Servomex Functional Safety Manual Servotough OxyExact 2223A Transmitter

PROCESS ANALYSERS SERVOTOUGH OxyExact 2223A Transmitter Functional Safety Manual Part Number: Revision: Language: 02223006A 0 UK English This page intentionally blank. 2223A Oxygen Transmitter Functional Safety Manual LIST OF CONTENTS Section 1 INTRODUCTION ................................................................................................ 1 1.1 1.2 1.3 Purpose of this manual ....................................................................................... 1 Product description ............................................................................................. 1 Required documentation..................................................................................... 1 2 DEFINITIONS AND DESCRIPTIONS ................................................................ 3 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 Safety instrumented system (SIS) ...................................................................... 3 Safety function .................................................................................................... 3 Safe failure.......................................................................................................... 3 Dangerous failure................................................................................................ 3 Detected failure................................................................................................... 3 Type A and type B subsystems .......................................................................... 3 Hardware fault tolerance (HFT) .......................................................................... 4 Safe failure fraction (SFF)................................................................................... 4 PFDAVG ................................................................................................................ 4 Mean time to repair (MTTR) ............................................................................... 4 Proof test............................................................................................................. 4 Safety integrity level (SIL) ................................................................................... 5 3 SAFETY INSTRUCTIONS.................................................................................. 7 3.1 3.2 3.3 3.4 3.4.1 3.4.2 3.4.3 3.4.4 3.5 3.6 3.6.1 3.6.2 3.6.3 Boundary of safety system ................................................................................. 7 Safety function .................................................................................................... 7 Installation........................................................................................................... 7 Settings ............................................................................................................... 8 mA Output........................................................................................................... 8 Fault relay ........................................................................................................... 9 Flow alarm .......................................................................................................... 9 Analog inputs ...................................................................................................... 9 Protection of settings ........................................................................................ 10 Checking safety ................................................................................................ 10 Checks where pressure compensation is not used. ......................................... 10 Checks where pressure compensation is used. ............................................... 11 Routine calibration ............................................................................................ 11 A1 APPENDIX........................................................................................................ 13 02223006A / Revision 0 i 2223A Oxygen Transmitter Functional Safety Manual This page intentionally blank. ii 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual 1 INTRODUCTION 1.1 Purpose of this manual This manual provides information and instructions that will be needed in order to use the 2223A Oxygen Transmitter in a safety instrumented system. It is aimed at those responsible for planning, designing, installing, commissioning and maintaining safety instrumented systems using the 2223A Oxygen Transmitter. 1.2 Product description The 2223A Oxygen Transmitter provides a stable and accurate measurement of the oxygen concentration in a sample gas stream. Pressure compensation and flow alarm are available as internally fitted options or as inputs from external measurements. The measurement is provided as a mA output. Fault indications are provided by a solid state relay output and by an out-of-range current from the mA output. Additional status indications are provided by further solid state relays. The 2223A Oxygen Transmitter is normally used in conjunction with a 2210 or 2213 Control Unit. This provides additional system inputs and outputs and allows the transmitter to be configured and measurements to be displayed. 1.3 Required documentation This manual covers only the functional safety-related aspects of the 2223A Oxygen Transmitter. For complete information it must be read in conjunction with the following:Title Part Number Language Operator Manual 02210001A 02210011A 02210021A 02223005A 02223015A 02223025A English French German English French German Installation Manual 02223006A / Revision 0 1 2223A Oxygen Transmitter Functional Safety Manual This page intentionally blank. 