IEC 61508 Functional Safety Assessment Rosemount Inc. - Exida

More documents

Recommendations

Info

5.2 Hardware AssessmentTo evaluate the hardware design of the 3051 C/T/L Pressure Transmitter a Failure Modes, Effects,and Diagnostic Analysis was performed by exida. This is documented in [D165a].A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate theeffects of different component failure modes, to determine what could eliminate or reduce thechance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effectand Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques withextension to identify online diagnostics techniques and the failure modes relevant to safetyinstrumented system design.From the FMEDA failure rates are derived for each important failure category. Table 1 lists thesefailure rates as reported in the FMEDA report. The failure rates are valid for the useful life of thedevices. Based on Emerson endurance test data and general field failure data a useful life period ofapproximately 50 years is expected for the 3051 C/T/L Pressure Transmitter . This is listed in theFMEDA reports.Table 1 Failure rates according to IEC 61508 (Failure Rates in FITS; 1 FIT = 1 Failure per 10 9 hours)Device sd su2 dd du SFF 3Model 3051 CD, CG and L - 79.3 262.4 32.4 91.3%Model 3051 CA and T - 89.9 283.0 40.9 90.1%An average Probability of Failure on Demand (PFD AVG ) calculation is performed for a single (1oo1)Model 3051 with exida’s exSILentia tool. The failure rate data used in this calculation is displayedin Table 2. A mission time of 10 years has been assumed and a Mean Time To Restoration of 24hours. Table 2 lists the proof test coverage (see Appendix B of FMEDA report) used for the modelsas well as the results when the proof test interval equals 1 year.Table 2 Sample PFD AVG ResultsDeviceProof TestCoveragePFD AVG% of SIL 2RangeModel 3051 CD, CG and L with Simple Proof Test 57% 7.08E-04 7.1%Model 3051 CA and T with Simple Proof Test 45% 1.08E-03 11%Model 3051 CD, CG and L with ComprehensiveProof TestModel 3051 CA and T with Comprehensive ProofTest84% 3.61E-04 3.6%80% 5.29E-04 5.3%2 It is important to realize that the No Effect failures are no longer included in the Safe Undetected failurecategory according to IEC 61508, ed2, 2010.3 Safe Failure Fraction needs to be calculated on (sub)system level© exida Certification rosemount 11-07-062 r007 v1 r1 iec 61508 assessment.docx, 3/8/2012Michael Medoff Page 18 of 21
These results must be considered in combination with PFD AVG values of other devices of a SafetyInstrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level(SIL). It is the responsibility of the Safety Instrumented Function designer to do calculations for theentire SIF. exida recommends the accurate Markov based exSILentia tool for this purpose.The analysis shows that design of the 3051 C/T/L Pressure Transmitter meets the hardwarerequirements of IEC 61508, SIL 2 @HFT=0 and SIL 3 @ HFT=1.5.3 Opportunities for improvementDuring the course of the assessment, there were a number of cases found where there was eithera minor non-conformance or a recommended update to the development process identified. In allof these cases the issues identified were deemed not to have a significant effect on the overallfunctional safety of the product. Therefore, these items can be considered recommendations toreduce the risk of non-compliance for future development efforts or modifications. The items foundare described below: Test environment, tools, configuration and programs used should be included in futureintegration test plansThe integration plan shall consider details of those who shall carry out the integration. Thisinformation could also be included in another document such as the roles andresponsibilities document. Update the coding standard to include a requirement for structured programming. Thisinvolves using structured constructs such as sequences (case), iterations (for, while, do)and selection (if/then/else) to control program flow and to avoid unstructured constructssuch as goto and longjmp. Update coding standard to state that if dynamic objects are used, checking must beincluded to determine if the allocation succeeded and if not, to take appropriate action.Coding standard or other document should state that interrupts should only be used if theysimplify the design.Unit test plan should indicate that input equivalence class and boundary value techniquesare used. Recommend adding to source code standard the following: Complex calculations areavoided as the basis of branching and loop decisions.The analysis made and the decisions taken on whether to continue the integration test orissue a change request, in the case when discrepancies occur should be documented in theintegration test results.© exida Certification rosemount 11-07-062 r007 v1 r1 iec 61508 assessment.docx, 3/8/2012Michael Medoff Page 19 of 21
Page 1 and 2: IEC 61508 Functional Safety Assessm
Page 3 and 4: Table of ContentsManagement summary
Page 5 and 6: 2 Project management2.1 exidaexida
Page 7 and 8: [D189] exida Modification Phase Ver
Page 9 and 10: [D97] Software DVT Test Plan B.2;11
Page 11 and 12: 3 Product DescriptionThe Rosemount
Page 13 and 14: 4 IEC 61508 Functional Safety Asses
Page 15 and 16: 5.1.2 Safety Requirements Specifica
Page 17: Requirements from IEC 61508-3, Tabl
Page 21: 7 Status of the document7.1 Liabili

IEC 61508 Functional Safety Assessment Rosemount Inc. - Exida

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?