cert report st3000 hart 6 pressure transmitter v38 · 2011. 11. 9. · file: cert_report_st3000...
TRANSCRIPT
Certification Report of the
ST 3000 Pressure Transmitter with HART 6
Revision No.: 2.4
Date: 2010-Mar-18
Report Number: SAS-190/2006T
Product: ST 3000 Pressure Transmitter with HART 6
Customer: Honeywell International Inc. Industrial Measurement & Control 512 Virginia Drive Fort Washington, PA 19034, USA
Order Number: G.SCC.DL.06.019.03.SLA
Authority: TÜV NORD SysTec GmbH & Co. KG Branch South Functional Safety Software & Electronics Halderstr. 27 86150 Augsburg / Germany
Responsible: Josef Neumann Functional Safety Manager
Reviewer: Gerhard M. Rieger Branch Manager
This report must not be copied in an abridged version without the permission of TÜV NORD SysTec GmbH & Co. KG.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 2 of 21 86150 Augsburg / Germany
Content Page
1 Subject of certification ................................................................................... 3
2 Basis of certification ...................................................................................... 4
3 Standards ........................................................................................................ 5
4 Definitions ....................................................................................................... 6
5 Overview about the system configuration ................................................... 7
5.1 Primary Safety Functions ..................................................................................... 8
5.2 Secondary Safety Functions ................................................................................ 8
5.3 Logic Solver Inputs .............................................................................................. 8
6 Hardware and software identification........................................................... 9
7 Documentation ............................................................................................... 9
8 Assessment activities and results ................................................................ 11
8.1 Development Process .......................................................................................... 11
8.2 System Architecture ............................................................................................. 14
8.3 Proven In Use ...................................................................................................... 15
8.4 Hardware Design and FMEDA ............................................................................. 16
8.5 Software Design and Implementation .................................................................. 19
8.6 Verification and Validation ................................................................................... 19
8.7 Modification for software version 38 ..................................................................... 20
8.8 Safety Manual ...................................................................................................... 21
9 Summary ......................................................................................................... 21
History:
Rev. Description Name Date 2.0 Initial issue for HART 6 communication J. Neumann 2007-Mar-12 2.1 Modification for hardware G and software 36 J. Neumann 2009-Apr-09 2.2 Modification for hardware H J. Neumann 2009-Jun-17 2.3 Revised configuration data J. Neumann 2009-Jul-27 2-4 Modification for software version 38 J. Neumann 1010-Mar-18
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 3 of 21 86150 Augsburg / Germany
1 Subject of certification
This report compiles the results of the assessment of the ST 3000 Pressure
Transmitter with HART 6 of Honeywell International Inc. Honeywell International Inc.
ordered the services of TÜV NORD SysTec GmbH & Co. KG (thereafter known has
TÜV NORD SysTec) to certify the ST 3000 Pressure Transmitter with HART 6
because of its use in safety-relevant applications by the process industry (e.g. oil &
gas and chemical industry) with the goal of achieving a successful approval of ST
3000 Pressure Transmitter with HART 6 in the framework of the certification of
safety-components.
The ST 3000 Pressure Transmitter with HART 6 is to be certified in accordance with
IEC 61508 for single use in Safety Integrity Level 2 (SIL 2) applications. The
development and software process should be certified in accordance with SIL 3
requirements allowing the use of dual redundant ST 3000 Pressure Transmitter with
HART 6s in SIL 3 applications.
The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 is based
upon the certified ST3000 Pressure Transmitter and the standard ST300 Smart
Pressure Transmitter which already has a documented history starting at 1983 for the
proven in use consideration under IEC 61508, the new industry standard for safety
electronic systems.
