Report Nr

Similar documents
Failure Modes, Effects and Diagnostic Analysis

Certification Report of the ST3000 Pressure Transmitter

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, Minnesota USA

Certification Report of the ST 3000 Pressure Transmitter with HART 6

Technical Report Proven In Use SITRANS P500

FMEDA Report. Failure Modes, Effects and Diagnostic Analysis. KFD0-CS-Ex*.54* and KFD0-CS-Ex*.56* Project: X7300

Failure Modes, Effects and Diagnostic Analysis

SAFETY MANUAL. Electrochemical Gas Detector GT3000 Series Includes Transmitter (GTX) with H 2 S or O 2 Sensor Module (GTS)

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S Rønde Denmark

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

PPA Michaël GROSSI - FSCE PR electronics

Failure Modes, Effects and Diagnostic Analysis

FUNCTIONAL SAFETY OF ELECTRICAL INSTALLATIONS IN INDUSTRIAL PLANTS BY OTTO WALCH

Failure Modes, Effects and Diagnostic Analysis

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

Failure Modes, Effects and Diagnostic Analysis

Automation, Software und Informationstechnologie

SIL Safety Guide Series MS Single-Acting Spring-Return Hydraulic Linear Actuators

FUNCTIONAL SAFETY CERTIFICATE

SAFETY MANUAL. Multispectrum IR Flame Detector X3301

430128A. B-Series Flow Meter SIL Safety Manual

Introduction. Additional information. Additional instructions for IEC compliant devices. Measurement made easy

United Electric Controls One Series Safety Transmitter Safety Manual

100 & 120 Series Pressure and Temperature Switches Safety Manual

Guidelines. Safety Integrity Level - SIL - Valves and valve actuators. February Valves

SAFETY MANUAL. PointWatch Eclipse Infrared Hydrocarbon Gas Detector Safety Certified Model PIRECL

Failure Modes, Effects and Diagnostic Analysis

Overfill Prevention Control Unit with Ground Verification & Vehicle Identification Options. TÜVRheinland

Failure Modes, Effects and Diagnostic Analysis

Session Ten Achieving Compliance in Hardware Fault Tolerance

SAFETY MANUAL. X2200 UV, X9800 IR, X5200 UVIR SIL 2 Certified Flame Detectors

SAFETY MANUAL. Intelligent Sensors for H 2 S Gas Applications

IEC Functional Safety Assessment

Soliphant M with electronic insert FEM52

Safety Integrity Verification and Validation of a High Integrity Pressure Protection System to IEC 61511

Functional Safety Solutions

IEC Functional Safety Assessment

Proof Testing Level Instruments

Technical Paper. Functional Safety Update IEC Edition 2 Standards Update

Functional Safety Manual June pointek CLS500/LC500

Mobrey Magnetic Level Switches

Failure Modes, Effects and Diagnostic Analysis

SAFETY MANUAL. FL4000H and FL4000 Multi-Spectral Infrared Flame Detectors

Safety in the process industry

Functional Safety SIL Safety Integrity Level

STT850 and STT750 SmartLine Temperature Transmitter HART Communications Options Safety Manual 34-TT Revision 4 September 2017

Digital EPIC 2 Safety manual

SAFETY INTEGRITY LEVEL MANUAL. IEC and IEC XP95 and Discovery SIL Approved Product Range

SAFETY CERTIFIED MODEL FP-700 COMBUSTIBLE GAS DETECTOR

Rosemount Functional Safety Manual. Manual Supplement , Rev AF March 2015

SAFETY MANUAL. IR5000 Open Path Hydrocarbon Gas Monitoring System

Pressure Transmitter cerabar M PMC 41/45 cerabar M PMP 41/45/46/48 with Output Signal ma/hart

SIPART. Electropneumatic positioner Functional safety for SIPART PS2. Introduction. General safety instructions 2. Device-specific safety instructions

Assessment of the Safety Integrity of Electrical Protection Systems in the Petrochemical Industry

