Siemens SITRANS F,SITRANS FX330 Additional Operating Instructions

Download

Additional Operating Instructions

SITRANS F

Vortex ﬂowmeters

Functional Safety for SITRANS FX330

10/2017Edition

www.siemens.com/ﬂow

CONTENTS

SITRANS FX330

1 Introduction 4

1.1 Scope of the document..................................................................................................... 4

1.2 Revision history ................................................................................................................ 5

1.3 Device description ............................................................................................................ 6

1.4 Related documentation .................................................................................................... 6

1.5 Terms and definitions....................................................................................................... 7

2 Specification of the safety function 8

2.1 Preconditions.................................................................................................................... 8

2.2 Safety application conditions (SAC).................................................................................. 8

2.2.1 General.................................................................................................................................... 8

2.2.2 Installation ..............................................................................................................................8

2.2.3 Functional safe configuration................................................................................................. 8

2.2.4 Maintenance............................................................................................................................ 8

2.2.5 Operation................................................................................................................................. 9

2.2.6 Homogeneous redundancy ..................................................................................................... 9

2.3 Operation modes ............................................................................................................10

2.4 Definition......................................................................................................................... 11

2.5 Safety reaction and safe state........................................................................................ 12

3 Operation 13

3.1 Preparation for SIL mode operation .............................................................................. 13

3.1.1 Entering the SIL mode key.................................................................................................... 13

3.1.2 Parametrisation for SIL mode operation.............................................................................. 14

3.1.3 Verification of configuration.................................................................................................. 14

3.2 Reconfiguration of a device operated in SIL mode ........................................................ 15

3.3 Switch to non-SIL mode ................................................................................................. 16

3.4 Error conditions.............................................................................................................. 16

3.5 Parameter types ............................................................................................................. 17

4 Service 19

4.1 Maintenance ................................................................................................................... 19

4.2 Availability of services .................................................................................................... 19

4.3 Operation modes and proof test..................................................................................... 19

4.4 Resetting the fail-safe flags ........................................................................................... 23

4.5 Troubleshooting.............................................................................................................. 23

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

CONTENTS

5 Technical data 24

5.1 General notes ................................................................................................................. 24

5.2 SIL certificate.................................................................................................................. 25

5.3 Declaration ..................................................................................................................... 26

5.4 Safety relevant key indicators ........................................................................................ 27

5.5 Measuring accuracy ....................................................................................................... 28

5.6 Useful lifetime ................................................................................................................ 29

5.7 Support for SIL-approved devices.................................................................................. 29

6 Appendix 30

6.1 Explanations to safety application conditions (SAC)...................................................... 30

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

INTRODUCTION

1.1 Scope of the document

This document is the safety manual for the SITRANS FX330. Its content applies if the measurement device is operated in SIL mode or prepared for SIL mode, respectively.

General hint

This vortex flowmeter is a functionally safe flowmeter. It may be deployed within safety critical systems requiring the safety function (for details refer to page 8) at a safety integrity level 2, in homogeneous redundant configuration at safety integrity level 3 (for more information about homogeneous redundancy refer to

10). In case of a detected potentially hazardous failure, the system performs a safety reaction to bring the device to a safe state, which is indicated by a failure current on the current output.

Depending on the failure, the device will resume the measuring mode as soon as the root cause of the failure disappears (transient application dependent failure) or remains in failure mode (persistent system integrity failure). In the latter case, operator's interaction is required to restart measuring mode.

SITRANS FX330

Specification of the safety function

Operation modes

on page

For safe operation, the operator / integrator must fulfil some conditions. These conditions are defined as Safety Application Conditions (SAC). For further information refer to

application conditions (SAC)

on page 8.

Safety

INFORMATION!

The data in this supplement only contains the data applicable to the SIL approval. The technical data for the standard version in the handbook (document [N1]) shall be valid, provided that it is not rendered invalid or replaced by this supplement. If necessary, parts of [N1] are referenced herein.

INFORMATION!

Installation, commissioning and maintenance may only be carried out by properly trained and authorised personnel.

INFORMATION!

Configuration for SIL mode operation needs a login as role "Expert" (for details refer to [N1], chapter "Security and permissions"]. Nevertheless the operator shall protect the flowmeter against unauthorised access.

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

1.2 Revision history

This safety manual is valid for all versions which are operated in SIL mode, identified by the V numbers according to the following tables, until its incompatibility with a new version is stated.

INTRODUCTION

Code VG16/

SG16

Functional safety relevant

a b cde f gh i j k l m n o p q rstu

vwx

x x x x x

y z

Code Description Valid flow sensor codes for SIL

device variant

VG16/SG16 Prefix to code -

a Manufacturer specific -

b General information C, D

cde Flange connection, rating and sealing surface -

f Measuring section -

gh Pressure sensor options and gaskets -

i Approvals for hazardous and ordinary locations -

j Signal converter housings 1, 2, 4, 5, 7, A, B, D, E

k System design 0 only

l Display 1 only

m Cable glands -

n Firmware feature -

o Programming language -

p Communication options 0 only

q Marking -

rstuvwx Diverse certificates (CoC, calibration, pressure testing, material,

hardness testing, cleaning, X-ray/dye penetration)

y Manual -

z Spare -

INFORMATION!

Check in case a firmware is updated or any part of the device is replaced, whether a new safety manual is available on the manufacturer's internet site.

