IEC 61508 Functinal Safety Assessment Prject: 1052 Series Actuatrs Cmpany: Fisher Cntrls Internatinal LLC, Inc. (an Emersn Prcess Management cmpany) Marshalltwn, IA USA Cntract Number: Q13/05-046 Reprt N.: EFC 06/03-35 R002 Versin V1, Revisin R1, September 11, 2013 Ted Stewart The dcument was prepared using best effrt. The authrs make n warranty f any kind and shall nt be liable in any event fr incidental r cnsequential damages in cnnectin with the applicatin f the dcument. All rights reserved.
Management Summary This reprt summarizes the results f the functinal safety assessment accrding t IEC 61508 carried ut n the: 1052 Series Actuatrs The functinal safety assessment perfrmed by exida cnsisted f the fllwing activities: - exida assessed the develpment prcess used by Fisher Cntrls Internatinal LLC, Inc. by an n-site audit and creatin f a safety case against the requirements f IEC 61508. - exida perfrmed a detailed Failure Mdes, Effects, and Diagnstic Analysis (FMEDA) f the devices t dcument the hardware architecture and failure behavir. - exida reviewed field failure data t ensure that the FMEDA analysis was cmplete. - exida reviewed the manufacturing quality system in use at Fisher Cntrls Internatinal LLC, Inc. - exida excluded the analysis f the Handwheel and/r lckut mechanisms The functinal safety assessment was perfrmed t the requirements f IEC 61508: ed2, 2010, SIL 3 fr mechanical cmpnents. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tl, and used as the primary audit tl. Hardware prcess requirements and all assciated dcumentatin were reviewed. Envirnmental test reprts were reviewed. Als the user dcumentatin (safety manual) was reviewed. The results f the Functinal Safety Assessment can be summarized as: The Fisher Cntrls Internatinal LLC, Inc. 1052 Series Actuatrs were fund t meet the Systematic Capability requirements f IEC 61508 fr up t SC 3 (SIL 3 Capable) The manufacturer will be entitled t use the fllwing Functinal Safety Lgs T-023 V2R3 www.exida.cm Page 2 f 13
Table f Cntents Management Summary... 2 1 Purpse and Scpe... 4 2 Prject Management... 5 2.1 exida... 5 2.2 Rles f the parties invlved... 5 2.3 Standards and Literature used... 5 2.4 Reference dcuments... 5 2.4.1 Dcumentatin prvided by Fisher Cntrls Internatinal LLC, Inc.... 5 2.4.2 Dcumentatin generated by exida... 6 3 Prduct Descriptin... 7 4 IEC 61508 Functinal Safety Assessment... 8 4.1 Methdlgy... 8 4.2 Assessment level... 8 5 Results f the IEC 61508 Functinal Safety Assessment... 9 5.1 Lifecycle Activities and Fault Avidance Measures... 9 5.1.1 Functinal Safety Management... 9 5.1.2 Safety Requirements Specificatin and Architecture Design... 10 5.1.3 Hardware Design... 10 5.1.4 Validatin... 10 5.1.5 Verificatin... 10 5.1.6 Mdificatins... 10 5.1.7 User dcumentatin... 10 5.2 Hardware Assessment... 11 6 Terms and Definitins... 12 7 Status f the Dcument... 13 7.1 Liability... 13 7.2 Releases... 13 7.3 Future Enhancements... 13 7.4 Release Signatures... 13 T-023 V2R3 www.exida.cm Page 3 f 13
1 Purpse and Scpe This dcument shall describe the results f the IEC 61508 functinal safety assessment f the Fisher Cntrls Internatinal LLC, Inc. 1052 Series Actuatrs by exida accrding t the requirements f IEC 61508: ed2, 2010. The results f this prvides the safety instrumentatin engineer with the required failure data as per IEC 61508 / IEC 61511 and cnfidence that sufficient attentin has been given t systematic failures during the develpment prcess f the device. T-023 V2R3 www.exida.cm Page 4 f 13
