Report to the Certificate XEF 15 SIL 0039 rev.1
Monitoring System, TDSP
Manufacturer: CEMB S.p.A., Via Risorgimento n.9, 23826 Mandello del Lario (Lc), Italy
Report No.: 22CEM-TECH-15-03, Revision 2.0 of January 8, 2018
Test and Validation Body: Xefra s.r.l., Product Testing and Certification Service Unit, WTC Tower, via De Marini 1, I-16149 Genova
Table of Contents
1 Subject of Certification ... 4
2 Basis of the Certification ... 6
3 Basis of the testing ... 6
3.1 Laws ... 6
3.2 Application specific and functional safety ... 6
3.3 Environmental susceptibility ... 7
3.4 Electromagnetic compatibility ... 7
4 Overall Results ... 8
4.1 European Directives ... 8
4.2 Functional Safety ... 8
5 Safety Logic COTS Voter ... 13
6 Conclusion and Certificate Number ... 14

List of tables
Table 1: Revision history ... 3
Table 2: Abbreviations ... 3
Table 3: Identification of the system ... 5
Table 4: Laws ... 6
Table 5: Application specific and functional safety standards ... 7
Table 6: Environmental susceptibility standards ... 7
Table 7: Electromagnetic compatibility standards ... 7
Page 2 of 14
Revision history

Revision | Date       | Author                      | Modification/Description
1.0      | 13.05.2015 | M. Gennaccaro, F. Gradassi  | First issue
2.0      | 09.01.2018 | F. Gradassi                 | Second issue: update of Chapter 1 for formal revision
Table 1: Revision history

List of abbreviations

Abbreviation | Description
FMEA         | Failure mode and effect analysis
Table 2: Abbreviations
1 Subject of Certification

The present Report to the Certificate is a compilation of the most important user-related findings of the type tests on the Monitoring System TDSP. The Monitoring System TDSP consists of the following parts:

Commercial name: TDSP

Part       | HW circuit board code | FW version
CPU        | M3793 98975           | Version 1.3.1
PSU        | 92420                 |
T6-H       | 83092                 | NA
T6-R       | 3010                  | NA
T-NC/8-API | 95265                 | NA

Commercial name: Safety PLC (Voter)

Part                 | HW circuit board code | FW version
COTS Equipment       | N/A                   | Kernel: N/A
Applicative SW (CRC) |                       | 73D8ECDA
Table 3: Identification of the system
2 Basis of the Certification

The certification is based on the report: FMEA, revision 1.0, July 13th, 2015. The technical documentation and the documentation of the tests executed are deposited at the test body.

The certification of the system family according to the regulations and standards listed in section 3 verifies successful completion of the following test components:
1. Functional Safety
1.1 Failure effect analyses of the hardware modules
1.2 Guidance notes on safety in the operator manual
2. Basic / Electrical Safety
3. Susceptibility to Environmental Stress
3.1 Climates and Temperature
3.2 Physical Stress
4. EMC
4.1 Susceptibility to Electromagnetic Effects
4.2 Electromagnetic Emission

3 Basis of the testing

The regulations and guidelines which formed the basis of the type testing are listed below.

3.1 Laws

Reference  | Note
2006/42/EC | European Directive on Safety of Machinery, Council Directive of 17 May 2006
Table 4: Laws

3.2 Application specific and functional safety

Reference                  | Note
IEC 61508:2010             | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)
EN 62061:2005              | Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
EN 60204-1:2006 + A1:2009  | Safety of machinery - Electrical equipment of machines - Part 1: General requirements
EN 50178:1997              | Electronic equipment for use in power installations
Table 5: Application specific and functional safety standards

3.3 Environmental susceptibility

Reference                | Note
EN 60529:1991 + A1:2000  | Degrees of protection provided by enclosures (IP code)
EN 60068-2-1:2007        | Environmental testing - Part 2-1: Tests - Test A: Cold
EN 60068-2-2:2007        | Environmental testing - Part 2-2: Tests - Test B: Dry heat
EN 60068-2-6:2008        | Environmental testing - Part 2-6: Tests - Test Fc: Vibration (sinusoidal)
EN 60068-2-64:2008       | Environmental testing - Part 2-64: Tests - Test Fh: Vibration, broadband random and guidance
EN 60068-2-30:2005       | Environmental testing - Part 2-30: Tests - Test Db: Damp heat, cyclic (12 h + 12 h cycle)
EN 60068-2-31:2008       | Environmental testing - Part 2-31: Tests - Test Ec: Rough handling shocks, primarily for equipment-type specimens
Table 6: Environmental susceptibility standards

3.4 Electromagnetic compatibility

Reference                       | Note
ETSI EN 301489-1 V1.8.1 (2008)  | Electromagnetic compatibility and Radio spectrum Matters (ERM) - Electromagnetic Compatibility (EMC) standard for radio equipment and services - Part 1: Common technical requirements
ETSI EN 301489-17 V2.1.1 (2009) | Electromagnetic compatibility and Radio spectrum Matters (ERM) - Electromagnetic Compatibility (EMC) standard for radio equipment and services - Part 17: Specific conditions for 2,4 GHz wideband transmission systems and 5 GHz high performance RLAN equipment
EN 61000-6-4:2007               | Electromagnetic compatibility (EMC) - Part 6-4: Generic standards - Emission standard for industrial environments
EN 61000-6-2:2006               | Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments
Table 7: Electromagnetic compatibility standards
4 Overall Results

4.1 European Directives

The tests performed have shown that the Speed Monitoring TDSP complies with the relevant essential safety requirements of the Machinery Directive 2006/42/EC, subject to the conditions set out in section 3.

4.2 Functional Safety

The Speed Monitoring TDSP meets the requirements of IEC 61508 with regard to the following functions, subject to the conditions set out in section 3:

High speed detection: system used for the monitoring of the rotational velocity of safety-critical machinery.
Safety architecture: 2oo3 with COTS voter
Safety function: safety output in case of rotational overspeed detection within the specified reaction time target
Safety target: SIL 3
Reaction time target: 40 ms
Classification: Type B
Operation mode: High demand
HFT = 1

The safety function is to stop the machinery, within the specified reaction time, when the equivalent speed measured by two out of three sensors exceeds the safety threshold parameterised in FW. The following fault tree analysis shows the safety analysis of the equipment:
Fault tree (figure in the original; recoverable structure):
TOP EVENT: Undue Overspeed
- Safety Loop Failure, 2oo3 gate over the safety loops (Safety Loop 1 Failure and Safety Loop 2 Failure are shown in the figure), where each loop fails on BE1 (Sensor), BE2 (DAQ) or BE3 (Safety output)
- BE4: CCF
Basic event            | Hazard                                                                     | Subhazard                   | Countermeasure
BE1 Sensor HW Fault    | H1 Undue signal measuring: transduced velocity lower than real value       | SH1 HW fault                | FMEDA lambda d
BE2 DAQ Failure        | H2 Undue signal acquisition and elaboration: overspeed not revealed        | SH2 HW fault                | FMEDA lambda d
                       |                                                                            | SH3 SW systematic failure:  |
                       |                                                                            | a. Infinite loop            | a. Watchdog function
                       |                                                                            | b. Micro unpredictable behaviour | b. Supply voltage monitoring, periodic proof tests, loop calibration
                       |                                                                            | c. Systematic failure in code design | c. SW static analysis, SW dynamic analysis, HW/SW integration tests
                       |                                                                            | d. Corrupted speed safety threshold | d. CRC protection and ECHO function during flash configuration
BE3 Safety Output HW Fault | H3 Undue permissive output                                             | SH4 HW fault                | FMEDA lambda d
BE4 CCF                | H4 Channels not independent                                                | SH5 Power supply            | Overvoltage protection, undervoltage monitoring
                       |                                                                            | SH6 EMC/EMI influences      | Primary safety type tests
                       |                                                                            | SH7 Environmental influences | Primary safety type test (vibration)
                       |                                                                            | SH8 Systematic failure      | HW/SW diversity

The hardware assessment shows that the TDSP equipment:
- has a hardware fault tolerance (HFT) of 1 (2oo3 architecture, see section 4.2);
- is classified as a Type B device (complex component without well-defined failure modes);
- has no internal diagnostic elements.

The TDSP equipment is suitable for safety-related use under continuous supervision of the user. It fulfils the requirements of the basis of tests (see section 3), in particular the relevant requirements of IEC 61508.

Failure rates in FIT (1 FIT = one failure per 10^9 hours, i.e. per thousand million hours):

Hazard                                                                    | Subhazard                 | Item       | λsd   | λsu | λdd   | λdu
BE1 - H1 Undue signal measuring: transduced velocity lower than real value | SH1 HW fault              | T6-H       | 56    | 7   | 87    | 32
                                                                          |                           | T6-R       | 78    | 10  | 23    | 34
                                                                          |                           | T-NC/8-API | 65    | 13  | 45    | 56
BE2 - H2 Undue signal acquisition and elaboration: overspeed not revealed  | SH2 HW fault              |            | 15677 | 160 | 15980 | 34
                                                                          | SH3 SW systematic failure (a. infinite loop; b. micro unpredictable behaviour; c. systematic failure in code design; d. corrupted speed safety threshold) | Self test was tested during the HW/SW integration test session. Positive result.
BE3 - H3 Undue permissive output                                          | SH4 HW fault              |            | 14    | 29  | 0     | 28
BE4 - H4 Channels not independent                                         | SH5 Power supply; SH6 EMC/EMI influences; SH7 Environmental influences; SH8 Systematic failure | (no rates given)
99%

In the worst case, the hazard rate of the top event (Undue Overspeed Detection) is 17 FIT, in accordance with the FTA.
5 Safety Logic COTS Voter

2oo3: in this voting scheme there are three channels, two of which must be OK for the system to operate and fulfil the safety function. The 2oo3 voting principle is best applied when there is complete physical separation of the microprocessors; this, however, requires that they are located in three different modules. The following diagram (figure in the original) shows the safety architecture of the COTS voter:
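The 2oo3 decision described above and in section 4.2, combined with the CRC protection of the speed safety threshold listed as countermeasure (d) for SH3, as an added worked example. This is illustrative code written for this report; it is not the TDSP firmware nor the COTS voter's application software. The 3000 rpm threshold, the 4-byte value + CRC-32 parameter layout, the rule of degrading to 1oo2 when one channel is flagged faulty, and the sample readings are assumptions made here.

```python
"""2oo3 overspeed voter with a CRC-protected safety threshold.

Added illustrative example for this report; NOT CEMB's TDSP firmware nor the
COTS voter's application software. The parameter layout, the degraded-mode
voting rule and the sample readings are assumptions made here.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence
import zlib


class Output(Enum):
    PERMISSIVE = "permissive"  # safety output energised: machinery may run
    SAFE = "safe"              # safety output de-energised: stop machinery


@dataclass(frozen=True)
class Reading:
    """Result of one acquisition channel for one cycle.

    `valid` is False when the channel's own checks (watchdog, supply-voltage
    monitoring, ...) have flagged it, so the voter must not trust its value.
    """
    speed_rpm: float
    valid: bool = True


def protect_threshold(threshold_rpm: int) -> bytes:
    """Serialise the speed safety threshold with a CRC-32 trailer.

    Layout (assumption for this example): 4-byte big-endian value + 4-byte CRC.
    """
    payload = threshold_rpm.to_bytes(4, "big")
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def load_threshold(blob: bytes) -> Optional[int]:
    """Return the threshold only if its CRC verifies; None if corrupted."""
    if len(blob) != 8:
        return None
    payload, stored_crc = blob[:4], int.from_bytes(blob[4:], "big")
    if zlib.crc32(payload) != stored_crc:
        return None
    return int.from_bytes(payload, "big")


def vote_2oo3(readings: Sequence[Reading], threshold_blob: bytes) -> Output:
    """Decide the safety output for one cycle.

    - Corrupted threshold parameter -> SAFE (overspeed cannot be judged).
    - Three valid channels -> trip when at least 2 report overspeed (2oo3).
    - One channel flagged faulty -> degrade to 1oo2 on the remaining two
      (conservative assumption: any overspeed report trips).
    - Fewer than two valid channels -> SAFE (no majority is possible).
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voter needs exactly three channel readings")
    threshold = load_threshold(threshold_blob)
    if threshold is None:
        return Output.SAFE
    valid = [r for r in readings if r.valid]
    if len(valid) < 2:
        return Output.SAFE
    votes_needed = 2 if len(valid) == 3 else 1
    overspeed_votes = sum(1 for r in valid if r.speed_rpm > threshold)
    return Output.SAFE if overspeed_votes >= votes_needed else Output.PERMISSIVE


def corrupt(blob: bytes, index: int) -> bytes:
    """Flip one bit of a stored parameter (simulates a flash corruption)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Constructed sample: threshold 3000 rpm, channels covering the cases above.
    blob = protect_threshold(3000)
    cases = {
        "all valid, 1 over": (Reading(3100), Reading(2900), Reading(2950)),
        "all valid, 2 over": (Reading(3100), Reading(3050), Reading(2900)),
        "one faulty, 1 over": (Reading(3100), Reading(2900, valid=False), Reading(2950)),
        "two faulty": (Reading(2900), Reading(2900, valid=False), Reading(2900, valid=False)),
    }
    for name, readings in cases.items():
        print(f"{name:>20}: {vote_2oo3(readings, blob).value}")
    print(f" corrupted threshold: {vote_2oo3(cases['all valid, 1 over'], corrupt(blob, 1)).value}")
```

The point of the parameter check is that a corrupted threshold must never be used for comparison: a single flipped bit in the stored value could raise the trip point silently, so the voter drives the safe output whenever the CRC does not verify, and likewise whenever fewer than two channels are trustworthy.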
6 Conclusion and Certificate Number

The safety analyses were carried out to analyse all possible failures. The test body has checked by practical tests whether all implemented measures are adequately implemented. The requirement has been met.

This report adds the technical details and implementation conditions required for the application of the TDSP Monitoring System to the certificate: XEF 15 SIL 0039 rev.1

Xefra srl, Product Testing and Certification SU
Mauro Gennaccaro