exida Certification Services IEC 61508 Functional Safety Assessment Project: Series 327 Solenoid Valves Customer: ASCO Numatics


exida Certification Services
IEC 61508 Functional Safety Assessment
Project: Series 327 Solenoid Valves
Customer: ASCO Numatics, Scherpenzeel, The Netherlands
Contract Number: Q13/
Report No.: ASC Q R002 V1R1
Assessment Report, Version V1, Revision R1, March 25, 2013
Chris O'Brien

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the Series 327 Solenoid Valves. The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by ASCO Numatics by an on-site audit and creation of a safety case against the requirements of IEC 61508.
- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at ASCO.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was also reviewed.

Some areas of improvement were identified in the design process, and the design procedures were upgraded during the project. However, because of the low complexity of the products and the proven-in-use design, ASCO was able to demonstrate that the objectives of the standard have been met.

The results of the Functional Safety Assessment can be summarized as follows: the ASCO Series 327 Solenoid Valves were found to meet the requirements of IEC 61508 for up to SC3 (SIL 3 Capable). PFDavg and Architecture Constraints must be verified for each application. The manufacturer will be entitled to use the Functional Safety Logo. The manufacturer may use the mark:

T-023 V2R1, August, Page 2 of 16

Table of Contents
Management summary
1 Purpose and Scope
2 Project management
  2.1 exida
  2.2 Roles of the parties involved
  2.3 Standards / Literature used
  2.4 Reference documents
    2.4.1 Documentation provided by ASCO Numatics
    2.4.2 Documentation generated by exida
3 Product Descriptions
4 IEC 61508 Functional Safety Assessment
  4.1 Methodology
  4.2 Assessment level
  4.3 Product Modifications
5 Results of the IEC 61508 Functional Safety Assessment
  5.1 Open Issues
  5.2 Lifecycle Activities and Fault Avoidance Measures
    5.2.1 Functional Safety Management
    5.2.2 Safety Requirements Specification and Architecture Design
    5.2.3 Hardware Design
    5.2.4 Validation
    5.2.5 Verification
    5.2.6 Proven In Use
    5.2.7 Modifications
    5.2.8 User documentation
  5.3 Hardware Assessment
6 Terms and Definitions
7 Status of the Document
  7.1 Liability
  7.2 Releases
  7.3 Future Enhancements
  7.4 Release Signatures

1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the ASCO Numatics Series 327 Solenoid Valves by exida according to the requirements of IEC 61508: ed2, 2010. The results provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

2 Project management

2.1 exida
exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project-oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved
ASCO Numatics   Manufacturer of the Series 327 Solenoid Valves
exida           Performed the hardware assessment
exida           Performed the IEC 61508 Functional Safety Assessment
ASCO contracted exida in January 2013 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used
The services delivered by exida were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1-7): 2010  Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents
2.4.1 Documentation provided by ASCO Numatics
[D1] Marketing Data Sheet Outline (MDS)
[D2] MDS Example  Marketing Data Sheet example, reviewed on-site
[D3] Technical Specification Sheet (TSS), Rev A; 11/3/2009  Product Technical Specification Sheet, 327 Arctic Conditions
[D4] MP-I-121, Rev B; 10/10/2012  Procedure for handling of ASCO Valve, Inc. Stop Orders
[D5] EDP-013, Rev AF; 6/2/2009  Valve Engineering R&D investigation/corrective action procedure
[D6] NPD2-005, Rev 0; 10/26/2009  Valve Engineering Design Review Process
[D7] EDP-148, Rev B; 7/10/2012  Qualification Test Plan procedure

[D8] NPD, Rev A; 3/27/2012  New Product Development for Platform Products
[D9] GBP-007, Rev D; 1/9/2012  Engineering Change Notice
[D10] ELP-161, Rev E; 11/8/82  Conducting valve engineering laboratory life tests
[D11] S4-200, Rev A; 8/15/2012  Procedure for handling valve returns
[D12] QTP template, Version 21; 01/2012  Qualification Test Plan Matrix - template
[D13] QTR  Qualification Test Report - Cover Sheets
[D14] QTP BF; 5/18/2009  Qualification Test Plan, 327 Arctic Conditions
[D15] Catalog 35, online  Solenoid Valves, Air Operated Valves, Combustion Products, Accessories Catalog
[D16] V9629, Rev B; 2/12/2011  Safety Manual for Solenoid Pilot Valves

2.4.2 Documentation generated by exida
[R1] ASC R001 V1 R4, 05/17/2012  Series 327 Solenoid Valves FMEDA Report (FMEDA report, ASCO Series 327 Solenoid Valves)
[R2] ASC R004 V1 R1, 03/06/2013  SafetyCase Review (ASCO IEC 61508 Compliance Assessment, SafetyCaseDB Review)
[R3] ASC Q R002 V1R1, 03/25/2013  Assessment Report (IEC 61508 Functional Safety Assessment, ASCO Numatics Series 327 Solenoid Valves; this report)

3 Product Descriptions

The Series 327 Solenoid Valves are 3/2 solenoid valves that are direct operated with a balanced poppet. The Models 327B are basic flow models with ¼ inch pipe connections. The Models 327A are high flow models with ¼ and ½ inch pipe connections. The Models 327B are available in a redundant configuration. The Series 327 Solenoid Valves are offered in four coil power levels. The Series 327 Solenoid Valves are available with manual operators that are used to reset the solenoid to the energized position after a trip. The manual operators do not serve a safety function.

Table 1 lists the model numbers and coil versions of the Series 327 Solenoid Valves covered by this FMEDA.

Table 1 Coil Options
Basic Model Number   Coil Power
327B0/8327G          Basic Power (10.0 to 14 W)
327B1                Medium Power ( W)
327B2                Reduced Power ( W)
327B3                Low Power (1.8 W)
327A6                Basic Power (10.0 to 14 W)

Figure 1 shows a direct operated, basic flow, balanced poppet Series 327 Solenoid Valve.
Figure 1: Series 327 Solenoid Valve

Table 2 gives an overview of the different versions that were considered in the FMEDA of the Series 327 Solenoid Valves.

Table 2 Version Overview
Model                      Configuration
327B0/8327G                De-Energize to trip / Energize to trip, Normally Closed / Normally Open
327B1                      De-Energize to trip / Energize to trip, Normally Closed / Normally Open
327B2                      De-Energize to trip / Energize to trip, Normally Closed / Normally Open
327B3                      De-Energize to trip / Energize to trip, Normally Closed / Normally Open
327B3(WS)IS                De-Energize to trip / Energize to trip, Normally Closed / Normally Open
327A6                      De-Energize to trip / Energize to trip, Normally Closed / Normally Open
Redundant 327B0            De-Energize to trip / Energize to trip, Normally Closed
Redundant 327B1            De-Energize to trip / Energize to trip, Normally Closed
Redundant 327B2            De-Energize to trip / Energize to trip, Normally Closed
Redundant 327B3            De-Energize to trip / Energize to trip, Normally Closed
MO (Manual Operator) [1]   De-Energize to trip
NVR (Manual Operator) [2]  De-Energize to trip

For Energize to trip applications the failure rates do not take into account the loss of power to the solenoid.

The Series 327 Solenoid Valves are classified as Type A [3] devices according to IEC 61508, having a hardware fault tolerance of 0.

[1] The MO manual operator option is used to reset the solenoid manually. It is not part of the safety function of the solenoid valve but does contribute to the failure rates of the solenoid valve.
[2] The NVR manual operator option is used to reset the solenoid manually. It is not part of the safety function of the solenoid valve but does contribute to the failure rates of the solenoid valve.
[3] Type A component: Non-Complex component with well-defined failure modes; for details see IEC 61508-2.

4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from ASCO Numatics and is documented in this report.

4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  o Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  o Specification process, techniques and documentation
  o Design process, techniques and documentation, including tools used
  o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  o Verification activities and documentation
  o Modification process and documentation
  o Installation, operation, and maintenance requirements, including user documentation
  o Manufacturing Quality System
- Product design
  o Hardware architecture and failure behavior, documented in a FMEDA

The review of the development procedures is described in section 5. The review of the product design is described in section 5.3.

4.2 Assessment level
The Series 327 Solenoid Valves have been assessed per IEC 61508 to the following level: SIL 3 capability. The development procedures have been assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.

4.3 Product Modifications
ASCO Numatics may make modifications to this product as needed. Modifications shall be classified into two types:

Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions.

Type 2 Modification: Changes allowed to be made by ASCO Numatics provided that:
- A competent person from ASCO Numatics, appointed and agreed with exida, judges and approves the modifications.
- The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person in respect to the modifications made:
  o List of all anomalies reported
  o List of all modifications completed
  o Safety impact analysis which shall indicate with respect to the modification:
    - The initiating problem (e.g. results of root cause analysis)
    - The effect on the product / system
    - The elements/components that are subject to the modification
    - The extent of any re-testing
  o List of modified documentation
  o Validation test plans

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by ASCO Numatics for these products against the objectives of IEC 61508 parts 1-7. The assessment was done on-site at the Scherpenzeel facility on February 12, 2013 and documented in the SafetyCase [R2].

5.1 Open Issues
The overall process is strong and the designs have extensive proven field experience, sufficient for SIL 3 capability. Some areas of improvement were identified in the design process, and some of the design procedures and forms were upgraded during the project. All of the improvements were evaluated and included in the final version of the SafetyCase.

5.2 Lifecycle Activities and Fault Avoidance Measures
ASCO Numatics has a 7-phase stage-gate process in place for product development with specific deliverables, reviews and approvals at each gate. This is documented in NPD [D8]. The same process is used for modifications. This process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management. No software is part of the design, and therefore any requirements of IEC 61508 specific to software and software development do not apply.

The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The defined product lifecycle process was modified as a result of the audit, which showed some areas for improvement. However, given the simple nature of the safety function and the extensive proven field experience for existing products, ASCO Numatics was able to demonstrate that the objectives of the standard have been met.

The result of the assessment can be summarized by the following observations: the audited ASCO Numatics design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.2.1 Functional Safety Management

FSM Planning
ASCO Numatics has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in NPD [D8]. Templates and sample documents were reviewed and found to be sufficient. The modification process is covered by the same procedure. This process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well defined safety functionality.

Version Control
NPD [D8] requires that all documents be under document control. Use of this to control revisions was evident during the audit.

Training, Competency recording
Personnel training records are kept per standard quality procedures. Engineering personnel involved in the project have received IEC 61508 training. ASCO Numatics hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.

5.2.2 Safety Requirements Specification and Architecture Design
The first step for any new development is the creation of a Marketing Data Sheet (MDS) [D2] by the Marketing Department. Once this has been reviewed and the project accepted, engineering develops the project Technical Specification Sheet (TSS) [D3]. This captures in detail all the requirements for the devices, such as critical functions, performance targets etc. exida reviewed the content of the specification for completeness per the requirements of IEC 61508. As the valves are simple electro-mechanical devices, there is no need for a separate architecture design phase. The MDS and TSS indicate whether the design is new or based on an existing design. Requirements as specified in the Technical Specification Sheet (TSS) are tracked through all development phases. As the function of the valve is simple and clearly defined, there is no need for semi-formal methods such as functional block diagrams. The application is considered when specifying the requirements; the devices may be required to meet specific application standards. This meets SIL 3.

5.2.3 Hardware Design
The hardware design process consists of two distinct phases: concept verification, and design and development. During concept verification all possible solutions are reviewed and the most promising is detailed. During this phase the Qualification Test Plan and Agency Approval Plan are also developed (equivalent to the validation plan per IEC 61508). In the design and development phase, the design is further detailed and Qualification testing is performed on beta units. Per NPD2-005 [D6], a preliminary, an intermediate and a final design review are conducted.

ASCO Numatics has standards for documentation with specified output documents. ASCO Numatics uses ProE and AutoCad as development tools. Version numbers should be listed, and re-qualification should be done when the tool vendor makes revisions. Re-qualification test results should be documented and reviewed. ASCO Numatics confirmed in discussions during the on-site audit that tool re-qualification is performed. Items from IEC 61508-2, Table B.2 include observance of guidelines and standards, project management, documentation (design outputs are documented per NPD [D8] and other quality guidelines), structured design, modularization, use of well-tried components, and computer-aided design tools. This meets SIL 3.

5.2.4 Validation
Validation testing is done via a documented plan, the Qualification Test Plan, written per the Technical Specification Sheet, and includes compliance testing per application standards through the Agency Approval Plan, which is part of the QTP. The QTP is traceable to the TSS. As the Series 327 Solenoid Valves are purely electro-mechanical devices with a simple safety function, no separate integration testing is necessary. However, the solenoids do undergo several separate tests before valve body and solenoid are integrated; this is part of the Qualification Test Plan. The Series 327 Solenoid Valves perform only one safety function, which is extensively tested under various conditions during validation testing.

Procedures are in place for corrective actions to be taken when tests fail. Every run of the Qualification Test Plan is documented in a Qualification Test Report and reviewed. Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3. Items from IEC 61508-2, Table B.5 include functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis of products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.

5.2.5 Verification
The development and verification activities are defined in the New Product Development Process for Platform Products, NPD [D8]. For each phase the objectives are stated, as well as required input and output documents and review activities. Checklists are used for e.g. the review of the Marketing Data Sheet. Design reviews are governed by NPD2-005, Valve Engineering Design Review Process [D6]. Per NPD [D8], the following verification steps are defined: product idea review, concept definition review, feasibility review, design and development review, pilot run review, and introduction review. All verification activities are documented. This meets SIL 3.

5.2.6 Proven In Use
In addition to the design fault avoidance techniques listed above, a Proven in Use evaluation was carried out on the ASCO Series 327 Solenoid Valves. Shipment records were used to determine that the Series 327 Solenoid Valves have more than 100 million operating hours, and they have demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL 3.

5.2.7 Modifications
Modifications are done per the Engineering Change Notice procedure [D9]. A web-based system is in place to track ECNs. The ECN system allows the user to identify whether a certified device is affected. Affected documents and/or drawings are also listed. If design changes are identified as a result of an ECN, they are usually treated as a derived product, and therefore the same general procedure is used for both new development and modifications. All design change requests are reviewed to determine if there is any negative impact on product safety. This review is done by both the assigned engineer and the appropriate engineering manager. This meets SIL 3.

5.2.8 User documentation
ASCO Numatics creates the following user documentation: product catalogs [D15] and a Safety Manual [D16]. The Safety Manual was found to contain all of the required information given the simplicity of the products. The Safety Manual references the FMEDA reports, which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information.

Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities (Series 327 Solenoid Valves perform well-defined actions) and operation only by skilled operators (operators familiar with this type of valve, although this is partly the responsibility of the end-user). This meets SIL 3.

5.3 Hardware Assessment
To evaluate the hardware design of the Series 327 Solenoid Valves a Failure Modes, Effects, and Diagnostic Analysis was performed by exida. This is documented in [R1].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design. From the FMEDA, failure rates are derived for each important failure category.

All failure rate analysis results and useful life limitations are listed in the FMEDA report [R1]. The failure rates listed are valid for the useful life of the devices.

Note: as the Series 327 Solenoid Valves are only one part of a (sub)system, the SFF should be calculated for the entire final element combination. These results must be considered in combination with the PFDavg values of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraints requirements of IEC 61508-2, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.

The analysis shows that the design of the Series 327 Solenoid Valves can meet the hardware requirements of IEC 61508 SIL 2 or SIL 3, depending on the complete final element design. PFDavg and Architecture Constraints must be verified for each application.
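To make the note above concrete, here is an added worked example (not part of the exida report or of ASCO's documentation) of the three checks the end user is asked to perform: the Safe Failure Fraction of the complete final element, the Route 1H architectural constraint of IEC 61508-2 Tables 2 and 3, and a simplified 1oo1 PFDavg per IEC 61508-6 against the low demand SIL bands of IEC 61508-1. It also applies the PVST assumption from section 6, that partial stroke testing acts as an automatic diagnostic and moves part of the dangerous undetected rate into the dangerous detected rate. All failure rates are constructed illustration values, not figures from the FMEDA report [R1]; the component names, the one-year proof test interval, the 8 h MTTR and the PVST coverage are assumptions.

```python
"""Added worked example (not from the exida report): SFF, Route 1H
architectural constraint and simplified 1oo1 PFDavg for a final element
built from several components. All failure rates are constructed values."""
from dataclasses import dataclass

FIT = 1e-9  # one Failure In Time = 1e-9 failures per hour
ONE_YEAR_H = 8760  # assumed proof test interval


@dataclass(frozen=True)
class Component:
    """Failure rates of one final-element part, in FIT."""
    name: str
    lambda_s: float   # safe failures (detected and undetected)
    lambda_dd: float  # dangerous failures detected by online diagnostics
    lambda_du: float  # dangerous undetected failures


def combine(parts):
    """Series components fail independently: their rates simply add."""
    return Component(" + ".join(p.name for p in parts),
                     sum(p.lambda_s for p in parts),
                     sum(p.lambda_dd for p in parts),
                     sum(p.lambda_du for p in parts))


def sff(c):
    """Safe Failure Fraction per IEC 61508-2 ed2 (no-effect failures excluded)."""
    return (c.lambda_s + c.lambda_dd) / (c.lambda_s + c.lambda_dd + c.lambda_du)


# IEC 61508-2 Table 2 (Type A) and Table 3 (Type B), Route 1H: maximum SIL
# indexed by SFF band [<60%, 60-90%, 90-99%, >=99%] and HFT 0, 1, 2.
# 0 means the configuration is not allowed.
_ROUTE_1H = {
    "A": {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)},
    "B": {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)},
}


def sff_band(value):
    if value < 0.60:
        return 0
    if value < 0.90:
        return 1
    if value < 0.99:
        return 2
    return 3


def max_sil_architecture(c, hft=0, element_type="A"):
    """Architectural constraint: highest SIL the element may claim."""
    return _ROUTE_1H[element_type][hft][sff_band(sff(c))]


def pfd_avg_1oo1(c, proof_test_interval_h, mttr_h=8.0):
    """Simplified IEC 61508-6 1oo1 estimate: lambda_DU*TI/2 + lambda_DD*MTTR.
    Ignores repair time after a proof test and common cause, which a full
    SIF calculation must include."""
    return (c.lambda_du * FIT * proof_test_interval_h / 2
            + c.lambda_dd * FIT * mttr_h)


def sil_from_pfd(pfd):
    """Low demand mode PFDavg bands of IEC 61508-1 (SIL 1: 1e-2..1e-1, ...)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def achieved_sil(c, proof_test_interval_h, hft=0, element_type="A"):
    """The SIF is limited by the lower of the architectural constraint and
    the PFDavg band."""
    return min(max_sil_architecture(c, hft, element_type),
               sil_from_pfd(pfd_avg_1oo1(c, proof_test_interval_h)))


def apply_pvst(c, coverage):
    """Section 6 assumption: PVST run far more often than the proof test is an
    automatic diagnostic, so the covered share of lambda_DU becomes lambda_DD."""
    detected = c.lambda_du * coverage
    return Component(f"{c.name} with PVST {coverage:.0%}", c.lambda_s,
                     c.lambda_dd + detected, c.lambda_du - detected)


# Constructed illustration values (NOT from the Series 327 FMEDA report [R1]).
SOLENOID = Component("solenoid valve", lambda_s=400, lambda_dd=0, lambda_du=100)
ACTUATOR = Component("actuator", lambda_s=200, lambda_dd=0, lambda_du=300)
PROCESS_VALVE = Component("process valve", lambda_s=100, lambda_dd=0, lambda_du=600)
FINAL_ELEMENT = combine([SOLENOID, ACTUATOR, PROCESS_VALVE])

if __name__ == "__main__":
    for c in (SOLENOID, FINAL_ELEMENT, apply_pvst(SOLENOID, 0.5)):
        print(f"{c.name}: SFF={sff(c):.1%}, architecture max SIL "
              f"{max_sil_architecture(c)}, PFDavg={pfd_avg_1oo1(c, ONE_YEAR_H):.2e}, "
              f"achieved SIL {achieved_sil(c, ONE_YEAR_H)}")
```

Running it shows why the note matters: with these constructed rates the solenoid alone has an SFF of 80%, which puts it in the SIL 2 column of Table 2 at HFT 0 while its PFDavg sits in the SIL 3 band; the combined solenoid, actuator and process valve falls to an SFF of about 41%, limiting the final element to SIL 1 even though its PFDavg is still within the SIL 2 band. Crediting a 50% PVST coverage on the solenoid raises its SFF to 90% and the architectural limit to SIL 3, which is exactly the Safe Failure Fraction effect the PVST definition in section 6 describes.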

6 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3).
FIT: Failure In Time (1x10^-9 failures per hour).
FMEDA: Failure Mode Effect and Diagnostic Analysis.
HFT: Hardware Fault Tolerance.
Low demand mode: Mode where the safety function is only performed on demand and the frequency of demands made on the safety-related system is no greater than one per year (IEC 61508 ed2; the first edition additionally limited the demand frequency to twice the proof test frequency).
PFDavg: Average Probability of Failure on Demand.
PVST: Partial Valve Stroke Test. It is assumed that the Partial Stroke Testing, when performed, is automatically performed at least an order of magnitude more frequently than the proof test; therefore the test can be treated as an automatic diagnostic. Because of the automatic diagnostic assumption, the Partial Valve Stroke Testing also has an impact on the Safe Failure Fraction.
SFF: Safe Failure Fraction. Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function.
SIL: Safety Integrity Level.
SIS: Safety Instrumented System. Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element: Non-Complex element (using discrete components); for details see IEC 61508-2.
Type B element: Complex element (using complex components such as micro controllers or programmable logic); for details see IEC 61508-2.

7 Status of the Document

7.1 Liability
exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases
Version: V1
Revision: R1
Version History:
V1, R1: Released, March 25, 2013
V0, R1: Draft; March 25, 2013
Authors: Chris O'Brien
Review: V0, R1: Steven Close; March 25, 2013
Release status: Released

7.3 Future Enhancements
At request of client.

7.4 Release Signatures
Steven F. Close, Safety Engineer
Chris O'Brien, CFSE, Partner