
Page 1: IEC 61508 Assessment...2020/03/30  · of IEC 61508-1. The 2140:SIS Vibrating Fork Liquid Level Detector can also be used in a high demand safety related sy stem in a manner where

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

Results of the IEC 61508 Functional Safety Assessment

Project: 2140:SIS Vibrating Fork Liquid Level Detector

Customer: Rosemount Tank Radar, Sweden

Contract No.: Q21/01-012

Report No.: MOB 15-08-012 R003

Version V3, Revision R2, March 18, 2021

Loren Stewart


© exida MOB 15-08-012 R003 V3R2 Assessment 2140.docx

T-034 V5R7 exida 80 N. Main St, Sellersville, PA 18960 Page 2 of 30

Management Summary

The Functional Safety Assessment of the Rosemount Tank Radar 2140:SIS Vibrating Fork Liquid Level Detector development project, performed by exida, consisted of the following activities:

- exida assessed the development process used by Rosemount Tank Radar through an audit and review of a detailed safety case against the exida certification scheme, which includes the relevant requirements of IEC 61508. The assessment was executed using subsets of the IEC 61508 requirements tailored to the work scope of the development team.

- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior.

- exida reviewed the manufacturing quality system in use at Rosemount Tank Radar.

The functional safety assessment was performed to the SIL 3 requirements of IEC 61508:2010. A full IEC 61508 Safety Case was created using the exida Safety Case tool, which also served as the primary audit tool. Hardware and software process requirements and all associated documentation were reviewed. Environmental test reports, user documentation and the safety manual were also reviewed.

The results of the Functional Safety Assessment can be summarized by the following statements:

The audited development process, as tailored and implemented by the Rosemount Tank Radar 2140:SIS Vibrating Fork Liquid Level Detector development project, complies with the relevant safety management requirements of IEC 61508 up to SIL 3.

The assessment of the FMEDA, done to the requirements of IEC 61508, has shown that the 2140:SIS Vibrating Fork Liquid Level Detector can be used in a low demand safety related system in a manner where the PFDavg is within the allowed range for SIL 2 (HFT = 0) or SIL 3 (with HFT = 1) according to Table 2 of IEC 61508-1. The 2140:SIS Vibrating Fork Liquid Level Detector can also be used in a high demand safety related system in a manner where the PFH is within the allowed range for SIL 2 (HFT = 0) or SIL 3 (with HFT = 1) according to Table 3 of IEC 61508-1.

The assessment of the FMEDA also shows that the 2140:SIS Vibrating Fork Liquid Level Detector meets the requirements for architectural constraints of an element such that it can be used to implement a SIL 2 safety function (with HFT = 0) or a SIL 3 safety function (with HFT = 1).

This means that the 2140:SIS Vibrating Fork Liquid Level Detector is capable for use in up to SIL 3 applications in high or low demand mode when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual.
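To make the two separate conditions in the preceding paragraphs concrete, here is an added example; it is not code from the report, from exida or from Rosemount. It looks up the PFDavg and PFH bands of IEC 61508-1 Tables 2 and 3, applies the architectural cap stated above for this element (SIL 2 at HFT = 0, SIL 3 at HFT = 1), and compares a single detector (1oo1) against a redundant pair (1oo2) using the simplified IEC 61508-6 formulas. The dangerous undetected failure rate, the proof-test interval and the beta factor are constructed values, not results of the FMEDA, and the formulas ignore repair time and dangerous-detected failures.

```python
# Added example: SIL band lookup per IEC 61508-1 Tables 2 and 3, combined with the
# architectural-constraint cap stated in this assessment (HFT=0 -> SIL 2, HFT=1 -> SIL 3).
# Failure rate, proof-test interval and beta below are constructed, not from the FMEDA.

# IEC 61508-1 Table 2: PFDavg bands for low demand mode, [lower, upper) per SIL.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# IEC 61508-1 Table 3: PFH bands (per hour) for high demand / continuous mode.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Architectural constraints as stated in the management summary for this element.
# Other HFT values are not covered by the report, so they are rejected rather than guessed.
ARCH_MAX_SIL = {0: 2, 1: 3}


def sil_band(value, bands):
    """SIL whose band contains `value` (a PFDavg or a PFH).

    Returns 0 when the value is worse than the SIL 1 band; values better than the
    SIL 4 lower bound still only satisfy SIL 4 (the standard defines nothing higher).
    """
    if value < 0:
        raise ValueError("probability must be non-negative")
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= value < hi:
            return sil
    return 4 if value < bands[4][0] else 0


def pfd_avg_1oo1(lambda_du, t1_hours):
    """Simplified IEC 61508-6 1oo1 average PFD: lambda_DU * T1 / 2.

    Ignores repair time and dangerous-detected failures, the usual first-pass
    approximation for a single sensor with proof-test interval T1.
    """
    return lambda_du * t1_hours / 2


def pfd_avg_1oo2(lambda_du, t1_hours, beta):
    """Simplified 1oo2 average PFD with a beta-factor common-cause term.

    Independent-failure term: ((1 - beta) * lambda_DU * T1)^2 / 3
    Common-cause term:        beta * lambda_DU * T1 / 2
    """
    if not 0 <= beta < 1:
        raise ValueError("beta must be in [0, 1)")
    independent = ((1 - beta) * lambda_du * t1_hours) ** 2 / 3
    common_cause = beta * lambda_du * t1_hours / 2
    return independent + common_cause


def achievable_sil(value, hft, bands):
    """Minimum of the probabilistic band and the architectural cap for the given HFT.

    The two checks are independent in IEC 61508-2: a good enough PFDavg with
    HFT=0 still cannot claim SIL 3 for this element.
    """
    if hft not in ARCH_MAX_SIL:
        raise ValueError(f"HFT={hft} not covered by the assessment statement")
    return min(sil_band(value, bands), ARCH_MAX_SIL[hft])


def worked_example():
    """Constructed numbers: lambda_DU = 300 FIT (3e-7 /h), annual proof test, beta = 5 %."""
    lambda_du, t1, beta = 3e-7, 8760.0, 0.05
    single = pfd_avg_1oo1(lambda_du, t1)            # ~1.3e-3, SIL 2 band
    redundant = pfd_avg_1oo2(lambda_du, t1, beta)   # ~6.8e-5, SIL 4 band on PFD alone
    return {
        "1oo1_pfd": single,
        "1oo1_sil": achievable_sil(single, 0, PFD_BANDS),     # 2
        "1oo2_pfd": redundant,
        "1oo2_sil": achievable_sil(redundant, 1, PFD_BANDS),  # 3, capped by the HFT=1 constraint
    }


if __name__ == "__main__":
    for key, val in worked_example().items():
        print(f"{key}: {val}")
```

With these constructed numbers the single device lands in the SIL 2 PFDavg band, and the redundant pair with HFT = 1 is well inside the SIL 3 band but cannot claim more than SIL 3 because the architectural constraint, not the probability, is the binding limit. Before using this for a real SIF, replace the constructed failure rate with the dangerous undetected rate from the FMEDA report ([R3], superseded by [R5]) and take the proof-test interval from the Safety Manual.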


The manufacturer will be entitled to use the Functional Safety Logo.


Table of Contents

Management Summary ................................................................................................... 2

1 Purpose and Scope ................................................................................................... 6

1.1 Tools and Methods used for the assessment ............................................................... 6

2 Project Management .................................................................................................. 7

2.1 exida ............................................................................................................................ 7

2.2 Roles of the parties involved ........................................................................................ 7

2.3 Standards / Literature used .......................................................................................... 7

2.4 Reference documents .................................................................................................. 7

2.4.1 Documentation provided by Rosemount Tank Radar ......................................... 7

2.4.2 Documentation generated by exida ................................................................. 11

2.5 Assessment Approach ............................................................................................... 12

3 Product Description ................................................................................................. 13

3.1 Hardware and Firmware Version Numbers ................................................................. 14

4 IEC 61508 Functional Safety Assessment Scheme................................................. 15

4.1 Product Modifications ................................................................................................. 15

5 Results of the IEC 61508 Functional Safety Assessment ........................................ 16

5.1 Lifecycle Activities and Fault Avoidance Measures .................................................... 16

5.1.1 Functional Safety Management ....................................................................... 16

5.1.2 Safety Lifecycle and FSM Planning ................................................................. 17

5.1.3 Documentation ................................................................................................ 17

5.1.4 Training and competence recording ................................................................. 18

5.1.5 Configuration Management .............................................................................. 18

5.1.6 Tools (and languages) ..................................................................................... 18

5.2 Safety Requirement Specification .............................................................................. 19

5.3 Change and modification management ...................................................................... 19

5.4 System Design ........................................................................................................... 20

5.5 Hardware Design and Verification .............................................................................. 20

5.5.1 Hardware architecture design .......................................................................... 21

5.5.2 Hardware Design / Probabilistic properties ...................................................... 21

5.6 Software Design ......................................................................................................... 21

5.7 Software Verification .................................................................................................. 22

5.8 Safety Validation ........................................................................................................ 23

5.9 Safety Manual ............................................................................................................ 24

6 2020 IEC 61508 Functional Safety Surveillance Audit ............................................. 25

6.1 Roles of the parties involved ...................................................................................... 25

6.2 Surveillance Methodology .......................................................................................... 25


6.2.1 Documentation provided by Rosemount Tank Radar ....................................... 26

6.2.2 Surveillance Documentation generated by exida............................................. 27

6.3 Surveillance Results ................................................................................................... 27

6.3.1 Procedure Changes ......................................................................................... 27

6.3.2 Engineering Changes ...................................................................................... 27

6.3.3 Impact Analysis ............................................................................................... 27

6.3.4 Field History .................................................................................................... 28

6.3.5 Safety Manual.................................................................................................. 28

6.3.6 FMEDA Update ............................................................................................... 28

6.3.7 Evaluate use of certificate and/or certification mark ......................................... 28

6.3.8 Previous Recommendations ............................................................................ 28

6.4 Surveillance Audit Conclusion .................................................................................... 28

7 Terms and Definitions .............................................................................................. 29

8 Status of the document ............................................................................................ 30

8.1 Liability ....................................................................................................................... 30

8.2 Version History ........................................................................................................... 30

8.3 Future Enhancements ................................................................................................ 30

8.4 Release Signatures .................................................................................................... 30


1 Purpose and Scope

This document describes the results of the IEC 61508 functional safety assessment of the

➢ 2140:SIS Vibrating Fork Liquid Level Detector

by exida according to the accredited exida certification scheme, which includes the requirements of IEC 61508:2010.

The purpose of the assessment was to evaluate the compliance of:

- the 2140:SIS Vibrating Fork Liquid Level Detector with the technical IEC 61508-2 and -3 requirements for SIL 3 and the derived product safety property requirements

and

- the 2140:SIS Vibrating Fork Liquid Level Detector development processes, procedures and techniques as implemented for the safety-related deliveries with the managerial IEC 61508-1, -2 and -3 requirements for SIL 3.

and

- the 2140:SIS Vibrating Fork Liquid Level Detector hardware analysis represented by the Failure Mode, Effects and Diagnostic Analysis with the relevant requirements of IEC 61508-2.

The assessment has been carried out based on the quality procedures and scope definitions of exida.

The results of this assessment provide the safety instrumentation engineer with the required failure data per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic failures during the development process of the device.

1.1 Tools and Methods used for the assessment

This assessment was carried out using the exida Safety Case tool. The Safety Case tool contains the exida scheme, which includes all the relevant requirements of IEC 61508.

For each objective, expectations are defined that together form the acceptance level for the assessment. The expectations are reviewed to verify that every single requirement is covered. This methodology makes assessments comparable across multiple projects and different assessors. The arguments for the positive judgment of the assessor are documented within this tool and summarized in this report.

The assessment was planned by exida and agreed with Rosemount Tank Radar (see [R2]).

All assessment steps were continuously documented by exida (see [R1]).


2 Project Management

2.1 exida

exida is one of the world's leading accredited Certification Bodies and knowledge companies, specializing in automation system safety, availability and cybersecurity, with over 500 person-years of cumulative experience in functional safety. Founded by several of the world's top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project-oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment based on 350 billion hours of field failure data.

2.2 Roles of the parties involved

Rosemount Tank Radar: design responsibility for the 2140:SIS Vibrating Fork Liquid Level Detector.

exida: performed the hardware assessment [R3].

exida: performed the Functional Safety Assessment [R1] per the accredited exida scheme.

The 2140:SIS Vibrating Fork Liquid Level Detector has manufacturing sites in Sweden and Chanhassen, MN.

exida was contracted to perform the IEC 61508 Functional Safety Assessment of the above-mentioned devices.

2.3 Standards / Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 – 7): 2010

Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents

2.4.1 Documentation provided by Rosemount Tank Radar

Note: Documents highlighted in grey in this section have been superseded since the last assessment and the new documents are listed in Section 6: 2020 IEC 61508 Functional Safety Surveillance Audit.

Doc. ID | Document Type | Project Document Filename | Version | Date
D001 | Quality Manual | Quality Manual CURRENT.docx; Superseded by [D100] | Issue 11 | 9/12/2014
D003 | Overall Development Process | Product Design And Development Process.docx | Rev. 1 | Exported copy
D004 | Configuration Management Process | Configuration and Change Management Work Instruction.docx | Rev. 2.0 | Exported copy
D005 | Field Failure Reporting Procedure | RMA_Request_Form_SRtask_v1 2_300914 (2).pdf | n/a | 12/5/2014
D006 | Field Return Procedure | Mobrey Workflow- Depot.docx; Superseded by [D101] | Rev. 1.1 | 2014
D006b | Field Return Procedure - RMA | Repair Shipping Process v2.0.docx; Superseded by [D102] | 2.0 | 12/5/2014
D006c | Field Return Procedure - Repair | Return Repair Process v1.0.vsd; Superseded by [D103] | 1 | 4/12/2014
D007 | Manufacturer Qualification Procedure | PUR9 Issue 2.doc; Superseded by [D95] | Rev. 9 | 1/24/2014
D007b | Manufacturer Qualification Procedure | QD14 iss 08 SUPPLIER ASSESSMENT QUESTIONNAIRE.pdf | Iss. 8 | Exported copy
D008 | Part Selection Procedure | Supplier Quality Manual E.docx; Superseded by [D98] | Rev. E | 8/31/2014
D010 | Quality Management System Documentation Change Procedure | DEV 1 Iss 7 ECM Process.ppt | Iss. 7 | 10/12/2012
D012 | Non-Conformance Reporting Procedure | QD20 Issue 5 NONCONFORMING MATERIAL.docx; Superseded by [D96] | Iss. 5 | 2/20/2014
D013 | Corrective Action Procedure | QD05 Iss9 CORRECTIVE ACTIONS.docx | Iss. 9 | 4/9/2014
D016 | Action Item List Tracking Procedure | Action Item List Template.xlsx | n/a | Exported copy
D019 | Customer Notification Procedure | QD15 Iss 9 Quality Control of Approved Products.doc; Superseded by [D94] | Iss. 9 | 9/21/2014
D021 | Software Development Process | Product Design And Development Process.docx; Superseded by [D97] | Rev. 1 | Exported copy
D021b | Software Tool Qualification Procedure | Software Tool Qualification Procedure.docx | Rev. 1 | Exported copy
D023 | Modification Procedure | DEV 1 Iss 7 ECM Process.ppt; Superseded by [D99] | Rev. 7 | 12/18/2013
D023b | Impact Analysis Template | T001 Impact Analysis Template rev 2.doc | Rev. 2 | 5/16/2014
D026 | FSM Plan; Configuration Management Plan; Verification Plan; List of Design Tools | PCL199 - FSMP199 2140 Wired HART Functional Safety Management Plan.docx | AF | 12/9/2016
D030 | Shipment Records; Field Returns Records | 2130 FA data 2014 - 2015 - 2016.xls; ubd6_PIU_12_2016 for exida.xlsx; Superseded by [D89] and [D90] | n/a | Jan. 2017
D034 | Skills Matrix; Training Record | 2120 & 2130 Project Skills Matrix.xlsx | Rev. .01 | 3/17/2014
D036 | ISO 900x Cert or equivalent | RML ISO9001 2008 Certification.pdf; Certificate_9001_2008_RMT_Chanhassen_DNV.pdf; Superseded by [D107] | n/a | Oct. 2015
D040 | Safety Requirements Specification | PCL199 2140 Wired HART - SIRS.docx | AA-05 | 1/9/2017
D040b | Customer Requirements Document | CRD_2100_WiredHART_REV-AC.pdf | AC | Aug. 2015
D041 | Safety Requirements Review | Peer Review - PCL199 2140 HART7 - SIRS - AA 01.xlsm | AA-01 | Jan. 2016
D043 | Software Safety Requirements Specification | PCL199 2140 HART7 - SRS.doc | AT | 1/9/2017
D043b | Software Safety Requirements Review | 2140_SRS_QuckReviewCons_log.xlsm | SRS rev AD | 8/1/2016
D045 | System Architecture Design Specification | SRD_PCL199 2140 Wired HART RevAE.pdf | AE | Dec. 2016
D045b | System Architecture Design - HW Req Spec | 2140_ERS revAC.docx | AC | Dec. 2016
D045c | System Architecture Design - HW Req Review | Peer Review - PCL199 2140 HART7 -ERS - rev AA to AB.xlsm | ERS rev AB | Dec. 2016
D047 | Schematics / Circuit Diagrams | Schematics listed in D055, FMEDA report
D048 | Hardware Change List | 2140 HW changes.xlsx | n/a | Mar. 2016
D048b | Hardware Change List - Diagnostics | 2140 diagnostic changes.xlsx | n/a | Mar. 2016
D049 | High Level and Detailed Software Design Specification - Functional Requirements | PCL199 2140 HART7 - SDS.doc | AA | 1/6/2017
D050 | SW HAZOP or Criticality Analysis and Derived Requirements | PCL199 2140 Wired HART Software HAZOP.xlsx | 5 | 1/9/2017
D051b | Detailed Software Design Specification - Data Dictionary | PCL199 2140 Wired HART Data Dictionary.xls | M | 1/6/2017
D051c | Detailed Software Design Specification - UML | PCL199 2140 Wired HART software design specification.pdf | n/a | Exported copy
D052 | Software Modules Change List | PCL199 2140 Wired HART Changed Software Modules List.xlsx | 1 | 1/6/2017
D055b | FMEDA & Fault Injection Test Plan | 2140 wired hart new FMEDA-standard term block and isolator board.xlsx | 3 | Oct. 2016
D058 | Code Review Record | PCL199 2140 Wired HART Software Peer Review - mFrequencyMeasurement.c.xlsm | n/a | Dec. 2016
D058b | Code Review Record - MISRA Checklist | PCL199 2140 Wired HART Software Peer Review Checklist - mFrequencyMeasurement.c.xlsx | n/a | Nov. 2016
D058c | Code Review Record - Metrics | PCL199 - 2140 Wired HART Software Metrics Measurements.xlsx | 03 | Dec. 2016
D060 | Coding Standard | CS001 - Mobrey C coding standard v1.2.doc | Rev. 1.2 | 5/21/2014
D066 | Module Test Plan & Results; Requirements Traceability; Software Test Coverage Analysis | PCL199 2140 Wired HART Software Test traceability matrix.xlsx | n/a | Jan. 2017
D068 | Integration Test Plan & Results | DUT2140_STANDARD_DIAGNOSTICS.xlsx | 1 | 1/6/2017
D069 | Validation Test Plan - Compliance Matrix | CM0022 2140 RevAC.xlsx | AC | 12/10/2016
D069b | Validation Test Plan - Final Functional | TS89006_701 Rev AB-06.docx | AB-06 | 11/9/2016
D069c | Validation Test Plan - Ready For Upgrade | PCL199 2140 Ready For Upgrade.vsd | n/a | Dec. 2016
D070 | Validation Test Plan Review Record | 2140 4-20 Master EMC Review testplan results.xls | n/a | Aug. 2016
D074 | Validation Test Plan & Results Requirements Traceability | PCL199 2140 Wired HART SDVT Traceability Matrix - TR4854.xlsx | 01 | Jan. 2017
D074b | Validation Test Results - Ready For Upgrade | PCL199 2140 Wired HART SDVT - 4.1.1 & 4.1.2 - Ready For Upgrade, Model Variants.xlsx | 03 | Sep. 2016
D075b | Environmental Test Results - Amb Temp | 4844 2140 Temperature Test AB.pdf | | 11/2/2016
D075c | Environmental Test Results - Humidity | 4836 Humidity Testing AB.pdf | n/a | 11/9/2016
D075d | Environmental Test Results - Vibration | 4849 2140 Vibration Test Extreme Temp w ISO Board Rev AA.pdf | n/a | 12/8/2016
D075e | Environmental Test Results - Shock | 4827 - Shock, Drop and Topple Test Rev AA.pdf | n/a | 8/17/2016
D075f | Environmental Test Results - Lifetest | 4845 2140 Life Test 250,000+ Operations AA.pdf | n/a | 11/28/2016
D076 | EMC Test Results | 4832 2140 8-16ma with iso EMC Report.pdf | n/a | 11/17/2016
D078 | Operation / Maintenance Manual | 00809-0100-4140 Rev AA Rosemount 2140 Ref Man v2.pdf; Superseded by [D105] | 2 | Dec. 2016
D079 | Safety Manual | 00809-200-4140 RevAA Rosemount 2140SIS FSM v4.pdf; Superseded by [D106] | 4 | Jan. 2017
D086 | Tool Qualification Report | ValidationOfCompliance-EmbeddedWorkbench_EWAVR5.51.pdf | Rev. A | Nov. 2016
D088 | Impact Analysis Record | MOB-01872 Impact Analysis.doc | Rev. 01 | 2/27/2014

2.4.2 Documentation generated by exida

[R1] MOB 15-08-012 V4R2 Safety Case WB 2140 v1.7.3d: SafetyCaseWB for 2140 Liquid Level Detector; superseded by [R6], [R8]

[R2] Q15-08-012 Mobrey Vibrating Fork Level Switch Certification Proposal R5: Proposal and Assessment Plan for 2140 Liquid Level Detector; superseded by the Surveillance Audit proposal

[R3] MOB 15-08-12 R001 V2R1 FMEDA 2140: FMEDA report for 2140 Liquid Level Detector; superseded by [R5]

[R4] MOB 15-08-12 R002 V1R1 2140 FieldFailureHistory: Field Failure Analysis for 2140 Liquid Level Detector; superseded by [R7], [R9]


2.5 Assessment Approach

The certification audit was closely driven by requirements of the exida scheme which includes subsets filtered from IEC 61508.

The assessment was planned by exida and agreed with Rosemount Tank Radar.

The following IEC 61508 objectives were subject to detailed auditing at Rosemount Tank Radar:

• FSM planning, including

o Safety Life Cycle definition

o Scope of the FSM activities

o Documentation

o Activities and Responsibilities (Training and competence)

o Configuration management

o Tools and languages

• Safety Requirement Specification

• Change and modification management

• Software architecture design process, techniques and documentation

• Hardware architecture design - process, techniques and documentation

• Hardware design / probabilistic modeling

• Hardware and system related V&V activities including documentation, verification

o Integration and fault insertion test strategy

• Software and system related V&V activities including documentation, verification

• System Validation including hardware and software validation

• Hardware-related operation, installation and maintenance requirements

The project teams, not individuals, were audited.


3 Product Description

The 2140:SIS Vibrating Fork Liquid Level Detector is a smart device used in many different industries for point level sensing applications. A vibrating fork sensor is continuously monitored by the product, with changes in its natural resonant frequency being used to determine the condition of the sensor. A 4-20mA current output is used to indicate the condition of the product sensor, with discrete, user configurable current levels being set at the current output dependent upon the sensor condition. The 2140 Liquid Level Detector is microprocessor based and contains internal diagnostics as well as the ability to communicate via the HART digital protocol.

Two terminal block types are also available. The T0 type is fitted as standard. When transient protection is required, the T1 type must be specified during product ordering.

Figure 1: Parts included in the FMEDA for the 2140 Liquid Level Detector (block diagram; labelled blocks: Process Fluid, Tuning Fork Sensor, Sensor Oscillator, Microprocessor, Digital I/O, D/A, Power, Discrete 4 to 20 mA PV output, Electronics Housing, FMEDA boundary)


3.1 Hardware and Firmware Version Numbers

This assessment is applicable to the following hardware and firmware versions of the 2140:SIS Vibrating Fork Liquid Level Detector:

Table 1 Version Overview

Model | Description
2140 Liquid Level Detector T0 Wet On | SIS model liquid level detector configured as Wet=On, fitted with a standard T0 terminal block. The safe state represents a dry fork.
2140 Liquid Level Detector T0 Dry On | SIS model liquid level detector configured as Dry=On, fitted with a standard T0 terminal block. The safe state represents a wet fork.
2140 Liquid Level Detector T1 Wet On | SIS model liquid level detector configured as Wet=On, fitted with an optional T1 terminal block. The safe state represents a dry fork.
2140 Liquid Level Detector T1 Dry On | SIS model liquid level detector configured as Dry=On, fitted with an optional T1 terminal block. The safe state represents a wet fork.

Hardware Version: V01.00.00

Firmware Version: V01.00.00

The models and versions in Table 1 were current when this report was released. For updated versions covered under this certification, refer to the Safety Manual which includes the company webpage where the certified versions and compatibility can be checked.
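The product description in section 3 and the Wet=On / Dry=On models of Table 1 translate into a small piece of detection logic. The following is an added example and not code from the report, from Rosemount or from the device firmware: it classifies a resonant-frequency reading as wet, dry or fault with a hysteresis band, maps the state to a discrete output current according to the configured model, derives the safe state of Table 1 from the configuration, and shows which output currents a logic solver should treat as a demand. The frequency thresholds, the 8 mA / 16 mA output levels and the 3.6 mA alarm level are assumptions for illustration only; the report says only that the current levels are discrete and user configurable.

```python
# Added example: point-level detection logic of the kind described in section 3, with the
# Wet=On / Dry=On safe-state mapping from Table 1. All thresholds, the 8 mA / 16 mA output
# levels and the 3.6 mA alarm level are assumptions for illustration, not values from the
# report or from the device's Safety Manual.
from dataclasses import dataclass
from enum import Enum


class Fork(Enum):
    DRY = "dry"
    WET = "wet"
    FAULT = "fault"  # resonance outside the plausible band: damaged, missing or coated fork


@dataclass(frozen=True)
class DetectorConfig:
    # Immersion adds mass to the tines, so the resonant frequency drops when the fork is wet.
    wet_below_hz: float = 1200.0   # below this the fork is treated as wet (assumed)
    dry_above_hz: float = 1260.0   # above this the fork is treated as dry (assumed)
    min_valid_hz: float = 800.0    # outside [min, max] the sensor is declared faulty (assumed)
    max_valid_hz: float = 1500.0
    on_ma: float = 16.0            # "On" output level (assumed)
    off_ma: float = 8.0            # "Off" output level (assumed)
    alarm_ma: float = 3.6          # diagnostic alarm level (assumed)
    wet_is_on: bool = True         # True: Wet=On model, False: Dry=On model (Table 1)


def classify(freq_hz, previous, cfg):
    """Map a measured resonant frequency to a fork state with hysteresis.

    Inside the band between wet_below_hz and dry_above_hz the last good state is
    kept; if there is no last good state the reading is reported as a fault rather
    than guessed.
    """
    if not (cfg.min_valid_hz <= freq_hz <= cfg.max_valid_hz):
        return Fork.FAULT
    if freq_hz < cfg.wet_below_hz:
        return Fork.WET
    if freq_hz > cfg.dry_above_hz:
        return Fork.DRY
    return previous if previous in (Fork.WET, Fork.DRY) else Fork.FAULT


def output_ma(state, cfg):
    """Discrete output current for a fork state; a diagnosed fault forces the alarm level."""
    if state is Fork.FAULT:
        return cfg.alarm_ma
    on = (state is Fork.WET) == cfg.wet_is_on
    return cfg.on_ma if on else cfg.off_ma


def safe_state(cfg):
    """Table 1: Wet=On -> the safe state is a dry fork; Dry=On -> the safe state is a wet fork."""
    return Fork.DRY if cfg.wet_is_on else Fork.WET


def trip_required(ma, cfg, tolerance_ma=0.5):
    """De-energise-to-trip reading of the loop by the logic solver (a design choice here):
    only a current at the On level holds the SIF healthy; the Off level, the alarm level,
    an open loop (0 mA) or any other value is treated as a demand."""
    return abs(ma - cfg.on_ma) > tolerance_ma


def run(freqs_hz, cfg):
    """Feed a sequence of readings through the detector; returns (state, mA, trip) per sample."""
    state, trace = None, []
    for f in freqs_hz:
        state = classify(f, state, cfg)
        ma = output_ma(state, cfg)
        trace.append((state, ma, trip_required(ma, cfg)))
    return trace


if __name__ == "__main__":
    # Constructed readings: dry, hysteresis band, wet, hysteresis band, broken fork.
    for row in run([1300.0, 1230.0, 1100.0, 1230.0, 700.0], DetectorConfig()):
        print(row)
```

Two points the code makes that the prose does not: a reading inside the hysteresis band with no previous good state is reported as a fault, not resolved by guessing, and once the sensor is in the fault state the alarm current keeps the loop in its demand (safe) state regardless of the configured model, which is what a de-energise-to-trip design relies on.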


4 IEC 61508 Functional Safety Assessment Scheme

exida assessed the development process used by Rosemount Tank Radar for this development project against the objectives of the exida certification scheme. The results of the assessment are documented in [R1]. All objectives have been successfully considered in the Rosemount Tank Radar development processes for the development.

exida assessed the set of documents against the functional safety management requirements of IEC 61508. This was done by a pre-review of the completeness of the related requirements and then a spot inspection of certain requirements, before the development audit. The safety case demonstrated the fulfillment of the functional safety management requirements of IEC 61508-1 to 3.

The detailed development audit (see [R1]) evaluated the compliance of the processes, procedures and techniques, as implemented by Rosemount Tank Radar for the 2140:SIS Vibrating Fork Liquid Level Detector, with IEC 61508.

The assessment was executed using the exida certification scheme which includes subsets of the IEC 61508 requirements tailored to the work scope of the development team.

The result of the assessment shows that the 2140:SIS Vibrating Fork Liquid Level Detector is capable for use in SIL 3 applications, when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual.

4.1 Product Modifications

The modification process has been successfully assessed and audited, so Rosemount Tank Radar may make modifications to this product as needed.

As part of the exida scheme a surveillance audit is conducted prior to renewal of the certificate. The modification documentation listed below is submitted as part of the surveillance audit. exida will review the decisions made by the competent person in respect to the modifications made.

• Development process, including:

o Functional Safety Management, including training and competence recording, FSM planning, and configuration management

o Specification process, techniques and documentation

o Design process, techniques and documentation, including tools used

o Validation activities, including development test procedures, test plans and reports, production test procedures and documentation

o Verification activities and documentation

o Modification process and documentation

o Installation, operation, and maintenance requirements, including user documentation

• Product design

o Hardware architecture and failure behavior, documented in a FMEDA


o Software architecture and failure behavior, documented in a Software Criticality and HAZOP report

The review of the development procedures is described in section 5.1. The review of the product hardware design is described in section 5.5.

5 Results of the IEC 61508 Functional Safety Assessment

exida assessed the development process used by Rosemount Tank Radar during the product development against the objectives of the exida certification scheme which includes IEC 61508 parts 1, 2, & 3 [N1]. The development of the 2140:SIS Vibrating Fork Liquid Level Detector was done per this IEC 61508 SIL 3 compliant development process. The Safety Case was updated with project specific design documents.

5.1 Lifecycle Activities and Fault Avoidance Measures

Rosemount Tank Radar has an IEC 61508 compliant development process as assessed during the IEC 61508 certification. This compliant development process is documented in [D003].

This functional safety assessment evaluated the compliance with IEC 61508 of the processes, procedures and techniques as implemented for the product development. The assessment was executed using the exida certification scheme which includes subsets of IEC 61508 requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observations:

The audited development process complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management

Objectives

The main objectives of the related IEC 61508 requirements are to:

- Structure, in a systematic manner, the phases in the overall safety lifecycle that shall be considered in order to achieve the required functional safety of the E/E/PE safety-related systems.

- Structure, in a systematic manner, the phases in the E/E/PES safety lifecycle that shall be considered in order to achieve the required functional safety of the E/E/PE safety-related systems.

- Specify the management and technical activities during the overall, E/E/PES and software safety lifecycle phases which are necessary for the achievement of the required functional safety of the E/E/PE safety-related systems.

- Specify the responsibilities of the persons, departments and organizations responsible for each overall, E/E/PES and software safety lifecycle phase or for activities within each phase.

- Specify the necessary information to be documented in order that the management of functional safety, verification and the functional safety assessment activities can be effectively performed.

- Document all information relevant to the functional safety of the E/E/PE safety-related systems throughout the E/E/PES safety lifecycle.

- Document key information relevant to the functional safety of the E/E/PE safety-related systems throughout the overall safety lifecycle.


- Specify the necessary information to be documented in order that all phases of the overall, E/E/PES and software safety lifecycles can be effectively performed.

- Select a suitable set of tools, for the required safety integrity level, over the whole safety lifecycle which assists verification, validation, assessment and modification.

5.1.2 Safety Lifecycle and FSM Planning

Assessment

The following objectives have been assessed:

- The phases of the safety lifecycle have been structured to meet the requirements for functional safety.

- The documented responsibilities of the persons, departments and organizations responsible for each safety lifecycle phase, or for activities within each phase.

- The documented, necessary information needed to carry out effective management of functional safety, verification and functional safety assessment activities.

- The documented information relevant to the functional safety of the product throughout the safety lifecycle.

- That the necessary information to carry out all phases of the safety lifecycle is documented.

- Documented evidence of a suitable set of tools, for the required safety integrity level, over the whole safety lifecycle which assists verification, validation, assessment and modification.

Conclusion:

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system and new product development processes.

5.1.3 Documentation

Assessment

There is a document management system in place. This system controls how all safety relevant documents are changed, reviewed and approved.

All safety related documents are required to meet the following requirements:

- Have titles or names indicating the scope of the contents

- Contain a table of contents

- Have a revision index which lists versions of the document along with a description of what changed in that version

- Be searchable electronically

Lifecycle documents were sampled and found to meet these requirements.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system and overall quality management system.


5.1.4 Training and competence recording

Assessment

The FSM Plan lists the key people working on the project along with their roles.

A competency matrix has been created and includes the following:

a) Competency requirements for each role on project.

b) List of people who fulfill each role

c) List of competencies for each individual matched up to required competencies based on roles that they fill.

d) Training planned to fill any competency gaps.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system and internal organizational procedures.

5.1.5 Configuration Management

Assessment

The configuration of the product to be certified is documented including all hardware and software versions that make up the product. For software this includes source code and object code. Object code is identified with signatures.

Formal configuration control is defined and implemented for Change Authorization, Version Control, and Configuration Identification. A documented procedure exists to ensure that only approved items are delivered to customers. Master copies of the software and all associated documentation are kept during the operational lifetime of the released software.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar organizational release procedures, functional safety management system and new product development processes.

5.1.6 Tools (and languages)

Assessment

All Off-line support tools which support a phase of the software development lifecycle and cannot directly influence the safety-related system during its run time are documented in the FSM plan [D026], including tool name, manufacturer name, version number, use of the tool on this project. This includes validation test tools. All off-line support tools have been classified as either T3 (safety critical), T2 (safety-related), or T1 (interference free). An assessment has been carried out for T2 and T3 offline support tools, to determine the level of reliance placed on the tools, and the potential failure mechanisms of the tools that may affect the executable software. Where such failure mechanisms are identified, appropriate mitigation measures have been taken.


All off-line support tools in classes T2 and T3 have a specification or product manual which clearly defines the behavior of the tool and any instructions or constraints on its use.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system.

5.2 Safety Requirement Specification

Objectives

The main objectives of the related IEC 61508 requirements are to:

- Specify the requirements for each E/E/PE safety-related system, in terms of the required safety functions and the required safety integrity, in order to achieve the required functional safety.

Assessment

As defined in the development procedure, a requirements specification is created for all products. For the 2140:SIS Vibrating Fork Liquid Level Detector, the requirements specification contains a system overview, safety assumptions, and safety requirements sections. During the assessment, exida reviewed the content of the specification for completeness per the requirements of IEC 61508:2010.

Requirements from IEC 61508-2, Table B.1 that have been met by Rosemount Tank Radar include project management, documentation, structured specification, and inspection of the specification.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system and use of requirements management tools.

5.3 Change and modification management

Objectives

The main objectives of the related IEC 61508 requirements are to:

- Ensure that the required safety integrity is maintained after corrections, enhancements or adaptations to the E/E/PE safety-related systems.

Assessment

Modifications are initiated with an Engineering Design Change procedure [D99]. All changes are first reviewed and analyzed for impact before being approved. Modification Requests/Records document the reason for the change and contain a detailed description of the proposed change (this applies to both software and hardware). Measures to verify and validate the change are developed following the normal design process.


The Modification Procedure requires that an Impact Analysis [D023b] be performed to assess the impact of the modification, including the impact of changes to the software design (which modules are impacted) and on the Functional Safety of the system. The results of an Impact Analysis are documented.

The modification process has been successfully assessed and audited, so Rosemount Tank Radar may make modifications to this product as needed.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system, change management procedures, and sustaining product procedures.

5.4 System Design

Objectives

The objective of the related IEC 61508 requirements of this sub-clause is to specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements.

Assessment

System or subsystem design has been partitioned into subsystems, and interfaces between subsystems are clearly defined and documented. The main safety interface for the 2140 is the analog (loop current) output.

The System Architecture Design clearly identifies the SIL of all components in the design. If a component has a lower SIL capability than that associated with the safety function(s), then sufficient independence between the components has been documented in an FMEA or software HAZOP. The System Architecture Design describes that the behavior of the device when a fault is detected is to annunciate the detected fault through an external interface.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system and new product development processes.

5.5 Hardware Design and Verification

Objectives

The main objectives of the related IEC 61508 requirements are to:

- Create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).

- Ensure that the design and implementation of the E/E/PE safety-related systems meets the specified safety functions and safety integrity requirements.

- Demonstrate, for each phase of the overall, E/E/PES and software safety lifecycles (by review, analysis and/or tests), that the outputs meet in all respects the objectives and requirements specified for the phase.

- Test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.

- Integrate and test the E/E/PE safety-related systems.


5.5.1 Hardware architecture design

Assessment

Hardware architecture design [D045] has been partitioned into subsystems, and interfaces between subsystems are defined and documented. Design reviews are used to discover weak design areas and make them more robust. Measures against environmental stress and over-voltage are incorporated into the design.

The FSM Plan and development process and guidelines define the required verification activities related to hardware including documentation, verification planning, test strategy and requirements tracking to validation test.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system and new product development processes.

5.5.2 Hardware Design / Probabilistic properties

Assessment

To evaluate the hardware design of the 2140, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R3]. The FMEDA was verified using Fault Injection Testing as part of the development, see [D055b], and as part of the IEC 61508 assessment.

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extension to identify online diagnostics techniques and the failure modes relevant to safety instrumented system design.

From the FMEDA, failure rates are derived for each important failure category.

These results must be considered in combination with PFDAVG of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG for each defined safety instrumented function (SIF) to verify the design of that SIF.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system, FMEDA quantitative analysis, and hardware development guidelines and practices.

5.6 Software Design

Objectives

The main objectives of the related IEC 61508 requirements are to:

- Create a software architecture that fulfils the specified requirements for software safety with respect to the required safety integrity level.


- Review and evaluate the requirements placed on the software by the hardware architecture of the E/E/PE safety-related system, including the significance of E/E/PE hardware/software interactions for safety of the equipment under control.

- Design and implement software that fulfils the specified requirements for software safety with respect to the required safety integrity level, which is analyzable and verifiable, and which is capable of being safely modified.

Assessment

The Software Architecture Design contains a description of the software architecture. The design is partitioned into new and existing components and modules, which are identified as such. All software is treated as new, but [D052] lists changes to the "starting point" (legacy code) as well as new and unchanged code.

A software criticality analysis and HAZOP [D050] was performed and the report lists all components along with their criticality (Safety Critical, Safety Related, or Non-Interfering) and their required Systematic Capability. Independence has been achieved by both spatial and temporal separation as documented in the results of the SCA / SW HAZOP. Common cause failures are identified in the SW HAZOP as failures of one component that could affect an independent component and defensive measures are listed as Safety Measures. Derived requirements were recorded and included in the Software Requirements Specification [D043].

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system.

5.7 Software Verification

Objectives

The main objectives of the related IEC 61508 requirements are to:

- To the extent required by the safety integrity level, test and evaluate the outputs from a given software safety lifecycle phase to ensure correctness and consistency with respect to the outputs and standards provided as input to that phase.

- Verify that the requirements for software safety (in terms of the required software safety functions and the software safety integrity) have been achieved.

- Integrate the software onto the target programmable electronic hardware. Combine the software and hardware in the safety-related programmable electronics to ensure their compatibility and to meet the requirements of the intended safety integrity level.


Assessment results

The Software Architecture Design was reviewed. This review confirms that the architecture fulfills the safety requirements. All action items required to be addressed were submitted to the action item tracking system and have been resolved. Specific design review documents were not collected for this assessment, but many SW peer review files were submitted. Most of the design was reviewed at the requirements level and design information is included in the requirements docs.

A modular approach has been used in the software design. The design has been broken up into modular classes and methods, and subprograms have a single entry and a single exit. Structural test coverage (statements) of 100 % is documented by a manual trace of test coverage.

Module Test Results [D066] for all safety related modules were produced and documented per the Module Test Verification Plan/Specification. All SW functions were unit tested, most with automated test scripts for which data log files are saved. Some manual tests were run for diagnostic functions. Sample results files were reviewed; verification of data is included in the tests; test case result files show the pass/fail output. No unintended functions were observed.

Conclusion:

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system, software development process, and new product development processes.

5.8 Safety Validation

Objectives

- Ensure that the design and implementation of the E/E/PE safety-related systems meets the specified safety functions and safety integrity requirements.

- Plan the validation of the safety of the E/E/PE safety-related systems.

- Validate that the E/E/PE safety-related systems meet, in all respects, the requirements for safety in terms of the required safety functions and the safety integrity.

- Ensure that the integrated system complies with the specified requirements for software safety at the intended safety integrity level.

Assessment

Validation Test results were reviewed via a set of documented functional tests. The 2140:SIS Vibrating Fork Liquid Level Detector consists of simple electrical devices with a straightforward safety function. While there is no separately identifiable integration testing, the tests are planned and executed in a way to fulfill the integration testing requirements. Procedures are in place for corrective actions to be taken when failures are detected by validation testing. This includes black-box functional testing, functional testing under environmental conditions, interference surge immunity testing, fault insertion testing, white-box and specialized testing.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system, software development process, and new product development processes.


5.9 Safety Manual

Objectives

- Develop procedures to ensure that the required functional safety of the E/E/PE safety-related systems is maintained during operation and maintenance.

Assessment

Rosemount Tank Radar created a safety manual for the 2140:SIS Vibrating Fork Liquid Level Detector, which addresses all relevant operation and maintenance requirements from IEC 61508.

This safety manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC 61508.

Conclusion

The objectives of the standard are fulfilled by the Rosemount Tank Radar functional safety management system, documentation management, and new product development processes.


6 2020 IEC 61508 Functional Safety Surveillance Audit

6.1 Roles of the parties involved

Rosemount Tank Radar – Manufacturer of the 2140:SIS Vibrating Fork Liquid Level Detector

exida – Performed the hardware assessment review

exida – Performed the IEC 61508 Functional Safety Surveillance Audit per the accredited exida scheme.

exida was contracted to perform the surveillance audit for the above 2140:SIS Vibrating Fork Liquid Level Detector. The surveillance audit was conducted remotely.

6.2 Surveillance Methodology

As part of the IEC 61508 functional safety surveillance audit the following aspects have been reviewed:

• Procedure Changes – Changes to relevant procedures since the last audit are reviewed to determine that the modified procedures meet the requirements of the exida certification scheme.

• Engineering Changes – The engineering change list is reviewed to determine if any of the changes could affect the safety function of the 2140:SIS Vibrating Fork Liquid Level Detector.

• Impact Analysis – If changes were made to the product design, the impact analysis associated with the change will be reviewed to see that the functional safety requirements for an impact analysis have been met.

• Field History – Shipping and field returns during the certification period will be reviewed to determine if any systematic failures have occurred. If systematic failures have occurred during the certification period, the corrective action that was taken to eliminate the systematic failure(s) will be reviewed to determine that said action followed the approved processes and was effective.

• Safety Manual – The latest version of the safety manual will be reviewed to determine that it meets the IEC 61508 requirements for a safety manual.

• FMEDA Update – If required or requested the FMEDA will be updated. This is typically done if there are changes to the IEC 61508 standard and/or changes to the exida failure rate database.

• Evaluate use of the certificate and/or certification mark – Conduct a search of the applicant’s web site and document any misuse of the certificate and/or certification mark. Report any misuse of the certificate and/or certification mark to the exida Managing Director.

• Recommendations from Previous Audits – If there are recommendations from the previous audit, these are reviewed to see if the recommendations have been implemented properly.


6.2.1 Documentation provided by Rosemount Tank Radar

[D89] PCL276 2140 SIL Renewal Sales Figures; 12/16/2019

2140 Shipment data

[D90] PCL276 2140 SIL Renewal - Returns Data; 12/16/2019

2140 Return data

[D91] FA00098539 RMA example

[D92] FA00100493 RMA example

[D93] PCL276 2140 SIL Renewal Safety Related ECRs; 12/26/2019

2140 engineering change history; and reviewed all associated Impact Analysis

[D94] QD15 Iss 12 Quality Control of Approved Products; Iss. 12; 2018/10/15

Quality Control of Approved Products -QD15; Supersedes D019

[D95] PUR9 Issue 3 APPROVAL OF SUPPLIERS; Iss. 3; 2015/09/14

Approval of Suppliers; Supersedes D007

[D96] QD20-S Issue 7 Supplier nonconforming material; Iss. 7; 2016/04/08

Rejection of supplier non-conforming parts and supplier corrective action procedure; Supersedes D012

[D97] Product Design And Development Process; Version 8

Product Design And Development Process; ID 0100-23-616; Supersedes D021

[D98] Supplier Quality Manual; 2016/11/11; Rev. 6.0

Supplier Quality Manual; Supersedes D008

[D99] DEV 1 Engineering Change Process; 2017/01-02; Rev 8

Rosemount Measurement Limited (RML), Engineering Change Management (ECM) Process; Supersedes D023

[D100] RML Quality Management System Manual_SO 9001_2015; 2019/12/16; iss.17

Quality Manual; Doc# QM2; Supersedes D001

[D101] PXXX - RML FA Process; Version 0.2; 2017/10/31

RML Failure Analysis Process; Doc# 0100-23-601; Supersedes D006

[D102] PXXX - RML RMA Process; Version 0.3; 2017/11/29

RML RMA Process; Doc# 0100-23-601; Supersedes D006b

[D103] PXXX - RML Repairs Process; Version 0.3; 2017/11/29

RML Repairs Process; Doc# 0100-23-601; Supersedes D006c

[D104] Product DataSheet; Rev BB; 2018/03

Rosemount 2140 and 2140:SIS Product Data sheet; Doc# 00813-0100-4140

[D105] Reference Manual; Rev AA; 2017/01

Rosemount 2140 Level Detector; Doc# 00809-0100-4140; Supersedes D078

[D106] manual-rosemount-2140-sis-functional-safety-manual-en-us-187108; Rev CA; Mar.2021

Rosemount 2140:SIS Functional Safety Manual; Doc#: 00809-0200-4140; Supersedes D079

[D107] RML ISO9001-2015 Certificate; Expiry Date: 2020/03/31

ISO9001:2015 Certificate of Approval; Supersedes D036

[D108] 2140_RMD1110AD; Rev AD EU Declaration of Conformity; No. RMD 1110


[D109] 2140 - Sales Filed Returns Corrective Actions Figures 2019_2020.xlsx

Additional field history for SIL 3.

[D110] RTR ISO 9001 14001 Certificate 2018_2021.pdf, exp Jul-2021

ISO9001:2015 Certificate of Approval;

6.2.2 Surveillance Documentation generated by exida

[R5] RTR 21-01-012 R001 V3R2 FMEDA 2140.pdf Mar.2021

Updated FMEDA report for SIL3, 2140:SIS Vibrating Fork Liquid Level Detector

[R6] MOB19/12-089 SC renewal, Mar.2020

Updated Doc List for Surveillance Audit for 2140:SIS Vibrating Fork Liquid Level Detector

[R7] MOB19/12-089 PIU renewal, Mar.2020

Proven In Use Analysis for 2140:SIS Vibrating Fork Liquid Level Detector

[R8] MOB 15-08-012 V5R1 Safety Case WB 2140 v1.7.3d.xlsm, Mar.2021

IEC 61508 Safety Case for SIL3 for 2140:SIS Vibrating Fork Liquid Level Detector

[R9] RML 2140 FFA Spreadsheet_R2.xlsx, Mar.2021

Updated Field History Analysis for SIL3 for 2140:SIS Vibrating Fork Liquid Level Detector

[R10] TR 4847 2140 wired hart new FMEDA-transient term block and isolator board update 2021-Mar-17.xlsx

Updated review (with notes) for FMEDA – 2140:SIS; Transient Term Block

[R11] TR 4846 2140 wired hart new FMEDA-standard term block and isolator board update 2021-Mar-18.xlsx

Updated review (with notes) for FMEDA – 2140:SIS; Std Term Block

6.3 Surveillance Results

6.3.1 Procedure Changes

Changes to Rosemount’s procedures were reviewed and were found to be consistent with the requirements of IEC 61508.

6.3.2 Engineering Changes

Engineering changes 5392, 5993, 6270, 6456, 6570, 6597, 6631, and 6638 were reviewed and all documentation was found to be acceptable.

6.3.3 Impact Analysis

All of the engineering changes had an impact analysis; these were reviewed and found to be consistent with the requirements of IEC 61508.


6.3.4 Field History

The field histories of these products were analyzed and found to be consistent with the failure rates predicted by the FMEDA.

6.3.5 Safety Manual

The updated safety manual was reviewed and found to be compliant with IEC 61508:2010.

6.3.6 FMEDA Update

The FMEDA was updated as part of this project to bring it onto the latest template and to add revised documents. The proof test and PTC were updated. Several product naming conventions were changed.

6.3.7 Evaluate use of certificate and/or certification mark

The Rosemount Tank Radar website was searched and no misleading use or misuse of the certificate or certification marks was found.

6.3.8 Previous Recommendations

There were no previous recommendations to be assessed at this audit.

6.4 Surveillance Audit Conclusion

The result of the Surveillance Audit Assessment can be summarized by the following observations:

The Rosemount Tank Radar 2140:SIS Vibrating Fork Liquid Level Detector continues to meet the relevant requirements of IEC 61508:2010 for SIL 2 @ HFT=0 or SIL 3 @ HFT=1, Route 1H or Route 2H applications, based on the initial assessment and considering:

- field failure history

- permitted modifications completed on the product

- FMEDA updates and changes

This conclusion is supported by the updated SafetyCase and certification documents.


7 Terms and Definitions

Fault tolerance Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)

FIT Failure In Time (1 × 10^-9 failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis

HFT Hardware Fault Tolerance

Low demand mode Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.

High demand mode Mode where the demand interval for operation made on a safety-related system is less than 100x the diagnostic detection/reaction interval, or where the safe state is part of normal operation.

PFDAVG Average Probability of Failure on Demand

PFH Probability of dangerous Failure per Hour

SFF Safe Failure Fraction - the fraction of failures that lead to a safe state plus the fraction of failures that will be detected by diagnostic measures and lead to a defined safety action.

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).

Type A element “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2

Type B element “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2
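The hardware-integrity terms above (SFF, HFT, Type A/B, PFDavg, SIL) are what combine into a claim such as the "SIL 2 @ HFT=0 or SIL 3 @ HFT=1, Route 1H" statement in the audit conclusion. The following Python is an added worked example, not code from the exida report or from Rosemount Tank Radar: it computes SFF from a FMEDA failure-rate split, looks up the Route 1H architectural constraint (IEC 61508-2 Tables 2 and 3), and estimates a simplified single-channel PFDavg that shows why the proof test coverage (PTC) matters. The failure rates, proof test interval, PTC and mission time in main() are constructed values, not the 2140:SIS FMEDA figures, and the PFDavg formula is the common simplified 1oo1 approximation rather than exida's full model.

```python
"""Worked hardware-integrity arithmetic for SFF, HFT, Type A/B, PFDavg and SIL.
Added illustration, not part of the exida report; all numeric inputs in main()
are constructed and are NOT the 2140:SIS FMEDA values."""
from dataclasses import dataclass

FIT = 1e-9  # one Failure In Time = 1e-9 failures per hour


@dataclass(frozen=True)
class FailureRates:
    """FMEDA failure-rate split in FIT: safe/dangerous x detected/undetected."""
    lambda_sd: float
    lambda_su: float
    lambda_dd: float
    lambda_du: float

    @property
    def total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF (IEC 61508-2 Annex C): fraction of all failures that are either safe
    or dangerous-but-detected by diagnostics, i.e. everything except lambda_DU."""
    return (r.lambda_sd + r.lambda_su + r.lambda_dd) / r.total


# Route 1H architectural constraints, IEC 61508-2 Table 2 (Type A) and
# Table 3 (Type B): maximum SIL claimable for a given SFF band and HFT.
# Rows: SFF <60%, 60..<90%, 90..<99%, >=99%. Columns: HFT 0, 1, 2.
# 0 means the combination is not allowed.
_ROUTE_1H = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def sff_band(sff: float) -> int:
    """Map an SFF in [0, 1] to the row index of the Route 1H tables."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError(f"SFF out of range: {sff}")
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def max_sil_route_1h(sff: float, hft: int, element_type: str) -> int:
    """Highest SIL the architecture permits under Route 1H (0 = not allowed)."""
    if hft not in (0, 1, 2):
        raise ValueError(f"HFT must be 0, 1 or 2, got {hft}")
    return _ROUTE_1H[element_type.upper()][sff_band(sff)][hft]


def pfd_avg_1oo1(lambda_du_fit: float, proof_test_interval_h: float,
                 proof_test_coverage: float, mission_time_h: float) -> float:
    """Simplified single-channel (HFT=0) low-demand PFDavg.

    Dangerous undetected faults the proof test can find accumulate for half the
    proof-test interval on average; the share the test cannot find (1 - PTC)
    accumulates for half the mission time. Repair time and common cause are
    neglected, which is acceptable only for an order-of-magnitude check."""
    if not 0.0 <= proof_test_coverage <= 1.0:
        raise ValueError("PTC must be in [0, 1]")
    lambda_du = lambda_du_fit * FIT
    return lambda_du * (proof_test_coverage * proof_test_interval_h / 2
                        + (1.0 - proof_test_coverage) * mission_time_h / 2)


def sil_from_pfd_avg(pfd_avg: float) -> int:
    """Low-demand SIL band from IEC 61508-1 Table 2 (0 = below SIL 1)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4  # 1e-5 <= PFDavg < 1e-4 is SIL 4; smaller values have no band


def achievable_sil_1oo1(r: FailureRates, element_type: str, proof_test_interval_h: float,
                        proof_test_coverage: float, mission_time_h: float) -> int:
    """A single element's claimable SIL is capped by BOTH the architectural
    constraint (SFF/HFT) and the PFDavg band; take the lower of the two."""
    arch = max_sil_route_1h(safe_failure_fraction(r), 0, element_type)
    pfd = sil_from_pfd_avg(pfd_avg_1oo1(r.lambda_du, proof_test_interval_h,
                                        proof_test_coverage, mission_time_h))
    return min(arch, pfd)


def main() -> None:
    # Constructed Type B element, 0 / 200 / 700 / 60 FIT (not the 2140:SIS figures).
    r = FailureRates(lambda_sd=0.0, lambda_su=200.0, lambda_dd=700.0, lambda_du=60.0)
    sff = safe_failure_fraction(r)
    print(f"SFF = {sff:.2%}")
    for hft in (0, 1):
        print(f"Route 1H, Type B, HFT={hft}: max SIL {max_sil_route_1h(sff, hft, 'B')}")
    year = 8760.0
    for ptc in (1.0, 0.9):  # assumed 1-year proof test, 10-year mission time
        pfd = pfd_avg_1oo1(r.lambda_du, year, ptc, 10 * year)
        print(f"PTC={ptc:.0%}: 1oo1 PFDavg = {pfd:.2e} (SIL {sil_from_pfd_avg(pfd)} band)")
    print("achievable SIL at HFT=0:", achievable_sil_1oo1(r, "B", year, 0.9, 10 * year))


if __name__ == "__main__":
    main()
```

Running main() gives an SFF of 93.75% for the constructed element, which under Route 1H permits SIL 2 at HFT=0 and SIL 3 at HFT=1 for a Type B element (a Type A element with the same SFF would be allowed SIL 3 at HFT=0), and a 1oo1 PFDavg that roughly doubles when PTC drops from 100% to 90%, because the uncovered part of lambda_DU is only cleared at end of mission rather than at each proof test.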


8 Status of the document

8.1 Liability

exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

8.2 Version History

Contract Number | Report Number | Revision | Notes

Q21/01-012 | MOB 15/08-012 R003 | V3, R2 | Revised after review and FMEDA resolutions; audit documents were added and revised in section 6.2; JCY, 18-Mar-2021

Q21/01-012 | MOB 15/08-012 R003 | V3, R1 | Upgrade to SC=SIL3; JCY, 12-Mar-2021

Q20/04-151 | MOB 15/08-012 R003 | V2, R2 | Change ownership to RTR; JCY, 24-Jun-2020

Q19/12-089 | MOB 15/08-012 R003 | V2, R1 | Recertification; LLS, 30-Mar-2020

Q15/08-012 | MOB 15/08-012 R003 | V1, R1 | Release after internal review; adjusted version numbers; JCY, 26-Jan-2017

Q15/08-012 | MOB 15/08-012 R003 | V0, R1 | Initial draft; JCY, 13-Jan-2017

Review: Ted Stewart, exida, March 30, 2020

Status: Released, March 18, 2021

8.3 Future Enhancements

At the request of the client.

8.4 Release Signatures

Loren Stewart CFSE, Senior Safety Engineer

Ted E. Stewart, CFSP, Program Development & Compliance Manager