
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

IEC 61508 Functional Safety Assessment

Project: POCV, Dump Valve System, and Yield Valve

Customer: Joy Mining Machinery, Ltd.

Wigan, Lancashire UK

Contract Number: Q12/10-045

Report No.: JOY 12/10-045 R003

Version V1, Revision R2, October 14, 2013

Michael Medoff

© exida JOY 12-10-045 R003 V1R2 Assessment POCV-Dump Valve-Yield Valve.docx

October 14, 2013 www.exida.com Page 2 of 25

Management summary This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the Pilot Operated Control Valve (POCV), Dump Valve System, and Yield Valve.

The functional safety assessment performed by exida consisted of the following activities:

- exida assessed the development process used by Joy Mining Machinery, Ltd. by an on-site audit and creation of a safety case against the requirements of IEC 61508.

- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed field failure data to ensure that the FMEDA analysis was complete.

- exida reviewed the manufacturing quality system in use at Joy Mining.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared using the exida SafetyCaseWB tool as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. Also the user documentation (safety manual) was reviewed.

Some areas of improvement were identified in the design process, and the design procedures were upgraded during the project. However, because of the low complexity of the products and the proven-in-use design, Joy Mining was able to demonstrate that the objectives of the standard have been met.

The results of the Functional Safety Assessment can be summarized as:

The Joy Mining POCV, Dump Valve System, and Yield Valve were found to meet the Systematic Capability requirements of IEC 61508 for up to SC 2 (SIL 2 Capable). The Joy Mining POCV, Dump Valve System, and Yield Valve were found to meet the Random Capability requirements for a Type A device of up to SIL 2 @ HFT=0 using Route 2H. The PFDAVG and/or PFH requirements of the standard must be verified for the complete safety function. The manufacturer will be entitled to use the Functional Safety Logo.
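The last point, that the element-level capability is only a ceiling and the PFDAVG still has to be verified for the whole safety function, is easiest to see worked through. The Python below is an added example for this corpus page, not part of the exida report or of Joy Mining's documentation. It computes a simplified 1oo1 PFDavg for a single valve element at HFT = 0 from a dangerous undetected failure rate and a proof test interval, maps it to the IEC 61508-1 Table 2 low-demand band, caps the result by the Route 2H architectural constraint for low-demand mode, and sums the element with the other subsystems of a function. The failure rate, proof test intervals and the sensor / logic solver contributions are constructed placeholders, not figures from the FMEDA reports. The Route 2H row HFT 0 to SIL 2 is what the report states; the HFT 1 and HFT 2 rows are my reading of IEC 61508-2 Table 3 for low-demand mode and should be checked against the standard before use.

```python
"""Low-demand SIL check for a 1oo1 (HFT = 0) mechanical valve element.

Added example: the numeric inputs below are constructed placeholders, not
values from the Joy Mining FMEDA reports or safety manuals.
"""

# IEC 61508-1 Table 2: PFDavg bands for low-demand mode, as
# (SIL, lower bound inclusive, upper bound exclusive).
PFD_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)

# Route 2H architectural constraint (IEC 61508-2, 7.4.4.3) for low-demand mode:
# maximum SIL claimable for an element at a given hardware fault tolerance,
# provided the field-feedback / confidence conditions of the route are met.
# HFT 0 -> SIL 2 is what the assessment report states; the other rows are an
# assumption taken from IEC 61508-2 Table 3 and should be verified.
ROUTE_2H_MAX_SIL_LOW_DEMAND = {0: 2, 1: 3, 2: 4}

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float, mttr_h: float = 0.0) -> float:
    """Simplified 1oo1 PFDavg = lambda_DU * (TI/2 + MTTR).

    Only the dangerous-undetected term of the IEC 61508-6 B.3.2.2.1 1oo1
    expression is kept: a purely mechanical valve has no diagnostics, so the
    dangerous-detected term is zero. lambda_du is per hour, times are hours.
    """
    if lambda_du < 0 or proof_test_interval_h <= 0 or mttr_h < 0:
        raise ValueError("failure rate and MTTR must be >= 0, proof test interval > 0")
    return lambda_du * (proof_test_interval_h / 2.0 + mttr_h)


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its IEC 61508-1 Table 2 band; 0 means worse than SIL 1."""
    for sil, low, high in PFD_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def route_2h_max_sil(hft: int) -> int:
    """Architectural ceiling from Route 2H (low-demand); 0 for an unknown HFT."""
    return ROUTE_2H_MAX_SIL_LOW_DEMAND.get(hft, 0)


def claimable_sil(hft: int, pfd: float) -> int:
    """The claim is limited by both the PFDavg band and the architectural
    constraint, so it is whichever of the two is lower."""
    return min(route_2h_max_sil(hft), sil_from_pfd(pfd))


def max_proof_test_interval_h(lambda_du: float, target_sil: int, mttr_h: float = 0.0) -> float:
    """Proof test interval (hours) at which a 1oo1 element's PFDavg reaches the
    upper bound of the target SIL band; any shorter interval keeps it inside."""
    if lambda_du <= 0:
        raise ValueError("lambda_du must be > 0")
    upper = {sil: high for sil, _, high in PFD_BANDS}[target_sil]
    return 2.0 * (upper / lambda_du - mttr_h)


def safety_function_pfd(*subsystem_pfds: float) -> float:
    """IEC 61508-6 B.3: PFDsys = PFD(sensors) + PFD(logic) + PFD(final element)."""
    return sum(subsystem_pfds)


if __name__ == "__main__":
    # Constructed input: 200 FIT dangerous undetected (2e-7 /h) for the valve.
    lam_du = 2e-7
    for years in (1, 5, 10):
        pfd = pfd_avg_1oo1(lam_du, years * HOURS_PER_YEAR)
        print(f"TI={years:2d} y  PFDavg={pfd:.2e}  band=SIL {sil_from_pfd(pfd)}  "
              f"claim at HFT=0: SIL {claimable_sil(0, pfd)}")
    # Whole function: constructed sensor and logic-solver contributions plus the valve.
    total = safety_function_pfd(1e-4, 5e-5, pfd_avg_1oo1(lam_du, HOURS_PER_YEAR))
    print(f"function PFDavg={total:.2e} -> SIL {claimable_sil(0, total)}")
    print(f"longest TI for the SIL 2 band: "
          f"{max_proof_test_interval_h(lam_du, 2) / HOURS_PER_YEAR:.1f} years")
```

With the placeholder rate and an annual proof test the valve alone lands in the SIL 3 PFDavg band, yet the claim stays at SIL 2 because Route 2H at HFT = 0 caps it there; stretching the proof test interval to five years moves the element itself down into the SIL 2 band, which is the kind of interaction the safety manual's proof test interval and the end user's PFDavg verification have to agree on.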


Table of Contents

Management summary
1 Purpose and Scope
2 Project management
  2.1 exida
  2.2 Roles of the parties involved
  2.3 Standards / Literature used
  2.4 Reference documents
    2.4.1 Documentation provided by Joy Mining Machinery, Ltd.
    2.4.2 Documentation generated by exida
3 Product Descriptions
  3.1 Longwall Powered Roof Support System
  3.2 Dump Valve System
    3.2.1 Master Dump Valve
    3.2.2 Slave Dump Valve
    3.2.3 Single High Pressure Valve
  3.3 Yield Valve
  3.4 Pilot Operated Control Valve
4 IEC 61508 Functional Safety Assessment
  4.1 Methodology
  4.2 Assessment level
  4.3 Product Modifications
5 Results of the IEC 61508 Functional Safety Assessment
  5.1 Lifecycle Activities and Fault Avoidance Measures
    5.1.1 Functional Safety Management
    5.1.2 Safety Requirements Specification and Architecture Design
    5.1.3 Hardware Design
    5.1.4 Validation
    5.1.5 Verification
    5.1.6 Proven In Use
    5.1.7 Modifications
    5.1.8 User documentation
  5.2 Open Issues
  5.3 Hardware Assessment
6 Terms and Definitions
7 Status of the Document
  7.1 Liability
  7.2 Releases
  7.3 Future Enhancements
  7.4 Release Signatures


1 Purpose and Scope This document describes the results of the IEC 61508 functional safety assessment, performed by exida according to the requirements of IEC 61508: ed2, 2010, of the following Joy Mining Machinery, Ltd. products:

- Pilot Operated Control Valve (POCV)

- Dump Valve System

- Yield Valve

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and with confidence that sufficient attention has been given to systematic failures during the development process of the device.


2 Project management

2.1 exida exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Joy Mining Machinery, Ltd.: Manufacturer of the POCV, Dump Valve System, and Yield Valve

exida: Performed the hardware assessment

exida: Performed the IEC 61508 Functional Safety Assessment

Joy Mining contracted exida in December 2012 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Joy Mining Machinery, Ltd.

Doc ID | Generic Document Name | Project Document Name and Link | Version / Issue | Date | Description

D001 | Quality Manual | QCPD 0003.001 - Quality Procedures Manual - Design Overview | 4 | 7/3/2010 | The highest level document in the hierarchy of company procedures.

D004 | Configuration Management Process | QCPD 0003.006 - Quality Procedures Manual - Engineering Change Control | 2 | 4/11/2006 | Describes the requirements, workflow, and possibly work instructions, related to carrying out configuration management on a project.

D005 | Hazardous Events Procedure | QCPD0010-002.pdf | 3 | 3/30/2006 | Procedure for handling field events that have the potential to lead to a hazardous situation.

D006 | Field Return Procedure | QCPD0010-002.pdf | 3 | 3/30/2006 | Describes the procedures to receive a returned device from a user (e.g., customer), and to capture the information needed to evaluate and process the field return.

D007 | Manufacturer Qualification Procedure | QCPD0005-001.pdf | 6 | 12/12/2011 | Procedure to qualify a manufacturer of a part or product used in the engineering and manufacture of a device.

D019 | Customer Notification Procedure | Joy Mining (UK/Aus)-Files-JGUOP2.20.pdf | 4 | 1/17/2013 | Describes the procedures that must be followed to notify customers of safety problems.

D023 | Modification Procedure | Joy Mining (UK/Aus)-Files-QCPD0003-006.pdf | 2 | 4/11/2006 | Describes the procedures through which all modifications to a product must be carried out.

D026 | FSM Plan or Development Plan | Example Project Schedule | NA | 9/28/2012 | Plan that describes how functional safety management is to be achieved on a particular project.

D027 | Configuration Management Plan | QCPD 0003.006 - Quality Procedures Manual - Engineering Change Control | 2 | 4/11/2006 | Describes the requirements, workflow, and possibly work instructions, related to carrying out configuration management on a project.

D030 | Shipment Records | Joy Mining (UK/Aus) - Files - High Flow Leg POCV variants (Version 2).docx | N/A | 6/7/2013 | 3-5 years of shipment records for proven in use assessment.

D031 | Field Returns Records | Joy Mining (UK/Aus) - Files - [email protected]_20131001_114204.pdf | N/A | 10/1/2013 | 3-5 years of field failure/return records for proven in use assessment.

D032 | Job Descriptions and Competency Levels | Joy Mining (UK/Aus)-Files-DS10005 - Issue 2.pdf | Issue 2 | 6/6/2013 | Contains descriptions of standard roles (and/or titles), including the relevant work activities and competence criteria required to perform that role.

D040 | Safety Requirements Specification - Dump Valve | Joy Mining (UK/Aus)-Files-DS10001 - Issue 3.pdf | Issue 3 | 7/29/2013 | Identifies and specifies the Safety Requirements for the project.

D040a | Safety Requirements Specification - Yield Valve | Joy Mining (UK/Aus)-Files-DS10005 - Issue 3.pdf | Issue 3 | 7/29/2013 | Identifies and specifies the Safety Requirements for the project.

D040b | Safety Requirements Specification - POCV | Joy Mining (UK/Aus)-Files-DS10009 - Issue 1.pdf | Issue 1 | 7/29/2013 | Identifies and specifies the Safety Requirements for the project.

D045 | System Architecture Design Specification | Joy Mining (UK/Aus)-Files-DS10001 - Issue 2.pdf | Issue 2 | 6/6/2013 | Describes the System Architecture within which the product will be used. Identifies and describes the product's external interfaces.

D045c | System Architecture Design Specification | Joy Mining (UK/Aus)-Files-DS10005 - Issue 2.pdf | Issue 2 | 6/6/2013 | Describes the System Architecture within which the product will be used. Identifies and describes the product's external interfaces.

D045a | System Architecture Design Review Record - Yield Valve | Joy Mining (UK/Aus)-Files-DR10005 - Issue 4.pdf | Issue 4 | 8/30/2012 | Describes the System Architecture within which the product will be used. Identifies and describes the product's external interfaces.

D045b | System Architecture Design Review Record - Dump Valve | Joy Mining (UK/Aus)-Files-DR10001 - Issue 4.pdf | Issue 4 | 7/29/2013 | Describes the System Architecture within which the product will be used. Identifies and describes the product's external interfaces.

D048 | Hardware Change List | Joy Mining (UK/Aus) - Files - Copy of SIL RATING OF HIGH FLOW POCV's.xlsx | NA | 10/1/2013 | The list of hardware changes (ECN, ECO) during the PIU period. The list should contain a description of each change.

D055 | FMEDA Report - Dump Valve System | Joy Mining (UK/Aus) - Files - JOY 12-10-045 R002 V1R1 Mechanical Roof Support FMEDA.pdf | V1R1 | 9/26/2013 | Describes the results of the Failure Mode, Effects and Diagnostics Analysis.

D055a | FMEDA Report - Yield Valve and POCV | Joy Mining (UK/Aus) - Files - JOY 12-10-045 R001 V1R1 Mechanical Roof Support FMEDA.pdf | V1R1 | 7/12/2013 | Describes the results of the Failure Mode, Effects and Diagnostics Analysis.

D067 | Integration Test Plan | Joy Mining (UK/Aus) - Files - Htr1325 - Face Dump valve - Issue 4.pdf | Issue 4 | 7/29/2013 | Describes the plan to test the interfaces of the device at the architecture level.

D068 | Integration Test Results | Joy Mining (UK/Aus)-Files-HY1114 Dump Valve Tests - Issue 2.pdf | Issue 2 | 4/4/2013 | Contains the results of one or more integration tests.

D069 | Validation Test Plan - Dump Valve | Joy Mining (UK/Aus)-Files-Htr1325 - Face Dump valve - Issue 3.pdf | Issue 3 | 7/29/2013 | Describes the plan to validate the use of the device, based on its requirements.

D069a | Validation Test Plan - Yield Valve | Joy Mining (UK/Aus) - Files - Htr1351 - Blakefield manifold 250 Return Yield Valve testing.pdf | Issue 1 | 2/27/2012 | Describes the plan to validate the use of the device, based on its requirements.

D074 | Validation Test Results | Joy Mining (UK/Aus)-Files-HY1114 Dump Valve Tests - Issue 3.pdf | Issue 3 | 4/4/2013 | Contains the results of one or more validation tests.

D074b | Validation Test Results | Joy Mining (UK/Aus) - Files - HY1093N 250 LPM YIELD VALVE - Issue 2.pdf | Issue 2 | 9/2/2013 | Contains the results of one or more validation tests.

D078 | Operation / Maintenance Manual | Springvale Roof Support Installation 2891849 - Roof Support Feed and Return Pressure | NA | NA | Describes the recommended/required instructions to the user for the installation, use and maintenance of the device.

D078B | Operation / Maintenance Manual | Joy Mining (UK/Aus)-Files-Doc 'C'.pdf | NA | NA | Describes the recommended/required instructions to the user for the installation, use and maintenance of the device.

D079 | Safety Manual - POCV | Joy Mining (UK/Aus) - Files - 00 Pilot Operated Check Valve Book File.pdf | Issue 1 | 10/8/2013 | Contains information, required by IEC 61508, which is needed by the user of the device in calculating safety related information about the safety function in which the device is used, and about what should and should not be done with the device, during its useful lifetime, to properly use its provided safety function.

D079a | Safety Manual - Yield Valve | Joy Mining (UK/Aus) - Files - 00 Yield Valve Book File.pdf | Issue 1 | 10/8/2013 | Contains information, required by IEC 61508, which is needed by the user of the device in calculating safety related information about the safety function in which the device is used, and about what should and should not be done with the device, during its useful lifetime, to properly use its provided safety function.

D079b | Safety Manual - Dump Valve | Joy Mining (UK/Aus) - Files - 00 Dump Valves Book File.pdf | Issue 1 | 10/8/2013 | Contains information, required by IEC 61508, which is needed by the user of the device in calculating safety related information about the safety function in which the device is used, and about what should and should not be done with the device, during its useful lifetime, to properly use its provided safety function.

D083 | PIU Analysis | Joy Mining (UK/Aus)-Files-Field_failure_analysis_Joy_POCV.xlsx | NA | 4/26/2013 | Produced by exida, this is the results or report from an analysis of PIU data provided by the manufacturer.

D087 | Mechanical Drawings | Yield Valve (Drawing #100559695) | 03 | 26-Jun-12 | Mechanical Drawing for Yield Valve

D088 | Mechanical Drawings | Pilot Operated Check Valve (Drawing #100480932) | 03 | 27-Jan-12 | Mechanical Drawing for POCV

D089 | Mechanical Drawings | Hydraulic Dump System - Master Unit (Drawing 100498470) | 03 | 30-Jun-11 | Mechanical Drawing for Master Dump Valve

D090 | Mechanical Drawings | Hydraulic Dump System - Slave Unit (Drawing 100504481) | 01 | 17-May-11 | Mechanical Drawing for Slave Dump Valve

D091 | Mechanical Drawings | Hydraulic Dump System - Single HP (Drawing 100501817) | 01 | 16-May-11 | Mechanical Drawing for High Pressure Dump Valve

D092 | Gap Analysis Questionnaire | Gap Analysis Questionnaire | NA | NA | Questions and answers posed to customer during on-site gap analysis.

D093 | Example Modification Record | Joy Mining (UK/Aus)-Files-ECM - 100559695.pdf | NA | NA | Example Modification Record

D093a | Example Modification Record | Joy Mining (UK/Aus)-Files-Mod example 1.pdf | NA | 11/6/2012 | Example Modification Record

D093b | Example Modification Record | Joy Mining (UK/Aus)-Files-Mod example 2.pdf | NA | 10/8/2012 | Example Modification Record

D093c | Example Modification Record | | NA | 10/8/2012 | Example Modification Record

D094 | Corrosion testing of different platings and coatings | Joy Mining (UK/Aus)-Files-HTR1044.pdf | 1 | 4/27/2005 | Test request for corrosion testing

D095 | Test Request Form - Hydraulic Legs | Joy Mining (UK/Aus)-Files-HTR1418.pdf | 2 | 3/1/2013 | Test request for corrosion testing

D096 | Design Review Template | Joy Mining (UK/Aus)-Files-Design Review Template.pdf | NA | 7/31/2013 | Template for documenting Valve design review results

D097 | Test Request Form - 250 l/min Return Yield Valve Approval Testing | Joy Mining (UK/Aus)-Files-Htr1351 - Blakefield manifold 250 Return Yield Valve testing.pdf | Issue 1 | 2/27/2012 | Test request for side impact testing, flow testing, and overload test.

D098 | Company Technical Requirements - Electro and Electroless Plating | Joy Mining (UK/Aus)-Files-CTR-01-16-01.pdf | Issue A1 | Dec-03 | Requirements for electroplating Zinc/Cobalt alloy on to steel.

D099 | Explanation as to why a limited temperature range is tested | Joy Mining (UK/Aus)-Files-AID-046.docx | NA | 8/22/2013 |

2.4.2 Documentation generated by exida

[R1] JOY 12/10-045 R002 FMEDA report, Dump Valve System

[R2] JOY 12/10-045 R001 FMEDA report, POCV and Yield Valve

[R3] Joy Mining (UK/Aus) - Files - Joy Mining POCV + 4 other Valves V1R7.xlsm: IEC 61508 SafetyCaseWB for POCV, Yield Valve, and Dump Valve

[R4] Joy Mining POCV, Dump Valve and Yield Valve Assessment Report Draft.docx, October 9, 2013: IEC 61508 Functional Safety Assessment, Joy Mining Machinery, Ltd. POCV, Yield Valve, and Dump Valve (this report)


3 Product Descriptions

3.1 Longwall Powered Roof Support System The Joy Mining Machinery, Ltd. Dump Valve System (a.k.a. Face Feed Dump Valves), Pilot Operated Control Valve (POCV) and Yield valve are components of a mine longwall Powered Roof Support (PRS) system. During the mining process, longwall equipment and personnel are protected by hydraulically actuated roof supports which cover the length of the longwall face. The roof supports control the collapse of the overlying strata and help in stabilizing the coal face. Each roof support is connected to an Armoured Face Conveyor (AFC) pan via a hydraulic ram which is used during longwall advancement. As the face advances longitudinally along the panel, the roof collapses under its own weight behind the roof supports. Controlling the collapse is critical to the efficiency and safety of the longwall mine.

3.2 Dump Valve System The Joy Mining Dump Valve System is a solenoid controlled system that is remotely controlled either to send the high flow, high pressure Face Feed to all of the mine face's hydraulic systems, or to rapidly and safely dump the high pressure to the return tank.

This system consists of a Master Dump Valve, Slave Dump Valves and a Single HP Valve. The Face Feed Dump Valve system's safety function is to dump the feed pressure going to the face within the specified safety time when the system is tripped.

3.2.1 Master Dump Valve This assembly contains two remotely controlled solenoid valves that supply the control pressures which tell the Dump System which state to be in. The main manifold sub-assembly contains two valves in parallel that either supply the mine face equipment with supply pressure or send the face feed pressure to the return tank. Internally the solenoids' outputs are configured such that if either one is de-energized, the system will dump the feed pressure.

3.2.2 Slave Dump Valve A Slave Dump Valve is used in each Dump Valve system. The Slave Dump Valves are similar to the Master Valve except that they do not have solenoids; instead they use the outputs of the Master Valve's solenoids as their control. As in the Master Dump Valve, each manifold sub-assembly contains two valves in parallel, and only one of the control lines needs to be de-energized in order to trip the valve.

3.2.3 Single High Pressure Valve Although this component is not needed to relieve the main Face Feed pressure, it uses the same control lines as the Slave Dump Valves and is therefore included in this analysis. It functions in the same manner as the Slave Dump Valve, except that it has one valve to supply or dump a separate pressure feed to the face.


Figure 1 Roof Support circuit overview

The POCV, Yield Valve, and Dump Valve are classified as Type A [1] devices according to IEC 61508, having a hardware fault tolerance of 0.

3.3 Yield Valve

The Joy Mining Yield Valve is used as a pressure relief valve to ensure that excessive pressures are not allowed to occur in a Powered Roof Support return line. This analysis covers the return line Yield Valve, P/N 100559695. This valve has a flow capacity of 250 L/minute and an adjustable yield range (trip pressure) of 900 – 1400 psi.

The safety function for the Yield Valve is to vent pressure in excess of the preset yield value to prevent injury to personnel or damage to the system. Additionally, the Yield Valve should not vent or leak system pressure while it is below the valve's setpoint.

3.4 Pilot Operated Control Valve The Joy Mining Pilot Operated Control Valve is designed to keep fluid in the roof support leg cylinder after the fluid supply has been removed. A POCV is attached directly to each leg cylinder (there are two leg cylinders on a roof support).

• To extend the leg cylinders, fluid is directed to the P/R ports of the leg POCVs.

o As pressurised fluid enters the POCV (at the P/R port), it pushes the poppet off its seat, and fluid passes through the valve and out directly into the extend side (major bore) of the cylinder.

o The cylinder is extended fully until the support meets the roof of the mine, and the cylinder is initially pressurized to 5000 psi.

[1] Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2, ed2, 2010


o As soon as the fluid feed is stopped, the poppet closes back onto its seat (under both the spring and the fluid pressure from the cylinder), trapping fluid pressure inside the leg cylinder.

o As the roof support is loaded by the strata above, the cylinder pressure can increase up to a maximum of the yield valve rating, which is 7179 psi.

• To retract the leg cylinder(s), fluid is directed to the annulus side of each leg cylinder; this also pressurizes the pilot chambers on the leg POCVs, which in turn pushes the POCV poppet off its seat, allowing fluid to pass out of the leg cylinder and through the valve (via both the P/R and R ports), and the roof support lowers off.

The safety function considered for the Pilot Operated Control Valve is to not vent (or significantly leak) leg pressure in a leg of a roof support system when the pilot pressure is low. Not inadvertently venting the leg pressure is needed to prevent an unwanted dump of the leg pressure, which could cause a dangerous system pressure rise during a maintenance operation.

This analysis covers the POCV assembly used on either the "right" or "left" leg assembly, the two being mirror images of each other.

Figure 1 shows which components of the Roof Support System that are being covered in this FMEDA.

Figure 2 Roof Support circuit overview


The POCV, Yield Valve, and Dump Valve are classified as Type A [2] devices according to IEC 61508, having a hardware fault tolerance of 0.

The assessment considered the following versions of these valves:

Valve Name | Part Numbers | Version Numbers

POCV (LH Mount / RH Mount) | 100480351 / 100480932 | V.03 / V.03

POCV (LH Mount / RH Mount) | 100212624 / 100212625 | V.04 / V.04

POCV (LH Mount / RH Mount) | 100197746 / 100197747 | V.03 / V.03

POCV (LH Mount / RH Mount) | 100293456 / 100098658 | V.02 / V.06

POCV (LH Mount / RH Mount) | 100113294 / 100105020 | V.05 / V.06

Yield Valve | 100559695 | V.03

Master Dump Valve | 100508389 | V.01

Slave Dump Valve | 100509061 | V.01

Single High Pressure (HP) Valve | 100509439 | V.01

[2] Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2, ed2, 2010


4 IEC 61508 Functional Safety Assessment The IEC 61508 Functional Safety Assessment was performed based on the information received from Joy Mining Machinery, Ltd. and is documented in this report.

4.1 Methodology The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

• Development process, including:

o Functional Safety Management, including training and competence recording, FSM planning, and configuration management

o Specification process, techniques and documentation

o Design process, techniques and documentation, including tools used

o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation

o Verification activities and documentation

o Modification process and documentation

o Installation, operation, and maintenance requirements, including user documentation

o Manufacturing Quality System

• Product design

o Hardware architecture and failure behavior, documented in a FMEDA

The review of the development procedures is described in section 5. The review of the product design is described in section 5.3.

4.2 Assessment level The POCV, Dump Valve, and Yield Valve have been assessed per IEC 61508 to the following levels:

• SIL 2 capability (Systematic Capability (SC) = 2)

The development procedures have been assessed as suitable for use in applications with a maximum Safety Integrity Level of 2 (SIL2) according to IEC 61508.


4.3 Product Modifications The modification process was not analyzed as part of this assessment. As a result, the assessment is limited to the current version of the product as defined in section 3 of this document.


5 Results of the IEC 61508 Functional Safety Assessment exida assessed the development process used by Joy Mining Machinery, Ltd. for these products against the objectives of IEC 61508 parts 1 - 7. The assessment was done remotely and documented in the SafetyCase [R3].

5.1 Lifecycle Activities and Fault Avoidance Measures

Joy Mining Machinery, Ltd. has a defined product lifecycle process in place. This is documented in the Quality Management System Manual [D001] and various Quality Procedures [D004-D007]. A documented modification process is also covered in the Quality Manual; however, this process does not currently meet all of the requirements of IEC 61508. As a result, modifications to these products are not covered by this assessment. No software is part of the design, and therefore the requirements of IEC 61508 specific to software and software development do not apply.

The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 2 work scope of the development team. The defined product lifecycle process was modified as a result of the audit, which showed some areas for improvement. However, given the simple nature of the safety function and the extensive proven field experience for the Pilot Operated Control Valve, Joy Mining Machinery, Ltd. was able to demonstrate that the objectives of the standard have been met. The result of the assessment can be summarized by the following observation:

The audited Joy Mining Machinery, Ltd. design and development process complies with the relevant managerial requirements of IEC 61508 SIL 2.

5.1.1 Functional Safety Management

FSM Planning: Joy Mining Machinery, Ltd. has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in section QPCD 003.001 of their Quality Management System Manual [D001] and in greater detail in sections 3.02, QCPD 0003.003, QCPD 0003.005 and QCPD 0003.006 [D004]. This process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well defined safety functionality.

Version Control: D0004 requires that all documents be under document control. Use of this to control revisions was evident during the audit.

Training, Competency recording: Competency is established as follows:

a) Competency requirements are included in job descriptions which are used when a person is hired. These requirements have also been included in section 4 of the Yield Valve Design Specification (DS1001 - Issue 2 [D045] and DS10005 [D045c])

b) List of people who fulfill each role - The Dump Valve design review [D045a] and the Yield Valve Design Review [D045b] list the qualifications of those who fulfill each role without listing their names.


c) During the design review the competencies are compared to the required competencies with the resultant competency documented in the design review minutes.

5.1.2 Safety Requirements Specification and Architecture Design

For the POCV, Yield Valve, and Dump Valve, the safety requirements are documented in the design specifications [D045], [D045c], and [D040b]. The notation used to document the design is precise drawings of the parts, including specific dimensions. This notation can be considered a semi-formal method. General design and testing methodology is documented and required as part of the design process. This meets SIL 2 requirements.

5.1.3 Hardware Design

The design process is documented in [D001]. Items from IEC 61508-2, Table B.2 include observance of guidelines and standards, project management, documentation (design outputs are documented per quality procedures), structured design, use of well-tried components / materials, use of checklists, semi-formal methods and computer-aided design tools. This meets SIL 2 requirements.

5.1.4 Validation

Validation testing is documented in D069 and D069a. The test plan includes testing per all standard and customer performance requirements. As the POCV, Yield Valve, and Dump Valve are purely mechanical devices with a simple safety function, no separate integration testing is necessary. The POCV, Dump Valve, and Yield Valve each perform only one safety function, which is extensively tested under various conditions during validation testing.

Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 2 requirements.

Items from IEC 61508-2, Table B.5 include functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis of products that failed), expanded functional testing and black-box testing. This meets SIL 2 requirements.

5.1.5 Verification

The development and verification activities are defined in [D001]. For each design phase, the objectives, the required input and output documents, and the review activities are stated. This meets SIL 2 requirements.

5.1.6 Proven In Use

In addition to the design fault avoidance techniques listed above, a Proven in Use evaluation was carried out on the Pilot operated check valve. Shipment records were used to determine that this product has > 3 million operating hours and has demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL 2.


5.1.7 Modifications

Modifications are initiated per QPCD 003.006 [D023]. The modification process is not completely compliant with IEC 61508, so modifications are not covered by this assessment.

5.1.8 User documentation

Joy Mining Machinery, Ltd. creates a Safety Manual for each of the three valves, which is a subsection of the installation manual for these valves (see D079, D079a, and D079b). The Safety Manual was found to contain all of the required information, given the simplicity of the products. The FMEDA reports are available and contain the required failure rates and failure modes.

Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities (the POCV, Yield Valve, and Dump Valve perform well-defined actions) and protection against operator mistakes. This meets SIL 2 requirements.

5.2 Open Issues

The overall process is strong and the POCV design has extensive proven field experience, sufficient for SIL 2 capability. Some areas of improvement were identified in the design process and some of the design procedures and forms were upgraded during the project. All of the improvements were evaluated and included in the final version of the Safety Case.

5.3 Hardware Assessment

To evaluate the hardware design of the POCV, Dump Valve, and Yield Valve, Failure Modes, Effects, and Diagnostic Analyses were performed by exida. These are documented in [R1] and [R2].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an extension of FMEA. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA reports [R1] and [R2]. Tables in the FMEDA reports list these failure rates for the POCV, Yield Valve, and Dump Valve under a variety of applications. The failure rates listed are valid for the useful life of the devices.

These results must be considered in combination with the PFDAVG and PFH values of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraints requirements of IEC 61508-2, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.

The failure rate data used for this analysis meets the exida criteria for Route 2H. Therefore the reviewed POCV, Yield Valve, and Dump Valve meet the Route 2H hardware architectural constraints for up to SIL 2 at HFT=0 when the listed failure rates are used.


The analysis shows that the design of the POCV, Yield Valve, and Dump Valve can meet the hardware requirements of IEC 61508 SIL 2, depending on the complete final element design. The Hardware Fault Tolerance, PFDAVG and/or PFH requirements of IEC 61508 must be verified for each specific design.
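The end-user check that section 5.3 leaves to the SIF designer, as an added example that is not part of the exida report: it sums per-element PFDAVG values for a constructed SIF, shows how a PVST counted as an automatic diagnostic raises the SFF (definitions in section 6), and reads off the resulting SIL band. The failure rates, the proof test interval and the simplified 1oo1 PFDAVG formula are assumptions of this example, not values from [R1] or [R2].

```python
# Added example, not code from the exida report: the end-user check of section 5.3
# (sum PFDavg over the SIF elements, compare with the SIL bands) using the SFF and
# PVST definitions of section 6. FIT values are CONSTRUCTED, not from [R1]/[R2].
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = 1x10^-9 failures per hour
# Low-demand PFDavg bands per SIL (IEC 61508-1, Table 2), as [lower, upper)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

@dataclass
class Element:
    name: str
    lam_sd: float  # safe detected failures, per hour
    lam_su: float  # safe undetected
    lam_dd: float  # dangerous, detected by automatic diagnostics
    lam_du: float  # dangerous undetected, found only at proof test

    def sff(self) -> float:
        # Safe Failure Fraction: safe plus dangerous-detected over all failures
        total = self.lam_sd + self.lam_su + self.lam_dd + self.lam_du
        return (self.lam_sd + self.lam_su + self.lam_dd) / total

    def with_pvst(self, coverage: float) -> "Element":
        # PVST counted as an automatic diagnostic: the covered share of
        # dangerous-undetected failures becomes dangerous-detected, raising SFF
        moved = self.lam_du * coverage
        return Element(self.name, self.lam_sd, self.lam_su,
                       self.lam_dd + moved, self.lam_du - moved)

    def pfd_avg_1oo1(self, proof_test_years: float) -> float:
        # Simplified 1oo1 approximation lambda_DU * T_proof / 2 (repair time
        # neglected; an assumption of this example, not a value from the report)
        return self.lam_du * proof_test_years * 8760.0 / 2

def sif_pfd_avg(elements, proof_test_years: float) -> float:
    # The SIF fails if any element fails, so the small per-element values add
    return sum(e.pfd_avg_1oo1(proof_test_years) for e in elements)

def achieved_sil(pfd_avg: float) -> int:
    # SIL whose band holds the PFDavg (0 if worse than SIL 1); HFT/Route 2H is separate
    for sil in (4, 3, 2, 1):
        low, high = SIL_BANDS[sil]
        if low <= pfd_avg < high:
            return sil
    return 0

# Constructed SIF: transmitter, logic solver, one POCV as 1oo1 final element (HFT=0)
sensor = Element("transmitter", 200 * FIT, 100 * FIT, 300 * FIT, 100 * FIT)
logic = Element("logic solver", 500 * FIT, 50 * FIT, 400 * FIT, 20 * FIT)
valve = Element("POCV final element", 0.0, 300 * FIT, 0.0, 200 * FIT)
```

A PFDAVG that happens to land in the SIL 3 band does not override the Route 2H architectural constraint stated above (SIL 2 at HFT=0); both checks must pass for the claimed SIL.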


6 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT: Failure In Time (1 × 10^-9 failures per hour)

FMEDA: Failure Mode Effect and Diagnostic Analysis

HFT: Hardware Fault Tolerance

Low demand mode: Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

PFDAVG: Average Probability of Failure on Demand

PVST: Partial Valve Stroke Test. It is assumed that the Partial Stroke Testing, when performed, is automatically performed at least an order of magnitude more frequently than the proof test; therefore the test can be assumed to be an automatic diagnostic. Because of the automatic diagnostic assumption, the Partial Valve Stroke Testing also has an impact on the Safe Failure Fraction.

SFF: Safe Failure Fraction; summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF: Safety Instrumented Function

SIL: Safety Integrity Level

SIS: Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element: “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2


7 Status of the Document

7.1 Liability

exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1
Revision: R2

Version History:
V1, R2: Fixed errors in section 3.2.3 and 3.3; October 14, 2013
V1, R1: Updated based on review; October 11, 2013
V0, R1: Draft; October 10, 2013

Authors: Michael Medoff
Review: V0, R1: Dave Butler
Release status: Released

7.3 Future Enhancements

At the request of the client.

7.4 Release Signatures

Michael Medoff, CFSE, Senior Safety Engineer

David Butler, CFSE, Senior Safety Engineer