600T Safety Pressure Transmitters

Presentation transcript:

600T Safety Pressure Transmitters TÜV SIL2 approved IEC 61508 /ISA S84.01

Summary:
- Safety - applicable standards & rules
- 600T Safety Transmitters - general concepts
- Saturation & alarm levels
- Key points for determining the “Safety Integrity Level”

Applicable Std & Rules (terms on the slide): TÜV, HAZOP, SIS, SIL, ANSI/ISA S84, IEC 61511, PHA, OSHA 1910, IEC 61508, Safety Life Cycle

Application standards: NFPA 8501, NFPA 8502, DIN VDE 0116, IEC 61511, EN 298, HSE PES, ISO 10418, EN 54-2, API RP14C
Functional Safety: ISA S84.01, IEC 61508, DIN V VDE 0801, DIN V 19250
Basic safety / low voltage / Ex protection / EMC: EN 50081-2, EN 50082-2, EN 61131-2
Basic quality requirements: ISO 9000

IEC 61508: applicable for all industries
ISA S84.01: process industry
IEC 61511: process industry
IEC 61513: nuclear industry
IEC 1131: programming languages for PLCs; this specification plays an important role in programmable systems for safety applications
IEC 615YY: transportation
IEC 615ZZ: other industries

Current status of the standards (IEC 61508 / IEC 61511): Part 1 CDV (May); Parts 2, 3 CDV (July); Parts 1, 2, 3 FDIS May 2001

Safety - Base Concept. Safety integrity can be expressed as: “the ability of the system to carry out the safety operation satisfactorily on demand”. The evaluation of the performance of the system should be done according to the international standards (SIL in IEC) and national rules (AK in DIN). Certification can only be performed by an authorized institute such as TÜV.

Safety - Base Concept. Safety Integrity Level (SIL): “the safety probability achievable through the loop (system) on safety demand.” A safety loop or system includes all hardware, software and all the other components necessary for achieving the needed safety functions.

Safety - Base concept. Safety Loop, typical share of loop failures per subsystem: transducer & transmitter 35%; safety system 15%; actuator, valve 50%.

Safety Integrity Levels (SIL)

  SIL 4   PFD 1E-5 to < 1E-4   RRF 100,000 to 10,000 yrs.
  SIL 3   PFD 1E-4 to < 1E-3   RRF 10,000 to 1,000 yrs.
  SIL 2   PFD 1E-3 to < 1E-2   RRF 1,000 to 100 yrs.
  SIL 1   PFD 1E-2 to < 1E-1   RRF 100 to 10 yrs.

Protection goals shown on the slide alongside the levels, from the top of the scale down: nuclear; protection of environment & community; human protection; protection of ownership and manufacturing; protection of plants.
PFD = Probability of Failure on Demand. RRF = Risk Reduction Factor (1/PFD).

Safety Integrity Levels, Target Failure Measures

  Safety Integrity Level   Low demand mode of operation:                        Continuous/high demand mode of operation:
                           probability of failure to perform its                probability of a dangerous failure per year
                           design function on demand
  SIL 4                    >= 10^-5 to < 10^-4                                  >= 10^-5 to < 10^-4
  SIL 3                    >= 10^-4 to < 10^-3                                  >= 10^-4 to < 10^-3
  SIL 2                    >= 10^-3 to < 10^-2                                  >= 10^-3 to < 10^-2
  SIL 1                    >= 10^-2 to < 10^-1                                  >= 10^-2 to < 10^-1

Typical share of loop failures: E/E/PE sensor-transmitter 35%, safety controller 15%, actuator 50%.

Safety Lifecycle: “the sequence of activities involved in implementing the safety system, from the engineering design until commissioning”.

Overall safety lifecycle phases:
1 Concept. Safety analysis: identify the safety functions; determine the minimum safety integrity to which each safety function should be carried out.
2 Overall Scope Definition
3 Hazard & Risk Analysis
4 Overall Safety Requirements
5 Safety Requirements Allocation
Overall Planning:
6 Overall Operation & Maintenance Planning
7 Overall Validation Planning
8 Overall Installation & Commissioning Planning
Realization:
9 Safety-related systems: E/E/PES
10 Safety-related systems: Other Technology
11 External Risk Reduction Facilities
12 Overall Installation & Commissioning
13 Overall Safety Validation
14 Overall Operation & Maintenance
15 Overall Modification & Retrofit (back to the appropriate Overall Safety Lifecycle phase)
16 Decommissioning

Block 9 (Safety-related systems: E/E/PES), expanded:
9.1 E/E/PES Safety Requirements Specification
  9.1.1 Safety Functions Requirements Specification
  9.1.2 Safety Integrity Requirements Specification
9.2 E/E/PES Validation Planning
9.3 Design & Development
9.4 Integration
9.5 E/E/PES Operation & Maintenance Procedures (to box 14)
9.6 Safety Validation (to box 12)

Example for determining the Safety Integrity Level (ISA S84.01). The slide shows a risk matrix with three axes: probability of the dangerous event (Low / Medium / High), level of effect of the dangerous event (Low / Medium / High) and efficiency of other means towards a risk reduction (Low / Medium / High); the entries range from NA to SIL 3.
* NA = No SIS required
* Numbers in boxes are SIL levels for the SIS

Comparison between classifications

  Availability %   P.F.D. (Probability of Failure on Demand)   ANSI/ISA S84.01 SIL   IEC 61508 SIL   TÜV class (AK), DIN V 19250
  99.99999         0.00001                                     -                     -               AK8 (class 8)
  99.9999          0.0001                                      -                     4               AK7 (class 7), AK6 (class 6)
  99.999           0.001                                       3                     3               AK5 (class 5), AK4 (class 4)
  99.99            0.01                                        2                     2               AK3 (class 3), AK2 (class 2)
  99.90            0.1                                         1                     1               AK1 (class 1)
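The SIL bands, the RRF = 1/PFD definition, the availability column and the 35/15/50 loop split from the slides above, worked through in code. This is an added example, not ABB or 600T code; the subsystem PFD values and the loop target are constructed inputs, and the first-order summation of subsystem PFDs is an assumption stated in the comments.

```python
# Added example: SIL classification and loop PFD budgeting from the slide figures.
from typing import Dict, Optional

# IEC 61508 low-demand target failure measures (slide table):
# SIL -> (PFD lower bound, inclusive; upper bound, exclusive)
SIL_PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}

# Typical share of loop failures per subsystem (slide "Safety Loop")
LOOP_SHARE = {"sensor_transmitter": 0.35, "safety_controller": 0.15, "actuator": 0.50}


def sil_from_pfd(pfd: float) -> Optional[int]:
    """SIL whose band contains pfd; None if PFD >= 0.1 (no SIL) or < 1e-5 (off table)."""
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1/PFD, as defined on the SIL slide."""
    return 1.0 / pfd


def availability_pct(pfd: float) -> float:
    """Availability column of the comparison table: 100 * (1 - PFD)."""
    return 100.0 * (1.0 - pfd)


def loop_pfd(subsystem_pfd: Dict[str, float]) -> float:
    """Assumption: to first order the loop PFD is the sum of the subsystem PFDs."""
    return sum(subsystem_pfd.values())


def pfd_budget(target_loop_pfd: float) -> Dict[str, float]:
    """Split a loop PFD target across the loop using the 35/15/50 shares."""
    return {name: target_loop_pfd * share for name, share in LOOP_SHARE.items()}


if __name__ == "__main__":
    # Constructed loop: SIL2-rated transmitter, SIL3 logic solver, unrated valve.
    loop = {"sensor_transmitter": 1e-3, "safety_controller": 5e-4, "actuator": 1.5e-2}
    total = loop_pfd(loop)
    print(f"loop PFD {total:.4f} -> SIL {sil_from_pfd(total)}, RRF {risk_reduction_factor(total):.0f}")
    for name, pfd in pfd_budget(5e-3).items():   # SIL 2 loop target, mid-band
        print(f"  budget {name}: PFD <= {pfd:.2e}")
```

The constructed loop lands in SIL 1 even though transmitter and logic solver are SIL 2 and SIL 3 rated, which is the point of the slide's 50% actuator share.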

Safety - Philosophy. It requires an analysis of the risks and a consequent evaluation of integrity according to the SIL (Safety Integrity Levels). “Think” safety during the whole life cycle of your plant. “Think” safety not only for the safety controller but for the whole safety loop: sensor/transmitter and actuator.

Safety Transmitter. The 600T Safety Transmitter has been designed according to IEC 61508, “Functional safety of electrical/electronic/programmable electronic safety-related systems”, to Safety Integrity Level 2 (SIL2).

Safety Transmitter. SIL2 means that the transmitter should detect every internal hardware failure, giving an external alarm and driving the analogue output to a predetermined value. The 600T Safety is intrinsically redundant both in hardware and in software. This has been achieved with a supplementary stage and through an improvement of the internal diagnostic software.

Saturation limits and UP/DOWN scale (alarms) according to NE43 (NAMUR).
Saturation levels: if the input signal is above 105%, high saturation = 20.8 mA; if the input signal is below -1.25%, low saturation = 3.8 mA.
Alarm levels: up scale = 22 mA; down scale = 3.7 mA.

Saturation limits and UP/DOWN (alarm) scale, output regions shown on the slide: normal operation; analogue output saturated at 3.8 mA (low) and 20.8 mA (high); malfunctioning at 3.7 mA (down scale) and 22 mA (up scale).

The SIL2 approval is valid only for the analog output, since the HART communication protocol is not certifiable. Nevertheless, the 600T Safety Pressure Transmitters perform HART communication and keep all the HART features, with improved diagnostic information.

Principle of operation. 600T Safety Transmitters take advantage of the intrinsic redundancy of the highly reliable 600T series differential inductive sensor, which provides two independent signals proportional to the input pressure. The two inductive signals are separately detected by two independent ASICs and separately processed by the electronics. The calculations follow independent flows and are compared in the microcontroller in order to validate the output pressure signal.

Principle of operation. Internal diagnostic algorithms are implemented to check the correctness and validity of all processing variables and the correct working of the memories. Supplementary shut-down circuitry provides a safe shut-down when a fault occurs in the analog section of the electronics.

Principle of operation. The output stage is also checked by reading back the analog output signal. The feedback loop is obtained by an additional A/D converter placed at the end of the output stage, which translates the 4-20 mA signal into a digital form suitable for comparison by the microcontroller.

Summary of Key Points for Safety Integrity:
- Excitation and reading integrity
- Sensor integrity
- CPU integrity

Summary of Key Points for Safety Integrity (continued):
- Analog output stage integrity
- CPU working - software sequences
- Clock integrity
- Power supply monitoring

Primary signal detection - excitation and reading integrity. The pick-up values are read by two independent circuits and transferred to the analog-to-digital conversion on two independent lines. The values are checked to verify the correct working of the circuits and the consistency of the readings.

Sensor integrity. Pressure values are calculated independently from the two pick-ups. To check the consistency between the measurements of the two pick-ups, and therefore the sensor integrity, the results are independently evaluated and compared with each other. In case of failure of the comparison the output is driven to up or down scale.

Hardware and software redundancy. TÜV SIL2 approved, IEC 61508 - ISA S84.01.

Block diagram elements shown on the slide: dual element sensor (pressure detection element 1, pressure detection element 2, temperature sensor); A/D; microprocessor (linearization & compensation for each element, comparators, voting, validation, HART, watchdog, clock 1, clock 2, verify supply, verify output); D/A; power supply & analog output (4-20 mA output 1, 4-20 mA output 2, fail-safe enable, 4-20 mA safe output).

To better understand the architecture and the structure of the transmitters we can use this block diagram. There is a main information path and a redundant information path which carries out the diagnostics. The main information path is in green: the pick-up values are read in the primary electronics board, where they are converted to a characteristic proprietary signal; in the secondary unit the A/D conversion and the linearization and compensation are performed. Then the digital variable is converted to an analog value that drives the output stage. In the redundant path another reading is performed; the obtained values are converted, linearized and compared with the results of the main information path. In red are the control and diagnostic blocks: first the two measurements are checked against each other, then the two calculated pressure values are compared with each other. All the sequences are monitored by a watchdog circuit. In case of a serious failure in the microcontroller, a supplementary independent shut-down circuit shuts down the system. This block is driven by a redundant supplementary clock and by the microcontroller, which acts on it in case the output stage fails. This last detection is obtained by a feedback reading of the real output, which is compared in the microcontroller with the digital variable.

600T Inductive Sensor, parts shown on the slide: feedthrough, measuring diaphragm, ferrite plate, coil, ferrite pot-core.

Conclusions - random hardware failure. Avoid by: more reliable components; additional defences against common mode failures; increased diagnostic coverage; increased redundancy.

Conclusions - systematic failures (specification errors, equipment errors, software errors). Avoid by: design features that control (tolerate) systematic faults in actual operation; techniques and measures that avoid systematic faults during design and development.

CPU Integrity. Pressure values are calculated independently from the two pick-ups. To check the consistency between the measurements of the two pick-ups, and therefore the sensor integrity, the results are independently evaluated and compared with each other. In case of failure of the comparison the output is driven to up or down scale.

Output analog stage integrity. The 4-20 mA analog output signal is read back and compared with the digital 4-20 mA value produced internally by the microcontroller, to verify the integrity of the output stage. In case of failure of this check the transmitter goes into alarm status; a supplementary output stage then delivers a 21.6 mA signal.

CPU working - software sequences. At the end of every calculation loop a watchdog is reset. If this does not happen, it means that there is an error in the microcontroller operations; after a further verification and confirmation of the error, an alarm signal (21.6 or 3.6 mA) is generated.

Clock integrity. A secondary clock verifies the correct functionality of the primary clock. In case of failure the supplementary output stage delivers a 21.6 mA signal.

Power supply monitoring. If the supply voltage goes outside the minimum or maximum limit, the output signal is driven to the alarm condition.
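The NE43 saturation/alarm levels and the diagnostic checks listed in the key points above (pick-up comparison, output read-back, watchdog, clock, supply), modelled as one decision procedure plus the receiver-side interpretation of the resulting current. This is an added example, not ABB or 600T firmware; the current levels are the slide's, while the comparison tolerances and the sample cycles are constructed assumptions.

```python
# Added example: model of the 600T Safety diagnostic decisions described on the slides.
from dataclasses import dataclass
from typing import Optional, Tuple

HIGH_SAT_MA, LOW_SAT_MA = 20.8, 3.8     # saturation levels (NE43 slide)
UP_SCALE_MA, DOWN_SCALE_MA = 22.0, 3.7  # alarm levels (NE43 slide)
FAIL_SAFE_MA = 21.6                     # supplementary output stage (slides)
CHANNEL_TOL_PCT = 0.5                   # assumption: allowed pick-up disagreement
READBACK_TOL_MA = 0.1                   # assumption: D/A vs read-back tolerance


@dataclass
class Cycle:
    """Constructed snapshot of one calculation loop inside the transmitter."""
    pressure_1_pct: float            # pressure calculated from pick-up 1 (% span)
    pressure_2_pct: float            # pressure calculated from pick-up 2 (% span)
    readback_ma: Optional[float]     # real output read back through the extra A/D
    watchdog_reset: bool = True      # watchdog reset at the end of the loop?
    clocks_agree: bool = True        # secondary clock confirms the primary clock?
    supply_ok: bool = True           # supply voltage within min/max limits?


def nominal_output_ma(pct: float) -> float:
    """4-20 mA from % of span, clipped at the NE43 saturation levels."""
    if pct >= 105.0:
        return HIGH_SAT_MA
    if pct <= -1.25:
        return LOW_SAT_MA
    return 4.0 + 16.0 * pct / 100.0


def transmitter_output_ma(c: Cycle) -> Tuple[float, str]:
    """Apply the slides' checks in order; return (loop current, reason)."""
    if not c.supply_ok:               # power supply monitoring
        return FAIL_SAFE_MA, "supply out of limits"
    if not c.clocks_agree:            # clock integrity
        return FAIL_SAFE_MA, "primary clock failure"
    if not c.watchdog_reset:          # CPU working - software sequences
        return FAIL_SAFE_MA, "watchdog not reset"
    if abs(c.pressure_1_pct - c.pressure_2_pct) > CHANNEL_TOL_PCT:
        return UP_SCALE_MA, "pick-up comparison failed"   # sensor integrity
    expected = nominal_output_ma(c.pressure_1_pct)
    if c.readback_ma is None or abs(c.readback_ma - expected) > READBACK_TOL_MA:
        return FAIL_SAFE_MA, "output read-back mismatch"  # output stage integrity
    return expected, "ok"


def receiver_classify(ma: float) -> str:
    """How an NE43-aware logic solver should interpret the received current."""
    if ma < LOW_SAT_MA - 0.05:
        return "failure low"        # 3.7 mA down-scale alarm region
    if ma > HIGH_SAT_MA + 0.05:
        return "failure high"       # 21.6 / 22 mA up-scale alarm region
    if ma <= LOW_SAT_MA or ma >= HIGH_SAT_MA:
        return "saturated"
    return "normal"
```

A saturated 20.8 mA and an alarm 21.6 mA differ by under 1 mA, so the receiver's thresholds, not just the transmitter's, decide whether a fault is noticed.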

End of slide show.

Who is TÜV? TÜV is a testing agency based in Germany that provides functional safety assessment for safety instrumented systems per a number of different standards, including VDE 0801/A1 (the primary standard), IEC 61508, ISA 84.01 and a number of other DIN electrical and application-specific standards. Its certification of safety-related programmable controllers/logic solvers has gained an influential world-wide reputation, particularly in the petrochemical industry.

Is there a legal obligation to consider functional safety? Yes. In Europe, the USA and Germany statutory regulations address the possible malfunction of safety-related equipment. Europe: Machine Directive, Gaseous Fuel Directive, Medical Device Directive; USA: OSHA regulations, in particular 29 CFR §1910.119; Germany: Gerätesicherheitsgesetz (Device Safety Law) and Störfallverordnung (Safety Incident Regulation).

What are the requirements for functional safety? In the US process industry, ISA S84.01 has been established to address the application of safety instrumented systems, and internationally IEC 61508 is expected to become the dominant, world-wide standard for functional safety. These standards define the requirements for Safety Integrity Level 1, 2, 3 and 4 certification.
