18 Jul 2013 ... a detailed safety case against the requirements of IEC 61508. ..... exida were
performed based on the following standards / literature. [N1] IEC 61508 (Parts 1 -
7): 2010 ... V2.xlsx v2. D078 IR-700_IM_R2-7.pdf. R2.7. 4/5/2013.
IEC 61508 Functional Safety Assessment Project: Detcon IR-700 Combustible Hydrocarbon Gas Sensor Customer:
Detcon The Woodlands, TX USA
Contract No.: Q13/06-003 Report No.: DC 13-06-003 R002 Version V1, Revision R1, September 12, 2013 Loren Stewart
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. © All rights reserved.
Management Summary This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the: Detcon IR-700 Combustible Hydrocarbon Gas Sensor The functional safety assessment performed by exida consisted of the following activities: -
exida assessed the development process used by Detcon through an audit and creation of a detailed safety case against the requirements of IEC 61508.
-
exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
-
exida reviewed field failure data to ensure that the FMEDA analysis was complete.
-
exida reviewed the manufacturing quality system in use at Detcon
The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 2. A full IEC 61508 Safety Case was prepared, using the exida SafetyCase Workbook tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. Also the user documentation (safety manual) was reviewed. The results of the Functional Safety Assessment can be summarized by the following statements: The Detcon IR-700 Combustible Gas Detector was found to meet the requirements of SIL 2. The PFDAVG and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function. The manufacturer will be entitled to use the Functional Safety Logo.
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 2 of 16
Table of Contents Management Summary ................................................................................................... 2 1 Purpose and Scope ................................................................................................... 4 2 Project management.................................................................................................. 5 exida ...............................................................................................................................5 Roles of the parties involved ...........................................................................................5 Standards / Literature used.............................................................................................5 Reference documents .....................................................................................................5 2.4.1 Documentation provided by Detcon .....................................................................5 2.5 Documentation generated by exida................................................................................8
2.1 2.2 2.3 2.4
3 Product Description ................................................................................................... 9 4 IEC 61508 Functional Safety Assessment................................................................. 9 4.1 Methodology ...................................................................................................................9 4.2 Assessment level ..........................................................................................................10 4.3 Product Modifications ....................................................................................................10
5 Results of the IEC 61508 Functional Safety Assessment ........................................ 11 5.1 Lifecycle Activities and Fault Avoidance Measures ......................................................11 5.1.1 Functional Safety Management .........................................................................11 5.1.2 Safety Requirements Specification and Architecture Design .............................12 5.1.3 Design ................................................................................................................12 5.1.4 Validation ...........................................................................................................12 5.1.5 Verification .........................................................................................................13 5.1.6 Proven In Use ....................................................................................................13 5.1.7 Modifications ......................................................................................................13 5.1.8 User Documentation ..........................................................................................14 5.2 Hardware Assessment ..................................................................................................14
6 Terms and Definitions .............................................................................................. 15 7 Status of the document ............................................................................................ 16 7.1 7.2 7.3 7.4
Liability ..........................................................................................................................16 Releases .......................................................................................................................16 Future Enhancements...................................................................................................16 Release Signatures.......................................................................................................16
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 3 of 16
1 Purpose and Scope This document shall describe the results of the IEC 61508 functional safety assessment of the Detcon:
IR-700 Combustible Hydrocarbon Gas Sensor
by exida according to the requirements of IEC 61508: ed2, 2010. The result of this assessment provides the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device. Table 1: Revisions in Assessment Scope
Detcon IR-700 Combustible Gas Detector Hardware
IR-700 is comprised of: 1. Main PCB Rev 1 2. Amplifier PCB Rev 1
Software/Firmware
V8.01N
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 4 of 16
2 Project management 2.1 exida exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.
2.2 Roles of the parties involved Detcon
Manufacturer of the Detcon IR-700 Combustible Gas Detector
exida
Performed the IEC 61508 Functional Safety Assessment
Detcon contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.
