IEC Functional Safety Assessment. General Electric Salem, VA USA


IEC 61508 Functional Safety Assessment
Project: Mark VIe PPRO Protection Module
Customer: General Electric, Salem, VA USA
Contract No.: Q12/05-045r1
Report No.: GE 12-05-045 R001
Version V1, Revision R2, November 1, 2013
John Yozallinas

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management Summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the PPRO Protection Module.

The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by General Electric through an audit and creation of a detailed safety case against the requirements of IEC 61508.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at General Electric.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, up to SIL 3. A full IEC 61508 Safety Case was prepared using the exida SafetyCase Workbook tool as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test reports were reviewed. The user documentation (safety manual) was also reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The Mark VIe PPRO Protection Module was found to meet the requirements of SIL 3. The PFDavg and Architectural Constraint requirements of the standard must be verified for each element of the Safety Function.

The manufacturer will be entitled to use the Functional Safety Logo. The manufacturer may use the mark:

T-034 V2R4 www.exida.com Page 2 of 18

Table of Contents

Management Summary ... 2
1 Purpose and Scope ... 4
2 Project management ... 5
2.1 exida ... 5
2.2 Roles of the parties involved ... 5
2.3 Standards / Literature used ... 5
2.4 Reference documents ... 5
2.4.1 Documentation provided by General Electric ... 5
2.4.2 Documentation generated by exida ... 9
3 Product Description ... 10
4 IEC 61508 Functional Safety Assessment ... 11
4.1 Methodology ... 12
4.2 Assessment level ... 12
4.3 Product Modifications ... 13
4.4 Lifecycle Activities and Fault Avoidance Measures ... 13
4.4.1 Functional Safety Management ... 13
4.4.2 Safety Requirements Specification and Architecture Design ... 14
4.4.3 Design ... 14
4.4.4 Validation ... 14
4.4.5 Verification ... 15
4.4.6 Modifications ... 15
4.4.7 User Documentation ... 15
4.5 Hardware Assessment ... 16
5 Terms and Definitions ... 17
6 Status of the document ... 18
6.1 Liability ... 18
6.2 Releases ... 18
6.3 Future Enhancements ... 18
6.4 Release Signatures ... 18

1 Purpose and Scope

This document shall describe the results of the IEC 61508 functional safety assessment of the General Electric PPRO protection module by exida according to the requirements of IEC 61508: ed2, 2010. The details of this module are shown in Table 1.

Table 1 PPRO Protection Module Components and Sub-components

Catalog Number    | Description                                 | Rev
IS220PPROS1B      | I/O Pack Assembly                           | B
IS220BPPCS1AC     | I/O Pack Processor Card                     | AC
IS200BPROS1BA     | Turbine Protection Application Cards        | BA
IS210TPROS1C      | Emergency Protection 24 V dc                | CB
IS210TREGS2B      | Emergency Trip 24 V dc                      | BD
IS210TREGS1B      | Emergency Trip 125 V dc                     | BD
IS210TREGS3/4/5B  | Emergency Trip 125 V dc, Special 28 V power | BD

The results of this assessment provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

Note: As defined by IEC 61508, IS220PPROS1B is a Type B element. IS200TPRO and IS200TREG are Type A elements.

2 Project management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

General Electric | Manufacturer of the Mark VIe PPRO Protection Module
exida            | Performed the hardware assessment
exida            | Performed the IEC 61508 Functional Safety Assessment

General Electric contracted exida for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1-7): 2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by General Electric

ID    | Document                                                                   | Version | Date
D001  | [Quality Manual]                                                           |         |
D003  | GE Energy - Salem - Files - C&PE COE Development Process CPE 7.3-1 DEV.doc | 2.4     | 1/11/2011
D004a | GE Energy - Salem-Files-FPGA Configuration Management Procedure.docx       | 1       | 1/18/2010

D004b | GE Energy - Salem-Files-PWA Component Configuration Control CPE 7.3.7-3 PWA.docx                              | 1        | 7/18/2011
D004c | GE Energy - Salem-Files-PWA Change Control Process CPE 7.3.7-1 PWA.doc                                        | 4        | 3/19/2010
D005  | GE Energy - Salem-Files-PW-170.2_Product_Safety_Reactive_Process.pdf                                          | 1.1      | 3/26/2013
D007  | GE Energy - Salem-Files-Supplier Qualification Process SRCWI 7_4_2.pdf                                        | 1.2      | 6/4/2013
D007a | GE Energy - Salem-Files-P28A-AL-0002_K.pdf                                                                    | K        | 7/3/2012
D016  | GE Energy - Salem-Files-Peer Review Record Instructions.docx                                                  | 2.4      | 12/10/2010
D018  | GE Energy - Salem - Files - Product Service Bulletin CPE 8_2_1 PS.pdf                                         | 1.2      | 6/28/2011
D022  | GE Energy - Salem-Files-ECT Logic Design Process.docx                                                         | 1.1      | 11/13/2012
D023  | GE Energy - Salem-Files-PWA Change Control Process CPE 7.3.7-1 PWA.doc                                        | 4        | 3/19/2010
D023a | GE Energy - Salem-Files-ECR Request #85019825.pdf                                                             | NA       | 7/11/2013
D026  | GE Energy - Salem - Files - Mark VIe PPRA-PPRO Functional Safety Plan 010102.docx                             | 01.01.02 | 8/5/2013
D036  | GE Energy - Salem-Files-ISO9001_CDC.pdf                                                                       | Issue 3  | 12/12/2011
D038  | GE Energy - Salem-Files-ECT Approved Logic Toolsx.pdf                                                         | 1.1      | 11/13/2012
D040  | GE Energy - Salem - Files - Mark VIe PPRO BPPC SRS 010204.pdf                                                 | 1.02.04  | 8/28/2013
D041  | GE Energy - Salem-Files-SPR Protection Packs (PPRO, PPRA, PTUR) Meeting Minutes (22, 28 Jan 2013).pdf         | NA       | 1/31/2013
D041a | GE Energy - Salem-Files-Protection Packs SPR Outline.docx                                                     | NA       | 1/9/2012

D041b | GE Energy - Salem-Files-eDR-eDRB Screen Capture Page.docx                                        | NA                | 8/20/2013
D042  | GE Energy - Salem - Files - PPRO FPGA Reqmts rev 1.8.pdf                                         | 1.8               | 9/3/2013
D045  | GE Energy - Salem-Files-PPROS1B Protection Module Architectural Overview.pptx                    | NA                | 5/10/2013
D045a | GE Energy - Salem-Files-PPRO Protection Module Architectural Overview.pdf                        | 1.00.07           | 9/4/2013
D047  | GE Energy - Salem-Files-bppc input power.pdf                                                     | IS200BPPC H#AAA-S | 9/26/2011
D047a | GE Energy - Salem-Files-treg CI volt protection.pdf                                              | IS200TREG S#BD    | 6/21/2006
D047b | GE Energy - Salem-Files-tpro Speed Inputs volt protection.pdf                                    | IS200TPRO H_CPR2S | 11/13/2012
D053  | GE Energy - Salem-Files-PPRO SIL Architectural Review Meeting Minutes 10 Dec 2012.msg            | NA                | 12/11/2012
D059  | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc                                          | V01.00.17         | 7/31/2013
D059a | GE Energy - Salem-Files-GE Q060512 R001 V004 Mark VIe Fault Injection Test.pdf                   | V0, R0.2          | 6/8/2006
D059b | GE Energy - Salem-Files-S6_sem_v3_5_test_report v1 2.pdf                                         | 1.2               | 5/1/2014
D060a | GE Energy - Salem-Files-ECT Verilog Source Code Standardsx.pdf                                   | 1.2               | 11/13/2012
D067  | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc                                          | V01.00.17         | 7/31/2013
D067a | GE Energy - Salem - Files - Status Review Protection Pack Testing Meeting Minutes 8 May 2013.pdf | NA                | 5/8/2013
D068  | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc                                          | V01.00.17         | 7/31/2013
D069  | GE Energy - Salem-Files-PPRO Safety Validation & Verification Test Plan 010007.xls               | 01.00.06          | 8/1/2013
D069a | GE Energy - Salem-Files-PPRO-REGRSN-TESTPLAN 010017.doc                                          | V01.00.17         | 7/31/2013

D070  | GE Energy - Salem - Files - PPRO Test Plan Review Meeting Minutes 3 Apr 2013.pdf       | NA    | 4/3/2013
D071  | GE Energy - Salem-Files-HALT_TPRO_13-May-08.xls                                        | N/A   | 5/13/2008
D071b | GE Energy - Salem-Files-BPPC_HALT_18NOV2010.xls                                        | NA    | 12/13/2010
D074  | GE Energy - Salem-Files-PPRO_SIL-TPRO-TREG Validation Summary SIL V0407.UCSB.xlsx      | V0407 | 5/29/2013
D076  | GE Energy - Salem-Files-DoC_MarkVe_VIe_S_16_May_2013.pdf                               | NA    | 5/16/2013
D078  | GE Energy - Salem-Files-GEH-6721V_Vol_I.pdf                                            | V     | 6/1/2013
D078b | GE Energy - Salem-Files-PPRO GEI-100596 Pack Replacement.pdf                           | N/A   | 6/27/2013
D078c | GE Energy - Salem - Files - GEH-6721V_Vol_II.pdf                                       | V     | 6/27/2013
D079  | GE Energy - Salem-Files-GEI-100709_Aug21.pdf                                           | N/A   | 8/21/2013
D087  | GE Energy - Salem-Files-test_bed.v                                                     | N/A   | 3/28/2013
D087b | GE Energy - Salem-Files-codecoverage_screenshot.docx                                   | N/A   | 7/17/2013
D088  | GE Energy - Salem-Files-_build.cmdx                                                    | N/A   | 7/17/2013
D089  | GE Energy - Salem-Files-pprofpga.par                                                   | N/A   | 3/28/2013
D090  | GE Energy - Salem-Files-ug116.pdf                                                      | 9.4   | 5/13/2013
D091  | GE Energy - Salem-Files-ug393.pdf                                                      | 1.3   | 10/17/2012
D092  | GE Energy - Salem-Files-pprofpga.srr                                                   | NA    | 3/28/2013
D093  | GE Energy - Salem-Files-pprofpga.bld                                                   | NA    | 8/20/2013
D094  | GE Energy - Salem-Files-map.mrp                                                        | NA    | 3/28/2013

D095  | GE Energy - Salem-Files-pprofpga.par                                                   | NA    | 3/38/2013

2.4.2 Documentation generated by exida

ID   | Document                                                        | Description                                                                  | Date
[R1] | GE 12-05-045 R001 V1R1 Assessment PPRO.doc                      | IEC 61508 Functional Safety Assessment for PPRO Protection Module (This document) | 1-Nov-13
[R2] | PPRO FMEDA Summary for updated FPGA design 06072013.xls         | Failure Modes, Effects and Diagnostics Analysis worksheet for Mark VIe PPRO  |
[R3] | GE PPRO SafetyCase V1R6 Final WB-61508, Nov. 1, 2013            | PPRO Safety Case Workbook                                                    |

3 Product Description

The PPRO Protection Module provides independent overspeed, E-Stop and Trip Interlock contact input protection. The PPRO protection module operates as an independent subsystem within the non-SIL certified Mark VIe Control system, using non-SIL certified IONet communication. The PPRO safety loop functions are independent from the Mark VIe control system and IONet. The safety loop functionality is resident within the hardware circuits and FPGA of the PPRO protection module.

The PPROS1B protection module for safety loops is based upon the existing Mark VIe protection module (PPROH1A) and the Mark VIeS Safety control (YPROS1A).

Hardware overspeed protection is provided by the speed signal conditioning through the input of up to nine speed inputs, three from each of three shafts. Each of the three PPRO packs mounted on a TPRO is independent in detecting overspeed and taking the protective action. However, the three packs have a feedback signal through the TPRO terminal board that determines if two out of three (2oo3) of the packs are detecting speed on their respective speed inputs. The 2oo3 detected speed signal is used to determine if a broken wire condition exists.

Figure 1: Mark VIe PPRO Protection Module within Entire Application

4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from General Electric and is documented in the safety case workbook [R3].

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:

Development process, including:
- Functional Safety Management, including training and competence recording, FSM planning, and configuration management
- Specification process, techniques and documentation
- Design process, techniques and documentation, including tools used
- Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
- Verification activities and documentation
- Modification process and documentation
- Installation, operation, and maintenance requirements, including user documentation

Product design:
- Hardware architecture and failure behavior, documented in a FMEDA
- Software architecture and failure behavior, documented in a Software Criticality and HAZOP report

The review of the development procedures is described in section 4.3. The review of the product design is described in section 5.2.

4.2 Assessment level

The Mark VIe PPRO Protection Module Overspeed Protection Function and E-Stop function have been assessed per IEC 61508 to the following levels: Random Safety Integrity, SIL 3 @ HFT = 1; Route 1H: PFDavg and Architectural Constraints must be verified for each application.

The Mark VIe PPRO Protection Module Trip Interlock Protection Functions have been assessed per IEC 61508 to the following levels: Random Safety Integrity, SIL 2 @ HFT = 1; Route 1H: PFDavg and Architectural Constraints must be verified for each application.

The development procedures were assessed as suitable for use in applications with a maximum Systematic Capability Level of 3 (SIL 3 capable) according to IEC 61508.

4.3 Product Modifications

General Electric may make modifications to this product as needed.

Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by General Electric during the product development against the objectives of IEC 61508 parts 1, 2, and 3, see [N1]. The development of the Mark VIe PPRO Protection Module was done per this IEC 61508 SIL 3 compliant development process. The Safety Case was updated with project specific design documents.

4.4 Lifecycle Activities and Fault Avoidance Measures

General Electric has an IEC 61508 compliant development process as assessed during the IEC 61508 certification. This compliant development process is documented in [D003] and [D022]. This functional safety assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team.

The result of the assessment can be summarized by the following observation: the audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

4.4.1 Functional Safety Management

FSM Planning
The functional safety management of any General Electric development is documented in the Functional Safety Management Plan [D026] and the C&PE COE Development Process [D003]. For each development General Electric creates a functional safety management plan which defines all of the tasks that must be done to ensure functional safety as well as the person responsible for each task. The team structure is documented in the FSM plan as well. A meeting is held with management at the end of each phase gate to determine if the team should proceed to the next phase (phases are aligned to the NPI design process according to the PG-120 Design Review Procedure). These processes and the procedures referenced herein fulfill the requirements of IEC 61508 with respect to functional safety management.

Version Control
All documents are under version control as documented in [D54]. Configuration control of design documents will be in accordance with C&PE ISO QMS procedures as listed in [D026]. General Electric uses Microsoft Team Server for its version control tool.

Training, Competency recording
Personnel training records are kept in accordance with IEC 61508 requirements as documented in [D26]. General Electric hired exida to be the independent assessor per IEC 61508.

4.4.2 Safety Requirements Specification and Architecture Design

As defined in [D26], a safety requirements specification (SRS) is done for all products that must meet IEC 61508 certification. The requirements specification contains three major sections: System Safety Constraint requirements, External Interface requirements, and Safety User Programming and Configuration requirements. Non-safety functions are also listed. For the PPRO Protection Module, the SRS [D040] has been reviewed by exida for completeness per the requirements of IEC 61508. Requirements are tracked throughout the development process and mapped to the design. Requirements are also mapped to appropriate validation tests in the validation test plan [D069].

Requirements from IEC 61508-2, Table B.1 that have been met by General Electric include project management, documentation, separation of safety systems from non-safety-related systems, structured specification, and inspection of the specification. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements of SIL 3.

4.4.3 Design

Hardware design for FPGA development is done according to [D022]. The design process includes component selection, detailed drawings and schematics, safety case documents for agency justification, a failure modes and effect analysis (FMEA), a failure modes, effects and diagnostic analysis (FMEDA), a design review, the creation of prototypes, and hardware verification tests.

Requirements from IEC 61508-2, Table B.2 that have been met by General Electric include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, computer aided design tools and inspection of the specification. This meets the requirements of IEC 61508 SIL 3.

4.4.4 Validation

Validation Testing is done via a set of documented tests (see [D074]). The validation tests are traceable to the Safety Requirements Specification [D040] in the validation test plan [D069]. In addition to the Safety Validation Test plan, a complete regression test [D068] is also performed. Besides standard Test Specification Documents, third party testing may be included as part of agency approvals [D071, D071b]. Procedures are in place for corrective actions to be taken when tests fail as documented in [D023, D026].

Requirements from IEC 61508-2, Table B.3 that have been met by General Electric include functional testing, project management, documentation, and black-box testing. Field experience and statistical testing via regression testing are not applicable. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements of IEC 61508 SIL 3.

Requirements from IEC 61508-2, Table B.5 that have been met by General Electric include functional testing and functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements of IEC 61508 SIL 3.

4.4.5 Verification

The development and verification activities are defined in [D026]. Verification activities include the following: Simulations for Digital Logic [D087a], EMC Testing [D076], Validation Testing [D074], Requirements Review [D041], Design Review [D053], FMEDA [R2], Test Plan reviews [D067a, D070]. This meets the requirements of IEC 61508 SIL 3.

4.4.6 Modifications

Modifications are done per General Electric's IEC 61508 SIL 3 compliant development process as documented in [D026], [D023] and [D023a]. This process requires that a safety impact analysis be done for all changes, and that changes must be made with the same process used for initial development. Consequently this meets the requirements of SIL 3.

4.4.7 User Documentation

General Electric created a Safety Manual for the PPRO Protection Module, see [D079]. This safety manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508. The document includes all required reliability data and operations, maintenance, and proof test procedures.

Requirements from IEC 61508-2, Table B.4 that have been met by General Electric include operation and maintenance instructions, user friendliness, maintenance friendliness, documentation, and limited operation possibilities. The Safety Case documents more details on how each of these requirements has been met. This meets the requirements for SIL 3.

4.5 Hardware Assessment

To evaluate the hardware design of the PPRO, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R2]. The FMEDA was verified using Fault Injection Testing as part of the development, see [D77], and as part of the IEC 61508 assessment.

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extensions to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design. From the FMEDA, failure rates are derived for each important failure category.

These results must be considered in combination with the PFDavg of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDavg for each defined safety instrumented function (SIF) to verify the design of that SIF.
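The two per-application checks that sections 4.2 and 4.5 leave to the application engineer (Route 1H architectural constraints from the SFF and HFT, and the low-demand PFDavg target) carried through in code, as an added worked example that is not part of exida's report or of GE's FMEDA data. The failure-rate categories, the 8760 h proof-test interval and the common-cause factor beta are constructed values; the Route 1H tables are those of IEC 61508-2 and the PFDavg expressions are the simplified IEC 61508-6 approximations with the MTTR term omitted.

```python
"""Route 1H suitability check for an IEC 61508 element.

Constructed worked example: the failure rates, proof-test interval and
common-cause factor used below are illustrative values, not data from the
exida assessment report or from the GE PPRO FMEDA.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = 1e-9 failures per hour (IEC 61508-4)


@dataclass(frozen=True)
class Fmeda:
    """Failure rates (in FIT) for the four failure categories an FMEDA
    produces for an element."""
    lambda_sd: float  # safe, detected by on-line diagnostics
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by on-line diagnostics
    lambda_du: float  # dangerous, undetected (only a proof test reveals these)

    @property
    def total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du

    def sff(self) -> float:
        """Safe Failure Fraction: every failure that is not dangerous-undetected."""
        return 1.0 - self.lambda_du / self.total


# IEC 61508-2 Tables 2 (Type A) and 3 (Type B): maximum SIL permitted by the
# Route 1H architectural constraints, by SFF band and HFT (index 0, 1, 2).
# A 0 entry means the element is not allowed for any SIL at that HFT.
_ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))],
}


def route_1h_max_sil(sff: float, hft: int, element_type: str) -> int:
    """Maximum SIL the architectural constraints allow for this element."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for upper_bound, sil_by_hft in _ROUTE_1H[element_type]:
        if sff < upper_bound:
            return sil_by_hft[hft]
    raise ValueError("SFF out of range")


def pfd_avg(lambda_du_fit: float, proof_test_hours: float,
            architecture: str, beta: float = 0.0) -> float:
    """Simplified low-demand PFDavg approximations (IEC 61508-6, MTTR term
    omitted); beta is the common-cause share of dangerous undetected failures."""
    lam = lambda_du_fit * FIT
    ti = proof_test_hours
    common_cause = beta * lam * ti / 2          # behaves like a 1oo1 channel
    independent = (1.0 - beta) * lam
    if architecture == "1oo1":                   # HFT = 0
        return lam * ti / 2
    if architecture == "1oo2":                   # HFT = 1
        return (independent * ti) ** 2 / 3 + common_cause
    if architecture == "2oo3":                   # HFT = 1
        return (independent * ti) ** 2 + common_cause
    raise ValueError("unsupported architecture")


def pfd_sil_band(pfd: float) -> int:
    """SIL band for low-demand PFDavg (IEC 61508-1 Table 2); 0 = below SIL 1.
    Anything under 1e-4 is treated here as meeting the SIL 4 target."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def sil_claim(fmeda: Fmeda, hft: int, element_type: str, architecture: str,
              proof_test_hours: float, beta: float = 0.0) -> dict:
    """Both checks the report says must be verified per application; the
    achievable SIL is capped by whichever of the two is lower."""
    arch_sil = route_1h_max_sil(fmeda.sff(), hft, element_type)
    pfd = pfd_avg(fmeda.lambda_du, proof_test_hours, architecture, beta)
    return {"sff": fmeda.sff(), "arch_sil": arch_sil, "pfd_avg": pfd,
            "pfd_sil": pfd_sil_band(pfd), "claim": min(arch_sil, pfd_sil_band(pfd))}


# Constructed element: 1000 FIT total, 50 FIT dangerous undetected, treated as
# Type B (programmable logic, as the FPGA-based pack in the report is).
EXAMPLE = Fmeda(lambda_sd=500, lambda_su=100, lambda_dd=350, lambda_du=50)

if __name__ == "__main__":
    for arch, hft in (("1oo1", 0), ("1oo2", 1), ("2oo3", 1)):
        r = sil_claim(EXAMPLE, hft, "B", arch, proof_test_hours=8760, beta=0.02)
        print(f"{arch} HFT={hft}: SFF={r['sff']:.2%}, arch SIL {r['arch_sil']}, "
              f"PFDavg={r['pfd_avg']:.2e} (SIL {r['pfd_sil']}) -> claim SIL {r['claim']}")
```

With these constructed numbers the 1oo1 configuration is limited to SIL 2 by the Type B architectural constraint even though its PFDavg falls in the SIL 3 band, which is why the report states both checks separately.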

5 Terms and Definitions

Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode, where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
PFDavg: Average Probability of Failure on Demand
PFH: Probability of dangerous Failure per Hour
SFF: Safe Failure Fraction - Summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System - Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element: Non-Complex element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element: Complex element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2

6 Status of the document

6.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

6.2 Releases

Version: V1
Revision: R2
Authors: John Yozallinas
Review: Mike Medoff
Release status: Released

Version History:
V1, R2: Updated D045a to reference a later version
V1, R1: Updated based on review
V0, R0: Created

6.3 Future Enhancements

At request of client.

6.4 Release Signatures

Certifying Assessor: John Yozallinas, Senior Safety Engineer, CFSE
Evaluating Assessor: Mike Medoff, Senior Safety Engineer, CFSE, CISA

exida (www.exida.com) GE 12-05-045 R001 V1R2 Assessment PPRO.docx, November 1, 2013