IEC 61508 Functional Safety Assessment Emerson Process ... - Exida

IEC 61508 Functional Safety Assessment 

Project: 

DVC6000 SIS Digital Valve Controller 

DETT Applications 

Customer: 

Emerson Process Management 

Fisher Controls International, LLC 

Marshalltown, IA 

USA 

Contract No.: Q07/07-41 

Report No.: EFC 07-07-41 R002 

Version V1, Revision R2, March 13, 2008 

Iwan van Beurden 

© exida Certification SA EFC 07-07-41 R002 V1R2 IEC 61508Assessment.doc, Mar. 13, 2008 

Iwan van Beurden Page 1 of 19

Management Summary 

This report summarizes the results of the functional safety assessment according to IEC 61508 

carried out on the: 

Fisher Controls DVC6000 SIS Digital Valve Controller - DETT 

The functional safety assessment performed by exida Certification consisted of the following 

activities: 

- exida Certification assessed the development process used by Fisher Controls 

International, LLC through an audit and creation of a detailed safety case against the 

requirements of IEC 61508. 

- exida Certification reviewed and assessed a detailed Failure Modes, Effects, and 

Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and 

failure behavior. 

The functional safety assessment was performed to the requirements of IEC 61508, SIL 3. A full 

IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the 

primary audit tool. Hardware and software process requirements and all associated documentation 

were reviewed. Environmental test reports were reviewed. Also the user documentation (safety 

manual) was reviewed. 

The results of the Functional Safety Assessment can be summarized by the following statements: 

The Fisher Controls DVC6000 SIS Digital Valve Controller - DETT was found to meet the 

requirements of SIL 3. 

The manufacturer will be entitled to use the Functional Safety Logo. 

The manufacturer 

may use the mark: 

© exida Certification SA. EFC 07-07-41 R002 V1R2 IEC 61508Assessment.doc, March 13, 2008 


Table of Contents 

Management Summary ...................................................................................................2 

1 Purpose and Scope ...................................................................................................4 

2 Project management..................................................................................................5 

2.1 exida.............................................................................................................................. 5 

2.2 Roles of the parties involved.......................................................................................... 5 

2.3 Standards / Literature used............................................................................................ 5 

2.4 Reference documents.................................................................................................... 5 

2.4.1 Documentation provided by Fisher Controls International, LLC.......................... 5 

2.4.2 Documentation generated by exida Consulting and exida Certification ............ 7 

3 Product Description....................................................................................................8 

3.1 Scope of Analysis......................................................................................................... 11 

4 IEC 61508 Functional Safety Assessment...............................................................12 

4.1 Methodology ................................................................................................................ 12 

4.2 Assessment level ......................................................................................................... 12 

5 Results of the IEC 61508 Functional Safety Assessment ........................................13 

5.1 Lifecycle Activities and Fault Avoidance Measures ..................................................... 13 

5.1.1 Functional Safety Management......................................................................... 13 

5.1.2 Safety Requirements Specification and Architecture Design ............................ 14 

5.1.3 Hardware Design............................................................................................... 14 

5.1.4 Validation........................................................................................................... 14 

5.1.5 Verification......................................................................................................... 15 

5.1.6 Modifications ..................................................................................................... 15 

5.1.7 User documentation .......................................................................................... 15 

5.2 Hardware Assessment................................................................................................. 16 

6 Terms and Definitions ..............................................................................................18 

7 Status of the document ............................................................................................19 

7.1 Liability ......................................................................................................................... 19 

7.2 Releases ...................................................................................................................... 19 

7.3 Future Enhancements.................................................................................................. 19 

7.4 Release Signatures...................................................................................................... 19 



1 Purpose and Scope 

Generally three options exist when doing an assessment of sensors, interfaces and/or final 

elements. 

Option 1: Hardware assessment according to IEC 61508 

Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s) 

like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault 

behavior and the failure rates of the device, which are then used to calculate the Safe Failure 

Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG). When appropriate, fault 

injection testing will be used to confirm the effectiveness of any self-diagnostics. 

This option provides the safety instrumentation engineer with the required failure data as per IEC 

61508 / IEC 61511. This option does not include an assessment of the development process. 

Option 2: Hardware assessment with proven-in-use consideration according to IEC 61508 / 

IEC 61511 

Option 2 extends Option 1 with an assessment of the proven-in-use documentation of the device 

including the modification process. 

