KROHNE OPTISWITCH-3x00C User Manual

Safety Manual
OPTISWITCH series 3000
- two-wire

Content

1 Functional safety
1.1 General
1.2 Planning
1.3 Adjustment instructions
1.4 Setup
1.5 Reaction during operation and in case of failure
1.6 Recurring function test
1.7 Safety-related characteristics
2 OPTISWITCH series 3000 • - two-wire
32745-EN-080414

1 Functional safety

1.1 General

Functional safety
Scope
This safety manual applies to measuring systems consisting of the vibrating level switch OPTISWITCH series 3000 with integrated oscillator VB60Z:
OPTISWITCH 3100 C, 3200 C, 3300 C
Valid hardware and software versions:
• Serial number of the electronics > 14215176
• Sensor software from Rev. 1.03

Area of application
The measuring system can be used for level detection of bulk solids (powders and granulates) in applications that must meet the special requirements of safety technology.
This is possible up to SIL2 in a single channel architecture (1oo1D), and up to SIL3 in a multiple channel, redundant architecture.
Note:
With a special factory setting, the measuring system is also suitable for detection of solids in water (see "Operating instructions manual").

SIL conformity
The SIL declaration of conformity can be downloaded from our homepage on the Internet.

Abbreviations, terms
Further abbreviations and terms are stated in IEC 61508-4.
SIL Safety Integrity Level
HFT Hardware Fault Tolerance
SFF Safe Failure Fraction
PFDavg Average Probability of dangerous Failure on Demand
PFH Probability of a dangerous Failure per Hour
FMEDA Failure Mode, Effects and Diagnostics Analysis
λsd Rate for safe detected failure
λsu Rate for safe undetected failure
λdd Rate for dangerous detected failure
λdu Rate for dangerous undetected failure
DCS Diagnostic Coverage of safe failures; DCS = λsd/(λsd + λsu)
DCD Diagnostic Coverage of dangerous failures; DCD = λdd/(λdd + λdu)
FIT Failure In Time (1 FIT = 1 failure/10⁹ h)
MTBF Mean Time Between Failure
MTTF Mean Time To Failure
MTTR Mean Time To Repair

Relevant standards
• IEC 61508 (also available as DIN EN)
  - Functional safety of electrical/electronic/programmable electronic safety-related systems

Safety requirements
Failure limit values for a safety function, depending on the SIL class (from IEC 61508-1, 7.6.2)

Safety integrity level (SIL) | Low demand mode (PFDavg) | High demand mode (PFH)
4 | ≥ 10⁻⁵ … < 10⁻⁴ | ≥ 10⁻⁹ … < 10⁻⁸
3 | ≥ 10⁻⁴ … < 10⁻³ | ≥ 10⁻⁸ … < 10⁻⁷
2 | ≥ 10⁻³ … < 10⁻² | ≥ 10⁻⁷ … < 10⁻⁶
1 | ≥ 10⁻² … < 10⁻¹ | ≥ 10⁻⁶ … < 10⁻⁵

Safety integrity of hardware for safety-related subsystems of type B (IEC 61508-2, 7.4.3)

Safe failure fraction (SFF) | Hardware fault tolerance HFT = 0 | HFT = 1 | HFT = 2
< 60 % | not permitted | SIL1 | SIL2
60 % … < 90 % | SIL1 | SIL2 | SIL3
90 % … < 99 % | SIL2 | SIL3 | (SIL4)
≥ 99 % | SIL3 | (SIL4) | (SIL4)

1.2 Planning

Safety function
The safety function of this measuring system is the identification and signalling of the condition of the vibrating element.
A distinction is made between the two conditions "covered" and "uncovered".

Safe state
The safe state depends on the mode:

Mode | Overflow protection (max. operation) | Dry run protection (min. operation)
Vibrating element in safe state | covered | uncovered
Output current in safe condition if mode switch on the sensor is set to "max." | 12.5 … 23.5 mA | 2.3 … 11.5 mA
Output current in safe condition if mode switch on the sensor is set to "min." | 2.3 … 11.5 mA | 12.5 … 23.5 mA
Failure current "fail low" | < 2.3 mA | < 2.3 mA
Failure current "fail high" | > 23.5 mA | > 23.5 mA

Fault description
A safe failure is present when the measuring system switches to the defined safe state or the fault mode without the process demanding it.
If the internal diagnosis system detects a failure, the measuring system goes into fault mode.
A dangerous undetected failure exists if the measuring system switches neither to the defined safe condition nor to the failure mode when the process requires it.

Configuration of the processing unit
If the measuring system delivers output currents of "fail low" or "fail high", it can be assumed that there is a malfunction.
The processing unit must therefore interpret such currents as a malfunction and output a suitable fault signal.
If this is not the case, the corresponding portions of the failure rates must be assigned to the dangerous failures. The stated values in chapter "Safety-related characteristics" can thus worsen.
The processing unit must correspond to the SIL level of the measurement chain.
If an SU 501 Ex is used for processing, the mode switch on the sensor must be set to "max.".
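
An added example, not taken from the manual or the manufacturer: the current bands of the safe-state table and the "fail low"/"fail high" rule written as evaluation logic for a processing unit. The function names, the treatment of the band between 11.5 mA and 12.5 mA (not defined in the table) as a fault, and tripping the protective action on a fault are assumptions of this example.

```python
import math
from enum import Enum

# Current limits in mA, taken from the "Safe state" table of the manual.
FAIL_LOW_MA, FAIL_HIGH_MA = 2.3, 23.5
LOW_BAND, HIGH_BAND = (2.3, 11.5), (12.5, 23.5)


class State(Enum):
    COVERED = "covered"
    UNCOVERED = "uncovered"
    FAULT = "fault"


def classify(current_ma, mode_switch):
    """Map a loop current to the state of the vibrating element.

    mode_switch is the position of the sensor's mode switch: "max" or "min".
    """
    if mode_switch not in ("max", "min"):
        raise ValueError("mode_switch must be 'max' or 'min'")
    # A NaN reading (failed analog input) would pass every range test below.
    if math.isnan(current_ma):
        return State.FAULT
    if current_ma < FAIL_LOW_MA or current_ma > FAIL_HIGH_MA:
        return State.FAULT  # "fail low" or "fail high"
    in_low = LOW_BAND[0] <= current_ma <= LOW_BAND[1]
    in_high = HIGH_BAND[0] <= current_ma <= HIGH_BAND[1]
    if not (in_low or in_high):
        # Assumption: the table does not define 11.5 ... 12.5 mA; report a fault.
        return State.FAULT
    # "max.": high band means covered. "min.": low band means covered.
    covered = in_high if mode_switch == "max" else in_low
    return State.COVERED if covered else State.UNCOVERED


def evaluate(current_ma, mode_switch, application):
    """Return (state, trip, fault_signal) for "overfill" or "dry_run" protection."""
    if application not in ("overfill", "dry_run"):
        raise ValueError("application must be 'overfill' or 'dry_run'")
    state = classify(current_ma, mode_switch)
    fault_signal = state is State.FAULT
    # Safe state per the table: covered for overflow, uncovered for dry run.
    demand = State.COVERED if application == "overfill" else State.UNCOVERED
    # Assumption: a fault also trips, so the process is held in a safe state.
    trip = fault_signal or state is demand
    return state, trip, fault_signal
```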

Low demand mode
If the demand rate is only once a year, then the measuring system can be used as a safety-relevant subsystem in "low demand mode" (IEC 61508-4, 3.5.12).
If the ratio of the internal diagnostics test rate of the measuring system to the demand rate exceeds the value 100, the measuring system can be treated as if it is executing a safety function in the mode with low demand rate (IEC 61508-2, 7.4.3.2.5).
An associated characteristic is the value PFDavg (average Probability of dangerous Failure on Demand). It is dependent on the test interval TProof between the function tests of the protective function.
For numerical values, see chapter "Safety-related characteristics".

High demand mode
If the "low demand rate" does not apply, the measuring system should be used as a safety-relevant subsystem in "high demand mode" (IEC 61508-4, 3.5.12).
The fault tolerance time of the complete system must be higher than the sum of the reaction times or the diagnostics test periods of all components in the safety-related measurement chain.
An associated characteristic is the value PFH (failure rate).
For numerical values, see chapter "Safety-related characteristics".

Assumptions
The following assumptions form the basis for the implementation of FMEDA:
• Failure rates are constant, wear of the mechanical parts is not taken into account
• Failure rates of external power supplies are not taken into account
• Multiple errors are not taken into account
• The average ambient temperature during the operating time is 40 °C (104 °F)
• The environmental conditions correspond to an average industrial environment
• The lifetime of the components is around 8 to 12 years (IEC 61508-2, 7.4.7.4, remark 3)
• The repair time (exchange of the measuring system) after a non-dangerous malfunction is eight hours (MTTR = 8 h)
• The processing unit can interpret "fail low" and "fail high" failures as errors and trigger a suitable error message
• The scanning interval of a connected control and processing unit is max. 1 hour, in order to react to dangerous, detectable errors
• Existing communication interfaces (e. g. HART, I²C-Bus) are not used for transmission of safety-relevant information

General instructions and restrictions
The measuring system should be used appropriately, taking pressure, temperature, density and chemical properties of the medium into account.
The user-specific limits must be kept. The specifications of the operating instructions manual must not be exceeded.
Keep in mind when using as dry run protection:
• Avoid buildup on the vibrating system (shorter proof test intervals will probably be necessary)
• Fork version: avoid granulate size of the medium > 15 mm (0.6 in)

1.3 Adjustment instructions

Adjustment elements
Since the plant conditions influence the safety of the measuring system, the adjustment elements must be set according to the application:
• DIL switch for switching point adaptation
• DIL switch for mode adjustment
The function of the adjustment elements is described in the operating instructions manual.

1.4 Setup

Mounting and installation
Take note of the mounting and installation instructions of the operating instructions manual.
In the setup procedure, a check of the safety function by means of an initial filling is recommended.

1.5 Reaction during operation and in case of failure

The adjustment elements or device parameters must not be modified during operation.
If modifications have to be made during operation, carefully observe the safety functions.
Fault signals that may appear are described in the appropriate operating instructions manual.
If faults or error messages are detected, the entire measuring system must be shut down and the process held in a safe state by other measures.
An exchange of the electronics is easily possible and is described in the operating instructions manual.
If the electronics or the complete sensor is exchanged due to a detected failure, the manufacturer must be informed (incl. a fault description).

1.6 Recurring function test

General
The recurring function test is used to check the safety function and to detect possible non-recognisable, dangerous faults. The function of the measuring system must be checked at adequate intervals.
The operator is responsible for choosing the type of check. The time intervals depend on the selected PFDavg value according to chart and diagram in paragraph "Safety-related characteristics".
With high demand rate, a recurring function test is not required by IEC 61508. The function of the measuring system is demonstrated by the frequent use of the system. In double channel architectures it is a good idea to verify the redundancy through recurring function tests at appropriate intervals.
The test must be carried out in a way that verifies the flawless operation of the safety functions in conjunction with all system components.
This is ensured by a controlled reaching of the response height during filling. If filling up to the response height is not possible, then a response of the measuring system must be triggered by a suitable simulation of the level or the physical measuring effect.
The methods and procedures used during the tests must be stated and their suitability must be specified. The tests must be documented.
If the function test proves negative, the entire measuring system must be switched out of service and the process held in a safe state by means of other measures.
In the double channel architecture 1oo2D this applies separately to both channels.

Function test in mode overfill protection
If the measuring system is used as overfill protection, the proof of the function is ensured by a simple function test which can be triggered and monitored manually or by a connected control system.