IEC Functional Safety Assessment

Transcription

1 IEC Functinal Safety Assessment Prject: Rsemunt 3051S 4-20mA HART Pressure Transmitter Sftware Revisin 7.0 and Abve Cmpany: Rsemunt Inc. (an Emersn Prcess Management cmpany) Chanhassen, MN USA Cntract N.: Q13/ Reprt N.: ROS 06/12-18 R001 Versin V2, Revisin R1, September 5, 2014 Ted Stewart The dcument was prepared using best effrt. The authrs make n warranty f any kind and shall nt be liable in any event fr incidental r cnsequential damages in cnnectin with the applicatin f the dcument. All rights reserved.

2 Management Summary This reprt summarizes the results f the functinal safety assessment accrding t IEC carried ut n the: Rsemunt 3051S 4-20mA HART Pressure Transmitter: Cplanar Differential & Cplanar Gage Rsemunt 3051S 4-20mA HART Pressure Transmitter: Cplanar Abslute, In-line Gage, and In-Line Abslute The functinal safety assessment perfrmed by exida cnsisted f the fllwing activities: - exida assessed the develpment prcess used by Rsemunt Inc. thrugh an audit and creatin f a detailed assessment against the requirements f IEC exida reviewed and assessed a detailed Failure Mdes, Effects, and Diagnstic Analysis (FMEDA) f the devices t dcument the hardware architecture and failure behavir. - exida reviewed field failure data t ensure that the FMEDA analysis was cmplete. - exida reviewed the manufacturing quality system in use at Rsemunt Inc. The functinal safety assessment was perfrmed t the requirements f IEC 61508: ed2, 2010, SIL 3. A full IEC Safety Case was prepared using the exida SafetyCase tl as the primary audit tl. Hardware prcess requirements and all assciated dcumentatin were reviewed. Envirnmental test reprts were reviewed. Als the user dcumentatin (safety manual) was reviewed. The results f the Functinal Safety Assessment can be summarized by the fllwing statements: The Rsemunt 3051S 4-20mA HART Pressure Transmitter was fund t meet the Systematic Capability requirements f IEC fr up t SC 3 (SIL 3 Capable). The Rsemunt 3051S was fund t meet the Randm Capability requirements fr a Type B device f SIL 2@HFT=0, SIL 3@HFT=1 (Rute 1 H fr mdels where the SFF 90% and all mdels Rute 2 H ). The manufacturer will be entitled t use the Functinal Safety Lg. Ted Stewart Page 2 f 15

3 Table f Cntents Management Summary Purpse and Scpe Prject management exida Rles f the parties invlved Prduct Descriptin IEC Functinal Safety Assessment Methdlgy Assessment level Results f the IEC Functinal Safety Assessment Lifecycle Activities and Fault Avidance Measures Functinal Safety Management Safety Requirements Specificatin and Architecture Design Hardware Design Sftware (Firmware) Design Validatin Verificatin Mdificatins User dcumentatin Hardware Assessment Terms and Definitins Status f the Dcument Liability Releases Future Enhancements Release Signatures Ted Stewart Page 3 f 15

4 1 Purpse and Scpe This dcument shall describe the results f the IEC functinal safety assessment f the Rsemunt 3051S 4-20mA HART Pressure Transmitter by exida accrding t the requirements f IEC 61508: ed2, The results f this prvides the safety instrumentatin engineer with the required failure data as per IEC / IEC and cnfidence that sufficient attentin has been given t systematic failures during the develpment prcess f the device. Ted Stewart Page 4 f 15

