF) - The measure of the degree of risk reduction achieved by a
Achieved safeguard, countermeasure, or protection strategy. Achieved RRF
can be expressed as the ratio of unmitigated risk divided by
mitigated risk resulting from that safeguard, countermeasure, or
protection strategy. For an independent low demand safety
function, this can be expressed as the reciprocal of the average
probability of failure on demand.
Risk Reduction Factor (RRF) - The measure of the degree of risk reduction needed to achieve
Target/Required tolerable risk. RRF can be expressed as the ratio of unmitigated risk
divided by tolerable risk. Within exSILentia® a distinction is made
between Target and Required RRF.
Target RRF is used to identify the risk reduction needed to achieve
tolerable risk resulting from the LOPA/SIL selection.
Required RRF is used to identify the risk reduction specified in the
SRS which the SIF as designed should meet. The required RRF is
typically equal to or greater than the target RRF (if the user decides
to round the target RRF).
Risk Tolerance 1. Willingness by authority having jurisdiction to live with a risk so as
to secure certain benefits in the confidence that the risk is one that
is worth taking and that it is being properly controlled. However, it
does not imply that everyone would agree without reservation to
take that risk or have it imposed on them.
2. Risk the organization is willing to accept.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 261 of 292
 Risk Tolerance Criteria A predetermined measure of risk used to aid decisions about
whether further efforts to reduce risk are warranted.
Safety Freedom from unacceptable risk.
Safety Integrity Level Discrete level (one out of a possible four) for specifying the safety
integrity requirements of the safety functions to be allocated to the
electronic / programmable electronic safety-related systems, where
safety integrity level 4 has the highest level of safety integrity and
safety integrity level 1 has the lowest [IEC 61508-4]
Safety Integrity Level - Within exSILentia® a distinction is made between Target and
Target/Required Required SIL.
Target SIL is used to identify the SIL needed to achieve tolerable risk
resulting from the LOPA/SIL selection.
Required SIL is used to identify the SIL specified in the SRS which the
SIF as designed should meet. The required SIL is typically equal to
the target SIL but would allow different target SILs to result from the
different SIL selection methods.
Severity A measure of the degree of impact of a particular consequence.
SIL Threshold Parameter to specify the boundary between target Safety Integrity
Levels Assume a calculated Required Risk Reduction Factor of 29,
which would fall in the 10 - 100 Risk Reduction range. With a SIL
Threshold Ratio of 1, a calculated Risk Reduction Factor of 29 would
result in a Target SIL of SIL 2. The calculated Risk Reduction Factor
is in this case greater than the SIL determination threshold which
lies at 10 (10 * 1). With a SIL Threshold Ratio of 3, a calculated Risk
Reduction Factor of 29 would result in a Target SIL of SIL 1. The
calculated Risk Reduction Factor is in this case less than the SIL
determination threshold which lies at 30 (10 * 3).
Startup Time The time it takes to re-start the process after a shutdown
Systematic Capability Indication of systematic failure protection for an equipment item.
Per IEC 61511 users of existing hardware either need to select
hardware that is developed and assessed per IEC 61508 or justify the
use of that hardware. The objective of the assessment or
justification is to identify that there are “no” systematic problems
with the equipment item under consideration. Systematic failure
protection is part of IEC 61508 compliant development processes,
alternatively sufficient recorded experience can also be used to
identify that there is no known systematic problem.
Useful Life That portion of life when the failure rate can be described by the
exponential distribution, i.e. constant failure rate. The useful life
follows infant mortality or burn- in and precedes the wear- out
portions of the overall life. For functional safety applications,
devices are expected to be replaced at the end of their useful life.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 262 of 292
 Disclaimer and Assumptions
Limitations and assumptions associated with the use of exSILentia® v4 are documented in the following
sections.

Disclaimer

The user of the exSILentia® v4 software is responsible for verification of all results obtained and their
applicability to any particular situation. Calculations are performed per guidelines in applicable
international standards and common methods described in subject matter literature. exida Innovation
LLC accepts no responsibility for the correctness of the regulations, standards, or literature on which the
software tool is based.
In particular, exida Innovation LLC accepts no liability for decisions based on the results of the
exSILentia® v4 software. The exida Innovation LLC guarantee is restricted to the correction of errors or
deficiencies within a reasonable period when such errors or deficiencies are brought to the attention of
exida Innovation LLC in writing. exida Innovation LLC accepts no responsibility for modifications made by
the user to any reports and exports automatically generated by the exSILentia® v4 software.

Assumptions exida LOPA Database

exida has compiled a proprietary initiating event frequency and protection layer probability of failure
database. This database is a compilation of failure data collected from a variety of public and
confidential sources and presents an industry average. The database is available in the LOPAx™ module
of exSILentia® v4.
The user is responsible for determining the applicability of the initiating event frequencies and
protection layer probabilities of failure to any particular application. Accurate plant specific data
(historic data) is preferable to general industry average data. Industrial plant sites with high levels of
stress must use initiating event and protection layer data that is adjusted to a higher value to account
for the specific conditions of the plant.

Assumptions exida SERH Database

exida has compiled a proprietary equipment failure database. This database is a compilation of failure
data collected from detailed predictive analysis performed through Failure Modes, Effects, and
Diagnostics Analysis (FMEDA) for specific manufacturer specific products and a variety of public and
confidential sources. The failure rate data presents an average worst-case estimate of failure rates to be
expected during normal operation of a particular equipment item. The database is published as the
“Safety Equipment Reliability Handbook, fourth edition” ISBN 978-1-934977-15-6. The reliability data
collection process is described in the SERH book.
The user is responsible for determining the applicability of the failure data to any particular
environment. The stress levels assumed to determine the equipment failure rate are average worst-case
for an industrial environment and are documented in the SERH book. Accurate plant specific data is
preferable to general industry average data. Industrial plant sites with high levels of stress must use
failure rate data that is adjusted to a higher value to account for the specific conditions of the plant.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 263 of 292
 Assumptions LOPA

The following assumptions apply to the LOPA Worksheet calculations.

l The severity level translation into tolerable frequencies is based on the user specified risk
configuration
l Unmitigated event frequencies are directly calculated from initiating event frequencies and
probabilities for enabling conditions, independent protection layers, and conditional modifiers
using algebraic formulas.
l LOPA calculations assume that there is no correlation between an initiating event and the
associated enabling condition(s), independent protection layer(s), and/or conditional modifier(s).
l The required Risk Reduction Factor is obtained directly from the relation between tolerable
frequency and unmitigated frequency.

Assumptions SILect

The following assumptions apply to the SILect Worksheet calculations.

l The Target Safety Integrity Level is obtained from the relation between required Risk Reduction
Factor and Safety Integrity Level boundaries.
l The SIL boundaries are adjusted based on the Target SIL Threshold Ratio specified

Assumptions SILver - Reliability Modeling

The SILver Worksheet calculations are based on many of the assumptions that are identified in IEC
61508-6, Annex B. Specific assumptions on which the calculations within SILver Worksheet are based are
listed below.
l The sensor part ranges from the actual sensing element up to and including the logic solver input
channel or the logic solver input module depending on logic solver I/O channel configuration by
the user
l The logic solver part ranges from the logic solver input module to the logic solver output module
or includes just the CPU based on the logic solver I/O channel configuration by the user.
l The final element part ranges from the logic solver output channel or the logic solver output
module depending on the I/O channel logic solver configuration by the user up to and including
the final actuating element within the safety instrumented function
l Equipment item failure rates are constant over the useful life of the equipment item
l Only a single failure can occur within one independent part of a configuration
l The embedded diagnostic test time is much shorter than the average repair time
l The proof test interval is at least two orders of magnitude greater than the embedded diagnostic
test interval
l Limited coverage of failures during a proof test is modeled using the proof test coverage factor, it
is assumed that the proof test coverage has effect on all states, undetected and detected
l For each sensor, logic solver, and final element group there is a single proof test interval and
Mean Time To Repair
l Multiple repair teams are available to work on all known failures
l Repair rates are constant
l The Mean Time To Repair (MTTR) is an order of magnitude less than the expected demand rate
l Common cause failures are assumed to be the same in redundant units

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 264 of 292
 Assumptions SILver - Proof Test Coverage Calculator

The SILver Worksheet Proof Test Coverage Calculator determines a suggested Proof Test Coverage factor
based on a manufacturer identified proof test and the effectiveness of that proof test. If you use the
suggested proof test coverage, you must ensure that the actual test(s) performed is (are) at least as
effective as the manufacturer suggested test(s).