This option for pre-existing programmable electronic devices provides the safety instrumentation 

engineer with the required failure data as per IEC 61508 / IEC 61511. When combined with plant 

specific proven-in-use records, it may help with prior-use justification per IEC 61511 for sensors, 

final elements and other PE field devices. 

Option 3: Full assessment according to IEC 61508 

Option 3 is a full assessment by exida according to the relevant application standard(s) like 

IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1. 

The full assessment extends option 1 by an assessment of all fault avoidance and fault control 

measures during hardware and software development. 

This option provides the safety instrumentation engineer with the required failure data as per IEC 

61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures 

during the development process of the device. 

This assessment shall be done according to option 3. 

This document shall describe the results of the IEC 61508 functional safety assessment of the 

Fisher Controls DVC6000 SIS Digital Valve Controller - DETT. 



2 Project management 

2.1 exida 

exida is one of the world’s leading knowledge companies specializing in automation system safety 

and availability with over 300 years of cumulative experience in functional safety. Founded by 

several of the world’s top reliability and safety experts from assessment organizations and 

manufacturers, exida is a partnership with offices around the world. exida offers training, coaching, 

project oriented consulting services, internet based safety engineering tools, detailed product 

assurance and certification analysis and a collection of on-line safety and reliability resources. 

exida maintains a comprehensive failure rate and failure mode database on process equipment. 

exida Certification is the market leader for IEC 61508 certification for currently active marketed 

products. 

2.2 Roles of the parties involved 

Fisher Controls International, LLC Manufacturer of the DVC6000 SIS Digital Valve Controller 

exida Consulting Provided services to support Fisher Controls International, LLC during the 

development of the DVC6000 SIS Digital Valve Controller. 

exida Certification Performed the IEC 61508 Functional Safety Assessment according to 

option 3 (see section 1) 

Fisher Controls International, LLC contracted exida in October 2007 with the IEC 61508 Functional 

Safety Assessment of the above mentioned devices. 

2.3 Standards / Literature used 

The services delivered by exida were performed based on the following standards / literature. 

[N1] IEC 61508 (Parts 1 - 7): 2000 Functional Safety of Electrical/Electronic/Programmable Electronic 

Safety-Related Systems 

2.4 Reference documents 

2.4.1 Documentation provided by Fisher Controls International, LLC 

[D1] 07GA05-FSMP, 0.1; 10/4/2007 DVC6000 Functional Safety Management Plan 

[D2] CHK, C; 1/23/2008 Safety Related Systems Verification Checklists 

[D3] CRF, 0.1; 1/24/2008 Competency Review Worksheet 

[D4] DS, 9/12/2007 DVC6000 Architectural System Design Specification 

[D5] DVC6000 CHKLST, NA; 2/4/2008 Completed Safety Related Systems Verification Checklist for 

DVC6000 

[D6] EP 25, C; 1/7/2008 Software Coding Practice (EP 25) 

[D7] EP43, A; 4/24/2007 FSM: Configuration and Change Management Engineering Practice 

(EP 43) 

[D8] EP44, A Peer Review Procedure (EP 44) 



[D9] ES 102, Z; 2/6/2007 Provisions for Control of Engineering Documents by Independent 

Testing Laboratories (ES 102) 

[D10] ES 192, Y; 11/2/2005 Engineering Change Request Procedure (ES 192) 

[D11] ES 235, J; 9/29/2003 Product Safety (ES 235) 

[D12] ES 269, C; 1/8/2008 Product Development Process for Safety Instrumented Systems (ES 

269) 

[D13] Form 5807, NA; May 2007 DVC6000 SIS Instruction Manual 

[D14] Form 5854, NA; Feb 2008 DVC6000 SIS Safety Manual 4-20mA 

[D15] Form 5743, NA; Mar 2008 DVC6000 SIS Safety Manual 0-20mA 

[D16] FPP-009, F; 4/19/1999 Quality Procedure: Procurement of COTS H/W and S/W products 

(FPP-009) 

[D17] FSMP, 1.0; 12/11/2007 FSM Plan Template 

[D18] HIFC, NA; 1/23/2008 Hazardous Incident Flow Chart 

[D19] IAR Template, B; 10/18/2007 IAR (Impact Analysis Report) Template 

[D20] QS50-0021,6; 1/15/1996 Supplier Evaluation Procedure 

[D21] SRS, 0.2; 1/6/2008 DVC6000 Safety Requirements Specification 

[D22] Train_Worksheet.doc, 0.1; 