Release date Electronic revision Changes and compatibility Documentation

2017-07-10 ER 2.0.0_ Initial version Edition 09/2017

2017-10-01 ER 2.0.1_ Sensor diagnostics update Edition 10/2017

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

INTRODUCTION

1.3 Device description

The SITRANS FX330 is a 2-wire vortex flowmeter measuring volume flow rate, temperature and optionally pressure of liquids, steam and gases. From these data the device calculates normalised flow rate, mass flow rate, power flowrate, etc.

In SIL mode the SITRANS FX330 measures the volume flow rate and outputs the measurement via the safe 4…20 mA current output.

For measurement in SIL mode the following conditions apply:

• The 4…20 mA current output provides a safe output exclusively.

• Local display, HART

• The local display and HART

• Parameters can only be changed in non-SIL mode.

• The binary output can also be used in order to provide non-safety related measurement

values.

• The current input can be used for non-safety related functionalities.

SITRANS FX330

Interface and the binary output do not provide a safe output.

Interface are read-only during SIL mode.

4...20 mA current

Tube → Safe subsystem → Non-safe

1.4 Related documentation

[N1] SITRANS FX330 Operating Instructions

[N2] IEC 61508-1 to 7:2010 Functional safety of electrical / electronic / programmable electronic safety-

related systems

[N3] Siemens Norm SN 29500, Edition 2004-01

output (safe) Current input

↑↓

subsystem

↓

Local display

Binary output

→

HART

→

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

INTRODUCTION

1.5 Terms and definitions

Term Description

DC Diagnostic Coverage of dangerous failures

EUC Equipment Under Control

Firmware Software embedded in the device

FIT

FMEDA Failure Modes, Effects and Diagnostics Analysis

FRT Fault Response Time (diagnostic test interval + Fault Reaction Time)

HFT Hardware Fault Tolerance

I/O Input / output

MTBF Mean Time Between Failures

MTTF Mean Time To Failure

MTTR Mean Time To Repair

MTR Mean Time To Restoration

PFD

AVG

PFH Probability of a dangerous Failure per Hour

PTC Proof Test Coverage

SFF Safe Failure Fraction

SIL Safety Integrity Level

SIS Safety Instrumented Systems

Systematic Capability

Type A system

Type B system

Proof

Repair

Test

1oo1 1 out of 1 channel architecture (single architecture performs the safety function)

1oo1D 1 out of 1 channel architecture with diagnostics

Failure In Time (1x10-9 failures per hour)

Rate for dangerous detected failure

Rate for dangerous undetected failure

Rate for safe detected failure

Rate for safe undetected failure

Average Probability of Failure on Demand

Measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions.

"Non-complex" system (all failure modes are well defined). For more data, refer to subsection 7.4.3.1.2 of IEC 61508-2.

"Complex" system (all failure modes are not well defined). For more data, refer to subsection 7.4.3.1.2 of IEC 61508-2.

Proof Test Interval

Time to Repair

Internal Diagnostics Test Interval

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

SPECIFICATION OF THE SAFETY FUNCTION

2.1 Preconditions

The device must be operated within the process and ambient conditions specified in the handbook ([N1]) of the device.

The following chapter defines additional conditions, which have to be obeyed for safety applications.

2.2 Safety application conditions (SAC)

INFORMATION!

This chapter defines the conditions which must be met by the operator to ensure safe operation. Further explanations can be found in appendix I. The safety application condition is valid, while the related explanation might be incomplete.

2.2.1 General

SAC1: System changes

The flowmeter can be deployed as device with safety responsibility. Non specified changes are not allowed. Especially after maintenance measures, carrier and operator must ensure that no hazardous states came up, and that all safety application conditions are still met.

SITRANS FX330

2.2.2 Installation

SAC2: Mounting and connecting

[N1] defines requirements regarding installation and electrical connections of the device. These requirements are safety critical and must be strictly observed.

2.2.3 Functional safe configuration

SAC3: SIL mode

The flowmeter is functionally safe only if configured for operation in SIL mode.

SAC4: Parameter input

Parameters are changed under responsibility of the operator.

2.2.4 Maintenance

SAC5: Maintenance mode

If maintenance mode (for definition refer to operated under responsibility of the operator.

SAC6: Resetting the fail-safe flag

Resetting the fail-safe flag is done under responsibility of the operator. He is responsible for the correct execution of appropriate tests and the evaluation of test results.

Operation modes

on page 10) is entered, the device is

SAC7: Firmware update

Firmware may be updated by authorised personnel only.

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

SAC8: Inspection intervals

The definition of the maximum proof test intervals (for details refer to

proof test

responsible for adjusting the proof test intervals if the deployment conditions deviate from the reference conditions.

SAC9: Modification

The flowmeter must not be manipulated.

SAC10: Repair

Repair of the flowmeter must only be done by manufacturer’s personnel or personnel authorised by the manufacturer. Exceptions regarding replacement with spare parts are shown in chapter "Service" in [N1]. In all other cases, send the flowmeter to the manufacturer for repair (for instructions refer to chapter "Returning the device to the manufacturer" in [N1]).

2.2.5 Operation

SAC11: Operational limits

The operational limits as shown in [N1] in the chapter "Technical data" must be observed. To prevent unintentional trigger of the safety reaction, a permanent operation near the operational limits should be avoided.

SPECIFICATION OF THE SAFETY FUNCTION

Operation modes and

on page 19) are calculated for operation under reference conditions. The operator is

SAC12: Supervision of failure current

If a safety critical failure has been detected, the device outputs a failure current on the current output (4...20 mA). The operator must supervise both failure currents (<3.6mA and >21mA).

In case of the occurrence of any failure current the operator has to ensure that the safety loop reacts according to relevant application specific norms (e.g. the safety loop must be prevented from automatically resuming operation after failure notification disappears).

