
Cert Report ST3000 HART 6 Pressure Transmitter V38 · 2011. 11. 9. · File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc · TÜV NORD SysTec GmbH & Co. KG · Report No.: SAS-190/2006T

Certification Report of the

ST 3000 Pressure Transmitter with HART 6

Revision No.: 2.4

Date: 2010-Mar-18

Report Number: SAS-190/2006T

Product: ST 3000 Pressure Transmitter with HART 6

Customer: Honeywell International Inc. Industrial Measurement & Control 512 Virginia Drive Fort Washington, PA 19034, USA

Order Number: G.SCC.DL.06.019.03.SLA

Authority: TÜV NORD SysTec GmbH & Co. KG Branch South Functional Safety Software & Electronics Halderstr. 27 86150 Augsburg / Germany

Responsible: Josef Neumann Functional Safety Manager

Reviewer: Gerhard M. Rieger Branch Manager

This report must not be copied in an abridged version without the permission of TÜV NORD SysTec GmbH & Co. KG.


File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 2 of 21 86150 Augsburg / Germany

Content

1 Subject of certification
2 Basis of certification
3 Standards
4 Definitions
5 Overview about the system configuration
5.1 Primary Safety Functions
5.2 Secondary Safety Functions
5.3 Logic Solver Inputs
6 Hardware and software identification
7 Documentation
8 Assessment activities and results
8.1 Development Process
8.2 System Architecture
8.3 Proven In Use
8.4 Hardware Design and FMEDA
8.5 Software Design and Implementation
8.6 Verification and Validation
8.7 Modification for software version 38
8.8 Safety Manual
9 Summary

History:

Rev.  Description                                   Name        Date
2.0   Initial issue for HART 6 communication        J. Neumann  2007-Mar-12
2.1   Modification for hardware G and software 36   J. Neumann  2009-Apr-09
2.2   Modification for hardware H                   J. Neumann  2009-Jun-17
2.3   Revised configuration data                    J. Neumann  2009-Jul-27
2.4   Modification for software version 38          J. Neumann  2010-Mar-18


1 Subject of certification

This report compiles the results of the assessment of the ST 3000 Pressure Transmitter with HART 6 of Honeywell International Inc. Honeywell International Inc. ordered the services of TÜV NORD SysTec GmbH & Co. KG (hereafter referred to as TÜV NORD SysTec) to certify the ST 3000 Pressure Transmitter with HART 6 because of its use in safety-relevant applications in the process industry (e.g. the oil & gas and chemical industries), with the goal of achieving approval of the ST 3000 Pressure Transmitter with HART 6 in the framework of the certification of safety components.

The ST 3000 Pressure Transmitter with HART 6 is to be certified in accordance with IEC 61508 for single use in Safety Integrity Level 2 (SIL 2) applications. The development and software process is to be certified in accordance with SIL 3 requirements, allowing the use of dual redundant ST 3000 Pressure Transmitters with HART 6 in SIL 3 applications.

The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 is based upon the certified ST3000 Pressure Transmitter and the standard ST 3000 Smart Pressure Transmitter, which already has a documented history starting in 1983 for the proven-in-use consideration under IEC 61508, the industry standard for safety-related electronic systems.

Honeywell International Inc. has ordered TÜV NORD SysTec to certify the ST 3000 Pressure Transmitter with HART 6 as a modification of the certified ST3000 Pressure Transmitter, upgraded with the HART 6 communication feature. This report therefore compiles the results of the ST3000 Pressure Transmitter certification and the update to the ST 3000 Pressure Transmitter with HART 6.


2 Basis of certification

An effective assessment that meets all the requirements for a complete certification requires the following testing segments to be successfully completed:

• Functional Safety Management (FSM)

• Development process

• Architecture

• Safety system structure

• Hardware design

• Software design and implementation

• Proven in use

• Verification and validation

• Test specification

Including the following principal functional safety considerations:

• Hardware failure-behaviour

• Software failure-avoidance

• Probabilistic and Common Cause consideration

• Safety Manual


3 Standards

Because of the application area of the ST 3000 Pressure Transmitter with HART 6, the following standards are relevant:

Functional Safety

IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems

IEC 61508-1:1998 Part 1: General requirements (general definitions: Type B, low demand)

IEC 61508-2:2000 Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (required: SIL 2)

IEC 61508-3:1998 Part 3: Software requirements (required: SIL 3)


4 Definitions

FIT Failure In Time (1 × 10^-9 failures per hour)

FMEDA Failure Mode Effect and Diagnostic Analysis

FSM Functional Safety Management

HART Highway Addressable Remote Transducer

Low demand mode Mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency

PFD Probability of Failure on Demand

PFDAVG Average Probability of Failure on Demand

SFF Safe Failure Fraction

SIL Safety Integrity Level

SRS Safety Requirements Specification

Type A component “Non-Complex” component (using discrete elements); for details see 7.4.3.1.3 of IEC 61508-2

Type B component “Complex” component (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2

λdu Dangerous Undetected (DU) Failure Rate [1/h]


5 Overview about the system configuration

The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 is a two-wire 4 – 20 mA smart device classified as Type B according to IEC 61508. The transmitter contains self-diagnostics and is programmed to drive its output to a specified failure state, either high or low, upon internal detection of a failure. The device is available with or without a display.

The software extensions include the following functionality:

• Compliance with HART specification version 6.2 (HCF_SPEC-12, Revision 6.2, dated 25 Jan 05).

• Addition of automatic diagnostics to detect microprocessor failures

Picture 1: Block structure of the ST3000. Meter Body: pressure sensor (pressure input). Electronics Housing: multiplexer, A/D, microprocessor, PROM, D/A, digital I/O. Output: proportional 4 to 20 mA PV output.


5.1 Primary Safety Functions

The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 measures the pressure (gauge, differential or absolute) of a process and reports the measurement within a safety accuracy of 2%.

5.2 Secondary Safety Functions

The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 performs automatic diagnostics to detect internal failures and reports these failures via out-of-band signals on the 4 – 20 mA output.

5.3 Logic Solver Inputs

The logic solver must be configured so that the engineering range in the transmitter matches the expected range of the logic solver.

To take advantage of the internal diagnostics in the ST 3000 Pressure Transmitter with HART 6, the logic solver must be configured to annunciate an out-of-band current reading (greater than 20.8 mA or less than 3.8 mA) for the standard instrument, or (greater than 21.0 mA or less than 3.6 mA) with the NAMUR "NE" option, as a diagnostic fault. The logic solver configuration must consider the slew time of the current signal and ensure that filtering is used to prevent a false diagnostic failure annunciation.
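The logic-solver configuration described in 5.3, as an added example that is not code from the report or from Honeywell: it classifies loop-current samples against the two threshold sets given above and applies a debounce filter so that a transient during the slew of the current signal does not raise a false diagnostic fault. The debounce count, the latching behaviour, the profile names and the sample streams are this example's own assumptions.

```python
"""Logic-solver side of the ST 3000 out-of-band diagnostic (section 5.3).

Added example; it is not code from the report or from Honeywell. It uses the
current thresholds the report gives (3.8/20.8 mA standard, 3.6/21.0 mA with
the NAMUR "NE" option). The debounce filter, the latching, the profile names
and the sample streams are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Sequence, Tuple

# Out-of-band thresholds from the report, section 5.3 (mA).
PROFILES = {
    "standard": {"low": 3.8, "high": 20.8},
    "namur_ne": {"low": 3.6, "high": 21.0},
}


def classify(current_ma: float, profile: str = "standard") -> str:
    """Classify one loop-current sample: 'fail_low', 'fail_high' or 'ok'."""
    limits = PROFILES[profile]
    if current_ma < limits["low"]:
        return "fail_low"
    if current_ma > limits["high"]:
        return "fail_high"
    return "ok"


def current_to_pv(current_ma: float, lrv: float, urv: float) -> float:
    """Scale an in-band current to engineering units for a linear 4-20 mA range lrv..urv.

    The logic solver's range (lrv, urv) must match the range configured in the
    transmitter, as section 5.3 requires; a mismatch silently mis-scales the PV.
    """
    return lrv + (current_ma - 4.0) * (urv - lrv) / 16.0


@dataclass
class OutOfBandDetector:
    """Annunciate a diagnostic fault only after the current has stayed out of
    band for `debounce_samples` consecutive samples (assumed filter against
    transients while the current signal slews)."""
    profile: str = "standard"
    debounce_samples: int = 3
    fault: Optional[str] = field(default=None, init=False)
    _last: str = field(default="ok", init=False)
    _run: int = field(default=0, init=False)

    def update(self, current_ma: float) -> Optional[str]:
        """Feed one sample; return the latched fault ('fail_low'/'fail_high') or None."""
        state = classify(current_ma, self.profile)
        self._run = self._run + 1 if state == self._last else 1
        self._last = state
        if state != "ok" and self._run >= self.debounce_samples and self.fault is None:
            # Latch: a brief return in band must not clear a diagnosed fault.
            self.fault = state
        return self.fault

    def reset(self) -> None:
        """Operator acknowledge: clear the latched fault and the sample history."""
        self.fault = None
        self._last, self._run = "ok", 0


def first_fault(samples: Sequence[float], profile: str = "standard",
                debounce_samples: int = 3) -> Tuple[Optional[int], Optional[str]]:
    """Run the detector over a sample stream; return (index, fault) of the first
    annunciation, or (None, None) if the stream never trips the diagnostic."""
    det = OutOfBandDetector(profile, debounce_samples)
    for i, sample in enumerate(samples):
        if det.update(sample) is not None:
            return i, det.fault
    return None, None


# Constructed sample streams (mA), not measured data.
SLEW_TRANSIENT = [12.0, 12.0, 3.7, 12.0, 12.0]      # one-sample dip during a fast change
SUSTAINED_LOW = [12.0, 3.7, 3.7, 3.7, 3.7]          # transmitter driven to its fail-low state
SUSTAINED_HIGH = [12.0, 20.9, 20.9, 20.9, 20.9]     # transmitter driven to its fail-high state

if __name__ == "__main__":
    for name, stream in [("slew transient", SLEW_TRANSIENT),
                         ("sustained low", SUSTAINED_LOW),
                         ("sustained high", SUSTAINED_HIGH)]:
        for profile in PROFILES:
            print(f"{name:15s} {profile:9s} -> {first_fault(stream, profile)}")
```

Note that 3.7 mA and 20.9 mA are faults for the standard thresholds but in band for the NAMUR "NE" option, so the profile configured in the logic solver must match the option ordered on the transmitter; the debounce length should be chosen from the measured slew time of the loop, not left at the example's default.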


6 Hardware and software identification

The following version sets are considered for the certification:

• Hardware Schematic: 51205697, H, 2009-05-21

• Hardware Layout: 51205695-001-M

• Software Rev 38

7 Documentation

The evaluation is based on the following documents of the ST 3000 Pressure Transmitter with HART 6:

[D1] Project Plan, Vers. 1.5, 2006-01-25

[D2] Program Management Plan ST3000 HART 6, Vers. 1.0, 2007-01-19

[D3] Product Abstract, Vers. 0.3, 2006-02-23

[D4] Firmware Development Process, ST3000 and STT25H Upgrade Projects, Vers. 0.7, 2006-07-11

[D5] Software Maintenance Document, R300SMD, Vers. 4.0, 1999-08-20

[D6] Risk Management Plan, Vers. 0.6, 2006-04-28

[D7] Software Requirements Specification, Vers. 1.6, 2006-07-10

[D8] High Level Design for SIL 2 implementation, Vers. 1.02, 2006-05-17

[D9] HART Burst Mode Communications for ST3000, Vers. 1.3, 2005-12-26

[D10] Proven In Use Assessment, Vers. 1.1, 2004-11-12

[D11] Failure Modes, Effects and Diagnostic Analysis, Vers. 1.1, 2006-06-16

[D12] Integration Test Plan, Vers. 1.02, 2006-07-13

[D13] Unit Test Plan for SIL2 implementation, Vers. 1.11, 2006-07-17

[D14] Unit Test Procedure, Vers. 1.0, 2006-05-23

[D15] Unit Test Report, Vers. 1.02, 2006-12-15

[D16] Fault Injection Testing, Vers. 4.0, 2006-07-14

[D17] ST3000 Hart 5 Test Plan and Test Case Design, Vers. 0.6, 2006-08-06

[D18] Test Plan Results, Vers. 1.00, 1999-07-29

[D19] Test Report, Vers. 0.3, 2006-12-07


[D20] Traceability Matrix, V1.0, 2006-07-11

[D21] Internal Review Comments Document, V1.01, 2006-07-13

[D22] Safety Manual, Doc. No. 34-ST-25-31, 2006-10

[D23] Team Competency Summary, Vers. 1.0, 2006-07-11

[D24] HART 6 Communications for ST3000, Vers. 1.3, 2005-08-26

[D25] Impact Analysis Form, Vers. 1.0, 2007-01-19

[D26] ST3000 Hart5 / HART 6 Traceability Matrix, Vers. 1.0, 2006-07-11

[D27] Impact Analysis, V1.0, 2008-08-19

[D28] Program Management Plan ST3000+, Vers. 1.0, 2007-11-08

[D29] ST3000+ SIL Unit Test Plan, Vers. 1.1.1, 2008-11-20

[D30] Schematic, R300 DE/HART, ST3000, 51205697, Vers. H

[D31] Impact Analysis Form, V1.0, 2009-Dec-23

[D32] ST 3000 Rosebud HART System Test Plan, V1.3.1, 2009-Dec-12

[D33] ST 3000+ Rosebud SIL Unit Test Plan, V1.1.3, 2009-Dec-28

[D34] Firmware Module with Highlighted Changes, 2009-Dec-30

The assessment is based on the following documents of TÜV NORD SysTec:

[D35] Offer for a type approval and certification of the ST3000 HART Pressure Transmitter, Vers. 1.0, 2006-03-22

[D36] Offer for a type approval and certification of the updated ST3000 HART 6.x Pressure Transmitter, Rev. 1.0, 2006-Nov-10

[D37] Protocol of the document reviews, Vers. 1.0, 2006-07-11

[D38] Fault injection test report, Vers. 1.0, 2006-07-11

[D39] Checklist according to IEC 61508, Vers. 1.0, 2006-12-01

[D40] Review of the modifications for the ST3000 HART 6 Pressure Transmitter, Rev. 1.0, 2007-01-29

[D41] Review of the modification for hardware G and SW 36, V1.0, 2009-04-09

[D42] Review of the modification for the hardware H and SW 37, V1.0, 2009-06-15

[D43] Review of the modification for the ST 3000+ HART6 about software version 6, Rev. 1.0, 2010-03-15


8 Assessment activities and results

8.1 Development Process

General aspects and scope:

In this step of the assessment, a safety management audit was performed to cover the relevant requirements of IEC 61508 with respect to the fulfilment of the requirements on the safety quality procedures.

The scope of the Functional Safety Management Audit covers the specified Safety Lifecycle Phases of IEC 61508. The scope for Honeywell International Inc. is as follows:

For design, development, manufacturing and integration of microprocessor based transmitters.

For the Functional Safety Management Audit according to IEC 61508 it was essential that the functional safety management and the software development process are designed for SIL 3, to allow the set-up of a redundant ST 3000 Pressure Transmitter with HART 6 system in a SIL 3 environment. The FSM procedures are used to reduce the systematic failure rate. Honeywell International Inc. has created the following documents to define the FSM activities:

• Project Plan [D1]

• Program Management Plan [D2]

• Product Abstract [D3]

• Firmware Development Process [D4]

• Software Maintenance Document [D5]

Within the project all safety relevant definitions are defined by the Functional Safety Management and the normative requirements.

Structuring of the development process:

The documents [D1] to [D5] describe the Honeywell International Inc. development processes, procedures and work instructions. TÜV NORD SysTec, as an external assessment department, visited the Honeywell International Inc. development site, toured the facilities and interviewed the Safety Design Team in order to understand all the relevant corporate procedures. They then extracted the most important functional safety management requirements from the standards and prepared documents indicating needed enhancements of the standard processes. TÜV NORD SysTec reviewed this document to discuss the overall FSM requirement activities for the project with Honeywell International Inc. TÜV NORD SysTec then discussed the relevant items with Honeywell International Inc. in a meeting and reviewed the documents for the safety aspects of the system.

Honeywell International Inc. covers the following areas:

• Functional Safety Management

• Quality Management System

• Development of Safety Sub-Systems (Realization)

• Verification & Validation activities (Testing)

The focus of the interview with Honeywell International Inc. was to demonstrate compliance with the appropriate sections of the IEC 61508 standard. The following sections were considered:

• Specific Objectives for Functional Safety

• Change Management (Modification Process)

• Maintenance

The reviews with Honeywell International Inc. related to the following areas:

• Safety Requirements Specification

• Safety Architectural Constraints

• Safety Hardware Requirements

• Safety Software Requirements

• Proven In Use documentation

• Verification & Validation of Safety Products

• Safety Manual

It was essential for the audit to discuss the safety aspects of the project with the participants, to ask for the relevant documents and to access all relevant information. Actual documentation from the ST 3000 Pressure Transmitter with HART 6 project was partly reviewed and the statements of the participants were compared with the relevant parts of the documents.


Verification & Validation activities (Testing):

For verification & validation, the independent test engineers are responsible for all activities within this segment. They create the test specifications for specific projects used by the development engineers. The functional tests and the integration and validation testing were done by independent test engineers. The test engineers must have specific knowledge of the safety functions of the specific project. Internal training is therefore an important method to improve the knowledge of the test engineers. This was verified by interviews and by reviews of examples of the corresponding documents.

Result:

The audits and document reviews performed on 10 and 11 July 2006 with Honeywell International Inc. have shown that the Functional Safety Management System, defined in the documents [D1] to [D5], complies with the applicable sections of IEC 61508.

No major findings were detected in the audit.

If changes to the Safety Management System are made, TÜV NORD SysTec must be informed.


8.2 System Architecture

The system documents [D7] to [D9] have been reviewed to verify compliance of the system architecture with the standards listed in clause 3 "Standards".

Based on the set of requirements, TÜV NORD SysTec has evaluated whether the fault detection and fault control measures implemented for the ST 3000 Pressure Transmitter with HART 6 are sufficient to meet the requirements.

The system architecture was evaluated with regard to completeness and correctness against the Safety Requirements Specification and the System FMEDA. The system architecture has to be designed as a Type B subsystem according to IEC 61508-2 with a Safe Failure Fraction of 90% or higher.

The FMEDA verified the defined safe state of the ST 3000 Pressure Transmitter with HART 6 in the event of possible malfunctions. Probable deviation from the specified function of the unit was also considered to be a malfunction.

Result:

The review by TÜV NORD SysTec has shown that the system architecture of the ST 3000 Pressure Transmitter with HART 6 is consistent with the Safety Requirements Specification. The specifications in the documentation are consistent, complete and clearly presented. The system concept with the chosen architecture design and the selected measures of fault detection and fault control is able to fulfil Safety Integrity Level 2 with a Safe Failure Fraction of >90%.


8.3 Proven In Use

For a device to be considered proven in use, the volume of operating experience needs to be considered. For the Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 this information is obtained from the operating experience and warranty information.

The Honeywell International Inc. standard ST 3000 Smart Pressure Transmitter was first introduced in January 1983. In this time period there have been no significant revisions or changes to the design. The operating experience and warranty information indicates that the total number of shipped units during this time period is 1,291,023. For failure rates calculated on the basis of field returns, only the hours recorded during the manufacturer's warranty period are used, since this is the only time frame in which failures can be expected to be reported. It must be assumed that failures after the warranty period are not reported to the manufacturer. Honeywell International Inc. offers a 12-month warranty period; this period starts on the date of shipment. The volume of operating experience must be based on installation dates and not on shipment dates. Since installation dates are not available, it is assumed that the pressure transmitters are installed 6 months after shipment. Using these assumptions and restrictions, the number of operational hours is estimated to be:

Operation Hours = 10,075,132,920 hrs

These operating hours are considered to be sufficient, taking into account the medium complexity of the sub-system and the use in SIL 3 safety functions.

In the calculation of the operating hours it is assumed that the units shipped include units up to a year before the field failure reporting, thereby ensuring that all failures that occur in the included units are accounted for.

Result:

The documented operating hours are considered to be sufficient for use in SIL 2 or SIL 3 applications, depending on redundancy and on the calculation of the PFD and SFF, and taking into account the medium complexity of the subsystem.


8.4 Hardware Design and FMEDA

A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system under consideration.

A FMEDA (Failure Mode Effect and Diagnostic Analysis) is an extension of the FMEA. It combines standard FMEA techniques with additional analysis to identify online diagnostic techniques and the failure modes relevant to safety system design. It is a technique recommended to generate failure rates for each important category (detected, dangerous undetected, fail high, fail low, annunciation) in the safety model.

The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis of the ST 3000 Pressure Transmitter with HART 6:

• Only a single component failure will fail the entire product.

• An additional ROM test is implemented (CRC16 checksum).

• An additional RAM test is implemented (walking 1 and walking 0).

• Failure rates are constant; wear-out mechanisms are not included.

• Propagation of failures is not relevant.

• All components that are not part of the safety function and cannot influence the safety function (feedback immune) are excluded.

• The application program in the safety logic solver is configured to detect under-range (Fail Low), over-range (Fail High) and Fail Detected failures and does not automatically trip on these failures; therefore these failures have been classified as dangerous detected failures.

• The HART and DE protocols are only used for setup, calibration and diagnostic purposes, not for safety-critical operation.

• The stress levels are average for an industrial environment and can be compared to IEC 60654-1, Class C, with temperature limits within the manufacturer's rating and an average temperature over a long period of time of 40 °C. Humidity levels are assumed to be within the manufacturer's rating.


• The listed failure rates are valid for operating stress conditions typical of an industrial field environment similar to IEC 60654-1 class C with an average temperature over a long period of time of 40 °C. For a higher average temperature of 60 °C, the failure rates should be multiplied by an experience-based factor of 2.5. A similar multiplier should be used if frequent temperature fluctuation must be assumed.

• External power supply failure rates are not included.

The modifications to the hardware to implement HART 6.x have been reviewed [D37] according to the Impact Analysis Form [D25]. Only the PROM size has changed, from 32K to 64K.

The following table shows the failure rates resulting from the Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 FMEDA [D11].

Failure category                                      Failure rate (in FITs)
Fail Dangerous Detected                               427
  - Fail Detected (detected by internal diagnostics)  293
  - Fail High (detected by the logic solver)           20
  - Fail Low (detected by the logic solver)           114
Fail Dangerous Undetected                              40
No Effect                                              64
Annunciation Undetected                                 6

Table 1: Failure rates ST 3000 Pressure Transmitter with HART 6

The failure rates derived from the FMEDA for the ST 3000 Pressure Transmitter with HART 6 are in a format different from the IEC 61508 format. Table 2 lists the failure rates for the ST 3000 Pressure Transmitter with HART 6 according to IEC 61508, assuming that the logic solver can detect both over-scale and under-scale currents. It is assumed that the probability model will correctly account for the Annunciation Undetected failures. Otherwise the Annunciation Undetected failures have to be classified as Dangerous Undetected according to IEC 61508 (worst-case assumption). The No Effect and Annunciation Undetected failures are classified as safe and therefore need to be considered in the Safe Failure Fraction calculation and are included in the total failure rate.


According to IEC 61508, the Safe Failure Fraction (SFF) of the ST 3000 Pressure Transmitter with HART 6 should also be calculated. The SFF is the fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault. This is reflected in the following formula for SFF:

$\mathrm{SFF} = 1 - \lambda_{du} / \lambda_{total}$

Device                                     λsd     λsu      λdd      λdu     SFF
ST 3000 Pressure Transmitter with HART 6   0 FIT   70 FIT   427 FIT  40 FIT  92,5%

Table 2: Failure rates and Safe Failure Fraction according to IEC 61508

The architectural constraint type for the ST 3000 Pressure Transmitter with HART 6 is B. The SFF and the required SIL determine the level of hardware fault tolerance that is required per the requirements of IEC 61508. The SIS designer is responsible for meeting other requirements of applicable standards for any given SIL as well.

The expected lifetime of the Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 is 50 years. The failure rates of the Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 may increase sometime after this period.

When plant experience indicates a shorter useful lifetime, the number based on plant experience should be used.

The modification for hardware rev. H comprises only minor changes and has been reviewed [D42].

Result:

With these results from the calculation it can be shown that the ST 3000 Pressure Transmitter with HART 6 fulfils SIL 2 for the hardware design in a single configuration.
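The SFF calculation of Tables 1 and 2 and the architectural-constraint lookup that leads to the result above, carried through in code. This is an added example written for this report, not Honeywell's or TÜV NORD's own material. The failure rates are the report's Table 1 figures; the type B SFF/hardware-fault-tolerance table is IEC 61508-2:2000 Table 3 as recalled by the editor and should be checked against the edition applied in a given assessment. The function names and the fmeda_rates structure are assumptions of this example.

```c
/* Added example, not part of the TUV NORD report: computes the Safe
 * Failure Fraction and the architectural-constraint SIL from failure
 * rates in the IEC 61508 format, using the ST 3000 HART 6 figures from
 * Tables 1 and 2 of the report. */
#include <stdio.h>

typedef struct {
    double sd, su, dd, du;   /* failure rates in FIT (failures per 1e9 h) */
} fmeda_rates;

/* SFF = 1 - lambda_du / lambda_total, lambda_total = sd + su + dd + du */
double safe_failure_fraction(fmeda_rates r)
{
    double total = r.sd + r.su + r.dd + r.du;
    return total > 0.0 ? 1.0 - r.du / total : 0.0;
}

/* Maximum SIL allowed for a type B subsystem by SFF band and hardware
 * fault tolerance (IEC 61508-2:2000, Table 3, as recalled; verify against
 * the edition in force). 0 means "not allowed".
 * hft 0 = single device, 1 = 1oo2, 2 = 1oo3. */
int max_sil_type_b(double sff, int hft)
{
    static const int table[4][3] = {
        {0, 1, 2},   /* SFF < 60 % */
        {1, 2, 3},   /* 60 % <= SFF < 90 % */
        {2, 3, 4},   /* 90 % <= SFF < 99 % */
        {3, 4, 4},   /* SFF >= 99 % */
    };
    int band = sff < 0.60 ? 0 : sff < 0.90 ? 1 : sff < 0.99 ? 2 : 3;
    if (hft < 0) return 0;
    if (hft > 2) hft = 2;
    return table[band][hft];
}

/* Table 1 figures. Fail High and Fail Low are detected by the logic
 * solver and therefore belong to Dangerous Detected together with the
 * internally diagnosed failures: 293 + 20 + 114 = 427 FIT. */
#define FIT_DD  427.0
#define FIT_DU   40.0
#define FIT_NE   64.0   /* No Effect */
#define FIT_AU    6.0   /* Annunciation Undetected */

/* Table 2 classification: No Effect and Annunciation Undetected are
 * safe undetected (70 FIT). */
fmeda_rates st3000_rates_reported(void)
{
    fmeda_rates r = { 0.0, FIT_NE + FIT_AU, FIT_DD, FIT_DU };
    return r;
}

/* Worst-case classification named in the report: Annunciation
 * Undetected counted as Dangerous Undetected. */
fmeda_rates st3000_rates_worst_case(void)
{
    fmeda_rates r = { 0.0, FIT_NE, FIT_DD, FIT_DU + FIT_AU };
    return r;
}

static void report(const char *label, fmeda_rates r)
{
    double sff = safe_failure_fraction(r);
    printf("%-11s SFF = %.1f %%  max SIL: HFT0 -> %d, HFT1 -> %d\n",
           label, 100.0 * sff, max_sil_type_b(sff, 0), max_sil_type_b(sff, 1));
}

int main(void)
{
    report("reported", st3000_rates_reported());
    report("worst case", st3000_rates_worst_case());
    return 0;
}
```

With the report's classification the SFF is 92.5 %; with the worst-case classification it is 91.4 %. Both fall in the 90 % to 99 % band, so a single type B device reaches SIL 2 and a 1oo2 arrangement reaches SIL 3, which is the reading the report gives for the hardware.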


8.5 Software Design and Implementation

The software of the ST 3000 Pressure Transmitter with HART 6 is based upon the standard ST 3000 Smart Pressure Transmitter and is considered to be proven in use according to the calculated operating hours.

To provide the necessary internal testing of the hardware module to cover the IEC 61508 requirements for the Safe Failure Fraction (SFF) according to SIL 2, additional tests have been implemented. This was done by adding software modules following the IEC 61508-3 SIL 3 process for software development and implementation. These additional tests include RAM and ROM testing and flow control to reach a sufficient Safe Failure Fraction > 90%. The corresponding documents have been reviewed by TÜV NORD SysTec. The modifications to the software to implement HART 6.x have been reviewed [D40] and [D41] according to the Impact Analysis Forms [D25] and [D27]. Only new HART 6 specific commands and the long address scheme per HART Foundation Specifications have been added.
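How a ROM test and a program flow control raise the diagnosed share of failures, shown as an added example written for this report and not taken from Honeywell's firmware or from the fault injection tests of [D38]. The 9-byte stand-in image, its reference CRC (the standard CRC-16/CCITT-FALSE check value), the checkpoint ids and the fault injection modes are all constructed for the example; the function names are assumptions. Each injected fault is one that would otherwise pass silently and therefore count as Dangerous Undetected; the diagnostics turn it into a detected fault that the device can signal to the logic solver.

```c
/* Added example, not the transmitter's firmware: a ROM integrity test
 * and a program flow control, wired into one constructed measurement
 * cycle with fault injection hooks so their detection can be exercised. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- ROM test: CRC-16/CCITT-FALSE over the code image ------------- */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed stand-in for the firmware image. Its reference CRC is the
 * well-known CRC-16/CCITT-FALSE check value for "123456789"; a real
 * device stores the CRC of the flash image at build time. */
#define ROM_SIZE 9
static const uint8_t rom_image[ROM_SIZE] = {'1','2','3','4','5','6','7','8','9'};
#define ROM_CRC_REFERENCE 0x29B1

int rom_test(const uint8_t *image, size_t len, uint16_t reference)
{
    return crc16_ccitt(image, len) == reference;
}

/* ---- Program flow control ------------------------------------------ */
/* Every safety-relevant step of the cycle reports a checkpoint. The ids
 * are folded into a running signature with an order-sensitive mix, so a
 * skipped, repeated or reordered step yields a signature different from
 * the reference produced by a correct run. */
enum checkpoint {
    CP_READ_SENSOR   = 0x11,
    CP_LINEARIZE     = 0x23,
    CP_RANGE_CHECK   = 0x37,
    CP_UPDATE_OUTPUT = 0x49
};
static const uint32_t expected_path[] = {
    CP_READ_SENSOR, CP_LINEARIZE, CP_RANGE_CHECK, CP_UPDATE_OUTPUT
};

typedef struct { uint32_t sig; } flow_monitor;

void flow_start(flow_monitor *m) { m->sig = 0; }
void flow_checkpoint(flow_monitor *m, uint32_t id) { m->sig = (m->sig * 31u) ^ id; }

/* Reference signature of the expected path (a build-time constant in
 * real firmware; computed here from expected_path for readability). */
uint32_t flow_reference(void)
{
    flow_monitor m;
    flow_start(&m);
    for (size_t i = 0; i < sizeof expected_path / sizeof expected_path[0]; i++)
        flow_checkpoint(&m, expected_path[i]);
    return m.sig;
}

int flow_check(const flow_monitor *m) { return m->sig == flow_reference(); }

/* ---- One measurement cycle with fault injection --------------------- */
enum fault { FAULT_NONE, FAULT_SKIP_RANGE_CHECK, FAULT_REPEAT_LINEARIZE, FAULT_ROM_BIT_FLIP };

/* Returns 1 when all diagnostics pass and 0 when a fault is detected; on
 * detection the firmware would drive the loop current to its failsafe
 * level so the logic solver sees a Fail High / Fail Low. */
int measurement_cycle(enum fault inject)
{
    uint8_t rom[ROM_SIZE];
    memcpy(rom, rom_image, ROM_SIZE);
    if (inject == FAULT_ROM_BIT_FLIP)
        rom[4] ^= 0x01;                      /* single bit error in "ROM" */

    flow_monitor m;
    flow_start(&m);
    flow_checkpoint(&m, CP_READ_SENSOR);     /* read pressure sensor */
    flow_checkpoint(&m, CP_LINEARIZE);       /* apply calibration */
    if (inject == FAULT_REPEAT_LINEARIZE)
        flow_checkpoint(&m, CP_LINEARIZE);   /* step executed twice */
    if (inject != FAULT_SKIP_RANGE_CHECK)
        flow_checkpoint(&m, CP_RANGE_CHECK); /* plausibility check (skippable) */
    flow_checkpoint(&m, CP_UPDATE_OUTPUT);   /* update 4-20 mA output */

    return flow_check(&m) && rom_test(rom, ROM_SIZE, ROM_CRC_REFERENCE);
}

int main(void)
{
    printf("no fault:      %s\n", measurement_cycle(FAULT_NONE) ? "pass" : "FAULT");
    printf("skipped step:  %s\n", measurement_cycle(FAULT_SKIP_RANGE_CHECK) ? "pass" : "FAULT");
    printf("repeated step: %s\n", measurement_cycle(FAULT_REPEAT_LINEARIZE) ? "pass" : "FAULT");
    printf("ROM bit flip:  %s\n", measurement_cycle(FAULT_ROM_BIT_FLIP) ? "pass" : "FAULT");
    return 0;
}
```

The mix `sig * 31 ^ id` is a bijection on 32-bit state for each fixed id, so two runs that diverge at any checkpoint keep distinct signatures to the end of the cycle; the CRC catches any single-bit change in the image. In an FMEDA these two measures move the corresponding failure modes from Dangerous Undetected to Dangerous Detected, which is what lifts the SFF over the 90 % threshold the report cites.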

Result:

The software design and implementation is compliant with IEC 61508 part 3 according to SIL 3.

8.6 Verification and Validation

The verification activities are defined by the reviews of the documentation according to the specific phases of the development model (V-model). The review documentation has been discussed with responsible engineers from Honeywell International Inc. and has been reviewed by TÜV NORD SysTec.

The test specification defined in the Integration Test Plan [D12] from the manufacturer has been reviewed. The list of validation tests is referenced to the Requirement Specification. The review has shown that the requirements are covered by the validation plan.

After the execution of the validation tests by the manufacturer [D13] to [D19], the test results have been reviewed by TÜV NORD SysTec. The test results are also referenced to the Design Specification.


Additional sample testing of the ST 3000 Pressure Transmitter with HART 6 has been defined by TÜV NORD SysTec and a separate list of test items has been generated. The defined tests have been executed by TÜV NORD SysTec together with the manufacturer. The definition and results are documented in the Fault Injection Test Report for the ST3000 Pressure Transmitter [D38].

Result:

The review of the Integration Test Plan and the Test Reports from the manufacturer and the execution of the sample tests by TÜV NORD SysTec have shown that the defined tests are consistent with the Design Specification and the test results can be compared to the tests of the manufacturer. The test definitions are sufficient to prove compliance with the standard.

8.7 Modification for software version 38

The review covered the modification of the ST3000 HART 6 Pressure Transmitter firmware because of a bug fix for a defect discovered by an internal trial run in the factory. The modification results in the actual version 38.

An Impact Analysis [31] is provided by the customer and was reviewed by TÜV NORD SysTec. The modification and possible safety impact are analyzed and documented clearly. The discussed modification has no impact on the safety features of the pressure transmitter. The details are outlined in the impact analysis.

Test activities have been defined and are documented in the test documentation [32] and [33].

The validation of the product changes covers the defined set of testing.

The test documentation has been reviewed by TÜV NORD SysTec and has shown that the test coverage is sufficient and no safety impacts could be found.


8.8 Safety Manual

The Safety Manual [D22] has been reviewed to fulfill the requirements of the considered standard. Specifically, the section about Proof Testing has been checked according to the defined measures to be followed by the end user in order to be compliant with the considered standard regarding the detection of failures which are not covered by the diagnostics of the transmitter.

Result:

The review has shown that the Safety Manual meets the requirements of the considered standard. Detailed descriptions are included for the end user to install, operate and maintain the transmitter at the required safety level.

9 Summary

The assessment of the ST 3000 Pressure Transmitter with HART 6 has shown that the system design, the functional safety management and the system structure are compliant with IEC 61508, SIL 2, under consideration of the proven-in-use status of the transmitter and the additional measures implemented in the transmitter. The defined development process of the software for modifications, together with the proven-in-use consideration, is in accordance with the IEC 61508 SIL 3 requirements, allowing the use of dual redundant ST 3000 Pressure Transmitters with HART 6 in SIL 3 applications.

The validation and testing activities have shown compliance between the realized transmitter implementation and the safety requirements specification.

The actual version of the Safety Manual [D22] must be considered for the use in safety relevant applications.