5 2 Prject management 2.1 exida exida is ne f the wrld s leading accredited Certificatin Bdies and knwledge cmpanies specializing in autmatin system safety and availability with ver 300 years f cumulative experience in functinal safety. Funded by several f the wrld s tp reliability and safety experts frm assessment rganizatins and manufacturers, exida is a glbal cmpany with ffices arund the wrld. exida ffers training, caching, prject riented system cnsulting services, safety lifecycle engineering tls, detailed prduct assurance, cyber-security and functinal safety certificatin, and a cllectin f n-line safety and reliability resurces. exida maintains the largest prcess equipment database f failure rates and failure mdes with ver 60 billin unit perating hurs. 2.2 Rles f the parties invlved Rsemunt Inc. exida Manufacturer f the Rsemunt 3051S Perfrmed the IEC Functinal Safety Assessment Rsemunt Inc. cntracted exida with the IEC Functinal Safety Assessment f the abve mentined devices. 2.3 Standards / Literature used The services delivered by exida were perfrmed based n the fllwing standards / literature. [N1] IEC (Parts 1-7): ed. 2, 2010 Functinal Safety f Electrical/Electrnic/Prgrammable Electrnic Safety-Related Systems 2.4 Reference dcuments Dcumentatin prvided by Rsemunt Inc. [D1] DOP 415 Prduct Design and Develpment Prcess [D2] DOP 440 Engineering Change Order [D3] EDP Peer Review Prcedure [D4] EDP Cnfiguratin and Change Management Prcedure [D6] Functinal_Safety_Requir ements_specificatin.dc Functinal Safety Requirements Specificatin fr the Rsemunt 3051S [D7] D Rsemunt 3051S System Requirements Dcument [D10] Prduct Safety Manual fr 3051S [D11] [D12] Safety Impact Analysis 3051S.dc SIS_SM_Prject _Plan.dc Safety Impact Analysis fr Rsemunt 3051S Prject Plan fr Rsemunt 3051S [D13] Safety_Validatin Safety Validatin Test Plan fr Rsemunt 3051S Ted Stewart Page 5 f 15

6 [D14] [D20] [D21] [D23] [D24] [D25] [D26] [D27] [D28] _Test_Plan.dc Safety_Validatin _Test_Reprt_ROM7.dc fsrs_cns_lg_sis_super mdule.xls Prject Plan Review Lg.xls sis_mdule_lint _utput.txt Rm7 _cde_review _lg.xls Sis_supermdule _design_review _lg.xls SIS_SuperMdule _Integratin _Test.dc SM_SIS_Actin _Items.dc svtp_cns_lg_sis _supermdule.xls Safety Validatin Test Reprt fr the Rsemunt 3051S Inspectin Reprt Rsemunt 3051S Functinal Safety Requirements Specificatin Inspectin Reprt Rsemunt 3051S Inspectin Plan Output frm PC LINT Cde Review Inspectin Reprt Design Review Inspectin Reprt Rsemunt 3051S Integratin Test Specificatin and Reprt Rsemunt 3051S Actin Item List Inspectin Reprt fr Safety Validatin Test Plan Dcumentatin generated by exida [R1] Rsemunt Change Audit.xls [R2] ROS 05/05-05 R001, FMEDA, V2R2 9/11/2014 [R3] ROS 03/11-07 R001, V1R1, 1/16/2004 [R4] Cplanar II 3051S with prf test cverage.xls Details f assessment (internal dcument) Rsemunt 3051S FMEDA Reprt Rsemunt 3051S Prven in Use Assessment Detailed FMEDA fr Rsemunt 3051S Cplanar Bard Ted Stewart Page 6 f 15

7 3 Prduct Descriptin The Rsemunt 3051S 4-20mA HART Pressure Transmitter, Sftware Revisins 7.0 and Abve, is a tw-wire 4 20 ma smart device used in multiple industries fr bth cntrl and safety applicatins. The FMEDA has been perfrmed fr fur different cnfiguratins f the 3051S Pressure Transmitter, i.e. Cplanar, In-Line, Level, and Flw cnfiguratins. The Rsemunt 3051S Pressure Transmitter series include the fllwing measurement cnfiguratins: Rsemunt 3051S 4-20mA HART Pressure Transmitter: Differential and Gage Cplanar Capacitance technlgy is utilized fr differential Cplanar measurements. Rsemunt 3051S 4-20mA HART Pressure Transmitter: Cplanar Abslute, In-line Gage and In-line Abslute Piezresistive sensr technlgy is used fr the abslute Cplanar and In-line measurements. Rsemunt 3051S 4-20mA HART Level Transmitter A Rsemunt 3051S Pressure Transmitter is available as a Level assembly. The Rsemunt 3051S Level transmitter can be used t measure level n virtually any liquid level vessel. Rsemunt 3051S transmitters and seal systems are designed t ffer a flexible slutin t meet the perfrmance, reliability, and installatin needs f nearly any level measurement applicatin. Rsemunt 3051S 4-20mA HART Flwmeter A Rsemunt 3051S Pressure Transmitter can be cmbined with primary elements t ffer fully assembled flwmeters. The direct munt flwmeter capability eliminates trublesme impulse lines assciated with traditinal installatins. With multiple primary element technlgies available, Rsemunt 3051S flwmeters ffer a flexible slutin t meet the perfrmance, reliability, and installatin needs f nearly any flw measurement applicatin. The flwmeters cvered fr this assessment are based n the Rsemunt 1195, 405, and 485 primary elements. Excluded frm the assessment are mdels with Fl-Tap, remte munt, r temperature input ptins. The Rsemunt 3051S 4-20mA HART Pressure Transmitter is classified as a Type B 1 device accrding t IEC 61508, having a hardware fault tlerance f 0. The Rsemunt 3051S 4-20mA HART Pressure Transmitter can be cnnected t the prcess using an impulse line, depending n the applicatin the clgging f the impulse line needs t be accunted fr, see sectin 5.1 f the FMEDA reprt [R2]. 1 Type B element: Cmplex element (using micr cntrllers r prgrammable lgic); fr details see f IEC , ed2, Ted Stewart Page 7 f 15

8 4 IEC Functinal Safety Assessment The IEC Functinal Safety Assessment was perfrmed based n the infrmatin received frm Rsemunt Inc. and is dcumented in this reprt. 4.1 Methdlgy The full functinal safety assessment includes an assessment f all fault avidance and fault cntrl measures during hardware and sftware develpment and demnstrates full cmpliance with IEC t the end-user. The assessment cnsiders all requirements f IEC Any requirements that have been deemed nt applicable have been marked as such in the full Safety Case reprt, e.g. sftware develpment requirements fr a prduct with n sftware. As part f the IEC functinal safety assessment the fllwing aspects have been reviewed: Develpment prcess, including: Functinal Safety Management, including training and cmpetence recrding, FSM planning, and cnfiguratin management Specificatin prcess, techniques and dcumentatin Design prcess, techniques and dcumentatin, including tls used Validatin activities, including develpment test prcedures, test plans and reprts, prductin test prcedures and dcumentatin Verificatin activities and dcumentatin Mdificatin prcess and dcumentatin Installatin, peratin, and maintenance requirements, including user dcumentatin Prduct design Hardware architecture and failure behavir, dcumented in a FMEDA Sftware architecture and failure behavir, dcumented in safety integrity requirement specificatin The review f the develpment prcedures is described in sectin 5.1. The review f the prduct design is described in sectin Assessment level The Rsemunt 3051S 4-20mA HART Pressure Transmitter has been assessed per IEC t the fllwing levels: Systematic Integrity (SIL 3 capability) as the develpment prcedures were assessed as suitable fr use in applicatins with a maximum Safety Integrity Level f 3 (SIL 3) accrding t IEC Architecture Cnstraint limitatins f SIL 2 fr a single device and SIL 3 fr multiple devices in safety redundant cnfiguratins with a Hardware Fault Tlerance f 1. Ted Stewart Page 8 f 15

9 5 Results f the IEC Functinal Safety Assessment exida assessed the develpment prcess used by Rsemunt Inc. during the prduct develpment against the bjectives f IEC parts 1, 2, and 3, see [N1]. The develpment f the Rsemunt 3051S 4-20mA HART Pressure Transmitter was dne using this develpment prcess. The Safety Case was updated with prject specific design dcuments. 5.1 Lifecycle Activities and Fault Avidance Measures Rsemunt Inc. has an IEC cmpliant develpment prcess as defined in [D1]. The prcess defines a safety lifecycle which meets the requirements fr a safety lifecycle as dcumented in IEC Thrughut all phases f this lifecycle, fault avidance measures are included. Such measures include design reviews, FMEDA, cde reviews, unit testing, integratin testing, fault injectin testing, etc. This functinal safety assessment investigated the cmpliance with IEC f the prcesses, prcedures and techniques as implemented fr the Rsemunt 3051S 4-20mA HART Pressure Transmitter develpment. The investigatin was executed using subsets f the IEC requirements tailred t the SIL 3 wrk scpe f the develpment team. The result f the assessment can be summarized by the fllwing bservatins: The audited Rsemunt Inc. develpment prcess cmplies with the relevant managerial requirements f IEC SIL Functinal Safety Management FSM Planning The functinal safety management f any Rsemunt Inc. Safety Instrumented Systems Prduct develpment is gverned by [D1]. This prcess requires that Rsemunt Inc. create a prject plan [D12] which is specific fr each develpment prject. The Prject Plan defines all f the tasks that must be dne t ensure functinal safety as well as the persn(s) respnsible fr each task. These prcesses and the prcedures referenced herein fulfill the requirements f IEC with respect t functinal safety management. Versin Cntrl All dcuments are under versin cntrl as required by [D4]. Training, Cmpetency recrding Cmpetency is ensured by the creatin f a cmpetency and training matrix fr the prject. The matrix lists all f thse n the prject wh are wrking n any f the phases f the safety lifecycle. Specific cmpetencies fr each persn are listed n the matrix which is reviewed by the prject manager. Any deficiencies are then addressed by updating the matrix with required training fr the prject Safety Requirements Specificatin and Architecture Design As defined in [D1] a safety requirements specificatin (SRS) is created fr all prducts that must meet IEC requirements. Fr the Rsemunt 3051S 4-20mA HART Pressure Transmitter, the safety integrity requirements specificatin (SIRS) [D6] cntains a system verview, safety assumptins, and safety requirements sectins. During the assessment, exida reviewed the cntent f the specificatin fr cmpleteness per the requirements f IEC 61508: ed2, Ted Stewart Page 9 f 15

10 Requirements are tracked thrughut the develpment prcess by the creatin f a series f traceability matrices which are included in the fllwing dcuments: [D6] and [D13]. The system requirements are brken dwn int derived hardware and sftware requirements which include specific safety requirements. Traceability matrices shw hw the system safety requirements map t the hardware and sftware requirements, t hardware and sftware architecture, t sftware and hardware detailed design, and t validatin tests. Requirements frm IEC , Table B.1 that have been met by Rsemunt Inc. include prject management, dcumentatin, structured specificatin, inspectin f the specificatin, and checklists. Requirements frm IEC , Table A.1 that have been met by Rsemunt Inc. include backward traceability between the safety requirements and the perceived safety needs Hardware Design Hardware design, including bth electrical and mechanical design, is dne accrding t [D1]. The hardware design prcess includes creating a hardware architecture specificatin, a peer review f this specificatin, creating a detailed design, a peer review f the detailed design, cmpnent selectin, detailed drawings and schematics, a Failure Mdes, Effects and Diagnstic Analysis (FMEDA), electrical unit testing, fault injectin testing, and hardware verificatin tests. Requirements frm IEC , Table B.2 that have been met by Rsemunt Inc. include bservance f guidelines and standards, prject management, dcumentatin, structured design, mdularizatin, use f well-tried cmpnents, checklists, semi-frmal methds, cmputer aided design tls, simulatin, and inspectin f the specificatin. This meets the requirements f SIL Sftware (Firmware) Design Sftware (firmware) design is dne accrding t [D1]. The sftware design prcess includes sftware architecture design and peer review, detailed design and peer review, critical cde reviews, static surce cde analysis and unit test. Requirements frm IEC , Table A.2 that have been met by Rsemunt Inc. include fault detectin, errr detecting cdes, failure assertin prgramming, diverse mnitr techniques, stateless sftware design, retry fault recvery mechanisms, graceful degradatin, frward and backward traceability between the sftware safety requirements specificatin and sftware architecture, semi-frmal methds, event-driven, with guaranteed maximum respnse time, static resurce allcatin, and static synchrnizatin f access t shared resurces. Requirements frm IEC , Table A.3 that have been met by Rsemunt Inc. include suitable prgramming language, strngly typed prgramming language, language subset, and increased cnfidence frm use fr the tls and translatrs. Requirements frm IEC , Table A.4 that have been met by Rsemunt Inc. include semifrmal methds, cmputer aided design tls, defensive prgramming, mdular apprach, design and cding standards, structured prgramming, frward traceability between the sftware safety requirements specificatin and sftware design. This meets the requirements f SIL 3. Ted Stewart Page 10 f 15

