Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

Similar documents
Safety Manual VEGAVIB series 60

Safety Manual OPTISWITCH series relay (DPDT)

Safety Manual VEGAVIB series 60

Safety Manual VEGASWING 61, 63. NAMUR With SIL qualification. Document ID: 52084

Vibrating Switches SITRANS LVL 200S, LVL 200E. Safety Manual. NAMUR With SIL qualification

Special Documentation Proline Promass 80, 83

SIL Safety Manual. ULTRAMAT 6 Gas Analyzer for the Determination of IR-Absorbing Gases. Supplement to instruction manual ULTRAMAT 6 and OXYMAT 6

Failure Modes, Effects and Diagnostic Analysis

Ultima. X Series Gas Monitor

Neles ValvGuard VG9000H Rev 2.0. Safety Manual

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Solenoid Valves used in Safety Instrumented Systems

Neles trunnion mounted ball valve Series D Rev. 2. Safety Manual

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

Hydraulic (Subsea) Shuttle Valves

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Solenoid Valves For Gas Service FP02G & FP05G

H250 M9 Supplementary instructions

Accelerometer mod. TA18-S. SIL Safety Report

Bespoke Hydraulic Manifold Assembly

Failure Modes, Effects and Diagnostic Analysis

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

Failure Modes, Effects and Diagnostic Analysis

SPR - Pneumatic Spool Valve

Commissioning and safety manual

YT-3300 / 3301 / 3302 / 3303 / 3350 / 3400 /

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

Safety manual for Fisher GX Control Valve and Actuator

Rosemount 2130 Level Switch

What safety level can be reached when combining a contactor with a circuitbreaker for fail-safe switching?

Jamesbury Pneumatic Rack and Pinion Actuator

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

Continuous Gas Analysis. ULTRAMAT 6, OXYMAT 6 Safety Manual. Introduction 1. General description of functional safety 2

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, Minnesota USA

Achieving Compliance in Hardware Fault Tolerance

Transmitter mod. TR-A/V. SIL Safety Report

Failure Modes, Effects and Diagnostic Analysis

Service & Support. Questions and Answers about the Proof Test Interval. Proof Test According to IEC FAQ August Answers for industry.

Section 1: Multiple Choice

High performance disc valves Series Type BA, BK, BW, BM, BN, BO, BE, BH Rev Safety Manual

Failure Modes, Effects and Diagnostic Analysis

EL-O-Matic E and P Series Pneumatic Actuator SIL Safety Manual

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

DeZURIK. KSV Knife Gate Valve. Safety Manual

High Integrity Pressure Protection Systems HIPPS

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

COMPLIANCE with IEC EN and IEC EN 61511

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

L&T Valves Limited SAFETY INTEGRITY LEVEL (SIL) VERIFICATION FOR HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS) Report No.

Rosemount 2120 Level Switch

Special Documentation Liquiphant M/S with electronic insert FEL56 + Nivotester FTL325N

YT-300 / 305 / 310 / 315 / 320 / 325 Series

Understanding safety life cycles

Applications & Tools. Evaluation of the selection of a safetyrelated mode using non-safety-related components

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Functional Safety SIL Safety Instrumented Systems in the Process Industry

Precision pressure sensor Basic version Model CPT6020

Failure Modes, Effects, and Diagnostic Analysis of a Safety Device

New Thinking in Control Reliability

Transducer mod. T-NC/8-API. SIL Safety Report

Operating Instructions. Ball valve fitting according to ZB For pressure transmitter VEGABAR 82. Document ID: 50027

Section 1: Multiple Choice Explained EXAMPLE

THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY. Jinhyung Park 1 II. THE SIL CALCULATION METHODOLOGY ON IEC61508 AND SOME ARGUMENT

PL estimation acc. to EN ISO

The Key Variables Needed for PFDavg Calculation

Session: 14 SIL or PL? What is the difference?

Competence in Functional Safety

Failure Modes, Effects and Diagnostic Analysis

SIL Safety Manual for Fisherr ED, ES, ET, EZ, HP, or HPA Valves with 657 / 667 Actuator

Special Documentation Liquiphant M/S with electronic insert FEL57 + Nivotester FTL325P

DSB, DSF: Pressure monitors and pressure switches

Every things under control High-Integrity Pressure Protection System (HIPPS)

Pneumatic high-pressure controller Model CPC7000

Series 3730 and Series 3731 EXPERTplus Valve Diagnostics with Partial Stroke Test (PST)

Gas density monitor With integrated transmitter Model GDM-100-TI

Supplementary Operator s Manual 42/24-14 EN Rev. 3

Valve Communication Solutions. Safety instrumented systems

Hand-held pressure calibrator with integrated pump Model CPH6600

Technical Data Sheet MF010-O-LC

Failure Modes, Effects and Diagnostic Analysis

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

High-performance submersible pressure transmitter For level measurement Model LH-20

