E3 Modulevel Displacer Level Transmitter

SIL Safety Manual for
Model E3
Software v1.x
Functional Safety Manual
Liquid Level
Displacer Transmitter
This manual complements and is intended to be used with
the E3 Modulevel Installation and Operating manual
(Bulletin 48-635 dated October 2008 or later).
Application
The E3 Modulevel Liquid Level Displacer Transmitter
can be applied in most process or storage vessels, bridles,
bypass chambers, interfaces, sumps, and pits up to the
unit pressure and temperature ratings. The E3
Modulevel can be used in liquids, clean or dirty, light
hydrocarbons to heavy acids (SG=0.23 to 2.20) to meet
the safety system requirements of IEC 61508.
Benefits
The E3 Modulevel provides the following benefits to
your operation:
• Suitable for use in environments up to SIL 2 (Safe
Failure Fraction = 92.3%) as independently assessed
(hardware assessment) by exida.com as per
IEC 61508/61511-1.
• Level ranges from 14 to 120+ inches
(356 to 3048+ mm).
• Process temperatures to +600° F (+315° C) for
non-steam applications.
• Process pressures to +5150 psi (+355 bar).
• Continuous self-test with 22 mA or 3.6 mA fault
indication fully compliant with NAMUR NE 43.
• IS, XP, and Non-Incendive approvals.
• Emission and immunity compliance to EN 61326.
• Two-wire, loop-powered transmitter for level,
interface, or density measurement.
E3 Modulevel Displacer Level Transmitter
SIL 1/SIL 2 Versions
Table of Contents
1.0 Introduction
1.1 Product Description
1.2 Theory of Operation
1.3 Determining Safety Integrity Level (SIL)
2.0 Level Measuring System
2.1 FOUNDATION fieldbus™
2.2 Applicable Models
2.3 Miscellaneous Electrical Considerations
2.3.1 Pollution Degree 2
2.3.2 Overvoltage
3.0 Mean Time To Repair (MTTR)
4.0 Supplementary Documentation
5.0 Instructions
5.1 Systematic Limitations
5.1.1 Application
5.1.2 Environmental
5.2 Skill Level of Personnel
5.3 Necessary Tools
5.4 Storage
5.5 Installation
5.6 Configuration
5.6.1 General
5.6.2 Write Protecting / Locking
5.6.3 Write Enabling / Unlocking
5.7 Site Acceptance Testing
5.8 Recording Results
5.9 Maintenance
5.9.1 Diagnostics
5.9.2 Troubleshooting
6.0 Recurrent Function Tests
6.1 Proof Testing
6.1.1 Introduction
6.1.2 Interval
6.1.3 Recording Results
6.1.4 Proof Test Procedure
7.0 Appendices
7.1 SIL Declaration of Conformity
7.2 FMEDA Report Management Summary
7.3 Specific Model E3 Values
7.4 PFD Graph
7.5 Report: Lifetime of Critical Components
7.6 Configuration Data Sheet
48-650 E3 Modulevel Displacer Level Transmitter - SIL
1.0 Introduction
1.1 Product Description
The E3 Modulevel is a loop-powered, two-wire, 24 VDC
level transmitter that uses simple buoyancy principles in
combination with a precision range spring and a highly
accurate LVDT (linear variable differential transformer) to
detect and convert liquid level changes into a stable
4–20 mA output signal. The electronics are housed in an
ergonomic, dual-compartment enclosure that is angled for
ease of wiring and calibration.
The E3 Modulevel has microprocessor-based electronics
with HART compatible output, in addition to the standard
4–20 mA output. The E3 Modulevel supports the
FDT/DTM standard and a PACTware™ PC software
package allows for additional configuration and trending
capabilities.
The linkage between the level sensing element and output
electronics provides a simple mechanical design and construction. The vertical in-line design of the transmitter
results in low instrument weight and simplified installation.
The instrument comes in a variety of configurations and
pressure ratings for varied applications.
1.2 Theory of Operation
The E3 Modulevel Displacer Level Transmitter relies on the
principles of buoyancy to convert mechanical movement to
an electronic output.
The movement of the range spring, as it compresses or elongates based on the volume of displacer submerged in the
liquid, causes movement of a special LVDT core attached to
the spring. The LVDT technology converts the movement
of the LVDT core within the LVDT to a stable 4–20 mA
output signal. The position of the core, with respect to a
primary and two secondary windings, induces voltage in
each winding. The comparison of the induced voltages
within the microprocessor of the E3 Modulevel results in
very accurate level or interface level output.
The E3 Modulevel can, alternatively, be set up to track the
changing density of a liquid over a known density range and
convert that into a stable 4–20 mA output signal. As the
density of the liquid changes, so does the mass of the liquid
displaced by the displacer. This resulting change in buoyancy
force on the displacer causes movement of the LVDT core
needed to convert the density change to the 4–20 mA signal.
1.3 Determining Safety Integrity Level (SIL)
Tables 1 and 2 define the criteria for the achievable SIL
against the target mode of operation in Demand Mode
Operation.
Table 1 shows the relationship between the SIL and the
Probability of Failure on Demand Average (PFDavg).
Table 1
SIL vs. PFDavg
Safety Integrity Level (SIL)    Target Average probability of failure on demand (PFDavg)
4                               ≥10⁻⁵ to <10⁻⁴
3                               ≥10⁻⁴ to <10⁻³
2                               ≥10⁻³ to <10⁻²
1                               ≥10⁻² to <10⁻¹
Table 2 can be used to determine the achievable SIL as a
function of the Hardware Fault Tolerance (HFT) and the
Safe Failure Fraction (SFF) for the complete safety system
(Type B – complex components as per IEC 61508 Part 2)
of which the level transmitter is one component.
Table 2
Minimum hardware fault tolerance
Type B sensors, final elements and non-PE logic solvers
SFF                    HFT 0          HFT 1    HFT 2
None: <60%             Not Allowed    SIL 1    SIL 2
Low: 60% to <90%       SIL 1          SIL 2    SIL 3
Medium: 90% to <99%    SIL 2          SIL 3
High: ≥99%             SIL 3
2.0 Level Measuring System
Figure 1 shows the structure of a typical measuring system
incorporating the E3 Modulevel.
This SIL rated device is available only with an analog signal
with HART communications. The measurement signal used
by the logic solver must be the analog 4-20 mA signal proportional to the level generated.
For fault monitoring, the logic unit must recognize both
high alarms (≥ 21.5 mA) and low alarms (≤ 3.6 mA). If the
logic solver loop uses intrinsic safety barriers, caution must
be taken to ensure the loop continues to operate properly
under the low alarm condition.
The only unsafe mode is when the unit is reading an incorrect level within the 4-20 mA range (> ±2% deviation).
Magnetrol defines a safe failure as one in which the 4-20
mA current is driven out of range (i.e., less than 3.8 mA or
greater than 20.5 mA).
Fault selection of the E3 Modulevel is 3.6 mA, 22.0 mA, or
HOLD, and is selected by the user. HOLD should never be
chosen as the Fault output in a safety application.
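The current thresholds and the Fault setting described above can be checked in code on the logic solver side. The following Python block is an added example, not Magnetrol code; the function names and the value encodings for the data sheet items ("3.6", "22", "HOLD", password as an integer) are assumptions made for illustration.

```python
# Added example (constructed, not vendor code): how a logic solver input
# stage could apply the Section 2.0 thresholds and audit the Fault setting.
from enum import Enum

# Thresholds in mA, as quoted in Section 2.0 of this manual.
LOW_ALARM_MAX = 3.6     # low alarm: <= 3.6 mA
HIGH_ALARM_MIN = 21.5   # high alarm: >= 21.5 mA
RANGE_MIN = 3.8         # below this the output is driven out of range
RANGE_MAX = 20.5        # above this the output is driven out of range


class LoopState(Enum):
    LOW_ALARM = "low alarm"
    HIGH_ALARM = "high alarm"
    OUT_OF_RANGE = "out of range"
    MEASUREMENT = "measurement"


def classify(current_ma):
    """Map one loop-current reading to the state the logic solver acts on."""
    if current_ma <= LOW_ALARM_MAX:
        return LoopState.LOW_ALARM
    if current_ma >= HIGH_ALARM_MIN:
        return LoopState.HIGH_ALARM
    # Between an alarm level and the valid range: not a usable level value.
    if current_ma < RANGE_MIN or current_ma > RANGE_MAX:
        return LoopState.OUT_OF_RANGE
    return LoopState.MEASUREMENT


def level_percent(current_ma):
    """Linear 4-20 mA scaling to 0-100 % of the configured span."""
    return (current_ma - 4.0) / 16.0 * 100.0


def audit_settings(settings):
    """Check Configuration Data Sheet items that matter for safety use.

    Keys follow the data sheet item names ("Fault", "New Password");
    the value encodings are assumptions of this example.
    """
    findings = []
    fault = str(settings.get("Fault", "")).upper()
    if fault == "HOLD":
        findings.append("Fault=HOLD: a detected fault would not drive "
                        "the output out of range")
    elif fault not in ("3.6", "22"):
        findings.append("Fault setting not recognised: %r" % fault)
    if int(settings.get("New Password", 0)) == 0:
        findings.append("Password is 0 (disabled): menu is not locked")
    return findings


def evaluate(readings_ma, settings):
    """Classify a series of readings and attach the configuration findings."""
    states = [(ma, classify(ma)) for ma in readings_ma]
    usable = [level_percent(ma) for ma, s in states
              if s is LoopState.MEASUREMENT]
    return {"states": states, "levels": usable,
            "findings": audit_settings(settings)}


# Constructed sample input: readings in mA and one transmitter's settings.
SAMPLE_READINGS = [12.0, 3.6, 3.7, 20.5, 21.0, 22.0]
SAMPLE_SETTINGS = {"Fault": "HOLD", "New Password": 0}

if __name__ == "__main__":
    result = evaluate(SAMPLE_READINGS, SAMPLE_SETTINGS)
    for ma, state in result["states"]:
        print("%5.1f mA -> %s" % (ma, state.value))
    for finding in result["findings"]:
        print("finding:", finding)
```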
2.1 FOUNDATION fieldbus™
FOUNDATION fieldbus™ protocol is now allowed by the IEC
61508/61511 standard, as long as the proper communication
changes have been implemented. This manual, however, only
addresses the use of the HART device in SIL environments.
Figure 1: Typical System
2.2 Applicable Models
This manual is applicable to the following models of the E3
Modulevel Liquid Level Displacer Transmitter:
E3x-xxxx-Hxx
2.3 Miscellaneous Electrical Considerations
2.3.1 Pollution Degree 2
The E3 Modulevel Level Displacer Transmitter is designed
for use in Category II, Pollution Degree 2 installations.
Pollution Degree 2 describes nonconductive pollution in which
occasional, temporary conductivity caused by condensation must be
expected. This is the usual pollution degree used for
equipment being evaluated to IEC/EN 61010.
2.3.2 Overvoltage
The E3 Modulevel has overvoltage protection per CE
requirements; this protection is to 1000 volts when considering Hi-pot, Fast Transients, and Surge. Therefore, there
should be no unsafe failure modes up to 1 kV.
Overvoltage Category II is a local level, covering appliances,
portable equipment, etc., with smaller transient overvoltages
than those characteristic of Overvoltage Category III. This
category applies from the wall plug to the power supply isolation barrier (transformer). The typical plant environment
is Overvoltage Category II, so most equipment evaluated to
the requirements of IEC/EN 61010 is considered to
belong in that classification.
3.0 Mean Time To Repair (MTTR)
SIL determinations are based on a number of factors including
the Mean Time To Repair (MTTR). The analysis for the E3
Modulevel Displacer Level Transmitter is based on a MTTR
of 24 hours.
4.0 Supplementary Documentation
The E3 Modulevel Installation and Operating Manual
(Bulletin 48-635) must be available for installation of the
measuring system.
The following Electronic Device Description File is required
if HART is used:
Manufacturer Code 0x56
Model E3 Modulevel Device ID 0xE3, device revision 1
DD revision 1
For device installations in a classified area, the relevant
safety instructions and electrical codes must be followed.
5.0 Instructions
5.1 Systematic Limitations
The following application and environmental limitations
must be observed to avoid systematic failures.
5.1.1 Application
The E3 Modulevel transmitter should be located for easy
access for service, configuration, and monitoring. There should
be sufficient headroom to allow installation and removal of the
transmitter head, and, in cases of tank top configuration, the
displacer. Special precautions should be made to prevent exposure to corrosive atmosphere, excessive vibration, shock, or
physical damage. The E3 Modulevel should only be used for
applications in which buildup of solid materials on the spring
or in the enclosing tube is not an issue.
The operating temperature range for the transmitter electronics
is -40° to +176° F (-40° to +80° C). The operating temperature
range for the digital display is -5° to +160° F (-20° to +70° C).
Caution: Operation of all buoyancy type level devices should be
done in such a way as to minimize the action of dynamic
forces on the float or displacer sensing element. Good
practice for reducing the likelihood of damage to the control is to equalize pressure across the device very slowly.
5.1.2 Environmental
See Section 3.6.1 of the E3 Modulevel Installation and
Operating Manual (Bulletin 48-635) for environmental
limitations.
5.2 Skill Level of Personnel
Personnel following the procedures of this safety manual
should have technical expertise equal to or greater than that
of a qualified instrument technician.
5.3 Necessary Tools
No special equipment or tools are required to install E3
Modulevel. The following items are recommended:
• Wrenches, flange gaskets, and flange bolting
appropriate for process connection(s)
• Flat-blade screwdriver
• Level
• 1/8" Allen wrench
• 24 VDC power supply, 23 mA minimum
• Digital multimeter
• 250 to 450 ohm resistor for HART communication
5.4 Storage
The E3 Modulevel should be stored in its original shipping
box and not be subjected to temperatures outside the storage temperature range -50° to +185° F (-40° to +85° C), as
shown in Section 3.6.1 of the E3 Modulevel Installation
and Operating Manual (Bulletin 48-635) and associated
specifications.
5.5 Installation
Refer to the E3 Modulevel Displacer Level Transmitter
Installation and Operating Manual (Bulletin 48-635) for
the proper installation instructions:
Section 1.0 provides QuickStart Installation instructions
and Section 2.0 provides Complete Installation instructions.
Section 2.6 provides menu selection items for configuring
the transmitter including operating parameters, display and
keypad, password protection, calibration defaults, and menu
configuration based on the measurement type.
Section 2.7 provides configuration instructions if using HART.
This SIL evaluation has assumed that the customer will be
able to acknowledge an over or under current condition via
the logic solver.
5.6 Configuration
5.6.1 General
The E3 Modulevel can be configured via the local display,
the HART compatible handheld communicator, or a laptop
computer with PACTware.
5.6.2 Write Protecting / Locking
The E3 Modulevel transmitter is password protected with a
numerical value between 0 (Default = 0 = Password disabled) and 255. After the password has been successfully
entered, an exclamation mark (!) appears as the last character on the first line of the display.
Refer to Section 2.6.3 of the E3 Modulevel Installation and
Operating Manual (Bulletin 48-635) for information on
password protection.
5.6.3 Write Enabling / Unlocking
Ensure an exclamation mark (!) appears as the last character
on the first line of the display to confirm the password has
been accepted.
Refer to Section 2.6.3 of the E3 Modulevel Installation and
Operating Manual (Bulletin 48‑635) for information on
password protection.
When the alterations to the system are complete, ensure the
menu has been locked with the password to prevent inadvertent changes to the device.
5.7 Site Acceptance Testing
Complete a site acceptance test to ensure proper operation
after installation and configuration. This procedure is identical to the Proof Test Procedure described in Section 6.1.4
of this document.
5.8 Recording Results
Results of Site Acceptance Testing must be recorded for
future reference.
5.9 Maintenance
The only maintenance required is the proof test.
• Report all failures to Magnetrol.
• Firmware can only be upgraded by factory personnel.
5.9.1 Diagnostics
Internal diagnostic testing does a complete cycle 15 times
per second (1 every 67 ms). A message will appear and the
output current will be driven to 3.6 or 22 mA (customer
dependent) upon detection of a fault. Never specify HOLD
as the fault signal in a safety application.
5.9.2 Troubleshooting
Refer to Section 3.3 of the E3 Modulevel Installation and
Operating Manual (Bulletin 48-635) for troubleshooting
device errors. To assist in finding errors should they occur,
at start-up complete the Configuration Data Sheet found at
the back of this manual, make a list of all device configuration parameters, including the password, and retain this
information in a safe place.
6.0 Recurrent Function Tests
6.1 Proof Testing
6.1.1 Introduction
Following are the procedures used to detect Dangerous
Undetected (DU) failures. The procedure will detect
approximately 99% of possible DU failures in the E3
Modulevel transmitter.
6.1.2 Interval
To maintain the safety integrity level of a safety instrumented
system, it is imperative that the entire system be tested at regular time intervals (TI in the appropriate standards). The SIL for
the E3 Modulevel is based on the assumption that the end user
will carry out these tests and inspection at least once per year.
The onus is on the owner/operator to select the type of inspection and the time period for these tests.
The system check must be carried out to prove that the safety
functions meet the IEC specification and result in the desired
response of the safety system as a whole.
6.1.3 Recording results
Record the results of the Proof Test for future reference.
6.1.4 Proof Test Procedure
A suggested proof test is described below. This test will
detect approximately 99% of possible Dangerous
Undetected (DU) failures in the E3 Modulevel.
1. Bypass the safety function and take appropriate action to
avoid a false trip.
2. Use HART communications to retrieve any diagnostics and
take appropriate action.
3. Send a HART command to the transmitter to go to the
high alarm current output and verify that the analog current
reaches that value. This tests for compliance voltage problems such as a low loop power supply voltage or increased
wiring resistance. This also tests for other possible failures.
4. Send a HART command to the transmitter to go to the low
alarm current output and verify that the analog current
reaches that value. This tests for possible quiescent current
related failures.
5. Perform a five-point calibration check of the displacer and
transmitter over the full working range using process fluids.
If the calibration check is performed by any means other
than fluids acting on the displacer, this proof test will not
detect any failures of the displacer.
6. If the calibration is correct, the proof test is complete.
Proceed to step 9. If the calibration is incorrect, remove the
transmitter from the process. Inspect for damage, buildup,
or clogging. Clean if necessary.
7. If the calibration is off by more than 2%, contact the factory for assistance. If the calibration is correct, the proof test is
complete. Proceed to step 8.
8. Re-install the displacer and transmitter.
9. Remove the bypass and otherwise restore normal operation.
7.0 Appendices
7.1 SIL Declaration of Conformity
Functional safety according to IEC 61508.
Magnetrol International, Incorporated 5300 Belmont
Road, Downers Grove, Illinois 60515 declares as the
manufacturer, that the level transmitter:
E3 Modulevel Liquid Level Displacer Transmitter
is suitable for use in safety instrumented systems according
to IEC 61508, if the safety instructions and following
parameters are observed:
Table 3
Failure Rates According to IEC 61508
Model E3               Internal Mount    Remote Mount
SIL                    2                 2
Proof Test Interval    1 Year            1 Year
SFF                    92.3%             92.6%
PFDavg (1)             2.95 E-04         2.95 E-04
λsd                    0 FIT             0 FIT
λsu                    170 FIT           176 FIT
λdd                    540 FIT           568 FIT
λdu                    59 FIT            59 FIT
FIT = Failure in Time (1x10⁻⁹ failures per hour)
(1) As determined in compliance with ANSI/ISA-84.01
clause 9.2.3 for 1oo1 system.
Magnetrol International, Incorporated
5300 Belmont Road
Downers Grove, Illinois 60515
7.2 FMEDA Report: Exida Management Summary
7.3 Specific Model E3 Values
Specific Model E3
E3 Modulevel           Internal mount    Remote mount
SIL                    SIL 2             SIL 2
HFT                    0                 0
SFF                    92.3%             92.6%
PFDavg                 2.95 E-04         2.95 E-04
Proof Test Interval    Annually (refer to table below for other periods)    Annually (refer to table below for other periods)
Proof Test Interval (years)    PFD avg. (SIL 2)
0                              3.88 E-05
1                              2.95 E-04
2                              5.50 E-04
3                              8.06 E-04
4                              1.06 E-03
5                              1.32 E-03
6                              1.57 E-03
7                              1.83 E-03
8                              2.09 E-03
9                              2.34 E-03
10                             2.60 E-03
7.4 PFD Graph
7.5 Report: Lifetime of Critical Components
According to Section 7.4 of IEC 61508-2, a useful lifetime,
based on experience, should be assumed.
Although a constant failure rate is assumed by the probabilistic
estimation method, this only applies provided that the useful
lifetime of components is not exceeded. Beyond their useful
lifetime, the result of the probabilistic calculation method is
therefore meaningless, as the probability of failure significantly
increases with time. The useful lifetime is highly dependent on
the subsystem itself and its operating conditions.
This assumption of a constant failure rate is based on the
bathtub curve. Therefore it is obvious that the PFDavg
calculation is only valid for components that have this
constant domain and that the validity of the calculation is
limited to the useful lifetime of each component.
As there are no aluminum electrolytic or tantalum electrolytic capacitors used, there are no electrical components
that limit the useful lifetime of the system.
Based on general field failure data, a useful life period of
approximately 15 years is expected for the E3 Modulevel
Liquid Level Displacer Transmitter.
When plant experience indicates a shorter useful lifetime than
indicated, a number based on plant experience should be used.
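The PFDavg values in Section 7.3 can be rebuilt from figures given elsewhere in this manual: λdu from Table 3, the 99% proof test coverage from Section 6.1.1, and the 15-year useful life above. The following Python block is an added example, not Magnetrol's or exida's calculation; it assumes a common simplified 1oo1 approximation in which the covered share of λdu accumulates over the proof test interval and the uncovered share over the useful life, and all function names are hypothetical.

```python
# Added example (not vendor or exida code): rebuild the Section 7.3
# PFDavg table from Table 3 and compare the result with Tables 1 and 2.
HOURS_PER_YEAR = 8760
FIT = 1e-9  # one failure per 10^9 hours

# Table 3, internal mount, in FIT.
RATES_INTERNAL = {"sd": 0, "su": 170, "dd": 540, "du": 59}
PROOF_TEST_COVERAGE = 0.99  # Section 6.1.1: ~99% of DU failures detected
USEFUL_LIFE_YEARS = 15      # Section 7.5

# Table 1: (inclusive lower bound, exclusive upper bound, SIL).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3),
             (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
# Table 2, HFT = 0 column: (SFF lower bound, highest SIL); None = not allowed.
ARCH_LIMIT_HFT0 = [(0.99, 3), (0.90, 2), (0.60, 1), (0.0, None)]


def safe_failure_fraction(rates):
    """SFF = every failure rate except dangerous undetected, over the total."""
    total = sum(rates.values())
    return (total - rates["du"]) / total


def pfd_avg(ti_years, du_fit=RATES_INTERNAL["du"],
            coverage=PROOF_TEST_COVERAGE, life_years=USEFUL_LIFE_YEARS):
    """Assumed simplified 1oo1 model (an assumption of this example).

    Failures the proof test finds are exposed for half the test interval
    on average; failures it misses are exposed for half the useful life.
    """
    lam_du = du_fit * FIT
    tested = coverage * lam_du * ti_years * HOURS_PER_YEAR / 2
    untested = (1 - coverage) * lam_du * life_years * HOURS_PER_YEAR / 2
    return tested + untested


def sil_from_pfd(pfd):
    """SIL band from Table 1, or None if the value is outside the table."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def architectural_limit(sff):
    """Highest SIL that Table 2 allows for a Type B device with HFT = 0."""
    for lower, sil in ARCH_LIMIT_HFT0:
        if sff >= lower:
            return sil
    return None


def achievable_sil(ti_years, rates=RATES_INTERNAL):
    """The lower of the Table 1 band and the Table 2 architectural limit."""
    by_pfd = sil_from_pfd(pfd_avg(ti_years, rates["du"]))
    by_arch = architectural_limit(safe_failure_fraction(rates))
    if by_pfd is None or by_arch is None:
        return None
    return min(by_pfd, by_arch)


def pfd_table(max_years=10):
    """PFDavg per proof test interval, formatted like the Section 7.3 table."""
    return [(y, f"{pfd_avg(y):.2E}") for y in range(max_years + 1)]


if __name__ == "__main__":
    print("SFF: %.1f%%" % (100 * safe_failure_fraction(RATES_INTERNAL)))
    for years, value in pfd_table():
        print("%2d years  PFDavg %s  SIL %s"
              % (years, value, achievable_sil(years)))
```

With these inputs the one-year PFDavg falls in the SIL 3 band of Table 1, so the SIL 2 rating comes from the Table 2 limit for HFT 0 at an SFF between 90% and 99%.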
7.6 Configuration Data Sheet
Magnetrol E3 Modulevel Configuration Data Sheet
ITEM
LvlUnits (Level & lfcLevel only)
Proc SG (level only)
OperTemp
Set 4 mA
Set 20mA
Lvl Ofst (Level & lfcLevel only)
Damping
Fault
Poll Adr
Trim Lvl (Level & lfcLevel only)
Trim SG (Density only)
Trim 4
Trim 20
New Password
Language
Software Version
DispFact
MeasType
Model
SpringSG
VALUE
Yes
Yes
Yes
7.6 Configuration Data Sheet (cont.)
ITEM
SprgRate
SprgMatl
TempLimt
Length
Diameter
Weight
Lower SG (lfc Level Only)
Upper SG (lfc Level Only)
CalSelct
AdjSnrLo
AdjSnrHi
Conv Fct
Scl Ofst
LVDT%
Chan 0
Chan 1
NSPValue
ElecTemp
Max Temp
Min Temp
CalSelct
AdjSnrLo
AdjSnrHi
Conv Fct
Scl Ofst
LVDT%
Chan 0
Chan 1
NSPValue
ElecTemp
Max Temp
Min Temp
Factory Cal Menu
LVDT%
Calib SG
DrySensr
SnrCalLo
LvlCalLo
SnrCalHi
LvlCalHi
User Cal Menu
LVDT%
DrySensr
SnrCalLo
LvlCalLo (Level & lfcLevel only)
Sg CalLo (Density only)
SnrCalHi
LvlCalHi
Sg CalHi (Density only)
VALUE
Factory
Factory
Factory
User
User
User
Enter
Enter
Enter
Enter
Enter
Enter
References
IEC 61508-2: 2000 “Functional Safety of
Electrical/Electronic/Programmable Electronic Safety
Related Systems”
IEC 60654-1: 1993-02, second edition, “Industrial-process Measurement and Control Equipment –
Operating Conditions – Part 1: Climatic Condition”
Disclaimer
The SIL values in this document are based on an
FMEDA analysis using exida’s SILVER Tool. Magnetrol
accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the
general calculation methods are based.
ASSURED QUALITY & SERVICE COST LESS
Service Policy
Owners of Magnetrol/STI controls may request the
return of a control or any part of a control for complete
rebuilding or replacement. They will be rebuilt or replaced
promptly. Controls returned under our service policy
must be returned by Prepaid transportation.
Magnetrol/STI will repair or replace the control at no cost
to the purchaser (or owner) other than transportation if:
1. Returned within the warranty period; and
2. The factory inspection finds the cause of the claim to
be covered under the warranty.
If the trouble is the result of conditions beyond our control; or, is NOT covered by the warranty, there will be
charges for labor and the parts required to rebuild or
replace the equipment.
In some cases it may be expedient to ship replacement
parts; or, in extreme cases a complete new control, to
replace the original equipment before it is returned. If this
is desired, notify the factory of both the model and serial
numbers of the control to be replaced. In such cases, credit for the materials returned will be determined on the
basis of the applicability of our warranty.
Return Material Procedure
So that we may efficiently process any materials that are
returned, it is essential that a “Return Material
Authorization” (RMA) number be obtained from the
factory prior to the material's return. This is available
through Magnetrol/STI's local representative or by contacting the factory. Please supply the following information:
1. Company Name
2. Description of Material
3. Serial Number
4. Reason for Return
5. Application
Any unit that was used in a process must be properly
cleaned in accordance with OSHA standards, before it is
returned to the factory.
A Material Safety Data Sheet (MSDS) must accompany
material that was used in any media.
All shipments returned to the factory must be by prepaid
transportation.
All replacements will be shipped F.O.B. factory.
No claims for misapplication, labor, direct or consequential damage will be allowed.
5300 Belmont Road • Downers Grove, Illinois 60515-4499 • 630-969-4000 • Fax 630-969-9489 • www.magnetrol.com
145 Jardin Drive, Units 1 & 2 • Concord, Ontario Canada L4K 1X7 • 905-738-9600 • Fax 905-738-1306
Heikensstraat 6 • B 9240 Zele, Belgium • 052 45.11.11 • Fax 052 45.09.93
Regent Business Ctr., Jubilee Rd. • Burgess Hill, Sussex RH15 9TL U.K. • 01444-871313 • Fax 01444-871317
5300 Belmont Road • Downers Grove, Illinois 60515-4499 • 630-969-4028 • Fax 630-969-9489 • www.sticontrols.com
Copyright © 2009 Magnetrol International, Incorporated. All rights reserved. Printed in the USA.
BULLETIN: 48-650.0
EFFECTIVE: February 2009