
Functional safety manual

Liquicap M FMI51, FMI52


Capacitance level measurement For liquids with a 4...20 mA output signal

Application
Overfill protection or operating maximum/minimum detection of all types of liquids in tanks to satisfy particular safety system requirements to IEC 61508.
The measuring device fulfills the requirements concerning
- Safety functions up to SIL 2
- Explosion protection due to intrinsic safety or flameproof enclosure
- EMC to EN 61326 and NAMUR Recommendation NE 21.

Your benefits
- Use for level monitoring up to SIL 2: independently assessed (Functional Assessment) by exida.com as per IEC 61508
- Permanent automatic monitoring
- Continuous measurement
- Measurement is practically independent of the product properties
- Measurement is also possible in the event of foam or if the surface is moving
- Easy commissioning

SD198F/00/en 71000297


Table of contents
SIL declaration of conformity
Functional Assessment Report
Introduction
Layout of the measuring system with Liquicap M
  Measuring system
  Safety function data
  Supplementary device documentation
Settings and installation instructions
  Installation instructions
  Configuration instructions
  Reference operating conditions
  Maximum measured error
  Device configuration
  Device configuration with increased safety via the display
  Device configuration with increased safety via the ToF Tool
  Configuration instructions for the signal processing unit
Response in operation and in event of failure
Operating life of electrical components
Repair
Recurrent function tests of the measuring system
  Proof test
Appendix
  PFDavg depending on the selected maintenance interval
FMEDA Report


SIL declaration of conformity


Functional Assessment Report

Summary


Introduction

Note! General information on functional safety (SIL) is provided at www.de.endress.com/SIL and in the specialized brochure CP002Z "Safety in the Process Industry reducing risks with SIL"

Layout of the measuring system with Liquicap M


Measuring system
The measuring system's devices are displayed in the following diagram (example).

[Figure: measuring system (example) showing the logic unit (e.g. PLC); FieldCare or ToF Tool - FieldTool Package; Commubox FXA195; the operating and display module; and the transmitter power supply unit, e.g. RMA422 or RN221N (communication resistor included)]

The safety-related signal of Liquicap M is the analog output signal 4...20 mA. All safety functions solely refer to this output. In addition, Liquicap M communicates via HART and contains HART commands with additional diagnostic information.

Liquicap M generates an analog signal (4...20 mA) that is proportional to the level. This signal is sent to a downstream logic unit (e.g. PLC, limit signal transmitter, etc.) and there it is monitored for:
- Overshooting or undershooting a specified level value or level range
- The occurrence of a fault (e.g. sensor error, sensor cable disconnection or short-circuit, supply voltage failure).

For fault monitoring, the logic unit must recognize HI alarms (21.0 mA) and Low alarms (3.6 mA).

While configuring the transmitter and performing maintenance work on Liquicap M, alternative measures must be taken to ensure the process safety.
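The monitoring that the logic unit has to perform on the 4...20 mA signal can be sketched as follows. This is an added example, not code from the manual or from Endress+Hauser: the function names, the 90 % limit and the sample readings are constructed, the alarm currents are read as "at or below 3.6 mA" and "at or above 21.0 mA", and the 3.8 to 20.5 mA measuring band is taken from NAMUR NE 43 rather than from this page.

```python
from dataclasses import dataclass
from typing import Optional

# Alarm currents named in the manual for fault signalling.
LOW_ALARM_MA = 3.6    # assumption: "at or below" this value is a Low alarm
HIGH_ALARM_MA = 21.0  # assumption: "at or above" this value is a HI alarm
# Assumption (NAMUR NE 43, not stated on this page): valid measuring band.
MEAS_MIN_MA = 3.8
MEAS_MAX_MA = 20.5


@dataclass(frozen=True)
class LoopState:
    status: str                     # OK, FAULT_LOW, FAULT_HIGH, OUT_OF_RANGE
    level_percent: Optional[float]  # None whenever the signal is not valid
    trip: bool                      # True = demand the safe state


def current_to_level(current_ma: float) -> float:
    """Linear scaling of the loop current: 4 mA = 0 %, 20 mA = 100 %."""
    return (current_ma - 4.0) / 16.0 * 100.0


def evaluate(current_ma: float, max_limit_percent: float) -> LoopState:
    """Classify one loop-current reading for a MAX (overfill) function.

    Design assumption: any reading that is not a valid measured value is
    handled like a demand, so a broken loop can never look like a safe level.
    """
    if current_ma <= LOW_ALARM_MA:
        return LoopState("FAULT_LOW", None, True)
    if current_ma >= HIGH_ALARM_MA:
        return LoopState("FAULT_HIGH", None, True)
    if not (MEAS_MIN_MA <= current_ma <= MEAS_MAX_MA):
        # Between the measuring band and an alarm current: undefined signal.
        return LoopState("OUT_OF_RANGE", None, True)
    level = current_to_level(current_ma)
    return LoopState("OK", level, level >= max_limit_percent)


def run_samples(max_limit_percent: float = 90.0):
    """Evaluate constructed readings (mA); returns (reading, LoopState)."""
    readings = [0.0, 3.5, 3.7, 4.0, 12.0, 18.8, 20.8, 21.5]
    return [(ma, evaluate(ma, max_limit_percent)) for ma in readings]


if __name__ == "__main__":
    for ma, state in run_samples():
        level = "-" if state.level_percent is None else f"{state.level_percent:.1f} %"
        print(f"{ma:5.1f} mA  {state.status:<12}  level={level:<8}  trip={state.trip}")
```

A reading of 0.0 mA (open loop or supply failure) falls into the Low alarm branch, which is why the low threshold is tested before any scaling is attempted.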


The safety-related characteristic values determined only apply to the following versions:
FMI51: FMI51-######A##1#, FMI51-######B##1#
FMI52: FMI52-######A##1#, FMI52-######B##1#

# = All standard device versions permitted
A = FEI50H + display
B = FEI50H

Valid FW version (firmware): version V01.03.00 or higher
Valid HW version (hardware): version V02.00 or higher

Safety function data
The mandatory settings and data for the safety function are based on the description on Page 6 ff. and the Appendix on Page 11.
The reaction time of the measuring system in the activated SIL mode is 0.5 s.
Note! MTTR is set at 8 hours.

Supplementary device documentation

Warning! The technical limit values, safety instructions, installation instructions and configuration instructions must be observed in accordance with the documentation supplied with the device.

The following table provides an overview of the associated documentation and the documentation's contents for Liquicap M.

| Documentation | Contents | Comment |
|---|---|---|
| Technical Information TI401F | Technical data | The documentation is also available via the Internet. See www.de.endress.com. |
| Operating Instruction BA298F | Identification; Installation; Wiring; Operation; Commissioning, description; Maintenance; Configuration examples; Parameter description; Troubleshooting; Appendix: menus illustrated | The documentation is available in hard copy or is provided on the ToF Tool CD. The CD is supplied with every device. The documentation is also available via the Internet. See www.de.endress.com. |
| Safety instructions XA327F, XA328F, XA346F; Control Drawings ZD220F, ZD221F; Certificates ZE265F | Safety instructions, installation instructions and operating instructions for devices that are suitable for use in Ex-areas or as overfill protection (WHG (German Water Resources Act)). | Select the desired explosion protection or approval by means of Feature 10 "Certificates" in the order code. The corresponding documentation is provided with the device. |


Settings and installation instructions


Installation instructions
Please refer to the Operating Instructions (BA) for information on how to install Liquicap M correctly. As the application conditions affect the safety of the measurement, the instructions in the Technical Information (TI) and the Operating Instructions (BA) must be observed. The operator must check the suitability of the measuring device for the specific application. Additional information is available from the Endress+Hauser Sales Centers.

Configuration instructions

Caution! A minimum input voltage (terminal voltage) of 13.5 V must be ensured when using the devices in a safety function.

The following conditions are permitted for devices used in a safety function:
- Local operation via display operating unit
- Remote operation via PC:
  - with "ToF Tool FieldTool Package" (graphic operating program for Endress+Hauser devices), version V3.06 or higher
  - Fieldcare, version V2.08.00 or higher
Please refer to the appropriate Operating Instructions (BA) for further information on the settings.

Caution! Changes to the measuring system and the system's settings after commissioning can impair the protective function!

Prior to the locking sequence, check the following after entering all the parameters:
1. the safety function (e.g. by means of the "Level Simulation" parameter or by approaching the level)
2. whether the level value currently displayed corresponds to the actual level

Reference operating conditions
The following data refer to a rod probe with an active probe length of 1 m:
- Temperature = +20 C 5 C
- Pressure = 1013 mbar abs. 20 mbar
- Humidity = 65 % 20 %
- Medium = tap water (Conductivity 180 S/cm)

Maximum measured error
- Linearity: 2 % (of the full scale value)
- Reproducibility: 0.25 %

Device configuration
When using the device in PCT protective functions, the device configuration must meet two requirements:
1. Confirmation concept: Proven independent checking of the safety-related parameters input
2. Locking concept: Device locked after configuration completed

The following method for device configuration is available:
- Device configuration with increased safety (SIL/WHG mode)

Note! Following a reset, the device has to be switched off and then switched on again.

Due to the increased configuration safety, the following section illustrates the use of the "Device configuration with increased safety" method when using the device in PCT protective systems.


Device configuration with increased safety via the display

When the display is connected, the keys on the electronic insert are deactivated!
If Liquicap M has been calibrated as per the Operating Instructions (BA), security locking must be activated. To do so, select the "Security settings" menu item from the main menu (CX001).

[Display screen CX001, main menu: basic setup, safety settings, linearisation, output, device properties]

Locking
The device must be locked following a specified locking sequence.
1. In the first control menu (SAX02), the setting for output damping and the response of the current output in the event of an error must be checked and confirmed directly.
2. In the second control menu (SAX03), the calibration of the device must be checked against the calibration data of the user (noted previously).
3. Then the device can be switched to the SIL/WHG mode in the control menu (SAX04) but only if confirmation was positive in the two previous configuration menus.

Display screens for the three steps (menu "safety settings"):
1. SAX02: operating mode: standard; output damping: 1.0s; output: max; parameter ok.: yes
2. SAX03: cap. empty calibration: 0.00 pF; value empty calibration: 0 %; cap. full calibration: 104.00 pF; value full calibration: 100 %; parameter ok.: yes
3. SAX04: operating mode: SIL/WHG; SIL operating mode: locked; status: SIL/WHG locked

A key symbol on the display indicates that the device is locked. If the electronics are replaced, the complete locking routine has to be performed again by the user.

Note! The SIL/WHG mode is retained after a power failure!

Unlocking
A password is required for unlocking. The release code (7452) must be entered directly in the SAX04 menu "SIL operating mode".

[Display screen SAX04, safety settings: operating mode: SIL/WHG; SIL operating mode: locked; status: SIL/WHG locked]

Device configuration with increased safety via the ToF Tool

The configuration routine and locking process are the same as when making the settings via the display. Here, however, all relevant parameters are displayed on a screen page. As with the display, these also have to be confirmed.


Note! When reading back the locking, the serial number on the operating tool must be checked against the serial number of the device in question.


Configuration instructions for the signal processing unit

Configuration instructions when using the level sensor as the continuous measuring system
When using the level sensor as the continuous measuring system, the limit value determined appropriately must be entered at the downstream limit monitor (logic unit). All calibration and configuration work must be carried out as specified in the associated Operating Instructions.


Response in operation and in event of failure


The behavior during operation and in the event of errors is described in the Operating Instruction BA298F.

Operating life of electrical components


In accordance with IEC 61508-2, experience shows that the useful operating life of electrical components is between 8 and 12 years.

Repair
If a SIL-type Endress+Hauser device which was used in a protective function fails, the "Declaration of contamination and cleaning" must be enclosed with a note specifying "Use as SIL device in a protective system" when returning the defective device.


Recurrent function tests of the measuring system


Safety functions must be checked and inspected at appropriate intervals. We recommend you carry out the inspection at least once a year. The onus is on the owner-operator to select the type of inspection and the time intervals in the specified period. The inspection must be carried out in such a way that it is proven that the safety system (see Page 11, section "PFDavg depending on the maintenance interval selected") functions perfectly in interaction with all the components. The following section describes the repeat testing procedure to uncover dangerous undetected device failures.

Proof test
This test detects approx. 45 % of the possible dangerous undetected device failures.
The steps, in order:
- Check whether the level value displayed corresponds to the actual level.
- Ensure that the level does not change while the proof test is being performed.
- Unlocking (see Page 7, "Unlocking" section)
- Activate the proof test either on the display or using the operating tool.
- The current output must be monitored using a current measuring device (see the corresponding diagram).
- The proof test lasts approx. 30 s and cannot be interrupted.
- The current output returns to the current level value.
- Locking (see Page 7, "Locking" section)
- Once the proof test has been carried out, the results must be documented and stored in a suitable manner.

[Display screen SAX06, proof test: "proof test: off"]

[Figure: level in % and current output I in mA during the proof test; labels "Measured value" and "approx 30 s"]

Appendix
The specific safety-related characteristic values can be found in the Declaration of Conformity on Page 3.

PFDavg depending on the selected maintenance interval
[Figure: PFDavg plotted against the test interval in years, 1oo1D structure]

Warning! During safety-related use of Liquicap M, the following sources of error must be ruled out:
- Solid and/or heavy build-up on the probe rod
- Corrosion or diffusion in the context of medium compatibility with regard to rod/rope material and coating
Management summary
This report summarizes the results of the hardware assessment carried out on the transmitter for continuous capacitance level measurement Liquicap M FMI 51/52 with 4..20 mA output FEI50H and software versions V01.03.00-B246 / V01.00.00-B095.

The hardware assessment consists of a Failure Modes, Effects and Diagnostics Analysis (FMEDA). A FMEDA is one of the steps taken to achieve functional safety assessment of a device per IEC 61508. From the FMEDA, failure rates are determined and consequently the Safe Failure Fraction (SFF) is calculated for the device. For full assessment purposes all requirements of IEC 61508 must be considered.

For safety applications only the 4..20 mA output was considered. All other possible electronics are not covered by this report.

The failure rates used in this analysis are the basic failure rates from the Siemens standard SN 29500.

FMEDA Report

Failure Modes, Effects and Diagnostic Analysis

Project: Liquicap M FMI 51/52 with 4..20 mA output FEI50H Transmitter for continuous capacitance level measurement Applications with level limit detection (MIN / MAX detection)

Customer:

Endress+Hauser GmbH+Co. KG

According to table 2 of IEC 61508-1 the average PFD for systems operating in low demand mode has to be 10^-3 to < 10^-2 for SIL 2 safety functions. For systems operating in high demand mode of operation the PFH value has to be 10^-7 1/h to < 10^-6 1/h for SIL 2 safety functions according to table 3 of IEC 61508-1.

A generally accepted distribution of PFDAVG or PFH values of a SIF over the sensor part, logic solver part, and final element part assumes that 35% of the total SIF PFDAVG or PFH value is caused by the sensor part.

For a SIL 2 application operating in low demand mode the total PFDAVG value of the SIF should be smaller than 1,00E-02, hence the maximum allowable PFDAVG value for the sensor part would then be 3,50E-03. For a SIL 2 application operating in high demand mode of operation the total PFH value of the SIF should be smaller than 1,00E-06 1/h, hence the maximum allowable PFH value for the sensor part would then be 3,50E-07 1/h.

The transmitter for continuous capacitance level measurement Liquicap M FMI 51/52 with 4..20 mA output FEI50H is considered to be a Type B¹ component with a hardware fault tolerance of 0. For Type B components with a hardware fault tolerance of 0 the SFF shall be > 90% according to table 3 of IEC 61508-2 for SIL 2 (sub-) systems.

Endress+Hauser together with exida.com performed a qualitative analysis of the mechanical parts of the transmitter for continuous capacitance level measurement Liquicap M FMI 51/52. This analysis was used by exida to calculate the failure rates of the sensor element using different failure rate databases ([N5], [N6], [N7] and exida's experience-based data compilation) for the different components of the sensor element (see [R1]). The results of the quantitative analysis were used for the calculations described in section 5.2.
It is assumed that the connected logic solver is configured as per the NAMUR NE43 signal ranges, i.e., Liquicap M FMI 51/52 with 4..20 mA output FEI50H communicates detected faults by an alarm output current 3,6mA or 21mA. For this configuration the following tables show how the above stated requirements are fulfilled. The following failure rates do not include failures resulting from incorrect use of the transmitter, in particular humidity entering through incompletely closed housings or inadequate cable feeding through the PG inlets.

Maulburg Germany

Contract No.: E+H 03/03-22 Report No.: E+H 03/03-22 R027 Version V1, Revision R5, February 2007 Stephan Aschenbrenner

¹ Type B component: Complex component (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2.

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights on the format of this technical report reserved.

exida.com GmbH, Stephan Aschenbrenner, e+h 03-03-22 r027 v1 r5.doc, February 1, 2007, Page 2 of 4

The listed failure rates are valid for operating stress conditions typical of an industrial field environment similar to IEC 60654-1 class C (sheltered location) with an average temperature over a long period of time of 40C. For a higher average temperature of 60C, the failure rates should be multiplied with an experience based factor of 2,5. A similar multiplier should be used if frequent temperature fluctuation must be assumed.

It is important to realize that the "no effect" failures and the "annunciation" failures are included in the "safe undetected" failure category according to IEC 61508. Note that these failures on their own will not affect system reliability or safety, and should not be included in spurious trip calculations. The failure rates are valid for the useful life of Liquicap M FMI 51/52 with 4..20 mA output FEI50H (see Appendix 3).

Table 1: Summary Failure rates

| Failure category | Failure rates (in FIT) |
|---|---|
| Fail Dangerous Detected | 695 |
| Fail detected (int. diag.) | 628 |
| Fail low (detected by the logic solver) | 39 |
| Fail High (detected by the logic solver) | 28 |
| Fail Dangerous Undetected | 75 |
| No Effect | 116 |
| Annunciation Undetected | 2 |
| Not part | 111 |

Table 2: Failure rates according to IEC 61508

| λsd | λsu² | λdd | λdu | SFF | DCS³ | DCD³ |
|---|---|---|---|---|---|---|
| 0 FIT | 118 FIT | 695 FIT | 75 FIT | 91% | 0% | 90% |

Table 3: Summary PFDAVG values / PFH values

| T[Proof] = 1 year | T[Proof] = 5 years | T[Proof] = 10 years |
|---|---|---|
| PFDAVG = 3,29E-04 | PFDAVG = 1,64E-03 | PFDAVG = 3,28E-03 |

PFH = 7,51E-08 1/h ⁴

The boxes marked in green ( ) mean that the calculated PFDAVG / PFH values are within the allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 and do fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to 3,50E-03 or 3,50E-07 1/h, respectively.

Because the Safe Failure Fraction (SFF) is above 90%, also the architectural constraints requirements of table 3 of IEC 61508-2 for Type B subsystems with a Hardware Fault Tolerance (HFT) of 0 are fulfilled.

A user of the transmitter for continuous capacitance level measurement Liquicap M FMI 51/52 with 4..20 mA output FEI50H can utilize these failure rates in a probabilistic model of a safety instrumented function (SIF) to determine suitability in part for safety instrumented system (SIS) usage in a particular safety integrity level (SIL). A full table of failure rates is presented in section 5.2 along with all assumptions.
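As an added example (not part of the exida report), the summary figures can be re-derived from the four IEC 61508 failure rates and then extended to proof test intervals the tables do not list. It assumes the simplified 1oo1 low-demand relation PFDavg = λdu · T[Proof] / 2, which the report does not state but which reproduces its Table 3 values within rounding; the function names are hypothetical.

```python
FIT = 1e-9             # 1 FIT = 1 failure per 10^9 device hours
HOURS_PER_YEAR = 8760

# Failure rates in FIT as listed in Table 2 of the FMEDA summary.
LAMBDA_SD, LAMBDA_SU, LAMBDA_DD, LAMBDA_DU = 0.0, 118.0, 695.0, 75.0

# SIL 2 low-demand upper bound and the 35 % sensor share named in the report.
SIL2_PFD_LIMIT = 1.0e-2
SENSOR_SHARE = 0.35
SENSOR_BUDGET = SIL2_PFD_LIMIT * SENSOR_SHARE   # 3.5e-3


def safe_failure_fraction(sd, su, dd, du):
    """SFF: all failures except dangerous undetected, over all failures."""
    return (sd + su + dd) / (sd + su + dd + du)


def dangerous_diagnostic_coverage(dd, du):
    """DCD: share of dangerous failures that the diagnostics detect."""
    return dd / (dd + du)


def pfd_avg(du_fit, proof_interval_years, temp_factor=1.0):
    """Assumed simplified 1oo1 formula: PFDavg = lambda_du * T_proof / 2.

    temp_factor scales the failure rate; the report gives 2.5 for an
    average temperature of 60 degrees C instead of 40 degrees C.
    """
    lam_per_hour = du_fit * FIT * temp_factor
    return lam_per_hour * proof_interval_years * HOURS_PER_YEAR / 2.0


def max_proof_interval_years(du_fit, budget=SENSOR_BUDGET, temp_factor=1.0):
    """Longest proof test interval that keeps PFDavg inside the budget."""
    lam_per_hour = du_fit * FIT * temp_factor
    return 2.0 * budget / (lam_per_hour * HOURS_PER_YEAR)


def budget_table(intervals=(1, 5, 10), temp_factor=1.0):
    """Rows of (years, PFDavg, within 35 % sensor budget)."""
    rows = []
    for years in intervals:
        value = pfd_avg(LAMBDA_DU, years, temp_factor)
        rows.append((years, value, value <= SENSOR_BUDGET))
    return rows


if __name__ == "__main__":
    sff = safe_failure_fraction(LAMBDA_SD, LAMBDA_SU, LAMBDA_DD, LAMBDA_DU)
    dcd = dangerous_diagnostic_coverage(LAMBDA_DD, LAMBDA_DU)
    print(f"SFF = {sff:.3f}, DCD = {dcd:.3f}")
    for factor in (1.0, 2.5):
        print(f"temperature factor {factor}:")
        for years, value, ok in budget_table(temp_factor=factor):
            print(f"  T[Proof] = {years:2d} y  PFDavg = {value:.2E}  in budget: {ok}")
        limit = max_proof_interval_years(LAMBDA_DU, temp_factor=factor)
        print(f"  longest interval inside 3.5E-03: {limit:.2f} years")
```

With the factor of 2.5 that the report gives for an average temperature of 60 °C, only the 1 year interval stays inside the 3,50E-03 sensor budget under this formula.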

² Note that the SU category includes failures that do not cause a spurious trip.
³ DC means the diagnostic coverage (safe or dangerous).
⁴ The PFH value is based on a fault detection and reaction time of 40 minutes. This also requires that a connected logic solver can detect fail low and/or fail high failures within a time that allows to react within the process safety time.

Instruments International
Endress+Hauser Instruments International AG Kaegenstrasse 2 4153 Reinach Switzerland Tel. +41 61 715 81 00 Fax +41 61 715 25 00 www.endress.com info@ii.endress.com

SD198F/00/en/10.07 71000297 FM+SGML 6.0 ProMoDo