2 Prject Management 2.1 exida exida is ne f the wrld s leading accredited Certificatin Bdies and knwledge cmpanies specializing in autmatin system safety and availability with ver 300 years f cumulative experience in functinal safety. Funded by several f the wrld s tp reliability and safety experts frm assessment rganizatins and manufacturers, exida is a glbal cmpany with ffices arund the wrld. exida ffers training, caching, prject riented system cnsulting services, safety lifecycle engineering tls, detailed prduct assurance, cyber-security and functinal safety certificatin and a cllectin f n-line safety and reliability resurces. exida maintains the largest prcess equipment database f failure rates and failure mdes with ver 60 billin unit perating hurs. 2.2 Rles f the parties invlved Fisher Cntrls Internatinal LLC, Inc. exida Manufacturer f the 1052 Series Actuatrs Perfrmed the hardware assessment exida Perfrmed the IEC 61508 Functinal Safety Assessment Fisher Cntrls Internatinal LLC, Inc. cntracted exida in February 2007 fr the IEC 61508 Functinal Safety Assessment f the abve mentined devices. 2.3 Standards and Literature used The services delivered by exida were perfrmed based n the fllwing standards / literature. [N1] IEC 61508 (Parts 1-7): ed2, 2010 Functinal Safety f Electrical/Electrnic/Prgrammable Electrnic Safety-Related Systems 2.4 Reference dcuments 2.4.1 Dcumentatin prvided by Fisher Cntrls Internatinal LLC, Inc. [D1] d100089x012 Prduct Bulletin, Type 1052 Actuatrs; Feb 2013 [D2] d100319x012 Instructin Manual, 1052 F&G Actuatrs; size 40, 60, and 70; Octber 2012 [D3] Quality Manual.pdf ISO-9001 Quality Management System Manual fr Fisher Cntrls Internatinal Valve Divisin [D4] ES 119 Design and develpment planning f new prducts; Rev Z [D5] ES 63 Prject Dcumentatin Standard [D6] ES 192 Engineering Change Request Prcedure; Rev AB [D7] ES 94 Design Review Cmmittee Standard [D8] ES 219 Valve Actuatr Design Standard T-023 V2R3 www.exida.cm Page 5 f 13
[D9] ES 36 Making and Filing Calculatins Standard; Rev N [D10] EP 32 [D11] ES 121 [D12] ES 238 FMEA Prcedure Cntrl and Maintenance Prcedure fr Analytical Cmputer; Rev R Technical Assessment Prcess [D13] d103790x12 Safety Manual (draft); September 2013 [D14] Prject Files [D15] Marketing Requirements [D16] Technical Specificatin [D17] Design Plan [D18] Technical Assessment meeting minutes Cntains all dcuments pertaining t all aspects f the prducts life (Audited n-site nly) Designs initial marketing requirements Engineering requirements fr the prject Design plan fr the prject Meeting minutes f a Technical Assessment review (example) [D19] Technical Assessment Plan Technical Assessment Cmmittee respnsibilities and checklist [D20] FEA Upgrade Prject Dcumentatin shwing cnfrmance t ES 121 [D21] Field Failure Data Database f Field Failure Data (Audited n-site nly) [D22] Test Reprts Test Reprts listed in prject file (Audited n-site nly) [D23] Jb Discriptins.pdf Engineering respnsibilities and skills requirements [D24] ISO Training Recrd.pdf Engineers Training recrd (example) [D25] Index fr ES.pdf Index f Engineering Standards [D26] d100322x012 Instructin Manual, 1052 F&G Actuatrs; size 20; February 2011 [D27] d101322x12 Instructin Manual, 1052 Actuatrs; size 33; September 2012 2.4.2 Dcumentatin generated by exida [R1] EFC_13-05- 046_R001_V1R1_1052_2052 _FMEDA [R2] 1052_safetycase.xls [R3] EFC 13-05-046 R002 V1R1 1052 assessment.dc, 09/11/2013 Failure Mdes, Effects, and Diagnstic Analysis Fisher 1052 and 2052 Actuatrs. SafetyCase_1052 Assessment reprt, 1052 Series Actuatrs (this reprt) T-023 V2R3 www.exida.cm Page 6 f 13
3 Prduct Descriptin Fisher 1052 Actuatr Features The 1052 rtary actuatrs are available with fail-pen r fail-clsed cnstructin and can be munted in any f fur actuatr t valve munting psitins. Single jint linkages with splined and clamped levers minimize lst mtin and imprves psitining accuracy. The 1052 is supplied with a spring adjustment feature which means it can be used with r withut a psitiner as dictated by the applicatin r installatin requirements. Rugged cnstructin prvides stability, crrsin resistance and prtectin frm defrmatin shuld ver-pressurizatin ccur. Actuatr-valve linkage is cmpletely enclsed yet the valve packing adjustment remains accessible withut remving any parts. During disassembly the 1052 actuatr the externally accessible spring adjuster is used t relieve spring cmpressin. The actuatr is designed fr easy installatin f a brad range f ptins including, limit switches, psitin indicating switches, psitiners, and manual ver-rides. Figure 1 1052 Actuatr munted n a Vee-Ball Figure 1 shws a typical 1052 actuatr munted t a Vee-Ball valve and with a psitiner munted. Only the 1052 actuatr is part f this analysis. Fr this 61508 Assessment, nly the n-ff cntrl (SIS applicatin) has been cnsidered. All f the 1052 Series Actuatrs cvered in this reprt are classified as Type A 1 devices accrding t IEC 61508, having a hardware fault tlerance f 0. 1 Type A element: Nn-Cmplex element (using discrete cmpnents); fr details see 7.4.4.1.2 f IEC 61508-2, ed2, 2010. T-023 V2R3 www.exida.cm Page 7 f 13