Operating Instructions Process pressure transmitter IPT-1* Vers metalic sensor Foundation Fieldbus

DSL, DSH: Specially designed pressure limiter

High-performance submersible pressure transmitter For level measurement Model LH-20

SPECIAL PRINT. Innovative Control Technology. Safety in the Process Industry. SAMSON AG Manuel Hinkelmann Marcel Richter Monika Schneider

Compact differential pressure switch Flameproof enclosure Ex d Models DE, DEC

Safety-critical systems: Basic definitions

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

Operating instructions Capacitive sensor KIA (M30) / / 2010

Operating Instructions VEGAFLEX C, PFA insulated

Transcription:

Safety Manual Process pressure transmitter IPT-1* 4 20 ma/hart Process pressure transmitter IPT-1*

Contents Contents 1 Functional safety 1.1 General information... 3 1.2 Planning... 4 1.3 Instrument parameter adjustment... 6 1.4 Setup... 7 1.5 Reaction during operation and in case of failure... 7 1.6 Recurring function test... 8 1.7 Safety-related characteristics... 8 2 Supplement 2

1 Functional safety Scope Area of application SIL conformity Abbreviations, terms Relevant standards 1.1 General information This safety manual applies to measuring systems consisting of pressure transmitter IPT-1* in version 4 20 ma/hart: IPT-10 Vers. 2.0/3.0 IPT-11 Vers. 3.0/4.0 Note: IPT-1* vers. 3.0 up to max. 1000 bar Valid hardware and software versions: Serial number of the electronics > 14138614 Sensor software from Rev. 3.50 The measuring system can be used for process pressure or level measurement of gases, vapours and liquids which meet the specific requirements of the safety technology, e.g.: Due to the service-proven reliability, implemention is possible in a single channel architecture (1oo1D) up to SIL2 and in a multi-channel, diversitary redundant architecture up to SIL3. The use of the measuring system in a multiple channel, homogeneous redundant architecture is excluded. The SIL declaration of conformity can be downloaded from our homepage in the Internet. SIL Safety Integrity Level HFT Hardware Fault Tolerance SFF Safe Failure Fraction PFD avg Average Probability of dangerous Failure on Demand PFH Probability of a dangerous Failure per Hour FMEDA Failure Mode, Effects and Diagnostics Analysis λ sd Rate for safe detected failure λ su Rate for safe undetected failure λ dd Rate for dangerous detected failure λ du Rate for dangerous undetected failure DC S Diagnostic Coverage of safe failures; DC S = λ sd /(λ sd +λ su ) DC D Diagnostic Coverage of dangerous failures; DC D = λ dd /(λ dd +λ du ) FIT Failure In Time (1 FIT = 1 failure/10 9 h) MTBF Mean Time Between Failure MTTF Mean Time To Failure MTTR Mean Time To Repair Further abbreviations and terms are stated in IEC 61508-4. IEC 61508 3

Functional safety of electrical/electronic/programmable electronic safety-related systems IEC 61511-1 Functional safety - safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements Safety requirements Failure limit values for a safety function, depending on the SIL class (of IEC 61508-1, 7.6.2) Safety integrity level Low demand mode High demand mode SIL PFD avg PFH 4 10-5 < 10-4 10-9 < 10-8 3 10-4 < 10-3 10-8 < 10-7 2 10-3 < 10-2 10-7 < 10-6 1 10-2 < 10-1 10-6 < 10-5 Safety integrity of hardware for safety-related subsystems of type B (IEC 61508-2, 7.4.3) Safe failure fraction Hardware fault tolerance SFF HFT = 0 HFT = 1 (0) < 60 % not permitted SIL1 HFT = 2 SIL2 60 % < 90 % SIL1 SIL2 SIL3 90 % < 99 % SIL2 SIL3 (SIL4) 99 % SIL3 (SIL4) (SIL4) Service proven Safety function According to IEC 61511-1, paragraph 11.4.4, the failure tolerance HFT can be reduced by one for service-proven subsystems if the following conditions are met: The instrument is service proven Only process-relevant parameters can be modified on the instrument (e. g. measuring range, current output in case of failure ) These process-relevant parameters are protected (e.g. password, ) The safety function requires less than SIL4 The assessment by change management staff was a part of the "service proven" verification. 1.2 Planning The measuring system generates on the current output a signal between 3.8 ma and 20.5 ma corresponding to the process pressure or level. This analogue signal is transmitted to a connected processing unit to monitor the following conditions: Exceeding a preset pressure value 4

