Overfill Prevention Control Unit with Ground Verification & Vehicle Identification Options. TÜVRheinland

Similar documents
SIL Safety Guide Series MS Single-Acting Spring-Return Hydraulic Linear Actuators

Digital EPIC 2 Safety manual

100 & 120 Series Pressure and Temperature Switches Safety Manual

United Electric Controls One Series Safety Transmitter Safety Manual

Scully ST-15 WX. Technical Manual. Multi-Point Liquid-Level Detection System

User s Manual. YTA110, YTA310, YTA320, and YTA710 Temperature Transmitters. Manual Change No

Failure Modes, Effects and Diagnostic Analysis

STT850 and STT750 SmartLine Temperature Transmitter HART Communications Options Safety Manual 34-TT Revision 4 September 2017

Mobrey Magnetic Level Switches

Rosemount Functional Safety Manual. Manual Supplement , Rev AF March 2015

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

PPA Michaël GROSSI - FSCE PR electronics

SAFETY MANUAL. X2200 UV, X9800 IR, X5200 UVIR SIL 2 Certified Flame Detectors

Failure Modes, Effects and Diagnostic Analysis

SAFETY MANUAL. Multispectrum IR Flame Detector X3301

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, Minnesota USA

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S Rønde Denmark

Failure Modes, Effects and Diagnostic Analysis

SAFETY MANUAL. Electrochemical Gas Detector GT3000 Series Includes Transmitter (GTX) with H 2 S or O 2 Sensor Module (GTS)

Safety in the process industry

IEC61511 Standard Overview

SAFETY MANUAL. PointWatch Eclipse Infrared Hydrocarbon Gas Detector Safety Certified Model PIRECL

Failure Modes, Effects and Diagnostic Analysis

Rosemount 2140:SIS Level Detector

Certification Report of the ST 3000 Pressure Transmitter with HART 6

Failure Modes, Effects and Diagnostic Analysis

Certification Report of the ST3000 Pressure Transmitter

FUNCTIONAL SAFETY IN FIRE PROTECTION SYSTEM E-BOOK

Failure Modes, Effects and Diagnostic Analysis

FMEDA Report. Failure Modes, Effects and Diagnostic Analysis. KFD0-CS-Ex*.54* and KFD0-CS-Ex*.56* Project: X7300

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

SLG 700 SmartLine Level Transmitters Guided Wave Radar Safety Manual 34-SL Revision 4.0 December 2017

Assessment of the Safety Integrity of Electrical Protection Systems in the Petrochemical Industry

New Developments in the IEC61511 Edition 2

Functional Safety Manual June pointek CLS500/LC500

Functional Safety Solutions

SITRANS. Temperature transmitter Functional safety for SITRANS TW. Introduction. General safety instructions 2. Device-specific safety instructions

Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511

IEC Functional Safety Assessment

Technical Manual for the Manual Alarm Call Point BG

FUNCTIONAL SAFETY OF ELECTRICAL INSTALLATIONS IN INDUSTRIAL PLANTS BY OTTO WALCH

Safety Transmitter / Logic Solver Hybrids. Standards Certification Education & Training Publishing Conferences & Exhibits

Measurement of Safety Integrity of E/E/PES according to IEC61508

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

67 th Canadian Chemical Engineering Conference EDMONTON, AB OCTOBER 22-25, 2017

Functional Safety: the Next Edition of IEC 61511

FUNCTIONAL SAFETY CERTIFICATE

FUNCTIONAL SAFETY CERTIFICATE. BG Break Glass Unit

Is your current safety system compliant to today's safety standard?

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update

FUNCTIONAL SAFETY: A PRACTICAL APPROACH FOR END-USERS AND SYSTEM INTEGRATORS

InstrumentationTools.com

430128A. B-Series Flow Meter SIL Safety Manual

Failure Modes, Effects and Diagnostic Analysis

Functional safety according to IEC / IEC Important user information. Major changes in IEC nd Edition

Failure Modes, Effects and Diagnostic Analysis

Process Safety - Market Requirements. V.P.Raman Mott MacDonald Pvt. Ltd.

