IEC61508 Common Cause Beta Calculation - Rev0.2


Upload: ecisgroup

Posted on 18-Nov-2014


DESCRIPTION

Common cause of failure - Beta estimation according to IEC61508 Annex D, by Carlo Lebrun

TRANSCRIPT

Page 1: IEC61508 Common Cause Beta Calculation - Rev0.2

SENSOR or FINAL ELEMENT

Manufacturer

Separation/segregation

Are all signal cables for the channels routed separately at all positions?

Diversity/redundancy

Complexity/design/application/maturity/experience

β ESTIMATION SHEET ref. IEC61508-6 Annex D

Item

If the sensors/final elements have dedicated control electronics, is the electronics for each channel on separate printed-circuit boards?

If the sensors/final elements have dedicated control electronics, is the electronics for each channel indoors and in separate cabinets?

Do the devices employ different physical principles for the sensing elements for example, pressure and temperature, vane anemometer and Doppler transducer, etc?

Do the devices employ different electrical principles/designs for example, digital and analogue, different manufacturer (not re-badged) or different technology?

Do the channels employ enhanced redundancy with MooN architecture, where N > M + 2 ?

Do the channels employ enhanced redundancy with MooN architecture, where N = M + 2 ?

Are separate test methods and people used for each channel during commissioning?

Is maintenance on each channel carried out by different people at different times?

Page 2: IEC61508 Common Cause Beta Calculation - Rev0.2

Assessment/analysis and feedback of data

Procedures/human interface

Competence/training/safety culture

Does cross-connection between channels preclude the exchange of any information other than that used for diagnostic testing or voting purposes?

Is the design based on techniques used in equipment that has been used successfully in the field for > 5 years?

Is there more than 5 years experience with the same hardware used in similar environments?

Are inputs and outputs protected from potential levels of over-voltage and over-current?

Are all devices/components conservatively rated (for example, by a factor of 2 or more)?

Have the results of the failure modes and effects analysis or fault-tree analysis been examined to establish sources of common cause failure and have predetermined sources of common cause failure been eliminated by design?

Were common cause failures considered in design reviews with the results fed back into the design? (Documentary evidence of the design review activity is required.)

Are all field failures fully analyzed with feedback into the design? (Documentary evidence of the procedure is required.)

Is there a written system of work to ensure that all component failures (or degradations) are detected, the root causes established and other similar items inspected for similar potential causes of failure?

Are procedures in place to ensure that: maintenance (including adjustment or calibration) of any part of the independent channels is staggered, and, in addition to the manual checks carried out following maintenance, the diagnostic tests are allowed to run satisfactorily between the completion of maintenance on one channel and the start of maintenance on another?

Do the documented maintenance procedures specify that all parts of redundant systems (for example, cables, etc.) intended to be independent of each other, are not to be relocated?

Is all maintenance of printed-circuit boards, etc. carried out off-site at a qualified repair centre and have all the repaired items gone through a full pre-installation testing?

Does the system diagnostic tests report failures to the level of a field-replaceable module?

Page 3: IEC61508 Common Cause Beta Calculation - Rev0.2

Environmental control

Are all signal and power cables separate at all positions?

Environmental testing

Total X

Total Y

X / Y ratio

Diagnostic Coverage

What is the estimated diagnostic coverage?

What is the diagnostic test interval (hours/days/weeks)?

Z

Score S

Score SD

RESULT β

βD

Have designers been trained (with training documentation) to understand the causes and consequences of common cause failures?

Have maintainers been trained (with training documentation) to understand the causes and consequences of common cause failures?

Is personnel access limited (for example locked cabinets, inaccessible position)?

Is the system likely to operate always within the range of temperature, humidity, corrosion, dust, vibration, etc., over which it has been tested, without the use of external environmental control?

Has the system been tested for immunity to all relevant environmental influences (for example EMC, temperature, vibration, shock, humidity) to an appropriate level as specified in recognized standards?

Page 4: IEC61508 Common Cause Beta Calculation - Rev0.2

MODEL REV

e.g. Emerson Rosemount Source

VALUE

CATEGORY TOTAL 7.0

NO 0.0

YES 4.0

YES 3.0

CATEGORY TOTAL 0.0

NO 0.0

NO 0.0

NO 0.0

NO 0.0

NO 0.0

NO 0.0

CATEGORY TOTAL 10.0

e.g. Rosemount 2088 Pressure Transmitter

YES / NO (select choice)

Page 5: IEC61508 Common Cause Beta Calculation - Rev0.2

YES 1.0

YES 2.0

YES 3.0

YES 2.0

YES 2.0

CATEGORY TOTAL 10.0

YES 3.0

YES 3.0

YES 4.0

CATEGORY TOTAL 4.0

NO 0.0

NO 0.0

NO 0.0

YES 2.0

YES 2.0

CATEGORY TOTAL 0.0

Page 6: IEC61508 Common Cause Beta Calculation - Rev0.2

NO 0.0

NO 0.0

CATEGORY TOTAL 7.0

YES 3.0

YES 4.0

NO 0.0

CATEGORY TOTAL 20.0

YES 20.0

27.0

31.0

0.9

>= 60 % / < 2h

1.0

58.0

85.0

β 5.0

βD 2.0

Page 7: IEC61508 Common Cause Beta Calculation - Rev0.2

DATE

ddMMMYYYY

NOTES on MOTIVATION

Not guaranteed

Transmitters are separate

Transmitters are in different housings

Low value, improvement is recommended

No - transmitters are identical

No - transmitters are identical

No - 2oo3

No - 2oo3

No - impractical

No - impractical

e.g. exida FMEDA ROS 06/10-18 R001 V1 R1

Page 8: IEC61508 Common Cause Beta Calculation - Rev0.2

No cross channel information between transmitters

2088 Pressure Transmitter based on well proven design

Extensive experience in process control

Transient voltage and current protection provided

Design has conservative rating factors proven by field reliability

FMEDA done by third party - exida. No common cause issues

Design review is part of the development process. Results are always fed back into the design

Field failure feedback procedure reviewed by third party - exida. Results are fed back into the design.

Proof test procedures are provided but they cannot ensure root cause failure analysis.

Procedures are not sufficient to ensure staggered maintenance.

MOC procedures require review of proposed changes, but relocation may inadvertently be done.

Repair is done by returning product to the factory, therefore this requirement is met.

Logic solver is programmed to detect current out of range and report the specific transmitter.

Low value, improvement is recommended

Page 9: IEC61508 Common Cause Beta Calculation - Rev0.2

Control system designers have not been trained.

Maintenance personnel have not been trained.

A tool is required to open the transmitter therefore this requirement is met.

Environmental conditions are checked at installation.

No

Complete testing of all environmental stress variables and run-in during production testing.

= 351 / (351 + 126) = 73%

about 1 sec cycle

Page 10: IEC61508 Common Cause Beta Calculation - Rev0.2

MODEL REV DATE

LOGIC SOLVER model x ddMMMYYYY

Manufacturer Source

VALUE NOTES on MOTIVATION

Separation/segregation Low value, improvement is recommended

Are all signal cables for the channels routed separately at all positions? 50% 1.5

Are the logic subsystem channels on separate printed-circuit boards? 50% 2.0

Are the logic subsystem channels in separate cabinets? 50% 1.5

Diversity/redundancy CATEGORY TOTAL 14.8

50% 3.5

50% 2.5

50% 1.3

50% 0.8

50% 1.5

50% 2.3

50% 1.0

50% 0.8

50% 1.3

Complexity/design/application/maturity/experience CATEGORY TOTAL 5.0

50% 0.5

50% 0.8

50% 1.3

50% 0.5

50% 1.0

50% 1.0

Assessment/analysis and feedback of data CATEGORY TOTAL 5.0

50% 1.5

50% 1.5

50% 2.0

Procedures/human interface CATEGORY TOTAL 6.5

50% 0.8

50% 1.0

50% 0.5

50% 0.8

50% 0.3

50% 1.3

50% 2.0

Competence/training/safety culture CATEGORY TOTAL 5.0

β ESTIMATION SHEET ref. IEC61508-6 Annex D

Item YES / NO (select choice)

Do the channels employ different electrical technologies for example, one electronic or programmable electronic and the other relay?

Do the channels employ different electronic technologies for example, one electronic, the other programmable electronic?

Do the channels employ enhanced redundancy with MooN architecture, where N > M + 2 ?

Do the channels employ enhanced redundancy with MooN architecture, where N = M + 2 ?

Is low diversity used, for example hardware diagnostic tests using the same technology?

Is medium diversity used, for example hardware diagnostic tests using different technology?

Were the channels designed by different designers with no communication between them during the design activities?

Are separate test methods and people used for each channel during commissioning?

Is maintenance on each channel carried out by different people at different times?

Does cross-connection between channels preclude the exchange of any information other than that used for diagnostic testing or voting purposes?

Is the design based on techniques used in equipment that has been used successfully in the field for > 5 years?

Is there more than 5 years experience with the same hardware used in similar environments?

Is the system simple, for example no more than 10 inputs or outputs per channel?

Are inputs and outputs protected from potential levels of over-voltage and over-current?

Are all devices/components conservatively rated (for example, by a factor of 2 or more)?

Have the results of the failure modes and effects analysis or fault-tree analysis been examined to establish sources of common cause failure and have predetermined sources of common cause failure been eliminated by design?

Were common cause failures considered in design reviews with the results fed back into the design? (Documentary evidence of the design review activity is required.)

Are all field failures fully analyzed with feedback into the design? (Documentary evidence of the procedure is required.)

Is there a written system of work to ensure that all component failures (or degradations) are detected, the root causes established and other similar items inspected for similar potential causes of failure?

Are procedures in place to ensure that: maintenance (including adjustment or calibration) of any part of the independent channels is staggered, and, in addition to the manual checks carried out following maintenance, the diagnostic tests are allowed to run satisfactorily between the completion of maintenance on one channel and the start of maintenance on another?

Do the documented maintenance procedures specify that all parts of redundant systems (for example, cables, etc.) intended to be independent of each other, are not to be relocated?

Is all maintenance of printed-circuit boards, etc. carried out off-site at a qualified repair centre and have all the repaired items gone through a full pre-installation testing?

Does the system have low diagnostic coverage (60 % to 90 %) and report failures to the level of a field-replaceable module?

Does the system have medium diagnostics coverage (90 % to 99 %) and report failures to the level of a field-replaceable module?

Does the system have high diagnostics coverage (>99 %) and report failures to the level of a field-replaceable module?

Page 11: IEC61508 Common Cause Beta Calculation - Rev0.2

50% 2.5

50% 2.5

Environmental control CATEGORY TOTAL 5.0

50% 1.5

50% 2.0

Are all signal and power cables separate at all positions? 50% 1.5

Environmental testing CATEGORY TOTAL 0.0 Low value, improvement is recommended

NO 0.0

Total X 52.5

Total Y 40.0

X / Y ratio 1.3

Diagnostic Coverage

What is the estimated diagnostic coverage? >= 90 %

What is the diagnostic test interval in minutes? 1 < x < 5

Z 0.5

Score S 92.5

Score SD 118.8

RESULT

β 1.0

βD 1.0

Have designers been trained (with training documentation) to understand the causes and consequences of common cause failures?

Have maintainers been trained (with training documentation) to understand the causes and consequences of common cause failures?

Is personnel access limited (for example locked cabinets, inaccessible position)?

Is the system likely to operate always within the range of temperature, humidity, corrosion, dust, vibration, etc., over which it has been tested, without the use of external environmental control?

Has the system been tested for immunity to all relevant environmental influences (for example EMC, temperature, vibration, shock, humidity) to an appropriate level as specified in recognized standards?
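A worked implementation of the scoring the sheet performs (S = X + Y, SD = X(Z+1) + Y, then the IEC 61508-6 Table D.4 band lookup for β and βD), as an added example that is not part of the original document or the author's spreadsheet. Function names and the partial-credit convention in total_scores are assumptions of this example; the Table D.4 bands are those of IEC 61508-6:2010 and agree with all four results on the sheet (sensor S=58 → β=5 %, SD=85 → βD=2 %; logic solver S=92.5 → β=1 %, SD=118.8 → βD=1 %). Z is passed in rather than looked up, since the Table D.2/D.3 diagnostic-coverage versus test-interval lookup is not reproduced here. The diagnostic_coverage helper is the sheet's 351 / (351 + 126) calculation.

```python
"""IEC 61508-6 Annex D beta-factor scoring (added example, not the sheet's own macros)."""
from dataclasses import dataclass

# IEC 61508-6:2010 Table D.4 (score S or SD -> beta in %), highest band first.
# Each row: (lowest score in the band, beta for logic subsystem, beta for sensors/final elements)
TABLE_D4 = (
    (120.0, 0.5, 1.0),
    (70.0, 1.0, 2.0),
    (45.0, 2.0, 5.0),
    (0.0, 5.0, 10.0),
)


@dataclass(frozen=True)
class BetaResult:
    total_x: float
    total_y: float
    z: float
    score_s: float    # S  = X + Y            -> beta  (dangerous undetected failures)
    score_sd: float   # SD = X * (Z + 1) + Y  -> betaD (dangerous detected failures)
    beta: float       # percent
    beta_d: float     # percent


def total_scores(items):
    """Sum the X and Y columns of an answered checklist (hypothetical helper).

    items: iterable of (x_weight, y_weight, credit); credit is 1.0 for YES,
    0.0 for NO and e.g. 0.5 for the sheet's '50%' partial answers.  The
    weights are supplied by the caller; Table D.1 values are not reproduced.
    """
    items = list(items)  # allow a generator to be summed twice
    total_x = sum(x * credit for x, _, credit in items)
    total_y = sum(y * credit for _, y, credit in items)
    return round(total_x, 2), round(total_y, 2)


def diagnostic_coverage(lambda_dd, lambda_du):
    """DC = lambda_DD / (lambda_DD + lambda_DU), the sheet's 351 / (351 + 126)."""
    if lambda_dd < 0 or lambda_du < 0 or lambda_dd + lambda_du == 0:
        raise ValueError("failure rates must be non-negative and not both zero")
    return lambda_dd / (lambda_dd + lambda_du)


def beta_from_score(score, subsystem):
    """Table D.4 lookup; subsystem is 'logic' or 'field' (sensors/final elements)."""
    if subsystem not in ("logic", "field"):
        raise ValueError("subsystem must be 'logic' or 'field'")
    for lower, beta_logic, beta_field in TABLE_D4:
        if score >= lower:  # bands are inclusive at their lower edge
            return beta_logic if subsystem == "logic" else beta_field
    raise ValueError("score must be non-negative")


def estimate_beta(total_x, total_y, z, subsystem):
    """Annex D: S = X + Y gives beta, SD = X(Z+1) + Y gives betaD.

    z is the Table D.2/D.3 value for the diagnostic coverage and test
    interval; it is taken as an input here, not looked up.
    """
    score_s = total_x + total_y
    score_sd = total_x * (z + 1.0) + total_y
    return BetaResult(
        total_x=total_x, total_y=total_y, z=z,
        score_s=score_s, score_sd=score_sd,
        beta=beta_from_score(score_s, subsystem),
        beta_d=beta_from_score(score_sd, subsystem),
    )


if __name__ == "__main__":
    # The two cases on the sheet: the 2oo3 pressure transmitters and the logic solver.
    sensor = estimate_beta(27.0, 31.0, 1.0, "field")
    logic = estimate_beta(52.5, 40.0, 0.5, "logic")
    for name, r in (("sensor/final element", sensor), ("logic solver", logic)):
        print(f"{name}: S={r.score_s:.1f} SD={r.score_sd:.1f} "
              f"beta={r.beta}% betaD={r.beta_d}%")
    print(f"DC = {diagnostic_coverage(351, 126):.1%}")
```

Note that Z raises only the X column: the items in X are those whose common-cause contribution diagnostics can reduce, which is why SD is never below S and βD is never above β for the same answers.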