Falling below a preset pressure value Quitting a preset pressure range When the switching point set on the processing unit is reached, a signal is outputted. Safe state The safe state depends on the mode: Safe state Output current in safe state Monitoring upper pressure value Exceeding the switching point Monitoring lower pressure value Falling below the switching point > Switching point (-1 %) < Switching point (+1 %) Failure current "fail low" < 3.6 ma < 3.6 ma Failure current "fail high" > 21.5 ma > 21.5 ma The current tolerance ±1 % refers to the full measuring range of 16 ma. Fault description Configuration of the processing unit Low demand mode A safe failure exists when the measuring system switches to the defined safe state or the fault mode without the process demanding it. If the internal diagnostic system detects a failure, the measuring system goes into fault mode. A dangerous undetected failure exists if the measuring system switches neither to the defined safe condition nor to the failure mode when the process requires it. If the measuring system delivers output currents of "fail low" or "fail high", it can be assumed that there is a malfunction. The processing unit must therefore interpret such currents as a malfunction and output a suitable fault signal. If this is not the case, the corresponding portions of the failure rates must be assigned to the dangerous failures. The stated values in chapter "Safety-relevant characteristics" can thus worsen. The processing unit must correspond to the SIL level of the measurement chain. If the demand rate is only once a year, then the measuring system can be used as safety-relevant subsystem in "low demand mode" (IEC 61508-4, 3.5.12). If the ratio of the internal diagnostics test rate of the measuring system to the demand rate exceeds the value 100, the measuring system can be treated as if it is executing a safety function in the mode with low demand rate (IEC 61508-2, 7.4.3.2.5). An associated characteristic is the value PFD avg (average Probability of dangerous Failure on Demand). It is dependent on the test interval T Proof between the function tests of the protective function. Number values see chapter "Safety-related characteristics". 5

High demand mode Assumptions General instructions and restrictions Adjustment tools Create a measurement loop If the "low demand rate" does not apply, the measuring system should be used as a safety-relevant subsystem in the mode "high demand mode" (IEC 61508-4, 3.5.12). The fault tolerance time of the complete system must be higher than the sum of the reaction times or the diagnostics test periods of all components in the safety-related measurement chain. An associated characteristic is the value PFH (failure rate). Number values see chapter "Safety-related characteristics". The following assumptions form the basis for the implementation of FMEDA: Failure rates are constant, wear of the mechanical parts is not taken into account Failure rates of external power supplies are not taken into account Multiple errors are not taken into account The average ambient temperature during the operating time is 40 C (104 F) The environmental conditions correspond to an average industrial environment The lifetime of the components is around 8 to 12 years (IEC 61508-2, 7.4.7.4, remark 3) The repair time (exchange of the measuring system) after an nondangerous malfunction is eight hours (MTTR = 8 h) The processing unit can interpret "fail low" and "fail high" failures as a disruption and trigger a suitable error message The scanning interval of a connected control and processing unit is max. 1 hour, in order to react to dangerous, detectable errors Existing communication interfaces (e. g. HART, I²C-Bus) are not used for transmission of safety-relevant information The measuring system should be used appropriately taking pressure, temperature, density and chemical properties of the medium into account. The user-specific limits must be complied with. The specifications of the operating instructions manual must not be exceeded. 1.3 Instrument parameter adjustment Since plant conditions influence the functional safety of the measuring system, the instrument parameters must be set in compliance with the application. The following tools are allowed: The DTM suitable for IPT-1* in conjunction with an adjustment software according to the FDT/DTM standard, e. g. PACTware Display and adjustment module Note: Make sure that WIKA-DTM IPT 04/2006 or a newer version is used. In the adjustment software, the parameter "Sensor according to SIL" must be selected in the menu level "Basic adjustment". 6

If the display and adjustment module is used, the parameter "SIL" must be actived in the menu level "Service". Reaction when malfunction occurs Damping of the output signal Inadmissible modes Inspection possibilities Access locking Mounting and installation Operation and interference The parameter adjustment of the interference current influences the safety-related characteristics. For safety-relevant applications only the following interference currents are permitted: fail low = <3.6 ma (default value) fail high = 22 ma The damping of the output signal must be adapted to the process safety time. Measured value transmission via HART signal as well as HART multidrop mode is not permitted. The effectivity of the set parameters must be checked in a suitable way. After connecting the instrument, the output signal jumps to the set interference current (at the end of the switch-on phase) In mode "Simulation", the signal current can be simulated independent of the actual pressure or level To avoid unwanted or unauthorized modification, the set parameters must be protected against unintentional access: Activate the password protection in the adjustment software Activate the PIN on the display and adjustment module Access by means of HART handheld or similar equipment is not permitted. Protecting against unintentional or unauthorized adjustment can be done, e.g. by sealing the housing cover. Caution: After a reset of the values, all parameters must be checked or readjusted. 1.4 Setup Take note of the mounting and installation instructions of the operating instructions manual. In the setup procedure, a check of the safety function by means of an initial filling is recommended. 1.5 Reaction during operation and in case of failure The adjustment elements or device parameters must not be modified during operation. If modifications have to be made during operation, carefully observe the safety functions. 7