4 IEC 61508 Functinal Safety Assessment The IEC 61508 Functinal Safety Assessment was perfrmed based n the infrmatin received frm Fisher Cntrls Internatinal LLC, Inc. and is dcumented in this reprt. 4.1 Methdlgy The full functinal safety assessment includes an assessment f all fault avidance and fault cntrl measures during hardware develpment and demnstrates full cmpliance with IEC 61508 t the end-user. The assessment cnsiders all requirements f IEC 61508. Any requirements that have been deemed nt applicable have been marked as such in the SafetyCase, e.g. sftware develpment requirements fr a prduct with n sftware. The assessment als includes a review f existing manufacturing quality prcedures t ensure cmpliance t the quality requirements f IEC 61508. Additinally, fr designs that have been in service fr several years and have demnstrated themselves in a variety f applicatins and cnditins, cnsideratin f a prven in use assessment may be used as a substitute if a prduct didn t fllw a fully 61508 cmpliant design prcess. As part f the IEC 61508 functinal safety assessment the fllwing aspects have been reviewed: Develpment prcess, including: Functinal Safety Management, including training and cmpetence recrding, FSM planning, and cnfiguratin management Design prcess, techniques and dcumentatin, including tls used Validatin activities, including prductin test prcedures and dcumentatin Verificatin activities and dcumentatin Mdificatin prcess and dcumentatin Installatin, peratin, and maintenance requirements, including user dcumentatin Prduct design Manufacturing Quality System Hardware architecture and failure behavir, dcumented in a FMEDA The review f the develpment prcedures is described in sectin 5.1. The review f the prduct design is described in sectin 5.2. 4.2 Assessment level The 1052 Series Actuatrs listed in Sectin 3 have been assessed per IEC 61508 t the fllwing levels: Systematic Capability SC3 (SIL 3 capability) The cntinuing develpment prcedures fr any design changes were assessed as suitable fr use in applicatins with a maximum Safety Integrity Level f 3 (SIL 3) accrding t IEC 61508. T-023 V2R3 www.exida.cm Page 8 f 13
5 Results f the IEC 61508 Functinal Safety Assessment exida assessed the develpment prcess used by Fisher Cntrls Internatinal LLC, Inc. fr this develpment against the bjectives f IEC 61508 parts 1 and 2. The assessment was dcumented in the SafetyCase [R2]. 5.1 Lifecycle Activities and Fault Avidance Measures Fisher Cntrls Internatinal LLC, Inc. has a defined prduct lifecycle prcess in place. This is dcumented in the Quality Manual [D3]. The same prcess is used fr mdificatins. N sftware is part f the design and therefre any requirements specific frm IEC 61508 t sftware and sftware develpment d nt apply. The assessment investigated the cmpliance with IEC 61508 f the prcesses, prcedures and techniques as implemented fr prduct design and develpment. The investigatin was executed using subsets f the IEC 61508 requirements tailred t the SIL 3 wrk scpe f the develpment team. The defined prduct lifecycle prcess was mdified as a result f a previus audit which shwed sme areas fr imprvement. Hwever, given the simple nature f the safety functin and the extensive prven field experience fr existing prducts Fisher Cntrls Internatinal LLC, Inc. was able t demnstrate that the bjectives f the standard have been met. The result f the assessment can be summarized by the fllwing bservatins: The audited Fisher Cntrls Internatinal LLC, Inc. design and develpment prcess cmplies with the relevant managerial requirements f IEC 61508 SIL 3. 5.1.1 Functinal Safety Management FSM Planning Fisher Cntrls Internatinal LLC, Inc. has a defined prcess in place fr prduct design and develpment. Required activities are specified alng with review and apprval requirements. This is primarily dcumented in sectin 7.3 f their Quality Manual [D3]. Templates, frms and sample dcuments are prvided. The same prcess is used fr mdificatins. This prcess and prcedures referenced herein fulfill the requirements f IEC 61508 with respect t functinal safety management fr a prduct with simple cmplexity and well defined safety functinality. Versin Cntrl All dcuments in the design file are under versin cntrl. This includes design drawings and specificatin and test dcuments. Training, Cmpetency recrding Human Resurces maintain apprpriate recrds f educatin, experience, training and qualificatins fr all persnnel. Department managers are respnsible fr identifying and prviding the training needs fr their department and fr maintaining recrds f in-prcess training. The prcedures and recrds were examined and fund up-t-date and sufficient. Fisher Cntrls Internatinal LLC, Inc. hired exida Cnsulting t be the independent assessr per IEC 61508 and t prvide specific IEC 61508 knwledge. T-023 V2R3 www.exida.cm Page 9 f 13
5.1.2 Safety Requirements Specificatin and Architecture Design Fr the 1052 Series Actuatrs, Safety Requirements Specificatin was reviewed. The listed requirements were sufficient t cver a mechanical device with a simple Safety Functin. As the prduct designs are simple and are based upn standard designs with extensive field histry, n semi-frmal methds are needed. General Design and testing methdlgy is dcumented and required as part f the design prcess. This meets SIL 3. 5.1.3 Hardware Design The design prcess is dcumented in Sectin 7.3 f [D3]. Items frm IEC 61508-2, Table B.2 include bservance f guidelines and standards, (PED, ATEX, NACE) prject management, dcumentatin (design utputs are dcumented per quality prcedures), structured design, mdularizatin, use f well-tried cmpnents / materials, and cmputer-aided design tls. This meets SIL 3. 5.1.4 Validatin Validatin Testing is dne via a dcumented plan created with the prducts specificatins and includes cmpliance testing per applicatin and agency standards. There is n separate integratin testing necessary because the 1052 Series Actuatrs deals with nly simple safety functins. The 1052 Series Actuatrs perfrm nly 1 Safety Functin, which is extensively tested under varius cnditins during validatin testing. Items frm IEC 61508-2, Table B.3 include functinal testing, prject management, dcumentatin, and black-bx testing (fr the cnsidered devices this is similar t functinal testing). Field experience and statistical testing via regressin testing are nt applicable. This meets SIL 3. Items frm IEC 61508-2, Table B.5 included functinal testing and functinal testing under envirnmental cnditins, prject management, dcumentatin, failure analysis (analysis n prducts that failed), expanded functinal testing, black-bx testing, and fault insertin testing. This meets SIL 3. 5.1.5 Verificatin The develpment and verificatin activities are defined in Sectin 7.3 f [D3]. Fr each design phase the bjectives are stated, required input and utput dcuments and review activities. This meets SIL 3. 5.1.6 Mdificatins Mdificatins are dcumented in ES192 [D6]. All changes are first reviewed and if apprved, the wrk fllws the nrmal design prcess. This meets SIL 3. 5.1.7 User dcumentatin Fisher Cntrls Internatinal LLC, Inc. creates the fllwing user dcumentatin: prduct catalgs and a Safety Manual. The Safety Manual was fund t cntain all f the required infrmatin given the simplicity f the prducts. The FMEDA reprts are referenced, available and they cntain required failure rates, failure mdes, useful life, and suggested prf test infrmatin. T-023 V2R3 www.exida.cm Page 10 f 13
Items frm IEC 61508-2, Table B.4 include peratin and maintenance instructins, user friendliness, maintenance friendliness, prject management, dcumentatin, limited peratin pssibilities (1052 Series Actuatrs perfrm well-defined actins) and peratin nly by skilled peratrs (peratrs familiar with type f valve, althugh this is partly the respnsibility f the enduser). This meets SIL 3. 5.2 Hardware Assessment T evaluate the hardware design f the 1052 Series Actuatrs, a Failure Mdes, Effects, and Diagnstic Analysis was perfrmed by exida. This is dcumented in [R1]. A Failure Mdes and Effects Analysis (FMEA) is a systematic way t identify and evaluate the effects f different cmpnent failure mdes, t determine what culd eliminate r reduce the chance f failure, and t dcument the system in cnsideratin. An FMEDA (Failure Mde Effect and Diagnstic Analysis) is an FMEA extensin. It cmbines standard FMEA techniques with extensin t identify nline diagnstics techniques and the failure mdes relevant t safety instrumented system design. Frm the FMEDA, failure rates are derived fr each imprtant failure categry. All failure rate analysis results and useful life limitatins are listed in the FMEDA reprt [R1]. Nte, as the 1052 Series Actuatrs are nly cmpnents f a final element, the SFF must be calculated fr the entire final element cmbinatin if fllwing the Rute 1 H hardware architectural cnstraints. It is the end users respnsibility t cnfirm this fr each particular applicatin and t include all cmpnents f the final element in the calculatins. The analysis shws that the design f the 1052 Series Actuatrs can meet the hardware requirements f IEC 61508, SIL 3 depending n the cmplete final element design. T-023 V2R3 www.exida.cm Page 11 f 13
6 Terms and Definitins ATEX Atmsphere Explsives; ATEX directive fr equipment, safety / cntrl and regulatin devices, cmpnents, and prtective systems, intended fr use in ptentially explsive atmspheres. Autmatic Diagnstics Tests perfrmed n line internally by the device r, if specified, externally by anther device withut manual interventin. ES Fault tlerance FIT FMEDA HFT Lw demand mde NACE PED PFD AVG PVST Randm Capability SFF SIF SIL SIS Type A element Engineering Standard Ability f a functinal unit t cntinue t perfrm a required functin in the presence f faults r errrs (IEC 61508-4, 3.6.3) Failure In Time (1x10-9 failures per hur) Failure Mde Effect and Diagnstic Analysis Hardware Fault Tlerance Mde, where the demand interval fr peratin made n a safety-related system is greater than twice the prf test interval. Natinal Assciatin f Crrsin Engineers Pressure Equipment Directive Average Prbability f Failure n Demand Partial Valve Strke Test It is assumed that the Partial Strke Testing, when perfrmed, is autmatically perfrmed at least an rder f magnitude mre frequent than the prf test, therefre the test can be assumed an autmatic diagnstic. Because f the autmatic diagnstic assumptin the Partial Valve Strke Testing als has an impact n the Safe Failure Fractin. The SIL limit impsed by the Architectural Cnstraints fr each element. Safe Failure Fractin summarizes the fractin f failures, which lead t a safe state and the fractin f failures which will be detected by diagnstic measures and lead t a defined safety actin. Safety Instrumented Functin Safety Integrity Level Safety Instrumented System Implementatin f ne r mre Safety Instrumented Functins. A SIS is cmpsed f any cmbinatin f sensr(s), lgic slver(s), and final element(s). Nn-Cmplex element (using discrete cmpnents); fr details see 7.4.4.1.2 f IEC 61508-2 T-023 V2R3 www.exida.cm Page 12 f 13
7 Status f the Dcument 7.1 Liability exida prepares reprts based n methds advcated in Internatinal standards. exida accepts n liability whatsever fr the use f this reprt r fr the crrectness f the standards n which the general calculatin methds are based. 7.2 Releases Versin: V1 Revisin: R1 Versin Histry: V1, R1: re-certified 1051 actuatr nly; TES 9/11/13 V0, R1: Draft; August, 2013 Authrs: Ted Stewart Review: Release status: DRAFT 7.3 Future Enhancements At request f client. 7.4 Release Signatures Ted Stewart, Safety Engineer Dr. William M. Gble, Principal Partner T-023 V2R3 www.exida.cm Page 13 f 13