IEC 61508 Functional Safety Assessment Rosemount Inc. - Exida

IEC 61508 Functional Safety Assessment

Project: Model 3051 C/T/L Safety Pressure Transmitter with option code QT
Device Label SW1.0.0-1.4.X

Customer: Rosemount Inc.
Chanhassen, MN
USA

Contract No.: Q11/07-062
Report No.: ROS 11/07-062 R007
Version V1, Revision R1, March 8, 2012
Michael Medoff

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.


Management summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the:
‣ Model 3051 C/T/L Safety Pressure Transmitter with option code QT

The functional safety assessment performed by exida consisted of the following activities:
- exida certification assessed the development process used by Emerson Process Management through an audit and creation of a detailed safety case against the requirements of IEC 61508.
- exida certification performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior. This included detailed Markov models of the fault tolerant architectures done in order to show accurate average probability of failure on demand.

The functional safety assessment was performed to the requirements of IEC 61508, SIL 3. A full IEC 61508 safety case was prepared using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Also, the user documentation (safety manual) was reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The Model 3051 C/T/L Safety Pressure Transmitter with option code QT was found to meet the requirements of SIL 2 for random integrity @ HFT=0, SIL 3 for random integrity @ HFT=1 and SIL 3 capable for systematic integrity.

The manufacturer will be entitled to use the Functional Safety Logo. The manufacturer may use the mark:
[exida Functional Safety mark]

© exida Certification rosemount 11-07-062 r007 v1 r1 iec 61508 assessment.docx, 3/8/2012 Michael Medoff Page 2 of 21


Table of Contents

Management summary .... 2
1 Purpose and Scope .... 4
2 Project management .... 5
2.1 exida .... 5
2.2 Roles of the parties involved .... 5
2.3 Standards / Literature used .... 5
2.4 Reference documents .... 5
2.4.1 Documentation provided by Rosemount .... 5
2.4.2 Documentation generated by exida certification .... 10
3 Product Description .... 11
4 IEC 61508 Functional Safety Assessment .... 13
4.1 Methodology .... 13
4.2 Assessment level .... 13
5 Results of the IEC 61508 Functional Safety Assessment .... 14
5.1 Lifecycle Activities and Fault Avoidance Measures .... 14
5.1.1 Functional Safety Management .... 14
5.1.2 Safety Requirements Specification and Architecture Design .... 15
5.1.3 Hardware Design .... 15
5.1.4 Software (Firmware) Design .... 15
5.1.5 Validation .... 16
5.1.6 Verification .... 16
5.1.7 Modifications .... 17
5.1.8 User documentation .... 17
5.2 Hardware Assessment .... 18
5.3 Opportunities for improvement .... 19
6 Terms and Definitions .... 20
7 Status of the document .... 21
7.1 Liability .... 21
7.2 Releases .... 21
7.3 Future Enhancements .... 21
7.4 Release Signatures .... 21


1 Purpose and Scope

Generally three options exist when doing an assessment of sensors, interfaces and/or final elements.

Option 1: Hardware assessment according to IEC 61508
Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s) like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault behavior and the failure rates of the device, which are then used to calculate the Safe Failure Fraction (SFF) and the average Probability of Failure on Demand (PFDavg). This option shall provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and does not include an assessment of the development process.

Option 2: Hardware assessment with proven-in-use consideration according to IEC 61508 / IEC 61511
Option 2 is an assessment by exida according to the relevant functional safety standard(s) like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault behavior and the failure rates of the device, which are then used to calculate the Safe Failure Fraction (SFF) and the average Probability of Failure on Demand (PFDavg). In addition, this option includes an assessment of the proven-in-use demonstration of the device and its software including the modification process. This option for pre-existing (programmable electronic) devices shall provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and justify the reduced fault tolerance requirements of IEC 61511 for sensors, final elements and other PE field devices.

Option 3: Full assessment according to IEC 61508
Option 3 is a full assessment by exida according to the relevant application standard(s) like IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1. The full assessment extends option 1 by an assessment of all fault avoidance and fault control measures during hardware and software development.

This assessment shall be done according to option 3.

This document shall describe the results of the IEC 61508 functional safety assessment of the Model 3051 C/T/L Safety Pressure Transmitter with option code QT, which will be referred to as the 3051C/T/L Pressure Transmitter throughout this document.


2 Project management

2.1 exida
exida is one of the world's leading knowledge and certification companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented services, internet based safety engineering tools, detailed product assurance and certification analysis and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved
Rosemount, Inc. | Manufacturer of the 3051C/T/L Pressure Transmitter
exida Certification | Performed the IEC 61508 Functional Safety Assessment according to option 3 (see section 1)

Rosemount, Inc. contracted exida Certification with the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 7):2010 | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Rosemount
Document Reference | Document Title | Document Version/Revision; Document Date
[D02] | exida Configuration Management Checklist | n/a; 11/21/2011
[D02a] | CM Plan checklist from EDP 400-300 | 2/9/2012
[D03] | exida Documentation Checklist | 11/23/2011
[D04] | exida Software Tool Checklist | 2/16/2012
[D05] | exida Tool Validation Checklists | 1/10/2012
[D06] | exida FSM Planning Phase Verification Checklist | n/a; 2/16/2012
[D07] | Project Plan | B.1; 9/29/2011
[D08] | Project Defined Process Documents | E; 3/22/2011
[D10] | DOP 1810 Training Procedures | R; 1/20/2010
[D100] | Integration Test Results | 3; 2/7/2012
[D109] | exida Integration Test Execution Phase Checklist | n/a; 3/5/2012
[D11] | Safety Competencies | n/a;
[D110] | EMC Test Results | 6/27/2011
[D111] | Validation Test Results | A; 3/17/2010
[D111a] | ROS Validation Testing Checklist | 2/23/2012
[D112] | Humidity Test results | 5/4/2011
[D113] | Temperature test results | 8/29/2011
[D114] | EMI/EMC Surge Withstand Capability test results | 6/14/2011
[D115] | IEEE Surge Withstand test results | 8/24/2011
[D116] | ESD test results | 5/17/2011
[D119] | exida Validation Test Execution Phase Checklist | n/a; 3/5/2012
[D12] | EDP 400-502 Peer Safety Review | A; 3/25/2010
[D120] | exida Hardware Design Implementation Verification Checklist | n/a; 2/16/2012
[D13] | Training and Competency Matrix | 1/23/2012
[D130] | Meeting Minutes for 2051C/T HART7 LOI | n/a; 3/1/2012
[D14] | Safety Instrumented Systems Training Program | 1/23/2012
[D150] | exida Functional Safety Assessment Phase Verification Checklist | n/a; 3/6/2012
[D128] | Functional Safety Assessment Plan | V1R1; 3/6/2012
[D16] | DOP 7 Rosemount Product Development Process | B; 4/1/2011
[D160a] | Product Safety Manual for 3051 | AA; 2/17/2012
[D161a] | WA0007 Safety Manual Checklist | H; 2/17/2012
[D165a] | Failure Modes, Effects and Diagnostics Analysis (FMEDA) Report - 3051 | V1R3; 2/14/2012
[D166] | exida FMEDA Document Checklist | n/a; 1/9/2012
[D167] | Product Approvals | n/a; 10/27/2011
[D168] | Product Release Version Description | 1/26/2012
[D16a] | RMD_G7.3-0001 Product Realization: Project Management Process | A; 7/1/2011
[D17] | DOP 415 Product Design and Development Process | I; 10/13/2011
[D17a] | DOP416 SIS Product Design and Development Process | I;
[D18] | DOP 440 Engineering Change Procedure | AK; 2/1/2011
[D180] | Impact Analysis Template |
[D181] | Impact Analysis Example |
[D189] | exida Modification Phase Verification Checklist | 2/9/2012
[D19] | DOP 1110 Metrology Procedure | AA; 1/15/2010
[D20] | ISO 9001:2008 Certificate | n/a; 10/7/2011
[D21] | DOP 1440: Customer Notification Process | P; 1/19/2010
[D22] | DP-50111-16 Field Return Analysis Procedure | A; 2/2/2010
[D23] | C/C++ Software Coding Standards | J; 6/22/2011
[D24] | EDP 400-300 Configuration and Change Control Management | C; 5/1/2005
[D24a] | 2051/3051/2088 Configuration Management Plan | G; 8/17/2011
[D25] | EDP 400-500 Peer Review | C; 7/1/2011
[D26] | DOP 660 Supplier Corrective Action | U; 11/10/2010
[D27] | Corrective And Preventive Action website | n/a;
[D27a] | Corrective And Preventive Action Procedure DOP 8.5 | AB; 5/10/2011
[D28] | DOP 1710 Internal Audit Program | W; 1/25/2010
[D29] | EDP400-600 Quality_Assurance_Procedure | D; 6/22/2007
[D30] | Safety Integrity Requirements Specification | C; 6/20/2011
[D31] | exida SRS Document Checklist |
[D32] | SIRS Review | 0.2; 9/2/2009
[D33] | Customer Requirements Document | D.4; 9/20/2011
[D35] | Validation Test Plan | B; 1/31/2012
[D36] | exida Safety Validation Test Plan Checklist |
[D37] | Safety Validation Plan Review | 1.2; 10/27/2011
[D38] | Master Test Plan |
[D40] | Architecture Design Description Document |
[D40a] | C/T Platform HART Electronics Redesign Architecture | n/a; 4/23/2009
[D40b] | System Requirements for the C/T HART 7 + LOI Project | D.8; 9/20/2011
[D41] | Integration Test Plan | E; 10/13/2011
[D42] | exida Integration Test Plan Checklist |
[D43a] | Derived Requirements Document - HW | B.1; 9/20/2011
[D43b] | Derived Requirements Document - SW, DAC | O; 10/5/2011
[D43c] | Derived Requirements Document - SW, LOI | G; 10/3/2011
[D44] | exida Derived Requirements Document Checklist |
[D46] | Proven Operational Experience Calculation |
[D47] | Proven In Use Analysis Report |
[D49] | exida System Architecture Phase Verification Checklist | n/a; 1/26/2012
[D50] | Detailed Design Description - HW for C/T HART 7 + LOI Project | C; 1/25/2012
[D52a] | ASIC Evaluation and Determination | n/a; 11/3/2011
[D53] | Fault Injection Test Plan/Results | 12/8/2011
[D54] | exida HW Fault Injection Test Verification Checklist | n/a; 1/9/2012
[D55] | Schematics | AE; 9/27/2011
[D56] | BOM - 02051-3503-0101 | AG; 1/26/2012
[D57] | HW Component Derating analysis | AE; 9/22/2011
[D58] | HW Verification | A.2; 3/6/2012
[D59] | BOM history | AG; 1/26/2012
[D60] | HW Design Guidelines for Test and Manufacture | A; 3/6/2012
[D61] | HW Requirements Review | n/a; 2/18/2011
[D62] | Assembly Drawing | AF; 1/26/2012
[D69] | Hardware Design Phase Verification Checklist | WA0007-E; 2/9/2011
[D71] | Detailed Software Design Specification | 10/10/2011
[D72] | exida Software Architecture and Design Checklist | n/a; 2/9/2012
[D73] | SIRS-SW Design Traceability | 11/28/2011
[D78] | SW Architecture Design Review | n/a; 1/17/2011
[D79] | Software Architecture and Design Phase Review Log (with review of sw architecture and design checklist) |
[D80a] | IEC 61508 SIL3 Tables not covered in FSM Plan | 3/6/2012
 | | Case-70; 1/17/2011
[D81] | WA0007 SIS Checklists - blank | H; 11/23/2011
[D82] | Software Tools Analysis | n/a; 3/5/2012
[D83] | PIU Assessment; IAR Compiler for Atmel AVR microprocessors | 2/11/2007
[D90] | PC Lint Configuration file | n/a; 10/31/2011
[D90a] | PC Lint resolution example | n/a;
[D90b] | Code Review example | n/a; 3/22/2011
[D90c] | PC Lint Results | n/a; 3/6/2012
[D91] | Unit Test Records - HW | A.1; 9/30/2011
[D92] | Unit Test - SW test plan | B; 3/2/2011
[D92a] | SW unit test results | n/a; 1/25/2012
[D92b] | Test objectives in header file |
[D92c] | Test objectives in source file |
[D92d] | Test Techniques to use to develop test plans |
[D93] | sw module_size_justification | n/a; 11/15/2011
[D94] | sw module_test_coverage | n/a; 11/15/2011
[D97] | Software DVT Test Plan | B.2; 11/15/2011
[D97a] | SW test descriptions | 0.7; 8/19/2011
[D99] | exida SW Implementation Phase Verification Checklist | n/a; 2/16/2012
[D99a] | Action Items |
[D127] | sprint_backlog_2051 | n/a; 9/19/2011


2.4.2 Documentation generated by exida certification
[R1] | Rosemount PressureTransmitter3051_2051_2088 | Detailed safety case documenting results of assessment (internal document)
[R2] | ROS 11-07-062 R007, Assessment, V1R1 | IEC 61508 Functional Safety Assessment, 3051C/T/L Pressure Transmitter with option code QT (this report)


3 Product Description

The Rosemount Model 3051 C/T/L Safety Pressure Transmitter with option code QT comes in 4 different models as follows:
- Rosemount 3051C Coplanar pressure transmitter
  o Measures differential and gage pressure up to 2000 psi (137,9 bar).
  o Measures absolute pressure up to 4000 psia (275,8 bar).
- Rosemount 3051T in-line pressure transmitter
  o Measures gage/absolute pressure up to 10000 psi (689,5 bar).
- Rosemount 3051L Level Transmitter
  o Measures level and specific gravity up to 300 psi (20,7 bar).
- Rosemount 3051CF Series Flowmeter
  o Measures flow in line sizes from 1/2-in. (15 mm) to 96-in. (2400 mm).

The Rosemount 3051C Coplanar design is offered for Differential Pressure (3051 CD), Gage Pressure (3051 CG) and Absolute Pressure (3051 CA) measurements. The Rosemount 3051C utilizes capacitance sensor technology for Differential Pressure and Gage Pressure measurements. The Rosemount 3051T and 3051CA utilize piezoresistive sensor technology for Absolute Pressure and Gage Pressure measurements. The assessment has been performed for all four of these models.

The major components of the Rosemount 3051 are the sensor module and the electronics housing. The sensor module contains the oil filled sensor system (isolating diaphragms, oil fill system, and sensor) and the sensor electronics. The sensor electronics are installed within the sensor module and include a temperature sensor (RTD), a memory module, and the capacitance to digital signal converter (C/D converter). The electrical signals from the sensor module are transmitted to the output electronics in the electronics housing. The electronics housing contains the output electronics board, the optional external configuration buttons, and the terminal block. The basic block diagram of the Rosemount 3051CD is illustrated in Figure 1.


Figure 1 – Rosemount 3051CD Pressure Transmitter Block Diagram

The 3051 C/T/L Pressure Transmitter is classified as a Type B (1) device according to IEC 61508, having a hardware fault tolerance of 0.

The 3051 C/T/L Pressure Transmitter can be connected to the process using an impulse line. Depending on the application, the clogging of the impulse line needs to be accounted for, see section 5.1.

(1) Type B device: "Complex" component (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2.


4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Rosemount and is documented here.

4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  o Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  o Specification process, techniques and documentation
  o Design process, techniques and documentation, including tools used
  o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  o Verification activities and documentation
  o Modification process and documentation
  o Installation, operation, and maintenance requirements, including user documentation
- Product design
  o Hardware architecture and failure behavior, documented in a FMEDA
  o Software architecture and failure behavior, documented in safety integrity requirement specification

The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.2.

4.2 Assessment level
The 3051 C/T/L Pressure Transmitter has been assessed per IEC 61508 to the following levels:
- SIL 2 capability for a single device
- SIL 3 capability for multiple devices in safety redundant configurations with a Hardware Fault Tolerance of 1.

The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.
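Section 1 states that the FMEDA failure rates are used to compute the Safe Failure Fraction and PFDavg, and section 4.2 states the resulting claim of SIL 2 at HFT=0 and SIL 3 at HFT=1. The following Python block is an added worked example, not part of the exida report and not the 3051's FMEDA data, showing how those quantities combine for a Type B device under the Route 1H architectural constraints (IEC 61508-2 Table 3) and the low-demand PFDavg bands (IEC 61508-1 Table 2). The failure rates, the proof-test interval and the function names are constructed for illustration; the 1oo1 PFDavg formula is the usual simplification that ignores repair time and imperfect proof-test coverage.

```python
"""Added worked example (not from the exida report): FMEDA rates -> SFF,
simplified 1oo1 PFDavg, and the SIL allowed for a Type B device at HFT 0/1/2.
All sample failure rates are CONSTRUCTED values, not the 3051's figures."""

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

# IEC 61508-2 Table 3 (Type B subsystems, Route 1H): for each SFF band,
# the maximum SIL at HFT 0 / 1 / 2. None = not allowed at that HFT.
TYPE_B_ARCH_CONSTRAINTS = (
    (0.00, 0.60, (None, 1, 2)),
    (0.60, 0.90, (1, 2, 3)),
    (0.90, 0.99, (2, 3, 4)),
    (0.99, 1.01, (3, 4, 4)),  # upper bound above 1 so SFF == 1.0 lands here
)

# IEC 61508-1 Table 2 (low demand mode): SIL n requires PFDavg < upper bound.
PFD_UPPER_BOUNDS = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (safe + dangerous-detected rates) / total, i.e. 1 - lambda_DU/lambda_total."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lam_sd + lam_su + lam_dd) / total


def pfd_avg_1oo1(lam_du, proof_test_interval_h):
    """Simplified single-channel PFDavg = lambda_DU * T_proof / 2.
    Ignores MTTR and proof-test coverage; the report's Markov models include them."""
    return lam_du * proof_test_interval_h / 2


def max_sil_by_architecture(sff, hft):
    """Route 1H architectural constraint for a Type B element."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lo, hi, sils in TYPE_B_ARCH_CONSTRAINTS:
        if lo <= sff < hi:
            return sils[hft]
    raise ValueError("SFF must lie in [0, 1]")


def max_sil_by_pfd(pfd_avg):
    """Best SIL whose PFDavg band the value satisfies; None if PFDavg >= 0.1."""
    for sil, upper in PFD_UPPER_BOUNDS:
        if pfd_avg < upper:
            return sil
    return None


def assess(lam_sd, lam_su, lam_dd, lam_du, hft, proof_test_interval_h):
    """Combine both limits: the achievable SIL is the smaller of the two.
    PFDavg is computed for one channel (1oo1); for HFT=1 that is a conservative
    upper bound, since a redundant channel only lowers PFDavg."""
    sff = safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du)
    pfd = pfd_avg_1oo1(lam_du, proof_test_interval_h)
    arch_sil = max_sil_by_architecture(sff, hft)
    pfd_sil = max_sil_by_pfd(pfd)
    sil = None if arch_sil is None or pfd_sil is None else min(arch_sil, pfd_sil)
    return {"sff": sff, "pfd_avg": pfd, "arch_sil": arch_sil,
            "pfd_sil": pfd_sil, "sil": sil}


# Constructed sample FMEDA result in FIT (safe detected, safe undetected,
# dangerous detected, dangerous undetected). Not the 3051's real figures.
SAMPLE_RATES = dict(lam_sd=0 * FIT, lam_su=300 * FIT,
                    lam_dd=400 * FIT, lam_du=60 * FIT)
ONE_YEAR_H = 8760  # constructed proof-test interval

if __name__ == "__main__":
    for hft in (0, 1):
        r = assess(**SAMPLE_RATES, hft=hft, proof_test_interval_h=ONE_YEAR_H)
        print(f"HFT={hft}: SFF={r['sff']:.3f} PFDavg={r['pfd_avg']:.2e} "
              f"arch SIL {r['arch_sil']} / PFD SIL {r['pfd_sil']} "
              f"-> achievable SIL {r['sil']}")
```

With the constructed rates the SFF is about 92%, which places the device in the 90% to <99% band: SIL 2 at HFT=0 and SIL 3 at HFT=1, the same pattern the report states for the 3051. The PFDavg band alone would allow SIL 3 for a single channel, so for HFT=0 the architectural constraint, not the PFDavg, is what caps the claim at SIL 2.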


5 Results of the IEC 61508 Functional Safety Assessment

exida certification assessed the development process used by Rosemount, Inc. during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development of new components in the 3051 C/T/L Pressure Transmitter was done using this development process. The Safety Case was updated with project specific design documents.

5.1 Lifecycle Activities and Fault Avoidance Measures
Rosemount, Inc. has an IEC 61508 compliant development process as defined in [D17]. The process defines a safety lifecycle which meets the requirements for a safety lifecycle as documented in IEC 61508. Throughout all phases of this lifecycle, fault avoidance measures are included. Such measures include design reviews, FMEDA, code reviews, unit testing, integration testing, fault injection testing, etc.

This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the 3051 C/T/L Pressure Transmitter development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observations:

The audited Rosemount, Inc. development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

FSM Planning
The functional safety management of any Emerson Process Management Safety Instrumented Systems Product development is governed by [D17]. This process requires that Emerson Process Management create a project plan [D07] which is specific for each development project. The Project Plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures referenced herein fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control
All documents are under version control as required by [D24a].

Training, Competency recording
Competency is ensured by the creation of a competency and training matrix for the project [D13]. The matrix lists all of those on the project who are working on any of the phases of the safety lifecycle. Specific competencies for each person are listed on the matrix which is reviewed by the project manager. Any deficiencies are then addressed by updating the matrix with required training for the project.


5.1.2 Safety Requirements Specification and Architecture Design
As defined in [D17] a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. For the 3051 C/T/L Pressure Transmitter, the requirements specification [D30] contains a system overview, safety assumptions, and safety requirements sections. During the assessment, exida certification reviewed the content of the specification for completeness per the requirements of IEC 61508.

Requirements are tracked throughout the development process by the creation of a series of traceability matrices which are included in the following documents: [D30], [D35], [D73], and [D127]. The system requirements are broken down into derived hardware and software requirements which include specific safety requirements. Traceability matrices show how the system safety requirements map to the hardware and software requirements, to hardware and software architecture, to software and hardware detailed design, and to validation tests.

Requirements from IEC 61508-2, Table B.1 that have been met by Rosemount, Inc. include project management, documentation, structured specification, inspection of the specification, and checklists.

Requirements from IEC 61508-3, Table A.1 that have been met by Rosemount, Inc. include backward traceability between the safety requirements and the perceived safety needs.

[D80a] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.1.3 Hardware Design
Hardware design, including both electrical and mechanical design, is done according to [D17]. The hardware design process includes creating a hardware architecture specification, a peer review of this specification, creating a detailed design, a peer review of the detailed design, component selection, detailed drawings and schematics, a Failure Modes, Effects and Diagnostic Analysis (FMEDA), electrical unit testing, fault injection testing, and hardware verification tests.

Requirements from IEC 61508-2, Table B.2 that have been met by Rosemount, Inc. include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification. This is also documented in [D80a]. This meets the requirements of SIL 3.

5.1.4 Software (Firmware) Design
Software (firmware) design is done according to [D17]. The software design process includes software architecture design and peer review, detailed design and peer review, critical code reviews, static source code analysis and unit test.

Requirements from IEC 61508-3, Table A.2 that have been met by Rosemount, Inc. include fault detection, error detecting codes, failure assertion programming, diverse monitor techniques, stateless software design, retry fault recovery mechanisms, graceful degradation, forward and backward traceability between the software safety requirements specification and software architecture, semi-formal methods, event-driven, with guaranteed maximum response time, static resource allocation, and static synchronization of access to shared resources.


Requirements from IEC 61508-3, Table A.3 that have been met by Rosemount, Inc. include suitable programming language, strongly typed programming language, language subset, and tools and translators: increased confidence from use.

Requirements from IEC 61508-3, Table A.4 that have been met by Rosemount, Inc. include semi-formal methods, computer aided design tools, defensive programming, modular approach, design and coding standards, structured programming, and forward traceability between the software safety requirements specification and software design.

This is also documented in [D80a]. This meets the requirements of SIL 3.

5.1.5 Validation
Validation Testing is done via a set of documented tests. The validation tests are traceable to the Safety Requirements Specification [D30] in the validation test plan [D35]. The traceability matrices show that all safety requirements have been validated by one or more tests. In addition to standard Test Specification Documents, third party testing is included as part of the validation testing. All non-conformities are documented in a change request and procedures are in place for corrective actions to be taken when tests fail as documented in [D17].

Requirements from IEC 61508-2, Table B.5 that have been met by Rosemount, Inc. include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing.

Requirements from IEC 61508-3, Table A.7 that have been met by Rosemount, Inc. include process simulation, functional and black box testing, and forward and backward traceability between the software safety requirements specification and the software safety validation plan.

[D80a] documents more details on how each of these requirements has been met. This meets SIL 3.

5.1.6 Verification
Verification activities are built into the standard development process as defined in [D17]. Verification activities include the following: Fault Injection Testing, static source code analysis, module testing, integration testing, FMEDA, peer reviews and both hardware and software unit testing. In addition, safety verification checklists are filled out for each phase of the safety lifecycle. This meets the requirements of IEC 61508 SIL 3.

Requirements from IEC 61508-2, Table B.3 that have been met by Rosemount, Inc. include functional testing, project management, documentation, and black-box testing.

Requirements from IEC 61508-3, Table A.5 that have been met by Rosemount, Inc. include dynamic analysis and testing, data recording and analysis, functional and black box testing, performance testing, interface testing, and test management and automation tools.

Requirements from IEC 61508-3, Table A.6 that have been met by Rosemount, Inc. include functional and black box testing, performance testing, and forward traceability between the system and software design requirements for hardware/software integration and the hardware/software integration test specifications.


Requirements from IEC 61508-3, Table A.9 that have been met include static analysis, dynamic analysis and testing, and forward traceability between the software design specification and the software verification plan.

[D80a] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.1.7 Modifications

Modifications are done per Emerson Process Management's change management process as documented in [D24]. Impact analyses are performed for all changes once the product is released for integration testing. The results of the impact analysis are used in determining whether to approve the change. The standard development process as defined in [D17] is then followed to make the change. The handling of hazardous field incidents and customer notifications is governed by [D21]. This procedure includes identification of the problem, analysis of the problem, identification of the solution, and communication of the solution to the field. This meets the requirements of IEC 61508 SIL 3.

Requirements from IEC 61508-3, Table A.8 that have been met by the Rosemount, Inc. modification process include impact analysis, reverify changed software modules, reverify affected software modules, revalidate complete system or regression validation, software configuration management, data recording and analysis, and forward and backward traceability between the software safety requirements specification and the software modification plan (including reverification and revalidation).

5.1.8 User documentation

Rosemount, Inc. created a safety manual for the 3051 C/T/L Pressure Transmitter [D160a] which addresses all relevant operation and maintenance requirements from IEC 61508. This safety manual was assessed by exida certification. The final version is considered to be in compliance with the requirements of IEC 61508.

Requirements from IEC 61508-2, Table B.4 that have been met by Rosemount, Inc. include operation and maintenance instructions, maintenance friendliness, project management, documentation, and limited operation possibilities.

[D80a] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.


5.2 Hardware Assessment

To evaluate the hardware design of the 3051 C/T/L Pressure Transmitter a Failure Modes, Effects, and Diagnostic Analysis was performed by exida. This is documented in [D165a].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with an extension to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. Table 1 lists these failure rates as reported in the FMEDA report. The failure rates are valid for the useful life of the devices. Based on Emerson endurance test data and general field failure data, a useful life period of approximately 50 years is expected for the 3051 C/T/L Pressure Transmitter. This is listed in the FMEDA reports.

Table 1 Failure rates according to IEC 61508 (failure rates in FIT; 1 FIT = 1 failure per 10^9 hours)

Device                     λSD   λSU (2)   λDD     λDU    SFF (3)
Model 3051 CD, CG and L    -     79.3      262.4   32.4   91.3%
Model 3051 CA and T        -     89.9      283.0   40.9   90.1%

An average Probability of Failure on Demand (PFD_AVG) calculation is performed for a single (1oo1) Model 3051 with exida's exSILentia tool. The failure rate data used in this calculation is displayed in Table 2. A mission time of 10 years has been assumed and a Mean Time To Restoration of 24 hours. Table 2 lists the proof test coverage (see Appendix B of the FMEDA report) used for the models as well as the results when the proof test interval equals 1 year.

Table 2 Sample PFD_AVG Results

Device                                                   Proof Test Coverage   PFD_AVG    % of SIL 2 Range
Model 3051 CD, CG and L with Simple Proof Test           57%                   7.08E-04   7.1%
Model 3051 CA and T with Simple Proof Test               45%                   1.08E-03   11%
Model 3051 CD, CG and L with Comprehensive Proof Test    84%                   3.61E-04   3.6%
Model 3051 CA and T with Comprehensive Proof Test        80%                   5.29E-04   5.3%

(2) It is important to realize that the No Effect failures are no longer included in the Safe Undetected failure category according to IEC 61508, ed2, 2010.
(3) Safe Failure Fraction needs to be calculated on (sub)system level.
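As an added worked example that is not part of the exida report, the Python below recomputes the Table 1 SFF values, approximates the Table 2 PFD_AVG figures for a single 1oo1 Model 3051 with the closed-form low-demand formula (proof test interval 1 year, mission time 10 years, MTTR 24 hours, partial proof test coverage), and applies the IEC 61508-2 Type B architectural constraints to reproduce the SIL 2 @ HFT=0 / SIL 3 @ HFT=1 result. The report's own figures come from the Markov-based exSILentia tool, so the closed-form approximation lands a few percent below them; treating the 3051 as a Type B (sub)system is an assumption made here.

```python
# Added example (not the exida report's or Rosemount's code): reproduce the
# SFF, PFD_AVG and architectural-constraint figures behind Tables 1 and 2.
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # 1 FIT = 1 failure per 1e9 hours

# Failure rates in FIT from Table 1: (lambda_SU, lambda_DD, lambda_DU).
# lambda_SD is reported as "-" (taken as zero) for both variants.
TABLE_1 = {
    "3051 CD/CG/L": (79.3, 262.4, 32.4),
    "3051 CA/T":    (89.9, 283.0, 40.9),
}

def sff(l_sd, l_su, l_dd, l_du):
    """Safe Failure Fraction: (safe + dangerous detected) / all failures."""
    return (l_sd + l_su + l_dd) / (l_sd + l_su + l_dd + l_du)

def pfd_avg_1oo1(l_du_fit, ptc, proof_interval_h, mission_time_h,
                 l_dd_fit=0.0, mttr_h=24.0):
    """Closed-form low-demand PFD_AVG for one channel (1oo1).

    DU failures covered by the proof test (fraction ptc) persist on average
    half a proof test interval; the uncovered remainder persist on average
    half the mission time; DD failures persist only for the repair time.
    """
    l_du, l_dd = l_du_fit * FIT, l_dd_fit * FIT
    return (ptc * l_du * proof_interval_h / 2
            + (1.0 - ptc) * l_du * mission_time_h / 2
            + l_dd * mttr_h)

def pct_of_sil2_range(pfd):
    """Share of the SIL 2 PFD_AVG budget (upper limit 1e-2) used by this element."""
    return pfd / 1e-2 * 100.0

# IEC 61508-2 Table 3 (Type B): max SIL by HFT for SFF bands
# <60%, 60-<90%, 90-<99%, >=99%; 0 means the configuration is not allowed.
TYPE_B_SIL = {0: [0, 1, 2, 3], 1: [1, 2, 3, 4], 2: [2, 3, 4, 4]}

def max_sil_type_b(sff_value, hft):
    band = 0 if sff_value < 0.60 else 1 if sff_value < 0.90 else 2 if sff_value < 0.99 else 3
    return TYPE_B_SIL[hft][band]

if __name__ == "__main__":
    for name, (su, dd, du) in TABLE_1.items():
        s = sff(0.0, su, dd, du)
        for ptc in ((0.57, 0.84) if "CD" in name else (0.45, 0.80)):
            pfd = pfd_avg_1oo1(du, ptc, HOURS_PER_YEAR, 10 * HOURS_PER_YEAR, dd)
            print(f"{name}: SFF={s:.1%} PTC={ptc:.0%} PFDavg~{pfd:.2e} "
                  f"({pct_of_sil2_range(pfd):.1f}% of SIL 2 range) "
                  f"max SIL: HFT0={max_sil_type_b(s, 0)} HFT1={max_sil_type_b(s, 1)}")
```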


These results must be considered in combination with PFD_AVG values of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). It is the responsibility of the Safety Instrumented Function designer to do calculations for the entire SIF. exida recommends the accurate Markov based exSILentia tool for this purpose.

The analysis shows that the design of the 3051 C/T/L Pressure Transmitter meets the hardware requirements of IEC 61508, SIL 2 @ HFT=0 and SIL 3 @ HFT=1.

5.3 Opportunities for improvement

During the course of the assessment, there were a number of cases found where there was either a minor non-conformance or a recommended update to the development process identified. In all of these cases the issues identified were deemed not to have a significant effect on the overall functional safety of the product. Therefore, these items can be considered recommendations to reduce the risk of non-compliance for future development efforts or modifications. The items found are described below:

- Test environment, tools, configuration and programs used should be included in future integration test plans.
- The integration plan shall consider details of those who shall carry out the integration. This information could also be included in another document such as the roles and responsibilities document.
- Update the coding standard to include a requirement for structured programming. This involves using structured constructs such as sequences (case), iterations (for, while, do) and selection (if/then/else) to control program flow and to avoid unstructured constructs such as goto and longjmp.
- Update the coding standard to state that if dynamic objects are used, checking must be included to determine if the allocation succeeded and, if not, to take appropriate action.
- The coding standard or other document should state that interrupts should only be used if they simplify the design.
- The unit test plan should indicate that input equivalence class and boundary value techniques are used.
- Recommend adding to the source code standard the following: complex calculations are avoided as the basis of branching and loop decisions.
- The analysis made and the decisions taken on whether to continue the integration test or issue a change request, in the case when discrepancies occur, should be documented in the integration test results.


6 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode, where the frequency of demands for operation made on a safety-related system is no greater than twice the proof test frequency.
PFD_AVG: Average Probability of Failure on Demand
SFF: Safe Failure Fraction summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A (sub)system: "Non-Complex" (sub)system (using discrete elements); for details see 7.4.3.1.2 of IEC 61508-2
Type B (sub)system: "Complex" (sub)system (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2


7 Status of the document

7.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1
Revision: R1
Version History: V1, R1: Updated based on review comments; March 8, 2012
                 V0, R1: Draft; March 7, 2012
Authors: Michael Medoff
Review: V1, R1: John Yozallinas & Jessica Lo; March 8, 2012
Release status: Released.

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

John Yozallinas, Evaluating Assessor
Michael Medoff, Certifying Assessor
