FUNCTIONAL SAFETY CERTIFICATE: IQ3 Valve Actuator manufactured by Rotork Controls Ltd


This is to certify that the IQ3 Valve Actuator manufactured by

Rotork Controls Ltd (A Division of Rotork PLC)
Brassmill Lane
Bath, BA1 3JQ
UK

have been assessed by Sira with reference to the CASS methodologies and found to meet the requirements of IEC 61508:2010, Routes 1H & 1S, Systematic Capability (SC2), as an element/subsystem suitable for use in safety related systems performing safety functions up to and including:

SIL 2 capable with HFT = 0 (1oo1)*
SIL 3 capable with HFT = 1 (1oo2)*

when used in accordance with the scope and conditions of this certificate.

* This certificate does not waive the need for further functional safety verification to establish the achieved Safety Integrity Level (SIL) of the safety related system.

Certification Manager: Wayne Thomas
Initial Certification: 26 August 2015
This certificate issued: 16 May 2017
Renewal date: 25 August 2020

This certificate may only be reproduced in its entirety, without any change.
Page 1 of 11

Product description and scope of certification

The IQ3 SIL range is a family of electric valve actuators categorized by output torque and speed, powered by a three-phase supply. The scope of the certificate is based on the assessment of the three-phase (IQ) type. The IQ3 SIL range is designed to provide local and remote operation of industrial valves and dampers of all types. As well as providing normal process control of valves, remote control may include emergency shutdown (ESD) operation to open or close a valve, or to ensure a valve does not move spuriously, as a priority.

The IQ3 SIL design comprises a gearcase and covers cast in LM20/25 aluminium alloys, bolted to a cast iron base providing connection to the valve or gearbox. Output movement is derived from an electric motor driving a worm and wheel gear running in an oil bath. The motor is controlled by an electronic control module incorporating provision for internal control power and motor switching. Actuators include a hand/auto clutch-engaged handwheel for manual operation in case of loss of power supply.

IQ3 SIL actuators are designed to operate in standard form from -40 °C to +70 °C, with options down to -50 °C. SIL variants are only supported from -40 °C to +70 °C. In addition, builds are certified for use in hazardous areas under the ATEX directive, the international IECEx scheme, and the North American NFPA NEC and CSA standards.

Figure 1. IQ3 SIL Valve Actuators.

Modules in the equipment

The assessment of the IQ3 SIL actuator has been grouped by electronic modules and mechanical modules.

Module one: Electronic Module
The electronic modules of the IQ3 actuator comprise the following:
a) Absolute Encoder
b) User Interface Board
c) Control Board
d) Power Supply module (including motor switching module)

Module two: Mechanical Module
The mechanical modules of the IQ3 SIL actuator comprise the following:
a) Electronics Interface - looms/connectors
b) Terminal Bung
c) Electronics Cover
d) Terminal Cover
e) Gearbox
f) Base
g) Manual hand wheel
h) Drive Motor
i) Piezo torque sensor

IQ3 SIL Variant Actuator Safety Functions

The safety function of the certified equipment consists of two safety functions:

Safety Function 1: Stayput (high demand)
In static mode: The actuator shall not move without a valid Motor Enable control signal combined with a valid remote Open, Closed or ESD signal.
In dynamic mode: The actuator shall stop its function if the Motor Enable signal is removed.
Note: Motor Enable is also known as Drive Enable.

Safety Function 2: Willmove (low demand)
The actuator shall operate as configured (Open, Close or Stayput) with a valid ESD control signal.
Note: The configured actions (Open, Close or Stayput) are pre-determined by the user.

Certified Data in support of use in safety functions

The assessment has been carried out with reference to the Conformity Assessment of Safety-related Systems (CASS) methodology using the Route 1H approach. As part of the product assessment, and as supporting evidence of conformity in respect of hardware safety integrity against the requirements of IEC 61508, Rotork have submitted the IQ3 SIL Actuator for FMEA verification to attain SIL 2 capability. The component failure rates have been sourced by Rotork using the RIAC Automated Databook, IEC TR 62380, the Handbook of Reliability Prediction Procedures for Engineers (RPPFME) and manufacturers' data. The failure modes allocated to components in the Rotork FMEA were appropriately implemented as required in IEC 61508. The IQ3 SIL Actuator has been verified in 5 size variants (1, 2, 3, 4 and 5). Tables 1 to 5 summarize the FMEA verification for each variant size; the size translation is given below.
Size translation:
Size 1: IQ10, IQ12, IQ18
Size 2: IQ19, IQ20, IQ25
Size 3: IQ35
Size 4: IQ40, IQ70
Size 5: IQ90, IQ91, IQ95

Table 1. The assessment of the IQ3 SIL Actuator sizes 1 to 5 in 1oo1 & 1oo2 configurations achieved the following results for safety function 1 (Stayput).

Safety Function 1, in static mode: The actuator shall not move without a valid Motor Enable control signal combined with a valid remote Open, Closed or ESD signal.
Note: The above configuration of the SF is considered for the remote control option.

Summary of IEC 61508 clauses (columns: IQ3 SIL sizes 1-3 and sizes 4-5 at HFT=0, with verdict; IQ3 SIL sizes 1-3 and sizes 4-5 at HFT=1, with verdict):
Architectural constraints & type of product (A/B): HFT=0 Type B; HFT=1 Type B
Safe Failure Fraction (SFF): HFT=0: 96% (sizes 1-3), 95% (sizes 4-5), verdict SIL 2; HFT=1: 96% (sizes 1-3), 95% (sizes 4-5), verdict SIL 3
λdd / λdu: Size e-7, Size e-7, Size e e-5, Size e-7, Size e
λsd / λsu: e
Diagnostic coverage (DC): 0%, 0%, 0%, 0%
Average frequency of dangerous failure (high demand, PFH): HFT=0: 5.00e e-7, verdict SIL; HFT=1: e e-8, verdict SIL 3
Route 1H systematic safety integrity / Route 1S Systematic Capability (SC1, SC2, SC3, SC4): SC2 (HFT=0); SC3 (HFT=1)
Achieved: SIL 2 high demand, HFT=0 (1oo1); SIL 3 high demand, HFT=1 (1oo2)

Table 2. The assessment of the IQ3 SIL Actuator sizes 1 to 5 with the use of a powered operation test (TPVST = 6 months) achieved the following results for safety function 2.

Safety Function 2: The actuator shall operate as configured (Open, Close or Stayput) with a valid ESD control signal.
Note: The configured actions (Open, Close or Stayput) are pre-determined by the user.

Summary of IEC 61508 clauses (columns: IQ3 SIL Size 1, Size 2, Size 3, Size 4, Size 5; verdict):
Architectural constraints & type of product (A/B): HFT=0 (1oo1), Type B
Safe Failure Fraction (SFF): 98%, 97%, 97%, 98%, 97%; verdict SIL 2
λdd / λdu: 7.34E E E E E E E E E E-06
λsd / λsu: 1.98E E E E E E E E E E-05
Diagnostic coverage (DC): 30%, 28%, 29%, 31%, 37%
PFDavg, PTI = 1 yr, MTTR = 24 hrs, no PVST: 7.5E-03 (SIL 2), 8.7E-03 (SIL 2), 8.3E-03 (SIL 2), 7.8E-03 (SIL 2), 1.1E-02 (SIL 1); see table 2
PFDavg, TPVST = 6 months, MTTR = 24 hrs, with PVST: 4.0E-3, 4.6E-3, 4.4E-3, 4.1E-3, 5.8E-3; verdict SIL 2
Route 1H systematic safety integrity / Route 1S Systematic Capability (SC1, SC2, SC3, SC4): SC2 (HFT=0); SC3 (HFT=1)
Achieved: Sizes 1, 2, 3, 4 & 5 achieved SIL 2 (low demand, HFT=0) for TPVST = 6 months.

Table 3. The assessment of the IQ3 Valve Actuator sizes 1 to 5 with the use of a powered operation test (TPVST = 6 months) achieved the following results for safety function 2 (Will move) in redundant mode.

Safety Function 2: The actuator shall operate as configured (Open, Close or Stayput) with a valid ESD control signal.
Note: The configured actions (Open, Close or Stayput) are pre-determined by the user.

Summary of IEC 61508 clauses (columns: IQ3 SIL Size 1, Size 2, Size 3, Size 4, Size 5; verdict):
Architectural constraints & type of product (A/B): HFT=1 (1oo2), Type B
Common cause factor: β = 5%
Safe Failure Fraction (SFF): 98%, 97%, 97%, 98%, 97%; verdict SIL 3
PFDavg with PVST, TPVST = 6 months, MTTR = 24 hrs: 1.9E-5, 2.5E-5, 2.3E-5, 2.0E-5, 4.1E-5; verdict SIL 4
Route 1H systematic safety integrity / Route 1S Systematic Capability (SC1, SC2, SC3, SC4): SC2 (HFT=0); SC3 (HFT=1)
Achieved: Sizes 1, 2, 3, 4 & 5 achieved SIL 3 (low demand, HFT=1)

Table 4. The assessment of the IQ3 SIL Actuator sizes 1 to 5 without the use of a powered operation test (PVST) achieved the following results for safety function 2 (Will move).

Safety Function 2: The actuator shall operate as configured (Open, Close or Stayput) with a valid ESD control signal.
Note: The configured actions (Open, Close or Stayput) are pre-determined by the user.

Summary of IEC 61508 clauses (columns: IQ3 SIL Size 1, Size 2, Size 3, Size 4, Size 5; verdict):
Architectural constraints & type of product (A/B): HFT=0 (1oo1), Type B
Safe Failure Fraction (SFF): 98%, 97%, 97%, 98%, 97%; verdict SIL 2
λdd / λdu: 7.34E E E E E E E E E E-06
λsd / λsu: 1.98E E E E E E E E E E-05
Diagnostic coverage (DC): 30%, 28%, 29%, 31%, 37%
PFDavg, PTI = 8760 hrs, MTTR = 8 hrs: sizes 1-4: 7.5E E E E-03 (SIL 2); size 5: 1.1E-02 (SIL 1)
Route 1H systematic safety integrity / Route 1S Systematic Capability (SC1, SC2, SC3, SC4): SC2 (HFT=0); SC3 (HFT=1)
Achieved: Sizes 1, 2, 3 & 4 achieved SIL 2 (low demand, HFT=0); Size 5 achieved SIL 1 with HFT=0

Table 5. The assessment of the IQ3 SIL Actuator sizes 1 to 5 without the use of a powered operation test (PVST) achieved the following results for safety function 2 (Will move) in redundant mode.

Safety Function 2: The actuator shall operate as configured (Open, Close or Stayput) with a valid ESD control signal.
Note: The configured actions (Open, Close or Stayput) are pre-determined by the user.

Summary of IEC 61508 clauses (columns: IQ3 SIL Size 1, Size 2, Size 3, Size 4, Size 5; verdict):
Architectural constraints & type of product (A/B): HFT=1 (1oo2), Type B
Common cause factor: β = 5%
Safe Failure Fraction (SFF): 98%, 97%, 97%, 98%, 97%; verdict SIL 3
PFDavg, PTI = 8760 hrs, MTTR = 24 hours: 4.5E E-4, 5.0E-4, 4.7E E-04; verdict SIL 3
Route 1H systematic safety integrity / Route 1S Systematic Capability (SC1, SC2, SC3, SC4): SC2 (HFT=0); SC3 (HFT=1)
Achieved: Sizes 1, 2, 3, 4 & 5 achieved SIL 3 (low demand, HFT=1)

Table 6 shows the summary of the verified powered operation (VPO) with respect to various PFD values for safety function 2 (Will move) for HFT=0.

Table 6 columns: Powered Operation Test Interval (Months) | Hours | PFD values for HFT = 0 (1oo1), Size 1 | Size 2 | Size 3 | Size 4 | Size 5. (The PFD entries did not survive transcription; the certified values for TPVST = 6 months are those given in Table 2.)

Note 1: Verified powered operation means any suitable operation, including either a PVST (partial valve stroke test) or any operation of the actuator in both directions (open and closed), that can be confirmed to have operated correctly.

Note 2: Attaching optional HW cards does not impact the operation of the safety function and they are not part of the assessment.

Note 3: Assumptions used in the FMEA
1) Numerical failure data in this report based on the FMEA assume that failure rates are constant. Infant mortalities and wear-out mechanisms are not included.
2) Figures derived from the FMEA are random hardware failures. Systematic hardware failures (such as installation or maintenance errors) are not accounted for in the FMEA but are assessed qualitatively in this report and reviewed in the safety manual.
3) All components that are not part of the safety function are excluded from the FMEA; components that play no part in the safety function, and therefore whose failure does not affect the safety function (either dangerous failure or spurious trip), are classified as no-part failures and do not therefore contribute to the SFF.
4) An estimated partial test coverage of 95% has been taken for the partial valve stroke testing.
5) The PFDavg calculation is based on the assumption that the PVST will be carried out every TPVST = 6 months.
6) The FMEA has included the hardware that performs the PVST function; the software assessment completed in conjunction with this project has also included the PVST functionality.

The failure data above is supported by the base information given in Table 7 below.
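The tables and Note 3 above show how the certified PFDavg figures depend on the full proof test interval (PTI), the partial-test coverage and interval (95%, TPVST = 6 months), the MTTR and, for the redundant architecture, the common cause factor β = 5%. The following Python script is an added example, not part of the certificate or of Rotork's or Sira's material: it applies the simplified IEC 61508-6 Annex B formulas for a 1oo1 and a 1oo2 architecture, splitting the dangerous undetected failure rate into the part revealed by the partial test and the remainder that waits for the full proof test, and maps the result to a low-demand SIL band. The failure rates, the βD = 2.5% value and the assumption MRT = MTTR are constructed illustration inputs, not the certified IQ3 data; only the 95% coverage, the 24 h MTTR and the 1 year PTI are taken from the certificate.

```python
"""PFDavg for a low-demand safety function with and without a partial
(powered-operation) test, using the simplified IEC 61508-6 Annex B formulas.
All failure rates in this file are constructed illustration values."""

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lam_du, lam_dd, t_proof_h, mttr_h, pst_coverage=0.0, t_pst_h=None):
    """PFDavg of a single channel (HFT=0).

    lam_du       dangerous undetected failure rate (per hour)
    lam_dd       dangerous detected failure rate (per hour)
    t_proof_h    full proof test interval (hours)
    mttr_h       mean time to restoration (hours); MRT is taken equal to MTTR
    pst_coverage fraction of lam_du revealed by the partial test (0..1)
    t_pst_h      partial test interval (hours); required when coverage > 0

    The DU rate is split: the covered part is revealed at the partial-test
    interval, the remainder only at the full proof test. DD failures are
    repaired within MTTR.
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("partial test coverage must be in [0, 1]")
    if pst_coverage > 0.0 and t_pst_h is None:
        raise ValueError("a partial-test interval is required when coverage > 0")
    uncovered = lam_du * (1.0 - pst_coverage)
    pfd = uncovered * (t_proof_h / 2.0 + mttr_h) + lam_dd * mttr_h
    if pst_coverage > 0.0:
        pfd += lam_du * pst_coverage * (t_pst_h / 2.0 + mttr_h)
    return pfd


def pfd_avg_1oo2(lam_du, lam_dd, t_proof_h, mttr_h, beta, beta_d):
    """PFDavg of a redundant 1oo2 pair (HFT=1), IEC 61508-6 B.3.2.2.2, no
    partial test. beta / beta_d are the common cause factors for undetected
    and detected dangerous failures; MRT is taken equal to MTTR."""
    lam_d = lam_du + lam_dd
    t_ce = (lam_du / lam_d) * (t_proof_h / 2.0 + mttr_h) + (lam_dd / lam_d) * mttr_h
    t_ge = (lam_du / lam_d) * (t_proof_h / 3.0 + mttr_h) + (lam_dd / lam_d) * mttr_h
    independent = 2.0 * ((1.0 - beta_d) * lam_dd + (1.0 - beta) * lam_du) ** 2 * t_ce * t_ge
    common_cause = beta_d * lam_dd * mttr_h + beta * lam_du * (t_proof_h / 2.0 + mttr_h)
    return independent + common_cause


def sil_for_pfd(pfd):
    """Low-demand SIL band (IEC 61508-1 Table 2); 0 means worse than SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def pvst_sweep(lam_du, lam_dd, coverage, months_list, t_proof_h=HOURS_PER_YEAR, mttr_h=24.0):
    """PFDavg of a 1oo1 channel for each partial-test interval given in months,
    in the layout of a test-interval versus PFD table."""
    return {
        m: pfd_avg_1oo1(lam_du, lam_dd, t_proof_h, mttr_h, coverage, m * HOURS_PER_YEAR / 12.0)
        for m in months_list
    }


# Constructed illustration inputs (not the certified IQ3 figures).
LAM_DU = 1.0e-6   # dangerous undetected, per hour
LAM_DD = 5.0e-7   # dangerous detected, per hour (DC about 33%)
COVERAGE = 0.95   # partial test coverage, as in Note 3 of the certificate
BETA, BETA_D = 0.05, 0.025  # common cause factors; beta_d is an assumption

if __name__ == "__main__":
    base = pfd_avg_1oo1(LAM_DU, LAM_DD, HOURS_PER_YEAR, 24.0)
    print(f"1oo1, no partial test:          {base:.2e}  SIL {sil_for_pfd(base)}")
    for months, pfd in pvst_sweep(LAM_DU, LAM_DD, COVERAGE, [1, 3, 6, 12]).items():
        print(f"1oo1, partial test every {months:2d} mo: {pfd:.2e}  SIL {sil_for_pfd(pfd)}")
    red = pfd_avg_1oo2(LAM_DU, LAM_DD, HOURS_PER_YEAR, 24.0, BETA, BETA_D)
    print(f"1oo2, beta=5%, no partial test: {red:.2e}  SIL {sil_for_pfd(red)}")
```

With these inputs the 1oo1 channel sits in the SIL 2 band with or without the partial test, and the 6-month partial test roughly halves PFDavg; a 12-month partial test coincides with the proof test and changes nothing, which is why the sweep reproduces the no-test value there. The 1oo2 result is dominated by the β·λDU common cause term rather than by the independent dual-failure term, which is the usual reason a redundant pair lands in SIL 3 instead of SIL 4.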

Table 7.
1 Product identification: IQ3 SIL Actuators, sizes (1 to 5)
2 Functional specification: When the ESD signal is removed the IQ3 SIL actuator shall perform the pre-determined commissioned ESD action.
3-5 Failure rates: Refer to the previous tables above
6 Environment limits: Temperature range -40 °C to +70 °C operational
7 Lifetime/replacement limits: 10 years, or Sizes IQ10 - IQ35: 500,000 output turns; Sizes IQ40 - IQ95: 250,000 output turns (whichever occurs first)
8 Proof test requirements: Refer to Safety Manual
9 Maintenance requirements: Refer to Safety Manual
10 Diagnostic coverage: Refer to the previous tables above
11 Diagnostic test interval: Testing of powered operation is claimed with a partial test coverage of 95%; this test must be completed every 6 months in conjunction with the safety manual.
12 Repair constraints: None, other than within the I, O & M instructions
13 Safe Failure Fraction: Refer to the previous tables above
14 Hardware fault tolerance (HFT): (1oo1)
15 Highest SIL (architecture/type A/B): Type B, SIL 2, HFT=0 (1oo1)
16 Systematic failure constraints: IQ3 SIL is software controlled.
17 Evidence of similar conditions in previous use: Not applicable
18 Evidence supporting the application under different conditions of use: Not applicable
19 Evidence of period of operational use: Not applicable
20 Statement of restrictions on functionality: Not applicable
21 Systematic capability: Up to SC2 (HFT=0) and SC3 (HFT=1)
22 Systematic fault avoidance measures: Refer to systematic failures introduced during the realisation lifecycle, IEC 61508 parts 2 and 3.
23 Systematic fault tolerance measures: Assessment done for HFT=1; Annex A of IEC 61508 part 2 has been verified, including the referenced clause.
24 Validation records: Functional testing assessed in Sira reports.
25 Firmware records (SIL): V101.0, V103.0, V104.0 (latest version)

Management of functional safety

The assessment has demonstrated that the product is supported by an appropriate functional safety management system that meets the relevant requirements of IEC 61508:2010 clause 6.

Software lifecycle assessment

The assessment has demonstrated that the product is supported by an appropriate functional safety related assessment to part 3 of IEC 61508:2010, based on Route 1S. The assessment was based on software verification, audit and document review against the architectural constraints requirement, where the highest safety integrity level selected is SIL 3 under HFT = 1. This certificate is applicable to the modules with the installed software shown below.

Component: SIL Controller
Firmware revision: V103.0, V104.0 (latest version)

Identification of certified equipment

The certified equipment and its safe use is defined in the manufacturer's documentation listed in Table 8 below.

Table 8: Certified documents (Sira Ref | Document no. | Rev | Date | Document description)
FS01 | All Mods IQ35 | 1 | 20/05/2014 | Bill of materials for the mechanical module; BOM exploded, size variants 1, 2 and 3
FS02 | All Mods IQ95 | 1 | 14/05/2014 | Bill of materials for the mechanical module; BOM exploded, size variants 4 and 5
FS | LOP | 1 | 29/04/2014 | Bill of materials for the absolute encoder
FS | LOP | 1 | 16/10/ | Bill of materials for the control board (LOP 5)
FS | LOP | 2 | 24/02/ | Bill of materials for the user interface board (LOP 1)
FS | LOP | 2 | 29/11/2013 | Bill of materials for the power module, sizes 1, 2 and 3
FS | LOP | 2 | 29/11/2013 | Bill of materials for the power module, sizes 4 and 5
FS08 | ED | | /12/2013 | Schematic for absolute encoder
FS09 | ED, ED | | /04/2014 | Schematic for control board
FS10 | ED, ED | | 20/06/2014 | Schematic for user interface board
FS11 | ED | | /04/2013 | Schematic for power module, sizes 1, 2 and 3
FS12 | ED | | /04/2013 | Schematic for power module, sizes 4 and 5
FS | LOP | 1 | | Client completed impact analysis
FS | manual PUB | New SW version | 02/16; 07/17 | IQ3 SIL actuator functional safety manual

Conditions of Certification

The validity of the certified base data is conditional on the manufacturer complying with the following conditions:
1. The manufacturer shall analyse failure data from returned products on an on-going basis. Sira Certification Service shall be informed in the event of any indication that the actual failure rates are worse than the certified failure rates. (A process to rate the validity of field data should be used. To this end, the manufacturer should co-operate with users to operate a formal field-experience feedback programme.)
2. Sira shall be notified in advance (with an impact analysis report) before any modifications to the certified equipment or to the functional safety information in the user documentation are carried out. Sira may need to perform a re-assessment if modifications are judged to affect the product's functional safety certified herein.
3. On-going lifecycle activities associated with this product (e.g., modifications, corrective actions, field failure analysis) shall be subject to surveillance by Sira in accordance with the Regulations Applicable to the Holders of Sira Certificates.

Conditions of Safe Use

The validity of the certified base data in any specific user application is conditional on the user complying with the following conditions:
1. Selection of this equipment for use in safety function applications, and its installation, configuration, overall validation, maintenance and repair, shall only be carried out by competent personnel observing the manufacturer's conditions and recommendations in the user safety manual documentation.
2. All information associated with any field failures of this product should be collected under a dependability management process (e.g., IEC ) and reported to the manufacturer.
3. The proof test interval is set to 1 year. Use of the powered operation function for partial test coverage is also applicable, as stated above.

General Conditions and Notes
1. This certificate is based upon a functional safety assessment of the product described in Sira Test & Certification Assessment Reports R A_IQ3SIL_v1.0, R B_IQ3SIL_v1.0, R C_v1.0 and R C_SW_mod_RevC.
2. If the certified product or system is found not to comply, Sira should be notified immediately at the address shown on this certificate.
3. The use of this Certificate and the Sira Certification Mark that can be applied to the product or used in publicity material are subject to the Regulations Applicable to the Holders of Sira Certificates and the Supplementary Regulations Specific to Functional Safety Certification.
4. This document remains the property of Sira and shall be returned when requested by the issuer.
5. The IQ3 SIL range of actuators has a local display to indicate the percentage position and has volt-free relay contacts to allow remote indication of safe and dangerous failures. These relays are purely for indication and are not considered in the implementation of the safety functions.
6. The actuator can only perform its safety function in the presence of a mains supply. Therefore, the integrity of this supply is to be ensured by the end user.
7. No part of the functional safety related aspects stated in the instruction manual shall be changed without approval of the certification body.

Certificate History (Issue | Date | Report no. | Comment)
00 | 21/07/2015 | R A, R56A33000A & R B | Certificate issued for safety function 2, Willmove
01 | /10/2015 | R A_IQ3SIL_v1.0, R B_IQ3SIL_v1.0 and R C rev 0.6 | Certificate issued for updated validation results, review of FMEA and safety functions 1 & 2
02 | 08/12/2015 | R A_IQ3SIL_v1.0, R B_IQ3SIL_v1.0 and R C rev 0.6 | Certificate updated to correct table
03 | 16/05/2017 | R C_SW_mod_RevC | Certificate updated to reflect new software revision (V104.0) and the addition of IQ19 to size category 1