
2016-09-01

Report-No.: 968/EZ 195.38/16 Page 1 of 12

Automation - Functional Safety

Report about the evaluation of various changes on the Safety Manager R160.2

of Honeywell Safety Management Systems

Report-No.: 968/EZ 195.38/16 Date: 2016-09-01


Report-No.: 968/EZ 195.38/16

Date: 2016-09-01

Number of pages (excl. appendices): 12

Product / Project: Safety Manager R160.2, Safety-related Programmable System incl. SafeNet and remote Universal Safety IO modules

Customer / Manufacturer: Honeywell Safety Management Systems, Burgemeester Burgerslaan 40, 5245 NH Rosmalen ('s-Hertogenbosch), The Netherlands

Customer-Order-No./Date: 4407742165 dated 2016-02-15

Certification Body: TÜV Rheinland Industrie Service GmbH, Automation - Functional Safety (A-FS), Am Grauen Stein, 51105 Köln, Germany

TÜV-Quotation-No. / Date: Safety Management Maintenance 2016

TÜV-Order-No. / Date: 21234276 Position 200 dated 2016-02-15

Assessor/Expert: Dipl.-Ing. Klaus Jauernik

Duration: July 2016 and August 2016

The assessment results are exclusively related to the object of assessment. This report must not be copied in an abridged version without the written permission of the Certification Body.


Contents Page

1. Scope 4

2. Standards forming the basis for the requirements 4

3. Identification of the product / project under assessment 5

3.1. Description of the product / project 5

3.2. Documents provided by the customer 5

3.3. Documents compiled by TÜV Rheinland 6

3.4. Product samples 6

3.5. Previous reports and certificates 6

4. Objects and results of the assessment 8

4.1. Documentation of the safety related changes 8

4.2. Evaluation of the documentation 9

4.3. Software changes by Safety Manager R160.2 9

4.3.1. Software changes on FC-QPP-0002 9

4.3.2. Software changes on FC-RUSIO-3224 and FC-RUSLS-3224 10

4.3.3. Electrical safety and environmental tests for SW changes 11

4.3.4. Application standards, Safety Parameters 11

4.3.5. User documentation for the safe use 11

5. Summary 11


1. Scope

This report summarises the results of the assessment of the Safety Manager Software R160.2 according to the requirements of Cat. 4 / PL e of EN ISO 13849-1, SIL CL 3 of EN 62061 / IEC 61508.

The Safety Manager Software R160.2 is a controlled maintenance release targeting the limited set of customers that are connected to an EUCN network or have migrated their FSC system to Safety Manager.

All changes and PARs have Safety Manager R160.1b and R153.2 as baseline. In this report the changes to Safety Manager R160.2 are analyzed.

2. Standards forming the basis for the requirements

[N1] EN ISO 13849-1:2015 Safety of machinery - Safety-related parts of control systems Part 1: General principles for design

[N2] EN 62061:2005 + AC:2010 + A1:2013 + A2:2015 Functional safety of safety-related electrical, electronic and programmable electronic control systems

[N3] IEC 61508 Parts 1-7:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems

[N4] EN 61511-1:2004 Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements

[N5] EN 61131-2:2007 Programmable controllers – Part 2: Equipment requirements and tests

[N6] IEC 61326-3-1:2008 Electrical equipment for measurement, control and laboratory use - EMC requirements Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications

[N7] IEC 61010-1:2010 + C1:2011 + C2:2013 Safety requirements for electrical equipment for measurement, control and laboratory use Part 1: General requirements

[N8] EN 60204-1:2006 + A1:2009 + AC:2010 (in extracts) Safety of machinery – Electrical equipment of machines – Part 1: General requirements

[N9] EN 54-2:1997 + AC:1999 + A1:2006 Fire detection and fire alarm systems – Part 2: Control and indicating equipment

[N10] EN 50130-4:2011 +A1:2014 Alarm systems Part 4: Electromagnetic compatibility – Product family standard: Immunity requirements for components of fire, intruder and social alarm systems

[N11] EN 50156-1:2004 Electrical Equipment for Furnaces


[N12] EN 298:2012 Automatic gas burner control systems for gas burners and gas burning appliances with or without fans

[N13] NFPA 72:2016 National Fire Alarm Code Handbook

[N14] NFPA 85:2015 Boiler and Combustion Systems Hazards Code

[N15] NFPA 86:2015 Standard for Ovens and Furnaces

[N16] NFPA 87:2015 Recommended Practice for Fluid Heaters

3. Identification of the product / project under assessment

3.1. Description of the product / project

The Safety Manager Software R160.2 is a controlled maintenance release targeting the limited set of customers that are connected to an EUCN network or have migrated their FSC system to Safety Manager.