Safety Instrumented Systems

Soliphant M with electronic insert FEM52

SAFETY INTEGRITY LEVEL MANUAL. IEC and IEC XP95 and Discovery SIL Approved Product Range

SAFETY CERTIFIED MODEL FP-700 COMBUSTIBLE GAS DETECTOR

Failure Modes, Effects and Diagnostic Analysis

The SIL Concept in the process industry International standards IEC 61508/ 61511

Session Four Functional safety: the next edition of IEC Mirek Generowicz Engineering Manager, I&E Systems Pty Ltd

Functional Safety Manual Oil Leak Detector NAR300 System

Functional Safety: What It Is, Why It s Important And How to Comply

Addressing Challenges in HIPPS Design and Implementation

FUNCTIONAL SAFETY MANUAL

Introduction. Additional information. Additional instructions for IEC compliant devices. Measurement made easy

HAWK Measurement Systems Pty. Ltd. Centurion CGR Series Safety Manual

SIPART. Electropneumatic positioner Functional safety for SIPART PS2. Introduction. General safety instructions 2. Device-specific safety instructions

Proservo NMS5- / NMS7-

Session Ten Achieving Compliance in Hardware Fault Tolerance

Guidelines. Safety Integrity Level - SIL - Valves and valve actuators. February Valves

Simply reliable: Process safety from Endress+Hauser

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

We reserve all rights in this document and in the information contained therein. Reproduction, use or disclosure to third parties without express

Australian Standard. Functional safety Safety instrumented systems for the process industry sector

Report to the Certificate

Applying Buncefield Recommendations and IEC61508 and IEC Standards to Fuel Storage Sites

Safety Manual. XNXTM Universal Transmitter. Fault Diagnostic Time Interval Proof Test Proof Testing Procedure

INTELLICHECK. scully. Scully s IntelliCheck System. IntelliCheck is a state of the art point level detection system that provides:

Technical Report Proven In Use SITRANS P500


SAFETY MANUAL. FL4000H and FL4000 Multi-Spectral Infrared Flame Detectors

Integrated but separate

Fully configurable SIL2 addressable Fire & Gas Detection solutions

Changes in IEC Ed 2

SAFETY MANUAL. IR5000 Open Path Hydrocarbon Gas Monitoring System

IEC Functional Safety Assessment

Automation, Software und Informationstechnologie

SAFETY MANUAL. Intelligent Sensors for H 2 S Gas Applications

ADIPEC 2013 Technical Conference Manuscript

Operating Guide Safe Torque Off

Fire and Gas Detection and Mitigation Systems

Where Process Safety meets Machine Safety

Transcription:

Scully Intellitrol Safety Manual Overfill Prevention Control Unit with Ground Verification & Vehicle Identification Options TÜVRheinland Functional Safety Type Approved FS IEC 61508 Certified SIL 2 / SIL 3 Capable MaxSafety SYSTEMS Scully Signal Company / Tel. 617 692 8600 / Fax. 617 692 8620 / 800 2 SCULLY (272 8559) 70 Industrial Way, Wilmington, MA 01887-3479, USA / sales@scully.com / www.scully.com

Intellitrol - Safety Manual Table of Contents Introduction 3. 1.1 Terms and Abbreviations 1.2 Acronyms 1.3 Product Support 1.4 Related Literature 1.5 Reference Standards Designing a Safety Instrumented Function using a Scully Signal Company Intellitrol 5. 2.1 Safety Function 2.2 Environmental limits 2.3 Design Verification 2.4 SIL Capability 2.5 General Requirements Installation and Commissioning 6. 3.1 Installation 3.2 Physical Location and Placement Operation and Maintenance 7. 4.1 Proof test 4.2 Proof Test Procedure 4.3 Repair and replacement 4.4 Useful Life 4.5 Scully Signal Company Notification

