Mark VIe SIS Evaluation Exida
Project: Mark VIeS Safety Controller
Customer: GE Energy, Salem, VA, USA
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management Summary
This report summarizes the results of the functional safety assessment according to IEC 61508 and
EN 50402:2005+A1:2008 carried out on the:
Mark VIeS Safety Controller
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by GE Energy through an audit and creation
of a detailed safety case against the requirements of IEC 61508 and EN
50402:2005+A1:2008.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis
(FMEDA) of the devices to document the hardware architecture and failure behavior.
The functional safety assessment was performed to the requirements of IEC 61508, SIL 2 and SIL
3. This product was previously certified to IEC 61508 SIL 2 and SIL 3, depending upon its
configuration, by TÜV Nord (Report No.: SAS-136/2006T) and exida. Based on this certification, it
can be concluded that the GE Energy development process meets the requirements of IEC 61508
for SIL 3. As a result this latest assessment focused on reviewing the changes made to the
product. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and
used as the primary audit tool. Hardware process requirements and all associated documentation
were reviewed. Environmental test reports were reviewed. Also the user documentation (safety
manual) was reviewed. In addition, all modification documentation was reviewed for the
modifications made since the last assessment.
The results of the Functional Safety Assessment can be summarized by the following statements:
The Mark VIeS Safety Controller (not including the YVIB Vibration Detection Subsystem) was
found to meet the requirements of SIL 2 for random integrity @ HFT=0, SIL 3 for random
integrity @ HFT=1 and SIL 3 for systematic integrity.
The YVIB Vibration Detection Subsystem was found to meet the requirements of SIL 1 for
random integrity @ HFT=0, SIL 2 for random integrity @ HFT=1 and SIL 2 for systematic
integrity.
The Mark VIeS Safety Controller (not including the YVIB Vibration Detection Subsystem) was
found to meet the requirements of EN 50402:2005+A1:2008 of SIL 2 for random integrity @
HFT=0, SIL 3 for random integrity @ HFT=1 and SIL 3 for systematic integrity.
The manufacturer will be entitled to use the Functional Safety Logos. The manufacturer may use the mark:
2 Project management
2.1
exida is one of the world’s leading knowledge companies specializing in automation system safety
and availability with over 300 man years of cumulative experience in functional safety. Founded by
several of the world’s top reliability and safety experts from assessment organizations and
manufacturers, exida is a global corporation with offices around the world. exida offers training,
safety lifecycle engineering tools, detailed product assurance and certification analysis and a
collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate
and failure mode database on process equipment.
[Figure 1 Mark VIeS SIL System Context within entire Application (including BPCS). The diagram shows three layers: a Supervisory Layer on the Plant Data Highway (Router, HMI Viewers, Field Support, HMI Servers); a Control Layer on the Unit Data Highway whose labels include Mark VIeS Safety Control, Mark VIe TMR Turbine Control, Mark VI, Generator Protection, BOP, EX2100 Exciter, Static Starter and GPP; and an IONet Layer with R, S and T IONet networks connecting the Mark VIeS controllers to terminal boards and field I/O.]
Control Modules
UCCC – executes configured logic for a safety instrumented function (SIF) based on the current
process inputs to control the process outputs.
UCSB – executes configured logic for a safety instrumented function (SIF) based on the current
process inputs to control the process outputs.
BPPB – Common I/O processor board which is used for all I/O types. This board is combined with an I/O type specific data acquisition board in order to create a specific type of I/O module.
YAIC – Ten analog inputs (voltage, 4-20mA) and two 4-20mA analog outputs. Single and triple pack capable.
YHRA – Ten 4-20mA analog inputs, two 4-20mA analog outputs, all HART enabled. Capable of only single pack operation with one or two networks.
YDIA – Twenty-four contact closure inputs with group isolation. Available nominal voltage ranges include 24V, 48V, and 125V dc. Capable of single, dual, or triple pack operation on an appropriate terminal board.
YDOA – Twelve relay outputs with feedback determined by the associated terminal board. Capable of single and triple pack operation.
YTCC – Twelve thermocouple inputs. Capable of single, dual, or triple pack operation on an appropriate terminal board.
YVIB – Twelve vibration inputs. Provides a direct interface to seismic (velocity), proximity, velomitor and accelerometer type probes. Capable of single and triple pack operation.
5.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault
control measures during hardware and software development and demonstrates full compliance
with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any
requirements that have been deemed not applicable have been marked as such in the full Safety
Case report (e.g. software development requirements for a product with no software).
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
Development process, including:
o Functional Safety Management, including training and competence recording, FSM
planning, and configuration management
o Specification process, techniques and documentation
o Design process, techniques and documentation, including tools used
o Validation activities, including development test procedures, test plans and reports,
production test procedures and documentation
o Verification activities and documentation
o Modification process and documentation
o Installation, operation, and maintenance requirements, including user documentation
Product design
o Hardware architecture and failure behavior, documented in a FMEDA
The review of the development procedures is described in section 0. The review of the product
design is described in section 6.2.
Requirements from IEC 61508-2, Table B.1 that have been met by GE Energy include project
management, documentation, separation of safety systems from non-safety-related systems,
structured specification, and inspection of the specification. [D49] Documents more details on how
each of these requirements has been met. This meets the requirements of SIL 3.
Update: see updated safety case [D140].
6.1.4 Validation
Validation Testing is done via a set of documented tests (see [D32]). The validation tests are
traceable to the Safety Requirements Specification [D29] in the validation test plan [D32]. In
addition to standard Test Specification Documents, third party testing may be included as part of
agency approvals. Procedures are in place for corrective actions to be taken when tests fail as
documented in [D25].
Update: see updated documents: V&V test plan [D123], SRS [D122], Defect Reporting [D104], and
SIL Coding Standard [D120]; updated safety case [D140] contains the complete set of validation
test results.
6.1.5 Verification
The development and verification activities are defined in [D10]. Verification activities include the
following: Calculations for Functional Safety [D44], Code Review [D36] and [D37], Unit Testing
[D4], [D5], and [D35], Requirements Review [D42], Design Review [D38], FMEDA [D44], Static
Analysis using PC LINT [D31], and System FMEA [D41].
Update: see updated documents: FSM [D101], Calculations for Functional Safety [D136] and
[D137], Code Review [D126] and [D127], Module Testing [D125], Requirements Review [D141],
Design Review [D135], FMEDA Fault Injection Test [D138], Static Analysis using Coverity [D132].
6.1.6 Modifications
Modifications are done per the GE Energy’s IEC 61508 SIL 3 compliant development process as
documented in [D49]. All of the modifications made to the product since the previous certification
(see [D6]) were reviewed and found to be compliant with the GE Energy development process and
to IEC 61508. Consequently this meets the requirements of SIL 3.
Update: see FSM plan [D101]; see documented changes referenced in [D147], [D148], [D149].
Table 3 Markov Analysis Results for GE Energy Mark VIeS System*, low demand applications
*for use with UCCC Controller

Configuration   PFDavg                          MTTFS [yrs]
                PTI 1 yr  PTI 2 yr  PTI 3 yr    PTI 1 yr  PTI 2 yr  PTI 3 yr
Simplex 1oo1    2.70E-03  5.36E-03  8.02E-03    29.92     30.00     30.08
Dual 1oo2       9.14E-05  1.91E-04  3.01E-04    15.23     15.25     15.27
Dual 2oo2       3.45E-03  6.82E-03  1.02E-02    31.57     31.38     31.21
TMR 2oo3        1.01E-04  2.29E-04  3.82E-04    520.12    357.28    275.46

Table 4: Markov Analysis Results for GE Energy Mark VIeS system*, high demand applications
*for use with UCCC Controller

Configuration   PFH [hr-1]  MTTFS [yrs]
Dual 1oo2       2.12E-08    7.37
TMR 2oo3        2.44E-08    253.31

Update: Table 4a, Modified for use with UCSB Controller, based on calculations in “GEP 06-05-12 R003 v05 Mark VIeS Markov Model UCSB.xls”

Configuration   PFH [hr-1]  MTTFS [yrs]
Dual 1oo2       2.00E-08    7.06
TMR 2oo3        2.27E-08    312.84
The analysis shows that the design of the Mark VIeS (not including the YVIB Vibration
Subsystem) meets the hardware requirements of IEC 61508 SIL 2 for random failures and
HFT=0, and SIL 3 for random failures and HFT=1.
The analysis also shows that the design of the YVIB Vibration Detection Subsystem meets
the hardware requirements of IEC 61508 SIL 1 for random failures and HFT=0, and SIL 2 for
random failures and HFT=1.
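As an added example (not from the exida report or GE Energy), the code below maps the PFDavg and PFH figures from Tables 3, 4 and 4a onto the IEC 61508-1 SIL target failure measure bands. It shows that the failure-measure bands alone place Dual 1oo2 at PTI 1 yr in the SIL 4 band and Dual 2oo2 at PTI 3 yr in the SIL 1 band; the report's HFT-conditioned conclusions above also rest on the architectural constraints (SFF/HFT), which this code deliberately does not model.

```python
# Added example, not part of the exida report: classify the report's Markov
# results against the IEC 61508-1 target failure measure bands (Table 2 for
# low-demand PFDavg, Table 3 for high-demand PFH). Sample figures are copied
# from Tables 3, 4 and 4a of the report; architectural constraints (SFF/HFT,
# IEC 61508-2 Table 3) are NOT modelled, so bands here are necessary, not sufficient.

# (SIL, lower bound inclusive, upper bound exclusive), per IEC 61508-1
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# Table 3 (UCCC, low demand): PFDavg at PTI = 1, 2, 3 years
TABLE3_PFDAVG = {
    "Simplex 1oo1": [2.70e-3, 5.36e-3, 8.02e-3],
    "Dual 1oo2":    [9.14e-5, 1.91e-4, 3.01e-4],
    "Dual 2oo2":    [3.45e-3, 6.82e-3, 1.02e-2],
    "TMR 2oo3":     [1.01e-4, 2.29e-4, 3.82e-4],
}
# Tables 4 (UCCC) and 4a (UCSB), high demand: PFH in 1/hr
TABLE4_PFH = {
    "UCCC Dual 1oo2": 2.12e-8, "UCCC TMR 2oo3": 2.44e-8,
    "UCSB Dual 1oo2": 2.00e-8, "UCSB TMR 2oo3": 2.27e-8,
}

def sil_band(value, bands):
    """SIL whose band contains value; 4 if better than the SIL 4 band,
    0 if worse than SIL 1 (no SIL claim possible on this measure)."""
    if value <= 0:
        raise ValueError("failure measure must be positive")
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return 4 if value < bands[0][1] else 0

def classify_low_demand(table=TABLE3_PFDAVG, pti_years=(1, 2, 3)):
    """Per configuration, the SIL band reached at each proof test interval."""
    return {cfg: {pti: sil_band(v, PFD_BANDS) for pti, v in zip(pti_years, vals)}
            for cfg, vals in table.items()}

def classify_high_demand(table=TABLE4_PFH):
    """Per configuration, the SIL band reached by its PFH."""
    return {cfg: sil_band(v, PFH_BANDS) for cfg, v in table.items()}

def claimable_sil(per_pti):
    """The band a configuration holds at every listed PTI (the worst case),
    which is what matters if the plant may stretch proof testing to 3 years."""
    return min(per_pti.values())
```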
Type A (sub)system “Non-Complex” (sub)system (using discrete elements); for details see
7.4.3.1.2 of IEC 61508-2
Type B (sub)system “Complex” (sub)system (using micro controllers or programmable logic); for
details see 7.4.3.1.3 of IEC 61508-2
9.2 Releases
Version: V1
Revision: R6
Version History: V1, R6: updated to clarify SIL3/SIL2 redundancy constraints.
V1, R5: updated to update table of contents.
V1, R4: updated to add Heartbeat Block and EN50402 assessment,
Q12/05-048r1, 18 Oct 2012
V1, R3: updated for TPRO, Q12/05-074, 26 June 2012
V1, R2: updated for UCSB, Sep 11, 2011
V1, R1: Updated based on review, June 30, 2008
Authors: V1, R1: Michael Medoff
V1, R2: John Yozallinas
V1, R3: Griff Francis
V1, R4: Dave Butler
Review: V1, R2: Dr. William M. Goble; Sep 2011
V1, R4: Dr. William M. Goble; Nov 2012
V1, R6: Dr. William M. Goble; Feb 2013
Release status: released to client