Report to the Certificate


Report to the Certificate XEF 15 SIL 0039 rev.1
Monitoring System, TDSP
Manufacturer: CEMB S.p.A., Via Risorgimento n.9, 23826 Mandello del Lario (Lc), Italy
Report No.: 22CEM-TECH-15-03, Revision 2.0 of January 8, 2018
Test and Validation Body: Xefra s.r.l., Product Testing and Certification Service Unit, WTC Tower, via De Marini 1, I-16149 Genova

Table of Contents
1 Subject of Certification ... 4
2 Basis of the Certification ... 6
3 Basis of the testing ... 6
3.1 Laws ... 6
3.2 Application specific and functional safety ... 6
3.3 Environmental susceptibility ... 7
3.4 Electromagnetic compatibility ... 7
4 Overall Results ... 8
4.1 European Directives ... 8
4.2 Functional Safety ... 8
5 Safety Logic COTS Voter ... 13
6 Conclusion and Certificate Number ... 14

List of tables
Table 1: Revision history ... 3
Table 2: Abbreviations ... 3
Table 3: Identification of the system ... 5
Table 4: Laws ... 6
Table 5: Application specific and functional safety standards ... 7
Table 6: Environmental susceptibility standards ... 7
Table 7: Electromagnetic compatibility standards ... 7
Page 2 of 14

Revision history
Revision  Date        Author                        Modification/Description
1.0       13.05.2015  M. Gennaccaro, F. Gradassi    First issue
2.0       09.01.2018  F. Gradassi                   Second issue: update of Chapter 1 for formal revision
Table 1: Revision history

List of abbreviations
Abbreviation  Description
FMEA          Failure mode and effect analysis
Table 2: Abbreviations

1 Subject of Certification
The present Report to the Certificate is a compilation of the most important user-related findings of the type tests on the Monitoring System TDSP. The Monitoring System TDSP is composed of the following parts (the Picture column of the original table is not reproduced):

Commercial name: TDSP
Part         HW circuit board code  FW version
CPU M3793    98975                  Version 1.3.1
PSU          92420
T6-H         83092                  NA
T6-R         3010                   NA
T-NC/8-API   95265                  NA

Commercial name: Safety PLC (Voter)
Part            HW circuit board code  FW version
COTS Equipment                         Kernel: N/A; Applicative SW (CRC): 73D8ECDA
Table 3: Identification of the system

2 Basis of the Certification
The certification is based on the report: FMEA, revision 1.0, July 13th, 2015. The technical documentation and the documentation of the tests executed are deposited at the test body.
The certification of the system family according to the regulations and standards listed in section 3 verifies successful completion of the following test components:
1. Functional Safety
   1.1 Failure effect analyses of the hardware modules
   1.2 Guidance notes on safety in the operator manual
2. Basic / Electrical Safety
3. Susceptibility to Environmental Stress
   3.1 Climates and Temperature
   3.2 Physical Stress
4. EMC
   4.1 Susceptibility to Electromagnetic Effects
   4.2 Electromagnetic Emission

3 Basis of the testing
The regulations and guidelines which formed the basis of the type testing are listed below.

3.1 Laws
Reference   Note
2006/42/EC  European Directive on Safety of Machinery, Council Directive of 17 May 2006
Table 4: Laws

3.2 Application specific and functional safety
Reference                 Note
IEC 61508:2010            Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)
EN 62061, 2005            Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
EN 60204-1, 2006+A1:2009  Safety of machinery - Electrical equipment of machines - Part 1: General requirements

EN 50178, 1997            Electronic equipment for use in power installations
Table 5: Application specific and functional safety standards

3.3 Environmental susceptibility
Reference                 Note
EN 60529, 1991+A1:2000    Degrees of protection provided by enclosures (IP code)
EN 60068-2-1, 2007        Environmental testing - Part 2-1: Tests - Test A: Cold
EN 60068-2-2, 2007        Environmental testing - Part 2-2: Tests - Test B: Dry heat
EN 60068-2-6, 2008        Environmental testing - Part 2-6: Tests - Test Fc: Vibration (sinusoidal)
EN 60068-2-64, 2008       Environmental testing - Part 2-64: Tests - Test Fh: Vibration, broadband random and guidance
EN 60068-2-30, 2005       Environmental testing - Part 2-30: Tests - Test Db: Damp heat, cyclic (12 h + 12 h cycle)
EN 60068-2-31, 2008       Environmental testing - Part 2-31: Tests - Test Ec: Rough handling shocks, primarily for equipment-type specimens
Table 6: Environmental susceptibility standards

3.4 Electromagnetic compatibility
Reference                          Note
ETSI EN 301489-1 V1.8.1, 2008      Electromagnetic compatibility and Radio spectrum Matters (ERM) - Electromagnetic Compatibility (EMC) standard for radio equipment and services - Part 1: Common technical requirements
ETSI EN 301489-17 V2.1.1, 2009     Electromagnetic compatibility and Radio spectrum Matters (ERM) - Electromagnetic Compatibility (EMC) standard for radio equipment and services - Part 17: Specific conditions for 2,4 GHz wideband transmission systems and 5 GHz high performance RLAN equipment
EN 61000-6-4, 2007                 Electromagnetic compatibility (EMC) - Part 6-4: Generic standards - Emission standard for industrial environments
EN 61000-6-2, 2006                 Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments
Table 7: Electromagnetic compatibility standards

4 Overall Results

4.1 European Directives
The tests performed have shown that the Speed Monitoring TDSP complies with the relevant essential safety requirements of the Machinery Directive 2006/42/EC, subject to the conditions set out in section 3.

4.2 Functional Safety
The Speed Monitoring TDSP meets the requirements with regard to the following functions in accordance with IEC 61508, subject to the conditions set out in section 3:
High speed detection: system used for monitoring the rotational velocity of safety-critical machinery.
Safety architecture: 2oo3 with COTS voter
Safety function: safety output in case of rotational overspeed detection within the specified reaction time target
Safety target: SIL3
Reaction time target: 40 ms
Classification: Type B
Operation mode: High Demand
HFT = 1
The safety function is to stop the machinery when the equivalent speed of two out of three sensors exceeds the safety threshold parameterised in FW, within a specified reaction time. The following fault tree analysis shows the safety analysis of the equipment:

[Fault tree (figure not reproduced in the transcription): TOP EVENT "Undue Overspeed" = "Safety Loop Failure" (2oo3 gate over the individual safety loop failures, each loop comprising BE1 Sensor, BE2 DAQ and BE3 Safety output) OR BE4 CCF. Labels visible in the figure: Safety Loop 1 Failure, Safety Loop 2 Failure, Sensor, DAQ, Safety.]

Basic events, hazards, subhazards and countermeasures:

BE1 Sensor HW Fault
  Hazard: H1 Undue Signal Measuring - transduced velocity lower than real value
  Subhazard: SH1 HW Fault
  Countermeasure: FMEDA Lambda d

BE2 DAQ Failure
  Hazard: H2 Undue Signal Acquisition and Elaboration - overspeed not revealed
  Subhazard: SH2 HW Fault
  Countermeasure: FMEDA Lambda d
  Subhazard: SH3 SW Systematic Failure
    a. Infinite Loop
    b. Micro Unpredictable behavior
    c. Systematic failure in code design
    d. Corrupted speed safety threshold
  Countermeasures:
    a. Watchdog Function
    b. Supply Voltage Monitoring, Periodic Proof Tests, Loop Calibration
    c. SW Static Analysis, SW Dynamic Analysis, HW SW Integration Tests
    d. CRC Protection and ECHO Function during flash configuration

BE3 Safety Output HW Fault
  Hazard: H3 Undue Permissive Output
  Subhazard: SH4 HW Fault
  Countermeasure: FMEDA Lambda d

BE4 CCF
  Hazard: H4 Channels not independent
  Subhazard: SH5 Power Supply
  Countermeasure: overvoltage protection, undervoltage monitoring
  Subhazard: SH6 EMC EMI influences
  Countermeasure: primary safety type tests
  Subhazard: SH7 Environmental influences
  Countermeasure: primary safety type test (vibration)
  Subhazard: SH8 Systematic failure
  Countermeasure: HW SW diversity

The hardware assessment shows that the TDSP equipment:
- has a hardware fault tolerance of 2
- is classified as a Type B device (complex component without well-defined failure modes)
- has no internal diagnostic elements in these products.
The TDSP equipment is suitable for safety-related use under continuous supervision of the user. It fulfils the requirements of the basis of tests, see section 3, in particular the relevant requirements of EN ISO 61508.

Failure rates (FIT) per hazard and subhazard:
Hazard / Subhazard                                                          λsd    λsu   λdd    λdu
BE1 - H1 Undue Signal Measuring: transduced velocity lower than real value
  SH1 HW Fault, T6-H                                                        56     7     87     32
  SH1 HW Fault, T6-R                                                        78     10    23     34
  SH1 HW Fault, T-NC/8-API                                                  65     13    45     56
BE2 - H2 Undue Signal Acquisition and Elaboration: overspeed not revealed
  SH2 HW Fault                                                              15677  160   15980  34
  SH3 SW Systematic Failure (a. Infinite Loop, b. Micro Unpredictable behavior, c. Systematic failure in code design, d. Corrupted speed safety threshold): self test was tested during the HW/SW Integration test session. Positive result.
BE3 - H3 Undue Permissive Output
  SH4 HW Fault                                                              14     29    0      28
H4 Channels not independent
  SH5 Power Supply
  SH6 EMC EMI Influences
  SH7 Environmental Influences
  SH8 Systematic failure
(FIT means failures per 10^9 hours, or failures per thousand million hours)
99%
In the worst case, the hazard rate of the Top Event (Undue Overspeed Detection) is 17 FIT, in accordance with the FTA.

5 Safety Logic COTS Voter
2oo3: in this voting scheme there are three channels, two of which must be OK in order to operate and comply with the safety functions. The 2oo3 voting principle is best applied when there is complete physical separation of the microprocessors; however, that requires them to be located in three different modules. The following diagram (not reproduced in the transcription) shows the safety architecture of the COTS voter.
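An added illustration of the 2oo3 overspeed voting described in sections 4.2 and 5 (example code written for this report, not CEMB's firmware or the COTS voter's logic). Assumptions not taken from the report: each channel delivers a speed reading plus a "healthy" flag set by its own diagnostics, a channel flagged faulty is counted as demanding a trip so that the vote degrades towards the safe state, and the 1450 rpm threshold and 10 ms cycle are constructed values:

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example, not CEMB firmware. Assumption: a channel whose own
# diagnostics (watchdog, supply-voltage monitoring) have flagged it cannot
# be trusted to reveal overspeed, so it votes "trip" (fail-safe).


@dataclass(frozen=True)
class Channel:
    name: str
    speed_rpm: float
    healthy: bool


def channel_demands_trip(ch: Channel, threshold_rpm: float) -> bool:
    """A channel votes 'trip' if it measures overspeed or is diagnosed faulty."""
    return (not ch.healthy) or ch.speed_rpm > threshold_rpm


def vote_2oo3(channels: Sequence[Channel], threshold_rpm: float) -> bool:
    """True when the safety output must trip: at least two of three channels
    demand it. One faulty channel alone does not stop the machine (HFT = 1,
    availability); two faulty channels do (fail-safe)."""
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    return sum(channel_demands_trip(c, threshold_rpm) for c in channels) >= 2


def permissive_output(channels: Sequence[Channel], threshold_rpm: float) -> bool:
    """De-energise-to-trip: the permissive is held only while the vote allows
    running (an undue permissive output is hazard H3 in the report)."""
    return not vote_2oo3(channels, threshold_rpm)


def reaction_time_ms(samples, threshold_rpm: float, cycle_ms: float) -> Optional[float]:
    """Scan one sample set per voter cycle and return the elapsed time at which
    the trip is first asserted (to compare against the 40 ms target), or None."""
    for i, channels in enumerate(samples):
        if vote_2oo3(channels, threshold_rpm):
            return (i + 1) * cycle_ms
    return None


if __name__ == "__main__":
    # Constructed sample: channel 3 already diagnosed faulty, then a real overspeed.
    ramp = [
        [Channel("ch1", 1400, True), Channel("ch2", 1405, True), Channel("ch3", 0, False)],
        [Channel("ch1", 1460, True), Channel("ch2", 1440, True), Channel("ch3", 0, False)],
    ]
    print("trip asserted after", reaction_time_ms(ramp, 1450.0, cycle_ms=10.0), "ms")
```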

6 Conclusion and Certificate Number
The safety analyses were done to analyse all possible failures. The test body has checked by practical tests whether all implemented measures are adequately implemented. The requirement has been met. This report adds technical details and implementation conditions required for the application of the TDSP Monitoring System to the certificate: XEF 15 SIL 0039 rev.1
Xefra srl, Product Testing and Certification SU
Mauro Gennaccaro