IEC Functional Safety Assessment

Size: px

Start display at page:

Download "IEC Functional Safety Assessment"

Arlene Hart
5 years ago
Views:

IEC 61508 Functional Safety Assessment Project: Detcon IR-700 Combustible Hydrocarbon Gas Sensor Customer: Detcon The

: DC 13-06-003 R002 Version V1, Revision R1, September 12, 2013 Loren Stewart The document was prepared using best

1 IEC Functional Safety Assessment Project: Detcon IR-700 Combustible Hydrocarbon Gas Sensor Customer: Detcon The Woodlands, TX USA Contract No.: Q13/ Report No.: DC R002 Version V1, Revision R1, September 12, 2013 Loren Stewart The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management Summary This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the: Detcon IR-700 Combustible Hydrocarbon Gas Sensor The functional

requirements of IEC 61508. - exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed the manufacturing quality system in use at Detcon The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 2.

2 Management Summary This report summarizes the results of the functional safety assessment according to IEC carried out on the: Detcon IR-700 Combustible Hydrocarbon Gas Sensor The functional safety assessment performed by exida consisted of the following activities: - exida assessed the development process used by Detcon through an audit and creation of a detailed safety case against the requirements of IEC exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior. - exida reviewed field failure data to ensure that the FMEDA analysis was complete. - exida reviewed the manufacturing quality system in use at Detcon The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 2. A full IEC Safety Case was prepared, using the exida SafetyCase Workbook tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. Also the user documentation (safety manual) was reviewed. The results of the Functional Safety Assessment can be summarized by the following statements: The Detcon IR-700 Combustible Gas Detector was found to meet the requirements of SIL 2. The PFD AVG and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function. The manufacturer will be entitled to use the Functional Safety Logo. T-034 V2R1 Page 2 of 16

3 Table of Contents Management Summary Purpose and Scope Project management exida Roles of the parties involved Standards / Literature used Reference documents Documentation provided by Detcon Documentation generated by exida Product Description IEC Functional Safety Assessment Methodology Assessment level Product Modifications Results of the IEC Functional Safety Assessment Lifecycle Activities and Fault Avoidance Measures Functional Safety Management Safety Requirements Specification and Architecture Design Design Validation Verification Proven In Use Modifications User Documentation Hardware Assessment Terms and Definitions Status of the document Liability Releases Future Enhancements Release Signatures T-034 V2R1 Page 3 of 16

4 1 Purpose and Scope This document shall describe the results of the IEC functional safety assessment of the Detcon: IR-700 Combustible Hydrocarbon Gas Sensor by exida according to the requirements of IEC 61508: ed2, The result of this assessment provides the safety instrumentation engineer with the required failure data as per IEC / IEC and confidence that sufficient attention has been given to systematic failures during the development process of the device. Table 1: Revisions in Assessment Scope Detcon IR-700 Combustible Gas Detector Hardware Software/Firmware IR-700 is comprised of: 1. Main PCB Rev 1 2. Amplifier PCB Rev 1 V8.01N T-034 V2R1 Page 4 of 16

5 2 Project management 2.1 exida exida is one of the world s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment. 2.2 Roles of the parties involved Detcon exida Manufacturer of the Detcon IR-700 Combustible Gas Detector Performed the IEC Functional Safety Assessment Detcon contracted exida with the IEC Functional Safety Assessment of the above mentioned devices. 2.3 Standards / Literature used The services delivered by exida were performed based on the following standards / literature. [N1] IEC (Parts 1-7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems 2.4 Reference documents Documentation provided by Detcon ID Document Version Date D001 Quality Manual Folder (zip collection of QM files) 17 10/31/2012 D003 see D026 FSM D003b QOP 07 03_Design_Develop_R5.doc 5 5/29/2013 D004 QWI Firmware Config Management_R0.doc 0 5/30/2013 D004b QOP _Ctrl_Prod_Ser_R8.doc 8 5/29/2013 D005 [Hazardous Events Procedure] D006 QWI Service R5.doc 5 9/19/2012 D007 QOP _Purchasing_R7.doc 7 5/29/2013 T-034 V2R1 Page 5 of 16

