Siemens SITRANS F,SITRANS FX330 Additional Operating Instructions
Additional Operating Instructions
SITRANS F
Vortex flowmeters
Functional Safety for SITRANS FX330
10/2017Edition
www.siemens.com/flow
CONTENTS
SITRANS FX330
1 Introduction 4
1.1 Scope of the document..................................................................................................... 4
1.2 Revision history ................................................................................................................ 5
1.3 Device description ............................................................................................................ 6
1.4 Related documentation .................................................................................................... 6
1.5 Terms and definitions....................................................................................................... 7
2 Specification of the safety function 8
2.1 Preconditions.................................................................................................................... 8
2.2 Safety application conditions (SAC).................................................................................. 8
2.2.1 General.................................................................................................................................... 8
2.2.2 Installation ..............................................................................................................................8
2.2.3 Functional safe configuration................................................................................................. 8
2.2.4 Maintenance............................................................................................................................ 8
2.2.5 Operation................................................................................................................................. 9
2.2.6 Homogeneous redundancy ..................................................................................................... 9
2.3 Operation modes ............................................................................................................10
2.4 Definition......................................................................................................................... 11
2.5 Safety reaction and safe state........................................................................................ 12
3 Operation 13
3.1 Preparation for SIL mode operation .............................................................................. 13
3.1.1 Entering the SIL mode key.................................................................................................... 13
3.1.2 Parametrisation for SIL mode operation.............................................................................. 14
3.1.3 Verification of configuration.................................................................................................. 14
3.2 Reconfiguration of a device operated in SIL mode ........................................................ 15
3.3 Switch to non-SIL mode ................................................................................................. 16
3.4 Error conditions.............................................................................................................. 16
3.5 Parameter types ............................................................................................................. 17
4 Service 19
4.1 Maintenance ................................................................................................................... 19
4.2 Availability of services .................................................................................................... 19
4.3 Operation modes and proof test..................................................................................... 19
4.4 Resetting the fail-safe flags ........................................................................................... 23
4.5 Troubleshooting.............................................................................................................. 23
2
www.siemens.com/flow
10/2017 - A5E40875009-AB EN
SITRANS FX330
CONTENTS
5 Technical data 24
5.1 General notes ................................................................................................................. 24
5.2 SIL certificate.................................................................................................................. 25
5.3 Declaration ..................................................................................................................... 26
5.4 Safety relevant key indicators ........................................................................................ 27
5.5 Measuring accuracy ....................................................................................................... 28
5.6 Useful lifetime ................................................................................................................ 29
5.7 Support for SIL-approved devices.................................................................................. 29
6 Appendix 30
6.1 Explanations to safety application conditions (SAC)...................................................... 30
10/2017 - A5E40875009-AB EN
www.siemens.com/flow
3
1
INTRODUCTION
1.1 Scope of the document
This document is the safety manual for the SITRANS FX330. Its content applies if the
measurement device is operated in SIL mode or prepared for SIL mode, respectively.
General hint
This vortex flowmeter is a functionally safe flowmeter. It may be deployed within safety critical
systems requiring the safety function (for details refer to
page 8) at a safety integrity level 2, in homogeneous redundant configuration at safety integrity
level 3 (for more information about homogeneous redundancy refer to
10).
In case of a detected potentially hazardous failure, the system performs a safety reaction to
bring the device to a safe state, which is indicated by a failure current on the current output.
Depending on the failure, the device will resume the measuring mode as soon as the root cause
of the failure disappears (transient application dependent failure) or remains in failure mode
(persistent system integrity failure). In the latter case, operator's interaction is required to
restart measuring mode.
SITRANS FX330
Specification of the safety function
Operation modes
on page
on
For safe operation, the operator / integrator must fulfil some conditions. These conditions are
defined as Safety Application Conditions (SAC). For further information refer to
application conditions (SAC)
on page 8.
Safety
INFORMATION!
The data in this supplement only contains the data applicable to the SIL approval. The technical
data for the standard version in the handbook (document [N1]) shall be valid, provided that it is
not rendered invalid or replaced by this supplement. If necessary, parts of [N1] are referenced
herein.
INFORMATION!
Installation, commissioning and maintenance may only be carried out by properly trained and
authorised personnel.
INFORMATION!
Configuration for SIL mode operation needs a login as role "Expert" (for details refer to [N1],
chapter "Security and permissions"]. Nevertheless the operator shall protect the flowmeter
against unauthorised access.
4
www.siemens.com/flow
10/2017 - A5E40875009-AB EN
SITRANS FX330
1.2 Revision history
This safety manual is valid for all versions which are operated in SIL mode, identified by the V
numbers according to the following tables, until its incompatibility with a new version is stated.
