The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

FISA 2003 - Workshop 4

13th November

Component Manufacturer View Point

Moore Industries

Rob Stockham

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Moore Industries

• Manufacturer of Process Interface Components and Systems

• Trip Amplifiers

• Temperature Transmitters

• Signal Isolators

• Data Communications and Intelligent I/O

• Plus much more

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

(non safety related applications)

• British Energy• BNFL• UKAE• AWE• Electrabell Doel

(Belgium)• Garona

(Spain)• Bruce Power

(Canada)

Typical Customers In The Nuclear Industry

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Sensor Logic Solver Actuator

Selection and Justification of Instruments ???

Safety Integrity Level (SIL) Requirement Defined for LoopComponent Safety Data

PFD, SFF,etc

PIU and Software

Component Safety Data

PFD, SFF,etc

PIU and Software

Component Safety Data

PFD, SFF,etc

PIU and SoftwarePIU Proven in Use

PFD Probability Failure on Demand

SFF Safety Failure Fraction

Typical Safety Related Loop

Environment

Calibration and Maintenance Procedures

Application - Duty

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

How Should The Component Be Selected

Certification

‘Suitable for

SIL 3’

Alternatively

‘Proven in Use Claim’

OR

‘Manufacturer Claim’

OR

‘Third Party EXPERT Opinion’

Basis for selection

Component selected to meet Safety Integrity Level (SIL) requirement

Selection follows a comprehensive Risk Assessment and Assignment of Safety Integrity Level (SIL) for the whole safety instrumented loop

Typically SIL 1, 2 or 3

(SIL being the 4 highest)

Can this be justified

But what does this mean?

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Often a ‘Wall’ where the basis of the certificate is not clear?

Third Party CertificationRob Stockham:

1/ User with SIS

2/ Need ?

3/Manuf with Comp

4/ Need ?

5/ Cert comp

6/Info

7/Money 2x arrow

8/Certificate

9/ Wall ?

9/ Wall comment

10/Cert comp- are they competent

11/Accreditation comp comments

12/ ‘Certified’ Manuf Man

Rob Stockham:

1/ User with SIS

2/ Need ?

3/Manuf with Comp

4/ Need ?

5/ Cert comp

6/Info

7/Money 2x arrow

8/Certificate

9/ Wall ?

9/ Wall comment

10/Cert comp- are they competent

11/Accreditation comp comments

12/ ‘Certified’ Manuf Man

National Accreditation body, audits and ‘Accredits’ the certification company

‘Expert Company’ providing certified opinion

Functional Safety Management in place, audited and certified by ‘Accredited Certification company

High confidence the Manufacurer is competent, experienced and has all the required procedures, tools, techniques and processes in place for complete safety life cycle of the component

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Justification for Use

Component Selected

Generic Data Bases can be used for ‘bench marking’ the safety and reliability data of components

Rob Stockham:

MARK to add some wise words, here or on dedicated slide

Rob Stockham:

MARK to add some wise words, here or on dedicated slide

Justification based considering a wider source of information and approaches

A More Robust Approach

Proven in Use Data - if comprehensively documented and relevant to application

Third Party Certification - is the ‘certifier’ experienced and competent, with open and audited certification procedures ( they should be ‘Accredited’ by a National Body - UKAS in the United Kingdom)

Functional Safety Management must be in place at the manufacturer ( i.e. IEC 61508 - Part 1)

FMEDA comprehensive ‘Failure Modes Effects and Diagnostic Analysis’ on hardware will have been undertaken, this is part of the hardware realisation procedures (I.e IEC 61508 - Part 2)

Review of Software and Firmware, analysis of definition, integrity and code analysis,etc. Has the software been developed to recognised standard ( i.e. IEC 61508 - Part 3)

Target SIL level achieved? do the procedures in place for Functional Safety Management, Hardware Realisation and Software meet the requirements for the target SIL level requirement under IEC 61508, plus any industry and application specific requirements (such as the British Energy Programmable Electronic System (PES) Guidelines

