Failure Modes, Effects and Diagnostic Analysis

Project: Eclipse Model 706 Level Transmitter
Company: Magnetrol International, Downers Grove, IL USA
Contract Number: Q11/07-016
Report No.: MAG 11/07-016 R001
Version V1, Revision R1, 16 October 2012
Griff Francis

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

Management Summary

This report summarizes the results of the hardware assessment in the form of a Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the Eclipse Model 706 Level Transmitter. The hardware version is defined by the assembly drawings in section 2.5.1. The software version was 0.8d0.

A Failure Modes, Effects, and Diagnostic Analysis is one of the steps to be taken to achieve functional safety certification per IEC 61508 of a device. From the FMEDA, failure rates and Safe Failure Fraction are determined. The FMEDA that is described in this report concerns only the hardware of the Model 706-511*-***. For full functional safety certification purposes all requirements of IEC 61508 must be considered.

The Model 706-511*-*** is a loop-powered, 24 VDC level transmitter, based on Guided Wave Radar (GWR) technology. For safety instrumented systems usage it is assumed that the 4 – 20 mA output is used as the primary safety variable. The analog output meets NAMUR NE 43 (3.8 mA to 20.5 mA usable). The transmitter contains self-diagnostics and is programmed to send its output to a specified failure state, either low or high, upon internal detection of a failure (output state is programmable). The device can be equipped with or without display.

Table 1 gives an overview of the different versions that were considered in the FMEDA of the Model 706-511*-***.
Table 1 Version Overview

Option 1    Model 706-511*-***

The Model 706-511*-*** is classified as a Type B¹ element according to IEC 61508, having a hardware fault tolerance of 0. The analysis shows that the device has a Safe Failure Fraction between 90% and 99% (assuming that the logic solver is programmed to detect over-scale and under-scale currents) and therefore meets hardware architectural constraints for up to SIL 2 as a single device. The failure rates for the Model 706-511*-*** are listed in Table 2.

¹ Type B element: “Complex” element (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2, ed2, 2010.

© exida T-001 V6,R2 MAG 11-07-016 R001 V1 R1 FMEDA Eclipse 706 Page 2 of 23

Table 2 Failure rates Model 706-511*-***

Failure Category                                          Failure Rate (FIT)
Fail Safe Undetected                                      78
Fail Dangerous Detected                                   728
    Fail Detected (detected by internal diagnostics)      571
    Fail High (detected by logic solver)                  73
    Fail Low (detected by logic solver)                   84
Fail Dangerous Undetected                                 61
No Effect                                                 455
Annunciation Detected                                     8
Annunciation Undetected                                   29

In addition to the failure rates listed above, the external leakage failure rate of the Model 706-511*-*** is 2 FIT. External leakage failure rates do not directly contribute to the reliability of the transmitter, but should be reviewed for secondary safety and environmental issues.

These failure rates are valid for the useful lifetime of the product, see Appendix A. The failure rates listed in this report do not include failures due to wear-out of any components. They reflect random failures and include failures due to external events, such as unexpected use, see section 4.2.2.

Table 3 lists the failure rates for the Model 706-511*-*** according to IEC 61508, ed2, 2010.
Table 3 Failure rates according to IEC 61508 in FIT

Device                λSD    λSU²    λDD    λDU    SFF
Model 706-511*-***    0      78      728    61     93.0%

A user of the Model 706-511*-*** can utilize these failure rates in a probabilistic model of a safety instrumented function (SIF) to determine suitability in part for safety instrumented system (SIS) usage in a particular safety integrity level (SIL). A full table of failure rates is presented in section 4.4 along with all assumptions.

² It is important to realize that the No Effect failures are no longer included in the Safe Undetected failure category according to IEC 61508, ed2, 2010.

Table of Contents

Management Summary ..... 2
1 Purpose and Scope ..... 5
2 Project Management ..... 6
2.1 exida ..... 6
2.2 Roles of the parties involved ..... 6
2.3 Standards and Literature used ..... 6
2.4 exida Tools Used ..... 7
2.5 Reference documents ..... 7
2.5.1 Documentation provided by Magnetrol International ..... 7
2.5.2 Documentation generated by exida ..... 8
3 Product Description ..... 9
4 Failure Modes, Effects, and Diagnostic Analysis ..... 10
4.1 Failure categories description ..... 10
4.2 Methodology – FMEDA, Failure Rates ..... 11
4.2.1 FMEDA ..... 11
4.2.2 Failure Rates ..... 11
4.3 Assumptions ..... 12
4.4 Results ..... 12
5 Using the FMEDA Results ..... 14
5.1 PFDAVG calculation Model 706-511*-*** ..... 14
6 Terms and Definitions ..... 16
7 Status of the Document ..... 17
7.1 Liability ..... 17
7.2 Releases ..... 17
7.3 Future Enhancements ..... 17
7.4 Release Signatures ..... 18
Appendix A Lifetime of Critical Components ..... 19
Appendix B Proof tests to reveal dangerous undetected faults ..... 20
B.1 Suggested Proof Test ..... 20
Appendix C exida Environmental Profiles ..... 23

1 Purpose and Scope

This document shall describe the results of the hardware assessment in the form of the Failure Modes, Effects and Diagnostic Analysis carried out on the Model 706-511*-***. From this, failure rates, Safe Failure Fraction (SFF) and example PFDAVG values may be calculated.

The information in this report can be used to evaluate whether a sensor subsystem meets the average Probability of Failure on Demand (PFDAVG) requirements and, if applicable, the architectural constraints / minimum hardware fault tolerance requirements per IEC 61508 / IEC 61511. An FMEDA is part of the effort needed to achieve full certification per IEC 61508 or other relevant functional safety standard.

2 Project Management

2.1 exida

exida is one of the world’s leading accredited Certification Bodies and knowledge companies specializing in automation system safety and availability with over 300 years of cumulative experience in functional safety. Founded by several of the world’s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world.
exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved

Magnetrol International    Manufacturer of the Model 706-511*-***
exida                      Performed the hardware assessment

Magnetrol International contracted exida in July 2011 with the hardware assessment of the above-mentioned device.

2.3 Standards and Literature used

The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508-2: ed2, 2010
     Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
[N2] Electrical & Mechanical Component Reliability Handbook, 2nd Edition, 2008
     exida LLC, Electrical & Mechanical Component Reliability Handbook, Second Edition, 2008, ISBN 978-0-97272346-6
[N3] EMCR Handbook, 2011 Update
     exida LLC, Electrical & Mechanical Component Reliability Handbook, 2011 Update
[N4] Safety Equipment Reliability Handbook, 3rd Edition, 2007
     exida LLC, Safety Equipment Reliability Handbook, Third Edition, 2007, ISBN 978-0-9727234-9-7
[N5] Goble, W.M. 1998
     Control Systems Safety Evaluation and Reliability, ISA, ISBN 1-55617-636-8. Reference on FMEDA methods
[N6] IEC 60654-1:1993-02, second edition
     Industrial-process measurement and control equipment – Operating conditions – Part 1: Climatic condition
[N7] O’Brien, C. & Bredemeyer, L., 2009
     exida LLC., Final Elements & the IEC 61508 and IEC Functional Safety Standards, 2009, ISBN 978-1-993497701-9

2.4 exida Tools Used

[T1] Tool Version 7.1.17      FMEDA Tool
[T2] Tool Version 3.0.3.712   exSILentia

2.5 Reference documents

2.5.1 Documentation provided by Magnetrol International

[D1]  706 Theory of Operation for FMEDA.pdf, 27 July 2012
      Theory of operation Eclipse Model 706 Guided Wave Radar Level Transmitter
[D2]  Model 706 Diagnostic Indicator Test Procedures, Rev A, 3 Jan 2012
      Model 706 Diagnostic Indicator Test Plan (includes descriptions of diagnostics)
[D3]  Model 706 TOF Diagnostics Test Plan.pdf, 16 Jul 2012
      Model 706 TOF Diagnostics Test Plan
[D4]  094-6067, Rev E, June 2012
      Schematic, ECLIPSE 4X DIGITAL BOARD
[D5]  094-6068, Rev E, May 2012
      Schematic, ANALOG BOARD "ECLIPSE 706" (SWEEP GENERATOR)
[D6]  094-6070, Rev B, Nov 2011
      Schematic, DISPLAY BOARD "ECLIPSE 706"
[D7]  094-6073, Rev C, March 2012
      Schematic, WIRING BOARD "ECLIPSE 706"
[D8]  030-9159, Rev E, June 2012
      Assembly and BOM, DIGITAL PC BOARD
[D9]  030-9160, Rev F, March 2012
      Assembly and BOM, ANALOG PC BOARD
[D10] 030-9165, Rev B, Nov 2011
      Assembly and BOM, WIRING BOARD
[D11] 7Y7-XXXX, Rev B, 8 May 2012
      Assembly and BOM, PROBE DUAL CONDUCTOR FLEXIBLE CABLE TWIN ROD
[D12] 706-Digital-Board-RevEJULY-2012.efm, 27 July 2012
      FMEDA, Digital Board
[D13] Eclipse4X-Analog-Board Rev F fault injection testing 10_5_12.efm, 1 October 2012
      FMEDA, Analog Board after fault injection testing
[D14] Model 706 Wiring Board07272012.efm, 27 July 2012
      FMEDA, Wiring Board
[D15] Eclipse_706_Housing.efm, 2 July 2012
      FMEDA, Housing
[D16] Eclipse4X-7Y7-Probe.efm, 2 July 2012
      FMEDA, Probe
[D17] Model_Model706_SIL_Summary07-27-2012.xls, 27 July 2012
      FMEDA, Summary
[D18] HousingDocuments.pdf, 13 Jul 2012
      Assembly drawings for housing components with markings to show components included in FMEDA
[D19] ProbeDocuments.pdf, 13 Jul 2012
      Assembly drawings for probe components with markings to show components included in FMEDA
[D20] Fault injection testing schematics 10_5_12.pdf
      Fault injection points and results on Analog Board
[D21] Proof test for Model 706.pdf, 13 July 2012
      DRAFT of PROOF TEST FOR MODEL 706-51XX-XXX

2.5.2 Documentation generated by exida

[R1] 706-Digital-Board-RevE10Oct2012_WGF_PTC.efm, 11 Oct 2012
     FMEDA with Proof Test Coverage and adjustments, Digital Board
[R2] Eclipse4X-Analog-Board Rev F fault injection testing 10Oct2012_WGF_PTC.efm, 10 Oct 2012
     FMEDA with Proof Test Coverage and adjustments, Analog Board
[R3] Model 706 Wiring Board07272012_PTC.efm
     FMEDA with Proof Test Coverage and adjustments, Wiring Board
[R4] Eclipse_706_Housing_PTC.efm, 11 Oct 2012
     FMEDA with Proof Test Coverage and adjustments, Housing
[R5] Eclipse4X-7Y7Probe_PTC.efm, 11 Oct 2012
     FMEDA with Proof Test Coverage and adjustments, Probe
[R6] Model_Model706_SIL_Summary10Oct2012_WGF.xlsx, 11 Oct 2012
     FMEDA Summary with Proof Test Coverage and adjustments
[R7] MAG 11-07-016 R001 V1 R1 FMEDA Eclipse 706, 16 Oct 2012
     FMEDA report, Model 706-511*-*** (this report)

3 Product Description

The Model 706-511*-*** is a loop-powered, 24 VDC level transmitter, based on Guided Wave Radar (GWR) technology. For safety instrumented systems usage it is assumed that the 4 – 20 mA output is used as the primary safety variable. The analog output meets NAMUR NE 43 (3.8 mA to 20.5 mA usable). The transmitter contains self-diagnostics and is programmed to send its output to a specified failure state, either low or high, upon internal detection of a failure (output state is programmable). The device can be equipped with or without display.
[Figure 1 Model 706-511*-***, Parts included in the FMEDA. Block diagram: Probe, Signal Conditioning, Microprocessor, User Interface, Output Current / Power Supply; outputs: proportional 4 to 20 mA PV output and HART (optional); the FMEDA extent is marked on the diagram.]

Guided Wave Radar is based upon the principle of TDR (Time Domain Reflectometry). TDR utilizes pulses of electromagnetic energy transmitted down a probe. When a pulse reaches a surface that has a higher dielectric than the air/vapor in which it is traveling, the pulse is reflected. An ultra high-speed timing circuit precisely measures the transit time and provides an accurate level measurement.

The Guided Wave Radar (GWR) probe must match the application. The probe configuration establishes fundamental performance characteristics. Coaxial, twin element (rod or cable), and single element (rod or cable) are the three basic configurations.

Table 4 gives an overview of the different versions that were considered in the FMEDA of the Model 706-511*-***.

Table 4 Version Overview

Option 1    Model 706-511*-***

The Model 706-511*-*** is classified as a Type B³ element according to IEC 61508, having a hardware fault tolerance of 0.

³ Type B element: “Complex” element (using micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2, ed2, 2010.

4 Failure Modes, Effects, and Diagnostic Analysis

The Failure Modes, Effects, and Diagnostic Analysis as performed is based on the documentation obtained from Magnetrol International, see section 2.5.1. When the effect of a certain failure mode could not be analyzed theoretically, the failure modes were introduced on component level and the effects of these failure modes were examined on system level, see Fault Injection Test Results [D20].

4.1 Failure categories description

In order to judge the failure behavior of the Model 706-511*-***, the following definitions for the failure of the device were considered.
Fail-Safe State
    State where the output exceeds the user defined threshold.
Fail Safe
    Failure that causes the device to go to the defined fail-safe state without a demand from the process.
Fail Detected
    Failure that causes the output signal to go to the predefined alarm state.
Fail Dangerous
    Failure that deviates the measured input state or the actual output by more than 2% of span and that leaves the output within active scale.
Fail Dangerous Undetected
    Failure that is dangerous and that is not being diagnosed by automatic diagnostics.
Fail Dangerous Detected
    Failure that is dangerous but is detected by automatic diagnostics.
Fail High
    Failure that causes the output signal to go to the over-range or high alarm output current (> 21 mA).
Fail Low
    Failure that causes the output signal to go to the under-range or low alarm output current (< 3.6 mA).
No Effect
    Failure of a component that is part of the safety function but that has no effect on the safety function.
Annunciation Detected
    Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) and that is detected by internal diagnostics. A Fail Annunciation Detected failure leads to a false diagnostic alarm.
Annunciation Undetected
    Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) and that is not detected by internal diagnostics.
External Leakage
    Failure that causes process fluids to leak outside of the transmitter; External Leakage is not considered part of the safety function and therefore this failure rate is not included in the Safe Failure Fraction calculation.

The failure categories listed above expand on the categories listed in IEC 61508 which are only safe and dangerous, both detected and undetected. In IEC 61508, Edition 2010, the No Effect failures cannot contribute to the failure rate of the safety function. Therefore they are not used for the Safe Failure Fraction calculation needed when Route 2H failure data is not available.

Depending on the application, a Fail High or a Fail Low failure can either be safe or dangerous and may be detected or undetected depending on the programming of the logic solver. Consequently, during a Safety Integrity Level (SIL) verification assessment the Fail High and Fail Low failure categories need to be classified as safe or dangerous, detected or undetected.

The Annunciation failures are provided for those who wish to do reliability modeling more detailed than required by IEC 61508. It is assumed that the probability model will correctly account for the Annunciation failures. Otherwise the Annunciation Undetected failures have to be classified as Dangerous Undetected failures according to IEC 61508 (worst-case assumption).

External leakage failure rates do not directly contribute to the reliability of a component but should be reviewed for secondary safety and environmental issues.

4.2 Methodology – FMEDA, Failure Rates

4.2.1 FMEDA

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. A FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with the extension to identify automatic diagnostic techniques and the failure modes relevant to safety instrumented system design. It is a technique recommended to generate failure rates for each important category (safe detected, safe undetected, dangerous detected, dangerous undetected, fail high, fail low, etc.) in the safety models. The format for the FMEDA is an extension of the standard FMEA format from MIL STD 1629A, Failure Modes and Effects Analysis.
4.2.2 Failure Rates

The failure rate data used by exida in this FMEDA is from the Electrical and Mechanical Component Reliability Handbook [N2] which was derived using over ten billion unit operational hours of field failure data from multiple sources and failure data from various databases. The rates were chosen in a way that is appropriate for safety integrity level verification calculations. The rates were chosen to match exida Profile 2, see Appendix C. It is expected that the actual number of field failures due to random events will be less than the number predicted by these failure rates.

For hardware assessment according to IEC 61508 only random equipment failures are of interest. It is assumed that the equipment has been properly selected for the application and is adequately commissioned such that early life failures (infant mortality) may be excluded from the analysis. Failures caused by external events however should be considered as random failures. Examples of such failures are loss of power, physical abuse, or problems due to intermittent instrument air quality.

The assumption is also made that the equipment is maintained per the requirements of IEC 61508 or IEC 61511 and therefore a preventative maintenance program is in place to replace equipment before the end of its “useful life”.

The user of these numbers is responsible for determining their applicability to any particular environment. Accurate plant specific data may be used for this purpose. If a user has data collected from a good proof test reporting system such as exida SILStat™ that indicates higher failure rates, the higher numbers shall be used. Some industrial plant sites have high levels of stress. Under those conditions the failure rate data is adjusted to a higher value to account for the specific conditions of the plant.
4.3 Assumptions

The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis of the Model 706-511*-***.

• Only a single component failure will fail the entire Model 706-511*-***.
• Failure rates are constant, wear-out mechanisms are not included.
• Propagation of failures is not relevant.
• All components that are not part of the safety function and cannot influence the safety function (feedback immune) are excluded.
• The stress levels are average for an industrial environment and can be compared to the exida Profile 2 with temperature limits within the manufacturer’s rating. Other environmental characteristics are assumed to be within manufacturer’s rating.
• Practical fault insertion tests can demonstrate the correctness of the failure effects assumed during the FMEDA and the diagnostic coverage provided by the automatic diagnostics.
• The HART protocol is only used for setup, calibration, and diagnostics purposes, not for safety critical operation.
• The application program in the logic solver is constructed in such a way that Fail High and Fail Low failures are detected regardless of the effect, safe or dangerous, on the safety function.
• Materials are compatible with process conditions.
• The device is installed per manufacturer’s instructions.
• External power supply failure rates are not included.
• Worst-case internal fault detection time is 15 seconds.

4.4 Results

Using reliability data extracted from the exida Electrical and Mechanical Component Reliability Handbook the following failure rates resulted from the Model 706-511*-*** FMEDA.
Table 5 Failure rates Model 706-511*-***

Failure Category                                          Failure Rate (FIT)
Fail Safe Undetected                                      78
Fail Dangerous Detected                                   728
    Fail Detected (detected by internal diagnostics)      571
    Fail High (detected by logic solver)                  73
    Fail Low (detected by logic solver)                   84
Fail Dangerous Undetected                                 61
No Effect                                                 455
Annunciation Detected                                     8
Annunciation Undetected                                   29

In addition to the failure rates listed above, the external leakage failure rate of the Model 706-511*-*** is 2 FIT. External leakage failure rates do not directly contribute to the reliability of the transmitter but should be reviewed for secondary safety and environmental issues.

These failure rates are valid for the useful lifetime of the product, see Appendix A.

Table 6 lists the failure rates for the Model 706-511*-*** according to IEC 61508.

According to IEC 61508 [N1], the Safe Failure Fraction of a (sub)system should be determined. However, as the Model 706-511*-*** is only one part of a (sub)system, the SFF should be calculated for the entire sensor / logic / final element combination. The Safe Failure Fraction is the fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault. This is reflected in the following formulas for SFF:

    SFF = 1 - λDU / λTOTAL

    where λTOTAL = λSD + λSU + λDD + λDU

Table 6 Failure rates according to IEC 61508 in FIT

Device                λSD    λSU⁴    λDD    λDU    SFF
Model 706-511*-***    0      78      728    61     93.0%

The architectural constraint type for the Model 706-511*-*** is B. The hardware fault tolerance of the device is 0. The SFF and required SIL determine the level of hardware fault tolerance that is required per requirements of IEC 61508 [N1] or IEC 61511. The SIS designer is responsible for meeting other requirements of applicable standards for any given SIL as well.
⁴ It is important to realize that the No Effect failures are no longer included in the Safe Undetected failure category according to IEC 61508, ed2, 2010.

5 Using the FMEDA Results

The following section(s) describe how to apply the results of the FMEDA.

5.1 PFDAVG calculation Model 706-511*-***

An average Probability of Failure on Demand (PFDAVG) calculation is performed for a single (1oo1) Model 706-511*-*** with exida’s exSILentia tool. The failure rate data used in this calculation is displayed in section 4.4. A mission time of 10 years has been assumed and a Mean Time To Restoration of 24 hours. Table 7 lists the proof test coverage (see Appendix B) used as well as the results when the proof test interval equals 1 year.

Table 7 Sample PFDAVG Results

Device                Proof Test Coverage    PFDAVG      % of SIL 2 Range
Model 706-511*-***    84%                    6.67E-04    6.7%

The resulting PFDAVG graph generated from the exSILentia tool for a proof test interval of 1 year is displayed in Figure 2.

[Figure 2 PFDAVG value for a single Model 706-511*-*** with proof test intervals of 1 year.]

It is the responsibility of the Safety Instrumented Function designer to do calculations for the entire SIF. exida recommends the accurate Markov based exSILentia tool for this purpose.

For SIL 2 applications, the PFDAVG value needs to be ≥ 10⁻³ and < 10⁻². This means that for a SIL 2 application, the PFDAVG for a 1-year Proof Test Interval of the Model 706-511*-*** is approximately equal to 6.7% of the range.

These results must be considered in combination with PFDAVG values of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL).
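As a worked example added here (not part of the exida report or the exSILentia tool), the following Python aggregates the Table 5 failure rates into the IEC 61508 categories of Table 6, evaluates the SFF and the Route 1H architectural constraint for a Type B element with HFT 0 (IEC 61508-2 ed2, Table 3), and reproduces the Table 7 PFDAVG to within a few tenths of a percent using a simplified closed-form 1oo1 expression. The closed-form PFDAVG formula and all function names are assumptions of this example, not the Markov model the report recommends.

```python
"""Worked example: SFF and a PFDavg approximation for the Model 706-511*-*** FMEDA results.

Failure rates are the FIT values from Table 5 / Table 6 of the report
(1 FIT = 1e-9 failures per hour). The PFDavg closed-form expression is a
simplified textbook approximation assumed here, not the Markov model of the
exSILentia tool the report actually used.
"""
from dataclasses import dataclass

FIT = 1e-9               # failures per hour
HOURS_PER_YEAR = 8760.0

# Table 5, Failure rates Model 706-511*-*** (FIT)
TABLE_5 = {
    "fail_safe_undetected": 78,
    "fail_detected_internal": 571,       # detected by internal diagnostics
    "fail_high": 73,                     # detected by logic solver
    "fail_low": 84,                      # detected by logic solver
    "fail_dangerous_undetected": 61,
    "no_effect": 455,                    # excluded from SFF per IEC 61508 ed2
    "annunciation_detected": 8,
    "annunciation_undetected": 29,
}


@dataclass(frozen=True)
class Iec61508Rates:
    """Failure rates (FIT) in the four IEC 61508 categories of Table 6."""
    sd: float
    su: float
    dd: float
    du: float

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        # SFF = 1 - λDU / λTOTAL (section 4.4 of the report)
        return 1.0 - self.du / self.total


def to_iec61508(t5: dict, annunciation_modelled: bool = True) -> Iec61508Rates:
    """Map the Table 5 categories onto λSD / λSU / λDD / λDU.

    Per the report's assumptions: the logic solver detects Fail High and
    Fail Low currents, so both are Dangerous Detected; No Effect failures are
    excluded; Annunciation Undetected failures are added to DU only when the
    probabilistic model does not account for them (the worst-case rule of 4.1).
    """
    dd = t5["fail_detected_internal"] + t5["fail_high"] + t5["fail_low"]
    du = t5["fail_dangerous_undetected"]
    if not annunciation_modelled:
        du += t5["annunciation_undetected"]
    return Iec61508Rates(sd=0.0, su=t5["fail_safe_undetected"], dd=dd, du=du)


def max_sil_route_1h_type_b_hft0(sff: float) -> int:
    """Highest SIL allowed by the architectural constraint (IEC 61508-2 ed2,
    Table 3, Route 1H) for a Type B element with hardware fault tolerance 0.
    Returns 0 when SFF is below 60 %, where no SIL can be claimed."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def pfd_avg_1oo1(rates: Iec61508Rates, proof_test_coverage: float,
                 proof_test_interval_years: float, mission_time_years: float,
                 mttr_hours: float) -> float:
    """Simplified 1oo1 PFDavg (assumed approximation, not the exSILentia model).

    DU failures the proof test reveals are exposed for half the proof test
    interval on average; DU failures it misses stay hidden until the end of
    the mission time; DD failures are exposed for the repair time.
    """
    l_du = rates.du * FIT
    l_dd = rates.dd * FIT
    ti = proof_test_interval_years * HOURS_PER_YEAR
    mt = mission_time_years * HOURS_PER_YEAR
    return (l_du * proof_test_coverage * ti / 2
            + l_du * (1.0 - proof_test_coverage) * mt / 2
            + l_dd * mttr_hours)


def percent_of_sil2_range(pfd: float) -> float:
    """PFDavg as a percentage of the SIL 2 upper limit (10^-2), the
    '% of SIL 2 Range' figure of Table 7."""
    return 100.0 * pfd / 1e-2


if __name__ == "__main__":
    rates = to_iec61508(TABLE_5)
    print(f"λSD={rates.sd:.0f} λSU={rates.su:.0f} λDD={rates.dd:.0f} λDU={rates.du:.0f} FIT")
    print(f"SFF = {rates.sff:.1%}, architectural constraint: up to SIL "
          f"{max_sil_route_1h_type_b_hft0(rates.sff)}")
    # Table 7 parameters: PTC 84 %, proof test interval 1 year, mission time 10 years, MTTR 24 h
    pfd = pfd_avg_1oo1(rates, 0.84, 1.0, 10.0, 24.0)
    print(f"PFDavg ≈ {pfd:.2E} ({percent_of_sil2_range(pfd):.1f} % of the SIL 2 range)")
```

Running it reproduces λDD = 728 FIT, SFF = 93.0 % and a PFDAVG of about 6.69E-04, close to the 6.67E-04 of Table 7; the residual difference is the Markov model's treatment of repair and mission time.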
6 Terms and Definitions

FIT
    Failure In Time (1×10⁻⁹ failures per hour)
FMEDA
    Failure Mode Effect and Diagnostic Analysis
HFT
    Hardware Fault Tolerance
Low demand mode
    Mode where the demand interval for operation made on a safety-related system is greater than twice the proof test interval.
Automatic Diagnostics
    Tests performed on line internally by the device or, if specified, externally by another device without manual intervention.
PFDAVG
    Average Probability of Failure on Demand
SFF
    Safe Failure Fraction summarizes the fraction of failures which lead to a safe state plus the fraction of failures which will be detected by automatic diagnostic measures and lead to a defined safety action.
SIF
    Safety Instrumented Function
SIL
    Safety Integrity Level
SIS
    Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Type A element
    “Non-Complex” element (using discrete components); for details see 7.4.4.1.2 of IEC 61508-2
Type B element
    “Complex” element (using complex components such as micro controllers or programmable logic); for details see 7.4.4.1.3 of IEC 61508-2

7 Status of the Document

7.1 Liability

exida prepares FMEDA reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based.

Due to future potential changes in the standards, best available information and best practices, the current FMEDA results presented in this report may not be fully consistent with results that would be presented for the identical product at some future time.
As a leader in the functional safety market place, exida is actively involved in evolving best practices prior to official release of updated standards so that our reports effectively anticipate any known changes. In addition, most changes are anticipated to be incremental in nature and results reported within the previous three year period should be sufficient for current usage without significant question.

Most products also tend to undergo incremental changes over time. If an exida FMEDA has not been updated within the last three years and the exact results are critical to the SIL verification you may wish to contact the product vendor to verify the current validity of the results.

7.2 Releases

Version: V1
Revision: R1
Version History:
    V1, R1: Released to Magnetrol International; 16 Oct 2012
    V0, R3: Changed per comments from 16 Oct 2012 e-mail
    V0, R2: Changed as the result of exida review and discussion with customer; 15 Oct 2012
    V0, R1: Draft; 12 Oct 2012
Author(s): Griff Francis
Review:
    V0, R2: John Benway (Magnetrol International); 16 Oct 2012
    V0, R1: William Goble (exida); 12 Oct 2012
Release Status: Released to Magnetrol International

7.3 Future Enhancements

At request of client.

7.4 Release Signatures

Dr. William M. Goble, Principal Partner
Griff Francis, Senior Safety Engineer

Appendix A Lifetime of Critical Components

According to section 7.4.9.5 of IEC 61508-2, a useful lifetime, based on experience, should be assumed.

Although a constant failure rate is assumed by the probabilistic estimation method (see section 4.2.2) this only applies provided that the useful lifetime⁵ of components is not exceeded. Beyond their useful lifetime the result of the probabilistic calculation method is therefore meaningless, as the probability of failure significantly increases with time.
The useful lifetime is highly dependent on the subsystem itself and its operating conditions.

This assumption of a constant failure rate is based on the bathtub curve. Therefore it is obvious that the PFDAVG calculation is only valid for components that have this constant domain and that the validity of the calculation is limited to the useful lifetime of each component.

It is the responsibility of the end user to maintain and operate the Model 706-511*-*** per manufacturer’s instructions. Furthermore regular inspection should show that all components are clean and free from damage.

When plant experience indicates a shorter useful lifetime than indicated in this appendix, the number based on plant experience should be used.

⁵ Useful lifetime is a reliability engineering term that describes the operational time interval where the failure rate of a device is relatively constant. It is not a term which covers product obsolescence, warranty, or other commercial issues.

Appendix B Proof tests to reveal dangerous undetected faults

According to section 7.4.5.2 f) of IEC 61508-2 proof tests shall be undertaken to reveal dangerous faults which are undetected by automatic diagnostic tests. This means that it is necessary to specify how dangerous undetected faults which have been noted during the Failure Modes, Effects, and Diagnostic Analysis can be detected during proof testing.

B.1 Suggested Proof Test

The suggested proof test described in Table 8 will detect 84% of the possible DU failures that remain after taking into account automatic diagnostics. The suggested proof test in combination with automatic diagnostics will detect 98% of possible DU failures in the Model 706-511*-***.

The suggested transmitter proof test consists of setting the output to the min and max, and a calibration check, see Table 8.
Table 8 Suggested Proof Test

Step 1. Bypass the PLC or take other action to avoid a false trip.

Step 2. Inspect the Unit in detail, outside and inside, for physical damage or evidence of environmental or process leaks.
a) Inspect the exterior of the Unit housing. If there is any evidence of physical damage that may impact the integrity of the housing and the environmental protection, the unit should be repaired or replaced.
b) Inspect the interior of the Unit. Any evidence of moisture, from process or environment, is an indication of housing damage, and the unit should be repaired or replaced.

Step 3. Use the Unit's DIAGNOSTICS menu to observe Present Status, and review EVENT HISTORY in the Event Log. Up to 10 events are stored. The events will be date and time stamped if the internal clock is set and running. It is suggested that the internal clock be set at the time of commissioning of the unit. If the clock is set at the time of the proof test, event times are calculated.
a) Choose the menu DIAGNOSTICS / Present Status.
   i. Present Status should be OK.
b) Choose the menu DIAGNOSTICS / EVENT HISTORY / Event Log.
   i. Any FAULT or WARNING messages must be investigated and understood.
   ii. Corrective actions should be taken for FAULT messages.

Step 4. Use the DIAGNOSTICS menu to perform a "CURRENT LOOP TEST". Choose the menu DIAGNOSTICS / ADVANCED DIAGNOSTICS / TRANSMITTER TESTS / Analog Output Test to change the output loop current and confirm that the actual current matches the value chosen.
a) Send a HART command to the transmitter (or use the local interface) to go to the high alarm current output, 22mA, and verify that the analog current reaches that value.
   i. This step tests for compliance voltage problems such as low supply voltage or increased wiring resistance.
   ii. This also tests for current loop control circuitry and adjustment problems.
b) Send a HART command to the transmitter (or use the local interface) to go to the low alarm current output, 3.6mA, and verify that the analog current reaches that value.
   i. This step tests for high quiescent current and supply voltage problems.
   ii. This also tests for current loop control circuitry and adjustment problems.
c) Exit the "Analog Output Test" and confirm that the output returns to its original state, with the proper loop current as indicated and controlled by the unit.

Step 5. Use the DIAGNOSTICS menu to observe the present Echo Curve. Confirm that the ECHO Waveform is normal. The echo curve is dependent on the type of probe used, the installation conditions and the level of process on the probe. Comparison of the present Echo curve to one stored at the time of commissioning the unit gives additional confidence of the normal operation of the unit. Use of the DTM and digital communications is necessary for comparison of echo curves.
a) Choose the menu DIAGNOSTICS / ECHO CURVES / View Echo Curve.
   i. Observe the present Echo Curve; identify the characteristic portions of the waveform related to the FIDUCIAL, Process level, End of Probe and other features.
   ii. Confirm that the FIDUCIAL appears acceptable. Confirm that the FIDUCIAL is located where expected.
   iii. Confirm that the signal from the process level appears normal and is located as expected.
   iv. Verify that the baseline of the waveform is smooth and flat.
   v. Compare to the Echo curve from commissioning in the FIDUCIAL area.
b) Access the Fiducial Ticks and Fiducial Strength values in the menu DIAGNOSTICS / ADVANCED DIAGNOSTICS / INTERNAL VALUES.
   i. Observe and record:
      1. Fiducial Ticks _____________
      2. Fiducial Strength ______________
   ii. Confirm that these values match the previous values:
      1. Fiducial Ticks change less than +/- 100
      2. Fiducial Strength changes less than +/- 15

Step 6. Perform a 2 point calibration check of the transmitter by applying level to two points on the probe and comparing the transmitter display reading and the current level value to a known reference measurement.

Step 7. If the calibration is correct, the proof test is complete. Proceed to step 9.

Step 8. If the calibration is incorrect, remove the transmitter and probe from the process. Inspect the probe for build-up or clogging. Clean the probe, if necessary. Perform a bench calibration check by shorting the probe at two points. Measure the level from the bottom of the probe to the two points and compare to the transmitter display and current level readings.
a) If the calibration is off by more than 2%, call the factory for assistance.
b) If the calibration is correct, the proof test is complete.
c) Re-install the probe and transmitter.

Step 9. Restore loop to full operation.

Step 10. Remove the bypass from the safety PLC or otherwise restore normal operation.

Appendix C exida Environmental Profiles

Table 9 exida Environmental Profiles

exida Environmental Profile 1: Cabinet Mounted Equipment
   General description: Cabinet mounted equipment typically has significant temperature rise due to power dissipation but is subjected to only minimal daily temperature swings.
   Profile per IEC 60654-1 (external): B2
   Ambient temperature [°C]: average 30; mean (inside box) 60
   Temp cycle [°C / 365 days]: 5

exida Environmental Profile 2: Low Power / Mechanical Field Products
   General description: Mechanical / low power electrical (two-wire) field products have minimal self heating and are subjected to daily temperature swings.
   Profile per IEC 60654-1 (external): C3
   Ambient temperature [°C]: average 25; mean (inside box) 30
   Temp cycle [°C / 365 days]: 25

exida Environmental Profile 3: General Field Equipment
   General description: General (four-wire) field products may have moderate self heating and are subjected to daily temperature swings. Non-process wetted components of valves and actuators.
   Profile per IEC 60654-1 (external): C3
   Ambient temperature [°C]: average 25; mean (inside box) 45
   Temp cycle [°C / 365 days]: 25

exida Environmental Profile 4: Unprotected Mechanical Field Products
   General description: Unprotected mechanical field products with minimal self heating are subject to daily temperature swings and rain or condensation.
   Profile per IEC 60654-1 (external): D1
   Ambient temperature [°C]: average 25; mean (inside box) 30
   Temp cycle [°C / 365 days]: 35

exida Environmental Profile 4: Process Wetted Parts
   General description: Typically valve and sensor parts that are process wetted.
   Profile, ambient temperature and temp cycle: Per Manufacturer's Specifications
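The acceptance criteria of the Table 8 proof test (Present Status, Event Log, the 22 mA and 3.6 mA loop tests, the fiducial drift limits and the 2% calibration limit) written as a pass/fail check over a recorded test, added here as an example that is not part of the exida report or of the Magnetrol product. The 0.05 mA loop-current tolerance, the use of probe length as the basis for the 2% limit, and the sample records are assumptions.

```python
# Added example (not from the exida report): evaluate a proof test record against Table 8.
from dataclasses import dataclass

HIGH_ALARM_MA = 22.0        # step 4a: high alarm current
LOW_ALARM_MA = 3.6          # step 4b: low alarm current
LOOP_TOLERANCE_MA = 0.05    # assumed: Table 8 states no tolerance
MAX_TICK_DELTA = 100        # step 5b: Fiducial Ticks change less than +/- 100
MAX_STRENGTH_DELTA = 15     # step 5b: Fiducial Strength change less than +/- 15
MAX_CAL_ERROR_PCT = 2.0     # step 8a: calibration off by more than 2 %
@dataclass
class ProofTestRecord:
    present_status: str        # DIAGNOSTICS / Present Status
    event_log: list            # Event Log entries, e.g. "WARNING: ..."
    measured_high_ma: float    # loop current read during the 22 mA test
    measured_low_ma: float     # loop current read during the 3.6 mA test
    fiducial_ticks: int        # INTERNAL VALUES read at this proof test
    fiducial_strength: int
    ref_fiducial_ticks: int    # the same values recorded at commissioning
    ref_fiducial_strength: int
    probe_length: float        # assumed basis for the 2 % limit (level units)
    calibration_points: list   # [(reference level, transmitter reading), ...]
def evaluate_proof_test(rec):
    """Return (failures, warnings); an empty failures list means pass."""
    failures, warnings = [], []
    if rec.present_status != "OK":
        failures.append(f"Present Status is {rec.present_status!r}, not OK")
    for entry in rec.event_log:             # step 3b: FAULT needs corrective action
        if entry.startswith("FAULT"):
            failures.append(entry)
        elif entry.startswith("WARNING"):   # must be investigated, not a fail by itself
            warnings.append(entry)
    for label, target, measured in (("high alarm", HIGH_ALARM_MA, rec.measured_high_ma),
                                    ("low alarm", LOW_ALARM_MA, rec.measured_low_ma)):
        if abs(measured - target) > LOOP_TOLERANCE_MA:
            failures.append(f"{label}: read {measured} mA, expected {target} mA")
    for name, now, ref, limit in (("Fiducial Ticks", rec.fiducial_ticks, rec.ref_fiducial_ticks, MAX_TICK_DELTA),
                                  ("Fiducial Strength", rec.fiducial_strength, rec.ref_fiducial_strength, MAX_STRENGTH_DELTA)):
        if abs(now - ref) >= limit:         # "changes less than +/- limit" must hold
            failures.append(f"{name} changed by {now - ref:+d} (limit +/- {limit})")
    for reference, reading in rec.calibration_points:
        error_pct = abs(reading - reference) / rec.probe_length * 100
        if error_pct > MAX_CAL_ERROR_PCT:
            failures.append(f"calibration off by {error_pct:.1f} % at level {reference}")
    return failures, warnings

# Constructed sample records (not measured data): one passing unit, one drifted unit.
PASSING = ProofTestRecord("OK", ["WARNING: constructed example"], 22.02, 3.58,
                          1500, 80, 1480, 90, 2000.0, [(500.0, 504.0), (1500.0, 1490.0)])
DRIFTED = ProofTestRecord("OK", ["FAULT: constructed example"], 21.90, 3.60,
                          1650, 60, 1480, 90, 2000.0, [(500.0, 560.0), (1500.0, 1490.0)])
```

The drifted record fails on the FAULT entry, the high alarm current, both fiducial limits and the first calibration point, which is the set of findings a step 8 investigation would start from.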