exida Certification Services IEC 61508 Functional Safety Assessment Project: Automax Pneumatic Rack & Pinion Actuators Customer: Flowserve Flow Control


exida Certification Services
IEC 61508 Functional Safety Assessment
Project: Automax Pneumatic Rack & Pinion Actuators
Customer: Flowserve Flow Control, Haywards Heath, West Sussex, United Kingdom
Contract Number: Q13/03-024
Report No.: FLO 13-03-024 R006
Version V1, Revision R2, 30 August 2013
Griff Francis

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

Management summary

This report summarizes the results of the functional safety assessment according to IEC 61508 carried out on the Automax Pneumatic Rack & Pinion Actuators. The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by Flowserve Flow Control by an on-site gap analysis and creation of a safety case against the requirements of IEC 61508.
- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.
- exida reviewed field failure data to ensure that the FMEDA analysis was complete.
- exida reviewed the manufacturing quality system in use at Flowserve.

The functional safety assessment was performed to the requirements of IEC 61508: ed2, 2010, SIL 3 for mechanical components. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseWB tool, and used as the primary audit tool. Hardware process requirements and all associated documentation were reviewed. Environmental test plans were reviewed. The user documentation (Safety Manual) was also reviewed.

The results of the Functional Safety Assessment can be summarized as: The Flowserve Automax Pneumatic Rack & Pinion Actuators were found to meet the requirements of IEC 61508 for up to SIL 3 (SIL 3 Capable). The PFD AVG and architectural constraint requirements of the standard must be verified for each element of the safety function. The manufacturer will be entitled to use the Functional Safety Logo.

T-023 V2R1 www.exida.com Page 2 of 18

Table of Contents

Management summary ... 2
1 Purpose and Scope ... 4
2 Project management ... 5
2.1 exida ... 5
2.2 Roles of the parties involved ... 5
2.3 Standards / Literature used ... 5
2.4 Reference documents ... 5
2.4.1 Documentation provided by Flowserve Flow Control ... 5
2.4.2 Documentation generated by exida ... 9
3 Product Description ... 10
4 IEC 61508 Functional Safety Assessment ... 11
4.1 Methodology ... 11
4.2 Assessment level ... 11
4.3 Product Modifications ... 11
5 Results of the IEC 61508 Functional Safety Assessment ... 13
5.1 Lifecycle Activities and Fault Avoidance Measures ... 13
5.1.1 Functional Safety Management ... 13
5.1.2 Safety Requirements Specification and Architecture Design ... 14
5.1.3 Hardware Design ... 14
5.1.4 Validation ... 14
5.1.5 Verification ... 14
5.1.6 Proven In Use ... 15
5.1.7 Modifications ... 15
5.1.8 User documentation ... 15
5.2 Hardware Assessment ... 15
6 Terms and Definitions ... 17
7 Status of the Document ... 18
7.1 Liability ... 18
7.2 Releases ... 18
7.3 Future Enhancements ... 18
7.4 Release Signatures ... 18

1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the Flowserve Flow Control Automax Series by exida according to the requirements of IEC 61508: ed2, 2010. The results provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

2 Project management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability, with over 300 years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project-oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Flowserve Flow Control | Manufacturer of the Automax Pneumatic Rack & Pinion Actuators
exida | Performed the hardware assessment
exida | Performed the IEC 61508 Functional Safety Assessment

Flowserve contracted exida in January 2013 for the IEC 61508 Functional Safety Assessment of the above mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

Doc ID | Document | Description
[N1] | IEC 61508 (Parts 1-7): 2010 | Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Flowserve Flow Control

Doc ID from SafetyCase | Generic Document Name | Project Document Name | Version | Date
D001 | Quality Manual | 03_Quality Manual Appendix 1 with list of 50 core processes.pdf | Rev 13.1 | 22-Mar-11
D002 | Functional Safety Mgt. | 02_Execution of R&D Projects Policy Rev 3.pdf | Rev 3 | Jul-07
D003 | Overall Development Process | 02_Execution of R&D Projects Policy Rev 3.pdf | Rev 3 | Jul-07

D003b D004 D005 D005b D006 D006b D007 D008 D009 D010 D011 D012 D013 D014 D015 D016 D017 D018 D018b Overall Development Process Configuration Management Process Hazardous Events Hazardous Events Manufacturer Qualification Manufacturer Qualification Part Qualification Verification of purchased parts/products QMS Documentation Change Control of Design Records Non- Conformance Reporting procedure Corrective Action Preventive Action Internal Audit Action Item List Tracking Training Test Equipment Calibration Customer Notification Customer Notification 301002_Design Control.pdf Rev 21 28-Sep-12 02_Execution of R&D Projects Policy Rev 3.pdf 15_Customer notification procedure for faulty products (if existing).pdf Rev 3 Rev 12 Jul-07 17-Jan-10 300973_Product Recall.pdf Rev 1 17-Jan-10 13_ Purchasing procedure 500015.pdf Rev 3 4-Oct-12 701615_Supplier Review& Assessment.pdf Rev 11 8-Feb-12 300005_Eng Dwg Issue & Change Rev 17 23-Jul-10 Control.pdf 700502_Incoming Inspection.pdf Rev 17 4-May-12 701607_Control of Documentation.pdf Rev 7 4/4/2011 12_Control of Engineering drawings Rev 13.1 6-Sep-10 procedure 300003.pdf 300973_Product Recall.pdf Rev 1 17-Jan-10 701308_Corrective&Preventive Action Reporting.pdf 701308_Corrective&Preventive Action Reporting.pdf 03_Quality Manual Appendix 1 with list of 50 core processes.pdf 02_Execution of R&D Projects Policy Rev 3.pdf Rev 30 Rev 30 Rev 13.1 Rev 3 7-Dec-12 7-Dec-12 22-Mar-11 Jul-07 03_Quality Manual Appendix 1 with list of 50 Rev 13.1 22-Mar-11 core processes.pdf 27_ Calibration procedure 701700.pdf Rev 47 24-Sep-12 15_Customer notification procedure for faulty products (if existing).pdf Rev 12 17-Jan-10 300973_Product Recall.pdf Rev 1 7-Feb-12

D019 D019b D020 D022 D024 D025 D026 D027 D027b D028 D030 Field Return Field Return Management Review Process Modification List of s Gate Review and Approval Records FSM Plan or Development Plan Configuration Management Plan Configuration Management Plan List of applicable Agency Standards Shipment Records 100220_Goods Returned for Investigation.pdf Rev 4 17-Jan-10 15_Customer notification procedure for Rev 12 17-Jan-10 faulty products (if existing).pdf 03_Quality Manual Appendix 1 with list of 50 Rev 13.1 22-Mar-11 core processes.pdf 31_Change 300005.pdf Rev 18 6-Sep-10 03_Quality Manual Appendix 1 with list of 50 core processes.pdf 06_Example of phase gate process followed for one at least product.doc Rev 13.1 External Version_SIL Hi-Level Plan.xlsx Rev 0 02_Execution of R&D Projects Policy Rev 3.pdf 201304191503.pdf 03_Quality Manual Appendix 1 with list of 50 core processes.pdf 14_Shipping and Returns information for products requiring certification (minimum 5 years)_wgf_calc.xlsx Complaints Description Directory.xlsx Rev 3 Rev 13.1 22-Mar-11 17-Oct-11 1-Jul-07 19-Apr-13 22-Mar-11 Oct-12 D031 Field Returns Records 14-Feb-13 D033 Training Record 11_ Example of induction set of training and 29-Jan-13 checklist for Gary Player.pdf D034 Skills Matrix Cognitive Competency Matrix.xlsx Rev 01 29-Apr-13 D035 IEC 61508 Training Record D036 ISO 900x Cert or equivalent D036b ISO 900x Cert or equivalent D038 List of Design Tools D039 Management Review Record D040 Safety Requirements Specification D041 Safety Requirements Review D041b Safety Requirements Review 32_Training Registration Sheet.pdf 18-Oct-12 04_ Copy of ISO90012008 Certificate.pdf 14-Apr-11 05_ Copy of last BSI audit report.pdf 10-Apr-12 28_List of versions of CADdesign software tools.xlsx 08_ Example of review minutes and actions arising.doc 22_R&P ATEX PRODUCT SPECIFICATION rev 5.doc ATEX FILE INDEX.doc Rev 5 18-Mar-13 19-Nov-12 6-Feb-13 R&P ATEX FILE REVISION STATUS.doc 5 7-Feb-13

D041c Safety Requirements Review D044 Marketing Requirements Document D044b Marketing Requirements Document D048 Hardware Change List D052 Design Review Record D068 Validation Test Plan D068c Validation Test Plan D069 Validation Test Plan Review Record D070 Environmental Test Plan D072 Name of Change Request Tracking System D074 Environmental Test Results D077 Operation / Maintenance Manual Automax VAVE Gate 1 Review Checklist.doc 14-Apr-09 1.30.00 Market Requirements V2.doc A 1-Jul-09 MRD FINAL 090409.doc Change History.xlsx 30-Mar-09 3-Jun-13 08_ Example of review minutes and actions 19-Nov-10 arising.doc 25_Test plans and test specification for 5 20-Aug-10 products requiring certification 300314.pdf 1.31.08 Technical Specifications Rev 1.doc 1 1-Mar-11 Automax VAVE Gate 1 Review Checklist.doc 14-Apr-09 29_Zinc Cobalt Pinions Salt Spray Test1.tif 1 15-Aug-97 Complaints Description Directory.xlsx 14-Feb-13 29_Zinc Cobalt Pinions Salt Spray Test1.tif 1 15-Aug-97 23_Automax Pneumatic Actuators Super Nova IOM 10_06.pdf AXEIM0001-01 D078 Safety Manual Safety Manual Automax.docx 1 Jun-13 D079 D080 D080b D080c D080d Safety Manual Review Engineering Change Documentation Impact Analysis Example Corrective Action Report (internal) Corrective Action Report (external) Safety Manual Review.xlsx 1 3-Jun-13 Norbro Change History.xlsx 12-Mar-13 TR1944.doc 23-Jul-08 CAR2013-012 BH1.doc 12-Mar-13 External CAR.pdf 12-Mar-13

2.4.2 Documentation generated by exida

[R1] | FLO_Q10-08-003_Automax_Actuator_FMEDA_V1R4.doc | FMEDA report, Automax Actuators
[R2] | Initial SafetyCase for Flowserve UK Products PO 4500331090 Q11 01-010r1.msg | IEC 61508 Gap Analysis List, Flowserve Flow Control (sent in e-mail dated 13 Feb 2013)
[R3] | Flowserve Q13-03-024 Group 8 Safety Case_30Aug2013.xlsm | IEC 61508 SafetyCaseWB for Automax Pneumatic Rack & Pinion Actuators
[R4] | FLO 13-03-024 PIU_3Jun2013.xlsx | PIU Analysis
[R5] | FLO 13-03-024 R006 V1R2 Automax Assessment Report.doc, 30 August 2013 | IEC 61508 Functional Safety Assessment, Flowserve Flow Control Automax Pneumatic Rack & Pinion Actuators (this report)

3 Product Description

The Automax Actuators are rack and pinion, opposed piston actuators available in two versions: double acting and spring return. Either spring return or double acting configurations may be used in functional safety applications. This includes Models S050-S200, SN250-SN300, B050-B200 and SNA250-SNA300. Actuator pressure ranges from 2.5 to 8 bar depending on model. Starting torque ranges from 4 to 1666 Nm depending on model. The safety function of the actuator is to move the valve to the failsafe position within the specified safety time.

4 IEC 61508 Functional Safety Assessment

The IEC 61508 Functional Safety Assessment was performed based on the information received from Flowserve Flow Control and is documented in this report.

4.1 Methodology

The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware development and demonstrates full compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. The assessment also includes a review of existing manufacturing quality procedures to ensure compliance to the quality requirements of IEC 61508.

As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  o Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  o Specification process, techniques and documentation
  o Design process, techniques and documentation, including tools used
  o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  o Verification activities and documentation
  o Modification process and documentation
  o Installation, operation, and maintenance requirements, including user documentation
- Product design
  o Hardware architecture and failure behavior, documented in a FMEDA Report

The review of the development procedures is described in section 5. The review of the product design is described in section 5.2.

4.2 Assessment level

The Automax Pneumatic Rack & Pinion Actuators have been assessed per IEC 61508 to the following levels:
- Systematic Safety Integrity: SIL 3 capable
- Random Safety Integrity: PFD AVG and Architectural Constraints must be verified for each application.

The development procedures have been assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC 61508.

4.3 Product Modifications

Flowserve Flow Control may make modifications to this product as needed. Modifications shall be classified into two types:

Type 1 Modification: Changes requiring re-certification, which includes the re-design of safety functions or safety integrity functions.

Type 2 Modification: Changes allowed to be made by Flowserve Flow Control provided that:
- A competent person from Flowserve Flow Control, appointed and agreed with exida, judges and approves the modifications.
- The modification documentation listed below is submitted prior to a renewal of the certification to exida for review of the decisions made by the competent person in respect to the modifications made.
  o List of all anomalies reported
  o List of all modifications completed
  o Safety impact analysis which shall indicate with respect to the modification:
    - The initiating problem (e.g. results of root cause analysis)
    - The effect on the product / system
    - The elements/components that are subject to the modification
    - The extent of any re-testing
  o List of modified documentation
  o Regression test plans

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Flowserve Flow Control for these products against the objectives of IEC 61508 parts 1-7 and documented the results in the SafetyCase [R3].

5.1 Lifecycle Activities and Fault Avoidance Measures

Flowserve Flow Control has a defined product lifecycle process in place. This is documented in the Quality Assurance Manual, D001, and various Quality procedures, D002-D024. Every customer job goes through the complete design process. A documented modification process is also covered in the Quality Manual section 7.3.7 and procedure 30005. No software is part of the design and therefore any requirements of IEC 61508 specific to software and software development do not apply.

The assessment investigated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for product design and development. The investigation was executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observation: The audited Flowserve Flow Control design and development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

The actuators manufactured by Flowserve are not built for inventory. These actuators are built-to-order. The basic designs are standardized, but each order can have trim and materials variations or specific customer requested proof tests. Due to the specialized nature of each actuator, documentation that defines all of the requirements is generated for every order as part of the process.

FSM Planning
Flowserve Flow Control has a defined process in place for product design and development. Required activities are specified along with review and approval requirements. This is primarily documented in section 7 of their Quality Management System Manual, D001, and in greater detail in Execution of Research & Development Projects Execution of R&D Projects Policy, D003. Templates and sample documents were reviewed and found to be sufficient. The modification process is covered by Engineering Drawing / Data Issue and Change Control, Ref: 300005, D022. This process and the procedures referenced therein fulfill the requirements of IEC 61508 with respect to functional safety management for a product with simple complexity and well defined safety functionality.

Version Control
Execution of Research & Development Projects Execution of R&D Projects Policy, D003, requires that all documents be under document control. Use of this to control revisions was evident during the audit.

Training, Competency recording
Quality Management System Manual, D001, requires the Human Resource department to maintain training records of education, experience, training and qualifications for all personnel. Department heads are responsible for identifying and providing the training needs for their department as well as proficiency evaluations. The procedures and records were examined and found up-to-date and sufficient. Flowserve hired exida to be the independent assessor per IEC 61508 and to provide specific IEC 61508 knowledge.

5.1.2 Safety Requirements Specification and Architecture Design

For the Automax Pneumatic Rack & Pinion Actuators, the simple primary functionality of the actuator is the same as the safety functionality of the product (actuator moves valve, Close / Open). Therefore no special Safety Requirements Specification was needed; the normal functional requirements were sufficient. As the designs of the Automax Pneumatic Rack & Pinion Actuators are simple and are based upon standard designs with extensive field history, no semiformal methods are needed. General design and testing methodology is documented and required as part of the design process. This meets SIL 3.

5.1.3 Hardware Design

The design process is documented in Execution of Research & Development Projects Execution of R&D Projects Policy, D003. Items from IEC 61508-2, Table B.2 include observance of guidelines and standards (ATEX, CE Mark), project management, documentation (design outputs are documented per quality procedures), structured design, modularization, use of well-tried components / materials, and computer-aided design tools. This meets SIL 3.

5.1.4 Validation

Validation testing is documented on the Assessment Sales Order which is created for each order. The test plan includes testing per all standard and customer performance requirements. As the Automax Pneumatic Rack & Pinion Actuators are purely mechanical devices with a simple safety function, no separate integration testing is necessary. The Automax Pneumatic Rack & Pinion Actuators perform only one Safety Function, which is extensively tested under various conditions during validation testing.

Items from IEC 61508-2, Table B.3 include functional testing, project management, documentation, and black-box testing (for the considered devices this is similar to functional testing). Field experience and statistical testing via regression testing are not applicable. This meets SIL 3.

Items from IEC 61508-2, Table B.5 include functional testing and functional testing under environmental conditions, project management, documentation, failure analysis (analysis of products that failed), expanded functional testing, black-box testing, and fault insertion testing. This meets SIL 3.

5.1.5 Verification

The development and verification activities are defined in Sections 2.b and 2.c of Execution of Research & Development Projects Execution of R&D Projects Policy, D003. For each design phase the objectives, the required input and output documents, and the review activities are stated. This meets SIL 3.

5.1.6 Proven In Use

In addition to the design fault avoidance techniques listed above, a Proven in Use evaluation was carried out on the Flowserve Automax Pneumatic Rack & Pinion Actuators. Shipment records were used to determine that the Automax Actuators have >100 million operating hours, and they have demonstrated a field failure rate less than the failure rates indicated in the FMEDA reports. This meets the requirements for Proven In Use for SIL 3.

5.1.7 Modifications

Modifications are initiated per Engineering Drawing / Data Issue and Change Control, Ref: 300005, D022. All changes are first reviewed and analyzed for impact before being approved. Measures to verify and validate the change are developed following the normal design process. This meets SIL 3.

5.1.8 User documentation

Flowserve Flow Control creates the following user documentation: product brochures, User Instructions and a Safety Manual. The Safety Manual was found to contain all of the required information given the simplicity of the products. The Safety Manual references the FMEDA reports, which are available and contain the required failure rates, failure modes, useful life, and suggested proof test information. Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities (Automax Pneumatic Rack & Pinion Actuators perform well-defined actions) and operation only by skilled operators (operators familiar with the type of actuator, although this is partly the responsibility of the end-user). This meets SIL 3.

5.2 Hardware Assessment

To evaluate the hardware design of the Automax Pneumatic Rack & Pinion Actuators, Failure Modes, Effects, and Diagnostic Analyses were performed by exida. These are documented in [R1].

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with an extension to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design. From the FMEDA, failure rates are derived for each important failure category.

All failure rate analysis results and useful life limitations are listed in the FMEDA report [R1]. Tables in the FMEDA report list these failure rates for the Automax Pneumatic Rack & Pinion Actuators under a variety of applications. The failure rates listed are valid for the useful life of the devices. Note that, as the Automax Pneumatic Rack & Pinion Actuators are only one part of a (sub)system, the SFF should be calculated for the entire final element combination.

These results must be considered in combination with the PFD AVG values of the other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The architectural constraints requirements of IEC 61508-2, Table 2 also need to be evaluated for each final element application. It is the end user's responsibility to confirm this for each particular application and to include all components of the final element in the calculations.

The analysis shows that the design of the Automax Pneumatic Rack & Pinion Actuators can meet the hardware requirements of IEC 61508 up to SIL 3, depending on the complete final element design. The Hardware Fault Tolerance, PFD AVG, and Safe Failure Fraction requirements of IEC 61508 must be verified for each specific design.
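The two checks the report leaves to the end user, combining the actuator's failure rates with the other final-element devices and then testing both the PFD AVG band and the IEC 61508-2 Table 2 architectural constraints, as an added Python example; this is not code from exida or Flowserve, and every failure rate in it is a constructed placeholder rather than a value from the FMEDA report [R1]. It assumes the simplified 1oo1 low-demand formula PFDavg = λDU·TI/2 and the Route 1H SFF/HFT tables for Type A and Type B elements.

```python
"""Final-element SFF, PFDavg and architectural-constraint check (IEC 61508-2).

Added example, not part of the exida report. All failure rates below are
CONSTRUCTED placeholders in FIT (1e-9 failures per hour); the real Automax
figures are in the FMEDA report [R1], which this page does not reproduce.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = 1e-9 failures per hour (Terms and Definitions)


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of one element in FIT, split into the four IEC 61508 categories."""
    name: str
    lambda_sd: float  # safe, detected by diagnostics
    lambda_su: float  # safe, undetected
    lambda_dd: float  # dangerous, detected by diagnostics
    lambda_du: float  # dangerous, undetected (revealed only by proof test or demand)

    @property
    def total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def combine_series(elements) -> FailureRates:
    """Series combination of a final element (e.g. solenoid + actuator + valve): any
    one element failing dangerously fails the whole, so rates per category add."""
    elements = list(elements)
    return FailureRates(
        name=" + ".join(e.name for e in elements),
        lambda_sd=sum(e.lambda_sd for e in elements),
        lambda_su=sum(e.lambda_su for e in elements),
        lambda_dd=sum(e.lambda_dd for e in elements),
        lambda_du=sum(e.lambda_du for e in elements),
    )


def safe_failure_fraction(rates: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total."""
    return (rates.lambda_sd + rates.lambda_su + rates.lambda_dd) / rates.total


def pfd_avg_1oo1(rates: FailureRates, proof_test_interval_h: float) -> float:
    """Simplified low-demand 1oo1 PFDavg = lambda_DU * TI / 2 (no MTTR or beta terms)."""
    return rates.lambda_du * FIT * proof_test_interval_h / 2


def sil_from_pfd_avg(pfd_avg: float) -> int:
    """Low demand mode PFDavg bands of IEC 61508-1 (0 = does not reach SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


# IEC 61508-2 Route 1H architectural constraints: SFF band -> max SIL at HFT 0, 1, 2.
# Type A = non-complex (e.g. a mechanical actuator), Type B = complex (e.g. microcontroller).
_ROUTE_1H = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def _sff_band(sff: float) -> int:
    """Band index for SFF: <60%, 60-<90%, 90-<99%, >=99%."""
    return sum(sff >= threshold for threshold in (0.60, 0.90, 0.99))


def max_sil_architectural(sff: float, hft: int, element_type: str = "A") -> int:
    """Maximum SIL the architecture allows (0 means not allowed for any SIL)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return _ROUTE_1H[element_type][_sff_band(sff)][hft]


def assess_final_element_1oo1(elements, proof_test_interval_h, element_type="A"):
    """Combine the elements, then apply both checks the report leaves to the end user:
    the PFDavg band and the architectural constraints. Single channel (HFT 0)."""
    combined = combine_series(elements)
    sff = safe_failure_fraction(combined)
    pfd = pfd_avg_1oo1(combined, proof_test_interval_h)
    sil_pfd = sil_from_pfd_avg(pfd)
    sil_arch = max_sil_architectural(sff, 0, element_type)
    return {"name": combined.name, "sff": sff, "pfd_avg": pfd,
            "sil_pfd": sil_pfd, "sil_arch": sil_arch, "sil": min(sil_pfd, sil_arch)}


# CONSTRUCTED rates in FIT for illustration only; not taken from any FMEDA report.
ACTUATOR = FailureRates("actuator (constructed)", 0, 700, 0, 300)
SOLENOID = FailureRates("solenoid (constructed)", 0, 400, 0, 400)
VALVE = FailureRates("valve (constructed)", 0, 600, 0, 700)
FINAL_ELEMENT = (SOLENOID, ACTUATOR, VALVE)

if __name__ == "__main__":
    # The actuator alone clears the 60 % SFF band; the complete final element does not.
    print(f"actuator SFF = {safe_failure_fraction(ACTUATOR):.3f}")
    for key, value in assess_final_element_1oo1(FINAL_ELEMENT, 8760).items():
        print(f"{key:>8}: {value}")
```

With the constructed rates the actuator by itself sits in the 60-90 % SFF band (SIL 2 at HFT 0), while the combined final element falls below 60 % and is limited to SIL 1, which is exactly why the report insists that SFF and PFD AVG be evaluated for the whole final element rather than the actuator alone.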

6 Terms and Definitions

Fault tolerance | Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT | Failure In Time (1x10^-9 failures per hour)
FMEDA | Failure Mode Effect and Diagnostic Analysis
HFT | Hardware Fault Tolerance
Low demand mode | Mode where the frequency of demands for operation made on a safety-related system is no greater than twice the proof test frequency.
PFD AVG | Average Probability of Failure on Demand
SFF | Safe Failure Fraction: summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF | Safety Instrumented Function
SIL | Safety Integrity Level
SIS | Safety Instrumented System: implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element | Non-complex element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element | Complex element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2

7 Status of the Document

7.1 Liability

exida prepares reports based on methods advocated in International standards. exida accepts no liability whatsoever for the use of this report or for the correctness of the standards on which the general calculation methods are based.

7.2 Releases

Version: V1
Revision: R2
Version History:
V1, R2: updated versions of FMEDA Report and SafetyCase; 30 Aug 2013
V1, R1: Released; 27 June 2013
V0, R1: Draft; 10 June 2013
Author(s): Griff Francis
Review: V0, R1: Steven Close (exida); 25 June 2013
Release status: Released

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

Steven F. Close, Senior Safety Engineer
Griff Francis, Senior Safety Engineer