exida Certification Services IEC 61508 Functional Safety Assessment Customer: Flowserve Flow Control, Haywards Heath, West Sussex, United Kingdom

exida Certification Services
IEC 61508 Functional Safety Assessment
Project: Worcester 44/59/459/599 Series Ball Valves
Customer: Flowserve Flow Control, Haywards Heath, West Sussex, United Kingdom
Contract Number: Q13/
Report No.: FLO R001
Version V1, Revision R2, 14 May 2013
Griff Francis

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the Worcester 44/59/459/599 Series Ball Valves. The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by Flowserve Flow Control by an on-site gap analysis and creation of a safety case against the requirements of IEC 61508.
- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at Flowserve.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseWB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test plans were reviewed. The user documentation (Safety Manual) was also reviewed.

The results of the Functional Safety Assessment can be summarized as follows: the Flowserve Worcester 44/59/459/599 Series Ball Valves were found to meet the requirements of IEC 61508 for up to SIL 3 (SIL 3 Capable). The PFDavg and architectural constraint requirements of the standard must be verified for each element of the safety function. The manufacturer will be entitled to use the Functional Safety Logo.

T-023 V2R1 Page 2 of 20

Table of Contents

Management summary
1 Purpose and Scope
2 Project management
  2.1 exida
  2.2 Roles of the parties involved
  2.3 Standards / Literature used
  2.4 Reference documents
    2.4.1 Documentation provided by Flowserve Flow Control
    2.4.2 Documentation generated by exida
3 Product Description
  3.1 44 Series
  3.2 59 Series
  3.3 459 Series
  3.4 599 Series
4 IEC 61508 Functional Safety Assessment
  4.1 Methodology
  4.2 Assessment level
  4.3 Product Modifications
5 Results of the IEC 61508 Functional Safety Assessment
  5.1 Lifecycle Activities and Fault Avoidance Measures
    5.1.1 Functional Safety Management
    5.1.2 Safety Requirements Specification and Architecture Design
    5.1.3 Hardware Design
    5.1.4 Validation
    5.1.5 Verification
    5.1.6 Proven In Use
    5.1.7 Modifications
    5.1.8 User documentation
  5.2 Hardware Assessment
6 Terms and Definitions
7 Status of the Document
  7.1 Liability
  7.2 Releases
  7.3 Future Enhancements
  7.4 Release Signatures

1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the Flowserve Flow Control:
- 44 Series
- 59 Series
- 459 Series
- 599 Series
by exida according to the requirements of IEC 61508: ed2, 2010. The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC and confidence that sufficient attention has been given to systematic failures during the development process of the device.

2 Project management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project-oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Flowserve Flow Control: Manufacturer of the Worcester 44/59/459/599 Series Ball Valves
exida: Performed the hardware assessment
exida: Performed the IEC 61508 Functional Safety Assessment

Flowserve contracted exida in January 2013 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

Doc ID | Document | Description
[N1] | IEC 61508 (Parts 1-7): 2010 | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Flowserve Flow Control

Doc ID from SafetyCase | Generic Document Name | Project Document Name | Version | Date
D001 | Quality Manual | 03_Quality Manual Appendix 1 with list of 50 core processes.pdf | Rev 13.1 | 22-Mar-11
D002 | Functional Safety Mgt. | 02_Execution of R&D Projects Policy Rev 3.pdf | Rev 3 | Jul-07
D003 | Overall Development Process | 02_Execution of R&D Projects Policy Rev 3.pdf | Rev 3 | Jul-07

D003b | Overall Development Process | _Design Control.pdf | Rev | Sep-12
D004 | Configuration Management Process | 02_Execution of R&D Projects Policy Rev 3.pdf | Rev 3 | Jul
D005 | Hazardous Events | 15_Customer notification procedure for faulty products (if existing).pdf | Rev 12 | Jan
D005b | Hazardous Events | _Product Recall.pdf | Rev 1 | 17-Jan-10
D006 | Manufacturer Qualification | 13_ Purchasing procedure pdf | Rev 3 | 4-Oct
D006b | Manufacturer Qualification | _Supplier Review& Assessment.pdf | Rev 11 | 8-Feb
D007 | Part Qualification | _Eng Dwg Issue & Change Control.pdf | Rev | Jul-10
D008 | Verification of purchased parts/products | _Incoming Inspection.pdf | Rev 17 | 4-May
D009 | QMS Documentation | _Control of Documentation.pdf | Rev 7 | 4/4/
D010 | Change Control of Design Records | _Control of Engineering drawings procedure pdf | Rev | Sep-10
D011 | Non-Conformance Reporting procedure | _Product Recall.pdf | Rev 1 | 17-Jan
D012 | Corrective Action | _Corrective&Preventive Action Reporting.pdf | Rev 30 | 7-Dec-12
D013 | Preventive Action | _Corrective&Preventive Action Reporting.pdf | Rev 30 | 7-Dec
D014 | Internal Audit | 03_Quality Manual Appendix 1 with list of 50 core processes.pdf | Rev 13.1 | Mar-11
D015 | Action Item List Tracking | 02_Execution of R&D Projects Policy Rev 3.pdf | Rev 3 | Jul-07
D016 | Training | 03_Quality Manual Appendix 1 with list of 50 core processes.pdf | Rev | Mar-11
D017 | Test Equipment Calibration | 27_ Calibration procedure pdf | Rev | Sep-12
D018 | Customer Notification | 15_Customer notification procedure for faulty products (if existing).pdf | Rev | Jan
D018b | Customer Notification | _Product Recall.pdf | Rev 1 | 7-Feb-12

D019 | Field Return
D019b | Field Return
D020 | Management Review
D022 | Process Modification
D024 | List of s
D025 | Gate Review and Approval Records
D026 | FSM Plan or Development Plan
D027 | Configuration Management Plan
D027b | Configuration Management Plan
D028 | List of applicable Agency Standards
D030 | Shipment Records
Project document names, revisions and dates for D019 to D030 (as extracted): _Goods Returned for Investigation.pdf Rev 4 17-Jan-10; 15_Customer notification procedure for faulty products (if existing).pdf Rev Jan-10; 03_Quality Manual Appendix 1 with list of 50 core processes.pdf Rev Mar-11; 31_Change pdf Rev 18 6-Sep-10; 03_Quality Manual Appendix 1 with list of 50 core processes.pdf; 06_Example of phase gate process followed for one at least product.doc Rev 13.1; External Version_SIL Hi-Level Plan.xlsx Rev 0; 02_Execution of R&D Projects Policy Rev 3.pdf; pdf; 03_Quality Manual Appendix 1 with list of 50 core processes.pdf; 14_Shipping and Returns information for products requiring certification (minimum 5 years)_wgf_calc.xlsx; Complaints Description Directory.xlsx; Rev 3 Rev Mar Oct-11 1-Jul Apr Mar-11 Oct-12
D031 | Field Returns Records | | | 14-Feb-13
D033 | Training Record | 11_ Example of induction set of training and checklist for Gary Player.pdf | | 29-Jan-13
D034 | Skills Matrix | Cognitive Competency Matrix..xlsx | Rev | Apr-13
D035 | IEC 61508 Training Record | 32_Training Registration Sheet.pdf | | 18-Oct-12
D036 | ISO 900x Cert or equivalent | 04_ Copy of ISO Certificate.pdf | | 14-Apr-11
D036b | ISO 900x Cert or equivalent | 05_ Copy of last BSI audit report.pdf | | 10-Apr-12
D038 | List of Design Tools | 28_List of versions of CADdesign software tools.xlsx | |
D039 | Management Review Record | 08_ Example of review minutes and actions arising.doc | |
D040 | Safety Requirements Specification | 22_44_59 PRODUCT SPECIFICATION rev 4.doc | Rev 4 |
D040b | Safety Requirements Specification | 22_459_599 PRODUCT SPECIFICATION rev 4.doc | Rev 4 |
D041 | Safety Requirements Review | PED FILE INDEX.doc | |
Remaining dates for D038 to D041 (as extracted): 18-Mar, Nov-12, 6-Feb-13

D041b | Safety Requirements Review | PED FILE REVISION STATUS.doc | 7 | 2-Nov-12
D041c | Safety Requirements Review | Automax VAVE Gate 1 Review Checklist.doc | | 14-Apr
D044 | Marketing Requirements Document | Market Requirements V2.doc | A | 1-Jul-09
D044b | Marketing Requirements Document | MRD FINAL doc | |
D048 | Hardware Change List | Engineering Change History.xlsx | |
D052 | Design Review Record | 08_ Example of review minutes and actions arising.doc | |
D054 | FMEDA Report | FLO Q Flowserve Series Ball Valve FMEDA R001 V1R2.doc | V1R2 |
D068 | Validation Test Plan | 25_ Test plans and test specification for products requiring certification_pro_ pdf | |
Remaining dates for D052 to D068 (as extracted): 30-Mar-09 8-Apr Nov Nov-12
D068b | Validation Test Plan | 26_ Ball valves testing procedure pdf | | Jan-10
D068c | Validation Test Plan | Technical Specifications Rev 1.doc | 1 | 1-Mar-11
D069 | Validation Test Plan Review Record | Automax VAVE Gate 1 Review Checklist.doc | | 14-Apr-09
D070 | Environmental Test Plan | 29_Zinc Cobalt Pinions Salt Spray Test1.tif | 1 | 15-Aug-97
D072 | Name of Change Request Tracking System | Complaints Description Directory.xlsx | | 14-Feb-13
D074 | Environmental Test Results | 29_Zinc Cobalt Pinions Salt Spray Test1.tif | 1 | 15-Aug-97
D077 | Operation / Maintenance Manual | 23_ENGLISH Worcester 519_529.pdf | Iss. 05/04 |
D077b | Operation / Maintenance Manual | 22_44_59 PRODUCT SPECIFICATION rev 4.doc | Rev 4 |
D077c | Operation / Maintenance Manual | Series 44,45,59.pdf | FCD WCABR1050-01 |
D078 | Safety Manual | Safety Manual pdf | 0 | May-13
D079 | Safety Manual Review | Example Safety Manual Review.xlsx | 0 | 8-Apr-13
D080 | Engineering Change Documentation | Norbro Change History.xlsx | | 12-Mar-13
D080b | Impact Analysis | TR1944.doc | | 23-Jul-08

D082 | PIU Analysis | FLO PIU_23Apr2013.xlsx | | 23-Apr

2.4.2 Documentation generated by exida

[R1] FLO Q Flowserve Series Ball Valve FMEDA R001 V1R2.doc: FMEDA report, 44/59/459/599 Series Ball Valves
[R2] Initial SafetyCase for Flowserve UK Products PO Q r1.msg: IEC 61508 Gap Analysis List, Flowserve Flow Control (sent in e-mail dated 13 Feb 2013)
[R3] Flowserve Q Group1 Safety Case_29Apr2013.xlsm: IEC 61508 SafetyCaseWB for Worcester 44/59/459/599 Series Ball Valves
[R4] FLO R001 V1R2 44,59,459,599 Assessment Report.doc, 14 May 2013: IEC 61508 Functional Safety Assessment, Flowserve Flow Control Worcester 44/59/459/599 Series Ball Valves (this report)

3 Product Description

The safety function of the Worcester 44/59/459/599 Series Ball Valves is to move to the designated safe position per the actuator design within the specified safe time. The specified safe time will depend on the actuator and associated valve control instrumentation.

The 44/59/459/599 Series Ball Valves feature Cavity Pressure Relieving (CPR) seats that ensure pressure generated through media expansion when the ball valve is closed is safely relieved upstream. The ball utilizes a pressure-equalizing hole to balance cavity pressure with line pressure when the valve is open. The ball valves feature an anti-blowout stem, inserted from inside the body.

3.1 44 Series

The Flowserve Worcester 44 Series Ball Valve is a quarter-turn ball valve. It features a 3-piece swing-out design, tight shut-off and bi-directional sealing. The 44 Series can be used in the following applications: OEM, Petroleum Production and Refining, Synthetic Fuels, General Processing Industry, Utility, Commercial, Hydrocarbon Processing, Petrochemical Processing, Boiler Circulation, Chemical Transfer, Industrial Plant Services, Flammable Liquids, Water Treatment, Heat Transfer Fluids.

3.2 59 Series

The Flowserve Worcester 59 Series Ball Valve offers a full port option to the standard Series 44 Ball Valve. Full port capability is advantageous in applications where fluid velocity is a concern, such as slurries, viscous fluids and fluids with particulates. Designed to ASME B16.34 ratings and with an advanced seal technology, you are assured of maximum performance and life.

3.3 459 Series

The Flowserve Worcester A459 Series ball valves complement the Series 44. With a wide range of seat materials available, the valve is suitable for most applications within the process industry up to 50 bar. Designed with an ISO 5211 mounting platform, the valve is also fitted with a direction indicator that remains on the valve during actuation to maintain stem seal integrity and provide visual indication of the ball position.

3.4 599 Series

The Flowserve Worcester A599 Series ball valves offer a full port option to the standard Series 459.

In each series there are product variations as described below. The Y marks give availability across the four series (44/59/459/599) as shown in the source table.

A, Antistatic/Standard: Standard Valve.

AW, Steam Series (Y Y Y Y): Using its unique Fluorofill seat material, Worcester guarantees the AW44 on continuous saturated steam service up to 250 psi (17 bar), whilst other Worcester high performance seat materials provide even higher temperature/pressure capabilities. In addition to its proven record with steam as a heat transfer medium, the AW44 can accommodate other thermal fluids/hot oils up to 250 °C (Fluorofill), or up to 280 °C where required with other seat materials.

E, Envirosafe (Y Y Y Y): The Enviro Safe range of ball valves has a high-cycle life at an increased range of temperatures and pressures. At the heart of the valve's high integrity performance is its dual stem packing. The unique primary seal is designed so that it will always fail in service BEFORE the secondary seal. With a monitoring port drilled through to a lantern ring located between the two sealing stages, primary seal leakage can be detected whilst the secondary seals ensure overall integrity. This unique and foolproof stem packing design is live loaded with stainless steel disc springs and has been proven in testing to be bubble tight on helium even after primary seal leakage. Primary seal integrity can then be restored by simply tightening down the gland plate.

F, Firesafe (Y Y Y Y): Fire rated valves that assure tight shutoff and prevent external leakage in the tremendous heat of an industrial fire. Heavy duty body bolts and pipe ends add a great margin of safety to Worcester Fire Safe Valves. Normal service performance is maintained with bubble tight bidirectional sealing and three rugged seating materials: TFE, Reinforced TFE and Polyfill. All fire rated products can be ordered to meet NACE MR.

C, Cryogenic (Y Y Y Y): Cryogenic design is a rugged, one-piece, pressure safe stem with a Polyfill thrust bearing and stainless steel split ring. You get design safety and low operational torque. Polyfill seats give you tight shutoff throughout the temperature range. With an orientation-controlled stem/ball connection and an upstream hole in the ball, you get positive overpressure protection. All parts are oxygen compatible.

5HP, High Pressure (5000 psi max): High pressure applications.

WK, High Purity (Clean) (Y Y Y): Clean Valves are operating dependably in processes in the pharmaceutical, biotech, food, cosmetic, paint, chemical and other industries where microbes, media deposits, particle generation and cross contamination can threaten the quality of the product. The high purity design, high vacuum rating, high cycle life and pressure/temperature rating of these valves help assure quality production with minimum downtime. They last many times longer than diaphragm valves and prevent catastrophic failure.

V, V Flow (Y Y): V Flow seat technology has opened a new chapter in the history of modulating control. The V Flow control valve combines the simplicity of a process ball valve with the characterized seat concept.

4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Flowserve Flow Control and is documented in this report.

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508. As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  o Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  o Specification process, techniques and documentation
  o Design process, techniques and documentation, including tools used
  o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  o Verification activities and documentation
  o Modification process and documentation
  o Installation, operation, and maintenance requirements, including user documentation
- Product design
  o Hardware architecture and failure behavior, documented in a FMEDA Report

The review of the development procedures is described in section 5. The review of the product design is described in section 5.2.

4.2 Assessment level

The Worcester 44/59/459/599 Series Ball Valves have been assessed per IEC 61508 to the following levels:
- Systematic Safety Integrity: SIL 3 capable
- Random Safety Integrity: PFDavg and Architectural Constraints must be verified for each application.

The development procedures have been assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.

4.3 Product Modifications

Flowserve Flow Control may make modifications to this product as needed. Modifications shall be classified into two types:

- Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions.
- Type 2 Modification: Changes allowed to be made by Flowserve Flow Control provided that:
  - A competent person from Flowserve Flow Control, appointed and agreed with exida, judges and approves the modifications.
  - The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person in respect to the modifications made.
    o List of all anomalies reported
    o List of all modifications completed
    o Safety impact analysis, which shall indicate with respect to the modification:
      - The initiating problem (e.g. results of root cause analysis)
      - The effect on the product / system
      - The elements/components that are subject to the modification
      - The extent of any re-testing
    o List of modified documentation
    o Regression test plans

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Flowserve Flow Control for these products against the objectives of IEC 61508 parts 1-7 and documented it in the SafetyCase [R3].

5.1 Lifecycle Activities and Fault Avoidance Measures

Flowserve Flow Control has a defined product lifecycle process in place. This is documented in the Quality Assurance Manual, D001, and various quality procedures, D002-D024. Every customer job goes through the complete design process. A documented modification process is also covered in the Quality Manual section and procedure. No software is part of the design and therefore any requirements of IEC 61508 specific to software and software development do not apply.

The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observation: the audited Flowserve Flow Control design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

The valves manufactured by Flowserve are not built for inventory. These valves are built-to-order. The basic designs are standardized, but each order can have trim and materials variations or specific customer requested proof tests. Due to the specialized nature of each valve, documentation that defines all of the requirements is generated for every order as part of the process.

FSM Planning
Flowserve Flow Control has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in section 7 of their Quality Management System Manual, D001, and in greater detail in Execution of Research & Development Projects (Execution of R&D Projects Policy), D003. Templates and sample documents were reviewed and found to be sufficient. The modification process is covered by Engineering Drawing / Data Issue and Change Control, D022. This process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well-defined safety functionality.

Version Control
Execution of Research & Development Projects (Execution of R&D Projects Policy), D003, requires that all documents be under document control. Use of this to control revisions was evident during the audit.

Training, Competency recording
Quality Management System Manual, D001, requires the Human Resource department to maintain training records of education, experience, training and qualifications for all personnel. Department heads are responsible for identifying and providing the training needs for their department as well as proficiency evaluations. The procedures and records were examined and found up-to-date and sufficient. Flowserve hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.

5.1.2 Safety Requirements Specification and Architecture Design

For the Worcester 44/59/459/599 Series Ball Valves, the simple primary functionality of the valve is the same as the safety functionality of the product (valve changes position, Close / Open). Therefore no special Safety Requirements Specification was needed; the normal functional requirements were sufficient. As the designs of the Worcester 44/59/459/599 Series Ball Valves are simple and are based upon standard designs with extensive field history, no semi-formal methods are needed. General design and testing methodology is documented and required as part of the design process. This meets SIL 3.

5.1.3 Hardware Design

The design process is documented in Execution of Research & Development Projects (Execution of R&D Projects Policy), D003. Items from IEC 61508, Table B.2 include observance of guidelines and standards (ATEX, CE Mark), project management, documentation (design outputs are documented per quality procedures), structured design, modularization, use of well-tried components / materials, and computer-aided design tools. This meets SIL 3.

5.1.4 Validation

Validation Testing is documented on the Assessment Sales Order which is created for each order. The test plan includes testing per all standard and customer performance requirements. As the Worcester 44/59/459/599 Series Ball Valves are purely mechanical devices with a simple safety function, there is no separate integration testing necessary. The Worcester 44/59/459/599 Series Ball Valves perform only one Safety Function, which is extensively tested under various conditions during validation testing. Items from IEC 61508, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3. Items from IEC 61508, Table B.5 included functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis on products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.

5.1.5 Verification

The development and verification activities are defined in Sections 2.b and 2.c of Execution of Research & Development Projects (Execution of R&D Projects Policy), D003. For each design phase the objectives, the required input and output documents, and the review activities are stated. This meets SIL 3.

5.1.6 Proven In Use

In addition to the design fault avoidance techniques listed above, a Proven In Use evaluation was carried out on the Flowserve Worcester 44/59/459/599 Series Ball Valves. Shipment records were used to determine that the 44/59/459/599 Series Ball Valves have >100 million operating hours, and they have demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL 3.

5.1.7 Modifications

Modifications are initiated per Engineering Drawing / Data Issue and Change Control, D022. All changes are first reviewed and analyzed for impact before being approved. Measures to verify and validate the change are developed following the normal design process. This meets SIL 3.

5.1.8 User documentation

Flowserve Flow Control creates the following user documentation: product brochures, User Instructions and a Safety Manual. The Safety Manual was found to contain all of the required information given the simplicity of the products. The Safety Manual references the FMEDA reports, which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information. Items from IEC 61508, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities (Worcester 44/59/459/599 Series Ball Valves perform well-defined actions) and operation only by skilled operators (operators familiar with the type of valve, although this is partly the responsibility of the end-user). This meets SIL 3.

5.2 Hardware Assessment

To evaluate the hardware design of the Worcester 44/59/459/599 Series Ball Valves, Failure Modes, Effects, and Diagnostic Analyses were performed by exida. These are documented in D054 [R1].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with an extension that identifies on-line diagnostic techniques and the failure modes relevant to safety instrumented system design. From the FMEDA, failure rates are derived for each important failure category. All failure rate analysis results and useful life limitations are listed in the FMEDA report [R1]. Tables in the FMEDA report list these failure rates for the Worcester 44/59/459/599 Series Ball Valves under a variety of applications. The failure rates listed are valid for the useful life of the devices. Note that, as the Worcester 44/59/459/599 Series Ball Valves are only one part of a (sub)system, the SFF should be calculated for the entire final element combination.

These results must be considered in combination with PFDavg values of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraints requirements of IEC 61508, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations. The analysis shows that the design of the Worcester 44/59/459/599 Series Ball Valves can meet the hardware requirements of IEC 61508, up to SIL 3 depending on the complete final element design. The Hardware Fault Tolerance, PFDavg, and Safe Failure Fraction requirements of IEC 61508 must be verified for each specific design.
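As an added worked example (not from this report, the FMEDA or Flowserve), the following Python carries out the check the two paragraphs above leave to the end user: the SFF of the complete final element rather than of the valve alone, a simplified PFDavg, and the Route 1H architectural constraint for Type A elements, with the lower of the two limits governing the achieved SIL. All failure rates are constructed placeholders in FIT; it is assumed that every element is Type A, that the elements form a single 1oo1 final element (HFT 0) in low demand mode, and that PFDavg follows the simplified 1oo1 estimate λDU·TI/2.

```python
"""Added worked example (not from the exida report or the Flowserve FMEDA):
SFF, PFDavg and Route 1H architectural constraint for a final element built
from a ball valve, its actuator and a solenoid valve. All failure rates are
CONSTRUCTED placeholders in FIT. Assumed: all elements Type A, single 1oo1
final element (HFT 0), low demand mode, simplified PFDavg ~= lambda_DU*TI/2."""
from dataclasses import dataclass
from typing import Iterable

FIT_TO_PER_HOUR = 1e-9  # 1 FIT = 1x10^-9 failures per hour
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class ElementRates:
    """FMEDA failure-rate split of one element, all values in FIT."""
    name: str
    lambda_sd: float  # safe, detected
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected (e.g. by partial stroke testing)
    lambda_du: float  # dangerous, undetected (found only by proof test)

    def total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def combine_series(elements: Iterable[ElementRates]) -> ElementRates:
    """Valve, actuator and solenoid must all work, so they are in series and
    every failure-rate category adds up. SFF is computed on this sum, not on
    the valve alone."""
    elems = list(elements)
    return ElementRates(" + ".join(e.name for e in elems),
                        sum(e.lambda_sd for e in elems), sum(e.lambda_su for e in elems),
                        sum(e.lambda_dd for e in elems), sum(e.lambda_du for e in elems))


def safe_failure_fraction(r: ElementRates) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total: every failure except DU."""
    return (r.total() - r.lambda_du) / r.total()


def pfd_avg_1oo1(lambda_du_fit: float, proof_test_interval_years: float) -> float:
    """Simplified low-demand 1oo1 estimate PFDavg ~= lambda_DU * TI / 2
    (repair time and proof-test coverage ignored)."""
    return lambda_du_fit * FIT_TO_PER_HOUR * proof_test_interval_years * HOURS_PER_YEAR / 2.0


# Route 1H, Type A elements: (SFF lower bound, max SIL at HFT 0 / 1 / 2).
ROUTE_1H_TYPE_A = [(0.99, (3, 4, 4)), (0.90, (3, 4, 4)),
                   (0.60, (2, 3, 4)), (0.00, (1, 2, 3))]


def architectural_constraint_sil(sff: float, hft: int) -> int:
    """Highest SIL the architecture permits for a Type A element."""
    for lower_bound, sil_by_hft in ROUTE_1H_TYPE_A:
        if sff >= lower_bound:
            return sil_by_hft[min(hft, 2)]
    raise ValueError("SFF must lie in [0, 1]")


def pfd_avg_sil(pfd: float) -> int:
    """Low demand SIL band for a PFDavg value; 0 means worse than SIL 1."""
    for sil, upper in ((1, 1e-1), (2, 1e-2), (3, 1e-3), (4, 1e-4)):
        if pfd >= upper:
            return sil - 1
    return 4


def assess_final_element(elements, proof_test_interval_years: float) -> dict:
    """The achieved SIL is the lower of the PFDavg band and the architectural
    constraint; passing one of the two checks alone is not enough."""
    combined = combine_series(elements)
    sff = safe_failure_fraction(combined)
    pfd = pfd_avg_1oo1(combined.lambda_du, proof_test_interval_years)
    sil_arch = architectural_constraint_sil(sff, hft=0)
    sil_pfd = pfd_avg_sil(pfd)
    return {"sff": sff, "pfd_avg": pfd, "sil_arch": sil_arch,
            "sil_pfd": sil_pfd, "sil_achieved": min(sil_arch, sil_pfd)}


# Constructed placeholder rates in FIT (not FMEDA results).
BALL_VALVE = ElementRates("ball valve", 0, 150, 0, 350)
ACTUATOR = ElementRates("actuator", 0, 400, 200, 400)
SOLENOID = ElementRates("solenoid valve", 0, 250, 0, 250)
FINAL_ELEMENT = [BALL_VALVE, ACTUATOR, SOLENOID]

if __name__ == "__main__":
    for ti in (1.0, 0.25):  # annual vs quarterly proof test
        r = assess_final_element(FINAL_ELEMENT, ti)
        print(f"TI={ti:.2f} y SFF={r['sff']:.0%} PFDavg={r['pfd_avg']:.2e} "
              f"SIL(PFD)={r['sil_pfd']} SIL(arch)={r['sil_arch']} -> SIL {r['sil_achieved']}")
```

With the constructed rates the combined SFF is 50%, so a 1oo1 final element is capped at SIL 1 by the architectural constraint no matter how short the proof test interval, even though the PFDavg band alone would read SIL 2 or SIL 3.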

6 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode where the frequency of demands for operation made on a safety-related system is no greater than twice the proof test frequency.
PFDavg: Average Probability of Failure on Demand
SFF: Safe Failure Fraction; summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System; implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element: Non-complex element (using discrete components); for details see IEC 61508
Type B element: Complex element (using complex components such as micro controllers or programmable logic); for details see IEC 61508

7 Status of the Document

7.1 Liability

exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1
Revision: R2
Version History:
V1, R2: corrected model series on p. 4; 14 May 2013
V1, R1: Released, April 30, 2013
V0, R1: Draft; 30 April 2013
Author(s): Griff Francis
Review:
V1, R1: Tamsin Smith (Flowserve); 13 May 2013
V0, R1: Steven Close (exida); April 29, 2013
Release status: Released

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

Steven F. Close, Senior Safety Engineer
Griff Francis, Senior Safety Engineer