Fault signals that may appear are described in the appropriate operating instructions manual. If faults or error messages are detected, the entire measuring system must be shut down and the process held in a safe state by other measures. The exchange of the electronics is simple and described in the operating instructions manual. Note the instructions for parameter adjustment and setup. If due to a detected failure the electronics or the complete sensor is exchanged, the manufacturer must be informed (incl. a fault description). Reason and implementation Basics 1.6 Recurring function test The recurring function test is used to check the safety function, to detect possible non-recognisable, dangerous faults. The function of the measuring system must be checked in adequate intervals. The operator is responsible for choosing the type of check. The time intervals depend on the selected PFD avg value according to chart and diagram in paragraph "Safety-related characteristics". With high demand rate, a recurring function test is not requested in IEC 61508. The functional efficiency of the measuring system is demonstrated by the frequent use of the system. In double channel architectures it is a good idea to verify the effect of the redundancy through recurring function tests at appropriate intervals. The test must be carried out in a way that verifies the flawless operation of the safety functions in conjunction with all system components. This is ensured by a controlled reaching of the response height during filling. If filling up to the response height is not possible, then a response of the measuring system must be triggered by a suitable simulation of the level or the physical measuring effect. The methods and procedures used during the tests must be stated and their suitability must be specified. The tests must be documented. If the function test proves negative, the entire measuring system must be switched out of service and the process held in a safe state by means of other measures. In the double channel architecture (1oo2D) this applies separately to both channels. 1.7 Safety-related characteristics The failure rates of the electronics, the mechanical parts of the transmitter as well as the process fitting are determined by an FMEDA according to IEC 61508. The calculations are based on component failure rates according to SN 29500. All values refer to an average ambient temperature during the operating time of 40 C (104 F). For a higher average temperature of 60 C (140 F), the failure rates should be multiplied by a factor of 2.5. A similar factor applies if frequent temperature fluctuations are expected. 8

The calculations are also based on the specifications stated in chapter "Planning". Service life Failure rates After 8 to 12 years, the failure rates of the electronic components will increase, whereby the derived PFD and PFH values will deteriorate (IEC 61508-2, 7.4.7.4, note 3). The key figures stated in the following charts apply to the modes: Overfill protection or monitoring upper pressure value Dry run protection or monitoring lower pressure value Monitoring a specified pressure range Fault reaction time Specific characteristics λ sd λ su λ dd λ du 0 FIT 208 FIT 642 FIT 244 FIT DC S 0 % DC D 72 % MTBF = MTTF + MTTR 0.78 x 10 6 h Error E013 (no measured value available) Error E041 (hardware error) Error E036 (no executable sensor software) Single channel architecture (1oo1D) SIL SIL2 HFT 0 Instrument type Type B < 10 s < 20 s < 1 h SFF 77 % PFD avg T Proof = 1 year T Proof = 2 years T Proof = 5 years < 0.107 x 10-2 < 0.214 x 10-2 < 0.533 x 10-2 PFH < 0.244 x 10-6 /h Time-dependent process of PFD avg The chronological sequence of PFD avg is nearly linear to the operating time over a period up to 10 years. The above values apply only to the T Proof interval after which a recurring function test must be carried out. 9

4 PFD avg 3 2 1 1 5 10 T Proof Fig. 1: Chronological sequence of PFD avg (figures see above charts) 1 PFD avg = 0 2 PFD avg after 1 year 3 PFD avg after 5 years 4 PFD avg after 10 years Multiple channel architecture Specific characteristics If the measuring system is used in a multiple channel architecture, the safety-relevant characteristics of the selected structure of the meas. chain must be calculated specifically for the selected application according to the above failure rates. A suitable Common Cause Factor must be taken into account. The measuring system must only be used in a diversitary redundant architecture! 10

2 Supplement 2 Supplement 11

Printing date: All statements concerning scope of delivery, application, practical use and operating conditions of the sensors and processing systems correspond to the information available at the time of printing. WIKA Alexander Wiegand SE & Co. KG Alexander-Wiegand-Straße 30 63911 Klingenberg Germany Phone (+49) 9372/132-0 Fax (+49) 9372 132-406 E-mail: info@wika.de www.wika.de 32138-EN-131017 12

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback