ABB 267Cx Safety Instructions

SIL-Safety Instructions
SM 265/7/9 SIL-EN Rev. 02
Pressure Transmitter Series 2000T and
265Ax, 265Gx, 265Vx, 265Dx, 265Jx, 267Cx, 269Cx
Instructions for Functional Safety
Table of contents
1 Field of application
2 User benefits
3 Acronyms and abbreviations
4 Relevant standards
5 Terms and definitions
6 Determination of the Safety Integrity Level (SIL)
7 Specifications for the safety function
8 Applicable device documentation
9 Behavior during operation and in case of malfunction
10 Periodic checks
11 Settings
12 Safety-related characteristics
13 SIL conformity declaration
14 Management summary
1 Field of application
Differential pressure, gauge pressure and absolute pressure measurements that shall meet the special safety requirements according to IEC 61508 / IEC 61511-1.
The measuring unit meets the requirements regarding
- functional safety in accordance with IEC 61508 / IEC 61511-1
- explosion protection (depending on the version)
- electromagnetic compatibility in accordance with EN 61326 and NAMUR recommendation NE 21.
2 User benefits
- Use for
  - Pressure limit monitoring
  - Continuous measurement
- Easy commissioning
3 Acronyms and abbreviations
Acronym/Abbreviation | Designation | Description
HFT | Hardware Fault Tolerance | The hardware fault tolerance of the device. This is the capability of a functional unit to continue the execution of the demanded function in case of faults or deviations.
MTBF | Mean Time Between Failures | This is the mean time period between two failures.
MTTR | Mean Time To Repair | This is the mean time period between the occurrence of a failure in a device or system and its repair.
PFD | Probability of Failure on Demand | This is the likelihood of dangerous safety function failures occurring on demand.
PFDav | Average Probability of Failure on Demand | This is the average likelihood of dangerous safety function failures occurring on demand.
SIL | Safety Integrity Level | The international standard IEC 61508 specifies four discrete Safety Integrity Levels (SIL 1 to SIL 4). Each level corresponds to a specific probability range regarding the failure of a safety function. The higher the Safety Integrity Level of the safety-related systems, the lower the likelihood of non-execution of the demanded safety functions.
SFF | Safe Failure Fraction | The fraction of non-hazardous failures, i.e. the fraction of failures without the potential to set the safety-related system to a dangerous or impermissible state.
TI | Test interval between life testing of the safety function | Time interval between the functional tests of the safety function.
XooY | "X out of Y" Voting (e.g. 2oo3) | Classification and description of the safety-related system regarding redundancy and the selection procedure used. "Y" indicates how often the safety function is carried out (redundancy). "X" determines how many channels must work properly. Example (pressure measurement): 1oo2 architecture. When one out of two pressure sensors reaches a defined limit value, a safety-related system decides that the pressure limit has to be considered as exceeded. In a system with a 1oo1 architecture only one pressure sensor exists.
4 Relevant standards
Standard | Designation
IEC 61508, Part 1 to 7 | Functional safety of electrical/electronic/programmable electronic safety-related systems (Target group: Manufacturers and Suppliers of Devices)
IEC 61511, Part 1 | Functional safety – Safety Instrumented Systems for the process industry sector (Target group: Safety Instrumented Systems Designers, Integrators and Users)
5 Terms and definitions
Terms | Definitions
Dangerous failure | Failure with the potential to set the safety-related system to a dangerous or inoperative state.
Safety-related system | A safety-related system carries out the safety functions needed to establish or maintain a safe state e.g. in a plant. Example: A pressure gauge, a logic unit (e.g. limit signal transmitter) and a valve form a safety-related system.
Safety function | A defined function carried out by a safety-related system in order to establish or maintain a safe state of the plant under consideration of a specified dangerous incident. Example: Pressure limit monitoring
6 Determination of the Safety Integrity Level (SIL)
The reachable Safety Integrity Level depends on the following safety-related characteristics:
- Average probability of failure on demand (PFDav)
- Hardware fault tolerance (HFT)
- Safe failure fraction (SFF).
The specific safety-related characteristics for the transmitter as a part of the safety function are detailed in chapter "Safety-related characteristics".
The following table shows the dependence of the Safety Integrity Level (SIL) on the average probability of failure on demand (PFDav). The "Low demand mode" is considered, i.e. the maximum demand rate on the safety-related system is once per year.
Safety Integrity Level (SIL) | PFDav (Low demand mode)
4 | 10⁻⁵ ... < 10⁻⁴
3 | 10⁻⁴ ... < 10⁻³
2 | 10⁻³ ... < 10⁻²
1 | 10⁻² ... < 10⁻¹
The sensor, the logic unit and the final control element form together a safety-related system which carries out a safety function. The average probability of failure on demand (PFDav) is usually distributed over the subsystems (sensor, logic unit and final control element) as seen in the illustration below.
Fig. 6-1: Normal distribution of the average probability of failure on demand (PFDav) over the subsystems
[Figure: Sensor (e.g. pressure sensor) 35 %; Logic unit (e.g. PLC) 15 %; Final control element (e.g. valve) 50 %]
IMPORTANT
This documentation applies to the transmitter 265xx as a part of a safety function.
The following table shows the reachable Safety Integrity Level (SIL) of the entire safety-related system for systems of type B, depending on the safe failure fraction (SFF) and the hardware fault tolerance (HFT). Systems of type B are e.g. sensors with complex components like microprocessors (see also IEC 61508, Part 2).
Safe Failure Fraction (SFF) | HFT 0 | HFT 1 (0) 1) | HFT 2 (1) 1)
< 60 % | impermissible | SIL 1 | SIL 2
60...< 90 % | SIL 1 | SIL 2 | SIL 3
90...< 99 % | SIL 2 | SIL 3 |
99 % | SIL 3 | |
1) Acc. to IEC 61511-1, Part 11.4.3, the hardware fault tolerance (HFT) of sensors and final control elements with complex components can be decreased by one (value in brackets), if the following requirements are met:
- The device is proven-in-field.
- The user can only configure process-related parameters like the measuring range, signal direction in case of fault, etc.
- The device configuration level is access-protected, e.g. by jumper or password (here: code number or key combination).
- The function has a required Safety Integrity Level (SIL) less than 4.
The transmitter meets all requirements.
Fig. 6-2: Safety function (e.g. for pressure limit monitoring) with 265DS as a subsystem
[Figure: Transmitter 265DS 1); 4...20 mA signal; Logic unit (e.g. PLC, limit transmitter, etc.); Actuator; PC with graphical user interface, e.g. DSV401 (SMART VISION), with FSK modem 2); Hand-held terminal 3)]
1) 265DS with local operation option and adjustable lower and upper range value and damping
2) Computer with user interface like SMART VISION for setting all parameters, e.g. alarm behavior, max. alarm, operating mode, etc.
3) Hand-held terminal for setting all parameters, e.g. alarm behavior, max. alarm, operating mode, etc.
The transmitter 2000T / 2600T produces an analog signal (4...20 mA) proportional to the differential pressure or gauge pressure / absolute pressure. This analog signal is fed to a subsequent logic unit, e.g. a PLC or limit transmitter, and monitored for violation of a defined maximum value. The logic unit must be capable of recognizing HI alarms (adjustable between 21 and 22.5 mA) and LO alarms (3.6 mA) in order to allow for malfunction detection.
7 Specifications for the safety function
NOTICE
Refer to chapters "Settings" and "Safety-related characteristics" of this document for the mandatory settings and
specifications for the safety function.
See the relevant data sheet for the transmitter response time.
IMPORTANT
An MTTR of 8 hours is specified.
Safety-related systems without an auto-locking function must be set to a monitored or otherwise safe state within
the MTTR after execution of the safe function.
8 Applicable device documentation
The following documentation must be available for the transmitter, depending on the model:
Type | Oper. instructions | Type | Oper. instructions
265Dx/Vx | IM 265 D/V | 2010TD/TA | 42/15-712
265Gx/Ax | IM 265 G/A | 2020TG/TA | 42/15-753
267/269Cx | IM 267C/269C | 2010TC | 42/15-714
For explosion-proof devices the respective EC type examination certificate must be available.
9 Behavior during operation and in case of malfunction
Note!
The behavior during operation and in case of malfunction is detailed in the operating instructions.
10 Periodic checks
The operativeness of the transmitter must be checked at appropriate intervals, e.g. by checking the calibration (see the respective operating instructions, chapters about operation, calibration, maintenance and repair). We recommend performing the checks at least once a year. It is the operator's responsibility to define the type of checks and the checking intervals in the stated time period.
Defective transmitters / assembly groups should be returned to the ABB service and repair department, possibly with the type of malfunction and possible reason stated. When ordering spare parts or spare units please indicate the serial number (S/N) and year of manufacture of the original device.
Address:
ABB Automation GmbH
Department Parts & Repair
Schillerstrasse 72
D-32425 Minden
GERMANY
11 Settings
11.1 Alarm behavior and current output
In case of a malfunction the current is set to the selected value. The settings can be made via the ABB user interface
DSV401 (SMART VISION) or via a hand-held terminal.
NOTICE
Check the safety function upon entry of all parameters. The transmitter allows the signal current to be simulated independently of the measured pressure by using the "Simulation" and "Simulate current" parameters. (These parameters are accessible via DSV401 (SMART VISION) or via the HART hand-held terminal.)
11.2 Locking/Unlocking
WARNING
Any changes to the measuring system and its settings after commissioning may impair the safety function. For this
reason it is strongly recommended to disable local transmitter control via the local keys after having entered all
parameters and after having checked the safety function. This is to protect your settings against unwanted or
unauthorized modification. A lock activated via the local keys can only be deactivated by using the keys again.
Fig. 11-1:
12 Safety-related characteristics
12.1 Assumptions
- HART communication is only used for configuring, adjusting or diagnosing the device, but not for safety-relevant critical operations.
- Cyclic self-diagnosis is executed within one hour and is automatically restarted.
- The repair time after a device fault is 8 hours.
- The long-time average temperature is 40°C.
- The transmitter is only used for low demand mode applications.
- Only the 4...20 mA current signal is evaluated by the safety device.
- A dangerous failure is a failure where the output current no longer responds to the input signal or deviates from it by more than 2% referred to the measuring span.
- The safety PLC must be designed such that it reliably recognizes faults leading to both HI alarms and LO alarms.
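The logic-unit side of these assumptions, as an added example that is not part of the ABB manual: it classifies loop-current samples using the 3.6 mA LO alarm and the 21...22.5 mA HI alarm setting from the text, and checks simulated currents against the 2 % of span criterion. The measuring range, trip limit, state names and function names are assumptions chosen for illustration, and the sample currents are constructed.

```python
from dataclasses import dataclass

LO_ALARM_MA = 3.6                  # LO alarm current (from the text)
HI_ALARM_RANGE_MA = (21.0, 22.5)   # HI alarm is adjustable within this range
SPAN_MA = 16.0                     # width of the 4...20 mA signal
MAX_DEVIATION = 0.02               # more than 2 % of span is a dangerous failure


@dataclass(frozen=True)
class LoopConfig:
    lrv: float                  # pressure at 4 mA (lower range value)
    urv: float                  # pressure at 20 mA (upper range value)
    trip_limit: float           # monitored maximum pressure (assumed application)
    hi_alarm_ma: float = 21.0   # must match the alarm current set in the transmitter

    def __post_init__(self):
        lo, hi = HI_ALARM_RANGE_MA
        if not lo <= self.hi_alarm_ma <= hi:
            raise ValueError("HI alarm current must be within 21...22.5 mA")
        if not self.lrv < self.trip_limit <= self.urv:
            raise ValueError("trip limit must lie inside the measuring range")


def to_pressure(current_ma, cfg):
    """Linear scaling of the loop current to the configured measuring range."""
    return cfg.lrv + (current_ma - 4.0) / SPAN_MA * (cfg.urv - cfg.lrv)


def classify(current_ma, cfg):
    """Return FAULT_LO, FAULT_HI, TRIP or OK for one loop-current sample."""
    if current_ma <= LO_ALARM_MA:
        return "FAULT_LO"       # transmitter signals a malfunction (LO alarm)
    if current_ma >= cfg.hi_alarm_ma:
        return "FAULT_HI"       # transmitter signals a malfunction (HI alarm)
    if to_pressure(current_ma, cfg) >= cfg.trip_limit:
        return "TRIP"           # valid measurement, pressure limit exceeded
    return "OK"


def classify_all(samples, cfg):
    return [classify(s, cfg) for s in samples]


def failed_simulation_points(points):
    """points: (simulated mA, mA read by the logic unit).
    Returns the points that deviate by more than 2 % of span."""
    return [(s, m) for s, m in points if abs(m - s) / SPAN_MA > MAX_DEVIATION]


# Constructed sample data: 0...10 bar range, limit at 8 bar.
CFG = LoopConfig(lrv=0.0, urv=10.0, trip_limit=8.0)
SAMPLES = [3.5, 3.6, 4.0, 12.0, 18.0, 20.4, 21.0, 22.0]
SIMULATION = [(4.0, 4.02), (12.0, 12.3), (20.0, 19.6)]

if __name__ == "__main__":
    for current, state in zip(SAMPLES, classify_all(SAMPLES, CFG)):
        print(f"{current:5.1f} mA -> {state}")
    print("simulation points out of tolerance:", failed_simulation_points(SIMULATION))
```

Readings between 20 mA and the HI alarm current scale to a pressure above the upper range value, so this sketch reports them as TRIP rather than as a fault.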
12.2 Specific safety-related characteristics
For details refer to the management summary in the Appendix.
Transmitter type | Measuring range | SFF | PFDav | λdd + λs | λdu
2010TD | 10 mbar | 75 % | 8.54 × 10⁻⁴ | 614 FIT | 195 FIT
2010TC | 10 mbar | 76 % | 9.43 × 10⁻⁴ | 699 FIT | 216 FIT
2010TD; 2010TA | 60 mbar to 20 bar; 400 mbar to 20 bar | 73 % | 8.65 × 10⁻⁴ | 535 FIT | 198 FIT
2010TC | 60 mbar to 20 bar | 73 % | 9.54 × 10⁻⁴ | 620 FIT | 218 FIT
2010TD | 100 bar | 74 % | 24.4 × 10⁻⁴ | 1652 FIT | 558 FIT
2020TA / 2020TG | 60 mbar, 400 mbar | 75 % | 13.1 × 10⁻⁴ | 917 FIT | 300 FIT
2020TA; 2020TG | 2.5 bar; 2.5 bar | 69 % | 9.71 × 10⁻⁴ | 518 FIT | 222 FIT

Transmitter type | Measuring range | SFF | PFDav | λdd + λs | λdu
265Dx (A); 265Jx (A) | 10 mbar | 75.9 % | 8.54 × 10⁻⁴ | 614 FIT | 195 FIT
267Cx (A); 269Cx (A) | 10 mbar | 76.4 % | 9.43 × 10⁻⁴ | 699 FIT | 216 FIT
265Dx (C,F,L,N); 265Jx (C,F,L,N); 265Vx (F,L,N) | 60 mbar to 20 bar; 60 mbar to 20 bar; 400 mbar to 20 bar | 73.0 % | 8.65 × 10⁻⁴ | 535 FIT | 198 FIT
267Cx (C,F,L,N); 269Cx (C,F,L,N) | 60 mbar to 20 bar | 74.0 % | 9.54 × 10⁻⁴ | 620 FIT | 218 FIT
265Dx (R) | 100 bar | 74.8 % | 24.4 × 10⁻⁴ | 1652 FIT | 558 FIT
265Ax (C,F); 265Gx (C,F) | 60 mbar and 400 mbar; 60 mbar and 400 mbar | 75.3 % | 13.1 × 10⁻⁴ | 917 FIT | 300 FIT
265Ax (L,U); 265Gx (L,U,R,V) | 2.5 bar; 2.5 bar | 70.0 % | 9.71 × 10⁻⁴ | 518 FIT | 222 FIT

λdd + λs: Fault rate of detected dangerous and of safe faults
λdu: Fault rate of undetected dangerous faults
The characters in brackets indicate the catalog number for the measuring range.
13 SIL conformity declaration
14 Management summary
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
FMEDA and Prior-use Assessment
Project:
Pressure Transmitter 2600T / 2000T Series with 4..20 mA output
Customer:
ABB Automation Products GmbH
Minden
Germany
Contract No.: ABB 03/09-13
Report No.: ABB 03/09-13 R001
Version V1, Revision R1.2, March 2004
Stephan Aschenbrenner
© exida.com GmbH, abb 03-09-13 r001 v1 r1.2, March 1, 2004, Stephan Aschenbrenner
Management summary
This report summarizes the results of the hardware assessment with prior-use consideration
according to IEC 61508 / IEC 61511 carried out on the pressure transmitter 2600T / 2000T
Series with 4..20 mA output and software version V0.24. Table 1 gives an overview of the
different types that belong to the considered pressure transmitter 2600T / 2000T Series.
The hardware assessment consists of a Failure Modes, Effects and Diagnostics Analysis
(FMEDA). An FMEDA is one of the steps taken to achieve functional safety assessment of a
device per IEC 61508. From the FMEDA, failure rates are determined and consequently the
Safe Failure Fraction (SFF) is calculated for the device. For full assessment purposes all
requirements of IEC 61508 must be considered.
Table 1: Version overview
Version | Type | Application | Sensor | Electronics
V1.1 | 265D*A, 2010TD | Differential pressure | 10mbar | 2-6187 P1 (3); 2-6195 P1 (2); 764913_P1
V1.1 | 265J*A | Differential and absolute pressure | 10mbar | 2-6187 P1 (3); 2-6195 P1 (2); 764913_P1
V1.2 | 267C*A, 269C*A, 2010TC | Mass flow / Differential pressure | 10mbar | 2-6187 P1 (3); 2-6195 P1 (2); 764913_P1; 9280 039 P1 (3)
V2.1 | 265D*(C,F,L,N), 2010TD | Differential pressure | 60mbar to 20bar | 2-6187 P1 (3); 2-6195 P1 (2); 2-6186 P1 (3)
V2.1 | 265J*(C,F,L,N) | Differential and absolute pressure | 60mbar to 20bar | 2-6187 P1 (3); 2-6195 P1 (2); 2-6186 P1 (3)
V2.1 | 265V*(F,L,N), 2010TA | Absolute pressure | 400mbar to 20bar | 2-6187 P1 (3); 2-6195 P1 (2); 2-6186 P1 (3)
V2.2 | 267C*(C,F,L,N), 269C*(C,F,L,N), 2010TC | Mass flow / Differential pressure | 60mbar to 20bar | 2-6187 P1 (3); 2-6195 P1 (2); 2-6186 P1 (3); 9280 039 P1 (3)
V3 | 265D*R, 2010TD | Differential pressure | 100bar | 2-6187 P1 (3); 2-6195 P1 (2); 0764 908 P1 (3)
V4 | 265A* (C,F), 2020TA | Absolute pressure | 60mbar and 400mbar | 2-6187 P1 (3); 2-6195 P1 (2); 0764 892 P1 (3)
V4 | 265G* (C,F), 2020TG | Gauge | 60mbar and 400mbar | 2-6187 P1 (3); 2-6195 P1 (2); 0764 892 P1 (3)
V5 | 265A*(L,U), 2020TA | Absolute pressure | ≥2,5bar | 2-6187 P1 (3); 2-6195 P1 (2); 2-6149 P1 (3)
V5 | 265G*(L,U,R,V), 2020TG | Gauge | ≥2,5bar | 2-6187 P1 (3); 2-6195 P1 (2); 2-6149 P1 (3)
For safety applications only the 4..20 mA output was considered. All other possible output
variants or electronics are not covered by this report. The different devices can be equipped
with or without display.
The failure rates used in this analysis are the basic failure rates from the Siemens standard
SN 29500.
According to table 2 of IEC 61508-1 the average PFD for systems operating in low demand mode has to be ≥ 10⁻³ to < 10⁻² for SIL 2 safety functions. A generally accepted distribution of PFDAVG values of a SIF over the sensor part, logic solver part, and final element part assumes that 35% of the total SIF PFDAVG value is caused by the sensor part. For a SIL 2 application the total PFDAVG value of the SIF should be smaller than 1,00E-02, hence the maximum allowable PFDAVG value for the sensor part would then be 3,50E-03.
The pressure transmitter 2600T / 2000T Series with 4..20 mA output is considered to be a Type B 1) component with a hardware fault tolerance of 0.
Type B components with a SFF of 60% to < 90% must have a hardware fault tolerance of 1
according to table 3 of IEC 61508-2 for SIL 2 (sub-) systems.
As the pressure transmitter 2600T / 2000T Series with 4..20 mA output is supposed to be a
proven-in-use device, an assessment of the hardware with additional prior-use demonstration
for the device and its software was carried out. The prior-use investigation was based on field
return data collected and analyzed by ABB Automation Products GmbH. This data cannot cover
the process connection. The prior-use justification for the process connection still needs to be
done by the end-user.
According to the requirements of IEC 61511-1 First Edition 2003-01 section 11.4.4 and the
assessment described in section 5.1 the Type B pressure transmitter 2600T / 2000T Series with
a hardware fault tolerance of 0 and a SFF of 60% to < 90% is considered to be suitable for use
in SIL 2 safety functions. The decision on the usage of prior-use devices, however, is always
with the end-user.
Failure rates that are assigned to the various failure modes of the sensor part of the pressure
transmitter 2600T / 2000T Series were obtained from field failure data using only operational
hours from the warranty period of operation. Confidence Interval calculations were done using a
chi-square distribution and an upper limit failure rate based on a 70% confidence factor per
IEC 61508. The failure rate results were compared with industry databases [N6] and found to be
within a reasonable range considering the much higher amount of operational hours.
Assuming that a connected logic solver can detect both over-range (fail high) and under-range
(fail low), high and low failures can be classified as safe detected failures or dangerous detected
failures depending on whether the pressure transmitter 2600T / 2000T Series with 4..20 mA
output is used in an application for “low level monitoring”, “high level monitoring” or “range
monitoring”. For these applications the following tables show how the above stated
requirements are fulfilled.
1) Type B component: “Complex” component (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2.
Table 2: Summary for version V1.1 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 461 | 245
- Fail detected (int. diag.) | 216 | |
- Fail high (inherently) | 245 | |
Fail Low (detected by the logic solver) | | 15 | 231
- Fail detected (int. diag.) | 216 | |
- Fail low (inherently) | 15 | |
Fail Dangerous Undetected | | 195 | 195
No Effect | | 137 | 137
Annunciation Undetected | | 1 | 1
Not part | | 54 | 54
MTBF = MTTF + MTTR | | 132 years | 132 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 15 FIT | 138 FIT | 462 FIT | 195 FIT | 75% | 10% | 70%
λlow = λdd, λhigh = λsd | 461 FIT | 138 FIT | 15 FIT | 195 FIT | 75% | 77% | 7%
λlow = λsd, λhigh = λsd | 476 FIT | 138 FIT | 0 FIT | 195 FIT | 75% | 78% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 231 FIT | 138 FIT | 245 FIT | 195 FIT | 75% | 63% | 56%
λlow = λdd, λhigh = λsd | 245 FIT | 138 FIT | 231 FIT | 195 FIT | 75% | 64% | 54%
λlow = λsd, λhigh = λsd | 476 FIT | 138 FIT | 0 FIT | 195 FIT | 75% | 78% | 0%

Table 3: Summary for version V1.1 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 8,54E-04 | PFDAVG = 4,26E-03 | PFDAVG = 8,50E-03

2) DC means the diagnostic coverage (safe or dangerous) of the safety logic solver for pressure transmitter 2600T / 2000T Series with 4..20 mA output.
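How the figures in this summary fit together, as an added example that is not part of the exida report or the ABB manual: it computes SFF from the four failure rates, estimates PFDAVG with the common simplified 1oo1 approximation λdu × T[Proof] / 2, and checks the result against the 35% sensor share and the Type B table from chapter 6. The approximation and all function names are assumptions; it reproduces the 1-year values in the tables, while the report's values for longer proof intervals are slightly lower.

```python
from dataclasses import dataclass

FIT = 1e-9              # 1 FIT = one failure per 10^9 device hours
HOURS_PER_YEAR = 8760
SENSOR_SHARE = 0.35     # part of the SIF's PFDavg assigned to the sensor (from the text)

# Upper PFDavg bound per SIL, low demand mode (table in chapter 6).
PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# Type B table from chapter 6: (upper SFF bound, SIL for HFT 0 / 1 / 2).
# 0 = impermissible. Cells left blank on the page are filled with SIL 4,
# the value IEC 61508-2 gives for them.
TYPE_B = [
    (0.60, (0, 1, 2)),
    (0.90, (1, 2, 3)),
    (0.99, (2, 3, 4)),
    (float("inf"), (3, 4, 4)),
]


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT, named as in the IEC 61508 tables."""
    sd: float   # safe detected
    su: float   # safe undetected
    dd: float   # dangerous detected
    du: float   # dangerous undetected

    def sff(self) -> float:
        total = self.sd + self.su + self.dd + self.du
        return (total - self.du) / total


def pfd_avg(du_fit: float, proof_years: float) -> float:
    """Simplified 1oo1 approximation (assumption): lambda_du * T_proof / 2."""
    return du_fit * FIT * proof_years * HOURS_PER_YEAR / 2


def max_sil_type_b(sff: float, hft: int, prior_use: bool = False) -> int:
    """Highest SIL the Type B table allows; prior use shifts one column right."""
    column = min(hft + (1 if prior_use else 0), 2)
    for upper, sils in TYPE_B:
        if sff < upper:
            return sils[column]
    raise ValueError("SFF out of range")


def sensor_budget(target_sil: int) -> float:
    """PFDavg the sensor may consume if it gets 35 % of the SIF total."""
    return SENSOR_SHARE * PFD_UPPER[target_sil]


def assess(rates, proof_years, target_sil, hft=0, prior_use=False) -> dict:
    # The HFT reduction only applies to functions with a required SIL below 4.
    prior_use = prior_use and target_sil < 4
    pfd = pfd_avg(rates.du, proof_years)
    budget = sensor_budget(target_sil)
    arch_sil = max_sil_type_b(rates.sff(), hft, prior_use)
    return {
        "sff": rates.sff(),
        "pfd_avg": pfd,
        "budget": budget,
        "pfd_ok": pfd <= budget,
        "architecture_ok": arch_sil >= target_sil,
        "suitable": pfd <= budget and arch_sil >= target_sil,
    }


# Rates copied from the V1.1 and V3 rows "λlow = λsd, λhigh = λdd",
# fail-safe state "fail high".
V1_1 = FailureRates(sd=15, su=138, dd=462, du=195)
V3 = FailureRates(sd=15, su=125, dd=1510, du=558)

if __name__ == "__main__":
    for name, rates in (("V1.1", V1_1), ("V3", V3)):
        for years in (1, 5):
            r = assess(rates, years, target_sil=2, prior_use=True)
            print(f"{name} T={years}y SFF={r['sff']:.1%} "
                  f"PFDavg={r['pfd_avg']:.2e} budget={r['budget']:.1e} "
                  f"suitable={r['suitable']}")
```

With a 5-year proof interval the V1.1 estimate exceeds the 3,50E-03 sensor share for SIL 2, so the proof-test interval matters as much as the SFF when judging suitability.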
Table 4: Summary for version V1.2 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 516 | 260
- Fail detected (int. diag.) | 256 | |
- Fail high (inherently) | 260 | |
Fail Low (detected by the logic solver) | | 16 | 272
- Fail detected (int. diag.) | 256 | |
- Fail low (inherently) | 16 | |
Fail Dangerous Undetected | | 216 | 216
No Effect | | 166 | 166
Annunciation Undetected | | 1 | 1
Not part | | 54 | 54
MTBF = MTTF + MTTR | | 118 years | 118 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 16 FIT | 167 FIT | 516 FIT | 216 FIT | 76% | 9% | 70%
λlow = λdd, λhigh = λsd | 516 FIT | 167 FIT | 16 FIT | 216 FIT | 76% | 76% | 7%
λlow = λsd, λhigh = λsd | 532 FIT | 167 FIT | 0 FIT | 216 FIT | 76% | 76% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 272 FIT | 167 FIT | 260 FIT | 216 FIT | 76% | 62% | 55%
λlow = λdd, λhigh = λsd | 260 FIT | 167 FIT | 572 FIT | 216 FIT | 76% | 61% | 73%
λlow = λsd, λhigh = λsd | 532 FIT | 167 FIT | 0 FIT | 216 FIT | 76% | 76% | 0%

Table 5: Summary for version V1.2 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 9,43E-04 | PFDAVG = 4,70E-03 | PFDAVG = 9,38E-03
Table 6: Summary for version V2.1 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 391 | 202
- Fail detected (int. diag.) | 189 | |
- Fail high (inherently) | 202 | |
Fail Low (detected by the logic solver) | | 15 | 204
- Fail detected (int. diag.) | 189 | |
- Fail low (inherently) | 15 | |
Fail Dangerous Undetected | | 198 | 198
No Effect | | 127 | 127
Annunciation Undetected | | 1 | 1
Not part | | 54 | 54
MTBF = MTTF + MTTR | | 145 years | 145 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 15 FIT | 128 FIT | 391 FIT | 198 FIT | 73% | 10% | 66%
λlow = λdd, λhigh = λsd | 391 FIT | 128 FIT | 15 FIT | 198 FIT | 73% | 75% | 7%
λlow = λsd, λhigh = λsd | 406 FIT | 128 FIT | 0 FIT | 198 FIT | 73% | 76% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 204 FIT | 128 FIT | 202 FIT | 198 FIT | 73% | 61% | 51%
λlow = λdd, λhigh = λsd | 202 FIT | 128 FIT | 204 FIT | 198 FIT | 73% | 61% | 51%
λlow = λsd, λhigh = λsd | 406 FIT | 128 FIT | 0 FIT | 198 FIT | 73% | 76% | 0%

Table 7: Summary for version V2.1 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 8,65E-04 | PFDAVG = 4,31E-03 | PFDAVG = 8,60E-03
Table 8: Summary for version V2.2 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 446 | 217
- Fail detected (int. diag.) | 229 | |
- Fail high (inherently) | 217 | |
Fail Low (detected by the logic solver) | | 16 | 245
- Fail detected (int. diag.) | 229 | |
- Fail low (inherently) | 16 | |
Fail Dangerous Undetected | | 218 | 218
No Effect | | 156 | 156
Annunciation Undetected | | 1 | 1
Not part | | 54 | 54
MTBF = MTTF + MTTR | | 128 years | 128 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 16 FIT | 157 FIT | 446 FIT | 218 FIT | 73% | 9% | 67%
λlow = λdd, λhigh = λsd | 446 FIT | 157 FIT | 16 FIT | 218 FIT | 73% | 74% | 7%
λlow = λsd, λhigh = λsd | 462 FIT | 157 FIT | 0 FIT | 218 FIT | 73% | 75% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 245 FIT | 157 FIT | 217 FIT | 218 FIT | 73% | 61% | 50%
λlow = λdd, λhigh = λsd | 217 FIT | 157 FIT | 245 FIT | 218 FIT | 73% | 58% | 53%
λlow = λsd, λhigh = λsd | 462 FIT | 157 FIT | 0 FIT | 218 FIT | 73% | 75% | 0%

Table 9: Summary for version V2.2 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 9,54E-04 | PFDAVG = 4,76E-03 | PFDAVG = 9,49E-03
Table 10: Summary for version V3 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 1510 | 1300
- Fail detected (int. diag.) | 210 | |
- Fail high (inherently) | 1300 | |
Fail Low (detected by the logic solver) | | 15 | 225
- Fail detected (int. diag.) | 210 | |
- Fail low (inherently) | 15 | |
Fail Dangerous Undetected | | 558 | 558
No Effect | | 124 | 124
Annunciation Undetected | | 1 | 1
Not part | | 54 | 54
MTBF = MTTF + MTTR | | 50 years | 50 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 15 FIT | 125 FIT | 1510 FIT | 558 FIT | 74% | 11% | 73%
λlow = λdd, λhigh = λsd | 1510 FIT | 125 FIT | 15 FIT | 558 FIT | 74% | 92% | 3%
λlow = λsd, λhigh = λsd | 1525 FIT | 125 FIT | 0 FIT | 558 FIT | 74% | 92% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 225 FIT | 125 FIT | 1300 FIT | 558 FIT | 74% | 64% | 70%
λlow = λdd, λhigh = λsd | 1300 FIT | 125 FIT | 225 FIT | 558 FIT | 74% | 91% | 29%
λlow = λsd, λhigh = λsd | 1525 FIT | 125 FIT | 0 FIT | 558 FIT | 74% | 92% | 0%

Table 11: Summary for version V3 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 3 years | T[Proof] = 5 years
PFDAVG = 2,44E-03 | PFDAVG = 7,29E-03 | PFDAVG = 1,21E-02
Table 12: Summary for version V4 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 775 | 557
- Fail detected (int. diag.) | 218 | |
- Fail high (inherently) | 557 | |
Fail Low (detected by the logic solver) | | 15 | 233
- Fail detected (int. diag.) | 218 | |
- Fail low (inherently) | 15 | |
Fail Dangerous Undetected | | 300 | 300
No Effect | | 125 | 125
Annunciation Undetected | | 1 | 1
Not part | | 56 | 56
MTBF = MTTF + MTTR | | 90 years | 90 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 15 FIT | 126 FIT | 775 FIT | 300 FIT | 75% | 11% | 72%
λlow = λdd, λhigh = λsd | 775 FIT | 126 FIT | 15 FIT | 300 FIT | 75% | 86% | 5%
λlow = λsd, λhigh = λsd | 790 FIT | 126 FIT | 0 FIT | 300 FIT | 75% | 86% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 233 FIT | 126 FIT | 557 FIT | 300 FIT | 75% | 65% | 65%
λlow = λdd, λhigh = λsd | 557 FIT | 126 FIT | 233 FIT | 300 FIT | 75% | 82% | 44%
λlow = λsd, λhigh = λsd | 790 FIT | 126 FIT | 0 FIT | 300 FIT | 75% | 86% | 0%

Table 13: Summary for version V4 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 1,31E-03 | PFDAVG = 6,53E-03 | PFDAVG = 1,30E-02
Table 14: Summary for version V5 – Failure rates
Failure category (Failure rates in FIT) | Component rate | Fail-safe state = “fail high” | Fail-safe state = “fail low”
Fail High (detected by the logic solver) | | 386 | 197
- Fail detected (int. diag.) | 189 | |
- Fail high (inherently) | 197 | |
Fail Low (detected by the logic solver) | | 15 | 204
- Fail detected (int. diag.) | 189 | |
- Fail low (inherently) | 15 | |
Fail Dangerous Undetected | | 222 | 222
No Effect | | 115 | 115
Annunciation Undetected | | 1 | 1
Not part | | 53 | 53
MTBF = MTTF + MTTR | | 144 years | 144 years

Transmitter configured fail-safe state = “fail high” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 15 FIT | 116 FIT | 386 FIT | 222 FIT | 69% | 11% | 64%
λlow = λdd, λhigh = λsd | 386 FIT | 116 FIT | 15 FIT | 222 FIT | 69% | 77% | 6%
λlow = λsd, λhigh = λsd | 401 FIT | 116 FIT | 0 FIT | 222 FIT | 69% | 78% | 0%

Transmitter configured fail-safe state = “fail low” – Failure rates according to IEC 61508
Failure Categories | λsd | λsu | λdd | λdu | SFF | DCS 2) | DCD 2)
λlow = λsd, λhigh = λdd | 204 FIT | 116 FIT | 197 FIT | 222 FIT | 69% | 64% | 47%
λlow = λdd, λhigh = λsd | 197 FIT | 116 FIT | 204 FIT | 222 FIT | 69% | 63% | 48%
λlow = λsd, λhigh = λsd | 401 FIT | 116 FIT | 0 FIT | 222 FIT | 69% | 78% | 0%

Table 15: Summary for version V5 – PFDAVG values
T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years
PFDAVG = 9,71E-04 | PFDAVG = 4,84E-03 | PFDAVG = 9,66E-03