
Certification Report

Safety Related Level Sensor


Client: [COMPANY], City, Country
Number: 176.101.2
Revision: 0
Date: 2005.12.13

Author(s): Dr.ir. M.J.M. Houtermans, W. Velten-Philipp

Risknowlogy GmbH
Industriestrasse 47
6300 Zug
Switzerland
www.risknowlogy.com

RISKNOWLOGY
Certification Report: 176.101.2-0
Safety Related Level Sensor
[COMPANY], City, Country

© 2002 - 2007 Risknowlogy GmbH

All Rights Reserved

LIMITATION OF LIABILITY - This report was prepared using best efforts. Risknowlogy does not accept any responsibility for omissions or inaccuracies in
this report caused by the fact that certain information or documentation was not made available to us. Any liability in relation to this report is limited to the
indemnity as outlined in our Terms and Conditions. A copy is available at all times upon request.

Printed in Switzerland

This document is the property of, and is proprietary to Risknowlogy®. It is not to be disclosed in whole or in part and no portion of this document shall be
duplicated in any manner for any purpose without Risknowlogy’s expressed written authorization.

Risknowlogy®, the Risknowlogy logo®, and Functional Safety Data Sheet®, and Spurious Trip Level™ are registered service marks.


Revisions

Revision   Date         Who       Description
0          2005.12.13   MH, WVP   First Release


Table of Contents

Revisions  3
Table of Contents  4
List of Tables  5
List of Figures  5
Terms and Definitions  6
1 Introduction  7
1.1 Objective  7
1.2 About CLIENT  7
1.3 About Risknowlogy  7
2 [PRODUCT] Description  8
2.1 Introduction  8
3 Verification procedure and results  10
3.1 History of the [PRODUCT]  10
3.2 Verification procedure  10
3.3 Management of Functional Safety  10
3.4 Hardware requirements  11
3.5 Measures to control failures  11
3.6 Reliability analysis  12
3.7 Fault injection  13
3.8 Software requirements  13
3.9 Software testing  13
3.10 User documentation  14
3.11 Basic safety, environmental safety and EMC/EMI safety  14
3.12 Application specific requirements  14
3.13 Conclusions  15
References  16


List of Tables

Table 1 – Architecture and configuration overview  9
Table 2 – Functional Safety Characteristics single [PRODUCT] level sensor  12
Table 3 – Architecture and configuration overview  13

List of Figures

Figure 1 – Typical 2oo3 LNG level sensor subsystem  8
Figure 2 – Sub modules [PRODUCT] level sensor  11


Terms and Definitions

Dangerous failure: An internal failure that prevents the [PRODUCT] from carrying out its safety function upon demand. See also safe failure.

Safe failure: An internal failure where a [PRODUCT] carries out its safety function without a demand from the process. This failure can lead to a spurious trip. See also dangerous failure.

Detected failure: An internal failure that is detected by built-in diagnostics. Because of the diagnostics the [PRODUCT] can act upon the failure. See also undetected failure.

Undetected failure: An internal failure that is not detected by built-in diagnostics. See also detected failure.

Diagnostic test: A built-in test, frequently and automatically carried out, to determine whether the [PRODUCT] could carry out its (safety) function without problems.

FMEA: Failure mode and effects analysis.

Functional safety: A [PRODUCT] is functionally safe if random, systematic and common cause failures do not lead to malfunctioning of the system and do not result in injury or death of humans, spills to the environment, or loss of equipment or production.

Hardware fault tolerance: Hardware fault tolerance indicates the number of failures the [PRODUCT] or subsystem can withstand without losing the safety function.

HFT: See hardware fault tolerance.

Periodic test: A test that is initiated by hand on a periodic basis, e.g., once per year, to determine whether the [PRODUCT] can carry out its (safety) function without problems. See also diagnostic test.

PFDavg: The average probability that the safety function has failed upon demand.

PFSavg: The average probability that the safety function causes a spurious trip of the process.

Proof test: See periodic test.

Safety function: Function implemented in the [PRODUCT] required to achieve a safe state of the process.

SIL: Safety Integrity Level.

Safety support function: Function implemented in the [PRODUCT] which is not required to achieve a safe state of the process but which enhances the functionality of the [PRODUCT].

STL: Spurious Trip Level™.

SFF: See safe failure fraction.

Type: The complexity of a [PRODUCT] is designated by Type A or Type B. See IEC 61508, part 2, clauses 7.4.3.1.2 and 7.4.3.1.3.


1 Introduction
1.1 Objective
The objective of this report is to describe the verification and assessment activities of the certification
carried out by Risknowlogy on [COMPANY]’s [PRODUCT] level sensor system. The purpose of the
verification and assessment is to demonstrate that the level sensor system meets the requirements
up to safety integrity level 3 according to the IEC 61508 [1] standard including the requirements, as
far as applicable, of the standards listed in [1].
This report represents a full certification, addressing all requirements of IEC 61508, and is
not limited to a hardware FMEDA.

1.2 About CLIENT


REMOVED

1.3 About Risknowlogy


Risknowlogy is an internationally operating company that offers services, consulting, certification
and training in the field of risk, reliability and safety. Risknowlogy was established in 2002 and has
offices in Switzerland, Argentina, Germany, and The Netherlands. We consider the world as our work
area and each location is obliged to maintain the same quality standards, rules, and business
practices.
The headquarters of the Risknowlogy Corporation is located in Switzerland. Here we perform
business development, market our products and services, create new products and services, train
our employees and service any country in the world that is not serviced by a local organization.


2 [PRODUCT] Description
2.1 Introduction
The [PRODUCT] device is a sensor used for level measurements in storage tanks situated in tank
farms for cryogenic storage of liquefied gases such as liquefied natural gas (LNG) and liquefied
petroleum gas (LPG). The level sensor continuously follows the surface of the liquid and continuously
transmits its position to the safety system (and to the control system if desired). A typical application
using 2oo3 level sensors is shown in Figure 1.
A single [PRODUCT] sensor consists of mechanical hardware, electronic hardware, and embedded
and application specific software. A single sensor transmits two signals to the safety system. One is
the actual level of the liquid and the second is a diagnostic signal indicating the health status of the
sensor. The application (software) of the safety system uses the transmitted signals of the sensor to
determine the appropriate reaction depending on the level of the liquid and the internal status of the
sensor.

Figure 1 – Typical 2oo3 LNG level sensor subsystem

The safety function of one sensor is defined as follows:


Continuously measure the level of [PRODUCT] and compare it to the high over spill set
point. When the set point is reached or passed, trigger the safety relay that is connected
to the safety loop of the safety system.
When the sensor is used in a redundant (dual or triple) architecture the safety function is still the
same. The difference is the voting application in the logic of the safety system, which determines the
reaction of the safety function of the overall system. In a redundant architecture the level sensors
operate completely independently of each other. Table 1 gives an overview of the different level
sensor architectures, their configurations, and the target SIL level for which they are intended to be used.


Table 1 – Architecture and configuration overview

Architecture   Configuration   Target SIL   Remarks
1oo1           1 x [PRODUCT]   2
1oo2           2 x [PRODUCT]   3
2oo3           3 x [PRODUCT]   3            Required to meet NFPA 59

Safety-related software components


The [PRODUCT] uses firmware version V 6.28. The application specific settings of the software can
only be programmed by [COMPANY]’s qualified design engineers and are set at the [COMPANY]
factory. They are burned into an EPROM and the software and the parameters cannot be changed
without changing the EPROM. The correctness of the firmware version can be verified in the LNG
Manager software.

Non safety-related software components


The end-user cannot install any additional non safety-related software onto the device. With the LNG
Manager the end-user can monitor the level in the tank and the status of the sensor.


3 Verification procedure and results


3.1 History of the [PRODUCT]
The [PRODUCT] is not a newly developed product. It is based on an already existing level sensor,
which was first released in 1996. Since its initial release only minor changes have been made to
hardware and software. None of these changes were safety related [H4]. In 2004 [COMPANY]
decided to use the [PRODUCT] as the basis for the sensors to be used in safety loops according to
IEC 61508 / 61511 [1,5]. The [PRODUCT] had to be adjusted to meet the requirements of the
IEC 61508 standard.

3.2 Verification procedure


The test procedure includes a complete verification and assessment, including a review of the status
of the [PRODUCT] at that time. The procedure included the following review and assessment
activities:
- Management of Functional Safety
- Hardware requirements
- Reliability analysis
- Software requirements
- User documentation
- Basic safety, environmental and EMC/EMI requirements
- Application specific standards
This procedure addresses all the requirements of IEC 61508 and is not limited to a hardware
FMEDA. The following paragraphs describe the verification activities performed and their results.

3.3 Management of Functional Safety


[COMPANY] is an ISO 9001:2000 certified company [13]. Their quality system is also compliant with
the ATEX directive [14]. The management of functional safety requirements is not represented in
sufficient detail as required by IEC 61508 [1]. To assure that the changes to the [PRODUCT] were
carried out in line with the management of functional safety requirements, [COMPANY] created the
following two documents:
- Safety plan [7]
- Verification and validation plan [8]

The safety plan describes the managerial and technical activities for the project. The verification
and validation plan describes who will carry out which verification activities and when.
Risknowlogy reviewed the two documents for completeness and correctness. The two documents
represent all the requirements of management of functional safety. The review of the documentation
did not lead to any objections.

3.3.1 Lifecycle
The lifecycle used for this project is described in the safety plan [7]. The lifecycle differs from the
hardware and software lifecycle as defined in IEC 61508.


Risknowlogy reviewed the lifecycle to assure that it meets the objectives of the hardware and
software lifecycle defined in IEC 61508 [1]. The review of the lifecycle did not lead to any objections.

3.3.2 Measures to avoid failures


The measures to avoid failures to be used are documented in the safety plan [7]. They are verified
according to the verification and validation plan [8]. Besides the measures to avoid failures as defined
by IEC 61508, Risknowlogy requested [COMPANY] to define additional measures for the mechanical
part of the sensor.
Risknowlogy reviewed the measures to avoid failures for completeness and correctness according
to IEC 61508. The review did not lead to any objections.

3.4 Hardware requirements

3.4.1 Safety concept


The safety requirements and safety concept of the [PRODUCT] level sensor are described in the
safety requirement specification [9]. From this specification it can be derived that a single [PRODUCT]
sensor is used as a low demand system and consists of mechanical and electronic hardware and of
embedded and application specific software. The device can be divided into three subsystems as
shown in Figure 2. The division is based on the type of the subsystem according to IEC 61508. A
single sensor is a mixed-Type subsystem.

Figure 2 – Sub modules [PRODUCT] level sensor (figure not reproduced: the level sensor subsystem
1143-2 is split into three subsystems, mechanical hardware (Type A), electronic hardware (Type A)
and electronic hardware (Type B))


The embedded and application software of the device is developed according to the requirements
of SIL 3 [10].

3.5 Measures to control failures


The [PRODUCT] did not have all the measures to control failures needed to meet the requirements of
the IEC 61508 standard. After an initial review with Risknowlogy it was decided which measures to
control failures needed to be implemented. The actual measures are documented in [9,10].
Risknowlogy has reviewed the measures to control failures. This did not lead to any objections.


3.6 Reliability analysis


[COMPANY] has carried out a qualitative and quantitative FMEA analysis [11] to analyze the failure
behavior and the effectiveness of the measures to control failures. Risknowlogy has reviewed the
FMEA for correctness and completeness.
The following is an overview of the functional safety characteristics of a single [PRODUCT] device,
per subsystem of the device. These characteristics have been derived from [9,10,11].

Table 2 – Functional Safety Characteristics single [PRODUCT] level sensor

Subsystem                                   Mechanical   Electronics   Electronics
Type                                        A            A             B
Hardware fault tolerance                    0            0             0
Safe failure fraction                       99.0%        93.2%         95.8%
Safe detected failure rate [/h]             1.49E-9      2.00E-7       1.80E-8
Safe undetected failure rate [/h]           1.50E-11     3.86E-8       9.50E-9
Dangerous detected failure rate [/h]        1.32E-7      3.07E-7       1.80E-8
Dangerous undetected failure rate [/h]      1.34E-9      3.97E-8       2.00E-9
Maximum achievable SIL based on hardware    3            3             2
Software                                    SIL 3

A single [PRODUCT] is fit for use in SIL 2. Because the software is developed according to the
requirements of SIL 3 it is possible to use redundant devices up to SIL 3. An overview of the possible
architectures and configurations is given in Table 3. Risknowlogy has carried out PFDavg and
PFSavg calculations for the low demand subsystems for all three architectures. The calculations are
based on Markov models and the reliability data of Table 2.


Table 3 – Architecture and configuration overview

Attribute                                 1oo1            1oo2            2oo3
Configuration                             1 x [PRODUCT]   2 x [PRODUCT]   3 x [PRODUCT]
Hardware fault tolerance                  0               1               1
PFDavg after 1 year                       1.802e-004      4.404e-008      3.287e-007
Fit for use in Safety Integrity Level     2               3               3
Percentage of SIL after 1 year            0.180%          0.004%          0.033%
PFSavg after 1 year                       1.154e-006      9.701e-005      1.918e-010
Fit for use in Spurious Trip Level™       5               4               9

The reliability analysis shows that the architectural constraints and the PFD values are met for each
specified architecture with its applicable SIL level. The analysis did not lead to any objections.
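The SIL claims in Tables 2 and 3 follow from two separate checks: the architectural constraints of IEC 61508-2 (safe failure fraction and hardware fault tolerance per subsystem, with a Type B subsystem limiting a single device to SIL 2) and the PFDavg band of the whole architecture, with the software SIL as a further cap. The script below, added here as an illustration and not part of the report or of [COMPANY]'s analysis, recomputes the SFF values of Table 2 from the failure rates, applies the IEC 61508-2 (2000) Tables 2 and 3 architectural-constraint lookups, and combines them with the PFDavg figures of Table 3. The simplified approximation PFDavg ≈ λDU × T / 2 for the 1oo1 case is an assumption used only as a sanity check; the report's own figures come from Markov models and differ slightly.

```python
"""Recomputation of the SIL claims in Tables 2 and 3 (added example).

Failure rates, HFT and PFDavg values are taken from the report's tables.
The architectural-constraint tables and low-demand SIL bands reproduce
IEC 61508-2 / 61508-1 (2000). The lambda_DU * T / 2 approximation is an
assumption for a sanity check, not the report's Markov calculation.
"""

# Table 2 of the report: per-subsystem failure rates [/h].
SUBSYSTEMS = {
    "mechanical":    {"type": "A", "sd": 1.49e-9, "su": 1.50e-11, "dd": 1.32e-7, "du": 1.34e-9},
    "electronics_A": {"type": "A", "sd": 2.00e-7, "su": 3.86e-8,  "dd": 3.07e-7, "du": 3.97e-8},
    "electronics_B": {"type": "B", "sd": 1.80e-8, "su": 9.50e-9,  "dd": 1.80e-8, "du": 2.00e-9},
}

# Table 3 of the report: HFT and Markov PFDavg after one year per architecture.
ARCHITECTURES = {
    "1oo1": {"hft": 0, "pfdavg_1y": 1.802e-4},
    "1oo2": {"hft": 1, "pfdavg_1y": 4.404e-8},
    "2oo3": {"hft": 1, "pfdavg_1y": 3.287e-7},
}

SOFTWARE_SIL = 3          # section 3.4.1: software developed to SIL 3 requirements
PROOF_TEST_HOURS = 8760   # one year, matching the "after 1 year" column of Table 3

# IEC 61508-2 (2000) Tables 2 (Type A) and 3 (Type B): max SIL per SFF band and
# HFT 0/1/2. Bands: <60%, 60-90%, 90-<99%, >=99%. None means not allowed.
_ARCH_TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))]
_ARCH_TYPE_B = [(0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))]


def safe_failure_fraction(rates):
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / sum of all failure rates."""
    not_dangerous_undetected = rates["sd"] + rates["su"] + rates["dd"]
    return not_dangerous_undetected / (not_dangerous_undetected + rates["du"])


def max_sil_from_architecture(sub_type, sff, hft):
    """Architectural-constraint lookup for one subsystem at a given HFT."""
    table = _ARCH_TYPE_A if sub_type == "A" else _ARCH_TYPE_B
    for upper_bound, sils in table:
        if sff < upper_bound:
            return sils[hft]
    raise ValueError("SFF outside [0, 1]")


def sil_from_pfdavg(pfd):
    """Low-demand SIL band of IEC 61508-1 Table 2; below 1e-5 is capped at SIL 4."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4)):
        if pfd >= lower:
            return sil
    return 4


def claimable_sil(architecture):
    """Lowest of: every subsystem's architectural limit, the PFDavg band, software SIL."""
    arch = ARCHITECTURES[architecture]
    hardware_limits = [
        max_sil_from_architecture(s["type"], safe_failure_fraction(s), arch["hft"])
        for s in SUBSYSTEMS.values()
    ]
    if any(limit is None for limit in hardware_limits):
        return 0  # a subsystem is not allowed at this HFT at all
    return min(min(hardware_limits), sil_from_pfdavg(arch["pfdavg_1y"]), SOFTWARE_SIL)


def simplified_pfdavg_1oo1(proof_test_hours=PROOF_TEST_HOURS):
    """Assumption: PFDavg ~ lambda_DU * T / 2 with the dangerous undetected rates summed."""
    lambda_du = sum(s["du"] for s in SUBSYSTEMS.values())
    return lambda_du * proof_test_hours / 2


if __name__ == "__main__":
    for name, sub in SUBSYSTEMS.items():
        sff = safe_failure_fraction(sub)
        print(f"{name:14s} SFF={sff:6.1%}  HFT0 max SIL={max_sil_from_architecture(sub['type'], sff, 0)}")
    for arch in ARCHITECTURES:
        print(f"{arch}: claimable SIL {claimable_sil(arch)}")
    print(f"1oo1 simplified PFDavg ~ {simplified_pfdavg_1oo1():.3e} (report, Markov: 1.802e-4)")
```

The single-device result is SIL 2 even though its PFDavg sits in the SIL 3 band, because the Type B electronics subsystem at HFT 0 is limited to SIL 2 by the architectural constraints; with HFT 1 (1oo2, 2oo3) that limit rises to SIL 3 and the software SIL becomes the binding cap. This is the reasoning the report summarises in the paragraph after Table 2.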

3.7 Fault injection


[COMPANY] has carried out fault injection tests on the actual device [19]. The tests were specified
together with Risknowlogy and were based on the FMEA [11]. During a meeting a random selection
of the tests was repeated and witnessed by Risknowlogy.

Risknowlogy reviewed the fault injection test results. This did not lead to any objections.

3.8 Software requirements

3.8.1 Software architecture


The software architecture described in [10] is structured and modular. The software itself was
developed in 1995 and since then only minor enhancements have been made, solely to improve
performance aspects. The changes made only affect certain modules of the architecture and did
not affect the level measurement functionality of the device. The changes and the tests carried out to
verify the changes were documented [10]. To comply with IEC 61508 the software had to be modified
to include enhanced and new diagnostic features. The new software was developed considering the
V-model and the SIL 3 requirements of IEC 61508.
Risknowlogy reviewed the software architecture and the additional requirements. This did not lead
to any objections.

3.9 Software testing


The procedure for software testing was based on two aspects. The software architecture is modular,
and the modules that had not been changed since the initial development were analyzed for proven in
use. This is described in [10]. The new code needed to be developed according to the SIL 3
requirements of IEC 61508. The requirements are described in [10] and the verification and validation
plan included the appropriate measures to avoid and control failures [8]. The testing was carried out
by [COMPANY] and verified by Risknowlogy [30,31,32].
Risknowlogy has verified the software tests. This did not lead to any objections.

3.10 User documentation


[COMPANY] has written a user manual [33]. This user manual contains a chapter on functional safety
requirements. The end-user needs to read and apply the safety instructions described in the manual.
Risknowlogy reviewed the user manual for completeness and correctness. The review did not lead
to any objections.

3.11 Basic safety, environmental safety and EMC/EMI safety

3.11.1 Basic safety


Basic safety for products used in the process industry is covered by IEC 61010-1 [2].
[COMPANY] provided test reports for ATEX and IEC 61010-1. The equipment is powered by line
mains (110 or 230 VAC) and connected to earth (Class I). The test report [14] was reviewed by
Risknowlogy without objections.

3.11.2 Electromagnetic compatibility and environmental simulation tests


Environmental tests have been performed according to the requirements of IEC 61010 [34].

3.12 Application specific requirements


The [PRODUCT] sensors need to be configured in a 2oo3 architecture if they are used for LNG
applications as specified by NFPA 59 and 59A [5,6]. More details for the end-user are available in the
user manual [33] and the NFPA standards. The maximum SIL level that can be claimed for a 2oo3
architecture with [PRODUCT] sensors is described in paragraph 3.6.
Risknowlogy reviewed the requirements of the NFPA standards and did not find any objections to
using the 2oo3 architecture for this purpose.


3.13 Conclusions
The full Risknowlogy certification of the [PRODUCT] level sensor demonstrates that the sensor is
suitable for safety related loops up to SIL 3 according to IEC 61508 and IEC 61511. The instructions
of the safety manual need to be considered for proper use of the [PRODUCT] and are an integral part
of this certification report.


References

The following references have been used during this certification project.
1 IEC 61508:2000, parts 1 – 7
Functional safety of electrical/electronic/programmable electronic safety related systems
2 IEC 61010-1:2001
Safety requirements for electrical equipment for measurement, control, and laboratory use
- Part 1: General requirements
3 EN 61326-1:1997 and annex A1:1998, A2:2001, and A3:2003
Electrical equipment for measurement, control and laboratory use - EMC requirements
4 IEC 61511, Parts 1-3: 2004
Functional safety
Safety instrumented systems for the process industry sector
5 NFPA 59:2004
Utility LP-Gas Plant Code
6 NFPA 59A:2001
Standard for the Production, Storage, and Handling of Liquefied Natural Gas (LNG)
7 [COMPANY], Safety Plan System 1143MK2, ID 1143 MKII /SAFETY PLAN, Version 2, 2005-09-01
8 [COMPANY], Verification And Validation Plan, ID 1143MKII/V&V, Version 0, 2005-09-1
9 [COMPANY], Safety requirements specification System 1143MK2, ID 1143 MKII /SRS, Version 4, 2005-09-01
10 [COMPANY], Software Requirement Specification And High Level Software Architecture Description. 1143mk2, ID 1143 MKII /software requirement specification, Version 1, 2005-10-26
11 [COMPANY], FMEA, excel spreadsheet, version E, 2005-9-11
12 [COMPANY], Hardware Fault Injection Report, Version 0, 2005-10-28
13 BVQI, NF EN ISO 9001:2000 certificate, number 175608, 2005-08-25
14 INERIS, ATEX certificate, Notification Number INERIS 03ATEXQ409, 2003-08-01
15 Bureau Veritas, Certificate of Conformity to the Directive 89/336/EEC dealing with electromagnetic compatibility, 2005-10-27
16 Cofrac, NF EN ISO/CEI 17025, 2002-11-01
17 [COMPANY], Sub-assy inspection, specification and report, 225-02990-112-TES-2, version 2, 2003-11-17
18 [COMPANY], Mechanic Inward Receipt specification and report, 862-22008-990-TME-1, Revision 1, 2004-01-08
19 [COMPANY], Final Inspection specification and report, 01143-TEP-6, Revision 6, 2004-03-18
20 TUV, Certificate 968/EZ 165.00/04, HIMA H4135: Safety Relay, 2004-04-14
21 HIMA, Data Sheet H 4135 (0435)
22 [COMPANY], Assembly drawing Jaugeur Asservi 01143 MKII Coupes sur compartiments produit et adf, reperage, version 2005-07-28
23 [COMPANY], Assembly drawing Jaugeur Asservi 01143 MKII Vues sur compartiments produit et adf, reperage, version 2005-02-19
24 [COMPANY], Jaugeur Asservi 001142, Circuit Intrinseque, PR 225-02990-112, 2005-04-15
25 [COMPANY], Circuit Asservissement, 220V Pour Jaugeur 1143 MK II, PR 225-05059-315, 2005-02-09
26 [COMPANY], Schema de principe CPU Module, 225-05684-111, 2004-10-20
27 [COMPANY], Circuit Borniers Pour Jaugeur 1143 MK II, 225-05680-121, 2005-02-18
28 [COMPANY], Schematic Diagram Bus, 225-05697-111, 2004-11-03
29 [COMPANY], Schematic Diagram Display Module, 225-05683-111, 2004-10-27
30 [COMPANY], Software diagnostic test specification: Autotest, Rev 0; Instruction set check, Rev 1; RAM check, Rev 1; ROM check, Rev 1
31 [COMPANY], Software Module Test Report, Rev 0
[COMPANY], Software Fault Injection Report, Rev 0
32 [COMPANY], Integration Validation Test Report, Rev 0
33 [COMPANY], Installation and Maintenance Manual, Level and Temperature Servo-Gauge, [PRODUCT], 2005-11.
34 LCIE Report 60039536-539381, 2005-11-28