2.3 Standards / Literature used The services delivered by exida were performed based on the following standards / literature. [N1]
IEC 61508 (Parts 1 - 7): 2010
Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
2.4 Reference documents 2.4.1 Documentation provided by Detcon ID D001
Document Version Date Quality Manual Folder (zip collection of QM 17 10/31/2012 files)
D003 see D026‐FSM D003b QOP‐07‐03_Design_Develop_R5.doc
5
5/29/2013
D004
0
5/30/2013
D004b QOP‐07‐05‐01_Ctrl_Prod_Ser_R8.doc
8
5/29/2013
D005 D006 D007
5 7
9/19/2012 5/29/2013
QWI‐07‐05‐01‐04 Firmware Config Management_R0.doc
[Hazardous Events Procedure] QWI‐07‐05‐01‐80 Service R5.doc QOP‐07‐04‐01_Purchasing_R7.doc
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 5 of 16
D008
QOP‐07‐03_Design_Develop_R5.doc
5
5/29/2013
D010 QOP‐04‐02_Doc_Control_R4.doc D010b QWI‐04‐02‐01 Doc Control R7.doc D012 QOP‐08‐03_Cont_NonCoform_R5.doc
4 7 5
4/5/2010 12/4/2008 4/5/2010
D013
QOP‐08‐05_Cor‐Prev_Action_R8.doc
8
11/2/2010
D016 D019 D023 D023b D025 D026 D027 D030 D031
see D026‐FSM see D026‐FSM see D026‐FSM see D048 see D026‐FSM FSM Plan IR‐700 V2.doc see D026‐FSM IR‐700Installed Hours Table.xlsx IR700SIL2ConfirmedRMATransactions.xls
v2 n/a n/a
7/18/2013 7/8/2013 7/9/2013
D032 D033 D034 D036 D038 D040
see D026‐FSM see D026‐FSM see D026‐FSM ISO Certificate.pdf see D026‐FSM D3.1_IR‐700 System and Safety Requirements Spec V6.doc
n/a v6
3/11/2013 9/6/2013
D041 D045
IR‐700 SRS Review V1 .doc IR‐700 System Architecture V4.docx
v1 v4
7/18/2013 8/28/2013
v2
D045b IR‐ 700_System_Architecture_Review_V2.doc D053
see D048‐IA and D058, D058b and D058c ‐ code reviews
D054
see D057 and D057b, module tests
5/16/2013
V2
9/3/2013
D054b TP700 SIL2 Module Tests.zip folder and IR700 SIL2 Module Tests.zip folder D056
IR‐700 Requirements Traceability Matrix V2.xlsx
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 6 of 16
D067 D068 D069
see D066 and D066b see D066 and D066b IR‐700 Validation Test Plan V5.doc
v5
9/4/2013
D070
IR‐ 700_Validation_Test_Plan_Review_V1_.doc
v1
v4
v2
5/29/2013
R2.7 v4
4/5/2013 8/28/2013
v3
8/28/2013
n/a V1R2
3/4/2013
v8.01N
9/9/2013
D070b IR‐700 Validation Test Plan Review V4 .doc D073
CAR Database, onsite file server; see sample in D073b.
D073b TP‐700 ECR Screenshot.jpg D074 see D069‐ test plan D074b IR‐700_SIL2_Validation_Testing_Result V2.xlsx D078 D079
IR‐700_IM_R2‐7.pdf Safety_Manual_Detcon_IR‐ 700_Gas_Detector_V4.docx
D080
IR‐700 Safety Manual Review V3 .doc
D081 D081b D082 D083
0012_001_proposedchanges.pdf see D048 ‐ IA see D048 ‐ IA DC 13‐06‐003 R001_V1R2_PIU Spreadsheet‐DetconIR700.xls
D084
DETCON‐IR700‐V1Rx‐Safety Case WB‐ 61508 v1.5.xlsm
D087 D090 D091
IR700_0801N_HEX.SHA1 see D003b ‐ DevProc IR700_V801N_ReleaseNotes.pdf
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 7 of 16
2.5 Documentation generated by exida Safety Case file for Detcon IR-700 Combustible Hydrocarbon Gas Sensor
[R1]
DETCON-IR700-V1R6Safety Case WB-61508 v1.5
[R2]
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.Doc
IEC 61508 Functional Safety Assessment for Detcon IR700 Combustible Hydrocarbon Gas Sensor (This document)
[R3]
DC 06-08-04 R002 V3 R2 IR-700 FMEDA Report
IEC 61508 FMEDA for Detcon IR-700 Combustible Hydrocarbon Gas Sensor
[R4]
DC 13-06-003 R001_V1R2_PIU SpreadsheetDetconIR700.pdf
© exida T-034 V2R1
Proven In Use Analysis Report for Detcon IR-700 Combustible Hydrocarbon Gas Sensor
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 8 of 16
3 Product Description The Detcon IR-700 Combustible Hydrocarbon Gas Sensor is a three-wire 4 – 20 mA smart device to detect combustible gas hazards. It contains self-diagnostics and is programmed to send its output to a specified failure state upon internal detection of a failure. For safety instrumented systems usage, the 4 – 20 mA output is used as the primary safety variable. The IR-700 is classified as a type B1 element according to IEC 61508, having a hardware fault tolerance of 0.
4 IEC 61508 Functional Safety Assessment The IEC 61508 Functional Safety Assessment was performed based on the information received from Detcon and is documented in the safety case database [R1].