Honeywell International Inc. has ordered TÜV NORD SysTec to certify the ST 3000
Pressure Transmitter with HART 6 as a modification of the certified ST3000 Pressure
Transmitter to upgrade to the HART 6 communication feature. This report therefore
compiles the results of the ST3000 Pressure Transmitter certification and the update
to the ST 3000 Pressure Transmitter with HART 6.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 4 of 21 86150 Augsburg / Germany
2 Basis of certification
An effective assessment in order to meet all the requirements for a complete
certification requires the following testing segments to be successfully completed:
• Functional Safety Management (FSM)
• Development process
• Architecture
• Safety system structure
• Hardware design
• Software design and implementation
• Proven in use
• verification and validation
• Test specification
Including the following principal functional safety considerations:
• Hardware failure-behaviour
• Software failure-avoidance
• Probabilistic and Common Cause consideration
• Safety Manual
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 5 of 21 86150 Augsburg / Germany
3 Standards
Because of the application area of the ST 3000 Pressure Transmitter with HART 6,
the following standard is relevant:
Functional Safety
IEC 61508 Functional safety of electrical/electronic/programmable electronic
safety-related systems
IEC 61508-1:1998 Part 1: General Requirements
General definitions: Type B, Low Demand
IEC 61508-2:2000 Part 2: Requirements for electrical/electronic/programmable
electronic safety-related systems,
Required SIL 2
IEC 61508-3:1998 Part 3: Software requirements
Required SIL 3
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 6 of 21 86150 Augsburg / Germany
4 Definitions
FIT Failure In Time (1*10-9 failures per hour)
FMEDA Failure Mode Effect and Diagnostic Analysis
FSM Functional Safety Management
HART Highway Addressable Remote Transducer
Low demand mode Mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency
PFD Probability of Failure on Demand
PFDAVG Average Probability of Failure on Demand
SFF Safe Failure Fraction
SIL Safety Integrity Level
SRS Safety Requirements Specification
Type A component “Non-Complex” component (using discrete elements); for details see 7.4.3.1.3 of IEC 61508-2
Type B component “Complex” component (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2
λdu Dangerous Undetected (DU) Failure Rate [1/h]
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 7 of 21 86150 Augsburg / Germany
ST3000
5 Overview about the system configuration
The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6 is a two-
wire 4 – 20 mA smart device classified as Type B according to IEC61508. The
transmitter contains self-diagnostics and is programmed to send its output to a
specified failure state, either high or low upon internal detection of a failure. The
device can be equipped with or without display.
The software extensions include the following functionality:
• Compliance with HART specification version 6.2 (HCF_SPEC-12, Revision
6.2, dated 25 Jan 05).
• Addition of automatic diagnostic to detect microprocessor failures
Picture 1: Block structure
A/D
PROM
Pressure- sensor
Micropro cessor
D/A
Digital I/O
Electronics Housing
Meter Body
Multi- plexer
Proportional 4 to 20 mA PV Output
Pressure
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 8 of 21 86150 Augsburg / Germany
5.1 Primary Safety Functions
The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6
measures the (pressure gauge, differential, absolute) of a process and reports the
measurement within a safety accuracy of 2%.
5.2 Secondary Safety Functions
The Honeywell International Inc. ST 3000 Pressure Transmitter with HART 6
performs automatic diagnostics to detect internal failures and reports these failures
via out of band signals on the 4 – 20 mA output.
5.3 Logic Solver Inputs
The logic solver must be configured so that the engineering range in the transmitter
matches the expected range of the logic solver.