Intellitrol - Safety Manual Intoduction This Safety Manual provides information necessary to design, install, verify and maintain a Safety Instrumented Function (SIF) utilizing a Scully Signal Company Intellitrol Overfill Protection System. This manual provides necessary requirements for meeting the IEC 61511 functional safety standards. 1.1 Terms and Abbreviations Safety: Freedom from unacceptable risk of harm Functional Safety: The ability of a system to carry out the actions necessary to achieve or to maintain a defined safe state for the equipment / machinery / plant / apparatus under control of the system Basic Safety: The equipment must be designed and manufactured such that it protects against risk of damage to persons by electrical shock and other hazards and against resulting fire and explosion. The protection must be effective under all conditions of the nominal operation and under single fault condition Safety Assessment: The investigation to arrive at a judgment - based on evidence - of the safety achieved by safety-related systems Fail-Safe State: State corresponding to the device failing to detect a ground connection and/or the state where the device output relay contacts correspond to the de-energized state of the relay. Fail Safe: Failure that causes the relay contacts to go to the defined fail-safe state without a demand from the process. Fail Dangerous: Failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state). Fail Dangerous Undetected: Failure that is dangerous and that is not being diagnosed by the device. Fail Dangerous Detected: Failure that is dangerous but is detected by the device. Fail Annunciation Undetected: Failure that does not cause a false trip or prevent the safety function but does cause loss of an automatic diagnostic and is not detected by another diagnostic. Fail Annunciation Detected: Failure that does not cause a false trip or prevent the safety function but does cause loss of an automatic diagnostic or false diagnostic indication. Fail No Effect: Failure of a component that is part of the safety function but that has no effect on the safety function. Low Demand Mode: Mode, where the frequency of demands for operation made on a safety-related system is no greater than twice the proof test frequency. Page 1.

Overfill Prevention Control Unit (with Ground Verification & Vehicle Identification Option) Intoduction 1.2 Acronyms FMEDA: Failure Modes, Effects and Diagnostic Analysis HFT: Hardware Fault Tolerance MOC: Management of Change. These are specific procedures often done when performing any work activities in compliance with government regulatory authorities. PFD AVG: Average Probability of Failure on Demand SFF: Safe Failure Fraction, the fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault. SIF: Safety Instrumented Function, a set of equipment intended to reduce the risk due to a specific hazard (a safety loop). SIL: Safety Integrity Level, discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems where Safety Integrity Level 4 has the highest level of safety integrity and Safety Integrity Level 1 has the lowest. SIS: Safety Instrumented System Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). 1.3 Product Support Product support can be obtained from: Scully Signal Company, 70 Industrial Way, Wilmington, Massachusetts (617) 692-8600 / (800) 272-8559 / www.scully.com 1.4 Related Literature The Technical Manual provided with the product contains information critical to the functional safety of the ST-47 Groundhog. That manual provides key specifications for the product and procedures which are pertinent to the proper installation and maintenance of the product. The options for the ground detection and enclosures are also outlined in the Technical manual. Guidelines/References: Safety Integrity Level Selection Systematic Methods Including Layer of Protection Analysis, ISBN 1-55617-777-1, ISA Control System Safety Evaluation and Reliability, 2nd Edition, ISBN 1-55617-638-8, ISA Safety Instrumented Systems Verification, Practical Probabilistic Calculations, ISBN 1-55617-909-9, ISA 1.5 Reference Standards Functional Safety: IEC 61508: 2010 Functional safety of electrical/electronic/ programmable electronic safety-related systems ANSI/ISA 84.00.01-2004 (IEC 61511 Mod.) Functional Safety Safety Instrumented Systems for the Process Industry Sector Page 2.

