BaltimoreWash DC ISA 2008 3-08


  • 7/28/2019 BaltimoreWash DC ISA 2008 3-08

    1/23

    Tales from inside the instrument - IEC 61508 Certification

    excellence in dependable automation

    Sellersville, PA, USA  +1-215-453-1720
    München, Germany  +49-89-49000547
    email: [email protected]

    Copyright exida 2001..2008

  • Slide 2/23: Introduction

    William Goble

    William Goble has over 30 years of professional experience. His areas of expertise include safety and high availability automation systems, automation probabilistic analysis, new product development and market analysis. He developed many of the techniques used for probabilistic evaluation of safety and high availability automation systems. He was formerly Director, Critical Systems at Moore Products, where job duties included marketing, design and development, and engineering project management. He has written three books on topics of safety and reliability modeling. He is a fellow member of ISA. He has published many papers and magazine articles. Dr. Goble has a BSEE from Penn State, an MSEE from Villanova and a PhD from Eindhoven University of Technology in Eindhoven, Netherlands.


  • Slide 4/23: Functional Safety Standards

    [Chart: "Is your company implementing or planning on implementing the ISA 84.01 Functional Safety Standard?" Vertical axis 0 to 100 (unlabelled), horizontal axis Year, 1996 to 2006. Milestones marked on the timeline: ISA S84.01-1996 Published; IEC 61508 Parts 1, 2, 4; IEC 61508 Parts 3, 5, 6, 7; IEC 61511; ANSI/ISA 84.01-2004.]

  • Slide 5/23: IEC 61511 Equipment Justification

    Application Fit Justification: make sure that the equipment performs the needed functions and is fully compatible with the environment and process.

    Safety Integrity Justification: equipment used in safety instrumented systems must be chosen based on either IEC 61508 certification to the appropriate SIL level, or justification based on prior use criteria.

  • Slide 6/23: Prior Use???

    Prior use generally means: a user company has many years of documented successful experience (no dangerous failures) with a particular version of a particular instrument. This can provide justification for using that instrument even if it is not safety certified. Operating conditions must be recorded and must be similar to the proposed safety application.

    "We do not have the failure data!"
    "I do not want to take responsibility for equipment justification!"
    "We do not take the time to record all instrument failures!"
    "This is a new instrument!"
    "I cannot justify PRIOR USE!"

  • Slide 7/23: Alternative for safety integrity justification - IEC 61508 Full Certification

    The end result of the certification process is a certificate listing the SIL level for which a product is qualified and the standards that were used for the certification.

    A good certification assessment will demonstrate high design quality for hardware and software, and high manufacturing quality.

    A good certification assessment will check to see that proper end user documentation is provided: the Safety Manual.

  • Slide 8/23: Trend toward 61508 certified instruments

    IEC 61508 Certification is a measure of design quality. IEC 61508 Certification provides fully justifiable equipment selection without safety integrity documentation created by the end user.

    More and more products are getting IEC 61508 Certification:

    [Chart: Number of IEC 61508 Certified Sensors, by year 1996 to 2007, vertical axis 0 to 30. From the exida Process Measurement Instrument Market report.]

  • Slide 9/23: What does an instrument manufacturer have to do?

    1. Hardware - meet PFDavg expectations for target SIL via low failure rates, fail-safe design and high diagnostic coverage.
    2. Hardware - meet SFF requirement for target SIL.
    3. Software - meet software process requirements for target SIL; systematic fault avoidance.
    4. Product - meet design process requirements for target SIL; systematic fault avoidance.
    5. Produce Safety Manual for User.

    Full Product Certification = Hardware (items 1, 2) + certify the process (items 3, 4) + user documentation (item 5).

  • Slide 10/23: Hardware Analysis

    [Diagram of the FMEDA data flow. Boxes: Industry Product Database; Component Database (Components, Failure Mode Distribution; based on warranty data analysis or field failure data analysis); Draft FMEDA; Compare; Product Failure Modes; Product Diagnostic Coverage; Feedback to update database.]

    An FMEDA is an analysis technique used in IEC 61508 Certification. It is a detailed, systematic review of the design looking at every part in the design.

  • Slide 11/23: What are the results of the FMEDA?

    Failure Rates:
    λS  (failure rate of all safe failures)
    λSD (failure rate of all safe detected failures)
    λSU (failure rate of all safe undetected failures)
    λD  (failure rate of all dangerous failures)
    λDD (failure rate of all dangerous detected failures)
    λDU (failure rate of all dangerous undetected failures)

    Calculation of SFF
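The slides name the six FMEDA failure-rate categories, the SFF calculation and the PFDavg target (slide 9) but do not show the arithmetic. The following is an added worked example, not code from the presentation or from exida: it applies the IEC 61508 definitions SFF = (λSD + λSU + λDD) / (λS + λD) and, for a single-channel (1oo1) device, the simplified PFDavg ≈ λDU · T_proof / 2, then reads off the SIL band from the PFDavg and the architectural-constraint SIL for HFT = 0 from the IEC 61508-2 Type A / Type B tables. The failure rates (in FIT, failures per 10^9 hours), the one-year proof test interval and the "transmitter" naming are constructed assumptions. It also models the slide 16 finding of a transmitter whose diagnostics "simply did nothing" by moving every detected failure into the undetected column, which is what a failed Fault Insertion Test would reveal.

```python
"""SFF / PFDavg worked example from FMEDA failure-rate categories (added example).

Assumptions (not from the slides): failure rates are constructed, in FIT;
architecture is 1oo1 (hardware fault tolerance 0); proof test interval is given in years.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FmedaRates:
    """Failure rates in FIT as categorised by an FMEDA (constructed values in the example)."""
    sd: float  # lambda_SD: safe detected
    su: float  # lambda_SU: safe undetected
    dd: float  # lambda_DD: dangerous detected
    du: float  # lambda_DU: dangerous undetected

    @property
    def lambda_s(self) -> float:
        return self.sd + self.su

    @property
    def lambda_d(self) -> float:
        return self.dd + self.du

    def sff(self) -> float:
        """Safe Failure Fraction per IEC 61508: everything except dangerous undetected."""
        total = self.lambda_s + self.lambda_d
        if total == 0:
            raise ValueError("FMEDA recorded no failure rate at all")
        return (self.sd + self.su + self.dd) / total

    def pfd_avg_1oo1(self, proof_test_years: float) -> float:
        """Simplified 1oo1 PFDavg = lambda_DU * T_proof / 2, with lambda_DU converted from FIT to 1/h."""
        lambda_du_per_hour = self.du * 1e-9
        return lambda_du_per_hour * proof_test_years * HOURS_PER_YEAR / 2.0

    def diagnostics_disabled(self) -> "FmedaRates":
        """Model diagnostics that do nothing (slide 16): detected failures become undetected."""
        return FmedaRates(sd=0.0, su=self.sd + self.su, dd=0.0, du=self.dd + self.du)


def sil_from_pfd_avg(pfd: float) -> int:
    """Low-demand SIL band from IEC 61508-1: SIL n covers 10^-(n+1) <= PFDavg < 10^-n; 0 = no SIL."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def sil_from_sff_hft0(sff: float, type_b: bool) -> int:
    """Architectural-constraint SIL for HFT = 0 (IEC 61508-2 tables).

    Type A (simple hardware): <60% SIL1, 60-90% SIL2, 90-99% SIL3, >=99% SIL4.
    Type B (complex, e.g. microprocessor based): one SIL lower; <60% is not allowed (0).
    """
    bands = [(0.99, 4), (0.90, 3), (0.60, 2), (0.0, 1)]  # thresholds for Type A
    for threshold, sil in bands:
        if sff >= threshold:
            return sil - 1 if type_b else sil
    raise AssertionError("unreachable: sff below 0")


def claimable_sil(rates: FmedaRates, type_b: bool, proof_test_years: float) -> int:
    """The hardware SIL is limited by both the PFDavg target and the SFF constraint."""
    by_pfd = sil_from_pfd_avg(rates.pfd_avg_1oo1(proof_test_years))
    by_sff = sil_from_sff_hft0(rates.sff(), type_b)
    return min(by_pfd, by_sff)


# Constructed FMEDA result for a hypothetical microprocessor-based (Type B) transmitter, in FIT.
EXAMPLE_TRANSMITTER = FmedaRates(sd=500.0, su=100.0, dd=800.0, du=60.0)

if __name__ == "__main__":
    for label, r in (("as analysed", EXAMPLE_TRANSMITTER),
                     ("diagnostics do nothing", EXAMPLE_TRANSMITTER.diagnostics_disabled())):
        print(f"{label}: lambda_S={r.lambda_s:.0f} FIT, lambda_D={r.lambda_d:.0f} FIT, "
              f"SFF={r.sff():.1%}, PFDavg(1 yr)={r.pfd_avg_1oo1(1.0):.2e}, "
              f"claimable SIL (Type B, 1oo1)={claimable_sil(r, True, 1.0)}")
```

With the constructed rates the device reaches SFF 95.9% (SIL 2 by architectural constraint) and a PFDavg of 2.6e-4 (SIL 3 band), so the claimable hardware SIL is 2; if the diagnostics are found to do nothing, λDU grows from 60 to 860 FIT, SFF drops to 41% and a Type B device can claim no SIL at HFT 0, which is why the Fault Insertion Test on slide 13 matters as much as the paper FMEDA.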

  • Slide 12/23: Product Failure Data Example from FMEDA

  • Slide 13/23: FMEDA Fault Insertion Test

    Simulate component failures and test that diagnostics perform as expected.
    Verify software contribution to fault handling.
    F.I.T. suites driven from FMEDA to test each diagnostic and functional failure mode.

    Fault Insertion Tests (F.I.T.) verify the theoretical FMEDA with actual product reactions to faults.

  • Slide 14/23: exida Safety Case Database

    [Diagram: Requirements - Arguments - Assessment; Evidence; Audit Lists.]

  • Slide 15/23: Independent Assessment Process

    [Flow diagram. Stages: Define Scope; Review FSM Plan + Procedures; Assess System & Software Architecture; Review Design documentation; Review Testing; On-site Audits; Assess Safety Case, with a Complete Safety Case Checklist step after each stage; Problems?; Assessment report; Certificate; Independent Audit.

    Items shown against the stages: Assessment Plan, Application, Safety Requirements, Milestones; Role allocation + Competence; System FMEA, Partitioning + Safety Criticality, Software + IC On-Chip Redundancy, Physical & Logical Independence, Common Cause; Requirements Tracking; FMEDA & Fault Insertion Tests, Test Specification, Safety Manual, Test execution; Implementation of procedures, Competence.]

  • Slide 16/23: Experience

    Design Quality? Does everyone pass? NO, a majority fail initial audits.

    Hardware: A transmitter has shipped over 25,000 units and has been shipping for nearly 5 years. The FMEDA analysis quickly showed that when the microprocessor clock stops, the 4-20 mA output freezes!

    Hardware: A valve has been shipping for nearly two years. The tool verification check showed that mechanical tolerances were incorrectly translated by a CAD tool revision such that the valve would bind at high temperatures!

    Hardware: A transmitter has shipped over 200,000 units and has been shipping for nearly 3 years. A Fault Injection Test showed that diagnostics simply did nothing. Component failures in the transmitter could cause drifting outputs and this situation would not be revealed.

    Hardware: A valve manufacturer has been making a particular ball valve design for thirty years. The product is clearly field proven. A purchasing agent changed vendors on a critical part. The new part was not quite the same material and many field failures resulted. IEC 61508 requires that the design specify exact parts, with a qualification procedure needed for all changes including a new vendor.


  • Slide 18/23: Are IEC 61508 Products Available?

    IEC 61508 Certified Products:
    Pressure Transmitters
    Temp. Transmitters
    Flow Transmitters
    Level Transmitters
    PLCs
    Trip Amps, modules
    Actuators
    Solenoids
    Valves

  • Slide 19/23: IEC 61508 PLC Certification

  • Slide 20/23: IEC 61508 Pressure Transmitter Certification

  • Slide 21/23: IEC 61508 Solenoid Valve Certification

  • Slide 22/23: Read more about Functional Safety

    ISA and others have several bestsellers for automation safety and reliability.

  • Slide 23/23: Questions?

    excellence in dependable automation