IEC 61508 Assessment - ABB Group · 2017-08-03


The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

Results of the IEC 61508 Functional Safety Assessment

Project:

MT5000, MT5100 and MT5200 Level Transmitter

Customer:

ABB, Inc. Baton Rouge, LA

USA

Contract No.: Q16-06-017 Report No.: ABB 10-02-051 R001

Version V3, Revision R1, November 1, 2016

Gregory Sauk - David Butler


© exida ABB 10-02-051 R001 V3R1 61508 Assessment Report - MT5x00.docx

T-034 V5R1 80 N. Main St, Sellersville, PA 18960 Page 2 of 21

Management Summary

The Functional Safety Assessment of the ABB, Inc. MT5000, MT5100 and MT5200 Level Transmitter development project, performed by exida, consisted of the following activities:

- exida assessed the development process used by ABB, Inc. through an audit and review of a detailed safety case against the exida certification scheme which includes the relevant requirements of IEC 61508. The assessment was executed using subsets of the IEC 61508 requirements tailored to the work scope of the development team.

- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed field failure data to verify the accuracy of the FMEDA analysis.

The functional safety assessment was performed to the SIL 3 requirements of IEC 61508:2010. A full IEC 61508 Safety Case was created using the exida Safety Case tool, which also was used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation and safety manual also were reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The audited development process, as tailored and implemented by the ABB, Inc. MT5000, MT5100 and MT5200 Level Transmitter development project, complies with the relevant safety management requirements of IEC 61508 SIL 3.

The assessment of the FMEDA, done to the requirements of IEC 61508, has shown that the MT5000, MT5100 and MT5200 Level Transmitter can be used in a low demand safety related system in a manner where the PFDavg is within the allowed range for SIL 2 (HFT = 0), according to Table 2 of IEC 61508-1.

The assessment of the FMEDA also shows that the MT5000, MT5100 and MT5200 Level Transmitter meets the requirements for architectural constraints of an element such that it can be used to implement a SIL 2 safety function (with HFT = 0) or a SIL 3 safety function (with HFT = 1).

This means that the MT5000, MT5100 and MT5200 Level Transmitter can be used in SIL 3 applications in low demand mode when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual and when using the versions specified in section 3.1 of this document.
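The three statements above (PFDavg band, architectural constraint, systematic capability) are separate limits, and the SIL an element can support is the lowest of them. The following worked example is added here to show how they combine; it is not code from the exida report or from ABB. It encodes IEC 61508-1 Table 2 (PFDavg bands for low demand mode) and IEC 61508-2 Table 3 (Route 1H architectural constraints for a Type B element, by SFF and HFT), and uses the simplified 1oo1 and 1oo2 PFDavg approximations of IEC 61508-6 with repair terms neglected. The failure rates, the one-year proof-test interval and the common-cause factor are constructed assumptions chosen to land in the bands the report states; they are not the MT5x00 FMEDA values.

```python
"""Worked SIL-capability check for a Type B element (added example, not from
the exida/ABB report). Encodes IEC 61508-1 Table 2 and IEC 61508-2 Table 3.
All numeric inputs below are CONSTRUCTED assumptions, not MT5x00 FMEDA data.
"""
from dataclasses import dataclass

# IEC 61508-1 Table 2, low demand mode: SIL -> (PFDavg lower bound inclusive,
# upper bound exclusive)
PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# IEC 61508-2 Table 3, Type B element (Route 1H): minimum SFF -> maximum SIL
# claimable at HFT 0, 1, 2 (0 means not allowed at that HFT)
TYPE_B_ARCH = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (0, 1, 2)),
]


@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates in the four FMEDA categories of IEC 61508-2."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    def sff(self) -> float:
        """Safe failure fraction: 1 - lambda_DU / lambda_total."""
        total = (self.safe_detected + self.safe_undetected
                 + self.dangerous_detected + self.dangerous_undetected)
        return 1.0 - self.dangerous_undetected / total


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL band of IEC 61508-1 Table 2 containing pfd_avg (0 = no SIL met)."""
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def sil_from_architecture(sff: float, hft: int) -> int:
    """Maximum SIL allowed for a Type B element by IEC 61508-2 Table 3."""
    column = min(hft, 2)
    for min_sff, sils in TYPE_B_ARCH:
        if sff >= min_sff:
            return sils[column]
    return 0


def pfd_avg_1oo1(lambda_du: float, proof_test_h: float) -> float:
    """Simplified IEC 61508-6 form: PFDavg ~ lambda_DU * T1 / 2."""
    return lambda_du * proof_test_h / 2.0


def pfd_avg_1oo2(lambda_du: float, proof_test_h: float, beta: float) -> float:
    """Simplified IEC 61508-6 1oo2 form, repair terms neglected: independent
    term ((1-beta)*lambda_DU*T1)^2/3 plus common-cause term beta*lambda_DU*T1/2.
    The common-cause term usually dominates, which is why beta matters."""
    independent = ((1.0 - beta) * lambda_du * proof_test_h) ** 2 / 3.0
    common_cause = beta * lambda_du * proof_test_h / 2.0
    return independent + common_cause


def element_sil_capability(rates: FailureRates, hft: int, proof_test_h: float,
                           beta: float, systematic_capability: int) -> dict:
    """Combine the PFDavg band, the architectural constraint and the systematic
    capability (SC); the element supports only the lowest of the three."""
    if hft == 0:
        pfd = pfd_avg_1oo1(rates.dangerous_undetected, proof_test_h)
    elif hft == 1:
        pfd = pfd_avg_1oo2(rates.dangerous_undetected, proof_test_h, beta)
    else:
        raise ValueError("only HFT 0 (1oo1) and HFT 1 (1oo2) are modelled")
    sff = rates.sff()
    sil_pfd = sil_from_pfd(pfd)
    sil_arch = sil_from_architecture(sff, hft)
    return {"sff": sff, "pfd_avg": pfd, "sil_pfd": sil_pfd,
            "sil_arch": sil_arch,
            "sil": min(sil_pfd, sil_arch, systematic_capability)}


# Constructed example inputs (per hour); NOT the MT5x00 FMEDA figures.
EXAMPLE_RATES = FailureRates(safe_detected=5.0e-8, safe_undetected=1.5e-7,
                             dangerous_detected=5.0e-6,
                             dangerous_undetected=4.0e-7)
PROOF_TEST_H = 8760.0   # assumed one-year proof-test interval
BETA = 0.10             # assumed common-cause factor for a 1oo2 pair
SC = 3                  # systematic capability SC3, as stated in the report

if __name__ == "__main__":
    for hft in (0, 1):
        r = element_sil_capability(EXAMPLE_RATES, hft, PROOF_TEST_H, BETA, SC)
        print(f"HFT={hft}: SFF={r['sff']:.3f} PFDavg={r['pfd_avg']:.2e} "
              f"PFD band SIL {r['sil_pfd']}, architecture SIL {r['sil_arch']} "
              f"-> element supports SIL {r['sil']}")
```

With these inputs the single element (HFT = 0) lands in the SIL 2 PFDavg band and the Type B architectural constraint also caps it at SIL 2; a 1oo2 pair (HFT = 1) raises both limits to SIL 3, which is the pattern the report describes. Note that the element PFDavg is only the sensor subsystem's share of the whole safety function; the logic solver and final element contributions must be added before the SIF itself can be claimed at a SIL.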


The manufacturer will be entitled to use the Functional Safety Logos.

Manufacturing Facilities are located in Prairieville, LA and Shanghai, China.


Table of Contents

Management Summary ................................................................................................... 2

1 Purpose and Scope ................................................................................................... 6

1.1 Tools and Methods used for the assessment ............................................................... 6

2 Project Management .................................................................................................. 7

2.1 exida ............................................................................................................................ 7

2.2 Roles of the parties involved ........................................................................................ 7

2.3 Standards / Literature used .......................................................................................... 7

2.4 Reference documents .................................................................................................. 7

2.4.1 Documentation provided by ABB, Inc. ............................................................... 7

2.4.2 Documentation generated by exida ................................................................. 10

2.5 Assessment Approach ............................................................................................... 11

3 Product Description ................................................................................................. 12

3.1 Hardware and Software Version Numbers ................................................................. 12

4 IEC 61508 Functional Safety Assessment Scheme................................................. 13

4.1 Product Modifications ................................................................................................. 13

5 Results of the IEC 61508 Functional Safety Assessment ........................................ 13

5.1 Lifecycle Activities and Fault Avoidance Measures .................................................... 14

5.1.1 Functional Safety Management ....................................................................... 14

5.2 Safety Requirement Specification .............................................................................. 14

5.3 Change and modification management ...................................................................... 15

5.4 Hardware Design and Verification .............................................................................. 15

5.4.1 Hardware Design ............................................................................................. 15

5.4.2 Hardware Design / Probabilistic properties ...................................................... 15

5.5 Software Design ......................................................................................................... 16

5.6 Verification ................................................................................................................. 16

5.7 Safety Validation ........................................................................................................ 16

5.8 Safety Manual ............................................................................................................ 17

6 2016 IEC 61508 Functional Safety Surveillance Audit ............................................. 18

6.1 Roles of the parties involved ...................................................................................... 18

6.2 Surveillance Methodology .......................................................................................... 18

6.2.1 Documentation provided by ABB, Inc. ............................................................. 19

6.2.2 Surveillance Documentation generated by exida............................................. 19

6.3 Surveillance Results ................................................................................................... 19

6.3.1 Procedure Changes ......................................................................................... 19

6.3.2 Engineering Changes ...................................................................................... 19

6.3.3 Impact Analysis ............................................................................................... 19

6.3.4 Field History .................................................................................................... 19


6.3.5 Safety Manual.................................................................................................. 19

6.3.6 FMEDA Update ............................................................................................... 19

6.3.7 Previous Recommendations ............................................................................ 19

7 Terms and Definitions .............................................................................................. 20

8 Status of the document ............................................................................................ 21

8.1 Liability ....................................................................................................................... 21

8.2 Version History ........................................................................................................... 21

8.3 Future Enhancements ................................................................................................ 21

8.4 Release Signatures .................................................................................................... 21


1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the:

Model Descriptions

MT5000 - Guided Wave Radar Level Transmitter

MT5100 - Guided Wave Radar Level and Interface Transmitter

MT5200 - Guided Wave Radar Bulk Solids Level Transmitter

by exida according to the accredited exida certification scheme which includes the requirements of IEC 61508:2010.

The purpose of the assessment was to evaluate the compliance of:

- the MT5000, MT5100 and MT5200 Level Transmitter with the technical IEC 61508-2 and -3 requirements for SIL 3 and the derived product safety property requirements;

- the MT5000, MT5100 and MT5200 Level Transmitter development processes, procedures and techniques, as implemented for the safety-related deliveries, with the managerial IEC 61508-1, -2 and -3 requirements for SIL 3; and

- the MT5000, MT5100 and MT5200 Level Transmitter hardware analysis, represented by the Failure Modes, Effects and Diagnostic Analysis, with the relevant requirements of IEC 61508-2.

The assessment has been carried out based on the quality procedures and scope definitions of exida.

The results of this assessment provide the safety instrumentation engineer with the required failure data per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

1.1 Tools and Methods used for the assessment

This assessment was carried out using the exida Safety Case tool. The Safety Case tool contains the exida scheme which includes all the relevant requirements of IEC 61508:2010.

For the fulfillment of the objectives, expectations are defined which build the acceptance level for the assessment. The expectations are reviewed to verify that each single requirement is covered. This methodology makes assessments comparable across multiple projects and different assessors. The arguments for the assessor's positive judgment are documented within this tool and summarized within this report.

All assessment steps were continuously documented by exida (see [R3]).


2 Project Management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies, specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment based on 100 billion hours of field failure data.

2.2 Roles of the parties involved

ABB, Inc.: Manufacturer of the MT5000, MT5100 and MT5200 Level Transmitters

exida: Performed the hardware assessment [R3]

exida: Performed the Functional Safety Assessment [R1] per the accredited exida scheme.

ABB, Inc. contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 3): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by ABB, Inc.

[D1] QM-0001D, Rev D, 10/13/2011 K-TEK Corporation Quality Manual

[D2] QMP-0003K, Rev K, 8/19/2011 Quality Management Plan Procedure, Control of Documents

[D3] QMP-0008D, Rev D, 1/17/2012 Quality Management Plan Procedure, Design & Development

[D4] QMP-0010D, Rev D, 9/13/2012 Quality Management Plan Procedure, Supplier Selection and Evaluation

[D5] QMP-0018C, Rev C, 11/27/2012 Quality Management Plan Procedure, Control and Monitoring of Measuring Devices

[D6] QMP-0023G, Rev G, 9/13/2012 Quality Management Plan Procedure, Control of Nonconforming Products


[D7] QMP-0026, Rev A, 3/26/2007 Quality Management Plan Procedure, Corrective and Preventive Action

[D8] PRC0077, Rev A, 4/3/2008 Quality Procedure, Software Coding & Style Guidelines

[D9] PRC0078, Rev A, 5/6/2008 Quality Procedure, Software Design & Development Procedure

[D10] PRC0079, Rev A, 4/29/2008 Quality Procedure, Functional Safety Management Plan

[D11] PRC0080, Rev A, 3/28/2008 Quality Procedure, Safety Requirements Review Checklist

[D12] PRC0081, Rev NC, 4/22/2008 Quality Procedure, Safety Critical Tools Qualification

[D13] PRC0082, Rev A, 4/7/2009 Quality Procedure, R&D Group Qualification Record

[D14] FRM-0708, Rev B, 5/2/2008 Design Project Records

[D15] PNP-0000-1, Rev NC, 4/15/2008 Template for General Arrangement Drawings

[D16] FRM-0008, Rev NA, 2/26/2008 New Product Release Checklist

[D17] PNP-0000-1PL, Rev NC, 4/15/2008

Top Level Parts List Construction Table Template

[D18] PNP-0320-1, Rev NC, 4/22/08 Template for Safety Requirements Specifications

[D19] PNP-0330-1, Rev NC, 4/24/2008 Template for Integration & Validation Test Plan

[D20] PNP-0350-1, Rev NC, 4/24/08 Template for Functional Safety Documentation Checklists

[D21] PNP-0362-1, Rev NC, 5/6/2008 Template for Impact Analysis

[D22] PNP-0364-1, Rev NC, 4/29/2008 Template for Modification & Change of Design Project Records

[D23] PNP-0370-1A, Rev A, 5/6/2008 Template for Architecture Design Overview High Level UML & Sub Assemblies

[D24] PNP-0372-1, Rev NC, 4/22/2008 Template for Hardware Design

[D25] PNP-0376-1, Rev NC, 4/21/2008 Template for Software Configuration Record

[D26] PNP-0378-1, Rev NC, 4/29/2008 Template for Software Design Review

[D27] PNP-0380-1, Rev NC, 4/29/2008 Template for Software & Critical Code Review

[D28] PNP-0382-1, Rev NC, 4/2/2008 Template for Architecture Design & SW HW Interface Review

[D29] PNP-0384-1, Rev NC, 3/31/08 Template for Safety Requirements Review per PRC0080 Checklist

[D30] PNP-0388-1, Rev NC, 4/2/2008 Template for Safety Integration & Validation Test Plan Review

[D31] PNP-0389-1, Rev NC, 4/24/2008 Template for Safety Manual Review

[D32] PNP-0390-1, Rev NC, 4/22/2008 Template for Integration & Validation Testing

[D33] FRM-0708B-10-001, 8/6/2010 MT5000 Design Project Records


[D34] MT5000-0202-1, Rev F, February 2009 Data Sheet, MT5000

[D35] MT5100-0202-1, Rev F, February 2009 Data Sheet, MT5100

[D36] MT5200-0202-1, Rev E, January 2008 Data Sheet, MT5200

[D37] MT5000-0200-1, Rev A, April 2009 Installation and Operational Manual, MT5000

[D38] MT5000-0200-1f, Rev E, 4/1/2010 MT5000 Series IOM/Safety Manual (Draft)

[D39] MT5100-0200-01, Rev NC, September 2005 Installation and Operational Manual, MT5100

[D40] MT5200-0200-01, Rev A, March 2009 Installation and Operational Manual, MT5200

[D41] MT5000-0220-1, Rev NC, 5/3/2010 MT5000 Series General Specifications Requirements

[D42] MT5000-0320-1, Rev A, 6/14/2010 MT5000 Series Safety Requirements Specification

[D43] MT5000-0330-1, Rev NC, 5/25/2010 MT5000 Series Level Transmitters Integration and Validation Test Plan

[D44] MT5000-0332-1, Rev NC, 3/8/2010 MT5000 Series SIL 2 Project Plan 10-001 (Phase 1)

[D45] MT5000-0362-3, Rev NC, 6/10/2010 MT5000 Series Modification Impact Analysis

[D46] MT5000-0362-4, Rev NC, 6/22/2010 MT5000 Series Modification Impact Analysis - BBTC3

[D47] MT5000-370-1, 8/11/2010 MT5000 Series Architecture UML Design Overview

[D48] MT5000-0376-2, Rev NC, 6/8/2010 MT5000 Software Configuration Record

[D49] MT5000-378-1, Rev NC, 5/20/2010 MT5000 Software Design Review

[D50] MT5000-380-1, Rev NC, 2/20/2010 MT5000, MT5100 & MT5200 Series Software & Safety Critical Code Review

[D51] MT5000-382-1, Rev NC, 6/20/2010 MT5000, MT5100 & MT5200 Architecture Design & SW/HW Interface Review

[D52] MT5000-0384-1, Rev NC, 5/24/2010 MT5000 Series Requirements Review per Checklist - Completed

[D53] MT5000-0388-1, Rev NC, 5/5/2010 MT5000 Series SIL 2 Safety Integration and Validation Test Plan Review

[D54] MT5000-0390-1, Rev NC, 6/20/2010 MT5000 Integration and Validation Testing Results


[D55] MT5000-0390-1A, Rev A, 6/22/2010 MT5000 Integration and Validation Testing Results - Addendum

[D56] MT5000-0390-1B, 6/24/2010 MT5000 BBTC3 RAM tests after code correction

[D57] ELE1032, Rev B, November 7, 2005 Block Diagram, MT5000, MT5100, MT5200, /M6 /M7 /M7A /M7B Intrinsically Safe Modules

[D58] MT5000-0000-1, Rev B, 11/11/2005 MT5000, MT5100, MT5200 Series General Assembly and Options

[D59] Field_failure_analysis_KTEK_ABB_MT_2010-2013_Update.xls, 8/19/2013 Field Failure Analysis - PIU spreadsheet

[D60] SPM201-3000-2.efm, October 15, 2008 Failure Modes, Effects, and Diagnostic Analysis - MT5x00 Transmitter Series EPROM / Connector Board

[D61] MT2000-4000-2-jcg after FI.efm, 9/1/09 Failure Modes, Effects, and Diagnostic Analysis - MT5x00 Transmitter Series Radar Transmit/Receive Module

[D62] MT2001-5000-1-jcg after FI with added diagnostics.efm, 8/5/10 Failure Modes, Effects, and Diagnostic Analysis - MT5x00 Transmitter Series uProcessor Board

[D63] SPM201-6000-1C.efm, October 15, 2008 Failure Modes, Effects, and Diagnostic Analysis - MT5x00 Transmitter Series HART Interface Board

[D64] SPM201-7000-2B.efm, October 15, 2008 Failure Modes, Effects, and Diagnostic Analysis - MT5x00 Transmitter Series SPM201 Electronics

[D65] Probe_Assembly FMEDA R3-gps, 9/3/09 Failure Modes, Effects, and Diagnostic Analysis - MT5x00 Transmitter Series Probe Assembly

[D66] 61508 TAB, 8/4/2010 IEC 61508 Tables, document shows all tables from IEC 61508 Annex A and B from part 2 and part 3 along with a description as to how ABB, Inc. meets each of the requirements

[D67] PMU 10, Rev G, March 5, 2013 Supply Management Procedure

[D68] ITP 201211002, Rev 0 Inspection Test Plan, Magnetic Level Gauge

[D69] Production Doc Package, Rev01 Production Document Package Form

[D70] Engineering Change Documentation: Engineering Changes, including impact analysis documentation

2.4.2 Documentation generated by exida

[R1] KTEK 09-07-78 R001 V1 R3 FMEDA Report MT5x00.doc, 8/6/2010 FMEDA Report MT5000 Series Guided Wave Radar Level Transmitters

[R2] MT5000_Fault_Injection_report_06-17-2010.xls, 6/17/10 Fault Injection Test report for MT5x00 Series

[R3] K-TEK MT5x00 SafetyCase DB IEC61508 R2.esc, August 2010 IEC 61508 SafetyCaseDB for MT5000, MT5100 and MT5200 Level Transmitters


[R4] KTEK 10-02-051 R001 V2R1 MT5x00 IEC 61508 Assessment.doc, 11/11/2013 IEC 61508 Functional Safety Assessment for MT5000, MT5100 and MT5200 Level Transmitter (this document)

[R5] Field_failure_analysis_KTEK_ABB_MT_2010-2013_Update.xls Field failure analysis

2.5 Assessment Approach

The certification audit was closely driven by requirements of the exida scheme which includes subsets filtered from IEC 61508.

The assessment was planned by exida and agreed with ABB, Inc..

The following IEC 61508 objectives were subject to detailed auditing at ABB, Inc.:

- FSM planning, including

  o Safety Life Cycle definition

  o Scope of the FSM activities

  o Documentation

  o Activities and Responsibilities (Training and competence)

  o Configuration management

  o Tools and languages

- Safety Requirement Specification

- Change and modification management

- Software architecture design process, techniques and documentation

- Hardware architecture design process, techniques and documentation

- Hardware design / probabilistic modeling

- Hardware and system related V&V activities including documentation and verification

  o Integration and fault insertion test strategy

- Software and system related V&V activities including documentation and verification

- System Validation including hardware and software validation

- Hardware-related operation, installation and maintenance requirements

The project teams, not individuals, were audited.


3 Product Description

The MT5000 Series Level Transmitters are a series of two-wire 4-20 mA smart devices. Each transmitter contains self-diagnostics and is programmed to drive its output to a specified failure state, either high or low, when it detects an internal failure. For safety instrumented system use it is assumed that the 4-20 mA output is used as the primary safety variable.

Figure 1 shows an overview of the main parts of the MT5000 Series Level Transmitters and the boundary for the Failure Modes, Effects, and Diagnostic Analysis.

Figure 1 MT5000, MT5100, and MT5200 SIS Assembly

Table 1 gives an overview of the different versions that were considered in this assessment of the MT5000, MT5100 and MT5200 Level Transmitters.

Table 1 Models Overview

MT5000 Guided Wave Radar Level Transmitter

MT5100 Guided Wave Radar Level and Interface Transmitter

MT5200 Guided Wave Radar Bulk Solids Level Transmitter

The MT5000 Series Level Transmitters are classified as a Type B device according to IEC 61508, having a hardware fault tolerance of 0.

3.1 Hardware and Software Version Numbers

This assessment is applicable to the following hardware and software versions of MT5000, 5100 and MT5200 Level Transmitters:

[Figure 1 block diagram, image not reproduced. Labels recovered from the drawing: Extent of FMEDA; Probe; Signal Conditioning; Processor; User Interface; Output Current Generation, Power Supply; HART (optional); 4-20 mA.]


MT5000 Series Level Transmitters

Options: 4-20 mA output, single output

Hardware:

- Processor board: MT2001-5000-1, Revision Level G

- Signal conditioning board: MT2000-4000-2, Revision Level E

- Display board: MT5000-7000-1, Revision Level C

- Connector board: SPM201-3000-1, Revision Level E

- HART board: SPM201-6000-1, Revision Level F

Software/Firmware: 100617 00.255

4 IEC 61508 Functional Safety Assessment Scheme

exida assessed the development process used by ABB, Inc. for this development project against the objectives of the exida certification scheme. The results of the assessment are documented in [R3][R1]. All objectives have been successfully considered in the ABB, Inc. development processes for the development.

exida assessed the set of documents against the functional safety management requirements of IEC 61508:2010. An evaluating assessor created a safety case arguing that the relevant requirements of IEC 61508-1 to -3 have been met, based on the documented evidence provided. An independent certifying assessor then reviewed the safety case to ensure coverage of the requirements and the validity of the arguments. Additionally, an audit was performed to witness the development and manufacturing environments and techniques, to ensure that procedures are being followed and that certain testing is carried out successfully.

The detailed assessment evaluated the compliance of the processes, procedures and techniques, as implemented for the ABB, Inc. MT5000, 5100 and MT5200 Level Transmitters, with IEC 61508.

The assessment was executed using the exida certification scheme which includes subsets of the IEC 61508 requirements tailored to the work scope of the development team.

The result of the assessment shows that the MT5000, MT5100 and MT5200 Level Transmitters can be used in SIL 3 applications (Systematic Capability SC3) when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual.

4.1 Product Modifications

The modification process has not yet been assessed and audited, so modifications are not currently covered by this assessment. No modifications are permitted to the certified versions of the MT5000, 5100 and MT5200 Level Transmitters without reassessment.

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by ABB, Inc. during the product development against the objectives of the exida certification scheme which includes IEC 61508 parts 1, 2, & 3 [N1]. The development of the MT5000, MT5100 and MT5200 Level Transmitters was done per this IEC 61508 SIL 3 compliant development process. The Safety Case was updated with project specific design documents.


5.1 Lifecycle Activities and Fault Avoidance Measures

ABB, Inc. has an IEC 61508 compliant development process as assessed during the IEC 61508 certification. This compliant development process is documented in [D3].

This functional safety assessment evaluated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The assessment was executed using the exida certification scheme which includes subsets of IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observations:

The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

FSM Planning

The functional safety management of any ABB, Inc. Safety Instrumented Systems Product development is governed by QMP-0008B Quality Management Plan Procedure, Design & Development [D3]. ABB, Inc. has a Functional Safety Management Plan Quality Procedure, PRC0079A [D10], which is fixed but requires the creation of Design Project Records per FRM-0708 [D14] for each development; these records define all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes, and the procedures referenced herein, fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control

All documents are under version control as documented in [R3] and required by the Control of Documents Quality Management Plan Procedure [D2]. Design drawings and documents are also under version control, using a version control software application.

Training, Competency recording

Personnel training records are kept in accordance with IEC 61508 requirements as documented in [R3] and PRC0082, the R&D Group Qualification Record Quality Procedure [D13]. ABB, Inc. hired exida as an independent assessor, per IEC 61508.

5.2 Safety Requirement Specification

As defined in [D10] and [D14], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. The requirements specification contains a scope and safety requirements section. For the MT5000, 5100 and MT5200 Level Transmitters, the SRS [D42] has been assessed.

Safety requirements are tracked, throughout the development process, by the creation of derived requirements. Safety requirements are mapped to the design, and to the appropriate validation tests in the validation test plan [D53].

Requirements from IEC 61508-2, Table B.1 that have been met by ABB, Inc. include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.


5.3 Change and modification management

The modification process has been successfully assessed and audited for IEC 61508:2000, but has not yet been assessed for IEC 61508:2010 requirements. ABB, Inc. may not make modifications to this product until that assessment is successfully completed.

5.4 Hardware Design and Verification

Objectives

The main objectives of the related IEC 61508 requirements are to:

- Create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).

- Ensure that the design and implementation of the E/E/PE safety-related systems meets the specified safety functions and safety integrity requirements.

- Demonstrate, for each phase of the overall, E/E/PES and software safety lifecycles (by review, analysis and/or tests), that the outputs meet in all respects the objectives and requirements specified for the phase.

- Test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.

- Integrate and test the E/E/PE safety-related systems.

5.4.1 Hardware Design


5.4.2 Hardware Design / Probabilistic properties

To evaluate the hardware design of the MT5100 Series Level Transmitters, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R1]. The FMEDA was verified using Fault Injection Testing as part of the development, see [R2], and as part of the IEC 61508 assessment.


A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an extension of the FMEA: it combines standard FMEA techniques with additional steps that identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category.

These results must be considered in combination with PFDAVG of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each defined safety instrumented function (SIF) to verify the design of that SIF.

The objectives of the standard are fulfilled by the ABB, Inc. functional safety management system, FMEDA quantitative analysis, and hardware development guidelines and practices.
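The chain the paragraphs above describe, from FMEDA failure-rate categories to a per-element SFF and PFDAVG and then to a SIF-level SIL claim, as an added worked example in Python. It is not code from this report, from ABB, Inc. or from exida. Every failure rate, the proof test interval, the MTTR and the PFDAVG values of the other two SIF elements are constructed illustration values, not the MT5x00 FMEDA results of [R1]. The PFDAVG expression is the simplified IEC 61508-6 1oo1 form (undetected dangerous term over half the proof test interval plus the detected dangerous repair term), with common cause and imperfect proof test terms omitted; the SIL bands are IEC 61508-1 Table 2, and the architectural constraints are the Route 1H tables of IEC 61508-2 for HFT = 0 only.

```python
"""Added worked example: FMEDA failure-rate categories -> SFF, PFDavg -> SIL.

All failure rates below are constructed illustration values in FIT
(1 FIT = 1e-9 failures per hour); they are NOT the MT5x00 FMEDA results.
Formulas are the simplified IEC 61508-6 1oo1 expressions.
"""
from dataclasses import dataclass

FIT = 1e-9  # one Failure In Time = 1e-9 failures per hour


@dataclass(frozen=True)
class FmedaRates:
    """Failure rates of one element, in FIT, as an FMEDA reports them."""
    safe: float                  # lambda_S : failures that lead to the safe state
    dangerous_detected: float    # lambda_DD: dangerous, caught by online diagnostics
    dangerous_undetected: float  # lambda_DU: dangerous, only found by a proof test

    def sff(self) -> float:
        """Safe Failure Fraction = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
        total = self.safe + self.dangerous_detected + self.dangerous_undetected
        return (self.safe + self.dangerous_detected) / total


def pfd_avg_1oo1(rates: FmedaRates, proof_test_interval_h: float, mttr_h: float = 8.0) -> float:
    """Simplified 1oo1 average probability of failure on demand:

        PFDavg ~= lambda_DU * TI / 2 + lambda_DD * MTTR

    An undetected dangerous fault sits latent for, on average, half the proof
    test interval; a detected one only contributes while it waits for repair.
    Common cause and imperfect proof test terms are deliberately omitted.
    """
    lam_du = rates.dangerous_undetected * FIT
    lam_dd = rates.dangerous_detected * FIT
    return lam_du * proof_test_interval_h / 2.0 + lam_dd * mttr_h


def sil_from_pfd_avg(pfd_avg: float) -> int:
    """Low demand SIL band from IEC 61508-1 Table 2 (PFDavg >= 1e-1 gives 0 = no SIL)."""
    for upper_bound, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd_avg < upper_bound:
            return sil
    return 0


def random_capability_route_1h(sff: float, element_type: str, hft: int = 0) -> int:
    """Maximum SIL allowed by the Route 1H architectural constraints
    (IEC 61508-2 Tables 2 and 3) for a single element with HFT = 0.
    Returns 0 when the SFF is too low for any SIL claim."""
    if hft != 0:
        raise NotImplementedError("only the HFT = 0 column is tabulated here")
    band = sum(1 for threshold in (0.60, 0.90, 0.99) if sff >= threshold)  # 0..3
    if element_type == "A":   # non-complex element (discrete components)
        return band + 1       # <60%: SIL 1 ... >=99%: SIL 4
    if element_type == "B":   # complex element (microcontroller based transmitter)
        return band           # <60%: not allowed ... >=99%: SIL 3
    raise ValueError("element_type must be 'A' or 'B'")


def sif_pfd_avg(*element_pfd_avgs: float) -> float:
    """PFDavg of a whole SIF: sensor, logic solver and final element are in
    series, so their PFDavg values add (valid while each is small)."""
    return sum(element_pfd_avgs)


def sif_sil(element_pfd_avgs, element_random_capabilities) -> int:
    """A SIF can claim no more than its total PFDavg allows, and no more than
    the weakest element's architectural constraint (Random Capability) allows."""
    return min(sil_from_pfd_avg(sif_pfd_avg(*element_pfd_avgs)), *element_random_capabilities)


# --- constructed example data (hypothetical, not the MT5x00 values) ---------
SENSOR = FmedaRates(safe=250.0, dangerous_detected=700.0, dangerous_undetected=50.0)
PROOF_TEST_INTERVAL_H = 8760.0  # annual proof test
LOGIC_SOLVER_PFD = 1.0e-5       # hypothetical PFDavg of the logic solver
VALVE_PFD = 1.5e-3              # hypothetical PFDavg of the final element


def worked_example() -> dict:
    """Run the chain: FMEDA rates -> SFF, PFDavg -> element SIL -> SIF SIL."""
    sensor_pfd = pfd_avg_1oo1(SENSOR, PROOF_TEST_INTERVAL_H)
    sensor_cap = random_capability_route_1h(SENSOR.sff(), "B")
    return {
        "sensor_sff": SENSOR.sff(),
        "sensor_pfd_avg": sensor_pfd,
        "sensor_sil_by_pfd": sil_from_pfd_avg(sensor_pfd),
        "sensor_random_capability": sensor_cap,
        "sif_pfd_avg": sif_pfd_avg(sensor_pfd, LOGIC_SOLVER_PFD, VALVE_PFD),
        "sif_sil": sif_sil([sensor_pfd, LOGIC_SOLVER_PFD, VALVE_PFD], [sensor_cap, 3, 3]),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:26s} {value}")
```

Running it makes the point of the passage concrete: the constructed transmitter's own PFDAVG lands in the SIL 3 band, but with an SFF of 95% a Type B element at HFT = 0 is limited to SIL 2 by Route 1H, and once the constructed logic solver and valve are added the SIF's PFDAVG is about 1.7e-3, also SIL 2. Route 2H, which the FMEDA update in section 6.3.6 adds, uses different criteria and is not modelled here.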

5.5 Software Design

Software design is done according to [D3], [D10], [D14], [D8], and [D9]. The software design process includes software interface specification and detailed module design [D47], specification of configuration records [D48], design and critical code reviews [D49] and [D50], and UML specifications [D47].

Requirements from IEC 61508-3, Table A.1 through A.5 that have been met by ABB, Inc. include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification, selection of suitable programming language, use of a defined subset of the language, and others. This meets the requirements of SIL 3.

5.6 Verification

The development and verification activities are defined in [D10] and [D14]. Verification activities include the following: Fault Injection Testing, Code Review [D50] per [D27], Checklists embedded in [D14], and FMEDA [R1]. Further verification activities are documented in [D10] and [D14] for new product development projects.

5.7 Safety Validation

Validation testing is done via a set of documented tests (see [D10] and [D14]). The validation tests are traceable to the Safety Requirements Specification [D42] in the validation test plan [D43]. In addition to standard Test Specification Documents, third party testing may be included as part of agency approvals. As the MT5100 Series Level Transmitters consist of simple electrical devices with a straightforward safety function, integration testing has been limited to verifying that all diagnostics take the appropriate action when they find a problem (see [D54] and [R2] for more details on this testing).

Procedures are in place for corrective actions to be taken when tests fail as documented in [R3] and [D7].


Requirements from IEC 61508-2, Table B.3 that have been met by ABB, Inc. include functional testing, project management, documentation, and black-box testing. Field experience and statistical testing via regression testing are not applicable. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

Requirements from IEC 61508-2, Table B.5 that have been met by ABB, Inc. include functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis and failure analysis, expanded functional testing and black-box testing. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.8 Safety Manual

ABB, Inc. updated the user manual for the MT5100 Series Level Transmitters and incorporated the requirements for the Safety Manual, see [D37] and [D38]. This (safety) manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508. The document includes all required reliability data and operations, maintenance, and proof test procedures.

Requirements from IEC 61508-2, Table B.4 that have been met by ABB, Inc. include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes, and operation only by skilled operators. [D66] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.


6 2016 IEC 61508 Functional Safety Surveillance Audit

6.1 Roles of the parties involved

ABB, Inc. Manufacturer of the MT5000, 5100 and MT5200 Level Transmitters

exida Performed the hardware assessment review

exida Performed the IEC 61508 Functional Safety Surveillance Audit per the accredited exida scheme.

ABB, Inc. contracted exida in October 2016 to perform the surveillance audit for the above MT5000, 5100 and MT5200 Level Transmitters. The surveillance audit was conducted remotely in October 2016.

6.2 Surveillance Methodology

As part of the IEC 61508 functional safety surveillance audit, the following aspects have been reviewed:

Procedure Changes – Changes to relevant procedures since the last audit are reviewed to determine that the modified procedures meet the requirements of the exida certification scheme.

Engineering Changes – The engineering change list is reviewed to determine if any of the changes could affect the safety function of the MT5000, 5100 and MT5200 Level Transmitters.

Impact Analysis – If changes were made to the product design, the impact analysis associated with the change will be reviewed to see that the functional safety requirements for an impact analysis have been met.

Field History – Shipping and field returns during the certification period will be reviewed to determine if any systematic failures have occurred. If systematic failures have occurred during the certification period, the corrective action that was taken to eliminate the systematic failure(s) will be reviewed to determine that said action followed the approved processes and was effective.

Safety Manual – The latest version of the safety manual will be reviewed to determine that it meets the IEC 61508 requirements for a safety manual.

FMEDA Update – If required or requested, the FMEDA will be updated. This is typically done if there are changes to the IEC 61508 standard and/or changes to the exida failure rate database.

Recommendations from Previous Audits – If there are recommendations from the previous audit, these are reviewed to see if the recommendations have been implemented properly.


6.2.1 Documentation provided by ABB, Inc.

[D71] MTs with M7A_2016 hours calculated Failure return data and shipping records

[D72] OI_MT5000-EN_H. Safety Manual

6.2.2 Surveillance Documentation generated by exida

[R6] ABB 09-07-78 R001 V1 R5 FMEDA Report MT5x00.doc, 10/27/2016

FMEDA Report MT5000 Series Guided Wave Radar Level Transmitters

[R7] DRAFT - ABB 10-02-051 R001 V3R0 61508 Assessment Report - MT5x00.docx, 10/31/2016

IEC 61508 Assessment Report (this file)

[R8] ABB 16-06-017 V1R0 61508 2010 Update Analysis MT 5x00.xlsx

Update from ed. 1 to ed. 2 Gap analysis.

6.3 Surveillance Results

6.3.1 Procedure Changes

There were no changes to the procedures during the previous certification period.

6.3.2 Engineering Changes

There were no safety-related design changes during the previous certification period.

6.3.3 Impact Analysis

There were no safety-related design changes during the previous certification period.

6.3.4 Field History

The field history of the product has been analyzed and found to be consistent with the failure rates predicted by the FMEDA.

6.3.5 Safety Manual

The safety manual was reviewed and found to be compliant with IEC 61508:2010.

6.3.6 FMEDA Update

No FMEDA update was necessary as there were no safety-related design changes during the certification period. However, the FMEDA report was updated to reflect changes made in the 2010 version of the 61508 standard and to add Route 2H.

6.3.7 Previous Recommendations

There were no previous recommendations to be assessed at this audit.


7 Terms and Definitions

exida criteria A conservative approach to arriving at failure rates suitable for use in hardware evaluations utilizing the 2H Route in IEC 61508-2.

Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT Failure In Time (1x10^-9 failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis

HFT Hardware Fault Tolerance

Low demand mode Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

High demand mode Mode where the demand interval for operation made on a safety-related system is less than 100x the diagnostic detection/reaction interval, or where the safe state is part of normal operation.

PFDAVG Average Probability of Failure on Demand

PFH Probability of dangerous Failure per Hour

Random Capability The SIL limit imposed by the Architectural Constraints for each element.

SFF Safe Failure Fraction – Summarizes the fraction of failures that lead to a safe state plus the fraction of failures that are detected by diagnostic measures and lead to a defined safety action.

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Systematic Capability Measure of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL.

Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2


8 Status of the document

8.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

8.2 Version History

Contract Number    Report Number, version    Revision Notes

Q16/06-017 ABB 10-02-051 R001 V3R1 Changed city to Baton Rouge, DEB, 31-Oct-2016

Q16/06-017 ABB 10-02-051 R001 V3R0 Revised for surveillance assessment, D. Butler, 31-Oct-2016.

Q13/08-088 KTEK 10-02-051 R001 V2R1 Revised for (minor) ABB comments, D. Butler, 11-Nov-2013.

Q13/08-088 KTEK 10-02-051 R001 V2R0 Revised for surveillance assessment, D. Butler, 29-Oct-2013.

Q13/08-088 KTEK 10-02-051 R001 V1R2 Added manufacturing locations, S. Close, 11-Mar-2013.

Q10/02-051 KTEK 10-02-051 R001 V1R1 Released to ABB, Inc.; 27-Aug-2010

Q10/02-051 KTEK 10-02-051 R001 V0R1 Internal Draft; 25-Aug-2010

Review: V2, R0: Gregory Sauk; October 30, 2013

V0, R1: Iwan van Beurden (exida); August 27, 2010

Status: Released, 10/31/2016

8.3 Future Enhancements

At request of client.

8.4 Release Signatures

David Butler, CFSE, Safety Engineer

Gregory Sauk, CFSE Senior Safety Engineer

William M. Goble, Principal Partner