6 D008 QOP 07 03_Design_Develop_R5.doc 5 5/29/2013 D010 QOP 04 02_Doc_Control_R4.doc 4 4/5/2010 D010b QWI Doc Control R7.doc 7 12/4/2008 D012 QOP 08 03_Cont_NonCoform_R5.doc 5 4/5/2010 D013 QOP 08 05_Cor Prev_Action_R8.doc 8 11/2/2010 D016 see D026 FSM D019 see D026 FSM D023 see D026 FSM D023b see D048 D025 see D026 FSM D026 FSM Plan IR 700 V2.doc v2 7/18/2013 D027 see D026 FSM D030 IR 700Installed Hours Table.xlsx n/a 7/8/2013 D031 IR700SIL2ConfirmedRMATransactions.xls n/a 7/9/2013 D032 see D026 FSM D033 see D026 FSM D034 see D026 FSM D036 ISO Certificate.pdf n/a 3/11/2013 D038 see D026 FSM D040 D3.1_IR 700 System and Safety Requirements Spec V6.doc v6 9/6/2013 D041 IR 700 SRS Review V1.doc v1 7/18/2013 D045 IR 700 System Architecture V4.docx v4 8/28/2013 D045b IR 700_System_Architecture_Review_V2.doc v2 D053 see D048 IA and D058, D058b and D058c code reviews D054 see D057 and D057b, module tests 5/16/2013 D054b TP700 SIL2 Module Tests.zip folder and IR700 SIL2 Module Tests.zip folder D056 IR 700 Requirements Traceability Matrix V2.xlsx V2 9/3/2013 T-034 V2R1 Page 6 of 16

7 D067 see D066 and D066b D068 see D066 and D066b D069 IR 700 Validation Test Plan V5.doc v5 9/4/2013 D070 IR 700_Validation_Test_Plan_Review_V1_.doc v1 D070b IR 700 Validation Test Plan Review V4.doc v4 D073 CAR Database, onsite file server; see sample in D073b. D073b TP 700 ECR Screenshot.jpg 5/29/2013 D074 see D069 test plan D074b IR 700_SIL2_Validation_Testing_Result V2.xlsx v2 D078 IR 700_IM_R2 7.pdf R2.7 4/5/2013 D079 Safety_Manual_Detcon_IR v4 8/28/ _Gas_Detector_V4.docx D080 IR 700 Safety Manual Review V3.doc v3 8/28/2013 D _001_proposedchanges.pdf n/a 3/4/2013 D081b see D048 IA D082 see D048 IA D083 DC R001_V1R2_PIU Spreadsheet DetconIR700.xls V1R2 D084 DETCON IR700 V1Rx Safety Case WB v1.5.xlsm D087 IR700_0801N_HEX.SHA1 9/9/2013 D090 see D003b DevProc D091 IR700_V801N_ReleaseNotes.pdf v8.01n T-034 V2R1 Page 7 of 16

8 2.5 Documentation generated by exida [R1] DETCON-IR700-V1R6- Safety Case WB v1.5 [R2] DC R002 V1R Assessment Report IR-700.Doc [R3] DC R002 V3 R2 IR-700 FMEDA Report [R4] DC R001_V1R2_PIU Spreadsheet- DetconIR700.pdf Safety Case file for Detcon IR-700 Combustible Hydrocarbon Gas Sensor IEC Functional Safety Assessment for Detcon IR- 700 Combustible Hydrocarbon Gas Sensor (This document) IEC FMEDA for Detcon IR-700 Combustible Hydrocarbon Gas Sensor Proven In Use Analysis Report for Detcon IR-700 Combustible Hydrocarbon Gas Sensor T-034 V2R1 Page 8 of 16

3 Product Description The Detcon IR-700 Combustible Hydrocarbon Gas Sensor is a three-wire 4 20 ma smart device to detect combustible gas hazards.

9 3 Product Description The Detcon IR-700 Combustible Hydrocarbon Gas Sensor is a three-wire 4 20 ma smart device to detect combustible gas hazards. It contains self-diagnostics and is programmed to send its output to a specified failure state upon internal detection of a failure. For safety instrumented systems usage, the 4 20 ma output is used as the primary safety variable. The IR-700 is classified as a type B 1 element according to IEC 61508, having a hardware fault tolerance of 0. 4 IEC Functional Safety Assessment The IEC Functional Safety Assessment was performed based on the information received from Detcon and is documented in the safety case database [R1]. 4.1 Methodology The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software modifications to achieve SIL 2 capability. Other product development aspects prior to these modifications were assessed according to Proven-In- Use requirements (see section 5.1.6). The combination of these assessments demonstrates full compliance with IEC to the end-user. The assessment considers all requirements of IEC Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. As part of the IEC functional safety assessment the following aspects have been reviewed: Development process, including: o Functional Safety Management, including training and competence recording, FSM planning, and configuration management o Specification process, techniques and documentation o Design process, techniques and documentation, including tools used o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation o Verification activities and documentation 1 Type B element: Complex element (using micro controllers or programmable logic); for details see of IEC , ed2, T-034 V2R1 Page 9 of 16

