IEC 61508 Assessment

IEC 61508 Functional Safety Assessment
Project:
DeltaV SIS
DeltaV SIS ETA Relay Module, KJ2231X1-BA1
DeltaV SIS DTA Relay Module, KJ2231X1-BB1
DeltaV SIS Relay Diode Module, KJ2231X1-BC1
DeltaV SIS Voltage Monitor, KJ2231X1-EB1
Customer:
Emerson Process Management
Fisher Rosemount Systems
Austin, TX
USA
Contract No.: Q09/10-23
Report No.: FRS 09-10-23 R001
Version V1, Revision R1, May 13, 2010
Michael Medoff
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management summary
This report summarizes the results of the functional safety assessment according to IEC 61508
carried out on the:
DeltaV SIS
DeltaV SIS ETA Relay Module, KJ2231X1-BA1
DeltaV SIS DTA Relay Module, KJ2231X1-BB1
DeltaV SIS Relay Diode Module, KJ2231X1-BC1
DeltaV SIS Voltage Monitor, KJ2231X1-EB1
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the modifications performed by Emerson via two audits (one on-site) and
creation of a detailed safety case against the requirements of IEC 61508.
These products were previously certified to IEC 61508, SIL 3 (See [D10]). Based on this
certification, it can be concluded that the Emerson development process meets the requirements of
IEC 61508 for SIL 3. As a result this latest assessment focused on reviewing the changes made to
the product. The changes were assessed against section 7.8 of IEC 61508 part 2 (E/E/PES
Modification) and section 7.8 of part 3 (Software Modification). A partial IEC 61508 Safety Case
was prepared, focusing specifically on the modification process, and used as the primary audit tool.
Modification process requirements and all associated documentation were reviewed.
See section 3 of this document for details on which hardware and software versions have been
included in this assessment.
The results of the Functional Safety Assessment can be summarized by the following statements:
The DeltaV SIS, DeltaV SIS Relay Modules, DeltaV SIS Relay Diode Module, and DeltaV SIS
Voltage Monitor were found to meet the requirements of SIL 3, single use (HFT = 1/0).
© exida Certification
Michael Medoff
emerson 09-10-23 r001 v1 r1 iec 61508 assessment.doc, 5/13/2010
Page 2 of 25
Table of Contents
Management summary .... 2
1 Purpose and Scope .... 4
2 Project management .... 5
2.1 exida .... 5
2.2 Roles of the parties involved .... 5
2.3 Standards / Literature used .... 5
2.4 Reference documents .... 5
2.4.1 Documentation provided by Emerson Process Management .... 5
2.4.2 Documentation generated by exida .... 11
3 Product Description .... 12
3.1 DeltaV SIS Logic Solver .... 12
3.2 DeltaV SIS Relay Modules .... 12
3.3 DeltaV SIS Relay Diode Module .... 12
3.4 DeltaV SIS Voltage Monitor .... 12
4 IEC 61508 Functional Safety Assessment .... 14
4.1 Methodology .... 14
4.2 Assessment level .... 14
5 Results of the IEC 61508 Functional Safety Assessment .... 15
5.1 Lifecycle Activities and Fault Avoidance Measures .... 15
5.1.1 Functional Safety Management .... 15
5.1.2 Safety Requirements Specification and Architecture Design .... 16
5.1.3 Hardware Design .... 16
5.1.4 Validation .... 17
5.1.5 Verification .... 17
5.1.6 Modifications .... 17
5.1.7 User documentation .... 21
5.2 Hardware Assessment .... 22
6 Terms and Definitions .... 24
7 Status of the document .... 25
7.1 Liability .... 25
7.2 Releases .... 25
7.3 Future Enhancements .... 25
7.4 Release Signatures .... 25
1 Purpose and Scope
Generally four options exist when doing an assessment of sensors, logic solvers and/or final
elements.
Option 1: Hardware assessment according to IEC 61508
Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s)
like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault
behavior and the failure rates of the device, which are then used to calculate the Safe Failure
Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG).
This option shall provide the safety instrumentation engineer with the required failure data as per
IEC 61508 / IEC 61511 and does not include an assessment of the development process.
Option 2: Hardware assessment with proven-in-use consideration according to IEC 61508 /
IEC 61511
Option 2 is an assessment by exida according to the relevant functional safety standard(s) like IEC
61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault
behavior and the failure rates of the device, which are then used to calculate the Safe Failure
Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG). In addition, this option
includes an assessment of the proven-in-use demonstration of the device and its software including
the modification process.
This option for pre-existing (programmable electronic) devices shall provide the safety
instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and justify the
reduced fault tolerance requirements of IEC 61511 for sensors, final elements and other PE field
devices.
Option 3: Full assessment according to IEC 61508
Option 3 is a full assessment by exida according to the relevant application standard(s) like IEC
61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1. The
full assessment extends option 1 by an assessment of all fault avoidance and fault control
measures during hardware and software development.
This assessment shall be done according to option 3.
This document shall describe the results of the IEC 61508 functional safety assessment of the
DeltaV SIS, DeltaV SIS Relay Module, and DeltaV SIS Voltage Monitor.
2 Project management
2.1 exida
exida is one of the world’s leading knowledge and certification companies specializing in
automation system safety and availability with over 300 years of cumulative experience in
functional safety. Founded by several of the world’s top reliability and safety experts from
assessment organizations and manufacturers, exida is a global company with offices around the
world. exida offers training, coaching, project oriented consulting services, internet based safety
engineering tools, detailed product assurance and certification analysis and a collection of on-line
safety and reliability resources. exida maintains a comprehensive failure rate and failure mode
database on process equipment.
2.2 Roles of the parties involved
Emerson Process Management: Manufacturer of the DeltaV SIS, DeltaV SIS Relay Modules,
DeltaV SIS Relay Diode Module, and DeltaV SIS Voltage Monitor
exida: Performed the IEC 61508 Functional Safety Assessment according to option 3 (see section 1)
Emerson Process Management contracted exida to perform the IEC 61508 Functional Safety
Assessment of the above mentioned devices.
2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 7): 2000, Functional Safety of Electrical/Electronic/Programmable
Electronic Safety-Related Systems
2.4 Reference documents
2.4.1 Documentation provided by Emerson Process Management
[D1] ImpactAnalysis_080318_10_3_SLS.doc: DeltaV SIS Impact Analysis Report, 03/27/2008
[D2] Reduced Status Boolean Design.docx: Design for Reduced Status Booleans
[D3] SIS_LSDVC_RevN.xls: DeltaV SIL_LSDVC_Block Rev N Test Plan and Results
[D4] HighDensity_SIS_SLS_Fault_Detection_RevJ.xls: DeltaV SIS_SLS_Fault_Detection Test Plan and Results, Rev J
[D5] SIS_SLS_Fault_Detection_RevI.xls: DeltaV SIS_SLS_Fault_Detection Test Plan and Results, Rev I, 02/15/2008
[D6] SIS_Validation_Blocks_RevO.xls: DeltaV SIS_Validation_Blocks Test Plan and Results, Rev O
[D7] Incident_90431.txt: Incident Report 90431, 4/22/2008
[D9] SIS_Validation_System_RevL.xls: SIS_Validation_System Test Plan, Rev L
[D10] FRS 06-05-30 R001 V1R1: IEC 61508 Functional Safety Assessment Report for DeltaV SIS
[D11] Incident_90899.txt: Incident Report 90899
[D12] Review_3597.pdf: SIS – Reduced Status Boolean Concept Design Review Minutes, 1/16/2008
[D13] Review_3639.pdf: Reduced Status Booleans – SLS Design Review Minutes, 2/7/2008
[D14] Review_3657.pdf: Code Review Minutes
[D15] Review_3739.pdf: Software Impact Analysis Review Minutes, 3/28/2008
[D16] V210x_Formal_Module_Tests.docx: Module Test Results, 5/21/2008
[D17] V210x_Informal_Module_Tests.docx: Module Test Results, 5/21/2008
[D18] V210x_Lint_Results: PC Lint Results, 3/13/2008
[D19] ControlDevice_FMT.doc: Module Test Results, 2/13/2008
[D20] ControlIOBlock_FMT.doc: Module Test Results, 3/13/2008
[D21] ControlMsgRouter_FMT.doc: Module Test Results, 2/13/2008
[D22] ControlSecureWrite_FMT.doc: Module Test Results, 2/13/2008
[D23] FMT_DiagSSMonitor.doc: Module Test Results, 2/13/2008
[D24] Review_3657.bmp: Code Review Minutes, 2/18/2008
[D25] DS Delta V SIS – Simulate enhancements As-built.doc: SIS Direction Statement for release, 4/22/2008 / 2/18/2008 / 3/18/2008
[D26] V2105_SIS_Integration_Test_Results_080424.xls: Integration Test Results, 6/6/2008
[D27] v11_SIS_Changes.pdf: SIS Changes for V11, 1/12/2010
[D28] MultipleSISNetArchitecture.pdf: Delta V Technology Multiple SISNet Architecture, 1.0
[D29] MultipleSISNetDesign.pdf: DeltaV Technology Run Time Design for SISNet Domains, 5/27/2009
[D30] MultipleSISNetRingsConcept.pdf: DeltaV Technology Concept for Multiple SISNet Domains, 4/16/2009
[D31] DS DeltaV SIS – Protected SIS Composite Template.html: DS DeltaV SIS - Protected SIS Composite Template, 3/11/2010
[D32] DS DeltaV SIS – Multiple SISNet Rings.html: DS DeltaV SIS - Multiple SISNet Rings, 3/11/2010
[D33] Additional_SLS_Changes.doc: Changes for 3.1.0.7 Logic Solver, 4/16/2010
[D34] Incident Repair information: Detailed change descriptions for multiple incident repairs, 1/22/2010 & 3/24/2010
[D35] Module Test Reports: Reports on Formal and Informal Module Testing, Various
[D36] Review Documentation: Detailed review minutes for design, code, and impact analysis reviews, Various
[D37] Delta V SIS Safety Manual.pdf: DeltaV Safety Instrumented System Safety Manual, August 2005
[D38] SIS_Validation_System_RevO.xls: DeltaV SIS_Validation_System Test Plan, Revision O
[D39] SIS_LSDVC_RevN.xls: SIS_LSDVC_Block Test Plan, Revision N
[D40] SIS_SLS_Fault_Detection_RevJ.xls: SIS_SLS_Fault_Detection Test Plan, Revision J
[D41] SIS_Validation_Blocks_RevR.xls: SIS_Validation_Blocks Test Plan, Revision R
[D42] SIS_Validation_SecureWrite_RevR.xls: SIS_Validation_SecureWrite Test Plan, Revision R
[D43] SIS_MultipleSISNetDomains.xls: SIS_Multiple SISNet Domains Test Plan, Revision A
[D44] DeltaV SIS Safety Requirements Specification.pdf: DeltaV SIS Safety Requirements Specification, 5/20/2005
[D45] ImpactAnalysis_09_09_05_11_3_SLS_RevB: DeltaV SIS Impact Analysis Report, 8/10/2009
[D46] ImpactAnalysis_100120_11_3_part2: DeltaV SIS Impact Analysis Report, 1/20/2010
[D47] DeltaV PM – 2003.6.12.pdf: Delta V Project Management Plan, 6/12/2003
[D48] DeltaV SIS SafetyCaseDB: DeltaV SIS SafetyCaseDB, documenting the IEC 61508 compliance of the DeltaV SIS system and the Fisher-Rosemount Systems, Inc. development process, March 08, 2005
[D49] SIS Acc SRS.doc: DeltaV SIS Accessories, Safety Requirements Specification, February 21, 2007
[D50] SIS Accessories WPP.doc: SIS Accessories, Hardware Work Package Plan, February 23, 2007
[D51] Safety Relay Schem 12P3963A: Electronic Schematics, DeltaV SIS Safety Relay, November 14, 2006
[D52] VM Schem 12P3966A: Electronic Schematics, DeltaV SIS Voltage Monitor, November 14, 2006
[D53] Safety Relay revised.xls: FMEDA, Safety Relay, KJ2231X1-EA1, 1.01, February 23, 2007
[D54] V_MON_Acc revised.xls: FMEDA, Voltage Monitor, KJ2231X1-EB1, 1.01, February 23, 2007
[D55] VMA and SRM Fault Injection Results.xls: Fault Injection Test results for Safety Relay and Voltage Monitor, tests performed by Fisher-Rosemount Systems, Inc., February 23, 2007
[D56] Safety Relay FMEDA Review Supporting Documentation.xls: PFDAVG and PFH calculations for DeltaV SIS Safety Relay, February 23, 2007
[D57] Voltage Monitor FMEDA Review Supporting Documentation: PFDAVG and PFH calculations for DeltaV SIS Voltage Monitor, February 23, 2007
[D58] FGES21B15, REV B: SIS Accessories – Safety Relay and Voltage Monitor Product Hardware Specification, February 13, 2007
[D59] 07238-10_Emerson_DeltaV System_Report: Emerson Process Management Delta V System, Electromagnetic Compatibility and Environmental Test Report, February 16, 2007
[D60] SafetyManual: SIS Accessories, Installation and Safety Manual, April 2007
[D61] FMEDA Review for Safety Relay and Voltage Monitor: FMEDA Review for Safety Relay and Voltage Monitor, February 23, 2007
[D62] HW Design Review - Safety Relay.doc: HW Design Review Safety Relay, February 22, 2007
[D63] HW Design Review - Voltage Monitor.doc: HW Design Review Voltage Monitor, February 22, 2007
[D64] Validation Plan - Safety Relay.doc: Validation Plan Safety Relay, March 04, 2007
[D65] Validation Plan - Voltage Monitor.doc: Validation Plan Voltage Monitor, March 24, 2007
[D66] Safety Relay Module Hardware Testplan.doc: KJ2231-EA1 Safety Relay Module, Hardware Test Plan, September 14, 2006
[D67] Safety Relay Module Hardware Testplan Results.doc: KJ2231-EA1 Safety Relay Module, Hardware Test Plan Results, September 14, 2006
[D68] Voltage Monitor Accessory Hardware Testplan.doc: KJ2231-EB1 Voltage Monitor Accessory, Hardware Test Plan, September 14, 2006
[D69] Voltage Monitor Accessory Hardware Testplan Results.doc: KJ2231-EB1 Voltage Monitor Accessory, Hardware Test Plan Results, September 14, 2006
[D70] KJ2231X1 EA1 Safety Relay Module CSA 1010 report 17Feb107.doc: Test Report, IEC 61010-1/EN 61010-1 for KJ2231X1 EA1 Safety Relay Module, February 17, 2007
[D71] KJ2231X1 EB1 Voltage Monitor Accessory CSA 1010 report 17Feb.doc: Test Report, IEC 61010-1/EN 61010-1 for KJ2231X1 EB1 Voltage Monitor Accessory, February 17, 2007
[D72] Review DB 3229_3238_3239.doc: Screenshots of Review DB indicating documentation of review and impact analysis, February 23, 2007
[D73] SIS VMon Diagnostic.doc: SIS Voltage Monitor, Fault Diagnostic Performance, February 5/19, 2007
[D74] VM SR Preliminary Test Plan.doc: SLS Accessory Module Test Plan Proposal, April 16, 2007
[D75] Validation Plan Summary- Safety Relay 16Apr2007.doc: Validation Plan Summary Safety Relay, April 16, 2007
[D76] Validation Plan Summary- Voltage Monitor 16Apr2007.doc: Validation Plan Summary Voltage Monitor, April 16, 2007
[D77] Validation Plan Test Log - Safety Relay.doc: Validation Plan Test Log Safety Relay, April 16, 2007
[D78] Validation Plan Test Log - Voltage Monitor.doc: Validation Plan Test Log Voltage Monitor, April 16, 2007
2.4.2 Documentation generated by exida
[R1] DeltaV Change Audit.xls: Detailed safety case documenting results of first assessment (internal document)
[R2] DeltaV V11 Change Audit.xls: Detailed safety case documenting results of second assessment (internal document)
[R3] Emerson 07-11-05 R002 V1 R1 IEC 61508 Assessment.doc: IEC 61508 Functional Safety Assessment, DeltaV SIS (Previous version of this report)
[R4] Emerson 09-10-23 R001 V0 R1 IEC 61508 Assessment.docx: IEC 61508 Functional Safety Assessment, DeltaV SIS (This report)
[R5] FRS 04-09-22 R001 V3R3 FMEDA DeltaV SIS.pdf, April 6, 2010: Failure Modes Effects and Diagnostic Analysis: DeltaV SIS Safety PLC
[R6] Emerson FRS 06-11-27 R002 V1 R1 FMEDA Voltage Monitor Module, April 4, 2007: FMEDA report, Fisher-Rosemount Systems, Inc. DeltaV SIS Voltage Monitor
[R7] FRS Voltage Monitor and Safety Relay Fault Injection Tests, March 26, 2007: FRS Voltage Monitor and Safety Relay Fault Injection Tests performed at Fisher-Rosemount Systems, Inc. on February 23, 2007
[R8] FRS 06-05-30 R002 v10 SafetyCase Review, April 9, 2007: Fisher-Rosemount Systems, Inc. IEC 61508 Compliance Assessment, SafetyCaseDB Review
3 Product Description
The DeltaV SIS SLS1508 is a safety logic solver. The DeltaV SLS1508 is classified as a Type B¹
device according to IEC 61508, with an advanced hybrid architecture having a hardware fault
tolerance of 1 for detected failures / 0 for undetected failures. DeltaV SIS Relay Modules, DeltaV SIS
Relay Diode Module, and DeltaV SIS Voltage Monitor are accessories that can be used with the
DeltaV SLS1508 logic solver. The DeltaV SIS Relay Modules, DeltaV SIS Relay Diode Module,
and DeltaV SIS Voltage Monitor are classified as Type A² devices according to IEC 61508, having
a hardware fault tolerance of 0. Fisher-Rosemount Systems, Inc. is the original designer and manufacturer of
the DeltaV SIS, DeltaV SIS Relay Modules, DeltaV SIS Relay Diode Module, and DeltaV SIS
Voltage Monitor modules.
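Section 1 describes the FMEDA as the source of the failure rates from which the Safe Failure Fraction and PFDavg are calculated, and this section classifies the logic solver as Type B and the accessories as Type A with a hardware fault tolerance of 0. The short calculation below makes that chain concrete: it is an added example for this page, not code from the exida report or from Emerson's FMEDA. The failure rates are constructed sample values; the SFF and 1oo1 PFDavg formulas follow IEC 61508-6 Annex B, the architectural-constraint tables are IEC 61508-2:2000 Tables 2 (Type A) and 3 (Type B), and the PFDavg bands are IEC 61508-1 Table 2 for low demand mode.

```python
"""SFF, 1oo1 PFDavg and IEC 61508 architectural-constraint check.

Added example for this page, not code from the exida report or from
Emerson's FMEDA. All failure rates below are constructed sample values.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 device-hours


@dataclass(frozen=True)
class FailureRates:
    """FMEDA failure-rate split (per hour) in IEC 61508-2 notation."""
    safe: float                  # lambda_S  (safe detected + safe undetected)
    dangerous_detected: float    # lambda_DD (revealed by on-line diagnostics)
    dangerous_undetected: float  # lambda_DU (found only by the proof test)

    @property
    def dangerous(self) -> float:
        return self.dangerous_detected + self.dangerous_undetected

    @property
    def total(self) -> float:
        return self.safe + self.dangerous


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total = 1 - lambda_DU / lambda_total."""
    return 1.0 - r.dangerous_undetected / r.total


def pfd_avg_1oo1(r: FailureRates, proof_test_interval_h: float, mttr_h: float) -> float:
    """Average PFD of a single (1oo1) channel, IEC 61508-6 Annex B:
    PFD = lambda_D * t_CE, where the channel-equivalent down time is
    t_CE = lambda_DU/lambda_D * (T1/2 + MTTR) + lambda_DD/lambda_D * MTTR."""
    t_ce = ((r.dangerous_undetected / r.dangerous) * (proof_test_interval_h / 2 + mttr_h)
            + (r.dangerous_detected / r.dangerous) * mttr_h)
    return r.dangerous * t_ce


# IEC 61508-2:2000 Table 2 (Type A) and Table 3 (Type B): highest SIL the
# architecture permits, indexed by SFF band and HFT (0, 1, 2). 0 = not allowed.
_SFF_BANDS = ((0.00, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01))
_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil_architectural(sff: float, hft: int, device_type: str) -> int:
    """Architectural-constraint ceiling on the SIL claimable for one subsystem."""
    device_type = device_type.upper()
    if device_type not in ("A", "B"):
        raise ValueError("device_type must be 'A' or 'B'")
    table = _TYPE_A if device_type == "A" else _TYPE_B
    for (lo, hi), row in zip(_SFF_BANDS, table):
        if lo <= sff < hi:
            return row[min(hft, 2)]
    raise ValueError("sff must lie in [0, 1]")


def sil_from_pfd_avg(pfd: float) -> int:
    """Low-demand SIL band from IEC 61508-1 Table 2 (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def achieved_sil_1oo1(r: FailureRates, device_type: str,
                      proof_test_interval_h: float = 8760.0, mttr_h: float = 8.0) -> int:
    """For an HFT 0 (1oo1) subsystem the claimable SIL is the lower of the
    architectural ceiling and the band its PFDavg falls into."""
    arch = max_sil_architectural(safe_failure_fraction(r), 0, device_type)
    prob = sil_from_pfd_avg(pfd_avg_1oo1(r, proof_test_interval_h, mttr_h))
    return min(arch, prob)


# Constructed sample rates (NOT Emerson's FMEDA data).
RELAY = FailureRates(safe=160 * FIT, dangerous_detected=30 * FIT, dangerous_undetected=10 * FIT)
SOLVER = FailureRates(safe=900 * FIT, dangerous_detected=95 * FIT, dangerous_undetected=5 * FIT)

if __name__ == "__main__":
    for name, rates, typ in (("relay accessory, Type A", RELAY, "A"),
                             ("logic solver, Type B", SOLVER, "B")):
        sff = safe_failure_fraction(rates)
        pfd = pfd_avg_1oo1(rates, 8760.0, 8.0)
        print(f"{name}: SFF={sff:.3f}  PFDavg(1oo1, T1=1y, MTTR=8h)={pfd:.2e}  "
              f"arch SIL @HFT0={max_sil_architectural(sff, 0, typ)} "
              f"@HFT1={max_sil_architectural(sff, 1, typ)}  "
              f"claimable @HFT0={achieved_sil_1oo1(rates, typ)}")
```

The constructed relay case shows why the report states SIL 3 with HFT = 0 for the Type A accessories rather than something higher: its PFDavg lands well inside the SIL 4 band, but a Type A subsystem with HFT 0 needs an SFF of at least 90% to reach SIL 3 and cannot exceed SIL 3 without redundancy. The Type B logic solver case needs an SFF of at least 99% for SIL 3 at HFT 0, and a second channel (HFT 1) is what would lift the architectural ceiling to SIL 4.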
3.1 DeltaV SIS Logic Solver
The DeltaV SIS Logic Solver is a compact logic solver that can handle up to 16 I/O channels in any
combination of HART AI, HART AO, DI and DO including line fault detection on all I/O. The DeltaV
SLS1508 hardware version assessed is 4.0 and the software versions assessed are 2.1.0.5 and
3.1.0.7. The versions covered by this assessment include 4.0 and higher for hardware, and 2.1.0.5
and higher for software.
3.2 DeltaV SIS Relay Modules
The DeltaV SIS Relay Modules are suitable for use in both high and low demand safety
applications, to extend the voltage and current capability of the DeltaV SLS1508 discrete output
and to provide logic inversion for energize to trip applications. The modules are capable of
switching up to 2.5A at 250VAC or 2.5A at 24VDC for safety applications.
3.3 DeltaV SIS Relay Diode Module
The DeltaV SIS Relay Diode Module allows monitoring of field wiring when the output is not
actuated.
3.4 DeltaV SIS Voltage Monitor
The DeltaV SIS Voltage Monitor (model number KJ2231X1-EB1) provides two independent sets
of voltage monitoring circuitry in one device where each is suitable for use in both high and low
demand de-energize to trip applications to extend the voltage input monitoring capability of the
SLS1508. It also supplies a secondary output for non-safety critical monitoring for each input.
¹ Type B sub(system): "Complex" sub(system) (using microcontrollers or programmable logic); for details
see 7.4.3.1.3 of IEC 61508-2
² Type A sub(system): "Non-complex" sub(system) with well defined failure modes; for details see 7.4.3.1.2
of IEC 61508-2
The state of both outputs for an associated input is controlled by the voltage level of the input with
the outputs going to the de-energized state when the input goes below a specified value.
It is designed to be used with DeltaV SLS1508 to drive a logic solver’s discrete input channel or a
series 2 DI dry contact channel based on the output of the SIS Relay Module. The Voltage Monitor
has the following connections:
• Two four-pin connection blocks, one for each voltage monitoring channel, for
connection to the DC or AC power source being monitored.
• Two four-pin connection blocks, one for each voltage monitoring channel, for
connecting the output to an SLS monitored DI channel and a DI dry contact channel.
The DeltaV SIS Voltage Monitor hardware revision covered by this assessment is revision A or
higher.
4 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received
from Emerson and is documented here.
4.1 Methodology
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
• Development process, including:
  o Functional Safety Management, including training and competence recording, FSM
    planning, and configuration management
  o Specification process, techniques and documentation
  o Validation activities, including development test procedures, test plans and reports,
    production test procedures and documentation
  o Verification activities and documentation
  o Modification process and documentation
  o Installation, operation, and maintenance requirements, including user documentation
• Product design
  o Hardware architecture and failure behavior, documented in a FMEDA
• A representative subset of all changes made in comparison to the modification requirements
  of IEC 61508 (Section 7.8 of part 2 and 7.8 of part 3).
4.2 Assessment level
The DeltaV SIS, DeltaV SIS Relay Module, DeltaV SIS Relay Diode Module and DeltaV SIS
Voltage Monitor have been assessed per IEC 61508 to Safety Integrity Level 3.
The development procedures have been assessed as suitable for use in applications with a
maximum Safety Integrity Level of 3 (SIL3) according to IEC 61508 (see [D10]).
5 Results of the IEC 61508 Functional Safety Assessment
exida-certification assessed the development process used by Fisher-Rosemount Systems, Inc.
during the DeltaV SIS logic solver IEC 61508 certification against the objectives of IEC 61508 parts
1, 2, and 3, see [D48]. The development of the DeltaV SIS, DeltaV SIS Relay Modules, DeltaV SIS
Relay Diode Module and, DeltaV SIS Voltage Monitor modules was done per this IEC 61508 SIL 3
compliant development process. The Safety Case created for the DeltaV SIS logic solver was
updated with DeltaV SIS Safety Relay and DeltaV SIS Voltage Monitor design documents, see
[R8]. The main difference between the DeltaV SIS logic solver Safety Case and the DeltaV SIS
Safety Relay and DeltaV SIS Voltage Monitor Safety Case, apart from different design documents,
is that the DeltaV SIS Safety Relay and DeltaV SIS Voltage Monitor are simple electrical devices
that do not contain any software. Consequently the software development specific objectives of
IEC 61508 are ruled not applicable.
In addition, exida assessed a representative subset of changes made by Fisher-Rosemount
Systems, Inc. for recent releases against the modification procedures of IEC 61508 parts 2 and 3.
These assessments were done remotely in May and June of 2008 and then again in March and
April of 2010. Additionally, a detailed modification safety case was completed for the modifications
(See [R2]).
5.1 Lifecycle Activities and Fault Avoidance Measures
Fisher-Rosemount Systems, Inc. has an IEC 61508 compliant development process as assessed
during the IEC 61508 certification of the DeltaV SIS logic solver. This compliant development
process is documented in [D48]. For the DeltaV SIS Safety Relay and DeltaV SIS Voltage Monitor
no software is part of the design and therefore any IEC 61508 requirements specific to
software and software development do not apply.
This functional safety assessment has shown that the process sufficiently meets the requirements
of IEC 61508 SIL 3. The assessment investigated the compliance with IEC 61508 of the processes,
procedures and techniques as implemented for the Fisher-Rosemount Systems, Inc. development.
The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3
work scope of the development team. The result of the assessment can be summarized by the
following observations:
The audited Fisher-Rosemount Systems, Inc. development process complies with the
relevant managerial requirements of IEC 61508 SIL 3.
5.1.1 Functional Safety Management
FSM Planning
The functional safety management of any DeltaV development is governed by the DeltaV PMP
(Project Management Plan). For each development Fisher-Rosemount Systems, Inc. creates a
Work Package Plan (WPP), see [D50], with specific deliverables, reviews and approvals. This
process and procedures referenced herein fulfill the requirements of IEC 61508 with respect to
functional safety management.
Version Control
All documents as called out for in the Delta V PMP and the Work Package Plan are under version
control as documented in [D48]. Design drawings and documents are also under version control.
Fisher-Rosemount Systems, Inc. uses SourceSafe for its version control.
Training, Competency recording
Personnel training records are kept in accordance with IEC 61508 requirements as documented in
[D48]. Fisher-Rosemount Systems, Inc. hired exida-certification to be the independent assessor per
IEC 61508.
5.1.2 Safety Requirements Specification and Architecture Design
The first step for any new development is the creation of a Design Specification per the Work
Package Plan [D50]. The creation of the design specification is a combined effort by marketing and
engineering. This ensures that the design requirements are understood correctly by engineering.
For IEC 61508 developments the requirements document, Safety Requirements Specification see
[D49], is reviewed by exida-consulting. During the assessment, exida-certification reviewed the
content of the specification for completeness per the requirements of IEC 61508.
As the DeltaV SIS Safety Relay and DeltaV SIS Voltage Monitor are simple electrical devices, there
is no need for a separate architecture design phase, although design concepts were created as
required by the Work Package Plan [D50].
Requirements as specified in the Design Specification are tracked through all development phases,
simply by the fact that the DeltaV SIS Relay Modules, DeltaV SIS Relay Diode, and DeltaV SIS
Voltage Monitor are very simple electrical devices. The Safety Requirements are part of the
hardware design review checklist to ensure that designs comply with the Safety Requirements
Specification.
Items from IEC 61508-2, Table B.1 include project management, documentation, separation of
safety requirements from non-safety requirements, structured specification, and inspection of the
specification. As the functions of the DeltaV SIS Relay Modules, DeltaV SIS Relay Diode, and
DeltaV SIS Voltage Monitor are simple and clearly defined there is no need for semi-formal
methods such as functional block diagrams. The application is considered when specifying the
requirements; the devices may be required to meet specific applications standards. This meets SIL
3.
5.1.3 Hardware Design
The hardware design process consists of two distinct phases: design phase and pilot phase. During
the design phase all possible solutions are reviewed and the most promising is detailed, see [D58].
At this time Circuit Description and Component Drawings are created, 3rd Party Certification is
decided on and Prototype Test Planning is performed. The prototype testing is considered part of
the verification activities per IEC 61508.
In the pilot phase, the design is further detailed and testing is performed on prototype units. Design
reviews are performed per the Work Package Plan [D50], see also [D62] and [D63]. Fisher-Rosemount
Systems, Inc. has standards for documentation with specified output documents.
Development tools to be used are documented in the DeltaV PMP as documented in [D48].
Items from IEC 61508-2, Table B.2 include observance of guidelines and standards, project
management, documentation (design outputs are documented per the Work Package Plan and
other quality guidelines), structured design, modularization, use of well-tried components, and
computer-aided design tools. This meets SIL 3.
5.1.4 Validation
Validation Testing is done via a set of documented tests. The DeltaV SIS Safety Relay and DeltaV
SIS Voltage Monitor Work Package Plan [D50] requires a validation plan for both the DeltaV SIS
Relay Modules and the DeltaV SIS Voltage Monitor, see [D64] and [D65]. The validation tests are
traceable to the Safety Requirements Specification [D49], see [D77] and [D78]. In addition to the
standard Test Specification Documents, third-party testing may be included as part of agency
approvals. As the DeltaV SIS Relay Modules, DeltaV SIS Relay Diode, and DeltaV SIS Voltage
Monitor are simple electrical devices with a straightforward safety function, no separate
integration testing is necessary. The DeltaV SIS Relay Modules, DeltaV SIS Relay Diode, and DeltaV
SIS Voltage Monitor perform only one safety function, which is extensively tested under various
conditions during validation testing.
Procedures are in place for corrective actions to be taken when tests fail as documented in [D48].
Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation,
and black-box testing (for the considered devices this is similar to functional testing). Field
experience and statistical testing via regression testing are not applicable. This meets SIL 3.
Items from IEC 61508-2, Table B.5 include functional testing and functional testing under
environmental conditions (see also [D70] and [D71]), fault insertion testing, project management,
documentation, failure analysis (analysis of products that failed), expanded functional testing,
and black-box testing. This meets SIL 3.
5.1.5 Verification
The development and verification activities are defined in the Work Package Plan [D50]. For each
phase, the objectives, the required input and output documents, and the review activities are stated. Several
checklists are included in the Work Package Plan to ensure completeness of the verification
activities. All verification activities are documented. Given the DeltaV SIS Relay Modules, DeltaV
SIS Relay Diode, and DeltaV SIS Voltage Monitor only perform a single safety function, this meets
SIL 3.
5.1.6 Modifications
5.1.6.1 Detailed Specification of the Modification or Change (Part 2, Section 7.8.2.1a)
Detailed specifications of all modifications are included in the impact analysis document and in the
Issue Tracking Database.
5.1.6.2 Impact Analysis (Part 2, Section 7.8.2.1b)
All changes include a detailed safety impact analysis. The impact analysis details which phases of
the development process need to be repeated and what output is required from each phase. The
impact analysis is documented in multiple independent documents (See [D1], [D45], and [D46]). A
listing of all changed software modules is included in the review database (See [D24] and [D36]).
5.1.6.3 Approvals for changes (Part 2, Section 7.8.2.1c)
Approvals for all changes are documented in the issue tracking database.
5.1.6.4 Progress of Changes (Part 2, Section 7.8.2.1d)
Progress of all changes is documented via the change history in the issue tracking database.
5.1.6.5 Test Cases Including Revalidation Data (Part 2, Section 7.8.2.1e)
Integration test cases are documented in the issue tracking database. Validation test cases are
documented in the validation test plans.
5.1.6.6 E/E/PES configuration management history (Part 2, Section 7.8.2.1f)
Configuration Management history is documented via the version control system for all changes. In
addition, all documents include the configuration management history within the document.
5.1.6.7 Deviation from normal operations and conditions (Part 2, Section 7.8.2.1g)
Deviations from normal operations and conditions are discussed in the impact analysis for all
changes.
5.1.6.8 Necessary changes to system procedures (Part 2, Section 7.8.2.1h)
Any changes to system procedures are documented in the impact analysis.
5.1.6.9 Necessary changes to documentation (Part 2, Section 7.8.2.1i)
All necessary documentation changes are included in the impact analysis.
5.1.6.10 Modifications shall be performed with at least the same level of expertise,
automated tools (see 7.4.4.2 of IEC61508-3), and planning and management as the
initial development of the E/E/PE safety-related systems (Part 2, Section 7.8.2.3)
Management assures that changes are carried out by qualified engineers. For this project, all
engineers had been involved in the initial development. The Project Plan documents which fixes
will be assigned to each release. The issue tracking system is used to track work assignments.
Identical tools to the original development were used.
5.1.6.11 Evidence that Change was re-verified (Part 2, Section 7.8.2.4)
All changes had appropriate verification steps carried out. Verification included inspection, testing,
and static analysis. Action items from inspections were tracked to closure.
5.1.6.12 For SIL 3, Entire System Must be validated (Table A.8)
The complete validation test plan was run successfully after the changes were made (see [D3] through
[D9] and [D38] through [D43]).
5.1.6.13 A modification shall be initiated only on the issue of an authorized software
modification request under the procedures specified during safety planning (Part 3,
Section 7.8.2.1)
All software changes are submitted to the issue tracking system and authorized by the
development manager.
5.1.6.14 All modifications which have an impact on the functional safety of the
E/E/PE safety-related system shall initiate a return to an appropriate phase of the
software safety lifecycle. All subsequent phases shall then be carried out in
accordance with the procedures specified for the specific phases in accordance with
the requirements in this standard. Safety planning (see clause 6) should detail all
subsequent activities (Part 3, Section 7.8.2.5)
The impact analysis documents which phases need to be repeated and the phases are carried out
according to standard procedures.
5.1.6.15 The safety planning for the modification of safety-related software shall
include identification of staff and specification of their required competency. (Part 3,
7.8.2.6a)
This identification of staff is documented in the issue tracking system. Required competency is not
specifically documented, but the changes were made by experienced developers from the original
development team.
5.1.6.16 The safety planning for the modification of safety-related software shall
include a detailed specification for the modification (Part 3, Section 7.8.2.6b)
This information was included in the issue tracking system and the impact analysis document.
5.1.6.17 The safety planning for the modification of safety-related software shall
include verification planning (Part 3, Section 7.8.2.6c)
This information was included in the impact analysis document.
5.1.6.18 The safety planning for the modification of safety-related software shall
include the scope of re-validation and testing of the modification to the extent
required by the safety integrity level. For SIL 3 entire system must be revalidated.
(Part 3, Section 7.8.2.6d)
The impact analysis stated that the entire system would be revalidated.
5.1.6.19 Modification shall be carried out as planned (Part 3, Section 7.8.2.7)
Documentation in the issue tracking system showed that all of the work was carried out as planned.
5.1.6.20 Details of all modifications shall be documented, including references to
the modification/retrofit request (Part 3, Section 7.8.2.8a)
The impact analysis references the modification request via the issue ID from the issue tracking
system (the unique identifier for each software change request).
5.1.6.21 Details of all modifications shall be documented, including references to
the results of the impact analysis which assesses the impact of the proposed
software modification on the functional safety, and the decisions taken with
associated justifications; (Part 3, Section 7.8.2.8b)
The impact analysis documentation contains this information.
5.1.6.22 Details of all modifications shall be documented, including references to
software configuration management history (Part 3, Section 7.8.2.8c)
The software configuration management history is documented and stored in the version control
system.
5.1.6.23 Details of all modifications shall be documented, including references to
deviation from normal operations and conditions (Part 3, Section 7.8.2.8d)
This was documented in the impact analysis.
5.1.6.24 Details of all modifications shall be documented, including references to all
documented information affected by the modification activity (Part 3, Section
7.8.2.8e)
The impact analysis included a listing of all documents that would be updated based on this
change.
5.1.6.25 Information (for example a log) on the details of all modifications shall be
documented. The documentation shall include the re-verification and revalidation of
data and results. (Part 3, Section 7.8.2.9)
Details of all modifications are included in the impact analysis and the issue tracking system.
Documentation exists for re-verification (test reports, review reports, and static analysis results) and
re-validation (test reports).
5.1.6.26 The assessment of the required modification or retrofit activity shall be
dependent on the results of the impact analysis and the software safety integrity
level. (Part 3, Section 7.8.2.10)
The assessment of the modifications was based on the results of the impact analysis.
5.1.7 User documentation
Fisher-Rosemount Systems, Inc. created a combined Installation and Safety Manual for the DeltaV
SIS Safety Relay and DeltaV SIS Voltage Monitor modules, see [D60]. This safety manual was
assessed by exida-certification. The final version is considered to be in compliance with the
requirements of IEC 61508. The document includes all required reliability data and operations,
maintenance, and proof test procedures.
Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user
friendliness, maintenance friendliness, project management, documentation, limited operation
possibilities (the DeltaV SIS Relay Modules, DeltaV SIS Relay Diode, and DeltaV SIS Voltage
Monitor perform well-defined actions) and operation only by skilled operators (operators familiar
with type of devices, although this is partly the responsibility of the end-user). This meets SIL 3.
5.2 Hardware Assessment
To evaluate the hardware design of the DeltaV SIS, DeltaV SIS Relay Modules, DeltaV SIS Relay
Diode Module, and DeltaV SIS Voltage Monitor, a Failure Modes, Effects, and Diagnostic Analysis
was performed. This is documented in [R5] and [R6]. The FMEDA was verified using Fault
Injection Testing as part of the development, see [D55], and as part of the IEC 61508 assessment,
see [R7].
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect
and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with
extension to identify online diagnostics techniques and the failure modes relevant to safety
instrumented system design.
From the FMEDA, failure rates are derived for each important failure category. Table 1 lists these
failure rates as reported in the FMEDA reports. The failure rates are valid for the useful life of the
devices, which is defined in the FMEDA reports [R5] and [R6] as approximately 10 years. This
information is listed in the Safety Manual, see [D60].
Table 1: Failure rates for Simplex Safety PLC according to IEC 61508

                          λsd         λsu         λdd         λdu
Common (DET)              1,343 FIT   761 FIT     932 FIT     3.4 FIT
Common (ET)               1,091 FIT   694 FIT     1,251 FIT   4.0 FIT
AI Channel                31 FIT      45 FIT      20 FIT      0.006 FIT
DI Channel                39 FIT      49 FIT      13 FIT      0.0 FIT
AO Channel                31 FIT      45 FIT      20 FIT      0.006 FIT
DO Channel (DET)          26 FIT      15 FIT      10 FIT      0 FIT
DO Channel (ET)           16 FIT      12 FIT      17 FIT      0.3 FIT
Relay Module              21 FIT      93 FIT      10 FIT      40 FIT
Relay Diode Module        6 FIT       6 FIT       10 FIT      11 FIT
Voltage Monitor Module    1 FIT       134 FIT     0 FIT       0.72 FIT

Failure categories: SD = SD + AD, SU = SU + AU + NE, DD = DD, DU = DU
Note: the SD and SU categories include failures that do not cause a spurious trip.
These results must be considered in combination with the PFDAVG or PFH values of the other devices of a
Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity
Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG or
PFH for each defined safety instrumented function (SIF) to verify the design of that SIF.
The architectural constraints requirements of IEC 61508-2, Table 2 were also reviewed. The DeltaV
SIS Safety PLC is classified as a Type B device according to IEC 61508, having a
hardware fault tolerance of 1 for detected failures (99%+) and a hardware fault tolerance of 0 for
undetected failures (1%-). The analysis shows that the system has a safe failure fraction > 99%;
therefore, even under worst-case assumptions, the non-redundant unit may be used up to SIL
3 based on architectural constraints. For redundant use, common cause failures between the Relay
Modules and the Voltage Monitors have to be considered. The user of the DeltaV SIS Relay
Modules and DeltaV SIS Voltage Monitor needs to determine the application-specific common
cause factor β.
The analysis shows that the design of the DeltaV SIS, DeltaV SIS Relay Modules, DeltaV SIS
Relay Diode Module, and DeltaV SIS Voltage Monitor meets the hardware requirements of
IEC 61508 SIL 3 when used as a single element (HFT = 0).
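The following worked calculation is added here as an example; it is not part of the exida report or of Emerson's documentation. It takes the λsd, λsu, λdd and λdu values transcribed from Table 1 and computes the safe failure fraction (SFF) that feeds the IEC 61508-2 Table 2 architectural-constraint check, the simplified low-demand PFDAVG of a single element (HFT = 0), and the PFDAVG of a redundant 1oo2 pair with the common cause factor β the text asks the user to determine. The proof-test interval (one year), the β value (5 %), the neglect of repair time in the simplified formulas, and the names FailureRates, pfd_avg_1oo1, pfd_avg_1oo2 and series_pfd_avg are my assumptions; the 1 FIT = 1e-9 failures per hour definition is the one in Section 6.

```python
"""Added example (not from the exida report): SFF and simplified PFDavg
from the Table 1 failure rates of the DeltaV SIS relay and monitor modules."""
from dataclasses import dataclass
from typing import Iterable

FIT = 1e-9  # 1 FIT = 1e-9 failures per hour (Section 6 of the report)


@dataclass(frozen=True)
class FailureRates:
    """Per-category failure rates in FIT: safe detected (λsd), safe undetected
    (λsu), dangerous detected (λdd), dangerous undetected (λdu)."""
    sd: float
    su: float
    dd: float
    du: float

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    def sff(self) -> float:
        """Safe failure fraction per IEC 61508-2: all failures except the
        dangerous undetected ones, divided by the total failure rate."""
        return (self.sd + self.su + self.dd) / self.total


# Values transcribed from Table 1 of this report (FIT).
TABLE_1 = {
    "Common (DET)":           FailureRates(1343, 761, 932, 3.4),
    "Common (ET)":            FailureRates(1091, 694, 1251, 4.0),
    "Relay Module":           FailureRates(21, 93, 10, 40),
    "Relay Diode Module":     FailureRates(6, 6, 10, 11),
    "Voltage Monitor Module": FailureRates(1, 134, 0, 0.72),
}


def pfd_avg_1oo1(lambda_du_fit: float, ti_hours: float) -> float:
    """Simplified low-demand PFDavg of one element (HFT = 0):
    λdu * TI / 2.  Mean repair time is neglected (assumption)."""
    return lambda_du_fit * FIT * ti_hours / 2


def pfd_avg_1oo2(lambda_du_fit: float, ti_hours: float, beta: float) -> float:
    """Simplified PFDavg of two redundant elements (1oo2) using the beta-factor
    model: the independent part ((1-β)λdu)^2 * TI^2 / 3 plus the common-cause
    part β * λdu * TI / 2.  Mean repair time is neglected (assumption)."""
    ldu = lambda_du_fit * FIT
    independent = ((1 - beta) * ldu) ** 2 * ti_hours ** 2 / 3
    common_cause = beta * ldu * ti_hours / 2
    return independent + common_cause


def series_pfd_avg(element_pfds: Iterable[float]) -> float:
    """First-order PFDavg of a SIF whose sensor, logic solver and final element
    are each single elements in series: the sum of the element PFDavg values."""
    return sum(element_pfds)


if __name__ == "__main__":
    TI = 8760.0   # one-year proof-test interval (assumption)
    BETA = 0.05   # 5 % common-cause factor (assumption; user must determine)
    for name, rates in TABLE_1.items():
        print(f"{name:24s} SFF = {rates.sff():7.2%}   "
              f"PFDavg(1oo1, TI = 1 y) = {pfd_avg_1oo1(rates.du, TI):.2e}")
    relay = TABLE_1["Relay Module"]
    print(f"Relay Module 1oo2, beta = {BETA:.0%}: "
          f"PFDavg = {pfd_avg_1oo2(relay.du, TI, BETA):.2e}")
    chain = [pfd_avg_1oo1(TABLE_1[n].du, TI)
             for n in ("Common (DET)", "Relay Module", "Relay Diode Module")]
    print(f"series chain (common part + relay + diode): "
          f"PFDavg = {series_pfd_avg(chain):.2e}")
```

Running it shows why the text distinguishes the overall system from the individual modules: the two "Common" rows come out above 99 % SFF, whereas the Relay Module row on its own is about 75.6 % and the Relay Diode Module about 66.7 %, so a user doing the Table 2 check must apply it to the element as installed in the SIF, not to a single table row. The 1oo2 figure also makes the caveat about β concrete: at β = 5 % the common-cause term dominates the result, so the independent redundancy buys little unless β is justified to be small.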
6 Terms and Definitions
DET: De-energize to trip
ET: Energize to trip
Fault tolerance: Ability of a functional unit to continue to perform a required function in the
presence of faults or errors (IEC 61508-4, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode where the frequency of demands for operation made on a safety-related
system is no greater than twice the proof test frequency.
PFDAVG: Average Probability of Failure on Demand
SFF: Safe Failure Fraction; summarizes the fraction of failures which lead to a safe state and the
fraction of failures which will be detected by diagnostic measures and lead to a defined safety
action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A
SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A (sub)system: "Non-Complex" (sub)system (using discrete elements); for details see
7.4.3.1.2 of IEC 61508-2
Type B (sub)system: "Complex" (sub)system (using micro controllers or programmable logic); for
details see 7.4.3.1.3 of IEC 61508-2
7 Status of the document
7.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are
obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use
of these numbers or for the correctness of the standards on which the general calculation methods
are based.
7.2 Releases
Version: V1
Revision: R1
Version History: V0, R1: Draft; April 22, 2010
Authors: Michael Medoff
Review: V0, R1: Dr. William Goble; May 5, 2010
Release status: Draft
7.3 Future Enhancements
At request of client.
7.4 Release Signatures
Dr. William M. Goble, Principal Partner
Michael Medoff, Senior Safety Engineer