INTRODUCTION
1
Code VG16/
SG16
Functional
safety
relevant
a b cde f gh i j k l m n o p q rstu
vwx
x x x x x
y z
Code Description Valid flow sensor codes for SIL
device variant
VG16/SG16 Prefix to code -
a Manufacturer specific -
b General information C, D
cde Flange connection, rating and sealing surface -
f Measuring section -
gh Pressure sensor options and gaskets -
i Approvals for hazardous and ordinary locations -
j Signal converter housings 1, 2, 4, 5, 7, A, B, D, E
k System design 0 only
l Display 1 only
m Cable glands -
n Firmware feature -
o Programming language -
p Communication options 0 only
q Marking -
rstuvwx Diverse certificates (CoC, calibration, pressure testing, material,
hardness testing, cleaning, X-ray/dye penetration)
y Manual -
z Spare -
-
INFORMATION!
Check in case a firmware is updated or any part of the device is replaced, whether a new safety
manual is available on the manufacturer's internet site.
Release date Electronic revision Changes and compatibility Documentation
2017-07-10 ER 2.0.0_ Initial version Edition 09/2017
2017-10-01 ER 2.0.1_ Sensor diagnostics update Edition 10/2017
10/2017 - A5E40875009-AB EN
www.siemens.com/flow
5
1
INTRODUCTION
1.3 Device description
The SITRANS FX330 is a 2-wire vortex flowmeter measuring volume flow rate, temperature and
optionally pressure of liquids, steam and gases. From these data the device calculates
normalised flow rate, mass flow rate, power flowrate, etc.
In SIL mode the SITRANS FX330 measures the volume flow rate and outputs the measurement
via the safe 4…20 mA current output.
For measurement in SIL mode the following conditions apply:
• The 4…20 mA current output provides a safe output exclusively.
• Local display, HART
• The local display and HART
• Parameters can only be changed in non-SIL mode.
• The binary output can also be used in order to provide non-safety related measurement
values.
• The current input can be used for non-safety related functionalities.
SITRANS FX330
®
Interface and the binary output do not provide a safe output.
®
Interface are read-only during SIL mode.
4...20 mA current
Tube → Safe subsystem → Non-safe
1.4 Related documentation
[N1] SITRANS FX330 Operating Instructions
[N2] IEC 61508-1 to 7:2010 Functional safety of electrical / electronic / programmable electronic safety-
related systems
[N3] Siemens Norm SN 29500, Edition 2004-01
output (safe) Current input
↑↓
subsystem
↓
Local display
Binary output
→
HART
→
6
www.siemens.com/flow
10/2017 - A5E40875009-AB EN
SITRANS FX330
INTRODUCTION
1.5 Terms and definitions
Term Description
DC Diagnostic Coverage of dangerous failures
EUC Equipment Under Control
Firmware Software embedded in the device
FIT
FMEDA Failure Modes, Effects and Diagnostics Analysis
FRT Fault Response Time (diagnostic test interval + Fault Reaction Time)
HFT Hardware Fault Tolerance
I/O Input / output
λ
DD
λ
DU
λ
SD
λ
SU
MTBF Mean Time Between Failures
MTTF Mean Time To Failure
MTTR Mean Time To Repair
MTR Mean Time To Restoration
PFD
AVG
PFH Probability of a dangerous Failure per Hour
PTC Proof Test Coverage
SFF Safe Failure Fraction
SIL Safety Integrity Level
SIS Safety Instrumented Systems
Systematic
Capability
Type A
system
Type B
system
T
Proof
T
Repair
T
Test
1oo1 1 out of 1 channel architecture (single architecture performs the safety function)
1oo1D 1 out of 1 channel architecture with diagnostics
Failure In Time (1x10-9 failures per hour)
Rate for dangerous detected failure
Rate for dangerous undetected failure
Rate for safe detected failure
Rate for safe undetected failure
Average Probability of Failure on Demand
Measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an
element meets the requirements of the specified SIL, in respect of the specified element safety function,
when the element is applied in accordance with the instructions.
"Non-complex" system (all failure modes are well defined). For more data, refer to subsection 7.4.3.1.2 of
IEC 61508-2.
"Complex" system (all failure modes are not well defined). For more data, refer to subsection 7.4.3.1.2 of
IEC 61508-2.
Proof Test Interval
Time to Repair
Internal Diagnostics Test Interval
1
10/2017 - A5E40875009-AB EN
www.siemens.com/flow
7
2
SPECIFICATION OF THE SAFETY FUNCTION
2.1 Preconditions
The device must be operated within the process and ambient conditions specified in the
handbook ([N1]) of the device.
The following chapter defines additional conditions, which have to be obeyed for safety
applications.