2.2.6 Homogeneous redundancy

SAC13:

The logic subsystem must compare the current values transmitted by the two flowmeters (or one dual version respectively) permanently. In case of a difference greater than 4% of the measurement range over a time interval greater than 30 seconds, the devices must be regarded as non-safe, or defect respectively.

SAC14:

The two flowmeters (or one dual version respectively) must be operated independently. Any hazardous re-activeness from the logic subsystem (for details refer to

10)

on the two measurement devices must be excluded. This means at least:

• Current loops are independently driven.

• Current loops are installed in a way that failures affecting both lines at a time (common

cause) can be avoided.

• The logic subsystem must provide an appropriate low failure rate.

Operation modes

on page

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

SPECIFICATION OF THE SAFETY FUNCTION

2.3 Operation modes

SIL mode

In SIL mode, the device executes the safety function and will react safely if an error is detected which prevents the correct execution of the safety function. In this mode, the device is functionally safe and the safety relevant key figures like hazard rate, FRT etc. can be guaranteed.

Non-SIL mode

In non-SIL mode, the device operates as a standard device. Its behaviour is state-of-the-art, its specific functionality depends on the individual, customised parameter settings.

Maintenance mode

Maintenance mode is intended to boot a potentially defect device in order to test it in its normal operational environment. During this time, operation is done under responsibility of the operator. To avoid improvident and unintentional entering of the maintenance mode the operator is requested to enter the password for "Expert" level access.

SITRANS FX330

By entering the (correct) password, the operator acknowledges the above regulation regarding responsibility, also regarding safety responsibility if the device is operated in SIL mode.

As the maintenance mode is intended for testing, the operator shall provide additional measures to secure the safety of the overall system. Therefore, the operator shall install additional measures to provide safety of the overall system.

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

Homogeneous redundancy

The degree of a functional safe device is determined by the accomplished qualitative safety integrity level and the quantitative hazard rate determined by the failure rate of the deployed hardware.

If two or more identically constructed devices are used in parallel (device A is of the same type as device A’ like the "Dual Version"), the hazard rate for the combination (here: sensor subsystem) can be reduced.

A precondition for this is a logic subsystem comparing the output of devices A and A’: The complete sensor subsystem fails if at least one of the two devices fails (availability is reduced to 50% of the value of a single device A!).

SPECIFICATION OF THE SAFETY FUNCTION

Figure 2-1: Homogeneous redundancy

1 Sensor subsystem 2 Measurement device A 3 Measurement device A' 4 Logic subsystem

2.4 Definition

The flowmeter provides a safety function according to the international standard IEC 61508 [N2]. It is defined as follows:

Output of the volume flow rate at the 4...20 mA current output with a maximum delay of

Output of the volume flow rate at the 4...20 mA current output with a maximum delay of Output of the volume flow rate at the 4...20 mA current output with a maximum delay of 30 seconds and a measurement accuracy better than 4%.

30 seconds and a measurement accuracy better than 4%.

30 seconds and a measurement accuracy better than 4%.30 seconds and a measurement accuracy better than 4%.

Remarks

• The function is always and only executed in SIL mode.

• The measurement uncertainty of the flowmeter in safe operation equals to those

operation curre

• Concerning random errors in the device, the safety tolerance must be considered. The safety tolerance is the tolerable error before setting the safe state of the device. A random fault can cause an error of up to 2% of the present measurement value or output current si

as described in [N1]. It consists of the uncertainty of measurement function

nt output.

gnaled. For further information refer to

Measuring accuracy

in non-SIL

and

before it is

on page 28.

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

SPECIFICATION OF THE SAFETY FUNCTION

2.5 Safety reaction and safe state

As soon as a failure is detected, the vortex flowmeter reacts safely, by setting the current output to the low or high failure current (safety reaction). As an additional feature, temporary and persistent failures can be distinguished:

• A failure current of approximately 3.5 mA is output in case of a transient failure.

• A failure current of approximately 3.35 mA or below, is output in case that a persistent failure

is assumed. A device with a persistent failure will not boot into SIL mode without operator’s interaction (for details refer to

Troubleshooting

Remarks

• The decision whether a failure is transient or persistent will be made within 30 seconds after its detection.

• A too low volume flow (below the lower sensor limit) is classified as a typical transient application dependent failure.

• Some failures will prevent the output of the lower failure current. In such cases, the device tries to output the high failure current (> 21 mA).

• The fault response time is 30 seconds. Any output older than 30 seconds is correct if the safety reaction is not triggered due to a safety critical device failure.

on page 23).

SITRANS FX330

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

3.1 Preparation for SIL mode operation

For execution of the safety function, the device must be unlocked for SIL mode operation and configured for SIL mode.

Devices, which have been ordered as SIL devices, have been unlocked for SIL mode by factory setting. Devices, which have not been ordered as SIL devices, must be unlocked with a key code. Please contact the manufacturer for registration and individual 4-digit key code.

The preparation for SIL mode is done in three steps:

Unlocking of the SIL mode by entering the SIL mode key code (Not applicable for devices or-

dered as SIL devices (for details refer to

2. Se

tup the device for SIL mode operation (for details refer to

eration

3. Ver

by se

on page 14).

ification of the actual configuration and subsequent confirmation of successful verifica

tting the SIL jumper (for details refer to

Entering the SIL mode key

Parametrisation for SIL mode op-

Verification of configuration

OPERATION

on page 13).

on page 14).

tion

3.1.1 Entering the SIL mode key

This step has only to be performed once before the first configuration for SIL mode operation. It is only applicable for devices, which have not been ordered as SIL devices. For basic principles of local display operation and menu structure overview refer to [N1].