To take advantage of the internal diagnostics in the ST 3000 Pressure Transmitter
with HART 6, the logic solver must be configured to annunciate an out of band
current reading (greater than 20.8 mA. or less than 3.8 mA.) in standard instrument
or (greater than 21.0 mA. or less than 3.6 mA.) with Namur “NE” option as a
diagnostic fault. The logic solver configuration must consider the slew time of the
current signal and ensure that filtering is used to prevent a false diagnostic failure
annunciation.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 9 of 21 86150 Augsburg / Germany
6 Hardware and software identification
The following version sets are considered for the certification:
• Hardware Schematic: 51205697, H, 2009-05-21
• Hardware Layout: 51205695-001-M
• Software Rev 38
7 Documentation
The evaluation is based on the following documents of the ST 3000 Pressure
Transmitter with HART 6:
[D1] Project Plan, Vers. 1.5, 2006-01-25
[D2] Program Management Plan ST3000 HART 6, Vers. 1.0, 2007-01-19
[D3] Product Abstract, Vers. 0.3, 2006-02-23
[D4] Firmware Development Process, ST3000 and STT25H Upgrade Projects,
Vers. 0.7, 2006-07-11
[D5] Software Maintenance Document, R300SMD, Vers. 4.0, 1999-08-20
[D6] Risk Management Plan, Vers. 0.6, 2006-04-28
[D7] Software Requirements Specification, Vers. 1.6, 2006-07-10
[D8] High Level Design for SIL 2 implementation, Vers. 1.02, 2006-05-17
[D9] HART Burst Mode Communications for ST3000, Vers. 1.3, 2005-12-26
[D10] Proven In Use Assessment, Vers. 1.1, 2004-11-12
[D11] Failure Modes, Effects and Diagnostic Analysis, Vers. 1.1, 2006-06-16
[D12] Integration Test Plan, Vers. 1.02, 2006-07-13
[D13] Unit Test Plan for SIL2 implementation, Vers. 1.11, 2006-07-17
[D14] Unit Test Procedure, Vers. 1.0, 2006-05-23
[D15] Unit Test Report, Vers. 1.02, 2006-12-15
[D16] Fault Injection Testing, Vers. 4.0, 2006-07-14
[D17] ST3000 Hart 5 Test Plan and Test Case Design, Vers. 0.6, 2006-08-06
[D18] Test Plan Results, Vers. 1.00, 1999-07-29
[D19] Test Report, Vers. 0.3, 2006-12-07
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 10 of 21 86150 Augsburg / Germany
[D20] Traceability Matrix, V1.0, 2006-07-11
[D21] Internal Review Comments Document, V1.01, 2006-07-13
[D22] Safety Manual, Doc. No. 34-ST-25-31, 2006-10
[D23] Team Competency Summary, Vers. 1.0, 2006-07-11
[D24] HART 6 Communications for ST3000, Vers. 1.3, 2005-08-26
[D25] Impact Analysis Form, Vers. 1.0, 2007-01-19
[D26] ST3000 Hart5 / HART 6 Traceability Matrix, Vers. 1.0, 2006-07-11
[D27] Impact Analysis, V1.0, 2008-08-19
[D28] Program Management Plan ST3000+, Vers. 1.0, 2007-11-08
[D29] ST3000+ SIL Unit Test Plan, Vers. 1.1.1, 2008-11-20
[D30] Schematic, R300 DE/HART, ST3000, 51205697, Vers. H
[D31] Impact Analysis Form, V1.0, 2009-Dec-23
[D32] ST 3000 Rosebud HART System Test Plan, V1.3.1, 2009-Dec-12
[D33] ST 3000+ Rosebud SIL Unit Test Plan, V1.1.3, 2009-Dec-28
[D34] Firmware Module with Highlighted Changes, 2009-Dec-30
The assessment is based on the following documents of TÜV NORD SysTec:
[D35] Offer for a type approval and certification of the ST3000 HART Pressure
Transmitter, Vers. 1.0, 2006-03-22
[D36] Offer for a type approval and certification of the updated ST3000 HART 6.x
Pressure Transmitter, Rev. 1.0, 2006-Nov-10
[D37] Protocol of the document reviews, Vers. 1.0, 2006-07-11
[D38] Fault injection test report, Vers. 1.0, 2006-07-11
[D39] Checklist according IEC 61508, Vers. 1.0, 2006-12-01
[D40] Review of the modifications for the ST3000 HART 6 Pressure Transmitter,
Rev. 1.0, 2007-01-29
[D41] Review of the modification for hardware G and SW 36, V1.0,
2009-04-09
[D42] Review of the modification for the hardware H and SW 37, V1.0, 2009-06-15
[D43] Review of the modification for the ST 3000+ HART6 about software version 6,
Rev. 1.0, 2010-03-15
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 11 of 21 86150 Augsburg / Germany
8 Assessment activities and results
8.1 Development Process
General aspects and scope:
In this step of assessment, a safety management audit has been performed to cover
the relevant requirements of the IEC 61508, in respect of the fulfillment of the
requirements to the safety quality procedures.
