Results of the IEC Functional Safety Assessment. ABB, Inc. Baton Rouge, LA USA


Results of the IEC 61508 Functional Safety Assessment
Project: MT5000, MT5100 and MT5200 Level Transmitter
Customer: ABB, Inc., Baton Rouge, LA USA
Contract No.: Q16-06-017
Report No.: ABB 10-02-051 R001
Version V3, Revision R1, November 1, 2016
Gregory Sauk, David Butler

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management Summary

The Functional Safety Assessment of the ABB, Inc. MT5000, MT5100 and MT5200 Level Transmitter development project, performed by exida, consisted of the following activities:
- exida assessed the development process used by ABB, Inc. through an audit and review of a detailed safety case against the exida certification scheme, which includes the relevant requirements of IEC 61508. The assessment was executed using subsets of the IEC 61508 requirements tailored to the work scope of the development team.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to verify the accuracy of the FMEDA analysis.

The functional safety assessment was performed to the SIL 3 requirements of IEC 61508:2010. A full IEC 61508 Safety Case was created using the exida Safety Case tool, which also was used as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation and safety manual also were reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The audited development process, as tailored and implemented by the ABB, Inc. MT5000, MT5100 and MT5200 Level Transmitter development project, complies with the relevant safety management requirements of IEC 61508 SIL 3.

The assessment of the FMEDA, done to the requirements of IEC 61508, has shown that the MT5000, MT5100 and MT5200 Level Transmitter can be used in a low demand safety related system in a manner where the PFDavg is within the allowed range for SIL 2 (HFT=0), according to table 2 of IEC 61508-1.

The assessment of the FMEDA also shows that the MT5000, MT5100 and MT5200 Level Transmitter meets the requirements for architectural constraints of an element such that it can be used to implement a SIL 2 safety function (with HFT = 0) or a SIL 3 safety function (with HFT = 1). This means that the MT5000, MT5100 and MT5200 Level Transmitter is capable for use in SIL 3 applications in Low demand mode when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual and when using the versions specified in section 3.1 of this document.

T-034 V5R1 80 N. Main St, Sellersville, PA 18960 Page 2 of 21

The manufacturer will be entitled to use the Functional Safety Logos. Manufacturing Facilities are located in Prairieville, LA and Shanghai, China.

Table of Contents
Management Summary ... 2
1 Purpose and Scope ... 6
1.1 Tools and Methods used for the assessment ... 6
2 Project Management ... 7
2.1 exida ... 7
2.2 Roles of the parties involved ... 7
2.3 Standards / Literature used ... 7
2.4 Reference documents ... 7
2.4.1 Documentation provided by ABB, Inc. ... 7
2.4.2 Documentation generated by exida ... 10
2.5 Assessment Approach ... 11
3 Product Description ... 12
3.1 Hardware and Software Version Numbers ... 12
4 IEC 61508 Functional Safety Assessment Scheme ... 13
4.1 Product Modifications ... 13
5 Results of the IEC 61508 Functional Safety Assessment ... 13
5.1 Lifecycle Activities and Fault Avoidance Measures ... 14
5.1.1 Functional Safety Management ... 14
5.2 Safety Requirement Specification ... 14
5.3 Change and modification management ... 15
5.4 Hardware Design and Verification ... 15
5.4.1 Hardware Design ... 15
5.4.2 Hardware Design / Probabilistic properties ... 15
5.5 Software Design ... 16
5.6 Verification ... 16
5.7 Safety Validation ... 16
5.8 Safety Manual ... 17
6 2016 IEC 61508 Functional Safety Surveillance Audit ... 18
6.1 Roles of the parties involved ... 18
6.2 Surveillance Methodology ... 18
6.2.1 Documentation provided by ABB, Inc. ... 19
6.2.2 Surveillance Documentation generated by exida ... 19
6.3 Surveillance Results ... 19
6.3.1 Procedure Changes ... 19
6.3.2 Engineering Changes ... 19
6.3.3 Impact Analysis ... 19
6.3.4 Field History ... 19
6.3.5 Safety Manual ... 19
6.3.6 FMEDA Update ... 19
6.3.7 Previous Recommendations ... 19
7 Terms and Definitions ... 20
8 Status of the document ... 21
8.1 Liability ... 21
8.2 Version History ... 21
8.3 Future Enhancements ... 21
8.4 Release Signatures ... 21

1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the:

Model - Description
- MT5000 - Guided Wave Radar Level Transmitter
- MT5100 - Guided Wave Radar Level and Interface Transmitter
- MT5200 - Guided Wave Radar Bulk Solids Level Transmitter

by exida according to the accredited exida certification scheme which includes the requirements of IEC 61508:2010.

The purpose of the assessment was to evaluate the compliance of:
- the MT5000, MT5100 and MT5200 Level Transmitter with the technical IEC 61508-2 and -3 requirements for SIL 3 and the derived product safety property requirements, and
- the MT5000, MT5100 and MT5200 Level Transmitter development processes, procedures and techniques as implemented for the safety-related deliveries with the managerial IEC 61508-1, -2 and -3 requirements for SIL 3, and
- the MT5000, MT5100 and MT5200 Level Transmitter hardware analysis, represented by the Failure Mode, Effects and Diagnostic Analysis, with the relevant requirements of IEC 61508-2.

The assessment has been carried out based on the quality procedures and scope definitions of exida. The results of this assessment provide the safety instrumentation engineer with the required failure data per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

1.1 Tools and Methods used for the assessment

This assessment was carried out using the exida Safety Case tool. The Safety Case tool contains the exida scheme which includes all the relevant requirements of IEC 61508:2010. For the fulfillment of the objectives, expectations are defined which build the acceptance level for the assessment. The expectations are reviewed to verify that each single requirement is covered. Because of this methodology, comparable assessments in multiple projects with different assessors are achieved.

The arguments for the positive judgment of the assessor are documented within this tool and summarized within this report. All assessment steps were continuously documented by exida (see [R3]).

2 Project Management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies, specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment based on 100 billion hours of field failure data.

2.2 Roles of the parties involved

- ABB, Inc. - Manufacturer of the MT5000, 5100 and MT5200 Level Transmitters
- exida - Performed the hardware assessment [R3]
- exida - Performed the Functional Safety Assessment [R1] per the accredited exida scheme.

ABB, Inc. contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1-3): 2010 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by ABB, Inc.

[D1] QM-0001D, Rev D, 10/13/2011 - K-TEK Corporation Quality Manual
[D2] QMP-0003K, Rev K, 8/19/2011 - Quality Management Plan Procedure, Control of Documents
[D3] QMP-0008D, Rev D, 1/17/2012 - Quality Management Plan Procedure, Design & Development
[D4] QMP-0010D, Rev D, 9/13/2012 - Quality Management Plan Procedure, Supplier Selection and Evaluation
[D5] QMP-0018C, Rev C, 11/27/2012 - Quality Management Plan Procedure, Control and Monitoring of Measuring Devices
[D6] QMP-0023G, Rev G, 9/13/2012 - Quality Management Plan Procedure, Control of Nonconforming Products

[D7] QMP-0026, Rev A, 3/26/2007 - Quality Management Plan Procedure, Corrective and Preventive Action
[D8] PRC0077, Rev A, 4/3/2008 - Quality Procedure, Software Coding & Style Guidelines
[D9] PRC0078, Rev A, 5/6/2008 - Quality Procedure, Software Design & Development Procedure
[D10] PRC0079, Rev A, 4/29/2008 - Quality Procedure, Functional Safety Management Plan
[D11] PRC0080, Rev A, 3/28/2008 - Quality Procedure, Safety Requirements Review Checklist
[D12] PRC0081, Rev NC, 4/22/2008 - Quality Procedure, Safety Critical Tools Qualification
[D13] PRC0082, Rev A, 4/7/2009 - Quality Procedure, R&D Group Qualification Record
[D14] FRM-0708, Rev B, 5/2/2008 - Design Project Records
[D15] PNP-0000-1, Rev NC, 4/15/2008 - Template for General Arrangement Drawings
[D16] FRM-0008, Rev NA, 2/26/2008 - New Product Release Checklist
[D17] PNP-0000-1PL, Rev NC, 4/15/2008 - Top Level Parts List Construction Table Template
[D18] PNP-0320-1, Rev NC, 4/22/08 - Template for Safety Requirements Specifications
[D19] PNP-0330-1, Rev NC, 4/24/2008 - Template for Integration & Validation Test Plan
[D20] PNP-0350-1, Rev NC, 4/24/08 - Template for Functional Safety Documentation Checklists
[D21] PNP-0362-1, Rev NC, 5/6/2008 - Template for Impact Analysis
[D22] PNP-0364-1, Rev NC, 4/29/2008 - Template for Modification & Change of Design Project Records
[D23] PNP-0370-1A, Rev A, 5/6/2008 - Template for Architecture Design Overview High Level UML & Sub Assemblies
[D24] PNP-0372-1, Rev NC, 4/22/2008 - Template for Hardware Design
[D25] PNP-0376-1, Rev NC, 4/21/2008 - Template for Software Configuration Record
[D26] PNP-0378-1, Rev NC, 4/29/2008 - Template for Software Design Review
[D27] PNP-0380-1, Rev NC, 4/29/2008 - Template for Software & Critical Code Review
[D28] PNP-0382-1, Rev NC, 4/2/2008 - Template for Architecture Design & SW HW Interface Review
[D29] PNP-0384-1, Rev NC, 3/31/08 - Template for Safety Requirements Review per PRC0080 Checklist
[D30] PNP-0388-1, Rev NC, 4/2/2008 - Template for Safety Integration & Validation Test Plan Review
[D31] PNP-0389-1, Rev NC, 4/24/2008 - Template for Safety Manual Review
[D32] PNP-0390-1, Rev NC, 4/22/2008 - Template for Integration & Validation Testing
[D33] FRM-0708B-10-001, 8/6/2010 - MT5000 Design Project Records

[D34] MT5000-0202-1, Rev F, February 2009 - Data Sheet, MT5000
[D35] MT5100-0202-1, Rev F, February 2009 - Data Sheet, MT5100
[D36] MT5200-0202-1, Rev E, January 2008 - Data Sheet, MT5200
[D37] MT5000-0200-1, Rev A, April 2009 - Installation and Operational Manual, MT5000
[D38] MT5000-0200-1f, Rev E, 4/1/2010 - MT5000 Series IOM/Safety Manual (Draft)
[D39] MT5100-0200-01, Rev NC, September 2005 - Installation and Operational Manual, MT5100
[D40] MT5200-0200-01, Rev A, March 2009 - Installation and Operational Manual, MT5200
[D41] MT5000-0220-1, Rev NC, 5/3/2010 - MT5000 Series General Specifications Requirements
[D42] MT5000-0320-1, Rev A, 6/14/2010 - MT5000 Series Safety Requirements Specification
[D43] MT5000-0330-1, Rev NC, 5/25/2010 - MT5000 Series Level Transmitters Integration and Validation Test Plan
[D44] MT5000-0332-1, Rev NC, 3/8/2010 - MT5000 Series SIL 2 Project Plan 10-001 (Phase 1)
[D45] MT5000-0362-3, Rev NC, 6/10/2010 - MT5000 Series Modification Impact Analysis
[D46] MT5000-0362-4, Rev NC, 6/22/2010 - MT5000 Series Modification Impact Analysis - BBTC3
[D47] MT5000-370-1, 8/11/2010 - MT5000 Series Architecture UML Design Overview
[D48] MT5000-0376-2, Rev NC, 6/8/2010 - MT5000 Software Configuration Record
[D49] MT5000-378-1, Rev NC, 5/20/2010 - MT5000 Software Design Review
[D50] MT5000-380-1, Rev NC, 2/20/2010 - MT5000, MT5100 & MT5200 Series Software & Safety Critical Code Review
[D51] MT5000-382-1, Rev NC, 6/20/2010 - MT5000, MT5100 & MT5200 Architecture Design & SW/HW Interface Review
[D52] MT5000-0384-1, Rev NC, 5/24/2010 - MT5000 Series Requirements Review per Checklist - Completed
[D53] MT5000-0388-1, Rev NC, 5/5/2010 - MT5000 Series SIL 2 Safety Integration and Validation Test Plan Review
[D54] MT5000-0390-1, Rev NC, 6/20/2010 - MT5000 Integration and Validation Testing Results

[D55] MT5000-0390-1A, Rev A, 6/22/2010 - MT5000 Integration and Validation Testing Results Addendum
[D56] MT5000-0390-1B, 6/24/2010 - MT5000 BBTC3 RAM tests after code correction
[D57] ELE1032, Rev B, November 7, 2005 - Block Diagram, MT5000, MT5100, MT5200, /M6 /M7 /M7A /M7B Intrinsically Safe Modules
[D58] MT5000-0000-1, Rev B, 11/11/2005 - MT5000, MT5100, MT5200 Series General Assembly and Options
[D59] Field_failure_analysis_KTEK_ABB_MT_2010-2013_Update.xls, 8/19/2013 - Field Failure Analysis PIU spreadsheet
[D60] SPM201-3000-2.efm, October 15, 2008 - Failure Modes, Effects, and Diagnostic Analysis MT5x00 Transmitter Series EPROM / Connector Board
[D61] MT2000-4000-2-jcg after FI.efm, 9/1/09 - Failure Modes, Effects, and Diagnostic Analysis MT5x00 Transmitter Series Radar Transmit/Receive Module
[D62] MT2001-5000-1-jcg after FI with added diagnostics.efm, 8/5/10 - Failure Modes, Effects, and Diagnostic Analysis MT5x00 Transmitter Series µprocessor Board
[D63] SPM201-6000-1C.efm, October 15, 2008 - Failure Modes, Effects, and Diagnostic Analysis MT5x00 Transmitter Series HART Interface Board
[D64] SPM201-7000-2B.efm, October 15, 2008 - Failure Modes, Effects, and Diagnostic Analysis MT5x00 Transmitter Series SPM201 Electronics
[D65] Probe_Assembly FMEDA R3-gps, 9/3/09 - Failure Modes, Effects, and Diagnostic Analysis MT5x00 Transmitter Series Probe Assembly
[D66] 61508 TAB, 8/4/2010 - IEC 61508 Tables: document shows all tables from IEC 61508 Annex A and B from part 2 and part 3 along with a description as to how ABB, Inc. meets each of the requirements
[D67] PMU 10, Rev G, March 5, 2013 - Supply Management Procedure
[D68] ITP 201211002, Rev 0 - Inspection Test Plan, Magnetic Level Gauge
[D69] Production Doc Package, Rev01 - Production Document Package Form
[D70] Engineering Change Documentation - Engineering Changes, including impact analysis documentation

2.4.2 Documentation generated by exida

[R1] KTEK 09-07-78 R001 V1 R3 FMEDA Report MT5x00.doc, 8/6/2010 - FMEDA Report MT5000 Series Guided Wave Radar Level Transmitters
[R2] MT5000_Fault_Injection_report_06-17-2010.xls, 6/17/10 - Fault Injection Test report for MT5x00 Series
[R3] K-TEK MT5x00 SafetyCase DB IEC61508 R2.esc, August 2010 - IEC 61508 SafetyCaseDB for MT5000, 5100 and MT5200 Level Transmitters

[R4] KTEK 10-02-051 R001 V2R1 MT5x00 IEC 61508 Assessment.doc, 11/11/2013 - IEC 61508 Functional Safety Assessment for MT5000, MT5100 and MT5200 Level Transmitter (This document)
[R5] Field_failure_analysis_KTEK_ABB_MT_2010-2013_Update.xls - Field failure analysis

2.5 Assessment Approach

The certification audit was closely driven by requirements of the exida scheme which includes subsets filtered from IEC 61508. The assessment was planned by exida and agreed with ABB, Inc. The following IEC 61508 objectives were subject to detailed auditing at ABB, Inc.:
- FSM planning, including
  o Safety Life Cycle definition
  o Scope of the FSM activities
  o Documentation
  o Activities and Responsibilities (Training and competence)
  o Configuration management
  o Tools and languages
- Safety Requirement Specification
- Change and modification management
- Software architecture design process, techniques and documentation
- Hardware architecture design - process, techniques and documentation
- Hardware design / probabilistic modeling
- Hardware and system related V&V activities including documentation, verification
  o Integration and fault insertion test strategy
- Software and system related V&V activities including documentation, verification
- System Validation including hardware and software validation
- Hardware-related operation, installation and maintenance requirements

The project teams, not individuals, were audited.

3 Product Description

The MT5000 Series Level Transmitters are a series of two-wire 4-20 mA smart devices. Each contains self-diagnostics and is programmed to send its output to a specified failure state, either high or low, upon internal detection of a failure. For safety instrumented systems usage it is assumed that the 4-20 mA output is used as the primary safety variable.

Figure 1 shows an overview of the main parts of the MT5000 Series Level Transmitters and the boundary for the Failure Modes, Effects, and Diagnostic Analysis.

[Figure 1: MT5000, MT5100, and MT5200 SIS Assembly. Block diagram of Probe, Signal Conditioning, Processor, Output Current Generation / Power Supply (4-20 mA), User Interface and HART (optional); the marked boundary shows the extent of the FMEDA.]

Table 1 gives an overview of the different versions that were considered in this assessment of the MT5000, MT5100 and MT5200 Level Transmitters.

Table 1 Models Overview
- MT5000 - Guided Wave Radar Level Transmitter
- MT5100 - Guided Wave Radar Level and Interface Transmitter
- MT5200 - Guided Wave Radar Bulk Solids Level Transmitter

The MT5000 Series Level Transmitters are classified as a Type B device according to IEC 61508, having a hardware fault tolerance of 0.

3.1 Hardware and Software Version Numbers

This assessment is applicable to the following hardware and software versions of MT5000, 5100 and MT5200 Level Transmitters:

MT5000 Series Level Transmitters
Options: 4-20 mA output, single output

Hardware:
- Processor board #: MT2001-5000-1, Revision Level: G
- Signal conditioning board #: MT2000-4000-2, Revision Level: E
- Display board #: MT5000-7000-1, Revision Level: C
- Connector board #: SPM201-3000-1, Revision Level: E
- HART board #: SPM201-6000-1, Revision Level: F

Software/Firmware: 100617 00.255

4 IEC 61508 Functional Safety Assessment Scheme

exida assessed the development process used by ABB, Inc. for this development project against the objectives of the exida certification scheme. The results of the assessment are documented in [R3][R1]. All objectives have been successfully considered in the ABB, Inc. development processes for the development.

exida assessed the set of documents against the functional safety management requirements of IEC 61508:2010. An evaluating assessor created a safety case, to argue that the relevant requirements of IEC 61508-1 to -3 have been met, based on the documented evidence provided. An independent certifying assessor then reviewed the safety case to ensure coverage of the requirements and the validity of the arguments. Additionally, an audit was performed to witness development and manufacturing environments and techniques, to ensure procedures are being followed and that certain testing is carried out successfully.

The detailed assessment evaluated the compliance of the processes, procedures and techniques, as implemented for the ABB, Inc. MT5000, 5100 and MT5200 Level Transmitters, with IEC 61508. The assessment was executed using the exida certification scheme which includes subsets of the IEC 61508 requirements tailored to the work scope of the development team. The result of the assessment shows that the MT5000, 5100 and MT5200 Level Transmitters are capable for use in SIL 3 (Systematic Capability is SC3) applications, when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual.

4.1 Product Modifications

The modification process has not yet been assessed and audited, so modifications are not currently covered by this assessment. No modifications are permitted to the certified versions of the MT5000, 5100 and MT5200 Level Transmitters without reassessment.

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by ABB, Inc. during the product development against the objectives of the exida certification scheme which includes IEC 61508 parts 1, 2, & 3 [N1]. The development of the MT5000, 5100 and MT5200 Level Transmitters was done per this IEC 61508 SIL 3 compliant development process. The Safety Case was updated with project specific design documents.

5.1 Lifecycle Activities and Fault Avoidance Measures

ABB, Inc. has an IEC 61508 compliant development process as assessed during the IEC 61508 certification. This compliant development process is documented in [D3]. This functional safety assessment evaluated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The assessment was executed using the exida certification scheme which includes subsets of IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observation: the audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

FSM Planning: The functional safety management of any ABB, Inc. Safety Instrumented Systems Product development is governed by QMP-0008B Quality Management Plan Procedure, Design & Development [D3]. ABB, Inc. has a Functional Safety Management Plan Quality Procedure, PRC0079A [D10], which is fixed but requires the creation of Design Project Records per FRM-0708 [D14] for each development; these define all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes, and the procedures referenced herein, fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control: All documents are under version control as documented in [R3] and required by the Control of Documents Quality Management Plan Procedure [D2]. Design drawings and documents are also under version control, using a version control software application.

Training, Competency recording: Personnel training records are kept in accordance with IEC 61508 requirements as documented in [R3] and PRC0082, the R&D Group Qualification Record Quality Procedure [D13]. ABB, Inc. hired exida as an independent assessor, per IEC 61508.

5.2 Safety Requirement Specification

As defined in [D10] and [D14], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. The requirements specification contains a scope and safety requirements section. For the MT5000, 5100 and MT5200 Level Transmitters, the SRS [D42] has been assessed. Safety requirements are tracked, throughout the development process, by the creation of derived requirements. Safety requirements are mapped to the design, and to the appropriate validation tests in the validation test plan [D53]. Requirements from IEC 61508-2, Table B.1 that have been met by ABB, Inc. include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.3 Change and modification management

The modification process has been successfully assessed and audited for IEC 61508:2000, but has not yet been assessed for IEC 61508:2010 requirements. ABB, Inc. may not make modifications to this product until that assessment is successfully completed.

5.4 Hardware Design and Verification

Objectives: The main objectives of the related IEC 61508 requirements are to:
- Create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).
- Ensure that the design and implementation of the E/E/PE safety-related systems meets the specified safety functions and safety integrity requirements.
- Demonstrate, for each phase of the overall, E/E/PES and software safety lifecycles (by review, analysis and/or tests), that the outputs meet in all respects the objectives and requirements specified for the phase.
- Test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.
- Integrate and test the E/E/PE safety-related systems.

5.4.1 Hardware Design

As defined in [D10] and [D14], a safety requirements specification (SRS) is created for all products that must meet IEC 61508 requirements. The requirements specification contains a scope and safety requirements section. For the MT5000, 5100 and MT5200 Level Transmitters, the SRS [D42] has been assessed. Safety requirements are tracked, throughout the development process, by the creation of derived requirements. Safety requirements are mapped to the design, and to the appropriate validation tests in the validation test plan [D53]. Requirements from IEC 61508-2, Table B.1 that have been met by ABB, Inc. include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

5.4.2 Hardware Design / Probabilistic properties

To evaluate the hardware design of the MT5000 Series Level Transmitters, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R1]. The FMEDA was verified using Fault Injection Testing as part of the development, see [R2], and as part of the IEC 61508 assessment.

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category. These results must be considered in combination with the PFDavg of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDavg for each defined safety instrumented function (SIF) to verify the design of that SIF.

The objectives of the standard are fulfilled by the ABB, Inc. functional safety management system, FMEDA quantitative analysis, and hardware development guidelines and practices.

5.5 Software Design

Software design is done according to [D3], [D10], [D14], [D8], and [D9]. The software design process includes software interface specification and detailed module design [D47], specification of configuration records [D48], design and critical code reviews [D49] and [D50], and UML specifications [D47].

Requirements from IEC 61508-3, Tables A.1 through A.5 that have been met by ABB, Inc. include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, inspection of the specification, selection of a suitable programming language, use of a defined subset of the language, and others. This meets the requirements of SIL 3.
5.6 Verification

The development and verification activities are defined in [D10] and [D14]. Verification activities include the following: Fault Injection Testing, Code Review [D50] per [D27], Checklists embedded in [D14], and FMEDA [R1]. Further verification activities are documented in [D10] and [D14] for new product development projects.

5.7 Safety Validation

Validation Testing is done via a set of documented tests (see [D10] and [D14]). The validation tests are traceable to the Safety Requirements Specification [D42] in the validation test plan [D43]. In addition to standard Test Specification Documents, third party testing may be included as part of agency approvals.

As the MT5100 Series Level Transmitters consist of simple electrical devices with a straightforward safety function, integration testing has been limited to verifying that all diagnostics take the appropriate action when they find a problem (see [D54] and [R2] for more details on this testing). Procedures are in place for corrective actions to be taken when tests fail, as documented in [R3] and [D7].

Requirements from IEC 61508-2, Table B.3 that have been met by ABB, Inc. include functional testing, project management, documentation, and black-box testing. Field experience and statistical testing via regression testing are not applicable. [D66] documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

Requirements from IEC 61508-2, Table B.5 that have been met by ABB, Inc. include functional testing and functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing. [D66] documents more details on how each of these requirements has been met. This meets SIL 3.

5.8 Safety Manual

ABB, Inc. updated the user manual for the MT5100 Series Level Transmitters and incorporated the requirements for the Safety Manual, see [D37] and [D38]. This (safety) manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508. The document includes all required reliability data and operations, maintenance, and proof test procedures.

Requirements from IEC 61508-2, Table B.4 that have been met by ABB, Inc. include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes, and operation only by skilled operators. [D66] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.

6 2016 IEC 61508 Functional Safety Surveillance Audit

6.1 Roles of the parties involved

ABB, Inc.: Manufacturer of the MT5000, 5100 and MT5200 Level Transmitters
exida: Performed the hardware assessment review
exida: Performed the IEC 61508 Functional Safety Surveillance Audit per the accredited exida scheme.

ABB, Inc. contracted exida in October 2016 to perform the surveillance audit for the above MT5000, 5100 and MT5200 Level Transmitters. The surveillance audit was conducted remotely in October 2016.

6.2 Surveillance Methodology

As part of the IEC 61508 functional safety surveillance audit, the following aspects have been reviewed:

Procedure Changes: Changes to relevant procedures since the last audit are reviewed to determine that the modified procedures meet the requirements of the exida certification scheme.

Engineering Changes: The engineering change list is reviewed to determine if any of the changes could affect the safety function of the MT5000, 5100 and MT5200 Level Transmitters.

Impact Analysis: If changes were made to the product design, the impact analysis associated with the change will be reviewed to see that the functional safety requirements for an impact analysis have been met.

Field History: Shipping and field returns during the certification period will be reviewed to determine if any systematic failures have occurred. If systematic failures have occurred during the certification period, the corrective action that was taken to eliminate the systematic failure(s) will be reviewed to determine that said action followed the approved processes and was effective.

Safety Manual: The latest version of the safety manual will be reviewed to determine that it meets the IEC 61508 requirements for a safety manual.

FMEDA Update: If required or requested, the FMEDA will be updated. This is typically done if there are changes to the IEC 61508 standard and/or changes to the exida failure rate database.

Recommendations from Previous Audits: If there are recommendations from the previous audit, these are reviewed to see if the recommendations have been implemented properly.

6.2.1 Documentation provided by ABB, Inc.

[D71] MTs with M7A_2016 hours calculated: Failure return data and shipping records
[D72] OI_MT5000-EN_H: Safety Manual

6.2.2 Surveillance Documentation generated by exida

[R6] ABB 09-07-78 R001 V1 R5 FMEDA Report MT5x00.doc, 10/27/2016: FMEDA Report MT5000 Series Guided Wave Radar Level Transmitters
[R7] DRAFT - ABB 10-02-051 R001 V3R0 61508 Assessment Report - MT5x00.docx, 10/31/2016: IEC 61508 Assessment Report (this file)
[R8] ABB 16-06-017 V1R0 61508 2010 Update Analysis MT 5x00.xlsx: Update from ed. 1 to ed. 2 Gap analysis.

6.3 Surveillance Results

6.3.1 Procedure Changes
There were no changes to the procedures during the previous certification period.

6.3.2 Engineering Changes
There were no safety-related design changes during the previous certification period.

6.3.3 Impact Analysis
There were no safety-related design changes during the previous certification period.

6.3.4 Field History
The field history of the product has been analyzed and found to be consistent with the failure rates predicted by the FMEDA.

6.3.5 Safety Manual
The safety manual was reviewed and found to be compliant with IEC 61508:2010.

6.3.6 FMEDA Update
No FMEDA update was necessary as there were no safety-related design changes during the certification period. However, the FMEDA report was updated to reflect changes made in the 2010 version of the 61508 standard and to add Route 2H.

6.3.7 Previous Recommendations
There were no previous recommendations to be assessed at this audit.

7 Terms and Definitions

exida criteria: A conservative approach to arriving at failure rates suitable for use in hardware evaluations utilizing the 2H Route in IEC 61508-2.

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3).

FIT: Failure In Time (1x10^-9 failures per hour).

FMEDA: Failure Mode Effect and Diagnostic Analysis.

HFT: Hardware Fault Tolerance.

Low demand mode: Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

High demand mode: Mode where the demand interval for operation made on a safety-related system is less than 100x the diagnostic detection/reaction interval, or where the safe state is part of normal operation.

PFDavg: Average Probability of Failure on Demand.

PFH: Probability of dangerous Failure per Hour.

Random Capability: The SIL limit imposed by the Architectural Constraints for each element.

SFF: Safe Failure Fraction. Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.

SIF: Safety Instrumented Function.

SIL: Safety Integrity Level.

SIS: Safety Instrumented System. Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Systematic Capability: Measure of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL.

Type A element: Non-Complex element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2.

Type B element: Complex element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2.
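Section 5.4.2 states that the application engineer must combine the FMEDA failure rates of each device into a PFDavg for the whole SIF before claiming a SIL. The following Python script, added here as a worked example and not part of the exida report or ABB's documentation, applies the quantities defined above: failure rates in FIT, the Safe Failure Fraction, the simplified low-demand 1oo1 PFDavg expression of IEC 61508-6 Annex B (lambda_DU x TI / 2 + lambda_DD x MTTR, with the repair time of undetected failures neglected), the sum over sensor, logic solver and final element, and the PFDavg bands of IEC 61508-1 Table 2. All failure rates, the one-year proof test interval and the 8 h MTTR are constructed sample values, not the MT5000/MT5100/MT5200 FMEDA results from [R1].

```python
"""Worked example: Safe Failure Fraction, PFDavg and SIL band for a low-demand SIF.

Added illustration only. The failure rates below are CONSTRUCTED sample values,
not the MT5000/MT5100/MT5200 FMEDA results from [R1].
"""
from dataclasses import dataclass
from typing import List

FIT = 1e-9  # one Failure In Time = 1x10^-9 failures per hour

# Low-demand PFDavg bands of IEC 61508-1 Table 2: (SIL, lower bound incl., upper bound excl.)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Element:
    """FMEDA failure-rate categories of one SIF element, all in FIT."""
    name: str
    lambda_sd: float  # safe, detected by diagnostics
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by diagnostics
    lambda_du: float  # dangerous, undetected (only found by the proof test)

    def sff(self) -> float:
        """Safe Failure Fraction: share of failures that are safe or dangerous-detected."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return (self.lambda_sd + self.lambda_su + self.lambda_dd) / total

    def pfd_avg(self, proof_test_interval_h: float, mttr_h: float = 8.0) -> float:
        """1oo1 low-demand approximation: PFDavg ~= lambda_DU*TI/2 + lambda_DD*MTTR.

        IEC 61508-6 Annex B 1oo1 expression with the mean repair time of undetected
        failures neglected; rates are converted from FIT to failures per hour.
        """
        lambda_du = self.lambda_du * FIT
        lambda_dd = self.lambda_dd * FIT
        return lambda_du * proof_test_interval_h / 2 + lambda_dd * mttr_h


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL whose PFDavg band contains pfd (0 if worse than SIL 1)."""
    if pfd < SIL_BANDS[0][1]:
        return 4  # IEC 61508 defines no level above SIL 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def sif_pfd_avg(elements: List[Element], proof_test_interval_h: float, mttr_h: float = 8.0) -> float:
    """PFDavg of a series SIF: sensor, logic solver and final element PFDavg values add."""
    return sum(e.pfd_avg(proof_test_interval_h, mttr_h) for e in elements)


# Constructed sample SIF (values chosen for illustration, not measured data).
EXAMPLE_SIF = [
    Element("level transmitter", lambda_sd=500, lambda_su=100, lambda_dd=800, lambda_du=100),
    Element("logic solver", lambda_sd=1000, lambda_su=0, lambda_dd=2000, lambda_du=20),
    Element("shutdown valve", lambda_sd=300, lambda_su=200, lambda_dd=0, lambda_du=600),
]
PROOF_TEST_INTERVAL_H = 8760.0  # assumed one-year proof test


def main() -> None:
    for e in EXAMPLE_SIF:
        pfd = e.pfd_avg(PROOF_TEST_INTERVAL_H)
        print(f"{e.name:18s} SFF={e.sff():.3f}  PFDavg={pfd:.2e}  (alone: SIL {sil_from_pfd(pfd)})")
    total = sif_pfd_avg(EXAMPLE_SIF, PROOF_TEST_INTERVAL_H)
    print(f"SIF PFDavg={total:.2e} -> SIL {sil_from_pfd(total)} achievable on PFDavg grounds")
    print("Architectural constraints (SFF/HFT) and systematic capability are checked separately.")


if __name__ == "__main__":
    main()
```

With these constructed numbers the transmitter alone sits in the SIL 3 PFDavg band, but the undetected dangerous failures of the final element push the whole SIF into the SIL 2 band, which is exactly why the Safety Manual requires the PFDavg to be calculated per SIF rather than read off a single device. The PFDavg band is only one of the three conditions for a SIL claim; the architectural constraints (SFF and HFT, Route 1H or 2H) and the systematic capability of each element must be checked as well.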

8 Status of the document

8.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

8.2 Version History

Contract Number | Report Number, version | Revision Notes
Q16/06-017 | ABB 10-02-051 R001 V3R1 | Changed city to Baton Rouge, DEB, 31-Oct-2016
Q16/06-017 | ABB 10-02-051 R001 V3R0 | Revised for surveillance assessment, D. Butler, 31-Oct-2016.
Q13/08-088 | KTEK 10-02-051 R001 V2R1 | Revised for (minor) ABB comments, D. Butler, 11-Nov-2013.
Q13/08-088 | KTEK 10-02-051 R001 V2R0 | Revised for surveillance assessment, D. Butler, 29-Oct-2013.
Q13/08-088 | KTEK 10-02-051 R001 V1R2 | Added manufacturing locations, S. Close, 11-Mar-2013.
Q10/02-051 | KTEK 10-02-051 R001 V1R1 | Released to ABB, Inc.; 27-Aug-2010
Q10/02-051 | KTEK 10-02-051 R001 V0R1 | Internal Draft; 25-Aug-2010

Review:
V2, R0: Gregory Sauk; October 30, 2013
V0, R1: Iwan van Beurden (exida); August 27, 2010

Status: Released, 10/31/2016

8.3 Future Enhancements

At request of client.

8.4 Release Signatures

David Butler, CFSE, Safety Engineer
Gregory Sauk, CFSE, Senior Safety Engineer
William M. Goble, Principal Partner