INFORMATION!

For entering the SIL mode key code it is required to gain refer to [N1], chapter "Security and permissions").

Menu To do Keys

Enter menu 1 x → A Quick Setup Go to "C Setup" 2 x ↓ C Process Go to "C6 Device" 1 x →, 5 x ↓ C6 Device Go to "C6.2 Security" 1 x →, 1 x ↓ C6.2 Security Go to "C6.2.4 Unlock SIL" 1 x →, 3 x ↓

C6.2.4 Unlock SIL Enter menu and unlock SIL by entering the four digits of the

password, confirm with enter key

After entering the SIL mode key code and confirming with enter key, return to measuring mode.

INFORMATION!

Before switching to SIL mode the customer has to ensure the proper condition of the device. In case of any doubt, a Proof Test may be performed. Previous hours of operation have to be taken into account for failure rate calculation.

“

Expert” access level before (for details

1 x →, ****, 1 x ^

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

OPERATION

3.1.2 Parametrisation for SIL mode operation

Display indication To do Keys

SITRANS FX330

Go to SIL measurement page (After unlocking the SIL mode, a SIL measurement page will be available)

Press > button to enter SIL setup Enter SIL configuration menu 1 x →

A Quick Setup Change parameters in "Quick Setup" or

"Save Configuration?" (only displayed, if any parameter has been changed)

Switch to SIL mode? Confirm switching to SIL mode with

If last question was confirmed with "YES": "Password?"

Wait for reboot

"Setup" as described in [N1]

Leave Quick Setup" or "Setup" 1 x ^

Confirm settings with "YES" or cancel all changes with "NO"

"YES" or cancel with "NO"

Enter password for "Expert" (refer to [N1], chapter "Security and permissions")

(0...3) x ↑

YES / NO ^

**** ^

If question "Switch to SIL mode?" has been confirmed with "YES", the operator will be requested to enter the password for the access level "Expert" (refer to [N1], chapter "Security and permissions") and the system will reboot automatically. If question "Switch to SIL mode?" has been refused with "NO", the device will stay in non-SIL mode. Nevertheless, the changed parameters are stored persistently.

By displaying "Press key for verification" the device shows preparedness for verification of the SIL configuration.

3.1.3 Verification of configuration

During configuration verification, the device will output the complete range between 4 and 20 mA in 2 mA steps and the failure currents <3.6 and >21 mA. Each value will be held for approx. 2 seconds (after the output of >21 mA, the next output will be <3.6 mA again).

The test is performed in an endless loop which can be terminated by setting the SIL jumper or by refusing the SIL mode request (for details refer to

on page 15).

mode

Required equipment

• Calibrated current meter

Execution of the verification The parameter verification is performed as follows:

• Integrate a calibrated current meter into the current loop.

• The device will perform an automatic restart.

• Confirm request "Press key for verification" by pressing any key.

• Check carefully, whether the device shows <3.6, 4 mA, 6 mA…20, >21 mA in a loop.

• Confirm request "Set SIL jumper or press key to cancel" by setting the SIL jumper or refuse

switch to SIL mode by pressing any key

Reconfiguration of a device operated in SIL

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

Setting of the SIL jumper

• Remove the display while device is powered (for details refer to [N1], chapter "Turning the

• Set the jumper to SIL position as shown in the figures below.

• Reattach the display.

dis

play").

OPERATION

Figure 3-1: Jumper position

1 Non-SIL position 2 SIL position

After setting the jumper to the SIL position, the flowmeter will perform an automatic reboot and start operation in SIL mode. The operation in SIL mode is indicated by a small SIL logo.

Figure 3-2: Indication of SIL mode

1 SIL logo for indication of SIL mode

3.2 Reconfiguration of a device operated in SIL mode

The device must be set to non-SIL mode first, before any parameter can be changed, as changing of parameters is prohibited in SIL mode.

Follow the steps shown in the next chapter and then reconfigure the device.

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

OPERATION

3.3 Switch to non-SIL mode

In order to switch the device from SIL mode to non-SIL mode the following steps have to be performed.

• Remove the display (for details refer to [N1], chapter "Turning the display").

• Set the jumper to non-SIL position (for details refer to

page 13).

• Reattach the display.

• The flowmeter will perform an automatic reset.

• Confirm request "Press key for verification" by pressing any key.

• Refuse request "Set SIL jumper or press key to cancel" by pressing any key.

• Enter password for access level "Expert".

The device will now perform an automatic reboot and start operation in non-SIL mode.

3.4 Error conditions

In principle, the error conditions for non-SIL mode and SIL mode are the same (refer to chapter "Status messages and diagnostic information" in N1]).

SITRANS FX330

Preparation for SIL mode operation

In SIL mode, the following special conditions apply additionally:

• Safety critical failures will always result in an output of a failure current.

• The failure current is the only safety relevant signal. Regarding the safe state of the device,

all other interfaces must be ignored (Example: a failure current indicates a safety critical

defect, even if the HART

• Due to power considerations, the lower failure current is the pre-defined failure current. The related user’s configuration in non-SIL mode is ignored in SIL mode. High failure current will only be set if the lower failure current cannot be output for any reasons.

• The events shown in the following table are SIL specific, i. e. they will occur only if the device is operated in SIL mode.

Status type Event group Description Actions to eliminate the event

F Electronics Emergency off

interface is still online).

triggered

Restart the device according to given procedure (for details refer to on page 23).