The scope of the Functional Safety Management Audit covers the specified Safety
Lifecycle Phases of the IEC61508. The scope for Honeywell International Inc. is as
follows:
For design, developing, manufacturing and integration
of microprocessor based transmitters.
For the Functional Safety Management Audit according to IEC 61508 it was essential
that the functional safety management and the software development process are
designed for the SIL 3 level to allow the set up of a redundant ST 3000 Pressure
Transmitter with HART 6 system in a SIL 3 environment. The FSM procedures are
used to reduce the systematic failure rate. Honeywell International Inc. has created
the following documents to define the FSM activities:
• Project Plan [D1]
• Program Management Plan [D2]
• Product Abstract [D3]
• Firmware Development Process [D4]
• Software Maintenance Document [D5]
Within the project all safety relevant definitions are defined by the Functional Safety
Management and the normative requirements.
Structuring of the development process:
The documents [D1] to [D5] describe the Honeywell International Inc. development
processes, procedures and work-instructions. TÜV NORD SysTec visited the
Honeywell International Inc. development site as an external assessment
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 12 of 21 86150 Augsburg / Germany
department, toured the facilities and interviewed the Safety Design Team in order to
understand all the relevant corporate procedures. They then extracted the most
important functional safety management requirements from the standards and
prepared documents indicating needed enhancements of the standard processes.
TÜV NORD SysTec has reviewed this document to discuss the overall FSM
requirement activities for the project with Honeywell International Inc. TÜV NORD
SysTec has than discussed the relevant items with Honeywell International Inc. in a
meeting and reviewed the documents for the safety aspects of the system.
Honeywell International Inc. is covering the following areas:
• Functional Safety Management
• Quality Management System
• Development of Safety Sub-Systems (Realization)
• Verification & Validation activities (Testing)
The focus of the interview with Honeywell International Inc. was to demonstrate
compliance with the appropriate sections of the IEC61508 standard. The following
sections were considered:
• Specific Objectives for Functional Safety
• Change Management (Modification Process)
• Maintenance
The reviews with Honeywell International Inc. were related to the following areas:
• Safety Requirement specification
• Safety Architectural Constrains
• Safety Hardware Requirements
• Safety Software Requirements
• Proven In Use documentation
• Verification & Validation of Safety Products
• Safety Manual
It was essential for the audit to discuss the safety aspects of the project with the
participants and to ask for the relevant documents and to access all relevant
information. Actual documentation from the ST 3000 Pressure Transmitter with
HART 6 project was partly reviewed and the statements of the participants were
compared with the relevant parts of the documents.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 13 of 21 86150 Augsburg / Germany
Verification & Validation activities (Testing):
For verification & validation the independent test engineers are responsible for all
activities within this segment. They create the test specifications for specific projects
used by the development engineers. The functional tests and integration and
validation testing was done by independent test engineers. The test engineers must
have specific knowledge about safety functions of the specific project. Internal
training is therefore an important method to improve the knowledge of the test
engineers. This could be proved by interviews and with reviews of examples of the
corresponding documents.
Result:
The audits and document reviews performed from the 10 to 11 of July 2006 with
Honeywell International Inc. have shown that the Functional Safety Management
System, defined in the documents [D1] to [D5] complies with the applicable sections
of the IEC 61508.
No major findings were detected in the audit.
If changes to the Safety Management Systems are performed than TÜV NORD
SysTec must be informed.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 14 of 21 86150 Augsburg / Germany
8.2 System Architecture
The system documents [D7] to [D9] have been reviewed to verify compliance of the
system architecture with the standard listed in clause 3 "Standards".