10 o Modification process and documentation o Installation, operation, and maintenance requirements, including user documentation Product design o Hardware architecture and failure behavior, documented in a FMEDA The review of the development procedures is described in section 5. The review of the product design is described in section Assessment level The Detcon IR-700 Combustible Gas Detector has been assessed per IEC to the following levels: Systematic Safety Integrity: SIL 2 capable Random Safety Integrity: PFD AVG and Architectural Constraints must be verified for each application. The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of SIL 2 according to IEC Product Modifications Detcon may make modifications to this product as needed. Modifications shall be classified into two types: Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions. Type 2 Modification: Changes allowed to be made by Detcon provided that: A competent person from Detcon, appointed and agreed with exida, judges and approves the modifications. The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person in respect to the modifications made. o o o o o List of all anomalies reported List of all modifications completed Safety impact analysis which shall indicate with respect to the modification: The initiating problem (e.g. results of root cause analysis) The effect on the product / system The elements/components that are subject to the modification The extent of any re-testing List of modified documentation Regression test plans T-034 V2R1 Page 10 of 16

11 5 Results of the IEC Functional Safety Assessment exida assessed the development process used by Detcon during the product development against the objectives of IEC parts 1, 2, and 3, see [D03]. The development of the Detcon IR-700 Combustible Gas Detector was done per this IEC SIL 2 compliant development process. The Safety Case was updated with project specific design documents. 5.1 Lifecycle Activities and Fault Avoidance Measures Detcon has an IEC compliant modification process as assessed during the IEC certification. This compliant process is documented in [D003] and [D004]. This functional safety assessment investigated the compliance with IEC of the processes, procedures and techniques as implemented for the product development. The investigation was executed using subsets of the IEC requirements tailored to the SIL 2 work scope of the development team. The result of the assessment can be summarized by the following observations: The audited development process complies with the relevant managerial requirements of IEC SIL Functional Safety Management FSM Planning The functional safety management of any Detcon Safety Instrumented Systems Product development is governed by [D03]. This process requires that Detcon create a functional safety management plan [D026] or project plan which is specific for each development project. This plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures referenced herein fulfill the requirements of IEC with respect to functional safety management. Version Control All documents are under version control as required by [D004 and D004b] Training, Competency recording Competency is ensured by the creation of a competency and training matrix for the project [D033]. The matrix lists all of those on the project who are working on any of the phases of the safety lifecycle. Specific competencies for each person are listed on the matrix which is reviewed by the project manager. Any deficiencies are then addressed by updating the matrix with required training for the project. T-034 V2R1 Page 11 of 16

12 5.1.2 Safety Requirements Specification and Architecture Design As defined in [D03] a safety requirements specification (SRS) is created for all products that must meet IEC requirements. For the Detcon IR-700 Combustible Gas Detector, the requirements specification [D040 and D041] contains a system overview, safety assumptions, and safety requirements sections. During the assessment, exida reviewed the content of the specification for completeness per the requirements of IEC 61508:2010. Requirements are tracked throughout the development process by the creation of a series of traceability matrices which are included in the following documents: [D040], [D056], and [D069]. The system requirements are broken down into derived hardware and software requirements which include specific safety requirements. Traceability matrices show how the system safety requirements map to the hardware and software requirements, to hardware and software architecture, to software and hardware detailed design, and to validation tests. Requirements from IEC , Table B.1 that have been met by Detcon include project management, documentation, structured specification, inspection of the specification, and checklists. Requirements from IEC , Table A.1 that have been met by Detcon include backward traceability between the safety requirements and the perceived safety needs Design Hardware design, including both electrical and mechanical design, is done according to [D03]. The hardware design process includes creating a hardware architecture specification, a peer review of this specification, creating a detailed design, a peer review of the detailed design, component selection, detailed drawings and schematics, a Failure Modes, Effects and Diagnostic Analysis (FMEDA), electrical unit testing, fault injection testing, and hardware verification tests. Requirements from IEC , Table B.2 that have been met by Detcon include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification. This meets the requirements of SIL Validation Validation Testing is done via a set of documented tests. The validation tests are traceable to the Safety Requirements Specification [D004 and D004b] in the validation test plan [D069]. The traceability matrices show that all safety requirements have been validated by one or more tests. In addition to standard Test Specification Documents, third party testing is included as part of the validation testing. All non-conformities are documented in a change request and procedures are in place for corrective actions to be taken when tests fail as documented in [D03]. Requirements from IEC , Table B.5 that have been met by Detcon include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing. Requirements from IEC , Table A.7 that have been met by Detcon include functional and black box testing, and forward and backward traceability between the software safety requirements specification and the software safety validation plan. This meets SIL 2. T-034 V2R1 Page 12 of 16