Resetting the fail-safe flags

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

3.5 Parameter types

In SIL mode the device parameters are distinguished in three parameter types. Two types affect safety:

• Safety critical data:

Safety critical data: These parameters have a fixed setting and cannot be changed but read

Safety critical data:Safety critical data: only. They are marked with a padlock symbol.

Parameter Fixed setting Description

OPERATION

Current Out. Meas. Volume Flow Index of the device variable which is mapped to the current

4mA Trimming 0.004 [A] The externally measured analogue level during trimming

20mA Trimming 0.020 [A] The externally measured analogue level during trimming

High Error Current 0.0215 [A] High failure current.

Low Error Current 0.0035 [A] Low failure current.

Analog Lower Endpoint Value (no menu entry available)

Lower Ext. Range 0.004 [A] The minimum value that the analogue channel is capable of or

Analog Upper Endpoint Value (no menu entry available)

Upper Ext. Range 0.02 [A] The maximum value that the analogue channel is capable of

Error Function ALARMSELECTION LOW States whether the alarm is indicated with high or low signal

Current Loop Mode ON A switch for enabling/disabling loop current signalling.

k-Factor / Offset 0.0 Offset value to adapt k-factor.

k-Factor Linear. / Function

Up. Pip. Dist. Cor. / Function

Temp. Comp. / Function ON Setup of k-factor temperature compensation.

Lin. Thermal Exp. 1/K 0.0000175 [per Kelvin] Coefficient of linear thermal expansion (bluff body).

Min/Max Oper. Dens. / Function

Sensor Overrange 0 Is used to determine the high flow cutoff factor.

Vortex Algorithm / Filter Mode

Vortex Algorithm / Min. Amplitude

Gain CA 0 Piezo configuration.

VA Piezo Test Mode (no menu entry available)

Distortion Reduction / Function

0.004 [A] Corresponds to 0% range and therefore to the "Lower Range

0.02 [A] Corresponds to 100% range and therefore to the "Upper

OFF Switches the k-factor linearisation on/off.

OFF Setup of k-factor upstream compensation.

OFF Switch for use of upper and lower densities for calculation of

FULL AUTO SETTINGS Filter configuration:

0.01 [V] Indicator for valid measurement of vortex frequency.

PIEZO TESTMODE OFF Piezo configuration.

ON Amplitude correction.

output.

(user calibration) of the "Analog Lower Endpoint Value".

(user calibration) of the "Analog Upper Endpoint Value".

Value" of the range conversion.

is limited to.

Range Value" of the range conversion.

or is limited to.

level or not at all.

ON: HART

sensor limits.

"FULL_AUTO_SETTINGS" means that all settings are derived from Pickup configuration.

multidrop mode is disabled.

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

OPERATION

Parameter Fixed setting Description

SITRANS FX330

Distortion Reduction / K_P

Distortion Reduction / K_I 140737 Amplitude correction I-factor

Distortion Reduction / Smoothing Factor

Vortex Filter / Filter Type FILTER TYPE NONE Output filter type for vortex.

Vortex Filter / Filter Length

Vortex Filter / Smoothing Factor

Vortex Algorithm / Min. SNR

Time Constant 2.0 [s] Time constant (for filter).

Low Flow Cutoff 0.0 [cubic meters per

Minimum hold time transient error (no menu entry available)

Vortex Algorithm Extended Sensor Limits

• Safety relevant data:

Safety relevant data: These parameters can be changed under responsibility of the operator.

Safety relevant data:Safety relevant data:

204011 Amplitude correction P-factor.

2141041197 Amplitude correction filter factor.

25 Output filter length.

0.05 Output filter smoothing factor.

50.0 Indicator for valid measurement of vortex frequency.

second]

5000 [ms] Minimum hold time of the failure current in case of transient

OFF Extended sensor limits

Low flow cutoff (When the flow rate drops below low flow cutoff , the current output is 4 mA)

errors.

Misconfiguration via erroneous setting is detected by the parameter verification procedure which is executed automatically if the device is setup for SIL mode and parameters have been changed (for details refer to

Preparation for SIL mode operation

on page 13).

Access level Parameter Setting / Description

Expert "Lower Range Value" of

Expert "Upper Range Value" of

Service k-Factor Represents the relation between vortex frequency and flow

Expert Density (operating) Used to determine the flow sensor limits.

Expert Temperature (operating) Used for correction of the k-factor.

Expert Fluid Determines signal processing and on-screen menu of the

Service Nominal Diameter Used to determine the flow sensor limits.

• Non-SIL data:

Non-SIL data: These parameters do not have any influence on the safety function and may be

Non-SIL data:Non-SIL data:

the current output

For further information refer to on page 14.

velocity.

local display.

Verification of configuration

changed as in non-SIL mode.

The parametrisation in SIL mode works as described in chapter "Operation" in [N1] for the most parameters. However, there are some parameters which have an influence on functional safety if set incorrectly.

For every safety affecting parameter, two values, potentially equal ones, exist in the device: one is used for non-SIL, the other for SIL operation. Depending on the device’s state, either the one parameter set or the other is shown or can be edited. As soon as the SIL mode is requested, the SIL mode parameters become active.

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

4.1 Maintenance

You must follow the maintenance instructions given in the handbook [N1].

4.2 Availability of services

The manufacturer offers a range of services to support the customer after expiration of the warranty. These include repair, maintenance, technical support and training.

INFORMATION!

For more precise information, please contact your local sales office.