Based on the set of requirements TÜV NORD SysTec has evaluated whether the
implemented fault detection and fault control measures which are defined for the ST
3000 Pressure Transmitter with HART 6 were sufficient to meet the requirements.
The system architecture was evaluated in regards to completeness and correctness
against the Safety Requirements Specification and the System FMEDA. The system
architecture have to be designed for a Type B subsystem according the IEC 61508-2
with a Safe Failure Fraction of 90% or higher.
The FMEDA verified the defined safe state of the ST 3000 Pressure Transmitter with
HART 6 in the event of possible malfunctions. Probable deviation from the specified
function of the unit was also considered to be a malfunction.
Result:
The review from TÜV NORD SysTec has shown that the system architecture of the
ST 3000 Pressure Transmitter with HART 6 is consistent against the Safety
Requirements Specification. The specifications in the documentation are consistent
and complete and clearly presented. The system concept with the chosen
architecture design and the selected measures of fault detection and fault control is
able to fulfill the Safety Integrity Level 2 with a Safe Failure Fraction of >90%.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 15 of 21 86150 Augsburg / Germany
8.3 Proven In Use
For a device to be considered proven-in-use the volume of operating experience
needs to be considered. For the Honeywell International Inc. ST 3000 Pressure
Transmitter with HART 6 this information is obtained from the Operation Experience
and Warranty Information.
The Honeywell International Inc. standard ST300 Smart Pressure Transmitter was
first introduced in January 1983. In this time period there have been no significant
revisions or changes to the design. The operating experience and warranty
information indicates that the total number of shipped units during this time period is
1,291,023. For failure rates calculated on the basis of field returns only the hours
recorded during the warranty period of the manufacturer are used, since this is the
only time frame when failures can be expected to be reported. It must be assumed
that all failures after the warranty period are not reported to the manufacturer.
Honeywell International Inc. offers a 12-mounth warranty period; this period starts on
the date of shipment. Volume of operating experience must be based on installation
dates and not on shipment dates. Since installation dates are not available it is
assumed that the pressure transmitters are installed 6 months after shipment. Using
this assumptions and restrictions the number of operational hours is estimated to be:
Operation Hours = 10,075,132,920 hrs
These operating hours are considered to be sufficient taking into account the medium
complexity of the sub-system and the use in SIL 3 safety functions.
In the calculation of the operation hours it is assumed that the units shipped include
units up to a year before the field failure reporting hereby ensuring that all failures
that occur to the included units are accounted for.
Result:
The documented operating hours are considered to be sufficient for the use at SIL 2
or SIL 3 applications, depending on redundancy and the calculation of the PDF and
SFF and taking into account the medium complexity of the subsystem.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 16 of 21 86150 Augsburg / Germany
8.4 Hardware Design and FMEDA
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and
evaluate the effects of different component failure modes, to determine what could
eliminate or reduce the chance of failure, and to document the system in
consideration.
A FMEDA (Failure Mode Effect and Diagnostic Analysis) is an extension of the
FMEA. It combines standard FMEA techniques with additional analysis to identify
online diagnostic techniques and the failure modes relevant to safety system design.
It is a technique recommended to generate failure rates for each important category
(detected, dangerous undetected, fail high, fail low, annunciation) in the safety
model.
The following assumptions have been made during the Failure Modes, Effects, and
Diagnostic Analysis of the ST 3000 Pressure Transmitter with HART 6:
• Only a single component failure will fail the entire product
• An additional ROM testing is implemented (CRC16 checksum)
• An additional RAM test is implemented (walking 1 and walking 0)
• Failure rates are constant, wear out mechanisms are not included.
• Propagation of failures is not relevant.
• All components that are not part of the safety function and cannot influence
the safety function (feedback immune) are excluded.
• The application program in the safety logic solver is configured to detect
under-range (Fail Low), over-range (Fail High) and Fail Detected failures and
does not automatically trip on these failures; therefore these failures have
been classified as dangerous detected failures.
• The HART and DE protocol are only used for setup, calibration, and diagnostic
purposes; not for safety critical operation.