2 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual 2 DEFINITIONS AND DESCRIPTIONS 2.1 Safety instrumented system (SIS) A safety instrumented system comprises components and subsystems (from sensor through to final element) which provide functions aimed at mitigating dangerous failure conditions. 2.2 Safety function A defined function executed by a safety instrumented system which is intended to mitigate a specific dangerous event. 2.3 Safe failure A failure other than the specific failures which lead to the defined hazardous failure state. 2.4 Dangerous failure A specific failure mode which leads to a defined non-functioning state. Note that there may be more than one dangerous failure mode for any particular system. 2.5 Detected failure A failure that is detected by diagnostic tests, proof tests, operator intervention or through normal operation. 2.6 Type A and type B subsystems This relates to the complexity of the subsystem and the degree to which it is understood. A subsystem is classified as Type A if all of the following are true:• The failure modes of all components are well defined • The behaviour of the subsystem under fault conditions can be completely determined • There is sufficient dependable field failure data to show that the claimed failure rates for detected and undetected dangerous failures are met. A subsystem is classified as Type B if any of the following are true:• The failure mode of at least one component is not well defined • The behaviour of the subsystem under fault conditions cannot be completely determined • There is insufficient dependable field failure data to support claims for failure rates for detected and undetected dangerous failures. Type B subsystems include those with complex components (e.g. microprocessors) or software. 02223006A / Revision 0 3 2223A Oxygen Transmitter Functional Safety Manual 2.7 Hardware fault tolerance (HFT) The ability to continue to provide a safety function in the presence of faults and errors. A hardware fault tolerance of N means that N+1 faults could cause the loss of a safety function. 2.8 Safe failure fraction (SFF) The fraction of failures that does not have the potential to put the safety instrumented system in a dangerous or non-functioning state. In other words, for each failure mode the ratio of the diagnosed dangerous failures and the safe failures to the total failures. This figure is sometimes expressed as a percentage. 2.9 PFDAVG The probability of a dangerous failure on demand. This is intended to apply to systems operating in a low demand mode where the safety function is required on average a maximum of once per year. A typical safety instrumented system normally consists of three subsystems as follows:- Sensor Logic System Final Elements e.g. Analyser e.g. PLC e.g. Valve It can be seen that the analyser will typically be a part of the overall system and is therefore only entitled to a fraction of the total PFDAVG range associated with the specified SIL. 2.10 Mean time to repair (MTTR) This is the average time taken to restore the safety instrumented system to a working state. 2.11 Proof test Periodic tests that are performed to detect failures so that, if necessary, the system can be restored to a fully working state. 4 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual 2.12 Safety integrity level (SIL) The international standard IEC 61508 defines four Safety Integrity Levels from SIL1 to SIL4. Each of these corresponds to a range of probabilities that the safety function will fail. The higher the SIL the greater the probability that the safety function will work when required to do so. The achievable SIL is determined by a number of factors that include the safety management procedures and lifecycle activities carried out during the development of a product or system. This manual only considers product hardware failures and so covers the following characteristics:• Product type (A or B) • Hardware fault tolerance • Safe failure fraction • Average probability of a dangerous failure of the safety function on demand (PFDAVG) and associated proof test interval The following table shows the relationship between hardware fault tolerance and safe failure fraction for a Type B subsystem (see IEC 61508 Section 2). SFF <60% 60 to 90% 90 to 99% >99% 0 Not allowed SIL1 SIL2 SIL3 HFT 1 SIL1 SIL2 SIL3 SIL4 2 SIL2 SIL3 SIL4 SIL4 The following table shows the dependency of the SIL on the probability of failure on demand (PFDAVG) for low demand mode of operation. Safety Integrity Level Low Demand Mode of Operation Average Probability of Failure to Perform Safety Function on Demand 4 ≥ 10-5 to 10-4 3 ≥ 10-4 to 10-3 2 ≥ 10-3 to 10-2 1 ≥ 10-2 to 10-1 02223006A / Revision 0 5 2223A Oxygen Transmitter Functional Safety Manual This page intentionally blank. 6 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual 3 SAFETY INSTRUCTIONS 3.1 Boundary of safety system The following aspects of the 2223A Oxygen Transmitter are considered to be within the boundary of the safety system covered in this manual: • Paramagnetic cell • All signal processing and support functions. This includes optional pressure compensation and flow alarm when fitted and enabled. • mA output • “Fault” relay • External analog inputs • External flow sensor inputs The following are considered to be outside of the safety boundary and are not covered in this manual: 3.2 • Communications interface to Control Unit • “Maintenance required” and “Service in Progress” relays • Digital inputs Safety function The safety function of the 2223A Oxygen Transmitter is the measurement of oxygen concentration in a sample stream. The dangerous failure is the failure to indicate this oxygen concentration to the performance stated in the product’s literature. 