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

More Information and Evidence

Moves Black to Grey towards White

Specification challenged

Evidence

Specification

How it works

How is the software written

How it performs

Accuracy

EMI/RFI

Temperature Effects

etc

Justification

Analysis

Tests

Explanation

Documentation

Third Party ReviewComponent

Black Box, no real information on how it works or what’s inside

Claim

Claims And Justification

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Issues of Technical & Commercial sensitivity

Resource and cost implications

Requires commitment

Additional Personnel, tools, techniques, procedures and third party involvement for review and certification

Matching Commitment and involvement by user

Implications To Manufacturer

More Information and Evidence

Moves Black to Grey towards White

Specification challenged

Evidence

Specification

How it works

How is the software

written

How it performs

Accuracy

EMI/RFI

Temperature Effects

Justification

Analysis

Tests

Explanation

Documentation

Third Party ReviewComponent

Claim

Claims and Justification

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Rob Stockham:

Mark - Comments

I can use please!

Rob Stockham:

Mark - Comments

I can use please!

Issues On Software And Firmware

•Development under IEC 61508 will also ensure that issues of competency, tools, techniques and configuration and change management will all be implemented

•Is the manufacturer in control of all parts of the software development, what are the implication of embedded ‘COTS’ modules and ‘SOUP’ within the software.

•Has any ‘competent’ third party reviewed the software development, together with code analysis and what are the findings?

•Has the software been developed to a standard (IEC 61508 - Part 3)? This will provide rigorous and documented procedures for definition, specification, safety requirements, function, performance,testing, validation and verification, etc

•How complex is the software, in IEC 61511and Clause 3.2.81 defines 3 levels of software - FPL Fixed Programming Language - Trip Amplifier, Transmitter - LVL - Limited Variability Language - typical of a PLC - FVL - Full Variability Language - C++, Java, etc

•Existing products - is ‘Proven in Use’ claimed for the software, can it be justified? How long in manufacture, how many units sold, application profiles, how was the software written, software failure and ‘bug’ fix documentation?

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Rob Stockham:

Copy of FSCA in box

Rob Stockham:

Copy of FSCA in box

How Has Moore Industries Dealt With Some Of The Issues?

•Achieved Accredited Certification by SIRA for our product development processes to IEC 61508 Part 1 and Part 2, under the CASS scheme for Functional Safety Capability Assessment

•Investment in tools, training and resources to undertake FMEDA work on our products

•Working with our customers on real safety related applications and to provide practical solutions

•Involvement with IEC 61508 and IEC 61511 seminars, conferences and committees to increase our understanding of what is required

•Over 35 years experience in ‘high reliability instrument has built a robust basis for the requirements of safety related instrumentation

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Ideal For The ‘White Box’

•The manufacturer has to have ‘core competency’ in safety related components, together with having in place safety management procedures, hardware and software development procedures to IEC 61508, audited to an accredited scheme.

•The user and the manufacturer need to come together at an early stage to define requirements and participate in the product development process

•Open communication and understanding of the development of the project, to minimise uncertainties in hardware, software, testing and implementation.

•Complete involvement by the manufacturer in the life cycle of the component with the user, with feedback on performance and failures to go back into the development and life cycle process

•This degree of commitment and involvement will present and challenge to all manufacturers, but especially those who may be involved in general commercial instrumentation.

The Interface Solution Experts www.miinet.com1 Lloyds Court, Manor Royal, Crawley

West Sussex, RH10 9QU, United KingdomTel: 01293 514488 Fax: 01293 536852

sales@mooreind.com

Summary

•The user should consider the most comprehensive and robust justification and not to rely on ‘one’ element to substantiate their case.

•Consider the whole application and life cycle for the requirement

•Consider the competency and experience of the potential manufacturer (Do they understand the particular and CHALLENGING requirements of the nuclear industry)

•Get involved with the potential manufacturer at an early stage

•If required develop ‘partnering’ arrangements to develop specific components or solutions to application requirements.

THANK YOU