The Safety Manager R160.2 device under test is identified as follows:

• Safety Manager R160.2: R160.2.0.372
• Safety Processor (FC-QPP-0002): R160.2.0.372
• Universal Safety IO (FC-RUSIO-3224 / FC-RUSLS-3224): R160.2.0.372
• Safety Manager R160.2 embedded software CRC: 0x8677F37F
• Safety Manual 160, issue 1.0, June 2016

All previously certified devices and software versions are given in the associated "Revisions List" version 4.3, filename: "01_205_5503_00_16_RL_2016-09-01".

3.2. Documents provided by the customer

The following documentation has been provided to the Test Institute electronically. For the changes, a PAR (Product Anomaly Report) has been carried out. The documents are stored at the Test Institute.

No. | Document | Rev. | Date
[D1] Product Anomalies and New Features SM R160.2 (File: TUV PAR Documentation SM-R160-2.docx) | 0.3 | 2016-08-31
[D2] R160.2 Safety Related software R160.2.0.372 (File: Safety Related Software R160.2.0.372.zip) | - | 2016-08-30
[D3] Safety Manager R160.2 Software Change Notice (File: SMR160.2 SCN.pdf) | 1.0 | 2016-08-31
[D4] Safety Manual EP-SM.MAN.6283 Release 160 (File: Safety Manual EP-SM.MAN.6283 R160.pdf) | 1.0 | 2016-06
[D5] Safety Manager R160.2 Test Report (File: Test Report SM-R160-2.xlsm) | - | 2016-08-30
[D6] Changes compared to SM R160.1b and R153.2 (File: SM-R160.2-CrossCheckpart two.xlsx) | 1 | 2016-08-01


3.3. Documents compiled by TÜV Rheinland

The following documentation is prepared by TÜV Rheinland:

No. | Document | Rev. | Date
[D7] Evaluation Plan for modifications | 1 | 2016-09-01
[D8] CHECKLISTE ZU SOFTWARE-MODIFIKATIONEN.doc | 1 | 2016-09-01

3.4. Product samples

The assessment was based on the information and documentation listed in chapter 3.2 provided by the manufacturer. No product sample was required.