11 5.1.5 Validatin Validatin Testing is dne via a set f dcumented tests. The validatin tests are traceable t the Safety Requirements Specificatin [D6] in the validatin test plan [D13]. The traceability matrices shw that all safety requirements have been validated by ne r mre tests. In additin t standard Test Specificatin Dcuments, third party testing is included as part f the validatin testing. All nn-cnfrmities are dcumented in a change request and prcedures are in place fr crrective actins t be taken when tests fail as dcumented in [D1]. Requirements frm IEC , Table B.5 that have been met by Rsemunt Inc. include functinal testing, functinal testing under envirnmental cnditins, interference surge immunity testing, fault insertin testing, prject management, dcumentatin, static analysis, dynamic analysis, and failure analysis, expanded functinal testing and black-bx testing. Requirements frm IEC , Table A.7 that have been met by Rsemunt Inc. include prcess simulatin, functinal and black bx testing, and frward and backward traceability between the sftware safety requirements specificatin and the sftware safety validatin plan. This meets SIL Verificatin Verificatin activities are built int the standard develpment prcess as defined in [D1]. Verificatin activities include the fllwing: Fault Injectin Testing, static surce cde analysis, mdule testing, integratin testing, FMEDA, peer reviews and bth hardware and sftware unit testing. In additin, safety verificatin checklists are filled ut fr each phase f the safety lifecycle. This meets the requirements f IEC SIL 3. Requirements frm IEC , Table B.3 that have been met by Rsemunt Inc. include functinal testing, prject management, dcumentatin, and black-bx testing. Requirements frm IEC , Table A.5 that have been met by Rsemunt Inc. include dynamic analysis and testing, data recrding and analysis, functinal and black bx testing, perfrmance testing, interface testing, and test management and autmatin tls. Requirements frm IEC , Table A.6 that have been met by Rsemunt Inc. include functinal and black bx testing, perfrmance testing, and frward traceability between the system and sftware design requirements fr hardware/sftware integratin and the hardware/sftware integratin test specificatins Requirements frm IEC , Table A.9 that have been met include static analysis, dynamic analysis and testing, frward traceability between the sftware design specificatin and the sftware verificatin plan. This meets the requirements f SIL 3. Ted Stewart Page 11 f 15

12 5.1.7 Mdificatins Mdificatins are dne per the Rsemunt Inc. s change management prcess as dcumented in [D2] and [D4]. Impact analyses are perfrmed fr all changes nce the prduct is released fr integratin testing. The results f the impact analysis are used in determining whether t apprve the change. The standard develpment prcess as defined in [D1] is then fllwed t make the change. The handling f hazardus field incidents and custmer ntificatins is gverned by DOP This prcedure includes identificatin f the prblem, analysis f the prblem, identificatin f the slutin, and cmmunicatin f the slutin t the field. This meets the requirements f IEC SIL 3. Requirements frm IEC , Table A.8 that have been met by the Rsemunt Inc. mdificatin prcess include impact analysis, reverify changed sftware mdules, reverify affected sftware mdules, revalidate cmplete system r regressin validatin, sftware cnfiguratin management, data recrding and analysis, and frward and backward traceability between the sftware safety requirements specificatin and the sftware mdificatin plan (including reverificatin and revalidatin) User dcumentatin Rsemunt Inc. created a safety manual fr the Rsemunt 3051S 4-20mA HART Pressure Transmitter [D10] which addresses all relevant peratin and maintenance requirements frm IEC This safety manual was assessed by exida. The final versin is cnsidered t be in cmpliance with the requirements f IEC Requirements frm IEC , Table B.4 that have been met by Rsemunt Inc. include peratin and maintenance instructins, maintenance friendliness, prject management, dcumentatin, and limited peratin pssibilities. This meets the requirements fr SIL 3. Ted Stewart Page 12 f 15