4.1 Methodology The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software modifications to achieve SIL 2 capability. Other product development aspects prior to these modifications were assessed according to Proven-InUse requirements (see section 5.1.6). The combination of these assessments demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
Development process, including: o
Functional Safety Management, including training and competence recording, FSM planning, and configuration management
o
Specification process, techniques and documentation
o
Design process, techniques and documentation, including tools used
o
Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
o
Verification activities and documentation
1
Type B element: “Complex” element (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2, ed2, 2010. © exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 9 of 16
o
Modification process and documentation
o
Installation, operation, documentation
and
maintenance
requirements,
including
user
Product design o
Hardware architecture and failure behavior, documented in a FMEDA
The review of the development procedures is described in section 5. The review of the product design is described in section 5.2.
4.2 Assessment level The Detcon IR-700 Combustible Gas Detector has been assessed per IEC 61508 to the following levels:
Systematic Safety Integrity: SIL 2 capable
Random Safety Integrity: PFDAVG and Architectural Constraints must be verified for each application.
The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of SIL 2 according to IEC 61508.
4.3 Product Modifications Detcon may make modifications to this product as needed. Modifications shall be classified into two types: Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions. Type 2 Modification: Changes allowed to be made by Detcon provided that:
A competent person from Detcon, appointed and agreed with exida, judges and approves the modifications.
The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person in respect to the modifications made.
© exida T-034 V2R1
o
List of all anomalies reported
o
List of all modifications completed
o
Safety impact analysis which shall indicate with respect to the modification:
The initiating problem (e.g. results of root cause analysis)
The effect on the product / system
The elements/components that are subject to the modification
The extent of any re-testing
o
List of modified documentation
o
Regression test plans DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 10 of 16
5 Results of the IEC 61508 Functional Safety Assessment exida assessed the development process used by Detcon during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [D03]. The development of the Detcon IR-700 Combustible Gas Detector was done per this IEC 61508 SIL 2 compliant development process. The Safety Case was updated with project specific design documents. 5.1 Lifecycle Activities and Fault Avoidance Measures Detcon has an IEC 61508 compliant modification process as assessed during the IEC 61508 certification. This compliant process is documented in [D003] and [D004]. This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 2 work scope of the development team. The result of the assessment can be summarized by the following observations: The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 2.
5.1.1 Functional Safety Management FSM Planning The functional safety management of any Detcon Safety Instrumented Systems Product development is governed by [D03]. This process requires that Detcon create a functional safety management plan [D026] or project plan which is specific for each development project. This plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures referenced herein fulfill the requirements of IEC 61058 with respect to functional safety management. Version Control All documents are under version control as required by [D004 and D004b] Training, Competency recording Competency is ensured by the creation of a competency and training matrix for the project [D033]. The matrix lists all of those on the project who are working on any of the phases of the safety lifecycle. Specific competencies for each person are listed on the matrix which is reviewed by the project manager. Any deficiencies are then addressed by updating the matrix with required training for the project.
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 11 of 16
5.1.2 Safety Requirements Specification and Architecture Design As defined in [D03] a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. For the Detcon IR-700 Combustible Gas Detector, the requirements specification [D040 and D041] contains a system overview, safety assumptions, and safety requirements sections. During the assessment, exida reviewed the content of the specification for completeness per the requirements of IEC 61508:2010. Requirements are tracked throughout the development process by the creation of a series of traceability matrices which are included in the following documents: [D040], [D056], and [D069]. The system requirements are broken down into derived hardware and software requirements which include specific safety requirements. Traceability matrices show how the system safety requirements map to the hardware and software requirements, to hardware and software architecture, to software and hardware detailed design, and to validation tests. Requirements from IEC 61508-2, Table B.1 that have been met by Detcon include project management, documentation, structured specification, inspection of the specification, and checklists. Requirements from IEC 61508-3, Table A.1 that have been met by Detcon include backward traceability between the safety requirements and the perceived safety needs.
5.1.3 Design Hardware design, including both electrical and mechanical design, is done according to [D03]. The hardware design process includes creating a hardware architecture specification, a peer review of this specification, creating a detailed design, a peer review of the detailed design, component selection, detailed drawings and schematics, a Failure Modes, Effects and Diagnostic Analysis (FMEDA), electrical unit testing, fault injection testing, and hardware verification tests. Requirements from IEC 61508-2, Table B.2 that have been met by Detcon include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification. This meets the requirements of SIL 2.