Intellitrol - Safety Manual Designing a Safety Instrumented Function using a Scully Signal Company Intellitrol 2.1 Safety Function As part of the safety instrumented function the Intellitrol system will be configured such that when the output relay opens the Safety Instrumented Function will go to the safe state (no permit state). An Intellitrol system consists of a cabinet, Sculcon junction box, and one or more sensors. The output of the Intellitrol can be used to directly actuate a safety valve or it can be used as an input to a safety rated logic solver. 2.2 Environmental limits The designer of a SIF must check that the product is rated for use within the expected environmental limits. Refer to the Intellitrol Technical Manual for environmental limits. 2.3 Design Verification A detailed Failure Mode, Effects, and Analysis (FMEA) report is available from Scully Signal Company. This report details all failure rates and failure modes. The achieved Safety Integrity Level (SIL) of an entire Safety Instrumented Function (SIF) design must be verified by the designer via a calculation of PFDAVG considering architecture, proof test interval, proof test effectiveness, any automatic diagnostics, average repair time and the specific failure rates of all products included in the SIF. Each subsystem must be checked to assure compliance with minimum hardware fault tolerance (HFT) requirements. To model multi-channel systems, a technique such as Markov modeling is recommended to properly account for common failure modes. The failure rate data listed in the FMEA report is only valid for the useful life time of an Intellitrol module. The failure rates will increase sometime after this time period. Reliability calculations based on the data listed in the FMEA report for mission times beyond the lifetime may yield results that are too optimistic, i.e. the calculated Safety Integrity Level will not be achieved. 2.4 SIL Capability 2.4.1 Systematic Integrity The product has met manufacturer design process requirements of Safety Integrity Level (SIL) 3. These are intended to achieve sufficient integrity against systematic errors of design by the manufacturer. A Safety Instrumented Function (SIF) designed with this product must not be used at a SIL level higher than the statement without prior use justification by end user or diverse technology redundancy in the design. 2.4.2 Random Integrity The Intellitrol is a Type B Device. Therefore based on the SFF between 90% and 99% the design can meet SIL 2 @ HFT=0. 2.4.3 Safety Parameters For detailed failure rate information refer to the Failure Modes, Effects and Analysis Report for the Intellitrol. Page 3.

Overfill Prevention Control Unit (with Ground Verification & Vehicle Identification Option) Designing a Safety Instrumented Function using a Scully Signal Company Intellitrol 2.5 General Requirements The Intellitrol will transition from the permit state to the non permit state within 450ms of a sensor wet or fault condition when used within the specified ambient temperature range of 40 degrees to +120 degrees Fahrenheit. All SIS components including the Intellitrol must be operational before process start-up. Personnel performing maintenance and testing on the Intellitrol shall be competent to do so. Results from the proof tests shall be recorded and reviewed periodically. Page 4.

Intellitrol - Safety Manual Installation and Commissioning 3.1 Installation The Intellitrol module must be installed per standard practices outlined in the Technical Manual. The environment must be verified to not exceed the ratings. The Intellitrol must be accessible for physical inspection. 3.2 Physical Location and Placement The Intellitrol shall be accessible with sufficient room for electrical connections and shall allow manual proof testing. The Intellitrol shall be mounted in a low vibration environment. If excessive vibration can be expected special precautions shall be taken to ensure the integrity of the connectors or the vibration should be reduced using appropriate damping mounts. Page 5.

Overfill Prevention Control Unit (with Ground Verification & Vehicle Identification Option) Operation and Maintenance 4.1 Proof test The objective of proof testing is to detect failures within a Scully Signal Company Overfill Prevention Control Monitor that are not detected by any automatic self-check diagnostics of the system. Of main concern are undetected failures that prevent the safety instrumented function from performing its intended function. The frequency of proof testing, or the proof test interval, is to be determined in reliability calculations for the safety instrumented functions for which a Scully Signal Company Overfill Prevention Control Monitor is applied. The proof tests must be performed more frequently than or as frequently as specified in the calculation in order to maintain the required safety integrity of the safety instrumented function. The following proof test is recommended. The results of the proof test should be recorded and any failures that are detected and that compromise functional safety should be reported to Scully Signal Company. The suggested proof test consists of: Sensor wire open Sensor wet condition Sensor wire shorted to ground And for units with ground proving enabled: Ground open Ground ball / ground bolt, if jumpered, shorted to ground And for units with deadman enabled: Deadman open 4.2 Proof Test Procedure The suggested proof test consists of an electrical test of each monitored input. Separate proof testing is required for each plug type connected to the Intellitrol. See Table 1 to 3 for the steps to preform manual testing using a Scully rack test unit. Scully personel will typically utilize a test unit which will automate these steps. If Vehicle Identification Proving (VIP) is enabled on the Intellitrol, the serial number of the tester must be added to the Intellitrol s TIM list or the VIP disabled during the proof test. Page 6.

