IEC 61508 Assessment - exida · 2017-02-09 · © exida EFC 12-02-027 R004 V2R2 IEC 61508 Assessment DVC6200.docx, September ... D123 FHI Firmware Hardware Interface Specification


The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

exida®

IEC 61508 Functional Safety Assessment

Project:

DVC6200 SIS Digital Valve Controller and Position Monitor

Customer:

Emerson Process Management

Fisher Controls International, LLC Marshalltown, IA

USA

Contract No.: Q13-07-040
Report No.: EFC Q12/02-027 R004

Version V2, Revision R2, September 20, 2013

David E. Butler, Iwan van Beurden


© exida EFC 12-02-027 R004 V2R2 IEC 61508 Assessment DVC6200.docx, September 20, 2013

T-034 V1R2 www.exida.com Page 2 of 21

Management Summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the:

Fisher Controls International, LLC DVC6200 SIS Digital Valve Controller and Position Monitor

The functional safety assessment performed by exida consisted of the following activities:

- exida assessed the development process used by Fisher Controls International, LLC through an audit and creation of a detailed safety case against the requirements of IEC 61508.

- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed field failure data to ensure that the FMEDA analysis was complete.

- exida reviewed the manufacturing quality system in use at Fisher Controls International, LLC.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was also reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The DVC6200 SIS Digital Valve Controller, in the DETT and ETT configuration, was found to meet the systematic integrity requirements of SIL 3.

The DVC6200 SIS Position Monitor, in the Position Transmitter or Limit Switch configuration, was found to meet the systematic integrity requirements of SIL 2.

The PFDAVG and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function.

The manufacturer is entitled to use these Functional Safety Logos and may use the mark: [certification logos not reproduced in this copy]


Table of Contents

Management Summary ................................................................................................... 2

1 Purpose and Scope ................................................................................................... 4

2 Project Management .................................................................................................. 4

2.1 exida ............................................................................................................................ 4

2.2 Roles of the Parties Involved ........................................................................................ 4

2.3 Standards / Literature Used.......................................................................................... 4

2.4 Reference Documents .................................................................................................. 5

2.4.1 Documentation Provided by Fisher Controls ...................................................... 5

2.4.2 Documentation Provided by Fisher Controls for Renewal Assessment .............. 8

2.4.3 Documentation Generated by exida .................................................................. 9

3 Product Description ................................................................................................. 10

3.1 Digital Valve Controller Configurations ....................................................................... 10

3.2 Position Transmitter / Limit Switch Configurations ...................................................... 11

4 IEC 61508 Functional Safety Assessment ............................................................... 13

4.1 Methodology .............................................................................................................. 13

4.2 Assessment Level ...................................................................................................... 13

4.3 Product Modifications ................................................................................................. 14

5 Results of the IEC 61508 Functional Safety Assessment ............................................ 14

5.1 Lifecycle Activities and Fault Avoidance Measures .................................................... 14

5.1.1 Functional Safety Management ....................................................................... 15

5.1.2 Safety Requirements Specification and Architecture Design ............................ 15

5.1.3 Hardware Design ............................................................................................. 15

5.1.4 Software (Firmware) Design ............................................................................ 16

5.1.5 Validation ......................................................................................................... 16

5.1.6 Verification ....................................................................................................... 17

5.1.7 Modifications ................................................................................................... 17

5.1.8 User Documentation ........................................................................................ 17

5.2 Hardware Assessment ............................................................................................... 19

6 Terms and Definitions .............................................................................................. 20

7 Status of the document ............................................................................................ 21

7.1 Liability ....................................................................................................................... 21

7.2 Releases .................................................................................................................... 21

7.3 Future Enhancements ................................................................................................ 21

7.4 Release Signatures .................................................................................................... 21


1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the Fisher Controls International, LLC (hereafter Fisher Controls):

DVC6200 SIS Digital Valve Controller

DVC6200 SIS Position Monitor

by exida according to the requirements of IEC 61508: ed2, 2010.

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

2 Project Management

2.1 exida

exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the Parties Involved

Fisher Controls: Manufacturer of the DVC6200 SIS Digital Valve Controller and DVC6200 SIS Position Monitor

exida: Provided services to support Fisher Controls during the evaluation of the DVC6200 SIS Digital Valve Controller and DVC6200 SIS Position Monitor

exida: Performed the IEC 61508 Functional Safety Assessment according to IEC 61508 SIL 3.

Fisher Controls International, LLC contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature Used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7): 2010

Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems


2.4 Reference Documents

2.4.1 Documentation Provided by Fisher Controls

D03 Quality Management System Manual - qmsm1.pdf Issue 2, Revision F; 1/2/2012

D04 PMP Project Management Plan 08GA05.doc Revision B; 4/27/2010

D07 Development Process SIS - es269.pdf Revision A; 3/19/2010

D11 SRS Verification Checklist Section 1 08GA05.doc Revision A; 5/16/2012

D117 Proven In Use Calculations For PIC module.xls 8/23/2012

D12 Supplier Quality Manual - fgs15b13.pdf Issue 0, Revision A; 11/1/2010

D120 Search of SMS CTS calls containing DVC6200f as a device type.xls informal; 8/12/2012

D121 DVC6200F SHIPMENT JAN10 TO YTD.XLS INFORMAL REPORT; 8/12/2012

D122 08GA05 FMEDA Proven_in_use.doc Revision A; 6/12/2012

D123 FHI Firmware Hardware Interface Specification 08GA05.doc Revision A;

D124 SIS course descriptions.docx Database Report; 8/1/2012

D125 08GA05-PTR-Valve Shutdown SIS EMC Tests.xlsx Revision A; 6/20/2012

D126 08GA05-PTR-Transmitter EMC Tests.xlsx Revision A; 6/12/2012

D135 Bill of Material for Options board Revision B, Draft;

D136 Bill of Material for Main Board Revision B, Draft;

D14 Method of Revising Drawings and Other Engineering Documents - es2.pdf Revision EH; 5/2/2011

D15 Engineering Change Request Procedure - es192.pdf Revision AA; 4/5/2010

D17 FIELDVUE SIS Corrective Action Procedures - FGS10H2.pdf Revision A; 5/19/2012

D23 Functional Safety Personnel Assessment.xls Report from online tool;

D26 Control Standard for Calibration - es243.pdf Revision F; 7/7/1999

D27 Product Safety - es235.pdf Revision J; 9/29/2003

D34 Peer Review Procedure - EP44.pdf Revision A; 4/20/2009

D34b Technical Assessment Process - es238 Revision K; 1/17/2011

D35 SaRS Safety Requirements Specification 08GA05.doc Revision B; 9/11/2012

D39 SaRS review record.docx (report from MS Outlook); 4/17/2012


D39b Document Approval Process Revision A; 2/17/2012

D40 08GA05-ERS-Electronic Requirements.doc Revision B; 2/17/2012

D41a SRS_main_08GA05.doc Rev. C; 9/15/2012

D41b SRS_transmitter_08GA05.doc Rev. D; 6/7/2012

D43 SAD System Architecture Document 08GA05.doc Revision A; 3/17/2010

D45a Schematics: GE36850_B_MagneticFB_Schem.pdf Revision B; 11/10/2009

D45b Schematics: GE45723_A_Remote_MagneticFB_Schem.pdf Revision A; 6/1/2010

D45c Schematics: GE47066_B_Main_Schem.pdf Revision B; 7/29/2011

D45d Schematics: GE47067_A_Options_Schem.pdf Revision A; 7/11/2011

D45e Schematics: GE48591_A_Term_Schem.pdf Revision A; 7/11/2011

D45f Schematics: LCP100 Rev B schematic.pdf Revision B; 7/19/2006

D47 Software Coding Practice - ep25.pdf Revision C; 8/9/2008

D47a Mainboard Firmware Architecture.doc DRAFT B; 5/15/2012

D47b Options board firmware architecture document.doc Revision A; 8/15/2007

D49 TAR Technical Assessment Report FW3 08GA05 _ Panther.doc Revision A; 4/11/2012

D49a SDD - Program Flow Control Monitoring - 08GA05.doc Revision B; 9/13/2012

D49b SDD - Critical Data Protection - 08ga05.doc Revision A; 4/8/2011

D4d Incident Tracking Process - ep37.pdf Revision A; 1/6/2003

D51a FTR-Firmware Test Report DVC6200 wTransmitter FW3.doc Revision B; 9/11/2012

D52a EFC 12-02-027 R003 V1R4 FMEDA DVC6200 ESD_ETT.pdf Version 1, Revision 4; 5/18/2012

D52b EFC 12-02-027 R002 V1R4 FMEDA DVC6200 ESD_DETT.pdf Version 1, Revision 3; 5/21/2012

D52c EFC 12-02-027 R001 V1R1 FMEDA DVC6200 Pos_Mon Version1 Revision1; 6/8/2012

D54a TraceMatrix.vsd Informal; 9/24/2012

D54b Safety Validation Trace Matrix 08GA05.docx Revision A; 9/24/2012

D56a FI Points ESD.PDF Handwritten markups to Rev. B schematics;

D56b FI Points Position Monitor.PDF Handwritten markups to Rev. B schematics;

D59a Fisher_DVC.lnt No Version;

D59b Fisher_dvc_Lint Configuration File.lnt No Version;


D60 Lint Results FW3.zip Zip File with various versions; 2/21/2012

D61h ModTest_CriticalData_ReadMe.txt No Version; 1/4/2012

D61i AuxInput.doc No Version; 5/3/2012

D62a UTP - analog - 08GA05.doc Revision B; 3/9/2011

D62b UTP - Input Signal Processing - 08GA05.doc Revision B; 9/18/2012

D62c UTP - Low_thrd.c - 08GA05.doc Revision A; 5/20/2009

D62d UTP - Ramps.msa - 08GA05.doc Revision B; 9/18/2012

D62e Schedule_msa.doc Revision A; 5/22/2009

D65 CMP Configuration Management Plan 08GA05.doc Revision A; 5/2/2012

D68a PTP Product Master Test Plan 08GA05.doc Revision A; 5/2/2012

D68b FTP - Firmware Test Plan DVC6200 wTransmitter FW3.doc Revision A; 9/29/2011

D68c 08GA05-PTP-Electronics Prototype Test Plan.doc Revision B; 9/10/2010

D70d Safety Validation Test Plan 08GA05 Revision A; 9/13/2012

D70e TC-Positioner Safety Validation Test Cases 08GA05 Revision A; 9/6/2012

D70f TC-Options module safety validation tst cases 08GA05 Revision A; 9/20/2012

D77a PTR-Positioner Safety Validation Test report 08GA05 Revision A; 9/20/2012

D77b PTR-Options Safety Validation Test Report 08GA05 Revision A; 9/20/2012

D80a 08GA05-PTR-FaultInjectiontest.doc Revision A; 4/19/2012

D80b 08GA05-PTR-TransmitterFaultInjection.doc Revision A; 3/12/2012

D81 Quick Start Guide - d1035556x012.pdf No Version; 5/12/2012

D82 Safety Manual - D103601X012_Sep12.pdf No Version; 9/1/2012

D86 Control of Engineering Documents - es102.pdf Revision AB; 7/10/2011

D88 apprv_7.doc (impact analysis report template) Form Revision Q; 6/9/2011

D94a ValidationOfCompliance-EW430-5 50-signed.pdf Revision 6; 2/18/2011

D94b icc6812.txt Revision 1.19;

D100 exida Derived Requirements Document Checklist 9/9/2012

D103 exida HW Fault Injection Test Plan and Results Checklist 7/19/2012

D104 exida Hardware Development Phase Verification Checklist 9/19/2012

D105 exida Software Architecture and Design Phase Checklist 9/20/2012

D106 exida FMEDA Checklist.doc 9/19/2012


D107 exida SW Implementation Phase Verification Checklist 9/20/2012

D108 exida Integration Test Execution Phase Verification Checklist 9/24/2012

D109 exida Validation Test Execution Phase Checklist 9/24/2012

D110 exida Functional Safety Assessment Phase Verification Checklist 9/24/2012

D111 exida Safety Manual Document Checklist 9/19/2012

D112 exida Modification Phase Verification Checklist 9/19/2012

D113 exida IEC 61508-2010 SIL 2 Tables Checklist 9/24/2012

D114 exida IEC 61508-2010 SIL 3 Tables Checklist 9/24/2012

D92 exida FSM Planning Phase Verification Checklist 9/24/2012

D93 exida Configuration Management Checklist 6/12/2012

D94 exida Software Tools Checklist 9/24/2012

D95 exida Safety Validation Test Plan Document Checklist 9/24/2012

D96 exida Safety Requirements Specification Document Checklist 7/23/2012

D97 exida Integration Test Plan Document Checklist 9/24/2012

D98 exida Proven In Use Checklist 9/19/2012

D99 exida System Architecture Phase Verification Checklist 9/20/2012

D101 SHA-1 Hash Codes (e-mail) 10/02/2012

D102 DVC 6200-6000 software HAZOP project report 04/26/2010

2.4.2 Documentation Provided by Fisher Controls for Renewal Assessment

Updated and new documentation, reviewed in the assessment, is listed in the following table.

Doc. ID Project Document Filename Revision; Date

D201 es269.pdf Rev. B; 08/15/2013

D202 em_dvc6200x1~bm.pdf Rev. BM; 01/0/1900

D202b em_dvc6200x3~af.pdf Rev. AF; 07/30/2013

D203 D60 Code Coverage Analysis Technique.doc Rev. A; 07/23/2013

D203b ep59.pdf Rev. A; 05/20/2013

D204 form_insteng_Impact_Analysis_Report_-_IAR_template.docx Rev. T; --

D205 PMP Project Mangement Plan 08GA05.doc Rev. C; 10/2/2012

D206 em_dvc6200x3~af.pdf Rev. AF; 07/30/2013

D206b em_dvc6200x1~bm.pdf Rev. BM; 07/30/2013


D207 130426 IEC61508 Training Logs.xls N/A; N/A

D208 SaRS Safety Requirements Specification 08GA05.doc Rev. D; 08/5/2013

D209 DVC6200 HW2 System model.EAP HW2; 08/15/2013

D210 DVC6200 HW2 Architecture document approval.pdf N/A; 08/13/2013

D211 D60 Code Coverage Results - FW6.doc Rev. A; 07/23/2013

D212 analog.txt N/A; N/A

D212b program_flow.txt N/A; N/A

D213 FTP - Firmware Test Plan DVC6200 wTransmitter FW6.doc Rev. A; 06/3/2013

D213b FTP Explanation.doc --; 09/5/2013

D213c Test_analog.c ; 04/1/2011

D214 D103601X012_Sep13_draft_1.pdf Draft 1; 09/9/2013

D215 ECRN 20110404-IAR-Add 2nd wire clip to DVC6015.doc Rev. A; 03/19/2013

D215b ECRN 20122162-IAR DVC6200 HW2 FW4.doc Rev. A; 09/20/2012

D215c ECRN 20122645-IAR - Relocate the option configuration of HW2 in FGS12D106 and FGS3B61.docx Rev. A; 02/20/2013

D215d ECRN 20122808-IAR-02 DVC6200 HW2 FW5.doc Rev. C; 03/5/2013

D215e ECRN 20122983-IAR-Change Cap Tolerance on Main Board BOM.doc Rev. A; 02/28/2013

D215f ECRN 20131416-IAR DVC6200 HW2 FW6.pdf Rev. A; 07/2/2013

2.4.3 Documentation Generated by exida

[R1] DVC 6200 SafetyCaseDB.esc

Safety Case

[R2] Emerson Fisher DVC6200 Recertification - Proven In Use Analysis.xls

Analysis of field failure data against failure rates predicted by FMEDA.

[R3] EFC 12-02-027 R004 V2R1 IEC 61508 Assessment DVC6200.docx, September 20, 2013

IEC 61508 Functional Safety Assessment for DVC6200 SIS Digital Valve Controller and Position Monitor (This document)


3 Product Description

The Fisher Controls DVC6200 SIS Digital Valve Controller is a communicating, microprocessor-based current-to-pneumatic instrument used in many different industries including oil and gas, power, pulp and paper, chemical, and food and beverage for safety applications. In Safety Instrumented System applications, the DVC6200 SIS Digital Valve Controller can also perform partial valve stroke testing either automatically or manually in addition to supporting the final control element safety function. The partial valve stroke test monitors actuator pressure and valve stem position as well as various internal parameters. The term “DVC6200 SIS Valve Controller” may be used, herein, to indicate this function of the device.

The device can also be configured to operate as a Position Transmitter or Limit Switch device. The term “DVC6200 SIS Position Monitor” may be used, herein, to indicate this function of the device.

3.1 Digital Valve Controller Configurations

In one of the Digital Valve Controller configurations (ETT or DETT), as indicated in the following figure, the DVC6200 SIS Digital Valve Controller receives an input signal from the logic solver system. This input signal is 4-20 mA, 0-20 mA or 0-24 Vdc. The DVC6200 SIS Digital Valve Controller controls an actuator via output A, via output B, or via output A and output B. This accounts for the different operating modes of the mechanical parts as shown in Figure 1. The DVC6200 SIS Digital Valve Controller, in the 4-20 mA, 0-20 mA or 0-24 Vdc configuration, is classified as a Type A device (see footnote 1), having a hardware fault tolerance of 0.

In the single-acting operating mode, only one output is used. During normal operation the output is pressurized. If a safety demand is required, the output is depressurized.

In the double acting operating modes both outputs are used, with the pressure differential controlling the valve’s position.

It is assumed that the DVC6200 SIS Digital Valve Controller – actuator combination will fail safe on loss of air pressure because of the spring return action in the actuator. The actuator is controlled by the DVC6200 SIS Digital Valve Controller. The valve is controlled by the actuator. A valve travel feedback signal is read by the digital valve controller but is not part of the safety critical path. The feedback signal is required to perform a PVST.

1 Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2, ed2, 2010.


[Figure 1 is a block diagram, not reproduced in this copy. It shows the Logic Solver sending a current signal to the DVC6200 SIS Digital Valve Controller, whose Terminal Box, Printed Circuit Boards, I/P Converter and Pneumatic Relay lie inside the marked FMEDA scope, together with the Air Supply, the Actuator, the Valve, the Feedback Sensor, the optional LCPxxx, and the output switch or transmitter.]

Figure 1 DVC6200 SIS Digital Valve Controller, Parts included in the FMEDA

In addition to the DVC6200 SIS Digital Valve Controller external connections, Figure 1 also shows the main parts of the digital valve controller. The DVC6200 SIS Digital Valve Controller is composed of electrical and mechanical parts. The FMEDA was done on the entire product.

3.2 Position Transmitter / Limit Switch Configurations

In the Position Transmitter and the Limit Switch configurations the DVC6200 SIS Position Monitor Feedback Sensor measures the valve position. The electronics on the Printed Circuit Boards convert the position into a 4-20 mA signal in the Transmitter mode or a discrete output in the Switch mode. The discrete output indicates whether the valve position is above or below a configurable threshold. The Feedback Sensor can be a potentiometer, a local magnetic sensor or a remote magnetic sensor.

In addition to the DVC6200 SIS Position Monitor external connections, Figure 2 also shows the main parts of the device. The DVC6200 SIS Position Monitor is composed of electrical and mechanical parts. Note that the device, in either of these configurations, is classified as a Type B element (see footnote 2), according to IEC 61508, having a hardware fault tolerance of 0.

2 Type B element: “Complex” element (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2, ed2, 2010.


[Figure 2 is a block diagram, not reproduced in this copy. It shows the same elements as Figure 1 (Logic Solver, current signal, Terminal Box, Printed Circuit Boards, I/P Converter, Pneumatic Relay, Air Supply, Actuator, Valve, Feedback Sensor, optional LCPxxx, output switch or transmitter) plus the Valve Mounting Kit, with the FMEDA scope marked and part of the diagram annotated "not part of the Position Monitor Safety Function".]

Figure 2 DVC6200 SIS Position Monitor, Parts included in the FMEDA


4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Fisher Controls and is documented in the safety case database [R1].

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

- Development process, including:

o Functional Safety Management, including training and competence recording, FSM planning, and configuration management
o Specification process, techniques and documentation
o Design process, techniques and documentation, including tools used
o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
o Verification activities and documentation
o Modification process and documentation
o Installation, operation, and maintenance requirements, including user documentation

- Product design

o Hardware architecture and failure behavior, documented in a FMEDA
o Software architecture and failure behavior, documented in a Software Criticality and HAZOP report

The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.2.

4.2 Assessment Level

The DVC6200 SIS Digital Valve Controller and the DVC6200 SIS Position Monitor have been assessed per IEC 61508 to the following levels:

- Systematic Safety Integrity: SIL 3 capable (Digital Valve Controller configurations only)

- Systematic Safety Integrity: SIL 2 capable (Position Monitor configurations)

- Random Safety Integrity: PFDAVG and Architectural Constraints must be verified for each application.
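The report certifies systematic capability only and leaves the random hardware integrity check (PFDavg and Architectural Constraints) to the end user, and section 3 states the element type (Type A for the valve controller, Type B for the position monitor) and a hardware fault tolerance of 0 that feed that check. The following Python is an added example, not part of the exida report or of any Fisher Controls deliverable, showing how a safety instrumentation engineer would carry out that per-element verification: the simplified 1oo1 PFDavg equation of IEC 61508-6 Annex B, the PFDavg bands of IEC 61508-1 Table 2, and the Route 1H architectural constraint tables of IEC 61508-2 (Tables 2 and 3), combined with the systematic capability stated in this report. Every failure rate, proof test interval, repair time and element definition in the block is an assumed illustration value, not a figure taken from the DVC6200 FMEDA reports [D52a-c].

```python
"""Added example, not from the exida report or from Fisher Controls: a
per-element check of the two random hardware integrity requirements the
report leaves to the end user, PFDavg against the IEC 61508-1 target
failure measure bands and the Route 1H architectural constraints of
IEC 61508-2 Tables 2 and 3 (element type, hardware fault tolerance, safe
failure fraction), combined with the systematic capability the report
certifies. All failure rates, intervals and repair times are ASSUMED
illustration values, not figures from the DVC6200 FMEDA reports.
"""
from dataclasses import dataclass

FIT = 1e-9                 # one failure in 10^9 hours
HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2, low demand mode: PFDavg >= lo and < hi for each SIL.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# IEC 61508-2 Table 2 (Type A) and Table 3 (Type B), Route 1H.
# For each SFF band: maximum SIL at HFT 0, HFT 1, HFT 2. 0 means "not allowed".
ROUTE_1H = {
    "A": {"<60": (1, 2, 3), "60-90": (2, 3, 4), "90-99": (3, 4, 4), ">=99": (3, 4, 4)},
    "B": {"<60": (0, 1, 2), "60-90": (1, 2, 3), "90-99": (2, 3, 4), ">=99": (3, 4, 4)},
}


def sff_band(sff):
    """Map a safe failure fraction (0..1) to the SFF row of Tables 2/3."""
    if sff < 0.60:
        return "<60"
    if sff < 0.90:
        return "60-90"
    if sff < 0.99:
        return "90-99"
    return ">=99"


@dataclass
class Element:
    name: str
    element_type: str           # "A" (non-complex) or "B" (complex, e.g. microcontroller)
    hft: int                    # hardware fault tolerance of this element
    systematic_capability: int  # SIL capability from the assessment report
    lambda_sd: float            # safe detected failure rate, per hour
    lambda_su: float            # safe undetected
    lambda_dd: float            # dangerous detected
    lambda_du: float            # dangerous undetected

    def sff(self):
        """SFF = (safe + dangerous detected) / total, IEC 61508-2 Annex C."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return (self.lambda_sd + self.lambda_su + self.lambda_dd) / total

    def pfd_avg_1oo1(self, proof_test_interval_h, mttr_h):
        """Simplified 1oo1 equation of IEC 61508-6 Annex B (single channel, HFT 0)."""
        return (self.lambda_du * (proof_test_interval_h / 2.0 + mttr_h)
                + self.lambda_dd * mttr_h)


def pfd_sil(pfd):
    """SIL band a PFDavg value falls into; 0 if it is worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        lo, hi = PFD_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return 0


def arch_constraint_sil(el):
    """Maximum SIL allowed by Route 1H for the element's type, HFT and SFF."""
    return ROUTE_1H[el.element_type][sff_band(el.sff())][min(el.hft, 2)]


def achieved_sil(el, proof_test_interval_h, mttr_h):
    """An element supports at most the weakest of its three limits."""
    return min(pfd_sil(el.pfd_avg_1oo1(proof_test_interval_h, mttr_h)),
               arch_constraint_sil(el),
               el.systematic_capability)


# Constructed illustration elements (assumed numbers, not FMEDA results).
VALVE_CONTROLLER = Element("valve controller, Type A, HFT 0", "A", 0, 3,
                           lambda_sd=0.0, lambda_su=200 * FIT,
                           lambda_dd=300 * FIT, lambda_du=100 * FIT)
POSITION_MONITOR = Element("position monitor, Type B, HFT 0", "B", 0, 2,
                           lambda_sd=0.0, lambda_su=100 * FIT,
                           lambda_dd=400 * FIT, lambda_du=50 * FIT)
LOW_SFF_TYPE_B = Element("complex element with weak diagnostics", "B", 0, 2,
                         lambda_sd=0.0, lambda_su=100 * FIT,
                         lambda_dd=100 * FIT, lambda_du=300 * FIT)

if __name__ == "__main__":
    ti, mttr = 1 * HOURS_PER_YEAR, 8.0   # annual proof test, 8 h repair (assumed)
    for el in (VALVE_CONTROLLER, POSITION_MONITOR, LOW_SFF_TYPE_B):
        pfd = el.pfd_avg_1oo1(ti, mttr)
        print(f"{el.name}: SFF={el.sff():.1%} PFDavg={pfd:.2e} "
              f"PFD SIL={pfd_sil(pfd)} arch SIL={arch_constraint_sil(el)} "
              f"-> element SIL {achieved_sil(el, ti, mttr)}")
```

With the assumed numbers the Type A valve controller reaches a PFDavg in the SIL 3 band, yet its SFF of 83% at HFT 0 caps it at SIL 2 under Table 2, which is exactly why the report insists that both PFDavg and the Architectural Constraints be verified for each application rather than read off the systematic capability alone. The third element shows the Type B edge case: with SFF below 60% and HFT 0, Route 1H allows no SIL at all, whatever its PFDavg. Adding a redundant channel (HFT 1) or improving diagnostic coverage changes the table row, not the PFDavg, so the two checks move independently.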


The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of SIL 3 according to IEC 61508. As the software for a diagnostic function is classified with a C2 criticality, techniques and measures implemented during the development are only required to be SIL 2 capable. For the Transmitter / Limit Switch configurations the software is classified as C1 criticality and is therefore limited to SIL 2.

4.3 Product Modifications

The modification process has been successfully assessed and audited, so Fisher Controls may make modifications to this product as needed, provided that:

- Fisher Controls has appointed a competent person(s) to judge and approve modifications.

- The modification documentation listed below must be submitted to exida, prior to a renewal of the certification, for review of the decisions made by the competent person(s), with respect to the modifications made.

o List of all anomalies reported
o List of all modifications completed
o Safety impact analyses which shall indicate with respect to a modification:
  - The initiating problem (e.g., results of root cause analysis)
  - The effect on the product / system
  - The elements / components that are subject to the modification
  - The extent of any re-testing (including any regression test plans)
o List of modified documentation

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Fisher Controls during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development of the DVC6200 SIS Digital Valve Controller was done per this IEC 61508 SIL 3 compliant development process. Some of the DVC6200 SIS Position Monitor firmware was developed under the same SIL 3 compliant process, with some SIL 2 techniques used for the firmware. The Safety Case was updated with project specific design documents.

5.1 Lifecycle Activities and Fault Avoidance Measures

Fisher Controls has an IEC 61508 compliant development process as assessed during this IEC 61508 certification. This compliant development process is documented in [R1].

This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for DVC6200 SIS development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 (Digital Valve Controller) and SIL 2 (Position Monitor) work scopes of the development team. The result of the assessment can be summarized by the following observations:

- The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3 for the DVC6200 SIS Digital Valve Controller.

- The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 2 for the DVC6200 SIS Position Monitor.

5.1.1 Functional Safety Management

FSM Planning
The functional safety management of any Fisher Controls Safety Instrumented Systems Product development is governed by [D07]. This process requires that Fisher Controls create a project plan [D04] which is specific for each development project. The Project Plan defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures, referenced in section 2.4.1, fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control
All documents are under version control as required by [D65].

Training, Competency recording
Competency is ensured by the project plan [D04], which describes roles and responsibilities of project team members. Title descriptions are maintained at a company level to define the skills associated with specific titles. Training records are maintained, including those for functional safety training, by a company database [D23].

5.1.2 Safety Requirements Specification and Architecture Design

As defined in [D07] a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. For the DVC6200 SIS Digital Valve Controller and Position Monitor, the requirements specification [D35] contains a system overview, safety assumptions, and safety requirements sections. During the assessment, exida certification reviewed the content of the specification for completeness per the requirements of IEC 61508.

Requirements are tracked throughout the development process by the use of a requirements management database [D54a] [D54b]. The system requirements are broken down into derived hardware requirements [D40] and software requirements [D41a] [D41b] and safety requirements [D35]. Traceability matrices show how the system safety requirements map to the hardware and software requirements, to hardware and software architecture, to software and hardware detailed design, and to validation tests [D54a] [D54b].

Requirements from IEC 61508-2, Table B.1 that have been met by Fisher Controls include project management, documentation, structured specification, inspection of the specification, and checklists.

The Safety Requirements and Architecture Design meet the requirements of SIL 3.

5.1.3 Hardware Design

Hardware design, including both electrical and mechanical design, is done according to [D7]. The hardware design process includes creating a hardware architecture specification, a peer review of this specification, creating a detailed design, a peer review of the detailed design, component selection, detailed drawings and schematics, a “Failure Modes, Effects and Diagnostic Analysis” (FMEDA), electrical unit testing, fault injection testing, and hardware verification tests.

Requirements from IEC 61508-2, Table B.2 that have been met by Fisher Controls include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, and inspection of the specification. This is also documented in [D114]. This meets the requirements of SIL 3.

5.1.4 Software (Firmware) Design

The safety function of the DVC6200 SIS Digital Valve Controller is implemented by a Type A circuit. The firmware on the main printed circuit board was assessed to SIL 2 capability for both the Digital Valve Controller and for the Position Monitor. Note that the Digital Valve Controller firmware is independent of the safety function and may be assessed at SIL 2 capability (SIL 3 minus 1), per IEC 61508, Part 2, section 7.4.3.2.

The firmware on the Position Monitor printed circuit board implements part of the safety function for the DVC6200 SIS Position Monitor (Type B), and was therefore assessed to SIL 2 capability. Note that this firmware is also independent of the Digital Valve Controller safety function.

Firmware design is carried out according to [D7]. The software design process includes software architecture design and peer review, detailed design and peer review, critical code reviews, static source code analysis and unit test.

Requirements from IEC 61508-3, Table A.2 that have been met by Fisher Controls include fault detection, backward recovery, modular approach, use of trusted/verified software elements, time-triggered architecture and static resource allocation.

Requirements from IEC 61508-3, Table A.3 that have been met by Fisher Controls include suitable programming language, strongly typed programming language, language subset, and tools and translators: increased confidence from use.

Requirements from IEC 61508-3, Table A.4 that have been met by Fisher Controls include modular approach, design and coding standards, structured programming, use of trusted/verified software modules and components.

This is also documented in [D113]. This meets the requirements of SIL 2.

5.1.5 Validation

Validation Testing is done via a set of documented tests. The validation tests are traceable to the Safety Requirements Specification [D35] in the validation test plan [D68a] [D68b] [D68c] [D70d] [D70e] [D70f]. The traceability matrices, [D54a] and [D54b], show that all safety requirements have been validated by one or more tests. All non-conformities are documented in a change request and procedures are in place for corrective actions to be taken when tests fail as documented in [D15].

Requirements from IEC 61508-2, Table B.5 that have been met by Fisher Controls include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, failure analysis, expanded functional testing, and black-box testing.

Requirements from IEC 61508-3, Table A.7 that have been met by Fisher Controls include functional and black box testing.

[D113] and [D114] document more details on how each of these requirements has been met. This meets SIL 3, except for software requirements, which meet SIL 2, as targeted.

5.1.6 Verification

Verification activities are built into the standard development process as defined in [D07]. Verification activities include the following: Fault Injection Testing, static source code analysis, module testing, integration testing, FMEDA, peer reviews and both hardware and software unit testing. In addition, safety verification checklists are filled out for each phase of the safety lifecycle. This meets the requirements of IEC 61508 SIL 3.

Requirements from IEC 61508-2, Table B.3 that have been met by Fisher Controls include functional testing, project management, documentation, black-box testing.

Requirements from IEC 61508-3, Table A.5 that have been met by Fisher Controls include dynamic analysis and testing, data recording and analysis, functional and black box testing, performance testing, test management and automation tools.

Requirements from IEC 61508-3, Table A.6 that have been met by Fisher Controls include functional and black box testing, performance testing.

Requirements from IEC 61508-3, Table A.9 that have been met include static analysis, and dynamic analysis and testing.

[D113] and [D114] document more details on how each of these requirements has been met. This meets the requirements of SIL 3, except for software requirements which meet SIL 2, as targeted.

5.1.7 Modifications

Modifications are done per the Fisher Controls change management process as documented in [D15] [D15b]. Impact analyses [D88] are performed for all changes once the product is released for integration testing. The results of the impact analysis are used in determining whether to approve the change. The standard development process as defined in [D7] is then followed to make the change. The handling of hazardous field incidents and customer notifications is governed by [D27]. This procedure includes identification of the problem, analysis of the problem, identification of the solution, and communication of the solution to the field. This meets the requirements of IEC 61508 SIL 3.

Requirements from IEC 61508-3, Table A.8 that have been met by the Fisher Controls modification process include impact analysis, re-verify changed software modules, re-verify affected software modules, revalidate complete system, regression validation, software configuration management, data recording and analysis. This meets the requirements of SIL 2.

5.1.8 User Documentation

Fisher Controls created a safety manual [D82] for the DVC6200 SIS Digital Valve Controller and the DVC6200 SIS Position Monitor, which addresses all relevant operation and maintenance requirements from IEC 61508. This safety manual was assessed by exida certification. The final version is considered to be in compliance with the requirements of IEC 61508.

Requirements from IEC 61508-2, Table B.4 that have been met by Fisher Controls include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes and operation only by skilled operators.

[D114] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.

5.2 Hardware Assessment

To evaluate the hardware design of the DVC6200 SIS Digital Valve Controller, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida. This is documented in [D52a, b, c].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [D52a, b, c] which is available from Fisher Controls. Tables in the FMEDA report list these failure rates for the DVC6200 SIS Digital Valve Controller under a variety of applications. The failure rates listed are valid for the useful life of the devices.

Note, as the DVC6200 SIS Digital Valve Controller and Position Monitor are only one part of a (sub-)system, the SFF should be calculated for the entire final element combination.

These results must be considered in combination with PFDavg values of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraints requirements of IEC 61508-2, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.

The analysis shows that the design of the DVC6200 SIS Digital Valve Controller can meet the hardware requirements of IEC 61508, SIL 3 depending on the complete final element design.

The analysis shows that the design of the DVC6200 SIS Position Monitor can meet the hardware requirements of IEC 61508, SIL 2.

The Hardware Fault Tolerance, PFDavg, and Safe Failure Fraction requirements of IEC 61508 must be verified for each specific design.
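As an added worked example (not part of the exida report and not the DVC6200 FMEDA data), the following Python combines constructed FMEDA-style failure rates for a complete final element (valve controller, actuator, valve), credits an automatic partial valve stroke test as a diagnostic in the way the report's definitions assume, computes the SFF and a simplified 1oo1 low-demand PFDavg, and reads the maximum SIL off the architectural-constraint tables of IEC 61508-2 (Table 2 for Type A, Table 3 for Type B). All rates, coverages and part names are assumptions.

```python
from dataclasses import dataclass
# Maximum SIL per IEC 61508-2 Table 2 (Type A) / Table 3 (Type B), indexed by
# SFF band (<60%, 60-<90%, 90-<99%, >=99%) and HFT 0..2; 0 = not allowed.
SFF_BANDS = (0.60, 0.90, 0.99)
MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}

@dataclass
class Rates:
    """FMEDA failure-rate split of one element, in FIT (1e-9 failures/h)."""
    name: str
    sd: float = 0.0        # safe detected
    su: float = 0.0        # safe undetected
    dd: float = 0.0        # dangerous detected by automatic diagnostics
    du: float = 0.0        # dangerous undetected
    pvst_cov: float = 0.0  # share of du an automatic partial stroke test reveals

def combine(parts, credit_pvst=True):
    """Series combination of final-element parts (controller, actuator, valve).
    With credit_pvst the report's assumption applies: an automatic partial valve
    stroke test counts as a diagnostic, so the covered share of each part's
    dangerous-undetected rate is moved to dangerous-detected."""
    total = Rates("final element")
    for p in parts:
        moved = p.du * p.pvst_cov if credit_pvst else 0.0
        total.sd += p.sd
        total.su += p.su
        total.dd += p.dd + moved
        total.du += p.du - moved
    return total

def sff(r):
    """Safe failure fraction: safe plus dangerous-detected over all failures."""
    return (r.sd + r.su + r.dd) / (r.sd + r.su + r.dd + r.du)

def max_sil(r, hft, element_type):
    """Highest SIL the architectural constraints allow for this element."""
    band = sum(1 for limit in SFF_BANDS if sff(r) >= limit)
    return MAX_SIL[element_type][band][hft]

def pfd_avg_1oo1(r, proof_test_interval_h):
    """Simplified low-demand 1oo1 estimate: PFDavg = lambda_DU * TI / 2."""
    return r.du * 1e-9 * proof_test_interval_h / 2

# Constructed placeholder rates, NOT the DVC6200 FMEDA figures from [D52a, b, c].
SAMPLE_PARTS = [
    Rates("valve controller", sd=200, su=50, dd=500, du=100, pvst_cov=0.0),
    Rates("actuator", sd=100, su=50, dd=0, du=400, pvst_cov=0.5),
    Rates("valve", sd=100, su=50, dd=0, du=600, pvst_cov=0.5),
]
for credit in (False, True):
    fe = combine(SAMPLE_PARTS, credit_pvst=credit)
    print(f"PVST credited={credit}: SFF={sff(fe):.1%}, max SIL Type B HFT0={max_sil(fe, 0, 'B')}")
```

With these placeholder rates the PVST credit lifts the combined SFF from below 60% to the 60-<90% band, which is what turns a Type B, HFT 0 final element from "not allowed" into a SIL 1 candidate; the PFDavg of the SIF as a whole still has to be checked separately.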

6 Terms and Definitions

ETT: Energize To Trip

DETT: De-Energize To Trip

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT: Failure In Time (1×10^-9 failures per hour)

FMEDA: Failure Mode Effect and Diagnostic Analysis

HFT: Hardware Fault Tolerance

Low demand mode: Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

PFDavg: Average Probability of Failure on Demand

PFH: Probability of dangerous Failure per Hour

PVST: Partial Valve Stroke Test. It is assumed that the Partial Stroke Testing, when performed, is automatically performed at least an order of magnitude more frequently than the proof test; therefore the test can be assumed to be an automatic diagnostic. Because of the automatic diagnostic assumption, the Partial Valve Stroke Testing also has an impact on the Safe Failure Fraction.

SFF: Safe Failure Fraction. Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF: Safety Instrumented Function

SIL: Safety Integrity Level

SIS: Safety Instrumented System. Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element: “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2

7 Status of the document

7.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V2
Revision: R2

Version History:
V2, R2: Corrections, September 19, 2013
V2, R1: Renewal of Certificate, September 13, 2013
V1, R4: Formatting problem, October 9, 2012
V1, R3: Corrections, October 9, 2012
V1, R2: Corrections, October 4, 2012
V1, R1: First Release, October 2, 2012
V0, R1: Internal Draft, September 28, 2012

Authors: David E. Butler, Iwan van Beurden

Review:
V2, R1: John Yozallinas
V0, R1: exida internal

Release status: Released

7.3 Future Enhancements

At the request of the client.

7.4 Release Signatures

Iwan van Beurden, CFSE, Director of Engineering

David E. Butler, Safety Engineer