• The stress levels are average for an industrial environment and can be
compared to IEC 60654-1, Class C with temperature limits within the
manufacturer’s rating and an average temperature over a long period of time
of 40ºC. Humidity levels are assumed within manufacturer’s rating.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 17 of 21 86150 Augsburg / Germany
• The listed failure rates are valid for operating stress conditions typical of an
industrial field environment similar to IEC 60654-1 class C with an average
temperature over a long period of time of 40ºC. For a higher average
temperature of 60°C, the failure rates should be multiplied with an experience
based factor of 2.5. A similar multiplier should be used if frequent temperature
fluctuation must be assumed.
• External power supply failure rates are not included.
The modifications to the hardware to implement HART 6.x has been reviewed [D37]
according the Impact Analysis Form [D25]. Only the prom size has changed from
32K to 64K.
The following tables show the failure rates resulted from the Honeywell International
Inc. ST 3000 Pressure Transmitter with HART 6 FMEDA [D11].
Failure category Failure rate (in FITs)
Fail Dangerous Detected 427 - Fail Detected (detected by internal diagnostics) 293 - Fail High (detected by the logic solver) 20 - Fail Low (detected by the logic solver) 114 Fail Dangerous Undetected 40No Effect 64Annunciation Undetected 6
Table 1 Failure rates ST 3000 Pressure Transmitter with HART 6
The failure rates that are derived from the FMEDA for the ST 3000 Pressure
Transmitter with HART 6 are in a format different from the IEC 61508 format. Table 2
lists the failure rates for ST 3000 Pressure Transmitter with HART 6 according to IEC
61508, assuming that the logic solver can detect both over-scale and under-scale
currents. It is assumed that the probability model will correctly account for the
Annunciation Undetected failures. Otherwise the Annunciation Undetected failures
have to be classified as Dangerous Undetected according to IEC 61508 (worst-case
assumption). The No Effect and Annunciation Undetected failures are classified as
safe and therefore need to be considered in the Safe Failure Fraction calculation and
are included in the total failure rate.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 18 of 21 86150 Augsburg / Germany
According to IEC 61508, also the Safe Failure Fraction (SFF) of the ST 3000
Pressure Transmitter with HART 6 should be calculated. The SFF is the fraction of
the overall failure rate of a device that results in either a safe fault or a diagnosed
unsafe fault. This is reflected in the following formula for SFF:
SFF = 1 - ּגdu / ּגtotal
Device ּגsd ּגsu ּגdd ּגdu SFF
ST 3000 Pressure Transmitter with HART 6
0 FIT 70 FIT 427 FIT 40 FIT 92,5%
Table 2: Failure rates and Safe Failure Fraction according to IEC 61508
The architectural constraint type for the ST 3000 Pressure Transmitter with HART 6
is B. The SFF and required SIL determine the level of hardware fault tolerance that is
required per requirements of IEC 61508. The SIS designer is responsible for meeting
other requirements of applicable standards for any given SIL as well.
The expected lifetime of the Honeywell International Inc. ST 3000 Pressure
Transmitter with HART 6 is 50 years. The failure rates of the Honeywell International
Inc. ST 3000 Pressure Transmitter with HART 6 may increase sometime after this
period.
When plant experience indicates a shorter useful lifetime, the number based on plant
experience should be used.
The modification for hardware rev. H has only minor changes and has been reviewed
[D42].
Result:
With these results from the calculation it can be shown, that the ST 3000 Pressure
Transmitter with HART 6 fulfils SIL 2 for the hardware design in a single
configuration.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 19 of 21 86150 Augsburg / Germany
8.5 Software Design and Implementation
The software of the ST 3000 Pressure Transmitter with HART 6 is based upon the
standard ST300 Smart Pressure Transmitter and is considered to be proven in use
according to the calculated operating hours.