3.5. Previous reports and certificates

No. | Report | Report-No. | Date | Certificate No. | Date
[R1] Report of the type approval of Safety Manager | 968/EZ 195.00/05 | 2005-03-04 | 968/EZ 195.00/05 | 2005-03-04
[R2] Report of the approval of different changes of Safety Manager | 968/EZ 195.01/05 | 2005-07-15 | - | -
[R3] Report of the approval of different changes of Safety Manager | 968/EZ 195.02/05 | 2005-10-04 | - | -
[R4] Report of the approval of SafeNet and different changes of Safety Manager | 968/EZ 195.03/06 | 2006-08-04 | 968/EZ 195.03/06 | 2006-08-04
[R5] Report of different changes of Safety Manager V110.5 | 968/EZ 195.04/06 | 2006-11-27 | - | -
[R6] Report of different changes of Safety Manager V110.6 | 968/EZ 195.05/07 | 2007-05-14 | - | -
[R7] Report of the approval of different changes of Safety Manager R120.3/R120.4 | 968/EZ 195.06/07 | 2007-10-11 | - | -
[R8] Report of the approval of different changes of Safety Manager R131.1 | 968/EZ 195.07/08 | 2008-04-14 | 968/EZ 195.07/08 | 2008-04-14
[R9] Report about the type approval of the Universal-Remote-I/O Module | 968/EZ 195.08/09 | 2009-02-06 | - | -
[R10] Report of the approval of different changes of Safety Manager R131.3 and 131.5 | 968/EZ 195.09/09 | 2009-06-18 | 968/EZ 195.09/09 | 2009-06-18
[R11] Report of the approval of different changes of Safety Manager R131.7 | 968/EZ 195.10/10 | 2010-05-18 | - | -
[R12] Report of the approval of different changes of Safety Manager R132.1 | 968/EZ 195.11/10 | 2010-11-30 | - | -
[R13] Test report on the type approval of the Safety Device Safety Manager R 140.2 | 968/EZ 195.12/10 | 2010-12-20 | 968/EZ 195.12/10 | 2010-12-20
[R14] Test report on the type approval of the Safety Device Safety Manager R140.3 | 968/EZ 195.13/11 | 2011-05-04 | 968/EZ 195.13/11 | 2011-05-04
[R15] Report of the approval of different changes of Safety Manager R133.1 | 968/EZ 195.14/11 | 2011-05-11 | - | -
[R16] Report of the approval of different changes of Safety Manager R133.2 | 968/EZ 195.15/11 | 2011-06-14 | - | -
[R17] Report of the approval of different changes of Safety Manager R133.3 | 968/EZ 195.16/11 | 2011-09-20 | - | -
[R18] Report of the approval of different changes of Safety Manager R145.1 | 968/EZ 195.17/11 | 2011-10-14 | - | -
[R19] Report on the approval of the Safety Manager R150.1 | 968/EZ 195.18/12 | 2012-08-13 | 968/EZ 195.18/12 | 2012-08-13
[R20] Report of the approval of different changes of Safety Manager R133.4 | 968/EZ 195.19/12 | 2012-08-13 | - | -
[R21] Report of the approval of different changes of Safety Manager R150.1a | 968/EZ 195.20/12 | 2012-12-05 | - | -
[R22] Report of the approval of different changes of Safety Manager R150.1b | 968/EZ 195.21/13 | 2013-01-08 | - | -
[R23] Report of the approval of different changes of Safety Manager R145.2 | 968/EZ 195.22/13 | 2013-04-29 | - | -
[R24] Report of the approval of different changes of Safety Manager R133.5 | 968/EZ 195.23/13 | 2013-05-15 | - | -
[R25] Test report about the approval of different changes of Safety Manager 151.1 | 968/EZ 195.24/13 | 2013-07-03 | - | -
[R26] Test report about the approval of different changes of Safety Manager 151.2 | 968/EZ 195.25/13 | 2013-09-26 | - | -
[R27] Test report about the approval of different changes of Safety Manager R146.1 | 968/EZ 195.26/14 | 2014-01-14 | - | -
[R28] Test report about the approval of different changes of Safety Manager R145.2a | 968/EZ 195.27/14 | 2014-03-26 | - | -
[R29] Test report about the approval of different changes of Safety Manager R151.3 | 968/EZ 195.28/14 | 2014-04-14 | - | -
[R30] Test report about the approval of different changes of Safety Manager R151.4 | 968/EZ 195.29/14 | 2014-05-08 | - | -
[R31] Test report about the approval of various changes of Safety Manager R152.1 | 968/EZ 195.30/14 | 2014-11-19 | - | -
[R32] Test report about the approval of various changes of Safety Manager R152.1 | 968/EZ 195.31/14 | 2014-12-05 | - | -
[R33] Test report about the approval of various changes of Safety Manager R152.2 | 968/EZ 195.32/15 | 2015-05-28 | - | -
[R34] Test report about the approval of various changes of Safety Manager R160.1b | 968/EZ 195.33/15 | 2015-10-22 | - | -
[R35] Test report about the approval of various changes of Safety Manager R152.3 | 968/EZ 195.34/15 | 2015-11-11 | - | -
[R36] Test report about the assessment of the Safety Functions for the Safety Manager | 968/EZ 195.35/16 | 2016-03-30 | 01/205/5503.00/16 | 2016-03-30
[R37] Test report about the approval of various changes on the Safety Manager R153.1 | 968/EZ 195.36/16 | 2016-04-27 | - | -
[R38] Test report about the approval of various changes on the Safety Manager R153.2 and the HW modifications of SDIL-1608 | 968/EZ 195.37/16 | 2016-06-01 | - | -

4. Objects and results of the assessment

4.1. Documentation of the safety related changes

All changes and PARs have Safety Manager R160.1b [R34] and R153.2 [R38] as baseline. In this report the changes to Safety Manager R160.2 are analyzed.