Failure Modes, Effects and Diagnostic Analysis

Functional Safety: What It Is, Why It s Important And How to Comply

IEC PRODUCT APPROVALS VEERING OFF COURSE

Failure Modes, Effects and Diagnostic Analysis

FUNCTIONAL SAFETY CERTIFICATE. BG Break Glass Unit

We reserve all rights in this document and in the information contained therein. Reproduction, use or disclosure to third parties without express

SITRANS. Temperature transmitter Functional safety for SITRANS TW. Introduction. General safety instructions 2. Device-specific safety instructions

Process Safety - Market Requirements. V.P.Raman Mott MacDonald Pvt. Ltd.

SAFETY RELAY APPLICATION

The agri-motive safety performance integrity level Or how do you call it?

Products Solutions Services. Safety by Design. Ask questions, get answers! Slide 1 06/15/2017. Ngo

Mechanics issn Transport issue 1, 2009 Communications article 0342


FUNCTIONAL SAFETY: A PRACTICAL APPROACH FOR END-USERS AND SYSTEM INTEGRATORS

Safety Speed Monitoring

Differential Pressure Transmitter deltabar S PMD 230/235 deltabar S FMD 230/630/633 with ma output signal

Simply reliable: Process safety from Endress+Hauser

Proservo NMS5- / NMS7-

New Developments in the IEC61511 Edition 2

Safety Manual. XNXTM Universal Transmitter. Fault Diagnostic Time Interval Proof Test Proof Testing Procedure

ACCURATE FAILURE METRICS FOR MECHANICAL INSTRUMENTS IN SAFETY APPLICATIONS

Automation, Functional Safety. Assessment of the Point Guard Analog Input Safety Modules 1734-IE4S and 1734-IE4SXT Rockwell Automation, USA

Report to the Certificate

FUNCTIONAL SAFETY MANUAL

FLT93 Installation, Operation and Troubleshooting Guide

Functional Safety: the Next Edition of IEC 61511

Pressure Transmitter cerabar S PMC 731/631 cerabar S PMP 731/635 with ma output signal

2015 Functional Safety Training & Workshops

Functional Safety of Machinery Presented by Greg Richards Manufacturing in America 02/22-23/2017

Technical Manual for the Manual Alarm Call Point BG

HAWK Measurement Systems Pty. Ltd. Centurion CGR Series Safety Manual

User s Manual. YTA110, YTA310, YTA320, and YTA710 Temperature Transmitters. Manual Change No

Rosemount 2140:SIS Level Detector

Liquiphant S, Nivotester FDL60/61, FTL670

The Next Generation Machine Protection System

Session Four Functional safety: the next edition of IEC Mirek Generowicz Engineering Manager, I&E Systems Pty Ltd

Functional safety according to IEC / IEC Important user information. Major changes in IEC nd Edition

ADIPEC 2013 Technical Conference Manuscript

Safety Instrumented Systems

67 th Canadian Chemical Engineering Conference EDMONTON, AB OCTOBER 22-25, 2017

Measurement of Safety Integrity of E/E/PES according to IEC61508

Transcription:

Report Nr. 07207334856 Applicant: Fluid Components Ltd. 1755 La Costa Meadows Drive San Marcos, CA 92069 USA Device under test: FLT 93 - Sensor System Testing body: TÜV NORD CERT GmbH Safety Related Services - SRS Langemarckstr. 20, D-45141 Essen Test engineer: Review: Test principles: Mr. Dipl.-Ing. Roger Feist Mr. Dr.-Ing. Ulrich Adolph Quantitative failure analysis with FMEDA-techniques Date: Order-no.: 24.10.2007 8000334856 The report consists of 8 pages Partial duplication of this Technical Report and its use for advertising purposes is allowed with permission of the testing laboratory only. This Technical Report contains the result of the examination of the product sampie submitted by the manufacturer. A general statement conceming the quality of the products from the series manufacture cannot be derived therefrom. page1of8 --

