The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
exida®
Certification Services
IEC 61508 Functional Safety Assessment
Project:
Shear Seal Ram Actuator (SSR)
Customer:
NOV Texas Oil Tools, Conroe, TX, USA
Contract Number: Q12/09-041
Report No.: TOT 12/09-041 R001
Version V1, Revision R1, June 25, 2013
Steven Close
© exida Q12-09-041 R001 V1R1 SSR Assessment Report.doc
T-023 V2R2 www.exida.com Page 2 of 17
Management summary
This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the SSR Actuator.
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by NOV Texas Oil Tools by an on-site audit and creation of a safety case against the requirements of IEC 61508.
- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at TOT.
The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was also reviewed.
The results of the Functional Safety Assessment can be summarized as:
The TOT Shear Seal Ram Actuator (SSR) was found to meet the requirements of IEC 61508 for up to SIL 3 (SIL 3 Capable). The PFDAVG and architectural constraint requirements of the standard must be verified for each element of the safety function.
The manufacturer will be entitled to use the Functional Safety Logo. The manufacturer may use the mark:
Table of Contents
Management summary .................................................................................................... 2
1 Purpose and Scope ................................................................................................... 4
2 Project management .................................................................................................. 5
2.1 exida ............................................................................................................................ 5
2.2 Roles of the parties involved ........................................................................................ 5
2.3 Standards / Literature used .......................................................................................... 5
2.4 Reference documents .................................................................................................. 5
2.4.1 Documentation provided by NOV Texas Oil Tools ............................................. 5
2.4.2 Documentation generated by exida ................................................................... 8
3 Product Descriptions .................................................................................................. 9
4 IEC 61508 Functional Safety Assessment ............................................................... 10
4.1 Methodology .............................................................................................................. 10
4.2 Assessment level ....................................................................................................... 10
4.3 Product Modifications ................................................................................................. 11
5 Results of the IEC 61508 Functional Safety Assessment ........................................ 12
5.1 Open Issues ............................................................................................................... 12
5.2 Lifecycle Activities and Fault Avoidance Measures .................................................... 12
5.2.1 Functional Safety Management ....................................................................... 12
5.2.2 Safety Requirements Specification and Architecture Design ............................ 13
5.2.3 Hardware Design ............................................................................................. 13
5.2.4 Validation ......................................................................................................... 13
5.2.5 Verification ....................................................................................................... 14
5.2.6 Proven In Use .................................................................................................. 14
5.2.7 Modifications ................................................................................................... 14
5.2.8 User documentation......................................................................................... 14
5.3 Hardware Assessment ............................................................................................... 14
6 Terms and Definitions .............................................................................................. 16
7 Status of the Document ........................................................................................... 17
7.1 Liability ....................................................................................................................... 17
7.2 Releases .................................................................................................................... 17
7.3 Future Enhancements ................................................................................................ 17
7.4 Release Signatures .................................................................................................... 17
1 Purpose and Scope
This document describes the results of the IEC 61508 functional safety assessment of the NOV Texas Oil Tools Shear Seal Ram Actuator, performed by exida according to the requirements of IEC 61508: ed2, 2010.
The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.
2 Project management
2.1 exida
exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.
2.2 Roles of the parties involved
NOV Texas Oil Tools: Manufacturer of the Shear Seal Ram Actuator (SSR)
exida: Performed the hardware assessment
exida: Performed the IEC 61508 Functional Safety Assessment
TOT contracted exida in November 2012 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.
2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
2.4 Reference documents
2.4.1 Documentation provided by NOV Texas Oil Tools
Document ID; Revision; Date; Description
[D1] 424334-1; 12/16/2011; Manufacturing Record Book SSR Actuator Assembly
[D2] Certs; Certificates
[D3] D601001380; Rev L; 5/29/2012; Quality Manual
[D4] D601001381; Rev 05; 8/1/2012; List of Quality Management Procedures
[D5] D601001383 Minutes; n/a; 5/18/2012; Management Review Meeting - Sample Meeting Minutes
[D6] D601001383; Rev 02; 11/1/2011; Procedure for Management Review
[D7] D601001386; Rev 02; 11/1/2011; Procedure for Control of Documents
[D8] D601001387; Rev 02; 11/1/2011; Control of Records
[D9] D601001389; Rev 02; 11/1/2011; Notification of Changes Effecting the QMS
[D10] D601001390; Rev 03; 11/1/2011; Calibration System
[D11] D601001392; Rev 02; 11/1/2011; Inspection / Testing
[D12] D601001393; Rev 03; 8/1/2012; Corrective Action Procedure
[D13] D601001395; Rev 04; 11/1/2011; Control of Nonconforming Product
[D14] D601001396; Rev 02; 11/1/2011; Preventive Action Procedure
[D15] D601001399; Rev 02; 11/1/2011; Project Quality Requirements Planning
[D16] D601001400; Rev 02; 11/1/2011; Customer Feedback
[D17] D601001404; Rev 03; 11/1/2011; Internal Audits
[D18] D601001405; Rev 03; 11/1/2011; Review of Controlled Documents
[D19] D601001406; Rev 03; 8/1/2012; Statistical Techniques
[D20] D601001407; Rev 02; 11/1/2011; Identification and Preservation of Manufactured Equipment
[D21] D601001408; Rev 03; 11/1/2011; Procedure for Procurement Control
[D22] D601001411; Rev 03; 11/1/2011; Procedure for Preparation, Use and Control of Production Planning
[D23] D601001412; Rev 02; 11/1/2009; Procedure for Outsourced Processes
[D24] D601001415; Rev 01; 5/1/2008; Procedure for Receiving
[D25] D601001416; Rev 01; 5/1/2008; Procedure for Manufacturing Process Control
[D26] D601001418; Rev 01; 11/1/2011; Service and Recertification
[D27] D601001419; Rev 02; 11/1/2009; Procedure for Design Control, Verification and Validation
[D28] D601001420; Rev 03; 11/1/2011; Engineering Procedures, Specifications and Drawings
[D29] D601001421; Rev 03; 11/1/2011; Submitting an EN
[D30] D601001423; Rev 03; 11/1/2011; Submitting an ECR
[D31] D601001424; Rev 02; 11/1/2011; Field Nonconformance Reporting
[D32] D601001426; Rev 03; 11/1/2011; Prototype Development
[D33] D601001427; Rev 04; 11/1/2011; Management of Training Records
[D34] D601001454; 12/11/2012; Approved Supplier Index
[D35] D601001472; Rev 7; 6/12/2008; RECEIVING INSPECTION
[D36] D601001477; Rev 07; 10/27/2004; QUALITY INSPECTION/NONCONFORMANCE REPORTS
[D37] D601001806; 11/10/2012; Example Design File for the SSR Actuator
[D38] D601001806L-T; 5/20/2011; Laggan & Tormore Verification (Design File)
[D39] D601005606; Rev 03; 10/15/2012; SUBSEA PROJECT CHECKLIST
[D40] D601009072; 11/14/2012; Meeting Minutes / Action Items Tracking PPM Statfjord
[D41] D601010470-TPL-001; Rev 01; 6/10/2013; Impact Analysis
[D42] D60EIA56; Rev 01; 6/25/2012; ECHT- EIA56 QUALIFICATION TESTING - QUALIFICATION CHART
[D43] ECR Sample; Sample Engineering Change Request
[D44] Internal Audit Report; 5/1/2012; Sample Internal Audit Report
[D45] ISO Checklist; ISO Audit Checklist
[D46] M60EI54-ACT17L-PRO-001; Rev 01; 2/22/2011; ATEI-QAL03-PR2 CYC TEST EI54 SSR - Cycle Test Procedure (L&T)
[D47] M60EI54-ACT17L-PRO-003; Rev 05; 10/27/2011; Test Procedure
[D48] M60EI54-ACT21L SAFETY MANUAL; TECH-FMC STATFJORD SSR SAFETY
[D49] M60EI54-ACT21L; 4/23/2013; ACTUATOR ASM, SSR FMC STATFJORD, Design Verification
[D50] M60EI54-ACT21L-ASM-001; Rev 05; 5/7/2013; Test Procedure
[D51] M60EI54-ACT21L-MAN-001; Rev 02; 5/30/2012; Technical Manual - TECH-5.12 10K EI54 SSR STATFJORD
[D52] Master Feedback Log; n/a; 12/10/2012; Master Feedback Log
[D53] PPT; 8/14/2012; NOV Texas Oil Tools Overview
[D54] PSB-082; 2/1/2006; Product Service Bulletin
[D55] QM TOT-0300-4200-09; n/a; Training Matrix Form
[D56] QM-0099; Rev 3; Quality Inspection/Nonconformance Report Examples
[D57] QMS Audit Checklist; QMS Audit Checklist
[D58] R001; V0, R1; 12/6/2012; Draft SSR FMEDA Report
[D59] Shop Routing; 1/24/2012; Manual Pick List
[D60] SPC60060061; Rev B; 11/1/2010; SPECIFICATION, SUBSEA - COMPLETION & WORKOVER, SHEAR SEAL RAM ASSEMBLY 5 1/8 INCH - 10K - Laggan & Tormore Project
[D61] SPC60066313; Rev A; 9/30/2011; RAM, SHEAR SEAL ASSY, 5.12, 10K WP, 3K HYDRAULICS, SINGLE CIRCUIT - Requirements (FMC)
[D62] SPC60089814; Rev A; 10/23/2012; Safety Requirements Specification - FMC
[D63] Standards; n/a; List of applicable Agency Standards - Agency Approval Certificates
[D64] Supplier Audit Report; 42612; 4/26/2012; Supplier Audit Report Sample
[D65] Tools; List of Design Tools used (e.g., AutoCad, Pro-E); revision; how long used
[D66] ZZRP-0201; Rev G; 11/2/2002; Test Report ZZRP-0201
2.4.2 Documentation generated by exida
[R1] Q12-07-111 R001 V1R3 SSR Actuator_FMEDA Report.pdf; FMEDA report, Shear Seal Ram Actuator
[R2] TOT Compliance MergedIEC 61508 Gap Reportr2.docx; IEC 61508 Site Audit Report, NOV Texas Oil Tools
[R3] Q12-07-111 TOT SSR SafetyCaseDB IEC61508 R1.esc; IEC 61508 SafetyCaseDB for Shear Seal Ram Actuator (SSR)
[R4] Q12-09-041 R001 V1R1 SSR Assessment Report.doc, June 25, 2013; IEC 61508 Functional Safety Assessment, NOV Texas Oil Tools Shear Seal Ram Actuator (SSR) (this report)
3 Product Descriptions
The Shear Seal Ram Actuator is designed to be used at 10,000 psi working pressure at temperatures from -20 °F to 250 °F. The function of the SSR Actuator is to prevent blowout of oil and gas wells. The SSR Actuator is fitted with rams that are designed to shear through pipe and effect a seal of the well. The SSR Actuator includes a locking mechanism that locks the rams in place so that a loss of hydraulic pressure to the rams will not cause the rams to retract.
The SSR Actuator set consists of the following basic components:
1 Shear/Seal Ram Cylinder Assembly R.H.
1 Shear/Seal Ram Cylinder Assembly L.H.
1 Autolock Assembly R.H
1 Autolock Assembly L.H.
Hydraulic Assembly
On a trip command, hydraulic pressure forces the rams to close; shearing of the work string takes place between the upper and lower blades. After shearing is complete, continued travel of both rams to the body center causes the leading edge of the right-hand blade to engage the elastomeric sealing area in the left-hand insert and effect a wellbore pressure seal from below. Once the seal is obtained, the pressure from below acts to keep the rams closed and maintains the seal. Pressure above the ram acts in the opposite direction, which tends to open the rams and break the seal. Accordingly, the rams are uni-directional and designed to seal pressure from below only. Once the ram fully closes, hydraulic pressure acts on the Autolock mechanism, forcing it into the lock position. The mechanical lock prevents the rams from opening in the event hydraulic pressure is lost.
The safe state for the SSR Actuator is when the Shear/Seal Ram is fully closed.
Figure 1 shows one side of the SSR Actuator.
Figure 1 SSR Actuator, one side.
4 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received from NOV Texas Oil Tools and is documented in this report.
4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  - Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  - Specification process, techniques and documentation
  - Design process, techniques and documentation, including tools used
  - Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  - Verification activities and documentation
  - Modification process and documentation
  - Installation, operation, and maintenance requirements, including user documentation
  - Manufacturing Quality System
- Product design
  - Hardware architecture and failure behavior, documented in a FMEDA
The review of the development procedures is described in section 5.2. The review of the product design is described in section 5.3.
4.2 Assessment level
The SSR Actuator has been assessed per IEC 61508 to the following levels:
- SIL 3 capability
The development procedures have been assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL3) according to IEC 61508.
4.3 Product Modifications
NOV Texas Oil Tools may make modifications to this product as needed. Modifications shall be classified into two types:
- Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions.
- Type 2 Modification: Changes allowed to be made by NOV Texas Oil Tools provided that:
  - A competent position from NOV Texas Oil Tools, appointed and agreed with exida, judges and approves the modifications. The position of Senior Engineer is qualified to judge and approve modifications.
  - The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person in respect to the modifications made.
    - List of all anomalies reported
    - List of all modifications completed
    - Safety impact analysis which shall indicate with respect to the modification:
      - The initiating problem (e.g. results of root cause analysis)
      - The effect on the product / system
      - The elements/components that are subject to the modification
      - The extent of any re-testing
    - List of modified documentation
    - Regression test plans
5 Results of the IEC 61508 Functional Safety Assessment
exida assessed the development process used by NOV Texas Oil Tools for these products against the objectives of IEC 61508 parts 1 - 7. The assessment was done on-site at the Conroe, TX facility on December 10-11, 2012 and documented in the SafetyCase [R3].
5.1 Open Issues
The overall process is strong. Some areas of improvement were identified in the design process and some of the design procedures and forms were upgraded during the project. All of the improvements were evaluated and included in the final version of the SafetyCase.
5.2 Lifecycle Activities and Fault Avoidance Measures
NOV Texas Oil Tools has a defined product lifecycle process in place. This is documented in the Quality Management System Manual [D3] and various Quality Procedures [D6]-[D41]. Every customer job goes through the complete design process. A documented modification process is also covered in the Quality Manual and is described in more detail in procedures D601001421, “Submitting an Engineering Notice”, and D601001423, “Submitting an Engineering Change Request”. No software is part of the design and therefore any IEC 61508 requirements specific to software and software development do not apply.
The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The defined product lifecycle process was modified as a result of the audit which showed some areas for improvement. The result of the assessment can be summarized by the following observations:
The audited NOV Texas Oil Tools design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.
5.2.1 Functional Safety Management
The SSR Actuator manufactured by TOT is not built for inventory. These actuators are built-to-order. The basic designs are standardized, but each order can have trim and materials variations or specific customer requested proof tests. Due to the specialized nature of each actuator, documentation that defines all of the requirements is generated for every order as part of the process.
FSM Planning
NOV Texas Oil Tools has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in section 7 of their Quality Manual [D3] and in greater detail in procedure D601001419, “Procedure for Control, Verification and Validation” [D27]. Templates and sample documents were reviewed and found to be sufficient. The modification process is described in section 7.3.7 of the Quality Manual and in more specific terms on procedures D601001421 [D29] and D601001423 [D30]. The process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well defined safety functionality.
Version Control
Procedure D601001420 [D28] requires that all design documents be under document control. Version control of quality documents is required by Procedure D601001386 [D7]. Use of these procedures to control revisions was evident during the audit.
Training, Competency recording
Section 6.2.2 of the Quality Manual addresses training, competency and awareness. The Human Resources department maintains training records of education, experience, training and qualifications for all personnel. It is the responsibility of each department manager or supervisor to verify the competency of each employee. Training needs are noted on the training matrix based upon job description. Managers and supervisors are responsible for providing training certificates and training and competency documents to the HR and HSE departments upon completion, to be retained in the employee's file.
The procedures and records were examined and found up-to-date and sufficient. TOT hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.
5.2.2 Safety Requirements Specification and Architecture Design
For the Shear Seal Ram Actuator (SSR), the simple primary functionality is the same as the safety functionality of the product. Therefore no special Safety Requirements Specification was needed. The normal functional requirements were sufficient.
General Design and testing methodology is documented and required as part of the design process. This meets SIL 3.
5.2.3 Hardware Design
The design process is documented in Procedure D601001419 [D27]. Items from IEC 61508-2, Table B.2 include observance of guidelines and standards, project management, documentation (design outputs are documented per quality procedures), structured design, modularization, use of well-tried components / materials, and computer-aided design tools. This meets SIL 3.
5.2.4 Validation
Validation testing is documented in the Manufacturer’s Record Book, which is created for each order. The manufacturing record contains all information regarding the manufacturing of the SSR Actuator. This includes certificates, documentation and test results. The test plan includes testing per all standard and customer performance requirements. As the Shear Seal Ram Actuator (SSR) is a purely mechanical device with an easily defined safety function, no separate integration testing is necessary. The SSR Actuator performs a shear and seal Safety Function, which is extensively tested under various conditions during validation testing.
Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3.
Items from IEC 61508-2, Table B.5 included functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis on products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.
5.2.5 Verification
The design certification activities are defined in Section 4.7 of Procedure D601001419 [D27]. Design verification of the SSR Actuator is done using the distortion energy method. The results are documented in the design file for the project. For each design phase, the objectives, the required input and output documents, and the review activities are stated. This meets SIL 3.
5.2.6 Proven In Use
The SSR Actuator does not meet the exida criteria for Proven in Use.
5.2.7 Modifications
Modifications are initiated per Procedure D601001423 [D30], “Submitting an ECR”. SIL related drawings are identified with a note specifying that any modifications must go through an impact analysis per Procedure D601010470, Impact Analysis [D41]. All changes are first reviewed and analyzed for their impact on the safety function before being approved. If the ECR is approved, Engineering completes the necessary ENs and approves the ECR using the Adobe Lifecycle Workspace, which automatically logs the ECR in Teamcenter. Modifications are tracked through Teamcenter. Measures to verify and validate the change are developed following the normal design process. This meets SIL 3.
5.2.8 User documentation
NOV Texas Oil Tools creates the following user documentation: product catalogs, a Technical Manual [D51] and a Safety Manual [D48]. The Safety Manual was found to contain all of the required information. The Safety Manual references the FMEDA reports which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information.
Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities (the Shear Seal Ram Actuator (SSR) performs well-defined actions) and operation only by skilled operators (operators familiar with the type of valve, although this is partly the responsibility of the end-user). This meets SIL 3.
5.3 Hardware Assessment
To evaluate the hardware design of the SSR Actuator, Failure Modes, Effects, and Diagnostic Analyses were performed by exida. These are documented in [R1].
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.
From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [R1]. Tables in the FMEDA report list these failure rates for the Shear Seal Ram Actuator (SSR) under its intended application. The failure rates listed are valid for the useful life of the device.
Note: as the Shear Seal Ram Actuator (SSR) is only one part of a (sub)system, the SFF should be calculated for the entire final element combination.
These results must be considered in combination with the PFDAVG values of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraint requirements of IEC 61508-2, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.
The analysis shows that the design of the Shear Seal Ram Actuator (SSR) can meet the hardware requirements of IEC 61508, SIL 2 depending on the complete final element design. The Hardware Fault Tolerance, PFDAVG, and Safe Failure Fraction requirements of IEC 61508 must be verified for each specific design.
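The following Python script is an added worked example, not part of the exida report or its FMEDA tooling: it combines per-element FMEDA failure rates for a complete final element into the Safe Failure Fraction, PFDAVG and the IEC 61508-2 Table 2 architectural constraint (Type A elements) that section 5.3 says the end user must verify, applying the section 6 rule that Partial Valve Stroke Testing only counts as an automatic diagnostic when it runs at least an order of magnitude more often than the proof test. All failure rates, the hydraulic control valve element, the series assumption and the simplified 1oo1 PFDAVG formula are constructed assumptions; the real SSR figures are in the FMEDA report [R1].

```python
"""Added worked example: per-element FMEDA rates -> whole-final-element SFF,
PFDavg and the IEC 61508-2 Table 2 architectural constraint (Type A elements).
Not part of the exida report; every failure rate is a CONSTRUCTED placeholder
in FIT (1e-9 failures/h). The real SSR numbers are in the FMEDA report [R1]."""
from dataclasses import dataclass

FIT = 1e-9  # failures per hour (section 6 of the report)

# IEC 61508-2 Table 2, Type A elements (Route 1H): for each SFF row, the upper
# bound of the row and the maximum SIL at HFT 0, 1 and 2.
TABLE_2_TYPE_A = [
    (0.60, (1, 2, 3)),          # SFF < 60 %
    (0.90, (2, 3, 4)),          # 60 % <= SFF < 90 %
    (0.99, (3, 4, 4)),          # 90 % <= SFF < 99 %
    (float("inf"), (3, 4, 4)),  # SFF >= 99 %
]
# Low-demand PFDavg bands (IEC 61508-1): (upper bound, SIL), best first.
PFD_BANDS = [(1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)]


@dataclass(frozen=True)
class ElementRates:
    """FMEDA result for one element of the final element (values in FIT)."""
    name: str
    lambda_sd: float            # safe, detected
    lambda_su: float            # safe, undetected
    lambda_dd: float            # dangerous, detected by automatic diagnostics
    lambda_du: float            # dangerous, undetected (found only by proof test)
    pvst_coverage: float = 0.0  # share of lambda_du a partial stroke test reveals


def credited_rates(e, proof_test_interval_h, pvst_interval_h=None):
    """Return (lambda_S, lambda_DD, lambda_DU) in FIT after crediting PVST.
    Section 6 rule: PVST counts as an automatic diagnostic only when it runs at
    least an order of magnitude more often than the proof test."""
    lam_dd, lam_du = float(e.lambda_dd), float(e.lambda_du)
    if pvst_interval_h is not None and 10 * pvst_interval_h <= proof_test_interval_h:
        moved = e.lambda_du * e.pvst_coverage  # these failures now count as detected
        lam_dd += moved
        lam_du -= moved
    return e.lambda_sd + e.lambda_su, lam_dd, lam_du


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous detected) / all failures (section 6 definition)."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def pfd_avg_1oo1(lambda_du_fit, proof_test_interval_h):
    """Simplified low-demand 1oo1 approximation: PFDavg ~= lambda_DU * TI / 2."""
    return lambda_du_fit * FIT * proof_test_interval_h / 2


def max_sil_architectural(sff, hft):
    """Maximum SIL allowed by IEC 61508-2 Table 2 for a Type A element."""
    for upper, sils in TABLE_2_TYPE_A:
        if sff < upper:
            return sils[min(hft, 2)]


def max_sil_from_pfd(pfd):
    """Best low-demand SIL band containing this PFDavg (0 if worse than SIL 1)."""
    for upper, sil in PFD_BANDS:
        if pfd < upper:
            return sil
    return 0


def assess_final_element(elements, hft, proof_test_interval_h, pvst_interval_h=None):
    """Aggregate every element of the final element, as section 5.3 requires:
    SFF and PFDavg are judged for the whole combination, not the SSR alone.
    Elements are assumed to be in series, so their failure rates simply add."""
    lam_s = lam_dd = lam_du = 0.0
    for e in elements:
        s, dd, du = credited_rates(e, proof_test_interval_h, pvst_interval_h)
        lam_s, lam_dd, lam_du = lam_s + s, lam_dd + dd, lam_du + du
    sff = safe_failure_fraction(lam_s, lam_dd, lam_du)
    pfd = pfd_avg_1oo1(lam_du, proof_test_interval_h)
    return {"sff": sff, "pfd_avg": pfd,
            "sil_architectural": max_sil_architectural(sff, hft),
            "sil_pfd": max_sil_from_pfd(pfd)}


# CONSTRUCTED sample final element: the SSR actuator plus the hydraulic control
# valve that drives it. Neither row comes from the FMEDA report; the SSR gets no
# PVST coverage because a shear ram cannot be partially stroked.
SAMPLE_FINAL_ELEMENT = [
    ElementRates("SSR actuator (constructed)", 0, 150, 0, 250, pvst_coverage=0.0),
    ElementRates("hydraulic control valve (constructed)", 0, 400, 0, 600, pvst_coverage=0.6),
]

if __name__ == "__main__":
    for pvst in (None, 720.0):  # yearly proof test; no PVST, then monthly PVST
        r = assess_final_element(SAMPLE_FINAL_ELEMENT, 0, 8760.0, pvst)
        print(f"PVST interval {pvst} h:", r)
```

With the constructed rates, crediting a monthly PVST against a yearly proof test lifts the combined SFF from below 60 % to 65 %, which moves the HFT 0 architectural limit from SIL 1 to SIL 2 while the PFDAVG band stays at SIL 2.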
6 Terms and Definitions
Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT Failure In Time (1×10^-9 failures per hour)
FMEDA Failure Mode Effect and Diagnostic Analysis
HFT Hardware Fault Tolerance
Low demand mode Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
PFDAVG Average Probability of Failure on Demand
PVST Partial Valve Stroke Test
It is assumed that Partial Stroke Testing, when performed, is performed automatically at least an order of magnitude more frequently than the proof test; therefore the test can be assumed to be an automatic diagnostic. Because of the automatic diagnostic assumption, Partial Valve Stroke Testing also has an impact on the Safe Failure Fraction.
SFF Safe Failure Fraction summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
7 Status of the Document
7.1 Liability
exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.
7.2 Releases
Version: V1
Revision: R1
Version History: V1,R1: Release to NOV Texas Oil Tools, June 25, 2013
V0, R2: Draft; May 23, 2013, Added document D65
V0, R1: Draft; May 22, 2013
Authors: Steven Close
Review: V0, R2: Griff Francis (exida); June 25, 2013
Release status: Released
7.3 Future Enhancements
At the request of the client.
7.4 Release Signatures
Steven F. Close, Senior Safety Engineer
Griff Francis, Senior Safety Engineer