Intellitrol - Safety Manual Operation and Maintenance 4.2.1 Table 1: Proof Test for Green Plug 2 or 4 J-Slot/Locking Pin (2-Wire Sensors) Step Action 1 Set the tester for 2-wire and all 2-wire switches in a dry/thermistor position. Place the Ground switch in the appropriate position of Resistor or Ground Bolt/Ball based on the Intellitrol ground jumper position. Connect the Intellitrol to the tester. When a deadman switch is connected confirm that the control module is indicating a permit condition (green bar illuminated) with the switch closed and a no permit (red bar illuminated) with the switch open. NOTE: If the Intellitrol is jumpered for 6 compartments, switches 1 and 2 will have no effect. This is normal operation. 2 If a deadman switch is connected, confirm that the control module is indicating a permit condition (green bar illuminated) with the switch closed and a nonpermit condition (red bar illuminated) with the switch open. The deadman switch must be closed in the remaining steps. 3 For each optic sensor switch, one at a time, move the switch to the wet position and verify the Intellitrol goes to a non-permissive state then reposition the switch to dry. Verify the Intellitrol returns to the permissive state. 4 Hold the SHORT switch in the SHORT position for several seconds and verify the correct Intellitrol response. If the Intellitrol is jumpered for ground proving and Ground Bolt the Intellitrol will go non-permissive and the red ground light will be illuminated while the switch is held in the SHORT position. A short will also cause a non-permissive output due to a VIP fault making it critical to verify the ground light as well as the non-permissive light bar. 5 Move the GROUND switch to the open position and verify the correct Intellitrol response. The Intellitrol, if jumpered for ground proving, will go non permissive and the red ground light will be illuminated. 6 Disconnect the Intellitrol from the tester. Page 7.

Overfill Prevention Control Unit (with Ground Verification & Vehicle Identification Option) Operation and Maintenance 4.2.2 Table 2: Proof Test for Blue Plug 3J-Slot/Locking Pin (5-Wire Sensors) Step Action 1 Set the tester for 5-wire and with 5-wire switch in a dry position. Place the Ground switch in the appropriate position of Resistor or Ground Bolt/Ball based on the Intellitrol ground jumper position. Connect the Intellitrol to the tester and confirm that the control module is indicating a permit condition (green bar illuminated). 2 If a deadman switch is connected, confirm that the control module is indicating a permit condition (green bar illuminated) with the switch closed and a nonpermit condition (red bar illuminated) with the switch open. The deadman switch must be closed in the remaining steps. 3 Move the 5-wire switch to the wet position and verify the Intellitrol goes to a non-permissive state (red bar illuminated) then reposition the switch to dry. Verify the Intellitrol returns to the permissive state. 4 Hold the SHORT switch in the SHORT position for several seconds and verify the correct Intellitrol response. If the Intellitrol is jumpered for ground proving and Ground Bolt the Intellitrol will go non-permissive and the red ground light will be illuminated while the switch is held in the SHORT position. A short will also cause a non-permissive output due to a VIP fault making it critical to verify the ground light as well as the non-permissive light bar. 5 Move the GROUND switch to the open position and verify the correct Intellitrol response. The Intellitrol, if jumpered for ground proving, will go non-permissive and the red ground light will be illuminated. 6 Disconnect the Intellitrol from the tester. Page 8.