Technical report no. 07207334856 dated 24.10.2007 Page 2 of 8 1 Contents 1 Contents 2 3 Management Documents Summary 4 Conducted tests - FMEDA calculation 4.1 4.2 General Procedure 4.3 Failure rates of the components 4.4 FMEDA results and estimation of PFD 2 2 4 5 5 5 7 8 2 Management Summary This report describes the results of the Failure Modes, Effects and Diagnostic Analysis (FMEDA) on the FLT93 sensor system. A FMEDA is one of the steps taken to achieve functional safety certification per IEC 61508 of a device. From the resulting failure rates the Safe Failure Fraction (SFF) and example PFD-values are calculated. The FMEDA that is described in this report is regarding only random failure probabilities of the FLT93-hardware. For a full functional safety certification all requirements of the IEC 61508 must be considered. The FLT93 Series models are multipurpose measurement instruments. Each model is a single instrument that is capable of detecting air flow, fluid flow and temperature. It is also able to detect liquid level or fluid media interfaces. The instrument has two field adjustable alarm set points, two buffered voltage outputs, as weil as a built-in calibration Because of the usage of commonly used electronic components with weil known failurebehaviour and sufficient field experiences the FLT 93 Sensor system electronic is classified as a Type A subsystem according to IEC 61508-1 chapter 7.4.3.1.2. It has a hardware failure tolerance (HFT) of O. The analysis shows, that different internal configurations of the FLT 93 lead to different results. Therefore focus was set to the "fail-safe configuration" is regarded to be relevant. The most relevant safety-configuration of the FLT 93 is (according to the manufacturer) is: --

Technical report no. 07207334856 dated 24.10.2007 Page 3 of 8 TrN,;;;;;J "tail-sate" "flowswitch" "SPS connectedto outputs" For the sensor head tailure rates statisticalproot data provided by the manutacturer have been used. These data have not been verified by the testing body. Certain component tailures increase configured switch-points or the measured value. They have different effects whether the FLT is configured to de-energise its output above a "high" sensor outputs (Iow tlow detection) or to de-energise below a "low"sensor output, mentioned as "High Switch" or "Low Switch" in the text below. This leads to slightly different results tor "Iow flow detection" and "high tlow detection". The estimated tailure rates under these conditions and tor this mode ot operation are listed in table 1. Table 1: Failure rates for flow-switch configuration ASD[10-9/h] ASU[10-9/h] ADD[10-9/h] ADU[10-9/h] SFF [%] High Switch 383 1102 82 374 82 Low Switch 320 1147 144 302 84 To cover a maximum number ot different FLT configurations and usage modes several different calculations were carried out tor both, high switch and low switch: FLT93 only regarding the electronic devices - without the sensor head. FLT93 with sensor-head - Failure rate trom proot-data. FLT93 with sensor-head - Generic data FLT93 with maximum output load - relay not de-rated. Details regarding the calculation and results tor other configurations can be taken trom chapter 4.2 - FMEDA calculation. Using the FMEDA results a sampie PFD using a prootcheck-interval ot 1 year was calculated. For the configuration above the PFD equals: PFD = 1.52 * 10-3(high switch) and PFD = 1.32 * 10.3(Iow switch) For SIL2-capable sensor-devices it is usually required, that the PFD-values are smaller than 3.5 *10.3.

- ---------- Technical report no. 07207334856 dated 24.10.2007 Page 4 of 8 3 Documents Relevant standards: /51/ IEC 61508-1:1998 Functional safety of electrical/electroniclprogrammable electronic + corrigendum safety-related systems 1999 Part 1: General requirements; /52/ IEC 61508-2:2000 Functional safety of electrical/electroniclprogrammable electronic safety-related systems Part 2: Requirements for electrical/electroniclprogrammable electronic safety-related systems; /53/ IEC 61508-6:2000 Functional safety of electrical/electroniclprogrammable electronic safety-related systems Part 6: Guidelines on the application of IEC 61508-2 an IEC 61508-3 /54/ 5N 29500 Failure rates of components 5ubmitted Files: /C1/ 5chematic diagram, 5 pages DWG No. 015811 16 June 94 /C2I Parts list "5294 basic", p.2 - p. 4/4 PL 015814-01 20 June 94 /C3/ Parts list "Input power normalline" p.2i2 PL 015905-01 20 June 94 /C4/ Parts list "relay contact rating" PL 015334-01 27 Oct 93 /C5/ Parts list "heater wattage control, PL 015920-01 15 June 94 variable, -5 sensing element" /C6/ Installation, operation and maintenance 06EN003246 Rev. B 29 5ept 94 manual FLT 5eries Flex5witch Appendices: /A1/ FMEDA for FLT93 - High 5witch 3 pages 24 Oct 2007 /A2/ FMEDA for FLT93 - Low 5witch 3 pages 24 Oct 2007 /A3/ Determination of failure rates 2 pages 24 Oct 2007 according to 5N 29500

