IEC 61508 Assessment - ABB Group · 2017-08-03
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.
T-034 V5R1 80 N. Main St, Sellersville, PA 18960 Page 2 of 21
Management Summary
The Functional Safety Assessment of the ABB, Inc. MT5000, MT5100 and MT5200 Level Transmitter development project, performed by exida, consisted of the following activities:
- exida assessed the development process used by ABB, Inc. through an audit and review of a detailed safety case against the exida certification scheme which includes the relevant requirements of IEC 61508. The assessment was executed using subsets of the IEC 61508 requirements tailored to the work scope of the development team.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to verify the accuracy of the FMEDA analysis.
The functional safety assessment was performed to the SIL 3 requirements of IEC 61508:2010. A full IEC 61508 Safety Case was created using the exida Safety Case tool, which also was used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation and safety manual also were reviewed.
The results of the Functional Safety Assessment can be summarized by the following statements:
The audited development process, as tailored and implemented by the ABB, Inc. MT5000, MT5100 and MT5200 Level Transmitter development project, complies with the relevant safety management requirements of IEC 61508 SIL 3.
The assessment of the FMEDA, done to the requirements of IEC 61508, has shown that the MT5000, MT5100 and MT5200 Level Transmitter can be used in a low demand safety related system in a manner where the PFDAVG is within the allowed range for SIL 2 (HFT=0), according to table 2 of IEC 61508-1.
The assessment of the FMEDA also shows that the MT5000, MT5100 and MT5200 Level Transmitter meets the requirements for architectural constraints of an element such that it can be used to implement a SIL 2 safety function (with HFT = 0) or a SIL 3 safety function (with HFT = 1).
This means that the MT5000, MT5100 and MT5200 Level Transmitter is capable for use in SIL 3 applications in Low demand mode when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual and when using the versions specified in section 3.1 of this document.
by exida according to the accredited exida certification scheme which includes the requirements of IEC 61508:2010.
The purpose of the assessment was to evaluate the compliance of:
- the MT5000, MT5100 and MT5200 Level Transmitter with the technical IEC 61508-2 and -3 requirements for SIL 3 and the derived product safety property requirements
and
- the MT5000, MT5100 and MT5200 Level Transmitter development processes, procedures and techniques as implemented for the safety-related deliveries with the managerial IEC 61508-1, -2 and -3 requirements for SIL 3.
and
- the MT5000, MT5100 and MT5200 Level Transmitter hardware analysis represented by the Failure Mode, Effects and Diagnostic Analysis with the relevant requirements of IEC 61508-2.
The assessment has been carried out based on the quality procedures and scope definitions of exida.
The results of this assessment provide the safety instrumentation engineer with the required failure data per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.
1.1 Tools and Methods used for the assessment
This assessment was carried out using the exida Safety Case tool. The Safety Case tool contains the exida scheme which includes all the relevant requirements of IEC 61508:2010.
For the fulfillment of the objectives, expectations are defined which build the acceptance level for the assessment. The expectations are reviewed to verify that each single requirement is covered. Because of this methodology, comparable assessments in multiple projects with different assessors are achieved. The arguments for the positive judgment of the assessor are documented within this tool and summarized within this report.
All assessment steps were continuously documented by exida (see [R3]).
2 Project Management
2.1 exida
exida is one of the world's leading accredited Certification Bodies and knowledge companies, specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment based on 100 billion hours of field failure data.
2.2 Roles of the parties involved
ABB, Inc.: Manufacturer of the MT5000, 5100 and MT5200 Level Transmitters
exida: Performed the hardware assessment (FMEDA) [R1]
exida: Performed the Functional Safety Assessment [R3] per the accredited exida scheme.
ABB, Inc. contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.
2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 3): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
Failure Modes, Effects, and Diagnostic Analysis – MT5x00 Transmitter Series EPROM / Connector Board
[D61] MT2000-4000-2-jcg after FI.efm, 9/1/09 – Failure Modes, Effects, and Diagnostic Analysis – MT5x00 Transmitter Series Radar Transmit/Receive Module
[D62] MT2001-5000-1-jcg after FI with added diagnostics.efm, 8/5/10 – Failure Modes, Effects, and Diagnostic Analysis – MT5x00 Transmitter Series uProcessor Board
[D63] SPM201-6000-1C.efm, October 15, 2008 – Failure Modes, Effects, and Diagnostic Analysis – MT5x00 Transmitter Series HART Interface Board
[D64] SPM201-7000-2B.efm, October 15, 2008 – Failure Modes, Effects, and Diagnostic Analysis – MT5x00 Transmitter Series SPM201 Electronics
[D65] Probe_Assembly FMEDA R3-gps, 9/3/09 – Failure Modes, Effects, and Diagnostic Analysis – MT5x00 Transmitter Series Probe Assembly
[D66] 61508 TAB, 8/4/2010 – IEC 61508 Tables; document shows all tables from IEC 61508 Annex A and B of part 2 and part 3 along with a description of how ABB, Inc. meets each of the requirements
3 Product Description
The MT5000 Series Level Transmitters are a series of two-wire 4 – 20 mA smart devices. Each transmitter contains self-diagnostics and is programmed to drive its output to a specified failure state, either high or low, upon internal detection of a failure. For safety instrumented systems usage it is assumed that the 4 – 20 mA output is used as the primary safety variable.
Figure 1 shows an overview of the main parts of the MT5000 Series Level Transmitters and the boundary for the Failure Modes, Effects, and Diagnostic Analysis.
Figure 1 MT5000, MT5100, and MT5200 SIS Assembly
Table 1 gives an overview of the different versions that were considered in this assessment of the MT5000, MT5100 and MT5200 Level Transmitters.
Table 1 Models Overview
MT5000 Guided Wave Radar Level Transmitter
MT5100 Guided Wave Radar Level and Interface Transmitter
MT5000 Series Level Transmitters
Options: 4-20 mA output, single output
Hardware:
Processor board #: MT2001-5000-1, Revision Level: G
Signal conditioning board #: MT2000-4000-2, Revision Level: E
Display board #: MT5000-7000-1, Revision Level: C
Connector board #: SPM201-3000-1, Revision Level: E
HART board #: SPM201-6000-1, Revision Level: F
Software/Firmware: 100617 00.255
4 IEC 61508 Functional Safety Assessment Scheme
exida assessed the development process used by ABB, Inc. for this development project against the objectives of the exida certification scheme. The results of the assessment are documented in [R3][R1]. All objectives have been successfully addressed in the ABB, Inc. development processes.
exida assessed the set of documents against the functional safety management requirements of IEC 61508:2010. An evaluating assessor created a safety case, arguing that the relevant requirements of IEC 61508-1 to -3 have been met, based on the documented evidence provided. An independent certifying assessor then reviewed the safety case to ensure coverage of the requirements and the validity of the arguments. Additionally, an audit was performed to witness development and manufacturing environments and techniques, to ensure procedures are being followed and that certain testing is carried out successfully.
The detailed assessment evaluated the compliance of the processes, procedures and techniques, as implemented for the ABB, Inc. MT5000, 5100 and MT5200 Level Transmitters, with IEC 61508.
The assessment was executed using the exida certification scheme which includes subsets of the IEC 61508 requirements tailored to the work scope of the development team.
The result of the assessment shows that the MT5000, 5100 and MT5200 Level Transmitters are capable for use in SIL 3 (Systematic Capability is SC3) applications, when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual.
4.1 Product Modifications
The modification process has not yet been assessed and audited, so modifications are not currently covered by this assessment. No modifications are permitted to the certified versions of the MT5000, 5100 and MT5200 Level Transmitters without reassessment.
5 Results of the IEC 61508 Functional Safety Assessment
exida assessed the development process used by ABB, Inc. during the product development against the objectives of the exida certification scheme which includes IEC 61508 parts 1, 2, & 3 [N1]. The development of the MT5000, 5100 and MT5200 Level Transmitters was done per this IEC 61508 SIL 3 compliant development process. The Safety Case was updated with project specific design documents.
5.1 Lifecycle Activities and Fault Avoidance Measures
ABB, Inc. has an IEC 61508 compliant development process as assessed during the IEC 61508 certification. This compliant development process is documented in [D3].
This functional safety assessment evaluated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The assessment was executed using the exida certification scheme which includes subsets of IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observations:
The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3.
5.1.1 Functional Safety Management
FSM Planning The functional safety management of any ABB, Inc. Safety Instrumented Systems Product development is governed by QMP-0008B Quality Management Plan Procedure, Design & Development [D3]. ABB, Inc. has a Functional Safety Management Plan Quality Procedure, PRC0079A [D10] which is fixed but requires the creation of Design Project Records per FRM-0708 [D14] for each development which defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes, and the procedures referenced herein, fulfill the requirements of IEC 61508 with respect to functional safety management.
Version Control All documents are under version control as documented in [R3] and required by the Control of Documents Quality Management Plan Procedure [D2]. Design drawings and documents are also under version control, using a version control software application.
Training, Competency recording Personnel training records are kept in accordance with IEC 61508 requirements as documented in [R3] and PRC0082 the R&D Group Qualification Record Quality Procedure [D13]. ABB, Inc. hired exida as an independent assessor, per IEC 61508.
5.2 Safety Requirement Specification
As defined in [D10] and [D14], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. The requirements specification contains a scope and safety requirements section. For the MT5000, 5100 and MT5200 Level Transmitters, the SRS [D42] has been assessed.
Safety requirements are tracked, throughout the development process, by the creation of derived requirements. Safety requirements are mapped to the design, and to the appropriate validation tests in the validation test plan [D53].
Requirements from IEC 61508-2, Table B.1 that have been met by ABB, Inc. include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.
5.3 Change and modification management
The modification process has been successfully assessed and audited for IEC 61508:2000, but has not yet been assessed for IEC 61508:2010 requirements. ABB, Inc. may not make modifications to this product until that assessment is successfully completed.
5.4 Hardware Design and Verification
Objectives
The main objectives of the related IEC 61508 requirements are to:
- Create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).
- Ensure that the design and implementation of the E/E/PE safety-related systems meets the specified safety functions and safety integrity requirements.
- Demonstrate, for each phase of the overall, E/E/PES and software safety lifecycles (by review, analysis and/or tests), that the outputs meet in all respects the objectives and requirements specified for the phase.
- Test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.
- Integrate and test the E/E/PE safety-related systems.
5.4.1 Hardware Design
As defined in [D10] and [D14], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. The requirements specification contains a scope and safety requirements section. For the MT5000, 5100 and MT5200 Level Transmitters, the SRS [D42] has been assessed.
Safety requirements are tracked, throughout the development process, by the creation of derived requirements. Safety requirements are mapped to the design, and to the appropriate validation tests in the validation test plan [D53].
Requirements from IEC 61508-2, Table B.1 that have been met by ABB, Inc. include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.
5.4.2 Hardware Design / Probabilistic properties
To evaluate the hardware design of the MT5000 Series Level Transmitters, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R1]. The FMEDA was verified using Fault Injection Testing as part of the development, see [R2], and as part of the IEC 61508 assessment.
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) extends the FMEA: it combines standard FMEA techniques with an analysis of the online diagnostics and of the failure modes relevant to safety instrumented system design.
From the FMEDA, failure rates are derived for each failure category relevant to safety integrity (safe detected, safe undetected, dangerous detected and dangerous undetected).
These results must be considered in combination with PFDAVG of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each defined safety instrumented function (SIF) to verify the design of that SIF.
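The Management Summary statements (PFDAVG in the SIL 2 band at HFT = 0; architectural constraints allowing SIL 2 at HFT = 0 and SIL 3 at HFT = 1) and the paragraph above rest on the same arithmetic: the FMEDA failure-rate categories give the SFF, the dangerous-undetected rate and the proof test interval give PFDAVG, and the SIF total, not the sensor alone, decides the achieved SIL. The following Python block is an added worked example and is not code or data from the exida report or from ABB. All failure rates, the one-year proof test interval, the 8 h MTTR, the 2 % common-cause factor and the Type B classification (assumed because the product has a microprocessor board) are constructed assumptions; the PFDAVG formulas are the simplified low-demand approximations of IEC 61508-6 Annex B rather than the full equations.

```python
"""Added worked example (not exida's or ABB's code/data): FMEDA categories -> SFF,
PFDavg and SIL claim for a sensor element, then the SIF-level total.
All failure rates are CONSTRUCTED; the MT5000 series values are in [R1], which
this report references but does not reproduce. PFDavg uses the simplified
low-demand approximations of IEC 61508-6 Annex B, not the full equations."""
from dataclasses import dataclass
from typing import Optional

FIT = 1e-9               # 1 FIT = 1e-9 failures per hour (section 7)

# IEC 61508-1 Table 2, low demand: SIL -> [lower, upper) PFDavg band
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# IEC 61508-2 Route 1H architectural constraints (Table 2 Type A, Table 3 Type B):
# (SFF upper bound, (max SIL at HFT 0, HFT 1, HFT 2)); None = not allowed.
ARCH_TABLE = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


@dataclass(frozen=True)
class Fmeda:
    """Element failure rates in FIT, split into the four IEC 61508 categories."""
    lambda_sd: float   # safe, detected by diagnostics
    lambda_su: float   # safe, undetected
    lambda_dd: float   # dangerous, detected (output driven to the failure state)
    lambda_du: float   # dangerous, undetected (revealed only by proof test)

    @property
    def total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du

    def sff(self) -> float:
        """Safe Failure Fraction (section 7): safe + dangerous-detected, over all."""
        return (self.lambda_sd + self.lambda_su + self.lambda_dd) / self.total


def arch_constraint_sil(sff: float, hft: int, element_type: str) -> Optional[int]:
    """Max SIL the element may claim from SFF and HFT alone (Route 1H)."""
    for upper, sils in ARCH_TABLE[element_type]:
        if sff < upper:
            return sils[hft]
    raise ValueError("SFF must lie in [0, 1]")


def pfd_sil_band(pfd: float) -> Optional[int]:
    """SIL whose band contains pfd; 4 if better than SIL 4, None if worse than SIL 1."""
    if pfd < PFD_BANDS[4][0]:
        return 4
    for sil, (low, high) in PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def pfdavg_1oo1(f: Fmeda, ti_hours: float, mttr_hours: float) -> float:
    """HFT = 0: an undetected dangerous fault is dormant for TI/2 on average,
    a detected one for the mean time to restoration."""
    return f.lambda_du * FIT * ti_hours / 2 + f.lambda_dd * FIT * mttr_hours


def pfdavg_1oo2(f: Fmeda, ti_hours: float, beta: float) -> float:
    """HFT = 1, simplified: two independent undetected faults within one TI plus
    the common-cause fraction beta that defeats both channels at once.
    Detected-fault and repair terms of IEC 61508-6 B.3.2.2.2 are omitted."""
    ldu_ti = f.lambda_du * FIT * ti_hours
    return ((1 - beta) * ldu_ti) ** 2 / 3 + beta * ldu_ti / 2


def element_capability(f: Fmeda, hft: int, element_type: str,
                       ti_hours: float, mttr_hours: float, beta: float) -> dict:
    """Random-hardware capability = min(PFDavg band, architectural constraint).
    The report's 'SIL 2 at HFT=0 / SIL 3 at HFT=1' is a statement of this kind."""
    pfd = pfdavg_1oo1(f, ti_hours, mttr_hours) if hft == 0 else pfdavg_1oo2(f, ti_hours, beta)
    band, arch = pfd_sil_band(pfd), arch_constraint_sil(f.sff(), hft, element_type)
    sil = None if band is None or arch is None else min(band, arch)
    return {"pfdavg": pfd, "pfd_band": band, "arch_limit": arch, "sil": sil}


def sif_pfdavg(*component_pfds: float) -> float:
    """Section 5.4.2: the sensor's PFDavg is one term; the SIF total decides the SIL."""
    return sum(component_pfds)


# CONSTRUCTED sensor element; Type B assumed because the product has a
# microprocessor board (section 3). Not the MT5000 series FMEDA figures.
SENSOR = Fmeda(lambda_sd=100, lambda_su=300, lambda_dd=2400, lambda_du=300)
TI = 8760.0              # assumed one-year proof test interval, in hours
MTTR = 8.0               # assumed 8 h mean time to restoration
BETA = 0.02              # assumed 2 % common-cause factor for the 1oo2 case

if __name__ == "__main__":
    print(f"SFF = {SENSOR.sff():.2%}")
    for hft in (0, 1):
        r = element_capability(SENSOR, hft, "B", TI, MTTR, BETA)
        print(f"HFT={hft}: PFDavg={r['pfdavg']:.3e} (SIL {r['pfd_band']} band), "
              f"arch limit SIL {r['arch_limit']} -> capability SIL {r['sil']}")
    # CONSTRUCTED logic solver and final element PFDavg values complete the SIF
    total = sif_pfdavg(pfdavg_1oo1(SENSOR, TI, MTTR), 5e-5, 2.5e-3)
    print(f"SIF PFDavg = {total:.3e} -> SIL {pfd_sil_band(total)}")
```

With these constructed numbers the element lands at SIL 2 for HFT = 0, where the PFDAVG band and the architectural limit agree, and at SIL 3 for HFT = 1, where the 1oo2 PFDAVG falls in the SIL 4 band but the Route 1H architectural constraint caps the claim at SIL 3; that asymmetry is why the report states the PFDAVG result and the architectural-constraint result as two separate statements. The SIF calculation at the end adds the sensor term to constructed logic-solver and final-element values before the band lookup, which is the check the Safety Manual asks the application engineer to perform.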
The objectives of the standard are fulfilled by the ABB, Inc. functional safety management system, FMEDA quantitative analysis, and hardware development guidelines and practices.
5.5 Software Design
Software design is done according to [D3], [D10], [D14], [D8], and [D9]. The software design process includes software interface specification and detailed module design [D47], specification of configuration records [D48], design and critical code reviews [D49] and [D50], and UML specifications [D47].
Requirements from IEC 61508-3, Table A.1 through A.5 that have been met by ABB, Inc. include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification, selection of suitable programming language, use of a defined subset of the language, and others. This meets the requirements of SIL 3.
5.6 Verification
The development and verification activities are defined in [D10] and [D14]. Verification activities include the following: Fault Injection Testing, Code Review [D50] per [D27], Checklists embedded in [D14], and FMEDA [R1]. Further verification activities are documented in [D10] and [D14] for new product development projects.
5.7 Safety Validation
Validation Testing is done via a set of documented tests (see [D10] and [D14]). The validation tests are traceable to the Safety Requirements Specification [D42] in the validation test plan [D43]. In addition to standard Test Specification Documents, third party testing may be included as part of agency approvals. As the MT5000 Series Level Transmitters consist of simple electrical devices with a straightforward safety function, integration testing has been limited to verifying that all diagnostics take the appropriate action when they find a problem (see [D54] and [R2] for more details on this testing).
Procedures are in place for corrective actions to be taken when tests fail as documented in [R3] and [D7].
Requirements from IEC 61508-2, Table B.3 that have been met by ABB, Inc. include functional testing, project management, documentation, and black-box testing. Field experience and statistical testing via regression testing are not applicable. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.
Requirements from IEC 61508-2, Table B.5 that have been met by ABB, Inc. include functional testing and functional testing under environmental conditions, Interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing. [D66] documents more details on how each of these requirements has been met. This meets SIL 3.
5.8 Safety Manual
ABB, Inc. updated the user manual for the MT5000 Series Level Transmitters and incorporated the requirements for the Safety Manual, see [D37] and [D38]. This (safety) manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508. The document includes all required reliability data and operations, maintenance, and proof test procedures.
Requirements from IEC 61508-2, Table B.4 that have been met by ABB, Inc. include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes, and operation only by skilled operators. [D66] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.
ABB, Inc.: Manufacturer of the MT5000, 5100 and MT5200 Level Transmitters
exida: Performed the hardware assessment review
exida: Performed the IEC 61508 Functional Safety Surveillance Audit per the accredited exida scheme.
ABB, Inc. contracted exida in October 2016 to perform the surveillance audit for the above MT5000, 5100 and MT5200 Level Transmitters. The surveillance audit was conducted remotely in October 2016.
6.2 Surveillance Methodology
As part of the IEC 61508 functional safety surveillance audit, the following aspects have been reviewed:
Procedure Changes – Changes to relevant procedures since the last audit are reviewed to determine that the modified procedures meet the requirements of the exida certification scheme.
Engineering Changes – The engineering change list is reviewed to determine if any of the changes could affect the safety function of the MT5000, 5100 and MT5200 Level Transmitters.
Impact Analysis – If changes were made to the product design, the impact analysis associated with the change will be reviewed to see that the functional safety requirements for an impact analysis have been met.
Field History – Shipping and field returns during the certification period will be reviewed to determine if any systematic failures have occurred. If systematic failures have occurred during the certification period, the corrective action that was taken to eliminate the systematic failure(s) will be reviewed to determine that said action followed the approved processes and was effective.
Safety Manual – The latest version of the safety manual will be reviewed to determine that it meets the IEC 61508 requirements for a safety manual.
FMEDA Update – If required or requested the FMEDA will be updated. This is typically done if there are changes to the IEC 61508 standard and/or changes to the exida failure rate database.
Recommendations from Previous Audits – If there are recommendations from the previous audit, these are reviewed to see if the recommendations have been implemented properly.
There were no changes to the procedures during the previous certification period.
6.3.2 Engineering Changes
There were no safety-related design changes during the previous certification period.
6.3.3 Impact Analysis
There were no safety-related design changes during the previous certification period.
6.3.4 Field History
The field history of the product has been analyzed and found to be consistent with the failure rates predicted by the FMEDA.
6.3.5 Safety Manual
The safety manual was reviewed and found to be compliant with IEC 61508:2010.
6.3.6 FMEDA Update
No FMEDA update was necessary as there were no safety-related design changes during the certification period. However, the FMEDA report was updated to reflect changes introduced in IEC 61508:2010 and to add Route 2H.
6.3.7 Previous Recommendations
There were no previous recommendations to be assessed at this audit.
7 Terms and Definitions
exida criteria A conservative approach to arriving at failure rates suitable for use in hardware evaluations utilizing the 2H Route in IEC 61508-2.
Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT Failure In Time (1 × 10^-9 failures per hour)
FMEDA Failure Mode Effect and Diagnostic Analysis
HFT Hardware Fault Tolerance
Low demand mode Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
High demand mode Mode where the demand interval for operation made on a safety-related system is less than 100x the diagnostic detection/reaction interval, or where the safe state is part of normal operation.
PFDAVG Average Probability of Failure on Demand
PFH Probability of dangerous Failure per Hour
Random Capability The SIL limit imposed by the Architectural Constraints for each element.
SFF Safe Failure Fraction - Summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Systematic Capability Measure of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL.
Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
8 Status of the document
8.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.
8.2 Version History
Contract Number | Report Number, Version | Revision Notes
Q16/06-017 ABB | 10-02-051 R001 V3R1 | Changed city to Baton Rouge, DEB, 31-Oct-2016
Q16/06-017 ABB | 10-02-051 R001 V3R0 | Revised for surveillance assessment, D. Butler, 31-Oct-2016
Q13/08-088 KTEK | 10-02-051 R001 V2R1 | Revised for (minor) ABB comments, D. Butler, 11-Nov-2013
Q13/08-088 KTEK | 10-02-051 R001 V2R0 | Revised for surveillance assessment, D. Butler, 29-Oct-2013