R160.2 is the successor of the approved Safety Manager R160.1b, extended with the following enhancement of SM R153.2:

• Earth leakage detection (support of FC-TELD-0001)

In addition, R160.2 was extended by the following items:

• Remove QPP-0001 (Quad Processor Pack)
• EUCN (communication)
• AI Sensor diagnostics
• WDR (watchdog routine)
• ANN (annunciator)
• OLM (online modification)
• PID (PID algorithm)


The new features and changes have been documented in "Product Anomalies Analysis and Fix Descriptions" [D1]. The Product Anomaly Reports (PAR) provide the following information:

• Root cause analysis, solutions and test cases
• Reason for each change
• Impact analysis for each change
• Test results (embedded EXCEL sheet in the main PAR document)

The Product Anomaly Reports (PAR) lead to changes in the safety critical part of the Safety Manager Software in the following hardware modules:

• FC-QPP-0002 Enhanced Performance Quad Processor Pack
• FC-RUSIO-3224 Remote Universal Safe IO module (24 V, 32 Channels)
• FC-RUSLS-3224 Remote Universal Logic Solver module (24 V, 32 Channels)

The customer has assessed all PARs, which are all either functional safety critical or affect the safety critical code. The changes have been analyzed in the following chapters.

4.2. Evaluation of the documentation

According to the requirements of IEC 61508 [N3], the manufacturer of a safety related system has to provide sufficient information on the changes and the impact of the changes.

Result:

The review of the documents [D1] and [D3] has shown that the information inside the documents and the way the documents are handled by the manufacturer meet the requirements of IEC 61508 [N3].

The examination of the manufacturer’s documentation was concluded with a positive result.

4.3. Software changes by Safety Manager R160.2

4.3.1. Software changes on FC-QPP-0002

The following anomalies are fixed on FC-QPP-0002.

The documented changes [D1] have been analyzed:

No. | PAR No. | IAR Ver. | TUV PAR Rev. | Date
3.1 | 1-W8BEPZ | 2 | 0.1 | 2016-03-22
3.2 | 1-4G0AFAB | 1 | 0.1 | 2016-03-16
3.3 | 1-OXP99V | 1 | 0.1 | 2016-05-02
3.4 | 1-1S2ZNCN | 1 | 0.1 | 2016-04-12
3.5 | 1-4FHBIK1 | 1 | 0.1 | 2016-04-05
3.6 | 1-3QNP26C | 5 | 0.1 | 2016-04-14
3.7 | 1-5599VYD | 1 | 0.1 | 2016-03-24
3.8 | 1-CO47W9 | 3 | 0.1 | 2016-06-01
3.9 | 1-3UZQ539 | 1 | 0.1 | 2016-04-08
3.10 | 1-4EI3SXB | 1 | 0.1 | 2016-05-16
3.11 | 1-3CKGKV7, 1-43AUMK9, 1-10VN0ID | 2 | 0.1 | 2016-04-24
3.12 | 1-4CC446M | 1 | 0.1 | 2016-03-15
3.13 | 1-UVS9OF | 2 | 0.1 | 2016-03-11
3.14 | 1-5O7JF7U | 1 | 0.2 | 2016-06-30
3.15 | 1-5P340UJ | 1.3 | 0.2 | 2016-07-25
3.16 | 1-5N4Q5CV | 2.1 | 0.2 | 2016-06-27
3.17 | 1-5HWEROH | 3 | 0.2 | 2016-06-27
3.18 | 1-5TDFXCJ | 1.0 | 0.2 | 2016-07-29
3.19 | 1-5FB3A8T | 3 | 0.2 | 2016-07-19
3.20 | 1-40FE5VR | 2 | 0.2 | 2016-07-11
3.21 | 1-5QI1X73, 1-10VN0ID | 1 | 0.2 | 2016-07-17
3.22 | 1-5TX98RN | 1 | 0.3 | 2016-08-10
3.23 | 1-61QE2KH | 1 | 0.3 | 2016-08-23

The functions are described in detail by the Software Change Notice [D3].

