
61508 SIL 3 CAPABLE

IEC 61508 Functional Safety Assessment

Project:
Mark VIeS Safety Controller

Customer:
GE Energy
Salem, VA
USA

Contract No.: Q07/06-11


Report No.: GE 07-06-11 R002
Version V1, Revision R6, February 5, 2013
Dave Butler

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management Summary
This report summarizes the results of the functional safety assessment according to IEC 61508 and
EN 50402:2005+A1:2008 carried out on the:
Mark VIeS Safety Controller
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by GE Energy through an audit and creation
of a detailed safety case against the requirements of IEC 61508 and EN
50402:2005+A1:2008.
- exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis
(FMEDA) of the devices to document the hardware architecture and failure behavior.
The functional safety assessment was performed to the requirements of IEC 61508, SIL 2 and SIL
3. This product was previously certified to IEC 61508 SIL 2 and SIL 3, depending upon its
configuration, by TÜV Nord (Report No.: SAS-136/2006T) and exida. Based on this certification, it
can be concluded that the GE Energy development process meets the requirements of IEC 61508
for SIL 3. As a result this latest assessment focused on reviewing the changes made to the
product. A full IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and
used as the primary audit tool. Hardware process requirements and all associated documentation
were reviewed. Environmental test reports were reviewed. Also the user documentation (safety
manual) was reviewed. In addition, all modification documentation was reviewed for the
modifications made since the last assessment.
The results of the Functional Safety Assessment can be summarized by the following statements:
The Mark VIeS Safety Controller (not including the YVIB Vibration Detection Subsystem) was
found to meet the requirements of SIL 2 for random integrity @ HFT=0, SIL 3 for random
integrity @ HFT=1 and SIL 3 for systematic integrity.
The YVIB Vibration Detection Subsystem was found to meet the requirements of SIL 1 for
random integrity @ HFT=0, SIL 2 for random integrity @ HFT=1 and SIL 2 for systematic
integrity.
The Mark VIeS Safety Controller (not including the YVIB Vibration Detection Subsystem) was
found to meet the requirements of EN 50402:2005+A1:2008 of SIL 2 for random integrity @
HFT=0, SIL 3 for random integrity @ HFT=1 and SIL 3 for systematic integrity.
The manufacturer will be entitled to use the Functional Safety Logos and may use the mark.

© exida GE 07-06-11 R002 V1R6 IEC 61508 Assessment.doc, February 5, 2014


Dave Butler Page 2 of 31
Table of Contents
Management Summary ................................................................................................... 2
1 Purpose and Scope ................................................................................................... 5
2 Project management .................................................................................................. 5
2.1 exida ............................................................................................................................ 5
2.2 Roles of the parties involved ........................................................................................ 5
2.3 Standards / Literature used .......................................................................................... 5
2.4 Reference documents .................................................................................................. 6
2.4.1 Documentation provided by GE Energy and first assessment ............................ 6
Document List from initial certification: ......................................................................... 6
2.4.2 Supplementary Documentation provided by GE Energy for UCSB and System
Updates ............................................................................................................. 9
2.4.3 Supplementary Documentation provided by GE Energy for TPRO and System
Updates ........................................................................................................... 12
2.4.4 Supplementary Documentation Provided by GE Energy for Heartbeat Function
Block and EN50402 assessment Updates ....................................................... 13
2.4.5 Updated Documentation generated by exida ................................................... 13
3 Product Description .................................................................................................. 14
3.1 Modes of operation..................................................................................................... 16
4 Version/Revision Information ................................................................................... 17
4.1 Firmware Versions ..................................................................................................... 17
4.2 Hardware Revisions ................................................................................................... 18
4.2.1 YDIA Contact In I/O Pack (IS220YDIAS1A) ..................................................... 18
4.2.2 YDOA Contact Out I/O Pack (IS220YDOAS1A) ............................................... 18
4.2.3 YAIC Analog In/Out I/O Pack (IS220YAICS1A)................................................ 19
4.2.4 YHRA HART Enabled Analog In/Out (IS220YHRAS1A) .................................. 19
4.2.5 YTCC Thermocouple I/O Pack (IS220YTCCS1A) ............................................ 20
4.2.6 YTUR Turbine I/O Pack (IS220YTURS1A) ...................................................... 20
4.2.7 YPRO Protection I/O Pack (IS220YPROS1A) .................................................. 21
4.2.8 YVIB Vibration I/O Pack (IS220YVIBS1A)....................................................... 22
4.2.9 UCCC Mark VIeS Controller (IS215UCCCS05A) ............................................ 22
4.2.10 UCSB Mark VIeS Controller (IS420UCSBS1A) ............................................... 22
5 IEC 61508 Functional Safety Assessment ............................................................... 23
5.1 Methodology............................................................................................................... 23
5.2 Assessment level ....................................................................................................... 23
6 Results of the IEC 61508 Functional Safety Assessment ........................................ 24
6.1 Lifecycle Activities and Fault Avoidance Measures..................................................... 24
6.1.1 Functional Safety Management ....................................................................... 24
6.1.2 Safety Requirements Specification and Architecture Design ............................ 25
6.1.3 Hardware Design ............................................................................................. 25
6.1.4 Validation ......................................................................................................... 25
6.1.5 Verification ....................................................................................................... 26
6.1.6 Modifications.................................................................................................... 26
6.1.7 User documentation ......................................................................................... 26
6.2 Hardware Assessment ............................................................................................... 27
7 Results of the EN 50402:2005 + A1:2008 Functional Safety Assessment ............... 28
8 Terms and Definitions .............................................................................................. 29
9 Status of the document ............................................................................................ 30
9.1 Liability ....................................................................................................................... 30
9.2 Releases .................................................................................................................... 30
9.3 Future Enhancements ................................................................................................ 30
9.4 Release Signatures .................................................................................................... 30

1 Purpose and Scope
This document describes the results of the IEC 61508 functional safety assessment of the Mark
VIeS Safety Controller.

2 Project management
2.1 exida
exida is one of the world’s leading knowledge companies specializing in automation system safety
and availability with over 300 man years of cumulative experience in functional safety. Founded by
several of the world’s top reliability and safety experts from assessment organizations and
manufacturers, exida is a global corporation with offices around the world. exida offers training,
safety lifecycle engineering tools, detailed product assurance and certification analysis and a
collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate
and failure mode database on process equipment.

2.2 Roles of the parties involved

GE Energy   Manufacturer of the Mark VIeS Safety Controller
exida       Performed the IEC 61508 and EN 50402:2005+A1:2008 Functional Safety Assessment
GE Energy contracted exida in August 2007 for the IEC 61508 Functional Safety Assessment of
the above mentioned devices.
GE Energy contracted exida in March 2011 for the IEC 61508 Functional Safety Assessment of the
UCSB Control Module and renewal of the certificate.
GE Energy contracted exida in May 2012 for the IEC 61508 Functional Safety Assessment of the
TPRO Termination Board.
GE Energy contracted exida in November 2012 for the EN 50402:2005+A1:2008 Functional Safety
Assessment.

2.3 Standards / Literature used


The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508: 2010 (Parts 1 - 7) Functional Safety of Electrical/Electronic/Programmable
Electronic Safety-Related Systems

2.4 Reference documents
2.4.1 Documentation provided by GE Energy and first assessment

Document List from initial certification:


[D1] CRCCC; NA; 3/13/2008 CRC Code Check.txt
[D2] exida - Comm; exida: Safety Communication Analysis
[D3] exida: PIU QNX; exida: Proven In Use Report on QNX Operating System
[D4] FMTR; NA; 3/11/2008 Filter Module Test Results
[D5] Module Test Results
[D6] SAS-136/2006T Certification Report of the Mark VIeS Safety Controller
[D7] GE - Arch DS; GE: Mark VIe Architectural Specification
[D8] GE - CTLDP205; 0; GE: CTLDP205 - Electronic Component Application & Stress
Derating
[D9] GE - E-NPP; Online; GE: E-NPP - New Products and Processes
[D10] GE - FSM; 01.02.02; 05/26/2008; GE: Mark VIe FSM Plan incl. V&V
[D11] GE - GEH6721; GE: GEH6721 Mark VIe Control System Guide
[D12] GE - PG170; GE: PG170 Product Safety Process
[D13] GE - QH4000- 09; GE: QH4000 - Tab 9 Software Development Process
[D14] GE - QH4000-03; GE: QH4000 - Tab 3 Product Development PWA Design
[D15] GE - QH4000-12; GE: QH4000 - Tab 12 NPI Product Engineering
[D16] GE - QH4002.91; GE: QH4002.91 Product Development - Software
Development, Introduction
[D17] GE - QH4003.91; GE: QH4003.91 Requirements Management
[D18] GE - QH4004.32; GE: QH4004.32 Hardware Change Control
[D19] GE - QH4004.93; GE: QH4004.93 Peer Review
[D20] GE - QH4005.91; GE: QH4005.91 Configuration Management
[D21] GE - QH4010.91; GE: QH4010.91 Testing and Verification
[D22] GE - QH7000-8; GE: QH7000 Tab 8 Equipment Calibration
[D23] GE - SD020; GE: SD020 Design Process (SD020.doc)
[D24] GE - SD041; GE: SD041 Testplan and Testcase guideline (SD041.doc)
[D25] GE - SD090; GE: SD090 Fault Reporting Procedure
[D26] GE - SIL Coding; GE: Mark VIe SIL Coding Standard.doc
[D27] GEH-6723; 2/12/2008 GE: Mark VIeS Controller Safety Manual
[D28] GE - SourceSafe; GE: SourceSafe (Configuration Database)
[D29] GE - SRS; 01.04.02; 9/21/2007; GE: Mark_VIe_Safety_Control_SRS_010301

[D30] GE - VTS; GE: YVIB Regression Test Specification
[D31] LINT RESULTS; NA; 12/18/2007; PC LINT Results
[D32] Mark VIe V&V; 1.02.02q; 10/1/2007; Mark VIe Safety Validation and Verification Test Plan
[D33] MARK VIES DR; 1.07.02; 1/21/2008; Mark VIeS Safety Control Derived Requirements
[D34] MATRIX; 1.02.02; 10/1/2007; Safety Validation Traceability Matrix
[D35] MOD_TEST; 01.00.01; 10/5/2007; YVIB Module Test Plan and Results
[D36] Peer Review 419-1; NA; 9/5/2007; Code Review Example - Summary of Code Review
[D37] Peer Review 419-2; NA; 9/5/2007; Code Review Example - Detailed List of Changes
[D38] PVIB DRM; NA; 11/30/2007; PVIB Design Review Minutes
[D39] PVIB Timing; NA; 3/13/2008; PVIB Timing Diagram
[D40] SIL EGD SDS; 01.00.04; 12/5/2007; SIL EGD Software Design Specification
[D41] SIL IOP; 1.00.02A; 12/5/2007; SIL IOPack Design Specification and FMEA
[D42] SRS REV; NA; 9/7/2007; SRS Review Minutes
[D43] TR5235; 1; 6/16/2004; EMC Test Report
[D44] V&V: FMEDA; YVIB vibration card FMEDA
[D45] YVIB Bubble; NA; 11/15/2007; YVIB Bubble Diagram
[D46] YVIB DESIGN; 01.05.02; 9/26/2007; Mark VIe I/O Pack and Termination Board YVIB/TVBA
Vibration Requirements Specification
[D47] YVIB PROOF; 1.00.01; 1/24/2008; YVIB Proof Test Procedures
[D48] YVIB_Vibration_Monitor_ref1.pdf; 1; 1/21/2008; YVIB Vibration Monitor portion of Mark VIeS
Safety Controller System Guide
[D49] GE MarkVIeS Safety CaseDB with YVIB card.esc; Safety Case Database for MarkVIeS system
including YVIB card
[D50] GEP 06/01-32 R003; V2R1; 12/29/2006; Markov Model Analysis of Mark VIeS
[D51] 080403_SIL_YDOA support for SRLYS2A+WROx (SCR 11443).xls; 5/22/2008; Test results for
SCR #11443
[D52] 080422_SIL_YDOA 50Hz VAC excitation (SCR 14033).xls; 5/22/2008; Test Results for SCR #14033
[D53] 080425_SIL_YDOA Bad Solenoid Coil alms (SCR 7637).xls; 5/22/2008; Test Results for SCR #7637
[D54] TR5698; Issue 1; 6/14/2006; EMC Test Report Mark VIe Control Packs
[D55] IO Pack Hardware & Firmware 11 May 08.xls; 5/22/2008; Listing of Mark VIeS version and
revision numbers
[D56] Mark VIeS Impact Analysis WPDF.pdf; V01.00.01; 5/12/2008; Impact analysis of adding WPDF to
TRLY_F
[D57] Mark VIeS Impact Analysis, WROx.pdf; V01.00.00; 5/12/2008; Impact analysis of adding WROx to
SRLY
[D58] Modifications List SCR-ECR Cross Ref Apr 08.xls; 5/22/2008; List of SCRs and ECRs included in
latest releases along with status and validation information for each change
[D59] Module Test Miscellany.pdf; V01.02.04; 5/19/2008; Miscellaneous Module Test Results
[D60] Module Test Blocks Changed.pdf; V01.00.00; 3/02/2006; Module tests for changed function blocks
[D61] SilBlkTestPlans.xls; 5/22/08; Test Results for Function Block Tests
[D62] Temp Status Block Design.rtf; 5/28/08; Design Specification for Temp Status Block
[D63] Temp Status TestPlan.pdf; V03.01.02C; 5/08/2008; Test Plan for Temperature Status Block
[D64] TP Alarms.doc; V01.00.08C; 6/30/2004; Alarm Manager Test Plan
[D65] UCCC_REGRSN_Results.xls; 5/22/2008; UCCC MarkVIeS SIL Validation Test Plan – RESULTS file
[D66] UCCC_REGRSN_Testplan.pdf; V01.00.00A; 7/19/2006; UCCC MarkVIeS SIL Validation Test Plan
[D67] YDIA Validation Summary 20080512B.xls; 5/22/08; YDIA Validation Test Results
[D68] YDIA_REGRSN_TestPlan.pdf; V01.00.02A; 6/27/2006; YDIA Validation Test Plan
[D69] YDOA Validation Summary 20080512B.xls; 5/22/2008; YDOA Validation Test Results
[D70] YDOA_REGRSN_TestPlan.pdf; V01.00.02A; 6/27/2006; YDOA Validation Test Plan
[D71] YTUR TestRecord Summary.xls; 5/22/2008; YTUR Validation Test Results
[D72] YTUR_REGRSN_TestPlan.pdf; V01.00.03A; 7/19/2006; YTUR Validation Test Plan
[D73] SCR Data; Impact Analysis and Change Information for all software changes in latest release
[D74] ECR Data; Impact Analysis and Change Information for all hardware changes in latest release

2.4.2 Supplementary Documentation provided by GE Energy for UCSB and System Updates

[D100] CRC; 1.00.03A; 4/12/2006; SIL CRC API Design Specification.pdf
[D101] FSM; 1.03.04; 6/5/2011; Mark VIe Safety Control Functional Safety Planx.pdf (includes FSM
Training, system modifications, V&V plan)
[D102] GE - Arch DS; 1.04.00; 4/13/2011; GE: Mark VIe Architectural Overview
[D103] GE - CPE7.3; 1.7; 6/14/2011; GE: Platform Validation Processes CPE 7.3 VAL Rev 1.7.pdf
[D104] GE - CPE7.3.3-1; 1.3; 1/12/2011; GE: Platform Validation Defect Reporting CPE 7.3.3-1 VAL
Rev 1.3.pdf
[D105] GE - CPE7.3-1; 2.4; 1/11/2011; GE: C&PE CoE Development Process CPE 7.3-1 DEV Rev 2.4.pdf
[D106] GE - CPE7.3-4; 2.1; 1/17/2011; GE: Control Platform Software Development CPE 7.3-4 SW
Rev 2.1.pdf
[D107] GE - CPE7.3-7; 4.0; 3/19/2010; GE: PWA Change Control CPE 7.3.7-1 PWA Rev 4.0.pdf

[D108] GE - CPE7.6; 1.0; 11/19/2010; GE: Control of Monitoring and Measurement Devices CPE 7.6 TQ
Rev 1.0.pdf
[D109] GE - CPESW; 2.0; 12/10/2010; GE: Software Process Life Cycle CPESW-PR.11 Rev 2.0.pdf
[D110] GE - CPESW-SD; 2.4; 12/10/2010; GE: Peer Review Record Instructions CPESW-SD.100 Rev 2.4.pdf
[D111] GE - CTLDP205; 3; 10/29/2010; GE: CTLDP205 - Electronic Component Application & Stress
Derating
[D112] GE - ctldp207; 1; 11/30/2010; GE: ctldp207.pdf Product Development PWA Design
[D113] GE - EEDI-120; 3.3; 3/21/2011; EEDI-120 Technical Review Instructions Rev 3.3.pdf
[D114] GE - EEDI-170; 1.3; 3/21/2011; EEDI-170 Product Safety Process Instructions.pdf
[D115] GE - CPESW-CM.10; 2.5; 12/10/2010; GE: Configuration Management Procedure CPESW-CM.10
Rev 2.5.pdf
[D116] GE - CPESW-SD.43; 1.1; 12/10/2010; GE: Test Plan Instructions CPESW-SD.43 Rev 1.1.pdf
[D117] GEEQMS-NPI; 3.2; 1/31/2011; New Product Introduction GEEQMS 7.0.2 Rev 3.2.pdf
[D118] GE - GEH6722; 7/11/2011; GE: GEH6722 Mark VIe Control System Guide
[D119] GE - GEH-6723; 8/10/2011; GE: Safety Manual, GEH-6723.pdf
[D120] GE - SIL Coding; V01.00.01; 2/21/2006; GE: Mark VIe SIL Coding Standard.pdf
[D121] GE - Version Control; (onsite, online); GE: SourceSafe (Configuration Database) and Microsoft
Team Foundation Server
[D122] GE - SRS; 5; 12/9/2010; GE: UCSB SIL SyRS.doc
[D123] Mark VIe V&V; 1.03.00; 7/15/2011; Mark VIe Safety Validation and Verification Test Plan
[D124] MARK VIES DR; 1.03.00; 7/15/2011; Mark VIeS SysDS and SRS Validation & Verification Test
Plan.xls (includes Traceability Matrix and Derived Requirements)
[D125] MOD_TEST; NA; 4/25/2011; UCSB Module Test Plan and Results
[D126] Peer Review #1; NA; 4/25/2011; Code Review Example - Summary of Code Review
[D127] Peer Review #2; NA; 4/25/2011; Code Review Example - Detailed List of Changes
[D128] Q: Err; 1.0; 1/27/2009; Product Failure Analysis CPE 7.3-5 PS Rev 1.0.pdf
[D129] Q: Release; 2.2; 12-Apr-11; PM: Product Release Procedure: Software Product Version
Identification Procedure CPESW-CM.20 Rev 2.2.pdf
[D130] Q: TestBed; V&V: Test bed description, sample files: MarkVIeS_Runtime.V040305C.UCSB_TMR.html;
YTCC Validation Summary SIL V040303C.UCSB.xls; YDOA Validation Summary SIL V040303C.UCSB.xlsx;
YAIC Validation Summary SIL V040303C.UCSB.xls; YDIA Validation Summary SIL V040304C.UCSB.xlsx
[D131] SRS REV; NA; 10/4/2010; SRS Review Minutes

[D132] StaticAnalysis; NA; 12/18/2007; Coverity Results
[D133] TR11082GEE01.IWS.pdf; 1; 17-Sep-2010; EMC Test Report
[D134] UCSB_HALT_28_OCT_2010.xls; 8-Nov-2010; Environmental test reports
[D135] UCSB DRM; NA; 5/3/2011; UCSB Design Review Minutes
[D136] GE UCSB Controller Module 06-28-2010FMEDA.efm; UCSB FMEDA
[D137] ColorCoded GE Mark VIe FMEDA Summary 2011-08-01 RoHS.xls; UCCC FMEDA update for RoHS
[D138] Mark VIeS UCSB Fault Injection Tests.pdf; 01.00.00; 7/31/2011; UCSB Fault Injection Test
plan and results to support FMEDA
[D139] UCCC_REGRSN_Results_0403.xlsx; UCSB_REGRSN_Results_V0403.xlsx; YDOA-REGRSN-TESTPLAN.pdf;
YPRO-REGRSN-TESTPLAN.pdf; YDIA-REGRSN-TESTPLAN.pdf; Regression Test Specification; no changes
in IO; module tests run from both IO and controller
[D140] GE MarkVIeS SafetyCaseDB-YVIB add UCSB.esc; Safety Case Database for MarkVIeS system
including YVIB card and UCSB Controller
[D141] UCSB SIL PRR.pdf; NA; 4-Oct-2010; Requirements Review
[D142] MarkVIeS PREVOTE Block UCSB Test Record.xls; CTRLT_MON_UCSB.xlsx; TEMP_STATUS_UCSB.xlsx;
SYS_OUTPUTS_UCSB.xlsx; MarkVIeS_RuntimeBlockware_Results_V04.03.05.xlsx; Function Block test
results
[D143] Distributed Safety Y-Pack IO_V03.02.23C_Binary Comparison.docx; NA; Differences between
V03.02.23C and previous version that was tested
[D144] YTUR Validation Summary SIL V040304C.UCSB.xlsx; YHRA Validation Summary SIL
V040303C.UCSB.xls; YPRO-TREG Validation Summary SIL V040304C.UCCC.xlsx; Validation Summary
reports
[D145] MarkVIeS_V040306C_Hash.txt; SHA Codes for released executable controller code
[D146] yaic_V03.02.23C.txt; ydia_V03.02.23C.txt; ydoa_V03.02.23C.txt; yhra_V03.02.23C.txt;
ypro_V03.02.23C.txt; ytcc_V03.02.23C.txt; ytur_V03.02.23C.txt; yvib_V03.02.23C.txt; SHA Codes
for released executable IOPack code
[D147] Modifications List SCR-ECR Cross Ref 2011 072711.xls; Mark VIeS System modifications
initiated in 2011
[D148] Modifications List SCR-ECR Cross Ref 2010 072711.xls; Mark VIeS System modifications
initiated in 2010
[D149] Modifications List SCR-ECR Cross Ref 2009 072711.xls; Mark VIeS System modifications
initiated in 2009

2.4.3 Supplementary Documentation provided by GE Energy for TPRO and System Updates

[D150] IS200TPROH#CA; 16 Oct 2008; Schematic, Termination Board, Protective
[D151] GEI-100596T; Revised 2012-06-01; Mark* VIe Control Backup Turbine Protection (PPRO) Module
Description

2.4.4 Supplementary Documentation Provided by GE Energy for Heartbeat Function Block and EN50402
assessment Updates

[D152] Device_HB Safety Impact Analysis.pdf; WI: 12830, 12831; Completed Impact analysis checklist
for WI12830, WI12831
[D153] SilBlk_forController_Testplans_DEVICE_HB.xls; Module Test plans for SIL blocks, modified for
DEVICE_HB function block
[D154] Module Test DEVICE_HB WI 12830 12831.xls; Module Test results for DEVICE_HB function block
changes per WI12830, WI12831
[D155] 12830 12831 - DEVICE_HB Design Code and Test Review.xls; Design, code and module test review
notes (no action items)
[D156] Blocks (DEVICE_HB).pdf; User Description of DEVICE_HB function block
[D157] Device_HB Static Analysis.pdf; Static analysis results on code after change
[D158] WI 12830 Device_HB Block.pdf; Request for change to the software based on a need for a
DEVICE_HB block

2.4.5 Updated Documentation generated by exida

[R1] GE 07-06-11 R002 V1R5 IEC 61508 Assessment.doc; IEC 61508 Functional Safety Assessment for
Mark VIeS Safety Controller (This document)
[R2] GE UCSB Controller Module FMEDA 06-28-2010.efm; FMEDA for UCSB
[R3] ColorCoded GE Mark VIe FMEDA Summary 2011-08-01 RoHS.xls; FMEDA update for UCCC RoHS,
including I/O
[R4] GEP 06-05-12 R003 V2R2 Mark VIeS Markov Model.doc; Updated Markov Model Analysis Report

3 Product Description
The Mark VIeS Safety Controller is a flexible safety shutdown system that can be used for multiple
applications. It features high speed networked I/O for simplex, dual, and triple redundant systems.
Industry standard Ethernet communications are used for I/O, controllers, and supervisory interface
to operator and maintenance stations, and third party systems. The Mark VIeS has been certified
to be SIL 3 capable. Figure 1 shows the Mark VIeS safety control system and the devices that
connect to and interact with the system and which parts of the system are included in the
certification.

[Figure 1: block diagram. Enterprise Layer: router to optional customer network. Supervisory
Layer: Plant Data Highway with HMI viewers, field support and HMI servers. Control Layer: Unit
Data Highway connecting the TMR safety control (Mark VIeS R/S/T), generator protection, BOP,
exciter (EX2100), static starter, turbine control (Mark VIe / Mark VI) and GPP. IONet Layer:
R, S and T IONET to the terminal boards. Safety Field I/O: terminal boards.]

Figure 1 Mark VIeS SIL System Context within entire Application (including BPCS)

The Mark VIeS consists of a number of modules, each with a specific function. The following is a
summary of all modules considered part of the certification:

Control Modules

UCCC – executes configured logic for a safety instrumented function (SIF) based on the current
process inputs to control the process outputs.

UCSB – executes configured logic for a safety instrumented function (SIF) based on the current
process inputs to control the process outputs.

Typical Process I/O


Typical process inputs include contact, analog, and thermocouple signals. Typical process outputs
include relays and analog outputs. All outputs based on inputs for typical process I/O require
processing by the system controller.

BPPB – Common I/O processor board which is used for all I/O types. This board is combined with
an I/O type specific data acquisition board in order to create a specific type of I/O module
YAIC – Ten analog inputs (voltage, 4-20mA) and two 4-20mA analog outputs. Single and triple pack
capable.
YHRA – Ten 4-20mA analog inputs, two 4-20mA analog outputs, all HART enabled. Capable of only
single pack operation with one or two networks.
YDIA – Twenty-four contact closure inputs with group isolation. Available nominal voltage ranges
include 24V, 48V, and 125V dc. Capable of single, dual, or triple pack operation on an appropriate
terminal board.
YDOA – Twelve relay outputs with feedback determined by the associated terminal board. Capable
of single and triple pack operation.
YTCC – Twelve thermocouple inputs. Capable of single, dual, or triple pack operation on an
appropriate terminal board.
YVIB – Twelve vibration inputs. Provides a direct interface to seismic (velocity), proximity,
velomitor and accelerometer type probes. Capable of single and triple pack operation.

Application Specific Protection


Mark VIeS includes two application specific I/O functions. What sets these apart from the typical
process I/O is their ability to accept local inputs and drive local outputs independent of the system
controller. They also feature application specific I/O types including pulse rate speed inputs and
flame detectors.
YTUR is a primary turbine protection input / output pack that accepts four speed signals, Estop,
and eight flame detectors while controlling three output trip relays. Ability to process speed signals
and operate trip relays is local to the YTUR and does not require controller participation. YTUR
provides additional sensing designed into the mating terminal boards to detect correct operation of
the tripping relay output circuits. YTUR includes a non-certified but non-interfering capability to
synchronize a generator to a utility grid and control a connection breaker.
YPRO is a backup or emergency protection input / output pack that accepts three speed signals,
Estop, seven contact inputs, and drives three trip relay outputs. Ability to process speed signals
and operate trip relays is local to the YPRO and does not require controller participation. YPRO
includes firmware based and hardware overspeed protection. YPRO provides additional sensing
designed into the mating terminal boards to detect correct operation of the tripping relay output
circuits. Non-interfering backup synchronizing check is included in YPRO. YPRO plus YTUR
creates a diverse, fast, comprehensive electronic overspeed protection solution.

3.1 Modes of operation


The Mark VIeS is certified for both low demand and high demand mode as well as energize to trip
mode and de-energize to trip mode. However, the system is only certified to SIL 3 for certain
combinations of architecture, demand mode and trip mode. In addition, it is certified to SIL 2 for
other combinations, and some combinations are not certified at all. The following tables describe
which configurations are certified to which safety integrity levels:

Table 1: SIL Capability of Mark VIeS in low demand mode of operation

                          2oo3     1oo2             2oo2     1oo1
De-energize to trip mode  SIL 3    SIL 3            SIL 2    SIL 2
Energize to trip mode     SIL 2    Not SIL capable  SIL 2    Not SIL capable

Table 2: SIL Capability of Mark VIeS in high demand mode of operation

                          2oo3             1oo2             2oo2             1oo1
De-energize to trip mode  SIL 3            SIL 3            Not SIL capable  Not SIL capable
Energize to trip mode     Not SIL capable  Not SIL capable  Not SIL capable  Not SIL capable
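The SIL figures in Tables 1 and 2 come from the quantitative work behind the certificate (the FMEDA and Markov model analysis listed in section 2.4), not from the voter logic alone. The following is an added illustration, not GE code and not the Mark VIeS voting implementation: a small Python model of MooN voting under the two trip-mode polarities, intended to make visible the qualitative effect those tables reflect. The two fault types ("dead" for a channel that has lost power, "stuck" for an output frozen at its non-trip level), the voter rule and all function names are assumptions made for this example.

```python
"""Toy model of MooN voting under the two trip-mode polarities.

Added illustration, not GE code and not the Mark VIeS voting logic. The fault
types, voter rule and names below are assumptions made for this example.
"""

# (m, n): the SIF trips when at least m of the n channels are at the trip level
ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}

# Assumed single-channel fault types:
#   "dead"  - channel lost power; its output is de-energized regardless of logic
#   "stuck" - channel output frozen at its non-trip level
FAULTS = ("dead", "stuck")


def channel_level(fault, demand, de_energize_to_trip):
    """Physical output level of one channel (True = energized)."""
    trip_level = not de_energize_to_trip  # level at which this channel asserts a trip
    if fault == "dead":
        return False                      # no power: the output cannot be energized
    if fault == "stuck":
        return not trip_level             # frozen at the non-trip level
    return trip_level if demand else not trip_level


def sif_trips(arch, faults, demand, de_energize_to_trip):
    """Apply the MooN voter to the channel outputs; faults holds one entry per channel."""
    m, n = ARCHITECTURES[arch]
    if len(faults) != n:
        raise ValueError(f"{arch} needs {n} channels, got {len(faults)}")
    trip_level = not de_energize_to_trip
    votes = sum(1 for f in faults
                if channel_level(f, demand, de_energize_to_trip) == trip_level)
    return votes >= m


def single_fault_behaviour(arch, de_energize_to_trip):
    """Classify every single-channel fault for one architecture and trip mode.

    dangerous: the SIF fails to trip on demand
    spurious:  the SIF trips with no demand (a revealed, safe-direction failure)
    latent:    no output change without demand, so only diagnostics or a
               proof test would reveal it
    """
    m, n = ARCHITECTURES[arch]
    out = {"dangerous": set(), "spurious": set(), "latent": set()}
    for fault in FAULTS:
        for idx in range(n):
            faults = [None] * n           # None = healthy channel
            faults[idx] = fault
            if not sif_trips(arch, faults, True, de_energize_to_trip):
                out["dangerous"].add(fault)
            if sif_trips(arch, faults, False, de_energize_to_trip):
                out["spurious"].add(fault)
            else:
                out["latent"].add(fault)
    return out


def summary_table():
    """Return {(arch, mode): behaviour} for every cell of Tables 1 and 2."""
    table = {}
    for arch in ARCHITECTURES:
        for mode, dtt in (("de-energize", True), ("energize", False)):
            table[(arch, mode)] = single_fault_behaviour(arch, dtt)
    return table


if __name__ == "__main__":
    for (arch, mode), b in summary_table().items():
        print(f"{arch:5} {mode:12} dangerous={sorted(b['dangerous'])} "
              f"spurious={sorted(b['spurious'])} latent={sorted(b['latent'])}")
```

Running summary_table() shows that with de-energize to trip a powered-down channel drives 1oo1 and 1oo2 toward a spurious but safe trip, so that failure reveals itself; with energize to trip the same failure is silent in every architecture and can only be found by diagnostics or proof test. That revealed-versus-latent distinction, together with the failure rates and diagnostic coverage the FMEDA supplies, is what separates the two modes in the tables; a single-fault count alone would make 1oo2 energize to trip look as good as 1oo2 de-energize to trip, which the table does not support.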

4 Version/Revision Information
The following firmware and hardware revisions are included in this certification

4.1 Firmware Versions


Model Number    Description                           Firmware Version
IS220YDIAS1A    Contact In I/O Pack (YDIA)            V03.02.07C, V03.02.21C, V03.02.22C, V03.02.23C
IS220YDOAS1A    Contact Out I/O Pack (YDOA)           V03.02.18C, V03.02.21C, V03.02.23C
IS220YAICS1A    Analog In/Out I/O Pack (YAIC)         V03.02.07C, V03.02.22C, V03.02.23C
IS220YHRAS1A    HART Enabled Analog In/Out (YHRA)     V03.02.07C, V03.02.21C, V03.02.23C
IS220YTCCS1A    Thermocouple I/O Pack (YTCC)          V03.02.07C, V03.02.21C, V03.02.23C
IS220YTURS1A    Turbine I/O Pack (YTUR)               V03.02.07C, V03.02.22C, V03.02.23C
IS220YPROS1A    Protection I/O Pack (YPRO)            V03.02.07C, V03.02.22C, V03.02.23C
IS220YVIBS1A    Vibration I/O Pack (YVIB)             V03.02.13C, V03.02.21C, V03.02.23C
IS215UCCCS05A   Mark VIeS Controller (UCCC)           V03.02.03C, V03.02.04C, V03.02.07C, V04.03.06C
IS420UCSBS1A    Mark VIeS Controller (UCSB, 600 MHz)  V04.03.06C

4.2 Hardware Revisions

4.2.1 YDIA Contact In I/O Pack (IS220YDIAS1A)

Model Number Description Rev.


IS200BPPBS2B IO Pack CPU BM, BN
IS200BPPBS2C IO Pack CPU CA
IS200BPDIS1A Contact Input App Board AB, AC
IS200TBCIS1C 125V Cont In CB
IS200TBCIS2C 24V Cont In CB
IS200TBCIS3C 48V Cont In CB
IS200STCIS1A 24VDC Contact In AD
IS200STCIS2A 24VDC Contact In (pluggable) AD
IS200STCIS4A 48VDC Contact In (pluggable) AD
IS200STCIS6A 125VDC Contact In (pluggable) AD

4.2.2 YDOA Contact Out I/O Pack (IS220YDOAS1A)

Model Number Description Rev.


IS200BPPBS2B IO Pack CPU BM, BN
IS200BPPBS2C IO Pack CPU CA
IS200BPDOS1A Contact Output App Board AA
IS200TRLYS1F TMR Sealed Relay Out – NO FA
IS200TRLYS2F TMR Sealed Relay Out – NC FA
IS200TRLYS1B Relay Out BG
IS200TRLYS1D Solenoid Out with Solenoid monitor DA
IS200SRLYS1A 12 dry relay, fixed TB, no daughterboard AA
IS200SRLYS2A 12 dry relay, pluggable TB, daughterboard option AA
IS200WPDFH1A Power Distribution Board AC
IS200WROBH1A Power Distribution Board AA
IS200WROFH1A Power Distribution Board AA
IS200WROGH1A Power Distribution Board AA

4.2.3 YAIC Analog In/Out I/O Pack (IS220YAICS1A)


Model Number | Description | Rev.
IS200BPPBS2B | IO Pack CPU | BM, BN
IS200BPPBS2C | IO Pack CPU | CA
IS200BPAIS1A | Analog IO App Board | AC
IS200TBAIS1C | Analog In/Out | CD
IS200STAIS1A | Analog In/Out | AB
IS200STAIS2A | Analog In/Out (pluggable) | AB

4.2.4 YHRA HART Enabled Analog In/Out (IS220YHRAS1A)


Model Number | Description | Rev.
IS200BPPBS2B | IO Pack CPU | BM, BN
IS200BPPBS2C | IO Pack CPU | CA
IS200BHRAS1A | HART Analog IO App Board | AA
IS200SHRAS1A | Termination BD for HART IO PHRA | AB
IS200SHRAS2A | Termination BD for HART IO PHRA (pluggable) | AB

4.2.5 YTCC Thermocouple I/O Pack (IS220YTCCS1A)
Model Number | Description | Rev.
IS200BPPBS2B | IO Pack CPU | BM, BN
IS200BPPBS2C | IO Pack CPU | CA
IS200BPTCS1A | Thermocouple Input App Board | AA, AB
IS200TBTCS1B | TMR Thermocouple TB PWA, limit 12 fanned TCs | BB
IS200TBTCS1C | Simplex Thermocouple TB PWA, 24 TCs | CB
IS200STTCS1A | Thermocouple | AA
IS200STTCS2A | Thermocouple (pluggable) | AA

4.2.6 YTUR Turbine I/O Pack (IS220YTURS1A)


Model Number | Description | Rev.
IS200BPPBS2B | IO Pack CPU | BM, BN
IS200BPPBS2C | IO Pack CPU | CA
IS200BTURS1A | Turbine IO App Board | AB
IS200KTURS1A | Turbine IO Daughterboard | AA
IS200TTURS1C | Turbine Termination PWA | CC
IS200TRPAS1A | Primary Trip PWA - 24VDC | AF
IS200TRPAS2A | Primary Trip PWA - 125VDC | AF
IS200TRPGS1B | Primary Gas Trip, TMR (24/125VDC contacts) | BD
IS200TRPGS2B | Primary Gas Trip, Simplex (24/125VDC contacts) | BD

4.2.7 YPRO Protection I/O Pack (IS220YPROS1A)
Model Number | Description | Rev.
IS200BPPBS2B | IO Pack CPU | BM, BN
IS200BPPBS2C | IO Pack CPU | CA
IS200BPROS1A | Turbine Protection App Board | AC
IS200SPROS1A | Simplex Protection TB | AB, AD
IS200TPROS1C | Turbine Protection Terminal Board (TMR) - two 24 barrier terminals, each in a pluggable block | CA
IS200TPROS2C | Turbine Protection Terminal Board (TMR) - two 24 pluggable Euro-style box terminals | CA
IS200TREAS1A | Emergency Trip Aero Apps - 24VDC - Block Conn | AC
IS200TREAS2A | Emergency Trip Aero Apps - 125VDC - Block Conn | AC
IS200TREAS3A | Emergency Trip Aero Apps - 24VDC - Euro Conn | AC
IS200TREAS4A | Emergency Trip Aero Apps - 125VDC - Euro Conn | AC
IS200TREGS1B | Turbine Emergency Trip, 125VDC | BD
IS200TREGS2B | Turbine Emergency Trip, 24VDC | BD
IS200TREGS3B | Turbine Emergency Trip, 125VDC, TMR, special 28V Power use | BD
IS200TREGS4B | Turbine Emergency Trip, 125VDC, TMR, special 28V Power use | BD
IS200TREGS5B | Turbine Emergency Trip, 125VDC, TMR, special 28V Power use | BD

4.2.8 YVIB Vibration I/O Pack (IS220YVIBS1A)
Model Number | Description | Rev.
IS200BPPBS2B | IO Pack CPU | BM, BN
IS200BPPBS2C | IO Pack CPU | CA
IS200BAFAS1A | Vibration IO App Board | AD
IS200KAPAS1A | Vibration IO App Board | AC
IS200WNPSS1A | Vibration IO Daughterboard | AA
IS200TVBAS2A | Vibration Termination | AA

4.2.9 UCCC Mark VIeS Controller (IS215UCCCS05A)


Model Number | Description | Rev.
IS215UCCCH5A | cPCI CPU with ECC memory | 5A
IS415UCCCH5A | cPCI CPU with ECC memory, RoHS update | 5A
IS200EPMCS1A | Ethernet IOnet interface | AD

4.2.10 UCSB Mark VIeS Controller (IS420UCSBS1A)

Model Number | Description | Rev.
IS400UCSBS1AB | CPU with ECC memory | AB

5 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received
from GE Energy and is documented in this report.

5.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault
control measures during hardware and software development and demonstrates full compliance
with IEC 61508 to the end-user. The assessment considers all requirements of IEC 61508. Any
requirements that have been deemed not applicable have been marked as such in the full Safety
Case report (e.g. software development requirements for a product with no software).
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
- Development process, including:
  - Functional Safety Management, including training and competence recording, FSM planning, and configuration management
  - Specification process, techniques and documentation
  - Design process, techniques and documentation, including tools used
  - Validation activities, including development test procedures, test plans and reports, production test procedures and documentation
  - Verification activities and documentation
  - Modification process and documentation
  - Installation, operation, and maintenance requirements, including user documentation
- Product design
  - Hardware architecture and failure behavior, documented in a FMEDA

The review of the development procedures is described in section 6.1. The review of the product
design is described in section 6.2.

5.2 Assessment level


The Mark VIeS Safety Controller has been assessed per IEC 61508 to the following levels:
- SIL 2 capability for random failures (Hardware Fault Tolerance = 0)
- SIL 3 capability for random failures (Hardware Fault Tolerance = 1)
The development procedures were assessed as suitable for use in applications with a maximum
Safety Integrity Level of 3 (SIL 3) according to IEC 61508.
The Mark VIeS Safety Controller has been assessed per EN 50402:2005 + A1:2008 to the
following levels:
- SIL 3 capability for random failures (Hardware Fault Tolerance = 1)
- SIL 2 capability for random failures (Hardware Fault Tolerance = 0)
6 Results of the IEC 61508 Functional Safety Assessment
exida assessed the development process used by GE Energy during the product development
against the objectives of IEC 61508 parts 1, 2, and 3, see [D49] and [D140]. The development of
the Mark VIeS Safety Controller and its components was done per this IEC 61508 SIL 3 compliant
development process. The Safety Case was updated with project specific design documents. An
updated safety case [D140] was completed for the new UCSB controller and IO pack revisions.

6.1 Lifecycle Activities and Fault Avoidance Measures


GE Energy has an IEC 61508 compliant development process as assessed during the IEC 61508
certification. This compliant development process is documented in [D49] and [D140].
This functional safety assessment investigated the compliance with IEC 61508 of the processes,
procedures and techniques as implemented for the Mark VIeS development. The investigation was
executed using subsets of the IEC 61508 requirements tailored to the SIL 3 work scope of the
development team. The result of the assessment can be summarized by the following observations:
The audited GE Energy development process complies with the relevant managerial
requirements of IEC 61508 SIL 3.

6.1.1 Functional Safety Management


FSM Planning
The functional safety management of any GE Energy development is governed by the
Development Quality handbook (See [D13] through [D21]). For each development GE Energy
creates a functional safety management plan [D10] which defines all of the tasks that must be done
to ensure functional safety as well as the person responsible for each task. The team structure is
documented in the FSM plan as well. A meeting is held with management at the end of each
phase gate to determine if the team should proceed to the next phase (see [D9] for details). These
processes and the procedures referenced herein fulfill the requirements of IEC 61508 with respect
to functional safety management.
Update: additional updated processes are described in [D103] through [D117] and new FSM Plan
[D101].
Version Control
All documents are under version control as documented in [D10]. Design drawings and documents
are also under version control. GE Energy uses Visual Source Safe for its version control tool.
Update: see updated FSM plan [D101]
Training, Competency recording
Personnel training records are kept in accordance with IEC 61508 requirements as documented in
[D10]. GE Energy hired exida to be the independent assessor per IEC 61508.
Update: see updated FSM plan [D101]

6.1.2 Safety Requirements Specification and Architecture Design
As defined in [D10], a safety requirements specification (SRS) is done for all products that must
meet IEC 61508 certification. The requirements specification contains three major sections:
Product Specific Safety Requirements, Product Specific Architecture, and Derived Safety
requirements. For the Mark VIeS Safety Controller, the SRS[D29] has been reviewed by exida for
completeness per the requirements of IEC 61508.
Update: see updated FSM plan [D101] and SRS [D122].
Requirements are tracked throughout the development process by the creation of derived
requirements (see [D33]), which map the requirements to the design, and by mapping requirements
to appropriate validation tests in the validation test plan [D32]
Update: see updated V&V tracking documents [D123] and [D124].

Requirements from IEC 61508-2, Table B.1 that have been met by GE Energy include project
management, documentation, separation of safety systems from non-safety-related systems,
structured specification, and inspection of the specification. [D49] documents in more detail how
each of these requirements has been met. This meets the requirements of SIL 3.
Update: see updated safety case [D140].

6.1.3 Hardware Design


Hardware design, including both electrical and mechanical design, is done according to [D14]. The
hardware design process includes component selection, detailed drawings and schematics, safety
case documents for agency justification, a failure modes and effect analysis (FMEA), a failure
modes, effects and diagnostic analysis (FMEDA), a design review, the creation of prototypes, and
hardware verification tests.
Update: see processes in [D103] through [D117].
Requirements from IEC 61508-2, Table B.2 that have been met by GE Energy include observance
of guidelines and standards, project management, documentation, structured design,
modularization, use of well-tried components, checklists, computer aided design tools and
inspection of the specification. This meets the requirements of SIL 3.

6.1.4 Validation
Validation Testing is done via a set of documented tests (see [D32]). The validation tests are
traceable to the Safety Requirements Specification [D29] in the validation test plan [D32]. In
addition to standard Test Specification Documents, third party testing may be included as part of
agency approvals. Procedures are in place for corrective actions to be taken when tests fail as
documented in [D25].
Update: see updated documents: V&V test plan [D123], SRS [D122], Defect Reporting [D104], and
SIL Coding Standard [D120]; updated safety case [D140] contains the complete set of validation
test results.

Requirements from IEC 61508-2, Table B.3 that have been met by GE Energy include functional
testing, project management, documentation, and black-box testing. Field experience and
statistical testing via regression testing are not applicable. [D49] documents in more detail how
each of these requirements has been met. This meets the requirements of SIL 3.
Requirements from IEC 61508-2, Table B.5 that have been met by GE Energy include functional
testing and functional testing under environmental conditions, interference surge immunity testing,
fault insertion testing, project management, documentation, static analysis, dynamic analysis,
failure analysis, expanded functional testing and black-box testing. [D49] documents in more detail
how each of these requirements has been met. This meets SIL 3.
Update: see updated safety case [D140].

6.1.5 Verification
The development and verification activities are defined in [D10]. Verification activities include the
following: Calculations for Functional Safety [D44], Code Review [D36] and [D37], Unit Testing
[D4], [D5], and [D35], Requirements Review [D42], Design Review [D38], FMEDA [D44], Static
Analysis using PC LINT [D31], and System FMEA [D41].
Update: see updated documents: FSM [D101], Calculations for Functional Safety [D136] and
[D137], Code Review [D126] and [D127], Module Testing [D125], Requirements Review [D141],
Design Review [D135], FMEDA Fault Injection Test [D138], Static Analysis using Coverity [D132].

6.1.6 Modifications
Modifications are done per GE Energy's IEC 61508 SIL 3 compliant development process as
documented in [D49]. All of the modifications made to the product since the previous certification
(see [D6]) were reviewed and found to be compliant with the GE Energy development process and
to IEC 61508. Consequently this meets the requirements of SIL 3.
Update: see FSM plan [D101]; see documented changes referenced in [D147], [D148], [D149].

6.1.7 User documentation


GE Energy created a Safety Manual for the Mark VIeS, see [D27]. This safety manual was
assessed by exida. The final version is considered to be in compliance with the requirements of
IEC 61508. The document includes all required reliability data and operations, maintenance, and
proof test procedures.
Update: see Safety Manual [D119]
Requirements from IEC 61508-2, Table B.4 that have been met by GE Energy include operation
and maintenance instructions, user friendliness, maintenance friendliness, documentation, and
limited operation possibilities. [D49] documents in more detail how each of these requirements
has been met. This meets the requirements for SIL 3.
Update: see FSM plan [D101]

6.2 Hardware Assessment
To evaluate the hardware design of the Mark VIeS, a Failure Modes, Effects, and Diagnostic
Analysis was performed by exida for each component in the system. This is documented in [D44]
and [D50].
Update: see FMEDA [D136] and [R4]
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system under consideration. An FMEDA (Failure Mode Effect
and Diagnostic Analysis) is an extension of the FMEA. It combines standard FMEA techniques with
extensions that identify online diagnostic techniques and the failure modes relevant to safety
instrumented system design.
In addition, a Markov model analysis ([D50]) was done for the Mark VIeS system based on the
failure rates from the FMEDA. This analysis involved creating Markov models of the failure
behavior of the system. These models, in combination with the failure rates from the FMEDA, can
be used to calculate the average probability of failure on demand (PFDavg) of the system based upon the
chosen system architecture, configuration and proof test interval. In addition, they can be used to
calculate the probability of a dangerous failure per hour (PFH) based on the chosen system
architecture and configuration. This Markov model has been made available in the exSILentia™
safety lifecycle engineering tool for those wishing to use this model to perform SIF calculations on
their particular system configuration.
For the default Markov Model calculation, a Safety Instrumented Function is assumed that
consists of 3 Analog Input signals, 2 Digital Input Signals, and 2 Digital Output signals.
Table 3 shows the results of the Markov model calculation for several configurations of the Mark
VIeS Safety Controller used in low demand mode applications for a proof test interval of 1, 2, and 3
years, assuming a perfect proof test. Table 4 shows the results of the Markov model calculation for
several configurations of the Mark VIeS Safety Controller used in high demand applications. Note
that in high demand applications proof tests are not effective, hence only a single PFH number is
calculated for the high demand mode scenarios. Both of these calculations were done based on a
safety instrumented function (SIF) consisting of 3 analog input signals, 2 digital input signals, and 2
digital output signals.
Update: see FMEDA [D136] and Markov Analysis [R4]

Table 3: Markov Analysis Results for GE Energy Mark VIeS System*, low demand applications
*for use with UCCC Controller

Configuration | PFDavg, PTI 1 yr | PFDavg, PTI 2 yr | PFDavg, PTI 3 yr | MTTFS [yrs], PTI 1 yr | MTTFS [yrs], PTI 2 yr | MTTFS [yrs], PTI 3 yr
Simplex 1oo1 | 2.70E-03 | 5.36E-03 | 8.02E-03 | 29.92 | 30.00 | 30.08
Dual 1oo2 | 9.14E-05 | 1.91E-04 | 3.01E-04 | 15.23 | 15.25 | 15.27
Dual 2oo2 | 3.45E-03 | 6.82E-03 | 1.02E-02 | 31.57 | 31.38 | 31.21
TMR 2oo3 | 1.01E-04 | 2.29E-04 | 3.82E-04 | 520.12 | 357.28 | 275.46

Update: Table 3a, Modified for use with UCSB Controller, based on calculations in “GEP 06-05-12
R003 v05 Mark VIeS Markov Model UCSB.xls”
Configuration | PFDavg, PTI 1 yr | PFDavg, PTI 2 yr | PFDavg, PTI 3 yr | MTTFS [yrs], PTI 1 yr | MTTFS [yrs], PTI 2 yr | MTTFS [yrs], PTI 3 yr
Simplex 1oo1 | 2.50E-03 | 4.97E-03 | 7.44E-03 | 27.34 | 27.41 | 27.48
Dual 1oo2 | 8.66E-05 | 1.80E-04 | 2.82E-04 | 13.91 | 13.92 | 13.94
Dual 2oo2 | 3.06E-03 | 6.08E-03 | 9.08E-03 | 31.62 | 31.55 | 31.48
TMR 2oo3 | 9.47E-05 | 2.12E-04 | 3.52E-04 | 610.36 | 456.5 | 367.54

Table 4: Markov Analysis Results for GE Energy Mark VIeS system*, high demand applications
*for use with UCCC Controller
Configuration | PFH [1/hr] | MTTFS [yrs]
Dual 1oo2 | 2.12E-08 | 7.37
TMR 2oo3 | 2.44E-08 | 253.31
Update: Table 4a, Modified for use with UCSB Controller, based on calculations in “GEP 06-05-12
R003 v05 Mark VIeS Markov Model UCSB.xls”
Configuration | PFH [1/hr] | MTTFS [yrs]
Dual 1oo2 | 2.00E-08 | 7.06
TMR 2oo3 | 2.27E-08 | 312.84
The analysis shows that the design of the Mark VIeS (not including the YVIB Vibration
Subsystem) meets the hardware requirements of IEC 61508 SIL 2 for random failures and
HFT=0, and SIL 3 for random failures and HFT=1.

The analysis also shows that the design of the YVIB Vibration Detection Subsystem meets
the hardware requirements of IEC 61508 SIL 1 for random failures and HFT=0, and SIL 2 for
random failures and HFT=1.
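As an added illustration (not part of the exida report or of GE's tooling), the script below reads the Table 3 and Table 4 values for the UCCC controller against the IEC 61508-1 PFDavg and PFH target bands, applies the HFT-based SIL caps stated in section 5.2, and fits the proof test interval trend of the 1oo1 row with the simplified IEC 61508-6 form PFDavg ≈ λDU·PTI/2 + constant. The linear fit is an assumption standing in for the report's Markov model; the HFT assignment per configuration is also assumed.

```python
"""Reading the report's Markov results against IEC 61508 target bands.

Table values are copied from Tables 3 and 4 of the report (UCCC controller).
The SIL-vs-HFT caps are the ones the assessment states in section 5.2.
The linear PTI fit is a simplification, not the report's Markov model."""

# IEC 61508-1 target failure measures: SIL -> (lower inclusive, upper exclusive)
PFDAVG_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Architectural constraint as stated in this assessment: HFT=0 -> SIL 2, HFT=1 -> SIL 3.
SIL_CAP_BY_HFT = {0: 2, 1: 3}
# Assumed HFT of each voting configuration (not stated explicitly in the report).
HFT_BY_CONFIG = {"Simplex 1oo1": 0, "Dual 1oo2": 1, "Dual 2oo2": 0, "TMR 2oo3": 1}

# Table 3 (low demand, UCCC): PFDavg keyed by proof test interval in years.
TABLE3_PFDAVG = {
    "Simplex 1oo1": {1: 2.70e-3, 2: 5.36e-3, 3: 8.02e-3},
    "Dual 1oo2":    {1: 9.14e-5, 2: 1.91e-4, 3: 3.01e-4},
    "Dual 2oo2":    {1: 3.45e-3, 2: 6.82e-3, 3: 1.02e-2},
    "TMR 2oo3":     {1: 1.01e-4, 2: 2.29e-4, 3: 3.82e-4},
}
# Table 4 (high demand, UCCC): PFH in 1/h.
TABLE4_PFH = {"Dual 1oo2": 2.12e-8, "TMR 2oo3": 2.44e-8}

HOURS_PER_YEAR = 8760.0


def _band(value, bands):
    """Return the SIL whose band contains value, or 0 if outside all bands."""
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return 0


def sil_from_pfdavg(pfdavg):
    return _band(pfdavg, PFDAVG_BANDS)


def sil_from_pfh(pfh):
    return _band(pfh, PFH_BANDS)


def claimable_sil(measure_sil, hft):
    """The claim is the lower of the failure-measure band and the HFT cap."""
    return min(measure_sil, SIL_CAP_BY_HFT[hft])


def summarize_low_demand(pti_years):
    """Claimable SIL per configuration at one proof test interval (Table 3)."""
    return {cfg: claimable_sil(sil_from_pfdavg(vals[pti_years]), HFT_BY_CONFIG[cfg])
            for cfg, vals in TABLE3_PFDAVG.items()}


def fit_pti_trend(pfd_by_pti):
    """Fit PFDavg ~= a + b*PTI through the 1 yr and 2 yr points.

    With PFDavg ~= lambda_DU * PTI / 2 for the PTI-dependent part, the slope b
    (per year) gives an equivalent lambda_DU.  Returns (a, b, lambda_DU in FIT)."""
    b = pfd_by_pti[2] - pfd_by_pti[1]
    a = pfd_by_pti[1] - b
    lambda_du_per_hour = 2.0 * b / HOURS_PER_YEAR
    return a, b, lambda_du_per_hour * 1e9


def predict_pfdavg(pfd_by_pti, pti_years):
    """Extrapolate the fitted trend; compare against the 3 yr column of Table 3."""
    a, b, _ = fit_pti_trend(pfd_by_pti)
    return a + b * pti_years


if __name__ == "__main__":
    print(summarize_low_demand(1))
    print(fit_pti_trend(TABLE3_PFDAVG["Simplex 1oo1"]))
    print(predict_pfdavg(TABLE3_PFDAVG["Simplex 1oo1"], 3))
```

Note that the 1oo2 row lands numerically in the SIL 4 band, yet the claim stays at SIL 3 because the HFT=1 cap, not the PFDavg figure, is the binding constraint; the 3 yr extrapolation of the 1oo1 fit reproduces the table's 8.02E-03.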

7 Results of the EN 50402:2005 + A1:2008 Functional Safety Assessment
exida assessed the Mark VIeS Safety Controller and its components per EN 50402:2005 +
A1:2008. As this standard is a subset of IEC 61508, all requirements are fulfilled with the
exception, for SIL 3 applications, of a restriction in hardware architecture that requires redundant
controllers with comparison. The Mark VIeS Safety Controller meets this requirement in its 1oo2
and 2oo3 architecture options.

8 Terms and Definitions
Fault tolerance: Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT: Failure In Time (1x10^-9 failures per hour)
FMEDA: Failure Mode Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.
PFDavg: Average Probability of Failure on Demand
PFH: Probability of dangerous Failure per Hour
PTI: Proof Test Interval
SFF: Safe Failure Fraction; summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System; implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
HART: Highway Addressable Remote Transducer
AI: Analog Input
AO: Analog Output
DI: Digital Input
DO: Digital Output
Type A (sub)system: "Non-Complex" (sub)system (using discrete elements); for details see 7.4.3.1.2 of IEC 61508-2
Type B (sub)system: "Complex" (sub)system (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2

9 Status of the document
9.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are
obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use
of these numbers or for the correctness of the standards on which the general calculation methods
are based.

9.2 Releases
Version: V1
Revision: R6
Version History:
- V1, R6: updated to clarify SIL3/SIL2 redundancy constraints.
- V1, R5: updated to update table of contents.
- V1, R4: updated to add Heartbeat Block and EN50402 assessment, Q12/05-048r1, 18 Oct 2012
- V1, R3: updated for TPRO, Q12/05-074, 26 June 2012
- V1, R2: updated for UCSB, Sep 11, 2011
- V1, R1: updated based on review, June 30, 2008
Authors:
- V1, R1: Michael Medoff
- V1, R2: John Yozallinas
- V1, R3: Griff Francis
- V1, R4: Dave Butler
Review:
- V1, R2: Dr. William M. Goble; Sep 2011
- V1, R4: Dr. William M. Goble; Nov 2012
- V1, R6: Dr. William M. Goble; Feb 2013
Release status: released to client

9.3 Future Enhancements


At the request of the client.

9.4 Release Signatures

Dave Butler, Safety Engineer

Dr. William M. Goble, Principal Partner