- --- - -------------- Technical report no. 07207334856 dated 24.10.2007 Page 5 of 8 4 Conducted tests - FMEDA calculation 4.1 General The FLT93 Series models are multipurpose measurement instruments. Each model is a single instrument that is capable of detecting air flow, fluid flow and temperature. It is also able to detect liquid level or fluid media interfaces. The instrument has two field adjustable alarm set points, two buffered voltage outputs, as weil as a built-in calibration circuit. The alarm-outputs of the sensor are realized with 6 amp relay contacts that can be used to control customer process applications. For all safety-related applications the FLT93 must be configured in "failsafe alarm setting" as described in the installation manual chapter 3-200. The operation of the sensing element is based upon the thermal dispersion principle: A lowpowered heater is used to produce a temperature differential between two "Resistance Temperature Detectors" (RTD). The RTD temperature differential varies as a function of forced convection for flow measurement and as a function of fluid thermal conductivity for level and interface measurement. The measurement of the fluid's temperature is obtained from the non-heated RTD. The control circuit converts the sensing element's RTD temperature differential into an analog DC voltage signal. Dual comparators monitor the sensing element signal and activate the relay alarm circuits if the signal exceeds an adjustable set point. The control circuit contains certain removable jumpers that configure the instrument to perform in different modes. The FMEDA is a systematic way to recognise and quantify the effects of different componentfailures on the complete system. If possible, the assumptions made should be verified on the real system. 4.2 Procedure The circuit-diagram of the FLT93 was divided in subsystems, each having a determined function in the sensing function. For each component in the subsystem the possible failure modes were analysed and divided in one of the following failure-categories:

Technical report no. 07207334856 dated 24.10.2007 Page 6 of 8 TrN~ ASD: ASu: ADD: ADU: ANE: Failure, which is not influencing the safety-function but causes the module to go to safe state (e.g. by de-energising one of the relay) by means of an diagnostic circuit. Failure, which is influencing the safety function in a safe way, but remains undetected. Failure,which is causing a dangerousmalfunctionof the subsystemlmodule,but is detected by internal diagnostics. Failurethat is dangerousandis not beingdetectedby internaldiagnosis. Failure rate of a component which is not related to the safety function or the diagnostics. Usually it has other purposes in the circuit, e.g. EMC. It is not regarded as part of the safety function an its failure rate has not necessarily to be quantified. Using the sum of these failure rates the overall-sff (safe failure fraction) for the FLT93 was determined. If for a certain componentl subsystem the division in further subsystems or failure mode was not necessary, possible or sensible, 50% of the total failure rate for the subsystem have been classified to be dangerous. If components are used in a double-channel configuration (e.g. two relay in line - both must fail to be dangerous), the calculation uses a single-channel equivalent considering the Common-Cause-Failure. For all analysis steps the failsafe configuration was assumed, thus both output relay must be energised in OK-condition. If one of the two output relay is de-energised, there is a process failure or an internal component failure in the FLT93. For the switch-point settings in the alarm circuit it was assumed, that output voltages of the front end conditioners output above 7 V and below 0.5 V lead to alarm condition. All failures not causing a drift of the measured value higher than 1% of its nominal are counted with 50% dangerous (value can drift in both directions - safe an dangerous). Failures causing an output above 7 V or below 0.5 V have been counted with 50% safe and 50% dangerous detected failures. Furthermore it was assumed, that At a single point of time only one component fails. Failure rates are constant, wear out mechanisms are not included. Propagation of failures is not relevant. The stress levels are average for and industrial environment. External power supply failures can be excluded. Systematic failures like wrong connected terminals are excluded.