3.3 Installation The 2223A Oxygen Transmitter must be installed as detailed in the Installation Manual. To ensure that the safety instrumented system can respond to detected failures in the transmitter, the equipment to which the mA output is connected must treat a current of 0mA as a fault indication. The fault relay can provide an additional method of notifying fault conditions. However, its use in safety instrumented systems as the only method of fault indication is not recommended as it results in a small decrease in the safe failure fraction. If the fault relay is used then connections should be made to the contacts that are normally open when deenergised. 02223006A / Revision 0 7 2223A Oxygen Transmitter Functional Safety Manual 3.4 Settings After installation and commissioning according to the installation manual, the following settings should be made to support the safety function. This will require the use of a 2210 or 2213 Control Unit or a 2215 Tx Interface. To access these functions press the Enter key, navigate to Passwords → Enter Password and enter the appropriate password to allow settings to be changed. From the initial menu screen, navigate as follows:Transmitters → Transmitter Setup → Select Transmitter → Peripherals Enter the appropriate forms and ensure that the necessary settings are made as described below. Note that it may be necessary to scroll the forms displayed on the control unit in order to see all of the fields shown in the following sections. 3.4.1 mA Output Configure the mA output as shown as described below: 8 • Measurement 1 and 2 should be set to appropriate values for the application. • Under Range Current must be a non-zero value. • Jam must be set to Low or High. If the equipment to which the mA output is connected does not recognise both 0mA and 21mA as an indication of fault, then this parameter must be set to Low. • On Service In Progress should be set as required. 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual 3.4.2 Fault relay Select the Fault Relay and configure as follows. 3.4.3 Flow alarm If the internal flow alarm is fitted and enabled, it should be calibrated at “normal” gas flow as described in the operator manual. Alarm levels should then be set as appropriate. As an alternative to the internal flow sensor, external devices may be used in conjunction with the external flow alarm inputs as described in the installation manual. 3.4.4 Analog inputs External measurements may be used to provide pressure compensation and/or cross interference compensation by connection to the transmitter’s analog inputs. Where this feature is enabled it should be configured as described below. 02223006A / Revision 0 9 2223A Oxygen Transmitter Functional Safety Manual 3.5 • Measurement 1, Current 1, Measurement 2 and Current 2 should be configured to map the input current range to the corresponding measurement range. Note that Current 1 must be greater than zero. • Under Range Current should be set to a value less than Current 1 that represents a fault condition in the external measurement. • Over Range Current should be set to a value greater than Current 2 that represents a fault condition in the external measurement. • Name, Filter Factor and Units should be set as appropriate. Protection of settings The 2223A Oxygen Transmitter is supplied with all passwords set to default values. After configuration these should be altered to provide protection against unauthorised changes. 3.6 Checking safety Safety checks should be carried out after installation and at regular intervals in accordance with IEC 61508. The required interval between tests will depend on the application, the design of the overall safety instrumented system and the target SIL. The recommended proof test interval is a maximum of one year. If there are any transmitter fault conditions present, these must be resolved before proceeding. It is also recommended that any maintenance-required conditions are addressed. For all tests it is assumed that the 2223A Oxygen Transmitter is powered and has reached stable operating temperature. 3.6.1 Checks where pressure compensation is not used. 10 1. Take appropriate action to ensure that spurious outputs will not compromise safety or cause false trips. 2. Using the built-in analog output test feature, set the output to 0.0mA and verify that the correct current is generated. Repeat with the output set to 20.0mA. 3. Carry out a full low and high calibration. 4. Perform a reference measurement with an oxygen concentration between the low and high calibration points. Check the mA output current and verify that it is within the required tolerance. 5. If an internal flow sensor is fitted, alter the flow of gas through the analyser and check that the flow alarms are triggered at the appropriate levels. 6. Restore normal operation. 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual 3.6.2 Checks where pressure compensation is used. 1. Take appropriate action to ensure that spurious outputs will not compromise safety or cause false trips. 2. Using the built-in analog output test feature, set the output to 0.0mA and verify that the correct current is generated. Repeat with the output set to 20.0mA. 3. Navigate to the Transmitter Diagnostics form and view Calibrated Pressure. Check that the reading displayed is within an acceptable tolerance of the actual pressure. 4. Calibrate the pressure sensor. 5. Carry out a full low and high calibration of the oxygen measurement. 6. Carry out pressure compensation calibration. 7. Perform a reference measurement with an oxygen concentration between the low and high calibration points. Check the mA output current and verify that it is within the required tolerance. 8. If an internal flow sensor is fitted, alter the flow of gas through the analyser and check that the flow alarms are triggered at the appropriate levels. 9. Restore normal operation. 3.6.3 Routine calibration Regular full calibrations should be carried out as recommended in the operator manual. 02223006A / Revision 0 11 2223A Oxygen Transmitter Functional Safety Manual This page intentionally blank. 12 02223006A / Revision 0 2223A Oxygen Transmitter Functional Safety Manual A1 APPENDIX 02223006A / Revision 0 13