Results of the IEC 61508 Functional Safety Assessment
Project:
DeltaV SIS with Electronic Marshalling
Customer:
Emerson Process Management
Fisher Rosemount Systems
Austin, TX
USA
Contract No.: Q15/09-137
Report No.: FRS 11-03-091 R002
Version V1, Revision R5, June 14, 2016
Michael Medoff, John Yozallinas
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management summary
This report summarizes the results of the functional safety assessment according to IEC 61508
carried out on the:
DeltaV SIS with Electronic Marshalling and the addition of Local Safety Network Gateway (LSNG) and I/O CHARMs.
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by Emerson Process Management, Fisher Rosemount Systems, through an audit and creation of a detailed safety case against the requirements of IEC 61508:2010.
- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior. This included detailed Markov models of the fault tolerant architectures, done in order to show accurate average probability of failure on demand.
- exida assessed the product features and capabilities according to a series of Application Standards for the logic solver portion of a system. The Application Standards included: NFPA 72:2007, NFPA 85:2007, NFPA 86:2011, NFPA 87:2011, EN50156-1:2004, EN54-2-A1:2006, EN50402-1-A1:2004, and EN298:2012.
The functional safety assessment was performed to the SIL 3 requirements of IEC 61508:2010. A
full IEC 61508 safety case was prepared using the exida SafetyCase audit tools. Hardware and
software process requirements and all associated documentation were reviewed. Also, the user
documentation (safety manual) was reviewed. The results of the Functional Safety Assessment
can be summarized by the following statements:
- The audited development process, as tailored and implemented by the Fisher Rosemount Systems DeltaV SIS with Electronic Marshalling development project, complies with the relevant safety management requirements of IEC 61508 SIL 3.
- The assessment of the FMEDA shows that the DeltaV SIS with Electronic Marshalling was found to meet the requirements of SIL 3, single use (HFT = 1 or 0). DeltaV SIS with Electronic Marshalling was found to meet the specific logic solver requirements of the listed system Application Standards.
- The Local Safety Network Gateway (LSNG) is limited to a maximum of SIL 2 with HFT = 0.
The manufacturer will be entitled to use the Functional Safety Logos.
© exida
Michael Medoff, John Yozallinas
frs 11-03-091 r002 v1r5 iec 61508 assessment deltav sis elecmarsh.doc,
Page 2 of 22
Table of Contents
Management summary ........ 2
1 Purpose and Scope ........ 4
1.1 Tools and Methods used for the assessment ........ 4
2 Project management ........ 5
2.1 exida ........ 5
2.2 Roles of the parties involved ........ 5
2.3 Standards / Literature used ........ 5
2.4 Reference documents ........ 5
2.4.1 Documentation provided by Emerson Process Management ........ 5
2.4.2 Documentation generated by exida ........ 9
2.5 Assessment Approach ........ 9
3 Product Description ........ 11
4 IEC 61508 Functional Safety Assessment ........ 13
4.1 Assessment level ........ 13
5 Results of the IEC 61508 Functional Safety Assessment ........ 14
5.1 Lifecycle Activities and Fault Avoidance Measures ........ 14
5.1.1 Functional Safety Management ........ 14
5.1.2 Safety Requirements Specification and Architecture Design ........ 15
5.1.3 Hardware Design ........ 15
5.1.4 Software (Firmware) Design ........ 16
5.1.5 Validation ........ 16
5.1.6 Verification ........ 17
5.1.7 Modifications ........ 17
5.1.8 User documentation ........ 18
5.2 Hardware Assessment ........ 19
6 Terms and Definitions ........ 20
7 Status of the document ........ 21
7.1 Liability ........ 21
7.2 Releases ........ 21
7.3 Future Enhancements ........ 21
7.4 Release Signatures ........ 22
1 Purpose and Scope
This document shall describe the results of a full safety assessment and renewal surveillance audit
by exida according to the necessary functional safety standard IEC 61508:2010, parts 1-7. It also
includes relevant application standards:
NFPA 72:2007, NFPA 85:2007, NFPA86:2011, NFPA87:2011,
EN50156-1:2004, EN54-2-A1:2006, EN50402-1-A1:2004, and EN298:2012.
The full safety assessment includes an assessment of all fault avoidance and fault control
measures during hardware and software development. Supporting documents are listed in section
2.4.1.
The assessment has been carried out based on the quality procedures and scope definitions of exida.
The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.
1.1 Tools and Methods used for the assessment
This assessment was carried out using the exida Safety Case tool. The Safety Case tool contains the exida scheme, which includes all the relevant requirements of IEC 61508.
For the fulfillment of the objectives, expectations are defined which build the acceptance level for the assessment. The expectations are reviewed to verify that each single requirement is covered. Because of this methodology, comparable assessments in multiple projects with different assessors are achieved. The arguments for the positive judgment of the assessor are documented within this tool and summarized within this report.
The assessment was planned by exida and agreed with Emerson Process Management by proposal. All assessment steps were continuously documented by exida (see [R4] and [R20]).
2 Project management
2.1 exida
exida is one of the world’s leading accredited Certification Bodies and knowledge companies
specializing in automation system safety and availability with over 300 years of cumulative
experience in functional safety. Founded by several of the world’s top reliability and safety experts
from assessment organizations and manufacturers, exida is a global company with offices around
the world. exida offers training, coaching, project oriented system consulting services, safety
lifecycle engineering tools, detailed product assurance, cyber-security and functional safety
certification, and a collection of on-line safety and reliability resources. exida maintains a
comprehensive failure rate and failure mode database on process equipment based on 150 billion
hours of field failure data.
2.2 Roles of the parties involved
Emerson Process Management | Manufacturer of the DeltaV SIS with Electronic Marshalling
exida | Performed the Functional Safety Assessment
Emerson Process Management contracted exida for the IEC 61508 Functional Safety Assessment of the above mentioned devices.
2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508:2010 (Parts 1 - 7): Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
2.4 Reference documents
2.4.1 Documentation provided by Emerson Process Management
Reference Number | Document Name ( [Dxxx] = SCDB log entry in [R4] ) | Revision; Date
[D01] | Functional Safety Management Plan: DeltaV CHARMs SIS | 3.2; 11/26/2012
[D100] | Safety Measures Integration Test Results | NA; 11/23/2012
[D110] | EMC Test Results | 0; 12/13/2012
[D111] | Validation Test Results | 7; 1/11/2013
[D119a] | DeltaV CHARMs SIS SRS Validation Test Plan Review Checklist | NA; 11/7/2012
[D160] | DeltaV SIS Charms Safety Manual | November 2012: Draft 1; 11/11/2012
[D180] | Emerson Impact Analysis Process Template | NA; 9/15/2011
[D189] | exida Modification Phase Verification Checklist | NA; 10/12/2012
[D23] | C/C++ Software Coding Standards | 1.0; 4/25/2011
[D30] | DeltaV CHARMs SIS Safety Requirements Specification | 2.6; 01/08/2013
[D35] | SIS CHARMs SRS Validation Test Plan | 4; 11/29/2012
[D36] | Emerson Safety Validation Test Plan Review Checklist | A; 11/7/2012
[D39] | Safety Measures Module Test Results Template | 0.0; 11/6/2012
[D40] | DeltaV CHARMs SIS System Description | 1.19; 11/21/2012
[D41.1] | Integration Test Plan/Results - Delta V CHARMs SIS - Inc 4 | NA; 8/17/2012
[D41] | Integration Test Plan Overview | 0.2; 11/15/2012
[D43] | Derived Requirements Document - included in [D30] |
[D49] | Emerson System Architecture Review Checklist - Delta V SIS CHARMs |
[D50] | Detailed Design Description - Documented in many documents such as D50a |
[D50a] | KL2001X1 CSLS / SZ Controller Hardware Specification | A; 9/27/2012
[D51] | CSLS Secure Data Item Safety Communications Analysis | V1R2; 4/16/2011
[D53] | Fault Injection Test Plan - stored in multiple documents such as D53a. |
[D53a] | CSLS Product Fault List |
[D55] | Schematics |
[D56] | Emerson Integration Test Overview Template | 0.0; 4/27/2011
[D57] | Emerson Safety Requirements Specification Template | 0.01; 5/17/2011
[D58] | DeltaV CHARMs SIS Project Support Tools | 2.0; 12/3/2012
[D59] | Technology Program Management Plan (PMP) | NA; 11/8/2012
[D60] | IEC 61508 Tables | 2.2; 11/12/2012
[D61] | Fault Injection Test Results | NA; 11/29/2012
[D70] | DeltaV CHARMs SIS Software Architecture Description | 2.9; 6/27/2011
[D71] | Detailed Software Design Specification - documented in many documents |
[D71a] | CSLS Common Subsystem Design | 1.5; 11/12/2012
[D77] | QMS0539: Report on C Compiler Validation for the Neutrino RTOS Safe Kernel | 3.0; 10/24/2012
[D79a] | Delta V Charms SIS software architecture and design verification checklist | NA; 11/20/2012
[D81] | Code Review and Module Test Verification Report | NA; 12/19/2012
[D82] | Module Testing Overview | 1.0; 11/26/2012
[D83] | QCC Toolchain Qualification Report | 1.1; 11/30/2012
(Two revision/date entries, "NA; 11/20/2012" and "NA; 11/7/2012", belong to rows above whose revision column is blank; the source does not show which.)
[D84] | Microsoft Visual Studio CL Compiler Tool Chain Qualification Report | 1.0; 11/30/2012
[D85] | LS DVC Hardware Design Checklist | 1.0; 12/3/2012
[D86] | LS DOUT HW Design Checklist | 1.0; 12/3/2012
[D87] | CSLS Hardware Design Review Checklist | 1.1; 12/3/2012
[D91] | Module Test Records - various records reviewed during on-site audit |
[D92] | DeltaV SIS CHARMs On-site Assessment Summary | NA; 12/5/2012
[D94] | Verification Plan | NA; 01/10/2013
[D95] | Detailed Integration Test Procedures |
[D96] | Detailed Validation Test Procedures |
[D161a] | Delta V CHARMs SIS Safety Manual Review Checklist (Completed) | 0.1; 7/31/2012
[D107] | Delta V Technology Incident Management Guidelines | D; 11/1/2011
2.4.1.1 Updated Documentation provided by Emerson Process Management
Reference Number | Document Name ( [Dxx] = SCWB log entry in [R20] ) | Revision; Date
D200 | Functional Safety Management Plan: DeltaV CHARMs SIS [D26] | 3.14; 4/8/2015
D201 | DeltaV SIL2 Verification Plan [D29] | For v13.3; Apr.2015
D202 | DeltaV CHARMs SIS Safety Requirements Specification [D40] | 3.7; SEP.2014
D203 | Overall Traceability [D56] | NA; Mar.2015
D204 | Software Test Coverage Analysis [D57] | 1.3; Dec.2014
D205 | LSNG Code Review Example [D58] | ID 1835; Nov.2014
D206 | SIS Design And Coding Standard [D60] | 2; Apr.2015
D207 | SIS Standard Lint Results [D62] | NA; Mar.2015
D208 | LSNG Software Module Test Results [D66] | 1.3; 4/9/2015
D209 | LSNG Safety Integration Test Results [D68] | 1.0.0.62; 1/23/2015
D210 | SRS Validation Test Plan Review [D70] | G; 3/31/2015
D211 | SRS Validation Test Results [D74] | 14; 3/30/2015
D212 | DeltaV SIS Charms Safety Manual [D79] | NA; Dec.2014
D213 | Safety Manual Review [D80] | NA; Dec.2014
D214 | ECRN 22282.pdf [D81] | NA; May.2014
D215 | ECRN 22108.pdf [D81b] | NA; Jul.2013
D216 | ECRN 22180.pdf [D81c] | NA; Jan.2014
D217 | ECRN 22282.pdf [D81d] | NA; May.2014
D218 | Impact Analysis ECRN 22082 22083.pdf [D88] | NA; May.2013
D219 | Impact Analysis ECRN 22108.pdf [D88b] | NA; Jun.2013
D220 | Impact Analysis ECRN 22180.pdf [D88c] | NA; Jan.2014
D221 | Impact Analysis ECRN 22282.pdf [D88d] | NA; Apr.2014
D222 | DeltaV SIS with Electronic Marshalling.xlsx [D30] | NA; Jun.2016
2.4.2 Documentation generated by exida
Reference Number | Document Name | Revision; Date
[R1] | FRS 11-03-091 R002 V1R5 IEC 61508 Assessment DeltaV SIS ElecMarsh.doc (This Report) | V1R5; 6/14/2016
[R2] | Item Deleted |
[R3] | DeltaV SIS Failure Modes, Effects and Diagnostics Analysis (FMEDA) Report | V1R4; 3/14/2013
[R4] | DeltaV SIS CHARMs IEC 61508 SafetyCaseDB | NA; 1/11/2013
[R5] | exida Configuration Management Checklist | NA; 7/18/2011
[R6] | exida Software Tool Checklist for DeltaV v12 project | NA; 12/5/2012
[R7] | exida Integration Test Execution Phase Checklist | NA; 12/5/2012
[R8] | exida Validation Test Execution Phase Checklist | NA; 12/21/2012
[R9] | exida FSM Planning Phase Verification Checklist for Emerson Systems DeltaV CHARMs SIS | NA; 12/3/2012
[R10] | exida Functional Safety Assessment Phase Verification Checklist | NA; 12/6/2012
[R11] | exida Safety Manual Checklist | NA; 12/3/2012
[R12] | exida SRS Document Checklist | NA; 11/13/2012
[R13] | exida Integration Test Plan Checklist | NA; 12/5/2012
[R14] | exida Derived Requirements Document Checklist | NA; 7/19/2011
[R15] | exida Hardware Development Phase Verification Checklist | NA; 12/21/2012
[R16] | exida System Architecture Phase Verification Checklist | NA; 11/8/2012
[R17] | exida Software Architecture and Design Phase Checklist | NA; 12/21/2012
[R18] | exida Implementation Phase Verification Checklist | NA; 12/5/2012
[R19] | FRS11-03-091 R001 V3R3 FMEDA DeltaV SIS™ with Electronic Marshalling (updated) | V3R3; 11/13/2015
[R20] | DeltaV SIS CHARMs IEC 61508 Safety Case WB | V2R1; 6/9/2016
[R21] | FRS 1509137 R001 V1R0 DeltaV SIS Field Failure Analysis Sheet | V1R0; 6/7/2016
2.5 Assessment Approach
The certification audit was closely driven by requirements of the exida scheme which includes
subsets filtered from IEC 61508.
The assessment was planned by exida and agreed with Fisher Rosemount Systems.
The following IEC 61508 objectives were subject to detailed auditing at Fisher Rosemount
Systems:
- FSM planning, including
  - Safety Life Cycle definition
  - Scope of the FSM activities
  - Documentation
  - Activities and Responsibilities (Training and competence)
  - Configuration management
  - Tools and languages
- Safety Requirement Specification
- Change and modification management
- Software architecture design process, techniques and documentation
- Hardware architecture design - process, techniques and documentation
- Hardware design / probabilistic modeling
- Hardware and system related V&V activities including documentation, verification
  - Integration and fault insertion test strategy
- Software and system related V&V activities including documentation, verification
- System Validation including hardware and software validation
- Hardware-related operation, installation and maintenance requirements
The project teams, not individuals, were audited.
3 Product Description
DeltaV SIS with Electronic Marshalling is a safety critical control system for general safety market
use. It consists of a simplex or redundant CSLS controller and one or more single-channel I/O
CHARMs. Up to 96 CHARMs can be connected to a controller. The parts included in the
assessment are those in the blocks “CSLS”, “LSNG”, and “I/O Charms” in Figure 1.
Figure 1 DeltaV SIS with Electronic Marshalling System Parts included in the Assessment
The Local Safety Network Gateway (LSNG) is a SIL 2 gateway that allows the DeltaV SIS with
Electronic Marshalling System to connect to third party Modbus devices to read safety critical data.
It resembles a Local Safety Network Bridge (LSNB) in some operations, but is specific to Fire and
Gas applications. The LSNG will read data from a pair of Modbus devices that are each reading
the same sensor data. It will then compare the data and form secure parameters from it and
transmit them on the Local Safety Network for use by CSLSs. The secure parameters it chooses to
transmit are configured by the user and the DeltaV Database.
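As an added illustration of the read-and-compare step described above (example code written for this page in the C the project's coding standard [D23] covers, not Emerson's LSNG firmware), the block below takes two readings of the same sensor value, as obtained from the two Modbus devices, checks both for communication faults, non-numeric values and staleness, compares them against a tolerance, and forms a single forwarded parameter carrying a status. The record layouts, the freshness limit MAX_AGE_MS, the tolerance MAX_DISCREPANCY and the rule for which of two agreeing values is forwarded are all assumptions made for the example.

```c
/* Illustrative model of a dual-source read-and-compare step, added for this page.
 * Not Emerson's LSNG code: the record layouts, the MAX_AGE_MS and MAX_DISCREPANCY
 * limits and the forwarding rule are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status attached to a forwarded parameter; anything but PARAM_GOOD tells the
 * consuming logic solver that the value must not be used as a healthy input. */
typedef enum {
    PARAM_GOOD = 0,
    PARAM_BAD_SOURCE,   /* a Modbus read failed or returned a non-number */
    PARAM_STALE,        /* a source has not refreshed within MAX_AGE_MS */
    PARAM_DISCREPANCY   /* the two sources disagree beyond MAX_DISCREPANCY */
} param_status_t;

/* One reading obtained from one of the two Modbus devices (constructed layout). */
typedef struct {
    double   value;    /* engineering value decoded from the register */
    bool     comm_ok;  /* the Modbus transaction completed without an exception */
    uint32_t age_ms;   /* milliseconds since this register was last refreshed */
} source_reading_t;

/* The parameter forwarded on the Local Safety Network (assumed layout). */
typedef struct {
    double         value;
    param_status_t status;
} secure_param_t;

#define MAX_AGE_MS      2000u  /* assumed freshness limit */
#define MAX_DISCREPANCY 0.5    /* assumed agreement tolerance, engineering units */

/* NaN never compares equal to itself; this avoids depending on <math.h>. */
static bool is_nan(double x) { return x != x; }

/* Produces a NaN at run time for the demonstration (constructed fault input). */
double constructed_nan(void) { volatile double z = 0.0; return z / z; }

/* Agreement check over the two sources. The checks are ordered so the status
 * names the first reason the data is unusable: source faults, then staleness,
 * then disagreement. A value is only forwarded as GOOD when both sources are
 * healthy, fresh and agree within tolerance. */
secure_param_t lsng_form_param(source_reading_t a, source_reading_t b)
{
    secure_param_t p = { 0.0, PARAM_GOOD };

    if (!a.comm_ok || !b.comm_ok || is_nan(a.value) || is_nan(b.value)) {
        p.status = PARAM_BAD_SOURCE;
        return p;
    }
    if (a.age_ms > MAX_AGE_MS || b.age_ms > MAX_AGE_MS) {
        p.status = PARAM_STALE;
        return p;
    }
    double diff = a.value - b.value;
    if (diff < 0.0) diff = -diff;
    if (diff > MAX_DISCREPANCY) {
        p.status = PARAM_DISCREPANCY;
        return p;
    }
    /* Assumed forwarding rule for a measurement where a higher value is the
     * less safe direction (for example a gas concentration): forward the higher
     * of the two agreeing readings so the consumer never sees the more
     * optimistic one. */
    p.value = (a.value > b.value) ? a.value : b.value;
    return p;
}

/* Stand-alone demonstration on constructed readings. */
int main(void)
{
    source_reading_t dev1 = { 12.0, true, 100 };
    source_reading_t dev2 = { 12.3, true, 150 };
    secure_param_t p = lsng_form_param(dev1, dev2);
    printf("agreeing sources: status=%d value=%.2f\n", (int)p.status, p.value);

    dev2.value = 15.0;   /* constructed disagreement between the two devices */
    p = lsng_form_param(dev1, dev2);
    printf("disagreeing sources: status=%d value=%.2f\n", (int)p.status, p.value);
    return 0;
}
```

The point of the ordering is that a consumer downstream sees a single status word it can act on: any fault in either channel degrades the whole parameter, so a single healthy-looking reading is never forwarded on its own.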
Table 1 gives an overview of the different components that were considered at the time of the
Assessment of DeltaV SIS with Electronic Marshalling. Contact the manufacturer for the latest
versions of these components.
Table 1 Component Overview
Product Type Number | Description | HW Revision | SW/FW Revision
KL2001X1-BA1 | CHARMS Smart Logic Solver (CSLS) | 1.x | 1.1.x.x
KL3001X1-LS1 | LS DI NAMUR CHARM | 1.x | 1.x
KL3003X1-LS1 | LS DI 24 VDC low-side sense (Dry Contact) CHARM | 1.x | 1.x
KL3005X1-LS1 | LS DI 24 VDC Isolated CHARM | 1.x | 1.x
KL3011X1-LS1 | LS DI 120 VAC Isolated | 1.x | 1.x
KL3012X1-LS1 | LS DI 230 VAC Isolated | 1.x | 1.x
KL3302X1-BA1 | LS DO 24 VDC DTA CHARM | 1.x | 1.x
KL3302X1-BB1 | LS DO 24 VDC DTA Redundant CHARM | 1.x | 1.x
KL3302X1-BC1 | LS DO 24 VDC ETA CHARM | 1.x | 1.x
KL3302X1-BD1 | LS DO 24 VDC ETA Redundant CHARM | 1.x | 1.x
KL3322X1-BA1 | LS DVC HART DTA CHARM | 1.x | 1.x
KL3322X1-BB1 | LS DVC HART DTA Redundant CHARM | 1.x | 1.x
KL3021X1-LS1 | LS AI 4-20 mA HART CHARM | 1.x | 1.x
KL3032X1-LS1 | LS Thermocouple/mV CHARM | 1.x | 1.x
KL3031X1-LS1 | LS RTD CHARM | 1.x | 1.x
KL3023X1-LS1 | LS AI 0-10 VDC Isolated CHARM | 1.x | 1.x
KL3103X1-LS1 | IS LS DI NAMUR CHARM | 1.x | 1.x
KL3101X1-LS1 | IS LS AI 4-20 mA HART CHARM | 1.x | 1.x
KL3007X1-LS1 | LS 24 VDC Power CHARM | 1.x | 1.x
KL3105X1-LS1 | IS LS CHARM THERMOCOUPLE mV | 1.x | 1.x
KL3106X1-LS1 | IS LS CHARM RTD Resistance | 1.x | 1.x
KL2001X1-BC1 | Local Safety Network Gateway (LSNG) | 1.x | 1.x
DeltaV SIS with Electronic Marshalling is classified as a Type B element [1] according to IEC 61508, having a hardware fault tolerance of 0.
[1] Type B element: “Complex” element (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2, ed2, 2010.
4 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received
from Fisher Rosemount Systems and is documented here.
4.1 Assessment level
The DeltaV SIS with Electronic Marshalling has been assessed per IEC 61508 to Safety Integrity
Level 3. The development procedures have been assessed as suitable for use in applications with
a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.
The Local Safety Network Gateway (LSNG) is limited to a maximum of Safety Integrity Level 2 (SIL
2) according to IEC 61508.
5 Results of the IEC 61508 Functional Safety Assessment
exida assessed the development process used by Fisher Rosemount Systems during the DeltaV
SIS with Electronic Marshalling product development and maintenance against the objectives of the
exida certification scheme which includes IEC 61508 parts 1, 2, and 3. The development of the
DeltaV SIS with Electronic Marshalling modules was done per this IEC 61508 SIL 3 compliant
development process. A Safety Case [R4] and [R20] were created to show compliance with IEC
61508.
5.1 Lifecycle Activities and Fault Avoidance Measures
Fisher Rosemount Systems has an IEC 61508 compliant development process as assessed during
the IEC 61508 certification of the DeltaV SIS with Electronic Marshalling. This compliant
development process is documented in [D01] and [D59].
This functional safety assessment has shown that the process sufficiently meets the requirements
of IEC 61508 SIL 3. The assessment investigated the compliance with IEC 61508 of the processes,
procedures and techniques as implemented for the Fisher Rosemount Systems development. The
assessment was executed using the exida certification scheme which includes subsets of IEC
61508 requirements tailored to the SIL 3 work scope of the development team. The result of the
assessment can be summarized by the following observations:
The audited Fisher Rosemount Systems development process complies with the relevant
managerial requirements of IEC 61508 SIL 3.
5.1.1 Functional Safety Management
FSM Planning
The functional safety management of any DeltaV development is governed by the Functional
Safety Management Team (FSMT). For each development Fisher Rosemount Systems creates a
Functional Safety Management Plan (FSMP), see [D01] and D200, with specific deliverables,
reviews and approvals. This process and procedures referenced herein fulfill the requirements of
IEC 61508 with respect to functional safety management.
Configuration Management
Formal configuration control is defined and implemented for Change Authorization, Version Control,
and Configuration Identification. A documented procedure exists to ensure that only approved
items are delivered to customers. Master copies of the software and all associated documentation
are kept during the operational lifetime of the released software. Formal configuration control of
requirements only is started once those requirements have been approved (See section 2.2.6 of
the FSM plan). Formal configuration control of all other deliverables occurs when the validation
phase starts as defined in section 2.2 of FSM plan. The engineering design database (EDD) keeps
track of all hardware drawings and versions including schematics and bills of material. For
software, section 4.4 of the FSM plan discusses how a branch is made for each release of
software. A version label is created for that branch and the constituent parts that make up the
software (source code files) can be found on this branch. For hardware, items cannot be released
to or from manufacturing without an ECRN, D214-D217, which must be approved. For software,
unauthorized changes will be flagged to the FSMT and to the person who made the change via email as described in section 2.2.5 of FSM plan.
Training, Competency recording
Section 6 of the FSM plan describes the procedures to ensure that all persons are competent
relevant to the specific duties that they have to perform. Competency Assessment will occur at the
beginning of each project and whenever there is a change in project staff.
5.1.2 Safety Requirements Specification and Architecture Design
As defined in [D59], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. For the DeltaV SIS with Electronic Marshalling, the requirements specification [D30] contains system design requirements and constraints, user programming configuration constraints, safety subsystem interface constraints, and derived requirements for hardware and software. During the assessment, exida reviewed the content of the specification for completeness per the requirements of IEC 61508.
All software safety requirements trace to the software architecture, the software design, or the safety manual. Reverse traceability is achieved in the system architecture specification by listing, for each safety measure, the safety requirement that drives it.
Requirements from IEC 61508-2, Table B.1 that have been met by Fisher Rosemount Systems
include project management, documentation, structured specification, inspection of the
specification, semi-formal methods, and checklists.
Requirements from IEC 61508-3, Table A.1 that have been met by Fisher Rosemount Systems
include semi-formal methods, forward traceability between the system safety requirements and the
software safety requirements, and backward traceability between the safety requirements and the
perceived safety needs.
[D60] documents more details on how each of these requirements has been met. This meets the
requirements of SIL 3.
5.1.3 Hardware Design
The hardware design process consists of two distinct phases: design phase and pilot phase. During
the design phase all possible solutions are reviewed and the most promising is detailed. At this time
Circuit Description and Component Drawings are created, 3rd Party Certification is decided on and
Prototype Test Planning is performed. The prototype testing is considered part of the verification
activities per IEC 61508.
In the pilot phase, the design is further detailed and testing is performed on prototype units. Design
reviews are performed per the Functional Safety Management Plan [D01], using the hardware
design checklist (see [D87] for example).
Hardware changes to the DeltaV SIS with Electronic Marshalling system have been reviewed and
there are no significant effects on the existing FMEDA [R19].
Items from IEC 61508-2, Table B.2 that have been met by Fisher Rosemount Systems include
observance of guidelines and standards, project management, documentation, structured design,
modularization, use of well-tried components, semi-formal methods, checklists, inspection of the
hardware or walk-through of the hardware, and computer-aided design tools. This meets SIL 3.
5.1.4 Software (Firmware) Design
Software (firmware) design is done according to [D59]. The software design process includes
software architecture design and peer review, detailed design and peer review, critical code
reviews, static source code analysis and module test.
Software changes to the DeltaV SIS with Electronic Marshalling system have been reviewed and
there are no significant effects on the existing safety functions.
Requirements from IEC 61508-3, Table A.2 that have been met by Fisher Rosemount Systems
include fault detection and diagnosis, error detecting and correcting codes, failure assertion
programming, diverse monitor techniques, retry fault recovery mechanisms, graceful degradation,
modular approach, use of trusted/verified software elements, forward and backward traceability
between the software safety requirements specification and software architecture, semi-formal
methods, computer-aided specification and design tools, cyclic behavior, with guaranteed
maximum cycle time, time-triggered architecture, and static resource allocation.
Requirements from IEC 61508-3, Table A.3 that have been met by Fisher Rosemount Systems
include suitable programming language, strongly typed programming language, language subset,
certified tools and translators, and tools and translators: increased confidence from use.
Requirements from IEC 61508-3, Table A.4 that have been met by Fisher Rosemount Systems
include semi-formal methods, computer aided design tools, defensive programming, modular
approach, design and coding standards, structured programming, use of trusted/verified software
modules and components, and forward traceability between the software safety requirements
specification and software design.
This is also documented in [D60]. This meets the requirements of SIL 3.
5.1.5 Validation
Validation Testing is done via a set of documented tests. Microsoft Test Manager is used to
document all safety validation tests. These tests are exported to a spreadsheet which documents a
snapshot of the safety validation test plan [D35]. An independent Verification and Validation team
has confirmed that all safety requirements are covered by one or more tests (See [D94]). A
number of validation tests were witnessed by the assessor during an on-site audit.
Procedures are in place for corrective actions to be taken when tests fail as documented in [D01].
Items from IEC 61508-2, Table B.5 that have been met by Fisher Rosemount Systems include
functional testing and functional testing under environmental conditions, interference surge
immunity testing, fault insertion testing, project management, documentation, static analysis,
dynamic analysis and failure analysis, expanded functional testing, black-box testing, “Worst-case”
testing, and field experience. This meets SIL 3.
Items from IEC 61508-3, Table A.7 that have been met by Fisher Rosemount Systems include
process simulation, modelling, functional and black box testing, forward traceability between the
software safety requirements specification and the software safety validation plan, and backward
traceability between the software safety validation plan and the software safety requirements
specification.
5.1.6 Verification
The development and verification activities are defined in the Functional Safety Management Plan [D01]. For each phase, the objectives, the required input and output documents, and the review activities are stated. A number of checklists are referenced in the FSM Plan to ensure completeness of the verification activities. During the assessment it was verified that all of these checklists were completed. All verification activities are documented. This meets the requirements for SIL 3.
5.1.7 Modifications
The modification process has been successfully assessed and audited; Fisher Rosemount Systems
may make modifications to this product as needed. Modifications are done per the Fisher
Rosemount Systems change management process as documented in the Functional Safety
Management Plans. Impact analyses, D218-D222, are performed for all changes once the product
is released for integration testing. The results of the impact analysis are used in determining
whether to approve the change. The standard development process as defined in [D59] is then
followed to make the change. The handling of hazardous field incidents and customer notifications
is governed by [D107]. This procedure includes identification of the problem, ranking of the
problem, analysis of the problem, identification of the solution, and communication of the solution to
the field. This meets the requirements of IEC 61508 SIL 3.
As part of the exida scheme, a surveillance audit is conducted prior to renewal of the certificate.
The modification documentation listed below is submitted as part of the surveillance audit. exida
will review the decisions made by the competent person in respect to the modifications made.
o List of all anomalies reported and failure analysis samples
o List of all modifications completed
o Safety impact analysis which shall indicate with respect to the modification:
  - The initiating problem (e.g. results of root cause analysis)
  - The effect on the product / system
  - The elements/components that are subject to the modification
  - The extent of any re-testing
o List of modified documentation
Requirements from IEC 61508-3, Table A.8 that have been met by the Fisher Rosemount Systems
modification process include impact analysis, re-verify changed software modules, re-verify affected
software modules, regression validation, software configuration management, data recording and
analysis, and forward and backward traceability between the software safety requirements
specification and the software modification plan (including re-verification and re-validation). This
meets the requirements of SIL 3.
5.1.8 User documentation
Fisher Rosemount Systems created a Safety Manual for the DeltaV SIS with Electronic
Marshalling, see [D160]. This safety manual was assessed by exida. The final version is
considered to be in compliance with the requirements of IEC 61508. The document includes all
required reliability data and operations, maintenance, and proof test procedures.
Items from IEC 61508-2, Table B.4 that have been met include operation and maintenance
instructions, user friendliness, maintenance friendliness, project management, documentation,
limited operation possibilities, operation only by skilled operators, and protection against operator
mistakes. This meets SIL 3.
5.2 Hardware Assessment
To evaluate the hardware design of the DeltaV SIS with Electronic Marshalling a Failure Modes,
Effects, and Diagnostic Analysis was performed. This is documented in [R3] and [R19]. The
FMEDA was verified using Fault Injection Testing which has been automated as part of the safety
validation testing, see [D53]. The fault injection testing was witnessed as part of the on-site audit
performed by exida.
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect
and Diagnostic Analysis) is an extension of the FMEA. It combines standard FMEA techniques with
an extension that identifies online diagnostic techniques and the failure modes relevant to safety
instrumented system design.
From the FMEDA, failure rates are derived for each important failure category. All failure rates are
included in the exSILentia tool from exida. The failure rates are valid for the useful life of the
devices, which is defined in the FMEDA report as approximately 50 years.
The architectural constraints requirements of IEC 61508-2, Table 2 are also reviewed. The DeltaV
SIS with Electronic Marshalling is classified as a Type B device according to IEC 61508. The
system can be configured with redundant CSLS modules as well as redundant CHARMS.
Therefore, depending on configuration, the system can have a hardware fault tolerance (HFT) of 0 or 1.
The analysis shows that the system has a safe failure fraction > 90% for all configurations and
therefore, even under worst-case assumptions, the non-redundant unit may be used up to SIL 2 and a
redundant unit may be used up to SIL 3 based on architectural constraints. Some configurations of the
system will also result in a safe failure fraction > 99%, which means that such a system may be used up
to SIL 3 as a non-redundant unit, based on architectural constraints. For redundant use, common
cause failures have to be considered. The user of the DeltaV SIS Relay Modules and DeltaV SIS
Voltage Monitor needs to determine the application-specific common cause factor β.
The analysis shows that the design of the DeltaV SIS with Electronic Marshalling meets the
hardware requirements of IEC 61508 SIL 3 when used as a single element (HFT = 0) in
certain configurations. The Local Safety Network Gateway (LSNG) is limited to a maximum
of SIL 2 with HFT = 0.
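As an added worked example (not from the exida report and not Emerson's or exida's tooling), the following Python shows the arithmetic behind the preceding paragraphs: it derives the Safe Failure Fraction from FMEDA failure-rate categories, applies the Type B architectural-constraints table of IEC 61508-2 to obtain the maximum SIL for HFT 0 and HFT 1, and computes the simplified low-demand PFDavg for a single channel. All failure rates and the proof-test interval are constructed values, not DeltaV SIS data, and the class and function names are hypothetical.

```python
"""Worked example (added, not from the exida report): SFF from FMEDA
categories and the IEC 61508-2 Type B architectural constraints.
All failure-rate values are constructed for illustration only."""
from dataclasses import dataclass

FIT_PER_HOUR = 1e-9  # one FIT is one failure per 1e9 hours


@dataclass(frozen=True)
class FmedaRates:
    """Failure rates by FMEDA category, in FIT (constructed, not report data)."""
    lambda_sd: float  # safe, detected by online diagnostics
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by online diagnostics
    lambda_du: float  # dangerous, undetected (found only by proof test)

    @property
    def lambda_total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def safe_failure_fraction(r: FmedaRates) -> float:
    """SFF = (safe + dangerous-detected) / total failure rate.
    The ratio is unit-free, so FIT values can be used directly."""
    if r.lambda_total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.lambda_sd + r.lambda_su + r.lambda_dd) / r.lambda_total


# IEC 61508-2 architectural constraints (route 1H) for a Type B element:
# (lower SFF bound, (max SIL at HFT 0, HFT 1, HFT 2)); 0 means not allowed.
TYPE_B_ARCH_CONSTRAINTS = (
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (0, 1, 2)),
)


def max_sil_type_b(sff: float, hft: int) -> int:
    """Maximum SIL allowed by architectural constraints for a Type B element."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lower_bound, sils in TYPE_B_ARCH_CONSTRAINTS:
        if sff >= lower_bound:
            return sils[hft]
    raise ValueError("SFF must lie between 0 and 1")


def pfd_avg_1oo1(lambda_du_fit: float, proof_test_interval_h: float) -> float:
    """Simplified low-demand PFDavg for a single channel (HFT = 0):
    lambda_DU * T1 / 2, the IEC 61508-6 approximation with repair time neglected."""
    return lambda_du_fit * FIT_PER_HOUR * proof_test_interval_h / 2


def sil_from_pfd_avg(pfd: float) -> int:
    """Map a low-demand PFDavg to its IEC 61508-1 SIL band (0 = below SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def assess(r: FmedaRates, hft: int) -> dict:
    """SFF and architectural SIL cap for one constructed configuration."""
    sff = safe_failure_fraction(r)
    return {"sff": sff, "hft": hft, "arch_max_sil": max_sil_type_b(sff, hft)}


if __name__ == "__main__":
    # Constructed logic solver with 90% < SFF < 99%: SIL 2 at HFT 0, SIL 3 at HFT 1.
    solver = FmedaRates(lambda_sd=600, lambda_su=100, lambda_dd=250, lambda_du=50)
    for hft in (0, 1):
        print(assess(solver, hft))
    # Constructed configuration with SFF >= 99%: SIL 3 even at HFT 0.
    high_diag = FmedaRates(lambda_sd=800, lambda_su=100, lambda_dd=95, lambda_du=5)
    print(assess(high_diag, 0))
    # Simplified PFDavg for the single-channel solver with a one-year proof test.
    pfd = pfd_avg_1oo1(solver.lambda_du, proof_test_interval_h=8760)
    print(f"PFDavg (1oo1, T1 = 1 year) = {pfd:.2e}, SIL band {sil_from_pfd_avg(pfd)}")
```

The architectural-constraints cap and the PFDavg band are separate limits; the achievable SIL of a configuration is the lower of the two, and the redundant (HFT = 1) case additionally needs the common cause factor β that the paragraph above leaves to the user, which this simplified single-channel formula does not model.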
6 Terms and Definitions
CHARM: I/O CHARacterization Module
Fault tolerance: Ability of a functional unit to continue to perform a required function in the
presence of faults or errors (IEC 61508-4, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode where the demand interval for operation made on a safety-related
system is greater than twice the proof test interval.
High demand mode: Mode where the demand interval for operation made on a safety-related
system is less than 100x the diagnostic detection/reaction interval, or where the safe state is part
of normal operation.
PFDAVG: Average Probability of Failure on Demand
PFH: Probability of dangerous Failure per Hour
SFF: Safe Failure Fraction - Summarizes the fraction of failures which lead to a safe state and the
fraction of failures which will be detected by diagnostic measures and lead to a defined safety
action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System – Implementation of one or more Safety Instrumented Functions.
A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of
IEC 61508-2
Type B element: “Complex” element (using complex components such as micro controllers or
programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
7 Status of the document
7.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are
obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use
of these numbers or for the correctness of the standards on which the general calculation methods
are based.
7.2 Releases
Version: V1
Revision: R5
Version History:
V1, R5: certification renewal, added Emerson documents supporting the reassessment and updated
SCWB [R20] in doc list; updated contract number and [R21]; 14-Jun-2016, JCY
V1, R4: added LSNG and 2 new I/O, added FMEDA report [R19] and SCWB [R20] in doc list;
1-May-2015, JCY
V1, R3: updated [R3] FMEDA report in doc list and updated report per V4R1 type B template,
2-Oct-2014, JCY
V1, R2: Updated product list and corrected errors, Feb. 25, 2013
V1, R1: Updated per final testing and witnessed validation test audit, Feb. 14, 2013
V0, R2: Updated document versions based on updated documents received from Emerson;
January 11, 2013
V0, R1: Draft; December 26, 2012
Authors: Michael Medoff, John Yozallinas
Review: V1, R5; Ted Stewart, exida, 6-10-2016
Release status: Released
7.3 Future Enhancements
At the request of the client.
7.4 Release Signatures
Michael Medoff, Senior Safety Engineer
John Yozallinas, CFSE, Senior Safety Engineer
Ted E. Stewart, CFSP, Program Development & Compliance Manager