2.2 Safety application conditions (SAC)
INFORMATION!
This chapter defines the conditions which must be met by the operator to ensure safe operation.
Further explanations can be found in appendix I. The safety application condition is valid, while
the related explanation might be incomplete.
2.2.1 General
SAC1: System changes
The flowmeter can be deployed as device with safety responsibility. Non specified changes are
not allowed. Especially after maintenance measures, carrier and operator must ensure that no
hazardous states came up, and that all safety application conditions are still met.
SITRANS FX330
2.2.2 Installation
SAC2: Mounting and connecting
[N1] defines requirements regarding installation and electrical connections of the device. These
requirements are safety critical and must be strictly observed.
2.2.3 Functional safe configuration
SAC3: SIL mode
The flowmeter is functionally safe only if configured for operation in SIL mode.
SAC4: Parameter input
Parameters are changed under responsibility of the operator.
2.2.4 Maintenance
SAC5: Maintenance mode
If maintenance mode (for definition refer to
operated under responsibility of the operator.
SAC6: Resetting the fail-safe flag
Resetting the fail-safe flag is done under responsibility of the operator. He is responsible for the
correct execution of appropriate tests and the evaluation of test results.
Operation modes
on page 10) is entered, the device is
SAC7: Firmware update
Firmware may be updated by authorised personnel only.
8
www.siemens.com/flow
10/2017 - A5E40875009-AB EN
SITRANS FX330
SAC8: Inspection intervals
The definition of the maximum proof test intervals (for details refer to
proof test
responsible for adjusting the proof test intervals if the deployment conditions deviate from the
reference conditions.
SAC9: Modification
The flowmeter must not be manipulated.
SAC10: Repair
Repair of the flowmeter must only be done by manufacturer’s personnel or personnel authorised
by the manufacturer. Exceptions regarding replacement with spare parts are shown in chapter
"Service" in [N1]. In all other cases, send the flowmeter to the manufacturer for repair (for
instructions refer to chapter "Returning the device to the manufacturer" in [N1]).
2.2.5 Operation
SAC11: Operational limits
The operational limits as shown in [N1] in the chapter "Technical data" must be observed. To
prevent unintentional trigger of the safety reaction, a permanent operation near the operational
limits should be avoided.
SPECIFICATION OF THE SAFETY FUNCTION
Operation modes and
on page 19) are calculated for operation under reference conditions. The operator is
2
SAC12: Supervision of failure current
If a safety critical failure has been detected, the device outputs a failure current on the current
output (4...20 mA). The operator must supervise both failure currents
(<3.6mA and >21mA).
In case of the occurrence of any failure current the operator has to ensure that the safety loop
reacts according to relevant application specific norms (e.g. the safety loop must be prevented
from automatically resuming operation after failure notification disappears).
2.2.6 Homogeneous redundancy
SAC13:
The logic subsystem must compare the current values transmitted by the two flowmeters (or
one dual version respectively) permanently. In case of a difference greater than 4% of the
measurement range over a time interval greater than 30 seconds, the devices must be regarded
as non-safe, or defect respectively.
SAC14:
The two flowmeters (or one dual version respectively) must be operated independently. Any
hazardous re-activeness from the logic subsystem (for details refer to
10)
on the two measurement devices must be excluded. This means at least:
• Current loops are independently driven.
• Current loops are installed in a way that failures affecting both lines at a time (common
cause) can be avoided.
• The logic subsystem must provide an appropriate low failure rate.
Operation modes
on page
10/2017 - A5E40875009-AB EN
www.siemens.com/flow
9
2
SPECIFICATION OF THE SAFETY FUNCTION
2.3 Operation modes
SIL mode
In SIL mode, the device executes the safety function and will react safely if an error is detected
which prevents the correct execution of the safety function. In this mode, the device is
functionally safe and the safety relevant key figures like hazard rate, FRT etc. can be guaranteed.
Non-SIL mode
In non-SIL mode, the device operates as a standard device. Its behaviour is state-of-the-art, its
specific functionality depends on the individual, customised parameter settings.
Maintenance mode
Maintenance mode is intended to boot a potentially defect device in order to test it in its normal
operational environment. During this time, operation is done under responsibility of the
operator. To avoid improvident and unintentional entering of the maintenance mode the operator
is requested to enter the password for "Expert" level access.
SITRANS FX330
By entering the (correct) password, the operator acknowledges the above regulation regarding
responsibility, also regarding safety responsibility if the device is operated in SIL mode.
As the maintenance mode is intended for testing, the operator shall provide additional measures
to secure the safety of the overall system. Therefore, the operator shall install additional
measures to provide safety of the overall system.
10
www.siemens.com/flow
10/2017 - A5E40875009-AB EN
Loading...