... --. -.- Technical report no. 07207334856 dated 24.10.2007 Page 7 of 8 The potentiometer settings are done according to the manufacturer's specification. The operatingpointofthe internalsignal"/::n81g1" is between0.5v and7.0v Because of the mechanical properties of the housing the influence of dirt on the circuitboard can be excluded. After use of the calibration potentiometer it is turned to one of its maximum values to guarantee, that random switching of the "cal switch" leads to safe state. This instruction is currently not in the user manual! J22 is open, J16 is closed. 4.3 Failurerates of the components The failure rates of critical components have been extracted from /84/, failure modes, where applicable from DIN EN 62061. The data were chosen under consideration of worst case scenarios inside the span of the assumed environments. It is expected that the failure rate recognizable in average field applications will be less than the predicted numbers. If no failure-data for a component was found in /84/ other sources have been taken into account. This applies especially to the use of RTD-sensors in industrial environment. In similar applications RTD-sensors have been used with an expected failure rate of 8000 FIT. The manufacturer of the FLT93 system has claimed to provide a high protection level against vibration, which is the major failure-source for RTD. To respect this fact, a second calculation was prepared with the failure rate from the manufacturers "proven in use" data. The underlying statistics have not been verified by the testing body. To determine a failure rate from the available proof-data an average number of 54 damaged sensor-heads (for any reason) has been extracted. On a basis of approximately 3000 sold devices per year and a 3 years warranty period the failure rate was determined with 70% confidence interval and distributed equallyon both RTD. According to this each RTD should be better than 375 FIT. A similar situation applies to the relay in the sensor output circuit. While specified for 6 Amp loads, they are normally used in conjunction with high-impedance PLC-inputs, thus will be used highly underrated in 99% of current applications. Again, to respect this common application aseparate calculation was carried out. - - - - - -- -- -

Technical report no. 07207334856 dated 24.10.2007 Page 8 of 8 4.4 FMEDA results and estimation of PFD The analysis results for the sensor-electronic without interfacing device are: High Switch Low Switch ASD[10.9/h] 83 ASU[10.9/h] ADD[10-9/h] ADU[10-9/h] SFF [%] 802 7 272 77 20 847 70 227 80 head but with a PLC system as PFC1 1, 19* 1 0-3 0,99*10-3 Together with a sensor head with failure rate according to the manufacturer's a PLC system as interfacing device it yields: ASD[10.9/h] Asu[10.9/h] ADD[10.9/h] ADU[10.9/h] SFF [%] High Switch 383 1102 82 374 82 Low Switch 320 1147 144 302 84 statistic and with 1,52*10-3 1,32*10-3 If the latter calculation is done with generic data for the RTD-sensor components regarding the mechanical properties of the FLT-construction) the result is: ASD[10.9/h] Asu[10.9/h] ADD[10.9/h] ADU[10.9/h] SFF [%] PFC1 High Switch 6483 7202 1607 1872 89 8,2*10.3 Low Switch 6420 7247 1669 1827 89 8,0*10-3 (not In cases, where the FLT is used to switch a higher load (e. g. a valve) directly, the following values, considering maximum load on the output should be used: ASD[10.9/h] Asu[10.9/h] ADD[10.9/h] ADU[10-9/h] SFF [%] High Switch 83 1133 7 603 67 2,64*10-3 Low Switch 20 1178 70 558 69 2,44*10-3 1 The PFD (probability of failure on demand) values are sampies calculated for a subsystem with supposed 1001d-architecture and a 1 year proof check interval. The required value for SIL verification according to IEC 61508 is the PFD of the complete safety-function

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback