IEC 61508 Functional Safety Assessment Rosemount Inc. - Exida

More documents

Recommendations

Info

5 Results of the IEC 61508 Functional Safety Assessmentexida certification assessed the development process used by Rosemount, Inc. during the productdevelopment against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development ofnew components in the 3051 C/T/L Pressure Transmitter was done using this developmentprocess. The Safety Case was updated with project specific design documents.5.1 Lifecycle Activities and Fault Avoidance MeasuresRosemount, Inc. has an IEC 61508 compliant development process as defined in [D17]. Theprocess defines a safety lifecycle which meets the requirements for a safety lifecycle asdocumented in IEC 61508. Throughout all phases of this lifecycle, fault avoidance measures areincluded. Such measures include design reviews, FMEDA, code reviews, unit testing, integrationtesting, fault injection testing, etc.This functional safety assessment investigated the compliance with IEC 61508 of the processes,procedures and techniques as implemented for the 3051 C/T/L Pressure Transmitter development.The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3work scope of the development team. The result of the assessment can be summarized by thefollowing observations:The audited Rosemount, Inc. development process complies with the relevant managerialrequirements of IEC 61508 SIL 3.5.1.1 Functional Safety ManagementFSM PlanningThe functional safety management of any Emerson Process Management Safety InstrumentedSystems Product development is governed by [D17]Error! Reference source not found.. Thisprocess requires that Emerson Process Management create a project plan [D07] which is specificfor each development project. The Project Plan defines all of the tasks that must be done to ensurefunctional safety as well as the person(s) responsible for each task. These processes and theprocedures referenced herein fulfill the requirements of IEC 61508 with respect to functional safetymanagement.Version ControlAll documents are under version control as required by [D24a].Training, Competency recordingCompetency is ensured by the creation of a competency and training matrix for the project [D13].The matrix lists all of those on the project who are working on any of the phases of the safetylifecycle. Specific competencies for each person are listed on the matrix which is reviewed by theproject manager. Any deficiencies are then addressed by updating the matrix with required trainingfor the project.© exida Certification rosemount 11-07-062 r007 v1 r1 iec 61508 assessment.docx, 3/8/2012Michael Medoff Page 14 of 21
5.1.2 Safety Requirements Specification and Architecture DesignAs defined in [D17] a safety requirements specification (SRS) is created for all products that mustmeet IEC 61508 requirements. For the 3051 C/T/L Pressure Transmitter, the requirementsspecification [D30] contains a system overview, safety assumptions, and safety requirementssections. During the assessment, exida certification reviewed the content of the specification forcompleteness per the requirements of IEC 61508.Requirements are tracked throughout the development process by the creation of a series oftraceability matrices which are included in the following documents: [D30], [D35], [D73], and[D127]. The system requirements are broken down into derived hardware and softwarerequirements which include specific safety requirements. Traceability matrices show how thesystem safety requirements map to the hardware and software requirements, to hardware andsoftware architecture, to software and hardware detailed design, and to validation tests.Requirements from IEC 61508-2, Table B.1 that have been met by Rosemount, Inc. include projectmanagement, documentation, structured specification, inspection of the specification, andchecklists.Requirements from IEC 61508-3, Table A.1 that have been met by Rosemount, Inc. includeBackward traceability between the safety requirements and the perceived safety needs.[D80a] documents more details on how each of these requirements has been met. This meets therequirements of SIL 3.5.1.3 Hardware DesignHardware design, including both electrical and mechanical design, is done according to [D17]. Thehardware design process includes creating a hardware architecture specification, a peer review ofthis specification, creating a detailed design, a peer review of the detailed design, componentselection, detailed drawings and schematics, a Failure Modes, Effects and Diagnostic Analysis(FMEDA), electrical unit testing, fault injection testing, and hardware verification tests.Requirements from IEC 61508-2, Table B.2 that have been met by Rosemount, Inc. includeobservance of guidelines and standards, project management, documentation, structured design,modularization, use of well-tried components, checklists, semi-formal methods, computer aideddesign tools, simulation, and inspection of the specification. This is also documented in [D80a]. Thismeets the requirements of SIL 3.5.1.4 Software (Firmware) DesignSoftware (firmware) design is done according to [D17]. The software design process includessoftware architecture design and peer review, detailed design and peer review, critical codereviews, static source code analysis and unit test.Requirements from IEC 61508-3, Table A.2 that have been met by Rosemount, Inc. include faultdetection, error detecting codes, failure assertion programming, diverse monitor techniques,stateless software design, retry fault recovery mechanisms, graceful degradation, forward andbackward traceability between the software safety requirements specification and softwarearchitecture, semi-formal methods, event-driven, with guaranteed maximum response time, staticresource allocation, and static synchronization of access to shared resources.© exida Certification rosemount 11-07-062 r007 v1 r1 iec 61508 assessment.docx, 3/8/2012Michael Medoff Page 15 of 21
Page 1 and 2: IEC 61508 Functional Safety Assessm
Page 3 and 4: Table of ContentsManagement summary
Page 5 and 6: 2 Project management2.1 exidaexida
Page 7 and 8: [D189] exida Modification Phase Ver
Page 9 and 10: [D97] Software DVT Test Plan B.2;11
Page 11 and 12: 3 Product DescriptionThe Rosemount
Page 13: 4 IEC 61508 Functional Safety Asses
Page 17 and 18: Requirements from IEC 61508-3, Tabl
Page 19 and 20: These results must be considered in
Page 21: 7 Status of the document7.1 Liabili

IEC 61508 Functional Safety Assessment Rosemount Inc. - Exida

Create successful ePaper yourself

Delete template?

Save as template?