6/16/2003 

Training Documentation 

[D23] TS-VAL, A; 1/9/2008 DVC6000 Safety Validation Test Specification 

[D24] V&V:SCA, V1R4; 6/15/2004 exida: Software Criticality Analysis & IEC 61508 Tailoring 

[D25] 04GA02-FSM, Rev A DVC6000 SIS & LCP100 (0-20mA / 0-24V DETT) Functional Safety 

Management / V&V Plan 

[D26] 04GA02-SaRS, Rev A DVC6000 SIS & LCP100 (0-20mA / 0-24V DETT) Safety 

Requirements Specification 

[D27] 04GA02-PMP, Rev A Project Management Plan for DVC6000 

[D28] 98GA06-SRD DVC6000 System Requirements Document 

[D29] Quality Manual.pdf, Rev B ISO-9001 Quality Management System Manual for Fisher Controls 

International Valve Division 

[D30] ES 251, Rev B Product Development Process Engineering Standard 

[D31] ES 63, Rev BK Project Documentation Standard 

[D32] ES 94, Rev AH Design Review Committee Standard 

[D33] ES 102, Rev Z Control of Engineering Documents by Independent Testing 

Laboratories Engineering Standard 

[D34] ES 36 Making and Filing Calculations Standard 

[D35] Apprv_7.pdf, Rev A Impact Analysis Report Template 

[D36] EP 32, Rev A FMEA Procedure 

[D37] ES 238 Technical Assessment Process 

[D38] DVC6000 Assembly.pdf, 

08/28/2006 

DVC6000 Assembly Drawing, 48B7710, Rev K, sheets 1 and 2 

[D39] FGS12D89.pdf, Rev L DVC6000 Series Product Assembly Specification 

[D40] 18B9592 Rev R DVC6000 electronics Bill Of Materials, pages 1 to 12 



[D41] 28B9586 Rev H DVC6000 schematic, sheets 1 to 11 

[D42] GE21413_A_schematic.tif, Rev B LCP100 Schematic 

[D43] ECRN 20070480.pdf, 8/17/07 Example of completed ECRN 

[D44] ECRN070480-IAR, Rev A Changing Fabric Material Color for DVC6000 Relay Instrument 

Diaphragm example of completed Impact Analysis 

[D45] 00GY01-PTR-02, Rev E Fault Injection Testing of DVC6000 I/P & Relay, July 2001 

[D46] 00GY01-PTR-04, Rev B Mechanical Fault Injection Test, Jan. 2002 

[D47] 04GA02 PTR.doc, Rev A Fault Injection Testing of DVC6000 Reverse Acting Relay, August 10, 

2007 

[D48] 04GA02 PTR.doc, Rev A Mechanical Fault Injection Test Relay Instrument and Supply Bias 

Misalignment, Feb 16, 2007 

[D49] 04GA02-PTR-MPU Fault Inj.doc, 

Rev A 

DVC6000 SIS Electronics Fault Injection Test Report, August 21, 

2007 

[D50] 04GA02-PTR-01, Rev A 04GA02-PTR-01, DVC6000 Electronics Fault Injection Tests 

[D51] DVC6000MTBFdata.xls Field Return Data, Feb. 2006 

[D52] 04GA02-PTR-10, Rev A DVC6000 Gemini Relay Evaluation Temperature Sensitivity Project 

Test Report 

[D53] 98GA06-PTR-08, Rev A Ten Year Chemical Environment Exposure Test of DVC6000 

2.4.2 Documentation generated by exida Consulting and exida Certification 

[R1] 

EFC 07-07-41 R002 V1R1 IEC 

61508Assessment.doc, March 13, 

2008 

IEC 61508 Functional Safety Assessment for Fisher Controls 

DVC6000 SIS Digital Valve Controller - DETT (This document) 

[R2] Safety Case DVC6000 Safety Case 4-20 mA DETT 

[R3] Safety Case DVC6000 Safety Case 0-20 mA and 0-24 VDC 

[R4] DVC6000MTBFdata 11-6 GPS.xls Field Failure analysis done on data supplied (internal document) 

[R5] Field Fail Summary.xls Summary of Field Failure Data (internal document) 