Intellitrol - Safety Manual Operation and Maintenance 4.2.3 Table 3: Proof Test for 4 J-Slot/Locking Pin Black Plug (2-Wire and 5-Wire Sensors) Step Action 1 Set the tester for 2-wire and all 2-wire switches in a dry/thermistor position. Place the Ground switch in the appropriate position of Resistor or Ground Bolt/Ball based on the Intellitrol ground jumper position. Connect the Intellitrol to the tester and confirm that the control module is indicating a permit condition (green bar illuminated). NOTE: If the Intellitrol is jumpered for 6 compartments, switches 1 and 2 will have no effect. This is normal operation. 2 If a deadman switch is connected, confirm that the control module is indicating a permit condition (green bar illuminated) with the switch closed and a nonpermit condition (red bar illuminated) with the switch open. The deadman switch must be closed in the remaining steps 3 For each optic sensor switch, one at a time, move the switch to the wet position and verify the Intellitrol goes to a non-permissive state (red bar illuminated) then reposition the switch to dry. Verify the Intellitrol returns to the permissive state. 4 Disconnect the Intellitrol from the tester, change the tester to 5-Wire mode, and reconnect the tester. Confirm that the control module is indicating a permit condition (green bar illuminated). 5 Move the 5-wire switch to the wet position and verify the Intellitrol goes to a non-permissive state (red bar illuminated) then reposition the switch to dry. Verify the Intellitrol returns to the permissive state. 6 Hold the SHORT switch in the SHORT position for several seconds and verify the correct Intellitrol response. If the Intellitrol is jumpered for ground proving and Ground Bolt the Intellitrol will go non-permissive and the red ground light will be illuminated while the switch is held in the SHORT position. A short will also cause a non-permissive output due to a VIP fault making it critical to verify the ground light as well as the non-permissive light bar. 7 Move the GROUND switch to the open position and verify the correct Intellitrol response. The Intellitrol, if jumpered for ground proving, will go non-permissive and the red ground light will be illuminated. 8 Disconnect the Intellitrol from the tester. The person(s) performing the proof test of a Intellitrol unit should be trained in SIS operations, including bypass procedures, and Intellitrol maintenance. No special tools, other than the rack tester, are required. Page 9.

Overfill Prevention Control Unit (with Ground Verification & Vehicle Identification Option) Operation and Maintenance 4.3 Repair and replacement Repair procedures in the Intellitrol Technical Manual must be followed. 4.4 Useful Life The useful life of the Intellitrol is 10 years. 4.5 Scully Signal Company Notification Any failures that are detected and that compromise functional safety should be reported to Scully Signal Company. Please contact Scully Signal Company customer service. Page 10.

Intellitrol - Safety Manual Notes: Page 11.

Overfill Prevention Control Unit (with Ground Verification & Vehicle Identification Option) Notes:

Scully - Setting Standards in Safety and Dependability since 1936. For over seventy-five years Scully has been engineering and building products to the highest safety and reliability standards. We design and manufacture all of our systems under one roof to ensure complete quality control over our manufacturing and testing operations. Scully is ISO certified and all of our products are 100% made in the U.S.A. In addition, we back up our products with the best service in the industry. We have direct sales and service personnel in the U.S.A., The United Kingdom, and Europe and are represented in over 50 countries. For more information and 24 hour technical assistance, call Scully Signal Company at 1-800-2SCULLY (1-800-272-8559). Scully Headquarters in Wilmington, MA U.S.A. Copyright 2014 Scully Signal Company. MaxSafety, Sculcon and Scully are registered trademarks of Scully Signal Company. The names and logos of other companies mentioned herein may be trademarkes of their respective owners. This document is for informational purposes only. Scully makes no warranties, expressed or implied, in this document. All Rights Reserved. Specifications are subject to change without notice. 60719 Rev A October 2014 MaxSafety SYSTEMS Dynamic Self-Testing Overfill Prevention Systems Scully Signal Company 70 Industrial Way, Wilmington, MA 01887-3479, USA Tel: 800 272 8559 / 617 692 8600 email: sales@scully.com Scully Systems Europe NV Eksterveldlaan 31a 2820 Bonheiden / Belgium Tel: +32 (0) 15 56 00 70 email: info@scully.be Scully UK Ltd Meridian House, Unit 33, 37 Road One Winsford Industrial Estate, Winsford Cheshire CW7 3QG / UK Tel.: +44 (0) 1606 553805 email: sales@scullyuk.com

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback