IEC 61508 Functional Safety Assessment

Project: Mark VIe PPRO Protection Module
Customer: General Electric, Salem, VA USA
Contract No.: Q12/05-045r1
Report No.: GE 12-05-045 R001
Version V1, Revision R2, November 1, 2013

John Yozallinas

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.
Management Summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the:

PPRO Protection Module

The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by General Electric through an audit and creation of a detailed safety case against the requirements of IEC 61508.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at General Electric.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, up to SIL 3. A full IEC 61508 Safety Case was prepared using the exida SafetyCase Workbook tool as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was also reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The Mark VIe PPRO Protection Module was found to meet the requirements of SIL 3. The PFDavg and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function.

The manufacturer will be entitled to use the Functional Safety Logo. The manufacturer may use the mark:

T-034 V2R4 www.exida.com Page 2 of 18
Table of Contents

Management Summary ... 2
1 Purpose and Scope ... 4
2 Project management ... 5
2.1 exida ... 5
2.2 Roles of the parties involved ... 5
2.3 Standards / Literature used ... 5
2.4 Reference documents ... 5
2.4.1 Documentation provided by General Electric ... 5
2.4.2 Documentation generated by exida ... 9
3 Product Description ... 10
4 IEC 61508 Functional Safety Assessment ... 11
4.1 Methodology ... 12
4.2 Assessment level ... 12
4.3 Product Modifications ... 13
4.4 Lifecycle Activities and Fault Avoidance Measures ... 13
4.4.1 Functional Safety Management ... 13
4.4.2 Safety Requirements Specification and Architecture Design ... 14
4.4.3 Design ... 14
4.4.4 Validation ... 14
4.4.5 Verification ... 15
4.4.6 Modifications ... 15
4.4.7 User Documentation ... 15
4.5 Hardware Assessment ... 16
5 Terms and Definitions ... 17
6 Status of the document ... 18
6.1 Liability ... 18
6.2 Releases ... 18
6.3 Future Enhancements ... 18
6.4 Release Signatures ... 18
1 Purpose and Scope

This document shall describe the results of the IEC 61508 functional safety assessment of the General Electric PPRO protection module by exida according to the requirements of IEC 61508: ed2, 2010. The details of this module are shown in Table 1:

Table 1 PPRO Protection Module Components and Sub-components

Catalog Number | Description | Rev
IS220PPROS1B | I/O Pack Assembly | B
IS220BPPCS1AC | I/O Pack Processor Card | AC
IS200BPROS1BA | Turbine Protection Application Cards | BA
IS210TPROS1C | Emergency Protection 24 V dc | CB
IS210TREGS2B | Emergency Trip 24 V dc | BD
IS210TREGS1B | Emergency Trip 125 V dc | BD
IS210TREGS3/4/5B | Emergency Trip 125 V dc Special 28 V power | BD

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

Note: As defined by IEC 61508, IS220PPROS1B is a Type B element. IS200TPRO and IS200TREG are Type A elements.
2 Project management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

General Electric | Manufacturer of the Mark VIe PPRO Protection Module
exida | Performed the hardware assessment
exida | Performed the IEC 61508 Functional Safety Assessment

General Electric contracted exida with the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1-7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by General Electric

ID | Document | Version | Date
D001 | [Quality Manual] | |
D003 | GE Energy - Salem - Files - C&PE COE Development Process CPE 7.3-1 DEV.doc | 2.4 | 1/11/2011
D004a | GE Energy - Salem-Files-FPGA Configuration Management Procedure.docx | 1 | 1/18/2010
D004b | GE Energy - Salem-Files-PWA Component Configuration Control CPE 7.3.7-3 PWA.docx | 1 | 7/18/2011
D004c | GE Energy - Salem-Files-PWA Change Control Process CPE 7.3.7-1 PWA.doc | 4 | 3/19/2010
D005 | GE Energy - Salem-Files-PW-170.2_Product_Safety_Reactive_Process.pdf | 1.1 | 3/26/2013
D007 | GE Energy - Salem-Files-Supplier Qualification Process SRCWI 7_4_2.pdf | 1.2 | 6/4/2013
D007a | GE Energy - Salem-Files-P28A-AL-0002_K.pdf | K | 7/3/2012
D016 | GE Energy - Salem-Files-Peer Review Record Instructions.docx | 2.4 | 12/10/2010
D018 | GE Energy - Salem - Files - Product Service Bulletin CPE 8_2_1 PS.pdf | 1.2 | 6/28/2011
D022 | GE Energy - Salem-Files-ECT Logic Design Process.docx | 1.1 | 11/13/2012
D023 | GE Energy - Salem-Files-PWA Change Control Process CPE 7.3.7-1 PWA.doc | 4 | 3/19/2010
D023a | GE Energy - Salem-Files-ECR Request #85019825.pdf | NA | 7/11/2013
D026 | GE Energy - Salem - Files - Mark VIe PPRA-PPRO Functional Safety Plan 010102.docx | 01.01.02 | 8/5/2013
D036 | GE Energy - Salem-Files- ISO9001_CDC.pdf | Issue 3 | 12/12/2011
D038 | GE Energy - Salem-Files-ECT Approved Logic Toolsx.pdf | 1.1 | 11/13/2012
D040 | GE Energy - Salem - Files - Mark VIe PPRO BPPC SRS 010204.pdf | 1.02.04 | 8/28/2013
D041 | GE Energy - Salem-Files-SPR Protection Packs (PPRO, PPRA, PTUR) Meeting Minutes (22, 28 Jan 2013).pdf | NA | 1/31/2013
D041a | GE Energy - Salem-Files-Protection Packs SPR Outline.docx | NA | 1/9/2012
D041b | GE Energy - Salem-Files-eDR-eDRB Screen Capture Page.docx | NA | 8/20/2013
D042 | GE Energy - Salem - Files - PPRO FPGA Reqmts rev 1.8.pdf | 1.8 | 9/3/2013
D045 | GE Energy - Salem-Files-PPROS1B Protection Module Architectural Overview.pptx | NA | 5/10/2013
D045a | GE Energy - Salem-Files-PPRO Protection Module Architectural Overview.pdf | 1.00.07 | 9/4/2013
D047 | GE Energy - Salem-Files-bppc input power.pdf | IS200BPPC H#AAA-S | 9/26/2011
D047a | GE Energy - Salem-Files-treg CI volt protection.pdf | IS200TREG S#BD | 6/21/2006
D047b | GE Energy - Salem-Files-tpro Speed Inputs volt protection.pdf | IS200TPRO H_CPR2S | 11/13/2012
D053 | GE Energy - Salem-Files-PPRO SIL Architectural Review Meeting Minutes 10 Dec 2012.msg | NA | 12/11/2012
D059 | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc | V01.00.17 | 7/31/2013
D059a | GE Energy - Salem-Files-GE Q060512 R001 V004 Mark VIe Fault Injection Test.pdf | V0, R0.2 | 6/8/2006
D059b | GE Energy - Salem-Files- S6_sem_v3_5_test_report v1 2.pdf | 1.2 | 5/1/2014
D060a | GE Energy - Salem-Files-ECT Verilog Source Code Standardsx.pdf | 1.2 | 11/13/2012
D067 | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc | V01.00.17 | 7/31/2013
D067a | GE Energy - Salem - Files - Status Review Protection Pack Testing Meeting Minutes 8 May 2013.pdf | NA | 5/8/2013
D068 | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc | V01.00.17 | 7/31/2013
D069 | GE Energy - Salem-Files-PPRO Safety Validation & Verification Test Plan 010007.xls | 01.00.06 | 8/1/2013
D069a | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc | V01.00.17 | 7/31/2013
D070 | GE Energy - Salem - Files - PPRO Test Plan Review Meeting Minutes 3 Apr 2013.pdf | NA | 4/3/2013
D071 | GE Energy - Salem-Files-HALT_TPRO_13-May-08.xls | N/A | 5/13/2008
D071b | GE Energy - Salem-Files-BPPC_HALT_18NOV2010.xls | NA | 12/13/2010
D074 | GE Energy - Salem-Files-PPRO_SIL-TPRO-TREG Validation Summary SIL V0407.UCSB.xlsx | V0407 | 5/29/2013
D076 | GE Energy - Salem-Files-DoC_MarkVe_VIe_S_16_May_2013.pdf | NA | 5/16/2013
D078 | GE Energy - Salem-Files-GEH-6721V_Vol_I.pdf | V | 6/1/2013
D078b | GE Energy - Salem-Files-PPRO GEI-100596 Pack Replacement.pdf | N/A | 6/27/2013
D078c | GE Energy - Salem - Files - GEH-6721V_Vol_II.pdf | V | 6/27/2013
D079 | GE Energy - Salem-Files-GEI-100709_Aug21.pdf | N/A | 8/21/2013
D087 | GE Energy - Salem-Files-test_bed.v | N/A | 3/28/2013
D087b | GE Energy - Salem-Files-codecoverage_screenshot.docx | N/A | 7/17/2013
D088 | GE Energy - Salem-Files-_build.cmdx | N/A | 7/17/2013
D089 | GE Energy - Salem-Files-pprofpga.par | N/A | 3/28/2013
D090 | GE Energy - Salem-Files-ug116.pdf | 9.4 | 5/13/2013
D091 | GE Energy - Salem-Files-ug393.pdf | 1.3 | 10/17/2012
D092 | GE Energy - Salem-Files-pprofpga.srr | NA | 3/28/2013
D093 | GE Energy - Salem-Files-pprofpga.bld | NA | 8/20/2013
D094 | GE Energy - Salem-Files-map.mrp | NA | 3/28/2013
D095 | GE Energy - Salem-Files-pprofpga.par | NA | 3/38/2013

2.4.2 Documentation generated by exida

[R1] GE 12-05-045 R001 V1R1 Assessment PPRO.doc, 1-Nov-13 | IEC 61508 Functional Safety Assessment for PPRO Protection Module (This document)
[R2] PPRO FMEDA Summary for updated FPGA design 06072013.xls | Failure Modes, Effects and Diagnostics Analysis worksheet for Mark VIe PPRO
[R3] GE PPRO SafetyCase V1R6 Final WB-61508, Nov. 1, 2013 | PPRO Safety Case Workbook
3 Product Description

The PPRO Protection Module provides independent overspeed, E-Stop and Trip Interlock contact input protection. The PPRO protection module operates as an independent subsystem within the non-SIL-certified Mark VIe Control system, using non-SIL-certified IONet communication. The PPRO safety loop functions are independent from the Mark VIe control system and IONet. The safety loop functionality is resident within the hardware circuits and FPGA of the PPRO protection module. The PPROS1B protection module for safety loops is based upon the existing Mark VIe protection module (PPROH1A) and the Mark VIeS Safety control (YPROS1A).

Hardware overspeed protection is provided by the speed signal conditioning through the input of up to nine speed inputs, three from each of three shafts. Each of the three PPRO packs mounted on a TPRO is independent in detecting overspeed and taking protective action. However, the three packs have a feedback signal through the TPRO terminal board that determines whether two out of three (2oo3) of the packs are detecting speed on their respective speed inputs. The 2oo3 detected speed signal is used to determine if a broken wire condition exists.
Figure 1: Mark VIe PPRO Protection Module within Entire Application

4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from General Electric and is documented in the safety case workbook [R3].
4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

Development process, including:
- Functional Safety Management, including training and competence recording, FSM planning, and configuration management
- Specification process, techniques and documentation
- Design process, techniques and documentation, including tools used
- Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
- Verification activities and documentation
- Modification process and documentation
- Installation, operation, and maintenance requirements, including user documentation

Product design:
- Hardware architecture and failure behavior, documented in a FMEDA
- Software architecture and failure behavior, documented in a Software Criticality and HAZOP report

The review of the development procedures is described in section 4.3. The review of the product design is described in section 5.2.

4.2 Assessment level

The Mark VIe PPRO Protection Module Overspeed Protection Function and E-Stop function have been assessed per IEC 61508 to the following levels:

Random Safety Integrity, SIL 3 @ HFT = 1; Route 1H: PFDavg and Architectural Constraints must be verified for each application.
The Mark VIe PPRO Protection Module Trip Interlock Protection Functions have been assessed per IEC 61508 to the following levels:

Random Safety Integrity, SIL 2 @ HFT = 1; Route 1H: PFDavg and Architectural Constraints must be verified for each application.

The development procedures were assessed as suitable for use in applications with a maximum Systematic Capability Level of 3 (SIL 3 capable) according to IEC 61508.
4.3 Product Modifications

General Electric may make modifications to this product as needed.

Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by General Electric during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development of the Mark VIe PPRO Protection Module was done per this IEC 61508 SIL 3 compliant development process. The Safety Case was updated with project specific design documents.

4.4 Lifecycle Activities and Fault Avoidance Measures

General Electric has an IEC 61508 compliant development process as assessed during the IEC 61508 certification. This compliant development process is documented in [D003] and [D022]. This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team.

The result of the assessment can be summarized by the following observation: the audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

4.4.1 Functional Safety Management

FSM Planning

The functional safety management of any General Electric development is documented in the Functional Safety Management Plan [D026] and the C&PE COE Development Process [D003]. For each development General Electric creates a functional safety management plan which defines all of the tasks that must be done to ensure functional safety as well as the person responsible for each task. The team structure is documented in the FSM plan as well. A meeting is held with management at the end of each phase gate to determine if the team should proceed to the next phase (phases are aligned to the NPI design process according to PG-120 Design Review Procedure).
These processes and the procedures referenced herein fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control

All documents are under version control as documented in [D054]. Configuration control of design documents will be in accordance with C&PE ISO QMS procedures as listed in [D026]. General Electric uses Microsoft Team Server for its version control tool.

Training, Competency recording

Personnel training records are kept in accordance with IEC 61508 requirements as documented in [D026]. General Electric hired exida to be the independent assessor per IEC 61508.
4.4.2 Safety Requirements Specification and Architecture Design

As defined in [D026], a safety requirements specification (SRS) is done for all products that must meet IEC 61508 certification. The requirements specification contains three major sections: System Safety Constraint requirements, External Interface requirements, and Safety User Programming and Configuration requirements. Non-safety functions are also listed. For the PPRO Protection Module, the SRS [D040] has been reviewed by exida for completeness per the requirements of IEC 61508. Requirements are tracked throughout the development process and mapped to the design. Requirements are also mapped to appropriate validation tests in the validation test plan [D069].

Requirements from IEC 61508-2, Table B.1 that have been met by General Electric include project management, documentation, separation of safety systems from non-safety-related systems, structured specification, and inspection of the specification. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

4.4.3 Design

Hardware design for FPGA development is done according to [D022]. The design process includes component selection, detailed drawings and schematics, safety case documents for agency justification, a failure modes and effects analysis (FMEA), a failure modes, effects and diagnostic analysis (FMEDA), a design review, the creation of prototypes, and hardware verification tests.

Requirements from IEC 61508-2, Table B.2 that have been met by General Electric include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, computer aided design tools and inspection of the specification. This meets the requirements of IEC 61508 SIL 3.

4.4.4 Validation

Validation Testing is done via a set of documented tests (see [D074]).
The validation tests are traceable to the Safety Requirements Specification [D040] in the validation test plan [D069]. In addition to the Safety Validation Test plan, a complete regression test [D068] is also performed. Besides standard Test Specification Documents, third party testing may be included as part of agency approvals [D071, D071b]. Procedures are in place for corrective actions to be taken when tests fail as documented in [D023, D026].

Requirements from IEC 61508-2, Table B.3 that have been met by General Electric include functional testing, project management, documentation, and black-box testing. Field experience and statistical testing via regression testing are not applicable. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements of IEC 61508 SIL 3.
Requirements from IEC 61508-2, Table B.5 that have been met by General Electric include functional testing and functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis and failure analysis, expanded functional testing and black-box testing. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements of IEC 61508 SIL 3.

4.4.5 Verification

The development and verification activities are defined in [D026]. Verification activities include the following: Simulations for Digital Logic [D087a], EMC Testing [D076], Validation Testing [D074], Requirements Review [D041], Design Review [D053], FMEDA [R2], Test Plan reviews [D067a, D070]. This meets the requirements of IEC 61508 SIL 3.

4.4.6 Modifications

Modifications are done per General Electric's IEC 61508 SIL 3 compliant development process as documented in [D026], [D023] and [D023a]. This process requires that a safety impact analysis be done for all changes, and that changes must be made with the same process used for initial development. Consequently this meets the requirements of SIL 3.

4.4.7 User Documentation

General Electric created a Safety Manual for the PPRO Protection Module, see [D079]. This safety manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508. The document includes all required reliability data and operations, maintenance, and proof test procedures.

Requirements from IEC 61508-2, Table B.4 that have been met by General Electric include operation and maintenance instructions, user friendliness, maintenance friendliness, documentation, and limited operation possibilities. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.
4.5 Hardware Assessment

To evaluate the hardware design of the PPRO, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R2]. The FMEDA was verified using Fault Injection Testing as part of the development, see [D077], and as part of the IEC 61508 assessment.

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design. From the FMEDA, failure rates are derived for each important failure category.

These results must be considered in combination with the PFDavg of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDavg for each defined safety instrumented function (SIF) to verify the design of that SIF.
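Sections 4.2 and 4.5 leave two checks to the application engineer: the Route 1H architectural constraint (maximum SIL from an element's Safe Failure Fraction, type and hardware fault tolerance) and the PFDavg of the SIF. The following Python is an added worked example, not part of this exida report or of General Electric's FMEDA: the failure rates, proof test interval and common-cause factor are constructed values chosen only to show the arithmetic, the Route 1H bands are those of IEC 61508-2 Tables 2 and 3, the SIL bands are the low-demand bands of IEC 61508-1 Table 2, and the PFDavg formulas are the simplified low-demand approximations that neglect repair time and diagnostic-detected contributions.

```python
"""SIL verification arithmetic for a SIF element characterised by an FMEDA.

Added example with constructed numbers; the PPRO's actual FMEDA results are in
the exida FMEDA report referenced as [R2], not reproduced here.
"""
from dataclasses import dataclass

FIT = 1e-9            # one Failure In Time = 1e-9 failures per hour
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Fmeda:
    """Failure rates in FIT, split into the four IEC 61508 categories."""
    lambda_sd: float  # safe detected
    lambda_su: float  # safe undetected
    lambda_dd: float  # dangerous detected
    lambda_du: float  # dangerous undetected

    def sff(self) -> float:
        """Safe Failure Fraction: every failure except the dangerous undetected ones."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        return (total - self.lambda_du) / total


# IEC 61508-2 Tables 2 (Type A) and 3 (Type B), Route 1H: maximum SIL for
# each SFF band at HFT 0, 1, 2. A 0 means the combination is not allowed.
# Each row is (exclusive upper SFF bound, (SIL@HFT0, SIL@HFT1, SIL@HFT2)).
_ROUTE_1H = {
    "A": ((0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (None, (3, 4, 4))),
    "B": ((0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (None, (3, 4, 4))),
}


def max_sil_route_1h(element_type: str, sff: float, hft: int) -> int:
    """Architectural-constraint ceiling for a Type A or Type B element."""
    for upper, sils in _ROUTE_1H[element_type.upper()]:
        if upper is None or sff < upper:
            return sils[min(hft, 2)]
    raise AssertionError("unreachable: last band has no upper bound")


def pfd_avg_1oo1(lambda_du_fit: float, proof_test_hours: float) -> float:
    """Simplified low-demand PFDavg of one channel: lambda_DU * TI / 2."""
    return lambda_du_fit * FIT * proof_test_hours / 2.0


def pfd_avg_1oo2(lambda_du_fit: float, proof_test_hours: float, beta: float) -> float:
    """Simplified PFDavg of two redundant channels (HFT = 1) with beta-factor
    common cause: ((1-beta)*lambda_DU)^2 * TI^2 / 3 + beta * lambda_DU * TI / 2."""
    lam = lambda_du_fit * FIT
    independent = ((1.0 - beta) * lam) ** 2 * proof_test_hours ** 2 / 3.0
    common_cause = beta * lam * proof_test_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd_avg: float) -> int:
    """Low-demand SIL band (IEC 61508-1 Table 2); 0 means worse than SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4)):
        if pfd_avg >= lower:
            return sil
    return 4  # below 1e-4 satisfies the SIL 4 target


def verify_element(fmeda: Fmeda, element_type: str, hft: int,
                   proof_test_hours: float, beta: float = 0.0) -> dict:
    """Both per-element checks the report requires: the Route 1H ceiling and
    the PFDavg band. The achieved SIL is the lower of the two."""
    if hft == 0:
        pfd = pfd_avg_1oo1(fmeda.lambda_du, proof_test_hours)
    elif hft == 1:
        pfd = pfd_avg_1oo2(fmeda.lambda_du, proof_test_hours, beta)
    else:
        raise ValueError("only 1oo1 (HFT 0) and 1oo2 (HFT 1) PFDavg models are implemented")
    sff = fmeda.sff()
    arch_sil = max_sil_route_1h(element_type, sff, hft)
    pfd_sil = sil_from_pfd(pfd)
    return {"sff": sff, "arch_sil": arch_sil, "pfd_avg": pfd,
            "pfd_sil": pfd_sil, "achieved_sil": min(arch_sil, pfd_sil)}


# Constructed illustration (not the PPRO's data): a Type B element with
# 300/100/500/20 FIT, a five-year proof test interval and a 2 % beta factor.
EXAMPLE = Fmeda(lambda_sd=300, lambda_su=100, lambda_dd=500, lambda_du=20)

if __name__ == "__main__":
    for hft in (0, 1):
        r = verify_element(EXAMPLE, "B", hft, 5 * HOURS_PER_YEAR, beta=0.02)
        print(f"HFT={hft}: SFF={r['sff']:.2%} Route 1H max SIL={r['arch_sil']} "
              f"PFDavg={r['pfd_avg']:.2e} (SIL {r['pfd_sil']} band) "
              f"-> achieved SIL {r['achieved_sil']}")
```

With these constructed numbers the element reaches SIL 2 at HFT = 0 and SIL 3 at HFT = 1: its SFF of about 97.8 % sits in the 90 % to 99 % band, where Table 3 allows SIL 2 for a single Type B channel and SIL 3 for a 1oo2 pair, while the PFDavg band is satisfied in both cases. The same pattern is what the "SIL 3 @ HFT = 1" statement of section 4.2 expresses; whether a real installation meets it depends on the other devices in the SIF, which is why the Safety Manual requires the calculation per SIF rather than per pack.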
5 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
PFDavg: Average Probability of Failure on Demand
PFH: Probability of dangerous Failure per Hour
SFF: Safe Failure Fraction - Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System - Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element: Non-Complex element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element: Complex element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
6 Status of the document

6.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

6.2 Releases

Version: V1
Revision: R2

Version History:
V1, R2: Updated D045a to reference a later version
V1, R1: Updated based on review
V0, R0: Created

Authors: John Yozallinas
Review: Mike Medoff
Release status: Released

6.3 Future Enhancements

At request of client.

6.4 Release Signatures

Certifying Assessor: John Yozallinas, Senior Safety Engineer CFSE
Evaluating Assessor: Mike Medoff, Senior Safety Engineer, CFSE, CISA

exida (www.exida.com) GE 12-05-045 R001 V1R2 Assessment PPRO.docx, November 1, 2013