
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

IEC 61508 Functional Safety Assessment

Project: Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards

Customer: Flowserve Limitorque

Lynchburg, VA USA

Contract No.: Q08/10-12

Report No.: FLO 08-10-12 R002

Version V2, Revision R2, September 18, 2013

Iwan van Beurden

61508 SIL 3 CAPABLE

© exida.com L.L.C. flo 08-10-12 r002 v3r1 iec 61508 assessment mxa.docx, September 18, 2013 Iwan van Beurden Page 2 of 22

Management Summary This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the:

Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards

The functional safety assessment performed by exida-certification consisted of the following activities:

- exida-certification assessed the development process used by Flowserve Limitorque through an audit and creation of a detailed safety case against the requirements of IEC 61508.

- exida-certification reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida-certification assessed the proven field experience of the Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards to ensure sufficient systematic failure robustness.

The functional safety assessment was performed to the requirements of IEC 61508, SIL 3. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was also reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

- The Flowserve Limitorque MXa Electronic Valve Actuator has been assessed per the relevant requirements of IEC 61508, Parts 1, 2, and 3 and meets the requirements, providing a level of systematic integrity up to SIL 3.

- For random integrity, the Flowserve Limitorque MXa Electronic Valve Actuator is designated as a Type B device. As it is only one element of a final element configuration, the achieved SIL and minimum Hardware Fault Tolerance requirements must be verified for the application.

- The manufacturer will be entitled to use the Functional Safety Logo.

The manufacturer may use the mark:


Table of Contents

Management Summary
1 Purpose and Scope
2 Project management
  2.1 exida
  2.2 Roles of the parties involved
  2.3 Standards / Literature used
  2.4 Reference documents
    2.4.1 Documentation provided by Flowserve Limitorque
    2.4.2 Documentation generated by exida-certification
3 Product Description
4 IEC 61508: Functional Safety Assessment
  4.1 Methodology
  4.2 Assessment level
5 Results of the IEC 61508 Functional Safety Assessment
  5.1 Lifecycle Activities and Fault Avoidance Measures
    5.1.1 Functional Safety Management
    5.1.2 Safety Requirements Specification and Architecture Design
    5.1.3 Hardware Design
    5.1.4 Software (Firmware) Design
    5.1.5 Validation
    5.1.6 Verification
    5.1.7 Modifications
    5.1.8 User documentation
  5.2 Hardware Assessment
6 Terms and Definitions
7 Status of the document
  7.1 Liability
  7.2 Releases
  7.3 Future Enhancements
  7.4 Release Signatures


1 Purpose and Scope Generally three options exist when doing an assessment of sensors, interfaces and/or final elements.

Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s) like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault behavior and the failure rates of the device, which are then used to calculate the Safe Failure Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG). When appropriate, fault injection testing will be used to confirm the effectiveness of any self-diagnostics.

Option 1: Hardware assessment according to IEC 61508

This option provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511. This option does not include an assessment of the development process.

Option 2 extends Option 1 with an assessment of the proven-in-use documentation of the device including the modification process.

Option 2: Hardware assessment with proven-in-use consideration according to IEC 61508 / IEC 61511

This option for pre-existing programmable electronic devices provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511. When combined with plant specific proven-in-use records, it may help with prior-use justification per IEC 61511 for sensors, final elements and other PE field devices.

Option 3 is a full assessment by exida according to the relevant application standard(s) like IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1. The full assessment extends option 1 by an assessment of all fault avoidance and fault control measures during hardware and software development.

Option 3: Full assessment according to IEC 61508

This option provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

This assessment was performed according to option 3. This document describes the results of the IEC 61508 functional safety assessment of the Flowserve Limitorque MXa Electronic Valve Actuator.


2 Project management

2.1 exida exida-certification is one of the world’s leading product certification and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented consulting services, safety lifecycle engineering tools, detailed product assurance and certification analysis and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

exida-certification is the market leader for IEC 61508 certification for industrial control products.

2.2 Roles of the parties involved

Flowserve Limitorque: Manufacturer of the Flowserve Limitorque MXa Electronic Valve Actuator

exida-certification: Performed the IEC 61508 Functional Safety Assessment according to option 3 (see section 1)

Flowserve Limitorque contracted exida to perform the IEC 61508 Functional Safety Assessment of the above mentioned devices in March 2009.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7): 2010, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Flowserve Limitorque

[D1] MXa Safety Case: Flowserve Limitorque MXa Electronic Valve Actuator Safety Case

[D2] EEP-10 MXa SQMP, Rev 1, 09/26/2011: Flowserve Limitorque MXa Electronic Valve Actuator Functional Safety Management Plan/System Quality Management Plan (SQMP)

[D3] QAP 4.1: Flowserve QAP 4.1 Design and Development Procedure

[D4] Flowserve MXa PIU Report, v2, 12/05/2011: Flowserve Limitorque MXa Electronic Valve Actuator Proven in Use report

[D5] Flowserve Lynchburg Engr Job descriptions - Dec 2011: Job descriptions/training requirements for Flowserve Limitorque engineering department

[D6] QAP 5: Flowserve QAP 5 Procedure for Processing Engineering Change Orders and Issuance of Internal Engineering Documents


[D7] MXa ICD, Rev 0, August 8, 2011: EIP-409 MXa Interface Control Document (ICD)

[D8] SRS checklist: exida Safety Requirements Specifications Checklist

[D9] EIP-408 MXa CIDS, Rev 0, 08/08/2011: MXa CIDS, Configuration Item Development Specification

[D10] FCD LMENBR2302-04: Limitorque MX Series - The Next Generation in Smart Multi-Turn Actuation Brochure

[D11] MXa SDS, Rev 30: MXa Software Design Specification

[D12] IEC 61508 Tables, Rev NA, embedded in safety case [D1]: IEC 61508 Tables; the document shows all tables from IEC 61508 Annex A and B of part 2 and part 3 along with a description of how Flowserve Limitorque meets each of the requirements

[D13] FLO 08-01-45 R002 V2 R2 FMEDA Report, 6/28/2013: Flowserve Limitorque MXa Electronic Valve Actuator Failure Modes Effects and Diagnostic Analysis

[D14] Summary of FIT.xls: Fault Injection Test Results Summary

[D15] Main Board FIT Report_MB_FITR.xls: Fault Injection Test Results, Main Board

[D16] Encoder Board FIT Report_EB_FITR.xls: Fault Injection Test Results, Encoder Board

[D17] Power Module FIT Report_PM_FITR.xls: Fault Injection Test Results, Power Module

[D18] UPS Board FIT Report_UPS_FITR.xls: Fault Injection Test Results, UPS Board

[D19] MX_2 Software Arch Big Picture: Flowserve Limitorque MXa Electronic Valve Actuator software architecture

[D20] MX_2 Software Main Board Block Diagrams: Flowserve Limitorque MXa Electronic Valve Actuator main board block diagram

[D21] EIP-407 MXa CIDD, Rev 0, 08/08/2011: MXa CIDD, Configuration Item Design Description

[D22] MXa CSCI, Rev 0, 07/07/2010: MXa CSCI, Software Design Description for the Limitorque MXa Electric Actuator Computer Software Configuration Item

[D23] Safety Manual Checklist: Safety Manual Checklist Template

[D24] System Architecture Design Checklist: System Architecture Design Checklist Template

[D25] PC_Lint_Analysis_Output_for_MXa_APP_10M12_03: PC Lint Results

[D26] MXa Main Board Firmware Static Analysis Discrepancy Report: PC Lint exception evaluation

[D27] Software Design Review Checklist: Software Design Review Checklist Template


[D28] EEP-5.1, Rev 7, 09/14/2011: Flowserve Software Standards and Procedures Manual (including Source Code Standard)

[D29] Limitorque MXa Safety Manual V2_5_final -wtd - 2013-Jun-07: Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards Safety Manual

[D30] 9973-01 Rev 1, 09/28/07, re-issued 07/07/09: EMI/EMC Test Report, MXa equipped with the DO AO FF DDC Communication Card

[D31] 9973-02 Rev 1, 09/28/07, re-issued 07/07/09: EMI/EMC Test Report, MXa equipped with the DO ANA DP DN Communication Card

[D32] 9974-01 Rev 1, 09/28/07, re-issued 07/07/09: FCC Verification Test Report, MXa with alternate cards

[D33] 20070925 EMC Report - Surge: EMC MXa Report, Surge, EFT, ESD (DDC, FF PA, Dig, Analog Out)

[D34] 20080118 EMC Report - RF Immunity: MX-a Network Analog and Digital Output Conducted RF Immunity

[D35] Flowserve Safety Impact Analysis Template/Example.doc: Flowserve Safety Impact Analysis Template/Example for QX Motor Controller Fault operation ECR, 17 June 2011

[D36] QAP 10.5: Flowserve QAP 10.5 Safety Issues Tracking and Notification Procedure

[D37] QAP 14: Flowserve QAP 14 Corrective and Preventive Action Procedure

[D38] QAP 19.7: Flowserve QAP 19.7 Issues Tracking Procedure

[D39] MXa SQTD, September 13, 2010: System Qualification Test Description for the Limitorque MXa Electric Actuator

[D40] QAP 6.2: Flowserve QAP 6.2 Qualification of Vendors and Suppliers Procedure

[D41] Form L2068 Rev. 2, 06/04/2002: Flowserve L2068 Supplier Qualification Questionnaire Form

[D42] ADN example, 11/15/2011: Audit Deficiency Notice example

[D43] LCAR example, 11/15/2011: Limitorque Corrective Action Request example

[D44] FLO Q12-03-026 R003 V2R1 Flowserve Limitorque MX Accesory Boards FMEDA Report.doc, 9/10/2013: Option Boards Failure Modes Effects and Diagnostic Analysis

[D45] Main Board FIT Report_MB_FITR - v1 - wtd - 5Nov2012 - filtered for option board interface nodes: Fault Injection Test Report (option boards)


2.4.2 Documentation generated by exida-certification

[R1] FLO 08-10-12 R002 V3R1 IEC 61508 Assessment MXa.docx, September 18, 2013: IEC 61508 Functional Safety Assessment for Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards (this document)


3 Product Description The Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards is a smart, double-sealed, multi-turn actuator that employs an absolute encoder for position and speed feedback.

The MXa Electronic Valve Actuator consists of a mechanical gearbox powered by an electric motor. It is controlled by an integral electro-mechanical starter and advanced controls. The actuator housing is double sealed and weather proof to IP68, NEMA 4, 4X, and 6. The actuator can be used in one of two distinct safety functions: Emergency Shutdown (ESD) or Stayput.

When configured in an ESD mode the safety function of the actuator is to drive its output to the predefined safe position (fully open or closed). In this configuration the actuator is controlled by one remote ESD command signal that is configured de-energize to trip and one remote inhibit signal that is configured energize to trip.

When configured in the Stayput mode the actuator will not move without a valid remote open or close command.

The MXa motor is designed for high starting torque and low inertia to reduce valve position overshoot. The MXa Electronic Valve Actuator continually monitors the motor contactor, control relays, internal logic circuits, and external command signals to detect possible malfunctions; when one is detected it de-energizes the monitor relay to warn the user that the actuator should be examined and repaired. Enabling the built-in partial stroke testing capability provides assurance that the Flowserve Limitorque Electronic Valve Actuator will be ready for action when called upon by its configured Safety Instrumented Function.

The double-sealed design provides a termination chamber that is separated and moisture sealed from the control compartment. The terminal compartment contains provisions for connecting power, earth, and control wiring. Wiring may be connected without opening the controls compartment, thus protecting the internal controls from exposure to potentially damaging environmental factors.

The hand wheel provides backup for manual operation. When the declutch lever is placed in its manual operation position, the output drive is coupled to the hand wheel and the valve position may be changed with it. The actuator automatically returns to motor operation whenever the motor is energized.

The accessory boards add functionality to the basic MX actuator; they were analyzed for their effect on the safety functions described above.

Figure 1 shows the Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards .


Figure 1 Flowserve Limitorque MXa Electronic Valve Actuator

1 Motor Cover
2 Motor Rotor
3 Wiring harness with plug-in connectors
4 Clutch Ring on Drive Sleeve
5 Terminal block
6 Worm/Worm Gear set
7 Baseplate
8 Printed Circuit Board – Power
9 Local control & configuration knobs
10 LCD Display
11 Absolute Position Encoder
12 Controls compartment
13 Motor declutch lever
14 Handwheel (manual override)


Figure 2 shows the boundary of what is included in this IEC 61508 assessment. Note that the option boards are part of the block entitled “Digital Electronics.”

Figure 2 Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards Assessment Boundary

[Figure 2 block labels: Digital Electronics, Motor Contactor Control, Motor Contactor, Encoder, Motor, Worm Shaft, Drive Shaft, Baseplate, Declutch Lever, Handwheel; boundary label: FMEDA]

Table 1 gives an overview of the different options that were considered in the assessment for the MXa Electronic Valve Actuator.

Table 1 Option Overview

Option 1: Emergency Shutdown (ESD)
Option 2: Stayput (no un-commanded movement)

Table 2 gives an overview of the different versions that were considered in the assessment of the option boards.


Table 2 Version Overview

Backup Power Board: Adds internal backup power capability to the MX Actuator
UPS Power Board: Connects the MX actuator to an uninterruptible power supply
Analog Option Board: Adds analog (4-20mA) I/O capability
DeviceNet Board: Adds DeviceNet communication
Foundation Fieldbus Board: Adds Foundation Fieldbus communication
MODBus Board: Adds Modbus communication
ProfiBus DP Board: Adds Profibus DP communication
Profibus PA Board: Adds Profibus PA communication
Relay Option Board: Adds multiple monitored relay outputs. Outputs are not used for safety related purposes.
Relay Option Board - Monitor: Adds multiple monitored relay outputs. The monitor relay output is used to annunciate safe operational condition.
Arctic Option: Adds heaters and control circuits to enable operation in extremely cold conditions

The Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards is classified as a Type B device¹ according to IEC 61508, having a hardware fault tolerance of 0.

The version of the Flowserve Limitorque MXa Electronic Valve Actuator and Option Boards firmware that this IEC 61508 assessment applies to is identified as 11M05.01 associated with ECO# 23631. The main board hardware version is 0146 and the contactor board hardware version is 0068.

¹ Type B device: “Complex” component (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2.


4 IEC 61508: Functional Safety Assessment The IEC 61508: Functional Safety Assessment was performed based on the information received from Flowserve Limitorque and is documented in [D1].

4.1 Methodology The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

- Development process, including:
  - Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  - Specification process, techniques and documentation
  - Design process, techniques and documentation, including tools used
  - Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  - Verification activities and documentation
  - Modification process and documentation
  - Installation, operation, and maintenance requirements, including user documentation
- Product design
  - Hardware architecture and failure behavior, documented in a FMEDA
  - Software architecture design documentation, testing procedures, and testing results.

The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.2.

4.2 Assessment level The Flowserve Limitorque MXa Electronic Valve Actuator has been assessed per IEC 61508 to the following levels:

• Random Safety Integrity: PFDAVG and Architectural Constraints/Minimum Hardware Fault Tolerance requirements must be verified for each final element application

• Systematic Safety Integrity: SIL 3 capability

The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL3) according to IEC 61508.
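The report twice hands the random-hardware side of the claim to the application: section 1 says the FMEDA yields the failure rates from which SFF and PFDavg are calculated, and section 4.2 says PFDavg and the architectural constraints must be verified for each final element application. What follows is an added worked example of those two checks for a Type B element with HFT 0, the classification the report gives the MXa. It is not part of the exida report and uses no Flowserve FMEDA data. The SFF bands and SIL limits are those of IEC 61508-2:2010 Table 3 (Route 1H, Type B), the PFDavg bands are those of IEC 61508-1 Table 2 (low demand mode), and the PFDavg formula is the simplified single-channel approximation λDU × TI / 2, extended to credit a partial stroke test with its shorter interval; the MTTR, common cause and proof test coverage terms of IEC 61508-6 are omitted. All failure rates, intervals and the PST coverage figure are constructed illustrative values.

```python
"""IEC 61508-2 hardware checks for one Type B final element (added worked example).

Not part of the exida report and not Flowserve FMEDA data: every failure rate,
interval and coverage figure here is a constructed illustration. The lookup
tables are IEC 61508-2:2010 Table 3 (Route 1H, Type B) and IEC 61508-1 Table 2
(low demand mode); the PFDavg formula is the simplified 1oo1 approximation.
"""
from dataclasses import dataclass

FIT = 1e-9                  # one failure in 10^9 hours
HOURS_PER_YEAR = 8760.0

# IEC 61508-2:2010 Table 3, Type B: (SFF lower bound, upper bound) -> max SIL at HFT 0, 1, 2.
# 0 means the element is not allowed at that HFT. The last upper bound exceeds 1.0 so SFF == 1.0 matches.
TYPE_B_TABLE3 = (
    (0.00, 0.60, (0, 1, 2)),
    (0.60, 0.90, (1, 2, 3)),
    (0.90, 0.99, (2, 3, 4)),
    (0.99, 1.01, (3, 4, 4)),
)

# IEC 61508-1 Table 2, low demand mode: SIL -> [PFDavg lower bound, upper bound)
LOW_DEMAND_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates split the way an FMEDA reports them."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    def sff(self) -> float:
        """Safe failure fraction per IEC 61508-2:2010 (no-effect failures are not counted)."""
        safe_or_caught = self.safe_detected + self.safe_undetected + self.dangerous_detected
        return safe_or_caught / (safe_or_caught + self.dangerous_undetected)


def max_sil_architectural(sff: float, hft: int) -> int:
    """Highest SIL the Route 1H architectural constraint allows for a Type B element."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for low, high, sils in TYPE_B_TABLE3:
        if low <= sff < high:
            return sils[hft]
    raise ValueError("SFF must lie between 0 and 1")


def pfd_avg_1oo1(lambda_du: float, proof_test_h: float,
                 pst_coverage: float = 0.0, pst_interval_h: float = 0.0) -> float:
    """Simplified PFDavg of a single channel: lambda_DU * TI / 2, with partial stroke test credit.

    The fraction of dangerous-undetected failures the PST reveals is averaged over the
    shorter PST interval; the rest waits for the full proof test. MTTR, common cause
    and imperfect proof test terms (IEC 61508-6) are deliberately left out.
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("PST coverage must be a fraction in [0, 1]")
    if pst_coverage > 0.0 and pst_interval_h <= 0.0:
        raise ValueError("a PST interval is required when PST coverage is claimed")
    revealed_by_pst = pst_coverage * lambda_du
    revealed_by_proof_test = (1.0 - pst_coverage) * lambda_du
    return (revealed_by_proof_test * proof_test_h / 2.0
            + revealed_by_pst * pst_interval_h / 2.0)


def sil_from_pfd(pfd: float) -> int:
    """SIL band a low-demand PFDavg falls in; 0 if it does not even reach SIL 1."""
    for sil, (low, high) in LOW_DEMAND_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0   # below the SIL 4 floor is still SIL 4 capable


def achieved_sil(rates: FailureRates, hft: int, proof_test_h: float,
                 pst_coverage: float = 0.0, pst_interval_h: float = 0.0) -> dict:
    """Run both checks; the element is limited by whichever gives the lower SIL."""
    sff = rates.sff()
    arch_sil = max_sil_architectural(sff, hft)
    pfd = pfd_avg_1oo1(rates.dangerous_undetected, proof_test_h, pst_coverage, pst_interval_h)
    pfd_sil = sil_from_pfd(pfd)
    return {"sff": sff, "arch_sil": arch_sil, "pfd_avg": pfd,
            "pfd_sil": pfd_sil, "sil": min(arch_sil, pfd_sil)}


if __name__ == "__main__":
    # Constructed FMEDA split in FIT (SD, SU, DD, DU); illustrative only, not MXa figures.
    rates = FailureRates(0 * FIT, 300 * FIT, 600 * FIT, 150 * FIT)
    yearly = achieved_sil(rates, hft=0, proof_test_h=HOURS_PER_YEAR)
    with_pst = achieved_sil(rates, hft=0, proof_test_h=HOURS_PER_YEAR,
                            pst_coverage=0.7, pst_interval_h=HOURS_PER_YEAR / 12)
    print("annual proof test only:", yearly)
    print("plus monthly partial stroke test:", with_pst)
    print("same element at HFT 1:", achieved_sil(rates, hft=1, proof_test_h=HOURS_PER_YEAR)["sil"])
```

With the constructed figures, PFDavg for a one-year proof test lands in the SIL 3 band, yet an SFF of about 86% with HFT 0 caps a Type B element at SIL 1 under Route 1H; the same element with HFT 1 (a redundant final element) would be allowed SIL 2, and adding a monthly partial stroke test lowers PFDavg further without moving the architectural cap at all. That is why the report leaves the achieved SIL to the application instead of stating one.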


5 Results of the IEC 61508 Functional Safety Assessment

exida-certification assessed the development process used by Flowserve Limitorque during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [D1]. The Flowserve Limitorque MXa Electronic Valve Actuator was developed before this IEC 61508 SIL 3 compliant development process was established. Consequently, for the evaluation of systematic fault avoidance measures, the measures actually used and the operating experience were considered in addition to the documented artifacts, in order to identify potential systematic weaknesses in the current design. The Safety Case was updated with project specific design documents. Future modifications to the Flowserve Limitorque MXa Electronic Valve Actuator must be made per the IEC 61508 SIL 3 compliant development process.

5.1 Lifecycle Activities and Fault Avoidance Measures

Flowserve Limitorque has an IEC 61508 compliant development process, as assessed during the IEC 61508 certification. This compliant development process is documented in [D1]. Most of the Flowserve Limitorque MXa Electronic Valve Actuator functionality was developed before this IEC 61508 compliant development process was in place; consequently the original development process and artifacts were considered and evaluated as suitable for some of the systematic fault avoidance measures. Proven operational experience as documented in the proven in use report [D4] was considered as well.

This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the Electronic Valve Actuator development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observation: the audited Flowserve Limitorque development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

FSM planning: The functional safety management of any Flowserve Limitorque Safety Instrumented Systems product development is governed by Flowserve QAP 4.1 Design and Development Procedure [D3]. The gated Product Development Process used within Flowserve Limitorque consists of a stepwise process, supported by the Planview Enterprise planning tool. It requires that Flowserve Limitorque creates a System Quality Management Plan (SQMP)/Functional Safety Management Plan (FSMP) [D2] which is specific to each development project. The System Quality Management Plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management.

Version control: All documents are under version control as documented in [D1] and required by [D3]. Design drawings and documents are also under version control through the Planview Enterprise planning tool. Source code is version controlled using Visual SourceSafe and all source code files contain the required heading information.


Training, competency recording: Personnel training records are kept in accordance with IEC 61508 requirements as documented in [D1]; also see [D5]. Group managers have access to the review documents of all within their respective groups. Flowserve Limitorque hired exida-certification to be the independent assessor per IEC 61508.

5.1.2 Safety Requirements Specification and Architecture Design

As defined in [D3] and [D2], a Configuration Item Development Specification/Safety Requirements Specification (SRS) is created for all products that must meet IEC 61508 requirements. The requirements specification contains a scope and a safety requirements section. For the Flowserve Limitorque MXa Electronic Valve Actuator, the Configuration Item Development Specification [D9] has been reviewed using a detailed checklist, see [D2] and [D8]. Existing product specifications [D10] were used as input. More detailed specifications were developed to document the Configuration Item Design Description (derived requirements) and the Computer Software Configuration Item (software requirements), see [D21] and [D22] respectively. During the assessment, exida-certification reviewed the content of the specification for completeness per the requirements of IEC 61508.

Requirements are tracked throughout the development process by the creation of derived requirements documented in the Configuration Item Design Description [D21] and Computer Software Configuration Item [D22]. Derived requirements map the requirements to the design. All requirements are mapped to appropriate validation tests in the validation test plan. The relation between requirements, tests, etc. is documented in the System Qualification Test Description [D39]. For the Flowserve Limitorque MXa Electronic Valve Actuator, specific validation tests were included in the System Quality Management Plan [D2] given its development prior to the establishment of an IEC 61508 compliant development process [D4].

Requirements from IEC 61508-2, Table B.1 that have been met by Flowserve Limitorque include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D12] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.1.3 Hardware Design

Hardware design, including both electrical and mechanical design, is done according to [D3] and [D2]. The hardware design process includes component selection, detailed drawings and schematics, interface descriptions in an Interface Control Document [D7], safety case documents for agency justification, a Failure Modes, Effects and Diagnostic Analysis (FMEDA) [D13], prototype design review, the creation of prototypes, and hardware verification tests.

Requirements from IEC 61508-2, Table B.2 that have been met by Flowserve Limitorque include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification. This is also documented in [D12]. This meets the requirements of SIL 3.


5.1.4 Software (Firmware) Design

Software (firmware) design is done according to [D3], [D2], and [D28]. The software design process includes creation of a derived requirements document [D11], architecture design [D19] and [D20] and its review, detailed module design, design and critical code reviews, and static source code analysis [D25] and [D26] based on the coding standard [D28].

Requirements from IEC 61508-3, Table A.1 through A.5 that have been met by Flowserve Limitorque include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification, selection of suitable programming language, use of a defined subset of the language, and others. This is also documented in [D12]. This meets the requirements of SIL 3.

5.1.5 Validation

Validation testing is done via a set of documented tests (see [D2]). The validation tests are traceable to the Safety Requirements Specification [D9] in the System Qualification Test Description [D39]. In addition to standard Test Specification Documents, third party testing may be included as part of agency approvals. As the MXa Electronic Valve Actuator consists of simple electrical devices with a straightforward safety function, integration testing has been limited to verifying that all diagnostics take the appropriate action when they find a problem (see [D2] and [D14] through [D18] for more details on this testing).

Procedures are in place for corrective actions to be taken when tests fail, as documented in [D1], [D2], and [D6].

Requirements from IEC 61508-2, Table B.3 that have been met by Flowserve Limitorque include functional testing, project management, documentation, and black-box testing as well as field experience and statistical testing via regression testing. [D12] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

Requirements from IEC 61508-2, Table B.5 that have been met by Flowserve Limitorque include functional testing, functional testing under environmental conditions, interference immunity testing, surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, failure analysis, expanded functional testing and black-box testing; see [D30], [D31], [D32], [D33] and [D34] for environmental testing. [D12] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.1.6 Verification

The development and verification activities are defined in [D2]. Verification activities include the following: Fault Injection Testing [D14] through [D18], code review, FMEDA [D13] and module testing. Further verification activities are documented in [D3] (for new product development projects) and [D2]. Checklists are used as part of each development process and ensure completeness of the development deliverables, see [D23], [D24], [D27] and also [D2]. This meets the requirements of IEC 61508 SIL 3.


5.1.7 Modifications

Modifications are done per the Flowserve Limitorque IEC 61508 SIL 3 compliant development process as documented in [D1], [D2], [D3], and [D6]. Impact analyses are performed once the product is released for integration testing, per the impact analysis template [D35]. Customer concerns and customer notifications are governed by [D36], [D37], and [D38]. Any customer complaints are handled through the ECO process [D6]. Past failure history is input to any new development to ensure appropriate feedback to the development team. This meets the requirements of IEC 61508 SIL 3.

5.1.8 User documentation

Flowserve Limitorque created a safety manual for the MXa Electronic Valve Actuator [D29] which addresses all Safety Manual requirements, see [D23]. This safety manual was assessed by exida-certification. The final version is considered to be in compliance with the requirements of IEC 61508. The document includes all required reliability data and operation, maintenance, and proof test procedures. In addition to the safety manual a reference brochure exists, see [D10].

Requirements from IEC 61508-2, Table B.4 that have been met by Flowserve Limitorque include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes, and operation only by skilled operators. [D12] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.

5.2 Hardware Assessment

To evaluate the hardware design of the MXa Electronic Valve Actuator, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida consulting for each component in the system. This is documented in [D13]. The FMEDA was verified using Fault Injection Testing [D14], [D15], [D16], [D17], and [D18], both as part of the development and as part of the IEC 61508 assessment.

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. Tables 3 to 5 list these failure rates as reported in the FMEDA report for each of the MXa Electronic Valve Actuator options. The failure rates are valid for the useful life of the devices. The failure rates for any deployed option board are added to those for the base actuator.


Table 3 Failure rates according to IEC 61508:2010, MXa Electronic Valve Actuator for ESD Valve Open/Close Applications

Device                                                    λSD       λSU (2)   λDD        λDU       SFF (3)
MXa Electronic Valve Actuator, no Partial Stroke Test     404 FIT   185 FIT   1920 FIT   974 FIT   -
MXa Electronic Valve Actuator, with Partial Stroke Test   461 FIT   185 FIT   2510 FIT   388 FIT   -

Table 4 Failure rates according to IEC 61508:2010, MXa Electronic Valve Actuator for Stayput Applications

Device                                                    λD
MXa Electronic Valve Actuator, Continuous Demand Mode     392 FIT

(2) It is important to realize that Annunciation Undetected and Residual failures are no longer included in the Safe Undetected failure category, and Annunciation Detected failures are included in the Safe Detected category, according to IEC 61508 2nd edition. Note that these failures on their own will not affect system reliability or safety, and should not be included in spurious trip calculations.

(3) Safe Failure Fraction needs to be calculated at (sub)system level.


Table 5 Failure rates according to IEC 61508:2010, MXa Electronic Valve Actuator Option Boards, in FIT

Device                                         λSD   λSU   λDD   λDU   SFF
Backup Power Board – ESD Mode                  0     0     3     0     -
UPS Power Board – ESD Mode                     0     0     5     0     -
Analog Option Board – ESD Mode                 0     0     62    0     -
DeviceNet Board – ESD Mode                     0     0     14    0     -
Foundation Fieldbus Board – ESD Mode           0     0     57    0     -
MODBus Board – ESD Mode                        0     0     12    0     -
ProfiBus DP Board – ESD Mode                   0     0     19    0     -
Profibus PA Board – ESD Mode                   0     0     57    0     -
Relay Option Board – NI – ESD Mode             0     0     17    0     -
Relay Option Board – Monitor – ESD Mode        90    2     141   2     -
Arctic Option – ESD Mode                       0     0     0     6     -
Backup Power Board – Stayput Mode              3     0     0     0     -
UPS Power Board – Stayput Mode                 5     0     0     0     -
Analog Option Board – Stayput Mode             53    9     0     (one value not legible in the source)   -
DeviceNet Board – Stayput Mode                 9     0     6     0     -
Foundation Fieldbus Board – Stayput Mode       47    0     10    0     -
MODBus Board – Stayput Mode                    7     0     6     0     -
ProfiBus DP Board – Stayput Mode               11    0     8     0     -
Profibus PA Board – Stayput Mode               47    0     10    0     -
Relay Option Board – NI – Stayput Mode         11    0     6     0     -
Relay Option Board – Monitor – Stayput Mode    112   2     119   2     -
Arctic Option – Stayput Mode                   0     9     0     0     -

For low demand SIL 2 applications the PFDavg value of the entire Safety Instrumented Function needs to be ≥ 10^-3 and < 10^-2. The FMEDA report [D13] lists the percentage of this budget that the MXa Electronic Valve Actuator uses for different mission times. Considering a 1 year proof test interval and a 15 year mission time, the Electronic Valve Actuator with partial stroke testing uses a percentage of the PFDavg budget that allows use in SIL 2 applications. Without partial stroke testing the Electronic Valve Actuator uses over 50% of the PFDavg budget, which still allows use in SIL 2 applications but leaves little room for the rest of the SIF's components.

For high/continuous demand SIL 2 applications the PFH value of the entire Safety Instrumented Function needs to be ≥ 10^-7 and < 10^-6. The Electronic Valve Actuator uses 39.2% of the PFH budget, which allows use in SIL 2 applications.

These results must be considered in combination with the PFDavg/PFH of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDavg/PFH for each defined safety instrumented function (SIF) to verify the design of that SIF. For low demand applications the architectural constraints requirements, IEC 61508-2, Table 2, also need to be evaluated for each final element application. The architectural constraint type for the MXa Electronic Valve Actuator is B. The hardware fault tolerance of the device is 0.

The analysis shows that the design of the Flowserve Limitorque MXa Electronic Valve Actuator meets the hardware requirements of IEC 61508 SIL 2, single use (HFT = 0), and SIL 3, redundant use (HFT = 1).
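As an added worked example (not part of the exida report or of Flowserve's documentation), the following Python script applies the rules stated in this section: option-board failure rates are summed with those of the base actuator, the Safe Failure Fraction is derived from the four failure categories of the combined subsystem, and the PFDavg or PFH of a single (1oo1) element is compared with the SIL target bands of IEC 61508-1. The failure rates are those transcribed from Tables 3 to 5. The PFDavg formula is the textbook 1oo1 approximation λDU × TI / 2; that formula is an assumption of this example and omits the mission-time and repair terms of the FMEDA report [D13], so its budget percentages are not the report's. The PFH check, which for a 1oo1 element is simply λD, reproduces the 39.2% figure above.

```python
"""Subsystem failure-rate arithmetic for an IEC 61508 final element (added example)."""
from dataclasses import dataclass

FIT = 1e-9              # 1 FIT = 1e-9 failures per hour
HOURS_PER_YEAR = 8760

# SIL target bands, IEC 61508-1 Tables 2 (PFDavg) and 3 (PFH):
# (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS_PFD = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
SIL_BANDS_PFH = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


@dataclass(frozen=True)
class Rates:
    """Failure rates in FIT, split into the four IEC 61508 categories."""
    sd: float   # safe detected
    su: float   # safe undetected
    dd: float   # dangerous detected
    du: float   # dangerous undetected

    def __add__(self, other: "Rates") -> "Rates":
        # Elements in series: category by category the rates simply add,
        # which is how the report combines option boards with the actuator.
        return Rates(self.sd + other.sd, self.su + other.su,
                     self.dd + other.dd, self.du + other.du)

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        """Safe Failure Fraction: every failure that is safe or detected."""
        return (self.sd + self.su + self.dd) / self.total


# Rates transcribed from Table 3 (actuator, ESD mode) and Table 5 (one option
# board, ESD mode); Table 4 gives the Stayput-mode dangerous rate as one number.
MXA_NO_PST = Rates(sd=404, su=185, dd=1920, du=974)
MXA_WITH_PST = Rates(sd=461, su=185, dd=2510, du=388)
RELAY_MONITOR_BOARD_ESD = Rates(sd=90, su=2, dd=141, du=2)
MXA_STAYPUT_LAMBDA_D_FIT = 392


def pfd_avg_1oo1(lambda_du_fit: float, proof_test_interval_years: float) -> float:
    """Textbook 1oo1 approximation PFDavg ~= lambda_DU * TI / 2.

    Assumption of this example: the FMEDA report's formula also carries
    mission-time and repair terms, so its budget figures differ from these.
    """
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return lambda_du_fit * FIT * ti_hours / 2


def pfh_1oo1(lambda_d_fit: float) -> float:
    """For a single (1oo1) element in high/continuous demand, PFH = lambda_D."""
    return lambda_d_fit * FIT


def sil_band(value: float, bands) -> int:
    """SIL whose target band contains value; 0 if worse than SIL 1."""
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return 4 if value < bands[0][1] else 0


def budget_fraction(value: float, target_sil: int, bands) -> float:
    """Share of the target SIL's upper limit consumed by this element alone."""
    upper = {sil: high for sil, _, high in bands}[target_sil]
    return value / upper


if __name__ == "__main__":
    for label, actuator in (("no PST", MXA_NO_PST), ("with PST", MXA_WITH_PST)):
        subsystem = actuator + RELAY_MONITOR_BOARD_ESD
        pfd = pfd_avg_1oo1(actuator.du, proof_test_interval_years=1)
        print(f"{label}: SFF actuator {actuator.sff:.1%}, "
              f"actuator + relay monitor board {subsystem.sff:.1%}")
        print(f"  PFDavg(1oo1, TI = 1 y) = {pfd:.2e}: SIL {sil_band(pfd, SIL_BANDS_PFD)} "
              f"band, {budget_fraction(pfd, 2, SIL_BANDS_PFD):.1%} of the SIL 2 budget")
    pfh = pfh_1oo1(MXA_STAYPUT_LAMBDA_D_FIT)
    print(f"Stayput: PFH = {pfh:.2e}: SIL {sil_band(pfh, SIL_BANDS_PFH)} band, "
          f"{budget_fraction(pfh, 2, SIL_BANDS_PFH):.1%} of the SIL 2 budget")
```

Two caveats follow directly from the report. Footnote 3 to Table 3 says SFF must be calculated at (sub)system level, so the SFF the script prints covers only the actuator and board and still has to absorb the valve and any other final element parts before the architectural constraints of IEC 61508-2 are checked. And the PFDavg or PFH of the actuator is only one element's share: the same band check must be run on the sum over sensor, logic solver and final element of the whole SIF, as the section above requires.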


6 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT: Failure In Time (1×10^-9 failures per hour)

FMEDA: Failure Mode Effect and Diagnostic Analysis

HFT: Hardware Fault Tolerance

Low demand mode: Mode where the frequency of demands for operation made on a safety-related system is no greater than twice the proof test frequency

PFDavg: Average Probability of Failure on Demand

PFH: Probability of dangerous Failure per Hour

PVST: Partial Valve Stroke Testing. It is assumed that the Partial Stroke Testing, when performed, is performed at least an order of magnitude more frequently than the proof test; therefore the test can be treated as an automatic diagnostic. Because of the automatic diagnostic assumption the Partial Stroke Testing also has an impact on the Safe Failure Fraction.

SFF: Safe Failure Fraction, summarizing the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action

SIF: Safety Instrumented Function

SIL: Safety Integrity Level

SIS: Safety Instrumented System, the implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A (sub)system: "Non-Complex" (sub)system (using discrete elements); for details see 7.4.3.1.2 of IEC 61508-2

Type B (sub)system: "Complex" (sub)system (using microcontrollers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2


7 Status of the document

7.1 Liability

exida prepares reports based on methods advocated in international standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V3  Revision: R1

Version History:
V3, R1: Added Arctic Option and Profibus PA Board; R. Chalupa, September 11, 2013
V2, R2: Updated per internal review; R. Chalupa, June 27, 2013
V2, R1: Updated per IEC 61508 2nd edition; added option boards; R. Chalupa, June 25, 2013
V1, R1: First Release; January 13, 2013
V0, R1: Internal Draft; December 08, 2011

Authors: Iwan van Beurden
Review: V2, R1: Griff Francis, exida, June 26, 2013; V0, R1: Chris O'Brien
Release status: First Release

7.3 Future Enhancements At request of client.

7.4 Release Signatures

Iwan van Beurden, CFSE, Director of Engineering

Chris O’Brien, CFSE, Partner