Transducer mod. T-NC/8-API. SIL Safety Report


CEMB S.p.a. Transducer mod. T-NC/8-API SIL Safety Report SIL006/11 rev.0 dated 03.03.2011, Page 1 of 7

1. Field of use

The transducers measure static or dynamic distance in plants that must satisfy the safety standards of IEC 61508. The operating limits are given on the data sheet of each model.

2. Acronyms and abbreviations

HFT - Hardware Fault Tolerance: tolerance to faults in the equipment hardware, i.e. the ability to perform a requested function even in the presence of faults or deviations.
MTBF - Mean Time Between Failures: average duration between two successive failures.
MTTR - Mean Time To Repair: average duration between the appearance of a fault on a machine/system and its repair.
PFD - Probability of Failure on Demand: probability of dangerous failure of a safety function.
PFD AVG - Average Probability of Failure on Demand: average probability of dangerous failure of a safety function when it is demanded.
PFH AVG - Average Probability of Failure per Hour: average probability of dangerous failure of a safety function per hour.
SIL - Safety Integrity Level: the IEC 61508 international standards define four discrete Safety Integrity Levels (SIL 1 to SIL 4). Each level corresponds to a probability interval for the failure of a safety function; the higher the Safety Integrity Level of the safety system, the lower the probability that the requested safety functions are not executed.
SFF - Safe Failure Fraction: fraction of non-dangerous failures, i.e. failures which do not bring the safety system into a dangerous or disallowed state.
Low demand mode - Low demand mode of operation: mode in which the demand on the safety function occurs no more than once per year and no more than twice the frequency of the periodic (proof) check.
DCS - Distributed Control System: control systems used in industrial applications to monitor and control decentralized equipment.
LRV - Lower Range Value: zero of the measuring range.
URV - Upper Range Value: span of the measuring range.

3. Applicable regulations

IEC 61508 parts 1-7: functional safety of electrical/electronic/programmable electronic safety-related systems.

4. Additional applicable documentation

Besides the SIL safety standards, the following documentation must also be considered: T-NC/8-API data sheet. All literature is available in Italian and English. The user remains responsible for compliance with the applicable laws and standards.

5. Terms and definitions

Dangerous failure: failure potentially able to bring the safety system into a dangerous or non-functional state.
Safety system: system able to perform the safety functions necessary to reach or maintain a safe state of a plant.
Safety function: defined function, performed by a safety system, with the aim of reaching or maintaining a safe state of a plant with respect to a predefined dangerous event.

6. Safety function

The T-NC8/API transducers generate an electrical signal proportional to the distance of the target, with a sensitivity of 7.87 V/mm as stated on the data sheet. The transducers perform this function by means of eddy-current probes, without the use of any software. No self-diagnostic function is provided. The accuracy and safety limits are described on the data sheet.

7. Checks

The safety function of the whole safety loop must be checked regularly in accordance with IEC 61508. The check intervals are established by the calculation of the individual safety loops of a plant. The plant manager is responsible for choosing the type of check and its interval within a defined period of time. To check the safety function of the transducers, proceed as follows:

1 - Power the transducer.
2 - Check the correct output (around -10 Vdc) when the transducer is positioned approximately 1.5 mm from the target.
3 - Check that a displacement of the target produces a corresponding variation of the output.

Damaged transducers must be sent to our service department with an indication of the type of failure and its possible cause.

8. Configuration

The transducer is supplied configured and tested according to the specifications of the customer's purchase order. Before putting the transducer into operation as part of the safety function, check that the configuration guarantees the safety function of the system, and check that the right transducer is installed at the right measuring point. As there are no modifiable configuration parameters, the safety function is assured by the original configuration.

9. IEC 61508 proven in use

IEC 61508-2, 7.4.7.6:
A previously developed subsystem shall only be regarded as proven in use when it has a clearly restricted functionality and when there is adequate documentary evidence which is based on the previous use of a specific configuration of the subsystem (during which time all failures have been formally recorded, see 7.4.7.10), and which takes into account any additional analysis or testing, as required (see 7.4.7.8). The documentary evidence shall demonstrate that the likelihood of any failure of the subsystem (due to random hardware and systematic faults) in the E/E/PE safety-related system is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.

For a device to be considered proven in use, the volume of operating experience must be taken into account. The T-NC8/API transducers appeared on the market in 1989.

Considering the sales and repair data, 4084 units were sold during 2001-2010. For the failure calculation we consider only the operating hours within the warranty period, since after this period we conservatively assume that failures are not reported. The operating hours total 35,775,840, which is considered sufficient given the low complexity of the transducer and its use in SIL 2 applications. The field experience shows the following failures:

Year  | Systematic failures | Random failures | Non-computable failures* | Total computable failures
2001  | 0 | 4 | 10 | 4
2002  | 0 | 1 |  8 | 1
2003  | 0 | 3 |  5 | 3
2004  | 0 | 2 | 12 | 2
2005  | 0 | 2 | 13 | 2
2006  | 0 | 1 | 14 | 1
2007  | 0 | 1 |  2 | 1
2008  | 0 | 0 |  8 | 0
2009  | 0 | 0 |  1 | 0
2010  | 0 | 1 |  8 | 1
Total |   |   |    | 15

*Failures due, for instance, to falls or mechanical shocks.

As there is no evidence that all failures in the warranty period have been reported, we assume that only 70% of these failures have been duly declared, thus arriving at an estimated number of failures of 15/0.7 = 21.43, rounded up to 22. These data give a failure rate of 6.15E-7 [1/h]. As the IEC 61508 standards require the calculation with a confidence limit higher than 70%, we obtain 7.51E-7 [1/h].

IEC 61508-2, 7.4.7.7:
The documentary evidence required by 7.4.7.6 shall demonstrate that the previous conditions of use (see note) of the specific subsystem are the same as, or sufficiently close to, those which will be experienced by the subsystem in the E/E/PE safety-related system, in order to determine that the likelihood of any unrevealed systematic faults is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.
NOTE: The conditions of use (operational profile) include all the factors which may influence the likelihood of systematic faults in the hardware and software of the subsystem. For example, environment, modes of use, functions performed, configuration, interfaces to other systems, operating system, translator, human factors.

The T-NC8/API transducers are always used in similar applications under similar environmental conditions. Therefore, provided the use is within the parameters shown on the data sheet, the clause is satisfied.

IEC 61508-2, 7.4.7.8:

Where there is any difference between the previous conditions of use and those which will be experienced in the E/E/PE safety-related system, then any such difference(s) shall be identified and there shall be an explicit demonstration, using a combination of appropriate analytical methods and testing, in order to determine that the likelihood of any unrevealed systematic faults is low enough so that the required safety integrity level(s) of the safety function(s) which use the subsystem is achieved.

As there is no difference between the previous uses of the T-NC8/API transducers and the foreseen conditions of use, the clause is considered satisfied.

IEC 61508-2, 7.4.7.9:
The documentary evidence required by 7.4.7.6 shall establish that the extent of previous use of the specific configuration of the subsystem (in terms of operational hours) is sufficient to support the claimed rates of failure on a statistical basis. As a minimum, sufficient operational time is required to establish the claimed failure rate data to a single-sided lower confidence limit of at least 70% (see IEC 61508-7, annex D and IEEE 352). An operational time of any individual subsystem of less than one year shall not be considered as a part of the total operational time in the statistical analysis (see note).
NOTE: The necessary time, in terms of operational hours, required to establish the claimed rates of failure may result from the operation of a number of identical subsystems, provided that failures from all the subsystems have been effectively detected and reported (see 7.4.7.10). If, for example, 100 subsystems each work fault-free for 10,000 h, then the total time of fault-free operation may be considered as 1,000,000 h. In this case, each subsystem has been in use for over a year and the operation therefore counts towards the total number of operational hours considered.

As stated under 7.4.7.6, the number of operating hours, considering the simplicity of the transducer and its use for SIL 2, is assumed to be sufficient. We have also considered a confidence limit of 70%.

IEC 61508-2, 7.4.7.10:
Only previous operation where all failures of the subsystem have been effectively detected and reported (for example, when failure data has been collected in accordance with the recommendations of IEC 60300-3-2) shall be taken into account when determining whether the above requirements (7.4.7.6 to 7.4.7.9) have been met.

As stated under 7.4.7.6, since it is not realistic that all failures have been declared, we have taken into account only the warranty period and assumed that failures were reported in 70% of cases. These precautionary assessments make the clause satisfied.

IEC 61508-2, 7.4.7.11:
The following factors shall be taken into account when determining whether or not the above requirements (7.4.7.6 to 7.4.7.9) have been met, in terms of both the coverage and the degree of detail of the available information (see also 4.1 of IEC 61508-1):
a) the complexity of the subsystem;
b) the contribution made by the subsystem to the risk reduction;
c) the consequences associated with a failure of the subsystem;
d) the novelty of design.

All the factors listed in the standard have been taken into account in the present evaluation.

IEC 61508-2, 7.4.7.12:
The application of a proven-in-use safety-related subsystem in the E/E/PE safety-related system should be restricted to those functions and interfaces of the subsystem which meet the relevant requirements (see 7.4.7.6 to 7.4.7.10).
NOTE: The measures 7.4.7.4 to 7.4.7.12 are also applicable for subsystems which contain software. In this case it has to be assured that the subsystem performs in its safety-related application only that function for which evidence of the required safety integrity is given. See also 7.4.2.11 of IEC 61508-3.

The T-NC8/API transducer does not contain software and, as a proven-in-use device, is used only under the conditions of the present report. We therefore consider the clause satisfied.

10. Conclusions

The following table shows the SIL levels for the various ranges of PFD AVG and PFH AVG:

Safety Integrity Level (SIL) | Average Probability of Failure on Demand (PFD AVG) | Average Probability of Failure per Hour (PFH AVG)
SIL 4 | ≥ 10^-5 to < 10^-4 | ≥ 10^-9 to < 10^-8
SIL 3 | ≥ 10^-4 to < 10^-3 | ≥ 10^-8 to < 10^-7
SIL 2 | ≥ 10^-3 to < 10^-2 | ≥ 10^-7 to < 10^-6
SIL 1 | ≥ 10^-2 to < 10^-1 | ≥ 10^-6 to < 10^-5

Having obtained a PFH AVG value of 7.51E-7, we consider the use for SIL 2 applications correct.

Mandello del Lario, 3rd March 2011
CEMB S.P.A.
Quality Product Management (Raffaele Paruzzi)
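As an added worked example (not part of the CEMB report), the following Python reproduces the proven-in-use arithmetic of section 9 and the SIL banding of section 10: the declared failures are scaled for the assumed 70% reporting rate, the point failure rate is taken over the stated operating hours, and a one-sided 70% upper confidence bound is computed with the textbook chi-squared formula for a time-truncated sample, then mapped onto the PFH AVG bands of the conclusion table. Assumption: the report does not state how its 7.51E-7 bound was derived, so the bound produced here follows the standard formula rather than reproducing that figure.

```python
"""Proven-in-use arithmetic for the T-NC8/API report data (added example, not CEMB's code)."""
from math import ceil, sqrt
from statistics import NormalDist

# Total computable (random) failures per year, copied from the report's table (2001-2010).
REPORTED_FAILURES = {2001: 4, 2002: 1, 2003: 3, 2004: 2, 2005: 2,
                     2006: 1, 2007: 1, 2008: 0, 2009: 0, 2010: 1}
OPERATING_HOURS = 35_775_840   # warranty-period operating hours stated in the report
REPORTING_RATE = 0.70          # report's assumption: only 70% of failures were declared

# PFH AVG bands from the report's conclusion table: SIL -> [lower, upper) in 1/h.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def corrected_failures(reported, reporting_rate):
    """Scale the declared failures up for under-reporting and round up (15 / 0.7 -> 22)."""
    return ceil(sum(reported.values()) / reporting_rate)


def point_failure_rate(failures, hours):
    """Maximum-likelihood failure rate in 1/h (22 failures over 35,775,840 h -> about 6.15E-7)."""
    return failures / hours


def chi2_quantile(p, df):
    """Wilson-Hilferty approximation of the chi-squared quantile; avoids a scipy dependency."""
    z = NormalDist().inv_cdf(p)
    h = 2.0 / (9.0 * df)
    return df * (1.0 - h + z * sqrt(h)) ** 3


def upper_confidence_rate(failures, hours, confidence=0.70):
    """One-sided upper bound on the failure rate for a time-truncated sample:
    chi2_{confidence}(2r + 2) / (2T). Assumption: the report does not state its method."""
    return chi2_quantile(confidence, 2 * failures + 2) / (2.0 * hours)


def sil_for_pfh(pfh):
    """Map a PFH AVG value onto the SIL band of the conclusion table (None if outside all bands)."""
    for sil, (lower, upper) in PFH_BANDS.items():
        if lower <= pfh < upper:
            return sil
    return None


def assess(reported=REPORTED_FAILURES, hours=OPERATING_HOURS, reporting_rate=REPORTING_RATE):
    """Run the whole chain and return the intermediate figures for inspection."""
    r = corrected_failures(reported, reporting_rate)
    point = point_failure_rate(r, hours)
    upper = upper_confidence_rate(r, hours)
    return {"failures": r, "point_rate": point, "upper_70pct": upper,
            "sil_point": sil_for_pfh(point), "sil_upper": sil_for_pfh(upper)}


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key:>12}: {value:.3g}" if isinstance(value, float) else f"{key:>12}: {value}")
```

Both the point estimate and the confidence bound fall in the SIL 2 PFH band, which is the conclusion the report draws; changing REPORTING_RATE or the confidence level shows how sensitive that claim is to the two assumptions the report makes.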