SIL-Safety Instructions SM 265/7/9 SIL-EN Rev. 02 Pressure Transmitter Series 2000T and 265Ax, 265Gx, 265Vx, 265Dx, 265Jx, 267Cx, 269Cx Instructions for Functional Safety



Table of contents (page)

1 Field of application (3)
2 User benefits (3)
3 Acronyms and abbreviations (3)
4 Relevant standards (4)
5 Terms and definitions (4)
6 Determination of the Safety Integrity Level (SIL) (4)
7 Specifications for the safety function (6)
8 Applicable device documentation (6)
9 Behavior during operation and in case of malfunction (6)
10 Periodic checks (6)
11 Settings (7)
12 Safety-related characteristics (7)
13 SIL conformity declaration (9)
14 Management summary (11)


1 Field of application

Differential pressure, gauge pressure and absolute pressure measurements that shall meet the special safety requirements according to IEC 61508 / IEC 61511-1.

The measuring unit meets the requirements regarding
• functional safety in accordance with IEC 61508 / IEC 61511-1
• explosion protection (depending on the version)
• electromagnetic compatibility in accordance with EN 61326 and NAMUR recommendation NE 21.

2 User benefits

Use for
• Pressure limit monitoring
• Continuous measurement
• Easy commissioning

3 Acronyms and abbreviations

Acronym/Abbreviation | Designation | Description

HFT | Hardware Fault Tolerance | The hardware fault tolerance of the device. This is the capability of a functional unit to continue the execution of the demanded function in case of faults or deviations.

MTBF | Mean Time Between Failures | This is the mean time period between two failures.

MTTR | Mean Time To Repair | This is the mean time period between the occurrence of a failure in a device or system and its repair.

PFD | Probability of Failure on Demand | This is the likelihood of dangerous safety function failures occurring on demand.

PFDav | Average Probability of Failure on Demand | This is the average likelihood of dangerous safety function failures occurring on demand.

SIL | Safety Integrity Level | The international standard IEC 61508 specifies four discrete Safety Integrity Levels (SIL 1 to SIL 4). Each level corresponds to a specific probability range regarding the failure of a safety function. The higher the Safety Integrity Level of the safety-related systems, the lower the likelihood of non-execution of the demanded safety functions.

SFF | Safe Failure Fraction | The fraction of non-hazardous failures, i.e. the fraction of failures without the potential to set the safety-related system to a dangerous or impermissible state.

TI | Test interval between life testing of the safety function | Time interval between the functional tests of the safety function.

XooY | "X out of Y" voting (e.g. 2oo3) | Classification and description of the safety-related system regarding redundancy and the selection procedure used. "Y" indicates how often the safety function is carried out (redundancy). "X" determines how many channels must work properly. Example (pressure measurement): 1oo2 architecture. When one out of two pressure sensors reaches a defined limit value, a safety-related system decides that the pressure limit has to be considered as exceeded. In a system with a 1oo1 architecture only one pressure sensor exists.


4 Relevant standards

Standard | Designation

IEC 61508, Part 1 to 7 | Functional safety of electrical/electronic/programmable electronic safety-related systems (Target group: Manufacturers and Suppliers of Devices)

IEC 61511, Part 1 | Functional safety – Safety Instrumented Systems for the process industry sector (Target group: Safety Instrumented Systems Designers, Integrators and Users)

5 Terms and definitions

Term | Definition

Dangerous failure | Failure with the potential to set the safety-related system to a dangerous or inoperative state.

Safety-related system | A safety-related system carries out the safety functions needed to establish or maintain a safe state, e.g. in a plant. Example: A pressure gauge, a logic unit (e.g. limit signal transmitter) and a valve form a safety-related system.

Safety function | A defined function carried out by a safety-related system in order to establish or maintain a safe state of the plant under consideration of a specified dangerous incident. Example: Pressure limit monitoring

6 Determination of the Safety Integrity Level (SIL)

The reachable Safety Integrity Level depends on the following safety-related characteristics:

• Average probability of failure on demand (PFDav)
• Hardware fault tolerance (HFT)
• Safe failure fraction (SFF).

The specific safety-related characteristics for the transmitter as a part of the safety function are detailed in chapter "Safety-related characteristics".

The following table shows the dependence of the Safety Integrity Level (SIL) on the average probability of failure on demand (PFDav). The "Low demand mode" is considered, i.e. the maximum demand rate on the safety-related system is once per year.

Safety Integrity Level (SIL) | PFDav (Low demand mode)

4 | ≥ 10^-5 ... < 10^-4
3 | ≥ 10^-4 ... < 10^-3
2 | ≥ 10^-3 ... < 10^-2
1 | ≥ 10^-2 ... < 10^-1

The sensor, the logic unit and the final control element together form a safety-related system which carries out a safety function. The average probability of failure on demand (PFDav) is usually distributed over the subsystems (sensor, logic unit and final control element) as seen in the illustration below.

Fig. 6-1: Normal distribution of the average probability of failure on demand (PFDav) over the subsystems: sensor (e.g. pressure sensor) ≤ 35 %, logic unit (e.g. PLC) ≤ 15 %, final control element (e.g. valve) ≤ 50 %


IMPORTANT
This documentation applies to the transmitter 265xx as a part of a safety function. The following table shows the reachable Safety Integrity Level (SIL) of the entire safety-related system for systems of type B, depending on the safe failure fraction (SFF) and the hardware fault tolerance (HFT). Systems of type B are e.g. sensors with complex components like microprocessors (see also IEC 61508, Part 2).

Safe Failure Fraction (SFF) | HFT 0 | HFT 1 (0) 1) | HFT 2 (1) 1)

< 60 % | impermissible | SIL 1 | SIL 2
60 ... < 90 % | SIL 1 | SIL 2 | SIL 3
90 ... < 99 % | SIL 2 | SIL 3 | –
≥ 99 % | SIL 3 | – | –

1) Acc. to IEC 61511-1, Part 11.4.3, the hardware fault tolerance (HFT) of sensors and final control elements with complex components can be decreased by one (value in brackets), if the following requirements are met:

– The device is proven-in-field.

– The user can only configure process-related parameters like the measuring range, signal direction in case of fault, etc.

– The device configuration level is access-protected, e.g. by jumper or password (here: code number or key combination).

– The function has a required Safety Integrity Level (SIL) less than 4.

The transmitter meets all requirements.

Fig. 6-2: Safety function (e.g. for pressure limit monitoring) with 265DS as a subsystem. Signal chain: Transmitter 265DS, 4...20 mA, logic unit (e.g. PLC, limit transmitter, etc.), actuator. Configuration access: 1) 265DS with local operation option and adjustable lower and upper range value and damping; 2) PC with graphical user interface like DSV401 (SMART VISION), connected via FSK modem, for setting all parameters, e.g. alarm behavior, max. alarm, operating mode, etc.; 3) Hand-held terminal for setting all parameters, e.g. alarm behavior, max. alarm, operating mode, etc.

The transmitter 2000T / 2600T produces an analog signal (4...20 mA) proportional to the differential pressure or gauge pressure / absolute pressure. This analog signal is fed to a subsequent logic unit, e.g. a PLC or limit transmitter, and monitored for violation of a defined maximum value. The logic unit must be capable of recognizing HI alarms (adjustable between 21 and 22.5 mA) and LO alarms (3.6 mA) in order to allow for malfunction detection.


7 Specifications for the safety function

NOTICE
Refer to chapters "Settings" and "Safety-related characteristics" of this document for the mandatory settings and specifications for the safety function.

See the relevant data sheet for the transmitter response time.

IMPORTANT
An MTTR of 8 hours is specified.

Safety-related systems without an auto-locking function must be set to a monitored or otherwise safe state within the MTTR after execution of the safety function.

8 Applicable device documentation

The following documentation must be available for the transmitter, depending on the model:

Type | Oper. instructions | Type | Oper. instructions

265Dx/Vx | IM 265 D/V | 2010TD/TA | 42/15-712
265Gx/Ax | IM 265 G/A | 2020TG/TA | 42/15-753
267/269Cx | IM 267C/269C | 2010TC | 42/15-714

For explosion-proof devices the respective EC type examination certificate must be available.

9 Behavior during operation and in case of malfunction

Note!
The behavior during operation and in case of malfunction is detailed in the operating instructions.

10 Periodic checks

The operativeness of the transmitter must be checked at appropriate intervals, e.g. by checking the calibration (see the respective operating instructions, chapters about operation, calibration, maintenance and repair). We recommend performing the checks at least once a year. It is the operator's responsibility to define the type of checks and the checking intervals within the stated time period.

Defective transmitters / assembly groups should be returned to the ABB service and repair department, where possible with the type of malfunction and its probable cause stated. When ordering spare parts or spare units please indicate the serial number (S/N) and year of manufacture of the original device.

Address:

ABB Automation GmbH

Department Parts & Repair

Schillerstrasse 72

D-32425 Minden

GERMANY


11 Settings

11.1 Alarm behavior and current output

In case of a malfunction the current is set to the selected value. The settings can be made via the ABB user interface DSV401 (SMART VISION) or via a hand-held terminal.

NOTICE
Check the safety function after entering all parameters. The transmitter allows the signal current to be simulated independently of the measured pressure by using the "Simulation" and "Simulate current" parameters. (These parameters are accessible via DSV401 (SMART VISION) or via the HART hand-held terminal.)

11.2 Locking/Unlocking

WARNING
Any changes to the measuring system and its settings after commissioning may impair the safety function. For this reason it is strongly recommended to disable local transmitter control via the local keys after having entered all parameters and after having checked the safety function. This is to protect your settings against unwanted or unauthorized modification. A lock activated via the local keys can only be deactivated by using the keys again.

Fig. 11-1:

12 Safety-related characteristics

12.1 Assumptions

– HART communication is only used for configuring, adjusting or diagnosing the device, but not for safety-relevant critical operations.

– Cyclic self-diagnosis is executed within one hour and is automatically restarted.

– The repair time after a device fault is 8 hours.

– The long-time average temperature is 40°C.

– The transmitter is only used for low demand mode applications.

– Only the 4...20 mA current signal is evaluated by the safety device.

– A dangerous failure is a failure where the output current no longer responds to the input signal or deviates from it by more than 2 % referred to the measuring span.

– The safety PLC must be designed such that it reliably recognizes faults leading to both HI alarms and LO alarms.


12.2 Specific safety-related characteristics

For details refer to the management summary in the Appendix.

Transmitter type | Measuring range | SFF | PFDav | λdd + λs | λdu

2010TD | 10 mbar | 75 % | 8.54 × 10^-4 | 614 FIT | 195 FIT
2010TC | 10 mbar | 76 % | 9.43 × 10^-4 | 699 FIT | 216 FIT
2010TD / 2010TA | 60 mbar to 20 bar / 400 mbar to 20 bar | 73 % | 8.65 × 10^-4 | 535 FIT | 198 FIT
2010TC | 60 mbar to 20 bar | 73 % | 9.54 × 10^-4 | 620 FIT | 218 FIT
2010TD | 100 bar | 74 % | 24.4 × 10^-4 | 1652 FIT | 558 FIT
2020TA / 2020TG | 60 mbar, 400 mbar | 75 % | 13.1 × 10^-4 | 917 FIT | 300 FIT
2020TA / 2020TG | ≥ 2.5 bar | 69 % | 9.71 × 10^-4 | 518 FIT | 222 FIT

λdd + λs: Fault rate of detected dangerous and of safe faults
λdu: Fault rate of undetected dangerous faults

Transmitter type | Measuring range | SFF | PFDav | λdd + λs | λdu

265Dx (A) / 265Jx (A) | 10 mbar | 75.9 % | 8.54 × 10^-4 | 614 FIT | 195 FIT
267Cx (A) / 269Cx (A) | 10 mbar | 76.4 % | 9.43 × 10^-4 | 699 FIT | 216 FIT
265Dx (C,F,L,N) / 265Jx (C,F,L,N) / 265Vx (F,L,N) | 60 mbar to 20 bar / 60 mbar to 20 bar / 400 mbar to 20 bar | 73.0 % | 8.65 × 10^-4 | 535 FIT | 198 FIT
267Cx (C,F,L,N) / 269Cx (C,F,L,N) | 60 mbar to 20 bar | 74.0 % | 9.54 × 10^-4 | 620 FIT | 218 FIT
265Dx (R) | 100 bar | 74.8 % | 24.4 × 10^-4 | 1652 FIT | 558 FIT
265Ax (C,F) / 265Gx (C,F) | 60 mbar and 400 mbar | 75.3 % | 13.1 × 10^-4 | 917 FIT | 300 FIT
265Ax (L,U) / 265Gx (L,U,R,V) | ≥ 2.5 bar | 70.0 % | 9.71 × 10^-4 | 518 FIT | 222 FIT

λdd + λs: Fault rate of detected dangerous and of safe faults
λdu: Fault rate of undetected dangerous faults

The characters in brackets indicate the catalog number for the measuring range.


13 SIL conformity declaration


14 Management summary

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document.

© All rights reserved.

FMEDA and Prior-use Assessment

Project: Pressure Transmitter 2600T / 2000T Series with 4..20 mA output

Customer: ABB Automation Products GmbH, Minden, Germany

Contract No.: ABB 03/09-13

Report No.: ABB 03/09-13 R001

Version V1, Revision R1.2, March 2004

Stephan Aschenbrenner


© exida.com GmbH abb 03-09-13 r001 v1 r1.2, March 1, 2004

Stephan Aschenbrenner Page 2 of 11

Management summary

This report summarizes the results of the hardware assessment with prior-use consideration according to IEC 61508 / IEC 61511 carried out on the pressure transmitter 2600T / 2000T Series with 4..20 mA output and software version V0.24. Table 1 gives an overview of the different types that belong to the considered pressure transmitter 2600T / 2000T Series.

The hardware assessment consists of a Failure Modes, Effects and Diagnostics Analysis (FMEDA). A FMEDA is one of the steps taken to achieve functional safety assessment of a device per IEC 61508. From the FMEDA, failure rates are determined and consequently the Safe Failure Fraction (SFF) is calculated for the device. For full assessment purposes all requirements of IEC 61508 must be considered.

Table 1: Version overview

Version | Type | Application | Sensor / electronics (part numbers as listed)

V1.1 | 265D*A (2010TD) | Differential pressure 10mbar | 2-6187 P1 (3), 2-6195 P1 (2), 764913_P1
V1.1 | 265J*A | Differential and absolute pressure 10mbar | 2-6187 P1 (3), 2-6195 P1 (2), 764913_P1
V1.2 | 267C*A / 269C*A (2010TC) | Mass flow / Differential pressure 10mbar | 2-6187 P1 (3), 2-6195 P1 (2), 764913_P1, 9280 039 P1 (3)
V2.1 | 265D*(C,F,L,N) (2010TD) | Differential pressure 60mbar to 20bar | 2-6187 P1 (3), 2-6195 P1 (2), 2-6186 P1 (3)
V2.1 | 265J*(C,F,L,N) | Differential and absolute pressure 60mbar to 20bar | 2-6187 P1 (3), 2-6195 P1 (2), 2-6186 P1 (3)
V2.1 | 265V*(F,L,N) (2010TA) | Absolute pressure 400mbar to 20bar | 2-6187 P1 (3), 2-6195 P1 (2), 2-6186 P1 (3)
V2.2 | 267C*(C,F,L,N) / 269C*(C,F,L,N) (2010TC) | Mass flow / Differential pressure 60mbar to 20bar | 2-6187 P1 (3), 2-6195 P1 (2), 2-6186 P1 (3), 9280 039 P1 (3)
V3 | 265D*R (2010TD) | Differential pressure 100bar | 2-6187 P1 (3), 2-6195 P1 (2), 0764 908 P1 (3)
V4 | 265A* (C,F) (2020TA) | Absolute pressure 60mbar and 400mbar | 2-6187 P1 (3), 2-6195 P1 (2), 0764 892 P1 (3)
V4 | 265G* (C,F) (2020TG) | Gauge 60mbar and 400mbar | 2-6187 P1 (3), 2-6195 P1 (2), 0764 892 P1 (3)
V5 | 265A*(L,U) (2020TA) | Absolute pressure 2,5bar | 2-6187 P1 (3), 2-6195 P1 (2), 2-6149 P1 (3)
V5 | 265G*(L,U,R,V) (2020TG) | Gauge 2,5bar | 2-6187 P1 (3), 2-6195 P1 (2), 2-6149 P1 (3)


For safety applications only the 4..20 mA output was considered. All other possible output variants or electronics are not covered by this report. The different devices can be equipped with or without display.

The failure rates used in this analysis are the basic failure rates from the Siemens standard SN 29500.

According to table 2 of IEC 61508-1 the average PFD for systems operating in low demand mode has to be 10^-3 to < 10^-2 for SIL 2 safety functions. A generally accepted distribution of PFDAVG values of a SIF over the sensor part, logic solver part, and final element part assumes that 35% of the total SIF PFDAVG value is caused by the sensor part. For a SIL 2 application the total PFDAVG value of the SIF should be smaller than 1,00E-02, hence the maximum allowable PFDAVG value for the sensor part would then be 3,50E-03.

The pressure transmitter 2600T / 2000T Series with 4..20 mA output is considered to be a Type B 1) component with a hardware fault tolerance of 0.

Type B components with a SFF of 60% to < 90% must have a hardware fault tolerance of 1 according to table 3 of IEC 61508-2 for SIL 2 (sub-) systems.

As the pressure transmitter 2600T / 2000T Series with 4..20 mA output is supposed to be a proven-in-use device, an assessment of the hardware with additional prior-use demonstration for the device and its software was carried out. The prior-use investigation was based on field return data collected and analyzed by ABB Automation Products GmbH. This data cannot cover the process connection. The prior-use justification for the process connection still needs to be done by the end-user.

According to the requirements of IEC 61511-1 First Edition 2003-01 section 11.4.4 and the assessment described in section 5.1 the Type B pressure transmitter 2600T / 2000T Series with a hardware fault tolerance of 0 and a SFF of 60% to < 90% is considered to be suitable for use in SIL 2 safety functions. The decision on the usage of prior-use devices, however, is always with the end-user.

Failure rates that are assigned to the various failure modes of the sensor part of the pressure transmitter 2600T / 2000T Series were obtained from field failure data using only operational hours from the warranty period of operation. Confidence Interval calculations were done using a chi-square distribution and an upper limit failure rate based on a 70% confidence factor per IEC 61508. The failure rate results were compared with industry databases [N6] and found to be within a reasonable range considering the much higher amount of operational hours.

Assuming that a connected logic solver can detect both over-range (fail high) and under-range (fail low), high and low failures can be classified as safe detected failures or dangerous detected failures depending on whether the pressure transmitter 2600T / 2000T Series with 4..20 mA output is used in an application for "low level monitoring", "high level monitoring" or "range monitoring". For these applications the following tables show how the above stated requirements are fulfilled.

1) Type B component: "Complex" component (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2.


Table 2: Summary for version V1.1 – Failure rates

Failure category (failure rates in FIT) | Fail-safe state = "fail high" | Fail-safe state = "fail low"

Fail High (detected by the logic solver) | 461 | 245
  Fail detected (int. diag.) | 216 | –
  Fail high (inherently) | 245 | 245
Fail Low (detected by the logic solver) | 15 | 231
  Fail detected (int. diag.) | – | 216
  Fail low (inherently) | 15 | 15
Fail Dangerous Undetected | 195 | 195
No Effect | 137 | 137
Annunciation Undetected | 1 | 1
Not part | 54 | 54
MTBF = MTTF + MTTR | 132 years | 132 years

Transmitter configured fail-safe state = "fail high" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 15 FIT | 138 FIT | 462 FIT | 195 FIT | 75% | 10% | 70%
low = dd, high = sd | 461 FIT | 138 FIT | 15 FIT | 195 FIT | 75% | 77% | 7%
low = sd, high = sd | 476 FIT | 138 FIT | 0 FIT | 195 FIT | 75% | 78% | 0%

Transmitter configured fail-safe state = "fail low" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 231 FIT | 138 FIT | 245 FIT | 195 FIT | 75% | 63% | 56%
low = dd, high = sd | 245 FIT | 138 FIT | 231 FIT | 195 FIT | 75% | 64% | 54%
low = sd, high = sd | 476 FIT | 138 FIT | 0 FIT | 195 FIT | 75% | 78% | 0%

Table 3: Summary for version V1.1 – PFDAVG values

T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 8,54E-04 | PFDAVG = 4,26E-03 | PFDAVG = 8,50E-03

² DC means the diagnostic coverage (safe or dangerous) of the safety logic solver for pressure transmitter 2600T / 2000T Series with 4..20 mA output.
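The arithmetic behind the SIL tables of section 6 and behind Tables 2 and 3 (SFF, diagnostic coverage, PFDavg versus proof-test interval, and the 35 % sensor budget from the management summary), carried through for the version V1.1 "fail high" figures. This is an added worked example, not code from ABB or exida; the function names, the prior_use flag and the simplified 1oo1 PFD formulas are this example's own assumptions.

```python
"""SIL bookkeeping for a 1oo1 4...20 mA transmitter (added worked example,
not part of the ABB manual or the exida report). Function names, the
prior_use flag and the simplified 1oo1 PFD formulas are assumptions of
this example, not the report's method."""
import math

HOURS_PER_YEAR = 8760.0   # proof-test intervals on the page are given in years
FIT = 1e-9                # 1 FIT = one failure per 1e9 hours

# Constructed from Table 2, version V1.1, transmitter configured "fail high",
# logic solver treating low = sd and high = dd (all values in FIT).
V1_1 = {"sd": 15.0, "su": 138.0, "dd": 462.0, "du": 195.0}


def safe_failure_fraction(r):
    """SFF = (sd + su + dd) / (sd + su + dd + du)."""
    total = r["sd"] + r["su"] + r["dd"] + r["du"]
    return (r["sd"] + r["su"] + r["dd"]) / total


def diagnostic_coverage(r):
    """DCS = sd / (sd + su) and DCD = dd / (dd + du): the share of safe and of
    dangerous failures the logic solver can see (the report's DC columns)."""
    return r["sd"] / (r["sd"] + r["su"]), r["dd"] / (r["dd"] + r["du"])


def pfd_avg_simple(lambda_du_fit, proof_years):
    """1oo1 low-demand approximation PFDavg ~= lambda_DU * T_proof / 2."""
    return lambda_du_fit * FIT * proof_years * HOURS_PER_YEAR / 2.0


def pfd_avg_exact(lambda_du_fit, proof_years):
    """Time average of 1 - exp(-lambda_DU * t) over one proof-test interval;
    departs from the linear approximation only for long intervals."""
    x = lambda_du_fit * FIT * proof_years * HOURS_PER_YEAR
    return 1.0 - (1.0 - math.exp(-x)) / x


def sil_from_pfd(pfd):
    """Low demand mode table of section 6 (IEC 61508-1 Table 2)."""
    for sil, lower in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lower <= pfd < lower * 10:
            return sil
    return None  # outside the SIL 1 ... SIL 4 ranges


# Architectural constraint for type B subsystems: rows are SFF bands (upper
# bound exclusive), columns are HFT 0, 1, 2. None stands for "impermissible"
# or for an entry the page's table leaves as "-".
_TYPE_B = [
    (0.60, (None, 1, 2)),
    (0.90, (1, 2, 3)),
    (0.99, (2, 3, None)),
    (1.01, (3, None, None)),
]


def sil_from_architecture(sff, hft, prior_use=False):
    """SIL allowed by SFF and HFT for a type B device. prior_use=True applies
    the IEC 61511-1 11.4.3 relief (bracketed values on the page): the required
    HFT drops by one, so the device is read from the next column."""
    column = min(hft + (1 if prior_use else 0), 2)
    for upper, row in _TYPE_B:
        if sff < upper:
            return row[column]
    return None


def achievable_sil(r, proof_years, hft=0, prior_use=False):
    """The subsystem may claim the lower of the PFD-based and the
    architecture-based SIL. Returns (sil, sff, pfd)."""
    sff = safe_failure_fraction(r)
    pfd = pfd_avg_simple(r["du"], proof_years)
    sil_p = sil_from_pfd(pfd)
    sil_a = sil_from_architecture(sff, hft, prior_use)
    if sil_p is None or sil_a is None:
        return None, sff, pfd
    return min(sil_p, sil_a), sff, pfd


def within_sensor_budget(pfd, target_sil=2, sensor_share=0.35):
    """The management summary gives the sensor part 35 % of the SIF's PFDavg
    budget; for SIL 2 that is 0.35 * 1.00E-02 = 3.50E-03."""
    sil_ceiling = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}[target_sil]
    return pfd < sensor_share * sil_ceiling


if __name__ == "__main__":
    dcs, dcd = diagnostic_coverage(V1_1)
    print(f"SFF = {safe_failure_fraction(V1_1):.1%}, DCS = {dcs:.0%}, DCD = {dcd:.0%}")
    for years in (1, 5, 10):
        sil, _, pfd = achievable_sil(V1_1, years, hft=0, prior_use=True)
        print(f"T_proof = {years:2d} y: PFDavg = {pfd:.2e} "
              f"(exact {pfd_avg_exact(V1_1['du'], years):.2e}), SIL {sil}, "
              f"within SIL 2 sensor budget: {within_sensor_budget(pfd)}")
```

Running it reproduces the page's 75.9 % SFF and the 8,54E-04 one-year PFDavg, and shows that only the one-year proof-test interval keeps the transmitter inside the 3,50E-03 sensor share of a SIL 2 loop.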


Table 4: Summary for version V1.2 – Failure rates

Failure category (failure rates in FIT) | Fail-safe state = "fail high" | Fail-safe state = "fail low"

Fail High (detected by the logic solver) | 516 | 260
  Fail detected (int. diag.) | 256 | –
  Fail high (inherently) | 260 | 260
Fail Low (detected by the logic solver) | 16 | 272
  Fail detected (int. diag.) | – | 256
  Fail low (inherently) | 16 | 16
Fail Dangerous Undetected | 216 | 216
No Effect | 166 | 166
Annunciation Undetected | 1 | 1
Not part | 54 | 54
MTBF = MTTF + MTTR | 118 years | 118 years

Transmitter configured fail-safe state = "fail high" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 16 FIT | 167 FIT | 516 FIT | 216 FIT | 76% | 9% | 70%
low = dd, high = sd | 516 FIT | 167 FIT | 16 FIT | 216 FIT | 76% | 76% | 7%
low = sd, high = sd | 532 FIT | 167 FIT | 0 FIT | 216 FIT | 76% | 76% | 0%

Transmitter configured fail-safe state = "fail low" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 272 FIT | 167 FIT | 260 FIT | 216 FIT | 76% | 62% | 55%
low = dd, high = sd | 260 FIT | 167 FIT | 572 FIT | 216 FIT | 76% | 61% | 73%
low = sd, high = sd | 532 FIT | 167 FIT | 0 FIT | 216 FIT | 76% | 76% | 0%

Table 5: Summary for version V1.2 – PFDAVG values

T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 9,43E-04 | PFDAVG = 4,70E-03 | PFDAVG = 9,38E-03


Table 6: Summary for version V2.1 – Failure rates

Failure category (failure rates in FIT) | Fail-safe state = "fail high" | Fail-safe state = "fail low"

Fail High (detected by the logic solver) | 391 | 202
  Fail detected (int. diag.) | 189 | –
  Fail high (inherently) | 202 | 202
Fail Low (detected by the logic solver) | 15 | 204
  Fail detected (int. diag.) | – | 189
  Fail low (inherently) | 15 | 15
Fail Dangerous Undetected | 198 | 198
No Effect | 127 | 127
Annunciation Undetected | 1 | 1
Not part | 54 | 54
MTBF = MTTF + MTTR | 145 years | 145 years

Transmitter configured fail-safe state = "fail high" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 15 FIT | 128 FIT | 391 FIT | 198 FIT | 73% | 10% | 66%
low = dd, high = sd | 391 FIT | 128 FIT | 15 FIT | 198 FIT | 73% | 75% | 7%
low = sd, high = sd | 406 FIT | 128 FIT | 0 FIT | 198 FIT | 73% | 76% | 0%

Transmitter configured fail-safe state = "fail low" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 204 FIT | 128 FIT | 202 FIT | 198 FIT | 73% | 61% | 51%
low = dd, high = sd | 202 FIT | 128 FIT | 204 FIT | 198 FIT | 73% | 61% | 51%
low = sd, high = sd | 406 FIT | 128 FIT | 0 FIT | 198 FIT | 73% | 76% | 0%

Table 7: Summary for version V2.1 – PFDAVG values

T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 8,65E-04 | PFDAVG = 4,31E-03 | PFDAVG = 8,60E-03


Table 8: Summary for version V2.2 – Failure rates

Failure category (failure rates in FIT) | Fail-safe state = "fail high" | Fail-safe state = "fail low"

Fail High (detected by the logic solver) | 446 | 217
  Fail detected (int. diag.) | 229 | –
  Fail high (inherently) | 217 | 217
Fail Low (detected by the logic solver) | 16 | 245
  Fail detected (int. diag.) | – | 229
  Fail low (inherently) | 16 | 16
Fail Dangerous Undetected | 218 | 218
No Effect | 156 | 156
Annunciation Undetected | 1 | 1
Not part | 54 | 54
MTBF = MTTF + MTTR | 128 years | 128 years

Transmitter configured fail-safe state = "fail high" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 16 FIT | 157 FIT | 446 FIT | 218 FIT | 73% | 9% | 67%
low = dd, high = sd | 446 FIT | 157 FIT | 16 FIT | 218 FIT | 73% | 74% | 7%
low = sd, high = sd | 462 FIT | 157 FIT | 0 FIT | 218 FIT | 73% | 75% | 0%

Transmitter configured fail-safe state = "fail low" – Failure rates according to IEC 61508

Failure categories | sd | su | dd | du | SFF | DCS ² | DCD ²

low = sd, high = dd | 245 FIT | 157 FIT | 217 FIT | 218 FIT | 73% | 61% | 50%
low = dd, high = sd | 217 FIT | 157 FIT | 245 FIT | 218 FIT | 73% | 58% | 53%
low = sd, high = sd | 462 FIT | 157 FIT | 0 FIT | 218 FIT | 73% | 75% | 0%

Table 9: Summary for version V2.2 – PFDAVG values

T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 9,54E-04 | PFDAVG = 4,76E-03 | PFDAVG = 9,49E-03


Table 10: Summary for version V3 – Failure rates

| Failure category (Failure rates in FIT) | Fail-safe state = “fail high” | Fail-safe state = “fail low” |
|---|---|---|
| Fail High (detected by the logic solver) | 1510 | 1300 |
| – Fail detected (int. diag.) | 210 | |
| – Fail high (inherently) | 1300 | 1300 |
| Fail Low (detected by the logic solver) | 15 | 225 |
| – Fail detected (int. diag.) | | 210 |
| – Fail low (inherently) | 15 | 15 |
| Fail Dangerous Undetected | 558 | 558 |
| No Effect | 124 | 124 |
| Annunciation Undetected | 1 | 1 |
| Not part | 54 | 54 |
| MTBF = MTTF + MTTR | 50 years | 50 years |

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508

| Failure Categories | sd | su | dd | du | SFF | DCS ² | DCD ² |
|---|---|---|---|---|---|---|---|
| low = sd, high = dd | 15 FIT | 125 FIT | 1510 FIT | 558 FIT | 74% | 11% | 73% |
| low = dd, high = sd | 1510 FIT | 125 FIT | 15 FIT | 558 FIT | 74% | 92% | 3% |
| low = sd, high = sd | 1525 FIT | 125 FIT | 0 FIT | 558 FIT | 74% | 92% | 0% |

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508

| Failure Categories | sd | su | dd | du | SFF | DCS ² | DCD ² |
|---|---|---|---|---|---|---|---|
| low = sd, high = dd | 225 FIT | 125 FIT | 1300 FIT | 558 FIT | 74% | 64% | 70% |
| low = dd, high = sd | 1300 FIT | 125 FIT | 225 FIT | 558 FIT | 74% | 91% | 29% |
| low = sd, high = sd | 1525 FIT | 125 FIT | 0 FIT | 558 FIT | 74% | 92% | 0% |

Table 11: Summary for version V3 – PFDAVG values

| T[Proof] = 1 year | T[Proof] = 3 years | T[Proof] = 5 years |
|---|---|---|
| PFDAVG = 2,44E-03 | PFDAVG = 7,29E-03 | PFDAVG = 1,21E-02 |


Table 12: Summary for version V4 – Failure rates

| Failure category (Failure rates in FIT) | Fail-safe state = “fail high” | Fail-safe state = “fail low” |
|---|---|---|
| Fail High (detected by the logic solver) | 775 | 557 |
| – Fail detected (int. diag.) | 218 | |
| – Fail high (inherently) | 557 | 557 |
| Fail Low (detected by the logic solver) | 15 | 233 |
| – Fail detected (int. diag.) | | 218 |
| – Fail low (inherently) | 15 | 15 |
| Fail Dangerous Undetected | 300 | 300 |
| No Effect | 125 | 125 |
| Annunciation Undetected | 1 | 1 |
| Not part | 56 | 56 |
| MTBF = MTTF + MTTR | 90 years | 90 years |

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508

| Failure Categories | sd | su | dd | du | SFF | DCS ² | DCD ² |
|---|---|---|---|---|---|---|---|
| low = sd, high = dd | 15 FIT | 126 FIT | 775 FIT | 300 FIT | 75% | 11% | 72% |
| low = dd, high = sd | 775 FIT | 126 FIT | 15 FIT | 300 FIT | 75% | 86% | 5% |
| low = sd, high = sd | 790 FIT | 126 FIT | 0 FIT | 300 FIT | 75% | 86% | 0% |

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508

| Failure Categories | sd | su | dd | du | SFF | DCS ² | DCD ² |
|---|---|---|---|---|---|---|---|
| low = sd, high = dd | 233 FIT | 126 FIT | 557 FIT | 300 FIT | 75% | 65% | 65% |
| low = dd, high = sd | 557 FIT | 126 FIT | 233 FIT | 300 FIT | 75% | 82% | 44% |
| low = sd, high = sd | 790 FIT | 126 FIT | 0 FIT | 300 FIT | 75% | 86% | 0% |

Table 13: Summary for version V4 – PFDAVG values

| T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years |
|---|---|---|
| PFDAVG = 1,31E-03 | PFDAVG = 6,53E-03 | PFDAVG = 1,30E-02 |


Table 14: Summary for version V5 – Failure rates

| Failure category (Failure rates in FIT) | Fail-safe state = “fail high” | Fail-safe state = “fail low” |
|---|---|---|
| Fail High (detected by the logic solver) | 386 | 197 |
| – Fail detected (int. diag.) | 189 | |
| – Fail high (inherently) | 197 | 197 |
| Fail Low (detected by the logic solver) | 15 | 204 |
| – Fail detected (int. diag.) | | 189 |
| – Fail low (inherently) | 15 | 15 |
| Fail Dangerous Undetected | 222 | 222 |
| No Effect | 115 | 115 |
| Annunciation Undetected | 1 | 1 |
| Not part | 53 | 53 |
| MTBF = MTTF + MTTR | 144 years | 144 years |

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508

| Failure Categories | sd | su | dd | du | SFF | DCS ² | DCD ² |
|---|---|---|---|---|---|---|---|
| low = sd, high = dd | 15 FIT | 116 FIT | 386 FIT | 222 FIT | 69% | 11% | 64% |
| low = dd, high = sd | 386 FIT | 116 FIT | 15 FIT | 222 FIT | 69% | 77% | 6% |
| low = sd, high = sd | 401 FIT | 116 FIT | 0 FIT | 222 FIT | 69% | 78% | 0% |

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508

| Failure Categories | sd | su | dd | du | SFF | DCS ² | DCD ² |
|---|---|---|---|---|---|---|---|
| low = sd, high = dd | 204 FIT | 116 FIT | 197 FIT | 222 FIT | 69% | 64% | 47% |
| low = dd, high = sd | 197 FIT | 116 FIT | 204 FIT | 222 FIT | 69% | 63% | 48% |
| low = sd, high = sd | 401 FIT | 116 FIT | 0 FIT | 222 FIT | 69% | 78% | 0% |

Table 15: Summary for version V5 – PFDAVG values

| T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years |
|---|---|---|
| PFDAVG = 9,71E-04 | PFDAVG = 4,84E-03 | PFDAVG = 9,66E-03 |


The boxes marked in yellow mean that the calculated PFDAVG values are within the allowed range for SIL 2 according to table 2 of IEC 61508-1 but do not fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to 3,50E-03. The boxes marked in green mean that the calculated PFDAVG values are within the allowed range for SIL 2 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA–84.01–1996 and do fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to 3,50E-03. The boxes marked in red mean that the calculated PFDAVG values do not fulfill the requirement for SIL 2 according to table 2 of IEC 61508-1.
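The figures in the tables above and the colour criterion just described can be rederived from the raw failure categories. The following Python script is an added example (not code from the ABB or exida documents): it maps the Table 8 categories of version V2.2 to sd/su/dd/du, computes SFF, DCS, DCD, MTBF and a single-channel (1oo1) PFDavg with the standard IEC 61508 definitions, and assigns the green/yellow/red verdict. Because the tables print rounded FIT values, the recomputed SFF percentages can differ from the printed ones by about one point.

```python
# Recompute the IEC 61508 figures of Tables 8 and 9 from the raw failure
# categories of version V2.2. Added example, not code from the ABB/exida report.
import math

HOURS_PER_YEAR = 8760
SIL2_UPPER, SIL2_35PCT = 1e-2, 3.5e-3  # IEC 61508-1 table 2; 35 % claim limit
# Raw failure categories of Table 8 (V2.2), in FIT (1 FIT = 1e-9 /h).
V22 = {"detected_int_diag": 229, "fail_high_inherent": 217,
       "fail_low_inherent": 16, "dangerous_undetected": 218,
       "no_effect": 156, "annunciation_undetected": 1, "not_part": 54}

def iec_categories(raw, fail_safe="high", low_is="sd", high_is="dd"):
    """Map raw categories to sd/su/dd/du (FIT). Internally detected failures go
    to the fail-safe direction; low_is/high_is credit that output as sd or dd."""
    diag = raw["detected_int_diag"]
    high = raw["fail_high_inherent"] + (diag if fail_safe == "high" else 0)
    low = raw["fail_low_inherent"] + (diag if fail_safe == "low" else 0)
    cats = {"sd": 0, "dd": 0}
    cats[low_is] += low
    cats[high_is] += high
    cats["su"] = raw["no_effect"] + raw["annunciation_undetected"]
    cats["du"] = raw["dangerous_undetected"]
    return cats

def sff(c):  # safe failure fraction
    return (c["sd"] + c["su"] + c["dd"]) / (c["sd"] + c["su"] + c["dd"] + c["du"])

def diag_coverage(c):  # (DCS, DCD): coverage of safe and of dangerous failures
    return c["sd"] / (c["sd"] + c["su"]), c["dd"] / (c["dd"] + c["du"])

def mtbf_years(raw):  # MTBF = MTTF + MTTR; MTTR is negligible against the MTTF
    return 1e9 / sum(raw.values()) / HOURS_PER_YEAR

def pfd_avg(lambda_du_fit, proof_test_hours):
    """PFDavg of a 1oo1 channel: time average of 1 - exp(-lambda_du * t) over
    the proof-test interval; lambda_du * T / 2 is its first-order form."""
    x = lambda_du_fit * 1e-9 * proof_test_hours
    return 1.0 - (1.0 - math.exp(-x)) / x

def sil2_verdict(pfd):
    """Colour code of the closing paragraph: green = at most 35 % of the SIL 2
    range claimed (<= 3.5E-03), yellow = in range but above 35 %, red = out."""
    if pfd >= SIL2_UPPER:
        return "red"
    return "green" if pfd <= SIL2_35PCT else "yellow"

def pfd_table(raw, years=(1, 5, 10)):  # Table 9 style summary with verdicts
    du = iec_categories(raw)["du"]
    pfds = {y: pfd_avg(du, y * HOURS_PER_YEAR) for y in years}
    return {y: (p, sil2_verdict(p)) for y, p in pfds.items()}
```

Calling `pfd_table(V22)` reproduces the three PFDAVG columns of Table 9 with their colour verdicts; swapping in the categories of Tables 10, 12 or 14 gives the other versions.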

The functional assessment has shown that transmitters of the pressure transmitter 2600T / 2000T Series with 4..20 mA output have a PFDAVG within the allowed range for SIL 2 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA–84.01–1996 and a Safe Failure Fraction (SFF) of more than 69%. Based on the verification of "prior use" they can be used as a single device for SIL2 Safety Functions in terms of IEC 61511-1 First Edition 2003-01.

A user of the pressure transmitter 2600T / 2000T Series with 4..20 mA output can utilize these failure rates along with the failure rates for an impulse line, when required, in a probabilistic model of a safety instrumented function (SIF) to determine suitability in part for safety instrumented system (SIS) usage in a particular safety integrity level (SIL). A full table of failure rates for different operating conditions is presented in section 5.2 to 5.6 along with all assumptions.

It is important to realize that the “don’t care” failures and the “annunciation” failures are included in the “safe undetected” failure category according to IEC 61508. Note that these failures on their own will not affect system reliability or safety, and should not be included in spurious trip calculations.


SM 265/7/9 SIL-EN Rev. 02

ABB has Sales & Customer Support expertise in over 100 countries worldwide.

www.abb.com

The Company’s policy is one of continuous product improvement and the right is reserved to modify the information contained herein without notice.

Printed in the Fed. Rep. of Germany (05.2007)

© ABB 2007

ABB Limited, Howard Road, St. Neots, Cambridgeshire, PE19 8EU, UK. Tel: +44 (0)1480 475321, Fax: +44 (0)1480 217948

ABB Inc., 125 E. County Line Road, Warminster, PA 18974, USA. Tel: +1 215 674 6000, Fax: +1 215 674 7183

ABB Automation Products GmbH, Schillerstr. 72, 32425 Minden, Germany. Tel: +49 551 905-534, Fax: +49 551 [email protected]