To provide the necessary internal testing of the hardware module to cover the IEC
61508 requirements for the Safe Failure Fraction (SFF) according SIL 2 additional
tests has been implemented. This was done by adding software modules following
the IEC 61508-3 SIL 3 process for software developing and implementation. These
additional tests includes RAM and ROM testing and a flow control to reach a
sufficient safe failure fraction > 90%. The corresponding documents have been
reviewed by TÜV NORD SysTec. The modifications to the software to implement
HART 6.x has been reviewed [D40] and [D41] according the Impact Analysis Form
[D25] and [D27]. Only new HART 6 specific commands and long address scheme
per HART Foundation Specifications have been added.
Result:
The software design and implementation is compliant to IEC 61508 part 3 according
SIL 3.
8.6 Verification and Validation
The verification activities are defined by the reviews of the documentation according
the specific phases of the development model (V-model). The review documentation
has been discussed with responsible engineers from Honeywell International Inc. and
has been reviewed by TÜV NORD SysTec.
The test specification defined in the Integration Test Plan [D12] from the
manufacturer has been reviewed. The list of validation tests are referenced to the
Requirement Specification. The review has shown that the requirements are covered
by the validation plan.
After the execution of the validation tests by the manufacturer [D13] to [D19], the test
results have been reviewed by TÜV NORD SysTec. The test results are also
referenced to the Design Specification.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 20 of 21 86150 Augsburg / Germany
Additional sample testing of the ST 3000 Pressure Transmitter with HART 6 have
been defined by TÜV NORD SysTec and a separate list of test items has been
generated. The defined of tests have been executed by TÜV NORD SysTec together
with the manufacturer. The definition and results are documented in the Fault
Injection Test Report for the ST3000 Pressure Transmitter [D38].
Result:
The review of the Integration Test Plan and the Test Reports from the manufacturer
and the execution of the sample tests by TÜV NORD SysTec have shown that the
defined tests are consistent to the Design Specification and the tested results can be
compared to the tests of the manufacturer. The test definitions are sufficient to prove
compliance with the standard.
8.7 Modification for software version 38
The review covered the modification of the ST3000 HART 6 Pressure Transmitter
firmware because of a bug fix which was discovered by an internal trial run in the
factory. The modification results in the actual version 38
An Impact Analysis[31] is provided by the customer and was reviewed by TÜV
NORD SysTec. The modification and possible safety impact are analyzed and
documented clearly. The discussed modification has no impact to safety features of
the pressure transmitter. The details are outlined in the impact analysis.
Test activities have been defined and are documented in the test documentation [32]
and [33].
The validation of the product changes covers the defined set of testing.
The test documentation has been reviewed by TÜV NORD SysTec and has shown
that the test coverage is sufficient and no safety impacts could be found.
File: Cert_Report_ST3000 HART_6_Pressure_Transmitter V38.doc TÜV NORD SysTec GmbH & Co. KG Report No.: SAS-190/2006T Rev.: 2.4 Branch South Date: 2010-Mar-18 Halderstr. 27 Page 21 of 21 86150 Augsburg / Germany
8.8 Safety Manual
The Safety Manual [D22] has been reviewed to fulfill the requirements of the
considered standard. Specifically the section about Proof Testing has been checked
according the defined measures to be followed up by the end user to be compliant
with the considered standard according failure detection which are not covered by
the diagnostic of the transmitter.
Result:
The review has shown that the Safety Manual meets the requirement of the
considered standard. Detailed descriptions are included for the end user to install,
operate and maintain the transmitter in the required safety level.
9 Summary
The assessment of the ST 3000 Pressure Transmitter with HART 6 has shown that
the system design, the safety functional management and the system structure are
compliant with the IEC 61508, SIL 2 under consideration of the proven in use of the
transmitter and the additional measures implemented to the transmitter. The defined
development process of the software for modifications together with the proven in
use consideration is in accordance with IEC 61508, SIL 3 requirements allowing the
use of dual redundant ST 3000 Pressure Transmitter with HART 6 in SIL 3
applications.
The validation and testing activities has shown compliances between the realized
transmitter implementation and the safety requirements specification.
The actual version of the Safety Manual [D22] must be considered for the use in
safety relevant applications.