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 265 of 292
 Software License Agreement –
exSILentia® Standalone
IMPORTANT – READ CAREFULLY: This Software License Agreement is the legal agreement
(“Agreement”) between you, the customer who has acquired the software (“You”) and exida Innovation
LLC (“exida”) with offices at 80 North Main Street, Sellersville, PA, 18960, USA. Please read this
agreement carefully before completing the installation process and using the exida exSILentia ® tool
(together with its accompanying documentation, the “Software”). This agreement provides a license to
use the Software and contains warranty information and liability disclaimers.
BY INSTALLING, COPYING OR OTHERWISE USING THE SOFTWARE, YOU ARE CONFIRMING YOUR
ACCEPTANCE OF THE SOFTWARE AND AGREEING TO BECOME BOUND BY THE TERMS OF THIS
AGREEMENT. IF YOU DO NOT AGREE, DO NOT INSTALL OR USE THE PRODUCT.
IF YOU DID NOT ACQUIRE THE SOFTWARE FROM exida, THEN YOU MAY NOT ENTER INTO THIS
AGREEMENT OR USE THE SOFTWARE. NO OTHER PARTY HAS THE RIGHT TO TRANSFER A COPY OF
THE SOFTWARE TO YOU.
The Software is owned by exida and is protected by copyright laws and international copyright treaties,
as well as other intellectual property laws and treaties. THE SOFTWARE IS LICENSED, NOT SOLD.
If you have any questions or concerns about this agreement, please contact exida at the above listed
address.

1. DEFINITIONS
a. “Affiliates” means any company or entity controlled by, controlling, or under common
control with You or exida. For the purposes of this definition, “control” shall mean the
power to cause the direction of the management of such company or entity, directly or
indirectly, whether through ownership of voting securities or otherwise, it being
understood that ownership of 50% or more of the voting securities of another shall in all
circumstances constitute control.
b. “exida” means exida Innovation LLC and its Affiliates
c. “You”, “Your” means you, your company, and your company’s Affiliates
d. “Documentation” means the user manuals and any other materials in any form or medium
customarily provided by exida to You which will provide sufficient information to operate,
diagnose, and maintain the Software properly, safely and efficiently
e. “Software” means the product provided to You, which includes the exSILentia ® tool and
the associated media, printed materials, and “online” or electronic documentation. The
Software includes any updates or new versions that may be provided to You.
f. “Maintenance” is defined in the Maintenance and Support Article, section 4 of this
agreement
g. “Proprietary Information” means all of Your and your affiliates plans, processes, products,
business information, data, technology, Information Resources, computer programs and
documentation and the like. It includes any information or material that (a) is marked
“Confidential”, “Restricted”, or “Proprietary Information” or other similar marking, (b) is
known by the parties to be considered confidential and proprietary, or (c) should be

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 267 of 292
 known or understood to be confidential or proprietary by an individual exercising
reasonable commercial judgment.
2. OWNERSHIP. The Software is owned and copyrighted by exida. The license granted to You
confers no title or ownership in the Software and is not a sale of any rights in the Software. exida
warrants that it has full power and authority to grant the licenses and rights granted under this
License Agreement without the consent or approval of any third party.
a. All information, artwork, graphics, text, copy, data, software, and other material included
in the Software are exida’s exclusive intellectual property.
3. LICENSE
1. GRANT OF LICENSE. exida grants You the following rights provided You comply with all
terms and conditions of this agreement. For each license You have acquired for the
Software:
a. You are granted a non-exclusive, non-transferable, license during the term of this
Agreement to install and use for your business purposes the Software on an
unlimited number of Your workstations. If the Software is a software suite or
bundle with more than one specified Software product, this license applies to all
such specified Software products.
b. You are granted a non-exclusive, non-transferable, right to apply quarterly updates
to the Safety Equipment Reliability Handbook database for the duration of 1 year
c. The USB license key(s) restricts use to a specified number of concurrent users only
d. You may make one copy of the Software for backup, disaster recovery, or archival
purposes
2. DOCUMENTATION. You are hereby granted the right to reproduce the user manuals and
other written materials created by exida to describe the functionality and use of the
Software (the “Documentation”) and to distribute a single copy of the Documentation in
soft form or in print to each user over Your internal network.
3. LICENSE RESTRICTIONS. You shall not grant access to the Software to any persons or
entities other than those of Your employees and on-site contractors who are located at
Your facilities nor shall You sell, lease or distribute the Software to any person or entity as
a standalone or bundled product or make any other commercial use thereof. You shall not
modify, reverse engineer, decompile, or disassemble the Software. You shall not adapt,
translate, or create derivative works based on the Software or the Documentation without
the prior written approval of exida. You shall not exceed the scope of the license granted
in Sections 3.1 and 3.2 above. You shall not export the Software or Documentation, or any
copies thereof, to any user in violation of applicable laws and regulations.
4. COPYRIGHT. exida owns the Software and related Documentation and their copyrights
that are protected by United States copyright laws and international treaty provisions.
This Agreement does not and shall not be construed as transferring ownership rights of
the Software, Documentation, any modifications thereto or any related materials to You or
to any third party. exida owns and shall retain all right, title and interest in the Software,
including all copyrights, patents, trade secret rights, trademarks, and other intellectual
property rights therein. You shall retain all copyright and trademark notices on the
Software and Documentation and as otherwise necessary to protect exida intellectual
property rights.
5. YOUR RESPONSIBILITY. You expressly agree to be fully responsible for compliance by
Your employees and on-site contractors with the applicable terms of this Agreement.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 268 of 292
 6. COPIES. You are permitted to copy the Documentation and written materials for
distribution to employees using the Licensed Software, and to make and retain a copy of
the Software for archival purposes.
4. MAINTENANCE AND SUPPORT.
1. SUPPORT.
a. Limited Technical Support. During the term of this agreement You are entitled to
limited technical support. exida will provide technical support via its support
website http://support.exida.com . Safety Instrumented Function Consultancy is
excluded from the exida support under this agreement.
b. Upon payment of the Annual Maintenance Fee, You shall be entitled to 2 hours of
technical support per year for each concurrent user license. Bug reporting and
resolution is not counted towards your technical support allotment.
2. MAINTENANCE AND UPDATES.
a. Definitions. For the purposes of this section, the following shall apply:
i. Bug Fix: The term “Bug Fix” means any engineering patch intended to fix
bugs and errors in the Software.
ii. Functionality Update: The term “Functionality Update” means any new
release of the Software. Functionality Updates are issued provided that
maintenance and support is in good standing, i.e. maintenance period is
active and no lapses have occurred in the maintenance period. Updates do
not include any exida software, which constitutes a separate product by
virtue of different features or functionality. Updates do not include
standalone products that can be integrated with the Software.
iii. Equipment Database Update: The term “Equipment Database Update”
means any new version of the Safety Equipment Reliability Handbook
Database embedded in the Software. Equipment Database Updates are
issued quarterly.
iv. Maintenance: The term “Maintenance” means technical support,
Functionality Updates, and Equipment Database Updates, provided during
the Maintenance Period.
v. Maintenance Period. The term “Maintenance Period” for the Software
means any period commencing at the date of sale of the Software, or any
anniversary thereof, for which You have paid the Maintenance Fee for each
license of the Software you purchased.
b. Delivery of Updates. For any period in which You have paid the Maintenance Fee (or
the relevant pro-rated portion thereof in accordance with section 4.3), exida shall
provide automatic download of functionality, and Equipment Database updates.
c. License to Updates. exida hereby grants You a nonexclusive; nontransferable
license during the term of this Agreement to use the Updates delivered under this
section.
3. RENEWAL. If exida continues to offer support and updates for the Software, You may
renew Maintenance by delivering exida a purchase order referencing this Agreement on or
before the expiration of the Paid Maintenance Period. If You elect to renew the
Maintenance, You must do so for all copies of the Software licensed hereunder. As a
courtesy, exida agrees to notify you via automated message prior to the expiration of the
Maintenance Period to allow ample time for renewal. exida assumes no responsibility for
lapses in the Maintenance Period that occurs as a result of You failing to renew the