4.3 Operation modes and proof test

Continuous and high demand mode

If the flowmeter is operated in continuous or high demand mode within the specified environmental limits, the device needs no proof test during its useful lifetime (for details refer to

Useful lifetime

respectively.

on page 29). Observe SAC 11 regarding useful lifetime and constant failure rates,

SERVICE

Low demand mode

The flowmeter includes a comprehensive set of online diagnostic tests which are executed fast and frequently, resulting in a very low mean down time. Assuming reasonable low repair and restoration times as well, the device fulfils SIL2 compatible PFD values as well during the whole useful life time without additional proof tests.

Proof test

Proof tests are required in case of:

• Deployment under extreme conditions beyond the device's specificatio

nmental conditions might increase the failure rate. To keep undetected failures sm

enviro

uch deployment requires more frequent proof tests. For details refer to

s pag

e 29, operational limits as set forth in SAC 11 must not be exceeded.

• Achieving the required PFD

over time.

AVG

n. In this case,

Useful lifetime

all

WARNING!

SIS engineers must calculate the interval of proof tests based on the required PFD

For this purpose, the following tests can be performed. The diagnostic coverage of all tests together is nearly as good as the tests and procedures in the factory which were executed during or at the end of the production cycle. Only flow sensor calibration is missed here which requires a reference meter.

AVG

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

SERVICE

SITRANS FX330

Proof test coverage

Step Measure Proof Test Coverage

1 Current output check according to routine in chapter

"Verification of configuration".

2 Test with simulated vortex frequencies. 96%

12%

Calibration verification (optional)

A proof test coverage of > 97% can be reached with a calibration verification. If appropriate facilities are not available, please contact the manufacturer for calibration verification.

Test with simulated vortex frequencies (step 2)

Required equipment

• Power supply 14…30 VDC

• Calibrated frequency generator, accuracy << 1%, two channels 180° phase shifted, 100 mVpp

amplitude (step 2)

• Calibrated current meter (steps 1 and 2)

Execution of frequency simulation for the proof test

To setup the device for proof testing, the following steps have to be performed:

• Set the device to non-SIL mode (for details refer to

Switch to non-SIL mode

• Unfix the electronics housing by loosening the 4 cylinder screws 1 and take off the electronics housing carefully.

on page 16).

Figure 4-1: Unfixing of the electronics housing

1 Cylinder screws 2 Washers 3 Gasket

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

• Integrate a current meter into the current loop.

• Disconnect the 3-pole plug and connect a frequency generator as illustrated below.

Figure 4-2: Connection of frequency generator

1 Frequency f1 2 Grounding 3 Frequency f2, phase-shifted by 180° compared to f1

The 2-pole and 5-pole plugs must remain connected!

The 2-pole and 5-pole plugs must remain connected!The 2-pole and 5-pole plugs must remain connected!

SERVICE

• Set start frequencies f1 and f2 to almost 0 Hz.

• Connect the flowmeter with the power supply.

• Boot the device.

• Confirm request "Press key for verification" by pressing any key.

• Login as "Expert".

• After reboot of the device activate proof test as follows:

Menu/display To do Keys

Enter menu 1 x → A Quick Setup Go to "C Setup" 2 x ↓ C Setup Go to "C6 Device" 1 x →, 5 x ↓ C6 Device Go to "C6.8 Proof Test" 1 x →, 6 x ↓ C6.8 Proof Test Enter "Proof Test" 1 x →

"Unsaved parameters will be lost!"

"Run Proof Test?" Confirm start of proof test with "YES" or cancel with "NO" YES / NO ^

Confirm warning with enter 1 x ^

If question "Confirm start of proof test?" has been confirmed with "YES", the device is prepared for proof test and displays "Proof Test is running…".

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

SERVICE

SITRANS FX330

• Increase frequencies stepwise. The loop current must follow according to the following table:

Frequency [Hz] Nominal current [mA] Acceptable current range

[mA]

355 4.0 3.96...4.04

817 8.5 8.41...8.58

1229 12.5 12.38...12.63

1636 16.5 16.30...16.63

2000 20.0 19.81...20.21

• Continue only if test is successful. Stop if any current is out of the accepted limits!

• To finish or cancel the proof test press "Enter". The device will display "Device will be reset

now!" and perform an automatic reboot after pressing the "Enter" key once again.

• Re-attach the electronics housing: Carefully place the electronics housing with the gasket 3

on the device as shown in the figure "Unfixing of the electronics housing". Pay attention not to pinch the cable! Fasten the cylinder screws 1 including the washers 2 with a bolting torque of 8 Nm.

INFORMATION!

A current value below or above the acceptable limits is an indicator for wear out of the electronics. Please refer to chapters "Maintenance" and "Availability of service".

INFORMATION!

The frequency test does not consider the sensor element, configuration and drift errors.

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

4.4 Resetting the fail-safe flags

Rebooting of a device operated in SIL mode with a detected safety critical failure is inhibited. In this case, the following message is shown on the display:

The test is performed under full responsibility of the operator! The device will operate in SIL mode to allow extensive testing, but the SIL tag is not shown in the header bar on the display (because the device is actually non-safe!)

(because the device is actually non-safe!). Consequently, additional measures should be

(because the device is actually non-safe!)(because the device is actually non-safe!) installed to prevent the overall system from safety critical failures. The flowmeter might be defect persistently!

INFORMATION!

In case of any doubt, call the service department of the manufacturer and leave the device in the current safe state!

SERVICE

SIL locked!

SIL locked!SIL locked! Press key to start test

Press key to start test

Press key to start testPress key to start test

but the SIL tag is not shown in the header bar on the display

but the SIL tag is not shown in the header bar on the display but the SIL tag is not shown in the header bar on the display

Menu/display To do Keys

SIL locked! Press key to start test

Password? Enter the 4 digit "Expert" password. **** ^

Clear fail safe flag?

Password? Enter the 4 digit "Expert" password. **** ^

Wait for reboot - -

4.5 Troubleshooting

INFORMATION!

•

Modifications to SIL capable devices by the user are not permitted.

•

Only authorised personnel from the manufacturer shall repair the device.

Failures that are critical to functional safety must be reported to technical support of the manufacturer. If you find a problem, please contact your local representative. If the device must be returned to the manufacturer, refer to "Returning the device to the manufacturer" in [N1].

Start maintenance mode under full responsibility of the

operator for testing purposes.

Test device.

Enter and leave menu when finished.

Clear if the device is intact without doubt; do not clear

otherwise!

Attention: Entering "YES" will cause the flowmeter to boot to

Attention: Entering "YES" will cause the flowmeter to boot to Attention: Entering "YES" will cause the flowmeter to boot to

SIL operation next time!

SIL operation next time!SIL operation next time!

Any key.

1 x →, 1 x ^

YES / NO ^

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

TECHNICAL DATA

5.1 General notes

SITRANS FX330

• The safety relevant key indicators (for details refer to

27) are related to the safety function (for details refer to

• Commissioning and use of the device presupposes agreement with its design and performance characteristics. This includes ambient and process conditions (refer to handbook [N1]).

• The values shown in the table for the safety relevant key indicators have been determined for an environmental temperature of +40°C / +104°F and below. For higher temperatures refer to

Useful lifetime

• Failure rates are assumed to be constant during the useful lifetime (for details refer to

lifetime

• Failure rates do not include mechanical wear of the sensor and bluff body. The operator is responsible for observing the specification for intended use (refer to chapter "Intended use" in [N1], respectively for adequate inspections if the device is deployed out of specification and damages caused by the process need to be assumed.

• Installation of the device must be in accordance with the instructions and the requirements of the application.

• All components that are not necessary to execute the safety function and cannot influence the safety function are not included in the calculation of the failure rates.

• External power failure rates are not included in the calculation of the failure rates.

• The FMEDA of the device was calculated with the exida tool FMEDA v7.1.17. The tool uses the

latest values from the database SN 29500 [N3].

on page 29).

on page 29.

Safety relevant key indicators

Operation modes

on page 10).

on page

Useful

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

5.2 SIL certificate

TECHNICAL DATA

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

TECHNICAL DATA

5.3 Declaration

SITRANS FX330

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

5.4 Safety relevant key indicators

All values shown in the following table are related to reference conditions according to [N3]:

• Temperature: +15...+25°C / +59...+77°F

• Pressure: 1013 mbar ±50 mbar / 14.69 psi ±0.73 psi

• Relative air humidity: 60% ±15%

Key indicator Value

Device Type Type B system

Systematic Capability 3

Safety Integrity Level Single channel (HFT = 0) SIL 2

Architecture 1oo1 D

HFT 0

Failure current (failure notification) For persistent failures: < 3.4 mA

Operation mode Low and high demand, continuous mode

SFF 94.3% 94.6% 95.2% 95.2%

λDU (= PFH) 46.4 FIT 46.4 FIT 47.2 FIT 47.2 FIT

λDU (= PFH) for homogeneous redundant

configuration 1

PFD

AVG

PFD

AVG

PTC 4 12%...97% FRT 5 30 seconds MTBF 7 68 years 66 years 60 years 59 years

= 1 year) 2, 6

proof

= 12 years) 3, 6

proof

TECHNICAL DATA

Homogeneous redundant (HFT = 1) 1

For transient failures: 3.5...3.6 mA

Alternatively for failures: > 21.5 mA

Non-Ex/Ex i

Non-Ex/Ex i Ex d/Ex t/Ex nA

Non-Ex/Ex iNon-Ex/Ex i

CCCC FFFF CCCC FFFF

721 FIT 736 FIT 870 FIT 884 FIT

371 FIT 393 FIT 456 FIT 477 FIT

< <1 FIT

-4

< 2 * 10

-3

< 3 * 10

SIL 3

Ex d/Ex t/Ex nA

Ex d/Ex t/Ex nAEx d/Ex t/Ex nA

1 The PFH values for the dual version, or other device configurations deployed in homogeneous redundant configuration (for details refer to SACs 13 and 14 are fulfilled. 2 If deployed within specified environment conditions (for details refer to page 29).

3 For reference conditions, but with an extended temperature range up to +40°C / +104°F. 4 Value depends on the depth of the proof test (for details refer to

on page 19).

test

5 This is the part of the process safety time which must be reserved for the safety reaction of the flowmeter or for the delay of its safety function respectively.

6 Assuming MTTR = MTR = 8 hours. 7 Related to hardware components relevant for safe operation.

10/2017 - A5E40875009-AB EN

Operation modes

www.siemens.com/flow

on page 10) is applicable only, if

Useful lifetime

Operation modes and proof

TECHNICAL DATA

5.5 Measuring accuracy

The flowmeter measures with the same accuracy in both operation modes, in the non-SIL mode as well as in the SIL mode, as long as the device is intact.

But diagnostic measures need a reasonable gap between the states intact and defect for availability reasons. Therefore, a safety engineer integrating the flowmeter into the overall system must take the higher measurement inaccuracy into consideration.

The following figure illustrates the logical coherences.

0.75%

SITRANS FX330

- 0.75%

- 4%

Figure 5-1: Measuring accuracy vs. flow

x: Flow y: Measuring accuracy

1 Bounds for non-SIL, device intact (designed, tested) 2 SIL bounds (supervised) 3 Actual inaccuracy, noise etc.

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

5.6 Useful lifetime

The established failure rates of electronic components apply within the useful lifetime according to IEC 61508-2, section 7.4.9.5 note 3. The useful lifetime can only be extended under responsibility of the plant operator regarding special operation conditions and the employment of suitable intervals for testing and maintenance.

TECHNICAL DATA

As a consequence for the safety function, the total failure rate, and consequently λ

must not

be assumed as constant at the end of the life time. The following table provides an overview about the downgrade of lifetime, depending on electronic temperature which is the most lifetime reducing factor.

Non-Ex/Ex i [IS]

Profile Temperature

[°C / °F]

1 40 / 104

2 60 / 140

3 80 / 176

[/h]

4.64 * 10

9.79 * 10

2.13 * 10

Reduction of Reliability to [%]

Exp. Lifetime 1 [years]

Recommended Proof Test Interval 2 [years]

-8

-7

47 6 6

22 3 2

11.5 12

Ex d/Ex t/Ex nA [XP/DIP/NI]

Profile Temperature

[°C / °F]

1 40 / 104

2 60 / 140

3 80 / 176

[/h]

4.72 * 10

9.98 * 10

2.17 * 10

Reduction of Reliability to [%]

Exp. Lifetime 1 [years]

Recommended Proof Test Interval 2 [years]

-8

-7

47 6 6

22 3 2

11.5 12

1 The expected lifetime is defined here as time interval wherein less than 15% of all devices failed. 2 For low demand applications for a tolerated residual failure probability of 0.0003 per demand.

5.7 Support for SIL-approved devices

All instruments which are unlocked for the use in a SIL mode are registered by the manufacturer.

In case that modifications at the supplied flowmeter will be necessary which are relevant to the safety function of the device, the manufacturer will inform the customer immediately.

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

APPENDIX

6.1 Explanations to safety application conditions (SAC)

SITRANS FX330

For some SACs (for details refer to explanations are given below:

Safety application conditions (SAC)

on page 8) additional

SAC1: System changes

Every state of the system which does not meet its specification might be hazardous, because those states were not completely analyzed. Hazardous states can be reached by

- the use of failed, but not as "failed" marked parts, or not tested parts,

- changing the wiring, especially the use of the serial interfaces in combination with a service

computer ("notebook") during operation with safety responsibility.

Most measures within the communication network are harmless, but not all. In any case, the related safety application conditions must be observed.

SAC2: Mounting and connecting

Incorrect installation will have an effect on measurement and on the measuring accuracy in general. Therefore, the correct execution of the safety function cannot be guaranteed if the installation conditions are not met.

SAC3: SIL mode

The device can be operated in SIL mode, providing the safety function or in non-SIL mode. In non-SIL mode, the key figures given in this manual (for details refer to

indicators

measures are disabled for performance reasons and the safety reaction is switched off.

on page 27) are not valid. During operation in non-SIL mode, some diagnostic

Safety relevant key

SAC4: Parameter input

The internal check functions can only detect range failures or incompatibilities in the whole data set. They cannot decide whether the data is configured as intended.

The actual parameter setting must be executed carefully.

SAC5: Maintenance mode

The maintenance mode is intended to test a device which has already potentially failed. To provide full test capability, the safe output (4..20 mA current output) is not blocked. Consequently, the operator must implement other measures temporarily to keep the overall system in a safe state.

SAC6: Resetting the fail-safe flag

When the safety reaction is triggered because a hazardous failure has been detected, a flag is saved in persistent memory to prevent the device from starting safe operation after a reset.

The device must be completely tested (for details refer to page 19). The fail-safe flag shall be reset only, if the operator is sure that the device is still intact (for details refer to safe operation as soon as the fail-safe flag is reset.

The NAMUR diagnostic information must not be used to decide whether the device is intact or not. Reason is that this information is not safe, as the "latest" diagnostic message(s) may get lost due to a device failure.

Resetting the fail-safe flags

on page 23). Note that the device will (re-)start

Operation modes and proof test

www.siemens.com/flow

10/2017 - A5E40875009-AB EN

SITRANS FX330

SAC7: Firmware update

Firmware update requires special tooling and can be provided by the authorised personnel of the manufacturer only.

SAC8: Inspection intervals

Many external events, e.g. environment temperature, may cause the device to age faster than expected. This has an effect on the failure rate which is assumed as constant over the lifetime at reference conditions.

APPENDIX

For recommendations regarding the calculation of the proof test intervals refer to

modes and proof test

on page 19 and refer to

Useful lifetime

on page 29.

Operation

SAC9: Modification

A modification may have unexpected influence on the safety function. Such effects must be analysed. This can only be done by deep knowledge of the internal construction of the device.

SAC10: Repair

Repair of the device exceeding the defined exceptions need more tooling, test and calibration facilities than available in the field.

SAC12: Supervision of failure current

The preferred failure current is low as it is a state with the lowest energy consumption. Nevertheless, a failure might prohibit the output of the lower failure current. In that case the output will be switched to the high failure current.

The failure current (low/high) is configurable but the configuration is only effective in non-SIL mode. Consequently, a device evaluating the current output must react on both failure currents, not only on the configured one.

10/2017 - A5E40875009-AB EN

www.siemens.com/flow

For more information

www.siemens.com/flow

www.siemens.com/processautomation

Siemens AG Process Industries and Drives Process Automation 76181 Karlsruhe

Germany

Product Information

Siemens SITRANS F,SITRANS FX330 Additional Operating Instructions

Specifications and Main Features

Frequently Asked Questions

User Manual