The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
IEC 61508 Functional Safety Assessment
Project:
DVC6200 SIS Digital Valve Controller and Position Monitor
Customer:
Emerson Process Management
Fisher Controls International, LLC Marshalltown, IA
USA
Contract No.: Q13-07-040 Report No.: EFC Q12/02-027 R004
Version V2, Revision R2, September 20, 2013
David E. Butler, Iwan van Beurden
© exida EFC 12-02-027 R004 V2R2 IEC 61508 Assessment DVC6200.docx, September 20, 2013
T-034 V1R2 www.exida.com Page 2 of 21
Management Summary
This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the:
Fisher Controls International, LLC DVC6200 SIS Digital Valve Controller and Position Monitor
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by Fisher Controls International, LLC through an audit and creation of a detailed safety case against the requirements of IEC 61508.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at Fisher Controls International, LLC.
The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. Also the user documentation (safety manual) was reviewed.
The results of the Functional Safety Assessment can be summarized by the following statements:
- The DVC6200 SIS Digital Valve Controller, in the DETT and ETT configuration, was found to meet the systematic integrity requirements of SIL 3.
- The DVC6200 SIS Position Monitor, in the Position Transmitter or Limit Switch configuration, was found to meet the systematic integrity requirements of SIL 2.
- The PFDAVG and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function.
The manufacturer is entitled to use the Functional Safety Logos and the certification mark (logo images not reproduced here).
Table of Contents
Management Summary  2
1 Purpose and Scope  4
2 Project Management  4
2.1 exida  4
2.2 Roles of the Parties Involved  4
2.3 Standards / Literature Used  4
2.4 Reference Documents  5
2.4.1 Documentation Provided by Fisher Controls  5
2.4.2 Documentation Provided by Fisher Controls for Renewal Assessment  8
2.4.3 Documentation Generated by exida  9
3 Product Description  10
3.1 Digital Valve Controller Configurations  10
3.2 Position Transmitter / Limit Switch Configurations  11
4 IEC 61508 Functional Safety Assessment  13
4.1 Methodology  13
4.2 Assessment Level  13
4.3 Product Modifications  14
5 Results of the IEC 61508 Functional Safety Assessment  14
5.1 Lifecycle Activities and Fault Avoidance Measures  14
5.1.1 Functional Safety Management  15
5.1.2 Safety Requirements Specification and Architecture Design  15
5.1.3 Hardware Design  15
5.1.4 Software (Firmware) Design  16
5.1.5 Validation  16
5.1.6 Verification  17
5.1.7 Modifications  17
5.1.8 User Documentation  17
5.2 Hardware Assessment  19
6 Terms and Definitions  20
7 Status of the document  21
7.1 Liability  21
7.2 Releases  21
7.3 Future Enhancements  21
7.4 Release Signatures  21
1 Purpose and Scope
This document describes the results of the IEC 61508 functional safety assessment of the Fisher Controls International, LLC (hereafter Fisher Controls):
DVC6200 SIS Digital Valve Controller
DVC6200 SIS Position Monitor
by exida according to the requirements of IEC 61508: ed2, 2010.
The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 and with confidence that sufficient attention has been given to systematic failures during the development process of the device.
2 Project Management
2.1 exida
exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.
2.2 Roles of the Parties Involved
Fisher Controls: Manufacturer of the DVC6200 SIS Digital Valve Controller and DVC6200 SIS Position Monitor.
exida: Provided services to support Fisher Controls during the evaluation of the DVC6200 SIS Digital Valve Controller and DVC6200 SIS Position Monitor.
exida: Performed the IEC 61508 Functional Safety Assessment according to IEC 61508 SIL 3.
Fisher Controls International, LLC contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.
2.3 Standards / Literature Used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 7): 2010
Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
2.4 Reference Documents
2.4.1 Documentation Provided by Fisher Controls
D03 Quality Management System Manual - qmsm1.pdf Issue 2, Revision F; 1/2/2012
D04 PMP Project Management Plan 08GA05.doc Revision B; 4/27/2010
D07 Development Process SIS - es269.pdf Revision A; 3/19/2010
D11 SRS Verification Checklist Section 1 08GA05.doc Revision A; 5/16/2012
D117 Proven In Use Calculations For PIC module.xls 8/23/2012
D12 Supplier Quality Manual - fgs15b13.pdf Issue 0, Revision A; 11/1/2010
D120 Search of SMS CTS calls containing DVC6200f as a device type.xls informal; 8/12/2012
D121 DVC6200F SHIPMENT JAN10 TO YTD.XLS INFORMAL REPORT; 8/12/2012
D122 08GA05 FMEDA Proven_in_use.doc Revision A; 6/12/2012
D123 FHI Firmware Hardware Interface Specification 08GA05.doc Revision A;
D124 SIS course descriptions.docx Database Report; 8/1/2012
D125 08GA05-PTR-Valve Shutdown SIS EMC Tests.xlsx Revision A; 6/20/2012
D126 08GA05-PTR-Transmitter EMC Tests.xlsx Revision A; 6/12/2012
D135 Bill of Material for Options board Revision B, Draft;
D136 Bill of Material for Main Board Revision B, Draft;
D14 Method of Revising Drawings and Other Engineering Documents - es2.pdf Revision EH; 5/2/2011
D15 Engineering Change Request Procedure - es192.pdf Revision AA; 4/5/2010
D17 FIELDVUE SIS Corrective Action Procedures - FGS10H2.pdf Revision A; 5/19/2012
D23 Functional Safety Personnel Assessment.xls Report from online tool;
D26 Control Standard for Calibration - es243.pdf Revision F; 7/7/1999
D27 Product Safety - es235.pdf Revision J; 9/29/2003
D34 Peer Review Procedure - EP44.pdf Revision A; 4/20/2009
D34b Technical Assessment Process - es238 Revision K; 1/17/2011
D35 SaRS Safety Requirements Specification 08GA05.doc Revision B; 9/11/2012
D39 SaRS review record.docx (report from MS Outlook); 4/17/2012
D39b Document Approval Process Revision A; 2/17/2012
D40 08GA05-ERS-Electronic Requirements.doc Revision B; 2/17/2012
D41a SRS_main_08GA05.doc Rev. C; 9/15/2012
D41b SRS_transmitter_08GA05.doc Rev. D; 6/7/2012
D43 SAD System Architecture Document 08GA05.doc Revision A; 3/17/2010
D45a Schematics: GE36850_B_MagneticFB_Schem.pdf Revision B; 11/10/2009
D45b Schematics: GE45723_A_Remote_MagneticFB_Schem.pdf Revision A; 6/1/2010
D45c Schematics: GE47066_B_Main_Schem.pdf Revision B; 7/29/2011
D45d Schematics: GE47067_A_Options_Schem.pdf Revision A; 7/11/2011
D45e Schematics: GE48591_A_Term_Schem.pdf Revision A; 7/11/2011
D45f Schematics: LCP100 Rev B schematic.pdf Revision B; 7/19/2006
D47 Software Coding Practice - ep25.pdf Revision C; 8/9/2008
D47a Mainboard Firmware Architecture.doc DRAFT B; 5/15/2012
D47b Options board firmware architecture document.doc Revision A; 8/15/2007
D49 TAR Technical Assessment Report FW3 08GA05 _ Panther.doc Revision A; 4/11/2012
D49a SDD - Program Flow Control Monitoring - 08GA05.doc Revision B; 9/13/2012
D49b SDD - Critical Data Protection - 08ga05.doc Revision A; 4/8/2011
D4d Incident Tracking Process - ep37.pdf Revision A; 1/6/2003
D51a FTR-Firmware Test Report DVC6200 wTransmitter FW3.doc Revision B; 9/11/2012
D52a EFC 12-02-027 R003 V1R4 FMEDA DVC6200 ESD_ETT.pdf Version 1, Revision 4; 5/18/2012
D52b EFC 12-02-027 R002 V1R4 FMEDA DVC6200 ESD_DETT.pdf Version 1, Revision 3; 5/21/2012
D52c EFC 12-02-027 R001 V1R1 FMEDA DVC6200 Pos_Mon Version1 Revision1; 6/8/2012
D54a TraceMatrix.vsd Informal; 9/24/2012
D54b Safety Validation Trace Matrix 08GA05.docx Revision A; 9/24/2012
D56a FI Points ESD.PDF Handwritten markups to Rev. B schematics;
D56b FI Points Position Monitor.PDF Handwritten markups to Rev. B schematics;
D59a Fisher_DVC.lnt No Version;
D59b Fisher_dvc_Lint Configuration File.lnt No Version;
D60 Lint Results FW3.zip Zip File with various versions; 2/21/2012
D61h ModTest_CriticalData_ReadMe.txt No Version; 1/4/2012
D61i AuxInput.doc No Version; 5/3/2012
D62a UTP - analog - 08GA05.doc Revision B; 3/9/2011
D62b UTP - Input Signal Processing - 08GA05.doc Revision B; 9/18/2012
D62c UTP - Low_thrd.c - 08GA05.doc Revision A; 5/20/2009
D62d UTP - Ramps.msa - 08GA05.doc Revision B; 9/18/2012
D62e Schedule_msa.doc Revision A; 5/22/2009
D65 CMP Configuration Management Plan 08GA05.doc Revision A; 5/2/2012
D68a PTP Product Master Test Plan 08GA05.doc Revision A; 5/2/2012
D68b FTP - Firmware Test Plan DVC6200 wTransmitter FW3.doc Revision A; 9/29/2011
D68c 08GA05-PTP-Electronics Prototype Test Plan.doc Revision B; 9/10/2010
D70d Safety Validation Test Plan 08GA05 Revision A; 9/13/2012
D70e TC-Positioner Safety Validation Test Cases 08GA05 Revision A; 9/6/2012
D70f TC-Options module safety validation tst cases 08GA05 Revision A; 9/20/2012
D77a PTR-Positioner Safety Validation Test report 08GA05 Revision A; 9/20/2012
D77b PTR-Options Safety Validation Test Report 08GA05 Revision A; 9/20/2012
D80a 08GA05-PTR-FaultInjectiontest.doc Revision A; 4/19/2012
D80b 08GA05-PTR-TransmitterFaultInjection.doc Revision A; 3/12/2012
D81 Quick Start Guide - d1035556x012.pdf No Version; 5/12/2012
D82 Safety Manual - D103601X012_Sep12.pdf No Version; 9/1/2012
D86 Control of Engineering Documents - es102.pdf Revision AB; 7/10/2011
D88 apprv_7.doc (impact analysis report template) Form Revision Q; 6/9/2011
D94a ValidationOfCompliance-EW430-5 50-signed.pdf Revision 6; 2/18/2011
D94b icc6812.txt Revision 1.19;
D100 exida Derived Requirements Document Checklist 9/9/2012
D103 exida HW Fault Injection Test Plan and Results Checklist 7/19/2012
D104 exida Hardware Development Phase Verification Checklist 9/19/2012
D105 exida Software Architecture and Design Phase Checklist 9/20/2012
D106 exida FMEDA Checklist.doc 9/19/2012
D107 exida SW Implementation Phase Verification Checklist 9/20/2012
D108 exida Integration Test Execution Phase Verification Checklist 9/24/2012
D109 exida Validation Test Execution Phase Checklist 9/24/2012
D110 exida Functional Safety Assessment Phase Verification Checklist 9/24/2012
D111 exida Safety Manual Document Checklist 9/19/2012
D112 exida Modification Phase Verification Checklist 9/19/2012
D113 exida IEC 61508-2010 SIL 2 Tables Checklist 9/24/2012
D114 exida IEC 61508-2010 SIL 3 Tables Checklist 9/24/2012
D92 exida FSM Planning Phase Verification Checklist 9/24/2012
D93 exida Configuration Management Checklist 6/12/2012
D94 exida Software Tools Checklist 9/24/2012
D95 exida Safety Validation Test Plan Document Checklist 9/24/2012
D96 exida Safety Requirements Specification Document Checklist 7/23/2012
D97 exida Integration Test Plan Document Checklist 9/24/2012
D98 exida Proven In Use Checklist 9/19/2012
D99 exida System Architecture Phase Verification Checklist 9/20/2012
D101 SHA-1 Hash Codes (e-mail) 10/02/2012
D102 DVC 6200-6000 software HAZOP project report 04/26/2010
2.4.2 Documentation Provided by Fisher Controls for Renewal Assessment
Updated and new documentation, reviewed in the assessment, is listed in the following table.
Doc. ID Project Document Filename Revision; Date
D201 es269.pdf Rev. B; 08/15/2013
D202 em_dvc6200x1~bm.pdf Rev. BM; 01/0/1900
D202b em_dvc6200x3~af.pdf Rev. AF; 07/30/2013
D203 D60 Code Coverage Analysis Technique.doc Rev. A; 07/23/2013
D203b ep59.pdf Rev. A; 05/20/2013
D204 form_insteng_Impact_Analysis_Report_-_IAR_template.docx Rev. T; --
D205 PMP Project Management Plan 08GA05.doc Rev. C; 10/2/2012
D206 em_dvc6200x3~af.pdf Rev. AF; 07/30/2013
D206b em_dvc6200x1~bm.pdf Rev. BM; 07/30/2013
D207 130426 IEC61508 Training Logs.xls N/A; N/A
D208 SaRS Safety Requirements Specification 08GA05.doc Rev. D; 08/5/2013
D209 DVC6200 HW2 System model.EAP HW2; 08/15/2013
D210 DVC6200 HW2 Architecture document approval.pdf N/A; 08/13/2013
D211 D60 Code Coverage Results - FW6.doc Rev. A; 07/23/2013
D212 analog.txt N/A; N/A
D212b program_flow.txt N/A; N/A
D213 FTP - Firmware Test Plan DVC6200 wTransmitter FW6.doc Rev. A; 06/3/2013
D213b FTP Explanation.doc --; 09/5/2013
D213c Test_analog.c ; 04/1/2011
D214 D103601X012_Sep13_draft_1.pdf Draft 1; 09/9/2013
D215 ECRN 20110404-IAR-Add 2nd wire clip to DVC6015.doc Rev. A; 03/19/2013
D215b ECRN 20122162-IAR DVC6200 HW2 FW4.doc Rev. A; 09/20/2012
D215c ECRN 20122645-IAR - Relocate the option configuration of HW2 in FGS12D106 and FGS3B61.docx Rev. A; 02/20/2013
D215d ECRN 20122808-IAR-02 DVC6200 HW2 FW5.doc Rev. C; 03/5/2013
D215e ECRN 20122983-IAR-Change Cap Tolerance on Main Board BOM.doc Rev. A; 02/28/2013
D215f ECRN 20131416-IAR DVC6200 HW2 FW6.pdf Rev. A; 07/2/2013
2.4.3 Documentation Generated by exida
[R1] DVC 6200 SafetyCaseDB.esc
Safety Case
[R2] Emerson Fisher DVC6200 Recertification - Proven In Use Analysis.xls
Analysis of field failure data against failure rates predicted by FMEDA.
[R3] EFC 12-02-027 R004 V2R1 IEC 61508 Assessment DVC6200.docx, September 20, 2013
IEC 61508 Functional Safety Assessment for DVC6200 SIS Digital Valve Controller and Position Monitor (This document)
3 Product Description
The Fisher Controls DVC6200 SIS Digital Valve Controller is a communicating, microprocessor-based current-to-pneumatic instrument used for safety applications in many different industries, including oil and gas, power, pulp and paper, chemical, and food and beverage. In Safety Instrumented System applications, the DVC6200 SIS Digital Valve Controller can also perform partial valve stroke testing (PVST), either automatically or manually, in addition to supporting the final control element safety function. The partial valve stroke test monitors actuator pressure and valve stem position as well as various internal parameters. The term "DVC6200 SIS Valve Controller" may be used, herein, to indicate this function of the device.
The device can also be configured to operate as a Position Transmitter or Limit Switch device. The term “DVC6200 SIS Position Monitor” may be used, herein, to indicate this function of the device.
3.1 Digital Valve Controller Configurations
In one of the Digital Valve Controller configurations (ETT or DETT), as indicated in the following figure, the DVC6200 SIS Digital Valve Controller receives an input signal from the logic solver system. This input signal is 4-20 mA, 0-20 mA or 0-24 Vdc. The DVC6200 SIS Digital Valve Controller controls an actuator via output A, via output B, or via output A and output B. This accounts for the different operating modes of the mechanical parts as shown in Figure 1. The DVC6200 SIS Digital Valve Controller, in the 4-20 mA, 0-20 mA or 0-24 Vdc configuration, is classified as a Type A¹ device, having a hardware fault tolerance of 0.
In the single-acting operating mode, only one output is used. During normal operation the output is pressurized. If a safety demand is required, the output is depressurized.
In the double acting operating modes both outputs are used, with the pressure differential controlling the valve’s position.
It is assumed that the DVC6200 SIS Digital Valve Controller – actuator combination will fail safe on loss of air pressure because of the spring return action in the actuator. The actuator is controlled by the DVC6200 SIS Digital Valve Controller. The valve is controlled by the actuator. A valve travel feedback signal is read by the digital valve controller but is not part of the safety critical path. The feedback signal is required to perform a PVST.
¹ Type A element: "Non-Complex" element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2, ed2, 2010.
[Figure 1 is a block diagram (image not reproduced). Labels shown: Logic Solver, current signal, Terminal Box, Printed Circuit Boards, I/P Converter, Pneumatic Relay, Air Supply, Actuator, Valve, Feedback Sensor, optional LCPxxx, output switch or transmitter, FMEDA scope.]
Figure 1 DVC6200 SIS Digital Valve Controller, Parts included in the FMEDA
In addition to the DVC6200 SIS Digital Valve Controller external connections, Figure 1 also shows the main parts of the digital valve controller. The DVC6200 SIS Digital Valve Controller is composed of electrical and mechanical parts. The FMEDA was done on the entire product.
3.2 Position Transmitter / Limit Switch Configurations
In the Position Transmitter and the Limit Switch configurations the DVC6200 SIS Position Monitor Feedback Sensor measures the valve position. The electronics on the Printed Circuit Boards convert the position into a 4-20 mA signal in the Transmitter mode or a discrete output in the Switch mode. The discrete output indicates whether the valve position is above or below a configurable threshold. The Feedback Sensor can be a potentiometer, a local magnetic sensor or a remote magnetic sensor.
In addition to the DVC6200 SIS Position Monitor external connections, Figure 2 also shows the main parts of the device. The DVC6200 SIS Position Monitor is composed of electrical and mechanical parts. Note that the device, in either of these configurations, is classified as a Type B² element, according to IEC 61508, having a hardware fault tolerance of 0.
² Type B element: "Complex" element (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2, ed2, 2010.
[Figure 2 is a block diagram (image not reproduced). Labels shown: Logic Solver, current signal, Terminal Box, Printed Circuit Boards, I/P Converter, Pneumatic Relay, Air Supply, Actuator, Valve, Valve Mounting Kit, Feedback Sensor, optional LCPxxx, output switch or transmitter, FMEDA scope; the pneumatic path and actuator are marked "not part of the Position Monitor Safety Function".]
Figure 2 DVC6200 SIS Position Monitor, Parts included in the FMEDA
4 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received from Fisher Controls and is documented in the safety case database [R1].
4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software.
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  - Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  - Specification process, techniques and documentation
  - Design process, techniques and documentation, including tools used
  - Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  - Verification activities and documentation
  - Modification process and documentation
  - Installation, operation, and maintenance requirements, including user documentation
- Product design
  - Hardware architecture and failure behavior, documented in a FMEDA
  - Software architecture and failure behavior, documented in a Software Criticality and HAZOP report
The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.2.
4.2 Assessment Level
The DVC6200 SIS Digital Valve Controller and the DVC6200 SIS Position Monitor have been assessed per IEC 61508 to the following levels:
- Systematic Safety Integrity: SIL 3 capable (Digital Valve Controller configurations only)
- Systematic Safety Integrity: SIL 2 capable (Position Monitor configurations)
- Random Safety Integrity: PFDAVG and Architectural Constraints must be verified for each application.
The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of SIL 3 according to IEC 61508. As the software for a diagnostic function is classified with a C2 criticality, techniques and measures implemented during the development are only required to be SIL 2 capable. For the Transmitter / Limit Switch configurations the software is classified as C1 criticality and is therefore limited to SIL 2.
4.3 Product Modifications
The modification process has been successfully assessed and audited, so Fisher Controls may make modifications to this product as needed, provided that:
- Fisher Controls has appointed a competent person(s) to judge and approve modifications.
- The modification documentation listed below must be submitted to exida, prior to a renewal of the certification, for review of the decisions made by the competent person(s), with respect to the modifications made:
  - List of all anomalies reported
  - List of all modifications completed
  - Safety impact analyses which shall indicate with respect to a modification:
    - The initiating problem (e.g., results of root cause analysis)
    - The effect on the product / system
    - The elements / components that are subject to the modification
    - The extent of any re-testing (including any regression test plans)
  - List of modified documentation
5 Results of the IEC 61508 Functional Safety Assessment
exida assessed the development process used by Fisher Controls during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development of the DVC6200 SIS Digital Valve Controller was done per this IEC 61508 SIL 3 compliant development process. The DVC6200 SIS Position Monitor firmware was developed under the same SIL 3 compliant process, with some of the firmware techniques applied at the SIL 2 level. The Safety Case was updated with project specific design documents.
5.1 Lifecycle Activities and Fault Avoidance Measures
Fisher Controls has an IEC 61508 compliant development process as assessed during this IEC 61508 certification. This compliant development process is documented in [R1].
This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for DVC6200 SIS development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 (Digital Valve Controller) and SIL 2 (Position Monitor) work scopes of the development team. The result of the assessment can be summarized by the following observations:
- The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3 for the DVC6200 SIS Digital Valve Controller.
- The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 2 for the DVC6200 SIS Position Monitor.
5.1.1 Functional Safety Management
FSM Planning: The functional safety management of any Fisher Controls Safety Instrumented Systems Product development is governed by [D07]. This process requires that Fisher Controls create a project plan [D04] which is specific for each development project. The Project Plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures, referenced in section 2.4.1, fulfill the requirements of IEC 61508 with respect to functional safety management.
Version Control: All documents are under version control as required by [D65].
Training, Competency recording: Competency is ensured by the project plan [D04], which describes roles and responsibilities of project team members. Title descriptions are maintained at a company level to define the skills associated with specific titles. Training records are maintained, including those for functional safety training, in a company database [D23].
5.1.2 Safety Requirements Specification and Architecture Design
As defined in [D07], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. For the DVC6200 SIS Digital Valve Controller and Position Monitor, the requirements specification [D35] contains a system overview, safety assumptions, and safety requirements sections. During the assessment, exida reviewed the content of the specification for completeness per the requirements of IEC 61508.
Requirements are tracked throughout the development process by the use of a requirements management database [D54a] [D54b]. The system requirements are broken down into derived hardware requirements [D40] and software requirements [D41a] [D41b] and safety requirements [D35]. Traceability matrices show how the system safety requirements map to the hardware and software requirements, to hardware and software architecture, to software and hardware detailed design, and to validation tests [D54a] [D54b].
Requirements from IEC 61508-2, Table B.1 that have been met by Fisher Controls include project management, documentation, structured specification, inspection of the specification, and checklists.
The Safety Requirements and Architecture Design meet the requirements of SIL 3.
5.1.3 Hardware Design
Hardware design, including both electrical and mechanical design, is done according to [D07]. The hardware design process includes creating a hardware architecture specification, a peer review of this specification, creating a detailed design, a peer review of the detailed design, component selection, detailed drawings and schematics, a "Failure Modes, Effects and Diagnostic Analysis" (FMEDA), electrical unit testing, fault injection testing, and hardware verification tests.
Requirements from IEC 61508-2, Table B.2 that have been met by Fisher Controls include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, and inspection of the specification. This is also documented in [D114]. This meets the requirements of SIL 3.
5.1.4 Software (Firmware) Design
The safety function of the DVC6200 SIS Digital Valve Controller is implemented by a Type A circuit. The firmware on the main printed circuit board was assessed to SIL 2 capability for both the Digital Valve Controller and for the Position Monitor. Note that the Digital Valve Controller firmware is independent of the safety function and may be assessed at SIL 2 capability (SIL 3 minus 1), per IEC 61508, Part 2, section 7.4.3.2.
The firmware on the Position Monitor printed circuit board implements part of the safety function for the DVC6200 SIS Position Monitor (Type B), and was therefore assessed to SIL 2 capability. Note that this firmware is also independent of the Digital Valve Controller safety function.
Firmware design is carried out according to [D7]. The software design process includes software architecture design and peer review, detailed design and peer review, critical code reviews, static source code analysis and unit test.
Requirements from IEC 61508-3, Table A.2 that have been met by Fisher Controls include fault detection, backward recovery, modular approach, use of trusted/verified software elements, time-triggered architecture and static resource allocation.
Requirements from IEC 61508-3, Table A.3 that have been met by Fisher Controls include suitable programming language, strongly typed programming language, language subset, and tools and translators: increased confidence from use.
Requirements from IEC 61508-3, Table A.4 that have been met by Fisher Controls include modular approach, design and coding standards, structured programming, use of trusted/verified software modules and components.
This is also documented in [D113]. This meets the requirements of SIL 2.
5.1.5 Validation
Validation Testing is done via a set of documented tests. The validation tests are traceable to the Safety Requirements Specification [D35] in the validation test plan [D68a] [D68b] [D68c] [D70d] [D70e] [D70f]. The traceability matrices, [D54a] and [D54b], show that all safety requirements have been validated by one or more tests. All non-conformities are documented in a change request and procedures are in place for corrective actions to be taken when tests fail as documented in [D15].
Requirements from IEC 61508-2, Table B.5 that have been met by Fisher Controls include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, failure analysis, expanded functional testing, and black-box testing.
Requirements from IEC 61508-3, Table A.7 that have been met by Fisher Controls include functional and black box testing.
[D113] and [D114] document more details on how each of these requirements has been met. This meets SIL 3, except for software requirements, which meet SIL 2, as targeted.
5.1.6 Verification
Verification activities are built into the standard development process as defined in [D07]. Verification activities include the following: Fault Injection Testing, static source code analysis, module testing, integration testing, FMEDA, peer reviews and both hardware and software unit testing. In addition, safety verification checklists are filled out for each phase of the safety lifecycle. This meets the requirements of IEC 61508 SIL 3.
Requirements from IEC 61508-2, Table B.3 that have been met by Fisher Controls include functional testing, project management, documentation, and black-box testing.
Requirements from IEC 61508-3, Table A.5 that have been met by Fisher Controls include dynamic analysis and testing, data recording and analysis, functional and black box testing, performance testing, and test management and automation tools.
Requirements from IEC 61508-3, Table A.6 that have been met by Fisher Controls include functional and black box testing, and performance testing.
Requirements from IEC 61508-3, Table A.9 that have been met include static analysis, and dynamic analysis and testing.
[D113] and [D114] document more details on how each of these requirements has been met. This meets the requirements of SIL 3, except for software requirements which meet SIL 2, as targeted.
5.1.7 Modifications
Modifications are done per the Fisher Controls change management process as documented in [D15] [D15b]. Impact analyses [D88] are performed for all changes once the product is released for integration testing. The results of the impact analysis are used in determining whether to approve the change. The standard development process as defined in [D7] is then followed to make the change. The handling of hazardous field incidents and customer notifications is governed by [D27]. This procedure includes identification of the problem, analysis of the problem, identification of the solution, and communication of the solution to the field. This meets the requirements of IEC 61508 SIL 3.
Requirements from IEC 61508-3, Table A.8 that have been met by the Fisher Controls modification process include impact analysis, re-verification of changed software modules, re-verification of affected software modules, revalidation of the complete system, regression validation, software configuration management, and data recording and analysis. This meets the requirements of SIL 2.
5.1.8 User Documentation
Fisher Controls created a safety manual [D82] for the DVC6200 SIS Digital Valve Controller and the DVC6200 SIS Position Monitor, which addresses all relevant operation and maintenance requirements from IEC 61508. This safety manual was assessed by exida certification. The final version is considered to be in compliance with the requirements of IEC 61508.
Requirements from IEC 61508-2, Table B.4 that have been met by Fisher Controls include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes and operation only by skilled operators.
[D114] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.
5.2 Hardware Assessment
To evaluate the hardware design of the DVC6200 SIS Digital Valve Controller, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida. This is documented in [D52a, b, c].
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an extension of the FMEA. It combines standard FMEA techniques with extensions that identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.
From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [D52a, b, c], which is available from Fisher Controls. Tables in the FMEDA report list these failure rates for the DVC6200 SIS Digital Valve Controller under a variety of applications. The failure rates listed are valid for the useful life of the devices.
Note, as the DVC6200 SIS Digital Valve Controller and Position Monitor are only one part of a (sub-)system, the SFF should be calculated for the entire final element combination.
These results must be considered in combination with the PFDAVG values of the other devices in a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraints requirements of IEC 61508-2, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.
The analysis shows that the design of the DVC6200 SIS Digital Valve Controller can meet the hardware requirements of IEC 61508, SIL 3 depending on the complete final element design.
The analysis shows that the design of the DVC6200 SIS Position Monitor can meet the hardware requirements of IEC 61508, SIL 2.
The Hardware Fault Tolerance, PFDAVG, and Safe Failure Fraction requirements of IEC 61508 must be verified for each specific design.
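The statements above (SFF over the entire final element, PFDAVG combined with the other SIF devices, architectural constraints checked per application) and the note in section 6 that a frequent automatic PVST is treated as a diagnostic can be made concrete with a small calculation. The following Python is an added example and is not code from the exida report or from Fisher Controls' FMEDA. Every failure rate, the PVST coverage and the proof test interval are constructed placeholders, not the DVC6200 figures (those are in [D52a, b, c]); the formulas are the generic IEC 61508 ones: SFF = (λS + λDD) / (λS + λDD + λDU), the simplified 1oo1 low-demand PFDAVG = λDU × T1 / 2, the PFDAVG SIL bands, and the SFF/HFT architectural-constraint tables for Type A and Type B elements.

```python
"""Worked SFF / PFDavg calculation for a complete final element.

Added example: not the exida report's or Fisher Controls' FMEDA code. All
failure rates, the PVST coverage and the proof test interval are constructed
placeholders, NOT the DVC6200 figures (those are in [D52a, b, c]). Formulas are
the generic IEC 61508 ones: SFF, the simplified 1oo1 PFDavg, the low-demand
PFDavg SIL bands, and the architectural-constraint tables for Type A / Type B.
"""
from dataclasses import dataclass
from typing import Iterable

FIT = 1e-9            # one Failure In Time = 1e-9 failures per hour
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """Failure rates of one element, in failures per hour, split by category."""
    name: str
    lam_sd: float      # safe, detected by automatic diagnostics
    lam_su: float      # safe, undetected
    lam_dd: float      # dangerous, detected by automatic diagnostics
    lam_du: float      # dangerous, undetected (found only by proof test)
    hft: int = 0       # hardware fault tolerance of the assembly


def combine(elements: Iterable[Element], hft: int = 0) -> Element:
    """Sum the rates over the entire final element, as section 5.2 requires."""
    es = list(elements)
    return Element("final element",
                   sum(e.lam_sd for e in es), sum(e.lam_su for e in es),
                   sum(e.lam_dd for e in es), sum(e.lam_du for e in es), hft)


def with_pvst(e: Element, coverage: float) -> Element:
    """Model partial valve stroke testing as an automatic diagnostic.

    Following the report's assumption (a PVST run at least 10x more often than
    the proof test counts as a diagnostic), the fraction `coverage` of the
    dangerous undetected rate moves to dangerous detected. Coverage is a
    constructed placeholder, not a DVC6200 value.
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be in [0, 1]")
    moved = e.lam_du * coverage
    return Element(e.name, e.lam_sd, e.lam_su, e.lam_dd + moved, e.lam_du - moved, e.hft)


def sff(e: Element) -> float:
    """Safe Failure Fraction: (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    total = e.lam_sd + e.lam_su + e.lam_dd + e.lam_du
    return (e.lam_sd + e.lam_su + e.lam_dd) / total


def pfd_avg_1oo1(e: Element, proof_test_years: float) -> float:
    """Simplified low-demand 1oo1 PFDavg = lambda_DU * T1 / 2 (MTTR and DD terms ignored)."""
    return e.lam_du * proof_test_years * HOURS_PER_YEAR / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); 0 if worse than SIL 1."""
    for sil, limit in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if pfd < limit:
            return sil
    return 0


def arch_constraint_sil(e: Element, element_type: str) -> int:
    """Highest SIL allowed by the architectural constraints of IEC 61508-2,
    Table 2 (Type A) or Table 3 (Type B), from SFF and HFT; 0 means not allowed."""
    s = sff(e)
    if element_type == "A":
        band = 0 if s < 0.60 else 1 if s < 0.90 else 2
        return min(4, band + 1 + e.hft)
    if element_type == "B":
        band = 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3
        return min(4, band + e.hft)
    raise ValueError("element_type must be 'A' or 'B'")


def demo(pvst_coverage: float = 0.9, proof_test_years: float = 1.0) -> dict:
    """Constructed positioner + actuator/valve assembly, with and without PVST."""
    # Placeholder FIT values; the actuator and valve have no self-diagnostics.
    positioner = Element("positioner", 200 * FIT, 50 * FIT, 300 * FIT, 100 * FIT)
    valve = Element("actuator+valve", 0.0, 400 * FIT, 0.0, 1500 * FIT)
    plain = combine([positioner, valve])
    tested = with_pvst(plain, pvst_coverage)
    out = {}
    for label, fe in (("no_pvst", plain), ("pvst", tested)):
        pfd = pfd_avg_1oo1(fe, proof_test_years)
        out[label] = {"sff": sff(fe), "pfd_avg": pfd,
                      "sil_pfd": sil_from_pfd(pfd),
                      "sil_arch_type_a": arch_constraint_sil(fe, "A")}
    return out


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: SFF={r['sff']:.1%} PFDavg={r['pfd_avg']:.2e} "
              f"SIL(PFD)={r['sil_pfd']} SIL(arch, Type A)={r['sil_arch_type_a']}")
```

With the constructed numbers, the untested assembly is limited to SIL 1 by both the architectural constraints and the PFDAVG. Treating a 90 % coverage PVST as a diagnostic lifts the SFF into the 90 % band (architecturally SIL 3 for a Type A, HFT 0 element) while the PFDAVG only reaches the SIL 2 band: the two checks must both be made, and the weaker one governs, which is the point of the end-user responsibility stated above.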
6 Terms and Definitions
ETT Energize To Trip
DETT De-Energize To Trip
Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT Failure In Time (1 x 10^-9 failures per hour)
FMEDA Failure Mode Effect and Diagnostic Analysis
HFT Hardware Fault Tolerance
Low demand mode Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
PFDAVG Average Probability of Failure on Demand
PFH Probability of dangerous Failure per Hour
PVST Partial Valve Stroke Test
It is assumed that the Partial Stroke Testing, when performed, is automatically performed at least an order of magnitude more frequently than the proof test; the test can therefore be treated as an automatic diagnostic. Because of this automatic diagnostic assumption, the Partial Valve Stroke Testing also has an impact on the Safe Failure Fraction.
SFF Safe Failure Fraction - Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
7 Status of the document
7.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.
7.2 Releases
Version: V2
Revision: R2
Version History: V2, R2: Corrections, September 19, 2013
V2, R1: Renewal of Certificate, September 13, 2013
V1, R4: Formatting problem, October 9, 2012
V1, R3: Corrections, October 9, 2012
V1, R2: Corrections, October 4, 2012
V1, R1: First Release, October 2, 2012
V0, R1: Internal Draft, September 28, 2012.
Authors: David E. Butler, Iwan van Beurden
Review: V2, R1: John Yozallinas
V0, R1: exida internal
Release status: Released
7.3 Future Enhancements
At request of client.
7.4 Release Signatures
Iwan van Beurden, CFSE, Director of Engineering
David E. Butler, Safety Engineer