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 269 of 292
 Maintenance Period before its expiration. If Maintenance is not renewed, maintenance fees
must be paid for the time of the maintenance lapse, in order to obtain full Functionality
and Equipment Database updates.
5. RESTRICTED USE.
a. You agree to use reasonable efforts to prevent unauthorized copying of the Software
b. You may not disable any licensing or control features of the Software or allow the
Software to be used with such features disabled
c. You may not share, rent, or lease Your right to use the Software
d. You may not modify, sublicense, copy, rent, sell, distribute or transfer any part of the
Software except as provided in this Agreement
e. You may not reverse engineer, decompile, translate, create derivative works, decipher,
decrypt, disassemble, or otherwise convert the Software to a more human-readable form
for any reason
f. You may not use the Software for any purpose other than to perform safety lifecycle tasks
in accordance with the accompanying documentation
g. You may not remove, alter, or obscure any confidentiality or proprietary notices (including
copyright and trademark notices) of exida on, in or displayed by the Software
h. You will return or destroy all copies of the Software if and when Your right to use it ends
i. You may not use the Software for any purpose that is unlawful
6. PROPRIETARY INFORMATION.
1. EXIDA SHALL
a. Not use or disclose Proprietary Information to any third party except as is clearly
necessary to provide the Services, provided such party is bound by a written
confidentiality agreement with terms no less stringent than the terms herein.
b. Not attempt to access any portion of Information Resources without authorization
of You. If unauthorized access is nevertheless obtained, whether inadvertently or
otherwise, exida shall have a duty to promptly report to You, in writing, each
instance thereof, setting out the extent and circumstances of such access.
c. Not attempt to defeat any security provisions maintained by You for the protection
of Information Resources or information contained therein.
d. Not remove, copy, alter, or install any software or information or data on any of
Your computers unless specifically authorized by You in connection with the
Services or make any attempt to learn or document passwords or other
information which could facilitate unauthorized access to Information Resources.
e. Require each of its employees, contractors and agents needing access to
Information Resources to obtain passwords from Your authority responsible for the
security of Information Resources, to use and protect passwords as required by
You, and to follow such protocols governing access as may be set out by You.
2. CONFIDENTIALITY. Neither party shall, during the term of this Agreement or thereafter,
disclose, make commercial or other use of, give or sell to any person, firm, or corporation,
any information of the other party that is treated and identified in writing as confidential,
except either party may disclose such information if (i) required to do so pursuant to
applicable law; (ii) it was rightfully in their possession from a source other than the other
party prior to the time of disclosure of said information; (iii) it was in the public domain
prior to the time of receipt; (iv) it became part of the public domain after the time of
receipt by any means other than an unauthorized act or omission by such party; (v) it is
supplied after the time of receipt without restriction by a third party who is under no
obligation to maintain such information in confidence; or (vi) it was independently

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 270 of 292
 developed prior to the time of receipt. Both parties will use at least the same standard of
care as they do to protect their own Proprietary Information to ensure that their
employees, agents or consultants do not disclose or make any unauthorized use of such
Proprietary Information. Both parties will promptly notify the other party upon discovery
of any unauthorized use or disclosure of the Proprietary Information.
3. TERMINATION OF exida’s RIGHT TO POSSESS PROPRIETARY INFORMATION. Upon final
acceptance or earlier termination of this Agreement for any reason, exida's rights to
possession and use of any of the Proprietary Information in connection with the
performance of its obligations hereunder or otherwise shall terminate and exida shall
immediately deliver to You all of the Proprietary Information and all copies of any portion
thereof. exida shall, upon completion of such delivery, certify in writing to You that it has
fulfilled its obligations under this Article. exida will keep one copy of all Proprietary
Information provided for future reference and legal liability requirements.
7. DISCLAIMER OF WARRANTY. The Software is provided on an “AS IS” basis, without warranty of
any kind, including, without limitation, the warranties of merchantability, fitness for a particular
purpose, non-infringement title, and results. The entire risk as to the quality and performance of
the Software is borne by You. If the Software is intended to link to, extract content from or
otherwise integrate with a third party product, exida makes no representation or warranty that
Your particular use of the Software is or will continue to be authorized by law in Your jurisdiction
or that the third party product will continue to be available to You. This disclaimer of warranty
constitutes an essential part of the agreement.
1. WARRANTY. exida warrants that the Software does not infringe the intellectual property
rights of any third party.
8. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
TORT, CONTRACT, OR OTHERWISE, SHALL exida BE LIABLE TO YOU OR ANY OTHER PERSON
OR SHALL YOU BE LIABLE TO exida OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL,
PUNITIVE, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR WORK STOPPAGE, COMPUTER FAILURE OR LOSS OF
REVENUES, PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE OR ECONOMIC LOSSES.
IN NO EVENT WILL exida BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT PAID TO
LICENSE THE SOFTWARE, EVEN IF YOU OR ANY OTHER PARTY SHALL HAVE INFORMED exida
OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM. NO CLAIM, REGARDLESS OF
FORM, MAY BE MADE OR ACTION BROUGHT BY YOU MORE THAN ONE YEAR AFTER THE BASIS
FOR THE CLAIM BECOMES KNOWN TO THE PARTY ASSERTING IT.
9. TERM AND TERMINATION.
1. TERM. This Agreement shall continue for an indefinite period of time so long as the
License Fee is paid and use of the license as documented in this contract is not violated.
Maintenance and Support is defined in section 4 of this Agreement. You may choose to
renew the Maintenance Agreement upon expiration.
2. TERMINATION. exida may terminate Your license if You do not abide by the license terms.
Upon termination of license, You shall immediately discontinue the use of the Software
and shall within ten (10) days return to exida the USB License Key(s) and all copies of the
Software or confirm that You have destroyed all copies of it. Your obligations to pay
accrued charges and fees, if any, shall survive any termination of this Agreement. You
agree to indemnify exida for reasonable attorney fees in enforcing its rights pursuant to
this license. Sections 2, 5, 7, 8, 9 and 15 will survive expiration or termination of this
Agreement for any reason.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 271 of 292
 10. exSILentia® USE. You are required to perform any verification activities when using the software
as described in the Documentation.
11. REGISTRATION. The software will only function if You are using a valid “License Key”. The
License Key will be provided by exida. Software registration is required.
12. UPGRADES. If this copy of the software is an upgrade from an earlier version of the software, it is
provided to You on a license exchange basis. Your use of the Software upgrade is subject to the
terms of this license, and You agree by Your installation and use of this copy of the Software to
voluntarily terminate Your earlier license and that You will not continue to use the earlier version
of the Software or transfer it to another person or entity.
13. ADDITIONAL SOFTWARE. This license applies to updates, upgrades, options and any other
additions to the original Software provided by exida, unless exida provides other terms along
with the additional software.
14. THIRD PARTY PRODUCTS.
a. The Software may make use of 3 rd party content. This 3 rd party content will be used per
the usage agreements and other restrictions set forth by the 3 rd party. exida agrees to
bear all responsibility for the proper implementation of embedded 3rd party content.
b. This Software may have the ability to make use of, link to, or integrate with 3 rd party
content not embedded within the Software or not required to enable You to use the
Software. The availability of this content is at the sole discretion of the 3 rd party content
providers and may be subject to usage agreements and other restrictions. You agree to
indemnify and hold harmless exida from all claims, damages, and expenses of whatever
nature that may be made against exida by these 3rd party content providers as a result of
Your use of the Software.
15. GENERAL.
1. SERVICES. There are no services provided under this Agreement. Support, maintenance,
and other services, if available, must be purchased separately from exida
2. APPLICABLE LAW. This license shall be interpreted in accordance with the laws of the
Commonwealth of Pennsylvania, USA without giving effect to any choice of law principles
that would require the application of the laws of a different state or country. Any disputes
arising out of this license shall be adjudicated in a court of competent jurisdiction in
Pennsylvania, USA. The United Nations Convention on Contracts for the International Sale
of Goods and the Uniform Computer Information Transactions Act (USA) do not apply to
this Agreement.
3. GOVERNING LANGUAGE. Any translation of this License is done for local requirements
and in the event of a dispute between the English and any non- English versions, the
English version of this License shall govern.
4. COMPLIANCE WITH LAWS. You will comply with all applicable export and import control
laws and regulations in your use or re-exportation of the Software and, in particular, you
will not export or re-export the Software without all required United States Bureau of
Export and Administration licenses. You will defend, indemnify, and hold harmless exida
and its suppliers from and against any violation of such laws or regulations by You.
5. RELATIONSHIP BETWEEN THE PARTIES. The parties are independent contractors and
neither party is the agent, partner, employee, fiduciary, or joint venture of the other party
under this Agreement. You may not act for, bind, or otherwise create or assume any
obligation on behalf of exida. There are no third party beneficiaries under this Agreement.
6. EXPORT OF TECHNICAL DATA. Neither party shall export, directly or indirectly, any
technical data acquired from the other party or any of its affiliated companies, or any

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 272 of 292
 direct product of that technical data, to any other country for which the United States
Government or any agency of that government at the time of export requires an export
license or other governmental approval without first obtaining that license or approval,
when required by applicable United States law.
7. ASSIGNMENTS. You may not assign or transfer, by operation of law or otherwise, your
rights under this Agreement (including your licenses with respect to the Software) to any
third party without exida’s prior written consent. Any attempted assignment or transfer in
violation of the foregoing will be void. exida may freely assign its rights or delegate its
obligations under this Agreement.
8. SEVERABILITY. If any provision of this Agreement is held unenforceable by a court, such
provision may be changed and interpreted by the court to accomplish the objectives of
such provision to the greatest extent possible under applicable law and the remaining
provisions will continue in full force and effect. Without limiting the generality of the
foregoing, you agree that Section 8 will remain in effect notwithstanding the
unenforceability of any other provision of this Agreement.
9. TRADEMARKS AND TRADE NAMES. Nothing in this Agreement shall confer on You any
right to use any trademark or trade name belonging to exida.
16. ENTIRE AGREEMENT. This Agreement constitutes the entire agreement between the parties
relating to the Software and supersedes any proposal or prior agreement, oral or written, and any
other communication relating to the subject matter. Both parties acknowledge that they have not
been induced to enter into this Agreement by any representations or promises not specifically
stated herein. Any conflict between the terms of this License Agreement and any Purchase Order,
invoice, or representation shall be resolved in favor of the terms of this License Agreement. In the
event that any clause or portion of any such clause is declared invalid for any reason, such
finding shall not affect the enforceability of the remaining portions of this License and the
unenforceable clause shall be severed from this license. Any amendment to this agreement must
be in writing and signed by both parties.

IN WITNESS WHEREOF, this Agreement has been executed by the parties hereto as of the date first below
written.

exida Innovation LLC

By: By:

(Print): Iwan van Beurden (Print):

Chief Technology Officer / Director of Product

Title: Title:
and Service Development

Date: Date:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 273 of 292
 exida exSILentia® Software License Agreement v1.8 – Standalone (July 8, 2020)
Copyright © 2000-2020 exida Innovation LLC
80 North Main Street
Sellersville, PA 18960
USA
exSILentia ® , SILect™, SILver™, PHAx™, LOPAx™, SERH, SILstat™, and SILalarm™ are trademarks of exida
Innovation LLC

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 274 of 292
 Software Service License Agreement –
exSILentia® Cloud
IMPORTANT – READ CAREFULLY: This Software Service License Agreement is the legal agreement
(“Agreement”) between you, the customer who has obtained access to the software service for the Term
of the agreement (“You”) and exida Innovation LLC (“exida”) with offices at 80 North Main Street,
Sellersville, PA, 18960, USA. Please read this agreement carefully before accessing or using all or any
portion of the exida exSILentia ® tool on the Cloud Licensing Platform (together with its accompanying
documentation, the “Software Service”). This agreement documents your access rights to the Software
Service for the Term of the agreement and contains warranty information and liability disclaimers.
THE TERMS AND CONDITIONS OF THIS AGREEMENT APPLY TO ANY AND ALL USE OF THE SOFTWARE
SERVICE BY YOU, WHETHER YOU ARE USING THE SOFTWARE SERVICE PURSUANT TO ANY TRIAL
PERIOD, OR THE TERM OF THIS AGREEMENT AND YOU AGREE TO BE BOUND BY THIS AGREEMENT
REGARDLESS OF THE TYPE OF USE OF THE SOFTWARE SERVICE BY YOU.
BY ACCESSING OR USING ALL OR ANY PORTION OF THE SOFTWARE SERVICE, OR BY PAYING FOR
THE SERVICE BY ANY MEANS OFFERED BY EXIDA, YOU ACCEPT ALL TERMS AND CONDITIONS OF
THIS AGREEMENT. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN
NEGOTIATED AGREEMENT SIGNED BY YOU. IF YOU DO NOT AGREE, DO NOT PAY FOR OR USE THE
SOFTWARE SERVICE.
IF YOU DID NOT ACQUIRE ACCESS TO THE SOFTWARE SERVICE FROM exida, THEN YOU MAY NOT
ENTER INTO THIS AGREEMENT OR USE THE SOFTWARE SERVICE. NO OTHER PARTY HAS THE RIGHT
TO TRANSFER ACCESS TO THE SOFTWARE SERVICE TO YOU.
The Software is owned by exida and is protected by copyright laws and international copyright treaties,
as well as other intellectual property laws and treaties. THIS AGREEMENT DOES NOT CONSTITUTE A
SALE OF THE SOFTWARE.
If you have any questions or concerns about this agreement, please contact exida at the above listed
address.

1. DEFINITIONS
a. “Affiliates” means any company or entity controlled by, controlling, or under common
control with You or exida. For the purposes of this definition, “control” shall mean the
power to cause the direction of the management of such company or entity, directly or
indirectly, whether through ownership of voting securities or otherwise, it being
understood that ownership of 50% or more of the voting securities of another shall in all
circumstances constitute control.
b. “exida” means exida Innovation LLC and its Affiliates
c. “You”, “Your” means you, your company, and your company’s Affiliates
d. “Documentation” means the user manuals and any other materials in any form or medium
customarily provided by exida to You which will provide sufficient information to access
and operate the Software Service properly, safely and efficiently
e. “Software” means the product provided to You, which includes the exSILentia ® tool and
the associated media, printed materials, and “online” or electronic documentation. The
Software includes any updates or new versions that may be provided to You.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 275 of 292
 f. “Software Service” means access to the “Software” via the Cloud Licensing Platform
g. “Maintenance” is defined in the Maintenance and Support Article, section 4 of this
agreement
h. “Term” is defined in the Term and Termination Article, section 9 of this agreement
i. “Proprietary Information” means all of Your and your affiliates plans, processes, products,
business information, data, technology, Information Resources, computer programs and
documentation and the like. It includes any information or material that (a) is marked
“Confidential”, “Restricted”, or “Proprietary Information” or other similar marking, (b) is
known by the parties to be considered confidential and proprietary, or (c) should be
known or understood to be confidential or proprietary by an individual exercising
reasonable commercial judgment.
2. OWNERSHIP. The Software is owned and copyrighted by exida. The access to the Software
Service granted to You confers no title or ownership in the Software and is not a sale of any rights
in the Software. exida warrants that it has full power and authority to grant the licenses and
rights granted under this License Agreement without the consent or approval of any third party.
a. All information, artwork, graphics, text, copy, data, software, and other material included
in the Software are exida’s exclusive intellectual property.
3. LICENSE
1. GRANT OF LICENSE. exida will provide and You and Your authorized Users will have
access to the Software Service during the Term, as defined in section 9, subject to this
Agreement. Subject to Your compliance with your obligations under this Agreement, You
are granted a non-exclusive, non-transferable, license during the Term of this Agreement
to:
a. Access and execute the Software on exida’s application server over the Internet.
b. Use the Documentation related to the Software.
c. Transmit data related to Your use of the Software to and from exida's application
server over the Internet and store such data on exida's application server.
d. Access and use exida's User interface on its website, https://my.exSILentia.com (the
“Site”).
2. SITE ACCESS.
a. Subject to the restrictions on use as set forth herein, You will have access to the
Software Service for its intended purpose and in accordance with the specifications
set forth in any Documentation relating to the Software Service provided by exida.
Such use and access will be continuous on a twenty-four (24) hour a day, seven (7)
day a week basis except for interruptions by reason of maintenance or downtime
beyond exida's reasonable control.
b. To access the Site the User will be provided a username and a password (the
“Login Credentials”). You are solely responsible in all respects for all use of and for
protecting the confidentiality of your Login Credentials. You agree to notify exida
immediately of any unauthorized use of your Login Credentials and any other
suspected breach of security regarding the Site. You are responsible for changing
your password if you believe your password has been stolen or might otherwise be
misused. exida has no duty or obligation to verify the identity of a user and may
assume, without independent investigation, that any person who logs on to this
Site through your Login Credentials does so with your consent and approval.
c. You will not:
i. Transmit or share identification or password codes to persons other than
authorized Users.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 276 of 292
 ii. Permit the identification or password codes to be cached in proxy servers
and accessed by individuals who are not authorized Users.
iii. Permit access to the Software Service through a single identification or
password code being made available to multiple users on a network.
d. You may not access the Software Service if you are a direct competitor of exida,
except with exida's prior written consent. In addition, you may not access the
Software Service for purposes of monitoring its availability, performance or
functionality, or for any other benchmarking or competitive purposes.
e. You will be responsible for all equipment and software required for You to access
the Internet including, without limitation, a web browser compatible with the exida
Software Service.
3. DOCUMENTATION. You are hereby granted the right to reproduce the user manuals and
other written materials created by exida to describe the functionality and use of the
Software (the “Documentation”) and to distribute a single copy of the Documentation in
soft form or in print to each user over Your internal network.
4. LICENSE RESTRICTIONS. You shall not grant access to the Software or Software Service
to any persons or entities other than those of Your employees and on-site contractors who
are located at Your facilities nor shall You sell, lease or distribute the Software or Software
Service to any person or entity as a standalone or bundled product or make any other
commercial use thereof. You shall not modify, reverse engineer, decompile, or
disassemble the Software or Software Service. You shall not adapt, translate, or create
derivative works based on the Software, Software Service, or the Documentation without
the prior written approval of exida. You shall not exceed the scope of the license granted
in Sections 3.1, 3.2, and 3.3 above. You shall not export the Software, Software Service, or
Documentation, or any copies thereof, to any user in violation of applicable laws and
regulations.
5. COPYRIGHT. exida owns the Software and related Documentation and their copyrights
that are protected by United States copyright laws and international treaty provisions.
This Agreement does not and shall not be construed as transferring ownership rights of
the Software, Documentation, any modifications thereto or any related materials to You or
to any third party. exida owns and shall retain all right, title and interest in the Software,
including all copyrights, patents, trade secret rights, trademarks, and other intellectual
property rights therein. You shall retain all copyright and trademark notices on the
Software and Documentation and as otherwise necessary to protect exida intellectual
property rights.
6. YOUR RESPONSIBILITY. You expressly agree to be fully responsible for compliance by
Your employees and on-site contractors with the applicable terms of this Agreement.
4. MAINTENANCE AND SUPPORT.
1. SUPPORT.
a. Limited Technical Support. During the term of this agreement You are entitled to
limited technical support. exida will provide technical support via its support
website http://support.exida.com . Safety Instrumented Function Engineering
Services are excluded from the exida support under this agreement.
b. During the Term of this Agreement, You shall be entitled to technical support for a
duration, prorated based on the duration of the Term, of 2 hours per year for each
concurrent user license. Bug reporting and resolution is not counted towards your
technical support allotment.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 277 of 292
 2. MAINTENANCE AND UPDATES.
a. Definitions. For the purposes of this section, the following shall apply:
i. Bug Fix: The term “Bug Fix” means any engineering patch intended to fix
bugs and errors in the Software.
ii. Functionality Update: The term “Functionality Update” means any new
release of the Software. During the Term of this Agreement, You will have
access to all Functionality Updates as they are implemented to the Software
or Software Service. Updates do not include any exida software, which
constitutes a separate product by virtue of different features or
functionality. Updates do not include standalone products that can be
integrated with the Software.
iii. Equipment Database Update: The term “Equipment Database Update”
means any new version of the Safety Equipment Reliability Handbook
Database embedded in the Software. During the Term of this Agreement,
You will have access to all Equipment Database Updates as they are issued
to the Software or Software Service. Equipment Database Updates are
issued quarterly.
iv. Maintenance: The term “Maintenance” means technical support,
Functionality Updates, and Equipment Database Updates, provided during
the Term of this Agreement.
v. Maintenance Period. The term “Maintenance Period” for the Software of
Software Service is equal to the Term of this Agreement.
b. Delivery of Updates. Updates are deployed to the Software Service when they
become available. No action is needed by You to implement an update.
c. License to Updates. exida hereby grants You a nonexclusive; nontransferable
license during the Term of this Agreement to use the Updates delivered under this
section.
5. RESTRICTED USE.
a. You agree to use reasonable efforts to prevent unauthorized access of the Software
Service
b. You agree to use reasonable efforts to prevent unauthorized copying of the Software
c. You may not disable any licensing or control features of the Software Service or allow the
Software Service to be used with such features disabled
d. You may not share, rent, or lease Your right to use the Software Service
e. You may not modify, sublicense, copy, rent, sell, distribute or transfer any part of the
Software or Software Service except as provided in this Agreement
f. You may not reverse engineer, decompile, translate, create derivative works, decipher,
decrypt, disassemble, or otherwise convert the Software to a more human-readable form
for any reason
g. You may not use the Software Service for any purpose other than to perform safety
lifecycle tasks in accordance with the accompanying documentation
h. You may not remove, alter, or obscure any confidentiality or proprietary notices (including
copyright and trademark notices) of exida on, in, or displayed by the Software and
Software Service
i. You will cease accessing the Software Service if and when Your right to use it ends
j. You agree to use the Software or Software Service in a manner consistent with this
Agreement and with all applicable laws and regulations, including without limitation, all
copyright, trademark, patent, trade secret and export control laws, as well as those laws

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 278 of 292
 prohibiting the use of telecommunications facilities to transmit illegal, obscene,
threatening, harassing, or other offensive messages.
k. You acknowledge that exida is not responsible for any use or misuse of the Software
Service by Your employees and on-site contractors who are located at Your facilities. In
particular, You will not, nor shall You permit or assist others, to abuse or fraudulently use
the Software Service, including but not limited to:
i. Obtaining or attempting to obtain access to the Software Service by any
unauthorized means or device with intent to avoid payments.
ii. Using the Software Service to interfere with the use of the Software Service by
other companies or users.
6. PROPRIETARY INFORMATION.
1. EXIDA SHALL
a. Not use or disclose Proprietary Information to any third party except as is clearly
necessary to provide the Services, provided such party is bound by a written
confidentiality agreement with terms no less stringent than the terms herein.
b. Not attempt to access any portion of Information Resources without authorization
of You. If unauthorized access is nevertheless obtained, whether inadvertently or
otherwise, exida shall have a duty to promptly report to You, in writing, each
instance thereof, setting out the extent and circumstances of such access.
c. Not attempt to defeat any security provisions maintained by You for the protection
of Information Resources or information contained therein.
d. Not remove, copy, alter, or install any software or information or data on any of
Your computers unless specifically authorized by You in connection with the
Services or make any attempt to learn or document passwords or other
information which could facilitate unauthorized access to Information Resources.
e. Require each of its employees, contractors and agents needing access to
Information Resources to obtain passwords from Your authority responsible for the
security of Information Resources, to use and protect passwords as required by
You, and to follow such protocols governing access as may be set out by You.
2. CONFIDENTIALITY. Neither party shall, during the term of this Agreement or thereafter,
disclose, make commercial or other use of, give or sell to any person, firm, or corporation,
any information of the other party that is treated and identified in writing as confidential,
except either party may disclose such information if (i) required to do so pursuant to
applicable law; (ii) it was rightfully in their possession from a source other than the other
party prior to the time of disclosure of said information; (iii) it was in the public domain
prior to the time of receipt; (iv) it became part of the public domain after the time of
receipt by any means other than an unauthorized act or omission by such party; (v) it is
supplied after the time of receipt without restriction by a third party who is under no
obligation to maintain such information in confidence; or (vi) it was independently
developed prior to the time of receipt. Both parties will use at least the same standard of
care as they do to protect their own Proprietary Information to ensure that their
employees, agents or consultants do not disclose or make any unauthorized use of such
Proprietary Information. Both parties will promptly notify the other party upon discovery
of any unauthorized use or disclosure of the Proprietary Information.
3. TERMINATION OF exida’s RIGHT TO POSSESS PROPRIETARY INFORMATION. Upon final
acceptance or earlier termination of this Agreement for any reason, exida's rights to
possession and use of any of the Proprietary Information in connection with the

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 279 of 292
 performance of its obligations hereunder or otherwise shall terminate and exida shall
immediately deliver to You all of the Proprietary Information and all copies of any portion
thereof. exida shall, upon completion of such delivery, certify in writing to You that it has
fulfilled its obligations under this Article. exida will keep one copy of all Proprietary
Information provided for future reference and legal liability requirements.
4. USAGE DATA. You hereby grant to exida a non- exclusive, fully paid, world- wide and
irrevocable license permitting exida to copy, anonymize, aggregate, process and display
Your Data to derive anonymous statistical and usage data, and data about the
functionality of the Software Service, provided such data cannot be used to identify You or
Your individual users ("Anonymous Data"), for the purposes of combining or incorporating
such Anonymous Data with or into other similar data and information available, derived or
obtained from other customers, licensees, users, or otherwise (when so combined or
incorporated, referred to as "Aggregate Data"), so as to permit exida to provide services
including the copying, publication, distribution, display, licensing or sale of Aggregate
Data and related or similar other statistics or data to third parties (and to You should You
elect to subscribe for same) pursuant to a separate licensing or services arrangement or
agreement. exida will be the owner of all right, title and interest in and to Aggregate Data.
Any access by You to Aggregate Data shall be pursuant to an additional license or services
agreement.
7. WARRANTY AND DISCLAIMER.
1. DISCLAIMER OF WARRANTY. The Software is provided on an “AS IS” basis, without
warranty of any kind, including, without limitation, the warranties of merchantability,
fitness for a particular purpose, non-infringement title, and results. The entire risk as to
the quality and performance of the Software is borne by You. If the Software is intended to
link to, extract content from or otherwise integrate with a third party product, exida
makes no representation or warranty that Your particular use of the Software is or will
continue to be authorized by law in Your jurisdiction or that the third party product will
continue to be available to You.
Except as otherwise provided herein, exida makes no representation, warranty, or
guaranty as to the reliability, timeliness, quality, suitability, truth, availability, accuracy or
completeness of the service or any component. exida does not represent or warrant that:
a. The use of the Software Service will be secure, timely, uninterrupted or error-free,
or operate in combination with any other hardware, service, system or data
b. The Software Service will meet your requirements or expectations
c. Any stored data will be accurate or reliable
d. The quality of any information obtained by you through the Software Service will
meet your requirements or expectations
e. Errors or defects will be corrected
f. The Software Service or the communication facilities, including, without limitation,
the internet that make the Software Service available are free of viruses or other
harmful components or are secure from interruption, interception or corruption by
third parties.
This disclaimer of warranty constitutes an essential part of the agreement.
2. WARRANTY. exida warrants that the Software does not infringe the intellectual property
rights of any third party. exida warrants the Software Service will be provided in
conformity with generally prevailing industry standards.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 280 of 292
 8. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
TORT, CONTRACT, OR OTHERWISE, SHALL exida BE LIABLE TO YOU OR ANY OTHER PERSON
OR SHALL YOU BE LIABLE TO exida OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL,
PUNITIVE, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR WORK STOPPAGE, COMPUTER FAILURE OR LOSS OF
REVENUES, PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE OR ECONOMIC LOSSES.
IN NO EVENT WILL exida BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT PAID TO
LICENSE THE SOFTWARE, EVEN IF YOU OR ANY OTHER PARTY SHALL HAVE INFORMED exida
OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM. NO CLAIM, REGARDLESS OF
FORM, MAY BE MADE OR ACTION BROUGHT BY YOU MORE THAN ONE YEAR AFTER THE BASIS
FOR THE CLAIM BECOMES KNOWN TO THE PARTY ASSERTING IT.
9. TERM AND TERMINATION.
1. TERM. The term of this Agreement will commence the day the web site interface for the
Software Service is accessible to you via the Internet, and will continue for a period of one
year, six months, or three months, as selected by You or for such other initial term as
otherwise mutually agreed upon (the "Term").
2. TERM RENEWAL. If exida continues to offer the Software Service, You may renew the
Term by delivering exida a purchase order for a Term Renewal. The Term Renewal will
either extend the existing Term if the Term has not expired yet, or commence the day the
web site interface for the Software Service is accessible to you via the Internet. If You elect
to renew the Term, You must do so for the number of licenses covered under this
Agreement. A change in the number of licenses will constitute the creation of a new
agreement. As a courtesy, exida agrees to notify you via automated message prior to the
expiration of the Term to allow ample time for renewal. exida assumes no responsibility
for lapses in the Term that occur as a result of You failing to renew the Term before its
expiration.
3. END TO SITE ACCESS. Upon any expiration or termination of this Agreement:
a. Your right to use the Site and Software Services shall cease, and exida shall have no
further obligation to make the Site or Software Services available to you
b. Except as otherwise expressly stated herein, all right and licenses granted to you
under this Agreement will immediately cease
c. You will pay any unpaid fees payable for the remainder of the then-current term in
effect prior to the expiration or termination date.
4. TERMINATION. exida may terminate Your license if You do not abide by the license terms.
Upon termination of license, You shall immediately discontinue the use of the Software
Service. Your obligations to pay accrued charges and fees, if any, shall survive any
termination of this Agreement. License fees are not pro-rated upon termination of the
license because of Your breach of the license terms. You agree to indemnify exida for
reasonable attorney fees in enforcing its rights pursuant to this license. Sections 2, 5, 7, 8,
9 and 15 will survive expiration or termination of this Agreement for any reason.
10. exSILentia® USE. You are required to perform any verification activities when using the software
as described in the Documentation.
11. VOID WHERE PROHIBITED. Although the Site is accessible worldwide, not all products or
services discussed or referenced in or on the Site are available to all persons or in all geographic
locations or jurisdictions. exida reserves the right to limit the availability of the Site and/or the
provision of any Software Service described thereon to any person, geographic area, or
jurisdiction it so desires, at any time and in its sole discretion, and to limit the quantities of any

