
IEC 61508 Functional Safety Assessment

Project:
Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override

Customer:
Westlock Controls
Saddle Brook, New Jersey
USA

Contract No.: Q09/09-39


Report No.: WES 09/09-39 R002
Version V1, Revision R1, October 12, 2009
Rachel Amkreutz - Iwan van Beurden - William M. Goble - Steven Close

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any
event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management summary
This report summarizes the results of the functional safety assessment according to IEC 61508
carried out on the:
 Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override
The functional safety assessment performed by exida consisted of the following activities:
- exida assessed the development process used by Westlock Controls by an on-site audit
and creation of a detailed safety case against the requirements of IEC 61508. As RGS
Electro-Pneumatics Ltd is the original designer of the solenoid valves and is involved in any
modification activities, the development process used by RGS was also reviewed via a
separate assessment.
- exida performed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the
devices to document the hardware architecture and failure behavior.
The functional safety assessment was performed to the requirements of IEC 61508, SIL 3. A full
IEC 61508 Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the
primary audit tool. Hardware process requirements and all associated documentation were
reviewed. Also the user documentation including the Falcon Pneumatic 3 Way Spool valves,
*S****0 w/o manual override safety manual was reviewed.
The results of the Functional Safety Assessment can be summarized by the following statements:
The Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override meet the
requirements of SIL 2, single use (HFT = 0) and SIL 3 for redundant use (HFT > 0).

© exida.com L.L.C. wes 09-09-39 r001 v1 r1 iec 61508 assessment.doc, 10/12/2009


Rachel Amkreutz - Iwan van Beurden - William M. Goble - Steven Close Page 2 of 19
Table of Contents
Management summary .................................................................................................... 2
1 Purpose and Scope ................................................................................................... 4
2 Project management .................................................................................................. 5
2.1 exida ............................................................................................................................ 5
2.2 Roles of the parties involved ........................................................................................ 5
2.3 Standards / Literature used .......................................................................................... 5
2.4 Reference documents .................................................................................................. 5
2.4.1 Documentation provided by Westlock Controls .................................................. 5
2.4.2 Documentation provided by RGS ....................................................................... 6
2.4.3 Documentation generated by exida.................................................................... 7
3 Product Description.................................................................................................... 8
3.1 Westlock Controls Falcon Pneumatic 3 Way Spool valves ........................................... 8
4 IEC 61508 Functional Safety Assessment ................................................................. 9
4.1 Methodology................................................................................................................. 9
4.2 Assessment level ......................................................................................................... 9
5 Results of the IEC 61508 Functional Safety Assessment ........................................ 10
5.1 Lifecycle Activities and Fault Avoidance Measures..................................................... 10
5.1.1 Functional Safety Management ....................................................................... 11
5.1.2 Safety Requirements Specification and Architecture Design ............................ 11
5.1.3 Hardware Design ............................................................................................. 12
5.1.4 Validation ......................................................................................................... 13
5.1.5 Verification ....................................................................................................... 13
5.1.6 Modifications.................................................................................................... 14
5.1.7 User documentation ......................................................................................... 14
5.2 Hardware Assessment ............................................................................................... 15
6 Terms and Definitions .............................................................................................. 17
7 Status of the document ............................................................................................ 18
7.1 Liability ....................................................................................................................... 18
7.2 Releases .................................................................................................................... 18
7.3 Future Enhancements ................................................................................................ 18
7.4 Release Signatures .................................................................................................... 18

1 Purpose and Scope
Generally three options exist when doing an assessment of sensors, interfaces and/or final
elements.
Option 1: Hardware assessment according to IEC 61508
Option 1 is a hardware assessment by exida according to the relevant functional safety standard(s)
like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault
behavior and the failure rates of the device, which are then used to calculate the Safe Failure
Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG). When appropriate, fault
injection testing will be used to confirm the effectiveness of any self-diagnostics.
This option, for pre-existing hardware devices, shall provide the safety instrumentation engineer with
the required failure data as per IEC 61508 / IEC 61511; it does not include an assessment of the
development process.
Option 2: Hardware assessment with proven-in-use consideration according to IEC 61508 /
IEC 61511
Option 2 is an assessment by exida according to the relevant functional safety standard(s) like IEC
61508 or EN 954-1. The hardware assessment consists of a FMEDA to determine the fault
behavior and the failure rates of the device, which are then used to calculate the Safe Failure
Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG). When appropriate, fault
injection testing will be used to confirm the effectiveness of any self-diagnostics. In addition, this
option includes an assessment of the proven-in-use documentation of the device including the
modification process.
This option for pre-existing programmable electronic devices shall provide the safety
instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and may help
justify the reduced fault tolerance requirements of IEC 61511 for sensors, final elements and other
PE field devices when combined with plant specific proven-in-use records.
Option 3: Full assessment according to IEC 61508
Option 3 is a full assessment by exida according to the relevant application standard(s) like
IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or EN 954-1.
The full assessment extends option 1 by an assessment of all fault avoidance and fault control
measures during hardware and software development.

This assessment shall be done according to option 3.


This document shall describe the results of the IEC 61508 functional safety assessment of the
Westlock Controls Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override.

2 Project management
2.1 exida
exida is one of the world’s leading knowledge companies specializing in automation system safety
and availability with over 200 years of cumulative experience in functional safety. Founded by
several of the world’s top reliability and safety experts from assessment organizations and
manufacturers, exida is a partnership with offices around the world. exida offers training, coaching,
project oriented consulting services, internet based safety engineering tools, detail product
assurance and certification analysis and a collection of on-line safety and reliability resources.
exida maintains a comprehensive failure rate and failure mode database on process equipment.

2.2 Roles of the parties involved


Westlock Controls: Manufacturer of the valve body of the Falcon Pneumatic 3 Way Spool valves
RGS Electro-Pneumatics Ltd: Designer of the Falcon Pneumatic 3 Way Spool valves and OEM supplier of the coils, spools and sealing kits
exida: Performed the IEC 61508 Functional Safety Assessment according to option 3 (see section 1)
Westlock Controls contracted exida in August 2005 for the IEC 61508 Functional Safety
Assessment of the above mentioned devices.

2.3 Standards / Literature used


The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508 (Parts 1 - 7), 2000: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

2.4 Reference documents


2.4.1 Documentation provided by Westlock Controls
[D1] ISO-9001 QM: ISO-9001 Quality Assurance Manual, Westlock Controls
[D2] QP 7.3.1-1, Rev 1, 10/24/2005: Design and development planning of variations of existing products
[D3] QP 7.3.1-2, Rev 1, 10/24/2005: Design and development planning of new products
[D4] QP 4.2.3-1, Rev 0, 07/21/04: Documentation and data control
[D5] QP 7.3.7-1, Rev 1, 10/21/05: Engineering Change Notice (ECN)
[D6] QP 7.3-1, Rev 1, 10/21/05: Engineering Stop Order (ESO)
[D7] tech382_quantum_gpniis_sc_iom.pdf: User documentation
[D8] Falcon Safety Manual, draft: Falcon Pneumatic Spool valve Safety Manual

2.4.2 Documentation provided by RGS
[D9] A0091.xls, 12/3/2004: Life test report datasheet, A0091
[D10] Compressive Stress Calculation.xls: Compressive stress calculations spreadsheet
[D11] Spring Calculation.xls: Spring Calculations spreadsheet
[D12] FMEA Solenoids.xls, 04/28/2004: Failure Modes, Effect and Analysis, RGS Solenoid Range
[D13] FMEA Valves.xls, 04/28/2004: Failure Modes, Effect and Analysis, RGS Valve Range
[D14] Technical File Mechanical Atex1.doc: Technical File Mechanical Atex Category 2, Pneumatic Spool Valves
[D15] Procedure No. 22, Issue 9, 23/09/2004: Customer Complaints / Returns procedure
[D16] Procedure No. 23, Issue 6, 30/01/1997: Non-Conforming Material and Products procedure
[D17] Procedure No. 24, Issue 6, 17/03/1991: Corrective and Preventative Action procedure
[D18] Procedure No. 31, Draft: Implementation of Functional Safety
[D19] QA Form No. 70, 24/02/2004: Customer Returns Form
[D20] Validation Document Westlock Falcon 2.doc, Issue 1: Product Validation Document, Falcon 2
[D21] WI0092, Issue 1, 12/9/1995: Recall System Work Instruction
[D22] QM ISO 9001, Issue 2, 06/12/2004: Quality Manual BS EN ISO 9001: 2000, R.G.S. Electro-Pneumatics Ltd.
[D23] T205, Issue 1.0, 13/07/1995: Technis report, Demonstration of SIL 2 Safety-Integrity of the range of Solenoid And Spool Valves and of Future Developments at RGS Electro-Pneumatics Ltd
[D24] RGS 06-05-02 R002 v01 IEC 61508 Assessment, draft, June 23, 2006: IEC 61508 Functional Safety Assessment, RGS Electro-Pneumatics Ltd Falcon solenoid valves, by exida.com LLC, draft assessment report
[D25] Design File 1: RGS Design And Development File
[D26] Procedure 07, Issue 10: RGS Procedure No. 0007 - Document Control
[D27] Procedure 28, Issue 9: RGS Procedure No. 0028 - Personnel Training
[D28] RGS Test Specification Documents: Endurance Testing, Flow Testing, High Temperature Testing, Low Temperature Testing, Pull-in and Dropout Testing, Response Time Testing

[D29] QA0073 RGS QA - Concept Review Document
[D30] QA0074 RGS QA - Feasibility Review Document
[D31] QA0075 RGS QA - Capability Review Document
[D32] QA0015, Issue 20 RGS QA - Document/Engineering Change Note

2.4.3 Documentation generated by exida


[R1] Solenoid FMEDA - Exida07 FMEDA01.xls, 12/05/04: Failure Modes, Effects, and Diagnostic Analysis, Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override
[R2] WES 05-08-32 R003 V1 R0 FMEDA 3-way Falcon, 8/23/2006: Failure Modes, Effects, and Diagnostic Analysis Report, Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override
[R3] WES 04/08-15 R004, V1, R1, 22-Feb-2005: IEC 61508 Process Gap Analysis – SIL 2, Westlock Controls Product Development Process
[R4] WES 05-08-32 R002 SafetyCase Review, V0 R1, 02/07/2006: Westlock IEC 61508 Compliance Assessment, SafetyCaseDB Review
[R5] WES 05-09-39 R001 V1 R0 IEC 61508 Assessment.doc, 10/12/2009: IEC 61508 Functional Safety Assessment, Westlock Controls Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override (this report)

3 Product Description

3.1 Westlock Controls Falcon Pneumatic 3 Way Spool valves


The Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override are 3-way or 4-way
solenoid valves. The Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override
incorporate elastomer static seals through which a shaped spool moves. The 3-way valve is
normally used for pilot control of other relay valves or for operation of single-acting cylinders. The 4-
way valve is normally used to control the action of double acting cylinders.
The seal space assembly forms individual annular chambers opposite each valve port, and the
grooved spool either closes or allows flow between adjacent chambers; hence the position of the
spool determines which ports are open or closed. The spool is moved by a mechanically
operated mechanism, normally against a spring return.
The 3-way valve option without manual override was reviewed for this assessment and the
FMEDA. The Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override are classified as
Type A¹ devices according to IEC 61508, having a hardware fault tolerance of 0.
RGS Electro-Pneumatics Ltd is the original designer of the Falcon Pneumatic Spool valves and
manufacturer of the coils, spools and sealing kits. Westlock Controls is the manufacturer of the
valve body of the Falcon Pneumatic Spool valves.

¹ Type A component: “Non-Complex” component with well-defined failure modes; for details see 7.4.3.1.2
of IEC 61508-2.
4 IEC 61508 Functional Safety Assessment
The IEC 61508 Functional Safety Assessment was performed based on the information received
from Westlock Controls and RGS Electro-Pneumatics Ltd and is documented in [R4].

4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault
control measures during hardware and software development (if applicable) and demonstrates full
compliance with IEC 61508 to the end-user. The assessment considers all requirements of IEC
61508. Any requirements that have been deemed not applicable have been marked as such in the
full Safety Case report, e.g. software development requirements for a product with no software.
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
• Development process, including:
o Functional Safety Management, including training and competence recording, FSM
planning, and configuration management
o Specification process, techniques and documentation
o Design process, techniques and documentation, including tools used
o Validation activities, including development test procedures, test plans and reports,
production test procedures and documentation
o Verification activities and documentation
o Modification process and documentation
o Installation, operation, and maintenance requirements, including user documentation
• Product design
o Hardware architecture and failure behavior, documented in a FMEDA
o Hardware Proven-in-use study, as documented in [D23]
The review of the development procedures is described in section 5.1. The review of the product
design is described in section 5.2.

4.2 Assessment level


The Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override have been assessed per
IEC 61508 to the following levels:
• SIL 2 capability, single use (Hardware Fault Tolerance = 0)
• SIL 3 capability, dual use (Hardware Fault Tolerance > 0)
The development procedures have been assessed as suitable for use in applications with a maximum
Safety Integrity Level of 3 (SIL 3) according to IEC 61508.
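As an added worked example (not part of the exida report or its FMEDA), the following Python shows how the FMEDA failure-rate categories feed the Safe Failure Fraction, the IEC 61508-2 Table 2 architectural constraint for a Type A element, and a simplified low-demand PFDavg for the single (HFT = 0) and redundant (HFT = 1) arrangements assessed above. The failure rates, proof-test interval and common-cause factor are constructed sample values chosen to land in the 60-90 % SFF band; they are not the Falcon valve's results.

```python
"""FMEDA output feeding an IEC 61508 hardware assessment of a Type A
final element: Safe Failure Fraction (SFF), the architectural constraint
of IEC 61508-2 Table 2, and a simplified low-demand PFDavg for a single
(1oo1, HFT = 0) and a redundant (1oo2, HFT = 1) arrangement.
All numbers below are CONSTRUCTED sample values, not the Falcon FMEDA."""
from dataclasses import dataclass

FIT = 1e-9              # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FmedaRates:
    """Failure rates (per hour) in the four categories an FMEDA yields."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)


def safe_failure_fraction(rates: FmedaRates) -> float:
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total; only
    dangerous undetected failures count against the element."""
    if rates.total <= 0:
        raise ValueError("total failure rate must be positive")
    return (rates.total - rates.dangerous_undetected) / rates.total


# IEC 61508-2 (2000) Table 2 for Type A subsystems: maximum SIL from the
# architecture alone. Rows: (exclusive SFF upper bound, SIL for HFT 0/1/2).
TYPE_A_ARCH_TABLE = (
    (0.60, (1, 2, 3)),   # SFF < 60 %
    (0.90, (2, 3, 4)),   # 60 % <= SFF < 90 %
    (0.99, (3, 4, 4)),   # 90 % <= SFF < 99 %
    (1.01, (3, 4, 4)),   # SFF >= 99 %
)


def max_sil_type_a(sff: float, hft: int) -> int:
    """Architectural constraint for a Type A element."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must lie in [0, 1]")
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for upper_bound, sils in TYPE_A_ARCH_TABLE:
        if sff < upper_bound:
            return sils[hft]
    raise AssertionError("table covers [0, 1]; unreachable")


def pfd_avg_1oo1(rates: FmedaRates, proof_test_hours: float) -> float:
    """Single channel, periodic proof test: lambda_DU * TI / 2."""
    return rates.dangerous_undetected * proof_test_hours / 2.0


def pfd_avg_1oo2(rates: FmedaRates, proof_test_hours: float, beta: float) -> float:
    """1oo2 with common-cause fraction beta (IEC 61508-6 simplified form,
    repair times neglected): 2*((1-beta)*lambda_DU)^2 * (TI/2)*(TI/3)
    plus the common-cause term beta*lambda_DU*TI/2."""
    ldu = rates.dangerous_undetected
    independent = ((1.0 - beta) * ldu * proof_test_hours) ** 2 / 3.0
    common_cause = beta * ldu * proof_test_hours / 2.0
    return independent + common_cause


def sil_band_from_pfd(pfd_avg: float) -> int:
    """Low-demand SIL band of a PFDavg value (IEC 61508-1 Table 2);
    0 means the value is too high for any SIL."""
    if pfd_avg < 0:
        raise ValueError("PFDavg cannot be negative")
    for threshold, sil in ((1e-1, 0), (1e-2, 1), (1e-3, 2), (1e-4, 3)):
        if pfd_avg >= threshold:
            return sil
    return 4


def achievable_sil(rates: FmedaRates, hft: int, proof_test_hours: float,
                   beta: float) -> int:
    """Lower of the architectural constraint and the PFDavg band. The
    PFDavg is this element's share only; a complete safety function also
    carries the sensor and logic solver contributions."""
    arch_sil = max_sil_type_a(safe_failure_fraction(rates), hft)
    if hft == 0:
        pfd = pfd_avg_1oo1(rates, proof_test_hours)
    elif hft == 1:
        pfd = pfd_avg_1oo2(rates, proof_test_hours, beta)
    else:
        raise NotImplementedError("only 1oo1 and 1oo2 are shown here")
    return min(arch_sil, sil_band_from_pfd(pfd))


# Constructed sample: 300 FIT safe undetected, 100 FIT dangerous undetected,
# no self-diagnostics, as one might expect of a purely mechanical valve.
SAMPLE = FmedaRates(0.0, 300 * FIT, 0.0, 100 * FIT)
PROOF_TEST = 1.0 * HOURS_PER_YEAR   # assumed annual proof test
BETA = 0.10                          # assumed common-cause fraction
```

With these sample values the SFF is 75 %, so the architecture alone caps a single valve at SIL 2 and a 1oo2 pair at SIL 3, the same pattern the report states for the Falcon valves; the PFDavg band is then checked separately and the lower of the two governs.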

5 Results of the IEC 61508 Functional Safety Assessment
exida assessed the development process used by Westlock Controls for this development against
the objectives of IEC 61508 parts 1 and 2. The assessment was done on August 31, 2005 on-site
at Saddle Brook, NJ.
RGS Electro-Pneumatics Ltd is the OEM supplier of the coils, spools and sealing kits. As RGS
Electro-Pneumatics Ltd is also the original designer of the Falcon Pneumatic 3 Way Spool valves,
*S****0 w/o manual override and is involved in any modification activities, the development process
used by RGS is a critical part of the assessment. The development process of RGS Electro-
Pneumatics Ltd was assessed to IEC 61508 by exida. The RGS Electro-Pneumatics Ltd IEC 61508
assessment report (draft) [D24] and documentation provided as part of that assessment served as
input to the Westlock Controls Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override
IEC 61508 assessment.
A Safety Case was also completed, see [R4]. For the Safety Case, the emphasis for the
assessment of Westlock Controls was on the modification process and installation, operation, and
maintenance requirements, including user documentation and field return procedures.

5.1 Lifecycle Activities and Fault Avoidance Measures


Westlock Controls has a procedure in place for new product development and for product
variations. There are specific deliverables, reviews and approvals discussed in these. The product
variation process applies to the existing Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual
override design. The development processes are documented in [D2] and [D3]. No software is part
of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override design, and therefore
the IEC 61508 requirements specific to software and software development do not apply.
The development process of RGS Electro-Pneumatics Ltd was assessed to IEC 61508 by exida.
The assessment report [D24] was input to the Westlock Controls assessment. As part of the RGS
Electro-Pneumatics Ltd IEC 61508 assessment, RGS provided evidence documents in the form of
development process artifacts / development procedures to demonstrate compliance to the IEC
61508 standard. In the RGS Electro-Pneumatics Ltd IEC 61508 assessment report it is concluded
that the RGS design process is IEC 61508 compliant.
This functional safety assessment has shown that the relevant phases of the Westlock Controls
development process sufficiently meet the requirements of IEC 61508, SIL 3. The assessment
investigated the compliance with IEC 61508 of the processes, procedures and techniques as
implemented for the Westlock Controls modification process.
In addition, this functional safety assessment has shown that the RGS Electro-Pneumatics Ltd
development process sufficiently meets the requirements of IEC 61508, SIL 3 as documented in
[D24].
The result of the assessment can be summarized by the following observations:
The audited Westlock Controls modification process complies with the relevant managerial
requirements of IEC 61508 SIL 3. The RGS Electro-Pneumatics Ltd development process
complies with the relevant managerial requirements of IEC 61508 SIL 3.

5.1.1 Functional Safety Management
FSM Planning
As the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override are an existing product,
the Westlock Controls product variation development process applies to any product variations.
Specific deliverables, reviews, and approvals are documented in [D3]. This process and procedures
referenced herein fulfill the requirements of IEC 61508 with respect to functional safety
management. All Westlock Controls design documents, such as drawings, match RGS design
documentation. RGS has a special check in its modification process to see if modifications impact
Westlock Controls. Westlock Controls defines responsibilities in the Quality Assurance Manual.
This is deemed sufficient for the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual
override given its low complexity.
RGS Electro-Pneumatics Ltd has a 3 stage development process (Concept, Feasibility, Capability)
in place for product development with specific deliverables, reviews and approvals. This is
documented in the Design and Development File [D25] used to specify each development project.
The same process is used for modifications. This process and procedures referenced herein fulfill
the requirements of IEC 61508 with respect to functional safety management.
Version Control
All documents called out in the Westlock Controls Quality Assurance Manual and sub-
procedures are under version control. The Quality Assurance Manual and sub-procedures such as
[D4] specify that documents and design drawings are under version control with revision numbers
and dates.
At RGS all documents called out in the Design and Development File are under version control
per [D26]. Design drawings and documents are also under version control.
Training, Competency recording
Westlock Controls Human Resources maintains appropriate records of education, experience,
training and qualifications. Department managers are responsible for identifying and providing the
training needs for their department and for maintaining records of in-process training.
RGS personnel training records are kept per [D27]. The procedure and records were examined and
found up-to-date and sufficient.
Westlock Controls hired exida to be the independent assessor per IEC 61508 and to provide
specific IEC 61508 knowledge.

5.1.2 Safety Requirements Specification and Architecture Design


Since RGS is the original developer of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o
manual override and is involved in any modification activities, this lifecycle phase applies to RGS.
Compliance with the requirements for this lifecycle phase is covered in the RGS IEC 61508
assessment report.

The first step for any new development is the creation of a Design Specification per the Design and
Development File [D25]. The creation of the design specification is a combined effort by marketing
and engineering. This ensures that the design requirements are understood correctly by
engineering. The Design and Development File uses a template for the design specification, which
ensures completeness of the requirements. The template captures in detail all the requirements for
the devices, such as critical functions, performance targets etc. exida reviewed the content of the
specification for completeness per the requirements of IEC 61508.
As the valves are simple electro-mechanical devices, there is no need for a separate architecture
design phase. The design concepts, which follow the design specification, will indicate if the design
is new or based on an existing design.
Requirements as specified in the Design Specification are tracked through all development phases,
simply by the fact that they are contained in the Design and Development file which guides a
development project through all development lifecycle phases.
Items from IEC 61508-2, Table B.1 include project management, documentation, separation of
safety requirements from non-safety requirements, structured specification, and inspection of the
specification. As the function of the valve is simple and clearly defined there is no need for semi-
formal methods such as functional block diagrams. The application is considered when specifying
the requirements; the devices may be required to meet specific applications standards. This meets
SIL 3.

5.1.3 Hardware Design


Since RGS is the original developer of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o
manual override and is involved in any modification activities, this lifecycle phase applies to RGS.
Compliance with the requirements for this lifecycle phase is covered in the RGS IEC 61508
assessment report.
The hardware design process consists of two distinct phases: concept and feasibility. During the
concept phase all possible solutions are reviewed and the most promising is detailed. At this time a
Design and Development File will be created which contains requirements, test specifications, etc.
The test specifications are considered equivalent to the validation plan required by IEC 61508.
In the feasibility phase, the design is further detailed and testing is performed on beta units. Design
reviews are performed per the Design and Development File [D25]. RGS Electro-Pneumatics Ltd
has standards for documentation with specified output documents.
RGS Electro-Pneumatics Ltd uses Autocad Lite and Design manager as development tools.
Version numbers are listed and re-qualification is done when the tool vendor makes revisions. Re-
qualification is done annually at the management review to ensure continued suitability. This meets
SIL 3.
Items from IEC 61508-2, Table B.2 should include observance of guidelines and standards, project
management, documentation, structured design, modularization, use of well-tried components, and
computer-aided design tools.

5.1.4 Validation
Since RGS is the original developer of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o
manual override and is involved in any modification activities, this lifecycle phase applies to RGS.
Compliance with the requirements for this lifecycle phase is covered in the RGS IEC 61508
assessment report. As the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override are
purely electro-mechanical devices with a simple safety function, no separate integration
testing is necessary.
Validation Testing is done via a set of documented tests, the RGS Test Specification Documents
[D28], as required by the Design and Development File [D25]. The tests are traceable to the
requirements via the Design and Development File. In addition to the standard Test Specification
Documents, third party testing may be included as part of agency approvals. As the Falcon
Pneumatic 3 Way Spool valves, *S****0 w/o manual override are purely electro-mechanical devices
with a simple safety function, no separate integration testing is necessary. However, the
solenoids do undergo several separate tests before valve body and solenoid are integrated; this is
part of the RGS Test Specification Documents. The Falcon Pneumatic 3 Way Spool valves, *S****0
w/o manual override perform only 1 safety function, which is extensively tested under various
conditions during validation testing.
Procedures are in place for corrective actions to be taken when tests fail. Every run of the RGS
Test Specification Documents is documented in a test report and reviewed. The test reports are
included in the Design and Development File for the project.
Items from IEC 61508-2, Table B.3 should include functional testing, project management,
documentation, and black-box testing (for the considered devices this is similar to functional
testing). Field experience and statistical testing via regression testing are not applicable. This
meets SIL 3.
Items from IEC 61508-2, Table B.5 should include functional testing and functional testing under
environmental conditions, project management, documentation, failure analysis (analysis on
products that failed), and expanded functional testing and black-box testing. Interference surge
immunity testing is not applicable and fault insertion testing is not feasible for these devices.
Instead a detailed FMEDA was performed. This would meet SIL 3.

5.1.5 Verification
Since RGS is the original developer of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o
manual override and is involved in any modification activities, this lifecycle phase applies to RGS.
Compliance with the requirements for this lifecycle phase is covered in the RGS IEC 61508
assessment report.
The development and verification activities are defined in the Design and Development File [D25].
For each phase the objectives, the required input and output documents, and the review
activities are stated. QA forms are used to facilitate the verification activities at the concept, feasibility and
capability stages, see [D29], [D30], and [D31] respectively. All verification activities are
documented. Given that the solenoids only perform a single safety function, this meets SIL 3.

5.1.6 Modifications
Westlock Controls design changes are controlled by revision numbers and dates, and are initiated
by Engineering Change Notices, see Engineering Change Notice Procedure [D5]. All Westlock
Controls design documents, such as drawings, match RGS design documentation. RGS has a
special check in its modification process to see if modifications impact Westlock Controls. RGS is
responsible for checking if design changes affect functional safety.

For RGS, compliance with the requirements for this lifecycle phase is covered in the RGS IEC
61508 assessment report. Modifications are done per the QA Document/Engineering Change Note
Form [D32]. The D/ECN form subsequently becomes part of the Design and Development File. The
D/ECN system allows the user to identify if the change affects functional safety. Affected
documents and/or drawings are also listed. If design changes are identified as a result of an
D/ECN, they are usually treated as a derived product and therefore the same general procedure is
used for both new development and modifications. All design change requests are reviewed to
determine if there is any negative impact on product safety. This review is done by both the
assigned engineer and the appropriate engineering manager (others may be included in the review
as necessary). This meets SIL 3.
Westlock Controls has a field return process in place as described in [D1]. Field returns are
evaluated by Quality Assurance. Returns that require modification to the Falcon Pneumatic 3 Way
Spool valves, *S****0 w/o manual override are communicated to RGS. If it is determined that a non-
conformity affects functional safety, Westlock Controls will notify its customers per [D6]. For RGS a
similar process is in place.

5.1.7 User documentation
Westlock Controls creates the user documentation listed in [D7]. Additionally, Westlock
Controls created a safety manual for the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o
manual override, see [D8]. The Safety Manual complies with the relevant SIL 3 requirements of IEC
61508; it includes all required operation, maintenance, and proof test procedures.
Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user
friendliness, maintenance friendliness, project management, documentation, limited operation
possibilities (the valve performs a well-defined action) and operation only by skilled operators
(operators familiar with this type of valve, although this is partly the responsibility of the end
user). This meets SIL 3.

5.2 Hardware Assessment
To evaluate the hardware design of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual
override, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida. This is
documented in [R1] and [R2]. A Failure Modes and Effects Analysis (FMEA) is a systematic way to
identify and evaluate the effects of different component failure modes, to determine what could
eliminate or reduce the chance of failure, and to document the system under consideration. An
FMEDA (Failure Mode Effect and Diagnostic Analysis) is an extension of the FMEA. It combines
standard FMEA techniques with extensions to identify online diagnostic techniques and the failure
modes relevant to safety instrumented system design.
From the FMEDA, failure rates are derived for each important failure category. Table 1 lists these
failure rates as reported in the FMEDA report. The failure rates are valid for the useful life of the
devices. Based on general field failure data, a useful life period of approximately 3 to 10 years is
expected for the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override. This is listed
in the FMEDA report.

Table 1 Failure rates according to IEC 61508

Device                     λsd       λsu (2)    λdd       λdu       SFF
3-way Falcon               0 FIT     1843 FIT   0 FIT     538 FIT   77.4%
3-way Falcon with PVST     504 FIT   1339 FIT   533 FIT   5 FIT     99.8%
For SIL 2 applications, single use, the PFDAVG value of the Safety Instrumented Function needs to
be ≥ 10^-3 and < 10^-2. The FMEDA reports list the percentage of this budget that the Falcon
Pneumatic 3 Way Spool valves, *S****0 w/o manual override use. The solenoid valve uses less than
25% of this budget when a proof test is performed yearly, which is relatively high. The Falcon
Pneumatic 3 Way Spool valves, *S****0 w/o manual override contribute significantly less to the
overall PFDAVG of the Safety Instrumented Function when Partial Valve Stroke Testing is performed.
These results must be considered in combination with the PFDAVG values of the other devices of a
Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity
Level (SIL). The Safety Manual states that the application engineer should calculate the PFDAVG
for each defined safety instrumented function (SIF) to verify the design of that SIF.
The architectural constraints requirements of IEC 61508-2, Table 2 were also reviewed. The Safe
Failure Fraction (SFF) for the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o manual override
is between 60% and 90%. Therefore the valves can be used in SIL 2 applications, single use, and in
SIL 3 applications with a hardware fault tolerance of 1. When Partial Valve Stroke Testing is
implemented with diagnostic feedback, the Safe Failure Fraction (SFF) for the Falcon Pneumatic 3
Way Spool valves, *S****0 w/o manual override is greater than 90% and the valves can then be used
in SIL 3 applications, single use.
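The following is an added worked example; it is not part of the exida report or of the Westlock Controls/RGS documentation. It reproduces, from the Table 1 figures, the three numbers the two preceding paragraphs rely on: the Safe Failure Fraction (λSD + λSU + λDD over the total), the simplified 1oo1 low-demand PFDAVG with a yearly proof test (λDU × TI / 2, neglecting repair time and proof test coverage, which is a simplification and not the FMEDA report's method), the share of the SIL 2 budget that PFDAVG consumes, and the IEC 61508-2 Table 2 lookup for a type A element. The quarterly PVST interval used for the PVST variant is an assumption; the report does not state one.

```python
from dataclasses import dataclass
from typing import Optional

FIT = 1e-9               # 1 FIT = 1e-9 failures per hour
HOURS_PER_YEAR = 8760.0

# Low demand PFDavg bands (IEC 61508-1, Table 2): SIL n <=> 10^-(n+1) <= PFDavg < 10^-n
PFD_BAND = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# IEC 61508-2 Table 2 for type A subsystems. Band index = number of SFF bounds
# passed; each row gives the maximum SIL claimable at HFT 0, 1 and 2.
SFF_BOUNDS = (0.60, 0.90, 0.99)
TABLE_2_TYPE_A = ((1, 2, 3),   # SFF < 60 %
                  (2, 3, 4),   # 60 % <= SFF < 90 %
                  (3, 4, 4),   # 90 % <= SFF < 99 %
                  (3, 4, 4))   # SFF >= 99 %


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT, split into the four IEC 61508 categories."""
    lam_sd: float   # safe detected
    lam_su: float   # safe undetected (includes "no effect" failures, see note 2)
    lam_dd: float   # dangerous detected (here: revealed by PVST)
    lam_du: float   # dangerous undetected (revealed only by the proof test)

    @property
    def total(self) -> float:
        return self.lam_sd + self.lam_su + self.lam_dd + self.lam_du

    @property
    def sff(self) -> float:
        """Safe Failure Fraction: every category except dangerous undetected."""
        return (self.lam_sd + self.lam_su + self.lam_dd) / self.total


# Figures copied from Table 1 of this report.
FALCON = FailureRates(lam_sd=0, lam_su=1843, lam_dd=0, lam_du=538)
FALCON_PVST = FailureRates(lam_sd=504, lam_su=1339, lam_dd=533, lam_du=5)


def pfd_avg_1oo1(rates: FailureRates, proof_test_years: float,
                 diagnostic_interval_hours: Optional[float] = None) -> float:
    """Simplified 1oo1 PFDavg for low demand mode.

    A dangerous undetected failure is present, on average, for half the proof
    test interval; a dangerous failure detected by an online diagnostic (PVST)
    is present for half the diagnostic interval. Repair time and imperfect proof
    test coverage are neglected (simplifying assumption, not a report figure).
    """
    pfd = rates.lam_du * FIT * proof_test_years * HOURS_PER_YEAR / 2
    if rates.lam_dd:
        if diagnostic_interval_hours is None:
            raise ValueError("lam_dd > 0 needs a diagnostic (PVST) interval")
        pfd += rates.lam_dd * FIT * diagnostic_interval_hours / 2
    return pfd


def budget_fraction(pfd: float, sil: int) -> float:
    """Share of the SIL's PFDavg budget (the band's upper limit) consumed."""
    return pfd / PFD_BAND[sil][1]


def max_sil_type_a(sff: float, hft: int) -> int:
    """Architectural constraint: highest SIL a type A element may claim."""
    band = sum(sff >= bound for bound in SFF_BOUNDS)
    return TABLE_2_TYPE_A[band][hft]


if __name__ == "__main__":
    pfd = pfd_avg_1oo1(FALCON, proof_test_years=1)
    print(f"no PVST : SFF {FALCON.sff:.1%}, PFDavg {pfd:.2e}, "
          f"{budget_fraction(pfd, 2):.1%} of SIL 2 budget, "
          f"max SIL at HFT 0/1: {max_sil_type_a(FALCON.sff, 0)}/"
          f"{max_sil_type_a(FALCON.sff, 1)}")
    # Quarterly PVST (2190 h) is an assumed interval, not stated in the report.
    pfd_pvst = pfd_avg_1oo1(FALCON_PVST, 1, diagnostic_interval_hours=2190)
    print(f"with PVST: SFF {FALCON_PVST.sff:.1%}, PFDavg {pfd_pvst:.2e}, "
          f"{budget_fraction(pfd_pvst, 2):.1%} of SIL 2 budget, "
          f"max SIL at HFT 0: {max_sil_type_a(FALCON_PVST.sff, 0)}")
```

Both Table 1 rows sum to the same 2381 FIT; PVST only moves failures between categories, which is why the SFF rises from 77.4% to 99.8% while the total does not change. Note that a 1oo2 arrangement (HFT 1) additionally needs the common cause factor β from the Safety Manual, which this example does not model.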
The Technis Assessment report for the Falcon Pneumatic Spool valves includes a proven-in-use
study. Field data (1 application), returns data, and laboratory test data were reviewed. Table 2 lists
the results of the field data and returns data evaluation. The laboratory test data is deemed not
applicable.

(2) Note that the SU category includes failures that do not cause a spurious trip.
Table 2 Failure rates Technis report – field data and returns data

Data Source                  Total failure rate
Field Data Evaluation        100 FIT
Returns Data Evaluation      90 FIT

When compared to the FMEDA-predicted results, it can be concluded that the field-experienced
failure rates do not indicate any systematic problems with the Falcon Pneumatic 3 Way Spool
valves, *S****0 w/o manual override.
For redundant use, common cause failure between the solenoid valves has to be considered. The
Safety Manual includes an estimate of the common cause factor β.
The analysis shows that the design of the Falcon Pneumatic 3 Way Spool valves, *S****0 w/o
manual override meets the hardware requirements of IEC 61508, SIL 2 when used as a single
final element (HFT = 0) and IEC 61508, SIL 3 for redundant use (HFT > 0).

6 Terms and Definitions
Fault tolerance Ability of a functional unit to continue to perform a required function in the
presence of faults or errors (IEC 61508-4, 3.6.3)
FIT Failure In Time (1 × 10^-9 failures per hour)
FMEDA Failure Mode Effect and Diagnostic Analysis
HFT Hardware Fault Tolerance
Low demand mode Mode, where the frequency of demands for operation made on a safety-
related system is no greater than one per year and no greater than twice the
proof test frequency.
PFDAVG Average Probability of Failure on Demand
SFF Safe Failure Fraction: the fraction of failures which lead to a safe state plus
the fraction of failures which are detected by diagnostic measures and lead to a
defined safety action.
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System – Implementation of one or more Safety
Instrumented Functions. A SIS is composed of any combination of
sensor(s), logic solver(s), and final element(s).

Type A (sub)system “Non-Complex” (sub)system (using discrete elements); for details see
7.4.3.1.2 of IEC 61508-2
Type B (sub)system “Complex” (sub)system (using micro controllers or programmable logic); for
details see 7.4.3.1.3 of IEC 61508-2

7 Status of the document
7.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates are
obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use
of these numbers or for the correctness of the standards on which the general calculation methods
are based.

7.2 Releases
This report supersedes Report No. WES 05/08-32 R001 and all of its versions and revisions.
Version: V1
Revision: R0
Version History: V1, R1 Released to Westlock Controls
V1, R0: Draft; October 8, 2009
Authors: Rachel Amkreutz - Iwan van Beurden - William M. Goble - Steven Close
Review: V1, R1: William Goble (exida); October 12, 2009
Release status: Released

7.3 Future Enhancements
At request of client.

7.4 Release Signatures

Ir. Iwan van Beurden, Senior Safety Engineer

Dr. William M. Goble, Principal Partner

Ir. Rachel Amkreutz, Safety Engineer

Steven Close, Senior Safety Engineer
