The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

exida®

IEC 61508 Functional Safety Assessment

Project:

SSX/SST Isolator/Splitter

Customer:

Moore Industries - International North Hills, CA 91343‐6196

USA

Contract Number: Q12/11-027

Report No.: MII12-11-027 R002

Version V1, Revision R2, August 6, 2013

Dave Butler

© exida MII 12-11-027 R002 V1 R2 Assessment Report.docx, August 6, 2013

T-034 V2R1 www.exida.com Page 2 of 16

Management Summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the SSX/SST Isolator/Splitter.

The functional safety assessment performed by exida consisted of the following activities:

- exida assessed the development process used by Moore Industries - International through an audit and creation of a detailed safety case against the requirements of IEC 61508.

- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed field failure data to ensure that the FMEDA analysis was complete.

- exida reviewed the manufacturing quality system in use at MII.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseWB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was reviewed.

Some areas of improvement were identified in the design process, and the design procedures were upgraded during the project. However, because of the low complexity of the products and the proven in use design, MII was able to demonstrate that the objectives of the standard have been met.

The results of the Functional Safety Assessment can be summarized by the following statements:

- The MII SSX/SST Isolator/Splitter was found to meet the requirements of SIL 3 (SIL 3 Capable).

- The PFDAVG and Architectural Constraint requirements of the standard must be verified for each element of a Safety Function.

- The manufacturer is entitled to use the exida Functional Safety logos.


Table of Contents

Management Summary ................................................................................................... 2

1 Purpose and Scope ................................................................................................... 4

2 Project management .................................................................................................. 5

2.1 exida ............................................................................................................................ 5

2.2 Roles of the parties involved ........................................................................................ 5

2.3 Standards / Literature used .......................................................................................... 5

2.4 Reference documents .................................................................................................. 5

2.4.1 Documentation provided by Moore Industries - International ............................. 5

2.4.2 Documentation generated by exida ................................................................... 8

3 Product Descriptions .................................................................................................. 9

4 IEC 61508 Functional Safety Assessment ............................................................... 10

4.1 Methodology .............................................................................................................. 10

4.2 Assessment level ....................................................................................................... 10

4.3 Product Modifications ................................................................................................. 11

5 Results of the IEC 61508 Functional Safety Assessment ........................................ 12

5.1 Lifecycle Activities and Fault Avoidance Measures .................................................... 12

5.1.1 Functional Safety Management ....................................................................... 12

5.1.2 Safety Requirements Specification and Architecture Design ............................ 13

5.1.3 Hardware Design ............................................................................................. 13

5.1.4 Validation ......................................................................................................... 13

5.1.5 Verification ....................................................................................................... 13

5.1.6 Proven In Use .................................................................................................. 13

5.1.7 Modifications ................................................................................................... 13

5.1.8 User documentation......................................................................................... 14

5.2 Hardware Assessment ............................................................................................... 14

6 Terms and Definitions .............................................................................................. 15

7 Status of the Document ........................................................................................... 16

7.1 Liability ....................................................................................................................... 16

7.2 Releases .................................................................................................................... 16

7.3 Future Enhancements ................................................................................................ 16

7.4 Release Signatures .................................................................................................... 16


1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the Moore Industries - International SSX/SST Isolator/Splitter performed by exida according to the requirements of IEC 61508: ed2, 2010.

The results of this assessment provide the safety instrumentation engineer with the failure data required by IEC 61508 / IEC 61511, and with confidence that sufficient attention has been given to systematic failures during the development process of the device.


2 Project management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Moore Industries - International: Manufacturer of the SSX/SST Isolator/Splitter

exida: Performed the hardware assessment

exida: Performed the IEC 61508 Functional Safety Assessment

MII contracted exida for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

Doc ID Document Description

[N1] IEC 61508 (Parts 1 - 7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Moore Industries - International

Doc ID Document Type Required Document Supplied

D001 Quality Manual QMS Manual ISO 9001-2008 Rev 10.pdf

D003a Overall Development Process Dev 0100Rev3 DEVELOPMENT PROCESS.pdf

D003b Overall Development Process Dev 0200Rev3 Product Development - Design Validation.pdf

D004a Configuration Management Process Using CM Library Work Instruction.doc

D004b Configuration Management Process QCP_0100 Standard Inspection.pdf

D005 Hazardous Events Procedure SER_0200 Product Service.pdf

D006 Manufacturer Qualification Procedure PUR_0200 Supplier Assessment.pdf


D007 Part Qualification Procedure ENG_0400Rev1 Spec Part Numbers.pdf

D008 Verification of purchased parts/products QCP_0200 Incoming Inspection.pdf

D009a QMS Documentation Change Procedure Change Control Process, V1.0.doc

D009b QMS Documentation Change Procedure MQA_1000 QMS Document Management.pdf

D010 Control of Design Records DOC_0100 Controlled Document Coordination.pdf

D011 Non-Conformance Reporting procedure MQA_0100 CARE Customer Complaints.pdf

D012a Corrective Action Procedure ENG_0900 RER Request for Engineering Review.pdf

D012b Corrective Action Procedure MQA_0700 Deficiency Action Notice.pdf

D012c Corrective Action Procedure ENG_0700 ECO Engineering Change Order.pdf

D012d Corrective Action Procedure MQA_0100 CARE Customer Complaints.pdf

D015 MOM / Action Item List Tracking Procedure Formal Review Process.doc

D017 Test Equipment Calibration Procedure QCP_0500 Measuring and Test Equipment Calibration.pdf

D018 Customer Notification Procedure MQA_0300 Product Recall.pdf

D019 Field Return Procedure SER_0200 Product Service.pdf

D022a Modification Procedure ENG_0700 ECO Engineering Change Order.pdf

D022b Modification Procedure Change Control Process, V1.0.doc

D023 Design Change Impact Analysis Procedure Change Control Process, V1.0.doc

D026 FSM Plan or Development Plan SSXSST-PDP-00A1 (SST & SSX Product Development Plan).doc

D032a Job Descriptions and Competency Levels ADM_0300 Human Resources Job Descriptions.pdf

D032b Job Descriptions and Competency Levels DEV_1800 Functional Safety Competency Guidelines.pdf

D033 Training Record XXX XXXXXX Functional Safety Competence Assessment (new).doc

D035 IEC 61508 Training Record XXX XXXXXX Functional Safety Competence Assessment (new).doc

D038 List of Design Tools SSXSST-PDP-00A1 (SST & SSX Product Development Plan).doc

D040 Safety Requirements Specification SSXSST-REQ-00 (System Requirements) Rev BL4.pdf

D041 Safety Requirements Review SSX SST 20110606 System Requirements Comments.xls

D045 System Architecture Design Specification SSXSST-DAD-00A (Design Approach Document).doc

D047 Schematics / Circuit Diagrams 206-492-00PD4 (SSX Schematics).pdf

D052 Design Review Record SSX 20121012 Round 2 Prototype Review (on list).txt

D052b Design Review Record SST-SPL 20121012 Round 1 Prototype Fixed.txt

D053 Verification Results SSXSST-QAVNV-00A (SSXSST QA Safety Lifecycle Phase Audit) (signed).pdf

D054 FMEDA Report 700-702-36A1 (SST_SSX FMEDA REPORT).pdf

D054a01 FMEDA Analysis Data SSX-FMEDA-01PD1 (SSX_4-20mA_4-20MA_12-42DC).xls

D055 Requirements Traceability Matrix SSXSST-VNV-00 (SSXSST V&V Plan) Rev BL4.pdf

D058 Fault Injection Test Plan SSXSST-FIT-00 (SSXSST Fault Insertion Test Specification) Rev BL2.pdf

D068a Validation Test Plan SSXSST-HTS-00 (SSXSST HW Test Specification Rev BL4).pdf

D068b Validation Test Plan SSXSST-VNV-00 (SSXSST V&V Plan) Rev BL4.pdf

D069 Validation Test Plan Review Record SSXSST-VNV-00 (SSXSST V&V Plan) Rev PD1 (Tl comments).pdf

D071 EMC Test Plan SSXSST-HTS-00 (SSXSST HW Test Specification Rev BL3).pdf

D072 Name of Problem Report Tracking System ENG_0900 RER Request for Engineering Review.pdf

D073 Validation Test Results SSX-ISO 20120824 HW Test Results-(SSXSST-HTS-00 rev BL1a).doc

D073b Validation Test Results SST-ISO 4W Hardware Test Results.doc

D073c Validation Test Data SSXSST-HTD-00BL4 (SSX Hardware Test Data).doc

D075 EMC Test Results SSX-ISO 20120824 HW Test Results-(SSXSST-HTS-00 rev BL1a).doc

D076 Fault Injection Test Results SSXSST-FIT-01 (SSX FALUT Test Results).xlsx

D076b Fault Injection Test Results SSXSST-FIT-02 (SST FALUT Test Results).xlsx

D076c Fault Injection Test Results SSXSST-FIT-03 (SST-SPL FALUT Test Results).xlsx

D077 Operation / Maintenance Manual 206-792-00B August 2013

D078 Safety Manual 206-792-00B August 2013

D079 Safety Manual Review Record SSX_SST_um review 11-02-12_11-31 (Jd comments).pdf

D084 Safety Case Checklist Safety Case WB spreadsheet

D085 Change Request Record SSXSST CR2322 for SysReq-928 (Accuracy of less than 2%)+TL.doc


D085b Change Request Record SSXSST CR2495 for SysReq-2478 (Humidity).docx

D085c Change Request Record RER 209.doc

2.4.2 Documentation generated by exida

Doc ID Document Description

[R1] Moore Industries SSXSST Final Safety Case.xlsm: IEC 61508 SafetyCaseWB for SSX/SST

[R2] MII 12-11-027 R002 V1 R2 Assessment Report.docx, July 30, 2013: IEC 61508 Functional Safety Assessment, Moore Industries - International SSX/SST (this report)


3 Product Descriptions

The SSX/SST Isolator/Splitter is a series of Type A hardware devices which serve to isolate and/or split electrical signals.

The 2-wire SSX Isolator is powered by the loop. The 4-wire SST is powered by an external supply (AC or DC). Both the SSX and the SST are meant to isolate power, while passing through signals from input to output. The SST can also function as a signal converter or a signal splitter. Configurations accommodate a single input with one or two accurate outputs.

The SSX and the SST are part of the Moore Industries' Functional Safety Series products, developed following IEC 61508:2010 and certified up to SIL 3 systematic capability. The SSX and SST product family are compact, DIN-rail-mounted "loop add-ons". They can be used to break the common electrical (galvanic) path between a HART transmitter and one or more receiving devices in a process instrumentation loop. The SST and the SSX:

- Safeguard I/O cards from surges, spikes and transients. Adding the 1500 Vrms isolating capability of an SSX or SST Isolator to a loop breaks the common (galvanic) path that can pass dangerous overloads from DCS to HART transmitter to PLC and vice versa. This hazard is common, even when a transmitter and DCS are supposedly "isolated" already.

- "Isolate" areas of an application. Ease maintenance complications by using the 4-wire SST to maintain secondary loop integrity while the primary HART master is down for maintenance.

- Facilitate the "sharing" of one (or two, for the splitter) HART outputs, safely, with a secondary control or recording device.

- Eliminate "bucking" power supply problems. Whenever more than one 4-wire device provides signal to the loop, each power source (typically grounded at a differing potential) vies for control. This can cause both HART and analog signals to fluctuate, adversely affecting loop reliability and accuracy.

The SSX/SST can be ordered to accept 4-20 mA or 1-5 V. Current-input models accept the HART standard, 4-20 mA with digital data superimposed (HART is not available on voltage-input models). Both isolators and the splitter "pass" the conditioned signal, including the analog 4-20 mA, through from transmitter to receiver and from receiver back to transmitter. This "signal passing" is operationally transparent to devices on either end of the loop.

The safety function of the device is to transfer the input (measured) signal to the output(s) accurately and within a maximum response time. The safety accuracy is 3% of span, and the maximum safety response time is less than 100 ms. The HART signal, if present, is not part of the safety function.

The devices have no diagnostic capability.


4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Moore Industries - International and is documented in this report.

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

- Development process, including:

o Functional Safety Management, including training and competence recording, FSM planning, and configuration management

o Specification process, techniques and documentation

o Design process, techniques and documentation, including tools used

o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation

o Verification activities and documentation

o Modification process and documentation

o Installation, operation, and maintenance requirements, including user documentation

- Product design

o Hardware architecture and failure behavior, documented in a FMEDA Report

The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.2.

4.2 Assessment level

The SSX/SST Isolator/Splitter has been assessed per IEC 61508 to the following levels:

Systematic Safety Integrity: SIL 3 capable

Random Safety Integrity: PFDAVG and Architectural Constraints must be verified for each application.

The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.


4.3 Product Modifications

Moore Industries - International may make modifications to this product as needed. Modifications shall be classified into two types:

Type 1 Modification: Changes requiring re-certification, which include the re-design of safety functions or safety integrity functions.

Type 2 Modification: Changes allowed to be made by Moore Industries - International provided that:

- A competent person from Moore Industries - International, appointed and agreed with exida, judges and approves the modifications.

- The modification documentation listed below is submitted, prior to a renewal of the certification, to exida for review of the decisions made by the competent person in respect to the modifications made:

o List of all anomalies reported

o List of all modifications completed

o Safety impact analysis, which shall indicate with respect to the modification:

   - The initiating problem (e.g. results of root cause analysis)

   - The effect on the product / system

   - The elements/components that are subject to the modification

   - The extent of any re-testing

o List of modified documentation

o Regression test plans


5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Moore Industries - International for these products against the objectives of IEC 61508 parts 1, 2, and 3. The assessment was performed against the requirements applicable to an IEC 61508 SIL 3 development.

5.1 Lifecycle Activities and Fault Avoidance Measures

Moore Industries - International has an IEC 61508 compliant development process, as assessed during the IEC 61508 certification. This development process is documented in [D001].

This functional safety assessment investigated the compliance, with IEC 61508, of the processes, procedures and techniques as implemented for the product development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The defined product lifecycle process was modified as a result of the audit which showed some areas for improvement. However, given the simple nature of the safety function and the extensive proven field experience for existing products, Moore Industries - International was able to demonstrate that the objectives of the standard have been met. The result of the assessment can be summarized by the following observations:

The audited Moore Industries - International design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

FSM Planning

Moore Industries - International has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in section 7 of their Quality Management System Manual [D001], and in greater detail in other procedures [D003a and D003b]. Templates and sample documents were reviewed and found to be sufficient. The modification process is covered by the ECO and Change Control Process [D022a and D022b]. This process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product of low complexity and well defined safety functionality.

Version Control

DOC_0100 [D010] requires that all documents be under document control. Use of this procedure to control revisions was evident during the audit.

Training, Competency recording

ADM_0300 and DEV_1800 [D032a and D032b] require the Human Resources department to maintain training records of education, experience, training and qualifications for all personnel. Department heads are responsible for identifying and providing the training needs for their department as well as proficiency evaluations. The procedures and records were examined and found up-to-date and sufficient [D033 & D035]. MII hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.


5.1.2 Safety Requirements Specification and Architecture Design

For the SSX/SST, the simple primary functionality (transmitting the measurement signal, splitting the signal, isolating the power supplies, and passing HART signals) largely coincides with the safety functionality of the product; HART pass-through itself is outside the safety function (see section 3). As the SSX/SST Isolator/Splitter designs are simple and based upon standard designs with extensive field history, no semi-formal methods are needed, although block diagrams are provided in the architecture design documentation [D045]. General design and testing methodology is documented and required as part of the design process. This meets SIL 3.

5.1.3 Hardware Design

The design process is documented in Section 7.3 of [D001]. Items from IEC 61508-2, Table B.2 that are applied include observance of guidelines and standards, project management, documentation (design outputs are documented per quality procedures), structured design, modularization, use of well-tried components / materials, and computer-aided design tools. This meets SIL 3.

5.1.4 Validation

Validation testing is documented in [D068a-b] and [D073, D073b-c]. The test plan includes testing of all safety requirements. As the SSX/SST are purely electrical devices with a simple safety function, no separate integration testing is necessary. Each SSX/SST Isolator/Splitter device performs only one Safety Function, which is extensively tested under various conditions during validation testing.

Items from IEC 61508-2, Table B.3 that are applied include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3.

Items from IEC 61508-2, Table B.5 that are applied include functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis of products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.

5.1.5 Verification

The development and verification activities are defined in sections 7.3.5 and 7.3.6 of [D003a]. For each design phase the objectives are stated, required input and output documents and review activities. [D053] is a verification checklist which shows that verification has been carried out appropriately. This meets SIL 3.

5.1.6 Proven In Use

No proven in use analysis was carried out for the SSX/SST; the SIL 3 capability claim therefore rests on the assessed development process rather than on a proven-in-use argument.

5.1.7 Modifications

Modifications are initiated per a combination of the procedures defined in [D012a-d], including the Engineering Change Order (ECO) procedure [D012c]. All changes are first reviewed and analyzed for impact before being approved. Measures to verify and validate the change are developed following the normal design process. This meets SIL 3.


5.1.8 User documentation

Moore Industries - International creates the following user documentation: product catalogs and a Safety Manual. The Safety Manual was found to contain all of the required information given the simplicity of the products. The Safety Manual references the FMEDA reports which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information.

Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation and limited operation possibilities (SSX/SST perform well-defined actions). This meets SIL 3.

5.2 Hardware Assessment

To evaluate the hardware design of the SSX/SST Isolator/Splitter, Failure Modes, Effects, and Diagnostic Analyses (FMEDA) were performed by Moore Industries - International and reviewed by exida. These are documented in [D054].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) extends the FMEA: it combines standard FMEA techniques with the identification of on-line diagnostic techniques and of the failure modes relevant to safety instrumented system design, so that each component failure can be classified as safe or dangerous and as detected or undetected.

From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [D054]. Tables in the FMEDA report list these failure rates for the various configurations of the SSX/SST. The failure rates listed are valid for the useful life of the devices.

These results must be considered in combination with the PFDAVG values of the other devices in a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each defined SIF to verify the design of that SIF.
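The per-element check that the Management Summary, section 4.2 and the paragraph above call for reduces to three numbers the application engineer derives from the FMEDA failure-rate categories and the chosen proof test interval: the Safe Failure Fraction, the element's PFDAVG, and the SIL cap imposed by the architectural constraint for a Type A element. The Python below is an added example written for this page; it is not code from exida or Moore Industries, and the failure rates it uses are constructed for illustration, not taken from the FMEDA report [D054]. It assumes a single 1oo1 element with HFT 0 and no diagnostics (as section 3 describes), the simplified IEC 61508-6 Annex B formula for PFDAVG, and a mean repair time equal to MTTR.

```python
"""Added example: SFF, 1oo1 PFDavg and the Type A architectural constraint.

Not from the exida report or Moore Industries. The failure rates defined
at the bottom are CONSTRUCTED for illustration, not the SSX/SST FMEDA values.
"""
from dataclasses import dataclass

FIT = 1e-9                  # one Failure In Time = 1e-9 failures per hour
HOURS_PER_YEAR = 8760
SYSTEMATIC_CAPABILITY = 3   # "SIL 3 capable" per the assessment; caps the achievable SIL


@dataclass(frozen=True)
class Fmeda:
    """Failure rates per IEC 61508 category, in failures per hour."""
    lambda_sd: float   # safe, detected
    lambda_su: float   # safe, undetected
    lambda_dd: float   # dangerous, detected by on-line diagnostics
    lambda_du: float   # dangerous, undetected (only revealed by a proof test)

    @property
    def lambda_total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def safe_failure_fraction(f: Fmeda) -> float:
    """SFF = (lSD + lSU + lDD) / (lSD + lSU + lDD + lDU), IEC 61508-2 Annex C."""
    return (f.lambda_sd + f.lambda_su + f.lambda_dd) / f.lambda_total


def pfd_avg_1oo1(f: Fmeda, proof_test_interval_h: float, mttr_h: float = 0.0) -> float:
    """Simplified IEC 61508-6 Annex B formula for a single 1oo1 element:
        PFDavg = lDU * (T1/2 + MTTR) + lDD * MTTR
    For a device with no diagnostics (lDD = 0) this collapses to lDU * T1/2.
    Assumes mean repair time equals MTTR (an assumption of this example)."""
    return f.lambda_du * (proof_test_interval_h / 2 + mttr_h) + f.lambda_dd * mttr_h


def sil_from_type_a_constraint(sff: float, hft: int) -> int:
    """Maximum SIL permitted by the architectural constraint for a Type A
    element (IEC 61508-2:2010, Table 2, Route 1H). Each additional unit of
    hardware fault tolerance raises the permitted SIL by one, capped at 4."""
    if sff < 0.60:
        base = 1
    elif sff < 0.90:
        base = 2
    elif sff < 0.99:
        base = 3
    else:
        base = 4
    return min(base + hft, 4)


def sil_from_pfd_avg(pfd: float) -> int:
    """SIL band for low demand mode (IEC 61508-1:2010, Table 2).
    Returns 0 when PFDavg >= 1e-1, i.e. the element does not reach SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def element_sil_capability(f: Fmeda, proof_test_interval_h: float) -> dict:
    """The per-element check: the SIL an element can support in a SIF is the
    lowest of (a) its PFDavg band, (b) the architectural constraint at HFT 0,
    and (c) the systematic capability established by the assessment. The
    element's PFDavg must still be summed with those of the other SIF elements."""
    sff = safe_failure_fraction(f)
    pfd = pfd_avg_1oo1(f, proof_test_interval_h)
    sil = min(sil_from_pfd_avg(pfd),
              sil_from_type_a_constraint(sff, hft=0),
              SYSTEMATIC_CAPABILITY)
    return {"sff": sff, "pfd_avg": pfd, "sil": sil}


# CONSTRUCTED failure rates for illustration only (not the SSX/SST FMEDA values).
ISOLATOR_A = Fmeda(lambda_sd=0.0, lambda_su=120 * FIT, lambda_dd=0.0, lambda_du=30 * FIT)
ISOLATOR_B = Fmeda(lambda_sd=0.0, lambda_su=285 * FIT, lambda_dd=0.0, lambda_du=15 * FIT)

if __name__ == "__main__":
    for name, dev in (("A", ISOLATOR_A), ("B", ISOLATOR_B)):
        r = element_sil_capability(dev, proof_test_interval_h=HOURS_PER_YEAR)
        print(f"device {name}: SFF={r['sff']:.1%} PFDavg={r['pfd_avg']:.2e} -> SIL {r['sil']}")
```

The constructed device A illustrates the caveat the report makes: with a one-year proof test its PFDAVG falls in the SIL 3 band, but an SFF of 80% at HFT 0 limits a Type A element to SIL 2 under the architectural constraint, so the "SIL 3 capable" systematic rating alone does not make the loop SIL 3. Device B, with 95% SFF, satisfies all three limits at SIL 3.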


6 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT: Failure In Time (1 x 10^-9 failures per hour)

FMEDA: Failure Mode Effect and Diagnostic Analysis

HFT: Hardware Fault Tolerance

Low demand mode: Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

PFDAVG: Average Probability of Failure on Demand

PFH: Probability of dangerous Failure per Hour

SFF: Safe Failure Fraction. Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF: Safety Instrumented Function

SIL: Safety Integrity Level

SIS: Safety Instrumented System. Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

HART (Highway Addressable Remote Transducer): A communication protocol that provides digital data transmission between intelligent field instruments and host systems over traditional 4-20 mA analog wiring, while simultaneously communicating a 4-20 mA signal.

Analog Input: A continuous input signal in which the time varying feature (e.g., 4-20 mA current) of the signal is a representation of some other time varying, measured quantity (e.g., temperature, pressure, etc.).

Analog Output: A continuous output signal in which the time varying feature (e.g., 0-5 V) of the signal is a representation of some other time varying quantity (e.g., valve position, etc.).

Digital Input: An input signal (e.g., > 2.5 V, < 2.5 V) representing a discrete value (e.g., a Boolean "On" or "Off").

Digital Output: An output signal (e.g., > 2.5 V, < 2.5 V) representing a discrete value (e.g., a Boolean "On" or "Off").

Type A element: "Non-Complex" element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element: "Complex" element (using complex components such as microcontrollers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2

7 Status of the Document

7.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1

Revision: R2

Version History:

V1, R2: August 6, 2013 – updated report for monitoring mode changes.

V1, R1: July 30, 2013 – incorporated comments from certification audit.

V1, R0: March 25, 2013 – initial draft.

Authors: Dave Butler

Review:

V1, R1: Griff Francis: July 30, 2013

V1, R0: Griff Francis: March 25, 2013

Release status: Released

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

David E. Butler, CFSE, Senior Safety Engineer

Griff Francis, Safety Engineer