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 281 of 292
 such products or services that it provides. Any offer for any Software Service made on the Site is
VOID where prohibited.
12. THIRD PARTY PRODUCTS.
a. The Software may make use of 3 rd party content. This 3 rd party content will be used per
the usage agreements and other restrictions set forth by the 3 rd party. exida agrees to
bear all responsibility for the proper implementation of embedded 3rd party content.
b. The Software Service may rely on 3rd party content to enable You to use the Software
Service. This 3rd party content will be used per the usage agreements and other
restrictions set forth by the 3rd party. exida agrees to bear all responsibility for the proper
implementation of embedded 3rd party content.
c. This Software may have the ability to make use of, link to, or integrate with 3 rd party
content not embedded within the Software or not required to enable You to use the
Software or Software Service. The availability of this content is at the sole discretion of the
3 rd party content providers and may be subject to usage agreements and other
restrictions. You agree to indemnify and hold harmless exida from all claims, damages,
and expenses of whatever nature that may be made against exida by these 3 rd party
content providers as a result of Your use of the Software.
13. GENERAL.
1. ENGINEERING SERVICES. There are no Engineering Services provided under this
Agreement. Support and other services, if available, must be purchased separately from
exida
2. APPLICABLE LAW. This license shall be interpreted in accordance with the laws of the
Commonwealth of Pennsylvania, USA without giving effect to any choice of law principles
that would require the application of the laws of a different state or country. Any disputes
arising out of this license shall be adjudicated in a court of competent jurisdiction in
Pennsylvania, USA. The United Nations Convention on Contracts for the International Sale
of Goods and the Uniform Computer Information Transactions Act (USA) do not apply to
this Agreement.
3. GOVERNING LANGUAGE. Any translation of this License is done for local requirements
and in the event of a dispute between the English and any non- English versions, the
English version of this License shall govern.
4. COMPLIANCE WITH LAWS. You will comply with all applicable export and import control
laws and regulations in your use or re-exportation of the Software or Software Service
and, in particular, you will not export or re- export the Software or Software Service
without all required United States Bureau of Export and Administration licenses. You will
defend, indemnify, and hold harmless exida and its suppliers from and against any
violation of such laws or regulations by You.
5. RELATIONSHIP BETWEEN THE PARTIES. The parties are independent contractors and
neither party is the agent, partner, employee, fiduciary, or joint venture of the other party
under this Agreement. You may not act for, bind, or otherwise create or assume any
obligation on behalf of exida. There are no third party beneficiaries under this Agreement.
6. EXPORT OF TECHNICAL DATA. Neither party shall export, directly or indirectly, any
technical data acquired from the other party or any of its affiliated companies, or any
direct product of that technical data, to any other country for which the United States
Government or any agency of that government at the time of export requires an export
license or other governmental approval without first obtaining that license or approval,
when required by applicable United States law.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 282 of 292
 7. ASSIGNMENTS. You may not assign or transfer, by operation of law or otherwise, your
rights under this Agreement (including your licenses with respect to the Software Service)
to any third party without exida’s prior written consent. Any attempted assignment or
transfer in violation of the foregoing will be void. exida may freely assign its rights or
delegate its obligations under this Agreement.
8. SEVERABILITY. If any provision of this Agreement is held unenforceable by a court, such
provision may be changed and interpreted by the court to accomplish the objectives of
such provision to the greatest extent possible under applicable law and the remaining
provisions will continue in full force and effect. Without limiting the generality of the
foregoing, you agree that Section 8 will remain in effect notwithstanding the
unenforceability of any other provision of this Agreement.
9. FORCE MAJEURE. Neither party will be held responsible for any delay or failure in
performance of any part of this Agreement to the extent that such delay is caused by
events or circumstances beyond the delayed party's reasonable control. Lack of funds
does not entitle a party to claim force majeure.
10. STATUTE OF LIMITATIONS. You and exida agree that any cause of action arising out of or
related to this service must commence within one (1) year after the cause of action arose;
otherwise, such cause of action is permanently barred. Some jurisdictions may prohibit
the shortening of the time period in which a cause of action must be brought. In all such
jurisdictions, the applicable time period shall be the minimum allowed by law.
11. TRADEMARKS AND TRADE NAMES. Nothing in this Agreement shall confer on You any
right to use any trademark or trade name belonging to exida.
14. ENTIRE AGREEMENT. This Agreement constitutes the entire agreement between the parties
relating to the Software Service and supersedes any proposal or prior agreement, oral or written,
and any other communication relating to the subject matter. Both parties acknowledge that they
have not been induced to enter into this Agreement by any representations or promises not
specifically stated herein. Any conflict between the terms of this License Agreement and any
Purchase Order, invoice, or representation shall be resolved in favor of the terms of this License
Agreement. In the event that any clause or portion of any such clause is declared invalid for any
reason, such finding shall not affect the enforceability of the remaining portions of this License
and the unenforceable clause shall be severed from this license. Any amendment to this
agreement must be in writing and signed by both parties.

