Transmitter mod. TR-A/V. SIL Safety Report


Transmitter mod. TR-A/V SIL Safety Report
SIL003/09 rev.1 of 09.03.2009, page 1 of 7

1. Field of use

The transmitters are dedicated to vibration monitoring in plants where particular safety requirements according to IEC 61508 apply. The operating limits are shown on the data sheet of each model.

2. Acronyms and abbreviations

HFT - Hardware Fault Tolerance: tolerance to faults in the equipment hardware; the ability to perform a requested function even in the presence of faults or deviations.
MTBF - Mean Time Between Failures: average duration between two successive failures.
MTTR - Mean Time To Repair: average time between the appearance of a fault on a machine/system and its repair.
PFD - Probability of Failure on Demand: average probability of dangerous failures of a safety function.
PFD AVG - Average Probability of Failure on Demand: average probability of dangerous failures of a safety function when a demand occurs.
PFH AVG - Average Probability of Failure per Hour: average probability of dangerous failures of a safety function per hour.
SIL - Safety Integrity Level: the IEC 61508 international standard establishes four discrete Safety Integrity Levels (SIL 1 to SIL 4). Each level corresponds to a probability interval for the failure of a safety function. As the Safety Integrity Level of a safety system increases, the probability that the requested safety functions are not executed decreases.
SFF - Safe Failure Fraction: portion of non-dangerous failures, i.e. failures which do not bring the safety system to a dangerous or not-allowed status.
Low demand mode - Low demand mode of operation: mode in which the demand on the safety function occurs no more than once per year and no more than twice the proof-test frequency.
DCS - Distributed Control System: control systems employed in industrial applications to monitor and control decentralized equipment.
LRV - Lower Range Value: zero of the measuring range.
URV - Upper Range Value: span of the measuring range.

3. Applicable regulations

IEC 61508 standard, parts 1-7: functional safety of electrical/electronic/programmable electronic safety-related systems.

4. Additional applicable documentation

Besides the SIL safety standards, the following documentation must also be considered: the TR-A and TR-V data sheets. All literature is available in Italian and English. The user remains responsible for compliance with the applicable laws and standards.

5. Terms and definitions

Dangerous failure: failure potentially able to bring the safety system to a dangerous or non-functional status.
Safety system: system able to perform the safety functions necessary to reach or maintain a safe status of a plant.
Safety function: defined function, performed by a safety system with the aim of reaching or maintaining a safe status of a plant, taking into account a predefined dangerous event.

6. Safety function

The TR-A/V transmitters generate a linear 4-20 mA signal proportional to the measured vibration level, according to the type of monitoring and to the range foreseen by the data sheet and the purchase code. The transmitters perform their function by means of hardware electronic circuits, without any software. The only self-diagnosis function, provided for the TR-A only, is a green LED which, when lit, indicates correct connection of the acceleration transducer. Any signal outside the 4-20 mA range must be considered an anomaly. The precision and safety limits are described on the data sheet.

7. Checks

The safety function of the whole safety loop must be regularly checked according to IEC 61508. The check intervals are established by the calculation performed for the individual safety loops of a plant. The plant manager is responsible for the choice of the type of check and of its interval. For the safety function check of the transmitters, proceed as follows:
1. Disconnect the transducer from the machine.
2. Verify that the transducer output current is the correct rest value of 4 mA.
3. Check the transducer by shaking it and verifying that the dynamic output rises up to 20 mA.
Damaged transmitters must be sent to our service department with an indication of the type of failure and its possible cause.

8. Configuration

The transmitter is supplied configured and tested according to the specifications of the customer's purchase order. Before putting the transmitter into operation as part of the safety function, check that the configuration guarantees the safety function of the system, and check that the right transmitter is installed at the right measuring point. As there are no modifiable configuration parameters, the safety function is assured by the original configuration.

9. IEC 61508 proven in use

IEC 61508-2, 7.4.7.6: A previously developed subsystem shall only be regarded as proven in use when it has a clearly restricted functionality and when there is adequate documentary evidence which is based on the previous use of a specific configuration of the subsystem (during which time all failures have been formally recorded, see 7.4.7.10), and which takes into account any additional analysis or testing, as required (see 7.4.7.8). The documentary evidence shall demonstrate that the likelihood of any failure of the subsystem (due to random hardware and systematic faults) in the E/E/PE safety-related system is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.

For a device to be considered proven in use, the volume of operating experience must be taken into account.

The TR-A/V transmitters appeared on the market in 1997; since then no substantial revisions have been made to the design. From the sales and repair data, 4332 units were sold during 2004-2008. For the failure calculation we consider only the operating hours within the warranty period, as after this period we conservatively presume that failures are not reported. The operating hours are 37,948,320, which is considered sufficient taking into account the low complexity of the transmitter and its use in SIL 2 applications. The operating experience shows the following failures:

Year   Systematic failures   Random failures   Non-computable failures*   Total computable failures
2004   3                     1                 0                          4
2005   0                     3                 0                          3
2006   0                     1                 1                          1
2007   0                     2                 1                          2
2008   0                     1                 0                          1
Total                                                                     11

*Failures due for instance to falls or mechanical shocks.

As there is no evidence that all failures in the warranty period have been reported, we assume that only 70% of the failures have been regularly declared, thus arriving at an estimated number of failures of 11/0.7 = 15.71, rounded up to 16. These data give a failure rate of 4.22E-7 [1/h]. As IEC 61508 requires the calculation with a confidence limit higher than 70%, we obtain 5.30E-7 [1/h].

IEC 61508-2, 7.4.7.7: The documentary evidence required by 7.4.7.6 shall demonstrate that the previous conditions of use (see note) of the specific subsystem are the same as, or sufficiently close to, those which will be experienced by the subsystem in the E/E/PE safety-related system, in order to determine that the likelihood of any unrevealed systematic faults is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.
NOTE The conditions of use (operational profile) include all the factors which may influence the likelihood of systematic faults in the hardware and software of the subsystem. For example: environment, modes of use, functions performed, configuration, interfaces to other systems, operating system, translator, human factors.

The TR-A/V transmitters are always employed for similar applications in similar environmental conditions. Therefore, if they are used within the parameters shown on the data sheet, the clause is satisfied.

IEC 61508-2, 7.4.7.8: Where there is any difference between the previous conditions of use and those which will be experienced in the E/E/PE safety-related system, then any such difference(s) shall be identified and there shall be an explicit demonstration, using a combination of appropriate analytical methods and testing, in order to determine that the likelihood of any unrevealed systematic faults is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.

As there is no difference between the previous use of the TR-A/V transmitters and the foreseen conditions of use, the clause is considered satisfied.

IEC 61508-2, 7.4.7.9: The documentary evidence required by 7.4.7.6 shall establish that the extent of previous use of the specific configuration of the subsystem (in terms of operational hours) is sufficient to support the claimed rates of failure on a statistical basis. As a minimum, sufficient operational time is required to establish the claimed failure rate data to a single-sided lower confidence limit of at least 70% (see IEC 61508-7, annex D, and IEEE 352). An operational time of any individual subsystem of less than one year shall not be considered as part of the total operational time in the statistical analysis (see note).
NOTE The necessary time, in terms of operational hours, required to establish the claimed rates of failure may result from the operation of a number of identical subsystems, provided that failures from all the subsystems have been effectively detected and reported (see 7.4.7.10). If, for example, 100 subsystems each work fault-free for 10,000 h, then the total time of fault-free operation may be considered as 1,000,000 h. In this case, each subsystem has been in use for over a year and the operation therefore counts towards the total number of operational hours considered.

As stated under 7.4.7.6, the number of operating hours, considering the simplicity of the transmitter and its use for SIL 2, is assumed to be sufficient. A confidence limit of 70% has also been applied.

IEC 61508-2, 7.4.7.10: Only previous operation where all failures of the subsystem have been effectively detected and reported (for example, when failure data has been collected in accordance with the recommendations of IEC 60300-3-2) shall be taken into account when determining whether the above requirements (7.4.7.6 to 7.4.7.9) have been met.

As stated under 7.4.7.6, since it is not realistic that all failures have been declared, we have taken into account only the warranty period and assumed that failures were reported in 70% of cases. These conservative assumptions make the clause satisfied.

IEC 61508-2, 7.4.7.11: The following factors shall be taken into account when determining whether or not the above requirements (7.4.7.6 to 7.4.7.9) have been met, in terms of both the coverage and the degree of detail of the available information (see also 4.1 of IEC 61508-1):

a) the complexity of the subsystem;
b) the contribution made by the subsystem to the risk reduction;
c) the consequences associated with a failure of the subsystem;
d) the novelty of the design.

All the factors listed in the standard have been taken into account in the present evaluation.

IEC 61508-2, 7.4.7.12: The application of a proven-in-use safety-related subsystem in the E/E/PE safety-related system should be restricted to those functions and interfaces of the subsystem which meet the relevant requirements (see 7.4.7.6 to 7.4.7.10).
NOTE The measures 7.4.7.4 to 7.4.7.12 are also applicable to subsystems which contain software. In this case it has to be assured that the subsystem performs in its safety-related application only those functions for which evidence of the required safety integrity is given. See also 7.4.2.11 of IEC 61508-3.

The TR-A/V transmitter does not contain software and is proven in use only under the conditions of the present report. We therefore consider the clause satisfied.

10. Conclusions

The following table shows the SIL levels for the various ranges of PFD AVG and PFH AVG:

Safety Integrity Level (SIL)   Average Probability of Failure on Demand (PFD AVG)   Average Probability of Failure per Hour (PFH AVG)
SIL 4                          >= 10^-5 to < 10^-4                                   >= 10^-9 to < 10^-8
SIL 3                          >= 10^-4 to < 10^-3                                   >= 10^-8 to < 10^-7
SIL 2                          >= 10^-3 to < 10^-2                                   >= 10^-7 to < 10^-6
SIL 1                          >= 10^-2 to < 10^-1                                   >= 10^-6 to < 10^-5

Having obtained a PFH AVG value of 5.30E-7, we consider the use in SIL 2 applications correct.

Mandello del Lario, 9th March 2009
CEMB S.p.A., Instrumentation Division Management (Eng. Enrico Coti Zelati)
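The failure-rate derivation of section 9 (11 declared failures, 70% reporting assumption, 4332 units counted over their warranty year) and the PFH-to-SIL band lookup of the section 10 table, worked through as an added example that is not part of the CEMB report. The 70% one-sided upper bound is computed with the classical Poisson/chi-square method, which is an assumption because the report does not state its formula, so it does not reproduce the report's 5.30E-7 exactly; the one-year-per-unit operating time and the exclusion of units with under one year of service (clause 7.4.7.9) are likewise assumptions drawn from the quoted clauses.

```python
import math

# Constructed from the report's section 9 figures: year -> computable failures
# (systematic + random; non-computable mechanical-damage returns excluded).
COMPUTABLE_FAILURES = {2004: 4, 2005: 3, 2006: 1, 2007: 2, 2008: 1}
UNITS_SOLD = 4332          # units sold 2004-2008
WARRANTY_HOURS = 8760      # assumption: one warranty year per unit; 4332 * 8760 = 37,948,320 h
REPORTING_FRACTION = 0.7   # the report assumes only 70% of warranty failures were declared
MIN_UNIT_HOURS = 8760      # IEC 61508-2 7.4.7.9: under one year of operation does not count

# PFH bands from the section 10 table, as [lower, upper) in 1/h
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

def corrected_failures(failures=COMPUTABLE_FAILURES, fraction=REPORTING_FRACTION):
    """Scale the declared failures by the assumed reporting fraction, rounding up."""
    return math.ceil(sum(failures.values()) / fraction)

def countable_hours(unit_hours):
    """Total operating time per 7.4.7.9: units with less than one year are excluded."""
    return sum(h for h in unit_hours if h >= MIN_UNIT_HOURS)

def point_failure_rate(failures, hours):
    """Point estimate of the failure rate in 1/h."""
    return failures / hours

def poisson_cdf(k, mean):
    """P(X <= k) for X ~ Poisson(mean), summed term by term (no factorials)."""
    term = total = math.exp(-mean)
    for i in range(1, k + 1):
        term *= mean / i
        total += term
    return total

def upper_failure_rate(failures, hours, confidence=0.70):
    """One-sided upper confidence bound on the failure rate (assumed method): solves
    P(X <= r; lambda*T) = 1 - confidence by bisection, i.e. chi2(confidence, 2r+2) / (2T)."""
    target = 1.0 - confidence
    lo, hi = 0.0, 10.0 * (failures + 1)   # bracket on the expected count lambda*T
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid) > target:
            lo = mid                      # mean too small: CDF still above target
        else:
            hi = mid
    return (lo + hi) / 2 / hours

def sil_for_pfh(pfh):
    """Map a PFH value onto the SIL bands of the conclusions table (None if outside)."""
    for sil, (low, high) in PFH_BANDS.items():
        if low <= pfh < high:
            return sil
    return None

if __name__ == "__main__":
    r = corrected_failures()
    hours = countable_hours([WARRANTY_HOURS] * UNITS_SOLD)
    ub = upper_failure_rate(r, hours)
    print(f"failures={r} hours={hours} point={point_failure_rate(r, hours):.2e}")
    print(f"70% one-sided upper bound={ub:.2e} -> SIL {sil_for_pfh(ub)}")
```

The point estimate reproduces the report's 4.22E-7 [1/h]; the chi-square bound lands in the same SIL 2 band as the report's 5.30E-7, which is the more conservative of the two.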