IEC 61508 Functional Safety Assessment Emerson Process ... - Exida

[R14] EFC 06/01-40 R004, V1 R1,
11/21/2006
Proven In Use / Field Failure Study DVC6000 Digital Valve Controller
[R15] V&V:PoE, NA; 9/17/2007 Proven Operational Experience Spreadsheet for DVC6000
[R16] FIS 07-07-41 R001, V0R1;
1/27/2008
[R17] EFC 06/01-40 R002, V1 R1,
2/20/2008
[R18] EFC 06/01-40 R005, V1 R1,
2/26/2008
Proven In Use Assessment
FMEDA report, DVC6000 SIS Digital Valve Controller 4-20mA
FMEDA report, DVC6000 SIS Digital Valve Controller 0-20mA and 0-
24 VDC
[R19] Fisher SafetyCaseDB, 2/2008 DVC6000 SIS Digital Valve Controller 4-20mA DETT IEC 61508
Compliance SafetyCaseDB (internal database)
[R20] DVC6000 0-20 SCDB.esc,
11/8/2007
DVC6000 SIS Digital Valve Controller 0-20mA IEC 61508 Compliance
SafetyCaseDB (internal database)
[R21] IEC Tables, 0.2; 1/7/2008 IEC 61508 Tables, document shows all tables from IEC 61508 Annex
A and B from part 2 and part 3 along with a description as to how
Fisher meets each of the requirements.
[R22] PA, 3; 9/11/2007 DVC6000 pointer analysis, document is an in depth analysis of all
pointers used in the DVC6000. The analysis ensures that there is no
systematic errors that could lead to data corruption in the DVC6000
3 Product Description
The Fisher Controls International, Inc. DVC6000 SIS Digital Valve Controller is a communicating,
microprocessor-based current-to-pneumatic instrument used in many different industries including
oil and gas, power, pulp and paper, chemical, and food and beverage for both control and safety
applications. In Safety Instrumented System applications, the DVC6000 can also perform partial
valve stroke testing either automatically or manually. The partial valve stroke test monitors actuator
pressure and valve stem position.
As indicated in the following figure the DVC6000 SIS receives an input signal from the logic solver
system via an analog output. This input signal is a 0-20 mA, (0 - 24 VDC) or 4-20 mA signal. Only
De-Energize To Trip applications have been considered in this assessment. Additionally, the
DVC6000 may be operated with or without automatic shutdown enabled, but this assessment only
deals with automatic shutdown disabled. The DVC6000 digital valve controller controls an actuator
via output A or via output A and output B. This accounts for the different operating modes of the
mechanical parts as shown in Table 1.
In the single acting operating mode only output A is used. During normal operation (in De-Energize
to Trip) output A is pressurized, if a shutdown is required output A is depressurized. In the double
acting operating mode both output A and output B are used. During normal operation output A is
greater than output B, if a shutdown is required output A is equal to or less than output B. It is
assumed that the DVC6000 – actuator combination will fail safe on loss of air pressure because of
the spring return action in the actuator. The actuator that is controlled by the DVC6000 on its turn
controls a valve. A valve travel feedback signal is fed back to the digital valve controller but is not
part of the safety critical path. The feedback signal is required in order to perform a PVST.
© exida Certification SA. EFC 07-07-41 R002 V1R2 IEC 61508Assessment.doc, March 13, 2008
Iwan van Beurden Page 8 of 19