5.1.4 Validation Validation Testing is done via a set of documented tests. The validation tests are traceable to the Safety Requirements Specification [D004 and D004b] in the validation test plan [D069]. The traceability matrices show that all safety requirements have been validated by one or more tests. In addition to standard Test Specification Documents, third party testing is included as part of the validation testing. All non-conformities are documented in a change request and procedures are in place for corrective actions to be taken when tests fail as documented in [D03]. Requirements from IEC 61508-2, Table B.5 that have been met by Detcon include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing. Requirements from IEC 61508-3, Table A.7 that have been met by Detcon include functional and black box testing, and forward and backward traceability between the software safety requirements specification and the software safety validation plan. This meets SIL 2. © exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 12 of 16
5.1.5 Verification Verification activities are built into the standard development process as defined in [D03]. Verification activities include the following: Fault Injection Testing, static source code analysis, module testing, integration testing, FMEDA, peer reviews and software unit testing. This meets the requirements of IEC 61508 SIL 2. Requirements from IEC 61508-2, Table B.3 that have been met by Detcon include functional testing, project management, documentation, and black-box testing. Requirements from IEC 61508-3, Table A.5 that have been met by Detcon include dynamic analysis and testing, data recording and analysis, functional and black-box testing, performance testing, interface testing, and test management and automation tools. Requirements from IEC 61508-3, Table A.6 that have been met by Detcon include functional and black box testing, performance testing, and forward traceability between the system and software design requirements for hardware/software integration and the hardware/software integration test specifications Requirements from IEC 61508-3, Table A.9 that have been met include static analysis, dynamic analysis and testing, forward traceability between the software design specification and the software verification plan. This meets the requirements of SIL 2.
5.1.6 Proven In Use In addition to the Design Fault avoidance techniques listed above, a Proven in Use evaluation was carried out on the Detcon IR-700 Combustible Gas Detector. Shipment records were used to determine that the Detcon IR-700 Combustible Gas Detector have >3 million operating hours and they have demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL 2.
5.1.7 Modifications Modifications are done per the Detcon’s change management process as documented in [D026] and [D081b]. Impact analyses are performed for all changes once the product is released for integration testing. The results of the impact analysis are used in determining whether to approve the change. The standard development process as defined in [D03] is then followed to make the change. This meets the requirements of IEC 61508 SIL 2. Requirements from IEC 61508-3, Table A.8 that have been met by the Detcon modification process include impact analysis, re-verify changed software modules, re-verify affected software modules, revalidate complete system or regression validation, software configuration management, data recording and analysis, and forward and backward traceability between the software safety requirements specification and the software modification plan (including re-verification and revalidation)
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 13 of 16
5.1.8 User Documentation Detcon created a safety manual for the Detcon IR-700 Combustible Gas Detector [D079] which addresses all relevant operation and maintenance requirements from IEC 61508. This safety manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508. Requirements from IEC 61508-2, Table B.4 that have been met by Detcon include operation and maintenance instructions, maintenance friendliness, project management, documentation, and limited operation possibilities. This meets the requirements for SIL 2.
5.2 Hardware Assessment To evaluate the hardware design of the IR-700, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R3]. The FMEDA was verified using Fault Injection Testing as part of the development, see [D077], and as part of the IEC 61508 assessment. A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extension to identify online diagnostics techniques and the failure modes relevant to safety instrumented system design. From the FMEDA failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [R3]. Tables in the FMEDA report list these failure rates for the various configurations of the IR-700. The failure rates listed are valid for the useful life of the devices. These results must be considered in combination with PFDAVG of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each defined safety instrumented function (SIF) to verify the design of that SIF.
© exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 14 of 16
6 Terms and Definitions Fault tolerance
Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT
Failure In Time (1x10-9 failures per hour)
FMEDA
Failure Mode Effect and Diagnostic Analysis
HFT
Hardware Fault Tolerance
Low demand mode
Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
PFDAVG
Average Probability of Failure on Demand
PFH
Probability of dangerous Failure per Hour
SFF
Safe Failure Fraction - Summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF
Safety Instrumented Function
SIL
Safety Integrity Level
SIS
Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type B element
© exida T-034 V2R1
“Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 15 of 16
7 Status of the document 7.1 Liability exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based. 7.2 Releases Version: V1 Revision: R1 Version History: V1, R1: V1, R0:
final review complete; 9/11/2013 LLS and JCY Generated from Safety Case and revised per comments after review; 9/09/2013
Authors: Loren Stewart Review: John Yozallinas Release status: Released
7.3 Future Enhancements At request of client.
7.4 Release Signatures
Loren L Stewart, Safety Engineer
John Yozallinas, Senior Safety Engineer
Michel Medoff, Senior Safety Engineer © exida T-034 V2R1
DC 13-06-003 R002 V1R1 61508 Assessment Report IR-700.doc, September 12, 2013 www.exida.com Page 16 of 16