
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

exida® Certification Services

IEC 61508 Functional Safety Assessment

Project:

J-A Series Emergency Shutdown Valve

Customer:

Rupture Pin Technologies, Oklahoma City, Oklahoma, USA

Contract Number: Q12/02-039

Report No.: RUP 12/02-039 R002

Version V1, Revision R1, February 27, 2013

Steven Close


© exida Q12-02-039 V1R1 Rupture Pin J-A Valve Assessment Report.doc

T-023 V2R1 www.exida.com Page 2 of 16

Management summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the J-A Series Emergency Shutdown Valve.

The functional safety assessment performed by exida consisted of the following activities:

- exida assessed the development process used by Rupture Pin Technologies by an on-site audit and creation of a safety case against the requirements of IEC 61508.

- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed field failure data to ensure that the FMEDA analysis was complete.

- exida reviewed the manufacturing quality system in use at Rupture Pin.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Test reports were reviewed, as was the user documentation (safety manual). A proven-in-use analysis was performed.

Some areas of improvement were identified in the design process, and the design procedures were upgraded during the project. However, because of the low complexity of the products and the proven-in-use design, Rupture Pin was able to demonstrate that the objectives of the standard have been met.

The results of the Functional Safety Assessment can be summarized as:

The Rupture Pin J-A Series Emergency Shutdown Valve was found to meet the requirements of IEC 61508 for up to SIL 3 (SIL 3 Capable). The PFDAVG and architectural constraint requirements of the standard must be verified for each element of the safety function.

The manufacturer will be entitled to use the Functional Safety Logo.


Table of Contents

Management summary .................................................................................................... 2

1 Purpose and Scope ................................................................................................... 4

2 Project management .................................................................................................. 5

2.1 exida ............................................................................................................................ 5

2.2 Roles of the parties involved ........................................................................................ 5

2.3 Standards / Literature used .......................................................................................... 5

2.4 Reference documents .................................................................................................. 5

2.4.1 Documentation provided by Rupture Pin Technologies ...................................... 5

2.4.2 Documentation generated by exida ................................................................... 8

3 Product Description ................................................................................................... 9

4 IEC 61508 Functional Safety Assessment ............................................................... 10

4.1 Methodology .............................................................................................................. 10

4.2 Assessment level ....................................................................................................... 10

4.3 Product Modifications ................................................................................................. 11

5 Results of the IEC 61508 Functional Safety Assessment ........................................ 12

5.1 Open Issues ............................................................................................................... 12

5.2 Lifecycle Activities and Fault Avoidance Measures .................................................... 12

5.2.1 Functional Safety Management ....................................................................... 12

5.2.2 Safety Requirements Specification and Architecture Design ............................ 13

5.2.3 Hardware Design ............................................................................................. 13

5.2.4 Validation ......................................................................................................... 13

5.2.5 Verification ....................................................................................................... 14

5.2.6 Proven In Use .................................................................................................. 14

5.2.7 Modifications ................................................................................................... 14

5.2.8 User documentation......................................................................................... 14

5.3 Hardware Assessment ............................................................................................... 14

6 Terms and Definitions .............................................................................................. 15

7 Status of the Document ........................................................................................... 16

7.1 Liability ....................................................................................................................... 16

7.2 Releases .................................................................................................................... 16

7.3 Future Enhancements ................................................................................................ 16

7.4 Release Signatures .................................................................................................... 16


1 Purpose and Scope

This document shall describe the results of the IEC 61508 functional safety assessment, performed by exida according to the requirements of IEC 61508: ed2, 2010, of the Rupture Pin Technologies J-A Series Emergency Shutdown Valve in the following configurations:

Size (Inches)   Flange (#)   Valve Body Rating (PSIG)
3               300          750
3               600          1500
3               900          2500
4               300          750
4               600          1500
6               600          1500
6               900          2500
8               300          750
8               600          1500
10              600          1500

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.


2 Project management

2.1 exida

exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Rupture Pin Technologies   Manufacturer of the J-A Series Emergency Shutdown Valve

exida                      Performed the hardware assessment

exida                      Performed the IEC 61508 Functional Safety Assessment

Rupture Pin contracted exida in May 2012 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Rupture Pin Technologies

[D1] BOM; 12/20/2012 BOM example for a Sales Order

[D2] Cameron Cert of Conformance; 4/4/2012 Certificate of Conformance (Cameron Wheatley Swing Check Valve)

[D3] Cert Of Conformance; 4/4/2012 Certificate of Conformance for the Valve Body and Bonnett Heats

[D4] CT-TOM-SCV; 8/1/2010 Tom Wheatley Swing Check Valve

[D5] Design Verification; n/a; 9/5/2012 Design Verification

[D6] End User Docs; 12/20/2012 End User Documentation Example

[D7] Internal Audit Example; 8/2/2012 Internal Audit Example

[D8] J-A Valve Job Packet; 7/26/2011 J-A Valve Job Packet

[D9] MTR; 9/7/2011 Valve Test Certificate for The Swing Check Valve


[D10] OP-92; Rev 1; 2/25/2013 Seat Leakage Test for ESV's

[D11] Order Documents; 10/16/2012 Sales Order Engineering Documents Example

[D12] QF 039; Rev 0; 7/18/2012 Application For Quote

[D13] QF 039 Example; 9/5/2012 Application Sheet Example

[D14] QF-007; Rev 1; 3/12/2012 RTP_Training Agenda and Sign-in Sheet

[D15] QF009; 12/20/2012 In Process Inspection

[D16] QF009 Form; Rev 0; 4/8/2008 In Process Inspection (Blank Form)

[D17] QF016; Rev 2; 9/15/2011 Engineering Change Notice Example

[D18] QF017; Rev 3; 9/14/2011 Engineering Change Request Sample

[D19] QF020 Forms; Rev D; 8/23/2012 Various QA Supplier Audit Forms

[D20] QF020 Sample; 9/14/2012 Supplier Quality Assurance Audit Sample

[D21] QF-020-E; 9/1/2012 Flow Controls Inc. Quality Assurance Plan

[D22] QF035 Allied Valve; 9/17/2012 Inspection and Test Plan (3" Model DG)

[D23] QF035 Form; Rev 3; 12/28/2012 Inspection and Test Plan Form

[D24] QF035 Sample; 12/16/2012 Inspection and Test Plan

[D25] QF036; Rev 3; 11/30/2012 Service Ticket / RMA

[D26] QF-036 Example; Rev 2; 7/2/2012 Service Ticket / RMA Form Example

[D27] QF038; Rev 0; 10/3/2011 Design Deviation Form

[D28] QF043; Rev 2; 12/19/2012 Engineering Checklist

[D29] QF046; Rev 10-07; 11/29/2012 J-A ESV Instruction Operation & Maintenance Manual

[D30] QF047; Rev 0; 11/29/2012 Safety Manual Checklist / Signoff

[D31] QF048; Rev 0; 11/28/2012 Safety Manual

[D32] QF050; Rev 1; 11/30/2012 Shop Data

[D33] QF051; Rev 0; 12/18/2012 INTERNAL AUDIT FORM

[D34] QF-24; Rev 1; 11/27/2012 FIRST ARTICLE INSPECTION REPORT (Blank Form)

[D35] QF44; 11/26/2012 Competency Matrix

[D36] QF49; Rev 0; 11/29/2012 IMPACT ANALYSIS OF THE DESIGN CHANGE ON PRODUCT

[D37] QM; Rev 6; 2/20/2013 Quality Control Manual for Manufacture of Non-Reclosing Pressure Relief Devices and Emergency Shutoff Devices

[D38] QP 01; Rev 03; 4/29/2009 Control of Documents

[D39] QP 02; Rev 04; 4/23/2012 Quality Records

[D40] QP 03; Rev 02; 12/27/2012 Internal Audit Procedure

[D41] QP 04; Rev 1; 3/9/2012 Control of Nonconforming Product


[D42] QP 05; Rev 1; 1/1/2008 Corrective Action Procedure

[D43] QP 06; Rev 0; 1/1/2008 Preventive Action Procedure

[D44] QP 11; Rev 1; 11/28/2012 Customer Notification Procedure

[D45] QP 14; Rev 1; 11/28/2012 Meeting Minutes Procedure

[D46] QP 20; Rev 1; 11/30/2012 Purchasing Activities Procedure

[D47] QP 22; Rev 0; 12/7/2012 Archiving Obsolete Quality Documents

[D48] QP 23; Rev 0; 12/28/2012 Inspection and Test Plan Procedure

[D49] QP016; Rev 3; 12/19/2012 Product Quality Plan

[D50] QP021; Rev 0; 11/15/2012 Design and Development Procedure (New Products)

[D51] QP-91; Rev 4; 1/31/2012 Seat Leakage Test

[D52] QP-93; Rev 6; 3/9/2012 Set Pressure Test Work Instruction

[D53] QP-94; Rev 8; 1/31/2012 Hydro Testing Work Instruction

[D54] RP QP 13; Rev. 1; 12/18/2012 RMA Procedure

[D55] RP QP 14; Rev 0; 7/12/2012 Customer Notification Procedure - No Document

[D56] RP Approved Vendor; 7/6/2012 Approved Vendor List

[D57] RP End User Log; 1; End User Log

[D58] RP Inspection Report; 6/28/2012 Sample Inspection Report

[D59] RP ISO Cert; ISO 9001:2008 Certification

[D60] RP Meeting Minutes Log; 7/18/2012 Meeting Minutes Log

[D61] RP QF-003; Rev A; 8/20/2010 Sample New Approved Vendor Request

[D62] RP QF020-D; Rev.0; 3/10/2011 Quality Assurance Audit Checklist

[D63] RP QF-025; Rev. 1; 8/20/2012 Vendor Request Form

[D64] RP QF-05; Rev 5; 11/30/2012 List of Quality Management Procedures

[D65] RP Shipping Records; n/a; 6/11/2012 Shipments Report

[D66] RTP-End User Log; 9/5/2012 End User Log

[D67] RPT 004; Rev 4; 3/15/2011 Quality Manual

[D68] Shop Routing; 12/20/2012 Machining Shop Progress Sheet

[D69] Technical description; N/A; Technical Description Product: JA-ESV

[D70] Test Cert; 12/20/2012 Test Certificate Example

[D71] Training Record; 11/26/2012 Individual Training Records


2.4.2 Documentation generated by exida

[R1] RUP Q12-02-039 R001 V1R4 J-A Valve FMEDA Report

FMEDA report, J-A Series Emergency Shutdown Valves

[R2] RUP Q12-02-039_V1R1 IEC 61508 Audit Checklist.pdf

IEC 61508 Site Audit Report, Rupture Pin Technologies

[R3] RUP Q12-02-039 Rupture Pin J-A Valve Safety Case.esc

IEC 61508 SafetyCaseDB for Rupture Pin Technologies J-A Series Valves

[R4] Q12-02-039 V0R3 Rupture Pin J-A Valve Assessment Report-Client.doc, Feb 27, 2013

IEC 61508 Functional Safety Assessment, Rupture Pin Technologies (this report)


3 Product Description

The J-A Series ESD valve features a clapper, disk, piston or plunger held in an open position, restrained from movement by a slender, centerless ground pin. The pin is external to the system being protected and is held firmly at both ends. The pin is engineered to buckle at a set point under the axial force applied by the system pressure acting on an unbalanced piston stem area. When the pin buckles, the valve closes. The Model "J-A" ESV is designed to use the directional flow to accelerate the closing of the clapper in the valve. Once the system problem is corrected, the valve is reset: with no pressure on the clapper, the clapper is raised by the external handle and the piston is pushed in to hold the clapper in the open position. The buckled pin is replaced with a pin of the proper setting. The J-A Series Emergency Shutdown Valve is available in sizes 2" to 10" (275 - 2,500 PSI) with 150#, 300#, 600#, 900#, 1500# and 2500# flanges. The closing safety accuracy of the J-A Series Emergency Shutdown Valve is within +/- 5% of the setpoint.


4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Rupture Pin Technologies and is documented in this report.

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

- Development process, including:

  o Functional Safety Management, including training and competence recording, FSM planning, and configuration management

  o Specification process, techniques and documentation

  o Design process, techniques and documentation, including tools used

  o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation

  o Verification activities and documentation

  o Modification process and documentation

  o Installation, operation, and maintenance requirements, including user documentation

  o Manufacturing Quality System

- Product design

  o Hardware architecture and failure behavior, documented in a FMEDA

The review of the development procedures is described in section 5. The review of the product design is described in section 5.3.

4.2 Assessment level

The J-A Series Emergency Shutdown Valve has been assessed per IEC 61508 to the following levels:

SIL 3 capability

The design procedures for allowable modifications have been assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.


4.3 Product Modifications

Product modifications for the J-A Series Emergency Shutdown Valve by Rupture Pin Technologies are limited to the rupture pin diameter and length. All other modifications are prohibited.


5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Rupture Pin Technologies for these products against the objectives of IEC 61508 parts 1 - 7. The assessment was done on-site at the Oklahoma City, Oklahoma facility on September 5 & 6, 2012 and documented in the SafetyCase [R3].

5.1 Open Issues

Some areas of improvement were identified in the design process and some of the design procedures and forms were upgraded during the project. All of the improvements were evaluated and included in the final version of the SafetyCase.

5.2 Lifecycle Activities and Fault Avoidance Measures

Since modifications are restricted to the rupture pin design, this assessment is only applicable to the design of the rupture pin. See section 5.2.6 for information on the proven in use assessment.

Rupture Pin Technologies has a defined product lifecycle process in place. This is documented in the Quality Control Manual [D37] and various Quality Procedures [D38]-[D55] and [D10]. Every customer job goes through the complete design process. This process follows the Product Quality Plan [D49]. A documented modification process is also covered in the Quality Manual. No software is part of the design, and therefore the requirements of IEC 61508 specific to software and software development do not apply.

The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The defined product lifecycle process was modified as a result of the audit, which showed some areas for improvement. However, given the simple nature of the safety function and the extensive proven field experience for existing products, Rupture Pin Technologies was able to demonstrate that the objectives of the standard have been met. The result of the assessment can be summarized by the following observation:

The audited Rupture Pin Technologies design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.2.1 Functional Safety Management

The valves manufactured by Rupture Pin are not built for inventory; they are built to order. The basic designs are standardized, but each order can have trim and materials variations or specific customer requested proof tests. Due to the specialized nature of each valve, documentation that defines all of the requirements is generated for every order as part of the process; this is captured in the application sheet [D12].

FSM Planning

Rupture Pin Technologies has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in the Product Quality Plan [D49]. Templates and sample documents were reviewed and found to be sufficient. The process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well defined safety functionality.


Version Control

QP 01, Control of Document [D38] describes the revision tracking procedure for all documents under document control. Use of this to control revisions was evident during the audit.

Training, Competency recording

Section 6.2.2 of the Quality Assurance Manual [D67] requires the Quality Control Manager to maintain training records of education, experience, training and qualifications for all personnel. The President and department heads are responsible for identifying and providing the training needs for their department as well as proficiency evaluations. A competency matrix and individual training records were examined and were found to be sufficient. Rupture Pin hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.

5.2.2 Safety Requirements Specification and Architecture Design

For the J-A Series Emergency Shutdown Valve, the simple primary functionality of the valve is the same as the safety functionality of the product. The requirements for each valve are captured on the application sheet, QF 039. No separate Safety Requirements Specification is needed; the normal functional requirements were sufficient. As the J-A Series Emergency Shutdown Valve designs are based upon standard designs with extensive field history and are designed to meet the ASME VIII Division 1, UG-138 requirements for buckling pin devices, no semi-formal methods are needed. General design and testing methodology is documented and required as part of the design process. This meets SIL 3.

5.2.3 Hardware Design

The design process is documented in the Product Quality Plan, QP016 [D49]. Items from IEC 61508-2, Table B.2 include observance of guidelines and standards, ASME VIII Division 1, UG-138, project management, documentation (design outputs are documented per quality procedures), structured design, modularization, use of well-tried components / materials, and computer-aided design tools. This meets SIL 3.

5.2.4 Validation

Validation testing is documented on form QF050 [D32], which is created for each order. The test plan is defined in section 7.8 of the Quality Control Manual [D37] and includes testing per all standard and customer performance requirements. This is documented in QF035 [D23]. A Test Certificate [D70] is issued for each valve and is sent to the customer. As the J-A Series Emergency Shutdown Valves are purely mechanical devices with a simple safety function, no separate integration testing is necessary. The J-A Series Emergency Shutdown Valve performs only one safety function, which is extensively tested under various conditions during validation testing.

Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3.

Items from IEC 61508-2, Table B.5 included functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis on products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.


5.2.5 Verification

The design verification activities are defined in Section 8 of the Product Quality Plan [D49]. For each design phase, the objectives, the required input and output documents, and the review activities are stated. This meets SIL 3.

5.2.6 Proven In Use

The J-A Series Emergency Shutdown Valve is a combination of the parts needed to support the rupture pin technology and a Wheatley Swing Check Valve. In addition to the design fault avoidance techniques listed above, a proven-in-use evaluation was carried out on the Rupture Pin J-A Series Emergency Shutdown Valve. Shipment records for both the J-A Series and A Series valves were used to determine that the rupture pin components of the two valve series have >68 million operating hours and have demonstrated a field failure rate lower than the failure rates indicated in the FMEDA reports. The Wheatley Swing Check Valve has been on the market for approximately 70 years with well in excess of 50 million operating hours. This meets the requirements for Proven In Use for SIL 3.

5.2.7 Modifications

Product modifications by Rupture Pin Technologies are limited to the rupture pin diameter and length. All other modifications are prohibited.

5.2.8 User documentation

Rupture Pin Technologies creates the following user documentation: product catalogs and a Safety Manual [D31]. The Safety Manual was found to contain all of the required information given the simplicity of the products. The Safety Manual references the FMEDA reports which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information.

Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities and operation only by skilled operators (operators familiar with type of valve, although this is partly the responsibility of the end-user). This meets SIL 3.

5.3 Hardware Assessment

To evaluate the hardware design of the J-A Series Emergency Shutdown Valve, Failure Modes, Effects, and Diagnostic Analyses were performed by exida. These are documented in [R1].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [R1]. Tables in the FMEDA report list these failure rates for the J-A Series Emergency Shutdown Valve under a variety of applications. The failure rates listed are valid for the useful life of the devices.


The architectural constraints requirements of IEC 61508-2, Table 2 also need to be evaluated for each application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.

The analysis shows that the design of the J-A Series Emergency Shutdown Valve can meet the hardware requirements of IEC 61508, SIL 1 as a standalone device and up to SIL 3 depending on architecture. The Hardware Fault Tolerance, PFDAVG, and Safe Failure Fraction requirements of IEC 61508 must be verified for each specific application.
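The two per-application checks the report leaves to the end user (the architectural constraint of IEC 61508-2 Table 2 and the PFDAVG of the final element) can be worked through in code. The following is an added example, not part of this report or of exida's tools: it computes the Safe Failure Fraction from FMEDA failure categories, reads the Type A row of Table 2 for a given Hardware Fault Tolerance, and applies the simplified single-channel low-demand PFDAVG formula. The failure rates in `SAMPLE_RATES`, the proof test interval and the function names are constructed for the example; the real rates live in the FMEDA report [R1] and are not reproduced here.

```python
"""Worked IEC 61508 hardware checks for a Type A final element.

The failure rates in SAMPLE_RATES are CONSTRUCTED placeholders for this
example only; the real values are in the FMEDA report [R1].
"""
from dataclasses import dataclass

FIT = 1e-9              # 1 FIT = 1x10^-9 failures per hour (section 6)
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """FMEDA failure categories, all in failures per hour."""
    lambda_sd: float    # safe, detected by online diagnostics
    lambda_su: float    # safe, undetected
    lambda_dd: float    # dangerous, detected by online diagnostics
    lambda_du: float    # dangerous, undetected (revealed only by proof test)

    @property
    def total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def safe_failure_fraction(fr: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total, as defined in IEC 61508-2."""
    return (fr.lambda_sd + fr.lambda_su + fr.lambda_dd) / fr.total


# IEC 61508-2 Table 2 (Type A elements): lower bound of each SFF band and the
# maximum SIL for HFT 0, 1 and 2.  Rows are searched from the highest band down.
TABLE_2_TYPE_A = (
    (0.99, (3, 4, 4)),
    (0.90, (3, 4, 4)),
    (0.60, (2, 3, 4)),
    (0.00, (1, 2, 3)),
)


def max_sil_type_a(sff: float, hft: int) -> int:
    """Highest SIL the architectural constraint allows for a Type A element."""
    if hft not in (0, 1, 2):
        raise ValueError("Table 2 covers HFT 0, 1 and 2 only")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    for lower, sils in TABLE_2_TYPE_A:
        if sff >= lower:
            return sils[hft]
    raise AssertionError("unreachable: the last band starts at 0.0")


def pfd_avg_1oo1(fr: FailureRates, proof_test_years: float,
                 mttr_hours: float = 0.0) -> float:
    """Simplified low-demand PFDavg of a single channel (1oo1):
    lambda_DU * TI / 2 + lambda_DD * MTTR.  Assumes lambda_DU * TI << 1."""
    ti = proof_test_years * HOURS_PER_YEAR
    return fr.lambda_du * ti / 2.0 + fr.lambda_dd * mttr_hours


def sil_from_pfd_avg(pfd: float) -> int:
    """Low-demand PFDavg bands of IEC 61508-1 Table 2; 0 means below SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4    # the SIL 4 band is 1e-5 <= PFDavg < 1e-4; nothing lower is defined


@dataclass(frozen=True)
class Verdict:
    sff: float
    architectural_sil: int  # limit from Table 2 for the chosen HFT
    pfd_avg: float          # single-channel value (conservative when HFT > 0)
    pfd_sil: int
    achievable_sil: int     # the lower of the two limits


def verify_element(fr: FailureRates, hft: int, proof_test_years: float,
                   mttr_hours: float = 0.0) -> Verdict:
    """Both end-user checks for one element.  The PFDavg is the 1oo1 value;
    a redundant architecture (HFT > 0) has a lower PFDavg, so the verdict
    is conservative there and the real architecture must be recalculated."""
    sff = safe_failure_fraction(fr)
    arch_sil = max_sil_type_a(sff, hft)
    pfd = pfd_avg_1oo1(fr, proof_test_years, mttr_hours)
    pfd_sil = sil_from_pfd_avg(pfd)
    return Verdict(sff, arch_sil, pfd, pfd_sil, min(arch_sil, pfd_sil))


# CONSTRUCTED sample: a purely mechanical final element with no online
# diagnostics, so lambda_SD = lambda_DD = 0 and the SFF falls below 60 %.
SAMPLE_RATES = FailureRates(lambda_sd=0.0, lambda_su=200 * FIT,
                            lambda_dd=0.0, lambda_du=400 * FIT)

if __name__ == "__main__":
    for hft in (0, 1, 2):
        v = verify_element(SAMPLE_RATES, hft, proof_test_years=1.0)
        print(f"HFT {hft}: SFF={v.sff:.1%}, Table 2 limit SIL {v.architectural_sil}, "
              f"PFDavg={v.pfd_avg:.2e} (SIL {v.pfd_sil}) -> SIL {v.achievable_sil}")
```

With the constructed rates the Table 2 limit is SIL 1 at HFT 0 and SIL 3 at HFT 2, which is the pattern the paragraph above describes; the one-year proof test interval then caps the single-channel PFDAVG at SIL 2, showing why both checks are needed.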

6 Terms and Definitions

Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT Failure In Time (1x10^-9 failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis

HFT Hardware Fault Tolerance

Low demand mode Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

PFDAVG Average Probability of Failure on Demand

SFF Safe Failure Fraction summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2


7 Status of the Document

7.1 Liability

exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1

Revision: R1

Version History: V1, R1: Released, February 27, 2013

V0, R1: Draft; January 7, 2013

Authors: Steven Close

Review: V0, R1: Gregory Sauk, February 27, 2013

Release status: Released

7.3 Future Enhancements

At the request of the client.

7.4 Release Signatures

Steven F. Close, Safety Engineer

Gregory Sauk, CFSE, Senior Safety Engineer