
Red sheet

Safety
Meters Safety
Safety concept
Safety is: the protection of human lives, the environment and essential equipment.

Safety systems: in case of plants that present an intolerable level of hazard risk due to certain process conditions, external risk reduction facilities like ESD or SIS may be used. Transmitters play an important role in these systems.

Applications:
- Emergency shutdown
- Fire & gas protection
- Burner management
- Rotating machinery
- Interlocks
- Remedial Action Schemes for Power Distribution
- Launch Control Systems

Customer benefits
Equivalent safety performances but different costs for :

ABB SACE S.p.A. Business Unit Instrumentation

Safety Integrity Level concept

The risk level of a plant is associated with the probability of failure of the process. If an ESD is added to the plant, however, the residual risk depends on the probability of failure of the ESD. The Safety Integrity Level defines the maximum probability of failure of the ESD (i.e. the level of residual risk). The suitable level can be achieved by using appropriate devices or by implementing an appropriate architecture (redundancy).

| Safety Integrity Level | Low Demand Mode of Operation: probability of failure to perform its design function on demand | Cont/High Demand Mode of Operation: probability of a dangerous failure per year |
|---|---|---|
| SIL 4 | >=10^-5 to <10^-4 | >=10^-5 to <10^-4 |
| SIL 3 | >=10^-4 to <10^-3 | >=10^-4 to <10^-3 |
| SIL 2 | >=10^-3 to <10^-2 | >=10^-3 to <10^-2 |
| SIL 1 | >=10^-2 to <10^-1 | >=10^-2 to <10^-1 |

Protection of environment & community Human protection

Protection of ownership and manufacturing

Protection of plants

The SIL2 approval is valid only for the analog output.

[Figure: analog output scale marked at 3.7, 3.8, 20.8 and 22, with regions labelled "Safety status", "Normal Operation", "Analogue output saturated" and "Malfunctioning".]

A safety transmitter shall have a very low probability of failures that prevent the plant from being shut down when needed. Therefore it is designed to detect all internal electronic hardware faults and to provide this diagnostic information to the ESD by driving the analog output current to a defined level, in compliance with IEC 61508 for Safety Integrity Level 2 (SIL2).


What do the manufacturers offer?


These days most end users require contractors to build plants choosing components that assure a certain safety (SIL) level. In addition, a low level of spurious failures is required, i.e. cases in which the plant is shut down because of a failure of the transmitter. To compare transmitters, the HARDWARE FAILURE RATES (lambda) are necessary; three levels of information are offered today.

Basic level

The manufacturer makes a unilateral declaration of safety data (performances). The customer has no assurance that these data are calculated correctly. Note: the table shows the 2600T safety data.

| Parameter | Symbol | Safety | Standard |
|---|---|---|---|
| Safe failure | λs | 295 FIT | 144 FIT |
| Dangerous failure | λd | 706 FIT | 344 FIT |
| Safe detected failure | λsd | 134 FIT | |
| Safe undetected failure | λsu | 160 FIT | |
| Dangerous detected failure | λdd | 669 FIT | 260 FIT |
| Dangerous undetected failure | λdu | 37 FIT | 83 FIT |
| Don't care | | 181 FIT | 134 FIT |
| DC (Diagnostic Coverage) | | 94,88 % | |
| SFF (Safe Failure Fraction) | | 96,73 % | 82,73 % |

Improved level

An improvement on the basic level is to have the same data CERTIFIED BY A THIRD AUTHORIZED BODY, such as TÜV or similar. This gives the customer confidence that the failure data are properly calculated, but THIS IS NOT A SIL 2 CERTIFICATION, as clearly specified in the body's report. When you have to deal with human integrity etc., the requirement is that the device must be built in such a way that ... tolerates one fault without creating risk for .... The declarations clearly say that HFT (Hardware Fault Tolerance) is 0, and they do not even mention software fault tolerance.

SIL 2 certified instrument

- It meets reliability and safety parameters
- The data are certified
- The complete instrument is certified
- The internal software is redundant
- It is one fault tolerant
- It is manufactured according to a certified process


Additional remarks

A safety transmitter increases safety, but consider spurious failures

Often two instruments are used in parallel in order to meet the Hardware Fault Tolerance (HFT) required for SIL loops. But in this way the probability of spurious failures is also doubled. A single safety transmitter instead has redundancy and self-diagnostics to meet the HFT requirements, and its spurious failures are lower than those of two instruments, but higher than those of a normal pressure transmitter.

How can you avoid that safety turns into reduced plant profitability?

In order to avoid spurious plant shutdowns, some users install an additional third transmitter, shutting down only when two transmitters ask for it (2 out of 3). In this case spurious shutdowns are greatly decreased. This solution has the same performance as two safety transmitters in parallel; this allows the plant to keep running in case of a spurious failure, thanks to the signal of the transmitter that reports it is running properly. In fact, if a fault develops in one transmitter only, it is clearly an internal one. In other words, the one that works has no fault and delivers the right measurement. The user can then disconnect the faulty one and check what has happened, without losing plant operation. Again, two safety transmitters are less expensive than three standard ones.
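The voting argument in these remarks can be checked numerically. The following is an added example, not part of the ABB sheet: it computes exact trip probabilities for an M-out-of-N voter and compares 1oo1, 1oo2 and 2oo3. It assumes independent channels (no common-cause failures), a one-year interval, that every safe failure produces a false trip vote, and that 144 FIT and 83 FIT from the failure-rate table are one standard transmitter's safe and dangerous-undetected rates; all function names are illustrative.

```python
import math
from itertools import product

FIT = 1e-9               # 1 FIT = one failure per 10^9 device-hours
HOURS_PER_YEAR = 8760    # assumed observation interval

def prob_in_interval(rate_fit, hours):
    """Probability of at least one failure in the interval (constant rate)."""
    return 1.0 - math.exp(-rate_fit * FIT * hours)

def voter_trips(votes, m):
    """MooN voter: shut down when at least m channels ask for it."""
    return sum(votes) >= m

def trip_probability(m, n, p_vote):
    """Exact probability that an MooN voter trips when each of the n
    independent channels votes 'trip' with probability p_vote."""
    total = 0.0
    for votes in product((0, 1), repeat=n):
        p = 1.0
        for v in votes:
            p *= p_vote if v else 1.0 - p_vote
        if voter_trips(votes, m):
            total += p
    return total

def compare(lambda_s_fit, lambda_du_fit, hours=HOURS_PER_YEAR):
    """Spurious-trip and missed-demand probability per architecture."""
    p_s = prob_in_interval(lambda_s_fit, hours)     # channel votes trip falsely
    p_du = prob_in_interval(lambda_du_fit, hours)   # channel unable to vote trip
    archs = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo3": (2, 3)}
    result = {}
    for name, (m, n) in archs.items():
        result[name] = {
            "spurious_trip": trip_probability(m, n, p_s),
            # On a real demand a healthy channel votes trip (prob 1 - p_du).
            "missed_demand": 1.0 - trip_probability(m, n, 1.0 - p_du),
        }
    return result

if __name__ == "__main__":
    # Sample input: 144 FIT and 83 FIT as read from the page's table (assumed
    # to be the standard transmitter's safe and dangerous-undetected rates).
    for arch, r in compare(144, 83).items():
        print(f"{arch}: spurious={r['spurious_trip']:.3e} "
              f"missed={r['missed_demand']:.3e}")
```

With these inputs the 1oo2 spurious-trip probability is almost exactly twice the single-channel value, while 2oo3 brings it down by more than two orders of magnitude at the cost of a somewhat higher missed-demand probability than 1oo2.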

What else should the end user remember?

Safety transmitters are not to be installed everywhere, but in safety loops they provide considerable savings while assuring equivalent performance. A safety transmitter has the same maintenance frequency as a standard one.
