
IEC 61508 Functional Safety Assessment

Project:

Microfinish Floating and Trunnion Mounted Ball Valves

Customer:

Microfinish Valves Pvt. Ltd. Hubli, Karnataka

India

Contract No.: Q13/07-036 Report No.: MFV 08/06-25 R002

Version V3, Revision R2, August 23, 2013 Gregory Sauk

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.


© MFV 08-06-025 R002 V3R2 Assessment Ball Valve.doc

Management Summary

This report summarizes the results of the functional safety assessment according to IEC 61508:2010 carried out on the:

Series 84, 85, 87, 89, 90, and 91 Floating Ball Valves

Series T84, T85, T87, T89, T90, and T91 Trunnion Mounted Ball Valves

The functional safety assessment performed by exida consisted of the following activities:

- exida assessed the development process used by Microfinish Valves by an on-site audit and creation of a detailed safety case against the requirements of IEC 61508.

- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida performed a Proven in Use assessment of the devices to document the field failure data and determine the suitability for certification.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed along with the proven in use assessment. Also reviewed was the user documentation including the IOM and the Safety Manuals.

Areas for improvement were identified which are generally required to formally show compliance to IEC 61508. However, because of the low complexity of the products and the proven in use design, Microfinish Valves was able to demonstrate that the objectives of the standard have been met.

The results of the Functional Safety Assessment can be summarized by the following statements:

The Microfinish Floating and Trunnion Mounted Ball Valves were found to meet the Systematic Capability requirements of IEC 61508 for up to SC 3 (SIL 3 Capable).

The Microfinish Floating and Trunnion Mounted Ball Valves were found to meet the Random Capability requirements for a Type A device of SIL 2@HFT=0, SIL 3@HFT=1 for all models using Route 2H. The PFDAVG requirements of the standard must also be verified for each application.

The manufacturer will be entitled to use the Functional Safety Logo.

exida T-023 V2R3 www.exida.com Page 2 of 15


Table of Contents

Management Summary ........ 2
1 Purpose and Scope ........ 4
2 Project Management ........ 5
  2.1 exida ........ 5
  2.2 Roles of the parties involved ........ 5
  2.3 Standards and Literature used ........ 5
  2.4 Reference Documents ........ 5
    2.4.1 Documentation provided by Microfinish Valves ........ 5
    2.4.2 Documentation generated by exida ........ 7
3 Product Description ........ 8
4 IEC 61508 Functional Safety Assessment ........ 10
  4.1 Methodology ........ 10
  4.2 Assessment Level ........ 10
5 Results of the IEC 61508 Functional Safety Assessment ........ 11
  5.1 Lifecycle Activities and Fault Avoidance Measures ........ 11
    5.1.1 Functional Safety Management ........ 11
    5.1.2 Safety Requirements Specification and Architecture Design ........ 12
    5.1.3 Validation ........ 12
    5.1.4 Verification ........ 12
    5.1.5 Proven In Use ........ 12
    5.1.6 Modifications ........ 12
    5.1.7 User Documentation ........ 13
  5.2 Hardware Assessment ........ 13
6 Terms and Definitions ........ 14
7 Status of the Document ........ 15
  7.1 Liability ........ 15
  7.2 Releases ........ 15
  7.3 Future Enhancements ........ 15
  7.4 Release Signatures ........ 15


1 Purpose and Scope

This document shall describe the results of the IEC 61508 functional safety assessment of the Microfinish Valves:

Series 84, 85, 87, 89, 90, and 91 Floating Ball Valves

Series T84, T85, T87, T89, T90, and T91 Trunnion Mounted Ball Valves

by exida according to the requirements of IEC 61508: ed2, 2010.

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.


2 Project Management

2.1 exida

exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains the largest process equipment database of failure rates and failure modes with over 60 billion unit operating hours.

2.2 Roles of the parties involved

Microfinish Valves Pvt. Ltd. Manufacturer of the Ball Valves

exida Performed the IEC 61508 Functional Safety Assessment.

Microfinish Valves contracted exida in August 2012 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards and Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7): ed2, 2010

Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference Documents

2.4.1 Documentation provided by Microfinish Valves

[D1] P/4.2.3/1 R00 Control of Documents Procedure

[D2] P/6.3/1 R00 Resource Management Procedure with evidence

[D3] P/7.6/1 R00 Control of Monitoring and Measuring Devices Procedure

[D4] P/8.2.2/1 R00 Procedure for Internal Audits

[D5] P/8.3/1 R00 Procedure for Control of Non-Conforming Product

[D6] R/8.2.2/2 R00; April 21, 2012 Internal Audit Report - example

[D7] API 6D Certificate; May 5, 2012

API 6D Monogram Certificate

[D8] R/7.3/3 R00 Floating & Trunnion Mounted Ball Valve IOM

[D9] BV 02: JUNE 2010 Floating Ball Valve Catalog

[D10] 84.pdf to 90.pdf Cross Sectional Drawings for each of the Valve Series

[D11] CE Cert; CE Cert


[D12] W/7.2.3/1 R00 Technical Specifications for Ball Valves Procedure

[D13] W/7.3.1/1 R00 Design and Development Planning Procedure

[D14] W/7.3.2/1 R00 Design Inputs

[D15] W/7.3.4/1 R00 Design Review Procedure

[D16] W/7.3.6/1 R00 Design Qualification and Validation Procedure

[D17] W/7.3.7/1 R00 Design Change Procedure

[D18] R/7.3/37 R00 Design Input Review for Ball Valves Form

[D19] R/7.3/26 R00 Fire Tests Certificates

[D20] R/7.3/13 R00 Design Change Suggestion Form

[D21] R/7.3/14 R00 Review of Design Change Suggestion Form

[D22] DB 07-44 Design File - Examples of Required Design Documents

[D23] DCS 40801; Aug 29, 2004 Completed Design Change and Design Change Circular Form - examples

[D24] FPR; 10-6-2005; Floating Production Range

[D25] T01; R01; Aug 14, 2008 Break Torque of Floating Ball Valves w/PTFE Seats

[D26] P/6.2/1 R00 Training Procedure and Evidence

[D27] ISO Certificate; May 5, 2012 ISO 9001 Certificate

[D28] MRM No.79 April 27 2012 Management Review Report - example

[D29] MSBV 01A:JUNE 2010 Metal Seated Ball Valve Catalog

[D30] MVPLS3SRS R001; V1; Apr 11, 2009

Safety Requirements Specification – Floating and Trunion Mounted Ball Valves

[D31] W/8.2.4/6 R00 Procedure for Ball Valve Testing

[D32] R/7.6/6 R00 Calibration Certificates

[D33] R/8.2.4/21 R00 Production Test Certificates

[D34] R/8.2.4/2 R00 Internal Inspection Test Plan for Ball Valves

[D35] W/8.3/1 R00 Customer complaints Work Instruction

[D36] S3FRDB R 01(0809-1112).xls Summary of Customer Complaints Data

[D37] S3SM R01; V1; Apr 11, 2009 Safety Manual for Floating and Trunnion Mounted Ball Valves

[D38] TMBV 01A; JUNE 2010 Trunnion Mounted Ball Valve Catalog

[D39] T84.pdf to T91.pdf Cross Sectional Drawings for each of the Valve Series

[D40] TPR; 10-6-2005; Trunnion Production Range

[D41] TT; Trunnion Torques

[D42] BV-CYCLIC-VA465- 101; 4/5/2008

Validation Test Reports file (Endurance, Helium Leak, Cryogenic, High Temperature, etc.) - example


2.4.2 Documentation generated by exida

[R1] MFV 08/06-25 R001; V3 R2; August 23, 2013

FMEDA Report, Floating and Trunion Mounted Ball Valves

[R2] Field Failure Analysis Microfinish R2-GPS.xls; 9/28/12

Proven In Use Analysis for Floating and Trunnion Ball Valves – 2012 update

[R3] Microfinish Mechanical SafetyCase Data.esc; 9/28/12

Microfinish Floating and Trunnion Mounted Ball Valves IEC 61508 Compliance SafetyCaseDB

[R4] MFV 08-06-025 R002 V3R2 Assessment Ball Valve.doc; 8/23/2013

IEC 61508 Functional Safety Assessment, Microfinish Floating and Trunnion Mounted Ball Valves (this report)


3 Product Description

The Microfinish Floating and Trunnion Mounted Ball Valves are heavy duty ¼ turn ball valves used to control process fluids. The Valves are available in a variety of sizes, configurations, seat materials and pressure ratings up to ANSI Class 2500. The Ball Valves are typically used with other interface components (valve actuator and positioner or solenoid valve) to provide a final element subassembly for a Safety Instrumented Function (SIF).

Microfinish Floating Ball Valves are available in both reduced bore and full bore designs in sizes from 15 to 300 mm and pressure classes from ANSI 150 to 2500. Ball Valves have API-6D and CE certifications. Flexible Seats, Metal Seats, Flanged ends, and welding ends are all covered in this analysis.

The Trunnion Mounted Ball Valves consist of a trunnion mounted ball and two sets of independent seals, one set before and one after the ball. This provides double sealing with the ball and allows any pressure trapped in the body cavity to be managed. Microfinish Trunnion Mounted Ball Valves are available in both reduced bore and full bore designs in sizes from 50 to 900 mm and pressure classes from ANSI 150 to 2500. Ball valves are designed using the latest CAD software to achieve the highest levels of performance, reliability, and safety as required by the user industries. Design standards are API 6D and ASME B16.34. Flexible Seats, Metal Seats, Flanged ends, and welding ends are all covered in this analysis.

The safety function for the valve and the additional components in the subsystem is to move the valve to the safe position within the specified time. The valve may be used as either open on trip or close on trip as required by the application.

Figure 1 illustrates the boundaries for what is being covered in this FMEDA.

Figure 1 Typical Microfinish Trunnion Mounted Ball Valves

Table 1 gives an overview of the different versions that were considered in the IEC 61508 Assessment and FMEDA of the Microfinish Floating and Trunnion Mounted Ball Valves.


Table 1 Version Overview

Option 1 Series 84, 85, 87, 89, 90, and 91 Floating Ball Valves, Full or Reduced Bore, Flexible or Metal Seat Models – Clean Service

Option 2 Series 84, 85, 87, 89, 90, and 91 Floating Ball Valves, Full or Reduced Bore, Flexible or Metal Seat Models – Severe Service

Option 3 Series T84, T85, T87, T89, T90, and T91 Trunnion Mounted Ball Valves, Full or Reduced Bore, Flexible or Metal Seat Models – Clean Service

Option 4 Series T84, T85, T87, T89, T90, and T91 Trunnion Mounted Ball Valves, Full or Reduced Bore, Flexible or Metal Seat Models – Severe Service

All of the Microfinish Floating and Trunnion Mounted Ball Valves covered in this report are classified as Type A devices¹ according to IEC 61508, having a hardware fault tolerance of 0.

The common safety function that was used in the evaluation of these Valves and any additional components in the subsystem is to move the Valve to the safe position (either closed or open depending on the design configuration).

¹ Type A element: “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2, ed2, 2010.


4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Microfinish Valves and is documented in this report.

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.

Additionally, for designs that have been in service for several years and have demonstrated themselves in a variety of applications and conditions, a proven in use assessment may be used as a substitute if a product did not follow a fully IEC 61508 compliant design process.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

- Development process, including:

  - Functional Safety Management, including training and competence recording, FSM planning, and configuration management

  - Design process, techniques and documentation, including tools used

  - Validation activities, including production test procedures and documentation

  - Verification activities and documentation

  - Modification process and documentation

  - Installation, operation, and maintenance requirements, including user documentation

  - Manufacturing Quality System

- Product design

  - Hardware architecture and failure behavior, documented in an FMEDA

The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.2.

4.2 Assessment Level

The Microfinish Floating and Trunnion Mounted Ball Valves listed in Section 3 have been assessed per IEC 61508 to the following levels:

Systematic Capability SC 3 (SIL 3 Capable) as the development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.

Architecture Constraint limitations of SIL 2 for a single device (using Route 2H) and SIL 3 for a single device where the SFF for the complete final element is >90% (if using Route 1H).


5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Microfinish Valves for these products against the objectives of IEC 61508 parts 1 - 7. The assessment was done on-site at the Hubli, India facility in October 2008 and is documented in the SafetyCase [R3].

5.1 Lifecycle Activities and Fault Avoidance Measures

Microfinish Valves is ISO 9001 certified and has a documented formal procedure in place for new product development or product variations. There are specific deliverables, reviews and approvals required in this process. Significant changes or modifications to the product need to go through this same process. All changes to the product, regardless of complexity, are controlled by their Design Changes process. Design and Development Work Instruction W/7.3.1/1 details the Design and Development Planning, while the Design Change process is documented in Work Instruction W/7.3.7/1. No software is part of the design and therefore any IEC 61508 requirements specific to software and software development do not apply.

The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The defined product lifecycle process was modified as a result of a previous audit which showed some areas for improvement. However, given the simple nature of the safety function and the extensive proven field experience for existing products, Microfinish Valves was able to demonstrate that the objectives of the standard have been met. The result of the assessment can be summarized by the following observations:

The audited Microfinish Valves design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

FSM Planning

Microfinish Valves is ISO 9001 certified with appropriate quality management procedures in place. For each phase of the development process, specific deliverables, reviews and approvals are in place. Modification procedures are also in place. The process and work instructions referenced herein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well defined safety functionality.

Version Control

All documents in the design file are under version control. This includes design drawings and specification and test documents.

Training, Competency recording

Microfinish Valves maintains appropriate records of education, experience, training and qualifications for all personnel according to Training Procedure P/6.2/1. Department Heads are responsible for identifying and providing the training needs for their department and for maintaining records of in-process training. Additionally, Microfinish Valves hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.


5.1.2 Safety Requirements Specification and Architecture Design

The Safety Requirements Specification for the Microfinish Floating and Trunnion Mounted Ball Valves was reviewed. The listed requirements were sufficient to cover a mechanical device with a simple Safety Function. As the product designs are simple and are based upon standard designs with extensive field history, no semi-formal methods are needed. General design and testing methodology is documented and required as part of the design process. This meets SIL 3.

5.1.3 Validation

Validation Testing is done via Work Instruction W/7.3.6/1 which includes both standard Microfinish Valves tests and API 6D standards tests. In addition to in-house testing, third party testing may be included as part of agency approvals or customer acceptance. As the Valves are purely mechanical devices with a simple safety function, there is no separate integration testing necessary. The Valves perform only 1 safety function, which is extensively tested under various conditions during validation testing.

Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3.

Items from IEC 61508-2, Table B.5 included functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis on products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.

The Microfinish Floating and Trunnion Mounted Ball Valves validation process meets SIL 3.

5.1.4 Verification

Verification activities are defined in the Design and Development Work Instruction. For each design phase, the objectives, the required input and output documents, and the review activities are stated. This meets SIL 3.

5.1.5 Proven In Use

A Proven in Use evaluation was carried out on the Microfinish Floating and Trunnion Mounted Ball Valves. Shipment records from 2008 to 2012 were used to determine that the Floating Ball Valves have >1 billion operating hours (>70 million for the Trunnion Mounted Ball Valves) and they have demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL 3.

5.1.6 Modifications

Modifications are initiated per the Design Change Procedure [D17]. All changes are first reviewed and analyzed for impact before being approved. Measures to verify and validate the change are developed following the normal design process. This meets SIL 3.


5.1.7 User Documentation

Microfinish Valves creates the following user documentation: product catalogs and a Safety Manual. The Safety Manual was found to contain all of the required information given the simplicity of the products. The Safety Manual references the FMEDA reports which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information.

Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities (Microfinish Floating and Trunnion Mounted Ball Valves perform well-defined actions) and operation only by skilled operators (operators familiar with type of valve, although this is partly the responsibility of the end-user). This meets SIL 3.

5.2 Hardware Assessment

To evaluate the hardware design of the Microfinish Floating and Trunnion Mounted Ball Valves, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each of the Valve and Actuator Series. This is documented in [R1].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [R1].

Note that, as the Microfinish Floating and Trunnion Mounted Ball Valves are only components of a final element, the SFF must be calculated for the entire final element combination if following the Route 1H hardware architectural constraints. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.

The failure rate data used for this analysis meets the exida criteria for Route 2H. Therefore the reviewed Microfinish Floating and Trunnion Mounted Ball Valves meet the Route 2H hardware architectural constraints for up to SIL 2 at HFT=0 when the listed failure rates are used, and SIL 3 applications with a HFT=1.

The analysis shows that the design of the Microfinish Floating and Trunnion Mounted Ball Valves can meet the hardware requirements of IEC 61508, SIL 3 depending on the complete final element design. The Hardware Fault Tolerance, PFDAVG, and Safe Failure Fraction (when not following Route 2H) requirements of the IEC 61508 must be verified for each specific design.


6 Terms and Definitions

Automatic Diagnostics Tests performed on line internally by the device or, if specified, externally by another device without manual intervention.

exida criteria A conservative approach to arriving at failure rates suitable for use in hardware evaluations utilizing the 2H Route in IEC 61508-2.

Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT Failure In Time (1×10⁻⁹ failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis

HFT Hardware Fault Tolerance

Low demand mode Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

PFDAVG Average Probability of Failure on Demand

PVST Partial Valve Stroke Test

It is assumed that the Partial Stroke Testing, when performed, is automatically performed at least an order of magnitude more frequently than the proof test; therefore the test can be assumed to be an automatic diagnostic. Because of the automatic diagnostic assumption, the Partial Valve Stroke Testing also has an impact on the Safe Failure Fraction.

Random Capability The SIL limit imposed by the Architectural Constraints for each element.

SFF Safe Failure Fraction summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
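The following Python is an added worked example, not part of the report and not code from exida or Microfinish Valves. It ties together the hardware-side checks of Section 5.2 and the definitions above: the Safe Failure Fraction computed over a whole final element assembly (not the valve alone), the Route 1H versus Route 2H architectural-constraint SIL for a Type A element, the effect of counting PVST as an automatic diagnostic, and a simplified 1oo1 PFDavg. Every failure rate, the PVST coverage, the proof-test interval and MTTR, and the simplified PFDavg formula are assumptions made for illustration; real values come from the applicable FMEDA reports.

```python
"""Added worked example: hardware-side IEC 61508 figures for a final element
built around a ball valve. SFF over the whole assembly, Route 1H vs Route 2H
architectural constraints for a Type A element, PVST counted as an automatic
diagnostic, and a simplified 1oo1 PFDavg. All failure rates are constructed
illustration values, not data from any FMEDA report."""
from dataclasses import dataclass

FIT = 1e-9  # 1 Failure In Time = 1e-9 failures per hour (Section 6)


@dataclass(frozen=True)
class Element:
    """FMEDA failure rates of one component, in FIT: safe detected,
    safe undetected, dangerous detected, dangerous undetected."""
    name: str
    sd: float
    su: float
    dd: float
    du: float


def apply_pvst(element, coverage):
    """Treat partial valve stroke testing as an automatic diagnostic (the PVST
    assumption in Section 6): the covered share of dangerous undetected
    failures moves to dangerous detected, which raises the SFF."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("PVST coverage must lie between 0 and 1")
    moved = element.du * coverage
    return Element(element.name, element.sd, element.su,
                   element.dd + moved, element.du - moved)


def sff(elements):
    """Safe Failure Fraction of the combined final element: the share of all
    failures that are safe or detected. Computed over every component, as
    Section 5.2 requires for Route 1H, never for the valve alone."""
    safe_or_detected = sum(e.sd + e.su + e.dd for e in elements)
    total = safe_or_detected + sum(e.du for e in elements)
    if total <= 0:
        raise ValueError("no failure rate data supplied")
    return safe_or_detected / total


# IEC 61508-2 ed2 Table 2, Type A elements: highest SIL allowed at
# (HFT 0, HFT 1, HFT 2) for each SFF band.
_ROUTE_1H_TYPE_A = (
    (0.60, (1, 2, 3)),          # SFF < 60 %
    (0.90, (2, 3, 4)),          # 60 % <= SFF < 90 %
    (0.99, (3, 4, 4)),          # 90 % <= SFF < 99 %
    (float("inf"), (3, 4, 4)),  # SFF >= 99 %
)


def max_sil_route_1h(sff_value, hft):
    """Architectural-constraint SIL for a Type A final element via Route 1H."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for upper_bound, sils in _ROUTE_1H_TYPE_A:
        if sff_value < upper_bound:
            return sils[hft]
    raise AssertionError("unreachable: the table covers every SFF value")


def max_sil_route_2h(hft):
    """Route 2H (IEC 61508-2, 7.4.4.3.1), low demand mode: no SFF is needed,
    but the failure rate data must satisfy the standard's confidence rules
    (the 'exida criteria'). SIL 2 at HFT 0, SIL 3 at HFT 1, as in Section 5.2."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return (2, 3, 4)[hft]


def pfd_avg_1oo1(elements, proof_test_h, mttr_h):
    """Simplified 1oo1 low-demand PFDavg (assumed common approximation:
    lambda_DU * TI / 2 + lambda_DD * MTTR). An HFT 1 design needs the 1oo2
    equation instead, which this function does not cover."""
    lam_du = sum(e.du for e in elements) * FIT
    lam_dd = sum(e.dd for e in elements) * FIT
    return lam_du * proof_test_h / 2.0 + lam_dd * mttr_h


def sil_from_pfd(pfd):
    """Low demand SIL band of IEC 61508-1 Table 2 (0 means below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4)):
        if pfd >= lower:
            return sil
    return 4


# Constructed example assembly: valve + actuator + solenoid (illustrative FIT
# values only; real numbers come from the applicable FMEDA reports).
ASSEMBLY = (
    Element("ball valve", sd=0, su=200, dd=0, du=400),
    Element("actuator", sd=0, su=300, dd=0, du=500),
    Element("solenoid valve", sd=100, su=200, dd=0, du=200),
)


def with_pvst(coverage):
    """The same assembly with PVST exercising the valve and actuator only."""
    valve, actuator, solenoid = ASSEMBLY
    return (apply_pvst(valve, coverage), apply_pvst(actuator, coverage), solenoid)
```

With these constructed rates the assembly has an SFF of about 42 %, so Route 1H allows only SIL 1 at HFT 0 while Route 2H allows SIL 2; a 60 % PVST coverage lifts the SFF to about 71 %, where Route 1H also reaches SIL 2 at HFT 0 and SIL 3 at HFT 1. The application can claim no more than the lower of the architectural-constraint SIL and the PFDavg band, and the PFDavg itself must be recomputed for each proof-test interval.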


7 Status of the Document

7.1 Liability

exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

This report replaces report MFV 08/06-25 R002 V2 R2; all previous versions of this report are now obsolete.

Version: V3

Revision: R2

Version History: V3, R2: Revised some Route 2H notes – GPS, Aug. 23, 2013

V3, R1: Updated report to include Route 2H – TES, Aug. 9, 2013

V2, R1: Used current template T-023_V2R1 – GPS Oct. 9, 2012

V1, R1: Draft

Authors: Gregory Sauk

Review: V2, R1: William Goble (exida); October 9, 2012

Release status: Released to Microfinish Valves

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

Gregory Sauk, CFSE, Senior Safety Engineer

Dr. William M. Goble, Principal Partner