[R6] DVC6000 Electronics with 

PVST(DE to trip) HART 

annunciation.xls 

[R7] DVC6000 Electronics without 

PVST(DE to trip) HART 

annunciation.xls 

[R8] Relays DVC6000 FMEDA 4-19 

wI-P.xls 

[R9] Loop_PS_Low_FMEDA.xls, 

11/06/2006 

[R10] Loop_PS_High_FMEDA.xls, 

11/06/2006 

Failure Modes, Effects and Diagnostic Analysis, DVC6000 SIS, 

(internal document) 

Failure Modes, Effects and Diagnostic Analysis, DVC6000 SIS, 


Failure Modes, Effects and Diagnostic Analysis, DVC6000 SIS 


Failure Modes, Effects, and Diagnostic Analysis – LCP100 – Loop 

Power - Low Limit (internal document) 

Failure Modes, Effects, and Diagnostic Analysis - LCP100 – Loop 

Power – High Limit (internal document) 

[R11] 24V_PS_FMEDA.xls, 11/06/2006 Failure Modes, Effects, and Diagnostic Analysis - LCP100 – 24V 

Power Supply (internal document) 

[R12] DVC6000 FMEDA 

Megafile4_10.xls, 1/15/2008 

Failure Modes, Effects and Diagnostic Analysis rollup, DVC6000 SIS, 

(internal joint collaboration contains R8-R11) 

[R13] FCI 01/12-03 R112, 2/14/2002 FMEDA report, LC340 Line Conditioner 



[R14] EFC 06/01-40 R004, V1 R1, 

11/21/2006 

Proven In Use / Field Failure Study DVC6000 Digital Valve Controller 

[R15] V&V:PoE, NA; 9/17/2007 Proven Operational Experience Spreadsheet for DVC6000 

[R16] FIS 07-07-41 R001, V0R1; 

1/27/2008 

[R17] EFC 06/01-40 R002, V1 R1, 

2/20/2008 

[R18] EFC 06/01-40 R005, V1 R1, 

2/26/2008 

Proven In Use Assessment 

FMEDA report, DVC6000 SIS Digital Valve Controller 4-20mA 

FMEDA report, DVC6000 SIS Digital Valve Controller 0-20mA and 0- 

24 VDC 

[R19] Fisher SafetyCaseDB, 2/2008 DVC6000 SIS Digital Valve Controller 4-20mA DETT IEC 61508 

Compliance SafetyCaseDB (internal database) 

[R20] DVC6000 0-20 SCDB.esc, 

11/8/2007 

DVC6000 SIS Digital Valve Controller 0-20mA IEC 61508 Compliance 

SafetyCaseDB (internal database) 

[R21] IEC Tables, 0.2; 1/7/2008 IEC 61508 Tables, document shows all tables from IEC 61508 Annex 

A and B from part 2 and part 3 along with a description as to how 

Fisher meets each of the requirements. 

[R22] PA, 3; 9/11/2007 DVC6000 pointer analysis, document is an in depth analysis of all 

pointers used in the DVC6000. The analysis ensures that there is no 

systematic errors that could lead to data corruption in the DVC6000 

3 Product Description 

The Fisher Controls International, Inc. DVC6000 SIS Digital Valve Controller is a communicating, 

microprocessor-based current-to-pneumatic instrument used in many different industries including 

oil and gas, power, pulp and paper, chemical, and food and beverage for both control and safety 

applications. In Safety Instrumented System applications, the DVC6000 can also perform partial 

valve stroke testing either automatically or manually. The partial valve stroke test monitors actuator 

pressure and valve stem position. 

As indicated in the following figure the DVC6000 SIS receives an input signal from the logic solver 

system via an analog output. This input signal is a 0-20 mA, (0 - 24 VDC) or 4-20 mA signal. Only 

De-Energize To Trip applications have been considered in this assessment. Additionally, the 

DVC6000 may be operated with or without automatic shutdown enabled, but this assessment only 

deals with automatic shutdown disabled. The DVC6000 digital valve controller controls an actuator 

via output A or via output A and output B. This accounts for the different operating modes of the 

mechanical parts as shown in Table 1. 

In the single acting operating mode only output A is used. During normal operation (in De-Energize 

to Trip) output A is pressurized, if a shutdown is required output A is depressurized. In the double 

acting operating mode both output A and output B are used. During normal operation output A is 

greater than output B, if a shutdown is required output A is equal to or less than output B. It is 

assumed that the DVC6000 – actuator combination will fail safe on loss of air pressure because of 

the spring return action in the actuator. The actuator that is controlled by the DVC6000 on its turn 

controls a valve. A valve travel feedback signal is fed back to the digital valve controller but is not 

part of the safety critical path. The feedback signal is required in order to perform a PVST. 



Logic 

Solver 

DVC6000 

IEC 61508 Type B 

Terminal 

Box 

Printed 

Wiring 

Board 

Drive 

signal 

IEC 61508 Type A 

I/P 

Converter 

exida FMEDA 

Air supply 

I/P 

Output 

pressure 

Pneumatic 

Relay 

Figure 1 DVC6000 SIS Assembly 

In addition to the DVC6000 SIS external connections, Figure 1 also indicates the main parts of the 

digital valve controller. As described above the DVC6000 SIS can be divided into an electrical part 

and a mechanical part. This assessment was done on the entire product. 

Figure 1 also indicates the architectural constraint types of the two main parts of the DVC6000 SIS 

Digital Valve Controller as defined by IEC 61508-2. The architectural constraint type of the MPU 

module assembly is Type B 1 , where the architectural constraint type of the mechanical assembly is 

Type A 1 . In the 0-20 mA and 0-24 VDC operating modes the MPU module assembly is not part of 

the safety critical path therefore the product is Type A for that operating mode. The 4-20mA 

operating mode DVC6000 is Type B. 

1 Type A device: “Non-Complex” subsystem (using discrete elements); for details see 7.4.3.1.2 of IEC 61508- 

2./ Type B device: “Complex” component (using micro controllers or programmable logic); for details see 

7.4.3.1.3 of IEC 61508-2. 


Iwan van Beurden Page 9 of 19 

Output A 

Output B 

Feedback 

Potentiometer 

Valve travel 

feedback 

Actuator 

Valve

Table 1 gives an overview of the different versions that were considered in the FMEDA’s and 

assessment of the Fisher Controls DVC6000 SIS Digital Valve Controller - DETT. 

Table 1 Version overview 

Application Safety Function 

1 4-20 mA Operation, Double-Acting (Relay 

A), De-Energize to Trip 

2 4-20 mA Operation, Single-Acting (Relay 

C), De-Energize to Trip 

3 4-20 mA Operation, Single-Acting (Relay 

A), De-Energize to Trip 

4 0-20 mA or 0-24 VDC Operation, Double- 

Acting (Relay A), De-Energize to Trip 

5 0-20 mA or 0-24 VDC Operation, Single- 

Acting (Relay C), De-Energize to Trip 

6 0-20 mA or 0-24 VDC Operation, Single- 

Acting (Relay A), De-Energize to Trip 

Output A ≤ Output B (with 4 mA input signal) 

Output A ≤ 1 psi (with 4 mA input signal) 

Output A ≤ 1 psi (with 4 mA input signal) 

Output A ≤ Output B (with < 1 mA input 

signal) 

Output A ≤ 1 psi (with < 1 mA input signal) 

Output A ≤ 1 psi (with < 1 mA input signal) 

For the 4 – 20 mA operating mode, the fail-safe state is defined as the input signal being 4 mA. The 

DVC6000 SIS Digital Valve Controller is classified as a Type B 1 device for these applications 

according to IEC 61508, having a hardware fault tolerance of 0. 

For the 0 – 20 mA operating mode, the fail-safe state is defined as the input signal being < 1mA. 

This will ensure that the electronics are no longer capable of driving the I/P module. Therefore the 

DVC6000 SIS Digital Valve Controller is classified as a Type A 1 device for both applications 

according to IEC 61508, having a hardware fault tolerance of 0. 



3.1 Scope of Analysis 

The following were considered in this analysis: 

Product: DVC6000 SIS 

Models: DVC6005, DVC6010, DVC6015, DVC6020, DVC6025, DVC6030, DVC6035, 

DVC6010S, DVC6020S, DVC6030S 

Options: Remote travel sensor, Stainless Steel housing, Extreme temperature, Relay A, 

Relay C, Low-bleed relay A, Low-bleed relay C. 

Accessories: LCP100 

LC340 (0-24VDC applications only) 



4 IEC 61508 Functional Safety Assessment 

The IEC 61508 Functional Safety Assessment was performed based on the information received 

from Fisher Controls International, LLC and is documented in [R2] and [R3]. 

4.1 Methodology 

The full functional safety assessment includes an assessment of all fault avoidance and fault 

control measures during hardware and software development and demonstrates full compliance 

with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any 

requirements that have been deemed not applicable have been marked as such in the full Safety 

Case report. 

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed: 

• Development process, including: 

o Functional Safety Management, including training and competence recording, FSM 

planning, and configuration management 

o Specification process, techniques and documentation 

o Design process, techniques and documentation, including tools used 

o Validation activities, including development test procedures, test plans and reports, 

production test procedures and documentation 

o Verification activities and documentation 

o Modification process and documentation 

o Installation, operation, and maintenance requirements, including user documentation 

• Product design 

o Hardware architecture and failure behavior, documented in a FMEDA 

o Software architecture and failure behavior, documented in listed software analysis 

documents. 

The review of the development procedures is described in section 5.1. The review of the product 

design is described in section 5.2. 

4.2 Assessment level 

The DVC6000 SIS, DETT Digital Valve Controller has been assessed per IEC 61508 to the 

following levels: 

Systematic Safety Integrity Level: The development procedures were assessed as suitable 

for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 

61508. 

• Random Safety Integrity Level: PFDAVG and Architectural Constraints must be verified for 

each final element application up to SIL 3. 



5 Results of the IEC 61508 Functional Safety Assessment 

exida Certification assessed the development process used by Fisher Controls International, LLC 

during the product development against the objectives of IEC 61508 parts 1, 2, and 3, in [R2] and 

[R3]. The development process was fully compliant with IEC 61508. However, portions of the 

DVC6000 SIS Digital Valve Controller were developed prior to the establishment of this IEC 61508 

SIL 3 compliant development process. Consequently for the evaluation of systematic fault 

avoidance measures, proven in use claims were considered in addition to existing design 

documentation and additional documented safety analysis which showed the design integrity. The 

Safety Case was created with project specific design documents. Future modifications to the 

DVC6000 SIS Digital Valve Controller must be made per the IEC 61508 SIL 3 compliant 

development process. 

5.1 Lifecycle Activities and Fault Avoidance Measures 

Fisher Controls International, LLC has an IEC 61508 compliant development process as assessed 

during the IEC 61508 certification. This compliant development process is documented in [R2] and 

[R3]. Most of the DVC6000 SIS Digital Valve Controller functionality was developed before this IEC 

61508 compliant development process was in place, consequently proven in use arguments were 

considered for some of the systematic fault avoidance measures. 

This functional safety assessment investigated the compliance with IEC 61508 of the processes, 

procedures and techniques as implemented for the digital valve controller development. The 

investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work 

scope of the development team. The result of the assessment can be summarized by the following 

observations: 

The audited Fisher Controls International, LLC development process complies with the 

relevant managerial requirements of IEC 61508 SIL 3. 

5.1.1 Functional Safety Management 

FSM Planning 

The functional safety management of any Fisher Controls International, LLC Safety Instrumented 

Systems Product development is governed by Engineering Standard ES 269 [D12]. For each 

development Fisher Controls International, LLC creates a Functional Safety Management Plan per 

the FSM Plan Template [D17] which defines all of the tasks that must be done to ensure functional 

safety as well as the person(s) responsible for each task. These processes and the procedures 

referenced herein fulfill the requirements of IEC 61508 with respect to functional safety 

management. 

Version Control 

All documents are under version control as documented in [D10], [R2] and [R3]. Design drawings 

and documents are also under version control. Fisher Controls International, LLC uses Visual 

Source Safe for its version control. 

Training, Competency recording 



Personnel training records are kept in accordance with IEC 61508 requirements as documented in 

[R2], [R3] and [D22]. Fisher Controls International, LLC hired exida Consulting to provide analysis, 

training and supplemental functional safety expertise. Fisher Controls International, LLC hired 

exida Certification to be the independent assessor per IEC 61508. 

5.1.2 Safety Requirements Specification and Architecture Design 

As defined in [D1] and [D7], a safety requirements specification (SRS) is done for all products that 

must meet IEC 61508 requirements. The requirements specification contains a scope and safety 

requirements section. For the DVC6000 SIS Digital Valve Controller, the SRS [D21] and [D26], 

have been reviewed by exida Consulting. During the assessment, exida Certification reviewed the 

content of the specification for completeness per the requirements of IEC 61508. 

Requirements are tracked throughout the development process by the creation of derived 

requirements, which map the requirements to the design, and by mapping requirements to 

appropriate validation tests in the validation test plan [D23]. 