13 5.2 Hardware Assessment T evaluate the hardware design f the Rsemunt 3051S 4-20mA HART Pressure Transmitter, a Failure Mdes, Effects, and Diagnstic Analysis was perfrmed by exida fr each cmpnent in the system. The FMEDA was verified using Fault Injectin Testing as part f the develpment, and as part f the IEC assessment. A Failure Mdes and Effects Analysis (FMEA) is a systematic way t identify and evaluate the effects f different cmpnent failure mdes, t determine what culd eliminate r reduce the chance f failure, and t dcument the system in cnsideratin. An FMEDA (Failure Mde Effect and Diagnstic Analysis) is an FMEA extensin. It cmbines standard FMEA techniques with extensin t identify nline diagnstics techniques and the failure mdes relevant t safety instrumented system design. Failure rates are listed in the FMEDA reprts fr each imprtant failure categry. Refer t the FMEDA [R2] fr a cmplete listing f the assumptins used and the resulting failure rates. The FMEDA results must be cnsidered in cmbinatin with PFD AVG and architectural cnstraints f ther devices f a Safety Instrumented Functin (SIF) in rder t determine suitability fr a specific Safety Integrity Level (SIL). The Safety Manual states that the applicatin engineer shuld calculate the PFD AVG fr each defined safety instrumented functin (SIF) t verify the design f that SIF. The FMEDA analysis shws that mst f the reviewed 3051 mdels have a Safe Failure Fractin > 90% (assuming that the lgic slver is prgrammed t detect ver-scale and under-scale currents) and therefre thse mdels meet Rute 1 H hardware architectural cnstraints fr up t SIL 2 as a single device and SIL 3 with Hardware Fault Tlerance f 1. The failure rate data used fr this analysis meets the exida criteria fr Rute 2 H and the diagnstic cverage is 60%. Therefre all f the reviewed 3051 mdels meet the Rute 2 H hardware architectural cnstraints fr up t SIL 2 as a single device when the listed failure rates are used. If the Rsemunt 3051S 4-20mA HART Pressure Transmitter is ne part f an element the architectural cnstraints shuld be determined fr the entire sensr element The architectural cnstraint type fr the Rsemunt 3051S 4-20mA HART Pressure Transmitter Series is B. The required SIL determine the level f hardware fault tlerance that is required per requirements f IEC r IEC The SIS designer is respnsible fr meeting ther requirements f applicable standards fr any given SIL as well. The analysis shws that design f the Rsemunt 3051S Pressure Transmitter meets the hardware requirements f IEC 61508, SIL and SIL HFT=1. Ted Stewart Page 13 f 15

14 6 Terms and Definitins Fault tlerance FIT FMEDA HFT Lw demand mde PFD AVG Randm Capability SFF SIF SIL SIS Systematic Capability Type B element Ability f a functinal unit t cntinue t perfrm a required functin in the presence f faults r errrs (IEC , 3.6.3). Failure In Time (1x10-9 failures per hur) Failure Mde Effect and Diagnstic Analysis Hardware Fault Tlerance Mde, where the demand interval fr peratin made n a safety-related system is greater than twice the prf test interval. Average Prbability f Failure n Demand The SIL limit impsed by the Architectural Cnstraints fr each element. Safe Failure Fractin summarizes the fractin f failures, which lead t a safe state and the fractin f failures which will be detected by diagnstic measures and lead t a defined safety actin. Safety Instrumented Functin Safety Integrity Level Safety Instrumented System Implementatin f ne r mre Safety Instrumented Functins. A SIS is cmpsed f any cmbinatin f sensr(s), lgic slver(s), and final element(s). Measure f the cnfidence that the systematic safety integrity f an element meets the requirements f the specified SIL. Cmplex element (using cmplex cmpnents such as micr cntrllers r prgrammable lgic); fr details see f IEC Ted Stewart Page 14 f 15

15 7 Status f the Dcument 7.1 Liability exida prepares reprts based n methds advcated in Internatinal standards. Failure rates are btained frm a cllectin f industrial databases. exida accepts n liability whatsever fr the use f these numbers r fr the crrectness f the standards n which the general calculatin methds are based. 7.2 Releases Versin: V2 Revisin: R1 Versin Histry: V2, R1: updated t IEC standard and incrprated rute 2 H; TES; 9/5/14 V1, R2: updated frm Q , incrprated new template, and updated t incrprate Rsemunt feedback/cmments fr cert; Rsemunt decided n rute 2H at this time; Ted Stewart; May 2, 2013 V1, R1: Released t Emersn, December 22, 2006 Authrs: Michael Medff, Jhn Yzallinas Review: V0, R1: William M. Gble; December 22, 2006 Release status: RELEASED 7.3 Future Enhancements At request f client. 7.4 Release Signatures Ted Stewart, Evaluating Assessr William Gble, Certifying Assessr Ted Stewart Page 15 f 15