This case study describes the experience that Brüel & Kjær Vibro America Inc. and H-ON Consulting shared during the Functional Safety certification, according to IEC 61508, of the VC-8000 SETPOINT® machinery protection system, from the first assessment through to the final SIL certificate. The article is edited by Stan Ball, Director of R&D Industrial at Brüel & Kjær Vibro America Inc., and Massimiliano Latini, Research & Special Projects Director at H-ON Consulting.
SIL Certification scenario and approach
Manufacturers often see a Functional Safety Assessment as a passive experience: some so-called “experts” or “specialists” perform verifications, audits or tests (or all three) to gather evidence that a product complies with requirements, whatever those happen to be. Too often such “specialists” limit themselves to flagging missing paperwork, such as a revision index or the approval signature on a document.
Manufacturers, on the contrary, usually expect the assessment to be a chance to improve the product and bring better versions to market, or to improve company processes and performance, thanks to the observations and gaps highlighted by a competent and experienced assessor.
The Product under SIL analysis
VC-8000 SETPOINT® is a machine protection system for machinery in the Oil & Gas and petrochemical industries, power generation (large thermal and hydroelectric plants), and many other sectors, including mining, steel, cement, maritime, pulp and paper, and numerous manufacturing companies. Machine protection is mandatory if you want to avoid catastrophic machine damage and expensive production losses, in addition to protecting people. A good protection system evaluates the critical machine parameters and shuts the machine down only when necessary to protect the machine, the people around it, and the environment. For VC-8000 SETPOINT®, these parameters typically include, but are not limited to, the radial vibration, axial position, and bearing temperature measurements commonly encountered in machinery protection systems on pumps, motors, compressors, turbines, and other critical rotating and reciprocating machinery.
IEC 61508 Requirements
IEC 61508 requirements are very demanding. Beyond good reliability of the safety-related parts, the standard introduces several constraints that must be fulfilled before a product can be declared SIL rated and fully compliant: architectural constraints, diagnostic coverage, systematic capability and so on. Company processes are another pillar of the standard: they must flow through a Functional Safety Management System that satisfies the expected quality requirements. Only when every constraint and requirement is fulfilled can a product be declared compliant with IEC 61508, and only then can a third party such as ourselves certify that result.
To learn more about IEC 61508 requirements, please visit our Functional Safety guide.
SIL certification process: our shared experience
The experience that H-ON Consulting and Brüel & Kjær Vibro shared started in 2018, when one of our assessors performed a Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the system during an in-depth design review at the Brüel & Kjær Vibro America Inc. headquarters in Minden (NV), together with the engineering department. FMEDA is a systematic reliability analysis technique that derives, first for each component and then for the overall system, the failure rate, the failure modes and the diagnostic capability, starting from component reliability data. This is the basis for evaluating the probability of failure on demand (PFD), which is required to rate the Safety Integrity Level (SIL) of the system.
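As a worked illustration of the FMEDA-to-SIL chain just described, and of the architectural constraints and diagnostic coverage mentioned under IEC 61508 Requirements, here is an added example in Python. It is not code or data from Brüel & Kjær Vibro or H-ON Consulting: the bill of materials, failure rates, dangerous fractions, diagnostic coverages, proof-test interval and repair times are constructed assumptions, chosen only to show the mechanics. It rolls component data up to λS, λDD and λDU, derives the safe failure fraction (SFF) and diagnostic coverage (DC), computes the simplified IEC 61508-6 1oo1 low-demand PFDavg, and reports the SIL as the lower of the PFD band and the Route 1H architectural limit for a type B (microprocessor-based) channel with HFT = 0. The second run raises the output relay's diagnostic coverage, as adding a feedback contact would, to show that diagnostic coverage can be the limiting factor even when PFDavg alone looks good.

```python
"""FMEDA roll-up and SIL check for a single-channel (1oo1, HFT = 0) function.

Added worked example: this is not code or data from Brüel & Kjær Vibro or
H-ON Consulting, and the bill of materials below is constructed sample data,
not VC-8000 SETPOINT data. Quantities follow IEC 61508-2 / IEC 61508-6:
    lambda_D = lambda_DD + lambda_DU          (dangerous: detected / undetected)
    SFF      = (lambda_S + lambda_DD) / lambda_total
    DC       = lambda_DD / lambda_D
    PFDavg (1oo1, low demand, simplified) = lambda_DU*(T1/2 + MRT) + lambda_DD*MTTR
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Component:
    name: str
    fit: float        # total failure rate in FIT (1 FIT = 1e-9 failures per hour)
    dangerous: float  # fraction of failures that defeat the safety function
    dc: float         # diagnostic coverage of that dangerous fraction, 0..1


# Constructed sample BOM for one monitoring channel (hypothetical values).
SAMPLE_BOM = (
    Component("input conditioning", 200.0, 0.5, 0.90),
    Component("ADC",                150.0, 0.5, 0.95),
    Component("MCU",                500.0, 0.5, 0.90),
    Component("relay driver",       100.0, 0.5, 0.60),
    Component("output relay",       300.0, 0.5, 0.00),  # no readback: faults undetected
)


def fmeda(bom):
    """Roll component data up to lambda_S, lambda_DD, lambda_DU (all in FIT)."""
    lam_s = lam_dd = lam_du = 0.0
    for c in bom:
        lam_d = c.fit * c.dangerous
        lam_s += c.fit - lam_d
        lam_dd += lam_d * c.dc
        lam_du += lam_d * (1.0 - c.dc)
    return {
        "lambda_s_fit": lam_s,
        "lambda_dd_fit": lam_dd,
        "lambda_du_fit": lam_du,
        "sff": (lam_s + lam_dd) / (lam_s + lam_dd + lam_du),
        "dc": lam_dd / (lam_dd + lam_du),
    }


def pfd_avg_1oo1(res, proof_test_interval_h=8760.0, mttr_h=8.0, mrt_h=8.0):
    """Simplified IEC 61508-6 1oo1 low-demand PFDavg (T1 = proof-test interval)."""
    lam_du = res["lambda_du_fit"] * 1e-9
    lam_dd = res["lambda_dd_fit"] * 1e-9
    return lam_du * (proof_test_interval_h / 2.0 + mrt_h) + lam_dd * mttr_h


def sil_from_pfd(pfd):
    """Low-demand SIL bands of IEC 61508-1 (0 = worse than SIL 1).
    The standard defines no band below 1e-5; anything under 1e-4 returns 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def architectural_sil(sff, hft, component_type):
    """Route 1H hardware safety integrity limit (IEC 61508-2 Tables 2 and 3).
    Type A = simple, well-characterised parts; type B = complex parts such as
    microprocessors. Returns 0 where the combination is not allowed."""
    band = sum(1 for threshold in (0.60, 0.90, 0.99) if sff >= threshold)
    base = band + (1 if component_type == "A" else 0)
    return min(4, base + hft)


def achieved_sil(bom, component_type="B", **pfd_kwargs):
    """SIL claimable for a 1oo1 channel: the lower of the PFD band and the
    architectural-constraint limit. Returns (sil, fmeda result, pfd)."""
    res = fmeda(bom)
    pfd = pfd_avg_1oo1(res, **pfd_kwargs)
    sil = min(sil_from_pfd(pfd), architectural_sil(res["sff"], 0, component_type))
    return sil, res, pfd


def with_relay_feedback(bom, dc=0.90):
    """Same BOM with a feedback contact on the output relay raising its DC."""
    return tuple(replace(c, dc=dc) if c.name == "output relay" else c for c in bom)


if __name__ == "__main__":
    runs = (("baseline", SAMPLE_BOM), ("relay feedback", with_relay_feedback(SAMPLE_BOM)))
    for label, bom in runs:
        sil, res, pfd = achieved_sil(bom)
        print(f"{label:14s} SFF={res['sff']:.1%} DC={res['dc']:.1%} "
              f"lambda_DU={res['lambda_du_fit']:.2f} FIT PFDavg={pfd:.2e} -> SIL {sil}")
```

Run it and the baseline channel lands in the SIL 3 band on PFDavg alone but is capped at SIL 1 by its 83% SFF; once the relay's faults are made detectable the SFF climbs to 94% and the channel can claim SIL 2. This is why an assessor looks at diagnostic coverage and architecture, not only the reliability figure, and why the PFDavg result only holds while proof tests actually happen at the assumed interval.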
Performing FMEDA Analysis and Design review
The system mainly consists of a backplane with a rack connection module (RCM), hosting temperature monitoring modules (TMM) or universal monitoring modules (UMM) as needed. Together these form the machinery protection system; the detailed design review and FMEDA covered only these parts, excluding all modules and parts not relevant to the safety function.
The design review consisted of the allocation and assessment of all safety-related hardware components and the identification of the most critical ones in terms of complexity and hardware fault tolerance. The hardware assessment results were then integrated with the firmware validation in order to evaluate the SIL capability of the overall system.
Product improvement in short
After this review, the manufacturer's designers, guided by the safety design principles of IEC 61508, addressed the gaps highlighted by our assessor and improved the design of the overall system, both the hardware and the related software (the latter subsequently verified and validated following an Agile approach), to fully meet the standard's requirements. The following are examples of points duly addressed by the engineering department of Brüel & Kjær Vibro in Minden:
- The firmware was split into two parts: one for firmware not involved in the safety-critical path, and one for safety-related firmware. This separation limits the portion of firmware subject to IEC 61508-1 and IEC 61508-3 requirements and simplifies management of the safety life cycle, so that changes and customizations to the non-safety-critical firmware do not trigger re-assessment and re-validation of the safety-related part. The standard only credits such a partition where non-interference between the two parts is demonstrated (IEC 61508-3, Annex F).
- On the hardware side, the reliability of the internal diagnostic circuitry was increased by modifying the circuits used to detect the most relevant dangerous failure modes.
- Some signals critical to system operation could, under fault, inhibit or bypass the safety function. Measures and techniques were implemented to prevent the safety function from being bypassed by, for example, internal short circuits.
- The UMM and TMM firmware were modified to route the most critical system-wide fault detections to the RCM feedback relay, increasing the diagnostic feedback available. Each module's own output relay is left to signal the failure modes that affect only that module, so that the VC-8000 keeps functioning without compromising reliability.
SIL Certification benefits
This is only one example of what a technical assessment for functional safety can deliver. Beyond the certificate, the manufacturer now benefits from real product improvements. In addition, Brüel & Kjær Vibro worked on its own company processes to obtain a more effective and compliant Functional Safety Management System. This included setting quality requirements for critical vendors involved in the manufacturing process, including those assembling and testing electronic boards; our assessor visited and audited such vendors against the certification requirements during the process.
Working with Brüel & Kjær Vibro was exciting. Its technicians were genuinely engaged during the assessment and then ready to address the identified gaps and implement new product design features to improve overall system reliability and avoid dangerous faults, right through to the actual testing, including EMC compliance tests, since such faults could affect the functional safety performance of the machinery protection system.
On the other hand, as Stan Ball, Director of R&D Industrial at Brüel & Kjær Vibro America Inc., says, working with us was both rewarding and educational, as the complexities of achieving SIL certification were well detailed in advance and the back-and-forth communication across international sites was kept timely, succinct and always professional. This included such items as HW design, FW and SW functionality to ensure SIL level compliance, and the documentation content and requirements. It was also critical that the manufacturing facility operated within the confines of the SIL requirements for both production and documentation. This included how they manage incoming items, and the handling and storage of the parts used to assemble each board, including the raw materials. Testing facilities, and how they traced all activities carried out on the board, including personnel skills and training, also had to be compliant. For the document review, the traceability of all activities from PO receipt up to board shipping was reviewed.
Both authors agree this is a good example of how a product certification assessment should really be: a chance for both parties to benefit from the activity and learn from each other. The manufacturer learns how a product can be improved to comply with international standards, gains new market share, and fulfills its mission to protect people and the environment. The development house has gained substantially from this endeavor and has realized the added value that certification brings to its market and customers. The certification team, for its part, is rewarded by working with technically sound engineers and knowledgeable technicians, contributing to the success of the company!
We would like to thank the Brüel & Kjær Vibro team for sharing this success story, which has meant a lot to us and has inspired further innovation. For more information about VC-8000 SETPOINT®, please visit the B&K Vibro website.