Requirements from IEC 61508-2, Table B.1 that have been met by Fisher Controls International, 

LLC include project management, documentation, separation of safety requirements from nonsafety 

requirements, structured specification, inspection of the specification, semi-formal methods 

and checklists. [R21] documents more details on how each of these requirements have been met. 

This meets the requirements of SIL 3. 

5.1.3 Hardware Design 

Hardware design, including both electrical and mechanical design, is done according to [D1] and 

[D12]. The hardware design process includes component selection, detailed drawings and 

schematics, 3D Solid Models, safety case documents for agency justification, a failure modes and 

effect analysis (FMEA), a failure modes, effects and diagnostic analysis (FMEDA), a concept 

design review, the creating of prototypes, and hardware verification tests. 


LLC include observance of guidelines and standards, project management, documentation, 

structured design, modularization, use of well-tried components, checklists, semi-formal methods, 

computer aided design tools, simulation, and inspection of the specification. This meets the 

requirements of SIL 3. 

5.1.4 Validation 

Validation Testing is done via a set of documented tests (see [D1] and [D23]). The validation tests 

are traceable to the Safety Requirements Specification [D21] and [D26] in the validation test plan 

[D23]. In addition to standard Test Specification Documents, third party testing may be included as 

part of agency approvals. As the Fisher Controls DVC6000 SIS Digital Valve Controller - DETT 

consists of simple electrical devices with a straightforward safety function, integration testing has 

been limited to verifying that all diagnostics take the appropriate action when they find a problem 

(See [D1] for more details on this testing). 

Procedures are in place for corrective actions to be taken when tests fail as documented in [R2], 

[R3] and [D10]. 




LLC include functional testing, project management, documentation, and black-box testing. Field 

experience and statistical testing via regression testing are not applicable. [R21] documents more 

details on how each of these requirements has been met. This meets the requirements of SIL 3. 


LLC include functional testing and functional testing under environmental conditions, Interference 

surge immunity testing, fault insertion testing, project management, documentation, static analysis, 

dynamic analysis, and failure analysis, expanded functional testing and black-box testing. [R21] 

documents more details on how each of these requirements has been met. This meets SIL 3. 

5.1.5 Verification 

The development and verification activities are defined in [D1] and [D2]. Verification activities 

include the following: Fault Injection Testing [D45] to [D50], Code Review [D8], Checklists [D5], 

FMEDA [R12], [R13], [R17], and [R18], Software Criticality Analysis and HAZOP [D24], and System 

FMEA [R17], and [R18]. Further verification activities are documented in [D1] and [D12] for new 

product development projects. 

5.1.6 Modifications 

Modifications are done per the Fisher Controls International, LLC’s IEC 61508 SIL 3 compliant 

development process as documented in [D7] and [D10], and governed by [D12]. This meets the 

requirements of IEC 61508 SIL 3. 

5.1.7 User documentation 

Fisher Controls International, LLC created a Safety Manual for the DVC6000 SIS Digital Valve 

Controller, see [D14] and[D15]. These safety manuals were assessed by exida Certification. The 

final version is considered to be in compliance with the requirements of IEC 61508. The document 

includes all required reliability data and operations, maintenance, and proof test procedures. 


LLC include operation and maintenance instructions, user friendliness, maintenance friendliness, 

project management, documentation, limited operation possibilities, protection against operator 

mistakes, and operation only by skilled operators. [R21] documents more details on how each of 

these requirements has been met. This meets the requirements for SIL 3. 



5.2 Hardware Assessment 

To evaluate the hardware design of the DVC6000 SIS Digital Valve Controller, a Failure Modes, 

Effects, and Diagnostic Analysis was performed by exida Consulting for each component in the 

system. This is documented in [R12], [R13], [R17], and [R18]. The FMEDA’s were verified using 

Fault Injection Testing as part of the development, see [D45] to [D50], and as part of the IEC 61508 

assessment. 

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the 

effects of different component failure modes, to determine what could eliminate or reduce the 

chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect 

and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with 

extension to identify online diagnostics techniques and the failure modes relevant to safety 

instrumented system design. 

From the FMEDA failure rates are derived for each important failure category. The detailed failure 

rates are listed in [R12], [R13], [R17] and [R18]. Table 2 lists these failure rates in IEC 61508 

format as reported in the FMEDA reports. The failure rates are valid for the useful life of the 

devices. 

