Certification MSK 200-SIL-DX
Document Type: Technical Report
Client: Mütec Instruments GmbH, Bei den Kämpen 26, 21220 Seevetal-Ramelsloh
Authors: Dipl.-Ing. Wolfgang Velten-Philipp
Verifier: dr.ir. Michel Houtermans
Report: 123.493.10 - Revision 1.0
Status: Released
Date: 2020-06-24



  • Quality Assurance

    Template   Date        Status
    QMT4-1     2020-04-08  Released

    Authors

    Revision  Date        Authors  Reviewers  Assessors
    0         2020-06-24  WVP
    1         2020-06-26  WVP      MH         MH

    Document History

    Revision  Date        Description
    0         2020-06-24  initial
    1         2020-06-26  release after review

    ©Risknowlogy® - All Rights Reserved. LIMITATION OF LIABILITY - This report was prepared using best efforts. Risknowlogy does not accept any responsibility for omissions or inaccuracies in this report caused by the fact that certain information or documentation was not made available to us. Any liability in relation to this report is limited to the indemnity as outlined in our Terms and Conditions. A copy is available at all times upon request.

    This document is the property of, and is proprietary to, Risknowlogy®. The client has the right to duplicate this document in whole and to distribute it in whole. Third parties do not have the right to disclose it in whole or in part, and no portion of this document shall be duplicated by any third party in any manner for any purpose without Risknowlogy's expressed written authorisation.

    Report 123.493.10 Revision 1.0 - Released page 2 of 14

  • Contents

    1 Introduction 6
    1.1 Objective and Scope 6
    1.2 Product Description 6
    1.3 Functional Safety Properties 7

    2 Proven In Use Demonstration 8
    2.1 Restricted Functionality 8
    2.2 Conditions Of Use 8
    2.3 Field Data 8
    2.4 Systematic Capability and Modifications 8
    2.5 Reliability Analysis (FMEDA) 9
    2.6 EMC, Basic Safety and Environmental Testing 12

    3 User Documentation 12

    4 Conclusions 12

    5 Standards 13

    6 References 13

    List of Tables

    1 MSK 200-SIL-DX variants for safety related use 7
    2 Field Data 8
    3 Functional safety data for MSK 200-SIL-DX 10
    4 PFDG for MSK 200-SIL-DX 10

    List of Figures

    1 MSK 200-SIL-DX 6
    2 MSK 200-SIL-DX safety function 7
    3 PFDG for MSK 200-SIL-DX 11


  • Terms and Definitions

    Term            Definition
    PFDG            Average PFD
    PFSavg          Average probability to fail to safe state
    SFF             Safe failure fraction
    DC              Diagnostic coverage
    SC              Systematic capability
    Type A circuit  Non-complex circuitry (e.g. relays, transistors, discrete components)
    Type B circuit  Complex circuitry (e.g. microcontroller, FPGA, ASIC)


  • Parties

    About Mütec Instruments

    Mütec Instruments was founded in 1970 and offers solutions for complex and safety critical problems. Mütec's team of highly experienced professionals and engineers works closely with each client to design a perfectly tailored solution and often forms a close and long-term working relationship with those customers.

    About Risknowlogy

    Risknowlogy was founded in 2002 and is a family owned business. We offer products, services, consulting, certification and training. Risknowlogy certifies hardware, software, solutions, sites, management systems, organisations, and professionals.


  • 1 Introduction

    1.1 Objective and Scope

    The objective of this report is to document the proven in use study carried out for the MSK 200-SIL-DX module. The MSK 200-SIL-DX is applied as a balance voltage supervisor for chlor-alkali electrolysis or for voltage conversion in test systems used in the automotive sector. The purpose of the proven in use study is to demonstrate that the device is suitable for use in safety instrumented functions up to SIL 2 according to IEC 61511 and IEC 61508 [1, 2].

    1.2 Product Description

    The product subject to the proven in use analysis is the MSK 200-SIL-DX. The product is shown in Figure 1.

    Figure 1: MSK 200-SIL-DX

    The MSK 200-SIL-DX measures the input voltage (0-1000 VDC, absolute or differential) with galvanic isolation. Its outputs are a 4-20 mA analogue output and two alarm relays. The development of the MSK 200-SIL-DX is based on the MSK200 development from 1998. The MSK200 held a certificate according to DIN V VDE 0801 and DIN V 19250 for AK4 from TÜV Nord e.V. The MSK 200-SIL-DX therefore includes a safety related architecture and sufficient diagnostic coverage (see the FMEDA results in Table 3).


  • 1.3 Functional Safety Properties

    The functional safety properties according to IEC 61508 are:

    • Safety function: Measure the input voltage and provide a 4-20 mA current signal within a specified accuracy (0.2-5%). In case the accuracy cannot be maintained, the alarm relay (REL3) turns off. The safety function is a logical combination of the alarm relay and the output (current or REL4), see Fig. 2 and the safety manual [5].

    • This is a type B device with hardware fault tolerance 0.

    • The operation mode is low demand mode.

    Figure 2: MSK 200-SIL-DX safety function. (a) Safety related output REL4 combined with alarm REL3; (b) safety related current output combined with alarm REL3. Note: An externally realised logical combination of the signals is possible.

    The conditions of use and constraints are described in the safety manual [5]. The end user is responsible for the validation of the safety function.

    The versions of the MSK 200-SIL-DX which are available for safety related purposes are listed in Table 1.

    Table 1: MSK 200-SIL-DX variants for safety related use

    Hardware Version  2.2.1
    Software Version  4.04


  • 2 Proven In Use Demonstration

    2.1 Restricted Functionality

    The safety function is restricted to the function described in Section 1.3. The functionality is restricted in the sense of [1].

    2.2 Conditions Of Use

    The products considered for proven in use have been used widely in the process industry in similar operating environments [6]. These include more than 10 typical industrial process environments.

    2.3 Field Data

    Mütec has collected field data for the products since 2010 [6]. From the operating hours of each instrument 25% was removed to exclude non-operating hours (e.g. storage times, periods out of operation, etc.). The typical operating time in the process industry is assumed to be 24 hours per day. Mütec has compiled customer feedback and repair data [6]. The data demonstrates that during the time under consideration 41 dangerous and 31 safe failures have occurred, see Table 2.

    Table 2: Field Data

    Product Operating hours Safe Failures Dangerous Failures

    MSK 200-SIL-DX 2.39E8 h 31 41

    2.4 Systematic Capability and Modifications

    The firmware was released in 2006 and the last modification was introduced in 2015, which led to version 4.04. Since 2015 the firmware has been unmodified [7]. The 4 modifications in the time span 2006 to 2015 were related to product improvements and bug fixes. In summary, the modifications are classified as limited, traceable and minor. The modifications are not in contradiction with the proven in use verification process. The systematic capability is sufficient for route 2s according to IEC 61508-7, Annex D with 99% confidence for SIL 2.


    The hardware was released in 2006 (version 1.0); in 2008 a minor modification was performed (v1.01) [8]. Since 2008 the hardware circuitry has been unmodified, except for modifications of component values to adapt the input measurement circuitry to different measurement ranges (versions 1.10 and 1.11) and modifications of the power supply (version 2.2.1) [8]. Furthermore, for the MSK 200-SIL-DX the PCB layout of the input circuit was modified to improve the isolation behaviour. The hardware version of the MSK 200-SIL-DX is 2.2.1. The hardware modifications are likewise not in contradiction with the proven in use verification process because they are limited and minor.

    In summary, the systematic capability is sufficient for SIL 2 (SC 2).

    2.5 Reliability Analysis (FMEDA)

    A qualitative and quantitative reliability study in line with the requirements of the IEC 61508 standard was carried out. The reliability study includes a failure modes, effects and diagnostic analysis (FMEDA) [9]. The FMEDA uses the component failure rates from SN29500 [3] and the failure models from IEC 62061:2005, Annex D [4]. For the analysis an ambient temperature of 40 °C was assumed.

    Table 3 presents a summary of the reliability data derived from the FMEDA and the failure rates calculated from the field data, taking a confidence interval of 90% into account. Figure 3 and Table 4 show the average PFD (PFDG) as a function of the intended proof test interval.

    The FMEDA analysis, which represents design expectations, corresponds with the proven in use data, which represents operational experience.


  • Table 3: Functional safety data for MSK 200-SIL-DX

    Properties                          FMEDA   Proven In Use   90% Confidence
    Type                                B
    Safe failure rate                   331     134             180
    Safe detected failure rate          0       n.a.            n.a.
    Safe undetected failure rate        331     n.a.            n.a.
    Dangerous failure rate              362     172             223
    Dangerous detected failure rate     325     n.a.            n.a.
    Dangerous undetected failure rate   37      n.a.            n.a.
    DC                                  90%     n.a.            n.a.
    Safe failure fraction               95%     n.a.            n.a.

    Notes: Failure rates are in FIT (10^-9 1/h). Confidence interval according to IEC 61508 route 2h.
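    The "Proven In Use" and "90% Confidence" columns of Table 3 follow from the field data in Table 2 (Section 2.3), and the DC and SFF rows follow from the FMEDA column. The script below is an added worked example, not code from the report or from Risknowlogy, that carries those calculations through. It assumes that the 90% confidence value is the upper limit of a two-sided 90% chi-square interval for a time-truncated test (the 95% quantile of chi-square with 2r+2 degrees of freedom), and approximates that quantile with the Wilson-Hilferty formula so that only the Python standard library is needed. With the 2.39E8 h and 41 dangerous failures of Table 2 it reproduces the 172 and 223 FIT of the table; for the 31 safe failures it gives about 130 and 175 FIT against the table's 134 and 180, so the report's safe-failure column evidently rests on a slightly different input that the page does not state.

```python
"""Reproduce the field-data failure rates (Table 3, 'Proven In Use' and
'90% Confidence' columns) from the Table 2 field data, and DC / SFF from
the FMEDA column.  Added worked example; not code from the report.
Labelled assumptions: two-sided 90% interval (95% quantile) and the
Wilson-Hilferty approximation of the chi-square quantile.
"""
from statistics import NormalDist

FIT = 1e-9  # 1 FIT = one failure per 1e9 operating hours

# Field data taken from Table 2 of the report
OPERATING_HOURS = 2.39e8
SAFE_FAILURES = 31
DANGEROUS_FAILURES = 41

# FMEDA column of Table 3, in FIT (values taken from the report)
LAMBDA_SD, LAMBDA_SU = 0.0, 331.0
LAMBDA_DD, LAMBDA_DU = 325.0, 37.0


def chi2_quantile(p: float, df: int) -> float:
    """Wilson-Hilferty approximation of the chi-square p-quantile.
    For the degrees of freedom used here (> 60) the error is well under 1%."""
    z = NormalDist().inv_cdf(p)
    a = 2.0 / (9.0 * df)
    return df * (1.0 - a + z * a ** 0.5) ** 3


def point_estimate_fit(failures: int, hours: float) -> float:
    """Observed failures divided by accumulated operating hours, in FIT."""
    return failures / hours / FIT


def upper_bound_fit(failures: int, hours: float, confidence: float = 0.90) -> float:
    """Upper confidence limit of the failure rate for a time-truncated test:
    chi2(2r + 2, p) / (2T).  p = 1 - (1 - confidence) / 2 is the two-sided
    interpretation assumed here (labelled assumption)."""
    p = 1.0 - (1.0 - confidence) / 2.0
    return chi2_quantile(p, 2 * failures + 2) / (2.0 * hours) / FIT


def diagnostic_coverage(ldd: float, ldu: float) -> float:
    """DC = lambda_DD / (lambda_DD + lambda_DU)."""
    return ldd / (ldd + ldu)


def safe_failure_fraction(lsd: float, lsu: float, ldd: float, ldu: float) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D), IEC 61508-2."""
    return (lsd + lsu + ldd) / (lsd + lsu + ldd + ldu)


def table3_check() -> dict:
    """Rounded values in the form Table 3 prints them."""
    return {
        "dangerous_point_fit": round(point_estimate_fit(DANGEROUS_FAILURES, OPERATING_HOURS)),
        "dangerous_upper_fit": round(upper_bound_fit(DANGEROUS_FAILURES, OPERATING_HOURS)),
        "safe_point_fit": round(point_estimate_fit(SAFE_FAILURES, OPERATING_HOURS)),
        "safe_upper_fit": round(upper_bound_fit(SAFE_FAILURES, OPERATING_HOURS)),
        "dc_percent": round(100 * diagnostic_coverage(LAMBDA_DD, LAMBDA_DU)),
        "sff_percent": round(100 * safe_failure_fraction(LAMBDA_SD, LAMBDA_SU, LAMBDA_DD, LAMBDA_DU)),
    }


if __name__ == "__main__":
    for name, value in table3_check().items():
        print(f"{name:22s} {value}")
```

    The practical point of the check is the gap between the point estimate and the upper bound: with 41 events the 90% upper limit is about 30% above the observed rate, and the report correctly uses the upper limit, not the observed rate, for the SIL claim.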

    Table 4: PFDG for MSK 200-SIL-DX

    Proof Test (Years)   1        5        10       20
    PFDG                 1.9E-4   8.4E-4   1.7E-3   3.3E-3
    %SIL 2               1.9%     8.4%     17%      33%
    PFSavg               1.5E-3
    MTTR                 72h
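    Table 4 can be regenerated from the FMEDA column of Table 3 with the simplified 1oo1 (hardware fault tolerance 0) formula of IEC 61508-6, Annex B: PFDavg = λDU·(T1/2 + MRT) + λDD·MTTR. The script below is an added worked example, not code from the report or from Risknowlogy. It assumes a year of 8760 h, a mean repair time (MRT) after a proof test equal to the 72 h MTTR of Table 4, that the "%SIL 2" row is PFDavg as a share of the SIL 2 upper limit 1E-2, and that PFSavg is computed analogously from λSU over a one-year interval. The 1, 5 and 20 year cells come out at 1.9E-4, 8.4E-4 and 3.3E-3 as in the table; the 10 year cell comes out at 1.65E-3 against the table's 1.7E-3, which is a rounding difference.

```python
"""PFDavg of a 1oo1 channel versus proof test interval, regenerating Table 4
from the Table 3 FMEDA figures.  Added worked example; not code from the
report.  Labelled assumptions: 8760 h/year, MRT = MTTR = 72 h, SIL 2 upper
limit 1E-2, PFSavg = lambda_SU * T1 / 2 over a one-year interval.
"""
FIT = 1e-9
HOURS_PER_YEAR = 8760.0

LAMBDA_DU = 37.0 * FIT    # dangerous undetected, Table 3 FMEDA column
LAMBDA_DD = 325.0 * FIT   # dangerous detected
LAMBDA_SU = 331.0 * FIT   # safe undetected
MTTR_H = 72.0             # mean time to restoration, Table 4
MRT_H = MTTR_H            # mean repair time after a proof test (assumption)

SIL2_UPPER_LIMIT = 1e-2   # IEC 61508-1, low demand mode


def pfd_avg_1oo1(proof_test_years: float) -> float:
    """IEC 61508-6 simplified 1oo1 formula.  Undetected dangerous faults lie
    dormant for half the proof test interval on average; detected ones only
    for the repair time."""
    t1 = proof_test_years * HOURS_PER_YEAR
    return LAMBDA_DU * (t1 / 2.0 + MRT_H) + LAMBDA_DD * MTTR_H


def share_of_sil2_budget(pfd: float) -> float:
    """The '%SIL 2' row: how much of the SIL 2 PFD budget this device uses,
    which tells the integrator what is left for sensor and final element."""
    return 100.0 * pfd / SIL2_UPPER_LIMIT


def pfs_avg(proof_test_years: float = 1.0) -> float:
    """Average probability of a spurious (safe) trip from undetected safe
    failures, computed like PFDavg (assumption; the report's 1.5E-3 matches
    lambda_SU * T1 / 2 for T1 = 1 year)."""
    return LAMBDA_SU * proof_test_years * HOURS_PER_YEAR / 2.0


def sil_band_low_demand(pfd: float) -> int:
    """Hardware-only SIL band from PFDavg (IEC 61508-1 Table 2).  The SIL that
    may be claimed is additionally capped by systematic capability (SC 2 here)
    and architectural constraints, so a PFDavg in the SIL 3 band does not by
    itself justify a SIL 3 claim."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def table4() -> dict:
    """Proof test interval (years) -> (PFDavg, % of SIL 2 budget)."""
    return {y: (pfd_avg_1oo1(y), share_of_sil2_budget(pfd_avg_1oo1(y)))
            for y in (1, 5, 10, 20)}


if __name__ == "__main__":
    for years, (pfd, share) in table4().items():
        print(f"T1 = {years:2d} y  PFDavg = {pfd:.1E}  %SIL2 = {share:4.1f}%  "
              f"band = SIL {sil_band_low_demand(pfd)}")
    print(f"PFSavg (1 y) = {pfs_avg():.1E}")
```

    The output shows why the proof test interval matters more than the diagnostics for this device: λDD·MTTR contributes a fixed 2.3E-5 regardless of T1, while the λDU term grows linearly with the interval and crosses from the SIL 3 band into the SIL 2 band between 5 and 10 years.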


  • Figure 3: PFDG for MSK 200-SIL-DX


  • 2.6 EMC, Basic Safety and Environmental Testing

    The product complies [10] with

    • EMC directive 2014/30/EU

    • LVD directive 2014/35/EU

    3 User Documentation

    The safety manual [5] provided by Mütec provides all necessary information for usage of the product. The manual was reviewed without any objections.

    4 Conclusions

    The proven in use analysis demonstrates that the specified safety function of the MSK 200-SIL-DX is suitable for SIL 2 safety properties according to IEC 61508, route 2 and IEC 61511.

    Risknowlogy

    Wolfgang Velten-Philipp, Author

    dr.ir. Michel Houtermans, Verifier


  • 5 Standards

    [1] IEC 61508:2010, Functional safety of electrical/electronic/programmable electronic safety related systems.

    [2] IEC 61511:2016, Functional safety: Safety instrumented systems for the process industry sector.

    [3] SN29500:2013, Failure Rates of Components.

    [4] IEC 62061:2005, Annex D, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems.

    6 References

    [5] MSK200_Safety Manual, 2020-05-04.

    [6] Betriebsstunden_DuoTec.xlsx.

    [7] Firmware-Versionen_MSK200-SIL-XX.pdf.

    [8] Versionen des MSK200.pdf; 20200508_Unterschiede-DPVX-VK.pdf; MSK200_DB 4-20mA.pdf; MSK200_DP -10V to +10V.pdf; MSK200_DP_-250V to +250V.pdf; MSK200_DP_-5V to +5V.pdf; MSK200_DV 0-70mV.pdf; MSK200_DX 0-1000V.pdf; MSK200_DX 0-1200V.pdf; MSK200_VK_7 to 1.pdf.

    [9] FMEA_MSK200-SIL-XX_20200623.ods.

    [10] EU EMC Declaration 20/061020-1; EU-Konformitaetserklaerung_LVD Niederspannungsrichtlinie_MSK200-SIL-DX.

    [11] Anwendungen.pdf; DuoTec Referenzen.pdf.

    [12] Reparaturhistorie 2010-2017.xlsx.

    [13] ISO 9001: 2008 Certificate, A1047GER, 2017-08-28, QAS International.


  • [14] FSM Certificate, 123.202.07, 2016-06-13, Risknowlogy.

    [15] Schematics: MSK200-SIL-MD_rev1.0.2.pdf; Schaltung_MSK200-SIL-XX_rev1.2.pdf; NEW_2020_06_MSK200-SIL-XX.pdf.

    [16] Technical Report 123.101.2, V1.1, Risknowlogy, 2006.