13 5.1.5 Verification Verification activities are built into the standard development process as defined in [D03]. Verification activities include the following: Fault Injection Testing, static source code analysis, module testing, integration testing, FMEDA, peer reviews and software unit testing. This meets the requirements of IEC SIL 2. Requirements from IEC , Table B.3 that have been met by Detcon include functional testing, project management, documentation, and black-box testing. Requirements from IEC , Table A.5 that have been met by Detcon include dynamic analysis and testing, data recording and analysis, functional and black-box testing, performance testing, interface testing, and test management and automation tools. Requirements from IEC , Table A.6 that have been met by Detcon include functional and black box testing, performance testing, and forward traceability between the system and software design requirements for hardware/software integration and the hardware/software integration test specifications Requirements from IEC , Table A.9 that have been met include static analysis, dynamic analysis and testing, forward traceability between the software design specification and the software verification plan. This meets the requirements of SIL Proven In Use In addition to the Design Fault avoidance techniques listed above, a Proven in Use evaluation was carried out on the Detcon IR-700 Combustible Gas Detector. Shipment records were used to determine that the Detcon IR-700 Combustible Gas Detector have >3 million operating hours and they have demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL Modifications Modifications are done per the Detcon s change management process as documented in [D026] and [D081b]. Impact analyses are performed for all changes once the product is released for integration testing. The results of the impact analysis are used in determining whether to approve the change. The standard development process as defined in [D03] is then followed to make the change. This meets the requirements of IEC SIL 2. Requirements from IEC , Table A.8 that have been met by the Detcon modification process include impact analysis, re-verify changed software modules, re-verify affected software modules, revalidate complete system or regression validation, software configuration management, data recording and analysis, and forward and backward traceability between the software safety requirements specification and the software modification plan (including re-verification and revalidation) T-034 V2R1 Page 13 of 16

14 5.1.8 User Documentation Detcon created a safety manual for the Detcon IR-700 Combustible Gas Detector [D079] which addresses all relevant operation and maintenance requirements from IEC This safety manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC Requirements from IEC , Table B.4 that have been met by Detcon include operation and maintenance instructions, maintenance friendliness, project management, documentation, and limited operation possibilities. This meets the requirements for SIL Hardware Assessment To evaluate the hardware design of the IR-700, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R3]. The FMEDA was verified using Fault Injection Testing as part of the development, see [D077], and as part of the IEC assessment. A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extension to identify online diagnostics techniques and the failure modes relevant to safety instrumented system design. From the FMEDA failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [R3]. Tables in the FMEDA report list these failure rates for the various configurations of the IR-700. The failure rates listed are valid for the useful life of the devices. These results must be considered in combination with PFD AVG of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFD AVG for each defined safety instrumented function (SIF) to verify the design of that SIF. T-034 V2R1 Page 14 of 16

15 6 Terms and Definitions Fault tolerance FIT FMEDA HFT Low demand mode PFD AVG PFH SFF SIF SIL SIS Type B element Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC , 3.6.3) Failure In Time (1x10-9 failures per hour) Failure Mode Effect and Diagnostic Analysis Hardware Fault Tolerance Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval. Average Probability of Failure on Demand Probability of dangerous Failure per Hour Safe Failure Fraction - Summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action. Safety Instrumented Function Safety Integrity Level Safety Instrumented System Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). Complex element (using complex components such as micro controllers or programmable logic); for details see of IEC T-034 V2R1 Page 15 of 16

exida accepts no liability whatsoever for the use of these numbers

review complete; 9/11/2013 LLS and JCY V1, R0: Generated from Safety

Stewart Review: John Yozallinas Release status: Released 7.

16 7 Status of the document 7.1 Liability exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based. 7.2 Releases Version: Revision: V1 R1 Version History: V1, R1: final review complete; 9/11/2013 LLS and JCY V1, R0: Generated from Safety Case and revised per comments after review; 9/09/2013 Authors: Loren Stewart Review: John Yozallinas Release status: Released 7.3 Future Enhancements At request of client. 7.4 Release Signatures Loren L Stewart, Safety Engineer John Yozallinas, Senior Safety Engineer Michel Medoff, Senior Safety Engineer T-034 V2R1 Page 16 of 16

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis Project: Detcon FP-700 Combustible Gas Sensor Customer: Detcon The Woodlands, TX USA Contract No.: DC 06/08-04 Report No.: DC 06/08-04 R001 Version V1, Revision