Table 2 Failure rates according to IEC 61508 

Device λsd λsu 2 λdd λdu 

Fisher Controls DVC6000, DETT SIS Digital 

Valve Controller, 4 – 20 mA., Double or 

Single-Acting, Normal 

Fisher Controls DVC6000, DETT SIS Digital 


Single-Acting, w/PVST diagnostics 

Fisher Controls DVC6000 DETT SIS Digital 


Single-Acting, Normal 

Fisher Controls DVC6000 DETT SIS Digital 


Single-Acting, w/PVST diagnostics 

0 1183 0 144 

508 1004 97 47 

0 974 0 91 

543 786 62 29 

Tables in the FMEDA reports [R17], and [R18] lists these failure rates for the DVC6000 SIS 

including the optional LCP100 and LC340 under a variety of applications. The failure rates listed 

are valid for the useful life of the devices. Based on general field failure data a useful life period of 

approximately 10 years is expected for the DVC6000 SIS Digital Valve Controller. This is listed in 

the FMEDA report. However, when plant experience indicates a shorter useful lifetime than 

indicated in the FMEDA report, the number based on plant experience should be used. All other 

assumptions are also listed in the reports. 

2 It is important to realize that the “Residual Effect” failures are included in the “Safe Undetected” failure 

category according to IEC 61508. Note that these failures on their own will not affect system reliability or 

safety, and should not be included in spurious trip calculations 



For low demand SIL 3 applications the PFDAVG value of the Safety Instrumented Function needs to 

be ≥ 10 -4 and < 10 -3 . The PFDAVG of all devices of a Safety Instrumented Function (SIF) must be 

calculated in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety 

Manual states that the application engineer should calculate the PFDAVG for each defined safety 

instrumented function (SIF) to verify the design of that SIF. 

The analysis shows that the design of the DVC6000 SIS Digital Valve Controller (including 

the optional LCP100 and LC340) is capable of meeting the hardware requirements of IEC 

61508 SIL 3. 



6 Terms and Definitions 

Fault tolerance Ability of a functional unit to continue to perform a required function in the 

presence of faults or errors (IEC 61508-4, 3.6.3) 

FIT Failure In Time (1x10 -9 failures per hour) 

FMEDA Failure Mode Effect and Diagnostic Analysis 

HART Highway Addressable Remote Transducer 

HFT Hardware Fault Tolerance 

Low demand mode Mode, where the frequency of demands for operation made on a safetyrelated 

system is no greater than twice the proof test frequency. 

PFDAVG 

Average Probability of Failure on Demand 

PVST Partial Valve Stroke Test 

It is assumed that the Partial Valve Stroke Testing, when performed, is 

performed at least an order of magnitude more frequently than the proof 

test, therefore the test can be assumed an automatic diagnostic. Because of 

the automatic diagnostic assumption the Partial Valve Stroke Testing also 

has an impact on the Safe Failure Fraction. 

SFF Safe Failure Fraction summarizes the fraction of failures, which lead to a 

safe state and the fraction of failures which will be detected by diagnostic 

measures and lead to a defined safety action. 

SIF Safety Instrumented Function 

SIL Safety Integrity Level 

SIS Safety Instrumented System – Implementation of one or more Safety 

Instrumented Functions. A SIS is composed of any combination of 

sensor(s), logic solver(s), and final element(s). 

Type A (sub)system “Non-Complex” (sub)system (using discrete elements); for details see 

7.4.3.1.2 of IEC 61508-2 

Type B (sub)system “Complex” (sub)system (using micro controllers or programmable logic); for 

details see 7.4.3.1.3 of IEC 61508-2 



7 Status of the document 

7.1 Liability 

exida prepares reports based on methods advocated in International standards. Failure rates are 

obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use 

of these numbers or for the correctness of the standards on which the general calculation methods 

are based. 

7.2 Releases 

Version: V1 

Revision: R2 

Version History: V1, R2 Minor edits, March 13, 2008 

V1, R1: Added 0 – 20 mA; February 29, 2008 

V0, R1: Internal Draft; February 20, 2008 

Authors: Iwan van Beurden 

Review: V1, R1 Client 

V0, R1 William M. Goble 

Release status: Released 

7.3 Future Enhancements 

At request of client. 

7.4 Release Signatures 

William M. Goble, Principal Partner 

Iwan van Beurden, Director of Engineering

IEC 61508 Functional Safety Assessment Emerson Process ... - Exida

Create successful ePaper yourself

Delete template?

Save as template?