IN WITNESS WHEREOF, this Agreement has been executed by the parties hereto as of the date first below
written.

exida Innovation LLC

By: By:

(Print): Iwan van Beurden (Print):

Chief Technology Officer / Director of Product

Title: Title:
and Service Development

Date: Date:

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 283 of 292
 exida exSILentia® Software License Agreement v1.8 – Cloud (July 8, 2020)

Copyright © 2000-2020 exida Innovation LLC

80 North Main Street
Sellersville, PA 18960
USA
exSILentia ® , SILect™, SILver™, PHAx™, LOPAx™, SERH, SILstat™, and SILalarm™ are trademarks of exida
Innovation LLC

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 284 of 292
 Open Source Disclosure
Effective date: December 16, 2021
exida products include third-party code licensed to exida for use and redistribution under open-source
licenses. Below is a list of disclosures and disclaimers in connection with exida’s incorporation of certain
open-source licensed software into its products. Notwithstanding any of the terms and conditions of
your license agreement with exida, the terms of certain open-source licenses may be applicable to your
use of exida’s products, as set forth below.
This list of open-source code was compiled with reference to third-party software incorporated into the
products as of the date the list was generated. This list may be updated from time to time and may not
be complete.
ALL INFORMATION HERE IS PROVIDED "AS IS". exida AND ITS SUPPLIERS MAKE NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS LIST OR ITS
ACCURACY OR COMPLETENESS, OR WITH RESPECT TO ANY RESULTS TO BE OBTAINED FROM USE
OR DISTRIBUTION OF THE LIST. BY USING OR DISTRIBUTING THIS LIST, YOU AGREE THAT IN NO
EVENT SHALL EXIDA BE HELD LIABLE FOR ANY DAMAGES WHATSOEVER RESULTING FROM ANY USE
OR DISTRIBUTION OF THIS LIST, INCLUDING, WITHOUT LIMITATION, ANY SPECIAL,
CONSEQUENTIAL, INCIDENTAL OR OTHER DIRECT OR INDIRECT DAMAGES.

Castle Core
Copyright © 2004-2018 Castle Project - http://www.castleproject.org/
You may obtain a copy of the license at http://www.apache.org/licenses/LICENSE-2.0.html
CommandLineParser
Copyright © 2005 - 2018 Giacomo Stelluti Scala & Contributors
You may obtain a copy of the license at https://opensource.org/licenses/MIT
CoreCLR-NCalc
Copyright © Sebastian Klose
You may obtain a copy of the license at https://opensource.org/licenses/MIT
Dapper
The Dapper library and tools are licensed under Apache 2.0: http://www.apache.org/licenses/LICENSE-
2.0
Humanizer
Copyright © .NET Foundation and Contributors
You may obtain a copy of the license at https://opensource.org/licenses/MIT
MathNet.Numerics
Copyright © 2002-2018 Math.NET Project
You may obtain a copy of the license at https://numerics.mathdotnet.com/License.html
Morelinq
Copyright © 2008 Jonathan Skeet.

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 285 of 292
 Portions Copyright © 2009 Atif Aziz, Chris Ammerman, Konrad Rudolph.
Portions Copyright © 2010 Johannes Rudolph, Leopold Bushkin.
Portions Copyright © 2015 Felipe Sateler, “sholland”.
Portions Copyright © 2016 Andreas Gullberg Larsen, Leandro F. Vieira (leandromoh).
Portions Copyright © 2017 Jonas Nyrup (jnyrup).
Portions Copyright © Microsoft. All rights reserved.
You may obtain a copy of the license at http://www.apache.org/licenses/LICENSE-2.0.html
Prism.Core
Copyright © .NET Foundation
You may obtain a copy of the license at https://opensource.org/licenses/MIT
protobuf-net
Copyright © 2008 Marc Gravell
You may obtain a copy of the license at http://www.apache.org/licenses/LICENSE-2.0.html
Serialize.Linq
Copyright © 2012-2018 Sascha Kiefer
Copyright © 2007 Free Software Foundation, Inc. - http://fsf.org/
You may obtain a copy of the license at https://www.gnu.org/licenses/gpl-3.0.en.html

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 286 of 292
 Index
A

Action Items 46
Architectural Constraints 193

Batch Operation 195

Cause 127
Import 90
Library 89
Reorder IDs 91
Column Visibility 135
Conditional Modifier 153
Import 100
Library 99
Reorder IDs 100
Consequence 127, 244
Category 75
Continuous Editing 135
Countermeasures 245
Custom Data 65
Cyber Event Scenario 246
Cyber Node 242
Cyber Security Checklist 53
Cyber Zone 241

Data Export 85
LOPAx 163
PHAx 141
Data Import 87

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 287 of 292
 Data Transfer
LOPA to SILect 172
PHA to LOPA 160
Safeguard to SRS 185
SILver to LOPA 161
Database
LOPA 105
SERH 107
Deviation 57-58, 125

Enabling Condition 148

Import 98
Library 98
Reorder IDs 99

Hardware Fault Tolerance 193

Hazard Scenario 28, 131
Library 96
Reorder IDs 97
Hierarchy
Cyber Project 241
Project 123, 133

I/O Channel to Module Connection 195

IEC 61511 Checklist 54
Import
Causes 90
Conditional Modifiers 100
Enabling Conditions 98
Recommendations 93
References 96
Safeguards 92
Independent Protection Layers 150

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 288 of 292
 Initiating Event 146
Instrumented Protection Function 168

Library 89
Causes 89, 146
Conditional Modifier 153, 251
Conditional Modifiers 99
Countermeasure 245
Enabling Condition 148
Enabling Conditions 98
Final Element Groups 203
Hazard Scenarios 96
Independent Protection Layer 150
Kill Chain Relevance 252
Logic Solver 210
Recommendations 92, 131, 246
References 95
Safeguards 91, 128
Sensor Groups 197
Likelihood 127, 244
Category 76
Likelihood Matrix 77
LOPA Database 105
exida 106
Generic 106
User Defined Data 106

Mission Time 194

Navigation
Dashboard 27, 45
PHAx™ 132

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 289 of 292
 Node 124
Types 57

Parking Lot Items 47

Plant Types 55
Prior-Use 193
Project
Configuration 55
Hierarchy 123
Information 53
Project Abbreviations 69
Project Definitions 70
Proof Test 227
Proof Test Coverage 30, 227
Proof Testing 199, 205
Proven-In-Use 193

Recommendation 131, 246

Category 60
Import 93
Library 92
LOPAx 162
Reorder IDs 94
Reference
Import 96
Library 95
Reorder IDs 96
Type 63
Reorder IDs
Causes 91
Conditional Modifiers 100
Enabling Conditions 99
Hazard Scenarios 97
Recommendations 94

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 290 of 292
 References 96
Safeguards 92
Report Generation 83
CyberPHAx 247
Lifecycle Cost Estimator 239
LOPAx 162
PHAx 136
SILect 174
SILver 221
SRS 185
Required Risk Reduction Factor 155
Reuse
Project Configuration 73
Risk Configuration 81
Risk Graph 78
Risk Matrix 75, 78, 130, 246

Safeguard 128
Category 59
Import 92
Labels 130
Library 91
Reorder IDs 92
Sessions 49
Severity Category Visibility 157
Severity Matrix 76
SIF Demand Mode 194
SIL Selection
LOPA 169
Risk Graph 170
Risk Matrix 171
SIL Threshold 80
Site Safety Index 195
Smart Deviations 57, 124-125

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 291 of 292
 Smart Threat Vectors 242-243
SRS
SIF General 182
SIF Specific 183
SIS General 179
Startup Time 194
Systematic Capability 193

Target Frequency 145

Target Safety Integrity Level 169, 171-172
Team Members 48
Team Roles 64
Threat 244
Threat Vector 243

Unit 123
Upgrading 111

© exida Innovation LLC exSILentia® v4 User Guide - Safety Page 292 of 292