All listed PARs were solved by changing the software. All items were retested, as far as required.

From the retest of the test sequences (see System Test Report [D5]) and within the PAR documentation there are still some open deviations.

These deviations are not safety related. For this reason new PARs have been created to fix them.

Result:

The documents contain all necessary information to understand the reason for the change. The way of documentation fulfills the requirements of IEC 61508. The test results are accepted by the Test Institute. The examination was finished with a positive result.

4.3.2. Software changes on FC-RUSIO-3224 and FC-RUSLS-3224

The following anomalies are fixed on FC-RUSIO-3224 and FC-RUSLS-3224. The documented changes [D1] have been analyzed:

No. | PAR No. | IAR Ver. | TUV PAR Rev. | Date
4.1 | 1-4MTSDPZ | 1 | 0.1 | 2016-03-02
4.2 | 1-4WI0ITF | 5.0 | 0.2 | 2016-07-01
4.3 | 1-40EPMWN | 1.0 | 0.2 | 2016-07-06
4.4 | 1-5T7Q7HA | 1.0 | 0.2 | 2016-07-25
4.5 | 1-192F4EV | 1.0 | 0.2 | 2016-07-26
4.6 | 1-40EPMWN | 1.0 | 0.2 | 2016-07-06
4.7 | 1-5TO8PZZ | 1.0 | 0.2 | 2016-07-29


The functions are described in detail by the Software Change Notice [D3].

All listed PARs were solved by changing the software. All items were retested, as far as required.

From the retest of the test sequences (see System Test Report [D5]) and within the PAR documentation there are still some open deviations.

These deviations are not safety related. For this reason new PARs have been created to fix them.

Result:

The documents contain all necessary information to understand the reason for the change. The way of documentation fulfills the requirements of IEC 61508. The test results are accepted by the Test Institute. The examination was finished with a positive result.

4.3.3. Electrical safety and environmental tests for SW changes

Since only software changes took place, the electrical safety and environmental test results as stated in [R36] remain valid.

4.3.4. Application standards, Safety Parameters

The results presented in report [R36] were not affected by the changes. Thus these results remain valid.

4.3.5. User documentation for the safe use

As part of the modification, the manufacturer revised the safety manual [D4] and the accompanying Software Change Notice [D3].

Result:

The review of the user documentation was concluded with a positive result. The corresponding requirements that result from the standards specified in Section 2 which apply to the user documentation are still met.

5. Summary

During the evaluation of the changes for the Safety Manager R160.2 no infringement of the functional and safety-related requirements in the applied standards could be found.

The product complies with the requirements of the relevant standards (Cat. 4 / PL e acc. to EN ISO 13849-1, SIL CL 3 acc. to EN 62061 / IEC 61508). It is suitable for the use in safety-related applications up to SIL 3 acc. to EN 62061 / IEC 61511 / IEC 61508 and PL e / Cat. 4 acc. to EN ISO 13849-1.

The additional requirements as listed in the “Safety Manager R160.2 Software Change Notice” [D3] and the “Safety Manual EP-SM.MAN.6283” [D4] must be considered.

Cologne, 2016-09-01

Report released after review: TIS/A-FS/Kst. 968 jau-nie

Date: 2016-09-01

The assessor: Dipl.-Ing. Klaus Jauernik

Dipl.-Ing. (FH) Gernot Klaes


Statement of the certification body:

According to the results documented in this report and the conformity shown to the relevant and applied standards and their protection goals, it is confirmed that the certificate no. 01/205/5503.00/16 dated 2016-03-30 remains valid. The associated "Revisions List" version 4.3, filename "01_205_5503_00_16_RL_2016-09-01", is updated correspondingly.

Cologne, 2016-09-01

Specialist Certifier: Dipl.-Ing. (FH) Gernot Klaes